MikroTik

pe1chl

Indeed. So when you want WiFi to work and also jumbo frames on ethernet you will have to set it up so the WiFi is not part of (the same) bridge. That will add an extra routing hop for your WiFi and the MTU can be different.

pe1chl

The wifiwave2 driver does not support MTU over 1500 bytes, that is why it keeps dropping back.
With only ethernet it would probably work fine.
(WiFi does not support jumbo frames)

pe1chl

On Linux, you can install the i386 libs and 32-bit wine. Now...for Intel-based Mac, wine wouldn't work with 32-bit Dude. Must be CrossOver wine, it can run 32bit applications with emulation on 64bit CrossOver wine No idea, when installing wine64 on Debian Linux (64-bit) and using it to run winbox64...

pe1chl

except: if some client set the DNS server manually it bypass the pihole Once you have fixed that, some client will not use the DNS protocol on TCP/UDP port 53, but instead will use DoH or DoT. Or when you have a client that does not like your limitations, they will just setup a VPN and send everyth...

pe1chl

Hold on, you're right, it is just webfig traffic. I thought it was total traffic, which be okay. But not sure what webfig traffic usage shows... It shows how much traffic it takes to display and update the page you are viewing in webfig. For some pages that is almost zero, because they are just sta...

pe1chl

The default firewall already blocks everything from WAN except port forwarded traffic . He chose to modify that, and now he has trouble. Lesson: when you do not understand how it works, and you modify it, it may break. This is the rule as it is by default: /ip firewall filter add chain=forward actio...

pe1chl

I recommend you to use netinstall to install the current version of RouterOS (6.49.10 when you want to remain on v6 or otherwise 7.11.2) and then reconfigure your router by pasting the export into a command prompt section by section. Or even better by manually configuring again what you really need ...

pe1chl

I used a similar scheme with multiple prefixes in the traffic selector quite widely. But, of course, StrongSwan acted as both server and client. (Linux servers). And there were no problems with this. More precisely, in IKEv2 mode Mikrotik only accepts the first prefix in the traffic selector. But i...

pe1chl

Study the packet flow to understand that. Or do not add rules to the default firewall before you understand what they do.

https://help.mikrotik.com/docs/display/ ... n+RouterOS

pe1chl

These values are there for a purpose. Is there a problem with them? I presume these figures are the TX/RX rate of the connection with webfig. People probably assume these are the global TX/RX rate of the router (same as was on the LCD back in the old days)? Anyway, how important is that "purpo...

pe1chl

You are replying to a very old topic, and things have changed a lot since then.
I would not know if that still works.

pe1chl

You say you control 200 proxies.
Configure IN THOSE PROXIES what the maximum number of connections is.

pe1chl

In case it was not clear yet: the bridge is not between internet and your local network. It is between the ports that you assign to your local network, usually all ports you do not use for internet or other purposes, and the WiFi interfaces (if any). In the current version of RouterOS it is like the...

pe1chl

I am now setting up a new Mikrotik router and it is telling me to set up a bridge first thing, this just makes absolutely no sense to me as I thought the point of a bridge was to link different networking equipment together? Not just to create a dhcp network, the documentation doesn't say why it wa...

pe1chl

Noted after installation (do no know how long it exists as I just changed IPv6 settings) that when you have IPv6 enabled but IPv6 routing disabled, the IPv6 forward chain gets hit with multicast packets from the local network, as if it wants to forward them. I've put that drop rule with log into 7....

pe1chl

I think it v6 it worked both ways which is of course a bit silly... "in" suggests that the network on the left is smaller (or same size) than the network on the right.

pe1chl

Noted after installation (do no know how long it exists as I just changed IPv6 settings) that when you have IPv6 enabled but IPv6 routing disabled, the IPv6 forward chain gets hit with multicast packets from the local network, as if it wants to forward them. /ipv6 settings set forward=no /ipv6 firew...

pe1chl

No.
The first one is "is the room in you" and the second one is "are you in the room".

pe1chl

Why don't you solve the problem where it occurs: in the proxies ?

pe1chl

The second version is the correct one. The first one does not make sense.

pe1chl

However, different wireless drivers do interact with passing frames beyond basic MAC addressing and some drivers might burp on frames they don't recognize. I think the problem is that the drivers have to do some kind of workaround to replace ARP. The WiFi has the same MAC for all clients, but they ...

pe1chl

When my routing table is empty, the default route is announced immediately, which means that my configuration is good (maybe not optimal, but it works). When my routing table is full, I run into problems. I've been so irritated by the situation that I've made all the combinations you mentioned befo...

pe1chl

It doesn't really matter. To continue to work in the wifiwave2 era, the hAP ac2 would need to have more flash as well.

pe1chl

When you want to keep your routing table fully populated from uplinks but want to send only default route to clients, it is probably best to run different instances (templates) for them.

pe1chl

It thurns out that mikrotik doesnt like one word domains as static. # NAME REGEXP TYPE ADDRESS TTL 0 X ;;; defconf router.lan 192.168.1.1 1d 1 mobilesvr 192.168.1.150 1w3d 2 mobilesvr.lan 192.168.1.150 1w3d dig 'mobilesvr.lan' returns 192.168.1.150 dig 'mobilesvr' returns SERVFAIL I cannot confirm ...

pe1chl

I don't really get all this tagged/untagged discussion. The 802.11 frame header has no place for a VLAN ID, so, technically, wifi interfaces are never tagged. Well 802.11 standard frame has no space for a VLAN tag, and only has space for 3 MAC addresses. But MT with WLAN driver "AP bridge"...

pe1chl

Those are garbage, don't buy them!
No, I think we will see an AX model in the (near?) future...

pe1chl

When you need fixes you can just as well install an RC version. At some point in time the version will change to 7.12 and it is still the same software.

pe1chl

pe1chl

The method you have will work, but you need to increase the "maximum number of connections" ("shared users") to something higher than 1. Even when you do not want that.

pe1chl

Likely you can still view the routing table in the Snmp tab, if that is an option.

Except when you have multiple routing tables, then SNMP retrieval of routes will fail in v7.

pe1chl

Well of course in the typical setup where the normal WAN and the LTE both get their IP and default gateway using some dynamic mechanism (like PPPoE or DHCP) it can easily happen that adding another uplink kills the first one. You need to configure the routing in such a way that the different "d...

pe1chl

... so you want to explain the visitors of https://test456.com/ "no, you must not enter that, you must enter https://test456.com:4443/ ??? And when they forget the :4443 then they get "warning! invalid certficate! someone may be eavesdropping on you!!" ?? Good luck with that. No, it i...

pe1chl

Isn't it time by now (2023) that you abandon the use of FTP?

pe1chl

You will need newer equipment for that. The new devices that support 802.11k/r/v can do roaming without re-authenticating, but the older devices cannot and it will not be added. However, even with this roaming you still can run into the situation where a user re-authenticates because their device be...

pe1chl

Are these to another MikroTik router that you manage, or to some outside VPN service?

pe1chl

In such cases it depends on what you actually expect. When a single client has to be able to setup a single connection and it has to be 2.5 Gbps the options are far more limited than when you expect 1 Gbps to each client but several clients together can add up to 2.5 Gbps. Also, you will almost alwa...

pe1chl

Hi there, On a MikroTik CCR1016-12S-11S+ which runs RouterOS 7.6 I need to configure a second gateway only for a specific computer from my network. Currently I have tried several things I read in the Forums, but none of them worked. I tried Mangle prerouting as well, but without luck. Other posts w...

pe1chl

It is not that clear cut. When you have a card from another manufacturer with a chipset that is also used in other MikroTik devices, it can just work.
In fact I have suggested that this may be a solution to have both 2 GHz and 5 GHz WiFi with wifiwave2 on the 4011.

pe1chl

It is really very common that when first using netinstall (or when using it while in distress) one simply cannot get it to work. Besides the mistake that you made in this case, it generally is a picky program that will fail on many system configurations. It is always advisable to do a rehearsal of a...

pe1chl

The "cpu temperature" is a temperature measured on the CPU chip itself, and it is always quite a lot higher than any temperature you would measure with a sensor on the board or on the outside of the package. 62c is not unreasonably high. That being said, it never hurts to have some additio...

pe1chl

50 ohm terminators with the appropriate connector type should do the job.
Real ones are expensive, but suitable ones for this purpose can be obtained for cheap on Aliexpress.

pe1chl

What is the config on that router? I am observing the same thing on my RB4011, but by now I have found what causes it: I have added the package rose-storage and I have added a "disk" that is a mount of an external fileserver. This makes reboot getting stuck. So when you do something simila...

pe1chl

In my router running v7.12rc it certainly is present in the export. And it was before as well.

pe1chl

You can also add a simple web server on a computer (your preferred flavor of OS), or even a RaspBerry Pi on the LAN and port forward via NAT so it can be reached from the Internet. The question started with: I have an VPS that has MikroTik CHR installed on it. So to do it that way he would have to ...

pe1chl

The rackmounted versions had the displays on the front. Sure, when you bought an RB2011 for desktop use it had the display on the top and that was inconvenient when you wanted to put it on a shelf in a rack, but the rackmounted RB2011 had no such issue. Same for the CCR devices from that time. Of co...

pe1chl

Read also the title: "My Youtube Video player has blocked"

There is no trace of anything related to MikroTik.

Ok exercise for you: see this recent new posting: viewtopic.php?t=200911
There is no trace of anything related to MikroTik.
Should it be deleted?

pe1chl

Is it so difficult to read, even for a moderator?? I am talking about the initial question. It does not mention an Adblocker. How is the first question inappropriate for this forum, as rextended wrote: "For me the mistake is not immediately deleting the post, instead of replying." I don't ...

pe1chl

Question and the first answer had no connection to Mikrotik even beeing asked for more details. I don't agree with that!! The first question was clearly from a person with limited knowledge of English, and was about a problem that could be related to his router. Maybe he (or the admin of the router...

pe1chl

Aha I see. In v6 it was S in cli as well, and in v7 it is s in cli but S in winbox.
Stupid, I would say...

Again, what RouterOS version do you have?

pe1chl

That will likely solve it, as long as you do not paste that export back again. Alternatively you can try changing (or just removing) the MAC address settings seen in the config. That will make them fall back to defaults which are the device-unique MAC addresses assigned during manufacturing. Then yo...

pe1chl

Hmm and what rule would you add for that?
I am legit curious, I'd like to understand where I went wrong and how I could fix it.
Thank you.

You have not shown us your full firewall configuration yet, so how should we know???
Show the result of a /ip firewall export

pe1chl

In these cases that is difficult to infer from the first question. Almost all questions on this forum initially are vague, do not include any context, and require additional posts to get that info. At that time it may become obvious that the question is not related to any MikroTik software or hardwa...

pe1chl

Thanks, sounds very promising .... is there any guide or manual how to achieve that ?

https://help.mikrotik.com/docs/display/ROS/L2TP

pe1chl

So what seems to be the problem in ROS is that on shutdown/reboot sequence, NFS server doesn't get stopped. Hence exported disk partition still shows usage and unmounting it hangs. Yes, that is what I wrote is my guess as well. In this case it seems the NFS client won't stop because it gets no repl...

pe1chl

I think the availability of interfaces on the different MikroTik models mainly depends on the chips they use in them. For each new model a chip (SoC) is selected and it offers some different types of interfaces. Adding a new interface type that is not directly supported by the SoC would mean extra s...

pe1chl

Well, you are asking for a charger and "we" are not aware of any MikroTik product that has a rechargable battery.
So it is a bit unclear what you want to charge.

pe1chl

The reason that it breaks is that the rules you made do not accept input that is a reply to outgoing connects, like the update of DDNS.
But also other things would go wrong, like query of DNS or download of upgrades.

pe1chl

Looking at the MAC addresses, you probably restored a backup from another device?

pe1chl

Static routes have "AS" flag. I don't know what the s flag is for.
What RouterOS version do you have?

pe1chl

Of course it depends on what the connected device is. When it is a MikroTik device you can also see the uptime in IP->Neighbors.
And it depends on your requirements. When you want to know if it had recently connected you can use the "Last Seen" field in the leases.

pe1chl

At least when using L2TP/IPsec you do not need any special tricks.
Put the L2TP server on the site with the public IP and connect it from the other site. That one can even have a dynamic IP.

pe1chl

Maybe they have a warehouse full of old LHG 5 and no more LHG 5 ac in stock, then they would have to produce it again? The architecture of the LHG 5 ac is similar to the hAP ac2 and its limited 16 MB flash is becoming a problem with RouterOS v7. So maybe at some time we will see a LHG 5 ax to replac...

pe1chl

Also first check that when the load is 100% there is not a lot of wireguard traffic.

pe1chl

If I recall, AC2 or cap AC had such an occurrence (128 vs 256 Mb RAM), no ? Yes, I think this really happened :-( My ac2 has only 128 MB RAM. I think in that case the website always said 128 MB RAM but some users found that they bought a device that in reality had 256 MB RAM, then they bought more ...

pe1chl

When I use Adblocker my YouTube video player has stopped.
You got the wrong forum. It is a forum about MikroTik routers. You should write to forum about your Adblocker software.

Or Youtube. Youtube has started banning users that use an Adblocker.

pe1chl

This time I manually rebooted the router before trying to install the update, and the reboot was hanging. Just like the update is hanging when I try it after some uptime. Could it be caused by rose-storage? I have an NFS mount (the router mounts a share from an NFS server). I could imagine that thi...

pe1chl

Hello, does the DHCP server of RouterOS on the same device have to be specified as a valid server for the DHCP alert (/ip dhcp-server alert valid-server=), or is it automatically treated as a "valid server"? No, it is not required. Just enabling that function will find other DHCP servers ...

pe1chl

Maybe most buyers preferred the extra link margin for AC use that an XL provides... I do have an LHG 5 ac but it sits unused in storage because I did not notice that it does not support 10 MHz bandwidth, which we use. So now I use a LHG XL HP5 instead (of course on normal power). When you want bette...

pe1chl

Buy a new router. E.g. an RB5009.

pe1chl

Well, in general I agree with that, but not in the case of netinstall. That is just a badly designed/implemented program.

pe1chl

But the 20Mb for SSTP over 1G uplink does seem like it's MTU related

Actually 20Mb is about the upper bound for all encrypting tunnels on the 2011. Only plain tunnels (GRE, IPIP) without encryption exceed that.

pe1chl

Yes, best solution every time is to disable "detect internet", it provides no useful function. It is easy enough to maintain the WAN and LAN interface lists manually. Yeah, I am only using it because for some reason I can't make the router use a route with a distance higher than the main ...

pe1chl

Hi,
one of my CRS328-24P-4S+ don't know about PoE on interfaces 9-24, however PoE on theese ports still works...

Same model, with same RoS version, but different device this problem haven't.

Did you restore a "backup" file from another device on that one?

pe1chl

Cofiguration is relatively complex to post and contains too many private details to remove... talking about ~150 rules or so. Allow-all is great as soho firewall default, but generally shouldn't be a croproate practice... Of course. I do not like the default config either, although it is already mu...

pe1chl

SSTP client on my home Mikrotik router

What is the model of your home MikroTik router?
Did you disable "fasttrack"?

pe1chl

You need to understand that the default firewall installed by RouterOS (on models that have a default configuration) operates on the principle that undesired traffic is blocked and at the end of the list there is an implicit "default accept". The structure of the rules is dependent on that...

pe1chl

Yes, best solution every time is to disable "detect internet", it provides no useful function.
It is easy enough to maintain the WAN and LAN interface lists manually.

pe1chl

Forward chain From subnet or interface To subnet or interface Action drop Repeat for all combinations. That is actually a bad solution. It does not scale, when you have 5 interfaces there are already 20 combinations. Better: add each interface to an interface list. There already exists the interfac...

pe1chl

I explained what is available in RouterOS. What he knows from other platforms is not available. No need to discuss that any further. I should say once you understand the packet flow (at least in general) in RouterOS it is not required to trace the entire flow, you immediately know which rules the pa...

pe1chl

The packet flow can be found here: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow
At any point in the flow where there is a [| |] box you can insert a log rule.

pe1chl

You can add a log option to a rule in the firewall to log when it matches, or you can add an extra "log" rule with the appropriate matching criteria (in this case an address, but it can be anything) and when it matches it will log the appropriate message. The default logging configuration ...

pe1chl

Upgrading from v6.9x to 7.12rc2 all bgp, mpls, ospf settimg all missing. Thx What did you expect...just upgrade and continue? You just moved to a new major version! Well, in normal situations it would convert them during the upgrade. If that happened and if it works correctly depends on details of ...

pe1chl

Why waste time on protocol recognition when you can just use the DSCP values that any reasonable SIP application already sets?

pe1chl

Yes, that is a common issue with IPsec. People configure "more secure" IPsec settings (PFS, 256 bits, DH with long keys) and then it only works between routers but not with commonly used client devices... Worst is that it requires ongoing research to know what settings are supported in eac...

pe1chl

When going to the trouble of setting up a container with a good DNS resolver, I would not rely on the behavior of the existing DNS resolver in RouterOS. Let the container make its own queries and if necessary use RouterOS only to NAT them to the outside world, not to resolve them. You can then confi...

pe1chl

I confirm that (on 7.12rc1) the Bridge VLAN "Current tagged" column incorrectly lists the wlan interfaces. I have added them both to Tagged for several VLANs, but wlan2 does not appear correctly in "Current tagged" even when a client is connected that uses the VLAN (RADIUS assign...

pe1chl

Is the router ever going to do downloads (for upgrade) over IPv6?? The download server has an IPv6 record but RouterOS does not request it...

pe1chl

Yes, many devices list "open port requirements" for access they want TO the internet. But in most default configurations of routers with connection-tracking firewall (like MikroTik), ALL ports are already open outbound. So there is nothing you need to change on the router. It is unfortunat...

pe1chl

You need to ask such questions to sales or on the support site, not here on the community forum.

pe1chl

Make the firewall setup so that everything that is not required is blocked.
In fact that is what the default firewall setup does.
No need to add such rules for specific ports, only add rules for things you want open.

pe1chl

Did you already check if RouterOS performs the functions you need?

pe1chl

I don't think you can/should do RPKI validation on a single-peer endpoint. Leave that to your upstream ISP. They can do all the route selection for you and send you only a default route.

pe1chl

It depends on the internal structure of your small home. I have a similar small appartment but straight through the middle there is a concrete wall (part of the structure of the building), while all other walls are plasterboard. I do require two WiFi devices for reasonable coverage. Otherwise the si...

pe1chl

When you have more than one DHCP client of course you should set the default route distance differently in each of them, and probably setup two route tables and a script to insert a default route in the second table, and routing rules or mangling. I would not think it would cause the issue that you ...

pe1chl

I don't see how any of that would be an advantage when having only one peer.

pe1chl

BGP can run multithreaded (see posting above), but when you have only 1 peer there is nothing to gain that way.
Is this only a test? Or else, why would you run full-table BGP with only 1 peer?
Ask the ISP to send you only a default route...

pe1chl

I don't think that will be fixed... v6 is no longer maintained except for security issues, and this seems to be a niche problem.

pe1chl

Maybe you have put those ports in a bridge? make sure each of them is not member of any bridge.

pe1chl

Forgot to mention it was a binary backup, not an exported config

You copied a binary backup to another router? that cannot be done. It is accepted, but it causes weird issues.

pe1chl

20 Mbit/s is enough to fully load a 2011 when it has to encrypt/decrypt the traffic.
Unless you show the config export, nobody can help you with a solution.

pe1chl

As mkx indicates, the difference comes when routing, which is why MikroTik can justify the moniker "Cloud Router Switch." Yes, it's a router, and it's a switch. This line of products are better at switching than routing, but the fact that your CRS series switch can also route packets betw...

pe1chl

RB4011 series - amazingly powerful routers

The 4011 is a bit of a dead end. Cannot support BOTH 2.4/5 GHz WiFi AND new WiFi driver. Not recommended for new purchase.

pe1chl

Fine!

pe1chl

He is already on upgrade channel (see the question) so that is not it. I think a more likely reason for it failing is that the flash is probably almost full. The hAP ac2 has a chronic lack of space. I have one running 7.12rc1 and it has only 1000kB free out of the total 16M (16000kB). It may be bett...

pe1chl

To have it solved you will first have to reproduce it on v7, as v6 is no longer maintained except for security issues.
I think it has been improved in v7. You can now assign a name to a disk yourself and it will stick to that disk.

pe1chl

Everything you configure in the terminal is immediately saved.
It is not like in some other routers that you configure things only in memory and then have to "write" that to flash.

pe1chl

One would expect, just like in Linux, to have a checkmark to select automatic mounting on boot yes/no.
Other than that, I don't see an issue. Maybe you can schedule a job at boot to eject the disk when you do not want it to be mounted by default.

pe1chl

You need to find that out yourself, because I do not know what "full CDP support" means.

pe1chl

Because BGP adds its own ASN only when sending routes to remote peers (so prepending own as is possible only in output). By adding local as in input you are deliberately "saying" that those routes are looped, you might as well just reject the routes. No, the purpose of prepending own AS o...

pe1chl

Look in "/ip neighbor" and its settings, there is some rudimentary support there.

pe1chl

Maybe you can use this script to show you prefix counts on commandline: /system script add comment="print BGP prefix count" dont-require-permissions=no name=\ bgp-prefixes owner=admin policy=read source="/routing/bgp/session {\r\ \n :global prefixes ({});\r\ \n :global active ({});\r\...

pe1chl

Hello Mat I have exactly the same problem with version 7.11.2 I'm a bit disappointed that Mikrotik hasn't replied to you since June 2023, It's inconceivable to me... Well, this forum is mainly for inter-user communication. When you want a reply from support and/or some chance your topic gets put on...

pe1chl

I would think the bottom is 1 and the top is 2.
That is also the way our new CCR2004 is numbered (I did not expect it because for other manufacturers the top is the lower numbered port)

pe1chl

Please don't pollute the topic with unrelated things!

pe1chl

Yes. But only in the old WiFi drivers and not in the new wifiwave2. So let's first check which one you use.
Edit: seems to be possible now as well, but I do not know how as I do not use that myself.

pe1chl

And can you assign the VLAN to each client separately using RADIUS (via user-manager)? That was possible in the old WiFi.

pe1chl

Hint: use the "/export show-sensitive terse" command (especially the "terse" parameter) when you want easier handling in a text editor or script. I don't use it because my Perl script first performs the equivalent action on "non-terse" exports, but it can save some work...

pe1chl

Welcome to my foe list!

pe1chl

This time I manually rebooted the router before trying to install the update, and the reboot was hanging. Just like the update is hanging when I try it after some uptime. Could it be caused by rose-storage? I have an NFS mount (the router mounts a share from an NFS server). I could imagine that this...

pe1chl

Except that it isn't true... the features of routers differ, and adaptations are required in the export file to be able to import it on another one.

pe1chl

I have never seen it... You are right, migration of config in MikroTik routers is a bit of a problem. It is not possible to do it using .backup files, but the backup restore procedure does not check that and happily messes up the device. And the load of .rsc files also is problematic. The import com...

pe1chl

For example: Cloudflare tunnel cannot be started because the returned (argotunnel.com) domain record does not contain an SOA record. Interesting that you found an actual problem resulting from that behavior. But did you really confirm it to be the reason? As you mentioned I encountered a problem wi...

pe1chl

Sorry, why should it? The purpose of the use-application-dns.net domain was to tell Firefox in a network that the network admin does not want the users to use DoH. The domain is registered on internet and one is supposed to override that in a local static entry with an NXDOMAIN response. I even ask...

pe1chl

Or just block based on IP or IP address ranges. Just like always because for years we knew this was coming. The problem is that you cannot block services that run on large CDN or other server farms like Google's in that way. When you even can find all addresses used by Youtube, you may find that th...

pe1chl

Funny topic. You guys want firefox to be more secure and less secure at the same time :) Well, the issue is that "secure" can have different definitions depending on the viewpoint. The people at Firefox (and some vocal organizations) consider it "secure" when only the end-user c...

pe1chl

Firefox has now started rolling out the implementation of Encrypted Client Hello (ECH) to their users: https://blog.mozilla.org/en/products/firefox/encrypted-hello/ This will mean that using firewall filters that use tls-host= (or L7 filters that try to do the same thing) to "block certain webs...

pe1chl

Frankly I would prefer when features like SMB or PROXY were just removed from RouterOS... get a NAS!

pe1chl

Such problems are normally a combination of MTU issues and badly configured firewall (not necessarily your firewall, can just as well be at bitbucket.org).

pe1chl

/interface vlan
add interface=ether1 mtu=1492 name=EboxVlan vlan-id=40

That is wrong. mtu should not be set to 1492 there. Remove that.

pe1chl

I don't understand you either. Maybe you are difficult to understand.

pe1chl

What protocols best fit to securely connect same networks over public network?

GRE/IPsec is a good choice. That is completely unrelated to your first question.

pe1chl

Transport Mode

It will be transport mode when both endpoints directly have a public IP address.
When there is NAT in front of the MikroTik router at one end, it will be tunnel mode (because IPsec transport mode does not support NAT).

pe1chl

A friend asked for a recommendation, he is interested only in wifi strength and quality, so the number of ports is not important, but to recommend something similar is an overkill. Of course you also need to consider if you want to recommend MikroTik to your friend, or if that is just overkill. Whe...

pe1chl

Make a ticket on the customer support portal at https://help.mikrotik.com/servicedesk

pe1chl

Also, I would warn against trying to do too much in a single expression. At some point it just won't work and there are no ways to debug it. It is safest to move some calculated value into a variable first before using it inside another expression, and also best to use the . string concat operator i...

pe1chl

As I wrote above (at a time when all of this simply did not work due to bugs, that have been fixed now) there is a "bgp-input-remote-as" you can use for that.

pe1chl

When you want to generate a mail with the data YOU find interesting, you can do it.
But probably your requirements are quite unique, so it would not be reasonable to have a standard facility for that.
Print what you want and mail it.

pe1chl

What happened with fixed speed and duplex?

pe1chl

I don't think it can be solved with scripting. What we need is a default user entry (that matches any username that is not explicitly in the table). Or even better: the possibility to specify username as a regexp, so you can add entries that match e.g MAC addresses with some OUI or (with some effort...

pe1chl

"/log [/user/get XXX password]"

For how many years now has this not been working? It was years before the end of v6 that passwords were no longer retrievable (only stored encrypted)...

pe1chl

@MT: please check all of YOUR SFP(+) models on compatibility with a new ROS version! It seems that SFP support is the "rocket science" of today. Unlike in their early days, rockets today often work on the first try and failures are quite rare. SFP changes usually fail every time (somethin...

pe1chl

The firewall rule needs an extra parameter in-interface-list=LAN or in-interface-list=!WAN or similar, so that it won't accept RADIUS traffic from internet. As I mentioned before, it is extremely sad that there is no possibility in user-manager to have a "default user" that determines what...

pe1chl

Yes, you get the VLAN you assign to the user as a tagged VLAN on the bridge, so when you want to do anything with it you need to create a VLAN subinterface on the bridge and configure DHCP on it. And firewall rules. As I mentioned, I use it with a PSK on the wireless. The only reason I use the user-...

pe1chl

Check if the trunk is configured for autonegotiation and if so, try to set fixed speed and Full Duplex at each end.

pe1chl

Of course you need to configure it so that the VLANs actually work. I did not check that in the config, but you would need a DHCP server on each VLAN etc. I still do have a (common) WPA2-PSK password on the SSID, that makes it "secure". Without password it will indicate insecure. And of co...

pe1chl

For such a config, router A must have static routes for the subnets connected to router B, or autorouting must be setup to distribute these.

pe1chl

Yes, of course. Unless you use multiple routing tables.

pe1chl

It depends. When that device somehow tries to obtain info via the network, e.g. DHCP client, IP Cloud client using default route, etc it may be possible to find it by doing packet trace on the port on mikrotik1 where mikrotik2 is connected.

pe1chl

In the meantime you may work around your problem by setting up a VPN to your syslog host and sending the traffic over that.

pe1chl

A problem still stands which is I can't ping interfaces of a same router together even though the ipv6/setting/set forward is set to yes. (e.g ether4 and ether3 of the router can't ping each other) What is the problem?? should I add some routes? but I thought by default they're connected Yes you ma...

pe1chl

When you want to connect two routers using 2 cables, e.g. for redundancy or load sharing, you need to configure a "bonding" interface with those ethernet ports as member, and configure the address on the bonding interface.

pe1chl

The problem is not the MAC address, the problem is that the RADIUS server does not answer your query.
So you need to fix that first. Try to use the router LAN address instead of 127.0.0.1
Make sure the input rules of the firewall don't block RADIUS (UDP port 1812-1813,3799)

pe1chl

When you get no reply from the RADIUS server, usually the secret is wrong between them. You have no secret configured in the radius server and user-manager, maybe that is mandatory (I do not know, I do have it). Also I do not use 127.0.0.1 but the IP of the router on the LAN, but that should not be ...

pe1chl

Under /system logging enable debug for wireless and radius (all topics) and you can see exactly what is happening. (open the log window) I keep logging for wireless enabled so I can see the devices joining the network performing the authentication. Logging for radius I have disabled during normal us...

pe1chl

RAM shortage (where firmware is stored during the upgrade) is common problem on those smaller smips devices, you must make sure you have at least 7.7MB free RAM available (winbox/system/resources) before upgrade, unfortunately this doesn't help you now I guess... No, those small smips devices do NO...

pe1chl

I don't have any wifiwave2 devices so I can't comment...

pe1chl

When you need to change the VLAN MAC, of course it will change when you change the parent ethernet interface MAC.
Of course the MAC on the untagged VLAN and all other VLANs will change as well, but that likely does not matter.

pe1chl

Why should a newcomer on a forum know less than a person with hundreds of posts ? I learned what a public IP is and about sensitivity at school then university, years before setting up my first home network, I worked with sensitive data for years before writing a single post here and touching a Mik...

pe1chl

You need to enable "MAC authentication" in your wireless security profile, select a MAC format, MAC "as username", and add "usernames" that are the MAC addresses of the devices you want to accept (in that same format). The users have no password. To assign a VLAN to the...

pe1chl

First inform you about what "stable" means before you base your expectations on it. That prevents disappointment. To be fair, regardless of what "stable" means I'd expect firmware updates _not_ to brick my devices. Yes, but so do we expect for "testing" or "develo...

pe1chl

not what I expected on "stable" tree.

First inform you about what "stable" means before you base your expectations on it. That prevents disappointment.

pe1chl

I only used CLI to export/import large sections of configuration
Welcome brother, sorry you hear your escape attempt failed.

What does this message mean? Please delete it.

pe1chl

Yeah, value-name should have been named "prompt", and pre-input should have been named "default". What is now "prompt" is redundant because a parameter without name is also considered a prompt (probably for backward compatibility?) and because a linefeed is issued after...

pe1chl

But be honest now, how practical is for me, small home user to tackle in with RADIUS, user manager ? (i will, i have test equipment ready for that even if i said that i don't want to do that.) Actually, user-manager is easy to get going. I am using it now instead of access lists on WiFi (i.e. a sec...

pe1chl

It looks like the issue is more that the "preinput" name is unclear, it should have been something like "default". In the example you suggest that the preinput is a "prompt" on the same line, but in fact it is the initial content of the input buffer, that you can backsp...

pe1chl

I don't wanna mess with RADIUS, User Managers etc and for what, for something that more and more vendors implement... For eg. TP-Link... Not expensive as Ruckus... And Mikrotik targets home users also... So this looks important for me... You have bought the wrong equipment. MikroTik provides you wi...

pe1chl

As for IoT - I put those into a separate VLAN / SSID and don't care much about them. You can also lock them up later on with access lists if needed. I use separate VLANs for IoT and similar, but creating a separate SSID for each network is very inefficient. So now I use a single SSID and have MAC a...

pe1chl

unsubscribing, since I do not even care anymore. moved back to fortigates because of this crap.

Useless to report that here. Report the number of units you planned to buy and have canceled to sales@mikrotik.com, then it may have an effect.

pe1chl

I'm still hoping that webfig will be enhanced at some time so it has the same features as winbox.
That really is possible using today's web features.

pe1chl

The problem is that EAP isn't supported by minimal systems (like printers and IoT devices), and that many devices do not work properly when both PSK and EAP are configured on the same SSID (although the standard and the configuration of RouterOS does allow that). Another problem is that configuring ...

pe1chl

Why would CLI be inescapable? This is not Cisco!
I only used CLI to export/import large sections of configuration, for the usual management of routers I never use CLI.

pe1chl

They released version 7, claiming they would revolutionize it. I agree that v7 in general has been a disappointment. It has been delayed far too long, and the revolutionary new routing engine is unfinished and shows little progress. It seems that MikroTik has moved away from the small ISP market an...

pe1chl

Aha that is an interesting observation! I will try to configure fixed resolutions to see if that solves it. Maybe it keeps the desktops active when the screen is off. (I will have to plan some time for that to reboot the system into textmode and fiddle with xorg.conf, always a tedious and frustratin...

pe1chl

Did you read this comment: Ruckus actually managed to get a patent for this “feature” 10+ years ago

pe1chl

There is System->Packages->Check installation but it is completely unclear what it does and what it doesn't do.

pe1chl

Ok, but in my case it seems related to the display going to sleep, the X server somehow locking the applications (or informing them) and then wine incorrectly handling that. I remember from the past when I enabled a screen saver in a system where programs were continuously displaying output, there w...

pe1chl

I have been running winbox under wine for ages. Now I have installed a new Linux system, and I have an interesting new problem... (it isn't a winbox problem, the same thing happens when I run e.g. wordpad.exe so it is something related to wine or another system component) My issue is this: when the ...

pe1chl

You could also just give in and grant users the capability to get a Linux shell, of course protected by a flag in device-mode and a warning that routers with this enabled cannot be supported via the usual channels. That would likely end the constant search of "vulnerabilities" to get that ...

pe1chl

You can always downgrade.

Well, that probably requires a netinstall by now... even within v6, upgrading such devices often was problematic.

pe1chl

Sure the System->Packages menu could have some very simple improvements! Not only selection of a version, but also selection of packages to install. The packages are available from the update server, so why do we have to download them on a computer, finding the correct architecture, unzip the file, ...

pe1chl

#3 Ability to hide/remove certain columns from some of the screens would be wonderful. This will allow support staff to reduce the clutter by having fewer but relevant columns displayed on some mobile devices such as small laptops. #4 If the above custom configuration can be saved as part of a user...

pe1chl

I obviously needed to remove some parameters before the import: dev-type tap dev tap0 writepid /var/run/openvpn_client1.pid auth RSA-SHA256 local 192.168.x.y tls-client client lport 0 ca /etc/openvpn/client/client1.ca cert /etc/openvpn/client/client1.cert key /etc/openvpn/client/client1.key tls-aut...

pe1chl

Could this be related to 'ARP entries building up' here: https://forum.mikrotik.com/viewtopic.php?t=195759 and hence causing issues not handing out IP's anymore? No. ARP entries are not DHCP entries. When DHCP assigns an existing address to a new device (while the old address is no longer assigned)...

pe1chl

I have some TCP performance issue on a CCR2004 (Router B) running 7.12beta3 and beta7, but just on forwarding plane. You say forwarding but then you are testing from router to router? To test forwarding performance, put an end-system (e.g. a PC) at each end behind the routers, and test between the ...

pe1chl

Furthermore, when you run OpenVPN on the OPNsense firewall it would presumably be the openvpn.net implementation.
That is massively better than the "OVPN" in RouterOS.

pe1chl

Yes but with IPsec tunnel interfaces it is always unclear where to sniff. On a plain Linux system the issue is exactly the same. Because the plaintext traffic and the encrypted traffic is assigned to the same interface. Indeed, with VTI it would be better, but MikroTik has no VTI. Instead you can us...

pe1chl

When you configure plain IPsec tunnel policies, you are asking for this kind of trouble...

pe1chl

It is probably not that easy to implement...

pe1chl

Again I had the problem that my RB4011 hangs during update. It appears to happen "after some uptime" only. It was running 7.12beta3 for 20 days, I did the update, and it shuts down but does not perform the update. Of the 10 ethernet ports, only the LED on port 10 remains on. That one is do...

pe1chl

Please, any chance to make the station-bridge mode compatible over the air between different generations of devices? bridge mode is already incompatible between manufacturers. basically you have to see wifiwave2 devices as a different manufacturer. when you require transparent bridging over differe...

pe1chl

What do you mean, support for template formatting? When you select IPFIX you can mostly select the members of the template (Ok, some check marks enable multiple fields) but when your collector cannot parse a template that has fields it does not want, I'd say the blame is on the collector. I wrote a ...

pe1chl

In my opinion even more important is to extend the byte counters to 64 bits. (now they are 32 bits which really does not cut it with today's network speeds)

pe1chl

The "new devices" listing on the hardware page has a MIPSBE device, with 16MB flash even.

pe1chl

As I wrote before, it is something that the new Linux kernel does. Probably there is a reason for that change, is more efficient or whatever.

pe1chl

I would say what "stable" means is a matter of opinion

When you want it like that, fine. But some people have the opinion that "stable" means (or suggests) that it works fine and does not crash. But that is not aligned with reality.

pe1chl

So, create the scheduled script. That works, and causes no further issues.

pe1chl

I hope the improved routing filters they promised should be _IN_ before they make an LTS v7 So basically we have one group who wishes that a long term version is released as soon as possible so that they can deploy v7 in their organization that has the policy of only running long term versions, and...

pe1chl

... and then there are (probably) thousands of us using RouterOS on dozens of devices from home applications to medium size enterprises and did not encounter any serious issue for years, so we are perfectly fine with calling it "stable" :) Again (100th time): "stable" in the cha...

pe1chl

One way of reproducing this is to have multiple route tables. The SNMP OID does not really provide for that, and it seems RouterOS just merges the output for the different tables which disturbs the sorting and thus the increasing of the OID in walk.

Search found 11929 matches