MikroTik

Steveocee

This is the basic setup I use for both my main internet connections as well as my VPN setups, it's fast (very) and requires no additional scripting or netwatch usage. Just ensure your pppoe client does not create it's own default route. /ip route add check-gateway=ping comment=Internet distance=1 ga...

Steveocee

Pre-empting the worst is probably the best summary.
If they're poking at certain ports when they shouldn't then you probably don't want them poking at anything.

Steveocee

Roaming in this way is driven by the client device, you can have the best setup in the world but a sticky client won't move. You can try to encourage this movement by ensuring you are using non overlapping channels and employing a minimum RSSI on the AP's.

Steveocee

I've dropped you an email. My extract has probably 95% of what you need, just need to change the line that grabs the MAC address to grab the SN and you should be good to go.

Steveocee

A dst-nat rule should do this week enough. If you match against anything destined TCP/UDP 53 and just dst-nat it to your server you can rule all dns through it.

Have you specified it on the DHCP server as well or is the MT not doing that?

Steveocee

Glad you got it sorted.
Maybe just shuffle the "accept dst-nat" rule to number 3? You really want the rules with the most traffic towards the top so the packets are not delayed in being handled and est&rel will be the highest ones (in most applications).

Steveocee

Thanks for some feedback - i will look at making a few amendments to my base config generator to include some enhancements to the firewall. I have remove the IPs / screenshots from the post above Just removed my home routers firewall config with this to see how it works .. we specialise in VoIP so ...

Steveocee

I agree but just strange it allows it on Sat...

Because.......

MikroTik

Steveocee

You probably wouldn't with that implementation. You are only FT'ing the "input" traffic and not the "forward" with that rule. Once you apply it to the forward chain then things start to get a lot more interesting but it begs the question if you really "need" to? Trying ...

Steveocee

00:00:00-23:59:59

I doubt that second will go astray.

Steveocee

DNS is also open to the world!! Your firewall rules fast track anything going input then you have drop rules after this which will never work as you have already fast tracked the traffic. steve@general:~$ dig forum.mikrotik.com @X.X.X.X ; <<>> DiG 9.10.3-P4-Ubuntu <<>> forum.mikrotik.com @X.X.X.X ;;...

Steveocee

"00:00:00-00:00:00"

I think is what you want.

Steveocee

So quick follow up. MikroTik support have so far been very responsive however the implication is currently that the issue is with my computers L2 connectivity. My desktop and 2 laptops can't discover it (cabled and 2 wireless) however the 'Tik App on my phone on the same wireless AP as the laptops C...

Steveocee

If both networks are running from the one single RB2011 in the middle then you do not need to do anything to get them talking. Both networks are connected to a "router" so it will naturally route between them.

Steveocee

Right, the picture helps. >You need ALL the numbers you have mentioned >You need to change the in-interface to pppoe-out1 >You need another rule for the UDP traffic, to do this, open up your current one and choose "copy" which will open up another window copied from the first, go to genera...

Steveocee

I think you want something like this, you won't be able to copy/paste it as my in-interface name is probably different to yours, change this for your WAN interface name and it should work.; /ip firewall nat add action=dst-nat chain=dstnat comment=example-rule dst-port=3189 in-interface=ether1_WAN pr...

Steveocee

This will guide you through; https://www.youtube.com/watch?v=3ni_R03OOrg thanks but i know those things, i just don't know which one of these numbers is the port ! TCP: 1935,3478-3480 UDP: 3074,3478-3479 right now i put this (3478-3480) for both ports and chose Wlan1 for "In Interface" an...

Steveocee

This will guide you through;
https://www.youtube.com/watch?v=3ni_R03OOrg

Steveocee

How are you planning on shaping the traffic? (Out of interest).
I would recommend CHR as it is a "current" product where X86 has been left behind a bit in terms of hardware support.

Steveocee

Your problem looks to be the same as others have found a common issue here;
viewtopic.php?f=3&t=128762&p=693740&hil ... ng#p693740

Steveocee

I think you are confusing routeros version a bit with your routerboard FW. If you are uploading the file to the wAP, do a system > reboot. That will initiate an update of routerOS. Once routerOS is updated go to system > routerboard and you will see that the 6.43.4 FW is available for the board. Hit...

Steveocee

I see so I have been using the wrong file for uprade ehhhhhhhh ok I will check the architecture and let you know

It's ARM like the poster above has said.

Steveocee

I too get this however it is not so much a problem as expected behaviour. You can use split VPN types as you have found or you could set up a VPN from the router and some sort of policy based routing to get around this.

Steveocee

It sounds like there is a second DHCP server on your network. Maybe you have bridged the WAN interface? Could be a possibility. Try turning off your dhcp server and then connect to your network as dhcp client to check. Also posting config is needed with most problems, 95% of it will not be unique to...

Steveocee

Thank you for your reply. But it's vary sad...

It's a change to how you need to operate. Sad in the short term I agree but once you adjust your working methods. It will become second nature as it currently is.

Steveocee

We are the biggest UK distributor for MikroTik and we have stock: https://linitx.com/product/mikrotik-routerboard-hap-ac2-with-uk-psu-tower-shape/15370 Hope that helps Nick I live in EU, not in UK. Issue is for EU not UK. :) Good job they ship to the EU then!!! https://linitx.com/info/shippingreturns

Steveocee

35% of a quad core is 100% load of a core in single core application. Total utilisation doesn't tell you this, if you check profile when CPU is that high I reckon you have a maxed out core hence the packet drops.

Steveocee

You will need to post your config to let everyone see and help.

Steveocee

Hi Steve, Just send me the airline tickets and I will be glad to stand at one end of the connection to move things around. I am really lucky ;-) On the other hand the fetid vapours of intoxicated Brits (on warm beer) may be a cloud to dense for your traffic ;-PP That's it. Must be the toxicity of t...

Steveocee

My 2.6Km link does not want to link up. I'm using 64800 as not totally sure about legalities of 66Ghz in the UK yet. Little bit gutted as I expected at least something. Apparently you do not direct the antenna. We previously worked with SIKLU so there is experience. The main thing that would be dir...

Steveocee

My 2.6Km link does not want to link up. I'm using 64800 as not totally sure about legalities of 66Ghz in the UK yet. Little bit gutted as I expected at least something.

Steveocee

It's a great idea to have a management network if your end devices can be separated like that. Once you are in a SOHO/SMB environment then this becomes almost standard to have multiple LANs (/vlans). The trick is ensuring nobody simply plugs in to your MGMT network to access the devices. Ensuring yo...

Steveocee

Pardon me for asking but is there a specific "need" to have the traffics behave in this way?
You could simplify your life massively by using a PCQ load balanced queue and balancing over the 2 connections which would introduce failover as well.

Steveocee

Smokeping.

Steveocee

Setting up a NAT rule is not enough. If your firewall is blocking the connection then the NAT rule will not work. You'd be better doing an export of both your firewall filters and NAT table for everyone to see and advise on. The default config has a rule to drop anything non-dst NAT'd which is very ...

Steveocee

CRS305-1G-4S+IN Maybe a stupid question but could one use the above device as an ethernet translation/adapter device (ethernet in from the LAN, fibre out to specific locations or devices)? The info says the ethernet is strictly for management so me thinks not. You could use an SFP+ to ether net ada...

Steveocee

Maybe this then?
https://mikrotik.com/product/hap_ac2

Steveocee

Which one would be recommended? Small physical size would be good for me...

Where is your budget at? A hAP AC2 could do what you want but so could a CCR1009. Budget plays a part.
I take it the CRS125 can be reused as a switch if you need that many ethernet ports?

Steveocee

So, I have too much firewall rules and/or too much VLAN routing?

Yes.

Steveocee

You need a ROUTER not a SWITCH WITH L3 CAPABILITY.
Your config is far beyond what I would ever want to deploy onto a CRS125, you are asking too much of it.

Steveocee

I suggest you all write to Mikrotik support, seeing as they clearly don't believe me - based on the fact that they have done NOTHING about this bug in the last 9 months.
Posting here is essentially pointless.

Done.

Steveocee

Would be nice if CRS112 was half rack width with option to join 2 together to make 16 port full width.

Steveocee

How are you auth'ing these users?

You can build contention groups within simple queues without too much problems. Just need a way of identifying who is in which pipe;
https://wiki.mikrotik.com/wiki/Manual:HTB

Steveocee

SMB over the web is hideous. Latency will affect the performance massively. If you can you might be better trying to get an FTP or SFTP up and attack it that way.

Steveocee

Interesting as both statements can actually be correct at the same time if you read the information as a whole..... User added entries (user in place of admin, you know, the ones you specify yourself) take priority over servers gained dynamically -HOWEVER- If a server is gained dynamically BEFORE a ...

Steveocee

Normis I understand your comment about 8 Clients 125Mbps etc, but the problem is we are competing with full fibre installs in the UK and a speed test at 100Mbps is not what they signed up for or expect. We offer 100, 250, 500 and 1Gbps plans and having that missing product in the middle is a real p...

Steveocee

This implies that the router is certainly capable;
https://mikrotik.com/product/RB951G-2Hn ... estresults

Most likely an issue with your configuration. Can you post an export for all to see?

Steveocee

Unless you find an alternate reference stating otherwise, I think you may owe me some brewskis :-)))))) "When both static and dynamic servers are set, static server entries are more preferred, however it does not indicate that static server will always be used (for example, previously query wa...

Steveocee

Hi Steve, - DHCP Client, USE PEER DNS, instructs the router to use ISP DNS servers - IP DNS, allows one to enter in manually selected DNS Servers such as google and dyndns They both show up on the IP DNS page, and from what I gather the USE PEER DNS takes precedence and thus although one may have g...

Steveocee

For IntusDave:
Do you have any problem or do you update? I run your script but the script didn't download nothing.

I thank you for your help!

Are you running IP > Cloud ? Would be the "easiest" thing to check at this point as it is a prerequisite.

Steveocee

Create a another simple queue above your current one with target IP as your 1 device which will take priority.

Or you can create fast track rule for your 1 device which will then stop using queues.

Steveocee

I think the answer in your use is to simply get a CRS328 which is a little more expensive but has some "growing room". https://mikrotik.com/product/crs328_24p_4s_rm I hope that dedicated PoE and non-PoE ports will not be a thing in the future and they adopt the standard they are currently ...

Steveocee

Yes the simplest way would be to run a VPN over the router and then forward ports from the VPN IP address to your server. This would work in fairness like a PPPoE connection.

Steveocee

Being totally honest you sound like you need a local consultant rather than help from the community with this. It's not just the design but the implementation as well will need to be very specific and a local consultant will be able to do all of this for you. For kit, the cAP or wAP AC would probabl...

Steveocee

I too have this problem. Winbox finds all RB & CRS devices in my network but my CHR takes about 4 tries to discover if at all.

Steveocee

We have been using the RB2011 boards for some time now and have just recently experienced two units that will shut down when eth1 is plugged into a cisco poe switch. Works great when the poe is turned off on the switch port but is there any explanation as to why our past units are fine and only rec...

Steveocee

Take what you need from this. Explains how to hairpin NAT, create the correct port forwards and can be adapted for dynamic or static WAN IP (plus some comedy phrases);
https://www.youtube.com/watch?v=_kw_bQyX-3U

Steveocee

Think of the entire CRS range as a switch with "some" routing capability.

Steveocee

CRS125 is at heart a switch with some routing functionality, you shouldn't expect too much from it. Best I have ever had was 125Mb throughput but that was without fast track. Btest is an inefficient beast as well, you'd be better iPerfing through the router rather than in/out of it due to it's very ...

Steveocee

The 3011 would be a good choice if it was stable. It has a lot of port flapping issues which are yet to be fixed so I wouldn't confidently tell you to buy one. The RB1100AHx4 is very good and would easily cope with what you need however is a bit pricier than the 3011. Maybe the Hex or the Hex-S if y...

Steveocee

I have the following Configuration:
VMware ESXi v6.0.0

I am using ESXi 6.5.0 u2 with absolutely no issues at all. Is there any reason you have not updated your ESXi installation?

Steveocee

What channel are you using? The oxygen absorption effect is lessened as you go above 60Ghz. The "testing" 66Ghz channel is marketed as capable of 4Km so the current 64800 may give you the push you need.

Steveocee

No danger at all. It will work absolutely fine.

Steveocee

The interface is classed as a slave as it is part of a bridge, you can't run a DHCP client or server on a salve port, you would need to put it onto the bridge. That and the above.

Steveocee

I've watched list "2" slowly grow over time, I think it was "only" around 14,000 entries when you first started this thread off and now it is up to 23,500+ entries. Seriously amazing stuff Dave.

Steveocee

I would be tempted to future proof from the start and look at either a pair of 1016's or a 1036 (the pair of 1016 is for fault tolerance).

Steveocee

Can you get the NAT type working if you remove the load balancer, so running a single connection first (even though it may be bad) and then add the load balancer back?

A correct implementation of UPnP should work (although not secure) but should as a minimum be consistent.

Steveocee

My understanding was that DNS servers were always used in preference order. First one until it is not available at which point the queries go to the second.

If this is not the case it is both good and bad news I guess.

Steveocee

Without knowing exact specification of what you want to achieve or you want to spend then I'd agree with Normis. That's a great all rounder.

Steveocee

If you have 2 separate bridges in the router then traffic behind them should be able to talk to each other anyway due to the fact you are connecting to a router. It will route as it's default mechanism. You actually have to try hard and firewall/filter them not to. You should be able to achieve what...

Steveocee

Put a cheap MT unit behind with IP>Cloud enabled.
Create address list on your router to only allow those DDNS names access to PPTP port.
Drop all other PPTP requests

Steveocee

Address list is much more efficient for CPU than multiple FW lines.

Steveocee

This is excellent! I am now significantly more confident my 2.5Km link will work. (Hope you don't need your backup).

Steveocee

Kid Control is by far the easiest way of achieving time based access across a child's devices. You can restrict the time slots (multiples throughout the day) speed and easily assign multiple devices to a child group.

Steveocee

I have a question about trees colors (green, yellow, green). I found in old post that color states are related with limit-at and max-value. green - a class the actual rate of which is equal or less than limit-at... yellow - a class the actual rate of which is greater than limit-at and equal or less...

Steveocee

Can you try disabling fasttrack. That stops connection tracking and may be what is causing the packets not to be classed as established or related.

Steveocee

You will need to provide some more information for people to be able to help you. Can you provide an export of your config so we can see what the router is doing? Try turning off fasttrack as that stops connection tracking and may be part of the issue you are getting.

Steveocee

The WAP LTE can take a direct input of between 9&30v.
You could use the bundled 4 pin automotive installation cable and use 12v to power it.

Steveocee

Ok so after upgrading from 6.43 to 6.43.2 the problems ceased. It gets decent throughput and performance but still not compared to a RB941's throughput performance with the exact same settings and firmware. Have you actually tried Nest's suggestion? What that guy doesn't know about WiFi isn't worth...

Steveocee

Can you do a full export of your firewall?
Are you explicitly accepting already established and related connections?

Steveocee

Have been saying for a long time there is room for a CCR with a quad core and the 4011 is close to making it (that rack mount though).

Almost like the CCR line went AMD mentality (more cores are better) than the Intel way of faster better cores.

Excited about this new generation of CCR

Steveocee

Is there a chance of running 6.43? The is a new implementation of IP cloud and it may be a "legacy" feature.

Steveocee

Will be perfectly fine and work with existing switches without issue.

Steveocee

Yes, we are aware of this peculiarity and we are working also on new routers that have higher power per core, not just many cores.

That is extremely good news.

Steveocee

Some models are lacking CPU information on the website. So far, just looking at the MHz on the listing is enough to categorize the models: 400 MHz: essentially switch, very low routing performance 600 MHz: RB2011-class router 800 MHz: about the same routing performance, different arch 800 MHz dual ...

Steveocee

As a temporary work around have you tried making cloud.mikrotik a DNS static entry in the main router and sending the traffic nowhere? It may remove the flood of outbound DNS but obviously won't stop it as such.

Steveocee

X86 or CHR?
I believe MT put most of the ongoing work and drivers into CHR now and do not update X86 so much.

Steveocee

Some models are lacking CPU information on the website. So far, just looking at the MHz on the listing is enough to categorize the models: 400 MHz: essentially switch, very low routing performance 600 MHz: RB2011-class router 800 MHz: about the same routing performance, different arch 800 MHz dual ...

Steveocee

You are opening a VPN server up to the world and are unhappy the world is trying to use it. Are you expecting the genuine VPN connections from a set IP address(es) or range or is it more a road warrior kind of setup? If you are expecting specific IP's then you can add them to a list and amend your a...

Steveocee

Interesting experiences.
I have some test kit going up soon which is by Google mapping 2.63Km clear LOS tower to tower.
I'm not expecting full PHY rates but am wondering what it will reach and how any rain will affect the link. My hope is that it folds back and doesn't go off completely.

Steveocee

From fresh install CHR is slightly hindered, you will only get 1Mb in one direction but full speeds in the other. Once you give it internet and assign it to your account it goes into trial mode (60 days) use. Once the 60 days runs out there is no detriment to the OS, it carries on working fine apart...

Steveocee

I actually thought that a CCR didn't have much of a config on it straight out of the box.

If you can't get connection from the router, go back to basics, is the CCR getting an IP? Does the interface have an IP?

Steveocee

Hi, What editor are you using? It's probably not the best idea to move between versions with an imported export as the newer version may not have some of the older references, some things change between version numbers which you may be referencing. To debug you could manually copy and paste the line...

Steveocee

Really looking forward to it.

Steveocee

LCD > PIN

Capture.PNG

Steveocee

If you are unticking "add-default-route" then you simply need to correctly create a route for the router to reach the web.
Can you do an export of your static routes.

Steveocee

Didn't realise this was a necro.

Steveocee

OP has a point. New 60Ghz "Lite" model can do 60Ghz connection so up to Gbit over the air in full duplex and is specced with a 10/100 port. Mental! This is a CPE unit for connecting to an access point. If the AP has a gigabit connection and there are 8 CPEs connected, nobody can get more ...

Steveocee

OP has a point. New 60Ghz "Lite" model can do 60Ghz connection so up to Gbit over the air in full duplex and is specced with a 10/100 port. Mental!

Steveocee

Absolutely!

I find them very handy when setting up firewall and NAT rules.

Steveocee

Just signed up to the forums to say... I really want this feature too. At this rate I'm going to have to buy an Ubiquiti EdgeRouter X to replace my hEX... Not quite as good as codel but use an sfq until it gets implemented. Just make sure you set the limits a few kB below what your service can do t...

Steveocee

Have just moved my CHR up and cannot see any Winbox entry for IP>Cloud however terminal I can access it and apply it.

Steveocee

Have just noticed 6.43 has moved into the current branch so have updated accordingly. Can't seem to find IP>Cloud though?? Looking forward to using the IntrusBL again.

**It's not in Winbox but is there in the terminal.

Steveocee

Discovering CHR via Winbox is very hit and miss. My CHR sometimes comes up if I refresh neighbours about 4 times and leave it for 5 mins. I wouldn't pin "all" of the blame on Winbox/WINE combo at this point.

Steveocee

Steveocee This image compares only the color of the device in the interior, rather than laying the cable to the workstations (everything is done in the cable duct 25x60 mm) CRS112 or CRS326 is not suitable for tasks (expensive and two-storey ports, us need one floor ports UTP hid in cable channel 2...

Steveocee

And one port should be placed on bootom side to be pluggable directly from the wall with 5 cm hidden cable. This port should be PoE In to power device. and ports should be colored to let users easy find one ... I am almost listening to technician saying "look for purple port and connect cable ...

Steveocee

Image example It would never look like that though. Surely a CRS112 or CRS326 would do what you need? They can be wall mounted by turning the rack ears 90 degrees. I've taken the liberty of making your image look realistic though. Please note you can use different coloured LAN cables if you wish. 1...

Steveocee

Problem is here: RouterOS 6.35.4 Reset your RB3011 to factory default. Update it to the latest RouterOS 6.42.7 at time of writing this. Check for any scripts, scheduled tasks or files that look like they shouldn't be there. Change the admin details, create a new user for yourself, give yourself admi...

Steveocee

Don't quote me but I thought on that model it was either 2.4Ghz or 5Ghz. Not simultaneous.

Steveocee

I have 6 SFP modules from various vendors and none of them work in rb3011. They work in all my other network equipment. i will try to replace the rb3011. Sorry to say that unless they are MikroTik modules you will not get much support. You should always use the correct module per device rather than...

Steveocee

Budget would be useful.

hAP AC or hAP AC2 would be towards the top of the pile.

If you can wait a short while one of these viewtopic.php?f=3&t=138613

Steveocee

Make sure you are in ether2 or ether3 and use Winbox. If L3 is an issue you should be able to L2 into it.

Steveocee

Have you correct SFP modules for send and receive? normally blue and yellow bars on them Blue and yellow is generally if you are using BiDi SFP's to denote which end you have used. I use Cisco GLC-SX-MM with no issues on my RB3011 so there is some evidence they "may" work. Have you got an...

Steveocee

So you've got a guest network that you want to slow down but they are still a member of your "private" LAN? You'd be better going down the slightly longer route and splitting them off with their own "guest" bridge and IP range to separate them from your LAN and it will give you m...

Steveocee

A couple of days ago I think I may have found a slight "hiccp" with my brutal approach. The kids couldn't get Amazon prime to work and last night I also couldn't watch an Amazon video. Disabled my drop blocklist rule and they started working, looks like something from Amazon "poked&qu...

Steveocee

The queues may not have worked if the interfaces you specified were part of a guest bridge. Try applying 1 simple queue to the bridge rather than the interfaces and you should find it starts working.

Steveocee

The current MUPS is only really aimed at single device upkeep such as clients CPE to keep internet going in case of power outage. When I read your first post my knee-jerk reaction was that RB260GSP ships with 2.5A power adapter which I would not expect a MUPS to be able to do. It of course has the e...

Steveocee

Whilst this won't answer your question directly. If it was me I'd have whipped the top off the router to see what RAM it has currently and taken specs from that. MT have a 1036 "EM" model that ships with 2x8GB DIMMs so you can get at least 16GB in there. Begs the question though, what are ...

Steveocee

The images released were probably just prototype. I can't see MT negating a feature like the USB from it's mid level tier lineup. LCD I wouldn't blame them from dropping, they're a waste of resource at best.

Steveocee

Do you need to reinstall RouterOS? You can do a hardware reset which puts the router back to factory settings or you can netinstall as others have said.

Steveocee

Yep. Those 2 drop downs in the advanced tab are too far out of reach

Steveocee

Simple queue is perfectly adequate for this. Just use the first tab.
With only first tab is impossible to perform an elementary task in one queue:
set summary limit + set per IP limit

Have you looked into Queue type PCQ? I thought that would do what you are looking at?

Steveocee

The subnets on each port only need a router between them to talk to each other. Thankfully you have that.
By its nature the CCR should try to route between the subnets unless you have stopped them from talking to each other.

Can you post more config?

Steveocee

Have you changed the queue recently? Maybe remove and re-add it. Have you rebooted the router? Rubbish answer but it did get me out of a similar situation once. The queue is pointed at the bridge, do you mean to limit the entire bridge like this? What is it you are trying to limit? WAN link? Can you...

Steveocee

You may be able to "bodge" this by setting up your LAN as a hotspot client and limiting data used that way? Very long winded way around doing it but should work.

Steveocee

Under the IP>Cloud setting, check to see if the time update function is ticked (by default it usually is) as this will keep looking time up. Enter your chosen NTP server in System>SNTP client instead.

That "should" sort it.

Steveocee

Hello,

current Queues has a very large number of settings and a very complex and confusing.

Please add simple speed limiter.

Simple queue is perfectly adequate for this. Just use the first tab. What is it you are trying to limit?

Steveocee

As per previous reply. Please post a config so we can see for a loop, have you set an admin-mac address on your bridge? Sometimes this helps. I usually grab ether1's MAC and increase second character eg; E4:CC:D4 becomes E6:CC:D4

Steveocee

+1 Was reading about this earlier. Would love to see the MikroTik finger "on the pulse".

Steveocee

Hi, Maybe a couple of WAP AC's would do the trick? Having said that as much as the guys on this forum may not like me mentioning it, something like a UBNT nanoHD would serve even better. I find MikroTik routers absolutely amazing for routers and switching but wireless I sometimes find lacking or lag...

Steveocee

Also dangerous in a lot of situations.

That's why there is also a software option to turn it off.

Steveocee

Hello world !!!

Does anyone make some test installations wth the wireless wire dish kit, and can show some results ?
I am looking for some hardware for a stable 4,5 km connection. I need ~500mbit/s.
Can these devices provide this ?

TIA
wayne

80Ghz may be better suited.

Steveocee

Sounds like it is faulty. How old is it? Will the seller not allow you to return?

Steveocee

Do you mean kind of like the reset button you get on UBNT PoE?
That would be a pretty amazing idea.

Steveocee

This is why there is no V7. Upload to a current router and fire starts.

Steveocee

Hairpin NAT is what you need. Have a look at my video which shows you how to do this;
https://www.youtube.com/watch?v=_kw_bQyX-3U

Steveocee

Not that I have a huge need for this but it would be great if MikroTik just made it work. I fear it may be hardware related as "old" software would only allow X amount of master's in a master-slave switch configuration.

Steveocee

I've stuck the following onto a spare IP we have kicking about just to see what is prodding at it. It's harvesting a lot of IP's at the moment, forward planning is to have the IP's added dynamically then upload them to a server centrally then all border routers pull from that. You need to set a whit...

Steveocee

Even though it is labelled all ports PoE, routerOS gives you full option to force it on, off or auto on.

It will be fine.

Steveocee

Are you sure it is PPPoE related and not that the carrier link has gone down? What technology are you connecting over?

Steveocee

@IntrusDave Can I ask if there is any way to relax this "need" for cloud? With 6.43 being an RC candidate many people won't run this on their "normal" equipment and only on test stuff. I love your script, I really do but I don't want to run a potentially unstable routerOS releas...

Steveocee

for some reason many of my firewalls do not seem to have the version of the code that supports the ddns. So when I go to /ip there is no "cloud". This is true for both x86 versions and CHR running 6.42.7. Has anybody else seen this? You need 6.43 on your CHR to run IP>Cloud and it has bee...

Steveocee

This is a fantastic start!

I'll grab hold of this later and push it to a test router I have to see what it does or doesn't break.

Thank you

Steveocee

When you mangle you are inspecting every packet so the CPU in those Hex's will start to max out quite quickly, yes they are brilliant for the price but the VPN performance is in part to the HW offloading. You need something with more CPU power. As a minimum you would want an RB3011, better yet an RB...

Steveocee

You would generally get better receive rates at the client end but you may struggle in getting RX rates at the AP up. IT wouldn't be uncommon to get a-symmetrical results. In PtP there would be little reason not to run matched antennas.

Steveocee

First thing to check is SIP helper turned off in your routers? IP>Firewall>Services ?
Occasionally clients call up with SIP issues and ask for SIP-ALG to be turned off which the above is the "go to" in this occasion.

Steveocee

When ubiquity had problems with cracking ToughCable, they replaced it. When almost all car industry had a airbag,brake or software problems, they recall the cars for service. When Samsung had sell explosive phones, they replace the phones. Can you see the problem now? All of the above have a cost v...

Steveocee

Expanding on previous comment. Use static DNS entry and force DNS requests to your MikroTik.

Steveocee

An older issue with lower end models was that having the LCD screen active would cause latency spikes. Don’t know if you have LCD active but may be worth a try turning it off if it is on?

Steveocee

Yes should definitely work.

Steveocee

It depends which UAP you are using. Some will work from 24v power source and some need 48v power source.

From memory the UAP-AC-Lite and LR will power up from 24v and anything above that needs 48v (AC-Pro and onwards).

Steveocee

How are you trying to block it?
You could use the TLS matcher in firewall to block it.

Steveocee

Will it be available for x86 router soon?
I am also looking forward to have support in x86

I hear mumbles of CHR being available from 6.43 so there could quite possibly be x86 implementation.

Steveocee

Stupid question, why a RAW and Filter drop rule? Can't there be 1 rule in RAW which kills everything on the list?

Steveocee

Steveocee thank you for explanation. The one more thing I would like to ask: Is adding new rule like I mentioned above safe? Or maybe there are other ways to get the router accessible over VPN? That rule could be tightened down a little more by specifying the in-interface as your VPN. I think that ...

Steveocee

I would not want to daisy chain anything off the back of the RB3011. Personally I would be putting a passive injector between all the equipment mentioned. Why? The power output is not enough especially if you are looking at running kit out of the following kits PoE. It just won't be reliable.

Steveocee

That should work as long as it is above the block access rule.
The original rule was input chain so would only apply to traffic destined for the router. If you were blocking access to the LAN you'd want a forward rule as well, that is why you can ping hosts and not the router.

Steveocee

Single SSID is simple. Set same SSID and ensure AP's are on different non overlapping channels. Roaming is handled by the client mostly anyway.

Steveocee

Your description is very vague. Anything from this page, maybe buy the best your budget allows?
https://mikrotik.com/products/group/wir ... and-office

If you can be more specific then we can advise better.

Steveocee

Your firewall filter rule disallows access from anything not on your LAN interface list. You are effectively not coming from your LAN interface when VPN'ing in to the router. That is most likely the cause.

Steveocee

So I have to put a passive injector between RB760iGS and RB912UAG-5HPND. I dont want to use another PSU than my 24V/5A industrial railed one. I would not want to daisy chain anything off the back of the RB3011. Personally I would be putting a passive injector between all the equipment mentioned. Yo...

Steveocee

Yes, I've blocked most of the IP's that are trying to leach the lists. Still working on an auth system that is reliable. I think it's going to have to be based on the the Cloud DNS.. [/ip cloud set ddns-enable=yes] is going to be required, unless MikroTik gives me a way to authenticate better than ...

Steveocee

IIRC the max power output for an RB3011 is 0.5A (500ma)
What does the IIRC mean? Sorry I dont understand. Is it factory specification?

“If I Remember Correctly”

Steveocee

IIRC the max power output for an RB3011 is 0.5A (500ma)

Steveocee

@IntrusDave
Have you changed the beta availability again? I've just checked my list to make sure it's still updating nicely and noticed I've jumped form some 2K to 16K entries!
Thank you

Steveocee

If you run maybe 2 cores do any get disabled?

Steveocee

Set your primary as distance 1 and enable check gateway.
Set secondary link as distance 2.

Router will go down primary until it cannot reach gateway where it will failover with no need for additional scripting.

Simple, but it works well.

Steveocee

ESXi on the free license will only allow up to 8 vCPUs, have you paid for ESXi? Usually ESXi would not start the VM and tell you to pay for it but maybe you’re getting a weird behaviour?

How many CPUs are you allocating?

Steveocee

You could also check if the new CCR can run 6.40 firmware (see in System->Resources what is the factory software, is it 6.40 or lower?) If so, you could downgrade to 6.40.8 and it will probably load your export without further issue, then you can upgrade again to 6.42.6 and it will automatically co...

Steveocee

How many CPU's are you assigning to the CHR installation? What happens if you set just 1?

Steveocee

Thanks! This is the next line not working set [ find default-name=ether4 ] advertise=100M-full,1000M-full comment=\ "Database Server" master-port=ether1-Group1-Master name=ether4-Group1 6.41 did away with master-slave configuration and introduced hardware offload to a software bridge.

Steveocee

Flow control is not present in the newer firmware hence not being able to apply it.

Steveocee

How are you powering the powerbox? I seem to remember reading recently (can't remember what thread) that you will get this if it is powered by PoE but not if it is by mains DC jack.

Steveocee

Hello,
Can you post your config? Make sure to use the hide sensitive command so no needful details are shared with the world.

Steveocee

Can you post a bit more about what you are trying to achieve and how you have already gone about it?
Do an export of your config but hiding sensitive details or just your queues and we can probably help you.

Steveocee

It's limited for now, hoping to have a very basic auth system in place by tomorrow morning. My server logs show at least 2 people trying VERY hard to figure out how to trick the server to sending the list to a wget/curl client. Sorry, but the blaintant abuse won't be tolerated. I'll post a simple G...

Steveocee

Yes. I know. But after pressing the button apply or OK in the WebFig all the input I made disappear and the user get the status blocked. But I found a solution: Adding a user in the terminal works well. the user gets blocked (and the input disappears) while adding a user in the WebFig. Thanks! If y...

Steveocee

From another WISP in the UK. We too are seeing this problem. More often than not PoE disappears, a reboot does not fix it but a prolonged power off (1hr) does.
We don't want to switch back to injectors either we have seen a sharp rise in routers going "duff" and dropping power out of P5.

Steveocee

I see everybody here is amazed how great service it is, but has anybody think about security risks of such service? Importing third-party script to your router without any validation? I wonder why this list is not provided as plain list of IPs and let everybody implement custom script parsing and v...

Steveocee

Just put this onto my CHR home router. Had to fiddle the script a little bit to make it work though which I expected I may need to; Note, disk1 is not present and I had to add in a "?" after the "fetch.php" /tool fetch mode=https dst-path=/blacklist/filters.rsc url="https://...

Steveocee

There is absolutely no problem in using the router as a PPtP client whilst it has a PPPoE internet connection. The issue you are facing sounds like you are allowing the PPtP tunnel to apply it's own default route weighted "1". Do not allow it to create it's own route and then build your ro...

Steveocee

/watching

Interested to see feedback from those using this.

Steveocee

You need to click the drop down next to the days. You are creating the user with no allotted time slot to use their device.
Once you click the drop down they will get time slot 00:00:00 - 00:00:00 which is always on.

Steveocee

How do you want to share it?
Purpose built QoS?
Perfectly balanced per connection?
Round robin of connections trying to make use of it?

Steveocee

All the info you need will be just here; https://wiki.mikrotik.com/wiki/Manual:Interface/Bonding I have played around with bonding using 2 CCR's and a few ethernet's between them, I found the best results from using the "rr" method. Using 5Ghz dishes though it could be more beneficial to s...

Steveocee

PC model is 9x1Ghz cores
Non-PC model is 9x1.2Ghz cores

These are stock figures but a small difference to be noticed if you are doing CPU intensive tasks.

Steveocee

Please post a config for the problem device.

What are you using dude to monitor exactly? Your ISPs network? I didn’t quite understand that bit. You don’t really have a network to monitor?

Steveocee

When you say you have just installed CHR, do you mean you’ve used the premade OVA from MikroTik or you have used an ISO to install or how have you done it? Googleing the problem refers you to the VMware help center and the general consensus is it is caused by a kernel panic in the guest. So how have...

Steveocee

Alphabetical as far as I’ve always understood it.

Steveocee

There is no security key for your connection to the wireless. It means you are susceptible to some unscrupulous people.
My advice would be to get a VPN to encapsulate your traffic so you can’t be intercepted.

Steveocee

You can use https://mikrotikconfig.com/firewall/ to generate national IP lists. I would suggest generating just 1 which uses your country IP addresses. Rename the list to "national" or similar to suit. Mangle your traffic marking dst-address-list national traffic and then another mangle ru...

Steveocee

Thats a long way for the LHG60's!

Steveocee

Is the environment very warm? I would dare say the obvious of would a standard cooling (non-PC) unit do the same?
Have you "overclocked" the CPU at all? Can you try running the CPU at a lower frequency and see if you get the same? System>Routerboard>Settings

Steveocee

You could run a script on schedule to check if pppoe_out1 is down and if it is then send email?
Probably not quite as "clean" as using Netwatch but would certainly overcome the problem.

Steveocee

By default the www service is enabled and the router will hold port 80. You can change that to free it up or you can disable www service if you are using Winbox.

Can you post some config?

Steveocee

This is something which seems to crop up now and again. I am yet to find a "real" solution to it.

Are you using an admin MAC on your bridge? May be worth applying an admin MAC.

Steveocee

As Normis has mentioned. You will need a src-nat rule (copy the existing one and put your new range in) but also make sure you haven't made a mistake with the IP address on your new network. You MUST put the subnet after the IP address. You could do an export hide-sensitive to help us see your confi...

Steveocee

My god, you're a genius, I never thought of using .5.0/24 as my source but sure thats the most logical thing. It seems so simple now. And of course yeah 192.168.20.78/24 is the gateway I marked the diagram wrongly. Thank you so much for sticking with this and for all your help!! Glad you got it wor...

Steveocee

License the CHR to your account for the 30 day trial and then don't upgrade. Full speeds and no cost.

Steveocee

Using a hairpin in its basic format, maybe something like this? Although I would point out that in your diagram you have listed VLAN704 with IP 192.168.20.64/28 which is the network address so I'm not sure if that may be affecting you? Either way try masquerading your /24 at your /28 as theoreticall...

Search found 1120 matches