Network traffic gets slower when adding VLANs

Hi everyone,

I’m a software developer slowly getting into network stuff. I got myself a Mikrotik hex lite, two cap lites and two additional cap ac, all working behind a FritzBox 7490 (Modem & Router).
The architecture is as follows: ISP → FritzBox → Hex Lite → 2 TP-Link Switches (SW1 on eth2 & SW2 on eth3) → Access Points.
I managed to configure 12 VLANs with firewall rules, DHCP servers, OpenVPN into VLANs, etc.
A few days ago I noticed that the more VLANs I create, the slower the traffic on the network gets. It gets so slow that I can hardly work anymore. I already ruled out the access points, but did not get any further.
Using torch I could see that there is a constant UDP connection (bootps, bootpc) per VLAN with 2.7kbps. When I disable a VLAN, then the connection disappears and the speed on the network increases (online speed test).
Interestingly, only 11 of the 12 VLANs have such a UDP connection and I cannot figure out where the difference is. VLAN 30 does not use it.

I just learned that these connections are used for DHCP and are OK as long as they don’t constantly appear and don’t slow down the network.
And of course I already did a lot of research.

I hope you can rescue me or at least give me a hint, as this problem drives me crazy. But please be aware that I still consider myself a beginner.

Thanks in advance,
Timo.


# 2024-09-09 22:37:51 by RouterOS 7.15.3
# software id = 8WJC-AIWT
#
# model = RB750Gr3
# serial number = HD00880AA8M
/interface bridge
add arp=proxy-arp igmp-snooping=yes name="Bridge LAN" vlan-filtering=yes
/interface ethernet
set [ find default-name=ether1 ] name="ether1 WAN"
set [ find default-name=ether2 ] name="ether2 LAN SW1"
set [ find default-name=ether3 ] name="ether3 LAN SW2"
set [ find default-name=ether4 ] name="ether4 LAN"
set [ find default-name=ether5 ] name="ether5 LAN MGMT"
/interface vlan
add disabled=yes interface="Bridge LAN" name="VLAN FIRMA" vlan-id=200
add disabled=yes interface="Bridge LAN" name="VLAN FIRMA VPN" vlan-id=201
add disabled=yes interface="Bridge LAN" name="VLAN FIRMA Wifi" vlan-id=202
add interface="Bridge LAN" name="VLAN SURNAME" vlan-id=30
add disabled=yes interface="Bridge LAN" name="VLAN SURNAME VPN" vlan-id=31
add disabled=yes interface="Bridge LAN" name="VLAN SURNAME Wifi" vlan-id=\
    32
add disabled=yes interface="Bridge LAN" name="VLAN SURNAME Wifi Gast" \
    vlan-id=33
add disabled=yes interface="Bridge LAN" name="VLAN IoT" vlan-id=20
add interface="Bridge LAN" name="VLAN MGMT" vlan-id=10
add disabled=yes interface="Bridge LAN" name="VLAN PT" vlan-id=210
add disabled=yes interface="Bridge LAN" name="VLAN Solar" vlan-id=40
add disabled=yes interface="Bridge LAN" name="VLAN Storage" vlan-id=100
/caps-man datapath
add bridge="Bridge LAN" client-to-client-forwarding=yes local-forwarding=yes \
    name=datapath_SURNAME vlan-id=32 vlan-mode=use-tag
add bridge="Bridge LAN" client-to-client-forwarding=no local-forwarding=yes \
    name=datapath_SURNAME_Gast vlan-id=33 vlan-mode=use-tag
add bridge="Bridge LAN" client-to-client-forwarding=yes local-forwarding=yes \
    name=datapath_FIRMA vlan-id=202 vlan-mode=use-tag
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm name=security_SURNAME
add authentication-types=wpa2-psk encryption=aes-ccm name=\
    security_SURNAME_Gast
add authentication-types=wpa2-psk encryption=aes-ccm name=\
    security_FIRMA
/caps-man configuration
add channel.skip-dfs-channels=yes country=germany datapath=\
    datapath_SURNAME distance=indoors installation=indoor mode=ap name=\
    cfg_SURNAME security=security_SURNAME ssid=SURNAME
add channel.skip-dfs-channels=yes country=germany datapath=\
    datapath_SURNAME_Gast distance=indoors installation=indoor mode=ap \
    name=cfg_SURNAME_Gast security=security_SURNAME_Gast ssid=\
    "SURNAME Gast"
add channel.skip-dfs-channels=yes country=germany datapath=\
    datapath_FIRMA distance=indoors hide-ssid=yes installation=indoor \
    mode=ap name=cfg_FIRMA security=security_FIRMA ssid=\
    FIRMA
/caps-man interface
add configuration=cfg_SURNAME disabled=no mac-address=48:A9:8A:1C:BC:82 \
    master-interface=none name=cap1 radio-mac=48:A9:8A:1C:BC:82 radio-name=\
    48A98A1CBC82
add configuration=cfg_SURNAME_Gast disabled=no mac-address=\
    4A:A9:8A:1C:BC:82 master-interface=cap1 name=cap2 radio-mac=\
    00:00:00:00:00:00 radio-name=4AA98A1CBC82
add configuration=cfg_FIRMA disabled=no mac-address=4A:A9:8A:1C:BC:83 \
    master-interface=cap1 name=cap3 radio-mac=00:00:00:00:00:00 radio-name=\
    4AA98A1CBC83
add configuration=cfg_SURNAME disabled=no mac-address=48:A9:8A:1C:BC:83 \
    master-interface=none name=cap4 radio-mac=48:A9:8A:1C:BC:83 radio-name=\
    48A98A1CBC83
add configuration=cfg_SURNAME_Gast disabled=no mac-address=\
    4A:A9:8A:1C:BC:84 master-interface=cap4 name=cap5 radio-mac=\
    00:00:00:00:00:00 radio-name=4AA98A1CBC84
add configuration=cfg_FIRMA disabled=no mac-address=4A:A9:8A:1C:BC:85 \
    master-interface=cap4 name=cap6 radio-mac=00:00:00:00:00:00 radio-name=\
    4AA98A1CBC85
add configuration=cfg_SURNAME disabled=no mac-address=48:A9:8A:1B:B9:D4 \
    master-interface=none name=cap7 radio-mac=48:A9:8A:1B:B9:D4 radio-name=\
    48A98A1BB9D4
add configuration=cfg_SURNAME_Gast disabled=no mac-address=\
    4A:A9:8A:1B:B9:D4 master-interface=cap7 name=cap8 radio-mac=\
    00:00:00:00:00:00 radio-name=4AA98A1BB9D4
add configuration=cfg_FIRMA disabled=no mac-address=4A:A9:8A:1B:B9:D5 \
    master-interface=cap7 name=cap9 radio-mac=00:00:00:00:00:00 radio-name=\
    4AA98A1BB9D5
add configuration=cfg_SURNAME disabled=no mac-address=48:A9:8A:1B:B9:D5 \
    master-interface=none name=cap10 radio-mac=48:A9:8A:1B:B9:D5 radio-name=\
    48A98A1BB9D5
add configuration=cfg_SURNAME_Gast disabled=no mac-address=\
    4A:A9:8A:1B:B9:D6 master-interface=cap10 name=cap11 radio-mac=\
    00:00:00:00:00:00 radio-name=4AA98A1BB9D6
add configuration=cfg_FIRMA disabled=no mac-address=4A:A9:8A:1B:B9:D7 \
    master-interface=cap10 name=cap12 radio-mac=00:00:00:00:00:00 radio-name=\
    4AA98A1BB9D7
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool_default ranges=10.10.1.100-10.10.1.254
add name=dhcp_pool_SURNAME ranges=10.10.30.100-10.10.30.254
add name=dhcp_pool_Mgmt ranges=10.10.10.100-10.10.10.254
add name=dhcp_pool_Solar ranges=10.10.40.100-10.10.40.254
add name=dhcp_pool_PT ranges=10.10.210.100-10.10.210.254
add name=dhcp_pool_FIRMA ranges=10.10.200.100-10.10.200.254
add name=dhcp_pool_IoT ranges=10.10.20.100-10.10.20.254
add name=dhcp_pool_FIRMA_VPN ranges=10.10.201.100-10.10.201.254
add name=dhcp_pool_Storage ranges=10.10.100.100-10.10.100.254
add name=dhcp_pool_FIRMA_WIFI ranges=10.10.202.100-10.10.202.254
add name=dhcp_pool_SURNAME_VPN ranges=10.10.31.100-10.10.31.254
add name=dhcp_pool_SURNAME_Wifi_Gast ranges=10.10.33.100-10.10.33.254
add name=dhcp_pool_SURNAME_Wifi ranges=10.10.32.100-10.10.32.254
/ip dhcp-server
add address-pool=dhcp_pool_FIRMA_VPN interface="VLAN FIRMA VPN" lease-time=\
    1w1d name="DHCP FIRMA VPN"
add address-pool=dhcp_pool_IoT interface="VLAN IoT" lease-time=1w1d name=\
    "DHCP IoT"
add address-pool=dhcp_pool_Mgmt interface="VLAN MGMT" lease-time=1w1d name=\
    "DHCP MGMT"
add address-pool=dhcp_pool_SURNAME disabled=yes interface=\
    "VLAN SURNAME" lease-time=1w1d name="DHCP SURNAME"
add address-pool=dhcp_pool_PT disabled=yes interface="VLAN PT" \
    lease-time=1w1d name="DHCP PT"
add address-pool=dhcp_pool_Solar interface="VLAN Solar" lease-time=1w1d name=\
    "DHCP Solar"
add address-pool=dhcp_pool_FIRMA interface="VLAN FIRMA" lease-time=1w1d name=\
    "DHCP FIRMA"
add address-pool=dhcp_pool_Storage disabled=yes interface="VLAN Storage" \
    lease-time=1w1d name="DHCP Storage"
add address-pool=dhcp_pool_SURNAME_VPN interface="VLAN SURNAME VPN" \
    lease-time=1w1d name="DHCP SURNAME VPN"
add address-pool=dhcp_pool_SURNAME_Wifi interface="VLAN SURNAME Wifi" \
    lease-time=1w1d name="DHCP SURNAME Wifi"
add address-pool=dhcp_pool_SURNAME_Wifi_Gast interface=\
    "VLAN SURNAME Wifi Gast" lease-time=1w1d name=\
    "DHCP SURNAME Wifi Gast"
add address-pool=dhcp_pool_FIRMA_WIFI interface="VLAN FIRMA Wifi" lease-time=\
    1w1d name="DHCP FIRMA Wifi"
/ppp profile
add local-address=10.10.201.1 name="OpenVPN Profile" remote-address=\
    dhcp_pool_FIRMA_VPN use-ipv6=no
/caps-man access-list
add allow-signal-out-of-range=10s comment="iPhone USER1" disabled=no \
    mac-address=CE:45:8C:7F:21:6A ssid-regexp=""
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-enabled master-configuration=cfg_SURNAME \
    slave-configurations=cfg_SURNAME_Gast,cfg_FIRMA
/interface bridge port
add bridge="Bridge LAN" interface="ether2 LAN SW1"
add bridge="Bridge LAN" interface="ether3 LAN SW2"
add bridge="Bridge LAN" interface="ether4 LAN"
add bridge="Bridge LAN" interface="ether5 LAN MGMT" pvid=10
/ip neighbor discovery-settings
set discover-interface-list=all
/interface bridge vlan
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=30
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=40
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=200
add bridge="Bridge LAN" tagged=\
    "ether5 LAN MGMT,ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" vlan-ids=10
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=210
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=20
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=201
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=100
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=202
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=31
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=32
add bridge="Bridge LAN" tagged="ether2 LAN SW1,ether3 LAN SW2,Bridge LAN" \
    vlan-ids=33
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface="ether1 WAN" list=WAN
add interface="Bridge LAN" list=LAN
add interface="VLAN MGMT" list=LAN
/interface wifi capsman
set package-path="" require-peer-certificate=no upgrade-policy=none
/ip address
add address=192.168.100.2/24 interface="ether1 WAN" network=192.168.100.0
add address=10.10.10.10/24 interface="Bridge LAN" network=10.10.10.0
add address=10.10.10.1/24 interface="VLAN MGMT" network=10.10.10.0
add address=10.10.30.1/24 interface="VLAN SURNAME" network=10.10.30.0
add address=10.10.40.1/24 interface="VLAN Solar" network=10.10.40.0
add address=10.10.210.1/24 interface="VLAN PT" network=10.10.210.0
add address=10.10.20.1/24 interface="VLAN IoT" network=10.10.20.0
add address=10.10.200.1/24 interface="VLAN FIRMA" network=10.10.200.0
add address=10.10.100.1/24 interface="VLAN Storage" network=10.10.100.0
add address=10.10.201.1/24 interface="VLAN FIRMA VPN" network=10.10.201.0
add address=10.10.31.1/24 interface="VLAN SURNAME VPN" network=10.10.31.0
add address=10.10.32.1/24 interface="VLAN SURNAME Wifi" network=10.10.32.0
add address=10.10.33.1/24 interface="VLAN SURNAME Wifi Gast" network=\
    10.10.33.0
add address=10.10.202.1/24 interface="VLAN FIRMA Wifi" network=10.10.202.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add disabled=yes interface="ether1 WAN" use-peer-dns=no
/ip dhcp-server network
add address=10.10.10.0/24 dns-server=10.10.10.1 gateway=10.10.10.1 netmask=24
add address=10.10.20.0/24 dns-server=10.10.20.1 gateway=10.10.20.1
add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1 netmask=24
add address=10.10.31.0/24 dns-server=10.10.31.1 gateway=10.10.31.0 netmask=24
add address=10.10.32.0/24 dns-server=10.10.32.1 gateway=10.10.32.0 netmask=24
add address=10.10.33.0/24 dns-server=10.10.33.1 gateway=10.10.33.0 netmask=24
add address=10.10.40.0/24 dns-server=10.10.40.1 gateway=10.10.40.1 netmask=24
add address=10.10.100.0/24 dns-server=10.10.100.1 gateway=10.10.100.1
add address=10.10.200.0/24 dns-server=10.10.200.1 gateway=10.10.200.1 \
    netmask=24
add address=10.10.201.0/24 dns-server=10.10.201.1 gateway=10.10.201.1
add address=10.10.202.0/24 dns-server=10.10.202.1 gateway=10.10.202.1
add address=10.10.210.0/24 dns-server=10.10.210.1 gateway=10.10.210.1 \
    netmask=24
/ip dns
set allow-remote-requests=yes cache-size=20480KiB servers=\
    192.168.100.1,8.8.8.8,1.1.1.1,9.9.9.9
/ip dns adlist
add file=hosts.txt
/ip firewall address-list
add address=10.10.20.0/24 list="All VLANs"
add address=10.10.30.0/24 list="All VLANs"
add address=10.10.40.0/24 list="All VLANs"
add address=10.10.50.0/24 list="All VLANs"
add address=10.10.100.0/24 list="All VLANs"
add address=10.10.200.0/24 list="All VLANs"
add address=10.10.201.0/24 list="All VLANs"
add address=10.10.210.0/24 list="All VLANs"
add address=10.10.200.0/24 list=FIRMA
add address=10.10.201.0/24 list="FIRMA VPN"
add address=10.10.10.0/24 list=Management
add address=10.10.30.0/24 list=SURNAME
add address=10.10.100.0/24 list=Storage
add address=10.10.33.0/24 list="SURNAME Wifi Gast"
add address=10.10.10.0/24 list="All VLANs"
add address=10.10.31.0/24 list="All VLANs"
add address=10.10.32.0/24 list="All VLANs"
add address=10.10.33.0/24 list="All VLANs"
add address=10.10.202.0/24 list="All VLANs"
add address=10.10.202.0/24 list=FIRMA
add address=10.10.32.0/24 list=SURNAME
add address=10.10.31.0/24 list="SURNAME VPN"
add address=192.168.100.0/24 list=WAN
/ip firewall filter
add action=accept chain=input comment=OpenVPN dst-port=1194 in-interface=\
    "ether1 WAN" log=yes protocol=udp
add action=accept chain=forward comment="Zugriff Management" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list="All VLANs" src-address-list=Management
add action=accept chain=forward comment=\
    "Zugriff SURNAME -> SURNAME VPN" connection-state=\
    invalid,established,related,new,untracked dst-address-list=\
    "SURNAME VPN" src-address-list=SURNAME
add action=accept chain=forward comment=\
    "Zugriff SURNAME VPN -> SURNAME" connection-state=\
    invalid,established,related,new,untracked dst-address-list=SURNAME \
    src-address-list="SURNAME VPN"
add action=accept chain=forward comment="Zugriff SURNAME -> Storage" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list=Storage src-address-list=SURNAME
add action=accept chain=forward comment="Zugriff Storage -> SURNAME" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list=SURNAME src-address-list=Storage
add action=accept chain=forward comment="Zugriff SURNAME VPN -> Storage" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list=Storage src-address-list="SURNAME VPN"
add action=accept chain=forward comment="Zugriff Storage -> SURNAME VPN" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list="SURNAME VPN" src-address-list=Storage
add action=accept chain=forward comment="Zugriff FIRMA -> FIRMA VPN" \
    dst-address-list="FIRMA VPN" src-address-list=FIRMA
add action=accept chain=forward comment="Zugriff FIRMA VPN -> FIRMA" \
    dst-address-list=FIRMA src-address-list="FIRMA VPN"
add action=accept chain=forward comment="Zugriff FIRMA -> Storage" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list=Storage src-address-list=FIRMA
add action=accept chain=forward comment="Zugriff Storage -> FIRMA " \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list=FIRMA src-address-list=Storage
add action=accept chain=forward comment="Zugriff Internet" dst-address-list=\
    WAN src-address-list="All VLANs"
add action=drop chain=forward comment="Sperre zwischen VLANs" \
    connection-state=invalid,established,related,new,untracked \
    dst-address-list="All VLANs" src-address-list="All VLANs"
/ip firewall nat
add action=masquerade chain=srcnat out-interface="ether1 WAN"
add action=masquerade chain=srcnat comment=OpenVPN disabled=yes src-address=\
    10.10.201.0/24
add action=accept chain=input comment="OpenVPN TCP" dst-port=1194 protocol=\
    tcp
add action=accept chain=input comment="OpenVPN UDP" dst-port=1194 protocol=\
    udp
/ppp profile
set *FFFFFFFE local-address=192.168.89.1 remote-address=*12
/ppp secret
add name=USER1 profile="OpenVPN Profile" service=ovpn
add name=USER2 profile="OpenVPN Profile" service=ovpn
/routing rule
add action=lookup disabled=yes dst-address=10.10.30.16/24 src-address=\
    192.168.100.1/24 table=main
/system clock
set time-zone-name=Europe/Berlin
/system note
set show-at-login=no
/tool romon
set enabled=yes

Any reason for using “arp=proxy-arp” setting on bridge? It does somehow defeat use of VLANs (as means to separate subnets).

Can you quantify the “It gets so slow, that I can hardly work anymore.” statement? Although hEX is a pretty decent little device, it’s not very powerful after all. Official test results indicate that it’s realistically capable of routing at around 380Mbps cumulative (give or take; look at “routing → 25 ip filter rules → 512 byte packet size”). Your setup is on the complex end of spectrum, so I’d expect to see even lower number. Mind that test results were done while running v6 and some indications are that running v7 may reduce routing capacity (if so and to what extent again depends on actual use case). Running other services (such as capsman) consumes further CPU resources which bites into routing performance as well.

Noooo, I just typed quite an extensive answer and it was lost due to an SQL error of the forum. So my answer is a little bit shorter now.

  • As I learn by instructions and playing around afterwards, there was no reason to set arp=proxy-arp, so I turned it off and that did the trick. Seemed like there was some kind of flooding in the whole physical network, as it got worse some time after restarting the Hex. I also encountered this when connecting to the FritzBox via Wifi.
  • When setting “Detect Internet” to “Detect Interface List=LAN” the constant UDP connections disappeared.
  • I also turned on IGMP Snooping and DHCP Snooping as this sounds good to me.

The network speed slowed down from 80 Mbps to 30 Mbps for download and 30 Mbps to 0.something for upload. So actually not usable anymore.

My next challenges now are:

  • connecting the cap ac’s to the internet for updates
  • making the ac lites available in capsman
  • enabling internet connection for VLAN 10

But that sounds more doable for me than a UDP flood. :wink:

After reenabling all the fun stuff on the hex, the cpu is totally bored at 1%. Yes, there is not too much traffic in my home network, but in general that sounds promising to me.


So thanks a lot for your help!!!

Just saw that the gateways in some DHCP server configurations were wrong. Wifi works now! :slight_smile:

Do yourself a favour and disable the detect internet thingy (set list to none). It’s only good when one doesn’t know which port is supposed to connect internet, otherwise it doesn’t do anything (best case) or causes random problems (worst case). UDP flooding seems to be somewhere in between …
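
An added example, not part of the thread: a small Python audit over a RouterOS export that flags the three settings the posters point at (proxy-arp on the bridge, detect-internet on a list other than none, and DHCP network gateways set to the subnet's network address). The function names and finding labels are made up for illustration; the sample is an excerpt of the export posted above.

```python
import ipaddress
import re

# Excerpt of the export posted above (only the sections the checks read).
SAMPLE_EXPORT = r'''
/interface bridge
add arp=proxy-arp igmp-snooping=yes name="Bridge LAN" vlan-filtering=yes
/interface detect-internet
set detect-interface-list=all
/ip dhcp-server network
add address=10.10.30.0/24 dns-server=10.10.30.1 gateway=10.10.30.1 netmask=24
add address=10.10.31.0/24 dns-server=10.10.31.1 gateway=10.10.31.0 netmask=24
add address=10.10.200.0/24 dns-server=10.10.200.1 gateway=10.10.200.1 \
    netmask=24
'''

# key=value pairs; values are either "quoted strings" or bare words.
KV = re.compile(r'([\w.-]+)=("(?:[^"\\]|\\.)*"|\S*)')


def parse_export(text):
    """Yield (menu, command, {key: value}) for each statement in an export."""
    # Exports wrap long statements with a trailing "\" and an indented
    # continuation line; join them before splitting into statements.
    text = re.sub(r"\\\r?\n[ \t]*", "", text)
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):          # menu path, e.g. "/interface bridge"
            menu = line
            continue
        command = line.split(None, 1)[0]  # "add" or "set"
        props = {k: v.strip('"') for k, v in KV.findall(line)}
        yield menu, command, props


def audit(text):
    """Return a list of (label, detail) findings; labels are hypothetical."""
    findings = []
    for menu, _command, p in parse_export(text):
        if menu == "/interface bridge" and p.get("arp") == "proxy-arp":
            # The bridge answers ARP on behalf of hosts in other subnets.
            findings.append(("proxy-arp", p.get("name", "?")))
        elif menu == "/interface detect-internet":
            # Assumption: a missing property is treated as "none".
            value = p.get("detect-interface-list", "none")
            if value != "none":
                findings.append(("detect-internet", value))
        elif menu == "/ip dhcp-server network" and "gateway" in p:
            net = ipaddress.ip_network(p["address"], strict=False)
            for raw in p["gateway"].split(","):
                gw = ipaddress.ip_address(raw)
                # A gateway equal to the network address, or outside the
                # subnet, leaves clients without a usable default route.
                if gw == net.network_address or gw not in net:
                    findings.append(("dhcp-gateway", f'{p["address"]} -> {gw}'))
    return findings


if __name__ == "__main__":
    for label, detail in audit(SAMPLE_EXPORT):
        print(f"{label}: {detail}")
```

Run it against the full output of an export saved to a file by passing the file's text to `audit()`.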

Judging from the reports I have seen on the forum, the worst case seems to be the normality…

Being an optimistic guy I tend to believe that most people, who have this **** enabled, don’t see any problems (so they don’t report anything on this forum) … hence my inclusion of the “best case” in my previous post. Just in case that @OP doesn’t see (a big) problem with it currently … but to make him consider this action anyway.

I think I will add this to my Mikrotik Club Rules :wink: :

  1. You do not use VLAN1
  2. You DO NOT use VLAN1
  3. You do not use detect internet
  4)…

  1. Do NOT use quickset

This one should be made rule number -1 … or whatever takes to make it to very top of rules.

I want to join!

I think I’ve successfully passed the hazing period…

Small correction.
4. Do NOT use quickset unless you start from default config

It can have its value for some users though I also admit it has been hugely neglected with the arrival of AX-devices (Or later versions of ROS ? Quite a bit of Quickset schemes which were present before, are missing).
Avoiding it in total may be for most the wiser option.

Exactly. If there were enough quickset profiles/schemes to cover like 98% of use cases, then I’d be all for quickset … it is a cornerstone for offering MT devices to people without ROS knowledge. However since many profiles are missing (and have been missing already in v6, my favourite missing one is “switch/AP device”) it’s marginally useful. If one adds the fact that quickset very likely messes anything done outside quickset, then using quickset can be pretty dangerous (and doing things outside is quite frequent as quickset profiles don’t cover enough use cases).

@holvoeth
Your correction is overruled :laughing: :

Judge Chamberlain Haller: Mr. Gambini?
Vinny Gambini: Yes, sir?
Judge Chamberlain Haller: That is a lucid, intelligent, well thought-out objection.
Vinny Gambini: Thank you, Your Honor.
Judge Chamberlain Haller: [in a firm tone] Overruled.

Rules need to be brief and absolute, no IF’s, no BUT’s or exceptions of any kind (even if these exist) as if you introduce them you lose most of the relevance.

Like:
4) You do not use Quickset, if you use it, you must cite Holvoeth as in “Really, officer, Holvoeth made me do it”,

You see, it doesn’t sound as effective as it should be, maybe using a chiastic structure :confused: :
4) You do not use Quickset, unless starting from netinstall/default config, but just do not

I think we can go back to “do NOT use quickset” … if user comes to @holvoetn asking him about rules, then that user is already way past the IFs and BUTs which would potentially allow to use quickset.

Good :slight_smile: , AND I’ll move it one notch up:

  1. You do not use VLAN1
  2. You DO NOT use VLAN1
  3. You do not use Quickset
  4. You do not use detect internet
  5)…

But … but …

ok, I’ll accept because otherwise it may be considered contempt of court :laughing:

I tried it, but Winbox does not save it. It always comes back with “all” after a restart.

Check by opening a terminal and issuing in it:

 /interface/detect-internet/print

If you see it as “none” after you changed it in Winbox (before rebooting) BUT it changes back to “all” after a reboot, there must be a script (or something else) that re-initializes it.

That whole stuff seems to be buggy:
http://forum.mikrotik.com/t/detect-internet-strange-behavior-ros-7-0-7-6/162129/1
(cannot say if that has been fixed)

  1. Leave default firewall configuration UNLESS you really know what you are doing.

  2. For best wifi experience DO NOT use WPA3 :laughing:

  3. DO NOT USE CRS devices as routers.