Has anyone noticed that after these new updates the WiFi signal became weaker? Hap ax and Hap ac
PS: Problem solved, for some reason the channel went to the 20 MHz band
@kiwirock30, try what @infabo suggested, it should work. I don’t see this option in WinBox, keep that in mind.
/interface/wifi> set wifi2 disable-running-check=yes
Your observed behaviour matches documentation:
disable-running-check (no | yes; default: no)
yes - interface’s running property will be true whenever the interface is not disabled
no - interface’s running property will only be true when it has established a link to another device
can you please share your script?
I have some issues with “script failed” and I have to do the import of a TXT address list manually each time.
thank you
Have a new hAP ax lite (dual 800 MHz ARM architecture), aka L41G-2axD. L2TP tunnel with hardware accelerated IPSec only achieves 10 Mbps throughput. Any suggestions? We upgraded a hAP ac as it didn’t have AES hardware offloading.
Full details here:
Regards
David Herselman
hAP ax lite has no “IPsec” section under “test results” on the information page.
That means it is not recommended for IPsec usage.
hAP ax2 is the next model up and it has IPsec in its test results.
Greetings. A link to the script is below provided by optio, msatter & other geniuses of this forum
https://forum.mikrotik.com/t/is-8mb-in-a-variable-from-a-txt-file-is-possible/174013/50
The lists I use are these.
$update url=https://cinsscore.com/list/ci-badguys.txt delimiter=("\n") listname=z-blocklist_CI_badguys timeout=1d
$update url=https://www.spamhaus.org/drop/drop.txt delimiter=("\_") listname=z-blocklist_SpamHaus timeout=1d
$update url=https://view.sentinel.turris.cz/greylist-data/greylist-latest.csv listname=z-blocklist_Turris delimiter=, timeout=1d heirule=http|telnet|ftp
$update url=https://lists.blocklist.de/lists/strongips.txt delimiter=("\n") listname=z-blocklist_BlocklistDE_strongips timeout=1d
$update url=https://blocklist.greensnow.co/greensnow.txt delimiter=("\n") listname=z-blocklist_GreenSnow timeout=1d
Please do not use Spamhaus (they are like internet “blackmailers”), other admins won’t like you for it.
I've never met a company with worse support than they have.
I do recall however having tested it not that long ago? Or was it L009? Don’t know anymore … it is not on IPSEC Help pages so probably the latter.
Anyhow, test results are not always updated after a feature has been added.
Found it: supported since 7.10b5 and I did test it against RB5009.
FINALLY was able to do some testing. Basic IPSEC connection from AX Lite to RB5009 (AX Lite → ISP Router acting as local switch → RB5009 so all Gigabit connections). Both devices on 7.11b6. Used iperf from PC connected to AX lite to iperf container on RB5009. Max I saw was 58 to 65 Mbps (did several tests). CPU on AX Lite went to 76% (1 core to 85% so not yet maxing out). RB5009 never went over 17%. Better than zerotier (because of HW offloading ?) but way below wireguard. Still a huge dif…
So not even Help pages are updated.
Many thanks for your feedback! Waiting on a maintenance window to test to see if the performance issue gets resolved when upgrading to 7.20b6.
I read up on them. And you’re right, they do some shady stuff, especially with outlook. I no longer use their list. Thanks for the heads up
I wonder where it is reported that hardware acceleration is used for a particular IPsec tunnel…
What I do know from docs is that IPsec with SHA512 hashing is not accelerated, also AES-GCM is not accelerated no matter the hash on IPQ-5018 and since there is no mention in MT docs on what IPQ-5010 supports:
IPsec Hardware acceleration
I could only assume that it does not support those as well…
Anyways on those slower CPUs with dubious IPsec HW support you would be probably far better off by using WireGuard instead of L2TP/IPsec IMHO…
I wonder where it is reported that hardware acceleration is used for a particular IPsec tunnel…
Under IP->IPsec->Installed SAs you see a H in the first column for hardware-accelerated.
(the column says EH in that case)
When there is only E it is not accelerated.
Indeed as you say it can depend on the negotiated parameters (based on the config and the capabilities of the other side) whether there is acceleration or not. There is no config “prefer accelerated” so when you have selected long keys “because it is safer” you may end up with an unbearably slow connection that could be faster with different key length or algorithm.
Unfortunately indeed there is no entry in that specific table. However it seems to be safe to state “any device with lite in the name is not supposed to be used like this”.
I.e. they are only for basic NAT routing / bridging / AP usage, not for things like tunnels, encrypted DNS, 50000-item access lists, etc.
Again unfortunately, that is not clearly communicated by MikroTik. There at least should be a pointer to the next-higher-up model for every “lite” device with comment that for more serious use that one should be considered.
Under IP->IPsec->Installed SAs you see a H in the first column for hardware-accelerated.
I presumed it should be there but the first column was empty (just 3 dots) until I widened the column
Thanks
Ah, another case of “default column widths are not useful or even correct”… that should really be fixed.
Under IP->IPsec->Installed SAs you see a H in the first column for hardware-accelerated.
(the column says EH in that case)
When there is only E it is not accelerated.
I find it not reliable. On all my mikrotiks it always displays the “Hardware AEAD (H)” flag even when using an encryption algorithm that should not be hw accelerated on that platform.
For example, aes 256 gcm will display H on both my RB5009 (which is hw accelerated) and my hap ac2 (which is not hw accelerated according to the table).
But I guess it could also be that it is hw accelerated and the table is not updated (just like the above example where some CPUs are not even in the table)
Of course one issue is that IPsec has both encryption and signing, and it could be that one of them is hardware accelerated and the other one not (due to selection of the algorithms). Then what will it display?
And then there are the encryption algorithms that also do the signing, like aes gcm…
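An added example, not part of any post in this thread and not MikroTik code: a Python sketch that reads saved Installed SAs text and compares the H flag on each SA with the algorithms the thread says the docs list as not accelerated (SHA512, AES-GCM on IPQ-5018). The "index flags key=value" line layout, the sample entries and the names `UNACCELERATED`, `parse_sas` and `audit` are assumptions made for illustration.

```python
import re

# From the thread (stated for IPQ-5018): SHA512 hashing and AES-GCM are
# documented as not accelerated. Assumption: adjust this table per platform.
UNACCELERATED = {"auth-algorithm": {"sha512"}, "enc-algorithm": {"aes-gcm"}}

# Constructed sample, not captured from a router. The "index flags key=value"
# layout is an assumption about the saved text.
SAMPLE = """\
 0 EH spi=0x1A2B3C auth-algorithm=sha256 enc-algorithm=aes-cbc enc-key-size=256
 1 E  spi=0x4D5E6F auth-algorithm=sha512 enc-algorithm=aes-cbc enc-key-size=256
 2 EH spi=0x778899 auth-algorithm=null enc-algorithm=aes-gcm enc-key-size=288
 3 E  spi=0x99AABB auth-algorithm=sha1 enc-algorithm=aes-cbc enc-key-size=128
"""

# index, optional flag letters, then the first key=value pair onwards
ENTRY = re.compile(r"^\s*(\d+)\s+(?:([A-Z]+)\s+)?(\S+=.*)$")

def parse_sas(text):
    """Yield (index, flags, props) for every SA line; skip anything else."""
    for line in text.splitlines():
        m = ENTRY.match(line)
        if not m:
            continue
        props = dict(kv.split("=", 1) for kv in m.group(3).split() if "=" in kv)
        yield int(m.group(1)), set(m.group(2) or ""), props

def audit(text, unaccelerated=UNACCELERATED):
    """Map SA index -> (verdict, algorithms the table lists as software-only)."""
    report = {}
    for idx, flags, props in parse_sas(text):
        slow = sorted(v for k, bad in unaccelerated.items()
                      if (v := props.get(k)) in bad)
        if "H" in flags:
            # H shown although the table disagrees: the flag or the table is stale.
            verdict = "conflict" if slow else "hardware"
        else:
            verdict = "software"
        report[idx] = (verdict, slow)
    return report

if __name__ == "__main__":
    for idx, (verdict, slow) in audit(SAMPLE).items():
        print(idx, verdict, ",".join(slow) or "-")
```

A "conflict" verdict is the case described in the last posts, where H is displayed for an algorithm the table lists as unaccelerated; a throughput test is what settles which of the two is right.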