I got a new 2011. As per the instructions on the box, I upgraded the OS and then the firmware. It all seemed to go just fine. I rebooted, logged in, checked that it was up to the new version... all was great. Until the next time I did a config reset.

After resetting, I couldn't connect to anything. I checked and saw I had an IP assigned, but oddly enough... no default gateway. I manually put it in but still couldn't connect to anything. So I did a hardware reset (confirmed by the fact the screen is no longer calibrated and the default PIN is used) but same thing... no default router and I can't connect to it at all.

Did this thing just crap out on me? Please help quickly.

After using the screwdriver reset (as opposed to the pushbutton), it made some weird beeping sound it didn't before (rapid beeps in successively lower pitch) then I could access it again.

I hope someone can assure me that's normal.. because it sure sounded strange. It isn't the normal beeps that take place after reboot.

OK, so it happened again... completely locked out with no default gateway and no way to connect until after I do that screwdriver reset (what, by the way, is the difference between that reset and the pushbutton one?)

This time I see what happened, but I have no idea why.

I can access and use all the settings via the web admin (WebFig) but if I telnet or use Winbox, it warns me of some default config that appears to be wiping out everything I've done, so I hit "r" for revert... and my box is temporarily bricked.

So should I avoid WinBox/Telnet? Where is that default script coming from? Why is it clobbering my existing config?

I think based on this post and the other one you made to the Beginner Basics forum that you may be operating under some false assumptions, not just when it comes to MikroTik but also general computer networking, and could benefit from doing some reading through the (e.g.) MikroTik wiki. Of course, if you would rather beat your head on a desk for several hours, some people find that they learn best through trial and error (I know I do for sure! and I have the bumps on my head to prove it).

There are two kinds of initial config: a BLANK config and a DEFAULT config. A default config is what it sounds like: a set of reasonable basic settings that you can use as a starting point for making changes. A blank config means there is NO configuration on the router at all: NO IP addresses, NO DHCP servers, NO routing table entries, NO firewall or NAT rules, NOTHING.

When you first started up your router, you experienced a DEFAULT config: the ports were arranged in a typical LAN/WAN split with one port set as the WAN and the remaining on the LAN (with a common L2 broadcast domain), there was a default LAN IP of 192.168.88.1/24, a DHCP server running on the LAN, a DHCP client running on the WAN, a general NAT rule, and some firewall rules defined on the WAN.

RouterOS did not used to always ship with a default config. Out of the box, it had a *blank* config. And many/most? old-timers prefer to start from a blank slate. So when you log into a router for the first time, it gives you a run-down of the default config that has been applied, and gives you a chance to [R]emove it if you so desire. That is what happened when you pressed "R": it didn't "brick" itself; you removed the default config, which meant that you wiped out the default IP address along with everything else I described. The router *had no IP address configured on it*, period. And without an IP address configured on it, you clearly cannot telnet, SSH, or Webfig into it, because all of those services run over IP.

If you have a router with a *blank* config, the only way that you can get into it is through Winbox. Winbox has a special mode where you can specify the MAC address of a target router *instead* of an IP address. It talks to the router via a proprietary protocol, one which doesn't require that the router have an IP address configured on it. When you load Winbox, it should show you all of the MikroTik routers it has discovered on the local broadcast domain, and you can click on a MAC address to pre-fill in the "Connect to:" field. Once you are in, you can configure the router as you wish.

The two reset "buttons" is also kind of a legacy thing, but if you read the short 2-page quick start pamphlet that was included in your box, that should clear up their uses. For reasons unknown to me, RouterBoards originally only allowed you to reset them via that internal screwdriver hole. The external button was merely used to toggle the backup bootloader, in the event that the primary one became corrupt, but it would not reset the router config itself. Eventually this changed, and now the external button has multiple functions *depending on exactly when you start holding it in, how long you hold it in for, and when exactly you let go*. Again, this is all described on the pamphlet. Nowadays everything can be accomplished via the main button, and for one of the functions (resetting the config), the internal screwdriver hole is essentially redundant.

The "weird beeping sound" you heard means that you managed to reset the bootloader settings in addition to the router config. By default, for the very first boot, the bootloader engages the Flashfig feature. And rather than extending this response out any longer, I will let you practice reading the manual in order to learn what this is: http://wiki.mikrotik.com/wiki/Manual:Flashfig

Hope this helps,

-- Nathan

I think based on this post and the other one you made to the Beginner Basics forum that you may be operating under some false assumptions, not just when it comes to MikroTik but also general computer networking, and could benefit from doing some reading through the (e.g.) MikroTik wiki. Of course, if you would rather beat your head on a desk for several hours, some people find that they learn best through trial and error (I know I do for sure! and I have the bumps on my head to prove it).

Thanks for your response, and I'm going to carefully go through it, but I wanted to start by responding to this part:

That wiki is the biggest source of beginner frustration. I spent hours reading through it. It is so incomplete, disjointed, and full of typos and grammatical errors and I believe you have to be far beyond beginner to make use of it. And am I a "beginner"? That's obviously relative. I would say I am, but not so absolute of a beginner that I shouldn't be able to understand. This is my first non-consumer router, and I knew I was getting into a learning curve. But one should be able to go from exhausing the feature set of a high-end consumer router to getting the basics running on a low-end enterprise router without much of a leap... certainly with the help of documentation.

But the worst part is when I *did* find the help and examples I was looking for... and it just didn't work.

Now I'm off to work. I promise I will carefully go through your post. Thank you for your time.

but if you read the short 2-page quick start pamphlet that was included in your box, that should clear up their uses.

Said pamphlet may have been helpful... if it existed. I promise you there was absolutely no literature included in my box. The only instructions at all were printed on the box itself, saying the default address and username and that it is important to go to www.mikrotik.com/update

I just inspected the packaging more carefully in case it was stuffed in the PSU area or something... nada.

[...] but not so absolute of a beginner that I shouldn't be able to understand. This is my first non-consumer router, and I knew I was getting into a learning curve. But one should be able to go from exhausing the feature set of a high-end consumer router to getting the basics running on a low-end enterprise router without much of a leap...

I feel you, but the reality is that a lot depends on what you know and don't know about IP networking conceptually and what assumptions you are bringing to the table with you. You may find that you have to unlearn a bunch of stuff first before you can get very far. Please understand that this is absolutely not intended as an insult to you in the slightest; everyone has had to start at ground zero at some point. And it is also extremely possible that many of us here (myself included) have been around so long that we are likely blind in many ways to what is poorly documented and what isn't. But I can tell you that if all you have had experience with up to now are consumer-grade home routers, they have shielded you from having to know and understand how a lot of things work at their most fundamental level -- principles vs. methods -- and it is helpful to know these things when working with a platform that enables you to shoot yourself in the foot 1,000 different ways.

As RouterOS started off as something that a networking engineer might drop in place of a Cisco or Juniper on their network, and not as a platform to power home routers, much of the documentation is going to assume that you understand these concepts, and that you already know very specifically what you want to accomplish. So the documentation probably isn't going to be spending a lot of time educating you on, for example, "what is a bridge?", but rather answering questions like "given that we both already know what a bridge is, how do I go about creating and configuring a bridge on this particular platform?"

Unlike a consumer-grade router which is more akin to a fast food meal, RouterOS is a collection of ingredients and kitchen tools. The documentation's job is not to provide you with recipes; it assumes that you already know how to cook and you know your way around a kitchen generally-speaking, and that you are bringing your own recipes with you. You just need to be shown around this particular kitchen.

Said pamphlet may have been helpful... if it existed. I promise you there was absolutely no literature included in my box.

Hmm, then your vendor/distributor/retailer did you a great wrong and disservice. It is usually sitting either directly on top of or beneath the router itself:



...in any case, you can find PDFs of the pamphlet for each model on http://www.routerboard.com/; here is the link to your router's PDF: http://i.mt.lv/routerboard/files/rb2011U-qg.pdf.

-- Nathan

After re-reading your original posts again, I *think* I understand where part of your confusion is coming from with the initial config and the worries of bricking, etc.

Like I said before, when you first power up a MikroTik with its factory-default config in place, the very first time that you connect to it with either telnet, SSH, or Winbox, it will tell you "hey! instead of a blank config, I started up with this default config that looks like this!", and gives you the option to either keep that config, or remove it. "R" in this case does *not* stand for "revert", it stands for "remove". If you tap "R", you are telling it to delete all config from the device. At that point, you would need to re-connect to the router with Winbox via MAC address to add any configuration to the device.

For whatever reason, I don't think that it shows you this message about the default config if you log in to manage it via the web interface (Webfig). So here is what I suspect is happening:

1. You are booting up the router with a default configuration.
2. The first action you take is to log into it via the web interface.
3. You don't see this message about the default config (nor are you given the option to remove it).
4. You make a few changes here and there. You log out.
5. Later, you log in through either Winbox, telnet, or SSH for the first time.
6. The router sees that this is the first time you have logged in via one of those methods and so it flashes up the info about the default config.
7. You click the Remove button or tap "R" on the keyboard.
8. The router wipes all config off of itself in response to your instruction to do so.

Your operating assumption as a first-time user (which isn't an unreasonable one) is that since you have already logged in once and made some changes, it is no longer either 1) the first time you have logged in, nor is it 2) running an unmodified, factory-default config any longer (since you made changes). But since you made those changes through the web, when you log in for the first time via one of the other methods, the internal flag that says you have already logged in at least once and been shown the "default config" informational message never gets cleared, so it pops up the message. You get confused because from your perspective, you already made some changes, so you think that what it's telling you is that it overwrote some of your earlier changes, but that's not what happened. It didn't make any changes. All it did was flash up a dialog box that you should have seen before this point, but didn't because you happened to access it via the web. So you think hitting "R" is going to undo the damage that it just did (but didn't do), when what hitting "R" actually does is wipe all config off the router completely. Then you get kicked out, and you think it's bricked (because you didn't know about connecting with Winbox via MAC address).

This is definitely an oversight by RouterOS's developers. Webfig is actually relatively new. There was a very mediocre web configuration interface before, but it didn't expose the full functionality of the router to you. Webfig today, though, basically gives you almost all of Winbox's functionality in a web browser. They obviously forgot to add the default config informational bulletin to Webfig, and yet they recommend in the "quick start" docs that you log in for your first time with Webfig (probably because that is easier than telling new people to download a special app for the first time and run it).

I'm surprised this confusion doesn't happen more often, but like I said, we all have our blind spots...the fix would either be for them to display that dialog about the default config in Webfig, or to merely have a Webfig login clear the flag that says you have been shown that dialog so that if you later log in via Winbox or whatever, you won't be shown it.

-- Nathan

First, I want to take a moment to thank you Nathan... I really appreciate your time.

You nailed exactly how I was seeing it. You're exactly right on what I thought "r" was doing, and I understand now what it actually did. You're also right that I didn't know I could log in via MAC using WinBox. So I see I wasn't really locked out, I just didn't know how to get in.

You're also right that being "shielded" from understanding fundamental networking concepts has done me a rather huge disservice... because I'm bloody confused.

I thought I had it. Then I managed to get locked out again lol.

I started over again with a fresh default config. I logged in via WinBox. Made some changes and got a "router disconnected" message. Since I was connected via MAC and not IP, that surprised me since all I did was mess around with the DHCP server. If I were logged in by IP, it would have made sense. But, whatever... I logged back in (via MAC again) no problem. Then I set master=None on ETH3-5, set up a new DHCP server on ETH2 (which I was connected to), and deleted the default bridge. The moment I deleted the bridge, I was kicked off again and could not log back in - even by MAC. I'm sure I've done something wrong, but I'm not sure why what I did would prevent me from getting back in???

Any ideas?

I am very confused on how to get multiple devices connected to multiple ports without a bridge and each getting their IP addresses dynamically. I *think* I understand that each interface will need its own DHCP server, but can't they all draw from the same pool and use the same Network entry? I don't want different subnets. Maybe I'm over-complicating things and going about this the wrong way. I'm pretty sure from other things I read that I eventually do want to ditch that bridge (so that I have better control over queues - which I haven't yet gotten to), but I'm having a heck of a time with it.

ps. That pamphlet definitely 100% was not in my box! Thanks for the link.

The moment I deleted the bridge, I was kicked off again and could not log back in - even by MAC.

I think that this and your comments below and in the other thread betray the fact that you don't understand what a bridge is. A bridge is simply a software-based switch of etherlike interfaces. When ports are members of a bridge, you no longer address the ports individually, but the bridge that they are members of. SO, when you add IP addresses that you want to be used on the bridge, you would have to bind the address to the bridge interface, not the individual ethernet ports. Same goes for DHCP servers, firewall rules, etc. All members of a bridge act as a single logical interface, and they share a single MAC address amongst each other as well as a common L2 broadcast domain. The bridge interface code will generally pick one MAC address automatically from among all member interfaces and use it to represent the bridge (I can't remember if it automatically picks the highest-numbered MAC or the lowest, but it's one of those two), though the MAC address on the bridge can be overridden and specified manually if desired.

So, when you are talking to the router over MAC Winbox, and you are talking to it through an ethernet port that is a member of a bridge, if you make a change to that bridge or that port (you delete the bridge, you remove the port as a member of the bridge, etc.), of course you are going to get kicked out of your Winbox session...you just severed the communications channel you were using. However, you *should* be able to reconnect back up again. Did you re-scan the list of devices in Winbox to see if after deleting the bridge the router is being seen with a *different* MAC address than what you used to connect to it before?

There are a couple of reasons why I can think of that would prevent you from doing so:

1) You are trying to MAC Winbox in through the ethernet port that was set up to be the WAN port by the default config. The WAN port has a bunch of default firewall rules on it to protect it from being accessed from the internet at large. Those rules also break MAC Winbox from working on that particular port.

2) MAC Winbox actually does use IP communication behind-the-scenes, sending and receiving broadcast IP packets. So it does require an IP address to be configured on your computer's ethernet port, although it doesn't care a whit *what* that address is. If your computer got an IP automatically via DHCP from the MikroTik, remember that the default DHCP server is configured to run on the bridge interface that you just deleted, so you broke the DHCP server, which means you can't get an address from the router any longer. Also, the default DHCP server config specifies a really short lease time (10 minutes), so very shortly after you deleted the bridge, your computer's DHCP lease expired and it no longer had an IP address. If you wait a couple of minutes, most PC operating systems will self-assign a link-local (169.254.x.x) IP to themselves after DHCP timeout, but until that happens (or you set a static IP on your computer and turn DHCP off), connecting to the router via MAC Winbox will be impossible.

Likely you just didn't want long enough for the computer to pick a 169.254.x.x address to give itself after it lost contact with the MikroTik DHCP server.

I am very confused on how to get multiple devices connected to multiple ports without a bridge and each getting their IP addresses dynamically. I *think* I understand that each interface will need its own DHCP server, but can't they all draw from the same pool and use the same Network entry? I don't want different subnets.

You keep saying you don't want a bridge, but trust me: you want a bridge. I'm not sure where you are getting the idea that you don't. (You also definitely don't want multiple DHCP servers.) You can't have multiple devices plugged into multiple ports share a common subnet without also having them all participate on the same broadcast domain (well, you *can*, but you don't want to without VERY good reasons). What *specifically* are you trying to accomplish that the default config does not already do for you?

Again, a bridge is just a switch running in software. There are two hardware switch chips on the 2011, each handling 5 ports. If you want 2 subnets, one for each switch-group, then you can dismantle the bridge. At that point, the only way for devices plugged into switch 1 to talk to devices plugged into switch 2 is via IP routing, which necessarily means separate subnets. But if you want all 10 ports (with the exception of the WAN) to work as a *single* contiguous virtual switch, the two physical switch-groups need to be bridged together.

-- Nathan

I think that this and your comments below and in the other thread betray the fact that you don't understand what a bridge is.

No, I think I pretty much have that concept. Your description matches my understanding of what it is. However, I clearly didn't recognize the nuanced impact of removing it, particularly:

So, when you are talking to the router over MAC Winbox, and you are talking to it through an ethernet port that is a member of a bridge, if you make a change to that bridge or that port (you delete the bridge, you remove the port as a member of the bridge, etc.), of course you are going to get kicked out of your Winbox session...you just severed the communications channel you were using.

However, you *should* be able to reconnect back up again. Did you re-scan the list of devices in Winbox to see if after deleting the bridge the router is being seen with a *different* MAC address than what you used to connect to it before?

Yes, I did. No, I couldn't.

There are a couple of reasons why I can think of that would prevent you from doing so:[...]

2) MAC Winbox actually does use IP communication behind-the-scenes

Yeah, probably that. Although, it never did come back and even manually assigning an IP did no good. Eventually, however, I realized I could connect by IP though I still can't by MAC. And when I had it mis-configured such that IP was impossible, I was simply locked out with no recourse other than wiping config.

You keep saying you don't want a bridge, but trust me: you want a bridge. I'm not sure where you are getting the idea that you don't. (You also definitely don't want multiple DHCP servers.) You can't have multiple devices plugged into multiple ports share a common subnet without also having them all participate on the same broadcast domain (well, you *can*, but you don't want to without VERY good reasons). What *specifically* are you trying to accomplish that the default config does not already do for you?

I'm still thinking I don't want it, but obviously I'm not articulating why. But your own explanation of how the bridge works coincides with other advice I got (and why I don't want a bridge). My main goal - the whole reason I got this to replace my consumer router - is to equally share WAN bandwidth amongst certain members of the network (note: not the same as QoS prioritizing). If the ports are bridged, then any queues impact that single common interface, no? How can I then define queues for the individual member interfaces?

Maybe I can - that's clearly past where I'm at now, in terms of learning curve. I can't actually remember right now where I read it, but there were more than one blogs/posts that indicated a trade-off between speed/simplicity of bridges and master/slave vs. fine-grain control of individual interfaces.

I'm not arguing, and I am more than willing to keep the bridge if there's light at the end of the tunnel. Perhaps you can help me with that then? I posted it somewhere else and I'll copy it here:

ETH01 - WAN
ETH02 - Admin PC
ETH03 - Server
ETH04 - WAP
ETH05 - N/C
ETH06 - VoIP box
ETH07 - DEVICE
ETH08 - DEVICE
ETH09 - DEVICE
ETH10 - DEVICE

The four "DEVICE" entries are just low-priority items that need network access but require absolutely no priority. VoIP needs highest priority. Then I want the other three to share - in some fair fashion - the available bandwidth, up and down. I could do everything but the last bit on my consumer router but the QoS and other settings were too limited. I could prioritize them and I could cap them, but I couldn't "share". Ie. if one computer was downloading a large file, the others were severely hampered unless I gave them higher priority, in which case they would hog the bandwidth at the others' expense. I want to guarantee each 1/3 bandwidth (up/down), but not limit any one to 1/3 if the other(s) aren't currently using theirs.

In part this is preparing for a slightly more complex situation, where I expect to be sharing our [total] bandwidth with another party. In that case, it becomes more important that they get half and I get half, but again I don't want either to be limited to half when the other isn't using their full allotment.

In that latter case, I would then want my half to be fairly split 3 ways as described above, and I think that means another router and that's fine, if so.

Not sure if you solved your setup.

I use simple queues assigned as PCQ. "Max" is limit of broadband, "limit at" is the guaranteed minimum. Simple queues can be IP ranges or i think, individual IP address. It doesn't use ports.

So, in your case, I would bridge all together for the LAN and use the simple PCQ queues. Then I would statically assign the IP for the admin, server and ip phone but use dhcp for the extra low priority devices. Setting the queues for each.

I don't bother with priority with PCQ.