/export file=anynameyoulike
Well, then start by describing the issue you need to resolve first. I've recently been tasked to assist with a WiFi issue at a company of roughly 40 - 50 users.
The topic name might give an indication. Well, then start by describing the issue you need to resolve first.
# aug/12/2024 16:11:41 by RouterOS 6.49.17
# software id = Y22R-I3EW
#
# model = RBD52G-5HacD2HnD
# serial number = Serial Number
/caps-man channel
# 5 GHz channel profile: band n/ac, no fixed frequency (auto-select), 20 MHz control
# channel, extension channel XX, DFS channels NOT skipped, reselect every hour,
# 20 dBm. Referenced by name from "Config 5G" under /caps-man configuration.
add band=5ghz-n/ac control-channel-width=20mhz extension-channel=XX name=5Ghz \
reselect-interval=1h save-selected=no skip-dfs-channels=no tx-power=20
# Fixed 2.4 GHz profiles on the three non-overlapping channels 1 / 6 / 11
# (2412 / 2437 / 2462 MHz), 20 MHz, no extension channel, 14 dBm.
# NOTE(review): none of these three entries is referenced by any /caps-man
# configuration in this export; "Config 2.4Ghz" points at the auto-select entry
# "2.4Ghz" below, so the fixed channels are currently unused.
# NOTE(review): band=2ghz-b/g/n keeps 802.11b enabled; the thread recommends
# avoiding "b" on 2.4 GHz because of the 1 Mbps beacon overhead.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2412 name=2412 reselect-interval=1h secondary-frequency=\
disabled tx-power=14
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2437 name=2437 reselect-interval=1h secondary-frequency=\
disabled tx-power=14
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
frequency=2462 name=2462 reselect-interval=1h secondary-frequency=\
disabled tx-power=14
# Auto-select 2.4 GHz profile (no frequency given) — the one actually in use.
add band=2ghz-b/g/n control-channel-width=20mhz extension-channel=disabled \
name=2.4Ghz reselect-interval=1h save-selected=no tx-power=14
/interface bridge
# Single LAN bridge. arp=proxy-arp makes the router answer ARP for any address it
# has a route to — NOTE(review): confirm this is intentional (it is often a
# leftover from making VPN clients reachable from the LAN).
add arp=proxy-arp name=bridge-lan
/interface ethernet
# NOTE(review): the interface names do not follow the physical default names:
# default ether5 -> "ether2-mtnlte", ether4 -> "ether3-LAN", ether3 -> "ether4-LAN",
# ether2 -> "ether5". Verify the cabling against the default-name column before
# drawing conclusions from the names alone.
set [ find default-name=ether1 ] name=ether1-WAN
# l2mtu and MAC address are pinned explicitly on the four renamed ports.
set [ find default-name=ether5 ] l2mtu=1596 mac-address=48:8F:5A:2C:2F:08 \
name=ether2-mtnlte
set [ find default-name=ether4 ] l2mtu=1596 mac-address=48:8F:5A:2C:2F:09 \
name=ether3-LAN
set [ find default-name=ether3 ] l2mtu=1596 mac-address=48:8F:5A:2C:2F:0A \
name=ether4-LAN
set [ find default-name=ether2 ] l2mtu=1596 mac-address=48:8F:5A:2C:2F:0B \
name=ether5
/interface pppoe-client
# Primary uplink: PPPoE on ether1-WAN. add-default-route=yes installs a default
# route with the client's default distance (default-route-distance is not set
# here). Credentials are masked in the export.
add add-default-route=yes disabled=no interface=ether1-WAN name="ISP Name" \
password=***** user=user@user
/interface l2tp-server
# Static L2TP server bindings for the PPP users vpn, user1 and user2; user3 (see
# /ppp secret) has no static binding and would get a dynamic interface.
add name=l2tp-in1 user=vpn
add name=l2tp-in2-user1 user=user1
add name=l2tp-in3-user2 user=user2
/interface wireless
# Local radios still carry the factory ssid=MikroTik. Whether they are handed to
# CAPsMAN (/interface wireless cap) is not visible in this export.
set [ find default-name=wlan1 ] ssid=MikroTik
set [ find default-name=wlan2 ] ssid=MikroTik
/caps-man datapath
# CAPs forward client traffic locally onto bridge-lan (local-forwarding=yes); the
# controller is not in the data path.
add bridge=bridge-lan local-forwarding=yes name=Internet
/caps-man security
# WPA2-PSK with AES-CCM only (no WPA1, no TKIP); group key rotated every 40 min.
# Passphrase masked in the export.
add authentication-types=wpa2-psk encryption=aes-ccm group-encryption=aes-ccm \
group-key-update=40m name="WiFi Security" passphrase=********
/caps-man configuration
# Two SSIDs, "Pepla 5G" and "Pepla", share the same security profile and datapath,
# use both chains, indoor installation, country "south africa".
# channel=5Ghz / channel=2.4Ghz refer to the /caps-man channel entries by name.
add channel=5Ghz country="south africa" datapath=Internet datapath.bridge=\
bridge-lan installation=indoor mode=ap name="Config 5G" rx-chains=0,1 \
security="WiFi Security" ssid="Pepla 5G" tx-chains=0,1
add channel=2.4Ghz country="south africa" datapath=Internet datapath.bridge=\
bridge-lan installation=indoor mode=ap name="Config 2.4Ghz" rx-chains=0,1 \
security="WiFi Security" ssid=Pepla tx-chains=0,1
/interface ethernet switch port
# Switch ports in vlan-mode=fallback with default VLAN 1: no VLAN filtering on
# the switch chip.
set 0 default-vlan-id=1 vlan-mode=fallback
set 1 default-vlan-id=1 vlan-mode=fallback
set 2 default-vlan-id=1 vlan-mode=fallback
set 3 default-vlan-id=1 vlan-mode=fallback
set 5 default-vlan-id=1 vlan-mode=fallback
/interface list
# WAN and LAN lists are declared here; membership is set under
# /interface list member.
add name=WAN
add name=LAN
/interface wireless security-profiles
# Only the supplicant identity of the default local profile is changed.
set [ find default=yes ] supplicant-identity=MikroTik
/ip ipsec profile
# IKE encryption candidates for the default profile (used by L2TP/IPsec).
# NOTE(review): 3des is still in the accepted list; drop it unless a specific
# peer cannot do AES.
set [ find default=yes ] enc-algorithm=aes-256,aes-128,3des
/ip ipsec proposal
# Phase-2 integrity algorithms: sha256 preferred, sha1 still accepted.
# NOTE(review): same remark — keep sha1 only while a legacy client needs it.
set [ find default=yes ] auth-algorithms=sha256,sha1
/ip pool
# LAN DHCP pool (192.168.0.11-.239) and the VPN client pool (192.168.89.2-.255).
add name=dhcp ranges=192.168.0.11-192.168.0.239
add name=vpn ranges=192.168.89.2-192.168.89.255
/ip dhcp-server
# DHCP on the LAN bridge, 4-week leases.
add address-pool=dhcp disabled=no interface=bridge-lan lease-time=4w name=\
dhcp
/ppp profile
# Profile named as default-profile by the L2TP, PPTP and SSTP servers: router side
# 192.168.89.1, clients from pool "vpn", TCP MSS adjustment and encryption
# enabled (use-encryption=yes).
add change-tcp-mss=yes local-address=192.168.89.1 name=RAS remote-address=vpn \
use-encryption=yes
/queue simple
# Both queues are disabled — no traffic shaping is active.
add disabled=yes limit-at=100M/100M max-limit=100M/100M name=VPN target=\
154.73.32.0/32
add disabled=yes limit-at=80M/80M max-limit=80M/80M name=Rest queue=\
default/default target="" total-queue=default
/snmp community
# Default SNMP community restricted to two source addresses; the community
# string itself is not changed in this export.
set [ find default=yes ] addresses=154.73.32.1/32,154.73.32.2/32
/user group
# The built-in "full" group carries every policy (ftp, api, sensitive, tikapp,
# ...); no reduced-privilege group is defined in this export.
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/caps-man access-list
# Signal-based accept (>= -70 dBm) / reject (<= -71 dBm) rules — both DISABLED, so
# weak clients are not steered away from distant APs.
add action=accept allow-signal-out-of-range=10s disabled=yes signal-range=\
-70..120 ssid-regexp=""
add action=reject allow-signal-out-of-range=10s disabled=yes signal-range=\
-120..-71 ssid-regexp=""
/caps-man manager
# CAPsMAN enabled with auto-generated CA and manager certificates.
set ca-certificate=auto certificate=auto enabled=yes
/caps-man manager interface
# CAPs are accepted on bridge-lan only; every other interface is forbidden.
set [ find default=yes ] forbid=yes
add disabled=no interface=bridge-lan
/caps-man provisioning
# Radios reporting gn,b support get "Config 2.4Ghz"; ac,an radios get "Config 5G".
# CAP interface names are derived from the CAP identity.
add action=create-dynamic-enabled hw-supported-modes=gn,b \
master-configuration="Config 2.4Ghz" name-format=identity
add action=create-dynamic-enabled hw-supported-modes=ac,an \
master-configuration="Config 5G" name-format=identity
/interface bridge port
# LAN bridge members: ether3-LAN, ether4-LAN, ether5. ether1-WAN and
# ether2-mtnlte are routed ports, not bridged.
add bridge=bridge-lan interface=ether3-LAN
add bridge=bridge-lan interface=ether4-LAN
add bridge=bridge-lan interface=ether5
/ip neighbor discovery-settings
# Neighbor discovery on every interface except dynamically created ones.
set discover-interface-list=!dynamic
/interface l2tp-server server
# L2TP over IPsec with a pre-shared key (masked), profile RAS.
set default-profile=RAS enabled=yes ipsec-secret="*********" \
use-ipsec=yes
/interface list member
# NOTE(review): the WAN entry has no interface= attached, so list WAN is empty
# and any rule matching on in-interface-list=WAN / out-interface-list=WAN
# matches nothing. ether1-WAN / the PPPoE interface / ether2-mtnlte are the
# candidates. LAN = bridge-lan.
add list=WAN
add interface=bridge-lan list=LAN
/interface pptp-server server
# NOTE(review): PPTP is enabled next to L2TP/IPsec and SSTP and is reachable from
# any source (firewall input accepts tcp/1723). PPTP's authentication and MPPE
# are long considered broken; disable it if no client still depends on it.
set default-profile=RAS enabled=yes
/interface sstp-server server
# SSTP (TLS on tcp/443) enabled; the server certificate is not shown here.
set default-profile=RAS enabled=yes
/ip address
# Router's LAN address on the bridge.
add address=192.168.0.1/24 interface=bridge-lan network=192.168.0.0
/ip cloud
# MikroTik cloud DDNS enabled (public address published to a cloud DNS name).
set ddns-enabled=yes
/ip dhcp-client
# LTE backup uplink: DHCP on ether2-mtnlte with a default route at distance 255,
# i.e. used only when no other default route is available.
add default-route-distance=255 disabled=no interface=ether2-mtnlte
/ip dhcp-server lease
# Single static lease.
add address=192.168.0.27 client-id=1:0:14:fd:19:21:4d mac-address=\
00:14:FD:19:21:4D server=dhcp
/ip dhcp-server network
# LAN clients get the router as DNS and two external NTP servers.
add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1 \
ntp-server=154.73.32.1,154.73.32.2
/ip dns
# Router is a DNS forwarder (allow-remote-requests=yes). The firewall input chain
# only accepts udp/53 from bridge-lan, so the forwarder is not reachable from the
# Internet. Upstreams: 8.8.8.8, an address inside the iewc-ip4s range, and two
# IPv6 resolvers — NOTE(review): no IPv6 configuration appears in this export, so
# the IPv6 entries are presumably unreachable; the thread asks about them.
set allow-remote-requests=yes servers=\
8.8.8.8,154.73.32.2,2c0f:f720::1,2c0f:f720::2
/ip firewall address-list
# iewc-ip4s: ISP ranges allowed to reach tcp 22/2000/8291 on the input chain.
# iewc-voice: voice ranges — not referenced by any rule in this export.
add address=154.73.32.0/22 list=iewc-ip4s
add address=165.16.200.0/21 list=iewc-ip4s
add address=154.73.34.4/30 list=iewc-voice
add address=154.73.34.8/30 list=iewc-voice
add address=197.96.209.0/24 list=iewc-voice
add address=154.73.35.0/24 list=iewc-voice
/ip firewall filter
# INPUT chain (traffic to the router itself). Rules are evaluated top-down and the
# chain ends in an unconditional drop, so everything not listed is refused.
add action=accept chain=input connection-state=established,related
# IPsec ESP, NAT-T (udp/4500) and IKE (udp/500) from any source, for L2TP/IPsec.
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
# VPN services open to any source. NOTE(review): with use-ipsec=yes on the L2TP
# server, udp/1701 could be limited to decrypted IPsec traffic
# (ipsec-policy=in,ipsec) so plain L2TP is not accepted; PPTP on tcp/1723 is the
# weakest of the three and worth disabling.
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" dst-port=1723 protocol=tcp
add action=accept chain=input comment="allow sstp" dst-port=443 protocol=tcp
add action=drop chain=input connection-state=invalid
# Management from the ISP ranges in iewc-ip4s only: ssh (22), 2000, winbox
# (8291); matches new SYNs only, follow-up packets pass as established.
add action=accept chain=input dst-port=22,2000,8291 protocol=tcp \
src-address-list=iewc-ip4s tcp-flags=syn,!fin,!rst,!ack
# ICMP echo request (type 8, any code) from anywhere.
add action=accept chain=input icmp-options=8:0-255 protocol=icmp
# LAN-only services: DNS/NTP over udp and ssh/winbox over tcp from bridge-lan.
add action=accept chain=input dst-port=53,123 in-interface=bridge-lan \
protocol=udp
add action=accept chain=input dst-port=22,8291 in-interface=bridge-lan \
protocol=tcp tcp-flags=syn,!fin,!rst,!ack
# FORWARD chain: this is the only forward rule and there is no forward drop, so
# routed traffic is accepted by default in every direction (LAN<->uplinks, VPN
# clients<->LAN). NOTE(review): the thread points out the missing forward rules;
# a minimal set would accept established/related, drop invalid, and drop new
# connections arriving from the WAN side.
add action=accept chain=forward dst-port=19001 protocol=tcp
# Default deny for the router itself.
add action=drop chain=input
/ip firewall mangle
# Single prerouting accept for LAN-destined traffic (stops further mangle
# processing for it). With no other mangle rules present it presumably has no
# effect — likely a leftover.
add action=accept chain=prerouting dst-address=192.168.0.0/24
/ip firewall nat
# Disabled diagnostic rule: would masquerade and log (prefix MARK) traffic
# leaving via the LAN bridge.
add action=masquerade chain=srcnat disabled=yes log=yes log-prefix=MARK \
out-interface=bridge-lan
# Catch-all masquerade with no out-interface restriction: applies to every
# routed flow regardless of exit interface, including traffic towards VPN
# clients and the LAN bridge. NOTE(review): normally limited to the uplink
# interfaces (out-interface=<pppoe or LTE interface> or out-interface-list=WAN
# once the WAN list has a member).
add action=masquerade chain=srcnat
/ip firewall service-port
# Connection-tracking helpers disabled; helpers not listed here (e.g. ftp, pptp)
# keep their default state.
set tftp disabled=yes
set h323 disabled=yes
set sip disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip route
# Static default route (no dst-address) via 192.168.0.10 — a host on the LAN —
# at distance 10. It loses to the PPPoE default route while PPPoE is up and
# wins over the LTE dhcp-client route (distance 255).
# NOTE(review): confirm 192.168.0.10 is really meant to act as a gateway; if it
# is a leftover it silently becomes the exit path whenever PPPoE drops.
add distance=10 gateway=192.168.0.10
# Host routes to named servers, all disabled. gateway=*A / *B appear to be
# unresolved internal references (the object they pointed at no longer exists);
# this is the "asterisks" remark in the thread. Safe to delete if unused.
add comment=briisk-dev-collections.database.windows.net disabled=yes \
distance=1 dst-address=102.133.120.2/32 gateway=*B
add comment=2_briisk-dev-collections.database.windows.net disabled=yes \
distance=1 dst-address=102.133.152.32/32 gateway=*B
add comment=lecroc.dedicated.co.za disabled=yes distance=1 dst-address=\
165.73.81.148/32 gateway=*A
add comment=lecroc.dedicated.co.za disabled=yes distance=1 dst-address=\
165.73.81.148/32 gateway=*B
add comment=pepladev2.dedicated.co.za disabled=yes distance=1 dst-address=\
197.242.150.92/32 gateway=*A
add comment=pepladev2.dedicated.co.za disabled=yes distance=1 dst-address=\
197.242.150.92/32 gateway=*B
add comment=stimulusmaksima.dedicated.co.za disabled=yes distance=1 \
dst-address=197.242.159.114/32 gateway=*A
add comment=stimulusmaksima.dedicated.co.za disabled=yes distance=1 \
dst-address=197.242.159.114/32 gateway=*B
/ppp secret
# PPP users for the VPN servers. Only user3 names profile=RAS explicitly; vpn,
# user1 and user2 take the default-profile of the server they connect through
# (RAS for L2TP, PPTP and SSTP in this export). Passwords masked.
add name=vpn password="*****"
add name=user1 password=********
add name=user2 password=******
add name=user3 password=********* profile=RAS
/radius
# RADIUS for router logins (service=login), enabled by /user aaa use-radius=yes.
# NOTE(review): each server is listed twice; the second pair is an exact
# duplicate and presumably only adds retries when a server is down — remove it.
# NOTE(review): the shared secret was not masked in this export and has been
# posted publicly; treat it as compromised and rotate it on both servers and here.
add address=154.73.34.18 secret=eevohch5mie0ou1P service=login
add address=154.73.34.19 secret=eevohch5mie0ou1P service=login
add address=154.73.34.18 secret=eevohch5mie0ou1P service=login
add address=154.73.34.19 secret=eevohch5mie0ou1P service=login
/system clock
set time-zone-name=Africa/Johannesburg
/system identity
set name=iewc-cpe-pepla
/system ntp client
# Time from the ISP's NTP servers, by DNS name.
set enabled=yes server-dns-names=kerberos.iewc.co.za,cerberus.iewc.co.za
/system scheduler
# Daily at 00:30: runs script backup_email (defined under /system script).
add interval=1d name=backup_daily on-event=backup_email policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=may/18/2018 start-time=00:30:00
# Weekly at 00:30: unattended check-for-updates and install (which reboots) if a
# new version is offered. NOTE(review): this takes whatever the update channel
# offers without review; on a production gateway consider pinning the channel or
# disabling it, given the 7.x package changes discussed in the thread.
add interval=1w name=auto_upgrade on-event="/system package update\r\
\ncheck-for-updates once\r\
\n:delay 30s\r\
\n:if ([ get status ] = \"New version is available\") do { install }" \
policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon \
start-date=mar/01/2023 start-time=00:30:00
/system script
# backup_email: exports the running config (/export file=email) and mails
# email.rsc to mikrotik@uls.co.za. NOTE(review): this export shows the RADIUS
# secrets in clear text, so the mailed copy presumably does too; make sure the
# mailbox and the SMTP path are trusted. Runs daily from the scheduler above.
add dont-require-permissions=no name=backup_email owner=admin policy=\
ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/export\
\_file=email;\r\
\n/tool e-mail send to=\"mikrotik@uls.co.za\" subject=(\"[CPE BACKUP] \".[\
/system identity get name]) body=(\"Note that this is an export.rsc file a\
nd not a backup.backup file for mikrotik.\") file=email.rsc;\r\
\n:log info \"Export email sent.\";"
/tool e-mail
# Outbound mail relay; start-tls=yes — NOTE(review): presumably opportunistic
# STARTTLS rather than required, verify against the relay.
set address=mail.iewc.co.za from=mikrotik@uls.co.za start-tls=yes
/user aaa
# Router logins are checked against the /radius servers. NOTE(review): the order
# in which local users and RADIUS are consulted is not visible here — verify.
set use-radius=yes
- I believe so, I know they use VPN accounts for users to remotely connect to the MikroTik router located in the office to obtain the company public IP. This IP is whitelisted at another company they do work for. However, I've tried creating an account, but when I create the VPN on my Windows machine, it fails. I haven't googled much yet with regards to this, but this is one of the things I also need to look into. (I hope I've addressed your questions about the internet-facing device and DNS, NTP?) If a wired connection is fast, then it is not related to the routing part of the router.
I also notice that the 2.4GHz radio is broadcasting on channels 1, 3 and 6. In an ideal world (funny in the 2.4GHz context) you would only use channels 1, 6 and 11. Might want to configure frequencies 2412, 2437 and 2462.
Thanks for pointing that out. I went ahead and created additional frequencies for 2.4Ghz. I couldn't manually assign it from CAPsMAN, so I'm hoping that this would suffice? See attached.
Some concerns:
- the firewall is modified, and I think it is missing some rules (definitely on the forward chain). Is this a public, Internet-facing device?
- are you sure you want to have so many services publicly available (like providing DNS and NTP to the world, assuming it is publicly reachable)?
- I notice some asterisks in the config; is this some legacy that hasn't been properly removed?
- why do you have IPv6 DNS servers configured while you only use IPv4?
I just wanted to correct this statement. Beware that ...
-Mikrotik does not activate WMM if not set in config
At the moment, we have 28 devices connected to the WiFi, be that via 2.4Ghz or 5Ghz. My laptop would also jump between 2 APs: Hallway AP & Blue AP. See attached floor layout of the office. Tuesdays and Thursdays have the least people in the office, but the WiFi still feels slow, as if the internet is slow. Response times of websites are long; it takes a few seconds longer for sites to open compared to being on cable. I even have a spare AP that I could install; however, I wasn't sure if this might help or where to put it. You said that sometimes wifi is feeling great and sometimes is sluggish.
How many clients are connected to the AP when wifi is "sluggish" ?
Maybe there are too many clients on one AP...
Hi there bpwl. Thank you so much for contributing to this request for assistance. I really do appreciate that someone of your stature would share your knowledge with us. Varying wifi performance is normally not visible in the config settings.
Wifi is a shared medium, you are influenced by other devices.
Those are very short PING delays in those tests. Over wifi?
Long PING times do indeed make the connection feel slow, very slow, even if the rate is OK.
Beware that ...
-Mikrotik does not activate WMM if not set in config
-Mikrotik does not assign WMM priorities to traffic (video, voice, ...) unless extra FW mangle rules are added. DSCP must be converted to priority in local RouterOS.
-For all but lowest WMM priority Mikrotik does not do AMPDU aggregation by default
-WMM priority takes the wifi-ether access much faster than the regular (shorter wait time for transmission attempt)
-Regular wifi will not get a fair share of air-time if WMM priority is around
For the 2.4GHz, avoid the 802.11b setting. "b" gives 1Mbps beacon speed (30 SSID/AP at 1Mbps overhead will fill all the available air-time just with the beacons)
802.11b in one AP, forces other reachable AP's to also work with 1Mbps. There are 1Mbps connections in your sample.
Thanks for the correction. You're absolutely right, it is enabled, but AFAIK it does not bring the expected wifi priority (short inter-transmission delay). That is something else. I just wanted to correct this statement. Beware that ...
-Mikrotik does not activate WMM if not set in config
Thanks Erlinden. Can you maybe point me in the right direction on how to do this perhaps? Hoping this info might assist? If no VLANs are involved, the D-Link will do just fine (assuming it has gigabit ports).
The cAP ac does handle the wifi-qcom-ac pretty well (in my experience), though I read about someone having out-of-memory problems (therefore a daily reboot was introduced). Haven't seen that problem myself (uptime over a couple of weeks).
That would be me, but that is using the 7.16rc package. The issue has been confirmed by MT staff (strods), so a fix should be coming. The cAP ac does handle the wifi-qcom-ac pretty well (in my experience), though I read about someone having out-of-memory problems (therefore a daily reboot was introduced). Haven't seen that problem myself (uptime over a couple of weeks).
Because wave2 package only existed until 7.12. It also was too big to be installed on 16MB flash devices.
I'm guessing then that we installed wifi-qcom-ac instead of wifi-qcom because it's smaller and the settings are practically the same?