MikroTik

pe1chl

They are related but they are not the same thing. When you have hardware capable of L3 processing, one way to use it is to offload the processing of fasttrack into it. But as you rightly indicate, then first you need to have fasttrack in the first place. However, the L3 hardware is also capable of h...

pe1chl

When you configure such a service and pull data from an external provider, you should always realize what may happen when they send you bad data. Even when the router ignores the actual address in the lists (which I think it does...), there still is the risk that this external service is blocking si...

pe1chl

When the secret signing key gets compromised in the way Kaldek suggests, it is not an issue if you have a hosts file with bad entries, because the adversary could just put their compromised code on the original servers. If the signing key gets compromised that does not mean access to the original s...

pe1chl

Even a small fan running at reduced speed will help a lot. It is just that slight breeze that you need to replace the air nearest to the unit. At room temperature an RB5009 sitting on a surface will get 55-60C and that is quite acceptable. With yours getting 85C I presume you are in a hot climate an...

pe1chl

RouterOS is not in any way involved in encrypted (https) connections made by clients. So "certificate pinning" makes no sense. That is just half of the truth. If RouterOS itself downloads packages that same RouterOS is actually the client. But it downloads them using http. Not https. So t...

pe1chl

Lots of (especially cheap) ISPs give a private IP because IPv4 addresses are getting scarce.
Use IPv6, there you get a large space of private IPs. Well, extremely cheap ISPs do not have IPv6, but these are not recommended.

pe1chl

It is very unlikely that something like this would be related to a defect in your ax3 and would be fixed by returning it and ordering another one... (I feel for the webshops that get these returns, get devices back as "defective" and have to write off on that. And I feel for myself as I ha...

pe1chl

RouterOS is not in any way involved in encrypted (https) connections made by clients. So "certificate pinning" makes no sense. The updates are signed with a secret key of which the public key is present in the router. Not a PKI certificate. When the secret signing key gets compromised in t...

pe1chl

Yes, but it is not updated on the screen even when you press F5 for refresh (you need to toggle to another tab and back), and it does not reflect the number of accepted prefixes, only the (approximate) number of prefixes the other side sends. So, before filtering. So it is not as useful as it was in...

pe1chl

Probably this limit was invented 10 years ago and with todays hardware it could well be higher. Maybe better would be to make this property settable and have the user decide how much RAM they want to spend on connection tracking... I see no reason to limit this. If the system needs it, it needs it....

pe1chl

It should not be an issue, because almost all websites are now https and all updates (Microsoft, MikroTik) are digitally signed so you cannot setup a website hosting trojaned ROS images.

pe1chl

Yes, sure that would be more versatile. Of course it could also result in disgruntled users that claim the router has a memory leak. See the 7.15rc topic.

pe1chl

No, unfortunately that wasn't it... I still see sequences like this: 2024-05-17T14:37:50+02:00 N0280 n0211-1 {l_addr: 172.22.32.126, r_addr: 172.22.32.12} Connection closed 2024-05-17T14:37:50+02:00 N0280 n0211-1 {l_addr: 172.22.32.126, r_addr: 172.22.32.12} Idle 2024-05-17T14:37:50+02:00 N0280 n021...

pe1chl

The maximum connection tracking entries in Linux is a parameter (stored in /proc/sys/net/nf_conntrack_max) which can be tuned. The documentation for RouterOS states: --------------------------------- max-entries (integer) Max amount of entries that the connection tracking table can hold. This value ...

pe1chl

Well, at least they could have integrated some filter so that VLAN information is not silently dropped when the network card driver does not have a VLAN configuration interface. It was never a good idea to put that layer in the network card driver and the manufacturer-specific config section, but I ...

pe1chl

I cannot imagine a situation where you would usefully have a port as an untagged member of multiple VLANs, which is a flexibility that this config provides. Most other manufacturers do not even allow such a configuration. I can't even imagine how such a config would work in practice. Destination IP...

pe1chl

Please consider to make a 5G product similar to what is now on offer for LTE6. (a separate (semi-)outdoor PoE-powered device that can be connected to an existing PoE-providing router to have a 5G link and can be located at a place with good coverage, i.e. outside of the server-room 19" rack whe...

pe1chl

Works for me too.

pe1chl

Don't tell us that VLAN configuration is done differently in RouterOS than by everyone else! That simply is NOT true! Across the board there are different ways of handling VLANs, broadly speaking: - the VLAN-centered method where you configure a VLAN and specify which ports should be tagged and unta...

pe1chl

Did you already add the mangle rule?

pe1chl

It appears the mt.lv server hosting the newsletter is down at the moment...

pe1chl

... when a user process (like the DNS resolver, the proxy, etc) allocates memory, it normally does so by requesting a block of memory from the kernel, giving out small pieces of that to the program requiring them (e.g. a cache, some buffers, some other data structure), and when the program decides ...

pe1chl

I think I am closing in on the problem... It turns out that the L2TP client addresses of the different routers get sent around using BGP, mostly due to the different way that BGP networks and filtering work in v7 relative to v6. Whenever an L2TP link closes, that info gets sent around the entire net...

pe1chl

Yes, but what do you want to happen? Should the router not add more entries to the list when that would consume all memory, and then MikroTik would run the risk that an outraged user would spam all It's not about what I want to happen. I was explaining that the used memory should not grow up to 100...

pe1chl

VLAN routing is broken because the PCC mangle rules (the third set of mangle rules) specify that everything that is !local goes to the WAN. So my VLAN traffic is being sent to the WAN. To fix this problem I defined a “Connected-Subnets” “Address List” which contains each LAN subnet. 192.168.1.1./24...

pe1chl

Yes, but what do you want to happen? Should the router not add more entries to the list when that would consume all memory, and then MikroTik would run the risk that an outraged user would spam all the way over internet that their router was hacked because it failed to block an attacker even though ...

pe1chl

Not quite. What RoS reports as "used" memory is the equivalent of the field "used", given by the command "free". THIS value should not grow until everything is used. What should grow until memory gets all used is "used + buff/cache" - but this isn't what RoS ...

pe1chl

There is a problem with route enumeration using snmp, e.g. using the command snmpnetstat -v2c -c public -Cr hostname In some cases, it continues printing the same route over and over, it seems the "get next" gets in a loop. Not sure at which version that exactly has been introduced, but it...

pe1chl

*) system - skip configuration upgrade from RouterOS v6 on configuration reset;

Is there already some way to delete RouterOS v6 configuration from an upgraded device? (other than netinstalling it)

pe1chl

If this description is correct and complete, and they go straight to 7.15 stable without clarification about this, it will be a typical case of MT behavior. That is of course utter nonsense. EVERY SOFTWARE MANUFACTURER puts versions into release with known problems. The only thing you can blame on ...

pe1chl

The problem of course is that RouterOS (and the devices it is running on) is so versatile that there always are many bugs, but most users will not see them. E.g. the "BGP causes 100% CPU" bug is something I have never seen, but I do not use BGP for an internet routing table, but rather for...

pe1chl

Probably a PMTUD problem. You should not change MTU on the GRE (except to set it lower when the internet MTU is not 1500, e.g. when you use PPPoE). Instead, make this mange rule to decrease MSS on the TCP connections: /ip firewall mangle add action=change-mss chain=forward new-mss=clamp-to-pmtu pass...

pe1chl

Remember that connections made before you change a firewall configuration can continue to run even when changes in the configuration would preclude that.
So you should be careful with "I do this and then I change that and now this or that" kind of testing.

pe1chl

1. Cleanup old documentation -ie delete it wiki.mikrotik.com and mikrotik.com/download/pdf/MT_Manual.pdf are a couple of examples that really need to go. I don't agree with that! It is already bad enough that most MikroTik documentation is not linked a version history of RouterOS. When you are runn...

pe1chl

It doesn't matter what your requirements are, the product line never matches it. The TS apparently wants the perfect device for the least amount of money, or else he gets in a divorce. But even without that problem, it is difficult to find the perfect device for everyone! E.g. I would like a device ...

pe1chl

The reason that your setup works in v6 and not in v7 probably is that in v7 a routing mark means "lookup ONLY in this table" and in v6 it meant "lookup first in this table and then try table main". This subtle difference means that you NEED to either put explicit routes to the lo...

pe1chl

Even in v7 the VLAN features are OK with the old WiFi driver. The problem is in the new wifi-qcom(-ac) driver.

pe1chl

Don't know why we can't all respect MT support's repeated requests to keep conversation to specifically functionality new/changed in 7.15 so they can work on finalizing a clean release. The reason is that these release topics are the only topics that are often read by MikroTik personnel. So chattin...

pe1chl

Yes, it is an old topic. I think I put a remark in another topic before.
It is a pity that this is not available... it seems that simply changing a bounds check on the value would make it possible.

pe1chl

Now that the VLAN-filtering bridge supports ingress filters like frame-types=admit-only-untagged-and-priority-tagged , does RouterOS (possibly via some trick) already allow sending priority-tagged frames? It would seem to be easy: add a VLAN with ID 0 to the bridge and set the port to "tagged V...

pe1chl

It is impossible to debug such things remotely. All I know is that such constructs work for me.

pe1chl

I think nobody would group "VLAN" under enterprise features or even features to be excluded from a light version! To the contrary, I think the omission of VLAN features in the new WiFi driver is a serious omission that should really be fixed. But a light version to be used on access points...

pe1chl

Then, someone from MT lists V7 as the official and recommended version for download on the HAP lite product page. I agree that this is bad. They should not recommend v7 on devices that cannot run it. Devices like hAP lite even struggle when running later v6 versions, let alone v7. But I guess it is...

pe1chl

But if you use it with configurations similar to those from the old RouterOS v6, you will find that over time, memory will leak, and disk space will gradually drop to zero Once again, and for the final time, "the memory" has NOTHING to do with "the disk space"! These are two dif...

pe1chl

Having it with the default "skip-dfs-channels" does not make it "not work", it just makes it take longer to start after a reboot. When in the past you have started the router, first have connected via wired connection or 2 GHz and have been busy with that, you may never have noti...

pe1chl

So, if you're just experiencing memory leaks, I suggest routinely restarting the device. What I encountered was the disk space leaking to zero. I'm not sure what was being recorded inside; the files directory was empty and of no help. Moreover, this problem only occurs with RouterOS 7.x. Since the ...

pe1chl

That will be an endless uphill battle. When you are selling such a limited service (or your clients buy it and ask you to maintain the router) you should simply explain to them that it has limited usefulness in today's world, and that it will easily be saturated. And tell them that their policy shou...

pe1chl

The reason that this does not work well is that there are multiple addresses for each domain name, and that the returned addresses vary depending on where the DNS request is coming from. When your router is making DNS requests for these domains via the DNS resolvers configured in the router, it can ...

pe1chl

Observing more closely it does not seem to be related to "session to the same IP". It is important that on the central router the connections are listen=yes connect=no (i.e. "passive"). All connections are running (session is active), then one of them closes for whatever reason, ...

pe1chl

Yes of course that is possible, that is just a dst-nat rule (possibly combined with a src-nat rule to translate the source address as well)...
I thought you already tried that.

pe1chl

Besides that, there are a lot of very educational videos on Youtube.
E.g. on the MikroTik channel

https://www.youtube.com/@mikrotik

pe1chl

At the moment I think it is more a "RB5009 USB issue" than a "LTE stick issue"....
Boy that be good to know if same stick worked in another Mikrotik.

See my post above on Tue Apr 23, 2024. For me the stick is detected OK but it is unreliable (compared to before).

pe1chl

When your kids have Google software (Android, Chrome) they already are using DoH without knowing it...

pe1chl

Thanks. Can confirm that the root server queries are on port 53. So for now I have 53 blocked on my firewall for everybody except the piholes.

That is fine, as long as you understand that in today's world that does not do anything.
(because of DoT, DoH and VPN)

pe1chl

At the moment I think it is more a "RB5009 USB issue" than a "LTE stick issue"....

pe1chl

My stick is a Huawei E3372 as well, the type that functions as a NAT router ("Config-less LTE interface" it says in the supported models list). It was really stable on v6 but on v7 (with the RB5009) there have been hickups. But not at every provider disconnect, these happen every 8 hours h...

pe1chl

That is a "known bug" or "works as designed", depending on who you ask.
Personally I am not against requiring a specific rule for "action=lookup routing-mark=abcd table=abcd" but it should be documented and be consistent between IPv4 and IPv6.

pe1chl

Also, when the viewers have been on Youtube before they will remember the countless ads for VPN services they have seen there.
So they will install one of those and your Youtube Block Attempt will turn into a VPN Block hunt.

pe1chl

Really? With old wireless driver I could see the wifi symbol on my Android device disappear and reappear after 1 ~second. It was clearly not just some milliseconds. That is just UI, I would not consider that a measurement. It is better to e.g. make a VoIP phone call over WiFi and have it play music...

pe1chl

Well, setting VPI/VCI is done by setting the VLAN you use towards the module. There is a table somewhere. But it has common values only, when your ISP uses a unique VPI/VCI it will not be in the table and it cannot be used, maybe unless you manage to read the flash from the module, find the VLAN->VP...

pe1chl

I have one but I cannot guarantee that it is still working OK. It worked when I last tried but it runs very hot.
When you like to consider it I trust you can find my contact information (mail address) based on my username.

pe1chl

That is what happens all too easily anyway. We have deployed N AP's configured with 10 MHz bandwidth and when the AC CPE's appeared they could not be set to 10 MHz (although the datasheet of the chip says it can), so we are in a similar corner. Users being forced to buy outdated N CPE's unless at le...

pe1chl

It does that without any roaming support at all! The roaming really isn't much faster with "Fast Roaming" (FT) and WPA2-PSK. The advantage of this addition is mainly there when you use WPA2-EAP (and also WPA3 I think).

pe1chl

And what also doesn't work is setting VLAN ID dynamically for individual wifi stations (either via ACLs or via radius server) which otherwise use same SSID and same wifi interface (note that this is not the same as running virtual WiFi with different SSID which comes with separate wifi interface on...

pe1chl

That is only until Youtube have migrated their entire website to QUIC.

pe1chl

One problem with the RB5009 you need to be aware of is that it has 4 cores and variable clock speed. It will normally run at 350 MHz but it can kick up to 1400 MHz when the OS decides that this is required. Unfortunately the mechanisms used to do this speed governing seem to be not optimal for route...

pe1chl

Now that you know that bonding is not possible and you need to have load balancing, search again on the forum!

pe1chl

This will block a lot of stuff. it's not perfect. There is no perfect solution. It really depends on who your users are, how hard they will try, and how bad it is if they succeed as to how much work you want to put into making it harder and harder. When you have users that even have the slightest m...

pe1chl

Nowadays, even the SNI field (TLS Host) is often encrypted using ESNI encryption.

And Youtube runs over UDP when possible, which "TLS host" does not support.

pe1chl

it works even without running capsman

That is only for roaming between 2.4 and 5 GHz on the same AP.
When you have 2 APs you need capsman.

pe1chl

That is likely something that (also) depends on your particular configuration.

pe1chl

It is because your ISP blocks the NTP port 123 for you. As explained above.

pe1chl

Yes an older RB4011 can run v6, but I think when you buy one today it will come with v7 and cannot be downgraded to v6. That is also true for a couple of other models. Sometimes changes are made to the hardware without ever telling us (e.g. via some "v2" addition to the type) and the corre...

pe1chl

That app issue is probably the app only supporting the old WiFi driver and you using the new one (or vice-versa).

pe1chl

Ok then the possibilities seem to be to use the console port (assuming you can find someone nearby to plug a cable). And lesson for next time: when you do that kind of config, always first click the "safe mode" button and click it again when you are done. When making mistakes like this, it...

pe1chl

I still see a problem with announcing IPv6 addresses. When I enter an IPv6 address with advertise=yes that gets properly advertised. When I change that to advertise=no, it is still advertised but with "Preferred lifetime: 0". That is OK, it means "deprecated" and a system with a ...

pe1chl

Ok so maybe you can try that VLAN method too. Make a VLAN for the VoIP devices, configure LLDP to use that Voice VLAN, and when you connect a phone it will automatically use that (tagged) VLAN on whatever port to use your VoIP service. But when you connect a normal PC, it will remain on the untagged...

pe1chl

Why is that specification of MAC address even required? We have lots of VoIP phones and we just plug them in whatever port.
(the phones are even on another VLAN but the get that info themselves from LLDP)

pe1chl

I would also be interested in such a device for the company where I work. Something like the SXT LTE6 or the ATL LTE18 but then for 5G. I guess until such a thing is available we need to go for like a Chateau 5G model or something from another vendor. (it is not really needed to put it outdoor, but ...

pe1chl

The problem is that with the new driver, any SSID can only be member of ONE VLAN, the untagged VLAN on the bridge port where it is connected. So when you have a main network and a guest network, you can work with the current situation by having two SSIDs and configure the bridge correspondingly. But...

pe1chl

Just reset the switch to factory defaults (button press during powerup) and load your latest configuration backup.

pe1chl

Yes that is like here, a little breeze makes a lot of difference.
But this temperature is nothing to worry about, it would be a good idea to do something when it gets above 60 or 70.

pe1chl

Indeed, my RB4011, hAP ac2 and LHG5ac all came with v6. But probably new instances (when still made) will be v7.

pe1chl

Yes, that would be a good idea. Probably mentioning that it does not seem to perform well when the task at hand loads only a single core. 47C is not bad. I now have 3 of those RB5009 running and two are on shelves in 19" cabinets, run at 48/49C and one is on my desk and it is 43C. (all of them ...

pe1chl

These versions are of course installed on routers in the factory. Do you still manufacture devices with v6 preinstalled? I wondered about that too, but it seems like some old models that never had a hardware change in the past years still use v6. (not that having a router with v6 guarantees that a ...

pe1chl

My experience is that all devices that I buy come with RouterOS that is a couple of versions down, so I immediately upgrade them to latest stable. But for defconf changes that is already too late, unless the procedure above is followed. I always to that, but I doubt the average customer does. Exampl...

pe1chl

*) defconf - updated wireless password handling; Good !!! All those defconf updates for 6.49.x are probably not going to bring anything. Who is going to update their device and then reset to defaults? Even after buying new devices that is not part of the usual installation procedure for most people...

pe1chl

Yeah, I think the CPU governor should keep it at 1400 MHz for some time when it has deemed that to be required, not fall back so quickly. It was probably coded (or tuned) more for a workstation than for a router. One of the problems probably is that the PPPoE is single-threaded (to avoid packet re-o...

pe1chl

I have read in other places that there are performance problems with the switch on the RB5009. Not sure what is really true, some people claim it helps to remove the 2.5G from the advertisement list on ether1 but i can't believe that. I have a couple of RB5009 in the company but none in a configurat...

pe1chl

My experience is that the addresses are requested/assigned in the order you created them, and this is the same every time. In my case that results in the first interface getting :1: at my ISP, but when I use the same config behind an AVM router it gets :fc:. So no, no direct influence on what subnet...

pe1chl

In RouterOS v7 it seems that when two or more peers have a BGP session to the same local IP, and one of them closes, they all are closed. The log says "Idle" for those sessions. Usually they are quickly re-established by the peer and remain up from that time. In my config this occurs for a...

pe1chl

Actually it is not necessary (and not a good idea) to increase the MTU on an ethernet device "to accomodate VLAN". VLAN header overhead is incorporated in the ethernet device settings automatically. You ONLY need to increase the MTU for the PPPoE overhead, so the device where pppoe-out wit...

pe1chl

I have also made a SUP case (SUP-151076) as past night the RB5009 rebooted by itself (claiming it was probably a powerfailure) without visible preceding issue with the LTE stick. They advised me to install a script that checks every 10s for LTE1 and if it is missing immediately makes a supout file. ...

pe1chl

Yeah that is all fine, but I had the (physically) same LTE stick plugged into a RB750Gr3 running 6.49.10 for many years, and there never were problems. Now I swapped the router for a RB5009 of course running v7 (in my case 7.12.1) and there are these problems. They can say "it is the stick caus...

pe1chl

You could enable logging to disk of wireless events and hope that there still is something logged before it really crashes.

pe1chl

That is not what I am suggesting. What I suggest is that when a radar event has been detected, several channels be monitored at the same time, to more quickly select a new channel with least chance of radar events. As it is now, when the device experiences radar on channel 100, it will happily switc...

pe1chl

Well, that is usually the first phase with bugs reported to a vendor or software developer: denial. Only after many reports have come in and they decide to do further research, it will become apparent it is a problem and something has to be done. Compare it to the 16M flash situation. We have been t...

pe1chl

As a workaround, I have made this script and scheduled it to run 2 times per day, at a time when the network is least used: :if ([:len [/interface find where name="lte1"]] = 0) do={ /log warning "no lte1 interface, rebooting!" :delay 2s /system reboot } The router logs to an exte...

pe1chl

It is only one step up in price category. And you also get sufficient flash for upgrades and partioning so that is not a bad deal.

pe1chl

I'm not so sure about that. E.g. on other manufacturer's equipment, one chain can remain operational while the other scans or surveys the band, monitors neighboring APs, etc.

pe1chl

It would be nice when the AP would make (more) effort to monitor several channels at the same time while looking for a candidate channel... This would only be possible if device would have two receivers ... But todays devices all have two, three or four receivers! Whether they can be independently ...

pe1chl

Furhermore, in BSD syslog mode you can set a facility/severity (which is convenient to send the MikroTik messages to a fixed place), but the MikroTik-specific topic strings are never sent to the syslog server.
This has been mentioned for many years but nothing is ever done about it.

pe1chl

I would say that when the operator has not set specific channels, a DFS event occurs, and the AP cannot decide on another channel, it is a device problem not a configuration problem. However, patience may be required. Some countries mandate that the AP monitors a new channel for 10 minutes before it...

pe1chl

The latter is usually caused by the flash memory being completely full.
Check System->Resources and look at the HDD space. When it is zero or near zero (e.g. 8K), you are in trouble.

pe1chl

Basically it is just a big mess.
Some forum members try to get MikroTik's attention, but it seems impossible.
See this topic (among others): viewtopic.php?p=1069280

pe1chl

Coincidentally I migrated a site from a hEX (RB750Gr3) to a RB5009 with LTE backup using Huawei stick, and now I also have a problem... It may however be a different issue. The link was up for over a week, including some provider disconnects, however then suddenly the link disconnected, the LTE1 de...

pe1chl

Or more general: add an extra topic to each and every unique log message, which is some numeric code that uniquely identifies that particular message.
That allows us to easily log or exclude particular messages.

pe1chl

Cumulus got bought by nVidia, BigSwitch got bought by Arista, Nicera got bought by VMWare and relabeled to NSX, Microsoft came out with Sonic

That sounds like a thing not to touch even with a long pole!

pe1chl

No, that should not happen. Coincidentally I migrated a site from a hEX (RB750Gr3) to a RB5009 with LTE backup using Huawei stick, and now I also have a problem... It may however be a different issue. The link was up for over a week, including some provider disconnects, however then suddenly the lin...

pe1chl

Coincidentally I migrated a site from a hEX (RB750Gr3) to a RB5009 with LTE backup using Huawei stick, and now I also have a problem... It may however be a different issue. The link was up for over a week, including some provider disconnects, however then suddenly the link disconnected, the LTE1 dev...

pe1chl

You need to use CAPsMAN for that...

pe1chl

Ok. that might have been the reason behind the problem reported in SUP-135512.
It has not recurred after 2 reboots in a couple of days, but maybe the specific traffic pattern has not occurred again...

pe1chl

Yes, there is a bug there, but usually it does not no it every 10 seconds but rather every couple of hours.
Maybe 10 seconds while that check is still trying and has not yet displayed a fail message.

pe1chl

Ok then it will become more difficult. You need to check if the ISP router supports IPv6 prefix delegation via DHCPv6, if necessary you need to enable that. Then you add a DHCPv6 client on the MikroTik, with "request prefix" and a pool name, e.g. "ipv6pool", and the option "...

pe1chl

Start by removing all options in "IP->Cloud".

pe1chl

Is it in routing mode? Is there a reason not to use bridge mode?

pe1chl

When you want to define what the device should do in your opinion, please create a ticket at the MikroTik support site! "You just don't get a link, unless you set the port on the CRS51 C0-8XS-2XQ-IN to 40 Gbit." But what do you mean with that? You turned off auto negotiate? Or did you remo...

pe1chl

It means your L2 link is dead. A blank MAC address in an ARP entry means the entry is "incomplete", i.e. there was no reply to the ARP request. That being said, a difference between v6 and v7 is that v7 never clears the ARP table. So even after an entry is unused for a long time, it still ...

pe1chl

Remember that when you do not use autonegotiation, you have to manually set both speed and duplex mode AT EACH END. When not setting full duplex, the default is half duplex (for reasons of backward compatibility to 25 years ago), and you will get this warning when the other end is configured for ful...

pe1chl

Request: some function to "compact databases" so that the size of the databases again corresponds to what you would have after a "reset configuration" and an "import" of the current configuration (plus things like certificates etc). As it is now, the databases size tend...

pe1chl

It seems that in practice most problems are related more to the actual configuration than to the hardware model. That is why one should always at least include the "/export hide-sensitive" output. There are some models with "known issues" but I do not think the 1100 is much affec...

pe1chl

It does not always happen, maybe only when you have a certain number (or type) of interfaces.

pe1chl

Besides that, MikroTik have also stated on this forum that you can ask the password at your distributor/seller.
I assume it will then be provided in a mail or so, and this problem with recognizing the characters does not exist because you can cut/paste it.

pe1chl

Indeed it looks a lot more tricky, but maybe I have done it that way in the past... I think I plugged the stick, the LTE1 device was created, then I unplugged it and made a DHCP client on the LTE1 device, then re-plugged the stick. I can try to do that again... but will be during next working week. ...

pe1chl

Ok, but I am not sure I want that... it is convenient in the config that the local address is always the same, and the double-NAT is no issue. This link is not used for normal outgoing traffic, the L2TP tunnel is one of the BGP peerings to the central router, the usual traffic flows over GRE/IPsec v...

pe1chl

Well, the HUAWEI stick just presents itself as a NAT router, it isn't really an LTE device (no properties of LTE visible at all)... So it would be sufficient to just to a DHCP request, you get IP 192.168.8.100/24 with gateway 192.168.8.1 and everything works. As I want to use it only for a backup L2...

pe1chl

Today I replaced a hEX gr3 running 6.49 with a RB5009 with 7.12.1 One of the functions of the router is a backup via an LTE USB stick (HUAWEI). When I plugged the stick from the old router to the new, a DHCP client was automatically created. However, I want to edit the settings of that client. It is...

pe1chl

As far as I understand in v7 MikroTik have ripped out the entire routing function of the standard Linux kernel, and re-done it themselves... (I suggested to make "routing" a separate optional package as it was in v6, but I got the reply that without routing the router would be useless. In ...

pe1chl

It has been discussed in other topics as well, after some denial the users install such a NAT rule and all starts working. (even after the ISP has claimed "they do not filter") Of course it would be best when MikroTik added a new option to NTP client: use random source port number (instead...

pe1chl

I would have expected some kind of API as that's more efficient (no need to parse command line) and less prone to breaking changes. All the config methods are abstractions over some internal config schema (see /console/inspect). So...I'm just not sure where efficiency comes in — once config change ...

pe1chl

When you have a 5009, you can always partition it so you have a rollback copy in case something goes wrong. When you remove power during the boot process it will switch to the other partition, so you can ask someone to unplug it, wait 15 seconds, and unplug it again. Or you can make a clever script ...

pe1chl

Does WinBox effectively issue CLI commands to get/set changes?
I would think so. If you look at command history, it looks the same if its run from Winbox or from terminal.

No, it is more like API calls.

pe1chl

Yes, you could certainly write a web management tool that performs all its actions via API. That basically is what winbox is doing as well. The winbox protocol and API probably have a lot in common. I think what winbox has extra is the capability to query the available commands and the corresponding...

pe1chl

Central (overall) management is the topic of another thread.
You know, one of those "we are considering, we want your input" and then you never hear from the product again.

pe1chl

I experimented a while with a SFP ADSL/VDSL modem, and it had the same problem. The SFP standard has been designed with active cooling devices in mind (datacenter switches) where there is some over-pressure in the cabinet that flows out via the SFP slot. Without that, all except the most modern opti...

pe1chl

Not very useful, those "I don't understand why you would want that, so you should not want that!" replies. I understand what you mean but there is no direct solution in RouterOS. It has been proposed before that it would be useful to have some "mnemonic name" for an IP address ot...

pe1chl

From the product page of the S+RJ10: Any MikroTik device with active cooling that has SFP+ ports can now be used without installing any optical fiber, just plug the S+RJ10 and your network can be upgraded to 10 Gbps, making it ready for the next generation of RJ45 hardware. S+RJ10 module is supporte...

pe1chl

Which is why IMO effort should be directed at web applications, not native apps. There's already WebFig ... functionality-wise it's on par with WinBox, so no need to re-invent the wheel. No it is NOT! Work is required to bring it on par. There should be multiple windows, tabs in the windows, saved ...

pe1chl

It is not only switches. I recently looked for a product to add high-performance LTE to a site where we have VDSL and cannot have fiber. I found the ATL LTE18 kit. It seems like a semi-professional device. But even this has only 16MB flash. Now when we install RouterOS >7.13 of course we can remove ...

pe1chl

I don't understand what you (pe1chl and Paternot) are talking about. On devices with 16MB the update packages are already downloaded to some "internal" tmpfs on volatile memory. And you say, devices with e.g. 128MB flash memory do download the upgrade package to flash instead? You underst...

pe1chl

Will MikroTik add specific support for the PtMP use case? Other manufacturers have (unfortunately) already added their own proprietary extensions, so unless MikroTik will do it in a compatible way we will probably have the same mess as before? (PtMP optimized setups only working when all equipment i...

pe1chl

ROS 7.7 - see https://help.mikrotik.com/docs/display/ROS/Disks#Disks-AllocateRAMtofolder But doesn't help what we were talking about: using RAM to store the upgrade MikroTik could (and should) fix that! When a RAMdisk of sufficient size is available, use that as the temp area for download of the up...

pe1chl

It might if ROS was changed to use RAM disks more aggressivelly. As it is now, 128MB on audience isn't enough (or it wasn't back in v7.5 times), with 64MB partitions upgrade didn't succeed due to lack of flash space. It's because with audience's 256MB RAM, RAM disk is not used. It seems that flash ...

pe1chl

Using the CLI avoids the trouble described by dwnldr above my post. That is the point. CLI is explicit. Winbox is "QuickSet light". Come on! That is just hogwash! Winbox has the gui widgets available to indicate if a value is empty or unset. That it does not work correctly in these new me...

pe1chl

Maybe they added some cleanup code, as I mentioned above after an upgrade to beta9 my Free HDD space went from 188 to 844 KiB! So this was not using netinstall, just an upgrade from within RouterOS. I think (but I am not sure) that this device was upgraded from v6, not netinstalled, so it may be tha...

pe1chl

I don't have much personal experience with the WiFi menu, because the new WiFi system is unusable for me as long as it does not allow to assign a VLAN to a user via access-list and RADIUS. Hopefully that will be implemented soon. However, I installed it on a test device and observed what was basical...

pe1chl

Could you please give us an example? For example, when I make a BGP template with local AS 65530, and I make a BGP connection referencing that template, the connection will have AS 65530 with white background. When I remove that using the up-triangle and save it, it will come back. I asked that que...

pe1chl

Well, one of the things I call buggy (and what you may call "confusing for first time users") is that the inherited values shown in winbox get written back as individually configured values when an item is saved. That is not how most users expect it to work. I expect inherited values to be...

pe1chl

@pe1chl - yes. Im using wifiwave drivers since they appeared in v7 Ok, you probably have more experience than I do. I changed the wifi driver on a LHG5 ac that I have here in storage, just to see if it works and how the status is with the space issue (seen 7.15beta9 for good news!). What I noticed ...

pe1chl

Did you update both sides? Maybe the bridging protocol in the "wifi-qcom - updated driver" is subtly different from the previous one?

pe1chl

Did you try just rebooting the Comcast router without shutting it down for an hour? Usually it would be enough, at least for me it is with AVM Fritzbox routers that we have on our local ISP which assigns a static address to each subscriber. The NAT table issue in the Fritzbox is then cleared. It can...

pe1chl

Is that with the new WiFi driver? Its configuration is a bit confusing because it can be done both in profiles and directly on the interface.

pe1chl

I upgraded the LHG 5ac I use for testing (only) from beta6 to beta9 and the Free HDD space went from 188 to 844 KiB!
(using the new WiFi driver)
So that is good!
However I cannot upgrade my hAP ac2 until the dynamic VLAN assignment per user on WiFi interfaces (via accesslist and RADIUS) is back.

pe1chl

For some reason the L2TP/IPsec link will only work when the port number 500 is passed on without translation, and when the ISP router sees more than one IPsec connection it will change the port number and you will not be able to get it working again until the conflicting NAT entry has been deleted. ...

pe1chl

It often helps when you disable the L2TP link for ~10 minutes so all NAT entries in the ISP router get cleared out. Other than that, there is little that can be done. When other users behind the same router have L2TP to your "central" MikroTik router, there is your reason: the MikroTik rou...

pe1chl

Yes. This is caused by NAT issues in an ISP router that sits in front of your MikroTik.
Restart that. You can also sometimes avoid it by configuring the MikroTik as "DMZ host" in that ISP router.

pe1chl

Can you help me figure out a napkin scenario where it actually does cause a loop? I tried to think up one but couldn’t, at least not with EBGP and sane tie-breaking rules (like those I described). The issue is that in a more complicated network, a route that you get from a peer may ultimately be co...

pe1chl

They are the same, as they always are. It is not clear why there is a separate "development" and "testing" channel, it only causes mistakes and confusion. "development" could be some daily-build or alpha channel, but MikroTik does not publicly release alpha versions, th...

pe1chl

That only works (reliably) when you are facing the simple situation of two BGP peers that send you a locally originated route (e.g. a default route) over 1 hop. When the network is a little more complicated (several routers with several links between them, i.e. a partial mesh) such simple hacks may ...

pe1chl

Up until beta8 it was (and still is) in development channel. As beta versions usually are.

Well, now they have set the development channel to 7.15beta9 as well...
Apparently it is easy to set testing and development to any version, but difficult to set long-term to 7.12.1

pe1chl

I am using a 5009 with several ports with VLANs (all on a common VLAN-aware bridge) and I have not yet observed such a problem...
I have set the STP mode to "none", as I always do in places where there is no need for STP.

pe1chl

It would be nice when the BGP Sessions window in winbox finally would become auto-refreshing as it was in v6. When the sessions window is kept open, it shows a fake "uptime" and all other sessions status is not updated until F5 is pressed. This is inconvenient. In v6 (BGP Peers) it worked ...

pe1chl

Anyway, when you have 0KB HDD space available your device is a time bomb. It will not survive a reboot.
So now you need to netinstall it, and after that you can try again.

pe1chl

When you need more powerful processing and do not want to use "the cloud" you could also consider running a container locally on the router (at least when the router is sufficiently equipped for that).

pe1chl

1d6b  Linux Foundation
	0001  1.1 root hub
	0002  2.0 root hub
	0003  3.0 root hub

pe1chl

This is the "usb root hub", the router side of the USB bus. It was always there, also before you connected your phone. You cannot remove it.

pe1chl

I had one hAP ac2 brick itself after the upgrade and resetting it didn't bring it back to life. Fortunately I had a hAP ax3 on-hand spare to swap it with. The other hAP ac2 and lower models I'm managing I've had to pause auto-updates on (and just in time.) Bottom-line in my opinion, the ac2 and low...

pe1chl

Thank you. When i changed mode on RB941 from B/G to B/G/N it connected to WiFi. Then i had problem because RB941 didn't want to get IP from DHCP. Then it got IP but i didn't get IP on my laptop that was connected to RB941 even i connected to ether port that was in the same bridge as WiFi. As I alre...

pe1chl

I don't think that is related to timezone, the availability of new versions is not determined by time but by fetching a specific URL that returns the "latest version", which is then compared to the installed version. As you see, it may even be lower. What this indicates is that the server ...

pe1chl

This is not sufficient for devices that work by default without you ever having to log in. 50k Cisco devices do absolutely nothing when you power them up first time, you need to do a lot of configuration. But a MikroTik router connected to a line with DHCP will often work with the default config, a...

pe1chl

All other brands I've used so far (from cheap Chinese ones to 50k Cisco ones - with the exception of Fritz), simply force you to set a password on first login. This is not sufficient for devices that work by default without you ever having to log in. 50k Cisco devices do absolutely nothing when you...

pe1chl

Will this apply to Cisco, Juniper, Arista, etc. as well?

Certainly for their products intended for, or likely to end up on, the consumer market.

pe1chl

As a Chateau LTE 12 owner, I cannot even get past v7.14, let alone, v7.14.1 or further, as no storage, so how is that going to work. That is a different problem... it has been mentioned often enough already. For now, what you could try is to export and backup the configuration and then netinstall i...

pe1chl

They should have used lightseconds instead :-)
Then we can all agree and no internal conversion is required...

pe1chl

RouterOS does not copy values from template to connection config. Winbox is doing that if you open connection and apply config. Ok, consider that a bug and put it on your list for fixing... Winbox should not apply parameters that the user does not enter. (in fact, I have seen other forum posts wher...

pe1chl

No, I have never wasted my time on a RouterOS OpenVPN server, I am using Linux with the openvpn.net server instead.

Also, my usecase does not require paranoid encryption parameters, so I just use AES-128-GCM. But I don't know if that affects the situation with MikroTik.

pe1chl

Yes, Templates can be used to provide default values to a larger number of Connections. What you set in the Template you do not need to set in the Connection. (unfortunately, for some values RouterOS does not keep the value in the Connection "blank" but instead copies the value from the Te...

pe1chl

The point still remains that this new feature has not been implement because the programmers think the users are idiots, but because practice has shown that they are. There have been too many MikroTik routers on the internet without a password, and never being updated either. After several incidents...

pe1chl

OpenVPN support in v6 is really limited. e.g. it does not support UDP transport, only TCP. and does not support more advanced ways of authentication and several newer OpenVPN features. In RouterOS v7 it is a bit better. But the situation basically remains that MikroTik has written their own OpenVPN ...

pe1chl

pseudobridge on a device using the old wireless drivers cannot connect to a device using the new drivers. so you need to use normal station mode, not pseudobridge. of course that changes the functionality. you may have to make some config changes e.g. change from bridge to router mode in these clien...

pe1chl

What they mean is they are working on making it smaller, and that they expect to have something by the time rc1 is released. As there has always been growth when adding new features, and the size of 16MB is already not very large compared to modern software "standards", I expect the only w...

pe1chl

Maybe you have "graphing" running with "store on disk" enabled (and store every 5 minutes)?
And/or DHCP "store leases on disk" set to "immediately" and a lot of DHCP activity (short lease time and/or unreliable connections)?

pe1chl

However, the wifi-qcom-ac drivers bring other significant improvements that go beyond throughput. Unfortunately they also bring the big disadvantage that you can no longer dynamically assign a VLAN to each client... (via access list, mac authentication, or WPA2-EAP) That really should be fixed befo...

pe1chl

Guys, remember that most of the lab devices they are developing on have nothing else on the disk, so 7.14/7.15 etc. all fit and work fine because likely the CI/CD setup is wiping those test devices with a fresh netinstall every time. You can't expect a lab device to load up all the cruft many of us...

pe1chl

with an footnote on RB4011i, that new wifi-qcom-ac only helps with 5Ghz, and the driver does not work for 2.4Ghz AFAIK... but RB4011 more storage too. Perhaps some new "wifi-qcom-ac-lite" without QCA9984 driver? And the "wifi-qcom-ac" can still be used on Audience and RB4011, ev...

pe1chl

You can only indentify different peers before starting parameter negotiation when using exchange mode "agressive" instead of the default "main". That will again be a problem when you want to abide by the rules of several different client OSes. RouterOS decides which peer configu...

pe1chl

Of course when you use a max 105c capacitor, and you run it at 105c, you are asking for problems...
One would hope the temperature in that area is less than 105c.

pe1chl

And your comment about ROS7 scripting is valid in a ROS6 thread because ... ???

Well, maybe because when you have a router that originally had a v6 release before 6.49.13 with IPv6 enabled, and you upgraded it to v7, that wrong rule will still be there and has to be corrected.

pe1chl

Don't tell us you were not aware, and were not warned, about possible space issues on 16MB flash devices!
It was discussed on the forum from the time those were released. Remember the original MikroTik products usually had 64MB or 128MB flash.

pe1chl

Whatever is the situation, something has to be done. Denying the problem no longer works.

pe1chl

do you mean via RADIUS?
nope, I want just the existing feature in wifi-qcom driver

That is not a required feature, you can assign the VLAN in the bridge.
What is missing is the dynamic assignment via RADIUS or bridge filters.

pe1chl

I don't know if it is a known issue, I only know that I do not experience it.
(and I have a similar config running under 7.12.1)

pe1chl

There is a major problem: it has only 15.3 MB flash (several other devices have 16 MB but this has less) and this is becoming a problem with recent RouterOS versions. You can install 7.12.1 and keep that as long as possible, and maybe there will be a solution (like a lite version of RouterOS). Until...

pe1chl

I'm running several routers with RSTP, but for me the current "stable version" is 7.12.1 So I am not running 7.14 on any production device.... only in test environments where there is no bridge. So maybe try installing 7.12.1 and remain on that version for some time (until the many new bug...

pe1chl

The issue probably is that .npk packages are mostly a read-only compressed filesystem that is copied to the flash in its entirety and then are mounted at runtime (with the appropriate code to de-compress files on access). So, it is not a simple matter of "during installation see which drivers a...

pe1chl

Yeah, it is clear that this card, which seemed very attractive for co-located servers requiring a router, is not usable in practice. E.g. it would also have to be running when the system is in STANDBY state, so you can poweroff the server via ILO/DRAC and then still be connected to send a poweron co...

pe1chl

Current (and likely future) devices already have more flash space... except for some pure switches, were it is not required so much. Of course that would still mean a "lite" version of routeros for switches (not switchos) would have to be released, which does not include all those features...

pe1chl

I don't think that would affect existing devices...

pe1chl

Likely more can be gained by removing webfig than by removing winbox support...

pe1chl

Well, at work I just bought 3 new RB5009UPr+S+IN and as they provide PoE they can supply the access points at the locations and make replacing the PoE switches less expensive (we had PoE everywhere for VoIP phones, but fixed telephony has been phased out so now only access points require PoE). The p...

Search found 12013 matches