MikroTik

mkx

My current 27km AirFiber 5XHD link on 3' (1m) 34dBi antennas and 100MHz of spectrum ... This setup hardly qualifies as "wifi based link". While it does use frequency from U-NII-3 band, it obviously doesn't use 802.11-compliant channel width (which would be either 80MHz or 160MHz) ... and ...

mkx

TxRx rate in the "Status" page of the WLAN2 interface shows to be 585Mbs. This shows you that signal loss between both devices is considerable. And apart from removing the obstacle there isn't much that can be done. Then it comes to efficiency of using the "raw interface rate" f...

mkx

I always assumed SwOS being way simpler might also lead to less CPU load and thus power consumption ... If configured properly, then handling of actual traffic would be done by switch ASIC in both cases. The difference is in management (but that's only effective when management is on-going ... and ...

mkx

I'm out of ideas. You may want to ask support@mikrotik.com if there are any other options (if device had serial console, then you'd have option to boot back into ROS and proceed from there).

mkx

Are you sure it's not optimally performing already? SFP+ has 10Gbps line rate ... AFAIK host and module always talk at this rate. What then module negotiates with its fiber peer is pretty differrent thing. And quite possibly it negotiates 2.5Gbps as well ... and that 500Mbps service you're subscribe...

mkx

After picking router, netinstall may only show packages applicable to your router. Check hardware platform, it has to match ...

mkx

CRS devices which can dual boot ROS or SwOS are a bit nastier beasts. You said you netinstalled device with "7.11.1-4" which doesn't conform to Mikrotik version notation ... so not sure what exactly did you netinstall, but it might indicate you installed ROS. Indeed winbox should help acce...

mkx

I get this BL WL. I will try to make it that way. src-address-list is a path from the root or from some specific dir? I'm not sure I'm getting your question. src-address-list acts similarly to src-address ... but takes name of address list as parameter. You have a feasible address list in your conf...

mkx

I'd go with ROS without a second thought.

CRS310 can be quite a beast of a router when running ROS v7 (with L3HW) ... when you only need the device as a (higher-end) switch, this may compare to a a pile of chrome and huge alloy rims on a family sedan ... but why not if it's for free?

mkx

Oh my, what a convoluted firewall. It would be much easier, if you'd have explicit ultimate rule in the line of chain=forward action=drop ... preceeded by explicit allow rules. Now, if you build a black list of addresses, it's wise to have white list as well. So you first accept connections from whi...

mkx

I think that we should simply forget about anything changing for CRS1xx or CRS2xx. If these were made by any other vendor, they would be long since end of support (probably stuck at running v6.42 or something). Quite a few other devices are in the same boat (all having Qualcomm switch chips or Qualc...

mkx

DHCP server in ROS lacks any of non-essential functionalities.

mkx

Winbox and SwOS are two quite distinct things. Winbox is OK for ROS-running devices, one needs web browser for SwOS.

mkx

Show us firewall configuration (execute /ip firewall export file=anynameyouwish from UI, fetch the file off device, open it with text editor and copy-paste it here inside [code] [/code] environment).

mkx

I think if you better must go for a CRS switch which can offer much better management features because works using RouterOS, is worth the price increase Switching is SOOOO much easier to deal with in SwitchOS... Better and easier can be quite much anti-correlated. And easier can be subjective ... e...

mkx

1. Any reason it does not support USB 3.0?

USB3.0 can kill 2.4GHz WiFi. USB2.0 can do up to (realistically) 400Mbps, which is not that bad either.

mkx

Q(PSE): Hi, is there a device on the other end of this cable A(PD): Yes, I am here Q(PSE):Good, which kind of device are you? A(PD): I am an 802.3at device. Q(PSE):That's what you say, let me make sure, are you a 802.3at device? A:(PD):Yes, I am an 802.3at (class 4) device. A:(PSE):Ah, ok, I am giv...

mkx

When fasttrack is disabled on hAP ac2, then max throughput is severely limited. My experience with IPv6 (no fasttrack support) shows that hAP ac2 can do somewhere around 350Mbps (give or take). Processing queues adds to CPU workload. So I guess you'd have to drastically reduce queue throughput (to s...

mkx

If max power consumption is maximum 16 W, how can the poe out be 57 V x 0.5 A = 18.5 W + 4 W internal use = 22.5 W. I guess that power consumption is calculated with offered powering options (18POW and 24HPOW) in mind, they both supply 24V. So 0.5A * 24V = 12W .. and 4W+12W=16W ... I guess that max...

mkx

So what the goal mikrotik have capsman feature if with this configuration the performance degraded? This feature was just fine with 802.11g (max 54Mbps code rate, 30Mbps actual data throughput) cAPs. A nice feature: CAPsMAN connection can be routed over MAN/WAN links and capsman forwarding in this ...

mkx

I don't think software ID has anything with hardware[*]. I've got two devices RB951G, both purchased around the same time, both came with similar factory installed ROS and firmware, AFAIK there weren't different revisions of this model. And yet they have completely different software ID. [*]it might...

mkx

MTU/MSS/MRU was an issue from beginning of internet. In IPv4, packet fragmentation was allowed and until certain point in time, all routers did it if needed. However, it's burden for routers and fragmentation slowly ceased to happen, instead routers started to drop packets which exceeded MTU of next...

mkx

I bought a 48V PoE+ injector hoping I could feed the hEX S PoE-in (this worked) and simultaneously the AP using on eth5 using the PoE-out featuere, only to learn that this doesn't work when the hEX S is powered using PoE-in, even though the injector has more than enough power to supply the two devi...

mkx

@kcarhc ... free storage space on 15.3MiB ARM devices is a different issue than RAM memory leak. It's common knowledge (without any speciffic insights) that hAP ac2 running ROS v7 should either be used as pretty simple AP or as router without any wireless package intalled. In both cases it runs pret...

mkx

... mopidy needs now IP in config. Unless you configured web proxy on Mikrotik, it doesn't change payload of packets ... it can block them (firewall rules) or change source and destination IP address and/or port (NAT rules). As I already wrote, it's client which includes server FQDN in application ...

mkx

If that's so then it seems mopidy doesn't seem to like being used with that particular name.

Does mopidy have any logs? Anything in them when you're unable to access mopidy using name?

mkx

Thought not sure why you can't connect to it via IP.

My thinking is packets, transmitted by CCR, are too big for management station if that one is not set for jumbo frames as well. Wireshark might tell (probably not), some diagnostic counters on management station's NIC as well.

mkx

Is there anything about wlan2 in logs since reboot?

mkx

Changing MTU has to be done carefully ... and on all devices in same L3 network (subnet) as every member of eubnet has to be able to receive jumbo packets (MRU usually closely follows MTU). and this relies on all devices being able to use large L2MTU.

mkx

@jvanhambelgium - Just curious, why do you want to turn off STP considering there will likely be multiple devices connected to each switch? STP has nothing to do with number of devices connected to each switch, it has to do with loop detection and prevention. While one can never be sure there won't...

mkx

As @strods explained: the DUID sent out by ISP of @OP is not DUID value , it's only DUID type. So strictly speaking ROS can't treat "DUID as opaque VALUE" because value in this case is NULL. Yeah, probably wouldn't hurt anybody if ROS accepted NULL as DUID value ... but since ROS is doing ...

mkx

Passing name, with which client is trying to connect server (e.g. SNI), is the matter of application layer, it has nothing to do with router or firewall (which work on lower layers). So why mopidy client doesn't tell mopidy server it's trying to access "music.lan" is up to mopidy client. Y...

mkx

sfp-sfpplus1 interface doesn't seem to be in connected/running state. What does ODI UI say about GPON status? You'll have to verify it's established between SFP+ module and OLT.

mkx

Signal strength and quality are good, there's CA available. If you were the only user in these two cells, you could get something like 150/35 Mbps (R11e-LTE6 doesn't do CA in uplink). Actual performance will very much depend on cell load which varies with time of day and is usually the worst during ...

mkx

Configuration abstraction complexity stems from the simple fact that MikroTik never built their own custom data-plane, they relied on Linux kernel data-plane all these years instead ... Well, Mikrotik obviously doesn't have in-house development resources to go for custom anything large scale. They ...

mkx

Even though L4 data is unacknowledged type (UDP), WiFi layer (L2 in particular) still requires some bi-directional communication (ACKs of wireless frames for example) when data is sent to unicast destination address. Which means that jamming transmitting side effectively blocks it from transmitting ...

mkx

What in particular does mean "Mikrotik A is jammed"?

mkx

UDP is state-less L4 protocol ... meaning that UDP connections are not really established, there is no connection handshake. Instead one side starts to transmit packets and the other side may (or may not) transmit packets in the opposite direction. Whether traffic is bidirectional or not entirely de...

mkx

It was my understanding that CRS309-1G-8S+IN can switch at 10Gb/sec on ALL ports, and RB5009UG+S+IN router can handle 10Gb/sec across its SFP+ port. According to my understainding of official test results for RB5009 (and many other long-time forum members' understanding as well) it can route in rea...

mkx

Where can I read more about it?

This post/thread might be interesting for a start: viewtopic.php?t=202578

mkx

The day I enable capsman on any of my devices, means my brain has been taken over by fungi! It's not very friendly for sure. But worth noting that there is no fast roaming without CAPsMAN... @anav is roaming between Nova Scotia and Italy. No amount of MT's "Fast Transition" will expedite ...

mkx

Cut the shite and allow official ONIE flashing, and let us install our own NOS. If you don't want to use ROS ... and you're saying other vendors provide whitebox devices with similar hardware ... so why would you want to use anything by Mikrotik? I'm guessing you're still intrigued by MT's price ta...

mkx

Many industry folks (outside Latvia) are of the opinion that MikroTik operates using Soviet economic/business model ... It's often very hard to get rid of some mental petterns if they are given (or enforced) to a few generations in a row. One of them is "USA are the greatest in known Universe ...

mkx

6 S wifi1 wifi 1500 48:A9:8A:F2:68:BC
7 RS wifi2 wifi 1500 48:A9:8A:F2:68:BD

Your device is running new wifi driver, so the config is under /interface/wifi ...

Old driver names interfaces as wlanX ...

mkx

I didn't say it's detecting actual radar, it might be something else which (to ROS) slightly resembles shape of a radar pulse (could be some BlueTooth gadget, could be some microwave owen, could be some other WiFi device transmitting a burst of energy not decodable by your devices, etc. So check log...

mkx

@libove is stating an almost sensible reason. I don't know why exactly would MSI break standard behaviour (could be they are trying to "enhance security" by ignoring broadcast frames ... or they are trying to skip processing usual broadcast packets, such as DHCP handshake and what not whil...

mkx

Maybe not coincidence because whilst the access point carries out the physical radar check, it could be CAPsMAN that decides what to do with the radar event and which frequency to move to? My reasoning here is that CAPsMAN holds the configuration data on frequency, not the access point? CAPsMAN ind...

mkx

Did logs mention DFS/CAC?

It could be false positive radar detection based on some actual external interference (which appears on some schedule) ...

mkx

Missing minimum antenna gain is not something universal, my Audience running wifi-qcom-ac shows (and uses) it. So you may want to create supout.rif and open trouble ticket with support@mikrotik.com ...

mkx

... at a minimum just please implement the (already submitted) feature request to do unicast instead of only broadcast. Please elaborate on the following two questions: What would be the benefit of using unicast ethernet frames instead of broadcasts? What would be benefit of using unicast IP addres...

mkx

You need NAT46 gateway inside your LAN. I'm pretty sure that ROS doesn't support NAT46 so you'll have to find some other solution.

mkx

I am not even convinced that the encapsulated UDP packet may work ... It won't work without the "last mile router" collecting IP/MAC mappings. Without support on router it'll try to deliver UDP packet just like it was ordinary packet ... and will try to do ARP whohas inquiry which will ob...

mkx

Or does the AP that is controlled by capsman do the check.

Radar checks are always done by device which does Tx/Rx ... which means AP.

mkx

Can you fetch data from X.Y.Z.T:7250 using another computer from same subnet? It is possible that your API server only binds to loopback interface (127.0.0.1 a.k.a. localhost).

mkx

not a bad idea, just to put a lead acid akku instead of li-ion. You can't just replace batteries with different chemistry, each chemistry has different charging profile and (unsuspecting) charger may destroy batteries very soon. Batteries may suffer from undercharge (and usable authonomy is the lea...

mkx

RSRQ (and consequently SINR) could indeed be better. Low RSRQ may indicate interference from other cell towers. If those are in same direction as your serving cell, then you can't do anything. If tce interferring cells are not in the same direction, then you might be able to improve RSRQ by changing...

mkx

All old text books circa 1980s LOL At which time Latvia was still part of Soviet Union. So those western (US in particular) books were probably banned ... or at least ignored because Soviet communism did things differently. So it might be that all of these concepts are somehow unknown to MT managem...

mkx

Single bridge with vlan-filtering enabled.

Performance wise all options are similar, CPU will have to deal with VLAN tags in any case.

But: configuration of single bridge is more compact, more elegant and (to me) easier to read ... all of it means lesser probability to make an error in config.

mkx

The WoL magic is all inside the packet payload, meaning ffffffffffff plus the destination MAC address repeated N times. Ethernet headers are only of interest of L2 devices on the way (switches) ... if these (still) have dst-mac in their FDB tables, then they will pass frame on (hopefully) correct eg...

mkx

In historical list of changelogs it's listed in changelog for 7.10 for console and webfig.

mkx

Generally when winbox is connected to RIS device, there will be some traffic. How much depends on windows open in winbox, some get constantly updated with statistics, some don't cause a lot (or any) traffic. Depending on windows open and CPU power in ROS device also CPU load can increase considerabl...

mkx

Is this enough for make it work? All wrong. Have a (very good) look at this tutorial: https://forum.mikrotik.com/viewtopic.php?t=143620 Your "ROSish" cludge doesn't seem to follow Cisco config (not closely at least), so I'm not trying to show correct config tor MT. If you won't be able to...

mkx

I mean, it's subtle, but I can hear the low hum unless I turn on the radio or TV to drown it out... Congratuations, you found out why legal noise levels in night time are lower than in daytime. Because if there are no other noises present, then sound/noise with certain (low) level is more audible t...

mkx

But @anav brings up a valid point. If the switch was 100 miles away, how were you managing it before?

It doesn't really matter. If L2 configuration gets screwed, then no amount of L3/L4/L6 connectivity helps. Because all of it depends on working L2.

mkx

It is kind of interesting, why device decided to use wrong package. I saw different files in packages then what was before, so I uploaded all of them within one and the same place, expecting routerOS to be intelligent enough to use correct package, but apparently it has happened the other way aroun...

mkx

Wireless drivers by default don't touch 802.1Q headers ... so if they receive frame with such header on one side (either radio or CPU side), they will pass it to the other side. So what you have to do is to bridge wired and wireless interface on each of SXT and make both interfaces (wired and wirele...

mkx

Sure the dst-address- list is an IP address? This. dst-address-list property expects name of address list as parameter ... and doesn't complain if there isn't such list at the time of creating the rule. So in your case NAT rule expects address list with name "199.181.204.130" and containi...

mkx

If you can do a "lab test", then remove PSU2 and see if device keeps running afterwards ... without any hiccups. With failing PSU you'd see strange things happen quite soon.

mkx

It's called compression ... basic idea behind all compression algorithms is to remove any redundant information from data set ... even if that information doesn't seem redundant to humans' minds.

mkx

5G as in "WiFi 5GHz band" or as in "5G the mobile technology"? If the former, then there are a few models. If the later, then I guess we'll have to wait a bit longer, 5G is still not very mature technology and suitable (to MT) modem modules may not have price tag as low as MT's m...

mkx

This way we see that there is a SLAAC (g) and a DHCP (d) route, which are identical. Only when the the DHCP route is set with the next-hop does the routing actually work. IMO when having two identical routes, either should work (and flags don't matter, they are metadata not routing information). It...

mkx

Where did wifi-qcom-ac package go? can't seems to find in extra package and why?

It's in the extras package archive, where it had always been. However, AFAIK it's only available for ARM architecture(s).

mkx

So ax products supports bridge VLAN filtering, right?

All products support bridge VLAN filtering. What wifi-qcom-ac doesn't support is being a tagged trunk (or hybrid for that matter) port of a bridge (but wifi-qcom for ax devices does ... in certain scenarios).

mkx

It should be consistent. It just feels unfinished.

I whole heartedly agree ... and hope that they'll bring them up to the same level eventually.

mkx

Why does a server go down? Makes no sense. There are many reasons for server to go down ... one is that it emits smoke. Snd what @OP wants to do is a "poor man's high-availability". I'm affraid that out of the box, ROS doesn't have such functionality. But there's always possibility to cre...

mkx

This NAT rule add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=\ 192.168.188.170 to-ports=80 is very greedy. It takes every connection attempt towards standard HTTP port 80 in any direction (from any of LAN subnets towards any other subnet and internet) and forwards it to the co...

mkx

Even when the "add-default-route" option is set to "yes", why would the DHCP client not add the correct IPv6 default route if it only requests an address and not a prefix? Because DHCPv6 protocol doesn't support passing routing information to client. And it doesn't matter if cli...

mkx

I've seen system time to drift wildly on some computer when CPU frequency was not stable (e.g. due to thermal issues). But it was never at only half speed. So I think it's really up to MT support to shed some light here.

mkx

In theory that has nothing to do with bridge mode (none, STP, RSTP, MSTP). Bridge mode is about loop detection (and blocking ports where loops are detected). What you see is likely effect of improper FDB[*] handling and/or L2 hardware offload. The basic functionality of a bridge (or switch) is that ...

mkx

If I try to connect to this FTP I can connect with proxy I cannot. But we need to use proxy because our security department will deploy netskope and limit access to the internet and ports including FTP There may be a bit of misunderstanding here. It's well known that FTP is an awfully outdated prot...

mkx

Never heard about "devolo", nor even interested in. There are tons of such devices in the market.

If that's true for one random vendor (devolo), why isn't it also true for another random vendor (mikrotik)?

mkx

OK, you did UDP traceroute, which is not really representative for your case (any firewall may let TCP 21 = FTP through, but not UDP 21 which doesn't map to anything). But even if it is representative, it's some host on active24 network edge which seems to drop connection, the last node which replie...

mkx

Traffic does not (and should) not leak from one VLAN to another. If traffic from one VLAN is intended to pass to another VLAN, then normally it should be routed. Config of switch you're showing doesn't include routing features. IEEE1588 (PTP) is normally multicast from GM. And it's normally not rout...

mkx

Yes, it's known that using PPPoE seems to drop throughput more than one would expect (probably not as much as you're observing though). And yes, it is known that running bandwidth test on the device itself does stress CPU to the point it becomes the bottleneck (and taking precious CPU cycles away fr...

mkx

ROS v6 without optional ntp package runs a SNTP client ... which obtains time every now and then using NTP protocol and adjusts clock (often this means stepping time). You may want to install ntp package which comes with NTP service (you don't have to allow clients to connect), but also tries to adj...

mkx

on /export show-sensitive file=export
expected end of command (line 1 column 9)

export command in ROS v6 doesn't have property show-sensitive ... it's default behaviour. So simply re-run command without this property set.

mkx

Personally I'm mostly advising against using ROS device for any high-level service (such as DNS server, web proxy server, file server, ...) if possible. They are, due to space constraints and MT in-house development, mostly quite limited functionality-wise, so using some general-purpose server machi...

mkx

Export scripts are not immutable between ROS versions. So there isn't necessarily anything wrong, it could be that there are some changes between both ROS versions which affect the way comands are executed. To see what exactly is wrong, you'll have to debug things. One way would be to post actual er...

mkx

To me the crucial question is: are those devices supposed to connect with each other freely (as if they were connected to same ethernet hub) regardless the side of wireless link they are?

mkx

PPPoE server may (erroneously) advertise incorrect MTU (in your case it seems as a viable number, sometimes the value is crazily high). At some version, ROS started to log such advetisements, but it otherwise ignores it. In your particular case you may want to try setting 1492 as MTU on your pppoe-o...

mkx

Web proxy is dealing with HTTP protocol ... specifically when clients are configured to use web proxy they use some extensions of HTTP protocol (so transparent proxying may not work even with unencrypted connections let alone with encrypted ones). FTP is completely different protocol ... and AFAIK R...

mkx

And I'll go even further: since the old router is running ancient version of ROS, its config is very likely either customized (to the point of being butchered) or based on ancient defaults. Specially if it's the later case I'd recommend to start from default config on new router (reset to factory de...

mkx

You're doing IPv6 addressing wrong. Your router doesn't really need GUA (global) address on WAN port. However you do need a prefix to make enabling IPv6 on your LAN subnets possible. So instead of your DHCPv6 client config you should use something like this: /ipv6/dhcp-client add interface=ether1_WA...

mkx

The loopback interface was always there (vital for some operations so removing it would very probably cause some problems), but was hidden up to recent ROS versions. So seeing it is a feature. I'm afraid you'll have to learn to turn the blind eye to it if you don't see any use for it.

mkx

E.g. on other manufacturer's equipment, one chain can remain operational while the other scans or surveys the band, monitors neighboring APs, etc. Out of curiosity: what's the price tag of that piece of equipment? And, unless it's got N+1 receivers (where N is MIMO rank), performance of live connec...

mkx

recently i started having issues with my mikrotik router. It terminate pppoe, all interfaces shut down for 1 or 2 seconds and they come up again. I'd say that first 4 posted log lines belong to previous event sequence. Events sequence logically begins with flapping all ether ports. Which in turn dr...

mkx

Two things strike me: you only mention adding ether1 to bridge br0 as port in step #2. You don't mention enabling vlan-filtering on br0? Without it, pvid setting doesn't get enforced. The VLAN table definition is borked. Most important: you have to add bridge port as tagged VLAN member for all VLANs...

mkx

This would only be possible if device would have two receivers ... But todays devices all have two, three or four receivers! You know all too well what I meant. And you also know well that chains of a radio (i.e. MIMO legs) are not independent and are not meant to be tuned individually (even if the...

mkx

It would be nice when the AP would make (more) effort to monitor several channels at the same time while looking for a candidate channel... This would only be possible if device would have two receivers ... or DSP software which would allow receiving whole band at the same time. Radars tend to show...

mkx

Sometimes it's easier not to mess with raw (and notrack) because raw rules are very rigid compared to filter rules (and, AFAIK, connection tracking is crucial for NAT). Instead it's possible to add another accept rule which matches traffic which should not be fasttracked and place it above the fastt...

mkx

It seems to be related to DFS (hence only 5 GHz) and the specific position that they are located in, but definitely not hardware and/or config. If DFS is playing games, then it's mostly configuration (if device admin sees radar detections, then he should set other channels to operate on) and only p...

mkx

Antenna feeder cables should always be as short as possible. It depends on cable quality and frequency used, but it easily exceeds 5dB per 10m. As for the antenna, the almost only important thing is antenna gain (the higher the better), which again depends on frequency used. LTE can use anything bet...

mkx

Fasttrack HW-Offloads established connections to the switch-chip, Wrong. It's one of possibilities, but (currently) it's a niche use. Fasttrack was available way before first devices with L3HW offload came to life. The old fasttrack manual page describes its behaviour nicely. The new help system do...

mkx

CAPsMAN can only provision wifi interfaces after CAP connects to CAPsMAN. From your description I understand that there won't be any wired connection between hAP ax3 and cAP ax, so you'll have to use one of radios on cAP ax for uplink. If you can, I suggest you to dedicate one of radios on cAP ax to...

mkx

The recommendation is about setting VLANs in wifi-qcom driver (and wifi-qcom-ac lacks it). This compares to using switch chip part of config for wired ports. The way you worded the recommendation is no the way I understand it, so I can't comment directly on the wording you chose. Alas, the general i...

mkx

... wondered if it's safe to run it as is with 0 space available? No, it's not safe, so you should act on it as soon as possible. Very likely it won't just crash (but it might), however it is very likely that it'll experience some problems if it happens to reboot for some reason (e.g. power outage ...

mkx

Mikrotik Know this ?????

I bet they know this. But this is an user-to-user forum, so you have to ask MT directly, e.g. by sending them e-mail to support@mikrotik.com .

mkx

As both devices only accept 18V-28V, you clearly need PoE switch which does "passive" PoE and is powered with 24V (or there about) power adapter. Next you have to carefully read power specifications of both devices and consider how you're going to use them. If you'll use them as simple APs...

mkx

it hAP ac2 in screenshot? doubts

No, screenshots are from Audience (the other half of setup). @OP never claimed they were from hAP ac2.

mkx

Just out of curiosity, would an 802.3af device work plugged in the hEX S passive poe out port? Probably yes. The power negotiation phase (which is the basic difference between passive PoE and 802.3 PoE) in 802.3 af/at is there for PSE (PoE out device) to make sure that power can safely be enabled o...

mkx

There should be a slight delay for subsequent handovers (to make one and then wait what happens), and/or the signal difference required to initiate one must be much higher. We should be able to specify both parameters. Three handovers within few seconds is way too much and almost never an appropria...

mkx

The only history (and not really complete) is in logs ... until they persist. What many people do is they periodically create textual export and store them somwhere off device and use appropriate tool to compare different export files. One can use git to store files and use built-in tools to see dif...

mkx

Roaming is always a RPITA, even on public mobile networks (e.g. LTE) where roaming/handover mechanizms are waaay better that what we have in WiFi. And the only solution is to design wireless signal coverage so that AP signal overlap (areas with similar signal strengths where stations want to roam to...

mkx

You need one L3 interface per device with same IP address. It can either be a router with multiple routed ports or a VLAN-enabled switch with each pirt set as access port to different VLAN and backed with router using many VLANs. There were a few discussions about the same issue before (solutions we...

mkx

Would you recommend any brand?

I only have experience with one particular model (some not-so-recent model by Fluke), so my recommendations aren't very relevant.

mkx

It could be either of devices. But it could be the cable between the two devices. Ideally you'd check the cable using a professional UTP cable tester to verify that the cable is made according to specs (also frequency response and crosstalk, these tend to become a problem with high-speed links). Eve...

mkx

I managed to have one ap (A) and the second mikrotik (B) configured as wds slave, but then, when A is off, B doesn't provide an access point. MT doesn't have anything like "fallback" for repeater AP. What often repeater AP does is that it uses radio (master wifi interface) to connect to s...

mkx

Also many (older) IoT devices don't like seeing anything modern being broadcast in their SSID ... such as WPA3 or FT or similar.

mkx

Out of curiosity, though. An antenna gain of 0 is, in my understanding, the maximum gain possiblr. Wouldn't increasing it to another number just make my connection even worse? In theory, antenna gain can be anything between negative infinity and large positive number. In reality most antennas have ...

mkx

I am talking about the front LEDs yeah ?

Ah, right.

It could be that leds functionality refers to L3 interface (when configured so). And that excludes tagged traffic. You may want to open a ticket with support@mikrotik.com and have them clarify (and update/ammend help page as well).

mkx

When you upliaded all packages, ROS tried to install all. And probably ran out of flash space.

You can do the upgrade, but this time only upload routeros package (base package) and wireless package (from accompanying extras packages). Nothing more.

mkx

Actually it does show ... it shows all traffic, passing a physical port (tagged or untagged). If you are not seeing the same way, then explain actual topology and setup so we can see if there's misunderstanding or a possible bug. And what exactly you're observing, it could be I'm referring to someth...

mkx

There was a breaking change between 7.12 and 7.13 regarding wireless package: it used to be part of base package before but now it's a separate package. If you use ROS built-in upgrade procedure (/system/packages/upgrade...), it's required to go via 7.12 ... if you upgrade by manually uploading npk ...

mkx

Another aspect: MT is primarily software company (developing and marketing RouterOS). The rest (hardware, even SwitchOS) is "supporting activities". And they definitely are not heavily into hardware production (AFAIK they design their devices, but manufacturing is outsourced; I may be wron...

mkx

However when trying to make a firewall rule to disallow traffic between the two hosts, it doesn't seem to apply and can still ping to device connected to port 11. Firewall rules act on L3 (IP) ... and that happens when router does routing between two devices. Routing is when both devices are aware ...

mkx

I'd like to setup capsman, but I've seen that there are 2 versions. When I look into new one I don't see any interfaces which is suspicious to me. Is that ok? Would it be possible to run RB4011 as capsman server even for cAP AX? If capsman isn't the right way to go, what would be the easiest way to...

mkx

I'm affraid you may have to drive. Unless the following succeeeds. You can try (in lab first!) to do both uninstall and downgrade in single step: upload the routeros package (desired version, e.g. 6.49.14) mark wireless package for uninstallation request downgrade reboot ... and keep fingers crossed

mkx

According to wikipedia article , the WoL magic frame is basically broadcast on ethernet layer, but as payload it does contain MAC address of device which is supposed to wake-up. Then there are extensions which make WoL packets routable (using destination IP address), but need support from "vict...

mkx

It's doable, but slightly more complicate, it includes packet marking and using multiple routing tables (which helps ROS to select correct egress interface for each packet). Start by reading this topic.

mkx

Theoretically WOL could be on a BMC with an IP address ... In this case BMC is fully up & running, accepting HTTP / API / whatever conbections and one can use appropriate command to power on the whole system. WOL stands for Wake On LAN, meaning that host's NIC is half alive and ready to receive...

mkx

If you're thinking of a combo "interface is bridge port, but is anchor for a vlan interface" ... then no, it shouldn't be done like that (it falls into category "it shouldn't be used as interface"). The problem in your setup procedure is that you're effectively changing L2 topolo...

mkx

"Trunk with native VLAN" in Cisco is "hybrid" in Mikrotik. So configure port to: "vlan receive - any" and set "default vlan id" to "native VLAN ID" of your choice (e.g. 4000). You have to mark such port as member of VLAN with "native VLAN ID&quo...

mkx

It seems that the only Mikrotik's own wifi card supporting 802.11 ac is R11e-5HacD. And that one is built around QCA9882. If you find a card built around same chipset, chances are that it'll work. Or go for this card if miniPCIe format suits you.

mkx

I did another test incorporating the changes in my last post and I've now positively identified the point at which I lose connection to be enabling ether1 as a port on br0. It shouldn't come as a surprise. After an interface is "enslaved" as port of a bridge, it shouldn't be used as inter...

mkx

wifi-qcom-ac doesn't support "native" VLAN tagging. So how do you make wifi interface a bridge port?

mkx

Two things to check: list of currently installed packages. In order for downgrade/upgrade to succeed, files with all currently installed packages have to be uploaded to device. After performing next downgrade attempt and after you see it failed, check logs. It will always contain something about upg...

mkx

Proxy-ARP might explain that ...

mkx

I'll comment on "just before loosing contact" config on hAP: you should never add vlan interface back to anchor. Like this: /interface vlan add comment=team451 interface=br0 name=team451 vlan-id=500 /interface bridge port add bridge=br0 comment=team451 interface=team451 internal-path-cost=...

mkx

Can you post the "bootstrapped" config of hEX? The one before trying to add ether1 to bridge (which breaks your connectivity)?

mkx

Yes, and as I pointed out, that's a multi-port aggregate test, not a single-stream single-port test. mkx's point builds atop that. What you're saying makes no sense. It's not like each interface is dedicated to it's own single CPU core, so using more ports won't make the CPU process the packets any...

mkx

I just configure ntp client server as pool.ntp.org, so, nothing to do with hamilton.com pool.ntp.org points at a few IP addresses, where public NTP servers reside. Addresses, to which pool.ntp.org resolves, can vary with subsequent DNS queries. And, again: the NTP servers arr volunteered by differe...

mkx

Your screenshots show that you're using built-in bandwidth test. It is a well known fact (you're excused since you're new to ROS) that bandwidth test is heavy on CPU and on many device models it itself is a bottleneck. It is recommended to run tests using two external devices, known to be able to cr...

mkx

Is it possible to disable connection tracking for the scanner, while still swapping the LAN IP with WAN IP?

Nope, NAT relies on connection tracking. So no connection tracking, no NAT. At least in ROS.

mkx

Take a look at the RB5009 test results . Your application is the lower rightmost number in the first table, ... Not even that. Tests are using normal long-living connections, so even tests which use tiny packets, can benefit of fast-tracking. OP is doing port scanning, which means that every third ...

mkx

Just manually override MTU setting of EOIP interface. EOIP does fragment/defragment frames, which are otherwise too large to fit the outer MTU, if needed.

mkx

Concentrate on working with ether1, other ports aren't used for netinstall process. Then follow this sequence (it worked most of times on all of my devices): connect cable between ether1 and PC setup PC appropriately (e.g. disable firewall, excess network interfaces, ...) start netinstall executable...

mkx

If nothing else helps you'll have to netinstall the device. Note that the process is very fragile and sometimes takes lots of experimenting with different details before it succeeds.

mkx

I think that passive DACs require both connected devices to be of same SFP generation/variety ... as these DACs more or less simply connect appropriate SFP signal lines together. Many devices have SFP ports that are actually single rate (e.g. SFP+ only supports 10Gbps ... it's the module which can n...

mkx

PPPoE can't really be in bridge mode because bridge is L2 and PPPoE is L3. IP address is "integral part" of L3 interface, it can't be "forwarded" elsewhere. What usually "put in bridge mode" means is that that device is L2-transparrent ... passing either DHCP handshake ...

mkx

NATed traffic also gets fasttracked if appropriate rules are set. And in this case indeed rules, which handle traffic initially, don't get hit any more and thus counters don't increment.

mkx

Clearly 'hiding' the true mac address............ Perhaps you prefer "FU:FU:FU:FU:FU:FU" "=) Yup, I figured as much. But every time I see somebody playing this game (not knowing that MAC addresses are almost the least sensitive information a config can contain), I always wonder what ...

mkx

I'll pay close attention to this versus the link you sent me. In particular pay attention to these details: bridge CPU-facing port VLAN membership has to be configured explicitly as well frame-types, tagged/untagged and PVID properties have to be consistent distinction between different properties ...

mkx

You have a number of errors in VLAN-related config. I suggest you to go through the definitive guide to ROS VLANing.

BTW, I don't think FF:FF:FF:FF:FF:FF is a valid MAC address for bridge.

mkx

For FT to work, CAP devices have to run wifi-qcom (or wifi-qcom-ac) driver. Which means ROS 7.13+ and ARM architecture. As to CAPsMAN device: it has to run ROS 7.13+ as well. But it doesn't have to run wifi-qcom (or wifi-qcom-ac) as these are "only" wireless chipset drivers. Core functiona...

mkx

All devices I mentioned, run 7.13.2. None are hEX. Here's export from one of them: /interface bridge add admin-mac=E6:8D:8C:49:EE:4A auto-mac=no name=bridge port-cost-mode=short /interface bridge port add bridge=bridge interface=ether1 internal-path-cost=10 path-cost=10 add bridge=bridge interface=e...

mkx

- cAP ax: reset config and set it in CAPs mode (this is enough) - CAPsMAN: config datapaths with corresponding VLAN id's Use a hybrid port with management VLAN untagged, Corporate and Guest tagged. Just to clarify: the last line (regarding hybrid port) refers to port to which cAP ax devices are con...

mkx

I guess you should ask support@mikrotik.com to clarify what happens after 60 days of internet unavailability to licensed CHR. And report back their answer as it'll be probably interesting for a few other people.

mkx

I guess you have "detect internet" feature enabled ... and adding a DHCP client to interface, which is determined to be a WAN interface, is one of "magic" things which happen. If you have incentive (and knowledge) to fine-tune router's config, then I suggest you to disable "...

mkx

Having "connection-state" property set to empty string "" is not the same as not having it set at all. So unset connection-state property on your inter-VLAN firewall rules.

mkx

Well, by default there is only one bridge. Called, bridge. so I don't know what you mean by "manually set MAC addresses on all bridges" ... I have a few Mikrotik devices on the LAN, each have one bridge and I manually set MAC addresses on each and every bridge. Hence use of plural "b...

mkx

If you replace old router with a new one and the public IP address is the same, then you'll end up with two A records: <old_SN>.sn.mynetname.net and <new_SN>.sn.mynetname.net ... both pointing at same address. I don't see how this is a problem, if you know <new SN>, then old record won't make any ha...

mkx

With lots of fiddling it is possible to replace the two 1783-NATR devices with a single "multi purpose" router. But it's not easy as both "private" LANs use same IP address space and this is actually problem from routing point of view. So it is actually much easier to use one NAT...

mkx

Are there any of devices you listed in your previous post which are interconnected with more than single UTP cable? In particular I'm thinking of connection between AX88U and CRS326 ... To be on the "fast" side: please ammend the description with exhastive list of connection between the de...

mkx

why is this working and : chain=srcnat action=src-nat to-addresses=10.10.5.50 src-address=10.10.1.0/24 out-interface=ether5 did not work? Because you used wrong address setting for to-address property. The "to-address" property of src-nat rule sets the IP address which will replace the or...

mkx

Are you sure that cameras provide their service on ports 8001 and 8002? I'd guess they are actually using standard port 80 ... in which case NAT rules should have "to-ports=80" set.

mkx

This is wrong: /interface vlan add interface=ether3 name=CAM88 vlan-id=88 add interface=ether3 name=IoT687 vlan-id=687 add interface=ether3 name=VLAN82 vlan-id=82 add interface=ether3 name=VLAN3000 vlan-id=3000 add interface=ether3 name=WIFI20 vlan-id=20 add interface=ether3 name=WORK999 vlan-id=999...

mkx

usually the antennas should be vertical, no matter how you install the device Nope. MIMO works best if reception from both Tx antennas is as uncorrelated as possible. Antennas are polarized and with 2x2 MIMO, different polarization makes best possible diversity ... and that's when both antennas are...

mkx

You should set Egress setting on access ports (on SwOS device ports 2-5) to "Always Strip".

mkx

Mikrotik (and members of the board) advise is that of assigning manually a mac address to the bridge, but it has to be seen if - even if doing that - it would be listed on another device with /tool/mac-telnet ... Just checked ... I have manually set MAC addresses on all bridges ... and /tool/mac-te...

mkx

Not only in ROS, also elsewhere. VLANs work between devices, if one uses them but the rest don't then they are either no good or interfere with traffic. Here kicks in the suggestion by @loloski: show us the physical/logical network topology (which includes ISP gear) so we can suggest you all the nec...

mkx

In Firewall / Address list I create 2 new records with the same name and each should have the subnet? Is this the way?

Yes, enter address with subnet mask, e.g. "192.168.4.0/23"

mkx

PPPoE works directly over ethernet ... so VRRP and routing etc. doesn't affect it. So yes, ISP's and your own PPPoE servers can interfere with each other. You should separate WAN and LAN on L2 (it seems you don't have it right now, only on L3), VLANs seem a natural solution to your problem (in this ...

mkx

So far I didn't stumble upon setup where DHCPv6 server was dynamic, so I'm a bit lost here. In your case, how does DHCPv6 server pppoe-sn_dsnw2845b110 get created? Since pools are all static, you should be able to create static DHCPv6 serve as well ... and in that case, you should be able to make le...

mkx

I have created a Firewall rule which works, but it gives access also from these subnets 192.168.0.x, 192.168.1.x , 192.168.2.x as well Is it possible to give access only to 192.168.4.0/23 and 192.168.10.0/23 with another way? You'll have to use two rules, each targeting individual subnet. Problem w...

mkx

RB1100AHx4 is still listed as "current device" on Mikrotik web page. So it should be able to buy it. Whether it's from old stock of from production line ... that can only Mikrotik answer (but I highly doubt they would). As to local distributor's stock: they tend to keep in stock models tha...

mkx

This is really weird. In your opening post you wrote that wireless client can ping gateway (router), but the rest of (internet?) traffic is blocked for a while. But if device wants to communicate with internet, it is sending traffic to router ... and that works as you are saying. You can try to torc...

mkx

Show config ... the /ipv6/dhcp-server/export part at least.

mkx

Your topology description is a bit fuzzy ... but combined with log entry it indicates you might have some misconfiguration of your device ...

mkx

Is the prefix pool ... which DHCPv6 uses to fetch prefixes for clients ... a dynamic (i.e. fetched from upstream DHCPv6 server) or a static one?

mkx

The way you explain the symptoms, the problem might be also in ARP entry aging on switches/bridges ... all mentioned devices are part of it, including the TP-link switch. If you can, connect both hAPs to hEX directly just to make sure that TP-link isn't playing games.

mkx

Where are you accessing 192.168.1.40:8123 from, the rest of LAN? If that's so, you can't block traffic on router because traffic between two LAN devices doesn't pass router.

mkx

I'm not trying to diss it (too much) but defending the existing isn't too helpful when you're trying to think outside the existing box. It would really help if you stated what are your wishes/requirements from the new web app. Because there are many things that can already be done, but using a few ...

mkx

Can I improve the rules further?

I don't really have much experience with switch chip ACLs so I can't give you any further assistance.

mkx

I see native WinBox on Linux in my dream when i sleep ))) Which is why IMO effort should be directed at web applications, not native apps. There's already WebFig ... functionality-wise it's on par with WinBox, so no need to re-invent the wheel. But there's a very important difference, which can not...

mkx

I'm out of ideas ... sorry.

mkx

Your config shows that your ROS is using 192.168.10.1 as gateway. Is this correct? Is gateway allowing traffic?

mkx

Mikrotik is purported to be working on a "multiplatform client" ... US-ASCII works on all modern platforms just fine :wink: For the record: my native language doesn't fit in any western 8-bit encodings, even less in 7-bit US-ASCII, so I'm grateful for UTF-8. But when it comes to networkin...

mkx

Since both ports connect devices in same subnet, they clearly have to be in same bridge. But: simple bridge (no VLANs, etc.) is by default offloaded to hardware so bridge filters can't catch traffic (bridge is executed by CPU, HW offloaded traffic never leaves switch chip). There are two options: 1)...

mkx

If you run comnand

/tool/traceroute 8.8.8.8

what does it show?

mkx

On your router, look in "IP address" and check which IP address is listed for your WAN interface. Then compare it to pubic IP address, reported in various places (cloud is one thing, there are several web pages telling you this information). If they are not the same, then your WAN IP addre...

mkx

If you want any feedback from MT support, then you'll have to open support ticket. This is merely an user forum, hosted on MT's servers ... and occasionally visited by MT staffers. It is not means of official support.

mkx

Out of interest, inSSIDer is reporting signal strength of ~-50 but the hAP ax2 log shows about -20 lower. Why the difference? Each device reports strength of signal received from the link peer . inSSIDer is reporting signal strength of AP, received by laptop. And hAP ax3 reports signal strength of ...

mkx

By default, device considers ether1 to be WAN port and management is not possible via that port. Management is possible via all other ports (including wireless). However: by default it also serves as router and its LAN address is 192.168.88.1/24 ... which conflicts with your existing LAN. The best w...

mkx

WAF?

It doesn't hurt either, so why do you bother?

mkx

What's wrong with server-dns-names property? Used instead of primary-ntp and secondary-ntp?

mkx

I am one of these "others" as well I connect to ISP using SFP module ...

Ah, OK, that explains it.

mkx

I cannot tell difference when it comes to CPU usage on RB5009. Both before and after disabling HW offload it's ~30% when transferring between WAN and LAN @ 2Gbit speed. That's because vast majority of CPU resourdes are used for firewalling, some for routing and only minor portion for interface hand...

mkx

One of possible outcomes of using reset button is configuration reset to factory defaults (which doesn't include CAPsMAN). Another one is to put device into CAP mode.

You can do that also via any of UIs (I'd suggest you winbox as it allows connection even if device doesn't have usable IP setup).

mkx

For many years we have been using "United states" here in Ukraine )) ... We can use 12,13 channels in 2,4GHz, but in real life we have a lot of American gadgets IMO the first one explains the second one. But the second one doesn't explain the first one, using Ukraine country settings does...

mkx

While we wait to be joined by @mkx

Nah, not my piece of pie. There are too many buzzwords in the thread title which I don't do (hotspot, radius, ...).

Search found 12138 matches