MikroTik

Amm0

now it's ok, I found the solution https://forum.mikrotik.com/viewtopic.php?t=197800 I put ':put' and everything works For avoid useless print, like It's the [] sub-command that's the issue if I recall - if it's command result isn't going to a variable, there is no need for the [] backets. e.g. [$fl...

Amm0

Clearly any port using the bridge is not going to work. But just to confirm you tried Layer2 winbox using MAC address of the ether1 while connected to it?

Did you have RoMON enabled on it, if so it MIGHT show up on another router with RoMON enabled.

Amm0

RoMON works at the ethernet level, using non-IP ether-type. So it has nothing to do with routing tables or VRF.
It only works on "ethernet-like" interfaces, and a VRF "interface" is not ethernet-like since it does not have a MAC address.

Amm0

Good to hear! Lesson is posting the entire config is helpful... And even then I had to look /ip/dhcp-server/alert docs myself since I didn't know HOW it worked. The yellow box in docs told the whole story however: https://i.ibb.co/xghv7rh/Screenshot-2024-05-08-at-9-52-02-AM.png I still wonder why it...

Amm0

home office gets stuffed with 5 more plants and flowers EVERYWHERE and you have to water them and dust the leaves"

Given Wi-Fi's natural enemy is foliage, this makes sense. I guess explaining with more plants, you'll need more Wi-Fi, is not going to work.

Amm0

Thanks for indulging in the vlan-filtering=yes. I just know that works with VRRP, and if there was a bug/config-issue/etc here... I figured it block or change the issue. No such luck it seems. Scanned your config again... I did notice one of the routers was using /ip/dhcp-server/alert & that mig...

Amm0

FWIW, another way of building the GQL string is using RouterOS array to store it, and the use [:serialize] to convert RouterOS array to JSON, this avoid some of the more complex escaping (and uses a { } block so :local variables can be used at the CLI, since you'd want to use :local variables a fina...

Amm0

Your HTTP example is useful. HTTP bodies do NOT need any escaping, but GraphQL must want the \" with your leading 0 case. And you can see that cURL use the single quotes, so quotes shouldn't need escaping there either. So I think the issue is in RouterOS you need a "triple backsplash"...

Amm0

RouterOS really needs an mDNS solution out of the box (both as multicast and Wide Area Bonjour).

Well the DNS-SD part could have been done by simply allowing a PTR RR in the /ip/dns/static YEARS ago. Being able to statically configure mDNS be useful, but cannot even do that. Frustrating.

Amm0

It not so easy with container if it's an event like dhcp-client where this script lives. I doubt there is a bug in /tool/fetch here... but one wrong escape char in query, it ain't going to work. If it works in Postman, with the leading 0, can you cut-and-paste Postman's HTTP and cURL "Code snip...

Amm0

The leading 0 in the value of $testname? If so, you might want to quoting $testname. (Also, as quoted above, the variable name looks wrong.) :global data file "{\"query\":\"query inventory{inventory_model_field_data(general_search: \" $testname \" ){entities{id}}}\"...

Amm0

Okay, so you want all trunk ports, that make sense. I still recommend using bridge vlan-filtering=yes. Your issue with that is the BRIDGE-LAN itself needs to be in the tagged= list. /interface bridge vlan add bridge=BRIDGE-LAN disabled =yes tagged= BRIDGE-LAN ,sfp-sfpplus2-LAN vlan-ids=2,5-7,10,12,1...

Amm0

That's kinda far away from the defaults... I don't have much in the configuration because I'm just starting out. Are firewall rules enough for you? You do have some blocking rules... So if some update on iPhone uses same CDN/cloud/etc as something that's blocked... That be one reason it wouldn't wor...

Amm0

1. Any reason it does not support USB 3.0? USB3.0 can kill 2.4GHz WiFi. USB2.0 can do up to (realistically) 400Mbps, which is not that bad either. Fair point. But annoying since always some compromise to upgrade. I still have quite a few RB953s I'd like to upgrade, and still no decent replacement b...

Amm0

I'm pretty sure this is a VLAN tagging issue – this is not easy to get right as all the parts have to align... So just enabling vlan-filtering=yes is not the whole story for sure... Can you post a redacted config of one of the routers, and some description of what VLANs should be tagged/untagged on ...

Amm0

Thanks for this. I am terrible at programming but RouterOS seems a bit different than anything else I have looked at(python, JS). FWIW, the [:deserialize from=json] is new operation – before :deserialize was added your problem here be a nightmare. But fair enough, it is different from anything else...

Amm0

Mikrotik QuickSet config use a bridge filter that block forwarding. So that's another way to do client isolation:

/interface bridge filter
add action=drop chain=forward in-interface=wifiXX
add action=drop chain=forward out-interface=wifiXX

Amm0

Yeah that's how it RouterOS output's an array, but the array "->" operator can be used. In routeros there an "index" using numbers (e.g. JSON backets [ ]), or if "map" with key-values, then quoted named is used with the "->" routeros array accessor operator......

Amm0

Yeah that's how it RouterOS output's an array, but the array "->" operator can be used. In routeros there an "index" using numbers (e.g. JSON backets [ ]), or if "map" with key-values, then quoted named is used with the "->" routeros array accessor operator......

Amm0

See also, viewtopic.php?t=185667

Amm0

FWIW, If you don't want to use vlan-filtering approach. You'd need seperate bridges for each VLAN, which is going to be bigger PITA than figuring out the bridge VLAN table approach....

Amm0

Was you VLAN+bridge without filtering working before VRRP? Also, looks like sfpplus-2 is the one with issues, and that's the one with horizon=0 while rest are horizon=1. Regardless, you should use vlan-filtering=yes on the bridge. See https://help.mikrotik.com/docs/display/ROS/Bridge+VLAN+Table One ...

Amm0

It has to be the VLAN tagging in the bridge. VRRP doesn't effect broadcast scope for DHCP, but untagged/mistagged PVIDs would...

Can you post the bridge configuration?

Amm0

While I get aesthetics of black, does seem like asking for trouble with AX chips... It's a pity that NetBox 5 AX only operates at 5GHz. Otherwise, it would probably be a better choice because of the white plastic case. LOL. I made my own list of complaints: https://forum.mikrotik.com/viewtopic.php?t...

Amm0

In general I like the upcoming NetMetal ax and L23UGSR-5HaxD2HaxD , as an alternative in Mikrotik's "custom LTE router" lineup... But some feedback based on specs... 1. Any reason it does not support USB 3.0? This kinda limits it for use with high-speed LTE networks because of the USB bus ...

Amm0

It's a fair question. The AX chips seem "hotter" generally. They don't list weight in specs..., but suspect it has more metal than older one to compensate.

Amm0

It more that there isn't one setting for setting up queues. And a lot of considerations go into a queue type/strategy. So there is no simple answer to your question...

Amm0

I just know Hauwei LTE modem sticks are a PITA. Generally if RouterOS is doing what Linux is doing that what I'd expect with LTE setting mode=auto, so that's working... - stick in a Linux PC. This is another story, since, even if it is automatically recognized by Linux, Linux gets a private IP and I...

Amm0

Fair enough. I didn't notice the /23...assumed /24. Otherwise the VRRP part looks right. I'd look at your bridge configuration, on why clients are getting address on all. Some VLAN filtering misconfiguration could cause that. e.g. /interface/bridge/vlans vs PVID/frame-type etc.... What interface is ...

Amm0

Put the VETH in LAN interface list, otherwise default firewall will drop the traffic.

Amm0

C) modem set to AUTO, reboot the 5009, the LTE interface pops up end is present. The IP address obtained by the LTE is PRIVATE \ behind NAT It could be in ECM mode, and it's using NAT on the stick. And Mikrotik isn't setting it to MBIM mode automatically Perhaps you might be access some web UI on t...

Amm0

Fair enough re 5Ghz. Worth trying wifi-qcom-ac if you haven't yet on the Audience yet. But if you have concrete...a cable makes total sense. While agree there are odd gaps in the line-up. I'm not convinced "wi-fi less" hAPax3 is what's missing.... e.g. it be the only "hAP" withou...

Amm0

So I bought an Audience to cover the living room and the terrace and the kitchen. Wife approves, Audience is pretty. I have it piggybacked to my ax3 on the 2.4 GHz channel as station pseudobridge. But the most I can get is 50-ish Mbps. The Audience has 2 x 5Ghz radios – that's how it was designed t...

Amm0

Try setting the LTE mode back to "auto" instead of serial or mbim? Also make sure to update the /system/routerboard firmware too. Serial should be able get same public IP. There is an APN setting in PPP, I suspect that need to be explicitly set to something to get public address. Hopefully...

Amm0

Installed 7.15rc2 yesterday evening. This morning the story is TOTALLY different. Still working? If so, you might want to update your support case with Mikrotik with your findings. Maybe they'd know why the 7.15rc fix does not cover the "If unplugged while the router is UP ... Then if I plug a...

Amm0

Looks like this covers it: /ip/firewall/filter add action=accept chain=forward comment="LAN to Adguard" dst-address=172.17.0.2 src-address-list=LAN I don't see anything wrong there. You're correct to leave the address-list entry for 172.17.0.0/24 disabled - otherwise the container be allow...

Amm0

Your firewall is blocking access to the VETH / 172.17.0.0/24. You seem to add the VETH subnet to LAN address -list add address=172.17.0.0/24 BUT it is marked a disabled=yes. The quicker fix may be to add VETH to the LAN interface -list. Mikrotik example for pihole uses a dst-nat rule, which you use ...

Amm0

You can use a script on PPP profile to add/update static entires for the check-gateway=ping, similar to /ip/dhcp-client script ... but a two-step profile via a new /ppp/profile with a script to set check-gateway, and that new PPP profile linked in the PPPoE interface. But this complexity is why I su...

Amm0

VRRP isn't too hard. But the VRRP address needs to be /32 (which it is). But the VRRP and LAN do need to be in same subnet. And looks like CCTV-Access has mismatched IPs (likely typo ... but would for sure cause issues): /ip address add address=10.110 .3 .2. 253/23 comment=CCTV-Access interface=CCTV...

Amm0

Do you have "Use Default Route" enabled on the PPPoE interface? One thing you can do there is make sure that's check, but use a higher distance like 11 and 12 respectively. Right now there is only interface routes, no IP route to internet. You can then have lower distance= value for static...

Amm0

But, when I execute the same code via another script, the global variable value2 is always empty.

FWIW, this is covered by doc's "tips and tricks":
https://wiki.mikrotik.com/wiki/Manual:S ... her_script

Amm0

Why dream so faintly? 7HbeQ, 7HbeO :wink: Can we add the letter "R" in these dreams? Bingo! Just noticed new L23UGS R -5HaxD2HaxD. My complaints about the L11UG was the lack of miniPCIe/SIM and no SFP (or 2nd port) seem solved: https://mikrotik.com/product/l23ugsr_5haxd2haxd I'll be getti...

Amm0

IDK. But agree what's :global, to what users, is really inconsistent for sure. I'm just not sure what's "correct" since how globals (and permissions) are handled has been a moving target across past half dozen releases. Underlying the bigger issue that the available policy options do not m...

Amm0

I agree with you RouterOS should recover if Linux recovers after the carrier's 4 hour session limit. A lot folks, include me, uses the LTE modems in remote places so IMO if some script is need to "recover" LTE interface, that's a workaround to some RouterOS bug that should be fixed. And, h...

Amm0

I agree that something is "fishy" here. Perhaps it's the USB hardware/driver/kernel, IDK. But if it's not detecting it...worth checking an older version or different hardware. Over the years, I've seen some LTE bug fix in a release, cause problems for other modems – why I do suggest checki...

Amm0

At the moment I think it is more a "RB5009 USB issue" than a "LTE stick issue".... Boy that be good to know if same stick worked in another Mikrotik. I guess if wanted experiment more, try an older RouterOS on RB5009 to see if some of the various "refactoring" changes ...

Amm0

I believe RouterOS 7.15rc add some HW QoS, see https://help.mikrotik.com/docs/pages/vi ... =189497483

Amm0

If something does not come up in serial mode... it's not a good sign of stability. Mikrotik does have a list of modems they've tested here: https://help.mikrotik.com/docs/display/ROS/Peripherals But yeah the particular USB ID needs to be mapped. I guess getting a miniPCI-to-USB case and using one of...

Amm0

Try setting putting into serial mode: /interface/lte/settings/set mode=serial You should power off and power on after this change. And if shows as ports then, you can try PPP. using /interface/ppp-out (which may appear automatically if port is found). I doubt this modem is going to work as LTE. If i...

Amm0

Check if USB has shows any serial channels, using "/ports print". My guess is this a QMI modem, so it does not support ECM or MBIM need to make an "lte" interface in RouterOS. If it has any chanels, you might be able to use /interface/ppp-out to try to connect to it via PPP. e.g....

Amm0

Yeah you need gps.npk. It's surprising it doesn't come preinstalled since GPS is always present. But I can see how that be annoying – it be like a few help pages to figure it out if not familar with RouterOS. You might want to make a feature request at https://help.mikrotik.com, since GPS.npk should...

Amm0

Certainly Mikrotik has a curious business strategy from this silicon valley denizen POV. I kinda view Mikrotik more as a redhat that made the choice to fund itself by selling low-margin hardware, over a high-margin services. It's a choice. On this front and to @DarkNate points on "config comple...

Amm0

The day I enable capsman on any of my devices, means my brain has been taken over by fungi!

It's not very friendly for sure. But worth noting that there is no fast roaming without CAPsMAN...

Amm0

Why is this the case? I thought we lived in a VLAN-Filtered world now. Well, the idea is keep the cAPs simple. The default config uses a "dumb" bridge. So that bridge to pass whatever vlan added by wifi driver. e.g. more hybrid port like UBNT APs. The wifi-qcom-ac driver do not support VL...

Amm0

verified that the post to the API it does in fact confirm the config and eliminate the reset loop cycle. it's a bit of a weird solution, but it 100% resolves the issue.

Great work. But this is a bug (or at least doc issue on how one should do this "correctly").

Amm0

tool/fetch url=http://192.168.88.1/rest/system/note user=user password=password http-method=post http-data="{\"note\":\"system configured\"}" http-header-field="Content-Type:application/json" With POST, it URL is url=h ttp://192.168.88.1/rest/system/note /set...

Amm0

As for the $action, I am hoping that it is possible to do something like :set action "confirmed" It may need at ":return 1" or something, but "guess-and-test" is rather annoying approach to something like this. To be honest, I don't care how it works. It just be good t...

Amm0

Well better docs on the mechanics of branding/default configuration be a good start. But exactly how stuff like $action in defconf is suppose to work be good to document. Just not seeing enterprise support, if they cannot keep the docs up to date. I have a lot of the wAPacRs with 16MB & use zero...

Amm0

Hmm. I have defconf scripts, but I've never see anything like this. But $action is provided in a custom V7 defconf, and you AFAIK you do not have to confirm anything. Now I have NOT tested this recently... So perhaps this has changed when they separated out the caps-man defconf script. Also, I use a...

Amm0

All seem to work just fine... But I guess, you learn something new every day 🤷 LOL, Lisp and Ada examples. Now, RouterOS's logic inherits some from LUA actually, which ver 5(?) supported. I think they created the current language to be more "config centric" than a general-purpose language...

Amm0

I am just thinking in terms of “does it make sense” Well is the office Wi-Fi crappy? Then it make sense. If your need is "security", I guess an extra router add additional layer beyond whatever your laptop's default firewall is doing. Just seems like marginal benefit, since I suspect you ...

Amm0

It would still be nice to see a user-friendly addition to the existing RouterOS WOL tool to specify that the magic packet must be unicast. Not sure how wide-spread the problem, but given @fragtion is also interested. You should file as a feature request at help.mikrotik.com. From the wireshark, it'...

Amm0

The solution is don't use the same local variable name as the attribute. See https://wiki.mikrotik.com/wiki/Manual:Scripting_Tips_and_Tricks#Always_use_unique_variable_names So using $comment would be it being nil/[:nothing], and find's matcher with nil is ignore... so it returns them all. And it re...

Amm0

Depends on the problem you're trying to solve. There are many ways to configure things. As it stands, the NAT rules use one public for one subnet 192.168.1.0, and 2nd IP for 192.168.0.0. To use rules and routing table, the gateway needs to use an interface qualifier & add'l NAT rules. Specifical...

Amm0

USB modem typically have several ports, /port/print will show how many. And on the /interface/ppp-client interface, it's the info-channel= that's used for AT commands. So it using the 2nd port (zero index), you might try making info-channel=0 or info-channel=2... Also may want to disable/uncheck dia...

Amm0

Use can use /interface/ppp-out/at-chat input=ATI for a serial-based or modem may appear as /interface/lte, and that too has the /interface/lte/at-chat input=ATI.

The /system/serial-terminal is only for interactive use, no scripting.

Amm0

The first NAT rule should use a src-nat, not masquerade. If action=masquerade, then the to-address= is NOT used... e.g. /ip firewall nat add action=masquerade chain=srcnat src-address=192.168.0.0/24 to-addresses=xx.xx.55.84 ==> /ip firewall nat add action=src-nat chain=srcnat src-address=192.168.0.0...

Amm0

"port with pvid added to untagged group" is not actually a hard error. My current understanding is that it is a call to attention to clue the user in that some dynamic config has happened and the end state of that should be verified to ensure it is as intended, but it isn't immediately an...

Amm0

Not easily in v7.10, but in latest stable this work: { :local bgwtime [:deserialize from=json ([/tool/fetch url=https://worldtimeapi.org/api/timezone/Asia/Baghdad as-value output=user]->"data")] # debug to show output :put $bgwtime # print one value from the worldtimeapi.org data :put ($bg...

Amm0

It's just hard to help when it bit unclear what the script is trying to do...

There is also [:timestamp] which will give you an int of the time (in nanoseconds since 1970). Also time types can be compared without converting to an int.

Amm0

You'd assign the MACVLAN the public IP address "manually" in /ip/address, instead of using /ip/dhcp-client. For intents in the firewall/routing, it's a different layer2 interface – which means all example that expect an ethernet interface name, should work same with MACVLAN.

Amm0

And with netmap, you'd need a src-nat rule too, but matching on src-address using the LAN address of the server and a to-address=55.5.5.3

Amm0

well ok I like this idea here Typically one uses one IP for the router and a second IP directly for a server for example. actually in real situation this second IP for the server and maybe we can use it for other device, but you mean to put the public directly in the server ..? If it's a server, th...

Amm0

Well that should work. Maybe post the relevant config?

I suppose another approach that allow config closer to the typical dualwan examples is using a MACVLAN interface for the 2nd public IP. And use that MACVLAN as interface instead of something like ether2 in other examples.

Amm0

Ahh, single interface now thats challenging.......... I'm not sure what it gets you, if it's the same ISP... Normally ISP do throttling/queues by the customer's link, not by specific public IP... but perhaps not. Also, another approach that allow config closer to the typical dualwan examples is usi...

Amm0

I am really was thinking about that, but the problem is that i have only one out interface ether1 Perhaps the question is what's the purpose of using the 2nd public IP, if it's using same physical upstream? e.g. 1. Do you want to different dst-nat rules based on IP? In this case, you just need to a...

Amm0

Yeah, they may need to know your MAC address. You can "clone it" but simply entering your old router's MAC address on the ether1 interface, obviously your older router have be unplugged after.

Amm0

Okay, that all I got. I was guessing at the default gateway, and it's unclear why touchthe dst-addr of 10.x.x.x

Is there a modem to reboot? But I think you're going to have to confirm with your ISP the needed settings. As I said, the first step "IP over ethernet" is just pretty vague.

Amm0

Export your configuration by going to Terminal, then use ":export file=config.rsc" and download config.rsc from Files section in winbox/webfig.

Post that here, perhaps ether1 is not being set as a WAN port is my guess at what's going on.

Amm0

I supose you can try disabling the "input" firewall filter rule with "drop" and "!LAN" & see if you get a DHCP address after that. If that works, then you might have to allow DHCP from the VLAN 911 to the firewall to allow it I guess. And/or, just assign the IP addr...

Amm0

Maybe disable PoE on ether1? e.g. you have this message: # poe-out status: short_circuit Possible that interfering with the traffic, since your not getting anything back (or at least only a few packets). Can also look at Logs, and see if anything there has errors/warning. But I'm kinda out of sugges...

Amm0

Yeah /tool/netwatch is the "poor mans" way of HA. See https://help.mikrotik.com/docs/display/ROS/Netwatch Basically you can ping your primary server using netwatch, and have an "on-down" script that modifies the firewall to change the to-address to the 2nd servers. And also an &q...

Amm0

This all looks right. The odd thing is that it does look like the ISP thinks your IP is 10.2.118.106 on VLAN 911. You're running an older version. And I want to say some version had some bug in dhcp-client around that time. You may want to download latest stable release, and copy it to the root of F...

Amm0

Yeah I meant WAN. So that's right.

Try the ether1 in torch, to see if you getting any traffic from upstream. The torch above shows your dhcp-client looking for an address on VLAN 911.

Might want to post your config too. In terminal, :export file=config.rsc then download from Files.

Amm0

Did you add "vlanfiber" VLAN interface as a LAN in /interface/list?

Amm0

The 1st requirement is kinda odd: "IP over ethernet". If that mean PPPoE (or perhaps Mikrotik specific EoIP?) that be different story, but I presume they just mean it has VLAN. But step 1 is an odd way to state a requirement. One thing might help here, is if you can use /tool/torch on the ...

Amm0

See viewtopic.php?t=196072&hilit=system+clock+get+date

Amm0

The docs show assigning an IP address to VLANs and tagged= INCLUDING the bridge interface: Add Bridge VLAN entries and specify tagged ports in them. In this example bridge1 interface is the VLAN trunk that will send traffic further to do InterVLAN routing. Bridge ports with frame-types set to admit-...

Amm0

Sorry, I thought sfpplus1 was one of your VLANs... Basically as config stands, SSH only be available from sfp-sfpplus1 via 192.168.20.33, from a host in that subnet & connect directly (or via some switch connected sfpplus1). Since sfpplus1 is not connect on this router to the VLANs, and there ar...

Amm0

https://help.mikrotik.com/docs/display/ROS/Default+configurations?preview=/167706788/167706790/RouterMode.txt Hmm. I hadn't noticed they had the config now in the docs. For those, you'd need netinstall to replace the default configuration... but still how well it work still depend somewhat on the r...

Amm0

You can also get into the router via winbox and MAC address, which seems you have. So use: /system/reset-configuration no-default=no keep-users=yes Keep in mind... not all router have a default configuration, or 192.168.88.1 exists only on one port without DHCP. Only the home/CPE-like routers have t...

Amm0

Push and hold reset button for, generally, ~7 seconds while plugging it in (i.e. until, generally, USR light blinks). That will get you back to the default configuration stored. See https://help.mikrotik.com/docs/display/ROS/Reset+Button One note: If you replace the default with netinstall, well, th...

Amm0

This is an artifact of how RouterOS bridge works & a bit confusing initially. Under /interface/bridge/vlans, you need to have your VLANs listed, and – importantly for SSH – the bridge interface itself needs to be a tagged port . You don't need to add access ports (e.g. ports with frame-trype=all...

Amm0

I see two entries (plus winbox ones) in 7.15rc1. One that says (unknown) from the remote IP, and 2nd that says "api" with no IP. 1 2024-04-24 11:18:10 xxxuser 192.XX.XX.148 (unknown) 2 2024-04-24 11:18:10 xxxuser api I don't see multiple ones, but I only tested from my laptop, so only one ...

Amm0

I want to say it used say "api" for via, not "(unknown)" - so that's also not right here. When you say "forever", so you mean longer than 2 minutes. AFAIK REST API is just a proxy layer over the native API, and that api uses sessions... so reasonable it stick around for...

Amm0

I have not tested either. But I believe once the vendor's Android app sets up a carrier profile, it stores on the physical SIM with custom JavaCard app that manages it. e.g. esim.me FAQ, Can I turn my existing device into an eSIM-compatible device? Yes, you can do this with eSIM.me. Thanks to the eS...

Amm0

AFAIK, the esim.me cards are just some JavaCard applet (software) running on a SIM card. These applet are "run" by SIM Toolkit (STK), which on most modems is accessed via AT command (or QMI on older modems). On Android, any app certainly have to go through the STK to interact with the SIM ...

Amm0

From winbox/webfig, the selected band (and tower info, signal, etc) should show on the lte1 interface under status tab. No outdoor directional antennas work in US other than the LTE6 ones today. The newer ATL does not work. There is slightly better modem in the US-based Chateau, but that's an indoor...

Amm0

See https://forum.mikrotik.com/viewtopic.php?t=194738&hilit=quickset+access But agree if one is "upgrading" from a hAPac2/3 to a hAPax2/3, they don't seem to care much about removing features. My bigger annoyance is the hAPac2 has USB, while newer hAPax2 does not. IMO Mikrotik just vie...

Amm0

I should have mentioned that I am using the US versions of both LHG units. I will dig into the bands a bit and respond with findings. It may take me a few days. :) Well... only the US models have issues with newer modems having less bands... so easy to guess ;). But I do suspect you'll see old one ...

Amm0

Well, you might want to look at the bands being used. Don't know if this US T-Mobile, but if you were using US version of LHG LTE, the older unit have band 4 and Band 5. I'm guessing the newer LTE6 is using Band 12, while older one may been using Band 4.... (and Band 66 likely need to get more speed...

Amm0

You should be able to have static filter rule in chain=forward BEFORE the dynamic DNS redirect rule that action=accept the DNS traffic. Hotspot enter their dynamic rules via action=jump, so you're free to add static config BEFORE the initial jump. I understand that. But I DON'T NEED that redirect a...

Amm0

You should enable /system/ptp for the ethernet/SFP ports as a first step, as that allows you to configure the ports for PTP. See:
https://help.mikrotik.com/docs/display/ ... e+Protocol

Now whether PTP works on a VLAN on the CRS326, I don't know...

Amm0

I'd recommend the second option

Totally agree, Chateau with external antenna be best. One assumption being the Wi-Fi part is needed INSIDE the trailer. If wi-fi is needed outside, well, it ain't going to get far...

Amm0

The LM960 be tricky. The LHG has only 2 antenna jacks, and their U.FL...while LM960 uses MHF-4 connections. But Mikrotik has good support for the LM960s (e.g. it shows all the LTE metrics), so it should, generally, work. Assuming you adapt U.FL to MHF-4, you could just use the two antenna ports to L...

Amm0

Just the answer the question, How should I change the hotspot config to change/disable, for example, DNS redirect? You should be able to have static filter rule in chain=forward BEFORE the dynamic DNS redirect rule that action=accept the DNS traffic. Hotspot enter their dynamic rules via action=jump...

Amm0

Let not blame CAPsMAN, it really the hybrid port and funky bridge VLAN configuration's fault here ;). Not here, but with Wave2/AX drivers, you need CAPsMAN for roaming, so not so easily wished away... I guess I'm unsure why you're doing this in two phases. Perhaps have good reasons. But FWIW you can...

Amm0

Context matters here. While uPnP ones are not cleaned up is different problem than hotspot generated firewall rules and different still from connected routes, BTH, VPNs, etc. For example OP's hotspot rules are not changeable since the rules change based on setting under /ip/hotspot, which is how you...

Amm0

To turn this problem on its head for a minute, would it be better if I made ether1 a pure trunk with no untagged traffic on it? That's not the easiest thing to do in my architecture since it makes bootstrapping much harder, but if that will make the system more robust I can do that. It's not issue ...

Amm0

As noted, 1. ether1 is disabled in /interface/bridge/ports.

2. You still need vlan 450 marked as tagged on bridge (br0)

/interface bridge vlan add bridge=br0 tagged=br0 vlan-ids=450

Amm0

Any way to create a log entry that persists a reboot when watchdog is about to reboot? Or send an email with date/time? I should have been clear in my other post. I think the email is only generated when a supout is generated and supout is only generated if there is a hang/etc. Docs say: Watchdog r...

Amm0

Also, you can add a /system/watchdog with a ping address supplied. This will reboot the router if ping fails after X seconds/minutes. Not ideal but provides one more backstop.
https://help.mikrotik.com/docs/display/ROS/Watchdog

Amm0

I am asking this because the USB LTE stick I have has been used for many years inside other two linux based routers (ADB and Sercomm) with no problems. The same SIM card with the same APN is running in many devices aroud, most of them alarm systems, in remote location, with no problems at all. I'd ...

Amm0

You don't have screenshots. But it does seem TR069 has not been updated for the newer AX drivers based on the doc. e.g. schema shows TR069 XML attrs map to "/interface wireless =interface-type!=virtual", not /interface/wifi ...

Might want to file a bug at help.mikrotik.com.

Amm0

If one AP is working today, than I'd imagine a newer AX-based hAPax3 would improve things slightly. And I'd imagine at least 2Ghz signal reach most places, which is enough for movies. Certainly, a couple APs, one per floor and/or opposing sides, provide more consistent speeds with Wi-Fi. Now... it y...

Amm0

You can exclude specific topics, for example: "info,!wireless" will exclude all info log messages that contain also wireless topic I agree merged topics= works well enough from the RouterOS CLI to search logs. BUT... issue is when OTHER system process the logs via syslog where the complai...

Amm0

other suggested stick? an external LTE modem? Maybe from MikroTik? Any idea is appreciated, but... something working, please :-) Probably already done this, but I'd make sure the APN is right - those log look like it's not getting an IP address, which could mean some specifical APN setup may be req...

Amm0

Since often a ISP modem/ONT has one port... the use case for the RB1100's "bypass" with VRRP and 2nd router is undervalued aspect of it. Or ISP gives use a subnet like a typical /29, to allow other routers so that even if the router is rebooted, those servers/routers use a public address f...

Amm0

Yeah something is fishy with RB5009 and/or USB, seemingly with Hueweis. There's been a few posts. About the only thing a user can do, is try the stable and beta/rc and/or even older V7 to see if those fix. Specifically 7.15rc has a fix to always leave the LTE interface around, so that worth trying. ...

Amm0

Yes, they did change it, and did warn users If you count a forum posting, sure. Cloudflare is $28B company, not Mikrotik. So sharing of certs in a forum posting without some hash (SHA256/etc) and only indica of authority being "Cloudflare Team" next to the user & going on to recommend...

Amm0

Are you aware of any way\command to connect \ diconntect the LTE? There are two ways. one is to disable and enabled the lte interface (via "/interface/lte lte1"). The other is power cycling the USB (via "/system/routerboard/usb/power-reset"). Using netwatch script is the way to ...

Amm0

Tend to agree with @mkx. I think we'd more likely see ROS support for whitebox switches (if they have required hardware resources) than the other way around. RouterOS as ONIE loadable image be the first step. And likely a good one. It's kinda like another CHR at some level, and they did just release...

Amm0

By default, there is no check on the distance=1 /ip/route (e.g. fiber). So simply unplugging is not going to cause a failover immediately. If fiber is a static route, you should add a check-gateway=ping on the 0.0.0.0 default route in /ip/route. If the fiber using DHCP client to get the fiber WAN IP...

Amm0

Cannot say if to keep the link some pinging is enough, but you could set a script that just pings the (I presume there is one) the DNS that the LTE provider gives you once every (say) hour or so. This could be a netwatch script or a scheduled one. Totally possible carrier may separately force a dro...

Amm0

Sure, that work too. But you don't have further ability to limit to just the router (which I don't show above, but /routing/rule let you exclude LAN IP from using LTE for the destination of 1.0.0.1 – a main route for 1.0.0.1 applies to all src-address) A separate routing table keeps things clean IMO...

Amm0

MikroTik support says that the RB5009 is OK, looking at the logs. IMO, its a bug if it doesn't come back if other OSes do recover... But to force ping out LTE while fiber is the active route in main requires using a routing-table. To create a new seperate routing table that only goes over LTE, it's...

Amm0

You still need some hotspot user (and password), even if hidden... You can create a hotspot user with the desire setting for the "without username" case, then use that user as a NEW value="..." in HTML as the post describes. e.g. <input type="hidden" name="username...

Amm0

It could also be "detect internet" as that also pings upgrade.mikrotik.com.

Amm0

A more complex example of using fetch with variables (and wrapping it in a function to make it easier to use from CLI) is one I wrote for extracting ZeroTier members via ZT's HTTP API to add static DNS entries for them:
viewtopic.php?t=204990&hilit=zerotier

Amm0

To store as a variable, you can just replace the ":put " with a ":global results " would work. There are also :local variables e.g. { :local results ([...]->"data") :put $results } The result is going to be JSON, so to get that into a RouterOS array, you need to use &qu...

Amm0

As I said, I haven't used the ZT container, so IDK. So my suggestion was to make sure enabled Logging is checked on the /container for ZT, and the look at "/log print". Alternatively, you might be able to access the shell of the container using /container/print then /container/shell XX whe...

Amm0

@Amm0 with the schedule do I script it into the code I have created for the sensor or use the system scheduler in system menu ? You put your code INTO scheduler's on-event. It would just need to be added once. The scheduler (aka `cron`) will then run your script on the interval= set. Using winbox, ...

Amm0

Couple thoughts: 1. Did you put the VETH in LAN interface list (or address-list if using those)? e.g. firewall blocks !LAN by default 2. The Mikrotik ZT client will inject ZT routers to the router, but using a ZT container won't... So you need a static route on CHR/X86 to the ZT network as Mikrotik ...

Amm0

The quoting all looks right, and CURL is doing same "single line" GraphQL. My other thought is /tool/fetch is using \r\n as the line ending, not just \n... Perhaps just add \n to the end, since it's complaining about In latest V7, there is the newer [:tolf] to convert any CRLF. So perhaps ...

Amm0

Well, it the -H 'Content-Type: application/json' that's messing in your /tool/fetch - that's setting it as JSON. :put ([/tool fetch url="https://somewebsite/api/graphql" \ http-method=post \ http-header-field="Content-Type:application/json,Authorization: Bearer eyJ0eXAiOiJKV1QiLCJhbGc...

Amm0

@Amm0 thanks will give that a shot.

One note, in scheduler script, you might want to use "/log info TEXT" instead of a :put.

Amm0

Hmm unfortunately the same response. It is so weird that it works with Curl or Postman but not with the fetch tool. Can you post the command you're using with `curl` that works? You may also need to add JSON as the content-type to /tool/fetch, since my guess is curl is using a --json (which sets th...

Amm0

Or run at CLI, add an other :while (1) do={ ... } around the code, with a :delay 10s before the end of the loop. It take a ctrl-c to exit.

Amm0

@Amm0 I am getting somewhere now I need to just get this script to refresh every 10s when the new local pktdata is updated You can put the code into /system/schedule** script with an 10s interval, that starts at "startup". ** likely easier in winbox/webfif to cut-and-paste code than use C...

Amm0

Essentially the conversion from hex-in-a-string to an int take the following form today: [:tonum "0x$[:pick $pktdata <index> (<index> + <len>) ]"] So in your code it look like this: # Main function to decode Bluetooth advertisement data /iot bluetooth scanners advertisements { :local adids...

Amm0

I suppose you could try the old /ip/packing, as that lets you set an aggregated size. It's old as dirt, but if "packing" smaller packets into a bigger one is the goal, worth a look/try:
https://help.mikrotik.com/docs/display/ROS/IP+packing

Amm0

I believe you need spaces between attributes and brackets in graphql. Might want to try something like this: http-data="{\"query\":\"query accountid { accounts(id:2) { entities { name }}}\"}" or since query is already in the JSON perhaps http-data="{\"query\&q...

Amm0

Thanks @sirbryan. My knowledge of 60GHz is limited. I do know that it's jitter that kill you for Dante, so great data. The thing that seem limiting is there are not any MCS-like knobs to tweak – since I'm not sure negotiating a higher MCS is helpful for stability. e.g. Changing MCS has to introduce ...

Amm0

Re UBNT vs MT.... I think it be more physics, than hardware since it's a standard protocol. Only note be that Mikrotik uses a bond on 60Ghz PtP products with 5Ghz backup... For Dante, 5Ghz be worthless as backup, so using bond would add a smidgen of latency that could be avoided. I'm pretty sure Dan...

Amm0

Yeah in V6, pref-src is used for everything in routing. In V7, it's ONLY used for router initiated traffic. RouterOS V7's "FIB logic" when multiple IPs in same subnet... IDK for sure. I'm don't think it's documented what happens. I do know pref-src= on a router in V7 works for something li...

Amm0

Assuming it's V7. The address used for "local out" traffic (e.g. telnet from router) should be shown a local-address in /ip/route/print... To set it for traffic originated from the router (e.g. /tool/fetch, /system/ssh, telnet out, etc.), then pref-src= can be used to control. If pref-src ...

Amm0

Couple questions: - Were you in AES67 mode? - Did the Dante controller have a specific error on the clock and/or see a lot of jitter in clock's graphs? One thought is by default 60GHz PtP Mikrotiks use a bond with 5Ghz. I'd remove the bond if it was being used, since failover to 5Ghz is not going to...

Amm0

wAP ac is not discontinued

Perhaps, but it's "brother" with miniPCIe is marked as discontinued (https://mikrotik.com/product/wap_r_ac)

Amm0

Assuming you have not upgrade the wireless drivers...

There should be a QuickSet mode (in upper left) for "PTP Bridge CPE", you should be able to use that to connect to Starlink Wi-Fi's SSID and should bridge it to ether2 (and I think ether1).

Amm0

Fair enough, it is even more confusing. I thought it's just UDP with different ether type. That it might not be UDP was a suprise. With NirSoft's WakeMeOnLAN tool, I can successfully wake-on-lan an MSI Cubi2 system on my LAN. A sniffer trace of what WOL packet gets generated with your tool when usin...

Amm0

It may flow via L2 MAC, but it's still formatted as UDP packet AFAIK.

Could be wrong... but I think it's just specific IP address, instead of broadcast 255.255.255.255, in the UDP part of the packet.

Amm0

@normis any update on a native mac app for winbox?

Given we're at an icon flashing in task bar: https://youtu.be/sQPlwDSd5LM?t=184 — be a while.

No other proof of life... Like screenshot? Or, at least clue on framework/lang... Can we put rest it's Electron?

Amm0

Theoretically WOL could be on a BMC with an IP address, and the WOL turns out rest of system. It does not seem like a bad option to have, although perhaps confusing since IP isn't going to help in most cases. Kinda niche, but Mikrotik has the feature request category at help.mikrotik.com.

Amm0

Why on the forum?
They should have a services status on the main website.
Agree. Or perhaps some backup host someplace else for geo-redundancy. Not asking 5-nines here.

Well, they should have a status page. I'd suggest Dude and function to update the web site

Amm0

Seriously?

LOL. I don't think @DarkNate was even trying to troll [here] – just a lucky guess. If so, you have some eggs from your pizza to throw at him.

Pineapples, like IPv6, aren't everywhere.

Amm0

First bet is DNS.

Good to hear.
It really is always DNS.

Amm0

Yeah realized after that DNS was already likely MS AD DNS. I suppose another way to skin that are is set the Mikrotik DNS to your AD's DNS? Since I do think hotspot is sending all DNS to Mikrotik regardless of what DNS IP is used. While you can have a firewall rule before that has a hotspot chain ru...

Amm0

Capacs take minutes to setup and dont change very often Most Wi-Fi APs have some central manager, so it's not unreasonable to want that on Mikrotik. It's the view of all APs in one place that's useful of CAPsMAN. Or if you want to make a change to SSID/password, etc. are all easier down the road to...

Amm0

Config may help here, dunno. But ISP upstream may redirect NTP and/or DNS. Might want to try at the Terminal: :put [:resolve pool.ntp.org] I suspect that will get you the same 173.255.241.249. Be curious to see what DNS servers are getting used: /ip/dns print ; /ip/dns/cache print where data=173.255...

Amm0

Ok, thanks! I think I'm having larger MTU/MSS issues, as its not working, but I'll post a separate topic for that. Set EoIP to 1500 MTU. It will fragment but almost certainly needed since I doubt the HDHomeRun does PMTUD. Generally there 7 MPEG frames per RTP packet, so I'm guess it like needs 1400...

Amm0

Mikrotik has a pigtail part: https://mikrotik.com/product/acsmaufl

That get you SMA. Most Wi-Fi things RP-SMA. But AFAIK the wAPac is same as LTE ones with u.fl connectors on board for Wi-Fi.

Amm0

It was a serious pain in the ass and took a lot of hours. Good news is the EAP supplicant stuff just worked, no fiddling. Oh I'm sure. But the new drivers likely worth the effort. Used the wifiwave2 (now wifi-qcom-ac) on Audiences for long while, it was night-and-day difference. Welp... my RB4011 b...

Amm0

Are we talking about this one: https://mikrotik.com/product/wap_ac Yes. I mainly use the https://mikrotik.com/product/wap_r_ac which has miniPCIe slot, so I habitually add the "R". But the wAPac is identical, except no LTE modem. It's the plain "wAP R" you wouldn't want as that'...

Amm0

The wAPacR is a router, and is an AP by default. The newer wifi-qcom-ac drivers will get you Wave2 support on it. So you should not need the Starlink router - assuming the third-party Starlink+PoE to Ethernet adapter works. The Amazon links seem to do that so the ethernet that be usable can be the W...

Amm0

Some older Huawei modem had issues with IPv6, but you've disabled it in both places, so I dunno.

I'd add lte,!packet,!raw as a topic /system/logging, reboot, and collect a supout.rif file & email that and what you've seen to support@mikrotik.com

Amm0

Fair enough. More that if disabled under /ipv6, you have to change the APN under /interface/lte/apn so the ip-type=IPv4 as well.

Amm0

One thing to try is setting just the "IPv4" option in the APN Profile, instead of "auto", as the "IP Type".

Amm0

The only difference is the "LTE way" is there is no scripting actions on it. But if you didn't have that need... I'm not sure what advantage to go through the trouble to "fool" routeros into creating an actual /ip/dhcp-client for an LTE interface? The APN Profile does mimic the o...

Amm0

I hear Active Directory. First bet is DNS. I suspect the hotspot clients are using Mikrotik DNS, which isn't going to the know the SRV/etc records needed for AD LDAP. You could confirm by setting a hotspot client's DNS to explicitly use Microsoft AD DNS servers. If that works, it's for sure DNS. Eve...

Amm0

Fair enough. The double-NAT does offer a static config on Mikrotik side, so can see that's being a plus. And L2TP is a different story for the NAT'ed CGNAT going on, than say WG/etc. More note that, in most normal cases (not BGP+L2TP ;) ), likely better if modem operates in MBIM mode if possible in ...

Amm0

V7 support MBIM modems. I'd imagine you'd be able use an AT command to switch it from the "NAT-mode" (Linux ECM driver) to MBIM modem. That get the CGNAT address on the router. If you google for your modem and MBIM (or if specs suggest Windows 8-11 support), I'd imagine there is some AT co...

Amm0

In the LTE Profile, under /interface/lte/apn. /interface/lte/apn/set [find name=default] default-route-distance=2 use-peer-dns=no add-default-route=no Not sure if NTP over MBIM is even possible, but NTP not settable regardless. FWIW, If you're going to use routing tables, set a higher distance for L...

Amm0

Fair enough. I hate Confluence, as user and admin many years ago. Have you ever looked at AsciiDoc (https://asciidoc.org)? It deals with all the TOC/etc stuff that markdown doesn't. OSS, no Java, and esoteric syntax seems more Mikrotik. Apple uses it for the their new PKL language, https://pkl-lang....

Amm0

Thanks all, I've been playing about with GNS3 last night so might try see if I can lab it out before doing anything and having to get on the roof to reset it! FWIW. You shouldn't have to go to roof, assuming you know the user/password. All Mikrotik support winbox via Layer2, so can connect via MAC ...

Amm0

I'd see this done once with some UBNT with some AVIO adapters. Venue suggested its work fine. While I believe them... the use case was not something like FOH to a stage where failure be disasterous. Theoretically, 60Ghz should work. You also do have Dante's latency setting to tweak to help. So there...

Amm0

Your right. I get confused on the Chateau, most are 16MB storage. And I kinda assumed @normis has some reason for his comments however

Amm0

@normis has a point: most of the cost on Chateau LTE18 is for the LTE modem. So if LTE is not needed, it's not a great choice. e.g. while starlink is within its routing abilities, it's not a powerful router. A hAPax3 is more powerful router, and has more internal storage, if no LTE is needed. Althou...

Amm0

My question is regarding the router! I have never turned it on and it does not prevent my access via iphone. Neither router nor smartphone apps care if disabled. But if do use the app... it quite visible since it kinda looks like there is no internet (e.g. it says "Internet: disabled" or ...

Amm0

Hey Ammo, I use an Iphone and have not used this functionality. How would it make the experience better??? Don't enable it using the mobile app is my #1 advice**. The "detect-interface-list" is the only important setting. That setting is where it does the detection. Since there is no poin...

Amm0

Layer 2 vs Layer 3. /interface/vlan creates a Layer3 route on a VLAN. While the critical setting vlan-filtering=yes/no on the /interface/bridge is what essentially converts the software bridge from a.dumb switch and a VLAN-aware switch. The /interface/bridge/vlans is how you set hybrid/trunk/access ...

Amm0

If the VLAN already defined on either end of the link. The 60Ghz LHG should just bridge anything passing over it with the default configuration. e.g. you don't need to set vlan-filtering=yes and define VLANs unless you want to restrict traffic going over the link. So if the Cisco's already have VLAN...

Amm0

there are not so many new features during these revisions.

Think y'all selling yourselves short.

And docs themselves do get updated regularly.

Seems like a `cron` job...

Amm0

Winbox, IMHO is the secret sauce, allowing non CLI trained folks to access and modify their configs and view all kinds of information. Agreed. If you BOTH CLI and winbox, or have potentially multiple users making updates, it is really well integrated. e.g. the "live update" of winbox dial...

Amm0

Finally a normal reaction to this :D Part of the detect-internet logic includes adding a dhcp-client. Given "Detect" is in name, it is odd it modifies config. And since adding a dhcp-client could effect routing...why folks have negative reaction. But the graph in mobile app is super usefu...

Amm0

But, that is just a "winbox bug", that could be fixed with some additional code in winbox. After all, it knows which items you have changed. As someone who has noticed this behavior and already complained elsewhere: of course it is a bug IMHO. Mikrotik may see it differently. I think winb...

Amm0

You might just use netinstall to reset it to defaults. But it is critical you do not press reset button MORE than 10 seconds - it should be around 6-7 seconds from power on & normally some light goes from solid to flashing, at which point you release the reset button. While the button reset shou...

Amm0

But at first I didn't see the detail as I was using Comfortclick's http driver to test it and it only said Internal server error... FWIW, if you use Postman to test request, I created a RAML/OpenAPI scheme that allows testing of the REST API. See https://forum.mikrotik.com/viewtopic.php?t=199476&am...

Amm0

Your right it's not a server error so 5xx status code is wrong.

Although the specific permission that's missing be more helpful.

Amm0

i'll go through the wiki once again, then probably i'll ask support I've never used the interface-specific ones. But just re-read docs since I wrote from my memory and my usage ;). https://help.mikrotik.com/docs/pages/viewpage.action?pageId=8978569#RoMON-Secrets One of the rules is For each interfa...

Amm0

Short Answer is NO . It kinda up to the mail client to figure it out. For sure, the file extension has to match the file type (e.g. if it's a png, name should end in .png) But how Mikrotik generates the multipart MIME has some effects. Basically all attachments get added using the follow headers for...

Amm0

The skimpy docs on select-rule has come up before: https://forum.mikrotik.com/viewtopic.php?t=206072&hilit=bgp+select It can't hurt to open a ticket at support@mikrotik.com about the poor docs on BGP's select-rule. I'm not sure what is not covered by the V7 BGP filter language e.g. what can only...

Amm0

b. BTH configurations where the Peer (server for handshake) has a public IP and has no need to punch out to the proxy MT WG server. I'm not sure how BTH would interfere with other WG config. BTH with a "real" public IP would still use DDNS, but still does not "punch out" a ports...

Amm0

Create a routing rule with Source of WAN2 IP address , and force all such traffic to table pointing to WAN2. OR, even sneakier, Dst-NAT traffic to wireguard port to WAN2, to-address=WAN1 This has come up a few times.... Maybe @normis/etc can comment on it somewhere. Although it's WG, not BTH specif...

Amm0

FWIW on this one: 1. I know recommendation. This is my decision for App Android. Yeah if you don't use mobile apps, the use of "detect-internet" is unclear. But if you do use the mobile apps...it front-and-center on the app & does enable a nice graph of WAN usage if enabled. And you've...

Amm0

I would have expected some kind of API as that's more efficient (no need to parse command line) and less prone to breaking changes. All the config methods are abstractions over some internal config schema (see /console/inspect). So...I'm just not sure where efficiency comes in — once config change ...

Amm0

It's likely better thinking of the RouterOS CLI in terms of a REPL for a programming language, than ANY UNIX shell. It's thinking CLI is more like Linux/UNIX is where the trouble starts ;) FWIW, I'm not sure $() is newer than ``. The $() is more for variable assignment IMO, while backtick works anyw...

Amm0

Of course it should, you programmed the router to do so. Geez, there is no accountability in todays youth ;-) And this is why I always think ECMP and routing rules is often a better approach to load balancing. Even though ECMP is "less random" than PCC, changing the default firewall is fr...

Amm0

I didn't even think about the use (), i'm kind new to scripting, thanks for the hint!

If you know Linux/UNIX, the [] are similar to `` backtick to run a command and replace result in-place.

Amm0

The WAN has a dhcp-client enabled on it. And it goes through prerouting just like eveything else. So it gets marked per your mangle rules.

Amm0

That's DHCP.

Search found 3947 matches