MikroTik

erlinden

Talking about weird...are you using the RB5009 as switch?
Can you share the config of it?

/export file=anynameyoulike

Make sure to remove any personal info like serial and public IP information

erlinden

CAPsMAN server can be installed on any RouterOS device , even if the device itself does not have a wireless interface: https://help.mikrotik.com/docs/pages/viewpage.action?pageId=1409149#APController(CAPsMAN)-Overview g21 Make one of the aps CAPsMAN...that's it. But you might want to consider using...

erlinden

You can disable logging on this firewall rule.

erlinden

i not use VLAN

You want to:
Router: viewtopic.php?t=143620#p706997
Accesspoint: viewtopic.php?t=143620#p706999

erlinden

Looking at your config...sure you use CAPsMAN? I was expecting some sort of configuration (but I'm not familiair with the WAVE2 package).
What is the use of all the bridges? And why not use multiple VLAN's (which will make your life easier on the firewall)?

erlinden

Config would be very helpful:

/export file=anynameyoulike

erlinden

That was the problem...but this kind of problems should never exist.

Any professional networking device will give you the possibility to change MAC addresses. It's up to the user to have it changed...or not.

erlinden

What does

I can't connect to 192.168.88.1. Tried on different browsers, just in case.

mean? And have you tried with SSH?
Is there a password sticker on the RB?

Don't get disappointed, RoutersOS does have a steap learning curve. But once figured out...

erlinden

Can you please share the configuration:

 /caps-man export

That will provide a lot more information (at least, I hope).

erlinden

Would it be possible to work with a single DHCP server? Van you please explain a bit more about the environment? Roaming (makes me think of wireless clients, is this correct?), three routers and leasetimes of 7 days doesn't sound like a regular network.

erlinden

From the wiki: https://wiki.mikrotik.com/wiki/Silent_boot https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings And the helpfiles: https://help.mikrotik.com/docs/display/ROS/RouterBOOT#RouterBOOT-Configuration https://help.mikrotik.com/docs/display/ROS/RouterBOARD#RouterBOARD-Settings Check for...

erlinden

Sounds to me like you don't have a major problem....is beeping disabled (not sure if possible)?
And is that your only problem?

erlinden

Need some help, @batot...why did you create three bridges (for which most ports are disabled)? And can you please supply some explanation on how you want your router to act? Is China blocking necessary, or could you use a whitelist mechanism?

/ip upnp
set enabled=yes

Please...don't.

erlinden

Ah...now I understand, some sort of custom logging where this information is included.

erlinden

If I look in /ip/dhcp-server/leases in Winbox, it shows the bridge port. Are these connected through wire or wireless? The latter is (in my case) not shown, while everything connected to wire is.

erlinden

@rextended...so sad...

erlinden

I checked your earlier screenprint and noticed that you are using two bridges. If you want to use hardware offloading you should migrate to a single bridge, combined with VLAN's if necessary. Are you using queues? Are you sure you want to be helped? Can you share a config that you feel confident wit...

erlinden

Would be helpfull if you can supply both a network diagram showing the VLAN's and a complete output of your config.

erlinden

My best guess: you are trying to forward to your router (I assume 192.168.88.1 is your router address?).
Can you connect to 192.168.88.1:25565 if you are on your LAN?

erlinden

Theoretical if you have right, how are you explain that upgrade to version 6.49.7 resolve problem? There are more explanations, if you want a good answer can you please share the config? /export hide-sensitive file=anynameyoulike Don't forget to remove serial/public IP/other personal information

erlinden

My I ask why you don't use the buildin service in MikroTik?

/ip/cloud

erlinden

Defnitely a misconfig, would be usefull to have an export (if you want to continu the CAPsMAN route): /caps-man export file=anynameyoulike From an admin perspective I would use CAPsMAN, especially on being able to monitor all wirelles devices in one place. But there are enough reasons to stick to st...

erlinden

I have more that 30 bridges...

I hope you mean 30 VLAN's? Because anything can be handled with a single bridge (and will perform better).

erlinden

Love self love, might want to mark rextended as the best solution to give him the credits.
And sorry for not knowing this, learned from rextended again!

erlinden

Can you please share your complete config? /export file=anynameyoulike Remove serial and any public IP information (as well from your opening post) and any personal information. Any reason for still running this older LTS version? By default, everything on the input chain is blocked, except through ...

erlinden

If you install the wifiwav2 package, wireless interfaces should be available again. Think that would be the first step.
If that is not working (and you have more goovy stuff), you might want to consider performing a netinstall.

Why did you upgrade?

erlinden

you're not accurate in your description, a script can't read your mind.

I think the TS wants to be able to enable/disable items on a list...which is, as far as I know, not possible.
Hence the idea of moving items in between 2 lists.

Unfortunately, the TS wants a script he can use immediately...

erlinden

From a conceptual point of view: create two addresslists and move the entries accordingly.

erlinden

VLAN config is the same for ether1 and 5, there is something wrong with ether1 on ax2, both of my ax2 have same problem...

Can you please share your config?

/export file=anynameyoulike

Make sure to remove serial, public IP address and any other personal info.

erlinden

Two things to focus on:

Route: https://help.mikrotik.com/docs/display/ROS/IP+Routing
Firewall: https://help.mikrotik.com/docs/display/ROS/Filter

erlinden

I think it was introduced in the Wave2 driver, can't find any reference in the help files with the standard driver:
https://help.mikrotik.com/docs/display/ ... +Interface

erlinden

You have to explicitly add the parameter show-sensitive on (any) V7 to export all sensitive data. By default it is excluded from the export.

erlinden

I'm not sure, maybe something wrong with my settings, but 1 meter away from the router all I can get over WiFi is

Instead of posting a result from speedtest, you could better post config and perform a throughput test with a tool like iPerf.

erlinden

Haven't red all you wrote, any VLAN topic should have at least one link to this great topic:
viewtopic.php?t=143620

erlinden

add action=accept chain=input comment="allow SSH temporarily" dst-port=22 protocol=tcp

If you add this after the Wireguard rule you should be able to connect.

erlinden

The port should be explicitly be opened on the input chain (there is no port forward necessary), assuming you want to have this service available on the WAN site. And...as soon as you managed to get it to work...close it! Security wise you don't want this...never. Is this what you want to achieve? I...

erlinden

I would like to know if the Mikrotik has any country that uses only the UNII-1 (36, 40, 44 and 48) and UNII-3 (149, 153, 157 and 161) channels in the 5GHz frequency?

Why? You want to live there?

erlinden

Don't you have/need firewall rules?
Did you set up hairpin NAT properly?

https://help.mikrotik.com/docs/display/ ... HairpinNAT

erlinden

Instead/besides a backup, you can also perform an export which will save your configuration:
https://help.mikrotik.com/docs/display/ ... tandExport

erlinden

Should look more closely...why don't you add the VLAN on the bridge? Or better, what is the purpose of the VLAN? Or even "more" better, can you draw a diagram of how this device is supposed to work?

For reference:
viewtopic.php?f=23&t=143620

erlinden

The WiFi speed is very slow, up to 100Mbps with both 2.4 and 5 GHz. I can't find any capping configuration but I may absolutely be wrong. Do you have any suggestion? Your config is crappy in regards to wireless settings. Please use the search option in this forum (and search for user bpwl), you wil...

erlinden

As long as you configure as mentioned below, you will get your "seamless experience": SSID is identical All security settings are equal Channels are non overlapping Both accesspoints are on the same L2 network As far as I know there is no 802.11v currently (which would make the handover fa...

erlinden

If you are trying from a pc connected to the MikroTik...what IP do you use to connect to? Might be that the ISP modem/router does not support NAT loopback. Can you: Test with a smartphone? => Check the counter on your MikroTik "wireguard handshake" rule, if hit you know port forwarding and...

erlinden

Can you please share your config?

/export file=anynameyoulike

Remove any personal information like serial and public IP addresses

erlinden

According to the product (did I chose the correct?) page: https://mikrotik.com/product/crs354_48g_4splus2qplusrm is should be able to run it.
Why would you like to run SwitchOS?
What is your actual question? How to switch from RouterOS to SwitchOS?

erlinden

Actually, mine is "set" to unknown (where Certificate is presented in red).

erlinden

So my question is how to reset a field that cannot be blank?

Make export, remove any unnecessary lines, reset the Tik without default and import your export.
Instead of reset, you can also do a netinstall.

erlinden

Not sure why you are reffering to a database, any customization like this can be done through an API:

V 6: https://wiki.mikrotik.com/wiki/Manual:API
V 7: https://help.mikrotik.com/docs/display/ROS/API

erlinden

Why not drill a hole in ones head. You mean like a piercing? @TS: hAP ac2 is using a different wifi driver from the hAP ax2. Therefor there might be a difference in configuration. Unfortunately @anav forgot about the standard question (which is basically the "did you reboot your machine?"...

erlinden

Roaming is a client thing, just make sure that SSID and all security settings are equal (and all devices are in the same L2 network. Fyi: CAPsMAN is great fun, think it still lacks some functionality (but might be a bit complex to configure...learning curve is steep) Mesh is when you have a wireless...

erlinden

The only question is how to remove the certificate selected for openvpn from the configuration.

I'll just sit and watch till you finally Googled it.

erlinden

Why not create an open wifi network?

erlinden

Have no experience with Wave2 (yet), but I would assume that the combination channelwidth 80MHz and frequency 5825 doesn't make sense. There doesn't seem to be a filter on the frequency dropdownlist, dependant on the channelwidth selected. As far as I can see, frequency 5825 is only supported when y...

erlinden

Hop this clarifies it a bit more:

So, your channel 42 is exactely in the middle as well as 155.

erlinden

Channel 42 would be from 36 up to 48. You start with a control channel (20MHz wide) and add 3 x 20MHz extension channels to it. I.e. Control channel 5180 (channel 36) and extension channels Ceee would be from 5170 to 5250. You can also select a control channel somewhere in between (can't think of a ...

erlinden

Comparing https://mikrotik.com/product/hap_ac2#fndtn-testresults with https://mikrotik.com/product/hex_s#fndtn-testresults it seems to me that the hEX S less performant than the cAP ac2. What is the CPU usage while running/testing?

erlinden

I Do not understand, Why mikrotik has so slow speed when port forwarding ? I think you made some errors on the config: IP address should be set on the bridge, not on an interface that is part of the bridge If you want to do VLAN, you should have VLAN filtering turned on on the bridge What is the CP...

erlinden

Higher production costs? And there still seems to be a market for it.

erlinden

Well...I think it was introduced around 2014, I think you can say the RB2011 is reliable on the long term.
But instead of thinking about the differences...what are your requirements?

erlinden

Can you:

Please supply the /export file=anynameyoulike (wihtout the serial/public IP/anything else personal)?
tell if you have any experience with NAT loopback and port forwarding?

erlinden

Did you fill in 223.178.222.199 or 223.178.222.199/24 as IP address? It should be the latter.

erlinden

Instead of using speedtest, you better test with a tool like iPerf. That will give a better indication of the wireless speed.
I'll check your config in the mean time...

erlinden

Don't forget, assuming you didn't mess up the firewall, to add the vlanISP to the WAN addresslist.
Otherwise Internet won't work (while you have a public IP address assigned to this interface).

erlinden

When selecting 160MHz I think DFS channels are required. And, there are only two options for a 160MHz bandwidth: 5170MHz - 5330MHz or 5490MHz - 5650MHz. I have absolutely no experience with this, but I assume you should change frequency and allow DFS channel first. And from the documentation I would...

erlinden

My advice: Reset your device and start configuring from scratch up. Your firewall is a joke (being polite), and you only want to do remote management through VPN. You might even want to consider a netinstall as your device could very well be compromised. Please read: https://help.mikrotik.com/docs/d...

erlinden

Absolutely no clue what your question might be, but here is something you probably want to read:

https://help.mikrotik.com/docs/display/ROS/Bonding

erlinden

Select the test channel!

erlinden

If you want to upgrade to v7, please select test instead of stable. Or download the package manually, place it in the root and reboot. Why do you want to upgrade?

erlinden

Would start with not using extension channel on the 2.4GHz radio. Also, adjust your transmission power to something sane. Think if you require 802.11a and 802.11b (more of a standard advice, probably won't help sole your problem). Might want to update the RouterOS (any reason for running this versio...

erlinden

Is your MikroTik wirelessly connected at all? Is your security settings correct (WPA AND WPA2)? Is the SSID correct? Are you sure you can connect wirelessly on the 5GHz band? Has anything changed on the wireless network you connect to? Does your MikroTik get an IP address (DHHCP Client)? Why do you ...

erlinden

If your MikroTik has a public IP address, the firewall is not complete. But it would help if you supply us with a complete network diagram (clients are not relevant). And also supply us the complete export:

/export file=anynameyoulike

Make sure to remove serial/public IP/anything als personal

erlinden

Though it does make perfect sense to you, please enlighten me...why do you need that information?
As far as I know it is not available, might be worth to suggest it to MikroTik.

erlinden

/system/resource print This will provide information like: uptime: 3w5d23h29m44s version: 7.7 (stable) build-time: Jan/12/2023 07:35:45 factory-software: 6.44.3 free-memory: 927.3MiB total-memory: 1024.0MiB cpu: ARM cpu-count: 4 cpu-load: 3% free-hdd-space: 421.6MiB total-hdd-space: 512.2MiB archit...

erlinden

Sure MikroTik is your way to go?

Open Terminal (it's in the menu)
/export file=anynameyoulike (and press enter)
Open Files
Download the anynameyoulike.rsc file
Open the file with your preferred edittor
Copy the content and paste it here (don't forget to remove the personal information

erlinden

Give us some more info:

/export file=anynameyoulike

Remove serial and public IP (and any other personal info) and post in between [ code] tags.

erlinden

I order by time.

Ok, that is your problem...

erlinden

Strange...haven't seen this behaviour. The log isn't ordered on the #column...that would help

erlinden

That wouldn't make sense...can you share /log print ?

erlinden

Try a factory reset:
https://wiki.mikrotik.com/wiki/Manual:Reset

erlinden

Any other ideas or should i return it as defective unit ?

After all the steps you took...RMA it indeed.

erlinden

You might want to try netinstall the device:
https://help.mikrotik.com/docs/display/ROS/Netinstall

erlinden

You would have to initiate the VPN from the MikroTik (run a VPN client) to a public VPN server.

erlinden

Netinstall and import the export file you created before the upgrade?
Did you install any additional packages?

erlinden

Check the logging?
Sure the file is ok?
Filename should be: routeros-arm64-7.7.npk

erlinden

When using WinBox, upgrading through /system/packages is the easiest way.
Are you sure you downloaded the correct architecture? What CCR do you use (can be ARM and ARM 64)?

erlinden

The firewall is probably blocking because the VPN clients are not on the LAN address list:

add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN

erlinden

Can you please share your config? Specifically of the CAPsMAN?

/export file=anynameyoulike

Make sure to remove serial, public IP and anything else personal

erlinden

Two things in regards to Wifi:

- don't use WPA-PSK
- don't use extension channels on the 2.4GHz radio

Not sure if it is related to your problem or if it is a problem by itself

erlinden

Prefer to use a drop everything else on the end of the chain rules...so both input and forward have this drop rule. Next, please post a complete export and remove the screenshots (as there is so much more info in the export) and use code tags for markup [ code]: /export file=anynameyoulike Make sure...

erlinden

https://help.mikrotik.com/docs/display/ ... p+features

erlinden

Might have to look better...I think some parts of the config is missing?
Why use 2.4GHz radios only?

[Update]
Was expecting some intelligent on the radio channel settings...I think it is currently configured as "fingers crossed".

erlinden

Check the "in" and "out" interfaces, that might give you a clue.
Hope this is not your entire firewall?

erlinden

Might show up in Quick Set at VPN Access. Just don't use Quick Set.

erlinden

You might want to have a look at these YouTube videos:

Bruteforce protection - MikroTik firewall rules:
https://youtu.be/UXGVQmFUfL4

Port knocking with MikroTik:
https://youtu.be/ZaWTuqIdhLM

erlinden

Do I need the extra package?

As far as I know the hAP ax3 requires wifiwave2 package.

Oops...too late

erlinden

Nope...you should have both Saturday and Sunday from 00:00:00 to 01:00:00.

erlinden

By not starting up you (also) mean:
- no DHCP request?
- not discoverable?

erlinden

Have a look at simple queues:
https://help.mikrotik.com/docs/display/ ... impleQueue

erlinden

You might want to consider doing it the bridge vlan filtering way:
viewtopic.php?f=13&t=143620

What RouterOS version are both Tiks running?

erlinden

What is the expected result and what is the actual result?
Can you share the complete config?

/export file=anynameyoulike

Don't forget to remove any personal information

erlinden

DDOS Mitigation won't help most users (ISP can/should help in this case).

The number of rules will increase complexity. As long as you know what you do (and what every rules reason for being is) you won't make it vurnerable.

erlinden

To start: can you please use the correct notation: m = millli M = Mega b = bit B = byte Usually network speed is witten in Mbps (or Mb/s) or Gbps (or Gb/s). Wireguard should be able to do better, can you share your config? /export file=anynameyoulike Make sure to remove any personal information. Dur...

erlinden

Oops, I missed the most important part...clone the MAC address of the pc (which can be found with the command ipconfig /all ). Just red your post again, what you are saying is that the pc gets an IP address on eth1, but not on eth2? Sounds like you bind your DHCP server to eth1 (which doesn't make s...

erlinden

Can you connect the router (with the eth1 port connected) to test if the DHCP client is working?
If a pc is working on the connection, can you test with the pc's address cloned in the MikroTik on eth1?

And...never ever use Quickset after any manual adjustment to the config.

erlinden

Perhaps have a look at this:
https://help.mikrotik.com/docs/pages/vi ... Id=8978441

Mesh = wireless backhaul (and has absolutely nothing to do with seamless roaming).

erlinden

I have absolutely no idea what you mean by mesh...if both interfaces are added to the bridge (and the wireless is configured as ap-bridge) clients on wireless will receive IP address. Can you share your config to find out why it is not working for you? /export file=anynameyoulike Make sure to remove...

erlinden

If you want to really wipe everythng on router, then netinstall the device. Beware that it's a very fragile process (a bit less so if using linux variant).

Did you perform the netinstall succesfully, @Tent1987?

erlinden

Think it requires advanced options (push the advanced button to get the tab):

https://help.mikrotik.com/docs/display/ ... PowerTable

erlinden

Is there a reason why you are not doing VLAN filtering on the bridge (instead of creating a bridge per vlan)?
viewtopic.php?t=143620

erlinden

I'm just saying it gives less coverage or maybe i'm doing a mistake, so i appreciate any comment toward the solution.

Yes...it's a mistake on your site. Please read my previous post and change config accordingly.

erlinden

Take in consideration what @holvoetn mentioned: export your complete config (/export show-sensitive file=anynameyoulike), do a netinstall and perform an import of the config (/import file=anynameyoulike). Hope it helps!

erlinden

You are using 40MHz bandwidth on the 2.4GHz radio of the MikroTik while the Asus is 20MHz. That will make a huge difference, especially looking at the saturation of the 2.4GHz band. Next, if you want to compare you should use the same settings (bands) on both devices (ofcourse not at the same time).

erlinden

Nope...

How fast after boot does it happen?
Have you sent the supout file yet?
Anything exotic in your config?

erlinden

Depends on regulations (which depends on country code), can you check:

/interface wireless info allowed-channels

https://help.mikrotik.com/docs/display/ ... +Interface

erlinden

Seems that the help page is not up to date yet, the wiki is: https://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/Profile Rate limitation in form of rx-rate[/tx-rate] [rx-burst-rate[/tx-burst-rate] [rx-burst-threshold[/tx-burst-threshold] [rx-burst-time[/tx-burst-time]]]] [priority] [rx-rate-min[/tx-rat...

erlinden

Where exactely do you see this setting?
I checked the helppage, but it wasn't mentioned:
https://help.mikrotik.com/docs/pages/vi ... d=56459266

If it has to do with the wireless device:
https://help.mikrotik.com/docs/display/ ... SRatetable

erlinden

I'm using simple queues (which work pretty straight forward). Might be sufficient for you as well?

/queue simple
add dst=[WAN interface] max-limit=100M/100M name=[ANYNAMEYOULIKE] target=[IP ADDRESS]

erlinden

The answer to VLAN everything:
viewtopic.php?f=23&t=143620

erlinden

Is the SSID still broadcasted?
Does disable&enalbe the interface solve the problem?
Can you share your config?

/export file=anynameyoulike

Make sure you remove any personal information.

erlinden

I read some comments about higher temperature, nothing about freezing devices.
Couldn't help it, what are freezes in your case? Can you share your config to get some proper feedback?

/export file=anynameyoulike

Make sure to get rid of all personal information.

erlinden

Hello every one, just starting in mikrotik world, I have a RB951G-2HnD but my wireless is too slow, is there a way to connect an 5g external ap to one of its ports but slave to local lan?

Yes, exactly as you describe.

erlinden

Something like a hotspot?
https://help.mikrotik.com/docs/pages/vi ... d=56459266

erlinden

Some guy at work told me there is a way to re-install the preconfigured config (when u buy it), he was talking about a package. If you perform a reset (/system reset-configuration) it will perform a reset and apply a default configuration. Only if you thick the "No Default Configuration" ...

erlinden

Can you please share your current configuration:

/export file=anynameyoulike

Make sure to remove any personal information.

Please also check with other cable.

erlinden

Can you please share your config:

/export hide-sensitive file=anynameyoulike

Don't forget to remove any personal information.

erlinden

Do you get an IP address when connected through wireless?

erlinden

As described you would have to make available access on the WAN port of the MikroTik. Just open the Winbox port on the WAN port input chain...that is it.

erlinden

For the time being you can configure it as stand alone instead of cAP.

erlinden

What is the purpose of making it hidden?
Can you unhide it, connect the tv and make it hidden again?

erlinden

But the problem is..... will mikrotik add support for this?

Is it a problem if MikroTik supplies support?
Or would it be a problem if no support is supplied?

Please be honest...is your question serious?

erlinden

Instead of using the interface list, you can als use the interface that is the WAN port of your router.
Other option is to add the addreslist (/interface) and add the WAN port interface to it. After this you will be able to select it from the dropdownlist.

erlinden

Your screenshot states that OpenWRT is no longer supported by OpenWRT on specific MikroTik hardware. MikroTik has never supported any other OS other then the once they supply with their hardware.

erlinden

Do you think MikroTik did support it any time?
Think this question should be asked on the OpenWRT forum instead.

erlinden

Can you share your config?
/export file=anynameyoulike(and remove any personal information).

erlinden

As mentioned, the current config is necessary, especially the firewall rules (as interVLAN traffic is allowed by default).

You can use /export on the Terminal (i.e. /ip firewall export or /export).

erlinden

Ok, can you share your current config (/wireless export)? Make sure to remove the personal info if any. If you place it between code tags it will be most readable.

erlinden

Have you set country code?

erlinden

By disabling the rule every port on your router is open from the internet. That's absolutely terrible from a security perspective. What is the purpose for this forward in the first place? Do you want to be able to perform admin on the MT? As mentioned, if (and you really don't!) you want to have SSH...

erlinden

Already tried a netinstall to make sure the device is clean?

erlinden

Default rules will prefend any access from the Internet to the internal network.

What I like to do is end both input and forward chain with a rule dropping everything else (first make sure that anything you like to do is allowed).

erlinden

Do you have Internet access at all on the MikroTik?
Does a ping 8.8.8.8 give a response?

erlinden

Besides fixed channels, you can also read this topic:
viewtopic.php?t=177019

Summarized: check DHCP lease time and use 40MHz channelwidth on 5GHz and 20MHz on 2.4GHz radio.

erlinden

Could be anything, but auto is never a good option...

Can you share /caps-man export?

erlinden

Why do you have a bridge configured for WAN? There is only one interface (eth1) on the bridge!?

erlinden

/interface wireless
station-roaming (disabled | enabled; Default: disabled)

Station Roaming feature is available only for 802.11 wireless protocol and only for station modes.
https://help.mikrotik.com/docs/display/ ... +Interface

erlinden

Several options:

If you redirect the router IP will be used in the logging of the PiHole.
You better set DNS server in the /ip dhcp-server network section (from commandline it would be /ip dhcp-server network set 0 dns-server=[ip address PiHole])

erlinden

How is the url resolved? If with public IP address you have to have Hairpin NAT in place:
https://help.mikrotik.com/docs/display/ ... HairpinNAT

erlinden

why not?

Because, for me, I don't see the benefit. And there is more to improve in my opinion. Your turn

erlinden

In addition to the post of @inteq:

Set the country code
Enable WMM Support

As mentioned, DFS requires some patience (up till 10 minutes) during startup.

erlinden

Totally lost now. I must admit that after 12 years with Mikrotik today I surrendered and ordered Omada kit.

Lol...thanks for informing us. Hope this other vendor will solve your problem.

Btw, if you share your current config (minus all personal info) we can have a look at it.

erlinden

What problem does it solve? By the public IP address you are always able to determine the ISP.

erlinden

I still see two bridges, as mentioned earlier please stick to one bridge. When it comes to VLAN, please use this topic only: https://forum.mikrotik.com/viewtopic.php?t=143620 It has got lots of examples and will guide you to a working environment. My experience is that there is a lot of crap, escpec...

erlinden

In addition to the screenshots...can you please share your config?
/export file=anynameyoulike

Please make sure that all personal information is removed

erlinden

Ok...can you please also share /ip route export?

erlinden

Can you share your /ip route print?

erlinden

How did you get to the number 8?
Is there always a line of sight?
What are the requirements?

erlinden

Is there a reason you haven't set frame-types: frame-types=admit-only-untagged-and-priority-tagged Next to that, you configure different pvid from vlan-ids. Perhaps have a look at this help page: https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-BridgeVLANFiltering

erlinden

Thanks @own3r1138, I indeed made a tpo.
Can you let us know how things go after making the adjustments, @Tony359?

erlinden

Yes, that's just fine.

My recommendations

You can turn off WPS Mode (from a security perspective).
Don't use 802.11a/b unless absolutely necessary
Set WWM on (advanced settings)
Optimize Rx Power (advanced settings)

erlinden

Factory defaults work...well, optimization should be done afterwards. Every channel (1, 2, 3...11) in 2.4GHz is 5MHz wide. By choosing channel 1,6 or 11, you choose 20MHz it total (hence the adjacent channels). If you select to use extension channel (channel width) instead of using 20MHz you use 40M...

erlinden

UInless you live in a place where there are no nearby Wifi networks, you could better not set a 40MHz bandwidth on the 2.4GHz radio. Instead, turn extension channel off. Besides (though no problem related), configure extension channels manually (i.e. Ceee), otherwise there is no predictable outcome ...

erlinden

Can you please share:

/interface/wireless/ export hide-sensitive

erlinden

So much that can be configured:

Don't use 802.11a neither 802.11b
Don't use extension channel on the 2.4GHz radio
Consider using 40MHz bandwidth on the 5GHz radio
Specify your channels explicitely
Don't use wpa-psk, only use wpa2-aes
Country code

erlinden

Just simply ignore all errors on wireless/wlan/lcd.

Learned something again today!

erlinden

After exporting your current configuration, you can easily edit it in any text editor. You have to change it manually, otherwise the import will fail. Also, if you have fixed MAC addresses, you have to change them. And make sure that you are running the same RouterOS. Do you have (many) users config...

erlinden

Fully agree with tips from @erlinden. Important tips!

What a compliment! And thanks for learning from you again!

erlinden

If you mean by old ancient...yes Interference will always have to be avoided...sharing the same channel is the worst you can do. When I used CAPsMAN (years ago, so I have to answer by heart) I made a configuration per radio. That way I could specify everything per radio. Roaming will definitely work...

erlinden

From your configuration I would like to give you the following hints/tips: Don't use 802.11a neither 802.11b Don't use extension channel on the 2.4GHz radio Consider using 40MHz bandwidth on the 5GHz radio Specify your channels explicitely Don't use tkip And furthermore...don't share a config that m...

erlinden

Can you please share your current configuration?
/export hide-sensitive file=anynameyoulike

Make sure to remove any personal information.

erlinden

Grandstream, if using Cloud GWN, requires an Internet connection on the default VLAN (otherwise you are not able to configure the accesspoint). This can be accomplished by having an Internet VLAN untagged on the port where the GWN is connected to. Not sure if all is set including management VLAN you...

erlinden

IP addresses can be found /ip dhcp-server leases
If you want to know the connected devices per radio, you have to look at /caps-man/registration-table/ (I'm doing this by hard)

erlinden

May I suggest starting from scratch...getting everything in place correctly (not many interfaces on the bridge), and then reconfigure to multi WAN?

erlinden

It's been a while since I used CAPsMAN: think you should do all the configuration on the manager site and not on the CAPs site.

erlinden

Mmmm...a lot of things not making sense: where are your firewall filter rules? why is there a DHCP client on the bridge? what is the purpose of the 192.168.222.x network? /ip dns has the 192.168.30.1 entry...are you behind NAT? why the static routes? less important...WPA-PSK? You can (nearly) leave ...

erlinden

Please show your onfig: /export hide-sensitive file=anynameyoulike
And just make sure you removed any personal information

erlinden

Perhaps you can add your model number and your config?

/export hide-sensitive file=anynameyoulike
Make sure to remove any personal information

erlinden

Common, you can do a lot better than this. If you are serious, please provide some relevant information.

erlinden

In case you missed: Don't write novels, post /export hide-sensitive file=x. Use find&replace in your favourite text editor to systematically replace all occurrences of each public IP address potentially identifying you by a distinctive pattern such as my.public.ip.1. You're very welcome, @rexten...

erlinden

@Coolbox:

security.authentication-types=wpa-psk,wpa2-psk

I would expect at least wpa2-psk (and perhaps wpa3). Why use wpa-psk?

erlinden

Just to make sure: can you share your config (to see if anything could cause this)?
/export hide-sensitive file=anynameyoulike (and make sure to remove any personal information)

erlinden

You are right. I am sorry for the confusion.

No need to apologize, and feel free to ask for help if required.

erlinden

Yes, is possible using virtual wlan. It will be tied to the physical wlan1 (using same channel and other wifi related settings) but it can have a different SSID. Agree, but that was not the question, hence my answer. Therefor I prefer a topicstarter to explain the problem instead of coming up with ...

erlinden

I mean, the behaviour can be overwritten by setting the DNS server explicitely:

/ip dhcp-server network add address=192.168.128.0/24 dns-server=192.168.128.1 comment=defconf gateway=192.168.128.1 netmask=24

erlinden

Sounds a bit dramatic...is there a functional requirement for switching to v7?

erlinden

I think it can be overwritten by setting DNS server in /ip dhcp-server network

erlinden

Is a downgrade to LTS (6.48.6) an option?

erlinden

There is no way to make a 5GHz radio into a 2.4GHz radio (and vice versa).
People tend to move away from the 2.4GHz radio (due to heavy interference), what makes you want to use this specifi band?

erlinden

Please read this:
viewtopic.php?f=23&t=143620

erlinden

Anyone else have idea what could be wrong with my setup ? Agree with anav: read a bit more about VLAN. Besides...you only want your router to take care of DHCP, not your accesspoint. About your wireless settings: - don't use auto - only choose 20MHz channelwidth on the 2.4GHz radio - don't use XXXX...

erlinden

Is it prohibited to the 5GHz radio, or does it also happen on the 2.4GHz radio? Do all accesspoints have the same behaviour? Does the logging give you any clue? Sure the VLAN section is correct? I'm missing the frame-types=admit-only-untagged-and-priority-tagged on the /interface brdige port. But my...

erlinden

I don't see the pools specified...is this your complete config?

erlinden

Most VPN solutions require routes...have you configured one for the VPN clients?
Can you please share your config?

/export hide-sensitive file=anynameyoulike (don't leave any personal info in it)

erlinden

This problem can be solved with the access lists. there you can list the interfaces to which the device with the given MAC can connect

Assuming the MAC address is static (which isn't when it comes to wireless interfaces).

Still waiting for your config, kekraiser

erlinden

Your public IP might be listed on the webserver, where the VPN public IP address isn't? Is it a public webserver? What error do you get?

erlinden

Let's first focus on the problem: what is the logging saying?
Can we check the CAPsMAN config (as well): /caps-man export (make sure to remove any personal data.

erlinden

Contact support?
https://mikrotik.com/support

erlinden

Would be helpful if you share your current config (/export hide-sensitive file=anynameyoulike), make sure to remove any private information.

erlinden

Is there anything in de logging giving a clue?

erlinden

Do the clients respond to ping? Could be a firewall in between (for instance). Can clients ping one another?

erlinden

As shown in the CMD prompt, your computer doesn't get an IP address as well. That makes me believe that it is not MikroTik related. Some ISP's do require some patience before handing out an IP address to a "new" mac address. At least reboot modem (or better leave it powered off for a while...

Search found 1398 matches