MikroTik

mkx

Container, hosted by router itself. You can do almost anything inside a container. IMO it's a bit "heavy iron" just to present users with a big friendly red "activate" button though.

mkx

And you too anav.

mkx

Bridge ... has ports as members. Ports are ether2 or ether3. When it comes to bridge, VLANs are simply frame headers but beyond that bridge has no notion of vlan interfaces. Then there are interfaces. Those are entities where router actively communicates with rest of networks. Bridge happens to come...

mkx

As an aide to debugging ... it is possible to run wireshark on same interface. It then shows pretty clearly if/when RB starts with etherbooting procedure (it starts emitting bootp requests whuch are initially pretty similar to DHCP client requests). Another suggestion: connect dumbest switch you can...

mkx

Are you sure your ax3 is being managed by capsman? My understanding is that local radios aren't supported. Probably it's not managed by CAPsMAN. But: docs say "APs need to be managed by the same instance of RouterOS" ... which is true if CAPsMAN (managing remote wifiwave2 radios) runs on ...

mkx

CPU-switch interconnect has to be member of appropriate VLANs: /interface ethernet switch vlan add ports= switch1-cpu, ether2 switch=switch1 vlan-id=10 add ports= switch1-cpu, ether3 switch=switch1 vlan-id=20 Keep in mind that, from switch chip point of view, the CPU-switch interconnect (switchX-cpu...

mkx

Link aggregation is not a simple "times N" business. There are many different types (or modes) which behave differently. And many types can be configured differently. And often both link partners (e.g. switch and NAS) can use different types but aggregated link still works. And most import...

mkx

If you configure hAP ac3 as station, then you can set MAC address of wireless interface to something ISP's wireless router recognizes and allows. If you otherwise keep default config of device, then there are only a few changes necessary: remove correct wireless interface from list of bridge ports c...

mkx

LetsEncrypt has a global limit of how many certificate requests are granted per top level domain. Since DynDNS service, provided by Miktrotik, uses "mynetname.net" as TLD, there are large number of users trying to get LetsEncrypt certificate for their xxxxx.sn.mynetname.net device. This ge...

mkx

Debug message is saying that Windows NTP server is not accurate enough to take it as time source. The most likely reason is that Windows machines traditionally keep time with low precision and are thus unfit for distribution of precise time (i.e. NTP). The less likely reason (in your case) is that N...

mkx

MU-MIMO, OFDMA, Beamforming, Target Wake Time, BSS, 1024QAM. MU-MIMO doesn't work well with only 2 chains/antennae on AP OFDMA helps where there are many concurrent users (not likely in SOHO environment) Beamforming doesn't work well with only 2 antennae ... unlike hAP ax2 Audience actually does ha...

mkx

I never set up users using a script, so I can't help you with that ....

mkx

AX2 has good performace over all it is better buy than Audience . I'm not sure that highlited part is true yet. This forum has plenty of threads about issues with hAP ax2 ... and none about issues with Audience. My own Audience works flawless ever since I purchased it. It came with factory software...

mkx

idk what happen if you mismatch packages.. If version of any of extra packages doesn't match version of base package, it won't be installed. BTW, no need to install all of the extra packages, only those which provide functionality you need. For ax devices one definitely needs wifiwave2 package, the...

mkx

Range extending, a.k.a. wireless bridge, comes with huge bag of problems. It's due to lack of standardization, so it's not really vendor specific, but it means that problems are likely when using equipment from different vendors. You can read more about problems in wireless station modes manual page...

mkx

Until somebody else with first-hand experience chimes in, here's my 5 cents: you probably have to configure port mirroring between target port and cpu-switch port, it's in switch menu . After that packet sniffer should be able to pick something ... Again: I don't have CRS1xx, so the above is only (w...

mkx

Dont be afraid I am cleared up to PG 50+

You may be, but there are innocent young souls around here ....

mkx

did you report that as a bug or do you get a spanking?? I was gonna comment your statement, but the comnent would probably be rated as PG18 :wink: Plus I only found this out the other day. Days of v6 in my home network are counted, so why should I bother to report ... And it's not a security proble...

mkx

Additionally: NTP server on ROS v6 seems to be slightly non-standard ... ROS v7 clients don't want to sync with it although ntpq (linux command line tool) output seems fine.

mkx

Okay but only for RB4011 correct.

Well, OP's ap.rsc mentions it's from RB4011 ... hence my post is highly relevant in this thread.

mkx

It's been explained that when they first implemented L2 HW offload, they implemented it so that CPU-switch interconnect will only pass VLANs of which bridge interface is member (either tagged or untagged). And it worked perfectly because those devices were wired-only devices with single switch chip ...

mkx

One bug on devices that can offload VLANs to swtich chips (and RB4011 is one of them) on one and and have more than one switch chip (RB4011 is one of them) on the other hand: if VLANs span anything but single switch chip, then bridge port has to be tagged member of that VLAN even if device does not ...

mkx

TL;DR ... if you have IGMP snooping enabled on switches, disable it and see if it works then. I don't have first-hand experience with SwOS, but AFAIK IGMP snooping on both SwOS and ROS is broken and breaks IPv6. At least that was the case in ROS v6 and I haven't checked it with recent ROS versions. ...

mkx

It's MTU+fragmentation on top of additional overhead (both computational as well as data volume).

I wonder what IPIP functionality is missing from WG which makes you run IPIP on top of WG?

mkx

That's how IP devices are supposed to work unless there's a very good reason not to. So what is it you're trying to achieve?

mkx

You need to do this on the pfsense router and cisco switch so wrong forum.

@anav, I thought you'd come up with correct answer on this one ... which is: replace Cisco with a CRS3xx switch

mkx

Auto-negotiation includes (brief) link quality check. If negotiation ends up with speeds lower than expected, this indicates a problem with link. Most often it's marginal UTP cables, cable termination or connectors. And yes, some devices can be more susceptible to those problems than other devices. ...

mkx

Is there any particular reason why you want to fix the link speed?

mkx

Could be some other device on same network that acts as DHCP server. You should be able to verify on client, which receives wrong IP address to see which DHCP server offered the wrong IP address. no new device that serves ip addresses has been added in the last 2 years. it receives the ip via ether...

mkx

The "high band" radio lists channels up to 5825MHz (U-NNI-3) on my Audience. I'm not going to use those as U-NNI-3 channels are limited to 14dBm (25mW) in ETSI countries.

mkx

Yes, you can connect a secondary CRS312 switch as an uplink to add more ports. This is called "stacking" and is supported by the CRS312. It could be that different equipment vendors use same word but with different meanings. However, all vendors that I'm familiar with, use "stacking&...

mkx

I'm aware of that and obviously when device runs in AP / hotspot, it has to work according to country regulations. And in that case device has to find out (this way or another) which region it currently is to adapt to local regulatory limits. This is why I wrote "I don't understand why WiFi sta...

mkx

I was able to make the Pixel 6a see the network by installing grapheneOS. Strange, I don't know why factory Android couldn't see it. I expect that every modern device/OS has to have country limitations built in, just like ROS does. And it seems that FCC insists on clearing individual device types f...

mkx

Start by upgrading ROS to latest stable (which is 7.8 at time of writing this post).

mkx

Could be some other device on same network that acts as DHCP server. You should be able to verify on client, which receives wrong IP address to see which DHCP server offered the wrong IP address.

mkx

Check CPU frequency setting (/system/routerboard/settings), if it's set to auto (default since v7) then it's automatically changed according to CPU load. If it's set to some particular value and yet you see it changing, then you may want to open support ticket.

mkx

Yes, NTP setup changed. It's pretty easy to find out the new syntax if you try it manually. /system/clock/set time-zone-name=America/MyCity time-zone-autodetect=no /system/ntp/client/set servers=10.200.7.34 enabled=yes There's only one property (servers), but takes a coma-separated list of servers (...

mkx

This document mentions that only 802.3ad bonding and balance-xor are offloaded to hardware. CRS326 is in the device class explicitly mentioned, I would expect RB5009 to fall in this category as well as it has a pretty advanced switch chip. Bond type active-backup is not HW offloaded on any of devic...

mkx

I can imagine two possibilities: ISP will perform netmap between public IP address given to you and your communication address. In this case you have to setup a pretty straight-forward src-nat rule (similar to rule below, but without the dst-address part and to-addresses set to interface IP address)...

mkx

https://rts-bg.com/bg/ethernet-routers/610-mikrotik-rb3011uias-rm.html - 189$ RB3011 is pretty outdated now. It was a truly amazing device back when it first came out, but it's outdated never the less. It'll barely route at 1Gbps. There are a much more powerful devices available now, such as RB4011...

mkx

NAT is a L3 (IP) function and when firewall does it, it doesn't matter how a particular local IP is connected to router regarding L2. So if a packet arrives via IPSec to router and that packet has to leave router via interface that has SRC-NAT active, then connection tracking machinery makes note of...

mkx

One question tough: what is your expectation when or if any time IPv6 FastTrack will be implemented in ROS v7, will the FastTrack handler also supports source and destination NAT, so special exceptions for NATed connections are not required. apply to snpt and dnpt actions (NPTv6) too as it seems le...

mkx

Mangle and fasttrack are not compatible. Even in the case of the NPTv6 pair of rules that @Sob has provided ? AFAIK fasttrack is not yet supported in IPv6. But when it will be supported in IPv6, rules by @sob won't be compatible ... without properly configuring firewall filter rules (either fasttra...

mkx

Mangle and fasttrack are not compatible. Hence it's good to avoid mangle rules if it's possible. If you have to use them anyway (meaning you have to take care what to fasttrack and what not), then I don't think there's much of a difference (if any).

mkx

Both WAN IP addresses are in 10.0.0.0/8 and thus in private "non-routable" IP address space. ISP definitely performs NAT on your traffic.

mkx

Some of signal strength difference comes also from the fact that cAP ac uses 20MHz channel while hAP ax3 uses 40MHz channel. The difference due to this reason should only be 3dB though.

mkx

Fast track rule from published export is this: add action=fasttrack-connection chain=forward comment="Fasttrack not IPSEC" \ connection-mark=!ipsec connection-state=established,related dst-limit=\ 1,5,dst-address/1m40s hw-offload=yes limit=1,5:packet psd=21,3s,3,1 time=\ 0s-1d,sun,mon,tue,...

mkx

The RB5009, configured as switch, indicates that link partner is advertising speeds 10Mbps and 100Mbps. There are 3 possibilities (I'm listing them in order of probability, but you may want to check them starting from the simplest check towards the complex ones): The cable connectors are iffy ... if...

mkx

Compare WAN IP addresses on your Mikrotik to IP address shown by some internet-based service (e.g. https://www.whatismyip.com/ ) ... obviously you'll have to do some tricks get results for both WAN links. If IP addresses are the same, then ISP doesn't do additional NAT (but may still run firewall so...

mkx

If the backup was made while device was running fine, then restoring config from backup file should be fine. If backup is from same device that is.

mkx

Export config to text file. It doesn't contain absolutely everything (it lacks users, passwords, certificates, ssh keys, etc.), but it's pretty safe to trsnsfer to another device model. Plus you can see what it contaibs so you can adapt config if necessary.

mkx

Restoring wrong backup file can completely mess configuration. But it's very unlikely that it would cause permanent damage to device.

mkx

It's clear why you excluded ipsec traffic. But what about those packet rates etc.?

mkx

You don't harden the router by default. You let the person installing it harden it. Indeed. But not on consumer market. If devices are sold on consumer market, they should come hardened from factory. Recently we've had an user who never changed any configuration because his RB worked as he wanted s...

mkx

(2) bond (much like bridge) at the same time entity which distributes traffic between two or more physical links and is interface for higher layers. So yes, it's bond interface that has to be bridge port, not slave interfaces (used as links). @OP: what the hell is the fasttrack construct supposed to...

mkx

@spyghost: when client status says "freq-drift: 0 PPM", then either device has a perfect oscillator (highly unlikely) or NTP client didn't do the synchronization properly yet ... it takes hours if not days for NTP client to settle to usable accuracy after it's configured from scratch (freq...

mkx

The DHCP-client bit was so the RB750GL gets an IP address from the RB4011, so I can route return traffic from my main network more easily. it's not entirely clear here who does routing between VLAN50 and the rest of network. Since ether1 is either trunk or hybrid port (if untagged is allowed over w...

mkx

I have a couple of RB951Gs, which feature a bit faster CPU but same switch chip. And I can tell that when configured via switch chip menus (including VLANs), this thing can do wirespeed without CPU even noticing. If done via bridge menus, it'll be able to go to 1Gbps between a pair of ports, but wit...

mkx

Which interface is your WAN? If it's ether1, then it won't offload routing to HW, for that all involved interfaces have to be members of same bridge. Separation between LAN and WAN is then achieved using VLANs. However, some MT switches (dunno if CRS310 is one of them) experience quite some issues w...

mkx

Changing over to switch setup would definitely make your RB750GL a much faster switch. Conversion between the two configuration styles is not trivial, but not hard either. Basically you have to replace /interface bridge port and /interface bridge vlan sections with corresponding config under /interf...

mkx

Yes ... using a full-blown ssh client which in fact still implements outdated algorithms but doesn't have them enabled by default. What I really wanted to know - is there a possibility to get connected to the cisco switch using a MikroTik router ? Is there a full-blown ssh client for MikroTik Route...

mkx

Post by @FramiJhames looks very much like something ChatGPT might come up with.

mkx

Such data as: SSID, MAC address, IP, VLAN name, VPN's name, ports, interface name, password, login, users, etc. Half of mentioned things are not sensitive at all. And further quarter is not exported (even with show-sensitive). IMO this is indicative why you'll have hard time to get any advice here....

mkx

This device won't do anything because ... it's not configured.

Reset it to factory defaults and it should get you going.

mkx

... it is different than ROS v7 installed on a hAP AC Router. Disclaimer: I don't own neither hAP ax2 nor hAP ac. However I do have a few other mikrotik devices (different architectures even) running v7 and they all seem alike. With one difference: wireless config comes in two varieties, one is leg...

mkx

Is there a possibility to get connected?

Yes ... using a full-blown ssh client which in fact still implements outdated algorithms but doesn't have them enabled by default.

mkx

Thanks, that didn't seem to do anything for me, still stuck at 500Mbps with capsman enabled compared to 7-800Mbps without. Do you have local-forwarding set to no in CAPsMAN datapath configuration (it's default so this property might not be shown in export)? This setting is known to reduce throughpu...

mkx

Did you verify also the "trusted" applications? AWG antivirus is known to have a "feature" to detect vulnerable devices on LAN so that it can alert user about them. The feature is a recent addition and user is not prompted to enable it.

mkx

If I understand the firewall implementation right if the first rule makes a jump to the kid-control chain for EVERY connection which started in the forward chain and no firewall condition in kid-control chain (which is added to the bottom) is met then it just ends its "journey" thru the f...

mkx

Efficiency of typical step-down converters is worse with higher difference between input and output voltage (there are numerous articles about it on internet). So I believe that numbers you're seeing are at least indicative if not scientifically accurate. Where higher voltages shine is power loss on...

mkx

For NTP server on ROS to do whst it's supposed to do also NTP client on same device has to be up&running. So is NTP client state "synchronized"?

/system ntp client print

If client is not synchronized, then server will not return meaningfull sync data.

mkx

Interface lists work where property is called <something> interface -list but not if property is called simply <something> interface or something which implies enumerating interfaces (like in your case with tagged ). IIRC interface lists are only widely used in firewall (which is L3 function) ... yo...

mkx

I'm sorry, but somebody else will have to explain it to you in Hebrew, I'm not fluent in it.

Perhaps it would help you if you revisited explanation of bridge mysteries by @sindy?

mkx

Did you see this thread? viewtopic.php?t=175667

mkx

so if i run a sniffer, what interface will be the target and if i opened using wireshark what i have to look in the sniffer file to identify the problem..?

Obviously it'll be WAN interface (if your winbox access is open). And the sniffer contents? Let me google that for you ...

mkx

My question yet unanswered to any satisfaction is what about the ingress filtering checkbox on the bridge a. should that be checked. b. what does it do c. how is it related to ingress filtering on each /interface bridge port line. It's about bridge port - the one that allows CPU/ROS to interact (vi...

mkx

I want to better understand Case1, in case their is a scenario where it may make sense to use it. However I cannot wrap my head around Case 1, if you do assign vlan-id=5, vlan-mode=use tag! More specifically what do you then do on the /interface bridge port settings and /interface bridge vlan setti...

mkx

so bridge interface should be PVID=1 (as by default) untagged? And VLANs section of brigde shows VLAN1 as dynamic? It's not "should". But it's IMO a very good practice to have bridge interface (which is a "gateway" between CPU and the rest of LANs) configured as trunk port and h...

mkx

Are they molded into the concrete? Yes, there are cases like this. E.g. my parents' house, I had to use MoCa adapters to deliver IPTV to the right spot. Works great as long as one removes any legacy crap (like splitters or outlets which feature RF filters) because those were made to pass frequencie...

mkx

First off: it's a bad idea to allow winbox access from WAN. In past there were a few exploits of winbox access. Second: winbox saying "logging in" and nothing more very probably means some device is (silently) dropping packets and winbox is re-trying to establish connection. As you can log...

mkx

However unless I missed it (cause I don't know where to look), you are not hardware offloading the bridge. Config looks fine to me. I don't have any idea why it doesn't perform wirespeed. The fact that it's possible to get around 0.5Gbps of throughput without any noticeable CPU load tells that very...

mkx

Hi, your tests make no sence..how you can get on AC 945Mb/s? The old hAP ac (not the new ac2 variant) has 3 chains on 5GHz radio and has thus up to 1300Mbps interface rate. hAP ax3, OTOH, has only 2 chains and thus supports up to 866Mbps interface rate (if running in ac compatibility)or 1200Mbps in...

mkx

( there is no CHAIN called drop LOL)
Really strange that you can create something that its not even an option

Creating custom chain (e.g. one named drop) is fine and sometimes very handy. However you have to configure firewall to jump into that chain (in certain conditions).

mkx

ROS defaults for bridge ports are PVID=1, frame-types=admit-all and ingress-filtering=no ... bridge interface has PVID set to 1 by default as well ... so if one simply enables vlan-filtering (default is disabled), device will still act as dumb switch between all nember ports, but this time only for ...

mkx

What does /interface/wifiwave2/monitor 0 (and 1) say about used Tx power? It should be somewhere above 20[dBm] ...

I don't think you have to set chains ... it'll just use all chains available in hardware.

mkx

That is when it did not match (even just once) the reject rule in your list. Right. I adjusted the rules that did not include signal-range to have one. Will test and report back. Edit: Here's report: I had to roll back the ACL changes. My daughter has a Nokia 7.1 android phone which seemingly doesn...

mkx

I dropped tx-power on the 2GHz radio to 12 so that clients prefer the 5GHz radio. You could try to "push" clients to 5GHz using access-list rules. I constructed a set of rules on my Audience (ac device running wifiwave2 in ROS v7.8): add action=reject allow-signal-out-of-range=10s comment...

mkx

I agree that dateext is very useful option (if it's handled properly by logrotate implementation). I just strongly disagree to deviate in ROS from the way index numbering works in general linux.

mkx

AFAIK (I hope I'm already wrong) currently CAPsMAN v2 doesn't support FT yet. So FT only works when wifiwave2 device (e.g. Audience or hAP ax3) is configured in stand-alone AP mode and FT works then between interfaces of same device (i.e. between 2.4GHz and 5GHz radio). The way it has to be set is t...

mkx

Out of curiosity: how did you test the performance of shaper? iperf UDP test or something different?

mkx

Yes, this configuration will be offloaded to hardware, so traffic between a pair of SFP+ ports will not go via CPU. So it should match performance under SwOS. Yes, if you also add PVID setting to bridge ports, those will become hybrid ports. Obviously you have to change also frame-types setting to &...

mkx

This kind of naming is very common in linux when "logrotate" facility is used (the differentce is that in linux normally the file being actively written to has name without "index" (e.g. 0) in it). Plus it's pretty easy to trim excess files and keep the "index" in file ...

mkx

Just an example: /interface bridge add name=BR vlan-filtering=yes frame-types=admit-only-vlan-tagged ingress-filtering=yes #L2 setup ... all ports are trunk ports, tagged only /interface bridge port add bridge=BR interface=sfp-sfpplus1 frame-types=admit-only-vlan-tagged ingress-filtering=yes add bri...

mkx

station-pseudobridge should work fine with a huge gotcha: DHCP server (sitting on the "master" side of such wireless bridge) has to allow multiple leases to same MAC address. If it doesn't (and many DHCP servers don't), then only first device on the "island side" successfully rec...

mkx

To create transparent bridge between two wired "islands" of same LAN, the wireless leg has to support 4-address mode. WiFi standards don't specify such a mode, so vendors implemented them each their own way (so they are mostly mutually incompatible). This 4-address mode is enabled by setti...

mkx

As I said, go for a pretty recent ROS package. I seem to remember that there were some problems with booting v7 kernel on devices with ancient routerboot ... so prerequisite for upgrading to v7 on those devices was to update routerboot to something fairly recent. And again, I've no Idea which fwf fi...

mkx

dstnat: in:ether4 out:(unknown 0), src-mac, proto TCP (SYN), 192.168.10.10:51894->20.20.20.10:3389, len 52

I guess you see this in log ... is it verbose copy of whole log message? And what is now exact dst-nat rule?

mkx

Document on IP/Services says that ROS uses TCP port 2000 for bandwidth testing service by default.

mkx

I guess that "upgrade firmware over ..." refers to routerboot only and not entire ROS. So you can try to upgrade routerboot to at least 6.48.6 (latest long-term, I'm pretty confident it can boot ROS v7 kernel). Download main ROS package. Open it with 7-zip, go into etc folder (inside archi...

mkx

... the speed has been inconsistent. I got good speed in the early morning but the performance went down during the day. This is what usually hapoens if MNO's cell tower is in heavy use ... large number of subscribers competing for scarce resources (throughput). The only thing you can do to get bet...

mkx

The dst-nat rules you already have, are almost fine. With exception: the "in-interface=ether2" stands in the way. So you can omit the "in-interface" property (but might cause some other problem, depends on the rest of NAT rules you have), or simply add similar pair of rules, but ...

mkx

802.11k is supported in wifiwave2.
the other one are coming too.

As the thread title says ... for hAP ac2? I'd love to see that ...

mkx

/interface list member add comment=defconf disabled=yes interface=ether1 list=WAN add interface=ether2 list=LAN add interface=ether3 list=LAN add interface=ether4 list=LAN add interface=ether5 list=LAN add interface=wlan2 list=LAN add interface=wlan1 list=LAN The problem is that interface list is n...

mkx

With all the effort they put into antenna design, antenna radiation pattern is not spherical, it's torroidal (doughnut shaped). Which means that it does matter how device is mounted. If it's fit for ceiling mount it's not as fit for wall mount. Well, it can be done, but coverage won't be good in cer...

mkx

A suggestion: try to set security parameters to WPA2 only ... authentication-types=wpa2-psk encryption=ccmp ... It could be that those IoT devices freak out due to seeing unknown security features offered by AP. Another possibility would be to downgrade the 2.4GHz radio to 802.11n (chanel.band=2ghz-...

mkx

It looks like Windows just strips off the vlan tags and then gets the RAs which are in VLAN tagged packets.

This is already a pretty well known fact around here ....

mkx

IMO it's a gross misconfiguration (of network admin mostly) to set port as hybrid or trunk when machibe, connecting to that port is a Windows machine. Only when machine administrator adjusts adapter/network stack settings to deal with tagged frames properly, then it's time for network admin to allow...

mkx

/ip dns is an array of properties with values. You can only change settings of existing (predefined) properties, you can't add/invent new ones. comment does not exist ... neither in 6.49.7 nor in 7.8. Sometimes I wonder if @anav has something to do with ChatGPT (who is known to invent things) :lol:

mkx

Some DHCP servers can assign multiple IP addresses to single MAC address. I've no idea whether Huavei DHCP server is one of those. If MT device is configured as station-pseudobridge, then it'll use own MAC address for all packets going out through wifi interface. Which means that AP and all devices ...

mkx

IPv6 setting forwarding defines whether device will act as IPv6 router or not. If you use device as AP or as switch (or as combination of both), then it's fine to set this setting to no. If device should forward traffic between different L3 interfaces, then this setting has to be set to yes.

mkx

As @tdw hinted: Mikrotik default config is essentially not to accept RAs. You need them accepted, so configure your Mikrotik to do it:

/ipv6 settings set accept-router-advertisements=yes

Note that up to and including 7.7 routes, accepted by RAs, were not shown under /ipv6 route.

mkx

I solved the problem by setting the frequency to 5745 UNII-3 is a fairly recent addition to allowed 5GHz band. Not every 5G WiFi device has hardware support for it, not every WiFi device had been updated with new country regulations. Support for UNII-4 channels is even less common. We'd have to kno...

mkx

Minimum configuration is one bridge. In most configuration WAN requires single interface which can either be off-bridge or member of common bridge (properly configured). Actually, minimum configuration is no bridge ... if all interfaces are used for connecting different networks (so device is router...

mkx

Wireless mode "bridge" only works, if AP is mikrotik as well. There are some less favourable alternatives but might not work as intended. Read about them in this article: https://wiki.mikrotik.com/wiki/Manual:Wireless_Station_Modes Reading the document one would assume that "station-p...

mkx

First: it's a bit confusing which bridge personality is meant in which configuration part. Rule of thumb: when property name is "bridge", then it's referring to switch-like personality. When property name is "interface", then it refers to the bridge personality of interface betwe...

mkx

Advantage might be seemingly spmpler setup. But there are plenty of disadvantages, most important one is possible loss of HW offload of wired traffic and thus increase of CPU load and/or decreased throughput.

mkx

The idea is simple and only works either a) if all LANs which use same switch but need to be separated on L2 are untagged or b) if LANs include trunk ports, those VLANs are distinct. For case a) one configures part of ports with one PVID and the other ports with another PVID ... only ports with same...

mkx

Switch (with or without VLANs) normally doesn't require a running router for its own operations. Which is switching ethernet frames between ports (according to VLAN configuration if it has VLAN configuration set and enabled). Router offers IP services to connected networks. In the narrow meaning onl...

mkx

.. station on wifiwave2 doesn't work either, selecting a SSID from scan results in a generic winbox error. Well, wifiwave2 driver is a moving target right now and MT's tradition is that those moving targets are really only supported via CLI. So inability to make things work in station mode via winb...

mkx

assuming 2.4GHz radio (probably interface wlan1) is provisioned and running ... create new wireless interface which will be virtual and will use wlan1 as master interface. Something like this: /interface wireless add master-interface=wlan1 name=wlan1_guest ssid=<guest SSID> security-profile=<guest ...

mkx

Unlike many vocal individuals, who express their opinions on LT version of ROS v7 around here, I can fully understand why MT doesn't release LT version of v7. This forum is full of reports of bugs, missing functionality and what not. And until most of those complaints are closed, ROS v7 is under ver...

mkx

In addition: try pings to a server close to your router (network wise) to exclude possible bottlenecks/congestions on upstream links which are way beyond your administrative reach.

mkx

When running ROS on this device, if bridge configuration subtree is done correctly, should perform as good as if there was SwOS available for it, i.e. wirespeed. Default config (all ports bridged, no VLANs) is an example of such "wirespeed config". If you add VLANs in the "single brid...

mkx

Are you sure wifiwave2 package is present on that device? Wireless radio on hAP ax 2 is only supported by wifiwave2. So if OP sees any of wireless-related options this means wifiwave2 driver is installed. Yes, it's known that wifiwave2 for now only supports 2 modes: AP and station. Some of those Qu...

mkx

Well, so far you got opinion of two forum members. Perhaps some other members will still chime in with different opinions in the next few days. At the end of the day it's up to you to do whatever you decide to do. You can follow those youtube videos and see if that's gonna help you get work done (bu...

mkx

So you do have dark fiber between the sites? There's a passive 80Gbps to 8x 10Gbps splitter solution and it's called CWDM. Mikrotik offers some CWDM gear. You have to use CWDM SFP+ modules (instead of normal 1310nm SMF modules), a passive MUX which joins/separates different wavelengths at each end o...

mkx

Ceee, this means setting center frequency 5500 ... but that still doesn't make channel 100 to be 80MHz wide. Yes it is 80 MHz wide. That is the way Mikrotik does it. It's a matter of notation Not entirely. Either that contigous 80MHz channel is 100+104+108+112 (combination of 4 adjacent 20MHz chann...

mkx

The idea is this: if some remote host tries to connect to IP/port combination which is not allowed (either it's not DST NATed in IPv4 or is blocked in IPv6), then such remote host is added to black list. Hence forth the same host can not connect to otherwise allowed/open IP/port combination (e.g. HT...

mkx

By default, CRS devices are configured to act as switches between all ports. So the problem you're experiencing is most probably not configuration error. I don't have a CRS305, but I believe that the RJ45 port is intended for management. Thus it might not be part of switch ports group. Mikrotiks are...

mkx

Those domains and hosts resolve differently every time somebody resolves them. Which means that address list might be current at some moment in time and awfully obsolete some tens of seconds later. For example, www.facebook.com resolves as CNAME (pointer) to some particular host with TTL of 1 hour (...

mkx

I dont want to block the traffic. I just want to provide 200 Mbps bandwidth on Youtube, Facebook, and WhatsApp. OK, so it's not application blocking, it's application throughput shaping. Actually similar concept ... The point of what @anav wrote is that ROS is not up to precise application identifi...

mkx

It is possible, but it's not very straight forward. I'll assume a few things: company's main page FQDN points at router's WAN IP address there's a DST NAT rule which forwards access to port 80 from WAN interface to actual web server, which is hosted on a LAN server you're trying to access company's ...

mkx

This setup has a gotcha: it doesn't work if you want to connect to WAN IP address (and have DST NAT working) from within LAN. Neither does the rule by @baragoon on its own (it needs another SRC-NAT rule), but the rule in my post can't be used in this case. I'm gonna assume this is when to use a hai...

mkx

Post configuration you have so far (execute /export hide-sensitive file=anynameyouwish in terminal window, fetch resulting file and post its contents inside [code] [/code] block).

Just to make sure: the upstream AP doesn't require any special registration of users (apart from knowing WSK)?

mkx

No issues, what voltage do you use to power this up and what is the loaded voltage at the unit? Measured voltage at 23.2VDC at one problematic unit. Voltage is fine if it was measured while wAP ac was drawing power (wAP ac can take as low as 11V). If the measurement was done when wAP ac was off, th...

mkx

... it can detect the location by SIM operator ...

SIM operator doesn't necessarily give current location (think roaming). So it's actually MCC of currenly used network (can even be the "emergency calls only" half-registered network, phone will be able to read MCC anyway).

mkx

The LG G4 I mentiobed in post #15 above got info about rough location from mobile network (MCC says it all). So it doesn't really matter where devicecwas purchased (unless it's crippled to country speciffics), if it's truly "world" device it'll adjust to country regulations according to lo...

mkx

It is fine to have DST NAT set up like this: add action=dst-nat chain=dstnat in-interface-list=WAN dst-port=80,443 protocol=tcp to-addresses=LAN_SERVER_IP WAN interface list is already used in firewall and NAT rules. This setup has a gotcha: it doesn't work if you want to connect to WAN IP address (...

mkx

None. The interference happens because both protocols use same open/free radio spectrum. There's no physical property of radio transmitter/receiver that can deal with in-band interference and the possibilities to filter out interference, which is not using same technology, are limited. E.g. typical ...

mkx

2. Using observation of the WAN interface and ping time although not always accurate (see the example of my speedtest results, I guarantee that if the parameters are ping time/latency, anything related to ping then failover will never succeed). You decided to misinterpret what I wrote ... and the p...

mkx

... if the channel width is 80 MHz and the center freq is 5500 it means it starts at 5460 which is outside the range. Nope. Mikrotik shows frequency which is center frequency of Control channel. So clearly control channel was ftom 5490MHz to 5510MHz. The rest is a guess, but if channel layout was C...

mkx

As I noted earlier, these commands add tagging of the VLAN id to the packets which leave the bridge. No, these commands don't add or remove tags. These commands say that frames, tagged with VIDs configured, can pass tagged from bridge (the switch like entity) to bridge interface. The other member p...

mkx

with Huawei MediaPad T5 tablet to use 5GHz band (it used to stick to 2.4GHz a lot).
I thought I was the only one in the world this this damn tablet 😂

Nah, we're two ... and a a few million Chineze ....

mkx

After a quick check on this topic, I see the 7.8 as an ALPHA... not a "stable" release... Could be. But my Audience (running wave2 driver) lijes it very much, since upgrade to 7.8 WiFi works much smoother, I don't have to play tricks with Huawei MediaPad T5 tablet to use 5GHz band (it use...

mkx

I don't know how exactly Israel mandates usage of WiFi, so your guess is as good as mine.

mkx

How do I know if my bandwidth is dropping or not if WAN utilization is low and ping is good? You can't be sure but if buffers are not filling and thus ping is not increasing, it's pretty safe to assume that bandwidth is higher than required throughput at that particular moment. Meaning that there i...

mkx

The way @pe1chl showed actually allows to have different channel parameters depending on selected centre frequency. When simply listing frequencies in single statement all the rest of properties have to be the same. So the new way is not as flexible as the old one ... sigh, I guess we'll have to get...

mkx

If your current provisioning rule looks like this: add radio-mac=00:00:00:00:00:00 action=create-dynamic-enabled master-configuration=cfg_5G name-format=prefix-identity name-prefix="5G" then you have to add additional provisioning rule (and move it above the existing one) like this: add ra...

mkx

When the bandwidth that I subscribe to from A drops to 1Mbps, how can I make the internet access route switch to B automatically other than using the speedtest results as a parameter? While uplink to provider A is in use, running speed test a) interferes with normal traffic and b) is inconclusive b...

mkx

Nadol - Why? There was no problem description. I don't know why. It start with 7.7, clicking download&install using winbox, reboot and still at 7.6 When upgrade fails, it's usually something in logs about the cause of it. So after you try to upgrade and it fails, immediately after reboot check ...

mkx

DFS channels between 5600 MHz and 5650 MHz are so called "weather" DFS channels which require scanning with duration of 10 minutes ... during which no transmission is allowed. So if there's no weather radar in your neighbourhood, WiFi might actually appear ... but after 10 minutes (which i...

mkx

Too bad wifiwave2 doesn't allow constructing frequency lists ... or does it? Entries under /interface/wifiwave2/channel don't seem to have property list available?

mkx

Surely if everyone reasoned badly like you, everything would be blocked due to continuous tests that consume bandwidth for nothing. So, how to change internet access routes automatically when the bandwidth on one of the routes is dropping? [/quote] Routing is not the problem, upstream link capacity...

mkx

There is a value that I can pay attention? actualy on crs326-24g-2s+ have 600 devices at /in/bridge/host print count-only, and my cpu is reaching 100%, so its already "large"? The value which (in your use scenario) has to be observed is "IPv4 route prefixes" (and "IPv6 rout...

mkx

As @anav noted, it is perfectly fine to group lines per VLAN. There's a gotcha: some VLAN ID can only be referred to in single line. So this construct is not possible: /interface bridge vlan add bridge=BR1 tagged=BR1 vlans=10,20,30 add bridge=BR1 tagged=BR1,ether1 vlans=10 this one is fine though: /...

mkx

I have two 64MiB partitions on Audience, after downloading the update (ROS 7.8 + wifiwave2) there was only left 1% free, it barely fit in it. After the actualization 41MiB of 64.3 MiB used (believe me I don't store files on the router). @MIKROTIK Can it be slimmed down? Upgrading ROS+wifiwave2 on m...

mkx

Can MT wifiwave2 do this, what Engenius descibes as bandsteering ? I don't think it can ... in current state. Apart from ACLs (which are static) there's no mechanism in ROS to ignore wireless clients when they try to associate ... which is, by the way, the gist of Engenius' implementation: ignore a...

mkx

Mentioned SFP+ modules should do the trick. When it comes to fibre stretch between "civilization and cave", in principle there are two kinds of optical cables: single-mode (SM) and multi-mode (MM). Mentioned SFP+ module works with MM (multi-mode) fibre, so that's the type you need to get. ...

mkx

As I said: it's cosmetics. xSTP is actually function of bridge and if a port is member of bridge, it's not possible to "disable xSTP" on that port only. It is, however, possible to set that port as edge and in this case (bugs aside) that port should not participate in any of xSTP communica...

mkx

Nope. Provisioning doesn't touch radio MAC address. Provisioning can set VAP's MAC address (interface.mac-address) and if it's not set, it's "invented". And I guess it's invented at provisioning time, not at configuration time. So I imagine that if you add radio-mac=<MAC address> copy-from...

mkx

He successfully avoided capsman so far ... karma bit him

mkx

I don't think you can create a group of devices. In provisioning you can add individual devices, each is identified by radio-mac ... which is MAC address of cAP's radio interface. I didn't try, but there's option copy-from ... it might simply copy settings of referenced entry (when executing add com...

mkx

The wifiwave2 configuration tree (in CLI, dunno about GUIs) contains branch called security. There you define a profile. When provisioning wireless interfaces (either master or virtual), refer to the profile instead of setting things directly. This way you can be sure that all interfaces (which use ...

mkx

Well, it is possible to make car, driving on a highway lane, to change to another lane by hitting it from a side, but I wouldn't call that "steering". After you configure all the bells of 802.11r (the whistles of k+v are missing), you can configure access-list to kick devices off 2.4GHz ra...

mkx

There's no such thing as band steering in WiFiland. But I guess that devices have some preference built in and one can help them to select AP in their favourite band by enabling the whole suite of 802.11 r+k+v ... As far, as I know, MT implemented 802.11r (a.k.a. BSS fast transition) but not the oth...

mkx

My understanding is as follows: bridge port in ROS has certain set of properties and those properties will be set always (this way or another). Then it comes to the point whether some of properties actually make sense in certain condition or not. When bridge has any protocol-mode set (other than non...

mkx

... will using two different SSID names even allow the firewall to distinguish what is connected to Guest from what is connected to IoT? No, firewall doesn't know anything about SSIDs, it only knows about L3+L4 stuff (IP addresses, TCP/UDP ports) and L2 interfaces it's working with. Now, if firewal...

mkx

What you observe doesn't necessarily mean that all traffic of those clients is actually routed by Mikrotik. It's possible you only see DNS traffic. But it's also possible that MT draws traffic towards itself. But if you want to make a step forward in direction of making sure your Mikrotik does only ...

mkx

1. You are right, probably the code snippet, when applied to default config, does nothing and thus result isn't as intended. On empty config, comnand "add" with similar properties has to be used. 2. Bridge in ROS has two (or more, depends how thoroughly one divides them) personalitues: the...

mkx

Remember that there are two DFS ranges, 10 minute (for meteorological radars) and 1 minute (for ATC radars). The 1 minute applies to pretty wide frequency range, so it's almost impossible to avoid it.

mkx

And the gain of the antenna where go??? You should only count number of Tx streams once ... and usually that's counted in total Tx power of device, which in my previous post is worded as "output by Tx power amplifier, is limited to 20dBm (or 17 dBm per chain)". So your equation should rea...

mkx

I seem to remember @Normis saying that those lite devices feature USB ports only for powering and that they're pretty brain dead when it comes to support for anything but 5V (i.e. no PD support) ... in essence, use the supplied power brick with it. There was a family of such devices which supported ...

mkx

Ease of management, since only "one" switch needs to be configured/monitored/maintained? Is there any performance hit when NOT using MLAG? Nope, MLAG has nothing to do with switch management. Corporate type of switches use some sort of stacking to create a larger "virtual" switc...

mkx

Another possibility: as MAC address spoofing us really easy to do, it's possible there's some malware around. It should be possible to locate the offending device by examining FDBs on switches to see which ether port is the last one to see it.

mkx

It seems like device with offending MAC address is (mis)configured to perform proxy ARP (in a buggy way as well). I can't imagine another reason for sone device to systematically claim ownership of IP address which is occupied by another device in same L2 broadcast domain.

mkx

What about /ip/dhcp-server/lease make-static [ find ] I don't know if this has to be a two-liner or it can be done as one liner (with possible modification of the expression inside square blackets to also include path before find command). In general, whichever command takes index number as unnamed ...

mkx

I think an important factor in the ax3 case is the uselessness of the 2Ghz radio if you're not full-on Wifi6. It doesn't support ac.

This is not ax3 specific, it's standard. 802.11ac is only for 5GHz band, just like 802.11a was.

mkx

I'm not sure if country limits, burned in ROS running on SXT 2 are special. However, on my RB951G running ROS 7.7, country limits for "united states" says that EIRP is limited to 30dBm on 2.4GHz band. SXT 2 antenna has 10dBi gain meaning that Tx power, output by Tx power amplifier, is limi...

mkx

Do you think that changing subnet would not be useful? No. Subnet mask tells device which IP addresses are directly accessible (i.e. IP addresses which fall into same subnet) and for those it does not have to use gateway. If you physically separate devices into 3 networks (and put router in the cen...

mkx

One of basic reasons to segment a LAN into multiple (smaller) LANs is to block broadcasts. The rest (control of unicast connectivity between different LANs) is add-on function. So if you really want to use different WAN links for different classes of devices, you can still have all devices in same s...

mkx

If your firewall is still largely based on default, then you have to add pppoe-out1 interface (or whatever it's called in your particular setup) to WAN interface list. Hmmm ... the wording used in your post makes me wonder if I understand your use case correctly. So if in doubt, post configuration o...

mkx

I just simply want to move all my cAPs from one CAPSMAN to a new one and then remove CAPSMAN on RB951G-2HnD and then replace with ax3. CAPsMAN has this redundancy built in: if there are multiple managers available on L2 network, any of thrm can provision CSPs ... prerequisite is that configuration ...

mkx

I'm not sure this order (first MAC, then IP) is about the order. I'd say it's by design, autoconfiguration only works via broadcast/MAC and that's the way vast majority of installations are supposed to work. And it's the only way possible when "configuring" AP into CAPsMAN mode by performi...

mkx

I smell a user article if MKX doesnt make one LOL I'm affraid we'll see another article from @anav's "guides for ROS dummies" series. 1. I don't do articles, 2. I haven't got to the point of installing CAPsMANwave2 and 3. I only got up to ac with my wifiwave2 device (audience). I'll gladl...

mkx

Anything involving IP address is K3. So if switch has IP address associated to a particular port, it'll respond with associated MAC address. Same if switch is L3 switch (IE routing). It may even run something like proxy-arp. Remember that for switching only, swirch doesn't need to use own MAC addres...

mkx

Special consideration of LAN interface list is only due to firewall settings (default) and tools mac-server . Otherwise LAN interface list is no magic. Well, perhaps the "detect internet" does something about it, this one is magic to everybody, it's just not clear if it's a good magic or b...

mkx

I was born as senior ... you grumpy old fart

mkx

QinQ is simply double VLAN encapsulation, which makes full ethernet frame size equal to 1526 (when using standard 1500 byte L3 MTU). Which means that switches, involved in such traffic, have to support L2MTU at least this large. However, MTU still remains 1500. The gist of it: router works with IP p...

mkx

- a DHCP client stores old lease and lease server. The client will renew DHCP with the used DHCP server, before requesting via broadcast. According to wikipedia article (which includes quite some details), when acquiring DHCP lease DHCP client always sends packets to broadcast MAC address ... even ...

mkx

Also AC should be able of something like 500Mbps or even more (833Mbps symbol rate is theoretical max, realistically possible is at least 20% less), but on Mikrotik with legacy wireless driver that's mission impossible, 350Mbps is a decent figure for RB4011. You could install wifiwave2 driver on RB4...

mkx

In principle wifiwave2 setting of, say, band="2GHz-ax", will support older technology generations (b, g, n). In legacy driver it was possible to disable older technologies, but this doesn't seem to be possible (for now) in wifiwave2. It's best to leave "supported-rates" at defaul...

mkx

As I wrote, differences will be seen in mediocre conditions. Which start to happen when signal strength drops to slightly above receiver sensitivity (and one should take into account also receiver sensitivity of client), where device Tx power capabilities make difference. If signal strength of AP is...

mkx

Based on Wiki, channel 100 can be 80Mhz and starts at 5500 (center). No, based on Wiki, channel 100 is 20MHz wide and spans 5490-5510 MHz (with 5500MHz center frequency). Then there's a 40MHz wide channel 102 which happens to overlap 20MHz channels 100 and 104. Nominally channel 102 has center freq...

mkx

Radio basics: signal strength budget is S = Tx power + Tx antenna gain - path loss + Rx antenna gain which then has to be greater than receiver sensitivity (for link to work at all). And SINR is ratio between signal (S) and noise (which includes thermal noise, receiver noise figure, unrelated noise ...

mkx

Nope. MTU (the layer 3, i.e. IP) for VLAN-driven IP subnet should be the same as if VLAN wasn't used. The universal number on ethernet networks (plain or with VLANs) is 1500. Longer explanation: when using IP over ethernet, as mentioned, standard max packet size (including IP headers) is 1500 bytes....

mkx

What I want to achieve is each non-WAN port on hEX having seperate lan address space, and I have several of these 'dumb' switches that I could connect to each of the non-wan ports to get more ports for each of the new lan spaces. If this is so, then use router's ports as completely independent inte...

mkx

Wikipedia has a really nice article on WiFi channels ... with shown standard channels according to channel widths. When trying to implement them, keep in mind that on Mikrotik one always sets center frequency of 20MHz control channel and separately adds Channel layout. In particular: 5825MHz is cent...

mkx

As mkx wrote: it might disable HW offloading for every port? I don´t think so, but I am not 100% sure. It's not what I wrote. I wasn't specific about why using SFP as switched/bridged port would be less than ideal, but this is what I had in my mind: SFP port, when in use, is wired directly to CPU. ...

mkx

Well, I tried in /ip firewall filter ... one can not remove comment (i.e. field where empty value is as good as not set) with either of constructs, only setting with empty value does. But for optional property (I tried with in-interface) both ways (unset X in-interface ... and ... set X !in-interfac...

mkx

It seems that unset is only available in menus where items have optional parameters. In IP address, only optional parameter is comment. Any other missing and configuration item doesn't make any sense. Other configuration items (like firewall filter) have many properties and not all have to be presen...

Search found 9440 matches