MikroTik

petterg

I did not include the config in the upgrade. I did the upgrade while default config was running. After the upgrade I did reset configuration and asked it to run a script "my_defaults.rsc" rather than factory defaults. That script failed to run, so I ended out doing another reset configurat...

petterg

This is crazy! Out of desperation I figured I should reset to default configuration, thinking maybe there were something new with RoS7 that I missed out when I was starting with blank config. SO, I took backup using winbox backup button, and ran /export compact file=wg-failed.rsc Then I reset config...

petterg

Thanks for the ideas on various routings over the tunnel, once the tunnel is established. The problem here however is that the mikrotik doesn't even try to establish the tunnel. (In the final setup I will be using multiple routing tables as well.) Routing 8.8.8.8 over the tunnel is my test towards a...

petterg

I'm trying to set up a mikrotik as wireguard client, with no success. I have no experience with wireguard at all. The config that is claimed to work on linux (I did not test it my self) is as follows: [Interface] PrivateKey = KF****GI= Address = 10.2.0.2/32 DNS = 10.2.0.1 [Peer] PublicKey = wq****o=...

petterg

Not really. Cause when you travel, you very often get to somewhere where the distance from your room to the AP you're connecting is rather long. And then you may also want your private wlan to cover the hotels dining area, or outdoors. The 5GHz just doesn't reach that long. Hence the 5GHz end up bei...

petterg

Using other devices, like a hotspot mobile phone, usb nic, console cable with usb adapter.... I consider those a workaround, not a solution. A better workaround would be to use a dual radio mikrotik.
Shouldn't be that hard to make a wlan available for config.

petterg

I'd suggest you to return the new laptop due to lack of fundamental functionality (wired network connectivity) No way! This is the only portable computer that exist! There are no other laptop out there that provides 20+ hours of effective battery time (unless I do graphics work), with the weight of...

petterg

disable-running-check did nothing, looking from the wireless devices. Slave wlan did not show up in list of wifis. However the master wlan does keep the running flag, even when not connected. (I'm currently not using connect list. Just set one ssid and one security profile) If the problem is that it...

petterg

the disable-running-check was indead the wrong number. it is working as expected. Is it? What version of ROS are you on? It's not working for me using ROS 6.48. Maybe our expectations are different. When I set disable-running-check=yes on wlan1 (mode=station) it keeps the running flag when disconne...

petterg

I'd imagine the wlan master interface would be running when it looks for AP's to connect to. Loosing wlan connection is not the same as killing the interface. If the mikrotik wlan master is connected to a AP, and the AP is switched off, the slave wlans on the mikrotik keeps running for a few seconds...

petterg

I'm using a rb951 as a travel router. It creates vpn's and makes sure all my devices communicate over those vpn connections. I use two setups. One config where eth1 is the wan port, and wlan1 is in ap bridge mode. The other config has wlan1 used as wan in station bridge (or psudobridge) mode and my ...

petterg

This is getting stranger.... Last night the mobile network provider was down for about 2 hours. When it got back the both pcs connected and stayed connected for 5 hours. Then the testpc disconnected and since then the testpc has disconnected every few minutes, while the adminpc stayed connected. Aft...

petterg

Oh. That was complicated. Thanks

petterg

This is not an mikrotik issue. Most probably it's a windows issue. However I haven't been able to find any helpful information anywhere else. Hopefully someone here has experience with windows vpn disconnecting. I have an issue with a win7 pc that is used for administration of an security system. It...

petterg

When writing a script to run when a vpn (dis)connects, is there any way for the script to know the username of the user who logged in or out?

petterg

Thanks for your reply. I thought it had to be associated to the vpn disconnect and (re-)connects because the disconnect may be related to public ip change on the network the devices are connected to. But on second thought, maybe a netwatch on the vpn connections remote (seen from server) ip could wo...

petterg

I have some devices around that I need to access remotely. As they are behind nat (most of them) and non of them have a static public ip, I've solved the remote access by having all of them setup as a vpn client, using a mikrotik hAP as a vpn server. Most of the devices uses pptp. (Those that suppor...

petterg

There aren't any other isps in the area. They are using the 450MHz-band which is not supported by normal equipment.

petterg

I know about similar items. Problem is that the modem has battery that lasts for 6 hours.
When I said unplug power, that included pulling out the battery. It will not power on if battery is not installed.

petterg

Is there a way to script a mikrotik so that if it looses network connection, it will call the modem website, log in, go to the reboot webpage and click the reboot button? The case is that a mikrotik router is behind a modem. The network connection frequently goes down, and the only way to get back o...

petterg

Why is there a note in documentation telling to use the old style vlan config "on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices"? I see that doing vlan "the new way" ends up doing this setup in software. While in the old w...

petterg

When using capsman with several ssid's, each connected to a vlan, each will make a dynamic interface on the cap that is member of the bridge. So caps have more than one port. I.e. the cAP ac has two ports. The port that goes to the network / capsman has to have all vlans tagged. How can I make one o...

petterg

Solved! It turns out that the naming of the capsman configurations was the problem. A wlan configuration named "wlan40", "wlan41", ... causes some conflicts. Feature request: Give a error when a conflicting name is set. (just the same way as when trying to create a firewall rule ...

petterg

After two years of not working with networking I'm feeling like a noob when returning. I'm probably missing some details in the config. I've setup a capsman (3011) and some caps. All caps behave the same, so I focus on one of them, a cAP. The cap is connecting to capsman, but it (they) does not get ...

petterg

I resat config and started blank. Even copy/pasted the config into the box, and it works. Why this didn't work in the first place reminds a mystery.

petterg

I noticed this note in the doc. https://wiki.mikrotik.com/wiki/Manual:Basic_VLAN_switching Note: This type of configuration should be used on RouterBOARD series devices, this includes RB4xx, RB9xx, RB2011, RB3011, hAP, hEX, cAP and other devices. That note was under an example of old-way vlan config...

petterg

The interfaces in routeros default lists are there just for being there in the default config. I don't think they block anything. The 192.168.88.1-address I move between the vlan45- and bridge-interfaces for testing. Just a way for testing ping to the pc with address 192.168.88.2 without putting han...

petterg

What I've just realized is that setting bridge ingress-filtering=yes | no makes the difference if the router is communicating with pc on eth9 using ip on bridge interface (ingress-filtering=no) or not at all (ingress-filtering=yes). It doesn't under any circumstances communicate with the pc on eth9 ...

petterg

A pc with static ip192.168.88.2 is connected to eth9. If I put ip 192.168.88.1 on vlan45 (which should be untagged on eth9) and ping 192.168.88.2, I get no reply. If I put the same ip on bridge interface, I get reply. According to the config the result should have been the other way around. To me it...

petterg

This is not firewall related. It is within the bridge/vlan config. (There are no firewall output rule defined, and my test is from the router) Ports pvid are as show in the config in first post. Bridge pvid=1. Thats why I suspect packages get vlanid=1 on ingress. (Is there a way to see if that's act...

petterg

Thanks! That was one thing I had missed. It makes sense just like in the old bridge one had to remember to include cpu-port in the switch config. But there must be one more thing I've missed: Adding bridge as tagged interface on all vlans helped for the loss of communication on tagged packages when ...

petterg

Last time I did vlan setup was with ros 6.39. Now with ros 6.46 I though it would be simplified by the new way of bridge implementation. But I run into trouble. The goal is to make a RB3011 have the following setup: eth1: wan-interface (no vlan) eth2,eth3: tagged vlans 40,41,42,43,44,45,46 eth4: unt...

petterg

Thanks

petterg

I'm a noob when it comes to scripting mikrotik. How do you use varables with a name that contains a "-" ? Reading the manual at https://wiki.mikrotik.com/wiki/Manual:PPP_AAA For /ppp profile under section "on-up" it states: Execute script on user login-event. These are available ...

petterg

Thanks. Then the answer to my question is 'no'.

petterg

my OpenVPN only accept the connection if the first packet is 60bytes. Connection like telnet won't get through and will be thrown to DROP rule. Not great but works for me. Something like that would be nice, assumed first packet from a browser always has the same size. What I had in mind was a https...

petterg

Is there a way to create a mangle rule that matches the first packet (from client to server) of a https connection?
It doesn't need to 100%. What I want is a rule that can separate actual https initial packets from most other (i.e. port scanners) initial packets.

petterg

I have a rb3011 running ovpn server. This works for mikrotik - mikrotik tunneling, gentoo - mikrotik, mac - mikrotik and windows - mikrotik. However, ubuntu - mikrotik returns "error=unsupported certificate purpose" On gentoo I've tested client versions 2.4.2, 2.4.4 and 2.4.6. All works. O...

petterg

We've identified one macbook that seemed to be the cause of this issue. Disconnected it from wlan - problem went away. Reconnected it - problem came back. Rebooted that mac - problem is gone. At least for now. This device got identified because the user complained that wlan only worked in her office...

petterg

This is an office network in a building where walls and windows are so thick that there are no wifi coverage on the balcony, Even with the AP just inside the window. Wifi is WPA2-PSK. Apple devices has not behaved this way before. I have not tested another mikrotik, but the customers network admin h...

petterg

Well. Disable DHCP server and force everyone to set static ip will be a way to get around DHCP issues. Though, it will case quite a bit of other problems when dealing with users without technical knowledge. The strange thing is that this turned up as an issue with so many devices at once. Network eq...

petterg

At a customers site, a week ago, log started to show lots of dhcp-lan client xx:xx:xx:xx:xx:xx declines IP adress 172.18.11.xx there were several of these entries every second during business hours. The problem was reported as windows users got a message telling their ip was already in use. Well, no...

petterg

In a setup of 4 wAP ac's administrated by CapsMan things works good for pc's and android devices, but not for iphones and macbooks. Same SSID are used for 2G and 5G. The Apple devices then chooses 2G over 5G. So I created a new SSID for 5G only. This made the Apple products to jump to the combined 2...

petterg

In a setup with multiple wAP ac setup as CAPs administrated from CapsMan, where both the 5ghz and 2ghz radios are provided with the same configuration, what is the easiest way to avoid that a single CAP select a specific channel? The current issue is that one Caps 2ghz tend to select the 2427MHz cha...

petterg

A customer has three wAP ac setup for capsman using vlan (old version - ros 6.39). Two of them works fine. The third one does not communicate on ether1. The config is pretty much identical. Hostname and IP are the major differences as I can see. Why does one of these not communicate on ether1? I kno...

petterg

Where do you store a file in router os to make it available to download via https (webfig)?

petterg

I'm in need of a cron job on a server to make changes to the router. The server is located in a none-secure zone, hence I don't want to give it full admin permission. I want it to trigger the script to change the router firewall config as needed to do some other tasks in that cron job, then, when it...

petterg

Seems like all 6.40.7 download links are dead on https://mikrotik.com/download

petterg

I have some users who are allowed to login using webconfig only. There they are set up with a skin that shows the scripts only, hence they cannot really do anything to the config even though the scripts requires the users to have write policy enabled. I've had scripts that disables / enables interfa...

petterg

Another way to trigger the script from wan: In winbox go to ppp -> profile -> (add) -> scripts Then, when your user logs in the script is triggered that makes use of the build in wol tool. For security you may put logged in users into a subnet not used for anything else, create firewall rule to tarp...

petterg

Are noone able to see where I went wrong with this?

petterg

I ran into this issue again. What was the solution this time was to downgrade firmware, and upgrade firmware again. No config changed - problem gone.
I wonder if that's going to be the solution next time as well.

petterg

I guess you could solve this by creating a script in the mikrotik that sends magic packet to the server. Next you need a way to trigger the script. One way to do that is to create a firewall filter or mangle rule on a chosen port, and a scheduled task (running every minute or so) that checks the pac...

petterg

I'm missing out on something with the vlan setup. On a hAP AC running ROS 6.39.1 the goal is to use switching on port 3-5, while ports 1 and 2 are standalone. Port 5 is the master port. On port 4 and 5 I want tagged vlan1 and vlan2, while on port 3 I want vlan1 to be untagged. In my current config, ...

petterg

I have not configured channels. Hence the caps should use the country dependent frequency list.

petterg

Country tested with norway (frequency list know to be incorrect for wAPac models), france and UK. There are no other 5GHz networks in range at this customers site. The same goes at my house where I replicated the issue. For the two previous customers where I ran into this, there were some other 5ghz...

petterg

New customer - same problem. What appeared to solve the problem last time, does not work now. This setup differs in the way that I put the wAPac as capsman, and hAPac as cap (last time it was the other way around). Both selects 5180MHz for 5GHz. For 2GHz the select different channels. Apparently a f...

petterg

Does anyone know of free ssl certs that will work with ros sstp server service / MS sstp client? Now as even Microsoft has distrusted startssl, the only provider I'm aware of to provide free ssl certs is Letsencrypt. However, certs from Letsencrypt are valid only for 90 days. That calls for a need t...

petterg

I guess you could connect a device that will create a loop. Try it multiple places in your network. If it causes the caps to disconnect you may have a lead.

petterg

Thanks for making me aware of that

petterg

Attached are two screenshots of capsman and caps while they were on my desk at home

capsman.jpg

capsman-4devices.jpg

petterg

I got to a very minimal config demonstrating the problem. I wrote down all the changes I did to the default config. Resat config, went through all the steps I had written down, and the problem was replicated. Then I connected another wAPac running ros 6.35 - which also got the same frequency. Then I...

petterg

I'm currently trying to simplify config as much as possible to isolate the issue. This has revealed two other issues that I think are bugs. Those two are: 1) reset-configuration deletes all files on unit. This is causing problem when I want a script to run after reset - the script file is no longer ...

petterg

When running reset-configuration from system menu in winbox all files are removed. Is this a bug? If this is not a bug, is there a chance to go back to the old practice where you could do a backup, reset config, and keep the backupfiles remained in the unit. (Also it seems pointless that the dialog ...

petterg

Now I've replicated this issue at home. Took a brand new hAPac and a new wAPac, ros 6.40.3, copied system identity, capsman, caps, bridge, vlan, switch and IP settings from the customer. They are connected to each other with a 30cm cable, and they select same channel for both radios. I live at at pl...

petterg

Thanks. You may be onto something. Restarting the cap makes it select another 2GHz channel, but it keeps using the same 5GHz. There's a lot of unused 5GHz channels in the building, and the the APs are within range of each other (-58dB). Is something wrong with the wAPac channel selection that makes ...

petterg

Noone has experienced this?
This is the second time I have this issue. The first time I thought all the wAPac's I had with me was from a defective batch, and replaced them with hAPac's.

petterg

Maybe there's a pc in your network that has wlan and cabled nic's bridged? When that user connects his laptop to the cabled network it creates a loop causing everything to stop for a while, including your caps connection to capsman.

petterg

I suppose you could even make a sort of switch by inserting a usb stick. If file1 is present on usb storage, run script1. If file2 is present run script2.... Multiple sticks act as different switches.

petterg

Maybe this is a (r)STP config issue?

petterg

My home router runs a script that has the intention to enable wlan when someone tries to connect, and disables wlan when no clients are connected. This is scheduled to run every 150seconds. It's not as effective as it sounds. wlan is only disabled 93% of the time when disabled. The reminding 7% of t...

petterg

That would require to enter all frequencies, make a full list of frequencies for the country. I was wondering if there was a way to say all EXCEPT the one specified.

petterg

I updated a customers caps from ros 6.39.1 to 6.40.3. Now I notice that both caps (a hAPac and a wAPac) have selected the same channel for both radios. I didn't notice if they did so before the update. How can they do that for both radios? They are located just 10m from each other. I could understan...

petterg

Is there a way to configure caps to NOT use a specific frequency? Trouble is that in a small area the 5500MHz is not working (near the fridge in a meetingroom), and the nearest AP tend to select exactly that channel when set to auto. The result is that devices try to connect to that AP, get disconne...

petterg

I hope so too. But as off today that is not the case.

petterg

If you read the wiki, the table shows that offloading will automatically be disabled once you make use of vlan, unless you are using a crs3xx. https://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features#Bridge_Hardware_Offloading I also though taking a port out of switch would make me able to do swit...

petterg

The way I read the new bridge/vlan implementation, the hardware offloading will be disabled once vlan is enabled on most devices. Hence anything vlan will be software. I don't think that will be a good idea. Also I have no idea of how to do the setup when a unit should run be configured as a caps wi...

petterg

I can ask them to connect a second cable, but as this unit only has one switch chip, it's still a major chance of loosing connection when doing the switch config. Just two weeks ago I went to a customer to setup two wAPac's and a hAPac as capsman with vlan. The customer had a rb750gl as router, with...

petterg

I've lately learned that it's better to configure vlan on bridge interface than on etherX interface. Then use the switch menu to control what to tag or untag. How the switch menu works highly depends on the switch chip - they all seems to behave differently, and I have to say the switch vlan config ...

petterg

This kind of sounds similar to what I experienced with a rb3011. After 6 weeks it got worse. Turned out to be a faulty router. Replaced with a new one, copied config, problem solved.

petterg

I never (with a few exceptions) create drop rules, except for the final drop all rule. My philosophy is that everything should be dropped unless I specify otherwise. What you probably want is: add action=accept chain=forward comment=Established connection-state=established add action=accept chain=fo...

petterg

I want to change a customers vlan setup, without going onsite. How can I do this without loosing connection to the unit? This customer has a hAPac as single access point in their office, also serving as a local switch. It's connected to a RB450g serving as a router. Now their extending their office ...

petterg

Old thread, but it looks like a solution has arrived! I have not tested though, and it's not mentioned in the wiki. ROS: 6.40.3 Capsman -> Channel -> reselect interval The name sounds like something we've been looking for. Seems like this cannot be set on a wlan interface not controlled by capsman.

petterg

One way could be to schedule a reboot. Preferably outside office hours.

petterg

Just an update: The new 3011 (which actually is older than the old one) is stable running same config as the dead one. Winbox stayed connected for 40 hours over vpn, then power at my house went out an my internet connection dropped. Thats way better than the old 3011 managed when new. This was my fi...

petterg

Thanks
*feeling blind*

petterg

I replaced the box because within an hour after I posted this thread it got impossible to deal with. I couldn't even stay connected to the unit long enough to do a remote reboot - neither by winbox or telnet (from lan). As the problem got worse so fast, and also started to affect packets passing tro...

petterg

A customer has a RB3011 as main router and running CAPsMAN. Ever since it was new, winbox has disconnected frequently. When I first configured it, the disconnects happend at randomish 30 minute intervals. I could reconnect immediately so it wasn't a big issue. Now this happens about every minute, an...

petterg

In the old days of winbox I could save ip, username, (password) and a comment of the devices I manage with winbox. In the 3.11 version I could copy my old config into the new and get the list of managed devices. I could also add the column "notes" to see the comment saved with each device....

petterg

The ISP switch is a Zyxel. I think the model number was 2210.
I didn't pay attention to what was written on the sfp.

ISP say they wont support any other configuration that the one they have provided. So the options is either to do it by mikrotik configuration or get a second UPS.

petterg

At a customers site ISP delivers fiber in the basement. The fiber terminates in a switch controlled by ISP. I think they're using vlan and their point with a switch rather than a media converter is that they could just configure another port at the switch in order to give a connection to a new custo...

petterg

I had a new case of a similar subject. I had 11 vlans configured on eth5. Then I got the need for the same vlans on sfp1. I figured the fastest way to get them all in place was to do an export compact, search/replace the interface name, and run the resulting script. That was a mistake. I did not cha...

petterg

I think I found the answer here https://forum.mikrotik.com/viewtopic.php?t=102518#p509112 ... There is also quick and dirty way to do what you want - just export the certificate on your old CAPsMAN along with its private key. You do this by: /cert export-certificate 0 export-passphrase=12345678, it ...

petterg

Well, at least we've learned that the fastest way to a fresh start may be backup - reset - restore.

petterg

A customer has a setup where sstp uses two different radius servers depending on the domain-part of the username. I would think that wlan would give similar behavior in respect to domain name. The only thing I did to make it work was to enter domainname for each radius server. I'll post config here,...

petterg

That's pretty much what I did. Hence I temporary concluded a faulty config, but what could be causing such behavior? After all the problem were first observed on ports that was unchanged from the default settings. And why is the problem impossible to replicated when config is restored from a backup?...

petterg

I'm testing out capsman... As it seems to introduce a single point of failure (if the capsman goes down, all CAPs are disabled) I'm trying to setup a second CAPsMAN. The idea is that the CAPs will use the second one when the primary goes down. So I did /capsman export compact on the one running, usi...

petterg

Here's the story of a brand new RB3011 I've been fighting today. There is something about this box that is not right, and I can't figure what it is. First thing I did was to upgrade it to ROS 6.39.2. My laptop was connected to eth3. Then I took eth6 out of bridge and added vlans to it. A wAP ac conn...

petterg

Thanks, that was the trick! I add some details in case someone is searching for the solution to a similar issue. When using capsman forwarding: -set bridge in datapath section of capsman - do not set bridge in cap config. When using local forwarding: - set vlan using bridge as interface. Do not use ...

petterg

I'm testing out capsman. What I'm trying to do is to provision multiple ssid to multiple wAP ac / hAP ac that already has vlan and bridges configured. The problem is that provisioning does not add wlan interface to the local bridge at the ap. I have to log into every ap and run something like /inter...

petterg

Does capsman tell clients which AP to connect to?

petterg

A customer has 3 wAP ac running ROS 6.39.1. All setup with same SSID / wpa2 key so that clients can move around the area and connect to the AP with strongest signal. Problem is that they have 6 sonos devices, and these seems to frequently connect to the first AP they see, not the one with the strong...

petterg

Bonding two EoIP tunnels over two wlan links seems quite stable using broadcast as bond mode. The only issue I ran into is that when a client moves from one site to the other, traffic stops for 30-60 seconds. I followed an example of bonding eoip where rstp was used on the bridge. I suspect the rstp...

petterg

Maybe that could be something for Mikrotik to implement as well?

petterg

The reason I asked is that a customer is in a location where channels are crowded. Even in the 5ghz band its hard to find channels. I've never used auto channel. At this place there may be channels available where the AP is located, but once moving 5m away the same channel is filled with other netwo...

petterg

How does routeros decide which frequency to use when AP is set to auto? Does it scan and look for the frequency with the least noise? (If so; How often does it perform such scan?) Does the connected clients affect the frequency selection in any way? If there are two AP's at same frequency (your own ...

petterg

I've experienced that HP Spectre 13 running windows 8.1 preferred 2GHz at default setting, even when putting the laptop next to the AP. Setting it manually to 5GHz solved performance issues (2GHz in that office building is crowded.)

petterg

From reading the manual on bonding, bonding seems to be the way to go. Choosing the bonding mode seems to require some experimenting. And while the manual states that wireless interfaces can be bounded, the examples states that they can not unless a layer of EoIP is added. I'm a bit confused, but I ...

petterg

I've tried both bands, different frequencies. They all seems to drop, but not at the same time. Currently 2GHz band is the one in use, and I have configured a test subnet for a 5GHz link. I have a ping running on the 5GHz link. From the log it seems like the 5GHz is still alive when the 2GHz disconn...

petterg

I have 2 wAP ac mounted for a wireless link between two buildings. The link transports 5 vlans. Problem is that a few times a day some cars stop outside and the link drops. So I'm thinking, as the wAP ac has two radios, I could use them both, and hopefully when cars passes, only one of the frequenci...

petterg

I was hoping the packets could be identified in some other way than by IP.

petterg

What is best practice to give priority to Skype users connected with wlan? Keep in mind that Skype (for business) is tunneling VoIP over https. How would you give priority to these packages? Would you setup QoS to give priority by skype server IP and a script to look up skype connection dns and upda...

petterg

In order to locate the problem I'd start with doing speed test to/from the CRS125 from both sides. Either by configuring the CRS125 so that it can be used for speedtest, or (better) bring another box up on the roof and connect it to the CRS125 for performing the speed test trough the CRS125. Another...

petterg

The solution is explained here:
viewtopic.php?f=2&t=120003

petterg

I finally figured this one out! The problem is explained here: https://support.radware.com/app/answers/answer_view/a_id/15364/~/when-should-source-mac-learning-be-disabled-on-vlans%3F Somehow I managed to set sa-learning=no in both entries at switch->ingress-vlan-translation Changing that to yes (wh...

petterg

You can set both customer-vid and service-vid in switch -> vlan
I think that is what you need. I have never tried service-vid. And customer-vid seems to be buggy as showed in this thread:
viewtopic.php?f=2&t=120003

petterg

You probably want to add out-interface to both of those rules. And disable the masquerade rule if you haven't - or at least put it later than the two new ones. Next. Take a look at the packet counter for each of the rules. Do they hit any packets at all? If yes. create a mangle rule, post routing, t...

petterg

You'll need to ask if the 4 of them are willing to cooperate with each other in order to provide you bounding of their lines. I'll guess they say no, if you're lucky enough to get in touch with anyone at their customer care who understands what bounding is. When I did this I had two lines from the s...

petterg

Bonding is possible only if your ISP is willing to cooperate. It requires that there is a shared public ip between the lines. I've done this a couple of times many years ago. Load balancing is something you can do independent of the ISP. There are a few howtos around the forum and/or wiki about how ...

petterg

I think I've seen a UPnP setting for each guest in hyper-v management. Look for it and see if it helps to change that setting.

petterg

I assume R1 main and backup connections does not share ip's. My approach in such case would be to make sure router at R2 would be the one to initiate the connection. At R2 I would create a set of netwatch entries: - Netwatch1: ip=[a lan ip at R1] OnDown=/system script run StabilityCheck - Netwatch2:...

petterg

I've managed to replicate and isolate an issue two of my customers of CRS125 has run into. I'm not sure if this is a bug or a config fault. I've replicated this with ROS 6.15 6.38.1 and 6.39rc55. What happens is that the CRS125 starts sending out each packet (TX) to ALL active ports. It basically st...

petterg

You said the remote part would have to make connection to a server first, the you wanted a rule to be created from that server to the client. In that sense you know the clients ip, and can use the ip as identifier. It will work as long as the client keeps the same ip while connected. When IP changes...

petterg

What I showed is to logic to create those return rules. Now as you say there is a lan to lan dial up, you skip the connection scrips, and just create a set of those two rules explained for each client ip you want. (or make a script to generate the for you) I recommend putting them in a new chain, an...

petterg

I ran into case of wireless clients not getting dhcp once. Everything worked if I set static ip on the wireless clients. I spent hours trying to figure out and finally went for factory reset of the access point and start all over. Then it worked. So, my advice, if you're stuck; start all over again.

petterg

I think you could accomplish this by using firewall action = add dst/src to address list Combine this with the use of ppp -> profiles -> add -> scripts (winbox navigation) The idea is that when a dial up connection is established, a script will run that creates: - a fw rule with dst-address=[client ...

petterg

You may find what you're looking for here
https://wiki.mikrotik.com/wiki/Manual:CRS_examples

Far down that page there's an example called "isolation"

petterg

There seems to be a problem with CRS125 wire speed. Say ports 3-24 is set up with port2 as master port. Now, if you connect a 10mbit (or 100mbit) device to any of the grouped ports, and two 1Gbit devices to two of the other ports in the same group, the max data transfer speed between the two 1Gbit d...

petterg

It is somewhat offtopic for this thread, but still.. Unless you plan to add more ports to the bridges later, it's pointless to have bridges with only one interface. Just assign the ip adresses and the firewall rules to the vlan interfaces, and you can delete the bridges. Also, when you do config cha...

petterg

So the problem may be that I have one single port and 23 in the port group, not all 24 in the group?
Unfortunately I had to hand this box over to the customer - the last in stock - and have to wait for a new delivery to arrive before I can experiment more with this.

petterg

Am I alone with the issue of masterport not working when vlan is configured?

petterg

Here is the config (excluded wireless, dhcp and ipsec config) where ether2 is not working. Does anyone see why that is? Ether1 is wan, Ether2-16 are untagged members of bridge-lan, Ether17-20 are untagged members of bridge-gjest, Ether21-24 are tagged members of both bridges. # feb/14/2017 01:23:28 ...

petterg

Thanks. I think I found the answer to my question in a note in your first link Note: Multiple master-port configuration is designed as fast and simple port isolation solution, but it limits a part of VLAN functionality supported by CRS switch-chip. For advanced configurations use one master-port wit...

petterg

This is the first time I run into the need of vlan on a CRS125. The switch menu on CRS125 tells that there are some new possibilities with the CRS compared to the routerboards I've configured for vlan earlier (mostly 1100AHx2, 433g and 951g). The config I'm looking for is: Ether1 as wan link (routin...

petterg

I didn't have the username and password fields in that menu. Guess I need a software upgrade. Which ROS version is that screen shot from?

petterg

I got a surprise when I replaced an rb951g with an CRS125-24G-1S-2HnD-IN - I thought they would be quite similar in regards to wlan. They were set up as wlan stations connecting to a cisco ap several buildings away. While the rb951g had a signal to noise ratio of 24-28dB (depending on weather) and g...

petterg

Oh, so it's not just me being blind this time?

petterg

Today I failed in setting up an rb951g for a customer. I thought it would be a simple case, but I couldn't solve it. The case is that this customer (small company) has moved into a building where they have internet access from the owner of the building, provided as wlan only. My plan was to set an r...

petterg

Thank you Normis

petterg

Does the antenna in wAP give better signal in some directions?
I'm wondering if it makes a difference if it's roof mounted (near the wall) or wall mounted (near the roof) when the goal is to get the best signal in a half circle out from the wall?

petterg

Thanks
I wasn't aware of the wap series AP's.
Do you really think there's no need for roof mounted sector antennas (as the SXT series) in the large open area?

petterg

Hi guys I need a recommendation for access points to cover a indoor basketball arena. The area is about 40m x 30m. Roof is 8m up. There is also a cafe next to the arena that should be covered and meetingrooms/wardrobes one floor up from the cafe. Outer walls and roof are steel (may reflect wireless ...

petterg

Then, how come it works randomly? If a command in the script requires write, how come the user with read only access can run it most of the time? And, when the script owned by admin is run by a read only user, why does the log show that the "device was changed by admin"? And why does this ...

petterg

I created a custom skin. It randomly works. Sometimes user cannot log in. Giving the group write permission makes the login stable. But I don't want the user to have write permission. Having just read and web permission, the user randomly cannot log in. Another issue is that script randomly is not e...

petterg

Is there a way to limit a user login to run script only? I frequently run into the case where I want to allow someone to run a script on some of my routerboards, and I don't want them to be able to do or see any other parts of the config. The scripts could be of the kind 'wakeOnLanFtpServer', or 'En...

petterg

Isn't the antenna in 951 (and 751) shaped so that the signal goes equally out in all directions? If so it would have to be mounted in the height of peoples head. I think a more directional antenna is required to mount the equipment somewhat less visible. I have a bunch of rb951g laying around. Rule ...

petterg

I've now spoken to some friends who runs a catering service. We're thinking of setting up a test with 2.4GHz only, and invite a bunch of people for a snack and wlan test. Which antennas would be the best suited? According to the cisco guide the preferred antenna should ha low gain and cover as small...

petterg

I'd like to test mikrotik for this application. Over the years I've replaced a lot of expensive cisco wlan that users complain about i favor of cheap mikrotik. It won't be cheap to test with mikrotiks either. I'll need probably 15 AP's and 500 people. I don't have that many friends! (Or I could do a...

petterg

Things I learned from Ciscos guide: it is better for two APs to share a channel than to have two channels overlapping on the edge. Two APs sharing a channel can demodulate each others’ transmissions and share the bandwidth amicably. When two channels overlap at the edge, it is just noise to both and...

petterg

The subject has been up before, but the newest I found was 3 years old. Has something changed? The case is: one room, 20x50m. 500 devices (mobile, laptop, pad, press camera..) Can it be covered by mikrotik wlan devices? Say 50% of the devices can handle 5ghz. 50% is stuck on 2,4Ghz. How many 2,4GHz ...

petterg

Thanks. Your config did the trick. This config now works excellent with radius on windows server 2012.
The required changes was mac-mode=username, and disable eap-accounting.

petterg

Device: rb433gl, ros 6.7, 2x wlan. I'm trying to setup a wlan on microtik so that users will use their username/password in AD to connect. I've got to the point where computers that are members of the domain (and has a certificate from the domain installed) will connect using the certificate and not...

petterg

*bump*

petterg

What is the preferred way to setup ipsec tunnel between two 1100AHx2 to make use of the build in hardware encryption? I've tried quite a few combinations of settings, and never really got the expected throughput over the tunnel. I'm currently running peer with 3des/md5/modp1024 and policy at aes-128...

petterg

After some discussion with spectralink we figured that the accesspoint needs to support WMM-PS or WMM-AC in order for the handset to connect. I found a statement from mikrotik dated 2011 that PS is not supported. Is that still true? I haven't found anything regarding mikrotik and WMM-AC. Could it be...

petterg

I've bumped into the very same issue using RB951g with ROS 6.7 and ROS 5.25 (two boxes). A friend of mine managed to get the spectralink 8440 connected to his RB493g using a b/g wlan card about a year ago. He remember he messed about a lot to make it work, but finally he got it. Surely he didn't mak...

petterg

Has anyone tried just to send a wol magic packet to the box?
(Why would anyone shutdown a routerboard unless there is a need to unplug the powercable?)

petterg

Thanks to this thread and rpr's posting above I managed to get a new certificate into my router. However I struggled to figure out why the cert was not accepted when enabling sstp. RouterOS WinBox Error Couldn't change SSTP Server - no certificate found (6) [OK] Even thou the certificate appeared in...

petterg

Will a proxy really help in this situation? I'd suppose it would make all connections look like they come from the proxy servers ip?

petterg

Thanks. I didn't know the term "hairpin nat". Hence not what to search for.

The link describes the setup I'm currently using. What is the other way (of the two) of doing this?

petterg

Would it be possible to set the router to reply with some kind of reroute-information to the laptop on lan, so that it will send new request directly to the serverLanIp with correct port number? How does other brands solve this? I'm quite sure I've done this kind of setups before I discovered mikrot...

petterg

I got a challenge with a portforward setup. lan subnet is 192.168.91.0/24 wan subnet is 84.x.x.192/29 The mikrotik router is setup with 3 public addresses (so far) on the wan interface. From those there are several ports forwarded to 6 servers on lan. Now, the challenge. Laptops are set to connect t...

petterg

The easiest way to get what you want is to make a 3rd ipsec from brench1 to brench2. This also gives the fastest connection. If you need the network to scale better you'll need to add brench2 subnet on head-side of head-brench1-policy and brench1 subnet on head-side of head-brench2-policy - either b...

petterg

I have a fully redundant network consisting of 2x rb1100ahx2. Being fully redundant, implies a network loop and use of RST, which again implies the use of bridge where switching otherwise would have been sufficient. (And I love the by-pass functionality!) The RB's are set as master / standby using V...

petterg

I think I found a bug in CRS125 running ROS 6.5, and it's still there after upgrading to ROS 6.7 I want a bandwidth to/from all destinations except for one particular subnet to be limited (All local subnets on this box is within 172.27.0.0/16 the range) According to how I read documentation the foll...

petterg

As this new box has a significantly changed switch menu (in winbox) I suppose there might be some changes to best practice for configuring wlan. What will be the best configuration in the following scenario: CRS125 setup: ether1: gateway, dhcp client ether2: private network, dhcp server ether3-19: s...

petterg

When configuring ROS 6.6 so that one interface has one static ip and one ip from dhcp (both in the same subnet) - after a week the interface stop responding to any packets. Status in the routing table for 0.0.0.0/0 route is "unreachable". But pinging the gateway from the router does get re...

petterg

A little update here as the registerfix didn't work for one of my users. The next time I had the users pc on my hands I searched through the registry for keys named "SCHANNEL" and added the key value to all the hits I got. That solved the problem. The search got 4-5 hits. I don't know whic...

petterg

I have to admit that after upgrading CRS125 to ROS 6.6, the switch configuration in winbox is rather confusing.

What does "Bridge Type" = "service / customer vlan bridge" do?

petterg

Registry fix did not solve the problem for my user who upgraded to windows 8.1. I guess there is something more that has to be fixed when using radius for authentication? (pptp also fail to authenticate using radius, and the router never send auth-packets to the radius server, neigther for pptp nor ...

petterg

My experience is that SSTP is fastest for tunneling routerboard-routerboard and routerboard-windows when you're not having rb1100AHx2 or rb1000 on both ends. With those two routerboards ipsec 3des is the fastest. However, rb1100AH (not x2) also won't have any problem filling a 100mbit link with ipse...

petterg

I guess the same issue is reported here.

FYI, I have confirmed that this bug is back in Windows 8.1 and ROS 6.1. Adding SendExtraRecord with with a hexadecimal base value of 2, the problem is resolved.

I'll make the win 8.1 user try the register fix mentioned in that thread.

petterg

Has anyone had success when connecting windows 8.1 to routeros' sstp or pptp server? I've only got to test one pc with windows 8.1, and my experience is that radius (windows domain) users fail to authenticate when logging in from windows 8.1 client, while users that authenticate locally on the route...

petterg

A customer had the same issue. We replaced the motherboard and I have no longer access to it and can't really test this out, so I'm writing this so that hopefully others may find it handy information. I read in the changelog that this issue (or something very similar) has been fixed in a newer route...

petterg

*bump*

petterg

I'm quite sure the authentication server is not set to allow NAS-Port-Type = 5 for the username provided. (This is just another term for telling the same as I did on april 24th)

petterg

Hi guys In a setup with the following interfaces: ether1-wan, bridge-lan, bridge-dmz and bridge-guest How would you go about setting bandwith limitation to guest and dmz connections with wan, and not limit any other interfaces? My issue is that in configuration of queues i can only match on src-inte...

petterg

The solution is called Framed-pool. This is a setting that can be configured for a network policy on windows server. You set framed-pool=some name, and create a ip-pool on the mikrotik with the same name.

petterg

Seems like your radius server is not set to allow dial in / vpn connection type for the username you're providing.

petterg

A customer uses pptp / sstp to a rb1100ahx2. They authenticate with their windows domain user and the mikrotik uses radius to verify their credentials. It works. However, is there any way to make users that are authenticated by radius use different ppp security profiles? Basically what we want is th...

petterg

*bump*

petterg

The closest I've been to make this work is this: (Testing on rb493g, ros 5.22) /interface bridge add l2mtu=1520 name=bridgeV5 add l2mtu=1516 name=bridgeV7 /interface vlan add interface=bridgeV5 name=vlan7 vlan-id=7 add interface=bridgeV7 name=vlan5 vlan-id=5 /interface bridge port add bridge=bridgeV...

petterg

Hi guys. How would you do this configuration? On a rb1100AHx2 I want a private and a guest networks. On port 1-5 (switch group 1) I want the private network untagged and guest network as a tagged vlan (vlanid 7). On port 6-10 (switch group 2) I want the guest network untagged and private network as ...

petterg

You set up sstp exactly like you set up pptp. Only difference (for a basic setup) is that you select sstp every place you would otherwise select pptp. And in the firewall you need to open port 443, not 1723 (unless you select a custom port in the config) To secure the sstp you should also create a c...

petterg

May I ask how you connect the 3G usb device to the rb2011? (Where did you find a cable with micro usb male in one end and regular usb female in the other?)

petterg

I don't really see why you want the pptp server for this. If I get you right you have users traveling with laptop and a mikrotik and you want to be able to get onto to lan-side of the box i order to i.e. do rdp to the users computer. The way I do this is to setup sstp-server on the office router. On...

petterg

What if you change the script so that it disables ppp-out interface, sleep 10 seconds, do usb power reset, sleep 10 seconds, enable ppp-out

petterg

With the reduced wlan tx-power the usb was alive for almost 2 weeks! That is, the day after I lowered the power I left for 11 days. When I got back, it was still working - and it stopped working during that day. I'm not sure if is improvement though. It managed 2 days of use and 9 days of idling. I'...

petterg

I've replicated this issue on several devices and ros versions. Either I'm doing something wrong, or there is a bug. Routerboards apparently cannot use other routerboards set up with vrrp as gateway, as the arp table get a mismatch ip / mac address. Is there a trick to get around this? In short: Set...

petterg

I was not using any cable between modem and card. Where do I find the settings to adjust usb power? Now I've tested with a usb-power inejctor (huawei brand, not mikrotik) and it has been somewhat more stable. More stable in the sense that I did not need to change the router configuration. Disconnect...

petterg

Thank you. I'll give that a try.

petterg

*bump*

petterg

I've solved the startup issue this way: I've scheduled the following to run on startup: /system script run vrrpCheck The script vrrpCheck basically runs the onBackup, then waits for a while before it checks if there is any vrrp master interfaces. If there is, it runs onMaster. The script looks like ...

petterg

I connected a mobile usb modem to a rb751g with the intention that the router should provide network access for some laptops. It worked great... for two days. Within a week the mobile connection has failed 4 times, in 4 different ways. Has anyone experienced anything similar? Any suggestions on how ...

petterg

I want this to be a script. If I have to do things on my pc in order to run the script, it's kind of pointless to use a script. Then it would be easier to do all changes on both routers manually.

petterg

Except that grep does not exist in routeros. What would a command to perform something similar to grep on a file look like in routeros?

petterg

I guess the lack of replies to this thread is because it's not possible to filter on export. What about textfile editing? Is it possible to make a script that extracts only some of the lines from the export file into a new file that can be used for import? What I need is something similar to cat exp...

petterg

petterg

Metarouter is not supported on RB1100AHx2

Any chance that metarouter will be supported on RB1100AHx2 ?

petterg

I'm thinking of syncing firewall rules between two routers, and I came across the method explained in the last post of this thread: http://forum.mikrotik.com/viewtopic.php?f=2&t=59240 But how can I sync only some of the rules? I was thinking one way to go would be to prefix the comment of all th...

Search found 230 matches