MikroTik

whitbread

Nope - my best guess is, that the size grows with any certificate issued by the device. As you cannot delete issued certificates the size grows until you do a config reset.

whitbread

I use a script to store export file and backup file (no password) once a day via ftp on my nas. The router crashed - I did a netinstall already and could do a successful restore with a version from May, 7th which is only 0,9MB in size. Since then all stored backup files are sized ~2MB. These can be ...

whitbread

Same behaviour - RouterOS tries to copy / extract the backup file to internal flash and restore fails. Message box says 'Couldn't restore configuration - action failed (6)'.

whitbread

I gonna try that - thx.
The exports are available, but do not include certs an others.

whitbread

I tried to restore my crashed hap ac^2 from the latest backup file available. Unfortunatelty the size of the backup file is too big for the limited flash (what a decisive decision!) of the device. I had to use an older version of my backups. During this progess I observerd the curiousity that my bac...

whitbread

OK this information is pretty useful. As I am running a lot of mibse devices it is not a good idea to use bridge filters. Actually I use hw-offloading / switching with vlan enabled. If I understand it correctly ipv6 traffic is isolated the same way as ipv4 is. VLAN10 devices cannot connect with VLAN...

whitbread

hmm ok - this answer seems concluding. Let me ask if I understand it correctly: As long as ipv6 package is disabled or not installed, no routing takes place, but unhindered traffic within any L2 segment takes place. If I take a look at a usual switch setup (bridge with hw offloading) this means, tha...

whitbread

Thx for your answer.
So, not installing ipv6 package does block any ipv6 traffic?
I do not want to end in ipv6 traffic going through my router without being aware of it!

whitbread

I do not use ipv6 at the moment and I am not planning to do so. Just a simple question: What implication does it have to install and activate vs. to not install or disable the ipv6 package? Is it safe to leave it disabled when I want make sure, that no ipv6 traffic takes place? Or is it better to ac...

whitbread

Is the issue with maximum address list entries on arm devices (hap ac^2) resolved?

whitbread

I still don't understand how you can trust your country government (which is known for blocking and filtering information), but don't trust Mozilla, Cloudflare and Google :-D And I don‘t understand how anyone can trust G**gle at all. In fact all US-based services are to be untrusted. I don‘t use go...

whitbread

Good luck blocking all the cloud providers, since anyone can host any service anywhere. So true - this is holy sh*t! Actually I am in fact using a doh-blocklist, but if I am not trusting this anymore the only way to go is HTTPS inspection - nothing I'd like to do either. If I cannot trust my client...

whitbread

Just block dammit client-side DoH and DoT DNS. DNS is router's job - no matter if UDP-53, DoH or DoT. I do not see any argument for secure DNS, but I would never use my ISP's DNS either.

whitbread

I think MTik is not ready for ipv6 so isn’t the world. My ISP is not offering ipv6 and my hope is that ipv8 is ready before ipv6 is largely used.
The absence of NATing in ipv6 is my main concern.

whitbread

you need a good script to do what u want.

whitbread

just follow the link in #3. I use it in the same way for my untrusted iot devices. It is not a solution for a guest network imo.

whitbread

If you need an affordable router go for the hap ac2, if you need a good wireless device think about it twice. I cannot recommend anythink really apart from the good old rb2011 for your 2G network. I use my hap ac2 primarily as a router, moved the 2G network back to my rb2011 and all my 5G devices co...

whitbread

Sry Mikrotik - your public relations behaviour is a total desaster when it comes to this topic. This is a user forum. So I don‘t expect u guys to do the right thing nor do I expect that u even know the truth. We all know that here and there especially software projects might end in a desaster. In co...

whitbread

Well - try to look at your postal address first.

whitbread

This is the end Mikrotik! Regulation got u by the balls. With antenna gain and TX limitation there is no way to use Mikrotik wireless devices anymore unless u stick to a version prior to these awful changes. Even if I would tend to see the root of these changes outside of Mikrotik the devices are cr...

whitbread

Sry the actual approach is bulshit! Iam willing to comply with regulations in all areas except power. So we need a manual power setting to override. I live in an area without any neighbor wireless networks - so no big deal here. Otherwise the people are using no country setting in the future leading...

whitbread

Use a router for routing and a switch for switching. If using one device only go for a decent router. A router can do switching with ease, a switch cannot do routing decently.

whitbread

What kinda mobile device u r using?
How u connect to musiccast devices?
More details on your network (vlans, devices, subnets, etc,) plz

whitbread

If some1 probes your router on unused well known ports you do not want him to be able to evaluate if an exploit is working on another used port. True - you can use blacklists for this either.

whitbread

turn off internet detection

whitbread

Not sure what u are (not) doing with ur devices, but my rb2011´s are maxed out at about 35MBit with my configuration. So I would tend to think about adding a hap ac2 or similar as a router and you should be happy.

whitbread

I have 951Gˋs running as well plus a new hap ac2. As long as you can use FP routing you are happy. When it comes to vlan aware bridging the new hap ac2 makes u happy. It is a really nice and fast router and I am happy with the wireless as well. The 4011 is for those who need all cpu based routing or...

whitbread

Well - the CRS is a switch...

Use a router for routing!

whitbread

I gave up and use only 1 (virtual) IP in my DNS config. That does the trick.

whitbread

Thx for your explanation.
To cut it short I need to use routing technologies rather than bonding. Gonna work it out...

whitbread

Thx for answering. Well, I try to explain my setup: two redundant gateway router serve two redundant lan router; they are physically connected by a single switch and traffic is forced through a single transparent proxy. If the switch fails traffic should flow through direct connection; if the proxy ...

whitbread

I need to implement a active/backup szenario over 4 interfaces, which need to be activated in a specific order. So let us assume vlan10 will be the default connection. vlan11 will be the next interface to become active if available, followed by the interfaces vlan210 and vlan211. Can this be achieve...

whitbread

Well, it is a fact, that a lot of new devices due to hardware design are not much good for the new way of how bridging in combination with vlans or bonding is impemented. Unfortunately the devices do not scale very will with cores; a fast cpu is more important than numerous cores. Thus the one and o...

whitbread

Same issue with my rb2011-uias's. Tried to duplicate the one in production to my lab.
After restore rb started into secondary partition. Tried again with no success and gave up.

whitbread

Best advice is to buy two devices. Always use seperate ap and router/switch.

whitbread

Sry oo is on my blacklist...

whitbread

if you want to use hw offloading, put every port in coresponding bridge, configure each port in switch chip as secure including switch chip. Every VLAN that needs to reach the router must be configured in switch vlan.

leave one port extra for management until everything works!

whitbread

So bad you cannot use switch chip together with bridges anymore :( You can definitely use VLANs in "hybrid" mode ... do the VLAN filtering on switch chip (/interface ethernet switch) and "new bridge" (without using bridge vlan functionality) with individual ports as members. Not...

whitbread

*) bridge - improved performance when bridge VLAN filtering is used without hardware offloading; Just testet 6.43 on a hap ac2 - everything went smooth so far. As I am struggling for the best way to deal with my setup I did performance tests anyway. Just wanted to let you know that there is a perfo...

whitbread

Maybe specs are meant to increase sales on RB3011...

From my perspective it is the better option as I don't see any decent performance upgrade with multicore. hap ac2 is doing only slightly faster than rb2011 in my environment (far away from wire-speed).

whitbread

Whatever we request it is too late I guess...

whitbread

Do not forget to route them through anonymous proxy or gateway.

Or use onvif cameras together with your nas and stop those cameras' outbound communication at all.

Btw - same applies for all IoT devices (including Win10 computers)!

whitbread

It always depends on your needs and environment. I have no noise on 2G at all but my @pple devices do not accept 40MHz on 2G, so I had to use at least one 5G AP and choose the wAPac. It is doing nice without walls but just a single wall at 10m distance does not work at all - good to have 2G for thes...

whitbread

From my perspective 5GHz is totally useless if you want to serve more than a single room in your house.

whitbread

If CPU is not limiting by being used by bandwidth test, then I would start playing with the following values: - Band: my suggestion would be G/N only - Channel Width: must be 20/40 to achieve good results - power: if distance is low, high power is reducing bandwidth (use status -> ccq to determine o...

whitbread

You must not use RB as Traffic Generator itself when trying to measure wireless performance on the same device as this uses up CPU.

So you are measuring the measuring performance instead of the wireless or whatsoever performance.

whitbread

Same issue here - I am not convinced of 5G at all! Reason is - from my not amateur perspective - that wap ac 2G power is higher than 5G power and furthermore 2G makes it so much better through walls than 5G. In fact 5G is working only in sight distance at my home. As soon as any walls come into play...

whitbread

I cannot use Mikrotik DNS for my internal nets either. Wether this is caused by missing knowledge or missing functionality may be concluded by others. I solved the issue by using the built-in DNS-Server of my NAS, leaving Mikrotik to take care of the public DNS-Servers only.

whitbread

No significant change in disk usage nor disk writes on RB2011, Upgraded from 6.41 to 6.42.1

whitbread

I have a home-based installation with my small business running behind. I do have another firewall from another vendor between my wan and my lan. I wasn't hit by this bug despite the fact that winbox port was open. This might be just lucky as I blacklist any IP trying famous "attack ports"...

whitbread

Can we move this double reboot discussion to a separate thread plz...

whitbread

You can restrict access per user to IP(-ranges). So you may allow access only to a restricted user only.

I would tend to think about using port knocking - easy to configure and use and pretty safe if you use a good port combination.

whitbread

Are you using IPSec?

whitbread

Thx for your answer - it explains the connection between router and device A, but what about the connection between device A and B? Where is ARP needed or where can I set ARP to reply-only to enhance security? I try to draw it here: device A (edge port; vlan10) vlan10 interface - Bridge10 \ / CRS (t...

whitbread

If you want to isolate clients on the switching chip (which is my understanding of what you want to do) you need to use the port isolation feature on CRS switches. For routerboard devices I have no idea how to resolve this though...

whitbread

My network is built primarily by a CRS125 working as a switch only, a LAN firewall and a gateway router (both RB2011's). The routers are connected thru trunked ports as I am using numerous VLAN's. All devices are on version 6.41 and I am using the new hardware offloading, both on CRS and on RB2011s....

whitbread

Just RTFM - it is not that difficult:

Use single bridge with HW-offloading and keep VLAN filtering disabled. Now go to the switch menu and configure your VLAN's as before.

whitbread

I think I am stuck between the desired and the posibble. To cut it short: The only reason I was in need for 5GHz is the Apple TV - due to Apple's policy to reject using 40MHz channel width on 2GHz. I live in a pretty calm environment and don't have problems with noise. So the wAPac resides in my liv...

whitbread

Hmm - you mean I should use same SSID but different password? That won't help really. I am in the need of a high performance PtP link (wAP ac to RB951G) to another building. I know that my indoor clients would be better served with something like 17db only. That is why I started to use the wAP ac: I...

whitbread

I would recommend using a proxy server configured by proxy.pac. This would give you the opportunity to route by source IP - everything coming from proxy goes WAN2, everything else WAN1.

whitbread

I have replaced a RB951Ui-2HnD with wAP ac. The device is working as AP bridge on 2GHz and as AP on 5GHz. It is configured as CAP. As the station is placed behind some obstacles I need to use full power on 2GHz. Most clients are Apple devices which are pretty slow on 2GHz as they refuse to use 40MHz...

whitbread

wtf - the longer you read about experience with new devices the longer you tend to keep good old RB2011's, but with every second power failure I loose one ot those either.

whitbread

IMHO IPv6 is a dead concept.

Either IPv8 comes to life or I will die before being forced to use IPv6...

whitbread

Do you have access lists in place? Try without restricting signal on @pple devices.

whitbread

price is unreasonable though !

whitbread

From my experience (especially newer) @pple devices do not work very well on 2GHz. Unfortunately there are no adequate follow up devices to the famous RB951G/Ui-2HnD. My experience matches your description. Wrong password message is quite annoying - simply just don't type in new one. Actually having...

whitbread

I just finished a script for DNS failover using 'resolve' function. Cannot access it actually, but this is what did: 1. Define DNS servers to check 2. Use do / on error construct to check if resolve delivers a result 3. Use first DNS server with successful resolving as system DNS and as DNS server b...

whitbread

MikroTik Sales might kill me for that answer: If you are done with consumer grade routers you should be done with consumer related demands for a router as well. The hap ac is a really good router with a lot of feaures in networking including access to an external hdd. The latter ist not meant to ser...

whitbread

I can confirm it works as described above.

Another option is to use EOIP - the only way for me since I started using CapsMan on my AP's.

whitbread

IMHO ipv6 is a dead concept.

I will either see ipvx (x>6) or die before ipv4 will be shut down. So it is not worth the effort.

whitbread

I am still curious which devices will support HW-offloading when VLAN-Filtering is enabled. I understand, that most devices need to run inter VLAN switching via CPU, but currently all my devices (RB2011 et. al.) don't do HW-offloading at all. Is this a software limitation of the current RC developme...

whitbread

imho it is actually only good for a LAN router not for a router with direct uplink.

What I do like actually is that it gives information about the ports open via MAC.

whitbread

Oh boy - you are right: RTFM! The bridge itself is kind of an interface. Now everything works. But I am still curious if I choose the correct way to work with untagged i.e. PVID1-traffic. Both trunk ports have PVID1. The whole configuration works only if I set both trunk ports as tagged in bridge vl...

whitbread

I am stuck with new bridge implementation using VLAN's either. What I want to accomplish is to pass tagged traffic through the router while reaching the router through the same VLAN. I am using RB2011's and a RB951G with v.6.41RC44. R1 is connected via cable to R2. R2 is connected via wireless bridg...

whitbread

switch chip is history.

Main setting will be the Bridge Port VLAN setting. For tagged ports u need Bridge VLAN setting.
Actually for most devices hw-offload does not work when VLAN is enabled on a Bridge.

For details plz refer to the manual (wiki).

whitbread

You don't seriously recommend using Windows 10 ?!?

whitbread

I keept it simple naming it "WLAN"...

whitbread

I won't buy any new Mikrotik with 16MB storage size!

Reasons are not hard to find:
- 2nd partition as a backup for config changes and / or updates
- local backup and config exports to store for a cpl of days
- updates without any problems (I know it works usually but not always)

whitbread

Thx for explanation.

I have a strange situation: I have two transceivers with a 85DLC05D sticker on it, but one shows up as a 35LC20D using 850nm?!?

whitbread

I want to connect two RB2011UiAS RM via SFP. Actually they are only centimeters apart, but this may change in the future. New distance will be beyond 50m though. As this is my first contact with fiber I need to ask some essential questions: Can you connect a S-85DLC05D to a S-35LC20D? Which cable ha...

whitbread

Yep - in default config eth1 is WAN interface, thus blocks incoming traffic.

whitbread

cutting a long story short, you cannot 'redirect' https with ROS. U have to use a proxy which supports https, Mikrotik doesnt...

whitbread

As I have the same issue with 6.40.1 (see version thread) I would recommend to go back to 6.39.2 which works fine.

Sending supout ist certainly highly appreciated.

whitbread

One of my RB2011UiAS-RM's runs into kernel failure every couple of hours - back to 6.39.2 - no more reboot's occured.

whitbread

But take into mind, that from next release on (currently RC channel) there will be no more difference...

whitbread

my experience is that external services like OPENDNS dont't really block the stuff I would rate as evil. So go for DNS blocking on your router or proxy with blocking rules.

whitbread

books are 'offline' - I like that idea

whitbread

Think about higher MTU

whitbread

Just regularly update your OS - and never believe in snake oil aka virus scanner!

whitbread

Another good idea is to restrict access to services by ip (/ip service). Making services only available from local ip ranges / subnets will help against those attacks and btw did help vs. the current exploit either.

whitbread

Blocking Skype is the way to go btw.

whitbread

RB2011UiAS and RB951G show same results with ~380 Mbps

Funny thing is my RB951Ui shows ~470Mbps

whitbread

Probably not a problem of winbox. I am running 3.7 daily with many opened devices simultaneously for few weeks without any crash. Win 7 ultimate 64bit. Certainly a winbox problem as all versions until 3.4 were running like charme. Didn't say it is not working on all Win 7 64bit installtions though ...

whitbread

Winbox 3.7 crashes repeatedly on my Win7 64bit. Not even able to kill the process; have to do a full reboot to solve the problem. Winbox 3.4 works stable though. As ROS 6.37.1 does not work with prior versions of Winbox is there a way to get hold of a ROS 6.36 version for my problem router hap lite ...

whitbread

no answer yet...

holiday season?

wrong question?

other reason?

whitbread

Nobody around able to give me a hint?

whitbread

We switched from NAND to SPI FLASH, which have proven to be more reliable. We may use bigger size SPI FLASH in future, but since it is enough for RouterOS basic functionality, we use the best available size at the moment. This is at least an answer even though I don't like it. I agree with you tha...

whitbread

My Setup is as follows: Notebook - 951G(1) - Wireless Bridge - 951G(2) - NAS If I connect the NB via cable to (1) I reach throughput of app. 14MB/s, Notebook - AP - 951G(1) - Wireless Bridge - 951G(2) - NAS but as soon as I connect another AP (RB751U or Airport Express) via cable my throughput drop...

whitbread

What I am missing in the whole discussion is the reason / motivation of MikrotTik to stick to 16MB... I use many RB751U's and a lot of RB951's (U/G) and have always 2 partitions in place. I tried a RB941-2nD and this is a nightmare! So I still resist to buy any of the newer models with 16MB. I would...

whitbread

No problem for me apart from the naming. I am a SOHO user only and nobody else than me is relying on my infrastructure.

whitbread

Sure but RC is not Test; so a bricked unit is not be expected usually...

If something is not working you rather expect to downgrade to your last working version and not to start from scratch.

whitbread

My RB951UI constantly reboots every 10 to 11 hrs (watchdog enabled) due to lost connection to RB951G connected directly via ethernet. Both on RC32. No memory or cpu issue according to graphs. supout sent.

whitbread

I would rather tend to deinstall packages not needed; this frees up lots of memory and storage.

16 MB is not sufficient for all packages. I can accept that on hap lite but not on hap ac lite...

whitbread

Solution:

http://forum.mikrotik.com/viewtopic.php ... 50#p515250

whitbread

Solved this issue finally! (tested on version 6.32.1)
...
it was solved by turning the ip cache feature back on.
...

I can confirm, that enabling /ip settings route-cache works on RB750GL, RB951G-2HnD both on Rel. 6.34rc34

whitbread

MikroTik does not support OVPN on UDP Ports; your VPN-Provider expects UDP though.

whitbread

I have a weird behaviour: I am using a RB750GL and a hAP lite both running on v6.33.3 stable. Both are used as PPPoE router and are interconnected thru EOIP / IPSEC. When changing a comment on a firewall rule in WinBox suddenly all interfaces dissapear except the ether-interfaces, cpu goes up to 100...

whitbread

Thx for your help so far - I am still testing...

whitbread

I had same issues with L2TP / IPSec; using EOIP / IPSec now and doing a reboot every 4 hrs...

Tested ROS 6.33.3 and 6.34rc19

whitbread

Did I do anything wrong or nobody around to help?

whitbread

I have a RB751U-2HnD running RouterOS 6.33.3.

IP Cloud is inactive

 /ip cloud print
  ddns-enabled: no
  update-time: no

but I see connections to 81.198.87.240:15252 - why this?!?

whitbread

What I try to accomlish is policy based routing based on source IP. I followed http://wiki.mikrotik.com/wiki/Testwiki/IP_routing#Dynamic_routing Using " Set up routing policy using ip route rule " works fine, but I always get into timeout errors when using " Set up routing policy usin...

whitbread

Strange behaviour here - action timed out: When changing interfaces the following appears after a long while: 2015-11 Mikrotik Winbox Error Could not change interface.JPG Same issue in the console: 2015-11 Mikrotik Console Error Could not change interface.JPG Supout.rif already provided to Support.

whitbread

IP menu - Web Proxy - Access - ...Crashed!
Windows 7 x64

+1

whitbread

Isn't the Anonymous checkbox in Web-proxy meant to do this?!?

whitbread

Nobody?!?

... or did I do something wrong?

whitbread

Goal: I have a scenario where I want to split traffic coming from clients connected to Router B (station) with destination clients connected to Router A (AP). I have two subnets numbered #1 (172.16.1.0) and #3 (172.16.3.0) connected to Router B. I have the same two subnets connected to Router A. Th...

whitbread

Nobody any clue?!?

whitbread

Hi, I have a RB 750GL which worked once. Since days now I do not get any connection at all. What I tried to solve the problem: - reset the configuration by using the reset button and finally the reset jumper hole I am not sure if I did it correctly because I do not understand when to release the res...

Search found 119 matches