The problem with a jump version is it leaves the admin with a one-time-only choice: what options do I set? Now if you want to secure the device in case of a possible future exploit you should choose the minimum options required. But what do you do if a year down the track you suddenly discover that a ...
A jump version is simply a temporary solution; what happens when Mikrotik decide there is a 'new' device-mode setting that can be set? Another 'jump' version? No, I believe the easiest way forward is as I've described: https://forum.mikrotik.com/viewtopic.php?p=1103228#p1103228 It enables ISPs/SMBs/...
OK, the main points of what I was proposing to ease this transition: On first upgrade to 7.17, or initial power-on or netinstall with 7.17+, display or have available (/system/routerboard/get device-token) a secure device token string for a limited period of time (30 minutes). The admin can copy this ...
@infabo, I like how you think, but we need to find a suitable path forward. The pitfall, I guess, falls into the "you can't trust a compromised device/pc/mac/toaster" category. You should netinstall such a device or 'recycle it' (rubbish bin). (A possible workaround would be to only allow t...
@ofca, @mikrotik, Another option would be to have a token that can be user-settable for, say, 30 minutes after initial upgrade to v7.17 or first power-on if already 7.17+. After that period of time you would need to set a flag and power cycle or reset the device to allow the token to be set again. Onc...
@bbs2web MLAG Config: Just some quick observations, may or may not help: I see you are tagging the bridge with every VLAN; unless you are creating VLANs under the bridge to add IPs for routing (not supported with MLAG), I am not sure why you are doing that. My MLAG switch is purely L2 with the except...
@bbs2web: MLAG peerlink I have 2 x CRS317 with LACP 802.3ad peerlink, connected via 2 x 10g DAC cables. No issues with the peerlink flapping. Zero. Since you have already tried replacing the DAC cables without success, maybe try moving the peerlink to two SFP+ (10G) ports with suitable DAC cables. R...
The documentation ( https://help.mikrotik.com/docs/display/ROS/DNS ) does not even list the vrf parameter, so who knows! But I agree, this would appear to be messy. Both the 'server' settings and 'client/resolver' settings are in the same flat list. A better solution for the dns client would be to ...
@bratislav - MLAG & v7.16RC4 I changed my MLAG configuration to have the management IP on the bridge (br-trunk) instead of a VLAN interface (vl-switches) under the br-trunk bridge. I then upgraded to 7.16RC4 and it went fine, I lost a couple of pings and switches went up/down, nothing unexpected...
@bratislav, interesting, as I have the same setup, including 2 DACs in 802.3ad bond for peer link with dedicated PVID. All VLANs are tagged on the LAG-PeerLink except for the PVID (3999) for the peerlink, which is untagged on LAG-PeerLink. Multiple LACP bonds to fabric switches (some MT some not), a...
The issue is not ESX, that is just a highly visible victim. The floor switch (crs328p) connected via LACP across both crs317 (MLAG) switches also loses the ability to ping one of the MLAG switches for a period of 5-15 mins after the switch has actually finished rebooting. It seems like the mlag is n...
ESXi is just the obvious user-facing issue. Ignoring that, I still have the obvious problem of not being able to ping one of the switch management interfaces for this period of time also, indicating the problem is to do with the L2 MAC table, not ESXi. At a guess the mlag switches are not synchronis...
MLAG is configured to support the top-of-rack switches and floor switches which connect to both fabric switches using LACP. Yes, ESXi will happily work without MLAG across two switches. The issue is the floor switch losing connectivity to half the VMs and one of the fabric switch management IPs when ...
FYI: MLAG issue: two CRS317 in MLAG, with ESX hosts dual connected to CRS317 (not LACP, but having ESX decide which switch to send traffic based on the port up status, and the MAC address of the VM). When switch 1 goes down for firmware upgrade, all is ok, ESX starts using switch 2 for all VMs. When...
@strods, The problem appears to exist regardless of IP configuration. It was first detected on a fully configured and working unit that was upgraded to 7.16 rc1. I just tried to find the minimalist config required to reproduce the issue. (Of course in my live mikrotik if the ISP pppoe tunnel is not ...
On Topic: 7.16 RC1 - Found an annoying bug with the 6to4 tunnel interface. I have VRRP on-backup and on-master scripts that disable or enable various interfaces to enable HA between two Mikrotiks. One of the Mikrotiks ended up in a boot loop. The root cause was a process failure when the 6to4 tunnel ...
@br0kenPKI Thank you for discovering this, spending the time to investigate it, verifying each version to determine when the problem occurred, and creating a corresponding SUP. Your posts were informative and clear, and your efforts should be commended. If MT closed the case with not a problem in re...
Bump on this please, has everyone else given up on MLAG on the CRS platform? I have a pair of CRS-317s in MLAG, with two DACs in a bond forming the MLAG channel between the two CRS-317s. I have an upstream CRS-328P that is running LAG across both CRS-317s (in an MLAG LAG group). I have AX3 access...
Upgraded my two CRS317 switches running MLAG to v7.15.1 and continue to experience this problem. swFloor -> LAG -> MLAG ( swFabric1 <- LACP Bond Peer Link -> swFabric2 ) Now the critical bit: To manage swFabric1 & swFabric2, they both have /interface vlan add interface=br-trunk name=vl-Switches vl...
Just manually downloaded winbox64.exe and it still has the invalid digital signature due to being signed after the signing certificate had expired... Either it has been signed with an expired certificate (and signed after the certificate expiry date) or if MT have fixed the problem (i.e. They must ...
I added the following to 'enable' steering on the CAPsMAN: /interface wifiwave2 steering add name=<NameOfSteeringGroup> neighbor-group=dynamic-<wifiSSID>-<RandomHex> rrm=yes wnm=yes Note: You do not get autocomplete for the neighbor-group-dynamic= parameter, you need to obtain the name of the group m...
7.10beta5 - Remote CAPsMAN managed AX3 - Uptime approximately 4 days 10 hours, "invalid password" prompt across Win11 Laptop, iPhone and Samsung phone - again... Rebooting AX3 resolved problem. Created SUP-116195 with support.rif file whilst it was in its failed state. The other AX3 (actin...
For me (CAPsMAN controlled AX3), I needed to disable hardware offloading on my trunk port on the bridge (I was trunking back to a main switch). In your configuration your ax2 is acting as a switch, so disabling hw offloading will impact speed at which traffic will flow between two ports on the same ...
*) wifiwave2 - fixed dynamic interface adding to bridge on CAP device; Hap-AX3 remote CAPsMAN controlled dynamic VLAN addition to bridge does not work still. I need to manually bridge wifi interfaces to correct vlan, and ensure the upstream ethernet port (trunk port) is marked as not hardware offlo...
Yes, I have multiple SSIDs and VLANs. Due to 7.9 not dynamically adding VLANs to remote CAPsMAN-managed AXs (works on a local AX if that AX is also the CAPsMAN server), I have to manually bridge the wifi SSIDs to the appropriate VLANs. Having said that, others are experiencing the same issues with s...
OK, make that 4 of us, both of my hAP AX3 completely drop wireless clients after around 24 hours. They continue to advertise the SSIDs but no new registrations occur. I'm using CAPsMAN server on one AX3, the other AX3 is a client. Both stop registrations. As a test I rebooted the remote 'client' AX3...
7.9rc5 with AX3 (CAPsMAN slave), updated from rc4 fine. Worked for a day, then iPhone 14 and Samsung S10 both reported password incorrect (although not changed). Laptop (connected using a different SSID) also reported disconnected (Windows 11). Rebooted AX3, laptop automatically reconnects. Phones ne...
@Ullinator see my post #114, dynamic port binding does not work in AX models at present. If you want to get it to work you have to manually bind the wifi interface to the bridge using the correct vlan-id. Here's hoping Mikrotik get this sorted soon, they have an AX CAP device in production now, I am...
@nonolk: I don't have a SUP for the "incorrect password" problem, I don't have a handle on it yet. I created a sup for the dynamic binding/vlan problems, and was informed it will be fixed (hopefully 7.9 final, but that may be too optimistic). I don't know at this stage if the password prob...
I have none of your problems, I have one hAP ax3 and two hAP ax2 with capsman which work perfectly. You probably misconfigured capsman wave 2, I don't use dynamic interfaces for wifi. CAPsMAN is "meant" to use dynamic binding, so that you do not need to configure static bridge port bindin...
CAPsMAN AX3/Audience issues with 7.9RC1 and 7.9RC2: Dynamic binding of datapath to bridge port not working on remote hAP AX3 devices. Dynamic binding of datapath to bridge port works on a hAP AX3 device if it is also acting as the CAPsMAN. Updating CAPsMAN wifi profiles results in remote APs re-creating...
After upgrading to RouterOS v6.6 on two 1100 AHx2, I found that I was not able to ping certain interfaces. The investigation revealed that the ARP cache on the switches was learning 00-00-00-00-00-00 MAC addresses dynamically for other RouterOS v6.6 interfaces, and so were clients. As seen by /ip a...