MikroTik

dave864

I think my point was made quite well. Nobody from MT did anything about openWRT discussion. However, other people did. What comes next is that, that person is now a mod and can now take matters in their own hands. Interesting that some long term forum users think of the benefits of openWRT Without h...

dave864

Late to the party, I don't visit often. However, What I would like to reaffirm is that non paid mods need respect others and not let power do to their heads. Holvoetn recently told people off in the cap wave2 thread. https://forum.mikrotik.com/viewtopic.php?t=170736 I'd say, unless a paid mk staffer...

dave864

Hi, I tried open wrt but couldn't get it to install. I gave up.

I agree with your findings but sadly this hardware is depreciated. It is a shame.

dave864

I am able to access the router using MAC, but not using IP address when using the Winbox tool.
Strangely, I can access through a browser to the same IP.

Any ideas why that is?

dave864

I've had a strange issue whereby I lost access to various devices and the ARP tables are filling up with IP addresses that don't exist, but the subnet does. Also, Winbox cannot see my router anymore. This is on 7.6. So for now I have removed CAKE, and gone back to Simple queue + FQ_Codel. The ARP is...

dave864

Everyone in here. Thanks, I finally got mine working properly instead of the Frankenstein mess I had before! Windows: Addresses set to a unique /32 address 192.168.30.2/32. Allowed IP = 0.0.0.0/0 End point = my Router IP/port Peer = Router unique public key Interface = client1 unique public key Andr...

dave864

Just tried Cake on Interfaces. Works really well in ROS 7.6. Eth 7 - WAN = Upload 70M Sfp+ LAN = Download = 520M Speedtest gives 504M and 67M with ping 7ms no load, 7ms under load and 6ms upload when on load. Voda fiber has provided me with 500M 68M connection, and I'm passing through their router a...

dave864

I've tried out Cake on an interface that is asymmetrical and it appears to work fine. 500Mbs down and 87Mbs upload. Cake was set to 85Mbs and appears to provide the expected maximum download while having near maximum upload with low latency. Surely, download is shaped and controlled by the ISP and u...

dave864

Hope everyone learned a lesson? Don't jump the gun. Chill out. Let some people install and see how it goes. Use a test bench. I only just upgraded to 7.2.1 the day before these nightmares started. My next jump will be a week tested 7.4.x Stop jumping on every update that comes out. Give MT time and ...

dave864

Interesting...... - enable "use IP firewall" on bridge settings After I changed that setting, my mangle for set priority suddenly sprang to life. It went from 50 packets over weeks, to incrementing rapidly. No other settings changed. So I have: WMM on, 0 to 5 ticked for AMPDU, and a post m...

dave864

bowl, I too wondered about this. Because with fast path, mangle is not used. After days of usage, I have barely a few packets that hit the mangle.
Also, in your example, you only set priorities 0 to 5. What about 6 & 7?
And why is guard set long and not both?

dave864

don't use capsman.
Distance set to indoor and not left as default which is dynamic. I think this option is only available on stand-alone.
Can't really suggest anything else.

dave864

I get 1472 on wi-fi to the router. Ping payload. 1464 to Google DNS. Looks ok I'm terms of it working. But I'll probably tweak the wi-fi to match my internet size. There isn't much point having large packet sizes as you're limited to your ISP beyond your network. You are aware that the packet sizes ...

dave864

While experienced users will be puzzled by the simplicity of setting to caps mode for capsman adoption, or bridging to enable the Ethernet port, a new user to routeros finds usage to be a very steep learning curve. What I mean is, while we may not see value in what is being requested by @homerouter,...

dave864

I have a Xiaomi 11T phone and the same problem when trying to login to hAPac3 on 5GHz. I tried to activate CAPsman and the login was successful. I spent two days searching for the difference between configuration via CAPsman and without it. I found it - I guess. The problem is that by default, when...

dave864

I have a Xiaomi 11T phone and the same problem when trying to login to hAPac3 on 5GHz. I tried to activate CAPsman and the login was successful. I spent two days searching for the difference between configuration via CAPsman and without it. The problem is that by default, when configuring the WLAN ...

dave864

Excellent! There was a difference and you were correct. Horizontal gives about 2m more range, so probably 6m in total! Only kidding. All MT wi-fi is terrible anyway so knowing the best way to get the most out of them is useful. I've got 2 of these for testing and even used 1 for a year or so. Quite ...

dave864

I've noticed this too. But I do occasionally get 2 streams. Maybe it's noise and the mikrotik wi-fi struggles?

dave864

Everyone asks the auto frequency list question but nobody answers it. In frequency, enter a frequency and click the down arrow and enter more frequencies. That's it. I should state that capsman allows frequencies to be constructed in a separate frequencies panel. You tie all the panels together at t...

dave864

Sounds sensible. Wi-fi features definitely need work.

dave864

I feel the forum is taking a turn for the worse. Asking commentators to post a config or it didn't happen and other forms of proof. All is a bit harsh. Hats off to those that did apply the proof that they were telling the truth! Geez. Have some faith in people. MT forums are usually populated by pro...

dave864

Hey, what about the beeper..... Will that be enabled for sound effects too?

dave864

Hi kiste, I've not found the examples given to sufficiently explain setting up 40/80MHz. It's an easy pointer to understand what they are and I'm sure you and this thread Op from 2018 understood too. I'm my case, I've always used 20MHz channel until recently. Basically, you don't have to set anythin...

dave864

I've no idea if you're setup correctly as mine looks different to yours. But, v7 software routing is not complete and recursive does not work yet - as far as I'm aware.
I'm on long term. V6.47.10 I believe.

dave864

It has been decided that old equipment will not get r k v and that new equipment, not yet released will get these features. This is based on old stuff using a custom wi-fi code. MT will not back port because the firmware flash storage in those devices is typically too small at about 16MB I believe. ...

dave864

I'm on the latest stable and have persistent 3% packet loss on capac. Speeds are consistent though, if not a little slow.

dave864

The only thing clear is that wifiwave2 will not come to old products. MT will not support both packages running in v7 - I guess this is what is meant? MT will not back port wpa3 to the old v6 wi-fi package but that package is still actively maintained, for now - am I correct? Does this mean that cap...

dave864

I know it was said that there are no plans for AR9300 to be supported in WiFiWave2 package. However are there any plans of supporting running both wifiwave2 and the normal wireless package alongside? There are no plans to support running both packages at the same time, no. The wifiwave2 package bet...

dave864

I think early generation of cap AC were released with 256MB. But a later revision reduced that. All mine have 256MB. I could be wrong here. I'll see if I can grab a screen shot. But it might be possible to load through CAPSMAN. In theory it should be possible, to load a binary file with a config. Bu...

dave864

I must say that I find openwrt very interesting. I'd like to run with wpa3 on my CAPs and MT have not committed to any new features. I'm sure they will do something, eventually though.

dave864

I removed the Source address and it made no difference. I don't know if I'm imagining it but now I have a simple Mangle on Prerouting, it appears that some web pages are stalling. Is it correct to simply have a single prerouting mangle rule covering the lan (for each WAN)? add action=mark-routing ch...

dave864

I had another go at doing the mangle without conn marks and I think that worked. add action=mark-routing chain=prerouting comment=WAN1 dst-address-list=!to_WAN2list new-routing-mark=to_WAN1 passthrough=no src-address-list=to_WAN1list add action=mark-routing chain=prerouting comment=WAN2 dst-address-...

dave864

Just a note: you don't need to mark connections in your setup, as you mark connection for every packet from LAN, and then mark routing for every packet from LAN using connection-mark you just set. You can mark routing directly. Unless you're using those marks in Filter or NAT for some reason... Any...

dave864

From the bits of information you've posted instead of the complete configuration, I assume that you didn't get the purpose of setting the connection-mark in the /ip ipsec mode-config row. You can use src-address-list , connection-mark , or both, but if you use both, packets need to match both to ge...

dave864

Hi Note,
If you have a rule that marks a connection, and then a rule to mark a route then you must have passthrough = YES on the mark connection. That way, the processing can drop onto the route mark rule.

dave864

2020-07-22v2.png I think I know the problem: Mangle. My Ether7 and Ether6 inputs are mangled to WAN1conn and WAN2conn. So when my traffic on WAN1 swaps to WAN2, the incoming traffic gets conn marked as WAN2conn while its out going traffic remains at a WAN1conn mark. Do you agree, is this the problem?

dave864

Do you use VRF there?.. > no to_WAN1 data flows through WAN2 What error does, for example, 'ping' return on the client? Is it timeout? Did you check where actually packets marked as to_WAN1 go? No idea what VRF is. I do not use BGP or anything. This router is in my house, I plugged 2 mobile broadba...

dave864

Normal: WAN1 and WAN2 working 0 X S ;;; Local LTE dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 scope=30 target-scope=10 routing-mark=to_ISP2 1 A S ;;; DEFAULT route for WAN2 devices to WAN2 dst-address=0.0.0.0/0 gateway=8.8.4.4 gat...

dave864

Yes, that is correct. For to_WAN1, When the modern on ether7 goes down then I expect it to switch to ether6. While that does happen in the router, additional dynamic rule is created. And the traffic does not actually flow to ether6. When I delete the dynamic rule traffic still does not flow. By dyna...

dave864

to_WAN1 and to_WAN2 So I have removed the old testing rules. So everything listed is used except the LTE rule 0 and the currently the blackholes are not active. 0 X S ;;; Local LTE dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway= scope=30 target-scop...

dave864

I removed the DAS dynamic entry - again. happens whenever a connection drops. 2020-07-20 (2).png Now I get this: 0 X S ;;; Local LTE dst-address=0.0.0.0/0 gateway=192.168.42.129 gateway-status=192.168.42.129 inactive check-gateway=ping distance=2 scope=30 target-scope=10 routing-mark=to_ISP2 1 A S ;...

dave864

I had changed WAN1 to now be fully Conn marked. So now both WAN1 & WAN2 devices have conn marks. I obviously have the Route marks set in Mangle too. Today I had an outage on WAN1. I turned WAN1 off and all the WAN1 devices did not switch over. The route did change to the backup. However, a Dynam...

dave864

WAN2 have a connection mark.
WAN1 does not. Could that be the source of the problem you think?

dave864

I have tried this method of load balancing with fail over. While I am able to successfully load balance; WAN1 without any routing marks but WAN2 with routing mark to_WAN2 Using Address lists and Mangle I now have most traffic on WAN1 but 2 devices on WAN2. When WAN1 or WAN2 are power cycled, the rec...

dave864

Thank you!

Just bought Chateau. Worked out of the box but upgraded to Beta8 and it broke LTE.

These commands worked:
/interface lte apn add apn=internet use-network-apn=no
/interface lte set lte1 apn-profiles=internet

Didn't do the IPv4 bit. For another day!

dave864

Hey, that works.
Web pages are going through better and google now works.
Thanks - very much appreciated

Just ran speed tests to the free ProtonVPN in NL and it is doing 20mbs both ways. vast improvement

dave864

Tunnel = un-ticked
Source = 0.0.0.0/0
Dest = 192.168.50.0/24
protocol = 255(all)
Template = un-ticked

Action = none
Level = require
IPsec Proto = esp
Proposal = ProtonVPNproposal or should this be default?

dave864

My IPsec policy is a template.
Are you saying I create the exact same thing but set it as not a template and set action to none?

I don't understand that. You're suggesting that the ICMP packets are incorrectly being pushed through the tunnel instead of back to the lan

dave864

Hi Sindy,
Your second point about IPsec and mtu. I am confused.
I understand the mtu and your reasons but not sure how to solve it with the additional rule. Is that a firewall rule or something I setup in NAT or IPSEC?

dave864

The free server is a bit funky. I get some web pages working fine, Google webpage/search doesn't work at all. DNS does though although I use 8.8.8.8 and 1.1.1.1 so no idea if my dns switched provider. This issue might be my config and not related to the free server. Anyway, speedtest net mobile app ...

dave864

Well what da-ya know?!?!? I did it!!!! Thanks Sindy. I had not done that part. https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_RouterOS substitute for ProtonVPN, got an address (free server) in Netherlands got my IKE details from my ProtonVPN account Got cert from: https://protonvpn.com...

dave864

I get
Can't verify peers certificate from store
Peer failed to authorise

Any ideas?

dave864

I do not have any fast-track firewall rules. I don't think fast-track is enabled. I looked in IP\Settings and the Fast Path is unchecked (think that is something entirely different though) I do have route cache enabled though - don't know what that does? I use simple queues and remember there was a ...

dave864

I don't understand the 2nd and 3rd Prerouting.... If I untick PASSTHROUGH on the 2nd. OR I move the 3rd up to position 2 then the connection fails. I have removed the Connection Mark from the NAT and all is ok. But the problem above is still apparent. NAT Chain=Src NAT, Out Interface=LTE1, Action= M...

dave864

Ok. Got it. ISP1 is ADSL ISP2 is LTE I've got the unique device MAC marked and placed into an address list DeviceToISP2 - done in MANGLE Firewall For now, I've put a block all INPUT chain from LTE1 Mangle - Untick Passthrough except for where mentioned PREROUTING - In interface=LTE1, Action=Mark Con...

dave864

I'm trying to do the same.
I have tried packet marking all from a device single IP on LAN and using Routing. But this still does not work.
Any ideas?

I only want one device to pass through WAN2 while all other traffic to go through WAN1

dave864

This is great news.
Does anyone know the url to fetch the google cert?

dave864

Why is the use-ipsec=yes a bad thing?

dave864

I don't know when it happened but the kid controls don't appear to accept times anymore. Not that it's important in the grand scheme of things.
It was working when it accepted only the allowed times but Mikrotik decided to add on times and off times which is odd.

dave864

+1
About time DNSCrypt or DNS over TLS was implemented.

dave864

Strange. I have mine setup the same way. My kids Mac address is set and the hours it can be active - not blocked, are set. And yes, the guide was not entirely helpful. Once blocked, you should see a B next to the device Includes the kids menu. Also, a firewall will is created at the top of your fire...

dave864

I'm not sure anyone really knows how to do this as I've asked similar questions. I've tried using certificates but they just don't work. The guide is not very good and I think it needs updating with a fool proof step by step instructions list - with pictures! I'll be watching this thread for a solut...

dave864

My internal IP is 192.168.60.1 for the vpn elements.
Perhaps some of my error is with the certs so can we start there please?

Every guide ive read does the certs differently for SAN and most guide assume knowledge and miss out tons of details. I just can't get this working.

dave864

Could anyone help provide a real idiot guide to ovpn with Mikrotik and Android please? I have tried making a cert and configuring the ovpn client but can't get it to work. I have tired my certs generated, inside my Mikrotik, with L2TP and can't get that working either. All I can use is preshared keys!

dave864

+1
I have an iot gadget that needs DTIM or beacons to be spaced out. DTIM works brill at 7. My choice was that or change beacons to 200 / 250 ms

dave864

Any equipment you buy today will support 11r and 11k. Anything in the last 2 years will too. Almost all iPhones supported these standards for several years.

These standards are supported in all modern WiFi chipsets. It's up to vendors to implement on top.

dave864

I use edimax wap1750 with 11r and 11k. 11r gives a FT on my SSID decode data using WiFi analyser android application = [WPA2-PSK+FT/WPA2-CCMP][ESS] All clients - android phones and tablets - connect and roam except 1 laptop with old Intel WiFi. 11n I think. In that case it connects but falls asleep ...

dave864

Thanks KAAS for the L7 work. it's very useful.

dave864

Use a L7 filter, mangle and a simple queue. /ip firewall layer7-protocol add name=MicrosoftUpdates regexp="^.+(update.microsoft|windowsupdate|download.microsoft|wustat|ntservicepack).*\$" /ip firewall mangle add action=mark-packet chain=prerouting comment="ms list dst" layer7-pro...

dave864

Just Google it. No offence. I tried coaxial direct copper. This has the SFP+ integrated to the cable. It works perfectly at 10G speeds. I should think that most if not all SFP/SFP+ modules will work. Although you should be looking at SFP+? I remember reading a few issues but don't remember the brand...

dave864

It does look like the way I have it setup is to try and reserve or guarantee a minimum service. But that any one user can use all the capacity if available. To have 5 users, each will need to be manually setup with ip addressed and have a queue each. Seems like hard work. Is there another way of doi...

dave864

Err. Just done a quick test on 6.34.6 it appears the simple queue isn't working. Both limit at and max limit are not working as I thought they did. I'll do some more testing tomorrow night, but you might be right with the limit at setting reserving capacity. If that's true then either set a simple q...

dave864

The PCQ type works very well for me but..... PCQ is per connection queueing. From what I understand, it detects a connection based on ip. I haven't tested it for a while but I could be wrong on its effect. I'll test this weekend to find out. I seem to remember having it allow an individual user to u...

dave864

The limit at parameter tells the router to give 2M to reach IP. The max of the connection is 10M. The PCQ type will use this information to try and guarantee 2M per ip. So.... Say you have 2 users. Each will get 2M. Total used will be 4M Say you have 5 users, each gets 2M with total 10M. Say you hav...

dave864

Target = 192.168.0.0/24
Max limit = 10M
Limit at = 2M
Queue type = PCQ-UPLOAD-DEFAULT and also PCQ-DOWNLOAD-DEFAULT

I have one for the ISPQueue connection /16 and one for each smaller /24 group. These smaller groups has the main ISP queue linked using the PARENT=ISPQueue setting

dave864

Not sure if you solved your setup. I use simple queues assigned as PCQ. "Max" is limit of broadband, "limit at" is the guaranteed minimum. Simple queues can be IP ranges or i think, individual IP address. It doesn't use ports. So, in your case, I would bridge all together for the...

dave864

Hi, When I setup a simple queue using PCQ, the total counters do not increment. PCQ download and upload are OK. The queue functions correctly. With default-small for the total, the counters remain blank. But, set the total to default and the counters start working. Very odd. Is that the correct setu...

dave864

On my edimax pro, mine were defaulted to 300s. We have no issues with android gear and have no apple stuff yet. But I can change it to 65535s max. I chose 12h. On the edimax the setting, if the same, is called station idle time out. I've already ordered a couple of mikrotik APs to test. So I hope th...

Search found 78 matches