I agree with pe1chl, of course. Permitting only a range of IPs that you anticipate your mobile or other internet would have when you want access, is the way to go. Still, this is kinda ridiculous to always be scared to allow access from the internet, because of such large-scale exploits that can hap...

Depends on what other rules are in effect, their order as well. This rule would block as it says - to this dst IP and this port. Maybe your banking traffic depends in some step on SSH/port22 and is not always in effect. Sometimes things are not that simple as one single TCP connection. As other said...

And why DNS is not an option, port forwarding has nothing to do with that. You use domain names instead of IPs. Also if you use Host-based multiple-websites behind one server, you will have to use domains. Well, if hosting just one default website, that is not an issue though. But what you are askin...

As seen I think it couldn't be just a bridge. You have different networks (100, 105, 98, 95) which have to be routed. Routing marks? What for...

I always upgrade the firmware as well when I upgrade ROS on devices I have or had, without problems. Yes, some time ago they changed numbering to match that of ROS. I remember somewhere they advise to upgrade both everytime.

Of course you can use it for NAS-like activities - access via FTP, offsite storage, media storage etc.

That's just the speed the port on your ONU can do or ISP provided. This router can do much more but obviously it is limited to 100Mbps by your ISP and port. Look at CPU load (of mikrotik) when speedtesting. It shouldn't be over 5-10% for 100 Mbps.

Why source-address-list or source address at all?
As someone mentioned, he is most likely missing a route at the original zone (or properly configured gateway) towards second zone.

What exact route have you created? I assume you did that on your first router (with the internet which built the 1.XXX network). You may have to create also a 'back' route on your 88.XXX network (on the ac2) that can route reply packets back to 1.XXX network. But the default 0.0.0.0/0 route that hav...

On 6.44.3 I have NAT rules that change ports from outside to inside and they work Ok.
There is something else in your config(s) (not necessarily in your tick devices) for sure that screw things up.

Why not just separate the ports 3-24 from the main bridge, let them be alone without bridges and just assign a DHCP to each one of these ports (along with addresses and corespodning Networks of course)? Simple and to the point. Then the necessary firewall rules as appropriate.

Then why do you use 192.168.88.XXX LAN addresses? If that's your LAN and you Use NAT then it's normal clients to (must) have 88.XXX addresses. Why using NAT on the MT device?
As I see it, it should just be an AP, disabled DHCP and NAT, and let your internet box manage everything in the 1.XXX network.

Check again IP addresses, I had a case with wrong IP and it took me half an hour until I spotted it. Check again firewall rules carefully and see their counters if some increases too. Check other dstnats for any conflicts etc. Make 100% sure port 55000 is not blocked by ISP. Some ISP's first-line su...

It could be some "cold soldering" some loose joint on the board. A chip or RJ45 pin.

Thanks. I know hardware-wise it's all the same (no HDDs, moving parts etc..) but I was a little affraid you know... My older router was decomissioned the other day after I configured my new device, and I shut it down through Winbox. The power LED continued to be lit up so I guess power couldn't be c...

I've got a new device and am now considering to use /system shutdown before I switch cables or places, or just to service/clean the UPS. So I guess /system -> shutdown is still the better way than just unplug, at least a bit safer anyway. After that, will the device boot up normally after reapplying...

Yeah, but as I expected, my ISP has its "half"-duplex service. If I were to reach ~1Gbps Up and ~1Gbps down, that'd mean 2Gbps internet (which is not true of course), but when I wget-ed a big file with 100MB/s, it plummeted to below 20 and 10 MB/s when I ran speedtest and it got to Upload ...

How do I test this?

For now I don't find the device too hot, in a room with 25* ambient. I placed it in a tower orientation.

Yeah, to me too. I just bought one piece yesterday and while the dealer was confident they will have sent me 256MB version, after I got my hands on it, it turned out to be 128MB. I was angry but after all and reading this (and other) topic I decided to keep it and get over it. It is just the bad fee...

My unit arrived. For now I'm very pleased with its performance (wired). It achieves the same speeds as without a router (~940/960 Mbps Dn/Up) with only about 10% CPU load. It seems the front "panel" is kind of protruded and along the whole perimeter there is one big ventilation opening tha...

Thanks. Yes, I won't use VLANs anytime soon (I guess), and definitely not PPPoE (No ISP around ever offered such access and hopefully won't). What I'm worried about a little, is this 2Gbps link CPU-switch. If WAN port is connected to this chip anyway (as LAN ports), the "internet would have to ...

Thanks. Ok, I'm already convinced to buy it after also asking advice in another forum. The guy said he was using some tunnels and VPNs.. on a 100mbit connection and his device used just about 2-4% CPU. Although Normis said somewhere that the high temps are not to worry about, I'm also almost convinc...

RB951G could not quite keep up with my gigabit internet connection with just a couple dozen of Firewall rules and a dozen dst-NAT's. What I could achieve tops around 700 mbit up and 800-820 DL. Direct connection to ISP tops around 940/970 mbit. Is hAP AC2 stable enough to handle this kind of speeds ...

That's right. Just as "contains 192" does not work, this makes it useless in this case. 192.0.0.0/8 would match "192" only in the start of the address, which is what OP wants I guess. If we have two addresses: 192.168.1.2 and 123.192.11.2, how would I match these two with one rul...

In columns that have an IP address there is a filter "in" and "not in" that you should use for those purposes. E.g. "Address in 192.168.0.0/16" Ok, yes, but Contains does the same. Why then there is "contains".. The filter comparison dropdown updates with new...

I was struggling with similar issue but in my case it seems just a limitation. I was trying to filter out rows in Connections by two filter rules linked with logical OR. Winbox seems to only use AND implicitly for its filter function with no way to use OR. See what I'm talking about in terms of comm...

I have to concur with the guys with gigabit connections. I have a gigabit connection and with fastrack I can go up to 900+ Mbps with 95% CPU, but disabling fasttrack (to enable simple queues to limit some clients to about 300-400 Mbps) and just enabling a simple queue, the speed falls down to below ...

A fellow forumer (from another forum) has tested few pieces of this new hEX. His tests show some limit of about 600 Mbit/s on-direction rate (BTest with TCP). I'm more interested in more basic home usage with a gigabit internet connection. RB951G currently is able to carry (route) about up to real-l...