Hello folks, a bit of a tall tech tale to tell here ... hope you can offer suggestions
I convinced a friend to purchase a hAPac who needed more control of his network than the ISP gateway/router would give him. I kept it for a few days while I updated to 6.43.2 mipsbe (and firmware), configured a firewall/NAT, scripts, scheduler, backups, exports etc on it. All seemed to be going well. I had configured it so that I could get into his WinBox from my home, and my cellphone via the Mikrotik Android app. When we installed it into his house, everything seemed to initially go well. We installed it at the demarc point in the basement level of his house which is not the best place but had ethernet cable running to a few points in the house, so there it stayed. The shelf where the hAPac sits has a 6" tin heating pipe 12" directly above it, and a natural gas furnace slightly below and offset a few feet.
Before installing at his house, I set up some firewall address-lists as blacklists and Bogons. While configuring these lists I tried to specify different timeout values and had a heck of a time doing so. When it did take the new timeout value, some of the timeout values were applied to lists they were not intended for. For example:
/ip firewall address-list set timeout=3d [find name=intrusBL];
would apply the specified timeout to a few, but not all of the addresses in the Bogons list I had created, in addition to the solely intended intrusBL address-list. I tried this a few times with the same results. Eventually I removed the ~20k entry dynamic blacklist, got the Bogons straightened out and left it at that until I had more time to work with it.
When we installed it at his house we called our ISP to turn off its wireless broadcast and just be a bridge gateway to the internet with his new static IP. All good. The ISP gateway/router was not broadcasting its SSID anymore and the previous ISP AP SSID was not showing up in mobile devices. However, later when I ran his WinBox wifi scanner from my home I found some device broadcasting on 2.4GHz/g @ -19dB. I figured this must be coming from within his house but we had asked the ISP to turn off all wifi, so what is it? Homeowner was convinced it was a neighbour's wifi but I said nah, the signal is too strong. Another call to the ISP found that their TV-modem device was broadcasting this SSID erroneously and they promptly stopped its broadcast with apologies.
So now we have a less congested 2.4GHz signal, but the home occupants are still complaining of a weak signal. A look in Logs showed a lot of disconnects with extensive data loss. In particular a desktop PC with a D-Link USB-wifi dongle had severe issues trying to stay connected to the new hAPac, 2.4 or 5GHz. Apparently it was fine with the previous ISP AP but not any more, so to mitigate this and save some face (I had bragged up the Mikrotik signal would be stronger) I suggested wiring a cat5e cable to this desktop PC in the dining room. I did this and while finishing up the daughter comes in and says she lost wifi and couldn't reconnect. In fact everybody did, and couldn't.
I and Mikrotik are losing reputation fast now. I go downstairs and unplug-reboot the hAPac. No change. Back upstairs and try to connect with WinBox through a bedroom desktop PC - no go. No change. Downstairs again unplug-reboot the ISP gateway and the hAPac. No change. Nobody can connect. No WinBox. Downstairs again and do a hold-reset-button reboot. Upstairs yes now I can get into WinBox. Standard base config though. Luckily I have a config backup so I quickly restore that and reboot the hAPac. Phew I think, it should be good to go. But still nobody can connect. Can't get into WinBox anymore either, but I can connect through the Mikrotik Android app.
Looking around through that is tedious, but my only way in. I check the firewall to see if anything changed that would block 192.168.88.0/24 but it looks ok. Further checking revealed all of IP-DHCP Server/Network was missing. That explains why nobody can connect, but why is it missing from the restored backup? I now thought if I can get in through the Android app with my cellphone's public IP, then I should be able to get into his WinBox from my home computer which would make fixing his config much easier through a full sized WinBox. So at home now I get into his WinBox, set up his DHCP, and compare my rb2011 config with his hAPac config, page by page, every + new item also, looking for more corruption. I don't find any other differences other than those one would expect. It's now 5 AM, I reboot his hAPac, cross my fingers, and yes I can get back in and see devices connecting. Sleep time. Later in the morning they tell me that wifi is now working and the dining room desktop PC is connecting too. But wait there's more!
Connecting from home to his hAPac I am confronted with the terminal window now displaying about 6 of these:
oct/16/2018 17:56:05 backup,critical error creating backup file: could not read all configuration files
I check and yes it comes from when I run this from Terminal or script:
/system backup save dont-encrypt=yes password="" ;
I reason that would probably explain why the restore from backup was missing the DHCP server/network sections. But why can't it read all the configuration files? Bad RAM? Bad NAND? Bad eeprom?
To deal with the weak signal in parts of the house (most devices are connecting at -67dB+), I am first going to try re-orienting the device 90 degrees, or upright, as far as can be physically from the pipe. Failing that, placing the hAPac on top of that 6" heating pipe, rather than its current position 12" below, so the waveforms go up through the wood floor without the pipe blockage. To that end I plan to make a small platform with a first layer of house insulation (R12 or the like) to sit on the heating pipe, then a piece of styro/pink hard insulation for further insulation and a stable platform for the hAPac. Failing that, try out external antennas that you can attach to the hAPac. Failing that, move the whole kit and caboodle upstairs to the dining room or the bedroom, but this will lose one of the cat5e runs, dining room or bedroom whichever I choose, or ... ya run another cable from either room to the demarc point.
My questions now are:
1) Why can't the hAPac create viable backups?
2) Is there a way to test the RAM?
3) Is there a way to test the NAND?
4) Is there a way to test the eeprom?
4) Why the address-list corruption when trying to change timeout values? buffer overflow? stack overflow?
5) Did the address-list corruption lead to the corrupt backups?
6) Are 20k blacklist addresses too many?
7) What should the gain be on the antennae I should try? Mikrotik sells a ~4dB gain dual band antenna (ACSWI) with the appropriate u.fl connector the hAPac needs and is a direct fit in the plastic shell. Or I could find some others but would additionally need some rpsma connectors in addition to the antennae. The house is not large; single story, approx 1000 sq ft. with a finished concrete basement. Built in the early '70s, 2x4 construction throughout.
https://solimedia.net/product/dual-band ... k-antenna/ (ACSWI ~4dB gain)
https://solimedia.net/product/wifi-omni-antenna-24ghz/ (7dB gain)
https://solimedia.net/product/wifi-sma- ... enna-5ghz/ (5dB gain)
Is it time to RMA this device particularly in view of the fact I can't obtain a proper backup?
Can anyone provide some answers to the questions?
Thanks for reading this chapter of Mikrotik 100-Things U Didn't Expect
Notes:
-I searched the forum and tried the suggested /ip ssh regenerate-host-key and reboot, which helped many people here, but didn't help me
-A second suggestion from here, performing a netinstall, restored the ability to create a viable backup
-two same name users can log in to Mikrotik WinBox at the same time, but to both run the wifi scanner, must be logged in as different users.
-reducing the CPU frequency from 720 to 600MHz did not make a difference in creating backups
-my rb2011 cpu(MIPS 74KC V4.12) and the hAPac cpu(MIPS 74KC V5.0) are from the same family but rb2011 default frequency is 600MHz and idles at 34c while the hAPac default is 720MHz and idles at 47c
-Mikrotik OS does not like fat32 formatted USB sticks
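
Added example, not part of the original post: the restore described above came back without the DHCP server/network sections, and the binary backup file cannot be read by eye, so one check before trusting a restore is to take a text /export as well and confirm the sections the network depends on are present. The Python sketch below parses export text and reports missing sections; the function names, the REQUIRED list and both sample exports are constructed for illustration.

```python
def parse_export(text):
    """Return {menu_path: [entry, ...]} from RouterOS /export text."""
    sections, current, pending = {}, None, ""
    for raw in text.splitlines():
        line = pending + raw.strip()
        pending = ""
        if line.endswith("\\"):        # export wraps long entries with a trailing backslash
            pending = line[:-1]
            continue
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):       # a menu path opens a new section
            current = line
            sections.setdefault(current, [])
        elif current is not None:      # add/set lines belong to the open section
            sections[current].append(line)
    return sections

def missing_sections(text, required):
    """Required menu paths that are absent or hold no entries."""
    sections = parse_export(text)
    return [path for path in required if not sections.get(path)]

def section_diff(reference, candidate):
    """Menu paths that have entries in reference but none in candidate."""
    ref, cand = parse_export(reference), parse_export(candidate)
    return sorted(p for p, entries in ref.items() if entries and not cand.get(p))

# Assumption: the sections this particular network cannot run without.
REQUIRED = ["/ip dhcp-server", "/ip dhcp-server network", "/ip firewall filter"]

# Constructed samples, not output from the poster's routers.
GOOD = r"""# constructed known-good export
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge name=defconf
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=\
    192.168.88.1
/ip firewall filter
add action=accept chain=input connection-state=established,related
"""
BROKEN = """/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip firewall filter
add action=accept chain=input connection-state=established,related
"""

if __name__ == "__main__":
    print("missing after restore:", missing_sections(BROKEN, REQUIRED))
    print("in reference only:", section_diff(GOOD, BROKEN))
```

A compact export leaves out settings that are still at their defaults, so the REQUIRED list should name only sections that were actually configured.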