 | Thomas Mueller on Question got closed in May 202… |
 | Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
| Thaddy de Koning on Formulier voor bewindvoerders… |
 | jpluimers on Belastingaangifte 2023 met Exc… |
Posted by jpluimers on 2025/08/15
I have been contemplating on pfSense hardware as there has been a large shortage on that market especially for having more than 2 ports (similar to for instance Mikrotik PoE router unavailability).
If by now I have not found any, I might want to revisit [Wayback/Archive] Gowin R86S mini PC offers 2.5GbE and 10GbE networking for $310 and up – CNX Software has 3 RJ45 ports and 2 SFP+ cages.
They found it via this 4 page review:
Posted in Ethernet, Hardware, MikroTik, Network-and-equipment, pfSense, Power User, routers | Leave a Comment »
Posted by jpluimers on 2025/07/09
I wasn’t aware that [Wayback/Archive] [OpenWrt Wiki] MikroTik was available. Many devices are incomplete in support, but it is good to know there is an alternative to the buggy scripting interface of RouterOS.
For the hEX series, support seems good enough to give it a try this summer, but I need to figure out of the hEX PoE RB960PGS is supported. I have good hopes as other models of the RB9* series are.
A few warnings from the below links:
These hEX related models are supported on the web-site (which also explains major differences with Fast Ethernet (100 Mbit/s) and Gigabit Ethernet (1 Gbit/s) models:
Posted in Development, Hardware, MikroTik, Network-and-equipment, Power User, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2024/07/05
Two interesting posts on fast network routing:
… I also ran into weird DNS slow-downs, which I didn’t fully diagnose. In Wireshark, it looked like my machine sent 2 DNS queries but received only 1 DNS result, and then waited for a timeout.
… Since I last used MikroTik in 2014 the software seems to have barely changed. I wish they finally implemented some table-stakes features like DNS resolution for DHCP hostnames
–jeroen
Posted in Ethernet, Hardware, LifeHacker, MikroTik, Network-and-equipment, Power User, routers | Leave a Comment »
Posted by jpluimers on 2023/12/11
Last year, after an already long sequence of doing stupid things, Ubiquiti sued Brian Krebs.
For many this was a reason to think about what to replace their Ubiquiti.
My cloud key had already died, I never installed the USG router, so this is the reminder to see if anything has come up to replace the Unifi access points that is easy to manage in a self-hosted way are powered over ethernet, do the same seamless handover and cooperative WiFi antenna management.
Some links from back then:
Posted in Cloud Key, Ethernet, Hardware, MikroTik, Network-and-equipment, pfSense, Power User, routers, Ubiquiti, Unifi-Ubiquiti, USG Ubiquiti Unifi Security Gateway, WiFi | Leave a Comment »
Posted by jpluimers on 2023/04/13
MikroTik switches and routers are very flexible to configure, as everything is done through [Wayback/Archive] RouterOS settings.
This means that given enough ports, you can split a physical switch into logical switches. This can be very convenient when you run multiple networks without VLAN.
Earlier this week, I already wrote about Torching a specific port on a MikroTik switch or router running RouterOS which involved turning off hardware acceleration off for specific ports in order to have the flow through the underlying switch chip prohibiting torch and filter features.
For splitting noticing which ports are connected to which switch chip is also important: splitting works best if you can configure each logical switch to exclusively use network ports on one switch chip.
This post was to both research how to configure this, and if my MikroTik devices would allow for hardware acelleration.
Here are some links that should help me with configuring (via [Wayback/Archive] mikrotik split switch in two – Google Search):
–jeroen
Posted in Development, Hardware, MikroTik, Network-and-equipment, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2023/04/11
On most recent [Wayback/Archive] RouterOS configurations of MikroTik Routers and Switches, running [Wayback/Archive] Torch a port will show zero traffic when they are part of a bridge configuration. The same holds for the Packet Sniffer.
The reason is that these bridges have hardware acceleration turned on, which makes all traffic go through the switch chip instead of the device CPU. Torch works on the CPU level, so won’t show hardly any traffic except for some configuration stuff (depending on the combination of switch chip and CPU type).
This is not documented in the Torch documentation, but it is documented in the Packet Sniffer documentation.
Further reading:
Note: Unicast traffic between Wireless clients with client-to-client forwarding enabled will not be visible to sniffer tool. Packets that are processed with hardware offloading enabled bridge will also not be visible (unknown unicast, broadcast and some multicast traffic will be visible to sniffer tool).
As the ethernet ports are marked as S(laves) in the tables, I would assume that they are member ports of bridges and “hardware acceleration” is enabled (the value of hw in the respective rows of /interface bridge port is set to yes). So any frames which pass through these ports to other ports of the same switch chip are counted by the switch chip counters, but as they never get to the CPU, the torch cannot see them.
Consider the following scenario, you setup a bridge and have enabled hardware offloading in order to maximize the throughput for your device, as a result your device is working as a switch, but you want to use Sniffer or Torch tools for debugging purposes, or maybe you want to implement packet logging.
/interface bridge add name=bridge1 /interface bridge port add bridge=bridge1 hw=yes interface=ether1 learn=yes add bridge=bridge1 hw=yes interface=ether2 learn=yes
When running Sniffer or Torch tool to capture packets you might notice that barely any packets are visible, only some unicast packets, but mostly broadcast/multicast packets are captured, while the interfaces report that much larger traffic is flowing through certain interfaces than the traffic that was captured. Since RouterOS v6.41 if you add two or more Ethernet interfaces to a bridge and enable Hardware Offloading, then the switch chip will be used to forward packets between ports. To understand why only some packets are captured, we must first examine how the switch chip is interconnected with the CPU, in this example we can use a block diagram from a generic 5-Port Ethernet router:
Generic Ethernet router
For this device each Ethernet port is connected to the switch chip and the switch chip is connected to the CPU using the CPU port (sometimes called the switch-cpu port). For packets to be visible in Sniffer tools, the packet must be sent from an Ethernet port to the CPU port, this means that the packet must be destined to the CPU port (destination MAC address of the packet matches the bridge’s MAC address) or the packet’s MAC address has not be learnt (packet is flooded to all ports), this behavior is because of MAC learning·The switch chip keeps a list of MAC addresses and ports called the Hosts table· Whenever a packet needs to be forwarded, the switch chip checks the packet’s destination MAC address against the hosts table to find which port should it use to forward the packet. If the switch chip cannot find the destination MAC address, then the packet is flooded to all ports (including the CPU port). In situations where packet is supposed to be forwarded from, for example, ether1 to ether2 and the MAC address for the device behind ether2 is in the hosts table, then the packet is never sent to the CPU and therefore will not be visible to Sniffer or Torch tool..
Packets with a destination MAC address that has been learned will not be sent to the CPU since the packets are not not being flooded to all ports. If you do need to send certain packets to the CPU for packet analyser or for Firewall, then it is possible to copy or redirect the packet to the CPU by using ACL rules. Below is an example how to send a copy of packets that are meant for
4C:5E:0C:4D:12:4B:/interface ethernet switch ruleadd copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF ports=ether1 switch=switch1Note: If the packet is sent to the CPU, then the packet must be processed by the CPU, this increases the CPU load.
The following script is used to associate IP address of directly connected stations to physical port of the switch.
Warning: Running this script will make the CPU go to 100% for about 30-40 seconds, so please run the script when needed or by using scheduler.
–jeroen
Posted in Development, Hardware, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | 1 Comment »
Posted by jpluimers on 2021/12/31
A few notes:
%APPDATA%\Mikrotik\Winbox
sessions contains binary *.viw files that seem to represent “view” configurations (the positions, dimensions and other properties of the open Windows in a Winbox session) where the * of the name seems to be an IPv4 address of a machine.6.40.3-2932358209 and 6.43.13-695307561 contain configuration files that seem to determine what WinBox features a certain RouterOS version should reveal; files in those directories seem to always be these:
advtool.crc / advtool.jgdhcp.crc / dhcp.jghotspot.crc / hotspot.jgicons.crc / icons.pngmpls.crc / mpls.jgppp.crc / ppp.jgroteros.crc / roteros.jgroting4.crc / roting4.jgsecure.crc / secure.jgwlan6.crc / wlan6.jgAddresses.cdb and settings.cfg.viwsessionpath contains the expanded path %APPDATA%\Mikrotik\Winbox\sessionsThe *.crc files contain a CRC code, presumably on the contents of the correspoding *.jg file. The *.jg files seem to contain some kind of JSON.
Some links I found:
–jeroen
Posted in Development, Internet, MikroTik, Power User, RouterOS, routers, Scripting, Software Development | Leave a Comment »
Posted by jpluimers on 2021/12/13
I wanted access to a supposedly reset a MikroTik [WayBack] MikroTik CRS109-8G-1S-2HnD-IN, but the default credentials did not work. Somehow, keeping the reset button pushed for almost 20 seconds also did not reset+reboot it.
Luckily, the default PIN code was still 1234 ([WayBack] Manual:LCD TouchScreen: PIN code – MikroTik Wiki) so I could reset it ([WayBack] Manual:LCD TouchScreen: Reboot and Reset Configuration – MikroTik Wiki).
After this, I changed credentials and PIN, documented configuration and credentials, and ensured there is a back-up of that documentation available.
Note: fiddling with power and reset button might have worked, though it is odd the CRS109 documentation does not mention this. PIN code worked faster, so that’s what solved my issue first.
Related:
–jeroen
Posted in Hardware, Internet, MikroTik, Network-and-equipment, Power User, routers | Leave a Comment »
Posted by jpluimers on 2021/11/02
Some links in case I ever need to jail-break a Mikrotik device:
–jeroen
Posted in Development, Internet, MikroTik, Power User, routers, Software Development | Leave a Comment »
Posted by jpluimers on 2021/09/24
In the past I had these manual scripts to power-cycle a hung RaaspberryPi device:
/interface ethernet poe set ether5 poe-out=off /interface ethernet poe set ether5 poe-out=forced-on
or on one line:
/interface ethernet poe set ether5 poe-out=off; /interface ethernet poe set ether5 poe-out=forced-on
I am going to try this script for the port having a Raspberry Pi on it (note: this requires a 48V power brick for the Mikrotik!) on RouterOS version 6.48.3 (stable):
/interface ethernet set [ find default-name=ether5 ] comment="RaspberryPi" poe-out=\ forced-on power-cycle-ping-address=192.168.124.38 power-cycle-ping-enabled=\ yes power-cycle-ping-timeout=2m
The above has not worked for a long time as per [Wayback] No POE Power Cycle @ hEX POE – MikroTik:
But it might be fixed as of [Wayback] RouterOS version v6.47.3[stable] as per [Wayback] MikroTik Routers and Wireless – Software: 6.47.3 (2020-Sep-01 05:24):
…
*) poe – fixed “power-cycle” functionality on RB960GSP;
…
Similar issues exist on RB760iGS/Hex S, and there the fix requires new hardware in addition to firmware as per [Wayback] POE OUT issue on ether5 rb760igs (no power) – MikroTik
Note that I did disassemble both of these routers for inspection and there are obvious changes to the hardware to correct the PoE problems – most notably a completely different relay, capacitor and some minor circuit design changes.
If it still fails, I might try
[Wayback] No POE Power Cycle @ hEX POE – MikroTik: workaround script
:local ipPing ("x.x.x.x") :local pingip # # pingip below RUNS and sets the variable # to number of successful pings ie 3 means 3 of 45 success # can also use ($pingip > 1) or ($pingip >= 1) both TESTED # ($pingip >= 1) means if only 1 or 0 pings do the IF, not the ELSE # :log info ("ping CHECK script IS RUNNING NOW") # first delay 90 b4 ping test incase this is running at POWER UP :delay 90 :set pingip [/ping $ipPing count=45] :if ($pingip <= 3) do={ :log warning (">95% lost ping LOSS to isp GW IP x.x.x.x via ether5 so DO POE powerCYCLE") /interface ethernet poe set ether5 poe-out=off :delay 12 /interface ethernet poe set ether5 poe-out=auto-on :delay 10 :log warning ("ether5 POE HAS BEEN TURNED BACK ON") :delay 90 /system script run emailPOEresult } else={ :log warning ("PoeCyclePINGcheck ELSE ran so no ping loss detected by script") }
Based on:
Posted in Development, Hardware Development, Internet, MikroTik, Power User, Raspberry Pi, routers | Leave a Comment »
The Wiert Corner - irregular stream of stuff 