Make sure you connect it to your router via wire.
Wireless mesh/repeater/extender does not give good performance.
If running a wire is an issue, Powerline Ethernet (HomePlug AV2), coax (MoCA or HPNA), or an Ethernet extender (DSL/phone) are much better alternatives than a wireless repeater.
This is as close to wired as you can get without running cable. 2000 = 1000 up x 1000 down. (Full duplex)
https://www.amazon.com/TP-LINK-Powerline-Pass-Through-TL-PA9020P-KIT/dp/B01H74VKZU
1- don't use quickset
2- factory reset the unit and use ether1 for WAN
3- Tinker from there
4- Use Winbox not the webUI
5- Use the wiki and learn the platform
Most likely you used the quickset menu, or you just changed the address without changing the DHCP server/pool etc.
If you cba learning the platform then maybe throw openwrt on there.. not something I've played with so I couldn't advise
There are cable cutouts on the underside of the cAP AC which can be easily removed with a utility knife or a pair of pliers. So, you can still flush mount the access point and run the cable along the surface of the wall: https://i.imgur.com/xqa9KsL.png
As far as mounting without drilling, a few pieces of mounting tape should work nicely:
https://www.amazon.com/Scotch-Extreme-Mounting-1-inch-60-inches/dp/B009NP1JQC/
Somebody might have shared some illegal materials using a subdomain and some fool judge ordered the whole domain to close. Not knowing anything about how things work. The same thing can happen with dyndns. And any other domain that has user generated content like wordpress and such. Imagine the scandal if FBI took over wordpress.com because someone blogged and shared illegal material.
Look at WG, really - it faced a lot of scrutiny when being accepted into the kernel. It's much more performant than IPSec with acceleration. IPSec is good but very heavy and with a lot of bad decisions made decades ago. WG is fast because it's very bare-bone and uses modern crypto. While it sounds very counter-intuitive that WG without hw-accel beats IPSec with it, it is actually true. The new crypto algorithms are ridiculously fast on modern general-purpose CPUs because they were designed for that. IPSec isn't actually accelerated - only its crypto is, because normally it's orders of magnitude slower on general-purpose silicon (and thus needs a dedicated block).
Look at https://www.wireguard.com/performance/ - while it's not a definitive measure it shows the trend. I deploy WG mainly due to its lack of chattiness, more stable ping, and the fact that it doesn't have problems with any networks (IPSec relies on GRE being allowed where it's often not b/c people often only allow TCP+UDP on firewalls... which is stupid but that's the reality).
The redirection is done by the device so you have no control over the error being displayed. Samsung's in particular are the worst offenders for this and it's something we've seen with our own captive portal.
Most devices will try and retrieve a URL first to see if they have internet connectivity and if they need to go into captive portal mode. For example Android KitKat uses clients3.google.com whereas Apple has used http://captive.apple.com/hotspot-detect.html in the past. Different Android versions and iOS versions use many different URLs to check.
Different error codes from the URL then tell the device what mode it should be in. You can find out more about the Android process here https://www.chromium.org/chromium-os/chromiumos-design-docs/network-portal-detection
You can try whitelisting the URLs but it only means that users have to manually visit the URL of your captive portal or another non HSTS protected site such as www.sky.com
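To make the probe/response logic above concrete, here is an added example (not code from the thread or from any vendor) that parses the HTTP answer a device receives for its connectivity-check URL and decides whether the network is online, captive, or offline. The two probe behaviours encoded (an empty 204 for the Google probe, a 200 whose body contains "Success" for the Apple probe) are the documented ones; the probe URLs are the ones named in the comment, and the raw responses in SAMPLE_RESPONSES are constructed for illustration. It also shows why allowing the probe URL straight through (the "whitelisting" idea) makes the device conclude it is online and never raise the portal.

```python
"""Classify the responses a device gets from its captive-portal probe.

Added illustration, not part of the original thread. Sample responses are
constructed; the portal hostname portal.example.net is a placeholder.
"""
from dataclasses import dataclass
from typing import Dict, Optional, Tuple

# What a "healthy" answer looks like for each probe style.
PROBES = {
    # Android / Chrome OS: an empty 204 No Content means the internet is reachable.
    "clients3.google.com/generate_204": {"status": 204, "body": None},
    # Apple: a 200 whose body contains the word "Success".
    "captive.apple.com/hotspot-detect.html": {"status": 200, "body": "Success"},
}


@dataclass
class ProbeResult:
    state: str                       # "online", "captive" or "offline"
    redirect: Optional[str] = None   # portal URL when the network redirected the probe


def parse_http_response(raw: bytes) -> Tuple[int, Dict[str, str], str]:
    """Minimal HTTP/1.x response parser: (status code, lower-cased headers, body)."""
    head, _, body = raw.partition(b"\r\n\r\n")
    lines = head.decode("iso-8859-1").split("\r\n")
    status = int(lines[0].split(" ", 2)[1])        # "HTTP/1.1 204 No Content" -> 204
    headers: Dict[str, str] = {}
    for line in lines[1:]:
        name, _, value = line.partition(":")
        headers[name.strip().lower()] = value.strip()
    return status, headers, body.decode("utf-8", "replace")


def classify_probe(probe: str, raw: Optional[bytes]) -> ProbeResult:
    """Decide the connectivity state from the raw answer to one probe URL."""
    expected = PROBES[probe]
    if raw is None:                                  # no answer at all (timeout, no route)
        return ProbeResult("offline")
    status, headers, body = parse_http_response(raw)
    if 300 <= status < 400 and "location" in headers:
        # The portal hijacked the request and sent us to its login page.
        return ProbeResult("captive", headers["location"])
    body_ok = expected["body"] is None or expected["body"] in body
    if status == expected["status"] and body_ok:
        return ProbeResult("online")
    # Any other answer (e.g. a 200 login page where a 204 was expected) means
    # something between the client and the probe host intercepted it.
    return ProbeResult("captive")


# Constructed sample answers, as a device might see them on different networks.
SAMPLE_RESPONSES = {
    "clean":       b"HTTP/1.1 204 No Content\r\nContent-Length: 0\r\n\r\n",
    "redirect":    b"HTTP/1.1 302 Found\r\nLocation: http://portal.example.net/login\r\n"
                   b"Content-Length: 0\r\n\r\n",
    "intercepted": b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n<html>Please log in</html>",
    "apple_ok":    b"HTTP/1.1 200 OK\r\nContent-Type: text/html\r\n\r\n"
                   b"<HTML><HEAD><TITLE>Success</TITLE></HEAD><BODY>Success</BODY></HTML>",
}


def demo() -> Dict[str, str]:
    """Run every sample through the classifier; returns {sample name: state}."""
    google = "clients3.google.com/generate_204"
    apple = "captive.apple.com/hotspot-detect.html"
    return {
        "clean": classify_probe(google, SAMPLE_RESPONSES["clean"]).state,
        "redirect": classify_probe(google, SAMPLE_RESPONSES["redirect"]).state,
        "intercepted": classify_probe(google, SAMPLE_RESPONSES["intercepted"]).state,
        "apple_ok": classify_probe(apple, SAMPLE_RESPONSES["apple_ok"]).state,
        "no_answer": classify_probe(apple, None).state,
    }


if __name__ == "__main__":
    for name, state in demo().items():
        print(f"{name:12s} -> {state}")
```

The "clean" case is exactly what a whitelisted probe URL produces: the probe passes the portal untouched, the device reports online, and the user is left to find the portal page by hand, which is the behaviour the comment above describes.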
Normis and Co. (aka Mikrotik) has started working on an Android utility that gives you the ability to configure your router more conveniently, while on the go.
You have to sign up to get "on the list" so I thought I would share it here.
Edit:
Normis added a non-google play download link for the utility to the forum post:
I have a NordVPN connection established on my RB4011 using their IKEv2 certificates. It was pretty easy to set up, I wonder if perhaps you could follow their guide and substitute your own modifications:
Using the Mode Config parameters you can reliably route whatever traffic you want over the VPN.
RouterOS is still superior. I would suggest you look for a compatible VPN provider like SaferVPN. They have a tutorial for using OpenVPN from a MikroTik.
> Astrill provides a few different - OpenWeb, OpenVPN and PPTP, L2TP, Cisco IPsec, SSTP.
SSTP is easiest to implement I think.
/tool fetch mode=http url="" /certificate import passphrase=""
/interface sstp-client add add-default-route=yes authentication=mschap2 certificate=none connect-to=\ :443 dial-on-demand=no disabled=no http-proxy=0.0.0.0:443 \ keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled name=vpn password=\ <your password> profile=default-encryption user=<username> \ verify-server-address-from-certificate=yes verify-server-certificate=yes
Hope this helps
You could install something like heartbeat on the servers to do this.
Your Xiaomi r3 completely outspecs the hap lite https://openwrt.org/toh/xiaomi/mir3
R3 has four times the RAM, 128M vs 32M
R3 has eight times the ROM, 128M vs 16M
My Fast tests were almost twice as high using 64 versus using 65. 64 was the same speed as 128. 65 was the lowest speed using fast.com.
I'm using a laptop with no vpn and I'm using my Verizon unlimited plan phone for the hotspot.
Not off hand, though if Proton VPN also makes use of EAP then the setup should really be pretty much similar to that of NordVPN. Will see if I can get some Proton VPN details and play around with it, if I'm successful I'll definitely create a similar video.
I just realized, I still use the old script before the cloud IP.
This script only works if your interface has the correct external IP (not double-nat).
:global currentIP; :local newIP [/ip address get [find interface="INTERFACENAMEHERE"] address]; :set newIP [:pick $newIP 0 [:find $newIP "/"]]; :if ($newIP != $currentIP) do={ :log info "IP address $currentIP changed to $newIP"; :set currentIP $newIP; /tool fetch mode=https url="https://www.duckdns.org/update?domains=SUBDOMAINHERE&token=TOKENHERE&ip=$newIP" dst-path=duckdns.txt; :local result [/file get duckdns.txt contents]; :log info "Duck DNS update result: $result"; }
You just need to change the INTERFACENAMEHERE, SUBDOMAINHERE, and TOKENHERE
You may find that just moves the problem to the WAP Ac, since it will have to do the same thing. If btest is the way you want to go about your testing, I'd download the windows client and do it from a PC behind the HEX. As others here have mentioned, the hex does do gigabit routing. http://www.mikrotik.com/download/btest.exe is the link for the btest windows client.
hAP lite has a different, smaller ROS package (SMIPS, size around 7 MB) than the other Mikrotik models (MIPSBE, size around 10 MB).
http://www.mikrotik.com/download
Direct link: http://download2.mikrotik.com/routeros/6.35.4/routeros-smips-6.35.4.npk
You should be able to upload this 7 MB file to your hAP lite in full (either via web GUI or Winbox Files menu or FTP) then just reboot the device.
Disclaimer: I am not a Comcast user so I don't know how they do their network.
First thing I would check your PC firewall rules if you have one. Create them if you don't.
If that's not the case proceed >
My big question is are they giving you an IP inside their network or are you getting an actual public IP to your router. I.e. is the cable modem handing you a 192.168.x.x to your router. This would indicate if the modem is acting as a router as well or they NAT you behind them. You could use something like LogMeIn Hamachi to bypass that, but all your friends would have to install that as well.
Next thing. I'm confused why you would have to clone your MAC. You should be able to plug your router into the cable modem (reboot everything) and shit should work assuming the router is configured correctly. But like I said, I am not very familiar with CC.
Find out what your IP is or better yet use the IP > Cloud DDNS in the mikrotik. See if your friends can maybe ping it?
Hey guys,
Looks like it works now, of course I don't have all the 20 MB/s that my ISP provides but sites load as expected and won't crash upon loading.
u/sillentkil, I disabled Fasttrack like you said, and u/No-Influence-2512 I added the lines you shared. Apparently it took the Tik a couple of Reboots to get going, now the load has increased accordingly and I see it peak at 60%. I know there might be some more room for improvement but as of now the router is working as expected and complying with its full purpose, connecting my 2 NAS and 2 Terminals through UTP and the other devices through wifi, all now protected though NordVPN services.
You guys are far better help than Mikrotik documentation and even Nord's tech support, maybe you ought to keep their paychecks lol.
Thanks a lot once again!
If you put all the ports on the same bridge, disable any services like DHCP, then probably.
I suspect that is probably NOT the best approach...
Any reason this wouldn't fit your needs? (It even costs a bit less than a hEX S)
https://www.amazon.com/TRENDnet-Switching-Capacity-Protection-TEG-S51SFP/dp/B019IHWSF0
This method uses 12v to power the router and passes thru 12v poe.
Another way is to us a 48v PoE injector to power the router and then use a 48v to 12v PoE splitter like this:
Gigabit PoE Splitter 12V 2A Output with IEEE 802.3af/at Standard Compl... https://www.amazon.com/dp/B08HS4NT13/ref=cm_sw_r_sms_api_glt_fabc_4SNDQMCQC0FADY0P0WDW
Can you state your router model? Do a benchmark on a site like and see the CPU load - I expect one node to run at 100% while the other will not be affected. It's because NordVPN was not using modern cryptography last time I checked. They were going with AES-CBC not AES-GCM
Absolutely love mine. You'll need a WAP if you got the non-wireless model. I use the TPLink EAP 245 and the combo works great. I bought a 48V power brick so I could use the POE port without using the power adapter on my WAP: https://www.amazon.com/gp/product/B00N6W1HGU/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1
It took me a good 2-3 days to get things configured correctly, with VLANs, firewall rules, etc with a lot of help from this subreddit and a lot of reading/searching through google. Once you get it setup and get used to the configuration, it's pretty easy to remember.
Call me Richard Stallman. But I can’t in good conscience help you out. Because that means I’m supporting NordVPN. I believe NordVPN is taking advantage of you and their other customers. And it’s widely regarded by industry professionals that the company is misleading and not transparent. Even shills who will allow advertising money to cloud their morals and beliefs dropped them as a sponsor.
Nothing against you, no offense. I’d gladly help you out. But not if NordVPN is involved.
The only time a VPN as a service provider gives you added security is connecting to a public hotspot, or a questionable friend's wifi.
I’d highly suggest you set up your own VPN for whatever purposes you need. VPS hosts allow you to pick what data center location your server is hosted in if that’s a concern for you. A company such as NordVPN shouldn’t be rewarded for misleading customers. Even if you’re not being misled. Other customers are. Don’t give them your money.
Almost all traffic now is HTTPS. You could even set up TLS or HTTPS DNS. So ISP snooping is something people come up with to make you feel exposed. You're basically saying I don't trust my local provider. But I trust NordVPN more, even though I personally don't know them. So they can see what IPs I wish to contact. At some point it's got to traverse the Internet in a normal fashion. Whether it does that leaving NordVPN's NOC or your ISP's.
If you're trying to hide from law enforcement. Nord or any other VPN provider will more than happily rat you out just as fast as your ISP would.
For the most part, for your everyday traffic coming out of your personal home, you're just adding unnecessary latency. I'd much rather my bank traffic go through my country, since it's already encrypted, than send it off to some other country just to relay it back to where it originated from and pass through many more hands. And probably hands that are more willing to try to decrypt, and countries where there's no repercussion if they try to do so. The thing home users, prosumers, and a-step-above-average users don't understand and won't even listen to is this: the data leaving NordVPN is identically exposed to the Internet as if it left your house directly. You're just making it take a different route. And it doesn't fool ad trackers. Ad trackers had this figured out way before VPNs were a thing. You think they ignored the fact people take vacations and could at any given time be using a different device or access the Internet from a different location?
In another comment you mentioned you don't see many IT security professionals chiming in. You know why. We don't feel VPN as a service is secure.
I tried many configs just to get GCM with no success. I believe NordVPN does not support GCM. Currently in a process of pushing them to admit that. I’ve sent them something similar to main post as a response to their weird configs as I opened support ticket. Waiting for an answer.
Probably will dump them prior 30 days mark and buy higher tier from ProtonVPN as Black Friday is coming soon.
With security it's all about those small inconsistencies, as usually they are a sign of a bigger problem.
Thanks to you u/akliouev configs are tighter.
Next steps are also pushing VPN providers to do IPv6 support as many European servers prefer v6 and I have some IP leaks. And no - I will not turn off IPv6 :)
NordVPN does have a tutorial on their site for configuring a VPN connection within your Mikrotik router, and combining that with a list of the IP addresses of the streaming service you are connecting to, you should be able to achieve what you're looking for. In short, you would have an address list of all the IPs of that service, then any packet destined for those IPs gets a routing mark of "Nord" or whatever, and that route is assigned to the VPN's gateway. I don't have an actual config to share with you, but here's a thread on the Mikrotik forums with a little more info: ?t=61677
Try this:
> /ip ipsec mode-config
> add connection-mark=ProtonVPN name=ProtonVPN responder=no
> /ip ipsec policy group
> add name=ProtonVPN
> /ip ipsec profile
> add dh-group=modp4096,modp2048 enc-algorithm=aes-256 hash-algorithm=sha256 name=ProtonVPN
> /ip ipsec peer
> add disabled=yes exchange-mode=ike2 name=ProtonVPN profile=ProtonVPN send-initial-contact=no
> /ip ipsec proposal
> set [ find default=yes ] auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048
> /ip ipsec identity
> add auth-method=eap certificate=ProtonVPN eap-methods=eap-mschapv2 generate-policy=port-override mode-config=ProtonVPN password=XXX peer=ProtonVPN policy-template-group=ProtonVPN username=XXX
> /ip ipsec policy
> add dst-address=0.0.0.0/0 group=ProtonVPN src-address=0.0.0.0/0 template=yes
All my capsman deployments have been with basic 2.4GHz radios for barcode scanners so I'm not super familiar with running a hAP AC with capsman.
That said, I think you need to add extension channels to your 5GHz config in capsman. You've posted your /wireless
config but I'm pretty sure it all gets "commented out" by capsman, so it's really just showing you what your radios would be doing if cap mode wasn't enabled.
If you have an Android phone, I highly recommend the app Wifi Analyzer. In the settings for the app, you can enable displaying wide channels. Then on the graph it displays, you'll see a wider parabola over the frequencies your hAP is taking up.
Is this for clients to connect through NordVPN out to the Internet?
RouterOS supports this natively now with EAP IKEv2 support.
Why not just run it on RouterOS directly and policy route specific IPs through the gateway?
Did I miss which device you are asking about?
Tether support needs to be enabled for a given USB port when the ROS is compiled for that model.
For some they choose not to.
An Ethernet adapter should work into a WAN port, best to get one with a separate power port to keep the phone charged.
https://www.amazon.com/Ethernet-Adapter-Charge-Network-100Mbps/dp/B0BJZRWRXZ
Or a "docking hub" with Ethernet may work.
I haven’t run into any bandwidth issues, but then again, I’m running a maximum of 100Mbps worth of bonded connections. I ended up basically using the bonded Speedify connection as transport for my Wireguard VPN so that I could stream Netflix, etc.
I wanted to throw Speedify out there. Check out the SmoothWAN project, which is basically OpenWRT with Speedify integrated into the UI. I’ve been using it to bond 1 DSL Connection + 2 LTE connections and it’s been working great for several months. At one point, I had SmoothWAN in front of my MikroTik, and I was running a Wireguard tunnel from my MikroTik through the SmoothWAN box with no issues. Latency increases a bit, as with any VPN, but the stability of my video calls is vastly improved. If you don’t need bonding for your whole network, there’s a Speedify App for Windows and Linux as well.
All WANs are cellphones here. Only one USB port means manual failover, swapping out say the TMO phone if the ATT goes down.
Right?
Or I could try https://www.amazon.com/Ethernet-Adapter-Charge-Network-100Mbps/dp/B0BJZRWRXZ
apparently these work
Happy so far! I just have it sitting on my desk to test it out, but I'm going to put it in a closet in my hallway once I run Ethernet through the crawlspace (so noise will be less of an issue)
I wanted to use SwitchOS, but it has the fans running basically all the time. Unfortunately it's a known issue with SwitchOS. RouterOS v7 is better - it only turns on the fans once the switch exceeds some temperature threshold, and turns them off once the temperature drops enough.
I'd recommend also getting a serial RJ45 to USB cable. Something like https://www.amazon.com/Console-Essential-Accesory-Ubiquity-Switches/dp/B01AFNBC3K - Any cable that's compatible with Cisco should work. If you're ever in a situation where a MikroTik switch or router gets stuck in a boot loop or the network won't come up due to some misconfiguration (you lock yourself out, disable the wrong ports, etc), you can connect to it via the serial connection and see the bootup logs and reconfigure the switch.
Here is a link from NordVPN which accomplishes the same thing but uses an address list of subnets which are sent through the tunnel.
The instructions show there being two mounting tabs on either side. I wonder if it's possible to use something like these and attach one to either side https://www.amazon.com/Mounting-Brackets-76-5mm-Compliant-10-PACK/dp/B01G47BNS0
Thought I would update for anyone thinking about the noctua mod
I got the 328 and did the fan swap out right out of the box, so nothing to directly compare it to. I used the low noise adapters on these. This is with roughly only 55w draw atm. I used a push/pull config here just because of how the board layout was.
Current temps:
CPU Temperature 48C
Board Temperature 35C
FAN1 2805 RPM
FAN2 2925 RPM
For the 354, it was ALWAYS loud. Sometimes louder than others when it would ramp up to 7500+ rpms for no reason. I posted before the temps/rpms at a random time I checked it, but here's the recap:
CPU Temperature 56C
Board Temperature 46C
Fans all 6400ish RPM
After swapping out for the noctua's:
CPU Temperature 59C
Board Temperature 33C
FAN1 4170 RPM
FAN2 4185 RPM
FAN3 4590 RPM
I did not use the low noise adapter here just in case it needed those extra RPMs. It's a little odd that the board temp decreased pretty substantially but the cpu temp rose a tad.
With both, they are virtually silent. If I put my ear up to the 354, I can hear it, but a few feet away, I can't hear anything. With the 328, even if I put my ear up to it, I can barely hear it.
Very easy to do. The 328 took less than 10 minutes. The 354 has a bracket running down the center that made it take a little longer because 2 of the fans it was hard to get to the screws. I ended up just taking it off and putting it back after. Took maybe 20 minutes. Very happy with the results.
Fans used - https://www.amazon.com/dp/B071W93333
My bad. I posted the wrong link. This is the link: https://www.amazon.com/Mikrotik-CRS328-24P-4S-RM-Ethernet-rackmount/dp/B07C657P7Q/ref=sr_1_2?crid=MXXTDYE5X1K&keywords=crs328&qid=1665697311&qu=eyJxc2MiOiIzLjA4IiwicXNhIjoiMi40NiIsInFzcCI6IjEuNTAifQ%3D%3D&sprefix=crs328%2Caps%2C63&sr=8-2&ufe=app_do%3Aamzn1.fos.4dd97f68-284f-40f5-a6f1-1e5b3de13370. The delivery date I see is October 25 - November 3.
Ships in 1-3 weeks.
nslenders is right, it's MS-156, not u.fl or mhf or anything like that. Pushing down the center pin disconnects the line and shunts it to the connector. Here's an adapter: https://www.amazon.com/MS-156-MS156-RP-SMA-probe-Shipping/dp/B00VPRFE62
I run a network monitoring business.. CHR and for hosted cloud with Zabbix. Sweet.
Also great for just having a home lab and VPN server in one. No need for ExpressVPN if all I wanna do is be anonymous.
However I have express VPN and intend to run it in a container for going to other countries.
Container for PiHole....
It's a lot of fun for $5 a month.
Could also use a DAC cable instead of 2x SFP to RJ45 and a Netgear XS505M.
It should get you 4x 10G RJ45 links
And with a DAC you don't get the power loss/heat of the SFP-RJ45 modules.
But it might be a little bit more expensive than the solution of p3ter_se
Just fyi I'm pretty close to having ExpressVPN working in a container on RouterOS. For those wanting a cheaper alternative than their router or potentially setting up multiple countries for different devices (multiple containers) this could be super handy if you wanna use Lightway which is their proprietary protocol not available on RouterOS. Main focus of the project is to get around the main govt firewall in Egypt. Will post if I get it all running like I think it should.
Does the ExpressVPN client work on the container?
What I would do (though I haven't done anything like this before):
Assign two VEth interfaces to the container. One for the WAN of ExpressVPN and another connected to your MikroTik.
Create a default route for the container only... nothing else. For your LAN, create a default route through the ExpressVPN container.
Don't forget NAT too
Let me know how it goes
Why not run your own CHR in the cloud in the geography that you want to be in (or multiple ones, they are about $5 a month) and just run your own VPN service ? If it's for media, this idea won't work as the datacenter IPs are usually blocked by netflix etc. You need something like ExpressVPN and such for that. Am doing some similar things myself and happy to give you some advice if you are still looking to use the 'bricks'.
Did this actually work well for you ? I'm looking for a small little device to run ExpressVPN container on. Assuming I have external storage, will this little box have enough grunt to get by for 1 user basically only watching netflix and general household traffic ?
If you can get into such a range of the AP on the other side that the phone will detect the network, an app like wifiman (https://play.google.com/store/apps/details?id=com.ubnt.usurvey) might be worth a shot. It will tell you frequency/channel, channel width, AP MAC (also vendor, if it knows), PHY mode (i.e. b/g/n/ac/ax support, number of MIMO streams), and so on.
Yeah it's annoying. I looked many places and the single wan thing is a limitation.
Mullvad, Proton, Pia, Nord.. those kinds of VPNs. Right now plex is the only thing that needs to be exposed. Maybe I'll do some sort of ftp or remote desktop in the future.
You've got pretty decent results, and there's nothing wrong with your 4011 or config, except for server choice.
However it's strange to see a drop in speed RB4011 vs ISP router - 4011 will handle these speeds easily. It could be just a test or environment peculiarity, not a real thing. Or your ISP may throttle your connection, or just doesn't have enough uplink bandwidth at the moment of measurement. Or your ISP router uses IPv6, and you haven't configured it on your 4011.
"Same city" means nothing on Internet - the packets to the building across the street may cross Atlantic on its way. And 44ms RTT is a sure indicator of something like this happening.
Run a ping and see with what TTL it will return to determine real adjacency (in this particular moment, ofc), PingInfoView is a tool of choice for such measurements. Works great for handpicking NordVPN servers from the list returned by its API.
Yes, NordVPN have an API. It's not officially public, but it works, and you can grab a complete server list with current load for all servers.
Then you can sort and filter the list as you wish - there's little reason to consider servers across the globe when you want a server in adjacent jurisdiction, and you don't need all 20 servers in that particular location, a couple of least loaded will do - and feed it to PingInfoView to measure latency, packet loss and number of hops. Obvious criteria are minimum loss, lowest latency and number of hops (10 ms 6 hops is better than 10 ms 9 hops).
So just choose another VPN server.
And keep in mind that most of Internet links and servers are shared resources - you really couldn't expect your VPN server to saturate your link all the time.
Good to see you again:) The other thing you can consider for emergency situations is the little device called woomb. Amazon has it for $30: https://www.amazon.com/gp/product/B07DZDF9GN/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1. You plug it into the USB port, and it acts as a Wi-Fi access point that allows you to connect to the router that way.
It saved me any number of times when I messed up bad enough.
I know this is the Mikrotik reddit, I myself use mainly Mikrotik routers/switches/APs together with a few UniFi APs for wifi6 clients, let me just put a crazy idea out there. If you don't need VLANs and you just want the simplest route to really fast wifi5 and wifi6, there is the ASUS GT-AX6000. In the same location in my house that I have tested the Audience and the UniFi6 mesh, this wifi6 router from ASUS can get sustained 900Mbps (measured with iperf3) for wifi6 clients like an iPhone 11, and performs similar to the Audience and UniFi APs for wifi5. The setup is about 3 clicks through some webpages and it is online. It runs the Asuswrt variant of the opensource Tomato firmware, and there is also the well-supported Asuswrt-Merlin firmware that you can load on it. It is apparently possible to get it to work with VLANS, but I have never invested enough time into figuring that out. Just sayin.
Will, I am just following tutorials and using L2TP over IPSEC
But I think I am having issues in either Peers config or Identities Config
For the first one, I entered the address provided by Express and chose main in "Exchange Mode" (Tutorial said IKE2 but that won't even activate the port)
In Identities I chose Auth. Method as "pre shared key xauth" and entered the key in secret and username and password as provided by ExpressVPN
Still, I can see the Active Peers but no uptime and not connected to VPN
ExpressVPN is no doubt the same as others. I haven't done this in a while but I did have different ports and WiFi networks for 3 different countries going on one router which was pretty sweet at the time. Just a matter of creating different networks and different routes. All of the VPNs for each country were PPTP and super easy. These days maybe PPTP isn't secure enough, no doubt you have to use L2TP over IPSEC.
What is your use case ?
I did have to buy a new power supply to run off the PoE power though. This is the one I bought PoE Texas PS-48v60w | 48 Volt 60... https://www.amazon.com/dp/B00N6W1HGU?ref=ppx_pop_mob_ap_share
Of course you can just use the included adapter with the EAP also.
Mullvad does. Alternatively sign up for a VPS or cloud hosting and setup your own OpenVPN proxy. Best speed might come from wireguard instead of openvpn but I'm not sure if that's a true statement on this HW.
I had this problem on Windows 10, but not 7. My fix was this:
https://www.amazon.com/Cable-Matters-Ethernet-Adapter-Supporting/dp/B00BBD7NFU/
Works 100% of the time now, in every device I've used for NetInstall.
I had two Dell Latitudes that didn't like NetInstall on Windows 10 with Intel NICs. Now they work. Don't need it on Windows 7, same hardware...go figure.
Turning off all the interfaces didn't help me either.
This is what I have, worked perfectly. https://www.amazon.com/gp/product/B0753HBT12/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1
>PoE 8-port injector
??? Something like this: https://www.amazon.com/POE-8-48v60w-Passive-Ethernet-Midspan-Injector/dp/B0086SQDMM ?
I looked at those, but I was concerned about having a spaghetti closet with all the patch cables between the router and the distribution....
A trick I use for remote equipment installations is to purchase a battery-backed 12V power supply box made for access control and camera systems. You can snip off the wall wart and hard-wire any accessories that run on 12V directly into the overcurrent-protected terminals and only have one mains power cord.
One example:
https://www.amazon.com/EVERSECU-Channel-Cabinet-Regulated-Included/dp/B07VQSLGWR/
For 5V equipment, you can get either a small 12V-to-5V board on Amazon or install a 12V USB adapter.
I really appreciate your help with this. So, CPU is staying around 2% during the speed test. Also, same cable... connected directly to (https://www.amazon.com/gp/product/B07RH7VPDF) on a speed test gives 4.8Gbps up and down, so that rules out the ISP under-delivering or a cable issue.
Let me see where I can find the zero NAT rules and filters. I'm new to this, and this User Interface is a bit overwhelming for a n00b like myself.
Keep in mind these are $1k APs.
https://www.amazon.com/gp/product/B07RXLTRTP/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1 is $400 shipped. You could try ebay as well.
You'll want to use the Unleashed firmware, but that can be flashed on "Non-unleashed branded units".
My setup is a bit odd. I use the 2.4Ghz as a Hotspot in my cab for my phone and tablet. The 5Ghz Radio links up to my home WiFi so my Dashcam can upload. I have an L2TP VPN setup between the truck and my home network as well so I can do stupid things, like use a VoIP phone in my cab.
This is the antenna I installed: https://www.amazon.com/gp/product/B01MF9FXCZ/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1
There are less expensive options out there. I think Digikey has a shark-fin that does LTE/WiFi/GPS for about half the price. However, this one has a REALLY good seal. I've been through car washes and a couple turd-floater rains and not seen a drop in the cab.
What I don't do is have any failover between LTE and the 5Ghz. I just use the 5Ghz in my driveway exclusively for the dashcam to upload... though I would like it to use VPN over the LTE when away from home. Still haven't figured out the routing for that.
For power I installed a sub-panel in my passenger footwell near the factory fuse panel. The sub panel is wired straight to my battery with a Havis Charge Guard. The Charge Guard detects the ripple current of the alternator and kills power to the sub-panel 2 hours after the engine is stopped (resetting if the engine starts before the timer ends). The charge guard also monitors battery voltage and will shut off the panel sooner if the battery drops below 11V.
# mar/12/2022 23:44:29 by RouterOS 6.48.4
/ip firewall address-list
add address=192.168.88.0/24 list=ProtonVPN
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes
add action=accept chain=forward comment="defconf: accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
add action=accept chain=forward connection-nat-state=srcnat,dstnat in-interface-list=WAN protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=0-65535 in-interface=all-ethernet protocol=tcp to-addresses=192.168.88.140 to-ports=0-65535
https://hastebin.com/asenaqasaz.sql
Here you go. I think there are other issues with my current configuration too :c I am very new to this and could use all the help I need :c
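As an added example (not part of this thread), a small Python check that reads a RouterOS export in the format posted above and flags the two things a reviewer would look at first: default drop rules left at disabled=yes, and a dst-nat rule that forwards a whole port range to one LAN host. The sample export is an abridged, constructed copy of the posted one.

```python
"""Audit a RouterOS firewall export for weakened default rules (added example)."""
import shlex

# Constructed, abridged sample in the same format as a RouterOS export.
SAMPLE_EXPORT = r"""
# mar/12/2022 23:44:29 by RouterOS 6.48.4
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" \
    connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid disabled=yes
add action=drop chain=input comment="defconf: drop all not coming from LAN" disabled=yes \
    in-interface-list=!LAN
add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \
    connection-nat-state=!dstnat connection-state=new disabled=yes in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface-list=WAN
add action=dst-nat chain=dstnat dst-port=0-65535 in-interface=all-ethernet protocol=tcp \
    to-addresses=192.168.88.140 to-ports=0-65535
"""

def parse_export(text):
    """Yield (section, {key: value}) for every 'add' line, joining backslash continuations."""
    section, buf = None, ""
    for raw in text.splitlines():
        line = buf + raw.strip()
        if line.endswith("\\"):          # continuation line: keep collecting
            buf = line[:-1] + " "
            continue
        buf = ""
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):         # e.g. "/ip firewall filter"
            section = line
        elif line.startswith("add "):    # shlex keeps quoted comments as one token
            rule = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            yield section, rule

def audit(text):
    """Return a list of human-readable findings for the export text."""
    findings = []
    for section, r in parse_export(text):
        if section.endswith("filter") and r.get("action") == "drop" and r.get("disabled") == "yes":
            findings.append("disabled drop rule in chain %s: %s" % (r.get("chain", "?"), r.get("comment", "")))
        if r.get("action") == "dst-nat":
            lo, _, hi = r.get("dst-port", "0-65535").partition("-")
            if int(hi or lo) - int(lo) >= 1000:   # a whole host exposed rather than one service
                findings.append("dst-nat forwards ports %s to %s" % (r.get("dst-port", "all"), r.get("to-addresses", "?")))
    return findings

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print("WARNING:", finding)
```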
My setup...
Motorola MB8611 (2.5) > RB5009 7.1.1 (SFP+ 10Gb, set at 10G, turned off flow control both sides) > CSS326 Switch (SFP+ 10Gb) > Unraid NAS
Same Xfinity plan, I'm in Minnesota.
Just got my SFP DAC for the NAS today. Pulled 1.2Gb from internet real world in a Docker on the NAS. Fast.com test says >1.1Gb every time (on the NAS).
RB5009 is not using "fasttrack", has one simple queue for unlimited download and limiting upload at 35 to eliminate bufferbloat. Didn't watch router CPU during download but I think no issues.
Not sure if I am lucky, knocking on wood.
> Looking for advice here, not fanboyism. According to the official specs the hex pro does just 39.2Mbps @ 64 bytes. And, yes I know that is a lot smaller than most internet traffic.
My speedtest on the regular HEX $60 router while running 802.1x client to bypass AT&T's fiber gateway. If you're using a normal ISP that doesn't require 802.1x, you'd achieve even more than 900Mbps/700Mbps.
Honestly the CPU usage never went past 35% on Hex when running speedtests and downloading large iso and other test files. Based on your other replies I can tell you're a stereotypical smartass vyos user, but try to chill a little.
Personally left vyos for Ubnt then Mikrotik and haven't looked back.
I have no wireless mesh. 2 access points with wired connection to Poe+ switch. 16 wifi devices connected, most of which are smart home
Here are speeds on my Moto one action https://www.speedtest.net/my-result/a/5992427950
If you trust me, WinBox v3.31 -> https://anonfiles.com/T7uauas3wc/winbox64_exe
sha256 684e916766c261a8711f9416c411f80893a35bd75bce26f1f33438679eb9d95e winbox64.exe
Another DP: 5009 running 7.1.1, Motorola MB6811, Cox 1G overprovisioned. Running the modem's port directly into my laptop via 2.5G peaks around ~1.2Gbit. Plugging the modem into the 5009's 2.5G port gives me the ~400Mbit as reported here. Bought a SFP+ port when I got the 5009, and if I plug the modem into that, I get the ~1.2Gbit rate again.
FWIW, this is the SFP+ I'd used: https://www.amazon.com/gp/product/B08FXBFZP8 . It does report the rate to be 10G and negotiation "incomplete" in Interface Ethernet Status, which may be a key factor here.
I ended up buying this one, so I can control the speed:
ELUTENG Dual 40mm USB Fan with 3 Speeds Adjustable 5V PC Fan Max 5500RPM 40mm * 40mm * 25mm Mini Case Fan Quiet Computer Fan Compatible for PC, TV Box, Router, Xbox, Playstation https://www.amazon.com/dp/B08ZY7X4CR/ref=cm_sw_r_cp_api_glt_fabc_8X10YAPJ3EDPMQ5G1AZX
you need to set up the bandwidth limit within the queue type instead of the queue object for cake (i.e. you need two different queue objects for cake - one for download and a different one for upload)
my current setup of these queue types for my 16Mbit / 2Mbit ADSL Connection looks as follows:
[admin@MikroTik] > /queue/type/print detail where name~"cake.*"
Flags: * - default
 0   name="cake_UL" kind=cake cake-bandwidth=1800.0kbps cake-overhead=44 cake-atm=atm cake-overhead-scheme="" cake-rtt=100ms cake-rtt-scheme=internet cake-diffserv=diffserv4 cake-flowmode=dual-srchost cake-nat=yes cake-wash=no cake-ack-filter=filter cake-memlimit=1024.0KiB

 1   name="cake_DL" kind=cake cake-bandwidth=15.0Mbps cake-overhead=44 cake-atm=atm cake-overhead-scheme="" cake-rtt=100ms cake-rtt-scheme=internet cake-diffserv=diffserv4 cake-flowmode=dual-dsthost cake-nat=yes cake-wash=yes cake-ack-filter=none cake-memlimit=8.0MiB
for the needed overhead values for different connection types you can have a look at the openwrt sqm documentation which does list some examples there (https://openwrt.org/docs/guide-user/network/traffic-shaping/sqm#configuring_the_sqm_bufferbloat_packages below "link layer adaption")
to use these queues I just created a simple queue using these queue types for upload and download respectively:
[admin@MikroTik] > /queue/simple/print detail where name~"*_cake"
Flags: X - disabled, I - invalid; D - dynamic
 0   name="all_cake" target=192.168.7.0/24 dst=ether3_internet parent=none packet-marks="" priority=8/8 queue=cake_UL/cake_DL limit-at=0/0 max-limit=0/0 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s bucket-size=0.1/0.1
Thank you. Sorry, I only read about VLANs, have 0 experience with them yet.
So, my understanding is that basically openwrt AP will assign VLAN tags to packets and RouterOS will be able to see them?
A bummer, though, is that openwrt says that WiFi support for N66U is "sketchy" =\ https://openwrt.org/toh/asus/rt-n66u I'll see if I have other routers around that are better supported by openwrt
If it's TP-Link you can search for it in the OpenWRT database. If you have an appropriate model (if there is any OpenWRT build available) you can use OpenWRT and set it as an Access Point. I haven't tried it personally, but it should work fine.
Did you enable Hardware offloading on your bridge in ROS? I've seen a huge difference in CPU usage (practically it barely reaches 20%-25% in high traffic situations) after enabling it and I have a PPPoE client setup with queues and mangle rules set as well. My internet connection is a 100Mbps VDSL.
If hw offload is enabled, you'll see the H flag in the Ports list under Bridge.
> The gist of the article is to demonstrate that different VPN standards/implementations have different overheads and can lead to different throughput of data through the VPNs. That has no bearing on the version or the 3rd party service that you are using.
I think OP was specifically interested in Wireguard performance as VPN server since they called it out in their post.
> There might be some changes in the capacity but I have not come across a major change in my experience.
There's a lot of buzz around Wireguard's benchmarks since they represent a pretty significant step forward. Its small footprint allowed it to be built into the Linux kernel, opening up the possibility for Mikrotik to include it in RouterOS very recently. All these developments happened after the article you provided was written. The VPN and cryptography space is rapidly evolving and absolutely represents major changes.
It's IKEv2, so should be trivial to configure on a 'tik
You can try use https://protonvpn.com/support/linux-ikev2-protonvpn/ as the reference guide
Plays juuust fine. I have the router handle DHCP, and do address reservation for my usual devices.
Last time I think it was roughly 850 up and down.
And if you don't already have a pi-hole, I'd highly recommend looking into trying it out.
Ok, ignoring the router for a moment; if your server is running SSH on port 22 set fail2ban to allow SSH on that port with your 6 failed login settings.
Back to the router. If your server is running SSH on port 22, and fail2ban is accepting connections there, your settings should work. If your server is running SSH on a different port, set your 3710 rule's to-ports to the port your server is running on.
Not knowing your setup, take a look at Pi-hole for adblock. It can be installed on any Linux server, or there is a docker container that runs it.
And as for VPN, Mikrotik's can run those fairly stably. If you run into issues when you get there, feel free to PM me with a link to your post and I can help you if need be.
I just did a 2-pack of fans from Amazon and some adhesive backed heatsinks. A little noisy for sitting on a desk next to you but keeps the temps in check.
Will probably put a resistor inline with the power cable to quiet them down a bit further once I finish modeling/printing a couple shrouds.
I was pretty surprised at how well my new RB5009 is doing as a Wireguard client. I have it setup so any device with a default gateway pointed at an IP on my first LAN port goes out in the clear, but setting the default gateway to an IP on the second LAN port goes out through a Wireguard tunnel to Mullvad. In the clear, I speed test at around 550-650Mbps, but through Mullvad that drops to 475-500Mbps. It's been super stable too. I am happy.
for what OP is trying to achieve, yes. use the link above
I tried to manually do this with a few 4G links but Mikrotik don't really do it well.
What I did was an IPSec tunnel for each internet connection, then ran an EOIP tunnel over that and then bonded them together. It did work but I had much better results with OpenMPTCPRouter. If Speedify is not working for you then there is nothing you can do.
The reality is bonding internet connections is not linear anyway, so usually your speed is the slowest connection x how many connections you have.
I wonder if OP will come back to see this, but maybe it's something to do with "UDP Multicast", which some IPTV providers use. It's discussed in this OpenWRT wiki article...
Which pins are you referring to? https://openwrt.org/_detail/media/mikrotik/rb941-2nd_pcb_top.jpg?id=toh%3Amikrotik%3Arb941_2nd
common sense tells me a public mikrotik server is NOT doing 15TB a month, maybe a speedtest server. or a fast.com server.
unless you got actual links that talk about their usage, your guess is as good as mine.
Unplug the Tik. Go bare, plug your PC into WAN. Hit that bad boy up with fast.com and speedtest.net. Take a few tests, see if it actually gets to 240mbps. Whatever you max out at, multiply by .90 (240 * .9 = 216). Set the limit to 216 mbps. How are you guys getting internet access? Does each apartment have its own router or is everyone just connected via wired or random scattered APs?

Either way, if you need help and the landlord sees it as an issue, I can provide remote support and get you set up. All you need is a laptop and Teamviewer. This includes resetting the MikroTik to factory defaults, setting up graphing for everything (you will have insights of who's using the most etc), Queues and more. My rates aren't bad either.
Absolutely. If you ran out of options, I suggest you get this little device, MikroTik Woobm: https://www.amazon.com/gp/product/B07DZDF9GN/ref=ppx_yo_dt_b_search_asin_title?ie=UTF8&psc=1. It provides out-of-band management of your router. Saved my day many times, when I messed up the configurations and completely lost access. With this, you won't need to reset the device.
Use a pair of mikrotik 60G ac. https://www.amazon.de/MikroTik-preconfigured-CubeG-5ac60ad-W125911911-International/dp/B08P4LNZML/ref=mp_s_a_1_27?crid=2FFDI01J49B2V&keywords=mikrotik+60g+ac&qid=1636587407&sprefix=mikrotik+60g+ac%2Caps%2C130&sr=8-27 They are paired in the factory, you only need to plug in power and an ethernet cable.
I am really not good at software, but I can follow instructions. Do you have any guides ? I have zabbix installed in a vm from a pre-built from zabbix.com but other than that. I'm not really good at the rest. Running Mikrotik 6.47 stable.
Having different traceroute results is expected with a VPN. The VPN creates a tunnel through your ISP (and the rest of the world) to the VPN server and essentially makes that VPN host your next hop as far as your regular traffic is concerned. Those 10.x.x.x IPs are still there, just sort of hidden by the tunnel. Imagine you wanted to mail a letter to Argentina without giving out your address and without anyone knowing, you could put that letter in another letter and mail it to a trusted third person who sends the letter from their address.
Going with a PC directly into the modem is what support centers love to hear but if they're a pain, it may be best to stick with asking them simple questions that they don't have to spend too much time answering.
If changing your DNS seemed to help (versus using the one provided by your ISP, I assume?), it might be worth trying GRC's DNS Benchmark to see which ones are the fastest. https://www.grc.com/dns/benchmark.htm
Hmmm. You might be able to accomplish this with a DNS proxy, SmartDNS from OverPlay
https://www.overplay.net/en/products/smartdns
This would fix the Netflix issue pretty easily as well as services like iplayer and iTV.
However I was under the impression that roku was hard coded dns.
You could use your Mikrotik to intercept dns and redirect it to your Mikrotik, which then your Mikrotik would use the SmartDNS.
All of this is much easier and lighter than a VPN.
If you absolutely need a VPN, then they also offer a combo option too.
I was wondering if you could do it by DNAT-ing your UDP stream, rewriting the destination address to that multicast address. Found this via google:
http://serverfault.com/questions/257399/unicast-to-multicast-via-iptables
RouterOS uses iptables under the hood, so this might be of help to you.
I've recently been going through this trying to get it to work via FreeIPA via radius.
The radius -> FreeIPA works fine but i'm having issues with the way it handles the password via ldap. Any experience?
if i put the user directly into radius locally (rather than lookup via ldap in freeipa) it works fine.
It's specifically with how freeradius does the lookup inside ldap (useful for AD as well..)
Thanks, How would I do this with a dynamic DNS setup?
Currently mine looks like so: DynamicDNS (https://freedns.afraid.org/) > CNAME record on my domain > Resolves to public IP > Mikrotik > NAT rule for port 80 to my internal server's IP of 192.168.0.10.
Nginx then matches the domain to its config files and serves the appropriate files.
I just run this script in my scheduler every 15 minutes.
# last address seen; kept global so it survives between scheduler runs
:global currentIP;
# current address on the WAN interface, e.g. "203.0.113.5/24"
:local newIP [/ip address get [find interface="ether1"] address];
# strip the prefix length so only the address itself remains
:set newIP [:pick $newIP 0 [:find $newIP "/"]];
:if ($newIP != $currentIP) do={
    :log info "ip address $currentIP changed to $newIP";
    :set currentIP $newIP;
    # YOURUPDATEURL is the per-host update token from freedns.afraid.org
    :local url "https://freedns.afraid.org/dynamic/update.php?YOURUPDATEURL&address=$newIP";
    /tool fetch mode=http url="$url" keep-result=no
}
I regularly use PingPlotter (or alternatively WinMTR or Windows' built-in pathping from command prompt) to troubleshoot issues like this. Just point them towards something out on the internet (I usually pick Google's DNS, 8.8.8.8) and watch to see where this packet loss starts. If it's in the first hop, it may be between you and the router (perhaps wireless noise from neighbors?). If it's clean until a few hops in, it'd be on your ISP's side.
Thank you very much for your information and your time. I appreciate it.
I found a way to host a server visible to the public without any port forwarding. I'm using https://ngrok.com/ . They make a tunnel with me and direct the traffic to my pc, which is awesome. But they assign you a public IP and it changes every time or so.