**Official MikroTik Hardware**

Well, I guess I could keep the new cAPax and use it as the router and move the hAPax2 to my living room with another SSID and just hope the new cAP gives enough coverage elsewhere (smallish house, compact). That would mean moving cables and buying another cheap switch to put behind the cAPax.
 
That's just what I have atm, 2x office upstairs, we have a lot of old and new devices. Your idea makes more sense, though I've never been able to get my devices to ever roam properly, hence the system I use now. It's just lacking slight coverage to the offices, which I hope to improve with the above. I will try the theory though!
Now I'm trying to figure out pushing voltage from one end to the other.... reading now, no idea how it all works.
 
So I have the modem & hAP ax upstairs (VM&BT comes into a cupboard), a switch in the loft with a power source, and I want to bring the hAP ax to the downstairs shelf, use the cAP mounted to the loft ceiling as the router, replace the old switch (in loft) with a RB260GSP, and feed the hAP ax with power from the switch, which feeds a few PCs from the loft. The cAP comes complete with its own injector in the kit. I've never used PoE, it's a learning curve I guess. I'm still reading.....
Happy for any suggestions.
 
Well the Mikrotik hAP AX lite has arrived a couple of days early...



Turned it on, connected to it by my USB gigabit LAN cable and ran Winbox, tried to connect with the default MikroTik username admin and a blank password - wouldn't connect!! Ten minutes of cursing ensued, multiple resets etc., then by chance I picked up the router and noticed that on the sticker are new secure passwords for WIFI and Admin account.

Connected fine with the password, updated from stable 7.7 to stable 7.8 release and upgraded the Routerboard firmware. I am currently running the default config with DNS over HTTPS and default firewall rules with Fasttrack enabled.


I haven't tweaked anything with the wifi except add a more secure password, 20/40 MHz channels. My laptop with Intel AX200 wifi card 2x2 is connecting at 400-500mb+ speeds on 2.4 GHz with WPA3 only security. iPhone SE 5G is connecting at 200mb only though. This is going to need a bit of tweaking, but a good start so far.

 
Ahh Cool, glad you got it :D

I'm downstairs from mine, I get around 400 ish..

Code:
 netsh wlan show interface

There is 1 interface on the system:

    Name                   : WiFi
    Description            : Intel(R) Wi-Fi 6E AX210 160MHz
    GUID                   :
    Physical address       :
    Interface type         : Primary
    State                  : connected
    SSID                   :
    BSSID                  :
    Network type           : Infrastructure
    Radio type             : 802.11ax
    Authentication         : WPA3-Personal  (H2E)
    Cipher                 : CCMP
    Connection mode        : Profile
    Band                   : 2.4 GHz
    Channel                : 1
    Receive rate (Mbps)    : 413
    Transmit rate (Mbps)   : 413
    Signal                 : 83%
    Profile                :

    Hosted network status  : Not available

PS: right-click, show columns to hide MACs etc., also detailed mode.
 
Have you got certs for the HTTPS? I was thinking about a paid DNS but I've been having problems while testing so-called Win11 Encrypted DNS these...

Code:
 Get-DnsClientDohServerAddress

ServerAddress        AllowFallbackToUdp AutoUpgrade DohTemplate
-------------        ------------------ ----------- -----------
149.112.112.112      False              False       https://dns.quad9.net/dns-query
9.9.9.9              False              False       https://dns.quad9.net/dns-query
8.8.8.8              False              False       https://dns.google/dns-query
8.8.4.4              False              False       https://dns.google/dns-query
1.1.1.1              False              False       https://cloudflare-dns.com/dns-query
1.0.0.1              False              False       https://cloudflare-dns.com/dns-query
2001:4860:4860::8844 False              False       https://dns.google/dns-query
2001:4860:4860::8888 False              False       https://dns.google/dns-query
2606:4700:4700::1001 False              False       https://cloudflare-dns.com/dns-query
2606:4700:4700::1111 False              False       https://cloudflare-dns.com/dns-query
2620:fe::9           False              False       https://dns.quad9.net/dns-query
2620:fe::fe          False              False       https://dns.quad9.net/dns-query
 
Also Create another full user and disable the admin account ;)

Already done, default admin account has been binned after I took the screenshot, didn't want to put my secure username up.

To get cert for DNS over HTTPS use -


open up terminal

/tool fetch url="https://cacerts.digicert.com/DigiCertGlobalRootCA.crt.pem"
/certificate import file-name=DigiCertGlobalRootCA.crt.pem

/ip dns set use-doh-server=https://cloudflare-dns.com/dns-query verify-doh-cert=yes

/ip dns static

add address=1.1.1.1 name=cloudflare-dns.com

Then untick use Peer DNS from DHCP client. Set your NTP client and also untick use Peer NTP from DHCP client tab. Flush the DNS cache.

Also remove any dynamic servers from DNS tab and you should be good to go.
 
Great info, thanks.


/ip firewall nat add chain=dstnat action=redirect protocol=tcp dst-port=53
/ip firewall nat add chain=dstnat action=redirect protocol=udp dst-port=53
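
An offline audit of the DoH setup and port 53 redirects described in the posts above, as an added example that is not from the thread or from MikroTik. It assumes the configuration is available as `/export`-style text; `parse_export`, `audit_doh` and the sample export are hypothetical names and constructed data.

```python
import shlex
from urllib.parse import urlsplit

# Constructed sample in the style of a RouterOS "/export" (not from the thread).
SAMPLE_EXPORT = r'''
/ip dhcp-client
add interface=ether1 use-peer-dns=no use-peer-ntp=no
/ip dns
set allow-remote-requests=yes use-doh-server=https://cloudflare-dns.com/dns-query \
    verify-doh-cert=yes
/ip dns static
add address=1.1.1.1 name=cloudflare-dns.com
/ip firewall nat
add action=redirect chain=dstnat dst-port=53 protocol=tcp
add action=redirect chain=dstnat dst-port=53 protocol=udp
'''

def parse_export(text):
    """Return [(menu, verb, {key: value})] for each command line of an export."""
    items, menu = [], None
    for line in text.replace("\\\n", " ").splitlines():  # fold "\" continuations
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):  # assumption: menu path sits on its own line
            menu = line
            continue
        verb, *words = shlex.split(line)
        items.append((menu, verb, dict(w.split("=", 1) for w in words if "=" in w)))
    return items

def audit_doh(text):
    """Return findings for the DoH setup; an empty list means every check passed."""
    items = parse_export(text)
    findings, dns = [], {}
    for menu, verb, props in items:
        if menu == "/ip dns" and verb == "set":
            dns.update(props)
    doh = dns.get("use-doh-server", "")
    if not doh.startswith("https://"):
        findings.append("no DoH server configured")
    if dns.get("verify-doh-cert") != "yes":
        findings.append("verify-doh-cert is not yes")
    # The router cannot resolve the DoH hostname over DoH itself, hence the static entry.
    host = urlsplit(doh).hostname
    statics = {p.get("name") for m, v, p in items if m == "/ip dns static" and v == "add"}
    if host and host not in statics:
        findings.append(f"no static entry for {host}")
    for m, v, p in items:
        # Assumption: export omits defaults, and use-peer-dns defaults to yes.
        if m == "/ip dhcp-client" and v == "add" and p.get("use-peer-dns", "yes") != "no":
            findings.append(f"use-peer-dns left enabled on {p.get('interface')}")
    redirected = {p.get("protocol") for m, v, p in items
                  if m == "/ip firewall nat" and p.get("action") == "redirect"
                  and p.get("dst-port") == "53"}
    findings += [f"no port 53 redirect for {proto}"
                 for proto in ("tcp", "udp") if proto not in redirected]
    return findings

if __name__ == "__main__":
    print(audit_doh(SAMPLE_EXPORT) or "all checks passed")
```
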
 
What's new in 7.9rc1 (2023-Mar-30 16:42):

Changes in this release:

*) bgp - copy all well-known and optional transitive attributes for BGP VPNv4 (introduced in v7.9beta4);
*) bgp - fixed BGP VPNv4 origin attribute (introduced in v7.9beta4);
*) console - fixed syntax highlighting when editing scripts (introduced in v7.9beta4);
*) console - replaced "fingerprint" with "skid" in "/certificate print";
*) health - fixed bogus value reporting for CRS510 device;
*) ike1 - improved service stability when handling non-RSA keys (introduced in v7.9beta4);
*) ike2 - fixed minor logging typo;
*) ipsec - added error log message when peer ID does not match certificate;
*) ipsec - improved handling of configuration that refers to non-existent certificate (introduced in v7.9beta4);
*) ipv6 - fixed IPv6 ND configuration change storing (introduced in v7.9beta4);
*) ipv6 - send out RA packet with "preferred-lifetime" set to "0" when IPv6 address is deactivated;
*) netinstall-cli - improved device reinstall on failed attempt;
*) snmp - improved outputting of routes;
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) ssh - improved system stability when using SSH tunneling (introduced in v7.9beta4);
*) timezone - updated timezone information from "tzdata2023c" release;
*) wifiwave2 - fixed key handshake timeout for re-associating client devices on 802.11ac interfaces;
*) winbox - fixed changing slot name under "System/Disk" menu;

Other changes since v7.8:

*) bgp - improved BGP VPN selection;
*) bridge - added warning log when "ageing-time" exceeds supported hardware limit for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) bridge - fixed FastPath when setting "use-ip-firewall-for-vlan" or "use-ip-firewall-for-pppoe" without enabled "use-ip-firewall";
*) certificate - fixed bogus log messages;
*) chr - fixed public SSH key pulling when running on AWS;
*) console - added "/task" submenu (CLI only);
*) console - added option to create new files using "/file add" command (CLI only);
*) console - improved stability when doing "/console inspect" in certain menus;
*) console - improved stability when editing long strings;
*) console - improved system stability;
*) console - removed bogus "reset" command from "/system resource usb" menu;
*) console - rename flag "seen reply" to "seen-reply" under "/ipv6 firewall connection" menu;
*) console - show Ethernet advertise, speed and duplex settings depending on configured auto-negotiation;
*) container - fixed invoking "container shell" more than once;
*) container - improved "container pull" to support OCI manifest format;
*) detnet - fixed interface state detection after reboot;
*) dhcp - changed the default lease time for newly created DHCP servers to 30 minutes;
*) dhcpv4-server - release lease if "check-status" reveals no conflict;
*) disk - improved system stability when removing USB while formatting;
*) ethernet - fixed half-duplex forced mode at 10Mbps and 100Mbps on ether1 for RB5009, Chateau 5G ax and hAP ax3 devices;
*) filesystem - fixed partition "copy-to" function;
*) firewall - added "connection-nat-state" to IPv6 mangle and filter rules;
*) health - added limited manual control over fans for CRS3xx, CRS5xx, CCR2xxx devices;
*) ipsec - fixed packet processing by hardware encryption engine on RB850Gx2 device;
*) ipsec - refactor X.509 implementation;
*) ipv6 - added "valid" and "lifetime" parameters for SLAAC IPv6 addresses;
*) l3hw - improved route offloading for 98DX224S, 98DX226S, and 98DX3236 switch chips;
*) leds - disable LEDs after "/system shutdown";
*) lte - capped maximum lifetime of SLAAC address to 1 hour;
*) lte - fixed CA band clearing on RAT mode change;
*) lte - fixed duplicate IPv6 route for lte interface when "ipv6-interface" setting is used;
*) lte - fixed LTE interface not showing up when resetting RouterOS configuration;
*) lte - fixed passthrough mode when used together with another APN for Chateau 5G;
*) lte - fixed R11-LTE-US in LTE passthrough mode;
*) lte - fixed R11e-LTE-US reporting of RSSI in LTE mode;
*) lte - fixed re-attach in some cases where module would stay in not-running state after network detach;
*) lte - fixed second modem halt on dual R11e-LTE6 setup;
*) mpls - fixed LDP "preferred-afi" parameter;
*) netwatch - added "startup-delay" setting (CLI only);
*) netwatch - improved ICMP status evaluation when no reply was present;
*) netwatch - limit "start-delay" range;
*) ospf - fixed processing of fragmented LSAs;
*) ovpn - added support for OVPN server configuration export and client configuration import from .ovpn file;
*) quickset - fixed displaying of "SINR" when value is 0;
*) rose-storage - added option to nvme-discover with hostname (CLI only);
*) rose-storage - fixed crash on nvme-tcp disable;
*) rose-storage - fixed rsync transfer permissions;
*) rose-storage - various stability fixes;
*) route - fixed "dynamic-id" for VRF tables;
*) route - improved system stability when making routing decision;
*) route - show SLAAC routes under the "/routing route" menu;
*) route-filter - improved stability when matching blackhole routes;
*) routerboot - added "preboot-etherboot" and "preboot-etherboot-server" settings ("/system routerboard upgrade" required) (CLI only);
*) sfp - added log warning about failed auto-initialization on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules that hold "TX_FAULT" high signal all the time on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - allow modules with bad or no EEPROM in forced mode on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - fixed "rate-select" functionality on CCR2004-16G-2S+ and CCR2004-1G-12S+2XS devices (introduced in v7.8);
*) sfp - fixed combo-ether link monitor for CRS328-4C-20S-4S+ switch;
*) sfp - improved module initialization and display more detailed initialization status on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) sfp - improved SFP28 interface stability with some optical modules for CRS518 switch;
*) sfp - improved system stability with some SFP GPON modules on RB4011, RB5009, CCR2004-1G-12S+2XS, CCR2004-16G-2S+, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ devices;
*) socks - added VRF support;
*) ssh - added Ed25519 host key support;
*) ssh - do not allow SHA1 usage with strong crypto enabled;
*) ssh - improved service responsiveness when changing SSH service settings;
*) ssh - improved SSH key import process;
*) storage - mount RAM drive for devices with 32MB flash;
*) supout - added DHCP server network section;
*) switch - fixed ACL rules matching IPv6 packets when using only IPv4 matchers;
*) switch - improved system stability for 98DX8208, 98DX8216, 98DX8212, 98DX8332, 98DX3257, 98DX4310, 98DX8525, 98DX3255, 98PX1012 switches;
*) vrrp - added "self" value for "group-master" setting;
*) vxlan - added forwarding table;
*) vxlan - fixed packet drops when host moves between remote VTEPs;
*) webfig - added inline comments;
*) webfig - fixed "Destination" value under "MPLS/Forwarding-Table" menu;
*) webfig - fixed issue where "Certificate" value disappears under "IP/Services" menu;
*) webfig - fixed issue where entries might be missing under "IP/DHCP-Server" menu;
*) webfig - various stability fixes;
*) wifiwave2 - added "radio/reg-info" command to show regulatory requirements (currently implemented for 802.11ac interfaces) (CLI only);
*) wifiwave2 - added ability to configure antenna gain;
*) wifiwave2 - added ability to configure beacon interval and DTIM period;
*) wifiwave2 - added information on additional interface capabilities to radio parameters;
*) wifiwave2 - automatically add a VLAN-tagged interface to the appropriate bridge VLAN;
*) wifiwave2 - exit sniffer command and return error when trying to sniff on an unsupported channel;
*) wifiwave2 - fixed 802.11r roaming for clients that performed initial authentication with an AP which has been restarted since;
*) wifiwave2 - fixed issue of some supported channels not being listed in the radio parameters;
*) wifiwave2 - fixed issue which lead to VLAN-tagged wireless clients receiving tagged traffic from other VLANs;
*) wifiwave2 - fixed VLAN tagging for unencrypted (open) APs;
*) wifiwave2 - improved general interface stability;
*) wifiwave2 - improved regulatory compliance for hAP ax^2, hAP ax^3 and Chateau ax;
*) wifiwave2 - increased maximum value for "channel.frequency" to 7300;
*) wifiwave2 - show information on captured packets and added ability to save them locally in a pcap file;
*) winbox - added "MTU" and "Hoplimit" properties under "IPv6/Routes" menu;
*) winbox - added "Preferred AFI" property under "MPLS/LDP-Instance" menu;
*) winbox - added "S" flag under "IPv6/Firewall/Connections" menu;
*) winbox - added "Tx Power" property under "Wifiwave2/Status" menu;
*) winbox - added "Tx Queue Drops" property under interface settings "Traffic" tab;
*) winbox - added "Username" and "Password" properties under "Container/Config" menu;
*) winbox - added "Valid" and "Preferred" properties under "IPv6/Address" menu;
*) winbox - added missing properties for "Remote ID Type" under "IP/IPsec/Identities" menu;
*) winbox - changed route flag name from "invalid" to "inactive";
*) winbox - fixed "TLS" property under "Tools/Email" menu;
*) winbox - fixed "Type" property under "System/Disk" menu when "rose-storage" package is installed;
*) winbox - fixed default value for "Allow managed" property under "Zerotier" menu;
*) winbox - fixed duplicate "My ID" column under "IP/IPsec/Identities" menu;
*) winbox - fixed minor typo in "WifiWave2/Radios" menu;
*) winbox - fixed missing "Sector Writes" for certain devices under "System/Resources" menu (introduced in v7.8);
*) winbox - improved Ethernet advertise, speed and duplex settings;
*) winbox - only show permitted countries for wifiwave2 interfaces;
*) winbox - show missing "Designated Bridge" and "Designated Port Number" monitoring data under "Bridge/Port" menu;
*) www - allow unsecure HTTP access to REST API;
*) x86 - fixed changing software-id (introduced in v7.7);
*) zerotier - upgraded to version 1.10.3;

While I think it’s great that folks are following the RouterOS updates I would caution anyone to think REALLY hard before they upgrade to a non-stable release. MikroTik stable releases are, generally, OK, but the others are quite often as buggy as a very buggy thing and should be approached with extreme caution.
 
@WJA96 Have you faced any of these bugs yourself & if so what type of issues did you have?

Sometimes I do go try out an rc build if I see something that looks interesting. But otherwise I generally try to stay on stable, but haven't had any issues myself when I did use rc, that said I don't access the router itself much & I don't have any super complicated setup either...
 
What's new in 7.9rc2 (2023-Apr-05 13:56):

Changes in this release:

*) snmp - fixed several OIDs that were returning empty values (introduced in v7.9beta4);
*) ssh - added support for Ed25519 key export and import in PKCS8 format;
*) wifiwave2 - fixed group key update for VLAN-tagged clients (introduced in v7.9beta4);

I am still happily running 7.9RC1 on the AX lite, no issues so far, no memory leaks and I have chucked a couple of hundred gigs through it and all seems stable.
 