Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

charymsylyn
post Apr 10 2018, 10:06 PM

On my way
****
Junior Member
500 posts

Joined: May 2007
From: Kuala Lumpur
QUOTE(rioven @ Apr 6 2018, 05:16 PM)
Great finding, less complicated than my previous adblock. The list is almost the same. Btw it's advisable to increase its cache to a large size (let's say about 16mb, can't remember default size)
*
I wasn't sure what you meant by cache size so I spent some time looking at the DNS window and noticed there is a Cache Size field in IP > DNS. It was set to 2048KB so I assume this is the default. Changed it to 16384KB and the Cache Used indicator now shows 10061KB used. Thanks.
jio
post Apr 12 2018, 01:04 AM

Casual
***
Junior Member
383 posts

Joined: May 2005
For those looking for hap ac2, you can get it from sublime for 299. I had mine for a couple of weeks now (bought from overseas) for use at hometown. The 5GHz performance is kinda low, probably due to interference, not sure of the root cause though (there were a couple of dual band routers and other devices next to it). It had 233MB RAM, more than the advertised spec of hap ac2.

edit: I just checked mikrotik forum and plenty of ppl are complaining about the hap ac2 wifi performance issue. I only use it with Digi LTE which had shitty speed at my hometown. And I thought interference & LTE congestion were the cause for the shittier speed. Well, avoid hap ac2 for now.

This post has been edited by jio: Apr 12 2018, 01:24 AM
iXora.ix
post Apr 12 2018, 10:54 AM

scoot scoot
******
Senior Member
1,682 posts

Joined: Jan 2007
From: Kuala Lumpur



Hi guys, I need opinions on setting up the hypp tv. I got an rb3011 (upstairs, handling pppoe) and a spare rb750 (downstairs, to receive hypp tv). My question is, can these two do a vlan trunk? So both internet and vlan600 connection can pass through using a single cable, and from the 750 I can output to normal internet and also vlan600 for hypp tv.
Need advice, thanks.
soonwai
post Apr 12 2018, 06:45 PM


********
All Stars
11,459 posts

Joined: Oct 2007
From: KL


QUOTE(iXora.ix @ Apr 12 2018, 10:54 AM)
Hi guys, I need opinions on setting up the hypp tv. I got an rb3011 (upstairs, handling pppoe) and a spare rb750 (downstairs, to receive hypp tv). My question is, can these two do a vlan trunk? So both internet and vlan600 connection can pass through using a single cable, and from the 750 I can output to normal internet and also vlan600 for hypp tv.
Need advice, thanks.
*
In a hurry, so let me know if anything is not clear.

CODE
# apr/12/2018 18:26:28 by RouterOS 6.42rc52
# model = RouterBOARD 750G r3
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no comment=defconf name=bridge1 vlan-filtering=yes
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=50
add bridge=bridge1 interface=ether3-trunk1
add bridge=bridge1 interface=ether5-wan1
add bridge=bridge1 interface=bonding1 pvid=50
/interface bridge vlan
add bridge=bridge1 tagged=ether3-trunk1,bridge1 untagged=ether2,bonding1 vlan-ids=50
add bridge=bridge1 tagged=ether5-wan1,ether3-trunk1,bridge1 vlan-ids=600

This is the bridge config on my main router, where Unifi is coming into.

My VLANs:
vlan600 for HyppTV.
vlan50 for LAN traffic.
There're 2 more vlans but can be ignored so I removed them from the above config. I don't have any untagged traffic.

Most important:
ether3-trunk1 is the trunk to my RB2011UAS downstairs. (trunk for vlan50 and vlan600)
ether5-wan1 is connected to the BTU.
ether2 is connected to a switch. (vlan50)
ether1 and ether4 are bonded to another Mikrotik. Can ignore this. (vlan50)

Downstairs, for the router on the other end of the trunk, you configure something similar to the above.

CODE
# apr/12/2018 18:40:00 by RouterOS 6.42rc52
# model = 2011UAS-2HnD
/interface bridge
add admin-mac=xxxxxxxx auto-mac=no name=bridge1 protocol-mode=none
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether7

/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set 3 vlan-mode=secure
set 5 default-vlan-id=600 vlan-header=always-strip vlan-mode=secure
set 11 default-vlan-id=50 vlan-mode=secure
/interface ethernet switch vlan
add independent-learning=no ports=ether1,ether5 switch=switch1 vlan-id=600
add independent-learning=no ports=ether1,ether2,switch1-cpu switch=switch1 vlan-id=50

Mine is like this. For educational purposes, my RB2011 is configured using the switch chip. So it may be a bit confusing. It still is to me.
Maybe easier if you just configure using bridge and vlans like the first router.

Note: Not sure 100% if all this is the optimal way but it works.

This post has been edited by soonwai: Apr 12 2018, 06:54 PM
iXora.ix
post Apr 12 2018, 10:02 PM

scoot scoot
******
Senior Member
1,682 posts

Joined: Jan 2007
From: Kuala Lumpur



Thank you so much for the guide. I shall do it and revert back to you if anything.
Out of curiosity, what is this function for?

CODE
add admin-mac=xxxxxxxx and  

and

/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set 3 vlan-mode=secure
set 5 default-vlan-id=600 vlan-header=always-strip vlan-mode=secure

set 11 default-vlan-id=50 vlan-mode=secure
soonwai
post Apr 12 2018, 10:59 PM


********
All Stars
11,459 posts

Joined: Oct 2007
From: KL


QUOTE(iXora.ix @ Apr 12 2018, 10:02 PM)
Thank you so much for the guide. I shall do it and revert back to you if anything.
Out of curiosity, what is this function for?

CODE
add admin-mac=xxxxxxxx and  

and

/interface ethernet switch port
set 1 vlan-header=add-if-missing vlan-mode=secure
set 2 default-vlan-id=50 vlan-header=always-strip vlan-mode=secure
set 3 vlan-mode=secure
set 5 default-vlan-id=600 vlan-header=always-strip vlan-mode=secure

set 11 default-vlan-id=50 vlan-mode=secure
*
Sorry, /export doesn't show all the info. #11 is switch1-cpu. Here's a /print to give the /export some context.
CODE
[RB2011UAS SL7] /interface ethernet switch port> print
Flags: I - invalid
#   NAME                         SWITCH                        VLAN-MODE VLAN-HEADER    DEFAULT-VLAN-ID
0   sfp1                         switch1                       disabled  leave-as-is               auto
1   ether1                       switch1                       secure    add-if-missing            auto
2   ether2                       switch1                       secure    always-strip                50
3   ether3                       switch1                       secure    leave-as-is               auto
4   ether4                       switch1                       disabled  leave-as-is               auto
5   ether5                       switch1                       secure    always-strip               600
6   ether6                       switch2                       disabled  leave-as-is                  0
7   ether7                       switch2                       disabled  leave-as-is                  0
8   ether8                       switch2                       disabled  leave-as-is                  0
9   ether9                       switch2                       disabled  leave-as-is                  0
10   ether10                      switch2                       disabled  leave-as-is                  0
11   switch1-cpu                  switch1                       secure    leave-as-is                 50
12   switch2-cpu                  switch2                       disabled  leave-as-is                  0

The RB2011 has 2 separate switches hence switch1-cpu & switch2-cpu.

This post has been edited by soonwai: Apr 12 2018, 11:00 PM
iXora.ix
post Apr 13 2018, 11:34 AM

scoot scoot
******
Senior Member
1,682 posts

Joined: Jan 2007
From: Kuala Lumpur



I see. Same as the rb3011. I need to study the switch again, as on my 3011 I bridge all ports from port 2 till 10 (before this I used master/slave). Going to work on it after I get home. Thank you
MX510
post Apr 15 2018, 08:36 PM

Love Me Sin Hate Me Sinner
*******
Senior Member
4,038 posts

Joined: Aug 2005
From: Earth



Mikrotik CAP AC

For those who want this router @ access point can place order here


Gigabit Controller Managed AP
Integrated Dual Band & Dual Chain WiFi - 802.11b/g/n 2.4 GHz and 802.11ac 5GHz
All new ARM 4 Core 716 MHz CPU - IPQ-4018
2 x 1000Base-T Ethernet ports - Gigabit AP
Built in 128MB RAM
Level 4 RouterOS license
802.3at/af POE-in - supported
Passive POE out on second gigabit port
Up-to 26 dBm TX power

The device comes bundled with two enclosures, so you can choose the design you like best. The cAP ac is a very capable and powerful wireless access point that looks beautiful on both walls and ceilings. The concurrent dual band wireless radio supports dual chain 2 GHz and 5 GHz in 802.11ac and legacy standards, and will provide coverage in 360 degrees around it. Even though the radio supports repeater mode, the two Ethernet ports give you the ability to extend your network with cables, even if PoE power is required, since the cAP ac supports 802.3af/at PoE input on the first port, and passive PoE output (up to 57V) on the second port. The cAP ac is a feature packed device with a sleek enclosure, that can become inconspicuous with the push of a button - the customizable mode button in the device center will turn off all lights and sounds at its default configuration, but can be reconfigured to launch any RouterOS script. The cAP ac is equipped with two Ethernet ports, allowing you to connect another device, to further extend your network. What’s more, the second Ethernet port supports passive PoE output (up to 57 V), so it can power a wide variety of RouterBOARDs and other devices, like IP cameras. In the following scenario, you can use a central hEX PoE device to power all your cAP ac units, and then have cAP lite units connected to provide even better coverage. The hEX PoE can even be used as a CAPsMAN server, so you can easily manage all your access points, and control all their settings in a single device. We sell cAP ac (International) 2412-2484MHz and 5150MHz-5875MHz range

This post has been edited by MX510: Apr 17 2018, 07:42 AM
hersa_wex
post Apr 18 2018, 04:10 PM

Anim3 [F]r3ak
******
Senior Member
1,708 posts

Joined: Jan 2003
From: Penang

QUOTE(MX510 @ Apr 15 2018, 08:36 PM)
Mikrotik CAP AC

For those who want this router @ access point can place order here

Gigabit Controller Managed AP
Integrated Dual Band & Dual Chain WiFi - 802.11b/g/n 2.4 GHz and 802.11ac 5GHz
All new ARM 4 Core 716 MHz CPU - IPQ-4018
2 x 1000Base-T Ethernet ports - Gigabit AP
Built in 128MB RAM
Level 4 RouterOS license
802.3at/af POE-in - supported
Passive POE out on second gigabit port
Up-to 26 dBm TX power

The device comes bundled with two enclosures, so you can choose the design you like best. The cAP ac is a very capable and powerful wireless access point that looks beautiful on both walls and ceilings. The concurrent dual band wireless radio supports dual chain 2 GHz and 5 GHz in 802.11ac and legacy standards, and will provide coverage in 360 degrees around it. Even though the radio supports repeater mode, the two Ethernet ports give you the ability to extend your network with cables, even if PoE power is required, since the cAP ac supports 802.3af/at PoE input on the first port, and passive PoE output (up to 57V) on the second port. The cAP ac is a feature packed device with a sleek enclosure, that can become inconspicuous with the push of a button - the customizable mode button in the device center will turn off all lights and sounds at its default configuration, but can be reconfigured to launch any RouterOS script. The cAP ac is equipped with two Ethernet ports, allowing you to connect another device, to further extend your network. What’s more, the second Ethernet port supports passive PoE output (up to 57 V), so it can power a wide variety of RouterBOARDs and other devices, like IP cameras. In the following scenario, you can use a central hEX PoE device to power all your cAP ac units, and then have cAP lite units connected to provide even better coverage. The hEX PoE can even be used as a CAPsMAN server, so you can easily manage all your access points, and control all their settings in a single device. We sell cAP ac (International) 2412-2484MHz and 5150MHz-5875MHz range
*
Compared to the wAP AC, which has 3 chains, which is better in terms of wireless performance?
soonwai
post Apr 23 2018, 07:14 PM


********
All Stars
11,459 posts

Joined: Oct 2007
From: KL


Advisory: Vulnerability exploiting the Winbox port

https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

This is bad. For those who have Winbox open.

Time to switch to Asus.
MX510
post Apr 23 2018, 07:19 PM

Love Me Sin Hate Me Sinner
*******
Senior Member
4,038 posts

Joined: Aug 2005
From: Earth



QUOTE(soonwai @ Apr 23 2018, 07:14 PM)
Advisory: Vulnerability exploiting the Winbox port

https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

This is bad. For those who have Winbox open.

Time to switch to Asus.
*
Actually TM modem and router are also vulnerable to this new modem comes with different default password with last 4 digit of mac address

There is a lot of attack on port 80

Do secure your router by setting a password on your Mikrotik router

remove admin full access by set with different username and password

In addition you can always

Assign a different port

IP -> Services -> www either disable or set different port



XPS
post Apr 23 2018, 07:29 PM

Casual
***
Junior Member
322 posts

Joined: Jan 2008
QUOTE(soonwai @ Apr 23 2018, 07:14 PM)
Advisory: Vulnerability exploiting the Winbox port

Time to switch to Asus.
*
And lose all your ability to customise on Mikrotik?

It's all over again RSA then AES if you know the history. Open source in theory is the only safe approach as the codes can be verified, no hidden stuff etc

This post has been edited by XPS: Apr 23 2018, 09:02 PM
XPS
post Apr 23 2018, 07:35 PM

Casual
***
Junior Member
322 posts

Joined: Jan 2008
QUOTE(MX510 @ Apr 23 2018, 07:19 PM)
Actually TM modem and router are also vulnerable to this new modem comes with different default password with last 4 digit of mac address

There is a lot of attack on port 80

Do secure your router by setting a password on your Mikrotik router

remove admin full access by set with different username and password

In addition you can always

Assign a different port

IP -> Services -> www either disable or set different port
*
The real threat is more than firewall. It's how well protected the vendor firmware is on the download servers, development - test - release software controls, etc. Also how are clients within the internal network protected against an attack originating from an internal client.
soonwai
post Apr 23 2018, 08:16 PM


********
All Stars
11,459 posts

Joined: Oct 2007
From: KL


QUOTE(XPS @ Apr 23 2018, 07:29 PM)
And lose all your ability to customise on Mikrotik?
...
*
No lah, kidding of course. Last week flashed Tomato on my old RT-N16. Been meaning to try it out. It looks so pretty.
XPS
post Apr 23 2018, 08:53 PM

Casual
***
Junior Member
322 posts

Joined: Jan 2008
QUOTE(soonwai @ Apr 23 2018, 08:16 PM)
No lah, kidding of course. Last week flashed Tomato on my old RT-N16. Been meaning to try it out. It looks so pretty.
*

Tomato not LEDE on RT-N16? Would be awesome to get your experiences with a network with LEDE, PiHole ad-blocker, some intrusion detection device. That's a project on the back burner for now until can find some time.

soonwai
post Apr 23 2018, 09:52 PM


********
All Stars
11,459 posts

Joined: Oct 2007
From: KL


QUOTE(soonwai @ Apr 23 2018, 07:14 PM)
Advisory: Vulnerability exploiting the Winbox port

https://forum.mikrotik.com/viewtopic.php?f=21&t=133533

This is bad. For those who have Winbox open.

Time to switch to Asus.
*
Vulnerability fixed (hopefully) in just released v6.42.1 and v6.43rc4.

This post has been edited by soonwai: Apr 23 2018, 10:05 PM
Ebony & Ivory
post Apr 24 2018, 12:59 AM

Enthusiast
*****
Senior Member
962 posts

Joined: Jan 2016
Not a big issue, as vulnerabilities do happen from time to time.

So in order to stay secure, it is vital for us to configure the firewall properly and make sure the device is up to date with the latest patch.

Tips from MikroTik: disable any unused IP service, firewall Winbox/SSH/Telnet or any used IP service port exposed to the internet, restrict the access of IP services to certain addresses only, update to 6.42.1.
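
The tips in the post above (disable unused IP services, restrict the rest to certain addresses, update to a fixed release) written as a check over a RouterOS `/export`. This is an added example, not part of any post in this thread; the sample exports are constructed, and the default service states and the function names are assumptions of the example.

```python
import re

# Assumption: RouterOS 6.x factory state of /ip service is "everything enabled
# except www-ssl"; /export prints only settings that differ from the defaults.
SERVICES = "telnet ftp www ssh www-ssl api winbox api-ssl".split()

def parse_version(text):
    """Return (major, minor, patch, is_final, rc) from the export header."""
    m = re.search(r"by RouterOS (\d+)\.(\d+)(?:\.(\d+))?(?:rc(\d+))?", text)
    if not m:
        return None
    major, minor, patch, rc = (int(g) if g else 0 for g in m.groups())
    return (major, minor, patch, 0 if m.group(4) else 1, rc)

def is_fixed(ver):
    """Fixed releases named in the thread: v6.42.1 and v6.43rc4 (only these)."""
    if ver[:2] == (6, 43) and ver[3] == 0:   # 6.43 release candidates
        return ver[4] >= 4
    return ver >= (6, 42, 1, 1, 0)

def audit(export_text):
    """Return findings for an /export that contains the /ip service section."""
    state = {n: {"disabled": n == "www-ssl", "address": ""} for n in SERVICES}
    section = ""
    for line in map(str.strip, export_text.splitlines()):
        if line.startswith("/"):
            section = line
        elif section == "/ip service" and line.startswith("set "):
            name, *pairs = line[4:].split()
            for key, _, value in (p.partition("=") for p in pairs):
                if name in state and key == "disabled":
                    state[name]["disabled"] = value == "yes"
                elif name in state and key == "address":
                    state[name]["address"] = value.strip('"')
    findings = []
    ver = parse_version(export_text)
    if ver and not is_fixed(ver):
        findings.append("version: older than 6.42.1 / 6.43rc4")
    for name, s in sorted(state.items()):
        if not s["disabled"] and not s["address"]:
            findings.append(f"{name}: enabled, no address restriction")
    return findings

# Constructed sample exports, not taken from the thread.
WEAK = "# apr/20/2018 10:00:00 by RouterOS 6.42rc52\n/ip service\nset telnet disabled=yes\n"
HARDENED = """# apr/24/2018 10:00:00 by RouterOS 6.42.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh address=192.168.88.0/24
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
"""

if __name__ == "__main__":
    for label, text in (("weak", WEAK), ("hardened", HARDENED)):
        print(label, audit(text))
```

The check only covers `/ip service`; input-chain firewall rules for the same ports are a separate layer and are not inspected here.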
squall0833
post Apr 24 2018, 10:35 PM

Regular
******
Senior Member
1,473 posts

Joined: Oct 2006
From: Jupiter


Just finished basic setup for my new mikrotik router

Looks complicated, imma start to learn using routerOS from now on :3
squall0833
post May 3 2018, 12:19 AM

Regular
******
Senior Member
1,473 posts

Joined: Oct 2006
From: Jupiter


QUOTE(jio @ Apr 12 2018, 01:04 AM)
For those looking for hap ac2, you can get it from sublime for 299. I had mine for a couple of weeks now (bought from overseas) for use at hometown. The 5GHz performance is kinda low, probably due to interference, not sure of the root cause though (there were a couple of dual band routers and other devices next to it). It had 233MB RAM, more than the advertised spec of hap ac2.

edit: I just checked mikrotik forum and plenty of ppl are complaining about the hap ac2 wifi performance issue. I only use it with Digi LTE which had shitty speed at my hometown. And I thought interference & LTE congestion were the cause for the shittier speed. Well, avoid hap ac2 for now.
*
FYI, wifi performance issue is fixed on 6.43rc5 for hap ac2

I'm using it, works great


Hello Sifus, some quick questions about simple queue and queue tree

Can I use them simultaneously?

For example, currently I'm prioritizing 80,443 traffic as first priority over all other traffic on Queue Tree, and can also limit speed by the kind of traffic (differentiating traffic by using packet marks)

then use Simple Queue to do priority and speed limit for clients by local IP addresses (assign them static IPs on DHCP and set specific IP addresses to control)

I'm still looking for a way to force clients to use a specified IP address by their MAC address, blocking their network access if they manually change to other IP addresses (prevent them from changing their LAN IP)

I tried and it works pretty well for what I need

Is it alright to use it that way? Any conflict?

This post has been edited by squall0833: May 3 2018, 02:27 AM
Gaara92
post May 4 2018, 11:59 AM

Herald
****
Junior Member
612 posts

Joined: Mar 2008


Need help to configure IPv6 on TIME internet. I tried to follow tutorials for TM Unifi but it didn't work. Can someone assist me with how to configure mikrotik to get an ipv6 address from TIME internet?

Currently I am using hAP-ac
