Community discussions

Search found 94 matches

by azzurro
Mon Apr 29, 2024 11:48 pm
Forum: Wireless Networking
Topic: LTE passthrough + management on one interface - sanity check
Replies: 2
Views: 1768

LTE passthrough + management on one interface - sanity check

Hi I'm trying to configure my Chateau LTE12 so it passes through lte1 to ether1 and so that I have a VLAN interface (ID 1128 in my case) for management, also on ether1. The following config seems to work just fine, I just wanted to have it sanity checked whether there are any obvious mistakes or no-...
by azzurro
Fri Mar 15, 2024 2:05 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

at least, that's the message that they are sending. kind of. because not many home users or small businesses will need a 40G switch. especially when considering that the 40G train is kind of dead, since 10/25/100/400G emerged.
by azzurro
Fri Mar 15, 2024 1:09 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

I don't know, honestly. but their level of ignorance drove me away from mikrotik for anything edge-firewall which needs to do VPN stuff.
by azzurro
Fri Mar 15, 2024 10:53 am
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

just move to a different vendor. mikrotik only supporting policy based ipsec vpn has shown to stay beyond ridiculousness.
by azzurro
Wed Feb 14, 2024 10:01 pm
Forum: Wireless Networking
Topic: R11e-LTE6 modem firmware changelog
Replies: 38
Views: 20196

Re: R11e-LTE6 modem firmware changelog

how are things going with V036? I'm running V034 and not intending to upgrade, since everything is working rock-solid for me.
Just being curious.
by azzurro
Mon Dec 11, 2023 12:07 am
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

update: I was on 7.11.2, which had a bug where fasttrack wouldn't work properly anymore with L3 HW.
updated to 7.12.1 and now fasttrack is working and cpu load has dropped significantly.
by azzurro
Sun Dec 10, 2023 3:03 am
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

If you want traffic from a port to be manipulated, disable offloading on that port. Enable fasttrack rules with hwoffload=yes to match already classified traffic and take advantage of some acceleration. Little follow-up to this topic. Until now, just not offloading anything that exits ether1 worked ...
by azzurro
Tue Sep 19, 2023 6:00 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

IPSEC improvement is here, it's called wireguard ;-P
yea, sure ;)
by azzurro
Tue Sep 19, 2023 5:26 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

as I said, I do not care anymore. that amount of ignorance won't drive just me away. MT is now switches for me and that's it (maybe L3 switches). certainly no firewall and certainly no ipsec endpoint. both are hilariously cumbersome if one has ever worked with any kind of even entry level enterprise ...
by azzurro
Tue Sep 19, 2023 1:14 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

unsubscribing, since I do not even care anymore. moved back to fortigates because of this crap.
by azzurro
Tue Aug 29, 2023 3:24 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

ok, this is it people, no plans but they'll "consider it". bye bye for good for any edge routers, mikrotik... Hello, Thank you for contacting MikroTik Support. At the moment there are no plans to change IPSEC functionality, thanks for your request we will consider such implementation. Best...
by azzurro
Tue Aug 29, 2023 12:32 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

sure, that's why I bought the RB5009 in the first place. but it turned out that different features were more important than like having an SFP+ port. also, I bought mine used for EUR 350. Also, you can get a 40F which is still as powerful (if not more powerful) as a RB5009 and that is obtainable wel...
by azzurro
Tue Aug 29, 2023 11:58 am
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

yeah well, I've just switched back to a Fortigate 60F from my RB5009 and I'm not looking back. Very sad but I was just fed up of the IPSEC implementation in ROS. Route based IPSEC is such a charm to work with! I'm not considering putting ROS routers anywhere in the near future where I need IPSEC, no...
by azzurro
Thu Aug 24, 2023 5:27 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

as I have mostly interop inconveniences with fortigates, I can't resort to ip-ip or gre, as these often can't be hw offloaded on the smaller fortigate models, whereas IPSEC VTI can.
by azzurro
Thu Aug 24, 2023 4:32 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

wait, I never said VTI would have a higher demand/forum thread count than OpenVPN or Wireguard. We were talking about IPSEC in general, which you downplayed. Again, I do not want to accept VTI being referred to as "granting/responding to every request". That always sounds to me like people ...
by azzurro
Thu Aug 24, 2023 3:52 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

so, if IPSEC is that exotic, please tell me why there are so many threads about it and why is mikrotik working hard on supporting hw-acceleration for IPSEC wherever possible and why is mikrotik improving their ipsec implementation all the time? how do you know what types of vpn are being requested b...
by azzurro
Thu Aug 24, 2023 12:17 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

true, but dude, please don't refer to VTI as "every type of VPN" like it is some exotic thing. i don't know any other serious vendor these days who doesn't implement VTI. to be honest, mikrotiks are versatile AF and implement like every piece of whatnot but VTI of all things still doesn't ...
by azzurro
Thu Aug 24, 2023 12:06 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

the issue is interoperability with other endpoints. for example once I wanted to build gre over ipsec with a fortigate but the fortigate had a hard time and struggled with GRE, it made tons of CPU load on it, while pure IPSEC would have been hw-accelerated and lightning fast. and you can't always ju...
by azzurro
Mon Jul 10, 2023 3:38 pm
Forum: General
Topic: LTE passthrough routing question
Replies: 0
Views: 454

LTE passthrough routing question

Hi - Chateau LTE12, one interface removed from the bridge - LTE passthrough configured to that one interface - IP address and default route to my router configured on bridge to allow management of the Chateau + Internet access for the Chateau for NTP, firmware upgrades, ... Does the default route in...
by azzurro
Wed May 31, 2023 2:24 pm
Forum: General
Topic: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity
Replies: 33
Views: 9613

Re: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity

open a ticket with MT support. I had this issue with the LTE12 modem and while it was never officially confirmed, Mikrotik worked with quectel and I went through one or two modem beta firmwares and workarounds and now with the latest firmware the issue has been resolved. be aware though, that it to...
by azzurro
Sun May 28, 2023 11:29 pm
Forum: General
Topic: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity
Replies: 33
Views: 9613

Re: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity

open a ticket with MT support. I had this issue with the LTE12 modem and while it was never officially confirmed, Mikrotik worked with quectel and I went through one or two modem beta firmwares and workarounds and now with the latest firmware the issue has been resolved. be aware though, that it too...
by azzurro
Wed May 17, 2023 1:54 pm
Forum: General
Topic: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!
Replies: 6
Views: 1883

Re: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!

ok thanks for confirming that.

I don't know how Fortigate with its FortiOS is doing it but there it was working perfectly, having different phase 1 settings in this scenario.
anyways, it is what it is and I'm happy it is working now at least the way it is.
by azzurro
Wed May 17, 2023 1:36 pm
Forum: General
Topic: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!
Replies: 6
Views: 1883

Re: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!

Yes, I understand that, sorry. I thought too much of the config could be confusing since it is quite extensive. I think that should be all, regarding IPSEC. Order of which rules do you mean? Of course, I have firewall filter rules in place but they simply allow udp 500, 4500 and protocol 50 ipsec-es...
by azzurro
Wed May 17, 2023 10:27 am
Forum: General
Topic: Diagnosing LTE internet issues
Replies: 0
Views: 353

Diagnosing LTE internet issues

Hi I have a Chateau LTE12 router and since a few weeks I am experiencing weird, random and frequent issues with my internet connection like frequent packet loss, despite good signal strength and quality. My cellular provider told me that there are absolutely no issues in their network and I also do ...
by azzurro
Wed May 17, 2023 10:19 am
Forum: General
Topic: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!
Replies: 6
Views: 1883

Re: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!

I have identities, sorry for not posting them earlier. /ip/ipsec/identity peer=IKE2-Dialup auth-method=eap-radius mode-config=roadwarrior certificate=certificate-request.cer_0 generate-policy=port-strict policy-template-group=roadwarrior peer=IKE2-Dialup auth-method=pre-shared-key remote-id=fqdn:sit...
by azzurro
Mon May 15, 2023 2:22 pm
Forum: General
Topic: IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!
Replies: 6
Views: 1883

IKE2: can't agree on IKE proposal - RouterOS choosing wrong proposal!

Hi /ip/ipsec/profile name="roadwarrior" hash-algorithm=sha384 prf-algorithm=sha384 enc-algorithm=aes-256 dh-group=modp2048 lifetime=1d proposal-check=strict nat-traversal=no dpd-interval=1m dpd-maximum-failures=5 name="site1" hash-algorithm=sha384 enc-algorithm=aes-256 dh-group=m...
by azzurro
Thu May 04, 2023 6:41 pm
Forum: General
Topic: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors
Replies: 6
Views: 1404

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

by the way I ended up getting rid of aggressive mode completely and reconfigured the peers to main mode and IKE2.
by azzurro
Thu May 04, 2023 6:39 pm
Forum: General
Topic: IPsec Site to Site MSS issues edit: WAN MTU issue!
Replies: 0
Views: 630

IPsec Site to Site MSS issues edit: WAN MTU issue!

Hi I had massive issues with TCP retransmits, out of order and dup ACK via all of my site to site VPN tunnels so I created the following rules on the one router which had the issues (ether7 is wan): chain=forward action=change-mss new-mss=900 passthrough=yes tcp-flags=syn protocol=tcp in-interface=e...
by azzurro
Wed May 03, 2023 2:09 am
Forum: General
Topic: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors
Replies: 6
Views: 1404

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Ahh so is this a case of trying to stuff a square peg of current and secure RoS into a round hole of old and unsecured VPN Protocols. One could say it looks like you're up shits creek without a paddle. Hypothetically speaking of course, someone needs the powers that be to know that the other boxes...
by azzurro
Tue May 02, 2023 8:53 pm
Forum: General
Topic: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors
Replies: 6
Views: 1404

Re: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

unfortunately one doesn't always have control over all peer sites and devices. so replacing the remote devices unfortunately is not an option here. replacing the mikrotik with a different solution like pfsense, opnsense or sophos xg is an option though. however, I'd favor to achieve the goal with th...
by azzurro
Tue May 02, 2023 4:25 pm
Forum: General
Topic: VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors
Replies: 6
Views: 1404

VPN concentrator with Fortigates (dynamic and static IP), AVM FritzBox (dynamic IP) and road warriors

Hi, I'm having a hard time replacing a Fortigate firewall which is acting mainly as a VPN gateway with a RB5009. Remote peers consist of various devices, which all have different requirements: Fortigate with static IP Fortigate with dynamic IP behind NAT (NAT-T req'd) Mikrotik wAP ac LTE kit ...
by azzurro
Thu Mar 30, 2023 3:11 am
Forum: General
Topic: RB5009 IPSec Performance
Replies: 33
Views: 17746

Re: RB5009 IPSec Performance

They're saying this in the footer: - All tests are done with Xena Networks specialized test equipment (XenaBay),and done according to RFC2544 (Xena2544) - Max throughput is determined with 30+ second attempts with 0,1% packet loss tolerance in 64, 512, 1400 byte packet sizes - Test results show devi...
by azzurro
Sun Mar 26, 2023 12:27 pm
Forum: General
Topic: IKEv2 + GRE with Fortigate - GRE connects only one way?
Replies: 5
Views: 1524

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

I've enabled nat-t now on both sides but still no luck, unfortunately. Do I need any route on the Mikrotik side for 192.168.99.5/32 to go into the tunnel? Do I need a srcnat allow rule on the MT side? I have a feeling that I'm missing something on the MT side and I wasn't able to pinpoint it. Not ev...
by azzurro
Sun Mar 26, 2023 4:26 am
Forum: General
Topic: IKEv2 + GRE with Fortigate - GRE connects only one way?
Replies: 5
Views: 1524

Re: IKEv2 + GRE with Fortigate - GRE connects only one way?

Hi, what output do you mean? Also I don't know about these Cisco commands. Here's the configs though: The IPSEC tunnel is up btw, the MT just can't initiate a GRE tunnel to the Fortigate, but the other direction works just fine. I mostly want to understand why the MT can't initiate the GRE tunnel. M...
by azzurro
Sat Mar 25, 2023 4:25 am
Forum: General
Topic: IKEv2 + GRE with Fortigate - GRE connects only one way?
Replies: 5
Views: 1524

IKEv2 + GRE with Fortigate - GRE connects only one way?

Hi so I have IKEv2 + GRE working between a CHR and a Fortigate in tunnel mode and from the Fortigate I can ping the IP of the loopback bridge which was created on the Mikrotik but vice versa, from the Mikrotik I can't ping the corresponding IP of the tunnel interface of the Fortigate. Pings are allo...
by azzurro
Tue Mar 21, 2023 2:12 am
Forum: General
Topic: IPSEC Site to Site between Mikrotiks with GRE and Firewall
Replies: 0
Views: 558

IPSEC Site to Site between Mikrotiks with GRE and Firewall

Hi so I've been working in my lab on configuring a site to site IKEv2 VPN with GRE between two Mikrotiks, where both peers have static IPs, so no dynamic policies either. Also, I wanted basic NAT Router and firewall rules to be in place. I had to adapt the example from the documentation a bit and ev...
by azzurro
Sat Mar 18, 2023 4:01 am
Forum: General
Topic: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity
Replies: 33
Views: 9613

Re: Chateau 5G lte1 interface resets during speed tests or sudden burst of activity

oh boy. I have the Chateau LTE12 and only with the very latest modem firmware EG12EAPAR01A13M4G these issues (interface resets, modem crashes, LTE interruption until I reset the interface, ...) have stopped. I was hoping to upgrade to the Chateau LTE18 ax soon but now I'm in doubt if I'll maybe face...
by azzurro
Tue Feb 07, 2023 11:55 am
Forum: General
Topic: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7
Replies: 19
Views: 12326

Re: Step by Step tutorial on Enabling Dynamic VLANs using CAPsMAN and the new User Manager on ROS7

Nice writeup, thank you! It would also be interesting to see dynamic VLANs without CAPsMAN, i.e. only with one router and its integrated WiFi capabilities. I wonder how much that would differ from this tutorial.
by azzurro
Sun Jan 22, 2023 3:03 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

MT could at least let us know/update us whether it is on some kind of roadmap...

Please!
by azzurro
Tue Oct 11, 2022 7:40 pm
Forum: Forwarding Protocols
Topic: IS-IS
Replies: 172
Views: 64030

Re: IS-IS

I'd rather like to see IPSEC VTI in ROS. Shouldn't be too much of an issue since it is possible with the Kernel currently used in ROS 7...
by azzurro
Fri May 13, 2022 10:45 pm
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

See https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading .
Enable hardware offloading on the switch (Interface/Ethernet/Switch)
Disable offloading on the Internet-facing port(s) (Interface/Ethernet/Switch/Port)
Enable offloading on LAN-facing ports (Interface/Ethernet/Switch/Port)
You ...
by azzurro
Thu May 12, 2022 2:39 am
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

Thanks, makes absolutely sense. Is there a way to direct certain traffic through the CPU or the other way round to only offload traffic between certain networks or interfaces? basically any traffic that goes to the internet, doesn't really need to be offloaded, because of limited internet speed. L3H...
by azzurro
Wed May 11, 2022 5:36 pm
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

Re: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

Has anyone got an idea? Or am I completely on the wrong track, and mangle should work with L3HW enabled? I am not even sure about that.

thanks!
by azzurro
Wed May 11, 2022 12:42 pm
Forum: General
Topic: [7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]
Replies: 9
Views: 4516

[7.2.3] Connection/Routing Mark (Mangle) with L3 HW Offloading [SOLVED]

Hi Currently, with L3HW enabled on my CRS309-1G-8S+, it seems that Mangle Rules are not applied to traffic. Is there a way to make mangle rules work selectively or would I have to disable L3HW all together? The goal of my mangle rules is that I route my LAN traffic to the internet through an L7 fire...
by azzurro
Thu Apr 21, 2022 10:44 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

ok that makes sense, thanks! but you're saying it yourself in some way: who says, the CRS309 doesn't maintain one entry per WAN destination IP? something like this (where AA:BB:CC:DD:11:22 is the NAT firewall's MAC): 37.2.1.1 / 255.255.255.255 / AA:BB:CC:DD:11:22 37.2.1.2 / 255.255.255.255 / AA:BB:C...
by azzurro
Thu Apr 21, 2022 12:14 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

... and by 16K - 30K routes you mean connected (dynamic) and manual (static) routes? I don't think I'll ever hit that limit... All types of routes (type doesn't matter for HW offload engine). And the number is not that large, there's a gotcha: if there's a connected network, then every active host ...
by azzurro
Thu Apr 21, 2022 10:32 am
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

Hi, you almost have the same config as I have, except I have a trunk between my FW and my CRS309. It works extremely well in this setup, but I'm not using L3offloading on the switch. The routing is done by the FW. The biggest problem I have are the MT 10G Cu SFPs, which are getting extremely hot. I...
by azzurro
Wed Apr 20, 2022 11:57 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

you are right, CRS is not doing NAT so no need for fast-track your router firewall doing nat supports many gigabits of NAT? which device is ? ah yes, makes sense, no nat, no connection tracking :D my nat firewall is a fortigate 60D, it can do at least wirespeed NAT with its ASICs (1Gbps that is). i...
by azzurro
Wed Apr 20, 2022 11:42 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

yeah well that's the same as /ip firewall connection print count-only so I guess there's not much going on with 30-60 connections. I'd have to create firewall rules for fast-tracking, I guess? it doesn't seem those non-fast-tracked connections are bothering the CPU in any kind of way, haven't seen i...
by azzurro
Wed Apr 20, 2022 11:35 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

check if this terminal command works:
/ip firewall connection print count-only where fasttrack=yes
that shows 0.
but /ip firewall connection print count-only shows 60...
by azzurro
Wed Apr 20, 2022 11:10 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

Re: CRS309-1G-8S+IN as lab datacenter router - good idea?

nice setup As long as you consciously stay within the limits of this device, you'll be fine: 16K - 30K Routes, 4.5K Fast-track Connections, 1024 ACL Rules, and I think you must stay below 100kpps / 1gbps of traffic processed by CPU thanks! How can I check how many fast-track connections I'm currently us...
by azzurro
Wed Apr 20, 2022 6:00 pm
Forum: General
Topic: CRS309-1G-8S+IN as lab datacenter router - good idea?
Replies: 20
Views: 2695

CRS309-1G-8S+IN as lab datacenter router - good idea?

Hi I have configured my CRS309 to be my lab inter-VLAN router with L3 HW offloading. So far, everything seems to work great and I wanted to check back on your opinions as I'm not sure how good of an idea this is. All the NAT lifting, site to site VPNs and so on is done by a separate hardware, as I g...
by azzurro
Thu Apr 14, 2022 12:08 pm
Forum: General
Topic: Performance metrics for L3 HW switches outdated?
Replies: 4
Views: 1003

Re: Performance metrics for L3 HW switches outdated?

Routing metrics were done before L3HW was implemented. So those on product pages show software routing stats. Regarding hardware routing, if the traffic can be offloaded, it gets near-to-wire-speed performance on any MikroTik device that supports L3HW. Roughly, hardware routing speed = wire-speed -...
by azzurro
Thu Apr 14, 2022 3:34 am
Forum: General
Topic: Performance metrics for L3 HW switches outdated?
Replies: 4
Views: 1003

Re: Performance metrics for L3 HW switches outdated?

Hey I was just wondering, since many L3 switches like the CRS309-1G-8S+IN or the CRS326-24G-2S+RM now should support quite some L3 HW acceleration, aren't the routing metrics on the product pages now outdated? Shouldn't they reach kind of wire speed now, when routing? Of course taking into account...
by azzurro
Thu Apr 14, 2022 3:32 am
Forum: General
Topic: Route invalid after reboot [SOLVED]
Replies: 7
Views: 4229

Re: Route invalid after reboot [SOLVED]

7.3beta33 has a fix for this, I have confirmed with my device that the issue has gone away!
by azzurro
Tue Apr 12, 2022 7:38 pm
Forum: General
Topic: Route invalid after reboot [SOLVED]
Replies: 7
Views: 4229

Re: Route invalid after reboot [SOLVED]

Hello azzurro, Did you open a ticket regarding this? I think we are facing the same problem. When you configure routes they become up, but after reboot they start as inactive. Disabling and re-enabling the route made them work again (other routes are removed from output): [] > ip/route/print Flags: D ...
by azzurro
Tue Apr 12, 2022 1:18 pm
Forum: General
Topic: Performance metrics for L3 HW switches outdated?
Replies: 4
Views: 1003

Performance metrics for L3 HW switches outdated?

Hey I was just wondering, since many L3 switches like the CRS309-1G-8S+IN or the CRS326-24G-2S+RM now should support quite some L3 HW acceleration, aren't the routing metrics on the product pages now outdated? Shouldn't they reach kind of wire speed now, when routing? Of course taking into account ...
by azzurro
Tue Apr 12, 2022 12:47 pm
Forum: General
Topic: Route invalid after reboot [SOLVED]
Replies: 7
Views: 4229

Re: Route invalid after reboot [SOLVED]

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.31.62@mgmt pref-src=192.168.31.61 routing-table=mgmt suppress-hw-offload=no vrf-interface=ether5 Could you try disabling the check-gateway=ping on this route to see if it makes a difference to the route showing red on...
by azzurro
Tue Apr 12, 2022 2:43 am
Forum: General
Topic: Route invalid after reboot [SOLVED]
Replies: 7
Views: 4229

Re: Route invalid after reboot [SOLVED]

*bump*
Has nobody got an idea? I still wasn't able to solve this issue. Is this more likely a bug or more likely a misconfiguration?
is this even the way VRFs were meant to be used? basically I wanted to have a completely separated management interface, that's all...
by azzurro
Sat Apr 09, 2022 3:06 am
Forum: General
Topic: Route invalid after reboot [SOLVED]
Replies: 7
Views: 4229

Route invalid after reboot [SOLVED]

Hi, the route for the management VRF on a separated interface gets red/invalid after every reboot, making it impossible for me to manage the device unless I NAT myself in and deconfigure the narrowed down IP allow lists for all the management services. Disabling and re-enabling the route fixes it an...
by azzurro
Fri Apr 08, 2022 5:59 pm
Forum: General
Topic: Routing throughput on RB5009
Replies: 5
Views: 4073

Re: Routing throughput on RB5009

It's designed for heavy routing like through ISPs to servers etc.... If you want a lab network of devices for heavy transfer of data between devices on a network, then get a high powered switch. where I am coming from, a device called "router" can do inter-vlan-routing with wire speed. at ...
by azzurro
Fri Apr 08, 2022 5:48 pm
Forum: General
Topic: Routing throughput on RB5009
Replies: 5
Views: 4073

Re: Routing throughput on RB5009

Just not aware of any ISPs much beyond 1gig.............
I am using it for what it is advertised: The ultimate home lab router. So I have multiple VLANs and happened to have to route between two of them. Would've been nice if I had gotten 10 Gb/s.
by azzurro
Fri Apr 08, 2022 2:14 pm
Forum: General
Topic: L3 HW Offload support on RB5009 [SOLVED]
Replies: 20
Views: 12043

Re: L3 HW Offload support on RB5009 [SOLVED]

you mean once RouterOS has support for hw-offloading on the 5009? Because I wasn't able to enable L3HW on it when I tried... Yes, exactly. Once hw-offload is enabled in ROS, I would expect IPv4 unicast at a minimum to be offloaded for static routes, directly connected routes and RIP, OSPF, BGP with...
by azzurro
Fri Apr 08, 2022 10:33 am
Forum: General
Topic: L3 HW Offload support on RB5009 [SOLVED]
Replies: 20
Views: 12043

Re: L3 HW Offload support on RB5009 [SOLVED]

L3HW routing is better used for cases like inter-VLAN routing, That's what I'm trying to do here. the 10 Gb/s advertised throughput That's conditional . Are you doing full-size packets with no firewall rules and no queues? afaik, iperf is sending as large packets as possible, so yes, full-size pack...
by azzurro
Fri Apr 08, 2022 2:34 am
Forum: General
Topic: L3 HW Offload support on RB5009 [SOLVED]
Replies: 20
Views: 12043

Re: L3 HW Offload support on RB5009 [SOLVED]

it seems that I'm failing to understand the concepts. I want to let the router route (RB5009). Aren't routing decisions possible with L3 HW offloading? How are the 10 Gb/s advertised throughput achievable with a RB5009? I'm only getting around 1,5 Gb/s to around 5 Gb/s between two VLANs, depending o...
by azzurro
Fri Apr 08, 2022 2:03 am
Forum: General
Topic: Routing throughput on RB5009
Replies: 5
Views: 4073

Routing throughput on RB5009

Hi this may be related to my other post regarding the RB5009 and HW L3 offloading but I may as well be on the wrong track there, so I'm asking another question: How is the advertised throughput of around 9 Gb/s achievable on the RB5009? I have the 10 Gb interface connected to a server with two VLANs...
by azzurro
Fri Apr 08, 2022 12:53 am
Forum: General
Topic: L3 HW Offload support on RB5009 [SOLVED]
Replies: 20
Views: 12043

L3 HW Offload support on RB5009 [SOLVED]

Hi, I was wondering whether the RB5009 will get HW offloading support for L3 at some point. It is a bit funny imho, that I'm thinking about moving L3 to my CRS326 while having "The ultimate heavy-duty home lab router" just to get 10G wire speed. Well, at least that's going to save me one 1...
by azzurro
Fri Apr 08, 2022 12:25 am
Forum: General
Topic: RB5009 IPSec Performance
Replies: 33
Views: 17746

Re: RB5009 IPSec Performance

I did some tests with 7.1.1 and achieved more than 800 Mbit/s with pretty high encryption algorithms.
https://sleepytechbloke.wordpress.com/2 ... g-support/
by azzurro
Fri Feb 18, 2022 4:59 pm
Forum: General
Topic: Establish a routed IPSec tunnel between an EdgeRouter an Mikrotik [SOLVED]
Replies: 5
Views: 2302

Re: Establish a routed IPSec tunnel between an EdgeRouter an Mikrotik [SOLVED]

Hi @azzurro, Thank you for your contribution. For our purpose, since we'll be using ospf, we will need a tunneled interface with IP's on each side of the tunnel for the routers to communicate. What would be the correct configuration for such a set up? Hi in that case you'll have to go with GRE over...
by azzurro
Fri Feb 18, 2022 2:24 am
Forum: General
Topic: Feature request: Support HAproxy "PROXY" protocol
Replies: 2
Views: 1302

Feature request: Support HAproxy "PROXY" protocol

Hi this may be very specific but I think it may be useful when dealing with reverse proxies. I would like to see MikroTiks to support the PROXY protocol of HAproxy (which is a popular open source reverse proxy): https://github.com/haproxy/haproxy/blob/master/doc/proxy-protocol.txt The proxy protocol...
by azzurro
Thu Feb 17, 2022 12:29 am
Forum: General
Topic: Chateau LTE12 in passthrough mode + internet access for itself
Replies: 7
Views: 2284

Re: Chateau LTE12 in passthrough mode + internet access for itself

What I would do is configure VLANs on the interfaces connecting the Router and the LTE device... Those VLAN interfaces would be used for management purposes of the LTE and for communication with the Router. Then I would use the interface ( not the VLAN one ) for the passthrough. You will also need...
by azzurro
Wed Feb 16, 2022 11:59 pm
Forum: General
Topic: Chateau LTE12 in passthrough mode + internet access for itself
Replies: 7
Views: 2284

Chateau LTE12 in passthrough mode + internet access for itself

Hi, I've just now replaced some generic Huawei LTE router with the Chateau LTE12 and configured it for passthrough mode. For management, I have removed ether5 from the bridge and assigned an IP address to it. ether5 is connected to my hardware firewall to a DMZ interface so that there is no way for ...
by azzurro
Wed Feb 16, 2022 11:51 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

OK, thanks, people! If this ever occurs again, I'll know what to try.
by azzurro
Wed Feb 16, 2022 11:50 pm
Forum: General
Topic: Establish a routed IPSec tunnel between an EdgeRouter an Mikrotik [SOLVED]
Replies: 5
Views: 2302

Re: Establish a routed IPSec tunnel between an EdgeRouter an Mikrotik [SOLVED]

Hi I have written two blog posts exactly about this topic and I believe you should find there what you're looking for. https://sleepytechbloke.wordpress.com/2022/01/30/mikrotik-ipsec-vpn-vendor-interoperability/ https://sleepytechbloke.wordpress.com/2022/01/31/ipsec-site-to-site-vpn-between-fortigat...
by azzurro
Wed Feb 16, 2022 11:44 pm
Forum: General
Topic: When to use GRE tunnel with IPSec in 2022
Replies: 4
Views: 4652

Re: When to use GRE tunnel with IPSec in 2022

if you need interfaces, you want to go with IPIP or GRE or something like that. e.g. if you want to use OSPF.
by azzurro
Tue Feb 15, 2022 9:20 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

Exactly...
So the reset and restore had nothing to do with fixing the problem or not...
Does everything still work if you, let's say, reboot both devices?
I did not reset nor restore! That you must have misinterpreted.
I still have to try the reboot (and will do).
by azzurro
Tue Feb 15, 2022 9:09 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

If I read correctly, your problem was "fixed" as soon as you applied the config again and before the Reset/Restore procedure... So there must be something else... It was fixed when I disabled - bridge fast-forward - allow fast path - hw offload on the affected interfaces (server uplink an...
by azzurro
Tue Feb 15, 2022 8:45 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

Backup creates a binary blob, possibly taking corrupt binary config. So it's not clear if reset/restore would clear this kind of problem.
What about (verbose) export? I guess that should work...
by azzurro
Tue Feb 15, 2022 3:09 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

There have been some (rare) cases where correct setup didn't work as expected. Reboot did not help. Re-doing the same config again made things work. So it seems that sometimes some wrong configuration lingers somewhere and after re-doing the same config it finally gets overwritten. I'd attribute yo...
by azzurro
Tue Feb 15, 2022 12:18 pm
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

Update: now things are getting spooky. I have set all settings back to their original state, when things weren't working as expected, but now everything still works. ARP messages are getting delivered properly and now even in /interface/ethernet/switch/host/print the ARP entries in question are shown...
by azzurro
Tue Feb 15, 2022 11:32 am
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Re: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

Hi, thanks for your response! Out of curiosity I now disabled the following things: - bridge fast-forward - allow fast path - hw offload on the affected interfaces (server uplink and firewall uplink where the ARP traffic should come from/go to) - limit broadcasts on the affected interfaces. Now the is...
by azzurro
Tue Feb 15, 2022 3:01 am
Forum: General
Topic: Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]
Replies: 14
Views: 2320

Possible ARP issue with VLANs on CRS326-24G-2S+RM @6.48.6 [SOLVED]

Hi, I am on current long-term 6.48.6 with this switch and I have a weird ARP issue in combination with VLANs. VLANs are configured on the bridge, all tagged, only L2 (switching), no interfaces apart from management, no routing. On one of the switchports, I have directly(!) connected a Fortigate 60D f...
by azzurro
Fri Feb 04, 2022 1:49 am
Forum: General
Topic: ROS 7 VRF PPP/L2TP/SSTP servers
Replies: 0
Views: 1013

ROS 7 VRF PPP/L2TP/SSTP servers

Hi, PPTP/L2TP/SSTP servers and more don't seem to be listening on anything other than the main VRF. I just wanted to build an SSTP server within a separated VRF where it has interfaces and routes towards WAN and LAN through another L7 firewall, but failed because the SSTP server just wasn't listening ...
by azzurro
Sun Jan 30, 2022 7:49 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

I recommend you with any vendor to only look at what they offer TODAY and not at what is being demanded in the forums or even what is being promised by the vendor. It does not matter what is being asked for, there is always something else on demand. That's what I'm doing. MikroTik have paid attenti...
by azzurro
Sun Jan 30, 2022 3:40 pm
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

The lack of VTI support is a major showstopper and we would have the opportunity for hundreds of customers buying MikroTik, but now they have to go to Cisco or Fortinet. Are you sure that when VTI is implemented, you will not come back with "VTI is nice, now we need to have NHRP"? Yes, be...
by azzurro
Sun Jan 30, 2022 4:08 am
Forum: General
Topic: Hub and Spoke VPN - Routing confusion [SOLVED]
Replies: 2
Views: 1676

Re: Hub and Spoke VPN - Routing confusion [SOLVED]

Yes, thanks! Major bummer that MikroTik still hasn't implemented that.
by azzurro
Sun Jan 30, 2022 4:02 am
Forum: General
Topic: IPSec VTI
Replies: 62
Views: 26579

Re: IPSec VTI

It's natural, new things are invented, they are useful, competitors have them, people see it there and want them too, it will never end. It's not possible to add everything, but once something evolves into "everyone else has it", you can't ignore it forever. Yes, but VTI is not "every...
by azzurro
Sun Jan 30, 2022 3:56 am
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 167
Views: 51327

Re: Feature Request: IPSEC Improvements

+1 for VTI!
On Fortigates I've been doing that for 10 years!
I gotta return my hEX and RB5009 as they can't interoperate with my Fortigates which are doing VTI. And even if they could, not having tunnel interfaces when connected to my Fortigates is a huge PITA, due to routing.
by azzurro
Sun Jan 30, 2022 1:23 am
Forum: General
Topic: Hub and Spoke VPN - Routing confusion [SOLVED]
Replies: 2
Views: 1676

Hub and Spoke VPN - Routing confusion [SOLVED]

Hi, first of all, I'm coming from the Fortigate world and so I am a newcomer to MikroTiks. Recently a VPN scenario with Hub and Spoke topology (all branch offices are connected to the headquarters and they all communicate with each other through the headquarters) gave me headaches with the MikroTiks. W...
by azzurro
Fri Jan 28, 2022 2:42 am
Forum: General
Topic: How fast should IPSEC be with hEX and iperf3?
Replies: 1
Views: 775

Re: How fast should IPSEC be with hEX and iperf3?

Turns out, I am a complete moron. I had a 100 Mbit connection between the two endpoints because the cable I used apparently wasn't capable of Gbit. Best thing is that I knew that and wanted to swap it out later. Well, I guess I had forgotten about that. lol. Anyway, now I get around 310 Mbit/s with...
by azzurro
Fri Jan 28, 2022 2:04 am
Forum: General
Topic: How fast should IPSEC be with hEX and iperf3?
Replies: 1
Views: 775

How fast should IPSEC be with hEX and iperf3?

Hi, how much bandwidth am I supposed to get through a hEX (RB750Gr3)? I currently only get around 100 Mbit/s with iperf3, 1-4 parallel streams, no additional parameters, no difference if 1 or 4 streams. My IPSEC site-to-site connection has the following properties: IKEv2 AES256-CBC SHA256 MODP2048 V...
by azzurro
Sun Jan 23, 2022 1:26 am
Forum: Useful user articles
Topic: Using MikroTik router as SSTP server for Windows Always On
Replies: 1
Views: 10658

Using MikroTik router as SSTP server for Windows Always On

Hi, I have written an article about how to use your MikroTik router as an SSTP VPN server for Windows Always On VPN clients. The guide incorporates a dedicated hardware firewall to lift the weight of firewalling off the MikroTik router so it can do its single-purpose thing (in this scenario). https://...
by azzurro
Fri Jan 21, 2022 11:53 am
Forum: General
Topic: SSTP server default route in VRF
Replies: 0
Views: 2384

SSTP server default route in VRF

Hi! I would like my SSTP server to be in a separate VRF. The current issue is that during the connection process, packets get sent to the client through the default route of the main routing table, but the VRF which is supposed to be there for the SSTP clients has a separate default route. Is that poss...