MikroTik

cyayon

Hi,

Since the upgrade to 7.15.3 on a CRS-305 my SFP S+RJ10 is flapping (auto-neg 2.5G).
With the previous firmware 7.13.5, no issue.

cyayon

Here the script which is scheduled every minutes. It's far from perfect but it worked. I do not use my CCR2116 for dual-wan/failover, I moved my wan2 on another router (pure linux). Do not hesitate to purpose enhancements and corrections. # check wan # # use this with netwatch or scheduler # prefer ...

cyayon

It would be great to be able to ping from interface (like on Linux ping -I …). We can also use a dhcp client script which update Netwatch sec-address (if wan address is not fixed). Another enhancement would be to be able to ping multiple IP before declaring wan interface down, like nested recursive ...

cyayon

let me try to reformulate my question.

If I enable L3HW, will my firewall rules be bypassed ?

Also, there is an ipv6 HW option in switch>switch>L3 HW settings>IPv6 HW
does this params have an effect on defined ipv6 firewall rules ?

thanks

cyayon

Hi,

I think using mangle mark packet is no more necessary since recent version of ROS.
Netwatch is able to define a src-address, then simply use it to ping from the DSL interface.
Moreover, I think that using mangle/mark can cause issue with fasttrack firewall rules.

cyayon

Hi thanks for your answer.
On a firewall device (which is my case), is it a mistake to enable it ?

cyayon

Hi, I am currently doing some summer cleaning on my configs. I have found that on my CCR2116 (internet router/firewall), that the L3HW is disabled on switch level but enable on switch port level. Is there any mistake to enable on both level (switch and switch port) ? The CCR2116 (7.13.5) is connecte...

cyayon

Hi, thanks for your answer. The CCR2116 is generating the request, in particular DHCP-client to authenticate to ISP. I am aware that I could use mangle rules, at least on DHCP ipv6 requests. But not on DHCP ipv4. Moreover, it could be cleaner to be able to use directly switch rules or even better an...

cyayon

Hi, My ISP (Orange France) require that ICMP and DHCP (clients) requests marked COS 6 and DSCP 6. Currently, I am using another switch (CRS310) with the GPON SFP and some switch rules on it, because switch rules only work with input requests (not output). Today (with 7.15), is it possible to use swi...

cyayon

Yes of course

cyayon

Ok.
I moved these SFP to a CRS310 and I have no more issues.
Some people also used CRS328 with success.
The issue seems to be only related to CRS305.

cyayon

Hi,

It seems that the last 7.15 beta is better.
Did you tried ?

cyayon

Hi,
just upgraded CRS328-24P-4S+ from 7.10.2 -> 7.12.1 -> 7.13.2 (packages and routerboard firmware), and got this error message in logs :

Failed to upgrade poe FW on , diag code 80/328

Is this normal ?

thanks

cyayon

And there is still nothing in 7.13.2 about the issue on RB5009UPr+S+ of the random reboot ?
Code: Select all
 2024-01-14 06:18:50 system,error,critical router rebooted without proper shutdown, probably power outage 

Hi, is there always random reboot with 7.13.1 ? did you also test 7.13.2 ?

thanks.

cyayon

Does the last 7.13.1 fix the reboot and/or memory leak issues ?

thanks.

cyayon

Thanks.
I would like your opinion about the concept.
Script instead of recursive route.

I am pretty sure that the algo works because i am using it on a pure linux router.
But it could be a bad idea on ROS… and prefer recursive route for some reasons.

Thanks for your comments.

cyayon

Hi, Very cool script ! Thanks ! I am currently using nested recursive routing to check ISP health. I am really dubitative if only one check (not nested) is sufficient in real life to check ISP health. I have currently 3 nested recursive route, It is perhaps too much… I am looking to replace my recur...

cyayon

ok, I saw, it is only on 7.11 (beta).
But even with src-address param, we cannot use multiple ip to check.
If the single defined ip is down, mkt will consider wan interface as down. I prefer to have multiple...

cyayon

with more recent V7 you can now at least use src-address now for netwatch, i have yet to lab this as well just like you I also use recursive routing for WAN monitoring

Hello,
sorry, but I do not see src-address for netwatch ... (ROS 7.10.2)

cyayon

Hello, I would like to know if it possible to replace recursive routing with netwatch or a script ? I already tried this in the past but without success. I have 2 WAN connections in failover mode and use recursive routing to monitor main WAN. It works as expected but it is a little bit complicated (...

cyayon

Thanks ! I thank it was a good practice to begin mangle with the following 2 rules to skip already established. /ip firewall mangle add action=accept chain=prerouting comment="nomark related" connection-mark=no-mark connection-state=established,related /ip firewall mangle add action=accept...

cyayon

Because i choose to differentiate traffic by whether it has been marked by the router or not. I have not thought of using new for example, but I stick with what I know works. There may be certain situations where new may not............ but I dont have the level of knowledge to state with any certa...

cyayon

If you are talking from external to access router you need to mangle. { First we need to identify traffic coming into the router } add chain=prerouting action=mark-connection connection-mark=no-mark passthrough=yes \ in-interface=ether1 new-connection-mark=viaISP1 add chain=prerouting action=mark-c...

cyayon

Ok, here are my updated rules. For memory, I am trying to achieve these goals : -For outbound (lan to internet) use wan1 (main) and wan2 ONLY if wan1 is down (check wan1 with recursive routing…) -For inbound (internet to lan), wan1 and wan2 could be used from internet. I self-host some services… fir...

cyayon

Thanks.

The output rules i have are for handle traffic of the router itself.
I edited my last post with new mangles rules. Did you see them and what do you think about ?

Thanks.

cyayon

Thanks for your answer. 1. YES (but I don't know if it a good pratice) 2. in the last version, I removed the input mangle rules and it works (but I think this not optimized) 3. I do not understand everything, could you please give me a small example ? 4. for a moment, I thank I made a real mistake i...

cyayon

Ok, I finally managed to made it work with the following rules and fasttrack additional condition : connection-mark=no-mark. /ip firewall mangle add action=mark-routing chain=prerouting connection-mark=conn-wan1 in-interface-list=!WAN new-routing-mark=route-wan1 passthrough=yes /ip firewall mangle a...

cyayon

Hi, Many thanks Sindy for your answer. I thank I was using mangle rules right, but as an evidence, it is not... My issue is for inbound packets from internet via WAN2 (when WAN1 is NOT down). I do not understand where I made a mistake : vlan832-orange1 is wan1 ether2.wan2 is wan2 interface-list WAN ...

cyayon

Hi, Nobody have an idea for this issue ? No answer from the support :( Just an idea, could it be related to fasttrack ? I read somewhere that Fasttrack and mangle dual-wan are incompatible, is it a mistake ? If fasttrack is the issue, is there a workaround to keep fasttrack only for some packets of ...

cyayon

Thanks.

As i understand, switch ACL are only for inbound traffic, not outbound (my case).

cyayon

Thanks.

Do i need to enable on the switch ?

/interface/ethernet/switch/set l3-hw-offloading=yes

Does my current switch rules will work or do i need to rewrite them ?

thanks

cyayon

Hi,
I am in the same boat. Did you manage to apply ACL rules to change COS of you DHCP client requests ?

thanks.

cyayon

Hello,

Here is the config. I just removed some sensitive informations.

thanks.

cyayon

Hello, I do not change this params from default (upgraded to 7.10.2). Switch > Switch1 > L3HW Offloading is DISABLED Switch > Port > sfpX (wan port) > L3HW Offloading is ENABLED (i tried to disable but the web interface give an error for Storm Rate which is to 10000% per default). /interface/etherne...

cyayon

Hello, I don't know if it related or not. Sorry if i made a mistake to post here. I am currently using switch rules on a CRS305 in front of CCR2116 tp change COS on DHCP (ipv6 ipv4) requests. These DHCP requests with COS 6 are a requirement to authenticate to my ISP. I decided to remove the CRS305 a...

cyayon

Hi,

Nobody with this strange issue ?
Thanks

cyayon

Hi, I encounter a strange issue with an GPON-ONU-34-20BI inside a CRS305. In the last month, the SFP fail, show a TX=-40dB on the SFP information page of RouterOS. I had to disable / enable the SFP port to retrieve a connection. The issue appears on different versions of ROS from 7.7 to 7.9.2. No lo...

cyayon

Ok, need a script to find addresses to use from DHCP client (used to authenticate to ISP).
Thanks.

cyayon

Thanks, but majority of clients use stateless configuration. In this case, there is no specific option to define on the client side.

cyayon

Hi,

Is it possible to assign a specific subnet from the pool ?
Instead of increment +1 I would like to assign directly the 42th subnet from the pool.
Is there a trick ?

Thanks

cyayon

Hi, I encounter a strange issue today. I had a failure on my primary link and another failure on my dynamic ip update script for my secondary link... When the primary link came back, i tested my secondary link input rules and routes (when my 2 links are up and running). A simple curl from an interne...

cyayon

Hi, I encounter a strange issue today. I had a failure on my primary link and another failure on my dynamic ip update script for my secondary link... When the primary link came back, i tested my secondary link input rules and routes (when my 2 links are up and running). A simple curl from an interne...

cyayon

Thanks

cyayon

Hi,

i do not understand this, someone could explain please ?

*) bridge - prevent bridging the VLAN interface created on the same bridge;

cyayon

Hello, I made 2 tcpdump traces on the server itself, not the CCR. Here are the files : - lte.txt : 2 failed requests from phone when connected on LTE network (ipv6 only with NAT64/DNS64) - wifi.txt : 1 success request from phone when connected on a Wifi network (ipv4) Except differents MSS first req...

cyayon

Hi all, I have an issue in some strange geographic situations. My mobile operator (in France) use ipv6 only tunnels/NAT64/DNS64 to ipv4 services. My mobile (iPhone) have only an ipv6 public address and in some locations I am unable to contact my ipv4 only services which are hosted behind a CCR2116 w...

cyayon

Hi,

Does the 7.10.1 contain fix for DNS issue ?
If not, do you plan to release a 7.10.2 or should we waiting for 7.11 ?

Thanks.

cyayon

lot of fixes in this release, hope to have a better QA than previous release...

cyayon

There are no major changes in firewall.

Thanks.
Do you plan to release a 7.10.1 to resolve DNS static issues ?

cyayon

Anyone who has upgraded to 7.10 and encounters DNS crashes, can try using the following code to disable the dns-to-address-list configuration first: /ip dns static set [find where address-list!=""] address-list="" It is known that version 7.10, due to the addition of endpoint-in...

cyayon

Thanks for the video.
I will partition my CCR 2116 for sure.

Is there lot of people whose are using partitions here ?

It is regrettable that we can not partition CRS devices (305 and 328 in my case)… is there any workaround ?

cyayon

Is it a recommended best practice or downgrade a unique part is sufficient ?
Do you partition your CCRs ?

cyayon

Thanks !

cyayon

Thanks, I will lost nothing (config and system) when going from 1 to 2 partions ?
My current part 1 (or 0) will not be lost when creating (system and copy config) to the second new.

Thanks.

cyayon

Many thanks for your complete answer !
Just a last question/confirmation, when partitioning from 1 to 2 partitions, I will NOT loose any configuration ?
Just create partition, copy config to the new, activate to test, reboot, reactivate the old, reboot.
Thanks

cyayon

Hi, I have 3 Mikrotik devices : CCR2116, CRS328 Poe and CRS305. I have read some threads about partitioning to be able to upgrade / rollback easier. CCR2116 current single partition usage is about 30MB, there is 95MB free (128MB total). CRS 305 and 328 there is only less than 2MB free ! (total 16MB)...

cyayon

I have upgraded my routers from 7.7 to 7.9 everything is running OK. The issue with L3-HW is still not resolved. The ticket is open since january. We wait... I have noticed that on the 4011 the CPU is now set to auto and its speed is dynamic. Maybe to reduce heat? Hi, What is the issue with l3-hw p...

cyayon

Hi,

Some users have bad performances with ipv4 and enabled bridge filters actives.
In previous versions (7.7 and 7.8) there was no issue. Since 7.9 (stable) ipv4 bandwith is lower for about 35%.

Anyone else ?

cyayon

Thanks. I think that CCR and RB5009 have different issues. Hope that v7.9 will finally made this SFP work as expected.

cyayon

Thanks.
As i know, this GPON have different issue on CCR. Than are going crazy and PSU switch to fail mode.
I am not sure, but i think that the GPON was working correctly on rb5009 but with v7.7. The v7.8 introduced a regression.

Did you try the GPON without the modification on v7.7 ?

cyayon

excessive quotation removal

Hi,
What GPON module do you use and what was the issue please ?
I am using a GPON SFP from FS.com for a French ISP (Orange) and have to keep it in a CRS305 to workaround compatibility issue with CCR.
Does the 7.9 firmware work better for you ?
Thanks ?

cyayon

Hi,
The gpon sfp module FS GPON-ONU-34-20BI is correctly detected and seems to work properly on CRS-305 with ROS 7.8.

cyayon

Ok i understand. Many many thanks for your time and precious help.
I wish you an happy new year !

See you next year

cyayon

ok, i have added all these rules : /routing rule add src-address=80.11.60.214 action=lookup table=route-wan1 add src-address=192.168.6.254 action=lookup table=route-wan2 add dst-address=192.168.0.0/16 action=lookup table=main but, it didn't work. no ping from lan (192.168.0.0/16 match) to WAN1_IP. a...

cyayon

i just applied everything. first problem : i cannot ping from the router itself and from LAN devices my 2 external public IP addresses given by my ISPs (from wan1 and wan2). I think it is a routing issue, my firewall rules drop ICMP : DROP input: in:wan2 out:(unknown 0), connection-mark:conn-wan2 co...

cyayon

Thanks. I understood

cyayon

Ok, many thanks again.

In conclusion only one default gateway route with no distance param in each route table != main.
Rp_filter = no->loose

Thanks !

cyayon

Ok i removed check-gateway and it worked. Are you sure that there is no need for this route to be recursive because in Anav guide and milkrotik help site, these exist and are recursive. If it is not necessary, I suppose I could also keep only one (the first) table=route_ISP1 distance=3 ? Do i need t...

cyayon

Thanks ! I didn’t understand what you say about this /ip routing rule ———- is it necessary ???? ————— routing-mark=ISP1_route action=lookup table=main routing-mark=ISP2_route action=lookup table=main —————————————————- And if i do this add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=...

cyayon

Thanks. ip routing table add name=ISP1_route fib add name=ISP2_route fib /ip route add check=gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.0.0.1 scope=10 target-scope=12 table=main add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=PrimaryISP-gatewayIP scope=10 target-scope=12...

cyayon

Yes my LTE have an external address. It is not fixed. But the Mikrotik will connected to the LTE router which have a fixed address (not a bridge). On my current router (a custom Archlinux based), I have only mangle prerouting rules and routing rules and it works. For the Mikrotik, If i put anything ...

cyayon

Ok thanks.

If I need inbound connections from internet via ISP1 and ISP2, do
I need firewall mangling rules ? For rouie and conn marking.
If yes, prerouting only I suppose, not output ?

Thanks.

cyayon

Hello,

Did you try again with ROS 7 ?

cyayon

Thé configs you post here seems to work as expected. Many thanks for that !!! I do not understand why the config in the official guide https://help.mikrotik.com/docs/pages/viewpage.action?pageId=26476608 do not work at all. I followed it and gateways were flapping ok/ko every 2 or 3 minutes. What am...

cyayon

Thanks !
I Will test tomorrow…

cyayon

Many thanks to both.

I do not really understand why nested is better (or not) than the flat ?

Nested seems more readable, but is it more efficient ?

cyayon

Ok, Just to be sure... With my gateways and context : The nested following version : /ip route add dst-address=0.0.0.0/0 gateway=10.10.10.10 scope=10 target-scope=14 add check-gateway=ping dst-address=10.10.10.10/32 gateway=8.8.8.8 scope=10 target-scope=13 add dst-address=8.8.8.8/32 gateway=80.11.60...

cyayon

Many thanks for your answer ! I will test and keep you informed Just a last questions :) When wan1 go down, the failover link wan2 will take over. But, will I be able to join 8.8.8.8, 1.1.1.1. And 9.9.9.9 from wan2 ? If not, i will have to choose others ip addresses … What does check-gateway arp and...

cyayon

Thanks,

i understand.

instead of using dhcpv6 statefull, i will try to use firewall dstnat based on mac address to redirect traffic to the good DNS.

cyayon

Ok, i think i understand. in this implementation, if i understand correctly everything is fine : /ip route add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scope=12 add distance=3 dst-address=1.1.1.1/32 gateway=80.11.60.1 scope=10 target-scope=11 add check-gate...

cyayon

I will post here my last export. As soon as i have access later today… Could you please confirm that it is better to do this : dst-address=0.0.0.0/0 -> scope=30 dst-address=x.x.x.x/32 -> distance=3 /ip route add check-gateway=ping distance=3 dst-address=0.0.0.0/0 gateway=1.1.1.1 scope=30 target-scop...

cyayon

When i enable only ND on ROS (no dhcp-server), and enable dnsmasq, client devoces, never get anything from dnsmasq. Only ND seems to configure devices.

cyayon

Hi,
Many thanks for your answer.

Do I have to check-gateway ping the failover wan too ?

Just to make sure, could you please my implementation ?

Thanks !

cyayon

Thanks

But how to mix the two ?
Using Ros to do stateless ND and use dnsmasq for statefull ?

cyayon

Hi, In dhcp-server v4, i have some device (identified via mac-address) which have specific DNS server for parental control or ad-block. In dhcp-server v6, i would like to do the same. I know that it is not possible with stateless / slaac config. I need statefull config. Today i do it with dnsmasq an...

cyayon

Hi, i have removed all mangle firewall rules, removed all default gateway and disabled on dhcp-client add-default-route (ISP1). Then i executed the following (80.11.60.1 is main default route ISP1/dhcp and 192.168.6.1 is LTE failover router) : /ip route add check-gateway=ping distance=3 dst-address=...

cyayon

Thanks, Before configuring something more advanced i am trying to check something simple. I have followed recursive routing doc before (not is this export), but it didn’t work at all. The routes were flapping ok/KO every 2 or 3 minutes. After that I was going to do failover with a script as a workar...

cyayon

Hi,

thanks for your answer.

here an export.

how to define a routing-table with ping command on ROS ?

cyayon

Just a suggestion for investigation, as I could only test part of it on a remote device I cannot afford to tamper with too much. If you specify an interface as a parameter of the ping command, RouterOS doesn't look for the best route out of those whose gateway interface is the specified one, but it...

cyayon

Hi, I am going to be crazy with this issue. I have 2 wan : WAN1 primary : dhcp-client inside a bridge (to do bridge-filters and modifying COS, required by ISP) WAN2 secondary : standard interface to a tier router WAN1 default route distance is 1 WAN2 default route distance is 2 /ping address=8.8.8.8...

cyayon

Hi,

Same issue here.
First primary link is direct DHCP and secondary is LTE via a dedicated router.
I do not understand why it is declared as faulty and recovered every two or three minutes.

I am on a CCR 2004 ROS 7.6.

cyayon

Hello,

Do you know if it possible to define statically ipv6 static address using dhcp server on ROS (7.6 on CCR2004) ?
I would like to attribute a fixed ipv6 address to some device from their MAC address (like ipv4 dhcp server leases).

Thanks

Search found 92 matches