MikroTik

paolopoz

We finally managed to fix it!
By simply exchanging the network driver of the VM from e1000 to vmxnet3 the problem was gone. Finally.

paolopoz

mine is solved too.... I tried a lot playing with the mtu and finally I ended up adding the ether interface in a bridge and now it works in less than 1 second

Thank you for your feedback. Did you change something in bridge configuration about MTU or did you leave it as default?

paolopoz

Hello, now that 6.49 is out and Delegated-IPv6-Prefix works as intended for PPPoE clients, I want to go ahead and provide IPv6 to our customers. To make things right I want to follow the often cited RIPE BCOP: https://www.ripe.net/publications/docs/ripe-690 Following the previous document I need to ...

paolopoz

I am trying the same setup on 6.48.3 and the bug is still there.
Does the workaround provided by @hlaaluu really works?

Anyway I see that in latest 6.49 beta the bug is fixed. Let's wait for a stable release.

paolopoz

@MyThoughts: Thanks for confirming the problem and for sharing your workaround. After your experience I suppose the client is to blame.

@nje431: I checked the MTU along the whole path from server to client and back, seems fine to me so I assume mine is a different problem.

paolopoz

@nikc: We did not upgrade the client with the automatic procedure, we downloaded the installer and run with admin rights.

@KayBur: tried reinstalling but nothing changes.

I confirm that a workaround is to click compulsively on Connect button, after a few seconds the connection is established.

paolopoz

Hello, after upgrading The Dude server from 6.45.8 to 6.47.10 we keep having problems of clients that are unable to load, they stay in "getting stuff" indefinitely and just a few kbs are flowing. Obviously we updated all the clients manually with the corresponding version. Sometimes we are...

paolopoz

@mkx: it's an upstream on MikroTik side, sorry, I forgot to mention. I already tried to contact that specific ISP but to no avail.

@nescafe2002: thanks for pointing out. I don't want them to disable IPv6, instead there may be some users IPv6-only not reaching the forum.

paolopoz

As the title says. A few days back we had problems accessing the forum in IPv6 because one of the upstream providers had extreme RTT so the requests timed out. Now we get a connection reset when trying to access it. Anyone else experiencing it? I had to disable IPv6 in order to access and post this....

paolopoz

I got a CCR1072 with a SFP+ that since yesterday started incrementing Tx FCS Error counter.
I looked around but all I can find is about FCS from bad cables which I suppose would be in Rx.

Question is: do someone know where Tx FCS Errors are from, what can cause them?

paolopoz

Hello all! I work in a team and I am responsible for transitioning from using everybody a single password for all the routers to managing access with different groups and RADIUS login. Most of us use the Dude and especially the feature of Tools > Winbox into the devices. It would be nice to use this...

paolopoz

No, it's totally blank.
I am using the default configuration.
Also, the wiki says that on RB2011 it's not possible to change the LEDs behaviour.

paolopoz

I have this old RB2011L-IN which I just changed the power supply because the previous one was dead. I reset it and upgraded it to the last version (6.43.13), checked all ports and found that when I connect ether5 the USR LED starts blinking the same way as the traffic LED of ether5. This happens onl...

paolopoz

Hi, i am trying to do basically the same thing but not working. I have 2 routerboards. Server RB1100AHx2 - vpn server Remote site RBSXTR - 3G router Connected via VPN and connection between is OK. But now i have device behind remote router and i can not access it. What was the solution that you had...

paolopoz

Hello all! Since today I stubmled upon a problem with Winbox 3.14: every time I try to connect to a host beyond NAT, the application get stuck saying "Downloading descriptors" and then it crashes. This happens also on another PC on my LAN with winbox 3.14. If I try with version 3.13 everyt...

paolopoz

I doubt this can be caused by some device on the local network, however you test this hypothesis by unplugging the LAN and let the router plugged only to the WAN. Another thing that I suggest to check is the source IP address of the server-ip-mismatch. Is it the one you configured? Maybe those wrong...

paolopoz

I think it's a matter of packet replies, or better: outgoing packets from router.
I am stuck because I can't think of a method to send the packets directly to the gateway from the bridge...
I will ponder about it but if anybody has other proposals they are welcome

paolopoz

I'm sorry, my fault. dst-nat is right.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address=WANIPOFCUSTOMER dst-port=8291 protocol=tcp src-address=WANIPOFYOUROFFICE to-addresses=192.168.199.1(bridge IP)

And of course modify the firewall filter rules accordingly, input chain.

paolopoz

You should DST-NAT.
You have to change from the public IP of the customer router to the out of scope IP assigned to the bridge. Make sure to also check the return path.

paolopoz

/interface l2tp-client monitor VPN1 once do={ :if ($"status"!="connected") do={ /interface l2tp-client set VPN2 disabled=no /interface l2tp-client set VPN1 disabled=yes /delay 20 /interface l2tp-client monitor VPN2 once do={ :if ($"status"!="connected") do={ ...

paolopoz

This way you are monitoring VPN2 only if VPN1 is connected, is that right?

I am setting up a lab, then I let you know.

paolopoz

Just troubleshooting a script on another topic:
viewtopic.php?f=2&t=129716

Maybe we can join forces

paolopoz

Where do these devices come from? Is it possible they were customised by the reseller?

paolopoz

This: /ip firewall nat add action=masquerade chain=srcnat Should be more specific, for example add the out-interface otherwise it will NAT everything. You can also put more specific rules before the masquerade, so you are sure the latter will not interfere. To better understand this situations I fin...

paolopoz

I'm sorry, I wrongly assumed that you are also the ISP, so you would be able to add another network on top of the WAN access. You can surely put an IP address in the bridge interface without it being cause of any problem, unless you put the same IP used in that network segment. According to https://...

paolopoz

Matching criteria inside the NAT rule.
You know: src-address, dst-address, protocol, etc.

paolopoz

Does the packet counter for src-nat rule increment?
If you want to mark packets then you can bind to that packet mark for the src-nat to work.

paolopoz

I had similar issues with SFP on a CCR1072.
Have you tried to disable and then enable the affected ports?
For me it worked.

paolopoz

You just put another rule under the dst-nat, this time with src-nat.
You then need to match the packets you already dst-natted.
A rule could be something like this:

/ip firewall nat
add action=src-nat chain=srcnat dst-port=6060 protocol=tcp dst-addresses=192.168.10.102 to-address=192.168.77.1

paolopoz

Can't you just add a management IP address to the bridge and then point to it?

paolopoz

Check on System > Scheduler if there is any script running at startup, then disable it.

If you are trying to reset the device remember to

system  reset-configuration  no-defaults=yes

paolopoz

NVR needs to know where to send the reply packet, so the router on remote site it should have the gateway through the VPN.
If you cannot do this, you can workaround by src-nat the packet with an IP from the local router (e.g. 192.168.77.1) which is reachable from the NVR.

paolopoz

Are you using these lines

VPN Interface 1

also into the script or are the commented?

The message "terminating... - administrator request" seems to refer to a VPN that is not working for some kind of misconfiguration.

paolopoz

Did you find this rule preconfigured in some router? What version?
What problem are you encountering with this?

paolopoz

Netwatch should work also through a VPN. Are you checking an IP which is reachable only via VPN? Please also consider that the ping is generated from the router itself, so NAT and route rules should be consistent. You can also monitor the status of the VPN with a script and then schedule it to run p...

paolopoz

https://wiki.mikrotik.com/wiki/Manual:L ... e_drive.3F
https://wiki.mikrotik.com/wiki/Manual:Replacement_Key

paolopoz

Are you sure that other IPs are free?
If you want to be sure that the cause of connection not working is the (lack of) IP address assigned, then you should check on the client device.
Usually dhcp-server assign the IPs starting from the highest one (in your case from 200 to 10).

paolopoz

Thanks pe1chl, this is of course some kind of scanning coming from big internet but this is not what I want to point out.

What I mean is: a client should just get back its request, then why do I see incoming packets as if the router was listening on port 123/UDP? This is a server behaviour.

paolopoz

If it was working, then there is no reason why it would go slow.
Unless you have added some kind of queues.
Please check CPU and end-to-end latency.

paolopoz

You said: The connection it's established but i canno't ping o do other to the Internal IP of the other site which reads as if IPsec tunnel is working but no data is passed on it. So, is it the LAN-to-LAN flowing? Can you reach remote hosts through the VPN? Please check in IPsec > Installed SAs and ...

paolopoz

I guess that you are BGP peering with a ISP or carrier and they are announcing to you the full table (~500k routes). Am I right?
If this is the case, be aware that BGP is a single thread process and it is not possible to make it use the multi-core architecture.

paolopoz

I have some routers with SNTP client (the built-in one) enabled and working. Some interfaces has public IP addresses but I don't have any firewall rule configured because I want to use FastPath. Checking SNTP client status I often see this: last-bad-packet-from: 162.209.xxx.xx last-bad-packet-before...

paolopoz

Did you get it working?
If you need help with NAT config just drop a line.

paolopoz

Hello! First, this task will be better suited by a switch with VLAN capabilities, you don't really need a router to do this. If you want to solve this situation with this hardware you need to use bridges between ethernet ports and GRE or EoIP tunnels. So that you must have: [ether1--bridge1--gre-tun...

paolopoz

Hello all! In 6.39 changelog I see that: *) log - added warning when Winbox/Dude sessions were denied; But I didn't expect it to work it even if /ip service rule do not allow access to winbox port from that specific IP. I think that this kind of logs must not be generated if the port is unreachable ...

paolopoz

Check all the timing in phase2 (proposal) and phase1 (peer), they must be equal on both sides. Also set NTP client on both endpoints with the same server, so that they are as much in sync as possible. Some FWs have more re-keying options than time, such as amount of data. Be sure to disable them and...

paolopoz

Thank you strods for explanation.
However in my case I also have packets incrementing in output.
I attach an excerpt from a screenshot to better explain.

fp-eth.PNG

Is it the same behaviour of counting also for Tx packets?

paolopoz

Could it be a faulty rate limit on ISP side? Try add a simple queue a bit below the max bandwidth of the link, to see if it's any better. Maybe the old ASA had some rate limit configured in it. Also, if you have access to it, try to compare the configuration of interfaces. I rule out a hw problem as...

paolopoz

Thanks andriys,
I forgot to mention: neither Fasttrack is enabled under /ip settings and stats are empty.
I only have a bridge as a loopback with no ports configured, so that cannot be the source of that packets, in fact those stats are empty.

paolopoz

Hello all.
I have a router with 6.40.3 where I can see FP counters incrementing on both Tx and Rx on some interfaces, while if I check under IP Settings I see that FastPath is not active nor the counters increment.
Are those packets using FastPath on those interfaces or not?

paolopoz

Did you find a solution?

paolopoz

Isn't adding a static route just enough?

/ip route add dst-address=192.168.2.0/24 gateway=192.168.1.253

Else, if you need to redirect to the Cisco only the traffic coming from 192.168.1.0/24 you need a routing mark

paolopoz

PowerBeam M5 on one side and Rocket M5 on the other.

paolopoz

paolopoz

Thank you all.
By setting the OSPF neighbor to NBMA I fixed the problem!

paolopoz

@ivicask: what others are saying is that in multi-cpu boards (like your hEX or my CCR) some processes that don't use multi-threading can consume a single core to 100% but what you see in total (that one you see in winbox) is a fraction of percent. Given that you have a dual-cpu system, if one goes t...

paolopoz

On a different scenario but I have the same problem. Many simple queues on a CCR1009, CPU is fine (<50%) but throughput is really limited. Disabling queues makes it flow without issues.
I don't know what to do.

paolopoz

Check in BGP instance what it's redistributing.

paolopoz

I second idlemind: path cost is the way to go. You can also take advantage of Equal Cost Multi Path (ECMP) from OSPF: if a router sees two paths with same total cost it will equally distribute the streams in both links. However keep in mind this is working only for new data streams, so it will take ...

paolopoz

Hello! I have 2 routers with OSPF neighboring over a radio link (Ubiquiti). It happens that the link state goes randomly down even if the radio link is always up and running. Both routers have been upgraded to 6.38.5. One is a CCR1009, other is a RB2011. CPU resources are within good margins. OSPF n...

paolopoz

Another common solution would be to use BGP over OSPF. You let OSPF manage the reachability from a router to another, then route all the customers prefixes with BGP which is lighter on updates. You only need a centralized BGP route-reflector (better two), it can be an existing router. In this way we...

paolopoz

I second that!
This is a fundamental feature to provide connectivity to customers while keeping the internet a good place.
Given the continous rise in DDoS attacks we as providers have the responsibility to do this kind of checks and I know that MikroTik understand its role in this.

paolopoz

Late reply...
I successfully configure IPsec tunnels between WatchGuard and MikroTik, they all work (almost all on first try) and pass traffic.
You have to exclude IPsec traffic from NAT (ip > firewall > nat). Add a rule with action "accept".

paolopoz

Good job!

However a nice feature which is now lost was the fact that log messages were colour-coded for up or down events. Now it's all black and it's less easy to spot up/down events.
It would be great to have this feature back.

paolopoz

I have the same problem here, with latest stable release (6.35.4). To me it's software-related as the log lines for sntp aren't anymore classified in topic ntp but fall into the general system and info topics, thus popping up every update. Obviously I don't want to disable those topics because they ...

paolopoz

I am starting to implement RFC2827 / BCP38 on our network.
I would like to know if the Reverse Path Filter is working, if it generates some logs when a packet is blocked or how to enable it (given that this is under /ip settings) and if there is a counter for these blocked packets.
Thanks!

paolopoz

This is an incomplete bug report. I write it down the same for future reference or just for someone to pick it up. Case: RB2011 with latest version (6.32.2) with no configuration applied. Connect one port to a live LAN on any of RB ethernet port. After a few seconds the CPU goes straight to 100%, pr...

paolopoz

Thanks normis for the explanation

paolopoz

I think the subject says it all.
I want to know it also to evaluate the CPU (un)load of this "half fast path" feature.

paolopoz

http://wiki.mikrotik.com/wiki/Supported_Hardware

paolopoz

Are there other switches in the network? Did you connected some of them together using two or more ports of the MikroTik?
Probably the router freezed because of a broadcast storm.
Learn about "Spanning Tree Procol" and then enable it on the bridge configuration, STP tab.

paolopoz

Slow download speeds BGP prefixes, and uneven loading the CPU.

This is a known limitation: BGP routing table loading is single threaded thus using only one CPU.

paolopoz

Does anybody experienced problems with wireless disconnections after upgrading to 6.28? I have a PtP link and after upgrading one of the two sides I keep getting disconnections with error: lost connection received deauth class 2 frame received (6) After downgrading to 6.27 the problem disappeared. T...

paolopoz

Bugs in Winbox 3: I have a list of devices automatically imported from previous Winbox version. When trying to modify one of these entries by adding to them a group name, those items disappear from the list. Even selecting the specific group in the dropdown menu does not help. It is necessary to clo...

paolopoz

Here is what happen: booting CCR without any port attached works fine, as soon as I attach the ethernet cable from my notebook to the eth7 the router reboot. Here is what I see on console: Pid: 0, comm: swapper/34, CPU: 34 r0 : 0xfffffe40751d0000 r1 : 0xfffffe00006e99d8 r2 : 0x0000000000002824 r3 : ...

paolopoz

I upgraded my CCR-1036 from v6.5 to v6.6rc1 but now the router reboot continously shorly after the boot phase.
I will make other tests connecting in console while booting but by now it seems to me that the 6.6rc1 is bugged.

paolopoz

Same here, with much less bandwidth than 460 Mbps. However I see that the problem is tied with lot of traffic flowing. To me it also happens on more than one interface at once: 16:35:32 system,info filter rule changed by admin 16:35:32 system,info filter rule changed by admin 16:35:45 system,info de...

Search found 77 matches