MikroTik

pants6000

With EIM-NAT and netmap, Mikrotiks can be pretty good NAT boxes at a price that's hard to beat. I would also like to see max conntrack raised or configurable for the same reasons as OP. That said, I have only seen the hard limit hit once and that was from malware--I now limit client connections to 1...

pants6000

I have a CCR1036 doing NAT and plan to replace with a/several CCR2116(s). The 1036 has a large number of connections in the conntrack table (typically 150-300k) and it won't be long until it starts to hit the throughput limits of its 2x10G interfaces. Despite this, CPU use is topping out at only aro...

pants6000

Other things apparently missing from the E50UG vs the RB750Gr3 are the microSD slot and beeper.

Aargh, no beeper?!? I am actually using the beeper/feeper for other people to stage hEXen 'blind', where the beeps and feeps indicate the stage and success or failure of the staging.

pants6000

Would it be possible to have the upgrade process look at something in the pre-upgraded configuration to determine what the device-mode would be afterwards? Like maybe something in /system/note or some other text field that already exists in older versions, something like that? Or maybe a script that...

pants6000

Will there be -48VDC power supplies for the CRS520? Any MPLS HW acceleration possible in the future? Stacking? Faster-than-light communication? Ok maybe that one is too big an ask.

pants6000

What about not using API to configure the VLANs and whatnot at the end, instead generate a little .rsc with the appropriate config/commands in it, and /fetch and /import it?

pants6000

I just did a linux-native netinstall and it was so easy! A big improvement in comparison to the old gui netinstall on windows/wine. Three thumbs up!

pants6000

Do you have the SIP helper disabled?

Can you sniff closer to the SIP sever, like on the ingress interface to the openvpn server?

pants6000

I see that there are a few PTP models that support the wifi-qcom-ac driver.

Does using the new drivers/wave2 for a PTP link realistically gain anything?

I would love to hear from someone who has tried swapping between AC and wave2 on the same radios/locations.

pants6000

Disclaimer: I don't know if this will work on ROS but it feels like it should... and I am lazy. Try, for example, putting 192.168.200.1/24 on a bridge (with no ports on it, used like a loopback int on other platforms), and then adding a /32 route to each printer with the connected interface as the g...

pants6000

Very weird indeed.

Do you know if your provider is using MPLS to transport this? It might be worth changing the MAC that starts with 4 to something else... I'm not (entirely) insane, read this:

https://mailman.nanog.org/pipermail/nan ... 89395.html

pants6000

Since ARP seems to work, can you mac-ping or mac-telnet between the two boxes? Do you see sensible things in the ARP table?

I wonder what the deal is with all the "bogus IPv4 version" stuff seen in the pcaps.

pants6000

If it works when it's triple-tagged like that, something in here must be stripping two layers of tags. What is your provider like? Do they do anything with tags? Are you using 0x88a8 s-tags because they want that or is that of your own doing? It might be helpful to post packet captures, it's easier ...

pants6000

jsadler, have you tried setting reneg-sec to 0?

Have an issue with OVPN server on 7.10RC3 (and also 7.9.2) where Mikrotik Clients disconnect after exactly 1 hour of connected time...

pants6000

I like most of the webfig changes (including/especially the inline comments!), but the centered detail screens just strike me as odd, like the pages aren't rending correctly.

pants6000

It show's that combination in the brochure, and even mentions that specific combination in the product description. Did you try it and are having problems? I didn't, I missed that in the description somehow... "Simply remove one of the current power supplies..."; implying that mixing them...

pants6000

Exactly what I need to know... again. Thanks!

...
I have the same configuration, also mixed on the same rack devices with "-" and "+", and all work as expected, without short-circuits,
because both the AC and DC power sources are galvanically isolated

pants6000

Is the combination of a -48V power supply (PW48V-12V85W) and an AC power supply a supported configuration? CCR2116 is my likely target.

pants6000

Perfect, thank you!

My two-touch provisioning system is down to one-touch now!

pants6000

I want to "/system reset-configuration" from a file that I am "/importing" under ROS 7.6.

Is there a way to skip the "dangerous! Reset anyway?" prompt when that command is in an imported file like this?

pants6000

*) ovpn - fixed encryption key renewal process which caused periodic session disconnects; This seemed to have fixed my hourly-disconnect problem! I thought it had to do with the "reneg-secs" OVPN parameter but I see that's still set to 3600. In any case, a client/config that wouldn't make...

pants6000

+1, I am already using CCRs for NAT but this would be awesome and simplify configuration greatly.

pants6000

Will there be -48V DC power supplies available for the CCR2116?

pants6000

Something like an RB2011 (which would be plenty fast enough) but with 6 to 12 rs232-over-RJ45 ports instead of all the ethernet ports. -48v input would be a nice bonus, like on the RB1100AHx4. ROS already has everything needed to be a console server, plus lots of things that console servers from the...

pants6000

Please add "reneg-sec" config option to the ROS openvpn server. I have openvpn clients without access to their configuration; without being able to set "reneg-sec" on either side, clients will disconnect & reconnect every hour. Setting reneg-sec = 0 on the server should allo...

pants6000

Is this V7 only? Backporting this to V6 would be pretty nice if so...

pants6000

Yay for 60GHz/5GHz devices!

What is the fail-over mechanism between the 60 and 5GHz radios?

Is there a US/INTL version split like the other 5GHz devices?

I'd really like to see some internal pics if anyone can find them.

pants6000

Does SWOS support rate-limiting both egress and ingress port speeds on CRS309-1G-8S+IN, CRS328-4C-20S-4S+RM, or CRS317-1G-16S+RM?

pants6000

Do you have bridge port MAC learning turned on or off?

pants6000

I wonder what CPU arch these new CCRs will use, should they exist...

pants6000

Does it fit/work?

pants6000

Always nice to see new telco powered stuff!

The new CCR-1036es, do they use soldered-in RAM or DIMMs or something else?

pants6000

Actual tcpdump.

I know and use the existing local and remote sniffing tools, but they are not a satisfying replacement for a quick and simple "tcpdump -X" from the CLI.

pants6000

Fine for me, such things won't get very far with The Boss and "techs", though, who are not particularly technical. Want something that I can just say "buy 10 of these" and be done with it. Such things exist but they are either very pricey or of questionable... everything. Perhaps...

pants6000

How about a little hand-held box with a touch-screen and ethernet port for network testing? Test/display DHCP, PPPOE, etc., along with basic MII info and stats? Bandwidth test? POE testing/info? Really it'd just be stuffing a ROS router into an appropriate box with a battery, and some UI work for th...

pants6000

Possible bug:
I have installed a fresh CHR with 6.40.9; the SIP helper port config is completely missing in webfig. It is present (and was enabled by default) in the ROS cli.

pants6000

Try disabling CSMA if you haven't:

/interface wireless nstreme
set wlan1 disable-csma=yes enable-nstreme=yes

The fine manual suggests that NV2 disables it automatically.

pants6000

'export' command is not including the wireless SSID as expected on RBSXTG-5HPnD-HGr2 with an nstreme network configured/connected/working. /interface wireless set [ find default-name=wlan1 ] band=5ghz-onlyn channel-width=20/40mhz-Ce country="united states" disabled=no \ frequency=auto freq...

pants6000

I think this would be an awesome feature!

pants6000

+1, IMHO, DHCP traffic should probably be marked as high-priority regardless of (kinda stupid) ISP requirement.

pants6000

A source-address option for bandwidth test would be nice!

pants6000

FWIW, working beautifully on my 951Ui-2HnD at home. Don't see an inordinate number of sector writes, either.

pants6000

If you pay attention to what line of the config it stopped on, you can continue the import with "import from-line=", just increment the line number that it stopped on by 1.

But something like "continue import on error" would be a nice feature. +1

pants6000

Gonna resurrect this thread again... I got a CCR-1036 and the secondary power supply connector is not actually installed on the board, though I can see where it obviously goes. Other than having no connector, will the secondary supply work on the CCR-1036 as it does the other CCRs?

pants6000

Ahh, didn't see that when I was searching before... gonna order one now. Thanks!

pants6000

Just want to confirm this before I spend my boss's money on one... thanks!

pants6000

Have you tried fasttrack?

http://wiki.mikrotik.com/wiki/Manual:Wiki/Fasttrack

pants6000

Being able to set the RADIUS source IP to an interface instead of an explicit IP address would be useful... for me, at least! We have ROS boxen that speak RADIUS over a VPN to our freeradius servers; if I could set the RADIUS request source IP to the VPN interface, it would make for simpler "co...

pants6000

Something like one of the 1016 or 1036 boards that can take lots of RAM, but in a chassis with dual power supplies. Ideally one would just get a 1072 for such features, but the ~$1k price point is a much easier sell to stingy bosses than the $3k price point, especially if I want several (or more :D ...

pants6000

What happens if we leave 2 PPPoE servers (CCRs) on the same L2 network ? Does the lowest load server accepts the incoming pppoe sessions faster than the one with more load ? Do they naturally balance each other ? I have done this (with other routers) and yes, it works that way, more or less. The cl...

pants6000

Do you have UPNP enabled on these routers?

pants6000

Check this out, it might work for you:
http://wiki.mikrotik.com/wiki/How_to_bl ... e_firewall

pants6000

Does "bug fixes" include security issues? If so, how long will a given release be supported?

pants6000

Also if your modem offers "ppp-ip extension", you should definitely try that--it will terminate the PPPOE session on the modem and bridge (well, not really bridge but the idea is the close enough) the IP data to the LAN port. That will relieve your Mikrotik from dealing with PPPOE so it ca...

pants6000

It's kind of gross, but you could set up a port with your trunks on it and plug it into another port on the same box that did the EOIP tunneling...

pants6000

So it sounds like though you're in the same same IP subnet, you don't actually have a real L2 path between each other--it's probably vlan-per-customer, and the routes are /32s pointed at q-in-q interfaces. As a result, your ARP requests for the "other side" go unheard. If that's the case, ...

pants6000

+1 I use a whole special PC (+ UPS & switch) with Linux & tinydns for that important task... but this is MINI-task and totally overkill for my up to 10 lines of DNS config. Would be great feature to little Mikrotik boxes. Not as simple but I think metarouter + openwrt could replace your lin...

pants6000

Have you tried a regular straight-through cat5?

pants6000

I'm curious, how are you using the RB to access the TTL? I have a few highway signs that use serial to ethernet interfaces, plus a RB. I would love to be able to use the RB's USB port and drop one more device.

Check this out: http://wiki.mikrotik.com/wiki/Manual:Port#Remote_Access

pants6000

Tell us more, won't you?

pants6000

Where can we download version 6.27 software for several of our PPC and Mipsbe devices?

http://download2.mikrotik.com/routeros/ ... e-6.27.npk
http://download2.mikrotik.com/routeros/ ... c-6.27.npk

Yay for sensible/predictable URLs!

pants6000

Maybe your conn. tracking table is filling up or something similar? Try turning the values in ip/firewall/connections/tracking down, especially the tcp established timeout.

pants6000

I mangle tcp packets with the ack flag set and size < 64, then put those high up in my queue tree, which has an upload bandwidth slightly lower than the actual speed so as to avoid drops/buffering by the modem. Try this on: /ip firewall mangle add action=mark-packet chain=forward new-packet-mark=ack...

pants6000

Well, let's see what that capture looks like when you can get one... and us seeing as much of "/ip firewall export" as you're comfortable with may be helpful as well.

pants6000

Your ISP (or modem?) is giving you an RFC1918 "fake" IP, which is icky at best. I wonder if something upstream if you is at fault here... any chance of getting a real IP on your 'tik?

pants6000

Can you get a packet capture of this happening for us to ogle?

pants6000

Have you tried turning SIP ALG off in IP/firewall/service ports? Just disable the 'sip' entry on port 5060.

pants6000

Are your ADSL modems also routers or are they just bridges?

pants6000

PPTP/PPPOE interfaces (all PPP? more?) are disconnected then re-connected when clicking "OK" on their /webfig/#Interfaces.Interface page, even if nothing has changed. It probably shouln't do that.

pants6000

I've got some: Configurable view of ip/firewall fields in webfig like in winbox (I really could use to see the "address list" fields in the list!) text config export from webfig's file menu per-interface RPF & RPF logging "safe mode by default" option so I can *never* be lock...

pants6000

It'd be cool if there was a way that Safe Mode could be configured to be enabled from the very beginnig of a session, and you'd have to turn it off intentionally if you wanted/needed to (call it "cat mode".)

pants6000

Is there a way to see/change the DSCP to 802.1p COS map? Specifically I'd like DSCP 46 to map to COS 5 instead of COS 6.

pants6000

[admin@HGW] > system routerboard print routerboard: yes model: 951Ui-2HnD serial-number: XXXXXXXXXXXX current-firmware: 3.22 upgrade-firmware: 3.22 [admin@HGW] > system health print [admin@HGW] > ======================================= [admin@hq-ccr1] > system routerboard print routerboard: yes mode...

pants6000

A little late here... but in my testing (just now, on 6.25 between two CCRs), ROS does indeed copy the original DSCP value to the new header. You can also mangle it like any other traffic if you need to set/change the value. Lovely!

pants6000

*) improved boot times;

Reboot dropped from 42 to 32 seconds on my RB951Ui! Sweet!

pants6000

Cisco's "flex links" is another way to do that without STP.

http://www.cisco.com/c/en/us/td/docs/sw ... flink.html

pants6000

No, this config is for doing it in a routed manner. Your 'tiks DHCP server will do its usual thing, using local IP addresses, and the magling and routing will select and send the traffic you want over the VPN. I'm not sure that you can bridge over PPTP like that.

pants6000

Marking packets and then routing based on the mark is what you want, I think: ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=use-artgw src-address=192.168.10.0/24 ip route add distance=1 gateway=192.168.0.253 routing-mark=use-artgw ip firewall mangle add action=mark-rou...

pants6000

You should be able to just route whatever you want out your pptp connection, something like this: ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=use-vpn src-address=10.0.0.0/8 ip route add distance=1 gateway=pptp-server routing-mark=use-vpn Your pptp server will either ...

pants6000

FWIW, IPv6 seems to be working fine for me on 6.22.

pants6000

Subect really nails it. Is there a way to get winbox running on linux under wine to use interfaces other than eth0?

pants6000

What kind of load did you have at 20% CPU load? How does CPU load scale with forwarding load?

pants6000

Using webfig on 6.20, I can't correctly add a new DHCP network in IP/dhcp server/networks. The only field that will stay populated is the address field, the rest are cleared when I press apply. Tried from two different browsers. CLI/winbox work fine.

pants6000

found the thread http://forum.mikrotik.com/viewtopic.php?f=3&t=89246&hilit=psu+ccr Sweet... so what CCR models would that work on? Could one replace the single PS of the 1009-8G-1S with one of these? Or both PSes in a dual-PS model? (My boss is *very* telco-oriented, I think this just sold ...

pants6000

Yeah, the web interface in particular is pretty starkly commented/annotated in a lot of places. In this case (just to make it weirder?), if you want to do a qinq stack of VLANs with the outer ethertype of 0x8100, you don't use the "service tag" option--rather just add the inner VLAN as usu...

pants6000

"Use service tag" is for 802.1ad stacked vlans, and sets the outer tag ethertype to 0x88a8.

pants6000

++ here as well!

pants6000

Just go grab the right file, upload it to the router, reboot... easy! There's a firmware upgrade that you can do after the OS upgrade (from system/routerboard) that comes bundled with the OS package.

pants6000

For logging, you could use torch for real-time info, or put a firewall rule on the wifi interface with a target of LOG and stash that somewhere (hopefully not on your flash!) with syslog, or use netflow export, or do the sniffing thing... and probably about half a dozen more. 5.26 is at the end of d...

pants6000

If you can put routes in the NAS, put in a route to 192.168.88.0/24 with the Mikrotik's VPN interface (10.10.10.1) as the next-hop.

It's no big deal here though, since it's unlikely the NAS will have to open connections to machines on your LAN.

pants6000

Sweet! It's kind of a dirty hack but it'll work for this just fine.

pants6000

The VPN server probably doesn't have a correct route back to your LAN at 192.168.88.1. You might try setting up a rule on the mikrotik to masqurerade connections going out the pptp interface, that way the VPN server doesn't need a route back to you.

pants6000

What's your CPU usage like? Which ethernet ports are you using?

pants6000

Are you accepting "established" and "related" connections in the forward chain?

Can you post your config?

What ROS version are you using?

pants6000

NM my firefox problem, clearing the cache fixed it! (duh!)

pants6000

I was feeling adventurous tonight and upgraded my 751G-2HnD from 5.26. I can't login to webfig with firefox now, I get an "ERROR: Internal Server Error". Chromium works, winbox works, telnet/ssh works... tried another reboot and resetting the password, no luck. My GRE tunnel (to a C6500) s...

Search found 96 matches