Search found 2078 matches

by Larsa
Fri Apr 04, 2025 12:46 pm
Forum: Forwarding Protocols
Topic: Problem Azure and bgp/vpn
Replies: 7
Views: 711

Re: Problem Azure and bgp/vpn

And multihop and nexthop-choice are configured on the Mikrotik?
by Larsa
Fri Apr 04, 2025 12:19 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 92
Views: 16712

Re: WireGuard Multi-WAN Policy Routing

Unfortunately, MACVLAN still needs either routing rules or @Sindy's NAT trick to work properly.
by Larsa
Fri Apr 04, 2025 11:37 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

@Mimiko, your only options are either routing rules or NAT, unless you’re on one of the newer ROS versions where they supposedly fixed the issue, i.e. that WireGuard’s initial handshake is going out via the default gateway instead of the inbound interface. Might’ve been mentioned in this or the othe...
by Larsa
Wed Apr 02, 2025 5:27 pm
Forum: General
Topic: DNS FWD ignores CNAME records
Replies: 6
Views: 3219

Re: DNS FWD ignores CNAME records

This is just a user forum. Please report bugs directly to MikroTik support: https://mikrotik.com/support
by Larsa
Wed Apr 02, 2025 5:15 pm
Forum: General
Topic: Public DNS to private IP
Replies: 41
Views: 1379

Re: Public DNS to private IP

@Josephny, please listen to BartoszP's advice — they're legit. My recommendation: don’t use an external DNS server for your local needs and private addresses (for a bunch of different reasons)
by Larsa
Wed Apr 02, 2025 2:48 pm
Forum: Forwarding Protocols
Topic: Problem Azure and bgp/vpn
Replies: 7
Views: 711

Re: Problem Azure and bgp/vpn

Did you read the blogs, and have you also checked how multihop and nexthop-choice are configured on your MikroTik?
by Larsa
Wed Apr 02, 2025 12:58 pm
Forum: General
Topic: Public DNS to private IP
Replies: 41
Views: 1379

Re: Public DNS to private IP

No need for public A records if you run your own internal DNS server with a split DNS setup. You can map a domain like mqtt-ha.mydomain.local (or whatever) to 10.100.0.1 and have all your IoT devices point to that DNS server. It’s best practice in setups like this and is simple, reliable and fully u...
by Larsa
Wed Apr 02, 2025 11:44 am
Forum: General
Topic: Large UDP packets not fragmented and sent over IPSEC
Replies: 4
Views: 539

Re: Large UDP packets not fragmented and sent over IPSEC

One thing you could try is adding a RAW rule to see if those fragments even hit the router’s CPU. RAW is processed before conntrack or filters, so it might be a good way to check if something’s silently dropping them early. Use something like this: " /ip firewall raw add chain=prerouting fragme...
by Larsa
Wed Apr 02, 2025 11:18 am
Forum: Forwarding Protocols
Topic: Problem Azure and bgp/vpn
Replies: 7
Views: 711

Re: Problem Azure and bgp/vpn

I might’ve missed or misunderstood something, but here are a few quick follow-up questions: 1. Is the Azure route (10.130.0.0/20) completely missing in the guest VRF, or is it there but inactive? If it’s inactive, it could be due to an unreachable next-hop or a higher route distance. 2. Are you usin...
by Larsa
Wed Apr 02, 2025 8:25 am
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

True word or gossip?

As Amm0 mentioned, check out the latest RFC as they’re working on now: RFC 9759 – Unified Time Scaling (synchronizing timers for MPLS). 😉
by Larsa
Tue Apr 01, 2025 10:33 pm
Forum: General
Topic: Leaking of IPv6 prefix that's not present on Router
Replies: 10
Views: 693

Re: Leaking of IPv6 prefix that's not present on Router

Ah, but of course, I totally missed that screenshot detail, good catch! 👍
That clears it up then. The connectivity issue clearly has nothing to do with that, so yep, looks like it was just a red herring. 😉
by Larsa
Tue Apr 01, 2025 9:50 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

please don't scare me, I got 8 BGP connections and an AS on a CCR running 7.15 since July I think and just considering to update and saw this :P

We’re still on 7.15 and won’t upgrade until there’s a long-term version with at least three patch releases.
by Larsa
Tue Apr 01, 2025 7:55 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

It would also be valid to ask why input src-nat is omitted from the official packet flow diagrams by Mikrotik, while being fully and correctly supported.

Yeah, that question has come up a few times before. Personally, I think those packet flow diagrams have a lot of room for improvement! ;-)
by Larsa
Tue Apr 01, 2025 6:41 pm
Forum: Wireless Networking
Topic: Which router? [SOLVED]
Replies: 2
Views: 2353

Re: Which router? [SOLVED]

Hello @thomasz and welcome to the forum! Yes, both the RB5009 and L009 can handle this setup just fine. You can create two separate networks (either using VLANs or by assigning different ports) and connect each mesh system to its own network while still sharing the same internet connection. The RB50...
by Larsa
Tue Apr 01, 2025 6:35 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

@lurker888: Great summary! Just wondering, why go with a bridge instead of assigning the addresses straight to the wg interface in this case? @Mimiko: You’ve probably already thought about it, but just a heads-up that each client still needs a unique public key in a separate peer entry, otherwise Wi...
by Larsa
Tue Apr 01, 2025 5:25 pm
Forum: General
Topic: Chromcast firewall rules
Replies: 4
Views: 384

Re: Chromcast firewall rules

Just a thought, and maybe I'm missing something, but can't you give full access just between the Chromecast and Streaming Host 1?
by Larsa
Tue Apr 01, 2025 5:09 pm
Forum: General
Topic: Leaking of IPv6 prefix that's not present on Router
Replies: 10
Views: 693

Re: Leaking of IPv6 prefix that's not present on Router

It seems you're running into a weird issue caused by multiple RA ULA prefixes being advertised on the same network. Your Mikrotik is advertising fd9d:..., but your Apple TV is also sending out RAs for fdf7:.... Devices like Home Assistant, the Apple Home app, and the HomeKit bridge might end up usin...
by Larsa
Tue Apr 01, 2025 4:13 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Okay, but first try to explain what you're trying to accomplish without using too many technical terms.
by Larsa
Tue Apr 01, 2025 3:58 pm
Forum: Beginner Basics
Topic: RB951G-2HnD - DUAL Wan Static IP
Replies: 4
Views: 365

Re: RB951G-2HnD - DUAL Wan Static IP

I want my router public ip address to be always that from nisp - regardless if aips is in use, my public ip should be that from nisp. That won’t work, unfortunately. You can’t use the public IP from nisp while sending traffic through aisp, since they’re on different networks and ISPs only route IPs...
by Larsa
Tue Apr 01, 2025 3:44 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

It works. With routing rules, you force outbound traffic to use a specific egress interface, which automatically sets the source address to that WAN’s IP. But you can also use the Sindy NAT trick: "/ ip firewall nat chain=dstnat dst-address-type=local in-interface=WAN2 protocol=udp dst-port=wg-...
by Larsa
Tue Apr 01, 2025 2:56 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 68
Views: 6512

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Have you tried policy routing using routing rules, with separate routing tables for each WireGuard instance?
by Larsa
Tue Apr 01, 2025 2:46 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

It might actually happen sooner than you'd expect. Word is Mikrotik has recently brought on about 15 people, supposedly working full-time on developing business-oriented features.
by Larsa
Tue Apr 01, 2025 2:02 pm
Forum: Announcements
Topic: v7.18.2 [stable] is released!
Replies: 540
Views: 157020

Re: v7.18.2 [stable] is released!

Mikrotik’s known VRRP’s been broken for a few releases now, but why it’s still not fixed is anyone’s guess. Still there in v7.19, apparently.

Pretty remarkable that a mission-critical HA (high availability) feature isn’t fixed right away, if you ask me.
by Larsa
Tue Apr 01, 2025 1:51 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

Anything about the VRRP bug yet?
by Larsa
Tue Apr 01, 2025 11:36 am
Forum: General
Topic: Chromcast firewall rules
Replies: 4
Views: 384

Re: Chromcast firewall rules

Hi @kanwhoa and welcome to the Mikrotik user forum! Thanks for the detailed post but a few things are a bit unclear though: You mention "full access between all bridge ports", but also describe firewall filtering between trusted and untrusted bridges. That sounds contradictory unless you m...
by Larsa
Tue Apr 01, 2025 8:43 am
Forum: General
Topic: VRRP Stuck in Master in both devices
Replies: 13
Views: 1812

Re: VRRP Stuck in Master in both devices

Great, that means Mikrotik has at least acknowledged the issue. The next step is to push the matter further and raise awareness in the two release channels that are currently active: v7.18.2 [stable] is released! v7.19beta [testing] is released! Post a short description of the problem, like in this ...
by Larsa
Mon Mar 31, 2025 10:05 pm
Forum: General
Topic: Leaking of IPv6 prefix that's not present on Router
Replies: 10
Views: 693

Re: Leaking of IPv6 prefix that's not present on Router

@kryptonian; this is most likely coming from an Apple device on your network. Apple HomeKit/Thread devices (especially early builds) can accidentally leak IPv6 prefixes via RA, like the 2103::/64 you're seeing. It’s not intentional, but it's a known quirk that’s been brought up in IPv6 and HomeKit d...
by Larsa
Mon Mar 31, 2025 6:09 pm
Forum: Beginner Basics
Topic: Phantom DAC created with L2TP/IPSEC
Replies: 6
Views: 524

Re: Phantom DAC created with L2TP/IPSEC

@jojorock If you really want help figuring this out, you need to be a lot clearer about what’s actually working and what’s not. Right now, some of what you're saying just doesn’t add up. You say the router isn’t even connected to the internet, has no local IP, no DNS, no DHCP… but then you show an a...
by Larsa
Mon Mar 31, 2025 5:13 pm
Forum: Beginner Basics
Topic: Phantom DAC created with L2TP/IPSEC
Replies: 6
Views: 524

Re: Phantom DAC created with L2TP/IPSEC

You have three L2TP clients enabled at the same time, all set to add-default-route=yes and dial-on-demand=yes. That creates multiple default routes which might cause unstable behavior, especially if another tunnel is added on top of this. The output from "ip route print" confirms it: 0 ADS...
by Larsa
Mon Mar 31, 2025 4:42 pm
Forum: Beginner Basics
Topic: Constant high outbound traffic from ether1
Replies: 14
Views: 1030

Re: Constant high outbound traffic from ether1

@eomcsqwipik: Once you’ve cleaned up your firewall, or preferably reset the entire router to factory default settings, and still see abnormally high outbound traffic, my guess is that you might have a compromised PC on your LAN that’s part of a botnet. P.S. Never, ever open any ports from the router...
by Larsa
Mon Mar 31, 2025 4:23 pm
Forum: General
Topic: ipv6 ND and vlan leaks
Replies: 13
Views: 832

Re: ipv6 ND and vlan leaks

I just glanced through your config very briefly and might be totally off or missing something here, so take this as a guess but it looks like both delegated IPv6 prefixes are being advertised on all VLANs. You're assigning one prefix to vlan10-lan and another to vlan20-iot, but the default /ipv6 nd ...
by Larsa
Mon Mar 31, 2025 4:03 pm
Forum: Beginner Basics
Topic: Phantom DAC created with L2TP/IPSEC
Replies: 6
Views: 524

Re: Phantom DAC created with L2TP/IPSEC

@jojorock; as @tdw pointed out, the DAC route is expected since it's created by the VPN tunnel. The remote and local IPs (i.e. 10.64.64.105 and 10.112.112.153) are assigned by the VPN server and the client might have limited control in this case. To figure out why the connection drops, here are a fe...
by Larsa
Mon Mar 31, 2025 2:37 pm
Forum: General
Topic: VRRP Stuck in Master in both devices
Replies: 13
Views: 1812

Re: VRRP Stuck in Master in both devices

If you haven't already, please report it to Mikrotik support (this is just a user forum).
by Larsa
Mon Mar 31, 2025 2:17 pm
Forum: Forwarding Protocols
Topic: Problem Azure and bgp/vpn
Replies: 7
Views: 711

Re: Problem Azure and bgp/vpn

Hi @FrancoisBellec and welcome to the forum! Azure usually requires EBGP multihop (typically TTL=255 for GTSM). Make sure multihop is enabled for the Azure peer. Routes might not be propagated across VRFs if the next-hop remains unreachable. It might also be worth checking if the Azure routes are ac...
by Larsa
Mon Mar 31, 2025 1:33 pm
Forum: General
Topic: Large UDP packets not fragmented and sent over IPSEC
Replies: 4
Views: 539

Re: Large UDP packets not fragmented and sent over IPSEC

Hi @Ishe and welcome to the forum! Are you running ROS v6? I'm not entirely sure, but I think ROS v6 had some issues with IP reassembly back in the day. Also (and this is just speculation) I vaguely remember reading somewhere that if fast-path was enabled, fragmented UDP packets might get dropped or...
by Larsa
Mon Mar 31, 2025 12:45 pm
Forum: Forwarding Protocols
Topic: MPLS has finally gotten stable ?
Replies: 18
Views: 7156

Re: MPLS has finally gotten stable ?

What makes you think starting a v8 branch would change anything? IMO (and just speculating here) MT would really benefit from reorganizing and establishing an R&D department dedicated specifically to enterprise networking. Of course, priorities and development direction naturally depend on their...
by Larsa
Mon Mar 31, 2025 12:07 pm
Forum: Beginner Basics
Topic: CCR2004-1G-2XS-PCIe Help needed
Replies: 1
Views: 303

Re: CCR2004-1G-2XS-PCIe Help needed

Hi @Turmoil3489 and welcome to the forum! Firstly, not all SFP modules are automatically compatible with Mikrotik devices. Please check if your module is on Mikrotik’s official compatibility list or is known to work with RouterOS. Incompatible or high-power modules may either not show up at all or r...
by Larsa
Sun Mar 30, 2025 9:34 pm
Forum: Scripting
Topic: wrong ssh-exec output [SOLVED]
Replies: 2
Views: 2362

Re: wrong ssh-exec output [SOLVED]

It's likely caused by newline or whitespace characters in the output returned by ssh-exec. Even if the visible result is '1', the actual string might include hidden characters like '\r' or '\n', which would explain the length of 3. The built-in :tonum doesn’t handle end-of-line characters well. You ...
by Larsa
Sun Mar 30, 2025 8:21 pm
Forum: Beginner Basics
Topic: Simple question about port forwarding
Replies: 1
Views: 293

Re: Simple question about port forwarding

Yeah, your first rule is enough i.e. you don’t need to create each port mapping separately. When you omit the to-ports parameter, Mikrotik ROS automatically assumes that the destination port on the internal IP (in your case, 192.168.81.108) should be the same as the one on the external request. So: ...
by Larsa
Fri Mar 28, 2025 8:59 pm
Forum: General
Topic: Is there any way to trace current DNS requests received by the router? [SOLVED]
Replies: 7
Views: 5678

Re: Is there any way to trace current DNS requests received by the router? [SOLVED]

Yep, just predefine topic=dns and enable it when needed. It might still be a good idea to create your own action=DNSLOG. That way, you can easily filter out just the DNS requests once logging is enabled.
by Larsa
Fri Mar 28, 2025 8:45 pm
Forum: General
Topic: Problems with traffic flow through IPsec tunnel [SOLVED]
Replies: 2
Views: 4673

Re: Problems with traffic flow through IPsec tunnel [SOLVED]

Hi Alex and welcome to the forum! From your description, it sounds like you're running ROS v7 on a Mikrotik HeX (RB750Gr3) on the local side, but just to confirm, is the remote side a Bintec RS353? If so, that means there's only a Mikrotik device on one end of the IPsec tunnel, correct? That might b...
by Larsa
Fri Mar 28, 2025 7:31 pm
Forum: General
Topic: /file console-dump.txt
Replies: 5
Views: 544

Re: /file console-dump.txt

Your device might be hacked!
by Larsa
Fri Mar 28, 2025 7:29 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

I just don’t get why they still go with only 16MB. Not exactly future-proof, if you ask me. If you look at the cost for 32MB, the difference is basically pocket lint. The only explanation I can come up with is that they’re sitting on some massive warehouse full of 16MB chips they’re desperately tryi...
by Larsa
Fri Mar 28, 2025 7:07 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

@infabo: Not the new LMP 5G that was announced with just 16 MB of storage(!)
by Larsa
Fri Mar 28, 2025 6:33 pm
Forum: General
Topic: Is there any way to trace current DNS requests received by the router? [SOLVED]
Replies: 7
Views: 5678

Re: Is there any way to trace current DNS requests received by the router? [SOLVED]

I was hoping there would be a simpler way to see the DNS requests passing through my router. It's actually pretty easy! Just create your own logging action (output), for example called DNSLOG, and then add a logging rule for DNS requests using that action. After that, check all DNS requests by ope...
by Larsa
Fri Mar 28, 2025 4:47 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

I don’t mind paying a bit extra for enterprise-level functionality. This could serve as an additional revenue stream that helps fund continued development and support, especially with a focus on advanced functionality for businesses and service providers.
by Larsa
Fri Mar 28, 2025 12:12 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

.. I am able to venture that perhaps MikroTik will have to think about different Software and Firmware (Routerboard) for the same hardware for different applications. ... If the fight to split the main software package is already big, imagine thinking about multiple flavors of firmware? It's going ...
by Larsa
Thu Mar 27, 2025 9:20 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

Are you referring to MPLS L3 VPN RFC 4364, a generic IPv6 VPN RFC 4213, or tunneling methods like those in RFC 2473 or 2784/2890?

If you’re talking about MPLS, there are plenty of other mainstream capabilities I’d prefer to see implemented as well like EVPN, SR, TE and OAM.
by Larsa
Wed Mar 26, 2025 4:36 pm
Forum: General
Topic: Unable to send email via smtp.gmail.com
Replies: 16
Views: 1188

Re: Unable to send email via smtp.gmail.com

Hard to say exactly what’s going wrong, but an easy way to troubleshoot is to run "/system telnet" from a router that's having issues. This guide shows how to Testing SMTP using Telnet. It’ll let you see where the SMTP process is failing and should give you a proper error message in plain...
by Larsa
Wed Mar 26, 2025 4:14 pm
Forum: General
Topic: VRRP Best Practices
Replies: 3
Views: 559

Re: VRRP Best Practices

That's an even better alternative! Makes sense to balance the load and get the most out of both routers/providers while still keeping failover in place.
by Larsa
Wed Mar 26, 2025 3:47 pm
Forum: General
Topic: Unable to send email via smtp.gmail.com
Replies: 16
Views: 1188

Re: Unable to send email via smtp.gmail.com

If you're sending on behalf of "<user>@<myowndomain>.com" from a new IP address that isn’t part of Google Workspace’s infrastructure, you’ll need to manually add that IP address to your domain’s SPF record. Otherwise, Google (and other receivers) may reject or flag the message as unauthori...
by Larsa
Wed Mar 26, 2025 3:11 pm
Forum: General
Topic: Unable to send email via smtp.gmail.com
Replies: 16
Views: 1188

Re: Unable to send email via smtp.gmail.com

Just a quick follow-up to clarify: A Google app password usually works fine out of the box for regular Gmail addresses (like xxxxx@gmail.com). But if you're sending from a custom domain (like xxxx@yyyyy.com), it won’t work unless a proper SPF record is set up for that domain.
by Larsa
Wed Mar 26, 2025 1:36 pm
Forum: General
Topic: Unable to send email via smtp.gmail.com
Replies: 16
Views: 1188

Re: Unable to send email via smtp.gmail.com

Just to add to what's already been said: Google has become much stricter to prevent spam and abuse. An AUTH failure might not only mean wrong credentials. It can also happen if the sender is not authorised to send on behalf of the domain used in the "MAIL FROM:" during SMTP. Make sure the ...
by Larsa
Wed Mar 26, 2025 1:12 pm
Forum: General
Topic: VRRP Best Practices
Replies: 3
Views: 559

Re: VRRP Best Practices

I think option 2 might be cleaner and easier to maintain, especially with multiple VLANs. Fewer VRRP instances means less config overhead. Plus, tying VRRP directly to the main bonded interface ensures proper failover behavior. Unless you have a specific reason to isolate each VLAN with its own VRRP...
by Larsa
Tue Mar 25, 2025 9:51 pm
Forum: General
Topic: fasttrack x86
Replies: 22
Views: 4194

Re: fasttrack x86

To me, the key question still is: Does FastPath require a hard dependency on patched drivers, or can ROS use skb with standard hooks? Yes, of course. That's what we are discussing. Yeah, but you forgot to add my mighty conclusion: I’m still convinced it’s the latter — meaning this can be abstracted...
by Larsa
Tue Mar 25, 2025 5:28 pm
Forum: Forwarding Protocols
Topic: OSPF area id 0.0.0.0 does not consider interface cost
Replies: 10
Views: 1085

Re: OSPF area id 0.0.0.0 does not consider interface cost

It sounds like there might be some kind of misconfiguration. If you're absolutely sure everything is set up correctly, I’d recommend reaching out to support for further assistance. I don't have the time or resources to set up a test environment to check this for you, I hope you understand. A few add...
by Larsa
Tue Mar 25, 2025 4:12 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

/disk test utility clears caches before running tests. Just a quick follow-up on the cache clearing part: even if /disk test flushes some caches before the run, that doesn't necessarily eliminate caching effects—especially in short burst tests where you're still likely to hit RAM-level buffers or c...
by Larsa
Tue Mar 25, 2025 2:13 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Just a quick note on the short bursts: those are most likely hitting cached data rather than reflecting sustained transfer speeds from storage to user space. The comparison to dd might be useful for Linux users, though both tools are fairly synthetic and don’t always reflect real-world I/O patterns....
by Larsa
Tue Mar 25, 2025 1:24 pm
Forum: General
Topic: fasttrack x86
Replies: 22
Views: 4194

Re: fasttrack x86

Hey, good points and nice digging! It’s fair to point out that Mikrotik has patched drivers, as you mentioned with L2MTU — but that was mostly with ROS 6.x. When ROS v6 was built on Linux 3.3.5, there were quite a few limitations around L2MTU handling, both in the networking stack and in many driver...
by Larsa
Mon Mar 24, 2025 10:38 pm
Forum: General
Topic: fasttrack x86
Replies: 22
Views: 4194

Re: fasttrack x86

My take: Honestly, I think “interface driver extension” most likely refers to using something like the skb->cb[] control buffer to tag packets internally. That buffer is explicitly designed for storing temporary, per-packet metadata and is commonly used by various subsystems (including Netfilter a...
by Larsa
Mon Mar 24, 2025 5:39 pm
Forum: General
Topic: fasttrack x86
Replies: 22
Views: 4194

Re: fasttrack x86

@NathanA: Fastpath and Fasttrack generally speaking do NOT work on x86....however, both of these features require specific support to be added to the network interface driver (ethernet chip, etc.). Do you know how it actually works under the hood? My guess is that Mikrotik uses their own skb attrib...
by Larsa
Mon Mar 24, 2025 2:52 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

I just realized I wasn’t clear enough. I meant running a disk speed test directly on the RDS2216 inside a container, if that’s possible.
by Larsa
Mon Mar 24, 2025 2:18 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Would be interesting to see the same tests run directly on the RDS2216. Any chance you could give that a try?
by Larsa
Sun Mar 23, 2025 8:28 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Thanks for great feedback and for sharing your hands-on experience! Looking forward to seeing what you come up with next.
by Larsa
Thu Mar 20, 2025 9:48 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Normis, if Mikrotik is still serious about developing a storage solution, it might be more practical to offer it as an add-on "install package" using one of the well-established open-source storage platforms rather than building a proprietary system from scratch. I strongly advise against ...
by Larsa
Thu Mar 20, 2025 6:20 pm
Forum: Forwarding Protocols
Topic: OSPF area id 0.0.0.0 does not consider interface cost
Replies: 10
Views: 1085

Re: OSPF area id 0.0.0.0 does not consider interface cost

Some troubleshooting tips: Enable BFD on all links to get a fast response when toggling links or making other changes. Set up OSPF logging on all routers to check if they are sending and receiving proper LSA messages. ( /system logging add topics=ospf,!packet action=memory ). If you can't spot inbou...
by Larsa
Thu Mar 20, 2025 2:28 pm
Forum: Forwarding Protocols
Topic: OSPF area id 0.0.0.0 does not consider interface cost
Replies: 10
Views: 1085

Re: OSPF area id 0.0.0.0 does not consider interface cost

The following recommendations are general since you haven’t described the overall topology of the solution. With over 500 subnets, I’d definitely consider using multiple OSPF areas, particularly Stub Areas or NSSA for your LTE links if they are not part of a transit path. Use area summarization at A...
by Larsa
Wed Mar 19, 2025 7:35 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Putting lipstick on a pig but since someone called it "Kermit the NAS," I guess it’s more like putting lipstick on Miss Piggy! 😉
by Larsa
Wed Mar 19, 2025 5:54 pm
Forum: Forwarding Protocols
Topic: OSPF area id 0.0.0.0 does not consider interface cost
Replies: 10
Views: 1085

Re: OSPF area id 0.0.0.0 does not consider interface cost

No need to use multiple areas, loopback interfaces, Stub, NSSA, or filters. In your scenario, just use a single area, and costs will work as expected. (Routing->OSPF->Interface Templates)
by Larsa
Wed Mar 19, 2025 5:27 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Normis, thanks for the reply and details on existing features. But let’s be real here—while these are basic storage functions, they’re nowhere near the administrative tools that actual enterprise (or even small office/home office) NAS solutions provide. Restructuring – More than just RAID Restructu...
by Larsa
Wed Mar 19, 2025 6:47 am
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Managing storage requires administrative tools for restructuring, error handling, and backup/restore. All of these are missing in ROS. In other words, this solution is not suitable for mission-critical applications.
by Larsa
Tue Mar 18, 2025 6:53 pm
Forum: General
Topic: renew ssl certificate let's encrypt
Replies: 15
Views: 1425

Re: renew ssl certificate let's encrypt

Thanks for the feedback!

Anyone know if it's only web-wwl that works with automatic renewal of LE certificates using the DNS-01 challenge, or if it will also work for IPsec and cloud domains (ie, "type=cloud-dns")?
by Larsa
Tue Mar 18, 2025 4:45 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

Just for the record, in case this wasn’t reported to support: The Let's Encrypt DNS-01 challenge has stopped working. Ref: viewtopic.php?p=1133904
by Larsa
Tue Mar 18, 2025 4:44 pm
Forum: Announcements
Topic: v7.18.2 [stable] is released!
Replies: 540
Views: 157020

Re: v7.18.2 [stable] is released!

Just for the record, in case this wasn’t reported to support: The Let's Encrypt DNS-01 challenge has stopped working. Ref: viewtopic.php?p=1133904
by Larsa
Tue Mar 18, 2025 2:09 pm
Forum: General
Topic: renew ssl certificate let's encrypt
Replies: 15
Views: 1425

Re: renew ssl certificate let's encrypt

It is. And actually worked without port 80 open when I first issued the certificate with type=cloud-dns. This was introduced in 7.16. But maybe is broken now. I don't know.

Yeah, sounds like a bug to me. Maybe someone should open a ticket or mail "support@mikrotik.com" about it.
by Larsa
Tue Mar 18, 2025 1:13 pm
Forum: General
Topic: renew ssl certificate let's encrypt
Replies: 15
Views: 1425

Re: renew ssl certificate let's encrypt

I thought the whole idea of the Let's Encrypt DNS-01 challenge was that it doesn't require port 80 at all. Have I missed something?
by Larsa
Tue Mar 18, 2025 11:27 am
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 173
Views: 56003

Re: Feature Request: IPSEC Improvements

@wispmikrotik; This is just a user forum. You should get in touch directly with Mikrotik sales at "sales@mikrotik.com" or their support team at "support@mikrotik.com" for official information and assistance.
by Larsa
Tue Mar 18, 2025 9:29 am
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 173
Views: 56003

Re: Feature Request: IPSEC Improvements

@wmeibers: XFRM has been a standard part of IPsec since Linux 2.6, which was released in December 2003.
by Larsa
Mon Mar 17, 2025 11:37 pm
Forum: General
Topic: GNS3 with Mikrotik devices
Replies: 7
Views: 956

Re: GNS3 with Mikrotik devices

Unfortunately no wireless or anything else, just plain CHR.
by Larsa
Mon Mar 17, 2025 11:35 pm
Forum: General
Topic: forum guru status
Replies: 27
Views: 2136

Re: forum guru status

Well, congrats on guru status! Now, the real test: What’s the meaning of life? 😁
by Larsa
Mon Mar 17, 2025 11:26 pm
Forum: General
Topic: GNS3 with Mikrotik devices
Replies: 7
Views: 956

Re: GNS3 with Mikrotik devices

GNS3 is like ROS, pretty easy once you connect the dots! 😉 It runs just as well on Windows Hyper-V.
by Larsa
Mon Mar 17, 2025 3:11 pm
Forum: General
Topic: forum guru status
Replies: 27
Views: 2136

Re: Guru?!?!?

Yeah, I feel you. Times are rough, so enjoy all your slaps while you can! 😘
by Larsa
Mon Mar 17, 2025 2:03 pm
Forum: General
Topic: forum guru status
Replies: 27
Views: 2136

Re: Guru?!?!?

@anav, you gotta forgive me, but that was seriously hilarious!! ROFL 😂🤣😆

Ps..
@anav, you officially have 10 slaps reserved! 😉
by Larsa
Sat Mar 15, 2025 1:11 am
Forum: MikroTik hardware questions
Topic: Hardware for x86 (Replacing 2216)
Replies: 30
Views: 11532

Re: Hardware for x86 (Replacing 2216)

I just built an Ampere 80-core 3GHz machine and, now that I came across this thread, I'll be testing 40Gbps NICs, and eventually 100Gbps (if I can justify the expense; have zero need for it yet). You don’t need an 80-core 3GHz CPU to handle 100Gbps! Less than 16 cores are enough with proper NIC acc...
by Larsa
Sat Mar 15, 2025 1:00 am
Forum: MikroTik hardware questions
Topic: Hardware for x86 (Replacing 2216)
Replies: 30
Views: 11532

Re: Hardware for x86 (Replacing 2216)

PortalNET: The secret that no one will tell you.. either because they have not lost time testing.. is the NIC cards... in order to succeed with Multi-CPU x86_64 on RouterOS v7.15.xx stable version.. is the Network cards... because they are related to IRQ on the CPU.. Amm0: I'd listen to PortalNET co...
by Larsa
Fri Mar 14, 2025 1:30 am
Forum: General
Topic: PPPoE Compatibility Issues with vBRAS/NFV
Replies: 24
Views: 3303

Re: PPPoE Compatibility Issues with vBRAS/NFV

Totally off-topic, but I really don’t get why some ISPs still insist on using outdated tech like PPPoE with FTTx. I mean, all modern BNGs support IPoE with optional VLAN tagging, which is so much easier to set up and manage. Using PPPoE is just plain dumb and overcomplicated. ;-)
by Larsa
Fri Mar 14, 2025 1:07 am
Forum: General
Topic: Feature Request: LetsEncrypt certs via DNS Challenge
Replies: 10
Views: 1189

Re: Feature Request: LetsEncrypt certs via DNS Challenge

Nope, that’s about the www-ssl certificates I mentioned in my previous post. There’s no official Mikrotik documentation on sn.mynetname.net, just like this external blog also points out: "There is no documentation yet. How does this feature work? Let’s find out..." Maybe someone can ema...
by Larsa
Fri Mar 14, 2025 12:13 am
Forum: General
Topic: Feature Request: LetsEncrypt certs via DNS Challenge
Replies: 10
Views: 1189

Re: Feature Request: LetsEncrypt certs via DNS Challenge

I tried to find some comprehensive Mikrotik documentation on Let's Encrypt, but it looks like there's nothing except some brief info on certificate support for the 'www-ssl' service, IPsec and this external blog about cloud-dns.
by Larsa
Thu Mar 13, 2025 10:57 pm
Forum: General
Topic: Feature Request: LetsEncrypt certs via DNS Challenge
Replies: 10
Views: 1189

Re: Feature Request: LetsEncrypt certs via DNS Challenge

@Sindy claimed that updates for LetsEncrypt (LE) certs are now built into ROS and therefore don’t need to be scripted anymore. We don’t use LE, so I haven’t bothered to verify this. What’s the actual situation with this?
by Larsa
Thu Mar 13, 2025 9:31 am
Forum: Forwarding Protocols
Topic: v7.1.1 OspfNeighbor received wrong LS Ack
Replies: 48
Views: 42356

Re: v7.1.1 OspfNeighbor received wrong LS Ack

This is just a user forum. Please file a bug report with Mikrotik support or report it in the corresponding ROS version release thread.
by Larsa
Mon Mar 10, 2025 4:55 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Yes.

Yes to what? 🤔

Anyway, my guess is that they’re still using v3. It would be interesting to see what would happen if everyone were forced to use v4. 😉
by Larsa
Mon Mar 10, 2025 2:20 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Sign of times.
When mobile UI moves into desktop, it's a sign of idiotism.

Hear, hear!

Ps..
We don’t really know what’s going on behind the scenes, but one can’t help but wonder if they are deliberately ignoring the serious design flaws by burying their heads in the sand?!
by Larsa
Thu Mar 06, 2025 8:42 pm
Forum: MikroTik hardware questions
Topic: Mikrotik 5G hardware roadmap
Replies: 22
Views: 10162

Re: Mikrotik 5G hardware roadmap

I forgot to mention that most NMOs have a soft cap on max speed. With a standard consumer plan, inbound speeds usually top out around 800-900 Mbps. If you want higher, guaranteed speeds with better latency, you’ll need to pay extra.
by Larsa
Thu Mar 06, 2025 6:40 pm
Forum: MikroTik hardware questions
Topic: Mikrotik 5G hardware roadmap
Replies: 22
Views: 10162

Re: Mikrotik 5G hardware roadmap

5G/NR on normal/mid bands (FR1) will never ever get you 7 Gbps. For that, you’ll need a 5G radio that supports FR2, but the trade-off is a much smaller coverage area and you’ll have to be within 50 meters of the base station antenna to get that kind of speed.
by Larsa
Thu Mar 06, 2025 4:10 pm
Forum: Virtualization
Topic: CHR on GGCP slow download
Replies: 21
Views: 13617

Re: CHR on GGCP slow download

Thanks for testing! Since 7.16.2 and 7.15.3 give the same results as 7.18.1, it doesn’t seem to be a version-specific issue. But the fact that 6.49.18 performs so much better with the exact same settings is really weird. It might be worth checking if there have been any changes to the default TCP se...
by Larsa
Wed Mar 05, 2025 11:55 pm
Forum: MikroTik hardware questions
Topic: Mikrotik 5G hardware roadmap
Replies: 22
Views: 10162

Re: Mikrotik 5G hardware roadmap

LMP 5G with only 16 MB of storage, seriously?! The ATL 5G looks really promising, though. I guess all these new models are announced on MWC25's final day tomorrow (Thursday).

Another thing that struck me is that Mikrotik has been improving its design language.
by Larsa
Wed Mar 05, 2025 10:21 pm
Forum: Virtualization
Topic: CHR on GGCP slow download
Replies: 21
Views: 13617

Re: CHR on GGCP slow download

Okay, with the same config as v6? Then it might be 7.18.1. Have you tried 7.15.3 or 7.16.2? Btw, just wondering, are you using some kind of default ROS firewall config while testing? What endpoints are you using while testing? Exactly the same default CHR config. No ROS firewall at all (I've posted...
by Larsa
Wed Mar 05, 2025 9:04 pm
Forum: Virtualization
Topic: CHR on GGCP slow download
Replies: 21
Views: 13617

Re: CHR on GGCP slow download

Okay, with the same config as v6? Then it might be 7.18.1. Have you tried 7.15.3 or 7.16.2? Btw, just wondering, are you using some kind of default ROS firewall config while testing? What endpoints are you using while testing? EDIT: Just tried iPerf in a lab instance with v7.15 to a local Win11 and ...
by Larsa
Wed Mar 05, 2025 8:09 pm
Forum: General
Topic: Route two different ISP parallel communication is it posible [SOLVED]
Replies: 16
Views: 8032

Re: Route two different ISP parallel communication is it posible [SOLVED]

No need to speculate. This is a standard setup to get split outbound traffic working, just like he asked. If there’s anything else, I’m pretty sure @nonpe can speak for himself.
by Larsa
Wed Mar 05, 2025 7:25 pm
Forum: General
Topic: CORE ROUTER CCR 1036 12G 4S
Replies: 3
Views: 1046

Re: CORE ROUTER CCR 1036 12G 4S

@omoluwabi; The CCR1036-12G-4S is a powerhouse router with a 36-core CPU, delivering around 15 Gbps routing capacity and 10 Gbps with 256 IPsec tunnels. It has no problem handling a full BGP table with more than 1 million IPv4 prefixes and approx 220,000 IPv6 prefixes. It’s equipped with only GbE po...
by Larsa
Wed Mar 05, 2025 6:34 pm
Forum: General
Topic: Route two different ISP parallel communication is it posible [SOLVED]
Replies: 16
Views: 8032

Re: Route two different ISP parallel communication is it posible [SOLVED]

@nonpe; you can try this setup to route subnet 192.168.88.1/24 through ISP2 while keeping ISP1 as the default gateway for everything else. This assumes you’ve already created the routing table ISP2. 1. Mark traffic from the subnet to use ISP2 /routing rule add src-address=192.168.88.1/24 action=look...
by Larsa
Wed Mar 05, 2025 3:32 pm
Forum: Virtualization
Topic: CHR on GGCP slow download
Replies: 21
Views: 13617

Re: CHR on GGCP slow download

To start with, e2-micro is an entry-level VPS type with a shared vCPU, which means it only gets a fraction of a physical CPU core. When the vCPU is shared with other workloads, it can easily get maxed out and cause CHR’s throughput to drop to almost zero. Second, the VPC firewall should be turned of...
by Larsa
Wed Mar 05, 2025 1:49 pm
Forum: General
Topic: VRRP multicast traffic isolation
Replies: 2
Views: 4484

Re: VRRP multicast traffic isolation

Read about authentication in the Mikrotik docs: RouterOS > High Availability Solutions > VRRP
by Larsa
Wed Mar 05, 2025 11:14 am
Forum: General
Topic: My Mikrotik is sometimes incredible slow, need help.
Replies: 19
Views: 1893

Re: My Mikrotik is sometimes incredible slow, need help.

I have an issue with my old Mikrotik CRS125-24G-1S switch. My internet (or LAN connection) is sometimes incredible slow! Using my ethernet connected pc is sometimes only 1-2Mbit/sec, same if I test with another computer, or through a Wireless AP...Looking at Resources, it says cpu load is somewhere...
by Larsa
Tue Mar 04, 2025 10:10 pm
Forum: General
Topic: Feature Request: Official BNF for RouterOS Scripting
Replies: 4
Views: 1535

Re: Feature Request: Official BNF for RouterOS Scripting

Looks like you're looking for a syntax checker while I am looking for a syntax teacher. :-) No reason why we both can't be happy.

Haha, yeah! Some of those add-ons actually do both if you hook them up to Copilot. Win-win!
by Larsa
Tue Mar 04, 2025 8:38 pm
Forum: General
Topic: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot
Replies: 81
Views: 13708

Re: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot

I have an opinion nonetheless (they're free, after all): Why not check out claude.ai's current level of understanding before concluding how to make AI more accurate and useful for ROS config help? My analysis on how well claude.ai does with ROS is not worth the electrons used to express them here, ...
by Larsa
Tue Mar 04, 2025 8:06 pm
Forum: General
Topic: Feature Request: Official BNF for RouterOS Scripting
Replies: 4
Views: 1535

Re: Feature Request: Official BNF for RouterOS Scripting

Nowadays, almost all tools, like editors and IDEs like Notepad++, Emacs, and VS Code, can read BNF and highlight syntax errors. Smart IDEs like Visual Studio, Eclipse, and JetBrains can also warn about logical errors, such as unassigned or misspelled variables, flawed conditions (if/then/else), infi...
by Larsa
Tue Mar 04, 2025 7:42 pm
Forum: General
Topic: Feature Request: Official BNF for RouterOS Scripting
Replies: 4
Views: 1535

Feature Request: Official BNF for RouterOS Scripting

Background Many developers and tools, including modern AI/LLM models, can now understand and process formal syntax definitions. Having an official BNF (Backus-Naur Form) for ROS scripting would make it much easier to analyze, validate, and generate scripts accurately. Why this would be useful Bette...
by Larsa
Tue Mar 04, 2025 7:42 pm
Forum: General
Topic: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot
Replies: 81
Views: 13708

Re: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot

So if you ask me... better AI with RouterOS config start with an LSP. And LSP be useful since a real person can use it check their own code and get "hints" etc. Win, win. Since today's LLMs also understand syntax definitions and can be trained accordingly, it would be great if Mikrotik co...
by Larsa
Tue Mar 04, 2025 4:04 pm
Forum: General
Topic: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot
Replies: 81
Views: 13708

Re: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot

But it's RouterOS scripting where these LLM falter. Stuff like JavaScript is 10000x more common & on top there is plenty of linter to pre-check output of LLM for JavaScript validity. I'd have to imagine more LLM take advantage of "LSP" (see https://langserver.org), while open standard...
by Larsa
Tue Mar 04, 2025 3:55 pm
Forum: General
Topic: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot
Replies: 81
Views: 13708

Re: Request for Comprehensive RouterOS v7 Manual with Examples to build code generation chatbot

Yeah, AI is great for boilerplate work, but you need to know the basics to fix the flaws. Plus, you need access to multiple LLM engines (ie different models) since answers still vary a lot depending on the situation.
by Larsa
Tue Mar 04, 2025 3:46 pm
Forum: Beginner Basics
Topic: Re: Setting Up Policy-Based Routing with Mikrotik Hex Refresh for Selective VPN Traffic [SOLVED]
Replies: 51
Views: 10740

Re: Setting Up Policy-Based Routing with Mikrotik Hex Refresh for Selective VPN Traffic [SOLVED]

Didn’t mean you specifically, but if you relate… well, I’m not gonna argue! 65+ maybe? :D
by Larsa
Tue Mar 04, 2025 3:28 pm
Forum: Beginner Basics
Topic: Re: Setting Up Policy-Based Routing with Mikrotik Hex Refresh for Selective VPN Traffic [SOLVED]
Replies: 51
Views: 10740

Re: Setting Up Policy-Based Routing with Mikrotik Hex Refresh for Selective VPN Traffic [SOLVED]

@3zzy, don’t mind all the grumpy old men in this forum. Everyone has different backgrounds and opinions on what’s right or wrong ;) I totally get your point. Not everyone has the same learning style, and modern tools exist to make complex tasks more accessible. While mastering the basics is valuable...
by Larsa
Tue Mar 04, 2025 2:38 pm
Forum: Forwarding Protocols
Topic: BFD without dynmaic routing protocol
Replies: 7
Views: 1189

Re: BFD without dynmaic routing protocol

Firstly, have you considered VRRP? I think this would be an easy-to-implement and elegant solution using the MikroTik devices. VRRP would also be completely independent of other devices in the network for their default gateway. You can also add ROS Netwatch to monitor the ISP connection status and t...
by Larsa
Tue Mar 04, 2025 1:29 pm
Forum: Forwarding Protocols
Topic: BFD without dynmaic routing protocol
Replies: 7
Views: 1189

Re: BFD without dynmaic routing protocol

This is just a thought but have you considered VRRP as described in Mikrotik RouterOS > High Availability Solutions VRRP.

Anyhow, if you need further help, you'll need to provide much more detail about the entire setup in the drawing.
by Larsa
Tue Mar 04, 2025 1:14 pm
Forum: Forwarding Protocols
Topic: BFD without dynmaic routing protocol
Replies: 7
Views: 1189

Re: BFD without dynmaic routing protocol

BFD is just a signaling protocol, and ROS can use it with OSPF or BGP. How is the device in the drawing, labeled "Device with Single HOP BFD Activated," configured in terms of type/model, protocol (L2/L3?), etc.? Is it under your control? Since you haven't provided any details about the se...
by Larsa
Mon Mar 03, 2025 10:44 pm
Forum: Beginner Basics
Topic: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492
Replies: 104
Views: 12553

Re: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492

Yeah, for a router like CHR, there aren't really any obvious advantages to running it x86 "bare metal." On the contrary, it's way easier to manage a virtual instance with CHR, which is also easy to move "live" between different environments if you need to perform maintenance on a...
by Larsa
Mon Mar 03, 2025 9:03 pm
Forum: Beginner Basics
Topic: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492
Replies: 104
Views: 12553

Re: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492

Reply from Mikrotik support: "Seems like some HW limitation, try using hypervisor and install CHR, this will allow to deal with hw incompatibilities if such arise. We do not create drivers for hw, they are based on Linux kernel." @himurae; that reply from Mikrotik support is not entirely...
by Larsa
Mon Mar 03, 2025 6:46 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: 📣 WinBox 4 is here 📣

n/a
by Larsa
Mon Mar 03, 2025 6:38 pm
Forum: Beginner Basics
Topic: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492
Replies: 104
Views: 12553

Re: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492

@anav; afaik, all VPS providers allow you to configure lower NIC MTUs. But why would you need a lower NIC MTU in a cloud environment?
by Larsa
Mon Mar 03, 2025 5:37 pm
Forum: Beginner Basics
Topic: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492
Replies: 104
Views: 12553

Re: PPPOE MTU ALWAYS DEFAULTS TO 1480 INSTEAD OF 1492

This is how you change the MTU in a virtual environment running CHR (or any other virtual guest). Windows Hyper-V - With SR-IOV: MTU can be changed directly by CHR. - Without SR-IOV (using the Hyper-V virtual switch): MTU must be set on the host first and then on the virtual switch for changes to ta...
by Larsa
Mon Mar 03, 2025 9:58 am
Forum: Forwarding Protocols
Topic: OSPF - Null auth failure when setting non-default instance
Replies: 2
Views: 2233

Re: OSPF - Null auth failure when setting non-default instance

Keep instance-id=0 (default and standard for OSPFv2) to maintain compatibility with BIRD and other OSPF implementations. Changing it is unnecessary unless using OSPFv3 multi-instance setups, which I suspect doesn't apply here. If running an older RouterOS version, consider upgrading, since MikroTik ...
by Larsa
Sun Mar 02, 2025 10:00 pm
Forum: General
Topic: DMVPN
Replies: 4
Views: 1321

Re: DMVPN

A modern alternative to DMVPN is an SD-WAN solution like ZeroTier, which is built into RouterOS. If you need both, you can integrate DMVPN with ZeroTier.
by Larsa
Sat Mar 01, 2025 6:28 pm
Forum: Virtualization
Topic: CHR on GGCP slow download
Replies: 21
Views: 13617

Re: CHR on GGCP slow download

20250301, The problem is still happening, Neither Mikrotik nor Google Cloud solved the problem, Can anyone submit a new ticket to Mikrotik? @bugtik, if you need help in this user forum, you’ll have to provide more details about your GCE setup, including networking (GCP/VPC), mode, IP settings, fire...
by Larsa
Fri Feb 28, 2025 8:21 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

@Teslasystems: Wow, that was truly an impressive amount of quality work you put into this. Hope you get some feedback from Mikrotik.
by Larsa
Fri Feb 28, 2025 6:26 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Larsa, you are confusing this with a home NAS. It's not Normis, does indeed not! 😉 Just to be clear, I'm comparing the RouterOS v7 special ROSE edition, running on the ROSE Enterprise Data Server RDS2216 ("designed for enterprise environments. Secure, scalable, and under your control"),...
by Larsa
Fri Feb 28, 2025 3:06 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 384
Views: 101743

Re: v7.19beta [testing] is released!

In general, "improved stability" usually means that they've fixed a bug that used to cause a crash.
by Larsa
Fri Feb 28, 2025 1:46 pm
Forum: Announcements
Topic: v7.18.2 [stable] is released!
Replies: 540
Views: 157020

Re: v7.18 [stable] is released!

I just realized I forgot to give a heads-up in this thread too, like I did in "v7.18rc [testing]":

Heads-up - breaking changes for management and monitoring:
*) console - put !empty sentence when API query returns nothing;
by Larsa
Fri Feb 28, 2025 1:27 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Yeah, but why waste valuable resources on this experiment? I mean, it’s not even close to offering basic functionality for the SMB market like DSM or QTS do, so IMO the whole concept is dead on arrival and just a total waste of money. Why not just call it what it is: a router with some extra storage...
by Larsa
Fri Feb 28, 2025 10:51 am
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Hmm, I’d say the RDS2216 sits somewhere between the CCR2216 and CCR2116 in terms of both specs and price. But yeah, the RDS2216 has a pretty attractive price for that configuration, plus, like you said, you get some storage as well (though personally I wouldn’t use it as a business-critical storage ...
by Larsa
Fri Feb 28, 2025 8:32 am
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Well, this new ”cool toy” RDS2216 isn’t even playing the same sport as WAFL, let alone competing in 24x7x365 business-critical operations.

I’d say MikroTik is in way over its head on this one and in a different galaxy than NetApp. 😉
by Larsa
Thu Feb 27, 2025 10:38 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

Even vanilla Btrfs RAID 1 can be a real headache, for example, if a disk intermittently disconnects or fails for some reason and then gets marked as unreliable. Restoring a Btrfs RAID 1 is a pretty complicated process and requires expert knowledge, as @Petch1 pointed out in another thread. In other ...
by Larsa
Thu Feb 27, 2025 8:14 pm
Forum: Announcements
Topic: v7.18.2 [stable] is released!
Replies: 540
Views: 157020

Re: v7.18 [stable] is released!

@oreggin; the Wiki describes a planned disk replacement, but @pe1chl ran into an unexpected failure. Since Btrfs RAID1 doesn’t have automatic resync, it might be unreliable when disks go offline (kernel RAID handles resyncing differently). Beyond what @pe1chl mentioned, there are plenty of other risk...
by Larsa
Thu Feb 27, 2025 7:55 pm
Forum: Announcements
Topic: v7.18.2 [stable] is released!
Replies: 540
Views: 157020

Re: v7.18 [stable] is released!

n/a
by Larsa
Thu Feb 27, 2025 3:36 pm
Forum: Announcements
Topic: Newsletter #123 | February 2025
Replies: 36
Views: 8461

Re: Newsletter #123 | February 2025

bcachefs is the answer. It is the ultimate filesystem for Linux. Cache tiering, Erasure Coding (RAID5/6), No Write-Hole, Snapshots. It's currently marked experimental in the kernel, but the roadmap is to have this removed within 6 months. I doubt that CacheFS will be non-experimental within six mont...
by Larsa
Thu Feb 27, 2025 2:30 pm
Forum: Announcements
Topic: Question to our users about controllers
Replies: 117
Views: 173163

Re: Question to our users about controllers

Secure Zero Touch Provisioning (SZTP) for mass deployment in enterprise networking would be a welcome addition. Most major vendors already support it. The client is relatively small (similar to TR-369/069), and there are some open-source reference implementations available for the config servers as ...
by Larsa
Thu Feb 27, 2025 11:38 am
Forum: Announcements
Topic: Newsletter #123 | February 2025
Replies: 36
Views: 8461

Re: Newsletter #123 | February 2025

Regarding BTRFS, I strongly advise against using advanced RAID setups or filling up the storage. These factors, combined with other known issues and the lack of clear documentation on storage configuration, pose a significant risk. If a filesystem or storage failure occurs without proper repair tool...
by Larsa
Wed Feb 26, 2025 7:42 pm
Forum: MikroTik hardware questions
Topic: RDS2216 bootloader, linux
Replies: 6
Views: 2958

Re: RDS2216 bootloader, linux

If you're thinking about drivers, pretty much all Prestera drivers developed by Marvell are already available in Linux, and since RouterOS is based on Linux, I'm pretty sure MT is using the same ones.
by Larsa
Wed Feb 26, 2025 7:04 pm
Forum: MikroTik hardware questions
Topic: RDS2216 bootloader, linux
Replies: 6
Views: 2958

Re: RDS2216 bootloader, linux

If that’s the case, using the 98DX4310 only as a standalone switch with just the control plane connected to the PCI bus would be pretty useless.
by Larsa
Wed Feb 26, 2025 3:51 pm
Forum: MikroTik hardware questions
Topic: RDS2216 bootloader, linux
Replies: 6
Views: 2958

Re: RDS2216 bootloader, linux

I have the exact same thoughts. The hardware is really interesting for that price, with built-in NIC features like 2×100G, 4×25G, etc and an SFF-8644. The problem with this setup, as I see it, is that you simply can't rely on a locked-down and limited network operating system environment like Mikrot...
by Larsa
Wed Feb 26, 2025 9:33 am
Forum: General
Topic: radsec issues after 7.15 upgrade
Replies: 17
Views: 10924

Re: radsec issues after 7.15 upgrade

If you haven’t already, file a bug report with Mikrotik support (this is just a user forum).
by Larsa
Tue Feb 25, 2025 11:41 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 8516

Re: Got stuck building IKEv2 w/ MFA for remote client

Totally missed it was about the IPsec identity. Since we're not using ISRG, I wasn't aware that LE certificate creation and renewal is now fully automated by ROS. Can this also manage IPsec certificates using LE?

P.S.
Fixed my previous reply so it won't confuse future readers.
by Larsa
Tue Feb 25, 2025 10:40 pm
Forum: General
Topic: Recursive routing not working while using wireguard interface as gateway [SOLVED]
Replies: 12
Views: 8607

Re: Recursive routing not working while using wireguard interface as gateway [SOLVED]

You need to add a routing rule to make sure traffic goes through the "TEST1" table instead of the "main" table. Just an example to illustrate: "/ip route rule add src-address=x.x.x.x/y action=lookup table=TEST1". This ensures that routing follows the specified table f...
by Larsa
Tue Feb 25, 2025 8:34 pm
Forum: General
Topic: Recursive routing not working while using wireguard interface as gateway [SOLVED]
Replies: 12
Views: 8607

Re: Recursive routing not working while using wireguard interface as gateway [SOLVED]

WireGuard's "Cryptokey" routing differs from traditional IP routing. That said, you can treat the WG interface just like a regular Ethernet interface. Just give it an IP address like you would with any other network interface, and recursive routing will work the same way.
by Larsa
Tue Feb 25, 2025 3:37 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

@Sergejs, appreciate the feedback and the clarification. Thanks!
by Larsa
Mon Feb 24, 2025 11:03 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

I don’t think anyone’s missing your point, but it still doesn’t actually explain why, which was my original question.

The same applies to whether “closed thread = closed branch” also means never releasing any new patches for that branch again.
by Larsa
Mon Feb 24, 2025 9:05 pm
Forum: General
Topic: CVE-2024-54772 Information About
Replies: 20
Views: 6722

Re: The twelve Rules of Mikrotik Club

There is an extremely simple and easy-to-implement solution to mitigating brute-force attacks: just gradually increasing the response delay after each failed login attempt, up to a set limit, to prevent account lockout.
by Larsa
Mon Feb 24, 2025 8:32 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

New version is out = MT no longer wants to hear about bugs in previous one because they will not be hotfixing that one anymore = topic closed. Yeah, that’s my guess too: topic closed = branch closed. But I’m still not convinced about the actual when and why. Maybe it’s just as simple as there bei...
by Larsa
Mon Feb 24, 2025 8:24 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

To rephrase it again: The known enemy is the best enemy. There are a lot of topics on downgrading to the older versions just to have network in the known equilibrium point even if not all functions work as expected for that versions. Totally agree with "The known enemy is the best enemy,"...
by Larsa
Mon Feb 24, 2025 7:54 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

@wrkq I appreciate your take on this, but I’m not sure how it ties into my original question. I was specifically asking why forum threads for previous patch releases (like v7.16.x and v7.17.x) get locked as soon as a new major release comes out. What you explained about backporting and long-term sup...
by Larsa
Mon Feb 24, 2025 5:51 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Re: Why are threads for previous major releases being locked? [SOLVED]

Fixes, updates and new features are added to the newest MikroTik RouterOS version. It is not possible to release "fixed/improved 7.13" (example), that contains specific issue fix. That's why the latest release version topic is open and we are looking into it closely for proper reports, th...
by Larsa
Mon Feb 24, 2025 5:11 pm
Forum: General
Topic: Why are threads for previous major releases being locked? [SOLVED]
Replies: 17
Views: 7968

Why are threads for previous major releases being locked? [SOLVED]

Sorry if I missed where this is explained, but I honestly don’t get why threads for previous major releases, like "v7.16.2 [stable]" and "v7.17.2 [stable]", are locked the moment a new major release drops. I’m pretty sure most users are probably still on older versions, so why sh...
by Larsa
Mon Feb 24, 2025 8:14 am
Forum: General
Topic: Software ID - License - What the hell!
Replies: 8
Views: 7534

Re: Software ID - License - What the hell!

This is just a user forum, not a time machine !!!!!!!!!!!!!!!!!!!!!!!!!! 😉

You replied to a post from 2013 so it might be better to email MikroTik support directly.
by Larsa
Thu Feb 20, 2025 9:57 pm
Forum: Announcements
Topic: v7.18rc [testing] is released!
Replies: 145
Views: 29042

Re: v7.18rc [testing] is released!

This was really leaked OR maybe it's an April Fools video ready with quite some time in advance :)

Yeah, @sirbryan totally wrecked Mikrotik's April Fool’s prank they’d been planning for over a year! 🤣
by Larsa
Thu Feb 20, 2025 5:47 pm
Forum: Announcements
Topic: v7.18rc [testing] is released!
Replies: 145
Views: 29042

Re: v7.18rc [testing] is released!

For all you storage haters: https://youtu.be/g1wpIIfYpZA?feature=shared Fun, but was this intended for April 1st? 😉 Anyway, I’d never ever trust MT ROS for business-critical data storage — for pretty obvious reasons! Now please go back and fix those routing issues. But maybe the development team th...
by Larsa
Thu Feb 20, 2025 5:36 pm
Forum: General
Topic: IPsec parameter negotiation (and ancient defaults)
Replies: 14
Views: 4549

Re: IPsec parameter negotiation (and ancient defaults)

Well, Amm0, in that case, I'm also here for moral support! 😉 But considering pe1chl's specific need and the limited documentation on this, I think it'll be pretty tough to figure out how it works behind the scenes. So, MT is probably the only one who can say if it's doable or not (if they even bothe...
by Larsa
Wed Feb 19, 2025 5:00 pm
Forum: General
Topic: Reverse wireguard tunnel dstnat
Replies: 11
Views: 2939

Re: Reverse wireguard tunnel dstnat

If the data center already uses the entire 10.122.0.0/16 subnet for other purposes, it’s better to pick a different subnet for the WireGuard tunnel. That way, you avoid routing conflicts and make return traffic easier to manage if needed. A good option would be 172.16.10.0/24, with for example 172.1...
by Larsa
Wed Feb 19, 2025 2:53 pm
Forum: General
Topic: Reverse wireguard tunnel dstnat
Replies: 11
Views: 2939

Re: Reverse wireguard tunnel dstnat

I think you might have accidentally written the wrong address for one of the WireGuard interfaces since both have the same one.
by Larsa
Wed Feb 19, 2025 1:40 pm
Forum: General
Topic: Reverse wireguard tunnel dstnat
Replies: 11
Views: 2939

Re: Reverse wireguard tunnel dstnat

I'm not sure what you mean by "proxy server," but if your DNS-NAT is set up correctly, you shouldn't need a return route. To access your LAN, you'll still need to add a route from the datacenter and allow access in the forward chain on the LtAP. If you want to allow access to the LtAP itse...
by Larsa
Wed Feb 19, 2025 12:54 pm
Forum: Announcements
Topic: v7.18rc [testing] is released!
Replies: 145
Views: 29042

Re: v7.18rc [testing] is released!

It is clear that in 7.16 some breakage was introduced in the routing... and now we cannot assume that it will ever be fixed? I presume the window for BGP fixes in 7.18 has again been closed now that we are in rc? Is "routing" still a priority for MikroTik or do we now only get fixes and ad...
by Larsa
Wed Feb 19, 2025 10:30 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Most software I'm aware of these days doesn't support EOS any more, and why would they if M$ doesn't support them.

Windows 7 is still used by approx 34 million users! 😉
by Larsa
Wed Feb 19, 2025 10:11 am
Forum: General
Topic: Reverse wireguard tunnel dstnat
Replies: 11
Views: 2939

Re: Reverse wireguard tunnel dstnat

It's much easier to understand if you just explain the end goal. For example, do you want to access the LAN behind the LtAP from the data center, or the other way around (or both ways?)

To make it easier to suggest a practical solution, please provide the subnet on each side.
by Larsa
Tue Feb 18, 2025 3:31 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Yeah, that also means Winbox 4 won't run on anything older than Windows 10 (ie, no XP, Vista or Win 7/8).
by Larsa
Tue Feb 18, 2025 12:31 pm
Forum: Announcements
Topic: v7.18rc [testing] is released!
Replies: 145
Views: 29042

Re: v7.18rc [testing] is released!

Heads-up - breaking changes for management and monitoring:
*) console - put !empty sentence when API query returns nothing;
by Larsa
Tue Feb 18, 2025 12:25 pm
Forum: General
Topic: CVE-2024-54772 Information About
Replies: 20
Views: 6722

Re: CVE-2024-54772 Information About

Yeah, brute force dictionary attack is the correct term here. 'Username Enume' is totally off in this context—probably named that way just to create some hype.
by Larsa
Tue Feb 18, 2025 12:19 pm
Forum: Announcements
Topic: v6.49.18 [long-term] is released!
Replies: 42
Views: 58366

Re: v6.49.18 [stable] is released!

Brute force dictionary attack is the correct term, not "Username Enume" which is totally wrong in this context. Also, access to port 8291 is required and additional dictionary attacks for the password, which will be very tricky if there's a delay between attempts.
by Larsa
Mon Feb 17, 2025 7:08 pm
Forum: General
Topic: Firewall rules analysis
Replies: 110
Views: 15758

Re: Firewall rules analysis

@Josephny: I'm sure we would all agree that communicating technical concepts is a very challenging endeavor. Yeah, especially since there still isn’t a good user guide that clearly explains the packet flow in a simple, easy-to-understand way. Another thing that can be confusing is that WinBox mixes...
by Larsa
Mon Feb 17, 2025 11:50 am
Forum: General
Topic: VISIO stencils
Replies: 23
Views: 48117

Re: VISIO stencils

The .vsdx format is for complete diagrams, while .vssx, .vss, and .vsx are for collections of shapes (stencils). Also reread my previous comment.
by Larsa
Mon Feb 17, 2025 11:39 am
Forum: General
Topic: VISIO stencils
Replies: 23
Views: 48117

Re: VISIO stencils

@Jotne: Perhaps I misunderstood what you’re looking for, but .vsdx is the standard format for Visio nowadays. You can easily convert it to .vssx, .vss, or .vsx for stencil use (just drag the shapes into a new stencil and save it in your preferred format). @Normis: "Are there major differences b...
by Larsa
Sat Feb 15, 2025 10:28 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

Thanks so much, I completely missed this! Breaking changes like these should come with bold warning signs. It’s also a typical sign that Mikrotik’s developers and managers still don’t get their business customers. Mikrotik could at least try by adding a section called 'Breaking changes' in the relea...
by Larsa
Sat Feb 15, 2025 10:14 am
Forum: MikroTik hardware questions
Topic: Danteswitch
Replies: 12
Views: 3435

Re: Danteswitch

When I reread your first post, I realized I totally missed two key details: that you’ll be using the switch standalone and with PoE. With that in mind and since you will only run pure Dante traffic, pretty much any switch with PoE will do.

Ps..
Looks like you’re double-quoting your replies.
by Larsa
Fri Feb 14, 2025 6:27 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

It doesn’t necessarily have to be ROS; it could be storage constraints, hardware or network failure, power shutdown, or other environmental issues. So there’s no point in continuing to speculate until you can access the server.
by Larsa
Fri Feb 14, 2025 5:21 pm
Forum: MikroTik hardware questions
Topic: Danteswitch
Replies: 12
Views: 3435

Re: Danteswitch

It might work, but if this is for a recording setup and Dante is sharing the network with other bulk traffic, I’d say QoS is essential to maintain audio quality. Dante is pretty sensitive to latency and jitter, so QoS makes sure that Dante streams are prioritized over other types of network traffic....
by Larsa
Fri Feb 14, 2025 5:18 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

only have the model, but I cannot reach the server x86 Supermicro SYS-530MT-H8TNR Okay, when you have access, please provide the full config, including NICs, storage boards, etc. Btw, it might be worth checking if the setup complies with Mikrotik’s requirements. Just a tip: if the Supermicro is co-l...
by Larsa
Fri Feb 14, 2025 3:38 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

@SMARTNETTT – Hopefully just on a lab server then, right? If this is regarding a bare metal x86, provide the manufacturer, model, and full configuration — without that, your warning is pretty useless! If it happens multiple times and your configuration is supported, open a support ticket with Mikrot...
by Larsa
Fri Feb 14, 2025 3:08 pm
Forum: MikroTik hardware questions
Topic: Danteswitch
Replies: 12
Views: 3435

Re: Danteswitch

@orfeous, Starting from ROS v7.15, all Mikrotik QoS-capable switches can use Dante. For more info on switches supporting Dante, check out these links: Mikrotik help - Bridging and Switching - MikroTik QoS-Capable devices ("QoS Device Support") Mikrotik help - Bridging and Switching - Appli...
by Larsa
Fri Feb 14, 2025 11:39 am
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 173
Views: 56003

Re: Feature Request: IPSEC Improvements

XFRM has been a part of IPsec since Linux 2.6, released in December 2003.
by Larsa
Thu Feb 13, 2025 6:04 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 8516

Re: Got stuck building IKEv2 w/ MFA for remote client

Here are some other troubleshooting suggestions. Sorry if I misunderstood or missed anything both of you already tried! - Check that Windows trusts the Mikrotik CA Open certmgr.msc. Go to "Trusted Root Certification Authorities". Check that the signing CA of the Mikrotik certificate is the...
by Larsa
Thu Feb 13, 2025 4:30 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 8516

Re: Got stuck building IKEv2 w/ MFA for remote client

Just a long shot, but have you tried checking with extended logging on Windows? 1. "C:\> netsh trace start VpnClient per=yes maxsize=0 filemode=single" 2. Test the VPN connection 3. "C:\> netsh trace stop" 4. Open the .etl file using Event Viewer (eventvwr.msc). The .etl files ar...
by Larsa
Thu Feb 13, 2025 2:26 pm
Forum: General
Topic: Got stuck building IKEv2 w/ MFA for remote client
Replies: 57
Views: 8516

Re: Got stuck building IKEv2 w/ MFA for remote client

@Guscht: Can't help, but a notice: It's 2025, IPsec is an old, outdated overcomplicated, error-prone dinosaur. If possible, use a modern technology like Wireguard. Sure, IPsec is a "dinosaur" — just one that happens to be the standard for countless enterprises, governments, and critical i...
by Larsa
Thu Feb 13, 2025 1:37 pm
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 88
Views: 86478

Re: Newsletter #122 | December 2024

...a fiber socket in each guest room... Even though it sounds a bit unusual to me, it’s possible it exists. But I can’t remember ever seeing it in a hotel, and I’ve traveled quite a bit. I mean, bringing your own fiber optic patch cables plus an SFP/RJ45 Ethernet media converter doesn’t exactly fee...
by Larsa
Wed Feb 12, 2025 12:25 am
Forum: General
Topic: Connecting Mikrotik via openconnect protocol
Replies: 5
Views: 5050

Re: Connecting Mikrotik via openconnect protocol

OpenConnect is already supported as an add-on container app service.
by Larsa
Tue Feb 11, 2025 5:14 pm
Forum: Announcements
Topic: Newsletter #122 | December 2024
Replies: 88
Views: 86478

Re: Newsletter #122 | December 2024

Have you ever seen a hotel or student housing with an SFP port in the wall, or did you mean something else? Usually, when fiber (passive or not) is installed in a property for the end user, it's typically terminated with Ethernet or WiFi.
by Larsa
Tue Feb 11, 2025 12:10 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

v3 is already abandoned. They've said many times that there won't be any changes. Only security fixes. I'm afraid that some day, after updating to new RouterOS, it will show "Protocol is not supported"... And I also feel bad with this stupid design in v4. For me it's like a toy currently, I...
by Larsa
Mon Feb 10, 2025 8:46 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

We went from something that worked fine on windows and emulated well on others, most of the time, to something that doesn't work as well as the old one anywhere...

Yeah, I feel the same way. I really hope MT won't retire v3 before everything’s up to par.
by Larsa
Mon Feb 10, 2025 11:33 am
Forum: General
Topic: Externally monitoring OSPF neighbor states?
Replies: 3
Views: 3169

Re: Externally monitoring OSPF neighbor states?

We're running a script-based approach since MT hasn't implemented SNMP for OSPF LSA yet (only for BGP). Check out "OSPF SNMP monitoring" in the "Routing Protocol Overview".
by Larsa
Sun Feb 09, 2025 1:45 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

WireGuard works well for monitoring and management, but it’s not the best choice for large-scale operations that require many connections and high throughput. In these cases, IPSec is the only real option. If someone finds IPSec tricky to set up, it’s likely more a matter of experience and expertise...
by Larsa
Sat Feb 08, 2025 11:10 pm
Forum: Wireless Networking
Topic: Very slow LTE [SOLVED]
Replies: 46
Views: 11021

Re: Very slow LTE [SOLVED]

My take on this is pretty simple: 1. Carrier aggregation is a must to get decent speeds with CAT6. 2. I'm pretty sure the China box won't do much better than the MT if properly configured. 3. Most built-in external antennas on 4G CPEs are used for Wi-Fi nowadays, not the LTE radio. For example, with...
by Larsa
Sat Feb 08, 2025 9:40 pm
Forum: Announcements
Topic: New exciting features for storage
Replies: 175
Views: 20442

Re: New exciting features for storage

@sirbryan, that’s not gonna happen. ROS is designed as an embedded NOS with its own limitations. When it comes to running ROS as CHR, there are way better options. Plus, MT lacks the skill set and experience, and ROS is too unreliable for storage solutions like hyper-convergence.
by Larsa
Sat Feb 08, 2025 8:30 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

For RAM I'd say WG definitely ... because IPsec is part of ROS since ages and I'm sure they did whatever possible to reduce its memory footprint. I don't think they put the same amount of energy into WG so far. I'm not saying anything about CPU utilization, but probably WG fares better (everybody's...
by Larsa
Sat Feb 08, 2025 7:04 pm
Forum: General
Topic: Zerotier Struggles on v7.17
Replies: 3
Views: 2904

Re: Zerotier Struggles on v7.17

That was a lot to take in and maybe a bit tricky to get a clear picture of. Here are a few things that might help clarify things: What exactly isn’t working? - Are all Zerotier peers unreachable from the LAN, or just some? - Can LAN devices ping any Zerotier IPs, or is all Zerotier traffic failing f...
by Larsa
Sat Feb 08, 2025 1:16 pm
Forum: Forwarding Protocols
Topic: OSPF Fast Reroute on ROS v7
Replies: 3
Views: 4842

Re: OSPF Fast Reroute on ROS v7

OSPF with BFD = fast reroute within a few ms.
by Larsa
Fri Feb 07, 2025 11:35 pm
Forum: Beginner Basics
Topic: Can't figure out recursive routing
Replies: 5
Views: 2931

Re: Can't figure out recursive routing

It's pretty easy to understand using recursive routing in these simple terms: A → B (A needs to reach B) B → C (B is reachable via C) So, A → C (indirectly via B) Example using recursive routing with ROS: 1. Set A to go via B: /ip route add dst-address=A gateway=B 2. Resolve B via C: /ip route add dst-...
by Larsa
Fri Feb 07, 2025 1:23 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

@oreggin, if you're looking for advanced MPLS/BGP solutions, you’ll probably need to consider other brands—but that also comes with additional costs. Since this is just a user forum, if you have a serious business case, you might want to contact MikroTik directly at sales@mikrotik.com or support@mik...
by Larsa
Fri Feb 07, 2025 12:49 pm
Forum: General
Topic: Still fighting with Ecobee (and losing)
Replies: 14
Views: 4260

Re: Still fighting with Ecobee (and losing)

I've also been thinking about getting some Ecobees. Do you use them standalone, or together with something like Home Assistant or another system?
by Larsa
Fri Feb 07, 2025 11:23 am
Forum: General
Topic: OSPF vs CCTV
Replies: 2
Views: 1765

Re: OSPF vs CCTV

OSPF only handles routing between nodes in a network and doesn’t impact performance per se. Building your own mesh network works fine with a few nodes, but as the number of nodes increases, the number of tunnels grows exponentially (see below). OSPF is pretty easy to configure, but you have to do it...
by Larsa
Thu Feb 06, 2025 10:15 pm
Forum: General
Topic: ✈️ MTPC 2024 info and my experience
Replies: 3
Views: 2207

Re: ✈️ MTPC 2024 info and my experience

@MikroTikMarc, looks like you guys had a great time!

Gotta say, your presentation on YouTube on how to build a complex OSPF lab for under $100 using Proxmox and CHR was awesome too! 🚀 Btw, here’s the link to the blog page that was mentioned in the presentation: https://admiralplatform.com/blog-page/
by Larsa
Wed Feb 05, 2025 10:39 pm
Forum: Beginner Basics
Topic: How to run IPv6 from starlink on a mikrotik?
Replies: 37
Views: 17994

Re: How to run IPv6 from starlink on a mikrotik?

With IPv6, you get a public IP; with IPv4, only CGNAT
by Larsa
Wed Feb 05, 2025 6:53 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Yeah, and if MT is using their own Layout Manager, scaling might not work as well if DPI awareness isn't handled properly. The built-in Layout Manager scales just fine on high-resolution screens. Try the example app "Thermostat".
by Larsa
Wed Feb 05, 2025 2:45 pm
Forum: Forwarding Protocols
Topic: [OSPF][iBGP] route filtering syntax help [SOLVED]
Replies: 16
Views: 10684

Re: [OSPF][iBGP] route filtering syntax help [SOLVED]

I’m not sure what you mean by “concentrator” in this case so you'll need to be more specific than that. Btw, did you manage to spot the root cause by checking how OSPF adds default routes to the routing table in one of the black nodes? That said, MED is primarily designed to influence inbound traffi...
by Larsa
Wed Feb 05, 2025 10:38 am
Forum: General
Topic: ip cloud ddns-enabled
Replies: 21
Views: 4651

Re: ip cloud ddns-enabled

@JavierCastilla: Which is the support service and how can I register my devices for that?

I was referring to the business impacted by a failing service, not the one that made the equipment.
by Larsa
Tue Feb 04, 2025 11:07 pm
Forum: General
Topic: ip cloud ddns-enabled
Replies: 21
Views: 4651

Re: ip cloud ddns-enabled

@Dida: What difference does it make if 1 or 200 services are down?

Are you being sarcastic? If we’re talking business, there’s a massive difference. One service down is a problem, but 200? That’s a full-blown disaster—support is in for an absolute nightmare of a day!
by Larsa
Tue Feb 04, 2025 10:16 pm
Forum: General
Topic: ip cloud ddns-enabled
Replies: 21
Views: 4651

Re: ip cloud ddns-enabled

@kevag: seems the service is down since yesterday ..200+ routers don't resolve. can this be verified by mikrotik officials? any news when this will come back in service? MikroTik IP Cloud DDNS is free, which means there’s no SLA. With 200+ routers, I’d definitely start looking into global services ...
by Larsa
Tue Feb 04, 2025 4:16 pm
Forum: General
Topic: ip cloud ddns-enabled
Replies: 21
Views: 4651

Re: ip cloud ddns-enabled

The service might be down at the moment. It happens occasionally...
by Larsa
Tue Feb 04, 2025 3:35 pm
Forum: Forwarding Protocols
Topic: [OSPF][iBGP] route filtering syntax help [SOLVED]
Replies: 16
Views: 10684

Re: [OSPF][iBGP] adding cost on backbone neighbor [SOLVED]

ok now I want to create a iBGP filter rule to execute this...

I thought you were having trouble with OSPF. What are you trying to solve with BGP? Some more background would help.
by Larsa
Tue Feb 04, 2025 3:27 pm
Forum: General
Topic: "Error in Gateway - non zero ip address expected!" when using Quick Set
Replies: 20
Views: 5184

Re: "Error in Gateway - non zero ip address expected!" when using Quick Set

I prefer "auto-mac=smart" because it adapts to new conditions automatically. ;)
by Larsa
Tue Feb 04, 2025 11:53 am
Forum: General
Topic: ATL suddenly says "sim not present"
Replies: 22
Views: 6063

Re: ATL suddenly says "sim not present"

@SiB: I remember that problems on LHGR and some connector spray help or office tape :) And this was a popular problem with first and second revision of LHGR. Second problems was how exit(take out) a sim card - this was not easy job. Yeah, I remember a few years ago when we switched MNO and had to sw...
by Larsa
Mon Feb 03, 2025 9:45 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 80
Views: 29500

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

You can use Docker on Windows with the built-in WSL2, which is a Hyper-V virtual machine where you can run any distro you like, such as Ubuntu. To set up Docker, install either Docker Desktop following this guide or without Docker Desktop using this tutorial.
by Larsa
Mon Feb 03, 2025 8:18 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

Haha, Anav, I see you're out here securing your files and your finances at the same time! 😂 Maybe if we tweak that command a bit: # chmod +Money Boom! Instant economic growth! 💰💸 As for joining the EU... yeah, I think Canada prefers its maple syrup debts over Mediterranean siestas. But hey, if your ...
by Larsa
Mon Feb 03, 2025 8:10 pm
Forum: General
Topic: "Error in Gateway - non zero ip address expected!" when using Quick Set
Replies: 20
Views: 5184

Re: "Error in Gateway - non zero ip address expected!" when using Quick Set

I know why, but I still think making users set the bridge MAC manually is an ugly kludge.
by Larsa
Mon Feb 03, 2025 7:25 pm
Forum: General
Topic: "Error in Gateway - non zero ip address expected!" when using Quick Set
Replies: 20
Views: 5184

Re: "Error in Gateway - non zero ip address expected!" when using Quick Set

Seriously, I don't know what the admin-mac is or what it is used for. I read some of the threads, faithfully staying in my 20-40% comprehension level, and I see that it is, by default, set to the same mac-address as the lowest numbered eth port, and that there might be a problem if/when restoring f...
by Larsa
Mon Feb 03, 2025 7:07 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

@anav - If I were you, I'd ditch the self-hosted controller and just use the cloud-based one (my.zerotier.com). Regarding your files, just: "# chmod +r *". Fixed! ;)
by Larsa
Mon Feb 03, 2025 6:30 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually.

Way too complex, so I don’t think so. But you can add your own web-based manager: ZeroUI.
by Larsa
Mon Feb 03, 2025 6:27 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

Just highlight, once again, a gripe of mine is the Mikrotik's ZT client does not support low-bandwidth, bonding, etc. as a "full" ZT client on PC/Mac does. And these restrictions still come in when using the controller, as traffic will go via the interface, not controller. Yeah, unfortuna...
by Larsa
Mon Feb 03, 2025 6:23 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

@NA9D - Unfortunately, you're still a bit limited when it comes to running fully autonomous operations since ROS doesn't let you configure root servers. But with your own ZeroTier controller and ZeroUI, you not only get a slick web interface, but you also have full control over network rules, authe...
by Larsa
Mon Feb 03, 2025 4:51 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

Here’s a simulation for 2.4 GHz signal loss in a somewhat dense forest using 36 dBm EIRP, with a minimum received power sensitivity of -90 dBm which BTW is extremely weak. You typically need at least -80 dBm for a somewhat stable connection and -67 dBm or better for normal performance. Typical fores...
by Larsa
Mon Feb 03, 2025 1:14 pm
Forum: Forwarding Protocols
Topic: How can I do load balancing in ospf?
Replies: 4
Views: 3429

Re: How can I do load balancing in ospf?

Please don't double-post. I've already answered your question here: viewtopic.php?p=1123269#p1123298
by Larsa
Mon Feb 03, 2025 1:10 pm
Forum: Wireless Networking
Topic: "not responding" - f.k.a. SA Query timeout
Replies: 370
Views: 87894

Re: "not responding" - f.k.a. SA Query timeout

@blondasek, @maigonis - This is just a user forum. If you haven't already, please email a support.rif to support@mikrotik.com.
by Larsa
Mon Feb 03, 2025 12:47 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

I completely agree, especially regarding the steps to establish a good baseline. All major players such as Cisco, Juniper, and others, provide clear guidelines for the initial setup. I mean, how hard can it be? ;) Regarding the handbook (I assume you're referring to a user guide), it's a great idea....
by Larsa
Mon Feb 03, 2025 8:51 am
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

Unfortunately, you do need line of sight for WiFi to work on 2.4/5 GHz. No amount of dark magic will get through 1.3 km of trees. Check Sindy’s previous answer on this.
by Larsa
Sun Feb 02, 2025 11:28 pm
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 11988

Re: Question on using the Internal Zerotier Controller [SOLVED]

Well, to begin with, the documentation for the controller is a masterpiece of vagueness, to say the least. 😉 Unfortunately, the people who wrote it forgot to include an example of how to add a route to a gateway. The only cryptic and inconsistent explanation you get is: routes (IP@GW; Default: ) Pus...
by Larsa
Sun Feb 02, 2025 7:34 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

..but I do have some small houses all connected via twisted pair… This is overhead (exposed to UV, cold, rain, etc.)..

Shouldn’t be a problem if you're using a protective conduit or an outdoor-rated cable that’s UV-resistant and built to handle cold, moisture, and all kinds of weather.
by Larsa
Sun Feb 02, 2025 6:28 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

With the short distance, you can go for a super flexible multimode ... @OP mentioned 1.3km distance ... and that's direct distance. Which is way longer than 550m limit for multimode fiber. So if @OP decides for digging, it should be single-mode ... which is most often laid inside protective tube. D...
by Larsa
Sun Feb 02, 2025 5:17 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

Talk to Verizon? I can think of any number of forms of torture I'd prefer....

Same here, I’d rather have a dentist appointment without anesthesia! 🤣🤣🤣
by Larsa
Sun Feb 02, 2025 3:44 pm
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

@Josephny; If you're planning to install fiber yourself and have your own machinery, just go ahead and use a narrow trenching blade. A depth of about 15-16 inches should be enough. There are plenty of reinforced microducts with pre-installed fiber designed for direct burial in the ground for about 2...
by Larsa
Sun Feb 02, 2025 11:31 am
Forum: General
Topic: 1.3km Possible?
Replies: 49
Views: 6693

Re: 1.3km Possible?

Regarding fiber, if you're the landowner and somewhat handy, you can rent a small walk-behind trencher to lay the fiber in a ditch. To terminate it, you can rent a Fusion Splicer and use splice-on connectors, or go with mechanical connectors if you want to skip the splicing. There are also plenty of...
by Larsa
Sun Feb 02, 2025 9:33 am
Forum: Forwarding Protocols
Topic: ospf not doing load balancing
Replies: 3
Views: 4678

Re: ospf not doing load balancing

Unfortunately, OSPF does not perform load balancing by itself; it only sets up routes in the routing table. Instead, you can use bonding, which is explained here: https://help.mikrotik.com/docs/spaces/ROS/pages/8323193/Bonding. If you plan to use the routers at two different locations, set up two Eo...
by Larsa
Sat Feb 01, 2025 11:40 pm
Forum: Beginner Basics
Topic: Multicast UDP over Zerotier
Replies: 3
Views: 3613

Re: Multicast UDP over Zerotier

Check out multicast UDP in the rules engine: https://docs.zerotier.com/rules/
by Larsa
Fri Jan 31, 2025 8:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Same here, "Cmd +/-" for zooming on Macs is pure muscle memory these days.
by Larsa
Fri Jan 31, 2025 12:27 pm
Forum: RouterOS beta
Topic: L4S support in routerOS7
Replies: 10
Views: 12290

Re: L4S support in routerOS7

@dtaht - Good summary. Any guess on the current status of L4S among the key stakeholders? Can you picture a real-life scenario where BBRv3 coexists with fq_codel or L4S? And yeah, it would probably be a good idea to switch from in-house queue managers to BQL.
by Larsa
Thu Jan 30, 2025 3:16 pm
Forum: General
Topic: IPSEC multiple policy with p2p
Replies: 15
Views: 5432

Re: IPSEC multiple policy with p2p

@Larsa I am looking what is the best solution for this kind scenario: Secure connection to site to site - IPSEC preferred. Site A: has subnet A1 which has to have access to Site B subnet B1 and B2. Site B: has two subnets B1 and B2 to access from/to Site A subnet A1. Since your setup is a single sit...
by Larsa
Thu Jan 30, 2025 1:08 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

Just curious, what is a "normal resolution" nowadays according to MT?
by Larsa
Thu Jan 30, 2025 1:04 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 2141
Views: 1292599

Re: 📣 WinBox 4 is here 📣

It is impossible to fix all scaling issues in Windows. Windows is very bad at DPI scaling compared to other OS and Winbox is definitely not the only program that has small pixel level issues at these settings. Since Winbox is now made in QT, we will not be able to fix all issues, at this point, mos...
by Larsa
Wed Jan 29, 2025 7:43 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

I think it’s a pretty good idea for a lot of reasons.
by Larsa
Wed Jan 29, 2025 12:44 pm
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

@fischerdouglas: yeah, plus L3VPN/MPLS-TE, MPLS-MGMT and BGP/MPLS L3 VPN (128)...
by Larsa
Wed Jan 29, 2025 9:21 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

…a valid BGP table from them in every single AFI/SAFI…

All SAFIs? Well, then you’re in for a long wait! 😉
by Larsa
Wed Jan 29, 2025 12:04 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 167967

Re: v7.18beta [testing] is released!

I agree, but I also want to stress that loading 4 full tables on an internet border gateway is not the only use-case for BGP. Somewhat OT: I’m not trying to diminish the problems you’re dealing with (and I really hope MT puts some effort into fixing it), but BGP was basically designed for routing b...
by Larsa
Tue Jan 28, 2025 7:45 pm
Forum: General
Topic: Error connecting to L2TP/IPSec server
Replies: 3
Views: 2864

Re: Error connecting to L2TP/IPSec server

Okay, if the VPS is running some kind of Windows, did you restart it after changing the AssumeUDPEncapsulationContextOnSendRule settings? Here are a few more ideas: - Even if the ISAKMP session is established, a firewall or NAT might be blocking the ESP packets between the client and server. Double-...
by Larsa
Tue Jan 28, 2025 4:44 pm
Forum: General
Topic: Winbox 4 does not display system note correctly
Replies: 5
Views: 2983

Re: Winbox 4 does not display system note correctly

Same here, v4 still needs some more work before it’s usable.
by Larsa
Tue Jan 28, 2025 4:37 pm
Forum: General
Topic: Error connecting to L2TP/IPSec server
Replies: 3
Views: 2864

Re: Error connecting to L2TP/IPSec server

Just a guess, but check this out: viewtopic.php?t=175528
by Larsa
Tue Jan 28, 2025 4:19 pm
Forum: General
Topic: Winbox 4 does not display system note correctly
Replies: 5
Views: 2983

Re: Winbox 4 does not display system note correctly

@encrypted - Welcome to the forum! You might get more attention if you post your issue in the dedicated thread: "WinBox 4 is here".
by Larsa
Tue Jan 28, 2025 2:49 pm
Forum: General
Topic: IPSEC multiple policy with p2p
Replies: 15
Views: 5432

Re: IPSEC multiple policy with p2p

I’m not exactly sure what you’re looking for. Are you trying to add more sites or just filter certain types of traffic? It might be helpful if you could clarify your needs with a brief description of what you’re trying to achieve without IPsec-specific terms.
by Larsa
Mon Jan 27, 2025 10:17 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 80
Views: 29500

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

No problem, here you are: ;)
C:\> a:install

Jokes aside, you should be able to install Docker on a PC running Windows.
by Larsa
Mon Jan 27, 2025 7:02 pm
Forum: Scripting
Topic: 🧐 example of automating VLAN creation/removal/inspecting using $mkvlan & friends...
Replies: 44
Views: 16016

Re: 🧐 example of automating VLAN creation/removal/inspecting using $mkvlan/$rmvlan/$catvlan

VLANs should only be chosen between 2 and 1002 (or 1005 depending on the manual or manufacturer)

Well, not really. But only if you use switches from the early Brontosaurus period, i.e. VTPv1/2 ;)
by Larsa
Mon Jan 27, 2025 3:32 pm
Forum: General
Topic: IPsec tunnels without known remote IP
Replies: 15
Views: 4392

Re: IPsec tunnels without known remote IP

Well, it might be, but IMO I doubt it, since the core dataplane library, libstrongswan, itself is about 10-15 MB, and that’s without any cryptographic backends at all. Then you need the control plane with all the management tools and user interfaces. On the other hand, MT might have a special stripp...
by Larsa
Mon Jan 27, 2025 2:47 pm
Forum: General
Topic: IPsec tunnels without known remote IP
Replies: 15
Views: 4392

Re: IPsec tunnels without known remote IP

If you find a solution using ROS, please share how you fixed it. Otherwise, there's always StrongSwan, which lets you dynamically configure policies and assign specific IP ranges or subnets based on the peer's identity (like FQDN or other attributes), similar to how it was done with racoon.
by Larsa
Mon Jan 27, 2025 1:16 pm
Forum: General
Topic: IPsec tunnels without known remote IP
Replies: 15
Views: 4392

Re: IPsec tunnels without known remote IP

@pe1chl, does it matter which side is the responder or initiator? If not, both ends could act as initiators using DDNS. Regarding dynamic IPs, the same basic issues apply as with WG. Most ISPs don’t change IPs mid-session as long as the traffic is frequent enough, so some kind of keep-alive mechanis...