MikroTik

savage

Facing same issues 7.18.2

savage

SwOS should just go and die a slow death IMHO.

savage

zero images loading, zero stylesheets loading.... royally messed up yeah

savage

After updating from 7.16.1 to 7.18.1 /export show-sensitive terse started showing new bogus interface /interface ovpn-server server add mac-address=[...] name=ovpn-server1 While it's disabled by default, I would prefer default config and especially updates not to create bogus interfaces. Also notic...

savage

Mine clicks in just fine...

savage

OMG - and it works! LOL

savage

thnx - didn't expect it to be listed under usermanager

savage

Hi, Mikrotik-Switching-Filter is not defined at https://wiki.mikrotik.com/Manual:RADIUS_Client Does anyone have the VendorID & Value available perhaps? Also, looking at https://help.mikrotik.com/docs/spaces/ROS/pages/328090/Dot1X, it makes use of the Mikrotik-Switching-Filter attribute to apply ...

savage

Hi,

Any possibility that we can port security control on CRS devices in the future?

If interface has more than x MAC's shut down, etc...

savage

rule="if (bgp-as-path XXXXX) {reject;}"

rule="if (bgp-as-path XXXXX || bgp-as-path AAAA || bgp-as-path BBBB || bgp-as-path CCCC) {reject;};"
Or as others suggested, numbered lists.

savage

So not quite sure here whether it is, or isn't hardware offloaded :-)

savage

(One could surmise that the networking codebases are significantly more difficult to work on than implementing existing Linux solutions, hence the appearance that the "goodies" are getting more attention. It doesn't take much to add GUI knobs and levers for BTRFS, for example, but chasing...

savage

+1, I couldn't agree more. I use those features, and I am happy with the functionalities they provide... I use BGP routing, and I am sad it no longer works reliably (as it did in v6 and for some time in v7, I would say between 7.10 and 7.15). Our production network is on 7.13, and absolute zero iss...

savage

*) l3hw - added initial HW offloading for VXLAN on compatible switches (additional fixes)

Anyone looked at this one yet? Performance? Also, I recall this was added on one of the 17.x versions, is this now in 17.2?

savage

You must have a global in order for IPv6 to work. So are you saying that if there is no global address, then Unique Local Addresses will not work? Or is it just that the ULA's will work locally, but there is no connection to the wider internet? Because the latter wold be good enough for me. https:/...

savage

Firewalls.

You must have a global in order for IPv6 to work.

savage

Use a CCR to do the routing (VLANs), and break the VLANs out to physical ports on the CRS.

You'll be pressed for a 24+ port router from MT.

savage

Look at the newer ARM64 processor routers. With V7, they are pretty decent.

savage

License servers offline again since 04/02/2025.... More than a day now

savage

Monitoring the light levels will also help, it's not unheard of that light levels drop due to tight bends / the cabling moving beyond acceptable levels etc.

savage

In the same subnet, the FTP server considers the src IP address as local. (/24). As the src-ip is local, traffic is not sent back to the router, but an ARP broadcast is sent and the server requires the mac address in order to send the traffic back to the source. From what you are describing, source ...

savage

I'd take a stab and say it is more than likely bypass / filter capacitors for the chip.

As a unwritten 'standard' - try 0.1uF, maybe 6.3V (you should be able to get a voltage reading there to rate the caps appropriately for voltage levels).

savage

Hi, Using a QSFP+ as a TOR, I want to utilize the 2 x 40Gbps QSFP+ for backhaul. What are my options in terms of Mikrotik switches, for high capacity / redundant 40Gbps links? I don't see any other switches from Mikrotik with a QSFP+ form factor, except for the CRS326-24S-2Q+RM Can I link a QSFP+ to...

savage

v7 is plagued with sequence mismatch errors. We have it on almost all our v7 routers, comes and goes at free will.

In our case at least, it hasn't impacted routing. Just an annoying log entry.

savage

How do i delete loop back interface? i am not interested in

Can't. And ditto. If I need a loopback, I'll create one :)

savage

Well...

Whilst I am happy and grateful to FINALLY have a v7 AMI on AWS... Reading this thread, I'll skip on 7.14

savage

[admin@MikroTik] /routing/filter/community-ext-list> add list=yes communities="rt:123:123" [admin@MikroTik] /routing/filter/community-ext-list> add list=yes communities="rt:123:123.123.123.123" invalid value for argument community: invalid prefix route distinguisher value value ...

savage

Hi All, if (afi ipv4 && protocol bgp) { jump GLOBAL-DENY-v4; if (bgp-as-path ^123$) { set bgp-local-pref 200; } set bgp-communities TRANSIT; set bgp-ext-communities rt:123:111.111.111.111; accept; } The bgp-ext-communities are not applied. bgp-communities are however applied? Am I missing so...

savage

BGP in ROSv7 defaults to 'deny all' for route filters, where as ROSv6 was 'accept all'.

You need an inbound and outbound filter on the BGP sessions.

savage

Public Tunnel ran fine with ROSv6 ipsec enabled. Tunnel runs fine on ROSv7 too, the ipsec is just not configured and visible in /ip/ipsec, and traffic on the tunnel is unencrypted, even though ipsec is enabled on the EoIP configuration. Seems to me that ROSv7 is ignoring the ipsec secret configurati...

savage

You have configured tunnels on both sides ?

Of course. The tunnel is in a Running state.

Hmpf. Will look at it some more then. Maybe I am missing something.

savage

It works. I set up such tunnels. What configuration do you have? 7.13.3? I know it works adding the ipsec key to the EoIP configuration, but no ipsec phase 1 / phase 2 is configured in /ip/ipsec? Packet dumps also indicate gre traffic, and not ipsec traffic. [admin@MikroTik] > /interface/eoip/print...

savage

Hi,

Is it just me, or is ipsec on eoip tunnels also not working / implemented?

thnx

savage

https://www.rfc-editor.org/rfc/rfc2138#page-48 5.32. NAS-Identifier Description This Attribute contains a string identifying the NAS originating the Access-Request. It is only used in Access-Request packets. Either NAS-IP-Address or NAS-Identifier SHOULD be present in an Access-Request packet. A sum...

savage

Plenty other attributes that can be used, such as NAS-IP-Address ? Definitely, however the external service uses only Nas-Identifier and they likely won't change that just for me. I did ask, though Then it's a lack of functionality on the external service, unfortunately. Install a AAA proxy in the ...

savage

Plenty other attributes that can be used, such as NAS-IP-Address ?

savage

[admin@MikroTik] > /ip/route/print count-only 0 action timed out - try again, if error continues contact MikroTik support and send a supout file (13) Can't add static routes, can't view routing tables, can't count routes, can't do anything pertaining to routes. Not even rebooting the router solves ...

savage

It would always be best to adhere to common hostname format standards as system identity translates to hostname of the device.

Then Mikrotik should check that, when setting the identity and not accept spaces (and other characters that doesn't belong there) :)

savage

Same story here.

Also find it amusing that you still have to revert to looking at packet dumps, to see what is actually advertised too.

ROSv7 feels like a pet project that got started and just never got finished. Def. not prod ready IMHO.

savage

I reported it to support in March (SUP-110901) but never got any response.

Also no response on my support ticket. Seems that is the norm these days.

TY for confirming.

savage

Hi, Am I missing something? if (afi ipv4 && protocol bgp && bgp-communities equals TRANS-ANNOUNCE) { delete bgp-communities TRANS-ANNOUNCE; accept; } The filter matches communities TRANS-ANNOUNCE, but it does not delete TRANS-ANNOUNCE prior to sending the advertisement on to the prov...

savage

Hi,

Can comments be added in ROSv7 routing filters? Tried #, ', as well as //

Thanks

savage

/routing/route print detail

And clearly you haven't read the forum posts...

savage

/routing/route print (detail)? Have you tried it before you actually just assumed things? Clearly, you are under estimating my intelligence here... [chrisk@x] > /system/package/print Columns: NAME, VERSION # NAME VERSION 0 routeros 7.11 [chrisk@x] > /ip route/print detail Flags: D - dynamic; X - di...

savage

Hi,

Seeing that V7 is now so stable and mainstream and all....

When can we expect to see things like BGP/OSPF/RIP/etc metrics and AS Paths etc in a simple route print command?

savage

Try 7.10.2 - works nicely.

Hire me as a QA engineer, and I will "try" it for you. Not my job, and not on my networks.

Anyways... Moving on...

savage

Unless you have specific critical issues that you have reported directly to MikroTik, please do not spread misinformation about software stability. There's no misinformation - it's all over the forums. As you don't have a ROSv7 long-term release, but instead, only a stable release, your software re...

savage

Then please UPDATE YOUR DATASHEETS so that I don't buy crap that I don't want!

savage

Have 2 v7 devices in our network, work on them every day, and no, I am not happy with v7 yet. Why not please just address my concerns, instead of pushing your v7 agenda? Since when are the CRS326-24S+2Q+ v7 only, and why is this not reflected in the datasheets like you specify the requirements for R...

savage

Hi, I have at least 30 CRS326-24S+2Q+ (r2) running in our datacenters, all happily running ROSv6. We've now received 4 new CRS326-24S+2Q+ (r3) units, that we are attempting to deploy. These devices to our surprise, came to us with ROSv7 (which, we don't deem as production ready). Both a software dow...

savage

Don't think they doing anything anymore for v6. Dissapointing, as v7 is faaar from production ready.

savage

savage I know that cables exist. What I meant is a box that I can plug A fiber into running at 40G and it has a DAC cable from it so I can connect it to 4 x 10G ports Any 40G QSFP interface on the one side, any 10G Interface on the other side? The CRS326-24S+2Q+RM for example as 2 x QSFP ports. So ...

savage

Uhm. Have you tried google?

They exist, and is commonly used.

savage

+1 - really annoying. v5 does not support v6, and v9 does not support time stamps. I can't even remember for how long Netflow has been an issue in 'tik. Would be lovely to just get this fixed once and for all please. Flow Record: Flags = 0x06 FLOW, Unsampled label = <none> export sysid = 25 size = 6...

savage

Come on guys! It is "quite common" that an ISP blocks all traffic from UDP port 123

Uhm, no? ISPs should not, ever, be filtering traffic. Not their responsibility. If my ISP blocks port 123 (or any port for that matter), I'll be cancelling services very promptly thereafter.

savage

So whats the most logical solution when you only have X number of cables? You remove a radio, install something like a PowerBox in between, then reconnect the radio to the powerbox and you also have another 3 ports available. Easy logical straightforward expansion Yet the netpower has no PoE input ...

savage

There's a switch in between. VLAN 100 is LAN Management and VLAN 101 is WIFI Management. VLANs are correct between the firewalls. Confirmed that they can see each other through neighbors and can ping local IP of each other. And for example, if I disable VRRP on MTik02, it can ping and see MTik01 wi...

savage

I would try different SFP modules, looks like you've got some cheap made in Japan AliExpress SFPs there... Just my 2c.

savage

Yep, seems pretty normal for generic sfp's to randomly work between MT chassis. I have about 50 MT devices in my care all using fiber trunks. Generally speaking I use either genuine mikrotik SFP's, or Cisco Genuine( which seem to work fine ) in my MT gear. I also keep an eye on : https://wiki.mikro...

savage

Either your fiber lead is faulty, or yes, you need to cross your fiber leads on the patch lead. TX goes to RX and RX goes to TX. They are (or should be) crossed. RX loose and a -40dB is essentially telling you that it is not receiving any light. So either the receiving end is broken, or the transmit...

savage

Hi,

Is it just me, or is Mikrotik missing some SFP modules?

I am looking for a QSFP (40Gbps) SM module, as well as a SFP28 (25Gbps) SM module? Seems there are only QSFP for multi-mode fiber, and SFP28 only comes in a DAC cable???

What's my options please.

Thanks,

savage

RouterOS versions 7.1.4 and 7.1.5 has been released "v7 stable" channel! Before an upgrade: 1) Remember to make backup/export files before an upgrade and save them on another storage device; 2) Make sure the device will not lose power during upgrade process; 3) Device has enough free stor...

savage

export gets stuck often at various part of the config, in all versions.

known thing, reported many many times before to MT, and no fixes.

savage

So I finally figured it out. Dam Mikrotik, that was a brain twister.

Nothing to do with Mikrotik. This is networking 1-0-1... Any router, will give you the exact same result.

savage

I don't think CPU usage is a problem. As you said, the 5009 should do more and runs at a maximum of 39%. The CHR runs at 4x 4.0GHz with less than 10%. ...running a similar setup (RB4011 with 1G/55M I-Net and 1x3GHz/2M CHR,) I can confirm, that 450Mbps is max for traffic via the wg-link. As RB4011 a...

savage

I don't see how the info I posted is inaccurate. It contains a bash snippet which downloads current allocations directly from RIPE's ftp. It builds the download URL using current system date. You can check RIPE's ftp contents using this http mirror: https://ftp.ripe.net/pub/stats/ripencc/ . As you ...

savage

Reasons not to use ROS7...

savage

I suggest you scheduling a reboot every 7/14 days in the night to refresh the routers. I solved in this way when I got bricked 4011...

Restarting a core network device, holding millions of BGP routes, is not a way to 'solve' a problem. Glad it works for you though.

savage

* MODS: Please remove if inappropriate * Hi Everyone, I've been running a eBGP service for quite some time privately to protect my own network infrastructure via BGP, instead of using Firewall ACLs. It is significantly less resource intensive to null-route a IP address, vs. having to firewall it. Up...

savage

Hi,

Upgrading from 6.48.x to 7.1.x - NTP client not working... stuck on waiting.

Works fine here...

savage

With many things, if you don't enable them, all they do is eating some disk space. I'd understand the poor souls with 16MB storage devices, but why do you worry about it, when yours has half a gigabyte? :) Because with all things, there's a little thing called bugs. What do you think happens when 7...

savage

7.1 "long-term" ?

savage

Mikrotik as far as I remember, allocates IPs out of the pools on a first-come, first-served basis. Which ever first IP is available in the pool, will be allocated. If user A disconnects, no one else connects, and user A reconnects an hour later, they will get the same IP. If user A disconnects, user...

savage

Just an FYI - QinQ requires jumbo frames. 1500 byte frames aren't enough to encapsulate a VLAN inside a VLAN.

Not sure if it is/isn't the issue but worth noting regardless as you'll run into massive fragmentation issues once you actually start pushing data.

savage

It will hold the routes with minimal memory - that's not the problem. Changing the routes in the actual routing table, will take 5+ minutes however. It learns the routes via BGP fairly quickly, but it updates, -notoriously- slowly. Failing over a full table (880K+ routes) will take you 30 minutes, e...

savage

BTW, just because there is 0 printed on it, don't assume it's 0 ohm.

Be that what it may, as others have said... There's way more wrong with your RB than a blown resistor. There's a reason why it blew.

savage

Your rule allows for .30 to talk to .31. You don't have a rule to allow .31 to talk to .30

savage

AS Path filters are regular expressions. You don't have a regular expression in your filter.

savage

CYMRU provides examples for Mikrotik - use them, they work.

savage

savage

Hi guys, For the love of me, I can't find it now. Can someone recommend a few of these manufacturers that sells (pref. modular) x86, 1U routers running 'Tik. I know there's a few of them with modular SFP/SFP+/Copper ports/interfaces, running on Xeon processors. Just can't remember the names now. And...

savage

The VLAN and the Bond has the same MAC address - Cisco's doesn't like this, and MT refuses to add functionality in order to change MAC addresses for VLANs. The VLAN will always have the same MAC as the parent interface. This would be especially troublesome if the provider does some kind of MAC filte...

savage

Adding route: 100.100.0.0/24 >>> /ip/route/add >>> =type=blackhole >>> =bgp-origin=igp >>> =bgp-communities=65000:5002 >>> =dst-address=100.100.0.0/24 start read_len read_len got 5 recv 5 <<< !trap start read_len read_len got 64 recv 64 <<< =message=value of dst-address must have number address aft...

savage

Hi All, Adding route: 100.200.0.0/16 >>> /ip/route/add >>> =.type=blackhole >>> =.bgp-communities=65000:5002 >>> =.dst-address=100.200.0.0/16 >>> =.bgp-origin=igp start read_len 1 Am I missing something? A return of 1 means it's not likeing something in the parameters? I'm not sure what?

savage

Can we get these libs updated please?

They no longer work after the recent changes made by Mikrotik.

savage

wtf? LC connector, but a RJ45 SFP?

Yes - the port is down, and not coming up.... Wonderful.

CCR1072-1G-8S+

savage

I don't believe it's possible (Mikrotik or not) to implement filters per neighbor in OSPF...

Use BGP. That's one way to solve your issues.

savage

- are you seriously using "admin" ?

Oh yes - that's the other thing I do by default. admin username is deleted / renamed.

savage

In general management ports like SSH and Winbox should not be open to internet by default. +1 All my routers have *all* management services firewalled and only accessible from a management address-list, unused services disabled. Not one of my routers has been hit. Only thing accessible from 0.0.0.0...

savage

255 is a broadcast address when the subnet's broadcast address falls there (i.e., x.x.x.255/24)

VPNs and (more specifically) PPP, uses point-to-point addressing. There is no network, nor broadcast address at play.

savage

Can also confirm, I've done some serious traffic under serious loads on a CHR (ESX).

The problem is however, it's not always feasible to put down a x86 host for virtualization. When it's possible though, it's a no-brainer.

savage

If there really isn't anything configured on the router as you claimed, it can only be a layer 1 / layer 2 issue.

Check Ethernet cables, ports, errors, duplex mismatches, etc.

savage

18 Gbit/s, when in the web page says that it can pass until 80 Gbit/s. There is something weird. Can you post your export with hide-sensitive option? Regards. MT's estimates, are extremely optimistic. The tests are done virtually with a blank router, doing absolutely nothing at all - it doesn't rep...

savage

Cisco, Juniper, Huawei, Alcatel, etc... all have the option to create a "prefix-list" for filters. I'm surprised Mikrotik doesn't offer this option...

/routing filter ?

what's your problem?

savage

add action=dst-nat chain=dstnat dst-address=11.22.33.44 in-interface=WAN to-addresses=192.168.0.69

add src-address=!<your internal IP range>, or exclude your public IP as a dst-address from your masquerade rule.

You can't masq yourself out, and expect to come back in.

savage

Don't know what MT was thinking to add a torrent client, in a router?!?!?!?!

+1 - remove.

savage

As the devices are 1:1 nated,

/ip ipsec profile
set [ find default=yes ] dh-group=modp1024 nat-traversal=no

nat-traversal on the default policies needs to be enabled.

savage

Setting flow-control to off seems to have solved it... I have no idea why it wasn't off, is off the default? Flow control is supposed to be a good thing, if you have a limited speed (less than ethernet line rate), limited buffer depth device between you and the next hop. http://virtualthreads.blogs...

savage

set [ find default-name=ether1 ] rx-flow-control=auto tx-flow-control=auto
set [ find default-name=ether2 ] mtu=1280

Why are you running a 1280 MTU? Set flow-control to off too.

This isn't a standard config, there's a LOT of "other" stuff here.

savage

:if ([/system clock get date]~"/01/") do={
#place instructions here
};

Wouldn't that also run every day on the first month?

savage

Well, VLANs are Layer 2 - I don't believe you can "guarantee" layer 3 capacity.

If you have a 100mbps interface, give vlan1 95mbps, and vlan2 5mbps via simple queues. More than that, I don't think you can do.

savage

The SFP's will automatically increase/decrease power as needed. There's no minimum distance for a fiber cable. Maximum limitations are provided as there is loss / fade over long cable runs.

savage

Also hate these default configs they started implementing. Makes life unnecessarily difficult

savage

when i change weight/local pref then it takes about 3-5m for update the weights because i haveabout 4m routes in my route table. how in the heck do you have 4m routes, are you not filtering out anything smaller than a /24 ? Of course, don't except anything smaller than /24. Two or three full tables...

savage

Seen this happen on other networking kits where power was supplied to Ethernet ports that should not be getting power yes.

savage

/interface vlan [ /interface vlan find ] set disabled=[no|yes]

savage

:if ([/ip ipsec policy get [find dst-address=10.0.0.0/16] value-name=dst-address] = 10.0.0.0/16) do={ :put found } else={ :put notfound } works when there is a policy matching 10.0.0.0, but returns a "no such item" error on a check when there isn't a policy. Why return an error? shouldn't...

savage

Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default # PEER TUNNEL SRC-ADDRESS DST-ADDRESS PROTOCOL ACTION LEVEL PH2-COUNT 0 T * ::/0 ::/0 all 1 A TRANS-GW #1 yes 0.0.0.0/0 a.b.23.213/32 all encrypt require 1 2 A TRANS-GW #1 yes 0.0.0.0/0 c.d.30.0/24 all encrypt requ...

savage

I would also pin this rather on an underlying ethernet issue. 20+ flaps in 24 hours is a lot.

Ethernet errors, packet loss? anything at all wrong with the links?

savage

Once per three years is more than enough.

LOL

savage

Thnx for the explanation guys. Makes sense.

savage

What happens if you set do-not-fragment while pinging the IPv4 address? do-not-fragment=yes then as expected, IPv4 fails as well as IPv6 do-not-fragment=no then as expected IPv4 works, but not as expected IPv6 does not. I don't believe do-not-fragment is applied to IPv6 traffic on a IPv4 gre tunnel...

savage

Hi Guys, Two routers, identical configuration: /interface gre add allow-fast-path=no ipsec-secret="blah" local-address=192.168.24.98 mtu=1520 name=gre-tunnel1 remote-address=192.168.24.54 /ipv6 address add address=X:X:X:101::16/126 advertise=no interface=gre-tunnel1 /ip address add address...

savage

Static routes. Pretty much all that comes to mind.

OSPF can't manipulate cost per route, only per interface.

savage

No outages on the L2 circuit? Even briefly (a few seconds) that is long enough for a packet to disappear / be lost?

I've seen similar issues where one router would transmit a packet through a L2 provider circuit, and the packet doesn't get to the remote side, causing OSPF to get confused.

savage

I don't believe you'll be able to run OSPF inside AWS. They block Multicast / Broadcasts.

I also believe (not sure if it's fixed yet) that there is/was issues with OSPF over ipip. Not 100% on this, but I recall something like this.

savage

viewtopic.php?t=119494

Contains in details what is required and what you are missing, and also covers a small bug (which I don't know whether it's fixed yet or not).

savage

Hi Guys, Anyone here using the Mikrotik MM / SM SFP modules on Cisco 9200 switches (1G links)? I know there are IOS commands and what not for the Cisco to "make it work" with 3rd party optics - this doesn't guarantee compatibility though. Just figured I'd ask to see whether I can get confi...

savage

And that's precisely the problem with BGP being single threaded in MT.

Unfortunately, there's no way to speed up the time the convergence takes on MT currently. Your stuck at a few minutes of downtime, or alternately, use different routers.

savage

Only way to do this without messing things up, is to use a VRF

savage

You are using PPPoE, which has overhead on the protocol.

I don't believe 90Mbps on a 100Mbps PPPoE account, is unrealistic TBH.

EDIT: As you've mentioned as well... Yes, use 1Gbps ports, not 10/100. It does make a difference.

savage

Filters has been buggy for as long as I can remember. It's not something you want to change and/or update frequently. Refreshing the (bgp) peer, or changing the order of the filter rules, may cause the BGP process to re-read and process the updated filter, but yes. It's kinda a hit and a miss at thi...

savage

At those distances, I would just pull fiber and forget about copper all together.

I've seen many (even CAT6) cables where the copper qty in the cable was low. Errors started to happen from as near as 60m.

savage

CRS326
CRS112
CRS305

?

Those are switches, not routers.

savage

We are also seeing this on CCRs from time to time...

savage

It's an issue with new ROS default configs & ROS versions shipped, and firmware... I've probably installed over 200 RB750's over the last two months (and other RBs). All of them, I've had to use a specific ethernet port and/or wireless, upgrade ROS, reboot (twice, because after the first reboot ...

savage

Acct-Session-Id is not globally unique, it is not per NAS unique, and it is not unique across reboots.

https://tools.ietf.org/html/rfc2866#page-15 The RFC makes no requirement for the attribute to be unique.

savage

For LACP all interfaces must be of the same speed & duplex.

You can use a SPF+ port, but needs to be a SFP (1G) module, and not a SPF+ (10G) module.

You can run SPF (1G) and copper together in a LACP, no problems there.

savage

14V at the end of a 130M 24AWG (presumably) cable run is actually quite good. The voltage drop is quite normal over that distance, but it SHOULD be sufficient as the RB's SHOULD operate on 12V. As others suggested, I would also recommend trying a 30V PSU. Just to be safe. My guess however, is that y...

savage

Not yet supported. Many, many, IPv6 stuff isn't fully implemented yet in ROS.

PPP & IPv6 is also severely lacking.

savage

I'm sure it will be resolved in v7

savage

I guess us moving into Mimosa was the right decision in the end.

+1

Love it how mikrotik pretty much just don't care.

savage

This is not an exploit.

Yes - that's precisely why the topic says Denial of Service, and not Exploit

Funny how most devices have things like control plane policing, to limit things like this.

savage

Further to stop using CCRs in it's entirety (PSU issues, BGP issues), we too, are seriously considering alternatives (Cambium / Mimosa) to Mikrotik on the wireless side. Mikrotik's loosing traction fast. Unless v7 is a magic bullet that gets released, very, very soon... I see tough times ahead for M...

savage

Add a null / blackhole route with a high metric. That will catch the traffic when the VPN isn't active. When the VPN becomes active, it will install a route with a lower metric, and the lower metric route will take preference, routing your traffic normally over the VPN.

savage

Also still frequently seeing DB errors, and waiting minutes (literally) for pages to load...

savage

ditto

savage

So then why we only seeing 20-30Mbps throughput on the APs? :D Back to square one... running a loop here... one more time ; a client with Rx-rate connection rate of 52Mbps will have throughput of more or less 30Mbps when doing bandwidth test. at that moment the total bandwidth available to all clie...

savage

. And when it's NOT active, you sit with links with 3% or 5% CCQ, which degrades the performance of the links that IS active... How ? , only active low data rates that are degrading throughput of AP. Thats basic wifi behaviour. Idle connections almost none. So then why we only seeing 20-30Mbps thro...

savage

What makes this interesting, is that CCQ drops when the link is idle and there's no traffic. Yet, when there's traffic all CCQs are well over the 80% and we still only get about 30Mbps / 35Mbps. CCQ can only be measured with active traffic. Well... DUH, of course. And when it's NOT active, you sit ...

savage

We're sitting with the same thing... What makes this interesting, is that CCQ drops when the link is idle and there's no traffic. Yet, when there's traffic all CCQs are well over the 80% and we still only get about 30Mbps / 35Mbps. Given that CCQ drops when links are idle, just how are you supposed ...

savage

Indeed. And now read what I said, setup the bridges, setup the EoIP tunnel between the MT Box and the PPPoE Server, and it should work. If you get the PPPoE Requests at the MT, there is no reason why you cannot tunnel it to kingdom come, if you so desire. EoIP - it's a trick, it's not a solution. E...

savage

Thnx for confirming.

savage

Hi,

ROS 6.39.3 (bugfix)...

/ip firewall address-list add address=127.0.0.1 comment="_TEST_" list="test" timeout=00:02:00

Never mind what values I use for timeout, the dynamic rule is created, but after 10 to 20 seconds, the rule is removed again...

savage

You can not use simultaneous use without checkrad. If the radius server misses an accounting stop it's not going to close the session. The only way to know whether the session is active or not is to query he nas. These things aren't out of the box configurations. It requires a lot of work and custom...

savage

Remember your 300 Mbps speed is in a single direction only, actual traffic will be both ways and a 100 Mbps fullduplex ethernet connection could in theory transfer up to 200 Mbps added. Nice math :) So yes, whilst it's 300mbps in a single direction, a 10/100 port CAN NOT, and NEVER WILL be able to ...

savage

https://github.com/FreeRADIUS/freeradius-server/blob/v3.0.x/doc/configuration/simultaneous_use You need to *read* this, to understand how it works. It's not just a matter of slapping a few attributes into a radius request. Pay attention especially to section 3 in the documentation, IMPLEMENTATION, a...

savage

Due to the connection-tracking required, I think connection-limit only applies to TCP traffic, not UDP.

I may be wrong on this one, but I'm fairly sure that's what your problem is. You also want to be on the forward chain, not the input chain (your three connection-tracking rules).

savage

Yes in single authentication, but when you have dual authentication (like one time password - OTP) than we want to give users more time to enter it.... And giving the use time to enter a OTP, has nothing to do with the duration of the AAA *request*. The *request* is only sent AFTER the user entered...

savage

Uhm.

20s is WAY to long for a AAA response, by that time, your client would long have given up trying to authenticate. You want to handle AAA within 2 or 3 seconds (tops).

savage

Hi, From the docs (https://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#Connect_List) Operation: connect-list rules are always checked sequentially, starting from the first. disabled rules are always ignored. Only the first matching rule is applied. If connect-list does not have any rule that ma...

savage

Hi, We are using a CCR1072-1G-8S+ as our core router. In the near future we will attach two 10gig links to it with a dualport Intel x710 with sr optics: https://www.intel.com/content/www/us/en/ethernet-products/optics-cables/ethernet-sfp-optics-brief.html?wapkw=intel%20SFP%20%20optics As Intel stat...

savage

I gave up on mikrotik when we moved to a dual stack network because of this bug. You can find new Juniper SRX routers pretty cheaply if you look hard. Don’t pay more than 25% of the list cost, though. I'm in the same boat. Can't use MT in my core / borders. MT is definitely not aware of the actual ...

savage

/interface vlan add name=wan vlan-id=20 interface=ether1 /ip address add address=100.64.139.40/30 interface=wan /ip route add dst=0.0.0.0/0 gateway=100.64.139.39 /ip firewall nat add chain=srcnat out-interface=wan action=src-nat to-address=62.28.108.38 As you don't have 62.28.108.38 assigned to any...

savage

On your WAN Ethernet port... Create a VLAN with VLANID 20 On the VLAN interface, assign 100.64.139.40/30 Add default route to 100.64.139.39 Confirm that you can ping 100.64.139.39 (or at least see the MAC address under /ip arp), if not, there's no point in going further... If you can then; Create lo...

savage

Do you monitor / graph the power levels of the device?

Sounds to me like it's the PSU failing... Quite a few people suffer from PSU issues on the CCRs, despite MT claiming nothing wrong, problem fixed, new PSU, etc...

savage

Well, if you want to use /29 as a base pool size and don't want to get painted into a corner because some tower is much more popular, then what you could do is allocate your initial /29 blocks sparsely and then simply increase to /28 at sites requiring it, then /27, etc. Amusing of course that that...

savage

As long as you're within the 300m distance limitation, yes. No reason why it won't work.
Why 300 meters. With S+31DLC10D single mode sfp+ 10km. It is compatible

Because the OP *specifically* mentions MM fiber?

savage

https://mikrotik.com/product/CCR1009-8G-1S-1Splus Clearly states 8 x 10/100/1000 Ethernet ports, 1 x SFP ports, and 1 x SFP+ ports (SFP+ = 10G) https://mikrotik.com/product/Splus85DLC03D Clearly states it's a SFP+ module (10G), and it supports 10Gbps. Not sure which datasheets you are looking at :)

savage

As long as you're within the 300m distance limitation, yes. No reason why it won't work.

savage

It's a known thing with various vendors and switches - it's not specifically related to MT. On gigabit Ethernet, auto negotiation negotiates a lot more than just speed & duplex. It's more than likely one of these other things that is negotiated, that is failing (for example flow control) - and t...

savage

Not with ECMP I believe, but something similar can be achieved by using https://wiki.mikrotik.com/wiki/Manual:PCC

savage

You send a PPP echo, and the remote does not respond. Therefore, the link is closed. You said you haven't changed the MAC addresses. Have you tried to do so? I am going to go on a limb here and say that the PPPoE Service from the provider is tied to your MAC address and it will only work if the new ...

savage

Yes.

Run scripts on the accounting tables and close sessions which should not be open, or check the 'checkrad' scripts (which would also need customization) so that the radius server actually queries the nas to confirm whether or not a session is active.

savage

wAP AC and RB952Ui-5ac2nD, but the wifi speed is very horrible. Never more than 50-60 mbps on a clean 5 ac channel with -55db The wan capable of 125mbps. See here . hAP AC & wAP AC are the best! I can do over 150Mbps on my cell phone, Yes, and the OP is speaking about ISP services. 1) Outdoors,...

savage

On the SFP it doesn't matter - as long as it is the correct connector. You don't get a APC and/or UPC SFP module. It's difficult to explain, but on a mid coupler, the plastic extending from the fiber connectors needs to be aligned correctly (either square (UPC) or angled (APC)). In a SPF module, the...

savage

Don't think you'll ever see the (real world) speeds you want on point to multi-point connections...

Definitely no where near those speeds with a -80 signal.

savage

Either a APC to UPC patch lead, or as you say, most commonly they just splice the required pigtail on to the fiber yes with the appropriate mid-coupler.

Personally, I don't buy into the whole APC thing being better...

savage

Oh ok, I stand corrected - there's one

savage

Sounds like a good candidate for VPLS and a central PPPoE server exercise.

savage

Can pretty much guarantee you it won't be considered for anything other than ROS v7. There's been plenty discussions on here about large communities. MT always avoiding the issue with hacks and 'other' things to do, instead of proper large communities. We have a 32bit asn, and use a private 16bit as...

savage

Or the product must just be designed better...

Have two 3011s here with the same issue. Like the CCR's, I've stopped buying them.

savage

Knowing MT and looking at all their other products, I'd say passive POE is correct, and 802.3at/af is incorrect.

There's not one single MT device that runs on 802.3at/af

savage

If your seller provides no warranty, you can either replace the cap, like others posted above. To prolong the life of the cap, you can set the FAN mode to "redundant" which increases fan speed and brings temperature down by at least 3 degrees celsius. You can also mount the device in some...

savage

What will you offer to people having 1036 with the old design suffering on this problems? Contact the seller for warranty options, just like with any hardware issue. Does your re-sellers KNOW that replacement PSUs even exist? Again, see my comment(s) above which you so nicely ignored. We are being ...

savage

+1 - and in -precisely- the same situation as you, considering the options of MT as a "to the masses" CPE... Another good example to MT's lack of "adequate" fiber support, is the MANTBOXes for example. Simply no place what so ever to terminate / splice - never mind the actual pro...

savage

Check the changelogs. I suspect you'll need to contact MT about this.

I recall some version change where dynamic MSS rules was removed, and it is now apparently handled internally inside PPP itself.

savage

As far as I know, the last 6-8 months we are shipping units with an improved PSU, the C10 has been changed to a better one. Some parts have been changed to better handle the heating. Is there any way for a distributor to tell if they have the fixed version? I'm looking to deploy my first CCR1036 so...

savage

I was just curious if anyone thinks that the ROS implementation should not clobber the case of the actual DNS reply. (again, it shouldn't matter - I agree 100%) It more than likely shouldn't yes. But as you said - it shouldn't matter either. I'd perhaps just file a bug, and shove it under the ROS v...

savage

Think it's the lock being anal. If there's a RFC stating case sensitivity on DNS resolution, it would be the first that I hear about it.

savage

I emailed support about this issue - feedback below: Yes, it is a known problem, it tries multiple times except that with each try and failure interval between tries increase. Currently solution for this problem when interval becomes too high is only disable/enable. This will change in ROS v7. From...

savage

FreeRadius has modules to handle these kind of things, specifically.

It's not complicated to setup at all.. https://wiki.freeradius.org/modules/Rlm_sqlcounter

savage

A real pity that this as well as filters, are only implemented for IPv4, and nothing for IPv6...

savage

Sounds like your ISP is doing it wrong, very wrong in fact.

+1

If that's how your ISP hands out IPv6, I suggest you find a new ISP...

savage

I think you are limited to E1000 cards if you use x86 but if you use CHR you can use vxmnet3 which will give more performance.

That's also true yes. x86 does not support vxmnet3, so no 10G.

savage

@savage it does not apply in this case. Recursive routing does not work only with link-local gateways. I beg to differ.... [cknipe@WCLH-BR01.cpt.za.as203319.net] > /ipv6 route print detail where gateway=2a07:b2c5::3 Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, o -...

savage

If this is for recursive routing, you need to manually add a static route in the tables for the gateway IP address. MT doesn't do recursive routing correctly in IPv6, it's a known bug.

savage

Copy & Pasted the configurations across the 31 radios? Perhaps, including the statically configured MAC addresses?

savage

Does VMWare (Running inside Windows 10 PRO) support TRUNK interfaces? and How to achieve that?

VMWare Workstation no. You'd need to use ESXi (vSphere).

savage

Yes - Don't do it.

Separate sessions for IPv4 and IPv6 peering.

savage

The reason the radius is rejecting the request (ignoring it), is presumably because you have the client configured in radius with a src of 10.100.3.1, but the request is coming from 10.100.3.120. If you check the FR logs, or run FR in debug mode, you'd also notice big fat warnings and errors genera...

savage

You configured ROS to use 10.100.3.1 as a src-address for radius requests, yet, the packet dump indicates that the request is originating from 10.100.3.120 (the local ethernet interface address). That would indicate to me that 10.100.3.1 is not assigned to the router. Do you have a loopback iterface...

savage

I've been able to solve the issue, I can login via web and ssh with ActiveDirectory and FreeRadius. I can share the config if someone have problems. Maybe Windows's password encryption is reversible, but I would doubt it Windows can store the passwords using "reversable" encryption. It's ...

savage

In general (not ros specific), I think the AS path can only be appended too, I don't think any device can remove from the AS path.

savage

I wish you could configure what authentication mechanism was used for all of these. My company had a userdb with encrypted passwords, so we could not use RADIUS auth for winbox sessions (chap requires cleartext password db). Ditto. Stumped to see CHAP2 has been thrown into the mix too now :shock: N...

savage

There's piles of sorting that's wrong.

IPv6 routing tables is a total mess too, doesn't seem to get sorted at all.

savage

On RB951-2n (R2) ether1 default L2MTU is 1600, that's why only ether2 appear in the export.

Ah yes, of course. Thanks!

savage

R2: /interface bridge add name=loopback /interface ethernet set [ find default-name=ether2 ] l2mtu=1600 /interface vpls add advertised-l2mtu=1508 disabled=no l2mtu=1508 mac-address=02:9D:3D:58:0D:7D name=R2-R1 remote-peer=172.16.0.1 vpls-id=1:2 /ip address add address=172.16.1.2/24 interface=ether1...

savage

Once thing I can get my head around is how to give each router an accessible IP so I can reach both independently. Both routers will have the same config in terms of firewall rules etc. Each running their own LNS with different public IPs. Make the two /30's public IPs (which is industry best pract...

savage

Try forcing them to 1000/Full. I've seen a lot of SFP interfaces causing issues with auto negotiation, and normally forcing them to 1000/full on both sides causes the links to come up.

Other than that, yes, suggest you contact MT.

Search found 1289 matches