Except their website states that support@ is only for people having bought their hardware from them directly ...

(and I don't even really see how that's possible, they don't seem to sell anything themselves directly and always point to distributors)

So ... no reply whatsoever from Mikrotik ...

Tx works like a charm !

Huh, either I haven't been clear or you haven't read it properly. If in the config when creating it I type : /interface ipip add allow-fast-path=no local-address=172.30.2.1 name=tx_tunnel remote-address=172.30.2.2 Then, when doing an export, it will show : /interface ipip add allow-fast-path=no !kee...

Looks like a bug ... If I specify the !keepalive when creating the IPIP tunnel, then the keep alive is indeed not present when I do a print. But if I don't specify anything when creating it, then an export will show "!keepalive" but will in fact have the default 10,10s enabled ! That's act...

Interesting, that's not what I'm seeing at all on 6.35.4 ... [admin@ccr1036] /interface ipip> export # jul/25/2016 23:15:21 by RouterOS 6.35.4 /interface ipip add allow-fast-path=no !keepalive local-address=172.30.2.1 name=tx_tunnel remote-address=172.30.2.2 [admin@ccr1036] /interface ipip> print Fl...

It's not disabled by default ... it's set to 10 x 10s by default.

export shows "!keepalive" but that apparently just takes the hardcoded default and doesn't disable it.
If you do an export verbose you see the actual default.

Hi, IPIP interface seems to have a keepalive feature with some special packets and disable the interface if the remote doesn't respond ... But if I terminate an IPIP tunnel with a linux host, it doesn't know how to handle those and so the mikrotik disables the interface ... I'd like to completely di...

Hi, What would be the equivalent of such a null route written in Cisco syntax : ip route 1.1.1.1 255.255.255.0 Null0 100   Basically I need some traffic to be null routed but can't use iptables filters easily because it only has to be null routed if there is not a more specific route or a route with...

Hi, I've been trying to make an IPIP tunnel in VRF (i.e. both the tunnel itself and also the underlying peers are in the VRFs) and failing ... tunnels stays in the "not running state" and as soon as I disable the VRF it starts working. Below is the config I've been trying to use, with two ...

Ok great tx for the quick answer.

Ok, that's mildly annoying but I guess I can live with it for now.

You specifically said "In ROS v6". Does that mean you're planning to fix that behavior in future ROS ?

Ok, so I'm trying to do a simple VRF test. I have a CCR1036 with two trunk links, each carrying two vlan. (one of the link is a bond of but not important here). link1 is bond1 and carries vlan1000 and vlan1001 link2 is sfp-sfpplus1 and carries vlan2000 and vlan2001 I've setup two VRF, one with vlan1...

Being able to turn on reverse-path filter per-interface ...

TBH I can't believe it's not possible yet ...

I'm with jarda there. Their contract should include bandwidth / traffic / volume / speed etc ... if they go over what's specified, bill them for it. If it's not specified then that's your fault for not including it. If you base your whole business on oversubscribing your links massively and planning...

+1

At least the ability to push flowspec out to peers. (i.e. no need to interpret and actually apply the rules locally).

I understand Mikrotik's opinion above, but at this point in the process it's just irrelevant, it's too late, it's been adopted and the only viable choice is to support it.

Yeah, I understand your current diagram ... my point was that you could _change_ it and just have everything connected to your switch (both peers and ISP) and then have the CCR "on a stick" just connected to your switch and use VLANs as virtual patch cables to make any logical topology you...

CCR1072-1G-8S+ has 8 SFP+ that can do 10G or 1G. There are also other models with 2 SFP+ and 1G ports as 1G-base-t rather than SFP. But you could also only use a single 10G port for all your uplinks using VLANs on your switch to establish the point-to-point connections to your peers. Or even just t...

I think your main issue is that you should have a rule to accept all packets from already established connections /ip firewall filter add chain=forward action=accept connection-state=established,related at the beginning of the chain. That's because the rules are applied to each packet and not to eac...

Yes and ?  Does it not work ?

Rules get matched, so I expect the packets to be dropped as requested ...

And you tried adding this to "  /interface bridge filter " ?  (and _NOT_ /ip firewall )

I don't know the RB2011UiAS in details, but if it supports placing bridging firewall rules between eth3 and eth4, it should work just fine.

I assume both your AP are plugged in a switch ?

What you need is the switch needs to filter packets so it only allows traffic from the APs to the GW and nothing else.

I understand they don't have unlimited resources, which is why they must focus on the features that will benefit the most their customers and IMHO a gentle "+1" on a thread isn't a bad way to show interest in a feature ... Also first post is from 2008, so I wouldn't call that "instant...

Hi, Is there any hope to get hw accelerated AES-GCM-128 (or 256) in CCR ? As far as I understand the GCM mode is actually easier to do fast and doesn't have the pipelining dependency of the CBC mode, so I'd actually expect the performance to be better ... I can't see any real "hardware module&q...

+1 for LLDP

Plenty of equipement doesn't have CDP and being able to identify what's connected to what it pretty useful ...