MikroTik

Hi,

In the process of testing RoMON in a limited (production) setup between two sites running an RB1100AHx2 as a router and RB912UAG-5HPnD as AP. Both sites are connected through an EoIP tunnel with IPsec.

RoMON is enabled and discovery works as advertised (i.e.: all four devices are being discovered, correct hops etc).
Using any of the devices as RoMON agent (using the management VLAN IP of the device), I can successfully connect and manage the other local device. However as soon as the RoMON connection has to cross the EoIP tunnel one of the following things might happen:
-Winbox successfully seems to establish connection and I get a briefly functioning interface, but after a few seconds the UI updates stop (i.e.: figures freeze) and I cannot manage the device
-Winbox successfully seems to establish connection but all windows remain empty
-after cache is cleared, Winbox has trouble downloading plugins however after multiple attempts one of the above will happen

All other traffic is running across the EoIP tunnel as it should. I see no packet loss on the statistics and again if I connect Winbox to the machine at the other side of the tunnel using IP it works as it should. If I use the device at the other side of the tunnel as the RoMON agent, I can manage the other device that is local to that RoMON agent, but again, no device at the other side of the EoIP tunnel.

Normally, especially since the connection seems to start successful, I would say this is a problem with one of the firewall rules, but it is my understanding that the RoMON concept bypasses any forwarding or firewall rules and I can't find any specifics on the inner workings (torch leaves with with very little clues), it's a difficult place for me to start trouble shooting.

All systems running RouterOS 6.34.2
RB1100AHx2's running firmware 3.24
Using Winbox 3.1

Any help appreciated.

I think a network diagram will ease things, otherwise is hard to follow. Four devices?

Only time I managed to screw RoMON was by wreaking havoc with MTUs.

AFAIK RoMON is an ethernet protocol (88bf), think if there could be anything screwing it...

Simplified diagram (switches and modems left out): To reiterate the first post to the above diagram:

Devices are being discovered properly across both sites (i.e.: Router1 sees AP1, Router2, AP2; Router 2 sees AP2, Router1, AP1, etc.).

Connecting WinBox to via RoMON works only for devices local to the particular RoMON agent (e.g. Router1 to AP1, Router2 to AP2, etc.).

Crossing the EoIP between agent and device doesn't work (e.g. Router1 to Router2, Router1 to AP2, Router2 to AP1, etc). With 'doesn't work' I mean that the connection establishes (i.e. it logs in and the Winbox UI loads), but after 3-4 seconds the UI stops updating and eventually I will get disconnected. Upon reconnection UI windows are empty etc (see first post). Wait a few moments and it works again for the few seconds.

Note that when connecting Winbox to AP2 with Router2 as RoMON agent, I'm using the same EoIP tunnel.

Onto the MTU suggestion. On both routers:
-/tool romon discovery shows L2MTU of 1500 for all devices
-EoIP configured auto MTU with Actual MTU showing 1424.
-WAN ethernet port (used for EoIP) configured MTU 1500 and L2MTU 1600

magchiel, thank you very much for the detailed problem description.
Please send us (support@mikrotik.com), support output files from "Router1" and "Router2". We will see what could be wrong.

magchiel, thank you very much for the detailed problem description.
Please send us (support@mikrotik.com), support output files from "Router1" and "Router2". We will see what could be wrong.

Sent. Thanks in advance.

magchiel, thank you very much for the detailed problem description.
Please send us (support@mikrotik.com), support output files from "Router1" and "Router2". We will see what could be wrong.

Sent. Thanks in advance.

I face the same issues. In my network there is 1 RB2011 and several RB750GL and RB750Gr-2. The RB750GL's and RB7540Gr-2's are connected with the RB2011 via EoIP-tunnels

It may be a bug... in the meantime check RoMON ID (try to set it statically to one of your ether MACs) and EoIP MAC addresses, it may have something to do with that.

This seems to be a bug, i can replicate it consistently across various ROS versions and devices.

I'll leave a log window open, have the time on the bar. connect to it via romon. the logs will tick over fine and the clock will tick over the seconds. As soon as i click something in winbox the screen will come up empty and the clock on the bar will stop. then after a few seconds i get disconnected.

Sometimes i can connect back again straight away to see the log screen again. sometimes i can't untill i restart romon on the device i was going through not the one i'm connecting to.

Romon ID's set to eoip interface mac, also tried setting it to just about everything i could think of doesn't seem to make a difference. I've got romon secrets on both ends too.

I'd send supouts to support while triggering the bug.

sorry for not posting back sooner. apparently (as per support response) it's by design and RoMON packets will travel through EoIP bridge to any device in the network *as long as those are not tunnel endpoints*.

it is suggested to use the RoMON User policy introduced in 6.35 and use the edge router as a stepping stone to connect any internal devices.

I have not yet priotised time to experiment as I can't find much added value in the using EoIP in favour of IPIP between the different edge routers.

Hi

Has anybody come up with a workaround to use RoMON over EoIP ?

I would like to use this, since I'm having a router behind 2 times isp nat which connects "home" over L2TP and EoIP and the only way i can Winbox in to this one is over RoMON.

BooX

Has anybody come up with a workaround to use RoMON over EoIP ?

Has anybody come up with a workaround to use RoMON over EoIP ?

I´ve made a secondary VPLS over the L2TP server binding that I´m running the EoIP over - then RoMON works flawlesly. Even with the remote router behind 2 time isp nat.

Don´t know if this is the solution in all cases, but works here

BooX

Has anybody come up with a workaround to use RoMON over EoIP ?

I´ve made a secondary VPLS over the L2TP server binding that I´m running the EoIP over - then RoMON works flawlesly. Even with the remote router behind 2 time isp nat.

Don´t know if this is the solution in all cases, but works here

BooX

i cant find VPLS. where is this menu?

i cant find VPLS. where is this menu?

Under MPLS

i had MPLS package disabled. thats why i couldn't find it.
ok i setup VPLS over L2TP (without EoIP) and romon is working great. thanx!

Could you please give some basic guidance on setting up VPLS for ROMON? I expected it will work same way as EoIP (create interfaces, set remote IP, done...) but my VPLS interface is just sitting there without being connected. Does it require MPLS or other features before I can start playing with VPLS?
(week ago I had no idea about those features. I just hit a dead end when trying to establish ROMON on network with unifi switches - they block ROMON packets so I need some simple tunnel. EoIP gives me ROMON discovery but connection does not work)

this is the wiki i used to get it working.

https://wiki.mikrotik.com/wiki/Transpar ... using_MPLS

Thanks a lot I did not notice this one as I was always looking just for VPLS

(I will update feedback once I make it working)

Edit: Thanks to the guide, I was able to make it working. Unfortunately, I noticed that between routerboards it works while with CHR it drops in few seconds.
for example:
working: RBD52G-----{VPLS}-----RBD52G
working: RBD52G-----{VPLS}-----RBD52G-----{LAN}-----CHR
working: CHR-----{LAN}-----RBD52G-----{VPLS}-----RBD52G

not working: RBD52G----{VPLS}----CHR
not working: RBD52G----{VPLS}----CHR----{LAN}----RBD52G
not working: CHR----{VPLS}----RBD52G
not working: CHR----{VPLS}----RBD52G----{LAN}----RBD52G

Shortly said - if ROMON is passing through VPLS connected to CHR, I can discover and connect, but connection drops within a couple of seconds. That is same behavior as described by magchiel - author of this topic.

I actually hoped that I can use CHR as central point and connect every, even NATted routerboards to it for management purposes but apparently there are some serious issues with stability of these networks.