Community discussions

Search found 46 matches

by fflo
Fri Aug 11, 2023 6:55 pm
Forum: RouterOS beta
Topic: v7 CRS2116 IP-routing stuck after router generates autosupout.rif
Replies: 6
Views: 2826

Re: v7 CRS2116 IP-routing stuck after router generates autosupout.rif

@sirbryan can confirm that this bug is gone upgrading to the latest v7.11b7. Thanks for your hint. Update: Unfortunately upgrading the CCR2116 to pre-releases of v7.11 did not fix this issue. Log shows the error message: script error: action timed out - try again, if error continues contact MikroTi...
by fflo
Tue Aug 01, 2023 8:31 am
Forum: RouterOS beta
Topic: v7 CRS2116 IP-routing stuck after router generates autosupout.rif
Replies: 6
Views: 2826

Re: v7 CRS2116 IP-routing stuck after router generates autosupout.rif

@sirbryan can confirm that this bug is gone upgrading to the latest v7.11b7. Thanks for your hint.
by fflo
Sun Jul 30, 2023 6:40 pm
Forum: RouterOS beta
Topic: v7 CRS2116 IP-routing stuck after router generates autosupout.rif
Replies: 6
Views: 2826

Re: v7 CRS2116 IP-routing stuck after router generates autosupout.rif

That's the input filter on external IPv4 BGP4 peers:
add chain=NO-RFC6890-V4 rule="if (dst == 0.0.0.0/0 && afi ipv4) {reject}"
add chain=NO-RFC6890-V4 rule="if (dst in 0.0.0.0/0 && dst-len in 25-32 && afi ipv4) {reject}"
add chain=NO-RFC6890-V4 rule="...
by fflo
Fri Jul 28, 2023 3:23 am
Forum: RouterOS beta
Topic: v7 CRS2116 IP-routing stuck after router generates autosupout.rif
Replies: 6
Views: 2826

Re: v7 CRS2116 IP-routing stuck after router generates autosupout.rif

sirbryan, thanks for your hint. The CCR2116 router having the IP-routing gone stuck bug after generating an autosupout.rif is only running a BGP table of a few hundred routes. So it should be no load issue. Nonetheless, I've upgraded the device to 7.11b7; it's worth a try. Off-topic: Another CCR2116...
by fflo
Thu Jul 27, 2023 12:57 pm
Forum: RouterOS beta
Topic: v7 CRS2116 IP-routing stuck after router generates autosupout.rif
Replies: 6
Views: 2826

v7 CRS2116 IP-routing stuck after router generates autosupout.rif

Hi, do you have a hint what may cause latest v7.10.x to stop routing traffic after the CCR generates an autosupout.rif file? /log/print shows no message for this event. /routing/route/print freezes with no output after the autosupout.rif file has been generated. Have to reboot the CCR device every f...
by fflo
Wed Jul 19, 2023 5:02 pm
Forum: Forwarding Protocols
Topic: BGP full table routing on CCR2xxx with route filters
Replies: 5
Views: 2996

BGP full table routing on CCR2xxx with route filters

Hi, running the BGP full table on CCR2xxx equipment is working smoothly only if the "Input Filter" (and "Output Filter") is disabled. Enabling an "Input Filter" list on a BGP full table to filter out invalid prefixes results in one CPU thread going stuck at 100% and rou...
by fflo
Sat Nov 13, 2021 5:39 pm
Forum: RouterOS beta
Topic: v7.1rc6 [development] is released!
Replies: 145
Views: 56918

Re: v7.1rc6 [development] is released!

OSPFv2 and OSPFv3 got unusable since v7.1rc5. OSPFv2 is struggling with error messages like using md5 auth: OspfInterface { { *12 0.0.0.0 0 ROUTERIP } Backup DR Broadcast } auth data corrupted from REMOTEIP OSPFv3 requires to disable and re-enable any GLOBAL /ipv6/address to start working with v7.1r...
by fflo
Wed Nov 03, 2021 4:03 am
Forum: RouterOS beta
Topic: v7.1rc5 [development] is released!
Replies: 167
Views: 49407

Re: v7.1rc5 [development] is released!

Do you have a hint how to use the feature /routing/ospf/interface-template prefix-list for route filtering?
I did not succeed using the same syntax as instance in- and out-filters.
by fflo
Tue Nov 02, 2021 7:55 am
Forum: RouterOS beta
Topic: v7.1rc5 [development] is released!
Replies: 167
Views: 49407

Re: v7.1rc5 [development] is released!

Due to occasional hardware reboots on CCR2004-1G-12S+2XS gear I have upgraded to v7.1rc5. It's been a mess of a few hours to update the configuration to match the new configuration style. OSPFv2 is unstable communicating with Cisco ASR routers in case the broadcast network interface is using MD5 pro...
by fflo
Sat Sep 18, 2021 12:38 pm
Forum: RouterOS beta
Topic: Layer-3 MPLS VPN
Replies: 21
Views: 12883

Re: Layer-3 MPLS VPN

Can confirm that Layer-3 MPLS VPN does not work at least up to 7.1rc2. This should be fixed soon, because RouterOS v7 would offer many performance optimizations for BGP and Layer-3 routing + supports IPv6. I have tried the recently released version 7.1rc1, but I still have problems receiving rout...
by fflo
Thu Sep 16, 2021 2:51 am
Forum: RouterOS beta
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 51144

Re: v7.1rc3 [development] is released!

Any progress on mpls L3/ VRF routing? thx Looking forward on this as well, RC3 still missing the ability to set the routing-distinguisher on VRF, need this for routing import export in MP-BGP The latest release that has this capability is beta6, none of the RC’s have this capability Please bring ba...
by fflo
Thu Sep 16, 2021 2:32 am
Forum: RouterOS beta
Topic: v7.1rc3 [development] is released!
Replies: 172
Views: 51144

Re: v7.1rc3 [development] is released!

Can we please have the possibility to choose a specific prefix from an IPv6 pool? viewtopic.php?t=153437
Please.
It's really annoying to deal with this.
+1
by fflo
Thu Mar 18, 2021 3:12 am
Forum: RouterOS beta
Topic: v7.1beta5 [development] is released!
Replies: 292
Views: 87275

Re: v7.1beta5 [development] is released!

!) enabled initial MPLS support (CLI only);
Thanks! That's an important one
Yes. Does it already work in combination with BGP4 VRF?
by fflo
Thu Feb 18, 2021 6:23 am
Forum: RouterOS beta
Topic: v7.1beta4 [development] is released!
Replies: 211
Views: 57462

Re: v7.1beta4 [development] is released!

Looks like export still hangs...
Is there a reason why this bug has not been fixed?
Working with the Terminal regularly this keeps me from testing the latest v7.1 betas. Does there exist a workaround?
by fflo
Wed Dec 02, 2020 9:44 am
Forum: General
Topic: Some websites unavailable on IPv6 [SOLVED]
Replies: 13
Views: 5035

Re: Some websites unavailable on IPv6 [SOLVED]

Hi vasco, Hello, [...] What is happening here? Why do some HTTPS websites on IPv6 work and others don't? Do you have any ideas about what is wrong with my RouterOS setup or what should I change? Thank you for any ideas or comments. I have been working on this issue for several hours now without any luck or p...
by fflo
Wed Dec 02, 2020 9:34 am
Forum: General
Topic: Fiber vs Copper 10Gb/s SFP+ power consumption
Replies: 3
Views: 1635

Re: Fiber vs Copper 10Gb/s SFP+ power consumption

Hello, I've read several times 10Gb/s on Copper SFP+ implied noticeable power consumption and heat. Do you have any comparison between Fiber and Copper SFP+ when connecting over 1 Gb/s? Can S+AO0005 be seen as a way to work around power/heat issues without sacrificing throughput when inter-connecting ...
by fflo
Wed Dec 02, 2020 9:22 am
Forum: General
Topic: unable to configure GREv6 on latest stable ROS v6.47
Replies: 2
Views: 723

unable to configure GREv6 on latest stable ROS v6.47

Hi, I am unable to get a simple GRE6 tunnel up and running between two RB3011 (arm) devices using the latest stable v6.47.8 ROS. Tested with and without IPsec password. /ipv6 firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-st...
by fflo
Sun Sep 27, 2020 3:06 am
Forum: RouterOS beta
Topic: VRF status with RouterOS v7
Replies: 16
Views: 8075

Re: VRF status with RouterOS v7

Support for both: VPNv4 and VPNv6 would be awesome using the new BGP4 implementation.
by fflo
Sun Sep 13, 2020 4:26 pm
Forum: RouterOS beta
Topic: VRF status with RouterOS v7
Replies: 16
Views: 8075

VRF status with RouterOS v7

Hi, what's the current status of VRF support with RouterOS v7 (beta)? VRF now seems to have moved from IPv4 only to support both IPv4 and IPv6 (hey that's awesome in combination with BGP4 and MPLS), but I am unable to find a way to configure "Route Distinguisher" and Import and Export Rout...
by fflo
Wed Jun 24, 2020 8:51 am
Forum: General
Topic: DoH corrupting DNS cache? DNS cache full with invalid data?
Replies: 27
Views: 8319

Re: DoH corrupting DNS cache? DNS cache full with invalid data?

... My current DNS setting [admin@GittuTik] /ip dns> print servers: 8.8.8.8,8.8.4.4 dynamic-servers: 103.86.96.100,103.86.99.100 use-doh-server: https://dns.google/dns-query verify-doh-cert: yes allow-remote-requests: yes max-udp-packet-size: 4096 query-server-timeout: 10s query-total-timeout: 15s ...
by fflo
Sat Jun 20, 2020 4:39 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 2864

Re: IPsec (in)security: phase2 pfs-group

In my experience with traditional IPSec site-to-site tunnels, when PFS group doesn't match on both peers, the tunnel can be brought up in only one direction. The reverse direction will always fail. I don't recall which condition was which though. I imagine the side with better PFS would downgrade t...
by fflo
Fri Jun 19, 2020 10:29 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 2864

Re: IPsec (in)security: phase2 pfs-group

I think you see the mismatch only if session key is about to expire and rekeying fails. So did you test for more than just session startup? L2TP IPsec tunnels configured with mismatching PFS-Group settings in phase2 are running seamlessly without noticeable interruptions. At least combinations with...
by fflo
Fri Jun 19, 2020 2:49 pm
Forum: General
Topic: IPsec (in)security: phase2 pfs-group
Replies: 4
Views: 2864

IPsec (in)security: phase2 pfs-group

Hi, seems to me that current RouterOS versions are ignoring the IPsec phase2 (Proposals) PFS-Group setting. Mixing this setting on client/server-side with different values (i.e. modp-1024 and none) has no actual effect on the connection. I guess the weakest setting wins. Do you have a hint on how to...
by fflo
Sun Mar 01, 2020 2:58 am
Forum: Forwarding Protocols
Topic: Default Originate with BGP vpn4 (VRFs)
Replies: 1
Views: 2706

Re: Default Originate with BGP vpn4 (VRFs)

@Mikrotik: no hint for this issue?
by fflo
Fri Feb 28, 2020 2:58 am
Forum: Forwarding Protocols
Topic: VRF Management
Replies: 7
Views: 10853

Re: VRF Management

We work with this the other way around, management via main routing table and customer traffic in VRFs. We drink our own Kool-Aid though, so our own offices have routers where our traffic is in a VRF and we subsequently didn't have access to routers from within our own network. The following rules ...
by fflo
Sun Feb 23, 2020 6:51 pm
Forum: RouterOS beta
Topic: Feature Request - Wireguard Protocol
Replies: 167
Views: 84863

Re: Feature Request - Wireguard Protocol

Implementation of something like https://github.com/burghardt/easy-wg-quick would be awesome.

This would allow secure and fast VPN client configuration using a simple QR code to scan.
by fflo
Sun Feb 23, 2020 6:39 pm
Forum: RouterOS beta
Topic: VRF IPv6 support with RouterOS v7
Replies: 4
Views: 5046

Re: VRF IPv6 support with RouterOS v7

Yes, it will. At the moment VRFs are still not enabled.
Any update on this feature? Would love to see this coming soon. Thx.
by fflo
Sun Feb 23, 2020 6:12 pm
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 6614

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

Bumping this topic, I recently had strange DNS leak issue and was able to pinpoint it to NordVPN's dynamic server in /ip dns Skimming through, I don't think there's a simple solution (yet) to ignore the dynamic dns set by Nord's IKEv2 tunnel I am using the following bugfix, to decide which DNS serv...
by fflo
Sat Feb 22, 2020 11:36 pm
Forum: Forwarding Protocols
Topic: Default Originate with BGP vpn4 (VRFs)
Replies: 1
Views: 2706

Default Originate with BGP vpn4 (VRFs)

Hi, do you have a hint how I can inject "Default Originate" default-routes into VRFs? Imported default-routes (0.0.0.0/0) originating from an imported other VRF do not get redistributed, although the "Redistribute Other BGP" option is configured for the VRF. Currently, I am using...
by fflo
Thu Feb 20, 2020 4:04 am
Forum: RouterOS beta
Topic: Feature request: per interface rp-filter
Replies: 9
Views: 4955

Re: Feature request: per interface rp-filter

+1 useful option and easy to implement.
by fflo
Mon Jan 13, 2020 6:21 am
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 6614

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

"DNS leak" in VPN scenario usually denotes "resolving names through DNS server other than VPN provider's". If you'll route traffic from a "client group" (identified with network addresses, ports, L7 patterns used, whatever) to a VPN, but don't use VPN provider's DNS se...
by fflo
Sat Jan 11, 2020 5:25 pm
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 6614

Re: NordVPN IKEv2 EAP VPN tunnel: DNS leak

@Mikrotik: Is it possible to block the DNS configuration parameters for an IKEv2 EAP VPN tunnel setup?
How does RouterOS select which DNS server is used from the list of available static and dynamic DNS servers?
by fflo
Sat Jan 11, 2020 5:21 pm
Forum: General
Topic: Feature request: Virtual Extensible LAN (VXLAN)
Replies: 30
Views: 19528

Re: Feature request: Virtual Extensible LAN (VXLAN)

+1

Please add this feature to v7. It's a requirement to use CCR equipment for hosting flexible K8S clouds.
by fflo
Mon Jan 06, 2020 4:25 am
Forum: General
Topic: NordVPN IKEv2 EAP VPN tunnel: DNS leak
Replies: 7
Views: 6614

NordVPN IKEv2 EAP VPN tunnel: DNS leak

Since firmware version v6.45, Mikrotik routers support dialing out an IKEv2 EAP VPN tunnel. For configuration, it's necessary to create a new "/ip ipsec mode-config" with responder=no that will request configuration parameters from the VPN provider's server. Example configuration: https://...
by fflo
Mon Dec 02, 2019 1:27 am
Forum: General
Topic: IPv6 issues via HE tunnel
Replies: 29
Views: 6449

Re: IPv6 issues via HE tunnel

Did you check that protocol 41 is not blocked in-transit (in- and outbound to HE)?
Have you cross-checked the IPv4 addresses to be static on both ends?
by fflo
Fri Nov 22, 2019 2:16 am
Forum: General
Topic: howto setup static ipv6 prefix from ipv6 pool
Replies: 2
Views: 2296

Re: howto setup static ipv6 prefix from ipv6 pool

Ack.
@Mikrotik: any hint when this issue will be fixed?
by fflo
Mon Nov 18, 2019 3:17 am
Forum: General
Topic: howto setup static ipv6 prefix from ipv6 pool
Replies: 2
Views: 2296

howto setup static ipv6 prefix from ipv6 pool

Hi, how can I set up static subnet prefixes for connected interfaces from a provider DHCPv6 assigned IPv6 pool with RouterOS? Using this configuration does not work on RouterOS: [admin@mikrotik-labdemo] /ipv6 pool> print Flags: D - dynamic # NAME PREFIX PREFIX-LENGTH EXPIRES-AFTER 0 D DSL-IPV6-POOL 2...
by fflo
Fri Nov 01, 2019 11:13 pm
Forum: RouterOS beta
Topic: VRF IPv6 support with RouterOS v7
Replies: 4
Views: 5046

VRF IPv6 support with RouterOS v7

Hi,

does RouterOS v7 support IPv6 with VRF?

-fflo
by fflo
Thu Oct 31, 2019 5:32 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 10513

Re: BGP multithreaded

Any news about BGP routing on RouterOS v7 Beta?
On which software is the new implementation based?
by fflo
Thu Oct 31, 2019 5:28 am
Forum: General
Topic: ip dhcp-server network configuration with VRF
Replies: 0
Views: 1094

ip dhcp-server network configuration with VRF

Hi, working excessively with VRFs I noted one drawback. How can I configure different DHCP network settings in case different VRFs share the same network? For example if several VRFs use common networks like 192.168.1.0/24? /ip dhcp-server network does not offer a possibility to bind network setting...
by fflo
Thu Jun 20, 2019 6:23 pm
Forum: General
Topic: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479
Replies: 15
Views: 6657

Re: Linux vulnerabilities: CVE-2019-11477, CVE-2019-11478, CVE-2019-11479

To sum up, the current recommended workaround bugfix is adding the following filters to the firewall until the patched packages are available?
/ip firewall raw add action=drop chain=prerouting protocol=tcp tcp-mss=0-535 tcp-flags=syn log=no log-prefix="SACK" comment="SACK Panic: CVE-2019...
by fflo
Thu Jun 20, 2019 4:46 pm
Forum: General
Topic: SACKpanic CVE-2019-11477
Replies: 1
Views: 1551

SACKpanic CVE-2019-11477

Hi, is Mikrotik RouterOS affected by CVE-2019-11477, CVE-2019-11478 and CVE-2019-5599? https://github.com/Netflix/security-bulletins/blob/master/advisories/third-party/2019-001.md https://packetstormsecurity.com/files/153346/Kernel-Live-Patch-Security-Notice-LSN-0052-1.html https://access.redhat.com...
by fflo
Tue May 07, 2019 2:46 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 10513

Re: BGP multithreaded

Any update on this topic?
Using CCR1072 equipment no-one likes to get stuck with a hanging routing table on one core and route insert or modification times of 15-20 minutes.
by fflo
Sat Mar 23, 2019 11:04 am
Forum: General
Topic: BGP multithreaded
Replies: 18
Views: 10513

Re: BGP multithreaded

@Mikrotik
Is it possible to integrate FRRouting into RouterOS 6?
- https://frrouting.org/
- https://github.com/FRRouting/frr

Taking this step should add BGP multithread support + full MPLS IPv6 / VPNv6 support.
by fflo
Sat Mar 23, 2019 9:59 am
Forum: General
Topic: Feature Request: 6VPE (VPNv6) - ipv6 address family
Replies: 8
Views: 3626

Re: Feature Request: 6VPE (VPNv6) - ipv6 address family

Any update on this issue?
by fflo
Wed Jan 02, 2019 3:29 pm
Forum: General
Topic: NordVpn and mikrotik?
Replies: 22
Views: 9382

Re: NordVpn and mikrotik?

@Mikrotik: Can you please add EAP authentication as initiator for RouterOS v6 to fix this issue?
At least IKEv2 with certificates and EAP auth, commonly used by many VPN providers, should be supported on current RouterOS.