Community discussions

Search found 43 matches

by berlo
Tue May 08, 2018 12:46 am
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

The one I have that doesn't reboot has a bug with the ping tool; sometimes it stops working at all for some hours.
Disable route cache, it fixed for me.
by berlo
Mon Jan 29, 2018 5:07 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

Hi, route cache should not cause a reboot, but a stop in packet forwarding. If your device has enough performance to forward traffic in slow path you can try disabling the cache. You will see CPU usage increasing. If you get a kernel panic you need to hard reboot the router, so you need a managed PDU or so...
by berlo
Wed Jan 24, 2018 9:37 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

No, it is on the fly. All changes can be done without a reboot. The only issues are dummy rules that are not removed automatically, but you need to reboot it to reactivate fast path
by berlo
Mon Dec 04, 2017 1:32 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

The CPU usage in fastpath is always lower, so on high normal traffic fastpath is still the only solution.

But if the CCR can handle the traffic without fastpath, you can keep route cache disabled; that will help under DDoS where you are experiencing stopped packet forwarding.
by berlo
Mon Nov 06, 2017 5:47 pm
Forum: General
Topic: Route Cache disabled with Fast Path
Replies: 6
Views: 2485

Re: Route Cache disabled with Fast Path

Check 750Gr3 performance.
Bridging  none (fast path)  162.4  1,972.2  443.7  1,817.4  1039.1  532.0
Bridging  25 bridge filter rules  162.4  1,972.2  168.1  688.5  174.3  89.2
Routing  none (fast path)  162.4  1,972.2  444.4  1,820.3  1035.0  529.9
Routing  25 simple queues  162.4  1,972.2  179.6  735.6  171.4  87.8
You can't ...
by berlo
Sat Nov 04, 2017 1:29 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

Yes and now ccr was raised to 28 in all Europe. All are working fine and we never experienced more random reboots. Also we experienced better performance on routes with > 1kk routes installed disabled route cache. You lose some % CPU, about 10% more, but you will not experience packetloss/stop fo...
by berlo
Fri Nov 03, 2017 1:54 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

You need to have the console open, because if it is a kernel panic or memory error or similar you can't see the error message
by berlo
Fri Nov 03, 2017 1:17 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

Have you tried disabling watchdog and keeping the serial console open?

You should see the error
by berlo
Thu Nov 02, 2017 9:22 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

Hi, at the moment we have 21 ccr1072 with 6.41rc44 all up for 17 days without issue. We do bgp + filtering + ospf. Nothing else. Try to upgrade to this release; if you still experience reboots you can exclude these services as the reboot cause. We experienced reboots with cpu upgraded to 1200Mhz, at 1000...
by berlo
Thu Nov 02, 2017 10:50 am
Forum: General
Topic: Route Cache disabled with Fast Path
Replies: 6
Views: 2485

Re: Route Cache disabled with Fast Path

I just received a reply that in v.7 they will update the kernel so route cache will be removed too.

I think that removing route cache will be a big improvement for all people that have a partial or full route bgp setup.
by berlo
Thu Nov 02, 2017 1:12 am
Forum: General
Topic: Route Cache disabled with Fast Path
Replies: 6
Views: 2485

Route Cache disabled with Fast Path

Dear Support, in the last months we spent a lot of time to find the best solution that can handle a lot of pps during DDoS. From kernel 3.6 route cache is disabled because it is proven that it can cause performance drop under high load. With fast path enabled (route cache enabled) just 2gig syn flood can cause packet ...
by berlo
Thu Oct 26, 2017 1:09 pm
Forum: General
Topic: TCP SYN Flood attack causing high cpu
Replies: 13
Views: 8709

Re: TCP SYN Flood attack causing high cpu

With syncookie you ask RouterOS to be a proxy and it helps a bit on syn floods. Another trick we added is to put in mangle some tcp checks to mark and put ip in blacklist.
/ip firewall> mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=prerouting action=add-src-to-address-list tcp...
by berlo
Tue Oct 17, 2017 1:08 am
Forum: General
Topic: TCP SYN Flood attack causing high cpu
Replies: 13
Views: 8709

Re: TCP SYN Flood attack causing high cpu

Yes, I know the consequences on MT. DDoS Mitigation is my job :-) If you want to help your router support 2x the DDoS you're receiving now, disable route cache. You will see your cpu usage immediately go down. Put rp_filter in loose mode and enable tcp syncookie. Set (only if you use router as border ...
by berlo
Tue Oct 17, 2017 12:31 am
Forum: General
Topic: TCP SYN Flood attack causing high cpu
Replies: 13
Views: 8709

Re: TCP SYN Flood attack causing high cpu

Have you tried removing any rule to activate fast path and letting FastNetMon blackhole traffic?

Why not consider contacting a DDoS protected company to use for incoming traffic forwarded through a gre tunnel? You will save a lot of headaches
by berlo
Mon Oct 16, 2017 11:49 pm
Forum: General
Topic: [Feature Request] sFlow
Replies: 11
Views: 2564

Re: [Feature Request] sFlow

CRS317 is within 250 price range, not something unsustainable and you get 16 10gig ports on dual power supply. If you're running multiple 10gig ports you have ccr1072. The only chance to absorb a DDoS attack is keeping it on fast path. If you use fasttrack or filter in raw you will see unfiltered package...
by berlo
Mon Oct 16, 2017 11:40 pm
Forum: General
Topic: [Feature Request] sFlow
Replies: 11
Views: 2564

Re: [Feature Request] sFlow

If you need to do DDoS detection, best is to put on top or behind a crs317 switch and set up port mirroring.

You can monitor mirrored traffic in real time.
by berlo
Fri Oct 13, 2017 4:09 pm
Forum: General
Topic: Which types of ports would you like to see for a high speed router
Replies: 168
Views: 25444

Re: Which types of ports would you like to see for a high speed router

@normis for me a new router needs to be able to handle medium/high pps during attacks. We have a lot of customers that joined our DDoS protected transit service because they have 100% CPU usage and lose router access during tcp floods (ccr1036 and ccr1072 devices). As personal experience, on our CCR1072...
by berlo
Thu Aug 17, 2017 11:19 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

me too on lab router. Disabling watchdog we see the CPU goes to 100% due to networking process and router became unusable.

Downgrade to 6.40 fix the issue.
by berlo
Mon Jul 17, 2017 3:06 am
Forum: Forwarding Protocols
Topic: Traffic Flow ( netflow) Autonomous system information
Replies: 44
Views: 12190

Re: Traffic Flow ( netflow) Autonomous system information

As a workaround, configure nprobe + ntopng on a vm/server. You can create a virtual interface. For example, create a file /etc/ntopng/nprobe-mikrotik.conf
--zmq="tcp://*:42165"
--collector-port=9996
-n=none
-i=none
where 9996 is the port where you receive flow. Create an ntopng.conf file and insert
-G=/var/run...
by berlo
Fri Jul 14, 2017 1:52 am
Forum: General
Topic: Examples of using RAW firewall?
Replies: 28
Views: 7398

Re: Examples of using RAW firewall?

Yes, I know that post, but the information in it was not correct. Read the last reply of that thread. I write here why blackholing is better:
###################
Blackholing is better because we can use it with fastpath active. Disabling route cache is not an option because this action disables fastpath A...
by berlo
Fri Jul 14, 2017 1:04 am
Forum: General
Topic: Examples of using RAW firewall?
Replies: 28
Views: 7398

Re: Examples of using RAW firewall?

I confirm the word of ZeroByte. We use the raw table on our exchange routers to block some common attacks like SSDP, LDAP, rate limiting DNS... We also fasttrack other traffic and we can absorb some f *large* attacks.

If you need to drop some network, I suggest using blackhole type routing
by berlo
Fri Jul 07, 2017 11:58 am
Forum: General
Topic: IP RAW + Fasttrack is possible!
Replies: 2
Views: 1173

Re: IP RAW + Fasttrack is possible!

These CPU %'s are used to change quite often .... /tool profile shows you cpu usage and values change frequently, but you should not see big differences. My screenshots are the cpu average and the delta is 1-2%. Now the range on AMS router is 17%-19% with 4Gbps in and 8Gbps out. Linx router is 13-1...
by berlo
Fri Jul 07, 2017 5:53 am
Forum: General
Topic: IP RAW + Fasttrack is possible!
Replies: 2
Views: 1173

IP RAW + Fasttrack is possible!

Searching documentation on how to speed up our ccr1072 performance I found this: https://forum.mikrotik.com/viewtopic.php?t=114824#p577193 For me this makes no sense as the fasttrack needs to be tagged in mangle that is after ip raw so I did some tests. 1) first example: IP raw in place without accept...
by berlo
Tue Jul 04, 2017 2:58 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

1036 is single PSU, 1072 is redundant. Also we experienced the same issue on 3 different CCRs.

It is a different case
by berlo
Sun Jul 02, 2017 4:26 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12561

Re: Why source-based blackhole instead of firewall drop

Blackholing is better because we can use it with fastpath active. Disabling route cache is not an option because this action disables fastpath. As a DDoS Protected company we're tuning ccr1072 mikrotik devices that we have on IXs and we have this configuration:
- Fastpath active (i see if we disable rou...
by berlo
Fri Jun 30, 2017 5:48 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

Yes, I read it, but by testing I mean in a real environment. I mean reboots are random. To do this testing I think they upgrade to 1200Mhz, rebooted, test the bandwidth, rebooted... so no time to check if everything is well. For developing products, test stability etc, I think they use standard 1000Mh...
by berlo
Fri Jun 30, 2017 4:39 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

The exact cpu model should be TLR4-07280DG-10CE A0a that is 1000Mhz by default. I was in contact with Mikrotik Support but the result is that they ask for RMA for broken part. I have "hard head" so did some additional testing and found the issue. I really doubt that they will fix it because overcloc...
by berlo
Fri Jun 30, 2017 9:26 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

hi,
yes my previous consideration was wrong, the issue is confirmed on CPU overclock. We identified it keeping serial console opened and after reboot you see a message related to cpu error, something like:

"processor error"
by berlo
Thu Jun 29, 2017 11:49 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

Yes, we have downgraded to 1000Mhz and we have had no more unexpected reboots
by berlo
Mon Jun 12, 2017 10:08 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 123
Views: 16896

Re: CCR1072 watchdog reboot

We fought the same reboot too. We're talking with the support and they suspect a hardware failure, but I can always reproduce reboots with the same conditions, which are: - If you use traffic-flow with selected interfaces (i mean anything different than interfaces: ALL), we have continuous reboot every 3-...
by berlo
Wed Jun 07, 2017 4:22 am
Forum: General
Topic: Raw Firewall - fastpath?
Replies: 0
Views: 337

Raw Firewall - fastpath?

Hi All, I'm trying to set up my ccr1072 to have maximum performance and have some basic firewalling. We receive a lot of DDoS, so the throughput is important. This is my environment: - We monitor traffic and, when an anomaly is detected we divert traffic with bgp announcement to some parallel filters. Filt...
by berlo
Thu Jun 01, 2017 10:34 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

After further investigation we realized that the issue is not on cpu frequency that was changed 7 days ago, but the flow exporter. We did some changes today like moving from all interfaces to selected one and changing inactive and active timeouts. I am reverting back these parameters, meanwhile generated ...
by berlo
Thu Jun 01, 2017 9:38 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

Router worked fine for 2 weeks, but today I got two random reboots with that error "router was rebooted without proper shutdown by watchdog timer". I don't know if it is cpu related or not, so I reverted back to 1000Mhz. If I am still experiencing reboots I will inform users on this thread that is not related to...
by berlo
Fri May 26, 2017 8:55 pm
Forum: Forwarding Protocols
Topic: set multiple communities in filters
Replies: 3
Views: 595

Re: set multiple communities in filters

hi
thank you NickOlsen, yes i realised later that feature :oops:
by berlo
Thu May 25, 2017 10:29 pm
Forum: Forwarding Protocols
Topic: set multiple communities in filters
Replies: 3
Views: 595

Re: set multiple communities in filters

You're right, worked well
17 chain=Filter Out match-chain=Filter bgp-communities="" invert-match=no action=passthrough set-bgp-prepend-path="" set-bgp-communities=0:6939,0:47624
Seems that winbox needs multiple fields, you can't put same 0:6939,0:47624 rule. You need to put each community on each fiel...
by berlo
Thu May 25, 2017 8:26 pm
Forum: Forwarding Protocols
Topic: set multiple communities in filters
Replies: 3
Views: 595

set multiple communities in filters

Hi, I need to set multiple communities in my output bgp filter but it seems not possible. If I set something like:
chain=Filter Out match-chain=Filter bgp-communities="" invert-match=no action=passthrough set-bgp-prepend-path="" set-bgp-communities=0:6939
it works, but if I need to set something like 17...
by berlo
Sat May 20, 2017 8:12 pm
Forum: General
Topic: Which types of ports would you like to see for a high speed router
Replies: 168
Views: 25444

Re: Which types of ports would you like to see for a high speed router

You're confusing the word "modular". Modular does not mean 13u or bigger router. For example ASR 1001 is a modular router and is 1u. http://www.cisco.com/c/dam/en/us/support/docs/SWTG/ProductImages/routers-asr-1001-router.jpg You can set up a 1u or 2u router with fixed ports and a module for expansion to sav...
by berlo
Sat May 20, 2017 4:39 pm
Forum: Beginner Basics
Topic: DDoS Protecion for CPU Model
Replies: 13
Views: 1767

Re: DDoS Protecion for CPU Model

If you use a local ISP for TR traffic you can ask him to put an ACL on your port for some kinds of attacks (like amp, source ports etc). If you're connected to an IX you can use community to filter out carriers where you receive part of the DDoS. For example we have some customers in TR that have your similar ...
by berlo
Sat May 20, 2017 2:48 pm
Forum: General
Topic: Which types of ports would you like to see for a high speed router
Replies: 168
Views: 25444

Re: Which types of ports would you like to see for a high speed router

For the first high end routers I think it is better to create a product with the most used ports. Due to the dropping price of 100Ge ports, most datacenters are replacing SFP28 QSFP etc with them. A modular router is a fundamental requirement. I think something like:
- Default: 1 x Fe Mgmt Port 8 x 10SFP+ port
- Free modu...
by berlo
Sat May 20, 2017 2:34 pm
Forum: Beginner Basics
Topic: DDoS Protecion for CPU Model
Replies: 13
Views: 1767

Re: DDoS Protecion for CPU Model

Nowadays 10Ge is too little to protect a server from DDoS. Better is to contact a company that offers this solution and do remote bgp. As you offer gaming, the best solution is choosing a company closest to you. Where are you colocated?
by berlo
Mon May 15, 2017 4:43 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

@Ascendo For DDoS we're highly specialized on that. For uplinks and edge we use ASR9k. As distribution nexus. But we're now creating a parallel network and mikrotik seems to be fine. This is the project we're building http://seflow.net/2/index.php/en/blog/seflow-european-network-expansion-roadmap (...
by berlo
Mon May 15, 2017 2:40 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Re: Set CPU frequency to 1200MHz on ccr1072

We run ours at 1200Mhz and it seems to work just fine.
Thank you. Following your words I upgraded to 1200Mhz this afternoon. Profile shows that CPU usage lowered from 11% to 8%. No routing issue and CPU temperature still around 43°C
by berlo
Sun May 14, 2017 5:16 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3310

Set CPU frequency to 1200MHz on ccr1072

Hi All, I'm new on Mikrotik (our network is full cisco), but we planned to send 20 CCR1072 to peer on IX's. I just activated one CCR1072 (to optimize the configuration) on local IX with 2x10Ge uplink with 57 active peers. After some optimization I got CPU usage around 11% with about 5Gbps traffic. ...