MikroTik

osc86

Unlike TCP, GRE is completely stateless, there's no way the router knows if an incoming GRE packet is new, related, established or something else. On both endpoints of the tunnel you need to have these firewall rules set up. Output chain's default action is accept, so you only have to do it for inpu...

osc86

@baks this is why the drop invalid rule is placed AFTER the accept established,related,untracked rule. 1 ;;; defconf: accept established,related,untracked chain=input action=accept connection-state=established,related,untracked log=no log-prefix="" 2 ;;; defconf: drop invalid chain=input action=drop...

osc86

File from 159.148.147.204 is corrupted.
https://159.148.172.226/routeros/6.44.5 ... 6.44.5.zip seems ok.

osc86

Any updates regarding the SNMPv3 PrivAuth <-> Dude Issue?
For sure there's something wrong, I set up a new dude server and this "bad packet" error happens on all my devices running 6.45.1, LibreNMS works fine, though.

osc86

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

same here, no issues.

osc86

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

osc86

I can also confirm snmpv3 does not work in 6.45rc50 with Observium or snmpwalk.

@slackR Did you already open a ticket at Mikrotik Support?

osc86

for some reason, my device isn't responding to SNMPv3 queries anymore, since I upgraded to beta50. I'm using LibreNMS for monitoring my devices, also tried manually with snmpwalk -> no response. EDIT: [admin@CORE] /snmp community> pr d Flags: * - default 0 * name="librenms" addresses=::/0 security=p...

osc86

osc86, I can not reproduce the issue. Can you please send a supout.rif file to support@mikrotik.com?

Done. [Ticket#2019051022005463]

osc86

After upgrading from beta31 to beta34-42, all IKEv2 PSK ipsec tunnels don't come up, getting Authentication failed in the logs (yes, psk is the same on both sides, hasn't been changed). Downgrading to beta31 again resolves the issue. 16:50:20 ipsec notify: AUTHENTICATION_FAILED 16:50:20 ipsec,error ...

osc86

After ugrading from beta31 to beta34, none of the ipsec tunnels work. Reverted back to b31.

osc86

After I had big problems with ipsec in 6.44.1/hAP ac I remained using 44.1 for a while. Thinking that beta31 had already those issues fixed, I tried to upgrade with the following IPsec configuration: /ip ipsec peer add exchange-mode=ike2 name=router passive=yes /ip ipsec policy group add name=RoadW...

osc86

So this means wired 802.1x is now supported I guess. Any idea how we can configure this through CLI ? Also is there a planned GUI support version of it coming soon ? Before anyone asks. Configuration options for dot1x are not yet enabled in this release. Coming in next beta, most likely next week.

osc86

I have an CHR install which capsman is running. On 6.45beta27 I noticed that when I try to see on winbox the "Configurations" tab under Capsman settings or "CAP Interface", winbox close/crash without any error on Log window. I also updated to latest beta (6.45beta31) and sitll issue persist. My win...

osc86

I hope they'll add an option to remove single SAs in the future.

osc86

----------------------
!) dot1x - added support for IEEE 802.1X Port-Based Network Access Control (CLI only);
----------------------
Amazing news! Thanks!

osc86

igmp-snooping is killing ipv6 connectivity, by not forwarding neighbor solicitation messages.
FF02:1:XXXX:XXXX isn't listed in MDB table, so no NS messages are exchanged between hosts.
This happens at least since beta22.

osc86

so why are we sitting with &^%%$& 16MB of NANDs

I agree, this is ridiculous

osc86

uninstall tr069 package, remove everything from /files, upgrade only routeros, after suiccessful upgrade install tr069 again

osc86

Tested Version on CCR1036-12G-4S - ROMON is not showing up in a discovery - ROMON appears to have been broken or some part of it. - CCR1036 is not showing up in ROMON list anymore after 44.1 installed. Anybody else seeing this.... or not! ? Updated a CCR1009, 2xCHR, 951Ui-2HnD, 750G r3, 2x 941-2nD ...

osc86

BUG – v.6.44 on ARM boxes RB3011 is losing IPSEC configuration After upgrade of ARM boxes (RB3011) to latest stable version 6.44, IPSEC is not working. Winbox GUI /ip ipsec section in is empty and no new config parameters can be added; In console /ip ipsec export gives just info that all subsection...

osc86

*) bridge - fixed possible memory leak when using "ingress-filtering=yes" on bridge interface; How did this bug manifest itself?? Been using this setup for a while and didnt notice any issues, on the other hand I dont really monitor that closely. I reported this problem to mt support. It occured on...

osc86

Another "bug" from version to version, form stable to stable release

"Future" time on GRE tunnels in (up\down) status field
May be someone know how it resolve?
Thanks!

Check System / Clock

All tunnel interfaces show the correct date and time on my devices.

osc86

updated a CCR1009 from 6.43.12 to 6.44 -> Lost connectivity on all eoip (ipsec) interfaces. Update: so it seems that this update broke ipsec completely on my device. The router locks up every time I try to access any menus under ip / ipsec. I only have about 5 tunnels configured with very basic sett...

osc86

I noticed a memory leak when bridge is set to frame-types=admit-only-vlan-tagged.
What is the device model affected?

CCR1009-7G-1C-1S+

osc86

I noticed a memory leak when bridge is set to frame-types=admit-only-vlan-tagged. Winbox and cli are unable to display interfaces / vlan / firewall rules etc after a few hours. A supout file takes like forever to generate and is corrupt when done.

osc86

are they still working on a fix?

IMG_0658.jpg

osc86

Most likely a supout.rif file is already generating in the backgound. Is there an autosupout.rif file in the Files menu? No, there are no files at all in the files menu. I had rebooted and tried again. It is still trying to generate the supout 5 hours later. If I go to the command line and type "/i...

osc86

thanks FransUrbo!
This also fixed the problem with iOS devices.

osc86

I still see SAs are not removed when they expire. Why isn't it possible to remove single SAs?

osc86

After updating CCR1009 to 6.43 there is a problem with port stability! Has anyone else encountered such a problem?

I doubt this is a software issue. Seems only one port is affected.
I don't have such a problem on my CCR1009.

osc86

We have a huge memory leak on the new 6.43 code running on our CRS317's. Some devices seem to be more affected than others, but within 10hrs the device reboots due to low memory. I encountered the same problem on a CCR while it was still rc. MT Support was unable to reproduce / fix it. Only a netin...

osc86

The comment column is missing in ipsec peer menu in winbox, and my id is shown twice

osc86

osc86, we are aware of the issue. It will be fixed until 6.43 is released in current release channel.

Something must have been changed with ipsec processing in rc64. No traffic is passing through the tunnels.
I moved back to 56, where everything works fine.

osc86

I lost all ipsec connections after updating to rc64 because of a bug in peer profiles.

osc86

even more important, the memory leak is still not fixed

osc86

Yesterday I set up an ipsec connection between 2 devices, one running 6.42.6 the other 6.43rc44. All IKE related settings were the same on both devices, but I wasn't able to establish a connection, unless I changed the hash algorithm to sha256 on the one running 6.42.6 and sha1 on the other. When I ...

osc86

anyone noticing a memory leak that ends with a kernel panic? this is on a CCR1009-7G-1C-1S+ running v6.43rc44

osc86

CPU hog issue is still not fixed in rc28
(Ticket#2018010522007579)

osc86

any updates on this, did you get it working?

osc86

Adding or removing vlans in MSTI makes my 1009 unreachable on all interfaces, have to power cycle to regain access.. 100% reproducible

osc86

How to correctly add virtual interfaces like eoip tunnels to the bridge? I tried 2 ways to get this working, without any luck. 1. When I add the tunnel interface as port to the bridge and create vlans on the bridge, the interface never comes up because of constant STP Learning/Discarding. I didn't f...

osc86

*) ipsec - allow to specify remote peer address as DNS name (CLI only);

does this mean ipsec tunnels can be established between 2 sites with dynamic ip addresses, so I can get rid of the additional L2TP Tunnel?

Search found 43 matches