MikroTik

eduplant

Unfortunately, BGP only gives you the tools to be authoritative about who you send traffic to, not how others send traffic to you. For the outbound direction, you could use policy routing to ensure that 189 always exits ISP 2 if it's up. That's probably not worth it: for some traffic, ISP 1 might be...

eduplant

I usually link the NSRC BGP BCP slides [1] since they're the most concise description I know of for good BGP practice. The default answer I would go with is: Have the internet edge routers participate in OSPF with each other and with the rest of your network. This is how they reach your clients. Hav...

eduplant

I think your only option is to create a filter. There is a remove-private-as option but nothing I'm aware of for filtering prefixes automatically. Generally it's considered good practice to always have inbound and outbound routing policy for BGP even if the logic is straightforward for your network....

eduplant

This requires professional consultancy, who needs to evaluate your business budget, scale, scope, existing network design, transport provider available, transport type, network equipment, number of sites etc. Certainly. I'm personally always glad to engage in a design discussion about a specific pr...

eduplant

I think I might have gotten confused during your follow-up explanation. You mentioned that there are already ISP uplinks at the OFCINA router which are using BGP. Where is the part in which you are moving from static routing to OSPF? Do you have an ISP providing transport for the internal connection...

eduplant

Your reply makes sense to me. Are your ISP links pictured or is this only your internal topology? If this is your internal topology, where do the provider uplinks come in? Running BGP rather than OSPF with another provider (or anyone outside of the administrative control of your organization) is alw...

eduplant

It sounds like you had already settled on a routing policy under ROS v6. Can we see your existing configuration (with any sensitive bits removed)?

eduplant

A couple of observations that might help: 1) OSPF has a strict area hierarchy where a backbone area (area 0) borders all additional areas. The link topology may not be, but the areas must be hub-and-spoke. The exceptions to this (virtual links) aren’t generally considered good practice in greenfield...

eduplant

Adding another voice to the importance of this being implemented. The linux kernel already supports per-interface rp-filters of off, loose, and strict. Maybe there will be some challenges with certain switch chips not supporting per-interface RPF for L3 offload, but giving us the knob to pick a glob...

eduplant

Doubly weird if it's not reproducible in the lab with the same configs. I have been away from my lab for a bit and haven't had time to work on mine. In my case the IPv4 and IPv6 sessions have nearly the same config and the IPv6 propagation pattern is what you'd expect but IPv4 isn't. I'll reboot my ...

eduplant

Very strange. I can't spot the mistake if there is one. You shouldn't need client-to-client reflection especially since neither of your two devices are acting as rr/rr-client. As far as I understand it, the logic is supposed to be: eBGP -> iBGP, send to other iBGP and rr-clients iBGP -> iBGP, do not...

eduplant

There are likely a number of moving pieces to that so more config context might help. Out of curiosity, do you have both a v4 and v6 stack configured on the routers and BGP is carrying both address families (over a v4 peering)? If the routers don’t have a v6 stack configured, the only BGP mechanism ...

eduplant

Hi all, I'm testing a design in the lab and am unsure whether I'm making a configuration error, something I'm doing isn't actually supported, or I'm hitting a bug. To start, here is the design. It is all virtualized CHRs running 7.8stable. The general idea is that there are two regions being simulat...

eduplant

Do we have an ETA on when additional paths (RFC 7911) support is coming? Last year we were told in this thread that multipath and add-path are not implemented even though the add-path-out=all|none knob exists and is documented . I wouldn't personally want development resources diverted away from BFD...

eduplant

RouterOS is more like SQL — so it's tables and relationships all the way down. Every network OS I know of uses a configuration database under the hood, including Cisco/Arista/Juniper. I agree that Mikrotik made the right choice exposing the database semantics as the configuration language rather th...

eduplant

/interface bridge :if ([:len [find name="foo"]] = 0) do={add name="foo"} set "foo" protocol-mode="rstp" That works, too. My point was that whether you write it your way or mine, if you do the entire config like this, there's a lot of extraneous logic to fake ...

eduplant

Are there plans (and is there sufficient community interest) for RouterOS to implement something equivalent to `configure replace` on Cisco/Arista or `load override` on Juniper? I was able to find at least one reference to this from 2016 [1], but I'm hoping that there is more interest in this featur...

eduplant

@Angelos, thanks for the consideration but unfortunately I’m not looking to take on any contract work at the moment. My involvement in the Mikrotik forums and use of the platform is mostly for fun and to enable my side projects. My day job is on networks with bigger scope and bigger boxes. Fortunate...

eduplant

Rather than reinvent the wheel, I usually point folks to the NSRC's intro primers because BGP is a very big topic: https://learn.nsrc.org/bgp/intro_bgp_best_practices A lot of these examples tend to be written in Cisco-ese, but you can always cross reference with the Mikrotik wiki [1][2] for the sim...

eduplant

Looks like you have OSPF set to type=ptp . From OSPF's perspective, the Wireguard interface is a single interface even if more than one remote peer can send packets to it. In P2P mode it's going to assume that there is only one peer on the interface and use the usual multicast/broadcast mechanism. W...

eduplant

On Mikrotik, BGP policy is expressed with route filters under /routing/filter/rule [1]. The syntax works sort of like a mix of the firewall rule chains and a pattern matching language. I’m not exactly sure of the context in which you’re running BGP, but it’s usually good practice to have inbound and...

eduplant

Ah I see, in that case no I wasn't correct. I didn't realize 7.x came with proper BGP multihoming support. Looking at your routing table, they have different next hops and are both installed. Is it possible for you to write a routing policy to localpref up one of the prefixes? That ought to prevent ...

eduplant

It is, in fact, a firewall rule that is preventing our iBGP peers from establishing. Phew, that is a lot easier to explain than what else I could imagine. Glad you found it. My question is, why does this block the iBGP connection between our internal peers, and not the eBGP connection from our rout...

eduplant

From my understanding, BGP multipathing (multiple BGP next hops, both installed) isn’t implemented in RouterOS, however recursive resolution for BGP routes (one BGP next hop, ECMP next hop to reach it) is implemented. This might be what your client is experiencing with two ECMP routes pointing over ...

eduplant

Well seems like reachability is fine since you can see the connection attempts going in both directions. I assume the two sides can ping each other's BGP addresses and the ARP tables are fine? And /ip route check <remote address> shows the interface you expect on both sides? If you forcibly set mult...

eduplant

It should be obvious if you /tool sniffer it, but it's possible that for some reason they're both using different source addresses and subsequently are ignoring each others' connection attempts. If that's what shows up you could try to set update-source to force it to use the address you want. I'm g...

eduplant

There do seem to be an abnormally high number of weird BGP bugs that I see cropping up for v7 in these forum threads. Every week I refresh "Forwarding Protocols" and there's some new cryptic interoperability or feature breakage being reported. Sometimes it's threads about people not readin...

eduplant

Does /routing/route print where ospf show routes but just without the A active flag? If there are received LSAs, it would seem to be an issue installing the routes rather than receiving them. Maybe there is some sort of next-hop resolution problem that is preventing them being installed in the table?

eduplant

Does /tool sniff have anything to say in terms of confirming that the routers are trying to establish a TCP socket? If the connection establishes but something else goes wrong, it might be captured in the BGP logs. You can up the BGP logging in /system logging . I don't see anything obviously wrong ...

eduplant

I stared at this a while until I think I got my head around why this might look preferable to you. It seems like rather than accepting the physical ring shape of your network, the switches would enable somewhat of a transport medium for a series of “point-to-point” circuits between routers that othe...

eduplant

I think you're on the way there. It's possible to redistribute the DirectConnect BGP routes into OSPF as external type 2 and have your preferred path have the lower cost. A couple of observations: 1. Is this OSPF pathway between the routers a dedicated VLAN or is it shared with client devices? If it...

eduplant

Firstly, I am using Bird 1.6.3,. not 2.x. Secondly, I have tried to do that but failed to get the filter correct. Do you have any suggestions? These two opaque routes only exist in the LSADB - they dont show up in routes in BIRD or the mikrotik devices. From a post above, you can see the LSA type i...

eduplant

Been using BIRD a lot lately and glanced at this. AFAIK BIRD 2.X doesn’t yet implement opaque LSAs (see suggestions for future work) [1]. If I follow correctly, rather than filtering them transiting through the Mikrotik, could you filter them inbound in BIRD? That would at least prevent BIRD from er...

eduplant

It’s not always welcome but when I read scenarios like this I like to raise some questions to make sure that what’s possible is the same as what’s wise. Using cheaper switches (like Mikrotik) to act as port expanders for expensive ASR ports makes sense, but what exactly is the goal of bridging the t...

eduplant

I don't think you're missing anything. From reading the documentation, it seems like bgp-as-path is an immutable property of a BGP route in RouterOS 6 and 7. In 6.x, the only AS_PATH related actions in route filters are set-bgp-prepend and set-bgp-prepend-path . In 7.x, bgp-path-peer-prepend and bgp...

eduplant

Glad that’s working. You might want to give CZFan’s suggestion a shot. It seems like from reading the docs that action=redirect is a combination src and dest NAT that is designed to do this. I didn’t know it existed when replying

eduplant

Unfortunately, I'm not exactly sure how you're logging or whether or not something's configured incorrectly. If you wanted to post more of your firewall rules (redacted if necessary) and the NAT config, myself or others could put a second set of eyes on it. A related question: is your NTP server on ...

eduplant

My understanding is that in passthrough mode the DHCP server is handled by the ISP but could be wrong. Seems like you eventually sorted it out but I did want to add some clarification here that the phantom dynamic DHCP server is normal and is a requirement to kludge passthrough functionality throug...

eduplant

If you’re intending to provide layer-2 service to the end clients, then presumably you would build two bridges on the PE router, each with one Ethernet interface, and then set up two VPLS tunnels each linked to a different bridge. If you’re intending to provide layer 3 service, then it would be a ma...

eduplant

No worries; your English is just fine I think it’s the networking concept that I’m missing. If you want to route clients based on their source address, you can use :ip firewall mangle to set a new-routing-mark and then use :ip route rule to determine which routing table to lookup the next hop in. Th...

eduplant

This is a little stale but I was catching up on posts and figured I'd comment. Outbound is easy because as ipanetengineer pointed out; you have routing filters. Whether or not you can do what you want in terms of inbound is very topology dependent and is pretty much impossible to do in an absolute o...

eduplant

I’ve read your post a couple of times and I’m struggling to understand the goal so I can be helpful. If you have a default from one ISP and then a collection of BGP routes from another with no default, the longest prefix match is already going to take care of the circumstance you describe. Traffic w...

eduplant

1) Doing a controller without the ability to have idempotent commit is a fool's errand, and will only end in tears, both for the developers and users. Fix that first, the rest becomes MUCH easier.

+100 on this and the rest of your suggestions.

eduplant

I would vastly prefer development effort be put towards making RouterOS 7 more automation-friendly rather than towards making another single-pane-of-glass management solution. I certainly understand the urge to do so, especially for single-vendor networks that want something that "just works&qu...

eduplant

Sure, BGP only requires TCP reachability so there's no reason that wouldn't work. I would usually advise that you consider the high-availability ramifications but since you only have one router anyway, I'm not sure it impacts the situation much.

eduplant

If the static route to the BGP peer address points to a next hop address, I believe you can continue chaining recursive resolution if you manipulate the scope and target-scope values for the static routes. So for example your static route to the BGP peer address can point to the far side of the loca...

eduplant

Cool - bit of a bummer but I guess that is what "proper" stacking is for Yeah, MLAG and “stacking” really do have completely separate design goals. Because they both share some of the same capabilities, I understand and regularly see a lot of confusion. The real goal of a stacking configu...

eduplant

I don't understand how LACP24's state effects LACP23 ? You’re correct in that there is no direct relationship between the two on the Mikrotiks. In fact, unless you have more than one MLAG member on a given chassis, it doesn’t even apply any LACP load-sharing algorithm at all. This is paradoxically ...

eduplant

Gotcha. You get all of your LACP load-sharing properties back by just adding another link to the currently orphaned MLAG 24. It’s just a LAG from the perspective of “Host 2” (which happens to be an HP switch which then has yet another standard LAG to your server). Is there a reason you can’t do that...

eduplant

The orphaned LACP is "lacp24" the one I want load balanced is "lacp23" - they are 2 different LACPs. Putting the question differently - if I have traffic come in on a single port, how do I get it to load balance across a MLAG ? Pardon the hasty tablet sketch … this type of thing...

eduplant

I suspected something like this, except that some other vendors that support MLAG does this (Juniper and HP, not sure about the rest) - would be nice IMHO Interesting … do you have a reference to the Juniper docs for the knob that enables this? I haven’t had to configure it on Juniper and am curiou...

eduplant

If I understand the question correctly you would like traffic coming from an orphan port (port connected to only one chassis) to be load balanced to both a local member of an MLAG and a remote member of the same MLAG. I have never seen any vendor support this. Cisco’s VSS (iOS/iOS-XR) and vPC (NXOS)...

eduplant

I haven’t tested this myself yet but reading @mrz’s response I’m curious. Since setting distance is conceptually invalid in this case, is the result that the entire filter clause fails to be applied? I would naïvely expect that it would just ignore the irrelevant set statement. It seems reasonable t...

eduplant

If Mikrotik claims this isn't a bug, that is disappointing. I will admit that source address selection in IPv6 is significantly more complicated (multiple scopes and dynamic prefixes with different lifetimes) but for a device acting as a router, you need to be able to have the flexibility to pick yo...

eduplant

So the bug isn't a bug because they never designed it to work for IPv6, but this is needed for the same reasons it is needed for IPv4.. Not working as documented seems like a bug to me.. As in, the preferred-source field of IPv6 routes simply doesn't work? I haven't had a reason to try and set it a...

eduplant

What I dont understand is why the designers of IPv6 built in such colossal waste since a /64 is the smallest subnet, each time a /64 is assigned that space is 99% wasted. It's probably better to think of IPv6 as a 64-bit global address concatenated with a 64-bit local address. Calling the local add...

eduplant

And are the blue and grey lines also physical links? This would mean CE router #3 from the left would have … 6 uplinks? If just counting red that would be 4? Default route is not preferred because only 1 of 8 of their public IP networks not reachable through primary in that case BGP automatically sw...

eduplant

What do the red lines represent? Are each of the 7 firewall icons a different customer or different sites for the same customer? Where do the public addresses come into play? Are they PI or PA addresses? Are you already announcing them to the rest of the world via BGP? Some version of this is proba...

eduplant

There are a number of scenarios and probably “Site to Site GRE tunnel over IPsec (IKEv2) using DNS” is closest to what you’re trying to configure. Frankly now that I’m looking at it, this use case does seem to use a client remote-address that is derived directly from DNS. It’s been a while since I’v...

eduplant

I’m pretty sure you’d want to model it on the “road warrior” configuration [1] with hub side generating dynamic policies. If the hub device can’t have a static address, it gets a lot more annoying. RouterOS cannot natively use DNS names in place of IP address entries so you’ll have to live with some...

eduplant

Ok, I did some more testing and that is exactly the issue. If you enable hardware offloading, it breaks VRF completely. Glad we isolated it. I still think this behavior deserves some inspection by Mikrotik. It's all fine and well to not support VRF via hardware offloading, but the correct answer sh...

eduplant

And just to clarify, I am the ISP Engineer on top of diagram and bottom is CE. Ah okay, that helps also. I usually assume people asking are the downstream customers. So looking at the diagram ... you are sharing RFC 1918 space with a downstream customer? They're not announcing you any public addres...

eduplant

I don't know how to insert diagram. In the post UI there's an Attachments tab next to Options where you can upload images. Once they're uploaded, you can also place them inline. Seeing a diagram would be a big help. 1. yes, it's basically dual homing from the ISP to the customer Same upstream ISP, ...

eduplant

Those addresses are included for virtual links. Currently they are included unconditionally. Gotcha; that does appear to be one of the RFC circumstances in which they would be there. I'm still interested in whether or not Mikrotik is willing to give us a way to pick an address off of a loopback rat...

eduplant

Some questions:

Do you have some specifics about what your network currently looks like? Hopefully a diagram?
Do you have provider-independent address space?

eduplant

I want to use 2 x /25 on my router.
Im advertesing /24 to neighbor.

Yeah you shouldn't need to do anything special with BGP then. The /24 covers both /25s so once traffic reaches you your router will just use the more specifics.

eduplant

I have real IP like (example: 1.1.1.0/24) . I advertesing 1.1.1.0/24 . I want to use 1.1.1.0/25 and 1.1.1.129/25 on my VLAN's. Why do you need to advertise something smaller to your BGP neighbors? Also if you are actually using those two /25s in your network, shouldn't they already be in the table ...

eduplant

Bump.

I know scrutinizing the OSPFv3 database isn’t everyone’s idea of fun

eduplant

Can you confirm the config syntax you used to add the static routes? Did you also include vrf-interface? I didn't specify vrf-interface , I just specified the dst-address , the routing-table , and the next-hop gateway using the <address>@<table> format. I'm frankly not even sure what vrf-interface ...

eduplant

the connections between the various rack are already present and must not be changed (number of fibers). The switches will be connected to PCs and the servers directly to the core switches. There are various VLANs but basically each switch serves a distinct room (classroom). Redundancy is not neede...

eduplant

I’ve been telling myself that the clients in question actually just want a virtual circuit to connect branch routers. Most of the networks that want point-to-point layer 2 just want a cheaper alternative to a dedicated wave and that they don’t have to do anything gross like BGP with site-of-origin. ...

eduplant

Reading your scenario, I get why you're investigating how to do it. I mostly try and discourage people because they look at the features/documentation, see that it's possible, and then end up stitching LANs together for "convenience" rather than for a solid reason. If you're providing esse...

eduplant

The complexity and overhead (header size) is usually pretty directly related to how complicated of a problem it is that the tunneling mechanism is being designed to solve. IPIP is a really simplified tunneling mechanism. Encapsulating IP-in-IP really is meant for devices acting as a router because t...

eduplant

Gotcha. Do you have a sense of what type of oversubscription is permissible? Are these gigabit connections at the edge for client connectivity or are they for servers in those racks? Also what are your requirements for redundancy? It looks like you are trying to have two of everything but in some ca...

eduplant

I would like the maximum possible speed on the backbones but with the current models it seems to me that the only solution is 10G. Mikrotik has a somewhat odd collection of interface speeds on their current product lineup once you get past 10GBE. That's probably going to be the common denominator u...

eduplant

Thanks so much for following up and testing it on your end. So I tested this and inter-vlan routing works but it breaks internet connectivity again like before because my hosts that are on the main routing table are now using the default route configured on a separate VRF. The internet in this case...

eduplant

By default RouterOS is trying to use the IP on the interface closest to the destination for it's output traffic, for exchanges, it is using the exchange IP, which can't be replied to because the are not routed. Ahh, makes sense. You did mention that this was in an IX setting and I didn’t fully thin...

eduplant

Ah I see; thanks for the diagram. Does the client have a second NAT because they’re administratively not part of your organization (and also don’t coordinate addressing with you)? If that’s the case, then you probably don’t have a choice other than to port forward. It’s worth pointing out that that ...

eduplant

Thank you!

Sure thing. I’m curious what your use case is that requires it.

eduplant

From your description I gather that you have a double-NAT scenario and are trying to permit communication between hosts on the inner and outer NAT islands. What exactly are you trying to accomplish and are you allowed to make changes to the overall network layout? Double NAT is rarely helpful. Also,...

eduplant

According to the :routing filter documentation [1] it looks like you can use the :routing filter set set-pref-src=<ip_address> option in inbound filters.

[1] https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters

eduplant

Okay, I think I got it. My test setup is using two v7.1.5 CHRs with one acting as the firewall: donatoroman_topo.PNG When installing your configuration at first I also had inactive default routes. The problem seems to be that the next-hops of the static routes are always looked up in the main table ...

eduplant

Is this on v7.x.x or v6.x.x? I’m not super familiar with VRF on Mikrotik specifically but I’m willing to configure this in my lab and use it as a learning experience. I’d rather do it with a matching RouterOS version since routing and feature support is so different across each right now. Looking c...

eduplant

So the only route required is
add dst-address=192.168.1.0/24 gateway=wireguard1 table=main

Correct, maybe I should have been more clear that the red routes are present in the configs and should be removed and the green routes are their replacement.

eduplant

I had to diagram this for myself to make heads or tails of it. Agreed with @sob here, I think the main problem is just a basic routing issue rather than anything wrong with your Wireguard configuration. To confirm, can your routers ping each other on the addresses (192.168.9.2 <-> 192.168.9.1) you'v...

eduplant

Correct; the routing configuration is significantly different in v7.x.x. You might want to inspect the new wiki for both OSPF specifically [1] and the general changes to the :routing configuration tree [2] before continuing. In the case of :routing ospf network , what you're probably looking for is ...

eduplant

I have been testing OSPFv3 on RouterOS v7.1.5 and run into what seems like a basic issue, but after scrutinizing the relevant section of RFC2740 [1], I can't quite puzzle it out. I'm hoping one of you with more OSPFv3 experience or someone from Mikrotik happens to see this and can comment. From my u...

eduplant

hi, because I need to broadcast my own ip address to the operator through BGP, and at the same time I need to pass the BGP route to others, so I do this Ah I see. So what again is the purpose of check-gateway=ping in your network? If you aren’t invalidating the next-hop via an ICMP check than it wo...

eduplant

Hi，Let me explain to you: my ROS has only one BGP connection, and recently it is due to the line interconnected with the operator, the operator's ip address will lose packets, but the actual line and ping to other ip addresses of the operator are normal Yes, the operator explained that they set a s...

eduplant

Let me explain my network environment to you: I use RouterOS to connect with the operator and establish an eBGP neighbor through this connection. I receive the BGP routes sent by the operator. Do you only have this one link or do you have other links to the same or a different provider? I’m trying ...

eduplant

When the unreachable phenomenon occurs, the BGP route received by ROS-01 from ROS-02 is also unreachable. At this time, when the static route Check-gateway of ROS-01 is disabled, the static route and BGP return to normal. It sounds like you're seeing what I'm seeing, then. I think the behavior migh...

eduplant

Basically we are tricking R2 into thinking it has a way to get to 192.168.30.0/24 via an interface - either with a static route or as a directly connected network. But that traffic will never actually hit the loopback interface - instead, it will be picked up by the IPsec policy and forwarded to R3...

eduplant

I scratched my head looking at this and decided to just test it in the lab myself. Whether or not I can reach the BGP routes is fully dependent on whether or not I have the static route (to 192.168.199.0/24 via 10.10.10.2) on ROS-01 enabled or not. At some level this makes sense to me because I imag...

eduplant

Thanks for the update mrz; glad to hear that the use cases have been persuasive to Mikrotik product engineering. The two options would meet the requirement for me at least, not sure about others' use cases. Presumably anybody desiring a retry behavior wants it to be pretty slow to avoid flapping and...

eduplant

If I'm reading your scenario correctly, this is mostly a NAT problem. Part of the point of having one IP per service in a load balancer scenario is that each service can use the standard ports. If you crush the entire range of IPs and map it back onto one IP via NAT (technically NAPT is the problem ...

eduplant

It might feel a little unintuitive but in the typical case it doesn't matter. From an ethernet perspective, hosts on the LAN don't much care that they're receiving their traffic from one MAC and sending their traffic to another. If you really want to influence it, though, there are two cases to hand...

eduplant

Technically it’s possible as long as the prefix you want to advertise is shorter (in terms of bit length) than the longest your peers will accept (usually /24). Since IP is destination-routed, it isn’t so much a BGP issue for outbound but you could policy route traffic from that network towards a pa...

eduplant

Looking at this again I think I misunderstood the scenario as you having two routers you control on opposite ends of a L3 provider in the middle. I attached a messy mspaint sketch of my second reading to see if that's correct before I open my mouth more. Is this x.x.x.x/x prefix on the far side of t...

eduplant

Have you tried network-type NBMA, static OSPF neighbors and static routes for the neighbors? Anything with broadcast hellos in either direction won’t work because of the tunnels and the intermediate routed hops. As long as both sides of the IPsec region have enough to figure out how to unicast to t...

eduplant

I would be really surprised if there is a technical reason that it is difficult to implement maximum-prefix but I don’t know enough about the new BGP architecture in 7.0 to say. AFAIK maximum-prefix needs to kick in far earlier than any of the parts of BGP processing that are performance critical. I...

eduplant

Could be a number of things but it’s sort of hard to say without a better sense of your configuration and the full topology. Even then, I would probably be collecting packet captures and manually trying to inspect what’s happening both on the 88 LAN and the 1 LAN. If you have some more information I...

eduplant

This is a legacy parameter that initially was used to not overflow available memory. Is overflowing available memory truly a non-issue? I get that with software packet forwarding, the only real limitation in the lookup table is the size of RAM and that is becoming --- or is already --- a nonissue o...

eduplant

Not 100% my area of expertise but I do seem to recall that if you have devices in the MPLS network that do hardware forwarding, there are some ASICs that try and introspect past the MPLS label and can cause some subtle mishandling of VPLS payloads. The phenomenon that I recall was this one [1] where...

eduplant

This post is a little stale but hopefully you noticed the later thread: https://forum.mikrotik.com/viewtopic.php?t=182402 What you're describing is technically doable and according to your output, the two OSPF routes are installed with a + for ECMP. It seems like you probably hit the bug with ECMP o...

eduplant

I stood up 3 RouterOSv6.49.2 CHRs on a LAN, configured an extremely basic OSPFv2 configuration, and let it go. In my case, no adjacency successfully forms and all three routers cycle through adjacencies with two other peers. Presumably this is because the whole conversation happens with the multicas...

eduplant

To confirm: it sounds like you’re saying that using OSPFv2, you run a single broadcast segment where one router is configured as “point-to-point” and the other 4 routers on this same broadcast segment are configured as “point-to-point”? Typically I would think in this case you would use “point-to-mu...

eduplant

Saw this didn’t get any sort of reply; figured I’d take a shot if you still are looking for help. What exactly isn’t working? You mentioned BGP but also that default was being redistributed into OSPF. Is BGP only eBGP with upstream providers? If both router 1 and router 3 are originating default in ...

eduplant

The question is the following: If I wanted to make another supply point dedicated to a segment of the network, physically in another geographical position, not necessarily interconnected to the first, I can also announce some IP of the mi / 24 that I do not use or I need a other subnet / 24 public ...

eduplant

One observation would be to be careful if you plan to implement stateful firewall rules on the CCRs. I can’t think of a simple way to avoid some traffic asymmetry if your BGP border routers and client LAN routers are the same. connectlife is right that there isn’t really anything that VRRP should im...

eduplant

I thank you for the competent and detailed answer. Your suggestions were useful and functional. :) Everything works perfectly. Great, glad to hear it. A question arises, having only one public subnet / 24, and aware that smaller subnets cannot be announced in eBGP, he asks me if it was possible to ...

eduplant

RouterOS v7 route filtering can filter routes created by other OSPF LSA types routes I believe, not just external LSAs.

Documentation does say that there’s an ospf-type= matcher in routing filters … maybe I should have tested before opening my mouth

eduplant

The particular use case is to prevent routes advertised by Neighbor A due to a bug from spreading further to the network I think you can use two different OSPF Instances in your router, using redistribute-other-ospf. With different OSPF Instances, you can use ospf-filters between them. Yeah with th...

eduplant

As for actively harmful effects - yes, nothing should beat a connected route, but knowing how SW development often goes, it is hard to predict what it might actually cause at some recipient. Agreed. If I were in your shoes I would be looking for a way to filter it too :). Anything in 127.0.0.0/8 is...

eduplant

FYI actually all three status types are determined locally on the RTR client. Validator just sends the list of prefixes and originator AS. Yeah, you’re technically right. I was mostly focusing on how “unknown” is determined. I can’t find anywhere that requires that “I can’t talk to an RPKI validato...

eduplant

We will think of some solution not to make whole chain invalid after validator goes down. Part of my last reply included a suggestion for the changed behavior and I’ll try to reproduce it in case its helpful. I was curious where the determinations for “valid”, “unknown”, and “invalid” come from. Ac...

eduplant

The particular use case is to prevent routes advertised by Neighbor A due to a bug from spreading further to the network - in particular it was advertising 127.0.0.1/32. Oh, strange. I suppose there isn’t a way to prevent it from being advertised on neighbor A if it’s a bug, then? Does it have any ...

eduplant

Looks like we lost the last two posts here but one of my bigger takeaways was to confirm my understanding of what Jan observed. Is it really the case from what you observed that routes that 1) survive the inbound filter based on RPKI status + operator policy, 2) survive route selection and get insta...

eduplant

I would imagine this is by design. With a distance vector protocol, ingesting -> modifying -> propagating routes is part of normal operation and path determination. On the other hand, with a link-state protocol, every router in the network needs to have a consistent view of the topology (or at least...

eduplant

...not limited to forums...complete domain mikrotik.com wasn't available for me on sunday - including DDNS / Cloud Service. I am sitting in central Europe

Same in North America. Condolences to the Mikrotik staff who are probably having a stressful Monday morning responding to whatever it was.

eduplant

Did the forums get reverted to an earlier database snapshot or something in the last 24 hours? It appeared to be down from North America and is back now with at least one thread I was active in missing and several more without the most recent replies. (Didn’t see an appropriate misc/meta board so I ...

eduplant

Not being able to see the advertisements is a little rough. At least it sounds like it’s going to be implemented it’s just not ready yet. How is the new /routing/routes working for seeing inbound routes in your production environment? According to the docs: “Read-only table that lists routes from al...

eduplant

Can you include some of the relevant config snippets and maybe a quick diagram?

eduplant

I think the current word is still that it’s not implemented yet. mrz from support indicated this back in August [1] and I still don’t see it in v7.1stable. Here’s hoping that in addition to a view of RIB-OUT we get a proper RIB-IN with the new BGP implementation :) [1] https://forum.mikrotik.com/vie...

eduplant

Thanks for the info. I usually like to check that it’s necessary because the easiest way to run BGP in your network is to not have to run BGP :) With a single internet edge router and two ISPs, you won’t have to bother with iBGP. My short list of recommendations would be to: Only accept a default ro...

eduplant

I was doing this pretty late at night and think I was a bit sleep deprived. Thinking about it with a clearer head in the morning, of course there’s no IPv4 NEXT_HOP because there’s no configured IPv4 address to use. Does your configuration have at least one IPv4 address configured to use as transpor...

eduplant

Update: Redistributing static routes produces a similar result where expected behavior occurs with IPv6 routes but not with IPv4 routes. The one eligible tie-down static for 1.2.3.0/24 makes it through the out filter but not the in filter on the other side. The packet capture witnesses it go out wi...

eduplant

I had the lab open and figured I'd take a crack at this. I get unexpected behavior also, although in a slightly different way. Whether I use synchronize=no or synchronize=yes plus a static tie-down route, the 1.2.3.0/24 address does show up in /routing bgp advertisements for me. All is not well, tho...

eduplant

Might want to take a look at the Mikrotik wiki for outbound load sharing strategies [1]. Firewall marking + mangle might be the right way to go here. Exactly what to configure would require more context about what else these routers are doing (NAT/firewalling/etc.). Presumably if you're doing BGP tr...

eduplant

You might want to do a bit of reading about the protocol itself followed by something like this BGP best current practices talk from the NSRC [1]. A couple of questions for the sake of understanding: 1. Do you have your own ASN or are you being provided with a private ASN from your upstream provider...

eduplant

I'm not aware of a way, unfortunately. If this is just for the sake of convenience while testing things, have you considered using IPv6? Link-local addresses have the autoconfig property you're looking for. Alternatively, since you mentioned that they're just point-to-point links, have you considere...

eduplant

Is anyone aware of a good way to approximate Cisco/Juniper ` ip unnumbered ` behavior with IPv6 in RouterOS? For those not aware (there are only a couple of mentions of the concept on the forums and they're quite old) the point of ` ip unnumbered ` is to avoid having to assign unique IP prefixes to ...

eduplant

+1 on re-implementing /ip/route/check In addition to losing its functionality for scripting, its absence is a big loss for human troubleshooting. Even though it's possible to inspect the routing table in close detail to determine the next hop yourself, I submit that this is missing the point. Arguab...

eduplant

For those who are interested, I have a simple mDNS reflector developed by myself and running in Docker. It is just hundreds lines of code in C, supporting both ipv4 and ipv6: https://github.com/vfreex/mdns-reflector I haven't done any testing yet but this looks really useful. My workaround from thi...

eduplant

Oh good question @colin, I don’t know of a way. Perhaps adding :resolve server=8.8.8.8 might be handy.

eduplant

Thanks @cthil and @Cha0s for the feedback. At current, I use an external resolver via HTTP/CGI interface to circumvent the limitations of the internal one and would be VERY happy to abandon that path. Truth be told, I'm trying desperately to avoid taking this path in the first place. I'm working on ...

eduplant

I didn't realize there was a thread that was this old about frustration with the RFC-noncompliant nature of DNS resolution in RouterOS. I think @alaine was on the right track in 2015 when they suggested that the best angle to take is a backward-compatible improvement to :resolve . Anyone still follo...

eduplant

I don't see a problem with :resolve, it just resolves to which address to go. In a literal sense, I agree. This is why I'm suggesting that the default behavior without type= or full-answer=true be preserved for backward compatibility. Getting a single answer is a useful property of :resolve . Not e...

eduplant

+100, again.

Even if the actual mechanisms aren't directly supported, arbitrary DHCP option requests and values would be really handy.

eduplant

Hello, I just posted a feature request in a separate thread but wanted to at least link it here for possible visibility: [Feature Request] :resolve DNS Client Improvements One of the advantages of RouterOS is its scriptability and the strength of its shell syntax for getting things done. New improve...

eduplant

One of the advantages of RouterOS is its scriptability and the strength of its shell syntax for getting things done. New improvements in the :system and :tool areas have given us more tools than ever, and augmenting existing features with script="" hooks have given us even more places to u...

eduplant

On a HW routerboard, you can set the onboard serial baud rate (usually for `serial0`) with `system routerboard settings set baud-rate=<rate>`. Another way seems to be to press `s` during the boot process and select it that way. CHR shows only `routerboard=no` (for good reason; it isn't one), but thi...

Search found 141 matches