MikroTik

mikeeg02

Some things to consider. Max phy MTU on the rb2011 is limited much lower than you appear to have set on the 1100. RB2011 series ether1-ether5:4074; ether6-ether10:2028; sfp1:4074 RB1100AH ether1-ether10:9498; ether11:9500, ether12-ether13:9116 https://wiki.mikrotik.com/wiki/Manual:Maximum_Transmissi...

mikeeg02

There are many things you have to be considerate of when running networking over wireless links. Bandwidth considerations and qos methods may need to be implemented to keep ospf adjacencies and determine which traffic is given the best effort. While wireless registration may not have dropped, have y...

mikeeg02

OSPF and MPLS configured, but VPLS is not UP MK-06 /mpls interface add disabled=no interface=all mpls-mtu=9000 /mpls ldp add afi=ip,ipv6 disabled=no lsr-id=10.255.255.6 transport-addresses=10.255.255.6 vrf=main /mpls ldp interface add disabled=no interface=ether1 transport-addresses="" ad...

mikeeg02

Post your config. I have been able to successfully pass vpls traffic on my test bench with 7.1 between a few rb1100ahx4's I use for testing.

mikeeg02

I never had reboot on 2004, but packet loss. I use the latest lonterm+latest routerboot and it works flawlessy. we have a policy that reboot each router every 14 days at night to avoid issues. 0 issues till now. on the 7.1rc4 it was very unstable on some test units, rebooted on the bench, upgraded ...

mikeeg02

I do have good up time on ros7.1rc4. Its missing features that I need for production (that and using RC software in production is foolish) In current use its not doing much (just using at home now) but Ive never achieved this long of uptime. Not using cake, but am using queues for upload and ospf ov...

mikeeg02

viewtopic.php?t=164578

I'd advise you to read through this thread. There are a few. Also, there are limitations to how many s+rj10 you can put in close proximity. I don't have the link off hand, but I'd suggest you search for it.

mikeeg02

We recently bought two of these for use as BGP routers and I just discovered this topic. We haven't implemented them yet and now I'm a bit anxious about it. We might implement one of them just to see how it behaves. If youre ok with random reboots and can tolerate that. Go ahead. Otherwise best adv...

mikeeg02

It really doesnt sound like your vm running kiwi has access to the external network interface, only internal, since your vm's all can send to your kiwi. If I am understanding what youve written properly.

mikeeg02

May as well reboot it twice more and see if 7.1rc4 does anything for ya.

mikeeg02

Its easy enough to do a packet capture and verify the device is sending the syslog packets. Im betting its an issue with your kiwi setup.

mikeeg02

Dont worry, on v6 they will, sometimes within 12h of eachother. They are special like that. Hope they arent important.

mikeeg02

Im not sure we are ever going to get a fix in v6. Sanders is about leading the way with uptime on 2004s at this point on 7.1rc3, and I am seeing good results with 7.1rc4. But I havent put them back into production, as mpls/vpls is a requirement and vpls is still broken. for me, 7.1rc4 rebooted twic...

mikeeg02

I dont use kiwi, so Im not sure how their filtering works, but you have 192.168.88.1 setup as a source on kiwi, and your logging src-address for the mikrotik is default 0.0.0.0. While the log packet would have a source-ip of 192.168.88.1, kiwi may also be filtering based on the src-address of the lo...

mikeeg02

Im not sure we are ever going to get a fix in v6.

Sanders is about leading the way with uptime on 2004s at this point on 7.1rc3, and I am seeing good results with 7.1rc4. But I havent put them back into production, as mpls/vpls is a requirement and vpls is still broken.

mikeeg02

In our case no, MPLS uses all the OSPF learned routes Hello timers are always reduced to 1s for OSPF. But I fail to see how it would have any impact on MPLS/LDP as they are separate processes. MPLS should simply see any route change then adapt labels accordingly, doesn't matter if its very slightly...

mikeeg02

But does not help in some cases. Just again had to disable/enable MPLS as OSPF had learned a route but MPLS did not. Even disabling the interface did not help. MPLS sends packets into nowhere while a route exist. MT does not fix these bugs for years now. I assume you guys have also limited mapping ...

mikeeg02

millenium7 :

Did you ever set the hello timers in mpls to match the hello timers in ospf? Thats saved me a lot of grief over the years.

mikeeg02

6.48.5 with 1 day and 5 hours crashed the RB, going back to 6.47.10 I made a scipt that every 3 days it reboots. My 2004 just does OSPF. It's a lot of suffering If its just doing ospf you may consider 7.1rc4. Been pretty stable for mine as a firewall. 30 days tops with any 6 release. There's a slig...

mikeeg02

The later 6.47 series fixes the issue with them. 6.47.7-6.47.10 are the versions you'll want to run. The earlier versions has some snmp issues that would do exactly as you describe. I have around 50 of them in the field and experienced what you're going through. My preference is 6.47.10

mikeeg02

I don't believe there's a way to create 2 VPLS tunnels to the same location so I couldn't just separate the the links into 2 OSPF paths to split the traffic that way. You can have as many tunnels between the two points as you want. Just use a unique vpls-id. Since you are using mpls-te you could ad...

mikeeg02

The fact you added a masquerade rule to the rb1100 on the ovpn out interface and can now ping the server leads me to believe the route in the server (dst-192.168.88.0/24) to use the vpn client isnt correct. A trace route from the server to 192.168.88.x should show if its trying to use the proper gat...

mikeeg02

In winbox, attempting to add (clicking the +) or edit (double click the interface) a vpls interface closes winbox immediately.

CLI works fine.

winbox 64 3.29, tested on both a ccr2004 and a ccr1009

But atleast the vpls tunnel establishes!

mikeeg02

Would be helpful to have the rest of your firewall rules, but you likely need to add a forward chain rule, and make sure its above any drop rules in the forward chain. /ip firewall filter add chain=forward src-address=10.9.0.0/24 dst-address=192.168.88.0/24 action=accept In the client machine you ar...

mikeeg02

Does CCR2004 still crash using capsman? I will ask daily, no worries. On a test today I started capsman and connected a client, it provisioned client and is still running. Not using it for anything, just test device. 2004 is still running. 2004 capsman.png EDIT: ccr2004 with rj01 sfp will only nego...

mikeeg02

It would be very helpful for you to provide an export of your config and post it, our answers would be much more helpful. That being said, you should be able to use simple queues to prioritize traffic the way you want (If I am understanding your request the way you intend it) I have made some assump...

mikeeg02

VPLS causes an immediate crash. I have to disable it on the far side to get the router out of a reboot loop. That was one of the first things I tried as well, but per documentation, ldp signaled vpls is only "partially working" First tried with two rb750s, then I tested with a ccr1009 and...

mikeeg02

According to the code section written above on CRS2 your are using tagged 3902, though you have told us just before that, you are using 1000.

post.png

Also, I think its recommended not to specify untagged ports, they will be dynamically added when you set port pvid.

mikeeg02

Silly question, the devices you are trying to access are using 192.168.2.1 as their gateway?

And you definitely waited the 3 minutes or so after disabling the nat rule, to allow the firewall connection tracking to release the nat connection?

mikeeg02

Changing the bridge configuration didnt make a difference for me, but this should. I missed it because its not a line in your config. /interface ethernet switch port set switch1-cpu vlan-header=always-strip vlan-mode=fallback set switch2-cpu vlan-header=always-strip vlan-mode=fallback To match the r...

mikeeg02

Unless you are doing site to site with another router, remove the bridge from the ppp profile, then remove the nat rule. Wait for the connection to drop from connection tracking (3m by default I believe) /ppp profile add change-tcp-mss=yes dns-server=1.1.1.1,1.0.0.1 \ interface-list=LAN local-addres...

mikeeg02

The current export file from the router would be helpful. Additionally, when removing your nat rule, you have to remember to wait for the timeout, and/or remove the connection from the firewall. If the connection tracking is still running from the nat rule, it will fail until the connection is dropp...

mikeeg02

Can you give us a current export of your config?

mikeeg02

In mikrotik the default untagged vlan is 0 anyway. But the other settings will need changed.

vlan-header=always-strip
vlan-mode=fallback

mikeeg02

In winbox you can click the up arrow. I think the other changes are more important though. I think the reason this is necessary is because of how the bridge processes the dynamic (vpn) traffic.

winbox.png

mikeeg02

You need to re-configure for vlan filtering so that the switch will do hardware offloading. Move the vlan interfaces to the bridge, and set appropriate pvid on untagged and set tagged vlan interfaces and set the bridge to vlan filtering. Then you can still run your dhcp client on vlan1 After this un...

mikeeg02

It looks better now though it looks like they have been removed. For whatever reason earlier on mobile Chrome browser I noticed the same.

mikeeg02

You can manually set each in winbox so you can be sure the default vlan id goes away. Depending on how you are accessing the router, you may drop connectivity briefly, but it should come back after winbox closes. If its remote, safemode may be worth utilizing.

mikeeg02

You'll still need proxy-arp on the remote bridge if your VPN pool ips are in the same subnet as the remote Lan subnet. But I think you will be able to make this installation like your others. If your other installations are revision 1 routers I think the default switch chip settings worked fine. Whi...

mikeeg02

Thats what my 3011 looked like and it caused me issues with remote untagged traffic. If you paste the code above in terminal it will set them the same, and you may find it fixes your problem.

mikeeg02

I came across some odd behavior in a new r2 revision 3011 that won't show up in an export.(as it was from default config) I'm not sure if the r2 2011s have the same default configuration now, but get a winbox screen shot of the ->switch then port tab. The problem I had with the 3011 was everything i...

mikeeg02

I read what he had wrote, and am familiar with what he has. What I was fearful of was that you may of confused it with the older model with the switch chip when you made your suggestion. I have seen this on the forum several times(Not you specifically, but the model). Unfortunately, without personal...

mikeeg02

That I agree with and understand. But the way it was written above could have been misconstrued by someone newer to mikrotik. And I was fearful he was referring to the older hardware that did have a switch chip in it. While the newer version does not. Which of course did not require such a poor reply.

mikeeg02

Because of the way the sequence of posts went. The post prior to the one I quoted said "CRS112 does not suppport Bridge VLAN filtering along with VLANs... So you should use the old way of VLANs..." Yours directly following says "But the CCR1009 does so you should use the link provided...

mikeeg02

But the CCR1009 does so you should use the link provided for that device.

Have to be careful with this one.

The CCR1009-8G has a switch chip on 1-4.

The CCR1009-7G does not.

mikeeg02

In addition to what was asked above.
48 and 50km microwave / radio paths are very long. What are you considering good signal?

I think as stated above is on the right track, you're going to have to look into you're wireless statistics.

mikeeg02

I assume you're using winbox, for queues to work with bridge you need to go to interface bridge settings and set use-ip-firewall to yes or enabled. Your AP default configuration has a firewall, and would have that enabled. Default with no config, the router sets use-ip-firewall to no or disabled.

mikeeg02

Actually, the answer is maybe. With the factory ac adapter, it makes 24v. So under system/health the voltage would say 24.x V. If your POE is a 48v model, under system/health the voltage would show the higher voltage. But if the POE is of the 24v standard, then I dont think you can. Routeros seems t...

mikeeg02

For the diehards still trying to use these, any updates on stability? Been quiet in here.

mikeeg02

MIKROTIK RB433GL WLAN 10.70.0.0/24 interface ip 10.70.0.1 LAN 10.30.0.0/24 interface ip 10.30.0.180 GW on mikrotik is 10.30.0.254 I know you have WLAN's ip listed as interface, but is WLAN a bridge port? If it is, in the bridge settings you would need to enable ip-firewall. The rest of the configur...

mikeeg02

Firewall FIRST rule is set to
cahin forward
dst. address 10.30.0.0/254
action drop

and i still can access to web servers / web pages on network 10.30.0.0/24
HTTP or HTTPS

Is your destination address in your rule /24 or is it /254 as your post says?

mikeeg02

The packet sniffer is far more powerful, it generates an actual wireshark capture file you can copy to your computer, and open with wireshark, and see every piece of info on every packet. Just like you captured it locally with your computer. You can also specify tx, rx or both on an interface which ...

mikeeg02

My apologies, I was a little dyslexic with some of the numbers. Re-reading what isnt working, it sounds like R3, and R4 need either the gateway put into them, or a static route also entered into them for the 10.0.0.x/24 subnet and utilizing the 10.10.1.254 gateway. As you said, R1 and servers 10.0.0...

mikeeg02

Simplistic fix is to enable proxy-arp on the bridge on R2 that the R3,R4, etc connect through. In my opinion the better approach is to put the sstp tunnel traffic on a subnet different than that the client's use.

mikeeg02

Have they implemented the self destruct option in software for them yet?

I have 8 or 10 of them sitting behind me taken out of production.

Still frustrated with that financial contribution.

Hoping someone reports life is good with them again so I can use them for anything.

mikeeg02

If he changed his ppp network addresses like provided in the screen shots, thats why he can now get to his existing 10.0.0.0/8 subnets attached to the router. The reason he couldnt before is because he was trying to overlap his ppp and local to the router subnets, which is why I suggested changing t...

mikeeg02

/ip firewall filter add action=accept chain=forward comment="Allow new connections through router coming in LAN interface" connection-state=\ new in-interface=ether1 Looking at your firewall config, ether1 is your WAN, and in that rule you're allowing all new forward connections from your ...

mikeeg02

In the PPP profile, put the local address as an arbitrary non-used ip range IE 192.168.255.254, and for the remote address make an /ip pool in the same subnet. Then in your PPP clients leave "use default gateway on remote network" enabled, and now you can get to the subnets available to th...

mikeeg02

Why are you entering the ip address in the windows box?

mikeeg02

Add a route in the client for 192.168.11.0/24 with a gateway of 192.168.102.1. Trace route agrees its going through your local gateway.

mikeeg02

If you want them in the same broadcast domain, this may help.

https://wiki.mikrotik.com/wiki/Manual:B ... _bridging)

mikeeg02

In your client routing table, if it has the vpn as the default gateway it should have something similar to this, where 192.168.55.254 is my vpn local address. See how the metric has changed to prefer the vpn for default gateway vs local, which in my case is 192.168.88.1. vpn.png If you add the route...

mikeeg02

Add the route in the client. Not in ppp.

In windows it would be route add 10.0.0.0/8 10.0.0.1

mikeeg02

If you run a trace route to 192.168.11.1 or any of the ip addresses assigned to interfaces in the router, what does that show?

mikeeg02

Is the client device configured to use the vpn as default gateway?

mikeeg02

From what I can see, In the remote device connected via l2tp,("thebox") add a route 10.0.0.0/8 to use 10.0.0.1 gateway. I would bet that you have it set to not use the l2tp server as default gateway? In which case you will need to add a route. It should be able to ping and/or telnet/ssh in...

mikeeg02

I have changed the partition and installed version 6.47.10 so far so good. I don't know which baton he sent me, but now I don't see the original partition. Only the current one remains. And I would like to refloat that partition to have a backup in the event of a failure. If possible I would sugges...

mikeeg02

What do you think if I activate the other partition that contains very old firmware. (6.45.1) If it was a firmware problem or an attack (malicious software entered) the problem should disappear. If it's a hardware problem, continue. Wasnt there some serious vulnerabilities discovered in the 6.45.x ...

mikeeg02

If youre trying to stop broadcast traffic between client bridged vlans, I think you could to add the clients ports to the same horizon, and leave your internet port out of it.

Split horizon bridging.

mikeeg02

Max-limit is going to be the maximum value on the interface, usually minus 10% as a safety net and thats up to your discretion. You can also use this to help limit with customer bursts. Which leads to my second part of the statement, you are going to have to limit the bursts. If you are not shaping ...

mikeeg02

Like Sindy said, you would use the set-priority to assign the COS value in the vlan tag on outgoing packets so that the wireless link would make the decision to drop lower COS value traffic first (assuming you have it set to respect vlan COS value. Marking traffic and using queue's affects how the m...

mikeeg02

The way this is written below, you have the parent being the ospf marked traffic, and then the child is traffic that does not have marked traffic, but if the parent requires marked traffic, there should be no un-marked traffic. This also will only affect routed traffic, not mpls/vpls /queue simple a...

mikeeg02

Are you certain you don't have an ac power problem?

mikeeg02

If youre running a dhcp server on each vlan, and they are all hosted on one port, meaning it's feeding your backhaul, or core switch network, why do you want to or feel you need to bridge the vlans? This device should be hosting the gateway routes and dhcp service, at this point it seems like it's a...

mikeeg02

As silly as this will sound, what version ROS are you running? I am running 6.47.7 and 6.47.8 in about 50 of my rb1100ahx4's. And I dont have reboots, or accessibility issues since going to these later versions. Are you certain you do not have power issues? Mine are all running of -48v dc battery pl...

mikeeg02

A few questions... What hardware and long term version? Are you running VPLS? Are your OSPF and LDP timers matched? CCR-1036-8G-2S+ 6.46.8 OSPF/LDP Timers default: OSPF: 5/1/ 10 /40 LDP: 5/15 VPLS: yes (This is our reason to use MPLS). I have seen this kind of behaviour at differnet sites over the ...

mikeeg02

You're not alone. https://forum.mikrotik.com/viewtopic.php?f=3&t=164578 https://forum.mikrotik.com/viewtopic.php?f=3&t=167512 My fault. Was unable to find it in forum... Reading right now. Thanks! Didn't mean it like that. Just wanted to show you that thread in case you hadn't seen it. Unfo...

mikeeg02

You're not alone.

viewtopic.php?f=3&t=164578

viewtopic.php?f=3&t=167512

mikeeg02

Mikrotik does not log l2mtu misconfiguration when type is set to point to point.

Is point to point default on the other router? I did not see you setting type on it.

mikeeg02

Looks like your default backbone area on the Router OS is being disabled: /routing ospf area set [ find default=yes ] disabled=yes add area-id=172.16.117.0 name=area1 Could your try to enable it? It looks like hes using area-id=172.16.117.0 on the gre interface between the opensense and mikrotik, a...

mikeeg02

Alternatively, if you would like to set the priority using what you have in both directions, you could just remove the in-interface. Then all marked packets in the bridge forward chain will set the priority, no matter which way they are going.

Edit: Good work!

mikeeg02

There's another problem too - he seems have configured the bridge filter to set the priority for the packets that have just been received over the VPLS tunnel instead of the packets that he is about to send over the VPLS tunnel. You probably want to set EXP for the packets that you are about to sen...

mikeeg02

/ip firewall mangle *** add action=mark-connection chain=prerouting comment=OTHER_Traffic connection-mark=no-mark new-connection-mark=8BEF passthrough=yes add action=mark-packet chain=prerouting connection-mark=8BEF new-packet-mark=8BEF passthrough=no The part asterisk was at the bottom of the list,...

mikeeg02

I have done what pe1chl has described in a system in New Jersey for a customer. They had 6 sites with public ips, works pretty well. You can configure the gre tunnels to utilize ipsec. Then assign the gre's to ospf.

mikeeg02

Yes, exactly, I suspect he might think that the queue priority is somehow going to transfer to packet priority/EXP. And of course, as you say, that is not the case. Another thing to realize as I think he has them backwards. Queue priorities are highest..1, to lowest..8. Vs COS/packet highest..7, to...

mikeeg02

My apologies. I had thought maybe he had updated that part of his config but he may not have.

If he doesn't know or realize, queue priority is only that. Will not transfer to packet or exp priority. As he has the queues built.

mikeeg02

That is strange because I can't see the EXP field changing its value. I made a mirror port on a port going to MPLS cloud and dumped frames with Wireshark: You no longer have any set-priority actions to set the priority to anything other than 0 - that's why you don't see anything. If thats his edge ...

mikeeg02

There are a few catcha-gotcha's that come up depending on the hardware. If you are in excess of two hops away and using RB hardware (non CCR), you will need to add single port bridges on the mpls out-in interfaces. But to start, you need to verify that you have your outgoing traffic from the start (...

mikeeg02

The LSRs handle mpls exp bits "automatically". https://wiki.mikrotik.com/wiki/Manual:MPLS/EXP_bit_behaviour "When RouterOS receives MPLS packet, it sets "ingress priority" value for packet to that carried inside top label. Note that "ingress priority" is not a fiel...

mikeeg02

In this situation, the NVR monitors/reports/records video loss. Its somewhat forgiving, so if its reporting loss, I believe its truly worse than it is. Packet sniffer on the mpls interfaces shows the control word being used on every packet, which I have accounted for in mtu's I believe. I have other...

mikeeg02

physical mpls interfaces are 1500/1584 l2mtu vlan on said interfaces are 1500/1580 l2mtu (actual mpls interfaces to keep vlan priority) vpls interfaces are 1500/1514 l2mtu vpls bridged access ports are 1500/1514 l2mtu EOIP 1500. mpls mtu 1540 I guess I am curious why when the only change was changin...

mikeeg02

I have a video camera (5-10 mb/s) l2 service thats reported loss over a large private microwave circuit. (Along with other services) with a mix of routers. The core is comprised of ccr1009s, and the edge routers are a mix of rb1100ah4 and 3011s. I thought I had a switching issue / layer1 on the came...

mikeeg02

From SUPPORT: "We have managed to reproduce the issue locally in our labs and look forward to fixing it on upcoming RouterOS versions, unfortunately, I cannot provide an ETA now. Best regards, Edgars P." Did you try going to 6.47.8? I haven't tried the newer stuff. Too many complaints. 6....

mikeeg02

Most has been fixed in last RC but still some left. MT says they are improving it still but the fix itself is well tested.

/M

Hows the uptime look so far?

mikeeg02

The bridge filters you have created on the switch will not work when the vlans/traffic are being handled in HW mode. If you look at the statistics for those filter rules you will likely notice the counters not incrementing. Looking your original post, in the switch rules you have the sfp ports liste...

mikeeg02

Are you wiresharking on another port of the same switch? Or are you connected to a router, or another switch downstream? If its a downstream mikrotik device, mikrotik bridge default changes vlan priority to priority 0. In which case you would need to add /interface bridge filter add action=set-prior...

mikeeg02

Instead of waiting the 10 minutes, couldnt he also go into /ip firewall connection find it and remove it? As I wrote - removal of connection normally works, but the handling of GRE in connection tracking is weird in many aspects. I had multiple cases where the removal of GRE didn't succeed in the p...

mikeeg02

In that case, the only thing I can imagine is that the GRE packets started arriving before this dst-nat rule has been added, so a tracked GRE connection has been created. And only packets not matching any existing connection are pushed through the srcnat and dstnat chains. So /ip firewall connectio...

mikeeg02

CCR1036-8G-2S+'s have been ordered and I will be swapping out all of my CCR2004's ASAP.

Thats the route I went (replaced with 1036s). No reboots since, 100+ days. Not running bgp here, but an ospf/mpls network. Max uptime was 30ish days with 2004s for me. No matter what version.

mikeeg02

RATE SELECT is specific pin of the SFP slot interface that can be used to change operating rate of the SFP module. Low/High are actual voltage levels Mikrotik sets this pin to. If it actually does anything and what it does depends on the specific SFP. So check your SFP module specification... What ...

mikeeg02

It would help if you post your config. Firewall rules can easily block them from establishing.

mikeeg02

In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings. I am trying it on PC with Debian and Android Mobile phone connected to AP in bridge mode. If the computer is initiating the vpn connection, then I believe you will need to figure ou...

mikeeg02

In the computer you're using to access the VPN, you can disable use of the VPN for default route in the VPN settings.

mikeeg02

Could be interesting

6.49 released.

switch - improved packet transmit between CPU and 98PX1012 for CCR2004-1G-12S+2XS device;

viewtopic.php?f=21&t=172259&sid=b361e20 ... ddcaa12707

It's a beta, so test it out first.

mikeeg02

Could be interesting

6.49 released.

switch - improved packet transmit between CPU and 98PX1012 for CCR2004-1G-12S+2XS device;

viewtopic.php?f=21&t=172259&sid=b361e20 ... ddcaa12707

It's a beta, so test it out first.

mikeeg02

We've reported it to Mikrotik on multiple occasions an they've been able to replicate it. Unfortunately now we have all the CCR2004's out of production so we cannot provide any further production testing - The risk was too high leaving it in the network. This is where I am at on the subject as well...

mikeeg02

No solution yet. Even downgrading to 6.45.8 anyone?! I've been running the 6.47 variant in my 3011s and ccr1009s, without port flapping issues. They have uptime since I upgraded to either 6.47.7 or 6.47.8, so 45-60 days ago. All are running ospf and mpls /vpls. I've migrated to the later versions o...

mikeeg02

Just opened and supout sent, i believe it is something to do with ospf and or mpls. I have other 2004 routers but they don't reboot that often, some have uptime as much as 20 days. these instead restart every 7-8 hours (OSPF + MPLS, no firewall, mix of 10G 1G interfaces) Same here, 6..48 and a lot ...

mikeeg02

Yes, they suggested custom firmware and wanted serial out information. Though the response was unfortunately after I pulled the unit from service. This unit was located about two hours from my office. A little too far to gamble. I had two in a redundant setup that were ten minutes from my office, w...

mikeeg02

I havent tried 6.48, but the thread from 6.48 doesnt look stable at all. I pulled mine last 2004 from service for now until they are stable. I think I have about 6 of the dang things. They suggested custom firmware for them, but I cant let it keep running like that. I will have to setup a separate ...

mikeeg02

Sent another one in. SUP-37419 (new) SUP-35544 (yours) SUP-30924 (my previous) Yeah and sent in some more too - one asking if 6.48 does in fact solve anything more but got a wierd response so I've asked for clarification. No responses on the main issue in the reboot. /M I havent tried 6.48, but the...

mikeeg02

Sent another one in.

SUP-37419 (new)
SUP-35544 (yours)
SUP-30924 (my previous)

mikeeg02

Hi,

We had 2 reboots on 6.47.8 in the last 24 hours. Seems they last longer but still reboots.

/Mikael

Mine was going strong until you said that, it died 2.5 hours ago lol, time to pull it I suppose. Has anyone had better success 6.46 long term versions?

mikeeg02

Mine is running an apartment complex providing internet to tenants. Nothing fancy. Just a few VLANs, NAT and firewall rules. Peak traffic is about 500mbps. What types of sfp's is yours using ? I am using the mikrotik gigabit RJ45 SFPs (S-RJ01) Do you notice any of your interfaces dropping (going up...

mikeeg02

Mine is running an apartment complex providing internet to tenants. Nothing fancy. Just a few VLANs, NAT and firewall rules. Peak traffic is about 500mbps.

What types of sfp's is yours using ?

mikeeg02

We've had one reboot since being on 6.47.8

Device was installed on the 12th this month and rebooted on the 14th :(

Do you have any logging running? CPU performance, etc? Traffic?

What sfp's are you using?

mikeeg02

Hi, Are any of you experiencing reboots still? We actually havent had any on 6.47.8 yet and the interfaces going down could have been from an RJ45 sfp plug which does makes me wonder about power in the sfp cages on the 2004, but it wasent even connected to anything so was easy to remove. /Mikael I ...

mikeeg02

Thanks for the updates and fix!

mikeeg02

Ive noticed lately as soon as I am logged in, the post button goes away for the software feedback in the announcements section. Anyone know whats going on? At first I thought it was my account, but I noticed that nobody has replied to the new 6.48RC thread, so maybe nobody else can either?

mikeeg02

Why do you keep only guaranteeing 10kb/s on these two queues anyways?

Is that all thats truly desired to have gauranteed?

Or maybe the whole goal is to learn service based limiting?

mikeeg02

I believe I have found how created my problem. I believe it was related to queue size. I was doing testing previously with larger queue sizes and higher bandwidth affects on processor performance and such. I outsmarted myself. My apologies.

mikeeg02

Interestingly enough. I was able to fully duplicate what the OP complained about this morning before I left the house. Now that Ive tested with the sub-parent, and returned to a queue more like described above, it works as it should. I know 6.47 does operate differently than 6.47.8 does. I've been ...

mikeeg02

With 6.47.8 and what hardware? 6.48 beta58, RB4011 wifi model, fasttrack disabled (of course) I don't think 6.47.8 should behave any differently. Interestingly enough. I was able to fully duplicate what the OP complained about this morning before I left the house. Now that Ive tested with the sub-p...

mikeeg02

Without the intermediate queue on this release, the prioritized traffic it not queued/dropped/limited at properly. CIR works as intended, but the max-limit is the problem. As he noted, it pretty much is split 50/50 until max-limit is reached on the child queues This is what I get with my queue setu...

mikeeg02

I found a simple work around. /queue tree add limit-at=10M max-limit=10M name=local_out parent=bridge add max-limit=10M name=queue_local_out parent=local_out add comment="SSH 10k guaranteed, high priority" limit-at=10k max-limit=10M name=ssh_to_bridge packet-mark=ssh parent=queue_local_ou...

mikeeg02

Regarding prioritizing the upload direction, the connection-mark value is common for both directions of a connection. So you can translate the same connection-mark to a packet-mark e.g. depending on in-interface . But if the root parents of queues are interfaces, you can use the same packet-mark fo...

mikeeg02

I believe adjusting bucket size is where you will find your answer. I still have my test setup together. I can try to verify this evening.

mikeeg02

Changed queue tree config to this: /queue tree add limit-at=10M max-limit=10M name=local_out parent=bridge add comment="SSH 10k guaranteed, high priority" limit-at=10k max-limit=10M name=ssh_to_bridge packet-mark=ssh parent=\ local_out priority=1 add comment="Backup server SSH, low p...

mikeeg02

We have been advised against using bfd in Mikrotiks by Mikrotik helpdesk. Its been broken for a long time and will not be fixed in 6.x was the answer when I asked again some months ago. BFD typically works fine on CHR, and most ARM based Mikrotik's. I use it with no issue on CHR & RB4011. I hav...

mikeeg02

We have been advised against using bfd in Mikrotiks by Mikrotik helpdesk. Its been broken for a long time and will not be fixed in 6.x was the answer when I asked again some months ago. I note you write dropped ospf/bfd but did your interfaces go down too? /M I have over 100 wireless microwave path...

mikeeg02

Hi again, Today we again experienced a drop of interfaces on a 2004. The drop this time was not all the interfaces, but still all ospf was lost. The other 2004s we are running in test has less traffic and no problems, but one thing I realized is that we are using an SFP28 (DAC Cable) port and that ...

mikeeg02

If you feel like it then please mail Mikrotik support and reference SUP-35544 which is the ticket we have with this behavior. /M Ill have to put them back in service to do that lol. Ive since replaced them. I will have to try them and either with the older version you started with, or wait for a ne...

mikeeg02

Hi, We havent seen any reboots in 6.47.8 but one 2004 dropped and reconnected all intefaces same second. Was asked by Mikrotik if it was a cable issue - which I dont think since nobody was in the rack or the other sites it connects to. Also disconnecting and reconnecting 8 cables same second would ...

mikeeg02

How long was 6.47.4 stable for you? I went right from 6.47 -> 6.47.7, then 6.47.8 and experienced the reboots in all. The longest uptime I saw was 14 or so days. I did NOT upgrade the routerboard firmware yet. I have gone ahead and ordered a different CCR model to replace the 2004. I think my longe...

mikeeg02

Upgraded one of my CCR2004s to 6.47.8 and just saw an unexpected reboot.
What version were you on previously?
6.47.4

How long was 6.47.4 stable for you? I went right from 6.47 -> 6.47.7, then 6.47.8 and experienced the reboots in all.

mikeeg02

Upgraded one of my CCR2004s to 6.47.8 and just saw an unexpected reboot.

What version were you on previously?

mikeeg02

Thats what I was afraid of. Were you able to log into it shortly before it rebooted? Or do you keep cpu statistics? If so were they higher than normal before reboot? Yes, of course, nothing really special. It's not related to trafic, because it happens during night when it's much lower. CCR2004_Upt...

mikeeg02

Hi this seems to have been fixed in latest stable - 6.47.8 Thanks for the update, but with the old version it would last up to ~20 some days before it would quit. Sometimes as quick as 8 or so.I do hope they figure it out soon, I have about 10 of these now that will hold paper down, until they are ...

mikeeg02

I have two 2004s (and a few spares on the shelf), which are neighbors to each other in a small (mid 20s) mpls network, not a lot of throughput, not a lot of firewall rules(typical usage ~1%). Started with 6.47, tried 6.47.7 (which was better) but every so often they would just reboot. And typically ...

mikeeg02

Don't know if that is related to this particular update, but RB3011 couldn't boot anymore after updating from 6.47.6, being restarted every time after "Starting services" stage. I've tried NetInstall to 6.47.8 and 6.47.7 without and with config wipe — no success. Long story short — I've r...

mikeeg02

That makes sense, and now that I know the secret to making the non chr routers properly utilize EXP/COS (as of your comments last night) I was thinking adding the second router as a P router would do as you said above. I havent tested the loss of QOS with php using implicit-null, but in the manual ...

mikeeg02

But I cant seem to queue the packets that originate from the router. Yes, this is not possible, unfortunately. The issue is that ingress-priority is only set automatically when the packet first arrives at the router, and you can only match ingress-priority in bridge filter rules (not priority). Any...

mikeeg02

Hi, Yes, we experienced this problem long ago. This works fine with CHR but not with any hardware routers - if you are running any hardware router and not CHR, it ends up being COS 0 after the second router. The only workaround we found was to add a single port bridge on the second router, with the...

mikeeg02

Currently running 6.47.7 **Updated to hopefully make things a little clearer.** Ive been trying to track down an issue I have been having with priorities, and believe I have narrowed it down, but cannot figure out why its happening and need some advice. Diagram below shows whats going on but I will ...

mikeeg02

Can you post details of the config? Heres a dev router. Effectively everything that comes in ether5 is being packet marked and priority set before it goes into the vpls tunnel that starts here. If this router was in the middle, and using the bridge method described above, I can queue the mpls packe...

mikeeg02

Bringing back an old thread. I have tested and accomplished what you have shown above, in the middle routers. Lets say you wanted to accomplish this on the link between mtk1 and mtk2..... mtk1 who is a vpls tunnel end point. How do you queue the mpls out frames from there and include the traffic fr...

mikeeg02

deleted. Forgot a dependency

mikeeg02

Bringing back an old thread. I have tested and accomplished what you have shown above, in the middle routers. Lets say you wanted to accomplish this on the link between mtk1 and mtk2..... mtk1 who is a vpls tunnel end point. How do you queue the mpls out frames from there and include the traffic fro...

mikeeg02

The licensed links are all ~150 mb/s. The voice traffic is low, but all sites get the traffic at the same time. Each of the vpls tunnels should be capable of 10mb/s. The big thing is latency. One of the other reasons I was looking at the ah4 is I believe its the only device that will run off of -48v...

mikeeg02

Hello, We have a two ring system that requires ~22 routers, utilizing ospf between routers, and vpls tunnels. There are two "hub sites" where the tunnels from each site will terminate. Dispersing several vlans to several devices. The the "hub" sites will have ~18 vpls tunnels (on...

mikeeg02

I guess we read that page differently. When I read it, they have listed that the 2004 is compatible with 1G and 10G sfp modules (which if memory serves me right sfp's all are 1G or better). Then they go into detail on what the RJ01 supports, which they list that it only supports auto. But what its n...

mikeeg02

Is this a silly question? Does mikrotik not support fixed rates on sfps?

mikeeg02

Does anyone know of a SFP that will work with a CCR2004 that the port speed can be set to fixed 100m/full ? Ive tried several mfgs, and as the documentation says, RJ-01 will not do fixed rates. I have a customer thats standing their ground on 100m/fixed, and am trying to accomodate. Any suggestions?...

mikeeg02

I upgraded our system to 6.44.3 a few weeks ago. My "hub" router is a rb1100AHx4 dude edition that runs also the dude. After a few weeks of running, the routeros and http services on every device that utilized them timed out. Ping, and the other dude services worked, as well as the ospf an...

mikeeg02

What is a stable/reliable trap manager then?

I've been using the dude because its on standalone hardware, not associated with a computer. And it will poll snmp traps, just not work as a manager where it can just accept them.

mikeeg02

I have a couple of pretty extensively setup snmp monitoring systems using a few mikrotik routers. I have snmp polling setup, but the one thing I cant seem to figure out, is how to make the dude act as a "trap manager" where it reacts when a snmp message from a device is sent to it (outside...

mikeeg02

The VPLS MTU is the size of the MTU you want to hand off to your customer. The interface MTU should be set to accommodate the overhead of VPLS. You need at least 1530 to send an 802.1q tagged frame through a VPLS tunnel. https://wiki.mikrotik.com/images/3/35/MTUVPLS.png Take a look at this MUM pres...

mikeeg02

Ive done some path costing, and optimized routes to that extent, and considered how that will be affected in the event that a path is down. Recently I found that rp-filter was set to strict, which upon researching I have found to be more desireable to use loose. Changing so seems to of remedied the ...

mikeeg02

Sorry for my paint skills, or lack there of. My physical network layout is below. What I need is the redundancy of being able to use ANY route available to get where it needs to go, while also still being smart about it, and using the the least amount of hops. (They are all wirelessly connected, som...

mikeeg02

mikeeg02 - Quoted fix is for CCR devices, not for the CRS. Does the same problem persist on 6.42rc version? Please test this if possible. If problem persist, then contact support. Im not sure why I said CRS, it is a CCR1009. My mistake, I'm about half sick. What was addressed with the tile improvem...

mikeeg02

RouterOS version 6.41.4 has been released in public "current" channel! !) tile - improved overall system performance and stability ("/system routerboard upgrade" required); If you experience version related issues, then please send supout file from your router to support@mikroti...

mikeeg02

While different. This sounds similar to what I'm experiencing. Router A cannot ping router F, but I can ping router F using router A as a gateway. Router A can establish a vpls tunnel to router F. There are some oddities that didn't present themself in 6.38.5 for me. I changed some path costs and ma...

mikeeg02

I'm not sure where to put this question so here goes. I've built a vpls network using mikrotik equipment (3011s and CCRs) that goes across the state using PTP microwave links,(26 sites/routers all together) using single 172.16.0.0/29 subnets per interface link. Everything was completely stable on 6....

Search found 163 matches