MikroTik

MichaelHallager

A bit of time has passed so I hope you were able to fix the issue.

IPv6 + ROS7 had all sorts of issues at the time of the original post. This was due to MTU.

These were fixed in ROS 7.9 although at the time of this post ROS 7.11.2 is the latest stable.

MichaelHallager

Maybe this can be useful Management access configuration https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-Managementaccessconfiguration Thanks very much and I got my answer there. I needed to add the bridge to the list of tagged ports under /interface/bridge/vl...

MichaelHallager

Running RouterOS 7.10 on a CRS326-24S+2Q+RM, however, this issue has affected different switches and versions of ROS. The purpose of this link is for the switches own connectivity for administration. I can't quite get my head around this. Setting up PTP (trunk) connections are trivial on a router an...

MichaelHallager

Its working now and as sometimes happens it was a small oversight.

I had not set the RR peers address families = IPv6. I know this setting well but didn't notice it unset even on multiple look overs. Once set suddenly it works as expected.

Thanks for the help

MichaelHallager

An example of the RR clients (a border router) 100 ;;; [redacted] chain=bgp-rr-v6-in rule="if (dst in [redacted]/45 and dst-len in 45-48) { accept; }" 101 chain=bgp-rr-v6-in rule="reject;" Explanation: Borders should accept local origin route information from RR 102 X ;;; Filter...

MichaelHallager

It's working for me. My connections to the RR's are dual-AFI on a single BGP connection, with a route filter to change the gateway of IPv6 routes to the IPv6 loopback of the router. Otherwise it tries to use the IPv4 literal (::ffff:x.x.x.x), which could also work if you add it as a loopback on the...

MichaelHallager

Does anyone have this combination working? I am using ROS 7.7. It appears to be unrelated to my other issue* because it affects every router and it has never worked for me. Furthermore, all the necessary PTP, etc, routes are showing in OSPF-v3 at this time. I have a route reflector setup for BGP and...

MichaelHallager

On all my routers running 7.7, I switched all my OSPFv3 types to broadcast from PTP. Thanks for the info. This was one suggestion offered in a private conversation with an industry associate. I have also enabled redistribute=connected for OSPF-v3 hence my delay in responding because I wanted to see...

MichaelHallager

Two possibilities to check: 1. ROS7 requires syncronise unlike ROS6 where it was an option. So therefore you will need to pop a static route entry to blackhole and a high distance (250 will do - as long as its higher then anything else) which equals your route announcements. 2. Some config can get l...

MichaelHallager

You can prefer one provider over another for outgoing traffic with distance or local pref. You can try and tweak incoming traffic via AS prepend but TBH this is pretty hit and miss. Another option could be split announcements if you have sufficient IP space. Whatever you do consider you can not forc...

MichaelHallager

Since upgrading to ROS 7, I have never been able to get OSPFv3 stable. OSPFv2 works as expected and I have deployed a near identical setup for OSPFv3 with the only change specifying interfaces instead of IP ranges. The last time v3 worked as expected was ROS 6. I have waited a while in case its an R...

MichaelHallager

I recently migrated a network to ROS 7.6. IPv6 recursive routing now works, yay. Unfortunately there is now a new issue and that's some PTP links are randomly dropping out of OSPFv3. So this effectively renders IPv6 BGP over OSPFv3 useless. Nothing else has changed. The PTP OSPFv3 routes worked with...

MichaelHallager

Does it work when you configure the DoH server by IP instead of by name?

No.

MichaelHallager

Hello,
Did you add the certificate and NTP?

Yes to both, however, the certificate should only be required with verify-doh-cert=yes and I had it turned off while was trying to resolve this.

MichaelHallager

I have an Unbound DoH server which I have tested working with a web browser and the included dohclient command. But its not working for Mikrotik. Has anyone come across anything incompatible with these? I tried with 2 different devices running 6.48.6 LTS and 7.1 LTS. In all cases it would resolve th...

MichaelHallager

It can be many things (one possibility is that configuration converter barfed at something during upgrade) ... so why don't you post current configuration for review? I spent way too much checking the configuration. It was all still there. Its not like a router where I had to go and setup BGP from ...

MichaelHallager

I recently became AS (Autonomus System). As from the beginning I have configured an eBGP Router that announces my Public / 29 network. Is your ASN a private one for routing between you and the ISP or are you intending to announce into the global routing table? If the later, it will only work with a...

MichaelHallager

I have a CRS328 PoE switch [1] running a basic port based VLAN with a trunk port to a router and IP access for switch admin purposes. This works fine with ROS 6.48.6 LTS. But I tried an upgrade to ROS 7.1.1 and it did not work. I could SSH into the switch and ping any host on the same subnet/vlan bu...

MichaelHallager

After upgrading 2 switches from 6.47.10 to 6.48.6 I had the same issue. The models are: CRS312-4C+8XG-RM CRS326-24S+2Q+RM These are both MIPS architecture. These are both running in a multiple vlan environment with a trunk connection to a router. IP addressing is /30 + /126 over a dedicated vlan wit...

MichaelHallager

This can be done the following way: /ipv6 pool add name=text_description prefix=[IPv6 address]/[length] prefix-length=[length] You will need one pool per client if you want to do static assignments. In this case both of the above length attributes would be equal. In Freeradius, etc: attribute = Mikr...

MichaelHallager

Setting up peering by itself isn't enough. Both your uplines and possibly their uplines will need to allow your route announcements through their filters.

MichaelHallager

BGP filters do not accept > 16 bit ASN numbers.

Obviously, this is an issue of importance.

Platform = CCR1009 with 6.45.6

MichaelHallager

First of all 10.10.... looks like is an Private IP, you cannot advertise them to BGP! Of course you can You probably won't find an ISP willing to take your 10.0.0.0/8 (or other RFC1918 addresses), but if you do then there's nothing to say you can't do it. If you publicly announce RFC1918 space - in...

MichaelHallager

Platform - CCR1009 / ROS 6.45.5

Under interfaces / VLAN -

I accidentally typed "remove 11" instead of "remove numbers=11" and the router became unresponsive and required a reboot.

MichaelHallager

Using ROS 6.45.5 on CCR1009 If the admin changes the name of a filter, this does not propagate through to any peers using the filter. What happens is the peer simply starts acting as if there were no filter. Of course, this is an undesirable situation. My suggested behaviour would be for either- 1. ...

MichaelHallager

When you say that you need to "account" for it, what does that mean exactly?

Traffic In and Traffic Out. At present I do this with Firewall / Mangle and connection marking + packet marking. But I am not clear how to do this over an IX interface with multiple bilateral peers.

MichaelHallager

I have a CCR1009 and multiple BGP peers. Some I peer with through dedicated interfaces so this is easy to traffic-account for. However, some peers I reach via bilateral-peering through an IX and I need a way to account individually for this traffic. How can this be achieved to the point of the packe...

MichaelHallager

@bmann has made some very good points which I can relate to. I come from the Cisco camp and I was amazed when I bought my RB1100AHx4 what I was getting for the money... and it's made in Latvia, not China! Personally, I think Mikrotik products are possibly a bit too cheap and I would be happy to pay ...

MichaelHallager

I have been spreading the word around in other forums.

If it's of any interest / help I am happy to act as a remote test case providing no harm is done.

MichaelHallager

I can report I had (now disabled) IPv6 connectivity and a few days ago my router rebooted for no obvious reason. A couple of days later I was alerted to this issue.

As a consequence, I am now assuming the exploit is out there in the wild and is being used.

MichaelHallager

viewtopic.php?f=2&t=122420

i also submitted a ticket to support. Hope this can be fixed soon.

Thanks for that. Clearly, it's not just me.

MichaelHallager

I am running 6.43.8 though this issue has persisted over several previous versions.

On a restart, the IPV6 DHCP client gets stuck on status "binding". I have to manually disable, then enable, and then IPV6 works.

Is there any way to fix this for reliable restarts?

MichaelHallager

Ok. Worked it out now thanks.

For some reason, SFP was not in the port list so I had to add it.

MichaelHallager

Thinking a bit outside the square - will your ISP offer you a public subnet? There is usually an extra charge for this. $2 per IPV4 address per month is the going rate. So a /29 (8 IP's of which 5 are usable for hosts) would be $16 per month. Otherwise, if you can get IPV6 space and can do end-to-en...

MichaelHallager

Can this be done?

MichaelHallager

First things first -

Did you secure your hAP ac before connecting it to the internet?

MichaelHallager

I have fixed the issue by doing both of the following: 1. Disabling auto-addressing on the relevant VLAN 2. Disabling Slackware NetworkManager and setting my IP address manually in rc.inet1 (IPV4) and rc.local (IPV6) as follows: /etc/rc.d/rc.networkmanager stop chmod 600 /etc/rc.d/rc.networkmanager ...

MichaelHallager

The 5311 also suppprts ADSL2/2+ though no mention of ADSL1 support- https://www.metanoia-comm.com/admin/product_en/front/index2.php?id=119&upid=73 Here in New Zealand, most VDSL (strictly speaking it's VDSL2) connections are deployed from fibre-fed cabinets. But ours is a very small rural townsh...

MichaelHallager

Blocking ports is useless. Youtube and Facebook use the normal ports 80 and 443.

MichaelHallager

are you using Dt. Telekom? You must take care on the dynamic IPv6 prefix change (Zwangstrennung). It's better to internally address via ULA address. Also you must decrease the GUA lifetime by hand as RouterOS does not care about the lifetime given by DHVP6. Thanks for that. I am a customer of Inspi...

MichaelHallager

Prior to doing this I reinstated auto config and ND. IPV6 / Addresses [admin@MikroTik] /ipv6 address> print Flags: X - disabled, I - invalid, D - dynamic, G - global, L - link-local # ADDRESS FROM-POOL INTERFACE ADVERTISE 0 DL fe80::dceb:95ff:fe38:7658/64 bridge-wlan no 1 DL fe80::1c37:82ff:fe40:ebb...

MichaelHallager

I have been allocated a /56 IPV6 from my ISP. I have DHCPv6 setup on the pppoe0 interface (PPPoE over VDSL2) and a /64 from the pool on the LAN interface (Vlan40). When I use address auto config, it works fine. When I try to set a static IP on the host and Vlan40, it works for a few minutes to an ho...

MichaelHallager

Sorry about the delay in responding. I was not aware this site would not email me a reply notification. I eventually tracked the problem to the SFP settings. The 5311 requires the port is set as 1Gbps full duplex. Fibre is popular and we have only few sites still use VDSL It is here as well but cons...

MichaelHallager

Hi all. This is my first post to the Mikrotik forum and I hope to become a regular here. My background is Linux Systems Admin - predominantly using Cisco. When it comes to Miktotik, I will assume I am a beginner. I have a Metanoia VT5311 VDSL SFP and a hAP AC. I am located in New Zealand. If someone...

Search found 44 matches