MikroTik

wojo

This was tested on 7.12, though i seldom open ssh from external but this needs to be look into :( ss.png I'm also seeing worse results on slower CPU devices it seems. More latency to connect or failed connections on a Hex S vs a CCR2004 series for example. Thanks for confirming I'm not alone. I fir...

wojo

Done!

wojo

I'm seeing this issue only on SSH, curious if anyone else can reproduce. https://tcp.ping.pe/yourhost:22 Do you see connections being dropped from many hosts? Other ports are fine e.g., 80/443 to the router (I temporarily opened them up), port forwards to other hosts, etc. On this service I see near...

wojo

Ugh, it was a raw filter for bogons gone wrong. Closing this thread.

wojo

Yeah the netwatch variable aren't going to pass via a /system/script/run.... The variables are already local to the netwatch script, so "passing" them another script isn't going to work. While you should be able to assign them to globals (or uses a single array global with the values), th...

wojo

/routing ospf instance add comment="OSPF v2" disabled=no name=ospf-v2 router-id=192.168.20.1 /routing ospf instance add comment="OSPF v3" disabled=no name=ospf-v3 router-id=192.168.20.1 version=3 /routing ospf area add disabled=no instance=ospf-v2 name=ospf-area-4 /routing ospf ...

wojo

I've inlined everything: :local name "$comment $status" :local email [/system logging action get [/system logging action find name=email] email-to] :local details ("name = $name\n\ndone = $"done-tests"\nfailed = $"failed-tests"\nsent = $"sent-count"\nresp...

wojo

[$"done-tests"] etc should be ( $"done-tests" ) if you want to assign them . Square brackets [] are for commands only, so that your big problem — parenthesis () are for grouping & still need the rest ($"variable-with-space"). Ah, yeah that was a mistake but the val...

wojo

If I create a system script called NetwatchLog, which logs $id for example, it works if I set up the netwatch as such: add ... up-script=NetwatchLog However, it does not receive those variables in this format: add ... up-script=/system script run NetwatchLog I have a lot of code in that which I woul...

wojo

Did you allow OSPF protocol input/forward in /ip/firewall/filter？ I use OSPF ptp through wireguard both on IPv4 and v6，works well。 Yes, in fact I am allowing all input (not just ospf) on the wireguard interfaces. I also log any drops and nothing shows up. I must be missing something, do you mind po...

wojo

Is it possible to get OSPF working on Wireguard in PTP mode? I've seen mixed things around broadcast/multicast not working on Wireguard to the fact that I just need to allow 224.0.0.0/24 in the Wireguard AllowedIPs and it should work. When set to ptp, I see the traffic and nothing is being blocked (...

wojo

I have an issue with Netwatch on 7.5 release and also v7.6beta4 on one RB5009. For some reason, none of the execution stats are updating. add disabled=no timeout=5s type=icmp host=208.67.222.222 interval=15s Nothing special, one a hex this updates every 15s with the execution counter going up, on a ...

wojo

Has the issue been fixed yet?
I hope to be wrong but It can't be solved due of missing of cache in the switch chip, same problem of CCR2004

Everything seems fine here with `cpu-flow-control`

wojo

The 7.3 series works well for me with the cpu-flow-control on the switch. I'm running 7.3beta37 right now, and all is well for 10G, 2.5G and 1G hosts. Something to note is that I had a lot of problems with my CRS328 switch in RouterOS, Mikrotik has confirmed tx-flow-control does not work correctly i...

wojo

I lost my bridge configurations on a CRS328 and my clock (defaulted to 1970) and most of my DHCPv4 static leases on my RB5009. This was around April 3rd or 4th, and I wasn't watching for it closely. In all my cases it was not a revert to a prior, just random (e.g. 50% of DHCPv4 static leases that ha...

wojo

Upgrade done on two CRS326-24G-2S+ done (ROS and FW) from 7.2RC5 to 7.2RC7, one of it lost the "bridge" after FW-upgrade and reboot.
Restore of the backup fixed it, but it was a little shocking moment as the PING didn´t came back.....

Lost bridge on one of my CRS328s as well. Very odd.

wojo

Are you plugging the 1G clients directly into the RB5009? When I do that the new FW is a bit better, but my typical setup has the RB5009 connected via 10G DAC to my switch, the 1G clients in there saw no noticeable improvement while the 10G clients in the same switch still got ~1400Mbps My topology...

wojo

removed unneeded quotation - use "Post Reply"

Ah you are seeing the same issue with 1G download that I am. Good to know I'm not alone. Working with Mikrotik on this, open a ticket and they may request info (stats counters, etc).

wojo

Running 7.2rc5 my 10G hosts are doing well, 2.3Gbps bidirectional on my 2Gbps over-provisioned AT&T link. However, my 1G hosts are doing about 780Mbps down, and 950Mbps up. Not sure why the download is impacted. Happens on many hosts, and even with /interface/ethernet/switch/set 0 cpu-flow-contr...

wojo

Running 7.2rc5 my 10G hosts are doing well, 2.3Gbps bidirectional on my 2Gbps over-provisioned AT&T link. However, my 1G hosts are doing about 780Mbps down, and 950Mbps up. Not sure why the download is impacted. Happens on many hosts, and even with /interface/ethernet/switch/set 0 cpu-flow-contr...

wojo

removed unneeded quotation - use "Post Reply" Fiber Mall 10G SFP+ to RJ45 for Cisco SFP-10G-T-80 Compatible, 10GBASE-T SFP+ Copper RJ-45 80m Transceiver Module Can find on Amazon. They are the 80m capable Broadcom chips. No drop outs running up 3 floors on Cat5e with zero issues at full 1...

wojo

removed unneeded quotation - use "Post Reply" My topology is: 2.5G AT&T UVerse ---copper---> 2.5G -- RB5009 -- 10G SFP+ ----10G DAC-----> CRS238 10G SFP+ then off that switch, a mixture of - Direct 10G SFP host - Direct 1G host - 10G SFP+ to 10GBaseT (over Cat5e) to 10G SFP+ on anothe...

wojo

Really interesting that some people are not seeing it fixed.

For me V1, V2 and V3 gave full 2.3Gbps both ways. V4 was a tad slower, 800-900Mbps start and it would go up from there.

wojo

They had me test the alpha firmware as well and it definitely clears up the issue. Woohoo!

Did all work the same for you? One of them, the last one v4 seemed to still have issues on my side.

wojo

Three of the four test versions worked very well! Encouraging, I'm sure more to come soon from Mikrotik! I've restored to 7.2rc4 for now, not going to run those alpha builds

wojo

I had similar problems with a Realtek RTL8125B. Turning flow control on fixed the problem. For me, flow control was a completely separate issue but solved just general issues on my network with mismatch link speeds causing buffers to overflow. I'm trying some test builds from MikroTik, will report ...

wojo

Did they post this somewhere or is this in response to a support ticket?

Sorry, left that out. It was in response to a support ticket where we've been passing supout files, scenarios, etc. I'm eagerly awaiting the next testing branch update to scour over the change log that's for sure.

wojo

There may be hope, Mikrotik seems to have reproduced the issue.

We reproduced a similar behavior locally. We are looking forward to improving such behavior with different link speeds in further RouterOS releases.

wojo

For those with issues on the RB5009 with different link speeds (2.5G, 10G, see https://forum.mikrotik.com/viewtopic.php?t=182691&e=1&view=unread#unread) it seems they may have reproduced the issue locally and a fix is pending: We reproduced a similar behavior locally. We are looking forward ...

wojo

removed unneeded quotation - use "Post Reply"

Same thing here, for IPv6 dropped packets and the issues with >1G connections. Did nothing.

wojo

So far I've tried a few suggestion from Mikrotik on the RB5009 re: 2.5G, such as some queue changes, but nothing has fixed the issue with me. I'd steer clear of the RB5009 right now due to what seems like issues with mixed link speed routing, not just specifically the 2.5G port but also related to 1...

wojo

The only possible "fix" I see is to glue 1G sticker over 2.5G label under that port, remove 2.5G advertisement in setup (as default) Except even at 1G, I still see 10G hosts on my network at half speed. Clearly it's not specifically the 2.5G port, but rather some sort of wider spread issu...

wojo

Anyone having RADIUS/dot1x issues? I have three User Manager instances (replicated) between my router and two switches. Most devices are now not responding and getting a timeout instead, I see responses to the EAP challenges but they don't authorize. MikroTik confirmed RADIUS/dot1x is broken in 7.2...

wojo

Anyone having RADIUS/dot1x issues?

I have three User Manager instances (replicated) between my router and two switches. Most devices are now not responding and getting a timeout instead, I see responses to the EAP challenges but they don't authorize.

wojo

Some major issues on a RB5009: 1) 2.5G link does not work well at all, I'm on 2G U-Verse via a BGW320-505 linked at 2.5G. It causes about 1/2 bandwidth on 1G hosts, and on 10G hosts seeing as bad a 75% reduction in speed. https://forum.mikrotik.com/viewtopic.php?p=908812#p908812 https://forum.mikrot...

wojo

I can replicate this on 7.1.1 and the newly released 7.2rc3.

wojo

I think this is related to viewtopic.php?p=908812#p908812

Some info in my post here viewtopic.php?p=909084#p909084. Basically it behaves differently if it is a 10G or 1G host on my network, so odd.

wojo

removed unneeded quotation - use "Post Reply" Okay, stuff is getting weird. But basically I think I have the same issue as everyone else with the 2.5G link, with some twists. 2.5G to 2.5G - 10G host: 2.2Gbps down, 700Mbps up -- about 35% speed up, this is new and only happens on the 10G h...

wojo

Having a very weird issue where upload bandwidth is very limited (about half or less), but only when Fast Path is enabled: https://forum.mikrotik.com/viewtopic.php?t=182694 Also starting to debug an issue where just IPv6 traffic is dropping around 50% traffic from my Synology NAS, but another host o...

wojo

ROS 7.1.1 on a RB5009 I just upgraded to 2.5G symmetric fiber and have a very odd problem where certain hosts are seeing slower upload speeds. My topology is AT&T U-Verse BGW320-505 modem <---2.5G---> RB5009 <---10G DAC---> CRS328. From there I have various hosts on 1G and 10G (via DAC cables). ...

wojo

Running 7.1.1 I also notice it does not pick up an address through SLAAC

wojo

Looks like SD cards still do not mount on CCR1009-7G-1C-1S+, same on 7.1.x.

wojo

Looks like SD cards still do not mount on CCR1009-7G-1C-1S+, same on 7.2rc1.

wojo

This bricked my CCR1009-7G-1C-1S+ in a boot loop I had to Netinstall and get back running on 7.1.1. Here's the serial console log, I tried everything including the backup boot loader but it always panics like this: Could not mount ubifs/yaffs filesystem: No such device [ 10.000322] Kernel panic - no...

wojo

This version broke communication between a crs318 and a crs317 with a SFP+ 10Gbase-T adapters (same adapter type on both ends). It works fine with 7.1 and 7.1.1.

Ditto, killed all my Fiber Mall SFP-10G-T-CI-80m units. Works on 7.1.1.

wojo

When I migrated, I ended up with these: /routing filter rule add chain=dynamic-in comment="101 -> 1 with check-gateway=ping" rule=\ "if (distance == 101) { set distance 1; set gw-check icmp; }" add chain=dynamic-in comment="102 -> 2 with check-gateway=ping" rule=\ "...

wojo

Same here, I disabled ipsec and some routing filters that were migrated over, and everything is OK for now. Before that a reboot would help for a little, but then the IPSec connection would die and 8 of the 9 cores would be at 100%. I've moved my IPSec connection to Wireguard and the problem hasn't...

wojo

I saw my ccr1009 had 95+% utilization on 4 cores (represented as "networking" in the profile tool) and l2tp/ipsec (looked more like an ipsec issue) would not connect as a client. A reboot had everything back to normal. I did not get a supout.rif, but I will get one if I see the issue agai...

wojo

Looks like I lost access to SD cards on my CCR1009 with this release. My existing sd card is not visible and a new card is also not visible.

Also lost access to my SD card.

wojo

mynetname.net has had many issues over the last year or two and this proven MikroTik does not treat is seriously. I liked how integrated it was, but moving everything I have to my backup service.

wojo

Not sure what happened yesterday but my bypass on a CCR1009 stopped working. I have two sets of certificates, neither would authenticate. Perhaps like @archerious the certs were blacklisted, and it requires different/newer certs now? I plugged my BGW210 back in and it also never completed 802.1x aut...

wojo

EDIT3: Got everything working again, had to switch certs. Bizarre. Strange that the BGW210 works fine, but the certs ripped from it no longer work. Instead using backup NVG589's certs. Well that's weird, you would figure if it was on it would be on for all devices. Maybe XGS-PON only applies to cer...

wojo

My theory is that after so many days of not being able to communicate with my AT&T gateway, the AT&T network invalidates something?

Really hope that's not the case. I've been running way longer but this could be a regional. Scary.

wojo

Now with 6.48 released, has anyone tried the following item? Also going to give it another shot when I won't take down the network for the family right before Christmas and get yelled at ;) *) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client; Wojo, upgraded my RB4011iGS+ to 6.48,...

wojo

Now with 6.48 released, has anyone tried the following item? Also going to give it another shot when I won't take down the network for the family right before Christmas and get yelled at ;)

*) dot1x - accept priority tagged (VLAN 0) EAP packets on dot1x client;

wojo

You can now eliminate your scripts enabling/disabling the bridge because with 6.48beta58 you can now authenticate with the bridge enabled!

I tried this but it failed, and I haven't revisited to investigate. Can you elaborate on your setup?

wojo

UPDATE -- oops, my connection did a failover to LTE and I thought it was working. Something isn't right because it does authenticate with 802.1x but data packets are still not being processed, unless I filter them with a bridge... which then breaks 802.1x. Was hoping one of the two last bullets on m...

wojo

I just received a RB4011iGS+RM ... the extra sticker on the package said "RB4011iGS+RM - new" and under System - Routerboard, the dialoge states "Revision: r2". Be really interesting to see some internal pics. We could compare with rev1 and see what any visible differences could...

wojo

I just received a RB4011iGS+RM ... the extra sticker on the package said "RB4011iGS+RM - new" and under System - Routerboard, the dialoge states "Revision: r2". Shipped with Firmware revision "6.45.9 stable" ...will monitor closely and report how this thing will perfor...

wojo

I can no longer recommend the RB4011 as I've been getting the issue described here with it hitting 100% CPU, freezing up, etc. I'm at very low load (residendial), but still happens what seems like once a month now. Going back to the CCR1009 that I didn't sell, yet, along with the switch. More at htt...

wojo

Well, it happened again for me on my RB4011iGS+. Woke up to a nearly frozen router, been at 100% dropping nearly all traffic and pings since 2am. Had to unplug to get it back up and running.

About to call it quits on the RB4011.

wojo

Its not so much a fix, as it is additional functionality we want. OK, what is the process for getting that to the right people at MT? Contact support and refer back to this thread? I think email is probably the best method. If we pool efforts with a clear description of what we need and get request...

wojo

The hEX RB750Gr3 has truly impressed me, when paired with $49 Tp-Link in front and my Aruba 2930f switch for LAN, it's getting over 900/900 with fast-tracking on and less than 50% cpu usage: It's quite good! In fact, selling my CCR1009 and keeping the RB4011 as my primary, and the hEX RB750Gr3 as m...

wojo

I'd assume a script that checks for 802.1x status connecting or authenticating or rejected would then turn off bridge_wan, then when it says authenticated, turn back on bridge_wan. That should get it surviving reboots and working even if ONT loses connection for a few minutes that way we don't have...

wojo

Is there a reason for them to even tag vlan 0 other than to be annoying?

... I think annoying us may be the reason

wojo

Ask wojo Phew, this is digging back. I did two things with my CCR: 1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass trafficj: https://forum.mikrotik.com/viewtopic.php?f=23&t=154954&sid=35ff16c62c0a60ac123ed9f844c0892f#p766...

wojo

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging? Ask wojo Phew, this is digging back. I did two things with my CCR: 1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass trafficj:...

wojo

... for CCRs, what model switches have people been using in front it to take care of the vlan 0 tagging? Ask wojo Phew, this is digging back. I did two things with my CCR: 1) script to change the VLAN filtering mode to automate, with just the CCR, the ability to both authenticate and pass trafficj:...

wojo

This concerns me but running a RB4011iGS+ right now at stock frequency with no issue for months under Gigabit load. Will be watching this thread for updates.

wojo

I also picked up a 4011 with a good deal so I'm going to be switching (get it?!) as well. The CCR1009 is really overkill for the home anyway and this lets me either not have those scripts or the external switch I use not to strip the tags. Set up the RB4011 today and all is going smooth, no longer ...

wojo

i have tested that with no better results. :( Well, sorry to hear that. We need RouterOS to have better support for 802.1p tags is what this is coming down to. I agree, it seems to be the issue I'm facing as well. I was hoping to get wojo's config and give it a try, but I may have to return my ccr ...

wojo

Hi, New mikrotik user with CCR1009-7G-1C-1S+PC running 6.46.1. I am having the same issue as jack2020 with my device. I have followed the excellent writeups here to the letter, but my tik does not respond to the eapol start message coming from the ONT. If anyone has any other ideas, please let me k...

wojo

... - When I tried without the Bridge I use only one interface and override the MAC. When I tried with the bridge I left the interface with the original MAC. ... Nothing different than the suggested ones. I also reset the configuration without "Default config". /interface ethernet set [fi...

wojo

Here is my configuration with my modification. This one is without the WAN Bridge, the first screenshot was with the WAN Bridge. I removed the real MAC address for this post. Hmm, the EPOL process is failing for sure. You get the identity request, but the tik doesn't even try to respond. Could you ...

wojo

Update : see your post about the switch config, yeah that's exactly what I'm thinking. Here's my post I was just about to hit Submit on: OK, my theory seems like it could be correct. I added DSCP into my Wireshark columns, and it shows CS6 level for all packets coming from the ONT. To test this, I ...

wojo

Here's my capture. This is on my ether3-ont interface with no bridge. As you can see it goes through EPOL successfully and then when I broadcast for DHCP I get an offer back on VLAN 0. The only way I've been able to process those incoming packets (incl. all subsequent IP packets) is to place that in...

wojo

I have the Alcatel-Lucent G-010G-A. I'll try to get a capture later. Won't be today.

Same model here.

wojo

Yes, and it works! I'll will update the article now. Basically, follow the article, but set the clock, under System / Clock to be the correct time and date. Then reboot. Thereafter, you can unplug the cable, release/renew IP, turn off the interface, whatever, and it will re-auth correctly. My time ...

wojo

Well, after going around and around with this, I was finally able to get it to work with only using ether1 . The system time must be correct. Set that, then reboot. And with just the interface (no bridge), you can disconnect the ONT ethernet cable or disable that interface, bring it back and it'll ...

wojo

Okay, I think what may have happened is that I too had a bridge, then took it out of the bridge. After that, is stays working. Please try wojo scripts. I will keep looking until I find the answer. I got bit by the same thing when first starting as well, until I started throwing reboots and disconne...

wojo

Sadly with the new Mikrotik CCR1009 I'm still have the same message "Authenticaded without server" and no IP address. I also tried the script to verify the Dot1x status and no luck. Looking for any help. Thanks I think I've hit that when something was wrong with the certs or dot1x setup. ...

wojo

With the momentum from pcunite, I did post my setup to his new cleaner thread: viewtopic.php?f=23&t=154954&p=766284#p766284

tl;dr is that I still have the VLAN 0 problem, but it is mitigated by a script I wrote to manage the bridge interface based on dot1x status.

wojo

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something. I've placed my configuration and script into this new thread which is a little cleaner and focused: https://forum.mikrotik.com/viewtopic.php?f=23...

wojo

I'm still unable to have any IP traffic pass due to the VLAN 0 tagging. Nothing has changed for me, must be a configuration that is regional or something. That said, since I was able to get it working in two phases, this time I automated it. The idea is to have a script monitor things and automatica...

wojo

@wojo I'm able to use ether1 and get Dot1x Cert status authenticated . Also DHCP client on ether1 pulled an IP, all without putting ether1 on a bridge. Everything seems to be working fine. Using firmware 6.46.1 on an RB4011. Can you update this thread with your success? I'll test this, may not be a...

wojo

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this. Does that mean you successfully do auth through RB and have the certs installed on the RB? Seems the dot1x is what we need, just haven't tried it yet. I have cert...

wojo

I'm able to do the certification based authentication but not that survives a reboot or re-auth, will try to work with MikroTik on this.

wojo

That's a good tip to get a the better router for sure.

I'm still working on the solution for Mikrotik, just need to get back to it have a lot of other things that popped up.

wojo

@wojo - I saw your other post earlier and figured out that you made some progress THANK YOU! Did you also file a ticket with support?

I didn't, thought it wasn't provided to the built in license types after 30 days. I'll give it a shot though.

wojo

Question - what protocol-mode have you set on the bridge? One of the STP flavors or none ? I've tried both both also thinking it could be the restrictions around 802.1D. I also spent way too much time tinkering with all the settings I could think of in the dark for weird interactions/bugs but could...

wojo

I'm able to authenticate with the ONT using the dot1x 802.11x support on my CCR1009, just took disabling CRL, setting both the identity and anonymous identity to the MAC on the certs and then importing the entire cert chain. Probably can enable the CRL if the supplemental certs are there, not sure. ...

wojo

I'm able to successfully authenticate with a 802.1x server using RouterOS on a bare interface, but once that interface is a part of a bridge (with default settings) I cannot successfully complete the EAPOL process. It seems to never get to the TLSv1 packet exchange, but I do see the identity request...

wojo

This is quite annoying, keeping an RSA key around literally just for my Mikrotiks now.

wojo

I would love this, please add this MT!

wojo

I thought that as well, but with a :delay 15 or so that covers that just fine.

The issue was truly the disk1 issue, if I store the file on the internal storage or after formatting, it worked fine. How odd!

wojo

Seems to be related to disk1, I formatted the disk as ext3 and it is fine now. Odd.

wojo

Found a LOG problem with an IPv6 DHCP-CLIENT . The log says there was an error adding the dynamic prefix pool, but it actually is created correctly. Cosmetic problem? dhcp,error failed to add ipv6 pool MYPOOL: ok ..... ....... Yes, I have a similar issue:with the current release 6.43 dhcp,error fai...

wojo

I get a script error only when running a script during startup. When it runs on a scheduled run after, it is fine. The error is: script,error router atl: script error: action timed out - try again, if error continues contact MikroTik support and send a supout file (13) The script is as follows: :loc...

Search found 98 matches