MikroTik

Emil66

Without "b" we could have 4 separate 20MHz channels in 2.4GHz band in Europe. 1-5-9-13. "b" DSSS is 22MHz wide AFAIK. Seconded. 802.11b-channels are too wide for a bandwidth plan with four non-overlapping channels. Please don't use 802.11b and please afford us the ability to exc...

Emil66

So few things to check out

I'm not "holding it wrong".

Emil66

No, but since you came around to discuss things, you could ask about this rule If I could read his mind and see that he meant that as a rule of thumb, I wouldn't need to ask for an explanation, but alas, no mindreading. You fanbois are not helping Mikrotik. Every single buyer who gets a router for ...

Emil66

@anav mentioned the "rule of thumb": when looking at MT official test results, take "Routing -> 25 filter rules -> 512 byte packet size" number ... that one represents real-life performance pretty well (still with a fairly large error margin though). That figure actually represe...

Emil66

You are correct, I was going by memory when I first got mine many years ago. Looking at the website it is revamped, only 385 with 25 filter rules so yes 300-450 is more likely. So clearly not lying.

Playing dumb?

Emil66

somewhere in the vicinity of 600-700 throughput

With ROS6. The current version, ROS7, is slower.

Emil66

Ah that's typo lol, I edited the comment. add from-pool=global address= ::1 /64 interface=vlan-iot eui-64=no advertise=yes add from-pool=global address= :0:1::1 /64 interface=vlan-work eui-64=no advertise=yes add from-pool=global address= :0:2::1 /64 interface=vlan-tv eui-64=no advertise=yes That's...

Emil66

add from-pool=global address= ::1 /64 interface=vlan-iot eui-64=no advertise=yes add from-pool=global address= ::2 /64 interface=vlan-work eui-64=no advertise=yes add from-pool=global address= ::3 /64 interface=vlan-tv eui-64=no advertise=yes If RouterOS did at all what you claim, that would produc...

Emil66

/* edit: off topic */

Emil66

/* edit: off topic */

Emil66

It becomes a bit complicated, or rather impossible, if you have a need for prefixes with different lengths, because the pool can have just one pool-prefix-length and you can't take a chunk out of the pool to create a "sub" pool with a different prefix length. So if you need /60 prefixes fo...

Emil66

The "pool-prefix-length" is meant to be the length of the prefixes which you want to draw from the address pool, not the prefix length that your ISP assigns. Most of the time, you want those address ranges to be significantly smaller (bigger prefix length), so that you have multiple prefix...

Emil66

You can set the default valid and preferred lifetimes which then get applied to dynamic prefixes. In the CLI it's under "/ipv6 nd prefix default" (v6 syntax), in the web GUI it's under "IPv6", "ND", "Prefixes" Tab, "Default" button.

Emil66

You had that already, because it's part of the default firewall configuration: /ip firewall nat add action=masquerade chain=srcnat comment="defconf: masquerade" ipsec-policy=out,none out-interface-list=WAN You just need to edit the "WAN" interface list to include your vlan interf...

Emil66

Did you update the WAN interface list to include the VLAN interface but not ether1? That interface list is what configures the firewall for NAT to the internet, etc..

Emil66

Make the Vlan interface the WAN interface, not the untagged ether1. Put the DHCP client on the Vlan, not the untagged ether1.

Emil66

The RB750Gr3 is not fast enough for gigabit internet if you use IPv6 with a firewall (tops out at about 600 Mbit/s without encapsulation). The router is barely fast enough with IPv4 without encapsulation, but PPPoE will drag it below 1 Gbps. You also have to watch out for ports using the same of the...

Emil66

How to deal with variable prefixes: viewtopic.php?t=168470
How to set a static interface identifier is device dependent. The key words to search for are EUI-64 or, preferably, "tokenized interface identifier".

Emil66

dhcpv6-server - fixed DUID generation with timestamp;

Is there a way to trigger this without reinstalling the router, or generally to reset the DUID?

Edit: Sorry, I missed that it is just for the server. Question remains: Can the client DUID be reset without reinstalling the router?

Emil66

/ip address
add address=192.168.0.1/24 comment=defconf interface=ether2 network=\
192.168.0.0

That looks familiar...

Emil66

Try to understand what you're doing, don't just copy & paste. You need two NAT rules for the server: One destination NAT rule and one source NAT rule. The destination NAT is what's usually called a "port forwarding". It tells the router that incoming connections to a particular port on...

Emil66

Details are important. Computers do what you tell them, not necessarily what you mean. If you tell the router to masquerade packets coming from 192.168.0.0, it will masquerade only those packets, not packets from any other address in 192.168.0.0-192.168.0.255 (192.168.0.0/24).

Emil66

See the hairpin NAT documentation . Note that the destination address matched in the src-nat rule is not the external address. Source-NAT is performed after the destination-NAT rule has changed the destination address to the internal address of the server. For debugging, keep an eye on the firewall ...

Emil66

It is (for now) possible to filter based on the "outer" domain name as transmitted in the TLS negotiation. In order to indicate to the server which certificate to use, the clients send the domain name as "server name indication" (SNI). This happens before the certificate is prese...

Emil66

Some things are easier with IPv6, because there is no NAT. Some things are more difficult with IPv6, because there is no NAT.

Emil66

There is no mechanism for prefix delegation in RAs. RAs advertise the router's prefix(es). They are not and indeed cannot be used to delegate prefixes. Conversely there is no mechanism for advertising prefixes in the DHCPv6 standard, just for delegating them. Delegating means assigning an entire pre...

Emil66

mkx may be dissatisfied with the features supported by the RouterOS DHCPv6 server, but claiming that it can't distribute prefixes is factually incorrect. In a SOHO environment, DHCPv6 is really only needed for prefix delegation and RouterOS can do that.

Emil66

DHCPv6 server in ROS v6 implements only a fraction of functionality (which doesn't include neither prefix distribution nor end device IPv6 address) and is used only for distributing IPv6 addresses of DNS servers (and perhaps some other minor stuff). Prefix sharing is done through different mechanis...

Emil66

Yes, that's the hairpin-NAT rule. The "masquerade" target changes the source address to the address of the egress interface. Use the "src-nat" target instead and set the "to-addresses" in that rule to the WAN-address.

Emil66

You can match for the SNI host in the firewall by setting the "tls-host" parameter. You can use that to dst-nat towards different backends. Note that this doesn't work for fragmented packets, the QUIC protocol or ESNI. A reverse proxy would be the preferred solution.

Emil66

You're seeing the result of a hairpin-NAT-rule. This is explained here: https://help.mikrotik.com/docs/display/ROS/NAT#NAT-HairpinNAT . If you just need to change the address to the WAN IP address of the router instead of its LAN IP address, you can do that by changing the "to-addresses" i...

Emil66

The firewall in RouterOS is default-allow. The underlying Linux kernel can set a different default policy per chain, but this is not exposed in RouterOS. So any packet which makes it to the end of a chain is accepted. The rule which is responsible for "allowing" services on the router to b...

Emil66

In that case your ISP may not be doing ingress filtering. That is bad. (HE certainly filters.) You can send packets with alien source addresses through your ISP, but the return traffic to these addresses will still arrive through the HE tunnel, so you've created asymmetric routing. If the router doe...

Emil66

As I wrote before, with IPv4 you can do this because NAT changes the source address to the address which is assigned to the interface through which the packets are sent out. It doesn't work with IPv6 because there is no NAT. The packets are sent out exactly how they arrive from the device, so the de...

Emil66

If a host uses a source IPv6 address from the HE prefix, then your router must send that traffic through the HE tunnel, regardless of the destination address, because your ISP will almost certainly drop these packets. If the host uses a source IPv6 address from the provider prefix, then your router ...

Emil66

Unless you have provider-independent address space and an agreement with your provider that allows you to use it, you usually can't send from IP addresses that aren't assigned to you by your provider. The router needs to pick the route based on the source IP address chosen by the device. It can't ju...

Emil66

You need to create VLAN interfaces on the bridge interface, not on interfaces that are part of the bridge. And then you bind the DHCP servers to the VLAN interfaces. So you have for example "ether1", "ether2" and "ether3" in "yourbridge". You configure "e...

Emil66

I've been trying for hours to configure a DHCPv6 server for prefix delegation and the server keeps telling the client "no prefix available". I think I found what's wrong: The web configuration interface lets you set the pool from which the prefixes are assigned, and you can apply/ok and se...

Emil66

Note that (A || B && C) means (A || (B && C)) due to operator precedence, not ((A || B) && C). If you want the latter, you need to use parentheses as shown. It's like 1+2*3 is 7, not 9.

Emil66

The DHCP clients receive the DNS server addresses with their initial DHCP lease. Unless they disconnect from the network and reconnect, they do not get them again. If you want to make the change instantaneous, you can use NAT to redirect DNS requests to your filtering DNS server during the daytime.

Emil66

:if ($a=1) do={ :log info "A is definitely 1"} else={ :if ($a=2) do={ :log info "A is definitely 2"} else={ :log info "A is not 1 or 2"} If you fix your formatting, the problem becomes obvious: You're missing a closing brace for the first else. :if ($a=1) do={ :log inf...

Emil66

See the explanation and a workaround here: viewtopic.php?f=9&t=172125#p843397

Emil66

You still need to deal with "numbers" like 768k, 3M or 1G.

Emil66

Why do not not see Temperature/Voltage?

I had the same issue. It works again after I clicked "OK" on the empty settings page. (I use the web interface.)

Emil66

Sums are obtained by adding stuff up. Computers only do what they're told. Try telling the computer to add something.

Emil66

is this a feature, a known limitation or a bug It's a choice: https://en.wikipedia.org/wiki/Local_variable#Static_local_variables It's a bit weird that scalar variables are not static and arrays are, but the script language is all sorts of weird anyway. I do understand however that ({}) is not the ...

Emil66

Mikrotik RouterOS script variables are "static". The value is stored with the function, and as you have seen, this is implemented by rewriting the function whenever the value of a local variable is changed. Assigning an array is done by reference, not by value, which means the variable doe...

Emil66

It seems you only need the port open for yourself or a small number of users (because you mention changing the port number regularly). In that case you could use " port knocking " to hide the open port from scanners. Make sure to use an individual sequence of ports, not the ones in the tut...

Emil66

If you can sell me a couple public IPv4 addresses for less than the cost of a replacement router which handles IPv6 properly, I'm all ears. As it is, I can only recommend against using Mikrotik gear if IPv6 is a requirement. That said, after some more testing it looks like the router doesn't reassem...

Emil66

I've done that. It just tells me that it's a UDP packet with the right properties to be caught by the second rule. That's why I wrote the second rule as the inverse of the first rule: It really should not be possible for a packet to make it past the first and second rule and still match the third ru...

Emil66

I think it's a connection tracking / SIP helper problem. I can't reproduce it with just ordinary UDP packets that have no prior relation to some other connection. It reliably occurs if the UDP packet is an RTP packet coming in for a SIP "connection". I don't understand how that could make ...

Emil66

That's not it. I just used the inversion to make sure I cover all ports with the first two rules. The result is the same if I positively check for 10000-65535 in the second rule. The packet with the high port doesn't match that rule and falls through to the third rule, where it matches. It doesn't e...

Emil66

The three rules are: add action=drop chain=forward dst-address-list=test dst-port=1-9999 protocol=udp add action=accept chain=forward dst-address-list=test dst-port=!1-9999 protocol=udp add action=accept chain=forward dst-address-list=test protocol=udp The address list is a single IPv6 address. It ...

Emil66

If I have three IPv6 firewall rules, that each accept or drop after checking for UDP dst-port 1-9999, UDP dst-port ! 1-9999 and just UDP, I would expect the last rule to never match, because a port is either in that range or not in that range, so either rule one or two should match and end processin...

Emil66

FYI: You're reading the block diagram wrong. The Hex S is capable of routing a full gigabit one way even on ports which use the same path to the CPU. Each of the two gigabit CPU links is 1 Gbps in and 1 Gbps out. You only need to use ports which are on separate links if you want to route a gigabit i...

Emil66

The point was I understand about the order of firewall rules and efficiency of checking packets. What I was questioning and wanted to see a reference about was this line........... " Things like tracked connections (and also address lists) are stored in a clever way so the match can be made mo...

Emil66

@Emil66 It's a forum for technical assistance. Don't be offended when you "waltz in" post "some gut feelings and expectations" without any substations, and someone reacts on that... Your opinions are incorrect. This thread could have been over when vecernik87 correctly informed ...

Emil66

looking for a reference that the router processes filter rules of accepted/related more efficiently than other firewall filter rules in general and specifically better than raw rules. Nobody said anything like that. Each rule that needs to be checked takes some time, When processing a packet that b...

Emil66

I asked for factual info & data, not some gut feelings and expectations! The Linux kernel code is open source. You can look it up yourself. This is the Mikrotik Beginner Basics forum, not a technical debate club. ...to pass many rules before they are accepted, the CPU load will be high... Can y...

Emil66

I wouldn't advise to use raw-prerouting rule. It might have negative impact on speed of all (including fasttracked) connections. ... it will have more negative, than positive consequences because ... This is based on what factual info / data? It a rule base system like any other table (filter,nat,m...

Emil66

I was not aware that any Mikrotik Products supported DS-Lite, please explain how you support this. They don't support DS-Lite. But DS-Lite is just native IPv6 with an IPIPv6 tunnel to a CGNAT gateway for IPv4. Mikrotik routers can do the tunneling, but lack the automatic configuration and the neces...

Emil66

I was led to believe that the Hex S (RB760IGS) achieves full gigabit throughput. This is not the case with IPv6. Due to the lack of IPv6 fasttrack support, IPv6 throughput maxes out at roughly 500 Mbit/s. That alone is bad enough, but on a DS-Lite connection, IPv4 is tunneled via IPv6, so even IPv4 ...

Emil66

Motivation: The DHCP server in Mikrotik routers can be configured to supply arbitrary options to clients, and the DHCP client in Mikrotik routers can be configured to add arbitrary options too, but the DHCP client has no method of requesting arbitrary options from the server and does not make values...

Emil66

I'm trying to configure a Mikrotik router to use a DS-Lite (dual stack lite) internet connection as defined in RFCs 6333 and 6334 . DS-Lite combines a native IPv6 connection with a IPIPv6 tunnel to a CGNAT gateway called AFTR (Address Family Transition Router). The router learns the remote tunnel en...

Emil66

This is already the case in default configuration.. Indeed it is. I dug a little deeper, and while the default configuration has the addresses on the bridge, applying the configuration from the "Quick Set" form moves the addresses over to ether2, even if all I change is the password. So t...

Emil66

Disclaimer: I am an absolute beginner. Got my first Mikrotik router today. Nevertheless, I think there's a problem in the default configuration, but as I'm new to this, I'm not sure. Please enlighten me if this is my mistake. In the default configuration, ports 2 through 5 and the SFP slot are in a ...

Search found 66 matches