MikroTik

floaty

make yourself acquainted with ssh-key authenticaton !
.
BUT of course you can try ! ... the youngest day ... ? ... is public !

floaty

the script just fails ...
.
it's a nice "try just at home example"

floaty

that may or may not be so ...
better you check that out by testing your configuration(s)
.
you should be suspicious, if two versions work : )
.
had QinQ never in production ... but earned all the the time mx'ed emotions, hearing production stories ....

floaty

.

A bit of a pity that MikroTik defined their own protocol type

.
... sometimes it's just about having my own "Jodeldiplom" ?!
.
... but opening a platform for a compatibilty is - of course - always a sometimes hard-to-know business-decision ...
I see more options, than contraints for this case

floaty

. Open vSwitch is using GRETAP as a tunneling option ! ... maybe also an option to terminate MTik-wireless-devices over a distributed-foreign network-infrastructure ?! ... with the new hiperf-switches and 10/25G-routers ... ?! that would be "a feature" also for datacenter-like installations !! ... o...

floaty

.
just to illustrate the issue ( ... opened the archives)
.

diff-is-diff.png

floaty

nope ... tried that ! MTik-EoIP and GRETAP make use of different protocol-types ... so ... the feature-request ... is simply a request for a compatibility-flag . https://tools.ietf.org/html/rfc2784 . 7.2. Protocol Types GRE uses an ETHER Type for the Protocol Type. New ETHER TYPES are assigned by Xe...

floaty

stunts like that will not work with user/password-authentication (there is no unattended remote-shell usage which needs interaction for authentication - security-reasons) you need to setup key-authentication between the devices then you can use ... : . [admin@tikki] > system ssh-exec <address> -- <c...

floaty

in case your netflix is off duty ... surrogate:
https://www.youtube.com/watch?v=C46ISu_T2SE
starting 33:00

floaty

https://wiki.mikrotik.com/wiki/Manual:I ... LAN#Q-in-Q
.
not 100% posititve about ... but maybe the remote-device uses 802.1ad compliant tagging
then you need to set

use-service-tag = yes

floaty

viewtopic.php?f=2&t=149235
+1

floaty

just add a vlan-interface and choose your ethernet-interface as source-interface in case you need this vlan on multiple ports, you have to interconnect the vlan-interface(s) with a bridge ... (there are more options if a hardware-switch in your plattform is involved ... but above option should work ...

floaty

As I said: "The DNS on the router is not enabled." . there is no "The DNS" on the router ... there is a dns resolver in the ip stack and a service which you can enable or not. . if there is no dns-server-entry in the /ip/dns-settings ... you can still catch a dns-server address if a dhcp-client is ...

floaty

In the the communication between a network-access-server (short: nas) aka "your mikrotik hotspot __and__ a radius-server aka "your user-manager" (maybe both functions on the same device), are two different communication-channels defined. One for authentication and one for accounting. Obviously the a...

floaty

also nice ... (and highly usable !)
https://www.coursera.org/lecture/tcp-ip ... ples-QgePi

floaty

guess you're looking for somewhat of a reprint of the manuals ? ... yeah man I would ! ... but I bruised ma pötchen . but you could search the index for "vlan" "switching" "routing" ... then "firewall" ... and my experience ... once you've started ... you do not stop for a year ! . best you start wi...

floaty

... and you should have blacked out every other url in the screenshot ... so it's an easy guess

floaty

- capture some of these packets and have a look inside ... dns is propably good for some information bouta source of these requests
- disable the web-interface (if it's enabled) of the router ... there's a link ... maybe a client is triggering that link (may be you : )

floaty

think we're done here

floaty

.
the squirrel may be not really the fastest one on the ash ... but nimble and diligent !
.

cp2.PNG

floaty

.
https://www.open.com.au/radiator/ref/Ra ... ation.html
.
... guess this is the point where I ask for a "generate RADSEC-Cert-pair" button ... ... jeez ... why has it always to be pandemonium ?

floaty

. obviously something odd with the parser in the log-subsystem ... communication is running on port 2083 . [admin@tikki] > 15:05:47 echo: radius,debug new request 0d:5f code=Access-Request service=login 15:05:47 echo: radius,debug sending 0d:5f to 192.168.7.74:8968 15:05:47 echo: radius,debug RADSEC...

floaty

. First thing that comes to mind is the typical reverse DNS query most linux distros do when accessed via SSH . agreed by the 100% . check /etc/ssh/sshd_config of your containers ...vm's whatsoever ... . #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 Per...

floaty

switching hardware is a "Thing" in ROS ... did you try to change the mode to fallback ? ( ... fallback normally doesn't hurt)
... maybe it's just an unsopported handle in the interface ?! ... best guess.
.
btw. is this a good old XP-box ?
.

xp.PNG

floaty

. and ... bringing in the question as accurate as obviously possible ... could have spared IO-ops too : | . I know what's loading the CPU. My question is, why so much? One EPYC Rome core can do 1.7 GBytes/s AES encryption. Two cores can 2*1.7*8=27 Gbits/s My traffic is very small, only 0.5 Gbit/s CP...

floaty

. maybe a problem with exposing all your heroic cpu-capabilities to your CHR-vm ?! . ... and why do you give a rotten f**t about your VM-cpu ? ... what's with your host cpu ? . ... and in the end ... being busy its what you paid the cpu for ! . give me your CPU-problems and you can have my IO-ops di...

floaty

.
call for input !

floaty

.
do you obeyed orders ? : )
.
https://wiki.mikrotik.com/wiki/Manual:T ... nToNewDude
.
honestly I haven't done it myself ... would be interesting if it is possible to switch a database from x86 to arm ... or reverse ?!

floaty

. route whenever you can route ... bridge only when needed ( I would say: when unavoidable ). . you wanna have control over your traffic flow ? ... separate your interfaces, build up small broadcast-domains ... then you can measure the traffic with fw-rules. . carefull with bridging wireless-interfa...

floaty

. seems everyone is skipping the "keep-it-simple-course" in network-potty-class ... . why ? . fun of administrating one of these devices is knowing what you're doing ... . I also created 3 virtual wireless interfaces (one for each physical wireless one ) and bridged them in bridge 2 . what for ? flo...

floaty

.
or maybe "radius" is already sensitive

.
... it smells sensitive : )

floaty

. what*s with good old trust ? . or maybe our MTikl-friends add a radius-tickbox ... end of story ... your complain makes sense ... seems not to be a very big story . tikbox.PNG . other question ... were you able to authenticate against a RADSEC-enabled server ? . have'nt found a success-message on ...

floaty

.
or maybe /tool/profile ... can grow to a friend of yours ?
.

perf-profile.PNG

floaty

.
https://mum.mikrotik.com/presentations/ ... 562405.pdf
.
fyi

floaty

.
my best guess ... calculating encryption ?! ... ... even packet forwarding isn't a "Zuckerschlecken"
switch off IPSec for the tunnel ... check again !?

floaty

when you enable the webinterface of your routers ... you can see the perf graphs for the interfaces there also ...
.
... so when you do, do you have the same FX ?
.

web-perf.PNG

floaty

.

In ROS the SNMP strings are setup the same as all other devices

.
We really want to believe you

... but show us.
.

/snmp export

floaty

I'm not sure that I understand correctly

.
just a side-degression in iperf ... please proceed

floaty

. sorry to interfere only for beeing so nitpicky ... I have to give the tcp-default ... but ... mutiple "routes" ? ... nöh . 39494 39500 39498 39496 . root@badger:~# iperf -c 192.168.67.140 -P 4 ------------------------------------------------------------ Client connecting to 192.168.67.140, TCP por...

floaty

after a while (some hours) data is only send to the first server configured, the second and third server does not get data anymore. . since your setup seems to be working for a while ..., but than not ... a bug would come to mind so ... maybe one of your devices are still under support ?! ... try t...

floaty

I'm struggeling with my english a life long ... and the english men ... struggle with me ... bouta'länguoch'uff'curse !! . sooo ...? . question: do you use 'dude' for monitoring ? or some other inside-ROS-tool with a script ... . The problem is that my monitoring 10.10.4.180, polls the device, and l...

floaty

ooops ... if this is about dhcp-options ?!
... sorry for coming sassy in the first place ...
there are interesting features coming up in the testing- and beta-versions which might raise your interest ...
check out the news-channels ...

floaty

1. we are all agree from leasing .. really !
.
since you now may feel a little bit better, you might be able to give us a 'communique' of your sufferings ?!

floaty

Lukas 23,34

floaty

Yeah, can be done, but for the danger of locking myself out of the switch

.
every good network administrator has done this ... like every good sailor has crossed the ... fan

floaty

sometimes ... if ... nothing new appears ... nothing happened ?! . you like to see a new ppp-interface ... why ? if you setup a new (ov)ppp-server ... only the capabiltiy for such an interface is born (goda** I'm biblic today) . good old atheists would check with an "/export" before and after ... if...

floaty

you can ! ... all the way ... use the contrary approach ... drop everything, till "your" network works again like expected ...
.
or you do a trip to google ... protocols that should never left my local-LAN ... my local-machine ... ... my Mind ... etc.

floaty

A firewall segregates two or more parts of a network, A network is called a functional interaction of items. . Make a packet-trace (only the the headers ... to be wise) on every part of your network(s) AND decide yourself what's needed and what's not ! . You wanna call yourself bible-proof ... so re...

floaty

and sorry I couldn't resist ... let be god a G00dm4n

floaty

not shure you've checked out the TR069 capabilities of ROS yet ? (yepp ... right ... me neither)
.
but since these capabilities are implemented, so you should start to crtitize these functionality ?!
.
you want a bridge ? ... checkout the ferry before !

floaty

earn a very 'yes' to the provider redundancy part ( and keep studying the relevant forum-posts ) ... and earn a 'maybe' to the WLAN part ... your brandnew hAP ac² should have of "a place" of 'undoubtabletized' LTE-receiving quality ( like blessed mother mary ) ... if this is also the place where you...

floaty

can only measure 5MBps from the server->client. But only if I measure with a single thread. If I measure with parallel option of iperf3 (this way it creates multiple connections), the bandwidth can reach the uplink limits (25MBps) even through the abroad ISP. . little bit unclear how long you did t...

floaty

... and more dangerous ! in dry areas temperatures rise and fall with dust and dawn extremely. brings ... condensed water into the equation !! NO FUN ... had that myself when I found one of our antenna-cables with N-connector drowned ... first I thought it wasn't well enough insulated. But wise-guys...

floaty

in summer the temperature in shadows can reach 42ºC . guess you can have such extremes nearly worldwide now (exept really circumpolar) ... WAP LTE is specified (Tested ambient temperature -40°C to 60°C) ... since you have to expose the device with it's internal antennas ... :( . advice ? start with...

floaty

... and ... whenever possible ... recheck with another device, where you can also see the configuration and connection-state ... it's possible your provider does not want you, with your device.(-identifier) on that frequency ( at that time ... with that contract ... whatsoever ) ... it's a policied ...

floaty

MTU 1418, while rest of the network and of course internet connection is 1500 . you build a tunnel inside a tunnel ... you build a bridge over a bridge ... this is what happens ! . A fat man creeping though a tunnel, should be aware of the problem, ... before forwarding. . maybe you should check: h...

floaty

openvpn is very wealthy in it's feature-set ... please give us an "/export/withou... " from your terminal as an attachment to your next post, for further investigations.
.
nice gesture would be, to make a little sketch with relevant links and addresses ... to fetch the issue even faster ...

floaty

my first guess ?! ...
FF UU NN

floaty

I guess he's offering free outlays for critical assessment ... isn't he ?!
.
who had the boldness

... ... this is not the place to worship mammon !

floaty

! OR ! . if your "two-tunnel-machine" can be the ppp-client in the setup ... you can set that client-interface into a VRF to work-around the "one-IPeed-client" and hence the routing-problem ... ... but as always and before we're opening that barrel: better tell the auditorium about the use-case you ...

floaty

can i make 2 PPP VPNs (L2TP) from 2 different WAN ? For ex. LTE + WAN1 , One tunnel connect from LTE , second one from WAN. I see no problem in here ... . Dst. Addr both tunnels are the same. ... this might trigger a routing problem, because your tunnel-client-ip is either reachable over LTE OR ove...

floaty

Is there an issue I´m mising? ... highly presumable. 1. did you perform a test of your freeradius-server over the network with a tool like radtest ( or similiar ) ? ( ... it's the first thing you would do !) 2. stop your freeradius-(service) and start the server from the command-line in debug-mode ...

floaty

so ... first ... I am not catholic ( and 'am spending no sympathies for any tribes ... ) . BUT . Is there an option to bond multiple LTE wan (example 3x LHG LTE6) with two Mikrotik via GRE,EoIP or VPN to reduce broadcasting latency? . you can avoid congestion-related latency by increasing the bandwi...

floaty

your WAN-interface is: 1. with good reason 2. for your own good 3. and therefore by default not in the fancy roundel for such pieces of lunacy ! . please make your self aquainted with common strategies of internet-security ... and the sophisticated concepts of the before named, which offers the Mikr...

floaty

... or you catch the guy who's maintaining your local cell-tower by impeding his beer in the local pub, because you instructed the bar-crew before, to do so ... and ask him if it's worth !? .. or you spend then a "beer more" on him ... and he's considering a custom config for your IMEI (please have ...

floaty

and maybe it's worth to investigate the "router-isn't-usable-by-IP-anymore*-thing ... on local interface ? no ping ? no arp ? no mac (! see ... you're doing mac-telnet ) ... there is mac-access ! what about arp ? ... so every little step ... like an outsider ( ... maybe like an intruder) . I had thi...

floaty

. Main problem is, It's not possible to reproduce the issue with (yet) known tasks or tools ... . graylog is exactly the tool I would use for such investigations ... did you mentioned interface up/downs from one of your routers when you timeframed the occurence of the incident ... any route chances ...

floaty

... to give my inside pestalozzi a chance ... All clients see each other, all client can access internet on port1. All clients use same gateway 192.168.1.1 ... why in the name of pestalozzi, do these entities need addresses from different pools for ? ... what is the distinguishable criterion for the...

floaty

mmh ... without being rude (trying), I can recommend a link: . http://www.subnet-calculator.com/ . you're switching bits very frequently ... which can you bring in networking-devils kitchen very soon 8) . so ... if I see this right, you have more a DHCP-problem than a networking problem ?! . If you ...

floaty

... A A N N D D ... by the way there is a 60 day grace period for every CHR-VM ... fully featured ... so if you do it the very scottish way ... : you rent this one to your customer and after that you can use the money for your nephews christmas CHR ... so you can pour yourself an extra bottle eggnog...

floaty

not shure which license do you have in mind ? ... renting ?! ... interesting ! guess you're burning more money to setup the rental-contract and keep your related paperwork tidy, than the license would cost you. but sometimes business-ways are mysterious ways ... ?! so ... do it the scottish way: res...

floaty

Since the problem occures very sparsely, it's not so probable that you catch the trigger for the event by a "lucky punch". Anyway if you haven't yet, setup centralized syslogging and keep all you routers in time-sync. The rough timestamp of the event and the surrounded syslog-events from all other r...

floaty · Re: Different DHCP pools on ports from 192.168.1.0/21 network yes.png

yes.png

floaty

guess you are a little bit out of "usual concept" !? . your interfaces are in the same IP-subnet 192.168.1.1/21 is (192.168.0.1 - 192.168.7.254) so there would be no need to configure different router interfaces BUT if you want it like that: +---+ +---+ +---+ +---+ +---+ +---+ | 1 | | 2 | | 3 | | 4 ...

floaty

. just for the completeness of the picture: proxying a request from freeradius-v4 to MTik-UM-v7b5 seems to be a nogo . after setting up a new instance for MTik-UM in new radius_rlm of FRv4; FRv4 tries something like a check or hello or something, before the rlm is fully instantiated ... which fails ...

floaty

. just discovered a nice radius testing-tool ... no eap-features ... ,but its possible to save predefined setup's, contains coa-requests, server-stress-testing ,monitoring ... tidy for windows, linux, freebsd ... decent seems ntradping, my convenient good old geezer, is ready for pension :( . https:...

floaty

.
https://www.dfn.de/fileadmin/3Beratung/ ... Strauf.pdf
.
for v4-afficionados !

floaty

. ... while v7 is still cooking ... were stuck with our windows-wlan-clients in the meantime ... and because corona-boreout and freeradius3.0 forming a perfect couple ... we are setting up an EAP-proxy (almost better than sudoku) . ------ ubnt bananapi CHR //// \\\\ +-------+ +-------+ +-------+ | S...

floaty

Mikrotik have the development smarts to cleanly integrate WireGuard into RouterOS, and now that it has been mainlined I would not be surprised if we see it in the very near future.

.
hear hear

floaty

. This is a nice thing ... but I have to admit my company plan is not an unlimited one, so while I normally in "the zone" every month, I want avoid any BW-kinkyness. But the test-router is intended as custumers mgmt-backup-line ( F L A T R A T E !) ... then I'm definitly able to flood some statistic...

floaty

. some toilet-paperroll-hunters returned to aerie ? ... or power-saving mode ... keeping the shores of kreuzberg-mountain green ? we know only a little ! plz remember ... floaty is YOUR performance leader in tha moment (actual results in post above) ... ... so far ... good night and good luck ! . 13...

floaty

. just found the solution: https://mikrotik.com/product/intercell_10_b38_b39 : ) power up your own cell ... out in the middle ... no interference and with your own iperf-server !! That stops all the yodeling and tells you whats behind that door !! Maybe that beast is excatly intended for that purpos...

floaty

just realized ... broke ma own record ... and still leader of the pack !
H O O K A Y I P P Y J A Y H E Y !!

floaty

.
22:05 (todays watermark ... guess they'r all out there hunting the last shit-paperroll avail in the stetl ?!
.

13mar2020.PNG

.

floaty

. and the main problem ... results are totally erratic ... in the middle of the effin night, no lights on in the hood !! ... same config I've used before ... performance is unexplainable like "my ass" . ... who has the guts to explain such B-sheet to a paying customer ? ... are they scrubbing the an...

floaty

. It's not as simple as this (but not much more complicated either): users share air-time. The higher number of users, the lower air time and thus lower throughput each gets. . guess this is a verry sensefull statement ! cause good old air is a very democratic medium - shared by all of us. you wanna...

floaty

.
If the Force might be with us

.

floaty

. Guess there is enough processing power in such an LTE-pop to force me to whatever channel / config they want, if I do not fit into the "for-the-greater-good-QoS-shaping-policy". And most of the time I'm not in the mood to wardrive the best spot for a high-perf LTE-link around. Good Old G. generall...

floaty

.
!!! B O O Y A C A S H A !!!
.
in front of the peloton:
.
!!! FF ... FF ... FF ... F L O A T Y !!!
.

in_front.PNG

.
https://www.speedtest.net/
.
.
.

pop.PNG

.
.

hw-cfg.PNG

.
.

cfg-stat.PNG

floaty

.
would be interesting ( ... for me)
which (and where) is the highest speed ever scored to a cellular network with the latest mt-hardware (R11e-LTE6)
...
gentlemen ... start your engines !

floaty

...
guess it's not that simple ?!
.
... maybe country-specific delicacies ?!
.

skip-b20.PNG

.

b20-disable.PNG

.

floaty

. Again, avoid using B20 and 5Mhz bandwith. ... how ? ... and why ? . This B20 is one of slowest (compare to B3 > B1 > B7 who are THREE KING's of LTE in EMEA and R11e-LTE6 only do 2CA: B3+B7 between them). ... where got that wisdom from ?? . Just tested new delivered RBLtAP-2HnD&R11e-LTE6 ... and so...

floaty

I'm in.
+1 for WireGuard.

floaty

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.

floaty

... while reviewing ... and talking odds ...
.

no_tupi_nix_w7_more_odd.png

.
maybe a clock prob I did run into ...

floaty

yay: one+ for a radius-eap-debugging option . ... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw) -> ... also windows7 is not able to connect to the MT-CHR7-radius. Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-cer...

floaty

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !

floaty

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.). Not shure about the logo-customization ... If you're already using MTik-devices you can download the usermanager package, install i...

floaty

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy) and until someone put a gracious eye on your feature-request ... you can evaluate here: https://www.kaplansoft.com/tekradius/ ( ... only when you can live with a windows-box) Sh...

floaty

just had an over-christmas-discussion with my colleagues over the topic ... . just check !! ... even dns-filtering is a walrus-nipples-thing : . ... ad-content is filtered ... the loaded site(s) seems to be slow ... because the content of interest is placed last ... no effin pictures of socks inbetw...

floaty

... so far as I recall ... it was a thorny way to implement in ISC too ( for me : ) ... but there's lot of time till january 6th :evil: . [admin@homeland-chr] > ip dhcp-server vendor-class-id print Columns: NAME, VID, SERVER, OPTION-SET, ADDRESS-POOL # NAME VID SERVER OPTION-SET ADDRESS-POOL 0 gs820...

floaty

btw.
there tons of articles in this forum how to make use of anti-spam-, anti-phishing, - or country-code related community-lists with a MTik-board.
.
add a local anti-virus-proxy ... and your'e good to go

floaty

... every filter (dns, av, antispam ... whatsoever) will slow down your secured application ... EVERY ! ... because you delegated sagacity to an entity with more discipline than you own by yourself ... and thats a good thing ... when it comes to computed routines 8) ... but it adds cpu-, asic-, what...

floaty

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle. We better wait for an "upstream statement" ... Maybe an old windows7-valiant out threre can tell if he's able to connect ... [ ... also the fortiauthenticator spat out my keysize 4096 ce...

floaty

yeah ... good tool (and as old as methusalix) ... . maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject . . btw. repeated my eap-test with new generated certificates keysize 4096 instead of 2048 ... and then also the android cli...

floaty

just had a little read-along ... again . 169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119 170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119 171 Dec/13/2019 00:30:55 memory manager, debug >>> ...

floaty

so ... for starters ... it seems the problem ist NOT related to the certificates I've generated on the chr-v7-radius-um-machine :!: I've installed these certificates on another radius-machine ... . you may ask: ... what the **ck took him so long ? a.) ... tried that on my production-machine ... whic...

floaty

indeed ... bootet up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ... no accept, no reject ... stuck in challenge . so maybe a problem with my server-certificate ... or: https://support.microsoft.com/en-ph/help/3121002/windows-10-devices...

floaty

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done

.

v7-eap-test-ws.png

.

v7-eap-test-rad-debug.png

.

v7-eap-test-um-stat.PNG

.

v7-eap-test-um-sess.PNG

.

v7-eap-test-andr.png

.
.
and unlike me, keep your clocks in sync !

floaty

divide et impera ... I agree by 100% ... but when 2000 ip-phones fresh outta box staring at you, you will beg for your vendor-class-based dhcp-features ... Sometimes you want split the ip-address-space for your VoIP by building ... add 4 types of phones (or AP's) and you will go nuts very soon :shock:

floaty

to be honest ... hopefully this feature will find it's way into v.6.4.x too ... while v7 is simmering.
... guess we will see (maybe one or another afficionado will give me "a ball plus" here : )

floaty

just had a look in v7 beta4 ... . [admin@MikroTik] /ip/dhcp-server/vendor-class-id> add Creates new item with specified property values. address-pool -- pool used for this vendor-class-id copy-from -- Item number disabled -- Defines whether item is ignored or used name -- option-set -- server -- glo...

floaty

For what I see, vendor-class-specific option-43 delivery is not implemented yet ... it's possible to have a specific ip-pool based on the vendor-class-id, but it's neither possible to add an dhcp-option-set to an ip-pool nor is there any matching condition-parm in the option-43-definition. So what's...

floaty

. maybe santa puts "wireshark" under your tree ?! ... you copied the hex-code with delimiters from the log-dump into your data-field ... not very convincing ( if I were a computer and had a saying in here ) . collect your dhcp-packets with -> Tools -> Packet sniffer . read out your vendor-spec data ...

floaty

Recently I had to replace a "multi-speed-media-converter" from amazon at a customer-site, because the device failed epicly in terms of performance (it's x-mas time, so the vendor is NOT revealed). The provider-cpe (presumedly set to 100MBit/full-duplex) had to be linked to a gigabit-1000base-sx port...

floaty

guess, you should introduce this to an insurance-agent of your trust to get a rate ... a good rate ... !?
... maybe even homeland-security should be asked for any objections
... who wants to be stuck in a guantanamo-style facility over x-mas by accident ?

floaty

just a low priority post ... that may ... or may not be of interest: reanimated a 'RBwAPG-5HacT2HnD' which I received as DoA from ebay ... spend 3 hours on it ! :( device came in from a probably failed openwrt-install-session ... no word on ethernet nor wifi ... after a 10sec-reset-button-reset "Old...

floaty

yepp, when I got this setup to fly, caribean retirement is on schedule

floaty

and in most of the cases a GPeR would make sense ... adding a proper housing for it [GPeR IP67 Case] , would be sensefull too: installation is straight forward ... ... when using ready-made cables you have possibly to shorten the bend relief of the cable . 1_1.jpg . 2_2.jpg . 3_3.jpg . 4_4.jpg . 5_5...

floaty

At least you can simply replace it in case it breaks . mmh ... doesn't saw that - really good - point :-| Just migrated my busiest-helper-files to the m2 of my "RB1100AHx4 Dude" ... to bad I didn't got attentive of this potential issue before I began to script. Is there a tool to check the health o...

floaty

+1 . would be a neat thing have a ppp-up (-down) script which needs helper-files to store dialer-states ... that's scratchy ... not so healthy for a flash or even for an usb-disk ... so definitly plus one ( ... even in v6.44+ [letting v7 be a good man] ... ... wanna show this to my colleagues ... .....

floaty

I see

floaty

one more thing:
.
reviewing your quickstart-guide, you can revise below on s.4 to 192.168.8.3 !
.

qs-mqs-s4.png

floaty

What are you guys talking about?

.
bout the Mikrotik MQS Quickstart-Guide ? ... and the recommendations made there (obviously not your recommendations ?!)
...
later is "Operating system support The device software version is 1.2p" mentioned ... which differs to v1.1

.

qs-mqs.png

floaty

That's a profound complaint, ... but obviously it is the main purpose of MQS to do so. The cause could be accidental misuse or damage. To distinguish between these two possibilities a more detailed description of your problem would be necessary. :-| MQS quickstart-guide says actual sw-version is 1.2...

floaty

Guess without internet access for the device, you can't. There's no manual download in the moment ... what's wrong with the running image ? . manual download - computer says: no <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>EFE50D47CE5598D3</RequestId> <HostId> 23YQ6R...

floaty

i have error

.
sad, but an error is better than nothing

... would you like to share that error ?
... or a screenshot ?

floaty

.

where can i get the latest MQS software ?

.
.

We recommend clicking the “Check for updates” button and updating your system software to the latest
version to ensure the best performance and stability

.
https://i.mt.lv/cdn/rb_files/1568358529 ... %20web.pdf

floaty

... or just send all files in a specific folder (disk2/sw/*) ...
.

/tool e-mail send  to="rcvr@rcvr.net" from="$sysName@sndr.net" body="disk2/sw-content" subject="disk2/sw-content" file=[:file find where name~"disk2/sw/"]

floaty

installed dude under dusk1/dude ? ... instead disk1/dude ?
.
obstinate files may be removeable, when logged as admin with a sftp-client (like WinSCP) ... and with circumspection

floaty

Lucky you. May happen that problems are linked with usb / mSD storage type on routerboards while on CHR this does not apply. . just found, that well aged statement ... sounds like Dude on 'usb / mSD' is not one of the brightest ideas ?! ... should I keep the hands off it ? ... planned to test such,...

floaty

I am not sure if I need a level 5 license to RB750GL where Radius (user-manager) is installed or the hEX where the DHCP is installed

.
https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels
.

snip.png

.
where Radius (user-manager) is installed

floaty

Hello Forum, I am looking for a way to save the result of a function ... "somewhere". My problem: inside my devicelabels the snmp-device-name is dynamically displayed from a function. In case the device isn't responding any longer, I'm loosing the device-name in the label (but I won't !) So what are...

floaty

Maybe ... there is no advantage this time (the price eventually or the rugged design ? ... choose ) If I don't miss anything in the spec, it is no full RouterOS running on MQS. It is an AP-bridge only, which delivers passive PoE to a "setup-candidate" [point]. . MQS itself can be configured only in ...

floaty

uuh ... yeah ... tried to push an interface into a VRF ... failed ... pushed harder ... saw the error-message ...
... maybe a little "what's-worth-to-test-and-what's-not-implemented-yet-v7-matrix" could be helpfull in the notes ... to avoid 'early redundancy'
... anyway: thumbs-up !

floaty

Version number 7.0beta2 Router's model CHR . [admin@CHRv7] > ip vrf add name=vrf10 [admin@CHRv7] > /routing table add fib name=main-fib vrf=main [admin@CHRv7] > [admin@CHRv7] > /routing table print Flags: D - dynamic; X - disabled, I - invalid; U - used 0 name="main-fib" vrf=main fib [admin@CHRv7] >...

floaty

Version number 7.0beta2 Router's model model: RouterBOARD 3011UiAS firmware-type: ipq8060 factory-firmware: 6.42.12 current-firmware: 7.0beta2 upgrade-firmware: 7.0beta2 Steps to reproduce the issue [admin@RB3011] > ip vrf add name=vrf10 [admin@RB3011] > ip vrf add name=vrf20 [admin@RB3011] > ip vrf...

floaty

last advise !
while editing your posting ... and going lazy ...
... don't become sloppy with your GPER-jumpers ...

(stock your tools ... and keep hoover and cat away

)
.

jumper.png

floaty

guess this behaviour is related to PoE-detection in the switch ... no passive PoE-adapter in the arsenal to verify ... so check, before climb ! Normis explained that 802.3af/at powering only works when there's a compliant device down the line ... if there isn't one, passive PoE injector should be u...

floaty

... so far ... my request for clearance at marvell ... stuck in spam ?! ... ignored ?! ... I don't give a schattenriss ... we proceed ! ... todays setup is able to escalate things to mtu-size 9216 byte ... and is able to do a perf-test too I added a PoE-injector and removed the GPER-jumper on PoE-ou...

floaty

when I got my 'security cleareance' ... I will find a way, to leak in between the lines, while telling noomp :wink: . Dear floaty, We have received your registration request for use of the Marvell Extranet. You indicated on the registration form that you either don't have a Marvell Non-Disclosure Ag...

floaty

It may or may not occur to you, that the use of serial-console to a virtual machine on an ESXi-host could be conveniant for you ?! ... this presumption turns into pain in the a*s, when a serial console is MANDATORY :twisted: ... for me ? ... yesterday ! There might be a bunch of fun-seeking network-...

floaty

I think its a 2port switch with Poe in to power it and Poe pass-through . @chechito seems you were right by first best-guess-attempt ... btw. ... ... were you able to exactly identify, whether the marvell-chip is a 88E8040 or a 88E8042 ?? even when it is a: Marvell® Yukon 88E8040 Gigabit Ethernet C...

floaty

sooo ... hopefully without being to much over the railing, we can say: . GPER is 802.1at-PoE-powered two-port switch, which is capable to deliver 802.1at-PoE-power to a client-device and it is transparent for every Layer2-protocol*), while it supports a mtu-size of at least 9014 bytes ?! *) in a mor...

floaty

because it is my responsability to keep the readers tight and greedy ... now ... at very last ... the gretchen-question: ? MTU ? for starters: it was not so easy to find the proper equipment for the mtu-tests here at homeland-labs :? While the "wuhan-sw" supports a max. frame-size of 9600 bytes (gue...

floaty

side-note: when plugging in a GPER into my PoE-switch like that: . #1.png . ... and than add a PoE-Client behind the GPER, like that: . #2.png . ... or that: . #3.png . . ... the PoE-Client is not powered up ... I had to disconnect and reconnect the cable at PoE-Switch before power is delivered ( I ...

floaty

since we were able to add an OSPF-Router in Vlan11 on a "wuhan-sw"-port ... we can mark tickbox "multicast" as 'checked'
.

802.##4.PNG

.

802.##5.png

floaty

and not so surprising anymore: . wuhan-sw# show run --- snip --- ! interface GigabitEthernet 1/1 switchport mode trunk poe mode plus poe power limit 30.0 ! --- snip --- wuhan-sw# show vlan VLAN Name Interfaces ---- -------------------------------- ---------- 1 default Gi 1/1,3-10 11 nubecula Gi 1/1-...

floaty

... yepp ... the discourse had a little drift :wink: ... so ... STP, 802.1q: Setup: PoE-Switch<-->GPER<-->passivePoEconv<-->mapLite . 802.##1.png . . wuhan-sw# show spanning-tree active CIST Bridge STP Status Bridge ID : 32768.9A-86-03-28-05-01 Root ID : 32768.9A-86-03-28-05-01 Root Port : - Root Pa...

floaty

https://en.wikipedia.org/wiki/Shannon_limit
.
interesting article indeed ... and crazy numbers:
.

tönn.PNG

floaty

1) at what OSI layer this device work? at L1 like hub, or at L2 like switch? 2) what delay does this device add? 3) why distance is limited to 1500 m? . 1) ... the DEVICE (aka GPeR [thats from the birth-certificate] acts obviously like a switch ... different ether-speeds ... with full-duplex on bot...

floaty

would be good to identify the switch chip . Yeah I know ... but this reminds of christmas, when I was a child ... my sister got a new watch ... and I got lot of trouble ... and she would not accept 'my fireforce-truck' ! as compensation. To be honest ... I already tried, but my little iPhone-crowba...

floaty

oncho.png

.
... yepp ... I thought so ... ... guess I was to hasty to shoot a bundle

floaty

most fun is always testing new stuff 8) ... guess we can skip the 'unboxing part', because this is obviously the wysiwyg-approach ... no knives ... no scissors ... no violence needed ... and I aggree 100% with it . 1st.png . first test ... brute force ! the big buddy in the foreground is a wireless-...

floaty

"Yes, it will effectively extend your cable and will pass any data you transmit" data ... yep, data is a lot ... so let us concatenate which questions: - ether-speed negotiation bursts (and the results ... we all now: it's standard ... but it's not golden in functionality ... nowhere ) - lldp-behavi...

floaty

a switch with 2 ports doesn't need to learn no MAC addresses of cause there would be no need, neither would be a need for that in a linux-bridge which contains two logical interfaces by my command or a 24-port switch where I only plugged two cables in ... ... but they do ! ... threrefore my questio...

floaty

It's like putting a switch in between

mmh, thats a delphi-oracle term ...
a switch learns mac-adresses ... a switch ages mac-adresses !?
so question is: is this a switch, like a two-port-bridge or is it just like patch-port in OVS which says "<->" ?

floaty

adding ftp-rights to the user-group solved the issue for me - just like dasiu wrote

dude-read.PNG

floaty

As a big-fan of smokeping for debugging routing-issues and monitoring routing-performance I was recently kind of dejected when my ROS-remote-poller stopped working. I upgraded my central monitoring-machine to debian buster and smokeping 2.7.3-2. Everything worked out, except the mikrotik-remote-poll...

floaty

Definitly joining the club, ... would be a nice thing for networks where you can only send status mails out or only dial-in access is avail ! Tried to build a script which fetches the netmap-status via https from it's own webfig and sends out a mail ... failed ... seems this is for grown up's. In ad...

floaty

Not shure if this feature is under consideration ... ? Would be a big gain being able to terminate a gretap-tunnel to a RB-device. As far as I understand the protocol-numbers used in the header are different in Linux-gretap and RB-EoIP. Since newadays a lot of wireless-devices using gretap-bridging ...

floaty

I'm not really an english-teacher ... but ... I can still ping stuff in SYSTEM2 vrf or the main routing table. when we examine the word 'or' in the quote above , it is not possible to bring the described failure in compliance to master George Boole ... aren't we ? ... so: first check if the setup yo...

floaty

Maybe you should have a look to this thread, where I've posted a couple of hints ... not shure if splynx have or allows full access to dictionaries of their radius service. I've build something like that for my customer-service-gateway ... not fully productive yet, but I'm pretty happy with it till ...

floaty

Just learned, that the radius-attribute "Mikrotik-Group" is 'ppp-aware'. So ... it seems Santa stays frosty up in Lappland this year, because you can (if you want) realize a radius-based VRF-selection with "Mikrotik-Group". You have to skip the user-decidable realm-selection in the ppp-up/down scrip...

floaty

Testing with pppoe was not so golden ... the session-setup and close in pppoe is to fast to grab the named interface-name. Figured that it's better to put a delay before reading the interface-name on a ppp-down-event and then to kill the whole shebang in the name of the zombie. If you wanna use pppo...

floaty

you need kind of a "crime scene cleaner" ppp-up: :local localAddr $"local-address" :local remoteAddr $"remote-address" :local callerId $"caller-id" :local calledId $"called-id" :local interfaceName [/interface get $interface name] :local calledRealm [:pick $user ([:find $user "@" ]+1) 60] :local vrf...

floaty

Yepp, were still waiting for a mikrotik radius-attribute like 'mikrotik-user-vrf' ... Till santa puts that under the tree, we can try with these humble scripts I've tweaked. Made these with open-vpn, but it should also work with other ppp-based stuff To get it work you will need a couple helper file...

Search found 167 matches