MikroTik

floaty

+1 . great I've found your post ! everytime I'm doing a re-discovery (and networks ... ... there arara changing!) ... I give the bold F-word three times, because nothing happens : | ... also a discoverable service-preset would be very sensefull ( ... do not know if this has to be forked into a new ...

floaty

L3-offloading is a broad topic ... the prestera-chip also supports "NVGRE, VXLAN-GPE, GENEVE, SPB, and 802.1BR port extender"
... is vxlan-tunneling now also implemented with hardware-flow-support ... or we talking just base L3-forwarding capabilities ( ... for now) ?

floaty

Had a look, to the system ... obviously some fork or kind of open-wrt ... not much functionality left, from what you can get, if ROS or an 'open' OpenWRT is installed. Strolled into the Netduma-forum, where the Netduma-CTO claims, that the machine contains proprietary QoS-functionality, which makes ...

floaty

so why the effin f'''' did you not started testing yet ?

floaty

.
would horizontalize the problem for tile-cpu's (just a remark ... I'm not an owner ... not now)
.
guess the general possibility to export a table to csv would do it for the relevant horsemen !?
.
( ... as always: just my opinion ... you can do whatever you want ... without affecting my circles)

floaty

Hi Emmah,

your verbal descrption of your problem is not sufficent to help you.
... if the problem is really bugging you, make a sketch and try to illustrate where you got stuck.
... give the people here an idea what you did on the device !

namaste

floaty

It's a BETA-version ... and exactly meant to reinvent your discovery spirit. UserMan is and was a radius-implemention so adressing for clients, is done with radius-attributes. Not shure which features you are targeting on ... but that worked with a lot of versions before 7.XBETA. So stage your lab ....

floaty

. you failed ... in multiple ways ! . 1st) you failed with laying out your issue and your network design in a reasonable way . 2nd) you brought your personel confusion into this forum . 3rd) you have already a workaround (RBD52G is working pretty, while 951G makes headache*) ... so nobody has motive...

floaty

.

Direct to the point, is it even possible in the first place?

.
a question ...
a question that might also Descartes, Pascal and Heisenberg could have asked that way ...
.
: ) don't bust our nuts ... and post the solution

floaty

. the question is indeed not fully without cause ... guess you want to connect to another vendor ? ... if not ... ignore my mumble ... not an expert, but in a stream-cipher with an pre-shared or diffie-hellman'ed key, should the cpu-load for de- & encrypt pretty much the same And I guess the referen...

floaty

I'm saving this text in case it will disappear as well.

.
you're safe here

.
you should consider such a task if you're wandering an ubnt-forum .... because it happened to me there ( for minor boldness : )

floaty

. first ! ... you giving us config-data (which is a nice thing) ... you put it in here: . post-cfg.PNG . so nobody gets eye-cancer ! . and I'm not shure if you posted everything from router2 ... but a default-route to router1 would make huge sense .... and I'm missing it ... do you copy ? providing ...

floaty

. if this is only happens to your aruba-ap's ... not to the rest of your network-equipment (like other cisco, huawei ... juniper, alcatel switches ... ) . it smells to me like something is wrong with your vlan-configuration. . whatever ... your aruba-ap's (instant- or controller-ruled) might have a ...

floaty

.
first post ? ... really ?!
.
I like your style man ! .... somewhat consequently from the start ... keep on rockin!

floaty

.
not a problem ... had a beer aside ... thats why I'm doing the easy cases ...
... enlarge forum-karma ... drinking beer ... like bodhisattva recommended

floaty

.
anyway ... that's a neat thing ... so I'm fishing revenue here too

floaty

.
so far with typo's
.
beeing sedulously with screenshots ... is really for the Kimme : |

floaty

. the script should start every time, a lease from the related dhcp-service is issued ... so your logs doesn't show any script-activity ... something's wrong (tautologically : |) . even when the script is outdated ... there should be a loggged failure 'bout it ... so check your references and for ty...

floaty

. and you're not the first when you search the forum, for the keywords in the article below (yes, it's one from our admired market-leader : ) . https://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-tcp/200932-Ethernet-MTU-and-TCP-MSS-Adjustment-Conc.html . homebrewed here: . ht...

floaty

I mean, yes ... MTU-related ...

floaty

floaty

the packets are being shown, ufw is disabled so its not a problem there . shown ... ? where ? . do you wanna say, you were able to see the already DST-NAT'ed packets at the target-system [10.2.1.2] ?? ... if not check first ! . there is a rule to another port on the same system ... do you checked i...

floaty

. first of all ... you could log your point of interest to a destination of your convenience ... guess most convenient, because fastet, is to your console of choice: . system/logging/add topics=script action=echo . trigger a dhcp-event and have a look, if some birdy is flying up in the console ... I...

floaty

. Had some spooky moments with the dude myself ... you made quite a step from 6.45.2 to 6.47.1 ... Migrating a database between software-versions is probably not the most beloved homework for a developer. Not shure whether the amount of the data is worth the effort and if you have a db-backup ? I wo...

floaty

thumbs up !

floaty

Please include gretap tunnel in version 7.1. eoip is not vendor neutral. . reviewed the old links in the topic ... maybe it's just the two of us ? : ) , I've tested gretap tunneling with cisco-click-OS-AP's and Alcatel-Stellar-AP's (generic support for the last) I outperformed the alcatel-gtts solu...

floaty

https://forum.mikrotik.com/viewtopic.php?f=1&t=160484 . since I gave already +1 I am at: 2 . I see this more relevant than vxlan ... classical "virtualizers" loosing land ... (Gordon Gecko said: Greed is good ... but some water [and more money] underbridged) so I guess some "unencumbered" protocols...

floaty

. there are rumors, that swos supports snmp ... and than an ocean is cracking open ! https://wiki.mikrotik.com/wiki/File:Swos-statistics2.png . SwOS only supports a partial MIKROTIK-MIB (for health, PoE-out and SFP diagnostics). To monitor interface status and some other counters, you should look fo...

floaty

Thanks, tried the real 24dBi antenna setting, still no love. And as far as PTP set-asides, it appears the FCC has dropped those from the regulations, as far as I can find. . . so maybe an "older" image-version brings your wireless-link to live : | . but you can consider yourself: youre on the 'axe ...

floaty

just had a look into my account ... there's the possibilty to request a country-key-lock for a device . so maybe you can do that (cause the PtP-has default- and permanent license ?!) for your legit serial ?! . maybe you should push again support-side ... your Tik'l comes with a support-period for th...

floaty

. not shure if we're talking the same issue ... but choosing the reg-domain can be sometime kinky for a MTik-Device. Sometimes (or always?) there is a predefined min/max antenna gain to be set, before you can choose the related country-reg-domain and installation-environment*. If there's the wrong v...

floaty

.
What's new in 6.48beta12 (2020-Jul-06 13:33):
.
*) ike1 - allow using "my-id" parameter with XAuth;
.
SOLVED

floaty

.
just some illustrations added ....
... coped a while with the ROS-ipsec-template-thing ... doing this config ... I'm happy to understand now what it can be usefull for : )
.

installed-SAs.PNG

.

used-policies.png

floaty

. recently got the task to provide a VPNC-link to a group of users ... my MTik-arsenal came to mind followed some older posts in the forum and got it running with v7.1beta1 (unforti not with a production-release because of limits in xauth-implementation) *1) . I had no access to the remote-vpn-devic...

floaty

. ran into a problem configuring ROS 6.47.1 as xauth-client: I cannot choose 'key-id' as local-id-source -> error . xauth_6.47.1.PNG . same on CLI [admin@MikroTik] /ip ipsec identity> set 0 my-id=key-id:abcxyz failure: XAuth must use auto my-id [admin@MikroTik] /ip ipsec identity> . according to thi...

floaty

.
a ball plus : ) vrf-menu has joined ip-context in winbox
.

vrf-menu.png

floaty

.
"ip route" context is still a CLI-only domain
.

bumms.PNG

floaty

must be very annoying to our fellow Mikrotikls, that every new release anouncement is turning into a whining-zone : )
.
so many fashionable new features ... no party : \
... but that's your life jacky brown : |
.
so hopefully my vendor id dhcpd inconvience is handled first : )

floaty

...
and I cannot be tired of repeating: "do not bridge so effin much!"
bridging is advanced pharmacy ... you do to much ... it turns to poison !
.
the most wellknown traffic-catastrophes happended in conjunction to bridges and tunnels

NO JOKE !

floaty

revisited ... . in your very well populated bridge: I configured ether2 to 5 to only works with VLAN90 --> to talks with Clients (un-tagged) ... hopefulle correct. you've configured a PVID=90 for eth2-5 but (it seems to me() these ports are intended to be just ethernet -access-port for your clients ...

floaty

booh ... thats rich ... if you have winbox, can you post a screenshot from your "interfaces list"
.
if made a sketch before you started to configure all these ... ? ... can you share ... I'm a picture man.
I can't figure what's the purpose of all this ! : |

floaty

my opinion ? ... there are two ways to proceed with the issue: 1.st approach: you read the related documentation and then read forward in this forum how to get support - then you formulate a new request in here with the newly learned skills 2.nd approach: youtube yourself an old muppets-show episode...

floaty

From your decription I figure there are two devices involved ... but your posting is ... blunt ... from which one? . and whats the problem with a little sketch, to let the "free-of-charge-supporters" know, what you are created over there ? ... is this too much ? ... it .. isn't too much ! . end of k...

floaty

nope ... not down ... keep on investigating. . C:\WINDOWS\system32>ping a815XXX648c.sn.mynetname.net Ping wird ausgeführt für a8150965648c.sn.mynetname.net [78.XX.YY.145] mit 32 Bytes Daten: Antwort von 78.XX.YY.145: Bytes=32 Zeit=28ms TTL=243 Antwort von 78.XX.YY.145: Bytes=32 Zeit=29ms TTL=243 Pin...

floaty

... your snipped configuration does not contain a hint to which interface you're configured dhcp-server is connected to ?! . if you want a common network over multiple (hardware-)interfaces there should be a bridge, where all your intented (hardeware-)interfaces are "a port" [personally not so happy...

floaty

. still no option-set linking to a vendor-class-id possible in dhcpd ... ? it's possible in v7beta8 !? ... is this by intent ?... or a bug ? . . [admin@v6.47.1] /ip dhcp-server vendor-class-id> add Creates new item with specified property values. address-pool -- pool used for this vendor-class-id co...

floaty

feature was introduced a while ago in v6.47 and it is also avail in v7beta8 in v7beta8 I am able to link an option-set to a vendor-id (what is obviously the main-purpose), but I cannot do that in v6.47 ( ... our beloved production-release) ?? ... dhcp is application-layer, nothing kernel relevant (i...

floaty

... who's wondering ? we have IPv6 running for over 10 years in the provider-production-environment ... but who's using ? in EMEA or AMER (without BETA-Feeling) ? Noises heard: it's running big time in the "chinese-internet" (and they wanna be part of the standardization-process ... [they invented t...

floaty

thanks ... nice ... will see if I can scramble up some money to become a mAP-owner

floaty

you're right ... the simplest possibility is far too - ... bloody - simple here. https://mum.mikrotik.com/presentations/VN17/presentation_4493_1494480323.pdf The Technique; Ninja Said This is The Jutsu #joke • Static DNS # ... näh • Web Proxy # ... nope • Route Policy # ... eventually, why not ... i...

floaty

.
? someone did this before ? ... looks viable ... but I'm 55-60 bucks away from knowing for shure ...
.

like-that.png

floaty

is there some kind of Y-Cable avail to power the mAP via power-bank and use the USB-Host for a serial-USB-adapter at the same time ? . +----+ +----------+ +-----<<----+ | usb/serialadapter | | | +----+ (( | +----------| +----------------------+ ((( | mAP | | | | (( | +------+ +----->>-->| Powerbank ...

floaty

. and ...I found the group-feature ... inbetween ... hard to see : ) . /user-manager/user/group . [admin@chr-7-1] /user-manager/user/group> print Flags: * - default 0 * name="default" default-name="default" outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap2 inner-auths=ttls-p...

floaty

.
you can also add:
Radius:IETF Framed-Pool
to select the IP-Pool
.
and
Radius:IETF Filter-Id
to define a firewall-chain in MTik-ROS

floaty

. you should be able to do this by adding the attribute "Mikrotik-Group" to a user (haven't figured if and when if, ... how to add a attribute-set to a profile or user-profile ... like a group-feature ? ... I would like that too) . Mikrotik-Group - Router local user group name (defines in /user grou...

floaty

. not v4 ... right . foo@pike:~# dig -x 2001:4860:4860::64 ; <<>> DiG 9.10.3-P4-Debian <<>> -x 2001:4860:4860::64 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION...

floaty

. I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address? . same experience here: using the avail v4 adresses gives warnings (maybe a google by-the-side-sausage ??) ... seems there's loadbalancing inbetween, which is fetching "dns.google" [o...

floaty

. When in WinBox 3.24 I go to IP -> Routes, click "Add" and type "8.8.8.8@" in Dst. Address, WinBox hungs and, a few seconds later, disappears. Is it only me with Wine on MacOS, or the problem is repeatable everywhere? . it's general . Winbox 3.24 crashes after setting up VRF and opening '/IP/routes...

floaty

unless this isn't a hardware-related issue ... I see the same odds here on the other side of the pond. . [R11e-LTE-US 13-15 Mb] ?? . This is (my oppinion !) a very sorry performance for the capabilities the standard should be able to serve. so.. (for me very) obviously the providers classify the har...

floaty

sad ... evolution ... in fact ... there's in all times a child behind
I'm a sad mammal to say so ...

.
I'm great splunk fan !! ... but I'm doing graylog ... until I'm not !

floaty

yepp: buttercream !
... my doc told me !

floaty

. user-manager / radiusd: chap-authentication works eap works ! ( : [] ) no logging messages echoed to terminal-session for: . [admin@chr-7-1] > /system/logging/print Flags: X - DISABLED, I - INVALID; * - DEFAULT Columns: TOPICS, ACTION # TOPICS ACTION ### snip ### 4 radius echo

floaty

. Winbox 3.24 crashes after setting up VRF and opening '/IP/routes' dialog ( ...and crashes immediately after trying to reopen) . [admin@chr-7-1] > ip route print Flags: D - DYNAMIC; A - ACTIVE; C - CONNECT, S - STATIC, m - MODEM Columns: DST-ADDRESS, GATEWAY, DISTANCE # DST-ADDRESS GATEWAY D 0 AS 0...

floaty

. and VRF ! that's rich ! . [admin@chr] > ip vrf add list=vrf-if-list-red name=vrf-red 03:52:05 echo: radvd,debug skip Router Advertisement sending on bridge2: no prefixes to send [admin@chr] > ip vrf add list=vrf-if-list-red name=vrf-red [admin@chr] > 03:52:11 echo: system,info vrf-red added by adm...

floaty

make yourself acquainted with ssh-key authenticaton !
.
BUT of course you can try ! ... the youngest day ... ? ... is public !

floaty

the script just fails ...
.
it's a nice "try just at home example"

floaty

that may or may not be so ...
better you check that out by testing your configuration(s)
.
you should be suspicious, if two versions work : )
.
had QinQ never in production ... but earned all the the time mx'ed emotions, hearing production stories ....

floaty

.

A bit of a pity that MikroTik defined their own protocol type

.
... sometimes it's just about having my own "Jodeldiplom" ?!
.
... but opening a platform for a compatibilty is - of course - always a sometimes hard-to-know business-decision ...
I see more options, than contraints for this case

floaty

. Open vSwitch is using GRETAP as a tunneling option ! ... maybe also an option to terminate MTik-wireless-devices over a distributed-foreign network-infrastructure ?! ... with the new hiperf-switches and 10/25G-routers ... ?! that would be "a feature" also for datacenter-like installations !! ... o...

floaty

.
just to illustrate the issue ( ... opened the archives)
.

diff-is-diff.png

floaty

nope ... tried that ! MTik-EoIP and GRETAP make use of different protocol-types ... so ... the feature-request ... is simply a request for a compatibility-flag . https://tools.ietf.org/html/rfc2784 . 7.2. Protocol Types GRE uses an ETHER Type for the Protocol Type. New ETHER TYPES are assigned by Xe...

floaty

stunts like that will not work with user/password-authentication (there is no unattended remote-shell usage which needs interaction for authentication - security-reasons) you need to setup key-authentication between the devices then you can use ... : . [admin@tikki] > system ssh-exec <address> -- <c...

floaty

in case your netflix is off duty ... surrogate:
https://www.youtube.com/watch?v=C46ISu_T2SE
starting 33:00

floaty

https://wiki.mikrotik.com/wiki/Manual:I ... LAN#Q-in-Q
.
not 100% posititve about ... but maybe the remote-device uses 802.1ad compliant tagging
then you need to set

use-service-tag = yes

floaty

viewtopic.php?f=2&t=149235
+1

floaty

just add a vlan-interface and choose your ethernet-interface as source-interface in case you need this vlan on multiple ports, you have to interconnect the vlan-interface(s) with a bridge ... (there are more options if a hardware-switch in your plattform is involved ... but above option should work ...

floaty

As I said: "The DNS on the router is not enabled." . there is no "The DNS" on the router ... there is a dns resolver in the ip stack and a service which you can enable or not. . if there is no dns-server-entry in the /ip/dns-settings ... you can still catch a dns-server address if a dhcp-client is ...

floaty

In the the communication between a network-access-server (short: nas) aka "your mikrotik hotspot __and__ a radius-server aka "your user-manager" (maybe both functions on the same device), are two different communication-channels defined. One for authentication and one for accounting. Obviously the a...

floaty

also nice ... (and highly usable !)
https://www.coursera.org/lecture/tcp-ip ... ples-QgePi

floaty

guess you're looking for somewhat of a reprint of the manuals ? ... yeah man I would ! ... but I bruised ma pötchen . but you could search the index for "vlan" "switching" "routing" ... then "firewall" ... and my experience ... once you've started ... you do not stop for a year ! . best you start wi...

floaty

... and you should have blacked out every other url in the screenshot ... so it's an easy guess

floaty

- capture some of these packets and have a look inside ... dns is propably good for some information bouta source of these requests
- disable the web-interface (if it's enabled) of the router ... there's a link ... maybe a client is triggering that link (may be you : )

floaty

think we're done here

floaty

.
the squirrel may be not really the fastest one on the ash ... but nimble and diligent !
.

cp2.PNG

floaty

.
https://www.open.com.au/radiator/ref/Ra ... ation.html
.
... guess this is the point where I ask for a "generate RADSEC-Cert-pair" button ... ... jeez ... why has it always to be pandemonium ?

floaty

. obviously something odd with the parser in the log-subsystem ... communication is running on port 2083 . [admin@tikki] > 15:05:47 echo: radius,debug new request 0d:5f code=Access-Request service=login 15:05:47 echo: radius,debug sending 0d:5f to 192.168.7.74:8968 15:05:47 echo: radius,debug RADSEC...

floaty

. First thing that comes to mind is the typical reverse DNS query most linux distros do when accessed via SSH . agreed by the 100% . check /etc/ssh/sshd_config of your containers ...vm's whatsoever ... . #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 Per...

floaty

switching hardware is a "Thing" in ROS ... did you try to change the mode to fallback ? ( ... fallback normally doesn't hurt)
... maybe it's just an unsopported handle in the interface ?! ... best guess.
.
btw. is this a good old XP-box ?
.

xp.PNG

floaty

. and ... bringing in the question as accurate as obviously possible ... could have spared IO-ops too : | . I know what's loading the CPU. My question is, why so much? One EPYC Rome core can do 1.7 GBytes/s AES encryption. Two cores can 2*1.7*8=27 Gbits/s My traffic is very small, only 0.5 Gbit/s CP...

floaty

. maybe a problem with exposing all your heroic cpu-capabilities to your CHR-vm ?! . ... and why do you give a rotten f**t about your VM-cpu ? ... what's with your host cpu ? . ... and in the end ... being busy its what you paid the cpu for ! . give me your CPU-problems and you can have my IO-ops di...

floaty

.
call for input !

floaty

.
do you obeyed orders ? : )
.
https://wiki.mikrotik.com/wiki/Manual:T ... nToNewDude
.
honestly I haven't done it myself ... would be interesting if it is possible to switch a database from x86 to arm ... or reverse ?!

floaty

. route whenever you can route ... bridge only when needed ( I would say: when unavoidable ). . you wanna have control over your traffic flow ? ... separate your interfaces, build up small broadcast-domains ... then you can measure the traffic with fw-rules. . carefull with bridging wireless-interfa...

floaty

. seems everyone is skipping the "keep-it-simple-course" in network-potty-class ... . why ? . fun of administrating one of these devices is knowing what you're doing ... . I also created 3 virtual wireless interfaces (one for each physical wireless one ) and bridged them in bridge 2 . what for ? flo...

floaty

.
or maybe "radius" is already sensitive

.
... it smells sensitive : )

floaty

. what*s with good old trust ? . or maybe our MTikl-friends add a radius-tickbox ... end of story ... your complain makes sense ... seems not to be a very big story . tikbox.PNG . other question ... were you able to authenticate against a RADSEC-enabled server ? . have'nt found a success-message on ...

floaty

.
or maybe /tool/profile ... can grow to a friend of yours ?
.

perf-profile.PNG

floaty

.
https://mum.mikrotik.com/presentations/ ... 562405.pdf
.
fyi

floaty

.
my best guess ... calculating encryption ?! ... ... even packet forwarding isn't a "Zuckerschlecken"
switch off IPSec for the tunnel ... check again !?

floaty

when you enable the webinterface of your routers ... you can see the perf graphs for the interfaces there also ...
.
... so when you do, do you have the same FX ?
.

web-perf.PNG

floaty

.

In ROS the SNMP strings are setup the same as all other devices

.
We really want to believe you

... but show us.
.

/snmp export

floaty

I'm not sure that I understand correctly

.
just a side-degression in iperf ... please proceed

floaty

. sorry to interfere only for beeing so nitpicky ... I have to give the tcp-default ... but ... mutiple "routes" ? ... nöh . 39494 39500 39498 39496 . root@badger:~# iperf -c 192.168.67.140 -P 4 ------------------------------------------------------------ Client connecting to 192.168.67.140, TCP por...

floaty

after a while (some hours) data is only send to the first server configured, the second and third server does not get data anymore. . since your setup seems to be working for a while ..., but than not ... a bug would come to mind so ... maybe one of your devices are still under support ?! ... try t...

floaty

I'm struggeling with my english a life long ... and the english men ... struggle with me ... bouta'länguoch'uff'curse !! . sooo ...? . question: do you use 'dude' for monitoring ? or some other inside-ROS-tool with a script ... . The problem is that my monitoring 10.10.4.180, polls the device, and l...

floaty

ooops ... if this is about dhcp-options ?!
... sorry for coming sassy in the first place ...
there are interesting features coming up in the testing- and beta-versions which might raise your interest ...
check out the news-channels ...

floaty

1. we are all agree from leasing .. really !
.
since you now may feel a little bit better, you might be able to give us a 'communique' of your sufferings ?!

floaty

Lukas 23,34

floaty

Yeah, can be done, but for the danger of locking myself out of the switch

.
every good network administrator has done this ... like every good sailor has crossed the ... fan

floaty

sometimes ... if ... nothing new appears ... nothing happened ?! . you like to see a new ppp-interface ... why ? if you setup a new (ov)ppp-server ... only the capabiltiy for such an interface is born (goda** I'm biblic today) . good old atheists would check with an "/export" before and after ... if...

floaty

you can ! ... all the way ... use the contrary approach ... drop everything, till "your" network works again like expected ...
.
or you do a trip to google ... protocols that should never left my local-LAN ... my local-machine ... ... my Mind ... etc.

floaty

A firewall segregates two or more parts of a network, A network is called a functional interaction of items. . Make a packet-trace (only the the headers ... to be wise) on every part of your network(s) AND decide yourself what's needed and what's not ! . You wanna call yourself bible-proof ... so re...

floaty

and sorry I couldn't resist ... let be god a G00dm4n

floaty

not shure you've checked out the TR069 capabilities of ROS yet ? (yepp ... right ... me neither)
.
but since these capabilities are implemented, so you should start to crtitize these functionality ?!
.
you want a bridge ? ... checkout the ferry before !

floaty

earn a very 'yes' to the provider redundancy part ( and keep studying the relevant forum-posts ) ... and earn a 'maybe' to the WLAN part ... your brandnew hAP ac² should have of "a place" of 'undoubtabletized' LTE-receiving quality ( like blessed mother mary ) ... if this is also the place where you...

floaty

can only measure 5MBps from the server->client. But only if I measure with a single thread. If I measure with parallel option of iperf3 (this way it creates multiple connections), the bandwidth can reach the uplink limits (25MBps) even through the abroad ISP. . little bit unclear how long you did t...

floaty

... and more dangerous ! in dry areas temperatures rise and fall with dust and dawn extremely. brings ... condensed water into the equation !! NO FUN ... had that myself when I found one of our antenna-cables with N-connector drowned ... first I thought it wasn't well enough insulated. But wise-guys...

floaty

in summer the temperature in shadows can reach 42ºC . guess you can have such extremes nearly worldwide now (exept really circumpolar) ... WAP LTE is specified (Tested ambient temperature -40°C to 60°C) ... since you have to expose the device with it's internal antennas ... :( . advice ? start with...

floaty

... and ... whenever possible ... recheck with another device, where you can also see the configuration and connection-state ... it's possible your provider does not want you, with your device.(-identifier) on that frequency ( at that time ... with that contract ... whatsoever ) ... it's a policied ...

floaty

MTU 1418, while rest of the network and of course internet connection is 1500 . you build a tunnel inside a tunnel ... you build a bridge over a bridge ... this is what happens ! . A fat man creeping though a tunnel, should be aware of the problem, ... before forwarding. . maybe you should check: h...

floaty

openvpn is very wealthy in it's feature-set ... please give us an "/export/withou... " from your terminal as an attachment to your next post, for further investigations.
.
nice gesture would be, to make a little sketch with relevant links and addresses ... to fetch the issue even faster ...

floaty

my first guess ?! ...
FF UU NN

floaty

I guess he's offering free outlays for critical assessment ... isn't he ?!
.
who had the boldness

... ... this is not the place to worship mammon !

floaty

! OR ! . if your "two-tunnel-machine" can be the ppp-client in the setup ... you can set that client-interface into a VRF to work-around the "one-IPeed-client" and hence the routing-problem ... ... but as always and before we're opening that barrel: better tell the auditorium about the use-case you ...

floaty

can i make 2 PPP VPNs (L2TP) from 2 different WAN ? For ex. LTE + WAN1 , One tunnel connect from LTE , second one from WAN. I see no problem in here ... . Dst. Addr both tunnels are the same. ... this might trigger a routing problem, because your tunnel-client-ip is either reachable over LTE OR ove...

floaty

Is there an issue I´m mising? ... highly presumable. 1. did you perform a test of your freeradius-server over the network with a tool like radtest ( or similiar ) ? ( ... it's the first thing you would do !) 2. stop your freeradius-(service) and start the server from the command-line in debug-mode ...

floaty

so ... first ... I am not catholic ( and 'am spending no sympathies for any tribes ... ) . BUT . Is there an option to bond multiple LTE wan (example 3x LHG LTE6) with two Mikrotik via GRE,EoIP or VPN to reduce broadcasting latency? . you can avoid congestion-related latency by increasing the bandwi...

floaty

your WAN-interface is: 1. with good reason 2. for your own good 3. and therefore by default not in the fancy roundel for such pieces of lunacy ! . please make your self aquainted with common strategies of internet-security ... and the sophisticated concepts of the before named, which offers the Mikr...

floaty

... or you catch the guy who's maintaining your local cell-tower by impeding his beer in the local pub, because you instructed the bar-crew before, to do so ... and ask him if it's worth !? .. or you spend then a "beer more" on him ... and he's considering a custom config for your IMEI (please have ...

floaty

and maybe it's worth to investigate the "router-isn't-usable-by-IP-anymore*-thing ... on local interface ? no ping ? no arp ? no mac (! see ... you're doing mac-telnet ) ... there is mac-access ! what about arp ? ... so every little step ... like an outsider ( ... maybe like an intruder) . I had thi...

floaty

. Main problem is, It's not possible to reproduce the issue with (yet) known tasks or tools ... . graylog is exactly the tool I would use for such investigations ... did you mentioned interface up/downs from one of your routers when you timeframed the occurence of the incident ... any route chances ...

floaty

... to give my inside pestalozzi a chance ... All clients see each other, all client can access internet on port1. All clients use same gateway 192.168.1.1 ... why in the name of pestalozzi, do these entities need addresses from different pools for ? ... what is the distinguishable criterion for the...

floaty

mmh ... without being rude (trying), I can recommend a link: . http://www.subnet-calculator.com/ . you're switching bits very frequently ... which can you bring in networking-devils kitchen very soon 8) . so ... if I see this right, you have more a DHCP-problem than a networking problem ?! . If you ...

floaty

... A A N N D D ... by the way there is a 60 day grace period for every CHR-VM ... fully featured ... so if you do it the very scottish way ... : you rent this one to your customer and after that you can use the money for your nephews christmas CHR ... so you can pour yourself an extra bottle eggnog...

floaty

not shure which license do you have in mind ? ... renting ?! ... interesting ! guess you're burning more money to setup the rental-contract and keep your related paperwork tidy, than the license would cost you. but sometimes business-ways are mysterious ways ... ?! so ... do it the scottish way: res...

floaty

Since the problem occures very sparsely, it's not so probable that you catch the trigger for the event by a "lucky punch". Anyway if you haven't yet, setup centralized syslogging and keep all you routers in time-sync. The rough timestamp of the event and the surrounded syslog-events from all other r...

floaty · Re: Different DHCP pools on ports from 192.168.1.0/21 network yes.png

yes.png

floaty

guess you are a little bit out of "usual concept" !? . your interfaces are in the same IP-subnet 192.168.1.1/21 is (192.168.0.1 - 192.168.7.254) so there would be no need to configure different router interfaces BUT if you want it like that: +---+ +---+ +---+ +---+ +---+ +---+ | 1 | | 2 | | 3 | | 4 ...

floaty

. just for the completeness of the picture: proxying a request from freeradius-v4 to MTik-UM-v7b5 seems to be a nogo . after setting up a new instance for MTik-UM in new radius_rlm of FRv4; FRv4 tries something like a check or hello or something, before the rlm is fully instantiated ... which fails ...

floaty

. just discovered a nice radius testing-tool ... no eap-features ... ,but its possible to save predefined setup's, contains coa-requests, server-stress-testing ,monitoring ... tidy for windows, linux, freebsd ... decent seems ntradping, my convenient good old geezer, is ready for pension :( . https:...

floaty

.
https://www.dfn.de/fileadmin/3Beratung/ ... Strauf.pdf
.
for v4-afficionados !

floaty

. ... while v7 is still cooking ... were stuck with our windows-wlan-clients in the meantime ... and because corona-boreout and freeradius3.0 forming a perfect couple ... we are setting up an EAP-proxy (almost better than sudoku) . ------ ubnt bananapi CHR //// \\\\ +-------+ +-------+ +-------+ | S...

floaty

Mikrotik have the development smarts to cleanly integrate WireGuard into RouterOS, and now that it has been mainlined I would not be surprised if we see it in the very near future.

.
hear hear

floaty

. This is a nice thing ... but I have to admit my company plan is not an unlimited one, so while I normally in "the zone" every month, I want avoid any BW-kinkyness. But the test-router is intended as custumers mgmt-backup-line ( F L A T R A T E !) ... then I'm definitly able to flood some statistic...

floaty

. some toilet-paperroll-hunters returned to aerie ? ... or power-saving mode ... keeping the shores of kreuzberg-mountain green ? we know only a little ! plz remember ... floaty is YOUR performance leader in tha moment (actual results in post above) ... ... so far ... good night and good luck ! . 13...

floaty

. just found the solution: https://mikrotik.com/product/intercell_10_b38_b39 : ) power up your own cell ... out in the middle ... no interference and with your own iperf-server !! That stops all the yodeling and tells you whats behind that door !! Maybe that beast is excatly intended for that purpos...

floaty

just realized ... broke ma own record ... and still leader of the pack !
H O O K A Y I P P Y J A Y H E Y !!

floaty

.
22:05 (todays watermark ... guess they'r all out there hunting the last shit-paperroll avail in the stetl ?!
.

13mar2020.PNG

.

floaty

. and the main problem ... results are totally erratic ... in the middle of the effin night, no lights on in the hood !! ... same config I've used before ... performance is unexplainable like "my ass" . ... who has the guts to explain such B-sheet to a paying customer ? ... are they scrubbing the an...

floaty

. It's not as simple as this (but not much more complicated either): users share air-time. The higher number of users, the lower air time and thus lower throughput each gets. . guess this is a verry sensefull statement ! cause good old air is a very democratic medium - shared by all of us. you wanna...

floaty

.
If the Force might be with us

.

floaty

. Guess there is enough processing power in such an LTE-pop to force me to whatever channel / config they want, if I do not fit into the "for-the-greater-good-QoS-shaping-policy". And most of the time I'm not in the mood to wardrive the best spot for a high-perf LTE-link around. Good Old G. generall...

floaty

.
!!! B O O Y A C A S H A !!!
.
in front of the peloton:
.
!!! FF ... FF ... FF ... F L O A T Y !!!
.

in_front.PNG

.
https://www.speedtest.net/
.
.
.

pop.PNG

.
.

hw-cfg.PNG

.
.

cfg-stat.PNG

floaty

.
would be interesting ( ... for me)
which (and where) is the highest speed ever scored to a cellular network with the latest mt-hardware (R11e-LTE6)
...
gentlemen ... start your engines !

floaty

...
guess it's not that simple ?!
.
... maybe country-specific delicacies ?!
.

skip-b20.PNG

.

b20-disable.PNG

.

floaty

. Again, avoid using B20 and 5Mhz bandwith. ... how ? ... and why ? . This B20 is one of slowest (compare to B3 > B1 > B7 who are THREE KING's of LTE in EMEA and R11e-LTE6 only do 2CA: B3+B7 between them). ... where got that wisdom from ?? . Just tested new delivered RBLtAP-2HnD&R11e-LTE6 ... and so...

floaty

I'm in.
+1 for WireGuard.

floaty

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.

floaty

... while reviewing ... and talking odds ...
.

no_tupi_nix_w7_more_odd.png

.
maybe a clock prob I did run into ...

floaty

yay: one+ for a radius-eap-debugging option . ... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw) -> ... also windows7 is not able to connect to the MT-CHR7-radius. Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-cer...

floaty

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !

floaty

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.). Not shure about the logo-customization ... If you're already using MTik-devices you can download the usermanager package, install i...

floaty

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy) and until someone put a gracious eye on your feature-request ... you can evaluate here: https://www.kaplansoft.com/tekradius/ ( ... only when you can live with a windows-box) Sh...

floaty

just had an over-christmas-discussion with my colleagues over the topic ... . just check !! ... even dns-filtering is a walrus-nipples-thing : . ... ad-content is filtered ... the loaded site(s) seems to be slow ... because the content of interest is placed last ... no effin pictures of socks inbetw...

floaty

... so far as I recall ... it was a thorny way to implement in ISC too ( for me : ) ... but there's lot of time till january 6th :evil: . [admin@homeland-chr] > ip dhcp-server vendor-class-id print Columns: NAME, VID, SERVER, OPTION-SET, ADDRESS-POOL # NAME VID SERVER OPTION-SET ADDRESS-POOL 0 gs820...

floaty

btw.
there tons of articles in this forum how to make use of anti-spam-, anti-phishing, - or country-code related community-lists with a MTik-board.
.
add a local anti-virus-proxy ... and your'e good to go

floaty

... every filter (dns, av, antispam ... whatsoever) will slow down your secured application ... EVERY ! ... because you delegated sagacity to an entity with more discipline than you own by yourself ... and thats a good thing ... when it comes to computed routines 8) ... but it adds cpu-, asic-, what...

floaty

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle. We better wait for an "upstream statement" ... Maybe an old windows7-valiant out threre can tell if he's able to connect ... [ ... also the fortiauthenticator spat out my keysize 4096 ce...

floaty

yeah ... good tool (and as old as methusalix) ... . maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject . . btw. repeated my eap-test with new generated certificates keysize 4096 instead of 2048 ... and then also the android cli...

floaty

just had a little read-along ... again . 169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119 170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119 171 Dec/13/2019 00:30:55 memory manager, debug >>> ...

floaty

so ... for starters ... it seems the problem ist NOT related to the certificates I've generated on the chr-v7-radius-um-machine :!: I've installed these certificates on another radius-machine ... . you may ask: ... what the **ck took him so long ? a.) ... tried that on my production-machine ... whic...

floaty

indeed ... bootet up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ... no accept, no reject ... stuck in challenge . so maybe a problem with my server-certificate ... or: https://support.microsoft.com/en-ph/help/3121002/windows-10-devices...

floaty

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done

.

v7-eap-test-ws.png

.

v7-eap-test-rad-debug.png

.

v7-eap-test-um-stat.PNG

.

v7-eap-test-um-sess.PNG

.

v7-eap-test-andr.png

.
.
and unlike me, keep your clocks in sync !

floaty

divide et impera ... I agree by 100% ... but when 2000 ip-phones fresh outta box staring at you, you will beg for your vendor-class-based dhcp-features ... Sometimes you want split the ip-address-space for your VoIP by building ... add 4 types of phones (or AP's) and you will go nuts very soon :shock:

floaty

to be honest ... hopefully this feature will find it's way into v.6.4.x too ... while v7 is simmering.
... guess we will see (maybe one or another afficionado will give me "a ball plus" here : )

floaty

just had a look in v7 beta4 ... . [admin@MikroTik] /ip/dhcp-server/vendor-class-id> add Creates new item with specified property values. address-pool -- pool used for this vendor-class-id copy-from -- Item number disabled -- Defines whether item is ignored or used name -- option-set -- server -- glo...

floaty

For what I see, vendor-class-specific option-43 delivery is not implemented yet ... it's possible to have a specific ip-pool based on the vendor-class-id, but it's neither possible to add an dhcp-option-set to an ip-pool nor is there any matching condition-parm in the option-43-definition. So what's...

floaty

. maybe santa puts "wireshark" under your tree ?! ... you copied the hex-code with delimiters from the log-dump into your data-field ... not very convincing ( if I were a computer and had a saying in here ) . collect your dhcp-packets with -> Tools -> Packet sniffer . read out your vendor-spec data ...

floaty

Recently I had to replace a "multi-speed-media-converter" from amazon at a customer-site, because the device failed epicly in terms of performance (it's x-mas time, so the vendor is NOT revealed). The provider-cpe (presumedly set to 100MBit/full-duplex) had to be linked to a gigabit-1000base-sx port...

floaty

guess, you should introduce this to an insurance-agent of your trust to get a rate ... a good rate ... !?
... maybe even homeland-security should be asked for any objections
... who wants to be stuck in a guantanamo-style facility over x-mas by accident ?

floaty

just a low priority post ... that may ... or may not be of interest: reanimated a 'RBwAPG-5HacT2HnD' which I received as DoA from ebay ... spend 3 hours on it ! :( device came in from a probably failed openwrt-install-session ... no word on ethernet nor wifi ... after a 10sec-reset-button-reset "Old...

floaty

yepp, when I got this setup to fly, caribean retirement is on schedule

floaty

and in most of the cases a GPeR would make sense ... adding a proper housing for it [GPeR IP67 Case] , would be sensefull too: installation is straight forward ... ... when using ready-made cables you have possibly to shorten the bend relief of the cable . 1_1.jpg . 2_2.jpg . 3_3.jpg . 4_4.jpg . 5_5...

floaty

At least you can simply replace it in case it breaks . mmh ... doesn't saw that - really good - point :-| Just migrated my busiest-helper-files to the m2 of my "RB1100AHx4 Dude" ... to bad I didn't got attentive of this potential issue before I began to script. Is there a tool to check the health o...

floaty

+1 . would be a neat thing have a ppp-up (-down) script which needs helper-files to store dialer-states ... that's scratchy ... not so healthy for a flash or even for an usb-disk ... so definitly plus one ( ... even in v6.44+ [letting v7 be a good man] ... ... wanna show this to my colleagues ... .....

floaty

I see

floaty

one more thing:
.
reviewing your quickstart-guide, you can revise below on s.4 to 192.168.8.3 !
.

qs-mqs-s4.png

floaty

What are you guys talking about?

.
bout the Mikrotik MQS Quickstart-Guide ? ... and the recommendations made there (obviously not your recommendations ?!)
...
later is "Operating system support The device software version is 1.2p" mentioned ... which differs to v1.1

.

qs-mqs.png

floaty

That's a profound complaint, ... but obviously it is the main purpose of MQS to do so. The cause could be accidental misuse or damage. To distinguish between these two possibilities a more detailed description of your problem would be necessary. :-| MQS quickstart-guide says actual sw-version is 1.2...

floaty

Guess without internet access for the device, you can't. There's no manual download in the moment ... what's wrong with the running image ? . manual download - computer says: no <Error> <Code>AccessDenied</Code> <Message>Access Denied</Message> <RequestId>EFE50D47CE5598D3</RequestId> <HostId> 23YQ6R...

floaty

i have error

.
sad, but an error is better than nothing

... would you like to share that error ?
... or a screenshot ?

floaty

.

where can i get the latest MQS software ?

.
.

We recommend clicking the “Check for updates” button and updating your system software to the latest
version to ensure the best performance and stability

.
https://i.mt.lv/cdn/rb_files/1568358529 ... %20web.pdf

floaty

... or just send all files in a specific folder (disk2/sw/*) ...
.

/tool e-mail send  to="rcvr@rcvr.net" from="$sysName@sndr.net" body="disk2/sw-content" subject="disk2/sw-content" file=[:file find where name~"disk2/sw/"]

floaty

installed dude under dusk1/dude ? ... instead disk1/dude ?
.
obstinate files may be removeable, when logged as admin with a sftp-client (like WinSCP) ... and with circumspection

floaty

Lucky you. May happen that problems are linked with usb / mSD storage type on routerboards while on CHR this does not apply. . just found, that well aged statement ... sounds like Dude on 'usb / mSD' is not one of the brightest ideas ?! ... should I keep the hands off it ? ... planned to test such,...

floaty

I am not sure if I need a level 5 license to RB750GL where Radius (user-manager) is installed or the hEX where the DHCP is installed

.
https://wiki.mikrotik.com/wiki/Manual:L ... nse_Levels
.

snip.png

.
where Radius (user-manager) is installed

floaty

Hello Forum, I am looking for a way to save the result of a function ... "somewhere". My problem: inside my devicelabels the snmp-device-name is dynamically displayed from a function. In case the device isn't responding any longer, I'm loosing the device-name in the label (but I won't !) So what are...

floaty

Maybe ... there is no advantage this time (the price eventually or the rugged design ? ... choose ) If I don't miss anything in the spec, it is no full RouterOS running on MQS. It is an AP-bridge only, which delivers passive PoE to a "setup-candidate" [point]. . MQS itself can be configured only in ...

floaty

uuh ... yeah ... tried to push an interface into a VRF ... failed ... pushed harder ... saw the error-message ...
... maybe a little "what's-worth-to-test-and-what's-not-implemented-yet-v7-matrix" could be helpfull in the notes ... to avoid 'early redundancy'
... anyway: thumbs-up !

floaty

Version number 7.0beta2 Router's model CHR . [admin@CHRv7] > ip vrf add name=vrf10 [admin@CHRv7] > /routing table add fib name=main-fib vrf=main [admin@CHRv7] > [admin@CHRv7] > /routing table print Flags: D - dynamic; X - disabled, I - invalid; U - used 0 name="main-fib" vrf=main fib [admin@CHRv7] >...

Search found 231 matches