MikroTik

floaty

.
?[(ROSv7b4 & 802.1x) & (windows-802.1x-client)] -> 'in statu quo res erant ante bellum' [pre-ROSv7b4]

floaty

dude just checks if reasonable response is received. (dude server should be added to radius servers shared secret list)." So I removed all the changes and created the dude in the shared secret list and it worked for me. . true ... for me too ... anyway, it would be nice to know, whether and ho...

floaty

just because already chocolate-santa's awaiting you in the local supermarket, it doesn't mean christmas eve has broken !
... maybe it's a little bit about timing ?! guess your impatient question shows mom and dad they're do'in fine : )

floaty

gacias !

floaty

.
no predefined place on this board for a buzzer ... looks bad for a beeping hAP ac^2
.

hapac2-8.jpg

.
like on https://i.mt.lv/cdn/rb_images/1533_hi_res.png

floaty

guess 3 & 4 are just to pin the button to the board ... but you could test the the broken button with a beeper ... ?! ... the one with the switching-function are yours.
.
... btw. sincs your box is open : ) ... can you post a photo from the whole board ? ... just another issue to consider. Thanks.

floaty

can you just solder the speaker to the board? ... not me ... you could do it yourself. But what is highly questionable: can that lead to a fruitful result ? Odds that you ruin the board with such shenanigans are quite high. Why not selling the board and have a beeping one instead. Interchanging non...

floaty

. updated wireshark -> 3.4 ... tried again ... standard-wireshark-pcap works ... maybe mouse-jitter when I saved the pcap-file with the previous-version : | . [admin@chr-7-1] > tool traffic-generator inject-pcap pcap-file=ping-req#.pcap once interface=71-e2-vlan100 iteration: 1 tx-packets: 1 tx-byte...

floaty

. with traffic captured on a MTik devices it works ... not a big deal; but to replay "a situation" from somewhere else it would be nice to import such traffic !? . [admin@chr-7-1] > [admin@chr-7-1] > tool traffic-generator inject-pcap pcap-file=ntest.pcap once interface=71-e2-vlan100 itera...

floaty

Diffs in response time that big appears to me, like the first configured resolver times out and a backup entry is doing the job.
Try a tool like dig or nslookup to check, if your Mtik is resolving.
Change to
ip dns
and
export terse
your config to give us some insight whats in the config.

floaty

. You could add an raspi-zero-pi to the usb-port, configure it as an usb-ip-node and a syslog-receiver. Then ... for every event you need a sound ... you generate a syslog-message, which you can translate via 'logwatch' or something similiar into a special noise. Very soon you have grown youself a r...

floaty

. your precision-freeware isn't showing any parameter stepsize on it's x-axis ?? ... so for starters: hard to say if this is an issue or a neurotic prolaps ... (sorry !) : ) . not shure what kind of size (router and network) we are talking about ? ... in my Opinion: Gibson's Stevie targeted with thi...

floaty

. from your initial post I saw that: . /ip ipsec policy add dst-address=0.0.0.0/0 group=WindscribeVPN proposal=WindscribeVPN src-address=0.0.0.0/0 template=yes . just made my first efforts with the ipsec-template feature myself ... question is why is your template so ...gdmn "wwiiddee" ? ....

floaty

. Just tried to inject some modified packets into my home-network, but had no luck wenn I tried with externally captured traffic (wireshark, tcpdump). So question : which format an injectable capture-file should be written in, to have allowance to pass by to the wire ? Is only with a mikrotik-device...

floaty

Not 100% sure about that. Since hw-offloading is working with the "real" interface address - mac or IP (and I presume the hw-offloading is anchored to the mac-address) my idea was to use VRRP only as failure-recognition and use the master/backup-script to set and reset the IP of the interf...

floaty

. Actually the results from my testing are better than expected. Using only the up-down-scripts from VRRP to set the IP-address of an hardware-offloaded (vlan-)interface, then push some gratuitous-arp packets with the traffic-generator tool. Downtime <~ 1Sec. ... Not Datacenter-like but better than ...

floaty

mmh ... "vrrp-by-proxy* (using *vrrp-v3 with a script for setting 'vlan-if'-IP ) could be a workaround made some tests ... just dreaming ... : ) ... setting an address ... pushing some extra pakets ... : | ? . guess the problem isn't merely connected to hw-offloading, then to presenting the &qu...

floaty

. I had nearly the same results with an IP-address directly bound to a switch-port as with an IP-address bound to a vlan-interface. Hard to explain throughput > 9Gbit/s with some software-wizardness (which might be there : ) ... but that would be "beyond" ! If I understood raimondsp explan...

floaty

Hello, are there any recommendations, opinions or a prospect how CRS3xx-hardware-offloading could be implemented in a redundant IP-topology. Is this possibly part of a roadmap ? Just learned that an IP-redundancy-protocol like VRRP or even a simple script - state of play - can't be used to achieve L...

floaty

. I suggest you create a separate forum thread regarding L3HW+VRRP. If gets enough attention, then we will put it on our roadmap. . thanks, will do ... just brooded what a script could do ... seems a lot of shebang has to be considered ... it isn't done by an IP-address-change; can't change mac-addr...

floaty

the vlan-interface on top of a bridge is also kind of 'virtual' ... ... and in a high bandwidth environment it would be not so uncommon to have the need for redundancy ? ... so if an offload redirect is possible from the vlan-interface to the bridge-interface ... maybe it's also possible to add a st...

floaty

. not working, when I put VRRP-interfaces aside to the vlan-interfaces and use these as gw-addresses ... maybe not yet supported ... or do I miss something in the vrrp config or somewhere else ?! ... still wirespeed when I use the vlan-if-IP's as gateways ... . [admin@crs312] /interface/vrrp> export...

floaty

. was'nt shure if all that means the L3hw-offloading would include a vlan interface on top ... ... now I am ... tested with a crs312 ... and indeed: fun ! . !!!!!!!!!!!!!!!!!!!!!!!!!!!!!! interface ethernet switch set 0 l3hw=yes /interface bridge add name=bridge1 vlan-filtering=no /interface bridge ...

floaty

+1 . great I've found your post ! everytime I'm doing a re-discovery (and networks ... ... there arara changing!) ... I give the bold F-word three times, because nothing happens : | ... also a discoverable service-preset would be very sensefull ( ... do not know if this has to be forked into a new ...

floaty

L3-offloading is a broad topic ... the prestera-chip also supports "NVGRE, VXLAN-GPE, GENEVE, SPB, and 802.1BR port extender"
... is vxlan-tunneling now also implemented with hardware-flow-support ... or we talking just base L3-forwarding capabilities ( ... for now) ?

floaty

Had a look, to the system ... obviously some fork or kind of open-wrt ... not much functionality left, from what you can get, if ROS or an 'open' OpenWRT is installed. Strolled into the Netduma-forum, where the Netduma-CTO claims, that the machine contains proprietary QoS-functionality, which makes ...

floaty

so why the effin f'''' did you not started testing yet ?

floaty

.
would horizontalize the problem for tile-cpu's (just a remark ... I'm not an owner ... not now)
.
guess the general possibility to export a table to csv would do it for the relevant horsemen !?
.
( ... as always: just my opinion ... you can do whatever you want ... without affecting my circles)

floaty

Hi Emmah,

your verbal descrption of your problem is not sufficent to help you.
... if the problem is really bugging you, make a sketch and try to illustrate where you got stuck.
... give the people here an idea what you did on the device !

namaste

floaty

It's a BETA-version ... and exactly meant to reinvent your discovery spirit. UserMan is and was a radius-implemention so adressing for clients, is done with radius-attributes. Not shure which features you are targeting on ... but that worked with a lot of versions before 7.XBETA. So stage your lab ....

floaty

. you failed ... in multiple ways ! . 1st) you failed with laying out your issue and your network design in a reasonable way . 2nd) you brought your personel confusion into this forum . 3rd) you have already a workaround (RBD52G is working pretty, while 951G makes headache*) ... so nobody has motive...

floaty

.

Direct to the point, is it even possible in the first place?

.
a question ...
a question that might also Descartes, Pascal and Heisenberg could have asked that way ...
.
: ) don't bust our nuts ... and post the solution

floaty

. the question is indeed not fully without cause ... guess you want to connect to another vendor ? ... if not ... ignore my mumble ... not an expert, but in a stream-cipher with an pre-shared or diffie-hellman'ed key, should the cpu-load for de- & encrypt pretty much the same And I guess the ref...

floaty

I'm saving this text in case it will disappear as well.

.
you're safe here

.
you should consider such a task if you're wandering an ubnt-forum .... because it happened to me there ( for minor boldness : )

floaty

. first ! ... you giving us config-data (which is a nice thing) ... you put it in here: . post-cfg.PNG . so nobody gets eye-cancer ! . and I'm not shure if you posted everything from router2 ... but a default-route to router1 would make huge sense .... and I'm missing it ... do you copy ? providing ...

floaty

. if this is only happens to your aruba-ap's ... not to the rest of your network-equipment (like other cisco, huawei ... juniper, alcatel switches ... ) . it smells to me like something is wrong with your vlan-configuration. . whatever ... your aruba-ap's (instant- or controller-ruled) might have a ...

floaty

.
first post ? ... really ?!
.
I like your style man ! .... somewhat consequently from the start ... keep on rockin!

floaty

.
not a problem ... had a beer aside ... thats why I'm doing the easy cases ...
... enlarge forum-karma ... drinking beer ... like bodhisattva recommended

floaty

.
anyway ... that's a neat thing ... so I'm fishing revenue here too

floaty

.
so far with typo's
.
beeing sedulously with screenshots ... is really for the Kimme : |

floaty

. the script should start every time, a lease from the related dhcp-service is issued ... so your logs doesn't show any script-activity ... something's wrong (tautologically : |) . even when the script is outdated ... there should be a loggged failure 'bout it ... so check your references and for ty...

floaty

. and you're not the first when you search the forum, for the keywords in the article below (yes, it's one from our admired market-leader : ) . https://www.cisco.com/c/en/us/support/docs/ip/transmission-control-protocol-tcp/200932-Ethernet-MTU-and-TCP-MSS-Adjustment-Conc.html . homebrewed here: . ht...

floaty

I mean, yes ... MTU-related ...

floaty

floaty

the packets are being shown, ufw is disabled so its not a problem there . shown ... ? where ? . do you wanna say, you were able to see the already DST-NAT'ed packets at the target-system [10.2.1.2] ?? ... if not check first ! . there is a rule to another port on the same system ... do you checked i...

floaty

. first of all ... you could log your point of interest to a destination of your convenience ... guess most convenient, because fastet, is to your console of choice: . system/logging/add topics=script action=echo . trigger a dhcp-event and have a look, if some birdy is flying up in the console ... I...

floaty

. Had some spooky moments with the dude myself ... you made quite a step from 6.45.2 to 6.47.1 ... Migrating a database between software-versions is probably not the most beloved homework for a developer. Not shure whether the amount of the data is worth the effort and if you have a db-backup ? I wo...

floaty

thumbs up !

floaty

Please include gretap tunnel in version 7.1. eoip is not vendor neutral. . reviewed the old links in the topic ... maybe it's just the two of us ? : ) , I've tested gretap tunneling with cisco-click-OS-AP's and Alcatel-Stellar-AP's (generic support for the last) I outperformed the alcatel-gtts solu...

floaty

https://forum.mikrotik.com/viewtopic.php?f=1&t=160484 . since I gave already +1 I am at: 2 . I see this more relevant than vxlan ... classical "virtualizers" loosing land ... (Gordon Gecko said: Greed is good ... but some water [and more money] underbridged) so I guess some "unen...

floaty

. there are rumors, that swos supports snmp ... and than an ocean is cracking open ! https://wiki.mikrotik.com/wiki/File:Swos-statistics2.png . SwOS only supports a partial MIKROTIK-MIB (for health, PoE-out and SFP diagnostics). To monitor interface status and some other counters, you should look fo...

floaty

Thanks, tried the real 24dBi antenna setting, still no love. And as far as PTP set-asides, it appears the FCC has dropped those from the regulations, as far as I can find. . . so maybe an "older" image-version brings your wireless-link to live : | . but you can consider yourself: youre on...

floaty

just had a look into my account ... there's the possibilty to request a country-key-lock for a device . so maybe you can do that (cause the PtP-has default- and permanent license ?!) for your legit serial ?! . maybe you should push again support-side ... your Tik'l comes with a support-period for th...

floaty

. not shure if we're talking the same issue ... but choosing the reg-domain can be sometime kinky for a MTik-Device. Sometimes (or always?) there is a predefined min/max antenna gain to be set, before you can choose the related country-reg-domain and installation-environment*. If there's the wrong v...

floaty

.
What's new in 6.48beta12 (2020-Jul-06 13:33):
.
*) ike1 - allow using "my-id" parameter with XAuth;
.
SOLVED

floaty

.
just some illustrations added ....
... coped a while with the ROS-ipsec-template-thing ... doing this config ... I'm happy to understand now what it can be usefull for : )
.

installed-SAs.PNG

.

used-policies.png

floaty

. recently got the task to provide a VPNC-link to a group of users ... my MTik-arsenal came to mind followed some older posts in the forum and got it running with v7.1beta1 (unforti not with a production-release because of limits in xauth-implementation) *1) . I had no access to the remote-vpn-devic...

floaty

. ran into a problem configuring ROS 6.47.1 as xauth-client: I cannot choose 'key-id' as local-id-source -> error . xauth_6.47.1.PNG . same on CLI [admin@MikroTik] /ip ipsec identity> set 0 my-id=key-id:abcxyz failure: XAuth must use auto my-id [admin@MikroTik] /ip ipsec identity> . according to thi...

floaty

.
a ball plus : ) vrf-menu has joined ip-context in winbox
.

vrf-menu.png

floaty

.
"ip route" context is still a CLI-only domain
.

bumms.PNG

floaty

must be very annoying to our fellow Mikrotikls, that every new release anouncement is turning into a whining-zone : )
.
so many fashionable new features ... no party : \
... but that's your life jacky brown : |
.
so hopefully my vendor id dhcpd inconvience is handled first : )

floaty

...
and I cannot be tired of repeating: "do not bridge so effin much!"
bridging is advanced pharmacy ... you do to much ... it turns to poison !
.
the most wellknown traffic-catastrophes happended in conjunction to bridges and tunnels

NO JOKE !

floaty

revisited ... . in your very well populated bridge: I configured ether2 to 5 to only works with VLAN90 --> to talks with Clients (un-tagged) ... hopefulle correct. you've configured a PVID=90 for eth2-5 but (it seems to me() these ports are intended to be just ethernet -access-port for your clients ...

floaty

booh ... thats rich ... if you have winbox, can you post a screenshot from your "interfaces list"
.
if made a sketch before you started to configure all these ... ? ... can you share ... I'm a picture man.
I can't figure what's the purpose of all this ! : |

floaty

my opinion ? ... there are two ways to proceed with the issue: 1.st approach: you read the related documentation and then read forward in this forum how to get support - then you formulate a new request in here with the newly learned skills 2.nd approach: youtube yourself an old muppets-show episode...

floaty

From your decription I figure there are two devices involved ... but your posting is ... blunt ... from which one? . and whats the problem with a little sketch, to let the "free-of-charge-supporters" know, what you are created over there ? ... is this too much ? ... it .. isn't too much ! ...

floaty

nope ... not down ... keep on investigating. . C:\WINDOWS\system32>ping a815XXX648c.sn.mynetname.net Ping wird ausgeführt für a8150965648c.sn.mynetname.net [78.XX.YY.145] mit 32 Bytes Daten: Antwort von 78.XX.YY.145: Bytes=32 Zeit=28ms TTL=243 Antwort von 78.XX.YY.145: Bytes=32 Zeit=29ms TTL=243 Pin...

floaty

... your snipped configuration does not contain a hint to which interface you're configured dhcp-server is connected to ?! . if you want a common network over multiple (hardware-)interfaces there should be a bridge, where all your intented (hardeware-)interfaces are "a port" [personally no...

floaty

. still no option-set linking to a vendor-class-id possible in dhcpd ... ? it's possible in v7beta8 !? ... is this by intent ?... or a bug ? . . [admin@v6.47.1] /ip dhcp-server vendor-class-id> add Creates new item with specified property values. address-pool -- pool used for this vendor-class-id co...

floaty

feature was introduced a while ago in v6.47 and it is also avail in v7beta8 in v7beta8 I am able to link an option-set to a vendor-id (what is obviously the main-purpose), but I cannot do that in v6.47 ( ... our beloved production-release) ?? ... dhcp is application-layer, nothing kernel relevant (i...

floaty

... who's wondering ? we have IPv6 running for over 10 years in the provider-production-environment ... but who's using ? in EMEA or AMER (without BETA-Feeling) ? Noises heard: it's running big time in the "chinese-internet" (and they wanna be part of the standardization-process ... [they ...

floaty

thanks ... nice ... will see if I can scramble up some money to become a mAP-owner

floaty

you're right ... the simplest possibility is far too - ... bloody - simple here. https://mum.mikrotik.com/presentations/VN17/presentation_4493_1494480323.pdf The Technique; Ninja Said This is The Jutsu #joke • Static DNS # ... näh • Web Proxy # ... nope • Route Policy # ... eventually, why not ... i...

floaty

.
? someone did this before ? ... looks viable ... but I'm 55-60 bucks away from knowing for shure ...
.

like-that.png

floaty

is there some kind of Y-Cable avail to power the mAP via power-bank and use the USB-Host for a serial-USB-adapter at the same time ? . +----+ +----------+ +-----<<----+ | usb/serialadapter | | | +----+ (( | +----------| +----------------------+ ((( | mAP | | | | (( | +------+ +----->>-->| Powerbank ...

floaty

. and ...I found the group-feature ... inbetween ... hard to see : ) . /user-manager/user/group . [admin@chr-7-1] /user-manager/user/group> print Flags: * - default 0 * name="default" default-name="default" outer-auths=pap,chap,mschap1,mschap2,eap-tls,eap-ttls,eap-peap,eap-mschap...

floaty

.
you can also add:
Radius:IETF Framed-Pool
to select the IP-Pool
.
and
Radius:IETF Filter-Id
to define a firewall-chain in MTik-ROS

floaty

. you should be able to do this by adding the attribute "Mikrotik-Group" to a user (haven't figured if and when if, ... how to add a attribute-set to a profile or user-profile ... like a group-feature ? ... I would like that too) . Mikrotik-Group - Router local user group name (defines in ...

floaty

. not v4 ... right . foo@pike:~# dig -x 2001:4860:4860::64 ; <<>> DiG 9.10.3-P4-Debian <<>> -x 2001:4860:4860::64 ;; global options: +cmd ;; Got answer: ;; ->>HEADER<<- opcode: QUERY, status: NOERROR, id: 35978 ;; flags: qr rd ra; QUERY: 1, ANSWER: 1, AUTHORITY: 0, ADDITIONAL: 1 ;; OPT PSEUDOSECTION...

floaty

. I think it's not possible to use google DoH without DNS name in url. Or do you have a working one with ip address? . same experience here: using the avail v4 adresses gives warnings (maybe a google by-the-side-sausage ??) ... seems there's loadbalancing inbetween, which is fetching "dns.googl...

floaty

. When in WinBox 3.24 I go to IP -> Routes, click "Add" and type "8.8.8.8@" in Dst. Address, WinBox hungs and, a few seconds later, disappears. Is it only me with Wine on MacOS, or the problem is repeatable everywhere? . it's general . Winbox 3.24 crashes after setting up VRF and...

floaty

unless this isn't a hardware-related issue ... I see the same odds here on the other side of the pond. . [R11e-LTE-US 13-15 Mb] ?? . This is (my oppinion !) a very sorry performance for the capabilities the standard should be able to serve. so.. (for me very) obviously the providers classify the har...

floaty

sad ... evolution ... in fact ... there's in all times a child behind
I'm a sad mammal to say so ...

.
I'm great splunk fan !! ... but I'm doing graylog ... until I'm not !

floaty

yepp: buttercream !
... my doc told me !

floaty

. user-manager / radiusd: chap-authentication works eap works ! ( : [] ) no logging messages echoed to terminal-session for: . [admin@chr-7-1] > /system/logging/print Flags: X - DISABLED, I - INVALID; * - DEFAULT Columns: TOPICS, ACTION # TOPICS ACTION ### snip ### 4 radius echo

floaty

. Winbox 3.24 crashes after setting up VRF and opening '/IP/routes' dialog ( ...and crashes immediately after trying to reopen) . [admin@chr-7-1] > ip route print Flags: D - DYNAMIC; A - ACTIVE; C - CONNECT, S - STATIC, m - MODEM Columns: DST-ADDRESS, GATEWAY, DISTANCE # DST-ADDRESS GATEWAY D 0 AS 0...

floaty

. and VRF ! that's rich ! . [admin@chr] > ip vrf add list=vrf-if-list-red name=vrf-red 03:52:05 echo: radvd,debug skip Router Advertisement sending on bridge2: no prefixes to send [admin@chr] > ip vrf add list=vrf-if-list-red name=vrf-red [admin@chr] > 03:52:11 echo: system,info vrf-red added by adm...

floaty

make yourself acquainted with ssh-key authenticaton !
.
BUT of course you can try ! ... the youngest day ... ? ... is public !

floaty

the script just fails ...
.
it's a nice "try just at home example"

floaty

that may or may not be so ...
better you check that out by testing your configuration(s)
.
you should be suspicious, if two versions work : )
.
had QinQ never in production ... but earned all the the time mx'ed emotions, hearing production stories ....

floaty

. A bit of a pity that MikroTik defined their own protocol type . ... sometimes it's just about having my own "Jodeldiplom" ?! . ... but opening a platform for a compatibilty is - of course - always a sometimes hard-to-know business-decision ... I see more options, than contraints for this...

floaty

. Open vSwitch is using GRETAP as a tunneling option ! ... maybe also an option to terminate MTik-wireless-devices over a distributed-foreign network-infrastructure ?! ... with the new hiperf-switches and 10/25G-routers ... ?! that would be "a feature" also for datacenter-like installation...

floaty

.
just to illustrate the issue ( ... opened the archives)
.

diff-is-diff.png

floaty

nope ... tried that ! MTik-EoIP and GRETAP make use of different protocol-types ... so ... the feature-request ... is simply a request for a compatibility-flag . https://tools.ietf.org/html/rfc2784 . 7.2. Protocol Types GRE uses an ETHER Type for the Protocol Type. New ETHER TYPES are assigned by Xe...

floaty

stunts like that will not work with user/password-authentication (there is no unattended remote-shell usage which needs interaction for authentication - security-reasons) you need to setup key-authentication between the devices then you can use ... : . [admin@tikki] > system ssh-exec <address> -- <c...

floaty

in case your netflix is off duty ... surrogate:
https://www.youtube.com/watch?v=C46ISu_T2SE
starting 33:00

floaty

https://wiki.mikrotik.com/wiki/Manual:I ... LAN#Q-in-Q
.
not 100% posititve about ... but maybe the remote-device uses 802.1ad compliant tagging
then you need to set

use-service-tag = yes

floaty

viewtopic.php?f=2&t=149235
+1

floaty

just add a vlan-interface and choose your ethernet-interface as source-interface in case you need this vlan on multiple ports, you have to interconnect the vlan-interface(s) with a bridge ... (there are more options if a hardware-switch in your plattform is involved ... but above option should work ...

floaty

As I said: "The DNS on the router is not enabled." . there is no "The DNS" on the router ... there is a dns resolver in the ip stack and a service which you can enable or not. . if there is no dns-server-entry in the /ip/dns-settings ... you can still catch a dns-server address ...

floaty

In the the communication between a network-access-server (short: nas) aka "your mikrotik hotspot __and__ a radius-server aka "your user-manager" (maybe both functions on the same device), are two different communication-channels defined. One for authentication and one for accounting. ...

floaty

also nice ... (and highly usable !)
https://www.coursera.org/lecture/tcp-ip ... ples-QgePi

floaty

guess you're looking for somewhat of a reprint of the manuals ? ... yeah man I would ! ... but I bruised ma pötchen . but you could search the index for "vlan" "switching" "routing" ... then "firewall" ... and my experience ... once you've started ... you do n...

floaty

... and you should have blacked out every other url in the screenshot ... so it's an easy guess

floaty

- capture some of these packets and have a look inside ... dns is propably good for some information bouta source of these requests
- disable the web-interface (if it's enabled) of the router ... there's a link ... maybe a client is triggering that link (may be you : )

floaty

think we're done here

floaty

.
the squirrel may be not really the fastest one on the ash ... but nimble and diligent !
.

cp2.PNG

floaty

.
https://www.open.com.au/radiator/ref/Ra ... ation.html
.
... guess this is the point where I ask for a "generate RADSEC-Cert-pair" button ... ... jeez ... why has it always to be pandemonium ?

floaty

. obviously something odd with the parser in the log-subsystem ... communication is running on port 2083 . [admin@tikki] > 15:05:47 echo: radius,debug new request 0d:5f code=Access-Request service=login 15:05:47 echo: radius,debug sending 0d:5f to 192.168.7.74:8968 15:05:47 echo: radius,debug RADSEC...

floaty

. First thing that comes to mind is the typical reverse DNS query most linux distros do when accessed via SSH . agreed by the 100% . check /etc/ssh/sshd_config of your containers ...vm's whatsoever ... . #PermitUserEnvironment no #Compression delayed #ClientAliveInterval 0 #ClientAliveCountMax 3 Per...

floaty

switching hardware is a "Thing" in ROS ... did you try to change the mode to fallback ? ( ... fallback normally doesn't hurt)
... maybe it's just an unsopported handle in the interface ?! ... best guess.
.
btw. is this a good old XP-box ?
.

xp.PNG

floaty

. and ... bringing in the question as accurate as obviously possible ... could have spared IO-ops too : | . I know what's loading the CPU. My question is, why so much? One EPYC Rome core can do 1.7 GBytes/s AES encryption. Two cores can 2*1.7*8=27 Gbits/s My traffic is very small, only 0.5 Gbit/s CP...

floaty

. maybe a problem with exposing all your heroic cpu-capabilities to your CHR-vm ?! . ... and why do you give a rotten f**t about your VM-cpu ? ... what's with your host cpu ? . ... and in the end ... being busy its what you paid the cpu for ! . give me your CPU-problems and you can have my IO-ops di...

floaty

.
call for input !

floaty

.
do you obeyed orders ? : )
.
https://wiki.mikrotik.com/wiki/Manual:T ... nToNewDude
.
honestly I haven't done it myself ... would be interesting if it is possible to switch a database from x86 to arm ... or reverse ?!

floaty

. route whenever you can route ... bridge only when needed ( I would say: when unavoidable ). . you wanna have control over your traffic flow ? ... separate your interfaces, build up small broadcast-domains ... then you can measure the traffic with fw-rules. . carefull with bridging wireless-interfa...

floaty

. seems everyone is skipping the "keep-it-simple-course" in network-potty-class ... . why ? . fun of administrating one of these devices is knowing what you're doing ... . I also created 3 virtual wireless interfaces (one for each physical wireless one ) and bridged them in bridge 2 . what...

floaty

.
or maybe "radius" is already sensitive

.
... it smells sensitive : )

floaty

. what*s with good old trust ? . or maybe our MTikl-friends add a radius-tickbox ... end of story ... your complain makes sense ... seems not to be a very big story . tikbox.PNG . other question ... were you able to authenticate against a RADSEC-enabled server ? . have'nt found a success-message on ...

floaty

.
or maybe /tool/profile ... can grow to a friend of yours ?
.

perf-profile.PNG

floaty

.
https://mum.mikrotik.com/presentations/ ... 562405.pdf
.
fyi

floaty

.
my best guess ... calculating encryption ?! ... ... even packet forwarding isn't a "Zuckerschlecken"
switch off IPSec for the tunnel ... check again !?

floaty

when you enable the webinterface of your routers ... you can see the perf graphs for the interfaces there also ...
.
... so when you do, do you have the same FX ?
.

web-perf.PNG

floaty

.

In ROS the SNMP strings are setup the same as all other devices

.
We really want to believe you

... but show us.
.

/snmp export

floaty

I'm not sure that I understand correctly

.
just a side-degression in iperf ... please proceed

floaty

. sorry to interfere only for beeing so nitpicky ... I have to give the tcp-default ... but ... mutiple "routes" ? ... nöh . 39494 39500 39498 39496 . root@badger:~# iperf -c 192.168.67.140 -P 4 ------------------------------------------------------------ Client connecting to 192.168.67.14...

floaty

after a while (some hours) data is only send to the first server configured, the second and third server does not get data anymore. . since your setup seems to be working for a while ..., but than not ... a bug would come to mind so ... maybe one of your devices are still under support ?! ... try t...

floaty

I'm struggeling with my english a life long ... and the english men ... struggle with me ... bouta'länguoch'uff'curse !! . sooo ...? . question: do you use 'dude' for monitoring ? or some other inside-ROS-tool with a script ... . The problem is that my monitoring 10.10.4.180, polls the device, and l...

floaty

ooops ... if this is about dhcp-options ?!
... sorry for coming sassy in the first place ...
there are interesting features coming up in the testing- and beta-versions which might raise your interest ...
check out the news-channels ...

floaty

1. we are all agree from leasing .. really !
.
since you now may feel a little bit better, you might be able to give us a 'communique' of your sufferings ?!

floaty

Lukas 23,34

floaty

Yeah, can be done, but for the danger of locking myself out of the switch

.
every good network administrator has done this ... like every good sailor has crossed the ... fan

floaty

sometimes ... if ... nothing new appears ... nothing happened ?! . you like to see a new ppp-interface ... why ? if you setup a new (ov)ppp-server ... only the capabiltiy for such an interface is born (goda** I'm biblic today) . good old atheists would check with an "/export" before and af...

floaty

you can ! ... all the way ... use the contrary approach ... drop everything, till "your" network works again like expected ...
.
or you do a trip to google ... protocols that should never left my local-LAN ... my local-machine ... ... my Mind ... etc.

floaty

A firewall segregates two or more parts of a network, A network is called a functional interaction of items. . Make a packet-trace (only the the headers ... to be wise) on every part of your network(s) AND decide yourself what's needed and what's not ! . You wanna call yourself bible-proof ... so re...

floaty

and sorry I couldn't resist ... let be god a G00dm4n

floaty

not shure you've checked out the TR069 capabilities of ROS yet ? (yepp ... right ... me neither)
.
but since these capabilities are implemented, so you should start to crtitize these functionality ?!
.
you want a bridge ? ... checkout the ferry before !

floaty

earn a very 'yes' to the provider redundancy part ( and keep studying the relevant forum-posts ) ... and earn a 'maybe' to the WLAN part ... your brandnew hAP ac² should have of "a place" of 'undoubtabletized' LTE-receiving quality ( like blessed mother mary ) ... if this is also the place...

floaty

can only measure 5MBps from the server->client. But only if I measure with a single thread. If I measure with parallel option of iperf3 (this way it creates multiple connections), the bandwidth can reach the uplink limits (25MBps) even through the abroad ISP. . little bit unclear how long you did t...

floaty

... and more dangerous ! in dry areas temperatures rise and fall with dust and dawn extremely. brings ... condensed water into the equation !! NO FUN ... had that myself when I found one of our antenna-cables with N-connector drowned ... first I thought it wasn't well enough insulated. But wise-guys...

floaty

in summer the temperature in shadows can reach 42ºC . guess you can have such extremes nearly worldwide now (exept really circumpolar) ... WAP LTE is specified (Tested ambient temperature -40°C to 60°C) ... since you have to expose the device with it's internal antennas ... :( . advice ? start with...

floaty

... and ... whenever possible ... recheck with another device, where you can also see the configuration and connection-state ... it's possible your provider does not want you, with your device.(-identifier) on that frequency ( at that time ... with that contract ... whatsoever ) ... it's a policied ...

floaty

MTU 1418, while rest of the network and of course internet connection is 1500 . you build a tunnel inside a tunnel ... you build a bridge over a bridge ... this is what happens ! . A fat man creeping though a tunnel, should be aware of the problem, ... before forwarding. . maybe you should check: h...

floaty

openvpn is very wealthy in it's feature-set ... please give us an "/export/withou... " from your terminal as an attachment to your next post, for further investigations. . nice gesture would be, to make a little sketch with relevant links and addresses ... to fetch the issue even faster ...

floaty

my first guess ?! ...
FF UU NN

floaty

I guess he's offering free outlays for critical assessment ... isn't he ?!
.
who had the boldness

... ... this is not the place to worship mammon !

floaty

! OR ! . if your "two-tunnel-machine" can be the ppp-client in the setup ... you can set that client-interface into a VRF to work-around the "one-IPeed-client" and hence the routing-problem ... ... but as always and before we're opening that barrel: better tell the auditorium abo...

floaty

can i make 2 PPP VPNs (L2TP) from 2 different WAN ? For ex. LTE + WAN1 , One tunnel connect from LTE , second one from WAN. I see no problem in here ... . Dst. Addr both tunnels are the same. ... this might trigger a routing problem, because your tunnel-client-ip is either reachable over LTE OR ove...

floaty

Is there an issue I´m mising? ... highly presumable. 1. did you perform a test of your freeradius-server over the network with a tool like radtest ( or similiar ) ? ( ... it's the first thing you would do !) 2. stop your freeradius-(service) and start the server from the command-line in debug-mode ...

floaty

so ... first ... I am not catholic ( and 'am spending no sympathies for any tribes ... ) . BUT . Is there an option to bond multiple LTE wan (example 3x LHG LTE6) with two Mikrotik via GRE,EoIP or VPN to reduce broadcasting latency? . you can avoid congestion-related latency by increasing the bandwi...

floaty

your WAN-interface is: 1. with good reason 2. for your own good 3. and therefore by default not in the fancy roundel for such pieces of lunacy ! . please make your self aquainted with common strategies of internet-security ... and the sophisticated concepts of the before named, which offers the Mikr...

floaty

... or you catch the guy who's maintaining your local cell-tower by impeding his beer in the local pub, because you instructed the bar-crew before, to do so ... and ask him if it's worth !? .. or you spend then a "beer more" on him ... and he's considering a custom config for your IMEI (pl...

floaty

and maybe it's worth to investigate the "router-isn't-usable-by-IP-anymore*-thing ... on local interface ? no ping ? no arp ? no mac (! see ... you're doing mac-telnet ) ... there is mac-access ! what about arp ? ... so every little step ... like an outsider ( ... maybe like an intruder) . I ha...

floaty

. Main problem is, It's not possible to reproduce the issue with (yet) known tasks or tools ... . graylog is exactly the tool I would use for such investigations ... did you mentioned interface up/downs from one of your routers when you timeframed the occurence of the incident ... any route chances ...

floaty

... to give my inside pestalozzi a chance ... All clients see each other, all client can access internet on port1. All clients use same gateway 192.168.1.1 ... why in the name of pestalozzi, do these entities need addresses from different pools for ? ... what is the distinguishable criterion for the...

floaty

mmh ... without being rude (trying), I can recommend a link: . http://www.subnet-calculator.com/ . you're switching bits very frequently ... which can you bring in networking-devils kitchen very soon 8) . so ... if I see this right, you have more a DHCP-problem than a networking problem ?! . If you ...

floaty

... A A N N D D ... by the way there is a 60 day grace period for every CHR-VM ... fully featured ... so if you do it the very scottish way ... : you rent this one to your customer and after that you can use the money for your nephews christmas CHR ... so you can pour yourself an extra bottle eggnog...

floaty

not shure which license do you have in mind ? ... renting ?! ... interesting ! guess you're burning more money to setup the rental-contract and keep your related paperwork tidy, than the license would cost you. but sometimes business-ways are mysterious ways ... ?! so ... do it the scottish way: res...

floaty

Since the problem occures very sparsely, it's not so probable that you catch the trigger for the event by a "lucky punch". Anyway if you haven't yet, setup centralized syslogging and keep all you routers in time-sync. The rough timestamp of the event and the surrounded syslog-events from a...

floaty · Re: Different DHCP pools on ports from 192.168.1.0/21 network yes.png

yes.png

floaty

guess you are a little bit out of "usual concept" !? . your interfaces are in the same IP-subnet 192.168.1.1/21 is (192.168.0.1 - 192.168.7.254) so there would be no need to configure different router interfaces BUT if you want it like that: +---+ +---+ +---+ +---+ +---+ +---+ | 1 | | 2 | ...

floaty

. just for the completeness of the picture: proxying a request from freeradius-v4 to MTik-UM-v7b5 seems to be a nogo . after setting up a new instance for MTik-UM in new radius_rlm of FRv4; FRv4 tries something like a check or hello or something, before the rlm is fully instantiated ... which fails ...

floaty

. just discovered a nice radius testing-tool ... no eap-features ... ,but its possible to save predefined setup's, contains coa-requests, server-stress-testing ,monitoring ... tidy for windows, linux, freebsd ... decent seems ntradping, my convenient good old geezer, is ready for pension :( . https:...

floaty

.
https://www.dfn.de/fileadmin/3Beratung/ ... Strauf.pdf
.
for v4-afficionados !

floaty

. ... while v7 is still cooking ... were stuck with our windows-wlan-clients in the meantime ... and because corona-boreout and freeradius3.0 forming a perfect couple ... we are setting up an EAP-proxy (almost better than sudoku) . ------ ubnt bananapi CHR //// \\\\ +-------+ +-------+ +-------+ | S...

floaty

Mikrotik have the development smarts to cleanly integrate WireGuard into RouterOS, and now that it has been mainlined I would not be surprised if we see it in the very near future.

.
hear hear

floaty

. This is a nice thing ... but I have to admit my company plan is not an unlimited one, so while I normally in "the zone" every month, I want avoid any BW-kinkyness. But the test-router is intended as custumers mgmt-backup-line ( F L A T R A T E !) ... then I'm definitly able to flood some...

floaty

. some toilet-paperroll-hunters returned to aerie ? ... or power-saving mode ... keeping the shores of kreuzberg-mountain green ? we know only a little ! plz remember ... floaty is YOUR performance leader in tha moment (actual results in post above) ... ... so far ... good night and good luck ! . 13...

floaty

. just found the solution: https://mikrotik.com/product/intercell_10_b38_b39 : ) power up your own cell ... out in the middle ... no interference and with your own iperf-server !! That stops all the yodeling and tells you whats behind that door !! Maybe that beast is excatly intended for that purpos...

floaty

just realized ... broke ma own record ... and still leader of the pack !
H O O K A Y I P P Y J A Y H E Y !!

floaty

.
22:05 (todays watermark ... guess they'r all out there hunting the last shit-paperroll avail in the stetl ?!
.

13mar2020.PNG

.

floaty

. and the main problem ... results are totally erratic ... in the middle of the effin night, no lights on in the hood !! ... same config I've used before ... performance is unexplainable like "my ass" . ... who has the guts to explain such B-sheet to a paying customer ? ... are they scrubb...

floaty

. It's not as simple as this (but not much more complicated either): users share air-time. The higher number of users, the lower air time and thus lower throughput each gets. . guess this is a verry sensefull statement ! cause good old air is a very democratic medium - shared by all of us. you wanna...

floaty

.
If the Force might be with us

.

floaty

. Guess there is enough processing power in such an LTE-pop to force me to whatever channel / config they want, if I do not fit into the "for-the-greater-good-QoS-shaping-policy". And most of the time I'm not in the mood to wardrive the best spot for a high-perf LTE-link around. Good Old G...

floaty

.
!!! B O O Y A C A S H A !!!
.
in front of the peloton:
.
!!! FF ... FF ... FF ... F L O A T Y !!!
.

in_front.PNG

.
https://www.speedtest.net/
.
.
.

pop.PNG

.
.

hw-cfg.PNG

.
.

cfg-stat.PNG

floaty

.
would be interesting ( ... for me)
which (and where) is the highest speed ever scored to a cellular network with the latest mt-hardware (R11e-LTE6)
...
gentlemen ... start your engines !

floaty

...
guess it's not that simple ?!
.
... maybe country-specific delicacies ?!
.

skip-b20.PNG

.

b20-disable.PNG

.

floaty

. Again, avoid using B20 and 5Mhz bandwith. ... how ? ... and why ? . This B20 is one of slowest (compare to B3 > B1 > B7 who are THREE KING's of LTE in EMEA and R11e-LTE6 only do 2CA: B3+B7 between them). ... where got that wisdom from ?? . Just tested new delivered RBLtAP-2HnD&R11e-LTE6 ... an...

floaty

I'm in.
+1 for WireGuard.

floaty

no ... annoying mischief, because the clock is always working against you ...
but also with the exact clocking the win7-client fails.

floaty

... while reviewing ... and talking odds ...
.

no_tupi_nix_w7_more_odd.png

.
maybe a clock prob I did run into ...

floaty

yay: one+ for a radius-eap-debugging option . ... since I found the (or a possible) power-supply for my grand ole 2530p (nice keyboard, btw) -> ... also windows7 is not able to connect to the MT-CHR7-radius. Also for my cross-check-radius-server (zeroshell) I had to install the CA and the server-cer...

floaty

some tinkering-time should be integral part of any workday : )
... so if anyone calls you in for another tubby meeting ... say: sorry, I have something of tremendous importance to tinker !

floaty

It is possible to define different "customers" (like administrative domains) ... and it's possible to apply different sets of user-profiles (for vouchers, quotas etc.). Not shure about the logo-customization ... If you're already using MTik-devices you can download the usermanager package,...

floaty

seems that feature isn't so widely implemented (self carved freeradius-installation ... possible ... not exaggerated easy) and until someone put a gracious eye on your feature-request ... you can evaluate here: https://www.kaplansoft.com/tekradius/ ( ... only when you can live with a windows-box) Sh...

floaty

just had an over-christmas-discussion with my colleagues over the topic ... . just check !! ... even dns-filtering is a walrus-nipples-thing : . ... ad-content is filtered ... the loaded site(s) seems to be slow ... because the content of interest is placed last ... no effin pictures of socks inbetw...

floaty

... so far as I recall ... it was a thorny way to implement in ISC too ( for me : ) ... but there's lot of time till january 6th :evil: . [admin@homeland-chr] > ip dhcp-server vendor-class-id print Columns: NAME, VID, SERVER, OPTION-SET, ADDRESS-POOL # NAME VID SERVER OPTION-SET ADDRESS-POOL 0 gs820...

floaty

btw.
there tons of articles in this forum how to make use of anti-spam-, anti-phishing, - or country-code related community-lists with a MTik-board.
.
add a local anti-virus-proxy ... and your'e good to go

floaty

... every filter (dns, av, antispam ... whatsoever) will slow down your secured application ... EVERY ! ... because you delegated sagacity to an entity with more discipline than you own by yourself ... and thats a good thing ... when it comes to computed routines 8) ... but it adds cpu-, asic-, what...

floaty

I guess without the ability to debug the radius server side this is as cushy as nosepicking in a hobos schnozzle. We better wait for an "upstream statement" ... Maybe an old windows7-valiant out threre can tell if he's able to connect ... [ ... also the fortiauthenticator spat out my keysi...

floaty

yeah ... good tool (and as old as methusalix) ... . maybe the binary partly crashed ... it is not showing such behaviour on my machine ... wrong shared secret -> access-reject . . btw. repeated my eap-test with new generated certificates keysize 4096 instead of 2048 ... and then also the android cli...

floaty

just had a little read-along ... again . 169 Dec/13/2019 00:30:55 memory manager, debug >>> rx Access-Request from [192.168.2.25]:45652, id: 119 170 Dec/13/2019 00:30:55 memory manager, debug <<< tx Access-Challenge to [192.168.2.25]:45652, id: 119 171 Dec/13/2019 00:30:55 memory manager, debug >>> ...

floaty

so ... for starters ... it seems the problem ist NOT related to the certificates I've generated on the chr-v7-radius-um-machine :!: I've installed these certificates on another radius-machine ... . you may ask: ... what the **ck took him so long ? a.) ... tried that on my production-machine ... whic...

floaty

indeed ... bootet up another wireshark to free my win10-machine for a test ... seems the setup of the encrypted eap-tunnel fails ... no accept, no reject ... stuck in challenge . so maybe a problem with my server-certificate ... or: https://support.microsoft.com/en-ph/help/3121002/windows-10-devices...

floaty

guess this feature will make a lot of people very happy ( and of course ... no doubt ... me too)
well done

.

v7-eap-test-ws.png

.

v7-eap-test-rad-debug.png

.

v7-eap-test-um-stat.PNG

.

v7-eap-test-um-sess.PNG

.

v7-eap-test-andr.png

.
.
and unlike me, keep your clocks in sync !

floaty

divide et impera ... I agree by 100% ... but when 2000 ip-phones fresh outta box staring at you, you will beg for your vendor-class-based dhcp-features ... Sometimes you want split the ip-address-space for your VoIP by building ... add 4 types of phones (or AP's) and you will go nuts very soon :shock:

floaty

to be honest ... hopefully this feature will find it's way into v.6.4.x too ... while v7 is simmering.
... guess we will see (maybe one or another afficionado will give me "a ball plus" here : )

floaty

just had a look in v7 beta4 ... . [admin@MikroTik] /ip/dhcp-server/vendor-class-id> add Creates new item with specified property values. address-pool -- pool used for this vendor-class-id copy-from -- Item number disabled -- Defines whether item is ignored or used name -- option-set -- server -- glo...

floaty

For what I see, vendor-class-specific option-43 delivery is not implemented yet ... it's possible to have a specific ip-pool based on the vendor-class-id, but it's neither possible to add an dhcp-option-set to an ip-pool nor is there any matching condition-parm in the option-43-definition. So what's...

Search found 254 matches