MikroTik

FinlayDaG33k

(accidentally hit "quote" instead of editing previous post and can't delete this one somehow, ignore it pls)

FinlayDaG33k

Please add RB5009 connections list. The RB5009 just serves a few purposes but it doesn't need to run traffic beyond it (its purpose is closer to a server than a router/switch). CAPsMAN UserMan DNS server (Docker container with AdGuard Home) Metrics collection for Prometheus (Docker container with M...

FinlayDaG33k

Don't worry, the forums are voluntary, take your time.

FinlayDaG33k

Consider deploying MSTP if your requirements benefit from root bridge management at the VLAN level . For this topic, addressing STP remains optional but should get attention over the long haul. I don't know if it will benefit from it as I'm not familiar with it outside it preventing loops. I think ...

FinlayDaG33k

May I suggest you consider postponing this part so we can continue the planning process?

Too late for that, already rolled out of bed and finished it.

FinlayDaG33k

Can you enumerate how many ports are free and used on current CCR2004, CRS317, and CRS326? CCR2004 only has 4 ports in use. sfp-sfpplus1: ISP sfp-sfpplus2: CRS317 sfp-sfpplus3: CRS326 sfp-sfpplus4: RB5009 CRS317 has 5 ports in use. This number is expected to go up substantially this year (high like...

FinlayDaG33k

Yes, it's important and requires an entry for every MAC address a given switch sees.

I have about 125-ish devices on the network (though this can sometimes reach 150 when some of my friends come over).
I doubt that would be big enough to cause any issues with the CRS309's smaller Unicast FDB?

FinlayDaG33k

I see, though according to that table, they do have the same amount of ACL rule capacity.
I don't know if the "Unicast FDB" is an important thing?
It's a small homelab network, not hundreds of machines that have a high amount of packets flowing all the time.

FinlayDaG33k

Oh... Those are some significant differences yes. Altho... 16K IPv4 routes and 16K IPv4 hosts should be more than plenty, I think? Checking the "/ip/firewall/connection" on my CCR2004, I get about 3.4K entries. So would that additional 104K IPv4 routes do much for me? Or would it be reason...

FinlayDaG33k

Oops, I'm late in reading existing device details. Please note CRS317 is more capable than CRS309 which is more capable than CRS310, Consider moving CRS310 to CCR2004 connections downstream of the CRS317 and deploy L3 HW routing with a Stateless Hardware Firewall on CRS317. Ok so, viewing from the ...

FinlayDaG33k

Consider instead if current LAN to LAN firewall rules can be substituted with Switch Rules (ACL) per section Stateless Hardware Firewall and if so then you have CCR2004 downtime affecting only WAN links and not LAN links assuming all required Switch Rules fit within device TCAM limits. Oh yes, they...

FinlayDaG33k

Define FT please.

FastTrack

FinlayDaG33k

IMO reviewing Switch Chip Features is worthwhile and in particular drill deep into: CRS3xx, CRS5xx, CCR2116, CCR2216 switch chip features section Models to learn specific switch chip model numbers corresponding to the CRS3xx products under consideration . Review carefully TCAM references in L3 Hard...

FinlayDaG33k

Ahh, I see.
I'll try to poke around with it this weekend to see if stuff breaks or not.
Already was kind of wondering about it in the past given how "unscalable" it felt, just never really played around with it.

FinlayDaG33k

OK, I see enough to draft a CRS309 configuration; that could be a further discussion starting point. But it occurred to me CRS309 has L3HW Offload idiosyncrasies that must be kept front and center for best results. We can work on improving current configurations prior to diving into the future. Do ...

FinlayDaG33k

Edited the blocks.
They looked fine for me (for some reason, I had the old phpBB layout) but I've swapped to the "normal" layout to see if it worked (and will just stick to that, I don't know why it swapped).

Also added the comment blocks you asked for, sans software ID and serial number.

FinlayDaG33k

RouterOS documentation Spanning Tree Protocol has multiple flavors. I really mean export the entire CCR2004 configuration (redact only security sensitive items). Failing to fully disclose creates protracted dialogues leading to annoyance and destroying motivation to help. Your choice do you make it...

FinlayDaG33k

I used to route on CRS309 but moved that job over to an RB5009. Do you run any LAN to LAN firewall rules on CCR2004? Yes, I do. They are basically just: If allowed: Return -> Accept -> Fasttrack. If not allowed: Drop on the spot. /ip firewall filter add action=fasttrack-connection chain=forward com...

FinlayDaG33k

Hii there, I currently have the network setup shown in the "current situation" attachment. However, the CCR2004(-1G-12S+2XS) struggles really hard when transferring data between say, VLAN1001 (eg. my desktop) and VLAN1003 (eg. my NAS), reaching just 5Gbps at max (this is a router bottlenec...

FinlayDaG33k

There are no VLANs defined so... it can not work at all at this stage... VLANs (or the lack there off) isn't relevant here, once the packets get to the AP's interface, it's all just the untagged traffic as far as the AP is concerned and will flow through the network as untagged traffic. Otherwise, ...

FinlayDaG33k

In case nobody noticed, it got sent as the "February 2022" newsletter :p

FinlayDaG33k

Sorry for bumping this thread but I too am interested in this feature. Not because it has much use to me but just because I like to experiment with things. Don't get me wrong, NTP is fine for my needs but I just like to fiddle with things honestly. One minor thing I noticed is that even two of the s...

FinlayDaG33k

Hi hi, hi-de-ho~

So I've been fiddling around and discovered the issue wasn't with the network itself, it was my Windows PC.
Apparently, I had to disable the "Large Send Offload V2 (IPv4)" setting for my NIC in the device manager.

Durr.

FinlayDaG33k

Sadly, adding an additional switch (CRS317-1G-16S+) didn't work, for fixing the upload speed
.It did, however, fix the LAN speed, so that's worth something.

FinlayDaG33k

\o/ Victory! https://i.imgur.com/yAOLnEc.png For those that come by this later (read: "dear future self"): [admin@Main Router] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Traefik Ingress (HTTPS) chain=dstnat action=dst-nat to-addresses=10.0.0.149 to-ports=44...

FinlayDaG33k

I now have the following two rules according to that wiki article: [admin@Main Router] /ip firewall nat> print Flags: X - disabled, I - invalid, D - dynamic 0 chain=srcnat action=masquerade src-address=10.0.0.0/8 dst-address=10.0.0.149 out-interface=bridge1 log=yes log-prefix="[LAN]" 1 ;;;...

FinlayDaG33k

The proxy is there so that I can have multiple back-ends on 1 WAN IP (1.2.3.4) and port (443). Basically the proxy matches from the HTTP headers like this (and forwards request accordingly): - "test.finlaydag33k.nl" -> 10.0.1.123 - "www.finlaydag33k.nl" -> 10.0.1.133 - "some...

FinlayDaG33k

In this case, it's basically a webserver that forwards requests to a back-end. How it's hooked up, how it functions etc. etc. is irrelevant otherwise. Basically what the MikroTik router does is: - See if request comes from LAN, destined for 1.2.3.4 (my WAN IP) - Sends it to the proxy as 10.0.0.1 (th...

FinlayDaG33k

Hii there, Yea, the title may not really make any sense so let me explain. I have a traefik proxy that proxies data to back-end applications. let's say my router's WAN IP is 1.2.3.4 and its LAN IP is 10.0.0.1. Now when I try to access something through the proxy, everything goes fine except one thin...

FinlayDaG33k

But it also doesn't explain the issue where with the switch, it works perfectly fine? The link to the modem is the same in that case but somehow it isn't affected by the issue? The SFP+ module could be autonegotiating correctly to 1Gbps in the switch but not the router. That is definitely an option...

FinlayDaG33k

You might want to try rate limiting on your modem port (probably egress) to close of what your internet speed is. Tested it, setting it *slightly* under what I should be able to get (300/30 is what I should get, set it to 250/25) but this only lowers download without affecting upload at all (just s...

FinlayDaG33k

Yes I can :) Though it doesn't seem like anything weird is going on there? https://i.imgur.com/jJbxYso.png The "rate" is 10Gbit because I use an SFP+ module but the link to the modem itself is 1Gbit (the modem only has 1Gbit ethernet ports on it). Also, considering that if I use the 1gbit ...

FinlayDaG33k

The link to the modem is 1gbit.
The download from the ISP is 300mbit and my upload is 30mbit.
I can reach the 300mbit download pretty fine through the SFP+ but the upload is only 1/3rd of what it should reach.
So even if it didn't negotiate down, it doesn't explain why my upload is so poor.

FinlayDaG33k

Yea, I already found that elsewhere too, but it doesn't explain why the upload using speedtest.net is so bad...

FinlayDaG33k

I have set my queue type to an `mq-pfifo` resulting in this: # INTERFACE QUEUE ACTIVE-QUEUE 0 ether1 only-hardware-queue only-hardware-queue 1 ;;; To Modem sfp-sfpplus1 multi-queue-ethernet-default multi-queue-ethernet-default 2 ;;; To Main PC (sfp+) sfp-sfpplus2 multi-queue-ethernet-default multi-q...

FinlayDaG33k

So I've done some deeper diving and found that the 10Gbit speed to my server is due to the thing lacking the switching performance to do this.
Though it doesn't explain why I can't hit my full upload to speedtest while with a switch between it I can :|

FinlayDaG33k

Hii there, I just got in my CCR2004-1G-12S+2XS to replace my CRS326-12G-12S+RM as a router (and make it just a switch) and went to hook it up. Once I was done, however, I ran into a pretty big issue. Any direct uplinks (to server and my desktop) made through my SFP+ are rather bad. This is the uploa...

FinlayDaG33k

I found the issue.
There was this rule that caused the issue:

chain=srcnat action=masquerade src-address=0.0.0.0/0 dst-address=0.0.0.0/0 log=no log-prefix="

Changed it to this, and now it works

chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""

FinlayDaG33k

Thanks for your reply.
There is only a modem in front without routing capability (my MikroTik router is the first in line for handling routing).
Before this I had a PfSense box which worked perfectly (until it died)

FinlayDaG33k

Hii there, I'm trying to fix an error on my website, which I can now track to my MikroTik router. When I try to get the Client IP, it returns as `10.0.0.1` no matter what (LAN devices and WAN devices - eg. those on 4G). This, of course, isn't exactly desireable so now I need to fix it... but I have ...

FinlayDaG33k

I have managed to get most of this working except for the isolation and the DHCP pools for AP1's main and guest network.
They currently take away from the "Cabled" pool instead of the pools I want to assign them ("wireless" and "wireless-guest" respectively).

FinlayDaG33k

I have managed to get this working in the time it took for a mod to approve my post

Unfortunately, I have forgotten what I exactly did...

FinlayDaG33k

Hii there, I'm trying to have my MikroTik hAP AC Lite use my router's (CRS326-24G-2S+RM) DHCP. To do so, I have done the following (following the guide on the Manual , with some minor changes that should have no effect?): Plugged the ether1 port from the AP (still off at this time) into the ether3 f...

FinlayDaG33k

Hii there, Yesterday, I have received my new `CRS326-24G-2S+` (I will refer to it as "router") along with two `hAP AC Lite` (will be "AP1" and "AP2" respectively). I also have a Dell PE2748 (will be "switch") in "unmanaged"-mode that has most of my &...

Search found 44 matches