MikroTik

dpsguard

Thank you sindy for your inputs. Good to know that multiple cores will auto get used for data plane. I was not worried about control plane traffic anyway whether that uses one core or more, but definitely I will like to have all cores or at least few cores for sure to be used for user traffic. I had...

dpsguard

Hello All, I am not able to find a suitable document or post that will explain as to how best to distribute load across multiple cores of a CCR. I intend to use CCR1009 model with copper ports. I need only 3 ports out of this, one for WAN and two for LAN. These two LAN ports will be bonded (LACP) wi...

dpsguard

Hi @pe1chl Even so, I don't see Joe Average needing more than 1G NAT/FW anytime soon. True, but the problem is that the routing in CRS and many other devices is not fast enough for that. We "regularly" see disappointed CRS users here who kind of expected it. We can point them to CCR and th...

dpsguard

Hi @jprietove Sorry to dig up this old post. I've been using CCR1016 with bonding in balance_rr with 1.7 Gbps traffic for more than one year, software based (not hardware) and CPU hardly goes more than 5-6%. Can you advise as to any issues when you use round-robin load balancing of packets? Did you ...

dpsguard

Hello All, I might need to set up a hotspot box that will have about 1000 concurrent devices on it, each set to consume up to 6Mbps down and upload with a full commercial Gig circuit. Now we all know that 1000 connected devices mean majority of these are in power sleep mode, and out of others, few a...

dpsguard

Another issue is that PVLANs generally require same kind of switch at the other end. In my case, each AP port on the switch needs to be trunk (so that any vlan configured on the SSID or a dynamic vlan via radius is permitted). Since AP is not a switch from the same vendor, extension of private vlans...

dpsguard

Thank you @jvanhambelgium and yes Private / isolated VLANs can do this if switches support it fully and I am well aware of these with my Cisco background. Cisco switches not only allow private vlans, but these private vlans can only span multiple Cisco switches. My issue is that the switches are TP ...

dpsguard

Hello All, We have multiple discussion posts on this subject (by folks like @Feklar @ZiadZone ) to list a few, where experts like @sindy and @mkx have commented but there is still no full documented solution that works on current codes. https://forum.mikrotik.com/viewtopic.php?t=41263 https://forum....

dpsguard

@mkx, the router was at a friend's place and I could not go there to test again as they had an elderly person come in to live for 10 days and under current situations, I did not want to visit unless I really needed to. So I followed your advice and did a factory reset and did some basic config and I...

dpsguard

Thank you so much @sindy for your help here. I was away and did not get chance to login. I now know the process of soliciting support to read my posts, so will keep in mind. And you are very correct that LACP is purposely preferred over the non protocol portchannels in Cisco and other vendor, just f...

dpsguard

Can someone in support please look into this? Should I conclude that bonding will not work over SFPs? Is this limited to built-in copper ports and hence some of the models with SFP / SFP+ only ports are out of bound of bonding?

Thanks

dpsguard

Further, I can use SFP or SFP+ ports, but my experience is that failover does not work thru SFP ports as Mikotik requires setting up such ports to have auto-neg off and that causes ports to be seen as always up (LED remains lit and MII does not see port to be down if I unplug the cable and somehow A...

dpsguard

Thanks again @mada3k. I do need router and not the switch. The purpose is the hotspot with radius backend. And I need to resiliently connect the hotspot router with two existing switches that are part of the same switch stack, so that if a switch were to fail, then router is still reachable thru the...

dpsguard

Hello all, To make SFPs work, we are required to disable auto negotiation off. That causes port to be seen UP and thus link monitoring does not work. I tried both MII and ARP for link monitoring and none work. If I unplug a cable from any of the two interfaces of the bond, the traffic does not shift...

dpsguard

@MT Support and other members, I have done upgrade to 6.47.6 and issues are still the same. When I disable / enable the ports, then failover and failback works. But when I unplug any of the two cables, then it does not work as port remains lit and mii does not take action. ARP link monitoring is not...

dpsguard

@MT Support, can someone advise on what is going on in this case? For the TLB load balancing mode, only mii is allowed for local link monitoring status, but with SFPs only working with auto-neg off (this sets the light on the port to be permanently on) and full duplex set to yes and speed set to 1Gb...

dpsguard

I thought I had found the correct CLI to get this simple portchannel / LAG working, but I was wrong. 1. I was last testing by disabling and then enabling individual ports from with router. But I now tested by unplugging and then plugging cables and sometimes there is failover and failback in 20 to 3...

dpsguard

Thank you @mada3k

I was earlier thinking of RB1100AHx4 that has a switch chip. But has two many ports. Will that be a better option then?

dpsguard

Hello Support team,

@sergejs
@normis
@janisk

Can someone please advise me on this simple requirement?

Thanks

dpsguard

Hi all, I might need 4 or more of routers wherein I need to create a 4 port bond on each router to connect to a Cisco stacked core switch. The plan will be to have TLB load balancing on the router and then no special configuration on the Core switch. TLB allow and recommends this approach. In doing ...

dpsguard

I have tried protocol less at both ends, as well as LACP at both ends and failover does not happen. Only thing that I have been able to make work is using Active / Passive or transmit load balancing, or adaptive load balancing (which balances both sides, but requires both end to have this setup). Ge...

dpsguard

I was hoping with this all, I will have a resiliency, but if I unplug any cable, the ping thru the LAG drops. So then I changed the mode type to LACP / 802.3ad and that also had the same behavior. Then I changed the link monitoring method to arp and specified the target IP of the other end gateway I...

dpsguard

Seems like I figured this out.

Using set along with the interface name works.

For my bond interface named LAG1 that had only two slave interfaces defined, something like:

interface bonding set transmit-hash-policy=layer-2-and-3 LAG1
interface bonding set link-monitoring=mii LAG1

dpsguard

Hello all, I configured a basic LAG. I have difficulty in adding to this existing config of bond, the load balancing and link monitoring items. edit option only allows changing the existing parameters. And add option is for net-new interface. What is the recommended CLI to add to an existing configu...

dpsguard

Just to add that with ports set to autoneg off and this boot time script bouncing the ports, all Cisco Copper SFPs that I could find in lab switches (version 2 thru 4) work now. Cisco small business copper SFPs ( from SG300 and SG500 switches) don't work. Many of you may have copper SFPs form old Ci...

dpsguard

Thank you @vladimirslk. I tried that already and copper / RJ45 1G SFPs don't work. Only one that works is what I listed with even reboots. The other one does not work unless I do manually port disabled / enabled after router reboots. Here is the script that I added to fix this issue. I have only por...

dpsguard

Folks, I apologize. The model I had was 1016 and not 1009. I have edited the label on the post accordingly. I purchased another two copper SFPs (Phantom SFP) and they work in Cisco switch fine without any config change in Cisco. However, they did not work in 1016. Then I found that I have two Cisco ...

dpsguard

@purba, thanks for explanation of your solution. As per this wiki link below, the network is normally auto calculated (basically network is not subnet that I was thinking of, but the network itself address, the starting address of the subnet) but if it is specified, then it is a single address for t...

dpsguard

@purba this is very interesting solution. Did you mean that the client machines/VMs are in wider mask, while the VLAN interface IP is /32 and the same for all these vlans. Plus you set up ARP to be proxy-arp? In such case, instead of a single IP per client, if you were to do /29 per client, will you...

dpsguard

Thanks you mkx. I was playing with netmask on the dhcp server config and I had tried changing the mask from the default 0 to no avail. I have done reboot few times, but I will sure try you recommendation to do a factory reset and then import the config back in. So you do confirm that dhcp scope off ...

dpsguard

Hi mkx, Thanks. Here is the relevant configuration. The scope on vlan works. The one on ether9 complains. Thanks /interface bridge add name=bridge1 protocol-mode=none vlan-filtering=yes /interface bridge port add bridge=bridge1 ingress-filtering=yes interface=ether2 pvid=120 add bridge=bridge1 ingre...

dpsguard

Hi anav, sorry saw your post after I posted my solution. I believe if you will use SFP port, not SFP+ and use generally available Cisco GLC-T newer revisions (4 or better), then it should work for you to interface with ISP with copper handoff. The only issue you may run into is that ISP will not do ...

dpsguard

The issue is somewhat resolved for me. Here is what I had to do: After the changes and reboot (with SFPs in) using system reboot command issued from serial console, it did not work. Then I took out the SFPs and did a hard reboot by unplugging the power and then added the SFPs back in and now both LA...

dpsguard

Hello Folks, I just bought a lightly used CCR1016 and fired it up. Being a SFP slot only model, there is no copper port. Luckily there is a serial console port that I could use to login using Cisco rollover cable and a DB9 to RJ45 coupler (from an old HP procurve switch I had) and using 115200 8N1, ...

dpsguard

Hello All, I removed interface ether9 of my RG493G, from bridge. Then assigned this physical interface an ip address and then created dhcp scope using the wizard. Process completes, but dhcp server comes out as invalid. main reason, I read is that if there is no IP address assigned to the interface ...

dpsguard

here is a solution by @ZiadZone that I don't fully comprehend for sharing a single dhcp pool for multiple VLANs/APs. Requesting @ZiadZone to further clarify.

viewtopic.php?f=7&t=151631&p=823275#p823275

dpsguard

@ZiadZone, can you please elaborate bit more on your final solution? I am trying to achieve same results. Please see my post viewtopic.php?f=2&t=167456&p=823272#p823272 and I will love to know how did you achieve isolation by using two routers. Thanks

dpsguard

Hello Folks, I am trying to test setting up this scenario using my router 493G (and will then invest in a CCR). So doing a single vlan 120 (a subinterface, attached to bridge interface) and then setting up vlan interface IP address (to serve as gateway for vlan) and then adding necessary dhcp scope ...

dpsguard

While we can have AP change the VLAN in response to the attribute received from the radius (IEEE) , and Mikrotik will have all the vlans already set up on the interface that goes to the switch towards the AP. So the port on Mikrotik going to switch is a trunk port (and same for the APs). AP simply s...

dpsguard

Wanted to clarify that SSID at the AP itself can be simple WPA2-PSk, and these HTTP PAP and MAC Auth settings are to be done on the CCR in the hotspot section.

dpsguard

SSID will use HTTP PAP plus MAC based authentication at the same time. Initially user will get a login page and after that Mac cookie can be set to say a month and then onward, user device wont see the login page for a month. Backend is freeradius and will do the dynamic vlan assignment by pushing t...

dpsguard

Or if I can create so many dhcp scopes on the CCR itself, that should work.

In such cases, i will also need to see if two CCRs can be clustered together or use VRRP (hopefully they will sync up DHCP lease status at least among themselves).

dpsguard

Thank you guys for sharing your experience and knowledge. If split-horizon is a software feature, then it will cause lots of CPU load. So I am then not sure if this is a good solution. I was hoping that bridging section that shows hardware offloading in the RB493G that I have (though it is not suppo...

dpsguard

Thank you @sob, @mkx and @anav for looking into this. This is possible if I wanted to have 60 dhcp scopes and 60 vlan interfaces with dynamic vlan assignments to each apartment with their unique username / password on a 802.1x SSID. And I tested it last year. But issue is management of so many pools...

dpsguard

Requesting experts @sindy @sob and @anav for any advice here.

Can we have multiple VLANs (for isolation) on a common bridge with a large DHCP pool for supporting a single Wireless SSID with backend freeradius for dynamic VLAN allocation, but still part of the same large subnet?

Thanks

dpsguard

Looks like this 10 year old thread may answer my questions, but I will like to know if anyone has successfully implemented this in today's network?

viewtopic.php?t=41263

Thanks

dpsguard

Hello All, Hopefully someone from Mikrotik support or from users who have done something like that already, guide me here. Assuming a high capacity CCR is used, how many subinterfaces / vlans be added under a bridge interface and then tied to the same login page? I am trying to put few apartments in...

dpsguard

@neutronlaser, thanks for your interest in my post and hopefully you can also answer my questions for which I am seeking guidance here. I am not looking for GDPR compliance recommendations from the forum and for that there is a different department. On a login splash page, a student clearly consents...

dpsguard

Thanks. GDPR is not applicable for a school free-WiFi needs in North America. No money and no personal information is collected or used or processed. Hotspot is to be used for students accounts sitting on freeradius to impose some restrictions like simultaneous-use of 3 devices and speedcaps and dai...

dpsguard

In my lab set up, I have just used a small RB493G (running 6.47.3) and what I find is that with hotspot client doing a speed test (no other client / other traffic), CPU shoots up to 70%. Speed of course get closer to 93Mbps (my service is 100Mbps), so not sure if I would have pumped more thru it, wh...

dpsguard

Wanted to add that if need be, I can stop any Natting / masquerading on the hotspot router and offload NAT to another router and this way Hotspot router is only serving as a dhcp server and a hotspot with external webserver and then routes the traffic over to second router, to overall lessen the loa...

dpsguard

Hello all, I am trying to plan for some networks where I have to use Mikrotik CCRs as hotspot splash page routers and then some non Mikrotik wireless APs that have the client to client isolation. At any time, there will be less than 1000 devices online, and they are mostly long term users (students ...

dpsguard

Hello All, For the case of wireless 802.1x, the supplicant will save the credentials for each such SSID. And we will reconnect as soon as device comes into coverage area of the 802.1x SSID. So we can have multiple of these 802.1X SSID profiles. For wired 802.1x, we can save the credentials, but ther...

dpsguard

On further checking, I did find that I missed a step to add the networks, which includes the gateway IP for that vlan. So ip dhcp-server networks stanza is in fact required.

Thanks

dpsguard

By the way, it looks like in presence of a pool / range defined for each dhcp scope, dhcp-server network is redundant. I only had it for Mgmt network as that was added as part of the initial wizard setup. The other two scopes I added by defining the pools and then made use of those pools when I defi...

dpsguard

And appreciate anav also for looking into my post. I should have included full configuration as you never know. But setting up VLANs on RouterOS seems to be convoluted. But once you know the process, it is then simple to repeat it. Thanks again and keep doing good work.

dpsguard

Thank you so much vecernik87. Yes your diagnosis is right to the point. I can now get dhcp IP addresses on both untagged vlan ports. And yes, I missed including the ip dhcp-server networks. It is there in the config. I believe the URL that I referred to, did not include tagging on the bridge interfa...

dpsguard

Hello Folks, I am trying to set up a very basic lab environment and have followed the excellent document available at link below, but any of the ports assigned to the VLANs are not working. Test laptop connected to these ports does not get dhcp IP address. If I connect it to a port (ether9) that is ...

dpsguard

This was a firewall issue with my setup on the test devices. I was testing with windows and somehow devices were set up under Public and private network and I fixed that and I can now see that client to client forwarding is happening by default as I was expecting. And I was able to confirm that clie...

dpsguard

Hello, I am looking to have the following setup to meet my requirements of devices belonging to same user be able to talk to each other but be blcoked from anyone else on the same subnet. 1. Unifi APs are set to do 802.1x / WPA2-Enterprise for the SSID. And Radius server is external (TekRADIUS) with...

Search found 60 matches