MikroTik

DarkNate

Permanent-delete my account. Problem solved. What are you waiting for? Send request to admins to delete this account, permanently.

DarkNate

Or in RouterOS v7, don't fuck with the data plane. Fix bugs, and there many. Make the AX more centerialized and simple. And add more docs, especially on interop with cisco/etc. NOW... For RouterOS V8, you're not wrong: XDP/eBPF architecture is pretty nifty. In theory, existing V7 config could be &q...

DarkNate

DPDK is a set of user-space libraries that normally won't fit into an embedded system. I don't see the point of using ROS to develop a bare-metal DPDK appliance for a tailor-made solution on a market Mikrotik doesn't operate within (i.e. way out of their league). While XDP/eBPF is very capable perf...

DarkNate

That explains a lot. My take on Mikrotik history is that someone had the idea to put a Cisco IOS face over Linux sysctl. Then, double-down by creating their own scripting language to rival Cisco TCL's complexity. So yeah if you "hate" Cisco IOS config, the yeah RouterOS config be a real d...

DarkNate

But you've been going on about how MikroTik should look into DPDK. What are you trying to say? That MikroTik should develop DPDK high end appliances, or did I miss something like an alternative to DPDK?

RouterOS CHR/bare-metal — DPDK/VPP
RouterOS embedded — XDP/eBPF

DarkNate

DPDK in an MT embedded system using a standard SoC? You're joking, right? BTW, it's not 100GB of code we're talking about here, but hugepages for buffer sizes, queue depths, etc..

I just said "not the only option", AKA it MEANS, DPDK is NOT the only option.

DarkNate

Bad language aside, UBNT's EdgeRouter series were based on a fork of VyOS. ( Source ) If VyOS is the fount of networking wisdom…? The mind boggles attempting to string the logic together here. Larry Ellison — one of the major tech billionaires — is famous for owning nearly all of Lanai , at 364 km²...

DarkNate

Are you trying to get banned with all these unprofessional tirades? Don't know what you mean. I talk the same “unprofessional tirades” at work, with clients, with boss/managers/owners/C-suites, peers etc. No problems making $$$$ or developing solutions or buying solutions. If you want to ban me, th...

DarkNate

You're way off base! It's in no way not fair to compare an embedded NOS like MT/ROS to VyOS, which is a full-fledged Debian Linux solution primarily for x86_64 boxes or virtual NOSes that at a minimum requires 2 GB of storage and 512 MB of RAM. ROS should be compared with NOS built on embedded syst...

DarkNate

FYI to the users, the WireGuard problem of trying to re-connect to a previously connected dynamic peer is not a MikroTik problem, it's part of the OG WireGuard codebase. Same issue on a plain Debian install as well.

@normis, does BTH allow me to specify which IPv6 /64 pool to use for the peers?

DarkNate

This Unifi fantasy tale like stories - I feel the urge to respond. To setup a AP with ROS is straight forward and by far no rocket science. I don't talk about bugs that should be fixed. Unifi software has no bugs? sure! Just read about a Unifi AP Firmware release recently that was only 1 day in Ear...

DarkNate

And yet you completely missed what I wrote. Maybe try re-reading my post The purpose was to illustrate a simple use case with MikroTik of 1) not needlessly spending a lot of extra money on gear to provide functionality that isn't needed and has no tangible benefit in that particular use case 2) mas...

DarkNate

Not in Hardware

Any ideas about MPLS/VPLS single-CPU-core choking problem? Did they fix that?

DarkNate

See this here is the problem with this thread in general. If you get to work solely with companies that just throw money around willy nilly on high end gear and needlessly replace infrastructure for little to no practical benefit (which makes me think why are you even bothering with the MikroTik fo...

DarkNate

Although macOS PF is pretty okay

Nah, it's terrible and doesn't even function like *BSD real pf stack or in today's world, eBPF.

DarkNate

@anav did you read some networking books in the past 1–2 years or maybe cleared your CCNA 200-301? You seemed to have stopped being an idiot and seemed to have learnt some decent real networking.

DarkNate

On wireless chip, enable client isolation, then VLANs (Main VLAN, Guest VLAN etc), and finally on the layer 3-sub interface VLAN, you enable local-proxy-arp.

DarkNate

Couldn't agree more, though I think MT is actually pretty decent compared to pure Linux firewalls/routers like OpenWrt, pfSense/OPNSense and similar systems. Yes, MikroTik abstraction is better than vanilla Linux kernel dataplane config (Debian, Ubuntu, OpenWRT-ish although OpenWRT is also abstract...

DarkNate

Hi raimondsp, is VRF support on the roadmap?

Isn't VRF already working?

DarkNate

It's been like 5 years, MikroTik no longer shares changelog for the RouterBOARD FIRMWARE.

I personally enable auto-upgrade, and reboot two times each time I upgrade ROS, leaves no room for doubts about bug fixes etc.

DarkNate

RouterOS is an abstraction layer and can still achieve tasks whilst presented in a totally different way to the user. It does not need to specifically follow any other set standards. And wherever the hardware doesn't support it, it can often be emulated in software. Which is what already happens wi...

DarkNate

Sure and it's all well and good to mention best practices, the reality is the real world doesn't always work that way for a multitude of reasons. One such may be that there's 30x PoE switches in place that work perfectly fine yet are basic SOHO units that do support neither private VLAN's nor port ...

DarkNate

Well, sort of. It still is the chip that sets the limitations. Though SAI offers significantly greater flexibility in managing the configuration process from user space (ie ROS) directly to the driver without having to adopt to and pass through the Linux kernel DSA interface structures (which BTW w...

DarkNate

HI DarkNate, Thank you for sharing this. got some idea about how to implement the same but now some more doubts can we use BNG<>L2 SWITCH<>OLT ? is MPLS VPLS must? I would advise to never do layer 2 spanning as you described in a production network. Please use MPLS everywhere in ISP production netw...

DarkNate

So won't all networking solutions based on the Linux kernel have the same issues/limitations? It's not an “issue” in terms of raw networking functionality. But it is an issue in terms of UI/UX and human design elements. Any software product or hardware product that uses switchdev or just simple Lin...

DarkNate

Hello DarkNate, Can you please share us how did you implement DHCP instead of PPPoE. My Question is: 1. how did you manage to authenticate the users only with DHCP? 2. If someone connects another LAN of their router then how to prevent rogue DHCP Server? BNG<>P<>PE<>L2 switch<>OLT or wireless AP OL...

DarkNate

One use case is where you want port isolation but the switches don't support it. Port isolation aka Private VLAN is supported in the original Linux bridge codebase, it's also on Tik: https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-Portisolation I've used this feat...

DarkNate

Holy shit! I was gone for a few days and came back to see people STILL fighting over the Linux switchdev/DSA abstraction bridging, switching and VLANs. It's not a MikroTik problem, it's a Linux switchdev/DSA problem, which will never be solved because it's embedded deep into Linux Kernel source code...

DarkNate

viewtopic.php?t=204023

DarkNate

We've completely removed PPPoE from our infrastructure due to persistent MTU issues. We moved to DHCP v4/v6 dual-stack queues on MikroTik and have no problems using any RADIUS software vendor to assign /56 lifetime static PD to each residential customer. Also works nicely with the dual-stack queues ...

DarkNate

Use this, delete any other NAT rule you had for hairpinning, put this at the bottom of the table (last rule number).

/ip firewall nat add chain=srcnat src-address=10.0.0.0/24 dst-address=10.0.0.0/24 action masquerade

DarkNate

I have ax2 and ax3, both with 1:1 configuration (wireless config, single bridge config etc etc etc). However, ax2 provides better signal strength and coverage than ax3 does, and it's not only a few people who've been complaining about poor signal quality on ax3's stock antennas: https://forum.mikrot...

DarkNate

I don't get the " why can't just mikrotik do x86 stuff like anyone else with fancy linux dataplane thing " complaints. If Mikrotik doesn't suits your needs, stick with x86-boxes with Linux then. Serious traffic should be done in hardware anyways. Huawei, Cisco, Juniper and Nokia all makes...

DarkNate

Untill it meets DDdoS world... and its software routing crashes... whilst other vendors are using hardware based routing, firewall etc....which makes a hughe difference in the end compared to software rounting systems...... i guess we have to accept the fact of the RoS limitations... its good for s...

DarkNate

RoCE does work with any regular switch/router. However as I pointed out previously, efficiency regarding latency, flow control and buffering will of course vary depending on the environment. RoCE simply transports regular Ethernet frames to another NIC using L2/L3. The receiving NIC's device driver...

DarkNate

Not sure where the insults started but I'll stop you right there. Respect is good and everyone likes it. The question was simple and directed to Mikrotik as a feature request. No need to be offensive I'm clearly "insulting" the "Data Centre Bridge" standard itself (which is not ...

DarkNate

Well, Mikrotik obviously doesn't have in-house development resources to go for custom anything large scale. They did go down this path with their custom wireless drivers (which worked fine for a while) and we all saw where it ended (they are using chipset vendor's drivers now which is fine for most...

DarkNate

Oh sure, I know of the alternatives. All I’m saying is that there are widely adopted OSes that uses/require it. The benefit of those special NICs goes beyond networking as I said. There are (big) CPU benefits on using it. All I’m saying is that we can’t change this for a decade or so as those OSes ...

DarkNate

Like you said, it's UDP at the end of the day. With a proper network architecture, you don't need to bend over backwards for these “special” Ethernet NICs or switches or software. Move to layer 3 driven networking, move to eBGP, move to VXLAN/EVPN and move your Ceph storage to end-to-end 9k MTU over...

DarkNate

Can you tell us something about the hardware? ARM64 varies between, say a Raspberry Pi and a 192-core Ampere One :D I'm guessing it's more like the latter... I'll try to ask my source again for the hardware product page, but I may not be able to reach them. But it wasn't Ampere, it was a Single Boa...

DarkNate

I've worked with a large scale DC network that adopted a design similar to Google and Meta hyperscaler network design. We strictly moved everything to layer 3 with eBGP, similar to this: https://www.rfc-editor.org/rfc/rfc7938.html “Ethernet” was simply limited only to the direct interconnection of d...

DarkNate

Certainly Mikrotik has a curious business strategy from this silicon valley denizen POV. I kinda view Mikrotik more as a redhat that made the choice to fund itself by selling low-margin hardware, over a high-margin services. It's a choice. On this front and to @DarkNate points on “config complexity...

DarkNate

If you don't want to use ROS ... and you're saying other vendors provide whitebox devices with similar hardware ... so why would you want to use anything by Mikrotik? I'm guessing you're still intrigued by MT's price tag ... and I guess you'll just have to deal with current reality (which is ROS + ...

DarkNate

It's often very hard to get rid of some mental petterns if they are given (or enforced) to a few generations in a row. One of them is "USA are the greatest in known Universe in all aspects" mentality, deeply engraved in majority of US population. Unfortunately, that's the reality of human...

DarkNate

If we’re agreeing that nothing the OP can do with the stated configuration will get the packets off the CPU, then I don’t see how MT can fix this thread’s symptom with a better software bridge design. The hardware’s PPS rate limitations are fixed at design time, modulo details like the clock rate s...

DarkNate

@darknate: Resources: Engineering Management ( besides the academics of maths, physics, statistics-probability, electrical, programming, chemistry, drawing, thermodynamics etc...) All old text books circa 1980s LOL PRODUCTION/OPERATIONS MANAGEMENT : Concepts Structure & Analysis --> Richard J T...

DarkNate

At which time Latvia was still part of Soviet Union. So those western (US in particular) books were probably banned ... or at least ignored because Soviet communism did things differently. So it might be that all of these concepts are somehow unknown to MT management. Many industry folks (outside L...

DarkNate

The way I summarize that thread's application to this one is that there is some RouterOS configuration change that would somehow cause the OP's application to proceed much faster, and the only reason it isn't being done is that there are too many possible ways to do it, and the OP has hit on the wr...

DarkNate

OP is yet another victim of the configuration abstraction complexity of MikroTik, again.

Root cause can't be determined without config dump, but this is screaming typical Linux bridge misconfiguration. But OP is clearly an expert in switchdev/Linux DSA paradigm, so I'll leave it here.

DarkNate

Has MikroTik added BQL support for FQ_Codel (and everything else) on this RC version, yet?

DarkNate

I'm confused here.

So ax products supports bridge VLAN filtering, right?

DarkNate

Can some share a picture of most “ideal” hAP ax3 antenna sticks alignment + rotation for max omnidirectional coverage? I can't get good quality signal out of ax3 stock antennas vs ax2.

DarkNate

Well, if you really want to annoy Italians, you should suggest sipping a cappuccino while eating the pineapple pizza.

That would likely result in your early appointment with heaven/god/reincarnation, lol

DarkNate

Nah, I know Italians are very specific about their food lol, it's funny to annoy them. Surely we've seen the videos on social media right

For what it's worth, I don't like pineapples on Pizzas lol, it's stupid.

DarkNate

Who uses Webfig? Just use SSH or API in production and Winbox at home.

DarkNate

Italian Pizza with pineapple toppings is best.

DarkNate

Strange... They gave you a rip-off... My network of radios licensed for hundreds of € doesn't care if it transits IPv4 or IPv6, since it only works on layer 2... I think it's you they sold the toys to... +1 I am confused here. Radios whether that's LTE/5G RAN or Wi-Fi, 802.11 devices or forks of it...

DarkNate

First, please stop with the VPLS Control word crap. Use jumbo frames in the backend network, 9k L3 MTU minimum, L2 is max whatever supported by the hardware on P, PE both, end-to-end on all relevant ports. VPLS will be 9000 L3 MTU, L2MTU you can cap VPLS to a safe number like 9100 on both sides. Cha...

DarkNate

ECMP hashes changing should not normally affect peering sessions. Sure, if the peering session is over the ECMP link (implying multihop) then different paths would get chosen, but that should not affect the TCP session itself. The case where resilient hashing is more useful is ECMP load balancing o...

DarkNate

The reports don't explain the second axis rotation on the sticks, what the hell is the rotation for?

DarkNate

Does anyone know how to properly align hAP ax3 antennas?

viewtopic.php?p=1029590#p1029510

And for hAP ax³, why would sticks rotate around second axis, if it's doughnut shape?

DarkNate

I have an ax2 and ax3, as APs. Configured the same way.

Somehow, my ax2 has better wireless coverage around the house and floors than ax3 does.

I don't know what's wrong with my ax3 unit or antenna alignment, but I couldn't get it to give me good coverage like ax2.

DarkNate

To my knowledge none of the MT employees have said that add path is required to install ECMP routes. And if you are so familiar with Cisco, Juniper and FRR and have at least once deployed BGP on the RouterOS you should know what BGP instance is. There is a lot of info all over the internet on what ...

DarkNate

Hard to say without full config dumps, but yes, the P router should just do two things: ospf underlay to learn/export loopbacks of each PE loopback and LDP/MPLS enabled on both interfaces facing each PE. Then eBGP signalling from PE to PE with AS900 and AS901 should work. I just tested this again in...

DarkNate

I recently learnt there are folks who opt for eBGP based networks and played with it, in my lab, I ran BGP signalled VPLS with eBGP and no route reflectors, loopback IPs for BGP peer with OSPF underlay. And it works fine, no problems.

DarkNate

but you can already have ECMP in any other case, each instance session can install its own best route and form ecmp. I'm not sure what this means. Have employees at MikroTik never deployed BGP multipathing on Cisco, Juniper or even straight FRR on Ubuntu? There is no add-path involved. That is misi...

DarkNate

Do we know of any other popular network vendor that supports this? I'm curious as well

DarkNate

Don't forget BGP UCMP, i.e. weighted ECMP with link bandwidth awareness.

DarkNate

Your wish... Maximum link distance in kilometers, needs to be set for long-range outdoor links. The value should reflect the distance to the AP or station that is furthest from the device. Unconfigured value allows usage of 3KM links. https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-Configurati...

DarkNate

What's new in 7.14.2 (2024-Mar-27 09:48):

*) wifi-qcom - added configuration.distance setting to enable operation over multi-kilometer distances (CLI only);

I can't seem to find this on the documentation. How does it work? How do we configure it? How are the values mapped or parsed internally?

DarkNate

Will MikroTik support BGP multipath U CMP? I.e. to allow us to specify the bandwidth profile for each interface? And therefore perform load balancing across the interfaces either using: 1. Per packet (bad idea for stability/traceroutes etc) 2. Per flow (layer 2/3/4 hashing) https://vxplanet.com/2019...

DarkNate

I just explained with a famous example, OpenVPN ! OpenVPN is a server/client model. WireGuard is a peer to peer overlay network protocol. It's fully layer 3, peer to peer. By default every peer can talk to any other peer using unicast routing, there is no "server" and there is no "cli...

DarkNate

including client/server

Nope. The protocol literally is peer to peer, it is not a server/client protocol like OpenVPN. This is about as stupid as saying OSPF has a sever and a client. People are really stuck up on NATted server/client model to the point they forgot what peer to peer really means.

DarkNate

Has the arm64 VPLS asymmetric bug, been fixed in 7.14.1? Can I now push at least 10Gbps VPLS using a CCR2004?

DarkNate

I will give it a try, thanks! However, what is the point of enabling PIM-SM if I then need to add a manual entry to MDB for not breaking SLAAC, which is exactly what is happening and what I'm trying to correct? Thanks! Yeah, remove the manual entry. I simply didn't update that post anymore. PIM-SM ...

DarkNate

Run PIM-SM, problem solved. I run PIM-SM even for single-VLAN these days. PIM-SM allows you to intelligently populate the multicast routing table (mcast database on MikroTik bridge), you also end up resolving the issue with BUM traffic on the Ethernet spec. I posted PIM-SM config on this forum multi...

DarkNate

Why do people still mess up bridge config on MikroTik? Post after post, day after day for the last 10 years straight.

Read the official docs, only a single bridge should exist:
https://help.mikrotik.com/docs/display/ ... +switching

viewtopic.php?t=204440#p1058995

DarkNate

IGMP Proxy upstream will be your router's loopback, downstream each layer 3 sub interface VLAN.

DarkNate

mDNS uses link-local IPv6…

DarkNate

I suspect any luck you have had with PIM-SM and mDNS is that you are routing IPv6 and ff02:fb is working for you and your devices that use IPv6 for mDNS. Yes, all my home networks/devices and production network are 100% IPv6-enabled/deployed/only/mostly. I stopped wasting my time on legacy IPv4 yea...

DarkNate

You need IGMP Proxy or PIM-SM to run upstream to intelligently populate the multicast-routing table on the “switching” interfaces etc.

It's not just a MikroTik thing, but similarly, same behaviour on other vendors.

DarkNate

Haha, I'm not an expert, unlike other wannabe-experts in this forum or industry in general, I'm just a guy who loves to play with networks. I'm not sure why it works or doesn't work, yet, haven't had time to deep dive into multicast routing. But I do hope, someone with time can properly build a “cle...

DarkNate

See this:
viewtopic.php?t=205139#p1060188

DarkNate

Anyone played with this?

https://help.mikrotik.com/docs/display/ ... t+Protocol

DarkNate

Time Bump.

DarkNate

The moment you are forced to use NAT66/NPTv6 etc, you are breaking IPv6 specs and going back to NATted IPv4 world.

I'd suggest raising hell and going public on their support on Twitter etc and ask them from a /56 PD as per BCOP-690.

DarkNate

WireGuard is a peer-to-peer protocol, it doesn't support server/client functionality. Your blog should accurately explain this relationship of peer-to-peer from a network standpoint.

The Wikipedia article seems fairly clear to me:
https://en.wikipedia.org/wiki/WireGuard

DarkNate

Hi DarkNate, I tested your suggestion about PIM-SM but was not working with printers, Chomecast, etc… Support said that we need multicast repeater (will paste their answer if needed). It should work for you? Share support's full reply. I don't know MikroTik multicast inter-VLAN routing is so messy.

DarkNate

Cleaned config would look something like this: /ipv6 dhcp-client add add-default-route=yes interface=pppoe1 pool-name=ISP-PD-Pool pool-prefix-length=64 prefix-hint=::/48 request=prefix use-peer-dns=no /ipv6 nd set [ find default=yes ] disabled=yes add interface=ether2 /ipv6 address add address=::1 a...

DarkNate

Looks hacky to me. Why not just use PIM-SM? I've shared PIM-SM config sample on this forum a few times, works on ROS v7 latest stable.

DarkNate

What happens if the software uses port TCP:443 for the relaying of the connection?

Or use randomised DNS hostnames that flow over encrypted DoH of the client software itself?

You can't just “block” everything without some downsides.

DarkNate

This is a misconfiguration on your end. Run DHCPv6 client for the ia_pd /48 on top of the PPPoE client interface, from there it will get the /48 from upstream and inject it into the database of the IPv6>Pool. From there, now, you can just use it directly on each VLAN: VLAN1- ::1/64 VLAN2- ::1:1/64 E...

DarkNate

We can't "Add stuff", we can only "Make stuff"

Then make it, or simply allow official ONIE support on your hardware, we'll flash any OS of choice and get over RouterOS.

DarkNate

I'd recommend just using Debian/Ubuntu + FRR or BIRD instead.

DarkNate

*) defconf - use "fq_codel" queue as default interface queue for wired ports on LTE devices;

Still not BQL for RouterOS? I still see poor bufferbloat/CPU usage issues under stress testing. Come on MikroTik, just add BQL support already.

DarkNate

It gets even worse and more confusing, see below: https://forum.mikrotik.com/viewtopic.php?t=204440#p1058995 This is exactly why MikroTik needs to overhaul the source code of RouterOS from scratch (perhaps time re-write in Rust?) and fix the configuration implementation logic from the hardware level...

DarkNate

I will be at IETF next month, will you ?

It would be good to meet up.

No, I live in economies that are far away from most IETF events. But have fun, and maybe try to get MikroTik employees to go there instead. They never participated in the IETF since 1997.

DarkNate

Normis replied in one of the threads on this forum - He said "We'll look into it" or something to that effect.

NO, there's no BQL as of ROS 7.14rc.

DarkNate

How long before we get MPLS/VPLS/EVPN hardware offloaded on CCR2k models and even the newer CRSes?

DarkNate

Yeah, you need BQL to work this out. Contact MikroTik support and ask them to enable it.

DarkNate

This has been discussed ad nauseam. In all of the current documentation regarding bridges and switch chips for recent software versions, MikroTik emphasizes the requirement for a single bridge with all VLANs in it in order for any of the device's hardware offloading to work properly. Otherwise it's...

DarkNate

I don't think this is 100% correct. WAN is a network just like any other, there isn't anything special about it except for understanding how NAT comes into play on either side of the imaginary boundary. When you look at it from an ipv6 perspective it becomes even clearer, there is no difference the...

DarkNate

Isn't it recommended by Mikrotik documentation in the L3HW docs and the basic VLAN docs to not place a VLAN directly on top of a physical interface? That the new/improved/recommended method is to always use the bridge? Obviously this is the only way to take advantage of L3HW inter-vlan routing and ...

DarkNate

This is a problem with the underlying source code of the WireGuard vanilla middleware client application software.

You need to request the devs of the vanilla client to fix this. IPv6 has never been preferred.

DarkNate

For monitoring purposes, in general, for most things, use SNMP.

If there is something that's not covered by SNMP, then use the RESTful API.

DarkNate

Public IPv6 or IPv4 doesn't matter - People never heard of stateful firewall before, it seems.

@OP this may also interest you maybe:
viewtopic.php?t=176358#p1030682

DarkNate

Change log says:
*) defconf - use "fq_codel" queue as default interface queue for wired ports on LTE devices;

They failed to add BQL:
viewtopic.php?p=1046881&hilit=bql#p1046881

DarkNate

Assuming 2a00:1234:567:b01::/56 is your prefix from the ISP, that hopefully complies with BCOP-690. 2a00:1234:567:b01::1/64 will go to your "bridge" as is. Then simply create new pools whereby you have a /60 per pool like say pool1: 2a00:1234:567:b02::/60 etc Then run a DHCPv6 server for i...

DarkNate

CCR1009 LAB Testing v7.14rc A new log entry appears that I have never seen before: Download from api.ipify.org FINISHED Is this injected by MikroTik in THIS RC and for what reason ? api.ipify[.]org and similar domains have long been used by malware to look up an infected device’s public IP. In rese...

DarkNate

Which part of this is unclear? THERE’S NO FIREWALL! As for firewall, firewall is null in my testing and many others in this thread, so firewall is ruled out from day one. In addition, firewall on Windows laptop was also disabled. EIM-NAT (not full cone) is used in SP network CGNAT boxes, at least on...

DarkNate

Chances are high, your testing methodology may be flawed, I don't see network diagrams and full config. As for firewall, firewall is null in my testing and many others in this thread, so firewall is ruled out from day one. In addition, firewall on Windows laptop was also disabled. If you believe tha...

DarkNate

Darknate you have investigated this functionality for some time to great lengths and depths and its STUNning to me that MT doesnt pay more attention to your writing on this subject!! Its it just me or is they don't write full requirements for their software...... Mind you I dont know how you right ...

DarkNate

Did you test on the same external network with each setup ? there could be a different external filtering on the public IP addresses you did use that could explain those differences. Do you own those public IPs ? Regardless what i do i cannot get independant endpoint filtering. Even NAT 1:1 does no...

DarkNate

*) system - expose "lo" and "vrf" interfaces; Does this mean we can (or should?) delete our "loopback bridge" interfaces and use the native loopback interface of the Linux kernel? *) bgp - allow to leak routes between local VRFs; Do we have any configuration example/do...

DarkNate

I tested using this: https://github.com/HMBSbige/NatTypeTester The software bugs have been fixed (I spoke to the developer of this software directly). MikroTik still fails the test. When I test on Juniper or Cisco, test passes just fine. I think MikroTik is failing to test this correctly. TCP/UDP BO...

DarkNate

On the ISP side, we set ia_na and ia_pd lease time to infinity, so what you're seeing is normal. Read this on why/how/what/where:
viewtopic.php?t=176358#p1030682

DarkNate

What's strange about MikroTik as a network vendor is we don't see them in IETF meetings, we don't see them in NANOG, SANOG, UKNOG, NLNOG etc. Other vendors, small or big, attend these events, especially IETF, since all are interested to mingle, improve, and make business deals, but MikroTik employee...

DarkNate

Bottom-line, single bridge means packet is punted to CPU for inter-switch chip traffic… Don't know how I was wrong at all.

DarkNate

For the longest time I thought the same as you, but over time, it was clear that it was my lack of networking knowledge and Ros Principals that was keeping me from unlocking the flexibility. There are many ways to skin a cat [ as mkx & rextended would say ;-) ] with RoS, and that leads to many ...

DarkNate

@jaclaz 1. Nobody is asking for a Juniper MX2020 from MikroTik. 2. MikroTik HARDWARE isn't the problem. In last 10 years of MikroTik, 1/10 are hardware issues. 3. MikroTik SOFTWARE is the problem. In last 10 years of MikroTik, 10/10 are software issues. They can opt for fastest/cheapest solution i.e...

DarkNate

A very interesting thread, thank you. It is also clearly obvious how different people have different needs and different ideas about our products. We sure can't go in all directions this thread would want us to :) One direction is the easiest: Enable official ONIE support on MikroTik hardware, at l...

DarkNate

Use netmap for consistency all around, see the example here:
viewtopic.php?t=176358

DarkNate

You would lose your bet. I didn't say I continued exclusively in the Enterprise domain, did I? If you've had SP/DC experience with other vendors, and assuming you worked with software engineers for network programmability or automation, you'd know MikroTik RouterOS is poor software code, horrible A...

DarkNate

FastPath isn't going to cut it in 2024.

They need to use DPDK/VPP for line-rate software dataplane. Maybe XDP for ingress filtering.

DarkNate

It's not just BIRD, I've seen this with remote peer being Cisco, Huawei as well.

DarkNate

Thee is anyway a post on the forum about a possible way to workaround the issue until fixed in a next release ( a ticket was opened three years ago and Mikrotik's response was that they will fix it, but unfortunately no ETA). Yeah, doesn't take three years to fix serious issues with JTAC… Just sayi...

DarkNate

I would quite like Mikrotik to stick with its current direction. In my opinion, the reality is that these are not suitable devices for people who don't have a good practical grasp of IP, Ethernet, routing, bridging, VLAN and WiFi fundamentals. Having done enterprise networking since the days when v...

DarkNate

I am glad that I haven't seen anyone with the title "product manager" in their videos yet. You often come across such "product managers" in videos from companies like Cambium, Grandstream, and others. In reality, they are pure salespeople and not actual company-internal "pr...

DarkNate

This network is fairly big and needs proper consultation work. MPLS/VPLS should be used for inter-site transport, from access ports of each PE router to wherever you want to terminate the VPLS endpoint. VPLS is member of bridge, bridge contains all access ports + VPLS, VPLS is tagged Ethernet. Uplin...

DarkNate

Personal note: consider following an MBA. See if there are universities/schools near you where you can follow it, if possible evening/weekend classes. Don't go for online course where you basically buy the degree, you will not learn anything from it. My personal view. I'm fortunately in a position ...

DarkNate

Or, at least START by having some method to allow the V7 RouterBOOT to install (or at least boot) an alternative Linux disto. But I don't think the NIH mentality is going away.

Forget RouterBOOT, they can save up money/R&D efforts and just use ONIE, which is a bootloader.

DarkNate

There is a reason there are different engineering disciplines. Engineering Management or Industrial engineering is more geared towards project management, covering forecasting, budgeting, scheduling and statistics, and knowing enough about a wide scope of engineering disciplines to be able to under...

DarkNate

PIM-SM is fairly stable on RouterOS v7 latest versions.

It's likely a design/config issue on your end. Use VPLS to transport the layer 2, run PIM-SM on top of the tagged VLANs which rides on top of the VPLS.

DarkNate

I take a different view: Mikrotik is what happens when you let engineers run a company. The results are predictable. They just keep adding features that are mostly done & move onto new shine things before the last thing was actually done. This lack of focus on quality/completeness shows in rece...

DarkNate

Probably if RouterOS had been open source, ForumOS64 would now exist with everything it needed... Even the useless Dark-Mode... If Nokia, a REAL CARRIER-CLASS network vendor, can benefit from open source, so can MikroTik: https://github.com/nokia?q=srlinux&type=all&language=&sort=name

DarkNate

We all are peasants when comparing with for eg. @DarkNate. For someone who isn't into networking Mikrotik was my first real touch with networks and i got used to it so i don't really know how other vendors have GUI sorted. (Juniper, Nokia, Cisco) But one feature that i would really love to see is P...

DarkNate

Well, for eg. configuring VLANs. I think that regular users would be much more happier if they had some kind of wizard or something to do that. Take a look at ubiquiti and how they have that solved. I mean you can't satisfy all users but if Mikrotik is doing a push towards regular home users then I...

DarkNate

Because MT obviously lacks a few developers to do something from start to end and not stop half way. They started great by hiding switch peculiarities behind L2 HW offloaded bridge. They are sticking to it for new products, but not all of them received offload (yet). But: they did not come around t...

DarkNate

One was so rich it sold out to HPE (who will ruin it). The other probably makes decent money for the founder/owner and staff.

Doesn't take away the fact that Juniper hardware + software are carrier-class in the industry, even better than Cisco. Can you call CCR2216 as carrier-class?

DarkNate

+1000 to @jaclaz comments:
viewtopic.php?t=204023#p1053667

DarkNate

Where are the examples of the ROS complexity? I looked at the VyOS docs. Their config management is very interesting in terms of features like versioning. But VyOS seems to be a full blown Linux OS. Why do we compare with embedded device OS like ROS? A fair comparison would be OpenWrt. But their CL...

DarkNate

MikroTik lacks software engineering expertise, it's clear as day based on the facts we all know and the bugs and the lack of features (MPLS on hardware etc). Why they never scaled up and take VC money like Juniper is beyond me. Look up founded date/year of Juniper and MikroTik, both started in the s...

DarkNate

Yeah, but it looks like nobody cares. They must love the abstraction complexity of tech-debt ridden RouterOS.

Heck, can't even get MPLS/VPLS to work on the ASICs on CCR2k models, it's still CPU-only in 2024.

DarkNate

Some latest examples of the issue with abstraction complexity: https://forum.mikrotik.com/viewtopic.php?t=203326 https://forum.mikrotik.com/viewtopic.php?t=204009 https://forum.mikrotik.com/viewtopic.php?t=203981 https://forum.mikrotik.com/viewtopic.php?t=143510 https://forum.mikrotik.com/viewtopic....

DarkNate

This is my first forum post, that I am making in genuinely trying to get MikroTik to see pain points of most MikroTik users, especially SOHO/Home users and even professional network engineers too. Every vendor in the network world has their own flavours and implementation for configuration abstracti...

DarkNate

RouterOS v7 as of now the latest whatever beta, only supports ia_pd, not ia_na, so answer is no. You should contact MikroTik official support and ask them to implement this instead as base for DHCPv4/v6:
https://www.isc.org/kea/

It even supports DHCPv6 HA:
https://kb.isc.org/docs/aa-01617

DarkNate

I'm using hAP ax2 for 1 year+ now, currently running 7.13.3 ROS and routerboard firmware. 800Mbps upload/download for single client benchmarking. Works fine with multiple clients. I'm using FQ_Codel for interface queues to control bufferbloat. Chances you have some improper bridge/vlan config (as mu...

DarkNate

with BGP-VPLS can you stop dynamic names on that?

See here, dynamic name isn't only issue:
viewtopic.php?t=201638#p1052392

DarkNate

1:1? No. You should first start by checking the block diagram of the new hardware and make sure your bridge/VLAN config is done correctly for the hardware model. https://i.mt.lv/cdn/product_files/L009UiGS-2HaxD-IN_230524.png I don't know your existing network setup, but I would recommend making eth1...

DarkNate

As far as encryption/ciphers goes including ZeroTier and many others, please correct me if I'm wrong, but isn't 64-Bit CPU/Kernel/Host OS the De facto industry standard across the board?

DarkNate

I hope they allow proper PVID/VLAN config for BGP signalled VPLS.

I have not yet adopted BGP signalled VPLS on MikroTik because of this PVID/VLAN problem, even though the BGP signalling itself works solid.

DarkNate

That's a question unanswered from the very first time this device was releases. EDIT: or was it ? https://forum.mikrotik.com/viewtopic.php?p=1026097#p1026097 But given that reply, why 64 bit on RB5009, AX2, AX3, ... ? They don't have 2Gb RAM. That reply from Normis is confusing, we regularly use 64...

DarkNate

Since the L009 has an arm64 CPU, why would they not be using 64-Bit RouterOS on it to begin with?

DarkNate

You are correct, that it behaves identical to netmap, netmap originally was 1:1, but some point in the Linux Kernel chanelogs (I do not know the version number), netmap supported 1:Many. Netmap/Same simply ensures the same ExternalIP:Port mapping when possible for the same clientIP:Port combination....

DarkNate

each customer facing router and hand out a /56 prefix to each customer from a /48 pool on each router. This is off-topic, but I would advise to not use such a small /48 per BNG, use bigger pool. Recommend you check this IPv6 operational BCP once: https://forum.mikrotik.com/viewtopic.php?t=176358#p1...

DarkNate

At the end of the day, the story I've seen time and time again on this forum is that people buy things without researching the block diagram and understanding how the device was meant to be used versus how they want to use it or what their network needs are. I agree on this. Everyone's a network en...

DarkNate

What you want to do fully is: /56 ia_pd per customer, static (because BCOP-690 and SLAAC breaks with dynamic PD) /128 ia_na per customer. MikroTik DHCPv6 server doesn't support ia_na, it only supports ia_pd. You could use a /64 per VLAN with IPv6 RA, but this doesn't support RADIUS/AAA. Each custome...

DarkNate

I think this is what we've all been talking about but in different aspects, some of focused more on best practices versus if something can be done. I never meant to infer that you absolutely cannot use the router in different ways. It's like people who use CRS switches for routers in their home. Ye...

DarkNate

For someone with a CCR2004-16G-2S+ and a single bridge between both switch chips and one of the SFP+ ports, the hardware offloading does work as long as the same vlan to vlan traffic is on the same switch chip. So the winner is mkx! :D inter-asic traffic is punted via CPU, stop purporting fake info...

DarkNate

Yes sir. DarkNate, I trust you more than me :) This is an RB4011, currently I can't show you that ports were hardware offloaded due to testing dhcp/igmp snooping enabled; /interface bridge add dhcp-snooping=yes frame-types=admit-only-vlan-tagged igmp-snooping=yes igmp-version=3 mld-version=2 name=B...

DarkNate

mkx - believe you are wrong this time around. Every one of the devices cited in that section has 1 switch chip only. So, when there is 1 switch chip only, a 88E5191X would be configured accordingly. The disclaimer further down is specifically about devices with two switch chips. Therefore, one woul...

DarkNate

@DarkNate, I could have misread and I don't even have 0,1% of your knowledge, the note you posted seems to be for "Other devices with a built-in switch chip" (VLANs configured on the switch). I was one that reported bug on the RB4011 in v7.8 for devices with 2 switches and hardware offloa...

DarkNate

We had some Ubiquiti wireless equipment that threw the same FCS error, we upgraded/downgraded firmware on the Ubiquiti side to fix it.

I suggest you do the same, reflash latest official firmware on the cambium or downgrade.

DarkNate

Hi DarkNate, So if I want a single bridge I need to connect two ports (one of each switch chip) and probably configure them as trunk for all VLANs. Is that correct? If so, that would be a lot of unneccesary traffic going over that connection, is that what you mean by "bandwidth poor approach&q...

DarkNate

Agree, there must remain a possibility to change these values administratively. Changelog quality is piss-poor.

+10000

DarkNate

Autodetect TZ is a reasonable default... but setting it a TZ is a better idea. Mainly because the logs only record the clock time, not UTC. And dealing with TZ and logging is hard enough, so the last things you'd want is the vagaries of autodetect TZ. If someone uses any logging system, it's likely...

DarkNate

I would strongly suggest hiring someone.. +1 I don't know why a lot of business owners want to cheap out on hiring a high quality network engineer in-house instead of playing engineer themselves. 5 years later, they need to pay tens of thousands of dollars to an external consultant to fix their poo...

DarkNate

Is there any "LACP" config on the MikroTik side? Use this parameter, if there is:
viewtopic.php?p=1047773#p1047773

DarkNate

GeoIP is pseudo-science, just guessing.. CGNAT ISPs also makes the guessing hard.. I suggest just setting the timezone. Not really, modern carriers and ISPs are rolling out RFC8805, which gives you accurate info upto the zip/pin code, even for individual /32 v4 or /128 IPv6 if you want it to. In Mi...

DarkNate

*) ipv6 - made "valid" and "lifetime" parameters dynamic for SLAAC IPv6 addresses;

What does this actually mean?

DarkNate

But it doesn't have to be two bridges, one bridge spanning all ether ports will do just fine.

You could do that, by running a cable from ether8 to ether9, but why? This is a bandwidth poor approach.

DarkNate

Two ASICs, means two bridges. bridge1 for ports ether1-8, bridge2 for ether 9-16, this ensures both port groups are fully hardware offloaded to the correct ASIC. For SFP1 and SFP2, both being independent paths towards the CPU, you could put them in bride3, but I wouldn't advise this, as you will lik...

DarkNate

Less significant, means it doesnt fit into the business planning ( aka profit models and future product planning ). Any change requires resources and those are tightly controlled. @normis I agree with Pe1chl, 7.12.2? whatever was the last one, may be an excellent candidate for long term stable. 7.1...

DarkNate

And also helps potential attackers to scan IPv6 address space much more effectively. I don't know if potentual benefits actually outweigh drawbacks. And why do you consider SOHO differently than DCs and other corporate installations? Obscurity is not security. I don't care if they can ping my hosts...

DarkNate

Ah I see, the changelog could have worded it better. Hopefully it's configurable, to allow proper ICMP errors via firewall. Why waste efforts/CPU cycles on ICMPv4/v6 replies for non-existent pathways? I know there's an RFC for ICMPv4/v6 replies on the LAN, but that was written 20 years ago. I've de...

DarkNate

Apologies, but I'm not following. What routes will be automatically added as blackholes to the routing table by DHCPv6 client?

The delegated prefix. Client receives /56 PD from upstream, /56 aggregate is blackholed.

DarkNate

I've built ISP networks, I've built DC networks and I run MPLS in my home lab with all the fancy eBGP driven architecture and OSPF underlay.

Never used USB, camera, speaker, GPS or touchscreen on network devices before.

+1 to rextended and MikroTik staff on this topic.

DarkNate

Very strange issue. I have a CCR2004 in production running VPLS as a PE router, and I'm unable to see single CPU core choking, CPU cores all are engaged pretty much evenly. Maybe it's config related? ROS version 7.12.1, firmware version 7.12.1 as well (if I use 7.13.x, it reboots every 15 minutes), ...

DarkNate

OpenWrt doesn't sell routers.
You can install BIRD / FRR on OpenWrt.

Obviously they don't dude. It was a joke. My point stands, want Linux vanilla networking? Go for Debian or OpenWRT.

MikroTik is a vendor, and they will do what ALL vendors in the market do, i.e. integrated routing stack.

DarkNate

What RFC / part of RFC is being implemented here?

I don't think there is an RFC that states this, but it's always good practice to blackhole aggregates to prevent layer 3 loops. Most end-users won't know how to do this, so this auto-feature, will take care of that.

DarkNate

Then change that back! In v6 and in general Linux there certainly was and IS a layer that does the routing itself and a separate process or processes that manages the auto-routing like BGP. At the moment you are in the situation that the bad decision to use 16MB (or less) flash memory causes proble...

DarkNate

routing is essential to install even connected and static routes for router to be able to forward anything at all. it does not makes sense to run router without a "routing package", which will render router useless. Lol, for the first time, I agree with MikroTik staff's opinion. This is h...

DarkNate

Not only for difference between versions, also in other areas the documentation is sometimes extremely lacking. See for example "/queue simple". There is no documentation AT ALL, its manual section has only an example that uses only 1/5 of the available parameters. What the other paramete...

DarkNate

I strongly disagree on this as MikroTik simply does not have the required engineering resources to make the necessary validation every six month. One can come to this conclusion just by considering the followings: Test results were not updated using v7 not even for products that were originally shi...

DarkNate

You are 100% correct. But unfortunately many people [including so called gurus] on this forum refuse to accept that important FACT because they are mired in the client/server model ... I've seen the same stupidity on Cisco and Juniper community forums as well, so definitely not MikroTik community-s...

DarkNate

I think "home users" are best served with automatic upgrades and configuration updates. Many home routers will be running with default config and have changed only things like admin password, wifi ssid+password, and internet connection parameters (like PPPoE client). When not any other ch...

DarkNate

Linux LTS kernels have quite a short lifespan, the risk averse way is using the SLTS kernels maintained as part of the Civil Infrastructure Platform (CIP) , of which the latest is the v6.1(-rt) series. Just to put the length of support in perspective: the oldest kernel series maintained as part of ...

DarkNate

Wireguard configuration should add an "Client MTU" parameter. WireGuard is a Peer-to-Peer protocol with built-in 4in6/6in4 mechanisms for easy encapsulation. There's no such thing as “server” or “client” in WireGuard protocol. There are only peers. Set MTU to 1420 on all peers and problem...

DarkNate

Please note that I, personally, do not argue against the need to upgrade to the later/latest kernel, nor do I argue in favor of. You posted a link presumably describing some changes in a specific kernel version that should have explain why Mikrotik should upgrade their kernels to at least 6.8. I wa...

DarkNate

I specifically quoted the part that is unclear. You posted a link to an articles that talks specifically about a TCP end-point optimization to prove your point that the kernel on routers absolutely must be upgraded. How does one relate to the other? Someone else already explained here: https://foru...

DarkNate

I fail to see how that may be relevant for a router. Which part of Not all features/data plane functionality is 100% L3HW. This is MikroTik, not Juniper MX/PTX. is unclear? CCR1k models, older RBs, or even CCR2k and newer CRSes have data plane features/config scenarios/situations where packets/Ethe...

DarkNate

I had problem with SwOS, LACP hashing/load balancing. We kept seeing TCP Retransmissions/Out of order (leading to DUP ACK), etc, and customers complaining about bufferbloat/latency. I switched over everything to RouterOS v7 (latest stable) with fresh netinstall. We are using this config everywhere (...

DarkNate

I don't completely agree. Mikrotik linux kernel is a control plane if you use L3HW.... regards Not all features/data plane functionality is 100% L3HW. This is MikroTik, not Juniper MX/PTX. Take Wi-Fi/Wireless for instance, that's all Linux data plane. They should upgrade to Linux Kernel 6.8, read t...

DarkNate

Use IPv6 and move on with your day.

DarkNate

dtaht, thank you very much for your offer and continuous support on this forum. we will see what we can do and will let you know if we have any questions I hope we see step 1: BQL support RouterOS -wide, MikroTik hardware-wide sooner than later. The Wi-Fi related patches, IMO — You're better off op...

DarkNate

In my world, linux kernel version 5.7 is totally obsolete and i am hoping most of all that they start a version 8 running linux 6.1 or later. Particularly our mt76 and mt79 drivers evolved a lot since even 6.1! MikroTik is probably the only network vendor on the planet that commercially uses the Li...

DarkNate

Why on Earth, would you need to use /32 on local and /31 on remote? This is a very poor implementation of RFC3021, if you could even call it an attempt.

RFC3021 is simply not supported on MikroTik platform, I can't imagine what's taking them so long to support this.

DarkNate

The fq_codel type is set for wired (Ethernet, SFP) interfaces in order to reduce bufferbloat. No interface queue for LTE interface itself. @MikroTik staff. Yes, this is good news, this is a massive step forward in the industry (Yes, I am serious). But there's a problem. MikroTik RouterOS Linux queu...

DarkNate

Can Tilera CCRs distribute L3VPN traffic between multiple cores? I have found it impossible to achieve on ARM and ARM64 devices. Probably not. In 2024, you're better off with hardware that has ASICs. CPU can't do much unless there's XDP for ingress and DPDK for egress, both are non-existent on Mikr...

DarkNate

How you got it ? I cannot pass 1gb/s . Can you please share your conf and traffic profile(avg size of packets )? Follow the MTU section from the Edge/BNG guide. I use jumbo frames network-wide: 9k L3 MTU, maxed L2 MTU on physical ports/interfaces. VPLS L2 MTU capped to 9100. Single bridge config as...

Search found 1178 matches