MikroTik

DarkNate

I am pretty sure it's just a case of "Good things take time" rather than any decision not to support them. Explain to me, how Cumulus, SONiC, OcNOS supports hardware offloading for most of this stuff in 2023 and MikroTik (a company that started in 1996), doesn't? Heck MikroTik's own (pote...

DarkNate

Hate to tell you, but your "inside source" is not trustworthy. Ha, what inside source? The last company, I'd want an “inside source” from is MikroTik. I was poking sarcasm at the obvious fact that MikroTik ROSv7 has been a mess, and you're all very slow in bringing the hardware offloading...

DarkNate

Follow only official docs:
https://help.mikrotik.com/docs/display/ ... +switching

DarkNate

There is no hardware MPLS support in RouterOS v7 at this point.

It's strange, isn't it? The Marvell ASICs that MikroTik uses supports MPLS/VXLAN/EVPN in hardware, but MikroTik decided it was a terrible idea to support these three on the ASICs.

DarkNate

Right... I have it working in test environment... but there's something (netonix, ubnt, xyz, ...) that's killing the MTU :D I'll have to dig :? P.S. I hope my MTU values are not wrong (1530 for MPLS, 1508 VPLS and I think it's 1600 for the ethernet ... I left VLAN at 1500?) Refer to this: https://f...

DarkNate

Hi Nate! What would proper CI/CD look like for a small-ish network, 50-200 devices? The reason I ask is I've struggled with using Ansible—since the extent of ansible "support" is a single CLI wrapper command and you're basically just doing ROS scripting—and like you mention Oxidized seems...

DarkNate

This is because in the case of TILE CPU, a lot of operations are done differently. When some tasks have to be divided to many CPU cores, packet loss and out of order packets can occur. The ARM CPU is smarter in this regard, there is a lot more processing done, so that this does not happen. I think ...

DarkNate

We are not saying that there is nothing to improve. Software can always be improved. That is a never-ending story for any software, not just RouterOS. But comparing different architectures and drivers simply is not fair. They each have their pros and cons. Normis, I have one question. Why not just ...

DarkNate

DarkNate, what's the point of your answer? 1)So if you need or want to use MPLS you have to buy Juniper? And why not Cisco or Huawei or other brands? This is a fanboy position... 2)Is this the game of who's got the longest? 3)Another time you propose a software as solution to all problems... 4)I ca...

DarkNate

WinBox in RouterOS is not just the winbox.exe. WinBox is a protocol that you use to transport RouterOS data from router to application, which includes winbox.exe, mobile applications and tne Dude. WinBox GUI should also match CLI 1:1. Example, why is “Services” (for API, SSH, SNMP etc) inside IPv4 ...

DarkNate

Yes, it matters. I mean, wireless paths, technically, can do 9k MTU for layer 2 if the vendor supports, like some units from Ubiquiti. But the point is, layer 2 MTU should always be MAXED out on ALL Devices, even if it's different between them. Layer 3 MTU needs to be designed in a way that it ensur...

DarkNate

The problem is NOT the single bridge, we know it. The problem is that Mikrotik has not yet implemented handling of MPLS in HW. We are not talking of "user" router. As we said, there can be many problems: we have more than 500.000 connection, much more than can be handled in HW. Some kind ...

DarkNate

Why is that? I'm running carrier grade NAT on some 2216's for customers and was looking into either the nat-ein or nat-pmp to try to get customers gaming setups happy with NAT types. Just trying to find a way to not get a double NAT for gaming consoles without having to give every customer a public...

DarkNate

I don't get the fascination of having two or three beefy routers do everything for the whole network. To me that's a really bad single point of failure. Use each type of router for the things it does best, or design the network around the limitations of each. OP, clearly never read this: https://st...

DarkNate

As we already said, we CANNOT use L3HW here: it uses MPLS/VPLS! And there are other cases where L3HW cannot be used: queues, complicate filtering and NAT, etc... Single bridge for MPLS/VPLS with VLAN filtering and segregation using PVID. Read the link I shared and then read MikroTik official docs. ...

DarkNate

100% sure this user failed to properly configure L3 offloading, single bridge config approach with VLAN segregation. So traffic is going via control plane instead of the data plane (ASIC). https://forum.mikrotik.com/viewtopic.php?p=1031313#p1031313 @normis if you read this, I think it's high-time Mi...

DarkNate

I deploy jumbo frames even on wireless equipment. As long as L2 MTU and L3 is configured correctly across the various paths in the network, there's no issue.

Different wireless equipment have different MTU support, check with the vendor.

DarkNate

MikroTik's software quality is a very bad joke. Guys should go back to the first chapters of any good book on software engineering. It looks like in the past their software was written by the old timers and then the "young, dynamic, from big cities, who think they know better" came on boa...

DarkNate

*) firewall - added "nat-pmp" support;

Why? NAT-PMP was already obsoleted by RFC6887. It would've made more sense to implement PCP, which is also usable in 464xlat, NAT64 and MAP-T.

DarkNate

Of course he did not read what I wrote. I wrote "It is best to update the firmware once after purchase of the device" so you won't have ancient firmware. Bullshit. Buy a device today, netinstall with latest ROS and firmware. Now one year later, ROS version has changed 15 generations and f...

DarkNate

It really isn't a good idea (anymore) to set automatic firmware upgrade. The reason is that the firmware version now changes every time, it is the same as the RouterOS version. But usually there is no update at all in the firmware. Update just does nothing, but it incurs a small risk of rendering t...

DarkNate

I think it is a mistake to apply techniques developed for business-on-budget applications to prosumer cases which my firewall is for.

Disagree. We route to blackhole even on expensive high-end Juniper MXes and PTXes.

DarkNate

But if I were to nitpick I would criticize blanket drop and blackhole rules: local hosts deserve rejection with appropriate ICMP errors. Note that linked RFCs advocate similarly. That it’s not trivial to configure RouterOS like this is whole other matter. This opens a door for DDoS/DoS of the contr...

DarkNate

@Kentzo your approach has duplicity and redundant config, for example with your “trap”. Why would you increase computation costs? Use Route-To-Blackhole directly. In addition, the content in the article is backed by various RFCs and BCPs and BCOPs, all hyperlinked widely across the article if you bo...

DarkNate

I actually disabled all the other rules as well. Is there a base ruleset I should be using? The implicit drop at the bottom is disabled as well.

viewtopic.php?t=176358#p864371

DarkNate

Or even better, BFD. It was made for this purpose.
When is really ready and works...

Works fine on v7.11.2. No problems here for months/weeks now. Even cross-vendor.

DarkNate

Very few people are really qualified to work with dynamic routing protocols. Maybe MikroTik should make more in-depth content on these.

DarkNate

I thought he's talking about cooling system load distribution or something with “loud balance”… Fans are loud for sure.

DarkNate

Yes, it's obviously computationally expensive. Who the hell else even does this?

DarkNate

The chances of school or college “network engineers” deploying proper CGNAT with netmap/EIM-NAT is not slim, it is null/non-existent. I've been through college too, and our PhD certified “engineers” ran like 7 layers of NAT before it reached the Dormitory. Best you can do is Cloudflare WARP free pla...

DarkNate

I don't work for a Tier 1 Carrier so I don't know. Yes, Ciena seems to offer it as a high-SLA metro-service concept I guess MPLS-TP makes sense for transport gear. Not networking gear. As it's 100% transport related tech and less of networking/packet switching. MikroTik doesn't sell transport gear,...

DarkNate

I've used LibreNMS in a large network. No problems with Cisco, Juniper, Arista, MikroTik.

For proper automation, you'd likely need a proper CI/CD pipeline for network-wide and infra-wide automation. Oxidised is there, but it isn't exactly a CI/CD pipeline company-wide.

DarkNate

Use netmap + EIM-NAT on your home MikroTik router and make sure you APs etc are in bridge mode to avoid double/triple NAT.

DarkNate

No, it's mainly used for specialized industries like utilities, industrial, military and so on. When were are often talking Megabits but needs to be very reliable and ultra-fast recovery scenarios. But It could be used as a transport for legacy services on a bigger carrier operator. EVPN and MPLS-T...

DarkNate

MPLS-TP is not legacy, but its a niche market.

How small is the market for this? What are some modern-day use-cases for it in carrier networks? I just can't think of any because of EVPN.

DarkNate

Mark topic as solved. Good luck.

DarkNate

Share config example on both sides.

DarkNate

Well, It's often used as a replacement for legacy TDM-like tech, transporting synchronous and latency sensitive applications. Then safe to say MPLS-TP is also legacy. A lot of carriers have removed TDM/SDH/SONET type equipment and replaced with modern-day OTN. Even LTE/5G doesn't use TDM. There's n...

DarkNate

MPLS-TP is a very different concept. It often requires and specialized hardware and provisioning concepts to make any sense of it.

What's the market share of MPLS-TP anyway? I have not seen it in production.

DarkNate

I think I might have gotten confused during your follow-up explanation. You mentioned that there are already ISP uplinks at the OFCINA router which are using BGP. Where is the part in which you are moving from static routing to OSPF? Do you have an ISP providing transport for the internal connectio...

DarkNate

Upgrade to ROS v7.11.2 on all devices and move on with your life.

DarkNate

One more thing do you think is it actually worth implement OSPF in the network with that quantity of routers even if every router knows about each other and does not filter routes like the want it? I've designed a lot of ISP networks using eBGP/iBGP in conjunction with OSPF/is-is. This is what I do...

DarkNate

If I have to wait to 7.14, 7.16 for a IPv4 is-is implementation.

is-is is not TCP/IP, it's CLNP. Why would it require IPv4 or IPv6 addressing to function?

DarkNate

OSPF doesn't scale. Because OSPF is designed to be a fast convergence, link-state protocol. It's not designed to be a policy shaping routing protocol like BGP. There are a few guys out there in the market who builds ISP networks using a combination of eBGP and iBGP inspired by this: https://www.rfc-...

DarkNate

Thanks for your answer. Of course, if I restart the router without even doing what you say, I'll also solve my problem (before the routing table fills up, it will already have sent the default route to clients). But the challenge was not to restart the router(in production) because if next time I h...

DarkNate

DarkNate, In the config you had the Hardware model "CCR1072". I had already watched the video but the person in question only has a few prefixes, above I had said that it worked when there were a few prefixes but I have several million prefixes in production and the behavior is random and...

DarkNate

Hi DarkNate, So what do I actually have to do? The reason I sent in the configuration is so that someone can help me, not reproach me. Tell me exactly what I need to configure. Regards. Share your hardware model number. BGP affinity config is dependent on hardware model. https://www.youtube.com/wat...

DarkNate

Hi Darknet, Enclosed you'll find a small part of the configuration I consider relevant to your analysis. Client sessions with the "eBGP-INA" template caused me a lot of trouble to announce the default route (random behavior). Where is consistent BGP affinity config on ALL peers? Of course...

DarkNate

If you could give me a BGP session configuration that would 100% announce the default route correctly in a routing table already filled with several million routes, I'd love it.

What you should be doing is exporting your /routing config and post it here for people to review.

DarkNate

I did not say, that OSPF is in any way better than ISIS. It is still a fact, that in enterprise networks OSPF is still in use and scaling got much less an issue with as much resources we have today in any router. So probably current support for routing protocols is no reason for MT to get used more...

DarkNate

Hi all, I have a version of ROS 7.11.2 and I have huge difficulties to send the default-originate to the client routers. Sometimes it works and sometimes it doesn't (most of the time). I've also noticed that when I have almost nothing as a prefix in my routing table, the default route is sent immed...

DarkNate

It will work, but it's a dumb design. Can I design something better? Of course, but nobody would design for free on a forum. I suggest you reach out to any certified MikroTik consultant for a proper design. If you want to self-learn, then a good starting point here: https://study-ccna.com/collapsed-...

DarkNate

OSPF is a PITA. is-is isn't. OSPF requires operational and configuration overhead when you have 1000 layer 3 devices in a network, to maintain the configuration automation template etc, across IPv4 and IPv6. Whereas with is-is, since it's CLNP, I don't need IP addressing whatsoever for underlay netw...

DarkNate

I lost any hopes that MPLS related bugs in ROS 7 will be fixed. Started to look for another router brand without success for now. Just use baby jumbo-frames at the least 1600 L2 MTU, 15xx whatever L3 MTU and no fragmentation occurs. But personally, I ensure 9k MTU on L3 and 9216 or more on L2 netwo...

DarkNate

If XDP/DPDK is used then x86 is the best choice. XDP does not depend on any special HW: https://www.iovisor.org/technology/xdp All new routerboards have ARM. (OK, there is maybe something I miss, but most of them have ARM.) DPDK: Designed to run on Arm, PowerPC and x86 processors, DPDK runs mostly ...

DarkNate

If XDP/DPDK is used then x86 is the best choice. Clearly, you have never spoken with Linux kernel programmers and system programmers to even understand what is XDP or DPDK, and how it is being deployed in the Telecom and data centre industry on all kinds of hardware architectures, ranging from x64 ...

DarkNate

I contacted support about this issue and they responded that they will consider improving the behavior for VPLS when they are added to the bridge and VLANs are used. I would like to remove VPLS permanently and replace it with EVPN and make use of Ethernet Segment Identifiers, but alas, MikroTik sup...

DarkNate

Indeed, the single-bridge design cannot be used in conjunction with BGP VPLS ( https://forum.mikrotik.com/viewtopic.php?p=925249#p925249 ). MikroTik needs to give proper solution for this. Maybe contact support? What about option two here: https://forum.mikrotik.com/viewtopic.php?p=925249#p845362

DarkNate

Misconfiguration of bridge/VLAN/L3 offloading is the likely cause, too many Linux DSA expert users in this forum: https://forum.mikrotik.com/viewtopic.php?p=1025418#p1026101 Some common examples: https://help.mikrotik.com/docs/display/ROS/Layer2+misconfiguration If the above don't apply to you, then...

DarkNate

Your configuration is likely the problem.

See here, PIM works okay for me, inter-VLAN.

viewtopic.php?p=1029268#p1022915

DarkNate

MikroTik RFC9234 is only partial implementation, not full implementation. Check with support.

Meanwhile, Cisco and Juniper don't support it anywhere.

DarkNate

Yes, but is clearly indicated: Warning: this two rules can break the Path MTU Discovery (PMTUD), use only if your device are sensible to "Large ICMP" or "Ping of Death" attack. On doubt, do not use at all!!! 3) Thanks, added on future update. ICMP Completely removed, to avoid pr...

DarkNate

Thanks for your reply. Unfortunately, the technical article refers to VLANs or ports in bridge mode. On my MikroTik RBs, there are no VLANs or bridges. There are only two network interfaces: one connected to the IXP switch and the other to the our switch, in access mode and not VLAN, connected to o...

DarkNate

I was hoping rextended removed the ICMP stuff, which is a bad idea to deploy in prod or even for home users. 1. ICMP is rate limited in RouterOS by default, and same on all network vendor OSes, same on Linux vanilla kernel as well 2. Breaks PMTUD and is just stupid, I've seen large-scale networks do...

DarkNate

Mobile carriers limiting us to ::/64 per SIM card is only one example. So I'd like to stop this discussion here and come back to the question I asked. That's not the problem at all. The issue here is, you aren't aggregating your ULA into a single pool. The mobile carrier's /64, you can just use NAT...

DarkNate

Using a single pool is not an option here. We have a few thousand devices and each has it's own fd10:x:y:z::/64 prefix. In certain environments, we need an additional network that we can advertise to hosts, and this can't be in the fd10::/16 range. This sounds like a problematic approach, IMO. I'd ...

DarkNate

Have a single aggregated pool of the entire /56 or whatever, then use the ::1, ::2... On each different VLAN/Interface, that should work fine.

DarkNate

@DarkNate: Replace XDP by VPP and keep DPDK, please! Or use all of them! :)) VyOs just transitioned from XDP to VPP and many other projects use it, to support >10G speeds. https://wiki.fd.io/view/VPP/What_is_VPP%3F Still, something should have already be done by MT about IPv6 performance! DPDK/VPP ...

DarkNate

Unnumbered OSPF or BGP for that matter, does not work on RouterOS, not even on 7.11.2

DarkNate

Speaking of IPv6, it seems the author published one article on it. Definitely not MikroTik specific, so might make more sense to just comment it here instead:
https://www.daryllswer.com/ipv6-archite ... operators/

DarkNate

Configure as per your hardware model:
https://help.mikrotik.com/docs/display/ ... +switching

DarkNate

MikroTik should just adopt XDP with hardware offloading to the NIC for packet filtering. To Adopt DPDK (or its derivatives) for packet forwarding, a lot of MikroTik boxes would be able to forward 100Gbps at near line-rate using CPU alone with XDP + DPDK.

DarkNate

Fix your BGP affinity as step 1.

Then make sure your L3 offloading, bridge/VLAN configuration is matching this:
https://help.mikrotik.com/docs/display/ ... +switching

DarkNate

The problem with this is, it does not scale, not usable for production pumping 100Gbps traffic per nanosecond. MikroTik needs to add proper CLAT, proper 464xlat and NAT64.

DarkNate

there is journey remaining towards full ROA compliance

Don't confuse ROA data and ROV data. Even if ROA data is 100% compliance, it is useless if there's no ROV implementation.

DarkNate

@DarkNate As far as I know at least in our region (Asia), ROA record is a _must_ now a days if you are advertising your prefix to upstream that's why pe1chl is suggesting that let the upstream handle this RPKI validation, I personally has this mentality too are we really out of touch on reality? Al...

DarkNate

I have a few questions regarding the ESXi host and the CHR VM: What CPU is used? Intel Xeon E5-2620? Intel Xeon Gold 5415+? AMD EPYC 7302? Are the vCPU on the same Socket? (think NUMA and accessing RAM from different CPU socket) What setting are you using for the CPU/MMU virtualization? Which physi...

DarkNate

i am pretty sure there is a way to give the technical message without going into personal affairs

Nothing personal, at all, from my POV. Strictly business here. And as far as “technical message”, that's what MANRS is for.

DarkNate

I don't think you can/should do RPKI validation on a single-peer endpoint. Leave that to your upstream ISP. They can do all the route selection for you and send you only a default route. Are you new to network operations and NOG forums? Do you even know what MANRS is? Very few Tier 1s, Tier 2s and ...

DarkNate

I don't see how any of that would be an advantage when having only one peer. It's abundantly clear you don't understand how RPKI validation/filtering works and why we should all implemented it. You are under the impression that you need to be multi-homed for RPKI validation to work. Start here: htt...

DarkNate

For example - The VLAN concept used by Cisco is something everyone understands and is widley copied everywhere, and its the same on all devices regardless of underlaying chipsets. However in Mikrotik, it's both very chipset dependent, and you can do wrong in multiple ways both in hardware bridge an...

DarkNate

RouterOS can be, very confusing if you are very in to like Cisco/Juniper for since many years. It also can be very confusning if you are a DIY Linux/OpenWRT person and are looking for files to edit. One "drawback" is that you can accomplish things in different ways, with pros and cons. Th...

DarkNate

Rather than some "script" based in RouterOS itself, something like this calls for real network automation. Use Ansible or something similar, or custom python code that runs on a seperate box.

DarkNate

BGP can run multithreaded (see posting above), but when you have only 1 peer there is nothing to gain that way. Is this only a test? Or else, why would you run full-table BGP with only 1 peer? Ask the ISP to send you only a default route... Full table with one peer (or more) ensures this network ca...

DarkNate

And for hAP ax³, why would sticks rotate around second axis, if it's doughnut shape?

Exactly. I don't know how to properly align the antennas on hAP ax3, MikroTik made sure to keep this a secret for reasons I cannot understand.

DarkNate

Not really my expertise but one can assume those antennas on AX3 provide a doughnut shaped radiation pattern perpendicular to the axis of the antenna. For AX2 I think it will be more spherical. Measurement data (from certification ??) might be helpful indeed. I don't know, but a crystal clear docum...

DarkNate

I didn't check the configuration details of OP. But I have a hAP ax2 and hAP ax3, identical config, but ax3 has wireless coverage and performance issues. Maybe it's the way I aligned the antennas or what? Possibly MikroTik can share antenna guide for this model, the blueprints of how the rotational ...

DarkNate

Translation = F*** I'm Good, Just Ask Me !

Translation = I don't need praise from people in this forum. Money doesn't reach my bank account from here. Some people have appreciated my comments in this forum, some have not, doesn't matter to me either way.

DarkNate

I have a CCR<>ax2 setup, where ax2 is a layer 2 devices only. I never actually see PIM packets on my Wi-Fi clients for some reason, it seems wifiwave2 blocks PIM packets? I am not sure, but the MDB table is properly populated so not sure what's going on. I check with WireShark on client side. I see ...

DarkNate

It is a temporary setup. I'll will set VLANs on the same bridge when I buy another VLAN-capable device to plug to ether 3 (GUEST now) which is going to be set as a trunk port so that I can have multiple VLANs on the new device. You only need to configure access port based VLAN for your current setu...

DarkNate

The IGMP/MLD snooping can be set only for ports on the same bridge, which it doesn't seem to be my case.

You are not supposed to be using multiple bridges, read this:
viewtopic.php?p=1026098#p1026101

DarkNate

I set 3 interfaces in bridge (my main LAN), set also services on it. On another interface I set a different subnet for GUEST. Would your setup work for DLNA discovery too? A device on the GUEST subnet needs to contact a service running on the LAN side. Unfortunately I can't set up VLANs at the mome...

DarkNate

<rant> Dude, these ad hominem attacks have got to stop . They add absolutely zero value to the conversation, and every disparaging remark you make completely erases any clout or respect you might have earned when sharing your expertise or opinion. I came to this thread expecting to see what users h...

DarkNate

was not sarcasm maybe sometimes the rude tone i perceive on your words is only the result of the translation. but i found your position not very thoughtful neither constructive Yeah, like I care about what some random dude on the internet thinks about it. You can think what you want, we're never cr...

DarkNate

Example from hAP ax3 core router deployment: /ipv6 firewall raw add action=drop chain=prerouting icmp-options=134:0-255 in-interface=vlanIX protocol=icmpv6 Neighbor Discovery packets received from upstream router are dropped. This doesn't solve the issue at scale, the RAs still flood the wire, stil...

DarkNate

On the other hand - you really can't buy a Nexus or QFX without a pricey support agreement (except for second hand)

Fair argument. MikroTik can sell reasonably priced support agreement. 1/2 the price of Cisco or Juniper.

DarkNate

For SOHO/Home? I think having VLAN Segregation is sufficient, because each VLAN will have a unique IPv4 and IPv6 subnet, which helps with firewall ACLs, custom policy routing, NAT logging etc. I don't do anything special personally for SOHO/Home, plain VLANs and segregated IPv4/IPv6 subnets and I'm ...

DarkNate

You should contact IXP support and register a ticket. It's against IXP rules to flood RAs. Someone recently posted about it here.

DarkNate

Even if they made the hardware, the lack of paid software support would limit the market for MikroTik. No serious operator is going to run hardware with no realistic prospect of a fix in a timely manner. I think this is the real issue. Even if MikroTik made a REAL L3 switching box, say a box costs ...

DarkNate

IPv6-only DNS on MikroTik has never worked correctly for me.

DarkNate

I had no problem setting up my first Mikrotik in 2016 when they barely had any youtube tutorials and I was only taught basic networking for one semester. Every time I see IT """engineer""" I remember that old error "We seem to have encountered some issue but our t...

DarkNate

Some of these would come for free as they can be done in software on the existing hardware, but others such as a larger TCAM come at a cost.

Many people are willing to pay that cost, though, is the point. A MikroTik box won't cost me $400k.

DarkNate

if you see that as an easy task then you are missing a good opportunity, raise some capital and startup your idea i will be expecting that equipment built by your startup to revolutionize the market You have the knowledge and the opportunity so go for it Clearly this is sarcasm, not sure who's fall...

DarkNate

How does a CCR2116 or CCR2216 not achieve what you want. L3 offload on all of the newer Tiks is pretty simple. If the input and output ports both have L3 offload enabled, and it can be routed statelessly, it can be offloaded. Doesn't really matter if it's MPLS, BGP, etc... configuring those routes....

DarkNate

Can you make a business case for a production-grade L3 switch ? If you could make that BC [at a high level] then I suspect that might tweek Tik interetest :D ... Although I do suspect that they already have such BC and have decided that its not worth the investment. Do you have any idea whatsoever ...

DarkNate

You do realize that your question, since asked in an user forum, is more or less a rhetorical one? You're asking about MT's business plans and that question really should be directed towards MT's marketing department directly, ideally backed up by a large past business and prospect of huge future b...

DarkNate

I am writing this post to urge MikroTik to consider producing high-performance, production-grade Layer 3 switches. While MikroTik has somewhat capable Layer 2 switches, its Layer 3 switching capabilities are next to nil. Layer 3 switching has been the de-facto standard in data centres for use-cases ...

DarkNate

Mate, some could find you not only an expert in networking but also in arrogance ... could you stay at networking?

I'm no expert, I'm just educated and literate is all.

DarkNate

work like a charm with BGP

Good luck, have fun.

DarkNate

Hmmmm.... firmware to 1:1 between peers or current-firmware: upgrade-firmware ?

Are you sure you're an engineer, mate? This fundamental stuff in MikroTik.

Obviously current-firmware must match ROS version aka "upgrad-firmware".

DarkNate

Some LLM-based script in the backend could automate that job, auto-scrub passwords, MACs, usernames etc.

DarkNate

viewtopic.php?p=1026101#p1026101

DarkNate

My networks work well now, but I think I got it at least a 100 times wrong. Read posts on the forum, read MT wikis, watched videos. Of course many guides and videos are obsolete, some posts are wrong. As an MT beginner it is an exceptionally big hurdle to get things sorted out and to find and under...

DarkNate

Why would de CLI need to have anything to do with your automation? The CLI is for human consumption, the automation isn't. Nobody's talking about automation in that particular context. I clearly replied to this comment by quoting it. I think you're smoking something. They should have copied Cisco's...

DarkNate

MikroTik firewall address lists, resolves, and updates the FQDNs by default, why do you need a script for a feature that's built-in?

Just enter the DNS hostname in the list and that's it.

DarkNate

You need to deploy CGNAT correctly on the ISP side, see this:
viewtopic.php?t=176358

DarkNate

I agree. Switching on ROS is not intuitive at all. But still, having the necessary background and with little RTFM you can work your way through. They should have copied Cisco's way of doing switching (in terms of UI/UX/CLI). Much more intuitive and easier to troubleshoot. Hell no, f*ck Cisco CLI a...

DarkNate

I really wouldn't worry about it, if there is a valid use case (practical management is absolutely a viable one) then by all means use multiple bridges. If its just a home based setup with multiple VLAN's sure single bridge is a good idea. However as with everything it depends on the use case. Ofte...

DarkNate

sorry, off-topic but ... an additional empty bridge "Lo0" for example would not violate that, right? (for loopback addressing) Loopback is fine, I have single bridge for physical ports/LACP/The works, and separate bridge with STP disabled for loopback. But in some cases, such as MPLS/VPLS...

DarkNate

Most network engineers understand the technology/theory and can navigate easily between different vendors' implementations to achieve the same results. If it takes you days to set up a VLAN, then most likely you are not well-versed with the technology you are trying to use. Just because on other ve...

DarkNate

MikroTik removed firmware changelog (not ROS changelog) years ago, no idea why.

DarkNate

viewtopic.php?p=1020415#p1022915

DarkNate

The author is clearly a man-child.

I have my problems with MikroTik, but I have a problem with Cisco, Juniper, Arista as well. No vendor is perfect.

As a network engineer, I work multivendor on per use-case and business-case basis. Good luck to the OP.

DarkNate

viewtopic.php?t=199442

DarkNate

Seriously, why tf are people still doing this dumb double/triple/multiple bridges crap on modern-day Linux DSA? Have they not received basic education and training in Linux networking or something?

DarkNate

That step is optional 😜 Who told you that? It in fact broke SFP interfaces in the past if you failed to ensure 1:1 matching. Just because MikroTik stopped publishing RouterBOARD firmware changelogs years ago, it doesn't mean there's none. I've worked with many ISPs and WISPs globally who complains ...

DarkNate

Make sure you did it right:

/system routerboard settings
set auto-upgrade=yes

/system/routerboard> print
routerboard: yes
factory-firmware: 6.45.9
current-firmware: 7.11.2
upgrade-firmware: 7.11.2

DarkNate

How's this a network vendor problem?

If you're a network operator, sign up for a DDoS scrubbing provider, if you're a customer of an ISP, ask your ISP to do it.

DarkNate

I've been testing with a lab router using a more appropriate config for the actual environments i'd want to use this in, which is a more complicated topology that isn't just VLAN's on a single bridge. You're violating the Linux DSA network stack by having multiple bridges. Multiple bridges is a con...

DarkNate

Ensuring proper BGP affinity input/output on all BGP peers based on this:
https://www.youtube.com/watch?v=py4up-l ... FmZmluaXR5

No problem with BGP advertisement on ROS v7.11.2.

DarkNate

Export /ipv6 config from both routers. This is likely misconfig.

DarkNate

Why the hell are you using v7.10rc1 in the first place? Move to latest stable or latest beta.

DarkNate

Might be worth mentioning that PIM-SM isn't listed as functional in the Routing Protocol Overview page. Status is "initial support" https://help.mikrotik.com/docs/display/ROS/Routing+Protocol+Overview It is working with this config, but perhaps not ready for production at scale: https://f...

DarkNate

viewtopic.php?t=174354&start=300#p1024267

DarkNate

I suspect @DarkNate is right here... I think IGMP Proxy may ignore mDNS's IP 224.0.0.51/24 since defined as "Local Network Control Block" in RFC-5771 It's ironic that PIM is easier, but there be less complex than the ill-defined IGMP Proxy.... IGMP Proxy was never really a “best practices...

DarkNate

Bridge VLAN filtering options is not MikroTik exclusive:
https://developers.redhat.com/blog/2017 ... -on-bridge
https://docs.bisdn.de/network_configura ... dging.html

DarkNate

... and then there are (probably) thousands of us using RouterOS on dozens of devices from home applications to medium size enterprises and did not encounter any serious issue for years, so we are perfectly fine with calling it "stable" :) RouterOS has so many features, most of the interc...

DarkNate

Bridging in ROS is no different from bridging in Debian, RHEL, Cumulus etc. It's Linux DSA. I never get these half-baked explanations on the forums when it comes to Linux networking, which is what ROS is, a Linux-based CLI daemon that abstracts underlay Linux Kernel with ROS v6/v7 CLI/UI configurati...

DarkNate

Normis I like you and MT but that`s not true...android phones don`t disconnect from the AP if display is off. How can we got msgs from Viber, Whatsapp, Messnger...etc during the all day? My phone has over 1h uptime in my AP (Ax2) now and his display is black most of the time. 99% of modern day Andr...

DarkNate

@OP use this:

/system ntp client
set enabled=yes
/system ntp client servers
add address=time.cloudflare.com

DarkNate

We already have this https://mikrotik.com/product/crs312_4c_8xg_rm CPU specs worry me about using this as a layer 3 access switch (or perhaps distribution switch in smaller networks) for running a few thousand/ten thousand BGP routes/OSPF and in future if MikroTik supports VXLAN with EVPN or MPLS/E...

DarkNate

Can you guys clarify the use case of 2.5G ports but with PoE output? I thought this kind of switch was great for high end PC's, not for plugging in more routers? What's the cost difference between 2.5GbE and 10GbE ports (with optional PoE)? I'd really like to see SOHO equipment moving to minimum 10...

DarkNate

hAP ax2 is sufficient for training purposes.

DarkNate

all phones have power saving options and go to sleep if display is off. yes, wifi also disconnects. what did you expect? I have a few old iPhones running iOS 16, if battery was 100%, and I leave it unplugged and screen turned off, no apps running, I've seen uptime upto 8 hours on MikroTik AP's regi...

DarkNate

Auto works fine. This is my conf. /interface wifiwave2 set [ find default-name=wifi2 ] channel.band=2ghz-ax .skip-dfs-channels=disabled configuration.chains=0,1 .country=Mars .mode=ap .ssid=1234 .tx-chains=0,1 disabled=no name=2GHz_1 security=VLAN666_Security set [ find default-name=wifi1 ] channel....

DarkNate

It's a long explanation that's better explained by a few sources below. In short, this is a feature of modern day VLAN-aware bridging using DSA in Linux networking stack. It allows you to ensure the bridge itself will accept only tagged to prevent possible VLAN leaks due to misconfig and to block na...

DarkNate

I've avoided RouterBOOT firmware problems using this: /system routerboard settings set auto-upgrade=yes Problem solved with double reboots after each ROS upgrade: /system/routerboard> print routerboard: yes factory-firmware: 6.45.9 current-firmware: 7.11.2 upgrade-firmware: 7.11.2 MikroTik should ma...

DarkNate

Before making a big commitment to a new software product; let's get the bread and butter products in order: RouterOS 7 "stable" becomes truly stable ( not just a label ) first and foremost before all else. RouterOS 7 becomes feature complete first and foremost before new software products...

DarkNate

I declare 7.11.2 to be long-term release.

Joking obvs. We can keep b**ching in this forum and other forums, but unless MikroTik does something about software stability/quality issues, nothing will change.

They read silently, while we can only hope they are taking actions in the backend.

DarkNate

I stopped using IGMP Proxy. I migrated to PIM, it works and I stopped worrying. You need ROS v7.11.2 in my testing.

Here:
viewtopic.php?t=198798#p1022915

DarkNate

The bridge configuration is missing some config params: /interface bridge add frame-types=admit-only-vlan-tagged igmp-snooping=yes igmp-version=3 mld-version=2 name=bridge Also remove the VID from /interface bridge mdb , the static MDB entry is to be configured VLAN-neutral aka no VLAN, see official...

DarkNate

If ain't broke, don't fix it.

This is an anti-innovation mindset, usually smells of USSR and fascist regimes' origin.

If it ain't broke, improve it, re-architect if needed, re-test and re-validate. That's how network engineering or any branch of engineering should be.

DarkNate

I did a netinstall of v7.11.2. PIM seems to be working with early testing. Config example for people: /routing pimsm instance add afi=ipv4 disabled=no name=pimsm-IPv4 vrf=main add afi=ipv6 disabled=no name=pimsm-IPv6 vrf=main /routing pimsm interface-template add disabled=no instance=pimsm-IPv4 inte...

DarkNate

Let's be clear about where the insanity lays. MikroTik has laid down a consistent track record; they are not an enterprise vendor. Everyone sets their expectation; repeatedly expecting enterprise results from MikroTik is insane. Marry the enterprise vendor that provides what you really want, whatev...

DarkNate

= /interface wireless do not exist on wifiwave2 Do not worry, is the same error on defconf I report a year ago the 2022-05-04 17:10:00.... Some spam lines inside the file get-custom-defconf , never removed. Too many lazy programmers to fix something reported dozen of times, with precise indication ...

DarkNate

I've seen this on MikroTik, but what about other vendors?

Plain Debian, or whatever or any big vendor. Do they proactively kill user session upon deletion immediately?

DarkNate

After upgrading from v7.11 to v7.11.1 my hAP ax2 throws this error
"error while running customized default configuration script no such item"

DarkNate

Are people still going on about this? Your config export clearly shows you failed to configure the “country” for both bands. Configure the country for both bands to the actual country you bought the iPhones from, reboot the AP.

DarkNate

Why do people still mess up their VLAN/Bridge configuration on MikroTik even though the process is identical on all Linux based NOSes? Read this: https://help.mikrotik.com/docs/display/ROS/Basic+VLAN+switching#BasicVLANswitching-CRS3xx,CRS5xxseriesswitches,CCR2116,CCR2216andRTL8367,88E6393X,88E6191X...

DarkNate

Nobody actually requires XDP or DPDK or VPP or any other acronym.

Yeah keep telling yourself that, good luck, have fun.

https://thebrotherswisp.com/index.php/t ... -hardware/

DarkNate

I'm with patrick7 ; WebFig is valuable and constraining display width in HTML is counter productive. MirkiTik requiring yet another tool like "WinBox" or "The Dude" is unnecessary and not universally wanted. What did MikroTik accomplish besides imposing someone's unwanted concep...

DarkNate

From the results I've seen posted, it's impressive what can be achieved with DPDK/VPP. The VyOS project has replaced the use of XDP with VPP for the data plane. DPDK/VPP and hardware-offloaded XDP can filter/drop/process packets at 100Gbps on commodity hardware including arm64 . I know Fortune 500 ...

DarkNate

On my "modern" router (RB4011), routing IPv6 at 1Gb/s make 1 core being like 95% used. So it's fine for my use case. But it also means it can't do much more, while the router is advertised with a 10Gb/s SFP+ port and a 10Gb/s routing capability... RB4011 was not released in 2022-2023 (mod...

DarkNate

Is this sill the case? I did a lot PIM-routing stuff around 2018/2019 with ROSv6 and it worked really good. Cant believe they still werent able to fix an alredy good working (in v6) feature... It's not working on latest ROS v7.11 stable at least. And MikroTik did not provide PIM config documentatio...

DarkNate

The problem with bug reporting on MikroTik is the lack of enterprise SLA and we, your customers, know for a fact, bug reports sit idle on the helpdesk for months, you can find many instances of such examples on MikroTik forums. This means in simple English, there's little to no incentives for custom...

DarkNate

@normis I use Linux, Windows 11 and macOS. WINE is “good enough” to run the executable on macOS, but there are UI/UX bugs and glitches especially on Apple Silicon. The experience on WINE vs native Windows 11 for Winbox is just different. In face WINE stopped working on macOS Ventura for a few months...

DarkNate

Again, I'm not saying it can't be done, in contrary, it can be done. But, again, for inexperienced user it's only too easy to miss all the points where it has to be done so it's way easier to use other VIDs if there isn't a very good reason to use VID 1 in tagged traffic. We all started from somewh...

DarkNate

To use VLAN 1 in MT world, one has to speak ROSish quite fluently ... it's not a problem of VID itself, the problem is that it's used in ROS as implicit default all over place and one has to know how to look to see it. And then change it according to needs. Which might be too much of a hassle, thus...

DarkNate

Webfig is just a security attack vector.

Disable it, use Winbox. Ask for Dark mode then on Winbox I guess.

DarkNate

I don't think it actually does shit. It doesn't seem to work in my testing.

Best you can do on MikroTik is BFD, with BFD, things should converge pretty fast.

DarkNate

On modern MikroTik hardware (2022-2023), I've never seen a massive difference between IPv4 and IPv6, assuming FastTrack isn't in the discussion.

Especially for CCRs, never seen difference in performance with proper config, hardware offloading, FastPath, bridge config etc.

DarkNate

Dont use vlan1 for data, use any other number VLAN1 does not matter in non-Cisco gear. On Linux aka RouterOS, you just need to ensure bridge ingress filtering to drop untagged “native” VLAN. You can use VLAN 1 just like any other VLAN. I use VLAN1 for MGMT traffic, but you can use it for whatever y...

DarkNate

PIM is non-functional on RouterOS v7.

You should contact MikroTik support.

DarkNate

I don't know, seems flaky. Anyway, personally I use IPv6 everywhere, I stopped caring about NATs.

DarkNate

They need a /tool/nat-detect – I'd rather know the situation, before some gamer is screaming about a test on an XBox. I mean this is open source: https://github.com/HMBSbige/NatTypeTester/ The solution is to patch the source code's bugs, and add support for the remaining RFCs to ensure a wholistic ...

DarkNate

The only other tool I know of is Xbox networking app. Run the network tests, it'll show you the correct results.

DarkNate

You need to make use of IGMP/MLD Snooping + IGMP Proxy in simple topologies. Or use PIM in advanced topologies. And single bridge only, or you're done for, that's not a MikroTik thing, that's how Linux DSA is designed, if you don't like it then use Juniper which is FreeBSD based, but even Juniper ha...

DarkNate

Not that I'm aware of.

If the big vendors don't have it, you can't really expect MikroTik to have it, on priority. Not going to happen anytime soon.

DarkNate

Watch this:
https://youtu.be/py4up-lO8zY

DarkNate

Do we have something similar to this on Juniper or Cisco for reference?

DarkNate

I tested, it's port restricted cone. You're seeing "full cone" if you run it twice with a few seconds, the reason for that is the MikroTik box maintains the state for a few tens of seconds and the remote end-point whose source IP is just the same as previous one, will be able to reach your...

DarkNate

I guess I don't understand the extent of what the IGMP Proxy can do for IPv4. Will the proxy forward more than just the IGMP report and query messages? It seems to me that IGMP is used to join/leave the multicast groups for mDNS and SSDP/DIAL, but once joined will the proxy also forward the other n...

DarkNate

Pelchi are you saying external ICMP incoming could potentially go back out the wrong router even if we mark the incoming traffic. If we are using static routes and not BGP, then we SHOULD mark incoming traffic to make sure it egresses via the same interface. So I don't see any problems here at all.

DarkNate

Maybe, maximal possible throughput at any cost on x86_64 should *not* be Mikrotiks focus since there are so many alternatives already? What are you talking about? I'm talking about CCR, CRS and RB series, arm64 devices. As for x64, that doesn't matter, if it's ASIC, I clearly gave Cisco as example ...

DarkNate

Strange, when I run traceroutes, I see the expect path in the replies. Am I missing something here? Unless you modified pref-src incorrectly via route filters (for BGP full tables) or manually for static routes/double/triple WAN. I always make sure routes learnt via interface A has pref-src matching...

DarkNate

This happened to me randomly on hAP ax2/ax3, on v7.10.2. Not sure why, after a reboot the bandwidth is back to 1Gbps, but after 30mins it drops to max 500Mbps or so.

No fixes in sight.

DarkNate

How easy is it, for example, to rip out the RoS routing stack and inject a new one........ is it a modular thing? Would one then have to redefine all the ICDs between modules...... imagine that many are standard so maybe only modify proprietary items? I don't know. But what I do know is the open so...

DarkNate

MikroTik IGMP Proxy doesn't support IPv6 it seems, after further PCAPs myself, meaning it isn't performing MLD Proxying in the process, even though you configure it right. I suggest you talk to MikroTik official support about it. If they make it work with IPv6, then all these problems disappear over...

DarkNate

...or implement a .npk package of FRRouting This would just add complexity with ASIC/Hardware offloading. What MikroTik can do is build RouterOS's underlying routing stack and possibly other network functions (like BFD) using FRR's latest base code and possibly fork it if required, or use it as is....

DarkNate

I was hoping he was going to tackle endpoint NAT next.

I don't think it's worth anybody's time, we should all just move to native IPv6 and get it over with.

DarkNate

https://www.spinics.net/lists/netfilter/msg56371.html

I certainly don't want NPTv6 traffic being conn_tracked, the whole purpose of NPTv6 is STATELESS. You can mail in IETF mailing lists to verify this.

DarkNate

NPTv6 is meant to be stateless aka no connection tracking. That's the whole point of NPTv6, to avoid breaking layer 4 and avoid the requirements of NAT Traversal helpers. Did you even read RFC6296? Do you not see the word "stateless"? You should be firewalling on the hosts. Let the network...

DarkNate

This happening on certain RouterOS v7 versions, regardless of hardware model.

For me it happens to IPv6, it takes like 10-20 minutes to advertise my prefixes after a reboot.

DarkNate

Use this instead, simpler arithmetical operation.

if (dst==0.0.0.0/0) {accept} else {reject}

DarkNate

Time Bump.

The author is still updating and maintaining the article as of now.

DarkNate

What are we supposed to debug with?

Share the config of the routing filters.

DarkNate

What are you talking about? Loopback bridge is harmless, recommended and a good idea. Why tf do you need “hardware offloading” for loopback bridge? You require SINGLE bridge for physical ports/LACP bonding etc, follow the official MikroTik docs on how to configure bridge VLAN filtering. If you are d...

DarkNate

My comment was for dynamic allocations from an ISP. @DarkNate I can see that your config will work for a static allocation, but not for a dynamic one. I am using Comcast, so not a small ISP by any means. What are you asking lol, if the PD is dynamic, then it will always change. How's this a RouterO...

DarkNate

If RouterOS did at all what you claim, that would produce a bad configuration

Ah that's typo lol, I edited the comment.

DarkNate

You're both (or all?) configuring it wrong. ISP gives me /48 STATIC PD. DHCPv6 clients injects static /48 into the pool. I manually configure the /64, by ensuring I manually specify the router's IP on each of the VLANs. So it's like this: /ipv6/address add from-pool=global address= ::1 /64 interface...

Search found 964 matches