MikroTik

felixka

beta6 fixes the bug in VRF routing for me. Nice.

felixka

Updated my RB5009 today and it's lost it's ability to route certain VLANs out via VPNs from within VRFs. Not sure what's going on exactly yet. But it works fine on 7.13 (didn't try 7.14 as it would break my WAN link due to the VLAN MTU issues).

felixka

You will want to use Netinstall to downgrade in this case: https://wiki.mikrotik.com/wiki/Manual:Netinstall

Make sure to backup your config. The device will be completely wiped in the process.

felixka

When are you releasing 7.12? I need those IKEv2 rekey fixes in the stable version :)
when its done :)

We all know (and Mikrotik lives by it): Done is better than perfect 😉

felixka

*) sfp - fixed link establishment with passive copper cables for RB4011 and CCR2004-16G-2S+ devices (introduced in 7.12rc1); https://mikrotik.com/product/rb4011igs_rm says "Note: Passive DAC (MikroTik S+DA0001/S+DA0003) are not supported." - are they supported now? Or is this a mistake in...

felixka

You could look into VXLAN or EoIP to create an overlay Layer 2 network for your 192.168.50.0/24 and 192.168.51.0/24 subnets over the Layer 3 10.10.0.0/19 network.

felixka

Can you better explain the shortcomings of the RB5009 you noted. " I don't run DHCP or DNS on RouterOS because it doesn't allow for the flexibility I need and also the DNS implementation in RouterOS 7 is troublesome." Sure: The DHCP implementation of RouterOS can only match one DHCP optio...

felixka

I run UniFi for wireless and video surveillance in my house with a MikroTik router as the gateway. It works without any issues. My UniFi controller runs on a CloudKey. You'll lose visibility into anything WAN related in the UniFi controller but that's about it. You will need to keep using the UniFi ...

felixka

Regarding your questions: 1. Whether it will improve network security depends on how you configure the switches and routers in the path. If you freely allow routing traffic between VLANs the security benefits are very little. 2. Yes. You would use VLAN interfaces on the Mikrotik side for this. 3. Ye...

felixka

Most people I know that have some sort of background in networking and who are trying to make Mikrotik work for them go through this at the beginning. It's a normal part of the process. It takes some time, but you'll learn to love it eventually. Especially if, like you said, you are somehow stuck wi...

felixka

It can certainly be done but how you'll do it depends on your network topology.
If the servers are directly connected to the router you could remove the server ports from the LAN bridge, create another bridge that includes your WAN port and then add the server ports to that bridge.

felixka

You will want to use routing.
See: https://help.mikrotik.com/docs/display/ROS/IP+Routing

felixka

Is .65 an IP that the ISP uses for the gateway or does the ISP expect you to set up a gateway at that IP address to handle any traffic going to the subnet?

felixka

If the CRS is already using an IP from the provider does the provider route the /27 to that IP or is the /27 on-link (i.e. not routed to you)? If you do not know how to tell or (test for yourself) the difference it's easiest to ask your ISP how they set this up. Depending on how easy your ISP is to ...

felixka

It'll depend on how your upstream provider routes IPs from this range to you. Do they route the subnet to another IP you have configured on your router? -> Use regular routing. This is the most elegant solution. Does your ISP's router expect all hosts using IPs from the subnet to reply to ARP direct...

felixka

Hello! Please, beware that some of these improvements make Chinese SFP modules (e.g. ONTi Gigabit RJ45 SFP module from Aliexpress) report temperature of 255 degrees which triggers SFP module disabling (for 10 minutes, but it repeats) since the default SFP shutdown temperature is 95 degrees. Thus, y...

felixka

Because so many people have been asking for it for so long, so vehemently. As a result they felt it prudent to add at least four BFD thus far. More to come! Look out for that final release change log.

felixka

As mentioned in https://forum.mikrotik.com/viewtopic.php?p=1001827#p1001827 I am also seeing a DAC cable between a CCR2004-16G-2S+ and an Aruba 1930 switch no longer being able to connect. That CCR2004 was running 7.6 before and the cable worked just fine for all releases before 7.9 (tested with 7.9...

felixka

what would prevent us from flashing a lightweight Linux distro onto some of the arm-based routers and just run FRR? Support for MikroTik hardware and the SoCs they use in mainline linux, bootloader peculiarities, to name a few. MikroTik makes it purposely hard for anyone to get current GPL source c...

felixka

Kudos to the MikroTik team for keeping their cool given the tone by a few customers.
Given that we're dealing with humans on either side of the keyboards I don't think they deserve the abuse they are receiving here, regardless of what their employers' strategy, roadmap and quality of delivery may be.

felixka

What are we missing? How is Mikrotik getting 22Gbps of routing performance through this with no routing rules (512 byte packets)? It's probably in your config. If you post it I can't guarantee I'd see it, but if you don't I will gladly guarantee that I will not see it. When going from Cisco to Mikr...

felixka

I mean one solution could be to just bridge VLAN10 and VLAN20 right on the Mikrotik and make them one L2 broadcast domain because it sounds you are handed two VLANs that you actually don't want to be separate in the first place.

felixka

Why would they need to be in the same IP address range to begin with?
VLANs create a separate Layer 2 domain per VLAN, so trying to overlay a single Layer 3 IP subnet over it sounds like asking for trouble.

felixka

I don't think it's possible and I also don't know why you'd want to do that.

Sounds like an XY Problem.

felixka

Why do they stick with kernel 5.6.3? Why not using latest 5.6.19 at least? Makes me really wonder. Mikrotik heavily modifies the Linux Kernel to support all their hardware. For example, the tile architecture (used in CCR1016/1036/1072) was dropped in Kernel 4.17. So Mikrotik has to manually patch i...

felixka

Anyone know which linux kernel version 7.5b is based off of? Looking forward to full NETMAP support in kernels 5.8+.

7.5beta4 is on Kernel 5.6.3.

felixka

*) ccr - improved interface link stability on CCR2004-16G-2S+PC;

Updated from 7.0.4 to 7.3.1 today but am still seeing intermittent interface flapping when connected to an AVM Fritz!Box Cable Modem from Vodafone Germany.

felixka

If there will be a frontend for it other than Winbox or Webfig I think it should retain that Windows 95 look though.

felixka

What are you talking about? It's been working over here just fine? A developer is me. Things were looking good. They are talking about that Mikrotik decided to limit cake to interface queues only in the latest 7.3beta40 release. Release notes buried here: https://forum.mikrotik.com/viewtopic.php?t=...

felixka

Has Mikrotik ever provided an answer to this request?
Is it even feasible on the hardware side of things?

They have. It's actually even linked in the very first post.

And yes, some of the SoCs and switch chips Mikrotik uses support IPv6 offloading.

felixka

Basically a CCR2004-16G-2S+ but as a pure switch. Not quite. The CCR2004-16G-2S+ does not have PoE Ports. But I, too, would welcome a device like this though I would prefer it in a desktop form factor with optional rack ears and passively cooled. Essentially like a Cisco Catalyst WS-C3560CX-12PD-S.

felixka

I don't get why they can't add the support by the cpu. The switch asic is more "compatible" than the one into the cpu ? idk.... Comes down to the Linux driver support. Most don't have 2500Base-X support, even though the chip may support it. So either Mikrotik goes ahead and implements tha...

felixka

Check out this quote from 4 posts up:

Hardware IPv6 routing on Marvell switch chips (CRS3xx, CCR2116) is in development.

felixka

Try IPv6, not something that's done under fasttrack. My ISP does not offer IPv6. And the HE.net Tunnel I have as an alternative is not fast enough to highlight the problem, if there was one. So I assume I cannot verify the problem you're having, but it sounds logical to me that it could exist under...

felixka

Yes, trust the system!

I like my full speed, thank you! :)

Cannot confirm:
RB5009 ROS7.2 / PPPoE (MTU 1500) on VLAN on Ethernet with MTU 1508

1400 MHz fixed

5009-1400.png

Auto:

5009-auto.png

felixka

Love the CCR2004-16G-2S+PC!

However, what I really need would probably be a CCR2004-16P-2S+PC
Essentially a Mikrotik version of the Cisco Catalyst 3560CX-12PD-S (12 GigE PoE, 2 GigE and 2 SFP+) or even 3560CX-8XPD-S (6 PoE, 2 mGig (10GbE), 2 SFP+). Powerful but still passively cooled.

felixka

Did you do plain SSH over PPPoE+VLAN? In my case I have a GRE/IPsec tunnel over PPPoE+VLAN and inside that I do SSH or BGP which gets stuck (due to nonzero DSCP). Yes, I do "plain" VLAN+PPPoE. In my case it's the WAN connection and then I access SSH or VoIP resources on the internet. This...

felixka

I can confirm that this also fixes the issue of DSCP marked SSH or VoIP connections when using PPPoE with VLAN tagged interfaces. That is interesting... When reading that I eagerly upgraded my RB4011 but for me this problem has not been fixed. I am on an RB5009, so it may have not been fixed on the...

felixka

Looks resolved to me as well, albeit my issue was with DSCP tagged SSH and VoIP connection. Finally

felixka

*) ipv6 - fixed VLAN tagged PPPoE packet receiving on RB5009;

I can confirm that this also fixes the issue of DSCP marked SSH or VoIP connections when using PPPoE with VLAN tagged interfaces.
Also, I finally get an MTU of 1500 if the underlying interface has MTU 1508, as you'd expect with PPPoE.

felixka

I know its only arm yet. Can you post a link to where MT stats that there will be no ZeroTier for other platform?

viewtopic.php?t=178353#p890747

felixka

Well I guess it is ok for one's cheap home wifi router.... so nice reminder of where these products are targeted at, thanks for that Tik! In most cases with MikroTik you end up getting much more than what they paid for. That's why we love them so much. But in some cases, and more so lately, you get...

felixka

Try Optcore. I've used them for all my SFP needs so far, but haven't tested their 100G stuff. At $65 for the SR and $400 for the LR modules it's not too expensive to give it a shot.

felixka

Possibly related: viewtopic.php?t=182691
But it could also be something else. Without a full config (/system export hide-sensitive) it's hard to tell.

felixka

Yes, this is a bug and Mikrotik is fixing it in one of the coming releases.
It is also discussed here: viewtopic.php?t=177984

felixka

The RB5009 does not have a console port.

felixka

Docker does not boot anything. It takes an image and runs a command from it in a containerized way. You would need a full- or paravirtualized hypervisor to boot CHR, as the CHR relies on the Kernel it comes with to perform many of the networking functions. Docker is OS-level virtualization and relie...

felixka

I receive roughly 950-980Mbit when I do a SpeedTest on TCP protocol. However, when I use UDP, I only get 15-3 Mbit. Is it because of me? It is likely because of you. UDP speed tests usually test using a pre-set low target bitrate (iperf3 uses 1 Mbit/s, for example). UDP does not have congestion con...

felixka

ATA can register in v6.49.2 without any problems. With V7 everything else on my network works as expected. My setup is a PPPoE internet connection for home use, I followed Mikrotik's first time configuration guide (https://help.mikrotik.com/docs/display/ROS/First+Time+Configuration) doing a clean i...

felixka

Some chipsets support PPPoE hardware acceleration (such as Atheros IPQ806x). Don't know if MikroTik uses it though. Most of the time you're running PPPoE at a payload MTU of 1492 so there will be packet fragmentation occurring on your router. That will be enough to prevent these packets being fasttr...

felixka

Anyone have any information on whether this issue will be resolved in upcoming firmwares or not? :? As far as the erroneous insertion of DSCP flags on VLAN interfaces (which I believe is underlying this issue) is concerned I have confirmation from Mikrotik that the issue will be fixed but that ther...

felixka

MTU

Interface | MTU  | L2 MTU
br_wan    | 1500 | 1514
vlan_wan  | 1500 | 1510
ppoe_wan6 | 1480 | -

I use the following for Bell Canada and it gives me an MTU of 1500:

Interface  | MTU  | L2 MTU
ether1     | 1520 | 1534
br_wan     | 1520 | 1534
pppoe-out1 | no value set (default)

felixka

After upgrading my RB4011 home router, SSH sessions to remote servers don't work. To make them work again, I have to set on the SSH client another IPQoS (e.g. cs1). Is it normal? I have a ticket open regarding this: SUP-63430 Support is saying they cannot reproduce it. Support was finally able to r...

felixka

Just received a reply on my open ticket SUP-63430. This ticket relates to DSCP marked traffic not passing through in the PPPoE/VLAN tagged scenario. Support asked to me to test something and it looks as though I was able to confirm a possible bug they are seeing in their lab now as well. It seems th...

felixka

The first new question for the ROS 7 exams is which one of the three legitimate ways to configure the PPPoE client on a VLAN-tagged interface does not trigger a non-reproducible bug regarding not forwarding DSCP marked packets.

felixka

This problem appears to occur only in the ARM architecture, I bet that when you copy your entire config to a RB2011 or CCR1009 it will work just fine. That would have to be both ARM and ARM64 because the RB4011 is 32 bit and the RB5009 is 64 bit. It would be interesting to see if the CR2004-16G is ...

felixka

After upgrading my RB4011 home router, SSH sessions to remote servers don't work. To make them work again, I have to set on the SSH client another IPQoS (e.g. cs1). Is it normal? I have a ticket open regarding this: SUP-63430 Support is saying they cannot reproduce it. My debugging so far tells me ...

felixka

If everything you are doing now is working then I would not recommend to upgrade. I use a CCR2004-16G-2S+ in production with L2TP/IPSec VPN clients and I haven't found a definitive answer in the forum yet if the newest 7.1rc7 does not cause the router to reboot when these VPN clients connect. I also...

felixka

Is AES GCM not being hardware offloaded for IPSec on RB5009 a bug or is this simply not supported? AES CBC is offloaded just fine.

felixka

For what it's worth, I'm running an Optcore OSP10G-8503DCR on my RB5009 with 7.1rc6 and it works just fine with the default settings.

felixka

Yes it is.

felixka

The 10.255.255.1/30 network essentially provides two IP addresses: 10.255.255.1 and 10.255.255.2. These are there to facilitate the routing between the two endpoints on the tunnel. These should be chosen such that they are "out of the way" of any of the other subnets you're using. You are ...

felixka

So I figured out it had something to do with my PPPoE internet link being VLAN tagged in my router. Moved the VLAN tagging out to an external switch and put the PPPoE link directly on the ether1 interface untagged and the problem went away.

felixka

Maybe fallout from this:

 *) wireguard - do not consider WireGuard interface as ethernet;

felixka

You can choose to participate (voluntarily) or stick to the older versions and wait for v7.9.4 with fewer bugs and problems.

True for those who own older hardware that supports the 6.x release train. Not true for those who have bought any of the more recent products that will only run 7.x.

felixka

For now, 2 VLANS need to get shoved through a VPN to my cottage somehow. Will it take more than 1 VPN? perhaps 1 VPN per VLAN? I'm just trying to conceptualise this. VLANs are Layer2, IPsec is Layer 3. You can route all your home traffic through one tunnel and then separate it into VLANs again in t...

felixka

Somehow the workarounds do not work for IPsec encapsulated SSH traffic.

felixka

Could you please enable it on RouterOS ? Now its normally included in linux kernel. What do you mean with "its normally included in linux kernel"? Where in the kernel exactly is it "normally included"? Support for 2500Base-X in Linux is mostly ethernet driver specific at this po...

felixka

My issue of not being able to SSH out seems to be a bug that was fixed in 7.1beta3 but seems to have resurfaced.
viewtopic.php?p=885937#p885937

felixka

I'm seeing this issue again on 7.1rc4. SSH works using the -oIPQoS=reliability workaround but not without it.

felixka

I can confirm that the RB5009 can be powered using the Ubiquiti 802.3af Injectors while still maintaining a 2.5GBase-T link.

I can also confirm that the SFP+ does not support 2500Base-X (relevant for people that use certain GPON SFP ONTs that allow syncing at that rate).

felixka

Merely someone here posting a tc -s qdisc show with cake output showing some drops or marks and backlog would make me very happy after waiting all this time for mikrotik to catchup Hi Dave, fancy seeing you around here! Thanks for your work in ridding the world of bufferbloat! Unfortunately, Mikrot...

felixka

It failed me today. So, no.
Maybe tomorrow.

felixka

So my ISP put me out of my misery of using a SFP GPON ONT and gave me an ONT box with RJ45 for the handoff. Yet, the PPPoE on VLAN with MTU 1500 is still not working for me on 7.1rc4, SFP ONT or Ethernet to the ONT box. The PPPoE link comes up with MTU 1500 (outer VLAN interface is MTU 1520 and unde...

felixka

Yes: viewtopic.php?p=880437&hilit=offloading+ipv6#p880437

felixka

Unfortunately the CCR2004 has no USB or SD card interfaces so you cannot expand the storage.

Not entirely true. The CCR2004-16G-2S+ does indeed have a USB 3.0 Type A port. The CCR2004-1G-12S+2XS does not.

felixka

I would like to invoke @msatter for our obligatory PPPoE / SFP+ MTU > 1500 on RB4011 test

I assume it's still broken unless it's covered under " *) other minor fixes and improvements;"
Would test myself but I just started my workday and can't mess up my Internet right now

felixka

The PPPoE through a SFP still drops back to a MTU of 1480...it was fixed in Beta 6.49 so please patch ROS 7.x also.

Just chiming in again that I can second this. Thanks msatter for testing

I always look for your reports.

felixka

Got it to work for my setup where the Omada device is on a static IP and the Mikrotik RB4011 is on a dynamic IP, initiating the IPSec tunnel from it's side. TL-R605 Firmware: 1.1.0 RB4011 Firmware: 6.49beta46 Here are my settings: Mikrotik side: /ip ipsec profile add dh-group=ecp521 enc-algorithm=ae...

felixka

I, too, have been unable to make this work between a TL-R605 and an RB4011 running ROSv6.46. The Mikrotik router tries to establish a Phase 2 tunnel but never receives a reply from the TP-Link.
This Omada stuff seems to be very early stage right now.

felixka

Although I don't know what their priorities are, one issue that i might see with where you place #1 is that to finish porting everything that is in v6 (meaning the various kernel modifications), they would lock themselves down to a particular kernel version. They might have to redo the modification...

felixka

*) rb4011 - fixed SFP+ port MTU setting after link state change; *) rb4011 - improved SFP+ port stability after boot-up; I can confirm that I can now reboot my router and have full MTU 1500 PPPoE internet without having to: Manually unplug and re-plug the GPON ONT SFP Manually fiddle with the MTU o...

felixka

Hope this will also stop the router crashing when you change the MTU of an interface. I appreciate your test reports as we seem to be having the same issues. I'm with Bell in Canada and they also use baby jumbo frames on a SFP ONT with PPPoE. So I see the same crashing and MTU issues you are seeing.

Search found 83 matches