MikroTik

smyers119

After upgrading to 7.12 and 7.13 there seems to be a bug preventing multicast packets coming in on zerotier. I use to have ospf running between hosts over zerotier link that no longer work. when doing a packet capture, the mikrotik does not receive ospf hellos but the other end does. Rulled out fire...

smyers119

You never say what your having a problem with, this is a pretty typical setup. What your trying to do is covered in the mikrotik documentation.

smyers119

Explain more of what your trying to do. What you showed that the isp gave you, and what your doing in your config does not match up. Where is this vlan 990 coming from?

smyers119

Seems you all are being affected from this known bug: viewtopic.php?t=185237

smyers119

Same issue but with EC25 US Version

smyers119

Check here, this article has a good example for ipv6 firewall, it's geared for isp's but will work fine for your needs. https://www.rfc-editor.org/rfc/rfc4890

smyers119

If you want to filter icmpv6 then follow this RFC https://www.rfc-editor.org/rfc/rfc4890

smyers119

Think of zerotier like connecting your device to a l2 switch. so if you connect your router to that l2 switch as long as you have routing and the firewall done correctly you can access whatever you need to. your not going to find a big speed difference between the two..

smyers119

have you tried a ssh socks proxy?

smyers119

did you turn SIP helper on/off? That's usually the first thing to try here. I keep all conntrack helpers off so it's less code packets need to be evaluated for which = less cpu

smyers119

you have two isp's coming in on the same interface??

smyers119

rx pauses on both interfaces watching to tv-s. pfifo should be configured on these interfaces? how big the value should be for start? pfifo starts off at 50. I would double it until there is no pause frames, then drop it by a quarter until there is pause frames. Then you'll have your ideal bucket s...

smyers119

i see RX pauses only. If i turn off the FC and turn on the HWO, i see RX overflows on uplink

rx pauses on which interface?

smyers119

I would try and use the pfifo queue and keep upping the bucket size until you get rid of the pause frames.

smyers119

It show's that combination in the brochure, and even mentions that specific combination in the product description. Did you try it and are having problems?

smyers119

are you seeing drops/errors on the 100mbps interfaces??

smyers119

any of the interface queue's should not effect fastrack to anything but that interface

smyers119

the hardware queues's aka ring buffers work with fastrack. and holds about a 100packets.

smyers119

Are you running any qos? have you tried turning on the basic queueing for the 100mbps interfaces / bridges?

smyers119

related: viewtopic.php?p=966414#p966414

smyers119

mikrotik already has a checkbox to enable rfc3164 compatibility.

smyers119

I've been ignoring this post because this is a good example of the XY problem , Instead of coming here with a problem needing solved, you came with a solution for a unknown problem that you can't make work. And as always with these types of posts you'll never get anywhere until you take a step back ...

smyers119

Just confirming you have referenced the current documentation and understand the changes that were made with route filters. it's "completely" different in v7.

smyers119

Have you referenced the help documents?

https://help.mikrotik.com/docs/display/ROS/PPPoE

smyers119

there is also BSD syslog standard RFC3164 <--which mikrotik definitely supports (needs to be enabled)

smyers119

Syslog is a standard, and as such all messages no matter the vender should be in the same generalized format. See RFC 5424

smyers119

Any chance of a duplicate ip somewhere?

smyers119

have you already referenced the official resources? if so what specifically do you need help with?

smyers119

My ISP router would be connected to ETH1 and each subsequent firewall representing a separate customer would be connected to the next available port, meaning Firewall 1 would go to ETH2, Firewall 2 would go to ETH3, etc.. Each firewall would have its own dedicated public IP address from my /27 ISP ...

smyers119

Why did you pick MPLS? Is MPLS already used in this network? What features from MPLS are you hoping to use to fix your problem, which you have done a horrible job of describing? My interpretation of the problem: Connect two networks together in a redundant fashion using a layer 3 protocol. Am i right?

smyers119

Well seems ipsec/l2tp/vxlan = 50Mb, and wireguard/vxlan = 70Mb.

Last thing to try is ipsec/gre/vxlan.

then pick whatever is the fastest.

smyers119

Hi Sob, thanks for the reply. Mikrotik-1: [admin@MikroTik] > ip firewall nat print detail Flags: X - disabled, I - invalid, D - dynamic 1 chain=srcnat action=accept src-address=192.168.55.0 dst-address=172.29.20.0/24 log=no log-prefix="" 2 ;;; default configuration chain=srcnat action=mas...

smyers119

This problem is well documenteds in the already available resources

smyers119

you can look at ansible. same thing as you stated but they dumb the scripting down.

smyers119

Flex link is still a layer 2 redundancy. I thought you don't have layer 2 control.

smyers119

What if you used this or this or this. It's made to receive the correct wavelengths.

smyers119

See this thread for helpful firewall learning links from me and @anav.

smyers119

your source port is never going to be 53 when your doing a dns lookup, therefore it makes sense those 2 bottom rules did not work. and for the first rule the input chain would not be consulted on traffic going through the router.

smyers119

have you reviewed the readily availably docs? Route Filtering had a big logic change from v6 to v7.

smyers119

I want to provide instantaneous response time to any fault wiithin the main interconnecting cables between buildings in the site..., Do you control the devices between the buiildings? If so you can set up snmp monitoring between all the devices and achieve the same result. I personally do not think...

smyers119

IPSEC/GRE/VXLAN seems like a lot of overhead as well, but it doesn't look like mikrotik supports layer 2 gre. what kind of problems are you having with eoip? I guess if I was having problems with EOIP my next thing to try would be Vxlan as well.

smyers119

Do you have a MPLS backbone between the two datacenters? If not then why is VPLS even a option? Seems like a lot of overhead for a simple p2p vpn.

smyers119

Probably should of researched the answer to that question before you switched in the first place.

smyers119

sounds like something you could easily automate with anisble or the likes.

smyers119

if you control dns in this scenario, just have the dns point to your internal proxy for those websites listed.

smyers119

Maybe a diagram of what your trying to accomplish will help us understand what your trying to do.

smyers119

If the SIP helper ALG is on turn it off, and retest. if it's off then turn it on and retest.

smyers119

Not enough information.

smyers119

You really have not given us enough information to formulate a helpful response. But in general I would introduce you to the "router", the router was created from the soul need of connecting layer 2 networks together.

smyers119

To understand why you need to understand how the firewall works. you can use the already available to you help documents from mikrotik to find the answer and pay special attention to here.

smyers119

post your config. sounds like you've done a lot of wrong stuff. there is no nat or port forwarding involved for zerotier. If you have default firewall rules the easiest way to get this to work would be to add zerotier1 (or whatever you named you zerotier interface) to the LAN interface list.

smyers119

Hello, is the pwr-line feature of the hAP lite stable? I'm wondering because I could not find this feature on the product page https://mikrotik.com/product/RB941-2nD-TC . The documentation was not enlightening either https://help.mikrotik.com/docs/display/ROS/PWR+Line . Thanks & best Quote from...

smyers119

first thing i would do is confirm whatever device I am testing from is actually able to create 10Gbps of packets to begin with. Maybe test on a loopbak? or more preferably isolate 2 hosts on 1 switch and test between them Next I would check my STP settings, you have a lot of duplicate pathways betwe...

smyers119

Please search KB docs for answers before posting in forum.

https://wiki.mikrotik.com/wiki/Manual:IP/Cloud

smyers119

https://help.mikrotik.com/docs/display/ ... 3%28PCC%29

smyers119

Please make sure search current help documents so your not asking questions already answered.

https://help.mikrotik.com/docs/display/ ... figuration

smyers119

please refer to this table

if you use a compatible encryption algorithm and hash then it will be offloaded, if you don't then it won't be.

smyers119

AllowedIPs= 0.0.0.0/24

This means the only allowed ips are 0.0.0.0-0.0.0.255

I doubt that's what you actually meant to restrict it to, as that will not match anything

smyers119

To understand what's going on with this packet you need to understand basic networking.

Here is a video that will hopefully help you, if you still have questions please ask for clarification. (I didn't actually watch it myself)
https://youtu.be/cn8Zxh9bPio

smyers119

https://wiki.mikrotik.com/wiki/Manual:S ... e_Protocol

smyers119

Looking at this further vrf might be easier. Just create a voice vrf and add both eth4.1558 and vlan 58 to the vrf ip vrf add name=voice interfaces=[interfaces] place-before=0 then create your vrf route (EDITED wrong command before) ip route add dst-address=0.0.0.0/0 gateway=10.11.12.19@voice routin...

smyers119

You can accompish the same thing using simple policy based routing in mikrotik. Although with the way you obfuscated ip's both private and public, is the worst way you could possible do, makes it 10x harder to try and follow along and offer help. Please fix if you require further help. https://help....

smyers119

v7 commands are documented here.

smyers119

ptp communicates using multicast. ptp is not meant to span across geographic locations. This is against best practice and you are not going to have good results. "care must be taken when extending PTP. Varying latency across a WAN can compromise PTP accuracy as the PTP mean path delay is consta...

smyers119

"This option is only honored if the hostname for the client machine is not set."

smyers119

create another instance, filter ospf-in redistribute ospf from first instance

smyers119

You currently route ipv4 right? It's the same concept. What are you having an issue with?

smyers119

Yes the routers can route.

smyers119

Did you not look at the test results, which gives you a pretty reliable dataset on what to expect

https://mikrotik.com/product/ccr2216_1g ... estresults

smyers119

What is your source of this "technically wrong" Because from what I see in the technical standard IEEE 802.1AX-2008, there should be a locally unique identifier That is correct. Locally unique means the SYSTEM ID is unique to the local L2 device. In the case of MLAG, the System is really ...

smyers119

Problem 2. Somewhat related as it helps get you to a solution. You run different LACP system-IDs on every bonding port by default. This is technically wrong. The LACP system-ID should be the same for the entire chassis (And as such, the same for all MLAG peers). It bears no relevance to the underly...

smyers119

So.... what do you think ECMP is?

smyers119

Quectel EC25-AF

smyers119

Until you hear back about the speed problem are you interested in alternative solutions to your problem? There is plenty of other ways to extend your layer 2 network that may not take as much of a speed deficit as vxlan, assuming there's nothing you can do about that.

smyers119

So....based on what you posted You create a ipsec tunnel then created a gre tunnel MT ---------------ipsec tunnel -------------- CISCO \-------------GRE Tunnel -----------------/ I don't think that's what you meant to do. Usually the GRE tunnel is encapsulated with IPSEC so your data is secure. What...

smyers119

Quectel EC25-AF

smyers119

what interface do you have zerotier bound to?

smyers119

So it just seems Win10Home doesn't have this option at all. Even installing gpedit doesn't give all the full-featured QoS management. I did not know windows 10 home had those limitations. I guess I was wrong and your way as convuluted as it is, is the current best way to deal with this, while using...

smyers119

The software is ClickOnce, this is a deployment technology that enables you to create self-updating Windows-based applications that can be installed and run with minimal user interaction. Applications that are deployed using ClickOnce technology are restricted to a set of permissions and actions th...

smyers119

Is this from a windows pc?

smyers119

For desktop. Make a firewall address list of all viper desktops on windows 10 go to group policy editor computer --> windows settings --> Policy based QOS (right click and create new policy) Create a firewall rule that matches your dscp value you put in windows and route it where you want it to go.

smyers119

The changing destination Ip's have nothing to do with this problem. I don't think you understand how much your over complicating this. This is super easy. For the desktop all you need to do is go into advanced firewalling and change the dscp for that viper application. then you can route based on th...

smyers119

If Viber is the problem, do not use generic title... https://commons.erau.edu/jdfsl/vol12/iss2/11/ Since @extended made this 10x easier, now you know what to do. Firewall list with Viber users. PBR based on ports from article with source address of firewall list. (I would do a packet capture to con...

smyers119

If Viber is the problem, do not use generic title...

https://commons.erau.edu/jdfsl/vol12/iss2/11/

Excellent resource. Thank you for your contribution.

smyers119

I can think of at least two different ways to do this that would be better then your way. Let's get some more information. Is Viber running on phones or desktop?

smyers119

What problem are you trying to solve? guarantee there's a better way

smyers119

WOW just WOW, Did you not even read my post? of course i did the normal troubleshooting how else do you think i zeroed in on the DHCP service. No I will not be posting my configs as the configuration is not the cause of the issue, I will quote Yet again I have Multiple CRS 328's configured the exac...

smyers119

Before diving into this can you pick one of the latest stable firmwares (6.48.6, 6.49.4,7.1, 7.1.3) and then get back to us and let us know if it's still a problem.
note (make sure the firmware not just the softrware gets updated!)

smyers119

Thanks, that is the trick. Strange this reverse logic. I was trying to find the syntax and/or explanation of the error text line but was not able to find anything. Doesn't have to be I was going off what you already had, below should also work. if(CountRegisteredClientsTable() > 210, "Number o...

smyers119

Note: up=no value so it should be:

try:

if(CountRegisteredClientsTable() < 210, "", "Number of WIFI Clients above 210! ")

smyers119

It seems some people connect their Mikrotik routers via this configurations that I don't access to them.

If you say so. Good luck

smyers119

That's a dmvpn, which mikrotik does not support. The only non cisco device that can do that is vyos (that I am aware of)

smyers119

I am on 7.1.3 and both ipv4/6 routes show up in winbox.

smyers119

zerotier is not available on all models and thus a cautionary offering.

True, but it can be spun up on, and ran off of almost any linux box. but then your adding complexity, cost and reliability issues.

smyers119

I would pay the money for zerotier if I were in your shoes. Zerotier can seamlessly use all links and does all the hard work behind the scenes. It's a SD-WAN type solution which is exactly what your looking for.

smyers119

That sounds like a management nightmare. Most people use dmvpn for such a use case. No matter what you do, your going to want to automate everything. if you can script then use your language of choice, if you can't then look into ansible. good luck, as that's a huge undertaking

smyers119

A 301 is a permanent redirect, why wouldn't you just point to the new url? cause its a script to download script in a case of global updates on many routers. I can change 301 redirect to any hosting I'll get at that time I dont know where download part will be at that time Again a 301 is for permin...

smyers119

What problem are you trying to solve / troubleshoot

smyers119

Just an update i found something similiar to what cisco offers in the documentation they may help you. This would only apply to the crs series. https://help.mikrotik.com/docs/pages/viewpage.action?pageId=103841835 priority-to-queue (priority-range:queue; Default: 0-15:0,1:1,2:2,3:3) Internal priorit...

smyers119

how are you sumarizing? with

/ip ospf area range

??

I am assuming your cisco is the ABR?

You have left out so much information it's impossible to help at this point.

smyers119

did you change the default password?

smyers119

A 301 is a permanent redirect, why wouldn't you just point to the new url?

smyers119

Have you consulted the help articles?:

https://help.mikrotik.com/docs/display/ROS/NAT

smyers119

have you done any troubleshooting? Looked at the logs? If so what is in the logs?

smyers119

so post what you figured out so far, and where your having problems.

The forums are here to help people, If your not looking for help, but instead looking for someone to do it for you then say so. I am sure there is plenty of people willing to do so for the right price.

smyers119

did you try a a static lag?

smyers119

windows computers by default block pings that are from different subnets.

smyers119

Actually L3 checksum is unusable in this scenario. With IPv4 there is checksum, but covers only IP header without payload. In IPv6 checksum is completely omited, L4 is expected to cover it ... indeed TCP and UDP include checksums (UDP checksum in IPv4 is optional but in IPv6 it's mandatory), which ...

smyers119

Many L7 protocols rely on the network to properly calculate checksums while sending and receiving individual packets. ....... There is a slim chance that this is a network issue (yes it is possible, but not probable). there is multiple redundanct checks throughout the layers. On Layer 2 you have Cy...

smyers119

This is not going to be a network problem. Assuming they are not using their own proprietary network stack the most likely source is going to be in layer 7.

smyers119

On the edgerouter set the router-advert for that interface to advertise as the default route. Then mikrotik will learn it automatically. You should be using the link local address for the default route, that may be why your having a problem, but first way is better solution.

smyers119

version, firmware? try to make sure you are adding all pertinent information for people to troubleshoot.

smyers119

I have 400 APs that need to be connected to the RADIUS SERVER, do you want me to input the IP ADDRESS one by one?

Your the only guy I know that has fit 400 access points in a subnet with 255 ip's. Absolutely Amazing! What's your secret?

smyers119

you'll want to look into enabling fastpath as well https://wiki.mikrotik.com/wiki/Manual:Fast_Path EDIT: I just seen your using queue's, that's probably the source of your high cpu and limiting your growth. Per specs: Mode Configuration 1518 byte 512 byte 64 byte kpps Mbps kpps Mbps kpps Mbps Routin...

smyers119

Did you specifically set connection tracking off aka

/ip firewall connection tracking enabled no

if not, adding a firewall rule automatically turns it on.

smyers119

you'll need vrrp with load-balancing (setup in a failover configuration) bundled together with a custom script.

smyers119

But when I do the similar process on a Mac

What is that process?

Is there any symbolic links on server or client?

smyers119

I think you need to look up what an ip address is, and then you may understand why that is not valid. specifically you will want to research the difference between a address and a subnet mask

smyers119

Good Day My customer has a network for their office PC's, Tills, Scales, and Camera systems (10.0.0.8/24) They have most of their Computers static IP, as well as their IP Cameras and NVR's. Their ISP Router supplies the DHCP for any clients with Dynamic IP. However their Camera Provider also has an...

smyers119

That's not how read that article at all. Note this portion: By default (when no routing-mark values are used) all active routes are in the main table, and there is only one hidden implicit rule ("catch all" rule) that uses the main table for all destination lookups. The implicit catch all ...

smyers119

Redistribution into an NSSA area creates a special type of link-state advertisement (LSA) known as type 7, which can only exist in an NSSA area.

smyers119

And you are correct, not only did I forget I did not know of that limitation. My first pc ran Windows 3.1, and I had no knowledge what RAM even was / or how it mattered back then. I guess nibble and minesweeper just wasn't that worried about it. I don't even remember when RAM became a issue, but it ...

smyers119

Now that we have 64 Bit systems we have forgotten how it use to be :) The 2 GB limit is a real limit for systems running 32 Bit as is a limitation from the 32 Bit address space. https://en.wikipedia.org/wiki/2_GB_limit So my assumption here is that PAE is not used thus limiting the memory to 2 GB h...

smyers119

CHR supports more RAM and also will work faster in any case. The recommendation is not silly at all. It's silly because the OP came here asking to get his current setup to work better, not asking for recommendations on upgrades. The "upgrading to a better system then it will work better" ...

smyers119

RouterOS 6 x86 is 32-bit only. Use CHR on KVM/VMware/HyperV for running 64-bit. 32bit can handle up to 4gb of ram. why the silly recommendation of going virtual? A 32bit machine can not visualize a 64bit machine. @OP, why leave the most important piece of information out... how much RAM is on the s...

smyers119

SLAAC works on layer 2, and does not cross routed interfaces. I am not aware of any helper or relay to bypass this limitation, but one may exist. usually people get prefix's delegated for their internal subnet's through a dhcpv6-server.

smyers119

As stated above you can NOT do this. (with bonding)

smyers119

GNS3 is not able to simulate a layer 2 link loss. It's not a routeros issue.

smyers119

I was able to test this in GNU3 with 7.2r1, and can confirm same results. I researched it on the GNU3 forums and apparently it is a known limitation that even though you disable a interface on 1 router the other router still see's the link as up/up.

smyers119

I think that the problem does come from the emulation layer in EVE-NG : I suppose that the layer 1 physical Ethernet protocols are not emulated. (for exemple port speed negociation). This mean that when i disable the ether3 interface on R4, R1 ether3 interface does not see that the Ethernet link is...

smyers119

Confirmed this is against RFC: 5.3.12.3 When an Interface Fails or is Disabled If an interface fails or is disabled a router MUST remove and stop advertising all routes in its forwarding database that make use of that interface. It MUST disable all static routes that make use of that interface. If o...

smyers119

I am going to research this, as I am pretty sure that shouldn't happen and may even be against RFC. That route should be invalid as soon as the interface goes up down. you should not need bfd.

(tested and confirmed that is the way it happens in cisco packet tracer)

smyers119

as a last note, it can cause problems using public ip's that you do not own in your network. You should only be using RFC1918 ip's in your network.

smyers119

I would still consider this a bug though as it shouldn't be arping for an ip that is not in a directly connected subnet (IMHO) it should only try icmp.

smyers119

If I remember correctly cisco enables proxy arp by default. So I suspected that was the issue. disabling it should solve your issue.

smyers119

can you post the route tables in both the failed state and normal state. and also your test configs would help as well.

smyers119

Is it only me who considers this to be a potential security risk, exposing some configuration of the router to every device on the network?

It's only a security risk if you configure it like a security risk

smyers119

I have no idea what those settings are doing on the MT. Remember I have not pushed any traffic yet from any other devices onto the virtual LAN. So its not a concern at the moment. I fully expect that the missing gap MUST be done at the zerotier network level not on my MT devices. For instance lets ...

smyers119

According to the docs it only supports snmpv1.

https://help.mikrotik.com/docs/display/SWOS/SwOS

you may be able to use ACL's to restrict source ip's

smyers119

Your looking for a default route or "route of last resort"

/ip route add dst-address=0.0.0.0/0 gateway=1.2.3.1

smyers119

....you don't have any config on mikrotik for bonded interfaces.

smyers119

I am thinking I need to go to ZT advanced settings and put in a route. Destination is 0.0.0.0/0 via ZT IP address of the Server ROUTER. However that will send any traffic on the ZT virtual LAN from any other node/device NOT JUST the ServerClient device and its specific subnet traffic to the Server ...

smyers119

conflict detection sends out a icmp and arp and if it receives a response from either one labels it as a conflict. I would run a packet capture when this happens and find out who is responding,

smyers119

I am thinking I need to go to ZT advanced settings and put in a route. Destination is 0.0.0.0/0 via ZT IP address of the Server ROUTER. However that will send any traffic on the ZT virtual LAN from any other node/device NOT JUST the ServerClient device and its specific subnet traffic to the Server ...

smyers119

well, it's definitely not Zerotier then. what's your RouterOS?

My test topology:

PC -->Microtik<-zerotier->opnsense in cloud-->internet

results: (maxed my upload speed)
speedtestzt.PNG

7.1.1 RB4011

smyers119

@smyers119 is there a way to test speed only to my mikrotik and not the NAS ? wireguard performance is not that better either. i think something's wrong with the router.. did you test your tunnel? My test topology: PC -->Microtik<-zerotier->opnsense in cloud-->internet results: (maxed my upload spe...

smyers119

That sounds all MT and NO ZT for setup. It wont be ip addresses it will be a subnet. No need to mangle, source address is the subnet but will use Table and Route rule. But how to get this subnet via zerotier (from client router) to server Router and to the server routers internet. I know how to man...

smyers119

smyers, how do I connect a subnet on one MT router (acting as a client node), to go out the WANIP of another MT router (acting as a server node) through zerotier, That is what I have not been able to figure out? Then I will test that vs a wireguard connection I already have doing the same thing. Th...

smyers119

Let me see if i can try and speed test my zerotier tunnel and get back to you, (not that it helps since i am using rb4011)

smyers119

I don't see anything that would cause a speed problem in your config. Zerotier support is still in the works, so maybe it's something on mikrotik's end. The only thing I have done different is limit the zerotier instance to running on my WAN, and instead of making specific firewall rules for zerotie...

smyers119

Can you post your sanitized config.

smyers119

Zerotier goes through the ZT network, if your physical location is remote, and there are no ZT root servers nearby, it can be slower. You can read how it works here: https://docs.zerotier.com/zerotier/manual A wants to send a packet to B, but since it has no direct path it sends it upstream to R (a...

smyers119

1. no your router is not secure

2. l2tp does not provide encryption, so no it is not secure. it is usually tunneled through ipsec. wireguard would be easier then openvpn.

smyers119

when you see a ff:fe, that means that it's EUI64 generated from mac. Since this is a layer 3 tunnel it doesn't appear a mac address is generated (I checked by creating a tunnel and using /interface/print) Though it is creating the ipv6 address based off this mac FE:FD:00:00:00:00 (if my math is corr...

smyers119

For some reason routeros does not support something so simple. But you should be able to do something similiar. under bridge filter you can mark the packets, then create a queue that prioritizes those marks. This will probably take some experienting to figure out.

smyers119

I am having the same problem with Webfig going to the terminal after login and giving a 404 error if I click on the Webfig button. Recent changes to my RB3011: - Update to v7.1.1 - Reset the Router - Imported .rsc config file. - Created a skin without the Quick Set button (I would assume that cause...

smyers119

remove this rule: add action=drop chain=input comment="Drop everything else" Tried this, but no change. The only other difference I see is that my estab/related rule also allows untracked, which is the default config. Try adding that to your estab/related rule. Also, no change here. I am ...

smyers119

Why should he drop that rule? He has all the rules prior to that allowing traffic from the LAN side. He even doesnt need the specific NTP rules because above that rule he has the one that allows all VLANs, FULL ACCESS to the router and all BASE...... your trying to troubleshoot a symptom of the pro...

smyers119

The only other difference I see is that my estab/related rule also allows untracked, which is the default config. Try adding that to your estab/related rule.

smyers119

remove this rule:

add action=drop chain=input comment="Drop everything else"

smyers119

let me browse threw your firewall. stratum 16 means it's not synchronizing.

smyers119

what does /system/ntp monitor-peers show?

smyers119

I am kind of disappointed I can't set it to pull multiple servers from the pool though

smyers119

I am not able to reproduce your problem. It should not be a firewall issue as you don't need to add any extra firewall rules. It would fall uinder estab/related traffic [admin@router1] /system/ntp/client> print enabled: yes mode: unicast servers: time.nist.gov freq-drift: 0 PPM status: synchronized ...

smyers119

Adding routes for mikrotik is covered in the help doc's , but I don't think that's what you actually want since the tik already knows about the network. You want to add a route in your zerotier network that points to your tik. If you can't figure out how to do that you may want to ask a zerotier for...

smyers119

That sounds correct, your network can not communicate with the device directly, it needs to go through the repeater. So the repeater is the next layer 2 hop before it gets to the destination.

smyers119

OSPF 100% broken after update.

Not seeing neighbors anymore.
Check if you use authentication ..
In my case this was the problem, neighbor is ros6
I just remove it .. for me this was not requirements (legacy config) so i did not do future tests

Thanks, no auth here.

smyers119

I didn't have time to troubleshoot, but on upgrade ospf stopped working. Was unable to view any routes/nexthops from cli or winbox. downgrade to 7.1 fixed the problem.

smyers119

Easiest way to explain zerotier is it's a virtual managed switch. So the possibilities are limited to only your imagination. you can do all the above and then some. I have not had that good success incorporating mobile devices. (I don't have iphones to test just android)

smyers119

I had a similiar problem, upgrading firmware and factory resetting fixed it. In my case it happened after a power outage which i think corrupted the config. It was still reachable by mac on winbox.

smyers119

SIP helper modules are best disabled. SBC is meant to be the outside device, it's the equivelent of a firewall for VOIP. If your filtering traffic going to the SBC I guess that means you don't have any remote-worker phones set up.

smyers119

https://labs.ripe.net/author/babak_farr ... s-traffic/

smyers119

As a mikrotik enthusiastic and network engineer since 2012 i have setup hundrends of clients with routerboards. I like mikrotik because it has all networking options to touch and configure. Well at 2020 i cant even make a simple pppoe bridge and some bugs which make some configurations to stop work...

smyers119

You are wasting your time, I do this for a living............. A BUG moron! Not YOUR BUGS!! The problem set describes the operational impact to your work due to the bug.......... That provides context to how the feature (singular) is NOT working and how it is preventing your configuration from work...

smyers119

Well the ref quoted does say "your issue" which is singular, not my fault you are illiterate and provided multiple issues on one ticket.

I know your trying to redeem yourself, but your just not there. Maybe next time.

I highlighted the important parts for you.

ticket.PNG

smyers119

The onus is on you to learn how to report issues, not for Normis' team to respond to each ticket and user etc.............. I think the whole point of "support" has eluded you. If there is any type of specific requirements/rule's they need to be told to the end user requesting support bef...

smyers119

(Moved Post) Here is an odd one I am chasing after. My test router at the shop has Zerotier 1.6.5 on it as the RB3011 is running 7.1rc4 The router we put at a the bosses brother's has Zerotier 1.6.6 on it, as the RRB3011 is running 7.1 Both have Zerotier bridged to the bridge The RB3011 with 7.1rc4...

smyers119

Each ticket is assigned a category and then handled by a specific specialist. You can't just dump all kinds of random issues into one complaint, this is why your ticket got stuck in the system. Please report each bug separately. Maybe pointing that out when it was first noticed would of been more p...

smyers119

I had issues on the last beta and now again with 7.1 in that Zerotier on my RB3011 becomes unresponsive. Other devices on the same Zerotier network are still contactable. About every 5 days I need to disable the Zerotier interface on my RB3011 and re-enable it again. However my RB3011 is bridged to...

smyers119

Sometimes I can login via Zerotier and sometimes not. This is definitely a bug in Mikrotik ZeroTier. I consider this not reliable. There is still work to be done. I have not had one problem with zerotier. If your on the firewall rule in winbox then you are going to mess the rule up, as zerotier is ...

smyers119

Mention it here. Start a new thread.
Most likely someone encountered the issue as well.
Maybe some even know a work around already...

As you can see in the picture of the ticket, all the issue's started in the forums and went unanswered so they got upgraded to official support.

smyers119

I am not looking for a timeline of a fix, just an acknowledgment of the problem and whether they can reproduce it or if I need to provide more info / try some troubleshooting steps.

smyers119

I am new to official support, It say's 3 business days, but obviously that's wishful thinking. Can someone experienced give me the average wait time for such a request.

Thanks,

tiksupticket.PNG

smyers119

Reference this article, to hopefully help you better understand what's going on.

https://help.mikrotik.com/docs/display/ ... c+Concepts

smyers119

do you have a firewall rule allowing the connection? post firewall config

smyers119

You'll find your answer here:
https://help.mikrotik.com/docs/display/ ... c+Concepts

smyers119

DHCP Options tab

Is where you add your dhcp options.

DHCP Options set tab

is where you would group options together that are located in dhcp options..

Network/dhcp-options(-set)

Is where you add the options (or sets) you created to the subnet of your choosing.

smyers119

Are you stuck at ExStart on the state? I had this issue and did a rollback to get it working again. Created supout and reported it today.
I think OSPF still needs some love to get to a good state.

I have a rb4011 with ospf and ospfv3 running with no hickups.

smyers119

I don't see any error's in the log's you posted. How about posting the sanitized configs for the routers your trying to get connected as neighbors.

smyers119

To be clear, I'm not asking about RouterOS (I simply dont need most of the RouterOS functionality, so prefer SwOS to keep it lean). What do you think your gaining by "keeping it lean" If you don't need most of the features then don't use them. MLAG is currently only supported in RouterOS,...

smyers119

I don't think it's unlikely that your third-grader may have picked up a lot of technical knowledge in passing. You can't expect the whole world that have that knowledge. One may hope that forums like this will spread some of that around. This single option is buried among 25 others, many of which a...

smyers119

The "switches" product page on Mikrotik's site currently lists 25 items, of which only one fits, and you're getting upset because the OP didn't find that 1:25 item, belittling him for missing the 4% solution? I'd say we should congratulate him if he did find it! I am not congratulating an...

smyers119

Hello, I have a question about speeds on mikrotik switches, as i saw on the product pages, only 10gb ports are the sfp+ ones, so my question is if there's a mikrotik switch that can do 10gb with cat 6 on regular rj45? ... Did you even look? https://mikrotik.com/product/crs312_4c_8xg_rm .... And als...

smyers119

Tracing route to download.mikrotik.com [2a02:610:7501:1000::204] over a maximum of 30 hops: 1 <1 ms <1 ms <1 ms 2601:XXXX:XXXX:f06:c6ad:34ff:fef8:d6e0 2 7 ms 7 ms 7 ms 2001:558:4033:74::1 3 8 ms 8 ms 8 ms 2001:558:12:1fd::1 4 8 ms 8 ms 11 ms 2001:558:10:5d6::1 5 * * * Request timed out. 6 38 ms 31 ...

smyers119

On other venders you can increase "maximum-paths" 2, to enable ecmp. I was looking through the options in ROS CLI and could not find something similar.

smyers119

You are correct that is not how OSPF is supposed to work! But when a Cisco certified network consultant first adds 10.0.0.0/8 in OSPF network and then proceeds to add /30's within that ip range with OSPF interfaces network-type=point-to-point, It had me wondering if this was best network configurat...

smyers119

I am running ospf with no issues over here on 7.1 # dec/07/2021 07:05:32 by RouterOS 7.1 # software id = IZUY-SLWC # # model = RB4011iGS+ # serial number = /routing ospf instance add name=default router-id=10.172.255.1 /routing ospf area add instance=default name=default /routing ospf interface-temp...

smyers119

You should open a ticket with Mikrotik with the supout.rif, does seem like a bug. Not sure how folks can help if so. I am not clear on bug reporting etiquite in this community, but according to this post, The forum is the correct place for beta releases. Is 7.1 still considered beta? https://forum....

smyers119

See an ARP with a different IP isn't necessary "wrong" from L3 POV – multihoming. It's only wrong from a ROS "packet flow"/policy prospective. And, how the ZeroTier package approaches discovery on the ROS is not document by Mikrotik & ZT only has a high-level overview of how...

smyers119

My router appears to be acting appropriate on the WAN [[REDACT]@router1] /tool/sniffer> packet/print detail 0 time=33.477 num=1 direction=rx src-mac=00:01:5C:92:AA:46 dst-mac=FF:FF:FF:FF:FF:FF interface=eth1 protocol=arp size=60 cpu=0 1 time=33.529 num=2 direction=tx src-mac=C4:AD:34:F8:D6:DF dst-ma...

Search found 235 matches