MikroTik

loloski

/31 is not supported natively by 6.49 I think /31 started on v7.17 if I were you make a lab and test

loloski

Since there's no roadmap or anything we can just cross our finger hoping the v7 routing engine is robust enough to accommodate all this Enterprise and SP features that most of the users is waiting over the years.

loloski

this really depend on how you want to handover the service and IP, the easiest way is make a PPPoE server and route the /32 public IP to your customer, there's no sense to route /30 to them since it will consume 4 address to your existing ip block, another possible option if you are using v7.18 at l...

loloski

I'm one of the hopeful on this EVPN stuff I hope one day we can build spine and leaf architecture for DC at cheaper cost, this will bring a lot of value to MT if it was done right at the first time I sincerely hope this time that they will implement this as complete and robust solution, not like wit...

loloski

Also when I enable l3-hw + fasttrack, I make some rules in the switch ruleset to "redirect to cpu" the IP ranges that I want to nat. If I dont do that, they cannot enter the conntrack. really? why it's not mentioned here or the docs is outdated how do you find it out? https://help.mikroti...

loloski

Though this work I'm just wondering is this the optimal way to do it? why configure the vlan using bridge filtering whilst this kind of device the vlan should be config in switch menu? or the vlan tagged interface could also attach directly to ether1, i'm just curious thanks!

loloski

yes for definitely use this as a starting point https://www.youtube.com/watch?v=CCbVzl6WtF0

loloski

I have a similar nic card with you link to CRS317 with a regular DAC cable (non-mikrotik) and it works fine for LibreQoS

loloski

In addition to what the other said here use /31 to your advantage specially if you use v7.18 /30 still using 4 address and use private IP as a point to point mechanism inside your network that's how we conserved V4 address

loloski

make sure you are not behind a NAT/CGNAT subnet from your ISP and also make sure your 192.168.88.253 host is reachable via routing

/ip/firewall/nat
add chain=dstnat action=dst-nat to-addresses=192.168.88.253 to-ports=80 protocol=tcp dst-address=your_public_ip dst-port=80

loloski

Before ROSE came to life there were lot of V6 features still not ported to ros v7 from simple to the hardest one e.g proper routing filters comparable to V6 I can keep on and on, what I personally want to say make v7 comparable to V6 first or even better no feature left behind from V6 then after tha...

loloski

Make routing and switching as your priority and lastly whatever your heart desires you will see it makes a lot of difference, make RouterOS great again ahahhahahaaha

loloski

@mrz most of the people here buy high-end devices from you guys from switch to router and we expect that it will work properly if there was a bug we expect that each bug was fairly treated even though it was hard to fix don't assume always that it was a config issue or user error, we notice that you...

loloski

That's not the case on my end please see attached if you will notice before that rule I punch a hole in the firewall to explicitly open the ports i want because it was close by default

1.png

loloski

For sure you have to align the MTU otherwise it won't form adjacency it will stuck to exStart status, thanks for the tip anyway

loloski

If you use the default firewall this will drop the connection regardless of the port that's why you have to define your LAN subnet in the interface list that's why you have to define what are the ports you want to open prior or before hitting this rule, factory default firewall rule of MT is sane an...

loloski

If you run portscan internally that's expected try to access does services externally you won't be able to open it does ports you have mentioned assuming your host-inbound firewall rule is correct if your firewall rule is misconfigured you will be able to connect to does port from external but will ...

loloski

This is geared toward a switch with limited router functionality, please export your config and paste it here so that other people can help you this device is under power to be a router but give decent performance as a switch

loloski

since you don't provide anything, try to change the cable first

loloski

ECMP 90% of the time it works for us but we are having issues with HTTPS some sites behind the L7 load balancers is kicking us in the butt, in the old days where HTTPS is not that common compare to what we have today, we used netfilter module SAME to workaround this. how about NETMAP in conjunction ...

loloski

no offense I hope what you are saying is true because from my perspective evidently more and more people is getting frustrated on how thing is going in terms of development which matters (for our use case), even though we moved most of our gear to other platform MT has sizable portion of our network...

loloski

As per normis they are working hard on ROSE features/stability on 7.19 and 7.20 so I guess no progress on routing,switching and hwoffload features I hope I'm mistaken

loloski

Ok thanks it means i was under the rock these days, it's good that they have an official product now that support e-Sim I hope even the cheaper once will have this in the future

loloski

What are the MT product that support e-Sim? or this is just preparation for the future release?

loloski

even cloudflare same thing i've seen this kind of behavior i'm not judging I'm just stating the facts since this is not mandatory so that's fine I just turned it off, I have 12 upstream in a single box I rotate each every ISP there's always a timeout one way or another.

loloski

I recreate the same step as you mentioned and I press the undo button the removal of loopback interface wasn't reverted only the eoip interface that i create to reproduce the bug was reverted, good catch with the bug

loloski

viewtopic.php?p=1140349#p1140349

The interface loopback can be deleted kudos to the OP, to restore lo in my brief test you have to perform /system/reset-configuration no-defaults=yes this is not only for 7.19 i test this on 7.18 same bug

loloski

Indeed the lo interface has been deleted this is nasty bug, to restore lo this is what i do

/system/reset-configuration no-defaults=yes

loloski

since day 1 this DoH implementation in ROS v7 is shaky at best for the same reason you mentioned

loloski

I was able to achieve full cone NAT on RouterOS 7.13.5 using the following NAT rules:

This doesn't work for some reason are you sure full cone nat is working properly as advertise? will dig more

loloski

I think fischerdouglas pov is please fix VRF implementation in general in preparation for the future together with L3HW offload, imagine you are doing EVPN + VXLAN with VRF and no hardware offload support? just to give context. I think he was saying VRF with hardware offload is not an after thought ...

loloski

yes discard option is not optional features and should return in v7 at least in OSPF if they can't do it in one sweep and later in BGP, I personally haven't seen an official response on this with Mikrotik, just wondering why other vendors can do it, what's so special with ros v7 code base that this ...

loloski

I got a deprecation type of response from mrz on this ticket so it won't moved forward I just wonder why there are still some fixes being push through if v6 is totally deprecated, I could understand if recent code drop to v6 is purely security issue related fix which is not. I'm not questioning thei...

loloski

once wifi interface was involved even it has switch chip it will processed by the cpu anyway.

loloski

remove one port from the bridge example ether5 and use that as your management interface while you are trying to get your head around it, so that you won't get lockout if bridge vlan filtering was on and not yet configured the switch to your liking and access the device via mac address in winbox, ju...

loloski

set Route Comment is not working properly as it should, when you set the "Action" to accept it will show the route comment when you set it to reject it will show the comment and it appears to work correctly but when you re-login to winbox the comment will disappear again just like with the...

loloski

try to moved to other ports just for troubleshooting or update to latest v6 LTS release, normally MT hardware has long life i'm still not convince it's a hardware issue and also paste your whole config here

loloski

I resolved this by reducing MTU from 10218 to 9566, now both rosv6 and rosv7 is happily working as it should

loloski

Background All routers and participating switches jumbo frame is enable and it works great All Ros v7 routers participating in OSPF with BFD enable established adjacency,exchanging routes and it works as expected Issue Neighbor Ros V6.49.18 stuck in Ex-Start (if BFD is enable) cycle between Ex-Start...

loloski

ping from where?, try to isolate the issue by changing the cable first and make a basic config before you jump to conclusion that this is a hardware issues

loloski

ahhah I hope that's not case whatever noise gather here shouldn't affect the development task at hand, personally i want them to succeed their hardware is good just got side track for lots of unnecessary distraction due to self inflicted decision. @MT if you truly start the development of EVPN + VXL...

loloski

Honestly they have to do something big or small because this will be a recurring theme that someone is high jacking this release thread hoping to convey/share/discuss or event rant out of frustration just like what we are doing now :) the irony is MT is getting angry when someone high jacking this t...

loloski

Who wants to help I can provide hosting space and use freedns for the domain, I can provide bugzilla/mantisbt or any other bug tracking tool that makes the job done just let me know, but first we have to know if Mikrotik is also on-board with the idea otherwise this is futile.

loloski

Not directly. There is an option to use BFD as a gateway check for static routes but it is not yet implemented fully. It does not create BFD session, it can use only existing BFD sessions created by other routing protocols. @ MT care to share if MT developer plans to finish what's left in the BFD i...

loloski

best to show your config so that someone might take a look into it, make that a habit in Mikrotik land

loloski

I already file a feature request they just close it and say mikrotik just support LNS end of discussion, so it means you have to look elsewhere

loloski

:global nexthop ([/ip/route/check dst-ip=1.1.1.1 once as-value]->"nexthop")
:put $nexthop

loloski

oh my..... my bad it was an april fools joke sucks to be me hahahahaha who knows MT make it reality it means we are back to reality of push and pull

loloski

ehehehe, I'm looking forward for the new 15 developers just onboard with MT will make a real difference and concentrate on more pressing issues (L2,L3 and HW offload stuff) rather than what you have mentioned above :). I hope this is real news rather than gossip

loloski

It's ok to wait as long as you have confirmation that they are being tackled or acknowledge being develop, I hope this essential features will come to fruition in my lifetime

loloski

Another thing to observed with 7.16 and up release, accessing MikroTik device with PPPoE enabled server with ROMON is a hit and miss most of the time you will get disconnected with winbox3 while it's working fine with winbox4 I can't report this as a bug because not sure where the problem is but it'...

loloski

I have one CRS317 when you access the Switch -> Qos -> Port menu is crashing winbox3 while it's working properly with winbox4 the weird thing is my other CRS317 is working as expected anyone seen like this? not entirely sure if this is bug or just local to my setup

loloski

Since you don't put a network diagram here, I assume that this could be a hairpin NAT issue please make a small diagram so that other can help you out, assuming proper routing was in place you can also solved this issue using split horizon DNS

loloski

after my ccr1036 firmware upgrade and a restart the memory slightly elevated consumption around 1.1g but it stabilize there I hope this will continue

loloski

You could research on Sangoma that's what we used in the old days I don't know if this works with x86 MikroTik PC never try them

loloski

@MT to give you context on why we need some sort of transparency here is this, we are about to consider to buy some CRS354 because we are considering mikrotik for a pet project rather than considering juniper / arista for our project that requires MLAG I can't make a decision upfront because this 35...

loloski

Fair enough but you can still control the things if you want it too like just list all the confirmed bugs that you triage and all of us outsider can just take a look. ros_version ticket_id title description status_code created_on will_be_fixed_on_version? this are the fields that is needed status_co...

loloski

supout.rif attach to the ticket can be hidden if that's the only concern, if they can program the linux kernel they can easily do that for sure don't they? I think this will greatly help them along the way

loloski

@MT quick question I hope if you don't mind asking, what's your rationale why you don't have public bug tracking system where everyone can chime in or at least can lookup what ticket are open / close or about to get fix or invalid, so that everyone has a valuable insight if they are affected by the ...

loloski

same no dice [admin@MikroTik] > /interface/veth/add address=2001:db8:1:1:1:1:1:1/64 gateway="" gateway6=2001:db8::1 name=example [admin@MikroTik] /interface/veth> :put [get example value-name=address] 2001:db8:1:1::/64 [admin@MikroTik] /interface/veth> /system/resource/print uptime: 2m2s v...

loloski

nice one kudos to you!

loloski

nope this should be finished under 5 to 10 mins tops, you can try to reboot the device

loloski

Out of memory condition. CCR1036 just updated at 7.18.2 from 7.18.1 I can concur this sucks for just 2 days uptime after the upgrade the memory it consume is insane, normally the consumption is under 1g, we don't have any use case anymore with mikrotik except for BRAS mikrotik please fix this don't...

loloski

deleted

loloski

if only mikrotik can make RB5012-2S+ that would be perfect for his requirement hahahah just kidding!

loloski

well, you can't have your cake and eat it too. there's no hardware accelerated NAT on 326 compare to 317, your 326 is a switch with limited routing capability rule of thumb in MT world if it's a router don't make it a switch if it's a switch don't make it a router

loloski

It's a good switch why not you can turn on hardware off loading for inter-vlan routing, but put a router in-front like RB5009 as a start to handle your upstream traffic going to internet

loloski

They can't easily outsource it even though they want it too, I strongly believed they document their code base using their language so it's hard to get / poach some people from the industry that can do smart coding having good oral and written communication in their language at the same time. I thin...

loloski

We are lucky we moved our edge to other platform and we don't have to deal with this BGP situation anymore our use case now with MT is more limited (BRAS) but still crucial with our daily operation and our bandwidth management moved to OLT and libreQoS at least MT doesn't rob my sleep anymore, I hop...

loloski

you can use e-worm comprehensive script available at https://github.com/eworm-de/routeros-scripts you don't have to code anything

loloski

chain=srcnat action=masquerade

It's not a bug it was as designed, there you have NAT/Masquerade

loloski

@MT any chance on fixing BGP sessions refresh on winbox3 just like how ros v6 behave?, I have a group of engineers that we train as part of Knowledge transfer and none of these engineers seen MT in the past, they were really impressed on what MT can do but awe at the same time with this kind of cosm...

loloski

First off all you are doing it wrong, in HEX there's a different way to configure VLAN what you are doing is for CRS3XX

Try this
https://www.youtube.com/watch?v=Rj9aPoyZOPo

loloski

form a private network using zerotier together with the other participant and spawn your private server inside zerotier network and you are done

loloski

Thanks for detailed observation and explanation on the issue, this will be very hard to tracked down and fix from MT because this can be a TCP/IP stack issues with the kernel they are currently using with ros v7, I can feel you and most of the time I also got frustrated that there were more pressing...

loloski

*) net - remove support for automatic multicast tunneling (AMT) interface (introduced in v7.18); I'm fairly confused here if this is not ready why it was available in both CLI and Winbox normally if MT is cooking something it was always available in CLI first until it was ready for prime time, now ...

loloski

and if yes the fix is underway as per other forum user that encounter and raise the same thing :)

loloski

Do you happen to report this to support and what's they response?, I have multi-gigs of traffic between 3 to 6 gigs but with fasttrack turned on, can you elaborate more on the issues do you encounter packet loss or high cpu usage perhaps?, thanks I'm also interested on your finding because there wer...

loloski

Time to netinstall that device

loloski

Create a separate VLAN with DHCP and make a firewall rule that you are accepting host inbound traffic (INPUT Chain) on port 80,22 or 8291 whatever your preferred management protocol and done or use VRF it's not hard you just have to know your way around with MT VRF approach let assume your ether5 wi...

loloski

True Huawei and ZTE is king you can easily pass on the cost to customer without much trouble specially in this trying times

loloski

Router 5 ports, wifi6, etc. its price is about 99 USD. This will be very hard to justify with the management to make substantial inventory for FISP specially the Chinese brand around the corner cost 15 USD (landed cost) if you have volume of course, not to mentioned you have single POTS/FXS as a bo...

loloski

Never seen like this with MT on both v6 or v7, try to change cable first and re-observed

loloski · Re: after upgrade to 6.49.18 CPU Spikes Nope, it remains the same here 1.PNG

Nope, it remains the same here

1.PNG

loloski

This is WoW if it's true, if the cost of this unit is between 18 to 20 USD this will fly in Asian Market otherwise this is DOA

loloski

# Create Bridge /interface/bridge/add name=bridge1 # Add port on the bridge assign ether1 as vlan 100 and ether2 as vlan 200 /interface/bridge/port/add pvid=100 interface=ether1 frame-types=admit-only-untagged-and-priority-tagged /interface/bridge/port/add pvid=200 interface=ether2 frame-types=admi...

loloski

This is the precise reason why we moved to other vendor, because no solution in plain sight for some features that we need as SP, best of luck to MT specially now they are doing EVPN which will open another set of can of worms (I hope for the better) this MPLS stuff for sure will going to push back ...

loloski

Try this instead this is not meant to be complete at any form just to give you a working example Create a VLAN in the bridge # Create Bridge /interface/bridge/add name=bridge1 # Add port on the bridge with pvid=10 let assume pvid=10 LAN vlan /interface/bridge/port/add pvid=10 interface=ether1 frame-...

loloski

ping your next-hop 192.168.128.1 if it's working check your NAT/Masquerade rule on that router and also why STP not RSTP? you forgot also to add br1 as tagged interface This is how you do it add br1 as tagged /interface bridge vlan add bridge=br1 comment=Service tagged=br1,bond1 vlan-ids=128 other t...

loloski

We have seen this behavior as well with winbox, but port 8291 was only exposed to management vlan and I'm the only one accessing the device during that time so this SYN flooding warning is just a fluke at least for me

loloski

This storage woes will not happen in the first place if only mikrotik don't offer 16MB flash in their product they can pass on this to consumer they are just crazy and masochist for shooting themselves on the foot for making an extra effort to fix this storage woes without wiggle room and in the end...

loloski

/ip/ipsec/policy/set src-address=0.0.0.0/0 dst-address=0.0.0.0/0 numbers=0

CHR goes in limbo if you enable IPSEC policy with this parameter, we just stumble this accidentally during lab.

loloski

how to undo this?
i was playing around , and i want to bring it to how it was, without /routing filter rule

sorry for late reply

/routing/settings/set dynamic-in-chain=""

loloski

This is very handy ip-service - show all TCP/UDP connections on the system; ip-service - show all TCP/UDP ports on system, including ports in containers; route - added options to set dynamic-in and connected-in chains in /routing/settings; This is very buggy and slow [rchan@Home] > /routing/settings...

loloski

I just commissioned this switch to semi production environment with ros v7.17.2 5 days ago I hope won't encounter this oddities

loloski

Well, this new ”cool toy” RDS2216 isn’t even playing the same sport as WAFL, let alone competing in 24x7x365 business-critical operations. I’d say MikroTik is in way over its head on this one and in a different galaxy than NetApp. 😉 They won't call this enterprise storage for no reason let them coo...

loloski

This is a new cool toy in the block, If you could beat the reliability WAFL filesystem and have snap mirror functionality which only transfer the delta update at the block level then I can easily convince the management to upgrade at least 10 ageing filer that we have which runs 24x7x365 downside (v...

loloski

hapac2.png

It's working on hapac2

loloski

I ask again for focus on: - Ensuring minimum resources, and also limiting them to a certain maximum, for control-plane processes. - Correcting and optimizing existing network protocols (VRF, L3VPN, 6PE/6vPE, BGP-LU, Flowspec). - Making Kernel bypass and hardware offload work in these protocols. - S...

loloski

That's odd if you have default route to 0.0.0.0/0 it means any definitely your are not going to encounter no route to host error, please check your routing table

loloski

I always encounter this if my ISP is blocking wireguard, my workaround is to replace wireguard with SSTP

loloski

Is this 7.19 material? I hope it does but will watch this in the background as a hobbyist

loloski

This will surely be an exciting release, lot's of changes across the board most notable changes mlag fixes, ipv6 fasttrack and /31 support

loloski

Normally you shouldn't hit this limit even for a loaded box like 1036 or 2116 except for some misconfiguration like your router is on the edge doing NAT and OSPF without area range summary / aggregate things like that is common as a beginner mistake this is one of the scenario i've seen in live envi...

loloski

There you go I publicly open this no need to ask for access, kudos to kevin for making this stuff

loloski

This is the copy of the VM

https://drive.google.com/drive/folders/ ... drive_link

loloski

I hope i have the same optimism with you, best of luck for 7.18 if they have a significant code drop for L2 features I already stopped believing

loloski

I personally want this in but I already loose hope if simple DAI "Dynamic Arp Inspection" L2 feature is not in the roadmap how much more on this, We don't really know what market segment they want to position themselves if they want to route/switch/IoT/NAS/storge the world who knows?

loloski

yes somehow but the switching capacity is very limited VS with real stacking solution on Cisco / Juniper and another pita if my memory serves correctly is MSTP and Double Tag Stacking

loloski

stacking on the other hand can go up to 8 switches with most vendors which support stacking.

Another missed opportunity with Mikrotik Stacking / Virtual Chassis in Juniper world is pretty much after sought feature

loloski

We already moved on for any advance L2/switching features go somewhere else this MLAG implementation of MT is not fully baked, we learned the hard lesson plain and simple

loloski

You need reverse proxy in TCP mode to do this, you can put haproxy or nginx as reverse proxy in a container inside the TIK or you can do it outside your router and make port forwarding

loloski

@normis I don't think that's practical on operation standpoint I also can feel their pain, can we revert or go back to 7.16 and moved on and don't touch that device-mode thing!, you guys are shooting yourself on the foot there are lot of people don't like where this is heading, just my 0.02$

loloski

Yep you can disagree with me anytime but it's happening, we can no longer wait for mikrotik to mature its routing and switching portfolio our company is now restructuring the team willing to let go some MT engineer not willing to be re-assigned or adapt other platform, MT not wanting to spend develo...

loloski

The future with MT is bleak anything with Service Provider solution my company accept that facts now, we are now going back to Juniper as much as possible and put mikrotik on some areas as we see it fit or put them in the shelves for eternity who knows one of these days they are going to land some c...

loloski

what you want is hairpin nat, just google it https://www.youtube.com/watch?v=1I5FywY6opQ

loloski

Hi fischerdouglas,

Let see how it will pan out in the end I hope the solution will not be half baked

loloski

That's one of the purpose of VLAN to segregate some subnet like your management VLAN where's the problem? don't put a router that will do inter-vlan routing for that subnet or better yet make a dedicated VRF for your management VLAN, I'm sorry if i failed to see your point

loloski

while we are on the subject of making winbox more mondern and useful how about also bringing back proper routing filters to streamline the process and still leave the current behavior/design for some power/advance users?, just my 0.2$

loloski

and also the set of icons is very fresh and professional I hope the skins is also align and haven't tried it yet :)

loloski

return back my esc :) and the tab vs dropdown should be user configurable and the rest is history, the UI is gorgeous eeehhheeh finally i say something good with MT

loloski

The application and the device that has to be manage was separated by wireguard vpn, L3 connection from ubuntu console where this application was installed to the device needs to be manage is workiing properly like ping and ssh but on the GUI of this application using scanner the device won't show u...

loloski

This is the broadstroke of what you want to accomplish at least on the side of mikrotik /interface/vlan/add interface=ether2 vlan-id=2 name=TRUNK-VLAN-2 /ip/address/add address=192.168.2.2/30 interface=TRUNK-VLAN-2 Just open winbox and launch terminal then copy and paste this will be a lot faster th...

loloski

Since MT won't confirm or deny if they are working on it, I presume this won't see the light and day I for one also hoping this will become reality because we have a lot of CPE (hapac2) will surely benefit from this but I'm slowly starting to accept that this won't happen and started to lose hope

loloski

Configure VLAN in switch menu since this is not CRS3XX series to utilize switch chip

loloski

You need a single vlan aware bridge to take advantage the switch chip and activate L3 hardware offload if you need intervlan routing, remember CRS is geared toward a switch with limited routing capability This is a great guide https://www.youtube.com/watch?v=c2sAA6jMjCY Mikrotik is very verbose comp...

loloski

After we recall this switch from production, we were able to identify what cause the reboot but we don't know how to reproduce this at will, the culprit is L3 hardware offload if we turn it off the switch is performing well In the lab this switch is for days now running without incident, we believed...

loloski

Use this video from network berg very straightforward 
https://www.youtube.com/watch?v=uVag_e475zc

loloski

There's no built-in support for reverse proxy, If your device has sufficient resource like RB4011 / RB5009 install container package and pull image like nginx or haproxy

loloski

VyOS CLI is pretty much the same with Juniper so I don't have problems with it, I just commissioned a box yesterday doing OSPF + NAT and it's working as expected with light load around 1G, what I'm really interested and want to see how does it perform with VyOS + VPP

loloski

Did you test VyoS 1.5 rolling + VPP addons how is it? anyway there's no excuse for me now to create a test environment since VPP addons is now available for testing

loloski

@ Tom I hope if you don't mind asking this question do you have current test setup at least with FRR + VPP how's the performance and any gotcha? I don't mind getting my hands dirty again to rollout pure linux solution as long as they are worth it. I'm also eyeing for VyOS but as far as i know they a...

loloski

Actually I don't think they can't do it, they just have a miss opportunity to hire good engineering talent because they require the developer to know their language as prerequisite I don't think it's a bad thing for them, but that will surely impact the hiring process. Honestly you are right they ar...

loloski

They can do it for sure they have R & D and programming team that can work hand in hand if they have incentive to do it as a business entity. This is just business decision after all if they gonna do it or not, just my 0.2$

loloski

They are going to be slave on fixing does you mentioned issues indefinitely if MT continue on their journey for what appears of not giving much attention to unit testing and somehow luck of leader / visionary for much of the codebase instead they just let the individual programmer to be the king of ...

loloski

priceless

interesting perfect!!

loloski

I don't think that feature is available in ROS today, you can kinda sort of emulate that via ros api whenever you are provisioning another BRAS but is clunky at least for my personal taste

loloski

How do you measure performance bandwidth test inside MT device or using iperf? how about distance and weather condition? i'm not pretending to be expert in wireless but that's the common theme usually ask by the expert here in wireless so that someone can point you in right direction

loloski

ROS is not possible to run on your QNAP device, if you truly want to experience ROS download CHR and buy a desired license for your use case and install it on your preferred virtualization platform like Proxmox,HyperV, and Vmware. Just wondering why you want to run ROS in your storage device though

loloski

I haven't notice anything unusual here...

loloski

@Tom, I do agree with you I hope whoever decides on the other side of the aisle also think the same way as you do, but evidently this is not the case here I think and firmly believed they have their own winning formula that they believed to make them thrived and Service Provider oriented product is ...

loloski

Isn't it counterintuitive for MT to push their hardware sales rather than CHR + VPP that's why it appears they are not interested to make this happen? I hope this is not the case I think most of the SP guys here including us is willing to pay for a reasonable price just to make this happen anyone ca...

loloski

Yes 200% because it's a regen site so network engineer was station there in any shape or form the roving guard stay outside the premises, I have no choice we have to replace the switch this weekend and continue triaging this issue in the sidelines, thanks for your time looking into I just hope there...

loloski

Potential problem with power supply ? Any chance to have that replaced by a spare (you should have a spare if it's critical equipment) ? Well that's next in my TODO list yes this is critical i'm going to send someone in the DC I just hate the ton of paperwork just to pull this out and replace :) Th...

loloski

The switch was indeed had been rebooted it was confirm with our NMS and the actual logs from the switch, the switch is running fine the traffic is around 4gb+ during the outage as per the zabbix graph and we have around 2 dozens of this switch in the field running 24x7 having almost the same traffic...

loloski

# 2024-07-29 13:12:15 by RouterOS 7.15.1 # software id = 1ZQI-INIS # # model = CRS310-1G-5S-4S+ # serial number = HDF0860Q6TP /interface bridge add add-dhcp-option82=yes admin-mac=18:FD:74:FE:43:7C auto-mac=no \ dhcp-snooping=yes frame-types=admit-only-vlan-tagged mvrp=yes name=\ DISTRIBUTION vlan-...

loloski

3Gbps traffic it usually sits about 75% CPU CCR1009-7G-1C-1S+ this is pretty much the max of this device and yes connection tracking will disable NAT/Masquerade CRS-326 is a switch with limited routing capability so it won't benefit you use CCR2116 instead the difference is night and day you can st...

loloski

This is the setup I use at home: hex S / RB760iGS as CAPsMAN + UserManager 3 cAP ax as access points controlled by CAPsMAN This setup only uses wifi-qcom and dynamic vlans using usermanager are absolutely working as intended. One SSID is wpa3-eap only using peap with dynamic vlans and I have two ad...

loloski

so what's with my avatar? it has nothing to do with you and it's there since day one, my opinion is mine alone I don't represent MT on any way shape or form and i'm not the only one using that kind of avatar

loloski

as per the above post this is not encouraging my hopes already sunk, 802.1x + 802.1q is pretty much standard in the campus/enterprise, I'm not a native english speaker so please bare with me with the question 802.1x + 802.1q + radius (usermanager/freeradius) with wifi-qcom-ac/wifi-qcom latest and gr...

loloski

wifi-qcom-ac? No, no dynamic VLAN assignment

ouch another mishap and potential savings is already lost, we got the speed we need at the expense of loosing another non optional important feature sigh...

Thanks for your reply anyway greatly appreciate it!!!

loloski

Does capsman + wifi-qcom-ac/wifi-qcom works with radius + 802.1x and VLAN?, aruba is so expensive for our needs but it works for us over the years, the project is few months away and it so small (10 x WIFI6 AP) and worth to take a risk and I do have enough time to do experimentation. Please could so...

loloski

This is really a sad affair only MT know what they are cooking behind the scene and release the code to the mass and hope it stick, you are the unlucky ones if the code they are messing up with broke your environment, honestly starting from 7.13 to 7.15.3 you have to have a separate semi production ...

loloski

However some years old x86 Xeon motherboards with VPP enabled Linux are sustaining 100-Gig network routing throughputs ( measured and verified ).

are you referring to FRR + VPP or something else care to elaborate more please?

loloski

- PfSense currently have a VPP software router ( TNSR on a Linux kernel ). I have heard that it is near 100-Gig wire-speed on good/modern x86 bare-metal hardware with newer PCIe # 100-Gig network interfaces. - Linux already has VPP options you can package install. - VyOS already has VPP options you...

loloski

@ OP / Tom We are in the same boat as you we are growing but in a much slowly pace as a side effect I think we can still wait at least a few more years to wait for VYoS or Bison Router to mature, any chance you can share other cost and effective solution you are looking into?, I hate to ask this sin...

loloski

I have a lot of deployment with more than 10 (1G individual connection) on a single CCR2116 with policy based routing but not with PCC since I don't have a use case for it and I hate that i can't predict where the customer traffic is being routed / natted from. In my opinion this PCC won't scale in ...

loloski

what you are asking for this little device is unreasonable, even if you made it to work this will surely crawl and grinding to halt

loloski

First and foremost CRS309-1G-8S+ is a switch with limited routing capability you will be disappointed that it won't hit your 1G mark, just my 0.2$

loloski

Well we are lucky because we are the ISP

, if you are a customer just get metro-e services from your upstream and be done with it

they will be happy to oblige whatever you need

loloski

our simple use case is just like this and we haven't gotten really far due to the said limitation apart from simple tag stacking we also need double tag stacking since we are offering last mile service https://help.mikrotik.com/docs/display/ROS/Bridging+and+Switching#BridgingandSwitching-VLANTunneli...

loloski

I don't know if this makes difference but can you replace your fasttrack rules with this

/ip/firewall/filter add chain=forward action=fasttrack-connection connection-state=established,related
/ip/firewall/filter add chain=forward action=accept connection-state=established,related

loloski

This is possible we have done this in the past but the performance isn't great specially if your intentions is to link your DC, all processing is done in CPU we used CRS317 before and we gave up so we are force to used Juniper instead just my 0.2$, this is another wish list from us that we don't kno...

loloski

Be sure you have ROA records so that you can be certain you were able to announce your prefix successfully, check for HE looking glass so that you can traceroute your PI address from various location and also if you are multi home make it sure that no one will use your link to become transit from ot...

loloski

if I entered a wrong password, instead of giving me an error of wrong password, it gives out Radius server not responding. It would have been nice if it gives the correct error message of invalid username and password. Is this normal or am I missing something? That's by design at least in ROS v6, I...

loloski

In as much as we want it too it's dead on the water already, DAI was closely tied up in DHCP snooping database and the customer will surely not going to do any manual task on this even though it's possible in Cisco and also as an Integrator you want a proper solution in the long run I'm just barely ...

loloski

I think the problem is you are using this on lower end device that's why the list won't populated try this on RB5009 it should work

loloski

Yeah, we lost the sales already and I can even look in the eyes of the customer, their CTO are willing to wait if only Mikrotik can/will commit a timeline but that's all a dream now they don't even reply to my support ticket with regards to this issue, sad it's hard to push them in the right directi...

loloski

No problem

loloski

Assumption ether1 is the port towards your ISP modem/media converter and vlan 735 is your assignment and the service handover to you is via a tagged/port, if you are having a hard time I suggest ask them to handover to you the service via access port so you just simply assign the IP to your interfac...

loloski

Indeed, this feature is not optional and MT should implement this feature soon most major brand support these

loloski

This is really scary whenever someone from the dev enhancing the DNS code base one way or another they always broke the dns resolver, can you just adapt other code base like tinydns/dnscache from djb or any reputable alternatives so that you can concentrate on more pressing issues and do what you do...

loloski

@MT Last week we are in the middle of presentation for a potential big customers and we stumble a requirement that caught us off guard, the potential customer want to migrate their ageing cisco catalyst gear to Mikrotik they are almost sold to the extent the purchase order is about to sign but the ...

loloski

@Apachez are you the same Apachez on VYOS forum, if you are I'm glad you are here too

loloski

 
 *) dns - added support for mDNS proxy (CLI only);
 *) ipv6 - fixed "no-dad" functionality;

finally we can test anycast now and mDNS proxy this is awesome any docs?

loloski

[adam@gw01] /interface/bridge> /interface/bridge print Flags: X - disabled, R - running 0 R name="bridge1" mtu=auto actual-mtu=1500 l2mtu=1584 arp=enabled arp-timeout=auto mac-address=D4:01:C3:0E:BC:7E protocol-mode=none fast-forward=yes igmp-snooping=no auto-mac=yes ageing-time=5m vlan-f...

loloski

On this beta the switch menu is present in CHR please hide it just like with the previous CHR version

loloski

We need both stability and new feature focus specially on service provider just my humbly opinion

loloski

*) bgp - fixed cluster-list and originator-id;

Cisco peer will now be happy

loloski

Am i kidding hell no! we are not a hobby shop and we need real stability on ROS I know money is hard to come by these days that's why we are lock into their ecosystem if we can motivate them by giving some premium or extra why not? a lot of small and medium size business depends on ROS whether we li...

loloski

@normis Don't you think it's about time to charge extra premium to ROS I know a lot of people is willing to shell out money us included and the money you gather on this can fund ROS even further to improve not only the software stack but to improved the product overall?, I hate to admit that sometim...

loloski

it's a network route the /29 that you hand over to them via PPPoE should be assign on their CPE as LAN IP and the /29 that you assign to your customer should be advertise going to your edge with your IGP of choice to make a proper routing /29 Public IP (X.X.Y.Y) WWW -> EDGE -> BRAS -> CPE 100.64.X.X...

loloski

+1 on this, I hope they won't forgot this important feature

loloski

if you have OSPF and assign some local address like 10.255.255.1/32 on loopback (lo) interface this is connected route is this allowed or not? or just the hardcoded (127.0.0.1) is not allowed?

loloski

use netmap instead of src-nat it will work

loloski

GR is not supported atm no one knows where this could be implemented

loloski

I believed if you are passing traffic less than 1G i think you are safe, I think someone test this on CCR2004 if my memory serves correctly they were able to get 1G speed, you can certainly try this on your environment before going live

loloski

even if it remotely possible don't do it because macsec and vxlan encapsulation/decapsulation is process by CPU for now, some of the marvel hardware is capable but the codebase of mikrotik does not support it that's what I'm reading here in the forum all the time look at what post https://forum.mikr...

loloski

Nope, can't reproduce your issue, did you try to remove your cache and try again?

loloski

I'm just genuinely curious can someone from MT camp/support can tell us why they are having a hard time to implement this very important feature for SOHO markets, if they can do it in IPV4 why not in IPV6 been using other gears for the last 5 to 6 years and never seen this is an issue, Is this purel...

loloski

you have private IP and it's being natted in the ISP router

loloski

Please check your main site

loloski

Indeed I agree with pe1chl, I once hit this limit 1000 customers with individual /32 learned route from OSPF because of a misconfigured BNG router i believed the router can handle more load if only this connection tracking is settable, not some magic dynamic hard limit based on free memory from the ...

loloski

that's how NAT works, it's a return packet from 8.8.8.8 going to LAN host that's why it's outgoing interface is ether1 which is your WAN interface isn't it?

loloski

@Infabo This is not a routing filter issue because the syntax is working fine, the issue that I want to raise is clear, if you apply that rule in in-filter-chain in OSPF instance, the adjacency between neighbor will teardown what MT should do is don't allow the user to set "gw-check bfd" s...

loloski

Thanks for the heads up, but it doesn't warrant why the adjacency between ospf neighbor will teardown for me it's a bug. I think the bug here is set gw-check bfd; when you just accept everything Adjacency formed and stable I file a support ticket for this https://help.mikrotik.com/servicedesk/servic...

loloski

I hope they don’t in this RC OSPF adjacency is tearing down if bfd is enabled and you have in-filter-chain in your ospf instance with this rule chain=ospf-in rule=“if(protocol ospf && dst==0.0.0.0/0) { set gw-check bfd; } accept;” I try latest 7.14 stable same thing in my understanding BFD f...

loloski

make a REST services/api that will post process the data after receiving from your MT devices, problem solved

loloski

Is that PPP accounting radius issue is not covered with unit testing so that you can catch that early and minimize releasing software that has birth defects? hahaha just kidding, I'm just curious

loloski

If this is in a corporate settings, talk to HR and help them craft a policy that watching youtube or doing anything outside the scope of work is subject for expulsion, we've done this and it works 100% of time sometimes technology is not answer for a modern tech world, just my 0.2$

Search found 654 matches