MikroTik

loloski

Thanks for heads up

loloski

*) queue - improved system stability (introduced in v7.6);

Can someone elaborate on this please?, thanks

loloski

using this RC in GNS3 you can't login via winbox it just simply saying logging even ssh connection it's not working :(, never seen this before

2.png

edit: webfig works

1.png

loloski

no-export will be passed to the peer in new routing version. But for v6, most likely it will stay as it is.

May we ask for the progress on this?

loloski

i'm afraid you have to netinstall and be it on site

loloski

Yeah it's working fine with cisco in GNS3

2.png

1.png

loloski

add bridge=main tagged=qsfpplus1-1,combo4 untagged=\ ether1,ether2,ether3,ether4,ether5,ether7,ether14,ether15,ether16,ether17 \ vlan-ids=1 for some vlans your ether1 is a tagged port but for vlan-ids=1 it's an access port for can you disabled this first and try again? not unless this is hybrid por...

loloski

I don't think if this will help you or not, but can you make a single vlan aware bridge and remove a bridge dedicated for the management?

loloski

that is expected PNET/GNS3 is just for lab/simulation only what do you expect? and even it can route properly, CHR is limited to 1MB only if you don't have a valid license, you can obtain a demo P1 license and try again if you are that persistent

loloski

I have higher chance of doing netinstall in linux VS windows 10/11 but if your hands are tied make it sure that you disable all lan adapters in windows except for the wired LAN and disable windows firewall to make it sure, ether1 is the port you are going to use for netinstall, In my experience you ...

loloski

I really love MT for what is worth and the value it bring to a lot of company startup whether it's big and small, but this wireless radio/driver issues and capsman drama makes a lot of users look elsewhere, luckily for us we don't have use case for wireless other than out of band management connecti...

loloski

I don't think check-gateway = bfd is already implemented

https://help.mikrotik.com/docs/display/ ... l+Overview

loloski

if this is the subnet behind cisco (10.0.0.0/24) via ether1 you are trying to reach? i would suggest make a point to point connection /30 between mikrotik and cisco like e.g 10.100.10.1/30 on ether1 and 10.100.10.2/30 on cisco and route the LAN subnet 10.0.0.0/24 to 10.100.10.2 ip route add dst-addr...

loloski

Please don't double post, I believed the issue here is the same with your other post which i reply as well It is common issue with new user is that they don't RTFM i believed it was mentioned in the docs that you should enumerate your WAN and LAN interface in the interface list , so that you are not...

loloski

you don't need NAT for them to reach each other make sure both raspberry pi and the pc has their appropriate default gateway and you are set, In the Router see to it the firewall rules (filter) in FORWARD chain should allows this two subnet 10.10.1.0/24 and 10.10.5.0/24 to traverse, if you do have a...

loloski

to be honest it would be better if you ship the logs to a remote syslog server and parse it from there like a small VM perhaps, you have full blown scripting language at your disposal when it's outside MT device, even it's possible you have to store it somehow the previously stored e-mail for post p...

loloski

I redo this using eBGP approach between PE BGP is up OSPF is up VPLS is up and still can't ping

, i'll attach all configs except for CE1 and CE2 because they are just static IP

1.png

loloski

Hard to say without full config dumps, but yes, the P router should just do two things: ospf underlay to learn/export loopbacks of each PE loopback and LDP/MPLS enabled on both interfaces facing each PE. Then eBGP signalling from PE to PE with AS900 and AS901 should work. I just tested this again i...

loloski

This works for me, it worked but not really great because you still have ros v6 at play

1.png

loloski

I have a similar post to you, as per some folks here they said v7 has still some bug in VPLS even though everything seems right the VPLS tunnel is up IGP is up and BGP sessildons is all up it still won't work... If you really want to make VPLS work make the P router as Route Reflector with v6.49.X i...

loloski

If you are behind a CGNAT you are mostly out of luck, there are few ways to overcome this with various degree of hassle / difficulty on your part option A first get a business line and ask your ISP to provide you /30 or /29 V4 address or even better get IPV6 address allocation option B pop a VM to a...

loloski

This is mikrotik forum, you can instantly google it if you need to

loloski

Draw a diagram or find a way to better explain your issue so that others might be able to help you

loloski

it's either use static routing or use IGP like OSPF so that each router will learn each router's loopback address and also you don't need a separate bridge to emulate loopback interface lo is now exposed by default on 7.14.2

loloski

Yeah you are both right it's unrelated i follow what clambert suggest i change the "P" address to something else the passive flag is gone and still not working

, thanks mrz for the confirmation

loloski

Thanks a lot for the post at least i have a workaround for now running the "P" router in ros v6. I can now finally rest literally

and replicate this combo in production, I hope this VPLS issue will get the right attention it deserved and finally put to end

loloski

I recently learnt there are folks who opt for eBGP based networks and played with it, in my lab, I ran BGP signalled VPLS with eBGP and no route reflectors, loopback IPs for BGP peer with OSPF underlay. And it works fine, no problems. I redo the lab and try your approach it doesn't work because the...

loloski

@Darknate

Thanks will try that approach, I think mikrotik knows this that's why they don't want to create an LTS release yet because v7 still not feature parity with V6

loloski

I think this is an LDP issue after all because with v6.49.14 all LDP interface in P1 is in DO (Dynamic,Operational) state while in v7.15b9 it's in DOp (Dynamic,Operational,Passive) I already file a bug report SUP-149275 I think i'm one on a few if not many encounter this issue, this is really a sad ...

loloski

I redo the whole thing and change P1 to v6.49.14 and it work, my conclusion is v7 BGP RR + v7 BGP signal VPLS is not working, but v7 route reflector alone is working as advertise.

@ MT could someone from your end confirm this behavior?

1.png

2.png

loloski

your diagram/networks It's fine as it is but really depends on what you are doing and trying to achieve, but i will do it differently because public ip is very scarce i will conserve it if i have to as much as possible, if some servers or workstation can be behind a NAT i'll do it.

1.png

loloski

This is really red herring I’m just going in circles, could someone please confirm if BGP signal VPLS with rosv7 route reflector still not supported till this day? Just a hint will do thanks

loloski

There are many ways how to make a VLAN in mikrotik, even if it works it doesn't mean it's correct because if you are doing that on non CRS 3xx series it will consume CPU, so be careful

loloski

You need a trunk port on both router and proxmox, this is how you are going to do it if your equipment is a CRS 3xx switch this is device specific , this is just a bare minimum and assume that your tagged port is ether1 [admin@RT] > export # 2024-04-04 22:01:36 by RouterOS 7.15beta9 # software id = ...

loloski

Please check if you are blocking OSPF incorporate this rule with your existing firewall

ip firewall filter add action=accept chain=input protocol=ospf

loloski

Good day to all, i want to migrate our small production MPLS/VPLS setup to v7 but before we do that we want to lab it first with GNS3 but I hit a snag, all bgp session is up and VPLS interface is all up but can't seems to pass tagged vlan100 from CE1 to CE2, all mtu on all participating LDP interfac...

loloski

Yes 2216 and 2116 is a different beast :) I hope MT support would be able to help you out along the way

loloski

We don't do NAT. Everything is routed, there's one forward chain FW rule to deal with private addresses. Sure there are ~1000 queues, but it is, as you say, a big box! (for our heavier traffic we've moved In our experience 1072 is more suitable as edge router doing BGP and OSPF only and disable con...

loloski

+1
+100 for EVPN/VXLAN

We can dream on

loloski

Please create a different thread so that others might be able to help you and by the looks of it is this a one big box doing everything how about NAT? if yes you might rethink your strategy

loloski

Please check if this is not a cable issue (check for negotiated speed on port) or You need better device like RB4011 or RB5009 if you need SFP interface, otherwise you can opt to choose hapac2 at least for less pricey option

Please see MT test result page

1.png

loloski

IS-IS is available for v4 and v6 as early as 7.13.3 if my memory serves correctly in CLI not winbox though

loloski

just use zerotier + romon is much simpler and use routing if you need to reach LAN subnet, just my 0.2$

loloski

I hope this 7.15 release once become "battle tested" in the field will become the LTS release this is long time coming and badly needed

loloski

MVRP appear to work correctly on my initial test :) I can't hold my excitement the vlan is withdrawn automatically in the other switch if for some reason a specific vlanids is no longer in-use :)

loloski

Any progress in this front please or we just keep on dreaming?

loloski

well first look for the obvious, check your disk space

loloski

try this first

https://help.mikrotik.com/docs/display/ROS/PIM-SM

loloski

Will try that in the future

loloski

Today we are monitoring this in our NMS periodically via SSH is there any plans that active-ports and inactive-ports will be available via SNMP? [user@POP1-R2-CORESW] > /interface/bonding/monitor numbers: 0 mode: 802.3ad active-ports: sfp-sfpplus1,sfp-sfpplus2 inactive-ports: lacp-system-id: 78:9A:1...

loloski

Thanks I hope the workaround is soon to be implemented

loloski

I've seen in Normis post since they are not using their in-house Wi-Fi driver anymore they can jump on the wifi7 band wagon with ease, I guess the demand will only be the limiting factor here time will tell of course

loloski

Shameless plug, I personally use e-worm collection for this purpose https://github.com/eworm-de/routeros-sc ... reboot.rsc

loloski

It is not possible to leak "main" connected routes and be able to reach local addresses.

May i ask if it is fixable in the future or it is what it is?

loloski

I attach the config from "P - Router" to wrap your head around on it. a friendly tip read the routing table entries per VRF for you to grasp the concept, feel free to ask if you have question

loloski

Actually this easy a few routing rules and routing adjustment to your environment it's done, People think this is hard because they don't know how routing works there are two ways to achieved this in RouterOS by using routing rules or mangle for a start you should watch this video to get the concept...

loloski

I found a way through trial and error and I don't think i know enough how VRF works in MT in low level because there's no documentation at all just config snippets

1.png

loloski

The protocol is intended to be compatible with other vendors, but it is still undergoing testing to ensure compatibility. Let us know if you have any feedback. Will going to test this thoroughly if it's working properly with CHR, I don't have a spare equipment at the moment to lab this up in actual...

loloski

It seems the limitation is real you can't reach a subnet subnet if the flag is not "DAC" / directly connected even though it is reachable in Main Routing Table. What a bummer, in other platform this is well supported I hope this limitation has a fix in sight :(, This is really unfortunate ...

loloski

I slightly modify the topology and have a loopback address 10.0.0.1/32 on R1 so in theory I should be able to reach 192.168.50.1 and 10.0.0.1/32 from C1 and C2 if this this route leaking feature was really working as advertise

1.png

loloski

I don't think that's the case look carefully the VRF and the routing table of main evidently 192.168.50.0/24 on ether4 is on main routing table and it's working properly

1.png

loloski

+1 on this, this is game changer for wISP

loloski

@MT quick question if MVRP implementation is working properly in the next few beta/rc, is it compatible with other implementation like Juniper or it will never be?

loloski

Yes RouterOS lite it is and allow big files like drivers (wifi-qcom/wifi-qcom-ac) or any extra package to be loaded in external place like USB if present in the device. /* Dream On */

loloski

Substitute to your real subnet 1.png [admin@R1] > export # 2024-03-26 10:18:18 by RouterOS 7.14.1 # software id = # /interface vlan add interface=ether1 name=VLAN1530 vlan-id=1530 /port set 0 name=serial0 /ip address add address=117.1.1.218/29 interface=VLAN1530 network=117.1.1.216 add address=117.2...

loloski

Hooraahh... i made it to work the routing entries for subnet 192.168.50.0/24 the gateway should be the ether4@main

1.png

loloski

I believed there were similar request in the past that rp_filter can be turned on/off per interface but nothing come up to a fruition from MT camp

loloski

I now add a routing entries to each VRF that I think might solve the issue but still is not working, the C2 router can reach internet and VRF_CUSTOMER-A and VRF_CUSTOMER-B but not 192.168.50.0/24 subnet in the main routing table of the Provider Router

1.png

2.png

3.png

loloski

1.png 2.png This is how far I go from R1 192.168.50.1 using this routing rules above I was able to reach 192.168.0.1 and 192.168.1.1 but not the whole subnet I know I'm missing a routing entries for 192.168.50.0/24 subnet in both vrf_cusotmer_a and vrf_customer_b routing table to make this work I j...

loloski

In Ros v7.14.1 Route leaking between VRF is so easy I just follow the Simple VRF Setup in the mikrotik documents and it works like a charm, however the docs never mentioned or give a snippet config on how to leak between the VRF network with the Main routing table on the Provider Router https://help...

loloski

Draw a basic network diagram including vlan assignment so that we can easily help you, I just interpret what you said

loloski

You need reverse proxy for that like nginx or haproxy, you can do port forwarding on port 80 to a local reverse proxy from there handle the routing logic

loloski

-- The problem is, that on ports ether46, ether47, ether48 I'm not seeing any traffic that goes into corresponding ports ether6, ether5, ether7. /interface/bridge/port add bridge=bridge comment="Bistro in" frame-types=admit-only-untagged-and-priority-tagged interface=ether5 pvid=119 add br...

loloski

if qsfpplus1-1 is your trunk port

/interface/bridge/vlan/add vlan-ids=111 tagged=bridge,qsfpplus1-1 untagged=ether7,ether48 bridge=bridge

loloski

try this and adapt to your situation you missed where the bridge should be tagged as well /interface/bridge/add pvid=4094 frame-types=admit-only-vlan-tagged name=bridge # Best practice don't set pvid=1 /interface/bridge/port add interface=ether7 frame-types=admit-only-untagged-and-priority-tagged pv...

loloski

Do you have at least initial draft document for MVRP?

loloski

:put [/system/resource/get uptime
11w2d15:59:17
]

loloski

Please don't do it CRS112 is geared toward as a switch not a router it has very weak CPU, what you can do put router upfront then Make a Queue in the router

loloski

+1 please

loloski

For us we learned the hardway, We are only using 1072 for EDGE routing purposes BGP/OSPF no NAT/Firewall and Queues they are fine, for Access Concentrators we stick for a dozen of 1036 with rule of thumb of 950 customers per 1036 doing NAT and Queue, For some of our PoP with premium customers which ...

loloski

check your switch chip 98DX226S if bonding is ever supported

https://help.mikrotik.com/docs/display/ ... Offloading

loloski

discard is not supported in v7

loloski

please use iperf it was a known fact that bandwidth test inside mikrotik will eat your CPU

loloski

On beta 8
*) bgp - allow to leak routes between local VRFs;

If you are looking for proper implementation through RD i don't think it will happen today :(

loloski

CRS310 is geared toward as a switch not much of a router

Screenshot 2024-02-08 060857.png

loloski

it would be best, if they allow the package to be stored and install via external USB or make a ROS lite package as suggested by others here, our HAPAC2 CPE fleet would surely welcome this change if this happen :)

loloski

By the way forgot to say thanks in advance for the people who could chime in

loloski

In our quest to ditch PPPoE in our network we decided to give it a whim and put a LAB generally it was ok, the client computer can authenticate it's MAC in user-manager via radius but I found it odd that you can authenticate the same mac address at the same time this is a no go for ISP setup, well h...

loloski

wait is over, I was able to activate the license just an hour ago

loloski

this cause us trouble because we have a scheduled deployment yesterday and send me 2 people in the DC doing nothing in the middle of the night in the end we pull out the server and will try again somewhere next week not really a big deal but a nuisance indeed

loloski

I already contact them via Support Ticket and no one is responding and even in discord this was reported as well on #CHR channel and I'm not alone

loloski

MT,

Please take a look into this we can't activate CHR license, there was a bad http response when you try to login your account in the renewal license dialog, thanks!!!!

loloski

Established VPN of your choice, then use mangle or routing rules to route your internal subnet to the other side of the tunnel then use srcnat NAT

loloski

you can use this as a starting point and also discard is no longer available please read the document

https://help.mikrotik.com/docs/display/ ... h+examples
https://help.mikrotik.com/docs/display/ ... nd+Filters

loloski

This was tested on 7.12, though i seldom open ssh from external but this needs to be look into

ss.png

loloski

We have a situation where our 2 edge router is both originating default route in OSPF domain we want to match the gateway and set appropriate distance just like i shown below is this possible? it was not clear in the documentation how to use the "gw" or can it be used in OSPF context, than...

loloski

Download and import this cert if you are using cloudflare DNS it should work
https://cacerts.digicert.com/DigiCertGl ... G2.crt.pem

loloski

https://stubarea51.net/2016/01/21/put-5 ... r-testing/

This is life saver luckily I was able to save the VM, the tool is not downable anymore :) I hope kevin will re-upload this again

loloski

I think you are right :), I stand corrected this design flaw is really a punch in the gut they should fix this, we are going to do some more pre-flight test otherwise we are going to call off again the deployment :( if you have single peer you can get away with it but multiple peer this will blow ou...

loloski

I don't think that's the case i load more than 300K routes and that few /32 slips into crack, if I follow what you say all on that list will be accepted but it's not I think they just made a string match there literally, will going to retest again and remove 0.0.0.0/0 i think I can still reproduce it

loloski

Input Accept NLRI bug

It accept some prefix not in the list of prefix allowed to be accepted i stumble this bug in a lab

ss.png

loloski

MT Any chances on improving router filtering in UI/winbox now?, we are not asking for v6 like for like UI but at least some semblance of having a more polish product rather than as if the UI was design after having a drinking session in the party :) the routing filter is v7 is more powerful in v6 bu...

loloski

This is impossible with ROS v7 today or in the future, that kind of traffic you are looking for is not for a SOHO environment

loloski

Hi guys, Just want to ask if somebody encounter this issue, where most of the time i reboot the router it doesn't boot properly you have to properly power cycle the router at least 3 times to work, the 2nd port always lit but dim and it's doing nothing, i already netinstall the device still the prob...

loloski

ok thanks a ton, really excited to put this in the field next week

BR

loloski

yeah we have our own instance of routinator too, that's good to hear that it was working well, you are in 2216 i'm on 1072 this is what really scare me now :)

loloski

Hmm.... that's reassuring but we need to test this thoroughly specially rpki validation this will surely a showstopper to us, BFD is working properly glad it was sorted out.

loloski

@rpingar I hope if you don't mind asking hpw's all your ticket related to BGP issues? did MT respond or fix most of your issues? we are going to retry again to put MT in IX scenario and i just feared we are going to pull it again and replace it with Juniper platform inadvertly due to instability I'v...

loloski

set the distance/cost of your preferred next-hop to 1 and the other remaining link to 2 in this way all traffic generated by the router itself will go to the default gateway with distance/cost of 1 no mangles involved, I hope this suffice enough to meet your requirement and use PBR to steer your tra...

loloski

info !wireguard

loloski

It was here, please read

https://help.mikrotik.com/docs/display/ ... rtisements

loloski

I hope this functionality can be restored in OSPF at least, this is what set apart from MT to other big brand where dynamic routing protocols is rock solid, another grief is when you have millions of routing entries in routing tables winbox start to crawl well that's for another day totally unrelate...

loloski

sorry for beating the dead horse, can someone shed some light on why discard is no longer available in ros v7?

loloski

In v7 it was rejected / deny by default

loloski

as a last resort though it's not the _real_ solution he/she could install zerotier in the other device using his/her 2nd ISP as a next-hop then use ROMON if the purpose of this zerotier is just for management purposes no more fiddling with mangle

loloski

you can try to use mangle output and routing mark to make host outbound traffic of the router to go on specific ISP on udp port 9993

/ip firewall mangle
add action=mark-routing chain=output dst-port=9993 new-routing-mark=UG3 passthrough=no protocol=udp

loloski

Ok i stand corrected back to the v6 version where it was still not bundled :)

loloski

wifi-qcom-ac is already out of the door a year ago who have thought this is possible?, who knows? maybe just maybe they break again the taboo and make v7 semi modular again like what we have in v6 where you can uninstall something at some extent to free up some space or resource.

loloski

LOL, you can upgrade beyond 7.12.1 and still have zerotier. What is your point? I can't upgrade to past/beyond 7.12.1 because this is the last version I can have a wireless + zerotier on this device, I'm just wondering why some people here is very apprehensive if all you want is to get the last oun...

loloski

Yeah that's why we might stay indefinitely in 7.12.1 because we can't eat our cake and have it too :) unfortunately wireguard is not an option for us :p

loloski

Well, I certainly consider it a step backward that almost all functionality is now in a single "routeros" package. I can fully understand why packages like "DHCP", "PPP", "ipv6", "security" were merged with the system package! They often have nasty ...

loloski

Question does MVRP implementation will be vendor neutral? Once it become stable?

loloski

You are right and spot on, I'm responsible with Engineering In perfect world I got the final say on most things related to network from Core,CO,Pop down to Last mile, but still can be vetoed once there was a big Asian money at stake down to a drain pipe, Cap-ex is hard to come by in emerging market ...

loloski

Care to share how much MPLS traffic you have at peak and is it in tile arch?, we have a pilot MPLS implementation base on v6 (mpls atom/pseudowire) in one of our PoP and just running < 500mb at peak

loloski

There's a bug in bridge where a port role is blank in CHR and hapac2 in my limited testing at least

loloski

@Darknate I can feel you and I can clearly see your point and that was really obvious, but I don't need reasons to ditch MT because the company I work for already accept that fact that MT as a company is not perfect, my personal only sour grape with them is they don't layout their roadmap on what th...

loloski

Just notice push route is in the ovpn server setting not per secret/user basis? I hope MT would make it more flexible

loloski

*) bridge - added MLAG support for MSTP bridges; *) bridge - added MVRP support (CLI only); *) bridge - improved bridge VLAN configuration validation; *) bridge - improved configuration speed on large VLAN setups; *) bridge - improved protocol-mode MSTP functionality; *) bridge - improved protocol-...

loloski

@DarkNate As a band aid solution whilst we are still waiting for proper EVPN/VXLAN to come in Mikrotik, our tech stack revolves around mikrotik for 3 years now lots of investment already from hardware to people training and we don't want to go back to pure Juniper shop if we can fight for it for cos...

loloski

Yeah, Q3 next year if MT can't still produce a decent implementation for all of this critical technologies in ISP space we are going to re-think our strategies, If only LAC mode not just LNS is readily available today we can duct tape our network and still can still wait for another 3 years more, ev...

loloski

you need policy based routing, as a primer check this out https://www.youtube.com/watch?v=1oawZUqB_Eo If i were you since you really want to learn look read network primer in other platforms as well because the learning curve is steep in MIkrotik if you don't have previous solid background in networ...

loloski

at least for me this is fair enough

loloski

MT, Would you be so kind if you could restore the functionality that we can remove dynamic simple queue on the fly via up/down script in PPPoE profile and create the simple queue to our liking?, our solution relies on this heavily and we can't move our BRAS/PPPoE concentrator to v7 latest stable ver...

loloski

@mrz, if you could be so kind could you please confirm if MP-BGP/EVPN + VXLAN is now on horizon since IS-IS was in too? just a nugget please because this will be very critical to us in near feature

loloski

Wow, that's good news but the million dollar question is when this going to see the light of the day

most of the Chinese cheapos switches now a days support this like Rujie/Maipu et al, please add Q-in-Q in hardware in the pipeline please

loloski

If your motherboard and NIC support SR-IOV used that instead just my 0.2$

loloski

expose growright or any other MRTG option to MT graphing via CLI or winbox

loloski

Sorry for not filling a proper bug report don't have a good experience of doing it for some occasions now, it's either no one answer or the support claims it's a support issues I'm tired already sorry

loloski

In Hapac2 DOH is working fine for a few minutes then all of the sudden the configuration revert back to the original setting prior of the change, at first I thought I'm just crazy but it happen to me more than 3 times now

loloski

7.12 stable to 7.13beta1 will fail to update if zerotier package was install on hapac2

loloski

as per MT, flat out that's not possible

loloski

This is doable please check
https://help.mikrotik.com/docs/display/ROS/Dot1X

loloski

system - fixed process multithreading (introduced in v7.9);

care to elaborate please?

loloski

@DarkNate As far as I know at least in our region (Asia), ROA record is a _must_ now a days if you are advertising your prefix to upstream that's why pe1chl is suggesting that let the upstream handle this RPKI validation, I personally has this mentality too are we really out of touch on reality? Alm...

loloski

@holvoetn

what a clever workaround, hehehe let me try that approach and will update this post

, thanks a ton

Edit: @holvoetn you're a genius it works! like what you said EOIP interface doesn't need to be a member of a bridge

loloski

a shorthand syntax if you want to set ge-0/0/18 as access port with vlan member 20 for example the right syntax would be at least on Juniper with legacy Junos (NON ELS)

set interfaces ge-0/0/18 unit 0 family ethernet-switching port-mode access vlan members 20

loloski

root@EX4200# set ethernet-switching-options secure-access-port interface ge-0/0/18 ? Possible completions: + allowed-mac Allowed MAC address on this interface + apply-groups Groups from which to inherit configuration data + apply-groups-except Don't inherit configuration data from these groups dhcp...

loloski

I already tried removing storm control and still doesn't work

loloski

Out of desperation I ask bing chat and this should do it but unfortunately not for EX4200 because ether-type-list is not available in EX4200 set ethernet-switching-options secure-access-port vlan members INTERNAL set ethernet-switching-options secure-access-port interface ge-0/0/18 mac-limit 1 set e...

loloski

@Amm0 Thanks for the input to answer your question both device in question that participate in ROMON their interface are both _not_ part of the bridge, so the problem really lies on Juniper (None ELS) security default policy, I'm really stuck since this device does not have J-Care support contract :...

loloski

We have seen this today on one of our CCR2004 L2TP + IPSEC, there's no workaround on this other than restarting the whole device which is very annoying we don't know what the condition needs to reproduce the issue, but other installation is working fine for months without the issue with the same con...

loloski

Yeah I read that too, but we haven't turned on any security of the switch because this was a temporary thing [root@EX4200# show ethernet-switching-options secure-access-port { interface ge-0/0/8.0 { dhcp-trusted; } interface ge-0/0/12.0 { dhcp-trusted; } } voip; storm-control { interface all; } {mas...

loloski

Good day, does anyone from you guys know the knobs to turn on/off in Juniper so that it can forward romon traffic? we deploy this switch as an interim edge switch while we are waiting for the proper hardware to be delivered in DC, the switch has a couple of VLAN and nothing spectacular, thanks in ad...

loloski

Does it mean ISIS will slide to 7.13? normally when RC was release there's no other feature will come in

loloski

since you don't put any network diagram or configuration i'm going to assume you use this switch as your NAT router therefore use hw offloaded nat since your device support that feature https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading if the assumption is wrong please put network di...

loloski

There's a sync connection tracking available in Mikrotik i think conntrackd is working behind the scene, this is the CARP equivalent in OpenBSD, I'm more willing to be corrected if this was not the case:)

loloski

most likely he has queue in them + NAT that's why fasttrack was not enabled just speculation on my part

loloski

Realistically more or less that will be close, get CCR2116 if you need more power and you are not going to look back. we have seen in the field of 15GB of throughput with 50% CPU usage or better yet get Juniper MX platform if you need more

ss.png

loloski

remove all this (Calea, gps,lora, routeros, tr069-client, ups, user-manager) then update to 7.11.2 except the base package of course (routeros)

loloski

remove all addon package then upgrade it will work

loloski

check your port speed if it was 1G if not then replace your UTP cable and also make it sure that your PC / Laptop has support of 1G as well, good luck

loloski

call your ISP because that might be intentional, when in doubt try to plug your PC in lieu of MT and the behavior should be the same

loloski

Hi All,

Good day, I’m not sure where I read it, could someone confirm if MSTP is compatible with LACP with 802.3ad mode, i know MLAG is not but don’t know if this holds true for LACP thanks

loloski

CRS112 is geared toward a switch not much of a router remove Masquerade or NAT there and place a router in front, just my 0.2

loloski

I hope the improved routing filters they promised should be _IN_ before they make an LTS v7, don't get me wrong the current routing filter is fine but it needs a lot of improvement specially if you compare it to V6, then pick up where they left off on some L2 functionality in marvel prestera hardwar...

loloski

look for how PBR works https://www.slideshare.net/GLCNetworks/ ... n-mikrotik

loloski

why multiple bridge? for the WAN connection you can straightly assign the ip address to the interface, please prepare a diagram so that others can help you

loloski

MT problem is simple they don't have at all or lack of sufficient unit test coverage in the code base, look at how brittle the SFP and Bridging code section where every release they claim improvement on this areas so frequently, I hate to say this I hope ROS v7 wasn't design by bunch of drunk engine...

loloski

This is how it look like, same for 1036,RB4011 i'll try to netinstall them later if i can reproduce the issue
2.PNG

netinstall solved the terminal issue

loloski

Honestly there's a lot of variable here get a consultant that they do this thing for a living, there's no single right answer for your question. If you decided to do this on your own please consider this https://www.ekahau.com/ this will greatly help you in designing your wifi network not cheap but ...

loloski

Same with our CCR1072 spare in the lab :(

2.PNG

loloski

This is how it look like, same for 1036,RB4011 i'll try to netinstall them later if i can reproduce the issue

2.PNG

loloski

console died so far i can reproduce this on a spare CCR1036 and CRS317 so this is not architecture specific Is that on a physical console? (serial port and terminal program) As I cannot reproduce that on a terminal window... Terminal inside winbox, prior to upgrade both my 1036 and 317 devices is f...

loloski

RB4011 is also affected :( but hapac2 is working

loloski

console died so far i can reproduce this on a spare CCR1036 and CRS317 so this is not architecture specific

2.png

loloski

Interface - added "macvlan" interface support;

Wow this is quite a surprise

loloski

I'm not going to chase this on them any more, since they deny the existence of the NO DAD bug alone because they know that it will lead to a much bigger issue of which you confirm, thanks anyway for the update

loloski

I hope you guys are right, but there's no indication that they moving in this direction

loloski

ovpn - added "tls-auth" option support for imported .ovpn profiles;
mpls - added option to match and set MPLS EXP with bridge and mangle rules;

been waiting this for a couple of years now :)

loloski

With that number of peer our platform of choice is Juniper MX200 at least, you can certainly try CCR2216 if you have budget or leeway to make experiment

, we have a few dozen of that CCR2004 that we loan to other or just collecting dust due underwhelming bgp performance

loloski

If you are not using NAT please disable connection tracking and firewall rules and just like what pe1chl said play with affinity and check which settings works for your use case. you may also check this

https://www.daryllswer.com/edge-router-bng-optimisation-guide-for-isps/

loloski

2.png

so far upgrade for 1036,1072,317,326,4011,HAPAC2 went without a hitch

loloski

as they always say, if it's not mentioned in the changelog therefore they won't fix it

loloski

I think the problem here with MT they should finished one thing at a time before jumping on to another task at hand and also they should published the roadmap at least people know what to expect or not, otherwise this will be a recurring theme MT will surely delete this post anytime soon just like w...

loloski

Please turn on RSTP unless you have a valid reason to turn it off and also turn on auto neg on interface as much as possible for those untagged/access port ensure you have frame-types=admit-only-untagged-and-priority-tagged Please export the whole configuration and attach it here so that other peopl...

loloski

Please see this presentation from Kevin https://stubarea51.net/2020/03/03/start ... hitecture/

loloski

sorry to break the bubble but NAT64 is not supported at this point

They could implement and adopt this in their stack but I think they are not interested on this at this point to stabilized ROS v7, but who knows

https://www.jool.mx/en/run-nat64.html

loloski

Does segment routing is inherent with IS-IS or the traffic engineering part is where it got very exciting?

loloski

Just do PBR (Policy base Route) and you're good to go. https://help.mikrotik.com/docs/display/ ... cy+Routing

loloski

if you are making CRS305 as a switch remove the IP address that you assign on it and create a bridge and add two ethernet ports in the bridge and assign IP on your server and the fiber modem as you may call it and it should work e.g /interface/bridge/add name=BRIDGE /interface/bridge/port add interf...

loloski

Thanks for the insight at least I'm not alone but this is low priority given the circumstances of MT they want to stabilized ROS v7 in general which is a good thing

loloski

Yeah surely do certainly, what surprise me is it seems like no DAD (Duplicate address detection) option is not working even though you toggle it :) in cisco i try to lab this thing up in the most simple way possible that I could think of and it appears to work correctly afaic and not to pretend to k...

loloski

I just want to lab up a potential use case where I do have a container with reverse proxy that will piggy back the traffic going back to the real server for HA purposes

loloski

your device is geared toward as a switch with basic router functionality, please try to use different device

loloski

Hi all,

Anyone know if MT does support anycast address? can anyone shed some light on this please, the manual doesn't say much on this topic

loloski

the OP refers to dumb switch / unmanage switch

loloski

with more recent V7 you can now at least use src-address now for netwatch, i have yet to lab this as well just like you I also use recursive routing for WAN monitoring

loloski

I see now back to the lab, thanks a ton

loloski

Hi All, I've have been labing this since yesterday i can't seems to figure out how bridge horizon works on PPPoE server, The lab is so simple 1 PPPoE server with 2 PPPoe Client no switch in between the pppoe client plug straight to ether1 and ether2 of PPPoE server I've try to set the horizon value ...

loloski

Hey MT,

Please check my colleague alerted me just now that they can't register an account in the forum, just fyi

2.png

Search found 437 matches