Community discussions

Search found 283 matches

by lurker888
Tue May 20, 2025 7:06 pm
Forum: General
Topic: Wireguard peer interface irregularly stop working
Replies: 70
Views: 27328

Re: Wireguard peer interface irregularly stop working

Yep, wg requires a monotonic time for handshakes to succeed. And you also correctly pointed out that disabling and enabling a peer resets this timestamp and so it's not checked on the next handshake attempt. Clearly NTP is the proper solution, however I have some applications where it is not easily...
by lurker888
Tue May 20, 2025 10:25 am
Forum: General
Topic: DHCP Pool exhausted - but not really exhausted - bug ?
Replies: 9
Views: 312

Re: DHCP Pool exhausted - but not really exhausted - bug ?

I love the forum too. But to the point. It's a strange behavior for sure. Maybe it really is a bug. I did a quick test both with converting to static and adding a new static entry with the same mac. I couldn't reproduce the behavior. Maybe I didn't do the exact steps that I would assume you took or ...
by lurker888
Tue May 20, 2025 10:01 am
Forum: General
Topic: DHCP Pool exhausted - but not really exhausted - bug ?
Replies: 9
Views: 312

Re: DHCP Pool exhausted - but not really exhausted - bug ?

Hello and welcome, Your dhcp server lease list looks suspiciously like it was created with the "export" command. The export doesn't contain dynamic entries - it is only meant to capture the actual configuration, not print the current state. Try the following command: /ip/dhcp-server/lease/...
by lurker888
Wed May 14, 2025 4:10 am
Forum: General
Topic: RB5009 dropping all traffic for a few seconds
Replies: 23
Views: 2062

Re: RB5009 dropping all traffic for a few seconds

Interesting. I cannot confirm this behavior on my RB5009 (RouterOS 7.18.2, auto-mac=yes). When the Ethernet interface that provides the bridge MAC address goes down, the bridge MAC address does not change. The Mikrotik documentation does not mention the behavior you describe either. On what hardwar...
by lurker888
Mon May 12, 2025 9:36 pm
Forum: General
Topic: RB5009 dropping all traffic for a few seconds
Replies: 23
Views: 2062

Re: RB5009 dropping all traffic for a few seconds

I was helping a colleague and your post popped into my mind. Just an idea, and don't treat it as more, but I'll jot it down here anyway. A similar behavior arises when a port goes down and it is part of a bridge that doesn't have an admin-mac assigned manually. Mikrotik (and generally Linux) systems...
by lurker888
Fri May 09, 2025 5:56 am
Forum: General
Topic: Wireguard: Endpoint and Current Endpoint differ
Replies: 15
Views: 1150

Re: Wireguard: Endpoint and Current Endpoint differ

Output packets are most certainly src-natted. If you don't see your NAT rule working correctly these are the probable causes: 1. If the connection already has a conntrack entry, the src-nat rules are not consulted (again) for the ongoing connection. You have to delete the conntrack entry with some v...
by lurker888
Wed May 07, 2025 5:59 pm
Forum: General
Topic: Am I missing something in relation to "Accept Router Advertisements" and Neighbour Discovery?
Replies: 3
Views: 739

Re: Am I missing something in relation to "Accept Router Advertisements" and Neighbour Discovery?

It would be nice for Mikrotik to allow configuring the accept router advertisements setting per interface (especially because these devices are mainly routers). In the meantime the firewall can be used to filter them. Also be aware that there was a bug that enabled remote code execution from malforme...
by lurker888
Wed May 07, 2025 4:44 pm
Forum: General
Topic: mikrotik hex as wireguard client not working
Replies: 15
Views: 1668

Re: mikrotik hex as wireguard client not working

Hi, I have used Mikrotiks in this way many times, so it's definitely possible :-) I have no experience with the hEX S, but they all run the same software, so in terms of Wireguard, there will be no differences. I wouldn't use the wg import function, but configure the tunnels manually. The import is ...
by lurker888
Sun May 04, 2025 3:53 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 1977

Re: Assign (wireguard) interface local ip route to specific routing table

Okay. With regard to in-tunnel traffic routing, the "table" parameter of the interface only affects adding the routes based on "allowedips" to the specified (non-main) routing table. If that's your only wish, well that's already accomplished :-) In this regard there is literally...
by lurker888
Sun May 04, 2025 2:39 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 1977

Re: Assign (wireguard) interface local ip route to specific routing table

@lurker888 VRF's are similar but not the same. F.e. I'm providing DNS & NTP through ros, but both services can only run in one VRF. At least there doesn't seem to be a way to have DNS/NTP in more than one VRF as in winbox it's just a dropdown so you can't add multiple VRF's. With a 'normal' rout...
by lurker888
Sun May 04, 2025 12:33 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 1977

Re: Assign (wireguard) interface local ip route to specific routing table

Isn't all this about trying to recreate a VRF without using the word? Having a separate routing table. Check. Having two interfaces that only use this table for lookups. Check. Wanting to add addresses to the interfaces which only make sense in the given table. Check. All these things would work eff...
by lurker888
Sat May 03, 2025 5:13 pm
Forum: General
Topic: Assign (wireguard) interface local ip route to specific routing table
Replies: 24
Views: 1977

Re: Assign (wireguard) interface local ip route to specific routing table

I think the confusion comes about because OP never actually describes what they want to do. Btw. assigning a default via a wg tunnel in a table of your choice works perfectly. Just tried it, for me it shows up as "As" (Active, static) and doesn't have the U (Unreachable) flag, which is qui...
by lurker888
Thu May 01, 2025 3:22 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

This is a fair point. Though I don't necessarily think that they need to throw the actual syntax out. Maybe it would be easier if they did so rather than special-casing it, but if they at least wanted the CLI experience to be consistent, they could decide to not actually treat table entries as trad...
by lurker888
Thu May 01, 2025 1:12 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

I am curious what you are looking for that is not currently possible with /ip/firewall/connection/remove [find where <blah>] ? I thought I explained it well with: Because the current way with list building and iteration is really cumbersome, slow and resource intensive." Since you suggested a ...
by lurker888
Thu May 01, 2025 11:04 am
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

You're making it awfully hard to disagree with you because you are making valid points :-) You're asserting the kernel's current logic trumps what the MikroTik docs do say. Perhaps. Docs could be wrong about "on IP change", but that'd be a glaring oversight by MikroTik at this point. And it could...
by lurker888
Thu May 01, 2025 3:45 am
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

I get the kernel discussion... but Mikrotik does patch a lot of things, so kernel version is not always that telling. The docs and history suggest NAT masquerade should clear conntrack based on IP change... so suggesting a DHCP feature for it seems premature (i.e. if the DHCP client could do it, so coul...
by lurker888
Thu May 01, 2025 2:39 am
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Sorry lurker, didn't really understand, but you seem to be saying that with the new kernel (really still an old kernel) that MT is now using, the unexpected behaviour is normal/expected, much to our chagrin. Furthermore, you are hoping that MT comes up with a built-in easier way to clear the connect...
by lurker888
Thu May 01, 2025 2:05 am
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Yup watching this thread as most expect masquerade to clear connections..........otherwise rextended scripts will get extended use LOL. I would not consider this solved until MT replies with certainty about new behaviour or they forget to do something during programming etc............ Yep. But thi...
by lurker888
Thu May 01, 2025 12:13 am
Forum: General
Topic: RB5009 -> RB5009 DNS FWD doesn't work
Replies: 10
Views: 8382

Re: RB5009 -> RB5009 DNS FWD doesn't work

If that's your only disagreement with what I said, I'll happily give you that :-)
by lurker888
Wed Apr 30, 2025 8:01 pm
Forum: General
Topic: RB5009 -> RB5009 DNS FWD doesn't work
Replies: 10
Views: 8382

Re: RB5009 -> RB5009 DNS FWD doesn't work

@op: You didn't really do anyone a favor by not giving a full config. I don't necessarily agree with @jaclaz that the settings are "all jumbled", but when one doesn't understand a problem, then quite often they don't understand it because they don't know where to look - and only including ...
by lurker888
Mon Apr 21, 2025 7:29 pm
Forum: MikroTik hardware questions
Topic: Using Mikrotik S+RJ10 SFP+ transceiver with RB5009UG+S+IN
Replies: 8
Views: 971

Re: Using Mikrotik S+RJ10 SFP+ transceiver with RB5009UG+S+IN

The rb5009 actually has a trick up its sleeve with its thermal design. The SFP cage is coupled to the backplane/heatsink with a thermal spongy thingy. This gives it quite good characteristics for cooling the modules. Still, multi-gig modules run hot, so don't expect the full temperature range for yo...
by lurker888
Mon Apr 21, 2025 7:18 pm
Forum: General
Topic: Dual power rb5009ug+s+in
Replies: 4
Views: 642

Re: Dual power rb5009ug+s+in

For the DC inputs Mikrotik uses an arrangement of one input diode per DC input with the cathodes joined, which serves as the input to the buffer capacitor and then the SMPS. Using the same voltage is therefore fine. (I have deployed many devices which do not have dual inputs with the single input p...
by lurker888
Sat Apr 19, 2025 6:52 pm
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

Glad it works.

You shouldn't use proxy-arp btw. You only need it because the address is on ether2 instead of the bridge. When an interface is part of a bridge, all IP related configuration should be done on the bridge.
by lurker888
Fri Apr 18, 2025 3:04 am
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

Yeah, it’s unfortunately more common than you might think, especially at small and mid-sized facilities designed by “old-school PLC guys” who lack basic networking knowledge. Not disagreeing with you. However what *really* surprised me is that I used to work with a bunch of young and *very* talente...
by lurker888
Fri Apr 18, 2025 2:47 am
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

Again, the culture around PLCs, networks and their users is really messed up somehow. An especially common one is that they assume that masquerading on every interface of a router is normal, e.g. even when no nat is done but two subnets are involved and the PLC is being accessed from a different one...
by lurker888
Fri Apr 18, 2025 12:57 am
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

Your diagram is still incomplete/incorrect. My notes: * You say that you want addresses 10.0.80.200-203 (4 addresses) on the ether1 side. I will assume: * You want to use one for managing your Mikrotik router. Let's assume that's 10.0.80.200. This we will have as a /24 address. * You want to use...
by lurker888
Thu Apr 17, 2025 4:07 pm
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

You really should draw a proper network diagram and then we can talk about the individual rules. Also note that it's not a single rule that in itself does all the things you want, but a set of them that work together. The whole scenario is discussed btw in quite some detail in the thread that led t...
by lurker888
Thu Apr 17, 2025 3:41 pm
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

[...] and turns out that most issues that I am having are due to incorrect configuration on PLC side. Src-nat takes care of that, because the devices see all connections coming from their own subnet and send answers there. So the default gateway config doesn't come up at all. I was not just trying ...
by lurker888
Thu Apr 17, 2025 2:48 pm
Forum: Beginner Basics
Topic: DST-NAT for multiple wan addresses [SOLVED]
Replies: 34
Views: 4855

Re: DST-NAT for multiple wan addresses [SOLVED]

What the OP is about is a fairly standard ask in the automation field. Just some points: * Yes, most PLCs, sensors, relays etc. allow you to set an address, netmask, gateway and usually offer DHCP support. Somehow the guys doing these sorts of things don't want to set this up correctly. I don't know...
by lurker888
Wed Apr 16, 2025 4:28 am
Forum: Beginner Basics
Topic: Suggestions for hAP ac2 configuration
Replies: 10
Views: 1082

Re: Suggestions for hAP ac2 configuration

Although the number of clients you are serving is not exactly optimal for a single ac2, your problems in this case don't seem to come from wireless problems. The fact that wired clients also have access interruptions confirms this. That you can access the management interface also suggests that your...
by lurker888
Wed Apr 16, 2025 3:24 am
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

My hunch is that even those in the IPv6 idealist camps would say this isn't the case, since if you are using it "as intended", you will have multiple addresses per interface, and that intra-LAN, your hosts should all be using link-local, or ULA, or something else to talk to each other. Th...
by lurker888
Wed Apr 16, 2025 2:12 am
Forum: General
Topic: Feature Request: Include NAT speeds in Mikrotik Test Results Documentation
Replies: 4
Views: 719

Re: Feature Request: Include NAT speeds in Mikrotik Test Results Documentation

Based on your previous posts there must be some gotcha to your question, but I'll bite. To make sense of the test results, we first look at the size of the packets. Simple IMIX assumes an average IP packet size of 340 bytes. Were we to assume that a TCP connection has one ACK for every full-size fra...
by lurker888
Sun Apr 13, 2025 10:47 am
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

I agree with your arguments about renumbering and why it's not practical to preserve addresses/prefixes in some scenarios, especially for smaller ISPs and ones that have grown their networks organically. One thing I would like to point out however, is that not preserving the allocation and allocatin...
by lurker888
Sun Apr 13, 2025 7:47 am
Forum: General
Topic: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]
Replies: 6
Views: 2230

Re: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]

Glad it worked.

You're always welcome to share your script/template as a reply in the "Useful user articles" topic I referenced. Hint-hint?
by lurker888
Sun Apr 13, 2025 7:09 am
Forum: Beginner Basics
Topic: likely hitting software-based routing limits [SOLVED]
Replies: 23
Views: 4542

Re: likely hitting software-based routing limits [SOLVED]

The ISP modem has 4 1Gbps ports and has a built-in DHCP server .. all I did is connect one of the ports on the CRS326-24S+2Q+RM like in my case port sfp-sfpplus24 and enabling DHCP client on and creating a default route. Is what I did wrong in any way? How else am I supposed to do this? You're probab...
by lurker888
Sun Apr 13, 2025 6:53 am
Forum: General
Topic: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]
Replies: 6
Views: 2230

Re: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]

Any number of things :-) My guesses would start at: * resetting the device without no-default-configuration * somehow your script doesn't run to the end (if any error is encountered, execution stops) - it's best to copy-paste it in parts into the terminal while debugging to actually see the error (i...
by lurker888
Sun Apr 13, 2025 6:24 am
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

IPCP itself doesn't really know about "framed routes", which is just an implementation detail on the PPP server side. [...] Well, I'm not very knowledgeable about last mile technologies. Of course I know that IPCP only handles addresses. I have the impression that usually when a static su...
by lurker888
Sun Apr 13, 2025 5:58 am
Forum: Beginner Basics
Topic: likely hitting software-based routing limits [SOLVED]
Replies: 23
Views: 4542

Re: likely hitting software-based routing limits [SOLVED]

The answers you have been given are essentially correct. You're not the first person to be confused by the product name. The CRS devices are essentially switches and do this functionality at wire speed. The router in the name refers to the fact that full router functionality is available in their s...
by lurker888
Sat Apr 12, 2025 7:46 pm
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2326

Re: hAP AC2 vs. AX2...

Regarding age, the affected one is from the initial series that still had the 256 MB RAM. As for the environment, it has always been in a living room, never exposed to direct sunlight, ambient temperature and vapors you'd expect in a non-smokers' living room... yet here we are. And yes, it is a sin...
by lurker888
Sat Apr 12, 2025 7:33 pm
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

I get the historical reasoning, but the trouble is, from the network's perspective, a UE is a UE is a UE, and a given SIM card could be inserted into any "class" of device, and even be swapped between devices from time to time. The same SIM card that is in a "phone" one minute c...
by lurker888
Sat Apr 12, 2025 5:51 pm
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2326

Re: hAP AC2 vs. AX2...

Which is actually great, because in a few years, the moleskin layer turns into the same sticky mess the thicker rubbery soft coats normally do. I liked the moleskin feel very much too until I found out this happens. Yep. Especially if they're exposed to high temp, sunlight, vapors (anythin...
by lurker888
Sat Apr 12, 2025 5:40 pm
Forum: General
Topic: Switch Rule does not match IPv6 packets
Replies: 7
Views: 1022

Re: Switch Rule does not match IPv6 packets

If you think you've found a bug, don't hesitate to contact Mikrotik about it. However please be aware that switch ACLs and rules are not as simple as you would want them to be. The behavior is switch chip dependent and what settings take precedence and when is not trivial (and to add to the frustrat...
by lurker888
Sat Apr 12, 2025 9:01 am
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2326

Re: hAP AC2 vs. AX2...

In terms of physical size, would you say there is much difference between your ac2 (which I think is the same size as the ac lite) and the ax2? All three have the *exact* same silhouette. The ax2 is noticeably heavier and has a fairly large grille cutout, both due to the larger heatsink necessary fo...
by lurker888
Sat Apr 12, 2025 7:40 am
Forum: General
Topic: hAP AC2 vs. AX2...
Replies: 20
Views: 2326

Re: hAP AC2 vs. AX2...

Hi, There is no "hAP ac2 lite". The devices are: * hAP ac lite (RB952Ui-5ac2nD or -TC for the tower case variant) * hAP ac2 (RBD52G-5HacD2HnD-TC) * hAP ax2 (C52iG-5HaxD2HaxD-TC) That said, both the ac2 and ax2 are a significant upgrade compared to the ac lite. If I had to choose between th...
by lurker888
Sat Apr 12, 2025 6:26 am
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

At least when it comes to 3GPP networks, changes on such large networks (and the devices that connect to them) seem to move at the Speed of Slow(tm). As can be seen when perusing the relevant RFCs and 3GPP standards docs, initially LTE did not support any IPv6 deployment model other than a single /...
by lurker888
Sat Apr 12, 2025 3:45 am
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

why not just use IPv6 NAT? (With non-ULA internal addressing...) If not ULA (which is obviously undesirable due to how most client network stacks treat them), then what IP space would you suggest such a set-up use? That was what the "..." part was about. I'm quite sure that you are aware ...
by lurker888
Sat Apr 12, 2025 2:00 am
Forum: General
Topic: Strange PoE issue between MT router and Omada AP
Replies: 11
Views: 1256

Re: Strange PoE issue between MT router and Omada AP

Designing properly standard compliant PoE devices (both source and sink side) is not exactly trivial, and manufacturing it costs significantly more than the "more-or-less if you look at it the right way" versions of the same. Why not get a nice passive injector? There are actually ones ava...
by lurker888
Sat Apr 12, 2025 1:37 am
Forum: General
Topic: Switch Rule does not match IPv6 packets
Replies: 7
Views: 1022

Re: Switch Rule does not match IPv6 packets

Well, that wouldn't be very switch-like... I tested this on an rb5009 with the 88e6393x and it works correctly. (In the sense that it blocks ipv4, arp, ipv6, etc.) There was a bug related to switch rules that was fixed recently in or around 7.17 which could easily result in your observed result. I d...
by lurker888
Sat Apr 12, 2025 1:11 am
Forum: MikroTik hardware questions
Topic: advise before the purchase of a hEX refresh [SOLVED]
Replies: 7
Views: 2626

Re: advise before the purchase of a hEX refresh [SOLVED]

It's becoming sort of a standard for site-to-site tunnels involving Linux/BSD soho/smb routers. Several years ago I was looking specifically for devices capable of WireGuard for site-to-site small project. This is actually when I learned about MikroTik. People like you reporting their real-world ex...
by lurker888
Fri Apr 11, 2025 7:50 pm
Forum: RouterOS beta
Topic: Feature request: ND Proxy (RFC 4389)
Replies: 24
Views: 14883

Re: Feature request: ND Proxy (RFC 4389)

At the risk of being an idiot online: for these sorts of residential connections, why not just use IPv6 NAT? (With non-ULA internal addressing...) It's not absolutely the cleanest technically, but neither is not delegating at least a /56 (or lately a /60) properly according to recommendations.
by lurker888
Fri Apr 11, 2025 7:40 pm
Forum: General
Topic: CCR2004-16G-2S+ stable?
Replies: 2
Views: 561

Re: CCR2004-16G-2S+ stable?

How's everyone's experience with the CCR2004-16G-2S+ been these days? I remember hearing a lot about stability issues, but that was a while ago and could have been related to running V6 on it, when it was designed for V7, or maybe early V7 bugs. What's everyone's thoughts on the stability of the CC...
by lurker888
Fri Apr 11, 2025 7:25 pm
Forum: Beginner Basics
Topic: RB5009 drops hardware vpn packets but not through another switch
Replies: 22
Views: 2507

Re: RB5009 drops hardware vpn packets but not through another switch

I think you've tried the usual stuff. Sometimes gigabit auto kind of conspires to make your life difficult. Downgrading etc. usually doesn't help with these devices. (I mean devices with the Marvell switch chips.) The drivers are solid in this regard and simply don't change version to version. When ...
by lurker888
Fri Apr 11, 2025 8:22 am
Forum: MikroTik hardware questions
Topic: advise before the purchase of a hEX refresh [SOLVED]
Replies: 7
Views: 2626

Re: advise before the purchase of a hEX refresh [SOLVED]

I think it would be nice to publish wg performance data for the different models. It's becoming sort of a standard for site-to-site tunnels involving Linux/BSD soho/smb routers. Or maybe someone with lots of devices lying around could provide us with a proper comparison??? If the numbers sound a bit...
by lurker888
Wed Apr 09, 2025 4:44 am
Forum: Beginner Basics
Topic: Mikrotik CRS326-24s+2q+rm won't work after RoterOS 7.12.1 Upgrade
Replies: 9
Views: 1022

Re: Mikrotik CRS326-24s+2q+rm won't work after RoterOS 7.12.1 Upgrade

That you got this far is actually good news. The formatting/transfer only takes at most a few minutes. I only encountered a similar situation when I nudged the rj45 connector loose. (The locking tab, as usual, was broken.) EDIT: It's safe to unplug/retry as many times as you have to. There are two p...
by lurker888
Wed Apr 09, 2025 2:49 am
Forum: MikroTik hardware questions
Topic: advise before the purchase of a hEX refresh [SOLVED]
Replies: 7
Views: 2626

Re: advise before the purchase of a hEX refresh [SOLVED]

Hi and welcome to the forum! Mikrotik routers basically all run the same software, so have the same feature set (with some minor differences). I'd reject the hEX S (rb750igs) out of hand, because it has a MIPS CPU, and Mikrotik has pretty much committed itself to ARM devices for the future. Unless y...
by lurker888
Wed Apr 09, 2025 2:03 am
Forum: Beginner Basics
Topic: Mikrotik CRS326-24s+2q+rm won't work after RoterOS 7.12.1 Upgrade
Replies: 9
Views: 1022

Re: Mikrotik CRS326-24s+2q+rm won't work after RoterOS 7.12.1 Upgrade

Well something went wrong, that much is pretty obvious. Actually the latest version marked as stable is the 7.18.2. Your best bet in these situations is to netinstall the device. You'll have to get both the netinstall program and the routeros software (mipsbe version) from the download page. Netinsta...
by lurker888
Tue Apr 08, 2025 9:10 pm
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1582

Re: Multi-wan multi-ip wireguard setup

Only authenticated users show up in the peers as "Current endpoint address". If I understand your solution correctly, thanks to the src-nat rule in input, the current endpoint address is always 172.16.10.2 (as per https://forum.mikrotik.com/viewtopic.php?p=1136875#p1136875). So to find a ...
by lurker888
Tue Apr 08, 2025 8:55 pm
Forum: General
Topic: CCR2116 + 802.3ad + Bridge +l3HW-Offload
Replies: 6
Views: 925

Re: CCR2116 + 802.3ad + Bridge +l3HW-Offload

Check for the obvious: DHCP snooping disables fast track. I had a similar issue a while ago. It didn't involve LACP, but that shouldn't have an effect on fast track. So, basically fast track wouldn't work for traffic coming from and going back into the same vlan filtered bridge. (Counters weren't in...
by lurker888
Tue Apr 08, 2025 6:44 pm
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1582

Re: Multi-wan multi-ip wireguard setup

Thank you for your reply. Banning works for other services. Not for wg. Maybe you are correct that limiting the rate is a better solution than banning. For now I do not know yet how to capture from logs or another way the auth failure of the peers. For now I use the client IP to differentiate fr...
by lurker888
Mon Apr 07, 2025 12:00 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Just to be very clear: the WireGuard protocol requires that the destination address of the initial handshake request MUST match the source address of the initial handshake response, otherwise the session will be dropped. If the handshake succeeds, then it is fine for the address to change, and Wir...
by lurker888
Mon Apr 07, 2025 10:54 am
Forum: General
Topic: Different Link-Local for VLANs under the same Bridge?
Replies: 2
Views: 467

Re: Different Link-Local for VLANs under the same Bridge?

Hi and welcome! The ability to set link-local addresses was added in 7.17. From the changelog: *) ipv6 - added support for manual link-local address configuration; A better question is: why would you want to do that? Usually the link-local address is constructed from the MAC address, which is th...
by lurker888
Mon Apr 07, 2025 10:41 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

So here's my response. (I see what you are doing with wireguard, just don't agree with it. There is no case where both sides of a connection need 50.0/24 that I can see.) I just wanted to send a ping across. This is what I typed first. There's no hidden agenda. :-) So our mangling was working but real...
by lurker888
Mon Apr 07, 2025 10:15 am
Forum: General
Topic: Multi-wan multi-ip wireguard setup
Replies: 15
Views: 1582

Re: Multi-wan multi-ip wireguard setup

@Mimiko: I'm not clear on what you want to do. Only authenticated users show up in the peers as "Current endpoint address" Why would you want to ban authenticated users? If you really want to ban them, why not just disable the peer? If you're afraid of the CPU load that failed authenticati...
by lurker888
Mon Apr 07, 2025 4:03 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

ECMP behavior has changed many times in the kernel. E.g. the 4.4 series was massively hated for this. Some were reversed, some not. There's an entire cottage industry of kernel modules that beef up/apply different heuristics to ECMP path selection. Locally originated packets for ECMP are an even mur...
by lurker888
Mon Apr 07, 2025 2:48 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Exactly. The redundancy I don't mind so much, but a connection can only carry one mark. (In this case it doesn't cause any trouble though.)

As to the VRF version: I have a few of these projects on my list. Sooner or later I'll get around to it. It would of course be very welcome if you'd test it out.
by lurker888
Mon Apr 07, 2025 2:37 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

I really am not getting your question. I promise I'm not being purposefully obtuse, and I *have* read your post several times and in full before responding. So I can only answer literally the question you have asked. So if the SELECTION PROCESS as we understand it is. What will the router choos...
by lurker888
Sun Apr 06, 2025 11:54 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

No, I wrote exactly what I meant. We are specifically talking about a situation in which * you have multiple connections with defaults (maybe ECMP, maybe failover) * these are "normal ISP" connections, where you receive an address that should be used for outbound traffic for each of them (...
by lurker888
Sun Apr 06, 2025 10:53 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

So lurker did you test like 3 WANS with ECMP load balancing Basic mangle rule in wan3 out wan3 generic all traffic to WAN back out same WAN. What does the wireguard process choose for source address in this case, always the correct WAN?? ( regardless if you put wireguard on wan1, wan2, or wan3 ) I d...
by lurker888
Sun Apr 06, 2025 9:55 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

@lurker888, does EOIP really have the same handshake issue as WG, like I described above? It doesn't. EoIP is only used to provide the two wan connections in the test setup. The packet capture is of wireguard traffic. The description of the test setup makes this clear: We have two WANS. For this ex...
by lurker888
Sun Apr 06, 2025 8:17 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 113
Views: 20319

Re: WireGuard Multi-WAN Policy Routing

Okay, but have you actually tested the "hard down" theory? Anyhow, we still use routing rules, which we consider clean and easy, and they work with MACVLAN too. And we'll keep using this approach until Mikrotik fixes the issue where the initial WireGuard handshake always leaves through th...
by lurker888
Sun Apr 06, 2025 7:21 pm
Forum: General
Topic: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD
Replies: 7
Views: 974

Re: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD

Yes, I'm looking at /system/routerboard. Keep in mind that all of my 256MB devices were purchased at the same time, and so were the 128MB ones (at a later date), so I probably only have devices from two production runs. My older 256MB devices have 6.40.5 (2017-10-31) as the factory version, the rela...
by lurker888
Sun Apr 06, 2025 5:14 pm
Forum: General
Topic: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD
Replies: 7
Views: 974

Re: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD

You're pretty attentive! All of my ac2 devices have stickers with "-TC" on the boxes and on the units themselves. The 256MB report themselves as "-TC", the 128MB ones not. :-)
by lurker888
Sat Apr 05, 2025 11:08 pm
Forum: General
Topic: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD
Replies: 7
Views: 974

Re: Difference between hAP ac2 RBD52G-5HacD2HnD-TC and RBD52G-5HacD2HnD

Hi, That's a neat observation. I have both, but never noticed. The -TC was used by Mikrotik to mean "Tower Case" in the "hAP ac lite", which is released as both RB952Ui-5ac2nD-TC and RB952Ui-5ac2nD. (The former having the case style of the hap ac2) I'm not aware of the hap ac2 ev...
by lurker888
Sat Apr 05, 2025 10:22 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

My bad that is valid, but this is assuming the remote router is an MT router. ( client peer for handshake) ........ makes sense, so other peers connecting to the local router can easily re-enter the tunnel and reach the remote router via the local router, so to speak. The local router needs allowed...
by lurker888
Sat Apr 05, 2025 6:27 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

It goes to root reason. As I stated, WAN1 being primary WAN2 secondary wanting to use WAN2 for wireguard. We only need to mangle for WAN2 and the problem was the router was sending return traffic via WAN1........ In my reply I pointed out that you don't *have* to do anything to wan1 traffic for eve...
by lurker888
Sat Apr 05, 2025 5:44 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

So in your example you have to manipulate both wans, not just wan2?? I don't exactly get what you mean by "manipulate". In the example I treat the WANs in a symmetric manner. We don't have to. If we remove everything that is related to the wg-wan1 mark, so these: /ip firewall mangle add a...
by lurker888
Sat Apr 05, 2025 3:37 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

I was planning on writing out an example, so just for your reading pleasure: the official "rabbit hole solution" to multi-wan wireguard hosting. We have two WANS. For this example, the two WAN connections are actually EoIP tunnels to another router. The base configuration is: Interfaces: /...
by lurker888
Fri Apr 04, 2025 10:12 am
Forum: General
Topic: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]
Replies: 6
Views: 2230

Re: RS305-1G-4S: map 4 devices with same IP to different IPs [SOLVED]

Hi, Really common question. Here are the references: https://forum.mikrotik.com/viewtopic.php?t=215744 https://forum.mikrotik.com/viewtopic.php?t=215953 The first one has explanations, the second one has a working example. (The second one will probably get corrected based on my latest comments in the...
by lurker888
Fri Apr 04, 2025 9:52 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

If you meet the criteria that I've explained in the previous post about "main" routes and addresses not being lost, sindy's version works absolutely fine with leaving the source address in place. Of course only if correctly implemented :-) Public addresses are static, but providers may di...
by lurker888
Fri Apr 04, 2025 9:43 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Glad it's working, and a great writeup! Now I will know where to refer people asking for this. It comes up several times a month. The following part should be however corrected. second one has connection and routing marks on traffic coming from the PLCs to the router. /ip firewall mangle # Mark conn...
by lurker888
Thu Apr 03, 2025 8:37 pm
Forum: General
Topic: Device-mode changes hit or miss? Mikrotik strategy?
Replies: 38
Views: 3615

Re: Device-mode changes hit or miss? Mikrotik strategy?

Sounds like a kind of "secret key" (rather than a password). Good idea. But won't help for already deployed devices. A rose by any other name. The problem around the whole thing is: * The attacks/botnets have become increasingly weaponized and are not one-off any more, but supported by ei...
by lurker888
Thu Apr 03, 2025 7:48 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

I'm wondering how dnating to another ip of wan1 will assure that originated from wireguard packets will have src ip of second wan? Or I'm missing something. Both dst-nat and src-nat (and masquerade) actions do *both* a translation that is specified in the rule, *and* a translation of the packets in...
by lurker888
Thu Apr 03, 2025 1:19 am
Forum: General
Topic: Device-mode changes hit or miss? Mikrotik strategy?
Replies: 38
Views: 3615

Re: Device-mode changes hit or miss? Mikrotik strategy?

@infabo Sorry, but this is exactly why they say that the road to hell is paved with good intentions. First of all, this device controller at this point is just a dream. Second, companies really like this stuff because then the devices can be tied to subscriptions and their resale can be limited. Man...
by lurker888
Wed Apr 02, 2025 9:55 pm
Forum: General
Topic: Public DNS to private IP
Replies: 44
Views: 3142

Re: Public DNS to private IP

What you have in your DNS records and whether you do or don't do nat has no bearing on your firewall and access control capabilities. Maybe I'm misunderstanding, but I assumed that by NAT you meant opening a port that forwards frames arriving on the public IP address port of the router (the WAN por...
by lurker888
Wed Apr 02, 2025 9:49 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Any thoughts on what the responder checkbox is trying to do?? Sorry, I meant to answer that one as well, just forgot by the time I got there. Responder is a very useful feature. Wireguard in its default form (that generally should not be reconfigured by the user) behaves in the following way: * the...
by lurker888
Wed Apr 02, 2025 8:24 pm
Forum: General
Topic: Public DNS to private IP
Replies: 44
Views: 3142

Re: Public DNS to private IP

What you have in your DNS records and whether you do or don't do nat has no bearing on your firewall and access control capabilities.
by lurker888
Wed Apr 02, 2025 8:00 pm
Forum: General
Topic: Public DNS to private IP
Replies: 44
Views: 3142

Re: Public DNS to private IP

Just thought I'd chime in to add to the confusion. Generally, private (RFC1918, etc.) addresses are permitted in public DNS records, in fact this is not uncommon. The popularity of this is in fact rising because it's not exactly easy to do split DNS nowadays with hard-coded DNS servers on de...
by lurker888
Wed Apr 02, 2025 7:41 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

@Mimiko My post that explains why wireguard has this idiosyncrasy in its design (right here on this thread): https://forum.mikrotik.com/viewtopic.php?p=1111816#p1111816 And the one that explains the source address assignment in detail: (You should probably scroll through the entire thread) https://f...
by lurker888
Wed Apr 02, 2025 11:37 am
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Thank you. This does work. I already have marked and sticky connections implemented per each incoming WAN IP. Also @Larsa, of course each client is configured with its own public key and all allowed addresses. It was just this thing about different WAN IP. @lurker888 why define a rule in /ip/firewa...
by lurker888
Wed Apr 02, 2025 11:18 am
Forum: General
Topic: Device-mode changes hit or miss? Mikrotik strategy?
Replies: 38
Views: 3615

Re: Device-mode changes are hilarious

@infabo: There is currently no way to set device-mode in netinstall scripts (without the unplug/reset procedure) It was suggested by many to allow only scripts executed as post netinstall scripts to be allowed to do this. As far as I know, it was not implemented. The device-mode settings persist ind...
by lurker888
Wed Apr 02, 2025 12:42 am
Forum: General
Topic: Device-mode changes hit or miss? Mikrotik strategy?
Replies: 38
Views: 3615

Re: Device-mode changes are hilarious

Originally device-mode limited some things. Okay, most of these were newly introduced anyway, like containers. Then device mode limited more things after an upgrade. Okay, we have to reset/unplug everything. Please stick to the facts. Under the old "enterprise" device mode, everything was...
by lurker888
Tue Apr 01, 2025 11:27 pm
Forum: General
Topic: Device-mode changes hit or miss? Mikrotik strategy?
Replies: 38
Views: 3615

Re: Device-mode changes are hilarious

Although with device mode *some* input from the community was taken into account, it was not nearly enough. Originally device-mode limited some things. Okay, most of these were newly introduced anyway, like containers. Then device mode limited more things after an upgrade. Okay, we have to reset/unp...
by lurker888
Tue Apr 01, 2025 7:50 pm
Forum: Beginner Basics
Topic: Constant high outbound traffic from ether1
Replies: 14
Views: 1786

Re: Constant high outbound traffic from ether1

Just writing to emphasize the points made by @mkx. While non-standard ports, port knocking, etc. are useful in cutting down on the number of log entries or in mitigating CPU usage from failed authentication attempts in case a bot/botnet really takes a liking to you, actual security is provided by se...
by lurker888
Tue Apr 01, 2025 7:26 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

@Larsa: Of course this also works with the two addresses on any interface (one assigned to the router and one not assigned, but routed to the interface in the "main" table - these are the criteria for conntrack to work). For me the wg interface is associated with the overlay traffic and in...
by lurker888
Tue Apr 01, 2025 5:12 pm
Forum: General
Topic: Chromcast firewall rules
Replies: 5
Views: 1115

Re: Chromcast firewall rules

You will have to somehow allow the reverse connection obviously. You can make the thing a bit more secure by using something a bit like port knocking: * add a dst-address-list criterion to your rule for port 8010 * populate this address list based on packets flowing to your ChromeCast control ports ...
by lurker888
Tue Apr 01, 2025 4:56 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 92
Views: 10350

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

I think I understand what @Mimiko wants: simply to have many WAN addresses, and for wg to always answer on that address. WG intentionally has a bit of a strange behavior (different from the usual stuff like ping, DNS over UDP, OpenVPN over UDP, etc.) One way of doing what is asked for here is the foll...
by lurker888
Mon Mar 31, 2025 3:03 pm
Forum: Beginner Basics
Topic: Constant high outbound traffic from ether1
Replies: 14
Views: 1786

Re: Constant high outbound traffic from ether1

That you see traffic on the WAN that you don't see on the bridge means that the outbound traffic is generated by your router. It is likely that your router is being used to attack others on the Internet using DNS amplification, as referenced by others. The easy way to both see if this is happening is...
by lurker888
Sat Mar 29, 2025 1:16 am
Forum: MikroTik hardware questions
Topic: upgrading old mikrotik RB2011UiAS-Rm
Replies: 5
Views: 1289

Re: upgrading old mikrotik RB2011UiAS-Rm

Thank you for the replies! The manager wants to keep all wireguard peers, so I was wondering if the cpu will handle the load. Also, I read in the forum that ccr2004 cpu manages the switch chips, and rb5009 switch management is not from the cpu - if I got this correctly - so isn't this a bottleneck f...
by lurker888
Fri Mar 28, 2025 11:22 pm
Forum: MikroTik hardware questions
Topic: upgrading old mikrotik RB2011UiAS-Rm
Replies: 5
Views: 1289

Re: upgrading old mikrotik RB2011UiAS-Rm

Yep. The rb2011 is a nice and decent device, it just has its limitations. Saying that your only problem with a device introduced in 2011 is that it feels sluggish with today's internet speeds is a testament to the quality of their design, and the fact that it still receives regular software updates i...
by lurker888
Fri Mar 28, 2025 11:07 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

I wouldn't know eltikpad, I have never had to resort to putting an address on the bridge while using vlans. I prefer clean separation of bridge from DHCP etc, once I start using vlans. I can imagine one situation where it would be natural to have the bridge port as an access port: when using the devic...
by lurker888
Fri Mar 28, 2025 10:10 pm
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

With your current setup the ping is supposed to work (or not work) as you describe. This does not indicate that you didn't accomplish what you set out to do, or that somehow it's wrong; this is just not implemented. Most people are happy to get this far, and accomplish the bare minimum, so really ju...
by lurker888
Fri Mar 28, 2025 4:02 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

This forum also has a section named "Useful user articles". This thing comes up on the forum from time to time - maybe consider doing a write-up...
by lurker888
Fri Mar 28, 2025 3:56 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Good to hear. So... in order: You have to add the tables manually, and the routing marks are created by the table. I missed that part. The routing rules that you added are not strictly necessary. Without the rules, the behavior would be very similar, only with the action "lookup" instead o...
by lurker888
Fri Mar 28, 2025 1:30 am
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

It's considered "established".

Next up will be to disable fasttrack. Sounds good, doesn't work.
by lurker888
Thu Mar 27, 2025 11:17 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Since you're seeing something that seems to completely contradict the documentation, I actually prototyped the issue fully. (I drank too much coffee and have too much time on my hands.) In this case of course I control the DHCP server. When I force the client to renew (and of course it's NAK'd, and ...
by lurker888
Thu Mar 27, 2025 9:58 pm
Forum: General
Topic: IPv6 Setup Weirdness [SOLVED]
Replies: 25
Views: 10701

Re: IPv6 Setup Weirdness [SOLVED]

You could log the RAs you receive. Maybe your provider doesn't send any? For an internal host I'm logging 2025-03-27 19:53:03 radvd,debug received Router Advertisement on vlan100-local from fe80::dc2c:6eff:fe48:9517 2025-03-27 19:53:03 radvd,debug mtu 1480 2025-03-27 19:53:03 radvd,debug DNS server ...
by lurker888
Thu Mar 27, 2025 9:15 pm
Forum: General
Topic: IPv6 Setup Weirdness [SOLVED]
Replies: 25
Views: 10701

Re: IPv6 Setup Weirdness [SOLVED]

other-configuration (yes | no; Default: no) The flag indicates whether hosts should use stateful autoconfiguration to obtain additional information (excluding addresses). Give it a try. You will probably have to reboot. That's just for emitted RAs. BTW he's already running a DHCP client, which is ...
by lurker888
Thu Mar 27, 2025 9:11 pm
Forum: General
Topic: Make WireGuard VPN accessible from anywhere
Replies: 2
Views: 946

Re: Make WireGuard VPN accessible from anywhere

Hi, You just have to make your Wireguard server reachable from wherever it is you want to connect from. If the Mikrotik is not your Internet gateway, then this involves port forwarding; if it is then that doesn't have to be done. The default firewall blocks incoming connections, so you'll probably h...
by lurker888
Thu Mar 27, 2025 8:57 pm
Forum: General
Topic: IPv6 Setup Weirdness [SOLVED]
Replies: 25
Views: 10701

Re: IPv6 Setup Weirdness [SOLVED]

Just a note. When the "accept router advertisement" setting is changed, it only takes effect after a reboot. (Newer versions have a warning about this.)
by lurker888
Thu Mar 27, 2025 6:32 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Looked it up amongst the kernel patches. For some time period the behavior was indeed to purge the connections if the address changed (or added/removed). This was reverted, and it is not the behavior any more. The purging of the entries only happens on link down. (At least for the 5.6 that Mikrotik ...
by lurker888
Thu Mar 27, 2025 5:32 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Could you also share the sniffed packets as received and transmitted by the rb5009, both on the external and internal interface?
by lurker888
Thu Mar 27, 2025 4:05 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

If I can provide any more information or config, please let me know.
Exactly! Do so. A full config would be the first step. (Redact private stuff as needed.)
by lurker888
Thu Mar 27, 2025 3:43 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

Well, exactly that's the reason I think it's a bug, because there is no src-nat rule in place. I'm using masquerade only: In my experience the masquerade part of conntrack works correctly and purges the appropriate entries. I'm not trying to be dismissive, but I would assume that there is somethin...
by lurker888
Thu Mar 27, 2025 3:34 pm
Forum: General
Topic: rOS for L2 switches
Replies: 6
Views: 1188

Re: rOS for L2 switches

I would agree with the others. Just having proper encrypted management access is enough to push me in the RouterOS direction. I also find having all sorts of router and VPN functionality, MVRP etc. really nice. I wouldn't exactly say take SwOS out the back and shoot it. I'd rather put it in marketin...
by lurker888
Thu Mar 27, 2025 3:28 pm
Forum: General
Topic: DHCP snooping bridge and tagged interfaces
Replies: 3
Views: 1070

Re: DHCP snooping bridge and tagged interfaces

When posting questions like this it is always nice to include a full configuration export of your device, because settings may have (seemingly strange) interactions. (/export file=choseaname; you may wish to read this over and redact any information you don't want to share.) That said, what you descr...
by lurker888
Thu Mar 27, 2025 3:13 pm
Forum: General
Topic: Feature Request: Specify Source Address in DNS Server
Replies: 8
Views: 4586

Re: Feature Request: Specify Source Address in DNS Server

Maybe I'm totally confused, but I understand OP to mean that he wants to make the DNS server's queries (when recursing) to come from a different source address *depending on* who the request was received from. The in-built resolver doesn't support anything like this. This would also necessarily invo...
by lurker888
Thu Mar 27, 2025 2:57 pm
Forum: General
Topic: Connection tracking table not cleared completely after WAN IP address change
Replies: 38
Views: 13256

Re: Connection tracking table not cleared completely after WAN IP address change

It works as designed. To elaborate a bit, there is a difference between NAT action=masquerade and action=src-nat. In case masquerade is used, the conntrack entries are purged automatically. For src-nat they are not. In this case you can clear them using a script as suggested. This doesn't affect conn...
by lurker888
Thu Mar 27, 2025 1:11 pm
Forum: General
Topic: WAN NAT assigned source port being used as destination port on LAN for SNMP acknowledgements
Replies: 5
Views: 1422

Re: WAN NAT assigned source port being used as destination port on LAN for SNMP acknowledgements

No need to apologize; everyone's just here to help. (Okay, sometimes people just come for some fun flame wars :-) )

Glad it's resolved.
by lurker888
Thu Mar 27, 2025 1:03 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

In principle you don't want to set bridge port as tagged member of a VLAN if you don't intend CPU to interact with that VLAN over that bridge. [...] So I'm eager to hear use case for such setup. Huh? That's just not true. Maybe you are assuming that the MT in question is a router that will also be ...
by lurker888
Thu Mar 27, 2025 12:40 pm
Forum: Beginner Basics
Topic: When is connection-nat-state applied (default firewall rule)?
Replies: 13
Views: 2704

Re: When is connection-nat-state applied (default firewall rule)?

I was kind of surprised that mikrotik doesn't have the option to change the default policy as expanded upon in many other threads, especially considering how straight-forward it is to do in iptables; maybe there is some other technical issue, maybe it's just not worth their time since a drop all rul...
by lurker888
Thu Mar 27, 2025 1:55 am
Forum: MikroTik hardware questions
Topic: Replacing a flash drive - problem with the Software-ID
Replies: 33
Views: 10568

Re: Replacing a flash drive - problem with the Software-ID

Okay, I couldn't resist adding an example of how to do it correctly. Watch from 3:17
https://www.youtube.com/watch?v=PYIEP0u ... e6&index=3

The guy is an instructor with top notch equipment including proper non-ocular (stereoscopic) magnification.
by lurker888
Thu Mar 27, 2025 1:13 am
Forum: MikroTik hardware questions
Topic: Replacing a flash drive - problem with the Software-ID
Replies: 33
Views: 10568

Re: Replacing a flash drive - problem with the Software-ID

Well.. I'm an EE and neither me, nor my colleagues, nor the technicians that I worked with had any difficulty in soldering these things with just a normal soldering iron (Weller TCP / Hakko fx-888, etc.) and tweezers. (And with better ones like the Hakko fx-951 it's much easier.) I tried to look up ...
by lurker888
Wed Mar 26, 2025 9:18 pm
Forum: MikroTik hardware questions
Topic: Replacing a flash drive - problem with the Software-ID
Replies: 33
Views: 10568

Re: Replacing a flash drive - problem with the Software-ID

Or you can just cut off the plastic pins. BTW soldering these low pin count SONs with a normal soldering iron is totally possible, if not necessarily fun. And the cheap hot air stations go for under USD 100 and work completely fine. (Of course the USD 1000+ brand name ones look nicer :-) ) Many people...
by lurker888
Wed Mar 26, 2025 1:36 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Also please update the software on your device to something recent; I would suggest the latest stable version 7.18.2. Bugs are fixed all the time and devices usually ship with quite ancient versions. Please don't forget that the bootloader/firmware (called RouterBoot) has to be updated as a separate...
by lurker888
Wed Mar 26, 2025 1:28 am
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

[...] the only thing I cannot wrap my head around is that the same "address=192.168.0.180/24" can actually be applied to multiple different interfaces without causing RouterOS to get confused. Having the same address and subnet on multiple interfaces only becomes problematic when routing ...
by lurker888
Tue Mar 25, 2025 11:35 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

How is it "reserved"? Or, how is "bridging between access ports to VLAN XYZ" different from "bridging between untagged ports"? What would be the purpose of a managed switch if you could not make an "untagged port" (= access one) a member of whatever VLAN you ...
by lurker888
Tue Mar 25, 2025 11:10 pm
Forum: General
Topic: Local connection to nated gameserver very slow / high ping
Replies: 21
Views: 2591

Re: Local connection to nated gameserver very slow / high ping

Well... your setup seems ok based on a cursory reading. How high do your pings get? Compared to your friends? Make sure that you are addressing your server via the router's *external* address even from the inside. You can always enable logging for your hairpin nat rule to check if all the address tr...
by lurker888
Tue Mar 25, 2025 10:51 pm
Forum: General
Topic: [Bug-Fix-Request] DHCP-Option 82 on hEX S not disable HW-Forward by default
Replies: 13
Views: 3779

Re: [Bug-Fix-Request] DHCP-Option 82 on hEX S not disable HW-Forward by default

[...] If you have a WAN port outside of the bridge, then fasttrack would still be working for connections between the WAN port and the interfaces on the bridge (including VLANs), but both fast path and fasttrack will be ineffective for any traffic between members of the bridges (such as inter-VLAN ...
by lurker888
Tue Mar 25, 2025 10:43 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

Perhaps this is what you are getting at, but most of these aforementioned switches will reserve VID 1 as an "untagged" VLAN, and likely will either not accept (or egress) tags on a trunk port with VID=1 (because it won't allow you to configure that as a valid trunk tagged ID to begin with...
by lurker888
Tue Mar 25, 2025 10:28 pm
Forum: General
Topic: routerOS & Mikrotik for the noobs
Replies: 6
Views: 1562

Re: routerOS & Mikrotik for the noobs

RouterOS generally exposes the networking system of the Linux kernel almost directly to the user. That means that you generally have to know what you're doing to configure it correctly. The other commenters are completely correct in that it doesn't require any sort of diploma or formal training, but...
by lurker888
Tue Mar 25, 2025 7:51 pm
Forum: General
Topic: WAN NAT assigned source port being used as destination port on LAN for SNMP acknowledgements
Replies: 5
Views: 1422

Re: WAN NAT assigned source port being used as destination port on LAN for SNMP acknowledgements

Hi! The firewall NAT actions src-nat and masquerade do the reverse port translation correctly, so what you describe is probably not what is happening. (Or not all that is happening.) To clear up the situation: create a packet capture on *both* the LAN and WAN side for these packets. (This can be don...
by lurker888
Tue Mar 25, 2025 7:28 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

If you don't mind me hijacking the thread a bit about vlan 1. I fully agree with @sindy, that "don't use vlan 1" has become somewhat of a meme on this forum, and I also agree that memes in and of themselves are often not very useful. However this does have some basis in reality. In most sw...
by lurker888
Tue Mar 25, 2025 3:24 pm
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Hello lurker888, many thanks for your reply! And pointing out the somewhat interesting choice of router model (sadly, I was not involved in the purchasing decision) - we might revisit this decision! Don't worry then. If you're looking for long-term reliability then I would seriously consider someth...
by lurker888
Tue Mar 25, 2025 12:41 pm
Forum: Beginner Basics
Topic: 1:1 NAT / DNAT configuration help
Replies: 19
Views: 2711

Re: 1:1 NAT / DNAT configuration help

Hi, what you want to do comes up quite frequently in industrial automation type scenarios. The good news is that it absolutely can be done, however it requires something called "policy routing", which is not the easiest for a first try at configuring Mikrotik devices. Some ideas: https://f...
by lurker888
Tue Mar 25, 2025 12:16 pm
Forum: General
Topic: My recent VLAN fiasco [SOLVED]
Replies: 48
Views: 13717

Re: My recent VLAN fiasco [SOLVED]

@sindy @erlinden I thought I was starting to understand, but I am lost again :? I am not sure about the difference between a purely trunk bridge-the-port or a hybrid bridge-the-port. Why would I choose one configuration over the other? I am not sindy or erlinden but... You should realize that the...
by lurker888
Tue Mar 25, 2025 11:53 am
Forum: Beginner Basics
Topic: When is connection-nat-state applied (default firewall rule)?
Replies: 13
Views: 2704

Re: When is connection-nat-state applied (default firewall rule)?

I agree with almost everything said in this thread. The default firewall rules as written are totally correct, and match what most (not really configurable) off-the-shelf routers provide. However I also think that it would be easier to understand and modify them if they were split up to be more expl...
by lurker888
Tue Mar 25, 2025 11:27 am
Forum: Beginner Basics
Topic: CRS326-4C+20G+2Q+ high CPU with incoming packets
Replies: 6
Views: 1596

Re: CRS326-4C+20G+2Q+ high CPU with incoming packets

You chose option 1. Good for you!

I would suggest checking out number 2 as well. It's much cleaner - at least in my estimation. You will get the same throughput.
by lurker888
Fri Mar 21, 2025 6:16 am
Forum: Beginner Basics
Topic: CRS326-4C+20G+2Q+ high CPU with incoming packets
Replies: 6
Views: 1596

Re: CRS326-4C+20G+2Q+ high CPU with incoming packets

Hi! You're jumping in on the deep end here. What you want can generally be done, but expect a bit of a learning curve on the way. Actually I've helped someone with a setup similar to yours recently and the results were very satisfying. The CRS (Cloud Router Switch) devices are named quite awkwardly,...
by lurker888
Thu Mar 20, 2025 1:04 pm
Forum: General
Topic: Blocking the "standard"/most common DNS-over-HTTPS servers
Replies: 15
Views: 2442

Re: Blocking the "standard"/most common DNS-over-HTTPS servers

It should return NXDOMAIN. So it depends on what you mean by "blocked". It seems I have misinterpreted the mentioned article (and how Pi-hole responds to blocked domains). I interpreted the article as saying that as long as the domain doesn't resolve in a completely normal manner, it's co...
by lurker888
Thu Mar 20, 2025 7:35 am
Forum: General
Topic: Blocking the "standard"/most common DNS-over-HTTPS servers
Replies: 15
Views: 2442

Re: Blocking the "standard"/most common DNS-over-HTTPS servers

It should return NXDOMAIN. So it depends on what you mean by "blocked".
by lurker888
Thu Mar 20, 2025 12:11 am
Forum: General
Topic: Blocking the "standard"/most common DNS-over-HTTPS servers
Replies: 15
Views: 2442

Re: Blocking the "standard"/most common DNS-over-HTTPS servers

Don't forget the use-application-dns.net stuff. In my experience lots of software obeys it.
by lurker888
Wed Mar 19, 2025 10:02 pm
Forum: General
Topic: Blocking the "standard"/most common DNS-over-HTTPS servers
Replies: 15
Views: 2442

Re: Blocking the "standard"/most common DNS-over-HTTPS servers

I happen to have tackled this problem. I have a blocklist of IP addresses for the common external resolvers. Currently it sits around 1700 IPs (and roughly 1000 IPv6 addresses). To be a bit more exact in what I found useful as a solution: * block outgoing ports 53 and 853 (udp and tcp) * block all ou...
by lurker888
Wed Mar 19, 2025 4:35 pm
Forum: Beginner Basics
Topic: Q-in-Q Questions L2MTU [SOLVED]
Replies: 4
Views: 8228

Re: Q-in-Q Questions L2MTU [SOLVED]

The reference can be found here BTW with pretty diagrams :-) https://help.mikrotik.com/docs/spaces/ROS/pages/21725296/MTU+in+RouterOS EDIT: Usually Mikrotik devices set up the L2MTU by default with some 1500+ value, and this takes into account the buffer memory stuff that I talked about in my answer...
by lurker888
Wed Mar 19, 2025 4:33 pm
Forum: Beginner Basics
Topic: Q-in-Q Questions L2MTU [SOLVED]
Replies: 4
Views: 8228

Re: Q-in-Q Questions L2MTU [SOLVED]

Oopsie, Mikrotik counts things differently than I'm used to. Sorry. I'll edit the original answer shortly.

For MPLS/VPLS, the MTU stays the same, but the L2MTU must be increased by 4 per MPLS tag and 4 + 14 for a VPLS tag + the internal ethernet header.
by lurker888
Wed Mar 19, 2025 3:42 pm
Forum: Beginner Basics
Topic: Q-in-Q Questions L2MTU [SOLVED]
Replies: 4
Views: 8228

Re: Q-in-Q Questions L2MTU [SOLVED]

Short answer: yes, you have it correct. MTU refers to the IP packet size, and well behaved Internet circuits have an MTU of 1500 by agreement. You may consider increasing this in the following scenarios: * you want to use (IP-level) encryption; IPSec, Wireguard, etc. all have per packet overheads. I...
by lurker888
Wed Mar 19, 2025 3:05 pm
Forum: General
Topic: installation of system-7.18.2 failed: disk is too small
Replies: 10
Views: 1849

Re: installation of system-7.18.2 failed: disk is too small

Hello, there was some issue around that version where the kernel partition was too small (i don't know - sometimes?), and some sort of repartitioning took place automatically. There may be some hardcoded values there. Anyhow, I'm willing to bet you a flash chip (ha-ha) that after a netinstall it wil...
by lurker888
Wed Mar 19, 2025 6:36 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

Hi, thanks for the good news :) I figured out what that was. As soon as I turn on my studio mixer which is equipped with a DANTE card that is connected to the network, the cpu jumps up. Good to hear. DANTE (and other A/V protocols) tend to use multicast. These streams load your device in two ways: * bridging:...
by lurker888
Tue Mar 18, 2025 11:08 am
Forum: Beginner Basics
Topic: VLAN tagging on hap AX3 drives me crazy [SOLVED]
Replies: 5
Views: 10049

Re: VLAN tagging on hap AX3 drives me crazy [SOLVED]

I would add two things to the discussion, maybe you will find them helpful. First, the "enable VLAN filtering" on the bridge level is one of worst names that could have been given to this option. With this option disabled, the bridge will act as a "dumb" switch, and will perform ...
by lurker888
Tue Mar 18, 2025 8:17 am
Forum: Wireless Networking
Topic: Guest Network: VLAN vs. Bridge
Replies: 10
Views: 2723

Re: Guest Network: VLAN vs. Bridge

The usual advice to have one bridge with VLAN filtering enabled is solid, and is the preferred approach. So this is what I will suggest. Especially for the first time, configuring VLAN filtering can be daunting, and configuring it wrong can easily lead to a loss of access to your device, so your onl...
by lurker888
Tue Mar 18, 2025 7:50 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

Hi! I'm glad that at least your DNS woes are over. The device that you have is able to handle approximately 500 Mbps of traffic. (In the specs look at performance numbers for 512 byte packets / 25 firewall filter rules.) The CPU load - especially at low traffic volumes - is very non-linear with thro...
by lurker888
Tue Mar 18, 2025 7:37 am
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

What you actually want is overlay networking of some type. There are many possible standards and realizations to choose from, but currently VXLAN seems to be the weapon of choice across vendors. The ASICs that support this type of operation can sometimes (usually?) be configured to do what you want ...
by lurker888
Mon Mar 17, 2025 7:40 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

I tried to include both a technically correct answer as to why this is not possible and a subtle reference to the X-Y problem.

https://en.wikipedia.org/wiki/XY_problem
by lurker888
Mon Mar 17, 2025 5:17 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

No, this cannot be done. On the fourth port you prescribe that a broadcast packet that comes in with tag 500 should be reflected to the same port with tag 501. To further complicate this, a broadcast packet arriving on another port of your bridge4 would have to be sent out twice (multiplied) both wi...
by lurker888
Mon Mar 17, 2025 4:12 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

@maxxch Yes, it is possible. And I'm happy to give you an example. But before I do, could you please carefully reread what I have written, and confirm that I have correctly understood what you want to do. (I am not doubting that you somehow need this, but - at least from what I've seen - it's quite ...
by lurker888
Mon Mar 17, 2025 2:42 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

I will assume then "q-tag" means the normal 802.1q (ethertype 0x8100) tags. I will also assume that each customer has one physical connection to your switch. And I take it that you want to connect q-tag-10 between Customer-2 and Customer-3. But that you would want not to connect Customer-2...
by lurker888
Mon Mar 17, 2025 2:05 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

Edited with possible cases.

EDIT:
If you only want separate switching domains, then adjusting the forwarding vector would already solve all your problems.
by lurker888
Mon Mar 17, 2025 2:00 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

My bad. I completely thought that you wanted routing. No, indeed it can only offload a single (VLAN-aware) bridge. All other devices will be the same. I can't imagine what you would want to do that would necessarily require two bridges. Roughly here are the cases: * You don't use VLANs on the bridge...
by lurker888
Mon Mar 17, 2025 12:16 pm
Forum: General
Topic: CRS520 hw-offloading problem
Replies: 19
Views: 2122

Re: CRS520 hw-offloading problem

This is indeed expected behavior. And exactly correct. These (and all other) switch chips can only offload one bridge. Most manufacturers just "implicitly" put all ports into a bridge and don't even expose you to this. Mikrotik allows more than one bridge, but - again - only one can be han...
by lurker888
Sun Mar 16, 2025 3:56 pm
Forum: General
Topic: Request for Latest Modified Kernel Source Code and Ongoing Updates under GPL License
Replies: 38
Views: 4547

Re: Request for Latest Modified Kernel Source Code and Ongoing Updates under GPL License

I thought I shouldn't stick my nose into this, but this is as far as I could resist :-) Amm0 is absolutely right, this is a user forum. (The server is provided by MikroTik, but basically that and minimal maintenance is as far as their involvement goes. Though some of their employees lurk around here...
by lurker888
Sun Mar 16, 2025 1:09 pm
Forum: Forwarding Protocols
Topic: iBGP setup / RouterOS 7.18.2 Documentation
Replies: 1
Views: 1373

Re: iBGP setup / RouterOS 7.18.2 Documentation

Hi,

Basically the wiki.mikrotik.com stuff refers to v6.xx of RouterOS; the docs for the newer v7 - which I guess you're using - are at help.mikrotik.com

So in your case I would take a look at
https://help.mikrotik.com/docs/spaces/R ... 328220/BGP
by lurker888
Sat Mar 15, 2025 12:48 pm
Forum: General
Topic: CCR1036 vs CCR2116 CGNAT
Replies: 10
Views: 2273

Re: CCR1036 vs CCR2116 CGNAT

Thanks for the detailed stats!

So the software actually makes quite good choices about what to offload. In one case 2.25k / 300k unloads 40% of traffic, in the other 4k / 370k unloads 65%. Nice. You were right, that's absolutely worthwhile.

It's good to hear some success stories here sometimes.
by lurker888
Sat Mar 15, 2025 2:16 am
Forum: General
Topic: MSTP on VLAN interface that is part of the bridge
Replies: 3
Views: 1137

Re: MSTP on VLAN interface that is part of the bridge

I'm not sure I understand your problem exactly.

Do you want physical redundancy i.e. have two (essentially parallel) wires connecting your routers, so that if one fails, the other takes over?
by lurker888
Sat Mar 15, 2025 1:35 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

Nevertheless you did a pretty good job. First, when configuring dhcp networks, don't specify the netmask. The address prefix length will be used automatically (/24). (For some particular setups these may need to be mismatched, but those are very unusual.) Yes, the allow-remote-requests is off by defa...
by lurker888
Sat Mar 15, 2025 12:31 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

It's always safe to flush the DNS cache. It's up to you. The DNS cache - were it not for the firewall misconfiguration - should be almost empty. One of the strange things about your config is that you enabled the dns "allow-remote-requests" thingy, and you configured lots of static records...
by lurker888
Sat Mar 15, 2025 12:07 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

That's what I meant. Looks good. Is the DNS load gone? I'm not especially concerned with the networking/bridging/firewall etc. load - that's normal if you're using it. According to its published measurements it can do ~500Mbps, and CPU usage is not linear, so I wouldn't be surprised if a couple of R...
by lurker888
Fri Mar 14, 2025 11:46 pm
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

NO! You misunderstood something.

I think you just moved your *forward* rule, but that's not what I meant.

The *forward* rule was correct, and in the correct place. Return it!

Add the same rule, just to the *input* chain, and place that at the end!
by lurker888
Fri Mar 14, 2025 10:52 pm
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

The problem is in your firewall rules. Somehow the "input drop all !LAN" got deleted from the default. Add it back and your problem will probably be done. You have to add this to the end of your rules. The syntax is: add action=drop chain=input comment="Drop all not coming from LAN an...
by lurker888
Fri Mar 14, 2025 9:54 pm
Forum: General
Topic: RB5009 intermittent boot issue
Replies: 7
Views: 3858

Re: RB5009 intermittent boot issue

This may not be too helpful, but when I had similar issues, it was the power supply gradually failing. If you have one handy, try testing it with a known good one. At least in my experience these power bricks fail way more often than the routers themselves.
by lurker888
Fri Mar 14, 2025 9:43 pm
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

First of all, sorry for the CCR assumption, I was looking as loloski's screencap, not yours. The firewall rules seem to be the default, and they are quite good. They should protect you from this sort of things if everything else is set up correctly, so while the rules you wrote are not bad, the &quo...
by lurker888
Fri Mar 14, 2025 8:55 pm
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

The DNS load would account for your increased CPU usage. That kind of load on a CCR1036 would mean that it's serving the DNS load for several thousand machines (more like tens of thousands...) I presume this is not your use case. Together with the fact that reverting the software didn't help, and th...
by lurker888
Fri Mar 14, 2025 6:44 pm
Forum: General
Topic: CCR1036 vs CCR2116 CGNAT
Replies: 10
Views: 2273

Re: CCR1036 vs CCR2116 CGNAT

Only around 2K connections can be offloaded. 2k connections at 2mbps each connection can add up to around 4gbps; for a device like ccr2116 with an estimated throughput of 20gbps that's around 20%, it is not something insignificant. I have seen a significant reduction in cpu usage with this offload featur...
by lurker888
Fri Mar 14, 2025 2:29 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 525
Views: 211166

Re: v7.19beta [testing] is released!

The problems with splitting the software in many small packages are: 1. some packages may be or get dependent on others, and the architecture has no provision for "pulling in packages". e.g. in v6 there were separate packages for "security" (encryption), "ppp", "d...
by lurker888
Fri Mar 14, 2025 5:58 am
Forum: General
Topic: CCR1036 vs CCR2116 CGNAT
Replies: 10
Views: 2273

Re: CCR1036 vs CCR2116 CGNAT

The CCR1036 has been discontinued. I hear that they are still available second hand... only this would make me buy the CCR2116. I have no experience with the CCR1036, but I have used the 2116 for CGNAT. They can easily push 10Gb+ even without fasttrack. Even with bonding the interface limit is pract...
by lurker888
Fri Mar 14, 2025 4:01 am
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 525
Views: 211166

Re: v7.19beta [testing] is released!

Oh, I see. Some GTS root certificates are cross-signed with other roots "to ensure optimal support across a wide range of devices", as per their FAQ. In any case, I think GTS is a CA big enough to be considered. It has its own ACME implementation that is used in-house (by Firebase servic...
by lurker888
Fri Mar 14, 2025 3:49 am
Forum: Beginner Basics
Topic: after upgrade to 6.49.18 CPU Spikes
Replies: 25
Views: 4067

Re: after upgrade to 6.49.18 CPU Spikes

Tools->Profile gives some insight.
by lurker888
Fri Mar 14, 2025 3:40 am
Forum: Beginner Basics
Topic: RouterOS Isolated Management Port Setup, help
Replies: 6
Views: 1787

Re: RouterOS Isolated Management Port Setup, help

Hi there! You got some good pointers, let me give my two cents. Hey guys, I am trying to set up a dedicated management port in RouterOS, kind of like how SWOS handles it, completely isolated from any other ports on the switch, meaning only devices connected to the management port can manage the swit...
by lurker888
Fri Mar 14, 2025 2:59 am
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 525
Views: 211166

Re: v7.19beta [testing] is released!

I'm curious as to why GTS (Google Trust Services) root CAs are missing in built-in root certificate authorities. The situation with GTS is a little involved. The short answer: The certs issued by GTS *are* trusted under the current collection of Mikrotik trust anchors. (I have verified this with go...
by lurker888
Wed Mar 12, 2025 4:26 pm
Forum: General
Topic: Upgrade or no (revisited)
Replies: 13
Views: 2068

Re: Upgrade or no (revisited)

Just my two cents. For devices which you don't want to fuss around with, test things, possibly netinstall, a usual recommendation is to avoid using "bare" release versions (because they usually contain improvements/fixes that sometimes break things) and use the latest "point release&q...
by lurker888
Wed Mar 12, 2025 4:00 pm
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 525
Views: 211166

Re: v7.19beta [testing] is released!

I'm happy to confirm that the DHCP snooping issue is fixed in beta4. (At least for me.) Setting the DHCP client "routing table" parameter to "default" from Winbox (v3) and Webfig still doesn't work correctly. (In fact, the default is "main", and trying to set it to &quo...
by lurker888
Wed Mar 05, 2025 9:12 am
Forum: Beginner Basics
Topic: hAP ax2 upgrade to 7.18 don't have interface wifi
Replies: 5
Views: 2482

Re: hAP ax2 upgrade to 7.18 don't have interface wifi

I saw your other post about the 10Mbps problem as well. It's not clear to me what your problem is... When you say *all* ports go to 10 Mbps, what did you do to verify that? I see that you are using a usb-to-ethernet adapter. What other device verifies the same problem? It's not clear whether you ma...
by lurker888
Wed Mar 05, 2025 7:03 am
Forum: Beginner Basics
Topic: hAP ax2 upgrade to 7.18 don't have interface wifi
Replies: 5
Views: 2482

Re: hAP ax2 upgrade to 7.18 don't have interface wifi

Hi! At around 7.13 the wireless drivers were shuffled around. You need to install the "wifi-qcom" package. On your device you can do this by going to System->Packages, click "Check for updates", (a lot of packages should appear greyed out), you then select the package "wifi-...
by lurker888
Tue Mar 04, 2025 11:07 pm
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

Generally, I am in agreement with you that router manufacturers do shady stuff, mostly in order to be able to claim the highest speeds with the puniest possible CPUs. Let's be clear, by shady I mean that what they actually do is undisclosed (very bad!) and generally, when reverse engineered (usually...
by lurker888
Tue Mar 04, 2025 10:01 am
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

Part of my testing procedure was moving the DHCP server and client configs around from interface to interface, between interfaces and bridges. I didn't find any cases where DHCP communications unexpectedly worked when applied to an interface other than one I was directly connected to. I managed to ...
by lurker888
Tue Mar 04, 2025 9:23 am
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

Yep. All the MAC-* (mac-telnet, mac-winbox, mac-ping) also use raw sockets. I consider the only correct configuration for these outside of a homelab setting to be either "none" or a single trusted port or vlan. I don't exactly get the point that @mkx makes. Probably just a misunderstanding...
by lurker888
Tue Mar 04, 2025 8:14 am
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

You are really getting into this :-) First of all: you should get the same result whether the interface is a bridge or a "naked" port. And indeed you will, if you turn off use-ip-firewall (as you should). The setting use-ip-firewall actually utilizes a feature of ebtables (bridge filter in...
by lurker888
Tue Mar 04, 2025 3:44 am
Forum: Announcements
Topic: v7.19beta [testing] is released!
Replies: 525
Views: 211166

Re: v7.19beta [testing] is released!

Yep. DHCP snooping has some sort of major problem. I updated a previously working rb5009 router (from 7.18 stable) to 7.19b2, and can't ping/connect to the router through a bridge that has VLAN filtering and DHCP snooping enabled. A bit weirdly the DHCP server works correctly (provided by the same r...
by lurker888
Mon Mar 03, 2025 9:13 pm
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

As mkx said, of the usual services only DHCP is special.

Mikrotik does allow you access to the netfilter raw chain (/ip firewall raw) and yes, it can be used to filter DHCP packets. I can't think of a practical use for this, but it is possible.
by lurker888
Mon Mar 03, 2025 8:45 am
Forum: General
Topic: BOOTP/DHCP bypasses NAT firewall
Replies: 20
Views: 3414

Re: BOOTP/DHCP bypasses NAT firewall

Actually no. The firewall simply does not apply to the packets of the dhcp client. This may sound strange, but in fact it is quite logical. The DHCP client must send and receive packets while the interface in question has no valid ip configuration. In this state it is not possible to bind a normal s...
by lurker888
Sun Mar 02, 2025 5:01 pm
Forum: General
Topic: DNS timeout when using router's DNS
Replies: 5
Views: 2266

Re: DNS timeout when using router's DNS

Hi, The default firewall only accepts DNS queries from members of the LAN interface list. Make smarthome a member. This should solve your immediate issue. You should also remove ether1 from the WAN interface list. (You are not actually receiving internet on ether1, but on the pppoe interface.) Also,...
by lurker888
Sat Mar 01, 2025 11:04 pm
Forum: MikroTik hardware questions
Topic: RB4011iGS+5HacQ2HnD-IN vs RB4011iGS+RM Tested ambient temperature
Replies: 12
Views: 6100

Re: RB4011iGS+5HacQ2HnD-IN vs RB4011iGS+RM Tested ambient temperature

First of all, the specified temperatures in the specification all refer to *ambient* temperature, that is: locate it in a normally ventilated (non-obstructed) place and put a (normal room) thermometer let's say 30cm from it. What that reads is the temperature data sheets refer to. Yes, the WiFi chip...
by lurker888
Fri Feb 28, 2025 10:45 pm
Forum: General
Topic: Use /24 FW rules for /23 subnets
Replies: 34
Views: 6373

Re: Use /24 FW rules for /23 subnets

@BartoszP My experience regarding allocations from a pool does not match yours. I've used next-pools for many years to assign openvpn addresses in /30 subnet schemes (long story why /30 was needed), and what I found is that if the first pool has a free address, then that is always allocated, and onl...
by lurker888
Mon Feb 17, 2025 3:37 pm
Forum: General
Topic: RSTP issue with Cisco switches
Replies: 5
Views: 3186

Re: RSTP issue with Cisco switches

Basically PVST and PVST+ (and R-PVST+) in general were designed as a better alternative to the STP-RSTP protocols. In that they succeeded. MSTP coming about muddled things a bit; while achieving the same general goal (per-VLAN spanning trees), it does so very differently. (MSTP does not address redu...
by lurker888
Mon Feb 17, 2025 12:35 pm
Forum: General
Topic: RSTP issue with Cisco switches
Replies: 5
Views: 3186

Re: RSTP issue with Cisco switches

Hi, You describe a lot of things. Just to make a few points: * Mikrotik and CISCO stuff are fully compatible on the RSTP front. STP nowadays should not be used. MSTP is simply unnecessary. PVST and its variants are not supported by Mikrotik. Stick with RSTP. * That a root bridge is selected is norma...
by lurker888
Mon Feb 17, 2025 12:22 pm
Forum: General
Topic: Why are these caught by "drop invalid"
Replies: 9
Views: 3328

Re: Why are these caught by "drop invalid"

I don't know why you would want to log these packets at all. For educational/testing, ok, sure. But this rule has been used like this in basically every Linux machine, cloud server, etc. forever, and no one got hurt. You could log not-FIN invalid, as BartoszP suggested, but again: IP is not designed...
by lurker888
Mon Feb 17, 2025 12:08 pm
Forum: Beginner Basics
Topic: Change address space
Replies: 7
Views: 3381

Re: Change address space

Yet another approach. Mikrotiks allow you to have more than one address on an interface. We will use this temporarily: 1. Add (not change/modify) an address of 192.168.87.1/24 to your LAN interface (probably bridge) 2. Reconfigure DHCP. Change the IP Pool to e.g. 192.168.87.100-192.168.87.253 and th...
by lurker888
Sun Feb 16, 2025 10:25 pm
Forum: General
Topic: OPEN VPN Server with iPhone
Replies: 9
Views: 3938

Re: OPEN VPN Server with iPhone

Hi! First of all, configuring openvpn is not complicated, but not simple. This is not because of what Mikrotik does, it's just how openvpn is. Regarding certificates. Usually openvpn is deployed with self-signed certificates (that is: ones that cannot be verified by the public PKI system). The certi...
by lurker888
Sun Feb 16, 2025 7:26 pm
Forum: General
Topic: Why are these caught by "drop invalid"
Replies: 9
Views: 3328

Re: Why are these caught by "drop invalid"

This is a common question for the linux nf_conntrack machinery. There is much discussion around how a TCP connection starts (the three-way handshake), but much less is said about how it ends. It ends with a FIN (can also be FIN ACK) packet from the side closing the connection, and a FIN, ACK is sent...
by lurker888
Fri Feb 14, 2025 6:31 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

That's totally fine. You will still have to do step 1 of what I wrote - in order for the router itself to be able to do "automatic" updates, access the IP->Cloud things (DDNS, time service...) You can set its DNS server to the Adguard, but personally I wouldn't. No use in having ad blockin...
by lurker888
Fri Feb 14, 2025 6:23 pm
Forum: General
Topic: How to Load Balance a 2x1gbps from a single router
Replies: 17
Views: 3833

Re: How to Load Balance a 2x1gbps from a single router

Sir @anav, you must be joking. You do know that the rb5009 does indeed have an sfp+ port, right? In fact I think that this is probably the best device to receive a "multi-gig" internet connection. It's usually delivered on a copper 2.5GbE, and you can fan out either using the 1G ports on t...
by lurker888
Fri Feb 14, 2025 6:09 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

Glad to hear it worked out!
by lurker888
Fri Feb 14, 2025 6:02 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

Some more notes: * You'll also have to set up the DNS server(s) manually (now you're getting them via dhcp); google is 8.8.8.8 and 8.8.4.4, cloudflare: 1.1.1.1 (IP->DNS) * You are currently giving out (via your dhcp server -> networks configuration) 192.168.8.11 to your clients to use for dns. Is this...
by lurker888
Fri Feb 14, 2025 5:46 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

That point in time was now. You have a misconfiguration. On ether 1 you can either: * use a DHCP client to acquire an address and a default route * set an address manually and configure a default route by hand You have attempted to do both, the second one only halfway. Your test results are actually...
by lurker888
Fri Feb 14, 2025 5:32 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

Yep. Those logs are normal.

The "cloud time" thing is also normal. These devices don't have a proper (external, battery-backed) RTC, so they lose a few tens of seconds at each reboot.

I'll take a look at your config - at some indefinite point in time in the future :-)
by lurker888
Fri Feb 14, 2025 4:08 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

I meant logs on the Mikrotik. Have a look. They should contain details.

I am baffled by your results.

Otherwise please post full config export of your ac3.
by lurker888
Fri Feb 14, 2025 2:29 pm
Forum: General
Topic: Help with Latency problem needed [SOLVED]
Replies: 15
Views: 4953

Re: Help with Latency problem needed [SOLVED]

Hi there! Getting "net unreachable" (that fast) means that there is no route to the network present. This can happen because of some sort of DHCP confusion or port flapping. Port flapping is the common one. Can you confirm that you don't have link up/down notifications (in the log) and the...
by lurker888
Thu Feb 13, 2025 12:56 am
Forum: Announcements
Topic: v7.18beta [testing] is released!
Replies: 573
Views: 190619

Re: v7.18beta [testing] is released!

I was checking out the following feature: *) dhcpv4-client - allow selecting to which routing tables add default route; It's really nice that you have added this. A really nice addition to make multi-WAN setups simpler! However I found a few issues and also I would like to make a suggestion. About t...
by lurker888
Tue Feb 11, 2025 2:08 pm
Forum: General
Topic: OpenVPN Server - Ignore client redirect-gateway def1
Replies: 3
Views: 2808

Re: OpenVPN Server - Ignore client redirect-gateway def1

Hi, I don't think that's actually possible. The client has all sorts of possibilities to *not* accept what the server pushes, such as nopull, pull-filter, route-nopull, etc. But according to the openvpn security model, it is assumed that the client and server may be controlled by different people/or...
by lurker888
Mon Feb 03, 2025 7:17 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

Personally, I think it's better to set ip-address, so the router gets a fixed address & docs should discuss and show using ip-address - you're setting up a NEW network and RouterOS is likely to be the default route so example should set it to .1. But, as technical point, their instructions as-is ...
by lurker888
Mon Feb 03, 2025 6:19 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

First of all - thanks for the tip on opening the port on the router. Open on the WAN side - yes? Yeah. Well, actually I mean from everywhere, so in the input chain without additional filters. (The reason being that it's not uncommon to have a zt connection from inside your own network. In this case...
by lurker888
Mon Feb 03, 2025 5:58 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

Just an unrelated note: If you have a routable WAN address (even if dynamic), you should open port 9993/udp for the ZeroTier service. This enables other clients on the network (even if they are behind NAT) to make a direct connection and not have to use relays. You should especially open this port i...
by lurker888
Mon Feb 03, 2025 5:52 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

Glad it works. :-) But your explanation is off. (Using the same config.) If I delete the member, rejoin, and don't give it an explicit IP address assignment, I get: > /zerotier/controller/member/print Flags: A - AUTHORIZED Columns: NETWORK, ZT-ADDRESS, IP-ADDRESS # NETWORK ZT-ADDRESS IP-ADDRESS 0 A ...
by lurker888
Mon Feb 03, 2025 5:29 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

DHCP is never used in ZT. It is explicitly filtered in all ZT networks. (It's part of the "source" distribution for all zt clients. The designers thought that it would be a security threat when joining networks run by people you don't really trust. Many people use ZT to for example run Min...
by lurker888
Mon Feb 03, 2025 5:12 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

For me everything works just fine. Commands: /zerotier/controller/set 0 private=yes ip-range=172.30.30.100-172.30.30.100 routes=172.30.30.0/24,0.0.0.0/0@172.30.30.1 /zerotier/controller/member/set 0 authorized=yes ip-address=172.30.30.1 Afterwards: > /zerotier/controller/member/print Flags: A - AUTH...
by lurker888
Mon Feb 03, 2025 4:41 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

After authorization, you should see an ip address being assigned in the controller/member area. I don't know how frequently the client tries to reconnect; maybe you should try disabling/enabling the zt interface. EDIT: And in case you're adding this member as a gw of a route, you really would want t...
by lurker888
Mon Feb 03, 2025 4:18 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

Excuse some of the typos in the terminal session! In this case I demand that you smash one of our fingers with a claw hammer mob-style. [admin@MikroTik] /zerotier> interface/print interval=1 Columns: NAME, MAC-ADDRESS, NETWORK, STATUS # NAME MAC-ADDRESS NETWORK STATUS 0 NA9DNET 46:92:71:60:00:60 5f...
by lurker888
Mon Feb 03, 2025 3:52 am
Forum: Beginner Basics
Topic: Question on using the Internal Zerotier Controller [SOLVED]
Replies: 40
Views: 15427

Re: Question on using the Internal Zerotier Controller [SOLVED]

The guys at Mikrotik are various levels of user friendliness :-). The given example is one such. Actually it is exact and not in the least vague. The given syntax is given in the so-called Backus-Naur form. (https://en.wikipedia.org/wiki/Backus%E2%80%93Naur_form) I've used the controller and it work...
by lurker888
Mon Feb 03, 2025 3:48 am
Forum: Beginner Basics
Topic: How to set up VLAN to pass traffic through a managed switch? [SOLVED]
Replies: 43
Views: 18537

Re: How to set up VLAN to pass traffic through a managed switch? [SOLVED]

I was the one who recommended adding an additional management VLAN. The reason that many L3 switches are hard-wired config-wise to have one is one of the reasons. The other being that in larger deployments (anything commercial/enterprise) you have to deal with security and uptime issues. Having a m...
by lurker888
Sat Feb 01, 2025 1:56 am
Forum: General
Topic: RB5009+ 2x hAP ax2 as access Point
Replies: 16
Views: 5999

Re: RB5009+ 2x hAP ax2 as access Point

@JhnMtrx: You're at about 20W with adding in the rb5009. During bootup the devices consume about +50% for about 10-20s. That puts you quite near the limit. I ran such a setup (I was aware that I'm on the edge), and it worked quite well for approx. 2 years. Then incidentally when doing a software upg...
by lurker888
Thu Jan 30, 2025 11:20 am
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 4962

Re: Mangle policy based routing

If I follow the packet flow I indeed now understand that packets originating from the router will not pass the prerouting chain. They do pass the output and postrouting chain, but that is after the 'routing decision', hence of no use. Makes sense! Glad you understand. But I'm not sure you do so comp...
by lurker888
Thu Jan 30, 2025 12:38 am
Forum: Beginner Basics
Topic: POE INJECTION
Replies: 14
Views: 6813

Re: POE INJECTION

@jacklaz You misunderstood, I'm actually saying the same thing. I think in actual operation the device doesn't draw more than 0.5-0.8A. (But OP should not rely on my guesswork, but his trusted multimeter) Shipping a larger power supply rather makes up for a lack of quality control from their supplie...
by lurker888
Wed Jan 29, 2025 11:13 pm
Forum: General
Topic: Mangle policy based routing
Replies: 6
Views: 4962

Re: Mangle policy based routing

You actually have two problems :-) When doing multi-wan, you should really study the packet flow diagram meticulously. A version of it is given in the Mikrotik docs, but this is often more suitable: https://stuffphilwrites.com/2014/09/iptables-processing-flowchart/ As you can see, for locally origin...
by lurker888
Wed Jan 29, 2025 10:40 pm
Forum: Beginner Basics
Topic: POE INJECTION
Replies: 14
Views: 6813

Re: POE INJECTION

Yep. If this is a one-off, you're likely best off with a splitter. As others have already insinuated, the nominal power requirements for these devices are usually way exaggerated. (Or to be a bit more blunt/common: include some "chinesium" factor - many wall wart power supplies you get fro...
by lurker888
Wed Jan 29, 2025 1:08 am
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 8374

Re: Blocking admin services - Firewall rules

First, regarding the ordering of rules. It's best to keep the rules grouped by chains. It makes things clearer. The order of rules *within* a chain matters, between different chains it doesn't. The default firewall basically gives you what you would get in most consumer routers. The difference is th...
by lurker888
Tue Jan 28, 2025 11:02 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 8374

Re: Blocking admin services - Firewall rules

Not trying to be abrasive, but your firewall rules are kind of a mess. It's very typical of what newcomers produce on their first try, so if you're willing to learn, you'll get there. Just keep up trying/learning/reading. Just be careful: there are *lots* of "tutorials" on youtube and othe...
by lurker888
Tue Jan 28, 2025 9:30 pm
Forum: General
Topic: Blocking admin services - Firewall rules
Replies: 30
Views: 8374

Re: Blocking admin services - Firewall rules

Concurring with mks. Routers/devices connected to the internet with a publicly routable IP often get hundreds or thousands of such scanning/probing traffic. There's really no way around this. It's the correct thing to block these attempts. Usually these are not logged - they really don't add anythin...
by lurker888
Tue Jan 28, 2025 9:16 pm
Forum: Beginner Basics
Topic: POE INJECTION
Replies: 14
Views: 6813

Re: POE INJECTION

Actually it can work quite well. (I've been in a similar situation and it was solved with good results.) So... Mikrotik injectors are nothing special, they work like the ones from other manufacturers. Some things to consider: 1. Injectors do work for "taking PoE off" an ethernet line, and ...
by lurker888
Tue Jan 21, 2025 1:30 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

[removed]
by lurker888
Tue Jan 21, 2025 1:16 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

[removed]
by lurker888
Tue Jan 21, 2025 1:00 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

Okay. I don't exactly understand everything, but I'm glad you're gaining headway. I have a slow day, so if you wish, I'd be willing to help you clear up some things in a more interactive channel (by this I mean having a chat via Google Meets). By now I'm actually interested in who I'm talking to. Le...
by lurker888
Tue Jan 21, 2025 12:02 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

OK. This is weird. It is working on port 7 of the router.... But ether7 is on the bridge. The port numbers in the config should match the physical ports yes? Actually this is the expected behavior. This means that the router is at least functioning as it should. The router responds on *all* of its ...
by lurker888
Mon Jan 20, 2025 11:37 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

And still no ping. Do you get a ping/connectivity from elsewhere? EDIT I mean connecting to another port of the router, etc. EDIT2: Reread the thing. Of course it's a mac. "no route" means that the route to directly connected is not installed. Although many developers do, I have never used...
by lurker888
Mon Jan 20, 2025 11:26 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

This means that there is a problem on your PC (Windows, I would assume.) The route is not correctly installed. If the route were installed you would get the message "unreachable". Maybe you have a connection from your PC both to WiFi, which provides Internet access, and to this network whic...
by lurker888
Mon Jan 20, 2025 11:13 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

Post ping response. Is it "ICMP dst unreachable" or timeout or something else? When you have item unknown in for example bridge config, that means that there are some messed up references in the configuration database (reference to an item that somehow no longer exists). You are best off d...
by lurker888
Mon Jan 20, 2025 10:31 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

The things you might have missed: * You should assign an address/subnet to ether8 that is *different* from the one you use otherwise, use e.g. 192.168.100.0.1/24 * You should add ether8 to the interface list LAN, so the firewall doesn't block you * You should configure your PC to have a static addres...
by lurker888
Mon Jan 20, 2025 9:39 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

I am not really aware of the behavior of bridges in Linux. I am aware of how VLANs work in systems like Cisco, HP, Ubiquiti, etc. I know the bridge is basically the overall fabric of the switch. Right now, I have created all my VLANs, assigned IPs to them, but they are all just assigned to the brid...
by lurker888
Mon Jan 20, 2025 9:18 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

Well... what you wrote may be correct, depending on other settings. The gist of it is there. Before commenting further, please answer this: are you aware of the behavior of bridges in Linux (the same in Mikrotik) to "enslave" the interfaces assigned to them? (You seem to be...) Are you set...
by lurker888
Mon Jan 20, 2025 8:15 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading RB5009

Okay. It seems we're making headway :-) Let me respond to several comments in one post. I will omit citations, it's just too much work. To IGMP/IGMP snooping. IGMP snooping actually *does* happen at L2. If you don't want to use it that's fine. Actually IGMP snooping implementations have well known i...
by lurker888
Mon Jan 20, 2025 8:02 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

[...] OK. So the VLAN for the 192.168.0.0/23 stuff is easy as it's already on its own VLAN since you can't use the management VLAN for routing. So that's easy - add it to a trunk. Now the problem is the 10.0.0.0 data. I could add every VLAN to the trunk except now we are going to be passing gigabit...
by lurker888
Mon Jan 20, 2025 7:38 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

The question is how do I force my switch to send all LAN subnet traffic to the router instead of direct. I tried adding a route and it didn't do anything. That's it. You can't. The route you add would conflict with the directly connected one. A separate subnet is the correct way. Especially if you ...
by lurker888
Mon Jan 20, 2025 5:53 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

It actually makes sense now. Your network design with the mismatching prefix lengths and real-time switching of vlans is not networking best practice, but whatever works for you. Maybe if you hadn't started out 10 years ago, you could make use of more modern multicast protocols, but your goal is obv...
by lurker888
Mon Jan 20, 2025 2:46 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

So question - So create a new VLAN on the switch? Now I have both normal LAN traffic and the VLAN traffic on the switch. It seems like doing what you suggest will break the LAN connection between the 192.168.0.0 LAN and the switch. Are you talking about adding a second connection between the switch a...
by lurker888
Mon Jan 20, 2025 1:51 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

Just to rehash. The problem (triangular routing) is this: * The devices on the 192.168.0.0/23 - when sending to the 10.0.0.0/8 subnet - send it to the Mikrotik at 192.168.1.1 (resolving it via default), because they don't know where the router for the 10.0.0.0/8 subnet is located. * The devices in t...
by lurker888
Mon Jan 20, 2025 1:21 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

Okay. You seem to misunderstand (or I'm not clear enough) what "rules" means: * there are routing rules (/routing/rules) - these you don't need * there are firewall rules (/ip/firewall): * * filter rules (/ip/firewall/filter) - these should be there * * nat rules (/ip/firewall/nat) - if NATi...
by lurker888
Mon Jan 20, 2025 12:40 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

By the way the route: /ip route add disabled=no dst-address=10.0.0.0/8 gateway=192.168.1.198 routing-table=main suppress-hw-offload=no creates a routing situation where packets may be (will be) sent back and forth between your Mikrotik and your L3 switch. Consider the case that on the 10.0.0.0/8 net...
by lurker888
Mon Jan 20, 2025 12:34 am
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

Just a little addendum: For now I would skip the raw rules entirely. Configure everything to your satisfaction. Verify. Measure. And if you want/need more performance, add them back in. OK. I'm confused. 1.) Creating just the route by itself does not work well. That's why I am here. 2.) rplant sugg...
by lurker888
Sun Jan 19, 2025 11:15 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

Just a little addendum: For now I would skip the raw rules entirely. Configure everything to your satisfaction. Verify. Measure. And if you want/need more performance, add them back in.
by lurker888
Sun Jan 19, 2025 11:01 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

[...] OK. Both of these make sense. And basically notracked traffic is already fasttracked because it is not tracked if I understand it right. In a sense yes. Just to make it perfectly clear: * in case of notrack, no conntrack entry is created (this means that no stateful rules can be applied to the...
by lurker888
Sun Jan 19, 2025 10:20 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

Cool. What is *not* needed: * fasttrack cannot (and silently will not) be applied to notracked traffic (fasttrack modifies the conntrack entry, which is nonexistent for untracked) - for a given traffic it is either/or * the routing rules - the default is to look at the main table for any routing dec...
by lurker888
Sun Jan 19, 2025 7:55 pm
Forum: General
Topic: L3 HW Offloading RB5009
Replies: 96
Views: 11421

Re: L3 HW Offloading

The rb5009 does not do HW offload. The HW would be capable of it, but the limitations are so severe that it will probably never happen. See this post: https://forum.mikrotik.com/viewtopic.php?p=925222#p925222 Your route is showing the "HW offload" flag because the route is "unreachabl...