MikroTik

Cha0s

But then any TxPause frame will be dropped one. Load on RB is never higher than 20% (1gbps fiber). Tx Flow control is enabled on purpose, I'm only surprised that such fast RB and still with pause frames. Flow control does not know or care about your router load. It only cares about congestion on th...

Cha0s

Pause frames are part of Flow Control.
https://en.wikipedia.org/wiki/Ethernet_flow_control
https://wiki.mikrotik.com/wiki/Manual:I ... e/Ethernet

If anything, high CPU usage could cause to miss transmitting a pause frame, not increase them.

Cha0s

Caching proxies in 2021 with most websites running TLS nowadays, is... oxymoron.

Cha0s

I still have the CPU clock set to 1200 MHz, as I am not in the mood to break the things again (3 units are pretty far away from my current location). I've set everywhere the cpu to 1200MHz and while that reduces the frequency of the problem, it does not eliminate it. And having to drive 2 hours to ...

Cha0s

Has anyone with an r2 revision unit experienced any problems?

Nothing mentioned here in this thread actually works for more than a few months (at best).

So, has r2 resolved the issues we are seeing? If yes I can start replacing boards left and right. I am tired of this...

Cha0s

Forget MikroTik for BGP with full routes. It doesn't matter which model you use. Or even CHR. It is simply not usable when dealing with more than a 200-300k routes. It's not only terribly bad at convergence times, but even a simple prefix search can take 10-15 minutes and in the meantime the whole B...

Cha0s

I don't know what those 'DDoS Rules' are, but you can use the Raw table to do filtering without connection tracking enabled.

Cha0s

The last few days, I noticed I cannot reply to the posts made in the announcement section.

Judging by the last post, it appears that someone changed the forum permissions on December the 9th.

Cha0s

Quick Set is good example, you may find it useless and waste of developer's time (can't be too much), but is doesn't get in your way, you can simply ignore it. But it helps MikroTik to sell their stuff to new groups of customers. Which in turn those new groups of customers which were attracted by Q...

Cha0s

R1CH, there is no crash here my friend so no worries, What you are saying is already well known and not the issue here but thanks anyways! ;)

Wait until you get a SYN Flood DDoS and watch your MikroTik (doesn't matter which model or how much bandwidth you have) become totally unresponsive.

Cha0s

There is no License Level 4 for CHR.
https://wiki.mikrotik.com/wiki/Manual:CHR#CHR_Licensing

Cha0s

All I am saying is, that those who have enough switches that will benefit from a single management plane, will almost certainly need HA features to go with it. In other words, introducing SPOFs on the network just to save on management costs, probably wont fly with most network engineers. At least t...

Cha0s

If there's no redundancy and no efficiency (local switching), what's the point in this technology?

Why not implement something that's more datacenter/enterprise friendly?
Even if it's proprietary. It's not like everyone else's stacking options are inter-compatible anyway...

Cha0s

Firewall and Bridge Filter rules lists are still misbehaving. As long as a rule detail window is open, the list itself will not let you drag and drop rules properly. When you're dragging a rule, it jumps to the very bottom of the list every second (on each window refresh). It seems to only happen w...

Cha0s

In my 20 years of experience with PHP and phpBB, I've never ever seen users' password stop working because of a PHP version change.

So was this sudden "migration and maintenance" some type of compromise which MikroTik failed to inform us about?

Cha0s

Same here. Password was not working. Had to reset.

Cha0s

ABSOLUTELY no need for NAT under ipv6 ......

Of course! We wouldn't want to be able to do what we need with our network. That would be outrageous!

Cha0s

This issue (autoscroll hiding the last line) actually exists since forever. If you run ping and resize the window a little bit, you can make it hide the last line, just the way you see it now in the log window. It all has to do with the correct window size for autoscroll to work properly. Annoying, ...

Cha0s

What's new in v3.27: *) fixed content drawing of read-only tables (introduced in v3.26); I did not try that version at first (because I did not install 3.26) but now I got a message from OskarsK asking if it fixes the column/rule dragging problem, and indeed it seems that this issue is now resolved...

Cha0s

Can we have more information on CVE-2020-3702 and what it is.
More should I patch now or later type of question.

https://www.welivesecurity.com/2020/08/ ... sdropping/

Cha0s

I am left to conclude that there is a problem with software version Router OS 6.2 and later perhaps even earlier as this problem was never there before. Do you really run RouterOS v6.2? That's 7 years old! There are dozens and dozens of fixes and new features since then! I'd say, try to upgrade fir...

Cha0s

Also for every NAT that happens in v6, 4 kitties are murdered!

Keep that in mind next time you people ask such outrageous features that other vendors support for years now!
The body(kitty) count is in the billions by now! A tragedy really...

Cha0s

Problem with moving firewall rules and jumping around randomly has not been resolved.

So winbox >3.21 is still not usable.

Cha0s

I've been using Wireguard the last few months on my Smartphone and Laptop and regardless what that article says, for my use case it is a godsend! Never before I could truly have "always-on" VPN on android while on the move (frequent change of networks/ips) without having constant connectiv...

Cha0s

Don't get stuck in the past

I don't think he is the one stuck in the past, rather the "IT companies" (more like Cisco resellers), which prefer to charge 10.000€ for a Cisco that does 1/10 of what a MikroTIk will do at 1/10 the price.

To me, it's just ignorance and many times arrogance.

Cha0s

RB260GS (and/or CSS106-5G-1S) does not support any kind of bonding.

Cha0s

It's a good thing you aren't in sales.

You can tell that to Cisco. With ALL their wizards for noobs. Right? ;)

Cha0s

I don't have it at hand, but I remember someone had posted it in the forum a while ago.

Cha0s

So in terms of MikroTik and RouterOS I do not see ANY functionality that mimics or deals with wire-speed Routing at the switch level. L3 offloading happens on the switch chip. That's why it's called "L3 offloading". They offload the routing functionality from the CPU, to the switch chip, ...

Cha0s

!) added WireGuard support;

Gave it a try on a hEX (RB750Gr3) and it worked out of the box!

The performance was capped at around 100mbit though. Maybe the hEX is not powerful enough.
More tests are warranted :)

Cha0s

It would be useful when there would be some kind of "pause" button or a way to configure the update rate of such screens +1 This would be very helpful, especially on the connections tab (firewall window) and on the routes window. On routers with hundreds of thousands of connections and/or...

Cha0s

On the one hand, using VRRP the way OP described, will not necessarily make failover any faster, if for example the physical link stays up but it doesn't pass any traffic. Even if you failover on your end, the other end will still have to timeout before using the routes from the other BGP peer. On t...

Cha0s

Anecdotal? How can you pretend to know the benefits, or lack thereof, without fine details regarding the way that it would work? I do not pretend. I know that it won't be more beneficial, faster, more money saving (or whatever) than pasting a single command on CLI for example. There are all the too...

Cha0s

You don't need VRRP if you already have 2 BGP sessions with your upstream. Just ditch VRRP on the public side (ether1), and do 1 BGP peering on each of your routers. BGP will take care of failover, etc. You can also use BGP MED to control which router will be the "primary" (ie: on which ro...

Cha0s

The argument against this is similar to the argument that the gui isn't needed at all because there's a command line.

The argument against this, is that it will produce anecdotal time and money savings.

Cha0s

If you like wizards and non industry standard terminology (jargon), you can always use vendors like TP-Link, D-Link, Netgear, etc.

Cha0s

Which reset button exactly?
There are many reset buttons on Winbox windows.

Cha0s

I have no idea how WebFig skins work. I've never used WebFig (I am not a masochist

).
But you may try escaping single quotes.

'Don\'t require permissions'

Cha0s

Looks like LibreNMS.

Cha0s

RouterOS backups do not include the Dude data.

You need to backup the dude database separately using the following command:

/dude export-db dude.db

Cha0s

Dude 3.6 cannot connect to newer versions of ROS. In recent (well not so recent) versions of ROS the authentication method has changed, so old Dude cannot connect anymore. AFAIK there is no workaround except to update. But, while updating might sound cool, you make sure you do tons of tests and back...

Cha0s

LE: It seems somehow my vlan interface was not initialized properly since its interface route didn't appear in the routing table. After an edit/update of the interface it seems to be fixed. This has happened to me starting with v6.45.7 (also on a CCR1009). Disabling/enabling the interface fixes the...

Cha0s

that way I will have 2 cores "dedicated" by CHR and I will not have problems with processor overload
it is? Am I right?

Correct

Cha0s

https://wiki.mikrotik.com/wiki/Supporte ... less_cards

Note: RouterOS v6 does not support any USB Wi-Fi adapter

Cha0s

It is not true. You can have more than 2 cores per CHR instance. I believe the linux kernel can handle 2048 cores (and that's an old info - this may have been increased in recent years). BUT, you should NOT proceed with your suggested setup. Disable hyperthreading on the hypervisor's CPU and only gi...

Cha0s

The backup will work. Here are the differences between those 2 levels. https://wiki.mikrotik.com/wiki/Manual:License#License_Levels I don't think that you'll have any problems, unless you use more than 200 PPPoE interfaces or something. BUT, backups from other devices will cause you headaches restor...

Cha0s

Both routers support AES hw acceleration. So both can do way more than 70mbit/s with encryption. Also, AFAIK, increasing the CPU cores, will not increase your throughput if all traffic flows through a single IPsec session. EoIP and L2TP can both do hundreds of mbits/s without breaking a sweat. So, i...

Cha0s

I've got the same issue with multiple RB4011's. Completely locked out, while still forwarding traffic. My common denominator on the boards that lock me out, is the use of IPsec. More specifically the devices that crash are VPN concentrators that allow IPsec sessions from anyone in the world. One of ...

Cha0s

Strange that other people deny that they have a problem, maybe they don't understand what issue I mean?

Probably.
I just confirmed the issue is also present on Windows 10.

Cha0s

The problem with windows that have dynamic updates remains the same, I went back to 3.21 after 10 seconds of test...

I confirm the problem on Windows 7 64, using 64bit winbox.

Cha0s

The L3 hardware offload will take many months (or years - we are talking about v7 after all) before you can consider it stable. And even then, it will still be a... switch.

Cha0s

Forget CRS.
CRS are switches. NOT routers.

You DON'T want to use a switch as a router no matter how good you think it looks.

You need a CCR. Check mikrotik.com/products to find the one that suits your needs.

Cha0s

If you need fixed/stable latency then you must use an ethernet cable to connect.
Using WiFi, especially in 2.4GHz, you will always have jitter.

Cha0s

If there is L3 reach-ability between the relay and the server, it doesn't matter how they reach each other (OSPF, BGP, RIP, static, whatever).

Cha0s

Colored rules could be useful. It would allow users to make it look like circus, but it would be everyone's choice. When used responsibly, it could sometimes help.

++

Cha0s

You can reach 80gbps of unrealistic traffic with a 1072, but with real traffic, it begins to lost packets with a fraction of the max throughput. :? Have you tried with disabled connection tracking? You will not have stateful firewall without connection tracking, but the performance is way better. I...

Cha0s

I didn't notice any difference on an 802.11n Nstreme link that I tried 6.47rc2 on. But it was working fine before anyway. The general problem with Nstreme, since 802.11n, is that it keeps disconnecting for no apparent reason. "Polling timeout" IIRC. When it works OK (clean frequency and bi...

Cha0s

This is irrelevant.

Cha0s

This has been addressed in Winbox 3.24. You can move the columns around and also apply filters on the log window. In your case, going from VGA to HDMI, I can only assume that your PC changed it's dpi scaling. With dpi scaling anything other than 100%, older versions of winbox will cause the log wind...

Cha0s

Upgraded from 6.45.5 to 6.47rc2.

Noticed that btest is taking up more memory causing boards with 32MB RAM to become unresponsive.

I don't know in which version this started. I also tried 6.46.6 with the same results.

Cha0s

I don't know why this anav guy is so hostile to me. I put him into my ignore list. He has to stay out of all my discussions b/c of his sick and hostile comments to my postings.

Aww, did your feelings got hurt?

Cha0s

I've got a CRS317 with LACP bonding.
On the other end I've got two Cisco Nexus 7706 (portchannel with VPC).

I don't have the issue you describe.
But I use RouterOS instead of SwOS.

Cha0s

Frankly since 802.11n, but I am curious what exactly they fixed.

Cha0s

Open Addresses.CDB with notepad and you will probably be able to find the password in there.

Cha0s

[joking]
I am using Windows 95, they have been working great for the last 25 years without any updates!
I've also been using no firewall, since firewalls are for newbs.

But, today I logged in only to find out that they were hacked!

How could this have happened???
[/joking]

Cha0s

*) wireless - fixed Nstreme wireless protocol performance decrease;

Can you give more information about this?

Cha0s

@mkx, you seem not to understand the problem.
As I wrote ... waste of my time.

Yeap! Added to foes... can't stand 100 posts per day blaming incompetence as bugs.

Cha0s

You mean constructive, like telling you exactly how to downgrade and you ignoring it?

Cha0s

Like I said: even the standard downgrade function does not work, as the version is the same as before, after the reboot. Then you are doing something wrong. Read the fine manual again and retry until you succeed. Only with exercise you will learn how to properly use ROS. [admin2@CRS125] /ip service...

Cha0s

I believe that Wireless Sniffer uses the same protocol as Packet Sniffer to stream the data to a server. TZSP

Cha0s

Go to the Switch window and then on the Port tab.

There you can set the Ingress and Egress rate of each interface.

Cha0s

You need to either set a different subnet for the modem (or LAN) or bridge ether1 and ether2 so they are both in the same broadcast domain. Right now you've got 10.0.0.0/24 for both the modem (ether1) and your lan (ether2) Also, you probably will need to set up a SNAT rule to be able to access the m...

Cha0s

It used to be different (I don't recall when they changed their licensing model) and a license would not cover unlimited major version upgrades. At some point (I think during v5) they changed this model. I've got licenses that I bought in 2005 using v2.9.x and have upgraded them to v3, v4, v5, v6 ov...

Cha0s

Like I said: even the standard downgrade function does not work, as the version is the same as before, after the reboot.

Then you are doing something wrong.
Read the fine manual again and retry until you succeed.

Only with exercise you will learn how to properly use ROS.

Cha0s

To upgrade you can use the System > Packages window and click on "Check for Upgrades". From there you can also change channels (stable, long-term, rc, dev) If you want to downgrade to a specific version, then you have to upload the packages manually to the router and then from the System >...

Cha0s

@Cha0s, what you suggest would likely work, but sending individual packets of the same TCP session via different physical paths is what 9 of 10 dentists advice against as that may cause packets to arrive to destination in shuffled order. So a good exercise but a possible headache if deployed in pro...

Cha0s

One way to evenly distribute the traffic among all interfaces with using pure ECMP (no routing marks, etc), is by disabling route cache in IP > Settings. This will make each packet to go through a different interface in round-robin fashion (I think), instead of per src/dst ip. So even a single conne...

Cha0s

What's broken in beta60? I use it on a lora gateway and I haven't noticed any issues (albeit - it's just a lora gateway). By the way, I kind of gotten used to the new icon-set, but it appears terribly low quality. Like using old gifs (256colors) in 90s web pages and manually setting the dimensions i...

Cha0s

Small DIN switches.. Wide input DC power. It'd be nice to be able to mount small switches on walls in closets, cabinets, backboards, industrial situations, etc... Good idea! Also something like what Nexans is doing with their Microswitches for FTTO. I've used them in a few buldings and while the id...

Cha0s

r00t, you are spot on!

(too bad there isn't a 'hear hear' or 'clapping' emoticon available)

Cha0s

Winbox is more than comfortable. If you don't feel comfortable with the current UI, then Winbox is not for you. You can look into TP-Link or Netgear. I hear their devices are VERY comfortable to use. Hey bro, I think you are too proud with wrong direction, I just suggest to Mikrotik for better user...

Cha0s

Check here: viewtopic.php?p=793526#p793526

Cha0s

Third, UI/UX dose not harm WinBox, it only interface to make more comfortable look and feel to use network as simple configuration. By definition changing the UI you change the interface . It's the "I" in UI. Winbox is more than comfortable. If you don't feel comfortable with the current ...

Cha0s

But now they are aspiring to be in the range of Enterprise hardware/software vendors, so such topics must receive top priority. Unfortunately they are just aspiring to get into the enterprise sector. They don't actually try to. I can't imagine any big enterprise that can wait for over 6 years for f...

Cha0s

I guess most of you have already noticed that <TAB> key does not move focus from one input field to another.

And double click on an input field does not select the text.

Cha0s

Also tried using the server feature in btest, but router can't connect to it, no matter if using UDP or TCP. Going to server tab, checking "Enabled" and pressing "Apply settings" does nothing. I don't even see open btest TCP port... Works ok here. Maybe your windows firewall blo...

Cha0s

:global dns [:resolve "www.google.com"]     
:put $dns
216.58.212.4

Cha0s

What does SDN have to do with Winbox UI?

I strongly disagree with redesigning the Winbox UI.

Cha0s

I think it's more complicated than that. No matter what method you choose, how would you (automatically/inside ROS only) know that the bottleneck is between you and the ISP (thus the ISP cheating) or somewhere outside your ISP's network (depending on how/with who you perform the tests) ? If the ISP ...

Cha0s

Sure, that's all true (that was implied by my "user defined policy" comment).
But OP didn't mention anything about RIRs or the public internet or any "provider".

Those were your assumptions followed by a false statement about what the protocol can or cannot do.

Cha0s

BGP not allow to announce /24 to provider over eBGP but if you are in your network with iBGP you can do it! This is a false statement. BGP doesn't care about prefix length on its advertisements, regardless of eBGP or iBGP. You are confusing user defined policy (which yes, /24 is usually the smalles...

Cha0s

So... you are using Docker to run a fully virtualized instance of CHR using qemu.
Meaning this is not a container but a full fledged VM over Docker.

What exactly is the point of this?

Cha0s

Unfortunatley every time MikroTik features in a Linus Tech Tips video he never gives the product the showcase it deserves, makes me wonder if he really understands it! After watching their 10 Gbit home network video a while back and they were having trouble figuring out how to configure it/couldn't...

Cha0s

Do you or anybody else can tell me whether RouterOS can be tested also in an LXC (or LXD) container in Linux as well? ROS cannot work as a container. Do you happen to know whether RouterOS can be installed on the following dual-core ARM device with multiple Gigabit interfaces: http://wiki.banana-pi...

Cha0s

Do you or anybody else can tell me whether RouterOS can be tested also in an LXC (or LXD) container in Linux as well?

ROS cannot work as a container.

Cha0s

So I don't see this one getting fixed any time soon (even if it's fixed, it will probably never make it to each vendor's updates). Wow! Talk about bad prediction! Just today I got an update from Samsung! And while it didn't mention anything in the changelog, it appears that they included a fix for ...

Cha0s

BGP can and will announce any prefix length.

Check your filters, you probably discard any prefix smaller than /24.

Cha0s

I was waiting for this much more than for DoH but each has their own preferences I guess.

Yeah, DoH is cool, but DNS forwarding is more essential to me.
I personally had given up on it. So this was a pleasant surprise!

Cha0s

nz_monkey is spot on

Is this an subtle acknowledgement that you are working on it?

Cha0s

*) dns - added support for forwarding DNS queries of static entries to specific server (CLI only);
*) dns - added support for multiple type static entries (CLI only);

Finally!!!
Can't wait to test this one out!

Will forwarding be able to match regex entries also?

Cha0s

From what I understand this is an Android bug and it's not specific to MikroTik. So I don't see this one getting fixed any time soon (even if it's fixed, it will probably never make it to each vendor's updates). For the time being I switched to Wireguard, and so far I am very happy with it. I'll pro...

Cha0s

Android 9: terminates after about 83 seconds...

Also Android 10 on Samsung Galaxy S9+
Prior to the recent Android 10 upgrade from Android 9, it was definitely working for me without problems.

Has anyone found out any solution?

Cha0s

That's exactly what EoIP is for.

Cha0s

Pay attention to the implementation scheme, are there any comments? He just told you. The switches you are using are not routers. You need to put in proper routers if you need to route (not switch) traffic. MikroTik switches, are not L3 switches. They may technically be able to do routing, but not ...

Cha0s

This is certainly true but why not do an identical procedure on ROS via WinBox or WebFig? Because it is a waste of developer resources. MikroTik should focus on fixing bugs and introducing new features. Not cater to noobs that cannot be bothered to read the manual. Seriously, the amount of posts as...

Cha0s

This is exactly why I hate the IT community. Simplifying something isn’t going to cost you your job. That's why I hate the non-IT community . Instead of complaining about what you don't know how to use and asking to dumb down things, you should start by RTFM. It doesn't cost your job. It isn't even...

Cha0s

That what you wrote is still in the future. All major web servers support TLS 1.3 already. Browsers too. It is NOT in the future. It's already being rolled out. It has started since 2018. At the moment using DoH is futile if you want to have privacy. I remember back in the non SSL/TLS days, people ...

Cha0s

It is a FALSE assumption, that your traffic (metadata) is invisible when using HTTPS or/and DoH. When TLS 1.3 becomes mainstream, it will no longer be an assumption. Right now even using TLS, the ISP can see the domain you are visiting. After TLS 1.3 that will no longer be possible and the L3-L4 &q...

Cha0s

Agreed. New icon set is horrendous
Those new are just UGLY, one color type.
Yes! Bring our colors back! It is much easier to find something on a glance when it is different from its neighbors...

+1

Cha0s

People who asked to do the interface smaller probably work on a FullHD monitor because on a 4K monitor (3840x2160) the interface looks incredibly small even with the maximal zoom. Please make the interface bigger or add more zoom levels. QHD, and I still prefer it smaller than the default. The more...

Cha0s

I'll go slightly against the flow. Everyone seems to want things bigger, but I'd rather have them smaller. Or maybe better term would be more condensed. It's about one specific thing, line height. +1 Finally I see someone talking about UI efficiency and not looks! I too want to be able to see as mu...

Cha0s

ROS didn't use Quagga.

This is not true.
Back in 2.x days ROS was using quagga. And a rather buggy version at that.

But yes, the current implementation AFAIK is not based on quagga.

Cha0s

What did you try?

Cha0s

Use the Netwatch tool.

https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch

Cha0s

or use other more reliable ways.

Or just revert it back to how it was...

Cha0s

System files have always been hidden / not accessible for a user in RouterOS. Packages are now following the same principle. That is just plain silly! Now when I check for new version and click Download, or after uploading files using FTP, I cannot even check if the files were loaded completely bef...

Cha0s

I'd like to ask the developers if they can, so please kindly fix the bug, according to their natural priority ... It appears that Mikrotik's priority on cosmetic bugs is very very low. This bug has been reported many many times for many many months now and it has been thoroughly ignored by MikroTik...

Cha0s

Remove tr069 package, then manually upload the new packages (not the bundle) you need.

Reboot, and you are good to go.

Cha0s

Virtio

Cha0s

CHR's virtio/vmxnet3 based interfaces seem to always show "Auto Negotiation: Incomplete | Rate: Unknown".
License doesn't matter. You can try it yourself with a P10 demo license and it will still show Incomplete/Unknown.

Regardless of the negotiation status, it does actually work at 10Gbit.

Cha0s

What have you tried?
Post you configuration.

Cha0s

"my ISP does not offer it" To me this is kind of a chicken and egg problem. If ROS doesn't fully support it, then yes, ISPs based on ROS won't offer it, and then users won't use it, which in turn translates to "low demand" in MUMs, etc. IPv6 doesn't bring much benefit to the end...

Cha0s

Today we got this announcement from RIPE. Dear colleagues, Today, at 15:35 UTC+1 on 25 November 2019, we made our final /22 IPv4 allocation from the last remaining addresses in our available pool. We have now run out of IPv4 addresses. Our announcement will not come as a surprise for network operato...

Cha0s

I don't think you can do that.

The way I understand it, if you need a prefix to be passed through the Anti-DDoS ISP, you need to only announce it via them and not any other ISP.
Otherwise, anyone that is closer to that other ISP will choose that path to reach you instead of the Anti DDoS ISP.

Cha0s

I've used various SFP+ modules on RB4011 without any issues. CISCO-AVAGO 10Gbase-SR SFBR-709SMZ-CS2 CISCO-AVAGO 10Gbase-LR SFCT-739SMZ FS 10GBase-ER SFP-10GER-31 OPTIC 10Gbase-SR S+85DLC03D MikroTik 10Gbase-SR S+85DLC03D And a few more (mainly 1Gbit) that I don't recall at the moment. As a matter of...

Cha0s

I don't know if I fully understand what you ask, but I believe that in order to achieve what you want, you stop announcing your prefixes to the worldwide ISP and only announce them to the Anti-DDoS ISP, and they in turn announce them to the world. This way your incoming world-wide traffic will arriv...

Cha0s

The next two Mum's are on the 14th of November and the 28-29 of November. My money is on Brazil in two weeks.

It got announced today in Athens' MUM.
https://youtu.be/ZKLtPiFoX4k?t=3514

Cha0s

Thank you for your opinion.

Cha0s

FastPath needs Route Cache to be enabled.

With route cache enabled, the router becomes almost completely unresponsive during any moderate SYN flood attack.

Cha0s

They will not get such contracts anyway, and those that do get them generally deliver equipment that is a little more sturdy. At its price, of course. Yeap, I agree. In my country at least, it is certain that the job will go to the company with the worst price and the most kickbacks to the politici...

Cha0s

I presume if port 80 is blocked, it will also try port 443 and even port 6568 as implied in the FAQ. Here are some logs from a corporate proxy blocking anydesk. 1572105939.836 0 x.x.x.x TCP_DENIED/403 2045 CONNECT 144.76.103.6:80 - NONE/- text/html 1572105941.837 0 x.x.x.x TCP_DENIED/403 2059 CONNE...

Cha0s

This is not a Docker image for ROS but for OpenVPN.

Not to mention that it hasn't been updated for over 4 years.
https://github.com/AlexBeznos/openvpn-mikrotik

IMHO, ROS on Docker (or any other container platform) is a waste of time.

Cha0s

Docker is a container.
ROS is not just a web server or some app to be run in a container.

It is heavily dependent on its kernel to implement many of its features.

So my guess is that there will never be a docker image for ROS.

Cha0s

could you please consider changing application bar/other WinBOX window component colour while in SafeMode? Regardless of information when exiting the app it would help to identify the current mode.

+1

Cha0s

MikroTik routers are fine for many purposes, but when it appears you are pushing the limits it may be time to look at others. Sadly, this is very true. I would love to see higher end models using ASICs (with the appropriate price tag) to be able to use MikroTik hardware for enterprise solutions. CC...

Cha0s

With only 60 routes, it is indeed annoying! If you try to login with a fresh/empty ( <none> ) winbox session, does it change anything? ingdaka on every single router I manage that has more than 1-2 thousands of advertisements, it always occurs. Without exception and regardless of architecture. Proba...

Cha0s

Also you cannot block port 80/443 obviously, so the anydesk client will be able to reach the anydesk servers, and from there I believe if port 7070 is blocked, it will work over 443. I never said blocking ports 80 or 443... in my previous post i said block the listening port which is not 80 or 443 ...

Cha0s

L7 firewall blocking is not recommended anymore...! Especially when what you want can be achieved by a simple TCP port block..! I don't think that a simple block will do it. https://support.anydesk.com/FAQ Which ports does AnyDesk use? To connect to the AnyDesk network port 80, 443 or 6568 is used....

Cha0s

One thing that may help replicate this issue is using the sfp port. Both times I have witnessed this and all times our tech support has witnessed this the sfp port is in use.

Interesting detail.

In my board that the issue occurs, I indeed use the SFP port.

Cha0s

For the problem to manifest you have to have no device connected to 5GHz wifi for a few hours. Then it "crashes". The title is a bit misleading. The interface doesn't get disabled, in that you don't see it disabled (greyed out) in winbox. It shows up/enabled fine in winbox/cli, but it doe...

Cha0s

Cha0s

For the problem to manifest you have to have no device connected to 5GHz wifi for a few hours. Then it "crashes". The title is a bit misleading. The interface doesn't get disabled, in that you don't see it disabled (greyed out) in winbox. It shows up/enabled fine in winbox/cli, but it does...

Cha0s

"Broken" is rather vague.

Post proper pictures with proper lighting of both sides of all boards so we can see what the damage is exactly.
Posting 3 boards on top of each other, and on their back where there are no components, is just silly.

Cha0s

Please remove it, or at a minimum put it in a separate .NPK from the base OS. maybe a separate soho.npk that includes the torrent client, kid-control and SMB server..

Amen!

Cha0s

Wait, torrent wasn't a joke?

Torrent is an essential feature of every router!
DNS on the other hand...

Cha0s

At the moment there is no fully automated method in ROS to switch from a bad uplink (bad as in slight packet loss or increased latency somewhere between you and the destination - but still functional as far as ROS is concerned) to a backup/good one. You either have to resort to cumbersome scripts a...

Cha0s

I don't know (or care) about how LTE handles loss, etc, but I think we've got offtopic comparing this to LTE. LTE is just one type of Internet access and is irrelevant to the topic at hand IMHO. I can see this technology having significant benefits even if your uplinks are fiber based with 99.999% u...

Cha0s

I did Anav. One of the first hits was NordVPN, but I see it doesn't support MikroTik anymore. Hence I'm asking here. Since v6.45 MikroTik can connect to NordVPN without problems. using IKEv2. https://nordvpn.com/tutorials/mikrotik/ikev2/ https://wiki.mikrotik.com/wiki/IKEv2_EAP_between_NordVPN_and_...

Cha0s

Cha0s

Yes, ~45 degrees seems to be the norm for this device.

graph.php.png

Here's a comparison between RB3011 and and RB4011 that replaced it around a month ago.

Cha0s

Several days passed, still no replies and not a single email about this issue. Is the RB4011 5GHz issue resolved? The problem still exists. For me it took about 29 days on a brand new RB4011, before it occurred. Since then the wifi gets disabled (stuck in "initializing") in less than a da...

Cha0s

Mikrotik doesn't block Google Translate, or any other service for that matter. All RouterOS does, is route packets from one network to another, according to however you configure the device to do so. It doesn't take it on itself to decide whether you should be able to access a webservice or not. If ...

Cha0s

Don't touch my WinBox, it's one of the best tools invented by mankind, and it's perfect as it is now. It's like trying to reform hammer, sure you can come up with something else that's not bad either, but it still won't be good replacement for the simple and reliable tool in all cases. Native WinBo...

Cha0s

*) system - accept only valid string for "name" parameter in "disk" menu (CVE-2019-15055);

I guess asking for more info on that is pointless until you provide an update for stable/long-term channels, right?

Cha0s

Yes, I am aware of that, but how do the others do it, at train stations, airports ... ? a few weeks ago I set up a WLAN connection at the airport and I couldn't download any files. So there has to be a solution. I doubt they were able to block files download over an HTTPS connection. Only whole dom...

Cha0s

Strangely enough, URL Block also works for HTTPS pages. This works here, for example: ^.+(youtube.com|facebook.com).*$ Domain block (not URL block) works because the domain is visible (unencrypted) during the TLS session setup between the browser and the server. After that, you cannot see anything ...

Cha0s

This L7 Regexp does not work anymore since update: \.(exe|dmg|cab|msi|flv|mp2|mp3|m4a|mp4|torrent)($|\?) I used this to block file download. I also don't know which MikroTik version I had before. I think it was the 6.43. You do understand that this is useless in an ever growing https world, right?

Cha0s

Probably something wrong on your side. An antivirus messing up with the downloads maybe?

All links work fine on my end.

Cha0s

I've got a few of the non wifi RB4011 models and I have no issues. In fact I found that RB4011 was the only model that I could saturate the uplink with a single connection over IPsec, while others couldn't go much higher than 150Mbps (and that with multiple connections only). Granted, my configurati...

Cha0s

Almost two years have passed, and absolutely nothing has changed.

CCRs still cannot route (not drop) a moderate flood of SYN packets.

Cha0s

cpu spikes
Huh?..

Do you want to elaborate more?

Cha0s

Also, Winbox on Linux/Wine is definitely heavier/slower than on windows. Each screen refresh causes cpu spikes when having multiple windows open.
On windows there is no such cpu usage no matter how many windows I have open in winbox.

Cha0s

Last Link Up/Down Time botched. It started happening to me (951G-2HnD, 941-2nD) on the latest stable ROS 6.45.1 / WinBox 3.19. Ethernet and ppp links. WinBox Terminal - correct: last-link-down-time=jul/08/2019 12:31:21 WinBox Interface List - wrong: Last Link Down Time: Jul/14/2019 09:44:52 Today i...

Cha0s

Everyone who is experiencing problems with Winbox authorization - we will release a new Winbox loader with a fix for this problem as soon as possible. We are very sorry for any inconvenience caused. While you are at it, will you fix the interfaces last up/down times on winbox that are in the future?

Cha0s

My configurations use all types of tunnels.

GRE, IPIP, EoIP. All of them, over IPsec without any problems on my end.

Cha0s

You are looking for ECMP - Equal Cost Multipath. https://wiki.mikrotik.com/wiki/Manual:BGP_Load_Balancing_with_two_interfaces ECMP by default (route cache=on), will load balance per connection and not per packet. By disabling route cache (in IP > Settings) then ECMP load balances per packet on all a...

Cha0s

2 Mikrotik Team Do you confirm some troubles with GRE interfaces + IPSec (transport) ? What we have to do in that case? Maybe there is something special with update? For example: We have to update passive sites first to 6.45.1 and after main router to 6.45.1 Or another way? Thanks! I have IPsec tun...

Cha0s

I agree with pe1chl. phpBB can also send mails using the native mail() function of PHP, which by default will send mails using sendmail executable to localhost. This can be blazing fast since it doesn't even care if the local MTA is loaded or not or even running at all. It writes directly to the fil...

Cha0s

i upgrade my RB433AH after that...i couldn't access with current user and password and with admin???? . My observation is that after a reboot, the first login attempt fails ... subsequent logins are successful. This behavior has been reproducible after every reboot, of the single device I'm testing...

Cha0s

NETMAP needed.

not nat.

You mean NPT, and both NAT66 and NPT (or netmap) are types of NAT.

Cha0s

Will it ever be possible to filter ipsec logs by peer? Debugging is pretty much impossible if you have a ton of tunnels active.

+1

Cha0s

If you have many custom settings, then you should most definitely not use quickset. If you can still sensibly change settings using quick set, then ... you don't have that many settings after all. I'm sorry but reset is not a solution Then you shouldn't use Quickset. Quickset is only for initial se...

Cha0s

That wrong time is a "known problem" that was introduced several versions ago, not with this version. It likely is already on the list of things to fix. Also I believe it's a winbox bug and not a ROS bug. CLI shows the correct times. IIRC deleting the session on winbox also shows the corr...

Cha0s

LtAP mini Kit has two SIM slots. Is it possible you are using the wrong SIM slot?

They way those slots are it's not always clear weather you've inserted the SIM on slot 1 or slot 2 (they call it up/down in System>Routerboard>SIM menu).

Cha0s

What does the browser's web developer's tools console shows when it cannot load the iframe? If the iframe url can load when accessed directly, then it's almost certain that it is not a networking/MTU/MSS issue. Is it possible that the client's browser is messed up (or some other software is messing ...

Cha0s

MikroTik has no L3 switch that can do wirespeed routing. Can can do L3 stuff on MikroTik switches, but the performance will be way lower than 10Gbit (maybe even lower than 1Gbit) since all those functions are done on the CPU and not on the switch chips. The CCR line are not switches but routers. Tha...

Cha0s

Just got an RB4011iGS+RM. It has 512MB flash, so I might have been interested, but the online documentation states that it's only available for MIPS, TILE and PowerPC. Too bad. RB4011 perfectly supports multiple partitions. I am using it on multiple RB4011s. AFAIK as long as you have >=64MB of flas...

Cha0s

If you double click on the source address it gets copied to the Src. Address Filter field.
Same goes for Destination address.

No the best solution, but it's better than nothing.

Cha0s

For Unimus, connect to router periodically (user configured scheduling), and retrieve "/export compact". After that, strip all dynamic content in the output (timestamps, log messages, runtime comments, etc.). Parse the config, check if anything changed against last retrieved config. If a ...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk? Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc? Usually a configuration management system does this for you. Unimus does this out-of-the box...

Cha0s

In what scenario? If it's road warrior (typical when src is unknown or when src has dynamic IP) then policies should be already auto generated. In the scenario where an ISP doesn't provide a static IP to it's client, instead using Dynamic IP or PPPoE with a dynamic IP. In such cases, a DDNS hostnam...

Cha0s

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk?
Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?

Cha0s

+1 for TACACS+ support

Cha0s

Incorrect time is cosmetic Winbox bug noticed when there are multiple Winbox instances open. If you check in terminal, time is reported correctly.

When will it be fixed? This has been reported for many releases by now.

Cha0s

I confirm the problem.

Cha0s

Check this MUM presentation https://mum.mikrotik.com/presentations/ ... _Nikos.pdf

Cha0s

On RB951 and similar boards, I don't expect the best performance and I don't think PHP should be supported at all on these models due to the low power CPU and resources. But for the more capable models, like RB3011, RB4011, CHR and CCR-series, it could be a nice addition. Yeah, but that ain't gonna...

Cha0s

Legal limits are about EIRP. EIRP is not Tx power at transmitter's RF connector, it's power at antenna perimeter. And that value is affected by antenna gain. Which is not how most of WiFi users (and, sadly, WISPs) understood things ... I remember attending a Netgear "seminar" back in 2005...

Cha0s

PHP Support for webpages. So, that we can make advanced webpages without visible scripts (JavaScript is visible to the user, PHP scripts are not). I know MikroTik's webserver is meant to provide the basics, but you don't always have the space and budget to place an external webserver (and no.... a ...

Cha0s

In year 2019 - this RB belongs to the trash

Besides suggesting putting it in a landfill, polluting the environment for no good reason, do you have anything on-topic to suggest?
Like for example, what is the value of C78?

Cha0s

Those are C67 and C68 and their value is: 560μF 6.3V 105°C

While we are at it, does anyone know the value of C78?
It's right behind the DC barrel connector and it's an SMD one.

ima_82b5a40.jpeg

Cha0s

AFAIK there is no such option.

On the other hand, MikroTik is a router, not a NAS device. Don't use it like that.

Cha0s

That (voip) explains the high packet rate but low bandwidth I saw on your screenshots. Unless you use NAT, you don't need the SIP direct media helper (and I think it doesn't even get involved in forwarded traffic when there is no NAT). Also, connection tracking in general, with lots of connections a...

Cha0s

Same with the web interface.

Cha0s

+1 by me as well.

Cha0s

You cannot bond at the CHR level. Right now you are bonding two virtual NICs that connect to a Virtual Switch. Not Nexus. You should do the bonding at the ESXi level. But from there I don't know how you could get more that 10Gbps on the CHR. I've read some posts that the VMXNET3 driver doesn't reall...

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps. Reverting back to 2.8 traffic increased back to steady 100Mbps. Are there any errors in interface stats when using v2.8 or v2.9? No errors at all on any port.

Cha0s

Upgrading from 2.8 to 2.9 on a CSS106-5G-1S causes severe traffic drop between 1G ports and 100Mbit ports. It's random from 0 to 40Mbps.
Reverting back to 2.8 traffic increased back to steady 100Mbps.

Cha0s

Same here

Cha0s

I did as much reading as I could both with the sparse supplied docs and what was online before and during my efforts!! I have winbox v3.18, I fail to see a safe mode. FWIW, been doing router stuff etc. since 1989 but I am not an "IT Professional" Everything about RouterOS is documented he...

Search found 1034 matches