Community discussions

Search found 730 matches

by roadracer96
Thu Feb 22, 2024 2:57 am
Forum: General
Topic: MLAG hopelessly broken?
Replies: 17
Views: 4549

Re: MLAG hopelessly broken?

Easy. Don't use mikrotik!
by roadracer96
Thu Feb 22, 2024 2:56 am
Forum: General
Topic: 2x CRS326-24S+2Q+ MLAG configuration
Replies: 3
Views: 859

Re: 2x CRS326-24S+2Q+ MLAG configuration

Mlag is completely broken in mikrotik. Doesn't work right at all and never should have been released.
by roadracer96
Fri Nov 24, 2023 5:52 am
Forum: General
Topic: mlag setup questions
Replies: 3
Views: 2835

Re: mlag setup questions

Can you please expound upon that statement? I have set up MLAG on a couple of CRS326-24s+2q+rm starting with RouterOS 7.3 and upgraded a couple of times since then. Thank you for your input!
viewtopic.php?t=185237#p928292

Broken worthless crap.
by roadracer96
Fri Aug 25, 2023 5:51 am
Forum: General
Topic: mlag setup questions
Replies: 3
Views: 2835

Re: mlag setup questions

Mlag is non functional. Don't waste your time. They have no intention of fixing it.
by roadracer96
Fri Aug 25, 2023 3:11 am
Forum: General
Topic: MLAG hopelessly broken?
Replies: 17
Views: 4549

Re: MLAG hopelessly broken?

Mikrotik MLAG has never worked properly. Anyone who says otherwise has never used a REAL working MLAG setup. The entire Mikrotik approach to MLAG is half-baked. I've been waiting over a year for a fix and they could care less.. I have a pair of nice paper weights sitting here.. Completely worthless ...
by roadracer96
Fri Jul 14, 2023 3:55 am
Forum: General
Topic: MLAG hopelessly broken?
Replies: 17
Views: 4549

Re: MLAG hopelessly broken?

Mikrotik MLAG has never worked properly. Anyone who says otherwise has never used a REAL working MLAG setup. The entire Mikrotik approach to MLAG is half-baked. I've been waiting over a year for a fix and they could care less.. I have a pair of nice paper weights sitting here.. Completely worthless e...
by roadracer96
Sat Mar 04, 2023 3:28 am
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 1905

Re: Mikrotik CRS326-24S+2Q+RM

Hi @OriiOn While MLAG/VCP is obviously better, people have used the redundant switches without MLAG support for long time. If you use iSCSI for connectivity to NetApp, there should be no issue at all, you create multi-path configuration on two different subnets. For NFS and VM traffic you would use...
by roadracer96
Tue Feb 28, 2023 9:52 pm
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 1905

Re: Mikrotik CRS326-24S+2Q+RM

Mlag doesn't fail over transparently. If the primary device restarts or fails. The lacp system id and STP bridge ID of the secondary reverts causing complete outage for several seconds. It works. Unless you want it to work for failover. Not even close. It's half assed. Spend the money and get a good ...
by roadracer96
Sat Feb 25, 2023 5:17 am
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

I've had these switches for over a year now.. I spent time with support explaining how it should work and they were receptive.. a year later.. nothing.. I have paper weights.. The latest version of code drops 75% of traffic in MCLAG... Ridiculous product. Something every other vendor has had figured ...
by roadracer96
Sat Feb 25, 2023 5:13 am
Forum: General
Topic: Mikrotik CRS326-24S+2Q+RM
Replies: 11
Views: 1905

Re: Mikrotik CRS326-24S+2Q+RM

Don't buy it if you intend to use MLAG. MLAG is severely broken in Mikrotik and they have demonstrated zero interest in fixing it.. Lots of talk.. no action.. I've been sitting on a pair of CRS317-1G-16S+ for over a year now and MLAG is still as broken (more so) than it has ever been.
by roadracer96
Fri Apr 22, 2022 5:45 am
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

Thanks for sharing these details! Your observations are correct. When a primary node is rebooted, the secondary node will revert its LACP system-ID and RSTP ID to the local values. This can cause some packet loss during LACP renegotiation, especially when the LACP rate is set to 30 seconds. However...
by roadracer96
Tue Apr 19, 2022 7:35 pm
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

No the system id is globally unique, then each LAG aggregation group also has a locally unique identifier. I guess I wasn't clear about that. Please refer to the technical documents for more specifics. The system id is created with a combination of the priority and mac address. Yes. One system id t...
by roadracer96
Tue Apr 19, 2022 7:32 pm
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

Thanks for sharing these details! Your observations are correct. When a primary node is rebooted, the secondary node will revert its LACP system-ID and RSTP ID to the local values. This can cause some packet loss during LACP renegotiation, especially when the LACP rate is set to 30 seconds. However...
by roadracer96
Tue Apr 19, 2022 5:07 am
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

What is your source of this "technically wrong" Because from what I see in the technical standard IEEE 802.1AX-2008, there should be a locally unique identifier That is correct. Locally unique means the SYSTEM ID is unique to the local L2 device. In the case of MLAG, the System is really ...
by roadracer96
Mon Apr 18, 2022 8:50 pm
Forum: RouterOS beta
Topic: VLAN+MLAG+VRRP not working properly
Replies: 6
Views: 3200

Re: VLAN+MLAG+VRRP not working properly

One of the fundamental operational elements for most other network vendors when running MLAG + VRRP is to set the RSTP root to the same switch as the VRRP Master (or in this case - the path to it) and the other switch as a secondary root. Curious if you've tried this and if it made a difference? Ty...
by roadracer96
Mon Apr 18, 2022 7:07 pm
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6032

MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

I did open a ticket for it but thought I would post here for comment: MLAG synchronizes the LACP system-id of the secondary nodes ports with the LACP system-id of the primary node bonding interface that has the same MLAG id assigned to it. Problem 1. If you reboot the primary node, the secondary nod...
by roadracer96
Fri Apr 28, 2017 3:38 am
Forum: General
Topic: ETA v8
Replies: 21
Views: 7626

Re: ETA v8

Right. But they don't run bgp and ospf and fib updates and filtering and xxxxxxx under the same process. That's why a dual core major brand router can handle several hundred peers with convergence times 5x faster than 2 peers on a mikrotik. I guess you are waiting for some specific feature, not the ...
by roadracer96
Fri Feb 17, 2017 3:33 am
Forum: General
Topic: Bug in ipv6 link-local address is now generated from tunnel local-address
Replies: 8
Views: 3793

Re: Bug in ipv6 link-local address is now generated from tunnel local-address

It's intentional. It used to be generated from the tunnel name so if you created a tunnel called sitea_siteb on both routers they would have the same ll address and ospfv3 wouldn't work over them.
by roadracer96
Fri Feb 17, 2017 3:30 am
Forum: General
Topic: V7 ....
Replies: 23
Views: 10120

Re: V7 ....

Doesn't matter to me. I pulled out all my mikrotik stuff except in some "cheap" areas of my networks. Too little development was happening on features that really matter. Too much development on bullshit creature features. It's like they don't care to fix all the big problems that would ta...
by roadracer96
Wed Dec 21, 2016 6:09 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM MPLS Support
Replies: 56
Views: 25773

Re: CRS317-1G-16S+RM MPLS Support

You know damn well what he meant. It had a very specific and obvious question. "Will this device support MPLS at wire speed?. The answer is no. There is no yes answer. It will forward Ethernet frame at wire speed. It will likely have no concept of what mpls is other than perhaps the ethertype a...
by roadracer96
Tue Dec 20, 2016 12:05 am
Forum: RouterBOARD hardware
Topic: CRS317-1G-16S+RM MPLS Support
Replies: 56
Views: 25773

Re: CRS317-1G-16S+RM MPLS Support

Mrz. I really gotta hand it to you. You are an enormous moron. I really wonder what goes through your head sometimes.

You do realize there is an entire world of cam forwarded mpls switches out there, right?

Your answer is just stupid beyond all belief.
by roadracer96
Sun Oct 30, 2016 3:51 am
Forum: General
Topic: SSTP Server - routes for clients
Replies: 2
Views: 2641

Re: SSTP Server - routes for clients

You can blame Microsoft for that.

There is no means to push routes to clients in sstp. I'm pretty sure windows running as the sstp server can't even do it.
by roadracer96
Wed Oct 26, 2016 6:35 am
Forum: General
Topic: mikrotik hacked!?
Replies: 14
Views: 6933

Re: mikrotik hacked!?

There is no hacker proof. And you can't even get close with mikrotik. A couple of lacking features off the top of my head that prohibit their use as a firewall in an enterprise/smb environment. SSL decryption and inspection. Application identification/policy. Ids/ips signatures. Vulnerability signat...
by roadracer96
Mon Oct 24, 2016 10:57 pm
Forum: General
Topic: mikrotik hacked!?
Replies: 14
Views: 6933

Re: mikrotik hacked!?

Or it connects to a DNS name that was hijacked and the exploit downloaded. Lots of those dvr systems create connections automatically. The little webcam I use to watch my kiddo sleep tunnels out to the net and you can connect to it by knowing a serial # or something. That's why you need to log i...
by roadracer96
Sun Oct 09, 2016 5:10 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 49025

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Maybe that look at all he brocade 7450s. They have an available IPSec module. Now. Keep in mind this isn't really useful for road warrior. It's only designed for router to router links.
by roadracer96
Sun Oct 09, 2016 5:08 pm
Forum: General
Topic: IPv6 testing, some help required
Replies: 14
Views: 4367

Re: IPv6 testing, some help required

It doesn't request a /64 for the WAN. It requests a NA address and derives the prefix of the subnet from router advertisements. Dhcpv6 from a single client standpoint (i.e.: not a PD request) has no concept of a subnet mask.
by roadracer96
Sat Oct 08, 2016 2:28 am
Forum: General
Topic: IPv6 testing, some help required
Replies: 14
Views: 4367

Re: IPv6 testing, some help required

Depends on your configuration. We use /64s and /60s for residential users. Nobody has used a /60 yet. And a single IP for the wan interface. In reality you don't need the single IP in the wan. It's not used for anything in 99% of situations. Source guarded ports so users can't egress traffic with un...
by roadracer96
Sat Oct 08, 2016 2:20 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 49025

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Brocade MLXs. Having 400gbit of IPSec throughout and 2.4million hardware route scale is just a happy side effect. The reality is. We collapsed a lot of devices into 1 per building (9 total MLXs). The internet facing units have the newer 20 port 10gig IPSec enabled line cards.
by roadracer96
Wed Oct 05, 2016 2:59 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 49025

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

The problem with misordered packets is that the receiving side has to wait for everything to come in so it can reorder them and feed them to the application. This results in the connection slowing down and scaling the window size smaller in order to guarantee delivery. You could tweak the settings i...
by roadracer96
Mon Aug 31, 2015 10:59 pm
Forum: General
Topic: Feature Request: PEAP-MSCHAPv2 in station mode
Replies: 6
Views: 3846

Re: Feature Request: PEAP-MSCHAPv2 in station mode

It's already there. I think it's only available from the CLI.
by roadracer96
Mon Aug 03, 2015 4:56 pm
Forum: General
Topic: Feature Request: Specify IPv6 VRRP Link Local address
Replies: 0
Views: 1683

Feature Request: Specify IPv6 VRRP Link Local address

Other hardware I use allows me to specify the virtual link local address on IPv6 VRRP sessions. It's much easier to have the gateway be fe80::1 on every segment of the network, instead of the default VRRP link local address.
by roadracer96
Fri Jul 31, 2015 2:49 am
Forum: General
Topic: DHCPv6 Relay not saving config? 6.30.1
Replies: 0
Views: 1107

DHCPv6 Relay not saving config? 6.30.1

It works fine. Just doesn't keep across reboots of router.

Anyone else? RB1100AHx2, 6.30.1
by roadracer96
Thu Jun 11, 2015 8:54 pm
Forum: Forwarding Protocols
Topic: What BGP setups need to be optimized
Replies: 57
Views: 31916

Re: What BGP setups need to be optimized

Multicore
SNMP monitoring/traps
Graceful restart
Flap dampening
Native multipathing


Would be nice:
IRR lookups
by roadracer96
Sat May 16, 2015 2:47 am
Forum: General
Topic: NPTv6 / RFC 6296 Support?
Replies: 53
Views: 15690

Re: NPTv6 / RFC 6296 Support?

You lost my attention at "ssl vpns are better". Lol. Really?
by roadracer96
Sat May 16, 2015 12:47 am
Forum: General
Topic: NPTv6 / RFC 6296 Support?
Replies: 53
Views: 15690

Re: NPTv6 / RFC 6296 Support?

Good point. Announce 2 prefixes with RA and with a low lifetime. Failover by disabling a prefix announcement. Any sort of nat outside of 6to4 for IPv6 only hosts should be abolished. The point of wasteful assignments is really not founded. The address space really is that vast that it doesn't matter.
by roadracer96
Sat May 16, 2015 12:41 am
Forum: General
Topic: NPTv6 / RFC 6296 Support?
Replies: 53
Views: 15690

Re: NPTv6 / RFC 6296 Support?

Don't do it. Do it the right way. Not the hack way. I'm not sure what the real costs are but a few thousand euros per month sounds pretty steep for announcing a prefix. It'd be a couple hundred dollars a month in the states. Cost of doing business. Do it right or don't do it. it's not a business. i...
by roadracer96
Fri May 15, 2015 1:54 pm
Forum: General
Topic: NPTv6 / RFC 6296 Support?
Replies: 53
Views: 15690

Re: NPTv6 / RFC 6296 Support?

I'm personally against anything to do with nat and IPv6. We don't need another bandaid like nat originally was. Use IPv6 the way it was intended to be used. any comments on how to balance a few IPv6 uplinks? or just failover for the home Internet? Don't do it. Do it the right way. Not the hack way....
by roadracer96
Fri May 15, 2015 5:39 am
Forum: General
Topic: NPTv6 / RFC 6296 Support?
Replies: 53
Views: 15690

Re: NPTv6 / RFC 6296 Support?

I'm personally against anything to do with nat and IPv6. We don't need another bandaid like nat originally was. Use IPv6 the way it was intended to be used.
by roadracer96
Tue May 12, 2015 3:24 am
Forum: General
Topic: Feature Request: RSTP for CRS to build ring network
Replies: 23
Views: 10277

Re: Feature Request: RSTP for CRS to build ring network

Ethernet rings are l2. Vpls from Mikrotik is shoddy for that purpose. Not to mention convoluted solution to a small problem. Rings are very simple and very fast.
by roadracer96
Fri May 08, 2015 4:38 am
Forum: Forwarding Protocols
Topic: BGP & ICMP
Replies: 9
Views: 2663

Re: BGP & ICMP

The Mikrotik is announcing the IP range :-)
I meant the ips between you and them. The /30 between you is peeled off of a larger subnet that they might not announce.
by roadracer96
Thu May 07, 2015 3:35 am
Forum: Forwarding Protocols
Topic: BGP & ICMP
Replies: 9
Views: 2663

Re: BGP & ICMP

The ISP isn't announcing the peering ips most likely.
by roadracer96
Thu May 07, 2015 3:31 am
Forum: General
Topic: Feature Request: RSTP for CRS to build ring network
Replies: 23
Views: 10277

Re: Feature Request: RSTP for CRS to build ring network

Rings work better there than stp and are simpler. Mlag would be better for that scenario though. Mikrotik is really behind the times when it comes to basic redundancy considerations.
by roadracer96
Mon May 04, 2015 4:30 am
Forum: General
Topic: TCP Acceleration
Replies: 5
Views: 4530

Re: TCP Acceleration

That's not really a router function. That's a de facto saas application. You can setup squid to do the same thing. Not to mention the fact that it's a diminishing market.
by roadracer96
Thu Apr 23, 2015 7:49 pm
Forum: RouterBOARD hardware
Topic: CRS226-24G-2S+ Poor routing performance
Replies: 35
Views: 32496

Re: CRS226-24G-2S+ Poor routing performance

Switches in routers in the non "soft" world are the same thing these days.. IPs/routes get programmed in hardware and forwarded at line rate. I wish MT would actually start programming the forwarding tables in the switch chips to make them line rate routers.. that'd be the cats PJs. Kinda ...
by roadracer96
Thu Apr 23, 2015 7:44 pm
Forum: General
Topic: Feature Request: RSTP for CRS to build ring network
Replies: 23
Views: 10277

Re: Feature Request: RSTP for CRS to build ring network

Rings work great.. STP, kinda well... sucks.. it works, but not super duper fast.

G8032 rings in a switched environment are awesome. No reason the feature shouldn't be included.
by roadracer96
Thu Apr 23, 2015 3:00 am
Forum: General
Topic: Plex and browser in iOS does not work in Mikrotik
Replies: 2
Views: 1609

Re: Plex and browser in iOS does not work in Mikrotik

Configuration problem. Plex works fine with my iOS devices.
by roadracer96
Thu Apr 23, 2015 2:52 am
Forum: General
Topic: Feature Request: RSTP for CRS to build ring network
Replies: 23
Views: 10277

Re: Feature Request: RSTP for CRS to build ring network

G8032 rings. Not stp.
by roadracer96
Sat Apr 11, 2015 12:19 am
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 41
Views: 25751

Re: CCR IPSec performance

Why not? It's a real world test ... Because first of all this is a testing i/o of your laptops and then network devices :) after testing with traffic generators you should always test with the type of traffic you will normally have to deal with as network admin... if your users use smb, ftp or nfs ...
by roadracer96
Sat Apr 11, 2015 12:15 am
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 41
Views: 25751

Re: CCR IPSec performance

Sounds damn close to what I got... And they kept telling me I was wrong. What numbers are correct? :) Maybe there is something wrong with your laptops? I do not like the idea to download some file in such tests... GRE over IPSEC between 2 CCRs will perform very fast if you do the speed test from on...
by roadracer96
Sat Feb 14, 2015 2:26 am
Forum: RouterBOARD hardware
Topic: CCR IPSec performance
Replies: 41
Views: 25751

Re: CCR IPSec performance

Sounds damn close to what I got... And they kept telling me I was wrong.
by roadracer96
Mon Nov 24, 2014 11:01 pm
Forum: General
Topic: CAPsMAN auto frequency
Replies: 39
Views: 40571

Re: CAPsMAN auto frequency

Doesn't matter if you are indoor or outdoor. If you want to use 80mhz channels in ac, you have to use dfs or only have 2 non overlapping channels.
by roadracer96
Mon Nov 17, 2014 8:09 pm
Forum: General
Topic: CAPsMAN auto frequency
Replies: 39
Views: 40571

Re: CAPsMAN auto frequency

In RouterOS 6.22 CAPsMANv2 frequency auto-select does NOT work. Every provisioned CAP lands on the same frequency. I haven't tried v2 but it works for me on v1. Did you try it on v1, and did it work for you on v1, too? One thing that I have noticed is that if I boot up all of my CAPs at the same ti...
by roadracer96
Sat Nov 15, 2014 1:49 am
Forum: General
Topic: 6.22 released!
Replies: 151
Views: 71003

Re: 6.22 released!

HE.net 6to4 tunnel works fine at home.. 6.19,6.20,6.21.1,6.22 MTU set to auto didn't work until 6.22 though. Currently running 1480 MTU and can pull 600+mbit across it up and down. CCR-1016. Also, as of the 6.21 release, I stopped MSS clamping in mangle with the new feature to auto clamp MSS on the ...
by roadracer96
Fri Nov 14, 2014 6:19 pm
Forum: General
Topic: CAPsMAN auto frequency
Replies: 39
Views: 40571

Re: CAPsMAN auto frequency

Auto select doesn't work. It did seem to sort of work in 6.19 Capsman. But not when the device first came up. Only if you disable/reenabled the interface after it rebooted. Then it would work. On 6.21 and 6.22, it seems about as useless as a box of rocks. But when are you going to (re)support TRUE ...
by roadracer96
Fri Nov 14, 2014 2:47 am
Forum: General
Topic: CAPsMAN auto frequency
Replies: 39
Views: 40571

Re: CAPsMAN auto frequency

Auto select doesn't work. It did seem to sort of work in 6.19 Capsman. But not when the device first came up. Only if you disable/reenabled the interface after it rebooted. Then it would work. On 6.21 and 6.22, it seems about as useless as a box of rocks. But when are you going to (re)support TRUE D...
by roadracer96
Wed Nov 12, 2014 8:20 pm
Forum: General
Topic: 6.22 released!
Replies: 151
Views: 71003

Re: 6.22 released!

Opened a case about 6.21.1 today... VRRP IPv6 no worky worky. Backup router flaps constantly. Was working on 6.19, broken in 6.21

Guessing that fix isn't in it...
by roadracer96
Thu Nov 06, 2014 7:51 pm
Forum: General
Topic: Feature Request: EAP-TTLS/EAP-PEAP
Replies: 15
Views: 9294

Re: Feature Request: EAP-TTLS/EAP-PEAP

They aren't turned on right now, but you have to do it in the CLI, not through winbox or webfig. in the security profile or on the wireless interface there is an option for mschap username and mschap password and identity. Connects as a station just fine. Then we GRE tunnel back to a CCR1036 and do ...
by roadracer96
Thu Nov 06, 2014 7:45 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

It is very difficult to find other vendors selling TILE. For now you should try my advice on having multiple tunnels. CPUs like TILE and GPUs are something new to mikrotik so there are bound to be difficulties making full use of it. Yeah. Because I really want to go from 10 tunnels to 40 just to ge...
by roadracer96
Tue Oct 28, 2014 5:02 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

In my test setup between two CCRs, gre over ipsec had no problems forwarding 500Mbps with 1450 byte packets.
It's pretty obvious that your perfect conditions test case doesn't reflect real world performance.
by roadracer96
Tue Oct 28, 2014 4:59 pm
Forum: General
Topic: Feature Request: EAP-TTLS/EAP-PEAP
Replies: 15
Views: 9294

Re: Feature Request: EAP-TTLS/EAP-PEAP

I haven't tried eap-ttls in station mode, but eap-mschapv2 does work in station mode. Works fine on our eduroam network.
by roadracer96
Tue Oct 07, 2014 4:36 am
Forum: RouterBOARD hardware
Topic: DO NOT USE CCR1036 WITH 2 BGP SESSIONS
Replies: 6
Views: 3078

Re: DO NOT USE CCR1036 WITH 2 BGP SESSIONS

Running 2 with 3 full v6 and v4 feed with OSPF and ospfv3. Was up to 48 days before going to 6.19.
by roadracer96
Wed Sep 24, 2014 1:22 am
Forum: General
Topic: Feature request: CAPsManager - roaming
Replies: 80
Views: 39118

Re: Feature request: CAPsManager - roaming

I understand the request and it is a good one, but just wanted to note, that you can already configure access list to disconnect client with bad signal, and the client will then reconnect to the nearest AP That's not even close to the capability of a fully managed zero handoff roaming situation. Ze...
by roadracer96
Wed Sep 10, 2014 9:33 pm
Forum: Forwarding Protocols
Topic: Loss of BGP function after 3-4 weeks
Replies: 16
Views: 5706

Re: Loss of BGP function after 3-4 weeks

I have a 2x 1036s running 3 full v4 and v6 feeds.. one is at 47 days uptime on 6.17 right now... the other was up to about 60 days before I rebooted to test something (6.15).

Plus some queuing and simple policy routing.
by roadracer96
Sat Sep 06, 2014 6:52 pm
Forum: Wireless Networking
Topic: Disassociate device (CoA, SNMP ...)
Replies: 15
Views: 5693

Re: Disassociate device (CoA, SNMP ...)

Radius comes from the controller. Not the ap. In your case it's both.
by roadracer96
Wed Sep 03, 2014 10:35 pm
Forum: General
Topic: v6.19 released
Replies: 256
Views: 117031

Re: v6.19 released

roadracer96,
please provide us (support@mikrotik.com) with support output file from your router.

I couldn't get one. Any time I tried to do that or export config, it would reboot. I had to net-install it.
by roadracer96
Mon Sep 01, 2014 6:42 pm
Forum: Wireless Networking
Topic: Disassociate device (CoA, SNMP ...)
Replies: 15
Views: 5693

Re: Disassociate device (CoA, SNMP ...)

I'm pretty up on Packetfence... Would probably need to do an SNMP query to make sure the wireless-FP package is being used and not the regular wireless package. Both will work, but only one will work with VLAN assignment.
by roadracer96
Mon Sep 01, 2014 6:33 pm
Forum: General
Topic: v6.19 released
Replies: 256
Views: 117031

Re: v6.19 released

6.19 upgrade definitely plays havoc on configs. I have a very simple config on my home router (CCR1016-12G). 3x Capsman APS, one bridge as LAN interface, one wan interface, NAT, IPv6, DHCP server. Upgrading from 6.18 made it so the bridge didn't show up in interfaces, but the router still worked and...
by roadracer96
Mon Sep 01, 2014 6:29 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624970

Re: Feature requests

BFD detects when the peer goes away based on the interval of the BFD messages x multiplier.. So .25 second message X 3 multiplier = .75 second detection time. If OSPF is shut down on an interface, BFD will get shut down and in .75 seconds, the routes on the other end will get dropped. Graceful resta...
by roadracer96
Mon Sep 01, 2014 5:38 am
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624970

Re: Feature requests

That isn't graceful restart. Graceful restart means "hold your routes until I come back, wait up to x seconds for me to finish my operation then update routes after we reestablish adjacency". The change you requested is best handled with bfd.
by roadracer96
Sun Aug 31, 2014 3:54 am
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624970

Re: Feature requests

Both of my other brands of firewalls and routers support graceful ospf/bgp restart. It's very nice when you are making a change to the routing process but don't want to dump all routes.
by roadracer96
Sun Aug 31, 2014 3:51 am
Forum: General
Topic: [Feature request] src-addr for fetch tool
Replies: 2
Views: 1857

Re: [Feature request] src-addr for fetch tool

This would be helpful. Same for package upgrade.
by roadracer96
Thu Aug 28, 2014 2:43 pm
Forum: RouterBOARD hardware
Topic: 60KM SFP
Replies: 8
Views: 3761

Re: 60KM SFP

It all depends on the power budget of the link. Did the installer of the fiber provide loss numbers?
by roadracer96
Fri Aug 22, 2014 4:18 am
Forum: General
Topic: 7.0?
Replies: 44
Views: 18517

Re: 7.0?

I run multicast over gre on a cc and it works fine a few 7mbit streams
by roadracer96
Fri Aug 15, 2014 8:23 pm
Forum: RouterBOARD hardware
Topic: Millions of connections - CCR1036 or x86?
Replies: 5
Views: 2836

Re: Millions of connections - CCR1036 or x86?

Ccr should handle it memory wise. Even with 4gb iirc linux uses about 300 bytes per connection. So 1gb free ram gives you upwards of 3 million. This is in theory not practice though. Can say what would really happen.
by roadracer96
Thu Aug 14, 2014 11:07 pm
Forum: General
Topic: RADIUS Opinions
Replies: 13
Views: 4714

Re: RADIUS Opinions

FreeRADIUS with perl module. There is no substitute.
by roadracer96
Thu Aug 14, 2014 2:08 am
Forum: General
Topic: Routing issue VRF Pref-src
Replies: 3
Views: 1732

Re: Routing issue VRF Pref-src

What's bridge_outside. Is ether24 in a bridge? If so then run dhcp client on the bridge. Not the member interface.
by roadracer96
Wed Aug 13, 2014 2:47 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

It doesn't fully work. Im setting it up like this: RB1100AHX2 Caps Manager Omnitik AP Caps Client Manager Forwarding mode Omnitik plugged into port 10 of RB1100, Caps using ethernet discovery and communication, not L3. Bridge BR-CAPS setup on RB1100 with port 13 as slave, connected to upstream switc...
by roadracer96
Wed Aug 13, 2014 12:42 am
Forum: General
Topic: SNMP, Source IP, OSPF / Multihomed
Replies: 3
Views: 2625

Re: SNMP, Source IP, OSPF / Multihomed

Set a routing mark in mangle output src port 161 have that routing table point back to your app. It sucks but it works. Only seems to happen with multiple routing tables.
by roadracer96
Tue Aug 12, 2014 9:03 pm
Forum: General
Topic: CAPsMAN Weeping
Replies: 11
Views: 5588

Re: CAPsMAN Weeping

* Currently no roaming standard added. Hopefully that will change? * Is it bad that CAPsMAN chooses a less used channel and not sticking to the 1-6-11 model? Versus the better, more modern method of sharing a single channel throughout the entire network, yes.. it is bad. * You can change the tx-pow...
by roadracer96
Tue Aug 12, 2014 7:29 pm
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

To show him how much of an idiot he is.. Sometimes people just don't know...
by roadracer96
Tue Aug 12, 2014 7:22 pm
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

Aug 12 11:57:58 httpd.webservices(20577) INFO: handling radius autz request: from switch_ip => 1.2.3.4, connection_type => Wireless-802.11-NoEAP,switch_mac => d4:ca:6d:d2:88:67, mac => my.ip.on.em.ac, port => 0, username => my.ip.on.em.ac (pf::radius::authorize) Aug 12 11:57:58 httpd.webservices(205...
by roadracer96
Tue Aug 12, 2014 6:33 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

Unknown attribute? This is CAPSMAN ROS 6.18 11:31:46 radius,debug,packet received Access-Accept with id 90 from 10.0.0.28:1812 11:31:46 radius,debug,packet Signature = 0x82d76e59de1aa563441b2ab5ed61c5d3 11:31:46 radius,debug,packet Acct-Interim-Interval = 600 11:31:46 radius,debug,packet Unknown-Att...
by roadracer96
Tue Aug 12, 2014 6:10 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

you should use our MikroTik attributes: MIKROTIK_WIRELESS_VLANID = 26, /* integer */ MIKROTIK_WIRELESS_VLANIDTYPE = 27, /* integer */ VLANIDTYPE: 0 - 802.1q tag 1 - 802.1ad tag (service tag) Thanks! Those don't show up in any of the radius dictionaries I've seen, including your wiki. ;) Are there a...
by roadracer96
Tue Aug 12, 2014 12:07 pm
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

1, Thank you for the nice response. 2, Thus far, I have found and used another product, (Reluctantly I might add) 3, Mikrotiks Strength going forward will be their Value for the dollar, As things change and even more things virtualize, they will champion the market of performance for the dollar.. T...
by roadracer96
Tue Aug 12, 2014 12:03 pm
Forum: General
Topic: CAPsMAN Weeping
Replies: 11
Views: 5588

Re: CAPsMAN Weeping

It'll get better. Keep in mind it costs about 1/8th the price of something like our meru that does what you mention.
by roadracer96
Tue Aug 12, 2014 3:12 am
Forum: SwOS
Topic: VLANs are not isolated from each other?
Replies: 9
Views: 8617

Re: VLANs are not isolated from each other?

Thread jacking. Zero relevance.
by roadracer96
Tue Aug 12, 2014 3:11 am
Forum: General
Topic: Feature Request: OpenVPN [ovpn] udp tunnels
Replies: 249
Views: 138829

Re: Feature Request: OpenVPN [ovpn] udp tunnels

All of you, Go and vote your support here : http://forum.mikrotik.com/viewtopic.php?f=1&t=86461

Seriously. Not even related. Not at all. Thread jacking.
by roadracer96
Tue Aug 12, 2014 3:09 am
Forum: Wireless Networking
Topic: Wireless 802.1x Problem
Replies: 3
Views: 3346

Re: Wireless 802.1x Problem

you need to get on-board the Dynamic VLAN Assignment bandwagon.. Vote here for it : http://forum.mikrotik.com/viewtopic.php?f=1&t=86461
Thread jacking.
by roadracer96
Tue Aug 12, 2014 3:08 am
Forum: Virtualization
Topic: OpenWRT metarouter patch v1.2
Replies: 40
Views: 74325

Re: OpenWRT metarouter patch v1.2

Ive messed with OpenWRT to get virtualization and packetfence support. All thats needed to run it directly is to enable Dynamic VLAN Assignment.. Go Vote here for it : http://forum.mikrotik.com/viewtopic.php?f=1&t=86461

Thread jacking.
by roadracer96
Tue Aug 12, 2014 2:49 am
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

http://forum.mikrotik.com/viewtopic.php?f=1&t=81881 You can follow up with Mikrotik on what the proper radius attribute is. They say it works. If you know the attribute it will take 4 seconds to copy the hostapd.pm and paste the radius reply sub from switch.pm and change the attribute. Then it'l...
by roadracer96
Tue Aug 12, 2014 2:44 am
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

And cross posting in any thread where someone has a question about wireless "you should request dynamic vlan assignment" is what? Get a life. If the product doesn't do what you want then find another product. Don't expect a company that sells budget products to drop everything because you h...
by roadracer96
Mon Aug 11, 2014 4:31 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn't specified.

Testing this. Mac auth, Trying to assign tagged vlan based on RADIUS response.
Mon Aug 11 09:21:41 2014
Packet-Type = Access-Accept
Tunnel-Private-Group-Id:0 = "1208"...
by roadracer96
Mon Aug 11, 2014 12:00 pm
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

What facts are wrong about packetfence? I'm calling your bluff. You don't know anything about how packetfence works. You do have to prove yourself right in this case. You are spreading misinformation. Maybe, just to shut you up, I'll setup a mt ap as a client to packetfence and show you it works. Th...
by roadracer96
Mon Aug 11, 2014 4:28 am
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

You moron. Capsman supports radius dynamic Vlan assignment using standard radius attributes. It will work with packetfence. Hostapd has absolutely nothing to do with switches. Configure a capsman access point with radius mac auth and point it at packetfence configured as hostapd and it will probably...
by roadracer96
Sun Aug 10, 2014 8:02 pm
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

I be for a 10000 port, 200+ switch network with 300 aps running packetfence. I understand completely how it works. I've written custom modules for packetfence and it isn't that hard. It will already work for wireless(capsman mac auth), Just not for wired. There is absolutely no support for it in Rou...
by roadracer96
Sun Aug 10, 2014 5:11 am
Forum: General
Topic: Feature Request: Dynamic V-Lan Assignment
Replies: 5
Views: 2895

Re: Feature Request: Dynamic V-Lan Assignment

It's not pessimistic. Adding radius vlan assignment and 802.1x to a switch from scratch isn't going to be trivial. Planning, developing, testing and executing isn't an overnight thing. Flooding a message board with requests isn't going to make it happen faster. I swear you request this once a week i...
by roadracer96
Sun Aug 10, 2014 5:08 am
Forum: General
Topic: VOTE FOR PACKETFENCE SUPPORT
Replies: 33
Views: 14702

Re: VOTE FOR PACKETFENCE SUPPORT

You could write a packetfence module. You'd get results faster that way. Their modules design is usable via ssh. Could also interface it with the packetfence API.
by roadracer96
Sat Aug 09, 2014 7:47 pm
Forum: General
Topic: Feature Request: Dynamic V-Lan Assignment
Replies: 5
Views: 2895

Re: Feature Request: Dynamic V-Lan Assignment

I'm all for it as well. But the reality is.. A feature like that isn't going to pop up any time soon on switches.
by roadracer96
Wed Aug 06, 2014 10:21 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

for what purposes you would use that vlan-id if we would try to add that to the EAP RADIUS response?

Dynamic vlan assignment based on the user. For instance. We broadcast the "eduroam" SSID. We have employees connect to it and get vlan 501, students connect and get vlan 502, IT department...
by roadracer96
Tue Aug 05, 2014 5:48 pm
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

vlan-mode and vlan-id can be only specified from the MAC RADIUS response. From the EAP RADIUS response it isn't specified.

AHHH.. OK.. That would explain why it didn't work for me when all I did was change from MAC to EAP..... When do we expect that to work?
by roadracer96
Tue Aug 05, 2014 4:45 am
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

I'm TELLING you that Capsman DOES NOT work with 802.1x.. I tried it at home. It only works with MAC based..

Once more. Caps man DOES NOT work with 802.1x. AT ALL.

EDIT: The security options exist, but they just don't work. I'm sure they will in the future, but at the moment, they don't.
by roadracer96
Sun Aug 03, 2014 3:21 am
Forum: General
Topic: Will 7.0 be based on kernel 3.14?
Replies: 7
Views: 4038

Re: Will 7.0 be based on kernel 3.14?

And vxlan support.
by roadracer96
Sat Aug 02, 2014 12:29 am
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

Capsman doesn't support 802.1x and capsman is the only one that supports radius vlan assignment.

We just rolled out eduroam. Dynamic vlan assignment is a requirement for us. We are trying to go single ssid.
by roadracer96
Fri Aug 01, 2014 1:28 am
Forum: General
Topic: eduroam: VLAN assignment based on RADIUS 802.1x reply
Replies: 40
Views: 22626

Re: eduroam: VLAN assignment based on RADIUS 802.1x reply

Capsman can't do 802.1x. Mikrotik can't do eduroam at the moment. Use ubiquiti or openwrt. Or pretty much any other vendor.
by roadracer96
Wed Jul 30, 2014 3:14 am
Forum: Forwarding Protocols
Topic: OSPF Loop-d-Loop
Replies: 3
Views: 2594

Re: OSPF Loop-d-Loop

It's mpls. Stop advertising all links for the time being. Just advertise the loop back.
by roadracer96
Mon Jul 28, 2014 5:52 am
Forum: General
Topic: How to build a Wi-Fi roaming environment of using CAPsMAN
Replies: 11
Views: 10811

Re: How to build a Wi-Fi roaming environment of using CAPsMA

Doesn't matter if it's in the spec or not. Zero handoff roaming is a no brainer requirement for a centrally managed ap environment. Capsman was the first step. Now the blanks need to be filled in for it to become a true enterprise wireless system.
by roadracer96
Sat Jul 26, 2014 5:18 am
Forum: Forwarding Protocols
Topic: Proper IPv6 support
Replies: 7
Views: 3614

Re: Proper IPv6 support

I was more focused on the point that you were implying we shouldn't be using link local. When that's exactly what they are for. You could have an ospfv3 network spanning 50 nodes and only have global addresses at the ends. Thing of beauty.
by roadracer96
Sat Jul 26, 2014 12:06 am
Forum: Forwarding Protocols
Topic: OSPFv3 IPv6 Learned Next-hop
Replies: 3
Views: 1968

Re: OSPFv3 IPv6 Learned Next-hop

Ospfv3 router ids still use 32bit ips. Typically you'll set it to the same ip as the v4 router id.
by roadracer96
Fri Jul 25, 2014 3:59 am
Forum: Forwarding Protocols
Topic: Proper IPv6 support
Replies: 7
Views: 3614

Re: Proper IPv6 support

That's why link local addresses are suffixed with %interface. Sounds like you need proper ipv6 training. Ospfv3 is working fine in production for me on vlan interfaces. It works exactly as other devices work with vlan interfaces.
by roadracer96
Wed Jul 23, 2014 2:23 am
Forum: RouterBOARD hardware
Topic: CLOUD CORE ROUTER
Replies: 1373
Views: 1184485

Re: CLOUD CORE ROUTER

You really love to hear yourself talk don't you. Just buy one and find out. 900 bucks is always in the budget when you are talking about replacing 5 and 10k devices.
by roadracer96
Thu Jul 17, 2014 3:59 am
Forum: General
Topic: v6.15 released
Replies: 302
Views: 133140

Re: v6.15 released

By looking at sonicwall links, where is the benefit of VTI in such configuration? You still need to set policies for that interface meaning additional configuration. on mikrotik: gre over ipsec would be true interface usable for routing firewall etc. ipsec with subnet policies - the same as sonic w...
by roadracer96
Wed Jul 16, 2014 1:34 am
Forum: SwOS
Topic: What is the use of 260GSP ?
Replies: 17
Views: 12556

Re: What is the use of 260GSP ?

Thanks for your comments. As i see it - the majority of devices need 802.3af. When will mikrotik have a poe switch with 802.3af POE? The majority of devices, from what point of view??? Um. Every point of view except the niche ubnt and Mikrotik market. It's like 95% to 5%. Af is better. Plain and si...
by roadracer96
Wed Jul 16, 2014 12:01 am
Forum: Forwarding Protocols
Topic: WE NEED EIGRP
Replies: 39
Views: 21916

Re: WE NEED EIGRP

Lol. 400 routes in ospf is nothing. The slowest Mikrotik in current production could handle that without issue. Ospf is never overkill if you are talking about multiple subnets with multiple links. It just works.
by roadracer96
Tue Jul 15, 2014 11:54 pm
Forum: General
Topic: Feature Request:DHCP Server Update DNS Servers
Replies: 5
Views: 3027

Re: Feature Request:DHCP Server Update DNS Servers

on next dhcp lease update they should receive updated parameter list. Isn't it? The dhcp server needs Kerberos credentials to update the dns record of the device in AD. Don't need it for any domain attached pc though (linux, windows, mac). They will just update dns directly. Personally, id say not ...
by roadracer96
Tue Jul 15, 2014 12:11 am
Forum: General
Topic: Feature Request:DHCP Server Update DNS Servers
Replies: 5
Views: 3027

Re: Feature Request:DHCP Server Update DNS Servers

Just my .02.. If it's a branch office, use DHCP relay to AD, then it will update.
by roadracer96
Tue Jul 08, 2014 3:06 pm
Forum: General
Topic: Feature request: proxy_arp_pvlan
Replies: 10
Views: 5815

Re: Feature request: proxy_arp_pvlan

BUT, the OP wanted to have devices on the same subnet talk to upstream router but not each-other. split horizon bridging will accomplish this easily. Just put all customer ports in horizon 1 and the upstream port in horizon 0 and you are in business. I do see the difference in what you were asking f...
by roadracer96
Tue Jul 08, 2014 11:30 am
Forum: General
Topic: Feature request: proxy_arp_pvlan
Replies: 10
Views: 5815

Re: Feature request: proxy_arp_pvlan

You can already do this with... Well... Proxy arp and ip firewall or with split horizon bridging.
by roadracer96
Mon Jul 07, 2014 6:49 pm
Forum: General
Topic: lost all vrrp interfaces
Replies: 8
Views: 2840

Re: lost all vrrp interfaces

No.. Support is a pain.. I only open bug reports if it breaks to the point that it doesn't work.. lol.
by roadracer96
Mon Jul 07, 2014 5:52 pm
Forum: General
Topic: lost all vrrp interfaces
Replies: 8
Views: 2840

Re: lost all vrrp interfaces

It's a bug. Happens on tile and ppc units (at least). See it on 6.10+ versions (Haven't tested earlier).

It's mostly an annoyance. It continues to work.
by roadracer96
Mon Jul 07, 2014 5:32 pm
Forum: General
Topic: How to configured BGP route import and export policy.
Replies: 6
Views: 3799

Re: How to configured BGP route import and export policy.

/routing filter
add action=discard chain=isp1_in prefix=10.0.0.0/8 prefix-length=8-32 #DROP RFC1918
add action=discard chain=isp1_in prefix=192.168.0.0/16 prefix-length=16-32 #DROP RFC1918
add action=discard chain=isp1_in prefix=172.16.0.0/12 prefix-length=12-32 #DROP RFC1918
add action=accept chain...
by roadracer96
Sat Jul 05, 2014 5:48 am
Forum: Forwarding Protocols
Topic: mikrotik ospf and quagga via openvpn
Replies: 5
Views: 5472

Re: mikrotik ospf and quagga via openvpn

Try /30 on both ends.
by roadracer96
Thu Jul 03, 2014 10:05 pm
Forum: Forwarding Protocols
Topic: OSPF taking wrong path despite cost (asymmetric)
Replies: 13
Views: 4275

Re: OSPF taking wrong path despite cost (asymmetric)

Yeah, OSPF should take care of the backup.
by roadracer96
Thu Jul 03, 2014 5:14 am
Forum: General
Topic: IGMP Snooping
Replies: 134
Views: 81613

Re: IGMP Snooping

And after a little playing at home last night, capsman bridge ports. 7mbit of multicast from iptv on the wire (same bridge) as the cap interfaces crushed it. Couldn't even get a dhcp address.
by roadracer96
Thu Jul 03, 2014 5:07 am
Forum: Forwarding Protocols
Topic: OSPF taking wrong path despite cost (asymmetric)
Replies: 13
Views: 4275

Re: OSPF taking wrong path despite cost (asymmetric)

Why do you even have dhcp enabled?
by roadracer96
Thu Jul 03, 2014 5:04 am
Forum: General
Topic: Shortest Path Bridging
Replies: 4
Views: 2395

Re: Shortest Path Bridging

Think of it as ospf for layer 2 networks including ecmp.
by roadracer96
Wed Jul 02, 2014 2:24 pm
Forum: General
Topic: ADD DYNAMIC VLAN ASSIGNMENT.
Replies: 37
Views: 23500

Re: ADD DYNAMIC VLAN ASSIGNMENT.

At the switch level too.. we use packet fence to control about 10000 network ports in addition to the APs. MAC based vlan assignment for the switches and mac/802.1x for the APs.
by roadracer96
Wed Jul 02, 2014 1:14 am
Forum: Forwarding Protocols
Topic: OSPF taking wrong path despite cost (asymmetric)
Replies: 13
Views: 4275

Re: OSPF taking wrong path despite cost (asymmetric)

Post a /ip route print from each router.

Where is the default route coming from? Or is there no default?
by roadracer96
Tue Jul 01, 2014 9:33 pm
Forum: Forwarding Protocols
Topic: Help Please - iBGP setup - The Correct Way
Replies: 5
Views: 3550

Re: Help Please - iBGP setup - The Correct Way

probably best to just do a static route between BGP_R1 and BGP_R3 via R2 unless there are really multiple paths. The only time you really need to run BGP on a loopback interface is if its multi hop talking over multiple paths out of multiple interfaces from the same router. KISS method - Keep it sim...
by roadracer96
Tue Jul 01, 2014 9:27 pm
Forum: Forwarding Protocols
Topic: OSPF taking wrong path despite cost (asymmetric)
Replies: 13
Views: 4275

Re: OSPF taking wrong path despite cost (asymmetric)

Is your default route being flooded from a router not in the picture? Is it being exported as type 2 and not type 1?
by roadracer96
Tue Jul 01, 2014 9:09 pm
Forum: General
Topic: IGMP Snooping
Replies: 134
Views: 81613

Re: IGMP Snooping

Routeros being linux based doesn't help when the switch chip needs to be able to implement it, not routeros (outside of bridge ports).

I'm gonna throw PIM snooping out there too.. That'd help with multicast over VPLS links. :D
by roadracer96
Tue Jul 01, 2014 5:13 am
Forum: Forwarding Protocols
Topic: OSPF taking wrong path despite cost (asymmetric)
Replies: 13
Views: 4275

Re: OSPF taking wrong path despite cost (asymmetric)

Post full /routing ospf export from each
by roadracer96
Tue Jul 01, 2014 4:42 am
Forum: RouterBOARD hardware
Topic: Is there any plan to launch a Carrier Grade System ?
Replies: 10
Views: 4181

Re: Is there any plan to launch a Carrier Grade System ?

We use extreme. Every major player supports mlag and erps. Eaps just happens to be really easy to setup. Not without its bugs though.
by roadracer96
Mon Jun 30, 2014 8:24 pm
Forum: RouterBOARD hardware
Topic: Is there any plan to launch a Carrier Grade System ?
Replies: 10
Views: 4181

Re: Is there any plan to launch a Carrier Grade System ?

To add:

Ethernet OAM
Ethernet rings
Multi-device link aggregation
Full, TRUE VRF instances (Not policy routing based) with IPv6 and service support
by roadracer96
Sun Jun 29, 2014 3:16 am
Forum: General
Topic: Feature request: Time/date startup value in /system/clock
Replies: 14
Views: 4202

Re: Feature request: Time/date startup value in /system/cloc

Pretty sure you can set a script to run on boot can't you? Have it set the initial time to something close.

Rtc in the higher end models would be worth the extra 2 bucks IMHO. At least on higher end models.
by roadracer96
Fri Jun 27, 2014 1:36 pm
Forum: General
Topic: ADD DYNAMIC VLAN ASSIGNMENT.
Replies: 37
Views: 23500

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Put it this way.. I have 300 Meru APs on campus.. I'm not super impressed with them overall.. Having functional 802.1x and Mac based authentication with dynamic VLAN assignment and dynamic profiles (Add to queues or address lists and such) would make it usable for me. Vport/Channel sharing would be a...
by roadracer96
Wed Jun 25, 2014 5:52 am
Forum: General
Topic: Feature Request: g.8032
Replies: 1
Views: 1752

Re: Feature Request: g.8032

+1. 3.3ms cfm intervals.
by roadracer96
Mon Jun 23, 2014 4:28 am
Forum: General
Topic: ADD DYNAMIC VLAN ASSIGNMENT.
Replies: 37
Views: 23500

Re: ADD DYNAMIC VLAN ASSIGNMENT.

using CRS you can set up MAC addresses that will have VLAN assigned, no matter what port is used. That doesn't help with wireless/802.1x. I'd like to see mac/802.1x radius auth in switches and access points honoring the vlan returned by radius. All the big players and lots of the small ones support...
by roadracer96
Thu Jun 19, 2014 4:29 am
Forum: RouterBOARD hardware
Topic: iSCSI traffic replication over Fibre connection routers
Replies: 8
Views: 2814

Re: iSCSI traffic replication over Fibre connection routers

So I'm guessing my post was deleted. Buy a ccr and try tunneled traffic. See for yourself. Rb1100ahx2 is generally faster.
by roadracer96
Tue Jun 17, 2014 4:02 pm
Forum: General
Topic: Which Router for large number of VPNs for a central office?
Replies: 4
Views: 1934

Re: Which Router for large number of VPNs for a central offi

Yes, and that number is valid. But l2tp or gre over ipsec breaks down that number.. throw in TCP connections and it is even lower.. 3.5gbit goes down to 100mbit or less with TCP connections. Thrown in multiple tunnels all sending data and it seems like it might be getting some kind of race condition...
by roadracer96
Tue Jun 17, 2014 4:33 am
Forum: General
Topic: CCR1009 or RB1100AHx2 for EoIP+IPSec
Replies: 17
Views: 10632

Re: CCR1009 or RB1100AHx2 for EoIP+IPSec

For a single connection, you won't likely get 150mbit throughput with gre or eoip over IPSec on any ccr. S
by roadracer96
Tue Jun 17, 2014 4:30 am
Forum: General
Topic: Which Router for large number of VPNs for a central office?
Replies: 4
Views: 1934

Re: Which Router for large number of VPNs for a central offi

Looking for opinions for a good model that could handle 200 +/- IPSEC VPN tunnels back to it. Not too much constant traffic, mainly SNMP/management and the occasional VoIP call across the line. If we should want to go with more traffic at a later time, this should figure in. A 1100AHx2 should do ar...
by roadracer96
Wed Jun 11, 2014 7:03 pm
Forum: General
Topic: v6.14 released
Replies: 114
Views: 37692

Re: v6.14 released

and now Enterprise and Carriers with CCRs.

LOL.. That made me chuckle a bit..
by roadracer96
Wed Jun 04, 2014 6:52 pm
Forum: General
Topic: CCR VPLS performance, 10g
Replies: 3
Views: 2859

Re: CCR VPLS performance, 10g

That is what I was looking for.. Where did you hear that v7 is going to support spreading connections over multiple cores? Whats the word for an ETA on v7? In a nutshell, I need high speed, redundant L2 connectivity from one datacenter to another. Just running an L2 vlan won't work because one of th...
by roadracer96
Wed Jun 04, 2014 2:54 am
Forum: General
Topic: CCR VPLS performance, 10g
Replies: 3
Views: 2859

CCR VPLS performance, 10g

I was planning on using a few CCR1036s for a connection between datacenters. Now I'm not so sure. Asking those that have tried. What kind of single connection TCP performance can one expect between 2 CCR1036s over 10gig VPLS?

Is it going to be limited to 1gig?
by roadracer96
Tue Jun 03, 2014 3:01 am
Forum: General
Topic: CC1036 Performance issues
Replies: 10
Views: 4541

Re: CC1036 Performance issues

I'd use em for mpls/vpls if it weren't for that limitation. Iscsi from datacenter to datacenter, easy 3-4 gig single tcp stream. Vmotion with hosts heavy on ram. 1gig is nothing for network bandwidth these days.
by roadracer96
Wed May 28, 2014 10:01 pm
Forum: General
Topic: High Speed VPN - 100Mbps +
Replies: 25
Views: 23469

Re: High Speed VPN - 100Mbps +

I just did a UDP test with 10 streams.. I got 800mbit.. with 20% packet loss..

Transmit only.
by roadracer96
Wed May 28, 2014 5:45 pm
Forum: General
Topic: High Speed VPN - 100Mbps +
Replies: 25
Views: 23469

Re: High Speed VPN - 100Mbps +

You said 800mbit, not 229mbit or 353mbit.

PS: You said 800mbit full duplex... I see 229mbit/353mbit 1/2 duplex. I bet if you did them both ways at the same time, the results would be approximately 1/2.
by roadracer96
Wed May 28, 2014 4:41 pm
Forum: General
Topic: High Speed VPN - 100Mbps +
Replies: 25
Views: 23469

Re: High Speed VPN - 100Mbps +

Support only got 190mbit from router to router (IE: Not forwarding). I, (And others on the forum) don't see near that performance. I can only get about 20-25mbit full duplex between a CCR1036 and RB1100AHx2 using IPERF TCP, single connection with a 1400MTU GRE tunnel, a few mangle rules and a few qu...
by roadracer96
Wed May 28, 2014 12:31 am
Forum: General
Topic: High Speed VPN - 100Mbps +
Replies: 25
Views: 23469

Re: High Speed VPN - 100Mbps +

SSTP can do more than 40Mbps especially on CCR. Also ipsec on CCR can encrypt/decrypt up to 1.3Gbps on a single tunnel. Yeah right. Not in any of my testing with sstp, openvpn, gre/IPSec, l2tp/IPSec. Support told me that's the way it is and don't expect it to get better. Rb1100ahx2 outperforms ccr ...
by roadracer96
Fri May 16, 2014 1:43 am
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

They have already responded. That's the way it is. The tcp connection, gre tunnel, forwarding, and ipsec are all processed on one core. Apparently 1 core of a rb1100ahx2 is faster than 1 core of a tilera.
by roadracer96
Wed May 14, 2014 1:04 am
Forum: RouterBOARD hardware
Topic: RB1100AHx2 or CCR1009-8G-1S-1S+
Replies: 19
Views: 15253

Re: RB1100AHx2 or CCR1009-8G-1S-1S+

Exactly why I ordered up 2 CCRs to use for production to replace the RB1100AHx2 proof of concept devices.. Unfortunately the 1100s performed better. It seems as if it's trying to do GRE, IPSEC, and all forwarding related to a particular connection on one core of the CPU at exactly the same time.. Tha...
by roadracer96
Tue May 13, 2014 7:35 pm
Forum: RouterBOARD hardware
Topic: RB1100AHx2 or CCR1009-8G-1S-1S+
Replies: 19
Views: 15253

Re: RB1100AHx2 or CCR1009-8G-1S-1S+

Redundant PSU is a nice feature, but not necessary. I believe the RB1100AHx2 is better for VPN but the CCR has better routing throughput? Difficult choice... not anymore, since RouterOS v6.12, encrypted tunnel speed is much better than RB1100 Maybe IPSEC tunnel mode, but not a GRE or IPIP or L2TP t...
by roadracer96
Mon May 12, 2014 3:37 pm
Forum: RouterBOARD hardware
Topic: RB1100AHx2 or CCR1009-8G-1S-1S+
Replies: 19
Views: 15253

Re: RB1100AHx2 or CCR1009-8G-1S-1S+

If you are using GRE or IPIP tunnels over IPSEC, don't get the Tilera CPU. VERY broken. MT Support won't even respond about it. Limited to about 25mbit full duplex. AHx2 pushes over 300mbit.
by roadracer96
Sat May 10, 2014 5:48 am
Forum: General
Topic: ADD DYNAMIC VLAN ASSIGNMENT.
Replies: 37
Views: 23500

Re: ADD DYNAMIC VLAN ASSIGNMENT.

Www.packetfence.org

Should work with capsman as a hostapd ap when it's production. I'd like to see radius support in the switches.
by roadracer96
Wed May 07, 2014 6:19 pm
Forum: Forwarding Protocols
Topic: ospfv3 and ipv6 - Discarding packet: locally originated
Replies: 18
Views: 10257

Re: ospfv3 and ipv6 - Discarding packet: locally originated

Thanks for the unhelpful input. I'd wager that the problem is in how you assign link local addresses to tunnel interfaces that results in the same link local address on a remote side as on another tunnels local side. Otherwise, it shouldn't matter if the same link local address is found on 2 separate ...
by roadracer96
Wed May 07, 2014 8:33 am
Forum: Forwarding Protocols
Topic: ospfv3 and ipv6 - Discarding packet: locally originated
Replies: 18
Views: 10257

Re: ospfv3 and ipv6 - Discarding packet: locally originated

How many years and still not fixed? Get it together guys.

6.12
by roadracer96
Wed May 07, 2014 7:08 am
Forum: General
Topic: MikroTik MetroEthernet 2.0 Certification
Replies: 10
Views: 4127

Re: MikroTik MetroEthernet 2.0 Certification

Don't think they could. They lack the oam support. Good reason to add it though.
by roadracer96
Wed May 07, 2014 7:01 am
Forum: General
Topic: Request: IP-SLA
Replies: 21
Views: 18278

Re: Request: IP-SLA

Ccm messaging as part of g.8032 ethernet rings can be used this way. Kill 2 birds with one stone.
by roadracer96
Wed May 07, 2014 3:41 am
Forum: RouterBOARD hardware
Topic: Request for real Cloud Core Router HW (10Gbps)
Replies: 18
Views: 10408

Re: Request for real Cloud Core Router HW (10Gbps)

Use l3 switches for our bgp peerings. 3 full v6 and v4 tables. All in hardware. Works perfect. College campus.

Yes. The tests show that. Which makes it even worse. They designed the tests to cover up the flaws.
by roadracer96
Tue May 06, 2014 3:19 pm
Forum: RouterBOARD hardware
Topic: Request for real Cloud Core Router HW (10Gbps)
Replies: 18
Views: 10408

Re: Request for real Cloud Core Router HW (10Gbps)

Old switch ASICS only knew how to process VLAN tags, MAC Addresses, and maybe DSCP/TOS. Modern switch ASICS know how to process data at L4. This encompasses routing. The $4k SWITCHES we use can ROUTE or SWITCH at line-rate across all ports simultaneously, 50 gbe ports and 2-4 10gbe ports. The core S...
by roadracer96
Tue May 06, 2014 3:54 am
Forum: RouterBOARD hardware
Topic: Request for real Cloud Core Router HW (10Gbps)
Replies: 18
Views: 10408

Re: Request for real Cloud Core Router HW (10Gbps)

For ISP aggregate traffic, which is really what MikroTik seems to be playing for, 1gbps single stream isn't that bad a limitation. We are a mid-sized wholesaler in AU and still will only do about 500-600mbit aggregate traffic. Big single streams are more suited to switching rather than routing. Swi...
by roadracer96
Mon May 05, 2014 9:04 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

1 week, multiple emails to support, no response.. I know they know about it.. After searching the forums, I can see it is a problem with their code on the Tilera CPU... Alpha quality at best.
by roadracer96
Mon May 05, 2014 3:42 pm
Forum: General
Topic: LLDP
Replies: 136
Views: 68744

Re: LLDP

+1 LLDP = awesome.
by roadracer96
Mon May 05, 2014 6:24 am
Forum: RouterBOARD hardware
Topic: Request for real Cloud Core Router HW (10Gbps)
Replies: 18
Views: 10408

Re: Request for real Cloud Core Router HW (10Gbps)

You gotta be shitting me. I've been waiting on a reply about something similar. 1gb per core, single stream? Throw gre and ipsec in the mix and you are down to 50 mbit. Rb1100 works better.
by roadracer96
Tue Apr 29, 2014 8:54 pm
Forum: Forwarding Protocols
Topic: Multicast routing
Replies: 15
Views: 5675

Re: Multicast routing

Works fine on RB1100AHx2. Same config on a CCR1036 doesn't work.

I'm kind of TO'd.. GRE over IPSEC doesn't work, PIM doesn't work... The 2 biggest reasons I need these and neither work.

Yay.
by roadracer96
Tue Apr 29, 2014 3:26 pm
Forum: Forwarding Protocols
Topic: Multicast routing
Replies: 15
Views: 5675

Re: Multicast routing

I'm still fiddling, but I don't think PIM works on CCR. My PIM BSR is at my core network. RB1100AHx2 worked fine with it. CCR doesn't seem to. BUT, there are some other changes I made when I put the CCR in that I have to work backwards through before I say it doesn't work for sure. All I can say now ...
by roadracer96
Tue Apr 29, 2014 3:22 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

I have 2 CCRs, but haven't tested it that way. They are a redundant pair... 2x CCR will end up serving 5x sites each with 2x RB1100AHx2. I suppose I could create a tunnel between them to test, but without hearing from support, it's kind of a moot point.
by roadracer96
Tue Apr 29, 2014 2:25 pm
Forum: General
Topic: IGMP Snooping
Replies: 134
Views: 81613

Re: IGMP Snooping

A managed switch that doesn't support IGMP AND PIM snooping is worthless in most enterprise environments. Fine for home, bad for enterprise. Simply stating that IGMP snooping isn't a standard doesn't negate its popularity, widespread implementation, and overall usefulness. A manually programmable mu...
by roadracer96
Tue Apr 29, 2014 2:21 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

Same here.. If I use tunnel mode instead of transport for subnet to subnet communication, it's as fast as you would expect it to be. It's only when tunneling GRE or IPIP that it slows. It sounds like an operating system quirk when the 2 are combined. Unfortunately, I need to run GRE tunnels for routing...
by roadracer96
Mon Apr 28, 2014 5:46 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

Re: GRE over IPSEC, CCR, VERY SLOW

I emailed support before posting this to open a case.

Do you already have a case open?
by roadracer96
Mon Apr 28, 2014 4:12 pm
Forum: General
Topic: GRE over IPSEC, CCR, VERY SLOW
Replies: 39
Views: 23568

GRE over IPSEC, CCR, VERY SLOW

Simple GRE tunnel over IPSEC transport mode, AES-CBC (Tried other algs as well), between CCR 1036 and RB1100AHx2 maxes at about 50Mbit aggregate throughput. 25/25 tx/rx, 5/45 tx/rx, etc. Same tunnel disabling the IPSEC policy nets over 500mbit aggregate throughput. Running the same setup between two ...
by roadracer96
Tue Jan 21, 2014 10:10 pm
Forum: General
Topic: IPV6 is it usable
Replies: 7
Views: 2889

Re: IPV6 is it usable

There seems to be a problem with the Next Hop in BGP, if you use OSPFv3 as IGP. You will see the Next Hop as "unreachable" in the routing table. You can find some Information in this forum. - Mat Yeah, I just did some testing with it and I had to create a route filter to set the next hop ...
by roadracer96
Tue Sep 25, 2012 12:37 am
Forum: General
Topic: RouterOS v6 release candidate 1
Replies: 96
Views: 39319

Re: RouterOS v6 release candidate 1

Packages were enabled. Config was there. I'm pretty sure it worked when I tested out 6.0b3 (Stopped using it for other reasons). Tried doing the ol edit save
by roadracer96
Tue Sep 25, 2012 12:12 am
Forum: General
Topic: RouterOS v6 release candidate 1
Replies: 96
Views: 39319

Re: RouterOS v6 release candidate 1

IPv6 seems to stop working after upgrading from 5.20 to 6rc1. Downgrade made it all work fine again. RB1100, RB1100AH, rb2011
by roadracer96
Mon Sep 17, 2012 4:13 pm
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

Haven't heard from support in 30 days.

Have sent 5 emails and none have been responded to.

I upgraded to 5.20 and it is still happening. I put a queue in place to limit traffic to 25mbit, still happens.

What do I need to do to get resolution to this issue?
by roadracer96
Sun Aug 26, 2012 2:39 pm
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

2 days of uptime, happened again... Still nothing from support.
by roadracer96
Sat Aug 25, 2012 5:22 am
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

Still regular disconnects. Actually had to reboot the router today to get everything going again.
by roadracer96
Thu Aug 23, 2012 8:45 pm
Forum: General
Topic: v5.20 released
Replies: 113
Views: 50163

Re: v5.20 released

bug in sstp??

Ticket#2012082266000094
Ongoing.

Happens a lot on my RB1000 w/ ~200 clients. Other times, the SSTP service just bombs out and nobody can connect until it's restarted. Been waiting on a fix for a looong time.
by roadracer96
Fri Aug 17, 2012 12:31 pm
Forum: General
Topic: v5.20 released
Replies: 113
Views: 50163

Re: v5.20 released

Very disappointed that no SSTP fixes made it into this release.
Have you actually tried it?
No, but there was nothing in the changelog.
by roadracer96
Thu Aug 16, 2012 4:49 am
Forum: General
Topic: v5.20 released
Replies: 113
Views: 50163

Re: v5.20 released

Very disappointed that no SSTP fixes made it into this release.
by roadracer96
Mon Aug 13, 2012 8:06 pm
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

Support has been in the router and installed some debugging package a week ago... That's the last I heard. SSTP has crashed several times since they installed the package, but they haven't got back to me yet... No response to emails...
by roadracer96
Thu Aug 09, 2012 2:18 pm
Forum: General
Topic: OpenVPN performance, throughput odd/bad.
Replies: 5
Views: 4986

Re: OpenVPN performance, throughput odd/bad.

For AES-256, 10mbit is expected.
by roadracer96
Thu Aug 09, 2012 1:32 am
Forum: SwOS
Topic: SwOS - Support for LAG/LACP/EtherChannel [SOLVED]
Replies: 2
Views: 6658

Re: SwOS - Support for LAG/LACP/EtherChannel [SOLVED]

On a 5 port switch?
by roadracer96
Wed Aug 08, 2012 2:27 pm
Forum: General
Topic: SSTP defaults to RC4
Replies: 5
Views: 2319

Re: SSTP defaults to RC4

That'd be optimal... AES would be much preferred over RC4. Just because Windows is fine with a mid-grade security doesn't mean ROS-ROS communication has to be stuck with it.. Right?
by roadracer96
Wed Aug 08, 2012 11:41 am
Forum: General
Topic: SSTP defaults to RC4
Replies: 5
Views: 2319

Re: SSTP defaults to RC4

We can't make use of TLS 1.1?
by roadracer96
Wed Aug 08, 2012 4:22 am
Forum: General
Topic: OpenVPN Tun/IP mode
Replies: 2
Views: 1840

Re: OpenVPN Tun/IP mode

That's a limitation of windows openvpn. Windows doesn't like point-to-point addresses on Ethernet cards and that is effectively what the openvpn adapter is.
by roadracer96
Wed Aug 08, 2012 4:10 am
Forum: General
Topic: SSTP defaults to RC4
Replies: 5
Views: 2319

SSTP defaults to RC4

Since 5.13, a change made will default ros sstp to rc4 unless the client doesn't advertise rc4. In a pcap of a handshake between ros and ros, the client advertises 4 ciphers, including aes256. The server responds back that it only supports rc4. I'd say we NEED an option on client and server side to ...
by roadracer96
Tue Aug 07, 2012 3:57 pm
Forum: General
Topic: Very high cpu usage with 20+ sstp clients
Replies: 17
Views: 6397

Re: Very high cpu usage with 20+ sstp clients

What is the total encrypted traffic you are pushing? RB1000 with 200ish clients and about 40-50mbit of traffic pushes 25-30% cpu. I can see an RB1200 sweating with 1/2 that traffic.
by roadracer96
Mon Aug 06, 2012 5:12 am
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

And again today, middle of the day, only about 1mbit of traffic on 200 connections. The tunnels I have on my 1100ah all stayed up. Def not an ISP problem. Had to disable SSTP server and re-enable, then every connection popped back up. Commented config.. You can see it really is stripped down to the ...
by roadracer96
Sun Aug 05, 2012 4:22 pm
Forum: RouterBOARD hardware
Topic: RB751U-2Hn frequent (daily) reboots
Replies: 111
Views: 86063

Re: RB751U-2Hn frequent (daily) reboots

I've got about 30 of em... In process of collecting them and sending them back. Worthless device. Pretty much don't work right unless you are within 20 feet of it. Have tried everything short of putting an external antenna on them (Not doing that, shouldn't have to). Even the 2 I have at my house are j...
by roadracer96
Sun Aug 05, 2012 1:57 pm
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

Re: RB1000 SSTP, major disconnect issues

It's not the ISP. It's in one of the top rated data-centers in the country. Gig uplink, and it'll pull that much if I transmit to multiple hosts simultaneously. I have 6 SSTP connections on a RB1100 on the same switch in the same rack in the same datacenter and they never drop connection. But there a...
by roadracer96
Sat Aug 04, 2012 1:52 am
Forum: General
Topic: RB1000 SSTP, major disconnect issues
Replies: 11
Views: 5756

RB1000 SSTP, major disconnect issues

Have gone back and forth with support a few times, sent multiple supouts and debug logs. Issue still persists. ~200ish SSTP tunnels to an RB1000, 5.18 and now 5.19, all 5.18 clients. RB450gs, 433ahs, 2011s... I run Amanda backup over the VPN links. So at peak load, it's running about 40ish mbit downl...
by roadracer96
Tue Jun 05, 2012 10:44 pm
Forum: RouterBOARD hardware
Topic: RB751-2HnD wireless problems
Replies: 14
Views: 6451

Re: RB751-2HnD wireless problems

I can confirm. Seems to work mostly fine as a standard AP, but I have LOADS of problems running it with virtual APs and WDS. Barely able to keep a signal, extremely bad ping times. Both with Ubiquiti and mikrotik on the client side. However, if I use a 751 as a client to a 411, it works flawlessly. ...
by roadracer96
Mon Dec 19, 2011 11:52 pm
Forum: General
Topic: IPv6 speed/weirdness....
Replies: 1
Views: 989

Re: IPv6 speed/weirdness....

Bump....
by roadracer96
Sat Dec 17, 2011 12:21 am
Forum: General
Topic: IPv6 speed/weirdness....
Replies: 1
Views: 989

IPv6 speed/weirdness....

OK.. Have a tunnel setup at a datacenter on an RB1000. Have some virtual machines behind that router. Speed tests to those VMs are what I would expect from a free ipv6 tunnel.. About 5mbit. Now.. I have an IPIP/IPSEC vpn going to several remote offices with a 6in4 tunnel going over that connection. I...
by roadracer96
Wed Aug 31, 2011 5:57 am
Forum: RouterBOARD hardware
Topic: RB450 Capacitors problem?
Replies: 121
Views: 60997

Re: RB450 Capacitors problem?

I really hope I don't start seeing this problem. I have about 80 450Gs I rolled out in the last 6 months. I don't think you will. This is the first RB450G that we have seen with bulging caps. I am hoping this is an anomaly. The 450G power circuit design is much different from the older RB450 power c...
by roadracer96
Wed Aug 31, 2011 5:43 am
Forum: RouterBOARD hardware
Topic: Poor quality of the capacitors in RouterBoards
Replies: 38
Views: 19363

Re: Poor quality of the capacitors in RouterBoards

So far, in the past 2 months, I've had a dozen 450gs, 3 433ahs, and 2 411ars die by this. I could care less about the 5 minutes of soldering or the 60 cents for replacement caps, it's the drive time and customer dissatisfaction. Solid routers. As long as the caps hold out. Would be at less than 1% f...
by roadracer96
Tue Mar 01, 2011 2:15 am
Forum: RouterBOARD hardware
Topic: RB-1100 Port problems, and performance problems
Replies: 61
Views: 24318

Re: RB-1100 Port problems, and performance problems

Yeah, I found the same thing. But only mangle rules that affect ether 11-13. And it SEEMS only mangle rules that have a queue acting on them.
by roadracer96
Sat Feb 26, 2011 9:20 pm
Forum: General
Topic: Connecting to internal Exchange server with external hostnam
Replies: 7
Views: 3590

Re: Connecting to internal Exchange server with external hos

Properly configured exchange handles this automatically...
by roadracer96
Wed Feb 23, 2011 4:18 pm
Forum: General
Topic: UDP Timeout Setting / SIP helper service
Replies: 3
Views: 4964

Re: UDP Timeout Setting / SIP helper service

I guess I don't see what you are getting at. One of my techs has a remote phone at his home office. Before we switched to running the VOIP over the VPN tunnels, if his PPPOE connection dropped and reconnected, his phone would simply reconnect to the PBX.
by roadracer96
Wed Feb 23, 2011 3:34 am
Forum: General
Topic: UDP Timeout Setting / SIP helper service
Replies: 3
Views: 4964

Re: UDP Timeout Setting / SIP helper service

I think I looked at it before and it detected the registration interval negotiated with the SIP connection. IE: If I changed it on my phones, it would change in con tracking. I can't remember for sure. I have all my phones set to 60 second keepalives and they always work.
by roadracer96
Fri Feb 18, 2011 4:07 pm
Forum: General
Topic: Problems with Router OS detecting L7 V5.0RC9 and others
Replies: 4
Views: 2168

Re: Problems with Router OS detecting L7 V5.0RC9 and others

Mathematically, it is more likely that there is a variable you aren't accounting for. Like the length of the stream, or maybe skype changing its stream further into a connection, or something like that.

Linux L7 filter/pattern matching works fine.
by roadracer96
Mon Feb 14, 2011 1:27 pm
Forum: General
Topic: how to block https://www.facebook.com
Replies: 23
Views: 36653

Re: how to block https://www.facebook.com

I'm totally agree with edified, the problem is web-proxy cannot block blocking facebook via https :( my co staff here at around 100 employees they have individual computers i don't want staff using facebook during office hours. thanks Yes it can. FORCE their computers to use the proxy directly, instea...
by roadracer96
Sun Feb 13, 2011 4:48 pm
Forum: General
Topic: RouterOS v5rc9
Replies: 108
Views: 19178

Re: RouterOS v5rc9

Well, when it happens, NO clients can connect. What kind of signal are you seeing when it happens, I'll check.
by roadracer96
Sun Feb 13, 2011 7:22 am
Forum: General
Topic: RouterOS v5rc9
Replies: 108
Views: 19178

Re: RouterOS v5rc9

What wireless mode are you running? 802.11? yes That is the problem, unless the MT guys have fixed it with the RC9 release the NV2 package won't run in 802.11 mode without the AP interface locking up after a random period of time. What happens is the AP will stop transmitting data, the clients stay...
by roadracer96
Sun Feb 13, 2011 7:18 am
Forum: General
Topic: mikrotik.com ipv6 problem?
Replies: 5
Views: 2034

mikrotik.com ipv6 problem?

I can only get to forum.mikrotik.com/www.mikrotik.com with ipv4.. ipv6 (At least via he.net) isn't working...

Only me?
by roadracer96
Sun Feb 13, 2011 7:17 am
Forum: General
Topic: How auteticate wired client
Replies: 7
Views: 2567

Re: How auteticate wired client

I would like to see 802.1x authentication on MT switchports. Would be a nice feature.
by roadracer96
Fri Feb 11, 2011 10:13 pm
Forum: General
Topic: Routerboard 1100 interface flabbing in Bridge mode and QoS
Replies: 3
Views: 2173

Re: Routerboard 1100 interface flabbing in Bridge mode and Q

I've narrowed it down. If you have a simple mangle rule that marks a connection and another mangle rule that marks packets associated with that connection, if those packets are forwarded through 11,12,13 and out another physical interface (not a problem over a vpn tunnel), it will flip-flop the port....
by roadracer96
Thu Feb 10, 2011 11:19 pm
Forum: General
Topic: RB1100 crashing/freeze when disconnecting cable from ether13
Replies: 11
Views: 2720

Re: RB1100 crashing/freeze when disconnecting cable from eth

Just got and installed a RB1100, and have found the same issues.... Anytime something is disconnected from ports 11-13 the rb1100 crashes and the only way to recover is by rebooting. Has there been any word from MT as to a solution for this? I was using port 13 to connect a laptop for administratio...
by roadracer96
Thu Feb 10, 2011 6:45 pm
Forum: General
Topic: Routerboard 1100 interface flabbing in Bridge mode and QoS
Replies: 3
Views: 2173

Re: Routerboard 1100 interface flabbing in Bridge mode and Q

Known issue on ports 11-13. 5 bucks says you can run just fine on ports 1-10.
by roadracer96
Thu Feb 10, 2011 4:16 pm
Forum: General
Topic: RouterOS v5rc9
Replies: 108
Views: 19178

Re: RouterOS v5rc9

IPSEC still no worky on RB1100. Works on RC7, but not 8 and 9. Doesn't matter really. I'm sending it back.
by roadracer96
Thu Feb 10, 2011 5:03 am
Forum: General
Topic: how to block https://www.facebook.com
Replies: 23
Views: 36653

Re: how to block https://www.facebook.com

If you really must do this, there is really only one good way.

Drop all outbound traffic and require people to use the proxy (configured in the browser).

Then the proxy can block HTTPS traffic.

Dropping traffic containing facebook won't do it, because you can't match content in an https connection.
by roadracer96
Thu Feb 10, 2011 1:03 am
Forum: General
Topic: 5.0rc8 IPv6 packets over IPv4 IPsec tunnel
Replies: 2
Views: 1972

Re: 5.0rc8 IPv6 packets over IPv4 IPsec tunnel

I just do a 6in4 tunnel over ipip ipsec.

Have tunnels going to 5 locations that way. Works great.

I wouldn't think ipv6 over ipv4 IPSEC would work. It tunnels ipv4, it doesn't transform ipv6 into ipv4.
by roadracer96
Tue Feb 08, 2011 12:27 am
Forum: General
Topic: Why wont check-gateway work for DHCP assigned internet acess
Replies: 10
Views: 5482

Re: Why wont check-gateway work for DHCP assigned internet a

/routing filter
add action=passthrough chain=dynamic-in disabled=no set-check-gateway=ping

Try that.

EDIT: You can change the distance under the dhcp client for that interface.
by roadracer96
Mon Feb 07, 2011 4:21 am
Forum: General
Topic: RB1100 crashing/freeze when disconnecting cable from ether13
Replies: 11
Views: 2720

Re: RB1100 crashing/freeze when disconnecting cable from eth

Mine doesn't crash, but link on 11,12,13 doesn't stay up. Ever. It flops every 5ish minutes. Been waiting 6 months on a fix.
by roadracer96
Sat Feb 05, 2011 4:39 am
Forum: Wireless Networking
Topic: Out Public IP from RB??
Replies: 5
Views: 1867

Re: Out Public IP from RB??

If you have a /28, you don't have 30. 32-28= 4 bits = 16 ips. Minus broadcast and network = 14, minus router ip = 13 usable.
by roadracer96
Sat Feb 05, 2011 4:34 am
Forum: General
Topic: Maximum Private IPs to srcnat to one public IP
Replies: 10
Views: 2599

Re: Maximum Private IPs to srcnat to one public IP

That's good to know! We started with an RB450 with an RB1100 on order. Things worked great! I tried putting in an RB1100 when it arrived. However, customers' links were getting dropped, Netflix movies would not stream, etc. All kinds of issues. With the RB450 back in place, everything worked smooth...
by roadracer96
Sat Feb 05, 2011 1:23 am
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Vlan is broken too. Or there is any special setting to vlan in rc8? After upgrade to rc8 all vlan stopped working. Downgrade to rc7 and all works again. Vlan is working on RB450G and RB1000 My test is on RB1100 only. FYI, I can't say if switch based vlan is working or not. I use interface/vlan.
by roadracer96
Fri Feb 04, 2011 9:33 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Vlan is broken too. Or there is any special setting to vlan in rc8? After upgrade to rc8 all vlan stopped working. Downgrade to rc7 and all works again.

Vlan is working on RB450G and RB1000
by roadracer96
Fri Feb 04, 2011 2:01 am
Forum: RouterBOARD hardware
Topic: RB-1100 Port problems, and performance problems
Replies: 61
Views: 24318

Re: RB-1100 Port problems, and performance problems

I just shot another supout to Mikrotik on 5.0rc7. Still getting the flapping ether11-13

I either need this working now, or a replacement RB1000

This is getting really old. Had the thing for 8 months now, reported the problem, they can't seem to fix it.

I have no use for this brick
by roadracer96
Fri Feb 04, 2011 12:25 am
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Intel 5100 ABG gets disconnected from R2N on RB433AH. Downgrading to rc7 works fine.
by roadracer96
Thu Feb 03, 2011 10:20 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Works on RB450g, RB433AH, with DHCP and with IPv6. Just not on my RB1100. Maybe it has to do with using a switch ether port for the internet connection?

Even my RB1000 works fine. I think it's RB1100 specific...
by roadracer96
Thu Feb 03, 2011 8:50 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Now it DID work on my RB450g via IPSEC, but that is a static IP in the router, not DHCP like my RB1100. Maybe that is the issue. IPSEC starts before the DHCP lease is there, then the IP is added and it doesn't want to listen on it? That would explain the error.
by roadracer96
Thu Feb 03, 2011 8:22 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

Just tried it again and NTP synced right away, but no IPSEC. IPSEC debugging showed this..

13:20:15 ipsec,debug ignore because do not listen on source address : 1.2.3.4

Where 1.2.3.4 is my wan address. Seems suspect.

EDIT: I do have IPv6 enabled on this router. Maybe that has something to do with it?
by roadracer96
Thu Feb 03, 2011 8:12 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

My RB1100 IPSEC stopped working to my RB1000. Just an ipip tunnel over ipsec. Never gets a valid SA. Haven't played with it too much, but it doesn't work. quick question - is the date/time on both routers correct? Didn't specifically check, but they were both set to sync via NTP to the same server. I ...
by roadracer96
Thu Feb 03, 2011 5:15 pm
Forum: General
Topic: RouterOS v5rc8
Replies: 110
Views: 28195

Re: RouterOS v5rc8

My RB1100 IPSEC stopped working to my RB1000. Just an ipip tunnel over ipsec. Never gets a valid SA. Haven't played with it too much, but it doesn't work.
by roadracer96
Thu Jan 27, 2011 2:41 am
Forum: General
Topic: IPv6 doens't create connect route, why?
Replies: 3
Views: 1261

Re: IPv6 doens't create connect route, why?

Hard to diagnose w/o the full IP... I'm just gonna guess that the :1:1::1/64 and :1:2::2/64 are really in the same subnet? At least tell us how many bits are left of the :: I don't have RC8 on my RB1000, but on RC7, it creates them as you would expect, even if it is in the same subnet on a different i...
by roadracer96
Mon Jan 24, 2011 5:28 pm
Forum: General
Topic: Block SIP
Replies: 3
Views: 1199

Re: Block SIP

95% of SIP devices use UDP, not TCP.

FWIW.
by roadracer96
Thu Jan 20, 2011 6:21 pm
Forum: General
Topic: v5rc7 released
Replies: 95
Views: 23212

Re: v5rc7 released

roadracer96,
thank you very much for the report.
The problem for /ip ipsec policy is fixed, the problem was for IPv4 addresses policies, the latest version fixes that.
5.0rc8 will contain ipv6 support for IPSec by the way.

Sweeeeeet.....
by roadracer96
Wed Jan 19, 2011 1:26 am
Forum: General
Topic: 5.0rc7 ISO installation without USB keyboard support?
Replies: 5
Views: 3037

Re: 5.0rc7 ISO installation without USB keyboard support?

Dunno for sure, but try enabling legacy usb support in the bios. This makes the USB keyboard emulate an 8042 port.
by roadracer96
Wed Jan 19, 2011 1:07 am
Forum: General
Topic: v5rc7 released
Replies: 95
Views: 23212

Re: v5rc7 released

FYI on 5.0rc8 posted above.. /ip ipsec proposal set default auth-algorithms=sha1 disabled=no enc-algorithms=aes-256 lifetime=30m name=default pfs-group=modp1024 /ip ipsec peer add address=1.2.3.4/32:500 auth-method=rsa-signature certificate=timhome1 dh-group=modp1024 disabled=no dpd-interval=disable...
by roadracer96
Tue Jan 18, 2011 7:47 pm
Forum: General
Topic: What external radius you use? Why?
Replies: 18
Views: 3379

Re: What external radius you use? Why?

fewi - re FreeRadius, good recommendation. But it does need a lot of time and work to make a usable front end for billing and user control. OK for geeks or those on a big budget to pay for a web developer! :-) Anyone using DaloRadius? I use FreeRADIUS/daloradius frontend. I don't bill for services, ...
by roadracer96
Fri Jan 14, 2011 1:04 am
Forum: General
Topic: Excluding host from getting proxied?
Replies: 7
Views: 1992

Re: Excluding host from getting proxied?

Dst-address-list=!somelist

Create a script that resolves those names to ips and adds them to an address list.

Problem solved.
by roadracer96
Thu Jan 13, 2011 11:48 pm
Forum: SwOS
Topic: Can't get VLAN scenario to work in 1.2
Replies: 6
Views: 5015

Re: Can't get VLAN scenario to work in 1.2

Same problem here on 1.4. Help! EDIT: OK, it works, but it's weird. RB493 ether9 vlan10,20,30,50 - ether1 RB250GS -ether2 vlan10,20,30,50 - ether1 vlan 10,20,30,50 RB411AR \ether3,4,5 native VLAN 20 On the 493, port 1 is WAN, ports2-6 are a switch group bridged to vlan10, ports 7-8 a switch group bri...
by roadracer96
Fri Jan 07, 2011 11:50 pm
Forum: RouterBOARD hardware
Topic: RB450G Gigabit problem
Replies: 11
Views: 7699

Re: RB450G Gigabit problem

I have a procurve 1800-24 and a couple RB450gs attached to it. They sync up at 1gbit no problem. Short cat6 cables, like 12"... But any reasonable distance should work.
by roadracer96
Tue Jan 04, 2011 6:23 pm
Forum: General
Topic: IPv6 TODO
Replies: 54
Views: 15115

Re: IPv6 TODO

we could make v5 full release in 2 months, and release v6 beta the day after that. just sayin Beta != Release ? Release means when something is available to the public. How stable or complete that release is, is another question. As you know, versions keep changing, and new features get added since...
by roadracer96
Mon Jan 03, 2011 5:44 pm
Forum: General
Topic: IPv6 TODO
Replies: 54
Views: 15115

Re: IPv6 TODO

we could make v5 full release in 2 months, and release v6 beta the day after that. just sayin

Beta != Release
by roadracer96
Mon Jan 03, 2011 3:14 pm
Forum: General
Topic: IPv6 TODO
Replies: 54
Views: 15115

Re: IPv6 TODO

12-18 months before ROS really supports IPv6 completely.
so and where did you get that number?
If you aren't doing IPv6 IPSEC until V6, and v5 has been testing for 9 months, with a few months to go until stable.

Just sayin....
by roadracer96
Fri Dec 31, 2010 3:52 am
Forum: RouterBOARD hardware
Topic: Router building
Replies: 3
Views: 1736

Re: Router building

Keep in mind, you will ONLY have wireless connectivity if you are using it as your firewall/router. There is only one LAN port.

Otherwise, they are good units. I have tons of them in the field. A simple 7db antenna will get you really good range.
by roadracer96
Fri Dec 31, 2010 12:10 am
Forum: General
Topic: IPv6 TODO
Replies: 54
Views: 15115

Re: IPv6 TODO

Is it possible for you to add a remove button to remove all the "Mikrotik HttpProxy" headers while you guys are at it? ;)

Should also allow you to disable exposing the address of the device being proxied (X-Forwarded-For header).
by roadracer96
Fri Dec 31, 2010 12:07 am
Forum: General
Topic: IPv6 TODO
Replies: 54
Views: 15115

Re: IPv6 TODO

Can't really say you support IPv6 without IPSEC functional.. IIRC, the IPv6 RFC required IPSEC capability... ;)

So realistically, we are looking at about 12-18 months before ROS really supports IPv6 completely.
by roadracer96
Fri Dec 31, 2010 12:00 am
Forum: General
Topic: v5rc7 released
Replies: 95
Views: 23212

Re: v5rc7 released

What is your configuration? Is it on bridge interface? What does radv logs say?

Yes, bridge interface. Haven't had a chance to look at the logs. It's almost NYE and I work in the hospitality industry = busy. ;D
by roadracer96
Thu Dec 30, 2010 4:45 pm
Forum: General
Topic: v5rc7 released
Replies: 95
Views: 23212

Re: v5rc7 released

I'm not getting an IPv6 Stateless address on my Win7 computer or my ipad.. I did on rc6 and rc5. Try to disable and enable IPv6 protocol on that interface in Windows 7. It is. In my office on 5.0rc6 it works. At home it worked on rc5 and 6. When I went to rc7 it stopped. On my iPhone, iPad, and on my...
by roadracer96
Thu Dec 30, 2010 1:43 am
Forum: General
Topic: v5rc7 released
Replies: 95
Views: 23212

Re: v5rc7 released

I'm not getting an IPv6 Stateless address on my Win7 computer or my ipad.. I did on rc6 and rc5.
by roadracer96
Wed Dec 29, 2010 5:31 pm
Forum: General
Topic: v5rc6 released
Replies: 107
Views: 26876

Re: v5rc6 released

SSTP is still new and really does nothing new compared with L2TP and PPTP etc. Wow. You might wanna watch what you say when comparing L2TP/PPTP to an actual secure VPN solution.. My post was about work arounds, SSTP offers nothing other than being simple, if you need secure stable VPN right now wor...
by roadracer96
Tue Dec 28, 2010 4:50 pm
Forum: General
Topic: v5rc6 released
Replies: 107
Views: 26876

Re: v5rc6 released

SSTP is still new and really does nothing new compared with L2TP and PPTP etc.

Wow. You might wanna watch what you say when comparing L2TP/PPTP to an actual secure VPN solution..
by roadracer96
Fri Dec 24, 2010 5:35 pm
Forum: General
Topic: v5rc6 released
Replies: 107
Views: 26876

Re: v5rc6 released

I can confirm the hotspot error 503.
by roadracer96
Fri Dec 24, 2010 4:16 am
Forum: General
Topic: v5rc6 released
Replies: 107
Views: 26876

Re: v5rc6 released

Can't add/edit ipv6 routes in winbox, only from cli. Gets an error.