MikroTik

FIPTech

Seems like Adlist is not supporting modern adlist file formats with domain wildcards. For example abp style domains. Seems like recent adlists are using a form of wildcards for domains to reduce the list size. For example OISD.NL is supporting those formats : oisd small https://small.oisd.nl (abp-st...

FIPTech

Thanks i'm going to try that. I was able to save the array to a file and compare it with a Wireshark capture. The data seems correct.

But probably not so easy to parse and manipulate to get the MAP-E tunnel settings because there is some bit level handling to do.

FIPTech

I would need to get the result of a DHCPv6 client request for option 94 (MAP-E container).

Is there a way to get that in a script ?

I'm able to successfully request this option through Option 6, and i get a correct answer from the server.

FIPTech

@Mikrotik are you going to add an auto-update feature to addlist function. My lists have updated twice in as many days. Would be great to be able to schedule it to fetch/look early in the morning etc. adlist updates every 1 hour, but in upcoming versions you will be able to change it Please add a W...

FIPTech

DHCPv6 client default route corrupted addition after reboot : The DHCPv6 client is not adding correctly the default route after reboot. (RB5009). In my case the DHCPv6 client is set on a VLAN interface, located on a VLAN aware bridge. Edit : this bug exhibit only if the DHCPv6 client is in address m...

FIPTech

Good work on this one. - LLDP-MED is now fully working thanks to the MAC/PHY TLS addition. - MTU do not reset to 1500 on bridge VLAN interfaces after reboot. But the DHCPv6 client seems to have a problem. In my case it is set on a VLAN interface, located on a VLAN aware bridge. After rebooting, the ...

FIPTech

I mean I did that but I didn´t find something about loopback Loopback is a word frequently used for those virtual interfaces, but it is not really meaningful. Because those interfaces are not really used for loopback but more to simplify routing or setup (router address, unnumbered IP, some IPsec s...

FIPTech

Here is a bridge filter NAT problem with Ros7.14RC2, RB5009. The following setup is a simple layer 2 NAT, to masquerade the MAC address of a client device. There are two rules for layer 2 src and dest NAT, and two rules to make an ARP fixer. One more rule to filter anything except IPv4 traffic from ...

FIPTech

@raimondsp, there is also I think the case where you need bridge filter rules, for instance my provider Orange in France require to set the COS to 6 for DHCP request, therefore I need to use a bridge port to set it on my rb5009 as the new-vlan-priority is not supported on this device as a switch ru...

FIPTech

AFAIK it's customary to have same MAC address in all VLANs handled by same hardware interface in many OSes. In addition: this is not a problem at all with IVL as all switches will build their FDB with triplets VID+MAC+port. This can be a problem with SVL when different VLANs take different paths (e...

FIPTech

Actually it is not possible to change the MAC addresses for VLAN interfaces on bridges. This can be a problem when a device external MAC address in a VLAN is the one that is used on the bridge and other bridge VLAN interfaces. This create a MAC address conflict. It should be possible with an Indepen...

FIPTech

I have a use case where i need a layer 2 NAT, to hide the mac address of a device. Layer 3 NAT is not possible in this use case because there is no L3 NAT helper for the protocol that needs to be nated. I was not able to do it inside the same router (RB5009 - Ros 7.14rc2). I tried to use the bridge ...

FIPTech

The only other tool I know of is Xbox networking app. Run the network tests, it'll show you the correct results. There is another tool that seems quite complete : punch-check. https://github.com/delthas/punch-check RFC 4787 defines several NAT properties and which are needed for hole-punching suppo...

FIPTech

Is there a correction for LLDP-MED ? In the beta it was missing Ieee 802.3 - MAC/PHY Configuration/Status. Without this option, LLDP-MED does not work, it is rejected by phones. The LLDP-MED standard (ansi-tia-1057) is asking for a mandatory MAC/PHY Configuration/Status TLV. The consequence is that ...

FIPTech

I've only seen this weird bridge problem only on MikroTik to begin with. See this thread for details: https://forum.mikrotik.com/viewtopic.php?t=204023 If you like Mikrotik prices, but would like an even better price / performance ratio, then use your experience, advanced knowledge, speed and smart...

FIPTech

IP WAN ports (like eBGP Transit, IXP port, PNI port, residential broadband DHCP, PPPoE etc) are meant to be independent PHY ports outside any bridge, if they need VLAN tagging on egress, you directly create layer 3 sub-interface VLAN on top of the port. This has been discussed ad nauseam. In all of...

FIPTech

The bridge interface MTU is 1700 (L2MTU 1704). Bridge ports members have a 1500 MTU except for the WAN SFP interface that have a 1704 MTU (1704 L2MTU). Then i have VLANs interfaces on the Bridge interface, for WAN and LANs. They all have a 1500 MTU (1700 L2MTU), except for the WAN VLAN that have a ...

FIPTech

I keep having the MTU reseting from 1700 to 1500 on a VLAN interface. 7.14 RC1. RB5009. The VLAN interface is on a VLAN aware Bridge (L2MTU = 1704 on the bridge interface). MTU = 1700 is accepted, then strangely revert to 1500 without any reported error. It's very annoying. I loose connectivity bec...

FIPTech

I keep having the MTU reseting from 1700 to 1500 on a VLAN interface. 7.14 RC1. RB5009. The VLAN interface is on a VLAN aware Bridge (L2MTU = 1704 on the bridge interface). MTU = 1700 is accepted, then strangely revert to 1500 without any reported error. It's very annoying. I loose connectivity beca...

FIPTech

https://forum.mikrotik.com/viewtopic.php?t=181922 Is it possible that bridge filtering in ros 7 is broken ?? I have some problems with bridge filtering. Ros 7.14RC1. I cannot get the VLAN matcher to work in the NAT chains, except if a previous rule did filter by source mac address and mark the pack...

FIPTech

I think that you are wrong. First, Ethernet header is 14 bytes, not 18. Second, Mikrotik L2MTU never takes into account the size of the Ethernet header, it takes only DATA + IP header + VLAN and eventual other encaps. It means that when the L2MTU is 1500 for example, you can have a max MTU of 1500, ...

FIPTech

RB5009 using RouterOS 7.14RC1 : When adding a VLAN interface on a bridge, it is not possible to have MTU = L2MTU. For example, if the available L2MTU is 1600 on the VLAN interface, then it is not possible to get a MTU of 1600. If i try to put MTU = 1600, then the interface revert to MTU = 1500 silen...

FIPTech

... However, gamer customers still report they see "moderate NAT" on Xbox and not open. ... If they have a forward accept rule for UDP traffic from WAN to LAN, or no firewall rules at all, and the two needed EIM / EIF rules in NAT then they should get open NAT. I did test on 7.14RC1. Some...

FIPTech

My setup cannot be simpler. I will not spend time for a drawing. two local sub-networks, on two different VLANs, routed through an RB5009, Ros 7.14RC1. Just that and default firewall rules to forbid WAN to LAN traffic and allow established traffic. Then another firewall forward rule to permit WAN to...

FIPTech

I've seen in the forum some complaints saying that IPv4 independent mapping and filtering NAT was not working. For memory, "endpoint independent mapping and filtering NAT", RFC5780, is a more modern name for the old RFC3489 "full cone NAT". It is a type of NAT where foreign IP ad...

FIPTech

Ok i tried it. Setup : two local sub-networks, on two different VLANs, routed through an RB5009, Ros 7.14RC1. Source NAT between the two sub-networks using endpoint independent NAT actions in src-nat and dst-nat chains. NAT Test rules.png On the "WAN" network, i started a STUNMAN version 1...

FIPTech

Ok, i'm going to try a new test with a local Stun server on a natted private subnetwork. If it's broken this will make another serious report and they will probably fix it. I will need some time nevertheless to setup a Stun server. If someone can do it faster than me it would be fine. I need it beca...

FIPTech

I tested using this: https://github.com/HMBSbige/NatTypeTester The software bugs have been fixed (I spoke to the developer of this software directly). MikroTik still fails the test. When I test on Juniper or Cisco, test passes just fine. I think MikroTik is failing to test this correctly. TCP/UDP B...

FIPTech

I don't know, seems flaky. Anyway, personally I use IPv6 everywhere, I stopped caring about NATs. How did you test ? Did you use a public Stun server ? I did test with a public Stun server and got the same results as you : endoint dependent NAT. But i'm skeptical, because Mikrotik said it's working...

FIPTech

Unfortunately LLDP-MED is rarely used, at least for small and medium telephony installation, because the hardware does not always implement it. I think the main reason is small and medium installations do not use VLANs at all, either for telephony or for other applications. Yes that's true. I've se...

FIPTech

Thank you very much for starting this thread: the topic seems very important to me. Yes it's an interesting topic. LLDP-MED simplify a lot telephony setups with autoprovisioning. It is specially important when there is more than a couple phones in the setup. It avoids the need of double boot for ph...

FIPTech

Thanks for the explanation. I think that i need to make things clearer. LLDP MED is practically non-operational on Router OS, but the real problem is not bridge port PVID = 1 or bridge port PVID = something else. The real problems are described in this summary thread which should be read before : ht...

FIPTech

Yes please create a bug report based on the thread below. Thanks a lot for the help you did provide as well other participants.

For reference, the summary thread :

viewtopic.php?t=203774

FIPTech

To conclude, the real problem is the missing MAC/PHY TLV. LLDP is working if port PVID is not 1. I thought that it was not working because when i did setup a different ID, this did cut the forwarding of the Procurve switch LLDP connected to the RB5009 on the same bridge. Then the phone was not able ...

FIPTech

Here is a new thread to summarize this one where i found some LLDP problems : https://forum.mikrotik.com/viewtopic.php?t=203637 I was able to detect 3 main problems during LLDP and LLDP-MED testing (RouterOS 7.14beta7 - RB5009). Some of them have been discussed before, but probably not enough, or no...

FIPTech

. I did find the problem. RouterOS does not include a 802.3 MAC/PHY TLV in its LLDP MED packets. The 802.3 MAC/PHY Configuration/Status TLV is mandatory for all LLDP-MED devices to both send and receive. This is clearly stated in the ANSI/TIA-1057- 2006 document. This TLV is defined inside the IEEE ...

FIPTech

A) The LLDP forwarding problem was detected two years ago : https://forum.mikrotik.com/viewtopic.php?t=182667 I think that the default should be filtering of the reserved LLDP multicast MAC address (01:80:c2:00:00:0e), even if (R/M)STP is disabled. And eventually give an option to disable the filter...

FIPTech

Wow, yup! I tested and that's indeed the case. As FIPTech said that its bridge had STP disabled, I suspect that is why he saw the LLDPDU on each port. Really something I wouldn't have thought of. Remains the question about the LLDP-MED network policy TLV which I do not see advertised in my tests. I...

FIPTech

Some observations might be explained with disabled (R/M)STP on the bridge. It is expected to forward reserved multicast MACs 01:80:C2:00:00:0X (LLDP, BPDU, etc.) when using " protocol-mode=none " setting. STP is disabled on the bridge. I will try to enable it and see if it stops to forwar...

FIPTech

... I think we have identified two issues here. MT's LLDP doesn't generate the MED TLV in the LLDPDU (ticket open) MT (7.14b7 on RB) bridges the LLDPDU I do not have a true tap device, but is is not really needed here to confirm those problems. A true TAP would be useful to watch for L1 problems bu...

FIPTech

I connected another auxiliary router for packet capture, and i did first discover something abnormal : LLDP announcement from every devices connected to the ports of the other router bridge are visible. This indicates that LLDP is switched and broadcasted between ports. I suspect that it's a bug. No...

FIPTech

OK. So you see the same when you change the VLAN of the port as I do when I set the discovery on the VLAN interface. I have the feeling that there is something I am missing but I can't quite point it. Can we do the following? With the discovery as it is, port with PVID1 and additional VLAN (4000) t...

FIPTech

I do. I will test later today with VLAN1 and VLAN10 to see if there is a difference. Meanwhile, if you issue "/ip/neighbor/print" to check that you see neighbors? I see the phones when their hybrid port are configured with VLAN 1 as untagged. As soon as i put a different VLAN ID LLDP does...

FIPTech

Still do not work with the Ethernet physical port in the discovery interface list...

I suspect that only the Default VLAN with ID = 1 can send LLDP MED.

Are you in a VLAN aware bridge too ?

FIPTech

You are probably right, LLDP needs low level access to the port, not the VLAN interface on it. I'm going to try that.

FIPTech

Yes the untagged guest VLAN for phones hybrid ports is VLAN-INVITE. And i have nothing else between the phones and the router. The phones are powered by the router POE ports. Your setup is a bit different because you are not using LLDP MED announcements. Could you enable lldp-med-net-policy-vlan on ...

FIPTech

Hi FIPTech, That's strange. Can you send your discovery settings and the interface lists members? Also and to confirm - your bridge is configured with vlan-filtering=yes , correct? /ip/neighbor/discovery-settings/print /interface/list/member/print Yes the bridge is a VLAN aware bridge. discover-int...

FIPTech

Edit : please read this summary and conclusion thread before : https://forum.mikrotik.com/viewtopic.php?t=203774 All the stuff below are the details that led to the final conclusions. PVID = 1 or not is not the culprit for LLDP-MED not working. Setup : RB5009, RouterOS 7.14beta7 I have some hybrid ...

FIPTech

Does someone know what is mode=strict for an interface in RIP protocol ?

FIPTech

I got an RB5009. I did put Ros 7.14beta7 on it and i did test an IPIPv6 tunnel on a vlan interface on the SFP. The internal MTU of the tunnel is 1500. (MTU 1700 in the parent VLAN) The result is not impressive. CPU2 is near 100% and 875 mb/s is the maximum speed i can get inside the tunnel. I though...

FIPTech

Were you able to test IPIP(v4) usage scenario where there is Fast Path allow-fast-path=yes to increase the performance? No, i do not have an IPIP(v4) tunnel to try that. My provider is IPv6 native, with an IPIP6 Tunnel for IPv4 Internet access. Nevertheless i did test the underlying native IPv6 spe...

FIPTech

I tried to disable the IPv4 route cache under RouterOs 6.49.11 on this RB3011. For IPv4 Internet access from a PC browser to a bandwidth test site, here is what i get on the IPIPv6 tunnel : With route cache enabled : download 371 mb/s upload 390 mb/s With route cache disabled : 303 mb/s 324 mb/s Thi...

FIPTech

Thanks for those advices. I did try RouterOS 7.12 a few days ago and it was the same heavy slow down problem as i got a few months ago. Not a slight 10% or 20% slow down that seems to be seen globally with RouterOS7 specially on old devices, but an heavy slow down to around 20 mb/s download speed. N...

FIPTech

... So if I understand you correctly you are using RouterOS v7.13 or newer on your RB3011 and in your configuration you have: bridge1 with ether1 to ether5 bridge2 with ether6 to ether10 SFP1 is not part of either of bridge1 or bridge2 there aren't any VLANs beside you are trying to use on SFP when...

FIPTech

This is very interesting but i do not think that the problem can be related to the QCA8337 switch chip setup because i'm using an RB3011. In this router the SFP interface is not in the switch1 or switch2 group. It is directly linked to the CPU1 through a 1 Gbps link. For LANs, i'm using the switch1 ...

FIPTech

Did someone test the speed available on a IPIPV6 Tunnel for RB3011, RB4011 and RB5009 routers ? (The IPIPv6 Tunnel will be used on the SFP Interface, on a VLAN) Actually i have a RB3011 that is limiting my IPv4 Internet access speed to around 350 mb/s. The CPU1 core is saturated at 100% by this Tunn...

FIPTech

Recently i did change my setup for Internet access. Previously i was connected behind a bridged provider Box through an RB3011 Ether1 interface, without VLAN. Using RouterOS 6.49.11. The Internet bandwidth was 940 mb/s download, 550 mb/s upload, for IPv4 and IPv6. It was the normal bandwidth of thi...

FIPTech

I know this is a old post, but I wanted to add to the collective knowledge.

...

Old things are like stones. They rock !

FIPTech

Very interesting, thanks for sharing this idea.

FIPTech

Same problem here when upgrading from 6.48.6 to 7.8 on my RB3011UiAS. Massive performance drop when routing from a vlan to another vlan. I've seen that with a proxmox vm backup to a SMB server located on another vlan. The connection speed was not stable, i got around 950 mbps before upgrade, and aro...

FIPTech

This has nothing to do with Mikrotik specifically, the same would be seen using a router from any other network vendor. It is well known that most Microsoft network drivers strip VLAN tags on ingress, so any tagged broadcast/multicast packets will also be delivered to the network stack rather than ...

FIPTech

. I faced a nasty problem after enabling IPv6 in a LAN with two subnetworks (main and guest networks, splited in two VLANs). I did use stateless IPv6 configuration on both subnetworks, advertised by a Mikrotik router. After doing that, i had a Windows 10 PC where i got two IPv6 addresses, one for ea...

FIPTech

To enable directed broadcast, you'll need to choose a free IP address on the destination Network, and map the Ethernet broadcast address on it (FF:FF:FF:FF:FF:FF). You can do this using ARP static entries inside Router OS. About this am interested in at least doing it this way. Can you provide for ...

FIPTech

Fist thing you cannot include access ports in a dynamic GVRP VLAN. And a dynamic VLAN cannot get an IP Address. You must make the VLANs you need on access ports statics before you can configure them and give them eventually an IP address. With this command : static-vlan <vlan-id> (do not forgot to i...

FIPTech

EVE-NG is using an older QEMU 2.12 version. GNS3 is using version 4.2.1. This could explain why NGS3 is not working here. But, i did test inside EVE-NG with QEMU 4.1.0 and it's working. Eventually QEMU 4.2.1 could still be the culprit but there is a bit more probability that the NGS3 VM is responsib...

FIPTech

Here is a spreadsheet to calculate the string needed for option 121 on a DHCP server. DHCP option 121 is for distribution of IPv4 classless static routes to clients or why not between routers. Mikrotik DHCP client support it. I did collect some important information about option 121 that are spread ...

FIPTech

Did someone test Router OS inside GNS3 (latest version 2.28) ? I have disconnects between Winbox on the Host and virtual QEMU Router OS VM inside GNS3. For example if i try to upload a file through Winbox on the host machine (Windows 7), i cannot get more than about 30 Ko transferred and Winbox is d...

FIPTech

Is there a summary somewhere for minor or major changes in the Traffic / Packet Flow for Router OS 7 ?

FIPTech

Watching a bit more in details whats going on a when a point to point link between two routers is broken, when using OSPF and /32 addressing with the same IP on all interfaces of the same router, here is what i saw in Router OS 6.49.2 : If the interface of the broken link goes down, there is no prob...

FIPTech

GNS3 is not able to simulate a layer 2 link loss. It's not a routeros issue. Not layer 2, but layer 1 link loss. If you check at L2 in GNS3, using ARP for example in a bonding interface, the broken link will be detected. So yes virtual environments cannot simulate a L1 link loss, but even with phys...

FIPTech

I was able to test this in GNU3 with 7.2r1, and can confirm same results. I researched it on the GNU3 forums and apparently it is a known limitation that even though you disable a interface on 1 router the other router still see's the link as up/up. I did test on GNS3 with Router OS 6.49.2. Same re...

FIPTech

I'll attempt to reproduce in gnu3. does you get the same results with 6.49? 7+ doesn't work in gnu3 (i believe it's a virtualbox problem) In GNS3 i think that Ros 7 is working, did you try Router OS in a QEMU VM ? What are you using for the GNS3 virtual instance ? Try to use Vmware player instead o...

FIPTech

I think that the problem does come from the emulation layer in EVE-NG : I suppose that the layer 1 physical Ethernet protocols are not emulated. (for exemple port speed negociation). This mean that when i disable the ether3 interface on R4, R1 ether3 interface does not see that the Ethernet link is ...

FIPTech

Sure, but the attacker will need level 2 access and the ability to forge some 802.2 packets. After that the GVRP packet structure is very simple, this is a list of vlans with their numbers. The culprit is GVRP not filtering correctly packets for him when STP is disabled in the switch. This mean that...

FIPTech

During a test session i did find a very nasty bug between Router OS and a Procurve Aruba 2530 switch. the kind of bug that can fully break an entire network. This is the first time i have a problem with STP, but this one is a big one ! I've heard some tech guys inside Datacenters complaining about S...

FIPTech

can you post the route tables in both the failed state and normal state. and also your test configs would help as well. Here is the setup (All routers are Router OS 7.2 rc1 CHR in a virtual machine EVE-NG. The administration virtual switch is a Mikrotik router, where a bridge with horizon settings ...

FIPTech

/32 Point to Point links are useful to reduce the consumption of IP addresses (a lot) for direct links between routers. Specially when using the same IP address for all interfaces of the same router. (concept similar to unnumbered IP address). Another advantage is simplification of the configuration...

FIPTech

I know this is very late to the party, but I had this issue driving me nuts as well. My setup gets an IPv6 prefix from my ISP and SLAAC works when I connect a PC via an ethernet cable, but not when I connect using a CAPSMAN managed AP. The solution for me was to set the multicast helper to full on ...

FIPTech

we have possible fix for this issue, that will be included in upcoming version.
I tested the bug on beta3 and it’s still there

Where did you get beta 3 ?

FIPTech

I believe there is even simpler way: /ip route rule add interface=vlan-mgmt action=drop I think that this does not forbid IP traffic from another subnetwork interface to enter in the Management Vlan interface IP address if i'm right. It does just block routed IP outgoing traffic from the router man...

FIPTech

I'm not using the default rules, i have a couple interface lists where i put subnetworks interfaces. I have lists for Backbones, Data Lans, Guests, Management, and so on. Then filtering in firewall is done so that each class do have separate forwarding capabilities. So in my case there is no problem...

FIPTech

For security reasons a Management Vlan should not be routable. There should be a setting for this in the router (and Mikrotik switches too) to avoid routing between other interfaces and the management VLAN interface. This is a security measure that protect the management VLAN from been accessible fr...

FIPTech

Please allow the use of user certificates for OpenVPN clients authentification. And allow to not use username and password. User login is optional with OpenVPN when user certificates are used. Some providers are now migrating to Wireguard but in the meantime some are still using OpenVPN with mandato...

FIPTech

Seems to me that L3 isolation for different clients is not enough. For example there is no Mac isolation, that mean that if a mac address is duplicated there can be problems. Arp attacks could be done too and there is no possibility to filter L2 broadcast storms. And this solution need firewall filt...

FIPTech

Same problem here. Seems like tls-auth or tls-crypt without user and password is something very common now; and considered as a better security than user and passwords. Allow the parsing of a .ovpn file for configuration would be a good thing to. What is the OpenVPN version used inside Router Os V7 ?

FIPTech

Why not use Port isolation in the switch chip settings ?

This is hardware filtering, so it does not take CPU time from the router, and is at L2 so probably more secure than L3 isolation.

Bridge horizon is another solution but is software only i think.

FIPTech

Adding the desired bridge ports interfaces in the discover address list, and removing the Bridge interface from this list does work. No more mndp traffic on the ISP port. Problem solved, but Mikrotik switch filter problem not solved. I feel that switch filters inside Router OS is mostly untested, un...

FIPTech

So if the "IPv6-only" uplink port is configured for hw=no on the relevant /interface bridge port row, it is well possible that this is the reason why the switch chip rule is bypassed. i did see that too, and i tried to enable and disable hardware offload to verify if the switch filter is ...

FIPTech

In your case, preventing all traffic with destination MAC address ff:ff:ff:ff:ff:ff and source MAC address of the ether3-... from being egress via ether3-... could be sufficient, but it requires that you create a static ARP record for the IPv4 WAN gateway and that you don't need DHCP I tried to fil...

FIPTech

Please post your config
/export hide-sensitive file=anynameyouwish

The problem is related to Winbox 3.27 as there is no problem with Winbox 3.18

FIPTech

The key here is that the switch chip rules are processed at ingress. Thanks a lot i did reverse the rule. Ingress processing ! We would need a clear diagram of the switch chip signal flow in the manual to avoid mistakes like this. With this in mind i'm able to filter traffic entering a physical int...

FIPTech

The blackhole bridge as a gateway for the traffic which must not leak is a safer way than any dynamically added/enabled firewall rule, as the packet processing in kernel is faster than any firewall rule modifications (which are done from userspace), so a few packets could often leak before the rule...

FIPTech

When using Ike2 with mode change, it is quite complicated to avoid LAN leaking to the internet when the IPsec peer is down. This is because the dynamic src-nat rule disappear when the peer is down, causing the LAN traffic to be routed unencrypted to Internet through the default route gateway. The wo...

FIPTech

I suspect MNDP may be sent directly from the member interfaces rather than from the bridge, which is why bridge filter cannot catch it (leaving aside that there were some endianness-related issues with bridge filter on some CPU architectures). Check which interface-list is configured as discover-in...

FIPTech

Since upgrade to Router OS 6.47.4 from 6.43.2, i'm not able to create switch rules and switch vlans with Winbox 3.27. (RB3011UiAS). I did upgrade to from Winbox 3.18 to Wonbox 3.27 at the same time. The rules or vlans are added but appear colored in red inside Winbox. If i use Winbox 3.18, then addi...

FIPTech

It seems that i'm not able to catch and drop mndp udp port 5678 broadcast traffic going out from an interface in a Brdige. mndp is enabled on this bridge because it is a Lan bridge, But there is a Wan interface in it to bridge IPv6 (hybrid setup where i need to route IPv4 and bridge IPv6 because the...

FIPTech

However, I'm not aware of any vendor's switch which would permit tagless frames to pass transparently through the switch without being made members of some VLAN, and you cannot e.g. specify an instance of MSTP to handle tagless frames along with some group of VLAN IDs. Thanks i see i'm not mad now....

FIPTech

I'm not sure i was clear enough. So lets take a simple example : 1) Create a Bridge 2) Put a port inside it, for example ether5. It will get PVID 1 by default. 3) activate vlan filtering on this bridge. This will create a dynamic vlan rule with bridge(cpu) and ether5 ports. You have now a bridge wit...

FIPTech

Good descriptions here but i know what a VLAN is, Q in Q, Cos in VLans, the internal structure of the frame, ingress and egress filtering, DHCP on vlans, inter vlan routing, VRF, MPLS, VPLS, and so on. What i'm saying here is that the Mikrotik implementation does not follow the 802.1q standard becau...

FIPTech

My test has been done on a Hap ac lite using Router OS 7.1 beta 2. Does this mean that untagged traffic should be moved to something else than 1 to allow Tagged traffic on port 1 ? In this case, for example, untagged traffic is moved to VLAN 1000 using PVID = 1000 And then a VLAN interface with VLAN...

FIPTech

According to the test i did it's not possible to use tagged traffic with vlan ID = 1 in a bridge using a VLAN filter setup. It is conflicting with untagged traffic that is using VLAN ID = 1 internally. As soon as we add an hybrid port with untagged traffic, the bridge create a dynamic vlan filter ru...

FIPTech

+1. Asked this a few years ago for SIP phones VLAN automatic selection.

FIPTech

Are there variables available to read DHCP client options in a DHCP server lease script ? I would need to read the User Class option (code 77), to break the iPXE loop when booting an iPXE client (chainloading from a TFTP boot file). https://ipxe.org/howto/dhcpd#pxe_chainloading This is to select the...

FIPTech

It would be nice in the meantime to have guidelines to optimize roaming with Capsman.

FIPTech

I think that some glue code is missing to get IPv6 multicast working with Capsman interfaces. Probably the multicast helper is IPv4 only. It has not been updated to work with IPv6. This explain why in your case IPv6 clients does not get an IPv6 address with auto-configuration. In my case i wanted to...

FIPTech

Are you able to dump a configuration from the ProCurve's showing a single port untagged for VLAN1 and tagged for VLAN1? I'd be extremely surprised if that is the case as well as confused as to how that isn't at the least causing the link to bridge traffic twice if not forming a loop. I know this is...

FIPTech

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time. you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?.. I think he means "have vlan 1 tagged on some port, and at the same time have some other vl...

FIPTech

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time. you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?.. I think he means "have vlan 1 tagged on some port, and at the same time have some other vl...

FIPTech

According to a simple test i've just done on a vlan aware bridge, it is not possible to use tagged vlan 1 and untagged traffic at the same time. As soon as a bridge vlan rule is set with vlan-ids=1 and bridge ports added as tagged, Winbox connection (connected on the bridge untagged vlan IP) is lost...

FIPTech

I think i would be interesting to have an option inside Winbox to automatically create a vlan rule on a brige when adding a vlan interface to it. This would create a vlan rule with the vlan id of the interface, including all bridge ports. Agree but winbox isn't alway possible to use. I still think ...

FIPTech

I think i would be interesting to have an option inside Winbox to automatically create a vlan rule on a brige when adding a vlan interface to it.

This would create a vlan rule with the vlan id of the interface, including all bridge ports.

FIPTech

FIPTech

Any way to enable STP / RSTP / MSTP logging ?

FIPTech

A couple problems seen during testing : 1) The new vlan aware bridge seems to broke ROMON function. I did loose ROMON router access after this problem did appear so i have no more information to share. This is to be confirmed, the root cause is perhaps another problem as i was testing RSTP. When i d...

FIPTech

I did some RSTP tests with a correct (i think) vlan aware bridge setup.

I was not able to get RSTP working correctly with an HP procurve 2520-8-G at the other side. Specially when Mikrotik (RB750G) is not the STP root.

Somebody did success ?

FIPTech

In my understanding native vlan is always untagged even on trunk port On cisco is 1 by default I used vlan 99 tagged to be my management vlan, but now on this new way I can't find PS My dot1q it is on my rb 450g where All vlan is set up on eth 2. And management ip is set to vlan 99 But I can't ping...

FIPTech

frame-types and ingress-filtering do not appear inside bridge details : [admin@MikroTik] /interface bridge> print detail Flags: X - disabled, R - running 0 R ;;; defconf name="bridge" mtu=auto actual-mtu=1500 l2mtu=1520 arp=enabled arp-timeout=auto mac-address=00:0C:42:70:13:66 protocol-mo...

FIPTech

Has the RouterOS behavior changed.. I havent tried it yes but this confusion has been discussed here: https://forum.mikrotik.com/viewtopic.php?f=2&t=115115&p=572377&hilit=pvid+0#p572377 Different vendros use different approach to native VLAN.. Yes, but regardless what is used internally...

FIPTech

Here is the article about new VLAN-aware bridge implementation: https://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_VLAN_Filtering A couple examples will be added and more information will be updated based on your feedback. Something is not clear to me for vlan-id=1, the default for PVID....

FIPTech

This puts you in the position someone like Cisco is in. Easy and consistent to configure across your platforms for layer 2. TLDR; consistency breeds confidence and confidence brings hardware sales. As soon as the GUI / Console gives a good understanding of the underlying technology, it's not a prob...

FIPTech

We can now make two bridges in the same switch group. For example (RB750G) : Ether2 and Ether3 -> bridge1 Ether4 and Ether5 -> bridge2 Ether2 to Ether5 are in the same hardware switch group. Does it mean that there is full level2 isolation between the two bridges ? Or not ? How is it managed interna...

FIPTech

RB750G (Atheros 8316 supported switch chip) : hw-offload does not seem to work : [admin@MikroTik] /interface bridge port> print detail Flags: X - disabled, I - inactive, D - dynamic, H - hw-offload 0 interface=VLAN-LAB-Ether2 bridge=bridge3 priority=0x80 path-cost=10 internal-path-cost=10 edge=auto ...

FIPTech

I am try /tool fetch url=(https://api.telegram.org/botXXX/sendMessagechat_id=YYY&text=test) check-certificate=no keep-result=no mode=https and receive error: failure: invalid URL protocol Syntax is not correct i think. Try this : /tool fetch url="https://api.telegram.org/botxxx/sendMessage...

FIPTech

Seems like there is a problem with msti bridge ID (mac address is wrong) : [admin@MikroTik] /interface bridge msti> monitor 0 state: enabled current-mac-address: 00:00:00:00:00:00 root-bridge: yes root-bridge-id: 0x6005.00:00:00:00:00:00 regional-root-bridge-id: 0x6005.00:00:00:00:00:00 root-path-co...

FIPTech

I've seen this after changing STP mode or changing STP priority. Disappear after router reset : Root bridge ID : 0x8000.00:00:00:00:00:00 The mac address should be the one of the admin-mac address of the bridge : 00:3C:97... This address is really sent in BPDUs, can be seen on a connected procurve s...

FIPTech

EDIT 2: I'm taking a break for a bit, I'm not seeing a way to configure MST instances yet Is it what your are looking for ? [admin@MikroTik] /interface bridge msti> print detail Flags: X - disabled 0 identifier=5 bridge=bridge3 priority=0x6400 vlan-mapping=4060 [admin@MikroTik] /interface bridge ms...

FIPTech

!) bridge - implemented software based MSTP (untested, undocumented, CLI only); !) switch - "master-port" conversion into a bridge with hardware offload "hw" option (undocumented, CLI only); Quite how you expect anybody to be able to understand or test this in any meanigful way ...

FIPTech

I have rb2011 with 2 to 5 ports in master-slave relations via "master-port". Also I had switch filter rule to limit broadcast packets to 5th port of this group flowing from other ports in this group (I have wifi access point on this 5th port and significant broadcasts on other ports). Wha...

FIPTech

bridge ports : point-to-point=auto detection does not seem to work. Duplex links (most frequent case) should be detected as point-to-point links. half duplex links (connected to a hub for example) should be considered shared links. from : http://www.cisco.com/c/en/us/support/docs/lan-switching/spann...

FIPTech

Enabling mstp on the interface used for management result in disconnecting Winbox (RB750G).

No other stp device in the network.

If safe mode is active it is not possible to enable mstp.

Enabling RSTP do not trig this problem.

FIPTech

I've just redo an IPv6 check. IPv6 seems to work behind Capsman forwarding. The router OS wifi client can connect to a global IPv6 address with this setup. But IPv6 does not work behind station pseudobridge. This mode is mandatory to bridge a device behind the wifi client. It does work with IPv4 onl...

FIPTech

Do you have an example config that isn't working? I've been using CAPSman with full dual stack for some time. I'm in the process of converting it all over to VPLS, but not forwarding IPv6 never popped up as an issue with me original config. nb Another question : Are you using station or station pse...

FIPTech

Do you have an example config that isn't working? I've been using CAPSman with full dual stack for some time. I'm in the process of converting it all over to VPLS, but not forwarding IPv6 never popped up as an issue with me original config. nb I don't have anymore this setup as i did add VPLS tunne...

FIPTech

We could think how to sync the APs that are on different frequencies but located on the same tower and connected to the same ethernet network. You could take some ideas from or use PTP (https://en.wikipedia.org/wiki/Precision_Time_Protocol) to synchronise the APs internal clocks over ethernet and h...

FIPTech

For this to work, there are two solutions : - the radio clock need to have an input for a sync reference, and a sync generator is needed to generate the sync carrier on the right frequency. - the radio clock need a VCO clock, voltage controlled oscillator, so that it is possible to adjust the trans...

FIPTech

To use radio to sync the AP is crazy if you have an interference on the channel (in dense urban area is very easy) you lost the slave or slaves..... GPS sync reduce interference on the tower, reduce interference beetwen the towers, allow dense deployment and the last but not least allow sync beetwe...

FIPTech

We could think how to sync the APs that are on different frequencies but located on the same tower and connected to the same ethernet network. You could take some ideas from or use PTP (https://en.wikipedia.org/wiki/Precision_Time_Protocol) to synchronise the APs internal clocks over ethernet and h...

FIPTech

In the recent v6 RC there is a new default firewall rule for IPv6 input filtering. /ipv6 firewall filter add action=drop chain=input comment=\ "defconf: rfc4890 drop ll if hop-limit!=255" dst-address=fe80::/10 \ hop-limit=not-equal:255 protocol=icmpv6 This is causing problems when pinging ...

FIPTech

Why should it be directorial, if you send traffic then you want to know if it has arrived and if not, retransmit. Inside router OS, a software bridge rule (a forward filter) is directional. It is effective only in the direction you did write it for. If you need traffic in the other direction, you n...

FIPTech

Something else i've just discovered : Switch Rules are not fully directional (to be confirmed). Example : Here is a set of two rules to restrict traffic between two switch ports : 0 switch=switch1 ports=ether1-sw1-Wan-TV vlan-id=100 copy-to-cpu=no redirect-to-cpu=no mirror=no new-dst-ports=ether5-sw...

FIPTech

I've always had some difficulties to setup hardware switches on Routerboards, even after reading in details the wiki about this, as soon as the setup is more complicated than enabling master port on some ports, to switch all ports of the group and get an interface and mac address for the switch grou...

FIPTech

Router OS do know the antenna gain (dBi), there is a setting for this. And it does take this into account when adjusting the TX power level if you are using regulatory-domain mode or Capsman. For APs with integrated antenna, antenna gain could even be hardcoded. In the end too much regulations is pa...

FIPTech

For Capsman provisionning, i think it would be useful to have a way to select interfaces by frequency band. So that we can give a name with the Band in it. For example, when provisionning a dual band HAP access point, we need actually to create two provisionning rules with selection by MAC address o...

FIPTech

With Capsman, it would be useful i think to have an option to automatically disable Radar detection when using low power level outdoor. Radar detection is not always reliable and can cause very long (sometimes some hours) AP detection times before interface is effectively enabled, specially when usi...

FIPTech

I bought recently an RB3011UiAS, and i was surprised to see that the switches (QCA 8337) were not able to set New Vlan IDs inside rules.

Are there any Routerboard routers supporting this feature in their switches ?

FIPTech

Now they just need to ad LLDP-MIB and LLDP-MED support and it will be complete :) Thoses MED informations do allow voice vlan auto selection on a phone : MED Information Detail EndpointClass :Class3 Media Policy Vlan id :70 Media Policy Priority :6 Media Policy Dscp :46 But LLDP-Med do allow as wel...

FIPTech

[ This would be a console command only anyway, and a console warning could be issued : "ageing-time=0 will disable mac learning. Are you sure you want to do this ?" interactive commands with user confirmation suck. cannot be automated properly. of course a system wide "confirm=yes&qu...

FIPTech

If it would allow 0, we would have mac learning disable capability. this is certainly a possibility. i just checked the corresponding code in kernel (net/bridge/br_fdb.c) and it seems to act so. there's a function called br_fdb_update and its first check is on whether there's a topology change, and...

FIPTech

In linux bridge using ageing-time=0 disable mac learning.

But the smaller value in Router OS is 10 seconds.

If it would allow 0, we would have mac learning disable capability.

FIPTech

Inside version 6.39 there is support for fast-forward (available in the console only). I suppose that it is mac-learning turned off, and perhaps a couple other optimizations at the code level. Router OS 6.39 : - bridge - added support for special and faster case of fastpath called "fast-forwar...

FIPTech

Inside version 6.39 there is support for fast-forward (available in the console only). I suppose that it is mac-learning turned off, and perhaps a couple other optimizations at the code level. Router OS 6.39 : - bridge - added support for special and faster case of fastpath called "fast-forward...

FIPTech

I have seen many problems blocking VOIP trafic as soon as there is NAT and redundant links. The solution is native IPv6 but we are still far from a global IPv6 world, specially inside the LAN. And some area are still mostly IPv4, for example the LTE / smartphones market where IPv4 is most of the tim...

FIPTech

LLDP-Med would be a nice addition for Voip, so that the voice VLAN can be automatically detected by phones. This is a switch feature. This is true for example for Mitel - Aastra phones that know how to get the voice vlan from LLDP. Probably other brands today have LLDP-Med support. Other phones need...

FIPTech

+1.

DHCP server name is very confusing because it does not have address distribution neither dhcp options support. Only prefix delegation support.

It is even more confusing because the Router OS DHCPv6 client has address support but this function can't be used with the server side.

FIPTech

Good point this will be simpler and faster. BGP_simple work but is very slow. From 15 minutes to 2 hours to load 500 000 prefix, depending about where you did write the command line to launch bgp_simple. From the console it is very slow, certainly because bgp_simple does not deamonize and need to wr...

FIPTech

Any planned ETA for ipv6 support ? When some low cost monitoring solution have IPv6 support since around 2011 and there is discussion if IPv6 should be enabled by default, Mikrotik does only have IPv4 support in 2017. https://support.zabbix.com/browse/ZBXNEXT-3752 According to what i've seen recentl...

FIPTech

Would be better to have something like this :

- off (default)
- on

or

- off
- on (default)

And give the possibility to change the global defaults.

FIPTech

There are many options inside Loop Protect settings for EoIPv6 tunnels.

Those options are normally related to TCP state reports in the Firewall connections.

Seen inside Router OS 6.39 and 6.40rc2

Is that a bug ? Or a side effect of Vodka ?

Loop-Protect.png

FIPTech

I have no experience with mpcie cards, the only lte modem i did test is a very common one, the Huawey E3372 USB. Regardless what i did, i was not able to disable the internal NAT of the modem. There are two firmwares for this modem. One with NAT, and the other without NAT. But the one without NAT do...

FIPTech

Where the default Router OS values can be set ? And if they are not settable, why do they exist ? I mean why do we have in the interface many fields with "default" instead of the actual set value ? Wouldn't it be simpler to remove all references to default values in the Winbox and Webfig i...

FIPTech

Seems to be similar to CSS Unicode backlash escaped (Hexa) encoding. So in fact the underlying encoding is ASCII.

For example "é" become \E9.

FIPTech

you could use Webfig as well to copy paste the script. Then if you need it for other routers, export the DHCP config using an SSH or Telnet console : /ip dhcp-server export file=dhcp-config.rsc Get this file through ftp for example, edit it to remove unuseful things with Notepad++ or similar editor,...

FIPTech

Yes i think you can just copy and past this inside the winbox dhcp server lease script window. I've just made a new try, what i said in the previous message is not fully exact. In fact the script does execute for a DHCP release. Here is a new version of the script, with DNS erase capability when a D...

FIPTech

Here is a script i did to update the DNS static entries from DHCP leases. You need to put it in a dhcp script lease. I have no answer for your script upload question. Router OS 6.39 at least is needed to get it working. Be careful if you use it on a large DNS set as it could remove entries. It is de...

FIPTech

Here is a slightly better script to add a DNS entry for each DHCP lease. Version 6.39 simplify the script thanks to the new lease-hostname variable. This one check for existence of static DNS entries with the same fully qualified domain names or same addresses and delete them before adding a new DNS...

FIPTech

@ ditonet Thanks, i did forget to put " " around the lease-hostname variable :( stupid error. So the final working script to write a DNS record for each IP lease : (note that this is a simplified script, it does not verify neither delete DNS multiple registrations and does not delete the D...

FIPTech

*) dhcpv4-server - added "lease-hostname" script parameter; Cannot get this variable to work. Other previously available variables are working. It would be useful if lease-scripts could execute when the IP is not renewed by the client, so that we can easily remove a DNS entry. I tried to u...

FIPTech

To make things clearer i did this : L1-MTU.png Carrier extension is only present for 1000 base-T. Up to 448 padding bytes are added for small packets. This mean that for a large number of small packets, the throughput is only marginally better than Fast Ethernet 100 Base-T !! So to get a good throug...

FIPTech

To complete this discussion : Hardware MTU = Ethernet Mac Header (14 bytes) + L2-MTU or for some manufacturers : Hardware MTU = Ethernet Mac Header (14 bytes) + L2-MTU + FCS CRC trailer (4 bytes) And the true level 1 hardware MTU is something like this : True Hardware L1 MTU = Ethernet Sync Preamble...

FIPTech

That's true, but getting the right knowledge about L2-MTU, MPLS-MTU and IP-MTU is a good start as soon as you get problems, so that you know where you need to look for and so that you can design simple tests to diagnose. For example i did start this basic MTU study because of a problem with a static...

FIPTech

Here is some background and comparison between Mikrotik L2-MTU and switches hardware MTU. There is a lot of confusion here because most manufacturers (except Mikrotik) do not explicitly describe how the hardware MTU is calculated. Some background : http://thenetworksherpa.com/ospf-master-the-mtu-mad...

FIPTech

DHCP Option 66 can be used for a host name or an ip address. In both case it is normally a string. If used for an IP address, according to what i'm used to, it is necessary to convert the IP address to a string. Using four hex values does not work, at least with Aastra phones. https://wiki.mikrotik....

FIPTech

I cannot get the 802.3 matcher working. To be able to enter a value in the SAP filed, i need to put a value in the mac protocol field. Strangely as well the SAP field of the matcher (i suppose that SAP mean DSAP + SSAP) is a 2 octets value (2 x 8 bits), but we can enter only a 8 bits value here. The...

FIPTech

According to some tests i did, Capsman interfaces used in forwarding mode do not allow IPv6 on the client. An ethernet client bridged to the wlan interface of a Mikrotik in stationpseudobridge mode do not work with IPv6 traffic. Finally the only way to get IPv6 on an ethernet client was to add an Eo...

FIPTech

Some interesting technical details and roaming tests with a 802.11r setup : http://revolutionwifi.blogspot.fr/2013/05/apple-ios-fast-roaming-with-aerohive-wi.html Another big player in the computer world, if not the biggest one, support fast roaming (Microsoft Windows 10) : https://msdn.microsoft.co...

FIPTech

+1 Capsman is very useful to manage access points but it could do a bit more than configuration only. 802.11r,k,v is mandatory nowadays. Modern very widely available WIFI clients like Iphones and Samsung Galaxy phones (since S4) are compatible since years. http://www.cisco.com/c/en/us/td/docs/wirele...

FIPTech

+1 to be able to put an LTE interface inside a bridge. But this will not remove the biggest problem, the NAT inside the LTE 4G modem. To remove that limitation we need bridge mode inside the modem, or IP passthrough. The USB LTE 4G modem i tried, a E3372h from Huawei, can't deliver the WAN ip addres...

FIPTech

A solution to add EtherSam (Y.1564), RFC2544 and OAM management capability would be to use smart SFPs on Mikrotik SFP enabled routers.

http://www.aimvalley.com/portfolio_item ... smart-sfp/
or
http://www.oesolutions.com/products/smartsfp/

FIPTech

Another thread here :

http://forum.mikrotik.com/viewtopic.php ... ic#p301027

FIPTech

how much NAT needs to be done before that gain is realized In a provider network, the latency should be kept at a very small value (ideally in the us range for each device), and even more importantly should be kept constant so that there will be no added jitter to packets. A hardware processing (so...

FIPTech

An IPv6 only bridge between the LAN and WAN would be a simple solution but i can't get it working. Something like this should work : ebtables -t broute -A BROUTING -p ! ipv6 -j DROP (from : http://ip6.fr/free-broute/ ) I did try to bridge IPv6 with an external switch using a per protocol VLAN but th...

FIPTech

I can confirm that this is a problem. One of my provider is delivering a single /64 and does not care about IPv6 routing. So it's not possible to get that working with RouterOS, even using 6.7 version. NDP proxying or IPv6 bridging seems the only solutions. I have another provider delivering a /48 (...

FIPTech

It seems to me that Winbox is using a non standard window management, bypassing normal Windows API. I reported this a long time ago and spent some time with AMM to find a solution without success. If winbox is non standard, well why not if it's more reliable / performant, but something simple could ...

FIPTech

According to what i've seen with NAT, it is always a difficult problem for VoIP if you have a failover gateway to access the public network. You have to manually erase (or using a script) the wrong connections after a gateway change, or the VoiP trunks can become dead after coming back to the primar...

FIPTech

You can do that with FreeBSD (PFsense do support this). It is sometimes usefull to disable connection tracking for some traffics, specially routed VoIP trafic when there are multiple failover gateways, to avoid ghost connections causing dead VoIP trunks. Without this option, a manual connection rese...

FIPTech

Nobody ?

FIPTech

A small correction : After checking more deeply, Router OS is deauthenticating before reboot. But the problem is that the PPPoE session for the provider DSL link is deauthenticated at the same time and because of this tunnel PPP sessions routed through the PPPoE link cannot be deauthenticated proper...

FIPTech

I'm trying to setup access ports on a RB750G. I want Ether3,4,5 to be access ports for VLAN100. VLAN100 is a VLAN interface on Ether2 Ether2 is a trunk port connected to an external switch So in the end i have : Ether2 = Trunk port with VLAN100, VLAN200, VLAN300 connected to an external switch. Ethe...

FIPTech

Seems like the AR8327 has problems with VLAN filtering / mangling. This could explain why VLAN filtering is disabled.

Would be better to revert to the AR8316...

FIPTech

The switch ship can VLAN tag and untag data on the ingress and egress of each port onthe 750'g.

You are wrong, that's not true for the RB750GL. The AR8327 chip cannot remove, add or change VLAN header. Very bad...

FIPTech

Be careful, AR8327 cannot use VLAN ID, VLAN priority, New VLAN ID inside rules. Cannot use as well leave-as-is, always-strip, add-if-missing in switch port setup. So you can't use this switch to convert acces ports to trunk, or anything related to VLAN manipulation like removing VLAN headers. Seems ...

FIPTech

Thanks for your +1 but i don't see it on my Karma :=(

FIPTech

For critical routers, those that must never go down more than a couple minutes, even if you do a mistake, or those located on very high towers / roof use a router with a serial port available on it. Then wire a cable to this serial port so that you don't have to go on the roof, and use that for corr...

FIPTech

Very often, peoples think that they can get a perfect VOIP quality with standard ADSL links using some magic with QOS rules. This is sometimes possible, but most of the time this is not possible. Because of DSLAM overload, transport overload, provider overload, DSL link stability problems, tier one ...

FIPTech

Router OS does not deauthenticate PPTP (or L2TP or PPPoE) links before reboot. As a result, the PPP server is waiting for a PPP timeout before to clear the PPP session. But most of the time, the client router is alive again before the timeout, and before that the PPP server has disable the server in...

FIPTech

I will not add anything to this difficult to edit list. It is now mostly unefficient because of its lenght and unorganized style. Something more modern is needed to manage feature requests. I prefer to discuss here those requests to that each one can participate and Mikrotik can have a better unders...

FIPTech

Yes this is working because your private L2 transport support a 1508 MTU, but it is out of standard. PPPoE links should be limited to 1492 MTU to follow the standard and avoid compatibility problems. According to RFC 2516 (PPP over Ethernet) : The Maximum-Receive-Unit (MRU) option MUST NOT be negoti...

FIPTech

PPPoE links are limited to 1492. Some CPE can even refuse to connect if the provider permit a 1500 PPPoE MTU. So most providers are following the standard and force the PPPoE MTU to 1492. In France, all big providers have an ADSL transport network MTU of 1500, so there is absolutly no possibility to...

FIPTech

no special requirements except that your hardware needs to be compatible, and that you'll need to buy a licence after the trial period, (one day if i remember well). You'll need to install it on HD from the CD if i remember well, this needs a full HD format. you cannot partition your disk. I don't l...

FIPTech

A 680 Mhz router with only one core is not powerfull enough to do this. The RAM quantity is not the problem. The processor speed is. Do not forget that on a software based router, all packets need to pass through the processor for routing, qos, firewall, and all other tasks like MLPPP framing. In th...

Search found 571 matches