Community discussions

Search found 177 matches

by blackmetal
Thu Aug 22, 2019 1:22 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

As i understand, CCR cannot route this amount of traffic to user due to linux kernel?
by blackmetal
Thu Aug 22, 2019 1:02 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

Hi
I am using latest version for both routerboot and ros
by blackmetal
Thu Aug 22, 2019 12:25 pm
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

connection tracking is disabled, and i have no ipv6 traffic, even bgp ipv6, and all traffic is ipv4
by blackmetal
Thu Aug 22, 2019 11:57 am
Forum: General
Topic: fasttrack or RAW is better for blocking ddos attacks?
Replies: 2
Views: 329

fasttrack or RAW is better for blocking ddos attacks?

Hello, I have a mikrotik ccr 1036 and most of my ddos attacks are on TCP/UDP and currently my connection tracking is disabled and i block destination hosts on RAW filtering to reduce cpu load. so i want to know whether this way saves more CPU usage for me or enable connection tracking and use fast track...
by blackmetal
Thu Aug 22, 2019 11:35 am
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

i sent an email to support@mikrotik.com but they suggested me some rules for fighting ddos, however i do not want to protect my customers from ddos attacks and i want to transit this traffic to them because we do not offer ddos protection service! so i do not know why does datasheet numbers are really...
by blackmetal
Thu Aug 22, 2019 11:32 am
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Re: Mikrotik CCR 1036 8G 2S+ Performance issue

This is really fantastic for me why datasheet numbers are different from production environments!
by blackmetal
Wed Aug 21, 2019 5:41 pm
Forum: General
Topic: import 2500 ip address list to mikrotik ccr 1036/1072 cause any issue?
Replies: 2
Views: 425

import 2500 ip address list to mikrotik ccr 1036/1072 cause any issue?

Hello,
I want to import a blacklist which includes 2500 ip addresses and add a rule in RAW chain to drop these source ips,
does having this amount of ip addresses cause any issue on performance?
thanks
by blackmetal
Wed Aug 21, 2019 7:41 am
Forum: General
Topic: Mikrotik CCR 1036 8G 2S+ Performance issue
Replies: 9
Views: 647

Mikrotik CCR 1036 8G 2S+ Performance issue

Hello, I have a mikrotik ccr 1036-8g-2s+ with about 10 filter rule and per your datasheet on https://mikrotik.com/product/CCR1036-8G-2Splus in routing mode with 25 filter rule 1036 can handle 1.5gbps bps and 3m pps but the issue here is when i receive DDOS attack my CPU usage is %100, the DDoS i rec...
by blackmetal
Wed Aug 21, 2019 7:26 am
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 811

Re: Moving rules from Filter to RAW cause better performance?

Have a look here: https://forum.mikrotik.com/viewtopic.php?f=13&t=149312#p735848 Thanks Buddy for guiding me! but i read that thread and it was like an argument between two persons, one of whom agreed with filter chain and the other agreed with RAW chain, but personally i agree with raw chain b...
by blackmetal
Wed Aug 21, 2019 6:03 am
Forum: General
Topic: question about CCR 1072 CPU
Replies: 3
Views: 530

Re: question about CCR 1072 CPU

So you mean if i run at 1200mhz, probably my device will fail sooner? I want to put it in a conditioned datacenter so airflow etc. is fine
by blackmetal
Tue Aug 20, 2019 8:48 pm
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 811

Re: Moving rules from Filter to RAW cause better performance?

Thank you for your comment,
Still waiting for other guys comments to choose best decision.
by blackmetal
Tue Aug 20, 2019 8:32 pm
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 811

Re: Moving rules from Filter to RAW cause better performance?

my connection tracking is disabled on my routers so there is no connection tracking. and my rules are only permit or deny so there is no complicated rules.
by blackmetal
Tue Aug 20, 2019 8:18 pm
Forum: General
Topic: Moving rules from Filter to RAW cause better performance?
Replies: 7
Views: 811

Moving rules from Filter to RAW cause better performance?

Hello,
I have a Mikrotik CCR 1036 and i have about 10 IP Filter rules on it, in some cases (like high pps) my cpu usage is around %70 so my question is if i disable all of my ip filter firewall rules and migrate them to RAW, will it cause better performance and reduce cpu usage?
Thanks,
by blackmetal
Tue Aug 20, 2019 8:03 pm
Forum: General
Topic: question about CCR 1072 CPU
Replies: 3
Views: 530

question about CCR 1072 CPU

Hello,
By default Mikrotik CCR 1072 CPU works at 1000mhz speed, if i change speed to 1200mhz, will i face any issue? and why does mikrotik set cpu speed to 1000mhz by default when we can use 1200mhz for better performance?
Thanks,
by blackmetal
Sun Aug 18, 2019 7:41 am
Forum: General
Topic: openvpn routes in client config not working
Replies: 0
Views: 221

openvpn routes in client config not working

Hello, i have configured openvpn in my ros and this is my openvpn client config : client dev tun proto tcp remote sub.domain.tld 1194 resolv-retry infinite nobind persist-key persist-tun remote-cert-tls server cipher AES-128-CBC auth SHA1 auth-user-pass #redirect-gateway def1 route 172.16.96.0 255.2...
by blackmetal
Sat Jul 13, 2019 6:39 pm
Forum: Forwarding Protocols
Topic: whats different between ip route blackhole and bgp blackholing actions?
Replies: 0
Views: 406

whats different between ip route blackhole and bgp blackholing actions?

Hello, For blackhole a /32 we add that /32 in bgp->networks then in our bgp filtering rules accept it with the community that our upstream give us, but i am curious whats the difference between this action with add that /32 with bgp-community and blackholing type in routing table, are both of them s...
by blackmetal
Wed Jul 10, 2019 8:33 am
Forum: General
Topic: watchdog timer cause reboot
Replies: 4
Views: 537

Re: watchdog timer cause reboot

Hello,
i have upgraded my routerboot firmware and it seems my problem is solved.
my router has been up for about 5-6 days now and it seems it was a bug between ros and routerboot firmware that has issue when sending watchdog signal to routerboot
by blackmetal
Mon Jul 08, 2019 9:08 am
Forum: Forwarding Protocols
Topic: question about bgp extended community
Replies: 0
Views: 321

question about bgp extended community

Hello, For 16 bit as number in inbound routing filter i am using set bgp community and for my upstream i am using bgp-communities so in this way i will only permit prefixes for my peers on their bgp session and does not permit whole prefixes for my outbound filtering again, so if i have a problem wi...
by blackmetal
Thu Jul 04, 2019 10:37 am
Forum: General
Topic: watchdog timer cause reboot
Replies: 4
Views: 537

Re: watchdog timer cause reboot

Thank you for your comment, but i have never any problem with stable versions, anyway, are we able downgrade routeros and firmware from 6.45.1 to 6.43.16 ? and whats your idea about this issue that i explained? in addition to all of them i have upgraded them to 6.45.1 because i as you know they were...
by blackmetal
Thu Jul 04, 2019 8:32 am
Forum: General
Topic: watchdog timer cause reboot
Replies: 4
Views: 537

watchdog timer cause reboot

Hello, 2 days ago Mikrotik announced 6.45.1 that they solved some security issues on that version and i have upgraded all of my CCR's to 6.45.1 but after upgrade one of my CCR1036-8G-2S+ to 6.45.1 it reboots suddenly twice in 3 days. and the log was this : router was rebooted without proper shutdown...
by blackmetal
Fri Jun 07, 2019 12:02 am
Forum: Scripting
Topic: question about traffic monitor scripting
Replies: 0
Views: 337

question about traffic monitor scripting

Hello,
i want to use traffic monitor feature but I need a script that checks received speed for an interface every 1 minutes or 30 seconds and if the speed of that interface was above than threshold for 1m or 30s then run some commands,
can anyone help me?

Thank you.
by blackmetal
Thu Jun 06, 2019 6:12 pm
Forum: Forwarding Protocols
Topic: main diffrence between weight & local pref?
Replies: 5
Views: 621

Re: main diffrence between weight & local pref?

Hello,
right now everything is clear and i understood.
just a question is there any way that set which peers first start to load and install routes and for example if that peer was not existed then load the second peer and install their routes in FIB?
thank you.
by blackmetal
Thu Jun 06, 2019 4:01 pm
Forum: Forwarding Protocols
Topic: main diffrence between weight & local pref?
Replies: 5
Views: 621

Re: main diffrence between weight & local pref?

Hello, actually i was using weight and when one of my bgp session died it takes about 5-10m for switch the outbound traffic to other peers but with local pref right now it takes about 2m , so in the speed i think local pref is winner, so I want to check with your guys if i am wrong in this case abou...
by blackmetal
Thu Jun 06, 2019 9:48 am
Forum: Forwarding Protocols
Topic: question about bgp full table from 2 different provider
Replies: 7
Views: 746

Re: question about bgp full table from 2 different provider

ah, single thread on mikrotik generated many issues! i hope they solve this in ros 7 as they already have this in their plan.
by blackmetal
Wed Jun 05, 2019 4:45 pm
Forum: Forwarding Protocols
Topic: main diffrence between weight & local pref?
Replies: 5
Views: 621

main diffrence between weight & local pref?

Hello, i know weight and local pref do same things for outbound routes, and weight is for cisco devices, but the question here is whats the main difference between them? when should we use weight and when should we use local pref? for example when you have 4m routes installed in your route table, us...
by blackmetal
Wed Jun 05, 2019 4:42 pm
Forum: Forwarding Protocols
Topic: question about bgp full table from 2 different provider
Replies: 7
Views: 746

Re: question about bgp full table from 2 different provider

when i change weight/local pref then it takes about 3-5m to update the weights because i have about 4m routes in my route table.
by blackmetal
Mon Jun 03, 2019 3:19 pm
Forum: Forwarding Protocols
Topic: question about bgp full table from 2 different provider
Replies: 7
Views: 746

question about bgp full table from 2 different provider

Hello, i have 2 different carrier on my router and i have set weight 350 for my first carrier and force it for my outbound traffic and set second carrier weight to 300 and i am receiving bgp full table from both providers. my problem here is when my bgp session with carrier #1 disconnect it takes abo...
by blackmetal
Sun Apr 28, 2019 3:50 pm
Forum: General
Topic: mikrotik power on hours
Replies: 6
Views: 491

Re: mikrotik power on hours

I want check how much this device worked, because its for my friend and he told me it worked for 2month so i want check if it really worked 2month or not
by blackmetal
Sun Apr 28, 2019 2:18 pm
Forum: General
Topic: mikrotik power on hours
Replies: 6
Views: 491

mikrotik power on hours

Hello,
i have a ccr 1072, can i check power on hours for this device? is there any way to do this?

Thank you.
by blackmetal
Sat Apr 20, 2019 9:27 am
Forum: General
Topic: question about advertised command
Replies: 0
Views: 193

question about advertised command

Hello,
i have many bgp peers and when i want see one of my prefix is advertising to which peers i will execute "routing bgp advertisements print where prefix =192.168.0.1/24" but it takes about 4-5 minutes at least. is there any command that process this faster?


Thank you.
by blackmetal
Fri Apr 12, 2019 2:01 pm
Forum: Forwarding Protocols
Topic: question about advertised route and memory
Replies: 0
Views: 337

question about advertised route and memory

Hello,
i have about 3m routes on my route tables so i want advertise them to a peer , now my question is when i advertise these routes to a peer they take memory ? or only when i receive route from a peer it makes my memory busy ?
thank you.
by blackmetal
Thu Apr 04, 2019 3:22 pm
Forum: The Dude
Topic: function for traffic monitoring for all devices
Replies: 0
Views: 434

function for traffic monitoring for all devices

Hello,
i have 5 CCR 1036 and i have about 200 vlans on every device i need a function that alert me when an interface exceed X mbps , i find some topics that explains this for 1 interface for index id but i need monitor all vlans, ethernet, bonding m....

Thank you.
by blackmetal
Thu Apr 04, 2019 10:01 am
Forum: The Dude
Topic: CCR CPU % monitoring
Replies: 2
Views: 534

Re: CCR CPU % monitoring

thank you so much!
do you have any idea how can manage traffic monitor in dude? i want dude monitor my uplink (its a ethernet port or somewhere bonding) and when exceed Xgbps inform me.
do you have any idea?
by blackmetal
Wed Apr 03, 2019 9:29 am
Forum: The Dude
Topic: CCR CPU % monitoring
Replies: 2
Views: 534

CCR CPU % monitoring

Hello,
how can i setup my dude software that check CPU % for my CCR's and when CPU usages was above %40 send an email to me or execute a file on my local server?
thank you.
by blackmetal
Fri Mar 15, 2019 9:19 pm
Forum: General
Topic: Feature request: BGP4-MIB (RFC 4273)
Replies: 32
Views: 5626

Re: Feature request: BGP4-MIB (RFC 4273)

+1 again and again.
i know when this feature release i may not alive but i hope my son can use this feature :D we request this many times. and we should monitor many peers with eyes or script!
by blackmetal
Fri Mar 15, 2019 8:03 am
Forum: Forwarding Protocols
Topic: bgp routing best practice for outbound?
Replies: 3
Views: 651

bgp routing best practice for outbound?

Hello, i have 3 upstream provider and i have 2 bgp session from each one (first session is master and second one is backup) and i have only 1 bgp session from 3rd provider. and i am receiving full bgp table from each one. i configured weight for each session as following : first provider with first ...
by blackmetal
Sun Mar 10, 2019 8:11 am
Forum: General
Topic: problem with connection tracking/RAW filering rules order after reboot the router
Replies: 0
Views: 193

problem with connection tracking/RAW filering rules order after reboot the router

Hello, i have a Mikrotik CCR 1036 8G 2S+ and i have disabled connection tracking and i saw there are rules like as following for keep CT in disabled mode https://s3.eu-west-2.amazonaws.com/blackmetal1/files/2019/03/winbox_wXsBNE7GMU.png now the issue is when i reboot the router the first 2 rules (fo...
by blackmetal
Tue Feb 12, 2019 7:39 am
Forum: General
Topic: problem with executing /export compact
Replies: 0
Views: 301

problem with executing /export compact

Hello, i have a mikrotik ccr 1016 12s 1s+ with 4 bgp peers with full routing bgp peer with each of them, now the issue is when i want backup my router with /export compact command after i execute this is show the configs until /ipv6 firewall filter step (after that it show /lcd command) then it wait...
by blackmetal
Sat Feb 09, 2019 9:42 am
Forum: Forwarding Protocols
Topic: qustion about local pref and multi path
Replies: 0
Views: 401

qustion about local pref and multi path

Hello, i have a mikrotik ccr with 6 bgp peers, 4 bgp peers is from out ip transit's and i am receiving full routing (bgp) table from them. 2 bgp session is over GRE tunnel. and i am receiving 1.1.1.0/24 and 2.2.2.0/24 (for example) from customers that have bgp with me over GRE tunnel. now sometimes ...
by blackmetal
Mon Feb 04, 2019 7:24 am
Forum: Forwarding Protocols
Topic: set bgp weight for bgp neighbour instead prefix ?
Replies: 0
Views: 340

set bgp weight for bgp neighbour instead prefix ?

Hello,
i want know is it possible that set weight per bgp neighbour instead prefix like cisco ? so for every prefix we do not use route map or route filter.

Thank you.
by blackmetal
Sun Feb 03, 2019 8:43 am
Forum: General
Topic: Mikrotik CCR 1016 12S 1S+ memory upgrade?
Replies: 0
Views: 355

Mikrotik CCR 1016 12S 1S+ memory upgrade?

Hello,
i have a Mikrotik CCR 1016 12S 1S+ and due to bgp table i need to upgrade memory to 4gb or 16gb so is it possible upgrade memory for this device?
if yes what brand do you suggest?
thank you.
by blackmetal
Fri Feb 01, 2019 9:13 am
Forum: General
Topic: CCR 1016 12S 1S+ with 4 BGP Peers with full table?
Replies: 0
Views: 335

CCR 1016 12S 1S+ with 4 BGP Peers with full table?

Hello, i have a CCR 1016 12S 1S+ and i have 4 BGP Peers on it, now i want receive full bgp table from all bgp peers (from that 4 bgp peers) and as you know ccr 1016 memory is 2gb so is it enough for manage this? and also i have a ccr 1036 12g 4s and it has 4gb memory and i have 2 bgp peers on it wit...
by blackmetal
Wed Jan 30, 2019 2:00 pm
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 847

Re: Problem while using VRRP between routers with BGP

Hi,
in bgp actions tab i looked for distance, there was nothing, and then i checked the actions and used set distance but no success.
thanks
by blackmetal
Wed Jan 30, 2019 10:00 am
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 847

Re: Problem while using VRRP between routers with BGP

Hello,
both of my routers have the same AS and established bgp with the same router of my carrier.
also i have ospf between my routers (not physically) but with vlan.
so how can i change distance?
thanks
by blackmetal
Wed Jan 30, 2019 8:34 am
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 847

Problem while using VRRP between routers with BGP

Hello, i have 2x CCR and both of them are connected to my provider same switch. and on both of them i have configured bgp and vrrp and both of them are announcing same prefixes. but the issue is incoming traffic is available on both router however i want only force traffic to my master router and if...
by blackmetal
Sun Jan 27, 2019 11:15 am
Forum: General
Topic: bulk update for interface with 180 VLANs
Replies: 1
Views: 308

bulk update for interface with 180 VLANs

Hi,
i have around 180 Vlans on my router i want move them from Ether1 to BondingInterface1 so is there any command for do this?
thanks
by blackmetal
Thu Jan 17, 2019 5:05 pm
Forum: General
Topic: Mikrotik VRRP question
Replies: 4
Views: 441

Re: Mikrotik VRRP question

as i read https://mum.mikrotik.com//presentations ... _Nikos.pdf there is no need for vrrp per interface~!
by blackmetal
Thu Jan 17, 2019 4:33 pm
Forum: General
Topic: Mikrotik VRRP question
Replies: 4
Views: 441

Re: Mikrotik VRRP question

are you sure this?
for 135 VLANs i should create 135 VRRP interface and set gateway for every vlan to vrrp interface? are you sure?
DC routers is not important for me, so whats the best practice for mikrotik redundancy ?
by blackmetal
Thu Jan 17, 2019 10:49 am
Forum: General
Topic: Mikrotik VRRP question
Replies: 4
Views: 441

Mikrotik VRRP question

Hello, i have a 2 ccr 1036 (1x 1036 8g 2s+ / 1x 1036 12g 4s) both of them are connected to my datacenter provider core switch and both of them are connected to same core switch in my network ( i have core fiber switch for my racks) we have same configs (bgp, vlan, rules,....) on both ccr 1036 and i ...
by blackmetal
Mon Jan 14, 2019 8:12 pm
Forum: General
Topic: question about VRRP
Replies: 0
Views: 245

question about VRRP

Hello, i have a 2 ccr 1036 (1x 1036 8g 2s+ / 1x 1036 12g 4s) both of them are connected to my datacenter provider core switch and both of them are connected to same switch. we have same configs (bgp, vlan, rules,....) on both ccr 1036 and i have around ~135 Vlans on first mikrotik and i have configu...
by blackmetal
Sun Dec 30, 2018 6:25 pm
Forum: General
Topic: Help about Mikrotik Redundancy (Not VRRP)
Replies: 0
Views: 259

Help about Mikrotik Redundancy (Not VRRP)

Hello, as you can see in graph i want put 2 separate router (1x ccr 1036-8g-2s+ & 1x ccr 1036-12g-4s ) with 2 separate core switch. and i have 4 rack . so my racks has 2 uplink, one of them is connected to first core switch and second one is connected to second core switch. also my routers have same co...
by blackmetal
Tue Dec 25, 2018 2:13 pm
Forum: General
Topic: strange problem with PBR rules
Replies: 0
Views: 202

strange problem with PBR rules

Hello, today i face a strange thing ... when i have create a mangle rule and use route action for change next hop it does not work however it already works. but when i mark routing and add static route to 0.0.0.0/0 with marked routes it works, can anyone help me why does not mangle rule with route a...
by blackmetal
Sun Dec 02, 2018 6:30 pm
Forum: General
Topic: question about no track action in raw firewall rules
Replies: 11
Views: 1033

Re: question about no track action in raw firewall rules

i do not want protect customers from ddos attacks and its not important for traffic arrives at customer services the only things is prevent router from high cpu usages.
so if i use ip firewall raw rules with no track and fast track connection in filter rules , do i get high cpu usages?
by blackmetal
Sun Dec 02, 2018 4:18 pm
Forum: General
Topic: question about no track action in raw firewall rules
Replies: 11
Views: 1033

Re: question about no track action in raw firewall rules

see for example when i receive 500k packets for a user on udp port 9987 my cpu load is around %80 then i block that ports in ip firewall -> raw filter then my cpu load will be %0 with same amount of data. right now whats your suggestions instead drop them for this? use no track / use fast track ? i wa...
by blackmetal
Sun Dec 02, 2018 2:25 pm
Forum: General
Topic: question about no track action in raw firewall rules
Replies: 11
Views: 1033

Re: question about no track action in raw firewall rules

I'm not sure what you want to achieve. By dropping the packet already using an /ip firewall raw rule, such dropped packet will never reach the connection-tracking phase so it won't generate the CPU load associated to connection tracking. If you just label it as no-track instead of dropping it, it w...
by blackmetal
Sun Dec 02, 2018 7:07 am
Forum: General
Topic: question about no track action in raw firewall rules
Replies: 11
Views: 1033

Re: question about no track action in raw firewall rules

is there anyway like no track except drop ? because most of my users have teamspeak server and while they are under attack i am drop udp 9987 towards their network so i want the dirty packets does not trigger mikrotik connection tracking and prevent cpu usages. whats the other way except black hol...
by blackmetal
Sat Dec 01, 2018 10:01 pm
Forum: General
Topic: question about no track action in raw firewall rules
Replies: 11
Views: 1033

question about no track action in raw firewall rules

Hello, i have a ccr 1036 8g 2s+ and in some cases that my users receive ddos attacks (for example too many new connections or around 500k udp) i should add a rule in ip firewall raw with drop action so that packets does not go through connection tracking table (my connection tracking in my mikrotik ...
by blackmetal
Tue Nov 06, 2018 3:11 pm
Forum: General
Topic: strange error on mikrotik crs 326
Replies: 0
Views: 227

strange error on mikrotik crs 326

Hello, i have a mikrotik crs 326 24g 1s+ under my ccr 1009 7g router and today i face a strange error.. suddenly my switch goes down and switch uplinks ports was not connected on my ccr router and also i did not have switch in my neighbour list because switch uplink ports that connected to my router...
by blackmetal
Sun Nov 04, 2018 1:45 pm
Forum: General
Topic: problem while pinging in layer 2 area from mikrotik to cisco
Replies: 0
Views: 237

problem while pinging in layer 2 area from mikrotik to cisco

Hello, i have connected all of my cisco switches by vlan in my floors to a rb750 for remote management but i have packet loss while i ping all of my cisco switches. this is the results: SEQ HOST SIZE TTL TIME STATUS 320 172.16.x.x 56 255 0ms 321 172.16.x.x 56 255 0ms 322 172.16.x.x timeout 323 172.16....
by blackmetal
Sat Nov 03, 2018 6:17 pm
Forum: General
Topic: rules order in raw firewall change
Replies: 11
Views: 760

Re: rules order in raw firewall change

they should not yes, but i have this issue and also they will be upper of dynamic rules in raw tab If you rules order has changed without your knowledge it means your system is compromised. I suggest that you NETINSTAL and start fresh. we have several ccr and all of them has same issue so its not r...
by blackmetal
Sat Nov 03, 2018 6:16 pm
Forum: General
Topic: rules order in raw firewall change
Replies: 11
Views: 760

Re: rules order in raw firewall change

how can i manage dynamic rules that be always top of my rules after restart?
by blackmetal
Sat Nov 03, 2018 3:04 pm
Forum: General
Topic: rules order in raw firewall change
Replies: 11
Views: 760

Re: rules order in raw firewall change

they should not yes, but i have this issue and also they will be upper of dynamic rules in raw tab If you rules order has changed without your knowledge it means your system is compromised. I suggest that you NETINSTAL and start fresh. we have several ccr and all of them has same issue so its not r...
by blackmetal
Sat Nov 03, 2018 1:13 pm
Forum: General
Topic: rules order in raw firewall change
Replies: 11
Views: 760

Re: rules order in raw firewall change

they should not yes, but i have this issue and also they will be upper of dynamic rules in raw tab
by blackmetal
Sat Nov 03, 2018 11:34 am
Forum: General
Topic: rules order in raw firewall change
Replies: 11
Views: 760

rules order in raw firewall change

Hello, we have some CCR 1036 and we have some raw firewall rules in our ccr's when we reboot the router or in such special case rules order will change. so is there anyway save rules order in raw firewall filtering? because i have some rules for block special ports and when the rules order change my...
by blackmetal
Sun Oct 28, 2018 1:33 pm
Forum: General
Topic: creating too many vlans cause any problem?
Replies: 7
Views: 647

Re: creating too many vlans cause any problem?

ok,
as i understand now, if i have 1k or 2k on my ccr 1036 it has no issue right?
by blackmetal
Sun Oct 28, 2018 8:11 am
Forum: General
Topic: creating too many vlans cause any problem?
Replies: 7
Views: 647

Re: creating too many vlans cause any problem?

1. i know i do not have 8k vlan or ports on a single router :D maybe i have max up to 1000vlans so your mean is if i have for example maybe K (thousands) vlans on a same router maybe winbox cause high load because it loads all interface in realtime , otherwise they work pretty fine, right? so we can ...
by blackmetal
Sat Oct 27, 2018 9:47 am
Forum: General
Topic: creating too many vlans cause any problem?
Replies: 7
Views: 647

Re: creating too many vlans cause any problem?

as i know it should not have any issues,
so mentioned that your isp first of the year has 1k users with one vlan per customer so about 1000vlans on a single ccr 1036 ?
then cpu utilization was around %10-20
its really good. but i will appreciate if others give me suggestion i want make sure of this.
by blackmetal
Sat Oct 27, 2018 7:37 am
Forum: General
Topic: creating too many vlans cause any problem?
Replies: 7
Views: 647

creating too many vlans cause any problem?

Hello, i have some CCR 1036 8G 2S+ and CCR 1036 4S so i want see if i create many vlans under my switch uplinks for example 500 or 1000 vlans , is it cause any problem such as high cpu usages ? i talk with some tech guys they told me add new vlan and having many vlans on your routers does not cause ...
by blackmetal
Sat Oct 20, 2018 9:43 pm
Forum: General
Topic: limit vpn users to certain ip address
Replies: 0
Views: 266

limit vpn users to certain ip address

Hello, i have setup a vpn server for my users for access their IPMI ip addresses so i am looking for way that limit every account username to a specific ip address my mean is for example when account X logged in then that account can only browse 1.2.3.4 and all other IPs blocked for that users. is t...
by blackmetal
Thu Oct 18, 2018 3:15 pm
Forum: General
Topic: Feature request: BGP4-MIB (RFC 4273)
Replies: 32
Views: 5626

Re: Feature request: BGP4-MIB (RFC 4273)

i remembered they have told me it will be release in ros v7 ... i really love mikrotik but feature request is not too much important :D most of time their team think what things are important for them and then develop them... right now we have about 104 peers and for monitor them we are doing them b...
by blackmetal
Sun Oct 07, 2018 8:54 am
Forum: General
Topic: question about romon discovery (forbid ports)
Replies: 0
Views: 303

question about romon discovery (forbid ports)

Hello,
i have about 250 Vlans under SFP+2 (i have ccr 1036) if i set romon port forbid for only SFP+2 interface so all vlans under this interface can not discover my router by romon?
because i want only specific ports can reach romon discovery and my clients can not do it,

thanks,
by blackmetal
Thu Sep 27, 2018 4:47 pm
Forum: General
Topic: strange error on mikrotik crs 326
Replies: 3
Views: 304

Re: strange error on mikrotik crs 326

it seems it was a bug, i have upgrade routeros to 6.43.2 and the problem solved,
by blackmetal
Thu Sep 27, 2018 4:31 pm
Forum: General
Topic: strange error on mikrotik crs 326
Replies: 3
Views: 304

Re: strange error on mikrotik crs 326

yes, all ports are member of bridge.
bridge mac is CC:2D:E0:D6:DD:E0
admin mac for bridge is CC:2D:E0:D6:DD:E0

ether5 mac is CC:2D:E0:D6:DD:E4
ether6 mac is CC:2D:E0:D6:DD:E5
by blackmetal
Thu Sep 27, 2018 4:22 pm
Forum: General
Topic: strange error on mikrotik crs 326
Replies: 3
Views: 304

strange error on mikrotik crs 326

Hello, i have a mikrotik crs 326 and today i face a strange issue with that, i have connected a server to ether6 and access it to vlan id 105 but interface ether5 was disabled from interface menu, my server that connected to ether6 can not reach my router and i have search many hours then for test i...
by blackmetal
Tue Sep 25, 2018 8:02 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

Re: question about transmit hash policy

thanks man, you helped me a lot,
as you said if i use a good cat 6 cable for my bonding interface and use balance rr i have no problem with out of order tcp transmission and have no problem with udp or other protocols right?

again thank you you helped me a lot
by blackmetal
Tue Sep 25, 2018 6:32 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

Re: question about transmit hash policy

you helped me a lot, i really thank you., and i think you have mistake i have up to 5gbps :D you told i am able use up to 5Mbps :D anyway thank you. and last question my friend is what will happen if one my slave port bandwidth will be full ? are the other packets drop ? or they will transmit from o...
by blackmetal
Tue Sep 25, 2018 5:48 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

Re: question about transmit hash policy

Hello,
in balance rr i think i will get retransmitting segments for tcp/ip so its better use layer2-layer3 transmit hash, so when layer2-layer3 transmit hash in enabled i do not have equal bandwidth like as balance rr but i can get throughput up to 5gbps , right?
thanks
by blackmetal
Tue Sep 25, 2018 2:19 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

Re: question about transmit hash policy

in addition to my last posts please http://prntscr.com/kyh2a1 1. when i have set layer2-layer3 transmit hash i see outgoing traffic balanced over active LAG ports, but sometimes i see one of the ports outgoing traffic is around 180mb and its not balance, when i check flow i see its from one src ip ...
by blackmetal
Tue Sep 25, 2018 1:31 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

Re: question about transmit hash policy

so my questions are : 1. right now can i have 5gb throughput from my brocade switch to mikrotik ccr 1016 ? You have configured your bonding mode=802.3ad. This means that "LACP balances outgoing traffic across the active ports based on hashed protocol header information and accepts incoming traffic ...
by blackmetal
Tue Sep 25, 2018 12:50 pm
Forum: General
Topic: question about transmit hash policy
Replies: 11
Views: 1369

question about transmit hash policy

Hello, i have a mikrotik ccr 1016 and i have connected 5 ports from mikrotik to a brocade 6450 and this mikrotik configs : Flags: X - disabled, R - running 0 R name="Cogent-Uplink" mtu=1500 mac-address=XXXXX arp=enabled arp-timeout=auto slaves=Ether1->Uplink,Ether4>Uplink mode=802.3ad primary=none l...
by blackmetal
Fri Sep 07, 2018 5:55 am
Forum: General
Topic: problem with outbound traffic between mikrotik and fortigate
Replies: 4
Views: 360

Re: problem with outbound traffic between mikrotik and fortigate

i hope you do not want just increase your post count :) 1.2.3.0/24 is sample and just search on forum then you will see many people use these kind of ranges as sample,
by blackmetal
Thu Sep 06, 2018 11:01 am
Forum: General
Topic: problem with outbound traffic between mikrotik and fortigate
Replies: 4
Views: 360

problem with outbound traffic between mikrotik and fortigate

Hello, we have establish GRE tunnel between a mikrotik and fortigate and we can ping both side of tunnel and we establish bgp over tunnel and announce a /24 to mikrotik now everything is ok and when i do packet capture i see incoming packets from GRE tunnel but they can not reach out from fortigate ...
by blackmetal
Tue Aug 14, 2018 7:57 pm
Forum: General
Topic: best software to monitor bgp peers?
Replies: 0
Views: 258

best software to monitor bgp peers?

Hello,
can anyone help me what is the best software for monitor BGP peers?
i know i can do it with scripts , netwatch and ... but we need a specific software like as observium or solarwinds but they only monitor peers by MIB and in Ros6 MIB for bgp peers is not available.

Thanks,
by blackmetal
Tue Aug 07, 2018 6:54 am
Forum: General
Topic: problem with ccr 1016
Replies: 0
Views: 274

problem with ccr 1016

Hello,
i have a ccr 1016 when i login to winbox i see port eth3 has R flag however
there is no cable plugged into that port and when i plugin port in eth3 and
plug other side to my switch, my switch show it as not connected,
whats wrong and how can i solve this?
thanks
by blackmetal
Tue Jul 24, 2018 10:08 pm
Forum: General
Topic: GRE tunnel not up!
Replies: 2
Views: 284

Re: GRE tunnel not up!

i just find the issue,
the issue was for keep alive , when i have disable that it works
by blackmetal
Tue Jul 24, 2018 9:55 pm
Forum: General
Topic: GRE tunnel not up!
Replies: 2
Views: 284

GRE tunnel not up!

Hi,
i have just setup a new CCR 1009 7g 1s 1s+ and add a first GRE on that but gre is down! i can not find the problem
can anyone help me?
thanks
by blackmetal
Tue Jul 24, 2018 11:28 am
Forum: General
Topic: ZeroDay Bug For Winbox! [24 April 2018] [SOLVED]
Replies: 3
Views: 732

ZeroDay Bug For Winbox! [24 April 2018] [SOLVED]

Hello, today we see unusual log on our mikrotik CCR's and we found https://www.bleepingcomputer.com/news/security/mikrotik-patches-zero-day-flaw-under-attack-in-record-time/ , so it seems there is a zero day bug for winbox and it does not have CVE yet, can i ask mikrotik support explain about this a...
by blackmetal
Fri Jul 06, 2018 8:14 pm
Forum: General
Topic: cpu usage problem with ccr 1009
Replies: 1
Views: 309

cpu usage problem with ccr 1009

Hi, i want a ccr 1009 7g 1s 1s+ and i have 3 simple firewall filter rules, 2 raw rules, 5x EoIP tunnel, 5x BGP Peers (we are announcing 7x /24 ), sometimes that we receive attack about 150k pps with 64 bytes over UDP our cpu usages will goes around %100, however in datasheet it supports too much mor...
by blackmetal
Fri Jul 06, 2018 8:05 pm
Forum: General
Topic: question about romon
Replies: 2
Views: 400

question about romon

Hi, i have 4 Mikrotik CCR in different location and all of them has difference upstream provider, can i establish L2 Tunnel on one of my CCR and then connect by romon over tunnel to them ? actually i want know does romon work over tunnel if remote location has problem in firewall rules or routing is...
by blackmetal
Tue Jul 03, 2018 9:37 pm
Forum: Forwarding Protocols
Topic: OSPF cause high cpu usage?
Replies: 1
Views: 466

OSPF cause high cpu usage?

Hello, i have 4x /24 private range and some other prefixes that i want advertise them in OSPF between my routers and i do not have lot update in my OSPF routes (maybe 1-4 update in a week) so i want know if i run OSPF between my routers is it cause more load for my router cpu ? my router cpu always ...
by blackmetal
Sat Jun 30, 2018 4:47 pm
Forum: General
Topic: question about limit option in firewall rules
Replies: 0
Views: 194

question about limit option in firewall rules

Hello,
i want use limit option in firewall rules that limit every vlan to 60k pps but when i choose all vlan and set limit option to 60k it calculate all vlan pps, how can i do this per vlan ? i should create rule per vlan ?
i have around 140 vlans if i create 140 rules mikrotik surely die!
thanks
by blackmetal
Fri Jun 29, 2018 7:29 pm
Forum: Beginner Basics
Topic: bridge filter reduce performacne on crs 326 ?
Replies: 7
Views: 751

Re: bridge filter reduce performacne on crs 326 ?

ok last question is if i use scripts with scheduler that run script every 10 or 15 seconds (that script only check pps on each interface and shutdown them for 2m if they have more than X pps) is it cause high cpu usages or not ?
thanks
by blackmetal
Fri Jun 29, 2018 7:02 pm
Forum: Beginner Basics
Topic: bridge filter reduce performacne on crs 326 ?
Replies: 7
Views: 751

Re: bridge filter reduce performacne on crs 326 ?

ok understood,
other features like snmp or bonding or such feature does not cause lose performance?
by blackmetal
Fri Jun 29, 2018 6:32 pm
Forum: Beginner Basics
Topic: bridge filter reduce performacne on crs 326 ?
Replies: 7
Views: 751

Re: bridge filter reduce performacne on crs 326 ?

hi, i have following options enabled : 1. bridge enabled with no filters 2. no ip firewall rules 3. just create some switch rules 4. snmp enabled so in this case hardware switching works with no problem ? also i have these rules in my switching tab : 0 switch=switch1 ports=Eth2->VPS-KVM1 src-address...
by blackmetal
Fri Jun 29, 2018 4:36 pm
Forum: Beginner Basics
Topic: bridge filter reduce performacne on crs 326 ?
Replies: 7
Views: 751

bridge filter reduce performacne on crs 326 ?

Hello,
i have a mikrotik crs 326 so i want add 4-6 filter rules if i use bridge filter rules i should expect ethernet result as show on https://mikrotik.com/product/CRS326-24G-2SplusRM ?
thanks
by blackmetal
Wed Jun 27, 2018 10:25 pm
Forum: General
Topic: fasttrack connection question
Replies: 3
Views: 325

Re: fasttrack connection question

understood.. but in first step when i have enable fasttrack connection rule i see no save on cpu usages! i send test udp flood to outside and my cpu usages will be like as old. it was hug around %10 on a ccr 1036
by blackmetal
Wed Jun 27, 2018 9:02 pm
Forum: General
Topic: fasttrack connection question
Replies: 3
Views: 325

fasttrack connection question

Hello, i want enable fasttrack connection for my forward chain but i want add many ip addresses that not included in fast track and add a rules that drop those ips in next rules, so in this way does fast track work? and can i have better cpu performance? this is the rules i have : 0 D ;;; special du...
by blackmetal
Tue Jun 26, 2018 8:12 pm
Forum: General
Topic: crs 326 scripting cause reduce performance?
Replies: 0
Views: 203

crs 326 scripting cause reduce performance?

Hello, i want add a script on my crs 326 that check all ports every 10 or 15 seconds and if any port use more than X unicast pps disable that port and after X minutes enable port again, i want know if i add this script with one scheduler can i have full wire speed and layer 2 performance as you writ...
by blackmetal
Tue Jun 26, 2018 1:16 pm
Forum: General
Topic: firewall rules not work for some specific reason
Replies: 10
Views: 709

Re: firewall rules not work for some specific reason

understood,
if i want have limited traffic on vlan10 i should limit traffic on the switch right? so the traffic does not reach VLAN10 and CCR does not process it ? in any other way traffic should reach vlan10 right?(when traffic reach vlan10 i can decide drop or forward it right?)
by blackmetal
Tue Jun 26, 2018 7:17 am
Forum: General
Topic: firewall rules not work for some specific reason
Replies: 10
Views: 709

Re: firewall rules not work for some specific reason

hi, yes my router route in and out ... this is my topology My Upstream -> ETH1-Uplink <-> My CCR 1036(it has bgp too) <-> VLAN10(for dedicated server) <-> ETH2-SwitchUPLINK<-> CRS326/Brocade <-> ETH10/User-Dedicated-Server so when i used that firewall rules i have same amount of pps on VLAN10 on my ...
by blackmetal
Mon Jun 25, 2018 12:24 pm
Forum: General
Topic: firewall rules not work for some specific reason
Replies: 10
Views: 709

Re: firewall rules not work for some specific reason

i have no fasttrack rule all of them are for mikrotik built in fast track and yes i move my rules at first lines above all other rules and issue exist yet,
by blackmetal
Mon Jun 25, 2018 11:49 am
Forum: General
Topic: firewall rules not work for some specific reason
Replies: 10
Views: 709

Re: firewall rules not work for some specific reason

i have tried that now! and set source ip but still i have same amount of pps on my vlan
by blackmetal
Mon Jun 25, 2018 7:47 am
Forum: General
Topic: firewall rules not work for some specific reason
Replies: 10
Views: 709

firewall rules not work for some specific reason

Hello, i have 2 rule and they are : 6 chain=forward action=accept src-address=x.x.x.x dst-limit=4000,20,src-address/1m log=no log-prefix="" 7 chain=forward action=drop src-address=x.x.x.x log=no log-prefix=" so when i start send flooding with hping from x.x.x.x to the internet i see 60k PPS on that ...
by blackmetal
Sun Jun 24, 2018 7:02 pm
Forum: General
Topic: ip firewall limit option problem
Replies: 0
Views: 187

ip firewall limit option problem

Hello, i have limit a VLAN on my router to 4000 packets per seconds with 10 burst but my problem is when i have enable this rule on my router and send test packets with hping3 i have around 40k pps on that vlan but i do not have that amount of pps on my uplink and when i have disable that rule i hav...
by blackmetal
Sun Jun 24, 2018 9:53 am
Forum: General
Topic: Feature request: BGP4-MIB (RFC 4273)
Replies: 32
Views: 5626

Re: Feature request: BGP4-MIB (RFC 4273)

+1 for this feature!
we really need this feature asap. if you can implement it in ros 6 it will be very very very good .
because we have lot bgp session that we need to monitor them and for this reason we use 2 different monitoring!
by blackmetal
Fri Jun 22, 2018 9:27 am
Forum: General
Topic: crs326-24g-2s+rm traffic storm
Replies: 9
Views: 913

Re: crs326-24g-2s+rm traffic storm

understood,
so if i use routeros and use only switch tab i have full performance and if i use firewall rules or etc my performance will degree, right?
by blackmetal
Fri Jun 22, 2018 8:43 am
Forum: General
Topic: crs326-24g-2s+rm traffic storm
Replies: 9
Views: 913

Re: crs326-24g-2s+rm traffic storm

but when i send an email to support@mikrotik.com and ask them what performance do i get if i add 4-5 firewall rules, they told me i should expect ethernet result on datasheet so its too much low , so are you sure there is no difference in performance between routeros and swos ? because i need to use...
by blackmetal
Wed Jun 20, 2018 11:31 pm
Forum: General
Topic: crs326-24g-2s+rm traffic storm
Replies: 9
Views: 913

Re: crs326-24g-2s+rm traffic storm

hi,
just another question if i use swos or routeros on crs326 it cause any difference on speed performance?
thanks
by blackmetal
Wed Jun 20, 2018 2:36 pm
Forum: General
Topic: crs326-24g-2s+rm traffic storm
Replies: 9
Views: 913

crs326-24g-2s+rm traffic storm

Hello,
i want buy a crs326-24g-2s+rm but i need to limit known/unknown unicast,multicast,broadcast traffic to X% and if exceed more than this limit or drop it,
i see some article on wiki.mikrotik.com but it seems it can only limit unknown unicast, can anyone help me regarding this?
thanks
by blackmetal
Mon May 14, 2018 10:38 am
Forum: General
Topic: connect to winbox by mac in windows server with 2 NIC
Replies: 0
Views: 186

connect to winbox by mac in windows server with 2 NIC

hello, i have a windows server with 2 NIC the first NIC connected to internet with default gateway and the second NIC connected to my CCR->Ether8 and third NIC connected to our private network so if i lost access to my ccr i will connect by private network and i want connect to winbox by mac address b...
by blackmetal
Wed Apr 18, 2018 8:34 am
Forum: General
Topic: vrrp and bgp
Replies: 1
Views: 379

vrrp and bgp

Hello, 1. i have a colocation service with a datacenter and i have 2x mikrotik router and i have around 50 VLANs on my router and i have bgp session with my upstream so the question is many of my users gateway is the ips that i have set for their VLANs so i can not set 192.168.1.10/32(for example) o...
by blackmetal
Mon Apr 09, 2018 2:22 pm
Forum: Forwarding Protocols
Topic: announce private ip over bgp or ospf
Replies: 2
Views: 447

announce private ip over bgp or ospf

Hello, i have 3x private /24 and i want announce them between my routers and right now i am doing it with BGP so i want know the best way is announce it over BGP or create OSPF connection and do it by OSPF ? in my iBGP's i have announce my 3x private ip + some /32 ips so whats your suggestion and wh...
by blackmetal
Tue Feb 20, 2018 7:42 am
Forum: General
Topic: hwo to detect fan failure on CCR ?
Replies: 0
Views: 256

hwo to detect fan failure on CCR ?

Hello,
i have a ccr 1016 when i set main fan = main it set fan to auxiliary fan , so it means my main fan failed?
and how can i detect my fan is failed exactly?
and if i open ccr chassis and swap the fan with mikrotik OEM fan are they enough ?
thanks
by blackmetal
Sat Feb 17, 2018 2:15 pm
Forum: General
Topic: interface bonding with SFP+ and Ethernet
Replies: 1
Views: 366

interface bonding with SFP+ and Ethernet

Hello,
i need to make a lacp (bonding) with 1x SFP+ and 2x (1G)Ethernet ports so i want know is it possible that lacp 1x SFP+ and 2x (1G) Ethernet ports on mikrotik ccr 1036 8g 2s+ ?
my next side has cisco nexus 4948 for this,
thanks
by blackmetal
Thu Feb 15, 2018 9:12 am
Forum: General
Topic: problem with fan rpm on ccr 1016
Replies: 1
Views: 340

Re: problem with fan rpm on ccr 1016

it seems everything is fine because i see some times (when hardware wants switch between main and auxiliary fan) no fan working for around 30seconds and in this 30seconds cpu temperature and system temperature is static and have no change. and i check cpu temperature for last 2 years its always on 5...
by blackmetal
Thu Feb 15, 2018 8:48 am
Forum: General
Topic: problem with fan rpm on ccr 1016
Replies: 1
Views: 340

problem with fan rpm on ccr 1016

Hello,
i have a ccr 1016-12g today i see fan2 speed is around 700rpm-1500rpm i have attach graph for my fan speed and system health,
is the fan healthy ?
and is it normal that working in this rpm ?
graph is for past 1 year.
thanks
by blackmetal
Sat Dec 30, 2017 6:06 pm
Forum: General
Topic: connect 2sfp+ to CCR1009-7G-1C-1Splus ?
Replies: 2
Views: 321

connect 2sfp+ to CCR1009-7G-1C-1Splus ?

Hello,
i have a CCR1009-7G-1C-1Splus and i have a sfp+ uplink and i need a sfp+ uplink for my switch , do you have any idea how can i connect 2 sfp+ to CCR1009-7G-1C-1Splus without swap it with other brands?
thanks
by blackmetal
Mon Dec 18, 2017 5:34 pm
Forum: General
Topic: RB3011 port disconnect and connect and not working normally!
Replies: 0
Views: 173

RB3011 port disconnect and connect and not working normally!

Hello, today i face new issue and it was all connected devices to port 1-5 could not ping gateway and their port disconnect and connect and i change all cables but no success then finally move all devices to port 6-10 and they work with no issue , can you help me how can i trouble shoot issue for th...
by blackmetal
Fri Nov 24, 2017 9:35 am
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

Re: mikrotik ccr and fortigate firewall policy

there is an idea that create a mangle for incoming traffic that set fortinet as gateway and in ccr create another mangle for that src ips originate from my network for set next hop to fortinet , in this way the only issue is for outgoing traffic first they travel to mikrotik then i set next hop to fo...
by blackmetal
Thu Nov 23, 2017 5:16 pm
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

Re: mikrotik ccr and fortigate firewall policy

and is there any other way except mangle?
by blackmetal
Thu Nov 23, 2017 4:34 pm
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

Re: mikrotik ccr and fortigate firewall policy

Hi
In my 3750 i should add mangle for that right?
Can you give me some example for in and out ?
by blackmetal
Thu Nov 23, 2017 1:40 pm
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

Re: mikrotik ccr and fortigate firewall policy

with mangle i can manage receive packets what about sent packets? those packets generate by my devices will go through router directly, because they have my router as gateway
by blackmetal
Thu Nov 23, 2017 9:34 am
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

Re: mikrotik ccr and fortigate firewall policy

hi,
please check attachment , this is my net diagram.
and i know i can connect fortinet to my core switch then static route my prefix to fortinet and create vlan on it then in my switch access to that vlan for that port,
but i need to all of my vlans created in mikrotik,
thanks
by blackmetal
Wed Nov 22, 2017 6:10 pm
Forum: General
Topic: mikrotik ccr and fortigate firewall policy
Replies: 11
Views: 1136

mikrotik ccr and fortigate firewall policy

Hello, i have a mikrotik CCR1036 2s+-em and it works as router and i connected a cisco 3750 to this router. now we want add a new firewall in this network and connect a port from firewall to switch or router and pass some /32 or less through firewall device, how can i do it? i know i can do static rou...
by blackmetal
Thu Oct 26, 2017 8:25 am
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 856

Re: best path choose wrongly

see one of my upstream is ddos protected and the other one is not. i announce /23 to my primary upstream and announce 1x /24 to my ddos protected upstream(because i want one of my 24 will be ddos protected and the other one keep in primary uplink) but right now when i send test attack to my /24 i se...
by blackmetal
Sat Oct 21, 2017 1:11 pm
Forum: General
Topic: bgp route monitor
Replies: 1
Views: 432

bgp route monitor

Hello,
i want a bgp route monitor that when my bgp path change send an email to me. can anyone help me about any website?
i tried bgpmon and they have a lot delay for update me.
thanks,
by blackmetal
Fri Oct 20, 2017 10:51 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 856

Re: best path choose wrongly

Hi
Yes none of my isps do not offer community so the only way is send smallest prefix?
by blackmetal
Fri Oct 20, 2017 8:51 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 856

Re: best path choose wrongly

Actually both of my provider does not allow me set localpref weight or such things they only allow prepend. Whats the other solution instead announce small subnet? And are you sure small subnet works? Because provider 1 and 2 are different and they do not have bgp together as15412 and as 3223 has its...
by blackmetal
Fri Oct 20, 2017 7:24 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 856

Re: best path choose wrongly

i have /20 but i am advertising 4x /22 in same datacenter..
what about if i advertise /22 in first uplink and advertise 4x /24 on second uplink then it will chose second uplink ?right?
by blackmetal
Fri Oct 20, 2017 6:27 pm
Forum: Forwarding Protocols
Topic: best path choose wrongly
Replies: 9
Views: 856

best path choose wrongly

Hello, i have a prefix (for example x.x.x.x/24) and i have uplink from 2 provider (1. AS15412 / 2. AS3223) and as a note i do not have direct BGP session with them i bought uplink from their resellers and i have bgp session with their resellers. i announced x.x.x.x/24 to both uplink and set x3 prepe...
by blackmetal
Mon Sep 25, 2017 2:40 pm
Forum: General
Topic: ping issues between cisco and CCR Device
Replies: 0
Views: 307

ping issues between cisco and CCR Device

Hello, i have a CCR1036-2s+ and a 3750e-48TD-s (with x2-10gb-sr) and i connect these devices by sfp+ ports and a fiber patch cord i set a private ip on both side and when i ping from mikrotik to switch the ping time is between 0~2ms but sometimes it has 50ms or 18ms but it is not much for example af...
by blackmetal
Sat Sep 23, 2017 4:21 pm
Forum: General
Topic: CCR1009-8G-1S-1Splus with 10gb uplink ?!
Replies: 7
Views: 887

Re: CCR1009-8G-1S-1Splus with 10gb uplink ?!

no my uplink is not more than 1.5gbps is peak time
by blackmetal
Sat Sep 23, 2017 3:07 pm
Forum: General
Topic: CCR1009-8G-1S-1Splus with 10gb uplink ?!
Replies: 7
Views: 887

Re: CCR1009-8G-1S-1Splus with 10gb uplink ?!

Hi,
yes my distance is under 300m it is around 20-30m .
because i do not see anywhere in the datasheet that mention it supports 10gb
by blackmetal
Sat Sep 23, 2017 1:32 pm
Forum: General
Topic: CCR1009-8G-1S-1Splus with 10gb uplink ?!
Replies: 7
Views: 887

CCR1009-8G-1S-1Splus with 10gb uplink ?!

Hello,
i want purchase CCR1009-8G-1S-1Splus with S+85DLC03D sfp+ modules so i want know can i establish 10gb uplink with this module and sfp+ port with my upstream switch ?
my upstream switch is sfp+ and support 10gb also and its multimode,
thanks
by blackmetal
Tue Aug 22, 2017 7:01 am
Forum: General
Topic: why prepend not working?
Replies: 4
Views: 704

Re: why prepend not working?

perfect answer my friend,
thank for help
by blackmetal
Mon Aug 21, 2017 9:06 pm
Forum: General
Topic: why prepend not working?
Replies: 4
Views: 704

Re: why prepend not working?

yes when i disable my announced route in location B , lg.he.net show x5 prepend but when i enable it again it choose wrong path,
any idea?
by blackmetal
Mon Aug 21, 2017 7:49 pm
Forum: General
Topic: why prepend not working?
Replies: 4
Views: 704

why prepend not working?

Hello, i have bgp session with cogent in 2 different country so i am announce same prefix from my primary router in location A then i establish ibgp with my ccr in location b and i am advertising x.x.x.x/24 in primary link with x5 prepend and announce it by ibgp to my location b with no prepend so m...
by blackmetal
Sat Aug 19, 2017 12:22 pm
Forum: General
Topic: BPDU Filter in mikrotik CCR
Replies: 5
Views: 889

Re: BPDU Filter in mikrotik CCR

if port not added to bridge it does not send bpdu packet right?
by blackmetal
Sat Aug 19, 2017 11:38 am
Forum: General
Topic: BPDU Filter in mikrotik CCR
Replies: 5
Views: 889

Re: BPDU Filter in mikrotik CCR

ok i understand , it happen in layer 2 so when i have bridge or when i have layer 3 switch it may happen bpdu right?
thanks
by blackmetal
Sat Aug 19, 2017 9:20 am
Forum: General
Topic: BPDU Filter in mikrotik CCR
Replies: 5
Views: 889

BPDU Filter in mikrotik CCR

Hello,
i have a Mikrotik CCR 1036-8g-2S+ and i connect my upstream fiber to SFP1 and connect SFP2 to Cisco 3750G SFP1 Port and my provider told me i should filter bpdu because if they receive bpdu they will shutdown my switch port so can you tell me how can i filter bpdu on my mikrotik?
thanks
by blackmetal
Fri Aug 18, 2017 11:52 am
Forum: General
Topic: set primary ip for interface
Replies: 6
Views: 1155

Re: set primary ip for interface

we ask this from mikrotik support and they offer us use pref-src with static route or source nat and it works for us,
maybe some one need this solution
thanks
by blackmetal
Thu Aug 17, 2017 9:59 am
Forum: General
Topic: set primary ip for interface
Replies: 6
Views: 1155

Re: set primary ip for interface

I think another way is tell my provider that assign a vlan to me then i set that vlan on Ether1 and set private ip over that VLAN and then assign static routed Ip to ethe1 in this way my router should transit packets with my public ip right? and another question if we have 2x /30 over an ether1 whic...
by blackmetal
Thu Aug 17, 2017 9:52 am
Forum: General
Topic: set primary ip for interface
Replies: 6
Views: 1155

Re: set primary ip for interface

so what is your suggestion for solve this?
because i need my packets headers travel with public ip instead my private ip
by blackmetal
Wed Aug 16, 2017 3:55 pm
Forum: General
Topic: set primary ip for interface
Replies: 6
Views: 1155

set primary ip for interface

Hello, we have 192.168.1.2/30 on our Ether1 and my upstream provider static x.x.x.x/27 to 192.168.1.2 and i set x.x.x.1/27 on Ether1 so right now all packets go out with 192.168.1.2 however i want they use x.x.x.1 as source ip, how can i do this? in cisco we can specify secondary ip but in mikrotik ...
by blackmetal
Sat Jul 29, 2017 7:28 pm
Forum: Scripting
Topic: outsource mikrotik script development
Replies: 0
Views: 266

outsource mikrotik script development

Hello, we need a script for our mikrotik that run every minutes and ping 2 destination ip and check packet loss then if packet loss will be more than X minutes disable some of our bgp networks and enable a mangle rules that called XYZ when this step done it should wait X minutes then again run script...
by blackmetal
Wed Jul 12, 2017 7:30 am
Forum: Forwarding Protocols
Topic: why prepend/weight not working ?
Replies: 1
Views: 473

why prepend/weight not working ?

Hello, i have a ccr in datacenter A and another ccr in Datacenter B both of them are using a same carrier and i am advertising x.x.x.x/24 from both of them but in Datacenter B i advertise this prefix with 3 time prepend or weight 80 but no one in world learn this route! this is my configuration on D...
by blackmetal
Tue Jul 11, 2017 9:13 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Re: Change TTL Cause do not show router ip in traceroute

Again, this does NOTHING to protect you from DDOS which was the original reason you wanted to do it. /ip firewall filter add action=drop chain=output icmp-options=11:0-255 protocol=icmp ^^ place that rule appropriately (or at the top) of your firewall filter. You will not emit the time-exceede...
by blackmetal
Tue Jul 11, 2017 8:23 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Re: Change TTL Cause do not show router ip in traceroute

see my friend, forgot about ddos attack i just need my router ip does not show in traceroute and forgot why i need this, what is your best suggestion for this ? because when i drop icmp for input it blocks icmp but my router ip show in traceroute and mtr but when i change ttl my router ip does not s...
by blackmetal
Tue Jul 11, 2017 7:49 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Re: Change TTL Cause do not show router ip in traceroute

i do not have any attacks right , you said increase ttl by2 cause problem ? i also do it in prerouting chain and set protocol to icmp only and destination to my prefix only Yes changing TTL on traffic can be extremely harmful to network operations unless you really understand what it's doing at an...
by blackmetal
Tue Jul 11, 2017 7:37 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Re: Change TTL Cause do not show router ip in traceroute

i do not have any attacks right ,
you said increase ttl by2 cause problem ?
i also do it in prerouting chain and set protocol to icmp only and destination to my prefix only
by blackmetal
Tue Jul 11, 2017 6:56 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Re: Change TTL Cause do not show router ip in traceroute

i think i explain my questions badly see i have x.x.x.0/30 between my ccr and my upstream ccr and x.x.x.1 is set on upstream ccr and i set x.x.x.2 on my router then we established bgp and we are advertise my own ip range and also i have no problem with attacks because my prefix advertise from a ddos...
by blackmetal
Tue Jul 11, 2017 6:01 pm
Forum: General
Topic: Change TTL Cause do not show router ip in traceroute
Replies: 10
Views: 1494

Change TTL Cause do not show router ip in traceroute

Hello, i want hide my router ip from traceroute due to ddos attack and i do this with change ttl options and increase 2 for ttl , so there is somethings strange for me why after increase ttl my router ip do not show ? however in cisco when we increase ttl it just add that count hop to packet! so why...
by blackmetal
Fri Apr 21, 2017 9:11 pm
Forum: General
Topic: huge difference for quota between SNMP and netflow
Replies: 0
Views: 282

huge difference for quota between SNMP and netflow

Hello, we use observium as our monitoring and monitor all interfaces by SNMP and use pmacct as our ip accounting from some days ago (we use mikrotik trafficflow) but we today when we check the quota we face a strange issue, and that is data is too much different between what snmp says and pmacct says...
by blackmetal
Sun Feb 14, 2016 8:52 pm
Forum: General
Topic: connection tracking cause packet loss!
Replies: 2
Views: 457

Re: connection tracking cause packet loss!

Hi, no it is set to yes, also i know yes and auto does not have different when you have filter rules, i have about 10 filter rule, i do not limit icmp but i block some ips in my rules for ddos attacks for X minutes, 1.my rules is when more than x pps receive then block src/dst ip 2. syn flood protec...
by blackmetal
Sun Feb 14, 2016 8:43 pm
Forum: General
Topic: connection tracking cause packet loss!
Replies: 2
Views: 457

connection tracking cause packet loss!

Hello, we have a CCR 1016 when we enable connection tracking our cpu usage will be around %5-15 but some times every 2-3 hrs it will increase to %99 and we receive packet loss and when we disable connection tracking cpu usage will be %0 we have about 50mbps traffic on this ccr and it is in bridge mo...
by blackmetal
Sat Nov 21, 2015 10:54 am
Forum: General
Topic: limit in firewall rules
Replies: 3
Views: 1219

Re: limit in firewall rules

i create following rules : add action=jump chain=forward connection-state=new jump-target=mychain add action=return chain=mychain limit=500,5 add action=add-dst-to-address-list address-list=mychain address-list-timeout=10m chain=mychain add action=drop chain=forward dst-address-list=mychain so i wan...
by blackmetal
Sat Nov 21, 2015 9:34 am
Forum: General
Topic: limit in firewall rules
Replies: 3
Views: 1219

Re: limit in firewall rules

it is not bps based right? it is pps based? as i see in wiki.
by blackmetal
Sat Nov 21, 2015 7:58 am
Forum: General
Topic: limit in firewall rules
Replies: 3
Views: 1219

limit in firewall rules

Hi,
when we create a firewall rule and enable limit in extra tab and set 1000/sec and set action to drop it means if more than 1000 packets per second are received and exceed 1000 then block,
is it right?
thanks,
by blackmetal
Sat Nov 21, 2015 7:55 am
Forum: General
Topic: translate rules , what these rules mean ?
Replies: 5
Views: 841

Re: translate rules , what these rules mean ?

thanks all, it seems when we enable use ip firewall in bridge it passes connection state to firewall and we can control it,
by blackmetal
Thu Nov 19, 2015 4:09 pm
Forum: Scripting
Topic: alert on high pps bps
Replies: 0
Views: 458

alert on high pps bps

Hi,
we need a script that uses Torch and emails us when src ip -> dst ip has more than X pps or bps and emails us src/dst ip with pps and bps,
can anyone help?
thanks,
by blackmetal
Tue Nov 17, 2015 8:36 pm
Forum: General
Topic: translate rules , what these rules mean ?
Replies: 5
Views: 841

Re: translate rules , what these rules mean ?

hi,
what do you mean?
you mean that in bridge mode we can not control new connection limitation?
and we can only control new connection and invalid and established connections?
thanks,
by blackmetal
Mon Nov 16, 2015 8:36 am
Forum: General
Topic: incoming link aggregation
Replies: 1
Views: 491

incoming link aggregation

Hi, we have mikrotik ccr with 6x 1Gbps uplink so we want to create link aggregation and protect our users from some kind of ddos so i read mikrotik wiki it seems bonding only supports outgoing and not incoming aggregation so is there any way that i have 6Gbps incoming traffic in my mikrotik ? outgoing...
by blackmetal
Mon Nov 16, 2015 8:34 am
Forum: General
Topic: translate rules , what these rules mean ?
Replies: 5
Views: 841

translate rules , what these rules mean ?

Hi, i have following rules:
/ip firewall filter
add action=jump chain=forward connection-state=new jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=10m chain=detect-ddos ...
by blackmetal
Wed Oct 28, 2015 11:38 pm
Forum: General
Topic: Install mikrotik on a server?
Replies: 2
Views: 301

Re: Install mikrotik on a server?

So it is compatible and fully functional with my hp dl320 right?
by blackmetal
Wed Oct 28, 2015 9:29 pm
Forum: General
Topic: Install mikrotik on a server?
Replies: 2
Views: 301

Install mikrotik on a server?

Hi
I want install mikrotik on a server with following specs :
Hp dl320 g8
E3-1230 or e3-1220
8g ram
I want to use it as bridge (transparent) behind my router as firewall, i want to know is it compatible and fully functional?
Do all things work? For example queue feature use all cpu cores and ... ?
Thanks
by blackmetal
Thu Sep 10, 2015 12:53 pm
Forum: RouterBOARD hardware
Topic: ccr 1016-12g as transparent firewall , performance? good or bad?
Replies: 2
Views: 1042

ccr 1016-12g as transparent firewall , performance? good or bad?

Hi, we have about 3 full racks in a datacenter and we want to use CCR 1016-12g as transparent firewall to manage our network and block some connections and prevent dos, so we decided to use ccr 1016-12g with 2gb ram, so my questions are: 1. how many rules can it handle without problem? 2. can it handle a...
by blackmetal
Sun Jul 15, 2012 3:57 pm
Forum: General
Topic: l2tp problem
Replies: 0
Views: 384

l2tp problem

Hello, i setup l2tp vpn and this is my peers :
[admin@MikroTik] > ip ipsec peer print
Flags: X - disabled
 0 address=0.0.0.0/0 port=500 auth-method=pre-shared-key secret="9126879054" generate-policy=yes exchange-mode=main send-initial-contact=yes nat-traversal=yes my-id-user-fqdn="" proposal-check=ob...
by blackmetal
Sat Jan 28, 2012 9:57 am
Forum: General
Topic: route traffic to one of the rb750 port
Replies: 0
Views: 268

route traffic to one of the rb750 port

Hello, i have a lan connection in our office, if somebody wants to use internet he/she should connect to our external vpn server, so i can connect to our external vpn server with rb750 but i do not know how to route my traffic to my vpn connection and send the output to port 3, port 2 is for our lan connectio...
by blackmetal
Wed Apr 13, 2011 2:37 pm
Forum: Virtualization
Topic: Problem with booting ros on Xen Virtual Machines
Replies: 11
Views: 4978

Re: Problem with booting ros on Xen Virtual Machines

the problem solved,

thanks,
by blackmetal
Tue Feb 22, 2011 7:00 am
Forum: Beginner Basics
Topic: Help with SSTP cert
Replies: 8
Views: 35592

Re: Help with SSTP cert

I just finished a SSTP server with cert which works fine with Win 7 and Vista and MikroTik. Let me know if you still have the problem. I will share steps ASAP. Maybe I will post it on wiki (if it is open for users). :-) can you tell me how will you build your ssl certificate? is it self signed certi...
by blackmetal
Mon Feb 21, 2011 2:30 pm
Forum: Beginner Basics
Topic: Help with SSTP cert
Replies: 8
Views: 35592

Re: Help with SSTP cert

i follow http://wiki.mikrotik.com/wiki/Manual:Cr ... rtificates and use sstp.domain.com for CN and also add ca.cert server.cert client.cert to my trust root ca in my computer account, but i get same problem as above post,
by blackmetal
Mon Feb 21, 2011 2:27 pm
Forum: Beginner Basics
Topic: Help with SSTP cert
Replies: 8
Views: 35592

Re: Help with SSTP cert

any update ? i have exactly same problem,
by blackmetal
Tue Aug 24, 2010 2:23 pm
Forum: Beginner Basics
Topic: set second port as gateway
Replies: 3
Views: 581

Re: set second port as gateway

thanks,
by blackmetal
Tue Aug 24, 2010 1:55 pm
Forum: Beginner Basics
Topic: set second port as gateway
Replies: 3
Views: 581

Re: set second port as gateway

thanks,
by blackmetal
Tue Aug 24, 2010 10:34 am
Forum: Beginner Basics
Topic: set second port as gateway
Replies: 3
Views: 581

set second port as gateway

Hello,
i have bought a RB750, the default configuration for rb750 is port 1 is gateway and 2-5 is switch, how can i set port 2 as a gateway and port 3-5 as switch?
because i have 2 internet providers and i want to connect my 2 internet providers to my router,

Thanks,
by blackmetal
Mon Aug 16, 2010 9:04 am
Forum: Virtualization
Topic: Problem with booting ros on Xen Virtual Machines
Replies: 11
Views: 4978

Problem with booting ros on Xen Virtual Machines

Hello,
i install ros on my xen virtual machine with iso file but when i want to boot it it says Missing operation system,
is there any solution for this?
and also i attach screenshot of my error to this post,

Thanks