Community discussions

Search found 51 matches

by markdutton
Wed Apr 03, 2024 4:21 am
Forum: General
Topic: VRRP sharing VRRP-ID [SOLVED]
Replies: 4
Views: 671

Re: VRRP sharing VRRP-ID [SOLVED]

But setting VRRP ID to match the VLAN ID it's listening on I think helps keep things organized & avoids potential misconfiguration later if say the interface is picked wrong. Interesting you say this. We thought to do the same. However, there are only 256 VRIDs and 4094 VLAN IDs, so this only w...
by markdutton
Wed Apr 03, 2024 3:23 am
Forum: General
Topic: Unclassified CPU use
Replies: 0
Views: 162

Unclassified CPU use

Looking at the CPU usage on a couple of core switches. These are CRS354-48P switches. They are in a pair with 16 MLAGs running to 6 CRS354-48P edge switches. All uplinks are 10Gbs. They show a continuous CPU usage of around 60%. The profile monitor shows that most of this, around 33%, is unclassified....
by markdutton
Wed Apr 03, 2024 3:16 am
Forum: General
Topic: VRRP sharing VRRP-ID [SOLVED]
Replies: 4
Views: 671

Re: VRRP sharing VRRP-ID [SOLVED]

I put all VRRP subnets into their own VRRP-ID to be sure.
by markdutton
Wed Mar 20, 2024 2:15 am
Forum: General
Topic: VRRP sharing VRRP-ID [SOLVED]
Replies: 4
Views: 671

VRRP sharing VRRP-ID [SOLVED]

Hi group I have around 10 subnets on various VLANs that I need to apply to my VRRP. I have put them all into the same VRRP ID. It all works. Is this an invalid scenario though? Initially I did this as I thought it was the way to make them all failover/failback together, but I realise this is not the...
by markdutton
Mon Jan 29, 2024 4:12 am
Forum: General
Topic: Bonds on a bridge acting like hub ports.
Replies: 3
Views: 1086

Re: Bonds on a bridge acting like hub ports.

The answer to this question was that there was a bug in the bridge software, which is fixed since 7.10.2
by markdutton
Wed Jan 24, 2024 9:38 am
Forum: General
Topic: Copy payload TOS bits into IPSEC packet
Replies: 0
Views: 358

Copy payload TOS bits into IPSEC packet

Hi I am not hopeful on this, but thought I would ask. I have VOIP between sites over IPSEC VPN. Between the VPN endpoints I have another intermediate router that has Queues configured to prioritise and reserve bandwidth for voice based on DSCP 46 markings. Problem is that I can't see any way to mang...
by markdutton
Sat Aug 05, 2023 1:35 pm
Forum: General
Topic: Bonds on a bridge acting like hub ports.
Replies: 3
Views: 1086

Re: Bonds on a bridge acting like hub ports.

OK. It's a bit hard to show what is happening without "stupid screenshots" though. /interface ethernet set [ find default-name=ether2 ] name=ether2-bond-Aruba-Core set [ find default-name=ether9 ] l2mtu=9092 mtu=9000 name=ether9-To-SAN set [ find default-name=ether10 ] l2mtu=9092 mtu=9000 ...
by markdutton
Sat Aug 05, 2023 11:56 am
Forum: General
Topic: Bonds on a bridge acting like hub ports.
Replies: 3
Views: 1086

Bonds on a bridge acting like hub ports.

I have two CRS326-24G-2S+ switches connected together to act as a core pair using MLAG. They are running 7.6 as it seems anything past this version is broken for MLAG. On the bridges of each switch I have 8 bonds and 4 normal ports. The 4 normal ports are not lagged. They go to storage devices which...
by markdutton
Wed May 10, 2023 4:24 pm
Forum: General
Topic: MLAG Bridge not work in ROS 7.7 - 7.8 - 7.9, OK in ROS 7.6
Replies: 18
Views: 3878

Re: MLAG Bridge not work in ROS 7.7 - 7.8 - 7.9, OK in ROS 7.6

I have the same issue. Very annoying on a mission critical network when they give you 30 minutes downtime. I noticed with 7.9, when I did a show lacp neighbour on a connected Cisco switch, it was showing the port address of one of the MTs for both neighbours, not the bond address. When I downgraded ...
by markdutton
Wed Nov 23, 2022 4:10 am
Forum: The Dude
Topic: How to Add dude users in V7
Replies: 0
Views: 2149

How to Add dude users in V7

OK, I'm stumped.

How do I add users to MT to give different users access to Dude in V7. The Dude policy has gone from system/users.
by markdutton
Fri Nov 18, 2022 6:54 am
Forum: General
Topic: IPIP tunnel with custom keying
Replies: 1
Views: 251

IPIP tunnel with custom keying

I am sure this has been asked a million times, but is there any way to use custom keying for IPIP tunnels? I can change the default profiles and I don't mind this, but I can't set the tunnel to use IKEV2, which is what I need, as this is a peer setting.

Cheers
by markdutton
Wed Dec 22, 2021 2:37 am
Forum: General
Topic: Multi WAN both on DHCP [SOLVED]
Replies: 22
Views: 3950

Re: Multi WAN both on DHCP [SOLVED]

Thanks Sob. That was the key. I didn't know there was a variable to pick up. It works perfectly.

Cheers.
by markdutton
Tue Dec 21, 2021 3:45 am
Forum: General
Topic: Multi WAN both on DHCP [SOLVED]
Replies: 22
Views: 3950

Multi WAN both on DHCP [SOLVED]

Hi brains trust I have 2 WAN connections and both are DHCP. As the gateway addresses are not always the same, they are not P2P (interfaced based) and the routes themselves are dynamic, I have no solid reference to create any sort of policy based routing. Ideally, it would be great if you could nomin...
by markdutton
Thu Apr 29, 2021 3:57 am
Forum: Forwarding Protocols
Topic: OSPF re-distributing other OSPF routes when set to no
Replies: 2
Views: 2229

Re: OSPF re-distributing other OSPF routes when set to no

OK. Thanks for the quick reply.
by markdutton
Wed Apr 28, 2021 2:37 pm
Forum: Forwarding Protocols
Topic: OSPF re-distributing other OSPF routes when set to no
Replies: 2
Views: 2229

OSPF re-distributing other OSPF routes when set to no

Hi all Sorry if this is already in the system. I may be wrong here, but if I set Redistribute Other OSPF Routes to no, I should not expect these routes to be propagated to other routers should I? I have a central router with 2 connected subnets (over IP tunnels) to 2 remote routers. Running all on A...
by markdutton
Tue Nov 12, 2019 4:17 am
Forum: General
Topic: IPIP over IPSEC using different profile and policy templates
Replies: 2
Views: 1614

Re: IPIP over IPSEC using different profile and policy templates

Thanks Sindy. That looks great.

I will give it a try soon. In the meantime, I just used a policy VPN gateway in Azure and used the standard IPSEC policy based setup in Mikrotik (with my custom profile and policy settings), which worked perfectly.

Mark
by markdutton
Fri Nov 08, 2019 10:16 am
Forum: General
Topic: IPIP over IPSEC using different profile and policy templates
Replies: 2
Views: 1614

IPIP over IPSEC using different profile and policy templates

I need to create an IPIP tunnel to Azure with their VPN connector in routed mode. However, the default Profile and Proposal are used for my other IPIP tunnels. Is there a way to get an IPIP tunnel to use a different profile and proposal than default? If not is there a way to create an IP tunnel tha...
by markdutton
Thu Mar 14, 2019 2:10 pm
Forum: General
Topic: LLDP
Replies: 136
Views: 69247

Re: LLDP

LLDP-MED, yes please else the use of the PoE switches is limited.
Agree 100%. It is a fundamental requirement in any enterprise switch.
by markdutton
Thu Mar 14, 2019 2:09 pm
Forum: Beginner Basics
Topic: Voice vlan and mikrotik
Replies: 3
Views: 4610

Re: Voice vlan and mikrotik

You should enable DHCP VLAN on your phone: https://www.grandstream.com/sites/default/files/Resources/VLAN_Guide.pdf Or configure the VLAN manually. MikroTik does not currently support LLDP-MED which is necessary for communicating voice VLAN ID to phones. This normally isn't a huge problem since mos...
by markdutton
Tue Feb 12, 2019 8:08 am
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 3266

Re: OSPF advertising connected networks

Thanks Murmaider! That did it. I was trying previously to do a discard on 192.168.220.0/30, but I don't think it ever matched properly. Either that, or it was another connected route that was causing the problem. Putting in the explicit allow for the route I wanted to advertise followed by a discard...
by markdutton
Mon Feb 11, 2019 12:38 pm
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 3266

OSPF advertising connected networks

I know I am doing something really dumb here, but I am stuck and I need a hand. I create a backbone area between two routers using an IP tunnel (over IPSEC). For simplicity, the routers each have their local LAN interfaces, their Internet interfaces and their IP tunnel interface. I number the tunnel...
by markdutton
Wed Apr 25, 2018 10:43 am
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 259208

Re: Advisory: Vulnerability exploiting the Winbox port


You can access graphs within winbox - no need to use web access to them.
Yes but the graphs in Winbox are rubbish compared to the web ones with their time and throughput scales.
by markdutton
Wed Apr 25, 2018 4:17 am
Forum: Announcements
Topic: Advisory: Vulnerability exploiting the Winbox port [SOLVED]
Replies: 203
Views: 259208

Re: Advisory: Vulnerability exploiting the Winbox port

This is the second advisory for this same port in as many weeks. Whilst we block it to the world we still feel compelled to update all our customers' routers. I hope this is not a sign of things to come. While I'm on my soapbox I'd like to suggest that graphs are moved off the web management port. T...
by markdutton
Thu Mar 09, 2017 4:34 am
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 85275

Re: Statement on Vault 7 document release

You can limit the IP addresses for defined users. Just make sure that any user IDs that have anything more than read capability can log in only from the LAN side of the network. Yeah I know I can limit IP on the graphing, but what I would like to see is open to world graphing. From my understanding...
by markdutton
Thu Mar 09, 2017 3:04 am
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 85275

Re: Statement on Vault 7 document release

Whilst we block most of our client routers from the Internet to all but our own IP address for management, there are some clients who want to have the graphs publicly available. I would like to see a separate port for graphing if possible so that this functionality can be available to anyone without...
by markdutton
Tue Jul 21, 2015 6:28 am
Forum: Wireless Networking
Topic: CapsMan wishlist
Replies: 0
Views: 833

CapsMan wishlist

Hi All I have just started trialing Capsman in a development environment. I have only scratched the surface, but these are on my wishlist now. - Auto tuning of an internal wireless network. Power levels and frequencies to ensure smooth transition between nodes. - A graphical heat map in Capsman (or ...
by markdutton
Tue Jul 21, 2015 4:57 am
Forum: Wireless Networking
Topic: CAPsMAN and AP frequencies
Replies: 12
Views: 10066

Re: CAPsMAN and AP frequencies

I would like to add to this. I have found the following (using Capsman 2). If you set your frequency to auto on the CAP, BEFORE you enable capsman control, it will be auto frequency if Capsman does not specify a channel. However, the auto channel system does not honour the implicit 3 usable channels...
by markdutton
Tue Aug 19, 2014 9:45 am
Forum: General
Topic: VLANS and switch ports
Replies: 2
Views: 1331

Re: VLANS and switch ports

OK. Thanks for that. So in relation to multiple VLANS. I only need to define a vlan to ports and CPU if I want to manipulate the VLAN as in my example? The other vlans can be left unassigned at the switch level? It all works fine this way and I have done a million tests, but I don't want to have it ...
by markdutton
Tue Aug 19, 2014 4:00 am
Forum: General
Topic: VLANS and switch ports
Replies: 2
Views: 1331

VLANS and switch ports

Hello. I am trying to wrap my head around where I need to actively configure vlan settings on the switch ports. Most commonly, if I want to create a VLAN trunk to an external switch, I simply create multiple VLAN interfaces and assign them all to the same physical port on the Mikrotik. I end up with...
by markdutton
Tue Jul 29, 2014 2:37 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 2537

Re: Backup failing on CCR v6.15

OK. Update.

After a cold restart (power off), it has come up working again. We can run until the new firmware is out GA. It seems that this is a start up issue.
by markdutton
Tue Jul 29, 2014 12:44 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 2537

Re: Backup failing on CCR v6.15

OK Thanks Normis

Next problem though will be that I can't upgrade the router without netflash.

If I factory default, will I get access to the flash again? I have rebooted, but this did not help.

Is there any way to get the flash writing without defaulting the unit?

Mark
by markdutton
Tue Jul 29, 2014 12:30 pm
Forum: General
Topic: Backup failing on CCR v6.15
Replies: 3
Views: 2537

Backup failing on CCR v6.15

Hi All I have a CCR 9 core on 6.15. It is in operation and working, but I can no longer create a backup. The password for the admin has reverted to blank also and won't save. I can't create a capture file with packet sniffer. It is as if the file system has become read only. The exact error when I t...
by markdutton
Fri May 18, 2012 12:37 pm
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1911

Re: My RB493 crashes when I run rsync across my VPN

I have reconfigured the job to run outside of the VPN tunnel and it seems to have sorted it. Not sure why the load is so high with Rsync, but it killed the router over IPSEC.
by markdutton
Thu May 17, 2012 5:30 pm
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1911

Re: My RB493 crashes when I run rsync across my VPN

Correct it is an IPSEC tunnel.

Additionally, Rsync is running directly across the connection. It is not tunnelled inside SSH.
by markdutton
Thu May 17, 2012 10:19 am
Forum: General
Topic: My RB493 crashes when I run rsync across my VPN
Replies: 3
Views: 1911

My RB493 crashes when I run rsync across my VPN

Hi All I have a weird problem on my home RB493. I will say from the outset, I have set up dozens of Mikrotiks and I have been using them internally for a couple of years and this is a one off to me. I have a RB2011L in the office, which I am evaluating. It is normally an RB450G. I have an IPSEC tunn...
by markdutton
Sat Sep 10, 2011 9:13 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 2254

Re: Bug in queue tree decision logic

BTW Fewi I like your idea of using RFC1918 as the source address list so only outbound packets would fire the routing mark. I just put a new rule in my adhoc-bdsl routing table that duplicated the main table rule so the rule would fire in both directions and the inbound route was catered for. It wou...
by markdutton
Sat Sep 10, 2011 9:04 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 2254

Re: Bug in queue tree decision logic

Thanks Fewi I was on the same tack as you stated in your post. I have been able to get the outbound interface working fine using routing marks and a custom routing table. The issue now for me is I already have a huge mangle table for my packet marking rules. To keep things tidy and to get maximum pe...
by markdutton
Sat Sep 10, 2011 6:14 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 2254

Re: Bug in queue tree decision logic

OK. Sorry guys. I have led you astray. The router is very busy, so sometimes it can lead me to make a false assumption. I just did a packet trace on the interfaces. It turns out that the router is NOT using the wrong queues. It is using the wrong interface. However, it is outbounding traffic on the ...
by markdutton
Sat Sep 10, 2011 5:33 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 2254

Re: Bug in queue tree decision logic

Following are all logs except firewall export, which is huge and I would rather not disclose it anyway. The issue is the queues should be attached to the egress interface and they are not. I know this because when I connect externally to my 4-Amcom-BDSL interface via https (443), and drag a file dow...
by markdutton
Sat Sep 10, 2011 4:20 am
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 16336

Re: Eth. port flapping, when is this going to be solved?

Seems it is caused by various things. It is not really a flapping port as such. Flapping ports don't usually just disable then re-enable with a corresponding log entry. Flapping ports are usually the result of a problem with the Ethernet connection to the remote device. I know I can make the problem...
by markdutton
Sat Sep 10, 2011 4:12 am
Forum: General
Topic: Bug in queue tree decision logic
Replies: 6
Views: 2254

Bug in queue tree decision logic

Hi All I have found a bug in the queue tree decision logic which is making it impossible for me to use the router as I need to. The scenario is I have 2 WAN interfaces and I have 2 queue trees attached to these interfaces. I have various mangle rules to create connection and packet marks to feed the ...
by markdutton
Wed Aug 10, 2011 6:19 pm
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 16336

Re: Eth. port flapping, when is this going to be solved?

I think I have almost homed in on this problem for my situation. I swapped out my RB750G for my RB450G today. No problems initially, but then I set about making the changes I had made on the RB750G just before it started to play up (coincidentally the same day I upgraded the firmware). My config is ...
by markdutton
Wed Aug 10, 2011 7:04 am
Forum: General
Topic: Eth. port flapping, when is this going to be solved?
Replies: 78
Views: 16336

Re: Eth. port flapping, when is this going to be solved?

I too am having port flapping on my RB750G since upgrading from 5.0beta to 5.5. I am using 4 ports. Three of the ports are dropping then resuming. It is not false logging as I went to the log to work out why I was getting VOIP silence periods of around 10 - 20 seconds. Looking at the log it appears ...
by markdutton
Wed Jul 20, 2011 1:46 pm
Forum: Beginner Basics
Topic: How do I stop interfaces from changing names after restore??
Replies: 4
Views: 1921

Re: How do I stop interfaces from changing names after resto

Guys this would be good if there was not a bug in the export. I have just done an export from a 750G on v5.5. When I go to import I get "expected end of line at line x, column y" The problem is the exported line is creating the script with the wrong syntax. E.G. /queue interface set 1-Loca...
by markdutton
Wed Jul 20, 2011 1:13 pm
Forum: Beginner Basics
Topic: How do I stop interfaces from changing names after restore??
Replies: 4
Views: 1921

Re: How do I stop interfaces from changing names after resto

I too was trying to figure this out. However, in defence of Mikrotik, when you do a copy run tftp, then copy tftp run you ARE working with text files.
by markdutton
Fri Mar 18, 2011 7:46 am
Forum: General
Topic: Efficient connection marking and packet marking for QoS
Replies: 2
Views: 1559

Efficient connection marking and packet marking for QoS

Hi All Just want to do a sanity check. I have setup a queue tree and use mangle rules to create the appropriate packet marks. I read an interesting wiki article showing a rule that would filter TCP traffic, by port, etc and give it a connection mark, with passthrough enabled. Immediately following i...
by markdutton
Tue Oct 19, 2010 2:01 pm
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 2406

Re: Accessing remote IPSEC site from within Router

OK. I believe it is definitely preserving the markings on encryption. Here is what I do. In prerouting mangle table, I mark the packets based on DSCP, address:port, whatever as VOIP. I then create a queue tree with a queue dedicated to VOIP. The queue tree is attached to my external interface. My SI...
by markdutton
Tue Oct 05, 2010 9:38 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 2406

Re: Accessing remote IPSEC site from within Router

That's right. On a standard Linux router using the Freeswan IPSEC stack we would set a flag in the ipsec.conf file being hidetos=no. This would cause the encrypter to put the DSCP flag into the outer packet. We would then create a mangle rule as follows. iptables -t mangle -I TS -p 50 -j RETURN ipta...
by markdutton
Tue Oct 05, 2010 6:42 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 2406

Re: Accessing remote IPSEC site from within Router

Excellent diagrams! I actually saw these previously, but I did not scroll down to the end, which shows clearly the double handling of packets through the output routing phase if encrypted. This leads me to two more questions. 1. Will packet marks survive the encryption process? 2. Related to above, ...
by markdutton
Fri Oct 01, 2010 9:15 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 2406

Re: Accessing remote IPSEC site from within Router

OK, that makes sense. Could you please, in basic ASCII art, show the path the packets take including encryption. I am used to Linux IP using freeswan, which encrypts data before it enters the routing stack. I can see the advantages of encrypting after routing, particularly when doing QoS, but I am a b...
by markdutton
Fri Sep 24, 2010 5:06 am
Forum: General
Topic: Accessing remote IPSEC site from within Router
Replies: 9
Views: 2406

Accessing remote IPSEC site from within Router

Hi All I have a set up where I have two sites linked via RB750G routers over IPSEC tunnel. I want site B to get its DHCP from a DHCP server in site A. I have set up the relay, etc, but there is an issue getting the routers to traverse the tunnel correctly. Devices behind the router are fine as they ...