MikroTik

grzesjan

its internal BGP or external ?

ibgp of course. The last working version of mikrotik's bgp for me is 2.9.42. All next are very unstable and break all sessions maximum after 15 minutes. route-reflect has worked in 2.9.38, later not.

grzesjan

Is it working? I just cannot run it...

grzesjan

grzesjan,
You need to assign the speed in freeradius to the radgroupreply table.

Me? Why me?

I have freeradius working but I'm not using such table

Regards,

grzesjan

Guys, I tried all the examples above and no one seemed to work. Also you did not specify how to add rx different from tx

For me it works. Read the Mikrotik docs - "Rate-Limit" format is good described there.

Gregor.

grzesjan

Rate-Limit += 128k/512k 256k/512K 64K/128K 60/60 5

That will do what you ask, bursting for 60 seconds on each, and will assign a priority of 5 to each queue.

You don't have to give all parameters, you can just use:
Rate-Limit = 512k/512k

Gregor

grzesjan

grzesjan - have you tested v3 routing-test BGP? that is something new.

No, but my admins have been told to test v3 beta this month. We will see how it is stable in our usage. Then I will test v3 bgp.

Gregor

grzesjan

come on! there are more priorities in v3 than this; you are talking like this is the most important thing in a router. separate packages for temperature monitoring? how about new wireless standards, improved speed, mpls, ipv6 and a working bgp ? Thanks God! I have so many problems with BGP and I ha...

grzesjan

Hello I use several Mikrotiks as a gateway with hotspot. There is no web-cache nor web-cache-test package. I use Advertise-* radius attributes to generate ads for the customers. Some of them see alerts about overloaded proxy. Why is that? Will installing web-cache change anything? Thanks for any ans...

grzesjan

Any ideas? I have got confused using static and dynamic queues ... Help me please.

I would like to get the answers. I also have problems mixing dynamic and static queues.

Regards,

Gregor

grzesjan

Hello, I have several Mikrotiks with 1-4 interfaces with hotspot enables on them. DHCP and hotspot use radius and every user gets IP address from radius and its bandwidth limits. All works OK. But I want to make bigger traffic limits to communication between users even on different interfaces. One e...

grzesjan

i need make this conf in MT 2.9.27
this conf file is from Zebra but i don`t know how to make this in MT 2.9.27

There is an article on Mikrotik Wiki, how to translate cisco-like conf to Mikrotik one.

Regards,

Gregor

grzesjan

it's not the megabits, it's the nstreme itself - it's a complicated algorythm which requires a lot of power to show it's capabilities. if you put it on a gigahertz system, it will show you what it can. routerboard can push 200mbits through it in pure routing, over ethernet. so speed is not the issu...

grzesjan

dual nstreme requires a lot of CPU power, your RB's are probably running at their maximum capacity

14/15 Mbps. Is it all for them? Will v3 help with cpu load?

Gregor

grzesjan

Hello I installed b5 on a really crappy link to see what happens I noticed it is very fast to accocate with AP, much faster than v2 Looks like we have much to look foward to :-) :-) I have two routerboards making dual nstream - will change to v3beta help with cpu load of routerboards (all the time ...

grzesjan

In Linux it is configurable under /proc/sys/net.
Good news, but do you know if it is possible to edit it in routeros ?

It is not possible. I have answered to Normis.

Gregor

grzesjan

in linux and routeros the address belongs to the router, not to the interface. the router will answer regarding all it's addresses. the interface entity is only used to create the default route, and that is it's only use

In Linux it is configurable under /proc/sys/net.

Gregor

grzesjan

Sometimes when a link is working near max ospf will loose its routes for 30 seconds or so then back ok again
Is there a way to prevent this?

Probably you have packet losses and OSPF packets just get lost.

Gregor

grzesjan

I'm publishing N networks and the last day I aggregate a lot of more. This lasts routes are publishing with different "Next Hop" than the others, what could it be ?, is it configurable ?

Do you mean iBGP or eBGP?

Gregor

grzesjan

what mikrotik command that similar with this command below:
show ip bgp neighbor 218.100.27.129 advertise
thx

/routing bgp advertisment print PEER-NAME

Gregor

grzesjan

Hello everyone! I have a x86 computer running routeros 2.9.38. I have two 3c509 cards but i can only use one. I tried loading the driver , but it cannot load it twice :( :? Does anyone know how to fix this ? You have something wrong with PCI slot or one of the cards. I have several machines with 4-...

grzesjan

Really ? Do you use WDS with dual nstream ? Is it possible ? As far as I know WDS can't go with dual nstream. I read it in manuall. Oh, I meant 'bridge'. My eployees set up all mikrotik radio links and I don't know the details. Probably it is simple bridge ;) Pozdrawiam Marcin :) Również pozdrawiam...

grzesjan

Which one of nstream do you use ? Simple one or dual ? Dual - as written above. Do you use wds or routing ? As far as I know the wds bridge consume more CPU power. In my opinion for dual nstream the cpu of rb532 is too weak. WDS. I don't want to use routing becouse it would break my OSPF domains. I...

grzesjan

My mikrotik BGP can not connect to any peer after upgrade to 2.9.38

Strange. My 2.9.38 BGP works just fine.

Gregor

grzesjan

RouterOS can handle a LOT more :) even RouterBOARD532 can handle 200Mbit throghput. It is interesting... I have routerboards 532 with two wireless interfaces, nstream, no connection tracking, cpu set to 333 and all I get is 13/14 Mbps (13 Mbps in one direction and 14 Mbps in second direction) and c...

grzesjan

RouterOS can handle a LOT more :) even RouterBOARD532 can handle 200Mbit throghput. It is interesting... I have routerboards 532 with two wireless interfaces, nstream, no connection tracking, cpu set to 333 and all I get is 13/14 Mbps (13 Mbps in one direction and 14 Mbps in second direction) and c...

grzesjan

RouterOS can handle a LOT more :) even RouterBOARD532 can handle 200Mbit throghput. It is interesting... I have routerboards 532 with two wireless interfaces, nstream, no connection tracking, cpu set to 333 and all I get is 13/14 Mbps (13 Mbps in one direction and 14 Mbps in second direction) and c...

grzesjan

Dunno... actually I havent tested it... I will just presume that it never have worked...

I'm not sure but I think I saw it working...

Gregor

grzesjan

And is the BGP RIB separated from the IP rouyte tables? Meaning the RIB willcontain all learnt routes with all attributes, inclkuding redudnant routes... the ip route table only contains the selected routes for forward... will report a bug on this! For me the most annoying thing in Mikrotik is lack...

grzesjan

Oh bother... I realized the incoming filters applied to a peer dont do what they should... I dont get prepend, localpref, communites, whatever impirnted in the routes I receive...

In 2.9.38? Did it work in previous versions?

Gregor

grzesjan

We are working on a completely new SNMP for RouterOS and we are going to also support SNMP write. Could you please write what you wish to see in RouterOS SNMP support, and what network management programs you now use that have SNMP write support. For me, at first read access to some numbers: - numb...

grzesjan

I have written to support@mikrotik.com, but nobody answers...

Finally I got the answer, that the bug was corrected in 2.9.38. I will wait a few days and I will upgrade my routers.

Regards,

Gregor

grzesjan

With the fixes in 2.9.38 it works beatifully!
Thank you Mikrotik!
NOw, lets see what bugs I can find in the OSPF/BGP interaction

Mikrotik put into the Changelog of 2.9.38 that they had fixed bug with unnecessary updates, the bug that I had reported. I will test in next few days

Gregor

grzesjan

I think it is a bug becouse the updates are not needed and in some case someone can dampen our prefixes. Nothing changes at the router with BGP - nothing - so it shouldn't send any updates.

I have written to support@mikrotik.com, but nobody answers...

Regards,

Gregor

grzesjan

Or a bug in the routing engine in general? I mean since you say it stops announcing the prefix if the OSPF has a recalc and take away the OSPF route for that BGP prefix? OK, I think I know. The problem was the interaction between strange Mikrotik behavoiur and very strict dampening setting at my IS...

grzesjan

It sounds to me like your router is stopping to announce the prefix due to that you loose an internal OSPF prefix so IGP synch prohibits BGP to announce the prefix the OSPF prefix was part of. But in a weird twisted way that is not correct. Maybe IGP synch in BGP is bugging/is not correctly impleme...

grzesjan

Are you running redist between bgp and ospf?

As I have mentioned in my first post - all redistribution is switched off.

Gregor

grzesjan

We have recently upgraded from 2.9.31 to 2.9.35 and there is sad surprise - each time our OSPF changes - if one router disappears or appears again, the bgp prefixes announced by this router (added in /router bgp network) disappear. Update - 2.9.31 has the same problem. Lately I haven't got any rout...

grzesjan

We have several networks, each network has some number of leaf routers (Mikrotiks) and one main network router (also Mikrotik). Main network router has BGP to our ISP and also uses OSPF for routing inside our network. We have recently upgraded from 2.9.31 to 2.9.35 and there is sad surprise - each t...

grzesjan

I would like to know what is the demand for Ipv6 support in RouterOS and how far you would like it to be supported. I don't need IPv6 in 2007. But at the end of 2007 and at the beginning of 2008 I think we will need dynamic routing, dhcp, hotspot and - first of all - easy ipv4-ipv6 tunneling. Gregor

grzesjan

As far as I know all matchers belonging to one rule are 'AND'.

Is there any way to do 'OR'?

Gregor

grzesjan

Hello, I have following rule: chain=forward in-interface=!ether1 protocol=tcp dst-port=25 tcp-flags=syn connection-limit=1,32 limit=10/15m,0 action=drop What is the relation between connection-limit and limit? Is it OR or AND? Do both rules have to be matched? Or only one of them? Thanks in advance,...

grzesjan

in wireless you can limit OSI lvl2 but in wireled connections, think - not
but maybe im wrong

So? Can you confirm, that for the limit only IP layer is counted, not all ethernet headers?

grzesjan

Hello,

What exactly is set by rate-limit? Does Mikrotik count only IP layer? Is ethernet layer counted to limits?

Thanks for any aswers...

Gregor

grzesjan

this is normal ... ebgp will remove your own AS numbers since it figures you can get there other ways (part of the same autonomous system). You can run ibgp between them to exchange your own routes if you need, or just let it use the default gateway if that works for you. Is it normal for BGP or fo...

grzesjan

Whow, interesting. First tests show that this solution works.

It seems working. Much thanks for your help!

Gregor

grzesjan

Hello, I have two separate subnets, with separate internet bgp feeds, but they use the same ASn. Something like that: AS12345 -- INTERNET -- INTERNET -- INTERNET -- AS12345 Of course there are different IP subnets announced. Both bgp routers are Mikrotiks 2.9.29-31. Am I missing something? Is Mikrot...

grzesjan

PPPoE kills local network? You'll have to explain that... :shock: Heh, misunderstanding. What I meant was: biggest competitors to us giving ethernet tu customers are DSL providers and cable TV companies. Our biggest advantage is local network - DSL and cable TV cannot provide 100Mbps or even 1Gbps ...

grzesjan

now you know why people use pppoe, encryption and/or hotspot

pppoe kills local network - that is way some people will not use it at all

Gregor

grzesjan

Is there a way to avoid a problem of MAC address cloning and deny unauthorised access to the internet trough my access point. I do not use pppoe, encryption, hotspot, I just use ARP reply-only and I have created an access-list with permited MAC addresses, but it seems that people get through with M...

grzesjan

To accept only valid IP subnets and block everything else by hotspot: /ip hotspot ip-binding add address=<valid-ip-subnet-1> /ip hotspot ip-binding add address=<valid-ip-subnet-2> ... /ip hotspot ip-binding add address=<valid-ip-subnet-x> /ip hotspot ip-binding add address=0.0.0.0/0 type=blocked Wh...

grzesjan

Disable Universal client in HotSpot,
'ip hotspot set 0 address-pool=none', then HotSpot will not translate users addresses.

I don't use universal client. Not at all.

Gregor

grzesjan

You can do it all in the "filter" table. Chain: input In interface: ether2 src-address-list: !ether2-addresses (dont miss the exclamation point) action: drop Chain: forward In interface: ether2 src-address-list: !ether2-addresses (dont miss the exclamation point) action: drop I have tried...

grzesjan

I think you are saying (for example): Your ether 2 has a DHCP range of 10.1.1.x Your hotspot is catching 192.168.0.x on ether2 hotspot because the SOHO routers are leaking these addresses out somehow. Yes, exactly. I create an address-list (in firewall) of ether2 addresses that are valid (10.1.1.x)...

grzesjan

To bridge public IPs to hotspot users you need to connect a secondary ethernet card of the router to the switch of the APs. This bridge interface put in ARP=reply-only and charge statics ARP for theses Publics IPs to this bridge. No, you don't understand. I don't bridge anything. I give users IP ad...

grzesjan

We have wide set of routers authenticating our customers by dhcp/radius - both based on radius. It generally works, but if number of our customers grows, we have two problems: 1. Leacking NAT - some soho routers (planet, d-link, linksys) have leacking NAT - they should NAT all packets but sometimes ...

grzesjan

grzesjan, are you using this? would you mind posting a bit of conf for me to see?

Yes I use. My config is unuseful for you. Look for comments and search
for DEFAULT statements. And use google - it helped me.

Gregor

grzesjan

I am trying to setup everything so that if the user/mac is not in the freeradius table then mikrotik dhcp will stick the user/mac in pool xxx rather than flat out denying them access, any ideas on how to do this? Freereadius has /etc/freeradius/radius.conf (AFAIK) and there is option DEFAULT. Hope ...

grzesjan

Is the mac sent with : or - ?

With :

Gregor

grzesjan

How big real traffic you can get using two simple outdoor routerboards integrated with antennas? Is it possible to transmit symetric 20Mbps/20Mbps with not so big pps? I think about link about 800 meters.

Thanks for the answers,
Best regards.

Gregor

grzesjan

Does anybody use route-reflect=yes? For me it does not work. I have following setup: A----B----C Routers A, B and C are in the same AS, A and C have bgp session with B. On router B I have route-reflect=yes in peers A and B. But A doesn't see prefixes from C and vice-versa. Anybody using route-reflec...

grzesjan

Hello,

Can Mikrotik use PCI-X cards? If so, can you recommend me a NIC with PCI-X bus, RJ-45 connector and with 10/100/1000 Mbps speed? Maybe some Intel? I have read about some Intel cards no longer supported...

Thanks in advance!

Best regards,
Gregor

grzesjan

Please help mi understand hotspot timeouts. I unsderstand the docs about idle-timeout, but I have no idea about keepalive-timeout. Does keepalive-timeout send pings? What kind of pings are they - icmp or arp? What if I set keepalive-timeout to 15 minutes and my customers have firewalls blocking icmp...

grzesjan

[quote="trampen"]keepalive-timeout=10s idle-timeout=23h59m59s/quote] What are your timeouts in /ip hotspot and what in /ip hotspot user profile ? I have problems with users "hanging" even if they are disconnected. I'm not sure if keepalive-timout sends pings? What if customer has...

grzesjan

Properly set "keepalive-timeout" solved my problem.

What is the proper setting for you?

Gregor

grzesjan

different hardware cant import config, only if Identical in everyway. This is why you do an Export file Full-Config from the main telnet prompt. This file is a script, which can easily be put onto other hardware, long as OS versions match or is newer (in most cases). This even lets you take a confi...

grzesjan

we will research all possibilities. thank you for suggestions Why is it not possible to leave ether1 as ether1 even if this is different physical port? Imagine such situation - my power supply damaged and burnt whole pc and hard disk. I take firstavailable PC, which has different mother board, diff...

grzesjan

------------------------------------------------------------------------------------ I thing is possible, you can create new queue simple for that subnet e.g: xxx.xxx.xxx.0/24 [that's for 24 bits ranges] or as subnet you want my pppoe, hotspot and dynamic just enought with simple queue ------------...

grzesjan

Hello I use dhcp/hotspot, both based on radius. Radius gives attribute RateLimit to dhcp and that creates the queue and cut the bandwidth of that user. That generally works. Is there any possibility to have two different MAC address, two different users to operate in the same queue? I mean set the c...

grzesjan

------------------------------------------------------------------------------------ Terminal vt100 detected, using single line input mode [setangundul@moLatvia] > /ip hot ac pr Flags: R - radius, B - blocked # USER ADDRESS UPTIME SESSION-TIME-LEFT IDLE-TIMEOUT 0 R ubudmusi 86.47.11.253 2m30s 27m30...

grzesjan

Hello I have Mikrotik configured as dhcp server/hotsport for users authenticating in my radius server. All works fine but I would like to simply know, which MAC belongs to which customer (which customer in my database). Is it a way to send a attribute with customer-ID by radius which will be shown ...

grzesjan

I use hotspot to cut unidentified users. Hotspot authenticates user by mac, unknown mac's get to login page, where they have to register using customer id and password. That generally works. Recently I saw some strange situations: 1. Unidentified user had http connections redirected to captive-porta...

grzesjan

if you mean arp ping, then it's already there - just set the arp interface parameter for the regular ping command.

Yes, I haven't seen it. Me idiot

Gregor

grzesjan

I would like to have arping on Mikrotiks. Am I the only one with such wish?

Regards,

Gregor

grzesjan

Hello, I want to start writing some scripts to Mikrotiks, but I would like to have some examples. I would like to have something like arping for Mikrotik, I have thought about a script which: - finds interface of the given IP address - set the interface into arp=enabled mode - remove (and store) MAC...

grzesjan

I have just played with /tools sniffer host print - it is fine, but how can I make "sniffer host print" to display only machines from specified address class? I would like to have something like lan station monitor in iptraf. How can I make it in Mikrotik? Maybe some script? Thanks in adva...

grzesjan

Hello I have Mikrotik configured as dhcp server/hotsport for users authenticating in my radius server. All works fine but I would like to simply know, which MAC belongs to which customer (which customer in my database). Is it a way to send a attribute with customer-ID by radius which will be shown b...

grzesjan

It allows to select different Radius server based on hotspot server profile.

Can you explain? And would you be so kind and update all docs?

Gregor

grzesjan

In hotspot profile there is something like radius-default-domain - what is it? Mikrotik doc's at http://www.mikrotik.com/docs/ros/2.9/ip/hotspot don't mention it.
Any help?

Gregor

grzesjan

So if the client is using 30p2p connections, and they try to view a website, nothing will happen as no new connections will be made right?

You can try to limit tcp connections to ports > 443. It works.

Gregor

grzesjan

[quote="changeip"]When you say 'some peerings' do you mean to internal routers using ibgp or other outside providers?/quote]

Both - but less than 100 routes each.

Gregor.

grzesjan

How many people actually have BGP working in production with > 2.9.14 routing-test? Of those how many are using more than 1 peer? We've been testing for months and can't get anything working reliably and I'm close to giving up on it. I have similar problems. I use Mikrotik in production (currently ...

grzesjan

Noone?

grzesjan

I suppose this has to do with the fact that the MAC-level protocols work by broadcasting, and things get messed up when there is more than one interface...

Yes, but there is no problem with sending broadcasts to all active interfaces.

Gregor

grzesjan

I have encountered a problem with Winbox. My laptop has two network cards - wired and wireless, both connected to the same switched network, served by one Mikrotik. The problem is that winbox sees my Mikrotik only if I have only one network card connected/running. If I have only wireless connection,...

grzesjan

I have a problem and I don't know if it is a bug in Mikrotik's BGP. I have two routers - A and B with iBGP sessions between them without any filters. Router B has only one session with router A, and router A has several eBGP sessions. Router A uses filter to set nexthop of some routes and it works f...

grzesjan

Still one thing is not corrected. Mikrotik show status=connect and the other side shows status=established. Session is OK, prefixes are being sent both ways.

Gregor

grzesjan

have you all upgraded to v2.9.26?
How many sectors it writes all the time?

I have upgraded. After rebooting there was almost no changes in config.
Now I have:

uptime: 12h15m35s
write-sect-since-reboot: 425

So it is not too big number.
However I wonder if I can lower it.

Gregor

grzesjan

Here is the setup I have: Our connection to the Internet is via BGP through our ISP connected to a Cisco router. The Cisco is talking to a 2.9.26 Mikrotik via OSPF which is talking to another 2.9.26 Mikrotik. The final Mikrotik connects via BGP to a customer Cisco router. So, we have: ISP->Cisco 1-...

grzesjan

NTP client isn't writing anything to the drive. "/system logging action=echo" is increasing the sector writes. Next version will have more optimized management so it isn't writing so much. Action=echo I have only for critical logs. I have seen that ntp client increases number of writes - ...

grzesjan

Code: Select all
  write-sect-since-reboot: 129728
         write-sect-total: 3556164
This is an older Sandisk...still chiggin' away. Note that if you use NTP, writes will increase much faster.

I use ntp client and I have big number of writes. Mikrotik? Can you do something with ntp client?

grzesjan

by the way, that's a RB500, you can't change the flash there ...

Eeee? So what do I do? Just thrash it and send you request about new key?

Gregor

grzesjan

How many (aproximately) writes to flash will kill it? I have: [admin@TESTY] > /system resource print uptime: 4d20h48m45s version: "2.9.25" free-memory: 15744kB total-memory: 30440kB cpu: "MIPS 4Kc V0.10" cpu-frequency: 264MHz cpu-load: 0 free-hdd-space: 93816kB total-hdd-space: 1...

grzesjan

Hey guys, Currently our network runs a kind of ebgp with each internal router running on a different AS I've been wanting to go to ibgp for a while now but have come up againest an issue time and time again. Our network looks like this Tower5-----Tower1 -------Tower2------Tower0------Edge Tower4 --...

grzesjan

i use package from topic - for last 12 hours everything is OK!!! 4 BGP sessions work great for now. Thanks from me for fix and for "network" command too. I had everything OK for the whole weekend and today my router went crazy and I had to disable all BGP peers and leave only uplink to an...

grzesjan

how do you set rate limits for hotspot users with radius I want to set up a hotspot where the user database is held in radius. I want to be able to set users to auto login with mac auth. and also to set their rate-limit with bursting. Can somebody point me in the right direction? Read Mikrotik's do...

grzesjan

maybe you can come on icq as well ?

Only jabber available. Grzegorz.Janoszka <AT> jabber.aster.pl.

Gregor

grzesjan

Gregor i have installed last version on routing-test-2.9.25.npk and for last 12 hours BGP is still up and running without deaviations. And now i think to joy with prepends and hold timer to make router more flexible with dynamic routes. I don't think we are going to make anything stable with mikrot...

grzesjan

Advertise with command
network=xxx.xxx.xxx.xxx/xx is ok.

So? Do you see prefixes entered in network= as advertised in /routing bgp advertisment?

I don't see them

Gregor

grzesjan

One interesting thing - I use 2.9.25 with upgraded routing-test package. When I export the configuration I see: / routing ospf interface set FIXME interface=ether1 cost=10 priority=1 authentication-key="" \ retransmit-interval=5s transmit-delay=1s hello-interval=10s \ dead-interval=40s net...

grzesjan

network is first simple way to advertise your own networks and if you add them with command - this is your networks from your router ... other ways is with "connected and static" but is not useful for small networks with mikrotik filters that i can`t successfuly run for some reasons. That...

grzesjan

Are there specific HS docs somewhere I can search in? I have tried in the MT 2.9 reference and found nothing.

Mac authentication.

Gregor

grzesjan

We are currently seeing an issue where the RB500's with 2.9.19 lose OSPF connectivity to Cisco routers. The RB 230's do not have this issue on the same software.

Do you have time set on this RB500? I had some problem with OSPF Mikrotik to quagga and time difference was the reason.

Gregor

grzesjan

please test the new routing test package:
http://www.mikrotik.com/download/routin ... 25_new.zip

Yes, this version is much better. Now MAJOR problems were solved.

Details sent to support.

Gregor

grzesjan

This is a user-to-user forum. If you wish to inform Mikrotik about a bug, please contact support@mikrotik.com with the supout.rif file from the latest version

I wanted other users to be aware of the problem.

Gregor

grzesjan

Dear Mikrotik, What haven't you informed us that new shiny version 2.9.25 of routeros supports only one BGP peer? I have today crash becouse I have upgraded router with 4 BGP peers to 2.9.25. The logs were full of: 09:37:15 system,info router rebooted 09:37:21 route,bgp,info Failed to open TCP conne...

grzesjan

MT has sent me an update routing-test to see if cpu problem is fixed. So far everything seems to have settled down. The speed to sync peers has slowed down a bit but at least it doesnt spin out of control with 100% cpu forever. i've been testing it for hours with quagga and it seems to be much bett...

grzesjan

Also once again thank you for not telling us about the new features. Network, Aggregate and Advertisements commands. (What is the 3rd one actually do? Is it something similar to a route-map policy? Ooo... I have just seen it. Advertisement seems to be working (thanks!): [admin@MikroTik] > /routing ...

grzesjan

[ I think that without the real testing from the client's end and only with the empty shouting this waiting will be much, much longer. I will test 2.9.25 tomorrow morning but for now I see some things still missing in bgp: - network declaration, like "network W.X.Y.Z" - completely reset o...

grzesjan

I have set up Mikrotik to use Radius for dhcp address assigment and hotpost authentication (mac). I don't want to use hostspot's one-to-one nat, so I haven't set address-pool in my hotspot config and it is set to null: [admin@TESTY] > /ip hotspot print Flags: X - disabled, I - invalid, S - HTTPS # N...

grzesjan

it was in Mikrotik lab at friday but not in download page...I think this delay is because new version is under stress-test now...

Wow, <irony>the first version stress-tested!</irony>

Yes, I know, I'm cruel

Gregor

grzesjan

david - today

Two days passed after that "today" and no new software.

Gregor

grzesjan

54kb *1024 = 55296

55296/55296

Or simply: 54k/54k

Gregor

grzesjan

Yes, I restarted the BGP router...and it worked again.
I think this issue can show up any moment and my customers won't be happy with any more service outages.
Stephan

This is Mikrotik

We have to wait for Mikrotik to correct such issues. I hope they will do it.

Gregor

grzesjan

Oops...typo... version 2.9.23
Stephan

Have you restarted Mikrotik? Mikrotik's bgp is rather unstable for now.

Gregor

grzesjan

I'm not doing much more that using it for internal routing, as for ebgp i'm using quagga. There are no stability issues, and no need to reboot (2.9.23, routing test, using RB532). The only real problem i've found is that there is almost no documentation at all! Bye, Ricky For internal routing mikro...

grzesjan

yes, you can use mac-authentication in hotspot, without the login page. it will still have the rest of the hotspot features, like adverising. OK, I have done it, two questions: 1. I have set up login-type=mac, but from time to time first web page I see after requesting an IP is login page. Sometime...

grzesjan

So is anybody using the latest mikrotik advanced-routing BGP in production? I'm just curious as to what their thougts and impressions are of it and if all the kinks seem to have been worked out. I use routing-test package and I can not recommend it to use in production. Many things require reboot, ...

grzesjan

Well, if the box they pull data from is compromised, the result is the same. No, becouse we can filter pulled data. Some checking can be done. Some damage can be done if main box is compromised (for example they can turn off nat for everyone), but they can not _compromise_ the rest of boxes, for ex...

grzesjan

DHCP simply gives your customer an IP address and does nothing else. Simple and unsecure. HotSpot gives your customer a login page, a ton of authentication features, univercal-client (customer can have anything in his TCP/IP settings, his internet will still work), statistics, bandwidth control, us...

grzesjan

Hi Today I have a config, that Mikrotik is a router serving dhcp based on radius. When I have started to go deep into configuration, I have realised that some important features are only in hotspot mode, not in normal dhcp (for example advertise-url). What is the difference between hotspot and norma...

grzesjan

Is Advertise-URL and Advertise-Interval valid radius attributes??? This is the first time I'm hearing about those... There is well known web site: http://www.mikrotik.com/docs/ros/2.9/guide/aaa_radius and there we have: # Advertise-URL - URL of the page with advertisements that should be displayed ...

grzesjan

Thanks all for your help. BGP route server is quite resonable idea. I will try to implement this. But I still think that we should have wget

Gregor

grzesjan

One avenue you may wish to explore, would be linking a BGP instance to the address-list(s), with a frequently run script (I use a funky ping, and a firewall rule that detects it, to avoid writing to flash, and to ensure the address ages out correctly). That way, you could keep them updated in near ...

grzesjan

Hi, I try to use Mikrotik Advertise-URL feature. Radius sends attribites: Sending Access-Accept of id 44 to ==========:1182 Session-Timeout := 86400 Advertise-URL := "http://192.0.2.1:83/" Advertise-Interval := 2 And nothing happens - I can see all web pages, no advertises are beeing shown...

grzesjan

Better run a bash script from dedicated box, something like: for i in $ROUTER_ADDRESSES do ssh -l $USER $i "/ip firewall address-list rem [find name=nonat]; /ip firewall address-list add name=nonat address=<address>"; done Yes, I know such solutions - they are good but have one weak point...

grzesjan

have many mikrotiks with private addresses which act as a nat. However I have several network prefixes (all in my own network) I don't want to nat the traffic to. I have done it making /ip firewall address-list nonat and defining there some prefixes and one rule in /ip firewall nat which accepts dst...

grzesjan

While not a bad idea, if you (MikroTik) do implement this, please make it optional.

Yes, I have thought to make it optional or configurable - something like: allow-in-subnet-addresses=yes

Gregor

grzesjan

It will be nice to implement more options for radius client, for example
setting PARENT-QUEUE in Rate-Limit attribute ,
and put Mark-Id and Filter-Id to work with PPPoE and with PPTP too.

I would like to add to radius DNS-primary-server and DNS-secondary server or something similar.

Gregor

grzesjan

I use mikrotik as a dhcp server, mikrotik takes all data from radius. I have one problem. I have used to ISC's dhcpd and its behaviour. The problem is in rather rare case - mikrotik has dhcp server on interface local with 10.0.0.0/24 network (and 10.0.0.1 ip) and if radius gives to mikrotik IP from ...

grzesjan

I use Mikrotik as a router at many levels in my network and I have following suggestions: 1. how to check what prefixes are announced to peer? I need something like "show ip bgp neighbor A.B.C.D advertised-routes" 2. I would like to have network definition in bgp instance - now I use some ...

grzesjan

[quote="Juzna"]is it possible to add column TTL into packet filter and mangle?
[/quote
]
I would love to have it too!

Gregor

grzesjan

The standard radius attributes are MS-Primary-DNS-Server and MS-Secondary-DNS-Server. How MT have implemented that on a DHCP level, is not known to me. Try those two, if they don't work I believe you'll have to do it in some other form (not radius). -- C Ooops, I have confirmed both attributes to w...

grzesjan

Now, when you start reading the various RFCs dealing with Radius, Authentication, Accounting, and Authorization, you would see that many of these RFCs specifically names Attributes that are supported through the RFC. If the software or NAS claims to support RFCxyz, then it must support *anything* m...

grzesjan

MS-Primary/Secondary-DNS-Server is one of the only ways I know to specify DNS servers to PPP Connections via Radius. Cisco uses them, MT accepts them (even through they're not documented), and I'm sure allot of other NAS providers use them as well. MS-Primary/Secondary-DNS-Server IMHO can also be c...

grzesjan

The standard radius attributes are MS-Primary-DNS-Server and MS-Secondary-DNS-Server. How MT have implemented that on a DHCP level, is not known to me. Try those two, if they don't work I believe you'll have to do it in some other form (not radius). -- C radio:~# grep -i MS-Primary-DNS-Server /usr/...

grzesjan

Hello, I have just set up Mikrotik to use radius for dhcp authenticating. I have read the docs and haven't found an answer: how to pass dns servers to such dhcp clients? Now i have /ip dhcp-servers network statements but I would like to use radius parameters for that. How can I do it? Regards, Gregor

grzesjan

On the clients.conf, I put in: client 192.168.1.32 { secret = testing123 } When I used NTRadPing from 192.168.1.32, I got this message: rad_recv: Access-Request packet from host 192.168.1.32:1244, id=4, length=50 Ignoring request from unknown client 192.168.1.32:1244 What seemed to be the problem? ...

grzesjan

Gregor I'd say that want you're trying to do is still against the rules. Against WHAT rules? It is ONLY a match. You can match packets basing on their tcp flags, ports and so on. Address/mask matching is a simple bitwise operation resulting in "true" or "false". Tell me what rul...

grzesjan

From RFC1812: The classical IP addressing architecture used addresses and subnet masks to discriminate the host number from the network prefix. With network prefixes, it is sufficient to indicate the number of bits in the prefix. Both representations are in common use. Architecturally correct subne...

grzesjan

I'm not an authority on BGP, but from what I understand, BGP does not maintain an established connection. -Rich It does. BGP uses TCP connections on port 179. When BGP router receives TCP reset it MUST close the session and clear all routes immediately! It can't wait any second. I use Mikrotik not ...

grzesjan

try : /ip firewall address-list add list=net address=10.0.1.248/29 /ip firewall address-list add list=net address=10.0.2.248/29 /ip firewall address-list add list=net address=10.0.3.248/29 /ip firewall address-list add list=net address=10.0.4.248/29 /ip firewall address-list add list=net address=10...

grzesjan

Hi How to add noncontinuous network mask? I have 6 interfaces - from 10.0.0.1/24 to 10.0.5.1/24 and each subnet has reserved some IP's for dhcp for unregistered users - IP's 248-254. I want to redirect such IP's to my captive portal. I know I can use 6 rules - 10.0.0.248/29 to 10.0.5.248/29, but I w...

grzesjan

Hi! - why bgp has so poor performance? What do you mean by "poor" performance? We're using BGP to our upstream providers without any issues (although we're only accepting the default route and not a full table). I mean that I have Pentium III 1.7 GHz machine with Mikrotik and whole BGP li...

grzesjan

I'm rather new user to Mikrotik, I have read all docs and some questions are still unanswered: - why bgp has so poor performance? - why bgp does not see restart of a peer? I have to refresh the peer manualy on Mikrotik every time I reset its peer - how to check what prefixes are announced to peer? -...

Search found 144 matches