MikroTik

kobuki

Added dedicated /64 prefix between ISP Router and Mikrotik Routed /48 prefix via /64 to us @kafart: Did you need to rework your config to contain only one bridge? I'm in a similar situation where I have the uplink VLAN on an "uplink" bridge, and internal VLANs on another, "internal&q...

kobuki

I see. I got the impression that the CPU itself provides some kind of switch functionality that helps traversing packets at the rated 2.5 Gbps speed. But it seems that it's just a software bridge between the actual switch chips.

kobuki

I use an RB1100AHx4 for a few servers in a DC and noticed that the switch-CPU interconnects that are supposed to be HW-accelerated use the CPU a lot. Between the switches at full 1 Gbit rate, a single TCP connection through a VLAN uses around 17% CPU. The bridge is added to that VLAN but the VLAN do...

kobuki

A bridge consisting of ports, bridged on the other side as well, with disabled STP will: create a loop It will not: balance traffic to use 4 Gbps Sometimes there is no real, usable and good technical solution for a problem. Or the solution would be to pay more money for getting the service on an 10...

kobuki

BPDU can be disabled. A distinct separate bridge should see no other Layer 2 traffic where a shared bridge may allow other Layer 2 and if so consider switch port rules that allows only specific MAC set This might lead somewhere. Although we experimented with a lot of things, like setting the brid...

kobuki

Just sharing untested thoughts that may help: Remove all IP from ether[123] Add a bridge with member ports ether[123] Add the multiple IP to the bridge interface only You should have a single interface (bridge) reachable via ether[123] with one subnet per interface and one default gateway. Expected...

kobuki

Check this vrrp hack.

Thanks, I've seen this, but it seems they use a single interface. I'll look into it anyway.

kobuki

multiple interfaces in the same subnet * might be impossible * without using VRF. Multiple connected routes for the same subnet is * against all * routing standards/practises/ways/rfcs/wjatever... We still don't know what kind of "limitation" this is. We still don't know what you're tryin...

kobuki

Being rude to someone trying to help is an easy way to keep hearing crickets............ You were the first who asked for more info - I greatly appreciate your input and I provided as much as I can. Patrick7 stated what's already obvious: it's not a good practice, I've already said in my first po...

kobuki

No you have not :-) Nobody knows what this "limitation" is. Anyways, I'm out since you dont want to share important facts. Wise choice. It didn't seem you had the intent to help anyway. For anyone willing to help, to re-iterate: we had arrived at this solution after testing out variou...

kobuki

Who forces you to do that?

I've noted everything in OP and provided some additional info. This is what I need to work with, any suggestions are welcome that might help in this situation.

kobuki

Multiple interfaces in the same subnet is NEVER a good idea.

I know that, but I'm forced into this scenario so I need to solve this somehow. Do you have any suggestions?

kobuki

I was able to reproduce the problem via POC in a CHR. Full config export and packet trace below. I wanted to attach the pcap, but it won't let me (maybe I should use some specific extension). EDIT: 10.11.12.101 is my windows client on the LAN, 192.168.13.0/24 is a network I want access to via WG and...

kobuki

Detailed network diagram will help. plus config less router serial number, public WANIP information keys etc. It can be treated as default config with 3 interfaces (ether1-3) configured for a specific IP in the uplink public subnet and a default WG config with a single client. I traced the traffic ...

kobuki

I have a peculiar situation. We're forced to use separate interfaces on our router on the same subnet, because of ISP limitations. We use ether1-3 with 3 separate addresses, but a single default GW for the router, also on the same subnet. I've set up Wireguard with a known working config, and see th...

kobuki

I'm seeing the same issue on a CHR instance in a KVM VM (on Proxmox VE). Cloud time sync is off, 4 ntp servers are configured, all work. The offset is weirdly high. Can it be caused by something like CPU frequency scaling? 13:56:55 system,info ntp change time Jul/14/2023 13:56:55 => Jul/14/2023 13:5...

kobuki

"something is missing/not good enough on the mikrotik device and I want to add/replace it" I think that's all to it. They they seem to keep adding extras to ROS to allure to more potential customers. Until it doesn't compromise base functionality or security, I don't thing there's harm in...

kobuki

Hi, gurus :) . Since ROS still does not support tls-auth for OpenVPN (so many years... :?), I've been trying to find a workaround with OpenVPN client (giggio/openvpn-arm) running within the ROS container. However, no success. The client within container successfully connects to VPN server, I can re...

kobuki

I'm seeing an error when trying to add a container using this remote image: zabbix-proxy-sqlite3:alpine-6.0-latest Logs: 23:25:41 container,info,debug importing remote image: zabbix-proxy-sqlite3, tag: alpine-6.0-latest 23:25:41 system,info item added by cesar 23:25:43 container,info,debug error re...

kobuki

I see the mounts, but I want to write to them, which is not possible (permission error). I can't reproduce this. Please write to support with exact steps how are you getting this error and reference to this forum thread. Alright, it works, but only in a certain way - as your workaround suggests, st...

kobuki

I see the mounts, but I want to write to them, which is not possible (permission error). I can't reproduce this. Please write to support with exact steps how are you getting this error and reference to this forum thread. I used a test x86 KVM VM (fresh install from CD) with a single drive, can this...

kobuki

- The CT can't write to the mounted dirs - is that normal? Is there a way to write to them or to any place that's visible on the host? I need the container to write logs and status files. mount folders are not browsable from RouterOS, but you can access file through ftp,sftp, etc. I see the mounts,...

kobuki

Containers: is it possible to create mounts that the container can write into? My current tests with this beta show that it's not possible (permission error). It's an important function for many containers. stop/start newly created and started container and mounts should appear. We will fully fix t...

kobuki

Containers: is it possible to create mounts that the container can write into? My current tests with this beta show that it's not possible (permission error). It's an important function for many containers.

kobuki

I got around testing the container functionality with OpenVPN 2.5.7, Alpine Linux, x86 VM and 7.15beta. It's working, with a few oddities. - The CT can't write to the mounted dirs - is that normal? Is there a way to write to them or to any place that's visible on the host? I need the container to wr...

kobuki

Add your tun/taps as variables for your container. I tested with Zerotier in an Alpine Linux image and it works perfectly:

ZTTUNTAP.png

Nice!

kobuki

Could you allow systemd to work inside container?
NO!

That sounds good! How will it be supported?
/dev/net/tun device now is available for container use

I'll try as soon as I can after work. Is net_admin capability available along with tun?

kobuki

tun/tap support will be added in next release. Anything else to consider adding before stable release? Could you allow systemd to work inside container? It's practically never needed (but not impossible) for a container. A Docker container is not a VM nor an LXC container that provides full OS virt...

kobuki

tun/tap support will be added in next release. Anything else to consider adding before stable release? Well, just another idea. As I plan to run Suricata on an x86 host, I read this page and found: "This container will attempt to run Suricata as a non-root user provided the containers has the ...

kobuki

tun/tap support will be added in next release. Anything else to consider adding before stable release? That sounds good! How will it be supported? Will we need to create them on the router (host), or will it be possible to apply NET_ADMIN to a specific container so it can add it for itself? I think...

kobuki

There will always be some changes or requirement for configuration. Creating a TUN or TAP is not enough, you also need to configure how it is to be connected to the remainder of the network. Even when you run OpenVPN natively on a Linux box you will need to do that. So it is nothing special. We're ...

kobuki

Sure it can! I have written software that uses TUN/TAP myself. It requires privileges to create a TUN or TAP interface but once you have done that and opened it you can pass it along as an fd that can be used by less-privileged code. So it would be possible to arrange that a container config can cr...

kobuki

OpenVPN is open source so it can be modified to adapt to a different situation. Are you being sarcastic? But anyway, no, it can't. Using the tuntap kernel module, tun/tap devices, network admin functions, etc. is in its very foundation. And anyway, who would have the capability to make such changes...

kobuki

Maybe you can add such network config capability to the RouterOS container config/setup menus? It could mean certain software (after adaptation) could use the network devices previously setup, without the container having permission to do it by itself. For one, OpenVPN requires this cap after start...

kobuki

Will it be possible to add capabilities to containers? For instance, cap NET_ADMIN is required to create/use TUN/TAP virtual network devices for various functions. OpenVPN or other VPN solutions, like OpenConnect requires this functionality.

kobuki

As soon as the container feature is stable, an OpenVPN container, as the ROS implementation is a fraction of the upstream. I could finally stop depending on another device for my OVPN needs.

kobuki

There are no port mappings in this config panel, will they be added later?

kobuki

All base OS images need a command to run, otherwise they're just a bunch of files extracted to the overlay FS. It would be nice to be able to spec the command to be run even for these images in ROS, like for standard docker tools.

kobuki

Mikrotik support has a response to this issue: The warning will appear when you have some untagged port automatically added to the VLAN group. This happens when the port has set "pvid" and then in "/interface bridge vlan" table you create an entry with multiple VLANs, which inclu...

kobuki

If /interface bridge vlan print does not show any ports in the CURRENT-UNTAGGED column when that error is displayed it could be a bug. wlan interfaces themselves have options for VLAN tagging so it may be a historic artefact. Indeed, the untagged list is empty: /interface bridge vlan print Flags: X...

kobuki

It isn't the CAP configuration, it relates to having untagged= entries under /interface bridge vlan on rows which specify more than a single value for vlan-ids= . See the warning regarding this here https://help.mikrotik.com/docs/display/ROS/Bridge#Bridge-BridgeVLANtable Separating the bridge VLANs...

kobuki

As I stated tdw, its not a simple matter its the fact that the OP does not understand Bridge vlan filtering and thus giving him the config answer is actually not helpful as he will now not read the link nor really learn anything. I do understand the purpose of bridge vlan filtering and for the 3rd ...

kobuki

OK, additional info: the warning only appears when there are active CAP wlan interfaces dynamically added to the bridge. If I disable CAP and thus the dynamic ports, the warning disappears. I admit that I'm not very experienced with CAP, so the issue might lie somewhere in that config. Although I on...

kobuki

What the hell, man. Since my 10 years and near 150 posts here I haven't received such a rude and condescending answer to a reasonable post for help. From an old forum guru, at that! Please consider a calmer tone. It's unnecessary to accuse people of said behavior and assume things about people you h...

kobuki

I have a weird warning on my cAP AC, I think it's best to post my config, it's pretty simple (see at the end). Very close to default empty, just a trunk port with 3 VLANs and a CAPs config for the wifi. What I'm puzzled about is the following line: # port with pvid added to untagged group which migh...

kobuki

I'm surprised no one could answer this... Anyway, let me put it another way: on a CRS326, can I do anything in the bridge and/or VLAN/filtering that disables HW offload? Will I need to do any kind of filtering in the switch menu?

kobuki

I want to achieve a seemingly simple goal: "split" ingress traffic to 2 VLANs received on an ethernet interface, using a CRS326 or similar 24-port switch. I have an ISP provided gateway that offers IPTV streams in some VPCs (not important) and besides this traffic, there's a PPPoE connecti...

kobuki

FWIW, I've set up a nightly restart of the affected router and it offers a workaround, as the issue hasn't repeated yet since then. I's not ideal and not a real solution but causes no problems at the moment. I'm still hoping for a backport of the fix in the LTS series.

kobuki

I'm running ROS 6.45.9 Long Term on a new RB1100AHx4DE after having trouble with my initial RB1100AHx4DE on the same version restarting itself at about 1 month intervals. The new RB1100AHx4DE is running well with 84days uptime. So 6.45.9 is fine for you? I don't have much room for experiments as it...

kobuki

For others following this topic, please upgrade to 6.47.8 or newer, there are relevant fixed that will improve or remedy any issues described in this topic. I'm experiencing the same issue on RB1100AHx4. As I see the 6.47.8 version is in the stable branch, but I only run the long term one. I've bur...

kobuki

Same issue today on an RB450Gx4 - only reboot helped. These are some of the latest entries forwarded to the external log target. Seeing that no Mikrotik personnel commented on the issue, it's probably an unknown issue. CPU usage is minimal on average, very rarely peaking to 20-25% for shorter period...

kobuki

stable UDP and SHA512 Btw I now noticed that ovpn in ROS only supports md5 and sha1 (sha256, sha224, sha384, sha512). SHA512 would be fine! SHA256 and up are actually part of the SHA2 family of hashes, including SHA512. There's no practical difference between eg. SHA256 and SHA512. But still no GCM...

kobuki

Finally up and running with RouterOS 7.0 beta3! 😊 Finally. That's nice. I see the new UDP option, however still no SHA2 HMAC or EC cipher algos there. Only the outdated MD5 and SHA1 and AES for cipher, which in itself is good, but not enough (no TLS auth either). Well, it's still a beta so hopefull...

kobuki

Not all of it, you should keep vlan20 and related L3 setup ... And make sure you firewall VLAN20 from the rest of LANs (and WAN) on your main router. The trouble with (over-configured) L3 devices is that they can become routers between subnets (VLANs) in which they have L3 setup if admin doesn't pr...

kobuki

BTW, if you're trying to ping CRS' address, you can't because br-trunk has to be tagged member of itself. Same goes with RB ... . Thanks. This seems to have been the key... Weird but logical. I'll do some tests and set this thread solved for others if all is fine. Not many live devices on the acces...

kobuki

OK, I changed the bridge/port config per suggestions, but it still doesn't work. By that I mean not a single ping is working between the 2 devices with this setup on neither VLAN. With torch or packet capture it's obvious that the packets are not tagged properly so they don't flow in the right VLAN....

kobuki

Yup, leave pvid set to 1 or whichever vid you're not going to use. How things work: if a port has pvid set, it will add VLAN tag to any untagged packets on ingress. And natural configuration would be to have same port set as untagged member of same VLAN ... so that VLAN tags get stripped on egress....

kobuki

1st rule: don't use pvid on bridge, rather explicitly configure vlan interface with appropriate vid (as you have it later in the config) 2nd rule: don't ever use pvid on trunk interfaces, run them all tagged (right now you have configuration mismatch... ether1 n CRS and ether2 on RB have pvid=10 se...

kobuki

I'd like to achieve a simple network (to be later expanded), where the RB1100AHx4 is the main gateway and the CRS328-24P-4S+ the distribution/access switch. For now, I have 2 VLANs, ID 10 and 20. I want to connect the VLANs between the devices and provide DHCP on VLAN 10, while VLAN 20 is an adminis...

kobuki

I already mentioned two of those. Support is in mainline for ages. Both stable, widely used. As for security, both can work unprivileged (no root access at all). A chroot is not a solution. But it's up to MT anyway and I'm not really keeping my hopes up in either subject.

kobuki

I know what MR is and I used to use and test it. But it's not supported well and I have no idea what technology it uses. Seems left in ROS as a feature but it's effectively abandoned.

kobuki

I don't recall any of the device series released in the last couple of years actively supporting or advertising any kind of virtualization (not talking about x86 solutions here). Only one should be supported, if ever, not 2 or more. That wouldn't make sense. If the technology changes, so be it, but ...

kobuki

VIrtualization is a ubiquitous technology nowadays. Almost all x86 and many ARM platforms (and more) are capable of running it. Kernel/cgroup based technologies (eg. Docker, LXC) are practically available anywhere where a Linux kernel is running. It's not rudimentary, it's rock solid (when properly ...

kobuki

If at least we had a robust implementation of any virtualization tech in ROS for the lower-end devices, we would be able to add an image with a fully working OVPN implementation. It really baffles me that wherever we use MT devices and use OVPN (much more user friendly and easier to manage, support ...

kobuki

this is an issue since 2010 It's almost like a disincentive in spite of other VPN tech like IPSEC which has a quite good implementation that keeps evolving. In retrospect, what we heard in the last 10 years about why NOT implement it properly sound like really bad excuses. Or it's an indisclosable ...

kobuki

Something with a proper implementation. Selecting, testing and proof of concept starts within two months.

No further disclosures.

Will you be allowed to tell after final selection is done?

kobuki

If nothing changes very very soon, I have to replace my tiks. Talking over 3000 devices. Replaments will come.

May I ask what the replacements will be?

kobuki

Will CVE fixes get into the 6.43 LTS version?

kobuki

Hello Mikrotik Engineers, I know you have received many requests regarding OpenVPN UDP support, however it is proving almost impossible to get a clear answer. I'm all for Mikrotik and I use a lot of their devices, physical and virtual ROS, and they are mostly great, but I'm afraid proper OVPN suppo...

kobuki

None of these CVE-s are noted in the MT Security Blog and thus they are not real! ;-) Let's hope they have taken note and will issue an official comment and a patch. It's already in upstream. Yes, I do have some ports forwarded but not in the 0-500 range The TCP MSS is a TCP/IP specific parameter, ...

kobuki

There are fixes in kernel upstream for these vulnerabilities. Will Mikrotik apply them in a security release?

kobuki

So ether 5 is a TRUNK port and not an access port?????

Yes.

kobuki

/interface bridge vlan
add bridge=bridge-lan tagged=bridge-lan,ether5 vlan-ids=20

This one solved it, thanks! I know the PVIDs are redundant but they do practically nothing in this setup, so it doesn't hurt either. ROS defaults to PVID 1 and I tend to change it from 1 to one of my VLAN IDs.

kobuki

@sebastia, @mkx, thanks, one of these might be the overlook, I'll try them and also anav's suggestions. @anav: thanks for the thorough inspection of the export, but please don't mind all the defaults and missing bits (dhcp, pool, etc.), when I'll have the vlan issue fixed, I'll reconfigure the whole...

kobuki

From the full config you can see that ether5 is added to bridge-lan, and that is the interface connected to a trunk port on a switch with vlan 20 where only tagged packets travel. If I add the vlan on ether5, it starts working, with vlan filtering turned on. It's as if vlan filtering only allows tra...

kobuki

It's a basic test config not too far from the default one. Thanks.

kobuki

Thanks, I did that, but it didn't help. It's not an inter-VLAN routing problem, though, since I have only one VLAN. Unless I'm misunderstanding something, of course. /interface bridge vlan add bridge=bridge-lan tagged=bridge-lan vlan-ids=20 /interface bridge vlan print detail Flags: X - disabled, D ...

kobuki

I'd like to use the VLAN filtering capability on a HAP AC2. No HW chip VLAN settings are used, all are on defaults since I want to use the bridge facility for this entirely. This is the config I'm using: /interface bridge add fast-forward=no frame-types=admit-only-vlan-tagged ingress-filtering=yes n...

kobuki

What do you want to say? Have you example of hacked 6.42.7 or are you just guessing and making noise? One of a client's main router with ros 6.42.7 has been compromised and a lot of traffic was beeing generated before i replace it for a new one. Ros 6.42.7 with only winbox port open to web, and the...

kobuki

I removed the ipsec config for a while since the unsecured connection works between the 2 IPs and we need to do traffic between the peers. However I need the secure the connection, so I added the same config again. When I ping eg. IP2 from IP1, I see egress traffic in Torch on ether1 (the IF with th...

kobuki

Currently heise.de writes about attacks on Mikrotik-Devices. Maybe you can correct something on the part of Mikrotik, because the news does not sound good. https://www.heise.de/security/meldung/Spionage-und-Krypto-Mining-MikroTik-Router-angreifbar-4155288.html It looks like a clickbait, smelling pi...

kobuki

I've set up a tunnel between 2 routers, one RB850Gx2 (6.42.7), and one x86 (6.42.6) in a KVM virtual environment. The connection is established, but it frequently drops the ball and no traffic can pass between them. Sometimes it works for a full day, then drops again for extended periods. There're n...

kobuki

They do respond partially on port 80, but act strangely.

What do you mean by that?

kobuki

Is he trying to use Winbox to connect

No idea, but possible.

how would you route a Winbox connection through a socks proxy?

I assume that's a rhetorical question.

kobuki

It was empty where I checked, too. It's possibly just a presence indicator in the swarm for the C&C as you also mentioned...

kobuki

Now I can remote login to the infected router with user "sys" via SOCK

Good! Thanks for the feedback. Your attacker was a particularly malicious one, almost locking you out completely. Almost.

kobuki

2. I have try to login to remote mikrotik with that password but no success so I think the problem come from the hacker allow only IP 127.0.0.1 to login with "sys" account. And the hacker use script to disable hard reset, so I just ask can I use the serial cable to login. (infected router...

kobuki

We have added more details, so that it is more clear:
https://blog.mikrotik.com/security/winb ... ility.html

It would be really useful to bump that post with today's date and tag with (UPDATED) or something.

kobuki

... Create Security mailing list (the Blog you created is a nice step forward, but this is useful for "post event summary" and maybe not exactly for urgent security advisories). ... [/b][/i] I think this one would be very useful. I for one am subscribed to multiple ones already, and do pa...

kobuki

So what about version 6.40.8, is vulnerable or not? Could somebody from Mikrotik finally confirm it? Have you read the first post of this thread? EDIT: hmm, now that you asked, and reading the blog post again, it's really not very apparent which version pertains to which release branch at a single ...

kobuki

Since the attacker is inserting his script into the targeted routers and changing configuration in them, we recommend to carefully inspect the configuration of your device, restore it from verified backups or export files, and follow generic advice in the above links. What sorts of changes are bein...

kobuki

Figuratively asking: Are you saying that Mikrotik has hundreds of thousands devices? No, users are owners of them. Should Mikrotik call/inform each user/owner and "persude" to upgrade? What if user says NO? What if admins in DC ignore such info? I'm not "advocatus diaboli" of Mi...

kobuki

Hopefully the userdb (and every bit doing anything with passwords in ROS) gets hashes for passwords from now on, and hopefully a modern one. From "now on"? Really? Like stated repeatedly, this has been fixed a long time ago. This is just a reminder AGAIN to please upgrade, where all these...

kobuki

This vulnerablity is from 6.28. I try it: https://github.com/BigNerd95/WinboxExploit https://github.com/BasuCert/WinboxPoC On the first link WinboxExploit.py reveals that the admin password is stored in the clear in the device. It simply requests the userdb and prints stuff found at offset 55. Mind...

kobuki

hi guys considering buying one of these for general home use.. want to use it for wifi & VPN. Would wifi be ok using latest stock f/w for general home use? whats best speed anyones got using VPN single tunnel 256bit? cheers See here . I was able to saturate my 110 Mb downstream using AES-128+SH...

kobuki

Does anyone have the depth of the new CRS354-48P-4S+2Q+?

I am curious if it will fit into some customer wall mount racks.

Maybe this helps a bit.

kobuki

It doesn't work.

Well, I guess that would nail it for @acruhl then.

kobuki

Metarouter does not work on RB850Gx2.

The menu is actually there in Winbox, but it doesn't work? Never tried it since I don't need it at that site.

kobuki

Why shouldn't I buy the RB850Gx2? ARM SOCs are faster, run a lot colder and more commonplace (~= cheaper). If you don't need the additional speed of IPSEC HW acceleration, there's no real need to consider the outdated RB850Gx2. The new one beats it in every other way. EDIT: oh, and the RB850Gx2 doe...

kobuki

@mducharme: thanks for the heads-up about STP. I might switch to standard bridge config later, for now it works so I'll just let it be. I need remote hands to power-cycle, so maybe tomorrow. Luckily the SFP cage is vacant.

kobuki

@mducharme: in the meantime I've "found" the VLAN filtering option (I was in a kind of hurry to bring things back online), so I'll start testing it on the RB2011. I've modified my original post, removing the false info. So it might become possible to use the bridge config and ditch the old...

kobuki

RB2011 upgrade from 6.34.2. - VLANs are not converted - new bridge is not created but interface master-slave relations removed - after removing all VLANs to re-create the configuration manually using a new bridge, 2 bridges are automagically created somehow (RB2011 has 2 switch groups) and interface...

kobuki

I found this page on the HAP AC2 the other day. I thought it's relevant because the CPU is almost the same, barring wlan capabilities in the RB450Gx4. It's mostly throughput tests (including PPPoE over Gbit), in Russian but the screen shots should speak for themselves.

kobuki

@chechito: I stated my needs. I don't need a $300 router. Believe me, I don't mix up heavy queues with some NAT or filter rules. I also separate my APs and gateway, though HAP AC^2 and RB450Gx4 use a similar CPU. After reading posts on other forums and also here I concluded that the RB450Gx4 would b...

kobuki

@chechito, chanks for the insight, though comparing the devices in itself doesn't tell much. Obviously the RB1100 series is way faster. But many small, cheap routers are capable of what I ask and I think for MT to stay competitive in that price range they should be able to handle that, too. There's ...

kobuki

I'm considering the local provider's gigabit GPON offering, which comes with an ONT with AC wifi, but I Want to use the PPPoE pass-through option. Would I be able to saturate Gbit wtih an RB450Gx4 and PPPoE using NAT and around 10 effective FW rules? Has really no one attempted using Gbit PPPoE on ...

kobuki

I'm considering the local provider's gigabit GPON offering, which comes with an ONT with AC wifi, but I Want to use the PPPoE pass-through option. Would I be able to saturate Gbit wtih an RB450Gx4 and PPPoE using NAT and around 10 effective FW rules?

kobuki

I would highly doubt that the existing name servers would be having degradation from legitimate updates or queries.

With 60 sec TTL it's entirely possible, but it was just a guess. If it keeps being DDOS'd, then well, SOL. And yes, using the serial directly in the host name is not a bright idea.

kobuki

I raised my concerns about the built-in function, the thread is not about the alternatives that I know and use as well (dns.he.net or freedns.afraid org are good examples among many). The functionality is a good addition to RouterOS but the backing service is flaky. Mikrotik might have underestimate...

kobuki

(post Removed as others have answered my question)

kobuki

Pardon me, but specifying "www server" is not clear, at all. A serious security vulnerability merits more than vague statements about services. Do the scripts only scan port 80? Are we safe behind HTTPS (which still fall under the "www server" category) or not? Etc. You're obviou...

kobuki

Just to make it clear: only devices running a not up-to-date RouterOS version are affected, whose HTTP port (TCP/80) are open and provides the login facility and management GUI, right? I never allow unencrypted connections and always disable the HTTP and HTTPS interfaces. Only SSH and Winbox is enab...

kobuki

Nice to know that you take note of the problems, however it's still serviced from a single unicast IPv4 address...

kobuki

See here for an overview: https://intodns.com/mynetname.net One server is not answering, lame delegation, etc, quite a handful. I'm a bit concerned about these DNS servers, there's only 2 of them for the "cloud" dynamic names, apparently no real strong clould backing infrastructure is pres...

kobuki

With the new bridge implementation using HW offload, will it be possible to use multiple bridges using the offload capability, effectively creating multiple "switch groups" that retain wire speed in the group? It's now possible to do something similar using VLANs where each VLAN has a CPU ...

kobuki

@pe1chl: well, it was my mistake, the ack mail landed in the spam folder after all. It got lost with the junk there but just found it. I hope they can fix the issue. It works for you, it should for me as well. I hope it's not a faulty HAP AC where I tested it.

kobuki

@pe1chl, can you please tell me what version of the srick you use? There're different series, 21.xx, 22.xx. Also, did you make any special settings?

My host is not spamming but that's only relevant when sending mails out of it, not when receiving...

kobuki

I also have a Huawei E3372, it works fine in Hilink mode under Debian Linux 8, kernel 4.2, but I can't make it work on my HAP AC. The modem is stuck in the vendor-id="0x12d1" device-id="0x1508" configuration, which is the "basic" mode without the Hilink interface. Linux...

kobuki

Hi guys, We have bought a 2U Dell Server with 4 Dual 10Gbps ports and we would like to install RouterOS or CHR on it in order to overcome the BGP limitations of our CCR1036. We are not going to install anything else on this server to make sure it has all the power available to handle our multigigab...

kobuki

For example x86 don't have virtio drivers, so you can't install RouterOS on a public cloud like Amazon EC2, Azure, or like it.

The installable x86 version does include virtio drivers, I use virtualised ROS instances at multiple places (on KVM, not Xen) with virtio, without problems.

kobuki

I'm not exactly new to Mikrotik and RouterOS in general, but aside from simple queues for DL/UL limitations, I've worked very little with them. I'd like to employ a simple priority measure for the IPSEC/ESP tunnel we installed between 2 offices. Sometimes the tunnel suffers because of other inetrnet...

kobuki

kobuki product is called hAP AC (the same name as topic). I think it is easy name to remember. RB962UiGS-5HacT2HnT is product code, and it collects all information you need to know about ports and features (if you like). Thanks -- however the post where I noted that it was meant to be a joke and I ...

kobuki

I'm glad it appeared finally. I have the AC Lite and it's fine so far, I'll probably replace an older TP-Link dualband as soon as I can get hold of a HAP AC, for testing.

kobuki

My experience...it depends on your understanding of "beating"..... I have just, finally, thanks my God, replaced an ERLITE-3 by an RB/3011 on a 300/300 Mbits PPOE/Nated fiber connection with IPTV and IP phone...unbeliable: back to have a router in a corner of my house acting as a router a...

kobuki

I'm not very concerned about the problem, but I find it weird that with ever falling flash prices, Mikrotik wants to save the pennies on it. In large volumes, it turns into profit, that's for sure, but still...

kobuki

Has anyone been able to conduct IPSEC throughput tests on the new RB850Gx2 with HW acceleration? My local supplier is already selling them with the new serial but I'm hesitant to buy them for new projects just for this feature yet.

kobuki

Please consider adding the recognition of extra virtual disks to the appliance. Additional virtual storage space would be very useful for larger web caches, FTP or Samba servers as a simple and easy alternative to other storage appliaces with no fancy requirements. Will this be possible in the fina...

kobuki

Great Idea. I'm already using several instances of ROS on virtualised platforms for live virtual systems and for testing. When a polished final product, I'm sure it will be a success. Please consider adding the recognition of extra virtual disks to the appliance. Additional virtual storage space wou...

kobuki

Shaoranrch, thanks for the extensive answer. Your explanation is of course, logical, and I'm aware of the basics of IP resolution within L2 broadcast domains, but at a point it seems to contradict my findings where I said I could just ping the gateway IP just fine, yet ROS refused to use it. OTOH, I...

kobuki

Well, I solved this, kind of. /ip address add address=88.x.x.177 interface=ether2 network=78.y.y.132 /ip route add gateway=78.y.y.132 ROS automatically adds a host route for 78.y.y.132 (main ip of the host machine, outside of the routed /29 subnet) on ether2 and I can use it as gateway for the /29 e...

kobuki

Well, I have tried your suggestions, but neither of them is working on RouterOS. I can't make it work, whatever I try. I even enabled proxy arp on the host so the upstream gw appears as directly connected IP, to no avail. If the ROS doesn't have an IP from the same subnet as the gateway, it doesn't ...

kobuki

Thanks, pukkita, I'll try this tomorrow and report back.

kobuki

I'm trying to create a simple config at a datacenter where I am allocated a single "main" IP with a default GW on the same subnet. All is fine. Then I requested for an additional subnet which is statically routed to this main IP. It's from a different, arbitrary subnet. This setup is virtu...

kobuki

Well, I actually solved it at last. I don't know what the problem was, I rebuilt the IPSEC config from scratch and poof, it started working. No config difference compared to what I've shown earlier, that I know of. Weird.

kobuki

Oops, my mis-read, sorry. I'm used to mis-configuring it myself where I put the connect-to IP in instead of the remote-LAN IP, glossed over your opening statement, sorry. Do you have a regular client connection that works with these settings? To me, the MT settings look correct and I'd be inclined ...

kobuki

You need your /ip firewall nat rule (the bypass rule) to match the local and remote private networks. So, if the local side is 192.168.1.0/24 and the remote side is 192.168.2.0/24, your NAT bypass rule would be as follows: /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192...

kobuki

I'm trying to create an ipsec tunnel to a host where the destination subnet and remote public endpoint is both the same single public IP address, that is, it's a seemingly simple config where they allow access to a single public address from our small local subnet. The ipsec config looks like this: ...

kobuki

Are you really complaining about not getting an answer in a forum within 8 hours?

Check your clock, please. It was about a day later.

But no. It was merely a rhetorical question, if that helps to satisfy your curiosity (or your feeling of righteousness).

kobuki

I wonder if I ever get an answer...

kobuki

I was anticipating this feature and installed 6.29.1 only to find out that it's not supported on my router at home which is an RB450G. It has been one of the most popular ones and there isn't a night and day difference between this and the 750G which is indeed supported. Their hardware is almost ide...

kobuki

KVM is inherently an x86-only technology - so I'd say definitely no. You can already use KVM on RouterOS x86. It started on x86, but it has progressed far beyond that. The code is actively maintained on multiple architectures, see: http://www.linux-kvm.org/page/Status However, it's only considered ...

kobuki

we are actively working on virtualization support for multicore RouterBOARD products.

Any chance of KVM virtualisation on these boards?

kobuki

After the announcement that 6.20 will only work with Winbox3, I started testing it a bit. I'm using Windows 7 SP1 x64 and have found that it can only save 5.x window sessions (it might save them but definitely can't load them). 6.x sessions are always started with a blank window, regardless of the s...

kobuki

What's new in 6.20rc6 (2014-Sep-08 10:16): *) pppoe client - increase connection timeout to make connection establishment possible on busy pppoe server; *) dhcp server - change default lease time from 3 days to 10 minutes to avoid running out of IPs; *) ipsec - allow binding modeconf address to use...

kobuki

Is the latency of 6-7 ms I see on the images normal? I thought it would be less. Where does it come from? Wifi mod/demod or packet transmission time (not the radio wave speed), inherent device latency, or something else?

kobuki

Some news: http://www.brocade.com/forms/jsp/vyatta-download/index.jsp?src=WS&lsd=Banner&lst=BRCD&cn=SDN-GDG-14Q1-EVAL-WS-Vyatta-Download&intcmp=lp_vyatta_trial_hp_bn_00001&gcn=&ggeo= Brocade make vyatta distrib that makes that what we want from ROS in HyperV\esxi This is in ...

kobuki

Thanks Quindor. Yes, we encountered an issue that needed to be fixed in the board design before we can start mass production. Sorry that this happened and pushed the previously estimated release date. Ah, good it hasn't been abandoned. You could have told us earlier... such a simple note. Awaiting ...

kobuki

Haha nice . Didn't even notice the CCR1009 has a switch port , I just assumed it lacked it like all the other CCR's. I think I pretty much found my replacement device for the 2011's now. Yeah. But unfortunately it has active cooling (a fan). Not an ideal choice for a fast broadband connection for a...

kobuki

Maybe they've withdrawn it, not wanting to create an inbreed competition to their own low-end Tilera-based devices... Or are fine-tuning and testing the code to be the finest possible ever made for a MikroTik router :) Anyway I'm also eager to try it and replace one or 2 450G and 2011. Dual-core PPC...

kobuki

I've upgraded an RB2011L-IN to 6.13 a few days ago, and I' observing a strange CPU behaviour. The average CPU usage is higher by about 2-3% and there are randomly repeating very short 100% usage spikes, without any significant traffic or other measurable activity (in the middle of the night for exam...

kobuki

I'm using an MT5 instance on a VM too (Proxmox PVE, KVM, virtio NICs). It's working fine. Also shortly tested 6, no problems. But I can fully understand that those already having a Hyper-V infrastructure in place, would want to run ROS on it. All that is missing is some modules? And MT is not willin...

kobuki

On RB450G, when I change the MAC of ether1 to match the one required by my ISP, no stats are displayed. "Overall Stats", "Rx Stats", "Tx Stats" windows are empty. Traffic graphs are OK. This error is present since 5.23 as far as can remember, but for all 6.x versions I ...

kobuki

i have this issue with certifcates as well. seems winbox thinks its 365 regardless of the actual date

I can also confirm this. Simply forgot to report in my previous post.

kobuki

Certificate export is not working. RB2011LS-IN, Windows 7 SP1 x64 running Winbox. When I press Export in the certificate details window, Winbox exits in an instant and all windows settings since its last start are lost. Also, cannot rename the certificate, it says "certificate subject is read o...

kobuki

RB450G, rc14, WinBox: ethernet interface Overall/Rx/Tx stats are completely empty or partially empty. On my router, ether1 is blank on every stats pages, and ether2 (2-4 ports switched together) is partially blank on the stats pages. ether1 has a changed MAC (ISP MAC restrictions), maybe this has so...

kobuki

Same problem on RB450G. 5-minute interval, store on disk for every graph. After reboot, resource graphs are retained, interface graphs are missing. Using RouterOS 6rc14.

kobuki

EDIT: for a mysterious reason it suddenly started to work. Deja vu... Please help. It's a config that used to work (recreated, but it's along the same principles and the IPs are the same), but now the connection doesn't even start initialising. Enabled the IPsec debug log, but besides config changes...

kobuki

This one is quite good:
http://www.cyberbajt.pl/cms.php?get=produkt,4114

Do you think one could use 2.4 and 5 GHz in simultaneous mode on a MikroTik device, using this card?

kobuki

It's very nice as a router or AP. But it does not perform well as switch or NAT. On the other hand, Asus RT-N66U has much better performance as gigabit switch or NAT. Well, it has 2 distinct switches, one 5-port Gbit and one 5-port fast ethernet. Switching within one switch or the other is wirespee...

kobuki

Could any of you please provide the NAT and Switching performance via iPerf? I tried iPerf on my RB433GL and RB493G. The RB433GL has very poor performance on everything. No wonder it's low cost model. RB493G is alright, but not great! I only only get 2XX Kbps on NAT and 4XX Kbps on switch chip. I d...

kobuki

I use an RB411AR w/R52n for my AP. The integrated card for B/G w/WEP for backwards compatibility and R52n for 300Mb @ 5GHz. Works fine, though occasionally I max out the CPU with large transfers, still near 100Mb wire speed most of the time. Sorry for the possibly dumb question, I have no experienc...

kobuki

I'm considering the purchase of a simultaneous dual-band device myself. Preferably MikroTik, if there's a feasible solution. Have you decided on your solution? I'm curious.

kobuki

You have to sign up for pre-release testing, and have to agree that some of these releases are alpha-quality. They can and will crash. Send email to support if you agree to test this.

Thanks. For a beta/RC it's pretty normal.

kobuki

Please excuse my ignorance, but where can I download RC1 for testing? Public pages show only 6.0b3 download links.

kobuki

I thought I report this. Happening in a VMWare Workstation 9.0.0 build-812388. See attached screenshots (same error in 2 pics). Fresh install, was just about to set up an IP address. Issued a print statement under /ip address.

kobuki

I'm also evaluating the possibility of using MT in a purely MS environment using Hyper-V as hypervisor. It'd be really nice if I were able to use ROS 6 there.

kobuki

If anyone is interested, I've made a simple test with NAT. An adress on ether1 (representing the wan side), a subnet on ether2 (representing a lan), and a simple TCP forwarding rule from ether1_wan_ip:9999 to a virtual machine on ether2_lan_ip:9999. There is a masquerading srcnat rule for the subnet...

kobuki

Thanks. I've decided to try the RB2011 for the particular task for a start. If it's not a good fit I might go a little higher, maybe try a 450G or use something completely different (not a MikroTik product). RB1200 is out of the current budget. That'd be a shame since I like their products and espec...

kobuki

As I've already said, I was comparing the two while trying to decide. No NAT figures there, only routred/bridged config with and without conntrack, which is not the same. Actually, far from it. The 450G is capable of a NAT througput at around 200 Mbps (based on others and on my own experience), whil...

kobuki

Well, i guess so. Compared to the 450G, how are NAT throughput figures? Can the 2011 top the 450G's max througput of about 200 Mbps? This in an information I'm unable to find. I won't actually need more than that, of course, just wondering.

kobuki

Yeah, comparing the throughput figures, I thought so too. No queues planned so far, however, I'm concerned about the amount of ram. 2011 has 64M, while the 450G has 256M. Although no heavily loaded servers inside with thousands of connections, so it might not be an issue.

kobuki

What would be the proper choice of a routerboard from the current available lineup of hardware for the following scenario? - BW: about 125 Mbits down / 10 Mbits up, cable - users: about 30 in an office, normal office work, nothing out of the ordinary - a mail server in the office for those users, wi...

kobuki

Well, I seem to have found a solution. I'm posting it in order for others looking for a solution to this problem can find it in the future. The "nemesis" utility needs to be installed. In my case on Debian, it's a simple matter of running "aptitude update; aptitude install nemesis&quo...

kobuki

I have a RouterOS appliance running in a KVM VPS in a datacenter. I'm moving IP addresses from the hardware interface to the VPS, but run into a problem all the time I do this. The datacenter's uplink switch has a 4-hour eviction policy set on its ARP cache, so I'm guarenteed to have a 4-hour downti...

kobuki

Well, this stuff made me curious so I've created a VMWare image of the newest ROS, converted it into the appropriate format, uploaded to S3 (where the C2 cloud can import it)... only to find out in the end that this method only works for Windows operating systems. There is, however, another possibil...

kobuki

Yeah, thanks, that was my plan anyway. Use a ROS installation as gateway/shaper for some of the VPSes and do some testing. If it goes well, I can consider switching the entire HW node. I'll report some of my findings if anyone is interested. Unfortunately not much info is available in this subject (...

kobuki

I'm sorry if it looks as if I wanted to steal this thread, in that case I'm going to open a new one, but my question seems relevant. I'm also thinking of running a MikroTik ROS as a KVM appliance as a cheap and handy alternative to a separate racked product. It's in fact installed and running fine i...

kobuki

Thanks for the replies. I'm using Zabbix for the moment, and it doesn't influence the SNMP readings at all (CPU load or anything else). I'm suspecting RouterOS is misbehaving at certain periods. I might need to forget the built-in graphing completely if it's so unreliable.

kobuki

I've employed an RB450G in a datacenter recently, and experiencing strange 100% CPU usage spikes on the CPU graph. They always last a single tick only, and the SNMP monitoring tool sampling the same board (with more frequent, 2-minute intervals) shows no signs of them. There are no other kinds of re...

kobuki

+1

I'm also curious about these figures. But I guess until at least IKEv2 and UDP support for OpenVPN is implemented it has not much use for me.

kobuki

No, unfortunatey no fiddling with the MTU helps. One direction is working OK, the other isn't.

kobuki

Well, I tried to lower the MTU on the WAN side, it did not help. It's as if conntracking didn't kick in or something. The first packet is fine, the rest is lost. My other suspicion is that the ADSL modem's buggy firmware doesn't forward the IPsec packets correctly in both directions, although IPsec ...

kobuki

So no one has an idea?

kobuki

Some additional info. It seems I'm able to download small files, but not larger ones. My guess is that the file must fit in a single packet or there's some relation to the packet size. I can download a 1300 bytes file, but not a 1400 bytes file... Uploading arbitrary files is still not a problem. It...

kobuki

I can't figure out a probably simple situation, please give me some advices, I'm not experienced with MikroTik IPsec. I've successfully connected 2 endpoints. I can ping the remote end, but no equip to serve on the remote side yet so I cannot test that direction but i suppose it works. The 2.2.2.x i...

kobuki

I think it's a general enough question to be answered here on the forums. I might additionally send a support query though.

kobuki

Well, as 5.7 is out I've done a quick upgrade. For previous upgrades, it seems I've done a very simple mistake... This time I had the idea of waiting a lot more before declaring my router unresponsive and surprise, surprise - it rebooted after like a minute or so and is back online, upgraded. It's s...

kobuki

I'm also interested in this. I'm planning on using an x86 ROS as VPN GW, and was wondering about the same thing. It would be nice if 5.x already supported AES-NI.

kobuki

Thanks. As I've mentioned I don't have the proper serial cable at the moment, so I can't use that for now. I've managed to flash a working 5.6 onto the device, but as soon as I do a "/system reset-configuration" the connection is lost and all I can do is re-flash the device via netinstall....

kobuki

Alright, to answer my own question. It's possible to make the RB450G boot via the network basically the same way as the RB750G, using the reset button. I was succesfully able to flash 5.6 with netinstall, but the problem remains: it cannot be flashed using the normal WinBox method. Do I miss somethi...

kobuki

Please help. I've upgraded my 450G from 4.15 to 5.6 via the WinBox method. The update itself went fine. It was previously accessible via the LAN IP of 192.168.0.192, and via MAC address. After the upgrade it's not accessible any more at all, with either method. Since I don't have the proper serial c...

kobuki

After having found the problem myself, let me phrase in simple words what I wanted to achieve, we might still find a fault, and others may be able to learn from it. x.x.139.66 is router public gateway address on ether1, 192.168.88.1 is internal LAN address on ether2, x.x.35.229 is the remote managem...

kobuki

I have basically the same problem. I've set up the SNMP service, firewall input and NAT rules, yet it doesn't work. Port 161 is also filtered, so I needed the NAT rule. Other NAT rules are happily working, this one doesn't. Using torch I can see incoming traffic from the management machine to UDP po...

kobuki

Yeah, I have to agree for the most part, but this customer gets his 120 Mb line for not significantly more than their old 16 Mb DSL line... I can hardly sell them a router costing around $600... I guess at the end they'll have tu put up with the simple CPE the ISP installed ATM. We'll see.

kobuki

Yeah, I've already checked out the r0c-n0c routers, but I think that compared to a ~$130 RB450G, a $600 appliance is a little more than an "upgrade"

They don't really seem to be in the same league...

kobuki

Heck, there are parts of the world people would laugh at you for a mikrotik... because you get internet via 1gbit connection as part of your appartement rent ;) No joke ;) A poor 450 would probably melt. Not literally. Well, Mikrotik routers are practically unbeatable in price/performance ratio. Bu...

kobuki

Alright, thanks. I have a 450G at hand to toy with so I'll do some testing. I'm hoping it might still be enough, altho the device should be chosen for the theoretical maximum load, with all possible circumstances taken into consideration.

kobuki

Hm, thank you for the insightful answer. So the theoretical/advertised routing performance of several hundred megabits of the most common MT routers won't suffice for such a connection? I'm rather surprised. We've measured a 4-5% CPU load on a 750G for a 10/10 Mbits connection saturated in one direc...

kobuki

Sorry if this question has been answered before already, search didn't really help me in this case. We're about to install a new router at a customer's office next week. They have a 120 Mbps connection at the local cable company, and we're looking for recommendations on a specific routerboard model....

kobuki

You need to reinstall RouterOS. http://wiki.mikrotik.com/wiki/Netinstall http://routerboard.com/pricelist/download_file.php?file_id=123 HTH, Well, thanks. In the meantime I've also found the proper method for reflashing via netboot. Although encountered a few problems. 1. Unfortunately updating did...

Search found 201 matches