MikroTik

brianchrist

I found the problem.

I put the jump action to evaluate the PPP filters in the "input" chain which cause an error when the dynamic rules are created (include in & out interface in the rules)
You have to put it in the forward chain which accepts either in or out interface.

brianchrist

1. make sure you can ping the 192.168.0.1 from client device (172.16.0.2) 2. make sure your traceroute to internet (ex. 8.8.8.8) go through 192.168.0.1 3. add NAT on 192.168.0.1 router /ip firewall nat add action=masquerade chain=srcnat out-interface=<interface with public IP> src-address=172.16.0.0...

brianchrist

You're marking the packets on the incoming LAN interface with mark-routing, so they will be routed to the ISP interface while Mikrotik evaluates the routing decision.
They will never reach other LAN interfaces.

brianchrist

Just connect the Mikrotiks using that single cable and add VLAN interfaces on the ETH interface on both devices.

Something like this:

2021-09-22_153917.jpg

brianchrist

Hi all, I set up the Mikrotik as a VPN server using L2TP and RADius authentication. When I add the attribute "Filter-Id" to the Accept-Response, the established connection will be dropped. The error message in the log is: could not add filter: outgoing interface matching not possible in in...

brianchrist

I knew it.

brianchrist

If your internet/uplink plugged to ether1, this should work:

/ip firewall nat add chain=dstnat dst-port=25565 action=dst-nat to-addresses=192.168.88.29 in-interface=ether1

and make sure you have src-nat for internal hosts to access the internet.

brianchrist

Please add dropped packet counter for SNMP (OID), this is very important to measure queue effectiveness.

brianchrist

which link is broken? works for everyone else

got it. it's only available on czech and germany site

brianchrist

where i can download it?
the download link at http://www.mikrotik.com/download.html is broken

brianchrist

Driver used is realtek. I have couple of intel pro 1000, i tried it before with same result. Irq is balanced to use the two cores. RPS doesn't seem to work yet in v5rc1, enabled but the other two cores are idle while the two cores connected to the NICs are 100%. I really hopes RPS can work to solve ...

brianchrist

Just using mikrotik's bandwidth test on 2 PCs and router under test in between.

brianchrist

considering the CPU is 100% already, will changing NIC make any difference?
or might the PCI slowness increase the CPU load?

brianchrist

great!

i manage to create selector for connection markings (which hits on new connection only) and the packet marking.
on my simulation router the performance is increase 25k to 62.5k pps

it's 250% increase ... yahoooooo

brianchrist

Selector is a great idea!

Thanks leonset.

brianchrist

Some disadvantages of using PCQ on dedicated customers: - cannot have more than one IP address. Each IP in PCQ will be treated as one customer, dedicated customer might have up to 32 IPs - cannot have SNMP (OID) for each customer - cannot set custom bandwidth requested by customer (upload, download,...

brianchrist

just limiting bandwidth for each --dedicated-- customer, not broadband, each customer might have different bandwidth limit.
I use PCQ for broadbands.

brianchrist

Getting desperate here ... Mikrotik setup as transparent bandwidth manager only (bridged), 250 customers, 2 mangles for each customer (~500 mangles), 500 queue classes Maximum load only 65k pps, 100% on both CPUs (for each NIC) Tested on ROS v4 and v5, same result. Hardware: Gigabyte Motherboard Int...

brianchrist

forget about RB1000-1100 for you network, no more than 150-200MBit whith little firewall. Use Core-i5-i7 based routers or Xeon 54x, 55x, 56x + Intel based ethernet. (Now on Core-i7 have 2 BGB full view uplink, ~ 400 Mbit traffic, heavy mangle chain, little forward chain , little nat chain, CPU load...

brianchrist

After struggling for couple weeks, I found the cause of the drop is the CPU. I use dual 4 core xeon (makes 8 cores) but Mikrotik only use 1 core (because I only use 1 interface) Drops happen when CPU (a core) reach 100%, you can see each core usage in ROSv5, in ROSv4 cannot see each core. In my case...

brianchrist

i have intel here too and one of the ether shows rx drops 5 in 5 minutes exactly. the proc is a dual core. if i set the /system hardware set multi-cpu=no, it can get better? thanks no. keep multi-cpu=yes if your mikrotik detect 2 cpus, just make sure the load is below 50% otherwise it will start dr...

brianchrist

New find out.

Using Intel Core i5 3.33GHz with equal Gygabyte MB is no better than AMD 3.0 GHz

Using Intel shows counting RX Drops.
Using AMD shows NO drop at all.

brianchrist

Hi,

What MoBo and NICs do you use?

Regards, Grzegorz.

Gigabyte GA-MA785GM-US2H
Onboard NIC
AMD Phenom II 3.0 GHz

brianchrist

it's a matter of CPU! Using double xeon (totally 8 cores) 2.26 GHz does not good enough to serve 1200 lines of mangles and 200 queue policies. Mikrotik use one core only for firewall & queue, that's why the cpu resource shows 15% (one core equal to 12.5% for 8 cores cpu) I change the CPU to AMD ...

brianchrist

Onboard NIC (intel) on Intel mainboard has RX drops problem. RB-44GV NIC doesn't have problem with RX drops, but has problem with FCS/CRC error on Cisco switch. (tested with several cards) RB-44G NIC has no problem with FCS/CRC but the RX drops exist. Dlink 538T has problem with RX drops, but it muc...

brianchrist

Same problem here.
I'm using intel onboard NIC, Intel motherboard.
Traffic is about 100 Mbps, 28k pps.
cpu is 15%

Is the buffer of the onboard NIC to small to handle this traffic?

Tonight I'll try RB-44G NIC

brianchrist

but the xx.xx.xx.xx could be different for each session since the IP is dynamic using DCHP.

the situation:

1. host got ip dynamically (dhcp)
2. host connect to vpn server (using pptp) add default gateway to the link.
3. need static route to a host but NOT via pptp link

brianchrist

i need to put a static route to a PPTP host on a dynamic ip client (dhcp).
is there any way to do this without script?
using ethernet interface as gateway is not working.

i need this because i have to use the default gateway routed to the pptp interface.

brianchrist

mrz is right, i have same situation with cobianet and now i have oveercome the problem by add filters to allow only prefix you need only. my routing filter on pptp server: 0 chain=ospf-in prefix=10.162.0.0/16 prefix-length=0-32 invert-match=no action=accept 1 chain=ospf-in invert-match=no action=dis...

brianchrist

Maybe someone will need it =)

http://wiki.mikrotik.com/wiki/Change_MA ... _interface

I think you should add the physical interface to the bridge.
And looks like this only add a new MAC to the VLAN because the original interface MAC still exist.

brianchrist

Let me simplified this.

Hotspot should be reply any arp-request from client computers with hotspot mac-address.
What happen if the real owner of IP address replying also (in case the IP address is used by a computer on the same subnet)?

brianchrist

I'm using ROS 3.28 My hotspot clients seem do not have arp-reply from hotspot gateway. Here the case: One of my client (Computer A) using static IP 192.168.1.1 Other client (Computer B) that eventually using static IP with the 192.168.1.1 as gateway, have mac-address of Computer A instead of hotspot...

brianchrist

I tried adding static ARP method before but you have to change the interface ARP setting to reply-only, or a new ARP entry will created as the user using new IP address.

brianchrist

Looks like i addressed the issue in this mangle rule.. if i enable this, the router crashes after a while and reboots /ip firewall mangle chain=forward action=add-dst-to-address-list src-address-list=IP dst-address-list=!IP address-list="P2P Address" address-list-timeout=5m connection-mar...

brianchrist

Does anyone knows that EoIP use ICMP?

Because when my link provider block the ICMP between the IP tunnel, the packet loss is increase significantly and back to normal when the ICMP filter is disabled.

brianchrist

I run the dude over mikrotik's xen.
everything run nicely, until the vm restart.
all config lost, just like when you first time login to the dude.

mt v3.22
dude 3.1

any suggestions?

brianchrist

try this filter to bind IP and MAC:

add action=drop chain=forward src-address=192.168.X.X src-mac-address=!00:0C:42:XX:XX:XX

* there is a "!" in front of MAC address

brianchrist

two interfaces from the same router connected to a switch can cause loop in the network (the network can be down).
if you want to run 2 PPPoE service with different profile, it can be done on one interface.

brianchrist

Almost same problem with me and still find the cause. I'm using Intel Quad Core on Asus mobo, RB44G running as bridge, transparent firewall, vlans and queue. System works as expected but not more than 2 days, it just crash and restart. Log only shows "router was rebooted without proper shutdown...

brianchrist

I use EoIP between HQ and branches, the VoIP and data works fine.
I use x86 PCs and different versions of mikrotik

brianchrist

v3.14

torch-error.png

the link doesn't work.
never happen before. any clue?

brianchrist

New findouts: This morning I did a ping test again, but now I add a firewall filter on each box and the result is: All the packets COUNT and bytes COUNT in each box are exacly the same, means no packet is loss nor bypassed. But the traffic RATE in the middle mikrotik, in torch, is always lower than ...

brianchrist

Is connection tracking for bridge on? Why would you want to put Vlan, if you bridge the two routers? Do you mean the one at the /ip firewall connections? yes, it is enabled. and, use-ip-firewall: yes use-ip-firewall-for-vlan: yes Between those two routers, there are some vlans, with different purpo...

brianchrist

Configuration: 1 PC with 2 network cards, bridged Mikrotik version 3.14 Vlan trunk traffics (802.1q) flow through the box without problem. diagram: router1(vlan) --------- Mikrotik (bridge) --------- (trunk)Cisco(vlan) --------- router2 Problem: If you try to torch the traffic on Mikrotik, you'll fi...

Search found 44 matches