MikroTik

wispvt

I don't have any way for sure of knowing no other changes possibly affect it, as when you have a large network, many changes get made and sometimes if it doesn't affect many customers in a meaningfull obvious way they can go unnoticed but I'm pretty certain it was the update to ROS that caused the i...

wispvt

We can run speed tests to outsied the eoip tunnel just fine, it would nice to test through the tunnel though to see how the tunnel is performing. I'll try adding the ip address as permanent ip's to the list to see if your theory is correct. Do you think there will be a permanent fix in the future RO...

wispvt

Sindy we got the configurations made as you suggested and it appears it is working. The only issue I have seen so far is speed tests between routers on each end of the link only seems to work in 1 direction across the EoIP link, in the other direction it starts to works then dies. We saw it before w...

wispvt

Sindy I am still unable to get to work. I can see the counters going up in the bridge filter to mark the packets but in the mangle rules to add to a list the packet count will always sit at 0 even with the rules at the top. It's the same on both ends of the link. Both bridges are set to use ip firew...

wispvt

There are no addresses specified. Only things specified in the secret is the name, password, and profile. Should there be a mac address associated with this interface somewhere? Also should arp=proxy-arp be set on the bridges and the admin-mac address at both ends? I see some people use that in thei...

wispvt

Office End /ppp profile add bridge=bridge1 bridge-horizon=1 interface-list=LAN name="BCP Profile" use-encryption=yes use-ipv6=no /interface l2tp-server server set default-profile="BCP Profile" enabled=yes mrru=1600 Remote End /ppp profile add bridge=bridge1 name="BCP Profile...

wispvt

I was able to get l2tp set up with BCP pretty easily. The issue I'm having is pinging any hosts on the other end of tunnel from either end are returns DUP pings non-stop so I'm assuming traffic packets are duplicated as well. Speed through the l2tp is much better than the EoIP link though. When I pu...

wispvt

Thanks

wispvt

Thanks again for the info, is there a better more modern way to connect remote sites across the internet instead of EoIP where MTU sizing is not an issue and may also take less CPU resources and have better throughput?

wispvt

Thanks I'll give that a try. Is there any other way to lower the MTU below 1500 on an EoIP interface and not affect everyone else on the bridge even though they aren't even sending traffic over the EoIP interface. Both ends of the EoIP link are on NAT'd firewalls to the LAN bridges.

wispvt

I have the same issue, my EoIP interface is on a bridge with multiple other ports. I'm using V7.11.2. If I lower the MTU of the EoIP interface down from 1500 to 1458, traffic flows much better across the tunnel but cause issues for other people on other interfaces on the bridge. I can't add those ma...

wispvt

/ip firewall mangle add action=accept chain=prerouting comment="Allow usage of default routing table for traffic to connected networks." \ dst-address=75.xxx.xxx.0/24 in-interface-list=LAN add action=accept chain=prerouting comment="Allow usage of default routing table for traffic to ...

wispvt

I am trying to add a vlan network onto my existing network where no traffic is on a vlan. I need to isolate the VLAN traffic on the same network as existing traffic and only allow it to access the DHCP server and gateway of the hotspot firewall not firewall 1. I try setting the port 2 on the bridge ...

wispvt

Thanks for the response. Is there anything I can do to lower the CPU usage to achieve more than 2Gbps on my CCR2004 in real world scenario? Is there anyway to diagnose and tell if certain mangle or firewall rules are the cause of the slow down or inefficient? If you look at the cpu profile is only s...

wispvt

We have noticed the same thing on CPU usage, we just upgraded a NAT firewall that does PCC load balancing from 6.48.9 to 7.11.2 yesterday and you can see the huge difference in CPU usage. I would have thought with the newer OS it would be dramatically lower not signifigantly highter. This is on a CC...

wispvt

Just had a CCR2004-1G-12S+2XS start doing the same thing. Filtered the SCTP traffic in RAW but to no avail so it's something else. Downgraded the router to 6.48.6 for the fix. So if it is an attack it has evolved to now include arm64 processors and possibly different protocol.

wispvt

It definately could be some sort of attack vector but the fact that it only affects tile version of routers running the exact same software version as other models makes it unlikely although not entirely impossible.

wispvt

Yup, the 24th was the trigger date for us as well and then saw the frequency of reboots increase from the 26th on. After rolling back to 6.48.6 we've had no issues for 12 hours. It seems like it's only affecting tile processor routers from the posts.

wispvt

I rolled back to 6.48.6 to try as my reboots increased in frequency to every 5-15 minutes. I'll post results later.

wispvt

I have a CCR1016-12S-1S+ doing the exact same thing. It had been fine for over a month on 7.6 but in the last week since 11/24/2022 it has rebooted around 10 times. Some of the times are shortly after a previous reboot. It can't be a power supply issue as it's a dual PS router and it's fed by a UPS ...

wispvt

Recently started getting the above error on a router. Not sure if its a bug in 6.48.6 or something else. The ARP cache only has about 3500 entries and the Max Neighbor Settings in /IP Settings is set to 32768 so it's not even close capacity. There have been no changes on this router recently except ...

wispvt

Tried setting up 7.1 as a transparent traffic shaper using Mangle and queue trees, but 7.1 has issues marking download packets, it wants to mark everything as upload. Other people have complained of the same issue.

wispvt

I just saw how to do it with address lists and queue trees using mangle to lower the cpu usage, my question would be is we are already marking new incoming packets and connections to load balance our backbone connections with PCC, so how would you mark packets to handle both of these uses as packets...

wispvt

Now that 7.1 is out for testing, we want to experiment with doing traffic shaping in the Mikrotik router using cake. To shape a few thousand users on a dozen various plans, do I need to create 2 queue rules for each user, 1 for upload and 1 for download, or is there some way to just enter their wifi...

wispvt

I upgraded the switch from long-term 6.47.10 to stable 6.48.3 and it resolved that issue. I did see in the change log there was a fix for CDP so I'm guessing that was it.

wispvt

Rebooting this morning didn't resolve the issue.

wispvt

I rebooted it this morning. It is strange when I enabled RSTP today about 10 entries showed up in the neighbor list. I will try rebooting it tomorrow morning again. It passes too much traffic to take it down during the day. Each switch on either side of this one, the neighbor table looks fine.

wispvt

I apoligize for not attaching. Here it is.

wispvt

It is a CRS317, firmware 6.47.10. There are about 50 routerboards on the network and all are performing normally. I enable RSTP on the bridge and a few entries showed up, but something is still blocking everything.

wispvt

I have a CRS317 and there are no Neighbor entries. Under Discover settings it is set to all interfaces, ARP is enabled on all interfaces as well. For the life of me I can't figure out whyat is blocking it, there are no firewall or bridge rules. I feel like there was a cli command that was used on th...

wispvt

We are running VRRP interfaces for our gateway IP's for redundancy whose interface is set to the bridge. The arp table has 2 entries for each IP, one that shows the bridge interface, and one for the vrrp interface. Is this normal or should I be changing the arp setting on the VRRP interface or bridg...

wispvt

I am trying to allow my VPN server where the clients are 10.0.80.0 and its LAN has an IP of 10.0.90.10 which is connected to a Mikrotik router which does NAT and has 10.0.90.1 assigned to its bridge. I am trying to allow the VPN clients to communicate to other clients that have ip addresses 10.0.90....

wispvt

I was able to solve the issue. I had to set the STP to none on the bridge that the VPLS was connected to. It was already set to none on the loopback, but apparently when the route changes it also trigger RSTP which drops the traffic. Once I disabled that it worked like a champ.

wispvt

I did enable use BFD on each OSPF interface and BGP peer. Is there anything else to do? Its so wierd that when I unplug the cable the VPLS interface immediately shows the new next hop but traffic takes 20 seconds afterward to begin flowing again across the VPLS connection. At the top of the VPLS int...

wispvt

I just did a quick config in some other ccr with tile processors and its the same. When ping across the bridge and VPLS interface it takes 22 seconds when a link drops or resumes. I've attched a copy of the 2 test routers configs. Changing the OSPF hello and dead timers on each interface has no effe...

wispvt

After all my testing, I have another setup up on some mikrotik switches that works great, it seems like its possibly a bug with the new ccr2004. I see the vpls shows the new route within 2 seconds on the web interface, but doesn't start passing traffic for another 20 on the vpls connection. My other...

wispvt

It looks like its not an OSPF convergence issue as it is looking like with 2 seconds it is re-establing a link but that the VPLS is taking 20 seconds to begin passing traffic after getting notified of the new route.

wispvt

I'm setting up a couple new CCR2004 with 3 redundant paths between them on the bench using a OSPF, BGP, MPLS, VPLS configuration. When I drop out the link carrying traffic, it takes 20 seconds for traffic to re-establish on the backup link. Is this normal convergence time, or possibly a setting I am...

wispvt

I have a switch at Tower A with 2 links feeding to Tower B which is where the router to the Internet is. It is a flat bridge network, I want all traffic to go over link 1 until it fails, then send the traffic over link 2. I don't want to use LAG as I plan on adding a 3rd backup link between towers t...

wispvt

Using Switch OS is not a solution. Its possibly a bandaid, I don't want to be pushing 10G of data hoping that works. Need a reliable fix.

wispvt

We have the same issues CRS328 to servers with 10Gtek X520 cards. 1G is fine, but 10G is unstable. We have 4 brand new CRS328 that do the same thing. Its very disappointing as we bought them so we could switch 10G traffic. Not sure what to do now as we need reliable 10G switching. Any recommendations?

wispvt

Customers are already aggregated onto one link by the time they hit our NOC. I don't think put every customer on a separate VLAN is how the bigger ISP's do it though.

wispvt

Hi, Currently we use mostly Ubiquiti radios with a mix of our wifi routers or customer owned wifi routers connected to them for our customers. We use the traffic shaping built into the radios to control their bandwidth. We would like to test moving the traffic shaping to the main NAT router for them...

wispvt

We want to automate the upgrade process for our Mikrotik routers. We currently have a working script that downloads from Mikrotik directly but we want to host the .npk files on one of Mikrotik routers so we can control the update process and thoroughly test the firmware prior. We have tried the docu...

wispvt

I have 2 Mikrotik firewalls linked across the Internet with EoIP. I am trying to enable IPSec on the tunnel but when I do, no traffic passes. Fast Path is disable on the EoIP interface like it recommends but the firewall does use fast track for connections. Is there any trick to getting this working?

wispvt

I am looking to create a VPLS tunnel from the LAN side of one NAT's firewall out through the Internet to another NAT'd firewall to the LAN side there to extend out the LAN. How do you deal with going through both NAT'd firewalls to create a flat bridged network. So obviously you can't create a tunne...

wispvt

To change the order of the rule, just click on it and drag it to where you want it placed in the order.

wispvt

How much horsepower does it take to run MPLS/VPLS. We set up a test bed of 4 CRS112-BP-4S-IN switches which is what we might normally use at a smaller micro pop site where we have small 14-16" boxes and just need POE to the radio and UPS and they failed terribly. They could only do 50-60 Mbps b...

wispvt

Thanks. On the MTU size, I see some people set it to 1530 for MPLS, some 1580, 1600, and 2000. Is there any downside to setting it to 2000 across the board? Also I am having issues getting the MPLS working out in the field through the various wireless links even though on my lab it works fine. I hav...

wispvt

I can get everything connected but not carrying traffic properly. Would you by chance have an example config of say a tower router set up with a couple of AP's and backhaul, and one of your core router that you are routing it to using private subnets that we could see as an example to compare and le...

wispvt

i have a question as we are trying to do the same with mpls and vpls. if you are using vpls tunnels back to your core everywhere, how is bgp doing anything with your traffic ip addresses as everything is supposed to be traveling over the tunnel. I also noticed there were no traffic networks entered ...

wispvt

Upgrading the firmware from the latest bugfix to the latest current firmware resolved the issue. There were multiple vrrp fixes in the the 6.42 branch.

wispvt

We have a router that works fine now with our gateway addresses assigned to a bridge and using NAT and PCC mangle rules to load balance through multiple upstream providers. When we try to move the gateway ip's from the bridge to a newly created vrrp interface assigned to the bridge, we notice about ...

wispvt

Thanks

wispvt

Hi, We are currently load balancing our traffic over multiple providers on separate interfaces using PCC and masquerade NAT. We would also like to make the traffic going an interface isn't all sharing the ip and also split the traffic on each interface over say 5 ip addresses. Is this possible and h...

wispvt

Is there any plans to maintain the POE output voltage during reboots so whatever device is connected to the port doesn't reboot as well like other manufacturers. It would be a great feature.

wispvt

We have a bunch of routers at various sites that feed our core router at the head end that does NAT and mangle. Obviously we need connection tracking at the core, so how do we allow fragmented packets to pass through the firewall and is there any downside to this and would it break anything else?

wispvt

Did any one solve this as we have the same issue with a bunch of our clients. Only the IPSec connections of ATT microcells ever seem affected. Any help in resolving this would be appreciated.

wispvt

That was definitely the ticket, it has been nice and stable since. @IntrusDave what to you use for load balancing to knock out routes that are down.

wispvt

I think we have found the solution. The firewall scripts that are floating around are too restrictive on the ICMP chains which can cause pings to be dropped which normally wouldn't be a problem until you enable check ping on the gateways for the routes when setting up load balancing. I will know by ...

wispvt

We aren't using any routing protocols. Only static routes for our 3 uplinks, and the system does create a couple of dynamic routes for our non-routable address on the bridge. The debug just shows some select route sections followed by where it adds or subtract routes, no info as to what is triggerin...

wispvt

We turned on debug and logged messages to a remote server and found what is happening, now need help what is causing it and how to stop it from dropping traffic Sep 15 11:19:05 xxx.xxx.xxx.xxx route,debug,calc Begin calculation Sep 15 11:19:05 xxx.xxx.xxx.xxx route,debug,calc End calculation Sep 15 ...

wispvt

We are having an issue with the bridge traffic on a CCR router running 6.34.6 pausing randomly for about a minute. It might be 12 hours between when this happens. The bridge traffic is NAT'd to 3 upstream providers using mangle and everything works great till this happen. After a minute of no data p...

wispvt

I'm all set, please disregard.

wispvt

We are setting up a Zabbix monitoring server but end up with holes in our graphing on interfaces once they are exceeding approximately 400Mbps. We are graphing the same data from Ubiquiti equipment in front of it with no problem. The Mikrotik we are trying to monitor is a CCR. We are using SNMP2 for...

wispvt

I have 3 backbone providers. I NAT all the clients to a public IP address, and some clients have their own src-nat set up to get their own public IP address. I am using ECMP in the routing table to balance out the connections across all the links. When it was just 1 provider I had zero issues with t...

wispvt

I don't want to do NAT, I just want to route each of the 2 /24 blocks out the appropriate WAN port to the proper ISP. So is there a way to make block 1 go out ISP 1 interface and block 2 go out ISP 2 interface using simple routes, or do I need to use mangle.

wispvt

If you have multiple providers who each have assigned you a /24 block of ip addresses, how do you configure the routes for each pool. Do you have to use mangle and the overhead associated with it or is there a simple way to route all traffic from ISP block 1 - LAN 1 out through ISP1 and ISP block 2 ...

wispvt

There has to be something with the 1200's and the firmware past 6.10. I hate to throw out the 1/2 dozen 1200's we have due to obviously a firmware issue. All our other switches are fine. I have kept hoping it would get fixed in each version but to no avail. It would be nice if someone from Mikrotik ...

wispvt

Has anyone found the fix for this, the firmware is now at 6.24 and we are still unable to move past 6.10 because of this bug with Ubiquiti gear connected to. We have tried Ubiquiti firmware 5.6beta6 as well and still the same results. We have only seen this issue on the RB-1200 and the quickest way ...

wispvt

I upgraded a CCR from 6.13 to 6.21rc22 and the router started rebooting on its own every minute. Was able to see in the logs that the router rebooted itself due to a kernel error but had to quickly go back to a stable version (now 6.20) as it was a production router. Anyone seen this on rc 22? Did ...

wispvt

Does anyone know how to stop unicast flooding on a Mikrotik bridge.

wispvt

Around 2000. I think what I am seeing is unicast flooding where a bridge which doesn't have the mac address listed in its host table will send out the packets to all interfaces connected to the bridge. Cisco has an easy way to disable this but I am unable to find out how to block unicast flooding on...

wispvt

We are seeing the same issue with spikes on our bridge traffic. When we do a tcpdump we find that the main router is just dumping random traffic out on all ports of the bridge and for some reason ignoring where it should go based on the entries in the bridge host table. Ours is pretty regularly abou...

wispvt

I have noticed sometimes that when I look up the rogue traffic there is an entry in the arp table of where it should be going to and the interface will be the bridge, but if you go to the bridge host table that MAC address listed next to the ip address will sometimes not be there. Any reason for thi...

wispvt

LOL no bridging loops, its impossible to do as each switch is at a remote site from another site and everything is isolated. Traffic flows fine except for these random bursts of traffic every 30 secs to a minute. If I trace out the ip and mac that it should be going to they exist on all different pa...

wispvt

Also all the Mikrotik switches that are fed off the main router are nothing more than bridges. All ports are bridged on these routers and split horizon is used to isolate all the ports in the bridge.

wispvt

These are all mikrotik switches. Basically a 1100ah2 feeds a dozen rb1200's which in turn feed a bunch of 750UP's at all the various sites.

wispvt

Should the switches that are connected into the main router have all their ports and bridges set to proxy-arp or just arp like everything is in the main router?

wispvt

There are a few thousand mac addresses and ip's on this segment of the network so there is no way it is getting maxed. Basicically we have a mikrotik switch that feeds different sites which in turn deed smaller sites. Could a switch way out at the edge of the network feeding maybe 50 devices cause t...

wispvt

Also is it possible to increase its size once tracked down?

wispvt

How would you tell if the table is getting full and is there an easy way to track it down as we have close to a 100 switches in our network.

wispvt

I pulled some of the traffic from the tcp dump, and matched the ip address to mac address and traced out. I could locate the mac in the next switch off one port of the main router in its host table for its bridge but not in another that it was also getting sent through. Is this some sort of multicas...

wispvt

I was monitoring one of our customers equipment and noticed .5-2Mbps of random traffic on it. After troubleshooting and running tcpdump it looks like somehow the Mikrotik router is forwarding certain netflix traffic to all devices on the bridge at the same time which results in these random spikes o...

wispvt

We are having an issue with our Mikrotik router. It typically happens in the evening. One of our ports will just stop responding on the bridge. RSTP will take over and the traffic will get moved over to another back up link during this time until it comes back in a few minutes. When this happens, yo...

wispvt

They were wired right. Update though, the new firmware seems to be much better and is powering the Motorola Canopy just fine. My techs issue was a an issue the the Canopy and not the Mikrotik. So far we have half a dozen deployed over the last couple of months and they work great. No issues, love th...

wispvt

We tested the new firmware as well and it does not resolve the issue of not being able to power Motorola Canopy from these units. Tried both settings, "forced-on" and "auto" to no avail. If the new firmware was supposed to fix these problems with the POE than it is still broken.

wispvt

When I said voltage drop I didn't mean across your cable I meant the supply voltage. If your supply voltage is 18V vs 24 volts, the equipment will normally draw more current at 18volts vs 24 volts. Which is why I said to try the higher voltage as these units are a little finicky with their current s...

wispvt

We use 24V to supply the RB750UP which could be the difference. Remember as voltage drops, your current draw will increase which could be triggering the protection circuit on the RB750UP. Try a 24V power supply, and make sure it can handle the load easily from all the equipment it is supplying.

wispvt

We have them working. The RB750UP has issues with the POE. I have found it works better if you set the POE to on and not use the auto setting as it is more flaky. Cabling is just a straight through cable. Hopefully they will make some changes to the firmware to allow more user adjustment. But they a...

wispvt

we are working on possible solutions to turn on as much as possible devices. Most probably it will be additional setting added to enable unsafe mode. As soon as we receive the device that does not work properly (AFAIK it is or soon will be on route) What did you mean by as soon as you receive the d...

wispvt

But we still need a way to make this work for all devices, other people are having the same issue, the port won't turn on when equipment is connected, but once it is on it will power the equipment just fine. So maybe there needs to be an option to turn the checks off on a port by port basis for prob...

wispvt

I measured the resistance across the POE wires of the Motorola that doesn't work, its 2.5K - 3K Ohms, the units that are working fine are 2-3M Ohms. These aren't even close to the resistance someone was talking about earlier.

wispvt

Yes the canopy and trango are reversed. We made up cables accordingly and they work great as long as you connect the Canopy once the poe output on the mikrotik has fully switched on. We measured the Canopy and they seem to draw about 200mA vs the Trango's which draw 130mA at startup which is still a...

wispvt

After getting a RB750UP in, we began testing it. It works great except for if you try to power a Motorola Canopy unit from it using POE. If the Motorola is connected and the RB750UP is rebooted, the switch will not turn on the poe for that port even though it says it is on when looking at the ethern...

wispvt

So is there any way to tunnel around a bridge that is isolated with split-horizon?

wispvt

No we do not. Each client connects to an AP with a wireless unit at their location, there is no need to install a separate mikrotik unit at each house as that adds more to overhead and more headaches. We hand out non-routable IP's via a centralized DHCP server and everything is bridged which makes f...

wispvt

Bridging works best for us and customers as it allows us easily to get to any piece of equipment and a consistent gateway for all customers so its easy to troubleshoot and provision.

wispvt

I am using split horizon to isolate clients connected to AP's on each port. It works well so you don't have to worry about any type of broadcast, dhcp or any other traffic traveling between each port. I don't want to disable it as I want to keep the network isolated, I just want to get around it for...

wispvt

I am using split horizon to isolate traffic on my ports to isolate all my customers. It works well but wouldn't you know I have one customer who needs to communicate with their office which is also in my system over a vpn but the split horizon is stopping it. Is there anyway to get a connection arou...

wispvt

It is the upload going through the bridge. I can reverse cable through different ports and always the same results. As soon as I remove the bridge and use as a switch by configuring master port it works great so this would indicate to me it isn't the hardware issue they were talking about in 5.3 and...

wispvt

wispvt

No I test in each direction independantly. I also use other speed tests as well, all with the same result, once I start using the bridge interface, it limits flow in one direction. I did notice there were issues reported in the 5.3 code on the 450 boards, but has anyone tested the 5.4 on a 450G to v...

wispvt

I tried that with the same results. Performance through the bridge is still only good in one direction, and .5M in the other, yet works great when using it as a switch. Any other ideas?

wispvt

Thanks that solved the speed issue, but one of the things we wanted to do was use the split horizon feature available under bridging to isolate all ports and only allow ports 2 - 5 to communicate with port one which is our backhaul and not to each other. Also upgraded to 5.4 before trying your solut...

wispvt

I am setting up my first mikrotik routers, and when running iperf through them the speed is good in one direction, but only .5M in the other. If you bypass the router its great. Tried 2 different boards. Using default config and just trying to use them as a simple switch for now to verify performanc...

wispvt

The more radios and sector antennas you use, the more clients you can support so that is your biggest consideration when designing a site.

wispvt

They are going to be public ips traversing across each port handed out by a main dhcp server so separate subnets are not an option.

wispvt

How do I configure it to use port 1 as the internet uplink for all other ports and the remaining ports which are connected to AP's to be isolated from each other while still having access to the uplink port on port 1. We also need to get back to any port from the uplink port and get access to the ap...

Search found 109 matches