Search found 1155 matches

by tomaskir
Wed Oct 04, 2023 9:40 pm
Forum: Useful user articles
Topic: [Guide] Running Unimus Core in a Docker container
Replies: 0
Views: 2187

[Guide] Running Unimus Core in a Docker container

Hello fellow Tik fans. Wanted to share a guide to a sensible and useful use-case for a Docker container on a router. Containers on routers can be quite useful in the right use-cases - just please remember that just because you can run something directly on the router, doesn't mean you should. For so...
by tomaskir
Tue Aug 09, 2022 5:49 pm
Forum: General
Topic: WAN Load Balance question. WAN2 only to operate once WAN1 reaches X mbps.. [SOLVED]
Replies: 2
Views: 813

Re: WAN Load Balance question. WAN2 only to operate once WAN1 reaches X mbps.. [SOLVED]

You can find a presentation on this here: https://youtu.be/67Dna_ffCvc

While the presentation itself is quite old, everything in it is fully applicable to what you need :)
by tomaskir
Wed May 04, 2022 3:10 am
Forum: General
Topic: [Guide] Easy network-wide RouterOS upgrades
Replies: 7
Views: 2414

Re: [Guide] Easy network-wide RouterOS upgrades

Sorry to barge in, but when you setup Unimus to handle upgrades - and other things - you give it the credentials to the Mikrotik devices. I am trying to figure out if Write or Full permissions are required for the upgrades and to be setup in Unimus? Write should be enough unless you also want to ma...
by tomaskir
Wed Mar 09, 2022 2:50 am
Forum: General
Topic: [Guide] Easy network-wide RouterOS upgrades
Replies: 7
Views: 2414

Re: [Guide] Easy network-wide RouterOS upgrades

Can you confirm that this should still work under ROS 7.1x? I did the steps manually and configured package-upgrade-source, did a refresh and so on. I also see that the connection to the host router which holds the packages is established, but no update files are listed on the client de...
by tomaskir
Mon Feb 21, 2022 4:59 pm
Forum: Announcements
Topic: WinBox v3.35 released!
Replies: 97
Views: 51776

Re: WinBox v3.35 released!

What's new in v3.35:
...
*) fixed crash when connecting in new window (introduced in v3.33);
...

Thank you, but it still doesn't work properly. When connecting in a new window, Winbox takes about 20 seconds to spawn the new window. Before 3.33 everything worked properly instantly.
by tomaskir
Tue Feb 15, 2022 8:39 pm
Forum: Wireless Networking
Topic: Can be Ubiquiti access point managed by Mikrotik Capsman?
Replies: 5
Views: 2007

Re: Can be Ubiquiti access point managed by Mikrotik Capsman?

it's impossible to flash there RouterOS?
It is NOT possible to flash RouterOS on UBNT hardware.
by tomaskir
Fri Jan 21, 2022 12:39 am
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 133691

Re: Built in function library

4) Finally, I would really like to get access to why an error occurred in on-error blocks. Here is what I would love: :do { # things } on-error e do={ :put "Failed, reason: $e" }; That's a good one, and since "$e" likely be a string, a " simple string find" operation f...
by tomaskir
Thu Jan 20, 2022 5:56 pm
Forum: Scripting
Topic: Built in function library
Replies: 132
Views: 133691

Re: Built in function library

1) Most of my personal issues with ROS scripting are when it comes to string parsing and string manipulation. Given how ROS scripting is used, these are some of the most used functions, and currently they lack a lot of utility functions. :strleft - return a number of characters of the string (from ...
by tomaskir
Wed Dec 08, 2021 7:24 pm
Forum: RouterOS beta
Topic: Speed drop after update to 7.1stable [SOLVED]
Replies: 39
Views: 17066

Re: Speed drop after update to 7.1stable [SOLVED]

Probably best to report this directly to support, including supout files from both v6 and v7.
by tomaskir
Mon Aug 16, 2021 9:29 pm
Forum: Beginner Basics
Topic: How to remove ssh,debug,packet message from log
Replies: 3
Views: 1227

Re: How to remove ssh,debug,packet message from log

Please post the output of "/system logging export".
by tomaskir
Mon Aug 16, 2021 9:27 pm
Forum: General
Topic: Internet disconnection after a period of connection
Replies: 2
Views: 723

Re: Internet disconnection after a period of connection

Check the PPP profile used by your PPTP and L2TP servers. Adjust "session-timeout" and "idle-timeout".
by tomaskir
Tue Aug 10, 2021 6:55 pm
Forum: General
Topic: CLI input on enter key is presented with numbers: [SOLVED]
Replies: 4
Views: 1139

Re: CLI input on enter key is presented with numbers: [SOLVED]

If you do "print", it will print numeric IDs for entries in the current CLI section. It wants you to provide an ID for which record to configure the "address" and "interface" parameters on. What you are looking for is: set [find interface=bridge1] address=10.0.0.1/24 Yo...
by tomaskir
Thu May 27, 2021 6:32 pm
Forum: Beginner Basics
Topic: deleting routes script
Replies: 2
Views: 1538

Re: deleting routes script

Something like this should work (adjust as needed):
/ip route
:if ([:len [find comment="WAN1" dst-address=0.0.0.0/0]] > 0) do={
  :foreach i in=[find comment="WAN1" dst-address=0.0.0.0/0] do={
    remove $i
  }
  /ip route add gateway=lte1 dst-address=0.0.0.0/0 comment="WAN1"
}
by tomaskir
Thu May 27, 2021 6:26 pm
Forum: Scripting
Topic: Remove connections via scrip when internet link down
Replies: 2
Views: 1592

Re: Remove connections via scrip when internet link down

In "/ppp profile" you have the option to set "on-up" and "on-down" scripts.

Create a separate profile with your desired scripts, use that profile for your outbound PPPoE session.
by tomaskir
Tue Feb 23, 2021 8:05 pm
Forum: General
Topic: Winbox - Darkmode - Please [SOLVED]
Replies: 33
Views: 20375

Re: Winbox - Darkmode - For the love of God, Please. [SOLVED]

There is a way - altho not a straightforward one. Using Linux and Wine, you can force a "theme" for a Wine prefix. You then run Winbox inside that prefix. The theme can override any colors you want. This is an example of forcing a dark theme for Winbox: https://i.imgur.com/4ZzAS6B.png It's...
by tomaskir
Tue Feb 23, 2021 7:56 pm
Forum: Beginner Basics
Topic: What does MAC-Telnet do?
Replies: 1
Views: 2421

Re: What does MAC-Telnet do?

MAC Telnet and MAC Winbox are direct L2 connections to the Telnet and Winbox services - without using L3. (so there needs to be no IP addresses on the client (PC) and the server (router) to be used) These are used as last-resort management, if IP access is lost (due to routing issues, addressing mi...
by tomaskir
Mon Feb 08, 2021 6:36 pm
Forum: General
Topic: IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]
Replies: 2
Views: 1935

Re: IPSec - Peer: failed to bind to ::[500] Bad file descriptor [SOLVED]

With an issue like this, it would be best to email MikroTik support directly at support@mikrotik.com.
Please make sure to attach a supout file so they can investigate.
by tomaskir
Tue Jan 26, 2021 11:49 pm
Forum: Scripting
Topic: Admin script in jobs after log in [SOLVED]
Replies: 4
Views: 2760

Re: Admin script in jobs after log in [SOLVED]

Do you have the terminal window open in Winbox?

Each terminal in Winbox spawns its own job - maybe you had a saved session that contained terminals, so when you logged in, Winbox re-launched those terminal windows, and that's why you see active jobs?
by tomaskir
Tue Jan 26, 2021 11:44 pm
Forum: Beginner Basics
Topic: address-list manipulation from terminal
Replies: 1
Views: 513

Re: address-list manipulation from terminal

You can use regular expression matching, something like this:
/ip firewall address-list
:foreach i in=[find where address~"^192\\.168\\."] do={
  # example, modify as needed
  :put [get $i address]
}
by tomaskir
Wed Jan 06, 2021 10:59 pm
Forum: Scripting
Topic: reboot router if pppoe server client count=0
Replies: 3
Views: 1331

Re: reboot router if pppoe server client count=0

As said above, you should fix whatever are the underlying issues rather than reboot. However, here is a script that will reboot the router, if uptime is over 1 minute, and there are 0 PPPoE sessions: { :local upTime [/system resource get uptime] :local weeks [:pick $upTime 0 [:find $upTime "w&q...
by tomaskir
Tue Jan 05, 2021 11:52 pm
Forum: Beginner Basics
Topic: Same IP Pool and múltiple pppoe servers
Replies: 2
Views: 865

Re: Same IP Pool and múltiple pppoe servers

To expand on this a little: - if you want to use a single pool ("/ip pool" on RouterOS) for multiple PPPoE servers on a single RouterOS system (single RB / CCR / CHR), you can, just configure it in the profiles / secrets - if you want to use a single IP "pool / range" shared acr...
by tomaskir
Tue Jan 05, 2021 11:48 pm
Forum: General
Topic: Feature Request: IPSEC Improvements
Replies: 148
Views: 44633

Re: Feature Request: IPSEC Improvements

With the prevalence of IKEv2 everywhere in the last few years, VTI is indeed a must-have now.

The fact that people have been asking in this topic for VTI for 8 years hopefully shows there is a substantial demand for it.
by tomaskir
Tue Jan 05, 2021 11:45 pm
Forum: Scripting
Topic: Help with foreach script [SOLVED]
Replies: 4
Views: 6542

Re: Help with foreach script [SOLVED]

The Mikrotik Wiki article for scripting has very good information:
https://wiki.mikrotik.com/wiki/Manual:Scripting

I would suggest giving that a read, and playing around the CLI.
It's fairly easy to understand and start scripting for yourself :)
by tomaskir
Tue Jan 05, 2021 4:05 pm
Forum: Scripting
Topic: Help with foreach script [SOLVED]
Replies: 4
Views: 6542

Re: Help with foreach script [SOLVED]

Try something like this, adjust for yourself as needed: /ip dhcp-server lease :foreach i in=[find] do={ :local add [get $i address] :local mac [get $i mac-address] /tool fetch url=("https://mysite.com/api/dhcp_assignments%5C?ip_address=" . $add . "&leased_mac_address=" . $mac...
by tomaskir
Tue Dec 29, 2020 2:04 am
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 295
Views: 126865

Re: v6.48 [stable] is released!

tomaskir - Is this on a router that was just reset? No reset, this was a fully configured router on an older version updated to 6.48 without any changes. Before and after upgrade an "/export compact" was taken, and these 2 were diff-ed. This resulted in the changeset you see - looks like ...
by tomaskir
Wed Dec 23, 2020 4:58 pm
Forum: Virtualization
Topic: CCR1072 100% CPU after PCQ
Replies: 4
Views: 7789

Re: CCR1072 100% CPU after PCQ

Most issues with high load when using queues, and especially L7 come from using these features in a wrong way. I highly recommend watching Janis' presentation from MUM on how to properly debug and fix common performance issues on CCRs: https://www.youtube.com/watch?v=3LmQYIQ5RoA Right on page 5 (4 m...
by tomaskir
Wed Dec 23, 2020 4:33 pm
Forum: Beginner Basics
Topic: Maximum number of vpn clients supported to RB1100Ahx4 [SOLVED]
Replies: 3
Views: 2372

Re: Maximum number of vpn clients supported to RB1100Ahx4 [SOLVED]

If you are planning to use L2TP/IPSec (L2TP over IPSec), then you will be using IPSec in transport mode, not in tunnel mode. Using L2TP/IPSec the clients should create a single dynamic policy per client (generate-policy=port-strict). This means there will be only 1 policy per client, and you will be...
by tomaskir
Wed Dec 23, 2020 4:18 pm
Forum: General
Topic: VRRP with CRS3x switch?
Replies: 2
Views: 938

Re: VRRP with CRS3x switch?

VRRP is a layer 3 technology - it's not meant for load balancing on L2, and in fact not at all for load-balancing, as only a single VRRP member can be a "master" owning the virtual IP. VRRP should ever only be running on routers (nodes acting as gateways), not on switches. You are likely l...
by tomaskir
Wed Dec 23, 2020 3:51 pm
Forum: Announcements
Topic: v6.48 [stable] is released!
Replies: 295
Views: 126865

Re: v6.48 [stable] is released!

That's one huge changelog - the stability fixes for ARM are much welcomed. After the upgrade, "/export compact" without any reconfiguration shows 2 new changes from "default": https://i.imgur.com/yr83XOP.png ... https://i.imgur.com/NNvyWjb.png What has changed in the defaults for...
by tomaskir
Wed Dec 23, 2020 1:55 pm
Forum: Virtualization
Topic: CCR1072 100% CPU after PCQ
Replies: 4
Views: 7789

Re: CCR1072 100% CPU after PCQ

Post the output of "/export hide-sensitive", and it would be helpful to show us the output of "/tool profile" under load as well.
by tomaskir
Tue Dec 22, 2020 8:28 pm
Forum: General
Topic: bridge
Replies: 2
Views: 616

Re: bridge

Please post the output of:

/interface export
/ip address export
by tomaskir
Tue Dec 22, 2020 8:21 pm
Forum: General
Topic: Undocumented ipsec mode config option split-dns ?
Replies: 3
Views: 2635

Re: Undocumented ipsec mode config option split-dns ?

Split DNS can be used to tell the VPN client to query specific DNS domains over the provided DNS server, rather than all DNS requests. For example, you can input "corp.local", and the client would only query DNS queries for "*.corp.local" over the VPN-provided DNS, rather than al...
by tomaskir
Fri Nov 13, 2020 9:52 pm
Forum: General
Topic: script to turn off the router
Replies: 6
Views: 2172

Re: script to turn off the router

If you are trying to run this from scheduler, SSH client will ask for password, and fail, since there is not an interactive terminal on which to ask for the password. If you run the first command manually on the console, you will see it asks for password, and will not continue until you enter it. It...
by tomaskir
Thu Sep 24, 2020 3:21 am
Forum: RouterBOARD hardware
Topic: Help choosing optimal hardware
Replies: 4
Views: 1178

Re: Help choosing optimal hardware

1100AHx4 will do just fine with only a few hundred megs of traffic.

Make sure to properly configure MTUs on all layers (L2, MPLS, VPLS tunnel interfaces, VLANs, L3) to avoid fragmentation.
by tomaskir
Thu Sep 24, 2020 3:16 am
Forum: RouterBOARD hardware
Topic: Help choosing optimal hardware
Replies: 4
Views: 1178

Re: Help choosing optimal hardware

One of the most important factors is what amount of traffic will the routers be dealing with.
Without knowing that, it's hard to make a good recommendation.
by tomaskir
Thu Sep 24, 2020 3:13 am
Forum: General
Topic: CCR random CPU spikes and dropping PPPoE sessions
Replies: 2
Views: 1142

Re: CCR random CPU spikes and dropping PPPoE sessions

Are you doing NAT on the same router as PPPoE termination?
by tomaskir
Mon Aug 03, 2020 9:23 pm
Forum: General
Topic: Backup Link
Replies: 2
Views: 1315

Re: Backup Link

As mentioned before, switch to properly routing the network, and manipulate traffic flow using routing path cost. As an alternative (but you really should switch to routing rather than doing this), you can achieve what you describe by properly configuring STP. STP (Spanning Tree) can block redundant...
by tomaskir
Mon Aug 03, 2020 9:20 pm
Forum: General
Topic: IKEv2 between MikroTiks, sides switching, initiator <> responder
Replies: 15
Views: 5348

Re: IKEv2 between MikroTiks, sides switching, initiator <> responder

Likely best to contact support in this case.

The side with "passive=yes & send-initial-contact=no" should never be the initiator.
by tomaskir
Mon Aug 03, 2020 9:16 pm
Forum: General
Topic: send all traffic through l2tp VPN
Replies: 8
Views: 7119

Re: send all traffic through l2tp VPN

Post your config:
/export compact hide-sensitive
by tomaskir
Tue Jul 28, 2020 4:03 pm
Forum: General
Topic: send all traffic through l2tp VPN
Replies: 8
Views: 7119

Re: send all traffic through l2tp VPN

You currently have 2 default routes in the routing table:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          192.168.0.1               1
 1  DS  0.0.0.0/0                          l2tp-vpn                  1
You can see that the one using your "normal" gateway has the "A" mark. This means "Active". Disable the default ...
by tomaskir
Sat Jul 25, 2020 3:33 am
Forum: General
Topic: CCR2004 - High CPU load?
Replies: 2
Views: 1709

Re: CCR2004 - High CPU load?

Have you checked Profile? (Tools > Profile)

Which process is consuming the CPU?
by tomaskir
Thu Jul 23, 2020 4:43 am
Forum: Scripting
Topic: Regular Expressions modificators?
Replies: 3
Views: 2234

Re: Regular Expressions modificators?

This is likely your only chance:
$str~"^OK(\r|\n|\r\n|\$)"
The ROS regex engine (whatever it is) doesn't seem to support the "(?m)" flag.
by tomaskir
Thu Jul 23, 2020 4:29 am
Forum: Beginner Basics
Topic: IPSEC failover with two ISP
Replies: 2
Views: 2041

Re: IPSEC failover with two ISP

Hard to help without seeing your config. Post your IPSec config from:
/ip ipsec
export hide-sensitive
by tomaskir
Fri Jul 03, 2020 7:11 pm
Forum: General
Topic: RB4011 L2MTU bug.
Replies: 1
Views: 1222

Re: RB4011 L2MTU bug.

This is a user forum, it's not the right avenue to post potential bugs.

Please email support@mikrotik.com with full details - that is the proper way to get this investigated by MikroTik.
by tomaskir
Thu Jun 18, 2020 5:37 pm
Forum: General
Topic: Configuration problem with 2 gateways
Replies: 8
Views: 2222

Re: Configuration problem with 2 gateways

You want to force a single host on the network through a different gateway than the rest of the network.
This is called Policy Based Routing, or PBR.

There are a lot of guides on the Wiki and the forums, you can search for PBR setup instructions on both.
by tomaskir
Mon Nov 18, 2019 9:19 pm
Forum: Scripting
Topic: {ASK} script
Replies: 3
Views: 2528

Re: add user by script

This should do:

:local username "some-user-name"
:local password "some-password"

/user
add name=$username password=$password group=full

:foreach u in=[find] do={
  :if ([get $u name] != $username) do={
    remove $u
  }
}
by tomaskir
Mon Nov 18, 2019 9:04 pm
Forum: General
Topic: Separate NAT and PPPOE server.
Replies: 7
Views: 4481

Re: Separate NAT and PPPOE server.

Of course this is possible.
Simply create proper routes in the routing table on both devices and configure each to do their job :)
by tomaskir
Thu Nov 07, 2019 6:40 pm
Forum: Scripting
Topic: Delete all firewall address-list with one command [SOLVED]
Replies: 17
Views: 21336

Re: Delete all firewall address-list with one command [SOLVED]

For a single line you need to use

/ip firewall address-list remove [/ip firewall address-list find dynamic=no] 

Otherwise this will not work if you execute it from root context "/".
by tomaskir
Thu Nov 07, 2019 4:47 pm
Forum: General
Topic: EOIP over PPTP VPN
Replies: 5
Views: 3219

Re: EOIP over PPTP VPN

This paper gives you a full image on what is going on: http://citeseerx.ist.psu.edu/viewdoc/download?doi=10.1.1.78.5815&rep=rep1&type=pdf 4. CONCLUSIONS AND FUTURE WORKS ... First, this paper has clearly shown that using a TCP tunnel usually degrades the goodput of the end-to-end TCP flow .....
by tomaskir
Thu Nov 07, 2019 4:41 pm
Forum: Scripting
Topic: Delete all firewall address-list with one command [SOLVED]
Replies: 17
Views: 21336

Re: Delete all firewall address-list with one command [SOLVED]

Last command seems to work better but some entries are not deleted. I did a video: https://gfycat.com/bravewealthygermanpinscher
This is because you have some dns-based entries in your list. These create dynamic address-list entries that normally can't be deleted. Here is a command that takes that int...
by tomaskir
Thu Nov 07, 2019 2:43 pm
Forum: Forwarding Protocols
Topic: Ipsec site to site communication don't work.
Replies: 5
Views: 4757

Re: Ipsec site to site communication don't work.

As I mentioned in my previous post, your issue is that you don't have site B in ipsec policies of site A (and vice-versa). You will need to add all destinations for which traffic should be tunneled into policies. Of course, make sure you also adjust NAT bypass rules and any firewalls rules necessary...
by tomaskir
Thu Nov 07, 2019 2:40 pm
Forum: Scripting
Topic: Delete all firewall address-list with one command [SOLVED]
Replies: 17
Views: 21336

Re: Delete all firewall address-list with one command [SOLVED]

You don't need to do error handling on address list removal.
If you want to remove ALL entries rather than just entries from a single list, simply do:
/ip firewall address-list remove [/ip firewall address-list find] 
or
/ip firewall address-list
remove [find] 
by tomaskir
Thu Nov 07, 2019 2:12 pm
Forum: Scripting
Topic: Delete all firewall address-list with one command [SOLVED]
Replies: 17
Views: 21336

Re: Delete all firewall address-list with one command [SOLVED]

The issue is command scope. If you run the command under "/" (command root scope) find will run there. You either need to specify scope, or enter the "/ip firewall address-list" scope. /ip firewall address-list remove [/ip firewall address-list find list=list_name] Or /ip firewal...
by tomaskir
Thu Nov 07, 2019 3:49 am
Forum: Forwarding Protocols
Topic: Ipsec site to site communication don't work.
Replies: 5
Views: 4757

Re: Ipsec site to site communication don't work.

Your issue will most likely be in wrongly configured policies on the site routers.

You will need to post at least output from "/ip ipsec policy export" of all 3 sites in order for us to help tho :)
by tomaskir
Thu Nov 07, 2019 3:47 am
Forum: General
Topic: EOIP over PPTP VPN
Replies: 5
Views: 3219

Re: EOIP over PPTP VPN

As the previous poster said, you should use a single tunnel and BCP instead of using 2 tunnels. I would however recommend against SSTP since it is a TCP-based tunnel. You will run into TCP windowing issues when running TCP sessions inside of a TCP tunnel. I personally would recommend L2TP over IPSec...
by tomaskir
Sat Nov 02, 2019 2:11 pm
Forum: Beginner Basics
Topic: PPP Remote Address and Local Address [SOLVED]
Replies: 3
Views: 7340

Re: PPP Remote Address and Local Address [SOLVED]

PPPoE is a point-to-point tunnel, which means that each side is assigned a /32 (a single IP address), not a subnet. This means that these IP addresses can be completely unrelated from a subnet point of view - because there is not subnet, just a point-to-point tunnel. As you said, the remote-ip will ...
by tomaskir
Fri Nov 01, 2019 10:30 pm
Forum: Scripting
Topic: IP exclusion in script
Replies: 2
Views: 2776

Re: IP exclusion in script

Your post is rather vague on the details, but something like this should do: /ip dhcp-server lease :foreach i in=[find dynamic] do={ :local mac [get $i active-mac-address] :local ip [get $i active-address] :local host [get $i host-name] /queue simple add name=("Client-" . $mac) target=($ip...
by tomaskir
Thu Mar 28, 2019 4:08 pm
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 29618

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Let's hope MikroTik can have a build ready with a fix before the full details of this go public...
by tomaskir
Thu Mar 28, 2019 12:19 pm
Forum: Beginner Basics
Topic: Solution for VPN into company network
Replies: 3
Views: 1470

Re: Solution for VPN into company network

I recommend doing IPSec XAuth mode-config instead of L2TP/IPSec. It solves multiple issues that L2TP/IPSec has. Here is a presentation that will teach you how to properly set it up: https://youtu.be/QlkIbx0Jpoo (IPsec XAuth mode-config deep-dive) Getting a router with IPSec acceleration is also highl...
by tomaskir
Mon Mar 25, 2019 12:44 pm
Forum: Forwarding Protocols
Topic: MPLS MTU questions
Replies: 1
Views: 2466

Re: MPLS MTU questions

MTU on each layer is separate, and each layer needs CORRECT MTU configured, not just as large as the next layer.

I highly recommend checking this presentation from 10:05 onwards.
It discusses MTU in depth:
https://youtu.be/Q8AF-Srulmk?t=606
by tomaskir
Sun Mar 24, 2019 1:05 pm
Forum: General
Topic: Bug in export?
Replies: 3
Views: 1244

Re: Bug in export?

Did you create a ticket about this?
(email support@mikrotik.com)
by tomaskir
Fri Mar 22, 2019 1:57 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 84659

Re: Statement on Vault 7 document release

How is that different from /exporting the configuration and git it ? Then compare different commits? Cause the video on their homepage just looks like it.
The difference is you don't have to do it all by yourself. You would have to script config retrieval, handle all the edge cases and have proper e...
by tomaskir
Thu Mar 21, 2019 5:23 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 84659

Re: Statement on Vault 7 document release

Usually a configuration management system does this for you. Unimus does this out-of-the-box and you can have it set up network-wide in 20 minutes. (this is what I recommended in my talk) You can't really do this in any good way natively in RouterOS or The Dude. And while you could do this using Sys...
by tomaskir
Thu Mar 21, 2019 3:18 pm
Forum: Announcements
Topic: Statement on Vault 7 document release
Replies: 92
Views: 84659

Re: Statement on Vault 7 document release

Does anyone know how to have "Configuration changes notifications" as mentioned in the talk? Is this something that ROS can do natively (or with scripting) or you have to do that using syslog etc?
Usually a configuration management system does this for you. Unimus does this out-of-the-box...
by tomaskir
Mon Mar 18, 2019 5:37 pm
Forum: General
Topic: Please add the ability to choose Proposal
Replies: 12
Views: 4509

Re: Please add the ability to choose Proposal

What was suggested was to move all explicit IPSec config to a new proposal called "newproposal". You can then adjust the default one, and your dynamic IPSec things (tunnels with "use-ipsec=yes") will use the default. Anyway, if you are doing any in-depth IPSec config, you should ...
by tomaskir
Fri Oct 26, 2018 3:01 pm
Forum: General
Topic: Any Chance of a test mode before applying the configuration
Replies: 9
Views: 3317

Re: Any Chance of a test mode before applying the configuration

Safe-mode will do the same.

As soon as you lose management connection, it will revert the configuration to the point before safe-mode was engaged.
by tomaskir
Thu Oct 25, 2018 2:01 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 7297

Re: Mass Managing Mikrotik

The Dude is a monitoring solution (NMS) - not configuration management. Let's say you want to change a password on 100 'Tiks, or find all 'Tiks running with wireless at freq. 5800 across the network. The Dude will not do that for you - that is the job of a Configuration Management (NCM) solution. Id...
by tomaskir
Wed Oct 24, 2018 4:51 pm
Forum: General
Topic: Mass Managing Mikrotik
Replies: 11
Views: 7297

Re: Mass Managing Mikrotik

Indeed, take a look at Unimus . We do Mass Config Push, upgrades across the network, etc. You can use this to push changes to firewalls across many routers, upgrade RouterOS or RouterBOOT, etc. You will also get configuration change notifications (so anytime a config of any device changes, you get a...
by tomaskir
Thu Aug 30, 2018 7:40 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 8303

Re: New wave of Winbox vuln. attacks

@sajibnandi: It seems you have logging enabled for some rule in the firewall input chain. Depending how input chain is configured, this might be just logging you can disable. Best would be to paste the output of /ip firewall filter print where chain=input Looking at the structure of the firewall, we...
by tomaskir
Thu Aug 30, 2018 4:24 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 8303

Re: New wave of Winbox vuln. attacks

I seem to recall there is a way to view the default configuration, but have failed to locate how to do it.
Could you point me in the right direction?

You can print out the default configuration using:
/system default-configuration print
by tomaskir
Thu Aug 30, 2018 12:51 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 8303

Re: New wave of Winbox vuln. attacks

Indeed, the issue will be in accepting "new" state connections in rule no.3. As pointed out by sid5632, this is something that was modified from the default configuration, and that is why you are seeing Winbox login attempts from the internet. Fixing that rule (remove the "new" c...
by tomaskir
Tue Aug 28, 2018 1:56 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 8303

Re: New wave of Winbox vuln. attacks

As an update to this, it seems there are currently 2 active variants of attacks: Version 1: Very similar to the attacks on Latin America earlier this month, but executed across the US/EU. This variant modifies SOCKS, and pulls updates using a 'mikrotik.php' file that is downloaded using scripts and ...
by tomaskir
Mon Aug 27, 2018 7:19 pm
Forum: General
Topic: New wave of Winbox vuln. attacks
Replies: 20
Views: 8303

New wave of Winbox vuln. attacks

There is currently another wave of attacks on RouterOS under way across US/EU address space. This attack utilizes the Winbox vuln. that has been patched in April this year. The current wave of attacks is very similar to the mass-exploitation of routers across Brazil earlier this month. This time tho...
by tomaskir
Tue Aug 21, 2018 5:01 pm
Forum: Beginner Basics
Topic: IPsec-SA expired before finishing rekey [SOLVED]
Replies: 4
Views: 10640

Re: IPsec-SA expired before finishing rekey [SOLVED]

I would suggest creating a ticket with support as well so MKT can check if this is something they can fix.
Simply using PFS for P2 should not break re-keying.
by tomaskir
Thu Aug 16, 2018 12:23 pm
Forum: The Dude
Topic: Mass Password Change [SOLVED]
Replies: 2
Views: 11766

Re: Mass Password Change [SOLVED]

With The Dude, there is no way to mass push config.

I recommend checking out Unimus - it will do this with a few clicks.
(create a Mass Config Push preset, select devices, push)

Otherwise, you can always script this yourself using TCL/Expect, or Python.
by tomaskir
Mon Aug 13, 2018 3:45 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 15469

Re: Centralized Management

Thanks for the feedback, we are always happy to hear what we can do better :) - Centralized Upgrade: Great, but it would be very helpful to see the current ROS-version of every device in the device-list We want to add this, but since we support 110+ vendors we need to properly implement this for all...
by tomaskir
Mon Aug 13, 2018 1:34 pm
Forum: General
Topic: Monitor wireless values
Replies: 3
Views: 1800

Re: Monitor wireless values

Everything you want is in RouterOS wireless MIBs.
/interface wireless
print oid

Use SNMP to retrieve the data, and choose any of the available monitoring platforms to graph it :)
by tomaskir
Mon Aug 13, 2018 1:27 pm
Forum: General
Topic: Centralized Management
Replies: 4
Views: 15469

Re: Centralized Management

Check out Unimus, it was built for exactly this. Here is a manual how to mass-upgrade RouterOS across the network: https://unimus.net/blog/network-wide-mikrotik-routeros-upgrade.html Here is an example of how to validate security (and if the network was hit by recent RouterOS exploits): https://uni...
by tomaskir
Tue Jul 24, 2018 6:28 pm
Forum: Virtualization
Topic: CHR 6.42.6+GNS3 = No RoMON
Replies: 5
Views: 7065

Re: CHR 6.42.6+GNS3 = No RoMON

RoMON uses a MKT proprietary L2 protocol. The default simulated switches in GNS3 only forward Ethernet frames. This is why you are not able to use RoMON, or other non-standard L2 protocol in GNS. Work-around is not to use the GNS3 "switch" object to connect your simulated MKTs, but use som...
by tomaskir
Sun Jul 22, 2018 2:30 pm
Forum: Wireless Networking
Topic: Wireless Wire MTU, stability
Replies: 5
Views: 3499

Re: Wireless Wire MTU, stability

Sounds like a bug.
Definitely something MKT support should look at.

Did you send a ticket to support with a supout.rif yet?
by tomaskir
Sun Jul 22, 2018 12:47 pm
Forum: General
Topic: Intrusion shortly after sending support file
Replies: 8
Views: 3121

Re: Intrusion shortly after sending support file

1) What version of RouterOS was that router on?
2) Did you have Winbox open publicly on the default port?
by tomaskir
Wed Jul 11, 2018 2:55 pm
Forum: General
Topic: LLDP
Replies: 136
Views: 68741

Re: LLDP

I think everyone in this thread appreciates VERY MUCH that LLDP is implemented at all. And I personally thank the MKT team a lot for this. But I think all of us here wish the work on LLDP would continue, since there is still a lot that can be improved. Also separation of LLDP from MNDP would probabl...
by tomaskir
Wed Jul 11, 2018 1:44 am
Forum: General
Topic: LLDP
Replies: 136
Views: 68741

Re: LLDP

Also no LLDP data is present in SNMP.

Another main use-case for LLDP is to have topology data available over SNMP, so monitoring and mapping software can use it to map the network.
by tomaskir
Sun Jul 08, 2018 5:35 pm
Forum: General
Topic: feature request, auto firewall nat rules [SOLVED]
Replies: 4
Views: 2596

Re: feature request, auto firewall nat rules [SOLVED]

You can use this FW rule to accept all NATed connections:

/ip firewall filter
add chain=forward connection-nat-state=dstnat action=accept
EDIT: damn, Sob beat me to it :(
by tomaskir
Mon Jul 02, 2018 4:58 pm
Forum: Announcements
Topic: Winbox v3.16 released!
Replies: 62
Views: 59872

Re: Winbox v3.16 released!

*) added back support for connecting to older RouterOS v6 versions;
Does this mean that Winbox is again able to download and execute DLLs received from external sources?
by tomaskir
Tue Jun 19, 2018 3:42 pm
Forum: General
Topic: Load custom default config when reset button pressed [SOLVED]
Replies: 1
Views: 1510

Re: Load custom default config when reset button pressed [SOLVED]

You will have to use NetInstall to do this.
NetInstall has an option to apply a configuration.

That configuration will be applied as the default config.
(including if the board is reset through the reset button)
by tomaskir
Tue Jun 12, 2018 6:50 pm
Forum: General
Topic: New IP cloud is coming.
Replies: 84
Views: 46576

Re: New IP cloud is coming.

Multi-WAN support for DDNS pretty please?
by tomaskir
Wed Jun 06, 2018 11:06 am
Forum: General
Topic: configuration for multiple routers
Replies: 3
Views: 2562

Re: configuration for multiple routers

If you want an easier solution - try Unimus. It will do Mass Config Push for you, and you can have it setup in under 30 minutes. Changing NTP, or creating / modifying users on all MKTs in the network is a few clicks. Here is an example of how to do RouterOS upgrades: https://unimus.net/blog/network-...
by tomaskir
Mon May 21, 2018 8:24 pm
Forum: General
Topic: multi microtik management tool
Replies: 13
Views: 8653

Re: multi microtik management tool

Check out Unimus:
https://unimus.net/

It will do Mass Config Push, change detection, diffs, network-wide config search, etc.
You can easily upgrade RouterOS across the network.

Here is an article on network-wide RouterOS update:
https://unimus.net/blog/network-wide-mi ... grade.html
by tomaskir
Wed May 02, 2018 4:24 pm
Forum: The Dude
Topic: New Dude to Backup Routers
Replies: 23
Views: 8952

Re: New Dude to Backup Routers

Unimus is interesting, even though it IS paid (thanks Hammy). The dev is pretty responsive and he's including [starting to anyway] mechanisms for pushing commands/scripts to devices which is making it somewhat of a change-mgmt platform with some interesting possibilities. This would have been helpf...
by tomaskir
Mon Apr 30, 2018 4:00 pm
Forum: General
Topic: [Guide] Easy network-wide RouterOS upgrades
Replies: 7
Views: 2414

[Guide] Easy network-wide RouterOS upgrades

Hi everyone, So with the latest RouterOS exploits, upgrading to an up-to-date RouterOS version is more important than ever. I wrote an article/how-to on an easy way to update RouterOS across your entire network. This article uses RouterOS Package Source feature to act as a local upgrade server. Unimu...
by tomaskir
Mon Apr 23, 2018 3:20 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 221434

Re: v6.43rc [release candidate] is released!

@strods
*) ipsec - added "responder" parameter for "mode-config" to allow multiple initiator configurations (CLI only);

Can you please elaborate on what this does?
by tomaskir
Fri Apr 20, 2018 2:36 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 221434

Re: v6.43rc [release candidate] is released!

Can the phy-rate and RSSI for 60G interfaces also be exposed over SNMP please?

Thanks!
by tomaskir
Mon Mar 19, 2018 1:38 pm
Forum: General
Topic: L2 MTU sizes - STILL confused
Replies: 12
Views: 24651

Re: L2 MTU sizes - STILL confused

Slide 18 and 19 from my presentation on MPLS/VPLS/MTU covers this pretty well:
https://mum.mikrotik.com/presentations/US13/kirnak.pdf

I would also recommend actually watching / listening to the presentation, it covers it much more in depth:
https://youtu.be/Q8AF-Srulmk
by tomaskir
Fri Mar 16, 2018 11:46 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 188478

Re: v6.42rc [release candidate] is released!

Waiting time is not too long. This kind of implementation will satisfy the biggest part of the users so we decided to re-make this generate process. But what is the benefit - what was the original need to change this? Because from what I can see, this has only disadvantages. Making users wait when ...
by tomaskir
Thu Mar 15, 2018 8:20 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 188478

Re: v6.42rc [release candidate] is released!

*) ssh - generate SSH keys only on the first connect attempt instead of the first boot; Could you please comment on why this change was made? Is it not better to generate these at startup than to make a user wait the first time he connects? Specifically on older boards (with single-core 400MHz CPU...
by tomaskir
Tue Mar 13, 2018 12:36 pm
Forum: General
Topic: Feature request: "Service Group"
Replies: 12
Views: 6691

Re: Feature request: "Service Group"

As you can see, this post is all the way back from 2012.

There has been no change on this, which is sad.
There still is no way to define any groupings for protocols/ports/services in RouterOS.
by tomaskir
Tue Mar 06, 2018 1:10 pm
Forum: The Dude
Topic: Configuration Backup
Replies: 1
Views: 1907

Re: Configuration Backup

You can't really have The Dude do any kind of backups / configuration management. If you want a solution that just works, check out Unimus. No need to configure anything on the routers. Takes about 15 minutes to deploy to manage a network of 1000 devices. (assuming you can mass-import devices) You ...
by tomaskir
Wed Feb 28, 2018 3:19 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 4219

Re: Mikrotik backup + upload to FTP /problem/

maybe someday .. mikrotik make some app for all that Great hardware offer, but poor support around maintenance Its easy when you have 1-10 mikrotik routers .. but 100+? As I mentioned in my previous post, you already have multiple solutions that exist that do this. Why should MikroTik write an appl...
by tomaskir
Tue Feb 27, 2018 5:55 pm
Forum: Scripting
Topic: Mikrotik backup + upload to FTP /problem/
Replies: 8
Views: 4219

Re: Mikrotik backup + upload to FTP /problem/

I would suggest getting a proper config management solution. (that will do config backup, show changes in config, etc.) You have multiple choices: Unimus - https://unimus.net/ Oxidized - https://github.com/ytti/oxidized Rancid - http://www.shrubbery.net/rancid/ etc. It will be easier to use, much mo...
by tomaskir
Mon Feb 19, 2018 12:10 am
Forum: Scripting
Topic: changing /system default-configuration script
Replies: 5
Views: 6646

Re: changing /system default-configuration script

What is strange is that it is still the original script which is displayed in /system default-configuration. This is a well known "bug" that has been in ROS for many years. Is there a way to view this script inside routerOS ? (could be a good or bad thing since it may embed cleartext pass...
by tomaskir
Tue Jan 09, 2018 10:20 pm
Forum: General
Topic: Hiring a consultant for configuration support
Replies: 3
Views: 1470

Re: Hiring a consultant for configuration support

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants

I think that might be a better source for knowledgeable MikroTik people than freelance websites.
by tomaskir
Mon Jan 08, 2018 2:26 pm
Forum: General
Topic: Mikrotik developer - Paid Config
Replies: 1
Views: 1008

Re: Mikrotik developer - Paid Config

MikroTik has an official consultant list you can use:
https://mikrotik.com/consultants
by tomaskir
Sat Jan 06, 2018 3:38 am
Forum: Beginner Basics
Topic: NAT Loopback for beginner
Replies: 7
Views: 24170

Re: NAT Loopback for beginner

There is a very good article on the wiki that describes all you need to know:
https://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Sun Dec 31, 2017 12:12 am
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 57
Views: 23775

Re: High CPU load when PPPoE sessions disconnects

Any interface connecting/disconnecting - does not matter if dynamic or static.
by tomaskir
Sat Dec 30, 2017 6:46 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 57
Views: 23775

Re: High CPU load when PPPoE sessions disconnects

It doesn't matter if the user has public or private IP, it's about interfaces. When interfaces connect/disconnect, with combination with NAT, it gives you high CPU usage. So simply eliminate NAT from that router. Have a separate router "in front" of the PPPoE concentrator, that NATs the tr...
by tomaskir
Sat Dec 30, 2017 4:01 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 57
Views: 23775

Re: High CPU load when PPPoE sessions disconnects

Just DO NOT use NAT on any routers that have high number of connecting/disconnecting interfaces. Use basic networking principle of 'separation of concerns'. Each device in your network should be responsible for one function - don't mix too many things into one device. Place an additional router "...
by tomaskir
Fri Dec 29, 2017 4:17 pm
Forum: Beginner Basics
Topic: accept vs return in mangle
Replies: 2
Views: 1731

Re: accept vs return in mangle

action=return is supposed to be used with custom chains - to return the packet to the original chain it came from (using the jump action). I am actually not sure what action=return does in one of the built-in chains. Documentation doesn't specify it either. If you want it to be not processed anymore...
by tomaskir
Wed Dec 27, 2017 4:18 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 7521

Re: MPLS MTU Calculations

Yes, but do not forget to properly calculate all other MTUs so MTU is sufficient on every layer.
by tomaskir
Wed Dec 27, 2017 1:54 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 7521

Re: MPLS MTU Calculations

It will work if MTU is sufficient, or higher.
It can be higher, that will not hurt.

But it MUST NOT be lower than required.
by tomaskir
Wed Dec 27, 2017 1:07 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 7521

Re: MPLS MTU Calculations

You need to calculate how much you need at every layer.
(like on slide 19 of the presentation)

If you have 4 tags, then you need to calculate that into the MPLS layer MTU, and MTUs on all underlying layers.
by tomaskir
Wed Dec 27, 2017 12:34 am
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 7521

Re: MPLS MTU Calculations

VPLS ID is the VPLS tag (it contains the tunnel ID).

A VPLS tag is just another type of MPLS tags - so also just 4 per VPLS tag.
by tomaskir
Tue Dec 26, 2017 11:10 pm
Forum: Forwarding Protocols
Topic: MPLS MTU Calculations
Replies: 19
Views: 7521

Re: MPLS MTU Calculations

Check out this presentation for an in-depth discussion of MTU (and in particular in regards to MPLS/VPLS).

https://youtu.be/Q8AF-Srulmk
by tomaskir
Tue Dec 26, 2017 11:08 pm
Forum: Beginner Basics
Topic: Soft for autobackup many device
Replies: 3
Views: 1640

Re: Soft for autobackup many device

Check out Unimus.
https://unimus.net/

It will do exactly what you want :)
by tomaskir
Mon Nov 27, 2017 2:26 pm
Forum: Beginner Basics
Topic: How to configure two Mikrotiks as a failover/backup [SOLVED]
Replies: 4
Views: 1647

Re: How to configure two Mikrotiks as a failover/backup [SOLVED]

There are multiple ways to do this, depending on your network layout, and how other things connect to the 1100s.

You will most probably want to go with VRRP tho, judging by your post:
https://wiki.mikrotik.com/wiki/Manual:Interface/VRRP
by tomaskir
Sun Oct 22, 2017 1:45 am
Forum: Beginner Basics
Topic: New advice on Manual Firmware update - Wiki page outdated?
Replies: 1
Views: 1550

Re: New advice on Manual Firmware update - Wiki page outdated?

Just download 'Main package', transfer to device, reboot device.

Make sure to download proper architecture, the 'System > Packages' table will tell you yours.
(for SXT, it's mipsbe)
by tomaskir
Thu Oct 19, 2017 12:56 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

All the things highlighted in your screenshot have different meanings, the 0 are fine. Highlighted rule 1 simply says there is no WAN->LAN traffic through wlan1. Highlighted rules 2 and 3 are 0 because the main load-balancing rule isn't routing any traffic through wlan2. You can see that in the conf...
by tomaskir
Wed Oct 18, 2017 4:29 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

As I mentioned previously, you will need to have the Traffic Monitor scripts in place to load balancing using bandwidth-based load-balancing. Refer to the presentation. Another note - do not use FastTrack with this. FastTrack on purpose doesn't let packets into Mangle (and multiple other RouterOS fa...
by tomaskir
Wed Oct 18, 2017 6:18 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

1) Mangle misconfiguration Rule 10 - you are missing negation signs. "dst-address-type=!local" and "dst-address-list=!Connected" If you are doing bandwidth-based load-balancing, you will also need the Traffic Monitors which switch the routing mark on the main load-balancing Man...
by tomaskir
Wed Oct 18, 2017 3:13 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

That config is completely wrong, so no wonder it doesn't work :)

Implement proper Mangle as in either of the presentations, then test.
If it still doesn't work after, please post the Mangle export and what doesn't work.
by tomaskir
Wed Oct 18, 2017 12:06 am
Forum: Beginner Basics
Topic: Add firewall filter in top position
Replies: 3
Views: 1970

Re: Add firewall filter in top position

Is this what you are looking for?
/ip firewall filter
add src-address-list=device.admins action=accept place-before=3
by tomaskir
Tue Oct 17, 2017 7:52 pm
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

Most probably it's an issue in your Mangle config.

Please post your Mangle export.
by tomaskir
Tue Oct 17, 2017 9:56 am
Forum: Beginner Basics
Topic: Dual WLAN + load balancing + redundancy?
Replies: 18
Views: 3958

Re: Dual WLAN + load balancing + redundancy?

You will need to properly setup load balancing using Mangle.
Check out this presentation, it should cover what you need to know:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Mon Oct 16, 2017 10:02 pm
Forum: Announcements
Topic: RouterOS (v6.39.3, v6.40.4, v6.41rc) NOT affected by WPA2 vulnerabilities
Replies: 58
Views: 149816

Re: RouterOS NOT affected by WPA2 vulnerabilities

Good job on the fast announcement and staying on top of the vulnerabilities. Special thanks for the additional per-protocol information and the clarification that was added after the initial post! (for people coming in later - the bottom half of MikroTik's post was added after official information ...
by tomaskir
Sat Oct 14, 2017 6:10 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 8827

Re: How to send a backup to email [SOLVED]

You can configure any of them to take a backup every 12h or 24h. Unimus is the simplest to setup, fastest to use, and has nice things like graphical diff (see changes between backups, or between devices), and a network-wide config search. (type in "vlan 1002" and see everywhere in your net...
by tomaskir
Sat Oct 14, 2017 5:00 pm
Forum: Beginner Basics
Topic: How to send a backup to email [SOLVED]
Replies: 13
Views: 8827

Re: How to send a backup to email [SOLVED]

Sending backups to email is bad for multiple reasons.
Security, scalability, management (imagine you need to change the email address, or email credentials on 100 devices), etc.

You should look at a proper backup solution, such as Unimus, Rancid or Oxidized.
by tomaskir
Thu Oct 05, 2017 6:03 pm
Forum: General
Topic: snmp security... private or authorized?
Replies: 6
Views: 5786

Re: snmp security... private or authorized?

For SNMPv3:
none - no hashing nor encryption
authorized - hashing
private - hashing and encryption

So for none, you don't need hash or encryption password, just username. SNMPv3 with "none" security behaves much like SNMPv2c. Authorized will use SHA1 or MD5 (depending on your configuration)...
by tomaskir
Thu Oct 05, 2017 2:29 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 1601

Re: 2 Internet Connections, one for Inbound and one for Outbound

You can have only one default route.
It can go either through WAN1, or WAN2.

As soon as you need some things to go through WAN1, and other things to go through WAN2, you need Mangle.
by tomaskir
Thu Oct 05, 2017 12:49 pm
Forum: General
Topic: 2 Internet Connections, one for Inbound and one for Outbound
Replies: 4
Views: 1601

Re: 2 Internet Connections, one for Inbound and one for Outbound

You will need to configure Mangle properly, and handle WAN->Router marking.

Check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Wed Oct 04, 2017 11:38 pm
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 5
Views: 1816

Re: First 100Mbps WAN1, next 100Mbps WAN2

Great presentation, this is exactly what I needed. Thank you.

Is it possible for me to see the slides in this presentation? It would be a great help.
There is a link in the video description :)
by tomaskir
Wed Oct 04, 2017 3:04 pm
Forum: Beginner Basics
Topic: Rename interfaces [SOLVED]
Replies: 2
Views: 1743

Re: Rename interfaces [SOLVED]

I personally consider leaving interface names as default as best practice.

Use comments to store descriptive information about an interface.
by tomaskir
Wed Oct 04, 2017 10:34 am
Forum: General
Topic: First 100Mbps WAN1, next 100Mbps WAN2
Replies: 5
Views: 1816

Re: First 100Mbps WAN1, next 100Mbps WAN2

If you are looking for bandwidth-based load balancing, check out this presentation:
https://youtu.be/67Dna_ffCvc

Feel free to skip to around 6:30 - that's when the Mangle stuff starts.
by tomaskir
Tue Oct 03, 2017 6:10 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 1643

Re: [hEX] 80 PPPoE session on RB750Gr3

Then the hEX should be fine :)
by tomaskir
Tue Oct 03, 2017 5:22 pm
Forum: General
Topic: [hEX] 80 PPPoE session on RB750Gr3
Replies: 4
Views: 1643

Re: [hEX] 80 PPPoE session on RB750Gr3

It depends.

How much traffic will there be?

What other things will the box do?
(firewall, QoS, NAT, etc.)
by tomaskir
Mon Oct 02, 2017 7:29 pm
Forum: General
Topic: Wirless Signal Dissaper when iphone is locked
Replies: 4
Views: 1475

Re: Wirless Signal Dissaper when iphone is locked

1) This is unrelated to MikroTik, or RouterOS. 2) It's common for smartphones to go into power saving when you lock them / put them into standby mode with the power button. Same for Galaxy S8, use power button to put it into standby, WiFi gets turned off. These are normal power-savings features. On ...
by tomaskir
Mon Oct 02, 2017 7:27 pm
Forum: General
Topic: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]
Replies: 1
Views: 1562

Re: more that 200 L2TP sessions for HEX (L4 license upgrade for routerbord) [SOLVED]

Yes, the license limit is applicable to RouterBOARDs. So you will not be able to do more than 200 tunnels on a RouterBOARD with an L4 license. You can buy an L5 license, and apply it to the RB. There is no upgrade (you can't just pay the difference) in RouterOS licensing, so you need a new L5 licens...
by tomaskir
Mon Oct 02, 2017 7:24 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 2877

Re: Dual WAN not responding to external telnet/WinBox requests

Sorry for the late reply, I finally had some time to look at your Mangle export today. 1) move the rules which handle WAN->ROS connections to the top. Before those prerouting rules. 2) do the input/output chain Mangle rules capture any traffic? That is, is the packet counter on all of them increasin...
by tomaskir
Thu Sep 28, 2017 4:49 pm
Forum: General
Topic: High CPU load when PPPoE sessions disconnects
Replies: 57
Views: 23775

Re: High CPU load when PPPoE sessions disconnects

If you are using Masquerade on the router, that is the problem. When using Masquerade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect. So if you have lots of PPPoE sessions connecting/disconnecting, connection tracking will constantly be recalculated wh...
by tomaskir
Thu Sep 21, 2017 3:32 pm
Forum: General
Topic: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group
Replies: 1
Views: 7864

Re: List of IPSEC Speed, Encrypt Algo, Hash Algo, DH Group

We use this with our IPSec everywhere:
Phase 1: AES256, SHA512, MODP2048
Phase 2: AES128, SHA1, MODP2048

For us, this is a good balance of security/performance.

SHA1 in P2 could be improved on, but for our requirements, it's enough.
(since SHA1 collisions have been now performed)
by tomaskir
Thu Sep 21, 2017 2:57 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 2877

Re: Dual WAN not responding to external telnet/WinBox requests

tomaskir is not quite right because it's better to mark connections in prerouting rather than in input. Look at pcc example: https://wiki.mikrotik.com/wiki/Manual:PCC#Application_Example_-_Load_Balancing May be you forgot to add respective routes for that routing marks (like in pcc example). And yo...
by tomaskir
Wed Sep 20, 2017 7:17 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 2877

Re: Dual WAN not responding to external telnet/WinBox requests

Post your entire '/ip firewall mangle export' please.
by tomaskir
Mon Sep 18, 2017 6:27 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

Ahh in my configuration the two are the same, can that be the problem?
EDIT:
Try to configure the L2TP secret in "/ppp l2tp-secret".
Make sure it's the same as the IPSec PSK in "/ip ipsec peer".

Then make sure it's the same in your client.
by tomaskir
Mon Sep 18, 2017 6:13 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

The L2TP secret is required. If I remove it, and try to connect I get the message "The IPsec shared secret is missing." There is a difference between IPSec PSK (pre-shared key), and the L2TP secret. You need to use the IPSec PSK (the one configured in "/ip ipsec peer"), but you ...
by tomaskir
Mon Sep 18, 2017 5:53 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

This would be the issue:
16:40:21 l2tp,debug tunnel 15 received bad auth. response, stopping

Make sure NOT to use an L2TP secret in the VPN config on the iPhone, only L2TP username/password.
by tomaskir
Mon Sep 18, 2017 5:25 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

You can turn off logging for IPSec, we see that works.

Turn on logging for L2TP, that should tell us why it's failing to establish an L2TP session.
by tomaskir
Mon Sep 18, 2017 4:36 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

My PPP configuration is: ...
Your PPP profile is wrong. Use it like this:
/ppp profile
add change-tcp-mss=no dns-server=x.x.x.x local-address=x.x.x.x name=VPN remote-address=VPN_Users use-compression=no use-encryption=no use-ipv6=no use-mpls=no use-upnp=no
Change necessary things (such as DNS serv...
by tomaskir
Mon Sep 18, 2017 3:20 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

It seems IPSec works, and clients can't connect L2TP. We see in the log:
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.209[4500]->xx.xx.x.68[4500] spi=0xd337886
14:12:51 ipsec IPsec-SA established: ESP/Transport xx.xx.x.68[4500]->xx.xx.x.209[4500] spi=0xaddadc4
14:12:51 l2tp,info first ...
by tomaskir
Mon Sep 18, 2017 3:04 pm
Forum: General
Topic: Help with Ipsec and iOS
Replies: 18
Views: 7242

Re: Help with Ipsec and iOS

1) Make sure you are running latest RouterOS
There have been many IPSec fixes recently.

2) Enable IPSec logging:

/system logging
add topics=ipsec,!debug
3) Post your "/ip ipsec export" here
Maybe it's something simple we can spot just from the export.
by tomaskir
Sat Sep 16, 2017 2:38 pm
Forum: Beginner Basics
Topic: Small firewall question
Replies: 2
Views: 1150

Re: Small firewall question

You will have to use the bridge.
Then either use bridge filters, or enable "Use IP firewall" for bridge, and use firewalling to block it.

In firewall, simply drop everything other than what you want to allow.
by tomaskir
Sat Sep 16, 2017 1:17 pm
Forum: Beginner Basics
Topic: port targeting with two WAN
Replies: 3
Views: 1199

Re: port targeting with two WAN

You need to do Mangle like this:
/ip firewall mangle
add chain=prerouting src-address=192.168.0.0/24 connection-mark=no-mark action=mark-connection new-connection-mark=ThroughOnly_WAN2
add chain=prerouting src-address=192.168.0.0/24 connection-mark=ThroughOnly_WAN2 action=mark-routing new-routing-ma...
by tomaskir
Sat Sep 16, 2017 2:33 am
Forum: Beginner Basics
Topic: port targeting with two WAN
Replies: 3
Views: 1199

Re: port targeting with two WAN

You will need to configure policy based routing (PBR) in Mangle.

I suggest looking through the wiki and the forums, there are plenty of Mangle examples for PBR.
by tomaskir
Fri Sep 15, 2017 7:11 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 2877

Re: Dual WAN not responding to external telnet/WinBox requests

Your Mangle is wrong. You need to handle incoming connections in the input chain, and set the routing mark in output. Do it like in the presentation, and it will work:
/ip firewall mangle
add chain=input connection-mark=no-mark in-interface=ISP_1 action=mark-connection new-connection-mark=WAN1->ROS
a...
by tomaskir
Fri Sep 15, 2017 6:00 pm
Forum: Beginner Basics
Topic: Dual WAN not responding to external telnet/WinBox requests
Replies: 11
Views: 2877

Re: Dual WAN not responding to external telnet/WinBox requests

You need to properly handle WAN->Router connections in Mangle. Meaning, if a connection from a certain WAN is initiated, it needs to be replied to over the same WAN. Look at this presentation, it should explain everything: https://youtu.be/67Dna_ffCvc Feel free to skip to around 6:30 - that's when t...
by tomaskir
Fri Sep 15, 2017 5:59 pm
Forum: General
Topic: how to setup fallover and port forwarding correctly
Replies: 1
Views: 1014

Re: how to setup fallover and port forwarding correctly

You need to properly handle WAN->LAN connections in Mangle. Meaning, if a connection from a certain WAN is initiated, it needs to be replied to over the same WAN. Look at this presentation, it should explain everything: https://youtu.be/67Dna_ffCvc Feel free to skip to around 6:30 - that's when the ...
by tomaskir
Fri Sep 15, 2017 1:21 am
Forum: General
Topic: Doing NAT inside a single L2 domain (vlan)
Replies: 3
Views: 1334

Re: Doing NAT inside a single L2 domain (vlan)

You should route that public /24 to the customer. So instead of your router serving as the gateway for "his" public /24, you will instead route that entire /24 to his routers IP. That way he can terminate that public /24 on his own router, and do with it as he pleases. He would also be abl...
by tomaskir
Thu Sep 14, 2017 5:17 pm
Forum: Announcements
Topic: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!
Replies: 109
Views: 49238

Re: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!

Any news on the LHG 60? We really need those in our network :) Wireless Wire is our first 60GHz product, LHG series will follow. Please give this kit a chance - performance will pleasantly surprise You. It's not that it's missing performance, we have some 200-300 meter links we would really like to ...
by tomaskir
Thu Sep 14, 2017 4:31 pm
Forum: Announcements
Topic: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!
Replies: 109
Views: 49238

Re: Newsletter 78 with 1GBPS WIRELESS PRODUCT ANNOUNCEMENT!

Any news on the LHG 60?

We really need those in our network :)
by tomaskir
Thu Sep 14, 2017 2:05 pm
Forum: General
Topic: Backup mikrotik configurations
Replies: 10
Views: 4459

Re: Backup mikrotik configurations

Unimus is not a cloud software, you run it locally on your servers.
Unless you stick it in the cloud.
Touché :D
by tomaskir
Thu Sep 14, 2017 2:04 pm
Forum: General
Topic: IPsec Performance
Replies: 16
Views: 14476

Re: IPsec Performance

Hi! Could you help me with speed limit IPsec Traffic on RB/951G-2HnD if we use SHA-1 AES-256 Group2 (1024-bits)?
Which speed will handle its with aes256?
Here is a hAP AC IPSec performance test:
viewtopic.php?f=2&t=99975

You can expect 951G to do about 20% less.
by tomaskir
Thu Sep 14, 2017 3:19 am
Forum: General
Topic: Backup mikrotik configurations
Replies: 10
Views: 4459

Re: Backup mikrotik configurations

Have a look at https://unimus.net/
No thanks. Only interested in local solutions.
Unimus is not a cloud software, you run it locally on your servers.
by tomaskir
Thu Sep 14, 2017 3:00 am
Forum: General
Topic: If distance and scope are the same value, how will the default gateway be determined?
Replies: 2
Views: 1759

Re: If distance and scope are the same value, how will the default gateway be determined?

Scope is used for reverse route lookup, so if a route does not need to be reverse looked-up, scope is not used. For your use-case, just adjust the distance as needed. Routes are resolved by specific-ness (more specific mask always wins), then by distance (lower distance wins). As mentioned previousl...
by tomaskir
Fri Apr 21, 2017 7:12 pm
Forum: General
Topic: New OID for CPU
Replies: 8
Views: 13226

Re: New OID for CPU

It is simple: .1.3.6.1.2.1.25.3.3.1.2 is a standards based OID (coming from the host mgmt MIB). The MIB specifies: The average, over the last minute, of the percentage of time that this processor was not idle. Implementations may approximate this one minute smoothing period if necessary. Meaning the...
by tomaskir
Mon Nov 28, 2016 7:53 pm
Forum: General
Topic: MPLS PPPoE
Replies: 3
Views: 1421

Re: MPLS PPPoE

There is also a video that goes with it, it might help you if you only have the .pdf:
https://www.youtube.com/watch?v=Q8AF-Srulmk
by tomaskir
Fri Sep 30, 2016 1:31 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 121892

Re: v6.38rc [release candidate] is released

I see my LLDP peers in the "/ip neighbour show" table on RouterOS. They don't have any info other than mac-address and IP (Mikrotik devices show software-id, version, etc.) Neither of the 2 switches connected to my test MikroTik show up over LLDP in its "/ip neighbor print detail"...
by tomaskir
Fri Sep 30, 2016 1:12 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 121892

Re: v6.38rc [release candidate] is released

Our switch sees the MikroTik in its LLDP table now, just no way to configure it on RouterOS yet I guess.
And no way to see LLDP peer table in Router OS yet.

And of course LLDP data is not in SNMP either...
by tomaskir
Fri Sep 30, 2016 12:56 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 121892

Re: v6.38rc [release candidate] is released

Where can I configure LLDP, I can't find anything related to it in "/ip neighbor" or anywhere else.
by tomaskir
Thu Apr 14, 2016 2:53 pm
Forum: General
Topic: LLDP
Replies: 136
Views: 68741

Re: LLDP

Please do not forget to implement LLDP MIB in SNMP, I think having LLDP information available over SNMP is a crucial feature for everyone.
by tomaskir
Fri Oct 30, 2015 2:22 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 10878

Re: info CCR1072-1G-8S+

We also have quite a few CCRs deployed, and have not had issues. If you know what you are doing, and doing everything properly (test config changes and version upgrades in a lab before going live), you should not have issues. You will find that many people that complain either don't know what they ar...
by tomaskir
Wed Oct 28, 2015 6:56 pm
Forum: General
Topic: router is trying to connect to this after been rebooted?
Replies: 4
Views: 1713

Re: router is trying to connect to this after been rebooted?

Seems like "/ip cloud" auto time set, or "/system clock" auto time-zone detection.

You can disable both.
by tomaskir
Mon Oct 26, 2015 5:23 pm
Forum: General
Topic: info tx/rx rate show in new terminal
Replies: 2
Views: 2069

Re: info tx/rx rate show in new terminal

Be careful, looking at a one-off snapshot of current traffic on interface is NOT at all precise. For example, you take a snapshot every 10s, and both snapshots show 10kbps traffic. But this is totally un-precise, what if in-between, the traffic was 5mbps? Do it the same way SNMP does, take the count...
by tomaskir
Mon Oct 26, 2015 2:36 pm
Forum: RouterBOARD hardware
Topic: RB850Gx2 vs hex
Replies: 5
Views: 3259

Re: RB850Gx2 vs hex

It is not that the 850Gx2 doesn't support fast-path, it's that the tests were done before fast-path support was in RouterOS. (since 850Gx2 is an older product than hEX - and MikroTik apparently didn't update the test results on the 850Gx2 page) 850Gx2 fully supports fast path, and will always be quite...
by tomaskir
Mon Oct 12, 2015 11:48 am
Forum: General
Topic: v6.33rc release candidate (final testing)
Replies: 202
Views: 64761

Re: v6.33rc release candidate (final testing)

Confirming reboot loop on CCR1036 and CCR1009.
by tomaskir
Fri Oct 02, 2015 1:19 pm
Forum: Wireless Networking
Topic: Poe swtich : Hp 1910-8g-Poe (180watt) + netmetal always poweroff
Replies: 7
Views: 2015

Re: Poe swtich : Hp 1910-8g-Poe (180watt) + netmetal always poweroff

NetMetals only support passive PoE, they do NOT support .3at/.3af.

Check here:
http://routerboard.com/RB921UAGS-5SHPacT-NM
802.3af support no
by tomaskir
Wed Sep 23, 2015 4:56 pm
Forum: General
Topic: BGP TTL protection per RFC 3682
Replies: 2
Views: 2527

Re: BGP TTL protection per RFC 3682

I know this is not exactly what you are looking for, but you can change the TTL of any packets from your MikroTik using Mangle.

This work-around could be used at least temporarily to achieve what you describe.
by tomaskir
Mon Sep 21, 2015 6:04 pm
Forum: General
Topic: Telnet to 161 for snmp causes router to lock up
Replies: 3
Views: 1444

Re: Telnet to 161 for snmp causes router to lock up

Did you make a support ticket?

If not, please make a support ticket by mailing to support@mikrotik.com
by tomaskir
Mon Sep 14, 2015 3:39 pm
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624888

Re: Feature requests

Add option to define in radius configuration tab, IP by which will be sending always request to Radius server I have 30 IP's and MT always is sending request to radius server via first IP. Sometimes something is wrong and MT is trying send request via other IP. Problem is that on radius server i ha...
by tomaskir
Fri Sep 11, 2015 12:30 pm
Forum: General
Topic: Training: I'd like to be a certified trainer.
Replies: 1
Views: 1300

Re: Training: I'd like to be a certified trainer.

Contact training@mikrotik.com, they will be glad to assist you.
by tomaskir
Thu Sep 10, 2015 5:59 pm
Forum: RouterBOARD hardware
Topic: RB1200 low bandwidht/high latency on some ports
Replies: 4
Views: 1581

Re: RB1200 low bandwidht/high latency on some ports

Yes, the problems with 9-10 were with jitter, lower speed, and possible packet-loss.

I have never seen issues on ether2 on RB1200, and as you can see from forum searches, no one else complains either.
by tomaskir
Thu Sep 10, 2015 5:49 pm
Forum: RouterBOARD hardware
Topic: RB1200 low bandwidht/high latency on some ports
Replies: 4
Views: 1581

Re: RB1200 low bandwidht/high latency on some ports

RB1200 is no longer sold for about 2 years now.

It had BAD issues with ether9 and ether10, avoid those ports.
Rest of the ports were good, it was a good board as long as you didn't use 9-10.

We still have many deployed, kicking hard without any issue (again we are not using ports 9-10).
by tomaskir
Mon Sep 07, 2015 6:06 pm
Forum: General
Topic: Reverse NAT or WAN NAT Redirection on RouterOS
Replies: 3
Views: 2678

Re: Reverse NAT or WAN NAT Redirection on RouterOS

Here you go, this should give you all required info to solve it:
http://wiki.mikrotik.com/wiki/Hairpin_NAT
by tomaskir
Mon Sep 07, 2015 11:52 am
Forum: Announcements
Topic: v6.30.4 bugfix release
Replies: 103
Views: 40277

Re: v6.30.4 bugfix release

Found a minor bug in 6.30.4, easy to duplicate.

Winbox 3rc12
RB1100AHx2

Control B does not work to bring up comments. Works fine on RB2011iL

Cheers
Ctrl+M is the shortcut for comments...
by tomaskir
Thu Sep 03, 2015 6:49 pm
Forum: General
Topic: Load Balance Incoming Connection Issues - Similar IPs - Connect from Home to Work.
Replies: 2
Views: 1040

Re: Load Balance Incoming Connection Issues - Similar IPs - Connect from Home to Work.

You do not have proper mangling on WAN->Router and WAN->LAN connections.
A connection initiated on a certain ISP MUST BE replied to using the same ISP.

Go over this presentation, it will explain more:
https://www.youtube.com/watch?v=67Dna_ffCvc
by tomaskir
Mon Aug 31, 2015 10:31 pm
Forum: RouterBOARD hardware
Topic: RBmAP2n - system reset removes files???
Replies: 2
Views: 2983

Re: RBmAP2n - system reset removes files???

Read the "Warning" section here:
http://wiki.mikrotik.com/wiki/Manual:System/File

So on devices with "flash" directory, put files you want to persist over a reboot/reset in that directory.
by tomaskir
Fri Aug 28, 2015 7:47 pm
Forum: General
Topic: hAP IPSec performance tests
Replies: 0
Views: 2688

hAP IPSec performance tests

Hi guys, I did some IPSec performance tests on the hAP today, sharing results here. Tests were performed using IPSec in tunnel mode. Performance tested using iperf in udp mode, routing through the tunnel. General configuration details: L2 FastPath used: Yes L3 FastPath used: No FastTrack used: No Fi...
by tomaskir
Wed Aug 05, 2015 6:12 pm
Forum: General
Topic: CRS & Bonding LACP
Replies: 11
Views: 4678

Re: CRS & Bonding LACP

No, CRS does NOT have hw support for bonding nor LACP.
by tomaskir
Mon Aug 03, 2015 8:27 pm
Forum: Beginner Basics
Topic: One pptp-server on each wan interface
Replies: 4
Views: 1568

Re: One pptp-server on each wan interface

How can I bind pptp-server to a specific incoming interface? What should I do if I want to up two different ( authentication service ) pptp-servers on the mikrotik Use firewall to drop/allow connection only from specific interfaces. As for your 2nd question, can you please be more clear? What exact...
by tomaskir
Thu Jul 30, 2015 3:36 pm
Forum: Beginner Basics
Topic: Simple question 750GL dual wan
Replies: 3
Views: 1200

Re: Simple question 750GL dual wan

Yes it is possible.
by tomaskir
Thu Jul 30, 2015 12:30 pm
Forum: Wireless Networking
Topic: Network Bandwidth Monitoring ?
Replies: 12
Views: 3907

Re: Network Bandwidth Monitoring ?

I really recommend a look at NetXMS. It's completely free (and open source) works great with MikroTik. We use it as a centralized Monitoring, Management and Alerting platform. We run all our analytics on it, use it for inventory management, IP space management, etc. It's got a bit of a learning curve,...
by tomaskir
Mon Jul 27, 2015 6:02 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 579
Views: 273636

Re: Cloud Hosted Router

Integrated it in my GNS3 instead of my current images, completely smooth and works very nicely.
Getting MikroTik working in GNS3 is now a 3-click process.

I am EXTREMELY happy with this, very nice job MikroTik, major props for this!
by tomaskir
Mon Jul 27, 2015 5:57 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 579
Views: 273636

Re: Cloud Hosted Router

So, the vmdk is already a 64bit build.

Can't run it using i386, only runs on a x64 VM.

Very nice!
by tomaskir
Sat Jul 25, 2015 8:45 pm
Forum: Announcements
Topic: v6.30.2 bugfix release
Replies: 147
Views: 58652

Re: v6.30.2 bugfix release

I just upgraded our company's CCR1036-8G from 6.3 to 6.30.2 and then upgraded the Firmware from 3.10 to 3.27. Since upgrading our PPTP VPN connections are dropping randomly with an error "CCP lost compression got our of sync: disabling compression" then the next message is "terminati...
by tomaskir
Thu Jul 23, 2015 10:30 am
Forum: RouterBOARD hardware
Topic: Serial number oid via snmp...
Replies: 9
Views: 8627

Re: Serial number oid via snmp...

If not mistaken you using snmp walk right, then it may go to your routerboard but not for all...
i have different version of the RouterOS and none of them success to read...
What version of RouterOS do you have?
by tomaskir
Wed Jul 22, 2015 6:47 pm
Forum: RouterBOARD hardware
Topic: Serial number oid via snmp...
Replies: 9
Views: 8627

Re: Serial number oid via snmp...

.1.3.6.1.4.1.14988.1.1.7.3.0 works for me for Serial number.
Remember that x86 RouterOS doesn't have serial number.

What RouterOS version are you using?
by tomaskir
Wed Jul 22, 2015 9:57 am
Forum: Announcements
Topic: v6.30.x bugfix release
Replies: 136
Views: 51774

Re: v6.30.1 bugfix release

Winbox ignores tick "IP - UPnP - Show Dummy Rule" - they always are in NAT tab. Could you fix it? (Or please give an advice how to report this annoying thing?)
Thanks.
Send the report to support@mikrotik.com
by tomaskir
Mon Jul 20, 2015 12:35 pm
Forum: General
Topic: Login problem - bad rule
Replies: 2
Views: 912

Re: Login problem - bad rule

Click on the MAC address of your device in Winbox to connect using MAC-Winbox.

This is a pure L2 connection, so is not blocked by Firewall.

Then do all the changes through that.
by tomaskir
Wed Jul 15, 2015 4:34 pm
Forum: General
Topic: [BUG?] 6.30 - Getting wireless frequency no longer works
Replies: 1
Views: 961

Re: [BUG?] 6.30 - Getting wireless frequency no longer works

6.30 has new wireless-fp package, "frequency" parameter is no longer available.

You can use this however:
{
/interface wireless
:local tTest [monitor wlan1 once as-value]
:put [:pick ($tTest->"channel") 0 4]
}
by tomaskir
Wed Jul 15, 2015 4:08 pm
Forum: Wireless Networking
Topic: Finding which channel has 'auto' selected
Replies: 2
Views: 1287

Re: Finding which channel has 'auto' selected

/interface wireless monitor wlan1
by tomaskir
Wed Jul 15, 2015 1:41 pm
Forum: Announcements
Topic: v6.30.x bugfix release
Replies: 136
Views: 51774

Re: v6.30.1 bugfix release

Awesome job on the new release system!

Thank you for doing it!
by tomaskir
Tue Jul 14, 2015 2:43 pm
Forum: General
Topic: How to flush a single SA?
Replies: 2
Views: 1419

Re: How to flush a single SA?

If you have multiple peers, you can kill a single peer in /ip ipsec remote-peers (which will ofc flush SAs of that peer).

It's at least a little better than flushing all SAs.
by tomaskir
Mon Jul 13, 2015 1:15 pm
Forum: Wireless Networking
Topic: [bug] wireless-fp and CLI tab-completion not working
Replies: 2
Views: 1218

[bug] wireless-fp and CLI tab-completion not working

With wireless-fp (which is now the default wireless package) tab-completion for the "country" doesn't work. /interface wireless> set [find name=wlan1] country=[TAB] Will NOT give you all available countries. This means there is no way for you to see in the CLI all the available countries fo...
by tomaskir
Thu Jul 09, 2015 4:08 pm
Forum: General
Topic: 6.30 ipsec-policy matcher question
Replies: 12
Views: 3050

Re: 6.30 ipsec-policy matcher question

Now added to fw manual. There you will find difference between ipsec and none Just a final confirmation, so basically the settings are: ipsec-policy=in,none - incoming packets matched by any policy before decryption ipsec-policy=in,ipsec - incoming packets matched by any policy after decryption ipse...
by tomaskir
Thu Jul 09, 2015 3:04 pm
Forum: General
Topic: 6.30 ipsec-policy matcher question
Replies: 12
Views: 3050

6.30 ipsec-policy matcher question

Hi guys, What's the difference between ipsec-policy=in,ipsec and ipsec-policy=in,none? It's not made clear in the new Manual article http://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Allow_Only_Ipsec_Ecapsulated_Traffic Also the options are not yet described in the firewall Manual article http://wiki.mikr...
by tomaskir
Tue Jun 23, 2015 1:55 pm
Forum: RouterBOARD hardware
Topic: hEX lite, function of ports
Replies: 3
Views: 1676

Re: hEX lite, function of ports

All ports are totally equal and can be anything.
The labels are just how the router behaves with default (factory) config.

You can reconfigure the router to do anything.
by tomaskir
Tue Jun 23, 2015 10:48 am
Forum: General
Topic: ipsec and multiple ip addresses on interface
Replies: 5
Views: 3275

Re: ipsec and multiple ip addresses on interface

There is local-address in 6.27 too, I tried that, that doesn't help...

I also tried to add y.y.y.y/32 route to peer with pref-src=x.x.x.x. It doesn't work as well.
It works correctly for me even with 6.23.

Are you sure other NAT / Mangle rules are not interfering?
by tomaskir
Fri Jun 19, 2015 5:29 pm
Forum: General
Topic: ipsec and multiple ip addresses on interface
Replies: 5
Views: 3275

Re: ipsec and multiple ip addresses on interface

Yes, using 6.29.1, you can specify IP address used per-peer.
/ip ipsec peer set 0 local-address=x.x.x.x
by tomaskir
Fri Jun 19, 2015 2:57 pm
Forum: General
Topic: Optimize WLAN Bridge as Low Latency connection for DSL Bonding
Replies: 12
Views: 3894

Re: Optimize WLAN Bridge as Low Latency connection for DSL Bonding

Nstream will be the best option for lowest latency (if like you mentioned, throughput is secondary).
by tomaskir
Fri Jun 19, 2015 12:17 pm
Forum: General
Topic: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)
Replies: 19
Views: 8757

Re: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)

You have something configured wrong then. 1500 works without a problem. Client config: /ppp profile add change-tcp-mss=no name=pppoe use-compression=no use-encryption=no use-ipv6=no use-mpls=no \ use-vj-compression=no /interface pppoe-client add disabled=no interface=ether1 keepalive-timeout=10 max-...
by tomaskir
Thu Jun 18, 2015 12:31 pm
Forum: General
Topic: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)
Replies: 19
Views: 8757

Re: Support for PPPoE MTU > 1492 (via RFC4638 PPP-Max-Payload)

PPPoE client supports 1500 MTU in v6.x

Support for MTU >1500 is not there, but 1500 is supported.
/interface pppoe-client add interface=ether1 max-mtu=1500 max-mru=1500
by tomaskir
Wed Jun 17, 2015 1:47 pm
Forum: General
Topic: Mikrotik Hotspot Manager [beta]
Replies: 44
Views: 26591

Re: Mikrotik Hotspot Manager [beta]

The link isn't working :? :?
This thread is 9 years old...
This is the UserManager ... you can get the package and install it in your MikroTik.

Do NOT bump old threads.

Can this please be locked?
by tomaskir
Wed Jun 17, 2015 1:45 pm
Forum: The Dude
Topic: List of limitations/bugs/fixes/todo in The Dude 4.0b3?
Replies: 3
Views: 2635

Re: List of limitations/bugs/fixes/todo in The Dude 4.0b3?

4.0b3 uses an embedded sqlite DB to store things in. As soon as the DB file is larger than 2GB, you are screwed (that is the limit on the old sqlite drivers Dude 4.0b3 is using). There are ways to recover - includes deleting all historical data. You however have to manually dump (export) the sqlite ...
by tomaskir
Wed Jun 17, 2015 12:21 pm
Forum: General
Topic: Error in "Current Firmware Version" in system/routerboard?
Replies: 6
Views: 1964

Re: Error in "Current Firmware Version" in system/routerboard?

Yes, some of the newer units update firmware automatically.

After you reboot for ROS update, you will see the standard firmware update message in the log, and after another reboot, you will have newest firmware automatically.
by tomaskir
Wed Jun 17, 2015 12:20 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

Well, without getting access to the system and playing with it directly, I don't see why it doesn't work.

You can contact me at tomas[at]atris[dot]sk if you want more direct help.
Or maybe someone else can help you.
by tomaskir
Wed Jun 17, 2015 10:13 am
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

Post your "/ip rou exp" please. There are 2 things I can see happening: 1) routing engine dropping packets because of no route or a blackhole route 2) packets are arriving with TTL of 1, therefore are being dropped I also advise sniffing the traffic (there is an action in prerouting that c...
by tomaskir
Tue Jun 16, 2015 6:59 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

You mentioned in your previous posts you can properly see the return traffic in mangle pre-routing: prerouting in:ether1-gateway out:(none), src-mac e4:48:ab:ab:ab:ab, proto ICMP (type 8, code 0), 10.5.1.14->10.0.10.2, len 84 This means the encrypted traffic is properly coming in and being decrypted...
by tomaskir
Tue Jun 16, 2015 5:02 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

The addresses being incorrect and missing incoming ipsec firewall rule was a copy-paste mistake on my end. Sorry for the confusion. That is why I said it would not work with the previously posted config. I can also confirm traffic is arriving at 10.5.1.14 when pinging from 10.0.10.2. Replies from 1...
by tomaskir
Tue Jun 16, 2015 4:11 pm
Forum: General
Topic: using snmp v3 v3.20
Replies: 6
Views: 7623

Re: using snmp v3 v3.20

what is the difference between SECUIRITY=PRIVATE VS SECURITY=AUTHORIZED ?
Do NOT bump a 4 years old topic.

Regarding your question, watch this presentation and you can learn all about SNMP and SNMP in MikroTik:
https://www.youtube.com/watch?v=McUCYuy9Cv0
by tomaskir
Tue Jun 16, 2015 4:08 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

First of all, from these exports, your IPSec should not work at all, since the policies don't match the peers: /ip ipsec peer add address=54.239.63.154/32 ... add address=54.239.63.155/32 ... /ip ipsec policy add ... sa-dst-address=54.239.63.111 ... add ... sa-dst-address=54.239.63.222 ... add ... sa...
by tomaskir
Tue Jun 16, 2015 3:06 pm
Forum: General
Topic: Packet gets lost: how to debug?
Replies: 14
Views: 6428

Re: Packet gets lost: how to debug?

Post your export of:
/ip ipsec exp
/ip fi filt exp
/ip fi nat exp
/ip fi mang exp
/ip rou exp
by tomaskir
Mon Jun 15, 2015 3:52 pm
Forum: Beginner Basics
Topic: OID SNMP
Replies: 1
Views: 3681

Re: OID SNMP

Go over the data in this presentation:
https://youtu.be/McUCYuy9Cv0

It will give you all useful OIDs and what is located where.
by tomaskir
Mon Jun 15, 2015 12:50 pm
Forum: General
Topic: Set Admin Password via Config File (Flashfig)
Replies: 8
Views: 3246

Re: Set Admin Password via Config File (Flashfig)

/user set [/user find name="admin"] password=123456
by tomaskir
Tue Jun 09, 2015 11:54 am
Forum: Announcements
Topic: v6.29 released
Replies: 191
Views: 75887

Re: v6.29 released

Hi, I think this is a bug or something can't say clearly. Problem is when change SIM card for RB922 or RB912 with RouterOS v6.29.1. Have 2 SIM card with different ISP. Another have PIN code other not have PIN code. When first card which have PIN code everything works fine, but when i change card to ...
by tomaskir
Tue Jun 09, 2015 11:48 am
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 9208

Re: VPLS/MPLS via ospf in wireless network

1508 is however correct if you need to deliver full frames (1500) in a pppoe session inside of the vpls tunnel.

Which is what the presentation was dealing with.
by tomaskir
Mon Jun 08, 2015 10:46 am
Forum: Announcements
Topic: v6.29 released
Replies: 191
Views: 75887

Re: v6.29 released

@normis
I have managed to reproduce a very rare and annoying bug [Ticket#201503206600075]

It will go away if I reboot the device.
Could someone from support please look at this so I can give you guys SSH access?
I cant keep the device in this state for long, since it needs to be used.
by tomaskir
Tue Jun 02, 2015 11:27 am
Forum: General
Topic: Winbox 3 RC
Replies: 636
Views: 206393

Re: Winbox 3 RC

It was announced before somewhere, that single letter shortcuts are removed, because there was a risk of accidentally removing, disabling, etc. We will add shift or something to these keys Yes, I read that and I understand why that was done for remove/disable etc. But comment was not mentioned. Comm...
by tomaskir
Tue Jun 02, 2015 10:05 am
Forum: General
Topic: Winbox 3 RC
Replies: 636
Views: 206393

Re: Winbox 3 RC

The C button no longer works for me to set comments in RC10.

Is this also happening for others?
by tomaskir
Thu May 28, 2015 4:25 pm
Forum: General
Topic: "no-mark" as default mark to all connections and traffic
Replies: 19
Views: 10643

Re: "no-mark" as default mark to all connections and traffic

Very useful and it significantly reduces complexity :) . I just came across the need for a default routing-mark=no-mark as well which is not implemented as of now (v6.28) :(
This post is from 2009.

This is already working as described in 6.28.

@MikroTik - Please lock this topic.
by tomaskir
Mon May 25, 2015 12:58 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 9208

Re: VPLS/MPLS via ospf in wireless network

Are you using nv2 for wireless?
by tomaskir
Mon May 25, 2015 12:23 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 9208

Re: VPLS/MPLS via ospf in wireless network

1500 is the correct L3 and L2 MTU on the VPLS interface in your test scenario. Remember that MTU (L3 MTU) in MKT is with the data, L4 and L3 headers counted in. Calculation of MTU from the point of view of the VPLS interface: 1472 data + 8 icmp header + 20 ip header = 1500 L3 MTU for the VPLS interf...
by tomaskir
Mon May 25, 2015 11:50 am
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 9208

Re: VPLS/MPLS via ospf in wireless network

Hi, Well, that works, but I have read somewhere that the vpls interface will fragment the package anyway, due that I can ping with 1500 packetsize as well. Eth header 14, MPLS 4, VPLS ID 4, VPLS 4, IP header 20 + data 1500 + ping header 8 = 1554 How does this work ? ? ? Yes, VPLS interface will fra...
by tomaskir
Fri May 22, 2015 7:07 pm
Forum: Forwarding Protocols
Topic: VPLS/MPLS via ospf in wireless network
Replies: 31
Views: 9208

Re: VPLS/MPLS via ospf in wireless network

Yes, your calculations are correct, and it will work. Just remember to set the L2MTU correctly on all interfaces on all devices. As for how to test it: Simply create a VPLS tunnel between 2 routers, and try to ping within that tunnel with 1472 packet size with do-not-fragment set. (1472 because ICMP...
by tomaskir
Tue Apr 28, 2015 2:56 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 203546

Re: FastTrack - New feature in 6.29

Question - if I have no rules in forward chain - only in input chain (typical transit router) - will FastTrack be active? IMO, if there are no rules in a default chain, that chain should automatically be FastTracked (so I don't have to add rules now to tons of transit routers to take advantage of Fas...
by tomaskir
Tue Apr 28, 2015 12:35 pm
Forum: Announcements
Topic: FastTrack - New feature in 6.29
Replies: 237
Views: 203546

Re: FastTrack - New feature in 6.29

I will wait for 6.29 final before trying this, but in your rules you add a fasttrack rule and then an accept rule. What happens if there is no accept rule. Doesn't the fasttrack rule here do exactly this - passthrough all packets matched by it ? Yes, but accept is also needed - it was mentioned in ...
by tomaskir
Fri Apr 24, 2015 6:19 pm
Forum: Announcements
Topic: RouterOS v6.28 released
Replies: 229
Views: 92268

Re: RouterOS v6.28 released

Router RB850Gx2 hangs on reboot if serial port is removed from the /system console [admin@RB850Gx2] > /system console print Flags: X - disabled, U - used, F - free # PORT TERM RouterBOOT booter 3.22 RouterBoard 850Gx2 CPU frequency: 533 MHz Memory size: 512 MiB NAND size: 512 MiB Press any key with...
by tomaskir
Fri Apr 24, 2015 12:17 pm
Forum: General
Topic: Нow can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 4149

Re: Нow can i load-balance vpn-tunnel traffic over two links?

How ECMP checks the current link load before send the traffic to this link? There is no load checking. ECMP simply routes each packet over one of the available gateways in a round-robin fashion. There is a catch however - routing decisions are cached by the kernel, so actually, ECMP is more like pe...
by tomaskir
Wed Apr 22, 2015 2:40 pm
Forum: Announcements
Topic: RouterOS v6.28 released
Replies: 229
Views: 92268

Re: RouterOS v6.28 released

Problem with e-mail client still exists.
If you use TLS then the second EHLO, which is normally issued after STARTTLS, is malformed and rejected by postfix with error "Helo command rejected: invalid ip address"
Did you report this to support@mikrotik.com?
by tomaskir
Tue Apr 21, 2015 2:43 pm
Forum: The Dude
Topic: The Dude Alternatives
Replies: 24
Views: 46623

Re: The Dude Alternatives

Thanks. Do you use an agent for those Windows servers? I was hoping to find a way to monitor disk space and memory usage through snmp but that's been more difficult than expected. No, we monitor all using SNMP. Its the same as in The Dude, this is all from the Storage table at OID .1.3.6.1.2.1.25.2...
by tomaskir
Fri Apr 17, 2015 5:01 pm
Forum: General
Topic: v6.28 will be released this week!
Replies: 72
Views: 27008

Re: v6.28 will be released this week!

We have plans to release v6.28 during this week.
Really this week?
Better late than with bugs!
by tomaskir
Wed Apr 15, 2015 5:37 pm
Forum: General
Topic: BGP4-MIB for SNMP monitoring
Replies: 2
Views: 2467

Re: BGP4-MIB for SNMP monitoring

+1 for BGP-MIB

STP-MIB would also be really useful :)
by tomaskir
Mon Apr 13, 2015 5:15 pm
Forum: General
Topic: Нow can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 4149

Re: Нow can i load-balance vpn-tunnel traffic over two links?

How can i use ECMP with IPsec VPN-tunnel? You can't use it with IPSec in tunnel mode. You need to manipulate the routing table, which IPSec tunnel mode policies do not use. Use IPSec in transport mode with a different tunneling protocol (like GRE or L2TP), which will give you an interface, and you c...
by tomaskir
Mon Apr 13, 2015 12:55 pm
Forum: General
Topic: The Radius packets can't pass over ipsec with RouterOS
Replies: 5
Views: 1622

Re: The Radius packets can't pass over ipsec with RouterOS

Which IP is the Radius server and which IP is the radius client? Because you mention The packets will be send from 112.25.145.100, but not encrypted and not pass over Ipsec. If packets from 112.25.145.100 are not encrypted, you are showing us exports from the wrong router (the router hosting 192.168...
by tomaskir
Mon Apr 13, 2015 12:47 pm
Forum: General
Topic: Problem with SSH client
Replies: 2
Views: 1157

Re: Problem with SSH client

It would be helpful if you actually described what the problem is.
by tomaskir
Mon Apr 13, 2015 12:45 pm
Forum: Beginner Basics
Topic: Copying Config to Different Model of Mikrotik Router Board
Replies: 2
Views: 1510

Re: Copying Config to Different Model of Mikrotik Router Board

Just a side note, if you have ROS v5, use
/export compact file=name.rsc
If you have ROS v6, use
/export file=name.rsc
by tomaskir
Fri Apr 10, 2015 3:51 pm
Forum: Beginner Basics
Topic: IPSec/L2TP help
Replies: 2
Views: 1184

Re: IPSec/L2TP help

It's a known issue with MikroTik IPSec.
It's actually an issue in MikroTik NAT-T functionality.

You can not have multiple clients from one public IP.

Consider building a site-to-site tunnel, or use a different tunneling protocol, such as SSTP.
by tomaskir
Fri Apr 10, 2015 12:03 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 73024

Re: RB3011 Block diagram?

This is the CPU that we will use for RB3011: http://www.anandtech.com/show/7526/qualcomm-atheros-announces-new-internet-processor-lineup-ipq8064-and-ipq8062 Can you as well confirm that both switch-chips have a full-duplex 2Gbps link to the CPU? And if the HW acceleration support for AES is going t...
by tomaskir
Thu Apr 09, 2015 12:03 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 73024

Re: Re:

its likely one of "off the shelf" inexpensive A9 twin-core SoC. which explain relatively small performance (for twin-core 1.2Ghz chip). a12/a17 do about 42% more performance than A9 (on same clock on similar die) and a53 and a57 do about 2.5x and 4x times (in peak not sustaine/stressed)mo...
by tomaskir
Wed Apr 08, 2015 7:30 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 73024

Re: RB3011 Block diagram?

Oh wow, that would be a big upgrade over everything with a switch chip that they used before. Even the CCR1009 has a 1Gbit link internally to the 4x1Gbps connected through the switch chip. Are you sure he said 2Gbps per switch chip link, or maybe he meant 1Gbps to each switch chip so 2Gbps in total...
by tomaskir
Wed Apr 08, 2015 4:28 pm
Forum: RouterBOARD hardware
Topic: RB3011 Block diagram?
Replies: 230
Views: 73024

Re:

And what about hardware aes support?
Since CPU brand/type is currently unknown, if it supports aes hw acceleration is also unknown.
by tomaskir
Wed Apr 08, 2015 2:52 pm
Forum: General
Topic: Нow can i load-balance vpn-tunnel traffic over two links?
Replies: 8
Views: 4149

Re: Нow can i load-balance vpn-tunnel traffic over two links?

A much better solution is to use ECMP load-balancing over the VPN links. If you balance on L2 (using EoIP), you will get huge problems with out-of-order packet delivery, fragmentation, and a lot of other things. Using ECMP also has its disadvantages (very similar to LACP), but overall, is a better s...