Search found 105 matches

by robertpenz
Fri Feb 16, 2024 1:41 pm
Forum: General
Topic: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots
Replies: 15
Views: 6355

Re: MLAG Issue - MLAG functionality flaps LACP system-id of secondary when primary reboots

Do you have any comments on how other vendors are dealing with this problem? We might consider improving our implementation or adding new configuration settings, but would like to hear other opinions as well. I'm running MLAG setups for over 15 years and all vendors I used so far do following. ISC ...
by robertpenz
Thu Dec 07, 2023 4:07 pm
Forum: General
Topic: WireGuard multi core support?
Replies: 3
Views: 1649

WireGuard multi core support?

Hi! We're using CCR2116-12G-4S+ and we're able to send about 2,2 Gbit in one direction over a WireGuard tunnel and one core is at almost 100%, but the overall load is at under 20%. We thought that adding another WireGuard tunnel and load balance the traffic over it will use a second core and allow u...
by robertpenz
Mon Jul 31, 2023 2:00 pm
Forum: General
Topic: pyNetinstall - Free and Open Source netInstall implementation for Flashing Mikrotik RouterBoards
Replies: 7
Views: 34907

Re: pyNetinstall - Free and Open Source netInstall implementation for Flashing Mikrotik RouterBoards

Hey, I had face a problem with pynetinstall and i troubled it. so you can give me a some tips and tricks to fix it. Please create a ticket on https://github.com/dvtirol/pynetinstall/issues and we take a look at it Has anyone implemented a plugin to allow automatic detection and uploading of firmwar...
by robertpenz
Thu May 04, 2023 2:50 pm
Forum: General
Topic: pyNetinstall - Free and Open Source netInstall implementation for Flashing Mikrotik RouterBoards
Replies: 7
Views: 34907

pyNetinstall - Free and Open Source netInstall implementation for Flashing Mikrotik RouterBoards

Hi! We're heavily using Mikrotiks in our environment and automation is very important for us. We're generating the configuration for our network equipment via scripts/templates from a source of truth system. To be able to integrate the Mikrotiks better in that workflow (which we use also for enterpris...
by robertpenz
Fri Jun 10, 2022 8:41 am
Forum: Announcements
Topic: MikroTik Devices Controller
Replies: 332
Views: 238780

Re: MikroTik Devices Controller

It should be Web-based and the Server should run also on Linux - we don't have Windows Servers.
by robertpenz
Tue May 03, 2022 8:33 am
Forum: RouterOS beta
Topic: How to show OSPF route costs in RouterOS 7?
Replies: 5
Views: 4108

Re: How to show OSPF route costs in RouterOS 7?

Thx for the reply. Where do I see the costs? The Cost should be 50 and 60. And where do I see the route candidates I get via OSPF? I should see 192.168.76.0/27 2 times. [Mikrotik] > /routing/route/print Flags: A - ACTIVE; c, s, o, y - COPY; H - HW-OFFLOADED Columns: DST-ADDRESS, GATEWAY, AFI, DISTAN...
by robertpenz
Mon May 02, 2022 10:19 pm
Forum: General
Topic: 802.1x (ethernet) Questions
Replies: 9
Views: 2991

Re: 802.1x (ethernet) Questions

1. The documentation states. "An interface where dot1x server is enabled will block all traffic except for EAPOL packets which is used for the authentication." There is no explanation if that means only incoming or also outgoing traffic. The reason I ask is that in enterprise networks, Wa...
by robertpenz
Mon May 02, 2022 10:05 pm
Forum: RouterOS beta
Topic: How to show OSPF route costs in RouterOS 7?
Replies: 5
Views: 4108

How to show OSPF route costs in RouterOS 7?

I've set up my first OSPF on a RouterOS 7 - done a few on previous versions. It works so far for me, but I'm missing a place to see the costs of the route candidates. In RouterOS 6 it was via /routing ospf route print - but that's gone in RouterOS 7 - what's the new way to check that? The new docume...
by robertpenz
Thu Apr 28, 2022 2:32 pm
Forum: RouterOS beta
Topic: Zerotier and VRF
Replies: 3
Views: 2776

Re: Zerotier and VRF

that's correct as far as I know, but the problem is that if you'll try e.g. a SNMP query to the mikrotik via wireguard/zerotier from an IP that's in the subnet the router uses to connect to the internet it does not work - you can't bind the snmpd (and other services to a VRF). As one use case is tha...
by robertpenz
Sun Apr 10, 2022 11:44 pm
Forum: General
Topic: 802.1x (ethernet) Questions
Replies: 9
Views: 2991

Re: 802.1x (ethernet) Questions

Doubtless true, but surely you can try it and get the answer faster than it'll take someone to give a definitive reply. but that way if outgoing traffic is leaking it could be a feature or a bug or the other way round if it does not get out ... as most features got only implemented with 7.2 that qu...
by robertpenz
Sun Apr 10, 2022 11:17 pm
Forum: General
Topic: 802.1x (ethernet) Questions
Replies: 9
Views: 2991

Re: 802.1x (ethernet) Questions

Hi thx for your answer. Yes, I can and will try it out, just thought that I'm not the first one looking into that or maybe someone from Mikrotik reads it and tells us what's the correct meaning of the documentation. About the mac based / port based. No, that has nothing to do with mac-auth. Basicall...
by robertpenz
Sun Apr 10, 2022 9:21 pm
Forum: General
Topic: 802.1x (ethernet) Questions
Replies: 9
Views: 2991

802.1x (ethernet) Questions

Hi! I read through the documentation at https://help.mikrotik.com/docs/display/ROS/Dot1X and have some questions. I'm used to configuring 802.1x NAC on major switch brands like, cisco, extreme, hp .... but I don't get some points in the Mikrotik documentation. I hope someone can help me. 1. The docu...
by robertpenz
Sun Apr 10, 2022 8:55 pm
Forum: RouterOS beta
Topic: Zerotier and VRF
Replies: 3
Views: 2776

Re: Zerotier and VRF

No one has an idea? I don't understand that, is that not a classic usecase for zerotier? Put a router anywhere, and it works even on overlapping subnets.
by robertpenz
Thu Mar 31, 2022 2:39 pm
Forum: RouterOS beta
Topic: Zerotier and VRF
Replies: 3
Views: 2776

Zerotier and VRF

Hi! my goal is to have a rb5009, which can be connected to any internet connection (it just needs to be provided an IP via DHCP). The rb5009 establishes a Zerotier connection to the other routers in the same Zerotier network and route clients behind it through it. That's easy, now the more complicat...
by robertpenz
Mon Mar 21, 2022 4:14 pm
Forum: RouterOS beta
Topic: RB5009 reboots itself each 8-10 days (7.2rc3/rc4) [SOLVED]
Replies: 19
Views: 6461

Re: RB5009 reboots itself each 8-10 days (7.2rc3/rc4) [SOLVED]

My 5009 crashed every few days, it stopped only after I upgraded all other mikrotiks in the network to >= 7.1 - in my case I believe it was a bug in the capsman or discovery protocol that went away when all systems used 7.x
by robertpenz
Wed Dec 08, 2021 7:11 pm
Forum: General
Topic: download.mikrotik.com does not work via IPv6
Replies: 3
Views: 1209

download.mikrotik.com does not work via IPv6

Hi! for me download.mikrotik.com resolves to: download.mikrotik.com has address 159.148.172.226 download.mikrotik.com has address 159.148.147.204 download.mikrotik.com has IPv6 address 2a02:610:7501:1000::204 download.mikrotik.com has IPv6 address 2a02:610:7501:4000::226 but the IPv6 addresses don't...
by robertpenz
Wed Dec 08, 2021 9:46 am
Forum: RouterOS beta
Topic: container package missing in 7.1?
Replies: 2
Views: 3656

container package missing in 7.1?

Hi! I've downloaded https://download.mikrotik.com/routeros/7.1/all_packages-arm64-7.1.zip and unzipped it, but I found only following packages: calea-7.1-arm64.npk gps-7.1-arm64.npk iot-7.1-arm64.npk tr069-client-7.1-arm64.npk user-manager-7.1-arm64.npk zerotier-7.1-arm64.npk What I'm doing wrong? T...
by robertpenz
Sat Sep 18, 2021 6:43 pm
Forum: RouterOS beta
Topic: Zerotier to Mipsbe??
Replies: 109
Views: 34563

Re: Zerotier to Mipsbe??

+1 mmips and chr for the central location
by robertpenz
Tue Jul 13, 2021 8:32 am
Forum: RouterOS beta
Topic: IPv6 forwarding not working in 7.1beta6
Replies: 21
Views: 12044

Re: IPv6 forwarding not working in 7.1beta6

I don't have a bridge on my setup, everything is routed. So these seem to be separated problems.
by robertpenz
Tue Jun 08, 2021 9:07 pm
Forum: RouterOS beta
Topic: IPv6 forwarding not working in 7.1beta6
Replies: 21
Views: 12044

Re: IPv6 forwarding not working in 7.1beta6

Thx for the tip - at least for beta4 that also worked for me ... deleted all ipv6 firewall rules and it started working and kept working after applying them again - at least for the last few minutes.
by robertpenz
Thu May 27, 2021 8:18 pm
Forum: RouterOS beta
Topic: v7.1beta6 [development] is released!
Replies: 377
Views: 243472

Re: v7.1beta6 [development] is released!

IPv6 forward is not working on Hex - is this a known problem and is there a workaround for it?
by robertpenz
Wed May 26, 2021 8:37 am
Forum: RouterOS beta
Topic: IPv6 forwarding not working in 7.1beta6
Replies: 21
Views: 12044

Re: IPv6 forwarding not working in 7.1beta6

I'm running a hEX (model: RB750Gr3) - I don't believe it's a connection tracking issue as I don't see matches on the "invalid" rule also. And yes input is working, just forward not.
by robertpenz
Sun May 23, 2021 8:24 pm
Forum: RouterOS beta
Topic: IPv6 forwarding not working in 7.1beta6
Replies: 21
Views: 12044

Re: IPv6 forwarding not working in 7.1beta6

Downgrade to 7.1beta4 makes ping working, but TCP traffic is still not forwarded.
by robertpenz
Sun May 23, 2021 1:41 pm
Forum: RouterOS beta
Topic: IPv6 forwarding not working in 7.1beta6
Replies: 21
Views: 12044

IPv6 forwarding not working in 7.1beta6

Hi! UPDATE: IPv6 forwarding is not working at all - does not matter if I add 2 vlans and I try to ping between them or the below setup. The counters of the ipv6 firewall rules are not incremented (also the invalid drop rules). I've also disabled all queues - so that can't also be the problem. I was r...
by robertpenz
Sun May 23, 2021 11:02 am
Forum: RouterOS beta
Topic: UPS Module Missing in 7.1beta6
Replies: 0
Views: 1395

UPS Module Missing in 7.1beta6

Hi!

I've upgraded from a 6.x to 7.1beta6, and now I'm missing the /system/ups path. I've looked into the all_packages-mmips-7.1beta6.zip, but there is no ups module. Please advise how to get the ups monitoring going again. Thx.

Regards,
Robert
by robertpenz
Wed Apr 10, 2019 8:44 pm
Forum: General
Topic: [Feature request] Wireguard
Replies: 148
Views: 65821

Re: [Feature request] Wireguard

We did some performance Tests with Wireguard and man it is faster than any other VPN with much less CPU load! And for Android Phones the battery is not used more than without VPN, which is not true for all other VPNs - It makes a VPN almost transparent performance wise. Please implement!!
by robertpenz
Thu Apr 19, 2018 11:40 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 8
Views: 2643

Re: CHR still communicates with 169.254.169.254

@sid5632: thx, changed it to your version
by robertpenz
Thu Apr 19, 2018 11:39 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 8
Views: 2643

Re: CHR still communicates with 169.254.169.254

no, the CHR is on our own ESX in our datacenter.
by robertpenz
Thu Apr 19, 2018 11:02 am
Forum: General
Topic: CHR still communicates with 169.254.169.254
Replies: 8
Views: 2643

CHR still communicates with 169.254.169.254

I'm seeing on our firewalls that our test CHR is trying to connect to IP 169.254.169.254 with HTTP every few seconds (= over 250.000 connections attempts in 12h) . Google showed some old posts from 2015 where it was described as bug that will be fixed. As we're running 6.41.4, so it seems not. I did...
by robertpenz
Thu Jan 04, 2018 11:08 am
Forum: General
Topic: Meltdown and Spectre Security Vulnerabilities on x86
Replies: 13
Views: 4352

Re: Meltdown and Spectre Security Vulnerabilities on x86

so it's not possible to get from a guest down to the host?
by robertpenz
Thu Jan 04, 2018 11:03 am
Forum: General
Topic: Meltdown and Spectre Security Vulnerabilities on x86
Replies: 13
Views: 4352

Re: Meltdown and Spectre Security Vulnerabilities on x86

What about Meta-Router feature? And Spectre is not Intel only, also ARM. https://security.googleblog.com/2018/01/todays-cpu-vulnerability-what-you-need.html These vulnerabilities affect many CPUs, including those from AMD, ARM, and Intel, as well as the devices and operating systems running on them.
by robertpenz
Wed Oct 04, 2017 9:30 am
Forum: General
Topic: RouterOS affected by Dnsmasq security vulnerabilities?
Replies: 1
Views: 1429

RouterOS affected by Dnsmasq security vulnerabilities?

Hi! Is RouterOS (and if yes which versions) affected by the CVE-2017-14491, CVE-2017-14492, CVE-2017-14493, CVE-2017-14494, CVE-2017-14495, CVE-2017-14496, CVE-2017-13704 which were released by Google? https://security.googleblog.com/2017/10/behind-masq-yet-more-dns-and-dhcp.html I'm asking as I fo...
by robertpenz
Thu Feb 09, 2017 3:12 pm
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 7719

Re: Weird 129.0.0.x IPs ?

I've reported that problem in ticket 2017020822000589, and Sergejs has acknowledged a bug with handling tagged packets and they will fix it.
by robertpenz
Wed Feb 08, 2017 12:13 pm
Forum: General
Topic: Weird 129.0.0.x IPs ?
Replies: 30
Views: 7719

Re: Weird 129.0.0.x IPs ?

I see the same problem with 6.37.4. It seems to be a problem on interfaces which have tagged vlans. As I see the same problem on multiple routers which are not on the same subnet it can't be a damaged NIC or wrong configured client. We've also activated reverse path filtering so it's not possible tha...
by robertpenz
Sun Nov 27, 2016 6:54 pm
Forum: RouterBOARD hardware
Topic: hEX mode button/switch next to usb port
Replies: 1
Views: 10620

hEX mode button/switch next to usb port

Hi!

What is the purpose of the mode button/switch next to the USB port as seen on this image. Could not find an answer searching.

by robertpenz
Mon Feb 08, 2016 8:35 am
Forum: General
Topic: Integrate WAN Optimization based on SoloWAN
Replies: 3
Views: 3359

Re: Integrate WAN Optimization based on SoloWAN

With userspace I meant that there is no kernel patching needed as the mikrotik kernel is heavily modified so that would be tricky to apply. A user space program with only a few dependencies should be much easier to integrate. ;-)
by robertpenz
Sun Feb 07, 2016 7:27 pm
Forum: General
Topic: Integrate WAN Optimization based on SoloWAN
Replies: 3
Views: 3359

Integrate WAN Optimization based on SoloWAN

The popular German enterprise IT magazine iX did a big article about WAN optimization in their last issue (2/2016). Part of the article was testing Open Source solutions. The clear winner is SoloWAN (https://github.com/centeropenmiddleware/solowan). They did tests for cifs, nfs, https and http traff...
by robertpenz
Thu Aug 13, 2015 10:03 am
Forum: General
Topic: Now we need RSA support - OpenSSH 7.0 has removed DSA support
Replies: 3
Views: 1567

Now we need RSA support - OpenSSH 7.0 has removed DSA support

Hi! I don't understand why Mikrotik keeps DSA, it's insecure (yes, also the 2048bit version), and does not support RSA. Anyway yesterday OpenSSH 7.0 has been released and DSA is no longer supported. So please move to RSA and ECC now - Thx! see also: http://it.slashdot.org/story/15/08/11/2340247/open...
by robertpenz
Sat Jul 11, 2015 1:51 pm
Forum: General
Topic: Feature request: support RSA keys and update DH group support
Replies: 2
Views: 1617

Re: Feature request: support RSA keys and update DH group support

RSA would be great for yubi keys to have two factor authentication (ssh key on the yubi key)
by robertpenz
Sat Jun 27, 2015 6:48 pm
Forum: Announcements
Topic: Dual band AP for home use, SSID same or different?
Replies: 62
Views: 53489

Re: Dual band AP for home use, SSID same or different?

Please make it possible to push certain clients from 2,4 to 5ghz if the same SSID is configured (which should be the default mode on shipping). Some devices stay on 2,4 even if they support 5, and the air time in the 2,4 space is valuable.
by robertpenz
Tue Feb 24, 2015 10:59 am
Forum: Forwarding Protocols
Topic: What BGP setups need to be optimized
Replies: 57
Views: 32164

Re: What BGP setups need to be optimized

Answer is per router: * how many peers; 10 * how many routes in routing table; /ip route print count-only 1978010 /ipv6 route print count-only 43565 * is there also OSPF,MPLS, VPLS, RIP etc running on the router; OSPF * what are the hardware specs; CCR1036-8G-2S+ * are there routing filters; yes * a...
by robertpenz
Mon Dec 22, 2014 7:20 pm
Forum: Forwarding Protocols
Topic: ECMP OSFP Routes changes between 5.x and 6.x?
Replies: 0
Views: 1048

ECMP OSFP Routes changes between 5.x and 6.x?

Hi, We've implemented an OSPF ECMP setup with 5.x and for each tcp connection / flow it has been decided which route it takes. For us it seems that this has been changed with 6.x that the same dst-address (of the flow) of multiple clients stay on the same interface. Is this correct? and how can we c...
by robertpenz
Sat Nov 08, 2014 10:50 am
Forum: General
Topic: Feature request: SNMP v3 AES encryption
Replies: 6
Views: 3626

Re: Feature request: SNMP v3 AES encryption

Using 6.18 with snmpv3 and aes for some weeks now ... no problems. it is stable even if queried a lot.
by robertpenz
Mon Oct 06, 2014 6:36 pm
Forum: General
Topic: License Upgrade Restrictions removed?
Replies: 2
Views: 1559

License Upgrade Restrictions removed?

Following text http://wiki.mikrotik.com/index.php?title=Manual:License&curid=1634&diff=26596&oldid=26595 RouterOS upgrade capabilities are not limited by time, but by version, and this depends on the RouterOS license level. For example if you are running RouterOS v5, your license could r...
by robertpenz
Thu Aug 28, 2014 11:01 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB Support
Replies: 5
Views: 2393

Re: BGP4-MIB Support

+1 also
by robertpenz
Thu Jul 31, 2014 9:24 am
Forum: Forwarding Protocols
Topic: {} in BGP AS paths?
Replies: 2
Views: 1475

Re: {} in BGP AS paths?

Is it possible that these are aggregated AS?
by robertpenz
Thu Jul 31, 2014 9:13 am
Forum: Forwarding Protocols
Topic: {} in BGP AS paths?
Replies: 2
Views: 1475

{} in BGP AS paths?

I've found AS paths with { } entries ... does someone know what that means? Here a screenshot
by robertpenz
Sat Jul 05, 2014 5:17 pm
Forum: Forwarding Protocols
Topic: Migrate Vyatta BGP to RouterOS BGP
Replies: 14
Views: 5217

Re: Migrate Vyatta BGP to RouterOS BGP

I replaced 2 Vyatta Routers with Mikrotik ones, the setup is the basis for this blog post: http://robert.penz.name/779/howto-setup ... k-routers/
by robertpenz
Tue Jun 10, 2014 2:59 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 4696

Re: OPENSSL 5 june bugs

What I want to know is, if only the administration (HTTPS, Winbox) is vulnerable, which would be not big problem as we're using dedicated management networks, or production service also external user can reach.
by robertpenz
Tue Jun 10, 2014 2:52 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 4696

Re: OPENSSL 5 june bugs

ok only 6.x gets a security update. so switch services are vulnerable? I need this to compare the security impact against the time and money the update from 5.x costs.
by robertpenz
Tue Jun 10, 2014 2:20 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 4696

Re: OPENSSL 5 june bugs

With my routers running 6.x that's easy. But we've many 5.x still and an upgrade to 6.14 is not that fast done. So I would like to know which services/protocols are affected. If I don't use them I don't need to upgrade. Or will there be a 5.x security release.
by robertpenz
Fri Jun 06, 2014 5:35 pm
Forum: General
Topic: OPENSSL 5 june bugs
Replies: 11
Views: 4696

Re: OPENSSL 5 june bugs

Which services / protocols on the RouterOS are vulnerable?
by robertpenz
Sun Jun 01, 2014 8:42 pm
Forum: General
Topic: Howto on setup a Mikrotik RouterOS with Suricata as IDS
Replies: 3
Views: 3001

Re: Howto on setup a Mikrotik RouterOS with Suricata as IDS

Because I post in my blog not only Mikrotik stuff (in reality it is only a small part) and I want one central place for all my stuff.
by robertpenz
Sun Jun 01, 2014 5:11 pm
Forum: General
Topic: Howto on setup a Mikrotik RouterOS with Suricata as IDS
Replies: 3
Views: 3001

Howto on setup a Mikrotik RouterOS with Suricata as IDS

I've written a howto on combining Suricata and RouterOs (/tool sniffer) for a SOHO setup as IDS (Intrusion detection system). I link it here, as I've read multiple times people asking for it and today I got some time to write everything down. So here is it: http://robert.penz.name/849/howto-setup-a-...
by robertpenz
Mon May 12, 2014 10:03 pm
Forum: General
Topic: Hotspot Feature via Layer 3 not working with VRRP
Replies: 1
Views: 1368

Re: Hotspot Feature via Layer 3 not working with VRRP

Is nobody running a Layer 3 hotspot network?
by robertpenz
Sun May 04, 2014 10:48 pm
Forum: General
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 6274

Re: Feature Requests for 7.x for improved network security

For authenticating users to login via ssh access onto the router or something like this you're correct. But for authentication devices for network access via 802.1x RADIUS is the only game in town. And the encryption of data is not so important there as EAP-TLS is mostly used (If security is a conce...
by robertpenz
Thu May 01, 2014 12:08 pm
Forum: General
Topic: Hotspot Feature via Layer 3 not working with VRRP
Replies: 1
Views: 1368

Hotspot Feature via Layer 3 not working with VRRP

I have following setup in my lab to reproduce the problem: The Mikrotik has the Internet connection and is running a DHCP Server and Hotspot Server. A layer 3 switch which connects the clients and also provides a DHCP Relay. e.g.: Internet -- Hotspot Mikrotik - (10.0.0.0/24)- Layer3 Switch - (10.0.1...
by robertpenz
Mon Apr 21, 2014 12:45 pm
Forum: General
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 6274

Re: Feature Requests for 7.x for improved network security

What has TACACS (Terminal Access Controller Access-Control System) to do with authenticating network devices? As far as I know TACACS is only used for authenticating users that want to access the router (= the admins) .. it has nothing to do with network security or I'm mistaken?
by robertpenz
Sat Apr 19, 2014 8:26 pm
Forum: General
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 6274

Re: Feature Requests for 7.x for improved network security

Zorro: I believe you misunderstood my feature request. If you use the DHCP Server on the Mikrotik it is possible to add the MAC address of the client which got the lease to the ARP table of the router. If you now disabled ARP learning only Clients with DHCP can talk over the router and ARP spoofing ...
by robertpenz
Tue Apr 08, 2014 3:32 pm
Forum: General
Topic: Heartbleed vulnerability OpenSSL [RouterOS IS NOT affected]
Replies: 9
Views: 10357

Re: Heartbleed vulnerability in OpenSSL - RouterOS affected?

Does this mean 6.x have the vulnerability and 5.x don't?
by robertpenz
Sat Mar 22, 2014 2:54 pm
Forum: Forwarding Protocols
Topic: BGP multicore support
Replies: 4
Views: 2580

Re: BGP multicore support

plus 1
by robertpenz
Sat Mar 22, 2014 2:53 pm
Forum: Forwarding Protocols
Topic: Howto on a redundant and secure BGP (full table) setup
Replies: 1
Views: 1703

Howto on a redundant and secure BGP (full table) setup

Hi! I wanted to write this howto for a long time, but never had the time. But now it happened, a howto called "Howto setup a redundant and secure BGP (full table) Internet connection with Mikrotik Routers" and here is the link: http://robert.penz.name/779/howto-setup-a-redundant-and-secure...
by robertpenz
Fri Feb 28, 2014 11:12 am
Forum: Forwarding Protocols
Topic: show ip bgp summary
Replies: 3
Views: 11490

Re: show ip bgp summary

Big Thx for this script!
by robertpenz
Sat Feb 22, 2014 6:31 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB
Replies: 14
Views: 10002

Re: BGP4-MIB

+1 SNMP Monitoring of BGP
by robertpenz
Sat Feb 22, 2014 6:24 pm
Forum: General
Topic: Feature Requests for 7.x for improved network security
Replies: 11
Views: 6274

Feature Requests for 7.x for improved network security

Hi! I would love following features specially for the CRS. - Wired MAC Authentication against Radius with dynamic VLAN assignment via Radius - Wired 802.1x Authentication against Radius with dynamic VLAN assignment via Radius - Wired Dual (MAC and 802.1x) Authentication against Radius Following for ...
by robertpenz
Sun Jan 26, 2014 6:38 pm
Forum: Forwarding Protocols
Topic: MIkrotik BGP Monitoring
Replies: 64
Views: 38171

Re: MIkrotik BGP Monitoring

These 3 would be also my favorites .
by robertpenz
Fri Oct 25, 2013 5:21 pm
Forum: General
Topic: Security: Random cypto generator broken in MIPS Kernel
Replies: 3
Views: 1651

Re: Security: Random problem in MIPS Kernels

Still no answer? I've also sent a mail to the mikrotik support but also no answer there either ... do I need to consider the ipsec part to be broken for the future?
by robertpenz
Fri Oct 25, 2013 4:50 pm
Forum: General
Topic: MikroTik News October 2013 (Issue #52)
Replies: 27
Views: 14239

Re: MikroTik News October 2013 (Issue #52)

We are working on a new manual, here is a start http://wiki.mikrotik.com/wiki/Manual:CRS_examples The new CRS looks good from the hardware and cost perspective! But if you want to get also in the small remote offices (currently one needs a router, a switch and access point - with CRS only one devic...
by robertpenz
Sun Sep 29, 2013 5:09 pm
Forum: General
Topic: Security: Random cypto generator broken in MIPS Kernel
Replies: 3
Views: 1651

Security: Random cypto generator broken in MIPS Kernel

Some weeks ago a bug in the random function get_cycles() of the Linux kernel for MIPS processors was discovered. e.g. https://lists.openwrt.org/pipermail/openwrt-devel/2013-September/021318.html And 10 days ago a fix was provided for this: http://git.kernel.org/cgit/linux/kernel/git/torvalds/linux.g...
by robertpenz
Tue Sep 10, 2013 12:11 pm
Forum: General
Topic: QoS Piorities and PCQ
Replies: 3
Views: 1616

Re: QoS Piorities and PCQ

Ok, Thx for your help.
by robertpenz
Mon Sep 09, 2013 10:46 am
Forum: General
Topic: QoS Piorities and PCQ
Replies: 3
Views: 1616

QoS Piorities and PCQ

Hi! I've following queues for my WAN interfaces on both routers and it works as expected. Now I want to add PCQ to make sure that not one session is filling up the connection if there are other sessions. Where do I need to add the PCQ? with each /queue or is it enough if I set it for the parent? Do ...
by robertpenz
Fri May 31, 2013 12:36 pm
Forum: RouterBOARD hardware
Topic: FAN broken in RB1100AHx2?
Replies: 0
Views: 1366

FAN broken in RB1100AHx2?

I've a question about the fan in a RB1100AHx2. Normally the output looks like this: /system health print fan-mode: auto use-fan: main active-fan: main voltage: 12.3V current: 757mA fan-speed: 1952RPM temperature: 25C cpu-temperature: 35C power-consumption: 9.3W But I've one Router which look like th...
by robertpenz
Tue Feb 19, 2013 8:16 am
Forum: RouterBOARD hardware
Topic: CCR - Secondary PSU
Replies: 58
Views: 32242

Re: CCR - Secondary PSU

+1 for the post from SwissWISP ... that and a paid support subscription are the only parts holding us back in using Mikrotiks more and in more critical areas.
by robertpenz
Sun Feb 17, 2013 10:45 pm
Forum: RouterBOARD hardware
Topic: CCR - Secondary PSU
Replies: 58
Views: 32242

Re: CCR - Secondary PSU

It would be nice to buy the CCR with 2 PSUs in the first place. With the CCR you're moving into the data centers where this is standard.
by robertpenz
Sun Feb 10, 2013 7:46 pm
Forum: Forwarding Protocols
Topic: OSPF Design consideration
Replies: 10
Views: 6052

Re: OSPF Design consideration

Yeah, I would also use only one area for this small setup. Remove the complexity!! >500 routers in one area is no problem today ... Use areas to separate devices with bad ospf implementations from the rest. E.g. loadbalancers or mainframes Or for security reasons ( you want all traffic over some spe...
by robertpenz
Fri Nov 30, 2012 9:47 pm
Forum: General
Topic: simple queues understanding problem
Replies: 5
Views: 3216

Re: simple queues understanding problem

Fixed in rc4
by robertpenz
Fri Nov 30, 2012 5:34 pm
Forum: General
Topic: Please support terminating EoIP and IPIP tunnels on VRRP Int
Replies: 2
Views: 2717

Re: Please support terminating EoIP and IPIP tunnels on VRRP

Why not make 2 ipip tunnels and run ospf over it? I'm running ipsec encrypted ipip tunnels with ospf for a long time without problems .
by robertpenz
Thu Nov 29, 2012 10:09 pm
Forum: General
Topic: USE adsl modem as a bridge
Replies: 1
Views: 1111

Re: USE adsl modem as a bridge

Take a look at this blog entry http://robert.penz.name/484/howto-use-a ... onnection/ ... Different modem but also mikrotik router
by robertpenz
Sun Nov 25, 2012 9:26 am
Forum: General
Topic: simple queues understanding problem
Replies: 5
Views: 3216

Re: simple queues understanding problem

Mikrotik reported back. They could reproduce the bug.
by robertpenz
Sat Nov 24, 2012 8:58 pm
Forum: General
Topic: TCP Connection Reopening Bug in 5.xx?
Replies: 2
Views: 1814

TCP Connection Reopening Bug in 5.xx?

Hi! I believe I found a bug in at least the 5.xx releases (tested with 5.14 and 5.20). Can someone verify my findings please. Following is the setup: VoIP Phone (h.323) - Switch - Mikrotik Router - Switch - VoIP Gateway Here the packet flow 1. A call (media is initialized by the Gateway to the phone...
by robertpenz
Fri Nov 23, 2012 10:38 pm
Forum: RouterBOARD hardware
Topic: Product idea: cheap and small mikrotik as media converter
Replies: 1
Views: 1218

Product idea: cheap and small mikrotik as media converter

Hi, We sometimes need media converts fibre to copper ... But it would be cool to have something with some management capabilities ..... Let's say a really small mikrotik with one sfp(or even integrated) and one rj45 plug. Just needs to have following features: - ssh login - bridging between both int...
by robertpenz
Wed Nov 14, 2012 11:24 pm
Forum: General
Topic: simple queues understanding problem
Replies: 5
Views: 3216

Re: simple queues understanding problem

It's a bug ... it works in rc2 and rc3 until the pptp connection reconnects then it stops working .. I reported it to mikrotik.
by robertpenz
Wed Nov 14, 2012 6:05 pm
Forum: General
Topic: simple queues understanding problem
Replies: 5
Views: 3216

Re: simple queues understanding problem

thx for your answer

1. I had that already, did remove it as I thought thats maybe the problem .. but I will reinsert it
2. all traffic which the child should get, goes through the DSL Uplink or is there some error in the config so that's not the case?
3. ok
by robertpenz
Tue Nov 13, 2012 10:42 pm
Forum: General
Topic: simple queues understanding problem
Replies: 5
Views: 3216

simple queues understanding problem

Hi! I've installed 6.0rc2 to play with the simple rules, but I don't understand something. My test setup is a mikrotik with a DSL uplink and multiple VLANs behind it. I want to shape the traffic from and to the Internet but not between the VLANs. I therefore added following queue /queue simple add max-...
by robertpenz
Sat Nov 10, 2012 12:29 pm
Forum: RouterBOARD hardware
Topic: CLOUD CORE ROUTER
Replies: 1373
Views: 1188623

Re: CLOUD CORE ROUTER

Can you tell me the aes128 performance of the ccr models? Do they have also a special crypto chip?

THX
by robertpenz
Wed Nov 07, 2012 8:58 pm
Forum: Wireless Networking
Topic: USB UMTS Stick (Huawei E170) NO CARRIER
Replies: 1
Views: 3585

USB UMTS Stick (Huawei E170) NO CARRIER

Hi! I've a Huawei E170 USB UMTS Stick which works fine under Linux (Centos 6). Now I wanted to use this stick with a Mikrotik (RB751G-2HnD, running 6.0rc2) but I keep getting "NO CARRIER" with a configuration that I believe matches my Linux box. The LED on the USB stick shows that it is...
by robertpenz
Sat Jul 21, 2012 11:37 am
Forum: General
Topic: How does the balance-xor bonding exactly work?
Replies: 2
Views: 4552

Re: How does the balance-xor bonding exactly work?

ah thx. the transmit-hash-policy is not only for the 802.3ad - I overlooked that

that means I can use balance-xor with transmit-hash-policy layer-2-and-3 / layer-3-and-4 and arp as link-monitoring over 2 eoip tunnels which is not possible with 802.3ad. that's cool thx.
by robertpenz
Fri Jul 20, 2012 2:52 pm
Forum: General
Topic: How does the balance-xor bonding exactly work?
Replies: 2
Views: 4552

How does the balance-xor bonding exactly work?

From the wiki page http://wiki.mikrotik.com/wiki/Manual:Interface/Bonding I get following balance-xor This mode balances outgoing traffic across the active ports based on hashed protocol header information and accepts incoming traffic from any active port. Mode is very similar to LACP except that it...
by robertpenz
Fri Mar 02, 2012 8:16 am
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

I believe the x2 is a dual core machine, which does not support metarouter.
by robertpenz
Wed Jan 11, 2012 12:43 pm
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

But often you need something on such a "big device" the mikrotik os does not have, like a real radius server (freeradius) and then an openwrt would be nice. If 60mb more flash would make it 5-10 euro more expensive I believe nobody would mind and it would really open some use cases.
by robertpenz
Wed Jan 11, 2012 12:01 pm
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

but the new 1100AH has also only 40mb and there it is supported (which is good btw as multiple routing instances is state of the art for better switches/routers)
by robertpenz
Wed Jan 11, 2012 11:32 am
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

but a router with virtualisation support, which can't be really used with 40mb ;-)
by robertpenz
Thu Dec 15, 2011 9:59 am
Forum: General
Topic: /store add --> input does not match any value of type
Replies: 2
Views: 1517

Re: /store add --> input does not match any value of type

I formatted it and then I got the status "ready" otherwise it would be not ready. I also did a check-drive. But I'll try another microsd card, maybe it is incompatible.
by robertpenz
Wed Dec 14, 2011 5:12 pm
Forum: General
Topic: /store add --> input does not match any value of type
Replies: 2
Views: 1517

/store add --> input does not match any value of type

Hi! I'm trying following on an 450g with 5.9 and 5.11 software: > /store disk print detail Flags: S - system 0 S name="system" total-space=520192KiB free-space=483996KiB status=ready 1 name="micro-sd" total-space=7639928KiB free-space=7491668KiB status=ready > /store print detail...
by robertpenz
Wed Dec 07, 2011 7:11 pm
Forum: RouterBOARD hardware
Topic: 1100AH and IPsec performance
Replies: 8
Views: 3737

Re: 1100AH and IPsec performance

We've 100Mbit-200Mbit Traffic so it is a problem for us. We are at 90% CPU with 10Mbyte/sec (100Mbit) (ftp server and ftp client, not to the mikrotik) but we need more and the data sheets said AES chip, but I guess that were the old sheets .... Really bad to name a device as an old one but to have o...
by robertpenz
Wed Dec 07, 2011 8:30 am
Forum: RouterBOARD hardware
Topic: 1100AH and IPsec performance
Replies: 8
Views: 3737

Re: 1100AH and IPsec performance

oh, that's not good ... as it's the main feature for us
by robertpenz
Mon Dec 05, 2011 7:33 pm
Forum: RouterBOARD hardware
Topic: 1100AH and IPsec performance
Replies: 8
Views: 3737

1100AH and IPsec performance

Hi! I've a setup where two 1100AH are connected via 100Mbit and I'm using IPsec with /ip ipsec proposal add auth-algorithms=null disabled=no enc-algorithms=aes-128 lifetime=30m name=IPSec pfs-group=modp1024 And I'm getting 10mbyte/sec through the tunnel, but I don't understand following (during copi...
by robertpenz
Mon Dec 05, 2011 7:18 pm
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

We've a testversion of a software upgrade which seems to be stable in our tests with metarouter, but we're still testing it. Don't know if other customers are testing it.

Edit: Just found out that RouterOS v5.9 has been released ... we needed to flash our test version via netinstall to make it work.
by robertpenz
Wed Nov 30, 2011 5:44 pm
Forum: Virtualization
Topic: Metarouter on microSD, will it be ever supported ?
Replies: 20
Views: 21370

Re: Metarouter on microSD, will it be ever supported ?

@janisk: You asked why someone wants to have OpenWRT. We need it in our small remote locations for a Radius Server that can perform 802.1x and MAC authentication. We're replicating the data from the central server and the switches have both servers configured. so if there is a problem with one server...
by robertpenz
Wed Nov 23, 2011 2:10 pm
Forum: RouterBOARD hardware
Topic: 1100AH power POE and normal at the same time?
Replies: 4
Views: 2287

1100AH power POE and normal at the same time?

Hi!

I've connected the 1100AH to the normal power (230V) and connected Eth13 to a POE injector. If I removed one of the two power connections the Mikrotik kept running. Has this setup any bad side effects?

Is there a possibility to monitor if one of the 2 "power supplies" goes down?
by robertpenz
Fri Nov 18, 2011 3:24 pm
Forum: Virtualization
Topic: MetaRouter and 1100AH on ROS 5.8 not working?
Replies: 36
Views: 23419

Re: MetaRouter and 1100AH on ROS 5.8 not working?

We've the same problem, just bought four 1100AH with the explicit purpose to use them with MetaRouter, as MetaRouter is not stable on e.g 450G. We really need a fast feedback/solution as otherwise we'll send them back as not working, which we can't do if we keep it longer than for a few days. We bou...
by robertpenz
Sat Oct 15, 2011 2:14 pm
Forum: Virtualization
Topic: RB450G + openwrt Metarouter strange problem
Replies: 221
Views: 95549

Re: RB450G + openwrt Metarouter strange problem

I also would be really interested in the progress .....
by robertpenz
Tue Oct 11, 2011 8:51 am
Forum: General
Topic: IPsec with multiple subnets on both sides
Replies: 3
Views: 9422

Re: IPsec with multiple subnets on both sides

Ah thx I overlooked the "none" part ... thx About the IP scheme .. it looks not good in this example but if you've > 100 locations and need separate subnets for different devices it gets quite easy in the data center to sort out the devices as e.g. device class 1 is always with 10.1.x.x and...
by robertpenz
Mon Oct 10, 2011 9:56 am
Forum: General
Topic: IPsec with multiple subnets on both sides
Replies: 3
Views: 9422

IPsec with multiple subnets on both sides

Hi! I've following setup: Subnets - Router 1 - IPsec - Router2 - Subnets and Internet Following subnets are directly connected to the router1 10.1.99.0/24 10.2.99.0/24 10.3.99.0/24 10.4.99.0/24 and the router routes between them. The Subnet used for connecting router 1 and 2 is 10.4.254.0/24 Behind ...