MikroTik

normalcy

I've just seen 6.39.3 come into the bugfix train.

Can anyone confirm it includes the fix? Unless I'm blind I didn't see it mentioned in the system -> packages brief release notes.

Out of the office for another week before I can try it on a cloud core.

normalcy

Thanks for this release, but can you add in current bugfix also this -
!) tile - fixed IPSec hardware acceleration out-of-order packet problem, significantly improved performance;
?

I too cannot wait to see this make it to bugfix level of stability.

normalcy

Thanks for the feedback nathan1 and alexjhart (and for you persistence chasing this!!). My testing CCR1016 has been borrowed by a colleague but I look forward to trying this out on it when I get it back. We have multiple CCR1036 acting as VPN concentrators (never got the chance to swap them out afte...

normalcy

Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with.

Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting for bugfix....

normalcy

I get the issue that bugfix is not necessarily clear that it means stable. But 'current' is fine for me for the feature branches as this is similar to the FreeBSD release engineering process. There 'current' is the moving target, but they do call their bugfix 'stable' instead. Ultimately it's all se...

normalcy

This might also be a bit of a long shot, but what happens to the speed test if you change the interface queue type of the ethernet ports?

queue interface set [find default-queue="only-hardware-queue"] queue=ethernet-default

normalcy

What do you have for:

[admin@MikroTik] > ip firewall connection tracking print

and:

[admin@MikroTik] > ip settings print

Assuming these will be factory default settings.

normalcy

There's apparently a lot of things that can cause them as mentioned in that linked article, with the recommendation being that you capture close to the sender. However if you've now used two different mikrotik devices and get the same behaviour that would tend to suggest it's something with them. ma...

normalcy

Ok got the second file. Are you performing one or two speed tests during these two captures? Only a couple of things jump out at me on first look. On the failing capture you're getting a lot of 'TCP Spurious Retransmissions' followed by DUP ACKs that could be a symptom or a contributor to the slowdo...

normalcy

Can you re-upload the second link? i think it's expired on me.

normalcy

Hi. Back from a break. If your links are still good I'll have a look tomorrow. Hopefully we can find something!

normalcy

Oh and no you should only need the one CRS and yes you would only want a minimal config (enough to get management access via winbox - lots of wiki/forum threads about that)

normalcy

Sorry I'm going away on holiday so won't be here for a while. But basically you want to setup a switch group on the CRS for a few ports between your cable modem and the various downstream routers (maybe another one to plug the Foxtel box in and look at that traffic). Then setup mirroring to send tha...

normalcy

I found this old thread via Google. https://groups.google.com/forum/m/#!topic/bit.listserv.openbsd-pf/13gdbhskgE8 Looks like they also had both protocols working on the same segment but one of their vendors gear was also flooded with logs. Although it can work I guess they just don't like having the...

normalcy

http://wiki.mikrotik.com/wiki/Manual:Quickset I know it's still the GUI but maybe quickset would get you going. You could then use the cli export command to see the sort of changes it made to the default config. Winbox is overwhelming at the beginning but once you get used to it the ability to have ...

normalcy

You'd be looking for differences in the packets that could be nailed down to the different setups. Eg qos values, MSS, packet size etc. maybe even do the same with that netgear router that worked to see what it might be doing that the 951 isn't. Otherwise I suppose we would just be running through a...

normalcy

I guess the next thing I'd try in this situation is put a managed switch in between the modem and the routers and mirror the traffic to wireshark to look for any differences when it's working vs when it's not. Don't know if your comfortable at that low a level. Eg: cable modem -> mirroring switch ->...

normalcy

Did some googling and I'm guessing this is your issue http://forums.whirlpool.net.au/archive/2421925

If so you've already tried a fair bit there. It's a weird issue.

normalcy

If you do a regular speed test on a laptop is there also a similar slowdown? Or is it only the Foxtel box? When the cable modem is plugged into the mik is it put in bridge mode or are you double NAT'ing. Nothing really jumped out at me in your config. I guess you've tried with and without the simple...

normalcy

My thought would be configuration (not that there haven't been bugs but basic IPSec is pretty stable in my experience). If you use plain IPSec in tunnel mode you need to ensure that your IPSec policies capture the right traffic (from your local to remote subnet) and your 'NAT bypass' rules are above...

normalcy

Depends a lot on the ip camera brand you use. eg: cheap dahua cameras generally offer port 80 for the web and port 37777 for streaming video over either udp/tcp, you need both. I think a lot of onvif cameras use udp port 514 for transporting the video stream in addition to the web interface on 80 so...

normalcy

You could also run the torch command on that interface to see the IPs and rates hitting the interface.

normalcy

Some do. Search for virtual tunnel interface (VTI). It's a heavily requested feature for mikrotik. For the moment though it's not supported unless you use another tunnel (GRE/IPIP/EOIP/L2TP) as feklar mentioned.

normalcy

Do you get no connection occurring at all or a black screen? I had to clear the df bit in a mangle rule to get RDP working across a remote VPN subnet. If I didn't I could ping and portscan but connecting just gave me a black screen. Sounds like you're not quite getting that far though?

normalcy

Out of interest how did you generate all the individual script files?

I'm facing something similar with a lot of haps as well. Looking into milliscript and flashfig and all the rest but I can see that you will still need create a per device script to load (for identity etc).

normalcy

I know quickset will generally put a deny all filter rule on the wan input if used. But could you also put a security checklist or section for securing router access in quickset too? Something that might let you specify an admin ip/subnet and then automatically populate firewall rules on all input i...

normalcy

Wouldn't mind seeing both ubiquiti and mikrotik support 802.11r in future products as a more standards based method of fast roaming. Although it needs client support as well.

normalcy

Sounds like you might need something like this.

http://www.senetas.com/encryptors/layer-2-encryptors/

They look reassuringly expensive!

normalcy

Yes in fact I created a step by step guide for this specific hardware pairing..... email me at mike(at)43index.com and I will forward you the Word document. I had no problems getting it setup and working just as you are describing. You don't need to tag the VLAN on the Mikrotik end, only on the Edg...

normalcy

Will more of the slides be added to the wiki soon?

normalcy

I'd love to see codel in there too but they may prefer Cisco's PIE instead which is also in the newest kernels.

normalcy

I'd like to try this feature, but I'm having issues on a CCR1036-12G-4S. I've created 3 partitions, but if I "copy-to" from winbox or the console when I reboot after activating one of the two newly created partitions they fail with the message: kernel not found or data corrupted" and then fall back...

normalcy

I'd like to try this feature, but I'm having issues on a CCR1036-12G-4S. I've created 3 partitions, but if I "copy-to" from winbox or the console when I reboot after activating one of the two newly created partitions they fail with the message: kernel not found or data corrupted" and then fall back ...

normalcy

This is fantastic. Thanks for the effort as I think this layout helps you connect the layers together better than the original separated diagrams. Hopefully it becomes the official one.

normalcy

I'm no programmer myself, but maybe looking at the python code for some of the existing firewalld and google compute engine networking modules might be a starting point for anyone with the skills to pick this up?

normalcy

I would love to see something like this as well, but I haven't found anything either. I would imagine you could still use a playbook to make raw routeros calls via ssh, similar to what this guy does with iptables . Otherwise, someone would probably have to write a python based ansible module to call...

normalcy

Eagerly awaiting some indication that mikrotik will add fq_codel support as another AQM algorithm as it is in the Linux kernel and seems to be a great cpe solution (no manual tuning and fast response for variable wifi links). http://www.bufferbloat.net/projects/cerowrt/wiki/Bloat-videos http://getty...

normalcy

We had a 493g and a powered USB hub and it still wasn't enough to get the 3G modem recognised. Had to follow the mod suggested in this thread. Has been working fine since.

http://forum.mikrotik.com/viewtopic.php ... 64#p259164

normalcy

Self inflicted.

Adding a firewall rule to the input chain to allow UDP 67 to router addresses must allow the relay helper to send the dhcp offer back to the clients. Was getting blocked by a drop all filter on the input chain.

normalcy

Did you get a response from mikrotik support on this? I've upgraded a RB1200 to 5.19 and I'm seeing similar behavior as well. Running a dhcp-relay on address 192.168.4.1 vlan4 pointed at a dhcp server at 192.168.0.16. My ISC dhcpd is receiving the discover requests and sending out offers, however th...

normalcy

Hi staticjess, I'm a brand new user to mikrotik and just getting started with their equipment, but I plan to create a setup almost exactly the same as yours with the difference that I'll have a 3G USB backup connection at the branch offices on dynamic IPs as well just to make the IPSec failover more...

Search found 41 matches