Community discussions

Search found 255 matches

by bbs2web
Mon Feb 12, 2024 3:50 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 257720

Re: v7.13.4 [stable] is released!

I upgraded my hAP ax3 CAPsMAN APs (there are 8 of them) together with an RB5009 running CAPsMAN on Friday. I appear to be noticing that some wireless clients are having problems keeping their connection. Has anyone else noticed a degradation since 7.13.3, nothing in the change logs... PS: 7.13.4 hard...
by bbs2web
Sun Jan 14, 2024 9:28 am
Forum: Wireless Networking
Topic: hAP ax3 wireless problem [SOLVED]
Replies: 108
Views: 13139

Re: hAP ax3 wireless problem [SOLVED]

We were fortunate to move to a larger property and house in July '23 and I took this as an opportunity to replace hAP ac (v1) units with hAP ax 3 devices with RB5009 acting as a central CAPsMAN and router. I use my home network as an extension of my office and do R&D for 802.1X testing so I ...
by bbs2web
Sun Nov 19, 2023 10:34 am
Forum: Announcements
Topic: v7.12.1 [stable] is released!
Replies: 252
Views: 92155

Re: v7.12 [stable] is released!

Unable to get hardware offloading working on a hAP ax3 (C53UiG+5HPaxD2HPaxD), any suggestions? /interface bridge add add-dhcp-option82=yes dhcp-snooping=yes name=bridge priority=0x7000 vlan-filtering=yes /interface bridge port add bridge=bridge interface=ether1 trusted=yes comment="Uplink to co...
by bbs2web
Sat Jul 29, 2023 8:38 am
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

However, it seems to me that the ICMP packet, informing sender that destination is not reachable, actually originates from router itself. So output chain applies (when speaking about firewall). Additionally the information about original ingress interface might be lost due to this, so it might be i...
by bbs2web
Thu Jul 27, 2023 7:37 am
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

it's the DHCP server itself so no interface has `trusted=yes` configured Every uplink port on every switch between the dhcp server and client needs to have trusted=yes set (both directions). Yip, aware of that... Router running DHCP would not have trusted set on any of its ports, any downstream swi...
by bbs2web
Mon Jul 24, 2023 11:21 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

DHCP snooping is an issue on RouterOS 7.10.2 on the following devices. I don't see this in the change logs, is this a known issue? CRS328-24P-4S+ CRS112-8P-4S CRS354-48P-4S+2Q+ RB5009UG+S+ It either filters all DHCP queries, or sometimes works intermittently. In the case of the RB5009 it's the DHCP ...
by bbs2web
Mon Jul 24, 2023 11:09 pm
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 369
Views: 129452

Re: v7.10, 7.10.1 and more [stable] are released!

DHCP snooping is unstable (works intermittently) or not at all, even after restarting. Confirmed on: CRS328-24P-4S+ CRS112-8P-4S CRS354-48P-4S+2Q+ RB5009UG+S+ We have `trusted=yes` configured on the relevant bridge port interface, as well as having `add-dhcp-option82=yes` and `dhcp-snooping=yes` set...
by bbs2web
Wed Jul 19, 2023 4:21 pm
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 369
Views: 129452

Re: v7.10, 7.10.1 and more [stable] are released!

RB5009 as router on stick and Capsman managing 2xAX2 and AX3 connected via cisco switch. All with ROS 7.10.2 I am still getting XXXXXX@Jidelna_5GHz rejected, can't find PMKSA with WPA3 PSK enabled in combination with WPA2 PSK.... I also have a RB5009 running as CAPsMAN for 4 x hAP ax^3 CAPs, runnin...
by bbs2web
Thu Jul 13, 2023 9:08 am
Forum: Wireless Networking
Topic: MikroTik hAP ax3 poor WiFi performance
Replies: 258
Views: 47526

Re: MikroTik hAP ax3 poor WiFi performance

Posted the following in the RouterOS 7.10.0 / 7.10.1 / 7.10.2 announcement discussion, thought it may benefit others that are having range problems with their hAP ax^3 routers: I've been disappointed by the WiFi coverage of 4 new hAP ax^3 routers but enjoying CAPsMAN and WiFiwave2. I needed to turn ...
by bbs2web
Thu Jul 13, 2023 8:28 am
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 369
Views: 129452

Re: v7.10 and 7.10.1 [stable] is released!

I've been disappointed by the WiFi coverage of 4 new hAP ax^3 routers but enjoying CAPsMAN and WiFiwave2. I needed to turn off LTE on my phone to have it stay connected to the poor signal on the WiFi, in certain parts of the house (including bedroom), but I could stream and use everything perfectly....
by bbs2web
Wed Jul 12, 2023 5:46 am
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

You can ensure wireless interfaces are always added as bridge ports on the cAP by specifying it in the wireless datapath settings, not in the bridge port configuration. Many thanks for the script to dynamically fix the bridge VLAN assignments, that is a much better solution instead of restarting th...
by bbs2web
Mon Jul 10, 2023 1:28 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

Enabling DHCP snooping on a RB5009, where I technically do not want any interface marked as a trusted bridge port as this router is the DHCP for the various subnets, results in DHCP being filtered and nothing obtaining an IP. Configuration: [admin@RB5009UG+S+] > int bridge export /interface bridge a...
by bbs2web
Sun Jul 09, 2023 4:46 pm
Forum: Announcements
Topic: v7.11beta [testing] is released!
Replies: 373
Views: 105745

Re: v7.11beta [testing] is released!

Is the following already a known problem or should I try engaging with support@mikrotik.com? The following is architecture related, essentially trying to pre-answer 'why' questions: RB5009UG+S+ is configured as central router with an IP in each VLAN, managing DHCP and layer3 filtering between VLANs ...
by bbs2web
Sat Jul 08, 2023 7:54 am
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 369
Views: 129452

Re: v7.10 and 7.10.1 [stable] is released!

OSPF MD5 problem, if I disable authentication it reaches full adjacency.
OSPF was down the following morning, had to also change point-to-point to broadcast, to get it to form adjacency again (yes, this required the other end to also be reconfigured to broadcast as well).
by bbs2web
Thu Jul 06, 2023 9:41 am
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 369
Views: 129452

Re: v7.10 and 7.10.1 [stable] is released!

OSPF MD5 problem, if I disable authentication it reaches full adjacency. RouterOS 6.49.8 configuration that worked previously: /routing ospf area add area-id=0.0.0.10 name=site3 /routing ospf instance set [ find default=yes ] router-id=100.127.255.10 use-dn=no /routing ospf area range add area=site3...
by bbs2web
Wed May 03, 2023 7:39 am
Forum: Forwarding Protocols
Topic: BGP implementation affected by CVE-2022-40302, CVE-2022-40302 or CVE-2022-43681?
Replies: 1
Views: 1932

BGP implementation affected by CVE-2022-40302, CVE-2022-40302 or CVE-2022-43681?

The CVEs referenced in the subject line have been publicised and the article specifically mentions RouterOS. Obviously hoping that Mikrotik's BGP implementation isn't affected, could someone at Mikrotik comment? https://thehackernews.com/2023/05/researchers-uncover-new-bgp-flaws-in.html Report by ...
by bbs2web
Thu Mar 30, 2023 8:40 am
Forum: Wireless Networking
Topic: Sleep/Wake-up security flaw?
Replies: 0
Views: 829

Sleep/Wake-up security flaw?

Is Mikrotik also affected by the flaw discussed in the following 802.11 wireless standard security vulnerability? https://www.bleepingcomputer.com/news/security/wifi-protocol-flaw-allows-attackers-to-hijack-network-traffic/ I presume so, if Mikrotik follow the 802.11 standard to the letter. Limited ...
by bbs2web
Sun Mar 26, 2023 1:06 pm
Forum: Announcements
Topic: v7.9beta [testing] is released!
Replies: 118
Views: 25819

Re: v7.9beta [testing] is released!

Any news on fixes for 802.1X (dot1x) which broke in 7.8 for CRS326-24G-2S+?

Neither 7.8 nor 7.9 detail changes for dot1x, so this breaking was unexpected. Problem is essentially that devices don't stay authorised...

Reported here:
viewtopic.php?t=193986#p990192
by bbs2web
Wed Mar 15, 2023 5:14 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 138791

Re: v7.8 [stable] is released!

Apologies, the above was from a MC-LAG pair of CRS326-24G-2S+ devices. Layer 2 forwarding and distributed LACP did appear to work without issue for the half an hour it was on RouterOS 7.8... PS: Nothing in the change logs regarding 802.1X so presume this is an inadvertent bug. Update: Downgrading fr...
by bbs2web
Wed Mar 15, 2023 5:11 pm
Forum: Announcements
Topic: v7.8 [stable] is released!
Replies: 425
Views: 138791

Re: v7.8 [stable] is released!

7.7 was stable but 7.8 appears to have a timeout issue with 802.1X. Devices successfully authenticate, are placed in the correct VLAN but thereafter disappear again with the port transitioning to a blocked state: 16:46:27 dot1x,debug s ether4 "3C:2C:30:DE:99:50" re-authorized with username...
by bbs2web
Wed Jan 11, 2023 5:52 pm
Forum: General
Topic: What is sensitive
Replies: 2
Views: 1180

Re: What is sensitive

Is there an official list available somewhere? I would for example like to know whether the change in behaviour or bug is a security issue. The following script for example periodically resolves DNS FQDNs and then updates configured RADIUS authentication servers: /radius set [find comment=radius1:] ...
by bbs2web
Fri Dec 09, 2022 5:34 am
Forum: Announcements
Topic: v6.48.6 [long-term] is released!
Replies: 126
Views: 274228

Re: v6.48.6 [long-term] is released!

The CVE-2022-45315 advisory appears to relate to an out of bounds read on SNMP. Considering RouterOS enables this by default and NIST appearing to rate this as 9.8, no news from MikroTik...

https://nvd.nist.gov/vuln/detail/CVE-2022-45315
by bbs2web
Wed Oct 19, 2022 6:42 am
Forum: Forwarding Protocols
Topic: IPv6 Router Advertisement packet filtering in switched network
Replies: 4
Views: 4778

Re: IPv6 Router Advertisement packet filtering in switched network

The following forum post appears to provide the necessary requirements to allow one to 'tick the box' to comply with RFC 6105 or superseding RFC 7113:

[SOLVED] CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 RA Guard
by bbs2web
Wed Oct 19, 2022 6:38 am
Forum: RouterOS beta
Topic: Security Request - IPv6 RA Guard
Replies: 2
Views: 5699

Re: Security Request - IPv6 RA Guard

The following forum post appears to provide the necessary requirements to allow one to 'tick the box' to comply with RFC 6105 or superseding RFC 7113:

[SOLVED] CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 RA Guard
by bbs2web
Wed Oct 19, 2022 12:42 am
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 142552

Re: v7.6 [stable] is released!

Any chance MikroTik could consider adding an option to enable/disable IPv6 Router Advertisement (RA) Guard when adding interfaces to a bridge? The following forum post appears to provide the necessary requirements to allow one to 'tick the box' to comply with RFC 6105 or superseding RFC 7113: [SOLVED...
by bbs2web
Wed Oct 19, 2022 12:24 am
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2299

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Unfortunately couldn't find a way of implementing IPv6 RA Guard (rfc6105) so I hacked switch rules and bridge filters together to achieve the desired results. CRS - Hardware offloaded (MC-LAG compatible) bridge with IPv6 Router Advertisement (RA) Guard: https://forum.mikrotik.com/viewtopic.php?t=190...
by bbs2web
Wed Oct 19, 2022 12:21 am
Forum: Forwarding Protocols
Topic: [SOLVED] CRS - Hardware offloaded bridge with IPv6 RA guard
Replies: 3
Views: 4705

[SOLVED] CRS - Hardware offloaded bridge with IPv6 RA guard

The following is a functional solution to emulate IPv6 Router Advertisement (RA) Guard (rfc6105) from rogue routers on a per interface basis, similar to how DHCP snooping works for IPv4. The following document is most probably the best I came across whilst trying to find something to explain why we ...
by bbs2web
Tue Oct 11, 2022 3:44 pm
Forum: Scripting
Topic: perl API client
Replies: 109
Views: 68704

Re: perl API client

Just some information for anyone that comes across this, after upgrading our Zabbix server and subsequently updating to the latest perl MikroTik API (v2.0.1) available here: https://metacpan.org/pod/MikroTik::API We utilise API-SSL but do not deploy certificates to all monitored routers, using anony...
by bbs2web
Mon Oct 03, 2022 9:53 pm
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2299

Re: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

Wow guys, having a bad day? Apologies for the Google link, posted this question from my mobile after it came up in my feed. If both Cisco and Juniper's network stacks exempt certain processing, such as STP BPDU guard, root guard when a packet is transmitted with a zero VLAN it could very easily also...
by bbs2web
Fri Sep 30, 2022 8:31 am
Forum: Forwarding Protocols
Topic: another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?
Replies: 9
Views: 2299

another clickbait title: Is RouterOS at risk of VLAN stacking flaw (on never implemented IPv6 RA guard)?

The following article references a VLAN stacking flaw affecting Cisco, Juniper and other vendor devices, are RouterOS 'in software bridging' or hardware offloaded bridge configurations at risk as well? <CENSORED> The four vulnerabilities are: CVE-2021-27853 Layer 2 network filtering capabilities suc...
by bbs2web
Sun Sep 11, 2022 11:05 pm
Forum: Forwarding Protocols
Topic: [Solved] MLAG problem, packets occasionally reflected back
Replies: 1
Views: 1850

Re: MLAG problem, packets occasionally reflected back

It turns out that I had configured the MLAG towards a CCR router with a horizon setting, this had disabled hardware offloading.

With all ports being offloaded this problem immediately stopped occurring for all switches...
by bbs2web
Sat Sep 10, 2022 1:49 am
Forum: Forwarding Protocols
Topic: [Solved] MLAG problem, packets occasionally reflected back
Replies: 1
Views: 1850

[Solved] MLAG problem, packets occasionally reflected back

Hi, Has anyone got production experience with the MLAG redundancy feature? We are experiencing some problems with a pair of CRS354-48G-4S+2Q+ (Marvell 98DX3257) switches. Topology is identical to reference documentation: https://help.mikrotik.com/docs/display/ROS/Multi-chassis+Link+Aggregation+Group...
by bbs2web
Fri Feb 18, 2022 1:05 pm
Forum: Announcements
Topic: v6.49.3 [stable] is released!
Replies: 64
Views: 21477

Re: v6.49.3 [stable] is released!

I have an odd situation in that two virtual RouterOS instances, both running 6.49.4 (x86), support IPSec AES hardware offloading differently. Any ideas on where I could hunt? Both have default IPSec settings: [user@router] > ip ipsec export verbose # feb/18/2022 12:44:25 by RouterOS 6.49.3 # softwar...
by bbs2web
Tue Aug 24, 2021 2:12 am
Forum: Announcements
Topic: v6.48.4 [stable] is released!
Replies: 68
Views: 72588

Re: v6.48.4 [stable] is released!

Please may we have some details relating to 'system - improved stability when receiving bogus packets'.

PS: Upgrades to CCR1036, RB3011, RB750Gr2, hAP ac and CHR all worked perfectly...
by bbs2web
Mon Jun 14, 2021 2:49 pm
Forum: General
Topic: [FEATURE REQUEST] Two Factor Authentication
Replies: 46
Views: 33551

Re: [FEATURE REQUEST] Two Factor Authentication

Herewith a link to a start to finish guide on setting up a Debian host to provide MikroTik compatible (MS-CHAPv2) two factor (aka multi factor authentication or MFA) using Yubico Yubikey together with security group memberships on an Active Directory server: http://lists.freeradius.org/pipermail/fre...
by bbs2web
Thu May 20, 2021 9:39 am
Forum: Announcements
Topic: v6.48.2 [stable] is released!
Replies: 141
Views: 61782

Re: v6.48.2 [stable] is released!

Hi EdPa, Any plans on supporting RADIUS disconnect for dot1x, as it works for wireless? Also any plans to support CoA (change of authorisation)? Hi bbs2web, mac-auth dot1x fixes are available in testing version: *) dot1x - fixed "reject-vlan-id" for MAC authentication (introduced in v6.48)...
by bbs2web
Wed May 19, 2021 5:48 pm
Forum: Announcements
Topic: v6.48.2 [stable] is released!
Replies: 141
Views: 61782

Re: v6.48.2 [stable] is released!

Many thanks, great news! Hi bbs2web, mac-auth dot1x fixes are available in testing version: *) dot1x - fixed "reject-vlan-id" for MAC authentication (introduced in v6.48); *) dot1x - fixed MAC authentication fallback (introduced in v6.48); We will include them in the next stable release as...
by bbs2web
Wed May 19, 2021 2:49 am
Forum: Announcements
Topic: v6.48.2 [stable] is released!
Replies: 141
Views: 61782

Re: v6.48.2 [stable] is released!

Hi, I appear to be experiencing a problem getting dot1x server to work with mac authentication fallback when the supplicant is supposed to timeout. Has anyone validated whether or not this works? We're running Packet Fence 10.3 and have 802.1x wireless and wired authentication working but only wirel...
by bbs2web
Fri Mar 19, 2021 11:46 pm
Forum: Forwarding Protocols
Topic: IP Cloud - DDNS zone structure problem
Replies: 0
Views: 2603

IP Cloud - DDNS zone structure problem

The following appears to be falling on deaf ears, really hoping that MikroTik fix the problem with the IP Cloud dynamic DNS service. The problem? Routers can dynamically maintain a DNS record to resolve to the router's public IP. The problem is that whilst <serial>.sn.mynetname.net resolves the inte...
by bbs2web
Thu Feb 25, 2021 7:13 am
Forum: General
Topic: Radius PAM not want authorize user using PAM
Replies: 1
Views: 1304

Re: Radius PAM not want authorize user using PAM

All FreeRADIUS integration examples we found rely on PAM which require PAP Authenticator. MikroTik uses MS-CHAP v2 which doesn't transmit the password using reversible encryption so it is impossible to split out the Yubico OTP from the password on the RADIUS server. We did however come up with a sol...
by bbs2web
Tue Feb 02, 2021 6:23 am
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

As requested ;) /routing ospf instance set [ find default=yes ] distribute-default=if-installed-as-type-1 router-id=\ 41.2.3.4 /routing ospf interface add authentication=md5 authentication-key=Hoa8QIu4JpjVYkSM comment=\ zajnb01-cr01: dead-interval=10s hello-interval=1s interface=\ vlan2 network-type...
by bbs2web
Sun Nov 29, 2020 7:20 am
Forum: Announcements
Topic: v6.47.8 [stable] is released!
Replies: 54
Views: 31328

Re: v6.47.8 [stable] is released!

Bridge port hardware offloading remains disabled on hEX (RB750Gr3): [davidh@CPE - Testing] > int bridge export # nov/29/2020 07:17:41 by RouterOS 6.47.8 # software id = HHQ9-GV0X # # model = RB750Gr3 # serial number = 8AFF0A4C0574 /interface bridge add name=bridge priority=0x7000 /interface bridge p...
by bbs2web
Mon Oct 05, 2020 9:33 pm
Forum: Forwarding Protocols
Topic: OSPF VPLS/MPLS load balancing and failover
Replies: 7
Views: 5060

Re: OSPF VPLS/MPLS load balancing and failover

Hi, I would strongly discourage running round robin balancing, especially on wireless links where the latency between the two vendor's implementation will most definitely be different. Out of order packet delivery will cause TCP congestion control to kick in and cause problems with realtime media st...
by bbs2web
Wed Aug 12, 2020 11:53 pm
Forum: Scripting
Topic: Problems when parsing routing table and prefixes change
Replies: 1
Views: 919

Problems when parsing routing table and prefixes change

Hi, I presume the following will need to turn in to a support request but I'm hoping someone has a work around. We walk the routing table looking for prefixes that match certain community strings and then add them to an array, to later add them to firewall address lists. :foreach i in=[ /ip route fi...
by bbs2web
Wed Jun 17, 2020 8:49 am
Forum: Forwarding Protocols
Topic: Redundant paths to OSPF?
Replies: 1
Views: 1519

Redundant paths to OSPF?

Source ---- A ---- B We have a requirement of routing a prefixes towards a customer at both A and B, but they want B as primary. We subsequently define a static route on both A and B, re-advertise them to OSPF as type 1 and set the distance of the static route on A to have a distance of 120. Both st...
by bbs2web
Wed Jun 17, 2020 8:23 am
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

We have not had this problem in 3 years since: Matching LDP times to OSPF Replacing MikroTik route reflectors with VyOS (FRR) VyOS uses FRR and can now also do MPLS, it reflects defaults and I submitted patches to get route filter feature parity in VyOS (set distance, set preferred source, match on ...
by bbs2web
Mon Jun 01, 2020 8:07 am
Forum: Announcements
Topic: v6.47rc [testing] is released!
Replies: 63
Views: 34546

Re: v6.47rc [testing] is released!

The change log is not comprehensive. Shouldn't it include all changes when moving the release candidate to its own thread? I'm referring to the following changes which fix packet loss due to bridges learning IP neighbor mac address on blocked STP ports, easily reproducible in a simple ABC triangle....
by bbs2web
Mon Apr 13, 2020 10:02 am
Forum: Forwarding Protocols
Topic: Is this a normal MikroTik VRF behavior?
Replies: 4
Views: 2771

Re: Is this a normal MikroTik VRF behavior?

RouterOS uses standard Linux ip routing tables and provides 'VRF Lite'. This is simply due to all local addresses being added to a default table (255) and there being a default routing rule (0) which references this table ahead of any that are custom added (defining a RouterOS VRF). You can see this...
by bbs2web
Sat Mar 14, 2020 6:53 pm
Forum: Forwarding Protocols
Topic: Forward DHCP broadcasts to NAC
Replies: 0
Views: 2633

Forward DHCP broadcasts to NAC

Does anyone have a clever technique to forward broadcast DHCP traffic to a network access control (nac) system, when the MikroTik is the DHCP server? We've been successfully running Packet Fence as a central 802.1X system, including CoA with MikroTik and automated HTTP CoA with UniFi controlled Ub...
by bbs2web
Thu Feb 20, 2020 4:45 am
Forum: Forwarding Protocols
Topic: OSPF Default Route not propigating.
Replies: 2
Views: 3113

Re: OSPF Default Route not propigating.

Please post the outputs of '/routing ospf export' and ensure you are on the latest version of either stable or long-term. Don't forget to update firmware after upgrading (/sys rou pr).
by bbs2web
Mon Jan 27, 2020 10:43 pm
Forum: Forwarding Protocols
Topic: BGP reflection, no filtering?
Replies: 4
Views: 2874

Re: BGP reflection, no filtering?

I've disabled the IPv4 and IPv6 protocol families on the RouterOS route reflectors to exclusively use them for l2vpn whilst FRR route reflectors handle IPv4/6. Convergence is many times faster, most probably simply due to it supporting peer groups, and processes prefixes in a twentieth of the time R...
by bbs2web
Mon Jan 27, 2020 3:05 pm
Forum: Forwarding Protocols
Topic: BGP reflection, no filtering?
Replies: 4
Views: 2874

Re: BGP reflection, no filtering?

Most reflector clients are RouterOS with the MikroTik route reflectors being 6.45.7. We are in the process of upgrading all core routers to 6.46.2. The FRRouting route reflectors are running 7.4-dev with all patches applied up until the 21st of January 2020. It appears to me that RouterOS configured...
by bbs2web
Mon Jan 27, 2020 10:17 am
Forum: Forwarding Protocols
Topic: BGP reflection, no filtering?
Replies: 4
Views: 2874

BGP reflection, no filtering?

Hi, Is it a known design quirk that route filters do not apply to reflected prefixes on a RouterOS route reflector? We have filters in place to change local preference when processing prefixes from another region so that local preference results in the following preference order: Local customers Rem...
by bbs2web
Sat Dec 21, 2019 6:28 am
Forum: Forwarding Protocols
Topic: Critical issue on STP flapping
Replies: 7
Views: 4606

Re: Critical issue on STP flapping

Could you have a look if you are being affected by the unpublished changes regarding CDP transmitting on STP blocked ports which may be poisoning MAC tables?

You can read my report starting this here:
viewtopic.php?f=21&t=147904&p=736204#p736204
by bbs2web
Thu Oct 31, 2019 11:51 pm
Forum: Forwarding Protocols
Topic: manipulate ospf equal cost multi-path
Replies: 3
Views: 4295

Re: manipulate ospf equal cost multi-path

That option should only take effect when redistributing OSPF prefixes between instances. Just set it up properly, both interfaces being part of the same instance (technically the network addresses and netmasks of the interfaces) and then increase administrative cost of the backup interface to 20 on ...
by bbs2web
Thu Oct 24, 2019 10:17 pm
Forum: Forwarding Protocols
Topic: VPLS and Customer VLANS
Replies: 3
Views: 4671

Re: VPLS and Customer VLANS

Just set it up as you had it, bridge an Ethernet port to a vpls interface and then the same on the other PE router. Herewith a sample VPLS interface adding command: add advertised-l2mtu=4374 comment="Customer - City - Head Office - Primary:" disabled=no l2mtu=4374 name=vpls-cust-city remot...
by bbs2web
Thu Oct 10, 2019 7:07 am
Forum: Forwarding Protocols
Topic: MPLS bug?
Replies: 5
Views: 4301

Re: MPLS bug?

I presume there to have been a network interruption which resulted in OSPF reconverging but LDP not having timed out. The following thread details the same problem, we have not had a subsequent problem since matching OSPF and MPLS LDP interface timers: https://forum.mikrotik.com/viewtopic.php?t=114974
by bbs2web
Tue Aug 06, 2019 1:51 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

RouterOS 6.45+ sets the VRRP interface to standby when the associated parent interface is not running. Whilst this makes perfect sense for classic VRRP implementations it causes a problem with the use of VRRP in the context of this high availability implementation. The problem is that since the sync...
by bbs2web
Wed Jul 17, 2019 7:07 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196481

Re: v6.45.1 [stable] is released!

The old API login method used CHAP (challenge authentication protocol), which requires the router to store the password in plain text. Passwords are now stored as a hash so you need to send the original password, which the router then hashes to compare to the stored password. Use API-SSL if you are ...
by bbs2web
Sat Jul 13, 2019 3:28 pm
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196481

Re: v6.45.1 [stable] is released!

Could someone else please check if routing crashes when viewing OSPF LSAs via Winbox or running '/routing ospf lsa print' via CLI?
by bbs2web
Sun Jul 07, 2019 2:21 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 415
Views: 196481

Re: v6.45.1 [stable] is released!

Does someone have a problem with mac telnet login via neighbours?

Won't login with any user and pass or without pass, nor admin..
Unfortunately yes, not all devices though and resetting credentials does not help...
by bbs2web
Sat Jun 22, 2019 10:41 am
Forum: Announcements
Topic: v6.44.3 [stable] is released!
Replies: 122
Views: 73095

Re: v6.44.3 [stable] is released!

We have identified an issue with IP neighbour discovery packets, specifically Cisco Discovery Packets (CDP), being transmitted when ports are members of a bridge and spanning tree has detected the port as an alternate path towards the root bridge. Whilst STP correctly disables forwarding it still tr...
by bbs2web
Wed May 22, 2019 6:45 am
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157266

Re: v6.45beta [testing] is released!

*) firewall - process packets by firewall when accepted by RAW with disabled connection tracking; Please could we have a little more detail regarding this change? We use raw 'no-track' rules extensively, to avoid packet loss on core routers and filtering appears to be working. I assume this is a fi...
by bbs2web
Tue Apr 23, 2019 4:59 pm
Forum: Forwarding Protocols
Topic: First subnet of blackhole route not advertised in OSPF
Replies: 4
Views: 3247

Re: First subnet of blackhole route not advertised in OSPF

Readvertise connected or static is not recommended. If running only OSPF you should define the subnet/s covering the interfaces you want to advertise and you can summarise smaller ranges by defining a summary route. A more scalable way would be to only use OSPF for the router loopback IPs and interf...
by bbs2web
Sun Apr 21, 2019 8:47 am
Forum: Forwarding Protocols
Topic: First subnet of blackhole route not advertised in OSPF
Replies: 4
Views: 3247

Re: First subnet of blackhole route not advertised in OSPF

Check the LSA entries for the routes that are being advertised to understand where they originate from. Summarised routes are announced to cover smaller ones so they may be originating from other routers in your network.
by bbs2web
Thu Apr 11, 2019 1:03 am
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

We've been running IPv6 since September last year without issues. Multiprotocol IPv4 BGP sessions set next hop as the router's loopback IPv4 or IPv6 addresses and IPv6 is MPLS switched between routers, avoiding route lookups at each hop. Core routers don't run BGP, only IPv4 with MPLS so reconvergen...
by bbs2web
Sat Mar 23, 2019 12:38 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50265

Re: v6.44.1 [stable] is released!

This is definitely an issue with 6.44.1... I unfortunately haven't had an opportunity to distil this yet but have a client's router on which this problem also occurs with a far simpler setup than our own. Presume it's related to bond interfaces, when they interface via a switch... MAC telnet broken ...
by bbs2web
Tue Mar 19, 2019 9:07 pm
Forum: Forwarding Protocols
Topic: bgp prefered route
Replies: 3
Views: 2703

Re: bgp prefered route

Longer prefix match (/24) will always beat /20. Filter x.x.x.x/20 prefix length 21-24 from peer 2...
by bbs2web
Tue Mar 19, 2019 8:52 pm
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50265

Re: v6.44.1 [stable] is released!

6.44.1 does not make it possible to stop MikroTik neighbour discovery announcements. Winbox shows settings from 6.44 but advertisements are still broadcast and export config contradicts Winbox: #> /ip neighbor discovery-settings set discover-interface-list=!external #> /ip neighbor export /ip neighb...
by bbs2web
Tue Mar 19, 2019 2:38 am
Forum: Announcements
Topic: v6.44.1 [stable] is released!
Replies: 85
Views: 50265

Re: v6.44.1 [stable] is released!

MAC telnet broken in 6.44.1, appears to be when router has multiple interfaces.

Problem on all routers we've upgraded to 6.44.1 whilst 6.44 worked perfectly.

We'll need to lab this, to provide more granular detail...
by bbs2web
Wed Mar 13, 2019 8:58 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 304
Views: 157266

Re: v6.45beta [testing] is released!

Would be really useful to have if then logic within DHCP. The following snippet serves no file to Snom VoIP phone, x64 EFI PXE executable to UEFI PXE devices and normal PXE binary to compatibility devices. From ISC DHCP subnet declaration: if substring(binary-to-ascii(16, 8, ":", hardware...
by bbs2web
Tue Mar 05, 2019 9:54 pm
Forum: Forwarding Protocols
Topic: Using OSPFv3 as transport for IBGP with V6 traffic
Replies: 2
Views: 2573

Re: Using OSPFv3 as transport for IBGP with V6 traffic

I documented a solution to this in the following thread. RouterOS IPv6 bug pertaining to link local address generation on bridge interface was reported as having been fixed but I've retained admin mac on our routers:
viewtopic.php?f=14&t=42268&p=688490#p688490
by bbs2web
Sat Mar 02, 2019 7:58 am
Forum: Forwarding Protocols
Topic: Force single IP through one BGP
Replies: 1
Views: 2257

Re: Force single IP through one BGP

You can't do this with hop-by-hop routing and either need a tunnel interface or use MPLS to switch traffic to the appropriate PE, elected by the ingress PE in to the MPLS cloud.

IP routing rules or mangle firewall rules can be used to setup source routing...
by bbs2web
Sat Mar 02, 2019 7:54 am
Forum: Forwarding Protocols
Topic: Transit and IX problem
Replies: 6
Views: 4247

Re: Transit and IX problem

Also ensure your Cogent and IX peers are associated with the same BGP instance, multiple instances are when you need totally separate BGP for isolated VRFs.
by bbs2web
Sat Mar 02, 2019 7:44 am
Forum: Forwarding Protocols
Topic: Vlans + VRRP + Multiple Public IP addresses
Replies: 10
Views: 7867

Re: Vlans + VRRP + Multiple Public IP addresses

Operat0r: You may want to search these forums for the MikroTik high availability script solution, where a single VRRP interface is used to track router master status and configurations are automatically transferred between them. It generally requires switches to be used to provide uplink to both rou...
by bbs2web
Sat Mar 02, 2019 7:35 am
Forum: Forwarding Protocols
Topic: Vlans + VRRP + Multiple Public IP addresses
Replies: 10
Views: 7867

Re: Vlans + VRRP + Multiple Public IP addresses

The VRRP parent interfaces also don't need to match the subnet of IPs attached to the VRRP interfaces. Documentation and training will always show them being in the same subnet but you can run /30 or even /31 on VRRP interfaces. Clients often want redundant links and infrastructure and therefore ass...
by bbs2web
Fri Mar 01, 2019 10:31 am
Forum: Forwarding Protocols
Topic: VRF Management
Replies: 7
Views: 10754

Re: VRF Management

We work with this the other way around, management via main routing table and customer traffic in VRFs. We drink our own Kool-Aid though, so our own offices have routers where our traffic is in a VRF and we subsequently didn't have access to routers from within our own network. The following rules e...
by bbs2web
Sun Feb 17, 2019 1:40 am
Forum: Forwarding Protocols
Topic: Create prefix list from learned peer routes
Replies: 7
Views: 4006

Re: Create prefix list from learned peer routes

Herewith the thread with the discussion around what I believe you to be after: https://forum.mikrotik.com/viewtopic.php?f=14&p=592989 The referenced script automatically builds prefix filters for customers that we provide IP transit for, to avoid us picking up more specific prefixes via trusted ...
by bbs2web
Tue Feb 12, 2019 9:19 pm
Forum: Forwarding Protocols
Topic: Create prefix list from learned peer routes
Replies: 7
Views: 4006

Re: Create prefix list from learned peer routes

Apologies, I read your initial post again and realised that you're actually wanting to filter out customer prefixes from peers, internet exchanges and upstreams. An issue we once had was a downstream customer advertising a /20 via us and more specific /24 prefixes only on an exchange we also peer o...
by bbs2web
Tue Feb 12, 2019 12:45 am
Forum: Forwarding Protocols
Topic: Create prefix list from learned peer routes
Replies: 7
Views: 4006

Re: Create prefix list from learned peer routes

This feature unfortunately does not exist, would be great if it did though. Have you logged a feature request? NB: The more people individually ask, the more likely Mikrotik will listen... Have a look at the following, appears that it may do what you're looking for: https://forum.mikrotik.com/viewto...
by bbs2web
Mon Feb 11, 2019 11:00 pm
Forum: Announcements
Topic: v6.43.12 [stable] is released!
Replies: 49
Views: 34859

Re: v6.43.12 [stable] is released!

There is a bug in this version as it does not show the routes received from the IPv6 sessions. New_terminal: /ip route print detail where received-from=Peer_X You're expecting IPv6 routes to be shown when querying IPv4 routes... Only upgraded a single router to 6.43.12 which has IPv6 BGP, receives ...
by bbs2web
Fri Feb 08, 2019 6:37 am
Forum: Forwarding Protocols
Topic: IRR Advice
Replies: 1
Views: 2611

Re: IRR Advice

Internet Routing Registries provide methods via which others can retrieve information relating to how IPs, ASNs and other resources are delegated. It allows others to, for example, query who is responsible for an IP or subnet and what prefixes are authorised to be announced by what ASN. Your regiona...
by bbs2web
Wed Jan 23, 2019 1:00 am
Forum: Forwarding Protocols
Topic: VPN - MTU - Change MSS - Wiki
Replies: 2
Views: 19219

Re: VPN - MTU - Change MSS - Wiki

Windows ping command sets the ICMP payload as 1450 bytes, you would need to add 28 bytes (IP and ICMP headers) to get the Mikrotik command line equivalent (1478 bytes). Run '/ppp active print' and ensure that your sessions are actually using IPSec. We use a maximum MTU of 1379: 1500 bytes - 40 for L...
by bbs2web
Mon Jan 14, 2019 9:06 pm
Forum: Forwarding Protocols
Topic: OSPF load balancing
Replies: 8
Views: 4461

Re: OSPF load balancing

We exclusively use OSPF to distribute router's loopback IPs and necessary point to point or broadcast IPs to reach the loopbacks. All customer, peer or IXP routes are distributed using iBGP route reflectors. I've detailed the structure in another post, which you can reference here: https://forum.mik...
by bbs2web
Fri Dec 07, 2018 6:12 am
Forum: Forwarding Protocols
Topic: BGP peer slow to come up after interface enabled
Replies: 3
Views: 2093

Re: BGP peer slow to come up after interface enabled

You could also just adjust the OSPF interfaces to set hello as 1 second, dead timer as 10 seconds and then set the type as point-to-point.
by bbs2web
Fri Dec 07, 2018 6:10 am
Forum: Forwarding Protocols
Topic: BGP peer slow to come up after interface enabled
Replies: 3
Views: 2093

Re: BGP peer slow to come up after interface enabled

Create a PPP profile which enables the peer on 'up' and disables it on 'down', then apply that profile to your VPN connection.
by bbs2web
Thu Dec 06, 2018 10:58 am
Forum: Announcements
Topic: v6.43.7 [stable] is released!
Replies: 53
Views: 33846

Re: v6.43.7 [stable] is released!

We notice no such problem after upgrading a CCR1016-12S-1S+ from 6.43.4 to 6.43.7: We access RouterOS using SSL API service. Upgraded router yesterday evening at around 9:30pm: http://i63.tinypic.com/2afg508.jpg Since upgrading from 6.43.4 to 6.43.7 on all of my MikroTik devices, API-SSL does not wo...
by bbs2web
Wed Dec 05, 2018 6:25 am
Forum: Forwarding Protocols
Topic: OSPF loses routes after days
Replies: 23
Views: 8079

Re: OSPF loses routes after days

We exclusively use OSPF to distribute router's loopback IPs and necessary point to point or broadcast IPs to reach the loopbacks. All customer, peer or IXP routes are distributed using BGP. I've detailed the structure in another post which you can reference here: https://forum.mikrotik.com/viewtopic...
by bbs2web
Mon Nov 19, 2018 11:08 pm
Forum: Forwarding Protocols
Topic: Wrong src_ip in some cases
Replies: 1
Views: 1272

Re: Wrong src_ip in some cases

I always disable the SIP NAT helper modules and use STUN when the phone needs to communicate with a SIP server behind NAT:
/ip firewall service-port
set sip disabled=yes
by bbs2web
Mon Nov 19, 2018 10:59 pm
Forum: Forwarding Protocols
Topic: Redirect DNS to Local Server
Replies: 12
Views: 35687

Re: Redirect DNS to Local Server

My home MikroTik runs a permanent tunnel to our offices. DHCP configures devices to send DNS requests to the MikroTik which then either proxies the requests to Google or forwards it to our AD server. AD realm = ad.lair.co.za AD server = 192.168.1.3 /ip dns set allow-remote-requests=yes servers=8.8.8...
by bbs2web
Mon Nov 19, 2018 10:42 pm
Forum: Forwarding Protocols
Topic: MPLS FIB differente from OSPF FIB
Replies: 2
Views: 1651

Re: MPLS FIB differente from OSPF FIB

Could you provide feedback after matching or reducing MPLS LDP interface hello and dead timers to be smaller or equal to OSPF timers? I've not had a recurrence since matching my timers to that of the OSPF interfaces and assigning labels out of reserved ranges. More detail here: https://forum.mikro...
by bbs2web
Thu Oct 25, 2018 9:59 pm
Forum: Forwarding Protocols
Topic: BGP route filtering
Replies: 2
Views: 1737

Re: BGP route filtering

You need to escape out $ via cli, eg:
bgp-as-path="^(111_)+(222_)+\$"
by bbs2web
Thu Oct 25, 2018 9:57 pm
Forum: Forwarding Protocols
Topic: BGP route filtering
Replies: 2
Views: 1737

Re: BGP route filtering

There unfortunately isn't a + or - operator, so you need to set local preference explicitly.

/routing filter add bgp-as-path="^(111_)+(222_)+$" set-bgp-local-pref=150
as111 is transit and as222 origin

"_222$"
Originated by as222

"_111_"
Transits as111
by bbs2web
Wed Oct 24, 2018 7:01 am
Forum: Forwarding Protocols
Topic: ISP BGP techniques - Building a reliable and scalable network
Replies: 0
Views: 1250

ISP BGP techniques - Building a reliable and scalable network

Many micro ISPs build their networks without using freely available information from various network operator groups (NOGs). The following slides contain probably the best compact collection of techniques ISPs of any size should use to construct a reliable and scalable network. https://www.slideshar...
by bbs2web
Sun Oct 21, 2018 7:24 pm
Forum: Forwarding Protocols
Topic: BGP Prefix Count vs Route LIst load times
Replies: 2
Views: 3027

Re: BGP Prefix Count vs Route LIst load times

Are you filtering prefixes? Full public internet tables can be a resource drain when: - Clearing BGP communities used within your network - Filtering IPv4 and IPv6 bogons - Filtering your own and downstream customer prefixes - Appending BGP community values, setting local preference and setting weight...
by bbs2web
Sat Oct 20, 2018 3:42 pm
Forum: Forwarding Protocols
Topic: BGP Prefix Count vs Route LIst load times
Replies: 2
Views: 3027

Re: BGP Prefix Count vs Route LIst load times

The longer load time is primarily due to the information being sent to Winbox and it dynamically updating the route display as it populates the data. Would be miles faster to snapshot and transfer the routing table data and for Winbox to subsequently display the information.
by bbs2web
Sat Oct 20, 2018 3:36 pm
Forum: Forwarding Protocols
Topic: BGP sending wrong link local nexthop
Replies: 1
Views: 1784

Re: BGP sending wrong link local nexthop

There is another way to avoid the problem, which is to change the gateway address from 41.0.0.1/27 to something else, such as 41.0.0.30/27. In my humble opinion MikroTik should lookup opposite protocol IPs using the interface name directly, if the peering session's update-source is set as an interfa...
by bbs2web
Sat Oct 20, 2018 11:15 am
Forum: Forwarding Protocols
Topic: BGP sending wrong link local nexthop
Replies: 1
Views: 1784

BGP sending wrong link local nexthop

We extended IPv6 to a specific router and noticed that prefixes were referencing an unreachable link local address. We transport IPv6 to remote provider edge routers via MPLS switched path (VPLS) so nexthop should be global IPv6 address of the PE's loopback interface. BGP peer could ping both IPv4 a...
by bbs2web
Sun Oct 14, 2018 11:56 am
Forum: Forwarding Protocols
Topic: ipv6 - accept redirects
Replies: 0
Views: 1569

ipv6 - accept redirects

GUI and CLI are inconsistent but Wiki (https://wiki.mikrotik.com/wiki/Manual:IPv6/Settings) concurs with CLI:
Image

Has anyone confirmed that RouterOS 6.43.2 ignored IPv6 redirects when forwarding is enabled? Possibly via Wireshark?
by bbs2web
Mon Oct 08, 2018 9:21 pm
Forum: Forwarding Protocols
Topic: BGP IPv6 route reflection
Replies: 27
Views: 10967

Re: BGP IPv6 route reflection

We got something similar to Cisco 6PE working by using route reflectors to distribute IPv6 prefixes between PE (provider edge) routers. Prefixes are originated in to iBGP using the PE router's IPv6 loopback IP and the same IP is assigned to a BGP signalled VPLS bridge interface with a /64 subnet mas...
by bbs2web
Thu Sep 27, 2018 11:53 pm
Forum: Forwarding Protocols
Topic: 1 VPLS Tunnel / multi vlan / 1 Dhcp server
Replies: 6
Views: 2081

Re: 1 VPLS Tunnel / multi vlan / 1 Dhcp server

Filtering, natting and queues should be distributed, core routers should be minimalistic with aggregation functions on dedicated provider edge routers.
by bbs2web
Thu Sep 27, 2018 11:48 pm
Forum: Forwarding Protocols
Topic: Setting localpref
Replies: 2
Views: 1299

Re: Setting localpref

Create a route filter rule which sets the local preference and then configure the peer to apply that inbound prefix filter.
by bbs2web
Tue Sep 25, 2018 1:44 am
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

As you state the advertise option is not needed and was most probably only effecting a change by it flapping the IPv6 address when applying the change. Problem resurfaces if the layer 2 VPLS tunnels re-establish and automatically get removed and added to the bridge, thereby changing its MAC address....
by bbs2web
Sun Sep 23, 2018 9:37 am
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

My intention with this lab exercise was to find a solution to efficiently switch IPv6 packets between provider edge (PE) routers R1 and R5, through an IPv4 MPLS core, using iBGP. RouterOS 6.43.2 can not be used to recursively resolve IPv6 iBGP nexthop using OSPFv3 and running OSPFv3 without IPv6 MPL...
by bbs2web
Sun Sep 23, 2018 8:28 am
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

IPv6 appears extremely unreliable in the GNS3 virtual lab I put together. The following initially only worked in one direction (R1 -> R5) until I restarted R5, after which it worked in both. Added IPv6 prefix filter to the route reflector (RR1): /routing filter add chain=bgp-in address-family=ipv6 p...
by bbs2web
Sun Sep 23, 2018 6:59 am
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

The point is to get IPv6 ingressing at a PE switched across P routers using MPLS. You also missed the fact that I can ping R5's IPv6 loopback from R1 and vice versa, so the gateways are reachable. We then assigned IPv6 /128 loopback IPs and assigned the same IP with a /64 subnet to the VPLS bridge i...
by bbs2web
Sat Sep 22, 2018 11:07 pm
Forum: Forwarding Protocols
Topic: IPv6 recursive nexthops via iBGP
Replies: 110
Views: 49874

Re: IPv6 recursive nexthops via iBGP

Getting decent IPv4 performance without packet loss on CCR routers has required us to use raw firewall rules to stop connection tracking on forwarded traffic and building a distributed core network where P routers talk only IPv4 OSPF and PE routers exchange routes via BGP route reflectors so that th...
by bbs2web
Thu Sep 20, 2018 10:33 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85171

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

L2TP VPN security concern since upgrading 6.42.6 to 6.43.2, MPPE128 is disabled after VPNs connect in approximately 33.3% of the cases: 21:12:41 l2tp,info first L2TP UDP packet received from xxx.xxx.xxx.xxx 21:12:41 l2tp,ppp,info,account zzzzzzzzzz logged in, yyy.yyy.yyy.yyy 21:12:41 l2tp,ppp,info v...
by bbs2web
Thu Sep 20, 2018 10:21 pm
Forum: Announcements
Topic: v6.43.1 [stable] and v6.43.2 [stable] are released!
Replies: 186
Views: 85171

Re: v6.43.1 [stable] and v6.43.2 [stable] is released!

RouterOS 6.43.2 still hasn't fixed VirtIO multi-queue CPU association problem, both input queues are pinned to the same CPU core: http://i65.tinypic.com/2dbs4lc.jpg Tx and Rx queues should share the same core, as detailed here: https://www.linux-kvm.org/images/e/e3/Ver1.jpg Reference: https://www.li...
by bbs2web
Tue Sep 18, 2018 1:35 am
Forum: Forwarding Protocols
Topic: MED When same AS_PATH
Replies: 7
Views: 2564

Re: MED When same AS_PATH

MED only applies when left most AS is common. It's primarily used to influence which link a neighbor uses when there are redundant uplinks. To influence a remote network you would need to agree on them building filters that change local preference using something that you can attach to a route whi...
by bbs2web
Mon Sep 17, 2018 2:11 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 147
Views: 70827

Re: v6.43 [current] is released!

Thanks for your suggestions but that's fairly obvious. MikroTik change defaults in RouterOS releases and don't document changes properly (multi-line change log entries would be a start, linking changes to a bug tracking system would be much better). I still think it would be useful to have a command...
by bbs2web
Mon Sep 17, 2018 1:03 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 147
Views: 70827

Re: v6.43 [current] is released!

How does one obtain the default settings for menu items? The '/system default-configuration print' command details the default initialisation script and does not show default values. 6.43 on a hAP ac (962UiGS-5HacT2HnT): [davidh@router] > /int ethernet export # sep/17/2018 11:59:56 by RouterOS 6.43 #...
by bbs2web
Mon Sep 10, 2018 6:56 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 147
Views: 70827

Re: v6.43 [current] is released!

Upgrade a hEX (RB750Gr3) yields the following changes when upgrading from 6.42.7 to 6.43:
/system resource irq rps
set ether1 disabled=no
set ether2 disabled=no
set ether3 disabled=no
set ether4 disabled=no
set ether5 disabled=no
Has this default been changed?
by bbs2web
Mon Sep 10, 2018 4:08 pm
Forum: Announcements
Topic: v6.43 [current] is released!
Replies: 147
Views: 70827

Re: v6.43 [current] is released!

I'm pleasantly surprised to see that we were unaffected by the authentication changes. We use centralised RADIUS authentication to Active Directory and associate AD security group membership to RouterOS user group permissions. Winbox, SSH and local authentication continues to work... VirtIO IRQ mapp...
by bbs2web
Mon Sep 10, 2018 2:41 pm
Forum: General
Topic: raw firewall rule to filter invalid SIP registrations
Replies: 1
Views: 1249

raw firewall rule to filter invalid SIP registrations

The 'content' verb for raw firewall rules is not documented on MikroTik's Wiki. We were having problems implementing this using layer7 filters and forward rules and had to resort to using raw filter rules instead. A client of ours is using a Cisco Call Manager which has been setup incorrectly to reg...
by bbs2web
Sat Aug 25, 2018 8:19 am
Forum: Forwarding Protocols
Topic: BGP and fail over
Replies: 3
Views: 2831

Re: BGP and fail over

Netwatch tool could ping Google's DNS ( 8.8.8.8 ) and adjust the VRRP priority higher or lower than your backup router: /tool netwatch add host=8.8.8.8 down-script="/int vrrp set [ find name=\"vrrp-vlan10\" ] priority=90" up-script="/int vrrp set [ find name=\"vrrp-vlan...
by bbs2web
Mon Aug 20, 2018 8:12 am
Forum: General
Topic: What is ARP-published feature for?
Replies: 24
Views: 19436

Re: What is ARP-published feature for?

That is how it's configured and it is working, but it requires the 'hosting' interface to be configured with 'arp=local-proxy-arp'. I would like to selectively proxy-arp, exclusively for 10.1.1.2. The IP ARP publish feature should do this, in that it should respond to ARP queries but doesn't place ...
by bbs2web
Sun Aug 19, 2018 8:44 pm
Forum: General
Topic: Passwords for hundreds/thousdands of devices
Replies: 10
Views: 3584

Re: Passwords for hundreds/thousdands of devices

We use FreeRADIUS with a custom perl AD authentication module. I have notes on how to easily integrate a Windows based solution (Radiator) using Strawberry Perl to use AD group memberships to effect security group membership.

Works with SSH and Winbox
by bbs2web
Sun Aug 19, 2018 8:36 pm
Forum: General
Topic: Passwords for hundreds/thousdands of devices
Replies: 10
Views: 3584

Re: Passwords for hundreds/thousdands of devices

We generate unique passwords for each router and treat these as once off tokens when routers do not have connectivity. Centralised RADIUS authentication with permission profiles being applied via AD group membership. We process RADIUS logs and automatically blackhole abusive IPs. SSH key authenticat...
by bbs2web
Sun Aug 19, 2018 6:46 pm
Forum: General
Topic: What is ARP-published feature for?
Replies: 24
Views: 19436

Re: What is ARP-published feature for?

Documentation from MikroTik would be appreciated, perhaps this is a bug? We have a 10.1.1.0/28 subnet, where the router has 10.1.1.1, some hosts have 10.1.1.3 and 10.1.1.4. We route 10.1.1.2 to the nearest caching dns server, outside of this vlan. Everything outside of the 10.1.1.0/29 subnet can com...
by bbs2web
Thu Aug 09, 2018 11:49 pm
Forum: General
Topic: Feature request: AES-NI instruction set for x86 RouterOS
Replies: 15
Views: 7393

Re: Feature request: AES-NI instruction set for x86 RouterOS

We have x86 and CHR virtual instances with CPU where hardware offloading does not enable.

Is there a guide somewhere?
by bbs2web
Sun Jul 29, 2018 5:46 pm
Forum: Forwarding Protocols
Topic: MPLS encapsulation in VPLS tunnel
Replies: 2
Views: 1647

Re: MPLS encapsulation in VPLS tunnel

I can confirm that this definitely works, we run a virtual CHR instances with a rstp bridge to multiple VPLS destinations. 6.43rc appears to support forwarding low level BPDU frames such as LACP, when setting the bridge protocol mode to none, so that customers can simply bond to switch stacks. This ...
by bbs2web
Fri Jul 20, 2018 7:19 am
Forum: General
Topic: VRRP received packet with bad checksum
Replies: 4
Views: 4519

Re: VRRP received packet with bad checksum

Last time I looked in to this Wireshark also marked the VRRP packet coming from a Cisco using v3 as invalid. Using v2 works... Did you get a solution to this? I am seeing exactly the same problem, here on CCR1036 running RouterOS 6.40.8; the VRRP partner is a Cisco 2901 running IOS 15.5(3)M7. VRRP v...
by bbs2web
Tue Jun 26, 2018 1:43 am
Forum: Forwarding Protocols
Topic: Local preference not share among ibgp routers
Replies: 2
Views: 1384

Re: Local preference not share among ibgp routers

RouterOS does not redistribute default gateway, you would need to set each peer to distribute default if it's installed but this is unfortunately not always stable... RouterOS design is to use OSPF as IGP so you could advertise default if installed by eBGP and adjust the metric using route filters, ...
by bbs2web
Sat Jun 09, 2018 6:59 am
Forum: Forwarding Protocols
Topic: Filtering individual BGP communities
Replies: 0
Views: 1094

Filtering individual BGP communities

Has anyone worked out a way to delete a specific BGP community? We are present in 5 DCs where we have customers, peers and providers and set local preference on prefixes to prefer routes in that order. Routers in each DC peer with local route reflectors, who in turn peer with route reflectors in eac...
by bbs2web
Wed May 30, 2018 10:35 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 222395

Re: v6.43rc [release candidate] is released!

Perhaps it's possible for Mikrotik to consider allowing radius authentication for bandwidth tests, whilst restructuring authentication?
by bbs2web
Wed May 16, 2018 12:51 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 222395

Re: v6.43rc [release candidate] is released!

We had an issue with a CHR running 6.42.1 restarting 3 times in a day and subsequently downgraded to 6.41.4. Both of these versions yielded high latency, which has been fixed with the multi-queue driver in 6.43.rc12. Steps: Upgraded RouterOS to v6.43rc12 Set KVM VirtIO network driver on Hypervisor t...
by bbs2web
Tue May 08, 2018 10:05 pm
Forum: Virtualization
Topic: CHR kernel crash when heavy traffic
Replies: 8
Views: 8602

Re: CHR kernel crash when heavy traffic

We have observed 6.42.1 locking up on KVM with VirtIO drivers as well. Our throughput is considerably less, 1.4Gbps with 4 x Intel 2640v4 cores.

6.41.4 was stable prior to this...

ie: Me too...

PS: I have not observed any messages on the VM console, screen doesn't wake from blanking...
by bbs2web
Fri May 04, 2018 4:44 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 222395

Re: v6.43rc [release candidate] is released!

CPU utilisation reduction on CCR (Tile) routers is very evident, great work guys! RouterOS versions: We only keep OS version information for the last 30 days 6.41 - MPLS: 04-02 - 04-03 BGP: 04-02 - 04-09 6.41.3 - MPLS: 04-03 - 04-29 BGP: 04-09 - 04-29 6.42.1 - MPLS: 04-29 - current BGP: 04-29 - curr...
by bbs2web
Wed May 02, 2018 5:13 pm
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 98677

Re: v6.42.1 [current]

We have had 3 instances today alone of routers rebooting themselves with the following message: 14:20:40 system,info router rebooted 14:20:40 system,error,critical router rebooted because some critical program crashed Please would MikroTik consider backporting the Winbox security fix and releasing 6...
by bbs2web
Mon Apr 30, 2018 11:53 am
Forum: Announcements
Topic: v6.42.1 [current]
Replies: 272
Views: 98677

Re: v6.42.1 [current]

Two problems with 6.42.1: IP Neighbour discovery settings in Winbox are shown correctly as !external (ie negate 'external' list; aka all interfaces which are not a member of the 'external' interface list) but 'export' does not include the negate (exclamation mark): http://i68.tinypic.com/35irsox.jpg...
by bbs2web
Sun Apr 22, 2018 2:40 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 222395

Re: v6.43rc [release candidate] is released!

VirtIO multi-queue appears to be working: PS: I have poor connectivity at my present location, the gaps in the graph relate to this, not the release candidate's performance... Nice to see MikroTik tying the input and output vCPU assignments to the same core. This correlates to information published h...
by bbs2web
Fri Apr 20, 2018 11:39 pm
Forum: Announcements
Topic: v6.43rc [release candidate] is released!
Replies: 557
Views: 222395

Re: v6.43rc [release candidate] is released!

*) chr - added support for multiqueue feature on "virtio-net";
Please advise if we should disable IRQ RPS when activating multi-queue VirtIO, I assume yes...

Looks better, IRQs increase on additional virtio1-input.1:
Image
by bbs2web
Wed Apr 18, 2018 12:59 am
Forum: Announcements
Topic: v6.42 [current]
Replies: 147
Views: 76679

Re: v6.42 [current]

RouterOS 6.42 does appear to include the VirtIO multi-queue driver but I assume information may have purposefully been left out of the change logs due to it not actually working. We left RPS enabled to distribute the IRQ events on the first queue to the various cores: http://i64.tinypic.com/wbpfuh.j...
by bbs2web
Tue Apr 17, 2018 9:18 pm
Forum: Announcements
Topic: v6.42 [current]
Replies: 147
Views: 76679

Re: v6.42 [current]

Hi strods, VirtIO multi-queue does not actually work on 6.42rc56. I've sent an email to support and posted information in the 6.42rc56 discussion forum, hope this is easily fixed by RouterOS calling ethtool to actually enable multi-queue. Information available here: https://forum.mikrotik.com/viewto...
by bbs2web
Mon Apr 16, 2018 3:26 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

We repeated the exercise again and had success upgrading to 6.42rc56, only the first queue receives IRQ events though. Probably not calling: ethtool -L ether1 combined 8 Hi strods, We run Proxmox (Debian 9 with KVM) and upgraded a CHR to 6.42rc 56 to test multi-queue VirtIO network support. We set q...
by bbs2web
Thu Apr 12, 2018 3:00 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Perhaps multi-queue hasn't been enabled by the guest?

Documentation (http://www.linux-kvm.org/page/Multiqueue) details guests having to run:
ethtool -L eth0 combined $queue_num
by bbs2web
Thu Apr 12, 2018 2:32 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Upgrading RouterOS x86 to 6.42rc56 on a reset configuration results in multi-queue VirtIO appearing to initialise. Some questions: I assume we should disable RPS? Shouldn't the IRQ counters be incrementing on other queues? Perhaps someone running multi-queue vmxnet3 could compare? Herewith a screens...
by bbs2web
Tue Apr 10, 2018 9:46 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Hi strods,

We run Proxmox (Debian 9 with KVM) and upgraded a CHR to 6.42rc 56 to test multi-queue VirtIO network support.

We set queues equal to the assigned CPU cores and upgraded the router. After booting RouterOS there are no entries in '/int ethernet'...
by bbs2web
Tue Apr 10, 2018 2:53 pm
Forum: Forwarding Protocols
Topic: Getting VRF trace route working
Replies: 1
Views: 3123

Getting VRF trace route working

We constantly get asked by clients why they can not trace paths through VRF networks. Let's explain a simple VPN site: /ip address add address=192.168.250.24 interface=lo # OSPF router ID add address=10.0.0.2/30 interface=ether1 # LTE internet gateway add address=172.17.95.1/24 interface=ether2 # LAN...
by bbs2web
Sun Mar 11, 2018 12:15 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Exactly... The CPUs in CRS class devices are weak, extremely weak. I assisted someone recently that couldn't do 10Mbps routing on a CRS125, as this was software based. I would like to see more high end merchant silicon implementations. Broadcom Dune, for example, was released in 2015 and provides 80...
by bbs2web
Fri Mar 09, 2018 8:28 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Please would MikroTik consider allowing us to set granular pps (packets per second) filtering on ports, instead of percentage. 1% of 10 Gbps is still 100 Mbps, this would rapidly exhaust MAC address tables and take the network offline. D-Link DGS and Netgear M4300 switches support setting most ports...
by bbs2web
Tue Mar 06, 2018 6:01 pm
Forum: Announcements
Topic: v6.41.2 [current]
Replies: 124
Views: 52273

Re: v6.41.2 [current]

I've sent supout files for a CHR instance before and after upgrading (6.41 to 6.41.2) where bridge ports disappear after upgrading. This problem has occurred on CCR, CHS and 750Gr3 routers, one of which only had 3 bridges with 6 bridge ports... I'll book a maintenance window for next weekend (10th M...
by bbs2web
Thu Mar 01, 2018 12:49 am
Forum: Forwarding Protocols
Topic: How add Prefix adv By BGP To Address-list
Replies: 1
Views: 1573

Re: How add Prefix adv By BGP To Address-list

Set a route filter to append a new bgp community value and then have a look at a script I wrote to automate address lists here:
viewtopic.php?f=14&t=129381
by bbs2web
Thu Mar 01, 2018 12:37 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Is it intended that 'on down' script is called each time a PPPoE client unsuccessfully tries to connect? I have a simple script that clears VoIP connection tracking entries, to essentially force them to reroute and only want it to run 'on up' if the connection was previously down and only 'on down' ...
by bbs2web
Thu Mar 01, 2018 12:26 am
Forum: Announcements
Topic: v6.41.2 [current]
Replies: 124
Views: 52273

Re: v6.41.2 [current]

No, they were active and working perfectly. This occurred on another CCR where I subsequently connected via mac telnet and simply dumped all bridge ports back again, any that already existed we skipped. I'll book a maintenance window for next weekend (10th March) and take a supout before and after u...
by bbs2web
Wed Feb 28, 2018 12:25 am
Forum: Announcements
Topic: v6.41.2 [current]
Replies: 124
Views: 52273

Re: v6.41.2 [current]

We've had several instances of CCR routers losing bridge ports after upgrading from 6.41 to 6.41.2. We run rancid as a configuration revision management system and reviewed logs after scheduling upgrades at 3am, ports simply missing. Example: /interface bridge port add bridge=bridge-hosting interfac...
by bbs2web
Sun Feb 18, 2018 5:01 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

Perfect, I'll have some time tomorrow to fiddle with Rancid and agree that discussing this on Github is probably better. Perhaps I should break up the patch in to separate ones, where each one handles a specific point? I agree that the user should be able to select their own network but I think I'd ...
by bbs2web
Sun Feb 18, 2018 4:56 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

I centralise logging and was receiving SMS messages indicating loss of BGP peers. This was due to me originating syslog messages from the loopback IPs, which would then route out: /system logging action set 3 remote=54.119.65.26 src-address=54.79.22.1 I prefer having the standby router exclusively a...
by bbs2web
Sun Feb 18, 2018 3:10 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

The following patch keeps the HA heartbeat and configuration synchronisation interface's original MAC address on both routers. Not necessary on hardware routers with a direct point-to-point network cable but necessary when working with virtual guests or where HA interfaces connect via switch: --- sc...
by bbs2web
Sun Feb 18, 2018 9:40 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

Would you please consider accepting the following patch, it does the following: Changes '] > ' to stop rancid (configuration revision management) matching it to the RouterOS prompt. Changes netmask from /24 to /29 and moved VRRP IP from .10 to .3. Set schedulers' start date to Unix Epoch (Jan/01/197...
by bbs2web
Mon Feb 12, 2018 9:18 pm
Forum: Beginner Basics
Topic: A very noob question about dst-nat rules
Replies: 2
Views: 1087

Re: A very noob question about dst-nat rules

You want traffic to pass through the minimum number of rules so I would create an interface list and then reference that in a single rule...
by bbs2web
Sun Feb 11, 2018 9:33 pm
Forum: Forwarding Protocols
Topic: MikroTik HA stack
Replies: 0
Views: 11293

MikroTik HA stack

I wanted to cast some attention on the excellent work 'nathan1' did with his high availability scripts. A pair of routers essentially use dedicated interfaces as HA heartbeat and configuration synchronisation ports. VRRP essentially governs master status and slave has all other interfaces administra...
by bbs2web
Sun Feb 11, 2018 8:46 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

Hi Nathan, Booting a x86 virtual takes approximately 40 seconds. I converted a customer's active backup routers that we were maintaining, with about 70 individual vrrp interfaces to your ha system. Entire process took about 30 minutes and the process is elegantly simple. No longer have to work with ...
by bbs2web
Sun Feb 11, 2018 2:43 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 186
Views: 56399

Re: Suggestion: Completely virtual router based on two physical routers

Many thanks, you've saved me days! I tested this on virtualised routers first and had a problem that all interfaces would get disabled, including the VRRP parent, until I hashed out the following line in the ha_startup script: /system routerboard settings set silent-boot=yes It's a virtual x86, so i...
by bbs2web
Sat Feb 10, 2018 11:44 am
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 537
Views: 189510

Re: v6.42rc [release candidate] is released!

Could MikroTik please fix BGP peer exports not containing 'remote-as=64512'. We note this behavior on both a 6.41 CHR and CCR1036: /routing bgp peer add default-originate=if-installed in-filter=X-in name=Y out-filter=X-out remote-address=1.1.1.2 tcp-md5-key=secret123 ttl=default remote-as=64512 Then...
by bbs2web
Fri Feb 09, 2018 8:53 pm
Forum: General
Topic: CVE-2018-5951: MikroTik RouterOS Denial of Service Vulnerability
Replies: 20
Views: 8635

Re: CVE-2018-5951: MikroTik RouterOS Denial of Service Vulnerability

Perhaps force '/sys reset' to require an admin password?
by bbs2web
Mon Feb 05, 2018 10:52 am
Forum: Forwarding Protocols
Topic: Cisco STP compatibility, post 6.41
Replies: 0
Views: 1612

Cisco STP compatibility, post 6.41

Has anyone got experience getting STP working with RouterOS 6.41's revised bridging implementation? We historically create rstp bridges and then add vlan or bond interfaces to translate, add or pop tags. We wish to implement layer2 redundancy towards Cisco switches but Mikrotik doesn't provide Multi...
by bbs2web
Wed Jan 31, 2018 7:44 pm
Forum: Scripting
Topic: Playing defense, need help
Replies: 2
Views: 1355

Re: Playing defense, need help

There are various ways of handling this, herewith our method: Drop traffic from blacklisted sources without consuming conntrack table entries: /ip firewall raw add action=accept chain=prerouting comment="Failsafe - allow CDP:" dst-address=255.255.255.255 dst-port=5678 protocol=udp add acti...
by bbs2web
Wed Jan 31, 2018 6:51 pm
Forum: Scripting
Topic: SSH remote multiline commands
Replies: 4
Views: 2525

Re: SSH remote multiline commands

Multiple instructions as a single line? Separate them with a semicolon: /ip firewall nat; print terse where chain=$client-srcnat; add action=src-nat chain=$client-srcnat src-address=$framedipaddress to-address=$publicip comment="$comment" place-before=0; add action=dst-nat chain=$client-ds...
by bbs2web
Tue Jan 30, 2018 10:29 pm
Forum: Scripting
Topic: perl API client
Replies: 109
Views: 68704

Re: perl API client

The following is however again much faster: real 0m0.003s user 0m0.003s sys 0m0.001s An improvement of over 7700%. We work around Perl's compilation overheads: Convert script to TCP server which compiles once, listens on port 7890 and then forks children Replace existing script with simple netcat wr...
by bbs2web
Mon Jan 29, 2018 2:47 pm
Forum: Scripting
Topic: perl API client
Replies: 109
Views: 68704

Re: perl API client

Many thanks to all that have contributed to the MikroTik Perl API. We previously used the ported OO version, as it had the nicest interface and was in CPAN (Comprehensive Perl Archive Network). We however needed to reduce overheads as the OO version utilises the Perl Moose library and subsequently r...
by bbs2web
Thu Jan 18, 2018 10:21 pm
Forum: Forwarding Protocols
Topic: MPLS routes not matching IP route
Replies: 6
Views: 2146

Re: MPLS routes not matching IP route

I wrote about our solution to this problem in the following thread:
viewtopic.php?t=114974
by bbs2web
Thu Jan 18, 2018 10:09 pm
Forum: Virtualization
Topic: Using 'Hardware' watchdog
Replies: 1
Views: 3049

Using 'Hardware' watchdog

It would be great if RouterOS (CHR and x86) would use hardware watchdog features. Virtualisation environments (eg QEMU / KVM) can generally provide an emulated IPMI Intel watchdog interface which causes the virtualisation environment to reset the guest when the counter reaches zero. We've had a few ...
by bbs2web
Thu Jan 18, 2018 9:58 pm
Forum: Virtualization
Topic: Hosting Mikrotik in the Cloud
Replies: 5
Views: 5105

Re: Hosting Mikrotik in the Cloud

We return a couple in Azure and they've been stable for over a year..
by bbs2web
Mon Jan 08, 2018 6:42 pm
Forum: Forwarding Protocols
Topic: Automating address list maintenance - MANRS compliance
Replies: 4
Views: 2868

Re: Automating address list maintenance - MANRS compliance

Credits to 'adeeadee' for the Unix Epoch time functions: https://forum.mikrotik.com/viewtopic.php?t=75555 Credits to 'rextended' for the array push function: https://forum.mikrotik.com/viewtopic.php?t=85992#p434264 And many others for various tips and tricks when working with arrays in RouterOS's sc...
by bbs2web
Mon Jan 08, 2018 5:50 pm
Forum: Forwarding Protocols
Topic: Automating address list maintenance - MANRS compliance
Replies: 4
Views: 2868

Re: Automating address list maintenance - MANRS compliance

Herewith the code without 'export' escaping: # {"<address list>"; <1 = prefixes matching 37314:500>; <1 = prefixes matching 37314:3000>; {<manual prefixes>}; {<custom bgp communities>}}; # Examples: # {"filter-ether1"; 1; 1; {10.1.0.0/16; 10.2.0.0/16}; {}}; # {"filter-ether2...
by bbs2web
Mon Jan 08, 2018 3:09 pm
Forum: Scripting
Topic: How do I reference array using variable?
Replies: 2
Views: 1727

Re: How do I reference array using variable?

Thanks, I assumed as much and worked around this limitation by using nested arrays (similar to a hash table). For those that are interested herewith a post with a functional script: https://forum.mikrotik.com/viewtopic.php?f=14&t=129381&p=635752#p635752 Herewith sample array definition: :loc...
by bbs2web
Mon Jan 08, 2018 1:28 pm
Forum: Forwarding Protocols
Topic: Automating address list maintenance - MANRS compliance
Replies: 4
Views: 2868

Automating address list maintenance - MANRS compliance

Complying with MANRS (https://www.manrs.org/manrs) requires one to filter traffic. Maintaining address lists on multiple routers within one's network is however a time-consuming task so I wrote the following script which: Creates address list entries from manual entries on a per interface basis Cr...
by bbs2web
Sun Jan 07, 2018 2:13 pm
Forum: Scripting
Topic: How do I reference array using variable?
Replies: 2
Views: 1727

How do I reference array using variable?

I need some assistance on how I can reference arrays using a variable: :local ifs {"ether1"; "ether2";}; :local ether1 {1.1.0.0/16; 2.2.0.0/16;}; :local ether2 {192.168.1.0/24; 192.168.2.0/24;}; :local num 1; :put ($ether1->$num); :foreach if in=$ifs do={ :put ($if->$num); } Outp...
by bbs2web
Fri Jan 05, 2018 10:28 pm
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 139560

Re: v6.41 [current]

Seeing that I am connecting to this router, it would subsequently confirm that RouterOS does not honour ICMP fragmentation needed messages. ie: I connect via Winbox or SSH (port 2200), initial packets go back and forth until a payload exceeds the remote VPN MTU. ICMP 'fragmentation needed' message i...
by bbs2web
Thu Jan 04, 2018 6:34 am
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 139560

Re: v6.41 [current]

You're right, the actual issue appears to be that RouterOS does not appear to process or honor ICMP 'fragmentation needed' messages. The following capture is on a MPLS speaking 6.41 RouterOS device where MPLS switched packets are not captured and subsequently only shows incoming packets which use Pe...
by bbs2web
Mon Jan 01, 2018 6:50 pm
Forum: Announcements
Topic: v6.41 [current]
Replies: 304
Views: 139560

Re: v6.41 [current]

RouterOS 6.41 does not honor received MSS value in TCP SYN packet. We are subsequently unable to connect to our routers through a VPN connection from our offices. pe03 --- MPLS --- br01 --- ccr1 --- Linux system running PPTP Traffic capture on pe03 shows TCP SYN packet arriving with TCP options wher...
by bbs2web
Thu Dec 07, 2017 10:24 pm
Forum: Announcements
Topic: v6.40.5 [current]
Replies: 82
Views: 42519

Re: v6.40.5 [current]

PPP profile 'on-down' commands are run when connection attempts are unsuccessful. We run a simple script to clear connection tracking entries, so that NAT updates correctly when outbound connectivity for VoIP changes. Primary connection is PPPoE and failover is LTE. Problem is that PPPoE client, when co...
by bbs2web
Tue Nov 14, 2017 8:06 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 2465

Re: Filtering OSPF originated links

I prefer originating BGP prefixes via static routes as it provides a single control point to: Apply BGP communities Blackhole traffic to suppress ping pongs Avoid having to manage BGP 'networks' Sample: /ip route add bgp-communities=\ 64512:500,64512:900,64512:4000 \ dst-address=50.50.20.0/20 bgp-or...
by bbs2web
Tue Nov 14, 2017 2:55 pm
Forum: Forwarding Protocols
Topic: Mikrotik Backup interface - standby mode
Replies: 2
Views: 1866

Re: Mikrotik Backup interface - standby mode

I assume you want an interface to be administratively disabled until the tracked interface changes state? You could do this by creating an active/backup bond interface and configure IPs on the resulting bond interface: /interface bonding add mode=active-backup name=bond primary=sfp-sfpplus1 slaves=s...
by bbs2web
Tue Nov 14, 2017 2:43 pm
Forum: Forwarding Protocols
Topic: Recursive static route does not apply MPLS labels
Replies: 0
Views: 1166

Recursive static route does not apply MPLS labels

I previously posted about this in (https://forum.mikrotik.com/viewtopic.php?f=14&t=127608), but realise that it was obscure. I would really appreciate someone pointing out a mistake on my side, or whether this is a bug in RouterOS. Simple network path where only edge routers run BGP and all rout...
by bbs2web
Fri Nov 10, 2017 4:34 pm
Forum: Forwarding Protocols
Topic: Filtering OSPF originated links
Replies: 4
Views: 2465

Re: Filtering OSPF originated links

As Anumrak suggests, OSPF ABR (area boundary routers) were designed to do precisely this. Configure the upstream router as follows: /routing ospf area add area-id=0.0.0.1 default-cost=1 inject-summary-lsas=no name=SiteA type=stub /routing ospf area range add area=SiteA range=192.168.1.0/24 /routing ...
by bbs2web
Fri Nov 10, 2017 2:01 pm
Forum: Forwarding Protocols
Topic: MPLS - Source routing
Replies: 0
Views: 947

MPLS - Source routing

50.50.22.4 -> 50.50.22.2 +-> 50.50.22.32 +-> 50.50.22.3 -> 50.50.22.33 +-> 50.50.22.1 50.50.22.4, 50.50.22.32, 50.50.22.33 and 50.50.22.1 are MPLS LERs (label edge routers). 50.50.22.2 and 50.50.22.3 are MPLS LSRs (label switching routers). The LSRs do not run BGP and exclusively learn loopback IPs...
by bbs2web
Fri Nov 10, 2017 1:30 pm
Forum: Forwarding Protocols
Topic: Simple blocking an ASN with BGP? [not resolved]
Replies: 6
Views: 4962

Re: Simple blocking an ASN with BGP? [not resolved]

The formatting I provided was generated by '/routing filter export', should have mentioned that... Simply enter the non escaped versions in Winbox: Exclusively originating directly from (caters for possible prepends): ^(45899_)+$ Either originating or transiting a given network: _45899_ Exclusively ...
by bbs2web
Thu Nov 09, 2017 7:01 pm
Forum: Forwarding Protocols
Topic: Simple blocking an ASN with BGP? [not resolved]
Replies: 6
Views: 4962

Re: Simple blocking an ASN with BGP? [not resolved]

action needs to be accept, with set-type=blackhole. I prefer as path filters like this: bgp-as-path="^(45899_)+\$" You'll need to remove the leading '^' if you are offered the route via other networks though. You could also use the following to match prefixes either originating or transiti...
by bbs2web
Sat Sep 30, 2017 11:43 am
Forum: Virtualization
Topic: CHR <-> RB750Gr3 via GRE over IPSEC Performance issue
Replies: 10
Views: 6921

Re: CHR <-> RB750Gr3 via GRE over IPSEC Performance issue

I'm running CHR on Intel Haswell, without TSX, to support high availability failover to Intel Xeon CPU E5-2640v3. I've confirmed AES pass through by booting the CHR guest using CentOS 7 recovery environment. Confirming 'aes' instruction availability: grep -m1 -o aes /proc/cpuinfo We obtain the follo...
by bbs2web
Fri Sep 08, 2017 6:27 am
Forum: Virtualization
Topic: CHR suggestions for new functionality
Replies: 157
Views: 57619

Re: CHR suggestions for new functionality

We run a hyperconverged cluster using Ceph and KVM and utilise CHR as virtual routers. My wants: - Updated VirtIO vNIC drivers to support multi-queue (probably requires updated kernel). - Intel DPDK support. - Repartition disc, don't mind if this is to increase only. - Fix double NAT in CHR and x86 ...
by bbs2web
Sun Apr 30, 2017 4:50 pm
Forum: Announcements
Topic: v6.39 [current]
Replies: 89
Views: 53738

Re: v6.39 [current]

We've upgraded a variety of devices without issues (CCR1036-12G-4S, CCR1036-8G-2S+, CHR, x86, RB433GL RB411U, hAP ac, 750Gr2, 750Gr3) which utilise MPLS, VPLS, BGP, OSPF, bridging, L2TP (server & client), etc... We have however noticed that a CHR router appears to be restarting its SNMP process ...
by bbs2web
Sat Apr 29, 2017 10:38 am
Forum: Announcements
Topic: v6.39 [current]
Replies: 89
Views: 53738

Re: v6.39 [current]

You can review correspondence in the following post: https://forum.mikrotik.com/viewtopic.php?f=1&p=594913 Hi, !) bridge - reverted bridge BPDU processing back to pre-v6.38 behaviour; (v6.40 will have another separate VLAN-aware bridge implementation); What happened? Is there a thread about this?
by bbs2web
Tue Apr 25, 2017 7:09 pm
Forum: General
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 22550

Re: v6.39rc79 [release candidate] is released!

We are very appreciative of Mikrotik's decision! Would you perhaps consider a stp bridge sub-menu where one could select either per-bridge (R)STP (the current implementation), standard (R)STP (the one in 6.38) or MSTP? I understand standard (R)STP to essentially be common to all bridges, MSTP to pro...
by bbs2web
Sun Apr 23, 2017 2:27 pm
Forum: Forwarding Protocols
Topic: BGP Communities
Replies: 1
Views: 5007

Re: BGP Communities

Set the BGP peer to use an outbound filter and manipulate the prefixes there: add action=passthrough append-bgp-communities=65535:999 chain=ISP-out comment="append bgp-community=64512:999 where /32:" prefix-length=32 This is typically used to blackhole IPs within your announced prefixes an...
by bbs2web
Fri Apr 21, 2017 1:44 pm
Forum: General
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 22550

Re: v6.39rc76 [release candidate] is released!

Please provide a method of restoring previous STP mode, whereby RouterOS would exclusively transmit and process BPDUs on (R)STP bridge ports. I understand MikroTik removing VLAN tags from STP BPDU frames when people create VLANs on bridges, as in: int vlan add name=vlanXXX interface=bridge vlan-id=...
by bbs2web
Fri Apr 14, 2017 8:25 am
Forum: Forwarding Protocols
Topic: What does /ip route vrf really do?
Replies: 22
Views: 20646

Re: What does /ip route vrf really do?

As others have already stated, assigning an interface to a VRF should not necessitate iptable entries nor ip routing rules. Creating ip routing rules creates 'ip rule' entries. Some implementation examples: You place certain interfaces in to a VRF, to separate routing from the router's own requireme...
by bbs2web
Thu Apr 13, 2017 11:20 pm
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

MPLS labels should only be relevant to the router receiving the label, so overlapping destination labels shouldn't be a problem in a router's forwarding table. The table may say: - To send to x.x.x.x/y add label 20 and send out A - To send to w.w.w.w/z add label 20 and send out B Your screen shots f...
by bbs2web
Thu Apr 13, 2017 5:12 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 390
Views: 138569

Re: v6.39rc [release candidate] is released

I understand MikroTik removing VLAN tags from STP BPDU frames when people create VLANs on bridges, as in: int vlan add name=vlanXXX interface=bridge vlan-id=XXX The change they however smashed in place, in my humble opinion, shows no field testing nor consideration for existing customers who have bu...
by bbs2web
Tue Apr 11, 2017 5:30 pm
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 390
Views: 138569

Re: v6.39rc [release candidate] is released

Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and processi...
by bbs2web
Mon Apr 10, 2017 11:43 pm
Forum: Forwarding Protocols
Topic: Route filters
Replies: 9
Views: 6776

Re: Route filters

I don't want to have to update every BGP peering router every time a customer announces a new prefix though, only the routers they peer with. This way the downstream routers can accept eg 10.0.0.0/21 prefix-length=21-24 with an authorised AS path, add our customer community and apply a higher prefer...
by bbs2web
Mon Apr 10, 2017 12:26 pm
Forum: Forwarding Protocols
Topic: Route filters
Replies: 9
Views: 6776

Re: Route filters

Just to recap: We learn customer prefixes via dedicated downstream routers which append a community xxx:1000 and set a high local preference. These routers have queues applied, to limit customers to their subscribed service speed. If a customer advertises eg 1.1.1.0/22 to us, this prefix is then co...
by bbs2web
Sun Apr 09, 2017 12:19 pm
Forum: Forwarding Protocols
Topic: Route filters
Replies: 9
Views: 6776

Re: Route filters

We already do that, the prefix we learn directly has a higher local preference and community assigned by us. Only prefixes with 'customer' community are advertised to our upstream providers. The better matched prefix we learn from our customer is however preferred, although we don't advertise this on...
by bbs2web
Sun Apr 09, 2017 11:03 am
Forum: Forwarding Protocols
Topic: Route filters
Replies: 9
Views: 6776

Re: Route filters

Hrmmm... Filtering out routes on the IX towards our customers unfortunately wouldn't stop us learning a more specific route to the customer via a path we don't want to limit capacity on. I suppose I could jump to a chain which I could build via a script, which would filter out prefixes if they resid...
by bbs2web
Fri Apr 07, 2017 10:15 pm
Forum: Forwarding Protocols
Topic: Route filters
Replies: 9
Views: 6776

Route filters

What are people doing to avoid the following? We mark customer routes with communities, set a higher local preference and weight. IP transit customer peers with us on pe3 and pe4, we add bgp community (eg xxx:1000) and set local preference to 200. Customer advertises /22. Provider edge routers pe1 an...
by bbs2web
Fri Apr 07, 2017 6:55 am
Forum: Forwarding Protocols
Topic: MikroTik - Packet loss on core MPLS router
Replies: 3
Views: 1954

Re: MikroTik - Packet loss on core MPLS router

DACs are fine. Problem was with connection tracking tables which were learning about every stream although there are no forward firewall rules. What is concerning is that Mikrotik was dropping packets and none of the interface statistics were incrementing their drop counters. CPUs were well balanced ...
by bbs2web
Fri Apr 07, 2017 6:35 am
Forum: General
Topic: Bonding low throughput
Replies: 5
Views: 2720

Re: Bonding low throughput

Apologies about the late reply. The default hashing algorithm might be placing both connections on to the same bond member, you could try changing the hash algorithm to include layer 4 information. The setting is 'transmit-hash-policy', documentation here: https://wiki.mikrotik.com/wiki/Manual:Inter...
by bbs2web
Fri Apr 07, 2017 12:38 am
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

We made the following change approximately 2 weeks ago and no longer have to disable LDP after restarting a specifically problematic router, which would otherwise never be accessible unless we connected via mac telnet, disabled LDP, waited a couple of seconds and re-enabled it: /mpls set dynamic-lab...
by bbs2web
Fri Apr 07, 2017 12:11 am
Forum: Forwarding Protocols
Topic: What does /ip route vrf really do?
Replies: 22
Views: 20646

Re: What does /ip route vrf really do?

Mikrotik is Linux based and Linux has support for multiple routing tables and routing rules. A VRF attaches the connected interface route to an alternative routing table so that you can have overlapping routes. I prefer examples: Create PPPoE client and obtain default gateway, this will automaticall...
by bbs2web
Thu Mar 30, 2017 1:58 am
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

We are already running 6.38.5...
by bbs2web
Sun Mar 26, 2017 9:02 pm
Forum: Virtualization
Topic: Does routerOS and CHR handle multicore systems differently?
Replies: 3
Views: 5288

Re: Does routerOS and CHR handle multicore systems differently?

Running CHR under KVM using VirtIO and have configured multiple queues for the network card, essentially matching the number of queues to the number of vCPUs. The processes, on the KVM host, are pinned to cores on the same physical CPU. I unfortunately only see activity on a single CPU, when I set e...
by bbs2web
Thu Mar 23, 2017 9:18 pm
Forum: Forwarding Protocols
Topic: MPLS incorrect forwarding table
Replies: 23
Views: 9584

Re: MPLS incorrect forwarding table

We experience the same issue. One of our routers always has a broken forwarding table after restarting, unless we disable LDP prior to shutdown and then re-enable it again afterwards. We distribute some of our subnets via BGP and OSPF and assumed it was that routes would briefly 'flap' as BGP routes...
by bbs2web
Tue Mar 21, 2017 3:25 pm
Forum: General
Topic: ip route - null route
Replies: 8
Views: 10205

Re: ip route - null route

Hopefully this helps someone else... We prefer to dynamically originate routes from a single static blackhole route, usually the provider edge routers, for the same reason that eflanery explained. We utilise OSPF as our IGP and BGP as our EGP. BGP is set to redistribute static routes whilst OSPF red...
by bbs2web
Fri Mar 03, 2017 1:00 am
Forum: General
Topic: Bonding 802.3ad with vlans packet loss
Replies: 10
Views: 4366

Re: Bonding 802.3ad with vlans packet loss

How could a 6.38 release candidate from 2016 fix his problem on 6.38.3? We have noticed packet loss on aggregate traffic levels above 1Gbps on x86 and Tile since 6.38. Mikrotik support have been provided supout files and other information with ZERO feedback so we've reverted to 6.37.4 (bugfix channe...
by bbs2web
Wed Feb 08, 2017 9:48 pm
Forum: General
Topic: Bonding low throughput
Replies: 5
Views: 2720

Re: Bonding low throughput

This is as per LACP design, a single transfer can not exceed the individual speed of a slave interface.
The hashing options shown in your screen shots are used to predictably keep certain connections on relevant member ports as you would otherwise suffer from out of order packets...
by bbs2web
Thu Feb 02, 2017 11:51 pm
Forum: Announcements
Topic: v6.38.1 [current]
Replies: 73
Views: 39784

Re: v6.38.1 [current]

Please would Mikrotik consider a global bridge setting to restore previous per VLAN (R)STP configuration. We got Netgear to update firmware on M4300 switches to pass through STP as-is and were finally able to implement redundant routers where two sets of bridges could provide VLAN bridging. eg vlan1...
by bbs2web
Wed Dec 14, 2016 9:27 am
Forum: General
Topic: feature request: network namespaces support
Replies: 2
Views: 3108

Re: feature request: network namespaces support

Network namespaces support would additionally provide the ability of being able to construct two active/backup bond interfaces using only two network interfaces. This is useful in scenarios where 10Gbps switches do not have a high speed backbone and where inter-stack traffic becomes the bottleneck. ...
by bbs2web
Thu Nov 17, 2016 6:10 pm
Forum: Virtualization
Topic: CHR - Simple Queue problem
Replies: 0
Views: 2725

CHR - Simple Queue problem

We are running RouterOS CHR, unlimited license on KVM (Proxmox VE). Simple queues appear to be broken, was running 6.37.1 and still broken in 6.38rc25. /queue simple add max-limit=50M/50M name=vlan988-vlan10 target=vlan988-vlan10 Target download is always 0 bytes, target upload appears to work as ex...
by bbs2web
Tue Nov 01, 2016 6:26 pm
Forum: General
Topic: VRRP and firewall rules?
Replies: 3
Views: 6780

Re: VRRP and firewall rules?

The Wiki is wrong, the multicast address is 224.0.0.18. The protocol is also 112 (VRRP) and not 51 (ipsec-ah). Herewith a firewall rule confirmed to work on 6.37.1: /interface vrrp add interface=vlan2000 name=vrrp-vlan2000 priority=254 vrid=23 # Master /ip firewall filter add action=accept chain=inp...
by bbs2web
Sat Sep 24, 2016 10:48 pm
Forum: General
Topic: Feature request: BGP additional path propagation
Replies: 3
Views: 2186

Re: Feature request: BGP additional path propagation

As I understand it, this option is primarily used to pass on a hop count as prefixes are exchanged on their way to route reflectors and ensures traffic follows a predictable path. Without this the route reflectors would collapse active-active routes and only send on one route to other routers. Surpr...
by bbs2web
Mon Aug 15, 2016 6:09 pm
Forum: Forwarding Protocols
Topic: VPLS via MPLS hop does not connect
Replies: 2
Views: 1740

[Solved] Re: VPLS via MPLS hop does not connect

We use OSPF. Working through our configuration and re-reading the MPLS Wiki article however subsequently led me to understand that non direct LDP sessions become tLDP sessions where 'hello' messages are transmitted directly from R1 to R3 via targeted UDP. I previously assumed LDP would distribute h...
by bbs2web
Mon Aug 15, 2016 5:30 pm
Forum: Forwarding Protocols
Topic: VPLS via MPLS hop does not connect
Replies: 2
Views: 1740

VPLS via MPLS hop does not connect

I am having a problem establishing a VPLS tunnel using a router as a hop. My architecture is relatively simple: R1-e1 -------- e1-R2-e2 --------- e2-R3 I can however establish VPLS tunnels from Router1 to Router2 and Router2 to Router3 but not Router1 to Router3. Router1: /interface bridge add name=...
by bbs2web
Wed Aug 03, 2016 1:18 am
Forum: Forwarding Protocols
Topic: OSPF - Routes marked as inactive
Replies: 4
Views: 4369

[SOLVED] Re: OSPF - Routes marked as inactive

I found what I needed to do in the following thread:
http://forum.mikrotik.com/viewtopic.php?t=46495

Simply set the VRF OSPF instance via CLI: use-dn=no
by bbs2web
Tue Aug 02, 2016 5:21 pm
Forum: Forwarding Protocols
Topic: OSPF - Routes marked as inactive
Replies: 4
Views: 4369

Re: OSPF - Routes marked as inactive

Hrm... I have some other routes which refuse to become active where the next hop is reachable. This route originates via a static route on router2 and should be learnt and installed in Router1: Router2: routing ospf route print detail where dst-address="172.16.200.0/24" 0 instance=mpls dst...
by bbs2web
Tue Aug 02, 2016 4:45 pm
Forum: Forwarding Protocols
Topic: OSPF - Routes marked as inactive
Replies: 4
Views: 4369

Re: OSPF - Routes marked as inactive

I didn't realise that OSPF wouldn't resolve static routes for the destinations. Disabling the static routes resulted in the OSPF propagated routes becoming active and the inactive route then being active: Before disabling the static routes: ip route print detail where dst-address in 172.19.105.0/29 ...
by bbs2web
Tue Aug 02, 2016 2:23 pm
Forum: Forwarding Protocols
Topic: OSPF - Routes marked as inactive
Replies: 4
Views: 4369

OSPF - Routes marked as inactive

I am trying to run a second OSPF instance to provide automated routing redundancy between 3 sites. The infrastructure is currently routed statically and routes appear in the OSPF LSA tables but the OSPF route table marks the routes as inactive. I've temporarily disabled the instance on router 3 to m...
by bbs2web
Thu May 05, 2016 3:01 pm
Forum: Forwarding Protocols
Topic: Getting STP (spanning tree) packets through switch
Replies: 0
Views: 1255

Getting STP (spanning tree) packets through switch

I have a requirement to setup redundant bridges, one per CCR, to link together QinQ VLANs but the interfacing switches appear to be eating the STP packets. Point A is vlan40-vlan10 (double tagged) Point B is vlan50-vlan20 (double tagged) I created the interfaces and bridges on each of the CCR router...
by bbs2web
Sun Feb 21, 2016 12:48 pm
Forum: Forwarding Protocols
Topic: BGP routers not reflecting all routes
Replies: 4
Views: 3225

Re: BGP routers not reflecting all routes

Many thanks for the time and effort you invested in your replies, I've certainly learnt something and have updated the settings on my iBGP peers. Your post perfectly explains why both routers initially have an active and backup route and then remove the backup routes when the other side chooses it a...
by bbs2web
Fri Feb 19, 2016 4:40 pm
Forum: Forwarding Protocols
Topic: BGP routers not reflecting all routes
Replies: 4
Views: 3225

BGP routers not reflecting all routes

We have two BGP sessions with two independent ISPs at two different locations and a multihop BGP session between our two routers. We have configured route reflection to our inter-site peering but notice that some routes are not distributed. I assume that this is simply due to the routes not currentl...
by bbs2web
Fri Feb 19, 2016 3:48 pm
Forum: Forwarding Protocols
Topic: OSPF route filtering
Replies: 4
Views: 3527

Re: OSPF route filtering

Thanks for your idea but this unfortunately wouldn't work. I had simplified an objective to hopefully learn methods of filtering routes received via a specific interface or routes with a specific next-hop gateway. We have BGP established on two routers to different ISPs and run OSPF on 1 Gbps and 10 ...
by bbs2web
Fri Feb 19, 2016 3:18 pm
Forum: Forwarding Protocols
Topic: OSPF route filtering
Replies: 4
Views: 3527

OSPF route filtering

I would like to filter OSPF routes received via a particular interface. We have a VoIP system at a location for which we'd like to provide redundancy whilst essentially dropping data traffic when the primary link is unavailable. router1 ------- link A ------- router2 \---------- link B --------/ I h...
by bbs2web
Tue Feb 02, 2016 8:53 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

Re: MPLS - Forwarding table incorrect

Thank you for your assistance, I'll try reproduce the problem in a simplified lab environment...
by bbs2web
Wed Jan 27, 2016 2:05 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

Re: MPLS - Forwarding table incorrect

The second OSPF route, with cost of 100, does not appear to influence the lab setup. Perhaps the outbound label on the route is correct like this?
by bbs2web
Wed Jan 27, 2016 1:46 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

Re: MPLS - Forwarding table incorrect

I've been able to replicate this in a lab environment. I used two hEX (RouterBOARD 750G r2) units where I connected together ether1 and ether2. I accessed the devices using ether5 and created a VLAN on ccr2's ether5 to simulate the routing issue I'm seeing. PS: I reduced the L2MTU as these devices d...
by bbs2web
Sat Jan 23, 2016 3:22 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

Re: MPLS - Forwarding table incorrect

The two routers contain fairly extensive configurations and additionally handle BGP sessions to 9 peers between them. We have redundant links between CCR1 and CCR2 with OSPF weighting to make them work as active/passive. The problem appears to have disappeared when disabling OSPF and LDP on the backu...
by bbs2web
Wed Jan 20, 2016 10:01 pm
Forum: General
Topic: Hardware Redundancy / Clustering / Standby Router
Replies: 6
Views: 8059

Re: Hardware Redundancy / Clustering / Standby Router

Absolutely, I would love to review it. I initially thought it wouldn't be possible as exports generally only contain non default settings and RouterOS, to the best of my knowledge, has no mechanism to reset portions of its configuration (ie /int reset). My next thought was to transfer backups to a w...
by bbs2web
Tue Jan 19, 2016 10:55 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

Re: MPLS - Forwarding table incorrect

Both routers are running 6.33.5 and there are no other routers in the path between CCR1 and CCR2, so my understanding appears to match yours. I'm sure the folks at Mikrotik get loads of false positives so I wanted to confirm this with someone who had MPLS experience before wasting their time. Thanks...
by bbs2web
Mon Jan 18, 2016 11:31 pm
Forum: General
Topic: Hardware Redundancy / Clustering / Standby Router
Replies: 6
Views: 8059

Hardware Redundancy / Clustering / Standby Router

It would be great if RouterOS had a feature to synchronise its configuration from a partner and enter service when the primary router is unavailable. Something along the lines of transferring a backup or export every X minutes and switching to this configuration when primary is not reachable. For e...
by bbs2web
Mon Jan 18, 2016 11:16 pm
Forum: Forwarding Protocols
Topic: MPLS - Forwarding table incorrect
Replies: 10
Views: 4732

MPLS - Forwarding table incorrect

I'm new to MPLS on RouterOS and don't understand why the forwarding table on CCR1, in the example below, contains an outbound label. Is there perhaps something wrong with my OSPF configuration? Overview: CCR1 lo = 41.79.21.1 seacom-vlan21-vlan210 = 198.19.12.53/30 | seacom-vlan21-vlan210 = 198.19.12...
by bbs2web
Sun Mar 02, 2014 5:17 pm
Forum: General
Topic: PPP link compression with Linux host
Replies: 1
Views: 5387

PPP link compression with Linux host

I have a fairly slow PPP session on which I would like to get compression working. Connecting a RB411U running RouterOS 6.10 to a CentOS 6.5 server using L2TP and pppd. Firstly, I know MPPE is negotiated in the CCP (Compression Control Protocol) network layer negotiation of PPP and subsequently d...
by bbs2web
Mon Dec 10, 2012 9:58 pm
Forum: General
Topic: Traffic shaping - prioritising TCP ACK - Solved
Replies: 7
Views: 9375

Re: Traffic shaping - prioritising TCP ACK - Solved

Not setting the size was resulting in the rule matching all traffic. Reading the following article leads me to understand that each packet associated with an established connection would have the ACK flag set: http://packetlife.net/blog/2010/jun/7/understanding-tcp-sequence-acknowledgment-numbers/ L...
by bbs2web
Mon Dec 10, 2012 11:12 am
Forum: General
Topic: Traffic shaping - prioritising TCP ACK - Solved
Replies: 7
Views: 9375

Re: Traffic shaping - prioritising TCP ACK (not possible)

This works perfectly! Many thanks for the quick tip. Would anyone have any reference material to substantiate that the 0-123 packet size? I would like to make it as specific as possible but the following is currently working: /queue type add name=syrex-pfifo kind=pfifo pfifo-limit=5 add name=syrex-s...
by bbs2web
Mon Dec 10, 2012 11:06 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

Screenshot collection.

MiMo - TCP transfer screenshots.zip
MiMo - TCP AP1 to AP2.gif
MiMo - TCP AP2 to AP1.gif
MiMo - TCP full duplex

MiMo - UDP transfer screenshots.zip
MiMo - UDP AP1 to AP2.gif
MiMo - UDP AP2 to AP1.gif
MiMo - UDP full duplex
by bbs2web
Mon Dec 10, 2012 10:59 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest - Solved (NB)

We finally have a proper full duplex WiFi link working in a lab environment which will be mounted during the course of this week. We are now able to realise close on 200Mbps concurrently. For documentation purposes of this lab environment: 4 x RB433GL (800MHz CPU, 3 Gigabit LAN, 3 mini PCI) 4 x RGP...
by bbs2web
Mon Dec 10, 2012 10:46 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

There appear to be major performance issues when asking the MikroTik RB433GL (probably not limited to this specific model) to route packets concurrently. The following setup completely separates the dual WiFi links but performance is terrible when asking the MikroTik to essentially apply routing rul...
by bbs2web
Thu Dec 06, 2012 2:41 pm
Forum: General
Topic: Traffic shaping - prioritising TCP ACK - Solved
Replies: 7
Views: 9375

Traffic shaping - prioritising TCP ACK - Solved

We (very) successfully shape traffic on Linux systems using HTB and are unable to achieve the same control when using MikroTik routers. The most important rule (to us), which we are currently unable to implement, is the ability to prioritise TCP ACK (acknowledgement) packets to ensure the remote sys...
by bbs2web
Wed Dec 05, 2012 11:18 pm
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

The wiki article you referenced specifically states that it's a half duplex solution. I don't want to bond the wireless links, I want the maximum possible speed in full duplex so that transmitting data in either direction doesn't affect the other. I have the link running properly now after moving the...
by bbs2web
Wed Dec 05, 2012 11:38 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

Screenshot collection 2 of 2.

SiSo - TCP transfer screenshots.zip
SiSo - TCP AP1 to AP2.gif
SiSo - TCP AP2 to AP1.gif
SiSo - TCP full duplex

SiSo - UDP transfer screenshots.zip
SiSo - UDP AP1 to AP2.gif
SiSo - UDP AP2 to AP1.gif
SiSo - UDP full duplex
by bbs2web
Wed Dec 05, 2012 11:36 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

Screenshot collection 1 of 2.

MiMo - TCP transfer screenshots.zip
MiMo - TCP AP1 to AP2.gif
MiMo - TCP AP2 to AP1.gif
MiMo - TCP full duplex

MiMo - UDP transfer screenshots.zip
MiMo - UDP AP1 to AP2.gif
MiMo - UDP AP2 to AP1.gif
MiMo - UDP full duplex
by bbs2web
Wed Dec 05, 2012 11:28 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

For documentation purposes of this lab environment: 2 x RB433GL connected to Linux systems using official Gigabit PoE adapters 2 x RB433GL 4 x R52Hn wireless cards (2 per enclosure) 4 x 10dBi Ubiquiti AirMax MiMo 5GHz Omni (UBAM-O-5G10) Layout: ie: Linux 1Gbps - ether1 RB433GL R52Hn wlan1 ----------...
by bbs2web
Tue Dec 04, 2012 10:57 pm
Forum: Wireless Networking
Topic: nv2 multilink problem
Replies: 94
Views: 36134

Re: nv2 multilink problem

This is similar to a problem I posted (http://forum.mikrotik.com/viewtopic.php?t=67835) where I'm testing RB433GL with R52Hn cards in a lab environment prior to installation. I get excellent throughput in either direction using 5GHz-N using the nv2 wireless protocol but full duplex TCP is terrible. ...
by bbs2web
Tue Dec 04, 2012 10:30 pm
Forum: Wireless Networking
Topic: Help! Sierra MC5727 Issues with RB411U v5.6
Replies: 8
Views: 2737

Re: Help! Sierra MC5727 Issues with RB411U v5.6

Upgrade RouterOS, we had the exact same problem with early releases of RouterOS 5. We are currently running a RB411U with a Sierra MC8792V 3G module on RouterOS 5.21. Herewith a copy of our own internal notes, they were built up last festive season when we first started playing with the stuff (Our ...
by bbs2web
Tue Dec 04, 2012 1:29 pm
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

Wouldn't the links then report the CCQ below 100%? Full duplex UDP is working at an acceptable level. Any recommendations on what I can try to do to shield the R52Hn cards from each other? A small sheet or tin placed in an anti-static packet between the two radio cards? The transmit power is current...
by bbs2web
Tue Dec 04, 2012 9:39 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

That is correct. Herewith a summary as I understand the screenshots above might confuse the matter: 2 x RB433GL 4 x R52Hn 4 x 10dBi Ubiquiti AirMax MiMo 5GHz Omni (UBAM-O-5G10) NB: I've disabled the second chain on the R52Hn cards to prevent the two links from running on the same polarisation, altho...
by bbs2web
Mon Dec 03, 2012 11:18 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

Testing TCP in either direction separately provides excellent results:

AP1 to AP2:
real-tcp-1.gif
AP2 to AP1:
real-tcp-2.gif
by bbs2web
Mon Dec 03, 2012 11:14 am
Forum: Wireless Networking
Topic: 300 Mbps Full Duplex 100m link - Quest - Solved
Replies: 19
Views: 10159

Re: 300 Mbps Full Duplex 100m link - Quest

The problem: 40Mbps/15Mbps on full duplex TCP Full duplex TCP only yields: problem-full_duplex.gif Linux system 1 - Listen for data from system 2: nc -l 5000 > /dev/null Linux system 2 - Send data to system 1: dd if=/dev/zero | nc 192.168.254.1 5000 Linux system 2 - Listen for data from system 1: n...