MikroTik

IPANetEngineer

What's the output of

ip route print

and

routing ospf lsa print detail

on the AS_Router ?

IPANetEngineer

That's definitely not normal, when I issue the same command on my home or office router which are both dual stack, I get the global unicast addresses and the default route.

I would recommend downgrading to the LTS version 6.47.9 and see if the issue persists.

IPANetEngineer

These two should get you what you need. Most of what you're looking for will be in the ipv6 menu

ip dns print

and

ipv6 address print

IPANetEngineer

Recursive routing for iBGP next hops in MikroTik only works with IGPs (OSPF and RIP) and static routes.

IPANetEngineer

Normally, you only want the default to originate at the border router where you are peering or have DIA with an upstream.

Then:

Default Originate (if installed) on all eBGP peerings

Permit it via all other eBGP peers in

IPANetEngineer

Is this an eBGP design where every tower is a separate ASN? From reading the notes, it seems that way If so, you'll want to default originate if-installed for every ebgp peering, You also need to make sure that you have a valid and active default route for it to pick up and make sure your in and out...

IPANetEngineer

We've also found that in addition to higher clock speeds, the amount of cache in the CPU helps with performance. Get more if you can afford it.

IPANetEngineer

Probably need more details, I've used 172.16.0.0/12 without issue for years in RouterOS...what's the specific configuration giving you issues?

IPANetEngineer

This is a good idea...would like to see this.

IPANetEngineer

This is a known limitation of ROSv6. Recursive routing doesn't work in IPv6. This is fixed in v7, but it's still in beta.

Some notes about this are in this article:

https://stubarea51.net/2020/12/30/mikro ... spfv3-bgp/

IPANetEngineer

What are the firewall rules/config? Even one rule can make a difference if a large volume of packets hits it.

IPANetEngineer

It would be helpful to see your configuration

IPANetEngineer

Try adding

add stp-type=config

to your filter rule and then create another filter rule for TCN. This should match and only drop BPDUs and not all outbound traffic.

IPANetEngineer

Really excited to see a REST API in this release. Thanks MT!

IPANetEngineer

Continuing the Juniper to MikroTik series. It translates MikroTik CLI into Juniper to make things easier to learn as well as build multi-vendor networks. This post that will show you basic OSPFv2 commands for config and troubleshooting in both ROS and Junos syntax. Enjoy! https://stubarea51.net/2021...

IPANetEngineer

This depends on whether you want full tables or not.

If you don't need full tables, i'd recommend a CCR1036-8G2S+ , if you are going to do full tables, a hypervisor and the CHR will give you the best performance until v7 is out as stable code.

IPANetEngineer

Continuing the tradition with a series that I've had out for several years now. It translates MikroTik CLI into other popular network vendors like Cisco to make things easier to learn as well as build multi-vendor networks. This time we are diving into Juniper. Here is a post that will show you basi...

IPANetEngineer

You don't need to remove it from the bridge, it can be set and changed. However, if spanning tree is running on the bridge and this is a prod network, be mindful of changes that can cause the STP topology to reconverge.

IPANetEngineer

I'd use the CHR for this task...easy to scale for growth as needed. As the CCR2xxx series matures and they release more models, I expect it will be a good choice as well.

IPANetEngineer

IS-IS and Segment Routing (SR-MPLS)

Discussion is here:

viewtopic.php?f=1&t=171278&p=837339#p837339

IPANetEngineer

There were problems with using the SFP+ port on the 4011 with DAC cables in the past. The issue has been fixed in RouterOS, but we still use optical connections on 4011s and have no issues.

I would change to optical and see if the FCS errors continue.

IPANetEngineer

Here is an article I wrote to make Cisco to MikroTik VLAN trunking easier.

https://stubarea51.net/2019/02/06/cisco ... and-vlans/

IPANetEngineer

Sooooo move away from PPPoE to what exactly? We are talking 15.000 CPEs, I’m open to suggestions. Movistar, my home fibre ISP, with millions of customers, runs PPPoE... This really depends on why you want PPPoE. In 2021, PPPoE is typically deployed because you want: 1) Traffic accounting via RADIUS...

IPANetEngineer

The software quality of major network vendors like Cisco/Juniper has gone down in the last 5 years as they lean more on customers for QA.

We've been incredibly successful using the long term version of RouterOS in production networks for both enterprise and service provider.

IPANetEngineer

ASN isn't a piece of information carried in the packet header - only the routing table of a BGP border router.

Do you have a border router with a full table and no default route?

IPANetEngineer

If there are specific ASNs you want the list of prefixes for to then add to a FW rule, the easiest way would probably be a route-set query

https://www.arin.net/resources/manage/irr/

IPANetEngineer

Try setting the speed explicitly on each end to be 10G or 1G and see if that resolves the issue.

IPANetEngineer

At some point in the future, you'll be able to use the CRS354 to route between VLANs without using CPU. The functionality is there in many of the CRS3xx switches in the v7 beta software. However it's not production ready yet. Capabilities are here: https://help.mikrotik.com/docs/display/ROS/CRS3xx+s...

IPANetEngineer

What is the output of the following command?

interface bridge port print where hw-offload=yes

IPANetEngineer

I would ask your provider to send you a full table + default so that you can discard the full table. However, if you decide to leak specific routes or allow the full table in the future, it doesn't require a change by the upstream provider.

IPANetEngineer

It totally stinks and that's great. I hate these broken MTU promoters. My primary uplink provider still caps MTU at 1460 on their so-called "next-gen" fibre infrastructure. Some people never graduated 1500 ethernet MTU basics. First day on the Internet with MTU? :-) His effective MTU was ...

IPANetEngineer

Kicking off the new year to reiterate my MikroTik wish list....while there are many things i'd love to see in ROSv7, these are my top 2. 1) Segment Routing - In the service provider and data center space, MPLS is rapidly moving over to SR-MPLS because it simplifies both label exchange and traffic en...

IPANetEngineer

It seems to be pretty simple. Create an eBGP peering with the cache box using the ASN and IPv4/IPv6 space that Google allocates and then advertise all prefixes for customers that are normally advertised on transit peers. This is the way most content caches work. https://support.google.com/interconne...

IPANetEngineer

Seems like they have an example of this in the new help docs.

If i'm reading it right, you'll need a bridge set with ether-type=0x88a8

https://help.mikrotik.com/docs/display/ ... VLAN+Table

IPANetEngineer

I've been working on a lab for ROSv7 to provide examples for IPv6 config with OSPF and BGP. Details are in the blog post. Hope it's helpful! https://stubarea51.net/2020/12/30/mikrotik-routerosv7-first-look-dynamic-routing-with-ipv6-and-ospfv3-bgp/ https://stubarea51.net/wp-content/uploads/2020/10/im...

IPANetEngineer

There are two different articles that I think would help you here: The first is an overview of migrating from bridged to routed for a WISP https://stubarea51.net/2019/09/15/wisp-design-migrating-from-bridged-to-routed/ The second addresses your concern of getting IPs from a /24 out to the towers. VP...

IPANetEngineer

Large ISP often has several platforms for different workloads. They never do everything in one single platform. Even in smaller ISPs, this is how I design. Trying to fit every service into a couple of routers almost always ends up being more complex than splitting workloads out into Internet Edge, ...

IPANetEngineer

If you're going x64, go for VyOS instead of RouterOS. RouterOS doesn't have many basic features such as NPTv6, Routing Marks for IPv6 etc and the fact that RouterOS v7 has been in development for a decade if not more. VyOS is enterprise-ready (go through their documentation and confirm yourself) an...

IPANetEngineer

Here is a blog post I wrote on MikroTik and VPNv4. In this example, the P routers are Juniper but the PEs are MikroTik and using VPNv4 The lab config is included in the article. https://stubarea51.net/wp-content/uploads/2020/01/MikroTik-to-Juniper-MPLS-and-VPNv4.png https://stubarea51.net/2020/01/22...

IPANetEngineer

The very best way to do this is with communities. With only two upstreams, you may need to break your /20 into a few smaller advertisements like /21s or /22s and then use the traffic engineering communities of your upstream provider to set preferences. Technically you can do this without communities...

IPANetEngineer

VPNv4 requires an MPLS forwarding plane for prefixes to be reachable. Do you have LDP enabled?

IPANetEngineer

This really depends on what your goals are for maintaining full tables. If you want all traffic to leave via Cogent and only the traffic local to Bulgaria to be sent to the local provider, you can take a default route from Cogent and then learn the ~7000 local routes over the other provider. If you ...

IPANetEngineer

G.8032 is definitely the way to go....would love to see this in the CRS3xx series.

IPANetEngineer

I wrote a blog article on this issue and a workaround when doing VPNv4 between MikroTik and Juniper.

https://stubarea51.net/2020/01/22/junip ... 4-interop/

IPANetEngineer

I've done this quite a bit with MikroTik and Fortigate for Enterprise and Data Center networks. Typically I use a design that employs dynamic routing and L3 switch stacks for a few reasons 1) Failover isolation - the border routers can failover independently of the firewall pair if there is an inter...

IPANetEngineer

The configuration example you need to do QinQ on a CRS3xx switch is in the MikroTik Wiki here:

https://wiki.mikrotik.com/wiki/Manual:I ... 8Q-in-Q.29

The support was added in 6.43rc13
*) crs3xx - added initial Q-in-Q hardware offloading support (CLI only)

IPANetEngineer

Hi IPANet, I am in awe of your network designs........... I don't know or think I will ever need fz-codel or cake functionality but I can guarantee you I will probably be eating cake when I read your posts demonstrating such features !! :-) Thanks for the feedback, I appreciate it :-) We'll definit...

IPANetEngineer

If you want to pass all VLANs like a trunk over VPLS without specifying each VLAN, here is a blog article I wrote with config examples on how to use S-Tag for this. https://stubarea51.net/2018/08/07/mikrotik-isp-design-building-an-802-1q-trunk-between-sites-using-vpls-and-s-tag/ https://stubarea51.n...

IPANetEngineer

I am ***soo*** excited to finally see fq-codel and cake in RouterOS, this is going to be a game changer for shaping options in ISP networks.

Nice work MikroTik :)

IPANetEngineer

... the fact that using stateless address assignment means everyone on the Internet knows your device's MAC address. What's so special about my tablet's MAC address that nobody should know it? This is why RFC4941 exists - Windows, Mac and Linux all support privacy extensions to obscure the MAC addr...

IPANetEngineer

Thank god for NAT and IPV4, not sure what disaster IPV6 will bring. ;-P IPv6 is faster than IPv4 and enables end to end connectivity. You *need* to be deploying IPv6 :-) https://www.zdnet.com/article/apple-tells-app-devs-to-use-ipv6-as-its-1-4-times-faster-than-ipv4/ We've run it in dual stack for ...

IPANetEngineer

I need to upgrade the CCR2004 in my lab and see if the stability improves. We've used them for several clients but have also had some stability issues. I think this router will be amazing after a few more months of bug fixes from MikroTik. This is pretty typical of a new router release...it takes a ...

IPANetEngineer

Set your IPv6 MTU to 1280 and see if that solves the issue as there are places on the internet that are still 1280 for IPv6. If that resolves it, you can slowly raise it until things break again to understand what your effective MTU is.

https://blog.cloudflare.com/increasing-ipv6-mtu/

IPANetEngineer

Why not build LACP channels from the 4500X to two different MikroTiks and connnect the MikroTik routers together via BGP?

What role do the MikroTik routers and 4500X play in this network? what are their jobs?

IPANetEngineer

In general, MikroTik does not care about which vendor made the SFP or DAC cable. I've used Cisco DACs and SFP Optics in MikroTik without issue. I've also had a lot of success with FiberStore SFPs and DAC cables. They work well with MikroTik and Cisco. If you have issues with the DAC cable working, t...

IPANetEngineer

Having designed and built hundreds of WISPs, i've got a few things to share with you that may be helpful. We typically deploy a "switch-centric" design where all connections go into a switch because it lowers operational overhead. This is similar to your first design drawing. We've scaled ...

IPANetEngineer

Earlier this year, a model number for a 100G router from MikroTik was leaked. That's about all we know. https://forum.mikrotik.com/viewtopic.php?p=819880 CCR2016-1G-12XS-2XQ is the model number which would have 2 x 100G interfaces and 12 x 25G interfaces The wiki was updated this year to reflect 100...

IPANetEngineer

Can you share the community list for each of the peerings.?

Prepending isn't going to work if you only have one /24

IPANetEngineer

Ideally, you'd push for another peering with your provider or get a second provider and peer with them. Have you asked your upstream if this is possible? I've seen many providers do this if asked by a customer. In that type of design, you'd want to build it like this: https://stubarea51.net/wp-conte...

IPANetEngineer

It appears you are trying to build a mesh VPN where any site can reach any other site. Honestly, as much as I love MikroTik, ZeroTier is a better solution for this. https://www.zerotier.com/ If you're going to use MikroTik, I would consider using L2TP and build tunnels to/from all routers. You can b...

IPANetEngineer

Can you post details of the config?

IPANetEngineer

Nice summary of info...thanks!

IPANetEngineer

Ever since I first started using MikroTik 10 years ago, I've been very impressed with how well they handle higher temperatures when a climate controlled environment is not available.

IPANetEngineer

You cannot use subnets that are directly overlapped in different VRFs in RouterOS v6...this is fixed in RouterOSv7

IPANetEngineer

You cannot use Winbox to manage an Arista device as winbox is specific to MikroTik. You can use it as a route reflector if you want though and that will give you some visibility....but is that a good fit for your network architecture? However, you can use programs like Unimus or Ansible to manage al...

IPANetEngineer

Please post the output of the following commands

/routing ospf export

/routing ospf neighbor print detail

/routing ospf as-border-router print detail

IPANetEngineer

mDNS would be a great addition to enable things like chromecast between subnets.

IPANetEngineer

That's why we normally use the ptp OSPF type on RF links and it works very well with rapid convergence.

What radios are you using that don't support multicast?

IPANetEngineer

Have you tried changing the interface queues for both ports from hardware-only to ethernet-default ? You need buffering when mixing interface speeds on any router and i'm not sure what the default buffer capabilities are for the CCR2004. I would at least try a few different queue types for the inter...

IPANetEngineer

If you can plug into it locally, use mac-telnet with winbox which will bypass all L3 and login to the router

IPANetEngineer

same problem as well

IPANetEngineer

It seems like this would be a natural extension of the DUDE. I would love to see NETCONF capabilities to standardize with the rest of the networking industry.

IPANetEngineer

I'm curious, what is the intent behind not wanting DR/BDR?

You might consider eBGP for RF links. It converges pretty fast and doesn't require multicast

IPANetEngineer

What's the lowest throughput (on the 1G) you've seen the packet loss?

IPANetEngineer

Depending on the type of wireless device you're connecting to, you need to verify the station type under your wireless interface settings. station-bridge is ideal if the other router is a MikroTik. Otherwise you can try station-pseudobridge, but you'll have some limits outside of IPv4 traffic. If it...

IPANetEngineer

If i'm understanding what you're trying to do, all you really need is to bridge the wireless interface on the hAP lite to the physical ports the security devices are plugged into. That will extend the RFC1918 network in the home router through to those devices. 1. under 'bridge' add a new bridge usi...

IPANetEngineer

We have mainly packet loss pinging from the remote end to ccr2004 gigabit interface, the problem probably occurs when the upstream traffic from the 10G->1G fullfill the ethernet..

So does the packet loss only occur when the 1G interface is full?

IPANetEngineer

Yes, you'll need to enable default-originate (if installed) on all peerings in this type of design. I would use BGP communities to set either weight or localpref I did a presentation a few years ago on this type of design at the US MUM in Denver. Here is an overview of the way we used communities. e...

IPANetEngineer

This is great news...have been waiting for this feature for a while.

IPANetEngineer

Thanks for the feedback...i'll check the hypervisor and see if it's creating a bottleneck somewhere.

IPANetEngineer

Did some work on testing the L3 performance last week in 7.1beta2 and published it today.

https://stubarea51.net/2020/10/12/mikro ... e-testing/

IPANetEngineer

I would build a highly available BRAS for PPPoE and use x86 +CHR. We wrote an article on how to design it

https://stubarea51.net/2018/04/23/pppoe ... atorsbras/

IPANetEngineer

Either an RB4011 or a CCR1009 will handle this task easily.

IPANetEngineer

While you can create a bridge and tunnel as others have said, honestly ZeroTier is the easiest way to do this and has the best performance Just install it on each computer and they'll be connected with great performance and none of the typical issues that come with L2 extensions. https://www.zerotie...

IPANetEngineer

Just curious, what application are these servers hosting? It seems like an application load balancer would be a better tool than ECMP in routing since you're expecting TCP sessions from a specific source to stay with the server they hit.

This is the exact problem a load balancer solves :-)

IPANetEngineer

Check the security settings on the ESXI VSWITCH and make sure they are as permissive as possible.

IPANetEngineer

I may have found an answer to this in the v7 docs. I am going to test this with an empty route filter and see if it only advertises interfaces in OSPF that are configured. EDIT: 10/10/2020 - This was the issue - verified it in the original lab https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+R...

IPANetEngineer

We need more details and examples of your configuration and DHCP lease output to be helpful

IPANetEngineer

Mikrotik default MPLS mtu is 1530, if I understood correctly, then it must be raised if the end customer needs qinq, for example.

yes if you want QinQ then you'll need at least 1534 to support two tags.

IP ArchiTechs has engineers in the EU (+2 time zone) as well as North and South America.

IPANetEngineer

If you're going to keep the traffic at Layer 2, then you'll be able to achieve 10Gbps between hosts that are connected to the switches. In RouterOS v7, L3 at wirespeed is possible since routing is offloaded into hardware. https://help.mikrotik.com/docs/display/ROS/CRS3xx+series+switches#heading-L3Ha...

IPANetEngineer

Can you share more about the network topology and configuration? The CCR1072 will support 15G of traffic

IPANetEngineer

A few thoughts here. 1) You don't want separate instances...that would require redistribution and isn't needed 2) You want a router that isn't a border to act as a route reflector often these are core routers - this can even be out of path like a CHR 3) You need to either set next-hop-self on each b...

IPANetEngineer

When you say teaming with ESXi 6.0 do you mean active/passive teaming or LACP?

IPANetEngineer

That's not the same. The laptop will most likely get the address using SLAAC, or possibly using DHCP but asking for a single address, not for a prefix. You can actually use Linux to test for prefix delegation. This is the syntax for debian based flavors. dhclient -d -6 -P <interface_name> --prefix-...

IPANetEngineer

Id love to understand why (in which situations) Id use PtMP? PtMP was very commonly implemented about 10 to 15 years ago in Frame Relay and ATM networks that were not broadcast capable but could otherwise have more than two hosts on a Layer 2 segment. It is sometimes used in wireless networks with ...

IPANetEngineer

Yes of course, it will be implemented.

Is VPNv6 planned for implementation as well?

IPANetEngineer

why the dhcp give same address to active user ppp ??? i check everything But I couldn't solve the problem
SERVER : 1100AHX2 (6.47.4)
I use Radius

What does the radius log say for those two connections?

IPANetEngineer

I tried with a simpler config and got the same result. This appears to be a bug and not configuration related.

IPANetEngineer

Have you tested that prefix delegation is working with another non-mikrotik device or a laptop?

IPANetEngineer

I agree that HW accelerated security devices at a low price point is a *huge* gap in the market. One feature that would really push the adoption of this is a stateful failover feature between two CRS switches so that it doesn't have to be a customized script + vrrp.

IPANetEngineer

This is typically caused by a duplication of a MAC address in two sessions. How many PPPoE clients do you have and what type of router are you using?

IPANetEngineer

If the /29 isn't routed to you and your ISP will be the GW for the /29, then you really have two options

1) Bridge all the ports together and use L2 to connect hosts together
2) Use Proxy ARP and assign a /32 public to each endpoint (as a loopback) with a route pointing to the /32 on your router.

IPANetEngineer

According to the bridge hw offload guide, that model doesn't support Bridge VLAN filtering in HW offload. Have you tried the same config under the switch menu?

https://wiki.mikrotik.com/wiki/Manual:I ... Offloading

IPANetEngineer

I really hope so, 100G on a CCR or CRS would be amazing!!

We have use cases in the data center and in service providers for 100G ports this would be perfect for.

IPANetEngineer

Are you expecting traffic to grow beyond 1G? If so, i'd go with the CCR2004. Also, if you have the budget, the cost of the CCR2004 is only a few hundred dollars more, so unless you're on a tight budget, the CCR2004 is a better choice. That said, the 4011 will do 2G to 3G of Internet traffic (1500 MT...

IPANetEngineer

I'm doing some lab work with IPv6 routing and ROS7.1beta2 CHR. I'm trying to understand why OSPFv3 is advertising a specific prefix as I didn't explicitly configure it to be advertised and it doesn't show up as an external route indicating redistribution. Here is the network topology https://stubare...

IPANetEngineer

Have you created IRR entries for your aggregate ranges? That will often cause a prefix to be dropped from advertisement to peers.

You can either do this with your RIR (aka ARIN, RIPE, etc) or an independent IRR like https://www.radb.net/

IPANetEngineer

It sounds like your prefixes either aren't being advertised or accepted/announced by your upstream.

What is the output of the following command?

routing bgp advertisements print peer=peer_name

IPANetEngineer

The first thing i'd try is to disable all FW, NAT and MANGLE rules, even if you're sure they aren't interfering and test to see if TCP passes through to that host.

IPANetEngineer

Yes the 4011 will beat the CPU of any CRS switch for routing. Using a router to act as the gateway for LAN subnets and terminate the WAN as well as a switch for port density is a very reliable setup that has been used for over 20 years. It's nice to be able to combine the functions together and the ...

IPANetEngineer

i know that MPLS is sensitive about MTU. Any recommendations / basic rules? I typically recommend that most ISPs running MPLS start with the settings below. This is from a presentation I gave at the MikroTik US MUM https://mum.mikrotik.com/presentations/US16/presentation_3327_1462279781.pdf https:/...

IPANetEngineer

Start with basic reachability checks...can you ping the GW using ICMP or ARP?

Are you peering on a directly connected subnet and not the loopbacks?

IPANetEngineer

MikroTik will only load balance (ECMP) with iBGP when peering via loopbacks and using an IGP (OSPF or RIP) or static routes.

https://wiki.mikrotik.com/wiki/Manual:B ... _with_iBGP

IPANetEngineer

Normally, you don't want spanning tree running on the bridges that connect VPLS together. Trying to converge RSTP across a large network creates a lot of problems. I would eliminate loops and turn spanning tree off. If this isn't possible, I would at least use MSTP instead of RSTP as it calculates t...

IPANetEngineer

I really hope so. BGP EVPN and VxLAN would be an amazing combination for MikroTik.

We could also use Type 5 routes for VRF signalling and have a replacement for MPLS in certain use cases.

IPANetEngineer

Here is an article I did with a basic overview of DHCPv6-PD config on MikroTik

https://stubarea51.net/2018/09/14/wisp- ... your-wisp/

IPANetEngineer

True that I consider Cisco today more really as a software company, where 5-10 years ago "hardware" was more the focus with monolithic software designs. Agree on the licensing too, you almost need a phd to understand that (same with Microsoft etc) and pricing. Like you say, sooo much equi...

IPANetEngineer

So yes ... they pack a lot of performance. Should jolly well hope so for £3,500!! Do Mikrotik do a 48 port switch? I can find MikroTik CRS328-24P so would need two for £750. Serious question, what extra does the Cisco Catalyst 9300 bring to the table? For context (because i'll probably be called a ...

IPANetEngineer

If you can bond the links, it's much simpler and you should use LACP.

BGP Load balancing is for use cases when bonding is not possible.

IPANetEngineer

From an architecture perspective as it relates to PPPoE you need something that can load balance and scale laterally. This is true whether it's MikroTik or Cisco/Juniper. This will allow you to add resources as needed based on load and performance observations. Most of the time we use CHR to termina...

IPANetEngineer

This is an unfair comparison. The CCR is a fix-chassis toy compared to the ASR1006-X which was (waaaaaaaaaay)³ too powerful for such simple requirements stated...so whoever "spec'ed" this setup overdid it...A LOT. You can blast 10 interfaces with 10Gbits/sec each concurrently and it will ...

IPANetEngineer

I think, that Mikrotik is overly complicated in a lot of things. For example Layer-2 configuration: - subinterfaces plus bridges - vlan filtering within the bridge - vlan-handling on the switch itself This is very annoying. No other vender forces you to learn three ways to do simple VLAN stuff. Rea...

IPANetEngineer

Since we run the largest MikroTik consulting firm in the world, I have some thoughts on this :) We have used MikroTik in very large environments for enterprise, data center and ISPs around the world. Like any other piece of network equipment, you have to understand how to design and deploy it. One o...

IPANetEngineer

Not needed as they are inherently secure. That doesn't make any sense....UTM is not just Internet facing, it's designed to detect internal and external threats across an organization's infrastructure. Can you share some details of how blockchain and torrent would prevent malware from replicating on...

IPANetEngineer

UTM could be done for free if all routers had Torrent and BlockChain

How does this solve the problem of analyzing and mitigating threats at L4 - L7?

IPANetEngineer

I just noticed you're talking about IPv6. In IPv4, this works However woth Ipv6, recursive routing does not work in RouterOS 6.x so iBGP does not work...the routes will advertise but are not reachable. You'll have to use OSPFv3 past the BGP Border router to advertise routing reachability. This has b...

IPANetEngineer

1. MikroTik is already working on stacking, I've talked with them at length about the need for this at the MUMs. The last I heard, MikroTik was using a standards based protocol to implement a redundant switching control plane but I don't remember which one. A decent guess would be either SPB (https:...

IPANetEngineer

can anyone please help me to configuring wireguard

i setup peer and wg interface
but traffic cant go throw the tunnel

There is a good tutorial here from Rick Frey

https://rickfreyconsulting.com/wireguard/

IPANetEngineer

This feature is available in Router OS v7.1 beta1 so you can test it, but it's not considered ready for production

https://help.mikrotik.com/docs/display/ ... col+Status

"Routing filter match community/large community lists"

IPANetEngineer

Here is one method of traffic engineering that works very well with MikroTik. From a presentation I did at the MIkroTik US MUM in 2017

https://mum.mikrotik.com/presentations/ ... 062656.pdf

IPANetEngineer

With BFD on for OSPF, you should be able to fail over in a few seconds even without fast reroute.

IPANetEngineer

Have you tried BFD?

IPANetEngineer

Just got my RB4011, and I can confirm that SFP+ works very well with passive DAC. Of course I didn't use the Mikrotik cable. ;) iperf shows around 800 MB/s against my NAS, so I'd say it actually works. Also, I didn't see any flapping. I would be careful until they officially come back with word tha...

IPANetEngineer

Can you share which prefixes you do want to advertise....it looks like you're trying to write a rule to block all IPv6 prefixes

IPANetEngineer

Hi Leandro, There are some _major_ issues with MPLS in RouterOS v6. The major ones being the lack of Fast Re-Route, RSVP paths not failing over(or back), NLRI not being updated for L3VPN's and stale labels causing traffic to disappear. It is usable for basic stuff like VPLS, but it is all done 100%...

IPANetEngineer

MikroTik is using the slow LACP PDU rate of 30s, what rate is the Cisco LACP channel using? If it's set for 1s, i'd reconfigure to 30 and retest.

IPANetEngineer

I'm setting up a couple new CCR2004 with 3 redundant paths between them on the bench using a OSPF, BGP, MPLS, VPLS configuration. When I drop out the link carrying traffic, it takes 20 seconds for traffic to re-establish on the backup link. Is this normal convergence time, or possibly a setting I a...

IPANetEngineer

/31 network between two mikrotik devices - here is how you do it First thing - you do not actually use a /31 in the IP address ( this is important ) Here is how you use a /31 network of only two IP address to get two Mikrotik devices to talk to each other. I am going to demonstrate 192.168.168.0/31...

IPANetEngineer

What are your throughput requirements?

IPANetEngineer

Have you disabled hyperthreading in the BIOS of the host?

IPANetEngineer

I'm not sure if you're running a WISP, but this MUM presentation I did will probably be helpful. Essentially you need to set MTU in 3 places: L2MTU on the interface MTU (which is Layer 3) on the interface or VLAN - This is 1500 by default which is fine for VPLS but if you want to test larger packets...

IPANetEngineer

v7beta does not have this limit.

So if I understand this answer correctly, VRFs are limited to system resources available? Which should mean that several thousand is realistically possible

IPANetEngineer

What is the output of


routing bgp advertisements print peer="peer_name"

IPANetEngineer

an iBGP peering ensures that both border routers have a full view of the routes of the other router and also the interior of the network (if you're iBGP based on the inside) In most cases, an iBGP peering is desired between two routers in the same ASN that take in full tables. Otherwise, traffic cou...

IPANetEngineer

OpenFlow is still very much in use! ISPs, Internet Exchanges and Data Centers all have use cases for OpenFlow. There is a fantastic open source controller called Faucet that is easy to get up and running. https://faucet.nz/ We have been working on a project to use OpenFlow to manage traffic engineer...

IPANetEngineer

I'm waiting on my CCR2004 to get here. Then i'm going to benchmark it with our iperf3 and BGP full table performance lab that we've used for MUM Presentations in the past.

We maxed out the CCR1072 when it first came out with 80Gbps of traffic, so we should be able to make the CCR1004 fall over

IPANetEngineer

It's also worth pointing out, that many IP transit providers (not all) will allow you to announce a prefix length greater than a /24 (i.e /25 through /32) over multiple connections to the same provider & will aggregate the prefix to /24 or less when announcing it to peers in the DFZ.

IPANetEngineer

I'm curious to know the answer to this as well.

Does the long term image load and run properly?

IPANetEngineer

However for WISP networks, hands down EIGRP. And since it's quite simple i'd wager its a lot easier to program and implement than IS-IS As consultants, we design and build a *lot* of WISP networks globally and I can probably count on one hand the number of times i've seen EIGRP used in a WISP in th...

IPANetEngineer

I don't disagree that /31 would be useful but i'd rather see the time spent on improving IPv6 support. The number of IPv6 networks we've been doing consulting work on in the last 12 months has skyrocketed. Once dual stack is in place, IPv4 public requirements don't disappear but are certainly dimini...

IPANetEngineer

when Router C receive the route it is not complete and it will not choose as best path, this is the issue

If a route is not valid or active, it often means the next hop is unreachable. Check that first.

IPANetEngineer

Are you going to put all of the 1Gbps links into the same data center?

IPANetEngineer

This is normal for most BGP routes and does not indicate a problem. This is typically due to a route being redistributed into BGP. Here are the origin types from the BGP-4 RFC (EGP is no longer used so it's listed but not important anymore) https://tools.ietf.org/html/rfc4271 a) ORIGIN (Type Code 1)...

IPANetEngineer

Does you upstream provider support BGP communities? If so, I'd use those instead of prepending which doesn't work as well anymore.

Can you post the config and routing table for each router?

IPANetEngineer

Yes, please add this to the list. More and more people are asking for it.

IPANetEngineer

Can you post configs for all 4 routers in the A,B,C,D chain and the output of the following on A and D?

mpls ldp neighbor print detail

mpls forwarding-table print detail

interface vpls print detail

IPANetEngineer

Ok - next question is re-adjacency – with OSPF can take up to 5mins will iBGP be the same

How many routes and routers do you have and what OSPF network types are you using - boradcast, point-to-point, etc?

IPANetEngineer

Is stubbing and range/summary mandatory for take advantage of the benefits? It definitely helps. The topology information is what contributes to CPU overhead and thus convergence time. When you're summarizing, you're only sending routes and not the detailed area topology info. At what level (# of r...

IPANetEngineer

You can definitely run an additional area and connect it at more than one point. This is why the backbone area exists and when there are redundant paths, they will be used. Areas will definitely help with scaling OSPF when applied to areas of the network that aren't core transit. CPU should be a bit...

IPANetEngineer

Yes, OSPF (or any IGP) is needed to provide loopback reachability for an iBGP AS so issues in OSPF that cause routes to flap can affect BGP and cause the peerings go down.

If the network is well built and designed, this shouldn't happen very often.

IPANetEngineer

You can't separate them. OSPF no matter how much you want to try and pretend differently, it has certain design restrictions that are very restrictive for service providers. Those restrictions make sense in many enterprise environments because of the vastly different topologies and real world condi...

IPANetEngineer

But we have no other protocol to use, we have OSPF and thats it. So rather than picking OSPF to 'solve problems' we have to figure out ways to solve the problems of an OSPF design. Problems like summarization at key points, but spanning multiple areas. I've had to use multiple OSPF area 0 instances...

IPANetEngineer

I have not tried to replicate this exact issue, but I did publish an article a few months ago about Juniper to MIkroTik MPLS with VPNv4 which works well. You can at least use it to verify MPLS between MikroTIk and Juniper. https://stubarea51.net/2020/01/22/juniper-to-mikrotik-mpls-and-vpnv4-interop/

IPANetEngineer

OSPF works fine for corporate/enterprise IS-IS works far better for 'service provider' environments EIGRP works in both This is **NOT** the way to look at routing protocols. Routing protocols solve problems. We have to stop looking at them as enterprise vs. service provider. OSPF and ISIS are link ...

IPANetEngineer

I would much rather have IS-IS or OSPF segment routing for WISP environments. Nobody wants to run MPLS on EIGRP when you have SR available

EIGRP while released to open standards, wasn't completely opened up so most of the best features are missing anyway.

IPANetEngineer

This is more of a general WISP post than anything but there are some specific MikroTik references in here. i've been wanting to do this for a long time but it needed some depth and attention so it's been on the back burner for a while. I finally got a basic comparison written of all the major WISP r...

IPANetEngineer

We've run into this with a few clients that run the 4011 and have used the following as a workaround while we work on a ticket with MikroTik. It seems to be more stable in the few we have tested.

Set the CPU frequency to 1200mhz

system routerboard settings set cpu-frequency=1200

IPANetEngineer

We've run into this with a few clients that run the 4011 and have used the following as a workaround while we work on a ticket with MikroTik. It seems to be more stable in the few we have tested.

Set the CPU frequency to 1200mhz

system routerboard settings set cpu-frequency=1200

IPANetEngineer

We use Unimus for our Data Center and also for our clients. It can backup, notify about config changes and execute automated commands on multiple devices. It supports MikroTik and lots of other vendors as well. It is not expensive and is an excellent tool. https://unimus.net/ https://unimus.net/imag...

IPANetEngineer

Having VxLAN support in HW on the CRS326-24S+2Q+RM would be just amazing.

IPANetEngineer

A couple of questions:

Can you ping the subnets from within your ASN? Also can you post your routing table?

IPANetEngineer

I completely get that it's not trivial. I spend a lot of time consulting in disaggregated networks where we deploy IP Infusion or Cumulus Linux on ONIE switches and sometimes we have to contend with issues in getting the FIB pushed down into the ASIC. My point is that it's possible in software and t...

IPANetEngineer

There is an important point the OP is asking about that is not being addressed. The marvell prestera ASIC that is in the CRS317 and CRS309 is capable of routing in hardware (not the CPU). The question he is asking is if MIkroTik is considering enabling that functionality (which already exists in the...

IPANetEngineer

Confederation is really designed to allow eBGP style policy enforcement within an iBGP AS and break up smaller sub-ASNs within one logical ASN. I've done migration and merging of Public ASNs a numer of times and what you really want to look at is running different instances of BGP on routers that ne...

IPANetEngineer

Now that VxLAN is supported in v7, EVPN would be fantastic to have as well to use as a control plane for VxLAN and for multihoming.

IPANetEngineer

Can you post the full config and active routing tables for the MikroTik and PF Sense device?

IPANetEngineer

So the MikroTik router is receiving the ICMP traffic from the host behind the PF Sense firewall and sending it back. Have you performed a capture on the PF Sense FW to see if it receives the traffic? It seems like your issue is in PF Sense based on the data you sent. The MikroTik is routing correctly.

IPANetEngineer

If you look correctly, he need to route 192.168.0.0/16, as 192.168.5.1 is a part of this network

You're correct, I missed that it's a /16 mask, but I believe the route will still need to be on PF Sense.

IPANetEngineer

Hello, You'll need to add a route : ip route add dst-address=192.168.0.0/16 gateway=10.100.0.60 distance=1 He shouldn't need a route on the MikroTik as both of these will be directly connected networks. More than likely (making an assumption from the drawing), the default GW for the 10.0.0.0/8 netw...

IPANetEngineer

Netwatch would probably be the easiest tool.

You can ping a VPN endpoint and then take an action when it is up or down...like enabling a firewall rule to block all traffic out a certain port to the Internet or changing the routes.

https://wiki.mikrotik.com/wiki/Manual:Tools/Netwatch

IPANetEngineer

If you are going to be moving a lot of traffic between ports at different speeds , you may be exceeding the buffer (which is required for moving traffic between ports of different speeds.

IPANetEngineer

In the lab, I just lowered the VxLAN MTU to 1400 because it was quick and easy. But in production, I would raise the IP MTU of the routed network to something larger like 9000 so that 1500 byte frames can pass without issue.

IPANetEngineer

The CCRs will be too slow until RouterOSv7 is out as a stable option with BGP. The example below is 17 minutes of convergence on CCRs. Here are some examples of convergence time for CCR vs. CHR using Free Range Routing as the RR. The full presentation from MUM US 2019 is here: PDF https://mum.mikrot...

IPANetEngineer

You're welcome! I'm not sure if an IPv6 underlay is supported, but I may try that later today

EDIT: Looks like the VTEPs and VxLAN interface group multicast address are IPv4 only for now.

IPANetEngineer

Here is a blog post I did with a VxLAN lab in EVE-NG between 3 routers and 3 linux servers:

The blog and configurations are available here:
https://stubarea51.net/2020/02/15/mikro ... ook-vxlan/

IPANetEngineer

Here is an example working lab in EVE-NG between 3 routers and 3 linux servers from an article I wrote:

Configs are in the link here:
https://stubarea51.net/2020/02/15/mikro ... ook-vxlan/

IPANetEngineer

Agreed. If we see EVPN added to BGP to support VxLAN in the future, MikroTik will see a massive increase in sales from people who need inexpensive devices to act as a VTEP.

IPANetEngineer

This meas TCP port 179 for BGP is not answering on the remote end which can be one of several things

1) The source of your peering
2) Firewall rules
3) Issue with the router you are peering with.

IPANetEngineer

Can you post your config? What type of AirFibers are you using?

IPANetEngineer

This article I wrote will probably be very helpful since you're familiar with Cisco. It translates cisco switching configs for VLANs to the MikroTik equivalent.

https://stubarea51.net/2019/02/06/cisco ... and-vlans/

IPANetEngineer

Yes, you can do this. Here is an example witjh two Loopback/bridge interfaces

[admin@lab1.iparchitechs.com] > ip route vrf add routing-mark=vrf-1 interfaces=lo1,lo2

IPANetEngineer

Typically when everything else is identical, the oldest route wins

IPANetEngineer

If you have 200 sites, then OSPF is not the right protocol anyway.

I would look at BGP and filtering to solve this problem

IPANetEngineer

I really prefer BGP for what you're trying to do as I really dislike filtering in OSPF. That said, you could filter the routes for each HQ on the ospf-out chain at the Branch. That should prevent the HQs from transiting the branch in an outage but let the branch still talk to each HQ. Probably somet...

IPANetEngineer

I agree, i'd like to see buffer numbers on all the switching chips to be able to plan. The Marvell Prestera chipset this switch is based on (98DX3236) is used in a few other platforms and the listed buffer space is 12MB for the 24 port model. https://eltex-co.com/upload/iblock/9af/MES_2324P_2348P_da...

IPANetEngineer

This is happening because you have them in separate instances. The BGP best path algorithm is only used for routes within the same instance. Otherwise MikroTik's general route selection algorithm is used between instances. From the wiki: "Best path algorithm compares routes received by a single...

IPANetEngineer

Cool....thanks for all the hard work!

IPANetEngineer

I would look at this platform on either side if you want to solve the window problem.

http://wanos.co/wan-optimization/how-wa ... ion-works/

IPANetEngineer

Agreed, this is great work.

IPANetEngineer

I think a routed Data Center Interconnect (DCI) is better than Layer 2, so yes I would route between them and then use VPLS if you must extend VLANs.

But, to be clear, this will not solve the TCP window problem.

Search found 1323 matches