MikroTik

IPANetEngineer

Normis...i'm pretty confident we have replicated the conditions of one of the CVEs from doing some digging on our own for this issue. Without the rules, the router crashed. When we added the rules the router stayed online. Meanwhile CVE-2018-19299 still needs fixing, because even with those perform...

IPANetEngineer

We believe that we have now recreated the conditions of both CVEs and have been able to cause a memory leak and router crash in both of the conditions listed below using software from a common offensive linux security tool for IPv6. soft lockup when forwarding IPv6 packets (CVE-2018-19299); soft loc...

IPANetEngineer

Until we release the next beta with memory exhaustion fix, this firewall config should stop any attack even with small amount of RAM: admin@MikroTik] /ipv6 firewall> export /ipv6 firewall filter add action=drop chain=forward connection-mark=drop connection-state=new /ipv6 firewall mangle add action...

IPANetEngineer

Would somebody please post some additional information about this. I need to understand what is the problem, the potential impact and what vulnerabilities are possible. Where can I find information to read/learn about this? I am not aware of any workarounds or mitigations any of us can use. I belie...

IPANetEngineer

That's normal standard from Mikrotik when they are faced with a problem to resolve That is not true at all! We have always reacted to issues quickly, all the previous vulnerabilities have been fixed within hours or days time. Even in this case, we did reproduce and acknowledge the issue. In this ca...

IPANetEngineer

Even if there is no way to firewall it on a MikroTik, i'm assuming that once we know what is being set in the packet header, it can be mitigated with another solution based on flow detection and dropping the traffic in a switch. That won't work for everyone obviously, but it would work for a lot of ...

IPANetEngineer

This is also a new one for me...will be digging into it

IPANetEngineer

AS Path prepending is not a technology used for outbound route selection (it controls inbound) and it has limited use in the BGP Global Table these days due to provider traffic engineering with localpref overriding it. My question before commenting would be what are you trying to achieve? Equal load...

IPANetEngineer

Hyper-V is hands down the best hypervisor for using a CHR as a BGP edge router. Mostly this is because MikroTIk spent a lot of time building the Hyper-V drivers for the CHR and they used off the shelf drivers for KVM/ESXi The single biggest impact is to get a CPU with a higher clock speed and fewer ...

IPANetEngineer

This MikroTik to Cisco article has been on my to-do list for a while. If you know Cisco and want to understand how to work with VLANs in MikroTik's CRS3xx series of switches, here is a guide to get you started. https://www.stubarea51.net/2019/02/06/cisco-to-mikrotik-switching-and-vlans/ https://www....

IPANetEngineer

If you want absolute control over your traffic paths, eBGP will work well, otherwise OSPF will be better than static routes but is more limited in its ability to manipulate traffic. Here is a presentation I did at the US MUM in 2017 which covers a lot of the questions you have in the first half. htt...

IPANetEngineer

Nothing weird about this. R2 is going to pick the best route for prefix 3.3.3.0/24 to put into the FIB and it has two choices. 1) An iBGP route with an admin distance of 200 2) An OSPF intra-area route with an admin distance of 110 It's going to pick the OSPF route which means there will be no activ...

IPANetEngineer

What are your MTU settings for Layer 2 and Layer 3 on each side of the link OSPF is trying to form a neighbor on? Normally getting stuck in two way indicates MTU, have also seen it occur as the result of a network type mismatch. What is the config for the other router? Here is a presentation I did o...

IPANetEngineer

The VPLS MTU is the size of the MTU you want to hand off to your customer. The interface MTU should be set to accommodate the overhead of VPLS. You need at least 1530 to send an 802.1q tagged frame through a VPLS tunnel. https://wiki.mikrotik.com/images/3/35/MTUVPLS.png Take a look at this MUM prese...

IPANetEngineer

Can you post your configuration?

IPANetEngineer

Take a look at this if you want an example of a production deployment with HA for VPLS and public subnets. Configs are in this post - https://www.stubarea51.net/2018/04/23/wisp-design-building-highly-available-vpls-for-public-subnets/ https://dev.stubarea51.net/wp-content/uploads/2018/08/vpls-1.png

IPANetEngineer

Thanks for doing the testing MIke! I'm looking forward to putting a 4011 in our lab and benchmarking it against a hardware router.

I'm excited about where MikroTik is headed with more ARM based routers

IPANetEngineer

Can you post your config minus sensitive information?

export compact hide-sensitive

IPANetEngineer

This would be really nice to have

IPANetEngineer

To clarify what you are trying to do here... Are you trying to advertise a summary route out of the stub area? If so, the area range command is what you're looking for. /routing ospf area range add advertise=yes area=backbone cost=default disabled=no range=192.168.88.0/24 add advertise=yes area=area...

IPANetEngineer

I would consider a design like this with multiple CCRs so that you have redundancy and the ability to add resources. This can also be done in a CHR very well. We've deployed this for clients with a lot of success. https://www.stubarea51.net/2018/04/23/pppoe-high-availability-design-incorporating-mul...

IPANetEngineer

Thanks! Just tried it on a CRS317-1G-16S+ and it worked perfectly for the RouterOS and Firmware upgrades

IPANetEngineer

It might be more helpful to understand why you want to filter OSPF?

IPANetEngineer

We've worked with a number of clients that have had compromised routers. As others have suggested, the two best things you can possibly do are

1) Netinstall
2) Restore config from text

When we have done this, we have not seen any further issues with the routers

IPANetEngineer

Can you post the output of the MPLS forwarding tables for the Juniper and MIkroTIk routers?

IPANetEngineer

Many many thanks for your great help and idea! It did exactly what I wanted!

Perfect, glad I could help...just update the status of the thread to 'Solved'

IPANetEngineer

No problem! OSPF can be very complicated and takes a while to learn :-) To makes things much easier for yourself, here is what I would do. 1. Put all subnets that connect routers together into the backbone area aka transit links like your PPTP interfaces/subnets 2. Put all subnets that aren't involv...

IPANetEngineer

Where???? I don't see it

IPANetEngineer

At first glance, the main issue is with your design. If you look at the MIkroTik Wiki on OSPF area design, you'll see that multiple areas are all attached to the backbone area.But not Area 1 going to Area 2 https://wiki.mikrotik.com/images/c/cf/Image6006.gif OSPF is not intended for areas other than...

IPANetEngineer

Just wrote an article on how to add IPv6 to your WISP using MIkroTik, complete with configs. It covers adding IPv6 at the Core, the Tower and the subscriber as well as a subscriber device. Hope this is helpful for someone! https://www.stubarea51.net/2018/09/14/wisp-design-an-overview-of-adding-ipv6-...

IPANetEngineer

There are a lot of stable MIkroTik networks with BGP, OSPF, MPLS/VPLS on the CCR series.

Can you post your config? Do you have a network diagram?

IPANetEngineer

Can you post your config? That might be helpful.

Also please post the output of these commands on each router:

routing ospf interface print detail
routing ospf network print detail
routing ospf lsa print detail

IPANetEngineer

You definitely don't want to do it with a small CRS. Look at using a 3011 at smaller sites and CCR at others.

IPANetEngineer

Thanks! will test it in our MirkoTik lab

IPANetEngineer

On the BGP routers, turn on bgp redistribution then add only the wanted routes into ospf-out filter denying the others, so it will redistribute only those? Done this? I fear as the BGP process is single threaded and eats a whole cpu of the CCR it may cause problems. You have to get into hundreds of...

IPANetEngineer

Thanks. On the MTU size, I see some people set it to 1530 for MPLS, some 1580, 1600, and 2000. Is there any downside to setting it to 2000 across the board? Also I am having issues getting the MPLS working out in the field through the various wireless links even though on my lab it works fine. I ha...

IPANetEngineer

How many routes do you want to put in OSPF?

IPANetEngineer

Here's an example of OSPF/MPLS/VPLS for a WISP with HA DCs and with configs....I'll see what I can dig up for BGP

https://www.stubarea51.net/2018/04/23/w ... c-subnets/

IPANetEngineer

This depends on your use case. Some ISPs may use LDP signalled VPLS for private transport circuits. Other ISPs may use BGP signalled VPLS. In most cases, it's helpful to have iBGP to advertise public subjects and /32 loopbacks even if the majority of traffic is in VPLS. In short, having BGP on the i...

IPANetEngineer

I've been wanting to see this as well, but i'd rather have recursive routing in IPv6 for BGP fixed first.

IPANetEngineer

What model and type of routers are you using?

IPANetEngineer

I would consider a design like this and use local pref to prefer the IX routes.

IPANetEngineer

Everyone's use case is different, but I'm actually happy they stripped some things out. I look at this a different way - now you have a router capable of routing 10 Gbps peak throughput which is very close to CCR1009 number for half the cost. All of the bells and whistles are nice, I agree, but i'll...

IPANetEngineer

This largely depends on your BGP edge design and whether or not the peers are fully meshed inside your AS. If the routes learned from your upstreams are only present at the border routers then you'll need aggregate routes injected form the border routers to draw traffic towards one of those peers. A...

IPANetEngineer

The may be some options using policy routing. Can you post a diagram of what you have? It would be much easier to comment with some context as to the layout.

IPANetEngineer

If you run it on a switch, you can ask your upstream provider if you can maintain dual peerings and that way you'll have edge router redundancy if you lose a router or need to upgrade the RouterOS code, it can be done without an outage by failing traffic from one to the other. It still doesn't help ...

IPANetEngineer

I've done a lot of Enterprise networks and there are some key things when you're trying to migrate and the network is a mess. 1) If you don't have detailed documentation of how the current network is laid out, take the time to create it. Layer 1 - Document physical connections to all network equipme...

IPANetEngineer

We've been incredibly successful with switch-centric designs over the years and have deployed it on every continent except Antarctica. Switch stacks are not a single point of failure as they form a pair of HA switches that are logically a single switch from sa spanning tree perspective. Using a swit...

IPANetEngineer

We work on this type of design frequently. I would suggest a switch-centric architecture where all of the links terminate in the switch stack and you use LACP to connect the MikroTik routers and hypervisors. Then connect the internet circuits on different switches in the stack for redundancy. Switch...

IPANetEngineer

This is what you're looking for...hope it helps!

/routing bgp instance
set default as=200
/routing bgp network
add network=10.1.1.0/24
/routing bgp peer
add name=peer1 out-filter=PREPEND remote-address=192.168.1.5 remote-as=100
/routing filter
add action=accept chain=PREPEND set-bgp-prepend=3

Search found 970 matches