Search found 153 matches

by jmginer
Thu Jan 12, 2023 9:47 am
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

Try to add the first rule

add dst-port=67-68 ports=sfp-sfpplus1 protocol=udp switch=switch
by jmginer
Fri Mar 25, 2022 12:39 pm
Forum: Forwarding Protocols
Topic: ROS7 - How to see how many and what received/advertised routes ?
Replies: 1
Views: 691

ROS7 - How to see how many and what received/advertised routes ?

Hello,

On ROS7, I don't find how to see what are the routes that I receive and I advertise.

How to check it?

Thanks!
by jmginer
Thu Jan 20, 2022 12:33 am
Forum: General
Topic: Feature requests
Replies: 1740
Views: 624844

Re: Feature requests

Feature Request for switch ACL.
- Add negative conditions with !
- Add src-address-list
- Add dst-address-list

These options will allow to reduce the number of rules, in many switches limited to a very low number. In order to protect the access of some computers against other computers connected to ...
by jmginer
Wed Jan 19, 2022 11:34 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

This option is not available in switch ACL.
You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.
It's working ok!
/interface ethernet switch acl
add ip-src=188.1.2.3 mac-protocol=ip src-ports=ether2
add mac-p...
by jmginer
Wed Jan 19, 2022 10:34 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]


This option is not available in switch ACL.
You could use rules to permit packets from the correct source IP on each client port, followed by a drop rule for any IP from all client ports.
Thanks!
by jmginer
Wed Jan 19, 2022 10:01 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

Now I get it... Layer-2 security/filter using Layer-3 addresses.. Switch ACL can never check the L3-address used.

Hmmm.. Static ARP entries on the router/gateway?
How can you control in a router the IPs allowed in a switch port ?
by jmginer
Wed Jan 19, 2022 7:25 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

In Arista, this is done by ACL rules
https://www.arista.com/en/um-eos/eos-ac ... route-maps
by jmginer
Mon Jan 17, 2022 8:47 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

The servers are configured with static IP. But as I said in the first message, the client has root access and can change the IP to another... Technically he can change it. What we have to do is to prevent that when he sets another IP, it works for him... For example: We give him the server configure...
by jmginer
Mon Jan 17, 2022 8:26 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

Isn't there an option in Mikrotik switches to restrict the IPs authorized to use a given port?
by jmginer
Mon Jan 17, 2022 8:04 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Re: Switch ACL to restrict IP usage [SOLVED]

The square in front of a condition where a "!" appears when you click it is the "NOT" operator.

This option is not available in switch ACL.
That's why I open this post :)
Maybe there is some other way to do what I need?
I think is a very basic function for a switch...
by jmginer
Mon Jan 17, 2022 12:16 pm
Forum: General
Topic: Switch ACL to restrict IP usage [SOLVED]
Replies: 25
Views: 7106

Switch ACL to restrict IP usage [SOLVED]

Hi, we are going to offer dedicated servers to our customers, they will have root access. We want to prevent a customer from being able to configure any IP from our network on their server. I guess we will have to create an ACL rule on each port of the switch authorizing only the client IPs. What I ...
by jmginer
Mon Oct 11, 2021 6:08 pm
Forum: RouterOS beta
Topic: Help migrating filter rules from v6 to v7
Replies: 13
Views: 5738

Re: Help migrating filter rules from v6 to v7

Discard rules doesn't work?
/routing filter rule add chain=DECIX-IN rule="discard"
failure: "[Word {discard}]" - unknown action name

In my opinion, the documentation out there is very poor regarding the radical change with filters in v7.
by jmginer
Sun Oct 10, 2021 2:01 pm
Forum: RouterOS beta
Topic: Help migrating filter rules from v6 to v7
Replies: 13
Views: 5738

Help migrating filter rules from v6 to v7

Hello, I'm trying to migrate my BGP filters from v6 to v7. The problem is that I can't find how to migrate the " match-chain " rule. These are my current rules, I receive transit from a provider and offer transit to a customer: /routing filter # section 1 - Accept what my transit provider ...
by jmginer
Wed Sep 29, 2021 7:31 pm
Forum: RouterBOARD hardware
Topic: CCR-1072 upgraded to 20xx, what CPU and specs are expected?
Replies: 2
Views: 2253

CCR-1072 upgraded to 20xx, what CPU and specs are expected?

Hello, I would like to imagine a new top of the line version of the CCR series.

I can imagine something with 16-17 ports:
  • 2 x 40G QSFP+
  • 2 x 25G SFP28
  • 12 x 10G SFP+
  • 1 x 1G eth (never a bad thing to have)

As for CPU, is there any CPU that can handle +100 Gbps and can run ROS v7 ?
by jmginer
Sun Jun 20, 2021 4:08 pm
Forum: General
Topic: ipv6 route filter by dst-address
Replies: 1
Views: 561

Re: ipv6 route filter by dst-address

On the other hand, via terminal it works but the gateway values are cut off and it is impossible to find out the interface of each route. It is impossible to debug IPv6 routing. > ipv6 route print where dst-address=2001:4860::/32 Flags: X - disabled, A - active, D - dynamic, C - connect, S - static,...
by jmginer
Sun Jun 20, 2021 11:34 am
Forum: General
Topic: ipv6 route filter by dst-address
Replies: 1
Views: 561

ipv6 route filter by dst-address

Hello,

is there any reason why it is not possible to filter IPv6 routes based on dst-address ?

by jmginer
Fri Oct 16, 2020 12:17 pm
Forum: RouterOS beta
Topic: Per interface RP Filter setting
Replies: 8
Views: 3822

Re: Per interface RP Filter setting

Agree +1
by jmginer
Fri Oct 09, 2020 5:16 pm
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 0
Views: 1273

SFP info dont appear in ROS v7 x86

Hello, I've installed ROS 7.1b2 iso on a Supermicro server with x710 and 82599ES chipset cards, and I saw that all information related to SFP are not displayed on both. There is any plan to fix this? [admin@MikroTik] > interface/ethernet/monitor ether9 name: ether9 status: no-link default-cable-sett...
by jmginer
Mon Oct 05, 2020 10:52 pm
Forum: RouterOS beta
Topic: IP Route In RouterOS V7
Replies: 7
Views: 4706

Re: IP Route In RouterOS V7

Please, can you explain more?
by jmginer
Mon Oct 05, 2020 9:12 pm
Forum: RouterOS beta
Topic: Nvidia BlueField-2X
Replies: 1
Views: 1264

Nvidia BlueField-2X

Hello, is the Nvidia BlueField-2X something that we can see in the future CCRs ?

https://www.servethehome.com/nvidia-blu ... -launched/
by jmginer
Mon Oct 05, 2020 5:14 pm
Forum: RouterOS beta
Topic: API on RouterOS v7 [SOLVED]
Replies: 3
Views: 3233

Re: API on RouterOS v7 [SOLVED]

Good question, I just tried it, seems to work the same.

Thanks for your test!
by jmginer
Fri Oct 02, 2020 8:28 pm
Forum: RouterOS beta
Topic: API on RouterOS v7 [SOLVED]
Replies: 3
Views: 3233

API on RouterOS v7 [SOLVED]

Hello,

the API is working on RouterOS 7 like in v6 ?

Or we need to change something on our custom developments?

Thanks!
by jmginer
Thu Aug 27, 2020 11:31 am
Forum: General
Topic: How to correctly implement IPv6 on a hosting company
Replies: 3
Views: 950

Re: How to correctly implement IPv6 on a hosting company

Hello IPAsupport, thanks for your reply. In our case, it is not an option to split each customer IPv6 /48 in a VLAN, we have around 5000 customers now, so it's impossible to manage 5000 VLANS. And also very difficult to manage when we want to move a VPS from one node to other node. Specially when a custom...
by jmginer
Tue Aug 25, 2020 11:40 am
Forum: General
Topic: How to correctly implement IPv6 on a hosting company
Replies: 3
Views: 950

How to correctly implement IPv6 on a hosting company

Hello, we are a hosting company and I think we're not implementing IPv6 correctly. We provide VPS servers and our customers are able to enable IPv6 On routing level, we have a unique gateway: 2a00:c0c1::/32 We provide a /48 to every customer, like: 2a00:c0c1:aa::/48 And each customer can assign a /6...
by jmginer
Mon Aug 17, 2020 6:38 pm
Forum: Beginner Basics
Topic: Firewall drop port scanners rule trigered by Avast Antivirus
Replies: 3
Views: 1589

Firewall drop port scanners rule trigered by Avast Antivirus

Hello, the rule:
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
from this page: https://wiki.mikrotik.com/wiki/Drop_port_scanners
Is triggered by Avast when...
by jmginer
Sun Jul 19, 2020 8:10 pm
Forum: General
Topic: X86_64 ROS - 64bit Mikrotik [SOLVED]
Replies: 92
Views: 72020

Re: X86_64 ROS - 64bit Mikrotik [SOLVED]

Hello guys thanks for this informative and very useful thread. Can you point out some models of NICs with 2+ SFP+ cages that you know that are recognized by and work great with 64bit? Also some 40gbit SFP just for testing, but the 10gbit ones are enough for production in our everyday work. Regards ...
by jmginer
Wed Jun 17, 2020 5:02 pm
Forum: General
Topic: CPU performance ROS vs 6wind
Replies: 2
Views: 1374

CPU performance ROS vs 6wind

Hello, I don't want to create a dispute with this subject. I'm just trying to understand why the 6wind offers such a brutal performance improvement compared to RouterOS. Both systems running on x86. In order to manage 500,000 PPS in RouterOS we need 16 cores at 3.00 GHz and with 6wind they offer us ...
by jmginer
Fri May 15, 2020 4:53 pm
Forum: Virtualization
Topic: what is your most stable CHR release, share your stat!
Replies: 4
Views: 4587

Re: what is your most stable CHR release, share your stat!

We downgraded from 6.45 to 6.44 when we read this post 2 weeks ago, and seems now is stable. Not any freeze / reboot.

Seems the 6.45 is something wrong.
by jmginer
Thu Apr 30, 2020 8:50 pm
Forum: Virtualization
Topic: what is your most stable CHR release, share your stat!
Replies: 4
Views: 4587

Re: what is your most stable CHR release, share your stat!

Hello, since upgraded from 6.44 to 6.45, I have rebooted the CHR 4 or 5 times because freeze.

Virtualized with Proxmox.
by jmginer
Thu Apr 30, 2020 10:55 am
Forum: RouterBOARD hardware
Topic: CRS326-24S+2Q+RM compatible with QSFP28 2KM transceivers ? [SOLVED]
Replies: 2
Views: 10467

CRS326-24S+2Q+RM compatible with QSFP28 2KM transceivers ? [SOLVED]

Hello!

can I use this transceiver in the switch CRS326-24S+2Q+RM ?

https://www.fs.com/products/84374.html

It's to do a long distance cross-connect.

Thanks!
by jmginer
Sun Apr 05, 2020 8:16 pm
Forum: Beginner Basics
Topic: How to merge all VLAN in a unique interface ? [SOLVED]
Replies: 3
Views: 6839

Re: How to merge all VLAN in a unique interface ? [SOLVED]

Ok, I found the issue. For some reason (I think because in the past I was "playing" with SwOS) I have the port isolation configured like this: /interface ethernet switch port-isolation> print Flags: I - invalid 0 name="sfp01-DECIX-IN" switch=switch1 forwarding-override=sfp02-DECI...
by jmginer
Sun Apr 05, 2020 5:59 pm
Forum: Beginner Basics
Topic: How to merge all VLAN in a unique interface ? [SOLVED]
Replies: 3
Views: 6839

Re: How to merge all VLAN in a unique interface ? [SOLVED]

Hey, thanks, but it's not working for me. I've changed Telia's output on the switch and on the CHR. After the change I don't have a ping on Telia . Here's what I got: https://ginernet.cdnbox.net/images/added/1586099028.jpg On the CRS: /interface bridge add name=BR1 protocol-mode=none vlan-filtering=...
by jmginer
Sun Apr 05, 2020 12:54 pm
Forum: Beginner Basics
Topic: How to merge all VLAN in a unique interface ? [SOLVED]
Replies: 3
Views: 6839

How to merge all VLAN in a unique interface ? [SOLVED]

Hello, Currently, this is the switch configuration I use for my upstream input. https://ginernet.cdnbox.net/images/added/1586080208.jpg /interface bridge port add bridge=BR1 interface=sfp01-DECIX-IN pvid=10 add bridge=BR1 interface=sfp02-DECIX-OUT pvid=10 add bridge=BR1 interface=sfp03-GTT-IN pvid=1...
by jmginer
Sun Apr 05, 2020 12:31 pm
Forum: General
Topic: Mikrotik Rack-mounted Devices Visio Stencils
Replies: 58
Views: 91038

Re: Mikrotik Rack-mounted Devices Visio Stencils

Hello, I opened the mikrotik.vssx file, but is blank. No content.
by jmginer
Wed Feb 12, 2020 1:44 pm
Forum: Beginner Basics
Topic: BUG - Route filter BGP AS PATH
Replies: 2
Views: 1822

Re: BUG - Route filter BGP AS PATH

AS Path filters are regular expressions. You don't have a regular expression in your filter.
Ok, it seems the correct way is:
_2914_
by jmginer
Wed Feb 12, 2020 10:31 am
Forum: Beginner Basics
Topic: BUG - Route filter BGP AS PATH
Replies: 2
Views: 1822

BUG - Route filter BGP AS PATH

Hello,

I have a route filter configured when BGP AS PATH is: 2914
But is also affecting when the BGP AS PATH is: 29141

Seems the string is not correctly passed.

by jmginer
Thu Oct 10, 2019 6:09 pm
Forum: Forwarding Protocols
Topic: Filters for +500 prefixes
Replies: 9
Views: 5026

Re: Filters for +500 prefixes

The option to do this is there, you just have to build more than one filter. Thanks a lot, I do it and is working very fine. But, perhaps if instead of adding prefixes as a new filter, they were added in a separate table, it would be more efficient at the CPU consumption level. The same as the fire...
by jmginer
Fri Oct 04, 2019 1:57 pm
Forum: Forwarding Protocols
Topic: Filters for +500 prefixes
Replies: 9
Views: 5026

Re: Filters for +500 prefixes

Similar feature is currently in development. Thanks, something like this is what I expect: /routing filter add action=accept chain=Upstream-OUT prefix-list=MyPrefix /routing filter prefix-list add prefix=1.1.1.0/24 list=MyPrefix add prefix=2.2.2.0/24 list=MyPrefix add prefix=3.3.3.0/24 list=MyPrefi...
by jmginer
Fri Oct 04, 2019 12:49 pm
Forum: Forwarding Protocols
Topic: Filters for +500 prefixes
Replies: 9
Views: 5026

Re: Filters for +500 prefixes

Cisco, Juniper, Huawei, Alcatel, etc... all have the option to create a "prefix-list" for filters. I'm surprised Mikrotik doesn't offer this option...
/routing filter ?

what's your problem?
No option for prefix-list filters
by jmginer
Thu Oct 03, 2019 9:17 pm
Forum: Forwarding Protocols
Topic: Filters for +500 prefixes
Replies: 9
Views: 5026

Re: Filters for +500 prefixes

Cisco, Juniper, Huawei, Alcatel, etc... all have the option to create a "prefix-list" for filters. I'm surprised Mikrotik doesn't offer this option...
by jmginer
Thu Oct 03, 2019 7:05 pm
Forum: Forwarding Protocols
Topic: Filters for +500 prefixes
Replies: 9
Views: 5026

Filters for +500 prefixes

Hello,

we need to advertise +500 prefixes to 4 BGP providers.

That means that we need to create 2000 filters?

There is any option to create a address-list? then we will be able to reduce to only 4 filters.

Thanks!
by jmginer
Thu Sep 26, 2019 2:05 pm
Forum: General
Topic: High-end switches like 48 x 10G and 24 x 40G
Replies: 3
Views: 1053

Re: High-end switches like 48 x 10G and 24 x 40G

None of them has 48 sfp+ ports or 24 qsfp
by jmginer
Thu Sep 26, 2019 10:36 am
Forum: General
Topic: High-end switches like 48 x 10G and 24 x 40G
Replies: 3
Views: 1053

High-end switches like 48 x 10G and 24 x 40G

Hello, we need switches with high density ports

For distribution: 24 x 40G
For hosting: 48 x 10G sfp+ + 2 x 40G

Thanks!
by jmginer
Fri Sep 06, 2019 6:27 pm
Forum: General
Topic: RouterOS v7.0beta1 (ARM)
Replies: 203
Views: 100716

Re: RouterOS v7.0beta1 (ARM)

Address-lists for route filters available?
by jmginer
Tue Jul 02, 2019 4:23 pm
Forum: General
Topic: Packet sniffer size limit
Replies: 2
Views: 1205

Re: Packet sniffer size limit

So, KiloBytes... will be good if you can fix in Winbox to change

kb -> KiB
by jmginer
Tue Jul 02, 2019 3:59 pm
Forum: General
Topic: Packet sniffer size limit
Replies: 2
Views: 1205

Packet sniffer size limit

Hello,

in winbox > tool > sniffer

says:

Memory Limit = kb (kilobits)
File size = kb (kilobits)

But in the documentation is: KiB, which is KiloBytes

What is the correct one, kilobits or KiloBytes ?

Thanks!
by jmginer
Fri Jun 14, 2019 4:23 pm
Forum: General
Topic: [FEATURE REQUEST] route filter address-list
Replies: 0
Views: 1048

[FEATURE REQUEST] route filter address-list

Hi,

it's hard to create a filter for every new prefix we add to our BGP. It would be much more efficient to be able to manage an address-list or prefix-list.

Thanks!
by jmginer
Wed Jun 05, 2019 11:06 pm
Forum: General
Topic: Switch VLANs Very High CPU [SOLVED]
Replies: 9
Views: 3908

Re: Switch VLANs Very High CPU [SOLVED]

No PM on this forum. So kindly pass the offered gift to a charity of your choice, thank you.


done!

by jmginer
Wed Jun 05, 2019 6:08 pm
Forum: General
Topic: Switch VLANs Very High CPU [SOLVED]
Replies: 9
Views: 3908

Re: Switch VLANs Very High CPU [SOLVED]

Got it! :) I've created the isolated ports and a unique bridge. I've connected my upstreams (3 x FULL BGP) and all the traffic is working fine. The bridge is returning "HW Offload" active on all ports. And the CPU on the CRS is less 1-5% every time. Many thanks! @mkx Please, send me a PM w...
by jmginer
Tue Jun 04, 2019 9:30 pm
Forum: General
Topic: Switch VLANs Very High CPU [SOLVED]
Replies: 9
Views: 3908

Re: Switch VLANs Very High CPU [SOLVED]

You're right, fixed, thanks! :)

Now I have my transit upstreams connected directly to the CHR. Tomorrow I will try with one of them to pass it through the switch.
I suppose I can create a new bridge? Or do I have to use a single bridge to take advantage of HW acceleration?
by jmginer
Tue Jun 04, 2019 1:56 pm
Forum: General
Topic: Switch VLANs Very High CPU [SOLVED]
Replies: 9
Views: 3908

Re: Switch VLANs Very High CPU [SOLVED]

I think I've solved, at least is working and only using 2% CPU... /interface bridge add name=BR1 protocol-mode=none vlan-filtering=yes /interface bridge port add bridge=BR1 interface=sfp-sfpplus1-DECIX-IN add bridge=BR1 interface=sfp-sfpplus2-DECIX-OUT /interface bridge vlan add bridge=BR1 tagged=sf...
by jmginer
Fri May 31, 2019 1:05 pm
Forum: General
Topic: Switch VLANs Very High CPU [SOLVED]
Replies: 9
Views: 3908

Switch VLANs Very High CPU [SOLVED]

Hi, I have a CHR x86 for routing and peering at DECIX Madrid. Additionally DECIX provides me with the same cable peering in Lisbon through a VLAN. The DECIX cable, I have it connected to an intermediate CRS switch. What I do is connect the CRS cable to the CHR with 2 VLANs, one for Lisbon (vlan11) a...
by jmginer
Thu May 02, 2019 12:29 pm
Forum: General
Topic: [Feature request] Terminal peer colum
Replies: 3
Views: 1767

Re: [Feature request] Terminal peer colum

Please, implement it...
by jmginer
Wed May 01, 2019 9:16 pm
Forum: Forwarding Protocols
Topic: Create BGP communities [SOLVED]
Replies: 3
Views: 16253

Re: Create BGP communities [SOLVED]

Thanks @joegoldman @sri2007, I think I got it: add action=discard bgp-communities=myAS:1000 chain=DECIX-OUT prefix-length=0-128 comment="Dont advertise to DECIX" With this filter rule, when my downstream advertise me a prefix with the comm myAS:1000 my router don't re-advertise to DECIX. I'...
by jmginer
Wed May 01, 2019 12:41 pm
Forum: Forwarding Protocols
Topic: Create BGP communities [SOLVED]
Replies: 3
Views: 16253

Create BGP communities [SOLVED]

Hello,

I offer IP Transit over BGP and would like to create communities for my customers and for them to choose which of my upstreams to advertise their prefixes.

Is this possible with Mikrotik?

Thank you!
by jmginer
Sat Jan 26, 2019 1:25 am
Forum: General
Topic: [Feature request] Terminal peer colum
Replies: 3
Views: 1767

Re: [Feature request] Terminal peer colum

Hello?!
by jmginer
Tue Nov 06, 2018 8:40 pm
Forum: General
Topic: Boot time CRS 226 vs 326
Replies: 0
Views: 788

Boot time CRS 226 vs 326

Hello, the old CRS 226, takes 1 minute to boot, and the new 326 takes 2 minutes.

why the new version takes more time to boot? is normal?

Thanks!
by jmginer
Mon Nov 05, 2018 1:12 pm
Forum: Virtualization
Topic: CHR neighbour discovery problem
Replies: 13
Views: 12665

Re: CHR neighbour discovery problem

My CHR also takes around 1 minute to become discovered by Winbox.
by jmginer
Mon Nov 05, 2018 10:30 am
Forum: General
Topic: Firmware upgrade?
Replies: 3
Views: 1269

Firmware upgrade?

Hello!

When we do a software update, the system marks the firmware as outdated. Is it always necessary to do a double reboot? or is it possible to update the software and firmware in the same reboot?

Thank you!
by jmginer
Mon Oct 29, 2018 1:15 pm
Forum: General
Topic: [Feature request] Terminal peer colum
Replies: 3
Views: 1767

Re: [Feature request] Terminal peer colum

up! up!
by jmginer
Mon Oct 29, 2018 10:46 am
Forum: Forwarding Protocols
Topic: BGP as Transit/IP Provider
Replies: 6
Views: 7587

Re: BGP as Transit/IP Provider

setup appropriate filters to make sure the customer route is not advertised to your upstream peers when the customer connection to you is down. Hello, I'm having a problem with this, because I'm advertising to my upstreams a prefix that my client is not advertising to me. I think I'm advertisin...
by jmginer
Mon Sep 24, 2018 4:44 pm
Forum: Forwarding Protocols
Topic: Full BGP tables with two upstream ISPs using CHR - Performance question
Replies: 18
Views: 14158

Re: Full BGP tables with two upstream ISPs using CHR - Performance question

btw, you can check this link for a most specific analysis too: https://mum.mikrotik.com/presentations/EU18/presentation_5188_1524562405.pdf Hello!, thanks to share this!!! In your tests with Proxmox, you have only generated less than 80,000 PPS, however with ESXi and Hyper-V you have exceeded +500,...
by jmginer
Mon Sep 24, 2018 12:30 pm
Forum: General
Topic: X86_64 ROS - 64bit Mikrotik [SOLVED]
Replies: 92
Views: 72020

Re: X86_64 ROS - 64bit Mikrotik [SOLVED]

+1 for native implementation to allow +2GB RAM in x86
by jmginer
Mon Sep 24, 2018 9:34 am
Forum: Forwarding Protocols
Topic: BGP as Transit/IP Provider
Replies: 6
Views: 7587

Re: BGP as Transit/IP Provider

setup appropriate filters to make sure the customer route is not advertised to your upstream peers when the customer connection to you is down. Hello, I'm having a problem with this, because I'm advertising to my upstreams a prefix that my client is not advertising to me. I think I'm advertisin...
by jmginer
Sun Sep 23, 2018 2:57 pm
Forum: General
Topic: Feature Request: export ASN in Netflow
Replies: 7
Views: 3320

Re: Feature Request: export ASN in Netflow

Please, add AS numbers in traffic flow!!!
by jmginer
Sat Sep 01, 2018 12:50 pm
Forum: General
Topic: [Feature request] IPv6 Mangle action route-dst
Replies: 1
Views: 1288

[Feature request] IPv6 Mangle action route-dst

Hello, please add the "action route-dst" in IPv6 mangle.

Currently is only available in IPv4.

Thanks.
by jmginer
Wed Aug 22, 2018 11:39 am
Forum: General
Topic: Feature Request: BGP Multicore
Replies: 6
Views: 4190

Re: Feature Request: BGP Multicore

+100000000
by jmginer
Wed Aug 08, 2018 10:04 am
Forum: General
Topic: ROS 7 Beta
Replies: 42
Views: 22085

Re: ROS 7 Beta

I don't understand the constant need for v7? What are you trying to achieve now and can't that you know v7 can do?
BGP, filters and routing management using multicore
by jmginer
Tue Aug 07, 2018 4:28 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

Thanks! According to the considerations explained in the wiki, fastpath should work, since the conditions are met https://wiki.mikrotik.com/wiki/Manual:Fast_Path#Bridge_handler , but I don't see any option to force an activation. It would be good if a representative of Mikrotik could confirm it, and...
by jmginer
Tue Aug 07, 2018 4:15 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

Why do you add all your upstream ports to a bridge? I don't see the point for that... The main reason is that if I change upstream in the future, and connect it to a port that was already used, I'll create a new bridge. This way I can monitor the new bridge and the old upstream traffic does not app...
by jmginer
Tue Aug 07, 2018 4:07 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

- 0-Switch: Bridge BondSwitchDistribute - 1-GTT: Bridge sfp-sfpplus1-GTT - 2-Adamo: Bridge sfp-sfpplus2-Adamo - 3-DECIX: Bridge sfp-sfpplus3-DECIX - 4-Telxius: Bridge sfp-sfpplus4-Telxius - BondSwitchDistribute : Bonding sfp-sfpplus5-Bond1 + sfp-sfpplus5-Bond2 - DE-Voxility: GRE - bcn1-Adamo: GRE - ...
by jmginer
Tue Aug 07, 2018 3:27 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

Can you show output of "/interface print stats-detail" to see if you have packets that are not using fast-path? Thanks, here: Flags: D - dynamic, X - disabled, R - running, S - slave 0 RS name="ether1-RescuePC" last-link-down-time=aug/06/2018 22:23:37 last-link-up-time=aug/06/20...
by jmginer
Tue Aug 07, 2018 2:41 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

I can see from the answers that you guys don't know how fastnetmon's header logs work, that's why I've decided to remove this information so that there's no confusion and put the raw logs of the attack in their place. It is important to see the hour, second and milliseconds of the attack, to underst...
by jmginer
Tue Aug 07, 2018 1:45 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

The problem seems to be the flows, not the PPS. I have a few rules to allow and deny some address-lists. It should not affect the CPU. You should know that the volume shown in the log is not real, it only reflects the first instant when the attack is detected by fastnetmon and obviously no more info...
by jmginer
Tue Aug 07, 2018 1:03 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

Re: 100% CPU CCR1072 due DDoS - How to improve?

close port 80 from outside use.


This is not a solution to CPU consumption.

Also, if it's a web server you can't do this, it's a useless solution because the attacker can choose any port.
by jmginer
Tue Aug 07, 2018 12:33 pm
Forum: General
Topic: 100% CPU CCR1072 due DDoS - How to improve?
Replies: 16
Views: 4470

100% CPU CCR1072 due DDoS - How to improve?

Hello, yesterday we received a DDoS attack that caused a 100% CPU usage (it's a CCR 1072) and our system was unable to do a blackhole because the router was inaccessible also via API. We have the IP connection tracking disabled on the firewall. There is some extra option that we can do to prevent a f...
by jmginer
Wed Aug 01, 2018 6:01 pm
Forum: Forwarding Protocols
Topic: MED When same AS_PATH
Replies: 7
Views: 2542

Re: MED When same AS_PATH

Reeeeeally stupid question, but worth asking: is the nexthop reachable on both routes? (target scope within scope?)
Yes, note that the route destination of the image of the first post is not the same as the second. Are different prefixes ;)
by jmginer
Wed Aug 01, 2018 4:43 pm
Forum: Forwarding Protocols
Topic: MED When same AS_PATH
Replies: 7
Views: 2542

Re: MED When same AS_PATH

mmm, the problem now is that setting a WEIGHT value, the AS_PATH has not priority. https://ginernet.cdnbox.net/images/added/1533130811.png There is possible to give the lower AS_PATH most priority that the WEIGHT value? What I want is to use one transit only in case of the same AS_PATH (hops). but i...
by jmginer
Wed Aug 01, 2018 4:35 pm
Forum: Forwarding Protocols
Topic: MED When same AS_PATH
Replies: 7
Views: 2542

Re: MED When same AS_PATH

Ok, I think the correct way is using the WEIGHT instead MED.

High weight to prefer a route.
by jmginer
Wed Aug 01, 2018 4:10 pm
Forum: Forwarding Protocols
Topic: MED When same AS_PATH
Replies: 7
Views: 2542

MED When same AS_PATH

Hello! for the same route destination we have the same AS_PATH (2 hops). So, we're setting a lower MED value to prefer the left transit instead the right one. But, seems is not taking effect as the router is preferring the right route that we set with higher MED. There is not any difference setting a...
by jmginer
Mon Jun 11, 2018 1:51 pm
Forum: General
Topic: CRS 31x and 32x, no space left to upgrade [SOLVED]
Replies: 1
Views: 1336

CRS 31x and 32x, no space left to upgrade [SOLVED]

Hello,

we just bought some 317 and 328 CRS switches, and we see that they only have 16 MB of storage, which 13 MB are used, so remain only 3 MB free.

We see that this is not enough to update the switch software.

How do we do it?
by jmginer
Thu May 31, 2018 9:14 am
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 43
Views: 31785

Re: FastNetMon Integration with MikroTik (DDoS detection software)

Hi all, we're providing BGP DDoS protection, fully automated mitigation service for Mikrotik networks. Detection and mitigation in less than 5 seconds. More info: https://ginernet.com/en/services/antiddos/bgp/ Hi, I see you're using FastNetMon as the detection mechanism in your service (saw the vid...
by jmginer
Wed May 30, 2018 1:18 pm
Forum: General
Topic: [Feature request] Terminal peer colum
Replies: 3
Views: 1767

[Feature request] Terminal peer colum

Hello, when this command
routing bgp advertisements print
.

The peer column is too thin, it only shows 5 characters, so every peer name is cut off.

Please, increase it.

Thanks.
by jmginer
Sat Mar 31, 2018 9:44 pm
Forum: General
Topic: CCR1072 - CPU issue since last sofware + firmware updae - Can not connect via SSH, API and terminal not load
Replies: 2
Views: 1414

Re: CCR1072 - CPU issue since last sofware + firmware updae - Can not connect via SSH, API and terminal not load

Never had before any issue with the current release, but yes, roll-back to bug-fix only version.-
by jmginer
Sat Mar 31, 2018 8:26 am
Forum: General
Topic: CCR1072 - CPU issue since last sofware + firmware updae - Can not connect via SSH, API and terminal not load
Replies: 2
Views: 1414

CCR1072 - CPU issue since last sofware + firmware updae - Can not connect via SSH, API and terminal not load

Hello, I have a CCR 1072 since the last update: 6.41.3 the router crashes 2 or 3 times per week. I know, because we have a script that connects via API and stop working. at this time, we try to connect via SSH and also don't work. Winbox work Ok, but when we launch the terminal, also don't load, after...
by jmginer
Tue Mar 20, 2018 9:47 am
Forum: Forwarding Protocols
Topic: BGP traffic out peer priority
Replies: 6
Views: 4704

Re: BGP traffic out peer priority

your inbound policy affects how you reach external peers. Also note you only really have control over your inbound policy So, there is any option to reach a external peer using the same upstream that they are using to reach me. I have 2 upstreams: Adamo + Telefonica If RETN is reaching me using Tel...
by jmginer
Tue Feb 20, 2018 7:03 pm
Forum: Forwarding Protocols
Topic: routing filter set-bgp-communities ASN 32bit bug/error
Replies: 3
Views: 2060

routing filter set-bgp-communities ASN 32bit bug/error

Hello,

On DE-CIX, the way to not export an advertisement to one peer is by setting a BGP community.

But I get an error when I try to add a 32-bit ASN in the set-bgp-communities parameter.

It is not detected as an ASN.
by jmginer
Fri Dec 29, 2017 6:23 pm
Forum: Forwarding Protocols
Topic: BGP traffic out peer priority
Replies: 6
Views: 4704

BGP traffic out peer priority

Hello! We have 2 upstreams: Adamo + Telefonica. RETN has direct transit with both. In our routing tables, we see RETN routes with 2 hops for both (Adamo and Telefonica). In the RETN looking glass, they are sending us the traffic via Telefonica. But our Mikrotik is responding using Adamo. Why we don't re...
by jmginer
Wed Dec 13, 2017 10:36 am
Forum: Forwarding Protocols
Topic: How to advertise the default route? [SOLVED]
Replies: 3
Views: 1979

Re: How to advertise the default route? [SOLVED]

Thanks @Anumrak

works if I set with prefix-length=0
/routing filter
add action=accept chain=Peer-OUT prefix=0.0.0.0/0 prefix-length=0
add action=discard chain=Peer-OUT
by jmginer
Tue Dec 12, 2017 8:02 pm
Forum: Forwarding Protocols
Topic: How to advertise the default route? [SOLVED]
Replies: 3
Views: 1979

How to advertise the default route? [SOLVED]

Hello, we want to send the default route to a particular peer. In the BGP peer, we have tried to set default-originate=always or default-originate=if-installed without success. The only workaround that we have found is to create an out filter with a discard action /routing filter add action=discard chain=peer-out...
by jmginer
Mon Nov 06, 2017 4:42 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 255318

Re: RouterOS v7.0 beta1 - when?

That is a lot of route filters for such a small number of peers !
One peer is IX point, with a lot of members.

+300 filters based on different members of the IX and for different /24 subnets.
+500 filters setting a BGP-Local-Pref based on the BGP-AS-Path.
by jmginer
Sun Nov 05, 2017 1:36 pm
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 613
Views: 255318

Re: RouterOS v7.0 beta1 - when?

We bought a year ago a CCR1072,
We are using with 4 peers providing us full routing and with more than 800 filters.
After a reboot, it takes more than 2 hours to apply all routes and filters and it's only using 2% of CPU.
Resume: Sh it product.
by jmginer
Thu Sep 21, 2017 7:34 pm
Forum: General
Topic: Sniffer server howto ?
Replies: 1
Views: 952

Sniffer server howto ?

Hello, can anybody explain to me a little bit how to configure a sniffer capture server? Any guide?

Thanks a lot!
by jmginer
Sat Aug 26, 2017 2:00 pm
Forum: General
Topic: FastNetMon Integration with MikroTik (DDoS detection software)
Replies: 43
Views: 31785

Re: FastNetMon Integration with MikroTik (DDoS detection software)

Hi all, we're providing BGP DDoS protection, fully automated mitigation service for Mikrotik networks.
Detection and mitigation in less than 5 seconds.
More info: https://ginernet.com/en/services/antiddos/bgp/
by jmginer
Mon Aug 14, 2017 9:58 am
Forum: General
Topic: Run [find] via API not run
Replies: 1
Views: 1597

Run [find] via API not run

Hello,

we want to remove all entries in address-list via API.
This command works fine via console:
/ip firewall address-list remove [find]
but when we run it via API,
it returns a "No such command" error.

What is wrong?
by jmginer
Mon Aug 07, 2017 1:42 pm
Forum: General
Topic: How to filter "ip firewall address-list"
Replies: 6
Views: 3273

Re: How to filter "ip firewall address-list"

up up! :)
Any idea?
by jmginer
Fri Aug 04, 2017 12:41 pm
Forum: General
Topic: How to filter "ip firewall address-list"
Replies: 6
Views: 3273

How to filter "ip firewall address-list"

Hello, I want print all the address-list records if the address is inside a subnet If I enter the exact match, is ok: > ip firewall address-list print where address=46.229.168.10 Flags: X - disabled, D - dynamic # LIST ADDRESS CREATION-TIME TIMEOUT 0 D ;;; test test 46.229.168.10 jul/24/2017 13:06:1...
by jmginer
Sat Jun 03, 2017 5:05 pm
Forum: General
Topic: How to count IPv6 traffic
Replies: 3
Views: 1742

Re: How to count IPv6 traffic

up! up! :)
by jmginer
Fri Mar 10, 2017 3:21 pm
Forum: General
Topic: How to count IPv6 traffic
Replies: 3
Views: 1742

Re: How to count IPv6 traffic

up! :)
by jmginer
Thu Feb 16, 2017 10:18 pm
Forum: General
Topic: ip route add very slow in CCR 1072, but ok in x86
Replies: 4
Views: 1660

Re: ip route add very slow in CCR 1072, but ok in x86

Hello, that is a bug on this CCR or what?
by jmginer
Sat Feb 04, 2017 5:29 pm
Forum: General
Topic: How to count IPv6 traffic
Replies: 3
Views: 1742

How to count IPv6 traffic

Hello!

Is there any option to know how much traffic is routed in IPv6?

Thanks in advance!
by jmginer
Fri Jan 27, 2017 10:22 am
Forum: General
Topic: ip route add very slow in CCR 1072, but ok in x86
Replies: 4
Views: 1660

ip route add very slow in CCR 1072, but ok in x86

Hello,

I have a new CCR1072, and I detect that it takes too long to add static routes, around 30-60 seconds for each route!!!

The CPU is 1%

I have other RouterOS running on x86, and everything is ok.

What is wrong?

Thanks!
by jmginer
Tue Jan 24, 2017 4:28 pm
Forum: Forwarding Protocols
Topic: How to see BGP incoming advertisements [SOLVED]
Replies: 1
Views: 4979

How to see BGP incoming advertisements [SOLVED]

/routing bgp advertisements
Read only information about outgoing routing information currently advertised.
Hello, how can I see what prefixes a peer is advertising to me? (incoming routing)

Thanks
by jmginer
Mon Nov 21, 2016 8:24 pm
Forum: Forwarding Protocols
Topic: How to select gateway based on the src-address
Replies: 1
Views: 1419

Re: How to select gateway based on the src-address

Found! with a Mangle:
/ip firewall mangle
add action=route chain=prerouting passthrough=yes src-address=x.x.x.0/24 route-dst=y.y.y.y
y.y.y.y is the gateway IP of my provider (their side IP).
by jmginer
Mon Nov 21, 2016 2:06 pm
Forum: Forwarding Protocols
Topic: How to select gateway based on the src-address
Replies: 1
Views: 1419

How to select gateway based on the src-address

Hello,

we have 2 upstreams in BGP providing us full-routing.

What we want is to limit one /24 to only use 1 upstream.

We have done this for incoming traffic in BGP filters, advertising the /24 to only 1 upstream.

But for the outgoing traffic we don't know how to do it.

Is it possible?

Thanks!
by jmginer
Sun Jul 31, 2016 1:54 pm
Forum: General
Topic: Driver 40Gbps Intel XL710 QSFP+
Replies: 1
Views: 2004

Driver 40Gbps Intel XL710 QSFP+

Please, add support for the Intel XL710. It's a QSFP+ network card.
Thanks.
by jmginer
Wed Dec 16, 2015 1:41 am
Forum: General
Topic: IGMP Snooping
Replies: 134
Views: 81610

Re: IGMP Snooping

+1 IGMP Snooping to manage my IPTV stations.
by jmginer
Wed Dec 09, 2015 4:31 pm
Forum: Virtualization
Topic: Cloud Hosted Router
Replies: 579
Views: 273635

Re: Cloud Hosted Router

I try to install RouterOS in VULTR; they don't allow uploading images, and the ISO also does not run, as the disk is not detected (virtio disk driver).

Is it possible to get an ISO with the Virtio disk driver? Or how to install in this case?

by jmginer
Sat Dec 05, 2015 12:25 pm
Forum: General
Topic: igmp-proxy no more available?
Replies: 1
Views: 1203

igmp-proxy no more available?

http://wiki.mikrotik.com/wiki/Manual:Routing/IGMP-Proxy

> /routing igmp-proxy
bad command name igmp-proxy (line 1 column 10)
by jmginer
Fri Dec 04, 2015 1:01 pm
Forum: Beginner Basics
Topic: Add 5GHz to RB951G
Replies: 7
Views: 7618

Re: Add 5GHz to RB951G

Also interested to have 5GHz wireless in my RB951G-2HnD
Some solution using the USB port?
by jmginer
Thu Nov 12, 2015 10:43 am
Forum: General
Topic: Reject incoming traffic if it's spoofed?
Replies: 1
Views: 935

Reject incoming traffic if it's spoofed?

It's possible?

http://spoofer.caida.org/

Thanks!
by jmginer
Thu Nov 12, 2015 9:07 am
Forum: General
Topic: Feature request: Fastnetmon
Replies: 2
Views: 2667

Re: Feature request: Fastnetmon

up! Please, include in RouterOS!
by jmginer
Sat Oct 31, 2015 10:17 pm
Forum: General
Topic: How to select the gateway showed when you traceroute mi network?
Replies: 0
Views: 705

How to select the gateway showed when you traceroute mi network?

Hello! I'm interested to select what IP to show when someone does a traceroute to some of my IPs. I have a RouterOS install, working since a long time, with feel addresses. When it reboots, the "gateway" shown when I trace some of the IPs routed in this router is a random one. What I do to...
by jmginer
Fri Sep 25, 2015 11:14 pm
Forum: General
Topic: allow yum on firewall
Replies: 1
Views: 1132

Re: allow yum on firewall

fixed adding: add chain=forward action=accept dst-address=x.x.x.x src-port=20-22 protocol=tcp in-interface=eth1 comment="CTID-3320" add chain=forward action=accept dst-address=x.x.x.x src-port=80 protocol=tcp in-interface=eth1 comment="CTID-3320" add chain=forward action=accept d...
by jmginer
Fri Sep 25, 2015 11:00 pm
Forum: General
Topic: allow yum on firewall
Replies: 1
Views: 1132

allow yum on firewall

Hello, I have this rules applies, but when the host with IP x.x.x.x try to run a yum update command (is a centos VPS), it gets the showed error. Any idea? Thanks in advance!! /ip firewall filter add chain=forward action=accept src-address=8.8.8.8 in-interface=eth1 comment="CTID-3320" add c...
by jmginer
Sun Sep 06, 2015 2:23 pm
Forum: General
Topic: RouterOS x86 only one CPU Core
Replies: 2
Views: 1588

Re: RouterOS x86 only one CPU Core

Fixed downgrading to 6.30.4
by jmginer
Sun Sep 06, 2015 2:13 pm
Forum: General
Topic: RouterOS x86 only one CPU Core
Replies: 2
Views: 1588

Re: RouterOS x86 only one CPU Core

We are having the same issue, just happening since 6.31.
by jmginer
Mon Aug 31, 2015 11:53 am
Forum: General
Topic: Feature request: Fastnetmon
Replies: 2
Views: 2667

Feature request: Fastnetmon

Fastnetmon integration on Mikrotik https://github.com/pavel-odintsov/fastnetmon FastNetMon - A high performance DoS/DDoS load analyzer built on top of multiple packet capture engines (NetFlow, IPFIX, sFLOW, netmap, PF_RING, PCAP). What can we do? We can detect hosts in our own network with a large a...
by jmginer
Mon Aug 24, 2015 10:32 am
Forum: General
Topic: ERROR in virtio disk driver in 6.31
Replies: 3
Views: 3112

Re: ERROR in virtio disk driver in 6.31

I'm getting this error on a RunAbove OpenStack service.
They don't provide me any option to upload a img.
I need to run my own ISO.
When they create the VPS, is created with virtio/qcow2 format, I can't edit this.
by jmginer
Sun Aug 23, 2015 9:29 pm
Forum: General
Topic: ERROR in virtio disk driver in 6.31
Replies: 3
Views: 3112

ERROR in virtio disk driver in 6.31

Hello, What's new in 6.31 (2015-Aug-14 15:42): *) chr - added support for virtio disks I tried to install RouterOS 6.31 on a VPS with: - KVM virtualization - Bus: virtio - Type: qcow2 But not run. Not detect the disk. Tested with RC6.32 and same result. https://ginernet.com/images/added/1440354570.p...
by jmginer
Sat Aug 22, 2015 1:34 pm
Forum: General
Topic: CRS and traffic out with two internet connections,
Replies: 1
Views: 813

CRS and traffic out with two internet connections,

Hello, I have two CCR doing BGP, one with Cogent and the other with Level3. The incoming traffic is arriving Ok by the best BGP route, but I don't know how exactly configure the gateway to to out traffic. https://ginernet.com/images/added/1440239689.png Now I have assigned: CCR-Cogent: 10.0.0.1 CCR-...
by jmginer
Fri Aug 14, 2015 4:38 pm
Forum: Forwarding Protocols
Topic: BGP - Advertise a prefix to only one upstream
Replies: 2
Views: 1445

BGP - Advertise a prefix to only one upstream

Hello, I have two upstreams that they provide me a BGP session to advertise my prefixes. I have multiple prefixes. I want, advertise some prefixes to one upstream and other prefixes to the other. How to do? For example: Prefix: 1.1.1.0/24 advertise to AS1 Prefix: 2.2.2.0/24 advertise to AS2 Prefix: ...
by jmginer
Sun Jun 14, 2015 1:52 am
Forum: General
Topic: bridge received traffic is null after upgrade 6.29
Replies: 3
Views: 1674

bridge received traffic is null after upgrade 6.29

What is happening? is going to be fixed?

by jmginer
Fri Jun 12, 2015 12:03 pm
Forum: Forwarding Protocols
Topic: BGP filter based in address-list?
Replies: 4
Views: 1778

Re: BGP filter based in address-list?

I have 2 peers (Peer1 and Peer2) I've do this to force the incoming connection from AS22222 route via the Peer2. /routing filter add action=accept chain=Peer1-IN prefix=0.0.0.0/0 add action=discard chain=Peer1-OUT bgp-as-path=22222 add action=accept chain=Peer1-OUT prefix=1.2.3.0/24 add action=disca...
by jmginer
Fri Jun 12, 2015 12:26 am
Forum: Forwarding Protocols
Topic: BGP filter based in address-list?
Replies: 4
Views: 1778

Re: BGP filter based in address-list?

Or filter by AS?
I have a list of all AS numbers of my country.
Can you let me to know a example of a filter?
Thanks!
by jmginer
Thu Jun 11, 2015 7:16 pm
Forum: Forwarding Protocols
Topic: BGP filter based in address-list?
Replies: 4
Views: 1778

BGP filter based in address-list?

Hello,

I have a address-list with my country IPs (based on this http://blog.erben.sk/2014/02/06/country-cidr-ip-ranges/)
I have 2 BGP upstreams.
I want use one of the upstreams for users from my country and the other upstream for international visitors.
It's possible?

Thanks!
by jmginer
Sun May 31, 2015 8:13 pm
Forum: General
Topic: PPS limit by dst-address
Replies: 1
Views: 935

PPS limit by dst-address

Hello, I want to add the IP of my customer to an address list if it's under DDoS (for example, 50k PPS). This rule is adding ALL IPs to the address list, not just the IP of my customer; it seems it is not detecting the PPS limit. Can anybody help me find what is wrong? Thanks in advance! add action=add-ds...
by jmginer
Mon Apr 20, 2015 5:07 pm
Forum: Forwarding Protocols
Topic: Feature request: BGP flowspec (RFC5575)
Replies: 29
Views: 15528

Re: Feature request: BGP flowspec (RFC5575)

vote +1
by jmginer
Thu Apr 16, 2015 5:56 pm
Forum: General
Topic: GRE MTU issue
Replies: 9
Views: 7927

Re: GRE MTU issue

Thanks! I'm checking, going to return MTU to 1476 and remove the ICMP block rule from the firewall. Why am I blocking ICMP? Simple reason -> DDoS. If someone wants to DDoS my entire network, they just need to DDoS the core router. If I block ICMP, it is not possible to know the IP of the router, so, more difficult to...
by jmginer
Thu Apr 16, 2015 4:12 pm
Forum: General
Topic: GRE MTU issue
Replies: 9
Views: 7927

Re: GRE MTU issue

With MTU 1500 on the GRE tunnels, the issue that we detect is that wget downloads from servers connected to mad1 or ali1 and with a IP routed via the GRE (a protected IP) never finish... the download start, but not finish. Also, if I change the MTU to 1476 (default), the download is Ok, but I have p...
by jmginer
Fri Mar 13, 2015 7:41 pm
Forum: General
Topic: GRE MTU issue
Replies: 9
Views: 7927

Re: GRE MTU issue

Thanks @ZeroByte for your support!
by jmginer
Fri Mar 13, 2015 6:49 pm
Forum: General
Topic: GRE MTU issue
Replies: 9
Views: 7927

Re: GRE MTU issue

I have this mangle rule on all routers: [login@mad1] > ip firewall mangle print Flags: X - disabled, I - invalid, D - dynamic 0 chain=postrouting action=change-mss new-mss=clamp-to-pmtu passthrough=yes tcp-flags=syn protocol=tcp log=no log-prefix="" [login@mad1] > But the issue is still. I...
by jmginer
Fri Mar 13, 2015 6:00 pm
Forum: General
Topic: GRE MTU issue
Replies: 9
Views: 7927

GRE MTU issue

Hello, I have created some GRE tunnels btw 3 routers: uk1 --> mad1 --> ali1 uk1 GRE: [login@uk1] > interface gre print Flags: X - disabled, R - running 0 R name="mad1" mtu=auto actual-mtu=1476 local-address=IP.uk1 remote-address=IP.mad1 dscp=inherit clamp-tcp-mss=yes dont-fragment=no [logi...
by jmginer
Fri Mar 06, 2015 5:43 pm
Forum: General
Topic: BGP4-MIB for SNMP monitoring
Replies: 2
Views: 2467

BGP4-MIB for SNMP monitoring

We want to monitor our BGP sessions via SNMP.
by jmginer
Thu Feb 19, 2015 11:22 am
Forum: General
Topic: Virtio disk driver - FATAL ERROR: no harddrives found
Replies: 2
Views: 3216

Virtio disk driver - FATAL ERROR: no harddrives found

Hello, we are trying to setup RouterOS x86 in a KVM guest based on the disk VirtIO driver.
The disk is not detected.
Please, fix.

by jmginer
Fri Jan 23, 2015 11:08 pm
Forum: General
Topic: in OVH, 2 subnets, 2 interfaces (vrack + pub) and ARP issue.
Replies: 0
Views: 1481

in OVH, 2 subnets, 2 interfaces (vrack + pub) and ARP issue.

Hello, this config is in a OVH server running with Proxmox and RouterOS installed as KVM VPS. Proxmox IP: 176.31.229.210 Subnet1: 5.196.187.8/29 <- vRack Subnet2: 176.31.52.128/27 <- FailOver with vMAC (Internally called public) I have installed the RouterOS with 2 interfaces: 1 address= 5.196.187.9...
by jmginer
Tue Sep 16, 2014 5:38 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB
Replies: 14
Views: 9964

Re: BGP4-MIB

+1 vote! Thanks!
by jmginer
Tue Sep 16, 2014 5:37 pm
Forum: General
Topic: Limit incoming UDP bw
Replies: 3
Views: 1619

Re: Limit incoming UDP bw

limiting the stream rate before it arrives at you.
But I'm interested to limit per destination, not per source.
Is not possible?
by jmginer
Tue Sep 16, 2014 5:30 pm
Forum: General
Topic: How to hide from traceroute
Replies: 5
Views: 6503

Re: How to hide from traceroute

Many thanks! Yes, now is solved :)
/ip firewall filter add action=drop chain=output protocol=icmp
And also blocking in Linux nodes:
iptables -A OUTPUT -p icmp --icmp-type any -j DROP
Regards!!
by jmginer
Tue Sep 16, 2014 2:25 pm
Forum: General
Topic: How to hide from traceroute
Replies: 5
Views: 6503

Re: How to hide from traceroute

/ip firewall filter add action=drop chain=input protocol=icmp This will make your router not reply to pings either. -Chris Thanks for your response, but don't solve my question, I have this rule active, but when I do a traceroute to some of the VPS servers hosted in a server that are connected to t...
by jmginer
Tue Sep 16, 2014 11:35 am
Forum: General
Topic: How to hide from traceroute
Replies: 5
Views: 6503

How to hide from traceroute

Hello, I want to hide the Mikrotik from traceroutes.
How can I do it?

Thanks.
by jmginer
Wed Jul 23, 2014 3:04 pm
Forum: General
Topic: Limit incoming UDP bw
Replies: 3
Views: 1619

Limit incoming UDP bw

Hello, how to block incoming UDP traffic to limit it to 10Mbps per destination IP?
Thanks!
by jmginer
Thu Jun 12, 2014 7:58 pm
Forum: RouterBOARD hardware
Topic: CPU core protect during DDoS to do blackhole
Replies: 1
Views: 1643

CPU core protect during DDoS to do blackhole

Hello, if I receive a DDoS, is there any way to limit the CPU usage for the main uplink so it doesn't use more than 90% of CPU, and then be able to log in to the router and do the blackhole? My upstream can provide me a second uplink with another IP, but the main problem is, if I'm under DDoS and th...
by jmginer
Fri Feb 14, 2014 6:53 pm
Forum: Forwarding Protocols
Topic: BGP4-MIB
Replies: 14
Views: 9964

Re: BGP4-MIB

+1 to implement BGP4-MIB feature to Mikrotik
by jmginer
Wed Jul 24, 2013 6:55 pm
Forum: General
Topic: IPS support on RouterOS?
Replies: 3
Views: 3024

IPS support on RouterOS?

Hi! Is there any plan to add IPS support on RouterOS?
Some option to verify if an incoming IP is spoofed or not?
Nice to prevent DDoS!

Thanks!
by jmginer
Thu Dec 13, 2012 3:04 pm
Forum: RouterBOARD hardware
Topic: Cloud Core Router pps limit on each port?
Replies: 4
Views: 3328

Cloud Core Router pps limit on each port?

Hi all! I'm starting a hosting company and I'm looking to add a CCR as the main router in my rack. My question is about DDoS attacks. In the specs it says +22 million pps. But if all my traffic is going through only 1 port, are the 22 million pps also available to this port? I think the 22 million ...