MikroTik

mikruser

MT hardware routers have old issue with low and unstable speed via VPN tunnel on high latency WAN link: https://forum.mikrotik.com/viewtopic.php?f=2&t=146665 I also create ticket SUP-22475, but MT support refused to fix issue. Do you want to know what reason they gave? .......... Hello, There is...

mikruser

vikinggeek
Its known issue with Mikrotik RouterBoards: viewtopic.php?t=146665#p769858
You should contact technical support or replace hardware router to CHR.

mikruser

this is a known problem with mikrotik routers on high latency links.
this has been discussed many times on the forum.
you must contact support.

mikruser

Thanks, after set STP Protocol mode = none, hw offload is active.

mikruser

RB750Gr3, hardware offload enabled for bridge ports ether2 and ether3.
Why hardware offload is inactive?

image_750gr3_bridge.png

mikruser

Hello,

How to enter non-english letters to Winbox?
Tried copy-paste, but got ????????.??

mikruser

This topic not about IPsec.
Try without a tunnel.
1) do not use fasttrack
2) one side should be Tile (CCR) or ARM (RB3011)
3) both PC should be Windows
4) for testing: copy big file via shared folder

mikruser

True, sometimes they answer "No, will not fix it until v7", or "will fix in the future" - and future is one year from now. One year - is still optimistic. Issue with CCR Ipsec packet reordering they fixes ~5 years (and for a long time did not even admit that there was a problem)...

mikruser

blingblouw

this issue: viewtopic.php?f=2&t=171165

(and I very much suspect that my other problem is caused by the same reasons viewtopic.php?t=146665 )

mikruser

Paternoot The way to do this is taking out everything that has nothing to do with the problem - a router with minimal configuration. I already wrote why this is impossible. I also tested on RB3011 with simple configuration and sent them the result, but they ignored it for contrived reasons. Usually ...

mikruser

You do have a lot of other configuration on the device. Any router in real life have some configuration. Your routers are not designed for this? Do they only work with very basic configuration? Why then there is no warning about this on the site? We asked if you can test with basic config, you refu...

mikruser

We have requested several things for you to test, but have not received results. I sent you everything I could. what other things do you want? Also, can you test the same installation with another, computer, cables, etc maybe you will read the entire conversation with technical support? I tested di...

mikruser

SUP-37480

mikruser

KENYx120 Have same issue (support ticket SUP-3459) with IPSec between CCR1036 (ROS/ROB 6.44.6) and StrongSwan on CentOS 7 connected to 1Gbp/s links with 300Mbit/s ISP (download/upload) throughput. Latensy between sides abount 18.0ms. did you get a response from technical support? or did they refuse...

mikruser

What is MT technical support (https://help.mikrotik.com/servicedesk/servicedesk) for?
I created a request.
They simply refused to fix the problem and forcibly closed the request.

mikruser

Yes, RouterOS has low quality. I also have some issues ( https://forum.mikrotik.com/viewtopic.php?f=2&t=171165 https://forum.mikrotik.com/viewtopic.php?t=146665 ) MT support is also very bad - they refuse to admit there is a problem. After replacing device to another vendor all problems disappea...

mikruser

pe1chl You are very inattentively reading what they write to you (or deliberately divert the conversation in the other direction). The system is characterized not by the error, but by the reaction to it. 1) a good company would remove the buggy firmware from Downloads ASAP (to minimize problems for ...

mikruser

a MONTH(!!!) has passed since the bugged version 6.48 appeared! this version remains presented on the download page!
there are still no fixes!
in my opinion this is an EPIC FAIL!
such a company should leave the market.

mikruser

Mountaineer I'm sticking to Long Term for future upgrades to any critical equipment. Mikrotik is not intended for use in any critical equipment or enterprise. Repeatedly spoken about this, for example https://forum.mikrotik.com/viewtopic.php?f=2&t=165391 Why hasn't this release been removed from...

mikruser

What about the story with "stable" version 6.48? They released a buggy version a week before the new year, and there is still no fix!
They haven't even removed it from the download page!

mikruser

I tested also on RB3011 and it has the same problem: >iperf-2.0.14a-Dec14_20-win.exe -c x.x.x.x -w 1024K -e -i 1 -t 20 ------------------------------------------------------------ Client connecting to x.x.x.x, TCP port 5001 with pid 17972 (1 flows) Write buffer size: 131072 Byte TCP window size: 1.0...

mikruser

Hello, I have WAN link 200Mbps to remote Windows server with latency 37 ms. With direct connected PC over WAN iperf show good speed in both directions: >iperf-2.0.14a-Dec14_20-win.exe -c x.x.x.x -w 1024K -e -i 1 -r ------------------------------------------------------------ Server listening on TCP ...

mikruser

Hello,
Why hAPac2 and RB3011 have identical ipsec test results?
https://mikrotik.com/product/hap_ac2#fndtn-testresults
https://mikrotik.com/product/RB3011UiAS ... estresults

hapac2_rb3011_ipsec_test_results.png

mikruser

Issue still not fixed on 6.48:

image_bwtest_tcp_ccr_648.png

mikrotik technical support is silent...

mikruser

why are you upgrading to beta-version?
it has been repeatedly said that
"long-term" = Stable
"stable" = Beta
"testing" = Alpha

mikruser

Mikrotik cannot be used in enterprise. Its only for home with low-speed wan. Its too bugged and have very poor support. For example - see CCR\GRE\IPSEC saga: https://forum.mikrotik.com/viewtopic.php?t=84465 https://forum.mikrotik.com/viewtopic.php?t=87892 https://forum.mikrotik.com/viewtopic.php?t=8...

mikruser

Only ipsec hardware accelerated, not openvpn. Avoid using openvpn.

mikruser

This is a widespread problem on older models. But Mikrotik team does not want to solve this problem (
viewtopic.php?t=56656
viewtopic.php?t=59185

mikruser

but distributions cannot be the same:
CHR should contain only virtual device drivers and VMware tools.
x86 should contain a large number of real device drivers.

mikruser

Hello, Why RouterOS CHR and x86 use the same distribution package? https://mikrotik.com/download/ : x86 Main =https://download.mikrotik.com/routeros/6.47.8/routeros-x86-6.47.8.npk CHR Main=https://download.mikrotik.com/routeros/6.47.8/routeros-x86-6.47.8.npk x86 Extra =https://download.mikrotik.com/...

mikruser

6.47.8 still have this issue!

mikruser

Why Mikrotik forcibly reset my password for forum account????
I have been using this account for many years, and suddenly the password stopped working!
you have nothing else to do there ???

mikruser

BGP Insertion (4xFullviews, ~3,2M routes) : 1. RB4011 : 3m45s 2. CCR2004 : 5m38s 3. CCR1016 : 10m09s 4. CCR1009 : 10m45s BGP Removal (4xFullviews, ~3,2M routes) : 1. CCR1016 : 3m18s 2. CCR1009 : 3m25s 3. RB4011 : 8m25s 4. CCR2004 : 19m58s SUGGESTION: These numbers also should be published on Test r...

mikruser

Hello,

please add ability to use Address List in Dst.Address in Routes

mikruser

Any ideas?

mikruser

Hello,

What TCP Congestion Control algorithm is used in Tools-Bandwidth Test-tcp?

mikruser

Paternot
Can you provide proof that chip IPQ-4018 (and other) has a 16MB flash limitation?

krafg
I use System-Packages-Check for updates-Download&install

mikruser

I dont known why Mikrotik support talk about "NAT events". Answer from ManageEngine Netflow Analyzer developers: Hi , Mikrotik device do not send NAT information in the netflow packets. If the device can send NAT information over the flows, we will be able to show you the details. How happ...

mikruser

>>If you could remove packages, it means you put them there. Yes, i always install Extra packages zip from https://mikrotik.com/download >>I can just suggest that you do not install extra packages on small NAND devices. In this case remove Extra packages zip for these devices from https://mikrotik....

mikruser

I already solving this issue by deleting unused packages via System-Packages-Uninstall.

but that doesn't remove the question of why you're saving 50 cents on the cost of creating problems for users.

mikruser

Chupaka I think you should ask Netflow Analyzer if they support necessary fields I asked Mikrotik support. First they blamed the analyzing software, but then they admitted: we currently don't have NAT events available in current stable/long-term releases. We are working to implement the support for...

mikruser

it's more like there's something wrong with your company

mikruser

Set these values:
Proposal: aes-128cbc/sha1/modp1024
Profile: sha1/aes-128/ecp256

mikruser

32/64MB chips are very very cheap, but Mikrotik puts only 16MB. Why???
On hEX, hAPac2 i get errors:
system, error: not enough space for upgrade

mikruser

floaty
in a stream-cipher with an pre-shared or diffie-hellman'ed key, should the cpu-load for de- & encrypt pretty much the same
No. In aes-cbc mode decryption is much faster than encryption.

mikruser

no problem. this compact table may fit on full-hd screen even with CCR1072.

(currently many-rows table should have 1008 rows for 13 services on 72 cores. it doesn't fit on any monitors)

mikruser

Hello,
Instead of many-rows table

image_profile.png

you can use this compact and more informative table:

image_profile_suggestion.png

mikruser

Hello,

https://mikrotik.com/product/RB3011UiAS ... estresults
https://mikrotik.com/product/CCR1009-7G ... estresults

these IPsec test results throughput are for encryption or for decryption?

mikruser

changeip
your code do not work.

Also have this question - how to rename address list via Winbox?

mikruser

Hello,
How to set Pref.Source for dynamic routes type DAS (dynamic active static)? (for example pptp/l2tp/sstp)

mikruser

Issue is still observed on 6.47.1:

image_bwtest_tcp_ccr_6471.png

first graph - test from ccr to chr public ip
second graph - test from ccr to chr private ip (via tunnel)

mikruser

Hello,

Why Mikrotik OVPN Server do not support AES-128-GCM cipher?

mikruser

Hello,

Please add to Bandwidth Test:

TCP Retransmissions count and %
out-of-order packets count and %
duplicate packets count and %
fix Lost Packets info for correct results
more protocols for test (example: gre, sctp)
interface selection for the test

mikruser

So you say that the mikrotik developers created a fake Bandwidth Test udp with a fake "Lost Packets" field?

mikruser

Hello,

I already tested the channels using tcp test: viewtopic.php?f=2&t=163469
and the results looks like there are packet loss.
But why UDP Bandwidth Test do not show packet loss?

mikruser

Hello,

Why TCP Bandwidth Test is sawtooth graph?

To 100M ISP1 WAN link:

image_bwtest_tcp_100M.png

To 200M ISP2 WAN link:

image_bwtest_tcp_200M.png

UDP test perfectly smooth with 0 lost packets even at full link speed.

mikruser

+1 for iperf with charts

mikruser

Now I'm using this Mangle rule:
add action=mark-routing chain=prerouting dst-address-list=!LAN_private new-routing-mark=to_ISP3 passthrough=no src-address=192.168.0.1

mikruser

I already wrote what I want - I need the default route for packets from 192.168.0.1

mikruser

I also have this issuue! (CHR v6.45.9)

mikruser

in this case, the use of Route Rules is not suitable, and I am forced to use the mangle.

mikruser

see my first message with image - I need default route with source based routing.

mikruser

but routing rule doesn't work as expected with the default route (dst.address=0.0.0.0/0). I expected to see specific routes (in Routes tab in main table) first, and only if no specific route is found will the default route rule be used. but this rule sends absolutely all packets from 192.168.0.1 to ...

mikruser

In that case, why I do not get a speed boost (through using SMB Multichannel) when I copy a file through a tunnel?

mikruser

Mikrotik Wiki do not have information about "Rules" tab settings for unknown reasons (https://wiki.mikrotik.com/wiki/Manual:IP/Route)
can you give more information?

mikruser

Hello,

Is it possible to use source based routing without Mangle and marking?
I just need to add a field "Src.Address" to the standard Route form:

image_source_based_routing.png

mikruser

Hello,

is it normal for a Fancon to generate so many IRQ? ~1400 per "tick".

image_fancon_irq_ccr.png

CCR1009, v6.47

mikruser

>>you may try to spread the traffic among multiple tunnels but many tunnels will require many public ip-addresses... and I may need 8 or 16 connections to fully utilize wan link... maybe there's a way to create tunnels not on different ip-addresses, but on different ports of the same address? >>You...

mikruser

Hello, We have two offices connected via high latency high speed WAN links. This WAN links show good speed only with multiple connections. Offices connected via GRE+Ipsec tunnel. For file copy we use Windows10 PC's with network adapter that support Receive Side Scaling (RSS) and SMB Multichannel (4 ...

mikruser

Hello,
I have WiFi on Ubiquiti AP Pro (one SSID on 2.4 and 5GHz).
Any device work without problem on both band.
But Mikrotik hap ac2 (station mode) do not see my SSID on 5 GHz band.
Why?

mikruser

Hello,
Please add to Ethernet Cable Test analog signal information like signal strength, signal-to-noise ratio, etc. for each pair. (like Fluke tester)

mikruser

that you don't understand?
You're on a mikrotik router (for example via winbox).
Now you need to check for port availability at some address (for example 1.2.3.4:945 or 5.6.7.8:1843)

mikruser

You do not understand the question.

mikruser

Hello,

how do you check some ip:port for availability from a mikrotik router?

mikruser

Hello,

https://wiki.mikrotik.com/wiki/Manual:I ... celeration
x86 (AES-NI) ***
*** AES-CBC and AES-CTR only encryption is accelerated, hashing done in software.

Why hashing is not hardware accelerated?
AMD CPU support SHA extensions: https://en.wikipedia.org/wiki/Intel_SHA_extensions

mikruser

I know what's loading the CPU.
My question is, why so much?
One EPYC Rome core can do 1.7 GBytes/s AES encryption.
Two cores can 2*1.7*8=27 Gbits/s
My traffic is very small, only 0.5 Gbit/s
CPU load caused by encryption should be lower than 2%

mikruser

Hello,

I have ESXi 6.7U3 host with AMD EPYC 7502P processor, and VM (2 vCPU) with CHR 6.45.8
On CHR created vpn-tunnel GRE+IPsec (aes-128 ctr sha1)

When i do vMotion via this tunnel at speed 500 Mbit/s, this cause VM CPU usage 45%

Why CPU usage so high?

mikruser

For example - you have multiple offices: HQ-office and branch-offices, each office have piblic IP and private subnet. Very simple solution: HQ-office Mikrotik (master) and branch-offices Mikrotik (slave) have this table: public_ip, private_subnet 1.1.1.1, 192.168.1.0/24 2.2.2.2, 192.168.2.0/24 ........

mikruser

Hello,

Please add button "View packets" (like Torch or Sniffer) on Rule Statistics tab!

mikruser

Hello,
How to disable promiscuous mode on ether1?

mikruser

there are no other versions between them

Image_.png

mikruser

>>Changes since 6.45.7
previous version was 6.44.6

mikruser

I have same issue as described in mdpeterman first post.
NetFlow Analyzer -> Inventory -> Devices-> SomeRouter -> InternalInterface -> Destination (OUT)
shows me external public IP instead of internal private ip-addresses

mikruser

maybe you do not understand my message?

I also have this issue

mikruser

and what should I do?

mikruser

all of these items are already selected by default

mikruser

where to set these fields?

mikruser

what are you speaking about?

mikruser

Also have this issue!

6.44.6, Traffic Flow Version: 9

How to fix it?

mikruser

why did the router send packets from the wrong interface

I do not see your config.
maybe you do not have the necessary mangle output rules,or maybe you do not have the necessary route rules...

mikruser

You should exclude PublicIP-to-PublicIP connections from NAT'ing

mikruser

havrla
illinos is very super for fast and long lines. (VDSL, WIFI, )

"Westwood" is much better:

aed1d4d480366a904cf94a6f3977b383.png

mikruser

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port

mikruser

for example https://wiki.mikrotik.com/wiki/Manual:IP/Route
do not have information about "Rules" tab settings.

mikruser

Because it doesn't work as you think. Proposal is linked to policy and policy is linked to peer. Not the other way around. So what you created just sits there and does nothing, because automatically created peer won't use it. You are wrong. Dynamic policies are generated from a template policy: htt...

mikruser

Hello,

I have multiple gre-tunnels with ipsec secret enabled. In gre-tunnel i cannot select custom ipsec proposal.
I created custom IPsec Policy Template (priority#0) for Protocol:47 and custom proposal, but my gre-tunnels still use default proposal.

Why?

mikruser

yeahbunin
read my previous message

mikruser

>>add action=accept chain=forward dst-port=65022 protocol=tcp

you need change port to 22

mikruser

>>Have you specified local and remote addresses of GRE on both routers?
Yes

>>Do you allow proper protocols to pass firewall?
Yes, full access for these addresses (without "IPsec Secret" gre-tunnel link up successfully).

I think this is a bug in ROS...

mikruser

Hello, I created GRE tunnel (with IPsec Sercret) between CCR and CHR. (6.44.6) 1) policy created dynamically successfully (ph2 state established) 2) peer created dynamically successfully 3) identities created dynamically successfully 4) remote peers and installed sa created dynamically successfully ...

mikruser

Hello,
Is it possible to see in Winbox %lost datagrams related to outer (connectionless/stateless) protocol of VPN tunnel?

mikruser

Hello,

How does AutoMTU (Actual MTU) work for VPN tunnels?

For example: i have gre+ipsec tunnels sha1/aes-128 ctr

CCR1009(AMTU1446)----(AMTU1434)RB3011

CCR1009(AMTU1446)----(AMTU1434)hAPac2

Why MTU is different on both sides?

mikruser

Where can I download admin guide with a detailed description of all settings?

mikruser

Hello,

How to set priorities for the encryption algorithms in the default IPsec proposal?

I have "aes-128 cbc" and "aes-128 ctr" selected, and need now set priority1 to ctr, and priority2 to cbc.

mikruser

Hello,
I have router with 3 WAN interfaces.
How to select interface in Bandwidth Test tool? (like in Traceroute tool)

Image_mikr_bt.png

mikruser

Ok, it works...

but this is a very inconvenient setup method.

please add ability to configure through USB!

mikruser

I'm trying login to MQS as described in https://i.mt.lv/cdn/rb_files/1572339613 ... %20web.pdf
but no success
I can connect to wireless network RBMQS_AP1, but computer can't get ip address.
I'm trying reset MQS, but no success.

mikruser

use blackhole route

mikruser

Any news about implementing this feature (VI)?

ISP gave me an additional IP-address on a different subnet.
Now i need create additional (virtual) interface on ether1. MAC address must be different.

mikruser

Absolutely incorrect.
Normal providers do not touch transit icmp traffic.

mikruser

Hello, What type of vpn tunnel should be used in this case: 1) server and clients are Mikrotik routers. 2) server have public ip address. 3) all clients have private ip addresses (behind nat). 4) some clients behind same nat (l2tp+ipsec do not work in this case). 5) MPPE encryption or certificates s...

mikruser

mikrotik's "stable" = beta version in real life

mikruser

6.44.5

mikruser

Interface lte1 - General - APN Profile:
this setting is not remembered between reboots

mikruser

doneware NAT - is not really a CPU intensive process but in real life author writes something else: doush Router only does NAT and nothing else. CCR1072 CPU consumption is %50 with 18gbit/s total throuput + firewall + NAT plus some cores hitting %80. doneware using a dedicated CPU instruction set (...

mikruser

I am very surprised that Mikrotik does not use hardware NAT'ing.

mikruser

Hello,
Please implement VPN over ICMP (ICMP Tunnel)
(it can be very useful in some countries with a totalitarian regime)))

mikruser

normis
Tue Jul 30, 2019 9:57 am
The GPER is a passive device that connects wires together, you can call it Layer1. This is not really a hub.

normis
Fri Aug 02, 2019 3:14 pm
Yes, there is a basic switch chip inside.

Two completely different answers.
You are Dr Jekyll and Mr Hyde??

mikruser

If GPER is just a passive device that connects wires together, then the price is perplexing (50% of Raspberry Pi 4 computer)

mikruser

1) Of course it matters (and two port has nothing to do with it)
2) ???
3) Ok

mikruser

Hello,
1) at what OSI layer this device work? at L1 like hub, or at L2 like switch?
2) what delay does this device add?
3) why distance is limited to 1500 m?

mikruser

Hello,

CHR 6.44.2
PRTG Network Monitor SNMP Traffic sensor

When i copy file via gigabit adapter, SNMP sensor show only 430 Mbit/s

This is a bug in Mikrotik SNMP or in PRTG?

Image1_snmp_.png

mikruser

Hello,

please add not only udp and tcp, but also protocols 4, 47, 50.

mikruser

GRE+IPsec still slow:
viewtopic.php?f=2&t=146665

mikruser

Hello, CHR, 6.44.1, 2 vcpu Xeon Gold CCR1009, 6.44.1 WAN with 45 ms latency [CHR]---wan(tunnel gre+ipsec)wan---[CCR1009] aes128cbc/sha1, Actual MTU = 1426 (Auto) OR aes128ctr/sha1, Actual MTU = 1446 (Auto) Bandwidth Test on CHR to CCR (tcp, receive, 1 connection): between public ip = up to 300 Mbps ...

mikruser

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.

mikruser

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one. /ip ipsec proposal add name=newproposal copy-from=default /ip ipsec policy set [find proposal=default] proposal=newproposal I was just posting this exact ...

mikruser

Hello,

Why AES CTR is not hardware accelerated on the CHR?

Image_chr_.png

mikruser

Hello,

Does the System\Watchdog on the CHR make sense?
Can he restart the VM if CHR hangs?

mikruser

but I don't want to create additional vlan interfaces

mikruser

I can not merge bridges, because bridges have different ip-addresses and dhcp-servers on them.

mikruser

Hello, We have routerboard with ether2 and ether3 - in bridge1 ether4 and ether5 - in bridge2 now we need special port ether6 which should be a member of both bridges, but in bridge1 as untagged default vlan (vlan1), and in bridge2 as tagged vlan2. This is can be done very simply on a managed switch...

mikruser

Hello,

Why Fast Path not supported with hardware accelerated IPsec?

mikruser

I see a very large number of messages
expected end of command

looking at all, export/import procedure is very bugged on Mikrotik

mikruser

but cli command /import do not work:

expected end of command (line 24 column 26)

mikruser

How to copy configuration from router1 to router2 (different hardware)?
I see this post: viewtopic.php?t=115073
My question: how to export and import via Winbox GUI? (not via terminal cli!)

mikruser

Hello,

please add the ability to drag and drop (copy) rules (and other stuff) from one Winbox window to another Winbox window.

mikruser

in case there is NAT between server and client: google "AssumeUDPEncapsulationContextOnSendRule"

Thanks, it helped!

mikruser

Hello, CCR1009, 6.43.8 cannot connect to L2TP server from Windows 7 and Windows 2008 R2. ipsec, error no suitable proposal found. ipsec, error x.x.x.x failed to get valid proposal. ipsec, error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1). ipsec, error x.x.x.x phase1 negotiation fail...

mikruser

What types of authentication does Mikrotik router support with Windows client?
Only "Use machine certificates"? Or also "Use EAP"?

mikruser

Hello, I already have several ipsec peers with unique ip addresses (it is used for l2tp/ipsec site-to-site vpn's). Now I need to make a IKEv2 server for incoming connections from remote notebooks. For this i need to create ipsec peer with address 0.0.0.0/0. Is it possible to use this peer with other...

mikruser

My question about Backup/Restore

(Import/Export do not work on my devices)

mikruser

Hello,

How to backup config without mac-addresses?
or how to restore config without changing mac-addresses?

mikruser

But why i do not see Import/Export in Winbox?

mikruser

up!
Why is it removed from Winbox GUI???
(but it is still available from command line: /interface ethernet set ether1 bandwidth=unlimited/unlimited)

mikruser

After the command /interface ethernet set ether4-local bandwidth=unlimited/unlimited
I was able to rename the interface

mikruser

I have this problem again after restoring the configuration

mikruser

RB750Gr3
ROS 6.43.4
Winbox 3.18

restoring configuration incorrectly restored interfaces, and I need to rename them
but when I try to change the name I get an error: Couldn't change Interface - not supported on this interface (6)

Image_interface.png

mikruser

When will AES-CTR be added to RB750Gr3?

mikruser

Hello,

Please add "Reconnect" action to Right Click (Context) menu for all interfaces in Winbox
(reconnect = disable+enable)

mikruser

can you explain your setup and logic behind your policy configuration here? I can not think of a single case where responder should generate a dynamic policy with dst-address=0.0.0.0/0. We have a large number of subnets, and instead of creating a separate policy for each subnet, we create one polic...

mikruser

This behavior can be easily reproduced in the test lab.

mikruser

This is not a configuration issue (this configuration worked fine for 7 years)
problem occurs after upgrade to 6.42.x or 6.43.x

mikruser

This IPsec bug still not fixed viewtopic.php?f=2&t=136445

mikruser

6.43.4 also have this issue!

mikruser

I also tested two hAP ac^2 with 6.43.2

EoIP with IPsec (aes-128 ctr), file copy is only 34 MB/s:

hapac2_eoip_ipsec_ctr.png

EoIP without IPsec, file copy is 68 MB/s:

hapac2_eoip.png

mikruser

6.43.2 also have this issue

mikruser

what is "multiple engine"??

mikruser

You can use minimal (fastest) config, required for EoIP+IPsec or L2TP+IPsec or GRE+IPsec.

mikruser

6.43.2 also have this issue!

mikruser

>>The throughput results are there for you to evaluate the IPsec crypto engine performance, not to show you throughput results with various different configurations. IPsec crypto engine performance is a "spherical cow in a vacuum", and does not show real life results. >>check for packet f...

mikruser

>>Adding or enabling any additional RouterOS feature apart from IPsec policies can reduce the throughput significantly. That's why I already suggested that you also publish the results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec) https://forum.mikrotik.com/viewtopic.php?f=3&am...

mikruser

I also tested two RB3011 with 6.43.2, connected via EoIP tunnel with IPsec.
They showed an even lower speed, even with hardware acceleration: file copy only 22 MB/s with aes-128 cbc/ctr (this is very far from declared 407.7 Mbps).
Profile:

rb3011_eoip_ipsec.png

mikruser

Very unbalanced router
https://i.mt.lv/cdn/rb_files/RB4011iGSp ... 135303.png

Each switch have 5*1G port, but only 2.5G link to CPU.

What for this router have 10G sfp+ port? All switches summary have only 5G throughput.

mikruser

I found that even just viewing the settings in the Winbox also often causes a 100% CPU load.

I suspect that the developers simply do not test the latest versions ROS/Winbox on RB751U.

Image100cpu.png

mikruser

Hello,

When Mikrotik releases a router that can handle single IPsec tunnel (or MACsec) at 2.5G, 5G, 10G?

mikruser

May I ask why downgrade to such a vulnerable version? Wouldn't be better to upgrade the other equipment if having the same version on all hardware is important?

Due to a this bug in 6.42.x:
viewtopic.php?t=136445

mikruser

This is correct behavior.

But why??
We have another hAP ac^2 router and it works fine with version 6.41.4:

Image_hapac2.png

mikruser

Hello,

Suggestion: release routers with preinstalled Factory Software only from Bugfix release chain.

mikruser

We have hAP ac^2 with Factory Software 6.42.3
How to downgrade the ROS below the factory version (to 6.41.4)?
After /system package downgrade
we get error
error: omitting package system-6.41.4: min RouterOS version is 6.42.3

mikruser

see answer in this topic: viewtopic.php?f=1&t=138427#p682693

Cha0s

Have you tried TP-Link or D-Link?

I am sure they are much easier with all their wizards whistles and bells.

If you find RouterOS hard, then it's probably not for you.

mikruser

Advanced tab also not enough in this case.

mikruser

we are talking about only first tab

mikruser

Simple queue is perfectly adequate for this. Just use the first tab.
With only first tab is impossible to perform an elementary task in one queue:
set summary limit + set per IP limit

mikruser

Feature request: AES hardware acceleration for OpenVPN

mikruser

Hello,

current Queues has a very large number of settings and a very complex and confusing.

Please add simple speed limiter.

mikruser

Hello,

Please add "Benchmark" button to Winbox IP-IPsec-Proposals
for benchmark selected algorithms "encryption", "decryption", "encryption+decryption" speed on any platform
(like VeraCrypt Tools-Benchmark):

Image_bench.png

mikruser

6.42.7 also have this issue!

mikruser

IPv4 fast path is automatically used if following conditions are met:

firewal rules are not configured;

LOL, in this case Fast Path absolutely useless
I do not have routerboards without firewall rules

mikruser

Hello,

Fast Path enabled
But why Fast Path not active?

Image1_fp.png

mikruser

Hello,

Please add to Winbox backup restore wizard:

Interfaces remapping
Interfaces MAC addresses: preserve/reset
DHCP leases: preserve/remove

mikruser

I already have a configuration with a very large number of Ipsec policies (all these policies use proposal:default).

Now I created a l2tp connection with "Use Ipsec", and i need another custom proposal for this.

mikruser

After investigation, I found that the bug is in Firewall-Service Ports-sip
After disable this port, 6.42 also works fine

mikruser

Hello,

Please add the ability to choose Proposal (in L2tp with "Use IPsec")

mikruser

Hello,

Please add SMB WAN Accelerator (for high latency VPN links)
like this: https://www.silver-peak.com/applications/cifs-smb

mikruser

Hello,

Some RouterBoard models have encryption engine.
Central Processing Unit (CPU) and Crypto Processing Unit (CrPU)

But currently in Tools-Profile we can see only CPU % Usage.

Suggestion: please add to Profile also CrPU % Usage.

mikruser

This topic about CCR

mikruser

There is a plan to make HW acceleration for GCM.
Thank you for the confirmation Maris.

As it turned out, the confirmation was not true

mikruser

The presentation says the VMXNET3 NIC supports fastpath. Are you using that?

CHR always uses VMXNET3

mikruser

Also have this question.
Any official comments?

Image_chr_fp.png

mikruser

Yes, Windows share file copy.
I also tried vSphere vMotion, but it did not exceed 60 Mbit/s.

mikruser

Hello, We have WAN-link with 1Gbit/s throughput, but 40 ms latency. iperf3 UDP test really can do 1Gbit/s almost lossless. We have L2TP IPsec tunnel over this WAN-link: LAN1---[CHR]---(l2tp_ipsec_vpn)---[CCR]---LAN2 Now file copy between LAN1 and LAN2 is only 6 MB/s maximum. I try different aes mode...

mikruser

I do not see changes in SIP

mikruser

+ for Iperf

mikruser

kasparskr

do you can release Traffic Generator for Windows?

mikruser

Hello, We have this setup: [FreePBX]---[CCR1]---(l2tp_ipsec_tunnel)---[CCR2]---[sip_clients] At night I updated ССR from 6.40.8 to 6.42.6. As a result, about half of sip clients/trunks can not register (FreePbx reboot did not help). After downgrade CCR back to 6.40.8 everything again worked fine. Wh...

mikruser

Hello,

Please add to l2tp client Dial Out page "IPsec proposal" field

mikruser

Hello,

What is "unclassified"?

Image1_btest_profile.png

mikruser

Hello,

Question about Tools - Bandwidth Test

What TCP Window Size does the test use?

mikruser

Any official info about Bandwidth Test for Windows?

Search found 494 matches