MikroTik

mikruser

normis
Tue Jul 30, 2019 9:57 am
The GPER is a passive device that connects wires together, you can call it Layer1. This is not really a hub.

normis
Fri Aug 02, 2019 3:14 pm
Yes, there is a basic switch chip inside.

Two completely different answers.
You are Dr Jekyll and Mr Hyde??

mikruser

If GPER is just a passive device that connects wires together, then the price is perplexing (50% of Raspberry Pi 4 computer)

mikruser

1) Of course it matters (and two port has nothing to do with it)
2) ???
3) Ok

mikruser

Hello,
1) at what OSI layer this device work? at L1 like hub, or at L2 like switch?
2) what delay does this device add?
3) why distance is limited to 1500 m?

mikruser

Hello,

CHR 6.44.2
PRTG Network Monitor SNMP Traffic sensor

When i copy file via gigabit adapter, SNMP sensor show only 430 Mbit/s

This is a bug in Mikrotik SNMP or in PRTG?

Image1_snmp_.png

mikruser

Hello,

please add not only udp and tcp, but also protocols 4, 47, 50.

mikruser

GRE+IPsec still slow:
viewtopic.php?f=2&t=146665

mikruser

Hello, CHR, 6.44.1, 2 vcpu Xeon Gold CCR1009, 6.44.1 WAN with 45 ms latency [CHR]---wan(tunnel gre+ipsec)wan---[CCR1009] aes128cbc/sha1, Actual MTU = 1426 (Auto) OR aes128ctr/sha1, Actual MTU = 1446 (Auto) Bandwidth Test on CHR to CCR (tcp, receive, 1 connection): between public ip = up to 300 Mbps ...

mikruser

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.

mikruser

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one. /ip ipsec proposal add name=newproposal copy-from=default /ip ipsec policy set [find proposal=default] proposal=newproposal I was just posting this exact ...

mikruser

Hello,

Why AES CTR is not hardware accelerated on the CHR?

Image_chr_.png

mikruser

Hello,

Does the System\Watchdog on the CHR make sense?
Can he restart the VM if CHR hangs?

mikruser

but I don't want to create additional vlan interfaces

mikruser

I can not merge bridges, because bridges have different ip-addresses and dhcp-servers on them.

mikruser

Hello, We have routerboard with ether2 and ether3 - in bridge1 ether4 and ether5 - in bridge2 now we need special port ether6 which should be a member of both bridges, but in bridge1 as untagged default vlan (vlan1), and in bridge2 as tagged vlan2. This is can be done very simply on a managed switch...

mikruser

Hello,

Why Fast Path not supported with hardware accelerated IPsec?

mikruser

I see a very large number of messages
expected end of command

looking at all, export/import procedure is very bugged on Mikrotik

mikruser

but cli command /import do not work:

expected end of command (line 24 column 26)

mikruser

How to copy configuration from router1 to router2 (different hardware)?
I see this post: viewtopic.php?t=115073
My question: how to export and import via Winbox GUI? (not via terminal cli!)

mikruser

Hello,

please add the ability to drag and drop (copy) rules (and other stuff) from one Winbox window to another Winbox window.

mikruser

in case there is NAT between server and client: google "AssumeUDPEncapsulationContextOnSendRule"

Thanks, it helped!

mikruser

Hello, CCR1009, 6.43.8 cannot connect to L2TP server from Windows 7 and Windows 2008 R2. ipsec, error no suitable proposal found. ipsec, error x.x.x.x failed to get valid proposal. ipsec, error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1). ipsec, error x.x.x.x phase1 negotiation fail...

mikruser

What types of authentication does Mikrotik router support with Windows client?
Only "Use machine certificates"? Or also "Use EAP"?

mikruser

Hello, I already have several ipsec peers with unique ip addresses (it is used for l2tp/ipsec site-to-site vpn's). Now I need to make a IKEv2 server for incoming connections from remote notebooks. For this i need to create ipsec peer with address 0.0.0.0/0. Is it possible to use this peer with other...

mikruser

My question about Backup/Restore

(Import/Export do not work on my devices)

mikruser

Hello,

How to backup config without mac-addresses?
or how to restore config without changing mac-addresses?

mikruser

But why i do not see Import/Export in Winbox?

mikruser

up!
Why is it removed from Winbox GUI???
(but it is still available from command line: /interface ethernet set ether1 bandwidth=unlimited/unlimited)

mikruser

After the command /interface ethernet set ether4-local bandwidth=unlimited/unlimited
I was able to rename the interface

mikruser

I have this problem again after restoring the configuration

mikruser

RB750Gr3
ROS 6.43.4
Winbox 3.18

restoring configuration incorrectly restored interfaces, and I need to rename them
but when I try to change the name I get an error: Couldn't change Interface - not supported on this interface (6)

Image_interface.png

mikruser

When will AES-CTR be added to RB750Gr3?

mikruser

Hello,

Please add "Reconnect" action to Right Click (Context) menu for all interfaces in Winbox
(reconnect = disable+enable)

mikruser

can you explain your setup and logic behind your policy configuration here? I can not think of a single case where responder should generate a dynamic policy with dst-address=0.0.0.0/0. We have a large number of subnets, and instead of creating a separate policy for each subnet, we create one polic...

mikruser

This behavior can be easily reproduced in the test lab.

mikruser

This is not a configuration issue (this configuration worked fine for 7 years)
problem occurs after upgrade to 6.42.x or 6.43.x

mikruser

This IPsec bug still not fixed viewtopic.php?f=2&t=136445

mikruser

6.43.4 also have this issue!

mikruser

I also tested two hAP ac^2 with 6.43.2

EoIP with IPsec (aes-128 ctr), file copy is only 34 MB/s:

hapac2_eoip_ipsec_ctr.png

EoIP without IPsec, file copy is 68 MB/s:

hapac2_eoip.png

mikruser

6.43.2 also have this issue

mikruser

what is "multiple engine"??

mikruser

You can use minimal (fastest) config, required for EoIP+IPsec or L2TP+IPsec or GRE+IPsec.

mikruser

6.43.2 also have this issue!

mikruser

>>The throughput results are there for you to evaluate the IPsec crypto engine performance, not to show you throughput results with various different configurations. IPsec crypto engine performance is a "spherical cow in a vacuum", and does not show real life results. >>check for packet fragmentati...

mikruser

>>Adding or enabling any additional RouterOS feature apart from IPsec policies can reduce the throughput significantly. That's why I already suggested that you also publish the results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec) https://forum.mikrotik.com/viewtopic.php?f=3&t=...

mikruser

I also tested two RB3011 with 6.43.2, connected via EoIP tunnel with IPsec.
They showed an even lower speed, even with hardware acceleration: file copy only 22 MB/s with aes-128 cbc/ctr (this is very far from declared 407.7 Mbps).
Profile:

rb3011_eoip_ipsec.png

mikruser

Very unbalanced router
https://i.mt.lv/cdn/rb_files/RB4011iGSp ... 135303.png

Each switch have 5*1G port, but only 2.5G link to CPU.

What for this router have 10G sfp+ port? All switches summary have only 5G throughput.

mikruser

I found that even just viewing the settings in the Winbox also often causes a 100% CPU load.

I suspect that the developers simply do not test the latest versions ROS/Winbox on RB751U.

Image100cpu.png

mikruser

Hello,

When Mikrotik releases a router that can handle single IPsec tunnel (or MACsec) at 2.5G, 5G, 10G?

mikruser

May I ask why downgrade to such a vulnerable version? Wouldn't be better to upgrade the other equipment if having the same version on all hardware is important?

Due to a this bug in 6.42.x:
viewtopic.php?t=136445

Search found 377 matches