MikroTik

mikruser

Hello,

https://wiki.mikrotik.com/wiki/Manual:I ... celeration
x86 (AES-NI) ***
*** AES-CBC and AES-CTR only encryption is accelerated, hashing done in software.

Why hashing is not hardware accelerated?
AMD CPU support SHA extensions: https://en.wikipedia.org/wiki/Intel_SHA_extensions

mikruser

I know what's loading the CPU.
My question is, why so much?
One EPYC Rome core can do 1.7 GBytes/s AES encryption.
Two cores can 2*1.7*8=27 Gbits/s
My traffic is very small, only 0.5 Gbit/s
CPU load caused by encryption should be lower than 2%

mikruser

Hello,

I have ESXi 6.7U3 host with AMD EPYC 7502P processor, and VM (2 vCPU) with CHR 6.45.8
On CHR created vpn-tunnel GRE+IPsec (aes-128 ctr sha1)

When i do vMotion via this tunnel at speed 500 Mbit/s, this cause VM CPU usage 45%

Why CPU usage so high?

mikruser

For example - you have multiple offices: HQ-office and branch-offices, each office have piblic IP and private subnet. Very simple solution: HQ-office Mikrotik (master) and branch-offices Mikrotik (slave) have this table: public_ip, private_subnet 1.1.1.1, 192.168.1.0/24 2.2.2.2, 192.168.2.0/24 ........

mikruser

Hello,

Please add button "View packets" (like Torch or Sniffer) on Rule Statistics tab!

mikruser

Hello,
How to disable promiscuous mode on ether1?

mikruser

there are no other versions between them

Image_.png

mikruser

>>Changes since 6.45.7
previous version was 6.44.6

mikruser

I have same issue as described in mdpeterman first post.
NetFlow Analyzer -> Inventory -> Devices-> SomeRouter -> InternalInterface -> Destination (OUT)
shows me external public IP instead of internal private ip-addresses

mikruser

maybe you do not understand my message?

I also have this issue

mikruser

and what should I do?

mikruser

all of these items are already selected by default

mikruser

where to set these fields?

mikruser

what are you speaking about?

mikruser

Also have this issue!

6.44.6, Traffic Flow Version: 9

How to fix it?

mikruser

why did the router send packets from the wrong interface

I do not see your config.
maybe you do not have the necessary mangle output rules,or maybe you do not have the necessary route rules...

mikruser

You should exclude PublicIP-to-PublicIP connections from NAT'ing

mikruser

havrla
illinos is very super for fast and long lines. (VDSL, WIFI, )

"Westwood" is much better:

aed1d4d480366a904cf94a6f3977b383.png

mikruser

don't listen to noobs, you no need add public ip to nat rule.

you need add firewall rule:
accept
forward
dst.address=your internal ip
protocol=tcp
dst.port=your internal port

mikruser

for example https://wiki.mikrotik.com/wiki/Manual:IP/Route
do not have information about "Rules" tab settings.

mikruser

Because it doesn't work as you think. Proposal is linked to policy and policy is linked to peer. Not the other way around. So what you created just sits there and does nothing, because automatically created peer won't use it. You are wrong. Dynamic policies are generated from a template policy: htt...

mikruser

Hello,

I have multiple gre-tunnels with ipsec secret enabled. In gre-tunnel i cannot select custom ipsec proposal.
I created custom IPsec Policy Template (priority#0) for Protocol:47 and custom proposal, but my gre-tunnels still use default proposal.

Why?

mikruser

yeahbunin
read my previous message

mikruser

>>add action=accept chain=forward dst-port=65022 protocol=tcp

you need change port to 22

mikruser

>>Have you specified local and remote addresses of GRE on both routers?
Yes

>>Do you allow proper protocols to pass firewall?
Yes, full access for these addresses (without "IPsec Secret" gre-tunnel link up successfully).

I think this is a bug in ROS...

mikruser

Hello, I created GRE tunnel (with IPsec Sercret) between CCR and CHR. (6.44.6) 1) policy created dynamically successfully (ph2 state established) 2) peer created dynamically successfully 3) identities created dynamically successfully 4) remote peers and installed sa created dynamically successfully ...

mikruser

Hello,
Is it possible to see in Winbox %lost datagrams related to outer (connectionless/stateless) protocol of VPN tunnel?

mikruser

Hello,

How does AutoMTU (Actual MTU) work for VPN tunnels?

For example: i have gre+ipsec tunnels sha1/aes-128 ctr

CCR1009(AMTU1446)----(AMTU1434)RB3011

CCR1009(AMTU1446)----(AMTU1434)hAPac2

Why MTU is different on both sides?

mikruser

Where can I download admin guide with a detailed description of all settings?

mikruser

Hello,

How to set priorities for the encryption algorithms in the default IPsec proposal?

I have "aes-128 cbc" and "aes-128 ctr" selected, and need now set priority1 to ctr, and priority2 to cbc.

mikruser

Hello,
I have router with 3 WAN interfaces.
How to select interface in Bandwidth Test tool? (like in Traceroute tool)

Image_mikr_bt.png

mikruser

Ok, it works...

but this is a very inconvenient setup method.

please add ability to configure through USB!

mikruser

I'm trying login to MQS as described in https://i.mt.lv/cdn/rb_files/1572339613 ... %20web.pdf
but no success
I can connect to wireless network RBMQS_AP1, but computer can't get ip address.
I'm trying reset MQS, but no success.

mikruser

use blackhole route

mikruser

Any news about implementing this feature (VI)?

ISP gave me an additional IP-address on a different subnet.
Now i need create additional (virtual) interface on ether1. MAC address must be different.

mikruser

Absolutely incorrect.
Normal providers do not touch transit icmp traffic.

mikruser

Hello, What type of vpn tunnel should be used in this case: 1) server and clients are Mikrotik routers. 2) server have public ip address. 3) all clients have private ip addresses (behind nat). 4) some clients behind same nat (l2tp+ipsec do not work in this case). 5) MPPE encryption or certificates s...

mikruser

mikrotik's "stable" = beta version in real life

mikruser

6.44.5

mikruser

Interface lte1 - General - APN Profile:
this setting is not remembered between reboots

mikruser

doneware NAT - is not really a CPU intensive process but in real life author writes something else: doush Router only does NAT and nothing else. CCR1072 CPU consumption is %50 with 18gbit/s total throuput + firewall + NAT plus some cores hitting %80. doneware using a dedicated CPU instruction set (...

mikruser

I am very surprised that Mikrotik does not use hardware NAT'ing.

mikruser

Hello,
Please implement VPN over ICMP (ICMP Tunnel)
(it can be very useful in some countries with a totalitarian regime)))

mikruser

normis
Tue Jul 30, 2019 9:57 am
The GPER is a passive device that connects wires together, you can call it Layer1. This is not really a hub.

normis
Fri Aug 02, 2019 3:14 pm
Yes, there is a basic switch chip inside.

Two completely different answers.
You are Dr Jekyll and Mr Hyde??

mikruser

If GPER is just a passive device that connects wires together, then the price is perplexing (50% of Raspberry Pi 4 computer)

mikruser

1) Of course it matters (and two port has nothing to do with it)
2) ???
3) Ok

mikruser

Hello,
1) at what OSI layer this device work? at L1 like hub, or at L2 like switch?
2) what delay does this device add?
3) why distance is limited to 1500 m?

mikruser

Hello,

CHR 6.44.2
PRTG Network Monitor SNMP Traffic sensor

When i copy file via gigabit adapter, SNMP sensor show only 430 Mbit/s

This is a bug in Mikrotik SNMP or in PRTG?

Image1_snmp_.png

mikruser

Hello,

please add not only udp and tcp, but also protocols 4, 47, 50.

mikruser

GRE+IPsec still slow:
viewtopic.php?f=2&t=146665

mikruser

Hello, CHR, 6.44.1, 2 vcpu Xeon Gold CCR1009, 6.44.1 WAN with 45 ms latency [CHR]---wan(tunnel gre+ipsec)wan---[CCR1009] aes128cbc/sha1, Actual MTU = 1426 (Auto) OR aes128ctr/sha1, Actual MTU = 1446 (Auto) Bandwidth Test on CHR to CCR (tcp, receive, 1 connection): between public ip = up to 300 Mbps ...

mikruser

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.

mikruser

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one. /ip ipsec proposal add name=newproposal copy-from=default /ip ipsec policy set [find proposal=default] proposal=newproposal I was just posting this exact ...

mikruser

Hello,

Why AES CTR is not hardware accelerated on the CHR?

Image_chr_.png

mikruser

Hello,

Does the System\Watchdog on the CHR make sense?
Can he restart the VM if CHR hangs?

mikruser

but I don't want to create additional vlan interfaces

mikruser

I can not merge bridges, because bridges have different ip-addresses and dhcp-servers on them.

mikruser

Hello, We have routerboard with ether2 and ether3 - in bridge1 ether4 and ether5 - in bridge2 now we need special port ether6 which should be a member of both bridges, but in bridge1 as untagged default vlan (vlan1), and in bridge2 as tagged vlan2. This is can be done very simply on a managed switch...

mikruser

Hello,

Why Fast Path not supported with hardware accelerated IPsec?

mikruser

I see a very large number of messages
expected end of command

looking at all, export/import procedure is very bugged on Mikrotik

mikruser

but cli command /import do not work:

expected end of command (line 24 column 26)

mikruser

How to copy configuration from router1 to router2 (different hardware)?
I see this post: viewtopic.php?t=115073
My question: how to export and import via Winbox GUI? (not via terminal cli!)

mikruser

Hello,

please add the ability to drag and drop (copy) rules (and other stuff) from one Winbox window to another Winbox window.

mikruser

in case there is NAT between server and client: google "AssumeUDPEncapsulationContextOnSendRule"

Thanks, it helped!

mikruser

Hello, CCR1009, 6.43.8 cannot connect to L2TP server from Windows 7 and Windows 2008 R2. ipsec, error no suitable proposal found. ipsec, error x.x.x.x failed to get valid proposal. ipsec, error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1). ipsec, error x.x.x.x phase1 negotiation fail...

mikruser

What types of authentication does Mikrotik router support with Windows client?
Only "Use machine certificates"? Or also "Use EAP"?

mikruser

Hello, I already have several ipsec peers with unique ip addresses (it is used for l2tp/ipsec site-to-site vpn's). Now I need to make a IKEv2 server for incoming connections from remote notebooks. For this i need to create ipsec peer with address 0.0.0.0/0. Is it possible to use this peer with other...

mikruser

My question about Backup/Restore

(Import/Export do not work on my devices)

mikruser

Hello,

How to backup config without mac-addresses?
or how to restore config without changing mac-addresses?

mikruser

But why i do not see Import/Export in Winbox?

mikruser

up!
Why is it removed from Winbox GUI???
(but it is still available from command line: /interface ethernet set ether1 bandwidth=unlimited/unlimited)

mikruser

After the command /interface ethernet set ether4-local bandwidth=unlimited/unlimited
I was able to rename the interface

mikruser

I have this problem again after restoring the configuration

mikruser

RB750Gr3
ROS 6.43.4
Winbox 3.18

restoring configuration incorrectly restored interfaces, and I need to rename them
but when I try to change the name I get an error: Couldn't change Interface - not supported on this interface (6)

Image_interface.png

mikruser

When will AES-CTR be added to RB750Gr3?

mikruser

Hello,

Please add "Reconnect" action to Right Click (Context) menu for all interfaces in Winbox
(reconnect = disable+enable)

mikruser

can you explain your setup and logic behind your policy configuration here? I can not think of a single case where responder should generate a dynamic policy with dst-address=0.0.0.0/0. We have a large number of subnets, and instead of creating a separate policy for each subnet, we create one polic...

mikruser

This behavior can be easily reproduced in the test lab.

mikruser

This is not a configuration issue (this configuration worked fine for 7 years)
problem occurs after upgrade to 6.42.x or 6.43.x

mikruser

This IPsec bug still not fixed viewtopic.php?f=2&t=136445

mikruser

6.43.4 also have this issue!

mikruser

I also tested two hAP ac^2 with 6.43.2

EoIP with IPsec (aes-128 ctr), file copy is only 34 MB/s:

hapac2_eoip_ipsec_ctr.png

EoIP without IPsec, file copy is 68 MB/s:

hapac2_eoip.png

mikruser

6.43.2 also have this issue

mikruser

what is "multiple engine"??

mikruser

You can use minimal (fastest) config, required for EoIP+IPsec or L2TP+IPsec or GRE+IPsec.

mikruser

6.43.2 also have this issue!

mikruser

>>The throughput results are there for you to evaluate the IPsec crypto engine performance, not to show you throughput results with various different configurations. IPsec crypto engine performance is a "spherical cow in a vacuum", and does not show real life results. >>check for packet fragmentati...

mikruser

>>Adding or enabling any additional RouterOS feature apart from IPsec policies can reduce the throughput significantly. That's why I already suggested that you also publish the results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec) https://forum.mikrotik.com/viewtopic.php?f=3&t=...

mikruser

I also tested two RB3011 with 6.43.2, connected via EoIP tunnel with IPsec.
They showed an even lower speed, even with hardware acceleration: file copy only 22 MB/s with aes-128 cbc/ctr (this is very far from declared 407.7 Mbps).
Profile:

rb3011_eoip_ipsec.png

mikruser

Very unbalanced router
https://i.mt.lv/cdn/rb_files/RB4011iGSp ... 135303.png

Each switch have 5*1G port, but only 2.5G link to CPU.

What for this router have 10G sfp+ port? All switches summary have only 5G throughput.

mikruser

I found that even just viewing the settings in the Winbox also often causes a 100% CPU load.

I suspect that the developers simply do not test the latest versions ROS/Winbox on RB751U.

Image100cpu.png

mikruser

Hello,

When Mikrotik releases a router that can handle single IPsec tunnel (or MACsec) at 2.5G, 5G, 10G?

mikruser

May I ask why downgrade to such a vulnerable version? Wouldn't be better to upgrade the other equipment if having the same version on all hardware is important?

Due to a this bug in 6.42.x:
viewtopic.php?t=136445

mikruser

This is correct behavior.

But why??
We have another hAP ac^2 router and it works fine with version 6.41.4:

Image_hapac2.png

mikruser

Hello,

Suggestion: release routers with preinstalled Factory Software only from Bugfix release chain.

mikruser

We have hAP ac^2 with Factory Software 6.42.3
How to downgrade the ROS below the factory version (to 6.41.4)?
After /system package downgrade
we get error
error: omitting package system-6.41.4: min RouterOS version is 6.42.3

mikruser

see answer in this topic: viewtopic.php?f=1&t=138427#p682693

Cha0s

Have you tried TP-Link or D-Link?

I am sure they are much easier with all their wizards whistles and bells.

If you find RouterOS hard, then it's probably not for you.

mikruser

Advanced tab also not enough in this case.

mikruser

we are talking about only first tab

mikruser

Simple queue is perfectly adequate for this. Just use the first tab.
With only first tab is impossible to perform an elementary task in one queue:
set summary limit + set per IP limit

mikruser

Feature request: AES hardware acceleration for OpenVPN

mikruser

Hello,

current Queues has a very large number of settings and a very complex and confusing.

Please add simple speed limiter.

mikruser

Hello,

Please add "Benchmark" button to Winbox IP-IPsec-Proposals
for benchmark selected algorithms "encryption", "decryption", "encryption+decryption" speed on any platform
(like VeraCrypt Tools-Benchmark):

Image_bench.png

mikruser

6.42.7 also have this issue!

mikruser

IPv4 fast path is automatically used if following conditions are met:

firewal rules are not configured;

LOL, in this case Fast Path absolutely useless
I do not have routerboards without firewall rules

mikruser

Hello,

Fast Path enabled
But why Fast Path not active?

Image1_fp.png

mikruser

Hello,

Please add to Winbox backup restore wizard:

Interfaces remapping
Interfaces MAC addresses: preserve/reset
DHCP leases: preserve/remove

mikruser

I already have a configuration with a very large number of Ipsec policies (all these policies use proposal:default).

Now I created a l2tp connection with "Use Ipsec", and i need another custom proposal for this.

mikruser

After investigation, I found that the bug is in Firewall-Service Ports-sip
After disable this port, 6.42 also works fine

mikruser

Hello,

Please add the ability to choose Proposal (in L2tp with "Use IPsec")

mikruser

Hello,

Please add SMB WAN Accelerator (for high latency VPN links)
like this: https://www.silver-peak.com/applications/cifs-smb

mikruser

Hello,

Some RouterBoard models have encryption engine.
Central Processing Unit (CPU) and Crypto Processing Unit (CrPU)

But currently in Tools-Profile we can see only CPU % Usage.

Suggestion: please add to Profile also CrPU % Usage.

mikruser

This topic about CCR

mikruser

There is a plan to make HW acceleration for GCM.
Thank you for the confirmation Maris.

As it turned out, the confirmation was not true

mikruser

The presentation says the VMXNET3 NIC supports fastpath. Are you using that?

CHR always uses VMXNET3

mikruser

Also have this question.
Any official comments?

Image_chr_fp.png

mikruser

Yes, Windows share file copy.
I also tried vSphere vMotion, but it did not exceed 60 Mbit/s.

mikruser

Hello, We have WAN-link with 1Gbit/s throughput, but 40 ms latency. iperf3 UDP test really can do 1Gbit/s almost lossless. We have L2TP IPsec tunnel over this WAN-link: LAN1---[CHR]---(l2tp_ipsec_vpn)---[CCR]---LAN2 Now file copy between LAN1 and LAN2 is only 6 MB/s maximum. I try different aes mode...

mikruser

I do not see changes in SIP

mikruser

+ for Iperf

mikruser

kasparskr

do you can release Traffic Generator for Windows?

mikruser

Hello, We have this setup: [FreePBX]---[CCR1]---(l2tp_ipsec_tunnel)---[CCR2]---[sip_clients] At night I updated ССR from 6.40.8 to 6.42.6. As a result, about half of sip clients/trunks can not register (FreePbx reboot did not help). After downgrade CCR back to 6.40.8 everything again worked fine. Wh...

mikruser

Hello,

Please add to l2tp client Dial Out page "IPsec proposal" field

mikruser

Hello,

What is "unclassified"?

Image1_btest_profile.png

mikruser

Hello,

Question about Tools - Bandwidth Test

What TCP Window Size does the test use?

mikruser

Any official info about Bandwidth Test for Windows?

mikruser

Thanks, it works. You are a genius.

mikruser

>>You may start by removing the additional 2.2.2.x addresses in your current setup

these are the necessary addresses, they must be accessible from the Internet

mikruser

>>simply remove one Ethernet interface from an existing bridge and add IP address 2.2.2.1/27 to that interface.
which Ethernet interface?
from which bridge?
why only 2.2.2.1?

I do not see it in your diagram

mikruser

On your diagram I do not see addresses from 2.2.2.0/24 subnet. (on my diagram these 30 addresses resides on Mikrotik2 <2.2.2.2>interface as additional addresses)

mikruser

Аbsolutely did not understand you.
Could you draw a diagram with addresses from my example?

mikruser

>>what is currently between the two Mikrotiks nothing. direct connection. Post the current configurations of both Mikrotiks For example (Mikrotik #1 is only routing, #2 routing and NAT): (Internet, provider gateway)---(1.1.1.0/30)---<1.1.1.1>[Mikrotik1]<2.2.2.1>---(2.2.2.0/24)---<2.2.2.2>[Mikrotik2...

mikruser

Hello,
When i try Make RouterOS Image, i get error:
Couldn't start - this is not a host system

Image_kvm_chr.png

mikruser

How possible create router inside router? Using VRF? KVM? Or more simple solution?

mikruser

Hello, Currently i have this: (Internet)---(MyPublicSubnet1)---[Mikrotik1]---(MyPublicSubnet2)---[Mikrotik2]---(MyPrivateSubnet) MyPublicSubnet1 with 2 public ip MyPublicSubnet2 with 30 public ip Mikrotik1 is only routing Mikrotik2 is routing, nat, l2tp_ipsec_vpn My question: it is possible to creat...

mikruser

Bandwidth Test shows results every 1 second. Snmp monitoring software can not show so frequently.

mikruser

this is a joke? how do you imagine a bandwidth test through snmp?

mikruser

we need more than one number, we need a few numbers (at least two - at the bottom and at the top)

image_bt_num.png

mikruser

TomjNorthIdaho
viewtopic.php?f=1&t=132035

mikruser

We need numbers on the Y-axis so that they can be seen in the screenshots (if you do not understand this from the first message).

mikruser

vecernik87
You are troll? Try mouse over my screenshot.

mikruser

>>I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen

You also use 0.0.0.0/0 in Src.Address (and Generate Policy on other side)?

mikruser

I found a bug in the 6.42.x version:
6.42 generate policy with incorrect Dst.Address: instead of 0.0.0.0/0 (in 6.41) i see public ip of remote router (in 6.42)

Mikrotik, please fix this bug ASAP!

mikruser

Hello,

Please add numbers on Y-axis in Bandwidth Test

image_bt.png

mikruser

Hello,

I create l2tp ipsec tunnel (sha1 aes-128-cbc) Encoding: cbc(aes) + hmac(sha1)
It work, but without hardware acceleration: show E (E-ESP) instead of EH (E-ESP H-Hardware AEAD)

ESXi 6.7, CHR 6.42.5

mikruser

Hello,
After updating from 6.41.4 to 6.42.5 the traffic does not go through the tunnel (tunnel is established, but the traffic does not go).
After downgrade to 6.41.4 everything works fine again.

What changes in 6.42. led to this?

mikruser

Hello,
The interface Name can be anything and does not match the real (physical) number. (for example: ether interface number 2 can have Name 'ether5')
How to see real (physical) ether interface number? (remote, via Winbox)

mikruser

Hello,

Is the module S+RJ10 (https://mikrotik.com/product/s_rj10) compatible with other vendor switches (like HPE, Dell, etc)?

mikruser

>>Remeber that neighbours seen by the router on the "other end" of interface could not be reachable from your LAN segment.

Router on the "other end" should act as a "proxy for winbox" in this case.

mikruser

I do not see "MAC Winbox" in your red circle

mikruser

Hello,

Please add ability to connect to remote neighbors via MAC Winbox
(Menu "IP" - "Neighbors")

mikruser

Hello,

Some models can be overclocked +25% via System - Routerboard - Settings - CPU Frequency.
Is it officially supported? In this case, do we need special conditions for this (eg additional cooling)?

cpu_rb951.png

cpu_hapac2.png

mikruser

Any answer from Mikrotik?
When will you fix this bug?
This is a very serious problem!

mikruser

No, i mean RB750Gr3

mikruser

Hello,

When we can expect the appearance hEX (RB750Gr3) with PoE out (802.3af/at)?

mikruser

Also have this issue CCR1009, 6.39.3 sometime l2tp tunnel cannot connect: l2tp-out1: initializing... l2tp-out1: connecting... l2tp-out1: terminating... - session closed l2tp-out1: disconnected... l2tp-out1: initializing... l2tp-out1: connecting... l2tp-out1: terminating... - old tunnel is not closed...

mikruser

You can see it on Specifications page for all dual-band AP:

https://mikrotik.com/product/RB962UiGS-5HacT2HnT
https://mikrotik.com/product/cap_ac
https://mikrotik.com/product/hap_ac2

Image_mikr_ap.png

i do not see "a" and "n" for 5 GHz...

mikruser

Hello,

Mikrotik dual-band SOHO access point really do not support "n" and "a" standards in 5 GHz?

mikruser

Hello, We have many devices with 6.39.3 and use setting in Interfaces - Ethernet - General - Bandwidth (Rx/Tx) (https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet) After upgrade to 6.41 this option is gone. Changelog do not have any info about this! https://mikrotik.com/download/changelogs/cur...

mikruser

you do not see first post?

mikruser

any comments from Mikrotik?

mikruser

Currently Mikrotik publish only very synthetic UPD test results, and refuses to publish real-life TCP test results.
You can write a petition about adding result for "Single tunnel TCP single thread" viewtopic.php?f=3&t=97880

mikruser

Hello,

Why Test results for wireless devices
https://mikrotik.com/product/RBcAP2nD#tab1_4
have Ethernet test results instead of Wireless test results?

mikruser

Hello,

I'm trying to find hardware with such specs:

1) Router with hardware AES and 802.3af/at PoE output.
2) Dual-band Ceiling AP with 802.3af/at PoE input.

Does Mikrotik plan to produce such devices?

mikruser

how to kill all old connections if the failover switching occur?

mikruser

Hello, We have a central office (Server side) and several branches (Client side), connected via ipsec in tunnel mode. what are the best practices for creating ipsec tunnels? (we need fast tunnel establishment and fast reconnection). three variants are possible: 1) Server side: Manually created polic...

mikruser

ROS 6.39.3
also have this issue:

rb751_6393.png

mikruser

Windows(192.168.0.1)----()hEX(10.0.0.1)----EoIP+IPsec----(10.0.0.2)hEX()----(192.168.0.2)Windows

mikruser

didomir
>>You can find information here how the tests has been done: https://wiki.mikrotik.com/wiki/Manual:I ... imizations
This is synthetic UDP test.
True "real life" test its TCP single connection, as i suggested.

mikruser

Paternot
>>Traffic inside the IPsec tunnel still crosses the forward chain
No

eoip_ipsec.png

>>Just occurred to me: You said the traffic was about 260 Mb/s. It was just download?
Its unidirectional file copy (download or upload)

mikruser

IPsec use "input" and "output" chain, not "forward".

mikruser

You do not understand. Its "L2 wire" only. No L3 forward.

mikruser

Firewall is blank
These two Hex is direct connected and used as encrypted wire in LAN

mikruser

RB750Gr3
6.39.3
today I found port flapping:

hex_port_flapping.png

mikruser

hex_eoip_ipsec.png

mikruser

Hello, I have RB750Gr3 (6.39.3) with these interfaces: ether1 ether2 ether3 ether4 ether5 eoip-tunnel1 eoip-tunnel2 bridge1 bridge2 ether2, ether3, eoip-tunnel1 is members of bridge1 ether4, ether5, eoip-tunnel2 is members of bridge2 Currently mac-address of bridge1 = mac-address of eoip-tunnel1 mac...

mikruser

I tested in 1Gbit LAN

mikruser

I tested two 750G r3 (6.39.3), connected via EoIP tunnel with IPsec.
Windows file copy test show only 33 MB/s (264 Mbps). This is very far from declared 477 Mbps https://mikrotik.com/product/RB750Gr3.

Maybe you add also results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec)?

mikruser

Hello,

I have two RB751U (ROS 6.39.3), and EoIP with ipsec tunnel between them.
When i copy file over tunnel, i see 75% "unclassified" cpu usage:

rb751_eoip.png

mikruser

>>It is stateless traffic, so you could say it is UDP. Please add result for "Single tunnel TCP single thread". Its very useful info, for example as file copying. >>There is no use of testing devices without hardware acceleration, because their performance difference between models is insignificant...

mikruser

As I see, you added "IPsec test results" for some products, like this https://mikrotik.com/product/CCR1009-7G-1C-1Splus

Some questions:

1) how many threads were used in Single tunnel?
2) it's TCP or UDP throughput?
3) why you publish results only for products with hardware ipsec?

mikruser

mikruser

MAC-WinBox service???

mikruser

Also have this issue.
But after disable "SIP Direct Media" all works fine.

Why "SIP Direct Media" is enabled by default?
It should be disabled by default!

mikruser

Hello,

Winbox cannot connect to mac-address:

winbox_macaddr.png

why?

mikruser

But when 6.39 become a bugfix???

very strange situation:

6.41.x = RC
6.40.x = Current
6.39.x = WTF??? Where??? When???
6.38.x = Bugfix

mikruser

CCR1009-8G, 6.39, 6.39.2
I have two interfaces (Type:L2TP Server Binding):
l2tp-in1
l2tp-in2

but sometimes instead of l2tp-in2 i see dynamic interface:

l2tp_sb.png

mikruser

Hello,

Currently "Route Check Gateway" based on simply ping.
My suggestion: add check gateway based on link quality (ping jitter and packet loss) for given period of time.

mikruser

Do you have any plans to release wireless+router devices with HW-IPsec?

mikruser

Hello,

Which wireless+router device (https://mikrotik.com/products/group/wir ... and-office) can handle at least 40Mbit/s ipsec vpn?

mikruser

Hello,

Why hAP lite and hAP lite classic have
Product specifications
CPU QCA9533

but have
Ethernet test results
QCA9531 (650Mhz) 100M all port test

???
https://mikrotik.com/product/RB941-2nD-TC
https://mikrotik.com/product/RB941-2nD

mikruser

Also have this issue (100% cpu) on some RB751U-2HnD (ROS 6.40):

Image1.png

Image2.png

Image3.png

Image4.png

Image5.png

Image6.png

How to fix this issue?

mikruser

Hello,

Can ROS x86 or ROS CHR use AVX2 and AVX-512 instructions from Skylake-X (Core i9 7900X) and Xeon Scalable?

mikruser

Hello,

Please add ability to use DNS names in:

IP-IPsec-Policies-General\Action-Dst.Address
IP-IPsec-Peers-General-Address

mikruser

Any info?

which led\color for 10 Mbps link?
which led\color for 100 Mbps link?
which led\color for 1000 Mbps link?
which led(s)\color(s) for Full\Half duplex link?
which led\color for activity?

mikruser

UP!
We want multiple IP in Watchdog ASAP!

mikruser

We again got this issue - CCR1009 "hung" very strange - ping work, but all ppp-tunnels cannot connect, we cannot connect Winbox to ip, and Winbox do not see CCR in Neighbors.
Only manual power cycle help me.

mikruser

From my experience: 1) "Bugfix" = Final stable version. Only this should be installed on production router. 2) "Current" = Public beta version with bugs for public beta testing, but have official support via support@mikrotik.com. You can install it on own risk. 3) "Release candidate" = beta version ...

mikruser

I repeat my question:
When we can expect this fix in "bugfix" branch?

mikruser

Hello,

We need monitor via SNMP "Interface\ Status \ Link Downs" value, and "Rate" and "Full Duplex" value.
Its possible?

Search found 420 matches