MikroTik

mikruser

I am very surprised that Mikrotik does not use hardware NAT'ing.

mikruser

Hello,
Please implement VPN over ICMP (ICMP Tunnel)
(it can be very useful in some countries with a totalitarian regime)))

mikruser

normis
Tue Jul 30, 2019 9:57 am
The GPER is a passive device that connects wires together, you can call it Layer1. This is not really a hub.

normis
Fri Aug 02, 2019 3:14 pm
Yes, there is a basic switch chip inside.

Two completely different answers.
You are Dr Jekyll and Mr Hyde??

mikruser

If GPER is just a passive device that connects wires together, then the price is perplexing (50% of Raspberry Pi 4 computer)

mikruser

1) Of course it matters (and two port has nothing to do with it)
2) ???
3) Ok

mikruser

Hello,
1) at what OSI layer this device work? at L1 like hub, or at L2 like switch?
2) what delay does this device add?
3) why distance is limited to 1500 m?

mikruser

Hello,

CHR 6.44.2
PRTG Network Monitor SNMP Traffic sensor

When i copy file via gigabit adapter, SNMP sensor show only 430 Mbit/s

This is a bug in Mikrotik SNMP or in PRTG?

Image1_snmp_.png

mikruser

Hello,

please add not only udp and tcp, but also protocols 4, 47, 50.

mikruser

GRE+IPsec still slow:
viewtopic.php?f=2&t=146665

mikruser

Hello, CHR, 6.44.1, 2 vcpu Xeon Gold CCR1009, 6.44.1 WAN with 45 ms latency [CHR]---wan(tunnel gre+ipsec)wan---[CCR1009] aes128cbc/sha1, Actual MTU = 1426 (Auto) OR aes128ctr/sha1, Actual MTU = 1446 (Auto) Bandwidth Test on CHR to CCR (tcp, receive, 1 connection): between public ip = up to 300 Mbps ...

mikruser

All my tunnels are configured with IPsec Secret enabled, and I will not change it.

We simply need the ability to choose Proposal for each tunnel.

mikruser

I still do not see any real benefit of your request. It literally takes 2 seconds to change proposal value for your policies to a different one. /ip ipsec proposal add name=newproposal copy-from=default /ip ipsec policy set [find proposal=default] proposal=newproposal I was just posting this exact ...

mikruser

Hello,

Why AES CTR is not hardware accelerated on the CHR?

Image_chr_.png

mikruser

Hello,

Does the System\Watchdog on the CHR make sense?
Can he restart the VM if CHR hangs?

mikruser

but I don't want to create additional vlan interfaces

mikruser

I can not merge bridges, because bridges have different ip-addresses and dhcp-servers on them.

mikruser

Hello, We have routerboard with ether2 and ether3 - in bridge1 ether4 and ether5 - in bridge2 now we need special port ether6 which should be a member of both bridges, but in bridge1 as untagged default vlan (vlan1), and in bridge2 as tagged vlan2. This is can be done very simply on a managed switch...

mikruser

Hello,

Why Fast Path not supported with hardware accelerated IPsec?

mikruser

I see a very large number of messages
expected end of command

looking at all, export/import procedure is very bugged on Mikrotik

mikruser

but cli command /import do not work:

expected end of command (line 24 column 26)

mikruser

How to copy configuration from router1 to router2 (different hardware)?
I see this post: viewtopic.php?t=115073
My question: how to export and import via Winbox GUI? (not via terminal cli!)

mikruser

Hello,

please add the ability to drag and drop (copy) rules (and other stuff) from one Winbox window to another Winbox window.

mikruser

in case there is NAT between server and client: google "AssumeUDPEncapsulationContextOnSendRule"

Thanks, it helped!

mikruser

Hello, CCR1009, 6.43.8 cannot connect to L2TP server from Windows 7 and Windows 2008 R2. ipsec, error no suitable proposal found. ipsec, error x.x.x.x failed to get valid proposal. ipsec, error x.x.x.x failed to pre-process ph1 packet (side: 1, status 1). ipsec, error x.x.x.x phase1 negotiation fail...

mikruser

What types of authentication does Mikrotik router support with Windows client?
Only "Use machine certificates"? Or also "Use EAP"?

mikruser

Hello, I already have several ipsec peers with unique ip addresses (it is used for l2tp/ipsec site-to-site vpn's). Now I need to make a IKEv2 server for incoming connections from remote notebooks. For this i need to create ipsec peer with address 0.0.0.0/0. Is it possible to use this peer with other...

mikruser

My question about Backup/Restore

(Import/Export do not work on my devices)

mikruser

Hello,

How to backup config without mac-addresses?
or how to restore config without changing mac-addresses?

mikruser

But why i do not see Import/Export in Winbox?

mikruser

up!
Why is it removed from Winbox GUI???
(but it is still available from command line: /interface ethernet set ether1 bandwidth=unlimited/unlimited)

mikruser

After the command /interface ethernet set ether4-local bandwidth=unlimited/unlimited
I was able to rename the interface

mikruser

I have this problem again after restoring the configuration

mikruser

RB750Gr3
ROS 6.43.4
Winbox 3.18

restoring configuration incorrectly restored interfaces, and I need to rename them
but when I try to change the name I get an error: Couldn't change Interface - not supported on this interface (6)

Image_interface.png

mikruser

When will AES-CTR be added to RB750Gr3?

mikruser

Hello,

Please add "Reconnect" action to Right Click (Context) menu for all interfaces in Winbox
(reconnect = disable+enable)

mikruser

can you explain your setup and logic behind your policy configuration here? I can not think of a single case where responder should generate a dynamic policy with dst-address=0.0.0.0/0. We have a large number of subnets, and instead of creating a separate policy for each subnet, we create one polic...

mikruser

This behavior can be easily reproduced in the test lab.

mikruser

This is not a configuration issue (this configuration worked fine for 7 years)
problem occurs after upgrade to 6.42.x or 6.43.x

mikruser

This IPsec bug still not fixed viewtopic.php?f=2&t=136445

mikruser

6.43.4 also have this issue!

mikruser

I also tested two hAP ac^2 with 6.43.2

EoIP with IPsec (aes-128 ctr), file copy is only 34 MB/s:

hapac2_eoip_ipsec_ctr.png

EoIP without IPsec, file copy is 68 MB/s:

hapac2_eoip.png

mikruser

6.43.2 also have this issue

mikruser

what is "multiple engine"??

mikruser

You can use minimal (fastest) config, required for EoIP+IPsec or L2TP+IPsec or GRE+IPsec.

mikruser

6.43.2 also have this issue!

mikruser

>>The throughput results are there for you to evaluate the IPsec crypto engine performance, not to show you throughput results with various different configurations. IPsec crypto engine performance is a "spherical cow in a vacuum", and does not show real life results. >>check for packet fragmentati...

mikruser

>>Adding or enabling any additional RouterOS feature apart from IPsec policies can reduce the throughput significantly. That's why I already suggested that you also publish the results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec) https://forum.mikrotik.com/viewtopic.php?f=3&t=...

mikruser

I also tested two RB3011 with 6.43.2, connected via EoIP tunnel with IPsec.
They showed an even lower speed, even with hardware acceleration: file copy only 22 MB/s with aes-128 cbc/ctr (this is very far from declared 407.7 Mbps).
Profile:

rb3011_eoip_ipsec.png

mikruser

Very unbalanced router
https://i.mt.lv/cdn/rb_files/RB4011iGSp ... 135303.png

Each switch have 5*1G port, but only 2.5G link to CPU.

What for this router have 10G sfp+ port? All switches summary have only 5G throughput.

mikruser

I found that even just viewing the settings in the Winbox also often causes a 100% CPU load.

I suspect that the developers simply do not test the latest versions ROS/Winbox on RB751U.

Image100cpu.png

mikruser

Hello,

When Mikrotik releases a router that can handle single IPsec tunnel (or MACsec) at 2.5G, 5G, 10G?

mikruser

May I ask why downgrade to such a vulnerable version? Wouldn't be better to upgrade the other equipment if having the same version on all hardware is important?

Due to a this bug in 6.42.x:
viewtopic.php?t=136445

mikruser

This is correct behavior.

But why??
We have another hAP ac^2 router and it works fine with version 6.41.4:

Image_hapac2.png

mikruser

Hello,

Suggestion: release routers with preinstalled Factory Software only from Bugfix release chain.

mikruser

We have hAP ac^2 with Factory Software 6.42.3
How to downgrade the ROS below the factory version (to 6.41.4)?
After /system package downgrade
we get error
error: omitting package system-6.41.4: min RouterOS version is 6.42.3

mikruser

see answer in this topic: viewtopic.php?f=1&t=138427#p682693

Cha0s

Have you tried TP-Link or D-Link?

I am sure they are much easier with all their wizards whistles and bells.

If you find RouterOS hard, then it's probably not for you.

mikruser

Advanced tab also not enough in this case.

mikruser

we are talking about only first tab

mikruser

Simple queue is perfectly adequate for this. Just use the first tab.
With only first tab is impossible to perform an elementary task in one queue:
set summary limit + set per IP limit

mikruser

Feature request: AES hardware acceleration for OpenVPN

mikruser

Hello,

current Queues has a very large number of settings and a very complex and confusing.

Please add simple speed limiter.

mikruser

Hello,

Please add "Benchmark" button to Winbox IP-IPsec-Proposals
for benchmark selected algorithms "encryption", "decryption", "encryption+decryption" speed on any platform
(like VeraCrypt Tools-Benchmark):

Image_bench.png

mikruser

6.42.7 also have this issue!

mikruser

IPv4 fast path is automatically used if following conditions are met:

firewal rules are not configured;

LOL, in this case Fast Path absolutely useless
I do not have routerboards without firewall rules

mikruser

Hello,

Fast Path enabled
But why Fast Path not active?

Image1_fp.png

mikruser

Hello,

Please add to Winbox backup restore wizard:

Interfaces remapping
Interfaces MAC addresses: preserve/reset
DHCP leases: preserve/remove

mikruser

I already have a configuration with a very large number of Ipsec policies (all these policies use proposal:default).

Now I created a l2tp connection with "Use Ipsec", and i need another custom proposal for this.

mikruser

After investigation, I found that the bug is in Firewall-Service Ports-sip
After disable this port, 6.42 also works fine

mikruser

Hello,

Please add the ability to choose Proposal (in L2tp with "Use IPsec")

mikruser

Hello,

Please add SMB WAN Accelerator (for high latency VPN links)
like this: https://www.silver-peak.com/applications/cifs-smb

mikruser

Hello,

Some RouterBoard models have encryption engine.
Central Processing Unit (CPU) and Crypto Processing Unit (CrPU)

But currently in Tools-Profile we can see only CPU % Usage.

Suggestion: please add to Profile also CrPU % Usage.

mikruser

This topic about CCR

mikruser

There is a plan to make HW acceleration for GCM.
Thank you for the confirmation Maris.

As it turned out, the confirmation was not true

mikruser

The presentation says the VMXNET3 NIC supports fastpath. Are you using that?

CHR always uses VMXNET3

mikruser

Also have this question.
Any official comments?

Image_chr_fp.png

mikruser

Yes, Windows share file copy.
I also tried vSphere vMotion, but it did not exceed 60 Mbit/s.

mikruser

Hello, We have WAN-link with 1Gbit/s throughput, but 40 ms latency. iperf3 UDP test really can do 1Gbit/s almost lossless. We have L2TP IPsec tunnel over this WAN-link: LAN1---[CHR]---(l2tp_ipsec_vpn)---[CCR]---LAN2 Now file copy between LAN1 and LAN2 is only 6 MB/s maximum. I try different aes mode...

mikruser

I do not see changes in SIP

mikruser

+ for Iperf

mikruser

kasparskr

do you can release Traffic Generator for Windows?

mikruser

Hello, We have this setup: [FreePBX]---[CCR1]---(l2tp_ipsec_tunnel)---[CCR2]---[sip_clients] At night I updated ССR from 6.40.8 to 6.42.6. As a result, about half of sip clients/trunks can not register (FreePbx reboot did not help). After downgrade CCR back to 6.40.8 everything again worked fine. Wh...

mikruser

Hello,

Please add to l2tp client Dial Out page "IPsec proposal" field

mikruser

Hello,

What is "unclassified"?

Image1_btest_profile.png

mikruser

Hello,

Question about Tools - Bandwidth Test

What TCP Window Size does the test use?

mikruser

Any official info about Bandwidth Test for Windows?

mikruser

Thanks, it works. You are a genius.

mikruser

>>You may start by removing the additional 2.2.2.x addresses in your current setup

these are the necessary addresses, they must be accessible from the Internet

mikruser

>>simply remove one Ethernet interface from an existing bridge and add IP address 2.2.2.1/27 to that interface.
which Ethernet interface?
from which bridge?
why only 2.2.2.1?

I do not see it in your diagram

mikruser

On your diagram I do not see addresses from 2.2.2.0/24 subnet. (on my diagram these 30 addresses resides on Mikrotik2 <2.2.2.2>interface as additional addresses)

mikruser

Аbsolutely did not understand you.
Could you draw a diagram with addresses from my example?

mikruser

>>what is currently between the two Mikrotiks nothing. direct connection. Post the current configurations of both Mikrotiks For example (Mikrotik #1 is only routing, #2 routing and NAT): (Internet, provider gateway)---(1.1.1.0/30)---<1.1.1.1>[Mikrotik1]<2.2.2.1>---(2.2.2.0/24)---<2.2.2.2>[Mikrotik2...

mikruser

Hello,
When i try Make RouterOS Image, i get error:
Couldn't start - this is not a host system

Image_kvm_chr.png

mikruser

How possible create router inside router? Using VRF? KVM? Or more simple solution?

mikruser

Hello, Currently i have this: (Internet)---(MyPublicSubnet1)---[Mikrotik1]---(MyPublicSubnet2)---[Mikrotik2]---(MyPrivateSubnet) MyPublicSubnet1 with 2 public ip MyPublicSubnet2 with 30 public ip Mikrotik1 is only routing Mikrotik2 is routing, nat, l2tp_ipsec_vpn My question: it is possible to creat...

mikruser

Bandwidth Test shows results every 1 second. Snmp monitoring software can not show so frequently.

mikruser

this is a joke? how do you imagine a bandwidth test through snmp?

mikruser

we need more than one number, we need a few numbers (at least two - at the bottom and at the top)

image_bt_num.png

mikruser

TomjNorthIdaho
viewtopic.php?f=1&t=132035

mikruser

We need numbers on the Y-axis so that they can be seen in the screenshots (if you do not understand this from the first message).

mikruser

vecernik87
You are troll? Try mouse over my screenshot.

mikruser

>>I am running several IPsec tunnels using various 6.42.x versions and things like this do not happen

You also use 0.0.0.0/0 in Src.Address (and Generate Policy on other side)?

mikruser

I found a bug in the 6.42.x version:
6.42 generate policy with incorrect Dst.Address: instead of 0.0.0.0/0 (in 6.41) i see public ip of remote router (in 6.42)

Mikrotik, please fix this bug ASAP!

mikruser

Hello,

Please add numbers on Y-axis in Bandwidth Test

image_bt.png

mikruser

Hello,

I create l2tp ipsec tunnel (sha1 aes-128-cbc) Encoding: cbc(aes) + hmac(sha1)
It work, but without hardware acceleration: show E (E-ESP) instead of EH (E-ESP H-Hardware AEAD)

ESXi 6.7, CHR 6.42.5

mikruser

Hello,
After updating from 6.41.4 to 6.42.5 the traffic does not go through the tunnel (tunnel is established, but the traffic does not go).
After downgrade to 6.41.4 everything works fine again.

What changes in 6.42. led to this?

mikruser

Hello,
The interface Name can be anything and does not match the real (physical) number. (for example: ether interface number 2 can have Name 'ether5')
How to see real (physical) ether interface number? (remote, via Winbox)

mikruser

Hello,

Is the module S+RJ10 (https://mikrotik.com/product/s_rj10) compatible with other vendor switches (like HPE, Dell, etc)?

mikruser

>>Remeber that neighbours seen by the router on the "other end" of interface could not be reachable from your LAN segment.

Router on the "other end" should act as a "proxy for winbox" in this case.

mikruser

I do not see "MAC Winbox" in your red circle

mikruser

Hello,

Please add ability to connect to remote neighbors via MAC Winbox
(Menu "IP" - "Neighbors")

mikruser

Hello,

Some models can be overclocked +25% via System - Routerboard - Settings - CPU Frequency.
Is it officially supported? In this case, do we need special conditions for this (eg additional cooling)?

cpu_rb951.png

cpu_hapac2.png

mikruser

Any answer from Mikrotik?
When will you fix this bug?
This is a very serious problem!

mikruser

No, i mean RB750Gr3

mikruser

Hello,

When we can expect the appearance hEX (RB750Gr3) with PoE out (802.3af/at)?

mikruser

Also have this issue CCR1009, 6.39.3 sometime l2tp tunnel cannot connect: l2tp-out1: initializing... l2tp-out1: connecting... l2tp-out1: terminating... - session closed l2tp-out1: disconnected... l2tp-out1: initializing... l2tp-out1: connecting... l2tp-out1: terminating... - old tunnel is not closed...

mikruser

You can see it on Specifications page for all dual-band AP:

https://mikrotik.com/product/RB962UiGS-5HacT2HnT
https://mikrotik.com/product/cap_ac
https://mikrotik.com/product/hap_ac2

Image_mikr_ap.png

i do not see "a" and "n" for 5 GHz...

mikruser

Hello,

Mikrotik dual-band SOHO access point really do not support "n" and "a" standards in 5 GHz?

mikruser

Hello, We have many devices with 6.39.3 and use setting in Interfaces - Ethernet - General - Bandwidth (Rx/Tx) (https://wiki.mikrotik.com/wiki/Manual:Interface/Ethernet) After upgrade to 6.41 this option is gone. Changelog do not have any info about this! https://mikrotik.com/download/changelogs/cur...

mikruser

you do not see first post?

mikruser

any comments from Mikrotik?

mikruser

Currently Mikrotik publish only very synthetic UPD test results, and refuses to publish real-life TCP test results.
You can write a petition about adding result for "Single tunnel TCP single thread" viewtopic.php?f=3&t=97880

mikruser

Hello,

Why Test results for wireless devices
https://mikrotik.com/product/RBcAP2nD#tab1_4
have Ethernet test results instead of Wireless test results?

mikruser

Hello,

I'm trying to find hardware with such specs:

1) Router with hardware AES and 802.3af/at PoE output.
2) Dual-band Ceiling AP with 802.3af/at PoE input.

Does Mikrotik plan to produce such devices?

mikruser

how to kill all old connections if the failover switching occur?

mikruser

Hello, We have a central office (Server side) and several branches (Client side), connected via ipsec in tunnel mode. what are the best practices for creating ipsec tunnels? (we need fast tunnel establishment and fast reconnection). three variants are possible: 1) Server side: Manually created polic...

mikruser

ROS 6.39.3
also have this issue:

rb751_6393.png

mikruser

Windows(192.168.0.1)----()hEX(10.0.0.1)----EoIP+IPsec----(10.0.0.2)hEX()----(192.168.0.2)Windows

mikruser

didomir
>>You can find information here how the tests has been done: https://wiki.mikrotik.com/wiki/Manual:I ... imizations
This is synthetic UDP test.
True "real life" test its TCP single connection, as i suggested.

mikruser

Paternot
>>Traffic inside the IPsec tunnel still crosses the forward chain
No

eoip_ipsec.png

>>Just occurred to me: You said the traffic was about 260 Mb/s. It was just download?
Its unidirectional file copy (download or upload)

mikruser

IPsec use "input" and "output" chain, not "forward".

mikruser

You do not understand. Its "L2 wire" only. No L3 forward.

mikruser

Firewall is blank
These two Hex is direct connected and used as encrypted wire in LAN

mikruser

RB750Gr3
6.39.3
today I found port flapping:

hex_port_flapping.png

mikruser

hex_eoip_ipsec.png

mikruser

Hello, I have RB750Gr3 (6.39.3) with these interfaces: ether1 ether2 ether3 ether4 ether5 eoip-tunnel1 eoip-tunnel2 bridge1 bridge2 ether2, ether3, eoip-tunnel1 is members of bridge1 ether4, ether5, eoip-tunnel2 is members of bridge2 Currently mac-address of bridge1 = mac-address of eoip-tunnel1 mac...

mikruser

I tested in 1Gbit LAN

mikruser

I tested two 750G r3 (6.39.3), connected via EoIP tunnel with IPsec.
Windows file copy test show only 33 MB/s (264 Mbps). This is very far from declared 477 Mbps https://mikrotik.com/product/RB750Gr3.

Maybe you add also results for some popular tunnels+ipsec (l2tp+ipsec, gre+ipsec, eoip+ipsec)?

mikruser

Hello,

I have two RB751U (ROS 6.39.3), and EoIP with ipsec tunnel between them.
When i copy file over tunnel, i see 75% "unclassified" cpu usage:

rb751_eoip.png

mikruser

>>It is stateless traffic, so you could say it is UDP. Please add result for "Single tunnel TCP single thread". Its very useful info, for example as file copying. >>There is no use of testing devices without hardware acceleration, because their performance difference between models is insignificant...

mikruser

As I see, you added "IPsec test results" for some products, like this https://mikrotik.com/product/CCR1009-7G-1C-1Splus

Some questions:

1) how many threads were used in Single tunnel?
2) it's TCP or UDP throughput?
3) why you publish results only for products with hardware ipsec?

mikruser

mikruser

MAC-WinBox service???

mikruser

Also have this issue.
But after disable "SIP Direct Media" all works fine.

Why "SIP Direct Media" is enabled by default?
It should be disabled by default!

mikruser

Hello,

Winbox cannot connect to mac-address:

winbox_macaddr.png

why?

mikruser

But when 6.39 become a bugfix???

very strange situation:

6.41.x = RC
6.40.x = Current
6.39.x = WTF??? Where??? When???
6.38.x = Bugfix

mikruser

CCR1009-8G, 6.39, 6.39.2
I have two interfaces (Type:L2TP Server Binding):
l2tp-in1
l2tp-in2

but sometimes instead of l2tp-in2 i see dynamic interface:

l2tp_sb.png

mikruser

Hello,

Currently "Route Check Gateway" based on simply ping.
My suggestion: add check gateway based on link quality (ping jitter and packet loss) for given period of time.

mikruser

Do you have any plans to release wireless+router devices with HW-IPsec?

mikruser

Hello,

Which wireless+router device (https://mikrotik.com/products/group/wir ... and-office) can handle at least 40Mbit/s ipsec vpn?

mikruser

Hello,

Why hAP lite and hAP lite classic have
Product specifications
CPU QCA9533

but have
Ethernet test results
QCA9531 (650Mhz) 100M all port test

???
https://mikrotik.com/product/RB941-2nD-TC
https://mikrotik.com/product/RB941-2nD

mikruser

Also have this issue (100% cpu) on some RB751U-2HnD (ROS 6.40):

Image1.png

Image2.png

Image3.png

Image4.png

Image5.png

Image6.png

How to fix this issue?

mikruser

Hello,

Can ROS x86 or ROS CHR use AVX2 and AVX-512 instructions from Skylake-X (Core i9 7900X) and Xeon Scalable?

mikruser

Hello,

Please add ability to use DNS names in:

IP-IPsec-Policies-General\Action-Dst.Address
IP-IPsec-Peers-General-Address

mikruser

Any info?

which led\color for 10 Mbps link?
which led\color for 100 Mbps link?
which led\color for 1000 Mbps link?
which led(s)\color(s) for Full\Half duplex link?
which led\color for activity?

mikruser

UP!
We want multiple IP in Watchdog ASAP!

mikruser

We again got this issue - CCR1009 "hung" very strange - ping work, but all ppp-tunnels cannot connect, we cannot connect Winbox to ip, and Winbox do not see CCR in Neighbors.
Only manual power cycle help me.

mikruser

From my experience: 1) "Bugfix" = Final stable version. Only this should be installed on production router. 2) "Current" = Public beta version with bugs for public beta testing, but have official support via support@mikrotik.com. You can install it on own risk. 3) "Release candidate" = beta version ...

mikruser

I repeat my question:
When we can expect this fix in "bugfix" branch?

mikruser

Hello,

We need monitor via SNMP "Interface\ Status \ Link Downs" value, and "Rate" and "Full Duplex" value.
Its possible?

mikruser

LEDs near ETH ports

mikruser

Hello,

Where can I find the PDF manual with a detailed description of CCR1009 (https://routerboard.com/CCR1009-8G-1S-1Splus)?
For example i cannot find description of eth led's colors value.

mikruser

do you have some connection/route marking mangle rules?

No

mikruser

Hello,

We use this manual for dual-wan RB:
https://wiki.mikrotik.com/wiki/Advanced ... _Scripting
wan1=cheap unlimited traffic
wan2=expensive limited traffic

But i found this issue: when RB switch back from wan2 to wan1, pptp and sip connections stay on wan2!

mikruser

WinBox 3.11
cannot connect to some RB:

ERROR: no roteros.dll found

mikruser

worldcitizen

Its not Hex issue, its 6.38 and above issue
I write about this issue 4 month ago, but Mikrotik ignore this and release bugged 6.39
viewtopic.php?t=116729

mikruser

Hello,

Feature requests:
Detect and block Layer3/4 packets/connections with suspicious signatures.
Centralized updating the database of signatures.

mikruser

Hello,

Feature request: hot-swap PSU (1+1) for 1U models

mikruser

6.39 - another epic fail bugged version from mikrotik. Kill ipsec, kill sip-trunk.

Downgrade to 6.37.5, and all work fine.

mikruser

6.39 also have this issue!

(6.37.5 work fine)

mikruser

6.39 also have this issue and kill IPsec

Why mikrotik developers release bugged versions?????

mikruser

Hello, I have LAN and LAN2 connected via VPN-tunnel: LAN----[eth1 CCR eth5]----((Internet))----[CCR2]---LAN2 now i want limit LAN-to/from-Internet traffic. but when i create Simple Queue with Target=LAN, it limit all traffic (include LAN-LAN2) how to limit only LAN-to/from-Internet traffic (without ...

mikruser

no, you need one simple queue with target=192.168.0.0/24 and max-limit=10M/10M + set queue type=pcq for upload/download and set these with pcq-rate=2M in both 1 client - 2M, up to 5 client - get 2M each. 10 client - 1M each... 1) On which tab i should set queue type=pcq? On "Advanced" tab i do not ...

mikruser

It is impossible to set per-ip limit in ROS?
I must manually create 253 rules for each ip?

mikruser

AHx4 > CCR1009 in single-threaded (one core) tasks, but AHx4 < CCR1009 in a well-parallelizable (multi core) tasks.

mikruser

Hello,

Currently "Ethernet test results" based on very light configurations.

Suggestion:
1) Add more real-life heavier config (ip firewall filter rules + nat rules + mangle rules + queues + vlan)
2) Add crypto config (L2TP/GRE + IPsec)

mikruser

When we can expect this fix in "bugfix" branch?

mikruser

+1
Devices like RB751 is too slow with current ROS Ipsec encr. algorithms (~10Mbit/s)
We want fast fast algorithm!

mikruser

What about using Ryzen? It has incredible crypto performance:

mikruser

Its a well-known problem with mikrotik ipsec tunnels.
Mikrotik ipsec tunnels are not compatible with Windows.

mikruser

Hello,

I need router with features:
1) Hardware encryption (or software can 100 Mbit/s)
2) dual-band 802.11n (minimum 2 spatial stream, but advisable 3)
3) Gigabit ethernet ports

which model you can recommend?

mikruser

It is almost impossible to guess what ipsec config you have and what might not work.

I have a config that works for many years on any version before 6.38
It is incredible that Mikrotik release such bugged version.
This is absolutely unacceptable for enterprise.

mikruser

I really hope the 6.38 bugs are squashed

No, 6.38.1 also bugged, as 6.38 (ipsec tunnel dont work)
Only downgrade to 6.37.3 can help.

mikruser

Hello,

After upgrade to 6.38 ipsec tunnel dont work.

I downgrade to 6.37.3 and tunnel work again.

mikruser

In 6.38 issue has NOT been fixed!!!

mikruser

In v6.38 nat-t is enabled by default because many client devices require it

lol wat???
facepalm.jpg

mikruser

https://community.hpe.com/t5/Switches-Hubs-Modems-Legacy/Overlapping-vlans/td-p/3652542 Here you can find some guy trying to do that on HP switch and it didn't work as expected. HP 2500 switches dont support full featured Port-based Vlan (cannot put one port to two group) and overlapping Vlans supp...

mikruser

http://i.mt.lv/routerboard/files/RB3011 ... 123613.png
http://i.mt.lv/routerboard/files/CCR100 ... 140835.png
...

mikruser

if you assure that currently switch-chip can, please show Winbox screenshots for this:

portbasedvlan.png

mikruser

read first post link ("Port-based VLAN Overview" from page 151)
currently routers with switch-chip cannot do this.

mikruser

I'm not sure if I get what you want but afaik ROS supports VLANs on switch chip level.

No, currently routers with switch-chip can only Tagged Vlan (802.1Q).
My suggestion about port-based Vlan.
It two absolutely different types of Vlan.

mikruser

Like this switch: https://www.alliedtelesis.com/sites/def ... 100a_0.pdf
see "Port-based VLAN Overview" from page 151
In some cases it very useful!

mikruser

v7 ?

I think it will be a Christmas gift

I expect v7 immediately after Christ Second Coming

mikruser

Why Auto-frequency do not select frequency with best noise floor?

mikruser

ROS 6.x is very bugged and level=unique dont work:
http://forum.mikrotik.com/viewtopic.php ... 2&p=541653

mikruser

CHR is OS for virtual machine.
My question about hardware router in 1U rackmount formfactor

mikruser

Hello,
Why Mikrotik does not produce the routers on x86 processors?
Dual-core Skylake can handle 10Gbit/s aes-gcm ipsec tunnel (CCR cannot).

mikruser

Why reordering issue occurs with hardware multicore, but not occurs with software multicore?

mikruser

I understand that Mikrotik says the ordering problem is being fixed (but when? ROS v7?). But can we temporarily get an option in the v6.x version to disable HW acceleration on the CCR platform, so that we can do software CBC on the CCR and hardware CBC on the hex 3r? I vote for that as well! it has...

mikruser

Hello,

Which wireless protocol has the highest goodput?
Is there a wireless protocol with goodput >50%?

mikruser

TomjNorthIdaho

You can post screenshot with "Bandwidth test tool for Windows" window and "Windows Task Manager" window in one screenshot?
I should see 19000 Mbit tcp send and CPU per core usage.

Search found 379 matches