MikroTik

sporkman

...But i ve seen other posts too with problems configuring a /31 subnet between two Mirkotiks official word from MT Support is that ROS does not support /31, have to use /30 or alternatively ptp addressing /32 That is, pardon my language, bullshit on their part. If they don't support it, then a) do...

sporkman

Ugh, so apparently nothing to do with me, sounds like the ISP somehow did not have this routed properly in their core.

Anyhow, the snippet of interest for me was this:

/ip route add distance=1 gateway=10.17.0.1 pref-src=public.ip

Not going to try removing it now to see if it's necessary or not.

sporkman

I seldom use Mikrotiks for much other than CPE, so always NAT and the out of box config for the most part. Trying to use one here as a very dumb router - no firewall, NAT, etc. I have one setup now that has a /28 block of public IPs routed to it, but its WAN IP is a private address in the ISP's netw...

sporkman

+100 Closest thing we have to a standard. Hope not adding it is not some kind of "NIH" (Not Invented Here) thing. Also, many, many of us have no other equipment to test with for remote sites - the Mik is the only thing we fully control. Alternately, improve the built-in "bwtest" ...

sporkman

Wow, no CLI? OK, I'm sold on keeping RouterOS then.

sporkman

I have a CRS312-4C+8XG that's simply being used for layer-2 stuff - we have a few hosts with 10gb/s interfaces and many with just 1gb/s. So this connects to a 10 gig port on a cisco 4948 and this is all just an internal network. Is there any particular advantage to moving from the RouterOS option (w...

sporkman

I'm looking at the packet flow diagram here: https://wiki.mikrotik.com/wiki/Manual:Packet_Flow For the life of me, I can't find anything in there that describes where in that flow packet capture happens. I'm trying to debug a VoIP issue and when capturing on an internal and then an external interfac...

sporkman

I have a CCR with two WAN links, and a LAN link with a few VLANs on it. Everything on the LAN/VLANs is being NAT'd ("masqueraded"). I have an extra /28 routed to one of the WAN links and want to give unfettered access to a piece of that subnet to someone plugged-in to one of the extra LAN ...

sporkman

Winbox do not fetch DLLS for quite some time now. Do not use old winbox.

Don't tell me, tell the guy that wrote the blog post. He did see it happen in his tcpdump though, I don't think he wrote that more than 3-4 months ago.

sporkman

If you're curious how the bug works, this article is a good read: https://n0p.me/winbox-bug-dissection/ The vulnerability would have been less of a problem if Mik used industry-standard password-hashing methods - since the vulnerability was allowing a remote attacker to download any file, and there'...

sporkman

Maybe I'm misunderstanding your request, but this type of check exists already using recursive routing. Many years later, this post of mine still comes up when I search for easy ways to do failover when the gateway is always "up". I never answered this follow-up, but I will now. This is t...

sporkman

Not quite sure how to describe this - assume a Mikrotik router with the stock config/rules. Everything going out ether1 is NAT'd (masqueraded) and the inbound firewall rules are unchanged. Router has a single static IP on ether1 in a /30. An additional /30 is routed to the external interface upstrea...

sporkman

So yesterday I was given an opportunity to test this. Our provider to one of our PoPs dropped our 1Gb/s metro-e link after a manhole fire. In the building, we were able to find someone with a GPON service that's setup for 500/500. We only have an L3 switch there, and the switch cannot do anywhere ne...

sporkman

Which model can get me 500Mb/s or more at about 40K PPS over a GRE tunnel? Any of them? I assume CCRs are out because GRE can't use multiple cores, right?

No encryption, No VPN, just a GRE tunnel.

sporkman

I'm resurrecting my old thread as the "create server binding for a user" does not seem to work. Each time the VPN connection drops, I have to ssh in to the box from somewhere allowed and then manually re-point the static route to the OpenVPN interface. I do have the user for this incoming ...

sporkman

We run an AWS instance and all of our routers tunnel back to this for management access and monitoring. I've been getting more and more random nagios alerts that latency to some sites (via vpn) is spiking. Results generally look like this: 35 packets transmitted, 35 packets received, 0.0% packet los...

sporkman

Totally unrelated cause - my firewall rule to allow OSPF (the protocol) had an improper source address. Why it kind of worked and timed out, not sure - probably some kind of weird one-way communication plus state timeout or something. Working fine now... Thanks for the "loopback" tip, had ...

sporkman

Kind of sad that out of the box Mikrotik still has defaults that allow them to be abused. Someone there must be incredibly stubborn to keep that checkbox checked as a default. :) The defaults ALSO have a firewall filter to block all of this. It doesn't matter if the service is enabled if no packets...

sporkman

Kind of sad that out of the box Mikrotik still has defaults that allow them to be abused. Someone there must be incredibly stubborn to keep that checkbox checked as a default. :) As someone who both has had to fix up customer Mikrotik boxes and has had to deal with 20+Gb/s DDoS attacks (surely many ...

sporkman

Is there anything in the logs? enable it with debug (system >logging) then monitor what happens previously to that drop and paste it here... a complete /routing ospf export will be useful too. The full export is there. Nothing of note in the logs, other than what looks like a reassociation just aro...

sporkman

I'm stumped on this one. I have a bunch of metro-e circuits between a Cisco ASR-1002-X and some cheap old Cisco switches. I run OSPF (v2) between this gear over the metro-e fabric and all is well. In attempting the same with the Mikrotik running the latest firmware (6.33.3) I have no problem with es...

sporkman

Thank you both so much, that really clarifies things for me. If this works, it will be my go-to QoS setup, as it's really simple to explain, and I don't really see putting the phones in their own dhcp scope as a real big pain compared to a more complex QoS config. I'm having a hard time validating t...

sporkman

You don't have a parent queue so priority will not do anything. OK, so if I add a parent queue, I'm not going to classify based on IP, so I need a target interface. On the RB750 would that be the bridge interface or one of the physical switch ports? If my parent queue is say, 1800kb/s, what do my t...

sporkman

I need something that both myself and a support tech can understand. A very common config we run into is a bridged DSL connection (no PPPoE) where the customer needs an actual router that we can maintain as a dmarc. We've been buying lots of RB750s for the slower connections and are mostly happy wit...

sporkman

My bridge interface is configured with the firewall option off: > interface bridge settings print use-ip-firewall: no use-ip-firewall-for-vlan: no use-ip-firewall-for-pppoe: no allow-fast-path: yes Yet I see blocked traffic destined to my (tap mode) openvpn client that's in the same bridge-local bri...

sporkman

I can't quite figure out how to deal with this. I need to point a route back to the far end of an OpenVPN client. I originally just manually added a route and selected the gateway from the dropdown. However I saw today that rancid sent me a config diff from one of my mikrotik routers that showed the...

sporkman

I'm new to Mikrotik, and I was happy to see so many ways to load-balance and failover traffic when there are multiple upstream connections. However it seems like performing a real check beyond "is the upstream router powered up" involves delving into scripting, which is a real pain, especi...

sporkman

I have found issues with what I call dynamic load balancing techniques as explained above. Like pcc etc. Things like making sure some connections always use the same wan add a layer of complexity. My method is simply deviding the client ip address,s into blocks and sending them out to different wan...

sporkman

I was reviewing the various load-balancing options for multiple links (ECMP, PCC, nth), and they all seem reasonable. What I'm wondering is with each line being 15/2, whether the matter of which method is most efficient comes into play. Hardware is the RB2011. Also I'd really like to shoot for the m...

sporkman

I should probably point out the radio has no subs on it yet, it's idle.

I also really don't follow the "force on" vs. "auto" - in my case "force on" is the only thing that works. "auto" seems to just randomly cut power to the radio...

sporkman

Is there a way to calculate a rough average? I mean, it's swinging from almost a full amp, which seems a bit crazy, all the way back to 0...

sporkman

Hello, I have my first routerboard product, an RB750UP. I'm not doing anything terribly complicated, it's basically acting as an ethernet/PoE repeater on a long run. We have about 200 feet of cable from the PoE injector to the RB (port 1), and then another 250 to a Ubiquiti Rocket M5 (off of port 2)...

Search found 32 matches

Re: Point to Point Addressing /32 or /31 Default Route [SOLVED]

Re: Private WAN IPs, public LAN IPs source address for router services?

Private WAN IPs, public LAN IPs source address for router services?

Re: Feature Request: IPerf

Re: To SwOS or not? CRS312-4C+8XG

To SwOS or not? CRS312-4C+8XG

Where does packet capture happen? [SOLVED]

Allow all traffic between one LAN and WAN interface

Re: Winbox vulnerability: please upgrade

Re: Winbox vulnerability: please upgrade

Re: enhance "check-gateway" feature - use arbitrary check IP

Bypass firewall for one interface?

Re: GRE tunnel performance?

GRE tunnel performance?

Re: Pinning a route to an openvpn endpoint?

Lag/jitter on OpenVPN connection

Re: OSPF dropping adjacency every 50S

Re: Mikrotik as source of DNS Amplification attacks

Re: Mikrotik as source of DNS Amplification attacks

Re: OSPF dropping adjacency every 50S

OSPF dropping adjacency every 50S

Re: How simple can Simple Queues be?

Re: How simple can Simple Queues be?

How simple can Simple Queues be?

Firewall blocking bridge to bridge traffic

Pinning a route to an openvpn endpoint?

enhance "check-gateway" feature - use arbitrary check IP

Re: Best load balancing method for 4 WAN links

Best load balancing method for 4 WAN links

Re: varying PoE mA/W output

Re: varying PoE mA/W output

varying PoE mA/W output