Community discussions

Search found 319 matches

by alex_rhys-hurn
Sun Jun 16, 2019 8:32 pm
Forum: Virtualization
Topic: The CPU has been disabled by the guest operating system
Replies: 32
Views: 5475

Re: The CPU has been disabled by the guest operating system

Hi, I recommend taking a look at your vswitch and physical switch architecture. Be clear about your trunks and any spanning tree issues. Try out the options with promiscuous mode on the vswitches, and esp on the physical host interfaces. Make sure to use VMXNET3 interfaces and drivers. Understand cl...
by alex_rhys-hurn
Sun Jun 16, 2019 7:42 pm
Forum: General
Topic: Measure aggregate ipv4 vs ipv6 volume through router
Replies: 2
Views: 177

Measure aggregate ipv4 vs ipv6 volume through router

Hi Everyone, I would like to measure and graph the volume of ipv4 and ipv6 traffic through the router. I would even like a command something like: /interface monitor-traffic aggregate type=ipv6 and /interface monitor-traffic aggregate type=ipv4 Can anybody give me some hints to achieve this? All the...
by alex_rhys-hurn
Sun May 19, 2019 11:57 am
Forum: SwOS
Topic: SWOS or ROUTEROS: Confused
Replies: 3
Views: 393

SWOS or ROUTEROS: Confused

Hi, For the CRS317 I am confused. Should I run SWOS or ROUTEROS? My application is a strictly switching application, no L3 stuff needed except for management. I ask because it seems that even in RouterOS the CRS317 can still deliver HW based features at full speed. Your advice much appreciated. Alex
by alex_rhys-hurn
Sun May 19, 2019 11:54 am
Forum: RouterBOARD hardware
Topic: Feature Request: CRS317
Replies: 1
Views: 207

Feature Request: CRS317

Hello,

According to the attached Marvell Prestera datasheet the chipset can support VXLAN.
marvell-switching-prestera-98dx83xx-product-brief-2016-12.pdf
Please can you add VXLAN support to CRS317

Thanks,

Alex

PS This has been submitted to support@mikrotik.com
by alex_rhys-hurn
Sun May 19, 2019 11:48 am
Forum: RouterBOARD hardware
Topic: Switch specifications for CRS range.
Replies: 0
Views: 185

Switch specifications for CRS range.

Hi All, I find the way that Mikrotik describes its switching products on the website geared to routers and not switches. E.g. this URL: https://mikrotik.com/product/crs317_1g_16s_rm Compare this to the switch data sheets from other vendors: Cisco 2960: https://www.cisco.com/c/en/us/products/collater...
by alex_rhys-hurn
Sun May 19, 2019 11:31 am
Forum: RouterBOARD hardware
Topic: Airflow CRS317-1G-16S+RM
Replies: 2
Views: 349

Airflow CRS317-1G-16S+RM

Hello, I refer to CRS317-1G-16S+RM for use as top of rack switching and ISCSI switching in the data centre. My Colo provider REQUIRES as MANDATORY Front to back airflow. This means that fans should pull the air from the front of the rack and push it out of the back to maintain proper hot / cold ais...
by alex_rhys-hurn
Wed Aug 22, 2018 11:18 pm
Forum: Forwarding Protocols
Topic: [SOLVED] IBGP over OSPF Single POP ISP Problems
Replies: 2
Views: 571

Re: [SOLVED] IBGP over OSPF Single POP ISP Problems

Hi, I have solved my issues. This post: https://forum.mikrotik.com/viewtopic.php?t=97491 sorted it out. Few things: 1: I had routing loops due to default route problems in ibgp, moving default routing to ospf sorted it. 2: Then I ran in to the issue where Mikrotik will not bring the default route fr...
by alex_rhys-hurn
Tue Aug 21, 2018 11:55 am
Forum: Forwarding Protocols
Topic: [SOLVED] IBGP over OSPF Single POP ISP Problems
Replies: 2
Views: 571

[SOLVED] IBGP over OSPF Single POP ISP Problems

Hi Guys, I am having trouble, and hope you guys can help. Thanks in advance. I am building a network following a design for a POP which I saw at a peering meeting recently (I am sure you are familiar with it). We are a single POP now, but will add more as we go. POP-Topology.png All devices are mik...
by alex_rhys-hurn
Mon Aug 13, 2018 9:50 pm
Forum: Forwarding Protocols
Topic: eBGP and iBGP config with OSPF for internal [SOLVED]
Replies: 9
Views: 2938

Re: eBGP and iBGP config with OSPF for internal [SOLVED]

"You need to set the update-source to be the IP of the loopback interface on the iBGP peers."

Yup. It's 4 years on, and the advice is as good as ever!

This one saved me.

Karma
by alex_rhys-hurn
Fri Jun 29, 2018 5:39 pm
Forum: RouterBOARD hardware
Topic: CHR on Vmware esxi 5.5 Max Interfaces
Replies: 1
Views: 415

SOLVED CHR on Vmware esxi 5.5 Max Interfaces

UPDATE:

When we had the problem this was on a VM with a single CPU socket with a Single CPU Core.

Adding an additional CPU Socket has allowed us to add 10 VMXNET3 interfaces with no IRQ issues anymore.

Consider this solved.

Thanks,

Alex
by alex_rhys-hurn
Fri Jun 29, 2018 4:35 pm
Forum: RouterBOARD hardware
Topic: CHR on Vmware esxi 5.5 Max Interfaces
Replies: 1
Views: 415

CHR on Vmware esxi 5.5 Max Interfaces

Hello, Please can someone tell me the max number of interfaces CHR can accept from the vmware host. CHR 6.42.3 Vmware esxi 5.5 We added 5 VMXNET3 interfaces and everything is fine. Then we added a 6th interface and the CHR would automatically reboot with an IRQ error and then just boot loop. We remo...
by alex_rhys-hurn
Sat Mar 10, 2018 11:07 am
Forum: General
Topic: Slingshot APT [SOLVED]
Replies: 44
Views: 23699

Re: Slingshot APT, RouterOS spying software [SOLVED]

Hi, I am in Kenya, and have deployments of a few hundred devices, though most of them sit inside private MPLS WANs. As far as I know we have not been exposed to this. How do I know if I have? By reading the Kaspersky report, it seems that even if I sort out the router, the issue still remains on any...
by alex_rhys-hurn
Sat Mar 04, 2017 2:58 pm
Forum: General
Topic: RBLHG-5nD. What is the maximum length of CAT5e cable
Replies: 2
Views: 342

Re: RE: RBLHG-5nD. What is the maximum length of CAT5e cable

Hi I need to install RBLHG-5nD - LHG5 (https://mikrotik.com/product/RBLHG-5nD) on a building where I need to install 150ft (45m) of CAT 5e indoor cable (Schneider). The power adaptor that is supplied in this product is 24v. Do you think this will have enough power to power the antenna for a 3 miles...
by alex_rhys-hurn
Sun Jun 12, 2016 1:33 pm
Forum: General
Topic: Inbound 1:1 static NAT failover
Replies: 2
Views: 487

Inbound 1:1 static NAT failover

Hi Everyone, I have the following network - see image. I have failover between two ISP working perfectly using check-gateway and default route cost. I have 1 mailserver with 1:1 static NAT to ISP1 the primary. So my internal IP NATS to a static External IP from ISP1. What I want to achieve, is when ...
by alex_rhys-hurn
Sat Jun 11, 2016 11:57 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Mikrotik ha, anyone tried this?
Replies: 5
Views: 2481

Mikrotik ha, anyone tried this?

Hello,

https://github.com/svlsResearch/ha-mikrotik

The link above was suggested to me in another post on vrrp in this forum.

Has anyone tried it out?

Alex
by alex_rhys-hurn
Wed Jun 25, 2014 7:24 pm
Forum: General
Topic: winbox trouble only over one ISP
Replies: 6
Views: 1646

Re: winbox trouble only over one ISP

Thanks again for your help. Here is the output of my mangle rules: /ip firewall mangle> pr detail Flags: X - disabled, I - invalid, D - dynamic 0 chain=forward action=change-mss new-mss=1300 passthrough=yes tcp-flags=syn protocol=tcp tcp-mss=!0-1300 [admin@MikroTik] /ip firewall mangle> Dont ask me ...
by alex_rhys-hurn
Wed Jun 25, 2014 6:32 pm
Forum: General
Topic: winbox trouble only over one ISP
Replies: 6
Views: 1646

Re: winbox trouble only over one ISP

Pinging through the other ISP gives me a maximum size of 1472, and winbox is working with that.

Also I notice for the link which does not work with winbox, when I use winbox with that link but through an IPSEC Tunnel winbox works fine.

Alex
by alex_rhys-hurn
Wed Jun 25, 2014 6:30 pm
Forum: General
Topic: winbox trouble only over one ISP
Replies: 6
Views: 1646

Re: winbox trouble only over one ISP

Hi, Many thanks for your reply. My pings: ping 8.8.8.8 -l 1452 Pinging 8.8.8.8 with 1452 bytes of data: Reply from 8.8.8.8: bytes=64 (sent 1452) time=151ms TTL=44 So the largest I can send is 1452 anything larger wont work. Its a PPPoE Dial up passive fibre optic ISP link. Mikrotik makes two dynamic...
by alex_rhys-hurn
Wed Jun 25, 2014 3:26 pm
Forum: General
Topic: winbox trouble only over one ISP
Replies: 6
Views: 1646

winbox trouble only over one ISP

Hi folks, We manage many Mikrotik Routers for many customers. We access them remotely over the internet using winbox, ssh and webmin. In some cases we also access them via winbox over an IPIP/IPSEC tunnel. Here is my problem, when I use winbox over my ISP called JTL the winbox session will login and...
by alex_rhys-hurn
Mon Feb 24, 2014 7:55 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Poor mans config sync: vrrp
Replies: 7
Views: 3352

Re: Poor mans config sync: vrrp

Hi there, Thanks everyone for the thoughts. Regarding the point where the filter table would be empty when tables flushed, I see your concern, and it is valid. In theory this would only happen on the passive/inactive vrrp partner which has no / little traffic passing through. I can picture some nast...
by alex_rhys-hurn
Fri Feb 21, 2014 1:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Poor mans config sync: vrrp
Replies: 7
Views: 3352

Poor mans config sync: vrrp

Hello! I would like to ask the advice and tips of all you gurus out there. We have two ccr routers in VRRP setup. The config is fairly static except for firewall rules which we work on quite a bit. My thoughts, and I am asking you guys if I am mad / wasting my time to try this, is to built a script ...
by alex_rhys-hurn
Thu Dec 05, 2013 2:03 pm
Forum: Forwarding Protocols
Topic: need advice on multi-wan multi-office vpn
Replies: 7
Views: 3222

Re: need advice on multi-wan multi-office vpn

Tomaskir, We meet again!. Yes, I have looked at your video and am in the process of trialling it, as it should solve some of the complexity of rolling out new sites. Very nice design. We are currently doing this on 75 Branches, and your solution addresses a number of scalability problems. Best, Alex
by alex_rhys-hurn
Thu Dec 05, 2013 9:53 am
Forum: Forwarding Protocols
Topic: need advice on multi-wan multi-office vpn
Replies: 7
Views: 3222

Re: need advice on multi-wan multi-office vpn

Hello, I would suggest that you remove the bonding and move over to OSPF ECMP (Equal cost multipathing). I dont tend to use the EOIP Tunnels because they are proprietary to Mikrotik, and so we do this with IPIP Tunnels. So; step 1, build IPIP Tunnel between the offices, two tunnels each branch offic...
by alex_rhys-hurn
Mon Nov 25, 2013 6:43 pm
Forum: General
Topic: VPLS, EThernet Trunk (vlan trunk) and bridges
Replies: 7
Views: 3602

Re: VPLS, EThernet Trunk (vlan trunk) and bridges

Just to finish off the discussion.

Do you have any thoughts towards encrypting the vpls tunnel with IPSec?

Alex
by alex_rhys-hurn
Mon Nov 25, 2013 6:19 pm
Forum: General
Topic: VPLS, EThernet Trunk (vlan trunk) and bridges
Replies: 7
Views: 3602

Re: VPLS, EThernet Trunk (vlan trunk) and bridges

Just read about your question re bridging vlans straight to leased line. We have tried this before, and have also tried simply plugging the leased line ethernet in to the switch, this resulted in immediate phone calls from the service provider complaining about bpdu and other stuff. They have subseq...
by alex_rhys-hurn
Mon Nov 25, 2013 6:14 pm
Forum: General
Topic: VPLS, EThernet Trunk (vlan trunk) and bridges
Replies: 7
Views: 3602

Re: VPLS, EThernet Trunk (vlan trunk) and bridges

Tomaskir, Thanks so much for your quick reply and for taking the time to clarify mtu. We use the VPLS tunnels a lot in another application without the tagged ethernet PW Type so we are familiar with the MTU issue. Our leased line provider gives us jumbo frame capability, and its a pure ethernet link...
by alex_rhys-hurn
Mon Nov 25, 2013 5:45 pm
Forum: General
Topic: VPLS, EThernet Trunk (vlan trunk) and bridges
Replies: 7
Views: 3602

VPLS, EThernet Trunk (vlan trunk) and bridges

Hello, According to the RouterOS Manual, under Vlan: "As VLAN works on OSI Layer 2, it can be used just as any other network interface without any restrictions. VLAN successfully passes through regular Ethernet bridges." And according to 802.1q a VLAN ID is inserted in the ethernet header between th...
by alex_rhys-hurn
Wed Nov 20, 2013 7:44 am
Forum: General
Topic: DHCP Server Capacity - what limit in ROS for leases & server
Replies: 3
Views: 842

Re: DHCP Server Capacity - what limit in ROS for leases & se

Hi,

Thanks for the response, it's good to know that my design will fly on this hardware.

So, do you know the theoretical limits for RouterOS as far as DHCP goes, or is it just hardware limited? I can't find anything in the licensing that points to limits.

Many thanks,

Alex
by alex_rhys-hurn
Mon Nov 18, 2013 8:45 am
Forum: General
Topic: DHCP Server Capacity - what limit in ROS for leases & server
Replies: 3
Views: 842

DHCP Server Capacity - what limit in ROS for leases & server

Hello everyone, My network design is: 1 RB1100AH acting as branch edge router. I have 40 Interdepartmental vlans (PCI-DSS requirements) and each one needs a DHCP Server, giving out a /23 to each vlan with MAC Authentication via Userman. My questions are: What is the limit of number of DHCP Servers o...
by alex_rhys-hurn
Thu Nov 07, 2013 2:33 pm
Forum: General
Topic: WAN interface usage is higher than LAN interface usage
Replies: 10
Views: 3442

Re: WAN interface usage is higher than LAN interface usage

Hi, Please be sure that /ip proxy enabled=no and also /ip dns allow-remote-requests = no. Finally, if you really don't have the above enabled / firewalled, then I have seen this in one other scenario, and this was provider related. Here goes: The design was where an ISP had provided their own POP in a...
by alex_rhys-hurn
Wed Nov 06, 2013 5:12 pm
Forum: General
Topic: WAN interface usage is higher than LAN interface usage
Replies: 10
Views: 3442

Re: WAN interface usage is higher than LAN interface usage

Hello, In my experience, this situation is almost always caused by lack of or incorrect firewall configuration. Many people consider that the use of NAT is firewalling. It is not. The source of this traffic is often that either or both the DNS server and/or web proxy are enabled on the router, but n...
by alex_rhys-hurn
Sun Sep 29, 2013 4:09 pm
Forum: General
Topic: Site to Site tunnel... how ?
Replies: 7
Views: 1475

Re: Site to Site tunnel... how ?

I cant see why an ipip tunnel is anymore difficult than a GRE tunnel or EoIP Tunnel. Regarding the second option of using IPSec alone, that situation I find often confuses people more, as opposed to simply encrypting the tunnel with only one set of IPsec policy and then using simple routing tables t...
by alex_rhys-hurn
Fri Sep 27, 2013 1:24 pm
Forum: General
Topic: Site to Site tunnel... how ?
Replies: 7
Views: 1475

Re: Site to Site tunnel... how ?

I would not suggest pptp in this situation. You have 2 real choices, eoip or ipip. eoip is proprietary to Mikrotik and IPIP is standards compliant and will work with other devices like cisco. (I know there are other options, but I am considering this a good basic starting point for newbies). Simply ...
by alex_rhys-hurn
Thu Sep 26, 2013 9:29 am
Forum: General
Topic: PCC + Bandwidth Control for VPN Concentrator
Replies: 0
Views: 763

PCC + Bandwidth Control for VPN Concentrator

Hello everyone, I hope you can give me some ideas on this. Our network is 3 ISPs (15 megabits each) load balanced with PCC. We have a VPN Concentrator (Cisco ASA 5510) that is Routed through internally, and has a public IP from each ISP. Our Internal nets 10.0.0.0/8 are natted on the Load Balancer. ...
by alex_rhys-hurn
Mon Sep 02, 2013 9:45 am
Forum: General
Topic: Connect through L2TP
Replies: 13
Views: 1997

Re: Connect through L2TP

Hi,

Sorry about the missing link. Here it is:

http://mum.mikrotik.com/presentations/HR13/kirnak.pdf

In fact I liked it so much we are now trialling it in my own network as we get familiar with the solution for our clients. Previously we have been making static tunnels and IPSec Policy.
by alex_rhys-hurn
Wed Aug 28, 2013 11:56 am
Forum: General
Topic: Trainers: Come to Kenya and teach us!
Replies: 1
Views: 801

Re: Trainers: Come to Kenya and teach us!

Hello,

I just thought I would update you all and say that some trainers came to Kenya and now we are trained and certified! Yippee!

Alex
by alex_rhys-hurn
Wed Aug 28, 2013 11:52 am
Forum: General
Topic: how to block https for facebook.com
Replies: 33
Views: 80790

Re: how to block https for facebook.com

So, to show how easy it is really here is the setup in full: First the Layer & Protocol: /ip firewall layer7-protocol add name=Facebook_URL regexp="^.*(facebook).*\$" Then the Firewall Rule: /ip firewall filter add chain=forward comment="Block Facebook" layer7-protocol=facebook_url That will block a...
by alex_rhys-hurn
Wed Aug 28, 2013 11:18 am
Forum: General
Topic: how to block https for facebook.com
Replies: 33
Views: 80790

Re: how to block https for facebook.com

Hello, I think you may be confusing the term "firewall" with "UTM" or Unified Threat Management. Mikrotik is not a UTM platform. For that you need to look at Checkpoint UTM, Untangle or the like. Personally I don't think that making a layer7 protocol and firewall rule is difficult or tedious. Actually I...
by alex_rhys-hurn
Wed Aug 28, 2013 1:34 am
Forum: General
Topic: Connect through L2TP
Replies: 13
Views: 1997

Re: Connect through L2TP

You might be interested in this video at MUM about using l2tp with ipsec to achieve scalable vpn solution for both site to site and dial up road warrior scenarios.

If I have understood your need properly.
by alex_rhys-hurn
Wed Aug 28, 2013 1:29 am
Forum: General
Topic: how to block https for facebook.com
Replies: 33
Views: 80790

Re: how to block https for facebook.com

Wow. Really old thread. Sorry I posted.....
by alex_rhys-hurn
Wed Aug 28, 2013 1:26 am
Forum: General
Topic: how to block https for facebook.com
Replies: 33
Views: 80790

Re: how to block https for facebook.com

The way we do this is to use a layer 7 regular expression to block any url with facebook in it. First make layer 7 protocol with this as the value: ^.*(facebook).*$ Then make a firewall rule to drop that layer 7 protocol. This can be very harsh and even prevent you resolving and pinging facebook as ...
by alex_rhys-hurn
Mon Jun 24, 2013 5:06 pm
Forum: General
Topic: RouterOS 6.1 released
Replies: 198
Views: 53040

Re: RouterOS 6.1 released

The best way to manage logs in Mikrotik - and frankly just about anything - is to export them via Syslog to a Dude server. You can then filter/sort/export them to your heart's content. Go one step further and deploy SIEM if you wish to do correlation etc... http://communities.alienvault.com/ I haven't ...
by alex_rhys-hurn
Sun Oct 14, 2012 8:56 am
Forum: General
Topic: URGENT!!! PLS HELP!!!!!!!
Replies: 8
Views: 1008

Re: URGENT!!! PLS HELP!!!!!!!

Hi!

Do you have web proxy enabled?

I have seen exactly this when you enable web proxy but don't protect it with firewall. Then somebody finds your open web proxy and uses it for their own nefarious needs!

Turn off web proxy and see if that helps.

Alex
by alex_rhys-hurn
Tue Sep 25, 2012 11:53 am
Forum: General
Topic: Trainers: Come to Kenya and teach us!
Replies: 1
Views: 801

Trainers: Come to Kenya and teach us!

Hello Mikrotik Trainers, We have been using Mikrotik for a long time now, and have a team of professionals who are very comfortable with it. Our team already has CCNA CCNP and the like, but we would now like to certify our team in Mikrotik. This message is to all trainers who would be able to visit...
by alex_rhys-hurn
Thu Aug 02, 2012 5:32 pm
Forum: General
Topic: HELP, CPU MIKROTIK 100%
Replies: 6
Views: 1319

Re: HELP, CPU MIKROTIK 100%

Did you try the suggested upgrade?
by alex_rhys-hurn
Wed Aug 01, 2012 3:43 pm
Forum: General
Topic: Hardware antivirus
Replies: 10
Views: 1853

Re: Hardware antivirus

So, lets try something like this: 1: Connect ISP to ether1 of RB1200 2: Connect LAN1 (Unfiltered Internet users LAN) to ether2 of RB1200, and connect this to an UNTAGGED port of the managed switch that has VLAN1 membership 3: Connect LAN2 (Filtered Internet users LAN) to ether3 of RB1200, and connec...
by alex_rhys-hurn
Wed Aug 01, 2012 3:27 pm
Forum: General
Topic: Hardware antivirus
Replies: 10
Views: 1853

Re: Hardware antivirus

OK, let me make a new network design for you. Do you have manageable switches that can do vlans? Do you mind if you have client PC on completely separate vlans? E.g. computers with unfiltered access to internet on one vlan, and client computers with filtered internet on another vlan? We may need to ...
by alex_rhys-hurn
Wed Aug 01, 2012 11:08 am
Forum: General
Topic: HELP, CPU MIKROTIK 100%
Replies: 6
Views: 1319

Re: HELP, CPU MIKROTIK 100%

Which version of routeros and which hardware are you using?

This has been seen a couple of times in some recent releases.

I suggest you upgrade your firmware, and also send a supout.rif to support@mikrotik.com
by alex_rhys-hurn
Wed Aug 01, 2012 10:48 am
Forum: General
Topic: Hardware antivirus
Replies: 10
Views: 1853

Re: Hardware antivirus

According to http://www.pandasecurity.com/homeusers/ ... idIdioma=2 the gatedefender can be configured to router mode.

The design above should work in router mode.

Can you try that?