Community discussions

Search found 224 matches

by jkarras
Thu Sep 20, 2018 5:06 am
Forum: Announcements
Topic: v6.44beta [testing] is released!
Replies: 365
Views: 80805

Re: v6.44beta [testing] is released!

I have set up automated exports and the output is saved in version control system, so I know what exactly changed and when. Can you give more info on your setup/workflow? I am interested in implementing something similar. Thanks. RANCID works for this. There are runners for a lot of different NOS. ...
by jkarras
Wed Mar 21, 2018 11:44 pm
Forum: General
Topic: Multiple IP's from ISP but not a subnet block questions.
Replies: 13
Views: 874

Re: Multiple IP's from ISP but not a subnet block questions.

Could be an order of operations error by not having the more specific network above the less specific in the NAT rules. OSPF shouldn't have any effect on SRCNAT working or not working in this case.
by jkarras
Wed Mar 21, 2018 4:32 pm
Forum: General
Topic: Multiple IP's from ISP but not a subnet block questions.
Replies: 13
Views: 874

Re: Multiple IP's from ISP but not a subnet block questions.

Masquerade as the last rule as a catch-all is fine. Just make sure it's the last rule. That said, if the first two rules are correctly defined for the network you shouldn't need it. The reason you want to remove it from the config is with multiple IP addresses it's unpredictable what IP it will use for...
by jkarras
Wed Mar 21, 2018 6:14 am
Forum: General
Topic: Multiple IP's from ISP but not a subnet block questions.
Replies: 13
Views: 874

Re: Multiple IP's from ISP but not a subnet block questions.

Don't forget to add the new IP to the interface and add a DSTNAT rule for the inbound traffic to make it to your SIP broker. The following should work fine. /ip address add interface=ether1 address yy.yy.yy.83 /ip firewall nat add action=src-nat chain=srcnat out-interface=ether1 src-address=192.168....
by jkarras
Mon Feb 26, 2018 1:02 am
Forum: Scripting
Topic: Script for modify ipip tunnel interface
Replies: 11
Views: 1036

Re: Script for modify ipip tunnel interface

Hi,

my connection is over PPPoE, not DHCP client. In spite of that, would it be useful for me? Sorry for my English
You'll have to use a scheduled script then. An example can be seen here.

https://github.com/karrots/ros-ddns-ipsec/
by jkarras
Sun Feb 25, 2018 4:31 am
Forum: Scripting
Topic: Script for modify ipip tunnel interface
Replies: 11
Views: 1036

Re: Script for modify ipip tunnel interface

No need to run this as a script. The DHCP client will provide the information on lease update.

https://wiki.mikrotik.com/wiki/Manual:I ... pt_example
by jkarras
Tue Feb 13, 2018 9:45 pm
Forum: Announcements
Topic: v6.42rc [release candidate] is released!
Replies: 538
Views: 94513

Re: v6.42rc [release candidate] is released!

*) radius - increase allowed RADIUS server timeout to 60s; To add an important reason to the too short limit problem of timeout in radius: Successful authentications are answered immediately (in order of milliseconds if possible), but to protect the server from brute-force attacks and DOS-type atta...
by jkarras
Sun Jan 07, 2018 5:55 am
Forum: General
Topic: IPsec IKEv2 Tunnel Tuning
Replies: 10
Views: 2590

Re: IPsec IKEv2 Tunnel Tuning

Cool, thanks for that. I need to learn MikroTik scripting at some point. I've done a few but it's not sticking in my head. On my setup I would have to set: /ip ipsec peer set X address=$variable /ip ipsec policy set X dst-address=$variable sa-dst-address=$variable I have a dyndns account as well, b...
by jkarras
Sat Jun 03, 2017 7:49 am
Forum: General
Topic: Multiple Public IP Addresses with Same Gateway on Same Interface
Replies: 1
Views: 1156

Re: Multiple Public IP Addresses with Same Gateway on Same Interface

Likely an order of operations problem in your NAT table.

The routing mark rule and the two static routes are unneeded.
Sent from my Nexus 6P using Tapatalk
by jkarras
Thu Jun 01, 2017 7:05 am
Forum: Forwarding Protocols
Topic: MPLS/VPLS Public Statics
Replies: 5
Views: 1003

Re: MPLS/VPLS Public Statics

Network diagram would help.
by jkarras
Fri Apr 21, 2017 6:13 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 10597

Re: v6.39rc76 [release candidate] is released!

I understand. I already had an email typed up after that last version didn't fix it, with a supout from before and after the upgrades. I was waiting until after the next update just in case they fixed it then. My case is actually pretty simple. Standard home Internet provider, DHCP on WAN, masquerade...
by jkarras
Fri Apr 21, 2017 5:32 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: v6.39rc80 [release candidate] is released!
Replies: 63
Views: 10597

Re: v6.39rc76 [release candidate] is released!

Marino, and others who might have the same problem potentially. It would be great to get some steps/instructions to support@mikrotik.com on how to repeat the described problems. Steps for me were to upgrade to anything past rc62. Sites became unbearably slow if the traffic flow went through the fasttrack ...
by jkarras
Fri Apr 14, 2017 5:46 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 80762

Re: v6.39rc [release candidate] is released

Confirmed disabling fasttrack rule fixes slow traffic that would have otherwise been tagged by the rule.
by jkarras
Fri Apr 14, 2017 2:11 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 80762

Re: v6.39rc [release candidate] is released

When I upgraded to ROS v6.39rc62, the following Firewall rule brought my outside access to a crawl: /ip firewall filter add chain=forward action=fasttrack-connection connection-state=established,related Once I disabled it, the system began to work normally. This is the same with the current release...
by jkarras
Thu Apr 13, 2017 8:35 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 80762

Re: v6.39rc [release candidate] is released

Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and process...
by jkarras
Thu Apr 13, 2017 4:19 am
Forum: Announcements
Topic: v6.39rc [release candidate] is released
Replies: 391
Views: 80762

Re: v6.39rc [release candidate] is released

Spanning Tree is broken since 6.38. We want to implement redundant bridges, to link together carrier VLANs to customer ports or VLANs. The previous STP implementation was essentially similar to PVSTP (per VLAN Spanning Tree Protocol) but the new implementation results in routers sending and process...
by jkarras
Wed Aug 10, 2016 6:57 am
Forum: General
Topic: Scientific Explanation needed for DHCP renew needed!
Replies: 6
Views: 828

Re: Scientific Explanation needed for DHCP renew needed!

I agree with everyone here. Having worked with law enforcement on similar requests I just wanted to mention one other thing to calm some fears. If you're not required by any industry regulation, local law, or company policy to keep the DHCP logs don't worry about getting in trouble with law enforcem...
by jkarras
Wed Aug 10, 2016 6:47 am
Forum: General
Topic: Fastpath on vlan interface.
Replies: 15
Views: 3061

Re: Fastpath on vlan interface.

This really should be a new thread if you want people to look at it. I think there is a misunderstanding of the differences in FastPath and FastTrack as well as what the "auto" setting does with connection tracking. FastPath benefits ROS devices which are only routing. If you use any firewall rules ...
by jkarras
Fri Jun 24, 2016 7:33 am
Forum: RouterOS v6 RC and v7 BETA
Topic: [FEATURE REQUEST] Two Factor Authentication
Replies: 22
Views: 13613

Re: [FEATURE REQUEST] Two Factor Authentication

I am just saying that in all cases it's very low on the priority list of things that will give them a competitive advantage because there are already multiple solutions that will give your desired outcome (RADIUS, SSH keys, site-to-site VPN, and remote access VPN via OTP or client certificate based...
by jkarras
Thu Jun 23, 2016 7:27 am
Forum: RouterOS v6 RC and v7 BETA
Topic: [FEATURE REQUEST] Two Factor Authentication
Replies: 22
Views: 13613

Re: [FEATURE REQUEST] Two Factor Authentication

Why are you allowing the general Internet to get to the management interfaces of your devices? This should all be ACLd off except to known good ranges you connect from or all be done via VPN. There are ways to encrypt the unencrypted portions of the RADIUS datagram. One example would be an encrypte...
by jkarras
Tue Feb 23, 2016 6:22 am
Forum: Forwarding Protocols
Topic: Vlans on routed backbone?
Replies: 6
Views: 1418

Re: Vlans on routed backbone?

If you're using L2 connectivity just to make DHCP work you should look into DHCP relay. Then you could go L3 to the AP and still have one central DHCP server.
by jkarras
Thu Jan 07, 2016 4:47 pm
Forum: Beginner Basics
Topic: how to hide ip from arp
Replies: 9
Views: 1584

Re: how to hide ip from arp

Why? If you remove it from the ARP table the IP will quit functioning.
by jkarras
Tue Jul 14, 2015 7:29 am
Forum: Announcements
Topic: 6.31 RC testing
Replies: 41
Views: 13031

Re: 6.31 RC testing

How long does Mikrotik plan on supporting bugfix versions? For example, once 6.32 is released, how long will 6.30.x be in development?
by jkarras
Thu Jul 09, 2015 6:07 am
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature Request v7 MacSec CCR 72 Core
Replies: 6
Views: 2083

Re: Feature Request v7 MacSec CCR 72 Core

Looks like the processor used on the CCR line does support MacSec. This is key as MacSec is a PHY level operation.

+1 for this, especially with the WAN MacSec extensions so it can be used over MetroEthernet connections.

http://www.tilera.com/files/drim__TILE- ... B_7682.pdf
by jkarras
Tue Jul 07, 2015 5:18 am
Forum: Forwarding Protocols
Topic: VoIP VLAN Routing
Replies: 2
Views: 1235

Re: VoIP VLAN Routing

The tool you pick depends on the design criteria. It sounds like you want to keep the voice traffic separate from other production IP traffic. If this is the case you will want to put the VLAN into a VRF on your MPLS network. http://wiki.mikrotik.com/wiki/Manual:Layer-3_MPLS_VPN_example I assume you...
by jkarras
Tue Jul 07, 2015 2:17 am
Forum: General
Topic: Winbox losing MAC connection to RB850Gx2
Replies: 42
Views: 11158

Re: Winbox losing MAC connection to RB850Gx2

Agreed if this model didn't have a serial port it would be impossible to do initial IP config from blank.
by jkarras
Tue Jun 23, 2015 10:30 pm
Forum: General
Topic: ssl not working with nat
Replies: 6
Views: 1517

Re: ssl not working with nat

by jkarras
Tue Jun 23, 2015 10:28 pm
Forum: General
Topic: ssl not working with nat
Replies: 6
Views: 1517

Re: ssl not working with nat

Are you blocking ICMP outbound? As has been mentioned, you have an MTU issue. It's probably preferable to leave general Ethernet interfaces at 1500. I assume your PPPoE connection is controlled by an ISP; if so, no amount of changing the local MTU will fix things. The reason is MTU changes must be ma...
by jkarras
Sat Jun 13, 2015 4:24 pm
Forum: General
Topic: Apply IPSec policy to all traffic on GRE tunnel -- impossible?
Replies: 9
Views: 1984

Re: Apply IPSec policy to all traffic on GRE tunnel -- impossible?

In the IPSEC policy just change the protocol from all to GRE. This will then cause only the encryption of GRE packets leaving all other traffic in the clear.

Out of curiosity what other traffic are you worried about being encrypted by the more open policy?
by jkarras
Sat Jun 13, 2015 4:02 pm
Forum: Forwarding Protocols
Topic: Encrypt 10Gb/s Links
Replies: 5
Views: 1777

Re: Encrypt 10Gb/s Links

Can you encrypt data layer 2 multi hop when we only have control of devices at both ends, not in the middle? Depends on the type of service. If it's a MetroEthernet e-line service like EPL it should work fine. If it is an EVPL service there will be issues. If your switches connecting to the service suppo...
by jkarras
Sat Jun 13, 2015 4:38 am
Forum: General
Topic: Winbox losing MAC connection to RB850Gx2
Replies: 42
Views: 11158

Re: Winbox losing MAC connection to RB850Gx2

Hi everyone, I'm new on MikroTik. I have a problem with an RB850Gx2: when I upgrade it to v6.29.1 I can't access it, even with IP or with MAC; it doesn't show the MAC and it keeps restarting, even when I try to reset it. It's the same. Any idea? Thanks in advance. Best to start a new thread rather than tack a sepa...
by jkarras
Thu Jun 11, 2015 6:10 pm
Forum: General
Topic: EoIP + Cisco Macsec
Replies: 2
Views: 1217

Re: EoIP + Cisco Macsec

It should work fine with the new WAN extensions. Without the WAN extensions it may work, but it depends on how the L2VPN is set up.
by jkarras
Thu May 21, 2015 11:27 pm
Forum: Forwarding Protocols
Topic: Routing, VRF help
Replies: 1
Views: 758

Re: Routing, VRF help

You'll need to set up MPLS between the three routers so that they can pass VRF routing information between each other.

Take a look at this wiki article for an example. It may need to be adapted slightly but everything is there.

http://wiki.mikrotik.com/wiki/Manual:La ... PN_example
by jkarras
Wed May 13, 2015 3:13 pm
Forum: RouterBOARD hardware
Topic: Grounding rack with mikrotik's
Replies: 9
Views: 1480

Re: Grounding rack with mikrotik's

No it does not.
by jkarras
Fri May 08, 2015 10:17 pm
Forum: RouterBOARD hardware
Topic: Grounding rack with mikrotik's
Replies: 9
Views: 1480

Re: Grounding rack with mikrotik's

You should only have one ground point. If you have multiple ground rods they need to be tied together and only fed from one conductor. Shielded cable needs to be terminated into shielded patch panels or jacks. The shield only protects from EMI. Surge protectors protect equipment from voltage spikes....
by jkarras
Wed Jan 28, 2015 5:33 am
Forum: General
Topic: Amazon AWS VPN -- A Working Configuration Example and Bug
Replies: 39
Views: 28014

Re: Amazon AWS VPN -- A Working Configuration Example and Bu

To get around the two SA same policy issue did you try setting each policy with a different priority?
by jkarras
Tue Jan 27, 2015 9:34 pm
Forum: General
Topic: double gw mentioning in dhcp-server? How to use?
Replies: 9
Views: 1280

Re: double gw mentioning in dhcp-server? How to use?

Is the CPE always a router of some kind? I am thinking business clients here, not home routers. If so, it sounds like you should set up BGP between your network and the CPE, allowing the routing to help with the decision. That or move to a fully routed backbone, removing the VLAN bridges, and implement VR...
by jkarras
Tue Jan 27, 2015 8:05 pm
Forum: General
Topic: double gw mentioning in dhcp-server? How to use?
Replies: 9
Views: 1280

Re: double gw mentioning in dhcp-server? How to use?

What you're describing is the need for first hop redundancy; VRRP was created to solve just that problem. What is done after the first hop is up to your routing policies. I have exactly this scenario set up to add first hop redundancy to our ISP for devices that can't just use a dynamic routing protocol...
by jkarras
Tue Jan 27, 2015 7:37 pm
Forum: General
Topic: VPN and QoS (802.1p and DSCP)
Replies: 4
Views: 1153

Re: VPN and QoS (802.1p and DSCP)

I believe any of these methods will preserve the DSCP marking across the tunnel. Should be easy to test by taking a packet capture.
by jkarras
Tue Jan 27, 2015 4:23 pm
Forum: General
Topic: double gw mentioning in dhcp-server? How to use?
Replies: 9
Views: 1280

Re: double gw mentioning in dhcp-server? How to use?

The trouble is leaving it up to the client (if they even support it) is basically making it unknown. It's best if the network behaves in a deterministic way. If you use VRRP and other routing techniques to present a consistent experience to the customer, it will reduce the support unknowns. Basically i...
by jkarras
Tue Jan 27, 2015 6:34 am
Forum: General
Topic: VPN and QoS (802.1p and DSCP)
Replies: 4
Views: 1153

Re: VPN and QoS (802.1p and DSCP)

By preserve do you mean it makes it to the other side of the tunnel? Or do you mean it moves the marking up a level to the tunnel IP header?
by jkarras
Tue Jan 27, 2015 6:31 am
Forum: General
Topic: Problem - logged out: lost dhcp lease
Replies: 3
Views: 1427

Re: Problem - logged out: lost dhcp lease

What does your DHCP config look like? Are you using RADIUS?
by jkarras
Tue Jan 27, 2015 6:18 am
Forum: General
Topic: double gw mentioning in dhcp-server? How to use?
Replies: 9
Views: 1280

Re: double gw mentioning in dhcp-server? How to use?

Clients typically only support one default route. You should look into VRRP to solve your issue.
by jkarras
Sat Jan 24, 2015 3:41 am
Forum: RouterOS v6 RC and v7 BETA
Topic: [FEATURE REQUEST] Two Factor Authentication
Replies: 22
Views: 13613

Re: [FEATURE REQUEST] Two Factor Authentication

My reason for pointing out the other vendors was only to answer the others above who said other vendors supported two-factor. Good point on the single home router. Anything past one device would increase the administration quite a bit as there would be one entry in the app for every router. Centrall...
by jkarras
Sat Jan 24, 2015 2:38 am
Forum: Forwarding Protocols
Topic: Port Forward from no default Gateway problem
Replies: 2
Views: 799

Re: Port Forward from no default Gateway problem

Is there a default gateway defined in the VRF(routing mark) in question?
by jkarras
Sat Jan 24, 2015 2:29 am
Forum: RouterOS v6 RC and v7 BETA
Topic: [FEATURE REQUEST] Two Factor Authentication
Replies: 22
Views: 13613

Re: [FEATURE REQUEST] Two Factor Authentication

Like has been mentioned earlier, any site with large deployments is likely using RADIUS for central administration authentication anyway. Adding Google Auth to FreeRADIUS is a pretty simple way to get this done today. I can't think of any competing products that offer OTP on the switch or router its...
by jkarras
Wed Jan 21, 2015 2:08 am
Forum: RouterBOARD hardware
Topic: Choosing the right mikrotik hardware
Replies: 2
Views: 751

Re: Choosing the right mikrotik hardware

The only difference between these two models is the amount of memory it has. If you are going to take a full BGP feed from your ISPs, go with the -em model. If not, the non -em model should work fine.

There are 4 SFP slots on the device, so if that number works for you then you should be good.
by jkarras
Mon Jan 19, 2015 5:37 am
Forum: Forwarding Protocols
Topic: BGP Implementation
Replies: 17
Views: 2489

Re: BGP Implementation

If you must implement BGP you could look at turning on BFD to help with the timing issue. Won't solve everything but will help.
by jkarras
Thu Jan 15, 2015 6:46 am
Forum: General
Topic: IPv6 RAs leaking out of VLANs - IPv6 unusable.
Replies: 5
Views: 1567

Re: IPv6 RAs leaking out of VLANs - IPv6 unusable.

The trouble is you have both tagged frames and untagged frames on the same port. The PC, if not VLAN aware, will pick up both. In other words, you have port 17 set up as a partial trunk and then expect it to not send both tagged and untagged frames out of it.

What is your intended use?
by jkarras
Thu Jan 15, 2015 12:46 am
Forum: General
Topic: Help required with MTU settings
Replies: 5
Views: 1303

Re: Help required with MTU settings

Did your ISP state what their L3 MTU was set at? You need to match what they set their side to or you'll end up with odd packet drops when packet reassembly happens.

Like the previous poster mentions, do a ping test, but instead of pinging the Internet, ping the next hop towards your ISP.