MikroTik

NathanA

"shared via MAP-T" We might have found our problem. MAP-T is a technology that ISPs can use to route IPv4 traffic over a native IPv6 network statelessly (no tunneling/encapsulation), while also (optionally) allowing one IPv4 address to be shared amongst multiple users (as an alternative t...

NathanA

There is a better way. You DID read the documentation, didn't You? There is clearly stated "If newly created address is manual link-local address this setting allows to override dynamically created IPv6 link-local address." I literally quoted that exact same sentence from the documentatio...

NathanA

Sorry to dig this fossil of a thread up again... I realize that there were multiple different underlying causes contributing to "the" CCR2004 watchdog reboot problem. There are multiple entries addressing "stability" issues with CCR2004 spread out over various ROS releases. And t...

NathanA

In this monster thread from a couple of years ago where this was discussed ad infinitum , I wrote and posted such a script triggered by DHCPv6 lease changes that seems to be fairly universally applicable and fairly robust. We also relied on this script for a while. But then, as hinted at at the end ...

NathanA

The line /ipv6/address> add address=fe80::230/64 interface=mwahaha auto-link-local=yes Sets the link local address fe80::230/64 to the bridge called mwahahaha I'm starting to think this is a bug.... If you read the documentation for the "auto-link-local" parameter, it does clearly state t...

NathanA

maybe is not so simple for a vendor to officially include an x86 cpu embedded in a router, maybe there is some bureaucracy, validation, and costs we as a consumers are not fully aware of I don't know if anyone else here is following the Mono Gateway router project of Tomaž Zaman on Youtube, but he ...

NathanA

Well the margin is not that wide. Even the most powerful Xeon-E CPU is now only 95W TDP. i think is not that simple i think many people have a limited power, cooling and space available in some places This is jumping back to an older response, but yes, one of the advantages to purpose-built hardwar...

NathanA

Interesting. Again, what ROS ver#? Was just about to respond that I found a 7.18.2 device on our network with a GUA already on the LAN bridge assigned from a pool, and added a ULA to the same interface as a test. No problems detected, and I did not have to reboot it after the add: [admin@MikroTik] >...

NathanA

It seems weird to me that ROS would actually be paying attention to what "class" of address is being assigned to an interface (GUA or ULA)...a client that needs to pay attention to RFCs about network class priorities, sure, but a forwarding router...? So I have a hard time believing that i...

NathanA

Being "behind CGNAT" would mean that your ISP is giving you a private IP address on your WAN connection. It sounds like this is clearly not the case. Hopefully this is just a side-effect of you testing random things, but although you said you tried various in-interface or in-interface-list...

NathanA

The use of netinstall version 6 won't limit you on RouterOS version 6. I think @mkx understands this. What he is responding to is that it seemed like the OP had originally been under the impression that Netinstall version has to match ROS version being installed, if you read earlier posts closely. ...

NathanA

Perhaps I worded that poorly. Some of them showed up, but not all six of them. Likely the SFP+ ports and not the 2.5G ports.

Ahhh. "all six did not" (what was written), vs. "not all six of them did" (what was intended)

NathanA

As per the recommendations I've seen on these forums, I did not use the "Add Default Route" setting in the DHCPv6 client, and instead relied on RAs from the ISP (with "accept-router-advertisements=yes" ) to create a default route, which all worked fine. I would not necessarily s...

NathanA

Well, I have no different way to write "the issue is not about updating RoS". You wrote: "the issue is not about updating the Ros [...], it is about updating it in such a way that the device after the update behaves like the other one" This is a confusing sentence. When you used...

NathanA

5. And use netinstall-cli command. This maybe to get around all obstacles in Windows such as antivirus, firewalls, etc. To get around the problem of "malformed packet". If you actually read through the whole thread (it's long, I know), the "malformed packet" issue is somehow a b...

NathanA

[...] and because I don't want my static records to fail when the internet is down. :lol: Mostly curious: is that actually a side-effect of this bug, though? Will it allow its response to your request to be influenced by any responses it gets from upstream? Does it actually seem to generate delay t...

NathanA

I tested about five different boxes at the time, and so I can't honestly remember which ports worked and which didn't, but suffice it to say, all six did not show up on that box Wait...ALL six did not show up? That doesn't make much sense. Now I'm not so sure about this particular anecdote accurate...

NathanA

8086:125c Both awesome as well as interesting; thanks much. The only thread I had been able to unearth so far with anybody at all talking about i226-V compatibility with ROS is this one from late 2023, which seems to imply that the interfaces do actually show up for them. In light of your testimony...

NathanA

Curious if you tried changing the gateway of your ::/0 route to the link-local address of the next-hop vs. its GUA? Obviously if the GUA isn't working until you force-clear its entry from the neighbors table, that seems like broken behavior, but I'm mostly curious if this largely "solves" ...

NathanA

(I have a box very similar to the one he's looking at buying, and IIRC only the SFP+ worked on ROS7; the 2.5's did not.) Do you happen to know what ethernet chip was being used for the 2.5s (PCI vendor and device IDs would be even cooler)? And curious when was the last time you tried it (what ROS v...

NathanA

Depending on your network ... If you have a network that is a /24 ( example 192.168.1.0/24 defined on an ethernet interface example: 192.168.1.1/24 ) then you can not route a /29 from that network and route it somewhere else. I think it should be possible with proxy-arp turned on on the interface t...

NathanA

The machine you linked to on Ali appears to be this Topton product . Though I've yet to pull the trigger on any of them, I've been keeping my eye on this and similar boxes by other manufacturers, as I too have a strong interest in good value x86 hardware that can run ROS on it bare-metal. When it co...

NathanA

Any further thoughts? I had assumed you saw my last responses, where I dug up two 3011s with identical "factory-firmware" versions to your two, and can reproduce the same problem you are experiencing on my one with 3.27. That seemed to settle the matter in my mind, at least as far as any ...

NathanA

What ROS version? I just tested on 6.49.*, and so far I can't reproduce on that version at the very least. If this is happening, you should be able to see the router transmitting the DNS request. So, have you tried running the sniffer with interface=<wan>, ip-proto=udp, port=53, direction=tx, and do...

NathanA

Hmm, that mostly looks correct. The other thing that gives me pause is that the 'wireguard' interface wouldn't be a VLAN, and yet you said one of the VLANs on the client was SLAAC'ing from the 'wireguard' prefix. I also failed to notice until just now that you had previously written that the RAs you...

NathanA

Rather than MT RA daemon broadcasting (well, multicasting) out of the wrong interfaces, I would be leaning more in the direction of a possible misconfiguration in your bridge VLAN filtering config that is causing traffic to leak between VLANs. But you didn't include your whole config, so...

NathanA

I do seem to recall various threads, very similar to this one, that popped up right around the time the 850Gx2 was released, with people experiencing weird management problems to it. The thing is, I've never been able to reproduce any of those issues myself, with any of my 850s. I just took one with...

NathanA

Yes. "device-mode" is set to advanced, but I'm sure "routerboard" under device-mode says "no"; see: the very last line on the help page that @tdw linked to.

NathanA

RouterOS has its own bespoke scripting language; see here for documentation. It looks like on RouterOS 7, there is an "inactive" status for LTE interfaces that exists. Looks like this can be checked programmatically with something like... /interface/lte/get lte1 inactive ...which returns a...

NathanA

Nathan your hurting my brain, is there any reason to separate connection tracking clearing of change IP and down and change of ISP? and if not, I'm not arguing about that at all. What I'm doing is what people in the industry call "thinking out-loud about a possible workaround". then MT si...

NathanA

So, I am not 100% clear how this is working, but I just ran an experiment with Hurricane Electric Tunnel Broker (which also uses SIT encapsulation, same as 6RD), where instead of using the separate routed prefix they assign to my tunnel, I took the /64 assigned directly on the tunnel itself, and on ...

NathanA

...and the usual userland tools ("conntrack-tools"). That's what I'm talking about: the userland conntrack tools. Yes, I expect ROS is using the same kernel APIs. In the past, though, I have found statically-linked builds of similar tools to be a requirement when trying to run them on top...

NathanA

Because the current way with list building and iteration is really cumbersome, slow and resource intensive." Apologies; I missed that. And yes, in fact the deletions are only performed until the first reference is encountered where the connection has timed out while preparing the list of items...

NathanA

also numbering of versions is the third worst in the universe. :lol: Eh. I get it. It's not uncommon to patch an older branch of software, for users who have already confirmed that branch works for them and don't want to take on the risk of regressions in a newer major release. (What MikroTik histo...

NathanA

What's difficult to understand here? In meantime try to netinstall the device with netinstall64 7.16.2 Post #26, 8 days ago Except that you're wrong, because Netinstall 7.16.2 ALSO does not work on these early 3011 routers. I just went back from 7.18.2 one version at a time, and discovered that the...

NathanA

I really would like my conntrack -D. I am curious what you are looking for that is not currently possible with /ip/firewall/connection/remove [find where <blah>] ? That slide in the MUM deck talking about masquerade vs. src-nat is interesting, because I have used src-nat before in scenarios with mu...

NathanA

You can find it at #4, but at the end of the list, so it's not sorted ;-) D'oh! I know it's not sorted, but I looked for them, I swear! 🤦 Everything works like expected with these parameters: Yes, I suspect that with that set to "1", the VoIP phones are seeing the LLDP-MED advertisement a...

NathanA

4. If I set a manually configured IP+gateway on the client everything worked, connecting to the main router or the extender. I do understand that. However, if broadcast traffic were somehow broken or blocked in only one direction, you could still theoretically get this outcome where a static IP wor...

NathanA

Regarding IPv6, there are no other configuration possibilities (enable v6 on LAN -> you see a 6RD prefix assigned, or turn off.) There is no IPv6 static route screen? Are you able to divulge the make and model of this router? I would also be curious who your ISP is... I suppose I was initially expe...

NathanA

The Reolink has PoE ports for the cameras, and a single LAN line to the Hex or whatever. The Hex does not deal with cameras, only the traffic selected to be obtained from the NVR. Ahh. I allowed myself to jump to conclusions when it was mentioned that there were 4 cameras, and then people started t...

NathanA

lldp-med-net-policy-vlan must be " disabled ". But if you go to the WebGUI, it always set the value to "1", even if it is disabled . Nice sleuthing! Can you elaborate on the ROS version you are running where you are seeing this issue? I was going to respond earlier that I was co...

NathanA

Actually I solved the problem.

You do not need to create a custom script to solve the problem. Simply do NOT check "Apply default config" in Netinstall. Just tested this out on brand-new hAP ax2 to verify. Problem solved.

NathanA

I already know about previous problems in peripherals that have an old factory bootloader and why. And of course I already expected that the other router that work had bootloader version 3.4x or later. You "knew about previous problems" with "old factory bootloader" and "wh...

NathanA

Here's how they sit right now Okay, good. We already see a difference. Let's pretend for a second that "current-firmware" on both is the same, since you stated that at least at one point in time, they were ("bad" used to also be on 7.18.2), and you saw no change in behavior. We ...

NathanA

Sigh. I fear what we have now is a "too many cooks in the kitchen" problem here, and now you are getting tossed to and fro as if by wind. All of these suggestions about things for you to try were being thrown around here by others because they didn't trust that you had actually tried two d...

NathanA

Interesting idea, though it assumes that they actually account for a "software license" as part of the total cost of the device. Since MT is the "OEM" in this case, pre-loading their own software onto their own hardware (a-la "Apple"), that might not be the case. If it ...

NathanA

And I did create that route in the ...... routing menu ......
But that is not where it should be ...

The return route should be under IP routes

And people wonder why we ask for config exports from their routers...

NathanA

I will have 4 PoE cameras connected to the NVR In this case, I'd actually be tempted to get a hEX PoE instead. You get 5 gigabit ports wired up to the internal switch chip instead of 4 on the hEX refresh (plus an SFP port which isn't wired to switch), so you won't have to worry about your uplink po...

NathanA

Use DHCPv6 client and configure it to receive a prefix on WAN interface. Admittedly OP was a little ambiguous about this, but he did already mention he had tried to set up a DHCPv6 client. The ambiguity is that OP did not make it clear whether this client had been configured to attempt to acquire a...

NathanA

From my point of view DHCP issues could be the pattern. To me, this seems doubtful. According to your description, the problem was linked to particular bridge members (two different wireless interfaces that are members of two different bridges). If this were purely a DHCP issue, then it seems like ...

NathanA

Okay, I found the answer to why the "latest" file in the .05 directory returns ".04" in the contents, over in this thread . You can read about how people had problems after upgrading to .05. They tried to downgrade themselves, but weren't able to...every image file they grabbed f...

NathanA

There was some discussion of the scheme here: Binary diffs?? Oooof. If true, and if the only two files that are made available are the last full-flash release + the diff between that base version and the most recent version, then it would suggest that the only two choices that likely remain would b...

NathanA

exactly I have seen too that the release 3 is working but other are not working. [...] The .9 is not working. I tried updating to the latest beta with no resolution of the issue. Do firmware upgrades of the LTE radio always get downloaded from the internet? If yes, is it still possible for someone ...

NathanA

In my prior posts in this topic , I was using a Hex-Poe I now also have some Hex-S routers. hEX S is of course way faster, since it has a dual-core + hyperthreaded CPU in it @ 880MHz, while the hEX PoE has a single-core, single-threaded CPU @ 800MHz. So not entirely apples-to-apples comparison. My ...

NathanA

Okay so I've tried to find the file of my full config that i got with the export file command, but I can't find it in any of the hyper-v folders, so if there's a specific part of the config you need to see I'll manually check and send it here It doesn't export to "Hyper-V folders". It exp...

NathanA

What part of, he has tried two 3011s side-by-side multiple times connected to the same PC in each instance, and one ALWAYS works with Netinstall, and the other ALWAYS does not, do people not seem to understand?

Again, could he be leaving out details? Sure. But we're going around in circles, here.

NathanA

The netinstall process is reported as being extremely fragile[1], so it is hard to say if *anything* can affect it. It's pretty clear how it works. For RouterBOARDs, it's similar to, but not exactly the same as, PXE netboot (and on x86, it *IS* PXE), so, initial stage is BOOTP based, then it downlo...

NathanA

Just to amend: if your WAN IP address is not truly static (as in: set manually under IP -> address) and the rest of router setup is (more or less) default, then instead of using "dst-address" matcher it's often better to use "in-interface-list=WAN" matcher. Using "in-interf...

NathanA

What curious here is they did update the OpenFlow docs pretty recently: [...] Maybe hope it's coming back, but IDK. The command-line examples are clearly from 7.x (having '/' instead of ' ' between each branch of the command tree). Also, from the page update history, it looks like the first version...

NathanA

Then WHY (the heck) is the PC sending requests for 10.73.73.1 and for 10.73.73.31? :?: I do believe these are red herrings. Undoubtedly ARP requests for 10.73.73.1 are being transmitted because I'd imagine that @Michiganbroadband configured the IP address on his ethernet interface in Windows static...

NathanA

Brief follow-up: After only looking for a couple of minutes, I wasn't able to round up a hEX PoE or a hAP ac (which has very similar CPU to hEX PoE) to run some really quick tests with. I'm sure we have some around here somewhere so I will look more deeply later for an available one. But I did find ...

NathanA

Ip route has a 0.0.0.0/0 route with gateway being ether3 interface, Don't set "gateway" to an interface. Set it to the next-hop IP address. I'm guessing/assuming this is likely to be 77.88.99.1, but of course that is only a guess...talk to the provider/host and find out what IP they are u...

NathanA

I configure the src and dst ports to 22, [...] You should not be matching on src-port for a port forward. The host initiating the connection to your SSH server will be sourcing their side of the connection from a random TCP port, not from 22. Only the DESTINATION port is guaranteed to be 22. So one...

NathanA

I posted a different thread about this a few weeks back, but I'm currently tracking an issue with ROS 7.x where connection tracking suddenly breaks the forwarding of IPv4 fragments after some as-yet-undetermined threshold is crossed (can't tell yet if it is throughput, PPS, # of tracked connections,...

NathanA

ccr2116 v7.16.2 [...] cpu 14-15% with offload enabled disabling fasttrack-hw offload leads cpu to 22-24% re-enabling fasttrack-hw offload cpu returns to 14-15% ccr2216 v7.16.2 [...] cpu 16-18% with offload enabled disabling fasttrack-hw offload leads cpu to 33-36% re-enabling fasttrack-hw offload c...

NathanA

Arguably the simplest way to create dst-nat / port forward rules when you have a dynamic IP is to just match on in-interface=<WAN>, and not try to chase the changing IP address at all. Though of course if you also want to implement hairpin NAT, this won't work, because your LAN-sourced traffic will ...

NathanA

Same here on a Hex S. Had to switch to AES-256 with SHA-256 (SHA-512 not hardware encrypted) or else unit would keep rebooting on phase 2 establishing in 7.19 and just not work in 7.18. Oh. Wild. I was suggesting the OPPOSITE: that the crashing was happening when it was USING hardware encryption of...

NathanA

Hello, thank you for your quick response. I appreciate the help provided. My ISP-A has a 150MB bandwidth, and I also have ISP-B with a 4MB bandwidth. I want all client traffic to go through ISP-A, but I want clients to be shown the public IP of ISP-B. Unless you own those IP addresses (guessing not...

NathanA

After all of your tests and answers, I am inclined to think you are right that there is something uniquely wrong with the one 3011 unit. Now the obvious question is, what is it? First, just to clear up a few possible misconceptions: Netinstall does NOT re-flash RouterBOOT. If there is something wron...

NathanA

On my Hex Poe , I have enabled Fasttrack. Got some increase but not a huge amount. I would be interested in seeing the config. I have personally tested Fasttrack vs. non-Fasttrack on RB951G, which has slower and older CPU in it than hEX PoE does, and can confirm I get results very close to what Mik...

NathanA

In my LAB , I have a Hex PoE connected to a 1-Gig network. the Hex PoE has a slow CPU and only reaches about 250 to 280 Meg - but a different much faster Mikrotik can allow the same PC to hit near Gig nat speeds. I still don't understand why you don't just implement Fasttrack. You can achieve near-...

NathanA

I don't know if we are managing to talk past each other, or what. You keep mentioning NAT444. My understanding of the theory behind NAT444 (which perhaps is wrong) is that *something* is still taking up the majority of the connection tracking workload. It's just that if you are having the customer C...

NathanA

Pretty much the same way regular normal nat works but the port and IP address are both re-mapped.

Then it's not stateless, and thus it's not really saving you any CPU cycles.

I don't see where you think the CPU savings are coming from with the change you are suggesting.

NathanA

If a customer computer gets an ip address of 192.168.0.10 , then outbound traffic and all 65,535 ports would be CGN-Natted ports 34,500 -through- 34,749 . Which results in a remote located internet server seeing all connections from the this customer LAN PC coming from the live IP address with orig...

NathanA

It's either-or: I think you intended to communicate this, but just to be clear: it is possible to selectively NAT traffic sitting behind any given interface, which means you can in fact have both hosts with public IPs and hosts with private IPs sitting on the same LAN/network segment, mingling toge...

NathanA

Also , what I propose re MAC the address option during a restore could be used on another already configured router ( with other users & passwords & wireless configurations & routes & ... & ... ) and quickly make it an identical clone. With .rcs import files , the .rsc import fi...

NathanA

My understanding is that this is in fact exactly what "action=netmap" does. I have not, however, benchmarked it against "action=masquerade" or action="src-nat". I suspect any improvement in performance would be negligible, since I'm pretty sure most of the CPU being tak...

NathanA

Whoever uses SSTP needs to understand that it is highly inefficient, by design . Exactly. Whenever I run into this topic, I like to link to this page: Why TCP Over TCP Is A Bad Idea SSTP is a last-ditch, "I'm desperate and literally nothing else will work" VPN protocol. If someone is in t...

NathanA

When you say Netinstall works to one RB3011 but not to this other one, are you actually doing exact apples-to-apples comparison/testing? In other words, you are plugging eth1 of both RB3011s directly into the exact same ethernet port of the exact same PC? It's not like you are physically hooking one...

NathanA

I'd just add while the simple: /interface/ethernet/reset-mac-address [find] works for ethernet... if you had other types of interfaces, those require additional (and varying script) work to reset OTHER interface types. The only other non-Ethernet hardware interface type I can think of that RouterOS...

NathanA

I just looked at two boxes from ac2 as well as physical stickers on the devices. The international one says "INTL/US", product code RBD52G-5HacD2HnD-TC. The numbers after the serial number are "347/r3". The US one has product code RBD52G-5HacD2HnD-TC-US, the numbers after the se...

NathanA

The problem is of course source address selection. When a host has more than one address, to my knowledge, most hosts that have a direct presence/address-assignment within the same prefix as the destination they are trying to reach will properly source from the address they possess within that same...

NathanA

Okay. So the RB will not be (strictly speaking) a bridge but a router. The ISP will send packets for any address from the /29, including the .0 and .7, to the RB, and the RB may attach the whole /29 to its bridge interface, wasting 3 of the total 8 addresses for its own address, the network address...

NathanA

When we configure a new Mikrotik CPE , we restore a master configuration on the 2'nd Mikrotik - then must perform a /interface ethernet reset-mac-address for each interface. You likely know this, but just in case & for the benefit of everyone else, instead of having to issue separate commands &...

NathanA

With an ipv6 prefix change, my connections fully internal to my network will be broken. My hunch is that even those in the IPv6 idealist camps would say this isn't the case, since if you are using it "as intended", you will have multiple addresses per interface, and that intra-LAN, your h...

NathanA

This is (mostly) solved for RAs. Even if the (I seem to remember 2h) grace period is maintained on end-user devices: * connections still break after that * does the provider side maintain the route for this suggested grace period? * if the provider does not maintain the route, does it (just for fun...

NathanA

Yep. Should have been solved (like there are framed routes in ipcp). IPCP itself doesn't really know about "framed routes", which is just an implementation detail on the PPP server side. (And it actually is a long-standing pity both that IPCP can't tell the connecting client what IPv4 CID...

NathanA

It turns out that there is a lot that I agree with you on...and some that I don't. 🙂 I'm not sure that treating a mobile device as a singular endpoint is the worst thing. Of course this does not allow for the broadband over 3/4/5G scenario, which should obviously be handled in some other fashion. I ...

NathanA

I just can't understand the reason for all the strange implementations ISPs come up with. (And "strange" barely begins to describe my general annoyance.) At least when it comes to 3GPP networks, changes on such large networks (and the devices that connect to them) seem to move at the Spee...

NathanA

You could research on Sangoma that's what we used in the old days I don't know if this works with x86 MikroTik PC never try them :) I believe ROS supported some Sangoma cards waaaaaaaaaaaaaaaaaaaaaaaaaay back in v2.9. In v3, I seem to recall support for all sync serial interface cards was dropped e...

NathanA

The 16G-2S+ variant of the CCR2004 was never released running v6, and v6 has no support for its networking hardware. The 12S+2XS variant was initially released with v6, but many people have reported instability with it (though most of those reports seemed to calm down after the release of 6.49+). It...

NathanA

why not just use IPv6 NAT? (With non-ULA internal addressing...)

If not ULA (which is obviously undesirable due to how most client network stacks treat them), then what IP space would you suggest such a set-up use?

NathanA

I remember doing a bunch of testing of IPv6 over LTE on ROS a year or two ago, and coming away with the distinct impression that it had to be proxying NDP; however, in fairness, at this moment I cannot recall the specifics of how or why I concluded that. I just discovered RFC 7278 , and I suppose it...

NathanA

I remember raising this point before, but apparently it wasn't in my prior reply to this thread (from 3 years ago...). So it bears repeating here: The craziest part of this is, RouterOS actually HAS an NDP Proxy. It's just that it is ONLY available if you configure IPv6 over an LTE connection! If yo...

NathanA

The thing that angers me the most is, when updating a hap ac2 from a ROS 6 version, to >=7.17.x the cpu-frequency is set to something around 730mhz... Not to derail the conversation too much, but I'm pretty sure that the CPU freq default setting on RouterOS 6 / RouterBOOT 6 was to fix it at 716MHz....

NathanA

Just to be clear, my post was about fast path via nf_flowtable, not L2MTU. Different features and different context. You were perfectly clear. The context is that of assuming that MT made the seemingly logical choice by choosing a networking feature that might be provided natively in the mainline k...

NathanA

Is hAP ac2 still being manufactured? I understand the hardware revision might have happened at some point in the past, so all your points are valid regardless. They don't publish any end-of-life dates or even product release dates. The hardware page on the main website only has the archived section...

NathanA

Very often MT will +1 the revision # if they make even the smallest of hardware tweaks (typically as long as that tweak also requires software support). So for example, maybe they had to switch NOR flash vendors for one of their manufacturing runs/batches, and older versions of ROS do not support th...

NathanA

I also have a 256MB unit where /system/routerboard reports as "-TC" at the end of the model#. It also reports the same in its MNDP broadcasts (IP > Neighbor table entries on neighboring routers, and also in Winbox Neighbors tab). I had never noticed the -TC before! We have hundreds and hun...

NathanA

As a first step, could you try downgrading one of your crashing L009s back to 7.16, and see if the crashes stop? That would at least lend more evidence to the theory of a grievous regression in 7.17+ that affects at least this product...

NathanA

I got this info from a friend I met this weekend. Support for " fast path " (aka Linux " flowtables ") is standard functionality in Linux kernel 5.6, which is what ROS v7 runs on. Flowtables were introduced around 2017/2018 with full user-space support in Linux 5.1 and use relat...

NathanA

a general one... As i can see, v6.49 uses all 4 CPUs for Download and Upload traffic (sfp1 > ether1 = Download, ether1 > sfp1 = Upload). With v7.x (7.18.2 in my tests, but also other versions act the same) Download is handled by CPU 0 only, while Upload will be handled by 0,1,2,3 so 100%. [...] The...

NathanA

I have no idea why the switching performance without Fast Path and Hardware Offload in RouterOS 6 is much better though. The numbers are lower than RouterOS 7 with Fast Path available though. So even with RouterOS 6 it would be better to not use DHCP Snooping on the hEX / hEX S. I think the conclus...

NathanA

The last time I actually checked this field thoroughly (it was a few years ago), MT ceased to support new installs of x86 bare metal devices. I don't know where you came up with that as I'm quite sure that has never been the case. In fact, arguably, with the release of RouterOS 7, it's better than ...

NathanA

The dumbest problem was this hidden 1,5mb flash usage. I don't disagree. (Well, maybe that combined with the fact that 16MiB of fixed nonvolatile storage was ever a thing on any model.) Really, though, I was annoyed by the entire problem-set as a whole (and not one any specific part), which is what...

NathanA

I was looking at the RouterOS license levels and noticed there’s no level 2. The feature gap between 1 and 3/4 is also pretty extreme. It's a category of question in tech that is as old as time: "What happened to Windows 9?" "Why isn't there IPv5?" 😂 Now, I actually knew the ans...

NathanA

Just tried with an RBwAPGR-5HacD2HnD / 7.18.2 Same Config as above. Ping and Winbox over IPSec works instantly - no Downgrade needed with that device. Seems to be an issue with that hEX S... I do know that different SoCs implement different levels of encryption hardware offload that IPsec on Router...

NathanA

Sounds like a kind of "secret key" (rather than a password). Good idea. But won't help for already deployed devices. Not in all scenarios, but definitely in certain ones, it absolutely can. One such scenario would be, as I mentioned earlier, if you have end-to-end control of the network t...

NathanA

Wow, that's amazing that Getic can sell licenses so cheaply. The wholesale rate they get must be crazy. CHR license keys and "regular" license keys are different and not interchangeable, from the perspective that a CHR key can only be applied to a CHR instance, and a regular key to a bare-...

NathanA

I have a pool of ready to use CHR licenses I can use to activate/build a replacement CHR when it does what you are describing. Is using an extra/different license actually any faster than simply blowing the original one away, spinning up a virgin one, and applying the original license back to it &a...

NathanA

I'm starting to think it is just certain packets being sent that the driver doesn't like, I don't think it necessarily means performance is degraded. You may be onto something, and I have suspected something similar for a while. I will note that I have not put ROS 7 on any of our bare-metal x86 rou...

NathanA

[...] removed the password label without noting it down, [...] I'm not talking about that (I agree that removing the label is a bad idea). I'm talking about, as I said before, *already deployed* devices. Implying, I am not physically in the same room with said device, nor would it be easy nor conve...

NathanA

As I already suggested, wouldn't it be enough to use the factory password for security? As dang21000 points out, not all devices have default factory password. For the ones that do, if they have already been deployed and the factory password was changed, and we didn't keep a record of the factory p...

NathanA

My concern is that there will come another media storm, where Mikrotik routers are singled out for being parts of some botnet, and (also in the name of security and with good intentions) another set of features will be restricted by a new device mode. Then at least some people in some situations wi...

NathanA

I agree with most of the complaints about the implementation and how this has been handled; the device-mode restrictions are very annoying to have to deal with, especially when it is a remote device that you have upgraded and that you previously had full control of prior to the upgrade. That said, i...

NathanA

we need this setup to access the LAN there are many network enabled device we need to configure noone at that house is able to do so. In your original post, you said this: This means all internet traffic from House 2 should be routed through the RB5009 at House 1. Naturally, this makes it sound lik...

NathanA

what uses Intenet the way that needs to be routed via House2? OP hasn't said this explicitly, but what this "smells" like to me is, there is probably some online resource that is geographically restricted to the area where House 2 exists (like maybe video streaming service or something), ...

NathanA

I have a few CCR1xxx at my disposal to do some testing with, so now that I am so invested in understanding the nature of this problem, I'll try to set aside some time to run a few deeper experiments. 😉 Okay, I quickly grabbed a CCR1036-8G-2S+ off of the shelf (I acknowledge this is not the same mod...

NathanA

The text diagram appears to show the RB5009 all on its lonesome, nothing downstream. A drawing might have been helpful. He has both explained in the original post & confirmed in follow-ups that the RB5009 is going to be hanging off of a private LAN, sitting behind a NAT, with a single connectio...

NathanA

IIRC there was routerboot change sometime around 6.48, which was (later?) required for proper support of newer kernel, present in v7. Where exactly is this stated or documented? ROS changelogs do include "routerboot" entries in them going back to the 6.x days, and yet I can find no mentio...

NathanA

Activating DHCP-Snooping on v6.69.6 does not decrease speed to round about 300M. The 849,70 MBit/s shown on that Screenshot is 100% of ISP-Speed. Do note that it is still true in this screenshot that bridge fast path is not working...fast path counters in Bridge > Settings are all at 0. Also, no po...

NathanA

This is what I will try. Actually I noticed yesterday that my house1 isp router though assigns ipv4 to ether1 it does not assign the ipv6. my isp router has ispv6 capability it assigns to other device. Not sure why ether1 of rb5009 does not get one. I do not think that the default config sets up a ...

NathanA

So it appears the mismatch in the routerBOARD firmware and the OS firmware was the issue. or at least it appears to have fixed it for now :) thanks for the help everyone ! I think time will have to tell if this actually fixed the issue. I personally have never seen mismatched RouterOS and RouterBOO...

NathanA

Quick addendum to my last post: I did just think of one other possible way you can access WebFig with the default config over the LAN without changing your PC's IP address: if your PC has IPv6 enabled (and if it is anywhere close to recent, it should), you can try to talk to the router via the LAN l...

NathanA

2)If I connect the RB5009 to ISP router via ether2 then ISP router do not assign any IP. so cant access RB5009 I did tell you this would be the case. Default config ONLY has DHCP *client* on ether1. ether2-ether8 only run DHCP *server* and has a static private IP of 192.168.88.1. You either need to...

NathanA

Better the naysayers of those who implicitly suggest deleting the default configuration and therefore the firewall with all that it entails because is more easy, creating yet another machine that will cause, in one way or another, DDoS... Did you ACTUALLY read OP's post? Because it was pretty clear...

NathanA

To *directly* answer the OP's main question: Different MikroTik router models come with different default out-of-box configurations. Most home/SOHO models will have a default config that treats first copper ethernet port (ether1) as "WAN", and the remaining ports as a single common switche...

NathanA

I doubt logging to disk is going to reveal anything. It sounds like RouterOS itself is shutting down cleanly and resetting the CPU fine & the problem is not happening until after the bootloader is engaged, so nothing interesting is going to get logged...if it can't get past loading kernel then w...

NathanA

I think Recent versions of Ros V7 don't have the upgrade from V6 conversion functionality any more. I am not sure where you got that idea. Please read the docs , which explicitly state the following: In most RouterOS setups that run fine with the aforementioned v6 versions, no extra steps are requi...

NathanA

I am saying it's nearly impossible to configure switchport vlans if you are not already experienced with Mikrotik routers/switches. [...] Mikrotik switchport Vlan documentation is not consistent and not similar to other products ( CLI and/or GUI ). I get the argument. I guess all I was trying to de...

NathanA

Is your "IOT interface" / the VLAN mentioned that "BR1" interface? I missed the 'fdec:<blah>' address on the interface called "IOT" until it was pasted in in the comment posted while I was writing up my last response, heh. Yeah, that's a ULA address, which is basically...

NathanA

1. The weird thing is I am getting a random Dynamic Global address on only one of my VLANs and I have no idea why. I get link-local addresses on each of my interfaces. And a single DG address on a VLAN. [...] 2. Any ideas why I am getting a random address on the IOT interface? Is your "IOT int...

NathanA

So in which way my statement doesn't apply to your example?

Please read my response directly above your last (posted about an hour prior). It explains...well, as much as can possibly be explained, heh. In short, I had a most massive frain bart.

NathanA

I think @mkx was specifically talking about adding the bridge port named "bridge" (as in the CPU-facing port) as a tagged port. Oh my goodness! I think you're right! 🤦‍♂️ And in retrospect when I re-read that part of my reply with that in mind, it doesn't even make sense...yes of course h...

NathanA

Look at the device in the OP of this thread, it's a RB5009, a router. Look at OP's current config that he/she wants to extend with VLAN, it's a ROUTER! Fair point. But then read through the rest of the thread up to this point, where we all kind of got a bit off the beaten path, and the conversation...

NathanA

In principle you don't want to set bridge port as tagged member of a VLAN if you don't intend CPU to interact with that VLAN over that bridge. [...] So I'm eager to hear use case for such setup. Huh? That's just not true. Maybe you are assuming that the MT in question is a router that will also be ...

NathanA

Since 7.16 we have this: *) bridge - added dynamic tagged entry when VLAN interface is created on vlan-filtering bridge; That removes the risk of forgetting to add the bridge CPU port to the "tagged" list of VLANs (which in older versions means no L3 access to the router through those VLA...

NathanA

The part I will agree with you on is that I don't understand what is preventing them from unifying the front-end VLAN config interface as much as possible across the different models of switch chips used in the different products. I understand that not all switch chips support all of the same featur...

NathanA

I'd just add on routers with a default configuration, enabling vlan-filtering=yes is complete safe to do at the START in RouterOS 7.16+. While, typical advice is to set vlan-filtering=yes last. I'm not sure that the best advice anymore. Since default use VLAN 1, that actually why enabling vlan-filt...

NathanA

In CLI, you can do an export and copy a specific line. If you execute that line (with some adjustments) you can execute it. There is also 'copy-from=' property, and you can modify whatever parameters you want on the new cloned object at the time of creation as well: /ip/firewall/filter/add copy-fro...

NathanA

You only need two back-to-back newlines for all cases. No space needed.

Heh, I swear I have tried that in the past, too. Let's give it a shot (again?)...

Bleh.

Test.

Yep, works (now?); thanks.

NathanA

How is it "reserved"? Or, how is "bridging between access ports to VLAN XYZ" different from "bridging between untagged ports"? What would be the purpose of a managed switch if you could not make an "untagged port" (= access one) a member of whatever VLAN you ...

NathanA

Thank you for that hint on that matrix. Is there also any matrix available where we can see which Mikrotik have which Switch-Chip inside? You can see the list of products that contain each switch chip model, and which particular interfaces/ports are attached to those switch chips, right below the s...

NathanA

Yeah, but you forgot to add my mighty conclusion: Because I'm not convinced of your conclusion, just as you are not convinced of mine. 😜 You don't need to use a backtick to add an empty new line, just use a space plus newline I swear I've tried that before on previous incarnations of the forum, and...

NathanA

but on many switches [...] vlan 1 is sort of hard coded [for this purpose], so if you have to interoperate with these, vlan 1 should be handled with care. Perhaps this is what you are getting at, but most of these aforementioned switches will reserve VID 1 as an "untagged" VLAN, and likel...

NathanA

To me, the key question still is: Does FastPath require a hard dependency on patched drivers, or can ROS use skb with standard hooks? ` Yes, of course. That's what we are discussing. Unfortunately, at the moment, I feel that we (on the outside of MT engineering) lack enough evidence to definitively...

NathanA

That said, I’ll concede that “interface driver support” might not necessarily mean modifying the driver. It could just mean that the driver and underlying hardware must not interfere with FastPath requirements ` Eh, maaaaaaybe? But if that were the case, you'd have to validate a lot of things about...

NathanA

The default 30d / 7d are > of default 3d on server side (not MikroTik problem, are default RFC values...) So for internal network the IPv6 expires 4 day later of what is already expired... ` Sorry, but unless I'm missing something, this theory makes no sense. Even if what you said is true that the ...

NathanA

Do you know how it actually works under the hood? ` I have not read through the source code, so no. ` My guess is that Mikrotik uses their own attributes (likely within skb->cb[]) to flag packets that can bypass things like firewall, NAT, or queuing. This would work across all architectures, includ...

NathanA

i think there is no priority for Mikrotik with this matter if it was important they at least will tried to get the old MPLS feature working even being mutually exclusive with l3 hw offload on v7, at least until they can make it work simultaneously, but nothing close to that happened... ` I agree th...

NathanA

i think v6 MPLS working feature got in the way of L3 hw offload maybe thats the reason to drop the MPLS feature as a temporary measure.. ` Maybe you're right; since we have no visibility into the situation from the outside, we can only speculate. But this just goes back to my concluding point : ` T...

NathanA

you forgot to mention only worked on some specific devices (CRS317-1G-16S+ and CRS309-1G-8S+) ` I didn't "forget to mention it". The context was, as StubArea51 put it, "day one of the Marvell chips being introduced". The Marvell switch chips are only used in certain products, of...

NathanA

I get why it's not an "ideal" solution, but given that the choice is seemingly between waiting for a change to ROS code, using PPPoE, or not using a MT as a CPE when on Orange...why is it not an option to put the WAN interface in a bridge by itself, hang a VLAN interface off of that, and t...

NathanA

Note, we are then not using the [...] Hotspot Pool to assign a customer a Hotspot IP as we have done that via PPPoE/Radius, [...] Maybe I'm missing something, but why couldn't you create an IP Pool on your BRAS that you assign to Hotspot Server as Address Pool, and then if a subscriber's traffic ne...

NathanA

I've been pretty negative recently in my posts here (I would argue justifiably, though that's neither here nor there at the moment), but I want to take a moment to offer well deserved praise and give credit where credit is due. So: THANK YOU MikroTik (genuinely) for FINALLY getting around to impleme...

NathanA

Fastpath and Fasttrack generally speaking do NOT work on x86. It is true that these have nothing whatsoever to do with HW offiload. However, both of these features require specific support to be added to the network interface driver (ethernet chip, etc.). MikroTik only bothers to do this for network...

NathanA

Admittedly the subject is somewhat misleading, but there's already another thread about this. Haven't seen MT address this one way or the other. Hard to believe that they aren't aware of it, though, if they are using the forum at all themselves.

NathanA

Maybe we are the betatesters for the next MikroTik product, a server load balancer? (after the storage server) I too have felt like this is a "CDN"-esque issue. In addition to the "forum not available" errors, the transmission time-outs, pages only loading halfway, etc. the othe...

NathanA

I've advocated for it since day one of the Marvell chips being introduced. My guess is that if it's not added in 7.16 beta, there is prob some blocker they have to work on to get it running/stable/etc. Here's the thing: it EXISTED in RouterOS 6, and works perfectly freaking *fine* on RouterOS 6. Th...

NathanA

xt_<blah> are typically Linux netfilter modules. xt_misc doesn't seem to appear in Linux mainline releases, but the source code for it is included in MikroTik GPL sources. It's not commented much, but as far as I can tell from a quick glance it adds some of the uniquely-MikroTik firewall/NAT/mangle ...

NathanA

That's bit 0.

Fair point.

NathanA

I know this is a couple weeks old already, but I just noticed it. So allow me to link you to a post I made over on STH about how to patch any X520 EEPROM so that it will accept any SFP module , without needing to modify the kernel driver or pass kernel boot parameters (neither of which you are going...

NathanA

You've got the right idea, and are very close. Don't manually set "untagged" ports on your bridge VLANs. When you set a bridge port member PVID, it automatically/dynamically gets added as "untagged". Manually setting "untagged" just lets you force a VLAN to egress a por...

NathanA

I did receive some response: https://box.mikrotik.com/d/81912835977544a291c9/ [...] Note, all of the files are 3+ years old. While the kernel is not new, I'm a bit skeptical there are ZERO kernel patches/changes in 3 years.... But in fairness I have not studied the disclosed file yet, so IDK... I h...

NathanA

i don't believe the issue is the flash, but how the free space is calculated. You could be right, but also, MT has no real incentive to help try to troubleshoot this issue on that particular model with the modification you did, since it would set a precedent for accepting responsibility for things ...

NathanA

I mean what NathanA said about NPKs. RouterOS internal security has been changed several times, there are all kinds of internal integrity checks. You can't install self-made NPK files. v7 was a very big change as such, but even during v7 many changes have been made to security in this regard and ot...

NathanA

just curious how the plan for that would look like with ROS? NPK packages are signed and i assume also at boot time when kernel is loaded, You might assume wrong. I'm not sure about ROS 7 (haven't dug too deeply into its guts yet), but at least with ROS 6 (or at least for most of its existence...ma...

NathanA

I just ran into this bug a day or two ago while trying to migrate an existing set-up from RouterOS 6 to 7. I have not had a chance to "officially" report it yet, but bug reporting to MT has become useless recently, taking weeks to get a response only to be told that they can't reproduce th...

NathanA

In past years, for various versions of RouterOS 5 and 6, I have asked & obtained the kernel sources from MikroTik. At the time, they were usually pleasantly swift to respond; but I did note that there was usually a delay of a few days if I was the first person to ask for the kernel sources to a ...

NathanA

I've got good news, and I've got bad news. I have re-tested IPv4 fragmented packets passing through a router running on RouterOS 7 without involving any bridging (just pure L3 forwarding). The "good" news is that if the bridge is not involved, then RouterOS 7 *does* re-assemble IPv4 packet...

NathanA

There seem to be some new problems when connection tracking and forwarding of IPv4 fragments are combined together, on RouterOS 7. I realize that RouterOS 7 uses a much newer version of the Linux kernel underneath the covers, and that a lot changed in the underlying network stack of Linux between Ro...

NathanA

My org uses X520-DA2 in some x86 routers, and other than a couple of quirks that I haven't gotten around to posting about yet, they have been working surprisingly well for us. The concept of L2MTU is a RouterOS-specific thing, and has to be explicitly supported by the underlying driver for the inter...

NathanA

And what in the release notes so far leads you to believe that? Do you have some eye defects? ` Yes, but mostly brain defects! ` I clearly linked to the change log from MikroTik regarding V7.8. ` Sorry, my browser did not jump down to the specific post in that very long thread the first time I clic...

NathanA

There is also tons of philosophy around ` I will definitely cop to personally falling more in the camp of caring about practicality, vs. philosophy. One example is that I'm not about to blame ISPs for not necessarily being able to adhere to people's idealized versions of what they should or shouldn...

NathanA

Back on 7 November 2022, I wrote: ` So, I see now after testing a bit more that there is a problem. It's actually not a problem with the 60 seconds, though. The problem is that, 10 seconds after lease renewal happens, the IP addresses assigned from the pool briefly go "invalid" and then ba...

NathanA

What is the current status of this long-requested feature in latest ROS 7? ` It works. It even works in ROS v6. So if it's not working for you, then I'm not sure what to tell you...I'd perhaps take the time to perform some packet captures of the exchange between your RADIUS server and your PPPoE se...

NathanA

While I agree that is bad behavior, there is a case to be made against using dynamic pools for PD: https://www.ripe.net/publications/docs/ripe-690 ` It's hard to know how to respond to this because it is entirely unclear what part of this very long thread you're responding to, or whether you read t...

NathanA

All, I just edited my previous reply with my DHCPv6 client script in order to replace it with an updated version. The original version of the script that I published here would indiscriminately disable and re-enable the IPv6 address during every lease renewal, in order to force the dynamic ND prefix...

NathanA

I think MikroTik fixed it on 7.8? ` And what in the release notes so far leads you to believe that? ` The solution, but still doesn't solve dynamic crap: https://datatracker.ietf.org/doc/html/rfc8978 ` Please try to keep up. RFC 6204 was published 12 years ago. Many consumer platforms' IPv6 stacks ...

NathanA

I don't have anything set under the DHCPv6 client section. ` LTE does not use DHCPv6 for communicating v6 address assignments. It essentially uses RAs and SLAAC. So it would do you no good to try to set up a DHCPv6 client. The script I wrote that does a "poor man's" implementation of RFC ...

NathanA

Doesn't seem to do very much, at least not when added to a BGP Connection.

`
From viewtopic.php?t=191693#p972927 --
`

bgp multipath / add-path is not implemented.

NathanA

If true, still not an excuse for poor post-sale support. If you are going to put it on the market, then you need to be prepared to support it, which includes fixing the broken ones.

NathanA

i have only one case a ccr1072 with showing only 8gb of ram, the interesting thing is that the damn router works ok, but has a light load (6gbps of traffic), no performance problems either ` Yes acknowledged, like I said we have experienced 1072s that sometimes only have faulty memory count (but ar...

NathanA

It looks like this interface is supported in Linux via a driver called "enic", which I don't believe is included in RouterOS. MikroTik developers would have to be the one to build and include the driver within RouterOS; as elbob2002 mentions, you cannot install 3rd-party drivers on top of ...

NathanA

i think MikroTik Lack of validated network design guidelines is the main reason of ccr1072 deployment miscarriages i have "rescued" several docens of ccr1072 which were at doorstops i think in most cases misconceptions about product scaling drove customers toward flawed network designs ` ...

NathanA

Has there been some sort of consensus what is actually wrong with some of these ? As you say some from day 1 gave us non stop issues.We had to retire them and replace with ubnts. I have 3x 1072 doorstops at the office. Weird how the 1016's and 1032's just pretty much work forever.Our failure rate o...

NathanA

I concur that if you have a 1072 that you are experiencing frequent reboots on, the hardware is usually faulty. On the 1072 routers we have that work flawlessly, we have no crashing/stability issues that can be traced to RouterOS 6.x. There are a shocking number of faulty 1072s out there. Symptoms a...

NathanA

I just submitted this bug report to MikroTik through their service desk. But I thought I'd also post it here, just in case anybody else has maybe run into weird oddities on their network with random dropped packets and/or stalled or aborted TCP flows that there was seemingly no rhyme or reason for. ...

NathanA

FYI IPv6 ECMP in ROSv6 does not exist. RouterOS was able to handle ECMP Ipv6 routes, but actual forwarding can happen only over one gateway. ` You mean "packets with the same source address , destination address , source interface , routing mark and ToS are sent to the same gateway" (http...

NathanA

I can't believe that this has been around for as long as it has, and nobody ever noticed it? I tested from latest 6.49.x back to RouterOS 5.x, but it probably has existed for much much longer? In short, if the route to reach a particular recursively-looked-up ECMP gateway disappears, and if the part...

NathanA

I see the same thing: lease time is only 60 seconds long. It would be nice to be able to adjust it, but in practice it doesn't seem to be causing any problems. Client has to renew every 30 seconds, but oh well... ` So, I see now after testing a bit more that there is a problem. It's actually not a ...

NathanA

One thing that may have gotten lost in the shuffle (and because of the horrible forum software's way of formatting quote-replies): my initial response here was not to pawlisko, whose response just happened to get in between me and the one I was really responding to, which was pe1chl's comment that &...

NathanA

I just love that analogy, and exactly the same all Telecom were saying going against MNP. Oh - thousands lines of code, databases, who will be responsible, etc. My number started years ago with Sprint, then it went to T-Mobile, than to At&T, to now Verizon. As a consumer I don't care. It has to...

NathanA

There is significant pushback on address translation in the IPv6 standard bodies. Maybe they can make it formally forbidden to issue dynamic IPv6 prefixes to fixed line consumers. ` Strongly, strongly disagree. Having think tanks...err, "standards bodies" dictate how operators that are ac...

NathanA

Hi there. Yeah 6.48.1 Works, BUT you can't have 2 customers with this attribute, as far I tested. [...] BUT the second customer is refused to connect with this message: "pppoe,ppp,error could not add dhcpv6 server with pool : server with such name already exists (7)" ` I can't reproduce t...

NathanA

advertise-dns=yes option on IPv6 ND is already present from years... ` You don't understand the original question. User's ISP only gives out /64, via SLAAC. But ISP RAs do not contain DNS information. Instead, ISP offers DNS information via DHCPv6 info. Since RouterOS does not have ND-Proxy, user i...

NathanA

Delegated-IPv6-Prefix RADIUS attribute support for PPPoE server still not working in 6.49.6? [...] I'm not brave enough to try ROS v7 yet - or should I? Even ROSv7 is not supporting... :lol: ` Passing Delegated-IPv6-Prefix attribute in RADIUS Access-Accept reply works perfectly for me in 6.49.x. I ...

NathanA

EDIT : Note that the script code in this post was last updated on 23 February 2023 Sorry for the thread bump, but this seemed the best place to put this. Inspired by previous postings here, I have taken a swing at implementing RFC6204/RFC7084/RFC9096 via scripting. But this time, in such a way that...

NathanA

Because dynamic interfaces can come and go, I have a need to make a snapshot of what interfaces exist at a given point in time, and then search through the snapshot rather than do a real-time search. For example, instead of... /interface find name~"ether" ...I want to first capture & s...

NathanA

I'm trying to set up a single L2TP server on RouterOS that can negotiate IPCP, BCP, or both. This part works. What I can't figure out is how to get a RouterOS L2TP *client* to *only* request BCP on an L2TP connection. I can make it request IPCP-only (by not specifying "bridge port" in the ...

Search found 1000 matches