MikroTik

mpreissner

Need a little help. Haven't used Mikrotik in a WHILE, so I'm struggling to remember how to do things. I have a hex, but need to use it as a switch for about a week. Simple config...need one trunk port carrying VLAN 1 and 1002, need 2 access ports carrying VLAN 1002. I've factory defaulted the hex, s...

mpreissner

but only bridge is added to LAN, and that means untagged traffic / vlan=1. Ah! The concept of grouping interfaces as LAN is a little odd to me. After assigning the Management VLAN interface to LAN, I'm able to reach my desired management IP address both from an access port on my management VLAN as ...

mpreissner

Here's my export so you can see where I am... /interface bridge add admin-mac=B8:69:F4:AE:58:0E auto-mac=no comment=defconf name=bridge \ vlan-filtering=yes /interface vlan add interface=bridge name=DMZ vlan-id=300 add interface=bridge name=GuestWireless vlan-id=901 add interface=bridge name=Interna...

mpreissner

Thanks! So far so good...but here's the next piece...I've added a DHCP server to my "Management" VLAN (100) interface, and I can get an address, so that works fine. However, I am unable to connect to the address I put on that interface via Winbox (using IP or MAC) or mactelnet. I can still...

mpreissner

Hey everyone...it's been a while since I've been active up here...but now I'm in a bit of a bind and need some help with setting up my new hex. Situation: I have an older RB750GL that's been running great for a while (ROS 6.40.5) using the older Master/slave port setup. I recently had to change an a...

mpreissner

When you're using EAP, you're not authenticating to the RouterOS system, you're authenticating to a Microsoft NPS server. MikroTik doesn't currently support any EAP methods for their VPN implementations. MikroTik only knows how to pass PAP, CHAP, MSCHAPv1, and MSCHAPv2 to RADIUS in their PPP module,...

mpreissner

If you have to have the same layer 2 domain across both sites, then a split DHCP implementation is the best way to go. It ensures survivability for each site if the tunnel between the sites goes down. You should be able to achieve this with GRE, but if you already have EOIP working, I'd just stick w...

mpreissner

LACP is supposed to be supported in the new version of SwOS (I think version 2.1 and up), and should be supported in a future version of ROS, but only on the CRS 3xx series switches (I think, could be wrong). The current port trunking is static link aggregation, and is not compatible with LACP.

mpreissner

Instead of using the phone's VPN client, why don't you set up an SBC on a public IP with your telephony servers (or port forward to it) and set the phone up to use SIP-TLS and SRTP...you'll achieve effectively the same thing...all RTP and signaling from the phone to any endpoint behind the SBC will ...

mpreissner

I would recommend against anything meant to intentionally weaken encryption. RC4 is a deprecated protocol. All the major browsers and OS's have dropped support for it. If you're concerned about AES eating up too much CPU, then use a stronger router. The cost is inconsequential compared to the cost o...

mpreissner

Yeah, I'm talking about SwOS too, given that this is the SwOS forum. You're right, LACP has been around in RouterOS for ROUTERS (i.e. in software), but it's currently unsupported for switches (i.e. in hardware). While you can technically implement it on the CRS line due to the limited layer 3 functi...

mpreissner

Probably an issue in the queue config. I'm definitely not an expert with how MikroTik does QoS...I have no need for it on my network, so I don't think I can help you any further with it.

mpreissner

LACP is in development. Not sure if it'll be supported on the CSS or other SwOS-only devices, but they do intend to support on the the new CRS3xx series which can dual-boot into SwOS or ROS. Might only be available on the ROS side when it is released.

mpreissner

SMB uses TCP port 445 by default. The ports you've set up in your mangle rules are associated with NetBIOS.

mpreissner

You need to remember that the default action for MikroTik firewall is Accept. If you do not put a Drop All rule at the bottom of each firewall chain, your router will Accept all packets that hit that chain. This is a HUGE oversight from MikroTik in terms of security, but easily correctable. You need...

mpreissner

No. SwOS is a MikroTik proprietary operating system designed to run on specific hardware.

mpreissner

They're slower because they use TCP instead of UDP, which is what gets them by firewalls...making them a pretty smart choice. As for congestion collapse...I've never had my SSTP tunnel collapse on me, but given that all the encryption is currently done in software, it's not hard to peg a CPU with a ...

mpreissner

I don't think it's fair to call OpenVPN or SSTP dumb...depending on the environment, some organizations block just about everything outbound except TCP ports 80 and 443. In such situations, things like OpenVPN and SSTP are the only options, as they're the least likely to get block by outbound filter...

mpreissner

Mac version doesn't appear to be available yet. Started Winbox 3.7 on my Mac, hit Check for Updates, came back No new updates available.

mpreissner

where should i find a trusted stable xca application? all the ones on sourceforge look so dodgy Sourceforge is the only reputable place to download XCA. True, the last update to the application was about 15 months ago, but I believe the developer still actively maintains it...just haven't been many...

mpreissner

Look, I appreciate that you're trying to learn something, but this is a forum specifically for RouterOS and MikroTik products. If you want to ask a question about those, go right ahead, but this is not the place to learn general networking concepts and technologies. Sign up for a class at a local co...

mpreissner

Duo Security is a good option if you need multifactor authentication of your users.

mpreissner

If you actually use the layer 3 functionality of your current switch, the CRS will likely not hold up as it is effectively a layer 2 switch with minimal layer 3 capability (mostly just for management functionality). If all you need is wire-speed layer 2 in a managed switch, the CRS may work well, an...

mpreissner

Intercept all DNS traffic and blackhole anything that goes out to an icloud URL.

mpreissner

Please refrain from making useless posts like this. If you're experiencing a problem, we need a detailed description if you expect any kind of help. What settings are disappearing?

mpreissner

If you write firewall rules like that, you'll end up missing things. Best practice is to create a rule that allows your management access, and then create a DROP ALL rule at the bottom of the chain. As you find you need to allow additional traffic, you simply add a rule above the DROP ALL rule. You ...

mpreissner

Add a firewall rule on the INPUT chain that only allows WinBox, SSH, and HTTPS from one of your internal networks. Then add a firewall rule right below that to drop all traffic to your device. These two rules ensure that ONLY traffic from you is allowed to go directly to your device.

mpreissner

Have you tried translating the untagged traffic into another VLAN? I think the biggest problem you're going to have is that Bridge only operates at the CPU...there is no hardware bridging implemented at the switch chip, so any bridging between the two switch chips is going to involve the CPU. I do t...

mpreissner

You can use any number of tools to generate your own certificates. I think MikroTik has the OpenSSL libraries in place to generate your own certs via command line, or you make your own from Terminal on your Mac. I like using the XCA application (available for Win, Mac, and *nix). It's a nice GUI pro...

mpreissner

So, your egress vlan tag section should only include ether1, ether 8, and switch1-cpu, since you said that you're treating ether2-7 as untagged (access) ports. You'll use the ingress-vlan-translation section to set the default VLAN ID for those ports. You didn't include your ip > firewall section, w...

mpreissner

If you want wire-speed layer 2 switching, then you need the master/slave relationship in place. It doesn't really matter which port acts as the "master" though, since they all share a single 1 gbps link to the CPU anyway. I'd recommend you do all configuration via the Console port until yo...

mpreissner

Any druthers on pricing for the new CRS317? Will you also start offering your own 10GBASE-T SFP+ module to support Cat-6a copper runs? Cheapest 10GBASE-T module I've found is about $370, with many wanting $500+.

mpreissner

Anyone looked at the possibility of installing the oVirt guest agent into the CHR for use on KVM?

mpreissner

RB750GL and CRS226 both running 6.34.1. Services like Skype and Jabber keep dropping/reconnecting across multiple computers. None of my coworkers (all remote) are experiencing this, so it's got to be either my ISP connection or something in my home network. I'm not seeing any packet drops or errors ...

mpreissner

Why do you even have telnet open? It's an old and insecure protocol, you should only be using SSH.

This. Stop using unsecure protocols!

mpreissner

You need to consult your ISP. There will be absolutely no benefit if they don't support a higher MTU.

mpreissner

Any chance we can get EAP support for SSTP VPN? I have everything working from Windows 7 clients using MS-CHAPv2, but I'd love to use PEAP with EAP-MS-CHAPv2. Since EAP support is already available to the wireless/hotspot functionality in ROS, I can't imagine it would be a huge development effort to...

mpreissner

I would add to pukkita's response... 4) Will it support VPN from Windows 10 based clients? About 4-5 VPN users at a time. Yes. It does support "Windows-native" SSTP. While it does support SSTP, it does not support NAP, nor does it support any type of EAP for authentication. If you intend t...

mpreissner

You don't want to run bandwidth tests FROM the devices themselves, you want to run the tests THROUGH the devices. All CRS devices have weak CPUs, so they simply can't support the kind of results you're expecting using the traffic generator. The CRS is primarily a layer-2 device, and can pass layer-2...

mpreissner

If you use Winbox, you can actually filter your rules by chain, so you can work with only one chain at a time. Makes things a little easier to see.

mpreissner

I think what this post really says is DON'T USE A MIKROTIK FOR FIREWALLING.

mpreissner

No. All their current products are listed on www.routerboard.com. If it's not there, it doesn't exist yet.

mpreissner

So here's the thing to remember: RouterOS process NAT rules before it does Filter rules, so an Accept rule on the input chain will never get hit if you're NATing the traffic. If you want to forward external port 8150 to port 80 on your camera, you need to do 2 things: 1) add the appropriate dst-nat ...

mpreissner

The best thing to do is to end all chains with the following: /ip firewall filter action=drop This drops ALL traffic that does not match an explicit allow rule above it. You can optionally add a log=yes and log-prefix="drop-<chain>-and-log" parameters so you can trace down any dropped traf...

mpreissner

Proximus - do you have a "Drop All" rule at the bottom of your forward chain? By default, ROS uses an Accept All policy, which you can't actually change, so if you're not dropping unwanted forwarding traffic with an explicit rule at the bottom of your forward chain, then you're correct, yo...

mpreissner

You need 2 rules to properly port forward. You already have the NAT rule, but now you need a filter rule in the FORWARD chain. Use this...assuming your inbound interface is ether1: /ip firewall filter add chain=forward dst-port=1194 protocol=udp dst-address=10.0.0.3 in-interface=ether1 action=accept

mpreissner

I would imagine that if you can emulate any ROS supported CPU, you can probably install that platform into a virtual machine. You'll have to keep in mind, though, that the drivers bundled with any given platform are for the hardware in those supported platforms, so you may not have all the drivers n...

mpreissner

So think of it like this...the vulnerability is present, but it is irrelevant because everything runs as root. The DirtyCOW vulnerability is used to escalate privileges from a non-root user to root. If nothing runs as a non-root user, then there's really no local accounts that would need to escalate...

mpreissner

If a hardware platform has limitations on handling a physical port, then why that port is even there to begin with? Just my thought of course. I was not expecting much from the CRS, but at least to handling file transfers from two workstations connected to 1GB ports and a SAN connected to the 10GBE...

mpreissner

A single licensing scheme would be nice. Something to the effect of this: You purchase X number of licenses, which are tracked through a support portal. When you install an instance of ROS (virtual or bare metal), you input a key obtained from the support portal that is linked to your account. The r...

mpreissner

Use L2TP over IPsec. You should find plenty of documentation on how to set up MikroTik side.

mpreissner

Hmm...it seems to me that you can do exactly what you're saying. Just buy an ROS license (most people would probably do well with a level 4 license - $45) and install using x86. You just have to remember that even the x86 platform doesn't support all hardware, so you'll need the check for compatibil...

mpreissner

Oh, he's just upset because he didn't take the time to understand that CHR is virtual ONLY and didn't get appropriate hardware to support it. And apparently it's OUR problem. HAHAHA

mpreissner

The CHR doesn't have all the drivers it would need to run on bare metal. It is intended to ONLY run in a hypervisor as a guest virtual machine. If your intent was to run virtual machines, you should've picked up hardware that has native support for virtualization. Even cheap $200 barebones systems n...

mpreissner

So there are a few things you need to consider. You're running multiple VLANs, but you haven't made any mention of a router or bridge to allow for inter-VLAN communications. Both the CRS226 and CRS125 have limited routing capabilities (the 125 actually has a stronger CPU), and so they can function a...

mpreissner

How is your DHCP set up? Do you have a DHCP server or relay configured for each VLAN? Have you defined IP Pools/DHCP Scopes?

mpreissner

Not only that, but the CPU is also optimized specifically for networking functions. The latest numbering scheme with the Xeon CPU's uses the last digit in the product code to identify different CPU optimizations. For instance, the Xeon D-1520 is a general purpose CPU, good for running any OS, virtua...

mpreissner

Best practice would be to not use the routers as the DHCP server. They don't share any state information with each other when doing VRRP, so I can only assume they wouldn't share DHCP lease information. Set up a DHCP relay on the VRRP interface and point it to a standalone DHCP server.

mpreissner

http://wiki.mikrotik.com/wiki/Manual:CR ... #Mirroring

mpreissner

Interesting how they've release Winbox with support for 6.38 when 6.38 is still only in RC release...I'd think they should release Winbox and ROS at the same time.

mpreissner

But, when using Bridge, all ports share a single 1 gbps link to the CPU, so your layer 2 performance will suffer horribly. If you need to see all the traffic from a single port when using Master/slave port configuration, use port mirroring.

mpreissner

Don't be that optimistic about that 35W power consumption. A RAM module can draw up to 15W... And there are other parts inside it, too. They did not put that 200W power supply in there for nothing. You're right, but the CPU is typically the most power-hungry component in any computer, short of a hi...

mpreissner

RB260GSP with outdoor enclosure would be very welcome or RB750P outdoor Powerbox with gigabit ports.

RB260GS in outdoor enclosure with 4x or 5x POE in would be great.

This thread is specifically for CRS hardware, not SwOS based prodcuts...

mpreissner

The new 6.38RC software enables STP/RSTP on the CRS...hopefully those features will make it to the final release. I've never seen issues like you seem to be having. The CRS can be tricky to configure, so I'd double check your configs again. Might be something simple you overlooked. Otherwise, nobody...

mpreissner

Since the CRS's run ROS, not SwOS, it would probably be worth posting this info in one of the main ROS forums...probably the General forum. Not a huge number of people troll the SwOS forum, so you'll get more exposure there.

mpreissner

Well, that's promising, but I'm not going to run RC firmware on my production network. Since it appears to require adding your master ports to a bridge to enable the switch-chip functionality, I wonder what the performance impact will be on the CRS CPU as a result of implementing STP.

mpreissner

This has been requested before. Not likely to happen. Ever. I have a feeling that the SwOS products are going to get discontinued at some point as MT really doesn't appear to put much time/effort into SwOS development. They're more focused on their CCR and CRS product lines, and ROSv7 dev.

mpreissner

It can establish a VPN connection, but it doesn't have accelerated cryptography support, and so it's going to max out at several tens of megabits/second. Putting a router on-site with accelerated crypto (850, 1100, CCR), and letting the APs connect to the CHR/VPN through that will help to reach max...

mpreissner

I'm hoping some of you can answer this question, as I haven't messed around with any MT wireless gear. I'm currently operating a corporate network in the cloud, and we're looking to extend secure wireless access to remote locations. If I've got a CHR acting as a VPN head to our cloud environment, ca...

mpreissner

The storage is not a problem. Since it is all text based information in a database it can be compacted to the maximum (I have see Oracle databases of 450 Mb been reduced to 14 kB files....). And what LaRP says: Yes, it is a backdoor. Not on Mikrotik or any router, but it is in essence a "door&...

mpreissner

I agree...I bought into MikroTik for my home because I thought I was getting a good deal for a switch with 10gb ports, but the inability to make redundant switching paths or do 802.3ad based aggregation has become a serious issue for me. I feel I'd almost be better off switching my core network over...

mpreissner

Switch VLAN settings control what VLAN tags your switch will allow or process. Creating a VLAN interface creates it at the CPU, which is necessary for inter-VLAN routing. The CRS can do some limited routing, but its CPU isn't strong enough for heavy use.

mpreissner

One way you could go is to procure a SIP trunk service from your ISP. Effectively, this will cause all traffic for your VoIP calls to go over a special network the provider uses specifically for VoIP. If you have an IP PBX at each site with SIP trunk service at each site, you should get great call q...

mpreissner

If you're running a virtual solution, go with CHR instead of x86. Resource requirements aren't really any different, but the CHR is 64-bit versus x86 which is only 32-bit. Will make a difference if you're running BGP or other high memory loads.

mpreissner

You may not have any issues at all using QoS. Many provider do state that QoS is not supported across the Internet, but especially if all your offices are on the same ISP, and you're using business class Internet service, QoS is likely enabled, but they won't tell anyone about it. Most ISP's now off...

mpreissner

are vlans proccesed in the cpu or in the switch chip directly ? VLANs can be handled at both the switch chip and the CPU. The switch chips are VLAN-aware so you can support multiple logical switches on a single piece of hardware. To route between VLANs, though, you have to make the CPU aware of the...

mpreissner

What you need to remember is that packets processed by dst-nat have to come from somewhere. Right now, you only have a dst-port defined. Try adding an in-interface parameter or a dst-address parameter to your NAT rule. If you have a dynamic public IP, I'd recommend simply defining the in-interface a...

mpreissner

Thank you, this was helpfull. I am trying to do a similar thing. The proxy works and I get to the user access page on the individual servers behind the one public address using the reverse proxy. The problem is that after logging into my services the API is not http so the connection breaks. I am t...

mpreissner

I just want to see a low power, low cost 24 port 10gb SFP+ switch...maybe with stacking cables or 40gbps uplinks. Although stacking would be preferred so you could treat multiple stacked units as a single switch and only have one management IP. Or a version of ROS that we could load on ODM switches ...

mpreissner

Yes, if you remove the master/slave configuration, it's the same as directly connecting the port to the CPU. Unfortunately, in the CRS, all ports share a singe 1 gbps link to the CPU, so it's a major bottleneck. Using bridging on a CRS is not advisable. The key to working with the CRS is proper conf...

mpreissner

While you can use the CRS as a router, the CPU is very weak and you will not get great results depending on your needs. Since port 1 is your WAN, I'd make port 2 the master to all other ports. This allows you to take advantage of the switch chip and run layer 2 communications at wire speed.

mpreissner

Hi There, We are using a Supermicro 5018 MLNT4 (https://www.supermicro.com/products/system/1U/5018/SYS-5018A-MLTN4.cfm) with onboard C2000 SoC I354 Quad Nic. This nic is not supportes... PLEASE ADD THE DRIVERS ! You're best bet there is to install a hypervisor on that server and run the CHR rather ...

mpreissner

I like to think of the "port" not as the physical interface that I plug a cable into, but rather as an addressable part of the logic board. Remember, even "switch1-cpu" is considered a port. MikroTik's description tripped me up a lot when I first started with RouterOS, but you'll...

mpreissner

Please add support for EAP types on VPN connections as you do for wireless. Without EAP support, many security features such as NAP enforcement (using Microsoft NPS as RADIUS) won't work. Specifically, we need support for PEAP and EAP-MSCHAPv2 to get NAP working. Also consider allowing the ability t...

mpreissner

So, it doesn't look like anyone responded to my thread about implementing SSTP with NAP, but has anyone gotten EAP working with the SSTP server? I don't really care what type, I'll be happy with EAP-MSCHAPv2 or PEAP (eventually want to use smart cards for user certificate based auth), but for now, I...

mpreissner

Treat the SFP+ ports as normal ports. It all comes down to how you configure them. I have a storage server plugged into one, and a hypervisor plugged into the other on mine. You can use them as either access or trunk ports...that's the beauty of ROS...they let you do what you want with the ports ins...

mpreissner

What you're doing is creating a hybrid port. See the wiki...http://wiki.mikrotik.com/wiki/Manual:Sw ... d_Ports.29

mpreissner

So I've successfully gotten an SSTP VPN set up on my 750GL, authenticating against Microsoft NPS/Active Directory on Server 2012r2. The next step is to see if I can use NPS for NAP enforcement on my remote Windows 7 clients. Has anyone tried this? I have to make sure I can support this to phase out ...

mpreissner

So I've made an effort to give you a working config that is also, for the most part, secure. It will need tweaking depending on your exact networking needs. There are also a few parts where you'll need to insert information, such as defining NTP servers for your switch. Note that I've made some chan...

mpreissner

Looks like your firewall is doing a lot of work - way more than it should have to. Give me some time to rework your config...I think we can come up with something a bit simpler. Can you post a full export instead of a compact? Need to look at the full firewall rules to find out what's going on. Quic...

mpreissner

Yeah, you definitely don't want to user bridging for what seems to be simple layer 2 operations. Better to not use bridging at all...rely on the switch chip for layer 2, and only use the CPU for routing. The CRS really isn't meant for CPU intensive tasks like routing or bridging...the layer 3 functi...

mpreissner

Use CCR1009-8S-1S+ for routing, and CRS226 for switching. Link them via SFP+, and run dedicated WAPs instead of something built in. The new wAP AC's look pretty nice and will provide you a much more flexible installation, better wireless coverage, and great speeds throughout the house.

mpreissner

Sounds like a problem related to MTU vs. L2MTU. Check your settings.

mpreissner

First, nobody can begin to postulate on what the issue may be that's causing this behavior, as you haven't provided much information regarding your setup. Second, this is a user forum, and while many MikroTik employees are active here, is not the official MikroTik support channel. If you're having a...

mpreissner

The switch chip does all the tagging. You have to add switch1-cpu to parts of the configuration so the CPU can understand which VLANs each packet belongs to.

mpreissner

Since speed isn't really a factor, you can use the CRS as your router, assuming your ISP connects via RJ45 or SFP. Set port 1 as your ISP uplink (assuming RJ45, otherwise set SFP), make port 2 the master port, and all other ports slave. Apply your two VLANs to port 2 from the Interfaces menu. From t...

mpreissner

Personally, I would ditch the bridges. The CRS is meant as a switch, and as such, it has a weak CPU. Bridging operates at the CPU, so this is a waste of resources at the CRS, especially considering the hardware supports wire-speed switching without touching the CPU. If you don't have a separate rout...

mpreissner

So, to start, it looks like your SXT isn't advertising at 1000M. Check the "Ethernet" tab for your SXT interface and ensure that 1000M full and Auto Negotiation is checked. Can't say what's going on at the Lenovo...perhaps you've got an outdated driver, or maybe a bad cable. 100M ethernet ...

mpreissner

Hii, just t make sure guys, i want to buy this SuperServer 5018D-FN8T and installed mikrotik on it, is this device support mikrotik ROS? are the built in 10G NICs working fine? You can try to install the x86 ROS on it, but it may not work with all the NICs. Best bet is to run a hypervisor like VMwa...

mpreissner

Yup, almost everything these days is either H.323 or SIP. If you have an actual POTS line at your home, chances are it's hitting a TDP/SIP gateway of some type at the CO, and then flying across the provider's fiber backbone. I spent several years deploying and managing an enterprise-wide VoIP soluti...

mpreissner

If your use case requires a large amount of RAM, the x86 won't be able to handle it. Max RAM for the x86 ROS is only 2 GB. The CHR is 64-bit, and can address as much RAM as you could possibly need.

mpreissner

STP is already supported in ROS when using bridges. STP is currently not implemented on CRS, and it doesn't look like MT has any real plans of implementing it despite a lot of desire for it from the forums.

mpreissner

Love this idea! I think, though, that you probably will need to get into some How-To's, as theory can be applied across all vendor's equipment assuming they support the same features. I think where the MT community is lacking is clear understanding on how to implement some of various technologies ...

mpreissner

Change the hardware. The CRS is intended to be used AS A SWITCH. It's layer 3 capabilities (including PPPoE) run on the CPU, not the switch chip, and the CPU is too weak to do much. Bridging also runs at the CPU, so not only are you taxing it with PPPoE, but also with the bridging. You're runnin...

mpreissner

So, give up on LACP on the CRS...it doesn't exist. CRS only supports static link aggregation (NOT 802.3ad compliant). You can do 802.3ad at the CCR through bonding, but the CRS doesn't have enough CPU to support even 1 gbps of throughput over bonded ports. Not sure how it would work if you had LA...

mpreissner

I don't think you know what a core router does. Core routers run routing protocols and mpls. Redundancy is done via these. Now I agree a firewall should have such a mechanism, but mikrotik are routers. So, I think you and I are thinking of two different types of networks. You're thinking Enterpri...

mpreissner

All about risk management. Four letters... VRRP. Sent from my SM-G920I using Tapatalk VRRP is great for edge routers, but not for core routers. MT really needs to implement a different type of clustering that supports state synchronization for seamless failover without dropping connections. Then,...

mpreissner

On CRS or other devices with switch chip?

mpreissner

Looks pretty neat, but without official support, I doubt many would try it. Personally, I would love to see a CARP implementation, or some other extension of VRRP that supports state synchronization and HA auto-failover. Also a simplified multi-WAN load balancing capability would be nice. I'm abo...

mpreissner

I don't think you're going to have much success doing what you describe. Bonding is performed at the CPU, whereas master/slave is a switch chip function. Bonded ports have to be passed through to the CPU instead of using a master/slave configuration. Now, you could easily pass the two SFP ports t...

mpreissner

Keep in mind that the CCR1009 has a switch chip for the first four ports...that part of the config won't be applicable anymore, but there's no reason the rest of the config shouldn't be valid.

mpreissner

Yes, fasttrack is a wonderful thing. Keep in mind though, that not all connections can use fasttrack, so depending on the specific connections that end up getting routed through your CRS, they may or may not get fasttracked, so user speeds can vary significantly.

mpreissner

You're using a CRS, which is intended to be used as a switch. It has a very weak CPU, so layer 3 capabilities are minimal - mostly just there for management purposes. If you run bandwidth tests between two endpoints on the same subnet, you should see wire-speed as that never goes to the CPU. Depe...

mpreissner

Good to know. I haven't used the serial console. I typically do most of my config via SSH or WinBox. You might want to try WinBox, as it can connect at layer 2, so even if you screw something up in the config and lock yourself out of the WebFig or SSH, you usually can still connect with WinBox.

mpreissner

Download iperf to endpoints on either side of your routers. As said by others, you need to test THROUGH the router, not FROM the router.

mpreissner

Try 9600 baud. It's very rare to find a serial connection that runs at 115200.

mpreissner

I also hope that

Hope is a virtue...even when misplaced haha

mpreissner

If it's not on www.routerboard.com, it doesn't exist.

mpreissner

I've never had to use egress-vlan-translation to get my Ubiquiti AP's working correctly, so I'm not sure why you did. As far as you WAN connection dropping, it does seem to be something in the routing. One thing to remember is that while the CRS does have routing capabilities, it's weak CPU limits...

mpreissner

Your question has little meaning without more detail. What kind of environment is this? What is the purpose...are you trying to tunnel your internal network to an IPV6 broker because your ISP only provides IPv4 at this time? Or just trying to set up a VPN server to listen on an IPv6 address? Nob...

mpreissner

Set up switch port to allow traffic with desired VLAN tags: /interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=10 learn=yes /interface ethernet switch vlan add ports=ethXX,ethXX,... vlan-id=20 learn=yes Set up ingress vlan translation to treat untagged traffic as tagged: /interface et...

mpreissner

Is the fiber terminated with an LC connection? Or is it SC? ST? There are multiple types of terminations, and you need to make sure you get the right SFP module to work with the connector that's on your fiber. It's very odd that the ISP wouldn't supply the ONT. In any case, I can't say whether i...

mpreissner

That's exactly right. If the transfer stream is single-threaded, you won't get more than a single link's bandwidth. Only multi-threaded data streams will be able to take advantage of the aggregated link. Try using the Trunk feature in the switch chip menu. It's not LACP, but rather is Static Link...

mpreissner

So the one thing to remember is that you will ALWAYS get better performance over a wire than using wireless. I try to wire everything that I can and minimize my use of wireless, not just for security reasons, but also just for plain old performance. I can't speak to how good MT's wireless products...

mpreissner

In my scenario forget the router or inter-switch communication. In my case I am attempting to replace the 1810G that is the core switch of my network, where my PC an several other computers/users connect and access a NAS that is connected with a two interface LACP. Its for multi-computer performa...

mpreissner

Hate to resurrect an old thread, but I'm actually pretty interested in this as well. If you're in a position to do some testing, I would recommend a phased approach. First, get smart card authentication working within your Windows environment. I'd recommend using Active Directory with AD Certifica...

mpreissner

Also, if you're running in VMware, you could use the CHR instead of the x86 platform. That would give you a 64-bit instance instead of a 32-bit ROS.

mpreissner

What you have to realize is that the wireless interfaces have to be bridged to the wired interfaces. The bridge is implemented in software, so it consumes a lot of CPU. Any high-speed AC wireless transfers will result in a good amount of CPU usage. Even if you assigned a completely separate subne...

mpreissner

That all depends on your ISP. If your incoming fiber is two-strand, you've got full-duplex fiber which is great, and the AON has much better potential speed than a PON (surprising the provider opted for this setup because it's much more expensive than PON). Your ISP should be providing an ONT to t...

mpreissner

Exactly. The basic switching is perfectly fine, and I would settle for the 4k frames if I could do bonding without bridging over the CPU. Its disappointing that the basic features like this don't work as expected. This switch should be plenty for a basic home network. So, the use of the RB2011 ma...

mpreissner

I see a performance diference between ports. My setup is the following SFP=> Wan (down 800Mb/s up 250Mb/s bandwith) eth1 Master of eth2-5 eth6 Master of eth7-10 bridge eth1 & and eth6 Speedtest with a cable from eth1 ==> 780Mb/s down 240Mb/s up Speedtest with a cable from eth6 ==> 650Mb/s down ...

mpreissner

I haven't looked into it specifically, but you can probably set up a single postfix server to act as a proxy/relay for both domains. Effectively, you would forward all mail ports to this one postfix server which would accept inbound mail for both domains, and then forward them on to their respectiv...

mpreissner

The limitation isn't just the CPU itself, but also that all ports share a single 1 gbps link to the CPU. This means that regardless of the CPU strength, you will never achieve more than 1 gbps of routing performance.

mpreissner

Your only option at this point is to use the Trunk feature in the CRS switch menu. This is Static Link Aggregation, not LACP (802.3ad) which as pointed out, is not yet supported on hardware (even though the hardware is capable of it). I'm curious why you're using a CRS125 for routing...it does hav...

mpreissner

Not me, but I'm currently using http://routerboard.com/SplusDA0001 with a SolarFlare SFN5162. I use both of these on a FreeNAS and a CentOS 6 KVM hypervisor hooked up to a CRS226. iperf results got me about 9.8 Gbps between the two.

mpreissner

You need to know how much total throughput you need to choose the right product. Additional features like QoS, the complexity of your firewall rules, and a number of other things will drag down total throughput much more than the number of users.

mpreissner

You can't use Bonding on slave ports. Bonding is performed at the CPU, but when you designate a port as a slave, that port is now controlled by the switch chip, not the CPU. To use ports 4 and 5 as a bonded pair, you'll need to remove them from the Master/Slave configuration, allowing the CPU to per...

mpreissner

So, first, MT doesn't support LACP in hardware on the CRS, only in software. That means that the bonding is done at the CPU. When working with slave ports, those ports are controlled by the switch chip, not the CPU, hence your problem. To enable link aggregation on slave ports, you need to use the S...

mpreissner

I agree that being able to run Snort or another IDS/IPS function on the router would make for a simplified deployment, but you also have to remember that it would necessitate stronger hardware to maintain a given throughput. Personally, I run pfSense as an inline transparent firewall that sits betwe...

mpreissner

WTF did I just read ? quote from MT Bonding modes manual: 802.3ad 802.3ad mode is an IEEE standard also called LACP (Link Aggregation Control Protocol). It includes automatic configuration of the aggregates, so minimal configuration of the switch is needed. This standard also mandates that frames w...

mpreissner

One of the best clustering setups I've seen is what CheckPoint does with their security gateways. Their management software allows you to deploy your firewall rules to the cluster (so it installs on all cluster members simultaneously), as well as manage individual member configs that get pushed at t...

mpreissner

Without firewall, with a simple firewall you max out a half that. True, but either way, the RB2011 still has the ability to outperform the CRS for layer 3 throughput because its physical design allows for up to 1.5 gbps versus only 1 gbps on the CRS. The CPU is not the limiting factor, otherwise th...

mpreissner

Except for the fact that the CRS will max out at 1 gig since all ports share a single 1 gbps link to the CPU, whereas the RB2011 can reach up to 1.5 gbps. So, not quite the same, but yes, the RB2011 actually can route more than the CRS because of the physical architecture.

mpreissner

The ERL should definitely do a better job than the CRS for routing, but for the price, you probably could've gotten a base RB2011 and the interface for configuration would be much more familiar with the CRS - and the RB2011 would easily have met your needs for gigabit routing. Since the ERL doesn't ...

mpreissner

Well, I did a bit of reading and see where the problem is (mDNS using link-local-only multicast group) so obviously routing won't fix the issue. Perhaps some interesting nat/mangle gymnastics are possible.... I think the most available solution for ROS users at the moment is to launch a Metarouter ...

mpreissner

The problem is that the multicast routing that MT supports doesn't properly handle Bonjour/Zero-conf. I've researched and tried a ton of different ways to do it, and it just never worked. But if you have a working setup that does mDNS service reflection between subnets, please write up a how-to and ...

mpreissner

The CRS can only achieve 500+ using fastpath...and not every connection can use it! This is why you should use a ROUTER for ROUTING, and a SWITCH for SWITCHING. The Zhone is already doing NAT (most likely), so your internal IPV4 addresses are hidden from the outside world. Unless you've got a shady ...

mpreissner

To begin, MT does not support LACP in any way. They only support static link aggregation. The RB2011 has two switch chips in it...a 5 port 100mbps switch and a 5 port 1gbps switch. The 1gbps switch is connected to the CPU via a single 1gbps link, and the 100 mbps switch is directly attached to the C...

mpreissner

It's been asked for a LOT. Really, they could make it work by compiling an avahi-daemon package that would run on RouterOS. Somehow I don't think this would be too difficult, but apparently it's just not at the top of their list.

mpreissner

Yeah, what you're talking about is clustering. Treating two physical routers as a single object that has built-in failover/redundancy and/or load-balancing capabilities. Almost every major routing product out there supports this...Cisco, CheckPoint, PaloAlto, etc. It definitely simplifies configurat...

mpreissner

x64 hardware was not very common (especially with regard to network infrastructure devices) when the original x86 ROS was developed. MT developed for the more common platform. Now that almost everything manufactured is x64-capable, and it's more common to see open systems (x86_64) running a variety ...

mpreissner

If you use the CRS as a switch (it's intended purpose), you should be able to get the same speeds as when your computer is plugged directly into the router. The CRS has a weak CPU and cannot easily handle the kind of speeds you're looking for. Set up the CRS with ports 2-24 as slave to port 1. This ...

mpreissner

From your described usage, it sounds like the CRS would be a good fit. Of course, we'd all prefer a 48 port version, but if you're OK cascading multiple 24 port units using the SFP+ ports, that should work well for you. I use the CRS226 as my core at home (multiple VLANs, VERY high usage). I do exac...

mpreissner

I can't speak specifically to RouterOS, but all x86 platforms are limited to a max of 4GB RAM if they don't support PAE. Since ROS is Linux-based, and Linux has had PAE for a LONG time, it may support more than 4GB, but there aren't too many applications that would require that much.

mpreissner

Can we get https support added to the web interface? And maybe a RADIUS client for centralized authentication? The lack of even minimal security for the administrative interface is troubling...and it shouldn't be hard to correct either of these issues...

mpreissner

You could also deploy it as CHR on VMware. That'll give you a 64-bit install versus the x86 which is only 32-bit. Plus, the advantages of running in VMware are numerous...not being tied to a specific piece of hardware, the ability to increase the hardware resources available to the VM without having...

mpreissner

It also comes in handy when you keep your network gear in a locked server rack instead of on a shelf by the TV.

mpreissner

Port 1-4 on the CCR1009 share a single 1 Gbps link to the CPU. As long as you ISP links do not add up to more than 1 Gbps, you can definitely use those four ports for your WAN connections.

mpreissner

OSPF has no relevance to what you've said you want to do. OSPF is a routing protocol, but you've said nothing about routing...only that you want to run fiber and use VLANs. VLAN is a layer 2 technology, and doesn't require routers to implement. I suppose you could make a "ring" of routers ...

mpreissner

If it works as expected, I think you probably did a pretty good job. One thing to keep in mind is that the CRS products are designed primarily as a switch and have limited routing capabilities. Depending on how much throughput you need between your internal network or how large your ISP link is, the...

mpreissner

Unfortunately, MikroTik doesn't support STP/RSTP on the CRS hardware at this time. The best ways I know of to add loop protection is to introduce another brand switch into the stack that does support STP/RSTP, or use a CCR or other MikroTik router wired to the top and bottom switches of the stack. B...

mpreissner

Just a quick correction, PCIe is always full-duplex meaning that PCIe 2.0 x1 provides you with 4Gbps full-duplex (So 4 up and down at the same time). So PCIe 2.0 x1 should indeed be enough to be able to saturate all 4 ports at full-duplex Gigabit speeds. Quindor is exactly right. PCIe bandwidth is ...

mpreissner

Because MikroTik has not implemented STP/RSTP in the switch chip hardware, you would have to use a software bridge, which is processed at the CPU instead of the switch chip. The CRS line of products does not have a strong enough CPU to get anywhere near wire speed across 24 ports. There is one way y...

mpreissner

A better option would be some type of unified management platform whereby routers in a VRRP configuration could be managed as a single unit, obviating the need to manually sync all the settings from the master to the slave. Or an automated process whereby a slave unit auto-synchronizes to the master...

mpreissner

RouterOS is optimized as a ROUTER and is best used as such. You're better off buying a proper ATA and keeping all telephony functions separate. Keep in mind, if they were to add ATA functionality, they'd have to also add RJ-11 ports to have compatibility with most analog phones. I use a Raspberry Pi...

mpreissner

Unfortunately, MikroTik does not support ring-type networks with their hardware. Are you trying to set up a Token-Ring, or simply a series of daisy-chained switches that loops back on itself? I can tell you to forget about Token-Ring, but if you plan to loop a series of switches, you'll end up with ...

mpreissner

If you use port trunking as suggested by Becs, you can reach up to the aggregate of the number of links in bandwidth. When you trunk two ports together, they automatically do load-balancing, but if one of the links fails, all traffic reverts to the one remaining active link. You're still limited to ...

mpreissner

Need more information on your setup. Are you actually using Bridging, or are you Routing?

mpreissner

For VLAN config, this is highly dependent upon your environment. Everything will be configured through the /interface ethernet switch menu. To enable a particular VLAN ID on a port: /interface ethernet switch vlan add ports=enter,ports,here vlan-id=xxx learn=yes To make an access port: /interface et...

mpreissner

Forget about bridging. The CRS is a wire-speed hardware switch. Bridges run in software, and the CPU on the CRS is really weak. Set all ports as slave to a single master port, and do your VLAN configuration from the switch chip menu.

mpreissner

Add this firewall rule to the very top of your INPUT chain: /ip firewall filter add chain=input action=accept protocol=tcp dst-address=your.mgmt.ip.address in-interface=!WAN-interface dst-port=22,443,8291 and this firewall rule to the very bottom of your INPUT chain: /ip firewall filter add chain=in...

mpreissner

Good to know. Knowing that your products validate the signature before installing updates should be a great relief to those who were worries about ROS getting hijacked. Unless your code-signing private key gets compromised, we don't need to worry about hacked versions of ROS making their way onto ou...

mpreissner

Personally, I like deploying SBC's instead of enabling SIP ALG's on routers. Of course, this requires multiple public IP's, which are not cheap. For the time being, I simply don't expose my VoIP system directly to the Internet. All my extensions are internal, or routed through VPN into my network, s...

mpreissner

Of course...we've all been there. But if it was that important of an issue, we'd have already taken our business elsewhere by now. Ask yourself this...if R1CH hadn't made a posting about the lack of HTTPS support, would you have made this comment...? I can tell you that there are several companies t...

mpreissner

There are multiple types of MitM attacks. DNSSEC does provide MitM protections for cases of DNS spoofing/session redirection, but not for other types of MitM like browser hijacking. All of your speculation about the security of MT's site is based on specific scenarios you have engineered in your min...

mpreissner

But this IS sensitive data - it's the very operating system of a networking device! If someone were to MitM your connection to the Mikrotik site, and provide a malicious version of RoS, you'd never know. They would be able to back-door your network, or monitor for cleartext pii, credit card numbers...

mpreissner

Just because they're not supporting encrypted connections doesn't mean there's no security or compensating controls. Think about it...you're not downloading any sensitive information, so there's really no reason to encrypt it. MikroTik does provide a hash sum for the downloads, so you can verify the...

mpreissner

So here's how I have my FORWARD chain configured. It's not as locked down as I intend it to be, but it does everything I need it to at the moment...(note, I've removed the dst. addresses from my "Accept inbound..." rules) Screen Shot 2016-03-11 at 11.18.15 AM.png As you can see, the fasttr...

mpreissner

You can't include them in the switch because they have no connection to the switch chip. You want to set ports 2, 3, and 4 as slave to port 1 which will create a 4 port wire-speed switch. Any devices connected to those ports will share the 1 Gbps link between the switch chip and the CPU (really, you...

mpreissner

Search the forum and search Google. Plenty of people have done this.

mpreissner

The NAT chain is part of pre-routing processing. Every packet that goes through the router goes through a pre-routing, routing, and post-routing process. Your dst-nat rule effectively tells the router that the inbound packet should go to the FORWARD chain, as the packet should transit the router, ra...

mpreissner

You should definitely be able to push more than 20 mbps through NAT, but remember, the CRS is designed primarily as a switch, not a router, so you're only going to get so much out of it at layer 3.

mpreissner

Generally, it is. That's why I restrict all my UPnP devices to a single subnet with nothing sensitive. Regardless, it doesn't look like the UPnP function is working correctly when enabled.

mpreissner

Agreed . We are actually moving away from Mikrotik on the distribution routing side due to lack of SFP+ port scalability . Would be awesome if they made some sort of Mikrotik flavor available on the ONIE whitebox platforms. While the lack of a high port density 10gb switch is definitely an issue, c...

mpreissner

+1 in need of a 24 port SFP switch with at least 2 x SFP+. Preferably with e.g a dual core processor. The processor won't make any difference unless you're bridging or routing, which is not the intended purpose of the CRS devices. Personally, I'd rather see a 24 port SFP+ switch, or an upgraded CRS...

mpreissner

So I have UPnP enabled, but it doesn't seem to be working correctly. I don't have any dynamic dst-nat rules popping up in my NAT chain, and internal devices that rely on UPnP-based port forwarding are not working properly. Specifically, I can see a lot of the traffic that should be forwarded getting...

mpreissner

The CRS is intended as a wire-speed switch (layer 2). It has minimal layer 3 capabilities. If you check the performance metrics on routerboard.com, you'll see that it's only capable of a maximum of 984 mbps bridging/routing, and that's assuming that ALL packets are 1500 bytes. More realistic numbers...

mpreissner

Happens in both Chrome and Safari on OS X, as well as Chrome on Windows 7. Can't even get it to load at all in IE11.

mpreissner

I'll have to try that. I was able to get back online after restoring from my backup, but as previously stated, when viewed through Webfig, all my firewall rules constantly shift around. However, if I look at it through Winbox, everything appears normal. At this point, I'm very cautious about making ...

mpreissner

Unfortunately, I can't help you there with the LCD. I actually disabled my LCD as I consider it to be a security risk. It allows anyone to walk up to the switch and get interact with it without authentication. As long as the rest of the switch works correctly, that's all I care about.

mpreissner

A few things to keep in mind about this setup... The RB2011 is only capable of between about 700 mbps and 1500 mbps (1.5 gbps) depending on how you have it configured. Additionally, you have a single cable carrying both VLANs to the router. This means they have to contend for bandwidth. Also, the bl...

mpreissner

Just curious why you're using a bridge at the routers. It's very CPU intensive since you're actively forcing traffic to use the bridges to get from one switch to the other. You could run a link between the two switches so that anything in the same layer 2 domain wouldn't have to cross a software bri...

mpreissner

The easiest way to ensure that you're testing the layer 2 bandwidth is to plug two machines into any two ports. You'll get a good 1 gbps. The CRS can be a little tricky to program correctly. I would create a Management VLAN and attach it to the Master port in the switch group. A Master port only mea...

mpreissner

While the switch doesn't support dynamic link aggregation, it does support static link aggregation using the interface > ethernet > switch > port > trunk menu. This should not create a switching loop if set up on both switches. I could've sworn jumbo frames were up to 9k on the CRS, but I could be w...

mpreissner

Back online, but still seeing some serious wonkiness in the firewall page of webfig. All my rules keep moving around...

mpreissner

Is there any way to view the contents of the backup file so that I can at least see the config I had in place to manually rebuild it?

mpreissner

So I got back online after a factory reset, but I am unable to restore from my backup. The router keeps telling me "Bad Password" on the backup file, even though I never set a password. This is frustrating, as I had way too much going on in my config to remember...any thoughts?

mpreissner

My RB750GL just crashed. Was able to get it back online by rebooting it, but it's acting crazy. Nothing seems to be routing, and if I look at my firewall rules, the rules keep shifting around by themselves. I'm having to hotspot my phone just to get to the forum for some help. Anyone seen this happe...

mpreissner

I don't think any MikroTik VPN implementation can connect directly to an LDAP directory, but you can proxy to it using a RADIUS server. You can probably also add in a 2FA solution, but that gets more complicate. I'd just stand up an OpenVPN Access Server behind your router, static NAT TCP 443 and UD...

mpreissner

For connecting the switches, just run a cable (or multiple cables) between the two. For a single cable, you'll just need to set up a VLAN trunk on both switches for the connected ports. If you use multiple cables, you'll want to set up a port trunk. The port trunk is effectively a static link aggreg...

Search found 357 matches