MikroTik

eternal0

After upgraded to RouterOS v7, cpu-frequency is missing. Only RB4011 hit this issue, other RouterBoards with RouterOS v7 works fine. [admin@MikroTik] > sys resou pri ... total-memory: 1024.0MiB cpu: ARMv7 cpu-count: 4 # There should be "cpu-frequency" after this property. cpu-load: 3% free...

eternal0

Still not working now.

eternal0

What Hypervisor are you running CHR on ?

Hyperviser is KVM. Hardware acceleration is enabled if we use AES-GCM so that AES-NI is supported by this.

eternal0

From v6.39 changelog:

*) ipsec - enable aes-ni on i386 and x64 for cbc, ctr and gcm modes;

That confused me why AES-CBC cannot get accelerated on my CHR host.

The IPsec connection is from RB850Gx2 to CHR with sha256/AES-256-CBC. The hardware acceleration works fine on my RB850Gx2.

eternal0

As is well known that only AES-CBC hardware acceleration is supported by specific RouterBoard.
However, I can see the hardware acceleration flag on my CHR host if AES-GCM is used and no hardware acceleration flag if AES-CBC is used.
RouterOS version is 6.39.2
Any idea?

eternal0

I'm using CAPSMAN to provide wifi access. However, many iOS and Android devices disconnect very frequently with "group key timeout" in RouterOS log.
For legacy wireless ap, I can change group-key-update time to a longer one, but there isn't any way to change it in CAPSMAN.
Any solution?

eternal0

Same issue.
It seems like this issue exist for a long time:
http://forum.mikrotik.com/viewtopic.php?t=103679

eternal0

Still waiting for it.
RB3011UiAS-RM is too big.
RB850Gx2 do not have enough ethernet ports. At least 8.
CRS's performance is poor.
CCR1009-8G-1S-PC is too expensive.

eternal0

Probably not the case for the original poster, but I just wanted to mention that CHR uses 64-bit instruction sets and can utilize much more than 2GB: "Minimum 32MB of RAM (maximum supported 2GB, except on Cloud Core devices and CHR installations, where there is no maximum)" I wonder why C...

eternal0

+1 for UDP.
TCP is much slower than UDP at high latency or high packet loss environment.

eternal0

ok, on it

You mean hAP ac have 802.3af/at PoE in, or other device have this?

eternal0

eternal0

I've also just found this thread: https://www.privateinternetaccess.com/forum/discussion/2845/openvpn-router-speeds/p2 By the sounds of it Microtik can do OpenVpn 256-bit @ 7Gbps.. Am I missing something? "Well I am getting a Miktotik CCR1009 now after being sold watching a friend of mine push...

eternal0

In my environment, a 2-core i5-4350U device is more powerful than CCR1009 as a VPN server (EoIP+IPsec, SSTP, OVPN).

eternal0

OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only option. Not entirely true. OpenSSL can take advantage of kernel-module based crypto engines (/proc/crypto) Some ARM/MIPS hardware actually has crypto offload hardwar...

eternal0

1st issue is that RouterOS only supports TCP OpenVPN, that's it. UDP is not supported in any way and they say it won't ever be. OpenVPN? Mikrotik doesn't have one. OpenSSL is 100% CPU based and single threaded. In order to achieve what you want you will need a high-mhz CPU. X86 is really the only o...

eternal0

Hi all, I need to get "avg-rtt" result of "ping" command in scripts. Is this possible? Some one suggested "flood-ping" command. However, "flood-ping" will get "system is busy (12)" error if there is another instance running so it is not suitable for ...

eternal0

1037U or J1900 + 1GB RAM + 4GB Flash + 8 or 4 GBE + RouterOS L4 only cost less than 200us.
What is the performance compared with RB850Gx2, RB1100AHx2, CCR1009 and the new RB3011?

eternal0

My RB951G-2HnD can be stable at 700MHz for 1 month, and will be kernel failure every few hours at 750MHz.

eternal0

Normal: Null + AES-256-GCM
Hardware accelerated RouterBOARD: sha256 + AES-256-CBC

eternal0

eternal0

I'm using RB850Gx2 running RouterOS 6.31.
It seems like only AES-xxx-CBC is supported by hardware encrytion, and the other AES-xxx-CTR/AES-xxx-GCM still use software encryption.
Is this real?

Another question is whether to support hardware encryption on SSTP and OVPN?

eternal0

Same problem on RB951G-2HnD ether1 as a LAN port.

eternal0

It seems like RouterOS does not support ECDSA.

eternal0

Some firewall can identify and block the OpenVPN connection, so I think SSTP is the best.
SSTP client can work on Windows/Linux/OS X/Android.

eternal0

Can you try another VPN instead? Such as L2TP, SSTP, and OVPN. If all of your routers have public IP, you can use EoIP, IPIP or GRE.

eternal0

Yes, you can transport 1500 bytes packets across the l2tp tunnel with no fragment. The L2TP packet will be fragmented if the size is over 1480 bytes. The cost is performance.

eternal0

How can this be accomplished? 1. Bridge each VLAN to the EoIP tunnel at both ends? (this works with dedicated EoIP tunnels for each VLAN) 2. Bridge each Ethernet Port to the EoIP tunnel at both ends? (this is not working). Please let us know if there is another option where this can be done using a...

eternal0

When you are running test, please take a look at "Tools -> Profile".

eternal0

Set up an ipip tunnel on both routers.
Configure mark routing rule and disable NAT for vpn users on router 1.
Configure NAT on router 2.

eternal0

It's the first RouterBoard based on ARM CPU. Thus it might encounter some problems.

eternal0

Just bridge your ethernet and EoIP device on both of your router, it will work. VLAN in VLAN in EoIP also work fine. EoIP can be the same as physical layer-2 network, except the performance. The maximum throughput over an EoIP tunnel is 400Mbps on my two CCR1036 routers because it seems like the tun...

eternal0

Have you tried calea?

eternal0

Same issue after upgraded to RouterOS 6.28 mipsbe.
Reboot can fix this issue on RB951G-2HnD, but make no effect on my RB751G-2HnD.
6 sector writes per second.

eternal0

2 Bonding tunnels ? No bonding, only 1 EoIP/IPIP/GRE tunnel. We also tested 2 EoIP and 2 EoIP as bonding slave(balance-rr). It seems like all tunnels share 400Mbps throughput. Maybe the tunnel module of RouterOS is single threaded, CCR series is not suitable for VPN tunnel, and we need a x86 device...

eternal0

Two CCR1036 connet directly to each other. 1000Mbps link speed. Bandwith test can get 990Mbps result.
If we set up an EoIP/IPIP/GRE tunnel between them, no encryption, the maximum throughput in tunnel is 400Mbps. The usage of cpu1 is 100% and the others is idle.

Is there any problem?

eternal0

eternal0

We need to config vlan and bridge, but I'm confused with two configurations below.
bridge1
|--ether1

1. vlan1 interface=ether1
2. vlan1 interface=bridge1

What's the difference between 1 and 2?

eternal0

For most RouterBoard devices: RAM is enough (if you do not use MetaROUTER, and all RouterBoard with multi-core CPU do not have this feature), CPU performance is poor.

eternal0

Try "ping 192.168.2.1" on your SSTP server. It seems like your SSTP server doesn't have the proper route for your client's subnet.

eternal0

But you suggest using SSTP/OVPN as point 1 in your solution. Do I misunderstand?

I suggest it for security(RSA4096+SHA512+AES256).
If you need high performance, use IPIP/PPTP instead. Of course, you still need to configure Mangle Rule and Routing Table.

eternal0

Hi eteranl, thank you for sharing this solution. As I have read EoIP suffers performance, is there a better alternative? Would this work? 1. SSTP/OVPN to connect each WAN to each pper 2. MPLS/VPLS over VPN tunnel If you can accept tcp connection reset on failover, just use any Tunnel is OK. EoIP an...

eternal0

Some packages is not stable.
For example, sstp, ovpn and dns server often crash in some 6.x version, you must reboot your router if it doesn't work.

If you use it only for static routing, bridging, and firewall, RouterOS can work for several months without reboot.

eternal0

1.Use SSTP/OVPN to connect to each IP. You need to configure Mangle Rule and Routing Table to make the network flow using proper WAN connection.
2.Set up EoIP tunnel for each SSTP/OVPN.
3.Set up bonding for each pair of EoIP tunnel. In your case you need 3 bonding.
4.Enjoy!

eternal0

Which model?
CCR1036 is much powerful than my old H3C F1000, and very cheap. However, MikroTik doesn't support HA. VRRP failover is too slow in some cases.

eternal0

You can't use RouterOS as a syslog server.
However, you can install OpenWRT in MetaROUTER. It is possible to run syslog server and many other applications on OpenWRT.

eternal0

I think old script works well in 6.24. :local ddnsuser "username@changeip" :local ddnspass "password@changeip" :local ddnshost "domain@changeip" :local ddnsinterface "interface_name" :global ddnslastip :local ddnsip [ /ip address get [/ip address find interfac...

eternal0

It seems ECDSA certificate cannot work on RouterOS. The key size is "unknown", and I can't import private key to the router.

eternal0

Same problem in CCR1036-8G-2S+EM.
10G SFP+ module works well on both side. But with 1G SFP module, the router show link OK on the status and no link on the switch at the other end.

eternal0

Hello.
I use ROS 6.15 x86 and plug a WNA1100(AR9271)
It appears in reosurces->USB, but there is no interface in wlan interfaces.
If I use ROS 5.20, it works fine!
Why?

I also tested WNA1100 on RB751G-2HnD and RB951G-2HnD running ROS 6.15, it doesn't work as on x86 platform.

Search found 50 matches