MikroTik

chiem

DNS doesn't seem stable in this release: [admin@ccr2116] /ip/dns> export # 2024-03-25 17:50:06 by RouterOS 7.14.1 # software id = 7WRZ-DFWZ # # model = CCR2116-12G-4S+ # serial number = XXXXXXXXXXX #error exporting "/ip/dns" (timeout) #error exporting "/ip/dns/static" (timeout)

chiem

Someone wrote a python script to generate a Wireguard config file using PIA credentials and a chosen region: https://github.com/hsand/pia-wg I took that and added some features to it a while ago, along with a new script to send a Wireguard config to RouterOS: https://github.com/kchiem/pia-wg NOTE: T...

chiem

Hello Mikrotik,

Not sure where to report this, but one of the two nameservers that answer your /ip/cloud ddns results for mynetname.net appears to be misconfigured. It's responding with nxdomain for names that should exist.

chiem

Right now, updating/upgrading a container appears to require stopping a container, removing it, re-adding it, and then starting it. This is made more difficult by the fact that /container/export doesn't provide the full command needed to re-add a container--it's missing the remote-image attribute. C...

chiem

That in fact is also a "problem with the ISP"...

chiem

Any word on the "invalid mtu #### on <interface> from <mac>" warnings that was reported by w0lt in the 7.9 beta thread and myself and others in the 7.9 release thread?

It's still in 7.9.2 and I see nothing in these logs about it.

chiem

invalid mtu 9086 on sfp-sfpplus1 from fe80::ea5c:aff:fe83:f43c fe80::/10 is the prefix for IPv6 link-local addresses, so it means one of your LAN hosts Actually, as stated, this is upstream of my LAN. sfp-sfpplus1 is connected to my ISP's gateway device, I have no control over its settings. I figur...

chiem

After upgrading, I'm getting these:

invalid mtu 9086 on sfp-sfpplus1 from fe80::ea5c:aff:fe83:f43c

.. warnings. Not sure what to do about it, since it's the upstream gateway to the router and I have no control over it, and the interface is set to mtu 1500.

chiem

No fix for the non-compliant mixing of static and upstream DNS results?

chiem

There's a bug in the DNS static vs caching implementation here. A/AAAA/SOA records can not coexist with CNAME records. If one of them is static, the other set needs to be filtered from the upstream. Edit: it appears that CNAMEs in general can't coexist with all other record types, so if something ot...

chiem

*) dns - do not query upstream DNS servers for matched regex records; *) dns - query upstream DNS servers for other record types even if static entry exists; I didn't have time to test rc4, but it looks like the ability to blacklist ipv6 entries has been restored--thank you! It would appear that th...

chiem

chiem - Can you please provide a simple static DNS entry example (from export) that has been broken ni v7.7 ? Exactly as I've mentioned, but here's an example in v7.6: netflix.com returns both A and AAAA records: $ dig netflix.com a ; <<>> DiG 9.18.9 <<>> netflix.com a ;; global options: +cmd ;; Go...

chiem

In v7.6, I could use static dns regex entries to modify AAAA results to ::ffff to block ipv6 for certain hostnames. This doesn't work now--it returns ::ffff and nothing else. How do I get the same behavior in v7.7rc2? Can someone from Mikrotik comment on this? I've complained about this lost functi...

chiem

In v7.6, I could use static dns regex entries to modify AAAA results to ::ffff to block ipv6 for certain hostnames. This doesn't work now--it returns ::ffff and nothing else. How do I get the same behavior in v7.7rc2? Static CNAME entries also don't seem to be working in some cases, for example: $ s...

chiem

*) dns - do not query upstream DNS servers for matched regex records;

Please don't? I use regex records to modify AAAA results to ::ffff to essentially disable ipv6 for some addresses (for split tunneling purposes). Or provide an alternate way to do that.

chiem

Can't you do:

/ip/firewall/filter/add action=accept chain=input dst-port=8291 protocol=tcp src-address-list=your-address-list

?

chiem

Not true. You can have fasttrack work on connections that aren't mangled. Sindy explains a lot of it here:

viewtopic.php?t=182096

chiem

https://help.mikrotik.com/docs/pages/vi ... edfeatures

How about some documentation on how the /ip/dns/static address-list field is supposed to be used?

chiem

I think what you need is an external DNS name, not a static one. And the A/AAAA records must have a shorter TTL than the CNAME records. In that case, when the A/AAAA records have expired and the toplevel name is queried again, only the cached CNAME records are returned and no A/AAAA. The resolver s...

chiem

Mikrotik said they couldn't reproduce the CNAME chain issue, and neither can I: Config: /ip dns static add cname=bar name=foo type=CNAME /ip dns static add cname=baz name=bar type=CNAME /ip dns static add address=1.2.3.4 name=baz /ip dns static add cname=www.youtube.com name=youtube type=CNAME ... $...

chiem

There may be a 3rd issue, but I abstained from reporting it until #1 is fixed to be sure--but it appeared to me that static DNS results were bypassed if the upstream result was a CNAME.

chiem

Something's not kosher with the way CNAME DNS results are handled in this version. On FreeBSD, I'm only getting results on the first lookup: $ ping -4c1 www.yahoo.com PING new-fp-shed.wg1.b.yahoo.com (74.6.231.21): 56 data bytes 64 bytes from 74.6.231.21: icmp_seq=0 ttl=31 time=57.504 ms --- new-fp-...

chiem

So.. IP Services www and www-ssl don't work on ipv6. The ports just gets answered and closed. I think these used to work, but not sure..

chiem

I have an idea why Mikrotik doesn't care about IPv6:

latvia-ipv6.png

chiem

how to get to : *) dns - added "address-list" parameter for static DNS entries (CLI only); *) dns - added "match-subdomain" option for static entries (CLI only); match-subdomain was demonstrated here: https://forum.mikrotik.com/viewtopic.php?t=187950#p948005 It's the same functi...

chiem

*) dns - added "address-list" parameter for static DNS entries (CLI only);

WOW!

What is it?

chiem

Why is it "foolish" to use the microsd? The Dude package already runs on the microsd, is that foolish? You are the foolish, the microsd it hosts only the database, don't be a know-it-all, that you risk saying bullshit. The executable code is in the nand along with routeros ... And the dud...

chiem

But even assuming that once "optimized", compiled and compressed, are 3M the package, the system already occupies 15M... And it is completely useless and foolish to name the external memory, which you know perfectly well that it will never contain packets loaded at system startup, even fo...

chiem

You are sure we are both talking about the same thing?
Memory or Nand?

RAM is what I understood the 32M required to be. As for storage, the hEX has a microsd slot if the onboard flash isn't enough.

chiem

In my hEX S I have free 1892 KiB, where is sufficent room for 32M???

In my hEX, I have free 200.6 MiB. There is the sufficient room for 32M.

chiem

We only can do it for ARM systems, no plans for MIPS now.

Why? ZeroTier saids their SDK runs on MIPS and takes about 32 mb, and they use AES for encryption. Seems like it would be great on a hEX.

chiem

Site-2-site from hEX s to RB4011, with iPerf3 I get up to around 150Mbps which is which is max throughput capped by ISP. No tuning of Wireguard at all, both sites are running 7.3(.1).

Hmm... IIRC, I only got 40 mbps with wireguard between a HEX and a CCR2004.

chiem

Thank you for the confirmation, and explaining it all!

chiem

But it seems to me you've misunderstood one thing - after passing through the last rule of chain prerouting, the packet does not continue to chain mark-conns ; the only way for a packet to enter mark-conns is by being sent there from some other chain using jump . No, I assumed that part. What I'm t...

chiem

They are, yet there is a reason to have them "twice". You need to save CPU cycles, so rules #3 and #4 handle mid-connection packets, which come already marked with connection-mark , and packets matching these rules do not continue further down the rule chain as passthrough=no is set for t...

chiem

https://forum.mikrotik.com/viewtopic.php?t=138659 Thanks for the pointer. The post you linked points towards this: https://forum.mikrotik.com/viewtopic.php?f=2&t=134048&p=659612#p659676 From that, I get that fasttrack- connection fast tracks the connection based on the incoming packet, whic...

chiem

I see from your rules that you have a wire guard connection to Private Internet Access VPN, if the PIA naming is not leading somewhere else. Would you be willing to share your setup? I am a beginner regarding Wireguard, and having something like a template would be invaluable. Apologies for the thr...

chiem

On a single connection, 1.25Gbps (one core at 98%) I am using vlan tagging Pretty depressing performance there. Using around 15% cpu at 2Gbps (vs 0% with L3HW for ipv4), worst core at ~50%, using multiple connections. CCR2116 cores are Cortex-A72 vs A57 for the CCR2004 so that's another +25%. Good ...

chiem

I've now deployed a half-dozen 2116's across my network, one of which replaced my busiest 2004. They can be found for just under US$800. They're essentially a CCR3XX switch with a 40Gbps connection to the CPUs, and so far I'm impressed with their performance. Thanks for pointing out the CCR2116. Wh...

chiem

It is not like this feature is critical. It only means you need to buy a slightly more powerful device in order to handle the speed of your internet connection. For example, I have a 180Mbps internet connection and a RB4011 router, and I do not need any fasttrack whatsoever (v4 nor v6). I have a CC...

chiem

I sincerely hope the focus for the coming month will be on fixing things that are broken or still missing (relative to v6) and not on working on new features. I'm not asking for it to be prioritized over stability fixes, but it's not even on the roadmap yet according to the last official statement ...

chiem

Is this enough user attention for a priority boost?

viewtopic.php?t=175513

chiem

+1...

chiem

#11 - I ask ( not required ) , that you post in this Mikrotik forum what country/city your are located in and your btest throughput results.

Bay Area, CA. Reached 3.0 gbps up, 2.3 gbps down.

chiem

*) ask to close all WinBox instances before WinBox upgrade, otherwise upgrade will fail;

You can upgrade WinBox within itself? How?

chiem

You must be from alternate future.

Go ahead and prove him wrong please.

chiem

Screenshot 2018-10-23 at 08.41.39.png

The question was about V7 Beta, not V7 Alpha.

chiem

+1

Wireguard is supposed to be extremely simple. Please don't take 3+ years to support it.

chiem

My understanding is that routing-marks are used to route though the l2tp interface. Routes with routing-marks are bypassed with fast-track as well. Yes, I'm using: /ip firewall mangle add action=mark-routing chain=prerouting comment=VPN dst-address=!192.168.0.0/16 new-routing-mark=vpn passthrough=y...

chiem

So I actually cannot understand how disabling fasttracking could have speeded up your L2TP/IPsec processing. Can you compare the CPU load with and without fasttracking the L2TP traffic? I can't really compare cpu load with and without fasttracking on the l2tp tunnel since with fasttracking, I get a...

chiem

Actually, I forgot that the problem isn't with fasttrack and IPsec, since it's slow with or without it. The problem is with fasttrack and tunnels. Is there a way to disable fasttrack just for tunneled traffic? Edit: It looks like I can just filter it by interface: /ip firewall add action=fasttrack-c...

chiem

Did you resolve the problem with the 750Gr3? Sorry about the delay, YES! Disabling: /ip firewall add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related disabled=yes .. fixed the issue. Is it possible to enable fasttrack for non-IPse...

chiem

Check for full/half duplex mismatch settings and errors like collisions on 100Mb/s Ethernet interfaces

If those were issues, they should have affected the transfer rate with and without l2tp/ipsec, but that was not the case.

chiem

*bump*

chiem

I've tried all the way down to 600.

chiem

At home, I have a CCR1009 on an 1000/50 mbps (down/up) connection. L2TP/IPsec through my VPN provider gets me 200+ mbps down, and 10-20 mbps up. The upload could be faster, but it's usable. At my 2nd house, I have an RB750Gr3 on a 60/5 mbps connection. The same L2TP/IPsec through the same VPN provid...

chiem

Thanks for the feedback guys. It looks like DMZ needs to be a separate feature in RouterOS.

chiem

Yet again, HELP !?

chiem

Per subject, how does one set this up to work ? The DMZ port forwarding rule is static and at the end of my static list of ip/firewall/nat rules. UPnP port forwards are dynamic and added to the end of that list, but never reached since the DMZ matches everything. I have to manually move the DMZ rule...

chiem

Can the hairpin NAT rule: add action=masquerade chain=srcnat comment=hairpin dst-address=192.168.0.0/24 out-interface=bridge-local src-address=192.168.0.0/24 .. be simplified further to remove the choice of LAN subnet to this: add action=masquerade chain=srcnat comment=hairpin in-interface=bridge-lo...

chiem

Hairping NAT is what you need. Your problem is that your port forwards are set for in-interface=ether1-gateway, but when connecting from LAN, in-interface is going to be bridge-local, so nothing gets forwarded. You can: a) Replace in-interface=ether1-gateway with dst-address=<your wan address> if y...

chiem

Help ?

chiem

This two day delay before a post goes up is rather annoying.

chiem

I'm a new user running 6.2 on an RB2011UAS-RM. These are my ip/firewall/filter rules: add chain=input protocol=icmp add chain=input connection-state=established add chain=input connection-state=related add action=drop chain=input in-interface=ether1-gateway Here's a subset of my ip/firewall/nat rule...

Search found 64 matches