MikroTik

spippan

good to have you here then, to clear everything up

spippan

Wait Are You using Mikrotik's default firewall? The last input rule is /ip/firewall/filter/add action=drop chain=input comment="defconf: drop all not coming from LAN" in-interface-list=!LAN log=yes Did You put your 172.30.0.0/24 range on the LAN adress list? there is only an INTERFACE LIS...

spippan

maybe is not so simple for a vendor to officially include an x86 cpu embedded in a router, maybe there is some bureaucracy, validation, and costs we as a consumers are not fully aware of I don't know if anyone else here is following the Mono Gateway router project of Tomaž Zaman on Youtube, but he ...

spippan

check srcnat config on the client if there are any...
if there are more than 1 IP on an interface you can control the outbound src-ip

spippan

while strictly not vouching for THOSE boxes ... consider installing proxmox on one of them and use virtualized CHR (with PCIe passthrough if supported) to test and after that purchase a P10 or P-unlimited license.

allthough i doubt VT-d is supported on either of those 2 models.

spippan

beware ... telnet is TCP
wireguard uses UDP

which ROS version are you using?
the latest ROS (7.19rc1) shows used/active ports in

/ip/service print

spippan

Self-hosted (Docker or Linux package) should be the minimum. To be able to be installed/run anywhere - Pi, VPS, CHR, RB5009 etc. A MikroTik cloud redirect for initial provisioning (like Meraki/Fortinet) would be great too. Top features I’d like to see: - Zero-touch provisioning (based on MAC/SN or ...

spippan

likely there will be LHG 5 ax & LHG XL 5 ax up next

spippan

Winbox IPv6 connectivity, when?
Its 2025, i shouldn't have to resort to IPv4 to manage an IPv6 forwarding device.

this is already here for ages

spippan

First of all, why do you need to do this ?? Workaround: Insert a script and choose Run After Reset. would suggest this approach too. test this on a local MT first and examine if the default configuration can be altered as far as you need to access it remotely. e.g. setup a firewall input allow rule...

spippan

or peek over how Ubq... is handling things with their controller in v9 right now (which i just updated today effortlessly)
great visibility and feature set

spippan

So it's been 4 months since this roadmap was put out and I was told in March that the 5G ATL should be out about now (early April) .. I am under pressure to evaluate 5G outdoor CPEs before June installs so if anyone has a clue when the ATL would be shipping I'd be grateful to know if I should hold ...

spippan

would like to know that too

spippan

@fischerdouglas

It would be very nice if more people made some proper testing, steps to repeat, etc. as a normal bug tracker requires.
...
What I miss the most are the use cases!...

+1 on that
more use cases/examples would go a long way in the docs

spippan

I have multiple VRRP (legacy IP and v6) running on CCR2216 with ROS 7.18.2 without issues. Maybe config related? how did you configure conn-sync? could you provide your config. of those 2216s please? i have 2x2 CCR2004 on 7.14.3 where i depend on a working VRRP setup, so if this works for you, it m...

spippan

All switches and routers have been updated to RouterOS 7.18.2 RouterBOARD 7.18.2 L3 HW Offloading is disabled on all switches Bridge VLAN filtering with user vlan and mgmt vlan is configured on the routers and switches The rstp protocol is used (root bridge - gw1) When rebooting the Primary MLAG sw...

spippan

we tested 7.19beta7 and it is working fine about bgp on x86 and arm64!
thanks Mikrotik.

can confirm too. same for me.

BGP (+BFD) now good again and no odd up to 100% CPU load any longer

spippan

and do not forget to take possible lightning strike in account and plan in an arrestor if the mounting point is one of your highest points out there

spippan

It's different and takes some time to adjust if you're coming from other vendors. Once you do though, it's pretty well laid out. and TBH it is - if one is familiar with cisco, juniper, vyos, etc... - really not that hard to use CLI on ROS EVERY CLI has its own learning curve ... i think that is jus...

spippan

...but when it takes forum searches and video tutorials to setup a plain NAT for a web server then it's a problem. I...ugh. KISS is thrown out the window with these damn things.

well .. do not use advanced stuff then.

no one forces you to use MT anyways i guess

spippan

+1 for ATL LTE18. * assuming you're not in North America ** and it not "5G" And note they have announced, but not released, a few newer 5G models... if there is not urgency, something to consider. +1 if you can wait for the new 5G stuff to be released finally, wait for that. there are als...

spippan

7.15.x was the last version where BGP worked OK

true.

spippan

/ip dns static add address-list=whatsapp_IPs disabled=no forward-to=1.0.0.2 match-subdomain=yes name=whatsapp.net ttl=1d type=FWD add address-list=whatsapp_IPs disabled=no forward-to=1.0.0.2 match-subdomain=yes name=whatsapp.com ttl=1d type=FWD Can you please explain what the purpose of forward-to ...

spippan

Sorry sippan, what is BS is false hope and promises.
If you are unable to inspect encrypted traffic, then do pray tell what effing magic do you use........

how do you corelate encrypted traffic in this?

the question was routing-related, wasn't it?

spippan

Hello, Good day Team, I want to filter the WhatsApp and TikTok traffic in Mikrotik and route it over a Specific WAN/VPN because WhatsApp and TikTok are blocked somewhere. How can I capture this traffic? (In Firewall Mangle conten t or RAW content ) Which one is most effective? Or please help me wit...

spippan

Probably neither you need an expensive router add then pay for subscription services to handle DPI etc.........

BS. -.-

spippan

Hi, I'm stuck on a problem with what seems to be simple topic on every other switch I have except Mikrotik :) I have CRS309-1G-8S+ with a number of tagged traffic on each interface. I have sfp-sfpplus1 which is uplink port toward DHCP server. On some sfp-sfpplus2-6 there are devices that are using ...

spippan

Not hyping it down, but its actual use as a data vlan is very niche (rare). yes and no ... in more complex setups - sure. segregation is a plus and in that case, vlan1 should not be used. okay otherwise the use of vlan1 also as a normal data vlan is no problem at all after all. if only for the sake...

spippan

Sorry for blurring the picture for you, my response was mainly triggered by @erlinden as I am kind of tired of everyone treating VLAN 1 as black magic that has to be avoided by all means, hence that approach spreads as a meme (in the meaning of a "human software" virus, not the funny pict...

spippan

remember the SRC IP you want to use here has to be a local ip address on the router which can reach the DNS upstream (routing-wise) for the srcNAT to work correctly

spippan

you might need to use a srcnat rule

something like:

/ip firewall nat add action=src-nat chain=srcnat dst-address={IP adr. of DNS upstream} dst-port=53 protocol=udp to-addresses={SRC IP which you want to use}

spippan

Okay, thank you very much for your help. I managed to complete the configuration on both antennas. I have a question: When does the antenna switch from the 60 GHz band to the 5 GHz band? What parameters does it check before switching bands? (Signal strength? Tunnel speed? Something else?) >When doe...

spippan

does the "Copy" button ( 2 ) on an existing rule not work for you? nat_26-03-2025.png I'm sorry, i didn't see it anyway you could improve the functionality by adding the button also to Firewall and NAT pages, so that it's not needed to open each rule, this will make the job faster thanks ...

spippan

In CLI, you can do an export and copy a specific line. If you execute that line (with some adjustments) you can execute it. There is also 'copy-from=' property, and you can modify whatever parameters you want on the new cloned object at the time of creation as well: /ip/firewall/filter/add copy-fro...

spippan

does the "Copy" button ( 2 ) on an existing rule not work for you?

nat_26-03-2025.png

spippan

maybe this helps a little. a 60+5GHz Pair with 60GHz as primary link and automatic 5GHz failover you have to create a bond with the 2 wireless interfaces (60GHz + 5GHz) (mode = active/passive) then add the BOND interface to the bridge additionally to the ethernet interface. optionally disable VLAN f...

spippan

Would be interesting to see the same tests run on the RDS2216. Any chance you could try that?

do you mean from RDS2216 <-> RDS2216 ?

spippan

Wireguard does not respond an incoming request from the same IP address to which that request has arrived because it is actually not a server in the narrow sense. So it treats any packet it sends as a standalone one rather than a part of some connection. So even though the initial hanshake packet f...

spippan

Well endpoint has to be a specific WAN for the client to reach the right ROUTER. The VRRP is for the inside facing users from what I understand. But its a good point for discussion. Looking forward to what comes out of this thread. not if you have a public IP (WAN facing) VRRP instance... which in ...

spippan

can you show "/ip route print" ?

it might be something with "pref-source" for your def.route/wan-route
had this issue with a VRRP setup some months ago and have it running ever since with WG+openvpn

spippan

there you have it

What's new in 7.19beta6 (2025-Mar-19 09:56):
*) net - remove support for automatic multicast tunneling (AMT) interface (introduced in v7.18);

spippan

...fast-forward=no....

disables ARP? really? haven't seen that ever after
and i have setup a lot of bridges... old and new fashioned way
arp always working so far with fast-forward set to "yes"

spippan

netinstall HAS a -v flag on linux
and the problem here is wrong subnetting (/32)
set your interface ip subnet mask at least to /30

spippan

AD:
i tried it with disabling BFD also (no screenshots) and it did not solve the high cpu load

spippan

I mean what NathanA said about NPKs. RouterOS internal security has been changed several times, there are all kinds of internal integrity checks. You can't install self-made NPK files. v7 was a very big change as such, but even during v7 many changes have been made to security in this regard and ot...

spippan

None of that is true though, some really old info

what exactly?

spippan

But if you try to write files to flash so that you fill the space, does it work?

very good point !

spippan

the new bgp implementation in 7.19beta (all betas) seems not working fine on x86 platform, it is overloading the cores with very high routing usage. we experience high (70-90%) on a lot of cores, with normal irq usage where have high cpu. regards oh, i just saw this happens on CHR too below on CHR ...

spippan

ok then there might be something "new" or maybe it is related to a deeper level problem like offloading of the NIC(s) not working correctly at this point. were you able to reboot the x86 router ? (i know - quite hard when BGP is involved, 'cause it might impact a whole other aspects when ...

spippan

SwOS is rock solid as is, I have some CRS317’s with over 500 days of uptime running on our ISP. The only request that many of us have, is to implement basic security prompts. You can easily press a button on the GUI by accident and bring down an entire network. I had an incident with a tech were he...

spippan

just curious how the plan for that would look like with ROS? NPK packages are signed and i assume also at boot time when kernel is loaded, You might assume wrong. I'm not sure about ROS 7 (haven't dug too deeply into its guts yet), but at least with ROS 6 (or at least for most of its existence...ma...

spippan

ok then there might be something "new" or maybe it is related to a deeper level problem like offloading of the NIC(s) not working correctly at this point. were you able to reboot the x86 router ? (i know - quite hard when BGP is involved, 'cause it might impact a whole other aspects when a...

spippan

netinstall to the rescue if all other methods fail.

spippan

You can recompile the kernel to update or load third-party software and hardware drivers. The initrd.cpio file is extracted from the original BOOTX64.EFI, then compiled into the new kernel. By replacing the BOOTX64.EFI file, the kernel can be updated to enable more features without waiting for upda...

spippan

also always remember to set the client firewall (windows or linux) to allow netinstall to access the network correctly and just for sake keeping, if possible, only have you ethernet interface active on which the MT device is connected. i often have fallen to that pit in the past (:

spippan

OK, let's do this in correct order and one step at a time. Correct order: /interface bridge add /interface bridge port add /interface bridge vlan add /interface vlan add Do we agree on this? If I understand correctly, what you're saying is that a key to understanding this is to learn it in this spe...

spippan

the new bgp implementation in 7.19beta (all betas) seems not working fine on x86 platform, it is overloading the cores with very high routing usage. we experience high (70-90%) on a lot of cores, with normal irq usage where have high cpu. regards BFD active on any bgp session(s) ? that might be the...

spippan

if nobody has reported it yet TLDR. the VLAN overview goes crazy with many VLAN interfaces (about 100 in a QinQ setup) (see gif)
WinBox 4.0beta18

Peek 2025-03-13 16-27.gif

on which column do you sort here?
in other words - what is the active sorting criteria in the interface list?

spippan

...some "sortby=" on a print be helpful.

+1

spippan

Why not? If https is used, then client can verify authenticity of server it's talking to. Yes, npk files do have some verification built in (I believe that packages are digitally signed by MT so it's not trivial to alter the contents). But two layers of security are better than one. And we definite...

spippan

Could you please reimplement "Open in new winbox"? Maybe even as a right-click or shift-click on "Connect" and "Connect to RoMON"? +100 for this I have 271 devices at the moment, it is PITA to always have to scroll to the previous location in history when I have to go ...

spippan

spippan

...they do

never had any issues
also with plugging them into a Cisco or Ubiquiti

spippan

@teslasystems
damn impressive.

hope MT UX designers take notes here!

spippan

thx. BFD in BGP now working again (as it did not work in 7.18beta4 - i don't know if it was addressed in b5, b6, rc1 or rc2)

spippan

also hi from AT
to help the forum understand your setup better:
- provide your configs (sanitized!) ( /export hide-sensitive file=somename )
- a (schematic) network diagram of your setup also helps, if done properly, a lot

spippan

Totally agree. And keyboard-shortcuts!!!

as i wanted back in v3 --> viewtopic.php?p=980023#p980023

spippan

@merkkg

... enumerate valid usernames in Mikrotik routers ...

"enumerate" is a bit of over exaggerated

spippan

this might help

https://community.openvpn.net/openvpn/w ... ectGateway

spippan

...or try to work wiith dhcp matcher options
this maybe could help

https://help.mikrotik.com/docs/spaces/R ... dorClasses

spippan

is every wifi connecting client known? if so, create static leases and set the dhcp server pool to "static only"

so only known wifi clients (MAC addresses of the wifi cards) will be handed a lease.

spippan

note on container settings in v7.18beta4

had to change the Registry URL from "https://registry-1.docker.io/v2/" --> to --> "https://registry-1.docker.io"
now i can pull containers again

spippan

@teslasystems

this cat always screams and posts in that manner are unfortunately usual. try to not bother to much ... one cannot re-educate or soften a stiff spaghetti even if it is on point

maybe "just roll with it" might be a good option

spippan

at least 32MB would be "kind"

oh and on that occasion... static route BFD check would be nice ... viewtopic.php?t=186941#p1073107

spippan

it is surely the ZTE which does not behave correctly WAN port is not in a bridge. of course not (; i'll see what i could do about it. currently i changed the bridge-mode of the ZTE MC801A back to NAT, deactivated dhcp completely there and assigned a static IP. on the wan port of the MT it is 172.16....

spippan

You can even buy off the shelf dedicated MACSEC media converters now-a-days : https://www.extremenetworks.com/products/adapters-and-converters/switch-adapters-and-converters/lrm-and-macsec-adapter ...which requires an additional license for MACsec operation AND an extreme-networks host switch to ev...

spippan

thx @mkx i know how dhcp works and a renew may occur half of max-lease-time. here it is not the case. given lease is valid for 4h but still there are NAKs way before lease-time ever reaches, for say, 2h left. if there is a release or just a renew, normally it works totally fine. the problem addition...

spippan

in 7.16.2 (running on a 1100AHx4) it filters out communities which are not in the given list.

what do you expect to happen? that the route would not become active if a given community is not sent with the route-info?

spippan

same issue on 5G network "3 AT" with a ZTE MC801A in bridge mode every once in a while i receive a NAK from the WAN side (the ether1 which is connected to the ZTE 5G modem in bridge mode) 172.16.88.1 is the local IP of the ZTE device (my MT has 172.16.88.2/26 on ether1-WAN additionally for...

spippan

*) 60ghz - improved system stability; More details on this please - does it affect all devices, or just the newer 802.11ay ones (the older 802.11ad have been quite stable in my experience, still running 6.49.x on them)? would also love to see more information on that. got about 6 setups with 60GHz ...

spippan

+1 on nz_monkey regarding VXLAN comments and eVPN. Could I add in( no doubt a new switch chip for future products ), but hardware offloaded MACSEC as part of the underlay. "And include jumbo frames ( aka 9000 byte + frame)" My use case is commercial datacenter/carrier providers(via L2) to...

spippan

side note

love how engaged MT support is on 7.17 and 7.18bXX forum threads the last days.
feels like things really start to get moving again

spippan

Feature which will help me considerably are L3HW offloading full vrf support not only the main table As well as Full MPLS Offloading or multicore processing I'm using CCR2216 and i'm happy to do any testing thats needed and provide feedback. i++; on VRF Hardware Offload! L3VPN (over MPLS or over EV...

spippan

About HW VXLAN. Supported devices are ones that support L3HW offloaded fasttrack/NAT : CRS309-1G-8S+, CRS317-1G-16S+, CRS312-4C+8XG, CRS326-24S+2Q+, CRS326-4C+20G+2Q+, CRS354-48G/P-4S+2Q+, CRS504-4XQ, CRS510-8XS-2XQ, CRS518-16XS-2XQ, CRS520-4XS-16XQ, CCR2116-12G-4S+, CCR2216-1G-12XS-2XQ. The main g...

spippan

do we have any update on [SUP-134566]: BGP-VRF V7?

when that feature will be implemented.
It works perfectly fine on v6

what is the problem here?

cannot find SUP-134566 when i search for it here

spippan

do we have any update on [SUP-134566]: BGP-VRF V7?

when that feature will be implemented.
It works perfectly fine on v6

what is the problem here?

cannot find SUP-134566 when i search for it here

spippan

"Wireless" is fine with 7.17, but "wifi-qcom-ac" is crap, unfortunately. I have had long time open memory leak ticket SUP-147911 for hAP ac^2. This ticket has been closed without solution - but it is bullet proof the leak is related to "wifi-qcom-ac", because "wir...

spippan

But the question was about Filter, not about Sort. And there is already a Filter button, that lets you filter by any column, and by multiple columns. My idea is only about usability for filtering: pls. see the image from the post from @mszru. I appreciate that the filter function is implemented. I ...

spippan

just reading along - hope to see a solution on that topic as well before i consider switching to AX PtP links

spippan

...or if one has "n" customers on a CCR cluster and customers are in their own VRF respectively
so in no case whatsoever it is remotely stupid

spippan

so we wait.

cummulus (and therefore linux) is able to do that

spippan

spippan

Why, network better -- dont create overlapping subnets............ Wireguard works just fine, if done properly. (caveat home user, dont support real work) and also here ... it does not have to do something with overlapping networks. don't always assume stuff without properly knowing any background.

spippan

how does asking for VRF support for wireguard and allegedly "not knowing how to properly use wireguard" relate to each other??

spippan

Same issue, very badly waiting for WireGuard vrf support

same.
VRF support for Wireguard Interfaces! => viewtopic.php?p=1117383#p1117383

spippan

VRF support for Wireguard Interfaces! Please!

spippan

add bridge=BR1 interface=ether3 pvid=187 - if I add this admit-only-vlan-tagged i'm losing access to the other VLAN's

try setting the PVID to 1 (or 4094 when not used otherwise) --> 187 coming in tagged and also PVID set to that VLAN ID does not go well in ROS ... still

spippan

Responding to my own post, it seems that this is no longer CLI only, I think newer Winbox versions matches this option in DNS, ability to select VRF. Someone please correct me, maybe there is more to it. I would very much like DNS to work on any VRF, not only main or whatever I (single only) select...

spippan

As for the ticket system: there is a default filter to show only open issues in the list. you need to change the filter to "any status".

bummer ... thanks for the hint.

spippan

Responding to my own post, it seems that this is no longer CLI only, I think newer Winbox versions matches this option in DNS, ability to select VRF. Someone please correct me, maybe there is more to it. I would very much like DNS to work on any VRF, not only main or whatever I (single only) select...

spippan

...

@inazmul

why are you using my avatar picture?

spippan

Not really but Arista, Cisco, Juniper (and many others) all have decent macsec enabled switches.
...

if it is just for MACsec securing dark fibre and need to stay on a budget (sort of) consider a look towards the fs.com S5800-48F4SR
it supports MACsec wirespeed

spippan

hopefully 2025 will change this and MT decides to enable MACsec hw-offload

spippan

hope dies last. we will see. not that i depend on MT for my L2... certainly not.

spippan

yes somehow but the switching capacity is very limited VS with real stacking solution on Cisco / Juniper and another pita if my memory serves correctly is MSTP and Double Tag Stacking yep, it's not quite performing in more serious setups unfortunately waiting on v7.18 for more L2 functionality (;

spippan

stacking on the other hand can go up to 8 switches with most vendors which support stacking. Another missed opportunity with Mikrotik Stacking / Virtual Chassis in Juniper world is pretty much after sought feature can be done with bridge controller (at least with a "lite" feature set at l...

spippan

In the documentation on MLAG only examples with two switches in a MLAG configuration can be found. Is it possible to create a MLAG with 3-4 switches in a ring topology instead of a fully meshed topology? Other vendors like Aruba support stacking in a ring topology. no. stacking and MLAG are differe...

spippan

I'd like to suggest a public status page for Mikrotik services. So people don't have to flood forum and support helpdesk with all the same "omg, it is down" reports.

+1

spippan

something like an entry in the context menu Of which menu? You are surely aware that when device is in sleep mode, it doesn't transmit anything and all caches (e.g. ARP cache, list of DHCP leases, etc.) will forget about it probably long before you'd want to send WoL packet to it, aren't you? Which...

spippan

Static DHCP leases have the MAC Address saved, so on that context menu (which seems to be the screenshot from) makes perfect sense.

exactly. thank you sir!

spippan

What's new in v4.0beta13: *) implement opened windows list *) implement global menu search *) bump minimal macOS version to 12.0, because 11.0 is EOL and dropped by Qt *) accept button with Enter/Return keys also on Windows and macOS *) fix max u32 value processing on some fields *) fix visual 1px ...

spippan

...
I think, it will be usefull to have context option "Wake On Lan" in ip / dhcp-server / leases.
...

i just thought this option would come in handy!
something like an entry in the context menu

Screenshot from 2024-12-02 12-15-23.png

spippan

@matkor

please have a good and thorough read here https://medium.com/@im0nk3yar0und/secur ... cb28161f9e

and reconsider the decision to expose SSH to the internet ... by not even changing the default port tcp/22 to something else!

spippan

one could use https://help.mikrotik.com/docs/spaces/R ... DNS-Adlist

and specifiy a local file where the unwanted domain/fqdn entries are listed

spippan

How do i import saved session to new winbox4

right click the space in "Saved" view

28_11_2024.png

spippan

with beta12 WB4 is coming to a useful state more and more. 1 - please change the startup behaviour or save the last state at least to start the " Select from: " menu in the last state or to start in the " Saved " view 2 + 3 - please focus the cursor to the "Password" fi...

spippan

as in the latest 7.17beta5 changelog, mikrotik is obviously working on bridge and mlag performance
so hopefully on 7.17 final or 7.18 MLAG is finally USABLE

viewtopic.php?p=1108704#p1109249

spippan

You can try the reverse thing: create a single VRRP, create VLANs on top of VRRP. This should work, if it's ok that a single VRRP handles all VLANs at once.

tested it in EVE-NG
one VRRP interface and all vlans "under" this VRRP does NOT work ... as i expected

spippan

You can try the reverse thing: create a single VRRP, create VLANs on top of VRRP. This should work, if it's ok that a single VRRP handles all VLANs at once. how would that look like facing the switch(es) ? that would require the VRRP participating routers to be connected to a full trunk port and th...

spippan

as for now (2024-11-11) nv2 is not available for any AX devices!

spippan

but be aware, as for now, it would not be possible to resolve DNS queries in the VRF "management" with DNS servers set in "IP > DNS > Servers" (according to MT support this is known and will be addressed somewhen in the future) DNS upstream only resides in the "main" VR...

spippan

Yes, it looks nice, and will indeed fill in a gap in the market and be good for many "basic" switching applications.. That said, for me : Big talk of future upgrades; sorry, tell me what I am getting now, not what may or may not come.. Will stick with Cisco, as you know what your getting ...

spippan

so, could *) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs; ...mean a pathway to use MACsec with hardware offload in the near future? (yeah i know, MACsec and TLS connection does not go along in the same sentence - but the option to use hw-offload for GCM ciphers...

spippan

an that is bad??
But putting myself in their shoes, if every time they release a change a horde of zombies appears shouting (even though it's in testing), it's only natural that they start hiding their actions more.

that's the nature of this community i learnt over the years now. sad.

spippan

would be like to see a dhcp failover setup on MT too

spippan

why deleting the defconf firewal-rules when apparently not really understanding how ROS ("iptables") firewall works essentially?

if not building smth sophisticated or speacial-purposed, take the default FW configuration from routerboard factory configuration and build up from there

spippan

WinBox 4 is great in a lot of ways, but in one particular way it is a HUGE regression..... TABS! Can we please have tabs back in all elements of WinBox 4. Not having them makes using WinBox 4 very cumbersome and time consuming SFP Info in WinBox 4 = a lot of wasted space 00MTCapture.PNG SFP Info in...

spippan

@spippan, not sure what you setup is, but you can always look at this https://github.com/netsampler/goflow2 In there is a docker compose that sets everything up including some ready to use grafana charts to see network traffic https://github.com/netsampler/goflow2/tree/main/compose/kcg thanks a lot...

spippan

What's new in 7.17beta4 (2024-Oct-18 11:32): *) crypto - use hardware accelerator for GCM cipher in TLS connection on Alpine CPUs; *) ssh - added option to configure SSH ciphers (replaced allow-none-crypto parameter); so, could *) crypto - use hardware accelerator for GCM cipher in TLS connection o...

spippan

bridge - added interface-list support for VLAN : the best features!!!!

This will simplify VLAN tables!thank you mikrotik.

is there any docs how we are ablte to use this feature? or best-practice?

EDIT: found it where it is used... (screenshot)

Screenshot from 2024-10-15 23-02-56.png

spippan

No, Fully active, and we are currently updating the software(not pushing to customers for now). As the founder of the software, I am busy with my wedding and the company's establishment and testing the new features, working on the trial and demo possibilities for the pro version ( asked by many cus...

spippan

is it working with 7.15.3? maybe stay there a little longer?

one thing you can try additionally now, try to disable the windows client firewall shortly for testing

spippan

And Mikrotik disrupted my company's work so how did MT do that? was it MT who did not test your setup and your configuration on the applied firmware? was it MT who did not test essential functions of your setup vital to your company working? do not ever apply untested (by yourself in your environme...

spippan

fischerdouglas compilation Have you MikroTik guys considered splitting the DNS service as was done with the Wifi packages? Separating different things of different interest into Packages? .... In regards to have a "more advanced" DNS service in a separate package is not a bad idea at all,...

spippan

This rule does get hit if you use it as intended, yes. Any NAT rule that you have dst-nat to an internal computer will be on the forward chain. You can use this default rule instead of a default drop-all so that anything dst-natted will be allowed instead of creating both a nat rule and a filter ru...

spippan

This works, except when you go to terminal inside winbox, you have to login again with a new otp code because most of the time your 30 second window has already expired before you open the terminal window. the whole point of TOTP add a local user which is only allowed from 127.0.0.1 and use that us...

spippan

Hi all, I'm having a clean out of unused Firewall rules and I can't for the life of me figure out the purpose of this default rule. add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed" As fa...

spippan

a quick thought ... is auto-negotiation enabled on those 40G links? is FEC configured on the 40G links on both sides? i'd try to set the link speeds to fixed on both ends and configure FEC accordingly ("fec74" on 40G) Edit: I see FEC74 doesn't have anything to do with forward error correc...

spippan

make sure there is no "ufw" or "firewalld" or "iptables" service active (regardless of rules being present or not) and deaktivate all other interfaces other than the one connecting to your router if nothing of that works, good chance there is something down with the boo...

spippan

could be a combination of

tcp-close-wait-timeout + tcp-close-timeout

try to look at the ip > firewall > connections section, maybe this will be visible there what is happening.

spippan

a roadmap would be nice (*wishful thinking*)

spippan

have you checked for any active firewall on your PC?
and why arch? just boot a live iso like debian of fedora, check to see if any firewall is surely disabled and run netinstall on cli

netinstall has never let me down on any of my 3 linux machines

spippan

what does "/ip/firewall/connection/tracking/print" show?

spippan

Need colors in log. Like Red for errors and other.

+2
still not (re)implemented

and also finally a TIMEOUT when moving the mouse between menu items on the left (like, not instant. a short delay when moving between e.g. MPLS and Routing entries

spippan

wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might have some insight 🤷‍♂️ ) https://forum.mikrotik.com/viewtopic.php?t=211511 Unfortunately, L3HW doesn't support VRF yet. The hardware (switch chi...

spippan

Please have a good look at this part of the documentation: https://help.mikrotik.com/docs/display/ROS/WiFi#WiFi-CAPusing%22wifi-qcom-ac%22package: Can you share the /interface wifi export of both the CAPsMAN and the CAP? /interface/wifi/export Remove serial and any other private info. I have both a...

spippan

MLAG on 2 x CRS354-48G-2S+2Q+ switches continues to be a problem. MLAG peer link is a 802.3ad (LACP) bond interface utilising two Q+ (40G) ports with MikroTik DACs. We've tried swapping the DACs which made no difference. Bond and slave interface status shows zero 'link down' events but MLAG peer st...

spippan

maybe a bit of a stretch but tried v7.15? also with the "extra-nics.npk" from the ISO file? ( https://download.mikrotik.com/routeros/7.15/CHANGELOG ) not sure if this is even compatible/possible but maybe worth a shot I have tried using version 7.15 but there is no “extra-nics.npk” during...

spippan

there are 3 attributes which come to play here maybe this guide helps or clearifies some stuff -> https://administrator.de/forum/mikrotik-dyn-vlan-und-mac-auth-in-ros-7-2-2466135253.html EDIT: the article shows the mikrotik user-manger radius implementation but the 3 attributes are standardized no m...

spippan

AFAIK the capsman v3 with wifi-qcom-ac does not play well when it comes to datapaths and VLANs ... never figured it out my own with 2 hap ac²

spippan

From my perspective, VRF Hardware Offload in conjunction with MPLS (i.e. MPLS VPNv4) is the most important functionality that should be added. wonder if there are any 98DX or other marvell chips in use by MT are able to do this (did not read all whitepapers - maybe someone knows someone who might h...

spippan

maybe a bit of a stretch but tried v7.15?
also with the "extra-nics.npk" from the ISO file? (https://download.mikrotik.com/routeros/7.15/CHANGELOG)

not sure if this is even compatible/possible but maybe worth a shot

spippan

Thank you Mkx, I've already try adding a chain forward accept rule with the src address. The result was that some traffic was captured by the rule, but the site still fails. Any ideas? try to add another route below but set the said ip address as dst-address and enable connection-state "establ...

spippan

latest NIC firmware installed? those cards sometimes do not initialize when a boot happens

spippan

i assume but cannot verify (not using ipv6 anymore at the moment)

but you can check with a ipv6 drop rule on the '"input" and "forward" chaing with "log=yes" to see what happens (if something happens)

spippan

Hello, have you ever experienced that the nic installed on the Dell server is not detected in Mikrotik? I have this problem, where the nic is detected up on the Dell 630 IDRAC but is not on / running on Mikrotik OS version 7.16 or 7.15.3. When disabled on the other side it turns on, only in the Mik...

spippan

LL in context of ipv6 is commonly refered to as LinkLocal. it is not too hard to co-relate if ipv6 is disabled completely on ros, no LL adr. generation happens, no ipv6 routing/forwarding accurs, hence ipv6 communication is not active through the router or to the router i terms of ipv6 firewall - ca...

spippan

some solid work on bridge regarding mlag and VLANs (will have to rework some bridge setups xD )

thanks a lot for the impressive work you doing here! pace is on!! cheers guys

spippan

... The secret that no one will tell you.. either because they have not lost time testing.. is the NIC cards... in order to suceed with Multi-CPU x86_64 on RouterOS v7.15.xx stable version.. is the Network cards... because they are related to IRQ on the CPU.. basically the more IRQs slots available...

spippan

DNS-01 support for LE would be amazing. I’m not punching holes for port 80 from the world to internal gear but I already use DNS-01 to handle internal certificates for k8s. This is definitely the right path forward. DNS-01 with LE would be awesome!! had to setup cloudflare for a nginx reverse wildc...

spippan

========== NEW QUESTION ========== Thank you all for input. New question. What specific features would you like to provision in these controller type of setups. What is your #1 use case, which config is most often needed to apply "en masse" or to multiple devices? P.S: it seems nearly all...

spippan

@normis Winbox 4 beta 6

Can't add new interface lists. I can create them in the terminal and then add / remove members in Winbox but can't create a new list.

works in beta8

spippan

...
It appears like a rather compact device, probably around 10x15x3 cm.

I haven't found actual photos, but I only had a quick peek.

https://fccid.io/TV7WAPGR52AX/Test-Repo ... on-7634095 shows a little preview in the antenna radiation pattern exhibits

spippan

Chateau will likely be "H53UiG-5HaxQ2HaxQ" and probably around 500€
wAP ax will likely be "wAPG-5HaxD2HaxD"

looking forward to wAPax

spippan

well there is something cooking....

spippan

filter rules work on top-down first-match base as a rule of thumb in ROS (and mostly in any OS of other vendors too)
so the first rule a connection matches into will be executed and no following rule for that matched connection

spippan

spippan

As an internet Service Provider, that also is considering more of a Managed Service Provider role: For my own stuff, locally-hosted servers are a must, and containers (or an NPK on a CCR2xxx/CHR would be cool). I like how Ubiquiti keeps UniFi separate from UISP. I use UniFi to manage customer's int...

spippan

1) a + b as maybe 2 seperate installments or a as a subcategory in b 2) self hosted on X86 preferably 3) main features (for a start): firmware revision with up/downgrade of many devices maybe also in groups/sites (like the UISP from U) config push and backup with diff (change management) archive mon...

spippan

normis asked some questions...

viewtopic.php?t=211012

spippan

experiments with VRFs to implement an automatic failover between 2 ISPs Maybe I'm missing something here... But what is the point of using VRF for ISP failover? — VRFs have nothing to do with "automatic failover". Failover works without VRFs, and so layering VRF on top of failover mechani...

spippan

thanks @jaclaz i'll go through that ... curious about that.

spippan

spippan Are you using 4.0beta6? Could you please create a support ticket regarding the NAT login issue along with supuout.rif file made after the issue appears and other details - what system is the WinBox running on? I tried reproducing the issue, but it seems to work as expected. Is the "aut...

spippan

i do not know for sure but could this interfere somehow? /interface wifi channel add band=5ghz-ax disabled=no name="5 GHz" skip-dfs-channels=all width=20/40mhz /interface wifi configuration add channel="5 GHz" channel.skip-dfs-channels=all country=Romania datapath="VLAN 24&q...

spippan

Yes, it is like in any other configuration with vrf parameter.

is there a possible solution to resolve to upstream dns from e.g. a management VRF?

unfortunately this is not allowed:

/ip dns set servers=1.1.1.2@management

spippan

issued SUP-160816 on 2024-07-31 with not a single reaction had the same idea with a mgmt vrf where i needed DNS resolution ... went the "main VRF only it is then.." route This parameter means that DNS listens for queries from the clients in a specified VRF. As far as I understand you have...

spippan

we discovered that netflows are not generated when they are about inter vlan l3hw accelerated traffic. observing this on CCR2216 where we had spike of traffic (l3hw) on a vlan on these was not reported on our netflow collector. SUP-165456 generated OT: (sorry) @rpingar what netflow solution do you ...

spippan

if connection is not on the default port but gets redirected internally to 8291 (def. port) with a NAT redirect i cannot login from the WAN side winbox v3 - no problem winbox v4 - no login possible (tried a static user and a 2FA user - v3 was OK but v4 error on both tries) service itself is running ...

spippan

Is there any chance of Multicore Processing of Following in ROS v7.x:

1. MPLS + VPLS
2. PPPOE
3. VXLAN

+1 for VXLAN!

also waiting on MACsec in hw-offload
...and wishing on WireGuard to be available for hw-offload but that is a whole different story

spippan

v7.16rc4 - DNS VRF does not work. When setting: /ip dns set vrf=mgmtvrf the system always sends DNS queries via the main vrf, regardless of this setting. issued SUP-160816 on 2024-07-31 with not a single reaction had the same idea with a mgmt vrf where i needed DNS resolution ... went the "mai...

spippan

But don't you already have these as "return routes"?: add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=bridge routing-table=vrf_orange suppress-hw-offload=no add disabled=no distance=1 dst-address=192.168.1.0/24 gateway=bridge routing-table=vrf_starlink suppress-hw-offload=no...

spippan

+1
I also noticed you can't just enter the IP and hit enter like in winbox3, now it's a bit more cumbersome to have to then first click start.

yes the ENTER key functionality has not arrived yet ... same with applying changes

spippan

yesterday on linux - today some thoughts on windows beta6 - windows which get dragged inside WBox4 lag behind mouse cursor (knwon bug but on windows VERY sluggish) - missing the "Find" text field to quickly highlight saved routers (patiently we wait :lol: ) - still i think that would be a ...

spippan

with beta6 it is getting up quite a notch! tabs+custom tabs+additional windows from same category -> excellent! WBox4 is getting more and more usable! good work mikrotik! few bits and bites which are on my mind immediately - indent for "child interfaces" (VLANs under the parent IF) or &quo...

spippan

have you tried to set this in "MAC mode":

Screenshot from 2024-09-13 00-54-16.png

spippan

can we have the "enter" key back for applying and closing a window
e.g. change the name of an interface and just press enter instead of CLICKING on apply/ok ?

spippan

wAP ax will be a very small device and is coming very very soon (question of days or weeks)
Is it nearly ready yet?? Don't we usually find stuff on the FCC websites in advance?

hm https://fccid.io/TV7

spippan

Need the group feature back badly. This is a show stopper for us as we sort clients that way.

+1

spippan

I'm not sure that any of you know what beta means when developing a GUI application. Please, report bugs that you find while using the app and/or if something doesnt make sense or if you find something to have more sense to be in a certain way. Its a beta for a reason, any missing features need to ...

spippan

a "no" then

spippan

this is considered PtP addressing and works fine
Not everybody knows the name for it ... and certainly not everybody knows how to use it properly ... hence post by @TheCat12 (which is, unlike yours, useful)

now some more know though

spippan

css610 host mac addresses per vlan? anytime soon?

spippan

This looks lovely, and I'll check it out. Windows, MacOS, and Linux. However, one killer bit I'd love to see added to Winbox: public key auth. We have an ongoing war internally about killing off winbox because it means our techs are storing passwords in their laptops. Personally, I use SSH at least...

spippan

There is a small hack to use /31 addresses - one address to be the local address and the remote one to be specified as the network. For example, site 1 - address=192.168.1.0 & network=192.168.1.1 , site 2 - address=192.168.1.1 & network=192.168.1.0 this is considered PtP addressing and work...

spippan

People are so gotten used to grey XP style interface, but are not used to the name? We call it winbox, because is easy to say and everyone knows what it is

why is this even a ef'ing thing? i do not get it

e.g. "rOSbox" would sound somewhat silly IMO

spippan

first, v7 has a newer and more feature rich kernel

but as always - it depends.

e.g. i am running v7 and v6 in prod environments depending on the situation. dependent on where which device gets deployed. (60/5GHz PtP backup link for example runs v6 on to occasions)

spippan

did not see it being mentioned but: -> if you are in IP > Firewall > Filter Rules (or > NAT) and copy a rule and create it by clicking apply and/or OK the rule does not get positioned under the rule from which it has been copied from. instead it gets created on the end of the list -> how can there b...

spippan

is there maybe anything which disallows or filters 00-00-5E-00-01-.. mac addresses? vrrp interfaces use those No such things. I had no success at all until I googled for esxi that mac spoofing should be enabled and found where to fix that for hyper-v. Now it's this. Gonna give it a try on a sr-iov ...

spippan

We are certainly looking into better options for distributing on linux Please, PLEASE, not flatpak or Snap. Pretty please? 10/10 -> Make one tar.gz, static linked with whatever You used to build it. Everything is userland, everything is run from the /home/$USER. Just extract to <wherever>, and run/...

spippan

TIL: there is
Code: Select all
/ip/dns/cache/all/print
which shows you really all cache entries.

Unlike
Code: Select all
/ip/dns/cache/print

thanks ... didn't know about that or at least never realized this was there

Search found 749 matches