Community discussions

Search found 197 matches

by maznu
Tue May 28, 2019 12:33 pm
Forum: Useful user articles
Topic: How to optimize list of IP4 addresses
Replies: 7
Views: 1818

Re: How to optimize list of IP4 addresses

This tool exists http://manpages.ubuntu.com/manpages/disco/en/man1/aggregate.1.html Also you can use https://github.com/snar/bgpq3 , for example: bgpq3 -A -4 -j AS-FACEBOOK Here I'm using JSON output format so that I can have access to a prefix-length range, but you could equally use bgpq3 -A -4 AS...
by maznu
Fri Apr 05, 2019 1:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

I have done several tests with GNS3 using CHR 6.44.2 (stable) and as long as the router has enough memory, it doesn't crash. In my tests, the attack 'steals' around 180 MiB. Using a CHR with 256 MB, system resources shows a total memory of 224 MiB and free-memory of 197 MiB before attack. During th...
by maznu
Thu Apr 04, 2019 6:14 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

It is an upgrade problem because of no free space on the router, not related to this thread at all.
I have 6.43.14 installed on a hAP ac lite (64Mb RAM), and it is still vulnerable. Ticket#2019040222005195 and Ticket#2019032922005182
by maznu
Thu Apr 04, 2019 5:14 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

This is far from over.

Please refer to ticket 2019040422005244 and advise.
I'm hearing reports that this isn't fixed on routers with 64Mb or less of RAM. Is your ticket about this, eben? Or something else? :-|
by maznu
Thu Apr 04, 2019 2:31 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

What I don't understand: why is it not possible to firewall against it? When you limit the addresses that are routed, e.g. by dropping traffic in the raw prerouting table, does it still create entries for the dropped traffic in the route cache or neighbor table? Why? If you DROP in PREROUTING then ...
by maznu
Thu Apr 04, 2019 12:44 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Just wondering what will happen / be the effect when "under attack" and hitting memory limit? * on neighbour mem limit * on routing cache limit Router will survive, but what with the legit connections? The tests I did on 6.45beta23 suggested different levels of memory usage would be used for the IP...
by maznu
Thu Apr 04, 2019 12:18 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Fixed also in long-term - 6.43.14
and Current - 6.44.2
Attacked both, and both releases fix CVE-2018-19299. Fantastic news — but now the hard work for all of us network operators begins:

1. 🔬 test

2. 🧠 plan

3. 🔨 deploy

4. 🔍 monitor

5. 🍺🍻🎉

6. 😴 🛌
by maznu
Tue Apr 02, 2019 7:43 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

With extreme fragmentation, it can result in no contiguous memory that satisfies the malloc() or realloc() and you either segfault in userland or (I'd imagine) panic in the kernel, hence the reboot even with memory theoretically available. The data structure that the Linux kernel used in RouterOS v...
by maznu
Tue Apr 02, 2019 5:26 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

More testing has yielded more data. This has not been properly replicated by anyone else that I know of, so take it as plausible hypothesis. I think I found more fallout from the ipv6 flaw: boxes that have their ND cache or their ipv6 route cache run up but not to the point of OOM reload experience...
by maznu
Tue Apr 02, 2019 10:42 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

@maznu - beta23 fixes both vulnerabilities? Did you test? I emailed MikroTik yesterday, tweeted, and posted about this on the 6.45beta thread - yes! MikroTik has said that another beta is expected to make the settings on the affected components more "optimal" for devices with low RAM. I hope it lands...
by maznu
Tue Apr 02, 2019 2:03 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Also, send @maznu a present/gift/bounty/4011. He sure as hell earned it.
That's very kind, but after we've all got the patch in longterm and stable, I want to know how I can mail order a crate of beer to MikroTik's offices to say thank you for getting this fixed.
by maznu
Mon Apr 01, 2019 8:17 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

maznu - can you contact me via Twitter? I sent you a tweet already.
My timeline exploded a bit, as you might imagine. I'm @maznu on Twitter, DMs are open :)
by maznu
Mon Apr 01, 2019 5:31 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

where the reporter didn't report it as a security concern and left it for 6 months till he was able to get a CVE The full timeline will be available next week. But when I reported this in April 2018, my request to MikroTik was to plead with support to treat this as a serious security vulnerability,...
by maznu
Mon Apr 01, 2019 12:08 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71354

Re: v6.45beta [testing] is released!

Congratulations! I have tested this beta and I confirm that with 300 Mb RAM the router's memory doesn't fill. A CHR with 300 Mb of RAM with OSPF-v3 has 237 Mb of free-memory and during the attack it keeps on around 200 Mb. Hopefully this fix will be in long-term and current branches soon. I concur....
by maznu
Sun Mar 31, 2019 8:50 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

FastNetMon may work if the netflow is being generated by an intermediate device in the path (like off of a tap), it's very fast and can potentially mitigate assuming null routing is performed before cache write. EDIT: with only: * a route back to the attacker * and only a default null route in my v...
by maznu
Sun Mar 31, 2019 3:48 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71354

Re: v6.45beta [testing] is released!

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you tr...
by maznu
Sun Mar 31, 2019 3:45 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71354

Re: v6.45beta [testing] is released!

Seems that one of these was considered as CVE and another one was not. Since author of these CVEs still has a problem, seems that actually #1 was not included in this CVE. However, this "problem" actually is not much of an issue. RouterOS IPv6 route cache max size by default is 1 million. If you tr...
by maznu
Sun Mar 31, 2019 12:07 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Sorry @maznu but I don't get the same md5sum you expected. Maybe mine is a different but correlated attack It is possible we are using different tools to trigger the same issue — there is more than one way to make some IPv6 packets. ;-) If you're happy to discuss in private anyway, please drop me a...
by maznu
Sun Mar 31, 2019 12:03 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

I have been spreading the word around in other forums. If it's of any interest / help I am happy to act as a remote test case providing no harm is done. At this stage, my best advice would be that people monitor the memory usage on their routers and graph it. If your memory usage is stable for many...
by maznu
Sun Mar 31, 2019 11:50 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

As a consequence, I am now assuming the exploit is out there in the wild and is being used. Thanks for this information, @MichaelHallager. I saw something similar several times in the first two weeks of March this year, and advised MikroTik on 2019-03-15 about this, asking for urgent action. At ...
by maznu
Sun Mar 31, 2019 11:18 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

When I launch the attack, the chr reboots but the other routers are not affected by the attack. Firewall rules seem not to be effective. But if I increase the chr memory from about 300 MiB to 3000 MiB the router seems to be ok: the free memory goes between 2200 and 2400. As my lab is made in gns3 ...
by maznu
Sun Mar 31, 2019 11:02 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

now that we know what command to run @IPANetEngineer: do you want to compare notes now that we are probably on the same page? Prompted by something MikroTik told me last thing on Friday about the nature of the underlying problem, and following my own research last night, I've got some good news to ...
by maznu
Sun Mar 31, 2019 1:16 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

If you haven't already, I would strongly encourage those of you who discovered and reverse engineered these bugs to compare notes and check that they are in fact the same methods - the last thing we need is for MikroTik to release a fix for the original issue, and then find that those who reverse e...
by maznu
Sat Mar 30, 2019 5:47 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

despite the author being less than helpful about providing details. I have provided MikroTik with every detail at every step of the way. I cannot provide anyone else with any more detail at all as this would literally give them the means to carry out the attack. I have not shared any mitigation...
by maznu
Sat Mar 30, 2019 10:30 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Normis... I'm pretty confident we have replicated the conditions of one of the CVEs from doing some digging on our own for this issue. Without the rules, the router crashed. When we added the rules the router stayed online. Meanwhile CVE-2018-19299 still needs fixing, because even with those perform...
by maznu
Sat Mar 30, 2019 8:33 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Maznu, do the following: ip service disable [find] Verify that even with all Mikrotik access media services the problem occurs? Yes, that is still vulnerable (my test lab has no services enabled because it has no Internet connectivity - only console access). These IPv6 handling problems are not abo...
by maznu
Fri Mar 29, 2019 10:52 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Maznu, thank you for showing that you are seeking a solution for the whole community. Could you inform me if disabling SSH and Winbox service also works the exploit? Using RoMon only can be a "temporary" solution? How you access the router isn't the major factor here… I'm not sure I understand your...
by maznu
Fri Mar 29, 2019 6:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Normis... I'm pretty confident we have replicated the conditions of one of the CVEs from doing some digging on our own for this issue. Without the rules, the router crashed. When we added the rules the router stayed online. May I please add "discovered independently by a third party" to the timeline...
by maznu
Fri Mar 29, 2019 5:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

For CVE-2018-19299, Are systems that do not have IPv6 connection tracking enabled affected?
Yes.
by maznu
Fri Mar 29, 2019 5:12 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

No. He did not send proof of concept for all issues, just a generic report about a crash. When he now said that CVE number such and such is not fixed, it was not clear, since we don't know what he will publish in that CVE. There is not a single issue, there are multiple issues, we fixed most, now h...
by maznu
Fri Mar 29, 2019 3:23 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

This version fixes: 1) Soft lockup when IPv6 router is forwarding IPv6 packets; 2) Soft lockup when the router is forwarding packets to a local network (directly connected) due to large IPv6 Neighbor table. We are still working on improvements for IPv6 Neighbor table processing in userspace which c...
by maznu
Fri Mar 29, 2019 3:09 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

We fixed the crashes that were reported to us. You said, we have not fixed "The CVE". I don't know what you will publish in the CVE. You have only provided a video that doesn't help at all. The CVE, CVE-2018-19299, was communicated to you in October 2018. It is literally just the number that MITRE ...
by maznu
Fri Mar 29, 2019 3:03 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

For everyone here, I wanted to clarify, that to my best knowledge, the author of the CVE has not contacted MikroTik and we are in the dark as to what he plans to publish. There has been plenty of communications on this matter, normis. The most recent, specifically about what I plan to publish, was ...
by maznu
Fri Mar 29, 2019 3:00 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues. Hopefully fix will land in other (stable and long term) branches shortly. CVE-2018-19299 is not fixed in 6.45beta22, I am afraid. Please clarify https://www.youtube.com/watch?v=...
by maznu
Fri Mar 29, 2019 1:40 pm
Forum: Announcements
Topic: v6.45beta [testing] is released!
Replies: 305
Views: 71354

Re: v6.45beta [testing] is released!

will it be backported to versions 6.40.x and 6.43.x? Version 6.45beta22 has been released. !) ipv6 - fixed soft lockup when forwarding IPv6 packets (CVE-2018-19299); !) ipv6 - fixed soft lockup when processing large IPv6 Neighbor table (CVE-2018-19298); Sorry, but CVE-2018-19299 is not fixed in 6.4...
by maznu
Fri Mar 29, 2019 1:35 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

For those who won't notice it otherwise: MT just announced ROS 6.45 beta version which includes fix for these two issues.

Hopefully fix will land in other (stable and long term) branches shortly.
CVE-2018-19299 is not fixed in 6.45beta22, I am afraid.
by maznu
Fri Mar 29, 2019 12:19 pm
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

So all this "close to year" shouting is overestimation. So I suggest to keep calm and wait for release, as MikroTik admitted 2nd CVE as vulnerability.
Second "bug" was acknowledged by MikroTik on 2018-04-20.
by maznu
Fri Mar 29, 2019 10:05 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

I believe I saw you comment that this can't be mitigated in MIkroTik at Layer3. What about using a MikroTik router at Layer 2 (or a non-MikroTik) inline in bridge mode before the Internet connection and using the firewall to filter out whatever is in the crafted packet that creates the issue? I'm a...
by maznu
Fri Mar 29, 2019 10:02 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

We aim to fix the issue before the mentioned publication date.
That is very welcome news, normis.

If you or your developers wish to contact me privately for any further information, you've got my email address.

Good luck!
by maznu
Fri Mar 29, 2019 9:57 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

If you just have the package enabled and absolutely no configuration from an IPv6 perspective are you okay?
I also would like to know this.
If you cannot route IPv6 packets, you should be safe.
by maznu
Fri Mar 29, 2019 8:28 am
Forum: General
Topic: UKNOF 43 CVE
Replies: 223
Views: 40112

Re: UKNOF 43 CVE

Would somebody please post some additional information about this. I need to understand what is the problem, the potential impact and what vulnerabilities are possible. Where can I find information to read/learn about this? MikroTik acknowledged this issue on 2018-04-20. To learn more about it: I a...
by maznu
Fri Mar 29, 2019 8:07 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15441

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

why r u being so disruptive and trying to break mikrotik? Multiple MikroTik staff have repeatedly and continuously called this a "bug" and not a "vulnerability". If reporting "bugs" is now deemed disruptive then could someone please stop the world, because I would like to get off. Meanwhile, indust...
by maznu
Fri Mar 29, 2019 1:26 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15441

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

The common practice to go public with a vulnerability is to do it in coordination with affected vendor, and their release of a fix. To do otherwise is irresponsible and unprofessional. I have been asking MikroTik for exactly this approach for nearly a year. They will not commit to a date, or even t...
by maznu
Fri Mar 29, 2019 1:23 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15441

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Thankfully I'm in the position to do the above (and just have on my edge routers, in fact). I am nothing short of apoplectic that I've had to, however. Secretly hoping that either 6.44.1 was a fix for this or that it's a complete hoax. Either is better than what appears to be reality. Edit: It real...
by maznu
Fri Mar 29, 2019 1:15 am
Forum: General
Topic: Running IPv6 on Mikrotik? You're out of business in 12 days time
Replies: 32
Views: 15441

Re: Running IPv6 on Mikrotik? You're out of business in 12 days time

Hi, I'm Marek Isalski. I've been trying desperately to get MikroTik to resolve this issue since they acknowledged it on 2018-04-20. I know for a fact other people have figured this vulnerability out, and I believe I've seen exploitation of it in the wild in the last 2-4 weeks. MikroTik's response to...
by maznu
Wed Dec 05, 2018 3:54 pm
Forum: Forwarding Protocols
Topic: OSPF loses routes after days
Replies: 23
Views: 2512

Re: OSPF loses routes after days

How many routes do you have? We have not experienced this issue at all with OSPFv2 with 450 OSPFv2 routes and 130 routers. It's been completely stable. 760000 in BGPv4, 60000 in BGPv6 And was several hundred in OSPFv2 (/32 per customer device), and several hundred in OSPFv3 (/48, /56, /64 per custo...
by maznu
Wed Dec 05, 2018 9:06 am
Forum: Forwarding Protocols
Topic: OSPF loses routes after days
Replies: 23
Views: 2512

Re: OSPF loses routes after days

The log will repeat this when it breaks until I flap the instance: 08:28:37 route,ospf,info OSPFv2 neighbor 10.255.0.3: state change from Full to 2-Way 08:29:18 route,ospf,info Database Description packet has different master status flag 08:29:18 route,ospf,info new master flag=false 08:29:18 route...
by maznu
Sat Nov 17, 2018 8:24 pm
Forum: RouterBOARD hardware
Topic: Anyone tried the new CRS305-1G-4S+IN switch? [SOLVED]
Replies: 1
Views: 1070

Re: Anyone tried the new CRS305-1G-4S+IN switch? [SOLVED]

We're using one for OEO of a 10G wave: https://twitter.com/NetworkMoose/status ... 4025182209

Thumbs up for this device so far!
by maznu
Sat Oct 13, 2018 10:27 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

I have never seen increasing memory usage due to IPv6 forwarding. But apparently your use case or configuration is different. This is an out-of-the-box configuration, plus IPv6, NOTRACK, and some static routes. MikroTik confirmed to me back in March that they have reproduced this issue. I'm just ho...
by maznu
Fri Oct 12, 2018 1:23 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

ND is like ARP. It is used to find the hardware address corresponding to the IPv6 address. Transit routers do not use it. (but they could use tracking) To refer you back to my post, and why ND is not to blame (despite using an "ND exhaustion tool"): RaspberryPi ---- hAP ac2 ---- hEX If I run this o...
by maznu
Fri Oct 12, 2018 12:55 pm
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

So it is ND (also indicated by the name of the tool). No, you're doing exactly the same thing MikroTik support did — that is, not reading the addresses that are being targeted. Despite using a tool for ND crashing, it is not ND which is causing the problem — it's just an easy to find tool which wi...
by maznu
Fri Oct 12, 2018 11:27 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

As Normis already wrote, these are not really bugs but you are merely exhausting the capacity of the router, either for IPv6 ND or for IPv6 connection tracking.
Happens with IPv6 set to NOTRACK. It's not tracking causing this.
by maznu
Fri Oct 12, 2018 10:36 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

Here is the original message I sent to support on 2018-04-16: I have just run a trial with two MikroTik devices, all running latest release candidate. RaspberryPi ---- hAP ac2 ---- hEX On the raspberry pi, eth0 = 2a01:9e02:0:4242:xxxx:xxxx:xxxx:xxxx/64 (autoconf address, doesn't matter) On the hAPac...
by maznu
Fri Oct 12, 2018 10:30 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

Can it be prevented with firewall? It can be firewalled by not routing any IPv6. But if you have a RouterOS device anywhere in the path between one subnet and another subnet, even if not directly connected to that router, and it is forwarding IPv6 packets, it is vulnerable to being crashed. Maybe y...
by maznu
Fri Oct 12, 2018 10:23 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

Yes, it is exactly that. Denial of service from some type of IPv6 packet flood, where router runs out of resources. It was answered, that we accept this as a bug, but we would not call it a vulnerability, because there are many ways how to exhaust resources of any device. If I send IPv6 packets at ...
by maznu
Mon Oct 08, 2018 10:09 am
Forum: Announcements
Topic: Security announcement blog
Replies: 120
Views: 38815

Re: Security announcement blog

FYI https://threatpost.com/poc-attack-escalates-mikrotik-router-bug-to-as-bad-as-it-gets/138076/ Thankfully those CVEs appear to be fixed in 6.40.9 and 6.42.7. Good to see that MikroTik is taking RouterOS security seriously with those CVEs. Meanwhile, I'm still waiting for MikroTik to confirm when ...
by maznu
Sun Oct 07, 2018 7:40 pm
Forum: General
Topic: Birmingham MUM 2018
Replies: 13
Views: 1110

Re: Birmingham MUM 2018

Relief.. written and spellchunked! :D
Literally hours to spare! Time for a celebratory drink… ;-)
by maznu
Sun Oct 07, 2018 3:20 pm
Forum: General
Topic: Unable to get more than 175 IP's
Replies: 18
Views: 1694

Re: Unable to get more than 175 IP's

but as soon as I hook up more than 175 IP's the network does not accept more IP and crashes everything until I remove the devices. What do you mean by "hook up more than 175 IPs"? Do you mean you've got 175 devices connecting to the 2.4GHz WLAN? Or you've got more than 175 devices connecting to the...
by maznu
Thu Oct 04, 2018 12:16 am
Forum: Beginner Basics
Topic: BGP peer announce commands
Replies: 1
Views: 249

Re: BGP peer announce commands

Usually I would either: 1) redistribute connected in /routing bgp instance (so that routes that your BGP-speaking router is connected to are "announced" via BGP) and/or 2) add a "network" in /routing bgp network which you want to announce ("synchronised" if you don't want the announcement to be made...
by maznu
Wed Oct 03, 2018 1:03 pm
Forum: General
Topic: Birmingham MUM 2018
Replies: 13
Views: 1110

Re: Birmingham MUM 2018

definitely there Monday
Glad to hear it, coz you're one of the speakers ;-)

(look forward to hearing yours — it's very much in everyone's minds with the worms currently floating around the Internet — well done for volunteering to speak at the MUM!)
by maznu
Tue Oct 02, 2018 9:07 pm
Forum: General
Topic: Birmingham MUM 2018
Replies: 13
Views: 1110

Birmingham MUM 2018

Ok, who is going? Is anyone up for dinner/drinks the evening before…?
by maznu
Sat Sep 29, 2018 1:34 am
Forum: RouterBOARD hardware
Topic: What happened to the CRS305-1G-4S+IN?
Replies: 23
Views: 6503

Re: What happened to the CRS305-1G-4S+IN?

I want a bunch of these! * tiny 10G "ring" device (with options for 1G and 10G customer connections) * 10G inline mirror for IPS/etc * not-quite-transparent 10G transponder * OEO for wavelength regeneration (again, not quite transparent because it won't pass LACP/etc) I can see plenty of uses, and I...
by maznu
Fri Sep 14, 2018 1:32 pm
Forum: General
Topic: Can't Install Updates ("ERROR: could not save package")
Replies: 2
Views: 449

Re: Can't Install Updates ("ERROR: could not save package")

I can't install updates because I'm interrupted by the message "ERROR: could not save package". This problem only exists on one of my MikroTiks. Does anyone recognize this symptom? Any help would be much appreciated. Check the /file or "File" menu — it might be you've got a big autosupout.rif file ...
by maznu
Mon Sep 03, 2018 8:31 pm
Forum: General
Topic: Feature Request: TACACS/TACACS+
Replies: 35
Views: 8595

Re: Feature Request: TACACS/TACACS+

At least disable the local users if AAA is configured and reachable. TACACS would be nice, but the current radius is functional, just doesn't disable local accounts. Why not just set your one local admin account to have an impossible IP address restriction, and then you've still got console-level ac...
by maznu
Wed Jul 18, 2018 8:30 am
Forum: General
Topic: Issues with software release 6.40.8
Replies: 1
Views: 339

Re: Issues with software release 6.40.8

Are both ends of the link set to autonegotiate? Have they both agreed on 100-full or 1000-full? Or was one end set to 100-full and the other has "negotiated" 100-half?
by maznu
Thu Jul 12, 2018 8:39 pm
Forum: Forwarding Protocols
Topic: BGP propagation time
Replies: 3
Views: 501

Re: BGP propagation time

Full tables? That's all you can do, unfortunately. The BGP implementation isn't amazing (constant scanning of tables), single-core, and the CCR's individual cores are not amazing for computation. Alternatively look at this excellent EU MUM talk for how to use CHR on 64-bit Intel for higher convergen...
by maznu
Thu Jul 12, 2018 5:36 pm
Forum: Forwarding Protocols
Topic: MIkrotik BGP Monitoring
Replies: 55
Views: 18919

Re: MIkrotik BGP Monitoring

For those of you using https://prometheus.io for monitoring, there are two options:

* https://gitea.faelix.net/FAELIX/ros2prom (requires Python, pipenv)
* https://github.com/nshttpd/mikrotik-exporter (which does not calculate bits-per-second on ports, for example)
by maznu
Tue Jul 10, 2018 9:36 am
Forum: Forwarding Protocols
Topic: Matching routes for originating-AS is VERY slow
Replies: 4
Views: 714

Re: Matching routes for originating-AS is VERY slow

Will we ever see some improvement here? MikroTik teased a new BGP implementation some years ago, part of the mythological "RouterOS v7". More recently we've been hearing, "almost everything we were going to put in v7 is now in v6"… except things like not crashing when pushing lots of IPv6 packets, ...
by maznu
Mon Jul 09, 2018 11:05 am
Forum: Forwarding Protocols
Topic: Matching routes for originating-AS is VERY slow
Replies: 4
Views: 714

Re: Matching routes for originating-AS is VERY slow

Our "solution" was to take a BGP feed into a routeserver on Bird, and point https://github.com/sileht/bird-lg at it.
by maznu
Fri Jun 29, 2018 6:49 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Unfortunately problem is not resolved yet. I also can not give you any ETA for such fixes.
When problem will be resolved, then RouterOS release notes will include such fix description.
I guess we keep on waiting, and hoping...
by maznu
Thu Jun 28, 2018 12:32 pm
Forum: The User Manager
Topic: Paypal
Replies: 24
Views: 3357

Re: Paypal

by maznu
Thu Jun 28, 2018 12:27 pm
Forum: Announcements
Topic: v6.42.5 [current]
Replies: 124
Views: 23072

Re: v6.42.5 [current]

danielduffin, blackwp - Please contact support@mikrotik.com and send supout file. Are you sure that downgrade to 6.42.4 fixes the problem? There are no UM-related changes in this version The problem might be related to PayPal deprecating old versions of TLS on 26th June: https://www.paypal.com/au/we...
by maznu
Thu Jun 28, 2018 12:26 pm
Forum: Announcements
Topic: v6.42.5 [current]
Replies: 124
Views: 23072

Re: v6.42.5 [current]

is anyone else getting this error with userman and how do I resolve it PayPal - ssl connection error: handshake failed: error 14077410 (6) Thank you Yes we can confirm this error also. No Paypal payments being accepted. We tried adding an ssl cert to the RB but that didn't work either. "Mikrotik......
by maznu
Mon Apr 23, 2018 5:20 pm
Forum: Forwarding Protocols
Topic: IPv6 BGP Connection Reset
Replies: 1
Views: 378

Re: IPv6 BGP Connection Reset

A common reason for this is that the address families within the BGP session do not match. For example, I've always configured bird6 to talk to RouterOS BGP with only IPv6 address-family enabled.
by maznu
Tue Apr 17, 2018 5:44 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

I think all the emails back and forth were testing Maris' patience, but I am so incredibly grateful that they have listened and we have understood each other.
"We will test this scenario."
Excellent news - and good luck, MikroTik team!
by maznu
Tue Apr 17, 2018 3:49 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Response from Maris: You can exhaust resources of any device by simply sending large amount of data. Set up ipv6 firewall to protect your router. Best way is to limit amount of accepted icmpv6 packets in IPv6 RAW firewall. I have asked them to reconsider, as this isn't traffic destined for the route...
by maznu
Mon Apr 16, 2018 8:46 pm
Forum: Forwarding Protocols
Topic: IS-IS
Replies: 44
Views: 13659

Re: IS-IS

we may see it in v7 whenever that comes out. :-)
Can't tell if those are the words of a man who has had a sneak peek of something…

…or words that are heavily laden in sarcasm! ;-)
by maznu
Mon Apr 16, 2018 3:05 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

[Ticket#2018041622003823] opened for the ICMPv6 transit crash.
by maznu
Sun Apr 15, 2018 10:16 pm
Forum: Forwarding Protocols
Topic: Choosing short path for an internet address from multiple gateways
Replies: 5
Views: 583

Re: Choosing short path for an internet address from multiple gateways

Speaking theoretically, if you redistribute your full views into ospf, then yes. But I have not heard any success stories on doing that. I would strongly advise against redistributing 700k BGP routes into OSPF. Probably better to have your loopbacks in OSPF and carry your full tables in BGP. …now if ...
by maznu
Sat Apr 14, 2018 10:45 pm
Forum: Forwarding Protocols
Topic: "Ring" Configuration
Replies: 3
Views: 1025

Re: "Ring" Configuration

I called iparchitechs and the sales person quoted me $2,500.00 - $5,000.00 to configure 5 routers! I think that is a little steep. Your hardware is probably going to be a similar sort of expenditure. I'm not sure how much you're paying for your fibre ring, but I imagine there are ongoing costs for ...
by maznu
Sat Apr 14, 2018 10:36 pm
Forum: Forwarding Protocols
Topic: Choosing short path for an internet address from multiple gateways
Replies: 5
Views: 583

Re: Choosing short path for an internet address from multiple gateways

If you are receiving full tables (almost 700k routes now) from both your upstreams, then by default RouterOS will use AS path length as one of the criteria for BGP route selection. Assuming you've not set higher local preference or metrics on the routes (by using "in" filters), then you will be gett...
by maznu
Fri Apr 13, 2018 7:09 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Maybe it is connection tracking. I added a "notrack" rule to ipv6 raw prerouting, and RouterOS still crashes. Of course pumping a gigabit of ICMP probes like those friendly programs do will kill the router. I could understand if the router dropped packets because it does not have the CPU power to p...
by maznu
Fri Apr 13, 2018 6:55 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

This doesn't seem to affect Linux itself, wonder what crazy stuff Mikrotik are doing with IPv6 to introduce a vulnerability like this? Maybe this is just a case of bad values for some IPv6 sysctl parameters — e.g. memory exhaustion by the kernel because of a value set too large. It will be interest...
by maznu
Fri Apr 13, 2018 6:49 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

In addition to everything else this is what I'm seeing. Just transiting a high volume of ICMPv6 traffic is enough to cause the router to reboot. I updated to 6.42rc56 this morning and no stealth fixes were contained in that release. It's trivial to reboot spam any MikroTik router w/ndpexhaust26 on ...
by maznu
Fri Apr 13, 2018 4:31 pm
Forum: General
Topic: Mikrotik and Environment.
Replies: 12
Views: 963

Re: Mikrotik and Environment.

In the UK there were various government and non-government initiatives (usually in the form of grants to businesses) to reduce material waste, resource usage in manufacturing, etc. I would not be surprised if the PR team at MikroTik has thought about "Corporate Social Responsibility". It's a good st...
by maznu
Fri Apr 13, 2018 3:36 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

I'm a bit confused about what is your problem. When it is in the ND it should only affect reachable networks. Are you getting a static prefix from your ISP? (e.g. a /48) Did you make sure to have an "unreachable" route for your entire prefix in the route table? (with only /64 routes to your reachab...
by maznu
Fri Apr 13, 2018 2:58 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

So ... Grab a Linux box, put it on your LAN and prepare to LULz to the point of tears. At this time, this is now another IPv6 deficiency that will prevent me from recommending MikroTik products for anything other than home routing. The fact the router can be REBOOTED simply by an end-user running n...
by maznu
Fri Apr 13, 2018 1:19 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Another one for our IPv6 address space scanning shitlist: add address=2607:f140:4800::/48 list=shitpit It's likely being done by one of the authors of this paper (or someone working with them) at Berkeley University: https://conferences.sigcomm.org/imc/2017/papers/imc17-final245.pdf I've been conta...
by maznu
Fri Apr 13, 2018 1:18 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Start laughing or crying at that point because your HEX is rebooting. Yes, rebooting. Target a Cisco 1841 w/15.0 code and default settings ... nothing happens. Confirmed. It'll OOM a CCR with 2GB RAM and 256k IPv6 neighbour entries. It doesn't even need to be to a subnet which is directly connected...
by maznu
Sun Apr 08, 2018 12:29 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Start laughing or crying at that point because your HEX is rebooting. Yes, rebooting. Target a Cisco 1841 w/15.0 code and default settings ... nothing happens.
For what it's worth, I've raised this with MikroTik support, Ticket#2018040822000592.
by maznu
Sun Apr 01, 2018 11:10 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Not sure if it's from the host failing because of an OOM state Oh, yes, and the other reason I don't think it's an OOM: Increasing the IPv6 neighbour cache size (e.g. doubling it) is an instant fix. At least till the tables have filled up again. But that bought me enough time to figure out where th...
by maznu
Sun Apr 01, 2018 11:08 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Now, in Linux I wonder what entries the garbage collector purges. The op has stated he loses connectivity. Not sure if it's from the host failing because of an OOM state or because the router loses the neighbor table data for downstream devices while being scanned. If it's the latter I'd suspect th...
by maznu
Sat Mar 31, 2018 7:39 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

In the time it's taken me to email their network abuse contact, and shitpost about them on Twitter, they've probed ~150k addresses. Fun times. I received a reply just now: Hi Marek, We've added your prefix […] to our blacklist. We spread probes as evenly as possible across routed prefixes, and shuf...
by maznu
Sat Mar 31, 2018 12:48 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

They're doing a sort of enumerative scan of IPv6 address space, depth-first, which results in about 100pps of IPv6 traffic from them. That soon fills up a neighbour cache on a smaller device (even if you've set it to 100k+ entries), and pretty soon afterwards your little device loses its connectivi...
by maznu
Sat Mar 31, 2018 12:47 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

Another one for our IPv6 address space scanning shitlist: add address=2607:f140:4800::/48 list=shitpit It's likely being done by one of the authors of this paper (or someone working with them) at Berkeley University: https://conferences.sigcomm.org/imc/2017/papers/imc17-final245.pdf They're doing a ...
by maznu
Mon Mar 26, 2018 1:38 pm
Forum: General
Topic: RouterOS making unaccounted outbound winbox connections [SOLVED]
Replies: 64
Views: 30766

Re: RouterOS making unaccounted outbound winbox connections [SOLVED]

I finally got my hands on an infected device, spent some time with it, and can confirm that this appears to be Hajime I can confirm that upgrading to 6.40.6 removes the /flash/etc/rc.d directory tree, which of course deletes the startup script and thus renders the Hajime binaries in /flash/bin iner...
by maznu
Mon Mar 26, 2018 12:01 pm
Forum: General
Topic: RouterOS making unaccounted outbound winbox connections [SOLVED]
Replies: 64
Views: 30766

Re: RouterOS making unaccounted outbound winbox connections [SOLVED]

checks if port 80 is available, then uses the vulnerability that was fixed in 6.38.5 to copy itself into that system Does it require valid username and password to do that, or is it sufficient to have access to the webserver? If it's a botnet using ChimayRed, as suggested earlier in the thread, the...
by maznu
Sun Mar 25, 2018 11:19 pm
Forum: General
Topic: RouterOS making unaccounted outbound winbox connections [SOLVED]
Replies: 64
Views: 30766

Re: RouterOS making unaccounted outbound winbox connections [SOLVED]

360 Netlab are tweeting: "So the old Hajime botnet is coming back with a new exploit which was published only about 13 days ago ( https://www.exploit-db.com/exploits/44284/ ), it also looks for some old exploits like tr-064 but nothing exciting there." — https://twitter.com/360Netlab/status/97793220...
by maznu
Sun Dec 31, 2017 11:58 am
Forum: General
Topic: connect 2sfp+ to CCR1009-7G-1C-1Splus ?
Replies: 2
Views: 319

Re: connect 2sfp+ to CCR1009-7G-1C-1Splus ?

Unfortunately the answer is in the subject. The designation of the product as 1Splus means it has 1-SFP-plus port. The "1C" (combo) port is either RJ45 or SFP - i.e. will only work at 1Gbit/sec. You'll need a 2S+ router if you want 10G uplink and a separate 10G connection to a switch.
by maznu
Thu Oct 19, 2017 12:26 pm
Forum: Forwarding Protocols
Topic: BGP Dual-homing using 2 x CCR1016-12G or just one CLOUD CORE CCR1036-12G-4S-EM. What would you do?
Replies: 5
Views: 806

Re: BGP Dual-homing using 2 x CCR1016-12G or just one CLOUD CORE CCR1036-12G-4S-EM. What would you do?

Thanks for the answer Zerobyte. What about resources/capacity, would it take a full route and 100Mbps from each ISP? Easily routes 100Mbit/sec - but be careful how lots of rules in /ip firewall filter etc might impact performance. Full routing tables: on CCR it takes maybe 5 minutes to converge. Y...
by maznu
Mon Oct 16, 2017 3:34 pm
Forum: General
Topic: CRS326 - 6.40.4 -- does it support LACP? [SOLVED]
Replies: 4
Views: 1082

Re: CRS326 - 6.40.4 -- does it support LACP? [SOLVED]

The CRS326 Link Aggregation without CPU utilization in RouterOS is planned in the near future.
Hoping this will be coming to the CRS317 (and others) at the same time…?
by maznu
Sun Oct 01, 2017 4:17 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

That type of scanning technique is indeed pointless or dimwitted, however it may have served its purpose... That might be the real context. It was still >2million more attempts (many hours) before this "attack" ceased. Maybe neighbour cache exhaustion was the purpose… never heard back from the uni...
by maznu
Sun Sep 24, 2017 10:36 pm
Forum: General
Topic: CCR1072 and 1036 using FICON protocal on SFP
Replies: 3
Views: 607

Re: CCR1072 and 1036 using FICON protocal on SFP

If by FICON you mean https://en.wikipedia.org/wiki/FICON, then bad news: FICON isn't IP over ethernet. MikroTik devices don't speak Fibre Channel, and they don't speak FICON.
by maznu
Thu Sep 21, 2017 12:38 am
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Re: Remote Host Scanning our IPv6 Network

And kudos for using the doc prefix in your example. :) Thanks. Currently I'm unsure whether this scan (coming from a university network) is "legitimate research" or "pwned box" — as yet, no response from their abuse contact — otherwise my example might have named-and-shamed the device in question ;-)
by maznu
Wed Sep 20, 2017 6:26 pm
Forum: General
Topic: Remote Host Scanning our IPv6 Network
Replies: 50
Views: 5726

Remote Host Scanning our IPv6 Network

A few days ago one of our routers was hitting IPv6 neighbor cache exhaustion. The symptoms were occasional unreachability via IPv6. I pulled up Torch and found someone was actually scanning our network, probing consecutive addresses in a /64 to see if anything responded! Dropping this traffic is eas...
by maznu
Mon Aug 21, 2017 12:09 am
Forum: Beginner Basics
Topic: CHR VPS
Replies: 2
Views: 628

Re: CHR VPS

Would Switzerland be good enough (latency), or is Germany required (sovereignty)?
by maznu
Sat Aug 05, 2017 2:01 pm
Forum: Announcements
Topic: v6.40.1 [current]
Replies: 74
Views: 23085

Re: v6.40.1 [current]

Having some OVPN problems having done an upgrade on clients from 6.38.5 to 6.40.1. Server is 6.37.5 still. No VPN session stays up more than a minute: 11:53:40 ovpn,info,account XXXX logged in, A.B.C.D 11:53:40 ovpn,info <ovpn-XXXX>: connected 11:54:20 ovpn,info <ovpn-XXXX>: terminating... - nothing...
by maznu
Tue Jul 18, 2017 10:24 am
Forum: RouterBOARD hardware
Topic: CRS317 - any fresh info about that buddy?
Replies: 8
Views: 1336

Re: CRS317 - any fresh info about that buddy?

Maybe not yet in stock. So just email a few of them to find out.
Normis: is there any news on the super special MPLS features on this chipset that you hinted about in January…?
by maznu
Tue Jul 18, 2017 10:09 am
Forum: RouterBOARD hardware
Topic: CRS317 - any fresh info about that buddy?
Replies: 8
Views: 1336

Re: CRS317 - any fresh info about that buddy?

Already available! Suggested price is $399 and yes, it can forward 160Gb/s wire speed. Search google for the part number and you can find that some distributors have it on their web page, if not, ask them.
Stealth release :-)
by maznu
Sun Jul 16, 2017 2:23 pm
Forum: General
Topic: Compatible DWDM SFP+ Modules?
Replies: 6
Views: 986

Re: Compatible DWDM SFP+ Modules?

100km? I have never heard that the DWDM SFP+ can reach up to 100 km. How is it possible?
Mostly they're just "good" 80km optics with some extra Forward Error Correction thrown in. :-)
by maznu
Thu Jul 13, 2017 2:35 pm
Forum: RouterBOARD hardware
Topic: CRS317 - any fresh info about that buddy?
Replies: 8
Views: 1336

Re: CRS317 - any fresh info about that buddy?

We're in the market for some of these… would love to know if we're buying 'Tik or might have to go elsewhere.
by maznu
Fri Jul 07, 2017 2:01 pm
Forum: General
Topic: My IPv6 Triage List for ROS
Replies: 48
Views: 5498

Re: My IPv6 Triage List for ROS

Excellent thread. I would like to add: IPv6 route rules and VRF The ability to do /ipv6 route rule routing-mark="foo" ... (and corresponding /ipv6 route routing-mark="foo" ... ) would be fantastic. Even older Linux kernels support this already (3.2.0 test box seems to have it), so we just need a way...
by maznu
Sun Jun 11, 2017 7:23 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208035

Re: Feature requests

About the WireGuard idea, are you a time traveller writing to us from future? :)
Spoiler alert: Trump gets impeached!

…but I'm not going to reveal which one is released first: WireGuard v1.0 and RouterOS v7.0 :)
by maznu
Sun Jun 11, 2017 1:45 am
Forum: General
Topic: Feature requests
Replies: 1160
Views: 208035

Re: Feature requests

You know how everyone's always saying "we want UDP support in OpenVPN" and "we want LZO"? And MikroTik say that their OVPN implementation is really nasty code that's hard to work on? How about instead we look to the future: WireGuard https://www.wireguard.io Clients for every major OS, modern crypto...
by maznu
Fri Jan 20, 2017 3:06 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

user-name radius attribute is equal to clients local-identity, IOS by default puts its ip address as local-identity. Eap username and password for authentication is inside eap message. What a lovely information leak... Thanks for the info, mrz! Now to build the FreeRADIUS configuration from hell :-)
by maznu
Mon Jan 16, 2017 10:20 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

6.39rc12 and 6.38.1 are both still sending through an IP address (the road warrior's local IP) as the "Username" attribute in RADIUS. Isn't this meant to be the Username I specified in the iOS IKEv2 client? 185.134.196.4.36540 > 185.134.196.12.1812: [udp sum ok] RADIUS, length: 111 Access Request (1...
by maznu
Sat Jan 14, 2017 1:45 am
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

iPhone client (IKEv2, User Authentication, with username and password), talking to v6.39rc12 with FreeRADIUS. The RADIUS packet received has the Username set to the iPhone's IP address - not the username specified in the "Authentication" section of iOS. Is this expected behaviour? Shouldn't this be ...
by maznu
Sat Dec 24, 2016 1:48 am
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

I'm trying to set up eap-radius with Windows NPS, but I keep getting these errors on my Windows RADIUS server: An Access-Request message was received from RADIUS client 192.168.xx.xx with an Extensible Authentication Protocol (EAP) message but no Message-Authenticator attribute. Anyone know how to ...
by maznu
Thu Dec 22, 2016 4:17 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

Next RC will include message-authenticator attribute
…if this forum had a "like" button, I would press it :-)

Thank you!
by maznu
Wed Dec 21, 2016 9:59 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

...and same on 6.38rc52 :-)
by maznu
Wed Dec 21, 2016 9:52 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

We've had some success getting IKEv2 and RADIUS and EAP talking to each other... but we've hit an interesting stumbling block. We're using CHR 6.38 rc 51. The RADIUS packets generated by IKEv2 authentication attempts do not have a Message-Authenticator attribute: 19:43:57.474594 IP (tos 0x0, ttl 63,...
by maznu
Sat Dec 10, 2016 1:37 pm
Forum: General
Topic: Feature Req: IKEv2 server and client
Replies: 291
Views: 80686

Re: Feature Req: IKEv2 server and client

I asked this in the 6.38rc thread, but maybe here is better. I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast! My question is whether or not it is possible to create an IKEv2 configuration on Route...
by maznu
Sat Dec 10, 2016 1:29 pm
Forum: Wireless Networking
Topic: DFS
Replies: 1
Views: 767

Re: DFS

This DFS and radar detect is killing me. It takes forever to detect radar before an access point starts running, since 6.37. It would appear there's no way to disable it so I had to downgrade everything back to 6.36. Please mikrotik help!! You might want to watch the talk about DFS from the MikroTik...
by maznu
Mon Dec 05, 2016 10:37 pm
Forum: Announcements
Topic: v6.38rc [release candidate] is released
Replies: 331
Views: 75204

Re: v6.38rc [release candidate] is released

*) ipsec - various additional work in IKEv2 support; I will admit that I've not kept up with how quickly the IKEv2 support has moved in these RCs. Well done to MikroTik's developers for doing this so fast! My question is whether or not it is possible to create an IKEv2 configuration on RouterOS whi...
by maznu
Sat Dec 03, 2016 8:40 pm
Forum: General
Topic: Firewall - PPS Limit
Replies: 6
Views: 1474

Re: Firewall - PPS Limit

VLANs are not really an option, because for each VLAN I will lose some public IPs. You can use /32 addressing and not lose any IP addresses. On the router (which will be the default gateway, 192.168.12.1 in this example, for all your VLANs): /ip address interface=vlan45 address=192.168.12.1/32 n...
by maznu
Thu Nov 24, 2016 12:41 am
Forum: Virtualization
Topic: Can I install Cloud Hosted Router (CHR) on XEN server?
Replies: 9
Views: 4248

Re: Can I install Cloud Hosted Router (CHR) on XEN server?

I've had no problems getting CHR to run under Ganeti with Xen as the hypervisor. That's not necessarily the same thing as "Xen Server", but it will run under a Xen dom0. I used a HVM domU, but specified paravirtual NICs and IOEMU for the HDD. I've not yet found a way to get it to run as a paravirtua...
by maznu
Wed Nov 23, 2016 6:59 pm
Forum: Forwarding Protocols
Topic: BGP Multihoming
Replies: 10
Views: 3378

Re: BGP Multihoming

Do you have a "strict" reverse path filter in /ip settings? Have both your upstream providers made sure that their upstreams in turn have sorted out BGP prefix filters, ACLs, etc? A clue of AS number and/or the prefixes you're announcing would help a bit - or you could use a tool like BGPlay to see ...
by maznu
Tue Nov 22, 2016 11:07 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

in the switching market, they have a very strong proposition on features/performance for a 1U switch now that loop prevention protocols are coming out. I'm looking forward to an announcement of 10GE switches by MikroTik. The CCR1072 was a strong hint that this could happen. Of course, the user inte...
by maznu
Tue Nov 22, 2016 6:26 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

Who do you see as competitors to MikroTik that are currently beating them in innovation at the same price point? Right now, I don't. I thought that I'd been clear in all my posts in this thread. I see that there are bugs, but I've had bugs on every platform I've ever used - just as you've said ...
by maznu
Mon Nov 21, 2016 10:44 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

While relevant, let's not get distracted too much from the larger theme with this routing filter issue I agree. The route filter issue... I think Alex Hart meant we shouldn't get distracted from the larger theme: this thread is originally a discussion about whether we think RouterOS is moving forwar...
by maznu
Wed Nov 16, 2016 12:29 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

That would be a completely different bug, and I cannot confirm it.
Maybe it is a fasttrack or route cache bug. That could be. I don't use those features.
+1, cannot confirm. Haven't had any phonecalls about reachability problems.

We don't have fasttrack, but we do have routecache.
by maznu
Wed Nov 16, 2016 12:23 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

With RP Filter set to loose it should.
Ahhhh, that's the bit I didn't grok. I'd only ever encountered reverse path filtering in a strict sense as part of a poor-man's BCP38. Ok, that's interesting.

Thanks - I learned something today.
by maznu
Wed Nov 16, 2016 11:50 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

I think the last question I have about this for Murmaider is: Will your RP-based blackhole approach work where there are multiple valid routes (learned by BGP) to external addresses, but only one is "active" in the RouterOS routing table? Because we see traffic come in on interfaces which aren't nec...
by maznu
Wed Nov 16, 2016 11:40 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

Can you please share the code for this source based blackhole? From above I can see that I have to packet mark so filter is still involved?! Two different people debating different approaches. Murmaider's using a loose RP filter and route injection to trick the router into dropping packets. I'm usi...
by maznu
Wed Nov 16, 2016 9:52 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

You can still use these, just have them trigger a script that speaks to the mikrotik API, for example: # /usr/bin/blackhole.php <attacker ip> <time> It calls the mikrotik api and stores this in a db or flat file. then have a cron that runs every minute that looks in the db / flat file for items whi...
by maznu
Wed Nov 16, 2016 9:24 am
Forum: Forwarding Protocols
Topic: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?
Replies: 7
Views: 2197

Re: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?

means no matter if it's 1072 or supermicro with x86, during full routes propagation, it will still use just 1 core ? All the cores are used for routing packets between interfaces, so if you've got many Gbps of traffic you will see CPU usage on all the cores. But only one core is running the BGP proc...
by maznu
Wed Nov 16, 2016 9:19 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

2 & 3 - We do this using Wanguard. It detects the hacking / attack traffic and informs the filter (honeypot in your case) to inject a route into the mikrotik to redirect this traffic to itself where it can be captured for analysis. This is also filtered and the clean traffic can then be injected ba...
by maznu
Wed Nov 16, 2016 9:08 am
Forum: Forwarding Protocols
Topic: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?
Replies: 7
Views: 2197

Re: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?

I read somewhere MikroTik CCR1072-1G-8S+ cannot handle multiple cores processing even its 72 cores? Is it true? The BGP implementation on RouterOS 6 will only use one core for doing the BGP update processing. If you're planning on having this router take a full transit table, that means that one ...
by maznu
Tue Nov 15, 2016 8:07 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

Can we have more details sent to support? Do you modify routing filters frequently? We've seen this problem several times on CCR with very recent versions of RouterOS. Day-to-day, I kept thinking I was going mad because I am sure I set up filters correctly. Disable the peer, enable it, same problem...
by maznu
Tue Nov 15, 2016 7:59 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

Are there really that many WISPs that need Linux commandline (bash or whatever), and DON'T need performance and features of CCR ??? This concern looks *really* far-fetched to me.. MikroTik obviously recognise there is a future in "Software Defined Network" because they have an experimental OpenFlow...
by maznu
Tue Nov 15, 2016 7:40 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

Do you not lose fastpath by doing this though? Yes, but in our use case that isn't something I'm worried about. I need to use an address-list (so lose fastpath) so that I can redirect abusive traffic: 1) to display a "stop typing your password wrong!" message to customers failing to log themselves ...
by maznu
Tue Nov 15, 2016 2:05 pm
Forum: Wireless Networking
Topic: UK P2P trial with Mikrotik Kit suggestion
Replies: 3
Views: 557

Re: UK P2P trial with Mikrotik Kit suggestion

I don't believe any of the main UK distributors for MikroTik equipment will sell anything which is not permitted for use in the UK (e.g. I don't believe LinITX or MSDist sell any of the 900MHz gear). We've done a couple of "not quite line of sight" installs with MikroTik SXT devices - e.g. several b...
by maznu
Tue Nov 15, 2016 1:59 pm
Forum: General
Topic: London UK MUM 2016 - Nov 14th
Replies: 40
Views: 4035

Re: London UK MUM 2016 - Nov 14th

Thanks to everyone at MikroTik for putting on this event. And thanks to the other speakers for their presentations - good to meet so many of you and talk about firewalling, network security, DDoS attacks, abusive traffic mitigation...

Looking forward to the next one :-)
by maznu
Tue Nov 15, 2016 1:55 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12872

Re: Why source-based blackhole instead of firewall drop

Firewalling can be bad mmmkay Firewalling is great and everyone should use it, but try to do this as close to the edge (as close to the customer / server) of your network as possible. Do not firewall on your border routers (your routers between your network and the internet) unless you absolutely h...
by maznu
Tue Nov 15, 2016 1:47 pm
Forum: Forwarding Protocols
Topic: BGP and routing filter improvement suggestions
Replies: 58
Views: 16823

Re: BGP and routing filter improvement suggestions

BGP flow-spec. While routers in the DFZ can use a public IP2ASN database, for anybody with a complex peering network it'd be amazing to have ASN numbers within NetFlow/IPFIX data.
by maznu
Tue Nov 15, 2016 1:42 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26613

Re: Decline of Mikrotik?

One of the things that struck me from the UK MUM yesterday was the desire for better scripting within RouterOS. There's a real danger of losing out to Ubiquiti's Edge Router, which has a more feature-filled full Linux shell for its command-line. I already see plenty of WISPs consider Ubiquiti for th...
by maznu
Wed Aug 10, 2016 11:17 am
Forum: RouterBOARD hardware
Topic: RB3011: temperature spikes to 90°C!
Replies: 10
Views: 2290

Re: RB3011: temperature spikes to 90°C!

I've seen similar behavior on my 3011 unit as well. I believe it's just erroneous data returned by routeros. It spikes for a second or two and then returns to normal values. Ok, at least it doesn't sound like I have a faulty unit - though the three units I do have all spike by different amounts, bu...
by maznu
Wed Aug 10, 2016 11:14 am
Forum: RouterBOARD hardware
Topic: RB3011: temperature spikes to 90°C!
Replies: 10
Views: 2290

Re: RB3011: temperature spikes to 90°C!

I could not determine if that router has a fan
No fan, completely silent operation. Just very strange spikes! :)
by maznu
Tue Aug 09, 2016 3:24 pm
Forum: RouterBOARD hardware
Topic: RB3011: temperature spikes to 90°C!
Replies: 10
Views: 2290

RB3011: temperature spikes to 90°C!

A picture says a thousand words. http://fs.maz.nu/rb3011-temp.png These two routers are new, in an air-conditioned data-centre, with minimal CPU load (3%). The temperatures come from SNMP, as reported by the MIB iso.3.6.1.4.1.14988.1.1.3.10.0 Does anybody else see this behaviour? Is it incorrect tem...
by maznu
Sun Jul 17, 2016 1:58 am
Forum: General
Topic: Radius Attribute for Local Address in PPPoE Profiles
Replies: 13
Views: 4463

Re: Radius Attribute for Local Address in PPPoE Profiles

Similarly, it'd be great if we could use RADIUS to specify the profile to use for a PPP/VPN connection. There's already a Mikrotik-Group attribute which would be meaningless on a PPP session. Could MikroTik re-use that for profile name on PPP?
by maznu
Thu May 19, 2016 9:52 pm
Forum: General
Topic: Pre-purchase advise please
Replies: 20
Views: 15941

Re: Pre-purchase advise please

bcsteeve wrote: But are there any queues going on there?

No queues, but plenty of firewall rules, and BGP... oh, and it is a VPN endpoint for their roadwarriors.
by maznu
Thu May 19, 2016 9:13 pm
Forum: General
Topic: DNSsec/DNScrypt plan?
Replies: 5
Views: 2469

Re: DNSsec/DNScrypt plan?

In the last couple of days, DNS over TLS was published as an RFC: https://datatracker.ietf.org/doc/rfc7858/ This addition to DNS - nicknamed "dprive" - would deprive intelligence agencies of their ability to sniff DNS traffic. I think that would be an amazing thing for MikroTik's RouterOS to support...
by maznu
Thu May 19, 2016 9:07 pm
Forum: General
Topic: Pre-purchase advise please
Replies: 20
Views: 15941

Re: Pre-purchase advise please

We have a customer with a 100/100Mbit link, and their RB2011 doesn't get above 25% CPU load.
by maznu
Wed Jan 06, 2016 10:45 am
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

There's been a really useful thread about this on some other hardware (but related to the switch chip, probably) here: http://forum.mikrotik.com/viewtopic.php?f=1&t=97895
by maznu
Tue Dec 15, 2015 8:23 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="madmucho"]Please let us know[/quote]

I will report back soon, madmucho. The plan is to move the switches on Friday night this week...
by maznu
Tue Dec 08, 2015 12:53 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

v6.33 firmware 3.22 CRS226-24G-2S+

Uptime 30d 15:28:47
Link Downs 0
Last Link Up Time Nov/07/2015 19:26:14

I guess it's time to go to production...
by maznu
Tue Nov 24, 2015 7:18 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

v6.33: 16 days, still going strong.

But I notice this:

[quote]What's new in 6.33.1 (2015-Nov-17 09:55):
*) CRS2xx - fixed occasional switch chip resets (broken in 6.33);
[/quote]

I guess that means the good developers at MikroTik are looking at this thread? ;-)
by maznu
Tue Nov 17, 2015 4:42 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

v6.33: 10 days in lab, no flaps or crashes (just 70Mbit/s test traffic continuous). That's much better than we ever had with the CRS226 before. But we will test for another 5-7 days more.
by maznu
Thu Nov 12, 2015 2:58 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="madmucho"]I spent a very long time debugging that with Mikrotik support. Something is weird at a low level on this model.[/quote] Thanks for your information, madmucho. We've been testing a CRS226 running v6.33 in our lab for five days now (only a few MAC addresses, only ~70Mbit/sec of traffic...
by maznu
Sat Nov 07, 2015 9:20 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="madmucho"]6.32.3 still problem.[/quote]

I see that 6.33 has landed. I have two CRS226 switches which we pulled from production. I shall get these running in our lab, send several hundred Mbit/sec across them, and see what happens over the next few days.
by maznu
Wed Nov 04, 2015 6:11 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="madmucho"]problems with CRS226 still persist[/quote]

Are you joking?! The CRS226 will still flap all its ports and reset randomly, and MikroTik haven't found a solution yet?
by maznu
Mon Aug 24, 2015 12:40 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="madmucho"]Any news regarding described problem? [/quote]

We replaced our CRS226 with a CRS125, and it has been stable for a few weeks.

We have not yet tried 6.31 on CRS226, so please do not interpret my silence as "problem fixed" — I do not yet know.
by maznu
Sat Aug 01, 2015 11:21 am
Forum: General
Topic: CCR Freeze
Replies: 7
Views: 1214

Re: CCR Freeze

[quote="kgninfos"]as the last time (leap second issue) my CCR did not respond; interface LEDs were constant[/quote]

kgninfos: we had one of our CCRs crash at exactly 2015-08-01 00:00 UTC. It was still running 6.27, and had crashed at the leap second too. What version were you running?
by maznu
Tue Jul 21, 2015 2:45 pm
Forum: General
Topic: [feature request] Graphing PINGS to IP address
Replies: 10
Views: 2745

Re: [feature request] Graphing PINGS to IP address

[quote="normis"]We already have implemented it, have you tried "tool traceroute 8.8.8.8" in the recent months? [/quote] Normis: I think the OP suggests that it be possible to have a traceroute or ping to an IP address running in the background for a long period of time, and that historic data is vie...
by maznu
Mon Jul 20, 2015 8:23 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

From Janis today:

"We have reproduced this problem, we have a setup in lab where ports are flapping on CRS226. The developer may fix it any day, it should be soon."

Fingers crossed!!
by maznu
Sat Jul 18, 2015 1:24 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

Having switched to the 125, with identical software and router configuration, it's been rock solid stable for almost 10 days.

uptime: 1w2d19h37m11s

Definitely a problem with the CRS226.
by maznu
Thu Jul 09, 2015 1:33 am
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="105547111"]I'd compare resources on both and play around. I've got to pack up mine now, but I've got two more supouts for support showing link downs with nothing connected! [/quote] Glad to hear your 125 is working ok. Similarly our third 125 has replaced the 226 (for now). The only change we had...
by maznu
Tue Jul 07, 2015 10:42 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="105547111"]As I've still got a several days left to return the 226 for a full refund, I ordered a 125-RM[/quote] Funnily enough, our 125 arrives tomorrow morning. We'll swap out the 226 for the 125 (there are two other 125s on our network, been running fine for 60 days). And then make the 22...
by maznu
Tue Jul 07, 2015 9:27 am
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="maznu"]Trying 6.30rc29 now... hasn't flapped in a whole 1 hour so far! [/quote] 6.30rc29: kernel crash and switch reboot after under 10 hours. I can't keep on testing firmware that is this unreliable, so am downgrading to v6.29.1 which at least will run for five days before all the ports flap.
by maznu
Mon Jul 06, 2015 9:37 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

Tried 6.30rc28 for ten minutes. Ports were flapping so much (every couple of minutes) that the switch was unusable.

Trying 6.30rc29 now... hasn't flapped in a whole 1 hour so far!
by maznu
Mon Jul 06, 2015 4:34 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="maznu"]No flaps yet, but random reboots aren't better. [/quote]

Well, we just had the flaps:

14:18:34 interface,info ether02-mmr link down
14:18:34 interface,info ether23-wap1 link down
14:18:34 interface,info ether01-mmr link down
14:18:34 interface,info ether06-mmr-metronet link down
14:18:...
by maznu
Fri Jul 03, 2015 6:45 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

Random reboot after about 18-24 hours running v6.30rc22:

14:04:16 system,error,critical router was rebooted without proper shutdown

No flaps yet, but random reboots aren't better.
by maznu
Thu Jul 02, 2015 2:21 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="IPANetEngineer"]Just curious....are the flapping ports connected to other MikroTik equipment or another vendor? If it's another vendor, which one is it? [/quote] For us: CCR1009 (x2), MikroTik mAP 2n (x1), and two connections to other suppliers who use a mix of Cisco and another vendor's equ...
by maznu
Thu Jul 02, 2015 2:18 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="pchott"]Any response that in 6.30 would be fixed?[/quote] All I know is what Janis from MT Support sent in my exchange on the ticket: Please upgrade to RouterOS release candidate version 6.30rc22. If the changes in the latest version do not solve this problem completely, supout files from th...
by maznu
Wed Jul 01, 2015 1:32 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="becs"]But the CRS226 interface resets seem to appear due to insufficient CPU resources in routing or bridging applications. We are working to address this issue in upcoming RouterOS version.[/quote] Thanks, becs. Glad to hear you're looking at this. The CRS226 we have had problems with is no...
by maznu
Wed Jul 01, 2015 1:23 pm
Forum: General
Topic: Leap second bug present on TILE devices?
Replies: 49
Views: 10325

Re: Leap second bug present on TILE devices?

[quote="normis"]4) synchronization to server that have proper Leap Second implementation, not just time adjustment on next synchronization [/quote] This is interesting. Of the two identical CCRs we have, the one that crashed was synchronised to our stratum 1 DCF time server. Our DCF time server was ...
by maznu
Wed Jul 01, 2015 12:41 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="pukkita"]Seems history is repeating with CRS226, sending supout.rif and opening a ticket is the course of action to take. [/quote] We opened the ticket many weeks ago now. Each time it happens, we tell MikroTik and send a supout, they say nothing. It happens again, they tell us to install th...
by maznu
Wed Jul 01, 2015 12:33 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="pukkita"]Have not yet used CRS226 but per your comments it looks not enough stable to put it in production. [/quote] Very few people seem to be reporting this problem. Also, it is strange that the person who started this thread has the same problem with the CCR1009. We also have two CCR1009,...
by maznu
Wed Jul 01, 2015 12:29 pm
Forum: General
Topic: Leap second bug present on TILE devices?
Replies: 49
Views: 10325

Re: Leap second bug present on TILE devices?

Two CCR1009-8G-1S-1S+

Both v6.27 with v3.22 firmware.
Both with "ntp" package installed and enabled.
Both with "NTP Server" enabled.
Both with "NTP Client" enabled and syncing to (different) NTP servers.

One crashed at 23:59:60.
One running ok.
by maznu
Wed Jul 01, 2015 12:24 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="pukkita"]A general preventive measure with routers behaving weird, especially due to previous bugs, is a reset to no defaults (exporting the configuration to an rsc file before), then reloading the configuration to make sure all gets initialized correctly. [/quote] Have done that. Have also repla...
by maznu
Wed Jul 01, 2015 12:14 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

Sorry, we update the firmware at the same time as updating the software.

All on 3.22, which is the most up-to-date for CRS226.
by maznu
Wed Jul 01, 2015 12:09 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="pukkita"]Make sure firmware is updated.[/quote]

That's not helping, pukkita. 6.27, 6.28, 6.29, 6.29.1, and 6.30rc22 all seem to have the same problem.
by maznu
Tue Jun 23, 2015 11:02 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="105547111"]It included the supout that shows a clean reboot then 9 hours later all the ethers in use cycled :-) [/quote] Oh dear. I guess I will be saying the same thing in a few days' time, then. I hope our supout files help, at least! Our ticket is #2015052766000629 (opened almost a month ...
by maznu
Tue Jun 23, 2015 12:25 am
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

[quote="105547111"]I'll keep you posted; it will NEVER go 24h. Stay tuned![/quote]

Thanks - and good luck! :)
by maznu
Mon Jun 22, 2015 11:36 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

We replaced the CRS226. After five days: the same problems.

We have been told by MikroTik support to try 6.30rc22. We will install this tomorrow, and test for another six days.
by maznu
Mon Jun 22, 2015 11:20 pm
Forum: General
Topic: CRS226-24G-2S-RM ether drops intermittent
Replies: 50
Views: 8938

Re: CRS226-24G-2S-RM ether drops intermittent

We have had the same problems with the CRS226: http://forum.mikrotik.com/viewtopic.php?p=485373#p485373 We even tried a different CRS226, but after 5 days and 16 hours, the same problems: all ports go down for a second, then come back up. Another 20 minutes later, they all go down for a few seconds,...
by maznu
Wed Jun 10, 2015 7:03 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

…and today, after about six days of uptime, a kernel failure.

16:50:22 system,error,critical System rebooted because of kernel failure
16:50:22 system,error,critical router was rebooted without proper shutdown
by maznu
Mon Jun 08, 2015 6:27 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

After 5 days, 17 hours, v6.29.1 has had the same problem: down up down up.

15:39:15 interface,info ether01-mmr link down
15:39:15 interface,info ether02-mmr link down
15:39:15 interface,info ether06-mmr-metronet link down
15:39:15 interface,info ether21-mmr-exa link down
15:39:15 interface,info ethe...
by maznu
Tue Jun 02, 2015 11:47 pm
Forum: General
Topic: [feature request] Graphing PINGS to IP address
Replies: 10
Views: 2745

Re: [feature request] Graphing PINGS to IP address

FireBrick routers could be one to take some inspiration from: when used as an LNS for ADSL, they will send an LCP ping every second to every device authenticated to them, and record latency for each device. That might be overkill for smaller MikroTik devices, but how amazingly useful would it be for...
by maznu
Tue Jun 02, 2015 8:06 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

[quote="chechito"]have you tried 6.29.1??[/quote]

Not yet, no... it took three days since installing 6.29 for the first down/up flaps… guess we'll have to give it a go, and hope to hear something back from MikroTik on ticket #2015052766000629
by maznu
Tue Jun 02, 2015 10:31 am
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

[quote="maznu"]MikroTik suggested we upgrade to 6.29. So now we're running v6.29 - it's only been 10 hours so far... but seems ok?[/quote]

Alas, yesterday our CRS226 - running v6.29 - flapped all its switch ports 5 times.
by maznu
Tue Jun 02, 2015 10:29 am
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

No joy. Yesterday...

jun/01 03:30:50 interface,info ether02-mmr link down
jun/01 03:30:50 interface,info ether23-wap1 link down
jun/01 03:30:50 interface,info ether01-mmr link down
jun/01 03:30:50 interface,info ether06-mmr-metronet link down
jun/01 03:30:50 interface,info ether21-mmr-exa link down ...
by maznu
Fri May 29, 2015 1:08 pm
Forum: General
Topic: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?
Replies: 26
Views: 2777

Re: CCR1009: ether1 through ether4 sporadically drop then instantly come back up - switch chip problem?

We had a similar problem with a CRS226 running v6.27. All 24 ports would flap for a few seconds down/up/down/up/down/up, randomly between 8-36 hours. We tried v6.28, but other bugs caused even bigger problems, so we downgraded to v6.27. MikroTik suggested we upgrade to 6.29. So now we're running v6....
by maznu
Fri May 29, 2015 12:47 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

Re: CCR226 2S+ v6.27 all ports flap

MikroTik support suggested we try upgrading to v6.29. 10 hours, no flaps. But it's still too early to be sure - the port down/up/down/up we saw was random between 8-36 hours...!
by maznu
Wed May 27, 2015 6:37 pm
Forum: General
Topic: CCR226 2S+ v6.27 all ports flap
Replies: 11
Views: 2030

CCR226 2S+ v6.27 all ports flap

Hello! My first post on the MT forums is a problem... :( We have this switch, running 6.27 (downgraded from 6.28 which was buggy). For about one week now, randomly (every 8-24 hours), the switch takes all the ports down:

14:01:11 certificate,info CRL updated for cert_3
16:15:22 interface,info ether0...