MikroTik

sri2007

this is becoming important, today we found a problem with an eBGP peer with a Huawei or Cisco router at the other end, the debug process shows that they're receiving the cluster-list & originatorid as part of the BGP attributes, which by default makes them discard the routes. example (from my la...

sri2007

Default Route Received =========== > ip route print Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit # DST-ADDRESS PREF-SRC GATEWAY DISTANCE 0 ADb 0.0.0.0/0 74.50.211.9 20 1 Db 0.0.0.0/0 123.253....

sri2007

HI the only way of achieving that is with some Traffic Engineering tunnels at RouterOS. I've tried to deploy ECMP with LDP using a similar idea with two AirFiber 5XHD in a load balancing scenario and it didn't work.

sri2007

Yeah, actually the only way of achieving something similar to ECMP is with VPLS + TE tunnels, a real ECMP is not possible with RouterOS, I think that some other vendors allow that, but with RouterOS is not doable, actually that's my limitation to deploy LDP in my network because ECMP is a must.

sri2007

as far as I understand, OSPF doesn't work in that way, the OSPF interface cost is only added at the routes advertised (out); usually a broadcast or a PTMP network-type is configured between several routers at the same node, and you'll need to consider that in a broadcast OSPF will chose a Designated...

sri2007

If you have a couple of MT's and two different providers then it will be the best solution to configure them in an HA design, and it depends on some others factors in your network to build an active/active solution, we can build that using BGP (easy way and some load balancing to advertise some pref...

sri2007

Hi!! Can you please help us with a drawing for that solution? I'm wondering if all of those PPPoE Servers are directly connected to the core router and you're using iBGP as routing protocol between those routers??

sri2007

It depends if your iBGP routes are originated within your own AS; or do they come from a different AS??

sri2007

Ok - next question is re-adjacency – with OSPF can take up to 5mins will iBGP be the same How many routes and routers do you have and what OSPF network types are you using - boradcast, point-to-point, etc? We have just short of 800 routes with over 60 routers, ospf type is mostly PTP Then your answ...

sri2007

You can do that by increasing the local-preference to your prefixes learned from the ISP2 -> but it will affect your entire network by electing only the uplink through ISP2

//routing filter add chain=isp2-in action=accept set-bgp-local-pref=1000

sri2007

MTU could also be an issue here. How are you using EoIP? Is it just native EoIP or is it running inside another tunnel i.e. PPTP or L2TP? If the latter, absolutely only use L2TP as thats the only UDP based VPN that MikroTik supports at this point in time Either way i'd manually set the MTU to 1500 ...

sri2007

What I did was to add to the NAT rule: protocol=!ospf So, an example src nat rule may look like: add action=src-nat chain=srcnat comment="my new nat rule" protocol=!ospf src-address=192.168.88.0/24 to-address=192.168.1.11 This really threw me for a long while - If there is a better way to...

sri2007

Seems like the config side is ok, what I'll suggest you to check are two things, are you able to ping the remote tunnel destination from the Mikrotik / cisco? if that doesn't work, you'll need to check your routing table, if it works -> do you have some firewall rules configured at the Mikrotik side?

sri2007

Yes you're going to need to split your network in multiple areas, a couple of months ago I was experimenting the same issue, all of my network (like 350 routers) were configured in a single backbone area, and the amount of LSAs was massive, that implied when a single path goes down, that update was ...

sri2007

Sounds interesting, can you post the BGP config & routing-filter configured at each edge server?

sri2007

It depends of the amount of traffic that you're moving, for a standard configuration (NAT, a single simple queue, BGP, OSPF, 30 firewall rules), a single RB3011-UIAS-RM can work up to 400Mbps with peaks of 50-60% of CPU, if you want more than that you can try with the RB1100AHx4 (throughput of about...

sri2007

Hello everyone, actually I've never seen that issue in 6.44.5 long-term again, I agree that the best solution is use point-to-point interfaces specially between routers, I'll use ptmp interfaces only at special occasions where there are lots of routers who try to establish adjacencies between them.

sri2007

yes the switch does support link aggregation, for balance XOR do I have to configure on both ends, how would it know to aggregate upload? Thank you. No prob! Just a quick question, what's the model / vendor for the switch ?? If that's a Mikrotik then it will work with BalanceXOR at both sides, if n...

sri2007

Thank you, I had tried bonding rr, may be i configured it wrong, as there was jitters and some people could not pay ps4 online games. as they started to freeze in between. No prob! I've always tried with 802.3ad or Balance-XOR, those modes with layer2-and-3 hashing algorithm always gave me good res...

sri2007

Yep, that's true, but for me if I see the uplink moving 1Gig of traffic and there's no 10Gig interfaces, best solution will be deploy a bonding of 2-3 interfaces, so the load is going to be load balanced over all interfaces and you omit the hard part of working with two or three different layer2 dom...

sri2007

Actually, a few months ago I tested a CCR1009-7G-1C-1S+ in a really high temperature environment, it was working fine with 80 celsius degrees, and it started to reboot when the router was going over 85 celsius degrees aprox, the log that it showed was rebooted because of high CPU temperature reached...

sri2007

Hello, I've never seen that before, but just to be sure that your FNA is getting the prefixes, there is a way at the FNA partners portal where you can check all of the prefixes received at the Facebook servers (insights tab). Also can you share your filters please? Have you tried by doing a resend a...

sri2007

Hi, if you want to check your advertisements, please check the results of the command: /routing bgp advertisements print If the results aren't ok, you'll need to talk with your provider if they're allowing your public subnet at their filters and you can check that by using any looking glass provider...

sri2007

Hi, if you want to keep it at OSPF, I'll use a new area solution, so each branch office is a different area and your HQ is at backbone area (0.0.0.0), and you can use some area-range commands to summarize LSAs from backbone area to any remote areas, and also those new areas may be a stub or nssa are...

sri2007

Hi, the best solution (if your switch allows you) is to configure a bonding using 802.3ad or balance-xor, it will do a load balance of your traffic over 2 or plus (8 at max) interfaces. If you want to configure a bridge, I'll double check that the layer2 domain won't cause any loop.

sri2007

+1 Yes please! The load-balancing feature is the only one fixture that stops me to deploy MPLS in my network

sri2007

+1 please, that may be a good idea to find statistic information about a device

sri2007

Hello everyone, the code is actually working in RouterOS 6.43.16; but if you want to add a biggest message, you'll need to add %20 instead of a space; so please update the Wiki.

New code from text:

text=Time:%20[Time];%20Device:%20[Device.FirstAddress];%20Status:%20[Service.Status]"

sri2007

:shock: yep you're right... seems like that allow rule that I've configured in my firewall is useless :( ; however there's a new way of blocking neighbors directly at the /ip neighbors discovery-interface, using interface-lists, the steps are first add a new list named as you want (deny-mndp, it's m...

sri2007

No prob!! I think that this is the idea of the forum :) But, yes.. I can't believe it yet, it's been like a week that we did that change and the network has stay stable, interesting point here, I do have some GRE tunnels between cities, with a lower MTU and RoMON enabled before and it still was work...

sri2007

Hi everyone, or at least who read this before and had no idea about a solution; I think that we found the real issue, it was related to RoMON; we had that fixture enabled in our entire network for a long time (when we were using the default L2MTU) and it keeps running with the part of my network wit...

sri2007

+1 I'd like to see that new action too.

sri2007

That's because your mixing concepts, a VLAN is in a layer2 domain, and VRRP is in layer3, what that means is that you can create different VLANs interfaces facing your switch, and configuring VRRP over the VLAN instead of the VLAN over the VRRP.

sri2007

and i have Connection Tracking and setting Routing-Marks ...
And for some reason you haven't shown us any of that, so we have no idea what's happening...

x2!

sri2007

I think that best way of achieving your goal will be deploy OSPF at your network, at redesign everything to /30 WANs. But, the main question here will be how will your remote CHRs be connected to your couple Central routers??

sri2007

Hello, yes you can set communities using RouterOS easily, those can be done using route-filters, you can check that here:

https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters

Summary version, there is a set-bgp-community & append-bgp-community that can work for you.

sri2007

Hello! I've configured that solution before ant it works, you'll need to set up iBGP inside your network and all of your Edge routers with a route reflector in the middle with OSPF as IGP and it can works, also you can try your scripts at EVE-NG or GNS3, that works for me when I have some weird idea...

sri2007

Hi!! I've tried that before too, same result, the default route suddenly disappear, I've changed that to a multi area solution without stub or nasa area type in the middle and everything went fine.

sri2007

Hi!! Seems like we're not able to use the export to a file either

the result is truncated too.

sri2007

Hello!! I think that you should think at the forwarding traffic too, a CCR1009 can handle easily like 4Gbps of traffic if you disable the connection tracking and configure this router as an edge router only, which means BGP / OSPF (probably as the IGP) and that's it, it works really nice!! I've play...

sri2007

millenium7, if your WISP grows enough you'll see that an OSPF structured design combined with BGP is a great advantage, I've seen so many networks that grows in many directions became really unstable You can't always structure it the way OSPF wants you to due to its inherently restrictive enterpris...

sri2007

Got you, then you won't be able to do a load balancing using OSPF or any other protocol between you and your providers, best solution will be PCC, or a most interesting design doing the load balancing based in nodes, like node a is going to be nated only by provider A; and if that goes down, that no...

sri2007

At only 7 sites in and 250 routes, we are already looking for a new solution before we grow out of control. The concept of Area0, no area-to-area communication (must go through area0) and all area's must connect to 0, no ability to summarize except at ABR's is just awful for WISP design where the n...

sri2007

Hi!, i don't think that OSPF is designed to be used between service providers, if you want to do that, we'll need more info to help you, basically two main questions; 1. Do you establish any BGP peer between your providers and you?? or 2. Do your providers assign you public IP addresses and your rou...

sri2007

No prob amt! Actually I don't have issues related to ECMP, I think that OSPF do the load balancing per connection, and I don't care if the traffic is symmetric (same interface in/out), in my tests the only inconvenience is when my customers need to to a classic bandwidth test using speediest.net, so...

sri2007

Hello everyone! Hope you can help us, and I want to check if I'm wrong or the RouterOS has a bug (currently using 6.42.12 long-term) Our topology consists in like 350 routers deployed around the country, and it's working with OSPF (multitarea) + BGP; everything was going fine, except when we got the...

sri2007

It depends on the ccr1009 model. Not all shares the same block diagram

Enviado desde mi Mi A2 mediante Tapatalk

Got you! thanks!! I've tried that with the CCR1009-7G-1C-1S+ using the 6.42.12 long-term version.

sri2007

Hello Brough, answering your questions: Actually, we're handling like 200 wireless links (Airfiber 5XHD / AirFiber24X / Netmetal) deployed around the country, and found an interesting problem in RouterOS, that problem was caused by a L2MTU mismatch (I don't have the reply from the Mikrotik suport te...

sri2007

ECMP load-balancing works great too, it's my best solution to deploy a 20gig ring between two cities in the country, or even to aggregate some wireless links (using AirFiber 5xHD) to add them as a single port to increase the total throughput of that node. do you use any mangle rule while using ecmp...

sri2007

The load balancing scenario that you're looking can be accomplish using those prepends (recommended by ahmadzai), but it can be done by publishing a most specific prefix by one provider and a summarized version of that by the other (as example: 1.1.0.0/24 advertised to ISP A / 1.1.1.0/24 advertised ...

sri2007

Hello, the best solution for you will be deploy different VLANs to connect each wireless link; so you'll need to configure the addressing into the VLAN interface directly and the OSPF cost will be attached to that vlan too.

sri2007

Wow, that's interesting, but I've done those bondings using the balanced-xor mode instead of 802.3ad using the first 4 ports of the CCR1009, that config works great it goes up to 3.5Gbps (real traffic) being forwarded between two Mikrotiks (CCR1009 + CRS326) -> that's because the lack of 10gig ports...

sri2007

Actually what sindy told you is true, L2TP & OpenVPN are two totally different protocols, so you'll need to chose one and configure the server and client with the perfect protocol for you, based in my experience, the best server is OpenVPN, it's easy to deploy, it's safe if you add the right SSL...

sri2007

Hello guys!! I think that I'm the one who can help you, currently my network is like 350 routers which were deployed under the same backbone area, that network is actually moving like 30gbps of traffic in a Mikrotik only architecture (at the routing level), the entire BGP/OSPF network is actually mo...

sri2007

It is a known problem that virtual link does not work properly in ROSv6.

Hello mrz, do you know if the issue with virtual link is still present at the last version of ROSv6?

sri2007

Hello, you should be able to distribute the default route using the default-originate option at the peer configuration (if you want to distribute that default route every time then choose always; and if you only want to send that route only if the router receives the default route from a provider th...

sri2007

Hi I currently have that network running successfully without issues related to asymmetric traffic flow. And totally I recommend you to disable connection tracking it will totally improve your router behavior, just be careful if you're using NAT or any firewall rule related to tracking (like matchin...

sri2007

ohh, ok got it... so the main question here will be, does the router B have interfaces assigned to each area (I mean area 0, area 1 and area 2); or only each PowerBox has one interface at the backbone area and the other one in the default area? The rule is that only the ABR (area border router) or t...

sri2007

Hi, can you help us bu posting the filters for each prefix? and the peer configuration too?

sri2007

HI! I think that the best solution for you will be to work with both protocols in a recursive way, I mean, you'll need to set up OSPF for convergence and loopback distribution only, it won't announce any public IP on it, so you can set up an iBGP session between each router to the RouteReflector (us...

sri2007

HI! if you're trying to summarize routes using OSPF, then the PPPoE server will be the ABR (area border router) or ASBR; but you'll need to standardize your subnets, as example PPPoE 1 will have clients at only one range (a.e. 172.16.0.0/24); then you can do a redistribute connected and the add a su...

sri2007

hello! If you have already an IPSec Site-to-Site between Google and your Mikrotik then I think that you'll need to create some special routes using policies and rules to reach the remote server, theoretically I think that it is possible, however can you please post the configs at both sites?

sri2007

Hi! I think that you'll need some routes between your devices, can you upload a simple diagram of your network? it may be easiest to understand your problem.

sri2007

Hi, if you're experimenting that i'll check the layer2 domain of your network, is the PPPoE server and the DHCP server running on the same router ?

sri2007

Question for you - for that 'switch stack', is it a single switch or a group of switches in some kind of failover configuration? I am using a single switch at this point, a CRS326, as I am still testing. The idea is to add failover once I get it working. Hi! Well, we've developed this design by usi...

sri2007

Well that works, but I can tell a new solution for that issue, at the router add as many bridges as providers, then add only VLAN 1 to bridge 1, VLAN 2 to bridge 2 and so on, what’s the idea, if you set up a bridge interface you can manually change your MAC address so it will work too. I’m assuming ...

sri2007

Hi! I thing that the best solution for you will be testing this new drawing, it's one of our most stable and scalable designs that we've done before. And checking your things: First one: Few things: 1: I had routing loops due to default route problems in ibgp, moving default routing to ospf sorted i...

sri2007

Hello, do you have any firewall rules enabled? The first step for me will be testing that you can reach the remote router by sourcing the local side of that tunnel, if you can do that, then I'll configure that IP as local-address on each GRE tunnel, then you'll need to double check if there is any r...

sri2007

Thank you sri2007. Your post made me realize that I was on the right track. I could not get it working with a Router connected to the modems, so I took your advice and connected a CRS switch, and used SwOS to set up the VLAN access ports and trunk, and it all worked out very well. Thanks again. Set...

sri2007

Hi stoser, I'll use a switch in the middle to connect all of your modems (providers), then I'll assign them a single VLAN in access mode and then you'll need to setup PPPoE client interfaces at the Router A only and it will work. Check this image, it's one of our most successful designs that we've b...

sri2007

Hi

@sri2007
Your link did not get trough, so it does not work.

@Jotne, sorry for that, it's fixed now.

sri2007

Hi, check this URL:

https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

sri2007

Hi, check this URL:

https://wiki.mikrotik.com/wiki/Advanced ... _Scripting

sri2007

Setting up iBGP: Simply define BGP peers between the two routers with update source being set to the router's loopback IP. That's the most easy way of doing this, you'll need to enable OSPF as the IGP protocol to distribute the loopbacks interface and then you can configure iBGP between them, and a...

sri2007

Theoretical.
If you dont need this route at R2 you should filter it in inbound filter on R2 _and_ this route has to be external.

That means that this route needs to be originated by an ABR (Area Border Router) or an ASBR (Autonomous System Border Router).

sri2007

Hi! According to some vulnerability issues who are coming popular these days, I thing that configure some firewall rules at the input chain is a must, if not, you're Mikrotik will be really easy to compromise using some exploits.

sri2007

The Question have been answered but one could put it this way. Say this "number" is just a number. Sure it looks like an IP'adress. BUT for analogy think of it as a Color value. When routers have only few links this is what think and call SIMPLE OSPF network. the reson for this ID is not ...

sri2007

Hi, yes that's how local pref works, if you want to set some priority at the router without passing that to the entire iBGP network, then you can use weight.

sri2007

Hi, I'll try to upgrade the RouterOS into the most stable bugfix version.

sri2007

Hi, I think that you'll need to do some filters at the output chain by setting some BGP attributes and only allowing a single default route as filter in the input-chain, that will work for you.

sri2007

Yep, you'll need new firewall rules at all of your sites who have any public IP address configured.

sri2007

Hi!! the craziest network that I've seen is about 700subs in a flat bridged/switched one... but we really recommend to everyone move into a routed network instead of a switched one, by using OSPF with BGP, you can configure OSPF as an IGP which can handle everything related to convergence, load bala...

sri2007

Hi, are those in the same area, can you help us with the OSPF config for both routers?

sri2007

Hi, I think that you'll need to double check the administrative distance for the default route learned from each ISP, if that's an eBGP then it should be 20 instead of an iBGP distance of 200.

sri2007

IP MTU < MPLS MTU <= L2MTU.
1508 < 1550 <= 1598

are my values wrong here?

thanks,

Not really your values are fine... My fingers are wrong haha

sri2007

Hi, actually there is a rule using different MTU values, IP MTU < MPLS MTU <= L2MTU.

sri2007

Just setup your iBGP peers with same AS number.

Yes that will work, i'll also include an OSPF design as an IGP, and also establish the iBGP sessions using loopbacks instead of WANs.

sri2007

Hi alfredo, there is also a different way of improving the BGP convergence with mikrotik v6; and that's using CHR hosted by servers, you can take a look at this idea in the following link:

https://mum.mikrotik.com//presentations ... 817868.pdf

sri2007

Hi, you don't need to disable the BGP session...

The purpose is to temporarily run single-homed to get a fast boot time. Will filtering still achieve this?

Yes they do, you'lll need filters at the input-chain of that BGP peer by allowing only the default route and discarding everything.

sri2007

Hi, according to my experience at 10Gbps DAC, some cables are standard by brand, if you want to connect the mikrotik with an Intel PC, it will probably work; if you're trying to connect different mikrotiks using that DAC the it will definitely work, however if your idea is to connect to a different ...

sri2007

Hi, you'll need to create some filters discarding everything except the default route, here is a link that you can find information about it:

https://wiki.mikrotik.com/wiki/Manual:R ... ng_filters

sri2007

Hi, yes i think that is possible, but only using VPLS tunnels in the middle, if you want to add another header stage like L2TP/IPSec and PPP it will decrease the MTU by default.

sri2007

Yes there is an option who removes the private AS: remove-private-as (yes | no; Default: no) If set, then BGP AS-PATH attribute is removed before sending out route update if attribute contains only private AS numbers. removal process happens before routing filters are applied and before local AS num...

sri2007

Hi, have you tried to disable the /ip firewall service-port sip ?

sri2007

Hi, i've seen that log before and that's because there is an issue in the OSPF topology, which may be probably be originated by a router with a duplicated IP address, or by a misconfigured OSPF design. Can you help us with more details of your network.

sri2007

Hi, you can access to the files folder using FTP; like ftp://x.x.x.x (i'll check that the ftp service is enabled at the mikrotik)

sri2007

Yep, for me too was imposible to accomplish this using SwOS... the LACP was formed but the load balancing wasn't working so the entire traffic was using only one interface. Then we moved this to RouterOS 6.41 which supports bonding using hardware, and it worked fine, until now...

sri2007

hi, which Mikrotik hosts the Dude Server? Does it have a license installed?

sri2007

Hi, i think that you'll need to config MPLS over the entire network, which includes your Core routers, if you set up a GRE tunnel, and then the VPLS over that GRE, the header can be so high and that's why you're experimenting that slowness.

sri2007

Hi, I think that I'll try to configure that access point as a bridge instead of router, so you can have everything in the same subnet, which is enough for a home use. But if you want to keep that AP as a router, then yes it's possible to do that, but the main questions will be if this Mikrotik is NA...

sri2007

Yes it's really common that some firewall rules drop the hellos for routing protocols, but I've seen some NAT rules that can do the same too by masquerading the packets into a different address.

sri2007

Hi.. and also if you want to take a look a deeper view of the packet flow through RouterOS, then you'll need to check this link:

https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6

sri2007

Hi, I'll double check if this router has any NAT rule configured... and check if this NAT rule is not masquerading the OSPF hello packets.

sri2007

Hi, I think that your problem is related to the OSPF filter that you're applying. /routing filter> export add action=accept chain=OSPF-IPv4-Route-Filters distance=200 prefix=192.168.0.0/16 prefix-length=16-24 add action=discard chain=OSPF-IPv4-Route-Filters [admin@crs1.kmp1.domain.net] /routing filt...

sri2007

Hi, I think that you’ll need an external server with a Public IP address on it, but it’s probable that this dorm router block any VPN packet. So can you test if this works:

http://www.superfreevpn.com

sri2007

Hi welcome to Mikrotik world! I think that you can have all of the information related to VLANs in the following link:

https://wiki.mikrotik.com/wiki/Manual:Interface/VLAN

sri2007

Well, you can configure an entire OSPF scenario without any NAT in the middle... you can also do a load balancing scenario with ECMP (Equal Cost MultiPath) but everything is related with OSPF, I think that you'll only need to find the perfect design with the exact costs at each interface.

sri2007

Hi, what kind of VPN are you configuring??

sri2007

Hi, if you have three different PPPoE Clients at your Mikrotik, I think that you can't aggregate them as a single link, the idea of a bonding is to add physically similars ports (like two or more ethernet interfaces) to increase bandwidth by doing load-balancing based on layer2 or layer3 information

sri2007

Hi you can accomplish this by using simple queues at your Mikrotik, check at this link for more info about them

https://wiki.mikrotik.com/wiki/Manual:Q ... on_Example

sri2007

Hi, if I'm understanding you, you're trying to configure an OSPF Traffic Engineering solution? If not, I'll check the costs in the entire topology, and probably remove any static route in the middle...

sri2007

mmm yes you're right.. also I found a different way, but you'll need a L2TP or PPTP server on the other side.

sri2007

There are several ideas; but the most stable ones that I've used before are: OpenDNS (208.67.222.222 & 208.67.220.220); Level3 (4.2.2.1 & 4.2.2.2) ; Quad9 (9.9.9.9 & 149.112.112.112)

sri2007

Hi, I think that you'll need access to that Dorm router, if that's the one who has the public IP, then you'll need to do some port-forwarding to your own Mikrotik.

sri2007

I think that there are two different domains being confused here; if want to split your collision domain, then just add all of your interfaces in a single bridge (collision domain is related to layer2 networks, where in the old times there was a HUB in the middle, so the collision domain was shared ...

sri2007

Hi I don't think so, nowadays there is a new version which allows you to do lots of stuff using hardware (RouterOS 6.42.x) that's really easy to manage and it allows you to do some stuffs with software too (just keep in mind the CPU limit at really high speeds). Check this link: https://wiki.mikroti...

sri2007

Hi, quick question... are you trying to reach the APP using any DNS service in the middle? If not, try to add a new NAT rule, instead of using masquerade with an out-interface, you can use a src-nat, by matching the server dst-address.

sri2007

Or maybe the next solution will be to re-design using WANs only instead of loopbacks, at least until RouterOS 7 arrives

sri2007

Hi! You may be able to configure some bridge-filter rules too:

https://wiki.mikrotik.com/wiki/Manual:I ... e_Firewall

And also, if you're configuring bridges, and you want to filter something, you may need to disable fastpath.

sri2007

I really depends on your design... there are so many different scenarios where loopbacks are included, and one of most important ones is to deploy iBGP between internal routers, where the loopbacks are really important. I use loopback interfaces at backbone areas but if use another area with area-id...

sri2007

Hi Bernarda, there are different ways, but you'll need a public IP address in the edge router, then you can enable a VPN server or just port-forwarding, and it will work.

sri2007

Hi, depending on your design, but most of the times I'll choose to use the same area for all of the subnets configured in a router.

sri2007

Good morning, usually those subsides messages means that the BGP session is finished by the remote router, have you considered increasing the timers, in the configuration lines I'm not watching that you're not configuring the keepalive timer, that may be a probable reason why your getting this code,...

sri2007

Hi! Is there any dynamic routing protocol between your providers and your router, probably BGP??; If not, and you're using only static routes, there is an option called check-gateway, where you can configure kind of smart static routes, where the router is always pinging the destination address, and...

sri2007

Cool!!! That's great!!

sri2007

It really depends on the network design, because if all your customers behind the PPPoE will be whithin the same subnet (/24 with several /32), then you only need to advertise the /24 with an aggregate or network command. If not, then I think that there is no other way than redistribute connected

sri2007

Hi, yes, it should be the same idea, however if you're planning to use recursive routing complemented with BGP it will probably not work so good, I think that's a bug with Mikrotik.

sri2007

Hi! I think that proxy won't work with HTTPS, it can break all of the security stuffs behind HTTPs and its probably that your browser detects a false positive man-in-the-middle attack.

sri2007

Also, are you able to access to those ports internally from any connected PC? Do you have any packet match in the Mikrotik rules? You can also enable log messages for those rules and test if packets are coming and if they are being translated.

sri2007

Hi, just disable SPT (set to protocol=none)... but I guess that your wireless link configuration may be blocking something, according to your network diagram (everything in the same bridge), if the ospf connection goes down it shouldn't affect the reachability of your network devices between the sam...

sri2007

I think that you'll need to move to OSPF instead of RIP, nowadays OSPF is the industrial standard for dynamic routing and depending on your network, it can work with BGP too

sri2007

HI: But I recommend to you to redistribute PPPoE global addresses with BGP tools. Manage OSPF only for your core network as a transport protocol to redistribute ptp links and your loopbacks That's absolutely true... the most scalable way of advertising networks is with BGP working as an EGP and OSPF...

sri2007

Is your Router able to reach the internet? does it have any DNS configured?

sri2007

If your server is at home, and you really want to use a public IP configured at the CHR, then I suggest an EoIP or GRE tunnel between your CHR and a home router, if not, then the L2TP VPN may works with private addressing, and then you'll need to do some dst-nat / src-nat rules at the CHR.

sri2007

Got you, that seems like the AirFiber is blocking something in the middle, are they configured as bridge? Do you have any diagram that you can upload here? I just need to understand the Layer3 / Layer2 diagram between both routers and both AirFibers... do you have any log related to bad ethernet neg...

sri2007

Hi, I think that you'll need to check if your switch support layer2 MTU higher than 1530bytes, usually everything related with MPLS seems to be related to MTU, just remember there are 3 types of MTU: L3MTU, MPLS-MTU and L2MTU; and it must follows this order: L3MTU < MPLS-MTU <= L2MTU

sri2007

Until now, I think that the we can do it with some kind of scripting in the middle, which may be sensing lot of parameters, that's only an idea, I've never did that before, but the Transit traffic with unbalanced circuits worked great for me, I've configured that before between 3 circuits, and yes, ...

sri2007

Interesting, you may be able to reach your remote wan interface from the local router (WAN1 -> WAN 2), do you have your timers configured with default values?

sri2007

Hi... that's correct, if your provider doesn't support communities, then you don't have too much work, however, have you tried to use prepends? if you're provider doesn't support communities, I think that its local preference value are default for everything (100), you'll need to double check this w...

sri2007

Quick question, are you able to reach via Mac-telnet your remote router?? Or do you see that remote router as an LLDP Neighbor (/ip neighbors print) ??

sri2007

Hi, there is also a fixture called filter under bridge that can be used for this. Please check at this link to find more info: https://wiki.mikrotik.com/wiki/Manual:I ... e_Firewall

sri2007

So, there is any option to reach a external peer using the same upstream that they are using to reach me. I have 2 upstreams: Adamo + Telefonica If RETN is reaching me using Telefonica, why my mikrotik is reaching RETN via Adamo? That's telling me that your Mikrotik has a most specific route to rea...

sri2007

MPLS cloud must have only transit routes, not customer routes That's correct, you may need to use OSPF as an IGP which will be the one who can cares about convergence, load balancing, and loopback distribution, and BGP as an EGP distributing your LANs subnets or public blocks. That config is a base...

sri2007

I think that I can works with a script, but it will involve some work trying to figure it out which circuit is experimenting interference.

sri2007

Well, I'll try to setup up two RRs instead, and you'll need to configure network or aggregate networks at the PPPoE routers which are the one (I think that they handle a unique /24, is that right?, if you do this then you'll be advertising this public block to all of your routers within this network...

sri2007

btw, you can check this link for a most specific analysis too: https://mum.mikrotik.com/presentations/ ... 562405.pdf

sri2007

And you may need to check the Layer2 Switch in the middle too, i'd check if the plans are properly tagged and the port configuration is correct (between trunks & access)

sri2007

Hi, but you can work with OSPF and a kind of ECMP... please, take a look in this link: http://www.stubarea51.com/2017/05/27/wi ... gineering/

sri2007

Hi! In the core pope routers ( considering that those will be dynamic IP address), you can redistribute connected under BGP instance (if you have two separate networks (/24), and all of your customers in the PPPoE 1 will be within the same /24; then you'll only need to advertise the summarize versio...

sri2007

It's signaling other BGP neighbors about networks with some rules for them. Also BGP is path vector protocol, and it's not necessary to learn all topology like OSPF/ISIS. In Internet we don't need it. BGP can pass through many "families" of routes like l2vpn, l3vpn, ipv4 and ipv6. Also yo...

sri2007

HI, have you tried updating the RouterOS version ?

sri2007

But if you want to configure a load balancing scenario, OSPF works as an IGP (which supports ECMP), and you need to configure BGP as en EGP, so the OSPF is the one who cares about, quick convergence, load balancing and distribution of internal loopbacks, then you'll need some iBGP sessions between y...

sri2007

Hi:

Do you mean when your client goes in IP > NEIGHBOR and see your MAC and IP?
If that's it, you can disable the discover:
Code: Select all
/ip neighbor discovery set bridge-interface discover=no

that's true, and you can block those packets with a firewall rule too (LLDP works with UDP/5678).

sri2007

Hi ubikrotik: You'll need to double check if you have configured the entire parameters with OSPF, in order to keep your neighbors up, particularly with the timers (hello / dead interval ), i've worked with AF4x, AF5x, AF24x and i've never seen that behavior, you'll need to upgrade RouterOS and AirOS...

sri2007

Hi faast, what i will do is to avoid redistributions in the entire network, and you may want to work with OSPF as an IGP only for quick convergence, load balancing mechanism (ECMP) and distribution for internal loopbacks, the you'll need to configure BGP as an EGP an it will be only one allowed to m...

sri2007

I'll check if all of the path the MTU is configured right, as I told you before, there are three kinds of MTU, and you may setup as follows: - L3 MTU < MPLS MTU <= L2 MTU MPLS MTU can be configured with at least 1508bytes, and you may want to check if Layer2 switches in the middle can handle this fr...

sri2007

I think that I'll work with an EoIP or GRE tunnel between them.

sri2007

I've never seen that on any other architectures... but if you have designed your network with OSPF, then you will be able to prevent asymmetric routing (which by the way, in some situations works really great, as example when you want to send the upstream traffic over one link and the downstream tra...

sri2007

Seems, like you have configured different costs per interface under /routing ospf interfaces; if you're trying to setup ECMP, you'll need to create two interfaces with same cost between those routers, and please double-check at both sites, because you may have a load balancing for the upstream and a...

sri2007

HI MatthiasMerkel... I prefer to design an internal OSPF network which can route my whole network (this may be done with Layer2circuits / EoIP / GRE Tunnels between all DC), once that you have OSPF working, you are able to configure BGP as an EGP, so you can use your publics IPs anywhere and them wi...

sri2007

Hi rgear13, I think that you are experimenting some MTU issues, most common errors with MPLS are those, so i'll check that, remember that there are three kinds of MTU, L3MTU, L2MTU and MPLS-MTU, and that must be well configured behind the hole path. You may able to find some extra information at: ht...

sri2007

HI directlogic, well you have an interesting scenario... first double check the filters and check if you're receiving your new IPs from the 450G in the CCR, if everything is correct at that way, you will need to go to advertisements and check if this router is sending your new prefixes to your provi...

sri2007

Hi! I strongly recommend of using BGP for transporting your public IPs, but only as a complementary protocol keeping OSPF as an IGP within your network.

sri2007

Hi northboy, 1. The best idea is to use your OSPF network as an IGP and then complement this network with BGP (iBGP within your network & eBGP with your providers), then you can control the entire failover process (if a provider goes down or maybe one of your internal circuits goes down too), an...

sri2007

Hi, I'll probably double check auth password on both sides, and I could also check if I can see this remote router as a LLDP neighbor too, the only way that two VRRP neighbors won't become master/backup is that they are not able to communicate between them, there are firewall rules that can block th...

sri2007

Yep, you must need to check your NAT rules, OSPF is not the only that is affected by NAT, BGP does it too

sri2007

Hi,, I think that the best one to do this is a CHR hosted by VMWare or HyperV, please take a look of this video / presentation from MUM at Berlin:

https://www.youtube.com/watch?time_cont ... cgdGA1W_0o

sri2007

Hi zhangxiao:

I shall prefer the option B... If you're able to configure a firewall or nat rule with fewer posible lines, this firewall isn't going to affect the performance of your router

sri2007

Hi eonye.. here is the real answer for that error, this one is a reply to a Mikrotik Support mail: Hello, problem may arise if one peer looses connectivity and reestablish adjacency. In this case sequence numbers are not reset and your mentioned error may appear. Unfortunately there are no fix for t...

sri2007

Hello SwissWISP here is the real answer for that error, this one is a reply to a Mikrotik Support mail: Hello, problem may arise if one peer looses connectivity and reestablish adjacency. In this case sequence numbers are not reset and your mentioned error may appear. Unfortunately there are no fix ...

sri2007

Hello guys... here is the real answer for the OSPF & MD5 authentication error, this one is a reply to a Mikrotik Support mail: Hello, problem may arise if one peer looses connectivity and reestablish adjacency. In this case sequence numbers are not reset and your mentioned error may appear. Unfo...

sri2007

Hello guys... here is the real answer for that error, this one is a reply to a Mikrotik Support mail: Hello, problem may arise if one peer looses connectivity and reestablish adjacency. In this case sequence numbers are not reset and your mentioned error may appear. Unfortunately there are no fix fo...

sri2007

Hi guys!! We’ve worked with several CHR as eBGP routers, and those have a good performance, we also recommend to install an hypervisor because you can add any CHR that you require... however, while we wait for RouterOS 7 which may handle BGP in a multicore way, there are some extra awesome routers w...

sri2007

Hello! I believe that you can ping between those IPs is because you're behind a NAT router from your provider... And if that's true, you won't be able to establish an EoIP tunnel between these routers, the best way that you can get to install a vpn server / client is by using L2TP or PPTP or any oth...

sri2007

You can configure VRF on each interface, and with some route rules you can handle easily what you're trying to do.

sri2007

Hello, my first suggestion will be to try pinging each neighbor to discard any issues in that circuit. Is that a fiber or wireless circuit?

sri2007

Hello, from my experience the best way of doing this is by handling PPPoE Servers on each tower, but it really depends the amount of subscribers, because if you're trying to queueing 2000 of subscribers per router, then it'll experiment some high cpu peaks in a massive event (as example, some provid...

sri2007

You don't. Area is determined by ospf network configuration and instance is determined by area configuration. That's right, you need to configure the area under the instance that you need; then you can configure the network in the area that you configured before. Finally, need to see if the interfa...

sri2007

Hi, i guess that you're missing some config with the import-export route-distinguishers between both VRFs... Please post the VRF configuration to see if we can help you here...

sri2007

Hello, why are you configuring LAG ports as static? and the second one, to configure a LAG with SwOS it's like a LACP so it has some modes where those switches can negotiate the LAG port: Passive: Place port in listening state, use LACP only when it's countrary port uses active LACP mode Active: Pre...

sri2007

Hello.. The MTU is not able con be configured in SwOS, however, there is a table which helps to know if a CRS or CSS support jumbo frames. Actually, you can find it here: https://wiki.mikrotik.com/wiki/Manual:CRS_features and here https://wiki.mikrotik.com/wiki/Manual:CRS3xx_series_switches But to m...

sri2007

Unfortunately stacking is not available with Mikrotik Switches yet, however you can find that feature with other switches (FS, Dell); and those ones works great with Mikrotik Solutions. We've developed lots of WISPs with those switches.

sri2007

There is no problem with RouterOs in current version 6.41 as far as I know. Never se any cpu hit on it as long as you only do stuff that is currenty supported att the hardware offload (switch chip) level. Once you are in software the cpu's in the boxes is way to weak. In your use case. RouterOS 6.4...

sri2007

Hello, I agree with airbanduk; you need to configure two VRF in that router with two separate interfaces and you can get two different logical routers in the same physical router, this is called MPLS VRF Lite. Hola! Estoy de acuerdo con airbanduk, lo que debes configurar ahí es una VRF en el equipo ...

sri2007

Hi! I believe that the best option for using VPN is with router that support IPSec hardware encryption (RB750Gr3 for example) that one seems to be a small router but it it's a most powerfull one than the Rb2011.

sri2007

Hello! In the CCR it's really easy, as Here is what I do: On the firewall: (Assumes Ether2 is the interface you want to trunk. /interface vlan add interface=ether2 name="vlan1" vlan-id=1 add interface=ether2 name="vlan2" vlan-id=2 add interface=ether2 name="vlan3" vlan-...

sri2007

Hello tommo4:

You're experiencing a simple routing issue, as ZeroByte told you earlier you need to configure a new static route between your devices...

Can you upload any diagram so we can help you easily??

sri2007

Hi!!! I believe that it can work by configuring your Mikrotik and your network to work with OpenDNS, in that site you can block anything, and really need to do extra things in the Mikrotik, as for example, denying any proxy communication, denying any VPN port, denying UltraSurf and doing a dst-nat t...

sri2007

Hi!! We've created hundred of WISP around the world.. I guess that we've worked in every continent by developing Mikrotik Solutions (Wireless and Core Design)

sri2007

hello!! yesterday was a busy monday... 1. The RFC explicit saids this: "Usually, a cluster of clients will have a single RR. In that case, the cluster will be identified by the BGP Identifier of the RR. However, this represents a single point of failure so to make it possible to have multiple R...

sri2007

Actually, according to the RFC 4456 ( https://tools.ietf.org/html/rfc4456 ) it's a must, even when you configure a big network with multiple RR, then you can add different Cluster-IDs. One of the best practices is exactly what you said, each router need to be configured as a route-reflector client f...

sri2007

You need to configure both Route-reflector in the same cluster ID.

sri2007

Hello, we suggest to use a MPLS MTU of 1530bytes.

sri2007

Hello, if you already own a L2 PTP circuit between both locations, then it's as easy as understand that you have a simple cable between both routers, so you don't need to worry about any encapsulation to reach your remote location. Later you can create your own MPLS network over that circuit, and ev...

sri2007

Hello, by reading your post, it suggests me that you have a NAT issue, the best way to solve that is to know all of the ports wich Minecraft uses, i don't believe that the only port is TCP/25565? you can check that with any online port-forwarding tool, and also you can enable logs in the NAT rule wh...

sri2007

Hello, Mikrotik is still developing SwOS, that's why you dont see that port as trunk, however, in practice you only need to configure each VLAN into each physical port within the same LAG Trunk, don't forget to disable RSTP too. And it should be working, I've deployed that config in several CSS and ...

sri2007

Hi!! I don't recommend to move into RouterOS, because its probable that you'll experiment some issues regarding to a high CPU usage with high levels of traffic, the best way to do this is in a SWoS version, and you can configure any VLAN in the vlans tab, you can see this link in order to get more i...

sri2007

Hello, absolutely the best solution is about using EoIP tunnels, once I configured one of those tunnels between two CCR and the througput was 1Gbps (limited by the gigabit interface that i was using). I've made several test with jperf and bandwithtest and it was 1Gbps of real throughput, that tunnel...

sri2007

Yep, Dude has some issues related to SNMP, because it works in a 32bit world, however if you're using any RouterOS device, you can configure the mastering port to use routeros instead of snmp, and everything works greats, the port speeds are accurate, then conf is like this: bgp port routeros1.JPG A...

sri2007

Hello!!! I've used Dude v6 with about 40 maps and 200 devices (routers, switches, access points, DVR, servers) and it works great, it's configured with SNMP, RouterOS, PING and DNS probes. Yes it has some isues (most are easy and you can find solutions in the forum) but in general The Dude is workin...

Search found 206 matches