MikroTik

uCZBpmK6pwoZg7LR

It is not entirely true, PE can still be protected and client behind PE as well. Only thing that you cannot do is destination nat on traffic from MPLS cloud to CE. DNAT to local interface(bridge assigned to vrf works) "works" is too loud word in that case, at least it reach PREROUTING, FO...

uCZBpmK6pwoZg7LR

Thank you very much for your concerns and bringing it up to the attention. v7 is now using new linux kernel with proper VRF implementation, which of course will lead to completely different operation principles. VRF has its own vrfinterface which is used as a loopback for all the traffic that needs...

uCZBpmK6pwoZg7LR

I can say even more since ros 7.14 it will be no firewall in PE routers . PE-CE segment will be not protected. will be not possible to SNAT and DNAT VPN4 traffic on PE router.

uCZBpmK6pwoZg7LR

Hi guys. I think it is time to move that to public. We started to worry about future of mikrotik. Look like that they lost their leading developers who understand network technologies. In October 2023 i reported to mikrotik problem that VPN4 packets from MPLS interface to VRF marked in firewall as p...

uCZBpmK6pwoZg7LR

- There are no known problems with VPNv4 and route reflectors. There is a known/not yet fixed problem with VPLS and route reflectors.

What about silent firewall ignore on CPE for traffic which came from VPN4 to VRF (SUP-141699) ?

uCZBpmK6pwoZg7LR

1- v7.14 is still in beta
2- I'm having a similar problem with static routes in VRFs: viewtopic.php?t=202612&start=300#p1051523

try to use ipaddress%inface@table

uCZBpmK6pwoZg7LR

ROS 7.14 very nice. Now firewall for VPRN traffic to VRF on CPE mikrotik routers just completely and silently ignored . DNAT to VRF also don`t work.
Well done.

uCZBpmK6pwoZg7LR

Care to share how much MPLS traffic you have at peak and is it in tile arch?, we have a pilot MPLS implementation base on v6 (mpls atom/pseudowire) in one of our PoP and just running < 500mb at peak In excess of 20Gbit worth of L3VPN traffic per CCR1072 router. How you got it ? I cannot pass 1gb/s ...

uCZBpmK6pwoZg7LR

Tell me please, what are the advantages of a "exposed lo" interface over the old way?

I seen mention that it potentially can fix issue with MPLS VPN4 security firewall bug.

uCZBpmK6pwoZg7LR

Is this ChatGPT? What the hell are you talking about? An ISP should never put any kind of data plane firewall in an MPLS core. MPLS core P and PE routers only have firewall rules for the control plane of the P and PE routers. What dumb approach is this? CE devices should have localised firewall as ...

uCZBpmK6pwoZg7LR

Don`t use MPLS VPN4 ROS 7 because you CPE will be completely open for remote side of tunnel. Firewall fail to detect inbound interface and mark it as unknown and if you filter something using : add action=drop chain=input in-interface=<mpls interface> traffic will reach you CPE without any limitatio...

uCZBpmK6pwoZg7LR

I lost any hopes that MPLS related bugs in ROS 7 will be fixed. Started to look for another router brand without success for now.

uCZBpmK6pwoZg7LR

Please fix SUP-130540 and SUP-130672

uCZBpmK6pwoZg7LR

Fix at last firewall problem with interface unknown to interface unknown. Due to this issue mikrotik firewall does not work at all for MPLS VPN4 traffic. You have critical security issue but continue to fix useless docker containers.

uCZBpmK6pwoZg7LR

Please fix bug SUP-125227 and SUP-129944 (traffic from interface unknown to interface unknown) . It is not possible to use firewall due to it.

uCZBpmK6pwoZg7LR

try to remove interface from vrf assignment and put back. quite often it helps. I normally remove iface , wait 3 - 5 seconds and put back

uCZBpmK6pwoZg7LR

Good day/morning/night. I have most probably quite weird question. Do exist some kind of limitation in mikrotik about amount active unique VPN4 tunnels in network. I have a tiny mpls based network where i have quite a lot of VPN4 tunnels and i cannot pass more than 200 active unique VPN4 tunnels. Wh...

uCZBpmK6pwoZg7LR

any plans to fix interface unknown in firewall for mpls vpn4 traffic ?

uCZBpmK6pwoZg7LR

1) make routing mark at mangle prerouting for public WAN port 1.1.1.1:tcp/22
2) dnat using routing mark 1.1.1.1:tcp/22 -> 10.255.255.254:22

uCZBpmK6pwoZg7LR

I just wanted to post a quick update. It appears the upgrading to 7.10 fixed the VPNv4 issues we had.

Nope not everything fixed. Traffic to bridge interface which is member of VRF still don`t hit mangle prerouting and also not possible to ping it from another side of tunnel.

uCZBpmK6pwoZg7LR

any chance to fix MPLS packets which does not follow packet flow diagram in case if destination ip is interface ip address member of VRF ( ie input interface unknown isue)?

uCZBpmK6pwoZg7LR

Netherlands ?

https://www.dectdirect.nl/nl/cloud-core ... s-2xq.html

2 on stock.

I usually buy there.

Thanks CCR2116-12G-4S+ is not ccr2216-1g-12xs-2xq. And look on price

1st one 1k EUR.

uCZBpmK6pwoZg7LR

Having a quick look around the german markets: 5 shops with CCR2216-1G-12XS-2XQ shippable 1 shop with CCR2004-1G-12S+2XS shippable 4 shops with CCR2004-16G-2S+ shippable 4 shops with CCR2004-16G-2S+PC shippable 5 shops with RB1100DX4 shippable 2 shop with CCR1072-1G-8S+ shippable 3 shops with RB500...

uCZBpmK6pwoZg7LR

I have one question. Is Mikrotik plan to close their doors? Last time we do quite a lot of installations of CCR routes inside our network and last 3 months we observe situation that it is not possible to buy anymore in European Union Mikrotik routers CCR series. Current nearest delivery date is 30 J...

uCZBpmK6pwoZg7LR

Added quoted text. Nobody reported the bug to MikroTik before May 10th. (and by the way it's an useless bug) As i told before most probably somebody under false flag (if to believe to Mktik) entitled itself as Mikrotik person and took a part at pwn2own and got details about attack. Well done. It me...

uCZBpmK6pwoZg7LR

And it's even more shameful that you write bullshit without knowing what you're writing. Tell me more or i can say same about you. Ok this is just Mikrotiks words against somebody else words. Basically it means that somebody who was entitled as Mikrotik representation may be false entitled was awar...

uCZBpmK6pwoZg7LR

It is extremely shame not to fix critical vuln during almost half year. So it means that somebody could root your device for relatively small amount of money.

uCZBpmK6pwoZg7LR

We are stuck in a hard place here. We ordered a few of CCR2004-16G-2S+ (ARM64) because CCR1009-7G-1C-1S (TILE) are longer available and we need the 10G SFP+ port for some of our customers. The CCR2004-16G-2S+ (ARM64) does not have the ability to downgrade to ROSv6. We would've done that in a heart ...

uCZBpmK6pwoZg7LR

Better create ticket in their support . i created but if it will be more people i presume it will get more priority. PS: today i got a weird answer from support where they say something like that now router decide to which VRF routes have to be installed using RD instead of RT. Due to it . It is lo...

uCZBpmK6pwoZg7LR

Just downgrade to ROS 7.8 i have exactly same issue . Downgrade solve it . You are right... That fixed it, everything came up with the exact configuration. So is the solution to run on 7.8 for VPNv4 VRF and not stable 7.9? Better create ticket in their support . i created but if it will be more peo...

uCZBpmK6pwoZg7LR

Just downgrade to ROS 7.8
i have exactly same issue . Downgrade solve it .

uCZBpmK6pwoZg7LR

downgrade to 7.8 and try again

uCZBpmK6pwoZg7LR

try to set preffered source ip in routing table or in route rules.

uCZBpmK6pwoZg7LR

export your config nothing really special : /routing bgp template set default address-families=vpnv4 disabled=no multihop=yes router-id=\ 10.29.193.27 routing-table=main /routing bgp connection add address-families=vpnv4 as=65530 connect=yes disabled=no local.address=\ 10.29.193.27 .role=ibgp-rr-cl...

uCZBpmK6pwoZg7LR

vpn4 works!!!

mwaaa MT

For me now it is completely broken.
Now VPN4 on ROS7 not add routes to VRF

uCZBpmK6pwoZg7LR

We are working of BFD support.
From brief look over reported BGP issues in the this topic, they should be polished and fixed in 7.9.

pe1chl, do you have any issue with BGP in 7.8?

VPRN ?? if you fix VPRN i ll drink beer until fall under table.

uCZBpmK6pwoZg7LR

Plase fix VPRN route reflector

what is wrong with that?

mikrotik transmit self instead of learned NEXT_HOP value and ignore propagate setting for vrf route. Due to it VPRN completely broken

uCZBpmK6pwoZg7LR

Plase fix VPRN route reflector

uCZBpmK6pwoZg7LR

It is already fixed in v7.7 and v7.8betas Can u explain more exactly what you have fixed for bpg vpn4? It still have problem with best path calculation? Thx It was fix of issue that MT send reflected route back to sender with own self as nexthop . Due to it sender installed reflected route which it...

uCZBpmK6pwoZg7LR

pls fix BGP-VRF-VPNv4 - working with RR

Agree. This issue is upgrade blocker cannot migrate due to it to ROS 7.

uCZBpmK6pwoZg7LR

I have a problem with SRC-NAT, it is not matching all the connections so there are connections that are passing through the router without being NATed.

This problem persist since 6.xx.xx.

uCZBpmK6pwoZg7LR

I'd love to see VTI implemented on RouterOS, but I kinda lost hope. I'd even gladly swap Wireguard for VTI.

I think it will be somewhere at 2033. :) They cannot fix yet standard functionality like VPRN already more than year. And it block upgrades.

uCZBpmK6pwoZg7LR

Any plans for fix broken VPN4 bgp reflection ? Are you experiencing issues with a Routeros v7 Route Reflector? I am testing against a Cisco Route Reflector, and it seems to work properly. No, i using VPN4 ie l3 vpn (VPRN). inside vrf ROS 7 transmit self nexthop instead of mpls hop. Ie ROS7 just ign...

uCZBpmK6pwoZg7LR

Any plans for fix broken VPN4 bgp reflection ?

uCZBpmK6pwoZg7LR

Is it planned to fix BGP propagate? Option do not work for VPN4. VPN4 is completely broken due to it.

uCZBpmK6pwoZg7LR

Feels like really crutches.

uCZBpmK6pwoZg7LR

Well it look like that really exist issue with ipsec vpn performance on Mikrotik devices. I did some tests with following environment : ipsec_slow_mkt.png 1) on web server i placed linux kernel 200 megabytes file 2) datacenter with web server have internet channel 1Gbit/s up /1Gbit/s down 3) locatio...

uCZBpmK6pwoZg7LR

Have same issue with Cisco SG350 and CBS350 poe switches. Everything what i connect to it work except cAP ac.

uCZBpmK6pwoZg7LR

it is broken. Better fill in bug report.

uCZBpmK6pwoZg7LR

MPLS over Tunnels still broken

uCZBpmK6pwoZg7LR

Hi. In reality it is works but due to bugs unusable. LDP session establish but label enabled routes not properly mapped in local and remote mapping tables. Due to it all mapping tables become invalid and forwarding table empty. I created SUP-80288 about this. And suggest you to do same to increase p...

uCZBpmK6pwoZg7LR

Well . Mikrotik in their documentation say that it have to work over : " In general it is recommended that all routes between VRF should be exchanged using BGP local import and export functionality. If that is not enough, static routes can be used to achieve this so-called route leaking. "...

uCZBpmK6pwoZg7LR

Hi. Guys do somebody have same weird issue as me. CCR1036 6.48.3 When you add vrf rd , export , import and after you enable bgp vrf . label in out assigned to 0 in and 0 out also vrf routes not added to MPLS forwarding table Do i need to disturb support or somebody know quick fix . Basically same se...

uCZBpmK6pwoZg7LR

Hi. I have an issue . After i changed Dynamic label range . All ldp interfaces became red and never go up anymore.
I tried to enable and disable LDP it not solve issue .
Do somebody have an idea how to solve it. Reboot of router is not an option .

uCZBpmK6pwoZg7LR

Is this bug solved already ? or V7 , 8 , 9 , 10?

uCZBpmK6pwoZg7LR

In my config started bit better after complete removal All interface rules in Tools -> Graphing. From my side i can tell that it is no relation to 100mb or 1gb . I have 3 devices which are 100mb only. And links flapped untill i removed Graphing. Most probabaly exist multiply issues 1) Combination 10...

uCZBpmK6pwoZg7LR

Yes this is main target of such simple example. This extraction of config illustrate that mikrotik cannot filter ipv6 prefixes. if i understand right this script have to block advertisement of all ipv6 and ipv4 prefixes. But in reality it block only ipv4 prefixes. Most probably just a bug. PS : Dele...

uCZBpmK6pwoZg7LR

Hi. Any idea how to filter ipv6 routes ? I have on my router simple test : /routing filter add action=discard address-family=ip chain=BGP_OFFICE_OUT prefix=0.0.0.0/0 prefix-length=0-128 add action=discard address-family=ipv6 chain=BGP_OFFICE_OUT prefix=::/0 prefix-length=0-128 add action=log address...

uCZBpmK6pwoZg7LR

Hi, Where the truth ?
Capsman show 30dbm on 5g. Same interface on AP wap ac which connected to capsman show 19dbm and antenna-gain on same ap 2dbm.

uCZBpmK6pwoZg7LR

What is default antenna-gain for wap ac and cap ac ? Because i cannot set even regulatory domain on my routers.
In documentation written 0 is default but if i set 0 then it is not possible to set regulatory domain.

uCZBpmK6pwoZg7LR

Issue was due to Interfaces->Detect Internet feature. After complete disable this buggy and crap feature everything started to work.

uCZBpmK6pwoZg7LR

Hi, Thanks for your answer.
I just checked firewall and i not see any fasttrack rules there.
I also checked WanBridge . It have STP : none.
So most probably issue somewhere else. May be another ideas ?
Well i fighting with this issue already month or so without any result.

uCZBpmK6pwoZg7LR

Well i have very weird issue on RB3011UIAS. Mikrotik pass traffic only for 40 seconds every 1 minute. When I do a ping for example to google from mikrotik . 40 seconds pingable and 20 seconds not pingable. It is look like time slots of internet. What is strange : In moment when i start Packet sniffe...

uCZBpmK6pwoZg7LR

...and finally I got what are you trying to prove :) No difference in behaviour between CCR and all others I mentioned above. The answer is in your log: obviously, in such case there is no in-interface, so it doesn't match your first rule. extraction from /interface print 1 RS ether2LAN ether 1500 ...

uCZBpmK6pwoZg7LR

Tried on hEX, hAP ac2, hAP mini - nothing like this.

Exactly HAP ac2 affected with version 6.43.4
and at least 5 different HEX lites with different versions of firmware have same issue.
Most probably something else inside mikrotik affect this .

uCZBpmK6pwoZg7LR

/interface bridge add admin-mac=B8:69:F4:7F:9B:C1 auto-mac=no name=bridgeLAN /interface bridge port add bridge=bridgeLAN interface=ether2LAN add bridge=bridgeLAN interface=ether3LAN add bridge=bridgeLAN interface=ether4LAN add bridge=bridgeLAN interface=ether5LAN add bridge=bridgeLAN interface=wlan...

uCZBpmK6pwoZg7LR

Hi Mikrotik. How to interpretate this error ? Why it cannot do config overwrite ? 14:03:43 tr069,warning couldn't apply config overwrite 14:03:43 tr069,debug starting session, events: [7 TRANSFER COMPLETE, M Download (1), ] 14:03:43 tr069,debug send: Inform 14:03:43 tr069,debug rcvd: InformResponse ...

uCZBpmK6pwoZg7LR

In following example simple tr069-client without any certificate checks /tr069-client set acs-url=https://example.com enabled=yes password=test \ periodic-inform-interval=1m username=test example.com - have valid asterisk certificate from DigiCert. I also tried Letsencrypt one with same results . It...

uCZBpmK6pwoZg7LR

Nobody knows or it is bug in Mikrotik ? Ok some extra config to recreate issue /routing bgp peer add address-families=ip,l2vpn in-filter=BGP_IN name=Main nexthop-choice=force-self out-filter=BGP_OUT remote-address=10.29.0.37 remote-as=65001 ttl=default /routing filter add append-bgp-communities=&quo...

uCZBpmK6pwoZg7LR

Working even over l2tp

uCZBpmK6pwoZg7LR

Hi. Static example : /ip route add routing-mark=RED dst-address=0.0.0.0/0 gateway=1.1.1.1@main Question : Can i do the same for multi VRFs dynamically using default route from BGP ? I tried to use append rd in filters for default route which i got from upstream but it is not work. Route not appear i...

uCZBpmK6pwoZg7LR

Is it possible after 17 years of active development to have implementation for Key and Sequence Number Extensions to GRE in Mikrotik.
We really realy need it.
Thanks.

uCZBpmK6pwoZg7LR

In case of usage Winbox for edition Routing->Filters. After some operations Router Filters representation in GUI is not same as output command /routing filter print . Look like it happeing because Winbox not updating Route Filters window with real data after insert/delete etc. Issue happens on 6.39....

uCZBpmK6pwoZg7LR

In case of usage routing-table in bgp instance routes advertised list is empty but routes advertise and install in routing table for examaple /routing bgp> instance print Flags: * - default, X - disabled 0 * name="default" as=65530 router-id=0.0.0.0 redistribute-connected=no redistribute-s...

uCZBpmK6pwoZg7LR

I have a question is it in policy of mikrotik company during upgrade of firmware completely brake configuration which was working on previous version ? For example today i upgraded production router CCR 1036 to bugfix release. And after reboot Ovpn stopped to work with TLS error, Firewall filter rul...

uCZBpmK6pwoZg7LR

As i undertand following rules must not accept inbound routes and outbound routes ospf [ktoto@TunnelBroker] /routing> filter print Flags: X - disabled 0 chain=ospf-in invert-match=no action=discard set-bgp-prepend-path="" 1 chain=ospf-out invert-match=no action=discard set-bgp-prepend-path...

uCZBpmK6pwoZg7LR

Good morning. Is it possible to remove completely RouterOs from Mikrotik device and install Linux on routerboard (CCR1009 )? I am even ready to compile everything myself. But may be exist somewhere install ready distribution. I moved to mikrotik from cisco. And found that amount of issues and bugs a...

uCZBpmK6pwoZg7LR

Hi guys. Today morning i detected following issue. (CCR1009 6.33) ping src-address=10.111.114.199 10.51.25.1 SEQ HOST SIZE TTL TIME STATUS 0 22 (Invalid argument) 1 22 (Invalid argument) 2 22 (Invalid argument) 3 22 (Invalid argument) sent=4 received=0 packet-loss=100% 10.51.25.0/24 network on anoth...

Search found 78 matches