Community discussions

Search found 1199 matches

by Larsa
Sat Apr 20, 2024 11:26 am
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1685

Re: SFP info dont appear in ROS v7 x86

As I wrote in another thread, PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scen...
by Larsa
Fri Apr 19, 2024 11:33 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1132

Re: Feature Request for x86 and CHR for SFP Menu tab

PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scenario that probably won’t happen.
by Larsa
Fri Apr 19, 2024 11:30 pm
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1685

Re: SFP info dont appear in ROS v7 x86

When running CHR in a virtual machine, all NICs and drivers are managed by the virtual host.
by Larsa
Thu Apr 18, 2024 11:34 pm
Forum: Scripting
Topic: Can't Query Graphql site
Replies: 12
Views: 562

Re: Can't Query Graphql site

Possibly in a slim container, if the hardware allows, but it feels a bit overkill. I mean, it should be possible to get 'fetch' to work, but how to locate the root cause of the error is probably the $100,000 question. Have you checked it's not an SSL certificate issue on either side?
by Larsa
Thu Apr 18, 2024 11:03 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 14
Views: 1128

Re: Using RB5009 in bridge mode [SOLVED]

You only need ISP/ONT <-> (PPPoE) RB5009 <-> LAN (unless the 'second router' has a magical feature set you can't live without). The RB5009 will manage both PPP and DHCP.
by Larsa
Thu Apr 18, 2024 12:49 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1132

Re: Feature Request for x86 and CHR for SFP Menu tab

As CHR runs in a virtual environment, all NICs/SFPs are managed by the host environment. When it comes to x86 'bare metal' setups, support for NIC drivers is limited.
by Larsa
Wed Apr 17, 2024 12:38 pm
Forum: Beginner Basics
Topic: Loading ONIE images on Mikrotik Switches
Replies: 6
Views: 429

Re: Loading ONIE images on Mikrotik Switches

Hi @Evaluator, and welcome to the forum! Although ONIE is a great idea, I believe it might be difficult to implement on a large portion of MikroTik's product range since many of the low-end devices have limitations in terms of memory and storage. However, I'd love to see ONIE supported on future mid-...
by Larsa
Wed Apr 17, 2024 11:45 am
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1107

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

@phascogale: Firewalla, along with other 'Smart' or 'Next-Generation' firewalls, cannot perform deep packet inspection on encrypted traffic without utilizing SSL/TLS termination. They primarily rely on fundamental info such as endpoint IP addresses, stream sizes, etc. Even SNI (ESNI) is encrypted n...
by Larsa
Tue Apr 16, 2024 10:48 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1107

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Layer 7 firewalls are pretty useless without SSL Termination which usually requires extensive configuration.
by Larsa
Mon Apr 15, 2024 3:51 pm
Forum: Forwarding Protocols
Topic: Single-hop BFD session is not restored after reboot or power outage
Replies: 6
Views: 690

Re: Single-hop BFD session is not restored after reboot or power outage

I would like to get some feedback from the developers.

Since this is a user forum, I believe you have a better chance of getting a response if you direct your question to: support@mikrotik.com.
by Larsa
Mon Apr 15, 2024 3:30 pm
Forum: Virtualization
Topic: CHR tx-queue-drops-per-second
Replies: 7
Views: 9255

Re: CHR tx-queue-drops-per-second

Not necessarily. It ultimately depends on how well the driver is developed specifically for each solution. With a single NIC used solely by one guest OS, the difference is probably not even measurable with modern drivers. The major difference is that a NIC using PCI passthrough (VMware DirectPath) b...
by Larsa
Fri Apr 12, 2024 8:59 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 709

Re: Mikrotik documentation

Cron job :D You underestimate Atlassian. It's such a complicated mess. Well, Jira/Confluence might be perceived as 'messy' in the same way as ROS might be for novices. 😉 These products are complex toolkits capable of doing almost anything but require solid knowledge and experience to set up effect...
by Larsa
Thu Apr 11, 2024 8:39 pm
Forum: Virtualization
Topic: Public IP on Azure CHR
Replies: 3
Views: 391

Re: Public IP on Azure CHR

@mugeno - if you've already paid for it and obtained the public IP address, this guide serves as a good starting point: "Microsoft - Associate a public IP address to a virtual machine". Here is some other good stuff about Azure networking: https://learn.microsoft.com/en-us/azure/virtual-...
by Larsa
Thu Apr 11, 2024 1:03 am
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 460

Re: OSPF default route

Now I get it. I completely missed the part that CMC wasn't configured with OSPF.
by Larsa
Mon Apr 08, 2024 7:43 pm
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 460

Re: OSPF default route

Check out "originate-default" in "help.mikrotik.com/docs/display/ROS/OSPF". It can also be combined with routing filters.
by Larsa
Fri Apr 05, 2024 12:29 am
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1531

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

SD-WAN has been around for over a decade and is now more or less a de facto standard so calling it 'hype' feels somewhat exaggerated. A general guideline is to consider implementing SD-WAN when your network exceeds 10 links. Anyhow, regarding this particular case it's important to consider future ne...
by Larsa
Thu Apr 04, 2024 12:40 am
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1221

Re: Not getting wireline speeds

@trivex, no offense intended, but a great place to start your research before buying any networking gear is always the manufacturer's own website. MikroTik has organized all its products into categories like switches, routers, and more: mikrotik.com/products.
by Larsa
Tue Apr 02, 2024 8:32 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1531

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

By "THIRD PARTY," I presume you mean third-party "cloud services." Most SD-WAN solutions offer both cloud-based services and on-premises support. If you prefer, Mikrotik ZeroTier includes an on-premises controller that makes you independent of third-party cloud services. However,...
by Larsa
Tue Apr 02, 2024 5:04 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

What's new in 7.15beta9 (2024-Mar-27 21:55): *) console - added "sanitize-names" property under "/console/settings" menu (option for replacing reserved characters with underscores for files, disabled by default); Thank you! The opt-in method is preferred when introducing breakin...
by Larsa
Tue Apr 02, 2024 4:43 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1531

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

We initially started using WireGuard but as we scaled up it became unmanageable (a real pain in the neck to be honest) to administer so we've completely transitioned to ZeroTier for OOB administration. Also, the overhead for path search traffic is negligible, even in 4G. ZeroTier is extremely easy t...
by Larsa
Fri Mar 29, 2024 11:18 pm
Forum: General
Topic: Wireguard education? [SOLVED]
Replies: 3
Views: 342

Re: Wireguard education? [SOLVED]

Check out the Pro Custodibus blogs about WireGuard which are absolutely outstanding in my opinion. For example, start with "Primary WireGuard Topologies"

Happy Easter!
by Larsa
Fri Mar 29, 2024 10:39 pm
Forum: General
Topic: Wireguard education needed
Replies: 7
Views: 776

Re: Wireguard education needed

The issue is not really a configuration issue as much as a question on how the VPN protocol works, and if this can be explained. Check out the Pro Custodibus blogs about WireGuard which are absolutely outstanding in my opinion. For example, have a look at "Primary WireGuard Topologies" I...
by Larsa
Mon Mar 25, 2024 7:35 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 863

Re: execute & parse

Couldn't agree more. There is clearly something flawed when all sorts of workarounds pop up in the flow..
by Larsa
Mon Mar 25, 2024 6:48 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 863

Re: execute & parse

:return [[:parse ":global $1 ; :return [\$$1 $2]"]] Yeah, that's a good one-liner. Here's another neat trick if you want to call system scripts with arguments. This also works with "[/file get /dirname/scriptname contents]" if you prefer to store your scripts in a different loca...
by Larsa
Thu Mar 21, 2024 10:27 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

Regarding 7.15beta8 (2024-Mar-21 09:12) and inconsistent rules for valid characters in filenames. Check viewtopic.php?p=1065213#p1065213
by Larsa
Thu Mar 21, 2024 10:17 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

The arbitrary acceptance and rejection of certain characters in filenames cause unnecessary support system disruptions. There is still a bug in 7.15beta8 (2024-Mar-21 09:12) that prevents our backup and version control systems from working properly when filenames contain spaces due to script incom...
by Larsa
Thu Mar 21, 2024 8:11 pm
Forum: General
Topic: Loop Dos CVE-2024-2169 Mikrotik
Replies: 3
Views: 691

Re: Loop Dos CVE-2024-2169 Mikrotik

Just a friendly reminder: Never ever expose TFTP or similar services directly to the internet. Doing so poses serious security risks, otherwise you don't have to worry about CVE-2024-2169.
by Larsa
Thu Mar 21, 2024 7:53 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

What's new in 7.15beta8 (2024-Mar-21 09:12): *) wireguard - added option to mark peer as responder only (CLI only); *) route - rework of route attributes; Regrettably, I haven't spent as much time on testing as I planned, but wonder if this might possibly solve the issue with the handshake response ...
by Larsa
Thu Mar 21, 2024 4:38 pm
Forum: General
Topic: CHR or Ethernet router?
Replies: 5
Views: 662

Re: CHR or Ethernet router?

In short:

1. If you're running CHR/x64, use IPsec. This platform can scale up practically infinitely.
2. If you're running a Mikrotik with AES hardware acceleration, use IPsec. Check throughput limitation using the 512-byte column on the product page.
3. In all other cases, use WireGuard.
by Larsa
Thu Mar 21, 2024 1:27 pm
Forum: General
Topic: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN
Replies: 1
Views: 389

Re: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN

Some suggestions: Set up your own TailScale address pool, use IPv6, or switch to ZeroTier. RB5009 has built-in support for ZeroTier which allows you to pick any or multiple private subnets and also set individual static addresses on any device. There is no problem running ZeroTier and Tailscale in ...
by Larsa
Wed Mar 20, 2024 9:57 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 676

Re: Configuration for hidden ZeroTier features

I hadn't looked at the ZT changes in a bit – the config has grown a lot. I just don't see how RouterOS could keep up in a reasonable time frame. Yeah, it feels like I've been waiting far too long for both Multipath and Trusted Path for ROS. And yes, JSON support would be awesome! Another thin...
by Larsa
Wed Mar 20, 2024 9:01 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 676

Re: Configuration for hidden ZeroTier features

Yeah, looks like we need to start collecting some dough to sort this out once and for all! ;-) The ZeroTier client library itself is very small and accessible using a single API. Configuration is managed using parameters that are either retrieved from a configuration file or controlled directly via ...
by Larsa
Wed Mar 20, 2024 7:31 pm
Forum: Scripting
Topic: DDNS Cloudflare script
Replies: 3
Views: 615

Re: DDNS Cloudflare script

Hello @nocivo! If you want to explore similar solutions to figure out how they work, you can search for mikrotik Cloudflare script on github.
by Larsa
Wed Mar 20, 2024 5:23 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 1863

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some highly important factors I think you should consider before making any decisions: Encryption and throughput bottlenecks: WireGuard encryption (ChaCha20) is software-based and lacks hardware acceleration support (on any platform) unlike IPsec. Consequently, the total throughput is cons...
by Larsa
Wed Mar 20, 2024 4:46 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 676

Re: Configuration for hidden ZeroTier features

Well, I would also call those options hidden since they all are a part of the current ZeroTier version included with RouterOS which simply lacks the ability to configure them. Adding AES hardware acceleration would also be a major enhancement as well as an upgrade to v1.12. This version prevents pat...
by Larsa
Wed Mar 20, 2024 4:14 pm
Forum: General
Topic: REQUEST: Paid technical support plans
Replies: 16
Views: 961

Re: REQUEST: Paid technical support plans

I'd start by hiring the Canadian Lama, he's probably dead cheap but still a rascal at finding bugs and possible workarounds! 😋
by Larsa
Wed Mar 20, 2024 12:49 am
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 1863

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some GPO hacks using scripting that might be used as a baseline but I'd never use them as a replacement for SD-WAN. You still have to support end users or the branch office with manual administration when things go south. If you prefer not to depend on a third-party web server provider for ...
by Larsa
Tue Mar 19, 2024 11:29 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 1863

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

I strongly advise against using WireGuard in this case. Manually administering 150 WireGuard connections will likely be a counterproductive solution. It will probably result in complex manual administrational (nightmare) tasks with the risk of long lead times and ultimately lead to increased costs f...
by Larsa
Tue Mar 19, 2024 6:02 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 944

Re: WireGuard useful learning [Linux]

It's true that OpenVPN is often configured in a "client/server" style especially for remote access use cases. However, the same applies to WireGuard. Both of these tunnel protocols, along with IPsec and SSTP, have the flexibility to act as "initiators" or passive "responders...
by Larsa
Mon Mar 18, 2024 9:08 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 944

Re: WireGuard useful learning [Linux]

I'm sorry, but I have terrible allergies to such things so I've never dared to try! ;-) Btw, @DarkNate, can you please explain what a "client/server" tunnel is to a dummy like me?
by Larsa
Mon Mar 18, 2024 7:22 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

Okay, I thought your question was: 'My question remains valid: why do you need spaces? Or is it just a personal decision?' (Or did I miss something??)
by Larsa
Mon Mar 18, 2024 7:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

@t0mm13b: *) console - replace reserved characters to backup and certificate export file names with underscores;

Yes @t0mm13b, you've nailed the core issue of this thread!
--

@infabo: I think it was stated pretty clear in the previous post. Is there anything I need to clarify?
by Larsa
Mon Mar 18, 2024 7:07 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

SUP-147326 - "v7.15beta brakes file naming and script compatibility"
by Larsa
Mon Mar 18, 2024 6:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

@infabo The real question to be asked is: why do you need them? @infabo: If you had read the thread from the beginning, you wouldn't have needed to ask that question. @t0mm13b: The core issues are compatibility and why Mikrotik's proposed changes would break existing scripts and support systems. De...
by Larsa
Mon Mar 18, 2024 4:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

I'd prefer if we focus on OP's issue of how to best preserve script compatibility when it comes to potential limitations in file naming. In my opinion, at an absolute minimum, "spaces" and printable 7-bit ASCII characters that are compatible across common file systems (Windows, Linux, macO...
by Larsa
Thu Mar 14, 2024 11:59 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

The major issue at stake here is script compatibility when using spaces (and similar common characters) in filenames, not control characters or UTF-8/16.
by Larsa
Thu Mar 14, 2024 10:01 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

The technical stuff you write about might very well be true, and I truly agree regarding the poor choices that MT is about to make in this case. As I wrote in another comment: To maintain script compatibility as much as possible, I believe it would be easier to focus on allowed characters rather ...
by Larsa
Thu Mar 14, 2024 8:33 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

Problem is: where do you define the bounds. Characters like / : \ can also cause trouble. People have used date/time as part of a filename and ran into "inexplicable problems". At least that does not happen anymore. To maintain script compatibility as much as possible, I believe it would ...
by Larsa
Thu Mar 14, 2024 5:44 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

@jaclaz, regarding the second link, it seems less focused on the actual problem regarding script compatibility issues caused by spaces in filenames and more like 'whataboutism' disguised as academic debate. I mean, this has a serious impact for both the OP and others who rely on scripts that handle spac...
by Larsa
Thu Mar 14, 2024 4:08 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

Well, no! ;-) Windows defaults to UTF-16 as its internal representation but has strong support for working with UTF-8 in addition to the legacy CP-1252 and similar encodings. For example, Notepad uses either ANSI or UTF-8. The rest of the world defaults to UTF-8. However, none are limited to legacy ...
by Larsa
Thu Mar 14, 2024 3:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

All major operating systems like Windows, macOS, Linux, z/OS, Android and iOS utilize UTF-8. What other OS might have the compatibility issue you are referring to?
by Larsa
Thu Mar 14, 2024 2:48 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

That's beside the point. You should NEVER EVER break script compatibility unless absolutely necessary. And the potential identity issue you're describing is merely a side effect of the change that breaks script compatibility, not the root cause! I do have a certain understanding they want to avoid c...
by Larsa
Thu Mar 14, 2024 2:31 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 126875

Re: v7.15beta [testing] is released!

MikroTik has once AGAIN managed to break script compatibility by prohibiting something as common as spaces(!) in file names. I have zero understanding of this as it affects our current solutions for version control and backup which now must be modified and tested on all nodes before we can even cons...
by Larsa
Thu Mar 14, 2024 1:42 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3383

Re: v7.15beta broke backup file naming

This is yet another piece of evidence and major reason one should try to avoid RoS scripting in production at all costs as Mikrotik might break compatibility without notice at any time. Since this isn't the first time (and probably not the last) that Mikrotik breaks script compatibility, I think it'...
by Larsa
Wed Mar 13, 2024 2:06 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

OT - Yeah, BPF has evolved from a pure filtering mechanism into a highly versatile virtual machine (VM) or "sandbox" within the kernel. Just as Wasm, source code is compiled in user-space to bytecode and executed using JIT within the VM. eBPF is incredibly flexible and might work wonders i...
by Larsa
Wed Mar 13, 2024 2:03 pm
Forum: Beginner Basics
Topic: Slow Throughput CHR virtual within Proxmox [SOLVED]
Replies: 8
Views: 1664

Re: Slow Throughput CHR virtual within Proxmox [SOLVED]

I've made the same mistake plenty of times. My first thought that always pops up is there might be an issue with the NIC before I finally realize I forgot to activate the license, i.e. CHR is running in 'free license mode'. I think MikroTik should introduce some kind of warning when running in 'free...
by Larsa
Wed Mar 13, 2024 1:21 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

Neither DPDK nor eBPF/XDP is in any way related to SR-IOV, which is a standard hardware-level technology for I/O virtualization offering bare-metal throughput. Additionally, ROS uses Linux kernel netfilter/nftables, not Berkeley Packet Filter or DPDK which are a bunch of user-land network drivers an...
by Larsa
Tue Mar 12, 2024 11:45 pm
Forum: General
Topic: Intel I210 compatibility (pcie 1x)
Replies: 3
Views: 817

Re: Intel I210 compatibility (pcie 1x)

Hi! Since this is mainly a user forum, you have a better chance of getting a relevant answer directly from Mikrotik by contacting support@mikrotik.com.
by Larsa
Fri Mar 08, 2024 1:31 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

@Anav - I'm biding my time by exploring possible alternatives since I have no need for quick fixes. Meanwhile, I do appreciate and rely on your tireless effort to make life easier for the users in this forum! 😘 @Amm0: You read my mind! I was thinking of testing that along with some variations of nat...
by Larsa
Thu Mar 07, 2024 11:14 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Considering the recent fiasco where the change of date format broke script compatibility we want to minimize script use in production environments whenever possible. And the sad thing is, the date format could have been easily fixed without breaking script compatibility. This 'small' oversight makes...
by Larsa
Thu Mar 07, 2024 9:21 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

@wfburton/Amm0, I have a similar idea that doesn't involve separate routing tables.
by Larsa
Thu Mar 07, 2024 8:35 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Yep, that sounds about right! The whole exercise has currently resulted in two different issues: Q1. Why are WireGuard handshake responses sent through default gateway rather than the originating interface? My initial research indicates this is a known issue with some proposed fixes already sent ups...
by Larsa
Thu Mar 07, 2024 6:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

You'll probably have a greater chance of getting assistance in connecting VyOS with ROS if you open a separate thread for it.
by Larsa
Thu Mar 07, 2024 6:27 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

WireGuard, like IPsec, doesn't appear as a service like FTP, they have separate configuration menus. Btw, what are you trying to say using the VyOS commands?
by Larsa
Thu Mar 07, 2024 6:03 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Yup, it's the starting point itself that creates the initial hurdle in a multi-WAN environment. I'm trying to identify how different configurations behave, for example by using different subnets on the WAN interfaces. One test I've performed is with ether1 as the default gateway and five WAN interfa...
by Larsa
Thu Mar 07, 2024 1:09 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

@anav: RoS is actually following correctly its Operating System code on how to route traffic. I'm sorry, but there is no such thing! The Linux network engine is configured and controlled dynamically entirely by ROS. That's how Linux-based routers operate. It does whatever you tell it to do. If yo...
by Larsa
Wed Mar 06, 2024 5:11 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Haha, but of course! My personal take on this is that all built-in services should behave the same when it comes to routing and connection tracking. I see no obvious reason why they shouldn't.
by Larsa
Wed Mar 06, 2024 5:06 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

I'm pretty sure the standard response would be it's a feature, not a bug! :-) But it is the kernel that actually stores, manages, and executes the routing rules using nftables, it's just the configuration hassle that occurs in userland, i.e. ROS. The connection tracker is tightly coupled to the nfta...
by Larsa
Wed Mar 06, 2024 4:29 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 1084

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

As the new 60Pro AC implements 802.11ay it should support AES-GCM or WPA3.
by Larsa
Wed Mar 06, 2024 4:09 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

One wouldn't need specialized DHCP scripts if Mikrotik fixed its connection tracker to use the incoming interface address as the outgoing source address. I'll try to create a simple diagram and some packet traces that illustrate the whole thing, but considering your previous response you seem to hav...
by Larsa
Wed Mar 06, 2024 3:52 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

@Anav, unfortunately you're still missing the point but Ammo seems to grasp it. In short, ROS connection tracker mishandles WireGuard handshakes. It forces response packets through the default gateway, breaking the protocol if the initial handshake came from a different interface. See Example 2 for ...
by Larsa
Wed Mar 06, 2024 2:38 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 1084

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

The OP asked what type of security is used which unfortunately isn't stated in the product description. Presumably, the wireless encryption is performed with some kind of AES-GCM/WPA3, but to be sure drop an email to sales@mikrotik.com. EDIT: feel free to ask the Mikrotik sales team to update the pr...
by Larsa
Wed Mar 06, 2024 1:49 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 364

Re: WANGUARD DUAL WAN HA

Thanks for the answer. How did you go about configuring routing policies for multiple WANs? I have set incoming connection marking and routing marking for the appropriate WAN link, but it does not work for wireguard because during the handshake, the peer that responds to the query sends traffic thr...
by Larsa
Wed Mar 06, 2024 1:22 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Well, NO! but let me get back to you with a full trace FYI. I dare you to set up your own lab environment with just two WAN interfaces and test it yourself. You don't have to bother using dynamic IP addresses. The task you are to perform is to connect a WireGuard client with a fully functioning conn...
by Larsa
Wed Mar 06, 2024 12:50 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

@wfburton, please create a separate thread if you are not interested in this specific topic. @Anav, all that dst-nat, prerouting, and connection marking stuff you posted about is completely irrelevant when it comes to the handshake dilemma. Are you sure you understand where the issue occurs according...
by Larsa
Tue Mar 05, 2024 10:28 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

I'm sorry, but I don't understand what you mean by "user/group policy" and "User333 belongs to vpn333 group connect to wan333" ?? How does this in any way relate to the asymmetric routing issues that I described earlier in example 2?
by Larsa
Tue Mar 05, 2024 10:19 pm
Forum: General
Topic: How to assing a dynamic route to a routing table
Replies: 4
Views: 340

Re: How to assing a dynamic route to a routing table

I can use the script, but I consider it a dirty work, why Mikrotik simply don't let us to assign a default gateway from dynamic connection to a routing table? This is also a mystery. I completely agree! And I truly hope Mikrotik implements a simpler solution like /routing/rule src-interface =xxxx o...
by Larsa
Tue Mar 05, 2024 9:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

I guess I don't understand your point then, wish I could help but it's beyond my knowledge scope. It isn't that complicated. Here's a brief illustration of how the issue with WireGuard differs from a built-in service like FTP that works as expected. Let's use a couple of examples to show the handshak...
by Larsa
Tue Mar 05, 2024 2:19 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 364

Re: WANGUARD DUAL WAN HA

I've done it myself so there should be no problem at all using OSPF and optional BFD for fast failover.

Another option is to use ZeroTier which automatically utilizes all available links and also enables easy access from mobile devices, home offices, etc.
by Larsa
Tue Mar 05, 2024 1:27 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

Thanks for the response but that wasn't a particularly good suggestion for a cleaner policy routing to address the issue with multiple WAN addresses. As I've mentioned several times now: 1) you are not able to make use of mangling during the handshake process until it is completed. 2) To complete th...
by Larsa
Tue Mar 05, 2024 12:20 am
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 944

Re: WireGuard useful learning [Linux]

Let me rephrase that for both of you! ;-)
WireGuard is an encrypted tunnel protocol that can be used in all types of topologies, including client/server, spoke/hub, mesh, and much more. @mozerd, great articles btw!
by Larsa
Mon Mar 04, 2024 11:38 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

Re: WireGuard Multi-WAN Policy Routing

G'day Anav, my sincere apologies if this is a bit too complex for you! :-) I meant precisely what I wrote: a conceptual question regarding issues with the internal WireGuard handshake process in a multi-WAN environment with no specific scenario in mind. One challenge with the WireGuard initial handsh...
by Larsa
Mon Mar 04, 2024 9:01 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 82
Views: 5124

WireGuard Multi-WAN Policy Routing

I have a conceptual question regarding WireGuard in a multi-WAN environment using dynamic addresses. Problem: in ROS, when a passive WireGuard peer receives its initial handshake (i.e., when connection-state = new), the state machine doesn't keep track of either the destination address or the inboun...
by Larsa
Fri Mar 01, 2024 10:45 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 588
Views: 144593

Re: v7.14 [stable] is released!

@hargen: I can confirm that it works, but one has to wait for 20 attempts before receiving the message "Handshake for peer did not complete after 20 attempts, giving up," and then it goes silent. If you re-enable "Keep alive" it starts all over again. Well spotted in finding the ...
by Larsa
Fri Mar 01, 2024 9:41 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 387

Re: CAKE

You are welcome, have a nice weekend!
by Larsa
Fri Mar 01, 2024 8:32 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 387

Re: CAKE

Yeah, Cake is only implemented in v7.
by Larsa
Fri Mar 01, 2024 8:13 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 913

Re: OSPF over Wireguard links

Yeah, good suggestion. If the wg-interface used for OSPF isn't listed in the LAN device list, you'll need to specify that port explicitly. This also affects the forward chain for routing.
by Larsa
Fri Mar 01, 2024 6:35 pm
Forum: Forwarding Protocols
Topic: BUG: OSPFv3 stub area Intra-Area-Router doesn't get default route
Replies: 1
Views: 236

Re: BUG: OSPFv3 stub area Intra-Area-Router doesn't get default route

We are working on a similar case but we need to verify that it's not caused by a misconfiguration due to some old static routes or an actual bug. Please feel free to report back any feedback from Mikrotik.
by Larsa
Fri Mar 01, 2024 4:58 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 913

Re: OSPF over Wireguard links

I'm sorry, but that simply isn't true! Are you taking advice from ChatGPT? ;-)
by Larsa
Fri Mar 01, 2024 4:50 pm
Forum: Virtualization
Topic: CHR 7.14/7.15b4 can't find network interface in Vultr
Replies: 9
Views: 1461

Re: CHR 7.14RC3/RC4 can't find network interface in Vultr

Is 7.14 removing some NIC drivers?

Similar issues have been reported regarding other virtual environments. Check forum.mikrotik.com/viewtopic.php?t=205097 for possible workarounds
by Larsa
Fri Mar 01, 2024 4:09 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 913

Re: OSPF over Wireguard links

Nice picture, but unfortunately it's pretty difficult to say anything else since it lacks info about networks and interface addresses. Let's begin with router 2 and 3. Btw, is this a single or multi-area topology?
by Larsa
Fri Mar 01, 2024 12:36 am
Forum: General
Topic: Possible? ZeroTier Low Bandwidth Mode
Replies: 9
Views: 761

Re: Possible? ZeroTier Low Bandwidth Mode

Thanks for all your comments and hoping that MikroTik will upgrade the ZT package to a higher version soon. I hope so too, but the current version of ZeroTier in ROS actually supports features like Multi-Path, Low Bandwidth, Trusted Path, as well as hardware AES acceleration. However, none of these...
by Larsa
Thu Feb 29, 2024 11:04 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 588
Views: 144593

Re: v7.14 [stable] is released!

Regarding "wireguard, debug: Sending handshake initiation to peer (0.0.0.0:0)" on passive peers. This is just pure speculation and I might be completely wrong; but after some troubleshooting it seems that MNDP might trigger passive WireGuard peers to attempt to establish a connection despi...
by Larsa
Thu Feb 29, 2024 10:24 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 588
Views: 144593

Re: v7.14 [stable] is released!

@strods, what about "Sending handshake initiation to peer (0.0.0.0:0)" from passive peers? Btw, IMO flooding standard "info" with misleading error messages sends wrong signals. > @Znevna: You have packets flying towards those peers. Stop the packets, the flooding will stop. Or hi...
by Larsa
Thu Feb 29, 2024 9:42 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 588
Views: 144593

Re: v7.14 [stable] is released!

Something fishy is going on with passive WireGuard peers since it seems they are all trying to establish an active connection to the destination address 0.0.0.0, port 0. The WireGuard debug log is flooded with entries like: " wireguard, debug: WG-xxxx: ... Sending handshake initiation to peer (...
by Larsa
Thu Feb 29, 2024 9:23 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 588
Views: 144593

Re: v7.14 [stable] is released!

I'm getting endless messages 'Handshake for peer did not complete after 5 seconds, retrying (try 2)' in log. I've upgraded a couple of lab routers and I'm getting the exact same status flooding from all passive WireGuard peers, ie those defined without endpoint addresses. This applies to both IPv6 ...
by Larsa
Thu Feb 29, 2024 6:29 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 913

Re: OSPF over Wireguard links

Unfortunately, there is no built-in automatic "discovery" functionality in OSPF. All included networks/subnets must be explicitly defined somewhere. For example, if a router is connecting two areas (i.e. acting as an OSPF Area Border Router) both networks must be defined for their respecti...
by Larsa
Thu Feb 29, 2024 5:03 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 913

Re: OSPF over Wireguard links

I'm not exactly sure what you mean by "OSPF for routing networks behind the router," but you have to define all networks that should be routed using OSPF. Adjacent ones don't propagate automatically. Here are a couple of short and concise step-by-step labs that might cover what you need: &...
by Larsa
Wed Feb 28, 2024 11:12 pm
Forum: Virtualization
Topic: CHR image for ARM systems?
Replies: 14
Views: 5729

Re: CHR image for ARM systems?

Ampere Computing LLC, with brands like Ampere Altra and Ampere One, is a family of processors with different design objectives where some models are optimized for networking.
by Larsa
Wed Feb 28, 2024 9:12 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1182

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

It's working alright, though you'll need to be more specific about your intentions regarding subnetting and NATting, for example if you plan to use ULA or specify a prefix, etc. Additionally, including a brief overview of your network topology might help members of this forum better understand your ...
by Larsa
Wed Feb 28, 2024 7:50 pm
Forum: Beginner Basics
Topic: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]
Replies: 8
Views: 780

Re: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]

Great, well done! Regarding the lte1 ipv4 address you are correct as the 100.75.30.120 ip is a CGNAT address. Enable IPv6 to obtain a public ip address (IPv6 GUA).
by Larsa
Wed Feb 28, 2024 5:48 pm
Forum: Beginner Basics
Topic: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]
Replies: 8
Views: 780

Re: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]

Okay, you have at least a registered LTE connection which is a good start. Run these commands so we might see where it cracks. Btw, feel free to mask out any public ip address if not NATed. /interface/lte/monitor lte1 once without-paging /ip/address/print /ip/route/print proplist=dst-addres,gateway,...
by Larsa
Wed Feb 28, 2024 7:39 am
Forum: General
Topic: Mikrotik Professionals Conference in Prague March 7th-8th 2024
Replies: 12
Views: 1772

Re: Mikrotik Professionals Conference in Prague March 7th-8th 2024

Unfortunately I don't have the opportunity to participate but a colleague of mine will be there.

EDIT:
Forgot to mention that he will be wearing a bat hat if you want to pass along a message to me! ;-)
by Larsa
Tue Feb 27, 2024 7:41 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1182

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

IPv6 subnetting works just like IPv4, meaning you divide the /64 prefix into smaller parts, each of which has to use its own DHCPv6 server for the respective subnet. There are plenty of resources online. For more detailed information, Google "subnet IPv6 /64 prefix" and "MikroTik NAT6...
by Larsa
Tue Feb 27, 2024 5:23 pm
Forum: General
Topic: WinBox Software license agreement
Replies: 15
Views: 1518

Re: WinBox Software license agreement

Will there be a native version for macOS as well?

OT - Btw, please add support to
- detach child windows from the MDI parent area
- move the "Windows" menu (the one with all active windows) to the title bar, or make the location configurable.
by Larsa
Tue Feb 27, 2024 5:09 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1182

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

As previously mentioned, T-Mobile assigns a /64 prefix as standard and it might be pretty hard to explain the different subnet options if you're not familiar with IPv6. As a personal side note, the initial intent with IPv6 was to provide everyone with enough subnet space (prefixes) and host addresse...
by Larsa
Tue Feb 27, 2024 4:41 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1182

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

Nowadays, most MNOs typically assign a /64 prefix to mobile devices and the same applies to T-Mobile. For details regarding T-Mobile, Google "T-Mobile IPv6 /64 Prefix" or call T-Mobile tech support. If you want/need subnetting using a stationary broadband router, here are some options: ...
by Larsa
Mon Feb 26, 2024 8:56 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 3
Views: 372

Re: How to change WG handshake timeout

AFAIK, you cannot alter the setting of Rekey-Timeout as it is most likely hardcoded to 5 seconds. Check the constants used for the timer state system in paragraph 6.1 of the paper https://www.wireguard.com/papers/wireguard.pdf. 6.1 The following constants are used for the timer state system: S...
by Larsa
Mon Feb 26, 2024 3:02 pm
Forum: General
Topic: SQM - using FQ-CODEL in interface queues and fasttrack
Replies: 6
Views: 1439

Re: SQM - using FQ-CODEL in interface queues and fasttrack

Okay, then I suppose they're using some other type of traffic pacing control required by fq-codel. A potential transition to standard BQL would likely simplify code management in the long run.
by Larsa
Sun Feb 25, 2024 8:05 pm
Forum: General
Topic: SQM - using FQ-CODEL in interface queues and fasttrack
Replies: 6
Views: 1439

Re: SQM - using FQ-CODEL in interface queues and fasttrack

AFAIK, device drivers also need to support BQL. Since it's just a matter of pretty basic counters, it shouldn't be too complicated to implement. However, considering that BQL has been around for about 10-12 years, are you absolutely sure they haven't implemented it already or using some equivalent p...
by Larsa
Fri Feb 23, 2024 12:59 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1060

Re: Chateau 5G R16: request for modem's AT Command documentation

You might have misunderstood or somehow missed what I wrote but the session is "controlled" by PCF. When a dedicated flow is initiated from the network its initial set of flow control parameters are retrieved from the MNO's "operations center" (OSS/BSS) which manages the contract...
by Larsa
Thu Feb 22, 2024 6:58 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1060

Re: Chateau 5G R16: request for modem's AT Command documentation

Guaranteed bit-rate might not be the only consideration for CCTV/VMS systems but I get your point. Capabilities like for example guaranteed latency, bandwidth/bitrate, QoS, and reliability within PDUs are controlled by the 5G Core Network through the "Policy Control Function" (PCF). The NM...
by Larsa
Thu Feb 22, 2024 1:01 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1010
Views: 1128603

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

@mdadmin, what are you trying to imply and what source(s) are you relying on? Check https://multirbl.valli.org/dnsbl-lookup ... 4.120.html
by Larsa
Wed Feb 21, 2024 6:48 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1060

Re: Chateau 5G R16: request for modem's AT Command documentation

@sbert, do you have a specific issue you're trying to address using dedicated flow? Dedicated flow relies on the capabilities of the user equipment and the services provided by the MNO. Some advanced 5G devices may support it but it's not a common feature on consumer devices equipped with chips like...
by Larsa
Wed Feb 21, 2024 2:49 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1060

Re: Chateau 5G R16: request for modem's AT Command documentation

Replaced with a more detailed post down below.
by Larsa
Tue Feb 20, 2024 9:06 pm
Forum: General
Topic: DDNS issue with ECMP in ROSv7
Replies: 2
Views: 298

Re: DDNS issue with ECMP in ROSv7

It's pretty hard to say anything at all without knowing how, when, which DDNS provider, RouterOS 7 version, network topology, etc..
by Larsa
Tue Feb 20, 2024 6:28 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 724

Re: Wireguard simple firewall rule

@l2sverige, check for any traffic on the wg interface using Winbox Tools -> Packet Sniffer. If not, there might be a mismatch in the wg peer configuration, either with the keys or the allowed addresses.
by Larsa
Tue Feb 20, 2024 6:04 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 724

Re: Wireguard simple firewall rule

Haha! Well, I think my solution is WAY better since it's just a single firewall rule which restricts any source to the destination. Remember KISS ;-D ;-D
by Larsa
Tue Feb 20, 2024 5:54 pm
Forum: Virtualization
Topic: CHR using Apple Virtualization Framework (via UTM)
Replies: 51
Views: 4029

Re: CHR using Apple Virtualization Framework (via UTM)

@Ammo, thanks for very interesting info! Personally I love Parallels Desktop but for various reasons we are exploring alternative solutions. UTM/VMF might be an option when it becomes stable enough. Will definitely look into it further..
by Larsa
Tue Feb 20, 2024 5:23 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 724

Re: Wireguard simple firewall rule

@l2sverige - as a suggestion, create a new WireGuard interface, for example "WG-restricted", and place all connections (peers) that need to be restricted to 10.0.0.10-10.0.0.12 on that interface. Don't add "WG-restricted" to the LAN interface list, instead use: "/ip/firewall/fi...
by Larsa
Tue Feb 20, 2024 8:01 am
Forum: General
Topic: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?
Replies: 2
Views: 388

Re: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?

There is no "vanilla" except for the actual tunnel protocol. The resolver and wg peer setup process is implementation-specific and you can make it work using standard configuration settings on a regular Linux machine. However, in this case I am looking for a solution for MikroTik boxes whe...
by Larsa
Tue Feb 20, 2024 12:15 am
Forum: General
Topic: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?
Replies: 2
Views: 388

IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?

We are working with some customers where the regional NMO will soon phase out all public IPv4 addresses to be replaced by CGNAT. The NMO has implemented IPv6, though only dynamic /64 prefixes are available. To address this potential issue, we would like to prioritize IPv6 connectivity on all affecte...
by Larsa
Mon Feb 19, 2024 12:28 pm
Forum: General
Topic: CVE abuse of Linux Kernel stopped
Replies: 0
Views: 346

CVE abuse of Linux Kernel stopped

An end is being put to the misuse of CVE reports from individuals and companies outside the Linux kernel community. Hopefully, this will lead to fewer inaccurate CVE reports. [2024-02-17] phoronix.com - Linux 6.8-rc5 Released With Documented Process For CVE Security Vulnerabilities https://github.co...
by Larsa
Sat Feb 17, 2024 11:47 pm
Forum: Virtualization
Topic: CHR Hosted in Azure?
Replies: 9
Views: 859

Re: CHR Hosted in Azure?

No problems running V7 on Azure. I recommend using Bicep to streamline your CHR installations for easier deployment on Azure.
by Larsa
Fri Feb 16, 2024 10:33 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

FIXED!!!

Thank you for the feedback and great to hear you’ve managed to locate the root cause. Even though it might be challenging when things don't work as expected, you usually learn a whole lot during the troubleshooting process.

Have a nice weekend!
by Larsa
Thu Feb 15, 2024 10:13 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

To begin with I think your English is almost perfect, so there are absolutely no problems understanding what you mean. Back to business: The standard system log in RouterOS for Wireguard lacks logging at the packet level so you need to use WinBox "Packet Sniffer" to trace the Wireguard ing...
by Larsa
Thu Feb 15, 2024 3:42 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

When testing your Linux WireGuard config, the following link provides you with excellent clues. I absolutely love the format of the Pro Custodibus blogs! A brilliantly elaborate pedagogy using images in combination with a well-thought-out flow of explanatory text is among the best resources you can find...
by Larsa
Wed Feb 14, 2024 9:32 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

I had a quick glance at the configuration, though only for WireGuard and the firewall. Everything seems to be in order, and considering that the mobile devices are working, there probably isn't any issue with your RB2011. Thus, unfortunately you'll have to continue troubleshooting with your Linux bo...
by Larsa
Wed Feb 14, 2024 3:25 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

Here is a link to Anav's user guide "Wireguard Success For The Beginner" which might come in handy..
by Larsa
Wed Feb 14, 2024 12:37 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

@resca: Have you checked the handshake status of the Wireguard peer using WinBox? When everything is okay, the handshake timer will increment up to two minutes and then start over again. If the handshake is okay, you might have other problems like routing or a firewall blocking the payload traffic.
by Larsa
Wed Feb 14, 2024 12:24 am
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2700

Re: Tilde sign in Terminal (Mac) [SOLVED]

Yeah, the Magic Keyboard is a winner!
by Larsa
Tue Feb 13, 2024 11:24 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2700

Re: Tilde sign in Terminal (Mac) [SOLVED]

That usually works fine with "normal" keyboards. However, on a MacBook, pressing shift + grave accent + space might, under certain conditions, produce "±". That's why using opt+n might be a better choice. MacBook keyboards equipped with a hat key (^) can use it in combination wit...
by Larsa
Tue Feb 13, 2024 11:05 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

I believe that packet-level tracing provides an excellent starting point to ensure that packets reach their destination without obstacles along the way. However, it's up to you to choose the tools that best fit your situation. A tip to improve your chances of getting help in this user forum is to at...
by Larsa
Tue Feb 13, 2024 10:33 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2700

Re: Tilde sign in Terminal (Mac) [SOLVED]

Well thanks, but Opt+n followed by spacebar is still the standard procedure for producing a plain 'tilde'..
by Larsa
Tue Feb 13, 2024 9:08 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2700

Re: Tilde sign in Terminal (Mac) [SOLVED]

On a US Mac keyboard, use Opt+N and then press spacebar to generate "~".
by Larsa
Tue Feb 13, 2024 8:07 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

To check how the raw Wireguard packets might appear on the Mikrotik, use Winbox by going to "Tools -> Packet Sniffer". Select the WAN interface and port 13231. Click on [Apply], [Start], and finally the [Packets] button to open the window where the tracing is displayed. Remember to press t...
by Larsa
Tue Feb 13, 2024 12:51 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

@resca; since you only have one peer on the Mikrotik, ensure there isn't already an active session on it. If the handshake of the peer is under two minutes there is likely an active tunnel.
by Larsa
Tue Feb 13, 2024 12:41 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

I forgot to mention that the Wireguard endpoint in the Mikrotik also needs to match the network addresses of the received packets. Even if the Linux box is using the correct keys, ROS will simply discard the packets if the "allowed addresses" do not match the Linux address. You can enable ...
by Larsa
Tue Feb 13, 2024 12:08 am
Forum: Beginner Basics
Topic: RB5009 not getting DynamicIP from Comcast Cable MODEM (Solved)
Replies: 11
Views: 828

Re: RB5009 not getting DynamicIP from Comcast Cable MODEM

@Axo123, test if DHCP is working properly by running WinBox "Tools -> Packet Sniffer" on the WAN interface. When the router sends out a DHCPREQUEST, you should receive a DHCPOFFER with an IP address. As a side note, some sites impose restrictions where you are allowed to use only one IP ad...
by Larsa
Mon Feb 12, 2024 7:05 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2272

Re: Wireguard from Linux not working [SOLVED]

@resca, to trace traffic on the Linux box, use for example, "tcpdump -i name-of-wg-interface". On the MikroTik, use Winbox "Tools -> Packet Sniffer" and select the wg-interface to trace packets in real-time. If you don't receive any traffic on the Linux box, you might have a fire...
by Larsa
Sun Feb 11, 2024 11:33 am
Forum: General
Topic: Winbox on Mac always false-starts?
Replies: 5
Views: 973

Re: Winbox on Mac always false-starts?

I have exactly the same behavior with WinBox on macOS/Wine (both version 8/9) when "Open in New Window" is checked. I started debugging Wine in a development environment but never managed to identify the root cause. The problem closely resembles old MS Windows issues that occurred when a p...
by Larsa
Fri Feb 09, 2024 12:10 am
Forum: General
Topic: RouterOS Virtual Private Networks, which one to choose?
Replies: 7
Views: 806

Re: RouterOS Virtual Private Networks, which one to choose?

2. Zerotier: Allows one to stitch together all your subnets as if they were on the same subnet, L2 connection. Great for multicasting etc but harder to separate out users from each other as it's one happy LAN. Note; Relies on zerotier servers (third party). That's not entirely true. ZeroTier default...
by Larsa
Wed Feb 07, 2024 1:45 pm
Forum: General
Topic: Mikrotik V7 - PPTP not recommended
Replies: 10
Views: 815

Re: Mikrotik V7 - PPTP not recommended

There's nothing inherently wrong with PPTP any more than with GRE or even older tunnels like IPIP from the mid-1980s, but they all require encryption to secure the connection. The primary reason why PPTP is considered insecure on ROS is that Mikrotik didn't bother to implement stronger encryption me...
by Larsa
Thu Feb 01, 2024 3:07 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

No problem using SR-IOV on KVM provided the NIC and drivers support it. We have some 10-year-old legacy servers (HP DL380 G5/G6 IIRC) in our testlab to play with and they run just fine using SR-IOV. Regarding the new licensing model and considering all the frustrating comments where many feel comple...
by Larsa
Wed Jan 31, 2024 11:05 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

Another interesting platform is Nutanix Acropolis Hypervisor (AHV) which is based on the open-source KVM hypervisor and includes standard features such as live migration and VM-centric snapshots. Nutanix has tools to migrate ESXi to their platform. Read more about it in the article "All About H...
by Larsa
Wed Jan 31, 2024 7:23 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2030

Re: L009 and ZeroTier

Thank you, but it looks like a rather old post from Sep '23. I can't find any statement from ZeroTier regarding a new license model and it seems more like two customers have complained about incorrect license quotes.
by Larsa
Wed Jan 31, 2024 7:01 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

Btw, here is the new Broadcom VMware licensing model for those unlucky ones who lack the original perpetual licenses. "Foundation" is needed to enable SR-IOV, DirectPath (PCI Passthrough) etc. A one-year subscription is about 40% more expensive.
by Larsa
Wed Jan 31, 2024 5:21 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2030

Re: L009 and ZeroTier

@gotsprings, I noticed the Reddit discussion speculating about a possible new licensing model but haven't seen any official statement regarding this. Do you know where to find it?
by Larsa
Wed Jan 31, 2024 4:58 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

OpenNebula, Proxmox VE, KVM, Xen, XCP-ng, Virt-Manager, oVirt ... and others all utilize more or less the same fundamental Linux kernel capabilities. However, they differ in their integration methods for installation/configuration, admin GUI, Docker support, tools for operations, monitoring, online ...
by Larsa
Wed Jan 31, 2024 2:42 pm
Forum: General
Topic: Oxidized backup issue [SOLVED]
Replies: 3
Views: 956

Re: Oxidized backup issue [SOLVED]

Just as a reference, here is the official Oxidized RoS plugin that supports the new v7 date header with the courtesy of Brian Candler (candlerb)
https://github.com/ytti/oxidized/blob/master/lib/oxidized/model/routeros.rb
by Larsa
Wed Jan 31, 2024 12:57 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

Certainly, license costs might have a decisive significance but the original question was primarily about performance and which platforms are available with SR-IOV. However, my comment was aimed more at a general recommendation considering Proxmox VE or proprietary solutions like vSphere/Hyper-V. Wh...
by Larsa
Wed Jan 31, 2024 10:54 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

Proxmox VE can definitely be a performant open-source solution if you are willing to invest time in how to configure PCIe Passthrough and SR-IOV, analyze and fix potential issues yourself. However, if you need data center features such as high-end performance, central administration and monitoring...
by Larsa
Wed Jan 31, 2024 8:44 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2413

Re: SR-IOV with CHR - What hypervisors are you using ?

SR-IOV is supported in almost all virtual hosts, including ESXi. It's up to the NIC device driver to implement the capabilities. I'd start by checking the SR-IOV capabilities of your NICs and drivers with the manufacturers. Similar to specialized variants such as DirectPath, DirectIO etc which only ...
by Larsa
Tue Jan 30, 2024 8:17 pm
Forum: General
Topic: On-Premise / Azure VPN S2S (IPsec) Connection
Replies: 3
Views: 1042

Re: On-Premise / Azure VPN S2S (IPsec) Connection

Hi, there are plenty of guides online. Here are some examples: - Azure VPN Gateway and Mikrotik IPSEC/IKE Configuration - MikroTik site-to-site IPsec VPN connection to Azure Resource Manager based gateway - Azure VPN [SOLVED] Youtube: - Easy IPSEC Site-To-Site VPN Guide, MikroTik ROSv7 Microsoft: - ...
by Larsa
Tue Jan 30, 2024 7:20 pm
Forum: General
Topic: Mikrotik Professionals Conference in Prague March 7th-8th 2024
Replies: 12
Views: 1772

Re: Mikrotik Professionals Conference in Prague March 7th-8th 2024

Thank you, what a pleasant surprise and especially that the event is held in cozy Prague. Cheers!
by Larsa
Tue Jan 30, 2024 11:07 am
Forum: General
Topic: CVE-2023-6200 - ICMPv6 RA packet, causing arbitrary code execution [SOLVED]
Replies: 4
Views: 831

Re: CVE-2023-6200 - ICMPv6 RA packet, causing arbitrary code execution [SOLVED]

CVE-2023-6200 Detail - "AWAITING ANALYSIS" This vulnerability is currently awaiting analysis. The remote attack is potentially possible in the local network only Ongoing analysis is still being conducted regarding when, how, etc. It's not possible at this time to point out which platfor...
by Larsa
Mon Jan 29, 2024 2:06 pm
Forum: General
Topic: Feature requests
Replies: 1743
Views: 638181

Re: Feature requests - CHR on Bare Metal for faster Network throughput

CPU PCI-E lanes can't handle/sustain that speed - other factors will be problem too ( example: LATENCY ). The ASR9K/NCS series can do that kind of job. ASR9x and similar models nowadays act more like "regular" linux blade servers with Cisco Linux (IOS XR). Blade cards mainly utilize stand...
by Larsa
Sat Jan 27, 2024 11:10 am
Forum: General
Topic: Feature requests
Replies: 1743
Views: 638181

Re: Feature requests

As I mentioned in another comment, in terms of CHR performance using today's modern drivers supporting DirectIO/DirectPath/SR-IOV, it's as fast as bare metal and the overhead of the supervisor is barely measurable. A properly configured virtual system can easily push many hundreds of gigabits without...
by Larsa
Thu Jan 25, 2024 8:33 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 658

Re: User Manual request for WAP LTE6 Kit

\interface lte1 allow-roaming yes <- something like that in terminal and I've not set myself as SU ... did I make it good or not ? You had it almost right, it should be: " /interface/lte/set lte1 allow-roaming=yes " When using web admin, you should find the check box under: WebFig -> Inte...
by Larsa
Thu Jan 25, 2024 4:43 pm
Forum: General
Topic: Oxidized backup issue [SOLVED]
Replies: 3
Views: 956

Re: Oxidized backup issue [SOLVED]

Since it's just the top line that is set with the actual export date, you can simply skip that using a rewrite rule in Oxidized.

# 2024-01-25 09:35:49 by RouterOS 7.12.1
# software id = KAVV-XYZQ
# . . .
# . . .
by Larsa
Thu Jan 25, 2024 4:24 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 658

Re: User Manual request for WAP LTE6 Kit

You are most welcome! :-) Btw, fixed broken link "Getting started - First Time Configuration"
by Larsa
Thu Jan 25, 2024 2:46 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 658

Re: User Manual request for WAP LTE6 Kit

MikroTik docs: - RouterOS Documentation - Getting started - First Time Configuration - wAP ac kit-series documentation Some useful user articles: - Beginner Basics - New User Config - Firewall Setup - Other useful user articles Edit: fixed broken link "Getting started - First Time Configurati...
by Larsa
Thu Jan 25, 2024 2:14 pm
Forum: Forwarding Protocols
Topic: IS-IS
Replies: 134
Views: 53283

Re: IS-IS

why use CHR ?? is mikrotik v7 RoS runs great in bare metal... OT - In my opinion, one of the major advantages of CHR is that the platform becomes hardware-agnostic and also enables it to move or upgrade "live" including network sessions to new hw without any downtime (aka Hyper-v/vSphere ...
by Larsa
Wed Jan 24, 2024 3:56 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1399

Re: ikev2 vpn speed

According to Mikrotik's product page for hAP lite TC, it supports the latest version ROS v7.13.2 if you want to try upgrading. There's some information on their website and various posts in the forum on how to upgrade. Remember to first make a backup if you would like to go back to v6. https://help...
by Larsa
Wed Jan 24, 2024 2:40 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1399

Re: ikev2 vpn speed

Okay, why is that? As far as I know, WireGuard is supported on all platforms using ROS v7.
by Larsa
Tue Jan 23, 2024 9:40 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1399

Re: ikev2 vpn speed

Okay, that’s probably the main reason for the bottleneck.

If possible, give WireGuard a try as it tends to be a bit more lenient when it comes to software encryption.
by Larsa
Tue Jan 23, 2024 9:34 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1399

Re: ikev2 vpn speed

Check if your router model supports hardware acceleration for AES (IPSec). If not, encryption will be performed using software and the maximum throughput will be limited to the CPU power.

https://help.mikrotik.com/docs/display/ ... celeration
by Larsa
Sat Jan 20, 2024 5:22 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2030

Re: L009 and ZeroTier

Unfortunately still software encryption on all platforms. Hopefully it will be addressed in future releases of ROS.
by Larsa
Thu Jan 18, 2024 4:04 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 37458

Re: Forum moderation volunteers

by Larsa
Thu Jan 18, 2024 2:47 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 37458

Re: Forum moderation volunteers

Until now, the only outcome of this discussion was a few guideline posts being removed. I might be wrong, but I think @Anav foremost wants MikroTik to engage much more in practical matters regarding the forum in order to create better conditions to eliminate structural problems that unnecessarily o...
by Larsa
Wed Dec 20, 2023 11:15 am
Forum: General
Topic: Wireguard very slow
Replies: 10
Views: 2442

Re: Wireguard very slow

Since WireGuard utilizes ChaCha20, which is pure software encryption, the bottleneck is almost always the CPU power. When the CPU hits 100% on either endpoint, that's the maximum throughput you will get.
by Larsa
Mon Dec 18, 2023 12:20 pm
Forum: Virtualization
Topic: CHR tx-queue-drops-per-second
Replies: 7
Views: 9255

Re: CHR tx-queue-drops-per-second

”Try to using cpu affinity for dedicated CHR cpu and SR-IOV to bypass esxi kernel for using dedicated CHR NIC.”

Yeah, that should be pinned somewhere as best practice.
by Larsa
Fri Dec 15, 2023 4:28 pm
Forum: RouterBOARD hardware
Topic: x86 Mikrotik v7 performance - choosing the x86 CPU
Replies: 9
Views: 5798

Re: x86 Mikrotik v7 performance - choosing the x86 CPU

A suggestion is to start by focusing on the network interface which is generally the most crucial component whether it is used as "bare metal" or as a virtual Network Interface Card (vNIC) in CHR. A well-developed driver is also a prerequisite and can be a showstopper determining whether the ...
by Larsa
Fri Dec 15, 2023 11:36 am
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 52007

Re: v7.13rc [testing] is released!

An LTS/SLTS kernel should for obvious reasons be a better choice, AFAIK v5.6.3 is not such a version.
by Larsa
Wed Dec 13, 2023 12:22 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 52007

Re: v7.13rc [testing] is released!

That link is for podcasters only. This is for us normal people ;-)

https://open.spotify.com/show/7sq8IetuZCDDKEvuLX3SL2
by Larsa
Tue Dec 12, 2023 9:49 pm
Forum: Containers
Topic: Hardware accelerated encryption
Replies: 3
Views: 2202

Re: Hardware accelerated encryption

If we're talking about AES, just search "linux arm aes instructions" on Google eg

https://www.linaro.org/blog/accelerated ... ux-kernel/
by Larsa
Tue Dec 12, 2023 9:00 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

As I mentioned earlier, it’s feasible with SD-WAN in general using open-source or paid solutions. There is no magic with the VPS; it's simply another node employing the SD-WAN protocol that might be used as default gateway to internet for the SD-WAN network. SD-WAN is by design fault-tolerant and ut...
by Larsa
Mon Dec 11, 2023 10:05 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

@Gotsprings, I don’t get what you mean by "load-balanced single IP." Zerotier, Tailscale, and most other SD-WAN solutions can utilize multipath and internal load balancing with an "exit node" to a public IP on internet. It’s just a matter of configuration.
by Larsa
Mon Dec 11, 2023 6:07 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 52007

Re: v7.13rc [testing] is released!

Confirmed, WireGuard is blocked by ISP.
Unlikely, but try changing the port number. Btw, this is OT thus please create a new thread to continue troubleshooting.
by Larsa
Wed Nov 22, 2023 11:14 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

If Mikrotik marketing was more aggressive, you could call RouterOS tunnels+mangle+scripts as a "software-defined WAN" too ;).

Yup, so it is!

Regarding 'black box' solutions like B.L, Gartner also expressed concern about the lack of technical details.
by Larsa
Wed Nov 22, 2023 9:27 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

@Amm0, BigLeaf is just a regular SD-WAN solution with options like public internet access branded “cloud routing”.
by Larsa
Sun Nov 19, 2023 2:02 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

Well, I beg to differ. I believe that there is absolutely no exaggeration in striving to achieve simple configuration and administration of VPN links for network management. On the contrary, SD-WAN like ZeroTier is way much easier to manage compared to manually configured static links like WireGuard,...
by Larsa
Sun Nov 19, 2023 12:15 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 12591

Re: Multi-WAN Load Balancing Starlink issue

Just a side note before jumping on the SD-WAN train with solutions like BigLeaf, first make sure your objectives are in order before making any decisions. Fwiw, ZeroTier is already integrated into ROS v.7. As for remote management, I’d choose ZeroTier anytime over WireGuard but the latter might serv...
by Larsa
Wed Nov 15, 2023 6:26 pm
Forum: RouterBOARD hardware
Topic: MikroTik AMPERE CPU (coming soon)
Replies: 18
Views: 8427

Re: MikroTik AMPERE CPU (coming soon)

The Altra series (30/64/80C) isn't exactly cheap but would probably fit pretty well as a natural successor to the CCR1036/72..
by Larsa
Fri Sep 15, 2023 12:57 pm
Forum: General
Topic: WireGuard vs IPSec performance
Replies: 14
Views: 12879

Re: WireGuard vs IPSec performance

Well, perhaps for some special case using a single tunnel.

A beefy CPU typically includes an even more beefy AES hw acceleration. If performance is a concern use IPsec otherwise invest in a Wireguard server farm. ;-)
by Larsa
Fri Sep 15, 2023 12:07 pm
Forum: General
Topic: WireGuard vs IPSec performance
Replies: 14
Views: 12879

Re: WireGuard vs IPSec performance

Bottom line to achieve maximum throughput:
- Use IPsec when hardware acceleration is available at both ends.
- In other cases, use Wireguard.
by Larsa
Fri Sep 15, 2023 11:43 am
Forum: Beginner Basics
Topic: ipsec vpn create SA, but no traffic from remote site to Microtik
Replies: 5
Views: 1428

Re: ipsec vpn create SA, but no traffic from remote site to Microtik

Thanks. A brief description of the network topology would be helpful for getting an idea of how everything is connected and which site that is problematic, for example: <hex local sub-net x.x.x.x ipsec> Wan xx <internet> Wan xx <windows SITE1 ipsec local subnet x.x.x.x.> <hex local sub-net x.x.x.x i...
by Larsa
Fri Sep 15, 2023 9:35 am
Forum: Beginner Basics
Topic: ipsec vpn create SA, but no traffic from remote site to Microtik
Replies: 5
Views: 1428

Re: ipsec vpn create SA, but no traffic from remote site to Microtik

If you provide a config export, it would greatly help to analyse the problem.

Did you setup policies to match the correct subnets and src-nat to allow IPsec to intercept egress packets? How is the remote site configured and do you have control over it?
by Larsa
Thu Sep 14, 2023 11:28 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11651

Re: Very high CPU usage on PCC Loadbalancing with 7.x

@msatter: Yes, the previous v6 kernel global routing cache (that was prone to pollution attacks) has been removed and replaced with a more efficient (faster) multi-layer cache in the v7 kernel. However, in some specific scenarios it might consume more CPU resources which could be noticeable on older...
by Larsa
Thu Sep 14, 2023 8:46 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11651

Re: Very high CPU usage on PCC Loadbalancing with 7.x

Once again, that's a myth and misconception spread on this forum. The current V7 kernel utilizes a more modern network stack that divides the cache into distinct layers, achieving greater efficiency where it's most needed. Some relevant reading on the subject: Routing Decisions in the Linux Kernel -...
by Larsa
Thu Sep 14, 2023 8:03 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1144

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

If the installation is intended for commercial use in an IXP as OP stated in the first post, that network diagram might become pretty complex and might not be suitable to share in this forum.

The crucial question is on which side of the IXP, or perhaps on both sides (i.e., CO=L2 or ISP=L3).
by Larsa
Thu Sep 14, 2023 7:12 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1144

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Just BGP-EVPN for use with VXLAN. - S6730-H24X6C is an L2 switch with some limited L3 functionality. - CCR1072-1G-8S+ is a high-end L3 router. Which of the two suits best depends entirely on your business case. Hence my previous question: Is the objective of the solution to act as an interconnectio...
by Larsa
Thu Sep 14, 2023 6:52 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1144

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Thanks, but did you notice my previous questions?
by Larsa
Thu Sep 14, 2023 6:03 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1144

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Are you sure you have the correct model number? The S6730 series are essentially L2 switches with some L3 functionality. Is the target solution supposed to act as an interconnection point (IXP) for a Communication Service Provider using some form of L2 MPLS or pure L3 on the ISP side?
by Larsa
Thu Sep 14, 2023 10:33 am
Forum: General
Topic: Packet sniffer - where it sniffs?
Replies: 6
Views: 2753

Re: Packet sniffer - where it sniffs?

If this thread is only about best practices for using Packet Sniffer on IPsec traffic, then this answer is OT. Plain IPsec usually doesn't pose any significant issues. If your IPsec peer is active (ie established SA for each ip), it typically involves routing problems like forgetting to set 'src-nat...
by Larsa
Wed Sep 13, 2023 10:20 am
Forum: General
Topic: No access to Mikrotik (winbox, android etc.) when connected via Wireguard
Replies: 4
Views: 1020

Re: No access to Mikrotik (winbox, android etc.) when connected via Wireguard

Add the wireguard interface to the interface-list LAN (Interfaces->tab “interface list”)
by Larsa
Tue Sep 12, 2023 3:05 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

Well, you either troubleshoot or downgrade. If you still want to troubleshoot the root cause, bring a laptop back home and try different key sizes that match the CCR hardware offload. Start using pure IPsec. Then test it again at work. Once everything works as expected, you can start adding other tu...
by Larsa
Tue Sep 12, 2023 2:07 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

Okay, so the network topology looks like this:

Work PC (IPsec initiator) -> Office default gateway (Fortigate) -> Home (CCR IPsec responder), where the Fortigate just acts as a regular internet gateway, correct?
by Larsa
Tue Sep 12, 2023 11:52 am
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

Whether the VPN tunnel is persistent or not is completely irrelevant. However, I still don't get it regarding the "PC". Please be more precise and describe what the network topology looks like in more detail and where the problem occurs: 1. PC (IPsec 'road warrior') -> Home 2. PC (IPsec 'r...
by Larsa
Tue Sep 12, 2023 9:18 am
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

Well, your description is very unprecise as to exactly what problem you are referring to. If it concerns a road warrior connection with, for example a smartphone using IPsec, there is nothing strange about 10-20 Mbit. Regarding the Office (Fortigate model ???) to Home (CCR1009) connection, I'd say t...
by Larsa
Mon Sep 11, 2023 11:02 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

Just a suggestion, start by conducting regular IPsec tests in both directions to verify that encryption hardware acceleration is functioning properly. Then, dig into stuff like MTU and other tunnel settings.

Btw, what encryption methods are supported in hardware by the Fortigate?
by Larsa
Mon Sep 11, 2023 10:02 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1918

Re: CCR1009 slow ipsec on 7.xx vers.

It's completely impossible to say since you forgot to mention the small detail about what you're running at home and what encryption method is being used...
by Larsa
Mon Sep 11, 2023 6:29 pm
Forum: Beginner Basics
Topic: I can't connect via ssh to routeros
Replies: 3
Views: 1198

Re: I can't connect via ssh to routeros

@Samiojtm1, never ever open services like ssh for public access from internet. Instead use VPN to access your local network. Here are some useful user guides courtesy of @Anav: - Beginner Basics - The DEFACTO DEFAULT FIREWALL Setup - New User Pathway To Config Success - Wireguard Success For The Beg...
by Larsa
Mon Sep 11, 2023 1:17 pm
Forum: General
Topic: DDoS Protection Firewall
Replies: 5
Views: 3241

Re: DDoS Protection Firewall

How protect then our microtik's ip from ddos

MikroTik and other manufacturers of regular routers typically don't have built-in ability to stop DDoS attacks. To address this issue you need to utilize external services like Cloudflare, Google Cloud Armor and similar solutions.
by Larsa
Sun Sep 10, 2023 10:28 pm
Forum: General
Topic: IPSec slow
Replies: 3
Views: 1495

Re: IPSec slow

Please check the product page for CPU model and IPSec performance specs. Then check the IPsec specs to determine which encryption method should be used at both ends in order to optimize hardware acceleration.
by Larsa
Sun Sep 10, 2023 10:41 am
Forum: General
Topic: ZeroTier setup optimization advice
Replies: 3
Views: 1061

Re: ZeroTier setup optimization advice

Yeah, unfortunately. We can only hope that MT will enable hardware acceleration anytime soon for AES (where available in hw that is) which was introduced already in ZeroTier 1.6.
by Larsa
Thu Sep 07, 2023 10:09 pm
Forum: General
Topic: CCR2116 VPN (Wireguard Encryption) [SOLVED]
Replies: 3
Views: 1619

Re: CCR2116 VPN (Wireguard Encryption) [SOLVED]

WireGuard’s ChaCha20 encryption lacks hardware acceleration on all platforms (not just on Mikrotik) unlike IPsec which is the preferred way if you are looking for fast VPN throughput. Check the product IPsec specs. When vector extensions such as AVX get wider and faster like on upcoming high end AR...
by Larsa
Thu Sep 07, 2023 9:57 pm
Forum: General
Topic: iPad not auto-reconncting to Wireguard after router reboot
Replies: 13
Views: 1667

Re: iPad not auto-reconncting to Wireguard after router reboot

can you explain exactly what On-Demand does?

When your iPad is trying to connect to something that matches the destination address, WireGuard will enable the tunnel automatically.
by Larsa
Thu Sep 07, 2023 9:56 pm
Forum: General
Topic: iPad not auto-reconncting to Wireguard after router reboot
Replies: 13
Views: 1667

Re: iPad not auto-reconncting to Wireguard after router reboot

can you explain exactly what On-Demand does?

When your iPad is trying to connect to something that matches the destination address, WireGuard will enable the tunnel automatically.
by Larsa
Wed Sep 06, 2023 3:33 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

Could you please share an export of just the MACVLAN config?
by Larsa
Wed Sep 06, 2023 1:11 pm
Forum: Virtualization
Topic: CHR + ESXi 6.7 U3 tx-drops with VLANs
Replies: 3
Views: 6920

Re: CHR + ESXi 6.7 U3 tx-drops with VLANs

Just be aware that e1000 is a legacy driver that should be used only for troubleshooting the root cause of issues with VMXNET3 which is the preferred driver for production use.
by Larsa
Tue Sep 05, 2023 9:10 pm
Forum: Beginner Basics
Topic: Using ChatGPT to make a QOS script for PS5, Opinions?
Replies: 9
Views: 2965

Re: Using ChatGPT to make a QOS script for PS5, Opinions?

ChatGPT is just a dumb language model that makes up a lot of stuff so you can never ever trust it to supply the correct facts. It's better to find another source for your project.
by Larsa
Mon Sep 04, 2023 7:58 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

Has anyone gotten this to work yet using 7.12?
by Larsa
Tue Aug 29, 2023 3:44 pm
Forum: General
Topic: Block Network Access (mutual communication) between 2 VPN user on same VPN server but different network
Replies: 8
Views: 1419

Re: Block Network Access (mutual communication) between 2 VPN user on same VPN server but different network

@miankamran7100
Suggestion:
- Add both IP addresses to an address list called "Blocked"
- Create a "forward" rule with the action "drop" and set the source and destination address lists to "Blocked".
by Larsa
Sun Aug 27, 2023 10:50 pm
Forum: RouterOS beta
Topic: RB5009 Wireguard only 150 Mbps
Replies: 30
Views: 15740

Re: RB5009 Wireguard only 150 Mbps

WireGuard encryption (ChaCha20) lacks support for hardware acceleration which makes it entirely dependent on CPU speed at both ends.
by Larsa
Sun Aug 27, 2023 9:57 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

Great! I haven't had time to try it yet so it would be nice if you could share a sample config using export.
by Larsa
Sat Aug 26, 2023 12:02 am
Forum: General
Topic: ROS X86 10G SFP+ issue
Replies: 14
Views: 2800

Re: ROS X86 10G SFP+ issue

If you can't get SFP+ to work with the built-in x86-64 RoS drivers your only option is virtualization using CHR on for example ESXi or Hyper-V. ESXi usually works very well on most HP servers like the DL360 offering performance close to bare-metal speed using the built-in NICs. If you prefer Windows...
by Larsa
Fri Aug 25, 2023 10:33 am
Forum: General
Topic: ROS X86 10G SFP+ issue
Replies: 14
Views: 2800

Re: ROS X86 10G SFP+ issue

I'm not aware of any 'magic' walls so far, only misconfigured systems. We're able to shovel several hundred gigabits using modern io-srv and no-copy drivers without any major impact on our bng systems. That goes for both IB and ETH drivers.
by Larsa
Fri Aug 25, 2023 9:42 am
Forum: General
Topic: ROS X86 10G SFP+ issue
Replies: 14
Views: 2800

Re: ROS X86 10G SFP+ issue

Bare Metal slaughters CHR performance. The key is using the right NICs. Mellanox ConnectX 4,5,6 I find to be solid. That's a myth and might have been true in the old days of virtualization. Mellanox ConnectX Ethernet cards are good, even v3, and most HP server built-in NICs are sufficient as well. ...
by Larsa
Thu Aug 24, 2023 10:32 pm
Forum: General
Topic: ROS X86 10G SFP+ issue
Replies: 14
Views: 2800

Re: ROS X86 10G SFP+ issue

@tareqbd, do yourself a big favour and buy an MT box, or at least skip flaky x86-64 drivers and instead go with ESXi using CHR or a similar option for close-to-bare-metal speed.
by Larsa
Thu Aug 24, 2023 8:49 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

I'll check if I can find an MT box to play with at home. Our current ISP/CO can offer 4 IP addresses over the same cable using the media converter XG6846, but requires a distinct MAC address for each one.
by Larsa
Thu Aug 24, 2023 7:48 pm
Forum: RouterOS beta
Topic: Why isn't macvlan support a priority for MikroTik?
Replies: 16
Views: 5967

Re: Why isn't macvlan support a priority for MikroTik?

tried using the CLI yet?
by Larsa
Wed Aug 23, 2023 11:10 pm
Forum: General
Topic: New RouterOS theme
Replies: 21
Views: 4148

Re: New RouterOS theme

I agree, it shouldn't take too much effort to correct fairly simple design flaws.
by Larsa
Tue Aug 22, 2023 8:24 pm
Forum: Wireless Networking
Topic: [Issue] Atheros AR9888 not working
Replies: 20
Views: 4081

Re: [Issue] Atheros AR9888 not working

It just doesn't work... That's also what MikroTik support responded to my issue and there are no plans to support it (see my former post https://forum.mikrotik.com/viewtopic.php?p=1020606#p1010808 ). I guess we are out of luck, since even if you could configure the wifi in a hypervisor and pass it ...
by Larsa
Tue Aug 22, 2023 5:09 pm
Forum: Wireless Networking
Topic: [Issue] Atheros AR9888 not working
Replies: 20
Views: 4081

Re: [Issue] Atheros AR9888 not working

Settings not available using the V-NIC have to be administered by the host.

Check: “hyper-v add wifi adapter”
by Larsa
Tue Aug 22, 2023 9:39 am
Forum: Wireless Networking
Topic: [Issue] Atheros AR9888 not working
Replies: 20
Views: 4081

Re: [Issue] Atheros AR9888 not working

Well, simply put: you either wait forever to get support for an odd chipset/NIC on bare metal or utilize virtualization.

In general, if the NIC is working properly in Windows, it usually works in Hyper-V as well.
by Larsa
Mon Aug 21, 2023 10:11 pm
Forum: Wireless Networking
Topic: [Issue] Atheros AR9888 not working
Replies: 20
Views: 4081

Re: [Issue] Atheros AR9888 not working

It doesn’t matter what type of nic (eth, wireless, etc) is available in windows; you simply add an arbitrary one and it will appear as a virtual nic in hyperv

I'm running RoS using hyperv without any issues on a 10-year-old Intel NUC equipped with a Celeron.
by Larsa
Mon Aug 21, 2023 6:35 pm
Forum: Wireless Networking
Topic: Mikrotik, when you will fix WiFi on x86 platform in ROS 7 ?
Replies: 2
Views: 1803

Re: Mikrotik, when you will fix WiFi on x86 platform in ROS 7 ?

A suggestion is to use CHR on Hyper-V. There is minimal overhead, and it eliminates the need to worry about chipset and device driver support, which are instead handled by the Host OS (Windows).
by Larsa
Mon Aug 21, 2023 6:34 pm
Forum: Wireless Networking
Topic: [Issue] Atheros AR9888 not working
Replies: 20
Views: 4081

Re: [Issue] Atheros AR9888 not working

A suggestion is to use CHR on Hyper-V. There is minimal overhead, and it eliminates the need to worry about chipset and device driver support, which are instead handled by the Host OS (Windows).
by Larsa
Sat Aug 19, 2023 11:18 pm
Forum: General
Topic: Multiple interfaces, same subnet - directing return traffic to proper interface
Replies: 21
Views: 2304

Re: Multiple interfaces, same subnet - directing return traffic to proper interface

Check Sob's answer in this thread regarding a vrrp hack for multiple mac addresses.
by Larsa
Fri Aug 18, 2023 1:46 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125912

Re: v7.12beta [testing] is released!

Cause they try to avoid the linux naming convention whenever possible! ;-)
by Larsa
Fri Aug 18, 2023 1:35 pm
Forum: General
Topic: RB3011 - still a good choice?
Replies: 22
Views: 2692

Re: RB3011 - still a good choice?

That's by design since grouping the two switch chips together makes the bridge cpu-bound. I don't get how v6 might overcome that limitation?
by Larsa
Fri Aug 18, 2023 12:28 pm
Forum: General
Topic: RB3011 - still a good choice?
Replies: 22
Views: 2692

Re: RB3011 - still a good choice?

Be sure to put the latest v6 ROS since the is the route-cache. The missing route cache in v7 have a big performance hit on 3011. It's a myth and misconception. The current V7 kernel utilizes a more modern network stack that has the cache divided into distinct layers, achieving greater efficiency wh...
by Larsa
Thu Aug 17, 2023 10:46 pm
Forum: Beginner Basics
Topic: LTE interface traffic FW
Replies: 21
Views: 2880

Re: LTE interface traffic FW

Jinx 😁
by Larsa
Thu Aug 17, 2023 10:43 pm
Forum: Beginner Basics
Topic: LTE interface traffic FW
Replies: 21
Views: 2880

Re: LTE interface traffic FW

Recursive routing might possibly be another solution with a few additional rules for the VPN service: “MultiWAN with RouterOS”
by Larsa
Thu Aug 17, 2023 9:36 pm
Forum: Beginner Basics
Topic: Bandwidth management
Replies: 4
Views: 1137

Re: Bandwidth management

SPAM?
by Larsa
Thu Aug 17, 2023 9:36 pm
Forum: General
Topic: Routing
Replies: 4
Views: 981

Re: Routing

SPAM?
by Larsa
Thu Aug 17, 2023 4:38 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125912

Re: v7.12beta [testing] is released!

Okay, we simply have to wait for a clarification from MikroTik when they decide to update the online manual..
by Larsa
Thu Aug 17, 2023 3:33 pm
Forum: Forwarding Protocols
Topic: PLEASE SUGGEST ME OSPF CONFIGURATION
Replies: 4
Views: 2071

Re: PLEASE SUGGEST ME OSPF CONFIGURATION

Correct, that was the intention behind my question. OSPF comes with various quirks that one must be aware of, thus there is no standard configuration that can be applied in this case. You either bring in a consultant or learn the hard way by studying and performing hands-on testing in the lab and ge...
by Larsa
Thu Aug 17, 2023 3:14 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125912

Re: v7.12beta [testing] is released!

@Larsa: Endpoint-Independent NAT: https://help.mikrotik.com/docs/pages/vi ... pendentNAT

Thanks! Care to give a brief usage example?
by Larsa
Thu Aug 17, 2023 1:28 pm
Forum: Forwarding Protocols
Topic: PLEASE SUGGEST ME OSPF CONFIGURATION
Replies: 4
Views: 2071

Re: PLEASE SUGGEST ME OSPF CONFIGURATION

Is this a commercial setup?
by Larsa
Thu Aug 17, 2023 12:44 pm
Forum: Announcements
Topic: v7.12beta [testing] is released!
Replies: 263
Views: 125912

Re: v7.12beta [testing] is released!

*) firewall - added "ein-snat" and "ein-dnat" connection NAT state matchers for filter and mangle rules

Any info/docs on ein-dnat and ein-snat?
by Larsa
Thu Aug 17, 2023 10:15 am
Forum: Beginner Basics
Topic: Please check my configs - first time setting up Mikrotik network. [SOLVED]
Replies: 12
Views: 2264

Re: Please check my configs - first time setting up Mikrotik network. [SOLVED]

This guide might possibly help you a bit along the way: "New User Pathway To Config Success" (courtesy of @Anav)
by Larsa
Thu Aug 17, 2023 8:16 am
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 165553

Re: v7.11 [stable] is released!

What is Wifi Wave 2 for?

Wave2 = core device drivers supplied by the chip manufacturer. Previous drivers were developed by MT.
by Larsa
Tue Aug 15, 2023 10:48 pm
Forum: Announcements
Topic: v7.11.2 [stable] is released!
Replies: 348
Views: 165553

Re: v7.11 [stable] is released!

WG/ChaCha lack support for HW acceleration
by Larsa
Fri Jul 14, 2023 12:41 am
Forum: Wireless Networking
Topic: Looking for equipment to improve rural 4G signal reception and speed
Replies: 55
Views: 8973

Re: Looking for equipment to improve rural 4G signal reception and speed

Mkx, great sum-up. You should definitely try to write a LTE HOW-TO guide considering your pedagogical skills!
by Larsa
Thu Jul 13, 2023 11:04 pm
Forum: Wireless Networking
Topic: Looking for equipment to improve rural 4G signal reception and speed
Replies: 55
Views: 8973

Re: Looking for equipment to improve rural 4G signal reception and speed

Using a mast on the roof might provide you with a decent line-of-sight to the nearest tower that will possibly allow you to utilize Carrier Aggregation (CA). In such scenario, the LHG LTE6 kit might be a suitable option. We've got some customers in the archipelago who have a line-of-sight of approx ...