Community discussions

Search found 1774 matches

by Larsa
Wed Dec 04, 2024 4:41 pm
Forum: General
Topic: Really bad queue bug in v7 on x86
Replies: 2
Views: 505

Re: Really bad queue bug in v7 on x86

This is just a user forum; please report issues directly to Mikrotik support.
by Larsa
Wed Dec 04, 2024 10:33 am
Forum: General
Topic: RDP HELP!
Replies: 9
Views: 581

Re: RDP HELP!

It doesn't necessarily have to be the router that's the main problem. A tip is to troubleshoot using the Windows Event Log on both the RDP clients and the server. A good place to start is the guide "Microsoft - Troubleshoot Remote Desktop Disconnected Errors". This might also be useful: ...
by Larsa
Tue Dec 03, 2024 7:06 am
Forum: Beginner Basics
Topic: Port forwarding FQDN
Replies: 3
Views: 295

Re: Port forwarding FQDN

@AE8U, try to avoid exposing your internal network devices with open ports whenever possible. Instead, consider using VPN like WireGuard or ZeroTier. MikroTik has a built-in DDNS feature for handling dynamic IP changes called IP Cloud.
by Larsa
Fri Nov 29, 2024 8:33 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 39
Views: 2455

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

When I started the thread earlier, the initial handshake had to finish before the connection state became "established"[*] which prevented mangling from working. I see you’re using NAT, which might be affecting things similarly to routing rules. Have you tried running a packet trace (assum...
by Larsa
Fri Nov 29, 2024 7:27 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 39
Views: 2455

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

Perhaps you didn't read the whole thread and might have missed the most crucial parts: 1) During WG's initial handshake, there's no "connection state," so mangle rules can't apply 2) The initial handshake response always egresses through the default gateway unless you trick ROS into using ...
by Larsa
Fri Nov 29, 2024 6:14 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 39
Views: 2455

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

I just tested the rules as I have quoted on an rb5009 running 7.17rc1, and the mangle absolutely works for the initial handshake. Alright, good to know it works with 7.17rc1. Not sure when this changed, but it didn’t work before. If mangle works, that’s a third option along with NAT and routing rul...
by Larsa
Fri Nov 29, 2024 5:32 pm
Forum: General
Topic: RouterOS blatantly ignores pref-src. Can this really be a bug?
Replies: 39
Views: 2455

Re: RouterOS blatantly ignores pref-src. Can this really be a bug?

@divB, you're absolutely right to point out that this is a flawed implementation of WireGuard and it drove me nuts too before the root cause was identified. The good news is that it’s actually pretty easy for MikroTik to fix if they decide to. WireGuard works perfectly on Linux with the standard too...
by Larsa
Sun Nov 24, 2024 6:00 pm
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1293

Re: AWS Wireguard Slow

@Slartybart: Yeah, you’ll probably be just fine sticking with WireGuard. Another reason to go with it is that it’s much easier to manage than IPsec if you’re not experienced. If you somehow need maximum throughput, you might want to look into getting IPsec to work with hardware acceleration. -- @hol...
by Larsa
Sun Nov 24, 2024 9:13 am
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1293

Re: AWS Wireguard Slow

Thank you, but yet again, not a single word about IPsec hardware acceleration which WireGuard completely lacks.

Still, it’s always nice to see such enthusiastic contributions from a cheerful enthusiast. :-D
by Larsa
Sun Nov 24, 2024 12:27 am
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1293

Re: AWS Wireguard Slow

Haha, yeah, that article was really 'professional,' but hey, not bad for a basement hacker who clearly has no clue whatsoever about AES hardware acceleration. Nice try though! :-D
by Larsa
Sun Nov 24, 2024 12:15 am
Forum: General
Topic: Map Lite - Cant get this thing to work!
Replies: 6
Views: 1643

Re: Map Lite - Cant get this thing to work!

Hey @muaazteladia, welcome to the forum! Great to see more knowledgeable and dedicated people joining us. Have a nice weekend! :-)
by Larsa
Sat Nov 23, 2024 8:24 pm
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1293

Re: AWS Wireguard Slow

@holvoetn: When testing Tik to Tik with both devices capable of HW offloading IPSEC, WG is still faster. My view ... Well, I’m not sure what you’re basing your claims on, but IPsec with hardware acceleration is always faster than WireGuard— and that’s a fact! :-D Also, all AWS instance types, like ...
by Larsa
Sat Nov 23, 2024 1:40 pm
Forum: General
Topic: AWS Wireguard Slow
Replies: 21
Views: 1293

Re: AWS Wireguard Slow

@Slartybart: As WireGuard relies entirely on ChaCha20, which is a pure software encryption, throughput depends directly on the CPU power, so a slower CPU means slower throughput. For maximum throughput on AWS, consider using IPSec, though be aware that there might be a throughput cap depending on t...
by Larsa
Fri Nov 22, 2024 5:23 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

You can't just set up one subdomain in cloudflare and keep the rest in another DNS server, the NS servers have to be set to cloudflare, all mikrotik.com DNS will be managed through there. Yes, you can! There are several ways to do this, like DNS subdomain delegation, partial CNAME setups, and more....
by Larsa
Fri Nov 22, 2024 4:40 pm
Forum: Scripting
Topic: Script triggered by SMS: can I use the phone number in the script [SOLVED]
Replies: 8
Views: 737

Re: Script triggered by SMS: can I use the phone number in the script [SOLVED]

Aha, now I get what you're asking about! We had the exact same thoughts when we first started testing this feature. It’s really an unfortunate combination of poor documentation and a design flaw in the SMS script execution functionality. You don’t get any info about which number triggered the script...
by Larsa
Fri Nov 22, 2024 12:24 am
Forum: Scripting
Topic: Script triggered by SMS: can I use the phone number in the script [SOLVED]
Replies: 8
Views: 737

Re: Script triggered by SMS: can I use the phone number in the script [SOLVED]

The SMS data contains the phone number of the sender who initiated the script with the ':cmd' syntax. Maybe I'm misunderstanding what you're trying to achieve, but we're using scripts with MT LTE CPEs to perform actions like checking status, reboots, etc, as a last resort if our normal out-of-band m...
by Larsa
Thu Nov 21, 2024 10:58 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

There's no need to fake anything since there are no restrictions on anonymous access (tho creating a post is). Your suggestion might very well work, but it could end up being like robbing Peter to pay Paul. :D
by Larsa
Thu Nov 21, 2024 10:02 pm
Forum: Scripting
Topic: Script triggered by SMS: can I use the phone number in the script [SOLVED]
Replies: 8
Views: 737

Re: Script triggered by SMS: can I use the phone number in the script [SOLVED]

Long story short, unfortunately you can’t use digits as indexes in scripts, only in the terminal. Instead, you’ll need to use indexes like "id," as shown below, where "id" is just a variable that can be named anything /tool sms :foreach id in=[inbox find where message~"^*.&q...
by Larsa
Thu Nov 21, 2024 6:50 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Just an example of Cloudflare's pricing model: Pro - for professional websites that aren’t business-critical, $25/month. Business - for small businesses operating online, $250/month. All plans come with unmetered DDoS protection, they just differ in uptime SLA and number of rules for advanced set...
by Larsa
Thu Nov 21, 2024 6:03 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

No, just "forum.mikrotik.com". But don’t take my word for it, call or email some of them and they’ll explain how it works. Btw, here's a list of popular DDoS protection service providers. Most providers have their services spread out across all continents, and in many cases, you can pick...
by Larsa
Thu Nov 21, 2024 5:22 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Now would be a good time to check the logs for user agents. May come up empty though since you can use any valid user agents. I’m only gonna say this once: with a proper DDoS firewall that also catches other bad stuff, you don’t have to bother about invalid user agents since they’ll get blocked anywa...
by Larsa
Thu Nov 21, 2024 4:45 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

We have disabled the search robots, except biggest ones, but the attacks are regular DDoS attacks going to different IP every time. We are trying to optimize the forum servers to handle bigger loads, but the attacks keep getting bigger too. Since PHPBB is old software, another option would be to mi...
by Larsa
Thu Nov 21, 2024 1:33 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Well, here we go again! Now at about 1200 sessions and still climbing. Someone must be really pissed at MT...
by Larsa
Thu Nov 21, 2024 10:49 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

No problem. We’ll keep using Winbox 3/Wine for now, since v4 still has too many limitations anyway.
by Larsa
Wed Nov 20, 2024 2:10 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Since guest session counts are back to normal, I’m guessing MT introduced some kind of measure, but I doubt we’ll ever find out what it was.
by Larsa
Tue Nov 19, 2024 11:33 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

If you need serious DDoS protection as a front-end service, it takes massive computing resources, expert skills, and experience.

Normally, IMO that’s not something a company like MT could manage on-premise by themselves.
by Larsa
Tue Nov 19, 2024 10:00 pm
Forum: Forwarding Protocols
Topic: Wireguard issues with OSPF [SOLVED]
Replies: 9
Views: 1376

Re: Wireguard issues with OSPF [SOLVED]

@anav, it’s your call!

Once you figure out what triggers OSPF LSA state changes on a single WireGuard interface (using OSPF type PTP) connected to multiple peers/subnets, adding two tunnels to your VPS will be a breeze.
by Larsa
Tue Nov 19, 2024 9:27 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Sorry, my bad!

I meant before MT gives in and adds a third-party DDoS protection service.
by Larsa
Tue Nov 19, 2024 8:06 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Haha! 😛

Either way, it really doesn’t matter how it’s done, the spikes in guest session count clearly point to a classic DDoS attack (IMO)

It’ll be interesting to see who holds out the longest in this battle, MT or the DDoS drivers. This kind of volume is pretty cheap to buy on the dark web. 
by Larsa
Tue Nov 19, 2024 7:43 pm
Forum: Forwarding Protocols
Topic: Wireguard issues with OSPF [SOLVED]
Replies: 9
Views: 1376

Re: Wireguard issues with OSPF [SOLVED]

Suddenly an OSPF expert!? 😘
by Larsa
Tue Nov 19, 2024 2:24 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

But I always block all search bot and never had an issue with max session limit hit. And yes even Google misbehaves at times. It’s extremely rare nowadays for big companies using index bots to misbehave. If there’s a problem, it’s usually a misconfiguration on your end. Also, legal index bots don’t...
by Larsa
Tue Nov 19, 2024 1:35 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

These “legal” index bots don’t cause spikes in guest session counts, so it’s most likely a DDoS attack going on.

EDIT: I still occasionally get “500 Internal Server Error.”
by Larsa
Tue Nov 19, 2024 7:01 am
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Yup, seems like there’s still some kind of DDoS attack going on. The session count keeps bouncing between a few hundred and 1200-1300.
by Larsa
Sat Nov 16, 2024 5:38 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

A spike in session counts is usually a good indicator of a DDoS attack.
by Larsa
Sat Nov 16, 2024 3:10 am
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 773
Views: 156212

Re: v7.17beta [testing] is released!

No worries ya all!

Should MT decide to keep device mode in its current glorious form, just remember—we’re always here for you! 😄

Button-pushers.com

by Larsa
Sat Nov 16, 2024 12:57 am
Forum: Announcements
Topic: v7.17beta [testing] is released!
Replies: 773
Views: 156212

Re: v7.17beta [testing] is released!

… Sometimes on obscure places (hard, hard to reach physically). Still they insist on the button push confirmation thing.

There must be an alternative approach.

No worries, we rent out specially trained button-pushers worldwide.
by Larsa
Sat Nov 16, 2024 12:18 am
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Yeah, that “help” doesn’t do much to stop real DDoS attacks. Pretty sure MT staff mentioned this in the forum too.

A must-read for the MT team: “Distributed denial-of-service (DDoS) protection”
by Larsa
Fri Nov 15, 2024 10:21 pm
Forum: General
Topic: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]
Replies: 94
Views: 6814

Re: FOR THE LOVE OF "DEITY OF CHOICE" FIX YOUR FRIGGEN (forum) WEBSITE [SOLVED]

Might be time to try out a frontend like Cloudflare or similar to get rid of the DDoS attacks.
by Larsa
Fri Nov 15, 2024 1:13 pm
Forum: General
Topic: AZURE AD/ Entra ID
Replies: 1
Views: 285

Re: AZURE AD/ Entra ID

I assume you're talking about a radius connection to NPS. If you don't already have it, just set up a tunnel to your Azure AD - oh, sorry, I meant Entra ID! ;-) Btw, I honestly can’t stand these pointless brand renames.. https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-po...
by Larsa
Fri Nov 15, 2024 12:09 am
Forum: Forwarding Protocols
Topic: Wireguard issues with OSPF [SOLVED]
Replies: 9
Views: 1376

Re: Wireguard issues with OSPF [SOLVED]

It’s pretty tough to help out if you don’t explain exactly what’s not working, share a brief overview of the network topology and provide a full config export (minus anything that needs to be left out for privacy reasons). Also, using a single WireGuard interface with multiple active peers can be tr...
by Larsa
Thu Nov 14, 2024 10:56 pm
Forum: General
Topic: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.
Replies: 35
Views: 5051

Re: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

You’re spot on, it’s exactly the vetting process that’s the weak link! There are plenty of technical tools to lock down a GitHub repo, but it’s up to the owners/admins to decide how to use them. In the case of the XZ backdoor, the attacker got in using social engineering which let the villains access...
by Larsa
Thu Nov 14, 2024 8:37 pm
Forum: General
Topic: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.
Replies: 35
Views: 5051

Re: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

Probably true, but there’s always a chance of hidden backdoors, like the "XZ backdoor". With popular solutions, it’s easier to spot and handle malicious hacks and put in countermeasures because of the sheer number of people involved. But if you’re using less reliable sources, the risk goes...
by Larsa
Thu Nov 14, 2024 7:10 pm
Forum: General
Topic: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.
Replies: 35
Views: 5051

Re: 💀⚠️CRITICAL: Never trust who provides scripts containing "/import" from "/tool fetch" from external sources.

@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script direc...
by Larsa
Thu Nov 14, 2024 5:26 pm
Forum: Beginner Basics
Topic: How to configure PBR in CCR2116-12G-4S+ v7.8
Replies: 3
Views: 309

Re: How to configure PBR in CCR2116-12G-4S+ v7.8

The interweb grinds to a halt, the family descends into chaos, and Koemleang gets verbally roasted! 😆
by Larsa
Thu Nov 14, 2024 7:19 am
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

Just curious if you happened to check the ESXi logs to find the root cause? Anyway, feel free to get back here if you find anything interesting for future reference.
by Larsa
Wed Nov 13, 2024 5:23 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

If you don’t find any obvious reason in ROS for the VRRP state change, check the ESXi logs for the virtual NIC (referring to my previous post).
by Larsa
Wed Nov 13, 2024 12:59 am
Forum: Beginner Basics
Topic: Coming from Cisco with a newbie question
Replies: 1
Views: 255

Re: Coming from Cisco with a newbie question

This might be a good start: “Using RouterOS to VLAN your network”
by Larsa
Wed Nov 13, 2024 12:02 am
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

After discussing the issue internally with some techs, our best guess at this point is that the flip-flop behavior might be caused by a VMware Virtual Network Adapter 'state change' which can happen for various reasons like network congestion, resource constraints, virtual switch misconfigurations, ...
by Larsa
Tue Nov 12, 2024 7:50 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

Alright, got it. As for load balancing (ie vrrp load sharing) and grouping, have you checked if the ROS version has what you need? It might be worth a look, since it doesn’t have all the ‘bells and whistles’ of the Cisco IOS XR equivalent.
by Larsa
Tue Nov 12, 2024 6:04 pm
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

Thanks, but I have to admit I'm pretty confused by the network diagram as the image doesn’t seem to follow a clear visual logic and it’s hard to make sense of it without additional context. For example, how does the red-dashed VRRP relate to the four nodes (VRRP1, VRRP2, CHR1, CHR2)? And what role d...
by Larsa
Tue Nov 12, 2024 12:12 am
Forum: General
Topic: VRRP with single WAN and Single LAN Address
Replies: 34
Views: 2015

Re: VRRP with single WAN and Single LAN Address

Just curious, but why not fully utilize the VSM functionality since you already have a bunch of ASR 9Ks? I mean, why use CHRs as edge routers?

Btw, this is how you add an image to a post:
how to upload an image.png
by Larsa
Mon Nov 11, 2024 11:43 pm
Forum: General
Topic: WireGuard site to site routing help
Replies: 23
Views: 1377

Re: WireGuard site to site routing help

I will definitely look into it, but at the moment I dont understand how it works and how it could possibly add failover to a mesh topology? i dont have any other vpn service or second ISP with enough bandwidth to handle alternative routes Got it. Just want to add that OSPF isn’t really tied to othe...
by Larsa
Mon Nov 11, 2024 10:49 pm
Forum: Forwarding Protocols
Topic: OSPF/MPLS Migrations on 7.16.1
Replies: 5
Views: 1364

Re: OSPF/MPLS Migrations on 7.16.1

@digitallystoned - If you think it might be a bug, it’s probably better to check with Mikrotik Support. Otherwise, I’d suggest coming back with a simple network diagram to make it easier to follow your thought process, plus a full export from both devices (minus anything that needs to be left out f...
by Larsa
Mon Nov 11, 2024 8:50 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Well, according to Apple Support 'Forget Network' should clear cached auths. Unless there’s a new flaw in iOS 18 I don’t know about..
by Larsa
Mon Nov 11, 2024 8:44 pm
Forum: General
Topic: SMTP Limiting per Users Per day
Replies: 10
Views: 2053

Re: SMTP Limiting per Users Per day

SMTP is always open for business-grade connections and normally closed for regular consumers. If a botnet manages to steal the username and password for your email account, it’ll use ports 587 or 465.
by Larsa
Mon Nov 11, 2024 8:01 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Usually, you just need 'Forget Network' to clear cached auths.
by Larsa
Mon Nov 11, 2024 10:43 am
Forum: Scripting
Topic: "ip route find where' strange behavior
Replies: 10
Views: 726

Re: "ip route find where' strange behavior

@akliouev - look for “Reserved variable names” in the link that @Infabo just posted.
by Larsa
Sun Nov 10, 2024 7:57 pm
Forum: General
Topic: WireGuard site to site routing help
Replies: 23
Views: 1377

Re: WireGuard site to site routing help

I wouldn’t call it overkill. OSPF is actually pretty easy to set up and used with the BFD option you get quick failover if a link goes down. You can always add OSPF later if you want, and you can run it on top of the static routes, which then act as backup routing.
by Larsa
Sun Nov 10, 2024 7:17 pm
Forum: General
Topic: WireGuard site to site routing help
Replies: 23
Views: 1377

Re: WireGuard site to site routing help

If each of your 4 nodes is connected to all the others (ie 6 tunnels in your config), then the answer is yes. But if the other nodes only connect to a central node, the answer is no.
by Larsa
Sun Nov 10, 2024 5:33 pm
Forum: General
Topic: WireGuard site to site routing help
Replies: 23
Views: 1377

Re: WireGuard site to site routing help

@Usbuild - Once you’ve made some progress and set up your WireGuard tunnels, you can start considering a true "mesh solution" where all nodes connect with each other. This setup makes the network more redundant in case any link goes down. Wireguard Mesh.png To avoid adding static routes, t...
by Larsa
Sun Nov 10, 2024 3:14 pm
Forum: General
Topic: ZeroTier Version Upgrade
Replies: 12
Views: 2101

Re: ZeroTier Version Upgrade

Completely agree! I find it hard to understand why MT doesn’t enable the interface for all standard ZeroTier options that are available on every other platform except ROS.
by Larsa
Sun Nov 10, 2024 10:59 am
Forum: General
Topic: ZeroTier Version Upgrade
Replies: 12
Views: 2101

Re: ZeroTier Version Upgrade

Jinx (well, almost) :D
by Larsa
Sun Nov 10, 2024 8:35 am
Forum: General
Topic: ZeroTier Version Upgrade
Replies: 12
Views: 2101

Re: ZeroTier Version Upgrade

What's new in 7.17beta2 (2024-Sep-27 10:07):
zerotier - upgraded to version 1.14.0
by Larsa
Sat Nov 09, 2024 6:10 pm
Forum: Beginner Basics
Topic: How to change the IMEI of Mikrotik SXT LTE6 kit
Replies: 6
Views: 566

Re: How to change the IMEI of Mikrotik SXT LTE6 kit

Did you follow the guide? There are about 13 commands listed in the example, which one failed?
by Larsa
Thu Nov 07, 2024 3:48 pm
Forum: General
Topic: how to block youtube shorts?
Replies: 12
Views: 1065

Re: how to block youtube shorts?

Btw. setting up SSL decryption is a very common and easy thing, as long as you control all end devices, so that they trust your certificate authority. The most complex part of setting up SSL decryption at a company is to convince the company lawyers and the workers council. At least in Europe. Yeah...
by Larsa
Thu Nov 07, 2024 12:26 pm
Forum: General
Topic: how to block youtube shorts?
Replies: 12
Views: 1065

Re: how to block youtube shorts?

If this is for parental control, some endpoint protection software can manage it, and there are also paid cloud services available for this purpose. For corporate setups, ng-generation firewalls using the middle-man model require a highly complex and expensive configuration, which involves intervent...
by Larsa
Wed Nov 06, 2024 6:55 pm
Forum: Beginner Basics
Topic: How to change the IMEI of Mikrotik SXT LTE6 kit
Replies: 6
Views: 566

Re: How to change the IMEI of Mikrotik SXT LTE6 kit

If current IMEI is not accepted by your provider, isn't it more logical to switch provider? It happens that "obscure" NMOs try to lock customers into equipment that can only be sold by them through various restrictions. In those cases, you might have to change the IMEI to one that unlock...
by Larsa
Wed Nov 06, 2024 6:42 pm
Forum: Beginner Basics
Topic: How to change the IMEI of Mikrotik SXT LTE6 kit
Replies: 6
Views: 566

Re: How to change the IMEI of Mikrotik SXT LTE6 kit

@zionlook: Check this out: https://gist.github.com/Anime4000/e9213bd4eaef502e4675d736c564fb5c # Query which mode /interface lte at-chat lte1 input="AT*PROD\?" "output: *PROD: 0" = production mode "output: *PROD: 1" = non-production mode # Disable LTE interface /interfac...
by Larsa
Wed Nov 06, 2024 4:47 pm
Forum: General
Topic: PPTP no longer working
Replies: 4
Views: 358

Re: PPTP no longer working

@sambo521: Is your customer really okay with using your own equipment as an in-house, co-located router? TBH, this sounds a bit fishy, especially if it’s a big company that likely already has a remote access VPN solution (probably IPsec-based). I'd recommend using that instead. If possible, please g...
by Larsa
Tue Nov 05, 2024 2:18 pm
Forum: Beginner Basics
Topic: Multiple MikroTik on Zerotier Network
Replies: 5
Views: 946

Re: Multiple MikroTik on Zerotier Network

I might have missed or misunderstood something when I read the description and checked the config, but it seems like you’re using the same subnet for your local networks and ZeroTier, which can get tricky if you’re not careful. Are you planning to bridge (Layer 2/Ethernet) or route (Layer 3/IP) all ...
by Larsa
Tue Oct 29, 2024 9:35 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

I suspect you might have missed something, misunderstood, or simply skipped over some posts, so I’ll graciously ignore the grumbling tone. Mr. Znevna, just tell me how I can help you improve your, let’s say, ‘hat-wagering’ skills. Or perhaps you have anything more intriguing to say besides the whini...
by Larsa
Tue Oct 29, 2024 7:47 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Can you quote any part of it which mentions drivers for the Host OS? I haven't had time to check the actual references, but if you mean the drivers for PCIe IO-SRV support, you might for example checkout the vfio-pci driver for Linux, the FreeBSD ppt driver or the Microsoft Windows Driver Model ( W...
by Larsa
Tue Oct 29, 2024 3:15 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Like addressing a FreeBSD request for the unsupported Bhyve? Why not fix the UEFI Boot issue instead? You guys never stop surprising me! ;-)
by Larsa
Tue Oct 29, 2024 2:58 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Well, @mrz, purely educational as a reply to a previous post. But why do you care? This is a user forum, right?! On a more serious note, though, I genuinely (really!) don’t understand Mikrotik’s priorities here. Why address a FreeBSD request for the unsupported Bhyve when there are more pressing iss...
by Larsa
Tue Oct 29, 2024 12:32 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

If you're interested in some technical details on SR-IOV, down below are some solid explanations from Red Hat and Intel about different PCI hardware abstraction layers. I’d especially recommend Red Hat’s intro, which covers PCIe Physical Functions (PFs) and PCIe Virtual Functions (VFs), and Intel’s ...
by Larsa
Tue Oct 29, 2024 10:11 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Thanks for making that clear once and for all.

And please tell me you didn’t spend an entire weekend just to enable it for FreeBSD! ;-)
by Larsa
Mon Oct 28, 2024 11:59 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Please stop embarrassing yourselves! My best advice is to start exploring how VM drivers work and the differences between various hypervisors, particularly in handling IO-SRV and how it compares to regular PCI passthrough variants like ESXi DirectPath. And once again, all hypervisors have their own ...
by Larsa
Mon Oct 28, 2024 11:10 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

if you really pulled off getting MikroTik to add SR-IOV for the T540 in CHR [...] in such a short time in the past i have often complained, loudly and at length, about my issues with MikroTik support. but this case, i opened the ticket on Saturday, and they provided the new build at 10:30 on Monday...
by Larsa
Mon Oct 28, 2024 6:07 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

@crosswind - I’ll be the first to tip my hat and give you a shoutout (maybe even eat the hat) if you really pulled off getting MikroTik to add SR-IOV for the T540 in CHR running on the unsupported FreeBSD Bhyve in such a short time. PS: If that’s the case, I have a bone to pick with MikroTik for not...
by Larsa
Mon Oct 28, 2024 3:32 pm
Forum: RouterOS beta
Topic: Feature Request - NAT64/DNS64 CGN
Replies: 36
Views: 27245

Re: Feature Request - NAT64/DNS64 CGN

PLAT or CLAT, which runs on the end user’s device, or ROS CLAT for centralized translation, tunneling, or other purposes?

FYI, most pure IPv6 ISPs support MAP-E (RFC 7597), which can be managed by IPIPv6 in Mikrotik ROS.
by Larsa
Mon Oct 28, 2024 2:58 pm
Forum: Beginner Basics
Topic: Unable to route via VLANs
Replies: 16
Views: 1158

Re: Unable to route via VLANs

Still trying to get to grips with the eccentricities of Mikrotik VLANs (Much more familiar with Cisco's implementation, so this is a bit of an adjustment for me)

Yeah, it's because ROS VLAN bridging is based on Linux DSA (Distributed Switch Architecture) which can be pretty tricky to grasp because ...
by Larsa
Sat Oct 26, 2024 11:51 pm
Forum: Beginner Basics
Topic: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]
Replies: 60
Views: 3890

Re: Secondary WAN and failover setup hap ax2 (7.16) for a beginner [SOLVED]

Just keep in mind that Netwatch might be pretty unreliable on LTE when using Carrier Aggregation (CA), which is the default mode for most connections.
by Larsa
Sat Oct 26, 2024 6:52 pm
Forum: General
Topic: Suggestion for 1500+ VPN endpoints
Replies: 6
Views: 1155

Re: Suggestion for 1500+ VPN endpoints

I was a bit unclear - I meant an example use case for the type of work the organization does, like a neighborhood association or a security solution with SLAs for emergency response, or something similar, possibly with redundancy requirements, etc. Yeah, 1.5 Gbit/s requires heavy-duty equipment for ...
by Larsa
Sat Oct 26, 2024 5:13 pm
Forum: General
Topic: Suggestion for 1500+ VPN endpoints
Replies: 6
Views: 1155

Re: Suggestion for 1500+ VPN endpoints

Besides a decent management interface, you will need a proper VPN concentrator that is powerful enough to handle the expected number of concurrent encrypted VPN sessions. What’s the use case?
by Larsa
Sat Oct 26, 2024 3:04 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

I did my best to help, but it seems like you’re more interested in semantics and playing the ‘I said, you said’ blame game. Please refer to my previous message regarding supported platforms. Good luck!
by Larsa
Sat Oct 26, 2024 2:52 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

RouterOS as a bare metal x86_64 installation might possibly have drivers for the Chelsio T540, but you need to check with support. If you need help to install CHR on FreeBSD, you can refer to this guide: "Creating a Mikrotik CHR - RouterOS 7 - Bhyve VM in FreeBSD". Depending on what you a...
by Larsa
Sat Oct 26, 2024 2:12 pm
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

CHR runs fine on FreeBSD as long as you set up the VM with a compatible VF for SR-IOV or configure the standard drivers properly. That said, SR-IOV won’t give you any extra performance unless you’re sharing the NIC with multiple VMs, so the easiest way to get started with bhyve is to bridge a ta...
by Larsa
Sat Oct 26, 2024 11:07 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

please read my original post, which is about whether RouterOS x86 / CHR has driver for Chelsio T540-CR VF device. i do not get error or warning, but device does not appear in /interface/print. this is nothing to do with FreeBSD - question is whether RouterOS has driver for this device.

This is wher...
by Larsa
Sat Oct 26, 2024 10:44 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

Yep, it’s also up to the host OS drivers to enable SR-IOV support. The virtual machine can check if SR-IOV is available, but if you try to turn it on without driver support, you’ll just get an error or warning. The host OS still needs proper support for everything required by the virtual machine, so...
by Larsa
Sat Oct 26, 2024 9:27 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

No, virtual machines support only a limited set of virtual drivers required for the virtual guest to function properly. The host OS drivers are responsible for managing this support. You need to configure it properly like: https://forums.freebsd.org/threads/sr-iov-chelsio-error-in-guest.70653/. If y...
by Larsa
Sat Oct 26, 2024 6:36 am
Forum: General
Topic: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]
Replies: 47
Views: 2535

Re: RouterOS x86, no support for Chelsio T540 VF? [SOLVED]

When using CHR, the NIC drivers must be compatible with and managed by the virtual machine host operating system (ie FreeBSD).

So, MikroTik support won’t really help here - you’ll need to check out the FreeBSD Forums instead.
by Larsa
Fri Oct 25, 2024 7:59 pm
Forum: RouterBOARD hardware
Topic: Recommend router and switch connected with private fiber
Replies: 38
Views: 2974

Re: Recommend router and switch connected with private fiber

He talked about running into a splice tray and pigtail.

Yeah, that's pretty much standard procedure. It's usually not a big deal, but if you ask nicely, they might throw in a 30-foot (or even longer) pigtail that you can roll up in the splice tray. That way, you can move it somewhere else if you ne...
by Larsa
Fri Oct 25, 2024 1:04 pm
Forum: General
Topic: S-RJ01 installed in server motherboard - not working
Replies: 2
Views: 308

Re: S-RJ01 installed in server motherboard - not working

Is there any way of knowing if these two are compatible?

When using CHR, the NIC drivers must be compatible with and managed by the virtual machine host operating system. Also make sure to enable SR-IOV.
by Larsa
Fri Oct 25, 2024 11:36 am
Forum: Wireless Networking
Topic: worst performance of NetBox 5AX.. Is there any user who uses this NetBox 5AX??
Replies: 23
Views: 3643

Re: worst performance of NetBox 5AX.. Is there any user who uses this NetBox 5AX??

There’s a chance some mistakes slipped in by accident, so please post the configuration with the latest suggestions.
by Larsa
Thu Oct 24, 2024 10:04 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 8
Views: 1238

Re: How to change WG handshake timeout

It could be due to several things, like having a WireGuard peer acting as the initiator (ie you have defined the endpoint-address and port) but the receiver isn't responding, or for some reason an established connection has stopped working. An earlier version of Ros logged way too much by mistake bu...
by Larsa
Thu Oct 24, 2024 9:09 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 8
Views: 1238

Re: How to change WG handshake timeout

Those settings are protocol-defined standard values that are hardcoded at compile time. Check out: WireGuard on GitHub. Also, read my previous post: viewtopic.php?p=1105092#p1058871.

Why do you want to change these values, which would break the protocol definition?
by Larsa
Thu Oct 24, 2024 6:29 pm
Forum: Wireless Networking
Topic: wAP ax?
Replies: 246
Views: 28692

Re: wAP ax?

As an AP, bridging is more than adequate and the routing test results don't really matter much as the difference isn't that significant anyway. It's only relevant if you're planning to use the AP as your main router.
by Larsa
Thu Oct 24, 2024 5:51 pm
Forum: Wireless Networking
Topic: Iphone 11 wifi
Replies: 4
Views: 396

Re: Iphone 11 wifi

Check your iPhone Wi-Fi logs: viewtopic.php?t=211009#p1098002. If you can't figure it out using the logs, post your AP config in this thread.
by Larsa
Thu Oct 24, 2024 8:30 am
Forum: General
Topic: BGP sessions close when another session to the same IP closes
Replies: 8
Views: 2145

Re: BGP sessions close when another session to the same IP closes

@mblfone - This is just a user forum. Please open a bug report with Mikrotik support.
by Larsa
Wed Oct 23, 2024 6:39 pm
Forum: Forwarding Protocols
Topic: BFD, ipv6 & bgp multihop problem
Replies: 3
Views: 1800

Re: BFD, ipv6 & bgp multihop problem

I’d say it’s way too hard to figure out the network topology without a clear network diagram.
by Larsa
Tue Oct 22, 2024 9:18 pm
Forum: General
Topic: 1 Packet over Multiple Routs?
Replies: 14
Views: 1419

Re: 1 Packet over Multiple Routs?

And imagine if top management and all the development gurus were on the crashed airplanes! 🤯🤯🤯
by Larsa
Tue Oct 22, 2024 4:06 pm
Forum: General
Topic: IPsec VPN Mikrotik - Sonicwall not using full internet speed
Replies: 8
Views: 927

Re: IPsec VPN Mikrotik - Sonicwall not using full internet speed

Hey @ToothyGardener, thanks for that LLM-generated response that was pretty much just a reworded version of my last post, but with some extra fluff thrown in. (## SPAM warning ##)
by Larsa
Tue Oct 22, 2024 2:54 pm
Forum: General
Topic: Mikrotik support please have a look!
Replies: 4
Views: 441

Re: Mikrotik support please have a look!

Or as someone on Reddit put it: "This device is not intended for the average user, so don’t blame the hardware if you have trouble getting it to work. If you're unable to configure it properly, consider buying a consumer-friendly equipment instead."
by Larsa
Tue Oct 22, 2024 10:27 am
Forum: General
Topic: IPsec VPN Mikrotik - Sonicwall not using full internet speed
Replies: 8
Views: 927

Re: IPsec VPN Mikrotik - Sonicwall not using full internet speed

If using two RB4011s works, check if the TZ500 could be the bottleneck and whether it supports hardware acceleration with AES-256. If not, you’ll need to find an encryption method that both sides can use with hardware acceleration. Take a look at the RB4011s (CPU AL21400) in this table: https://help...
by Larsa
Tue Oct 22, 2024 12:44 am
Forum: General
Topic: l2tp subnet routing router to router
Replies: 11
Views: 590

Re: l2tp subnet routing router to router

I went from openvpn (no udp support in Tik) to ipsec (hardware encryption) to wireguard. Wireguard blows ipsec with hardware encryption out of the water in terms of performance.

@NetWorker - WireGuard uses pure software encryption (ChaCha20), so it’ll never beat IPsec when it’s using hardware accel...
by Larsa
Mon Oct 21, 2024 8:51 pm
Forum: Beginner Basics
Topic: RouterOS on Proxmox
Replies: 4
Views: 511

Re: RouterOS on Proxmox

@FredRoot - You can’t manage USB network devices directly from CHR. You need to set up and manage the TP-Link T4U from the host OS first, then add it to Proxmox like a regular network device. Check this out: add usb network device to proxmox
by Larsa
Mon Oct 21, 2024 6:41 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 29
Views: 6050

Re: [Feature Request] Data Center Bridge support

@galvesribeiro, yeah, this is great news and probably essential for MT if they are aiming to enter the data center market with their new 100G switches. It looks like there's support for both the older v1 L2 and current v2 L3 (UDP), with highly configurable ETS scheduling and bandwidth allocation. Ov...
by Larsa
Mon Oct 21, 2024 4:55 pm
Forum: General
Topic: IPsec VPN Mikrotik - Sonicwall not using full internet speed
Replies: 8
Views: 927

Re: IPsec VPN Mikrotik - Sonicwall not using full internet speed

You need to use an IPsec encryption setup that matches AES hardware offloading on both sides.
by Larsa
Sun Oct 20, 2024 10:51 pm
Forum: General
Topic: Weird bug 7.15 x86 - NIC stops working until full RouterOS reinstall
Replies: 3
Views: 416

Re: Weird bug 7.15 x86 - NIC stops working until full RouterOS reinstall

The only advice I can give, if you can’t ensure your system is ROS-compliant, is to use CHR. If configured correctly, you won’t notice any difference in performance.
by Larsa
Sun Oct 20, 2024 9:49 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

I have never used, but I understood that with rose-storage I can fake a disk on RAM, so we could use it to avoid issues on write needs.

Just be aware you will lose ALL writes if you are unable to sync a RAM drive to permanent storage. My recommendation is to use at least some kind of delayed-write ...
by Larsa
Sun Oct 20, 2024 7:58 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

That might be the case, but it really depends on how the developers have set up the SQLite settings, like journal_mode, cache_size, temp_store, synchronous, and how they handle client busy timeouts, etc. And of course, the maximum number of concurrent transactions. If the underlying file system for ...
by Larsa
Sun Oct 20, 2024 6:05 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

Yeah, the VM should be pretty easy to scale up with standard measures, and depending on how MT implements SQLite caching, you might even be able to use it as an in-memory database if you add a lot of RAM. But since SQLite is single-threaded, how it handles command queuing with a bunch of concurrent ...
by Larsa
Sun Oct 20, 2024 2:58 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

You're absolutely right, so I've clarified the answer!

That said, it's a pity that RoS User-Manager doesn't offer the same configuration options as for example FreeRadius where you can set it up to use an external database server.
by Larsa
Sun Oct 20, 2024 9:54 am
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

I think you’re missing the point, it’s about running a separate RADIUS server. Plus, SQLite isn’t really made for this kind of workload anyway.
by Larsa
Sat Oct 19, 2024 10:23 pm
Forum: General
Topic: Weird bug 7.15 x86 - NIC stops working until full RouterOS reinstall
Replies: 3
Views: 416

Re: Weird bug x86 - NIC stops working until full RouterOS reinstall

Just a guess, but your NIC probably isn’t supported. If that’s the case, I’d recommend running RoS using CHR instead.
by Larsa
Sat Oct 19, 2024 6:17 pm
Forum: General
Topic: User Manager for 30K Subscribers [SOLVED]
Replies: 19
Views: 1178

Re: User Manager for 30K Subscribers [SOLVED]

@fischerdouglas; I'm not sure I get the question. Are you asking about: 1) The total number of users in the database, 2) The number of concurrent users connecting to a RAS server, or 3) whether all those hosts are connecting to a single RADIUS server at the same time? For the number of users in the ...
by Larsa
Fri Oct 18, 2024 11:46 pm
Forum: Beginner Basics
Topic: How to install new Winbox beta on Linux
Replies: 13
Views: 1419

Re: How to install new Winbox beta on Linux

I did try run from terminal and this is what I got (sorry, but my knowledge of Ubuntu is very limited)

@Enrico: From the command line, try:
$ chmod +x Winbox
$ ./Winbox
by Larsa
Wed Oct 16, 2024 6:54 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 150
Views: 242298

Re: Solving 20km wireless link issues

I’d say that’s pretty impressive for an initial alignment of a 31 km link, especially considering it was raining.
by Larsa
Wed Oct 16, 2024 5:58 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

@Plink4, here's a hint to get you on track. Read this how-to: viewtopic.php?p=1051720&#p1051720
by Larsa
Wed Oct 16, 2024 1:39 pm
Forum: General
Topic: Is RouterOS a real-time system?
Replies: 5
Views: 567

Re: Is RouterOS a real-time system?

What lower latency are you comparing it to, exactly?

There are specialized appliances with userspace networking built using DPDK and similar libraries, if that’s what you’re referring to.
by Larsa
Tue Oct 15, 2024 10:11 pm
Forum: Beginner Basics
Topic: LHG LTE6 needs restart twice a day to work
Replies: 17
Views: 1649

Re: LHG LTE6 needs restart twice a day to work

It is a bit of a cat-and-mouse game with these towers/etc. And since part of CA, beyond more bandwidth, is shifting load to other bands. Dropping a band to force CPE like LHG to actually use CA... seems like something the LTE network might do to keep the primary bands clear if possible.

Yeah, but t...
by Larsa
Tue Oct 15, 2024 9:52 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

@Plink4, I think @anav was pretty clear that he's only willing to keep helping if you provide the full router config (i.e., a full export). Otherwise, you’ll need to reach out to a Mikrotik consultant: https://mikrotik.com/consultants.
by Larsa
Tue Oct 15, 2024 4:57 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Suggesting either a wireguard VPN connection or a zerotier connection (LARSA can help with), that will allow you to securely access your resources behind the mikrotik router while away. I suppose which is readily available on the CHR would be a starting point.

@anav, since this is a ROS installatio...
by Larsa
Tue Oct 15, 2024 4:49 pm
Forum: Beginner Basics
Topic: LHG LTE6 needs restart twice a day to work
Replies: 17
Views: 1649

Re: LHG LTE6 needs restart twice a day to work

We're managing a bunch of LTE/NR CPEs and have figured out that you need at least two payload packets per second to keep CA running. Some operators skip the ICMP traffic in this. So far, what’s been working best for us is sending BFD Hello packets (24-byte payload) every 300 ms, ie about three packe...
by Larsa
Tue Oct 15, 2024 4:15 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

So, you do have a public IP after all, but it's dynamic and connected to another Mikrotik router?? To be honest, I'm not sure I fully understand what you're trying to explain! Before we go any further, could you provide a full network topology? It doesn't have to be a super detailed diagram, just a ...
by Larsa
Tue Oct 15, 2024 4:04 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

Are you kidding, what do you mean by "I don’t have any public IP. The one I have is connected to my MikroTik"??? Before we move forward, please provide a complete network topology. It doesn’t need to be an advanced diagram, but it should include all the relevant network components, from...
by Larsa
Tue Oct 15, 2024 2:27 pm
Forum: General
Topic: Remote Access to Local OLTs via VPN on MikroTik Without Public IP
Replies: 27
Views: 1244

Re: Remote Access to Local OLTs via VPN on MikroTik Without Public IP

@Plink4; it's a bit hard to follow your network setup because, in your first post, you said "my MikroTik CHR does not support ZeroTier," and then later you mentioned, "Just to clarify, I don’t have a MikroTik Cloud Hosted Router (CHR)." A few questions just to clear things up...
by Larsa
Tue Oct 15, 2024 11:25 am
Forum: Beginner Basics
Topic: LHG LTE6 needs restart twice a day to work
Replies: 17
Views: 1649

Re: LHG LTE6 needs restart twice a day to work

Before you made those changes, did you check if CA was really the underlying problem? Just so you know, if you disable CA, your transfer speed will be significantly limited.
by Larsa
Tue Oct 15, 2024 8:17 am
Forum: General
Topic: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]
Replies: 10
Views: 738

Re: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]

@Larsa, I appreciate your input. However, I've already made the decision to go with Mikrotik for my networking hardware (or most of it...I do have a couple of secondhand Netvanta PoE switches), and I like the idea of minimizing the number of fingers in my networking pie. Besides, $45 for a Level 1 ...
by Larsa
Tue Oct 15, 2024 1:01 am
Forum: General
Topic: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]
Replies: 10
Views: 738

Re: Asking for help: Setting Up a Multi-Site in-house Wireguard network [SOLVED]

Sorry @Anav, but for this topology, I’d definitely go with the free version of ZeroTier for an easy setup and administration, without needing a central VPS/CHR or anything like that. ZeroTier also makes it much easier to add mobile devices like phones and laptops, and it handles CG-NAT really well. ...
by Larsa
Mon Oct 14, 2024 10:51 pm
Forum: Wireless Networking
Topic: How to reach IoT with Zerotier?
Replies: 1
Views: 290

Re: How to reach IoT with Zerotier?

You need to add a route to your local network in ZeroTier Central. Just go to Networks -> Settings -> Advanced -> Managed Routes. For general questions about ZeroTier, check out discuss.zerotier.com. Also, make sure to allow ZeroTier network traffic to the LAN on your router. You can do this by add...
by Larsa
Mon Oct 14, 2024 10:35 pm
Forum: Beginner Basics
Topic: LHG LTE6 needs restart twice a day to work
Replies: 17
Views: 1649

Re: LHG LTE6 needs restart twice a day to work

You might be losing Carrier Aggregation (CA) when the LTE modem (UE) deactivates a secondary carrier to save power because full aggregation isn’t needed when data usage is low and the device doesn’t require the full bandwidth. This can also happen at the base station for the same reasons, depending ...
by Larsa
Mon Oct 14, 2024 2:59 pm
Forum: General
Topic: enabling/disabling routes takes a long time
Replies: 7
Views: 572

Re: enabling/disabling routes takes a long time

No need to use OSPF if you're already familiar with BGP. Both protocols use BFD in pretty much the same way to achieve fast failover between routes. Either way, give it a try - it’s not hard to set up. Otherwise, it works as usual: one route for the primary link and one for the backup. Just set attr...
by Larsa
Mon Oct 14, 2024 12:45 pm
Forum: General
Topic: enabling/disabling routes takes a long time
Replies: 7
Views: 572

Re: enabling/disabling routes takes a long time

I have not worked with OSPF before. It is a shared router, also running BGP, so I am a bit reluctant to try that.

@benw: BFD works just as well with BGP for a quick reroute if you lose the primary link. Manually rerouting with a script is like reinventing the wheel.
by Larsa
Mon Oct 14, 2024 8:01 am
Forum: Beginner Basics
Topic: I can't install mikrotik os x86.
Replies: 11
Views: 891

Re: I can't install mikrotik os x86.

Mikrotik RoS runs on a slimmed-down Linux kernel that's customized for embedded devices so it doesn't have broad driver support for generic x86-64 hardware. On the other hand, Linux distros like Ubuntu are a whole different story - they usually offer full support for most x86-64 hardware.
by Larsa
Sat Oct 12, 2024 7:19 pm
Forum: General
Topic: CHR v7.16.1 Hyper-V - No DHCP/broken connectivity on 3rd ethernet interface
Replies: 2
Views: 353

Re: CHR v7.16.1 Hyper-V - No DHCP/broken connectivity on 3rd ethernet interface

Each Hyper-V Virtual Switch can only be mapped to one external (physical) NIC at a time. So, if you’ve got multiple physical adapters, you’ll need to assign a new virtual switch for each one.

Each virtual switch can host unlimited virtual adapters for the guest OS.
by Larsa
Fri Oct 11, 2024 11:27 pm
Forum: General
Topic: enabling/disabling routes takes a long time
Replies: 7
Views: 572

Re: enabling/disabling routes takes a long time

You might use two parallel routes with OSPF/BFD for a seamless failover in just a few milliseconds.
by Larsa
Fri Oct 11, 2024 1:25 pm
Forum: General
Topic: Wi‑Fi 7 / 802.11be
Replies: 81
Views: 29458

Re: Wi‑Fi 7 / 802.11be

I'll bring it up to him, but this wish might be hard to fulfill. :D
by Larsa
Fri Oct 11, 2024 11:55 am
Forum: General
Topic: MPLS-TE [SOLVED]
Replies: 8
Views: 867

Re: MPLS-TE [SOLVED]

@nichky - I think you'll get better attention if you post the issue in the thread v7.17beta [testing] is released!
by Larsa
Fri Oct 11, 2024 9:51 am
Forum: General
Topic: High 'networking'-load with IPSec using CCR2004
Replies: 5
Views: 869

Re: High 'networking'-load with IPSec using CCR2004

Yeah, and to be more specific – if either end of the IPsec tunnel doesn’t have AES hardware acceleration, that’s going to set the limit for the total throughput you can get.
by Larsa
Fri Oct 11, 2024 9:38 am
Forum: General
Topic: High 'networking'-load with IPSec using CCR2004
Replies: 5
Views: 869

Re: High 'networking'-load with IPSec using CCR2004

If you have a CCR2004 at both ends, make sure to enable proper AES hardware acceleration for IPsec:

https://help.mikrotik.com/docs/display/ ... celeration
by Larsa
Fri Oct 11, 2024 3:26 am
Forum: Beginner Basics
Topic: I can't install mikrotik os x86.
Replies: 11
Views: 891

Re: I can't install mikrotik os x86.

Are you sure your hardware setup is supported? If not, you might want to try using CHR instead.
by Larsa
Thu Oct 10, 2024 9:14 pm
Forum: General
Topic: 464XLAT support Mikrotik ?
Replies: 11
Views: 4409

Re: 464XLAT support Mikrotik ?

I'm not sure about VIVO Brazil, but most pure IPv6 ISPs support MAP-E (RFC 7597) which lets you tunnel IPv4 traffic using an IPIPv6 tunnel in ROS, for example like this: viewtopic.php?t=146917#p724273
by Larsa
Wed Oct 09, 2024 10:25 pm
Forum: Forwarding Protocols
Topic: BGP PBR instead of ECMP
Replies: 5
Views: 621

Re: BGP PBR instead of ECMP

@SwaggerRO - What @mrz meant, to be more precise, is that the 'new-routing-mark' name needs to match the 'routing-table' name. So, for example:

/ip firewall mangle
add chain=prerouting src-address=192.168.1.1 action=mark-routing new-routing-mark=to_ISP1 passthrough=no
add chain=prerouting src-addre...
by Larsa
Tue Oct 08, 2024 8:32 pm
Forum: Scripting
Topic: Experiments with [:convert] for bits&bytes +CSV from /iot/...
Replies: 5
Views: 861

Re: Experiments with [:convert] for bits&bytes from /iot/...

These are really nice examples of various use cases, thank you! 😄
by Larsa
Sun Oct 06, 2024 10:22 pm
Forum: Forwarding Protocols
Topic: Bgp vpls with route reflector not working Rosv7
Replies: 3
Views: 498

Re: Bgp vpls with route reflector not working Rosv7

Mikrotik has fixed a lot of issues over the years so it’s pretty hard to say exactly what you’re referring to in this case. You could run a functionality test using something like GNS3, or describe your network setup with more details about the problem, and share your config files. You can also chec...
by Larsa
Sun Oct 06, 2024 2:01 pm
Forum: Forwarding Protocols
Topic: Difference between VPLS and VPLS BGP signalling [SOLVED]
Replies: 1
Views: 366

Re: Difference between VPLS and VPLS BGP signalling [SOLVED]

BGP is a bit more complex than LDP, but it’s a better fit for large-scale VPLS deployments:

https://help.mikrotik.com/docs/display/ROS/VPLS
by Larsa
Fri Oct 04, 2024 7:37 pm
Forum: Wireless Networking
Topic: Connect Mikrotik router to wifi with only a QR code
Replies: 4
Views: 485

Re: Connect Mikrotik router to wifi with only a QR code

On Android, Connect your phone using the QR. Then hit the share network on your phone. It will display the SSID and password.

This requires Android 10 or iOS 18.
by Larsa
Thu Oct 03, 2024 6:33 pm
Forum: Beginner Basics
Topic: the irrationality of [find]
Replies: 18
Views: 1002

Re: the irrationality of [find]

I totally agree. Everything should be handled consistently and users shouldn't have to know all the little exceptions that could lead to serious issues. At the very least, the documentation should have clear warnings about these risks.
by Larsa
Thu Oct 03, 2024 4:13 am
Forum: Beginner Basics
Topic: the irrationality of [find]
Replies: 18
Views: 1002

Re: the irrationality of [find]

Yeah, and as a workaround, you’ll need to use for example a foreach loop. Something like this:

/ip hotspot user
:foreach user in=[find name~"^adam"] do={
    reset-counters $user
    another-command $user
    # etc…
}
by Larsa
Wed Oct 02, 2024 2:46 pm
Forum: General
Topic: LACP doesn't work in CHR
Replies: 9
Views: 1497

Re: LACP doesn't work in CHR

Yeah, and in some environments it’s enabled by default. @iocampomx; for future reference could you let us know what OS and virtual environment you're running GNS on?
by Larsa
Wed Oct 02, 2024 11:30 am
Forum: General
Topic: LACP doesn't work in CHR
Replies: 9
Views: 1497

Re: LACP doesn't work in CHR

Glad you got it working! I'd still suggest upgrading to CHR ROS v7 since there've been major improvements in the new kernel’s network stack. For example it handles LACP better allowing for improved hardware resource utilization especially in dynamic environments with multiple link members and multi-...
by Larsa
Wed Oct 02, 2024 6:01 am
Forum: General
Topic: LACP doesn't work in CHR
Replies: 9
Views: 1497

Re: LACP doesn't work in CHR

Same here, I've tried multiple things & parameters. I'm using CHR within GNS3. I'm using Wireshark to monitor traffic. CHR is only sending one package once you disable the bonding interface, example: I'm using version 6.49.17 with the free license. It might be an issue with the configuration se...
by Larsa
Tue Sep 24, 2024 4:04 pm
Forum: Scripting
Topic: ✂ Rextended Fragments of Snippets
Replies: 107
Views: 94304

Re: ✂ Rextended Fragments of Snippets

Yeah, just noticed it! 😄
by Larsa
Tue Sep 24, 2024 4:01 pm
Forum: Scripting
Topic: ✂ Rextended Fragments of Snippets
Replies: 107
Views: 94304

Re: ✂ Rextended Fragments of Snippets

This is the 100th post in this thread! :D

Edit:
Oh no, it became the 101st, damn it! 😁
by Larsa
Mon Sep 23, 2024 2:27 pm
Forum: General
Topic: Winbox 4
Replies: 4
Views: 846

Re: Winbox 4

Use the main "WinBox 4 is here" thread for any related issues or questions: viewtopic.php?t=210505
by Larsa
Mon Sep 23, 2024 7:06 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

@k2dI5umrD9VO:
Link to Apple Support: https://getsupport.apple.com/products
by Larsa
Sun Sep 22, 2024 9:49 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

@iustin: I have this same problem...

Link to Apple Support: https://getsupport.apple.com/products
by Larsa
Sat Sep 21, 2024 1:48 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

We've been using both the preview and the latest releases of iOS 18 and macOS 15 (Sequoia) for a while now. I also checked with some colleagues who've spent a lot of time at different customer sites (including some Mikrotik setups) and none of them have had the issues described in this thread. My wi...
by Larsa
Thu Sep 19, 2024 5:34 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

@k2dI5umrD9VO: As I tried to explain earlier, since the issue originates from your iOS device, you should contact Apple Support and let them handle the matter accordingly.

I mean, if it worked with iOS 17 but not with iOS 18, you can’t blame MikroTik for it, can you?
by Larsa
Thu Sep 19, 2024 3:34 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Link to Driver Log TXT-File from Macbook: https://1drv.ms/t/s!AsOJquxuP-h5hewWtvJA2Rp3Tq-XGQ?e=yTxxJA Just a suggestion; when sharing a log this big, try giving a hint about when the issue happened so people know where to start looking. Also, this log is primarily meant for the Apple Developer foru...
by Larsa
Thu Sep 19, 2024 1:27 pm
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Hey folks! Want to know what's really going on when your Apple device is having Wi-Fi issues?? If YES, then check the wifi logs on your DEVICE: 1. iOS Profiles and Logs Wi-Fi for iOS/iPadOS Instructions Profile 2. macOS Profiles and Logs Direct link: Wi-Fi Logs For macOS Wi-Fi issues, please foll...
by Larsa
Thu Sep 19, 2024 11:52 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

What do you mean by mixed languages? @erlinden: Sorry, I meant to say regional settings. The same company that added deliberate slowdowns to older hardware and it still surprises you? What do you think MS is doing with their Co-Pilot story? Same purpose—push hardware sales (MS license will come wit...
by Larsa
Thu Sep 19, 2024 10:43 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Like I said earlier, it's an intermittent issue with Apple iOS 18. And honestly, why waste time with pointless trial and error when you can just check the device Wi-Fi logs to find the real problem faster?
by Larsa
Thu Sep 19, 2024 7:52 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Yeah, forgot to mention we're using 7.15.3 with FT enabled. I remember some Apple devices (at least in the past) could have issues with mixed languages on APs within the same SSID domain. Anyway, troubleshooting Wi-Fi on Apple devices can be pretty tricky so instead of wasting time with trial and er...
by Larsa
Thu Sep 19, 2024 3:14 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Alright, I’m not sure then. You could check the iOS Wi-Fi logs to find the cause, or if all else fails, roll back to iOS 17.

Look for the section “Wi-Fi for iOS/iPadOS” in iOS Profiles and Logs
by Larsa
Thu Sep 19, 2024 2:59 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

Did you try forgetting the network and then reconnecting, or is that when you ran into another issue?
by Larsa
Thu Sep 19, 2024 1:59 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

I had the same issue and I fixed it by following a suggestion I found on Reddit: just disable the private address, forget the network, reconnect, and then re-enable the private address again. Anyway, no one seems to know exactly why this happens with iOS 8.
by Larsa
Thu Sep 19, 2024 1:26 am
Forum: Wireless Networking
Topic: iOS 18 Wi-Fi connectivity issue [SOLVED]
Replies: 81
Views: 10104

Re: iOS 18 Wi-Fi connectivity issue [SOLVED]

@k2dI5umrD9VO: It’s not related to ROS. This is a known issue with iOS 18 (and also in the previews) but no one has figured out the root cause or how to fix it: https://www.google.com/search?q=%22iOS+ ... reddit.com
by Larsa
Tue Sep 10, 2024 4:34 pm
Forum: General
Topic: CCR2004 as ZeroTier VPN concentrator
Replies: 5
Views: 721

Re: CCR2004 as ZeroTier VPN concentrator

The issue isn’t with ZeroTier itself but rather the MikroTik implementation which is flawed due to using an older version (v1.10.3) with various bugs and lacking the ability to configure standard ZeroTier features such as custom root servers, multi-path, trusted-path, allow DNS, etc. ZeroTier can ha...
by Larsa
Mon Sep 09, 2024 11:27 pm
Forum: General
Topic: CCR2004 as ZeroTier VPN concentrator
Replies: 5
Views: 721

Re: CCR2004 as ZeroTier VPN concentrator

we are planning to setup hub and spoke network using Mikrotik and ZeroTier. As a start there will be 500-2000 spokes. And in the next following years will growing up, total it will have up to 30K spokes. ZeroTier is a full-mesh SD-WAN that automatically utilizes point-to-point connections when at l...
by Larsa
Tue Sep 03, 2024 8:46 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Many users request return of the Tabs to the top bar. One of my colleagues has nice idea - most of the time, you only work with few selected tabs. So what about an icon in the drop-down list, to open a Tab in a new Window, would in fact pin the Tab to the top bar instead? But of course! That way, e...
by Larsa
Tue Sep 03, 2024 4:36 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Exactly my point!
by Larsa
Tue Sep 03, 2024 4:31 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: WinBox 4 is here

The detached window feature would make sense if there is only one Winbox instance running at a time. Since mostly several Winbox instances are running, detaching windows would create even more usability issues. Well, maybe for inexperienced people who don't work with networks and aren't familiar wi...
by Larsa
Tue Sep 03, 2024 4:14 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Got it! Please add it to the list for Customer Enhancement Requests. Thanks!
by Larsa
Tue Sep 03, 2024 4:08 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Maybe you expect something to happen, that was never intended to happen? This is what is SUPPOSED to happen. As designed: https://imgur.com/a/RwZRKRH Yes, that could absolutely be the case but I suspect there might be some confusion here regarding the terminology. As I tried to explain previously a...
by Larsa
Mon Sep 02, 2024 8:39 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Thanks! By any chance, do you have access to the default gateway at 10.20.100.1? If so, could you check if there's a route set up to 10.2.120.0/24 via 10.20.100.15? If it's a MikroTik router, you can run the command: ' /ip/route/print ' and paste the output here. If not, while troubleshooting, we ca...
by Larsa
Mon Sep 02, 2024 6:43 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

@Normis: That does not make it clearer. The post already shows how to do it. Is there an issue with this button? 1. Yeah, that's correct. There's an issue with the button. The button shown in the red rectangle below doesn't work as expected. As explained by @STMT: " It is possible to detach the wind...
by Larsa
Mon Sep 02, 2024 4:28 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

n/a
by Larsa
Mon Sep 02, 2024 2:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Larsa, unclear about detachment from workspace, can you describe the issue?

You still can't detach a window from the WinBox main workspace and move it around freely on screen. Please check out @STMT's reply here: viewtopic.php?t=210505#p1093920.
by Larsa
Mon Sep 02, 2024 12:54 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

@normis, could you please add fixing the detachment of windows from the workspace to the list. According to @STMT, this was already provided but currently isn’t working.
by Larsa
Fri Aug 30, 2024 8:08 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

What's new in v4.0beta3:

*) fix crash on macOS 11

1. I can confirm that v4.0beta3 is working with macOS 11 - thanks! It's blisteringly fast, I must say.
2. Detaching windows from the workspace still doesn't work, though.
by Larsa
Thu Aug 29, 2024 8:19 pm
Forum: Virtualization
Topic: CHR - WiFi card not detected [SOLVED]
Replies: 2
Views: 1848

Re: CHR - WiFi card not detected [SOLVED]

ROS can't handle any network cards when running as CHR in a virtual machine. You'll need to configure the WiFi card in Ubuntu first, then add it to VirtualBox as a regular network interface.
by Larsa
Thu Aug 29, 2024 7:23 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

I agree with what @sirbryan says.
by Larsa
Thu Aug 29, 2024 1:03 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

It's shown in the window title when you're not connected

Great, thanks! 🙏
by Larsa
Thu Aug 29, 2024 12:58 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

We are trying to find such an old macbook and will test. So far, no help needed, Larsa. Thanks! Most of our field engineers are forced to use slightly older MacBooks (and you can probably guess why) using macOS 12/13 and equipped with Intel CPUs because we need to run a bunch of Windows-based legac...
by Larsa
Thu Aug 29, 2024 12:42 pm
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

It is possible to detach window if you open the drop-down menu and click the button next to the submenu name Thanks, but that doesn't work for me because the window is still locked to the WinBox workspace (ie the child window is still locked to the parent workspace) Environment: WinBox 4.0Beta1, Wi...
by Larsa
Thu Aug 29, 2024 11:11 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Crashes on Intel MacBook macOS 11.7.10. Tried several times.

@normis: let me know if the developers want a core dump and I'll sort it out.
by Larsa
Thu Aug 29, 2024 11:04 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Feedback:
1. A dropdown menu or similar submenu is currently missing for open windows.
2. Add the ability to detach a window from the WinBox workspace.
by Larsa
Thu Aug 29, 2024 10:42 am
Forum: Announcements
Topic: 📣 WinBox 4 is here 📣
Replies: 1553
Views: 376891

Re: 📣 WinBox 4 is here 📣

Crashes on Intel MacBook macOS 11.7.10. Tried several times. Process: WinBox [4220] Path: /Applications/WinBox.app/Contents/MacOS/WinBox Identifier: my.example.com Version: 0.1 (0.1) Code Type: X86-64 (Native) Parent Process: ??? [1] Responsible: WinBox [4220] User ID: 503 Date/Time: 2024-08-29 09:37...
by Larsa
Thu Aug 29, 2024 9:33 am
Forum: General
Topic: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco
Replies: 6
Views: 979

Re: Virtual Subnet Trough Ipsec Tunnel - Mikrotik To Cisco

Since you're using the same subnet as someone else on the Cisco side you'll need to use src-nat. Btw, why not use 192.168.160.0/24 since the Cisco admin already assigned it to you.
by Larsa
Wed Aug 28, 2024 10:31 pm
Forum: RouterOS beta
Topic: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control
Replies: 15
Views: 10502

Re: FEATURE REQUEST: BBR(Bottleneck Bandwidth and Round-trip propagation time) Congestion Control

FYI, BBR needs to be implemented only on the endpoints (eg like web browsers and servers) where data is being sent and received. It does not require any modifications or implementations in the routers or other network infrastructure. The only tunneling protocol I can think of that uses TCP is OpenVP...
by Larsa
Tue Aug 27, 2024 8:15 pm
Forum: Forwarding Protocols
Topic: IP Directed Broadcast In CISCO Equivalent In Mikrotik
Replies: 12
Views: 2499

Re: IP Directed Broadcast In CISCO Equivalent In Mikrotik

It works. Use this simple test below where ether1 sends 192.168.90.255 to port 2000 (but any port will do) => dst-nat broadcast => to ether2 as 192.168.80.255. Bridging the two interfaces with a filter that allows udp with an optional port number works just as well. /ip firewall nat add action=dst-n...
by Larsa
Tue Aug 27, 2024 1:20 am
Forum: General
Topic: WireGuard without public IP [SOLVED]
Replies: 2
Views: 2153

Re: WireGuard without public IP [SOLVED]

One of the ends needs a public IP address. If not, you might use ROS BTH (Back to Home) or ZeroTier which can manage without it.
by Larsa
Mon Aug 26, 2024 9:57 pm
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 13067

Re: Default password Frustration

So I'm a white fly compared to everyone else? The basics, like blocking spoofing and blocking incoming connections on standard ports, for me is the a-b-c of civilization... Yeah, you're definitely an angel compared to the typical run-of-the-mill ISPs. At most they block like egress smtp and similar...
by Larsa
Mon Aug 26, 2024 6:40 pm
Forum: Forwarding Protocols
Topic: IP Directed Broadcast In CISCO Equivalent In Mikrotik
Replies: 12
Views: 2499

Re: IP Directed Broadcast In CISCO Equivalent In Mikrotik

What type of device are you using and what does the dst-nat rule look like? Have you checked with the built-in packet sniffer to see if any broadcast traffic is reaching the interfaces?
by Larsa
Mon Aug 26, 2024 3:53 pm
Forum: RouterBOARD hardware
Topic: Default password Frustration
Replies: 101
Views: 13067

Re: Default password Frustration

ISPs don't offer free protection against botnets, DDoS attacks or anything like that. While they probably should provide it as an option for the general public IMO, these services are mainly for businesses and are usually pretty expensive because they require a lot of investment from the provider. C...
by Larsa
Sun Aug 25, 2024 9:01 pm
Forum: General
Topic: Can we upgrade zerotier and add Moon functionality?
Replies: 3
Views: 1436

Re: Can we upgrade zerotier and add Moon functionality?

The option to add your own user-defined root servers (moons) was introduced back in Zerotier v1.2.0 but unfortunately there’s still no way to manage these settings in ROS. You can add the root servers yourself in a private server, container or VPS.
by Larsa
Fri Aug 23, 2024 12:00 am
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Sorry my bad, I forgot you were on ROS v6. Try the commands below. I'm heading home now so I'll get back to you tomorrow. /ip/route/print /ip/address/print /ip/firewall/nat/export EDIT On your workstation, run the following If Windows: netstat -rn && ipconfig If Linux/Mac: netstat -rn &&...
by Larsa
Thu Aug 22, 2024 10:24 pm
Forum: General
Topic: Problem with download on x86 PC
Replies: 4
Views: 1126

Re: Problem with download on x86 PC

Back up the settings with a full export, reset to the default firewall config, and then rerun the tests again. If everything goes smoothly, you can start adding back the queues one by one and check the speed regularly to find the problematic one. Just curious, why all the static IPs and related queu...
by Larsa
Thu Aug 22, 2024 8:55 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Could you log in to the router in cabinet 1 and ping any devices in the 10.2.120.0/24 range? Also, run the following commands in a terminal and paste the output here: /ip route print proplist=dst-address,routing-table,gateway,immediate-gw,distance,local-address /ip address print proplist=address,net...
by Larsa
Thu Aug 22, 2024 8:39 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 14
Views: 10422

Re: Feature request : Multipath TCP (MPTCP) support

Well, L3 multipath/bonding shouldn't be mixed up with MPTCP which was mainly developed as an endpoint (app) protocol to facilitate transparent handover/failover/bonding. Sure, there are some special hacks to use it as a more general communication protocol but that's not very common ie you won’t find...
by Larsa
Thu Aug 22, 2024 4:39 pm
Forum: General
Topic: HGSMII for 2.5 Gbps link
Replies: 9
Views: 5317

Re: HGSMII for 2.5 Gbps link

FYI, HGSMII doesn’t have any magical plug-and-play features. It’s basically like other tech that helps manage internal devices. Since it’s just an internal component, you won’t even notice it and it doesn’t communicate with your ISP or anything.
by Larsa
Thu Aug 22, 2024 4:22 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Okay, I'll check it out later. Btw, have you had a chance to try out the new nat rules I posted earlier?
by Larsa
Thu Aug 22, 2024 4:15 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 14
Views: 10422

Re: Feature request : Multipath TCP (MPTCP) support

Hey @8023, what's your use case?

MPTCP doesn't need any special support in the router itself, it's generally used between the app connection endpoints like from a mobile device or car to a central service.
by Larsa
Wed Aug 21, 2024 3:01 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

It looks like you might have missed some details in my last post or misunderstood it. Here's what you need to do; start by removing all five lines and replace them with: add chain=srcnat dst-address=10.20.100.0/20 src-address=10.2.120.0/24 action=masquerade add chain=srcnat dst-address=10.0.0.0/24 s...
by Larsa
Wed Aug 21, 2024 2:30 pm
Forum: Forwarding Protocols
Topic: IP Directed Broadcast In CISCO Equivalent In Mikrotik
Replies: 12
Views: 2499

Re: IP Directed Broadcast In CISCO Equivalent In Mikrotik

You can use bridge filters (i.e bridge ip firewall ) or just set up a simple dst-nat broadcast forwarding like the example below. Use a specific destination port number to limit the scope of the ip directed broadcast: /ip firewall nat add action=dst-nat chain=dstnat in-interface=ether1 dst-address-t...
by Larsa
Mon Aug 19, 2024 10:26 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

@Sindy, would you mind taking a look at this: viewtopic.php?p=1092257#p1092239

Thanks in advance!
by Larsa
Mon Aug 19, 2024 10:04 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

/ip firewall nat chain=dstnat dst-address-type=local in-interface= WANX protocol=udp dst-port= YYYYY action=dst-nat to-addresses=ip.of.wan. PRIMARY That looks very generic! ;-) Sorry, I forgot about the OSPF example. I'm traveling for a customer visit for a day or two so it’ll have to wait until I'm...
by Larsa
Mon Aug 19, 2024 9:17 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

That's what I meant when I asked if it's even possible to create a generic solution that's not port-specific.
by Larsa
Mon Aug 19, 2024 8:35 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

NAT trick is clever.

Yeah, totally! @Sindy, what's your take on dst-nat vs policy routing as a fix for the multiwan wireguard bug? Do you think it's possible to create a generic solution that only affects WireGuard's initial handshake?
by Larsa
Mon Aug 19, 2024 8:26 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

To be picky, the rejection of the return traffic by the originating device is not wireguard specific its networking common... The problem is that the wireguard programming in RoS is doing something weird.............. in that its bypassing standard routing and rules in RoS.,. Anav, how the security...
by Larsa
Mon Aug 19, 2024 4:22 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

Yeah, the first WireGuard handshake is like a secret handshake between two routers (Peer A and Peer B) that want to communicate securely. Peer A sends a "hello" (handshake initiation packet) to Peer B which responds with a "hello back" (handshake response packet). But because the...
by Larsa
Mon Aug 19, 2024 4:05 pm
Forum: 3rd party tools
Topic: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management
Replies: 71
Views: 15726

Re: Introducing MikroWizard: An Open-Source Solution for MikroTik Router Management

Quick question: is the 8 GB RAM requirement an absolute minimum or is there a chance it could run on a Raspberry Pi 4 with 4 GB of RAM?
by Larsa
Mon Aug 19, 2024 2:52 pm
Forum: Forwarding Protocols
Topic: IP Directed Broadcast In CISCO Equivalent In Mikrotik
Replies: 12
Views: 2499

Re: IP Directed Broadcast In CISCO Equivalent In Mikrotik

There isn’t a specific setting, you build it using arp proxy, broadcast forwarding and so on depending on what you’re aiming for. What’s the use case?
by Larsa
Mon Aug 19, 2024 10:40 am
Forum: Forwarding Protocols
Topic: IP Directed Broadcast In CISCO Equivalent In Mikrotik
Replies: 12
Views: 2499

Re: IP Directed Broadcast In CISCO Equivalent In Mikrotik

Yeah, it's doable with ROS but you should be aware that it might be a security risk as mentioned in the Cisco manuals. It’s also disabled by default. What's the use case?
by Larsa
Sun Aug 18, 2024 9:45 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

Yeah, that was the solution I was thinking of but I had NAT in mind and just didn’t have the energy to figure out a good variation like the one you just showed.
by Larsa
Sun Aug 18, 2024 9:11 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

Great, perfect with an alternative workaround! Any thoughts on the pros and cons compared to policy routing?
by Larsa
Sun Aug 18, 2024 3:09 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

Does that fix the initial handshake issue?
by Larsa
Sun Aug 18, 2024 2:33 pm
Forum: General
Topic: Wireguard in 2nd WAN [SOLVED]
Replies: 34
Views: 5579

Re: Wireguard in 2nd WAN [SOLVED]

Basically, the ROS implementation has a bug where Wireguard's initial handshake always gets sent back through the default gateway instead of the interface the traffic came from which makes the connection fail due to a protocol error. And since the handshake isn’t tracked, you can’t use mangle to man...
by Larsa
Fri Aug 16, 2024 11:13 pm
Forum: General
Topic: Routing question
Replies: 11
Views: 1635

Re: Routing question

That’s a pretty standard setup. I can post an example next week. Have a nice weekend, cheers!🍺
by Larsa
Fri Aug 16, 2024 10:18 pm
Forum: General
Topic: Routing question
Replies: 11
Views: 1635

Re: Routing question

OSPF + BFD with two tunnels/routes (one per channel) is really easy to set up, very robust and provides rerouting in just a few milliseconds.
by Larsa
Fri Aug 16, 2024 8:16 pm
Forum: Beginner Basics
Topic: IPSec site to site VPN
Replies: 4
Views: 1261

Re: IPSec site to site VPN

Unfortunately it’s pretty tough to figure out what’s wrong just from a couple of screenshots. Try posting an export of both router configurations and maybe someone in this user forum can help out. Check out this guide on how to export and post your configuration: https://forum.mikrotik.com/viewtopic...
by Larsa
Thu Aug 15, 2024 10:58 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Okay, I think I’ve got it! The network drawing is a bit misleading (or is actually missing some crucial info) because it turns out that ether5-gateway is actually connected to the operator network 10.20.100.0/20 and the rest of the PLC network seems to be bridged together as a single 10.2.120.0/24 s...
by Larsa
Thu Aug 15, 2024 9:00 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

About the somewhat misleading wording "Siemens HMI's through their 3rd party website..." it's not actually an external connection but a web-based PLC operator monitor add-on called WinCC/WebUX.
by Larsa
Thu Aug 15, 2024 8:06 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Yeah, that's probably correct but in this instance we're talking about an internal router for PLC process control that isn’t connected to the internet. Unfortunately OP inherited the whole setup so it’s not a great idea to make major changes like upgrading to v7 without first having full control of ...
by Larsa
Thu Aug 15, 2024 7:16 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

So, cabinet #1 router ether5-gateway ( 10.20.100.15/20 ) is connected to the local device network where the S7 PLC and SIMATIC HMI are, but those devices are using different subnet address like 10.2.120.11 according to the network diagram. This is really getting too weird for me to grasp and I feel l...
by Larsa
Thu Aug 15, 2024 6:36 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

dst-address=10.20.104.54 => IP address on the controller network side of the router. If that's the router in cabinet 1, shouldn’t it be 10.2.120.1 ? to-addresses=10.2.120.11 => IP address of the SIMATIC HMI. ie, ' /ip firewall nat add action=dst-nat chain=dstnat dst-address= 10.2.120.1 dst-port=443 ...
by Larsa
Thu Aug 15, 2024 6:20 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

You can skip "in-interface=bridge-local", you should get a match just using "dst-address=10.20.104.54" and "dst-port=443". Btw, you are sure you can reach 10.20.104.54 by pinging it, which btw I assume is one of the cabinet routers?
by Larsa
Thu Aug 15, 2024 6:00 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

No worries, I was just curious. Let me know how it goes after you’ve tested it.
by Larsa
Thu Aug 15, 2024 4:14 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Alright, let me make sure I’ve got this straight: all the devices on the control network (where the laptop is) are on the same subnet (10.20.x.x/16) connected to the "IDF1 PLC Network Switch" but their IP addresses are organized by equipment type. So, back to the original issue: since all ...
by Larsa
Thu Aug 15, 2024 3:03 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

2. The laptop is connected to 10.20.101.x where all the computers connect to. It can currently access all the ethernet connected devices on 10.20.101.x through 10.20.111.x (except the 3. Each cabinet has its own router, they are wired in series like the diagram shows 2. What subnet is 100.20.101.x...
by Larsa
Thu Aug 15, 2024 2:47 pm
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

I'd like to be able to access the HMI screens in Cabinets 1,2,3 from their web interface like 2 similar Simatic HMIs in our building... 1. Access from where exactly? 2. Is the control laptop network 10.20.x.x connected directly to the PLC-network 10.20.100.x ie on the same subnet? 3. Is there a se...
by Larsa
Thu Aug 15, 2024 12:40 pm
Forum: General
Topic: Routing to second WAN device admin
Replies: 4
Views: 1049

Re: Routing to second WAN device admin

@chilloutalready; If you're trying to connect to modem #2 from your LAN (which subnet is it btw?) you shouldn't need mangle rules. Your 5G devices are already on different local subnets so you just need regular routing. Or is this a problem that only happens when you connect via VPN? How about posti...
by Larsa
Thu Aug 15, 2024 9:58 am
Forum: Beginner Basics
Topic: 3rd party system installed, can't connect to any devices on the router.
Replies: 40
Views: 3156

Re: 3rd party system installed, can't connect to any devices on the router.

Hi @chewbo, welcome to the forum! Aren’t the PLC devices supposed to be managed by the controller (HMI) on the internal bus or do you need to access them separately? This is usually done through a separate gateway which sometimes is built into the controller. As for the technician not bringing his o...
by Larsa
Wed Aug 14, 2024 8:06 pm
Forum: General
Topic: Messed up routing between multiple wireguard tunnels
Replies: 15
Views: 1424

Re: Messed up routing between multiple wireguard tunnels

This seems like a classic case of an XY problem, made even harder to understand due to an overly complicated network diagram and an even more confusing technical walkthrough.

My understanding is that you want all clients from site 1 to route to the internet via site 2. Is that correct?
by Larsa
Wed Aug 14, 2024 6:16 pm
Forum: General
Topic: Messed up routing between multiple wireguard tunnels
Replies: 15
Views: 1424

Re: Messed up routing between multiple wireguard tunnels

And what role does BGP play in all of this? Is iBGP used for internal routing?
by Larsa
Wed Aug 14, 2024 3:25 pm
Forum: General
Topic: Routing to second WAN device admin
Replies: 4
Views: 1049

Re: Routing to second WAN device admin

If you're accessing your HEX through something like WireGuard you'll always use the same local IP address for the router no matter where you are.
by Larsa
Wed Aug 14, 2024 2:02 pm
Forum: General
Topic: Dual ISP setup with static IP and PPPoE on RB450Gx4 - routing issue with WiFi Routers and ZeroTier
Replies: 3
Views: 1196

Re: Dual ISP setup with static IP and PPPoE on RB450Gx4 - routing issue with WiFi Routers and ZeroTier

You forgot to mention where all your local devices are connected (bridge?). Generally, this can be solved pretty easily with policy routing or routing marks if the devices are on different subnets. What’s your plan for using ZeroTier? Is it for remote access, site-to-site networking, etc? Btw, expor...
by Larsa
Tue Aug 13, 2024 8:15 pm
Forum: Beginner Basics
Topic: Reach LAN from Zerotier with own controller
Replies: 9
Views: 1104

Re: Reach LAN from Zerotier with own controller

Alright, dual stack (hmm...). It might be a routing issue since there aren't any replay packets and I don't see any ICMP packets coming in. As a temporary workaround for IPv4, try a source NAT approach using the command below. Just replace ZZZZZ with your ZT subnet and XXXXX with the name of your LA...
by Larsa
Tue Aug 13, 2024 6:11 pm
Forum: Beginner Basics
Topic: Reach LAN from Zerotier with own controller
Replies: 9
Views: 1104

Re: Reach LAN from Zerotier with own controller

Can you spot any traffic from the ZT interface to your LAN using the ROS packet sniffer?

Btw, what does the zerotier-cli peer status say?