MikroTik

Larsa

Even if the process only listens on specific interfaces, you can still knock out the network stack if traffic isn't getting filtered anywhere all the way down and past the input chain. That'd definitely be a serious security flaw. Like I said before, I'll try to dig into it more if I get some time t...

Larsa

Try blocking DHCP with: /ip firewall raw add chain=prerouting action=drop protocol=udp dst-port=67 I was just thinking, if the firewall doesn’t filter port 67 in raw (or anywhere else for that matter), then ROS would basically be wide open to DHCP-based DDoS attacks, which would be totally crazy. I...

Larsa

It’s most likely a matter of priority, which is why I think direct contact with sales about a real business case is probably the best way to convince management to implement VTI.

Larsa

@Larsa: It really doesn't. Try blocking DHCP with:

We use filters and redirects with input and output chains for DHCP all the time, and it’s always worked fine. I’ve never had any reason to use raw, but I’ll give it a shot later.

Larsa

OT, just one last time, just to kill off the totally wrong idea that DHCP UDP traffic somehow gets special treatment by ROS. All you need to do is turn on filter logging for any firewall chain handling the DHCP client or server. You’ll see entries like: firewall,info DHCP PORT 67/68 input: in:brwlt ...

Larsa

Flawed DHCP logging is really a topic of its own. DHCP simply uses the standard UDP ports 67 and 68, nothing complicated or mysterious about it.

Larsa

From the firewall’s point of view, it’s just regular UDP traffic like anything else. Just do a packet trace on port 67 or 68 and you’ll see for yourself.

Larsa

OT: Raw sockets have nothing to do with which ingress or egress UDP port numbers are used for DHCP. It's just a way for the program to tinker with the inner parts of the datagram. As for the diagram, DHCP definitely belongs in the services circle, both as a client and a server managed by all levels ...

Larsa

So, you’re saying ROS has some built-in, hidden special rule for DHCP standard UDP ports 67/68 that no one really understands how it works? But I agree, It’s about time some standards body like the IETF actually documented how DHCP really works, don’t you think!?

Larsa

Maybe I’m missing the point, but DHCP is of course handled by the firewall. Otherwise it would be a huge security risk.

Larsa

There are plenty of ways to connect your hybrid LAN with MikroTik RouterOS to Azure or Entra ID (Azure AD) using IPsec, BGP, WireGuard, or whatever you prefer.

Larsa

@kintho, you should also check to possbiblity to update FortiOS to a suitable version. There have been just as many fixes, additions, and changes to IPSec as there have been in ROS over the same period. Any issues you run into with ROS could just as easily be caused by FortiOS. To minimize compatibi...

Larsa

Beta 0.3 looks great!

Larsa

Looks great, I’ll try it out later this weekend!

Larsa

I think NAT input/output chains are pretty much edge cases, but they definitely have their uses. You might include them in the main diagram, or if you prefer, group them with other, more complex use cases like IPSec and WireGuard encryption loopback in a separate diagram.

Larsa

Well, a bit OT, but IPSec is no weirder than WG, just comes with a lot more bells and whistles. WG does spoof checking on the initial handshake where the egress interface gets messed up. But back to packet flow; both are common denominators for the same reason ie when using “loopback” packet scenari...

Larsa

n/a…

Larsa

This obviously applies to all IP protocol types, so in this context ICMP isn’t really a special case. If you’re going to keep any ICMP tools, I’d say ping is short and to the point. WireGuard and IPsec are also protocols that get a lot of questions. Same goes for Winbox, NTP, DNS and probably a few ...

Larsa

Probably should drop traceroute for the same reason.

Larsa

@jaclaz, just a minor detail: shouldn’t the text in the purple "nat" boxes to the left be something like “/ip firewall srcnat” and “/ip firewall dstnat” instead of just “/ip firewall nat”?

Larsa

@pushkink, any idea what kind of traffic pattern we’re seeing here? Could be handy to know, just to match it up with the timeline.

Larsa

@Amm0: Once the diagram is finished, it’s time to start adding different use cases. I’m thinking maybe 8–10 examples should be enough to cover most of the common scenarios. And maybe then we’ll finally have some flowcharts that everyone can actually follow for things like WG, IPsec, and all the new ...

Larsa

MPLS uses Protocol 138 along with LDP/OSPF/BGP ie whatever routing protocol you’re using and needs to be managed with the firewall. Yeah, RoMON is Layer 2 but still counts as a ROS service.

Personally, I’d stick to more familiar services like DNS, FTP, etc..

Larsa

Well, maybe they’re at different levels in the stack, but they still have to be handled by the internal services to work, so they definitely belong in the box. But those were just examples, so just throw in whatever you think fits best. Personally, I’d go with a few that are pretty well known and re...

Larsa

- DNS
- DHCP
- NTP
- Winbox
- WebFig
- Rest API
- SSH
- IPSec
- L2TP/PPTP/SSTP
- Wireguard
- ZeroTier
- OpenVPN
- SNMP
- BGP/OSPF/RIP/MPLS
- FTP
- CAPsMAN
- RoMON

Larsa

That looks a bit weird with that steady increase between 12:30 and 14:30, almost like a memory leak. Do a full export so we can take a look, and maybe “someone” might even have time to do a quick test in the lab. What kind of traffic is going on? Regarding hardware support, since there’s no official...

Larsa

Are you talking about something like the gray circle (with services) in my suggestion, or are you referring to a completely different approach?

Larsa

Jinx @jaclaz.

Yours was way more professional!

P.S.
Just noticed the picture in your first post - cracked me up!

Larsa

One way to make the traffic to and from the router more visual might be to add a symbol right in the middle of the diagram that represents the router itself and its different services.

Larsa

Yeah, it’s pretty clear that complaining in this thread isn’t going to change anything anytime soon. Honestly, the only way to get some real attention is to reach out directly to sales and show them a real business case.

Larsa

How did you get the MQTT setup working so the router sends the same data as the HA MikroTik Router integration on its own, without any polling involved?

Larsa

@jaclaz: The latest version looks really good! Awesome work!

Larsa

Since MPTCP is just a regular client-server (point-to-point) Layer 4 protocol that extends normal TCP (on a per-socket basis using the sockopt IP_PROTO_MPTCP), you need to build an entire ecosystem around it, kind of like with WireGuard. On top of that, you have to add an extra interface layer with ...

Larsa

Well, what don't you understand? Oskars at support already told you there's no timeline to discuss and to keep checking official announcements. That's pretty clear - they don't have a timeline to share, and when they do have news, it'll be in the official announcements like in the release notes. If ...

Larsa

@phobos: How exactly do you plan to use MPTCP on a Mikrotik? It’s designed primarily as an endpoint solution, not really for use directly on routers. Are you thinking about tunneling, or do you have something else in mind?

Larsa

@nwhisper - Yeah, read this: viewtopic.php?p=1147497#p1133870

Larsa

I have yet to find a single person who has reported that Fastpath/Fasttrack works for them on their non-RouterBOARD hardware. I don't believe it works on x86, period, and given the diversity of third-party hardware out there, I don't believe MikroTik has any interest in making it work or supporting...

Larsa

”If these issues persist, I believe I could persuade my bosses to consider switching to a more established vendor virtualised environment , like what most professionals usually do." Hmm, yet another bare metal idiocracy again. If you can’t admit your own mistakes by not checking the hardware co...

Larsa

Regarding connection tracking, I agree this could be an issue.

It’s most likely not. We run plenty of high-end, albeit virtualized, platforms and have never had any issues with connection tracking or fast track on any of them.

Larsa

Can you suggest commands or guides to troubleshoot this? I know this can be done in plain Linux, but here we have a restrictive shell. Since you are running bare metal, you’re pretty much on your own because the usual troubleshooting tools aren’t available, which means troubleshooting ROS is basica...

Larsa

This thread is primarily for built-in eSIMs based on information from the MikroTik documentation so please keep questions and feedback about the guide in this thread, and let’s continue the rest of the discussion in Amm0’s thread. Last answer for this OT: The R11e-LTE6 modem for LHG LTE6 supports eS...

Larsa

We’ve got loads of LHG LTE6 units installed, and swapping SIM cards in them a couple of times was a real pain, so now we’re looking into switching to eSIMs to avoid having to do that again. Which models have you tested this on?

Larsa

You should be able to identify the chip manufacturer using the EID (eUICC Identifier). I’m curious if the EID is somehow included in the eSIM profile itself and can be viewed by ROS, or if there are any other ways to retrieve that information perhaps using AT commands?

Larsa

1. You can find the options for both phase 1 and phase 2 here: RouterOS > Virtual Private Networks > IPsec
2. Make sure you pick a phase 2 encryption that both Cisco and MikroTik can hardware offload, which entirely depends on the models you’re using.

Larsa

@ros44: Physical card for eSIMs from esim.me

Thanks for the feedback! Do you know which brand of eSIM esim.me provides, or are there several brands to choose from? I’m also curious in the questions @jaclaz brought up.

Larsa

https://forum.mikrotik.com/viewtopic.php?t=216027 @ortazebra; I’m a bit confused to be honest You posted two messages that seem to be about the same product. First you say it does not work, then you say it works with two different products that have the same model name. Could you explain a bit more...

Larsa

Well, in theory this should work, but as always there are potential compatibility issues to keep in mind.

Take a look at this thread posted today by @Amm0: "Product Request: MikroTik should sell a 'physical eSIM' for older devices (or suggest some 3rd-party eSIM)"

Larsa

Are you monitoring resources like CPU and memory too, or just checking for BGP issues?

PS: My advice still stands, anyone running a just-released ROS version in production is definitely playing high-stakes.

Larsa

Second that!

Larsa

This is how you activate an eSIM on your MikroTik router with the mobile network operator of your choice: Get the eSIM SM-DP+ address and activation code (or QR code) from your mobile operator. Log in to your MikroTik router via WebFig or WinBox. Go to Interfaces > LTE > eSIM Management. Add new eSI...

Larsa

Does this help ? https://tiktube.com/w/gwMqv7r2AwB3zLAoeWP7FT Nope, that’s only for MikroTik’s own virtual roaming data plans (“ MikroTik Connectivity ”) @john231: Is there a guide somewhere else? It only talks about the new connectivity app. No explanation on how to use another ISP besides Mikroti...

Larsa

Yes, you can use eSIMs from any mobile network operator (MNO) with supported MikroTik routers. Here’s how to activate (provision) an eSIM in RouterOS, as explained in the MikroTik Help docs: RouterOS > Mobile Networking > LTE eSIM

Larsa

If by “affordable” you mean $700 for a CPE AP without an antenna and $2,500 for a sector base station, then yes, a real bargain! Just don’t forget to budget for the CPE antenna ($180-$350) plus mounting gear and maybe a small loan. 😃

Larsa

Larsa

Nope, not that one. I’ll see if I can find the thread that was a bit more recent... This is a pretty long thread about CCR2216 L3HW offloading, but do check out @EdPa’s explanation, which sums things up spot on: https://forum.mikrotik.com/viewtopic.php?p=1134576#p1136615. If you’re interested in de...

Larsa

viewtopic.php?t=183142

Nope, not that one. I’ll see if I can find the thread that was a bit more recent.

Larsa

Ohhhh hEX S (2025), 2.5Gb SFP. When will we be able to see the block diagram?

On the product home page for hEX S (2025). Direct link to block diagram.

Larsa

Well, there are a bunch of other ways to hardware offload, but as long as you don’t throttle the CPU at 100%, there’s no need to worry about it. But if you do find yourself hitting 100% all the time, it might be worth looking into route selection for hardware offload. There’s a thread about this fro...

Larsa

I strongly advise against using v7.19.1 in production since it’s just been released. We’re sticking with v7.15.3 until the 19.x branch proves stable enough for production use.

Larsa

..👍

Larsa

Got it, redundancy makes sense. And yep, each BGP session with Cogent and HE at each location will give you a full table if you request it.

Larsa

4 full tables shouldn’t be an issue with 16 GB RAM. Just curious, though: why do you need 4 full BGP tables? Are you running a big exchange or acting as a transit network?

Larsa

Full tables and almost unlimited peers. How many do you need?

Larsa

@pushkink; Most likely a NIC issue, like an interrupt storm hammering the CPU. Your setup should easily handle hundreds of gigabits, so something’s clearly off.

Larsa

Nice! Please let us know if this ends up being the new “stable enough” to replace 7.15.1 (we’re still running that too)

Larsa

Placement of Remove is very bad - it should be in separate place and away from window closing button I totally agree! I've hit the remove button by mistake plenty of times just because of the poor placement. It would also be great if there were an opt-in option to show a confirmation popup when try...

Larsa

Looks like the topology image is missing. Just edit the post and add it using the “Attachments” section in the lower left. Anyway, it should be the default setting but can you try setting "match-by=remote-id" on the identity? Also, please export "/ip/ipsec" since it's way easier ...

Larsa

You can easily get a bend-insensitive, UV-resistant, and weatherproof OM3 multimode fiber for about $1.50/ft or less. Just make sure it’s outdoor-rated and ideally armored if you're mounting it along a wall and around corners.

Larsa

@Jetman77, welcome to the forum! Just a quick note: as the name suggests, SPDK (Storage Performance Development Kit) is just a development kit, not a full appliance, so to make use of it, you’ll need an actual SPDK-based app. As for running an SPDK-based app in a Mikrotik RouterOS v7 container, that...

Larsa

Fixed.

Larsa

@wolkenschaufler, you're using the wrong URL. It should be: " https://<username>:<passwd>@dyndns.strato.com/nic/update?hostname=<domain>&myip=<ipaddr>,<ip6addr> ". Check this out for more info: https://www.strato.de/faq/hosting/so-einfach-richten-sie-dyndns-fuer-ihre-domains-ein

Larsa

@PrimeYeti; Even though the CRS520-4XS-16XQ has a pretty decent CPU and 4 GB of RAM, it's mainly a switch. The 4 GB is kind of borderline for handling full BGP IPv4 and IPv6 tables anyway, especially if you want to run other stuff too. If that's the case, take a look at the CCR2116, CCR2216 or the C...

Larsa

Right now its Tarana and nothing else. They take preamble puncturing to the next level....

Well, at $21,500.00, it better puncture preambles, postambles and possibly the space-time continuum: https://www.wavonline.com/Tarana-Wireless-35-0171-001

Larsa

Please read: viewtopic.php?p=1142201&#p1133887

Larsa

An alternative solution that doesn’t require scripting is to enable Netwatch logging with " /system logging add prefix=debug topics=netwatch ", and then check all the values in the log: 07:39:10 netwatch,debug debug: [ type: icmp, host: 1.1.1.1 ] Stats: 07:39:10 netwatch,debug debug: [ OK ...

Larsa

Yes, it would really help to have RouterOS v7 use more recent wireguard sources - it would improve performance considerably. Notable WireGuard changes since kernel 5.6.3, which was released on 2020-04-15: | Date | Kernel | Summary +------------+--------+---------------------------------------------...

Larsa

You need to use curly brackets when running commands in the terminal to keep everything in the same "scope":

{
:local myhost 8.8.8.8
:put $myhost
}

Or:

{ :local myhost 8.8.8.8; :put $myhost }

Larsa

What’s a ”x86 base box AP device” ?

Larsa

Totally agree with the previous speaker!

Larsa

Are you implying that MikroTik just enabled all the drivers available in kernel version 5.6.3 in the x86 release? Obviously not all available on the market, like third-party drivers, but a bunch of Mikrotik legacy and most of the mainstream drivers, like for example the NICs listed below. You simpl...

Larsa

You need to check what hardware those boxes use, like for example network card, storage controller, and so on. Then make sure drivers for those hardware devices are included by default in Linux version 5.6.3. It's not possible to add any custom drivers yourself. If you are not sure how to check this...

Larsa

Znevna/Paternot: Alright, so we’re at the “pics or it didn’t happen” stage now. :-D No one is claiming that hardware acceleration breaks the laws of thermodynamics. Of course it uses CPU resources, just not the main cores in the same way software-based encryption does. That is actually the whole poi...

Larsa

I don't know, seems to have some fixation on hardware acceleration. . . . Are there any tests somewhere to support those hundreds of tunnels without any CPU load posted somewhere and to see that indeed the CPU can do something else just as it did without any tunnels active, and that any other load ...

Larsa

WireGuard pushes impressive single-tunnel speeds on an RB5009UG, but it also comes with high CPU utilization. IPsec with hardware offload is built for a different use case, with hundreds of simultaneous tunnels and barely any load on the CPU.

Bottom line: pick the right tool for the job.

Larsa

The weaker side will always set the pace no matter what, especially when you’re talking about low-end devices used by hobbyists.

In that case, I wouldn’t even consider IPsec. I’d go with WireGuard instead, like I mentioned in my first post.

Larsa

What I was trying to say, if my comment wasn’t clear, is that you’re mixing apples and oranges. A more useful comparison might be something like USD per WG Mbit or along those lines. Since ChaCha20 throughput depends directly on raw CPU power, more power means more $$$, simple as that. Have a look a...

Larsa

WireGuard's ChaCha20 doesn't differentiate between ingress and egress traffic, so performance in either direction just boils down to traffic density and normal stuff like queue depth, tx/rx ring size, etc. Parallelism, on the other hand, is purely an implementation detail, unless you're running the ...

Larsa

Yeah, or maybe the new IBM z17 or why not the El Capitan? You see my point?

Larsa

@pe1chl; While it's true that hardware acceleration generally offloads a VPN concentrator itself, the speed of each connection is still limited by its slower end-point. In other words, to achieve maximum throughput for a IPsec tunnel, both ends still need to utilize AES hardware acceleration.

Larsa

TL;DR - WireGuard encryption performance, general info about hardware acceleration and WireGuard throughput testing.. The WireGuard encryption The ChaCha20 cipher used in WireGuard currently lacks hardware acceleration on most platforms and architectures, which means it runs entirely in software, in...

Larsa

Maybe it would be worth building a statically-linked copy of the 'conntrack' userland app, and trying to see if it would work on a jailbroken router... 👀 Not really necessary. Just look into the standard kernel module xx_conntrack and the usual userland tools ("conntrack-tools"). That sho...

Larsa

Again, OT! Please start a separate thread and I’ll respond there, alright? Anyway, just to spice up the debate before the new thread: 256 full-speed IPsec tunnels with almost no CPU impact equal, at most, 5–10 full-speed WireGuard tunnels with 100% CPU consumption [/color] on a CCR2216. And that’s a...

Larsa

@blacksnow, OT – please start a separate thread on the subject. This one's about ROS v7.19rc.

Larsa

I don't agree with this. If you want to say, "vpn concentrators where high throughput and scalability are required, ipsec with offload is the only practical solution on RouterOS" maybe that is true. But if we are talking hardware/software solutions outside of what Mikrotik provides etc, t...

Larsa

I thought I was the only one noticing a performance drop in Wireguard Since WireGuard relies entirely on software-based encryption (ChaCha20), speed is limited by the endpoint with the weakest CPU. It’s good for home setups and out-of-band management for a single connection, but for VPN concentrato...

Larsa

Currently it is hard to impossible - because formal syntax or grammar definitions do not exist. So LLM will deliver bull**t until forever. Yep, they do. It’s pretty much standard practice and kind of an essential building block when constructing compilers or scripting languages. LLM coding models a...

Larsa

We’ve had no stability issues whatsoever with either WireGuard or IPsec for a long time now. IPsec parallel throughput with hardware offload on the high-end models is really solid, with no noticeable drop in performance as long as you stay within the recommended connection limits. The only limitatio...

Larsa

Still it needs to learn by actual good examples which for rsc there are not much available as for other languages which can mislead AI. Exactly. You can create training data in many different formats, like the annotated pseudo code snippets below to complement the AST. There are plenty of other way...

Larsa

Looks like you pushed a release candidate (beta) to production. Probably not the smartest move.

Larsa

Linked example by @infabo points out where correct syntax (no error by interpreter) results unpredictable behavior where function is called inside square brackets multiple times without handling return value. If interpreter doesn't throw error for such written code, then grammar specification langu...

Larsa

It's not hard at all. LLM models just need to be trained with formal syntax or grammar specification languages like EBNF, ANTLR, etc and might be complemented with structured representations such as ASTs. There are plenty of tools and well-documented processes for this online.

Larsa

The models below show the correct syntax, but sources point to forums, not the official docs.

Mistral 7B (mistral.ai)
Claude 3 Opus (claude.ai)
gemini.google.com (Gemini 1.5 Pro)

These don't show the correct syntax:

grock (perplexity.ai)
ChatGPT (copilot.microsoft.com)

Larsa

Haha, yeah, I totally agree!

Larsa

Nice to see you're aiming for some kind of intelligent model but I assume you meant OpenAI's gpt-4.1, since GPT 4.5 is just a ChatGPT preview. That said, the responses from "The Dude AI" are surprisingly bad and do not come close to what you get from public chat models like ChatGPT, Claude...

Larsa

Did you try any of the AI site builders I linked to?

Larsa

Google "AI website builder" or just ask your favorite AI.

Larsa

Well, since you keep repeating yourself over and over again, don't listen to @Amm0's or my advice, and don't even bother to answer my questions, you're on your own. Good luck!

Larsa

Support gave you a proper answer. You can run any L2 traffic you want over Zerotier, but you need to know how to manage it using ZT flow rules together with correct ROS routing and firewall rules. And yes, it works as expected. Have you checked your firewall and the logs for OSPF LSA messages? Have ...

Larsa

Just a tip, @unlikely: make a full network topology diagram, do a complete export, start packet sniffing, turn on OSPF logging, and if you still think there’s a bug somewhere, send everything over to support. But I still don't get why you're insisting on using L2 instead of just doing it the normal ...

Larsa

@xrlls, you should probably open your own thread since it gets complicated when mixing two different use cases in the same thread.

Larsa

@Amm0; Yeah, exactly. It might be something as simple as a firewall blocking the LSA packets. If they sniff the packets and turn on OSPF LSA logging, they should be able to figure out pretty quickly what's actually going on.

Larsa

Absolutely, completely agree!

Larsa

@xrlls, like I told @unlikely, there’s no way to give you a real answer because you haven’t shared a full network topology or explained what you’re actually trying to do. From what I can tell, it sounds like you’re a bit unclear on basic L2/L3 networking. Maybe @Amm0 can help you out here.

Larsa

@unlikely: There is no way to give you a real answer because you have not shared a complete network topology or explained your actual goals.

Without that, any suggestion would be pointless guessing.

Larsa

Since MT already uses Confluence/Jira, they can just publish a link to each page that automatically creates a ticket with a comment. There are also both free and paid add-ons that can create visible comment sections, kind of like the ones you see on Microsoft’s help sites.

Larsa

@unlikely, I get what you are saying about using ZeroTier as backup and your WireGuard links not needing static neighbor setup. BUT still, the same idea I mentioned to @xrlls applies here. If you already have ZeroTier in the mix, running OSPF on top is just extra work without any benefit, quite the ...

Larsa

@xrlls, I think I get your reasoning, but I also think you are unnecessarily complicating things. If you're already using ZeroTier, then running OSPF on top of it is simply redundant. ZeroTier can fully handle dynamic route distribution and failover without needing a separate routing protocol like O...

Larsa

I'm pretty convinced they are using something like Lex/Yacc or Flex/Bison, so it should extremly easy to put together a BNF. You really have to wonder what the actuall problem is, right? Another major issue, as you pointed out, is the amount of unclear information, outright errors, and missing detai...

Larsa

Yeah, it’s probably because MT picked some cheap or freebie version that can’t really handle much, like Gemini 2.0 Flash-mini or similar. ;-) They could have at least trained their own model with BNF or similar first, so we wouldn’t have to deal with all the nonsense answers (hallucinations). But li...

Larsa

I mean some of the routers partecipating in OSPF are connected all to the same ZeroTier network / L2 domain, so brodcast mode should be possible. But every routers also belongs to other networks. Thanks for the clarification. I get that OSPF can work over the shared L2 domain, but that still leaves...

Larsa

What I don't know is whether AI understands the syntax of the language and therefore can write any new code. All AI models fully understand formal syntax descriptions for scripting languages, like standard BNF ( Backus–Naur Form ) and similar. The real issue is that Mikrotik has never bothered to p...

Larsa

Do you get the same result with Google's speed test (just Google "internet speed test") when you're plugged directly into an Ethernet port?

IMG_2908.png

IMG_2910.png

Larsa

@Amm0; Last I checked, Balticnetworks and Wavonline still had a bunch of RDS2216 in stock. Otherwise, you could import directly from the UK/EU/Lithuania, where I think tariffs are still around 10 % (at least for a couple of months more). If you order it from Lithuania, the seller should remove the 2...

Larsa

Mikrotik ROS v7 is currently missing some TE features like fast reroute and link/node protection. I'm just guessing here, but that might be why the TE tunnels don't react properly to the OSPF LSA messges and recover on their own.

Larsa

If you read reasonably carefully, you’ll probably notice that DBC is really just a collective term for a wide range of use cases and protocols, which you can find in the project links for the protocols I mentioned in my previous post. In other words, there is no fixed way to define DBC in terms of w...

Larsa

You can start by reading these and then come back here if you have any futher questions. Mikrotik Help > RouterOS > Bridging and Switching Mikrotik Help > RouterOS > Bridging and Switching > Switch Chip Features Mikrotik Help > RouterOS > Bridging and Switching > Switch Chip Features > Private VLAN ...

Larsa

@syadnom, just curious but is there a particular use case you have in mind for this?

Larsa

The OP said " OSPF over a ZeroTier L2 domain (so mode broadcast), " which sounds a bit contradictory. OSPF is basically a L3 routing helper, so I don't get how Layer 2 fits into the picture after reading the thread. I can understand running OSPF on one of the nodes to expose the ZT network...

Larsa

Haha, classic! Ah yeah, the ol vacation tech support package – been there, fixed that, didn’t get a t-shirt!

Larsa

There is absolutely no distinction in the type of devices used by ZeroTier. It can be ten smartphones or ten routers connecting the same number of subnets. What matters is the number of activated devices listed in the management console. Also, there's no such thing as a "controller route count&...

Larsa

It is extremely extremely extremely difficult to make any modern Windows "shut up" on the network, and this has been true since, gosh, XP? Vista? So darn well near 2 decades, at least. If random ARP requests from the host PC broke Netinstall, then it wouldn't even be possible for it to wo...

Larsa

ZeroTier doesn’t have visible “routes”, just virtual networks and devices/routers associated to a virtual network. Since last year, new free accounts get 10 devices/routers total, while older accounts had 25 (still valid). Extra licenses are very cheap. When someone asks about OSPF or other routing ...

Larsa

Just curious, but why even bother using OSPF on a Layer 2 network? Even using OSPF with IP seems kind of weird since all internal routing is already built into ZeroTier, right? Maybe I’m missing something here...

Larsa

Here are the same exports in code blocks # 2025-04-17 20:43:26 by RouterOS 7.18.2 # model = CRS312-4C+8XG /interface bridge add admin-mac=08:55:31:B1:9C:96 auto-mac=no comment=defconf name=bridgeLocal \ port-cost-mode=short /interface ethernet set [ find default-name=combo1 ] advertise="1G-base...

Larsa

Any particular reason you need to upgrade to v7.18 when everything’s working fine with 7.16?

If you really do need v7.18 and you’re sure you’ve run into a bug, I’d recommend reporting it to Mikrotik support. You could always try the classic Windows trick, a reboot.

Larsa

Alright, then I’ve probably misunderstood what you’re looking for. Anyway, here’s how you enable OSPF logging: " /system logging add action=memory topics=ospf,!packet ". With this setting, you should be able to track both inbound and outbound OSPF LSA messages without being flooded by low-...

Larsa

Check if the default route you see is actually comming from OSPF using ”routes print where ospf”.

If so, enable OSPF logging (without packets, i.e. !packets) to trace the sender.

Larsa

Yeah, it’s unfortunately more common than you might think, especially at small and mid-sized facilities designed by “old-school PLC guys” who lack basic networking knowledge.

Larsa

No, that's just for the CS-series (EIP2 and EIP21S). Most Omron PLCs with built-in TCP/IP support use DHCP nowadays. Gateways, Modbus adapters, and Sysmac controllers require manual configuration using Sysmac Studio or CX-Programmer via USB.

Larsa

@chaosinc; Much better! Just a few quick follow-up questions and suggestions to make the diagram easier to follow: Which VLANs are the different subnets actually connected to? To make the diagram clearer, I’d suggest labeling each subnet with its corresponding VLAN ID right where it applies. For exa...

Larsa

@chaosinc; And since there is no internet connection where you would normally use the term 'WAN', I suggest using ' PLC LAN ' and ' Management LAN ' to describe the different subnets. As @lurker888 pointed out, create a simple but complete network topology that includes IP addresses for all subnets ...

Larsa

All PLCs with TCP support that I’ve worked with allow basic network settings like dynamic or static IP address, subnet mask, DNS, and default gateway. What brand are you using in this case?

Larsa

Thanks, but is there anything new here for @chaosinc to consider, or did I miss something? Anyway, we had a thread about a similar setup for a production plant last year. I’ll see if I can dig it up.

Larsa

@gosha; Managing hundreds of manual tunnels is a nightmare without proper enterprise-grade network management tools. If your Mikrotik routers are ARM based, I strongly recommend checking out ZeroTier that is part of ROS v7. It supports Layer 2 bridging and can scale to manage hundreds or even thousa...

Larsa

Makes sense and I agree that the pattern might indicate something is off with how those models (or a specific ethernet PHY) handle certain flow conditions. That said, it's probably a wise idea at this point to file a bug report with support, and providing a sniffer trace would probably be a good ide...

Larsa

@codelogic; FWIW, most FTTH providers use a soft-cap with line speed set to max, meaning that buffering and traffic shaping are handled upstream in the distribution network at the POP switch.

Larsa

Just to add a few details to what @CGGXANNX explained so clearly. TCP congestion control is indeed smarter and more adaptive, but it only begins to work once packets are actually received by the TCP stack. If frames are dropped earlier due to buffer overflows and the router ignores incoming pause fr...

Larsa

dst-nat only changes the destination address, so when a packet from your laptop (say 10.0.80.50) hits 10.0.80.201, Mikrotik forwards it to the TP-Link at 192.168.250.1, but the source IP still remains 10.0.80.50. If the TP-Link doesn't have a proper gateway or route to 10.0.80.0/24, it won't know wh...

Larsa

Hello @chaosinc and welcome to the forum! The issue is likely that your TP-link doesn't send return traffic back through the Mikrotik, probably because it lacks a proper default gateway or a route back to it. If you can't fix it, you'll need to use src-nat or masquerade on the outbound traffic from ...

Larsa

Yeah, with how slowly the bgp/mpls stuff is getting sorted, it seems they're short on resources in that area..

Larsa

Well, considering you haven’t received any feedback at all, it’s unlikely there’ll be any fix or addition in v7.19, and certainly not in v7.20 either, so what’s the point in trying to rush the closure of v7.19? Btw, are there any threads describing your issues? Would be interesting to read what you’...

Larsa

That's what v7.19.1, v7.19.2 and 7.19.x is for @merkkg: Only if you have an active issue involving existing functionality in v7.19 that has been confirmed by support. Otherwise, you need to request access to v7.20 for internal testing, provided that support has confirmed your request for new functi...

Larsa

No, please don't rush v7.19. Instead, prioritize stability for everyone’s sake. @merkkg, if you have a business case, request access to v7.20 for internal testing.

Larsa

@horasjey, why not post it here, so others can make use of it as well?

Larsa

Yes, since tagging happens at the interface level, through the VLAN or bridge setup. The router first checks the routing table to figure out which interface to send the packet to, and that interface (like vlan50) adds the VLAN tag to the outbound traffic.

Larsa

The simplest approach is probably to go with regular routing: 1. In the Zerotier's management console -> Network Management -> Managed Routes , add 'destination' 10.252.0.0/24 'via' 10.10.10.3 2. On Router 3, add: ' /ip route add dst-address=10.252.0.0/24 gateway=vlan50 ' If you want multiple vlans/...

Larsa

Just to be very clear: the WireGuard protocol requires that the destination address of the initial handshake request MUST match the source address of the initial handshake response , otherwise the session will be dropped. If the handshake succeeds, then it is fine for the address to change, and Wire...

Larsa

You're probably getting the "no policy found/generated" error because a dynamic policy is missing. In road warrior setups like the one you're trying to set up, you normally use a policy template. Try adding a new or modify the IPsec policy with the "Template" option checked (Poli...

Larsa

WireGuard’s philosophy does not mean much unless there is a real issue to solve. If you are referring to a solid issue, like reply packets going out through the wrong WAN interface and the client rejecting them or something similar, could you please clarify what exact behavior you are seeing or refe...

Larsa

If you're trying to catch hammering offenders, it might be best to use a firewall filter with "psd" or alternatively log the handshake source IP using a script tied to interface monitoring. Just be careful not to lock out legit IPs by mistake. Always have a protected OOB management entranc...

Larsa

Just a thought, even if you’ve uploaded the new cert, maybe IPsec still using the old (expired) one. One way to make sure is to remove the expired certs and then check the ipsec settings.

Larsa

...The problem is not with initial handshake where wireguard responds. But with subsequent packets were wireguard initiates the sending. Do you mean the subsequent packets from the clients after they’ve connected to the WireGuard server, or are you referring to when the WireGuard server sends traff...

Larsa

Just to be clear, my post was about fast path via nf_flowtable, not L2MTU. Different features and different context. The idea that MT would deliberately replace or downgrade standard fast path functionality already present in the kernel and supported by current and future mainstream drivers is hard ...

Larsa

Since when does EOIP have a handshake, I use EOIP within a wireguard tunnel LOL, not outside of it. That's exactly what I was wondering about, especially with that packet capture @lurker888 posted with interface "eoip-wan2" as in: "0 3.736 rx eoip-wan2 192.168.33.1:13231 192.168.112....

Larsa

@lurker888, does EOIP really have the same handshake issue as WG, like I described above?

Larsa

@hannesclp; You could tag internal routes in BGP and filter based on that when redistributing into OSPF, but as StubArea51 pointed out, you’re running into a classic design challenge. Instead of trying to filter millions of routes on R1 and R2, I also think the best solution is to separate network f...

Larsa

Haha, I wouldn’t have asked if I had already tested it. Either way, I agree it’s strange they haven’t made use of 'fwmark' to send the initial handshake response back out through the same interface it originally came from. IMO, the WireGuard implementation in ROS v7 is still flawed in that respect.

Larsa

It’s already part of standard Linux NIC drivers. Fast path (Linux Flowtables) is built-in functionality in modern kernels since 5.1. More details here: viewtopic.php?p=1137088#p1137088

Larsa

I got this info from a friend I met this weekend. Support for " fast path " (aka Linux " flowtables ") is standard functionality in Linux kernel 5.6, which is what ROS v7 runs on. Flowtables were introduced around 2017/2018 with full user-space support in Linux 5.1 and use relate...

Larsa

Okay, but have you actually tested the "hard down" theory? Anyhow, we still use routing rules, which we consider clean and easy, and they work with MACVLAN too. And we'll keep using this approach until Mikrotik fixes the issue where the initial WireGuard handshake always leaves through the...

Larsa

Exporting your config to share in the forum is actually pretty easy. Here's a quick step-by-step guide on how to do it: viewtopic.php?t=203686#p1051720

Larsa

@ehbowen, fixing the export is actually pretty easy. Here's a guide on how to do it: "How to export your Mikrotik config and share it (Step-by-Step guide)"

Larsa

@ehbowen; Yeah, remote access over WireGuard can definitely be a bit tricky to get just right. Here are a few key things to check: 1. Since remote management like Winbox targets the router itself, you need to explicitly allow that in the firewall "input" chain for each router. For example:...

Larsa

I really don’t mind which one is considered the “correct” solution, as long as it works. But feel free to do a deeper analysis of the different options with their pros and cons.

Larsa

You're running into two pretty common IKEv2 issues: - " no policy found/generated " This usually means the router can't generate a matching IPsec policy. Check your peer, identity, and proposal settings. Make sure remote-id and my-id on the Mikrotik match what's coming from the StrongSwan ...

Larsa

@dante4; DCB is just a very vaguely defined umbrella term that says absolutely nothing about the underlying QoS protocols. If you're wondering how Datacenter QoS protocols like ETS, PCP/PFC, AQM, DCBX, or CN are implemented in RouterOS v7, check out the Mikrotik docs, for example the links below: ht...

Larsa

Nah, we're just asking for the mainstream core functionality to be present in MPLS, BGP and OSPF, and for it to actually work.

Larsa

Since you're not acting as an ISP and the BGP session is only with your colocation provider (as your default gateway), you can skip BGP and just go with OSPF for internal routing. Turn on BFD for OSPF to get quick routing failover, otherwise you'll be stuck with the default 40-second delay. You can ...

Larsa

Just a quick follow-up question: why use both BGP and OSPF?

Larsa

That was a pretty broad and general question.

More specifically, what exactly are you wondering about?

Larsa

Yeah, that ghost nexthop might actually be a clue. It usually shows up when the router knows about the route but can’t resolve the next-hop inside that VRF. Most likely, it's because the next-hop isn’t reachable from the guest VRF. That could be why the Azure route isn't showing up properly. Try res...

Larsa

...ROS versions where they supposedly fixed the issue, i.e. that WireGuard’s initial handshake is going out via the default gateway instead of the inbound interface. Might’ve been mentioned in this or the other big thread on the topic. @Mimiko, I found the post. Turns out it was @lurker888 who ment...

Larsa

And multihop and nexthop-choice are configured on the Mikrotik?

Larsa

Unfortunately, MACVLAN still needs either routing rules or @Sindy's NAT trick to work properly.

Larsa

@Mimiko, your only options are either routing rules or NAT, unless you’re on one of the newer ROS versions where they supposedly fixed the issue, i.e. that WireGuard’s initial handshake is going out via the default gateway instead of the inbound interface. Might’ve been mentioned in this or the othe...

Larsa

This is just a user forum. Please report bugs directly to MikroTik support: https://mikrotik.com/support

Larsa

@Josephny, please listen to BartoszP's advice — they're legit. My recommendation: don’t use an external DNS server for your local needs and private addresses (for a bunch of different reasons)

Larsa

Did you read the blogs, and have you also checked how multihop and nexthop-choice are configured on your MikroTik?

Larsa

No need for public A records if you run your own internal DNS server with a split DNS setup. You can map a domain like mqtt-ha.mydomain.local (or whatever) to 10.100.0.1 and have all your IoT devices point to that DNS server. It’s best practice in setups like this and is simple, reliable and fully u...

Larsa

One thing you could try is adding a RAW rule to see if those fragments even hit the router’s CPU. RAW is processed before conntrack or filters, so it might be a good way to check if something’s silently dropping them early. Use something like this: " /ip firewall raw add chain=prerouting fragme...

Larsa

I might’ve missed or misunderstood something, but here are a few quick follow-up questions: 1. Is the Azure route (10.130.0.0/20) completely missing in the guest VRF, or is it there but inactive? If it’s inactive, it could be due to an unreachable next-hop or a higher route distance. 2. Are you usin...

Larsa

True word or gossip?

As Amm0 mentioned, check out the latest RFC as they’re working on now: RFC 9759 – Unified Time Scaling (synchronizing timers for MPLS). 😉

Larsa

Ah, but of course, I totally missed that screenshot detail, good catch!

That clears it up then. The connectivity issue clearly has nothing to do with that, so yep, looks like it was just a red herring.

Larsa

please don't scare me, I got 8 BGP connections and a AS on a CCR running 7.15 since July I think and just considering to update and saw this :P

We’re still on 7.15 and won’t upgrade until there’s a long-term version with at least three patch releases.

Larsa

It would also be valid to ask why input src-nat is omitted from the official packet flow diagrams by Mikrotik, while being fully and correctly supported.

Yeah, that question has come up a few times before. Personally, I think those packet flow diagrams have a lot of room for improvement!

Larsa

Hello @thomasz and welcome to the forum! Yes, both the RB5009 and L009 can handle this setup just fine. You can create two separate networks (either using VLANs or by assigning different ports) and connect each mesh system to its own network while still sharing the same internet connection. The RB50...

Larsa

@lurker888: Great summary! Just wondering, why go with a bridge instead of assigning the addresses straight to the wg interface in this case? @Mimiko: You’ve probably already thought about it, but just a heads-up that each client still needs a unique public key in a separate peer entry, otherwise Wi...

Larsa

Just a thought, and maybe I'm missing something, but can't you give full access just between the Chromecast and Streaming Host 1?

Larsa

It seems you're running into a weird issue caused by multiple RA ULA prefixes being advertised on the same network. Your Mikrotik is advertising fd9d:..., but your Apple TV is also sending out RAs for fdf7:.... Devices like Home Assistant, the Apple Home app, and the HomeKit bridge might end up usin...

Larsa

Okay, but first try to explain what you're trying to accomplish without using too many technical terms.

Search found 2260 matches