MikroTik

Larsa

Thanks so much, I completely missed this! Breaking changes like these should come with bold warning signs. It’s also a typical sign that Mikrotik’s developers and managers still don’t get their business customers. Mikrotik could at least try by adding a section called 'Breaking changes' in the relea...

Larsa

When I reread your first post, I realized I totally missed two key details: that you’ll be using the switch standalone and with PoE. With that in mind and since you will only run pure Dante traffic, pretty much any switch with PoE will do.

Ps..
Looks like you’re double-quoting your replies.

Larsa

It doesn’t necessarily have to be ROS; it could be storage constraints, hardware or network failure, power shutdown, or other environmental issues. So there’s no point in continuing to speculate until you can access the server.

Larsa

It might work, but if this is for a recording setup and Dante is sharing the network with other bulk traffic, I’d say QoS is essential to maintain audio quality. Dante is pretty sensitive to latency and jitter, so QoS makes sure that Dante streams are prioritized over other types of network traffic....

Larsa

only have the model, but i canot reach the server x86 Supermicro SYS-530MT-H8TNR Okay, when you have access, please provide the full config, including NICs, storage boards, etc. Btw, it might be worth checking if the setup complies with Mikrotik’s requirements. Just a tip: if the Supermicro is co-l...

Larsa

@SMARTNETTT – Hopefully just on a lab server then, right? If this is regarding a bare metal x86, provide the manufacturer, model, and full configuration — without that, your warning is pretty useless! If it happens multiple times and your configuration is supported, open a support ticket with Mikrot...

Larsa

@orfeous, Starting from ROS v7.15, all Mikrotik QoS-capable switches can use Dante. For more info on switches supporting Dante, check out these links: Mikrotik help - Bridging and Switching - MikroTik QoS-Capable devices ("QoS Device Support") Mikrotik help - Bridging and Switching - Appli...

Larsa

XFRM has been a part of IPsec since Linux 2.6, released in December 2003.

Larsa

Here are some other troubleshooting suggestions. Sorry if I misunderstand or missed anything both of you already tried! - Check that Windows trusts the Mikrotik CA Open certmgr.msc. Go to "Trusted Root Certification Authorities". Check that the signing CA of the Mikrotik certificate is the...

Larsa

Just a long shot, but have you tried checking with extended logging on Windows? 1. "C:\> netsh trace start VpnClient per=yes maxsize=0 filemode=single" 2. Test the VPN connection 3. "C:\> netsh trace stop" 4. Open the .etl file using Event Viewer (eventvwr.msc). The .etl files ar...

Larsa

@Guscht: Can't help, but a notice: It's 2025, IPsec is an old, outdated overcomplicated, error-prone dinosaur. If possible, use a modern technology like Wireguard. Sure, IPsec is a "dinosaur" — just one that happens to be the standard for countless enterprises, governments, and critical i...

Larsa

...a fiber socket in each guest room... Even though it sounds a bit unusual to me, it’s possible it exists. But I can’t remember ever seeing it in a hotel, and I’ve traveled quite a bit. I mean, bringing your own fiber optic patch cables plus an SFP/RJ45 Ethernet media converter doesn’t exactly fee...

Larsa

Thank you so much!

Larsa

OpenConnect is already supported as an add-on container app service.

Larsa

Have you ever seen a hotel or student housing with an SFP port in the wall, or did you mean something else? Usually, when fiber (passive or not) is installed in a property for the end user, it's typically terminated with Ethernet or WiFi.

Larsa

v3 is already abandoned. They've said many times that there won't be any changes. Only security fixes. I afraid that some day, after updating to new RouterOS, it will show "Protocol is not supported"... And I also feel bad with this stupid design in v4. For me it's like a toy currently, I...

Larsa

We went from something that worked fine on windows and emulated well on others, most of the time, to something that doesn't work as well as the old one anywhere...

Yeah, I feel the same way. I really hope MT won't retire v3 before everything’s up to par.

Larsa

We're running a script-based approach since MT hasn't implemented SNMP for OSPF LSA yet (only for BGP). Check out "OSPF SNMP monitoring" in the "Routing Protocol Overview".

Larsa

WireGuard works well for monitoring and management, but it’s not the best choice for large-scale operations that require many connections and high throughput. In these cases, IPSec is the only real option. If someone finds IPSec tricky to set up, it’s likely more a matter of experience and expertise...

Larsa

My take on this is pretty simple: 1. Carrier aggregation is a must to get decent speeds with CAT6. 2. I'm pretty sure the China box won't do much better than the MT if properly configured. 3. Most built-in external antennas on 4G CPEs are used for Wi-Fi nowadays, not the LTE radio. For example, with...

Larsa

@sirbryan, that’s not gonna happen. ROS is designed as an embedded NOS with its own limitations. When it comes to running ROS as CHR, there are way better options. Plus, MT lacks the skill set and experience, and ROS is too unreliable for storage solutions like hyper-convergence.

Larsa

For RAM I'd say WG definitely ... because IPsec is part of ROS since ages and I'm sure they did whatever possible to reduce its memory footprint. I don't think they put the same amount of energy into WG so far. I'm not saying anything about CPU utilization, but probably WG fares better (everybody's...

Larsa

That was a lot to take in and maybe a bit tricky to get a clear picture of. Here are a few things that might help clarify things: What exactly isn’t working? - Are all Zerotier peers unreachable from the LAN, or just some? - Can LAN devices ping any Zerotier IPs, or is all Zerotier traffic failing f...

Larsa

OSPF with BFD = fast reroute within a few ms.

Larsa

It pretty easy to understand using recursive routing in this simple terms: A → B (A needs to reach B) B → C (B is reachable via C) So, A → C (indirectly via B) Example using recursive routing with ROS: 1. Set A to go via B: /ip route add dst-address=A gateway=B 2. Resolve B via C: /ip route add dst-...

Larsa

@oreggin, if you're looking for advanced MPLS/BGP solutions, you’ll probably need to consider other brands—but that also comes with additional costs. Since this is just a user forum, if you have a serious business case, you might want to contact MikroTik directly at sales@mikrotik.com or support@mik...

Larsa

I've also been thinking about getting some Ecobees. Do you use them standalone, or together with something like Home Assistant or another system?

Larsa

OSPF only handles routing between nodes in a network and doesn’t impact performance per se. Building your own mesh network works fine with a few nodes, but as the number of nodes increases, the number of tunnels grows exponentially (see below). OSPF is pretty easy to configure, but you have to do it...

Larsa

@MikroTikMarc, looks like you guys had a great time!

Gotta say, your presentation on YouTube how to build a complex OSPF lab for under $100 using Proxmox and CHR was awesome too!

Btw, here’s the link to the blog page that was mentioned in the presentation: https://admiralplatform.com/blog-page/

Larsa

With IPv6, you get a public IP; with IPv4, only CGNAT

Larsa

Yeah, and if MT is using their own Layout Manager, scaling might not work as well if DPI awareness isn't handled properly. The built-in Layout Manager scales just fine on high-resolution screens. Try the example app "Thermostat".

Larsa

I’m not sure what you mean by “concentrator” in this case so you'll need to be more specific than that. Btw, did you manage to spot the root cause by checking how OSPF adds default routes to the routing table in one of the black nodes? That said, MED is primarily designed to influence inbound traffi...

Larsa

@JavierCastilla: Which is the support service and how can I register my devices for that?

I was referring to the business impacted by a failing service, not the one that made the equipment.

Larsa

@Dida: What difference does it make if 1 or 200 services are down?

Are you being sarcastic? If we’re talking business, there’s a massive difference. One service down is a problem, but 200? That’s a full-blown disaster—support is in for an absolute nightmare of a day!

Larsa

@kevag: seems the service is down since yesterday ..200+ routers dont resolve. can this be verified by mikrotik officials ? any news when this will come back in service? MikroTik IP Cloud DDNS is free, which means there’s no SLA. With 200+ routers, I’d definitely start looking into global services ...

Larsa

The service might be down at the moment. It happens occasionally...

Larsa

ok now I want to create a iBGP filter rule to execute this...

I thought you were having trouble with OSPF. What are you trying to solve with BGP? Some more background would help.

Larsa

I prefer "auto-mac=smart" because it adapts to new conditions automatically.

Larsa

@SiB: I remember that problems on LHGR and some connector spray help or office tape :) And this was a popular problem with fist and second revision of LHGR. Second problems was how exit(take out) a sim card - this was not easy job. Yeah, I remember a few years ago when we switched MNO and had to sw...

Larsa

You can use Docker on Windows with the built-in WSL2, which is a Hyper-V virtual machine where you can run any distro you like, such as Ubuntu. To set up Docker, install either Docker Desktop following this this guide or without Docker Desktop using this tutorial.

Larsa

Haha, Anav, I see you're out here securing your files and your finances at the same time! 😂 Maybe if we tweak that command a bit: # chmod +Money Boom! Instant economic growth! 💰💸 As for joining the EU... yeah, I think Canada prefers its maple syrup debts over Mediterranean siestas. But hey, if your ...

Larsa

I know why, but I still think making users set the bridge MAC manually is an ugly kludge.

Larsa

Seriously, I don't know what the admin-mac is or what it is used for. I read some of the threads, faithfully staying in my 20-40% comprehension level, and I see that it is, by default, set to the same mac-address as the lowest numbered eth port, and that there might be a problem is/when restoring f...

Larsa

@anav - If I were you, I'd ditch the self-hosted controller and just use the cloud-based one (my.zerotier.com). Regarding your files, just: "# chmod +r *". Fixed!

Larsa

Thanks AMMO, so controller is limited to CLI, is there a sense it will migrate to Winbox eventually.

Way too complex, so I don’t think so. But you can add your own web-based manager: ZeroUI.

Larsa

Just highlight, once again, an grip of mine is the Mikrotik's ZT client does not support low-bandwidth, bonding, etc. as a "full" ZT client on PC/Mac does. And these restrictions still come in when using the controller, as traffic will go via the interface, not controller. Yeah, unfortuna...

Larsa

@NA9D - Unfortunately, you're still a bit limited when it comes to running fully autonomous operations since ROS doesn't let you configure root servers. But with your own ZeroTier controller and ZeroUI , you not only get a slick web interface, but you also have full control over network rules, authe...

Larsa

Here’s a simulation for 2.4 GHz signal loss in a somewhat dense forest using 36 dBm EIRP , with a minimum received power sensitivity of -90 dBm which BTW is extremely weak . You typical need at least -80 dBm for a somewhat stable connection and -67 dBm or better for normal performance. Typical fores...

Larsa

Please don't double-post. I've already answered your question here: viewtopic.php?p=1123269#p1123298

Larsa

@blondasek, @maigonis - This is just a user forum. If you haven't already, please email a support.rif to support@mikrotik.com.

Larsa

I completely agree, especially regarding the steps to establish a good baseline. All major players like as Cisco, Juniper, and others, provide clear guidelines for the initial setup. I mean, how hard can it be? ;) Regarding the handbook (I assume you're referring to a user guide), it's a great idea....

Larsa

Unfortunately, you do need line of sight for WiFi to work on 2.4/5 GHz. No amount of dark magic will get through 1.3 km of trees. Check Sindy’s previous answer on this.

Larsa

Well, to begin with, the documentation for the controller is a masterpiece of vagueness, to say the least. 😉 Unfortunately, the people who wrote it forgot to include an example of how to add a route to a gateway. The only cryptic and inconsistent explanation you get is: routes (IP@GW; Default: ) Pus...

Larsa

..but I do have some small houses all connected via twisted pair… This is overhead (exposed to UV, cold, rain, etc.)..

Shouldn’t be a problem if you're using a protective conduit or an outdoor-rated cable that’s UV-resistant and built to handle cold, moisture, and all kinds of weather.

Larsa

With the short distance, you can go for a super flexible multimode ... @OP mentioned 1.3km distance ... and that's direct distance. Which is way longer than 550m limit for multimode fiber. So if @OP decides for digging, it should be single-mode ... which is most often laid inside protective tube. D...

Larsa

Talk to Verizon? I can think of any number of forms of torture I'd prefer....

Same here, I’d rather have a dentist appointment without anesthesia!

Larsa

@Josephny; If you're planning to install fiber yourself and have your own machinery, just go ahead and use a narrow trenching blade. A depth of about 15-16 inches should be enough. There are plenty of reinforced microducts with pre-installed fiber designed for direct burial in the ground for about 2...

Larsa

Regarding fiber, if you're the landowner and somewhat handy, you can rent a small walk-behind trencher to lay the fiber in a ditch. To terminate it, you can rent a Fusion Splicer and use splice-on connectors, or go with mechanical connectors if you want to skip the splicing. There are also plenty of...

Larsa

Unfortunately, OSPF does not perform load balancing by itself; it only sets up routes in the routing table. Instead, you can use bonding, which is explained here: https://help.mikrotik.com/docs/spaces/ROS/pages/8323193/Bonding. If you plan to use the routers at two different locations, set up two Eo...

Larsa

Check out multicast UDP in the rules engine: https://docs.zerotier.com/rules/

Larsa

Same here, "Cmd +/-" for zooming on Macs is pure muscle memory these days.

Larsa

@dtaht - Good summary. Any guess on the current status of L4S among the key stakeholders? Can you picture a real-life scenario where BBRv3 coexists with fq_codel or L4S? And yeah, it would probably be a good idea to switch from in-house queue managers to BQL.

Larsa

@Larsa I am looking what is the best solution for this kind scenario: Secure connection to site to site - IPSEC prefered. Site A: has subnet A1 which has to have access to Site B subnet B1 and B2. Site B: has two subnets B1 and B2 to access from/to Site A subnet A1. Since your setup is a single sit...

Larsa

Just curious, what is a "normal resolution" nowadays according to MT?

Larsa

It is impossible to fix all scaling issues in Windows. Windows is very bad at DPI scaling compared to other OS and Winbox is definitely not the only program that has small pixel level issues at these settings. Since Winbox is now made in QT, we will not be able to fix all issues, at this point, mos...

Larsa

I think it’s a pretty good idea for a lot of reasons.

Larsa

@fischerdouglas: yeah, plus L3VPN/MPLS-TE, MPLS-MGMT and BGP/MPLS L3 VPN (128)...

Larsa

…a valid BGP table from them in every single AFI/SAFI…

All SAFIs? Well, then you’re in for a long wait! 😉

Larsa

I agree, but I also want to stress that loading 4 full tables on an internet border gateway is not the only use-case for BGP. Somewhat OT: I’m not trying to diminish the problems you’re dealing with (and I really hope MT puts some effort into fixing it), but BGP was basically designed for routing b...

Larsa

Okay, if the VPS is running some kind of Windows, did you restart it after changing the AssumeUDPEncapsulationContextOnSendRule settings? Here are a few more ideas: - Even if the ISAKMP session is established, a firewall or NAT might be blocking the ESP packets between the client and server. Double-...

Larsa

Same here, v4 still needs some more work before it’s usable.

Larsa

Just a guess, but check this out: viewtopic.php?t=175528

Larsa

@encrypted - Welcome to the forum! You might get more attention if you post your issue in the dedicated thread: "WinBox 4 is here".

Larsa

I’m not exactly sure what you’re looking for. Are you trying to add more sites or just filter certain types of traffic? It might be helpful if you could clarify your needs with a brief description of what you’re trying to achieve without IPsec-specific terms.

Larsa

No problem, here you are:

C:\> a:install

Jokes aside, you should be able to install Docker on a PC running Windows.

Larsa

VLANs should only be chosen between 2 and 1002 (or 1005 depending on the manual or manufacturer)

Well, not really. But only if you use switches in the early Brontosaurus period ie VTPv1/2

Larsa

Well, it might be, but IMO I doubt it, since the core dataplane library, libstrongswan, itself is about 10-15 MB, and that’s without any cryptographic backends at all. Then you need the control plane with all the management tools and user interfaces. On the other hand, MT might have a special stripp...

Larsa

If you find a solution using ROS, please share how you fixed it. Otherwise, there's always StrongSwan, which lets you to dynamically configure policies and assign specific IP ranges or subnets based on the peer's identity (like as FQDN or other attributes) similar to how it was done with racoon

Larsa

@pe1chl, does it matter which side is the responder or initiator? If not, both ends could act as initiators using DDNS. Regarding dynamic IPs, the same basic issues apply as with WG. Most ISPs don’t change IPs mid-session as long as the traffic is frequent enough, so some kind of keep-alive mechanis...

Larsa

@mwisniewski, how do iperf3 tests for UDP or TCP with different packet sizes impact throughput and CPU usage? Have you tried different algorithms for IPsec Hardware acceleration? Is there an RB4011 on both ends?

Larsa

Check out this example: https://mikrocloud.com/blog/qos/tos-and-dscp. For a more versatile way to prioritize important traffic without specifying traffic types, CAKE might be a better option. Check out this blog: " CAKE Configuration " and this thread: https://forum.mikrotik.com/viewtopic....

Larsa

Yeah, there are BIMMF fibers (Bend-Insensitive Multimode Fibers) designed for really tight spaces that can be bent with a radius as small as 7.5 mm to 15 mm (depending on the cable specs). BIMMF can be bought pre-terminated in different fixed lengths too. @mmbln - If you can't find a suitable condui...

Larsa

Bookmarked for future use!

Larsa

What kind of problems are you referring to? Got any good examples? From what I can tell, there’s no direct relationship between OSPF (IP), MLAG (L2), and ECMP (IP) When it comes to your specific issue, it’s hard to follow exactly what’s going on since your description mixes server environments with ...

Larsa

I remain curious as for the reasoning for overriding the default flow mode.

Just trying to follow the reasoning, 'overriding' as in any of the examples in this thread?

Larsa

@dakobg – Since this is just a user forum, you might get more attention by contacting Mikrotik support or sales directly, particularly if you have a business case that requires VTI.

Larsa

The issue starts when each WAN point learns the OSPF routes via iBGP, My concentrator then sees the routes coming from both WAN points, picks 1 to get to all said routes, and uses the other as a backup to get to all routes. the only logical thing I can think of is to add filters to add a weigh metr...

Larsa

Yes, that’s the correct understanding. It’s just as protected as a router should be by default. Opening services to the internet involves major risks, bug or not. This applies to all types of routers, not just Mikrotik.

Larsa

@mdd: Do you mean SVI (Switched Virtual Interface) as a VLAN interface?

Regarding IPsec’s built-in "traffic selectors", I agree with Sindy; it can easily become an overcomplicated mess and is better handled using routing or other filtering mechanisms.

Larsa

@nkourtzis - Just curious, why are you using OSPF on top of ZeroTier?

Larsa

@Byron – I might have missed or misunderstood something, so this is just a guess: I presume you’re advertising default gateways for both "network stacks" through the red (backup) link. To start troubleshooting, try checking one of the nodes and looking at the distance in the routing tables...

Larsa

From a performance perspective WireGuard is far superior … I 100% agree with @CGGXANNX …

Well, let's say it's a very good and performant solution for the prosumer enthusiast that plays well with single connections.

Larsa

You're welcome!

I forgot to mention that the same issue with dynamic IP addresses might affect Wireguard too, since it's not just unique to IPsec.

Larsa

A dynamic IP address with IPSec generally isn't a problem if you're using DDNS, as long as the IP address doesn't change in the middle of a session. If you're using some sort of keep-alive traffic like IPsec dpd-interval, it's unlikely to happen. In case it does, there are household scripts that can...

Larsa

If you were just using GRE, the tunnel wasn’t encrypted, so you’d get speeds pretty close to raw line speed. WireGuard’s encryption is done in software since it doesn’t support hardware acceleration on any platform. If you want a faster encrypted tunnel, go for an IPsec-based one. Just make sure you...

Larsa

You’d probably have to ask Mikrotik directly to get the real reason. Since this is just a user forum, we can only guess, and our opinions probably don’t affect their design decisions anyway. One plus of running ZeroTier externally is that you get full access to all configuration settings, which are ...

Larsa

Intel TME doesn’t add much in a locked-down setup like Mikrotik ROS since the environment is already pretty tightly controlled, leaving little room for the kind of physical memory attacks TME is designed to prevent in servers using Intel processors etc.

Larsa

AWS Security Groups are pretty much limited to basic Layer 3 stuff.

Larsa

FWIW, one should at least be aware that WINS has several security vulnerabilities that Microsoft hasn’t and won’t patch. If possible, I’d avoid WINS altogether. That said, it’s possible to run WINS in parallel while implementing IP-based name resolution using, for example, Samba as an Active Directo...

Larsa

FWIW, one should at least be aware that WINS has several security vulnerabilities that Microsoft hasn’t and won’t patch. If possible, I’d avoid WINS altogether. That said, it’s possible to run WINS in parallel while implementing IP-based name resolution using, for example, Samba as an Active Directo...

Larsa

WINS is a 31-year-old, obsolete Microsoft legacy service and an implementation of the NetBIOS Name Service (NBNS) that was needed for MS Windows 95 and earlier versions. Starting with Windows XP in 2001 , newer versions switched to using DNS, so WINS isn’t really necessary anymore. Since it’s no lon...

Larsa

WINS is a 31-year-old, obsolete Microsoft legacy service and an implementation of the NetBIOS Name Service (NBNS) that was needed for MS Windows 95 and earlier versions. Starting with Windows XP in 2001 , newer versions switched to using DNS, so WINS isn’t really necessary anymore. Since it’s no lon...

Larsa

If this installation is for a business, I’d recommend opting for a wired setup with PoE and avoiding Hikvision for obvious reasons.

Larsa

Assuming that more than one request comes from each unique IP, implementing rate limits can at least help mitigate the issue. It would require someone with a strong dislike for MikroTik and control over an entire ASN to send, for example, 5000 requests using 5000 unique IPs. You can easily grab che...

Larsa

It's definitely not a crawler, and it seems like the DDoS attacks are getting worse.

DDoS 01142025.png

Larsa

Sorry Sindy, that’s where our opinions go in completely different directions. Heat management is a challenge even in colder climates, so I’m pretty sure you’ll never be able to go fanless in backbone installations in a country like Congo. Also, if you suspect that Mikrotik uses fans with poor bearin...

Larsa

The 98DX82xx in the CRS317 supports large packet buffers, just like other high-end switches that come with a large amount of RAM. My guess is we'll see this implemented in the datacenter switches first.

Larsa

As I mentioned in my previous post, I think a fanless desktop switch like the CRS309 isn’t a good choice for a climate like Congo’s, especially with 10G SFPs that generate a lot of heat. That said, the CRS317 would probably be a better fit as a backbone switch. It’s a shame MikroTik hasn’t implement...

Larsa

The suggested modifications and tips for cabinet ventilation probably work great, but I’d try to avoid DIY solutions as much as possible. When you're building fiber solutions in rural areas with long distances between all tech hubs and distributed switch cabinets, you definitely want everything to b...

Larsa

First of all, I don’t think a passive (fanless) switch like the CRS309 is a good choice for a climate like Congo’s, especially with 10G SFPs that can generate a lot of heat. Secondly, you really need to do some serious hands-on testing to ensure those YXFiber China modules actually work with MikroTi...

Larsa

DDoS again? I'm getting a lot of 500 Internal Server Errors..

Larsa

You probably need to provide some more details to get a decent answer, such as: Is it for a business case using dark fiber? A single link or an aggregator of multiple 10G links to different locations (how many)? Is there a need for redundancy? Which compatible SFP+ modules? Need L2 filtering?

Larsa

@merkkg - If you’ve got an important business case, you can ask support for a special custom patch to test in the meantime. If you’re just eager for new features, it’s probably better to wait for a stable version.

Larsa

Completely agree. I don't see the point of rushing things for the sake of it!

Larsa

Jinx is what you say when two people say (or write, in this case) almost the same thing at the same time. Is there a similar saying in Greek?

Larsa

Great summary!

Larsa

Please add a built-in 'auto-rate' that dynamically adjusts Cake's settings to match network speeds when LTE/NR congestion fluctuates.

Larsa

@LFHarada – you could ask sales and marketing for any product brochures at 'sales@mikrotik.com' or use the product galleries to import pics into Visio, for example: https://mikrotik.com/product/crs504_4xq ... tn-gallery.

Larsa

You can already use Snort with ROS. But how were you thinking of implementing IPS/IDS with Snort when almost all traffic is encrypted these days?

Larsa

Since you didn’t provide an export or details about the virtual environment, here’s a guess: try increasing the RAM for the ROS virtual guest and monitor memory usage after the next restart.

Larsa

Jinx! But with way better details than I was able to provide.

Larsa

@nkourtzis: With 60 sites/subnets, it’s hard to recommend anything other than an SD-WAN solution like ZeroTier. It costs around $105/month and requires minimal effort for setup, operations, and management compared to other options. Plus, ZT handles CGNAT and dynamic ip addresses. If high-speed links...

Larsa

What about platform security? Not a single word mentioned (unless I missed it).

Larsa

That LTE is supposed to be terribly slow isn’t true.

Larsa

Happy holidays everyone!

Larsa

@UltraIsp4883; please don't cross-post (https://forum.mikrotik.com/viewtopic.php?t=213209) And as @Anav pointed out: It’s pretty tough to help out if you don’t explain exactly what’s not working, share a brief overview of the network topology and provide a full config export (minus anything that nee...

Larsa

It’s pretty tough to help out if you don’t explain exactly what’s not working, share a brief overview of the network topology and provide a full config export (minus anything that needs to be left out for privacy reasons). This migh help: https://forum.mikrotik.com/viewtopic.php?t=203686#p1051720 Ot...

Larsa

From: @rextended to @jontne
From @normis:
We have identified the issue and a fix is coming shortly.

Yeah, since Normis is not saying the issue has actually been fixed, just that they've identified it. So we’ll have to wait for feedback, hopefully coming when it's done.

Larsa

You should add a status check for the update API. There are tons of scripts on GitHub you can check out to see how it’s done: "github mikrotik cloudflare ddns script"

Larsa

Is there any alternative solution we can use to ensure a stable connection? We depend on this service for critical operations, so having a reliable alternative or knowing when it will be restored would be greatly appreciated. Pro tip: Don’t use these services for business-critical operations. We’ve...

Larsa

Still down. Likely a DDOS attack on all services since even the forum feels sluggish.

Larsa

@webtelza: This is just a user forum. Please report bugs directly to Mikrotik support: https://mikrotik.com/support.

Larsa

You’re aware this comment is from July 26, 2016, right? A true blast from the past, Cheers!

Larsa

This is just a user forum; please report issues directly to Mikrotik support.

Larsa

It doesn't necessarily have to be the router that's the main problem. A tip is to troubleshoot using the Windows Event Log on both the RDP clients and the server. A good place to start is the guide " Microsoft - Troubleshoot Remote Desktop Disconnected Errors ". This might also be useful: ...

Larsa

@AE8U, try to avoid exposing your internal network devices with open ports whenever possible. Instead, consider using VPN like WireGuard or ZeroTier. MikroTik has a built-in DDNS feature for handling dynamic IP changes called IP Cloud.

Larsa

When I started the thread earlier, the initial handshake had to finish before the connection state became "established"[*] which prevented mangling from working. I see you’re using NAT, which might be affecting things similarly to routing rules. Have you tried running a packet trace (assum...

Larsa

Perhaps you didn't read the whole thread and might have missed the most crucial parts: 1) During WG's initial handshake, there's no "connection state," so mangle rules can't apply 2) The initial handshake response always egresses through the default gateway unless you trick ROS into using ...

Larsa

Same thread that Amm0 posted previously: viewtopic.php?t=205278

Larsa

I just tested the rules as I have quoted on an rb5009 running 7.17rc1, and the mangle absolutely works for the initial handshake. Alright, good to know it works with 7.17rc1. Not sure when this changed, but it didn’t work before. If mangle works, that’s a third option along with NAT and routing rul...

Larsa

@divB, you're absolutely right to point out that this is a flawed implementation of WireGuard and it drove me nuts too before the root cause was identified. The good news is that it’s actually pretty easy for MikroTik to fix if they decide to. WireGuard works perfectly on Linux with the standard too...

Larsa

@Slartybart: Yeah, you’ll probably be just fine sticking with WireGuard. Another reason to go with it is that it’s much easier to manage than IPsec if you’re not experienced. If you somehow need maximum throughput, you might want to look into getting IPsec to work with hardware acceleration. -- @hol...

Larsa

Thank you, but yet again, not a single word about IPsec hardware acceleration which WireGuard completely lacks.

Still, it’s always nice to see such enthusiastic contributions from a cheerful enthusiast.

Larsa

Haha, yeah, that article was really 'professional,' but hey, not bad for a basement hacker who clearly has no clue whatsoever about AES hardware acceleration. Nice try though!

Larsa

Hey @muaazteladia, welcome to the forum! Great to see more knowledgeable and dedicated people joining us. Have a nice weekend!

Larsa

@holvoetn: When testing Tik to Tik with both devices capable of HW offloading IPSEC, WG is still faster. My view ... Well, I’m not sure what you’re basing your claims on, but IPsec with hardware acceleration is always faster than WireGuard— and that’s a fact! :-D Also, all AWS instance types, like ...

Larsa

@Slartybart: As WireGuard relies entirely on ChaCha20, which is a pure software encryption , throughput depends directly on the CPU power, so a slower CPU means slower throughput. For maximum throughput on AWS, consider using IPSec, though be aware that there might be a throughput cap depending on t...

Larsa

You can't just set up one subdomain in cloudflare and keep the rest in another DNS server, the NS servers have to be set to cloudflare, all mikrotik.com DNS will be managed through there. Yes, you can! There are several ways to do this, like DNS subdomain delegation, partial CNAME setups, and more....

Larsa

Aha, now I get what you're asking about! We had the exact same thoughts when we first started testing this feature. It’s really an unfortunate combination of poor documentation and a design flaw in the SMS script execution functionality. You don’t get any info about which number triggered the script...

Larsa

The SMS data contains the phone number of the sender who initiated the script with the ':cmd' syntax. Maybe I'm misunderstanding what you're trying to achieve, but we're using scripts with MT LTE CPEs to perform actions like checking status, reboots, etc, as a last resort if our normal out-of-band m...

Larsa

There's no need to fake anything since there are no restrictions on anonymous access (tho creating a post is). Your suggestion might very well work, but it could end up being like robbing Peter to pay Paul.

Larsa

Long story short, unfortunately you can’t use digits as indexes in scripts, only in the terminal. Instead, you’ll need to use indexes like "id," as shown below, where "id" is just a variable that can be named anything /tool sms :foreach id in=[inbox find where message~"^*.&q...

Larsa

Just an example of Cloudflare's pricing model : Pro - for professional websites that aren’t business-critical, $25 /month. Business - for small businesses operating online, $250 /month. All plans come with unmetered DDoS protection, they just differ in uptime SLA and number of rules for advanced set...

Larsa

No, just " forum.mikrotik.com ". But don’t take my word for it, call or email some of them and they’ll explain how it works. Btw, here's a list of popular DDoS protection service providers. Most providers have their services spread out across all continents, and in many cases, you can pick...

Larsa

Now would be a good time to check the logs for user agents. May come up empty thou since you can use any valid user agents. I’m only gonna say this once: with a proper DDoS firewall that also catches other bad stuff, you don’t have to bother about invalid user agents since they’ll get blocked anywa...

Larsa

We have disabled the search robots, except biggest ones, but the attacks are regular DDoS attacks going to different IP every time. We are trying to optimize the forum servers to handle bigger loads, but the attacks keep getting bigger too. Since PHPBB is old software, another option would be to mi...

Larsa

Well, here we go again! Now at about 1200 sessions and still climbing. Someone must be really pissed at MT...

Larsa

No problem. We’ll keep using Winbox 3/Wine for now, since v4 still has too many limitations anyway.

Larsa

/dev/null ??

Larsa

Since guest session counts are back to normal, I’m guessing MT introduced some kind of measure, but I doubt we’ll ever find out what it was.

Larsa

If you need serious DDoS protection as a front-end service, it takes massive computing resources, expert skills, and experience.

Normally, IMO that’s not something a company like MT could manage on-premise by themselves.

Larsa

@anav, it’s your call!

Once you figure out what triggers OSPF LSA state changes on a single WireGuard interface (using OSPF type PTP) connected to multiple peers/subnets, adding two tunnels to your VPS will be a breeze.

Larsa

Sorry, my bad!

I meant before MT gives in and adds a third-party DDoS protection service.

Larsa

Haha!

Either way, it really doesn’t matter how it’s done, the pikes in guest session count clearly points to a classic DDoS attack (IMO)

It’ll be interesting to see who holds out the longest in this battle, MT or the DDoS drivers. This kind of volume is pretty cheap to buy on the dark web.

Larsa

Suddenly an OSPF expert!?

Larsa

But I always block all search bot and never had an issue with max session limit hit. And yes even Google misbehaves at times. It’s extremely rare nowadays for big companies using index bots to misbehave. If there’s a problem, it’s usually a misconfiguration on your end. Also, legal index bots don’t...

Larsa

This was a new one:

IMG_2561.jpeg

Larsa

These “legal” index bots don’t cause spikes in guest session counts, so it’s most likely a DDoS attack going on.

EDIT: I still occasionally get “500 Internal Server Error.”

Larsa

Yup, seems like there’s still some kind of DDoS attack going on. The session count keeps bouncing between a few hundred and 1200-1300.

Larsa

A spike in session counts is usually a good indicator of a DDoS attack.

Larsa

No worries ya all!

Should MT decide to keep device mode in its current glorious form, just remember—we’re always here for you! 😄

Button-pushers.com

IMG_2527.jpeg

Larsa

… Sometimes on obscure places (hard, hard to reach physically). Still they insist on the button push confirmation thing.

There must be an alternative approach.

No worries, we rent out specially trained button-pushers worldwide.

IMG_2529.jpeg

Larsa

Yeah, me too!

Larsa

Yeah, that “help” doesn’t do much to stop real DDoS attacks. Pretty sure MT staff mentioned this in the forum too.

A must-read for the MT team: ”Distributed denial-of-service (DDoS) protection”

Larsa

Might be time to try out a frontend like Cloudflare or similar to get rid of the DDoS attacks.

Larsa

I assume you're talking about a radius connection to NPS. If you dont already have it, just set up a tunnel to your Azure AD - oh, sorry, I meant Entra ID ! :wink: Btw, I honestly can’t stand these pointless brand renames.. https://learn.microsoft.com/en-us/azure/vpn-gateway/tutorial-site-to-site-po...

Larsa

It’s pretty tough to help out if you don’t explain exactly what’s not working, share a brief overview of the network topology and provide a full config export (minus anything that needs to be left out for privacy reasons). Also, using a single WireGuard interface with multiple active peers can be tr...

Larsa

You’re spot on, it’s exactly the vetting process that’s the weak link! There are plenty of techical tools to lock down a GitHub repo, but it’s up to the owners/admins to decide how to use them. In the case of the XZ backdoor, the attacker got in using social engineering which let the villains access...

Larsa

Probably true, but there’s always a chance of hidden backdoors, like the "XZ backdoor". With popular solutions, it’s easier to spot and handle malicious hacks and put in countermeasures because of the sheer number of people involved. But if you’re using less reliable sources, the risk goes...

Larsa

@LAYERWEB - What rextended is suggesting is that you should avoid trusting or automatically downloading third-party ROS scripts. An untrusted source could include elements that compromise your router’s security. If you want to work with scripts, download only raw data and write your own script direc...

Larsa

The interweb grinds to a halt, the family descends into chaos, and Koemleang gets verbally roasted!

Larsa

Just curious if you happened to check the ESXi logs to find the root cause? Anyway, feel free to get back here if you find anything interesting for future reference.

Larsa

And there is MikroWizard:
- viewtopic.php?t=209925
- https://mikrowizard.com

Larsa

If you don’t find any obvious reason in ROS for the VRRP state change, check the ESXi logs for the virtual NIC (referring to my previous post).

Larsa

This might be a good start: ”Using RouterOS to VLAN your network”

Larsa

After discussing the issue internally with some techs, our best guess at this point is that the flip-flop behavior might be caused by a VMware Virtual Network Adapter 'state change' which can happen for various reasons like network congestion, resource constraints, virtual switch misconfigurations, ...

Larsa

Alright, got it. As for load balancing (ie vrrp load sharing) and grouping, have you checked if the ROS version has what you need? It might be worth a look, since it doesn’t have all the ‘bells and whistles’ of the Cisco IOS XR equivalent.

Larsa

Thanks, but I have to admit I'm pretty confused by the network diagram as the image doesn’t seem to follow a clear visual logic and it’s hard to make sense of it without additional context. For example, how does the red-dashed VRRP relate to the four nodes (VRRP1, VRRP2, CHR1, CHR2)? And what role d...

Larsa

Just curious, but why not fully utilize the VSM functionality since you already have a bunch of ASR 9Ks? I mean, why use CHRs as edge routers?

Btw, this is how you add an image to a post:

how to upload an image.png

Larsa

I will definitely look into it, but at the moment I dont understand how it works and how it could possibly add failover to a mesh topology? i dont have any other vpn service or second ISP with enough bandwidth to handle alternative routes Got it. Just want to add that OSPF isn’t really tied to othe...

Larsa

@digitallystoned - If you think it might be a bug, it’s probably better to check with Mikrotik Support . Otherwise, I’d suggest coming back with a simple network diagram to make it easier to follow your thought process, plus a full export from both devices (minus anything that needs to be left out f...

Larsa

Well, according to Apple Support 'Forget Network' should clear cached auths. Unless there’s a new flaw in iOS 18 I don’t know about..

Larsa

SMTP is always open for business-grade connections and normally closed for regular consumers. If a botnet manages to steal the username and password for your email account, it’ll use ports 587 or 465.

Larsa

Usually, you just need 'Forget Network' to clear cached auths.

Larsa

@akliouev - look for ”Reserved variable names” in the link the link that @Infabo just posted.

Larsa

I wouldn’t call it overkill. OSPF is actually pretty easy to set up and used with the BFD option you get quick failover if a link goes down. You can always add OSPF later if you want, and you can run it on top of the static routes, which then act as backup routing.

Larsa

If each of your 4 nodes is connected to all the others (ie 6 tunnels in your config), then the answer is yes. But if the other nodes only connect to a central node, the answer is no.

Larsa

@Usbuild - Once you’ve made some progress and set up your WireGuard tunnels, you can start considering a true "mesh solution" where all nodes connect with each other. This setup makes the network more redundant in case any link goes down. Wireguard Mesh.png To avoid adding static routes, t...

Larsa

Completely agree! I find it hard to understand why MT doesn’t enable the interface for all standard ZeroTier options that are available on every other platform except ROS.

Larsa

Jinx (well, almost)

Search found 1907 matches