Community discussions

Search found 1362 matches

by Larsa
Fri Jun 14, 2024 8:49 pm
Forum: General
Topic: SDWAN on LTE device
Replies: 2
Views: 218

Re: SDWAN on LTE device

@daniel3083, check this link with Mikrotik ARM LTE/5G products that can run ZeroTier.
by Larsa
Fri Jun 14, 2024 12:56 pm
Forum: Beginner Basics
Topic: Zerotier and routing tables
Replies: 9
Views: 487

Re: Zerotier and routing tables

You're most welcome! Feel free to get back with any further questions. :-D
by Larsa
Fri Jun 14, 2024 12:52 pm
Forum: General
Topic: Long Term release or new functions?
Replies: 13
Views: 794

Re: Long Term release or new functions?

My vote is for a stable long-term release on par with ROS v6, then new features.
by Larsa
Fri Jun 14, 2024 11:19 am
Forum: Beginner Basics
Topic: Zerotier and routing tables
Replies: 9
Views: 487

Re: Zerotier and routing tables

If you don't own the entire 91.168.0.0/22 range, it's probably wise to change it to something else. Otherwise, you risk routing your network traffic to the real owners out there on the interweb.
by Larsa
Thu Jun 13, 2024 11:25 pm
Forum: Beginner Basics
Topic: Zerotier and routing tables
Replies: 9
Views: 487

Re: Zerotier and routing tables

That could very well be the case, but then there are a ton of typos in the first post. :-D
by Larsa
Thu Jun 13, 2024 8:46 pm
Forum: Beginner Basics
Topic: Zerotier and routing tables
Replies: 9
Views: 487

Re: Zerotier and routing tables

The icon indicates that the chosen IP address range overlaps with a public (global) address space. Avoid using public IP address spaces for your own LAN or the ZeroTier network; instead choose a sufficiently large subnet from 10.0.0.0/8, 172.16.0.0/12 or 192.168.0.0/16 (or allow ZeroTier to pick o...
by Larsa
Thu Jun 13, 2024 6:41 pm
Forum: Beginner Basics
Topic: Zerotier and routing tables
Replies: 9
Views: 487

Re: Zerotier and routing tables

The RB1100AHx2 uses a PPC architecture which unfortunately doesn't support ZeroTier, but your Chateau does. You don't have to poke around with the routing tables yourself, just follow these simple steps: 1. Use ZeroTier Central (my.zerotier.com), go to Networks > Settings > Advanced > Managed Routes...
by Larsa
Thu Jun 13, 2024 10:07 am
Forum: Beginner Basics
Topic: Basic firewall hardening
Replies: 11
Views: 563

Re: Basic firewall hardening

Excellent summary! This should be included as the introduction to the chapter "Securing Your Router."
by Larsa
Wed Jun 12, 2024 9:55 pm
Forum: Forwarding Protocols
Topic: OSPF not installing connected routes [SOLVED]
Replies: 5
Views: 326

Re: OSPF not installing connected routes [SOLVED]

OSPF doesn't break any subnet relationships except the ones you configure it to. I suspect it might be due to some lingering static routes or maybe dynamic routes left over from other routing protocols. The fact that the GRE tunnel stopped working also points to this. Check routing tables and trace/...
by Larsa
Wed Jun 12, 2024 4:44 pm
Forum: Forwarding Protocols
Topic: OSPF not installing connected routes [SOLVED]
Replies: 5
Views: 326

Re: OSPF not installing connected routes [SOLVED]

Try setting interface type=ptp on the tunnel (or possibly ptp-unnumbered for an unnumbered Cisco device). The network prefix for tunnel (ptp) interfaces should be the address of the endpoint. https://help.mikrotik.com/docs/display/ROS/OSPF#OSPF-Matchers. Something like this: "add area=0 networ...
by Larsa
Sun Jun 09, 2024 11:05 pm
Forum: General
Topic: SQM - using FQ-CODEL in interface queues and fasttrack
Replies: 9
Views: 1978

Re: SQM - using FQ-CODEL in interface queues and fasttrack

It doesn't necessarily have to be BQL, custom-developed queue counters work just as well. Queue managers like fq-codel need these to get real-time information about driver queue length, etc.
by Larsa
Sat Jun 08, 2024 11:26 pm
Forum: Forwarding Protocols
Topic: Redistributing active IPsec tunnel destinations
Replies: 5
Views: 347

Re: Redistributing active IPsec tunnel destinations

I might've gotten everything wrong, and this is probably a really dumb suggestion since you already asked about and are using iBGP(?) for the internal network, but why not switch to an automatic full mesh with something like OSPF/PTP + BFD? Off the top of my head, it feels like that solution would b...
by Larsa
Fri Jun 07, 2024 10:58 am
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 415

Re: Questions about IPSEC

I'm not quite sure which specific mode config you're referring to that's deprecated. As for split-include, you can do it but why would you want unencrypted traffic routed outside of the tunnel at all that could be exploited by attackers, so it's pretty important to be aware of the security risks inv...
by Larsa
Fri Jun 07, 2024 8:44 am
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 415

Re: Questions about IPSEC

IPSec AES hardware encryption can matter a lot compared to WireGuard which uses only software encryption (ChaCha20).

IPsec is not limited to just IKEv2. Btw, how is it incomplete?
by Larsa
Thu Jun 06, 2024 10:46 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

Great you got it working finally! Glad you didn't have to chase packets with a packet sniffer, right? :-D And thanks for the feedback, valuable info that confirms the issue!
by Larsa
Thu Jun 06, 2024 5:03 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

.. The "Allow Default" checkbox should work same as other clients, and except itself from a route it added, if the right box was checked. Yeah, I'll definitely make sure to emphasize that in the bug report. EDIT: Is there anything regarding "allow global" that should be reporte...
by Larsa
Thu Jun 06, 2024 4:37 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 794

Re: cycle outgoing IP addresses

Awesome code

Great, thanks! Are there any other hidden gems for phpBB that can be used in this forum?
by Larsa
Thu Jun 06, 2024 3:53 pm
Forum: General
Topic: cycle outgoing IP addresses
Replies: 17
Views: 794

Re: cycle outgoing IP addresses

How did you manage to format the "code box" as in the previous post "script for schedule to rotate IP address from a list code"?
by Larsa
Thu Jun 06, 2024 2:50 pm
Forum: General
Topic: Questions about IPSEC
Replies: 7
Views: 415

Re: Questions about IPSEC

If hardware acceleration is available on both sides go with IPSec; otherwise use WireGuard. You'll need at least one public IP on either side, if not available use ZeroTier.
by Larsa
Thu Jun 06, 2024 11:15 am
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

I actually meant "allow default". It works initially but any changes or deletions afterward don't show up in ROS. It works fine with Win, Linux, and macOS though. Normally you wouldn't change the address or turn off the default route very often from ZeroTier Central, but if you did it might be goo...
by Larsa
Thu Jun 06, 2024 2:02 am
Forum: Forwarding Protocols
Topic: BGP V7 filter question
Replies: 5
Views: 387

Re: BGP V7 filter question

Check "num-list" in https://help.mikrotik.com/docs/display/ROS/Route+Selection+and+Filters. You can also use regex as described in the section "Regex Testing Tool". Example of num-list: /routing/filter/num-list add list=MYLIST-AS range=20000 add list=MYLIST-AS range=...
by Larsa
Wed Jun 05, 2024 11:22 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

@dlerner97, thanks for the network diagram though the ZT addresses and the Azure gateway 192.168.188.1 are missing. A few questions: 1. Are multiple sites built the exact same way, ie with the same subnet 192.168.250/251? 2. What's the role of 192.168.188.1 (Azure) in all of this? 3. Is there a subn...
by Larsa
Wed Jun 05, 2024 8:29 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

I'm having trouble wrapping my head around this sentence: "These allow us to use consistent IP addresses for each device across robots. For example, all robot computers have the same IP address but each is remotely accessible through the dedicated router ZeroTier interface along with a port for...
by Larsa
Tue Jun 04, 2024 10:24 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

I'm on my way to a meeting and will be back later or tomorrow for more details if needed so this will be a 'quick and dirty' answer. There are several ways to solve this: ordinary routing, mangle, or policy routing with something like the example below: 1. /routing table add name=ZerotierTable fib 2...
by Larsa
Tue Jun 04, 2024 2:03 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

Since this seems to be more of a hypothetical discussion, it's kinda hard to give more specific advice on how to implement it. Are you familiar with using policy routing with ROS in general? Perhaps you could provide a brief description of the network topology that includes the Mikrotik router and t...
by Larsa
Tue Jun 04, 2024 12:27 am
Forum: General
Topic: Mikrotik hex S can't handle with 500Mbps - CPU 95%
Replies: 6
Views: 447

Re: Mikrotik hex S can't handle with 500Mbps - CPU 95%

You likely have something in your firewall that's making it CPU-bound and unable to use Fasttrack. If you post your config someone might take a look at it.
by Larsa
Tue Jun 04, 2024 12:14 am
Forum: General
Topic: fq_codel and cake-maint project starting up this month
Replies: 5
Views: 446

Re: fq_codel and cake-maint project starting up this month

Yeah, a bunch of "best practice" configurations for some common use cases would definitely help a lot of people. Like Cake Recipes for ROS. Especially since CAKE is supposed to be easy to get started with but has tons of options.
by Larsa
Mon Jun 03, 2024 11:50 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

As I mentioned, with ROS, you don't have control over the nftable chain and need to use policy routing to explicitly manage different paths for default routes. For example, you might have one default route for the router itself and another for the ZeroTier network. Then you can use the allowDefault ...
by Larsa
Mon Jun 03, 2024 11:33 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

That's pretty basic. Let's say: 1. Your local network (LAN) is 192.168.10.0, with a ZeroTier address of 172.16.10.10. 2. ZeroTier network is 172.16.10.0. 3. The "Exit Node" you want to route your LAN to is on network 192.168.20.0 with a ZeroTier address of 172.16.10.50. In ZeroTier C...
by Larsa
Mon Jun 03, 2024 9:16 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

Well, the settings 'allow global' and 'allow default' still do exactly the same on ROS as on any other clients. It's just the administrative client interface that MT has added to ROS, not modified the actual client code (i.e. ZeroTier One). Anyhow, you don't need any of those settings to tunnel non-...
by Larsa
Mon Jun 03, 2024 2:38 pm
Forum: General
Topic: QoS Hardware Offloading (QoS-HW)
Replies: 68
Views: 14864

Re: QoS Hardware Offloading (QoS-HW)

@Raimondsp, great example! Someone should add this to the docs.
by Larsa
Mon Jun 03, 2024 12:00 am
Forum: General
Topic: fq_codel and cake-maint project starting up this month
Replies: 5
Views: 446

Re: fq_codel and cake-maint project starting up this month

what features do you need? Script-less (i.e. built-in) auto-adjustment of fluctuating connection speed like LTE/NR etc. Thanks! :-D Regarding driver queues and counters, MT's tailor-made variants probably need to be reviewed in the event of a transition to BQL. But in the long run, I believe it will b...
by Larsa
Sun Jun 02, 2024 11:15 pm
Forum: General
Topic: MVRP usage [SOLVED]
Replies: 10
Views: 689

Re: MVRP usage [SOLVED]

MVRP and similar protocols are often used in SDN switches to manage VLANs in virtual environments.
by Larsa
Sun Jun 02, 2024 12:48 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1862

Re: Connection issues with hAP AC2, any problems with my config?

Okay, don Anav! :-D Anyhow, that's just the internal carrier (aka ZeroTier virtual ethernet switch) but I do understand it's somewhat confusing when reading the docs.
by Larsa
Sat Jun 01, 2024 10:28 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1862

Re: Connection issues with hAP AC2, any problems with my config?

Subnets = IP = L3, or did I miss something?
by Larsa
Sat Jun 01, 2024 8:29 pm
Forum: General
Topic: Connection issues with hAP AC2, any problems with my config?
Replies: 32
Views: 1862

Re: Connection issues with hAP AC2, any problems with my config?

ZeroTier defaults to Layer 3 (IP). Layer 2 needs to be configured explicitly.
by Larsa
Fri May 31, 2024 6:36 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 848

Re: Can I only use mikrotik as a firewall?

@Larsa: Advanced DDoS?? That is the responsibility of ISPs (and like-minded groups of ISPs) and those in charge of the systems of the internet. According to whom? The only advanced protection against DoS/DDoS attacks that I know about is through additional services for businesses. Do you know of ...
by Larsa
Fri May 31, 2024 1:47 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 848

Re: Can I only use mikrotik as a firewall?

Concur!
by Larsa
Fri May 31, 2024 1:46 pm
Forum: General
Topic: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]
Replies: 31
Views: 1781

Re: ZeroTier Gateway Tunneling On MikroTik Device [SOLVED]

This problem doesn't actually have anything to do with ROS. You'll probably get better help on ZeroTier Community Support, or if you have a commercial license contact ZeroTier support directly. In short, ZeroTier does exactly what you're saying it to do with 'Allow Default' which overrides the defa...
by Larsa
Fri May 31, 2024 1:24 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 848

Re: Can I only use mikrotik as a firewall?

For preventing attacks, controlling internet access, redirects and VPN.

RoS doesn't support advanced prevention of DoS/DDoS or similar attacks. You'd be better off sticking with Sophos or purchasing those services from Cloudflare.
by Larsa
Fri May 31, 2024 10:18 am
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

@gotsprings, since the description of your use case is limited and you haven't specified what type of business it's used for, it's basically impossible to assess the best solution. It seems more like you need load balancing with redundancy to a central server solution and for that you don't really n...
by Larsa
Thu May 30, 2024 10:40 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 848

Re: Can I only use mikrotik as a firewall?

I currently use Sophos Firewall and want to switch to Mikrotik. What do you think?

It all depends on what you are using Sophos for. Could you provide a brief description?
by Larsa
Thu May 30, 2024 10:05 pm
Forum: General
Topic: Can I only use mikrotik as a firewall?
Replies: 14
Views: 848

Re: Can I only use mikrotik as a firewall?

Absolutely not. Where did you even hear that nonsense? Btw, what exactly do you mean by a more 'complete' firewall?
by Larsa
Thu May 30, 2024 9:31 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

If the IP address from the web browser matches the one in the IP Cloud, then you have a 'public' address. Now it's time for @Anav to help you out. :-D
by Larsa
Thu May 30, 2024 9:17 pm
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

Okay, got it. Aggregating 3 somewhat (intermittently) shaky WAN links to a datacenter. Seems like load balancing using asymmetric links tweaked with quality and capacity settings should do it. Check out Multipath Balance-Aware and beyond. If you want to set up a testbed, it's not as fancy to configure...
by Larsa
Thu May 30, 2024 1:36 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

Yeah, that would work too, though OP needs to enable "IP Cloud" first. The benefit of IP Cloud is that you can view both IPv4 and IPv6 (if enabled).
by Larsa
Thu May 30, 2024 12:47 pm
Forum: General
Topic: DHCP frantic requests with wrong expires-after value
Replies: 8
Views: 977

Re: DHCP frantic requests with wrong expires-after value

Have you checked out the new v7.15 that dropped today? If you're still having trouble and since this is just a user forum, I suggest sending in a bug report to 'support@mikrotik.com'.
by Larsa
Thu May 30, 2024 12:06 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

Yup, just the IP! :-D
by Larsa
Thu May 30, 2024 11:57 am
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

Interesting, it doesn't seem like 'ident.me' is on any DNSBL. What about https://myip.dnsomatic.com, https://api.ipify.org, or https://myip.cam?
by Larsa
Thu May 30, 2024 11:40 am
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

I'd say SD-WAN solutions like Netmaker, ZeroTier, Tailscale and similar, pretty much cover everything you need for small businesses, let's say up to 10-20 branch offices with people on the move or working from home. They're very easy to install and get going with great bang for your buck, with solid...
by Larsa
Thu May 30, 2024 10:42 am
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

@rolo95, to check if you have a 'public' IPv4 address, open 'https://4.ident.me' from the browser on the same network as your RBSXTR. Compare the address with the one on your LTE interface. If they're the same, you've got a public IPv4 address. To check if you have an IPv6 address, open 'https://6.i...
by Larsa
Wed May 29, 2024 10:53 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

Forgot to ask, but do you get a public IPv4 address on the RBSXTR? Btw, most carriers offer IPv6 these days. Have you tried it out? If that's the case, it shouldn't be a problem using WireGuard.

Also, if your RBSXTR is on the same IPv4 CG-NAT network as your cell, it should also work with WireGuard.
by Larsa
Wed May 29, 2024 10:06 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

I was totally convinced BTH worked on everything, but it only works on ARM, ARM64, and Tile. So for RBSXTR you gotta stick with regular WireGuard.
by Larsa
Wed May 29, 2024 8:31 pm
Forum: Beginner Basics
Topic: Wireguard setup to VPN LTE RBSXTR
Replies: 21
Views: 914

Re: Wireguard setup to VPN LTE RBSXTR

If you're lucky, maybe @Anav can help you out. He's like the big shot when it comes to WireGuard on this forum.
by Larsa
Wed May 29, 2024 7:37 pm
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

Most SD-WAN solutions do offer support for different kinds of aggregation types. ZeroTier has several Standard Policies listed below but also offers Custom Policies as well as Segmentation. This allows you to aggregate multiple links of different types into different "circuits" using vari...
by Larsa
Wed May 29, 2024 7:28 pm
Forum: General
Topic: winbox timeout from wan port but ping works
Replies: 12
Views: 806

Re: winbox timeout from wan port but ping works

I think WireGuard would work great. Start a new thread asking for help with setting up WireGuard (like "How to set up WireGuard for RBSXTR") using the same text you just described about your need to connect your Android with WireGuard. Include the previous export and mention which MikroTik ...
by Larsa
Wed May 29, 2024 6:06 pm
Forum: General
Topic: winbox timeout from wan port but ping works
Replies: 12
Views: 806

Re: winbox timeout from wan port but ping works

It's a pity they don't support the MIPS platform for BTH for some weird reason. But there's always the "regular" WireGuard that BTH also uses. The important thing is that you never expose ROS services directly to the internet. Btw, you can attach files to your posts using the "Attachm...
by Larsa
Wed May 29, 2024 1:01 pm
Forum: General
Topic: winbox timeout from wan port but ping works
Replies: 12
Views: 806

Re: winbox timeout from wan port but ping works

...I added the firewall rule so to open port 8291 but no luck, I can't connect to the router with WinBox from the WAN port @rolo95 - Just some friendly advice: never ever expose your router services, like port 8291, for external access through the internet on the LTE/WAN port. Instead, use a VPN like...
by Larsa
Wed May 29, 2024 10:29 am
Forum: General
Topic: MAP-E(RFC 7597)
Replies: 8
Views: 3216

Re: MAP-E(RFC 7597)

Yeah, there is obviously room for improvements.
by Larsa
Wed May 29, 2024 10:09 am
Forum: General
Topic: MAP-E(RFC 7597)
Replies: 8
Views: 3216

Re: MAP-E(RFC 7597)

Yes, you can use any MikroTik router other than just the RB4011. Iliad likely recommended it because of the SFP+ port, but you can get the RB5009, which is more powerful for a similar price.
by Larsa
Wed May 29, 2024 9:42 am
Forum: General
Topic: MAP-E(RFC 7597)
Replies: 8
Views: 3216

Re: MAP-E(RFC 7597)

Okay, got it!

Your ISP is a pure IPv6 provider, so you need a tunnel for the IPv4 traffic. Yes, it's doable using the IPIPv6 tunneling in ROS which is supported by any Mikrotik Router. Just follow the instructions in https://www.iliad.it/docs/VoIP/Guida_Mikrotik_e_VoIP.pdf
by Larsa
Wed May 29, 2024 6:28 am
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

ZeroTier supports all of that, like most other SD-WANs do. Performance-wise, it all depends on the platform. There's not much any other SD-WAN solution can do about it, be it Bigleaf or others.
by Larsa
Wed May 29, 2024 12:23 am
Forum: General
Topic: MAP-E(RFC 7597)
Replies: 8
Views: 3216

Re: MAP-E(RFC 7597)

Do you have a specific use case in mind you need this for?
by Larsa
Tue May 28, 2024 11:41 pm
Forum: The Dude
Topic: Notifications
Replies: 6
Views: 644

Re: Notifications

Are you sure you tested it on an Exchange account with MFA enabled?
by Larsa
Tue May 28, 2024 11:25 pm
Forum: General
Topic: RB5009 and 2Gb/s internet speed [SOLVED]
Replies: 19
Views: 1645

Re: RB5009 and 2Gb/s internet speed [SOLVED]

Keep in mind RB5009 isn't good for 2Gbit with PPPoE connection.

@GolemPL; like I said in the other thread, there might be something fishy going on with your router config or possibly your ISP. I suggest you open your own thread and export your config to sort it out.
by Larsa
Tue May 28, 2024 10:40 pm
Forum: Beginner Basics
Topic: Port forward for Minecraft server 25565
Replies: 3
Views: 432

Re: Port forward for Minecraft server 25565

@s0und2019: Are you running your own Minecraft server and want to open an "incoming" port for your friends to connect to?

Otherwise, you don't need to do anything if you're connecting to someone else's server.
by Larsa
Tue May 28, 2024 7:30 pm
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

ZeroTier is a "zero trust" solution, meaning it always uses end-to-end encryption. It works like DNS, with root servers (a.k.a. ZeroTier "moons") for establishing the initial connection. Afterwards, all clients communicate directly with each other, like a giant mesh network, as long...
by Larsa
Tue May 28, 2024 6:25 pm
Forum: RouterBOARD hardware
Topic: Which router for ~100 clients
Replies: 33
Views: 2749

Re: Which router for ~100 clients

Regarding Bigleaf, RoS already has a built-in SD-WAN solution called ZeroTier, which is considerably cheaper. With SD-WAN such as ZeroTier installed on your laptops and phones, you have constant access to your office anytime, but without having to "dial up your office VPN". You're always c...
by Larsa
Tue May 28, 2024 4:22 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 9
Views: 970

Re: Advice on how to grow an ISP network

Really great overview and summary! You're clearly passionate about designing network architectures. Totally agree with you on OSPF and the challenges of iBGP full mesh.
by Larsa
Tue May 28, 2024 3:29 pm
Forum: RouterBOARD hardware
Topic: RB5009 performance issue
Replies: 7
Views: 673

Re: RB5009 performance issue

@GolemPL, it sounds like you might have some heavy firewall rules, queues or software encrypted tunnels that are causing all the traffic to be CPU-bound.
by Larsa
Tue May 28, 2024 3:03 pm
Forum: Forwarding Protocols
Topic: ROS v7 - OSPF - Area Range - Bug [SOLVED]
Replies: 3
Views: 343

Re: ROS v7 - OSPF - Area Range - Bug [SOLVED]

Thanks! RoS version?
by Larsa
Tue May 28, 2024 2:48 pm
Forum: Forwarding Protocols
Topic: ROS v7 - OSPF - Area Range - Bug [SOLVED]
Replies: 3
Views: 343

Re: ROS v7 - OSPF - Area Range - Bug [SOLVED]

It would be really helpful for other users facing similar issues if you could share the solution as well.
by Larsa
Tue May 28, 2024 1:29 pm
Forum: General
Topic: Advice on how to grow an ISP network
Replies: 9
Views: 970

Re: Advice on how to grow an ISP network

The original article is still available from IP ArchiTechs: https://iparchitechs.com/webinar-isp-design-separation-of-network-functions.

This one might also provide some general tips: https://www.daryllswer.com/edge-router-bng-optimisation-guide-for-isps
by Larsa
Tue May 28, 2024 12:49 pm
Forum: The Dude
Topic: Notifications
Replies: 6
Views: 644

Re: Notifications

If the Microsoft 365 Security Default settings are enabled on a tenant, you can still create an App Password after you set up MFA on the user account or Shared Mailbox. BUT, authentication with the App Password doesn’t work if the Security Default settings are enabled. Maybe this will change in the ...
by Larsa
Tue May 28, 2024 12:06 pm
Forum: The Dude
Topic: Notifications
Replies: 6
Views: 644

Re: Notifications

As apparently it doesn't work with Office 365 SMTP. You need to create a unique email account app password for this to work. Go to: Settings > Office 365 > Security & Privacy > Additional Security Verification > App Passwords. Office 365 SMTP server settings: SMTP Server address: smtp.office365....
by Larsa
Tue May 28, 2024 10:48 am
Forum: Scripting
Topic: Empty $leaseActIP in DHCP script
Replies: 5
Views: 434

Re: Empty $leaseActIP in DHCP script

Available DHCP variables (MikroTik help) - These are the variables that are accessible for the event script: bound: "1" = lease is added or changed; "0" = lease is removed. server-address: DHCP server address. lease-address: lease address provided by a server. interface: n...
by Larsa
Sun May 26, 2024 6:48 pm
Forum: General
Topic: Multi Starlink WANs, VOIP and live stream broadcast
Replies: 5
Views: 1087

Re: Multi Starlink WANs, VOIP and live stream broadcast

I think IPv6 is a good way to go, but since there are still plenty of pure IPv4 apps you probably want to run, I'd consider adding dual stack support, i.e. also add ipv4. Regarding queues, I might have missed something, but I still think CAKE is particularly well-suited for use with Starlink to hand...
by Larsa
Sat May 25, 2024 9:17 am
Forum: Beginner Basics
Topic: VU+ ZERO 4K satellit receiver port forward
Replies: 33
Views: 1362

Re: VU+ ZERO 4K satellit receiver port forward

First off, don't open any ports to the internet. Use a VPN instead, like WireGuard or ZeroTier. Then you can access it using its local IP address.

If you're trying to figure out how to access the receiver on your local network, you'll first need to find its IP address.
by Larsa
Fri May 24, 2024 10:53 pm
Forum: Scripting
Topic: Auto update script for Hurricane Electric IPv6 Tunnel broker ipv4 endpoint behind NAT
Replies: 2
Views: 448

Re: Auto update script for Hurricane Electric IPv6 Tunnel broker ipv4 endpoint behind NAT

1. Print all IP Cloud info to terminal: /ip/cloud/print
2. Assign the IP Cloud IPv4 address to a variable and print it: { :local ipv4addr [/ip/cloud/get public-address] :put $ipv4addr }
3. Assign all IP Cloud information into an array, pick the IPv4 address, and then print it: { :local ipcloud [/ip/c...
by Larsa
Fri May 24, 2024 7:28 pm
Forum: Beginner Basics
Topic: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier
Replies: 6
Views: 608

Re: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier

Glad to hear you figured it out, well done!
by Larsa
Thu May 23, 2024 11:17 pm
Forum: General
Topic: Site to Site IPsec (IKEv1) connects and establishes connection but does not ping between LAN
Replies: 7
Views: 512

Re: Site to Site IPsec (IKEv1) connects and establishes connection but does not ping between LAN

Did you try pinging like pe1chl suggested?
pe1chl?? what is this?

It's not a thing, it's a user (@pe1chl). :-D Check out his post just above regarding ping.
by Larsa
Thu May 23, 2024 9:37 pm
Forum: Beginner Basics
Topic: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier
Replies: 6
Views: 608

Re: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier

Remove '192.168.195.0/24 via 192.168.195.245' and then add '192.168.188.0/23 via 192.168.195.128' to 'Managed Routes'. This basically tells all your ZeroTier devices that if they want to reach anything in the 192.168.188.0 range, they should send their traffic to 192.168.195.128 (i.e. your LHGG)...
by Larsa
Thu May 23, 2024 7:27 pm
Forum: General
Topic: Site to Site IPsec (IKEv1) connects and establishes connection but does not ping between LAN
Replies: 7
Views: 512

Re: Site to Site IPsec (IKEv1) connects and establishes connection but does not ping between LAN

Are your peers active? Do you have the required IPsec policy enabled, and are your local subnets open for access in the firewall? add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec add action=accept chain=forward comment="accept out ipsec policy"...
by Larsa
Thu May 23, 2024 7:16 pm
Forum: Beginner Basics
Topic: LTE/5G Modem RSRP, SINR, RSRQ ranges and labels (excellent, good, etc.)
Replies: 4
Views: 614

Re: LTE/5G Modem RSRP, SINR, RSRQ ranges and labels (excellent, good, etc.)

Firstly, some sources show different ranges for 4G/LTE and 5G/NR. Some sources suggest 5G/NR needs a cleaner signal, thus higher positive values to achieve the same 'excellent' label. The 5G high-speed band FR2 (mmWave) needs stronger and better signal quality to work well, but otherwise, it's prett...
by Larsa
Thu May 23, 2024 4:32 pm
Forum: Beginner Basics
Topic: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier
Replies: 6
Views: 608

Re: Connection to LAN behind Mikrotik LHGG LTE6 kit using Zerotier

@lotan; looks like you have the same subnet (192.168.0) on both sides which might be an issue if you haven't already split the network in half. Besides that, all you need to do is: 1) Add the ZeroTier interface on your LHGG to the "LAN" interface list. (WinBox: Interfaces->Interface List) ...
by Larsa
Thu May 23, 2024 1:39 pm
Forum: Beginner Basics
Topic: LTE/5G Modem RSRP, SINR, RSRQ ranges and labels (excellent, good, etc.)
Replies: 4
Views: 614

Re: LTE/5G Modem RSRP, SINR, RSRQ ranges and labels (excellent, good, etc.)

Should be the same for both 4G/LTE and 5G/NR, which you can find almost anywhere, i.e. something like below. These numbers are just meant to give you a general idea. RSRP (Reference Signal Received Power): The strength of the signal your device receives from the cell tower. Level RSRP (dBm) Description Ex...
by Larsa
Wed May 22, 2024 1:53 pm
Forum: General
Topic: How can I access ISP router from lan
Replies: 5
Views: 494

Re: How can I access ISP router from lan

Then you could connect your computer directly to your ISP's router. If that doesn't help, it's some other issue we can't help you with.
by Larsa
Wed May 22, 2024 12:09 pm
Forum: General
Topic: How can I access ISP router from lan
Replies: 5
Views: 494

Re: How can I access ISP router from lan

Just type http://192.168.10.1 into your browser, or am I missing something?
by Larsa
Wed May 22, 2024 12:05 pm
Forum: RouterBOARD hardware
Topic: Cant access wAP series R11e -LTE
Replies: 1
Views: 311

Re: Cant access wAP series R11e -LTE

Use WinBox and try to connect using the MAC address under the "Neighbors" tab.
by Larsa
Wed May 22, 2024 12:00 pm
Forum: Beginner Basics
Topic: Run VPN for specific application
Replies: 2
Views: 361

Re: Run VPN for specific application

Unfortunately, there's no trigger to automatically fire up NordVPN, like when you use a specific port or IP address. Why can't you just leave NordVPN on all the time and, say, only route certain traffic through it?
by Larsa
Wed May 22, 2024 10:36 am
Forum: General
Topic: LHG LTE6 kit: is this performance normal?
Replies: 7
Views: 908

Re: LHG LTE6 kit: is this performance normal?

At that distance, you should get at least -10 dB (RSRQ). It's the signal strength that makes me wonder it might be the wrong tower. Put your iPhone in field test mode by dialing: *3001#12345#* . Check the connection IDs and compare them to your LHG. EDIT: We've got a whole bunch of customer setups w...
by Larsa
Wed May 22, 2024 10:27 am
Forum: General
Topic: LHG LTE6 kit: is this performance normal?
Replies: 7
Views: 908

Re: LHG LTE6 kit: is this performance normal?

...
by Larsa
Wed May 22, 2024 9:40 am
Forum: General
Topic: Multi Starlink WANs, VOIP and live stream broadcast
Replies: 5
Views: 1087

Re: Multi Starlink WANs, VOIP and live stream broadcast

Set up your Starlinks in " Bypass Mode " to obtain distinct WAN addresses, use the Cake queue manager to automatically prioritize traffic like VOIP and use Mikrotik Starlink load balancing . If you're thinking about setting up VLANs, a good place to start is by reading the user article &qu...
by Larsa
Wed May 22, 2024 12:24 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 875

Re: Access Lan Devices through windows Wireguard Client

And of course, listen to Anav, who's the real WireGuard expert here! :-)
by Larsa
Wed May 22, 2024 12:02 am
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 875

Re: Access Lan Devices through windows Wireguard Client

So not possible unless I set up site to site? Yes it's possible but as for "site-to-site" it really comes down to "allowed ip addresses" at both ends for the WG config and your firewall rules including NAT/Masquerade etc. Think of WireGuard as a super long virtual ethernet cable....
by Larsa
Tue May 21, 2024 11:51 pm
Forum: General
Topic: Access Lan Devices through windows Wireguard Client
Replies: 13
Views: 875

Re: Access Lan Devices through windows Wireguard Client

Yeah, just set up a site-to-site VPN with Wireguard and route the two subnets to each other.
by Larsa
Tue May 21, 2024 9:50 pm
Forum: General
Topic: LHG LTE6 kit: is this performance normal?
Replies: 7
Views: 908

Re: LHG LTE6 kit: is this performance normal?

@jrychter; are you totally sure you're aiming the antenna at the right tower? There's an easy way to check this. First, run a speed test on your phone to enable CA (carrier aggregation). Then immediately put your phone in field test mode and compare its cell IDs with the ones in your LHG.
by Larsa
Tue May 21, 2024 2:50 pm
Forum: Wireless Networking
Topic: Mikrotik Filter Script for Starlink, Anti Stow, Anti Lag, Anti Torrenting, Gaming priority
Replies: 1
Views: 491

Re: Mikrotik Filter Script for Starlink, Anti Stow, Anti Lag, Anti Torrenting, Gaming priority

You might be able to shave off a few milliseconds on the MikroTik or by running something like Cake under heavy load, but most of the lag usually comes from Starlink, which unfortunately isn't great for gaming when it comes to latency. Anti-Stow has nothing to do with MikroTik and requires firmware ...
by Larsa
Tue May 21, 2024 1:32 pm
Forum: RouterBOARD hardware
Topic: GRE Zscaler can't load website
Replies: 3
Views: 587

Re: GRE Zscaler can't load website

L009 doesn't have IPsec/AES hardware acceleration so encryption happens in software. This means your L009 CPU performance will determine how fast things can go. Check CPU stats when performing tests.
by Larsa
Mon May 20, 2024 9:48 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

Do you not understand what DPDK/VPP is? There is no "appliance", it's 100% software-only using CPU. MikroTik only needs to delete the code for netfilter framework dataplane and replace it with DPDK/VPP for the dataplane, control and MGMT plane will retain netfilter framework code (ideal...
by Larsa
Mon May 20, 2024 8:15 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

RouterOS CHR/bare-metal — DPDK/VPP DPDK is a set of user-space libraries that normally won't fit into an embedded system. I don't see the point of using ROS to develop a bare-metal DPDK appliance for a tailor-made solution on a market Mikrotik doesn't operate within (i.e. way out of their league). ...
by Larsa
Mon May 20, 2024 7:45 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

But you've been going on about how MikroTik should look into DPDK. What are you trying to say? That MikroTik should develop DPDK high end appliances, or did I miss something like an alternative to DPDK? Similarly, any other options out there will need a ton of memory to work their best, which is exa...
by Larsa
Mon May 20, 2024 7:29 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

@Larsa, when I say VyOS, I specifically only cared about the dataplane options (DPDK 100GB code is not the only option), which would be perfect for MikroTik embedded ROS (on modern arm64 hardware). DPDK in an MT embedded system using a standard SoC? You're joking, right? BTW, it's not 100GB of code...
by Larsa
Mon May 20, 2024 6:35 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

You're way off base! It's in no way fair to compare an embedded NOS like MT/ROS to VyOS, which is a full-fledged Debian Linux solution primarily for x86_64 boxes or virtual NOSes that at a minimum requires 2 GB of storage and 512 MB of RAM. ROS should be compared with NOS built on embedded syste...
by Larsa
Mon May 20, 2024 4:17 pm
Forum: Virtualization
Topic: MULTI CHR
Replies: 4
Views: 592

Re: MULTI CHR

You don't need a license key for the free version of CHR. Just download and install, that's all.
by Larsa
Mon May 20, 2024 1:51 pm
Forum: Virtualization
Topic: MULTI CHR
Replies: 4
Views: 592

Re: MULTI CHR

If you're looking to evaluate CHR/ROS, you can use the free, unlicensed version which is limited to 1 Mbps but otherwise has full functionality.
by Larsa
Fri May 17, 2024 11:54 pm
Forum: General
Topic: LHGGR underperforming LTE speeds [SOLVED]
Replies: 30
Views: 2035

Re: LHGGR underperforming LTE speeds [SOLVED]

I don't think that MTU mismatch would explain shitty download and decent upload ...

A 'shitty download and decent upload' usually indicates a crowded base station, probably because a lot of streaming...
by Larsa
Fri May 17, 2024 11:17 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

Yeah, it's a pity the extended version of BPF hasn't been introduced as standard in macOS. It might be because Apple doesn't sell "network-related" hardware, IDK. And since macOS extensions (kext) are moving away from the kernel, third-party versions of eBPF will probably disappear.
by Larsa
Fri May 17, 2024 7:41 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

Although macOS PF is pretty okay, the standard interface (i.e., Apple > Settings > Network > Firewall) is pretty much a disaster and pfctl is too cumbersome IMO. I wouldn't cope without Little Snitch (or LuLu).
by Larsa
Fri May 17, 2024 6:20 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

... start by getting rid of Broadcom in an anti-competitive lawsuit across the globe. I bet the entire WVM sphere (absolutely no pun intended ;-) ) would totally agree with that as well.. You're making this a complex explanation. It's called UI/UX design and programming. That's what MikroTik (and t...
by Larsa
Fri May 17, 2024 2:18 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

Well, sort of. It still is the chip that sets the limitations. Though SAI offers significantly greater flexibility in managing the configuration process from user space (i.e. ROS) directly to the driver without having to adapt to and pass through the Linux kernel DSA interface structures (which BTW wa...
by Larsa
Thu May 16, 2024 10:13 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

I already had the NAT rule from years gone by but had it disabled.

Told you so! :wink:
by Larsa
Thu May 16, 2024 10:08 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7082

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

It was an issue with the firewall and a disabled NAT rule, according to the other thread. Either way, the root cause was a flawed configuration.
by Larsa
Thu May 16, 2024 8:58 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

@mongobongo; Well, good for you! Though a reboot is hardly a long-term solution since you obviously didn't manage to isolate the root cause of the issue. And please don't blame support for doing their job, or anyone else for that matter, for not telling you to reboot your own equipment. And I really...
by Larsa
Thu May 16, 2024 7:37 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

@Mongobongo; I've read all your posts several times and I am still confused. Let's focus on the part from your 'napkin' diagram that isn't working. What do you mean by 'Only one way communication'? Have you checked you have two active peers/SA on both sides, or do you mean you only receive traffic f...
by Larsa
Thu May 16, 2024 7:14 pm
Forum: General
Topic: MLAG hopelessly broken?
Replies: 29
Views: 7688

Re: MLAG hopelessly broken?

@spippan: Regarding FS, what do you think of their own FSOS compared to Mikrotik ROS or any kind of ONIE? Is there a big difference in cold boot time between them?
by Larsa
Thu May 16, 2024 6:37 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

I can help you get a working Wireguard tunnel between your two MT devices, but this requires at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a wireguard port to your device. Please advise. @Anav: it's the same requirement for IPsec/...
by Larsa
Thu May 16, 2024 6:36 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

Once again, in order for us to understand your issue, please combine the following information into a single post: 1. Briefly describe your issue(s) in one or two sentences (e.g., "I cannot connect to Router B using WinBox on my PC through Router A."). 2. Provide a simple network topology...
by Larsa
Thu May 16, 2024 6:04 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

(I cannot understand that Microsoft still has not fixed this design error in 2024) I can. The current Windows network stack (L1-L4) has, due to historical reasons, numerous serious flaws and limitations. Addressing these issues would require a complete rewrite of the entire stack from scratch whi...
by Larsa
Thu May 16, 2024 5:35 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

You don't need advanced tools to illustrate your network topology. Use plain text, like "x.x.x.x A -> internet -> y.y.y.y B," as I suggested (where x.x.x.x and y.y.y.y are IP addresses). To help us understand your issue, please describe it briefly in one or two sentences, such as "I c...
by Larsa
Thu May 16, 2024 5:08 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1812

Re: Winbox IKEv2 strange issue

Hi, please provide a simple network topology diagram, for example: "Host A (client) xxxx -> Internet -> Host B (server) xxxx" along with version info and the most current configuration files (if all devices are Mikrotik that is). Then, we might be able to help you out one step at a time. P...
by Larsa
Thu May 16, 2024 2:52 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 7082

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

@mongobongo - I do understand your frustration, but please try to take a deep breath or two to avoid a possible heart attack. 😉 Since standard support is free and Mikrotik does not offer paid, prioritized support, you sometimes have to wait for your ticket to be handled. For how long, it depends on ...
by Larsa
Wed May 15, 2024 5:20 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 10
Views: 9018

Re: Feature request : Multipath TCP (MPTCP) support

MPTCP is necessary only on the end devices unless it was a specific service in ROS that you were considering?
by Larsa
Wed May 15, 2024 2:13 am
Forum: Scripting
Topic: my script gets data running in terminl but not from system scripts
Replies: 9
Views: 583

Re: my script gets data running in terminl but not from system scripts

Yeah, you’re probably correct from a purely technical standpoint, but since this isn’t the first time someone has encountered this issue, I still consider it a flaw.

If the interactive terminal were behaving differently, we wouldn’t be having this discussion IMO.
by Larsa
Wed May 15, 2024 1:16 am
Forum: Scripting
Topic: my script gets data running in terminl but not from system scripts
Replies: 9
Views: 583

Re: my script gets data running in terminl but not from system scripts

@ak313 - RoS has an undocumented flaw when running the terminal in interactive mode that allows indexing objects with regular numbers. When a script is run in 'batch mode' a true index type is required by using [get ...] resulting in something like '*1'. You can also test this by entering '*1' in an...
by Larsa
Tue May 14, 2024 10:37 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 108818

Re: v7.15rc [testing] is released!

> Hi, can you update the zerotier package too please, the new Version is out 1.14.0 Also the capability to orbit to private moons please Concur. Version 1.2.0 already introduced user-defined root servers or "moons". ROS still lacks an interface for administering Root Servers, Multipath, T...
by Larsa
Sun May 12, 2024 11:22 pm
Forum: Beginner Basics
Topic: Not able to post on forum
Replies: 9
Views: 527

Re: Not able to post on forum

Your ISP won't be able to sort this out. You need to get in touch with the blocklist providers yourself.

I also recommend that you try to identify and address the source of why your IP was banned. Otherwise, there is a risk that it will happen again.
by Larsa
Sun May 12, 2024 10:04 pm
Forum: Beginner Basics
Topic: Not able to post on forum
Replies: 9
Views: 527

Re: Not able to post on forum

Check out why and how to unblock your IP here: https://www.spamhaus.org/faqs/general-questions. Additionally, check if your IP is banned elsewhere using: https://multirbl.valli.org/
by Larsa
Fri May 10, 2024 11:06 pm
Forum: Containers
Topic: Run container on event - DHCP
Replies: 4
Views: 2582

Re: Run container on event - DHCP

But you can, although you need to use various tricks to identify the different hotel networks and create script to perform appropriate actions accordingly. Additionally, check https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-LeaseScriptExampleLeasescriptexample . You can also schedule scripts to...
by Larsa
Wed May 08, 2024 2:11 pm
Forum: Announcements
Topic: Long range wireless links - share your experience
Replies: 50
Views: 49806

Re: Long range wireless links - share your experience

Well, it depends on the speed you're aiming for at that distance. You could always get a pair of AirFiber XRs for $2000 or explore some other point-to-point brands using licensed bands. Additionally, for a 30km connection, you'll probably need antenna towers approx. 250 feet in height. The bottom line...
by Larsa
Mon May 06, 2024 6:28 pm
Forum: RouterBOARD hardware
Topic: NetMetal ax temperature at sunny outdoor location
Replies: 3
Views: 415

Re: NetMetal ax temperature at sunny outdoor location

It's a pity that NetBox 5 AX only operates at 5GHz. Otherwise, it would probably be a better choice because of the white plastic case.
by Larsa
Fri May 03, 2024 7:28 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

And defended by AI - the ultimate AI war! Skynet will become reality in the near future! :-D
by Larsa
Fri May 03, 2024 6:32 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

Yeah, that's a pretty neat example of how powerful the XDP/eBPF combo is.
by Larsa
Fri May 03, 2024 3:40 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 642

Re: Cascading switches

There are no benefits in disabling STP for sure and I was only looking at the uplink "line" not the different endpoints.

Yeah, that makes sense.
by Larsa
Fri May 03, 2024 3:26 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 642

Re: Cascading switches

Thanks @mkx, I'm quite aware of the functionality. In this case 'devices' additionally includes L2 communication links that some BMS systems automatically generate for extra redundancy. It might also mean possible redundancy between the switches, as most fibers (presumably multimode in this case) a...
by Larsa
Fri May 03, 2024 1:54 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 642

Re: Cascading switches

@jvanhambelgium - Just curious, why do you want to turn off STP considering there will likely be multiple devices connected to each switch? BTW, I suspect there might be some kind of BMS/HVAC management system hooked up to each building.
by Larsa
Thu May 02, 2024 6:40 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3809

Re: [Feature Request] Data Center Bridge support

Okay, but are you sure IEEE 802.1Qbb implements PCB as required by DCB? How about ECN, ETS and DCQCN? It is important that all facts are available. Licensing costs must also be considered. Even if a SoC has the necessary hw support, activating a specific function may require additional licensing. Th...
by Larsa
Thu May 02, 2024 6:03 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 164
Views: 11323

Re: [Discussion] MikroTik configuration abstraction complexity

I've seen what VPP/DPDK achieves on x86 machines and it's really impressive. I have not had the possibility to see results on the ARM architecture. Yeah, but VPP/DPDK is a pure user-space solution (appliance) typically used by the telco industry so it's unlikely to be integrated into the MT product...
by Larsa
Thu May 02, 2024 5:41 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3809

Re: [Feature Request] Data Center Bridge support

If you do it with software, chances are you are still relying on the kernel, just like a normal NIC. The whole point of using it is to have hardware acceleration and bypass the kernel altogether. Doing it in software is like having an EV and charge it using a Diesel generator :D Yeah, that's the ma...
by Larsa
Thu May 02, 2024 5:14 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3809

Re: [Feature Request] Data Center Bridge support

@galvesribeiro Again, Mikrotik hardware supports it on most of their modern switch chips. Well, it's more like MikroTik hardware supports the most cost-effective chips. Which router/switch SoCs support flow and congestion control like PFC, ECN, ETS, DCTCP, etc? A NIC starting with $15 Connect-X 3 al...
by Larsa
Thu May 02, 2024 4:54 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3809

Re: [Feature Request] Data Center Bridge support

@galvesribeiro RoCE does work with any regular switch/router. However as I pointed out previously, efficiency regarding latency, flow control and buffering will of course vary depending on the environment. RoCE simply transports regular Ethernet frames to another NIC using L2/L3. The receiving NIC's...
by Larsa
Thu May 02, 2024 2:45 pm
Forum: Beginner Basics
Topic: Unable to block YOUTUBE,FAEBOOK,...
Replies: 4
Views: 424

Re: Unable to block YOUTUBE,FAEBOOK,...

Just like Rextended pointed out, it's nearly an impossible task with a standard router. There are plenty of threads about it, such as the recent one viewtopic.php?p=1072794
by Larsa
Thu May 02, 2024 1:39 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3809

Re: [Feature Request] Data Center Bridge support

@galvesribeiro - as you pointed out, "Enterprise and Data Center products" is a marketing term and can mean anything. If you are in the data storage business, it's probably wise to assess your technical requirements before making a purchase. RoCE traffic can be transported over any standar...
by Larsa
Tue Apr 30, 2024 11:13 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 609

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

You might want to have a look at public NAT64 services as a workaround: https://nat64.net/public-providers
by Larsa
Mon Apr 29, 2024 11:52 pm
Forum: General
Topic: How to block YouTube effectively
Replies: 37
Views: 3633

Re: How to block YouTube effectively

And Youtube runs over UDP when possible, which "TLS host" does not support. Well yes, sort of. ;-) It all depends on the video source and whether you're using the HTML5 video player which supports several streaming protocols such as HLS, RTMP/RTMPS, and DASH. For example, MPEG-DASH (high-...
by Larsa
Mon Apr 29, 2024 5:03 pm
Forum: General
Topic: How to block YouTube effectively
Replies: 37
Views: 3633

Re: How to block YouTube effectively

Nowadays, even the SNI field (TLS Host) is often encrypted using ESNI encryption.
by Larsa
Mon Apr 29, 2024 4:43 pm
Forum: General
Topic: Advice on choosing WiFi equipment
Replies: 15
Views: 843

Re: Advice on choosing WiFi equipment

Well, that's also an option. Though, I wouldn't bet on a high success rate in this case...
by Larsa
Mon Apr 29, 2024 3:22 pm
Forum: General
Topic: Advice on choosing WiFi equipment
Replies: 15
Views: 843

Re: Advice on choosing WiFi equipment

@MDZT, just be aware that certain 60GHz equipment designed for long-range might encounter issues with shorter distances. I recommend checking with Mikrotik support before making a purchase.
by Larsa
Fri Apr 26, 2024 12:08 pm
Forum: Scripting
Topic: Schedule
Replies: 5
Views: 474

Re: Schedule

What's wrong with that suggestion? Imo, it's simple and easy to understand. :if (26 = [:pick begin=8 end=10 [/system/clock/get date as-string]]) do={ :put "today is the 26th" } or perhaps :local day [:pick begin=8 end=10 [/system/clock/get date as-string]] :if ($day = 26) do={ :put "t...
by Larsa
Fri Apr 26, 2024 12:13 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 343
Views: 108818

Re: v7.15rc [testing] is released!

If you can't find it in the release notes, it's probably not there, right? You'll have to manage with the already built-in flow control. If you really want BQL, I believe it's better to open a support ticket with a well-founded argument about why, instead of mentioning it in a user forum. EDIT: @hol...
by Larsa
Thu Apr 25, 2024 5:01 pm
Forum: Beginner Basics
Topic: BTH between two mikrotik devices [SOLVED]
Replies: 9
Views: 2857

Re: BTH between two mikrotik devices [SOLVED]

I think @Normis' suggestion sounds good, i.e., if you have Arm-based devices, you’re able to install ZeroTier (which can cope with CG-NAT) directly on the routers. Alternatively, you might use a computer on each network to act as a hub and install ZeroTier, TailScale, or similar software.
by Larsa
Thu Apr 25, 2024 12:30 pm
Forum: Scripting
Topic: Is 8MB in a variable from a txt file is possible?
Replies: 54
Views: 3801

Re: Is 8MB in a variable from a txt file is possible?

I believe that https://iplists.firehol.org has the most comprehensive collection of IP address lists, statistics, and clickable maps indicating where the crooks are located. Palo Alto is one of many contributors.
by Larsa
Wed Apr 24, 2024 2:40 pm
Forum: Scripting
Topic: How to use fetch tool with IPv6
Replies: 9
Views: 821

Re: How to use fetch tool with IPv6

Yeah, that's likely a functional but ugly workaround for a flawed dual-stack management. Let's hope MT will fix this eventually.
by Larsa
Wed Apr 24, 2024 12:37 am
Forum: Scripting
Topic: How to use fetch tool with IPv6
Replies: 9
Views: 821

Re: How to use fetch tool with IPv6

@Radek01: The short answer is: you can't.

The reason is that ROS unfortunately lacks capabilities to control the dual-stack for embedded tools and services such as IPsec, WireGuard, DNS, IP Cloud, resolver, fetch, etc.
by Larsa
Tue Apr 23, 2024 11:14 pm
Forum: General
Topic: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"
Replies: 7
Views: 1198

Re: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"

Hi @brunolabozzetta! Since this is a user forum, it's probably better if you contact MikroTik directly via email at "support@mikrotik.com" or open a support ticket using the link "https://help.mikrotik.com/servicedesk/servicedesk." //BR, Larsa.
by Larsa
Sat Apr 20, 2024 11:26 am
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1994

Re: SFP info dont appear in ROS v7 x86

As I wrote in another thread, PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scen...
by Larsa
Fri Apr 19, 2024 11:33 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1363

Re: Feature Request for x86 and CHR for SFP Menu tab

PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scenario that probably won't happen.
by Larsa
Fri Apr 19, 2024 11:30 pm
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1994

Re: SFP info dont appear in ROS v7 x86

When running CHR in a virtual machine, all NICs and drivers are managed by the virtual host.
by Larsa
Thu Apr 18, 2024 11:34 pm
Forum: Scripting
Topic: Can't Query Graphql site
Replies: 26
Views: 1718

Re: Can't Query Graphql site

Possibly in a slim container, if the hardware allows, but it feels a bit overkill. I mean, it should be possible to get 'fetch' to work, but how to locate the root cause of the error is probably the $100,000 question. Have you checked it's not an SSL certificate issue on either side?
by Larsa
Thu Apr 18, 2024 11:03 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 14
Views: 3785

Re: Using RB5009 in bridge mode [SOLVED]

You only need ISP/ONT <-> (PPPoE) RB5009 <-> LAN (unless the 'second router' has a magical feature set you can't live without). The RB5009 will manage both PPP and DHCP.
by Larsa
Thu Apr 18, 2024 12:49 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1363

Re: Feature Request for x86 and CHR for SFP Menu tab

As CHR runs in a virtual environment, all NICs/SFPs are managed by the host environment. When it comes to x86 'bare metal' setups, support for NIC drivers is limited.
by Larsa
Wed Apr 17, 2024 12:38 pm
Forum: Beginner Basics
Topic: Loading ONIE images on Mikrotik Switches
Replies: 6
Views: 667

Re: Loading ONIE images on Mikrotik Switches

Hi @Evaluator, and welcome to the forum! Although ONIE is a great idea, I believe it might be difficult to implement on a large portion of MikroTik's product range since many of the low-end devices have limitations in terms of memory and storage. However, I'd love to see ONIE supported on future mid-...
by Larsa
Wed Apr 17, 2024 11:45 am
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1328

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

@phascogale: Firewalla , along with other 'Smart' or 'Next-Generation' firewalls, cannot perform deep packet inspection on encrypted traffic without utilizing SSL/TLS termination. They primarily rely on fundamental info such as endpoint ip addresses, stream sizes, etc. Even SNI (ESNI) is encrypted n...
by Larsa
Tue Apr 16, 2024 10:48 pm
Forum: General
Topic: Is Mikrotik's Firewall is enough to protect a medium enterprise.?
Replies: 21
Views: 1328

Re: Is Mikrotik's Firewall is enough to protect a medium enterprise.?

Layer 7 firewalls are pretty useless without SSL Termination which usually requires extensive configuration.
by Larsa
Mon Apr 15, 2024 3:51 pm
Forum: Forwarding Protocols
Topic: Single-hop BFD session is not restored after reboot or power outage
Replies: 6
Views: 821

Re: Single-hop BFD session is not restored after reboot or power outage

I would like to get some feedback from the developers.

Since this is a user forum, I believe you have a better chance of getting a response if you direct your question to: support@mikrotik.com.
by Larsa
Mon Apr 15, 2024 3:30 pm
Forum: Virtualization
Topic: CHR tx-queue-drops-per-second
Replies: 8
Views: 10640

Re: CHR tx-queue-drops-per-second

Not necessarily. It ultimately depends on how well the driver is developed specifically for each solution. With a single NIC used solely by one guest OS, the difference is probably not even measurable with modern drivers. The major difference is that a NIC using PCI passthrough (VMware DirectPath) b...
by Larsa
Fri Apr 12, 2024 8:59 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 834

Re: Mikrotik documentation

Cron job :D You underestimate Atlassian. It's such a complicated mess. Well, Jira/Confluence might be perceived as 'messy' in the same way as ROS might be for novices. 😉 These products are complex toolkits capable of doing almost anything but require solid knowledge and experience to set up effect...
by Larsa
Thu Apr 11, 2024 8:39 pm
Forum: Virtualization
Topic: Public IP on Azure CHR
Replies: 3
Views: 543

Re: Public IP on Azure CHR

@mugeno - if you've already paid for it and obtained the public IP address, this guide serves as a good starting point: "Microsoft - Associate a public IP address to a virtual machine". Here is some other good stuff about Azure networking: https://learn.microsoft.com/en-us/azure/virtual-...
by Larsa
Thu Apr 11, 2024 1:03 am
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 597

Re: OSPF default route

Now I get it. I completely missed the part that CMC wasn't configured with OSPF.
by Larsa
Mon Apr 08, 2024 7:43 pm
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 597

Re: OSPF default route

Check out "originate-default" in "help.mikrotik.com/docs/display/ROS/OSPF". It can also be combined with routing filters.
by Larsa
Fri Apr 05, 2024 12:29 am
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1890

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

SD-WAN has been around for over a decade and is now more or less a de facto standard, so calling it 'hype' feels somewhat exaggerated. A general guideline is to consider implementing SD-WAN when your network exceeds 10 links. Anyhow, regarding this particular case it's important to consider future ne...
by Larsa
Thu Apr 04, 2024 12:40 am
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1433

Re: Not getting wireline speeds

@trivex, no offense intended, but a great place to start your research before buying any networking gear is always the manufacturer's own website. MikroTik has organized all its products into categories like switches, routers, and more: mikrotik.com/products.
by Larsa
Tue Apr 02, 2024 8:32 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1890

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

By "THIRD PARTY," I presume you mean third-party "cloud services." Most SD-WAN solutions offer both cloud-based services and on-premises support. If you prefer, Mikrotik ZeroTier includes an on-premises controller that makes you independent of third-party cloud services. However,...
by Larsa
Tue Apr 02, 2024 5:04 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

What's new in 7.15beta9 (2024-Mar-27 21:55): *) console - added "sanitize-names" property under "/console/settings" menu (option for replacing reserved characters with underscores for files, disabled by default); Thank you! The opt-in method is preferred when introducing breakin...
by Larsa
Tue Apr 02, 2024 4:43 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1890

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

We initially started using WireGuard but as we scaled up it became unmanageable (a real pain in the neck to be honest) to administer so we've completely transitioned to ZeroTier for OOB administration. Also, the overhead for path search traffic is negligible, even in 4G. ZeroTier is extremely easy t...
by Larsa
Fri Mar 29, 2024 11:18 pm
Forum: General
Topic: Wireguard education? [SOLVED]
Replies: 3
Views: 443

Re: Wireguard education? [SOLVED]

Check out the Pro Custodibus blogs about WireGuard, which are absolutely outstanding in my opinion. For example, start with "Primary WireGuard Topologies".

Happy Easter!
by Larsa
Fri Mar 29, 2024 10:39 pm
Forum: General
Topic: Wireguard education needed
Replies: 7
Views: 860

Re: Wireguard education needed

The issue is not really a configuration issue as much as a question on how the VPN protocol works, and if this can be explained. Check out the Pro Custodibus blogs about WireGuard, which are absolutely outstanding in my opinion. For example, have a look at "Primary WireGuard Topologies" I...
by Larsa
Mon Mar 25, 2024 7:35 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 1064

Re: execute & parse

Couldn't agree more. There is clearly something flawed when all sorts of workarounds pop up in the flow..
by Larsa
Mon Mar 25, 2024 6:48 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 1064

Re: execute & parse

:return [[:parse ":global $1 ; :return [\$$1 $2]"]] Yeah, that's a good one-liner. Here's another neat trick if you want to call system scripts with arguments. This also works with "[/file get /dirname/scriptname contents]" if you prefer to store your scripts in a different loca...
by Larsa
Thu Mar 21, 2024 10:27 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

Regarding 7.15beta8 (2024-Mar-21 09:12) and inconsistent rules for valid characters in filenames. Check viewtopic.php?p=1065213#p1065213
by Larsa
Thu Mar 21, 2024 10:17 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

The arbitrary acceptance and rejection of certain characters in filenames causes unnecessary support system disruptions. There is still a bug in 7.15beta8 (2024-Mar-21 09:12) that prevents our backup and version control systems from working properly when filenames contain spaces due to script incom...
by Larsa
Thu Mar 21, 2024 8:11 pm
Forum: General
Topic: Loop Dos CVE-2024-2169 Mikrotik
Replies: 3
Views: 819

Re: Loop Dos CVE-2024-2169 Mikrotik

Just a friendly reminder: Never ever expose TFTP or similar services directly to the internet. Doing so poses serious security risks; otherwise, you don't have to worry about CVE-2024-2169.
by Larsa
Thu Mar 21, 2024 7:53 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

What's new in 7.15beta8 (2024-Mar-21 09:12): *) wireguard - added option to mark peer as responder only (CLI only); *) route - rework of route attributes; Regrettably, I haven't spent as much time on testing as I planned, but wonder if this might possibly solve the issue with the handshake response ...
by Larsa
Thu Mar 21, 2024 4:38 pm
Forum: General
Topic: CHR or Ethernet router?
Replies: 5
Views: 771

Re: CHR or Ethernet router?

In short:

1. If you're running CHR/x64, use IPsec. This platform can scale up practically infinitely.
2. If you're running a Mikrotik with AES hardware acceleration, use IPsec. Check throughput limitation using the 512-byte column on the product page.
3. In all other cases, use WireGuard.
by Larsa
Thu Mar 21, 2024 1:27 pm
Forum: General
Topic: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN [SOLVED]
Replies: 2
Views: 2811

Re: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN [SOLVED]

Some suggestions: Set up your own Tailscale address pool, use IPv6, or switch to ZeroTier. RB5009 has built-in support for ZeroTier, which allows you to pick any or multiple private subnets and also set individual static addresses on any device. There is no problem running ZeroTier and Tailscale in ...
by Larsa
Wed Mar 20, 2024 9:57 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 751

Re: Configuration for hidden ZeroTier features

I hadn't looked at the ZT changes in a bit – the config has grown a lot. I just don't see how RouterOS could keep up in a reasonable time frame. Yeah, it feels like I've been waiting far too long for both Multipath and Trusted Path for ROS. And yes, JSON support would be awesome! Another thin...
by Larsa
Wed Mar 20, 2024 9:01 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 751

Re: Configuration for hidden ZeroTier features

Yeah, looks like we need to start collecting some dough to sort this out once and for all! ;-) The ZeroTier client library itself is very small and accessible using a single API. Configuration is managed using parameters that are either retrieved from a configuration file or controlled directly via ...
by Larsa
Wed Mar 20, 2024 7:31 pm
Forum: Scripting
Topic: DDNS Cloudflare script
Replies: 4
Views: 1743

Re: DDNS Cloudflare script

Hello @nocivo! If you want to explore similar solutions to figure out how they work, you can search for mikrotik Cloudflare script on github.
by Larsa
Wed Mar 20, 2024 5:23 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2224

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some highly important factors I think you should consider before making any decisions: Encryption and throughput bottlenecks: WireGuard encryption (ChaCha20) is software-based and lacks hardware acceleration support (on any platform) unlike IPsec. Consequently, the total throughput is cons...
by Larsa
Wed Mar 20, 2024 4:46 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 751

Re: Configuration for hidden ZeroTier features

Well, I would also call those options hidden since they all are a part of the current ZeroTier version included with RouterOS which simply lacks the ability to configure them. Adding AES hardware acceleration would also be a major enhancement as well as an upgrade to v1.12. This version prevents pat...
by Larsa
Wed Mar 20, 2024 4:14 pm
Forum: General
Topic: REQUEST: Paid technical support plans
Replies: 16
Views: 1078

Re: REQUEST: Paid technical support plans

I'd start by hiring the Canadian Lama, he's probably dead cheap but still a rascal at finding bugs and possible workarounds! 😋
by Larsa
Wed Mar 20, 2024 12:49 am
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2224

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some GPO hacks using scripting that might be used as a baseline, but I'd never use them as a replacement for SD-WAN. You still have to support end users or the branch office with manual administration when things go south. If you prefer not to depend on a third-party web server provider for ...
by Larsa
Tue Mar 19, 2024 11:29 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2224

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

I strongly advise against using WireGuard in this case. Manually administering 150 WireGuard connections will likely be a counterproductive solution. It will probably result in complex manual administrative (nightmare) tasks with the risk of long lead times and ultimately lead to increased costs f...
by Larsa
Tue Mar 19, 2024 6:02 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 1019

Re: WireGuard useful learning [Linux]

It's true that OpenVPN is often configured in a "client/server" style especially for remote access use cases. However, the same applies to WireGuard. Both of these tunnel protocols, along with IPsec and SSTP, have the flexibility to act as "initiators" or passive "responders...
by Larsa
Mon Mar 18, 2024 9:08 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 1019

Re: WireGuard useful learning [Linux]

I'm sorry, but I have terrible allergies to such things so I've never dared to try! ;-) Btw, @DarkNate, can you please explain what a "client/server" tunnel is to a dummy like me?
by Larsa
Mon Mar 18, 2024 7:22 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

Okay, I thought your question was: 'My question remains valid: why do you need spaces? Or is it just a personal decision?' (Or did I miss something??)
by Larsa
Mon Mar 18, 2024 7:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

@t0mm13b: *) console - replace reserved characters to backup and certificate export file names with underscores;

Yes @t0mm13b, you've nailed the core issue of this thread!
--

@infabo: I think it was stated pretty clearly in the previous post. Is there anything I need to clarify?
by Larsa
Mon Mar 18, 2024 7:07 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

SUP-147326 - "v7.15beta breaks file naming and script compatibility"
by Larsa
Mon Mar 18, 2024 6:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

@infabo The real question to be asked is: why do you need them? @infabo: If you had read the thread from the beginning, you wouldn't have needed to ask that question. @t0mm13b: The core issues are compatibility and why Mikrotik's proposed changes would break existing scripts and support systems. De...
by Larsa
Mon Mar 18, 2024 4:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

I'd prefer if we focus on OP's issue of how to best preserve script compatibility when it comes to potential limitations in file naming. In my opinion, at an absolute minimum, "spaces" and printable 7-bit ASCII characters that are compatible across common file systems (Windows, Linux, macO...
by Larsa
Thu Mar 14, 2024 11:59 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

The major issue at stake here is script compatibility when using spaces (and similar common characters) in filenames, not control characters or UTF-8/16.
by Larsa
Thu Mar 14, 2024 10:01 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

The technical stuff you write about might very well be true, and I truly agree regarding the poor choices that MT is about to make in this case. As I wrote in another comment: To maintain script compatibility as much as possible, I believe it would be easier to focus on allowed characters rather ...
by Larsa
Thu Mar 14, 2024 8:33 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

Problem is: where do you define the bounds. Characters like / : \ can also cause trouble. People have used date/time as part of a filename and ran into "inexplicable problems". At least that does not happen anymore. To maintain script compatibility as much as possible, I believe it would ...
by Larsa
Thu Mar 14, 2024 5:44 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

@jaclaz, regarding the second link, it seems less focused on the actual problem regarding script compatibility issues caused by spaces in filenames and more like 'whataboutism' disguised as academic debate. I mean, this has a serious impact for both the OP and others who rely on scripts that handle spac...
by Larsa
Thu Mar 14, 2024 4:08 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

Well, no! ;-) Windows defaults to UTF-16 as its internal representation but has strong support for working with UTF-8 in addition to the legacy CP-1252 and similar encodings. For example, Notepad uses either ANSI or UTF-8. The rest of the world defaults to UTF-8. However, none are limited to legacy ...
by Larsa
Thu Mar 14, 2024 3:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

All major operating systems like Windows, macOS, Linux, z/OS, Android and iOS utilize UTF-8. What other OS might have the compatibility issue you are referring to?
by Larsa
Thu Mar 14, 2024 2:48 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

That's beside the point. You should NEVER EVER break script compatibility unless absolutely necessary. And the potential identity issue you're describing is merely a side effect of the change that breaks script compatibility, not the root cause! I do have a certain understanding they want to avoid c...
by Larsa
Thu Mar 14, 2024 2:31 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 132526

Re: v7.15beta [testing] is released!

MikroTik has once AGAIN managed to break script compatibility by prohibiting something as common as spaces(!) in file names. I have zero understanding of this as it affects our current solutions for version control and backup which now must be modified and tested on all nodes before we can even cons...
by Larsa
Thu Mar 14, 2024 1:42 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3604

Re: v7.15beta broke backup file naming

This is yet another piece of evidence and major reason one should try to avoid RoS scripting in production at all costs as Mikrotik might break compatibility without notice at any time. Since this isn't the first time (and probably not the last) that Mikrotik breaks script compatibility, I think it'...
by Larsa
Wed Mar 13, 2024 2:06 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2816

Re: SR-IOV with CHR - What hypervisors are you using ?

OT - Yeah, BPF has evolved from a pure filtering mechanism into a highly versatile virtual machine (VM) or "sandbox" within the kernel. Just as with Wasm, source code is compiled in user-space to bytecode and executed using JIT within the VM. eBPF is incredibly flexible and might work wonders i...
by Larsa
Wed Mar 13, 2024 2:03 pm
Forum: Beginner Basics
Topic: Slow Throughput CHR virtual within Proxmox [SOLVED]
Replies: 8
Views: 3661

Re: Slow Throughput CHR virtual within Proxmox [SOLVED]

I've made the same mistake plenty of times. My first thought that always pops up is there might be an issue with the NIC before I finally realize I forgot to activate the license, i.e. CHR is running in 'free license mode'. I think MikroTik should introduce some kind of warning when running in 'free...
by Larsa
Wed Mar 13, 2024 1:21 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2816

Re: SR-IOV with CHR - What hypervisors are you using ?

Neither DPDK nor eBPF/XDP is in any way related to SR-IOV, which is a standard hardware-level technology for I/O virtualization offering bare-metal throughput. Additionally, ROS uses Linux kernel netfilter/nftables, not Berkeley Packet Filter or DPDK which are a bunch of user-land network drivers an...
by Larsa
Tue Mar 12, 2024 11:45 pm
Forum: General
Topic: Intel I210 compatibility (pcie 1x)
Replies: 3
Views: 849

Re: Intel I210 compatibility (pcie 1x)

Hi! Since this is mainly a user forum, you have a better chance of getting a relevant answer directly from Mikrotik by contacting support@mikrotik.com.
by Larsa
Fri Mar 08, 2024 1:31 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

@Anav - I'm biding my time by exploring possible alternatives since I have no need for quick fixes. Meanwhile, I do appreciate and rely on your tireless effort to make life easier for the users in this forum! 😘 @Amm0: You read my mind! I was thinking of testing that along with some variations of nat...
by Larsa
Thu Mar 07, 2024 11:14 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Considering the recent fiasco where the change of date format broke script compatibility we want to minimize script use in production environments whenever possible. And the sad thing is, the date format could have been easily fixed without breaking script compatibility. This 'small' oversight makes...
by Larsa
Thu Mar 07, 2024 9:21 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

@wfburton/Amm0, I have a similar idea that doesn't involve separate routing tables.
by Larsa
Thu Mar 07, 2024 8:35 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Yep, that sounds about right! The whole exercise has currently resulted in two different issues: Q1. Why are WireGuard handshake responses sent through default gateway rather than the originating interface? My initial research indicates this is a known issue with some proposed fixes already sent ups...
by Larsa
Thu Mar 07, 2024 6:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

You'll probably have a greater chance of getting assistance in connecting VyOS with ROS if you open a separate thread for it.
by Larsa
Thu Mar 07, 2024 6:27 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

WireGuard, like IPsec, doesn't appear as a service like FTP; they have separate configuration menus. Btw, what are you trying to say using the VyOS commands?
by Larsa
Thu Mar 07, 2024 6:03 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Yup, it's the starting point itself that creates the initial hurdle in a multi-WAN environment. I'm trying to identify how different configurations behave, for example by using different subnets on the WAN interfaces. One test I've performed is with ether1 as the default gateway and five WAN interfa...
by Larsa
Thu Mar 07, 2024 1:09 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

@anav: RoS is actually following correctly its Operating System code on how to route traffic. I'm sorry, but there is no such thing! The Linux network engine is configured and controlled dynamically entirely by ROS. That's how Linux-based routers operate. It does whatever you tell it to do. If yo...
by Larsa
Wed Mar 06, 2024 5:11 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Haha, but of course! My personal take on this is that all built-in services should behave the same when it comes to routing and connection tracking. I see no obvious reason why they shouldn't.
by Larsa
Wed Mar 06, 2024 5:06 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

I'm pretty sure the standard response would be it's a feature, not a bug! :-) But it is the kernel that actually stores, manages, and executes the routing rules using nftables, it's just the configuration hassle that occurs in userland, i.e. ROS. The connection tracker is tightly coupled to the nfta...
by Larsa
Wed Mar 06, 2024 4:29 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 3167

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

As the new 60Pro AC implements 802.11ay it should support AES-GCM or WPA3.
by Larsa
Wed Mar 06, 2024 4:09 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

One wouldn't need specialized DHCP scripts if Mikrotik fixed its connection tracker to use the incoming interface address as the outgoing source address. I'll try to create a simple diagram and some packet traces that illustrate the whole thing, but considering your previous response you seem to hav...
by Larsa
Wed Mar 06, 2024 3:52 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

@Anav, unfortunately you're still missing the point but Ammo seems to grasp it. In short, ROS connection tracker mishandles WireGuard handshakes. It forces response packets through the default gateway, breaking the protocol if the initial handshake came from a different interface. See Example 2 for ...
by Larsa
Wed Mar 06, 2024 2:38 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 3167

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

The OP asked what type of security is used which unfortunately isn't stated in the product description. Presumably, the wireless encryption is performed with some kind of AES-GCM/WPA3, but to be sure drop an email to sales@mikrotik.com. EDIT: feel free to ask the Mikrotik sales team to update the pr...
by Larsa
Wed Mar 06, 2024 1:49 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 414

Re: WANGUARD DUAL WAN HA

Thanks for the answer. How did you go about configuring routing policies for multiple WANs? I have set incoming connection marking and routing marking for the appropriate WAN link, but it does not work for wireguard because during the handshake, the peer that responds to the query sends traffic thr...
by Larsa
Wed Mar 06, 2024 1:22 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Well, NO! but let me get back to you with a full trace FYI. I dare you to set up your own lab environment with just two WAN interfaces and test it yourself. You don't have to bother using dynamic IP addresses. The task you are to perform is to connect a WireGuard client with a fully functioning conn...
by Larsa
Wed Mar 06, 2024 12:50 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

@wfburton, please create a separate thread if you are not interested in this specific topic. @Anav, all that dst-nat, prerouting, and connection marking stuff you posted about is completely irrelevant when it comes to the handshake dilemma. Are you sure you understand where the issue occurs according...
by Larsa
Tue Mar 05, 2024 10:28 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

I'm sorry, but I don't understand what you mean by "user/group policy" and "User333 belongs to vpn333 group connect to wan333" ?? How does this in any way relate to the asymmetric routing issues that I described earlier in example 2?
by Larsa
Tue Mar 05, 2024 10:19 pm
Forum: General
Topic: How to assing a dynamic route to a routing table
Replies: 4
Views: 453

Re: How to assing a dynamic route to a routing table

I can use the script, but I consider it dirty work; why doesn't Mikrotik simply let us assign a default gateway from a dynamic connection to a routing table? This is also a mystery. I completely agree! And I truly hope Mikrotik implements a simpler solution like /routing/rule src-interface =xxxx o...
by Larsa
Tue Mar 05, 2024 9:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

I guess I don't understand your point then, wish I could help but it's beyond my knowledge scope. It isn't that complicated. Here's a brief illustration of how the issue with WireGuard differs from a built-in service like FTP that works as expected. Let's use a couple of examples to show the handshak...
by Larsa
Tue Mar 05, 2024 2:19 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 414

Re: WANGUARD DUAL WAN HA

I've done it myself so there should be no problem at all using OSPF and optional BFD for fast failover.

Another option is to use ZeroTier which automatically utilizes all available links and also enables easy access from mobile devices, home offices, etc.
by Larsa
Tue Mar 05, 2024 1:27 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

Thanks for the response but that wasn't a particularly good suggestion for a cleaner policy routing to address the issue with multiple WAN addresses. As I've mentioned several times now: 1) you are not able to make use of mangling during the handshake process until it is completed. 2) To complete th...
by Larsa
Tue Mar 05, 2024 12:20 am
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 1019

Re: WireGuard useful learning [Linux]

Let me rephrase that for both of you! ;-)
WireGuard is an encrypted tunnel protocol that can be used in all types of topologies, including client/server, spoke/hub, mesh, and much more. @mozerd, great articles btw!
by Larsa
Mon Mar 04, 2024 11:38 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

Re: WireGuard Multi-WAN Policy Routing

G'day Anav, my sincere apologies if this is a bit too complex for you! :-) I meant precisely what I wrote: a conceptual question regarding issues with the internal WireGuard handshake process in a multi-WAN environment with no specific scenario in mind. One challenge with the WireGuard initial handsh...
by Larsa
Mon Mar 04, 2024 9:01 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5934

WireGuard Multi-WAN Policy Routing

I have a conceptual question regarding WireGuard in a multi-WAN environment using dynamic addresses. Problem: in ROS, when a passive WireGuard peer receives its initial handshake (i.e., when connection-state = new), the state machine doesn't keep track of either the destination address or the inboun...
by Larsa
Fri Mar 01, 2024 10:45 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 671
Views: 209429

Re: v7.14 [stable] is released!

@hargen: I can confirm that it works, but one has to wait for 20 attempts before receiving the message "Handshake for peer did not complete after 20 attempts, giving up," and then it goes silent. If you re-enable "Keep alive" it starts all over again. Well spotted in finding the ...
by Larsa
Fri Mar 01, 2024 9:41 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 456

Re: CAKE

You are welcome, have a nice weekend!
by Larsa
Fri Mar 01, 2024 8:32 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 456

Re: CAKE

Yeah, Cake is only implemented in v7.
by Larsa
Fri Mar 01, 2024 8:13 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1125

Re: OSPF over Wireguard links

Yeah, good suggestion. If the wg-interface used for OSPF isn't listed in the LAN device list, you'll need to specify that port explicitly. This also affects the forward chain for routing.