MikroTik

OlofL

DHCPv6 server lease sync (with routes automatically added/removed to ia_pd)
DHCPv6 client/server full support (ia_na)

OlofL

Im trying to learn mpls/ospf/bgp "ipvpn" setup. traffic between PE1 loopback and PE2 loopback is switched through mpls. traffic between ce1 and ce2 doesn't get switched by mpls, so an ip packet reaches P1 and its dropped because it doesnt have route to CE2. What am I missing here? Config: ...

OlofL

Stateful DHCPv6 Server? KEA based ?

Please tell if you build this.
Would be nice to have dhcpv6 server sync leases with another router.

OlofL

Anyone tested this with 7.4beta4 and containers?

OlofL

In fact, there does not seem to be any channels - there are only different snapshots of the SAME channel of RouterOS releases. This is obvious and already claimed by Mikrotik staff in forum when 7.3 was released. It would be more optimal to actually have two or more development channels where fixes ...

OlofL

after upgrading to 7.3.1 ip ssh is not working... I tried : [*] change any options and press apply [*] press "regenerate host key" [*] import ssh pubkey to user [*] upgrade to 7.4beta, downgrade again [*] export ssh-host-key [*] export host priv+pub files from another mikrotik and import t...

OlofL

OlofL, 7.3 in general is much better than 7.2.x except this one issue with SFP on RB3011. This sounds so stupid. Its not "much better" for me. It broke everything. So basically you make 7.3 release candidate. Wait a few days and see how much forum is spammed. If less than 5 new angry topi...

OlofL

There are no changes since rc2. How can you not test the RB3011 SFP bug before releasing this into " stable "? Very fun downgrading routers at remote sites today! How can I go from 6.x to 7.2.x? If I set channel=upgrade it will chose 7.3 as of now. Should I just manually upload 7.2.x NPK ...

OlofL

Unfortunately you cannot, it is an annoying omission from RouterOS. I am pretty sure I have seen a workaround on this before ? Anyways, if I am remembering wrong, how do you make sure clients removes the ipv6 address in the wrong prefix if this happens after reboot? Can mikrotik send old RA with a ...

OlofL

I have a pool of a /56 network. db8:2001:1128:2400::/56 I want to assign ipv6 addresses from my lan interfaces using only "::1/64" command. add address=::1 from-pool=TT interface=ether5 add address=::1 from-pool=TT interface=ether6 add address=::1 from-pool=TT interface=ether7 But how do I...

OlofL

Selective configuration sync between two or more "clustered" devices (firewall/mangle etc)
Some kind of HA...

Container support!

Smart firewall address list support (geoip, Adblock, bad IPs)

OlofL

When the Mikrotik connection tracking sees the end of a TCP conversation (FIN -> ACK+FIN -> ACK) the tracking entry is removed. Any repeated or unsolicited invalid transmissions from a client, e.g. FIN+ACK, RST+ACK or RST will not create a new connection tracking entry so no NAT will be applied. Th...

OlofL

How did you measured that 99.9%?

I didn't. Just a wild guestimate:)
It's probably closer to 99.999%

OlofL

Try adding a firewall rule add action=drop chain=forward connection-state=invalid after the accept established/related.

I can try. But explain please why you think this will help?
Even if packet is "invalid" and accepted by outgoing firewall rule - it should still be NAT'ed - right?

OlofL

Issue: not all packets are NAT'et on the mikrotik router. It seems like 99.9% of packets are NAT'et. But the upstream firewall are seeing lots of martian source packets (rp_filter strict) I have this setup with Mikrotik router. /system/routerboard/print routerboard: yes model: CCR1036-8G-2S+ serial-...

OlofL

@hkusulja after 4 hours with Azure Premier support, we were able to get both IPSec tunnels up with Mikrotik and the BGP connection stablished on both tunnels as well Today. I'm receiving the VNet routes advertised by Azure and they appear both in my Routes table. However, None of the routes I'm adv...

OlofL

When containers?

OlofL

How do I enable this? I cannot see anything in docs nor in CLI. (v7.2 stable)
https://help.mikrotik.com/docs/pages/vi ... eId=328218

OlofL

How about a 100G switch with a few more ports?
This is the perfect switch for a spine and leaf topology ip fabric.
But it needs more ports on the spine layer!

OlofL

I would like to see something like CCR2116-4G-12S+, even something without RJ45, just pure SFP+ with 1G management port, like old CCR2004. This is really nice piece of HW, but only 4 SFP+ isn't usable for me. I agree - and sfp28 interfaces aswell :) copper ports are useless now for this type of rou...

OlofL

Not negating adding a new feature here but what is exactly the problem we're trying to solve here? While ed25519 is newer and has some advantages (e.g. smaller key size, marginally faster authentication) does it really add any significant value to ROS? In Ubuntu 22.04 ssh-rsa is depricated and you ...

OlofL

Doesnt it support it in 7.2rc2? Nope, explained here: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-L3HWDeviceSupport I have read that document, but I still dont understand. To my understanding, it should be able to? I also read https://forum.mikrotik.com/vi...

OlofL

And for inter-VLAN routing you also need /ip firewall filter add action=fasttrack-connection chain=forward connection-state=established,related hw-offload=yes This device doesn't support hw-offload with fasttrack. :( Doesnt it support it in 7.2rc2? *) l3hw - added HW offloaded FastTrack support for...

OlofL

I just want to borrow the thread, how has this affected performance? How much resources do you need for such lists? Im looking to use similar numbers in my firewalls.

@Kelalatir

OlofL

Good read, is there a way to tweak the max amount of fasttrack connections? For instance less memory for l3hw offload but more memory for fasttrack?

OlofL

Can CCR2116 do HW-offload/fasttrack on LACP interface? With latest RoS 7.1.3 Looking at the block diagram, it has a switch chip connected to the interfaces. https://i.mt.lv/cdn/product_files/CCR2116-12G-4S_211233.png While we're at it, can any of the CCR2004 do the same thing? CCR2004-16G-2S+ has a ...

OlofL

How can I sync DHCPv6 server leases between two routers? What I like about RouterOS is that it does install a dynamic special route in its route table for the PrefixDelegation. Which means I dont need to use a routing protocol on the clients for my upstream router to reach the prefixes. But, how do ...

OlofL

I have not tested RoS7 and containers since they pulled before hitting stable?

But this seems a bit overkill now that Suricata can be ran inside containers and hopefully containers will be back in RoS7 soon?

OlofL

They have said they are in development of a new cross-platform Winbox replacement. Presumably this will allow them to create different GUI designs that will be more suitable for something like this. Source on this? Also why dont they scrap winbox alltogether and just use the web gui with the new AP...

OlofL

I'm interested in 5G/4G LTE data devices WITHOUT Wifi or extra ports, more of a modem/router for cellular to Gigabit+ Ethernet.

1. CAT16+
3. No, 4G LTE/5G Only, minimize the old stuff.

This, and with console port for ease of management.

OlofL

/routing ospf interface-template
add area=ospf-area-1 networks=192.168.89.0/24 priority=0 type=nbma

change this to:
type=ptp

(and the equivalent on frr side)

OlofL

Agree on all points. I would like to add that ipv6 fasttrack is also very much needed!

OlofL

Yes, this is how I use it with OSPF. I use it as site2site. The mikrotik side is behind NAT/dynamic IP (it has fiber with 4G failover). Note that you have to allow-address 0.0.0.0/0 if you dont know all networks that should be allowed in the future. The most important part is to add wireguard interf...

OlofL

What you have shown in your examples is exactly what routing/route/print does. How do I check longer prefixes or resolve a shorter route? It would be nice to resolve 172.23.253.1 to a route in the table. [olof@80003p-cpe002] /ip/route> print where dst-address=172.23.253.0/24 Flags: A - ACTIVE; s, y...

OlofL

News letter is not saying this is stable.
Lol

OlofL

When IPv6 fasttrack?

OlofL

Also, I think you want the "check-gateway" on your 1.1.1.1 route. But not sure if that's the only issue here.

No, the correct way is to "check-gateway" on the gateway.

And no, there are no more issues, it works fine this way.

OlofL

But I found a workaround... I had to disable the mangle rules to get this working, also just enable lte apn to add default route. If your goal is use ether1 as primary (and has static default gateway ** ), and you set the default route distance in the LTE APN, that may enough without any mangle rul...

OlofL

BTW Right guess it's actually load balance the networks, that's what the "+" means in the route table in v7 – does have A for active on both The nitty gritty is v7 changed routing, thus @avnu's suggestion to post there. But yeah the "v7 docs" suggest distance=2: https://help.mik...

OlofL

I have an LtAP LTE6 and run ROS v7.1rc7 I have a static default route on ether1 And dynamic IP from LTE with dynamic gateway and higher distance. I want to ping-check a remote host (eg 8.8.8.8/1.1.1.1) via static default route. (because the default gateway can be up, and isp network down) If ping-ch...

OlofL

Can any of the LTAP mini or LtAP LTE6 be installed with an internal disk?

I see LTE6 has "Second miniPCIe slot for expansions".

Its not clear to me searching the forum whether this port can be used for a disk.

OlofL

I have no issues. I run 6.48, and only a small OSPF network.
65 days uptime. I have not seen random reboots at all.

OlofL

When fasttrack for ipv6?

OlofL

Use case: office that uses 10G RJ45 ports to edit large media files on local LAN.

I'd love to see a switch with more 10G rj45 ports. 24XG and 48XG with 4SFP+ and/or 2QSFP+ for uplinks.

The CRS12-8XG-4C is great, but I need more ports!

OlofL

Finally a good update! Lots of work in core protocols and core functionality and not much of the new fancy pancy toys

OlofL

Feature request: DHCP sync Now that vrrp and conntrack sync is in v7, it would be nice if DHCP-server could sync its leases aswell. What I particulary like about DHCPv6 in mikrotik is that it dynamically adds a route to the prefix-delegated prefix aswell. So if this request goes through, that is an ...

OlofL

I tried to upgrade from 6.48.1 to development channel 7.1rc4. I don't know firmware version, but it was probably lower than 6.48.1. Logs hint it is 6.47.7 Seems like I bricked my device (RB4011) Logs from console connection when booting. :00000050 AL31400X-140 RouterBOOT booter 6.47.7 RB4011iGS+ CPU...

OlofL

Since we now have IPv6 VRF support, I do not see the reason why not.

How about EVPN with vxlan? is that going to be added soon too?

OlofL

This is 2021 final quarter. Please implement a proper IPv6 stack. It is till way behind other vendors. Recursive routing is still not implemented. Time for mikrotik to pull up the socks. Docker and stuff can still wait, core functionalities of a router must be the priority. Totally agree. There see...

OlofL

NO THANKS! I will manage my VPNs on my own, don't need and don't want any external service for that. Wireguard is working perfectly, thank you for that. OpenVPN is still working as it used to for years (slow but reliable). BTW, instead of adding random mostly useless stuff, why first don't make use...

OlofL

Can't believe that "Delegated-IPv6-Prefix" didn't fixed in this release also. How many months do we have to wait to fix this option in stable release? Is it really hard to get fix from 6.49beta and implement it? Unbelievable... What is this bug? Im just trying to implement ipv6 using dhcp...

OlofL

Is v7.1rc1 also known as "beta 7"?

https://help.mikrotik.com/docs/display/ ... col+Status

OlofL

Yes, the question is, why separate the IoT, if you don't really need to separate ? Because the IOT device might have more than one service that its broadcasting. And with a mDNS repeater function, you could chose which services to rebroadcast on another network. And then firewall to only allow the ...

OlofL

I'd rather say it's channel=frustrated_support_engineers ... frustrated by incompetent users who can't read warnings, written with letters of usual size and colour. Right, so Mikrotik releases an official "stable" software, that is released... on a forum ... page 10 pages down... in a thr...

OlofL

I can put it here too. This is 7.0.3 for Chateau only: https://box.mikrotik.com/f/7e3cad5779804d0b878d/?dl=1 We should put a big disclaimer next to it: DO NOT INSTALL v7.0.3 ON ANYTHING BUT CHATEAU! But I doubt it will solve people's inability to read. What /system/package/update channel is this? c...

OlofL

Shameless bump

OlofL

I am trying to redisitribute my connected routes. I have two routes 172.17.10.0/24 and 172.17.2.0/24 that are directly connected. BGP neighborship is up. My attempt: /routing bgp template set default as=65536 redistribute=connected /routing bgp connection add local.role=ebgp name=cust123 output.filt...

OlofL

Too many complaints about beta or alpha. It is a testing release so bad things happen. Whether it is beta or alpha, I do not see the point, you install it and take the risk of things not working as supposed to. Remember that mikrotik tries to put lot of features in one box so it is not that easy to...

OlofL

I'm a bit disappointed, would like to see more focus on stability and features that not in V7 but are available in V6 instead of brand new features. Totally agree. Also it would be interesting in seeing progress on protocols here: https://help.mikrotik.com/docs/display/ROS/v7+Routing+Protocol+Statu...

OlofL

ability to enter a user password in hashed format is a must have in 2021. one must be able to use scripts to push user passwords, and then i cannot have them stored in clear text.

OlofL

Moreover, connection sync does not work with the standard VRRP preemption. For example, if the master rebooted and gets back online with a higher VRRP priority value, it becomes the VRRP master again according to the VRRP protocol. But at this moment, the master does not have connections synced fro...

OlofL

11 years later - any update on this? i still need this feature.

OlofL

Why do you want to use a /32? Do you want symmetrical routing so that you can do proper conntrack? I did some testing recently, but I did the other way around, I was using /32 on the physical interfaces, and using /24 or whatever on the VRRP interfaces. This way I was able to get symmetrical routing...

OlofL

It says that /31 is not supported, so that people stop asking whether /31 is supported or not. What does this even mean? Are you adding features on the v7 status page just to say it's not going to be supported? And why should we stop asking for features that are not supported? Isn't that the whole ...

OlofL

Good find. I will upgrade my lab and test beta5

OlofL

Bug report:

lacp transmitt has policy layer3 and layer4 does not work on CCR2004.

RouterOS only sends out traffic on ONE member on 6.x

I tried:
6.48.1 doesnt work
6.49beta27 doesnt work
7.1beta5 does work - send traffic out of all lacp members.

OlofL

/31 is officially unsupported.

Can you support it in v7 please? :) Since it's supported (works) one way already :)

OlofL

Great news! Great work on the 5G and IOT stuff lately.

I was hoping for some more love and update on routeros v7 and more CCR routers with more than 4 or more SFP+ interfaces :)

OlofL

Bug: RouterOS beta 7.1beta4 - RFC3021 - does not route out on a /31 - but accepts traffic from a /31 I heard rumours on RouterOS v7 will support RFC3021, which is great. Comparing to v6, it will atleast accept traffic from a /31 IP. Ping from "north" with source address 10.0.2.3 - Can ping...

OlofL

hello, do you know if this was related to when you put some bandwidth on the router?
i had a similar issue, where LTE interface was dropping as soon as I actually got some real traffic on it with a few 10s of megabits...

OlofL

I have a eBGP peer, and one iBGP peer [my router] <-linknetwork1-> [eBGP peer] <- linknetwork2(172.31.23.8/30) -> [my iBGP peer](192.168.13.0/24) My eBGP peer advertises linknetwork2 to my router. (172.31.23.8/30) and is Active My iBGP peer advertises 192.168.13.0/24 with nexthop linknetwork2. My ro...

OlofL

I now have one CCR2004 in prod. Uptime only 10 days, but no issues so far.
Running 6.48.1.
Very simple configuration-
Only two static routes, some mangle rules and a few firewall rules.

OlofL

What hardware offload does CCR2004 have?
Can it do L3 offload on LACP link?

OlofL

I have mostly copied the ideas from this video, https://www.youtube.com/watch?v=67Dna_ffCvc BUT... it is almost 6 years old now, so maybe setups are more elegant/changed Everything seems to work fine now, but I need some quality assurance before going live, since I have never played around with mang...

OlofL

From the routerosv7 help pages. https://help.mikrotik.com/docs/display/ROS/ROSv7+Basic+Routing+Examples /routing ospf interface add network=192.168.0.0/24 area=backbone_v2 There are no add commands under interface. Interface-template does work. [admin@MikroTik] /routing/ospf> interface/ find print [...

OlofL

BUG report: v7.1beta4, using GNS3 with CHR IMG file. Same setup as post above. These bugs are probably related. The export command does not exist under. /routing ospf or /routing bgp They where available in RouterOS v6. However, /routing export exists, but it hangs. [admin@MikroTik] /routing/ospf> e...

OlofL

BUG Report: When reporting an issue, please follow this template: Version number (if the issue is upgrade related, specify which version was installed before as well); Has the /system routerboard command changed name or been removed btw? [admin@MikroTik] > /system/package/update/print channel: stabl...

OlofL

I have this issue on the new Mikrotik LTE Audience. I have upgraded to latest lte modem firmeware. I have tested all different routerboard software (testing/beta/stable) Upgraded routerboard firmware. I can reproduce this issue with LTE disconnecting by just starting a simple speedtest. Any news on ...

OlofL

What am I missing to get the management IP working on my switch? I have followed the guide from the wiki, but I am not getting any IP connectivity. L2 forwarding works just fine for all vlans. All ports are supposed to be in trunk all vlan-mode. Followed the second example on this page: https://wiki...

OlofL

this is tempting features, espeically with the new LTE6 mpic-e I am looking for a RB4011s sick performance, but with a built in 4G/5G modem. This would be awesome to do a selfbuilt SD-wan solution with dynamic ipsec tunnels.... +1 for LTE /mini pci-e slot with simcard support! Then I could build my...

OlofL

Google took me here. Shameless bump? cant find a setting for sampling rate. NetFlow does not have sampling rate. Sampling rate is for sFlow, mainly used in Switches. At this time, RouterOS does not support sFlow However, many (all I tried) vendorrs support sampling in netflow/ipfix. Besides routeros.

OlofL

Google took me here.
Shameless bump?

cant find a setting for sampling rate.

OlofL

Guys calm down, first we need to finish openvpn over udp.
You need to wait another two decades until alpha version of vti is available.

OlofL

Is there a a RB4011 or something in that range of perfomance that has 4G/5G built in? Im looking for a good CPE, like the RB4011. If main line goes down, I intend to use mobile broadband failover. The custom boards from mikrotik are so far too weak. I need RB4011 because of gigabit ipsec performance...

OlofL

As of 6.46.2, this still doesnt work.

OlofL

Hello, I dig up this topic because I have a similar issue. For load balancing purpose, I need to establish 2 gre tunnels between 2 routers. On one side I have 1 wan only, with a good bandwith, and on the otherside, I have 2 wan with low bandwith. Everything seems to go well, as both tunnels are run...

OlofL

I am seeing some issues with routes over a /29 gre interface.
This has been observed since I went to v6.46.

viewtopic.php?f=2&t=157756&p=775916#p775705

Bug?

OlofL

I will set this to unsolved again, because I just had an equal case where the ip route for my ipsec gre link network is not routing properly...
And this time that trick is not working :/

OlofL

Agree with this. Adding password with a hash is very critical, and a dealbreaker when automating big projects.

OlofL

Same problem here. It helped to restart VPN server on router side and delete clients and configure them again on client side. Hope that helps. I'm not sure but I think that Mikrotik might have some ipsec issues in versions 4.63.1-3. Do you also have a RB4011? Also, I downgraded to channel=long-term...

OlofL

Same problem here. It helped to restart VPN server on router side and delete clients and configure them again on client side. Hope that helps. I'm not sure but I think that Mikrotik might have some ipsec issues in versions 4.63.1-3. @Elliot I have restarted the vpn several times, on both ends. Howe...

OlofL

Recently my gre tunnel over my ipsec tunnel stopped working. Remote site is using vyos. Ping works, so ipsec tunnel is obviously up, however, gre doesnt work. Here is a ping between both routers loopback interfaces. Which is in the ipsec policy. /ping src-address=172.24.32.54 172.18.255.26 count=3 S...

OlofL

How do I unset a value under /system logging action? I set the remote src-address to a value, but I see no way to unset it. There is no unset under this configuration stanza. Also, I cannot remove ` remote ` since its a default rule. So, how do I remove the `src-address` value in /system logging act...

OlofL

Hello @orx did you find any patterns?

OlofL

Any updates on this one?

In the world of automation, it would be nice to generate a list of users.
I need to not know the passwords of the other users.

For most other network OS's we have, there is an option to paste the encrypted password.

OlofL

Hello, I have a scenario where I need a backup connection over LTE. The LTE connection has a private IPv4 from provider , and is subjected to change any time. I have the LtAP from mikrotik, and I need to setup a VPN with dynamic routing to play together with a VyOS router. Mikrotik behind NAT, dynam...

OlofL

/routing pim export

no config

reboot
enable igmp proxy - still invalid.. hmm?
@losty ?

OlofL

Same problem here... Router is rebooting almost 10 times every hour. /system routerboard print routerboard: yes model: RB4011iGS+ serial-number: xxxx firmware-type: al2 factory-firmware: 6.43.8 current-firmware: 6.44.3 upgrade-firmware: 6.44.3 /log print 09:37:22 system,error,critical router was reb...

OlofL

I was trying to connect a Huawei E3372 LTE modem. I used the mikrotik microusb to usb cable that came with the RB2011 router. I can confirm this was a power issue. I was using RB2011 with a 5v 0.8a power. Changed to 5v 1.2a power, still same issue. Changed to a RB3011 with the 5v, 1.2a power - and p...

OlofL

Hello, Im trying to do some simple ansible scripts to push some config to routeros. Im on routeros 6.43 and ansible 2.7 and trying the ansible modules: raw , command and the new routeros_command https://docs.ansible.com/ansible/latest/modules/routeros_command_module.html. None succeeeds, and they ju...

OlofL

I intend to limit WAN to LAN and LAN to WAN (up/download) bandwidth per host, with some burst traffic The wiki says on the fasttrack page: "Fasttracked packets bypass firewall, connection tracking, simple queues, queue tree ..." I am not getting a queue working, where I want to shape bandw...

OlofL

My setup: Mikrotik RB2011 with public IP and L2TP server enabled, use IPSEC and PSK. # feb/20/2018 12:56:31 by RouterOS 6.41.2 My clients are connecting from behind NAT to the public IP. On another setup, I use local /ppp secret users and they connect just fine from behind NAT. (Server still public ...

OlofL

It's weird. I got it up running once. It showed up under /interface lte But then I had to unplug the device, and now its not showing up again. Have tried reboot router and unplug a couple of times without success. are you using original OTG? This was probably it. I was using a one dollar china cabl...

OlofL

It's weird. I got it up running once. It showed up under /interface lte

But then I had to unplug the device, and now its not showing up again.

Have tried reboot router and unplug a couple of times without success.

OlofL

just Unplug Power wait few seconds then plug it back Nope. Model 2011UiAS Serial Number 4CA904EC4A14 Firmware Type ar9344 Factory Firmware 3.10 Current Firmware 3.41 Version 6.41rc47 (testing) And /port> print Flags: I - inactive # DEVICE NAME CHANNELS USED-BY BAUD-RATE 0 serial0 1 Serial Console a...

OlofL

on which board you test that?
Check if the usb port is added under system ports.

RB2011.

And no, nothing under system ports. Just the serial interface.

OlofL

Im pretty sure it means the second one. The first one would be impossible

OlofL

I cannot get this one started. Interface LTE shows nothing. Nothing in logs. RouterOS 6.41RC47. Ubuntu reports this as [23892.376108] usb 2-3.2: new high-speed USB device number 13 using xhci_hcd [23892.481169] usb 2-3.2: New USB device found, idVendor=12d1, idProduct=1f01 [23892.481172] usb 2-3.2: ...

OlofL

Or any solution in 2017?

This actually worked on a macos sierra client: under /ppp secrets just select user and add under routes=1.1.1.0/24

The user is connecting with L2TP IPSEC.
Now I have split tunneling and users doesnt hog cpu of my weak little rb2011

I haven't tried on windows though.

OlofL

I'm getting IPTV from my ISP on a tagged vlan (101) on interface sfp1. It should go out untagged on ether5 where my IPTV decoder is located. I'm not getting the IPTV to work. From what I know, the decoder should get a DHCP address from ISP IPTV network. I can see traffic going in and out on bridge p...

OlofL

So much info is missed out here. How is your "/ip firewall export" looking like?
What is using CPU when you access Internet?
Check out /tool profile

OlofL

Just to be safe since you've obfuscated the IPs. The SA src or dst is not included in either range to be tunneled correct? That would explain why it goes down as soon as it comes up. Alternatively you may have a layer 1 (physical) issue at one of the sites. Have you ruled that out? Possibly w/a sus...

OlofL

The thread is a bit old, but I'm having similar issues. I'm trying to collect using nProbe + ntopng, and I see that v9 and IPFIX flows contain post-NAT address information, but this seems to be ignored by nProbe/ntopng - did you ever find a solution? I'm having the same problem whereby clients appe...

OlofL

Hello, I've had a flapping IPSE Ctunnel for a while now. I cannot find out what the problem is. I can't see in logs on either side that VPN has stopped/started. Other side seem to get unreachable for a good 5-10 minutes and then back up again on its own. I am not 100% sure it is a VPN problem though...

OlofL

As you can see in picture, the netflow 5 flows are captured after dst-nat is done.

The behavior seem to differ in ipfix. Is this a bug or working as intended?

ipfix vs netflow5.PNG

OlofL

It seems like traffik flow is captured pre dst nat. This means when I'm analyzing it looks like all traffic is headed for my WAN IP. Is it possible to get the traffik flow to capture flows post dst nat? The ipv4 next hop address field is populated with the right destination nat address. I am capturi...

OlofL

Hm, tried to test network performance between windows PC connected by gigabit cable (cat.5e) to hAP AC and MacBook Pro connected by wifi 5ghz (1000-1300Mbit connection). Why transfer speed is so low? iperf -c 192.168.1.253 -t 30 -i 5 ------------------------------------------------------------ Clie...

OlofL

Read the fasttrack thread instead asking what is it. Unfortunately it has some problems as it is quite newly introduced feature.

The thread is huge, why would you just not answer here instead?

OlofL

It's not metrics... I want all 10.x.x.x traffic from every location to route through Location A / Provider A. I want all 192.x.x.x. traffic from every location to route through Location B / Provider B. I think it has to do with masquerade and srcnat, but what I've tried hasn't worked. Currently I h...

OlofL

Seems like this might have been a bug connected to the browser. The routers where earlier upgraded from 6.4 to 6.32, but deleting browser cache helped.

OlofL

I don't think it is possible to set on Mikrotik. You have to do it on the clients.
Powershell:

Set-VPNConnection -Name "Your-Connection" -DNSSuffix "something.local"

OlofL

So... I got a 4g/LTE USB Dongle with a SIM card in it. The problem is whenever I reboot my router or disable/re-enable the LTE interface, it adds a default route with it's address as the gateway. This overrides my default routes and screws up everything for me. Anyone familiar with this issue? I do...

OlofL

/ip firewall nat src-address=192.168.88.0/24 action=masquerade out-interface=ether3 chain=src-nat

meaning
address incoming to router with address 192.168.88.0/24 will be source-nated
with technique masquerade (meaning it will use the outgoing address of interface) ether3.

OlofL

Hello, if I create a rule from command line with two connection-states in one rule: /ip firewall filter add connection-state=established,related dst-address=192.168.213.0/24 chain=forward comment="est/rel to guests" If I then open this rule from the webgui the connection-state is removed, ...

Search found 124 matches