Community discussions

Search found 120 matches

by Murmaider
Thu Mar 07, 2019 9:12 am
Forum: Forwarding Protocols
Topic: should i replace CCR1072 with baltic vengangce? 1072 with 5 full feeds only 5 Gbps?
Replies: 6
Views: 602

Re: should i replace CCR1072 with baltic vengangce? 1072 with 5 full feeds only 5 Gbps?

Hi, Argh. Quagga is not for me. Filters and Community is use. On All uplinks. On 4gbit/s is the end near... I will still use mt. I will Look at mum in Vienna for „baltic“ Router and his Speed. I Hope, that there use better intel i9 because i7. I7 is 2 years old... Cheers. Christian Why not put toge...
by Murmaider
Thu Feb 21, 2019 7:39 am
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 522

Re: Problem while using VRRP between routers with BGP

what size is the range you are advertising to your provider?

if for example it's a /23

advertise the two /24's on R1 and advertise the /23 on router 2, this will force traffic coming in on router 1.
by Murmaider
Thu Feb 21, 2019 7:11 am
Forum: Forwarding Protocols
Topic: Random OSPF State Down
Replies: 9
Views: 509

Re: Random OSPF State Down

What is the output of the below on all your core and office site routers:
/routing ospf interface print
by Murmaider
Sun Feb 17, 2019 10:06 am
Forum: RouterBOARD hardware
Topic: CCR1036 Power Supply
Replies: 61
Views: 8600

Re: CCR1036 Power Supply

looks like a new revision of ccr1036 is coming soon

with dual PSU


https://mikrotik.com/product/CCR1036-8G-2SplusEM


ccr1036 revision.jpg
I don't understand the logic behind dual PSU's that aren't hot-swappable.
by Murmaider
Sun Feb 17, 2019 10:02 am
Forum: Forwarding Protocols
Topic: OSPF Redistribute Problem
Replies: 18
Views: 1119

Re: OSPF Redistribute Problem

not sure why it would do that, but you could use the ospf-out route filter and create a default discard rule so it doesn't advertise any routes.
by Murmaider
Mon Feb 11, 2019 3:01 pm
Forum: RouterBOARD hardware
Topic: CCR1072 with only 8GB RAM
Replies: 1
Views: 332

Re: CCR1072 with only 8GB RAM

One of the ram modules has probably failed.
by Murmaider
Mon Feb 11, 2019 2:59 pm
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 267

Re: OSPF advertising connected networks

Try advertise them as type 2. Setup the ospf-in and ospf-out filters. On the out filters, add the lan ranges you want your router to advertise to the other router. On the in filter, add the lan ranges you want to accept from the other router. Then create a default discard rule on both the ospf-in an...
by Murmaider
Mon Jan 14, 2019 8:16 am
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 458

Re: iBGP and eBGP

I'm no expert, however: Could you not setup an IBGP sessions between R1 and R2 and set force-self on R1 when advertising BGP to R2. Create a filter on R2 to set the prefixes received from R1 to R2 to have a local pref of 500 On R11 prepend the routes advertised to R2 if you dealing with a larger ip ...
by Murmaider
Thu Dec 13, 2018 12:54 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

Can we get a Mikrotik response please. The 1072 is ideal with the redundant PSU's but I cannot be rebooting it once or more a week. At the very least like Doush said, give us a v6.38.xx that is patched. specifically for the CCR1072. I 2nd this, otherwise I'm just going to downgrade to 6.38.7 and fi...
by Murmaider
Tue Dec 11, 2018 3:06 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

Ours which had been running on version 6.38 for months and months without any issues, was upgraded to 6.42.9 a month ago and today it randomly rebooted with no clear reason why.
by Murmaider
Mon Oct 15, 2018 2:42 pm
Forum: Forwarding Protocols
Topic: OSFP Keeps Losing Routes!!! [SOLVED]
Replies: 11
Views: 1606

Re: OSFP Keeps Losing Routes!!! [SOLVED]

We've had a similar issue to this when Dynamic interfaces were making their way into OSPF (like a vrrp interface for example). Our solution was to statically create the OSPF interfaces and set the default to passive. For example in your case: /routing ospf interface add interface=ether2 network-type...
by Murmaider
Mon Oct 01, 2018 10:54 am
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 23120

Re: v6.42.9 [long-term] is released!

Does this upgrade include the fix for the CCR-1072's that keep crashing when trying to run them at 1200Mhz ? (viewtopic.php?f=3&t=122525)
by Murmaider
Fri Sep 28, 2018 10:26 am
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 13132

Re: v6.40.9 [bugfix] is released!

Anyone running 6.40.9 + the 3.41 firmware on a CCR-1072 ?
If so, have you come across any issues (other than the webserver issue).
by Murmaider
Wed Sep 26, 2018 2:15 pm
Forum: RouterBOARD hardware
Topic: CCR1036 Power Supply
Replies: 61
Views: 8600

Re: CCR1036 Power Supply

Is this PSU issue still a problem when buying new CCR-1036 units or has this now been resolved?
by Murmaider
Fri Aug 24, 2018 6:47 pm
Forum: RouterBOARD hardware
Topic: CCR1072-1G-8S+ max number of routes
Replies: 5
Views: 1162

Re: CCR1072-1G-8S+ max number of routes

Hi there, Does anyone know what the limit of the routing table is on the CCR1072-1G-8S+ ? For instance, my current HP HSR6602 can have 4 million routes at max. I am looking to replace this HP with possibly the 1072 as BGP router. Hope to hear from you! Chris On our 1072 we have over 2 million route...
by Murmaider
Wed Jan 24, 2018 6:11 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

@berlo - did you need to reboot after you disabled route cache?
by Murmaider
Thu Dec 14, 2017 1:42 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service
Replies: 16
Views: 3168

Re: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service

You can choose, secure router or fast throughput. You are choosing to disable router security? Fastpath is not for all situations. What specifically would you like us to resolve, load of the device when it is doing something? All devices are loaded by all tasks that they perform. Then I would highl...
by Murmaider
Thu Dec 14, 2017 11:15 am
Forum: RouterOS v6 RC and v7 BETA
Topic: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service
Replies: 16
Views: 3168

Re: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service

Yes - that's precisely why the topic says Denial of Service, and not Exploit :lol: Funny how most devices have things like control plane policing, to limit things like this. No it didn't. From the post and from the link: DB Verified:  Exploit Standard firewall prevents this. Even if you need to ke...
by Murmaider
Mon Dec 04, 2017 1:25 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

Yes and now ccr was raised to 28 in all Europe. All are working fine and we never experienced more random reboots. Also we experienced better performance on routes with > 1kk routes installed disabled route cache. You loose some % CPU, about 10% more, but you will not experiencing packetloss/stop f...
by Murmaider
Thu Oct 19, 2017 7:52 am
Forum: RouterOS v7
Topic: RouterOS v7.0 beta1 - when?
Replies: 471
Views: 110228

Re: RouterOS v7.0 beta1 - when?

Stop asking and switch to another vendor :lol:. I'm currently switching to another vendor. Cumulus on ONIE + router. More than 240Mpps of performance, tested. ;-) 7Tb/s with prefixes that are loaded on TCAM module. Regards, What vendor has routers with ONIE? I thought this was only for sdn switches.
by Murmaider
Sun Sep 24, 2017 4:06 pm
Forum: Forwarding Protocols
Topic: DDOS BGP protection [automate communitys?]
Replies: 13
Views: 4526

Re: DDOS BGP protection [automate communitys?]

Connect your links to fast 10g switches and then connect your mikrotiks to those switches. So traffic to and from your network goes over the switches. Setup port mirroring on your uplink ports on the switches to mirror to a single port (or a few if it's high traffic) Buy wanguard from andrisoft and ...
by Murmaider
Tue Sep 19, 2017 7:07 am
Forum: General
Topic: Unable to ping from mikrotik
Replies: 7
Views: 947

Re: Unable to ping from mikrotik

The only difference between Ping and Trace (besides the TTL in the ICMP Type 8 outbound packet) is the return packet for the in-between hops. The return packet will be an ICMP type 11 for in between hops for a trace and an ICMP type 0 for the final hop. A ping will always have an ICMP type 0 as the...
by Murmaider
Fri Sep 15, 2017 3:22 pm
Forum: General
Topic: Unable to ping from mikrotik
Replies: 7
Views: 947

Unable to ping from mikrotik

On one of our routers we have a strange issue were the mikrotik can't ping anything at all, but is able to successfully traceroute to them. - The router is running the latest 6.38.7 bugfix and has no firewalling enabled on it at all. - All it does is perform BGP / OSPF and nothing else is configured...
by Murmaider
Tue Aug 22, 2017 9:26 am
Forum: RouterBOARD hardware
Topic: CCR1072 one way traffic flow - advice needed
Replies: 1
Views: 343

Re: CCR1072 one way traffic flow - advice needed

For the watchdog reboots, please make sure that you are running your router at 1000Mhz and not 1200Mhz.

We had a lot of random watchdog reboots when the cpu was set to 1200Mhz
by Murmaider
Fri Jun 30, 2017 5:45 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

Honestly i think they never developed/tested this product at 1200Mhz so they not know what reply on support request. Checking the exact error we see that the issue is related to hardware bug on 1200Mhz (that i think tile fixed on TLR4-07280DG-12CE A0a with 1866 memory support) and not on o.s. level...
by Murmaider
Fri Jun 30, 2017 4:24 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

hi, yes my previous consideration was wrong, the issue is confirmed on CPU overclock. We identified it keeping serial console opened and after reboot you see a message related to cpu error, something like: "processor error" I would love to get a response from Mikrotik Staff regarding this issue. Th...
by Murmaider
Fri Jun 30, 2017 9:23 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

after furter investigation we realized that the issue is not on cpu frequency that was changed 7 days ago, but the flow exporter. We did some changes todat like move from all interfaces to selected one and changing inactive and active timeouts. I reverting back these parameters, meanwhile generated...
by Murmaider
Fri Jun 30, 2017 9:17 am
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

Yes, we have downgraded to 1000Mhz and we not had more unexpected reboot
I'm going to give this a try, thanks a lot.
by Murmaider
Thu Jun 29, 2017 11:32 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 108
Views: 13016

Re: CCR1072 watchdog reboot

I too am experiencing this.

We do however have our units overclocked to 1200Mhz... I wonder if that may be the issue.
by Murmaider
Sat Jun 24, 2017 2:29 pm
Forum: General
Topic: Discussion about bugfix, current and rc versions
Replies: 29
Views: 5878

Re: v6.38.7 [bugfix] is released!

There are 3 different releases: bugfix, stable and release candidate. Is that so difficult to understand? That is precisely what I say. 6.38.7 (Bugfix only) 6.39.2 (Current) "STABLE" 6.40rc24 (Release candidate) The bugfix Should be on the stable (assumption without errors) Umm no, bugfix is just t...
by Murmaider
Wed Jun 07, 2017 3:08 pm
Forum: General
Topic: Mikrotik vs FortiGate
Replies: 3
Views: 3714

Re: Mikrotik vs FortiGate

If you looking for firewalling and packet inspection, then the Fortigate is the way to go, they work brilliantly and we have them deployed all over our infrastructure. However take the fortigate numbers with a pinch of salt. Once you enable things like anti-virus flow filtering and DPI then these nu...
by Murmaider
Mon May 29, 2017 8:46 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: Feature requests
Replies: 1061
Views: 180797

Re: Feature requests

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers. It is important to know what is going on with your network, and with the AS included a lot of things can be done. Thanks!! :D this is one of the most highly requested features. It has been promised for...
by Murmaider
Thu May 25, 2017 9:26 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

Doesn't the firewall RAW drop disable ipv4 fastpath? If it does, then the blackhole would appear to be better.
by Murmaider
Thu May 25, 2017 9:09 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

I've setup my test environment again with the static arp and you are 100% correct - I'll update the first post of this topic to reflect this. In my tests I could only get the CPU up to 88%, doing RAW drop managed to get the cpu down to 18%. When doing blackhole with route cache disabled, I managed t...
by Murmaider
Wed May 24, 2017 7:03 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

Interesting, any idea why in my test and video the CPU usage drops to 0% with the blackhole + RP Filter, but with raw the CPU stays at 14% ? I am not sure if your test is correct. If you are getting DDoSed you cannot stop the incoming packets from reaching the router regardless of how you drop them...
by Murmaider
Wed May 24, 2017 3:16 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

100% CPU in all tests. Route cache is just an additional load on CPU. Whenever new packet arrives, it goes through route cache table to find matching hash, if there is no match new src/dst hash entry is generated. Interesting, any idea why in my test and video the CPU usage drops to 0% with the bla...
by Murmaider
Wed May 24, 2017 2:37 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

RP filter in this case doesn't make any difference. But route cache does.
With disabled route cache:
blackhole = 4.45Mil pps
raw drop = 4.2Mil pps

Why does disabling the route cache increase the pps?

What CPU was observered at blackhole 4.45Mpps?
by Murmaider
Wed May 24, 2017 11:47 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

Thanks for replying. I read all of your posts on this forum. I am really new to mikrotik. You are suggesting us to use blackhole which is ip null route right ? That method is that we cant use. we cant null client's ip otherwise they will leave us. We need to protect them no matter what happens. If ...
by Murmaider
Tue May 23, 2017 6:19 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

@Murmaider there seems to be some flaw in your tests. Lets make a real load on the router CCR1072 with 10G link DDOS attack from x.0.0.0/8 different addresses 64byte packet size Attack to routers address (connected route no firewall) = 1.01Mil pps with 100% CPU load Blackhole route = 1.6Milion pps ...
by Murmaider
Tue May 23, 2017 2:40 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

It was meant for an example few posts above, drop in RAW will be significantly faster than routing marks and connection marks. Even in your test compared 18% to 14% it is roughly 30% faster, which is exactly how RAW was advertised and it does not overload connection tracking. Of course blackhole is...
by Murmaider
Tue May 23, 2017 1:22 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

I would suggest to use raw firewall rules to drop DDOS packets.
Hi mrz,

I tested the RAW firewall rules vs normal firewall rules above in this thread (viewtopic.php?f=2&t=114664&p=599485#p568217), and the performance is almost identical.
by Murmaider
Tue May 23, 2017 12:37 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

Can someone post the complete rules for fighting DDoS using "blackhole" ? The rules below are ok ? Smb was saying there should be any mangle rule so it work better. /ip firewall filter add action=jump chain=forward connection-state=new jump-target=detect-ddos add action=return chain=detect-ddos dst...
by Murmaider
Tue May 23, 2017 12:28 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

We run ours at 1200Mhz and it seems to work just fine. we are thinking to buy CCR1072 for just firewall is it a right move ? here our topic: https://forum.mikrotik.com/viewtopic.php?f=13&t=121781 I would definitely not use an CCR as a firewall that you are expecting to take punishment, the clock sp...
by Murmaider
Mon May 15, 2017 3:01 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers? For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - https://forum.mikrotik.com/viewtopic.php?t=114664). Y...
by Murmaider
Mon May 15, 2017 12:25 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers? For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - https://forum.mikrotik.com/viewtopic.php?t=114664). Y...
by Murmaider
Sun May 14, 2017 7:03 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 2823

Re: Set CPU frequency to 1200MHz on ccr1072

We run ours at 1200Mhz and it seems to work just fine.
by Murmaider
Sat May 06, 2017 8:10 am
Forum: RouterBOARD hardware
Topic: CCR-1072 - Random Kernel Failure
Replies: 0
Views: 721

CCR-1072 - Random Kernel Failure

I'm currently running 6.37.4 on one of our CCR-1072 which is about 6 months old and it randomly reboots with the following in the logs: 02:00:11 system,error,critical router was rebooted without proper shutdown, probably kernel failure 13:30:34 system,error,critical kernel failure in previous boot T...
by Murmaider
Wed Apr 19, 2017 6:11 pm
Forum: RouterOS v6 RC and v7 BETA
Topic: ETA v8
Replies: 21
Views: 3708

Re: ETA v8

I guess you are waiting for some specific feature, not the number or the date.
multi-threaded bgp seems to be at the top of the list...
by Murmaider
Mon Apr 10, 2017 7:31 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 10641

Re: Why source-based blackhole instead of firewall drop

Hello, can you help me? Fastnetmon identifies the attacked IP, but I can not get exabgp to advertise to mikrotik. Hi, There are 2 ways to do this: 1) Use fastnetmon's mikrotik plugin - https://github.com/pavel-odintsov/fastnetmon/tree/master/src/mikrotik_plugin It speaks to the mikrotik API and han...
by Murmaider
Mon Jan 30, 2017 5:15 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7143

Re: info CCR1072-1G-8S+

We are considering buying 2 of these CCR1072-1G-8S+ for our co-location BGP and replace our old servers running vyatta. I've read through the BGP tests on http://www.stubarea51.net and it looks impressive, my only concern is regarding the reliability and stability of this unit. A number of people h...