Community discussions

Search found 121 matches

by Murmaider
Wed Jul 03, 2019 9:34 am
Forum: Announcements
Topic: v6.45.1 [stable] is released!
Replies: 416
Views: 69923

Re: v6.45.1 [stable] is released!

170 updates and changes and not one BGP improvement...
by Murmaider
Thu Mar 07, 2019 9:12 am
Forum: Forwarding Protocols
Topic: should i replace CCR1072 with baltic vengangce? 1072 with 5 full feeds only 5 Gbps?
Replies: 6
Views: 965

Re: should i replace CCR1072 with baltic vengangce? 1072 with 5 full feeds only 5 Gbps?

Hi, Argh. Quagga is not for me. Filters and Community is use. On All uplinks. On 4gbit/s is the end near... I will still use mt. I will Look at mum in Vienna for „baltic“ Router and his Speed. I Hope, that there use better intel i9 because i7. I7 is 2 years old... Cheers. Christian Why not put toge...
by Murmaider
Thu Feb 21, 2019 7:39 am
Forum: Forwarding Protocols
Topic: Problem while using VRRP between routers with BGP
Replies: 7
Views: 843

Re: Problem while using VRRP between routers with BGP

what size is the range you are advertising to your provider?

if for example it's a /23

advertise the two /24's on R1 and advertise the /23 on router 2, this will force traffic coming in on router 1.
by Murmaider
Thu Feb 21, 2019 7:11 am
Forum: Forwarding Protocols
Topic: Random OSPF State Down
Replies: 9
Views: 951

Re: Random OSPF State Down

What is the output of the below on all your core and office site routers:
/routing ospf interface print
by Murmaider
Sun Feb 17, 2019 10:06 am
Forum: RouterBOARD hardware
Topic: CCR1036 Power Supply
Replies: 61
Views: 10290

Re: CCR1036 Power Supply

looks like a new revision of ccr1036 is coming soon

with dual PSU


https://mikrotik.com/product/CCR1036-8G-2SplusEM


ccr1036 revision.jpg
I don't understand the logic behind dual PSU's that aren't hot-swappable.
by Murmaider
Sun Feb 17, 2019 10:02 am
Forum: Forwarding Protocols
Topic: OSPF Redistribute Problem
Replies: 18
Views: 1560

Re: OSPF Redistribute Problem

not sure why it would do that, but you could use the ospf-out route filter and create a default discard rule so it doesn't advertise any routes.
by Murmaider
Mon Feb 11, 2019 3:01 pm
Forum: RouterBOARD hardware
Topic: CCR1072 with only 8GB RAM
Replies: 1
Views: 421

Re: CCR1072 with only 8GB RAM

One of the ram modules has probably failed.
by Murmaider
Mon Feb 11, 2019 2:59 pm
Forum: Forwarding Protocols
Topic: OSPF advertising connected networks
Replies: 2
Views: 424

Re: OSPF advertising connected networks

Try advertise them as type 2. Setup the ospf-in and ospf-out filters. On the out filters, add the lan ranges you want your router to advertise to the other router. On the in filter, add the lan ranges you want to accept from the other router. Then create a default discard rule on both the ospf-in an...
by Murmaider
Mon Jan 14, 2019 8:16 am
Forum: Forwarding Protocols
Topic: iBGP and eBGP
Replies: 3
Views: 727

Re: iBGP and eBGP

I'm no expert, however: Could you not setup an IBGP sessions between R1 and R2 and set force-self on R1 when advertising BGP to R2. Create a filter on R2 to set the prefixes received from R1 to R2 to have a local pref of 500 On R11 prepend the routes advertised to R2 if you dealing with a larger ip ...
by Murmaider
Thu Dec 13, 2018 12:54 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

Can we get a Mikrotik response please. The 1072 is ideal with the redundant PSU's but I cannot be rebooting it once or more a week. At the very least like Doush said, give us a v6.38.xx that is patched. specifically for the CCR1072. I 2nd this, otherwise I'm just going to downgrade to 6.38.7 and fi...
by Murmaider
Tue Dec 11, 2018 3:06 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

Ours which had been running on version 6.38 for months and months without any issues, was upgraded to 6.42.9 a month ago and today it randomly rebooted with no clear reason why.
by Murmaider
Mon Oct 15, 2018 2:42 pm
Forum: Forwarding Protocols
Topic: OSFP Keeps Losing Routes!!! [SOLVED]
Replies: 11
Views: 2130

Re: OSFP Keeps Losing Routes!!! [SOLVED]

We've had a similar issue to this when Dynamic interfaces were making their way into OSPF (like a vrrp interface for example). Our solution was to statically create the OSPF interfaces and set the default to passive. For example in your case: /routing ospf interface add interface=ether2 network-type...
by Murmaider
Mon Oct 01, 2018 10:54 am
Forum: Announcements
Topic: v6.42.9 [long-term] is released!
Replies: 119
Views: 26065

Re: v6.42.9 [long-term] is released!

Does this upgrade include the fix for the CCR-1072's that keep crashing when trying to run them at 1200Mhz ? (viewtopic.php?f=3&t=122525)
by Murmaider
Fri Sep 28, 2018 10:26 am
Forum: Announcements
Topic: v6.40.9 [bugfix] is released!
Replies: 56
Views: 15202

Re: v6.40.9 [bugfix] is released!

Anyone running 6.40.9 + the 3.41 firmware on a CCR-1072 ?
If so, have you come across any issues (other than the webserver issue).
by Murmaider
Wed Sep 26, 2018 2:15 pm
Forum: RouterBOARD hardware
Topic: CCR1036 Power Supply
Replies: 61
Views: 10290

Re: CCR1036 Power Supply

Is this PSU issue still a problem when buying new CCR-1036 units or has this now been resolved?
by Murmaider
Fri Aug 24, 2018 6:47 pm
Forum: RouterBOARD hardware
Topic: CCR1072-1G-8S+ max number of routes
Replies: 5
Views: 1591

Re: CCR1072-1G-8S+ max number of routes

Hi there, Does anyone know what the limit of the routing table is on the CCR1072-1G-8S+ ? For instance, my current HP HSR6602 can have 4 million routes at max. I am looking to replace this HP with possibly the 1072 as BGP router. Hope to hear from you! Chris On our 1072 we have over 2 million route...
by Murmaider
Wed Jan 24, 2018 6:11 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

@berlo - did you need to reboot after you disabled route cache?
by Murmaider
Thu Dec 14, 2017 1:42 pm
Forum: General
Topic: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service
Replies: 16
Views: 3591

Re: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service

You can choose, secure router or fast throughput. You are choosing to disable router security? Fastpath is not for all situations. What specifically would you like us to resolve, load of the device when it is doing something? All devices are loaded by all tasks that they perform. Then I would highl...
by Murmaider
Thu Dec 14, 2017 11:15 am
Forum: General
Topic: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service
Replies: 16
Views: 3591

Re: [exploit-db.com] MikroTik 6.40.5 ICMP - Denial of Service

Yes - that's precisely why the topic says Denial of Service, and not Exploit :lol: Funny how most devices have things like control plane policing, to limit things like this. No it didn't. From the post and from the link: DB Verified:  Exploit Standard firewall prevents this. Even if you need to ke...
by Murmaider
Mon Dec 04, 2017 1:25 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

Yes and now ccr was raised to 28 in all Europe. All are working fine and we never experienced more random reboots. Also we experienced better performance on routes with > 1kk routes installed disabled route cache. You loose some % CPU, about 10% more, but you will not experiencing packetloss/stop f...
by Murmaider
Thu Oct 19, 2017 7:52 am
Forum: General
Topic: RouterOS v7.0 beta1 - when?
Replies: 609
Views: 154891

Re: RouterOS v7.0 beta1 - when?

Stop asking and switch to another vendor :lol:. I'm currently switching to another vendor. Cumulus on ONIE + router. More than 240Mpps of performance, tested. ;-) 7Tb/s with prefixes that are loaded on TCAM module. Regards, What vendor has routers with ONIE? I thought this was only for sdn switches.
by Murmaider
Sun Sep 24, 2017 4:06 pm
Forum: Forwarding Protocols
Topic: DDOS BGP protection [automate communitys?]
Replies: 13
Views: 4880

Re: DDOS BGP protection [automate communitys?]

Connect your links to fast 10g switches and then connect your mikrotiks to those switches. So traffic to and from your network goes over the switches. Setup port mirroring on your uplink ports on the switches to mirror to a single port (or a few if it's high traffic) Buy wanguard from andrisoft and ...
by Murmaider
Tue Sep 19, 2017 7:07 am
Forum: General
Topic: Unable to ping from mikrotik
Replies: 7
Views: 1211

Re: Unable to ping from mikrotik

The only difference between Ping and Trace (besides the TTL in the ICMP Type 8 outbound packet) is the return packet for the in-between hops. The return packet will be an ICMP type 11 for in between hops for a trace and an ICMP type 0 for the final hop. A ping will always have an ICMP type 0 as the...
by Murmaider
Fri Sep 15, 2017 3:22 pm
Forum: General
Topic: Unable to ping from mikrotik
Replies: 7
Views: 1211

Unable to ping from mikrotik

On one of our routers we have a strange issue were the mikrotik can't ping anything at all, but is able to successfully traceroute to them. - The router is running the latest 6.38.7 bugfix and has no firewalling enabled on it at all. - All it does is perform BGP / OSPF and nothing else is configured...
by Murmaider
Tue Aug 22, 2017 9:26 am
Forum: RouterBOARD hardware
Topic: CCR1072 one way traffic flow - advice needed
Replies: 1
Views: 391

Re: CCR1072 one way traffic flow - advice needed

For the watchdog reboots, please make sure that you are running your router at 1000Mhz and not 1200Mhz.

We had a lot of random watchdog reboots when the cpu was set to 1200Mhz
by Murmaider
Fri Jun 30, 2017 5:45 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

Honestly i think they never developed/tested this product at 1200Mhz so they not know what reply on support request. Checking the exact error we see that the issue is related to hardware bug on 1200Mhz (that i think tile fixed on TLR4-07280DG-12CE A0a with 1866 memory support) and not on o.s. level...
by Murmaider
Fri Jun 30, 2017 4:24 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

hi, yes my previous consideration was wrong, the issue is confirmed on CPU overclock. We identified it keeping serial console opened and after reboot you see a message related to cpu error, something like: "processor error" I would love to get a response from Mikrotik Staff regarding this issue. Th...
by Murmaider
Fri Jun 30, 2017 9:23 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

after furter investigation we realized that the issue is not on cpu frequency that was changed 7 days ago, but the flow exporter. We did some changes todat like move from all interfaces to selected one and changing inactive and active timeouts. I reverting back these parameters, meanwhile generated...
by Murmaider
Fri Jun 30, 2017 9:17 am
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

Yes, we have downgraded to 1000Mhz and we not had more unexpected reboot
I'm going to give this a try, thanks a lot.
by Murmaider
Thu Jun 29, 2017 11:32 pm
Forum: RouterBOARD hardware
Topic: CCR1072 watchdog reboot
Replies: 125
Views: 17811

Re: CCR1072 watchdog reboot

I too am experiencing this.

We do however have our units overclocked to 1200Mhz... I wonder if that may be the issue.
by Murmaider
Sat Jun 24, 2017 2:29 pm
Forum: General
Topic: Discussion about bugfix, current and rc versions
Replies: 29
Views: 6696

Re: v6.38.7 [bugfix] is released!

There are 3 different releases: bugfix, stable and release candidate. Is that so difficult to understand? That is precisely what I say. 6.38.7 (Bugfix only) 6.39.2 (Current) "STABLE" 6.40rc24 (Release candidate) The bugfix Should be on the stable (assumption without errors) Umm no, bugfix is just t...
by Murmaider
Wed Jun 07, 2017 3:08 pm
Forum: General
Topic: Mikrotik vs FortiGate
Replies: 3
Views: 5128

Re: Mikrotik vs FortiGate

If you looking for firewalling and packet inspection, then the Fortigate is the way to go, they work brilliantly and we have them deployed all over our infrastructure. However take the fortigate numbers with a pinch of salt. Once you enable things like anti-virus flow filtering and DPI then these nu...
by Murmaider
Mon May 29, 2017 8:46 pm
Forum: General
Topic: Feature requests
Replies: 1160
Views: 207995

Re: Feature requests

I don't know if it was already sugested.. but mikrotik Traffic Flow could include BGP AS Numbers. It is important to know what is going on with your network, and with the AS included a lot of things can be done. Thanks!! :D this is one of the most highly requested features. It has been promised for...
by Murmaider
Thu May 25, 2017 9:26 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Doesn't the firewall RAW drop disable ipv4 fastpath? If it does, then the blackhole would appear to be better.
by Murmaider
Thu May 25, 2017 9:09 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

I've setup my test environment again with the static arp and you are 100% correct - I'll update the first post of this topic to reflect this. In my tests I could only get the CPU up to 88%, doing RAW drop managed to get the cpu down to 18%. When doing blackhole with route cache disabled, I managed t...
by Murmaider
Wed May 24, 2017 7:03 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Interesting, any idea why in my test and video the CPU usage drops to 0% with the blackhole + RP Filter, but with raw the CPU stays at 14% ? I am not sure if your test is correct. If you are getting DDoSed you cannot stop the incoming packets from reaching the router regardless of how you drop them...
by Murmaider
Wed May 24, 2017 3:16 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

100% CPU in all tests. Route cache is just an additional load on CPU. Whenever new packet arrives, it goes through route cache table to find matching hash, if there is no match new src/dst hash entry is generated. Interesting, any idea why in my test and video the CPU usage drops to 0% with the bla...
by Murmaider
Wed May 24, 2017 2:37 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

RP filter in this case doesn't make any difference. But route cache does.
With disabled route cache:
blackhole = 4.45Mil pps
raw drop = 4.2Mil pps

Why does disabling the route cache increase the pps?

What CPU was observered at blackhole 4.45Mpps?
by Murmaider
Wed May 24, 2017 11:47 am
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

Thanks for replying. I read all of your posts on this forum. I am really new to mikrotik. You are suggesting us to use blackhole which is ip null route right ? That method is that we cant use. we cant null client's ip otherwise they will leave us. We need to protect them no matter what happens. If ...
by Murmaider
Tue May 23, 2017 6:19 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

@Murmaider there seems to be some flaw in your tests. Lets make a real load on the router CCR1072 with 10G link DDOS attack from x.0.0.0/8 different addresses 64byte packet size Attack to routers address (connected route no firewall) = 1.01Mil pps with 100% CPU load Blackhole route = 1.6Milion pps ...
by Murmaider
Tue May 23, 2017 2:40 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

It was meant for an example few posts above, drop in RAW will be significantly faster than routing marks and connection marks. Even in your test compared 18% to 14% it is roughly 30% faster, which is exactly how RAW was advertised and it does not overload connection tracking. Of course blackhole is...
by Murmaider
Tue May 23, 2017 1:22 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

I would suggest to use raw firewall rules to drop DDOS packets.
Hi mrz,

I tested the RAW firewall rules vs normal firewall rules above in this thread (viewtopic.php?f=2&t=114664&p=599485#p568217), and the performance is almost identical.
by Murmaider
Tue May 23, 2017 12:37 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Can someone post the complete rules for fighting DDoS using "blackhole" ? The rules below are ok ? Smb was saying there should be any mangle rule so it work better. /ip firewall filter add action=jump chain=forward connection-state=new jump-target=detect-ddos add action=return chain=detect-ddos dst...
by Murmaider
Tue May 23, 2017 12:28 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

We run ours at 1200Mhz and it seems to work just fine. we are thinking to buy CCR1072 for just firewall is it a right move ? here our topic: https://forum.mikrotik.com/viewtopic.php?f=13&t=121781 I would definitely not use an CCR as a firewall that you are expecting to take punishment, the clock sp...
by Murmaider
Mon May 15, 2017 3:01 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers? For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - https://forum.mikrotik.com/viewtopic.php?t=114664). Y...
by Murmaider
Mon May 15, 2017 12:25 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

Interesting use case for Mikrotik. Do you have any strategy in place for DDoS attacks? How well is the 1072 handling that many peers? For DDoS - Andrisoft Wanguard + RTBH and Source-based blackhole - (set RP Filter to Loose is an absolute must - https://forum.mikrotik.com/viewtopic.php?t=114664). Y...
by Murmaider
Sun May 14, 2017 7:03 pm
Forum: RouterBOARD hardware
Topic: Set CPU frequency to 1200MHz on ccr1072
Replies: 22
Views: 3407

Re: Set CPU frequency to 1200MHz on ccr1072

We run ours at 1200Mhz and it seems to work just fine.
by Murmaider
Sat May 06, 2017 8:10 am
Forum: RouterBOARD hardware
Topic: CCR-1072 - Random Kernel Failure
Replies: 0
Views: 802

CCR-1072 - Random Kernel Failure

I'm currently running 6.37.4 on one of our CCR-1072 which is about 6 months old and it randomly reboots with the following in the logs: 02:00:11 system,error,critical router was rebooted without proper shutdown, probably kernel failure 13:30:34 system,error,critical kernel failure in previous boot T...
by Murmaider
Wed Apr 19, 2017 6:11 pm
Forum: General
Topic: ETA v8
Replies: 21
Views: 4116

Re: ETA v8

I guess you are waiting for some specific feature, not the number or the date.
multi-threaded bgp seems to be at the top of the list...
by Murmaider
Mon Apr 10, 2017 7:31 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Hello, can you help me? Fastnetmon identifies the attacked IP, but I can not get exabgp to advertise to mikrotik. Hi, There are 2 ways to do this: 1) Use fastnetmon's mikrotik plugin - https://github.com/pavel-odintsov/fastnetmon/tree/master/src/mikrotik_plugin It speaks to the mikrotik API and han...
by Murmaider
Mon Jan 30, 2017 5:15 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

We are considering buying 2 of these CCR1072-1G-8S+ for our co-location BGP and replace our old servers running vyatta. I've read through the BGP tests on http://www.stubarea51.net and it looks impressive, my only concern is regarding the reliability and stability of this unit. A number of people h...
by Murmaider
Sat Jan 21, 2017 3:56 pm
Forum: General
Topic: Performance of CCR1072-1G-8S+
Replies: 4
Views: 847

Re: Performance of CCR1072-1G-8S+

Your should get that provided you have fathpath on for GRE, it does mean you can't (and shouldn't) firewall on the devices.
by Murmaider
Sat Jan 14, 2017 7:41 am
Forum: General
Topic: Missing mikrotik snmp OID's
Replies: 14
Views: 2342

Missing mikrotik snmp OID's

Hi, There seems to be some OID's missing on the CCR-1072 (running 6.36.4), for example: > /system health print oid active-fan: .1.3.6.1.4.1.14988.1.1.3.9.0 voltage: .1.3.6.1.4.1.14988.1.1.3.8.0 temperature: .1.3.6.1.4.1.14988.1.1.3.10.0 processor-temperature: .1.3.6.1.4.1.14988.1.1.3.11.0 current: ....
by Murmaider
Tue Dec 27, 2016 2:02 pm
Forum: General
Topic: Routing performance
Replies: 1
Views: 386

Re: Routing performance

I'm using the 1072 as a core L3 device in an ISP. I'm also using 2 x 1036 as LNSs and they are doing the job pretty well. Each LNS is forwarding 800 Mbps and they are connected to eth1 and eth2 10G interfaces on the 1072. There is almost no traffic between LNSs. Each LNS is mainly talking to the co...
by Murmaider
Mon Dec 26, 2016 5:16 am
Forum: Forwarding Protocols
Topic: iBGP & 2x eBGP
Replies: 6
Views: 1734

Re: iBGP & 2x eBGP

There is a way to resolve situation if we advertising /22 network from both places? Advertise the /22 on both routers. Then advertise each /24 on their "preferred" router. So in your case, the first 3 /24's will be on router 1 and then 4th one on router 2. All /24's are smaller network blocks, they...
by Murmaider
Sat Dec 24, 2016 11:33 am
Forum: General
Topic: DOS approach
Replies: 6
Views: 788

Re: DOS approach

by Murmaider
Wed Dec 21, 2016 8:17 am
Forum: General
Topic: Fighting DDOS and SYN flooding - optimal settings?
Replies: 4
Views: 4980

Re: Fighting DDOS and SYN flooding - optimal settings?

Thanks Murmaider, Actually tonight I stumbled across the last forum post you link to. I have now swapped the drop rule for a blackhole route. But I still have to detect src/dst addresses for the attacks and mangle the packets, that will have a CPU impact as well? I have played a little bit more aro...
by Murmaider
Fri Dec 16, 2016 8:09 pm
Forum: General
Topic: feature: show ospf and bgp on snmp
Replies: 9
Views: 3603

Re: feature: show ospf and bgp on snmp

You might be able to script it for Observium to monitor your mikrotik through the API. We use Zabbix for monitoring, so for BGP monitoring we have a script with connects to the mikrotik API and returns information which zabbix can monitor. For example: # ./bgpcheck.php exabgp uptime 3w4d12h54m53s # ...
by Murmaider
Fri Dec 09, 2016 2:21 pm
Forum: General
Topic: Current or Bugfix
Replies: 1
Views: 586

Current or Bugfix

Which one do you run on your Production routers?
by Murmaider
Fri Dec 09, 2016 5:58 am
Forum: General
Topic: CCR1036-8G-2S+ maximum single TCP connection throughput
Replies: 5
Views: 1078

Re: CCR1036-8G-2S+ maximum single TCP connection throughput

That being said - what server can process a single stream of data at 2Gbps? I believe your hard disks will max out way before the network does. :o 2Gbps = 256MB/sec An SSD can easily do 480MB/sec and NVME drives can do up to 3GB/sec (24Gbps) Add some raid to the mix and you can increase these numbe...
by Murmaider
Thu Dec 08, 2016 6:37 am
Forum: General
Topic: UDP attack
Replies: 5
Views: 1468

Re: UDP attack

Firewall work sequential. Meaning that traffic is matched against each rule in order from top to bottom until a matching rule is found. So if you have for example a rule to allow all traffic to the router and then after it a rule to block traffic, no matching will ever be done on the 2nd rule as the...
by Murmaider
Sat Dec 03, 2016 6:40 am
Forum: General
Topic: DDoS story, or WARNING: use 'conection-limit' with caution!
Replies: 112
Views: 63048

Re: DDoS story, or WARNING: use 'conection-limit' with caution!

I want to build a super powerful router that can handle 30GIG of ddos attack using firewall rules without any problems what do you guys recommend You won't stop a 30Gb/sec DDoS with firewall rules. Firewalls are a access control technology designed to secure unauthorized entry or to limit / restric...
by Murmaider
Thu Nov 24, 2016 3:57 am
Forum: General
Topic: HotSpot DoS
Replies: 10
Views: 1437

Re: HotSpot DoS

IP => Settings Switch RP Filter => Strict Could this cause any problems? The default setting is disabled and I just want to make sure that nothing else will be affected by this. Strict mode can cause problems in asynchronous routing (traffic going in one router and coming out of another router) - i...
by Murmaider
Wed Nov 23, 2016 10:29 am
Forum: General
Topic: HotSpot DoS
Replies: 10
Views: 1437

Re: HotSpot DoS

IP => Settings

Switch RP Filter => Strict
by Murmaider
Tue Nov 22, 2016 5:16 am
Forum: General
Topic: What am I doing wrong?
Replies: 1
Views: 232

Re: What am I doing wrong?

Do you have a forwarding rule to allow Established & Related connections?
/ip firewall filter
add action=accept chain=forward connection-state=established,related
by Murmaider
Mon Nov 21, 2016 7:31 pm
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26606

Re: Decline of Mikrotik?

Just an interesting side note, I do BGP on MIkroTik every day and I can't say I've run into this very often, but I do a soft-refresh in and out every time I change the filter because MikroTik isn't the only one who has this issue. I've been burned by similar behavior on Cisco 6500, 7600, ASR and Ne...
by Murmaider
Mon Nov 21, 2016 7:13 pm
Forum: General
Topic: change log
Replies: 1
Views: 566

Re: change log

by Murmaider
Thu Nov 17, 2016 11:05 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

When this is so efficient then it is may interesting to transparent for the users to use a different screen to input this. Since short we have the RAW option that should be more efficient but is not that much of a difference. So a user could enter this in the RAW section and an added "action" would...
by Murmaider
Wed Nov 16, 2016 1:19 pm
Forum: Forwarding Protocols
Topic: Need Suggestion CCR
Replies: 3
Views: 724

Re: Need Suggestion CCR

Why can't they LACP trunk the 2 ports together to give you 200Mb?
by Murmaider
Wed Nov 16, 2016 1:09 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Source address can be an individual ip or a network range. Oh, so is there an easy way to do this for all IPs in a address-list without using mangle/filter/etc before? To use the address list, the interface has to accept the packet first in order to mangle it (by using the firewall). What I mean is...
by Murmaider
Wed Nov 16, 2016 12:20 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

I think the last question I have about this for Murmaider is: Will your RP-based blackhole approach work where there are multiple valid routes (learned by BGP) to external addresses, but only one is "active" in the RouterOS routing table? With RP Filter set to loose it should. Loose RP Filter check...
by Murmaider
Wed Nov 16, 2016 11:45 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Can you please share the code for this source based blackhole? From above I can see that I have to packet mark so filter is still involved?! For the mikrotik, enable RP Filter under IP => Settings (set to loose) Then to add a blackhole use: /ip route add distance=1 dst-address=<source address> type...
by Murmaider
Wed Nov 16, 2016 9:52 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Ah interesting. How does the Wanguard get the traffic in the first place to determine what is an attack? Is it working off NetFlow/IPFIX data? Or is it connected to a mirror port or something? It supports both Flow Sensors or Packet Sensor. We use the Packet Sensor (create a mirror port on your swi...
by Murmaider
Wed Nov 16, 2016 9:35 am
Forum: Forwarding Protocols
Topic: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?
Replies: 7
Views: 2196

Re: CCR1072-1G-8S+ or a Supermicro server with x86 routerOS ?

we are currently handling 4Gbps of traffic using an old cisco router, which we are removing now. we want to use microtik due to its versatility. confused what to buy, CCR1072-1G-8S+ or a supermicro server with Xeon E5 Single processor 2640v4 10 cores with 2 x 3 10G NIC cards ? The price comes to sa...
by Murmaider
Wed Nov 16, 2016 6:48 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Do you not lose fastpath by doing this though? Yes, but in our use case that isn't something I'm worried about. I need to use an address-list (so lose fastpath) so that I can redirect abusive traffic: 1) to display a "stop typing your password wrong!" message to customers failing to log themselves ...
by Murmaider
Tue Nov 15, 2016 5:20 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Hard data prooves... I have expected better results. Good job. Just to be sure I've tested a few different attack variations with the initial tests being syn flood attacks. I've now tested: - udp flood attacks - syn attack with random source and spoofed source - udp attack with random source and sp...
by Murmaider
Tue Nov 15, 2016 3:00 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

While I agree that having lots of "/ip firewall filter" entries will slow your router down (CPU has to go through each rule in sequence), using an address-list should consolidate a lot of blocked IPs into one firewall rule. I believe address-list is implemented as the Linux kernel's IPSET feature f...
by Murmaider
Tue Nov 15, 2016 1:15 pm
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Re: Why source-based blackhole instead of firewall drop

Nice. What about to drop in raw table according to the blacklist while an attacking ip address was identified by firewall rules and put on the list? By this I assume you mean what is referred to in this post - http://forum.mikrotik.com/viewtopic.php?f=2&t=54607&start=50#p463532 which refer's to thi...
by Murmaider
Tue Nov 15, 2016 10:55 am
Forum: General
Topic: Why source-based blackhole instead of firewall drop
Replies: 49
Views: 12869

Why source-based blackhole instead of firewall drop

EDIT : There was an initial flaw in my testing, jump to this post https://forum.mikrotik.com/viewtopic.php?f=2&t=114664#p599689 which shows that using the firewall RAW DROP has the same efficiency as source-based blackhole + route cache disabled - thanks mrz & cha0s Disclaimer: I am by no means a n...
by Murmaider
Sun Nov 13, 2016 10:23 am
Forum: General
Topic: Decline of Mikrotik?
Replies: 102
Views: 26606

Re: Decline of Mikrotik?

It is more than 2 and a half years since we talk about v7 Longhorn...

Longhorn / Unicorn.. a huh a clue..
by Murmaider
Sat Nov 12, 2016 7:15 pm
Forum: Forwarding Protocols
Topic: bgp to route reflector
Replies: 3
Views: 998

Re: bgp to route reflector

As the route-reflector is not directly connected, try adding multihop=yes

routing bgp peer add remote-address=1.1.1.1 remote-as=65000 address-families=vpnv4 update-source=lo1 multihop=yes
You will also need to enable multihop on the route-reflector.
by Murmaider
Sat Nov 12, 2016 7:10 pm
Forum: Forwarding Protocols
Topic: OSPF Crash
Replies: 7
Views: 1088

Re: OSPF Crash

Have you assigned an address to your loopback and set the router-id for OSPF to be this loopback address?

It's always best to assign OSPF to the lookback address as this "interface" never goes down.
by Murmaider
Fri Nov 11, 2016 2:02 am
Forum: General
Topic: 72 Core CCR
Replies: 13
Views: 3895

Re: 72 Core CCR

Thanks I will try this I do have like 60 firewall rules shoe I leave only the DDoser and DDosed rule in place? I would remove all firewall rules entirely and disable connection tracking as this will enable Fastpath on the router automatically (You can confirm by going to IP => Settings). Let Wangua...
by Murmaider
Thu Nov 10, 2016 9:59 am
Forum: General
Topic: 72 Core CCR
Replies: 13
Views: 3895

Re: 72 Core CCR

Yes I do have other firewall rules but only blocking ports and access list. As to fasttracking connection how do I set that up. I will also ask my provider for the BGP info Ok so the performance you are getting is exactly on par with what Mikrotik advertises. Go here https://routerboard.com/CCR1072...
by Murmaider
Wed Nov 09, 2016 10:47 am
Forum: General
Topic: 72 Core CCR
Replies: 13
Views: 3895

Re: 72 Core CCR

Getting DDos attack on my new 72 Core CCR I already implemented the rule below and still kills my router I have a 10G backbone and when it hits 3gig of DDos it dies on me. Also when I call my provider it never reach 10Gig. Any idea what to do??? or just get a better router /ip firewall filter add c...
by Murmaider
Tue Nov 01, 2016 4:27 am
Forum: Forwarding Protocols
Topic: BGP Full Table time
Replies: 11
Views: 5015

Re: BGP Full Table time

BUT what if the active route for 8.8.8.8 is 8.8.8.0/23, then your example would miss it. And then if there's multiple routes at different sizes and different local prefs you could potentially get a range of active routes and you'd still have to figure it out. I need to know what the current active ...
by Murmaider
Mon Oct 31, 2016 4:53 pm
Forum: Forwarding Protocols
Topic: BGP Full Table time
Replies: 11
Views: 5015

Re: BGP Full Table time

Mikrotik BGP has a memory leak... I have this on my ccr1016 and CHR ... Then 1-2 peer with full table are reconnect, used memory increased by 300-400mb and Mikrotik doesn't reply on winbox and SSH only mac-telnet work... In this case one core is at 100% load and there are random troubles with routi...
by Murmaider
Sun Oct 30, 2016 12:14 am
Forum: RouterBOARD hardware
Topic: CCR-1016-12S-1S+ power supply replacement
Replies: 12
Views: 1936

Re: CCR-1016-12S-1S+ power supply replacement

I wonder if Miro holds the CCR-1072 PSU's since they hotswap? I guess the only real option is to find an online spares supplier and ship a couple spares to keep on hand. Ah, but isn't that the distributors job? Then I may just as well stop supporting the distributors and import everything myself......
by Murmaider
Sun Oct 30, 2016 12:09 am
Forum: RouterBOARD hardware
Topic: CCR-1016-12S-1S+ power supply replacement
Replies: 12
Views: 1936

Re: CCR-1016-12S-1S+ power supply replacement

I wonder if Miro holds the CCR-1072 PSU's since they hotswap?

I guess the only real option is to find an online spares supplier and ship a couple spares to keep on hand.

EDIT : here is one place - http://shop.meconet.de/MikroTik-Router- ... anguage=en
by Murmaider
Sat Oct 29, 2016 6:20 am
Forum: RouterBOARD hardware
Topic: CCR-1016-12S-1S+ power supply replacement
Replies: 12
Views: 1936

Re: CCR-1016-12S-1S+ power supply replacement

Yes, I'm not disputing that they CAN get them. The point is they WONT get them. Fundamental difference between the two
Does Miro honestly not stock them? What about Scoop, they sell Mikrotik hardware.
by Murmaider
Sat Oct 29, 2016 6:08 am
Forum: RouterBOARD hardware
Topic: S-RJ01 SFP Module: Connector Type: LC?!?!
Replies: 3
Views: 720

Re: S-RJ01 SFP Module: Connector Type: LC?!?!

Is it not just a cosmetic thing?
Is the RJ-45 module working as expected?
by Murmaider
Wed Oct 26, 2016 7:03 am
Forum: General
Topic: Firewall Match Packets Originating from CPU
Replies: 3
Views: 484

Re: Firewall Match Packets Originating from CPU

Allow input for established and related packets
Allow outgoing packets for all
by Murmaider
Tue Oct 25, 2016 5:39 pm
Forum: General
Topic: Firewall rules + fastpath
Replies: 4
Views: 877

Re: Firewall rules + fastpath

Where are the IP SERVICE rules located?
by Murmaider
Sat Oct 22, 2016 7:33 pm
Forum: General
Topic: Filter traffic on the same network
Replies: 4
Views: 533

Re: Filter traffic on the same network

On the forward chain:
- create a rule to allow traffic from anywhere to the server and specify the destination ports on the server.
- create a rule to allow traffic from your server to anything.
- create a rule to drop all traffic to the server.
by Murmaider
Sat Oct 22, 2016 6:45 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 684

Re: Unreplied connections

If you don't have a very dynamic routing environment (for example traffic coming into the network on one router and leaving through another router) then you can enable Reverse Path Filtering. Go to IP -> Settings Set RP Filter to strict. If you do have a dynamic routing environment, then create some...
by Murmaider
Sat Oct 22, 2016 6:35 pm
Forum: General
Topic: Filter traffic on the same network
Replies: 4
Views: 533

Re: Filter traffic on the same network

Lets take a step back, can you elabotate on "interfering with this system once every while" What happens on this mail server(s) and why do you think its unwanted traffic? How do you fix the problem currently? The thing with filtering the traffic is it helps to know what exactly you looking for in th...
by Murmaider
Sat Oct 22, 2016 6:28 pm
Forum: General
Topic: Firewall help
Replies: 1
Views: 329

Re: Firewall help

Make life easier for yourself and rather just have a default deny rule on the input chain.
The only explicitly allow access on the input chain for yourself and/or your network.

Also move your services (ssh, winbox, etc) off the default ports. For example run ssh on port 22222.
by Murmaider
Fri Oct 21, 2016 7:18 am
Forum: General
Topic: Firewall rules + fastpath
Replies: 4
Views: 877

Firewall rules + fastpath

Generally I like to follow the principal of "don't firewall on your routers and don't route on your firewalls" But in saying that, there is a use case whereby you want to limit ip access to the router itself. An example would be limiting ip access to your BGP peers and your management network. These...
by Murmaider
Tue Oct 18, 2016 8:03 pm
Forum: General
Topic: BGP on CCR1036-8G-2S+EM
Replies: 7
Views: 1591

Re: BGP on CCR1036-8G-2S+EM

I fully agree with @ZeroByte. But I need to say that my experiences with VyOS are horrible (reboot - BGP config gone, OSPF routes are propagated to other routers but not shown in the propagating router's table, SNMP crashing and reboot is needed, ....). I would for sure prefer RouterOS over VyOS. V...
by Murmaider
Tue Oct 18, 2016 7:25 pm
Forum: General
Topic: BGP on CCR1036-8G-2S+EM
Replies: 7
Views: 1591

Re: BGP on CCR1036-8G-2S+EM

That's interesting, we currently have 2x VyOS machines each handling 4x BGP peers (2 transit, 2 INX's on each machine) and OSPF for IGP. However we are looking at the CCR-1072 for replacing these, but feedback on the CCR's regarding stability and reliability as a whole seem so mixed with same saying...
by Murmaider
Tue Oct 18, 2016 7:56 am
Forum: General
Topic: BGP on CCR1036-8G-2S+EM
Replies: 7
Views: 1591

Re: BGP on CCR1036-8G-2S+EM

ZeroByte,

Judging by your post, it seems that Mikrotik has some real BGP issues. Do you perhaps know why are people then choose to use them as Big Iron or BGP Border routers in a DC type environment?
Surely the instability does not justify the cost saving?
by Murmaider
Fri Oct 14, 2016 5:54 pm
Forum: General
Topic: Issue with VRRP and Vlan Interfaces
Replies: 3
Views: 644

Re: Issue with VRRP and Vlan Interfaces

Why does VLAN 3600 and VLAN 3620 have the same network range?
by Murmaider
Fri Oct 14, 2016 1:43 pm
Forum: Forwarding Protocols
Topic: BGP Full Table time
Replies: 11
Views: 5015

Re: BGP Full Table time

But 1minutes 33 seconds doesn't seem slow at all, it seems rather normal to me.

ROS v7 is a pie in the sky and most people have been waiting 4/5 years for it, we could still be having this discussion in 4/5 years time.
by Murmaider
Thu Oct 13, 2016 7:23 pm
Forum: Forwarding Protocols
Topic: BGP Full Table time
Replies: 11
Views: 5015

BGP Full Table time

Hi, I am a bit confused regarding this. I have seen many (MANY) posts regarding the BGP convergence time with Full Tables taking a long time. I then see a test by stubarea51 (http://www.stubarea51.net/2015/07/25/mikrotik-ccr1072-1g-8s-review-part-2-bgp-performance/) which shows the 1072 taking on a ...
by Murmaider
Mon Feb 08, 2016 6:26 am
Forum: RouterBOARD hardware
Topic: HP DAC - CCR compatibility
Replies: 6
Views: 1157

Re: HP DAC - CCR compatibility

Awesome, thanks for the responses, I'm going to give the HP DAC cables a try and hope that the Mikrotik works with them. It sounds like the most likely option that will work.
by Murmaider
Sun Feb 07, 2016 8:33 pm
Forum: RouterBOARD hardware
Topic: HP DAC - CCR compatibility
Replies: 6
Views: 1157

Re: HP DAC - CCR compatibility

It's the HP 3800 switches - http://www8.hp.com/za/en/products/netwo ... id=5171624
I think that's ProVision
by Murmaider
Sun Feb 07, 2016 7:17 pm
Forum: RouterBOARD hardware
Topic: HP DAC - CCR compatibility
Replies: 6
Views: 1157

HP DAC - CCR compatibility

Does anyone know if the HP J9281B 1m DAC cable (http://www8.hp.com/lamerica_nsc_carib/e ... id=4000725) would work with connecting a CCR-1036 to an HP Switch?

Alternatively does anyone know if the Mikrotik 1m DAC cable will work when connecting to the HP switch?
by Murmaider
Thu Feb 04, 2016 9:42 pm
Forum: RouterBOARD hardware
Topic: CCR1072 Ip address crash (RouterOS 6.34)
Replies: 1
Views: 451

Re: CCR1072 Ip address crash (RouterOS 6.34)

Did you find a solution to this?

How come you not running their 6.32.3 "stable" release?
by Murmaider
Thu Jan 28, 2016 4:45 am
Forum: RouterBOARD hardware
Topic: Mikrotik CCR1072 Fault issue.
Replies: 12
Views: 1908

Re: Mikrotik CCR1072 Fault issue.

Between this and the post of random SPF+ ports not working or just dying we are seriously reconsidering whether or not we want to invest in these units. It definitely doesn't instill confidence in the product.
by Murmaider
Fri Dec 11, 2015 10:28 pm
Forum: RouterBOARD hardware
Topic: CCR1072 stops responding to traffic via some SFP+ cages
Replies: 9
Views: 1707

Re: CCR1072 stops responding to traffic via some SFP+ cages

Have you tried forcing the speed of the SPF to 1Gbit rather than auto?
I've seen a couple of posts about needing to do that when using a 1gbit spf in a spf+ port.
by Murmaider
Mon Nov 09, 2015 6:38 am
Forum: Forwarding Protocols
Topic: Cisco to MikroTik command translation - BGP
Replies: 2
Views: 1136

Re: Cisco to MikroTik command translation - BGP

Wow, that's a really awesome article, thanks!
by Murmaider
Wed Nov 04, 2015 5:27 pm
Forum: RouterBOARD hardware
Topic: SFP and compatibility with Cisco
Replies: 6
Views: 4074

Re: SFP and compatibility with Cisco

Just out of interest, how reliable are the Mikrotik SFP's and SFP+'s or are all SFP's much the same now days?
by Murmaider
Tue Nov 03, 2015 11:52 am
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

The device itself also must be made to support ECC, so just using ECC modules will not improve anything (except maybe that ECC modules will be higher quality in general). So would you still recommend the CCR1036's in a data center environment doing bgp/ospf/etc, even though it does not use ECC ram?
by Murmaider
Tue Nov 03, 2015 10:35 am
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

CCR1036 uses regular laptop type SODIMM modules. CCR1072 uses soldered-on ECC RAM. Hi Normis, Thanks for confirming that. Do you know if the CCR1036 does support ECC ram (if we had to swop the modules out). Also, I understand the purpose of ECC ram in a server environment, but does ECC ram matter i...
by Murmaider
Mon Nov 02, 2015 9:17 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

I assume this was the http://routerboard.com/S-85DLC05D module?

On a side note, I don't suppose you know if the CCR1036 uses ECC ram or not, I know the CCR1072 does?
by Murmaider
Mon Nov 02, 2015 5:42 pm
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

Hi, If you're wanting to connect the CCR1072 via a 10 Gig SFP+ module to an HP switch at 10 gig, then yes it is definitely supported. No I mean if I have an SFP+ transceiver in the Mikrotik and a normal 1G SFP transceiver in the HP switch, will the link work at 1G? I ask because I would rather popul...
by Murmaider
Mon Nov 02, 2015 6:29 am
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

Thanks IPANetEngineer for the comprehensive and reassuring response. It's nice to see someone with so much experience responding to questions like mine, it's much appreciated. I've read through a lot of the articles on http://www.stubarea51.net - very awesome site I must say! I agree with you about ...
by Murmaider
Sat Oct 31, 2015 8:42 am
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

Response further below... Moderator took very long to publish my reply.
by Murmaider
Fri Oct 30, 2015 10:47 am
Forum: RouterBOARD hardware
Topic: info CCR1072-1G-8S+
Replies: 25
Views: 7536

Re: info CCR1072-1G-8S+

We are considering buying 2 of these CCR1072-1G-8S+ for our co-location BGP and replace our old servers running vyatta. I've read through the BGP tests on http://www.stubarea51.net and it looks impressive, my only concern is regarding the reliability and stability of this unit. A number of people ha...