Community discussions

Search found 134 matches

by nathan1
Thu Oct 17, 2019 7:33 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hello, trying to install ha-mikrotik on two fresh long term ROS 6.44.5 CCR1036-8G-2S+ : On the first node: [admin@HA-1] > /import HA_init.rsc Script file loaded and executed successfully [admin@HA-1] > $HAInstall interface="ether8" macA="CC:2D:E0:BD:9F:A8" macB="CC:2D:E0:BD:9F:D4" password="passw0r...
by nathan1
Thu Sep 26, 2019 10:09 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Thanks for sharing your script. Yes, I was thinking about a man in the middle Attack on this Board. As far as I know the file Sync goes through smb or FTP? So with man in the middle you can gather information about PSK etc. Or am I completely wrong? I know it depends on my different Setup where the ...
by nathan1
Thu Sep 26, 2019 9:17 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

OK, yes the layer2 is extended but I would use a completely different way for Sync. So if I install an EOIP Tunnel before hainstall would this work if I select the EOIP Interface? May you share your Script? No, that won't work and I'd strongly advise against trying to do something like that. The sync...
by nathan1
Thu Sep 26, 2019 8:44 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

OK, one last question, would it be possible to secure the Sync Ports especially through EOIP Tunnel or something? I need to make a Setup where the routers are not placed in the same room. And is it possible to build IPSec Tunnels with certificates? With PSK it works great in a failover, but will th...
by nathan1
Thu Sep 26, 2019 2:33 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Thanks! It's working now :) Just another question, if I execute SwitchRole i get the following output: /delay 2; :do { /ip smb shares add comment=HA_AUTO name=mkdir disabled=yes directory=/skins } on-error={} /ip smb shares set [find comment=HA_AUTO] directory="pub" /ip smb shares set [find comment...
by nathan1
Thu Sep 26, 2019 1:44 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hi, but i need to add those scripts on the vrrp (on Master and on Backup) or? Or is there any logic included, that all scripts with *_on_backup will be executed? Thanks Only on the master, you never make changes on the standby once you have setup ha-mikrotik. Add the scripts on the master and eithe...
by nathan1
Wed Sep 25, 2019 2:27 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Thanks for this great script, i try to get it working on two CCR1009-7G-1C-1S+. After Some troubles it seems to work. Another question, is there any possibility to use the usr-led for showing which router is active and which one is passive? Thanks in advance. You can create two scripts that will au...
by nathan1
Wed Sep 25, 2019 2:24 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hello, trying to install ha-mikrotik on two fresh long term ROS 6.44.5 CCR1036-8G-2S+ : On the first node: [admin@HA-1] > /import HA_init.rsc Script file loaded and executed successfully [admin@HA-1] > $HAInstall interface="ether8" macA="CC:2D:E0:BD:9F:A8" macB="CC:2D:E0:BD:9F:D4" password="passw0r...
by nathan1
Wed Sep 25, 2019 2:22 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

The problem is after switchrole. When active reboots, always B becomes active router. The sequence is as follows: Router B(active) - switchrole - router A (standby) reboots - router B reboots also after a 60s delay - router A is online again at first as active - router B is online a little bit time...
by nathan1
Mon Sep 16, 2019 3:32 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Actually, can you do "/interface vrrp print" on both? Did you keep that vrrp priority change that you temporarily added? They should both be 100 and it should be reset by ha_startup, ha-mikrotik does not support different VRRP priorities - it has no preference for A vs B and cannot currently suppor...
by nathan1
Fri Sep 13, 2019 10:59 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

6.45.6
When I run I just got a blank space like is was no value


"
[admin@MikroTik1] > :put $HAInstall

[admin@MikroTik1] >

"
Please try with 6.44.5 if you want to try it.
by nathan1
Fri Sep 13, 2019 10:40 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

last stable one

When I load the ha_init.rsc I got this msg
that was loaded
if I go to the sys scripts I see a bunch of scripts added
Can you confirm the version? It does not work beyond 6.44.5 right now (see bbs2web post above).
What does " :put $HAInstall" show?
by nathan1
Fri Sep 13, 2019 10:32 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

yes I imported
no no error /no logs
Did it say anything? like "Script file loaded and executed successfully"?
What RouterOS version?
by nathan1
Fri Sep 13, 2019 10:29 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hi My last time I had played with this was very time ago I am trying to play it again but I can't find it to make it work I got stuck after importing the file to load the scripts then I do not what to do it I paste this on the terminal but nothing happens `$HAInstall interface="ether3" macA="00:0C:2...
by nathan1
Fri Sep 13, 2019 9:49 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

$HASwitchRole now is working. Router A becomes active after run that command, but when router B reboots, router A change its role to standby and always router B becomes active router [admin@MikroTik_HA_A_STANDBY] > log print 00:25:28 system,info router rebooted 00:25:28 health,warning PSU2 entered ...
by nathan1
Fri Sep 13, 2019 9:46 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

$HASwitchRole now is working. Router A becomes active after run that command, but when router B reboots, router A change its role to standby and always router B becomes active router [admin@MikroTik_HA_A_STANDBY] > log print 00:25:28 system,info router rebooted 00:25:28 health,warning PSU2 entered ...
by nathan1
Fri Sep 13, 2019 9:22 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hi nathan1

This solution can work on the Chr version?
I believe there were some folks that tried successfully but I have not personally done it.
by nathan1
Fri Sep 13, 2019 9:21 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Ftp was enabled when i put that code [admin@MikroTik_HA_A_STANDBY] > :if ([:len [/file find where name="HA_run-after-hastartup.rsc"]] > 0) do={ {... /import HA_run-after-hastartup.rsc {... } [admin@MikroTik_HA_A_STANDBY] > /delay 5 [admin@MikroTik_HA_A_STANDBY] > #We need FTP to do our HA work [adm...
by nathan1
Fri Sep 13, 2019 9:02 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

The result of $HAPushStandby, router A (standby) reboots [admin@MikroTik_HA_B_ACTIVE] > $HAPushStandby mkdirCode: :foreach k in=[/file find type!="directory"] do={ :local xferfile [/file get $k name]; if ([:pick "$xferfile" 0 3] != "HA_") do={ :put "removing $ xferfile"; /file remove $k; } }; /dela...
by nathan1
Fri Sep 13, 2019 8:55 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

$HAPushBackup seems to do nothing. If i run on active (router B), i can see at log file how user ha has logged in and out, but if i run $HAPushBackup on standby (router A), i can't see any log on active (router B) Sorry, wrong command. Try $HAPushStandby. It will only work from active to standby. C...
by nathan1
Fri Sep 13, 2019 8:37 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Very odd. Everything seems to be working but for some reason the script is not completing. I think I need to put some more trace in and give you another build to try to track this down. I can put a test release on github in about 2 hours. Just to confirm, if you enable ftp on the standby. Does a $HA...
by nathan1
Fri Sep 13, 2019 8:23 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Any errors running this?
:if ([:len [/file find where name="HA_run-after-hastartup.rsc"]] > 0) do={
   /import HA_run-after-hastartup.rsc
}
/delay 5
#We need FTP to do our HA work
/ip service set [find name="ftp"] disabled=no
by nathan1
Fri Sep 13, 2019 7:36 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Thanks again Nathan1. The init script from github is the same, i haven't added or removed any line. Yes you're right, this is router A active. This is the same with router A when it becomes standby itself after bootstrap of router B I've doing some tests, and if i enable ftp server on router A and ...
by nathan1
Fri Sep 13, 2019 6:53 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

/log print [admin@MikroTik_HA_A_ACTIVE] > /log print 00:25:28 system,info router rebooted ... 00:26:14 script,warning ha_startup: START 00:26:14 script,warning ha_startup: 0.1 00:26:14 script,warning ha_startup: 0.2 00:26:14 script,warning ha_startup: 0.3 ... 00:26:14 script,warning ha_startup: ver...
by nathan1
Fri Sep 13, 2019 5:42 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

[admin@MikroTik_HA_B_ACTIVE] > /tool fetch src-path=HA_boot_log.txt dst-path=testing.txt address=$haAddressOther user=ha password=$haPassword mode=ftp status: failed failure: connection failed [admin@MikroTik_HA_B_ACTIVE] > On router A, ftp server is always disabled. If I enable it manually [admin@...
by nathan1
Fri Sep 13, 2019 3:50 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

.... [admin@MikroTik_HA_B_ACTIVE] > /tool fetch src-path=HA_boot_log.txt dst-path=testing.txt address=$haAddressOther user=ha password=$haPassword mode=ftp status: failed failure: connection failed [admin@MikroTik_HA_B_ACTIVE] > Please try it again but run the test command before you do a...
by nathan1
Thu Sep 12, 2019 10:00 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hi, I'm testing with a pair of CCR1036 with 6.44.5 software, and it's not working well. At first, i bootstrapped correctly router A, i can see it active but, once router B is synced, after reboot, B becomes active and automatically A becomes in standby mode. Then, if i try to switchrole, i get this...
by nathan1
Tue Aug 06, 2019 2:08 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

RouterOS 6.45+ sets the VRRP interface to standby when the associated parent interface is not running. Whilst this makes perfect sense for classic VRRP implementations it causes a problem with the use of VRRP in the context of this high availability implementation. The problem is that since the syn...
by nathan1
Mon Jun 17, 2019 2:20 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

I noticed the copying of files to be a problem. Is it possible for you to change that in your script to exclude anything beginning with 'log.' ? Reason is I was logging to disk any errors to try and help troubleshoot the issues we were having when we couldn't catch it in time, but when the router r...
by nathan1
Mon Jun 17, 2019 6:13 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

When there is a change detected in config, what is the procedure the standby router does to update its config? Does it find the exact change and then input that command. Or does it do a backup/restore from the config on the active router? It does a backup and restore along with copying files it fin...
by nathan1
Thu Jun 13, 2019 1:11 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Do you run this on any routers other than 1009's? I also want to ask if its normal behavior for the standby to regularly reboot? I don't know the exact interval but maybe once every 2 hours? We were running the older version on 6.42.3 and aside from the standby rebooting it did seem to work fine fo...
by nathan1
Fri May 10, 2019 4:22 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Nathan1 It's a long time when I had played with this. So I don't know if have this already. It's possible to have a public management ip active on the standby router? If this already have ignore this post. Sent from my XT1580 using Tapatalk Hey Raffav, I do this with NAT from the master to the stan...
by nathan1
Thu May 09, 2019 6:14 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

It's a bit complicated to explain and my english is not so good.
I've made some changes to avoid that need, and all it's working fine.
Very great job Nathan1, congratulations
Sounds great, glad you got it to work.
by nathan1
Fri May 03, 2019 9:27 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hi nathan1, I'm trying to put vrrp interface HA_VRRP on a bridge, but I'm not able to do this. Is it possible or not? Thanks,
I have never tried nor would I recommend this. May I ask what the design is to require this?
by nathan1
Fri Apr 26, 2019 2:54 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Nathan1 It's a long time when I had played with this. So I don't know if have this already. It's possible to have a public management ip active on the standby router? If this already have ignore this post. Sent from my XT1580 using Tapatalk Hey Raffav, I do this with NAT from the master to the stan...
by nathan1
Wed Apr 17, 2019 3:02 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Just a question, should it work if I use two RB1100AHx4? I'm not sure I've seen anyone use RB1100 yet, most of us use the CCR line. If I remember correctly, someone did successfully run it on the RB750, which I think bodes well for you. You may be the first on the RB1100. I believe it should work an...
by nathan1
Wed Apr 17, 2019 12:36 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hello, I am trying to use the scripts with two routers (1100Hx2 and 1100Dx4) with RouterOS version 6.44.2 but I am unable to make it working. Are these models ok? My problem is that after the initial $HAPushStandby any connection to the slave does not work anymore, if I try to do $HAPushStandby aga...
by nathan1
Fri Mar 29, 2019 2:21 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Haven't updated yet. In the meantime we're waiting for our old device to get back from an RMA request, new one not going in yet and probably won't as I'm unsure of any config differences. I know for instance the new one has 2x SFP+ instead of 1x SFP+ and 1x SFP so that could cause an issue. But do s...
by nathan1
Fri Mar 29, 2019 12:58 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

It does yes. Can I suggest changing the wording though?, 'FOR A' implies the mac you are giving it Maybe 'NEW MAC OF A' is clearer? Do not proceed with the upgrade, hopefully you did not use rc1. There is an issue after ~24 hours of runtime with the new RouterOS that I am trying to debug. Problem i...
by nathan1
Fri Mar 29, 2019 12:19 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

It does yes. Can I suggest changing the wording though?, 'FOR A' implies the mac you are giving it
Maybe 'NEW MAC OF A' is clearer?
Definitely. I just changed it to be consistent with the original installation instructions. Let me know if you think it still needs more clarification.
by nathan1
Fri Mar 29, 2019 12:10 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

One thing that's not so clear in your rebuild instructions [NEW MAC FOR A] Because you say 'FOR' A. Do you mean the new MAC you are going to give out, or put in the existing MAC that A has? I.e. OldA (dead) - Ether1: 11:11:11:11:11:11 - .... - Ether8: 11:11:11:11:11:18 OldB - Ether1: 22:22:22:22:22...
by nathan1
Thu Mar 28, 2019 9:48 pm
Forum: General
Topic: Feature Request: SNMP-GET output to variable
Replies: 9
Views: 1248

Re: Feature Request: SNMP-GET output to variable

Generalized my code into a function. Not tested very well but seems to work in a few tests: :global snmpGetFunc do={ #Hack to be able to snmp-get an OID and capture the output into a variable (via a temporary file) #:put "host=$host oid=$oid community=$community tmpfile=$tmpfile" :do { :local snmpGe...
by nathan1
Thu Mar 28, 2019 9:16 pm
Forum: General
Topic: Feature Request: SNMP-GET output to variable
Replies: 9
Views: 1248

Re: Feature Request: SNMP-GET output to variable

+1 for this. I discovered it a few years ago too but never complained, I should have. I've worked around it like this: :do { :execute script={/tool snmp-get x oid=1.2.3.4.5 community=public} file=fetch1.txt /delay 5 :local blah [/file get fetch1.txt contents] :put $blah } It isn't great because :exe...
by nathan1
Thu Mar 28, 2019 5:45 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

You're a legend for following up with this so quickly and in depth. Thank you very much I'll wait for the tested update See prior post but specifically for you, since you are dealing with recovering a failed standby, I wanted to double check that it still works as expected and write some docs. I ju...
by nathan1
Thu Mar 28, 2019 5:15 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

This is the rc1 for 6.42.11 / 6.43.13 / 6.44.1 and I expect it to be the final release. I am now running it on 6 pairs in production. If anyone wants to test this on their lab setup and report back, please do: https://github.com/svlsResearch/ha-mikrotik/releases/tag/v0.6rc1 Following along from this...
by nathan1
Tue Mar 26, 2019 2:27 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

6.43.13 is going to require that you upgrade ha-mikrotik before you upgrade to 6.43.13 to safely use. The existing code will not work reliably. The fixed code is still being tested and I expect it will be tested/working within a few days, please check here for updates: https://github.com/svlsResearc...
by nathan1
Mon Mar 25, 2019 4:24 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Please see this issue on github for folks looking for updates on newer RouterOS: https://github.com/svlsResearch/ha-mikrotik/issues/7

TLDR: 6.43.13 is testing well so far. See more on the github issue.
by nathan1
Mon Mar 25, 2019 2:39 pm
Forum: General
Topic: Cloud Backup
Replies: 20
Views: 3728

Re: Cloud Backup

This is a nice feature, but it has one weakness: You have to remove the backup before uploading a new one. In case the removal succeeds but the upload fails you do not have a backup at all (at least in cloud). So you should consider to either provide two upload slots, so one backup can be removed w...
by nathan1
Mon Mar 25, 2019 2:23 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

How can I do a software upgrade after installing your ha system? Just update the primary and then the secondary goes active when the primary reboots after that upgrade the second one will the patch be still there after upgrade? Yes, this is the easiest way to do it, if you don't mind the extra reboo...
by nathan1
Mon Mar 25, 2019 2:02 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

I have deployed 6.43.13 to a pair and I will report back if it appears stable.
by nathan1
Mon Mar 25, 2019 1:52 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Went to change out the dead router and noticed MikroTik has a new hardware revision of CCR series which require 6.43.5 as the minimum RouterOS version and cannot be downgraded any further. I've read on the github page there's a known bug with 6.43.x and its causing reboots and intermittent issues C...
by nathan1
Thu Feb 21, 2019 12:00 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

So we have had a hardware failure on one of the routers and this script saved us a lot of downtime However now comes the time to replace with another router. I have an identical model here There are no instructions on what to do to bring a new standby router back into the mix (preferably without an...
by nathan1
Wed Oct 03, 2018 3:07 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Quick question, if I may: why is it necessary to reboot the standby router once it receives new configuration?
"/system backup load" is used to keep the general configuration in sync, which requires a reboot.
by nathan1
Thu Aug 30, 2018 3:42 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

I have not been able to test it on 6.42.x just yet, you may be the first. It is on my todo list. VRRP should not be flapping at all - are they directly connected or are you going via a switch? anything interesting in the logs? Were you running 6.38.x before going to 6.42.x? Did you have any of this ...
by nathan1
Sun Feb 18, 2018 5:20 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Let's pick it up from here on github. I have integrated your changes into a test branch for us: https://github.com/svlsResearch/ha-mikrotik/commits/bbs2webtest Issues created for the exclusions: https://github.com/svlsResearch/ha-mikrotik/issues Excluded for now: No rancid escape fix here. If you st...
by nathan1
Sun Feb 18, 2018 4:50 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

With regard to changing to a /29...we are going to need a better upgrade procedure. Upgrades (rather undocumented) have always consisted of basically just doing an /import HA_init.rsc, pushing, switch roles, push, done. If we change the default VRRP addressing and then use this method then this will...
by nathan1
Sun Feb 18, 2018 3:10 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

All sound good and I will integrate them but two questions: Nice catch on rancid, it actually impacts me as well. I think we need to fix rancid and give it a stricter prompt for export. Even if we escape ha-mikrotik, it will still break rancid if there is any other script on the devices that use ] >...
by nathan1
Sun Feb 11, 2018 3:02 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Hey bbs2web, Nice work debugging it for your platform. We can put an on-error around the silent-boot so it works correctly in both cases. I assume you changed the VRRP address as well when you changed it to a /29? I'd only be reluctant to switch it to a /29 since it won't cover what I have used fo...
by nathan1
Mon Feb 05, 2018 7:02 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

No problem not using CCRs, they are definitely expensive for many deployments. I just wanted to let you know that you are the first one that I know of to test alternative platforms, so good for all of us. I would like to hear how well it works for you after you run for a while. The boot delay sounds...
by nathan1
Mon Feb 05, 2018 6:15 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Many thanks to Nathan1 for this solution. I tested first on a pair of small RB925ui-5ac2nD. Didn't succeed at first try because lack of instructions, but after 2 hours the pair was working as intended. Then I installed the script on a pair of RB3011UiAS-RM and looks fine. It is still in my lab but ...
by nathan1
Sun Nov 05, 2017 2:38 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Hi guys. Do you have to change MSS to 1360, to achieve max performance or you still have reordering issue, if you don't change MSS... ? Yes, I have my MTU dropped to 1400 on my EoIP interfaces. Last I checked, if packets need to be fragmented, it will fallback to software. This might look like a re...
by nathan1
Thu Aug 10, 2017 11:43 am
Forum: General
Topic: Suggestion: add route check gateway based on link quality
Replies: 2
Views: 606

Re: Suggestion: add route check gateway based on link quality

This code will let you write check gateway code based on any scripting result:
viewtopic.php?f=1&t=81083#p598336

+1. I agree it would be nice for it to be built in to RouterOS but they take their time adding features like this.
by nathan1
Thu Aug 10, 2017 5:51 am
Forum: General
Topic: 6.40.1: startup scripts allowed to run before hardware initialization is complete (Ethernet interfaces missing)
Replies: 2
Views: 647

Re: 6.40.1: startup scripts allowed to run before hardware initialization is complete (Ethernet interfaces missing)

Thanks for the pointer, I seemingly haven't run into this specific case until recently on the CCR with 6.40.1. Unfortunately a constant delay is going to be detrimental to the high availability code. I am going to work around it with a spin loop every 100ms until the interfaces show up. :while ([:le...
by nathan1
Wed Aug 09, 2017 11:07 pm
Forum: General
Topic: 6.40.1: startup scripts allowed to run before hardware initialization is complete (Ethernet interfaces missing)
Replies: 2
Views: 647

6.40.1: startup scripts allowed to run before hardware initialization is complete (Ethernet interfaces missing)

It seems that 6.40.1 (maybe 6.40) has either allowed or made it more likely that a scheduler startup script race (start-time=startup) will be run before the hardware is fully initialized. I added some debugging to ha-mikrotik to capture this and it can be seen discussed in this bug: https://github.c...
by nathan1
Fri Jun 09, 2017 5:36 pm
Forum: Scripting
Topic: Obtaining value of /tool snmp-get into variable
Replies: 0
Views: 362

Obtaining value of /tool snmp-get into variable

Hi,

Does anyone have a clever way to get the value of an SNMP OID into a variable?
The only thing I've been able to come up with is an :execute call with a file output and then reading it back and parsing, which isn't great.

Thanks
by nathan1
Fri May 19, 2017 8:05 pm
Forum: Scripting
Topic: Scripting for redundancy of 2 Mikrotik Routers
Replies: 2
Views: 1934

Re: Scripting for redundancy of 2 Mikrotik Routers

This code does exactly that - maintains two identical RouterOS boxes with the same configuration/files: https://github.com/svlsResearch/ha-mikrotik Note, during a failover, clients WILL notice. RouterOS has no way to prevent this. However, depending on how you set it all up - users will be able to r...
by nathan1
Fri May 19, 2017 5:17 pm
Forum: Scripting
Topic: ROUTE_CHECK: Scripted route failover code
Replies: 0
Views: 444

ROUTE_CHECK: Scripted route failover code

I originally posted this here https://forum.mikrotik.com/viewtopic.php?f=1&t=81083&p=598336#p598336 but I am posting a new topic to give it some more visibility for folks looking for this. I wrote some code a few years ago that I have been running to do per-route checking along with distance adjustm...
by nathan1
Fri May 19, 2017 5:28 am
Forum: General
Topic: Routing Failover w/o Scripting example (Wiki) - tweaking a bit?
Replies: 2
Views: 1435

Re: Routing Failover w/o Scripting example (Wiki) - tweaking a bit?

If you are willing to use a script...take a look at my post here: viewtopic.php?f=1&t=81083&p=598336#p598336
The code can do exactly what you want.
by nathan1
Tue May 16, 2017 1:13 am
Forum: General
Topic: enhance "check-gateway" feature - use arbitrary check IP
Replies: 29
Views: 28777

Re: enhance "check-gateway" feature - use arbitrary check IP

I wrote some code a few years ago that I have been running to do per-route checking along with distance adjustments (weighting for different lines). You can use any RouterOS command for the route check by creating a comment on the route that starts with "ROUTE_CHECK:". This allows you to use specifi...
by nathan1
Wed Apr 12, 2017 4:58 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

@Jocksor, unfortunately I'm not using EoIP. I'm just using the basic IPSec in tunnel mode. On the IPSec wiki page, there are some optimizations for the RB1100AHx2 to set the irq's, would this help on the CCR? I tried some of those 1100 optimizations on the CCR, but in my case it didn't really make ...
by nathan1
Tue Apr 04, 2017 2:27 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

These are the results that I got before I sorted out my MTU. The fragmentation will fry it. Have you confirmed that you aren't getting fragmentation over the tunnel? So far as I can tell, this is not the case. However, if you made changes and got the performance expected, perhaps I am missing somet...
by nathan1
Fri Mar 31, 2017 10:16 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

It could be great if anyone with 72core router could verify if it works, too. Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with. Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting f...
by nathan1
Wed Mar 22, 2017 12:36 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Has anyone tried GRE over IPSec transport? Or SMB traffic on windows clients? That's been what we have had issues with. Looking forward to this fix filtering down - I'll be sorely tempted to use current rather than waiting for bugfix.... theprojectgroup tested SMB: https://forum.mikrotik.com/viewto...
by nathan1
Wed Mar 22, 2017 2:05 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

FYI - I am running single tunnel EoIP and can achieve single flow 700Mbit TCP - MTU 1400.
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=aes-128-cbc lifetime=30m name=default pfs-group=modp1024
by nathan1
Wed Mar 15, 2017 1:07 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Also confirming that this is looking very good. I have deployed it across my global network, backed up by a set of CCRs using the old software setup, in the event that the rc fails. Seeing peak performance around 800Mbit single TCP stream on my fastest connection (1Gbit @ .7ms). Currently using sha1...
by nathan1
Sun Mar 12, 2017 5:13 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with frag...
by nathan1
Sun Mar 12, 2017 3:37 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

So I did some additional testing, I can actually push around 800Mbit with a UDP flow and CPU usage is pretty good. However, when I run a TCP benchmark, CPU usage is very high (networking/cpu under profile) which I believe is constraining the TCP throughput now. I think I may have an issue with fragm...
by nathan1
Sat Mar 11, 2017 3:48 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

We were unable to get GCM working with the particular Cisco ASA version we have on the remote end, so we've been stuck using hardware encryption (aes-128-cbc). Most of our use case is high latency low bandwidth so not sure we can add much to the discussion right now. We do run some RB1100AHx2 with ...
by nathan1
Sat Mar 11, 2017 3:24 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress... Latency is .7ms RTT and I was seeing around 300Mbit, very similar to the ctr. Blasting UDP peaks around 350Mbit, in clear I can push 1Gbit. I was only able to b...
by nathan1
Sat Mar 11, 2017 12:44 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Nathan1, what sort of speeds are you getting per flow, and how high is the latency between the devices? At least there is some progress... Latency is .7ms RTT and I was seeing around 300Mbit, very similar to the ctr. Blasting UDP peaks around 350Mbit, in clear I can push 1Gbit. I was only able to b...
by nathan1
Sat Mar 11, 2017 12:41 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

So I believe that I have the rc working with sha1/aes-128-cbc but performance is not what I'd expect. Re-ordering does appear to be fixed but performance isn't anywhere near line rate (1Gbit in this case). mrz, can you elaborate on what we should be seeing for performance on a single IPSec session w...
by nathan1
Fri Mar 10, 2017 7:36 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Peer proposal is phase1 and has nothing to do with hardware acceleration. Phase2 proposal can be selected in "/ip ipsec proposal" menu, this is hardware acceleration related. Phase 2 was not completing for me with sha256/aes-256-cbc, just seemed to stall. What proposal do you recommend testing with?
by nathan1
Fri Mar 10, 2017 4:57 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

What's new in 6.39rc51 (2017-Mar-10 12:50): !) tile - fixed IPsec hardware acceleration out-of-order packet problem, significantly improved performance; mrz, is EoIP in this version obeying the default proposals? I've attempted switching to hardware accelerated proposals and then recreating the EoI...
by nathan1
Fri Mar 10, 2017 3:35 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

What's new in 6.39rc51 (2017-Mar-10 12:50):

!) tile - fixed IPsec hardware acceleration out-of-order packet problem, significantly improved performance;
:shock:

Thanks for the update! Testing soon...
by nathan1
Fri Feb 17, 2017 11:25 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2389

Re: CCR1009/RB3011, recommended settings for best VPN performance?

See this thread: http://forum.mikrotik.com/viewtopic.php?f=1&t=112545 So if I understand it correctly, by using HW acceleration on a CCR you may instead encounter a reorder problem? Yay! :-) Unfortunately I didn't find anything on the RB3011... I don't think the RB3011 supports hardware acceleratio...
by nathan1
Fri Feb 17, 2017 10:37 pm
Forum: General
Topic: CCR1009/RB3011, recommended settings for best VPN performance?
Replies: 7
Views: 2389

Re: CCR1009/RB3011, recommended settings for best VPN performance?

Well, of course we want to have encryption. ;-) But what I was wondering about is what type of encryption algorithm (e.g. DES, AES, etc) that would be most efficient in terms of hardware acceleration in order to get the highest possible speed without too much load on the main processor on a RB3100 c...
by nathan1
Fri Feb 17, 2017 7:21 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

750Mbit/sec EoIP + IPSec is pretty nice. I'm stuck with 14 of the 1009s doing 250Mbit at best. If I had known about the re-ordering issue before I deployed these 1009s, I'd be on the AHx2. I think we are now going on over a year without resolution now and the CCR platform continues to be advertised...
by nathan1
Fri Feb 17, 2017 6:55 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik. We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix. For now, RB1100AH...
by nathan1
Fri Feb 17, 2017 5:20 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

We've been struggling to get GCM (i.e. software only encryption) working between our CCR1009s and Cisco ASAs. As such I'm in a real pickle having recommended Mikrotik. We'll take any kind of workaround right now (e.g. run CCR1009 as single core router) until there is a proper fix. For now, RB1100AH...
by nathan1
Tue Jan 31, 2017 3:33 pm
Forum: RouterBOARD hardware
Topic: CCR1009-7G IPSec performance
Replies: 9
Views: 2879

Re: CCR1009-7G IPSec performance

No, I hadn't seen that issue. Thanks for the heads up. If this turns into another "Fixed in v7" issue then I won't be holding my breath. They claim we are close but who knows. If you end up finding a nice solution that is a CCR form factor/price range and can push ~1Gbit, let us know. Most of us in...
by nathan1
Tue Jan 31, 2017 5:42 am
Forum: RouterBOARD hardware
Topic: CCR1009-7G IPSec performance
Replies: 9
Views: 2879

Re: CCR1009-7G IPSec performance

Are you aware of the CCR/Tile issues with IPSec hardware acceleration? http://forum.mikrotik.com/viewtopic.php?f=1&t=112545
Afaik, the new units suffer just the same.
by nathan1
Thu Jan 19, 2017 3:13 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

My ticket on this as of 1/18/2017:
We will continue to work on this problem when ike2 main features will be finished.
The wait goes on.
by nathan1
Mon Dec 19, 2016 7:13 pm
Forum: Announcements
Topic: MikroTik News December 2016 (Issue #74)
Replies: 94
Views: 22240

Re: MikroTik News December 2016 (Issue #74)

New CCR1009....Can we expect 6.38 to give us a fix for the IPSec hardware acceleration ordering?
by nathan1
Fri Dec 02, 2016 6:09 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

My latest update from support on this (from yesterday) is: "We are working on the ipsec problem right now." I'm not sure what that means for timeline, but it does show they are giving attention to this issue that I brought up with them about 1 year ago now. Have you been poking them via email or di...
by nathan1
Tue Nov 22, 2016 6:10 am
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Dude, you should try to include this script you made in the Wiki. It seems really solid and it solves one major need for enterprise needs. I don't think the Mikrotik wiki is actually community driven, unless I misunderstand something. Are you aware of a way to add an entry? The edit history also se...
by nathan1
Mon Nov 21, 2016 10:30 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: RE: Re: Suggestion: Completely virtual router based on two physical routers

@nathan1 i was testing this on a lab using 2 450g, but for some reason on the first HA cycle, the "B" became the active and the "A" the standby but the HA work normal only this Letter switch do you have this problem? There is no affinity for a primary right now. So this works as designed. Did yo...
by nathan1
Mon Nov 21, 2016 10:06 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Give this a go: https://github.com/svlsResearch/ha-mikrotik It does exactly what you are asking for, except for stateful connection synchronization. I have been using it to run 6 pairs of CCR1036 for over a year now. @nathan1 i was testing this on a lab using 2 450g, but for some reason on the firs...
by nathan1
Mon Nov 21, 2016 9:55 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Give this a go: https://github.com/svlsResearch/ha-mikrotik It does exactly what you are asking for, except for stateful connection synchronization. I have been using it to run 6 pairs of CCR1036 for over a year now. @nathan1 i was testing this on a lab using 2 450g, but for some reason on the firs...
by nathan1
Sun Nov 20, 2016 9:20 pm
Forum: General
Topic: Suggestion: Completely virtual router based on two physical routers
Replies: 137
Views: 17198

Re: Suggestion: Completely virtual router based on two physical routers

Give this a go: https://github.com/svlsResearch/ha-mikrotik
It does exactly what you are asking for, except for stateful connection synchronization. I have been using it to run 6 pairs of CCR1036 for over a year now.
by nathan1
Mon Nov 07, 2016 8:39 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

http://forum.mikrotik.com/viewtopic.php?f=21&t=114253&p=567026#p566410 Have you picked up on something that may offer us relief or just another reference point? Do you feel like they are trolling us? Their newsletter specifically states: http://download2.mikrotik.com/news/news_73.pdf To get the bes...
by nathan1
Tue Oct 25, 2016 12:01 am
Forum: General
Topic: mikrotik hacked!?
Replies: 14
Views: 3810

Re: mikrotik hacked!?

I have a small network behind the NAT-ed internet, ALL ports closed from internet, however my NVR (Network Video Recorder) was hacked last weekend and it was used for the DynDNS attack: http://thehackernews.com/2016/10/iot-camera-mirai-ddos.html my network is not reachable from external, unless th...
by nathan1
Thu Oct 20, 2016 11:28 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Can someone tell me if this reasoning is correct? Even though the new hex r3 can support HW accelerated encryption without these reordering issues, it seems that there is no way to use one of those successfully on a site-to-site VPN with a CCR on one endpoint. As I understand it, the only way to f...
by nathan1
Tue Oct 18, 2016 4:28 pm
Forum: General
Topic: Feature request: IPMI functionality for CCR
Replies: 7
Views: 1834

Re: Feature request: IPMI functionality for CCR

600$? really? its joke? oh lol IPMI functionality should add to CCR price no more than 30$ I don't think you will ever see true IPMI functionality on Mikrotik gear, even high end networking gear doesn't have it. Have you considered a serial server? Serial is generally enough for 99% of the cases, a...
by nathan1
Tue Oct 18, 2016 2:43 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Does anyone know whether this occurs with regular TCP/UDP streams too (so without HW encryption)? Secondly, is SSTP working ok or is that HW accelerated too? Bit of a shocker this thread:-) Yes, it impacts all traffic. Note that you can use IPSec ciphers/hashes that will not use hardware encryption...
by nathan1
Tue Oct 18, 2016 4:46 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Yes, I noticed the difference, thats why I posted it. :) mrz said that everything should be ok with this, and it looked better than yours. :) But ok, I "forgot" to use preload so here is the new one, different destination address, but still using the same tunnel: sudo ping -c 10 -l 10 192.168.110.1...
by nathan1
Mon Oct 17, 2016 7:39 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread) Not 100% sure what nathan1 meant by adding ping output to first post, but this ping is going aes-128-cbc eoip tunnel (hex3 - hap lite): 64 bytes from 192.168.50.1: seq=0 ttl=63 time=16.875 ms 64 bytes from 192.168.50.1...
by nathan1
Mon Oct 17, 2016 6:21 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Yes, it does. It was already announced that hex 3 has HW support. Hey, Mikrotik finally joined the thread. Does routeros have support for the hardware support the hex 3 offers, or is it like the 3011 that doesn't yet? Hey Alex, did you take a look at http://www.mikrotik.com/download/share/hexr3.pdf...
by nathan1
Mon Oct 17, 2016 6:17 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Yes, it does. It was already announced that hex 3 has HW support.
mrz, can you speak to the problem we are all fighting here? Does the hex3 maintain packet order per-flow?
by nathan1
Mon Oct 17, 2016 6:01 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

So the hex r3 was just released and supposedly supports hardware encryption on a MIPS chip. Has anyone found out if this platform maintains order? It would be amusing if they do which would mean these $60 units outperform our $500+ units. http://www.mikrotik.com/download/share/hexr3.pdf http://forum...
by nathan1
Sun Oct 09, 2016 5:39 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

I only use the CCRs for site to site IPSec so the 7450 looks like a solid alternative. Thanks for the pointer.
by nathan1
Sat Oct 08, 2016 3:32 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Brocade MLXs. Having 400gbit of IPSec throughput and 2.4million hardware route scale is just a happy side effect. The reality is. We collapsed a lot of devices into 1 per building (9 total MLXs). The internet facing units have the newer 20 port 10gig IPSec enabled line cards. Very nice looking unit...
by nathan1
Wed Oct 05, 2016 7:29 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

The problem with misordered packets is that the receiving side has to wait for everything to come in so it can reorder them and feed them to the application. This results in the connection slowing down and scaling the window size smaller in order to guarantee delivery. You could tweak the settings ...
by nathan1
Tue Oct 04, 2016 10:19 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

SMB with Windows is one that is greatly impacted by the traffic being out of order. I wonder why you reported the problem to MikroTik and expect them to fix it, instead of to Microsoft who are the actual owner of the problem? After all, IP specifies an unsequenced unreliable datagram delivery, and...
by nathan1
Tue Oct 04, 2016 7:33 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

>>Is your L2TP/IPSec tunnel is using hardware accelerated crypto? Yes >>The Mikrotik is load balancing on a per packet basis, which effectively will distribute the load randomly across some set of cores. Ok, how can i change this to per-connection basis? One core should be enough to handle 100Mbit/...
by nathan1
Tue Oct 04, 2016 6:58 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Even if RouterOS somehow forced all of the packets for a single IPSec session (not per inner flow) to hit a single core so they remain ordered then the performance would still be better than the software encryption workaround, at least in many use cases. I'd even be happy to designate a single core...
by nathan1
Mon Oct 03, 2016 11:55 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Even if RouterOS somehow forced all of the packets for a single IPSec session (not per inner flow) to hit a single core so they remain ordered then the performance would still be better than the software encryption workaround, at least in many use cases. I'd even be happy to designate a single core ...
by nathan1
Tue Sep 27, 2016 6:16 pm
Forum: General
Topic: IPSec throughput max 8Mbps and routers dont seem to be using Hardware Acceleration
Replies: 6
Views: 822

Re: IPSec throughput max 8Mbps and routers dont seem to be using Hardware Acceleration

Just a bump to see if anyone has any other thoughts, maybe focused around why my CPU is doing no IPSec processing? Take a look at this post and see if these settings improve your performance: http://forum.mikrotik.com/viewtopic.php?f=2&t=97164&p=559201#p559201 Avoid hardware acceleration on the CCR...
by nathan1
Mon Sep 26, 2016 9:30 pm
Forum: General
Topic: IPSec throughput max 8Mbps and routers dont seem to be using Hardware Acceleration
Replies: 6
Views: 822

Re: IPSec throughput max 8Mbps and routers dont seem to be using Hardware Acceleration

Just a bump to see if anyone has any other thoughts, maybe focused around why my CPU is doing no IPSec processing?
Take a look at this post and see if these settings improve your performance: http://forum.mikrotik.com/viewtopic.php ... 01#p559201
Avoid hardware acceleration on the CCR.
by nathan1
Mon Sep 26, 2016 9:30 pm
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 2225

Re: CCR EOIP over IPSEC performance

How are you testing the throughput? I have 12 1009-8G-1S-1S+ in production and I can push the following: Latency(RTT) Bandwidth (iperf -c -P8) 5ms 330Mbit 22ms 255Mbit 1ms 320Mbit Note that on paper, the CCR can push 1Gbit+ over IPSec with hardware acceleration but good luck reconstructing that str...
by nathan1
Mon Sep 26, 2016 9:28 pm
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Re: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

I asked for another update on 8/30/16 via email to my ticket on this issue and was basically told to stop asking for updates and just watch the changelog.
Yep, this is basically what I got the last time I tried to get information. Rather disappointing.
by nathan1
Mon Sep 26, 2016 5:16 am
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 2225

Re: CCR EOIP over IPSEC performance

I noticed that your config disables connection tracking. Did you happen to take note of the performance difference with and without conn-tracking enabled? If it's significant, I may need to look into adding a dedicated router for eoip tunnels -- because I'm not sure that disabling connection-tracki...
by nathan1
Sat Sep 24, 2016 2:39 am
Forum: General
Topic: Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)
Replies: 134
Views: 26298

Is re-ordering fixed yet with IPSec and hardware acceleration? (Updating thread)

Fixed. See below and recent posts. Update: 3/12/2017 : 6.39rc51 is shown to have fixed the re-ordering issue. Testing is still being done to confirm performance. Please test if you can. This has been confirmed fixed by two users. Bandwidth @ 1ms is around 700Mbit (1Gbit link) single stream TCP o...
by nathan1
Fri Sep 23, 2016 8:32 pm
Forum: General
Topic: CCR EOIP over IPSEC performance
Replies: 6
Views: 2225

Re: CCR EOIP over IPSEC performance

How are you testing the throughput? I have 12 1009-8G-1S-1S+ in production and I can push the following: Latency(RTT) Bandwidth (iperf -c -P8) 5ms 330Mbit 22ms 255Mbit 1ms 320Mbit Note that on paper, the CCR can push 1Gbit+ over IPSec with hardware acceleration but good luck reconstructing that stre...
by nathan1
Mon Jun 13, 2016 7:29 am
Forum: General
Topic: Very low TCP transfer speed on IPIP+IPsec on CCR1009 and CCR1036
Replies: 11
Views: 4087

Re: Very low TCP transfer speed on IPIP+IPsec on CCR1009 and CCR1036

My last update was June 10th: We are working on the problem. It will be in one of the upcoming releases. You will definitely see it in changelog. I fear we could be waiting a very long time. It sounds like you have gone with aes-256-ctr to force it over to software as a workaround? Was this your fi...
by nathan1
Mon Jun 13, 2016 7:09 am
Forum: General
Topic: Very low TCP transfer speed on IPIP+IPsec on CCR1009 and CCR1036
Replies: 11
Views: 4087

Re: Very low TCP transfer speed on IPIP+IPsec on CCR1009 and CCR1036

Hey Alex, It looks like I am fighting the same annoying battle: http://forum.mikrotik.com/viewtopic.php?f=2&t=106960 I also have a ticket open with MT as of April 7th (#2016040766000158) and I continue to get vague "we are working on it" with no timeline. Out of curiosity, when did you notify them ...
by nathan1
Mon Apr 11, 2016 5:00 am
Forum: General
Topic: Poor mans config sync: vrrp
Replies: 7
Views: 3450

Re: Poor mans config sync: vrrp

I'd suggest you guys give this a try: https://github.com/svlsResearch/ha-mikrotik
Full and automatic configuration sync, you manage one unit and the other one stands by as a slave.
It has been in production for about 4 months at 6 different sites.
by nathan1
Fri Apr 08, 2016 3:02 pm
Forum: General
Topic: EoIP packet reordering with IPSec - load balancing across cores per packet vs per flow
Replies: 3
Views: 1488

Re: EoIP packet reordering with IPSec - load balancing across cores per packet vs per flow

For anyone that might be running into this problem, MikroTik has confirmed the issue and I have been told: "We are trying to fix ipsec right now. It could be ready for next version or one after that." (Ticket #2016040766000158).
by nathan1
Wed Apr 06, 2016 4:27 am
Forum: General
Topic: EoIP packet reordering with IPSec - load balancing across cores per packet vs per flow
Replies: 3
Views: 1488

EoIP packet reordering with IPSec - load balancing across cores per packet vs per flow

Note: Post edited to confirm that it only seems to happen with EoIP and IPSec. It doesn't happen without the IPSec secret enabled. Hi, On a CCR1009-8G-1S-1S+ running 6.34.2: I have recently discovered a significant amount of packet reordering when using EoIP with an ipsec secret. I believe packets ...
by nathan1
Sat Jan 23, 2016 8:23 am
Forum: General
Topic: Configuration replication? Clustering?
Replies: 8
Views: 2406

Re: Configuration replication? Clustering?

I have released this for testing:
https://github.com/svlsResearch/ha-mikrotik
by nathan1
Sat Jan 23, 2016 8:22 am
Forum: General
Topic: Hardware Redundancy / Clustering / Standby Router
Replies: 6
Views: 4227

Re: Hardware Redundancy / Clustering / Standby Router

As promised: https://github.com/svlsResearch/ha-mikrotik If you are bold enough to test this, please heed my warnings. Have a proper test setup with out of band access. If you do have a proper setup and want to give me some feedback of your tests, I'm happy to offer some guidance. The code is extrem...
by nathan1
Fri Jan 22, 2016 4:40 am
Forum: General
Topic: Hardware Redundancy / Clustering / Standby Router
Replies: 6
Views: 4227

Re: Hardware Redundancy / Clustering / Standby Router

ZeroByte: I do agree that a continuous realtime sync done internally by Mikrotik is the best way to go about it, but this feature has been requested of Mikrotik for quite some time, without the feature being added. Short of that, having a hot (cold in some sense) standby that is ready to takeover whe...
by nathan1
Wed Jan 20, 2016 7:36 am
Forum: General
Topic: Hardware Redundancy / Clustering / Standby Router
Replies: 6
Views: 4227

Re: Hardware Redundancy / Clustering / Standby Router

I actually just finished implementing my own version of this using pairs of CCR1009s. Interested in testing it? I have it detecting changes and pushing and restoring a system backup to a secondary. It uses a VRRP interface (directly connected between the pair on ether1) to heartbeat and decide what to...
by nathan1
Sat Jan 16, 2016 7:08 pm
Forum: General
Topic: Configuration replication? Clustering?
Replies: 8
Views: 2406

Re: Configuration replication? Clustering?

Have you guys tried to roll your own? I'm roughly playing an automated backup of one router to another one and then use a VRRP directly connected interface to detect and takeover/giveup all the interfaces (except for the directly connected VRRP one). It roughly seems to work OK, I lose some private...