v7.15beta [testing] is released!

[quote=wfburton post_id=1060895 time=1709657229 user_id=215408]
As far as cache size, the host file is about 4.8mb. Why is it using 19mb then? And I don’t believe changing the cache TTL would help. This is a host file and not different than any host file you would use on your PC. Maybe MT can change the logic and only cache the local network address and cache only hosts that get a hit in the host file.
[/quote]

Ever heard of data structures, indices, hashtables, trees, memory alignment, etc…? If MikroTik just put your 4.8MiB file in 4.8MiB RAM, performance will be horrible because for every DNS query RouterOS has to do a linear scan through hundreds of thousands of unaligned lines of text. For efficient lookup, and also insertion and deletion (because the cache table is dynamic), including lookup & deletion by TTL, your text file will need to be parsed and transformed/stored in appropriate data structures in memory, with multiple associated indices (hostname, TTL, RR type). There also will be holes in between because the data need to be aligned and not all buckets are filled, especially after random insertion/deletion. Of course it can be multiple times bigger than the original raw text file.
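The trade-off described in the reply above, as an added example that is not part of the original post and is not RouterOS code: a hosts-format adlist is parsed into a hostname index plus a TTL-expiry heap, and the indexed footprint is compared with the raw text. The hostnames are constructed sample data, and Python's object overhead stands in for whatever layout the real resolver uses, so only the shape of the result carries over.

```python
import heapq
import sys

def make_hosts_text(n):
    # Constructed sample adlist in hosts-file format (not real blocklist data).
    return "".join(f"0.0.0.0 ads{i}.example.test\n" for i in range(n))

def build_cache(hosts_text, ttl=86400, now=0):
    """Parse hosts text into a name index plus a TTL-expiry heap."""
    by_name = {}   # hostname -> (rr_type, address, expires_at)
    expiry = []    # min-heap of (expires_at, hostname) for deletion by TTL
    for line in hosts_text.splitlines():
        line = line.split("#", 1)[0].strip()   # drop comments and blank lines
        if not line:
            continue
        addr, *names = line.split()
        rr_type = "AAAA" if ":" in addr else "A"
        for name in names:
            name = name.lower().rstrip(".")
            by_name[name] = (rr_type, addr, now + ttl)
            heapq.heappush(expiry, (now + ttl, name))
    return by_name, expiry

def linear_lookup(hosts_text, name):
    # What keeping only the raw text in RAM implies: scan every line per query.
    for line in hosts_text.splitlines():
        fields = line.split()
        if len(fields) >= 2 and name in fields[1:]:
            return fields[0]
    return None

def indexed_bytes(by_name, expiry):
    # Approximate footprint: both containers, each key string and record
    # tuple in the index, and each (expires_at, hostname) heap entry.
    total = sys.getsizeof(by_name) + sys.getsizeof(expiry)
    for name, rec in by_name.items():
        total += sys.getsizeof(name) + sys.getsizeof(rec)
    total += sum(sys.getsizeof(entry) for entry in expiry)
    return total

def overhead_ratio(n=20000):
    text = make_hosts_text(n)
    by_name, expiry = build_cache(text)
    return indexed_bytes(by_name, expiry) / len(text.encode())

if __name__ == "__main__":
    print(f"indexed / raw text size: {overhead_ratio():.1f}x")
```

The dictionary answers a query in one hash probe, while `linear_lookup` walks the whole list on every miss; the price is the per-entry overhead that `overhead_ratio` measures.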

[quote=wfburton post_id=1060902 time=1709659313 user_id=215408]
Right. I don’t see any hits. But, I’m not currently using it and probably won’t. Just too heavy to run on CRS309-1G-8S+
[/quote]

I’m getting 97% coverage according to the top adblock testing site from Google. I guess they may add features if it picks up steam?

It must be using the same DNS resolver (e.g. affected by cache size). I’d just prefer it was a generic way to dynamically load a “normal” /etc/host with real hosts – that would be useful as a “poor man’s zone file” to load the same hosts on multiple routers. e.g. I don’t want 0.0.0.0 as hosts, but a URL that’s periodically downloaded with a list of DNS hosts is useful

On the performance issue, time will tell. I’m pretty sure a Pi-Hole container is more heavy than adlist (now perhaps more capable). e.g. Pi-Hole is more likely to have an impact on router performance than resolving a host in the native DNS resolver, which I presume is populated by the “adlist”.

Ahh the old days, I used to use this script for stevenblack lists years ago on my DD-WRT routers.
This one https://wiki.dd-wrt.com/wiki/index.php/Ad_blocking
When chocolate was cheap!

I think the main package should not contain any VPN. It should be a separate package. All NAS functionality (SMB, DLNA, …) should be in separate packages. It is really only MikroTik’s fault that even the hap ac2, which is only a few years old, does not have enough memory. And separating some functionality into packages so people can choose what features they need is really a must-have feature. Please MikroTik, don’t make e-waste from devices that are only a few years old. Your routers are really expensive, but when someone buys one, they expect that it will have software support and not that it will be abandoned in a few years just because there is not enough space on the device.

What are you talking about? PPSK feature exists since forever, long before other vendors supported it.
WiFi → Access List (capsmanv2)
Wireless → CAPsMAN → Access List (legacy capsman)
Wireless → Wireless → Access List (standalone ap)
PPSK feature only works with WPA2 and below, regardless of the vendor.

Package size for devices with 16 MB flash is definitely a bigger issue. I have a hap ac2 at home with routeros (system) and wifi-qcom-ac packages here and hit the 0kb free mark earlier just with config, 0 additional files on disk

Two problems arise here:

  • Config added after the 0kb mark is not saved consistently - meaning that you could risk an inconsistent state after rebooting, not knowing which parts are actually saved without rebooting and running /export. Regular reboot (via CLI/Winbox) shows “router was rebooted without proper shutdown, probably kernel failure” after booting - probably due to flash corruption(???)
  • For example, while trying out the new DLNA feature (and for that setting up an SMB share on an external USB disk) I encountered random reboots (watchdog timer). Problem is that I am unable to even report the issue correctly at this point because there is no chance to create a Supout.rif file - due to lack of disk space. So hitting a dead end here

Don’t get me wrong here - I appreciate the new features and everything, but the limit of 16MB devices will be hit sooner or later (in this case real soon, unfortunately)

As for a solution, I would propose an additional (i.e. routeros-minimal) system package with just the bare minimum and split the rest (Advanced Routing, VPN, …) into separate packages. An advantage would be that you could even install extra packages (i.e. zerotier or whatever) without running out of space - just as needed for the use case per device.

Maybe it would even be possible to create a “RouterOS Package Builder” where the user could decide which of the main features he wants to install - or make installation of extra packages available via CLI/Winbox with checkboxes. Probably not feasible, but just an idea in my head :)

Not a fan of the idea to create an LTS release for these devices - would kill innovation considering that some recent devices ship with 16 MB flash.

[quote]
Maybe it would be even possible to create a “RouterOS Package Builder”
[/quote]

I liked the ROSv6 way, when you were able to deselect different modules.
In my opinion it’s also a security risk to have “everything” enabled by default.

If you don’t do dynamic routing, why is the BGP, OSPF, RIP… stuff installed? If you do not need NAS-stuff, why DLNA? If you do not use IPv6, why the whole IPv6-stuff? Why the WiFi-stuff on devices without WiFi? Now they will say, yeah for CAPsMAN… But honestly, if you are going to implement such a brainfu**ed thing like CAPsMAN, you WILL be able to install this as an additional package. Was in my opinion no good decision for ROSv7, told them (MT), got ignored…

Some parts I agree with, some I don’t.

Making RouterOS modular for all components is likely to cause not only a large development undertaking but also a headache for developers in maintaining the code. It also can negatively impact latency, interoperability and would make testing even more cumbersome. Not to mention I’m sure the goal at MT is to have an AIO package that works on any platform and offers all the features out of the box (especially with the Cloud/AI frenzy).

Outside of the AIO package, containerization is their offer of support towards advanced customization for user-specific needs that are not covered in what they plan to fundamentally build/support in the RouterOS package. This development approach isn’t unusual; as it stands right now, if you look at the Linux kernel there is a reason why it is called a monolithic kernel and also why it is leagues more performant than many other operating systems. The same thing applies here, especially since they aren’t just using the default Linux implemented features and instead developing their own derivatives.

I urge people to look towards the future and push MT to make better component choices on the hardware side than to continue to say let’s waste development cycles around an artificially imposed constraint. (Yes I know, it will cost us consumers money in the end, but if we really want the best for the future we have to share some of the burden.)

Regarding lack of innovation with a LTS-Lite release, I don’t see that happening, all it means is that feature-wise the 16MB constraint on some devices is already preventing anything other than bug fixes from coming down the pipe for those devices (which is realistic, things don’t last forever, even Torvalds eventually deprecated old drivers in the Linux kernel to clean it up). Newer devices will continue to push the development/innovation further, not to mention CHR already opens up the hardware perspective on many fronts.

TLDR: MT release a new range of comparables for all the devices that have just 16MB-128MB storage. Unfortunately, even the CCR2216 only has 128MB (fine for now, but not really future proof) for internal storage, and while you can slot some M.2 drives in there you can’t use them for booting purposes… so at some point if the package size grows enough that could even become an issue.

Sorry but should I say to my guest please can you give me your MAC addresses so you can connect to right VLAN ??? No, in my opinion that is not proper PPSK, that is workaround.

Well, of course actually PPSK is not proper and is a workaround. But it is a convenient workaround offered by some other vendors.
At work we are using WPA2-EAP with MSCHAPv2 username/password and a certificate for authentication of the AP.
That is “the proper way to do it”. Each user gets a username/password stored in a RADIUS server, when authenticated the RADIUS server sends a VLAN number and the user is put in that VLAN. This also has the advantage that each user has a different encryption key on the WiFi, so it is not possible to eavesdrop on other users and do man-in-the-middle attacks when you know the PSK.
Works fine in a corporate environment where you can distribute config using some management system or other local methods, but for the home it is not very convenient of course. Not to mention that low-end devices (IoT etc) usually do not support WPA2-EAP.

At home I use “usermanager” with MAC authentication via RADIUS, so all users connect to the same SSID/password but depending on the “group” of the entry in the user manager list I can assign the different devices a different VLAN.
That works fine with all devices, but unfortunately:

  • There is no way to enter a “default user” in usermanager, so a new device cannot connect at all until you figure out its MAC address and enter it in the users list. That requires watching the log to see what MAC is rejected (with access list that can be avoided, but unfortunately when usermanager rejects the request there is no way to “fall back to” an access list rule).
  • The new WiFi driver does not support this, at least not the setting of VLAN number (did not check if it allows MAC authentication via RADIUS).

And healthy :)

Also quite often IoT devices have problems with WPA2-EAP, I tried that and most of the IoT devices refused to connect. I tried user manager, you helped me and it was working nice but as you said, good for corporate, not home user.

This shouldn’t be a problem for MikroTik to implement and I believe that there are many users that would like to see this feature. It’s not a problem that I can’t use WPA3 then. Long strong password and WPA2 is enough for me.

Is there some cloud provider that has AMPERE that is known to work and/or “supported”?

I tried on large AMPERE box on Equinix Metal cloud, since they support AMPERE. But Equinix requires an iPXE boot for non-standard Linux…but could NOT figure out the right iPXE script to boot it.

Overall, a CHR .IMG of “AMPERE” would be WAY more handy for testing the beta than bare metal IMO… Not sure many folks have AMPERE sitting around ;).

Updated my RB5009 today and it’s lost its ability to route certain VLANs out via VPNs from within VRFs. Not sure what’s going on exactly yet. But it works fine on 7.13 (didn’t try 7.14 as it would break my WAN link due to the VLAN MTU issues).

What is AMPERE??
Due to the stupid name it is impossible to Google…

https://en.wikipedia.org/wiki/Ampere_Computing

Maybe some Kleenex™ would help to clear it up.

AArch64 would be way clearer. I get that Ampere adds GPUs etc… but for RouterOS it’s ARM64 on enterprise servers.

I don’t know why it’s good anyway . . . in ROS