BenjaminLucas
just joined
Topic Author
Posts: 1
Joined: Sun Apr 26, 2020 11:45 am

V7 questions?

Sun Apr 26, 2020 11:58 am

Hello there. Thank you for your work on v7. I tried it on a VM and it looks like a promising version, with the fresh kernel and all. I have two questions:

1. Are upstream kernel patches to 4.14 going to be incorporated into the v7 kernel? I can see that upstream it is already at v4.14.148.

2. Do you plan to publish v7 on the "development" upgrade channel and if yes, about when?

Thank you again!
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Tue Apr 28, 2020 4:58 pm

@BenjaminLucas, which VM do you use for such testing?

Can you or anybody else tell me whether RouterOS can also be tested in an LXC (or LXD) container in Linux?

I too am waiting for the 7.0 release version. An expected release schedule would indeed be good to know, for own plannings / deployments etc.
 
Paternot
Long time Member
Posts: 697
Joined: Thu Jun 02, 2016 4:01 am
Location: Niterói / Brazil

Re: V7 questions?

Tue Apr 28, 2020 5:45 pm

> Hello there. Thank you for your work on v7. I tried it on a VM and it looks like a promising version, with the fresh kernel and all. I have two questions:
> 2. Do you plan to publish v7 on the "development" upgrade channel and if yes, about when?

They already publish it in the development channel. Get any RoS device running the 6.x series, open package manager and change the train to development. RoS 7beta5 will appear.

It is beta, though. I wouldn't recommend it to a production environment.
 
Cha0s
Forum Veteran
Posts: 978
Joined: Tue Oct 11, 2005 4:53 pm

Re: V7 questions?

Tue Apr 28, 2020 7:26 pm

> Can you or anybody else tell me whether RouterOS can also be tested in an LXC (or LXD) container in Linux?

ROS cannot work as a container.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Tue Apr 28, 2020 8:49 pm

> > Can you or anybody else tell me whether RouterOS can also be tested in an LXC (or LXD) container in Linux?
> ROS cannot work as a container.

Do you happen to know whether RouterOS can be installed on the following dual-core ARM device with multiple Gigabit interfaces:
http://wiki.banana-pi.org/Banana_Pi_BPI-R1
https://linux-sunxi.org/Lamobo_R1
That device has microSD, and one can also attach a SATA SSD to it (and booting from the SSD is possible too).
 
Sob
Forum Guru
Posts: 5483
Joined: Mon Apr 20, 2009 9:11 pm

Re: V7 questions?

Tue Apr 28, 2020 9:57 pm

No, it can't.

Out of curiosity, what would be the point? It doesn't make sense price wise, RouterOS license would cost you almost as much as the board. And all the things you can attach to board would be useless, because you'd have RouterOS and it doesn't allow to install any custom stuff.
People who quote full posts should be spanked with ethernet cable. Some exceptions for multi-topic threads may apply. Not intended as incentive for masochists.
 
Cha0s
Forum Veteran
Posts: 978
Joined: Tue Oct 11, 2005 4:53 pm

Re: V7 questions?

Tue Apr 28, 2020 10:42 pm

> > > Can you or anybody else tell me whether RouterOS can also be tested in an LXC (or LXD) container in Linux?
> > ROS cannot work as a container.
> Do you happen to know whether RouterOS can be installed on the following dual-core ARM device with multiple Gigabit interfaces:
> http://wiki.banana-pi.org/Banana_Pi_BPI-R1
> https://linux-sunxi.org/Lamobo_R1
> That device has microSD, and one can also attach a SATA SSD to it (and booting from the SSD is possible too).

ROS can ONLY be installed on official RouterBoards, x86 PCs/Servers and as a Virtual Machine (CHR) on ESXi, KVM, HyperV (and I think Xen too).
 
mkx
Forum Guru
Posts: 4221
Joined: Thu Mar 03, 2016 10:23 pm

Re: V7 questions?

Tue Apr 28, 2020 10:53 pm

> ... as a Virtual Machine (CHR) on ESXi, KVM, HyperV (and I think Xen too).

According to official docs works under VirtualBox as well.
BR,
Metod
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Tue Apr 28, 2020 11:38 pm

> No, it can't.
>
> Out of curiosity, what would be the point? It doesn't make sense price wise, RouterOS license would cost you almost as much as the board. And all the things you can attach to board would be useless, because you'd have RouterOS and it doesn't allow to install any custom stuff.

Just for POC :-)
Ok, if nothing else/own can be installed and no Linux root access is possible then... nothing for me then... :-)
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: V7 questions?

Mon May 18, 2020 2:49 pm

> no Linux root access is possible then... nothing for me then... :-)

Do you have any other RouterOS with Linux root access?
Why ask for it on v7?
What do you miss on RouterOS since you need root access?
 
How to use Splunk to monitor your MikroTik Router(s)

MikroTik->Splunk
 
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Mon May 18, 2020 3:44 pm

> > no Linux root access is possible then... nothing for me then... :-)
> Do you have any other RouterOS with Linux root access?
> Why ask for it on v7?
> What do you miss on RouterOS since you need root access?

I'm new to RouterOS. I read that ROS is working on top of Linux.
We have an Ubiquiti EdgeRouter and an EdgeSwitch and they too have their own operating system (called EdgeOS) working on top of Linux.
Since in EdgeOS one can easily get access to the underlying Linux environment, even root access, I was thinking it maybe is similar in RouterOS, but which unfortunately is not the case :-(
I need access to Linux for running own code written in C/C++ to implement the low-level part for an own high-performing advanced central firewall on switch devices (not router).
Ie. our requirement is a very special use-case, not necessarily a mainline use-case.
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: V7 questions?

Mon May 18, 2020 4:22 pm

With more than 300 posts, you are not 100% new user.
RouterOS is closed source, so no underlying access.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Mon May 18, 2020 5:10 pm

> With more than 300 posts, you are not 100% new user.

I think I'm now for about 1.5 months a user here :-)

> RouterOS is closed source, so no underlying access.

Too bad. Then we can do our said project only on the Ubiquiti EdgeSwitch-24 device. Unfortunately it has no 10G ports unlike the CRS326 :-(
Never mind, later we can switch to the 48-port version of that device as that one has some 10G ports.
We currently are just evaluating these 24+x port switch devices, ie. testing their capabilities and trying to choose the right platform for that particular project.
 
andriys
Forum Guru
Posts: 1352
Joined: Thu Nov 24, 2011 1:59 pm
Location: Kharkiv, Ukraine

Re: V7 questions?

Mon May 18, 2020 8:21 pm

> I need access to Linux for running own code written in C/C++ to implement the low-level part for an own high-performing advanced central firewall on switch devices (not router).

Good luck!.. :)
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Tue May 19, 2020 6:54 pm

> I need access to Linux for running own code written in C/C++ to implement the low-level part for an own high-performing advanced central firewall on switch devices (not router).
> Ie. our requirement is a very special use-case, not necessarily a mainline use-case.

You have talked about this before, but I really do not understand why you do not want the router to do the firewalling and want the switch to do it instead? It seems like you are trying to reinvent the wheel.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Tue May 19, 2020 7:05 pm

> You have talked about this before, but I really do not understand why you do not want the router to do the firewalling and want the switch to do it instead? It seems like you are trying to reinvent the wheel.

I already told: I need a central firewall on the switch, not on the router, because of performance reasons, as well to monitor also all the traffic inside the LAN for any possible "anomalies"...

Imagine this example:
I can set up a cheap PC with 2x quad port NICs (such NICs cost only about $25 at ebay), so then in total I have 9 independent ports, ie. a router with 9 independent ports. On this PC I can of course do everything, build a router or switch or bridge, a Multi-LAN/WAN router, install any server software I wish, etc. etc.
I was just expecting to have such a ready-made device with more ports and with some 10G ports, ie. a CRS326 with its 26 ports is a wonderful device for this task, but only if I also could have access to the underlying Linux to install my special firewall stuff that uses this library: https://www.netfilter.org/projects/libn ... index.html
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Tue May 19, 2020 7:29 pm

> I already told: I need a central firewall on the switch, not on the router, because of performance reasons, as well to monitor also all the traffic inside the LAN for any possible "anomalies"...

"Performance reasons" simply means that your router is not powerful enough and you need a more powerful router. You can also scale horizontally and use multiple routers. Firewalling all traffic within the LAN can be accomplished by using local-proxy-arp on the router interface and blocking direct computer-to-computer communication over layer 2, this will cause all traffic from one computer to another on the same subnet to be sent through the router firewall as though they were on different subnets. This would accomplish your goal to monitor all traffic inside the LAN. As I said, you are putting in a great deal of effort into reinventing the wheel.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Tue May 19, 2020 7:34 pm

@mducharme, thanks for your comments, but I already have made my mind up.
Outsiders seem to have a hard time to follow my thoughts and requirements. Never mind.
Case closed.
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Tue May 19, 2020 7:47 pm

> @mducharme, thanks for your comments, but I already have made my mind up.
> Outsiders seem to have a hard time to follow my thoughts and requirements. Never mind.
> Case closed.

For one thing you never explained your requirements, they are vague, some "special use-case" and you posted the other thread already having decided on your solution and asking why it didn't work. When you don't explain your requirements and thoughts, how is anybody supposed to follow them?

You might be able to install OpenWRT on the CRS, there are OpenWRT builds for MikroTik devices (need to save your license first). I have never tried.

Even if you do install OpenWRT on that switch and add your libnetfilter code, I don't think the performance will be acceptable. The switch devices do not have very fast CPUs in them because they are designed to be switches, not routers.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Thu May 21, 2020 1:13 am

@mducharme, just a switch panel with 24+ GbE ports with PCIe3 x16 interface would do it too: just install the adapter in a PC and connect the panel to that adapter (don't know which type of cabling is used for that), and ready you are: eth0, eth1 ... eth24. But where to find such a switch panel with PCIe adapter?
IMO 16 PCIe3 lanes should be sufficient for 24 GbE ports, since each lane has 8 Gbps halfduplex (= 8000 Mbps), ie. 16 Gbps fullduplex --> then up to even 128 GbE ports should be possible with just 1 such x16 PCIe adapter (16x8x2=256 Gbps fullduplex capacity of one x16 adapter). S.a.
https://en.wikipedia.org/wiki/PCI_Express
https://en.wikipedia.org/wiki/List_of_i ... Main_buses
https://en.wikipedia.org/wiki/List_of_i ... a_networks
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Thu May 21, 2020 3:44 am

> @mducharme, just a switch panel with 24+ GbE ports with PCIe3 x16 interface would do it too: just install the adapter in a PC and connect the panel to that adapter (don't know which type of cabling is used for that), and ready you are: eth0, eth1 ... eth24. But where to find such a switch panel with PCIe adapter?
> IMO 16 PCIe3 lanes should be sufficient for 24 GbE ports, since each lane has 8 Gbps halfduplex (= 8000 Mbps), ie. 16 Gbps fullduplex --> then up to even 128 GbE ports should be possible with just 1 such x16 PCIe adapter (16x8x2=256 Gbps fullduplex capacity of one x16 adapter). S.a.

Right, but to me it is not simply a matter of making sure that you have a wide enough PCIe bus to carry all the traffic at once. Unless I am missing something obvious, you are still expecting each packet to be processed by the CPU individually. So even if the PCI bus supports enough bandwidth that it could carry the traffic for 24 GbE ports simultaneously without issue, it doesn't necessarily mean that the CPU will process the packets quickly enough to be able to come anywhere close to maxing out the bus. The CPU would have to be powerful enough to do so, and the code would have to be sufficiently optimized. You might have the best luck with this with a traditional desktop or server CPU, but I don't quite know how you would turn this into a switch, as I have never heard of such a device that you describe as a "switch panel" with a PCIe interface. Also, if the CPU is going to have to process each packet individually with firewall rules, I don't see how this would be significantly faster/more efficient vs. routing the packets and using a traditional firewall. You are talking about bridging the packets and having the CPU examine each one vs. routing the packets and having the CPU examine each one. How is the former much more efficient than the latter?

As an example - on an RB4011, routing with fast path is slower than bridging with fast path, but percentage-wise there isn't a huge difference.
[Attached image: RB4011-performance.PNG]
That shows that RB4011 bridging is 20% faster than RB4011 routing. I'm sure you would find this across the board pretty much regardless of architecture. This should also be true on a PC with Intel CPU. So you are wanting to develop an entirely new system from scratch for a 20% performance improvement vs a router with a firewall?
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Thu May 21, 2020 6:38 am

@mducharme, it's technically a router with 24+ independent ports. How is this panel with all the ports usually called? I called it simply a "switch panel", but no, it does not need to be a switch. What is important is that each port is independent (own MAC, IP, and also own routing table), and regarding internal routing among the ports itself: Linux has that all built in, including the iptables firewall.
And a cheap 4C/8T CPU should be more than sufficient for this job, maybe even a 2C/4T x86_64 PC or embedded CPU.
What will it cost: $70 CPU, $60 MoBo, $40 RAM, plus that port panel with its PCIe adapter, in total maybe less than $250.
Also an interesting project: https://www.openvswitch.org/
And SDN: https://en.wikipedia.org/wiki/Software- ... networking
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Thu May 21, 2020 9:36 pm

> @mducharme, it's technically a router with 24+ independent ports. How is this panel with all the ports usually called? I called it simply a "switch panel", but no, it does not need to be a switch.

I don't know what you mean by "panel with all the ports". You can buy 4 port PCIe ethernet cards that are about $200 each. If you buy six of them and install into one PC, then you basically get a 24 port switch. So, the cost ends up being $1200 worth of network cards plus the motherboard/CPU/RAM/PSU/chassis. I'm also not entirely confident that a $70 CPU could handle it, if you are going to be doing inspection and L2 firewalling for all packets, the bridging speed could decrease significantly. I think such a PC-switch would cost $2000 at minimum for a single system with 24 ports.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Fri May 22, 2020 3:49 pm

> I don't know what you mean by "panel with all the ports".

24 port RJ45 patch panel, for under $30, for example:
https://www.ebay.de/itm/19-Patchpanel-C ... SwsEteqZ~N

> You can buy 4 port PCIe ethernet cards that are about $200 each.

You can buy cheaper models for about $25, take a look at this shop, or search at ebay:
https://www.servershop24.de/en/componen ... -and-more/

One can of course also buy a brand new CSS326 for $139 or a CRS326 for $189 and try to use it with an alternative OS.
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Fri May 22, 2020 6:19 pm

> 24 port RJ45 patch panel, for under $30, for example:
> https://www.ebay.de/itm/19-Patchpanel-C ... SwsEteqZ~N

Patch panels don't have any electronics at all, they are basically passive pass-thru systems - just wires and plastic and a metal frame. They are designed so that a solid-core cable running from a wall jack to a switch doesn't plug directly into the switch but instead wires into the patch panel, and then a shorter stranded-core patch cable runs from the panel to the switch. This is in part for better cable management and also due to the fact that the solid core cable that runs through walls is not as flexible and can be damaged more easily if bent, and if it is damaged then you have to rerun the cable to the jack. Cabling to the patch panel means that cable never has to move (since you can wire to a new switch with a short patch cable) and reduces the risk of damage that would require rerunning the drop.

A patch panel won't really help for your application, except as part of a normal structured cabling system.
Last edited by mducharme on Fri May 22, 2020 7:39 pm, edited 1 time in total.
 
mducharme
Trainer
Posts: 944
Joined: Tue Jul 19, 2016 6:45 pm

Re: V7 questions?

Fri May 22, 2020 7:35 pm

> One can of course also buy a brand new CSS326 for $139 or a CRS326 for $189 and try to use it with an alternative OS.

It would have to be the CRS - the CSS has a much smaller flash that would only admit the comparatively tiny SwOS (2MB instead of 16MB).

Even though the CRS *may* work, you are potentially running into limitations here due to the CPU. To have the CPU process all packets using the module you want to use, I believe you would have to use software bridging instead of offloading to the switch chip. What that means is that the switch slows down in terms of total possible throughput from about 40+ Gbps to around 1 Gbps. So suppose the switch has 20 hosts connected and actively using it at one moment, that gives you about 50Mbps per host, so the 1Gbps switch has essentially turned into a < 100Mbps switch. Adding your firewalling will increase the load on the CPU and further decrease the throughput. So I am wondering whether you would be happy with a solution that gave you ~15Mbps per port on the switch?
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Fri May 22, 2020 8:08 pm

@mducharme, I want to redirect to the CPU only the initial SYN packet of TCP connections as I'm interested only in TCP. So this would make up less than 1% of all the packets, the rest would be processed by the switch chip and its ACL as normal.
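
The classification described in the post above (hand only the initial SYN of each TCP connection to the CPU), as an added example that is not part of the original thread or any poster's code: a C function that decides from a raw IPv4 packet whether it is an initial SYN, rejecting SYN-ACKs, non-first fragments and truncated headers. The function names, sample packets and addresses are constructed for illustration; how the bytes reach the handler on a given device is not covered here.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

/* TCP flag bits, byte 13 of the TCP header. */
#define TCP_FIN 0x01
#define TCP_SYN 0x02
#define TCP_RST 0x04
#define TCP_ACK 0x10

/* Hypothetical helper: returns 1 if pkt (starting at the IPv4 header) is the
 * initial SYN of a TCP connection, 0 otherwise. Truncated or malformed input
 * is never treated as a SYN. */
int is_initial_tcp_syn(const uint8_t *pkt, size_t len)
{
    if (pkt == NULL || len < 20 || (pkt[0] >> 4) != 4)
        return 0;                              /* too short, or not IPv4 */
    size_t ihl = (size_t)(pkt[0] & 0x0F) * 4;  /* IPv4 header length in bytes */
    if (ihl < 20 || ihl > len || pkt[9] != 6)
        return 0;                              /* bad header, or not TCP */
    /* Non-first fragments carry no TCP header, so the 13-bit offset must be 0. */
    if ((((pkt[6] & 0x1F) << 8) | pkt[7]) != 0)
        return 0;
    if (len - ihl < 20)
        return 0;                              /* TCP header truncated */
    const uint8_t *tcp = pkt + ihl;
    size_t doff = (size_t)(tcp[12] >> 4) * 4;  /* TCP header length in bytes */
    if (doff < 20 || doff > len - ihl)
        return 0;
    /* SYN set, ACK/RST/FIN clear: SYN-ACK and odd flag mixes do not match. */
    return (tcp[13] & TCP_SYN) && !(tcp[13] & (TCP_ACK | TCP_RST | TCP_FIN));
}

/* Constructed sample: 20-byte IPv4 + 20-byte TCP header between documentation
 * addresses. Checksums stay 0 because the classifier does not verify them. */
size_t build_sample(uint8_t buf[40], uint8_t tcp_flags, uint16_t frag_off)
{
    static const uint8_t tmpl[40] = {
        0x45, 0x00, 0x00, 0x28, 0x00, 0x01, 0x00, 0x00,  /* v4, IHL 5, len 40 */
        0x40, 0x06, 0x00, 0x00,                          /* TTL 64, proto TCP */
        192, 0, 2, 1, 198, 51, 100, 2,                   /* src, dst */
        0xC0, 0x00, 0x01, 0xBB,                          /* ports 49152 -> 443 */
        0, 0, 0, 1, 0, 0, 0, 0,                          /* seq, ack */
        0x50, 0x00, 0xFF, 0xFF, 0, 0, 0, 0               /* doff 5, flags, win */
    };
    memcpy(buf, tmpl, sizeof tmpl);
    buf[6] = (uint8_t)((frag_off >> 8) & 0x1F);
    buf[7] = (uint8_t)(frag_off & 0xFF);
    buf[33] = tcp_flags;                                 /* TCP flags byte */
    return sizeof tmpl;
}

/* Counts how many packets of a flag sequence would be handed to the CPU. */
size_t count_initial_syns(const uint8_t *flags, size_t n)
{
    uint8_t buf[40];
    size_t hits = 0;
    for (size_t i = 0; i < n; i++) {
        size_t len = build_sample(buf, flags[i], 0);
        hits += (size_t)is_initial_tcp_syn(buf, len);
    }
    return hits;
}

int main(void)
{
    /* Constructed flag sequence of one short connection, both directions:
     * SYN, SYN-ACK, ACK, data (PSH-ACK) and ACKs, FIN-ACKs, final ACK. */
    static const uint8_t conn[] = { 0x02, 0x12, 0x10, 0x18, 0x10,
                                    0x18, 0x10, 0x11, 0x11, 0x10 };
    printf("%zu of %zu packets match\n",
           count_initial_syns(conn, sizeof conn), sizeof conn);
    return 0;
}
```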
 
mada3k
Member Candidate
Posts: 217
Joined: Mon Jul 13, 2015 10:53 am
Location: Sweden

Re: V7 questions?

Fri May 22, 2020 9:43 pm

Then you just need to mirror ports to the CPU to monitor the actual traffic.

Otherwise it sounds like you want to build a software based switch/bridge. This will be slow, power-consuming and costly.
Manages some CCR's, RB750Gr3, RB922 and wAP's
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Fri May 29, 2020 5:20 pm

> Then you just need to mirror ports to the CPU to monitor the actual traffic.
>
> Otherwise it sounds like you want to build a software based switch/bridge. This will be slow, power-consuming and costly.

It's not for monitoring, it's for firewall. It's also not about building any switch/bridge.
Do you know the role of the SYN packet in a TCP session?
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: V7 questions?

Sat May 30, 2020 4:36 am

> > Then you just need to mirror ports to the CPU to monitor the actual traffic.
> >
> > Otherwise it sounds like you want to build a software based switch/bridge. This will be slow, power-consuming and costly.
> It's not for monitoring, it's for firewall. It's also not about building any switch/bridge.
> Do you know the role of the SYN packet in a TCP session?

Why not stick to the subject at hand instead of chest beating about your TCP syn packet amazing deep knowledge - did you invent it?
RoS is not your solution go search somewhere else - we will all be happier. ;-P
I'd rather manage rats than software. Follow my advice at your own risk! (Sob & mkx forced me to write that!)
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Sat May 30, 2020 10:03 am

> > > Then you just need to mirror ports to the CPU to monitor the actual traffic.
> > >
> > > Otherwise it sounds like you want to build a software based switch/bridge. This will be slow, power-consuming and costly.
> > It's not for monitoring, it's for firewall. It's also not about building any switch/bridge.
> > Do you know the role of the SYN packet in a TCP session?
> Why not stick to the subject at hand instead of chest beating about your TCP syn packet amazing deep knowledge - did you invent it?
> RoS is not your solution go search somewhere else - we will all be happier. ;-P

Hey anav you [censored], why leave the field to such [censored] like you who even don't know the SYN in TCP? :-)
You are in my ignore list. Stay out of all my discussions. [censored]?
Last edited by andriys on Sun May 31, 2020 11:33 pm, edited 1 time in total.
Reason: Please refrain from insulting others
 
Jotne
Forum Guru
Posts: 1625
Joined: Sat Dec 24, 2016 11:17 am
Location: jo.overland at gmail.com

Re: V7 questions?

Sat May 30, 2020 10:41 am

I do agree with anav, asking for syn packets in a "V7 question" topic is a bit off. Better to start another thread.
 
mutluit
Long time Member
Posts: 505
Joined: Wed Mar 25, 2020 4:04 am

Re: V7 questions?

Sat May 30, 2020 11:12 am

> I do agree with anav, asking for syn packets in a "V7 question" topic is a bit off. Better to start another thread.

If you look in #18 viewtopic.php?f=1&t=160401#p794620, I had already closed the case, but later I still got asked.
And yes, a new thread on SYN was already started: viewtopic.php?f=1&t=161656
I don't know why this anav guy is so hostile to me. I put him into my ignore list. He has to stay out of all my discussions b/c of his sick and hostile comments to my postings.
 
anav
Forum Guru
Posts: 4261
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: V7 questions?

Sat May 30, 2020 4:23 pm

It seems you are asking for MT to change a significant part of complex code for your single use case.
Seems rather selfish to me, but if it benefits a wide range of users then perhaps MT will implement it.
So I reserve judgment on that particular aspect of your spam posts.

However, if you recall, your pompous statements such as these, warrant returns.........
> @mducharme, thanks for your comments, but I already have made my mind up.
> Outsiders seem to have a hard time to follow my thoughts and requirements. Never mind.
> Case closed.


and what about this condescending remark to mducharme??.......
> It's not for monitoring, it's for firewall. It's also not about building any switch/bridge.
> Do you know the role of the SYN packet in a TCP session?


If you cannot take the heat, then get out of the kitchen!!
No I will not go away. :-)
 
Cha0s
Forum Veteran
Posts: 978
Joined: Tue Oct 11, 2005 4:53 pm

Re: V7 questions?

Sun May 31, 2020 2:26 pm

> I don't know why this anav guy is so hostile to me. I put him into my ignore list. He has to stay out of all my discussions b/c of his sick and hostile comments to my postings.

Aww, did your feelings get hurt? :mrgreen:
