v6.40rc [release candidate] is released! (New bridge implementation delayed till 6.41rc)

FIPTech · Tue Jul 11, 2017 12:55 pm

I think i would be interesting to have an option inside Winbox to automatically create a vlan rule on a brige when adding a vlan interface to it.

This would create a vlan rule with the vlan id of the interface, including all bridge ports.

idlemind · Tue Jul 11, 2017 2:17 pm

How can spanning tree port states be seen? (show spanning-tree equavelant)
Code: Select all
/interface bridge monitor bridge1

/interface bridge port monitor [find where bridge=bridge1]

/interface bridge msti monitor [find]

Thanks becs

raffav · Tue Jul 11, 2017 2:38 pm

I think i would be interesting to have an option inside Winbox to automatically create a vlan rule on a brige when adding a vlan interface to it.

This would create a vlan rule with the vlan id of the interface, including all bridge ports.

Agree but winbox isn't alway possible to use.

I still think that step need to be simplified

Enviado de meu XT1580 usando Tapatalk

idlemind · Tue Jul 11, 2017 4:02 pm

How can spanning tree port states be seen? (show spanning-tree equavelant)
Code: Select all
/interface bridge monitor bridge1

/interface bridge port monitor [find where bridge=bridge1]

/interface bridge msti monitor [find]
Thanks becs

Victory, I now feel confident enough to migrate some additional VLANs over now

Request: Could you make the priority able to be set and displayed as an integer?

[admin@rtr1] > interface bridge port monitor [ find where bridge=br-master1 ]
                   interface: eth4                     eth5
                      status: in-bridge                in-bridge
                 port-number: 1                        2
                        role: root-port                alternate-port
                   edge-port: no                       no
         edge-port-discovery: yes                      yes
         point-to-point-port: no                       no
                external-fdb: no                       no
                sending-rstp: yes                      yes
                    learning: yes                      no
                  forwarding: yes                      no
     internal-root-path-cost: 10                       10
           designated-bridge: 0x2000.8C:B6:4F:20:21:80 0x2000.8C:B6:4F:20:21:80
    designated-internal-cost: 0                        0
      designated-port-number: 57                       58
            multicast-router: no                       no

FIPTech · Tue Jul 11, 2017 4:32 pm

I think i would be interesting to have an option inside Winbox to automatically create a vlan rule on a brige when adding a vlan interface to it.

This would create a vlan rule with the vlan id of the interface, including all bridge ports.
Agree but winbox isn't alway possible to use.

I still think that step need to be simplified

Enviado de meu XT1580 usando Tapatalk

Another possibility would be to optionally create a default vlan rule for newly created bridges, allowing all tagged vlan-id on all ports of the bridge. If this does not trig a performance issue.

I tried to put such a rule, with vlan-ids 2-4094. This does not seem to rise the CPU %.

FIPTech · Tue Jul 11, 2017 4:41 pm

According to a simple test i've just done on a vlan aware bridge, it is not possible to use tagged vlan 1 and untagged traffic at the same time.

As soon as a bridge vlan rule is set with vlan-ids=1 and bridge ports added as tagged, Winbox connection (connected on the bridge untagged vlan IP) is lost.

This result seems to confirm what i felt yesterday : because of the internal vlan id = 1 used for untagged external traffic, It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.

The hardware switches i'm used to, (procurves) do allow to use untagged and tagged vlan=1 at the same time without any problem. More, vlan=1 is the default vlan vlan-id in those switches. This mean that it is not uncommon to see vlan 1 tagged inside an hybrid trunk, with untagged traffic from another vlan. In this case, it is not possible to connect such an hybrid trunk on a Mikrotik vlan aware bridge.

Please confirm. If i'm right this should be clearly stated in the documentation, or better, corrected in the code.

raffav · Tue Jul 11, 2017 5:09 pm

@FIPTech
i still don't underhand what is your point with vlan1 tag/untag and what you want to do

Chupaka · Tue Jul 11, 2017 5:10 pm

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.

you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..

raffav · Tue Jul 11, 2017 5:54 pm

Another possibility would be to optionally create a default vlan rule for newly created bridges, allowing all tagged vlan-id on all ports of the bridge. If this does not trig a performance issue.

I tried to put such a rule, with vlan-ids 2-4094. This does not seem to rise the CPU %.

i think some like that

# This part you tell Mikrotik the port mode
/interface bridge port
add bridge=br-trunk1 interface=ether23 |\
add bridge=br-trunk1 interface=ether19 | TRUNK PORTS
add bridge=br-trunk1 interface=ether22 |/

add bridge=br-trunk1 interface=ether2 pvid=2 |\
add bridge=br-trunk1 interface=ether3 pvid=2 | \
add bridge=br-trunk1 interface=ether4 pvid=2 | \
add bridge=br-trunk1 interface=ether5 pvid=2 | \
add bridge=br-trunk1 interface=ether6 pvid=2 | \
add bridge=br-trunk1 interface=ether7 pvid=2 | \
add bridge=br-trunk1 interface=ether8 pvid=2 | ACCESS PORTS
add bridge=br-trunk1 interface=ether17 pvid=2 | /
add bridge=br-trunk1 interface=ether18 pvid=2 | /
add bridge=br-trunk1 interface=ether14 pvid=4 | /
add bridge=br-trunk1 interface=ether15 pvid=5 | /
add bridge=br-trunk1 interface=ether17 pvid=2 | /
add bridge=br-trunk1 interface=ether20 pvid=220|/

/interface bridge vlan
## Make Mikrotik smart enough to understand that vlans belong to the same bridge
# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether23 tagged-vlan-ids=2,4,5,6,7,99,210,220

# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether19 tagged-vlan-ids=4,5,6,7,99

# Tell that on eth is allowed only this tagged vlan
add bridge=br-trunk1 interface=ether22 tagged-vlan-ids=210,220
#----------------------------------
# a Hybrid mode e.g
add bridge=br-trunk1 interface=ether22 tagged-vlan-ids=210,220 utagged-vlan-ids=2

pe1chl · Tue Jul 11, 2017 6:05 pm

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..

I think he means "have vlan 1 tagged on some port, and at the same time have some other vlan untagged on that or another port".

While vlan 1 is nothing special, it would not be the first case where it causes problems to use it tagged. In the past I have
also tried to hunt down bugs on other manufacturer's switches, and even faced the situation where the manuf "could not reproduce"
the problem and it was because the Windows driver for the ethernetcard he uses to debug the problem (or maybe even Windows itself)
invisibly deleted a VLAN 1 tag from the packet even before wireshark gets it. Wireshark under Linux showed the problem clearly.

I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.

idlemind · Tue Jul 11, 2017 6:13 pm

According to a simple test i've just done on a vlan aware bridge, it is not possible to use tagged vlan 1 and untagged traffic at the same time.

As soon as a bridge vlan rule is set with vlan-ids=1 and bridge ports added as tagged, Winbox connection (connected on the bridge untagged vlan IP) is lost.

This result seems to confirm what i felt yesterday : because of the internal vlan id = 1 used for untagged external traffic, It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.

The hardware switches i'm used to, (procurves) do allow to use untagged and tagged vlan=1 at the same time without any problem. More, vlan=1 is the default vlan vlan-id in those switches. This mean that it is not uncommon to see vlan 1 tagged inside an hybrid trunk, with untagged traffic from another vlan. In this case, it is not possible to connect such an hybrid trunk on a Mikrotik vlan aware bridge.

Please confirm. If i'm right this should be clearly stated in the documentation, or better, corrected in the code.

FIPTech, I'm not following you. I just did a test with 2 MikroTik's and 2 Cisco routers in GNS3. I used the new VLAN aware bridges with the PVID set to 1. I added an IP directly to the bridge. I setup the link between the MIkroTik's to send traffic untagged for VLAN1 and the Cisco routers to tag VLAN1 with an IP on that sub-interface.

This creates a situation where VLAN1 is untagged on the MikroTik's and tagged on the link to the Cisco devices. It all works fine and as expected you can see the tag applied out of the Cisco router into the MikroTik and then the tag is popped on it's way to the second MikroTik.

Now, you do have to tell the Cisco device what VLAN to assign untagged traffic to, in my case I picked 999 (random). You can't have untagged and tagged traffic on the same physical interface for the same VLAN. Think a trunk link, you have to set a native/untagged VLAN (1 by default) and you have to assign the VLANs that are tagged. Also, Cisco allows you tag all traffic including the default VLAN (a best practice similar to configuring a non-routable native) this just tells the Cisco switch to tag the default VLAN and drop any untagged packets. The take-away is you don't have a single interface with untagged and tagged packets on it. I can't speak for HP but if they are doing that it would seem like a loop or VLAN hop point to me.

Diagram (can't post images in this thread)

(m1) MikroTik Connected to c1 Cisco Router and m2 MikroTik

/interface bridge
add name=br-master1 protocol-mode=stp vlan-filtering=yes
/interface bridge port
add bridge=br-master1 interface=ether4
add bridge=br-master1 interface=ether1
add bridge=br-master1 interface=ether2
/interface bridge vlan
add bridge=br-master1 untagged=ether1,ether2 vlan-ids=999
add bridge=br-master1 tagged=ether1,ether2 vlan-ids=1

/ip address
add address=192.168.1.11/24 interface=br-master1 network=192.168.1.0

(m2) MikroTik connected only to m1 MikroTik

/interface bridge
add name=br-master1 protocol-mode=stp vlan-filtering=yes
/interface bridge port
add bridge=br-master1 interface=ether4

/ip address
add address=192.168.1.21/24 interface=br-master1 network=192.168.1.0

(c1) Cisco router config

interface FastEthernet0/0
 no ip address
 duplex auto
 speed auto
!
interface FastEthernet0/0.1
 encapsulation dot1Q 1
 ip address 192.168.1.31 255.255.255.0
!
interface FastEthernet0/0.999
 encapsulation dot1Q 999 native

Success

c1#ping 192.168.1.21 repeat 4

Type escape sequence to abort.
Sending 4, 100-byte ICMP Echos to 192.168.1.21, timeout is 2 seconds:
!!!!
Success rate is 100 percent (4/4), round-trip min/avg/max = 4/9/20 ms

idlemind · Tue Jul 11, 2017 6:31 pm

I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.

^^ Exactly the reason I create and use VLAN999 on all of my switch to switch (or VLAN speaking router) links as the untagged VLAN. I also ensure that no IP addressing is ever applied to VLAN999. This is 1 of 2 recommended approaches for dealing with VLAN hopping. The other is to tag all traffic including the native VLAN. This method is less common and essentially discards any untagged traffic (in a similar fashion as having it on a non-routable VLAN).

raffav · Tue Jul 11, 2017 6:41 pm

I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.
^^ Exactly the reason I create and use VLAN999 on all of my switch to switch (or VLAN speaking router) links as the untagged VLAN. I also ensure that no IP addressing is ever applied to VLAN999. This is 1 of 2 recommended approaches for dealing with VLAN hopping. The other is to tag all traffic including the native VLAN. This method is less common and essentially discards any untagged traffic (in a similar fashion as having it on a non-routable VLAN).

exactly
"native vlan" is most comum used to management and a good practice is to move the native to another vlan id

FIPTech · Tue Jul 11, 2017 9:50 pm

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..
I think he means "have vlan 1 tagged on some port, and at the same time have some other vlan untagged on that or another port".

While vlan 1 is nothing special, it would not be the first case where it causes problems to use it tagged. In the past I have
also tried to hunt down bugs on other manufacturer's switches, and even faced the situation where the manuf "could not reproduce"
the problem and it was because the Windows driver for the ethernetcard he uses to debug the problem (or maybe even Windows itself)
invisibly deleted a VLAN 1 tag from the packet even before wireshark gets it. Wireshark under Linux showed the problem clearly.

I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.

Yes, i mean put on the same trunk (hybrid) untagged traffic and tagged VLAN 1. This is not working with vlan aware bridges (except if you are using "PVID=something else than 1" to change the untagged traffic vlan-id).

Because vlan 0 is reserved, or used for priority when no specific vlan is necessary (normally considered as untagged by switches), it should be safer to use internally vlan-id=0 for untagged traffic.

This should remove the conflict between untagged and tagged vlan1.

Here is the dynamic vlan rule added for untagged traffic when you create a bridge :

1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether2

You can see here that if you add a tagged vlan with vlan-id=1, it will conflict with untagged traffic.

FIPTech · Tue Jul 11, 2017 9:55 pm

It is not possible to use untagged and tagged vlan-id=1 traffic at the same time.
you mean, untagged on some ports and tagged on others? or both untagged and tagged on the same port (schrodinger vlan)?..
I think he means "have vlan 1 tagged on some port, and at the same time have some other vlan untagged on that or another port".

While vlan 1 is nothing special, it would not be the first case where it causes problems to use it tagged. In the past I have
also tried to hunt down bugs on other manufacturer's switches, and even faced the situation where the manuf "could not reproduce"
the problem and it was because the Windows driver for the ethernetcard he uses to debug the problem (or maybe even Windows itself)
invisibly deleted a VLAN 1 tag from the packet even before wireshark gets it. Wireshark under Linux showed the problem clearly.

I think in a complex VLAN scenario with tagged/untagged use, one simply should not use VLAN 1 or not use it for something important.

Yes, i mean put on the same trunk (hybrid) untagged traffic and tagged VLAN 1. This is not working with vlan aware bridges (except if you are using "PVID=something else than 1" to change the untagged traffic vlan-id).

Because vlan 0 is reserved, or used for priority when no specific vlan is necessary (normally considered as untagged by switches), it should be safer to use internally vlan-id=0 for untagged traffic.

This should remove the conflict between untagged and tagged vlan1.

Here is the dynamic vlan rule added for untagged traffic when you create a bridge :

1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether2

You can see here that if you add a tagged vlan with vlan-id=1, it will conflict with untagged traffic.

I've used vlan1 tagged mixed with untagged traffic without problems in the past with procurve switches as well as Mikrotiks.

idlemind · Tue Jul 11, 2017 10:18 pm

Ya, I don't get why you'd want to do that. At the very least it would tell the switch to duplicate all traffic.

Say I have 2 MikroTiks, m1 and m2. They are connected by a single Ethernet connection, say ether1 on each. You literally want all untagged traffic to be treated as VLAN1 as well as tagging any VLAN1 traffic over that same link? At the very, very least you'd be sending all traffic that traverses that link for VLAN1 twice and likely in the old per VLAN STP bridges it was likely shutting one of the 2 paths off or ignoring the traffic from the underlying bridge by nature. Neither produce a best practices view in my personally opinion.

Now, you can take the same MikroTik's, m1 and m2. They could be connected by two Ethernet connections, say ether1 to ether1 and ether2 to ether2. For the ether1 connection VLAN1 could be untagged and ether2 it could be tagged and it wouldn't cause any problem.

All in all, we may not be understanding what you are trying to accomplish. I don't think there is any valid reason to remove untagged traffic mapping to PVID1 by default and assigning the IP for VLAN1 to the bridge. I'd simply reconfigure any offending switch (if the HPs do this well, 1 I'm not surprised and 2 setup the port to work appropriately). The same behavior is exhibited by other network hardware and I think the assumption comes from the IEEE dubbing VLAN1 the default VLAN which translates well to humans as untagged traffic by default.

Just my 0.02.

pe1chl · Tue Jul 11, 2017 11:28 pm

I've used vlan1 tagged mixed with untagged traffic without problems in the past with procurve switches as well as Mikrotiks.

I agree with you that it should work and indeed it does work on Procurve (I have such a scenario at work) but before that we had
switches from another manufacturer (no longer on the market, but its name started with a digit) and they behaved very curiously.

So, especially when setting up a new network, I would not recommend that setup. Either keep VLAN 1 untagged or use some other
VLAN number, as others already wrote. In the meantime, hope that MikroTik fixes it.

For an interesting time, configure a switch with multiple VLAN, with a hybrid port (VLAN 1 untagged and VLAN 2 and 3 tagged),
then configure monitoring of that port (mirroring to another port) and watch how the untagged VLAN appears on that port.
Look at both ingress and egress traffic for the untagged VLAN 1. Use a Linux box to watch it.

idlemind · Tue Jul 11, 2017 11:52 pm

Are you able to dump a configuration from the ProCurve's showing a single port untagged for VLAN1 and tagged for VLAN1? I'd be extremely surprised if that is the case as well as confused as to how that isn't at the least causing the link to bridge traffic twice if not forming a loop.

I know this is wandering dangerously off-topic of the actual content of the RC release so we may need to take it to a new thread. I can create one. At this point I'm more curious as to how something like that would actually work. I'm pretty sure what you're describing is definitely not standard behavior. The Cisco switches and routers I have in my lab won't let me do it. I don't have any ProCurve hardware to lab with, largely because they fall into the each model is configured differently category and that annoys me (at least since the 3com purchase).

FIPTech · Wed Jul 12, 2017 1:24 am

Are you able to dump a configuration from the ProCurve's showing a single port untagged for VLAN1 and tagged for VLAN1? I'd be extremely surprised if that is the case as well as confused as to how that isn't at the least causing the link to bridge traffic twice if not forming a loop.

I know this is wandering dangerously off-topic of the actual content of the RC release so we may need to take it to a new thread. I can create one. At this point I'm more curious as to how something like that would actually work. I'm pretty sure what you're describing is definitely not standard behavior. The Cisco switches and routers I have in my lab won't let me do it. I don't have any ProCurve hardware to lab with, largely because they fall into the each model is configured differently category and that annoys me (at least since the 3com purchase).

No you are right tagged for vlan1 and untagged for vlan1 at the same time on the same port is not possible.
But it is definitely possible to have tagged vlan 1 on a port, and untagged vlan 1 on other ports.

With a Ros vlan aware bridge, untagged traffic goes (default situation) to vlan 1. But if you create a vlan interface on the bridge with vlan-id=1, it does not seem possible to get tagged traffic on it.

This is the problem. I can't understand why untagged traffic is assigned vlan 1. Untagged by default should go to the native bridge interface (this is the case actually), but should not steal vlan-id=1 so that we can use tagged traffic with vlan-id=1. untagged should use a special vlan marker internally, not in the range 1-4094. 0 should be possible i think, or something else out of the normal vlan range.
I've just make a try that is confirming a not working vlan1 vlan interface on the bridge.

In short, with the default untagged vlan-id=1 assignation, it is not possible to bridge a tagged traffic with vlan-id=1 isolated from the untagged traffic.

This vlan rule, dynamically created, show that :

 1 D bridge=bridge vlan-ids=1 tagged="" untagged="" current-tagged="" current-untagged=bridge,ether2

idlemind · Wed Jul 12, 2017 3:33 am

... and migration complete. I'm switched over to RouterOS doing MSTP with 1 of my Cisco switches and inter-VLAN routing. The hex is also talking plain STP (fallback) with another one of my Cisco switches so I have redundant uplinks. The hex is also doing inter-VLAN routing. All of my VLANs are dual-stack (IPv4/6) without any problems so far.

Now ... to do some speed tests and eventually try adding a WLAN or virtual AP interface in as a bridge port to ensure that works. Right now my lab WiFi is provided by an OpenWRT TP-Link.

sparker · Wed Jul 12, 2017 8:02 am

Can show a simple example of the configuration of the MSTP between the three MikroTik permissible?

Wed Jul 12, 2017 12:36 pm

Here is a simple MSTP configuration example for insight. It could be used on 3 routers connected in a ring.

#1) Create a bridge with ports:

/interface bridge
add name=bridge1 protocol-mode=none vlan-filtering=no

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2

#2) Configure VLANs:

/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=20
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=30
add bridge=bridge1 tagged=bridge1,ether1,ether2 untagged="" vlan-ids=40

#3) Assign VLANs to MST instances:

/interface bridge msti
add bridge=bridge1 identifier=1 vlan-mapping=10,20
add bridge=bridge1 identifier=2 vlan-mapping=30,40

#4) Enable VLAN Filtering and MSTP:

/interface bridge set bridge1 protocol-mode=mstp vlan-filtering=yes

#5) Check MSTP status:

/interface bridge msti monitor [find]

Wed Jul 12, 2017 12:53 pm

Version 6.40rc38 has been released.

Important note!!! Backup before upgrade!
RouterOS v6.40rc36 contains new bridge implementation that supports hardware offloading (hw-offload).
This update will convert all interface "master-port" configuration into new bridge configuration, and eliminate "master-port" option as such.
Bridge will handle all Layer2 forwarding and the use of switch-chip (hw-offload) will be automatically turned on based on appropriate conditions.
The rest of RouterOS Switch specific configuration remains untouched in usual menus for now.
Please, note that downgrading to previous RouterOS versions will not restore "master-port" configuration, so use backups to restore configuration on downgrade.

Before an upgrade:
1) Remember to make backup/export files before an upgrade and save them on another storage device;
2) Make sure the device will not lose power during upgrade process;
3) Device has enough free storage space for all RouterOS packages to be downloaded.

Changes since previous 6.40rc release:
*) certificate - update and reload old certificate with new one if SKID matches;
*) email - added support for multiple attachments;
*) firewall - added "none-dynamic" and "none-static" options for "address-list-timeout" parameter;
*) firewall - fixed crash on fasttrack dummy rule manual change attempt;
*) ikev2 - fixed duplicate policy checking with "0.0.0.0/0" policies;
*) lte - added initial fastpath support (except SXT LTE and Sierra modems);
*) mmips - added support for NVME disks;
*) ppp - added output values for "info" command for finding the GSM base station's location ("LAC" and "IMSI");
*) ppp - fixed "user-command" output;
*) quickset - simplified LTE status monitoring;
*) rb1100ahx4 - fixed startup problems (requires additional reboot after upgrade);
*) ssl - added Wildcard support for "left-most" DNS label (will allow to use signed Wildcard certificate on VPN servers);
*) userman - do not send disconnect request for user when "simultaneous session limit reached";
*) userman - added "/tool user-manager user clear-profiles" command;

If you experience version related issues, then please send supout file from your router to support@mikrotik.com. File must be generated while router is not working as suspected or after crash.

John39 · Wed Jul 12, 2017 1:52 pm

The new update does not solve the problem I described earlier
viewtopic.php?f=21&t=123335&start=50#p607285

Wed Jul 12, 2017 2:32 pm

John39 - There are no related fixes mentioned in chagelog. Have you contacted support@mikrotik.com? Are you sure that problem was introduced in 6.40rc version and downgrade to older version fixes this problem?

SPKA16 · Wed Jul 12, 2017 2:45 pm

*) lte - added initial fastpath support (except SXT LTE and Sierra modems);

Any updates when we can expect fastpath support for PPPoE Client interfaces?

Wed Jul 12, 2017 3:06 pm

Any updates when we can expect fastpath support for PPPoE Client interfaces?

It is supported since 6.35. And there also were improvements in 6.39. Check changelogs out for details.

Cha0s · Wed Jul 12, 2017 3:10 pm

Any updates when we can expect fastpath support for PPPoE Client interfaces?
It is supported since 6.35. And there also were improvements in 6.39. Check changelogs out for details.

It doesn't work on RB850Gx2.

Wed Jul 12, 2017 4:03 pm

Please take a look at list of supported router models:
https://wiki.mikrotik.com/wiki/Manual:Fast_Path

Also please note that this topic is created for discussions related to 6.40rc release. Please create new topics for unrelated questions or write directly to support@mikrotik.com

Wed Jul 12, 2017 4:19 pm

It doesn't work on RB850Gx2.

RB850Gx2 Ethernets doesn't have fastpath support, MT doesn't have their own driver there, they use ones provided by CPU manufactures so that IPsec hardware acceleration works. I asked about this at the MUM.

John39 · Wed Jul 12, 2017 4:34 pm

John39 - There are no related fixes mentioned in chagelog. Have you contacted support@mikrotik.com? Are you sure that problem was introduced in 6.40rc version and downgrade to older version fixes this problem?

No.I thought this problem can be solved on the forum.

John39 - There are no related fixes mentioned in chagelog. Have you contacted support@mikrotik.com? Are you sure that problem was introduced in 6.40rc version and downgrade to older version fixes this problem?

Yes, I'm sure the upgrade to version 6.39.2 or earlier fixes this problem.

doneware · Wed Jul 12, 2017 6:43 pm

*) mmips - added support for NVME disks;

what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...

anuser · Wed Jul 12, 2017 8:10 pm

*) mmips - added support for NVME disks;
what possible current mmips based router has slot/interface to get an nvme ssd attached to it?

Preparing for the future: viewtopic.php?f=2&t=121533

raffav · Wed Jul 12, 2017 11:36 pm

@ Mikrotik Staff

using CRS125-24G-1S-2HnD is better/more performace
using this new way or keep using the switch menu
for trunk/access vlan ?

idlemind · Thu Jul 13, 2017 1:30 am

I'm noticing with 6.40rc36 on a hex (gr3) traffic that has to pass from my wired network (cisco switches) to my wireless side (openwrt) begins to get roughly 50% packet loss after ~6 hours. It happened overnight into this morning and now again at the end of the day. The OpenWRT AP is running Chaos Calmer and connected to an "access" port of a new VLAN aware bridge running MSTP.

interface bridge vlan print 
Flags: X - disabled, D - dynamic 
 #   BRIDGE                                                               VLAN-IDS  CURRENT-TAGGED                                                              CURRENT-UNTAGGED                                                             
 0   br1                                                                  1         eth2                                                                        br1                                                                          
                                                                                    eth3                                                                       
 1   br1                                                                  11        br1                                                                         eth4                                                                         
                                                                                    eth2                                                                       
                                                                                    eth3                                                                       
 2   br1                                                                  12        br1                                                                        
                                                                                    eth2                                                                       
                                                                                    eth3                                                                       
 3   br1                                                                  41        br1                                                                        
                                                                                    eth2                                                                       
                                                                                    eth3                                                                       
 4   br1                                                                  42        br1                                                                        
                                                                                    eth2                                                                       
                                                                                    eth3                                                                       
 5   br1                                                                  999       br1                                                                         eth2                                                                         
                                                                                                                                                                eth3

As soon as I reboot the OpenWRT router it begins to act normally again, this ran fine with the original software bridges for several months without ever doing this. I'll be upgrading to rc38 tonight yet but I don't expect it to fix it.

^^ EDIT 1: Ignore this, I'm pretty sure this was a bad AP. I replaced it with a cap lite and it's been working great since. Just a very random time for the AP to have problems I think.

raffav · Thu Jul 13, 2017 2:56 am

@ Support
it not first time that this happens

Thu Jul 13, 2017 7:12 am

*) mmips - added support for NVME disks;

what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...

Maybe M33 ??
https://mum.mikrotik.com/presentations/EU17/2017-eu.pdf
second to last slide

sparker · Thu Jul 13, 2017 7:20 am

Here is a simple MSTP configuration example for insight. It could be used on 3 routers connected in a ring.

Many thanks!

null31 · Thu Jul 13, 2017 8:19 am

I upgraded the CHR to rc38 from rc36.
No firewall rules, no bridges and no master-ports configured before the upgrade.
I have only the dude server running there.

Is this error normal after the reboot to upgrade?

Thu Jul 13, 2017 10:40 am

null31 - Do not worry. This message should not appear on CHR. We will fix this in upcoming releases and get rid of unrelated error message after upgrade.

Thu Jul 13, 2017 2:40 pm

*) mmips - added support for NVME disks;

what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...

The upcoming RouterBoard M3 has a M.2 slot which could be used for a NVMe SSD....

blingblouw · Thu Jul 13, 2017 4:22 pm

*) mmips - added support for NVME disks;

what possible current mmips based router has slot/interface to get an nvme ssd attached to it? afaik nvme is pcie, and the hexR3 (the sole mmips based mikrotik device) doesn’t have anything similar...
The upcoming RouterBoard M3 has a M.2 slot which could be used for a NVMe SSD....

What is this?

null31 · Thu Jul 13, 2017 5:09 pm

What is this?

Page 42.
https://mum.mikrotik.com/presentations/ ... 937069.pdf

msatter · Fri Jul 14, 2017 12:10 am

IMPORTANT INFORMATION ON 6.40RC38

Yes, everything that saves to file from console is broken, export to file print to file etc. We will try to fix this in future rc versions.

viewtopic.php?f=1&t=123497#p607883

In the current RC (6.40RC38) or since the new bridge setup instead of master-slave ports I get a big drop in speed on PPPoE after an few hours. Under heavy load but with fastracking then one of the four cores goes to 100% on upload and download about it is 85%. The last core is mostly used.

When doing the speedtest I got with (pre-RC36) Master-Slave directly the maximum download speed, with the Bridge there is a build-up to normal speed. So it burst-ed well over 700Mbit/s and dropped to 235Mbit/s and now it is maximum 200Mbit/s after the build-up.

Update: this morning after 8 uptime of the PPPoE, the speeds are still as they should be so I will check later today how the speed are.

msatter · Fri Jul 14, 2017 2:28 pm

Not getting happier about this and I had to revert back current 39.2 to have my settings back. The backups I have all say "provide password" and I what am think WHAT password!!!! I tired many but none did work so that means all my carefully made backups are toast or is there some way to use them. The export .rsc are all trowing errors so that is also a no go.

This sets me back a few months in changes made in firewall and a lot of scripting I did in that time. I cant even go back to 6.40rc38 because of I have only the .backup and no .rsc.

Is there a reliable way to backup you settings so one can restore their router in case of disaster?

So back ot Bridge and Master. The load on the cores are with master more even and none is stressed to the utmost.

With bridge I have 100% on core four and with Master I have maximum 67% on one of the cores on upload.

I wanted to show two pictures showing the difference in speed but I can't find the attach option any more. So bad luck all the way.

raffav · Fri Jul 14, 2017 2:36 pm

Not getting happier about this and I had to revert back current 39.2 to have my settings back. The backups I have all say "provide password" and I what am think WHAT password!!!! I tired many but none did work so that means all my carefully made backups are toast or is there some way to use them. The export .rsc are all trowing errors so that is also a no go.

This sets me back a few months in changes made in firewall and a lot of scripting I did in that time. I cant even go back to 6.40rc38 because of I have only the .backup and no .rsc.

Is there a reliable way to backup you settings so one can restore their router in case of disaster?

So back ot Bridge and Master. The load on the cores are with master more even and none is stressed to the utmost.

I wanted to show two pictures showing the difference in speed but I can't find the attach option any more. So bad luck all the way.

When you press the backup button on winbox is encrypted by default, if you don't set up password you locked out,you lost the backup.. [emoji30]
2 options
Check don't the box to don't set password or put a password on

Enviado de meu XT1580 usando Tapatalk

msatter · Fri Jul 14, 2017 2:43 pm

Got lucky and could revert to 6.40rc32 and use the backup that I so carefully made......YEAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAAH

So I am back to a situation of only seven day's ago and I am happy there.

I thinking now that it is more to it. I did try before to restore that same backup in the process.
It seems that I have to go first to pre-RC and than back to upgrading to the RC of which I have the backup.

I don't want try to restore the backup of 6.40rc38 because of the bridge behavior.

imanewbie · Sat Jul 15, 2017 6:23 pm

Unable to export configuration to a file

Is anyone else having this issue? I can run /export from the CLI, but if I do:

/export file=x (or /export file="x")

No files get created.

I'm trying on both a CCR1016-12G and on a hAP ac.

Thanks,
Tom

Zaffo · Sat Jul 15, 2017 8:16 pm

Unable to export configuration to a file
(...)
Tom

Known issue. See viewtopic.php?f=1&t=123497#p607883

I ran into this myself today while trying out the new bridge implementation, took me a sec to remember I had read something about it. Does anyone know if there is a list of known issues kept somewhere we can see it?

boldsuck · Sat Jul 15, 2017 10:20 pm

Unable to export configuration to a file

Is anyone else having this issue? I can run /export from the CLI, but if I do:

/export file=x (or /export file="x")

No files get created.

I had the same problem yesterday. RB2011UAS

I thought I was too stupid to find the file.

ISSUE since rc38
Webfig:
No File download possible
ftp download is OK

msatter · Sat Jul 15, 2017 10:27 pm

Give it a rest. It is known at Mikrotik and they will fix it before the final version...I assume.

Chupaka · Mon Jul 17, 2017 2:52 pm

WinBox: in IP -> Neighbours it says 'UPtime'. Should be 'Uptime', I believe

kometchtech · Mon Jul 17, 2017 4:34 pm

Unable to export configuration to a file

Is anyone else having this issue? I can run /export from the CLI, but if I do:

/export file=x (or /export file="x")

No files get created.
I had the same problem yesterday. RB2011UAS
I thought I was too stupid to find the file.

ISSUE since rc38
Webfig:
No File download possible
ftp download is OK

It seems that it was corrected by rc41 as in Changelog of RouterOS 6.40rc41.
It applied by CCR 1009 and confirmed.

idlemind · Mon Jul 17, 2017 5:22 pm

Speaking of rc41 ... No announcment on the forums yet.

Most curiously:

!) bridge hw-offload implementation reverted back to pre-6.40rc36 state (testing will continue in v6.41rc);

^^ MikroTik, what does this mean for rc38 to rc41? Will our bridge configs be mangled or useless? Will the become full software based VLAN aware bridges?

Chupaka · Mon Jul 17, 2017 5:30 pm

No more IGMP Snooping?

Mon Jul 17, 2017 6:31 pm

v6.40 is scheduled for release, so we reverted hw-offload as well as igmp-snooping, because it requires more testing and bugfixes.
Most likely it will be back in v6.41rc

pe1chl · Mon Jul 17, 2017 7:06 pm

Does that mean that "master port" functionality will remain? Or will everything still be converted to bridges but now without hw offload and IGMP snooping?

upower3 · Mon Jul 17, 2017 7:34 pm

There is one interesting line in CHANGES for 6.40.rc42:

*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;

Is it possible to know since which version this bug exists? 6.39 is vulnerable or not, for CCR1009?

idlemind · Mon Jul 17, 2017 9:08 pm

v6.40 is scheduled for release, so we reverted hw-offload as well as igmp-snooping, because it requires more testing and bugfixes.
Most likely it will be back in v6.41rc

I'll keep on 6.40rc38 until 6.41rc hits the downloads then. Can't say i'm interested in reverting my new VLAN aware bridges back to the old way and then back again into VLAN aware bridges. Good progress. Don't fall asleep at the wheel. I hope you guys got some good initial testing on MSTP / VLAN ware bridging.

Xymox · Mon Jul 17, 2017 9:53 pm

Well... That was fun... hahahaha..

Not exactly sure what happened on my CCR, it seemed fine at first.. My bridges seemed fine. I have no master/slave ports.. That was last nite.. This morning I wake up and things are astray.. I have a DNS server and its TX port on ethernet seems to have nothing coming from it. Ive hooked it to a few devices. So something in a Linux server has gone astray - really odd timing if its unrelated.. The CCR is still working I just changed to a external DNS to bypass the server and all is well. Im going to look at the server shortly.

I moved back to the stable release during troubleshooting on the CCR.

When i read the warning about backing up, I decided to copy over to a partition before doing anything. You guys should recommend that more often. Its a great reason to have partitions. I have not flipped back yet, but, I think I will as going from 38 to 41 who knows...

Now the more interesting router was the 2011UiAS-2HnD ... While that seemed to work ok and I did not notice any obvious networking issues, the display light was now tied to port one activity light. So the display was going on/off with the activity light.. SOrta "Help me ! Im in trouble here !"... haha..

Your beta's are normally pretty much like stable releases. So im sure to a lot of people this might have been alarming to have issues with a beta. BUT. I found your beta procedures really great. Your WARNED EVERYBODY - DO A BACKUP -.. In my case I READ the release notes before pushing the button. So I grabbed EVERYTHING off each router and then set a partition before running the beta.. SO for me these were ZERO issues when things got weird.

Not sure any of the above really helps with the beta test, but I try and give feedback when on a beta and something goes astray.

Xymox · Mon Jul 17, 2017 9:59 pm

Everybody using RC's should also be using partitions. This makes for instant fall back and no worries.

Xymox · Mon Jul 17, 2017 11:41 pm

Hmmm.. Did I see the routerboard firmware go from 3.33 to 3.39 during that someplace ? Maybe I have just not checked in a while. It would be a lot more annoying to have to fact reset it to get back to its factory 3.18 and then update firmware and then restore settings from a export/import.

Hopefully 3.39 in routerboard firmware is OK to use with 6.40.RC21 ? or 6.39.2 ?

I saw a lot of weird things occur on my network. I cant say they are related, but, ive never had anything go wacky in 6 months and then everything went wacky at the same time I did 6.40RC38..Then 41..

That was a pretty weird set of events. Im back on 6.39.2 on the 2011 and 6.40.RC21 on the CCR. These were my last stable partitions.

Maybe cuz it was monday ?

idlemind · Tue Jul 18, 2017 1:59 am

I confirmed w/6.40rc41 the VLAN aware bridges are reverted. I did not test what happens when they are reverted when upgrading from 6.40rc38 to 6.40rc41. Also, odd to have such limited communication on the release from MikroTik.

When can we expect to see 6.40 announced and 6.41rc started back with the VLAN aware implementation.

Tue Jul 18, 2017 8:59 am

What's new in 6.40rc41 (2017-Jul-17 09:03):

!) bridge hw-offload implementation reverted back to pre-6.40rc36 state (testing will continue in v6.41rc);
!) wireless - added Nv2 AP synchronization feature "nv2-modes" and "nv2-sync-secret" option;
*) bonding - fixed 802.3ad mode on RB1100AHx4;
*) export - fixed export to a file (introduced in v6.40rc39);
*) hotspot - added "address-list" support in "walled-garden" IP section;
*) hotspot - fixed firewall accept rules created by "/ip hotspot walled garden ip" (introduced in v6.40rc18);
*) ike1 - create tunnel policy when no split net provided;
*) ike1 - wait for cfg set reply before ph2 creation with xAuth;
*) ipsec - allow to specify chain in "firewall" peer option;
*) ppp - fixed non-standard PAP or CHAP packet handling;
*) pppoe-server - fixed situation when some of 100+ pppoe-servers can become invalid on reboot;
*) routerboard - added "caps-mode" option for "reset-configuration";
*) sfp - fixed invalid temperature reporting when ambient temperature is less than 0;
*) winbox - make IPSec policies table an order list;
*) winbox - show "/interface wireless cap print" warnings;

Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.

The choices are:
1) reconfigure and repair by hand
2) wait until 6.41RC

Xymox · Tue Jul 18, 2017 11:46 am

This was very easy to roll back with a partition. Just make the partition active that was right before the upgrade. Took seconds.. As I mentioned, everyone doing RCs should use partitions. I copy my current RC and config over to a partition before I try out a new RC. Any issue, I just move back..

I had to with 38, upgraded to 41. On the 2011 it was still causing the display to flash. So 41 did not fix something from 38. So I "made active" my original partition and the issue was gone.

I really think Mikrotik should discuss using partitions in addition to backups.

expert · Tue Jul 18, 2017 12:16 pm

I really think Mikrotik should discuss using partitions in addition to backups.

Can I make partition(s) on my mAP Lite? It has only 32MB disk space.

bajodel · Tue Jul 18, 2017 12:17 pm

This was very easy to roll back with a partition. Just make the partition..

You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
There is no common sense in putting 16mb flash on new devices.. IMHO .. the real reason is obviously NOT save 2 bucks

bratislav · Tue Jul 18, 2017 12:31 pm

I really think Mikrotik should discuss using partitions in addition to backups.
Can I make partition(s) on my mAP Lite? It has only 32MB disk space.

Are you sure about that? mAP lite should have 64MB RAM and 16MB flash ... and no you cant use partitions ...

anuser · Tue Jul 18, 2017 2:04 pm

After upgrading from 6.40rc38 to 6.40rc41 I do not see any 5Ghz client being connected on many of my WAP AC devices. Normally I get a ratio of 60:40 for 2.4Ghz:5Ghz.

biatche · Tue Jul 18, 2017 3:21 pm

This was very easy to roll back with a partition. Just make the partition active that was right before the upgrade. Took seconds.. As I mentioned, everyone doing RCs should use partitions. I copy my current RC and config over to a partition before I try out a new RC. Any issue, I just move back..

I had to with 38, upgraded to 41. On the 2011 it was still causing the display to flash. So 41 did not fix something from 38. So I "made active" my original partition and the issue was gone.

I really think Mikrotik should discuss using partitions in addition to backups.

+1

This is a wonderful idea. I didn't even know this was possible till you mentioned so as well some means to boot once off a secondary partition?

Chupaka · Tue Jul 18, 2017 5:11 pm

https://wiki.mikrotik.com/wiki/Manual:I ... pt_example

DHCP-Client does not run 'script=' on lease refresh (e.g. when gateway changes but IP address stays the same).

idlemind · Tue Jul 18, 2017 5:40 pm

Important: This means all the new bridge/switch/igmp-snooping functionality is removed and will return in 6.41rc. The reason is that we found that these new features need more testing, and v6.40 was too close to release, so it would delay the release for some time. Those of you who used the RC, there is no painless way to upgrade or downgrade.

Normis, what is the time-line for 6.40 GA and 6.41rc?

pe1chl · Tue Jul 18, 2017 7:15 pm

This is a wonderful idea. I didn't even know this was possible till you mentioned so as well some means to boot once off a secondary partition?

It can boot off the secondary partition when booting off the first partition fails. Although it is not clearly defined what failing to boot really means.
I would have liked some feature like "boot off secondary partition when internet connection (or some VPN) fails to establish within X minutes" but
you will have to program that yourself using a script, and it is not straightforward, you cannot e.g. use a "/tool netwatch down-script" directly because
it is ALWAYS called on reboot.

Furthermore, unfortunately the use of partitions is no longer possible on the low-end models of the current product programme. A year or two ago
the low-end models still had enough flash to use partitions, but today many models have ony 16GB flash.

idlemind · Tue Jul 18, 2017 7:41 pm

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

buzzdee · Tue Jul 18, 2017 10:41 pm

As of version 6.37 I had some trouble using RoMon with R52 equipped devices in station mode.
viewtopic.php?f=21&t=114926&p=569766#p569766

The 6.40rc's i've tried so far (6.40rc32 and 6.40rc41) have solved this issue.

qq4569712 · Tue Jul 18, 2017 10:42 pm

Currently RouterOS6.40rc does support any of EAP authentication methods?
Yes, the below methods.

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad

null31 · Tue Jul 18, 2017 11:45 pm

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad

The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).

I forgot to ask.
Do you want the Mikrotik as EAP Client or as EAP Access Point?
The print that I showed is about EAP Client.

Now about EAP AP:
Page 16.
> https://mum.mikrotik.com//presentations ... 009077.pdf (Spanish language)

biatche · Tue Jul 18, 2017 11:59 pm

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

+1

MT products come to many of us as an enterprise product, failover/secondary boot would be awesome. Of course I'll mention it in feature requests later otherwise that @andriys will flame for 'spamming' this thread.

Wed Jul 19, 2017 12:36 am

You are right, but try to use partitioning on a hEX (or any other "zero flash") devices!
There is no common sense in putting 16mb flash on new devices.. IMHO .. the real reason is obviously NOT save 2 bucks

This does seem strange in today's world.... but then again, as Idlemind points out - $2 for every unit sold can translate to hundreds of thousands or millions of dollars less in profits for a particular unit if it's popular...

bajodel · Wed Jul 19, 2017 3:36 am

.. less in profits ..

I see yours point, but ..

hEX/RB750Gr3 >> 5 Gbit ethernet, poe in, CPU with 4 Threads 2 core 880 MHz, usb port, sd port, 256 mb ram, voltage sensor and pcb temp sensor.. and 16mb flash !?

I think there were other rooms for saving 2 $ , why put 256 mb ram and quad core cpu .. temp and voltage monitor, usb and SD interfaces..
I can easily understand that design choice on a mAP or similar device, but on hEX it's seems unbalanced.. IMHO.

qq4569712 · Wed Jul 19, 2017 8:40 am

In the V6.40rc41 version, I can not find this option. Please tell me the details of the setup steps and methods, thanks. Please forgive me, my English is very bad
The EAP section is on Wireless > Security Profiles > Profile entries (via winbox).

I forgot to ask.
Do you want the Mikrotik as EAP Client or as EAP Access Point?
The print that I showed is about EAP Client.

Now about EAP AP:
Page 16.
> https://mum.mikrotik.com//presentations ... 009077.pdf (Spanish language)

Thanks null31, i try to try mikrotik route to build an iKEV2 VPN server, i have no radius, my client is windows7, i read wik i but still can not succeed. Would you like to help me?

bratislav · Wed Jul 19, 2017 12:10 pm

You got this wrong ... flash chips are declared in Megabits ... so the prices you found are for 4MB, 32MB and 128MB respectively ...

I'm with you guys. I'm not sure what class embedded designers are taught to use tiniest flash chip available on the market but I'd like to alter that curriculum. That said, I do get that in the hardware world, cents does multiply out to dollars when the sale quantity gets high enough. It seems like an area were you could cheaply separate yourself from other router brands even with a 128mb or 256mb flash chip.

For poops and giggles, a quick google search shows:

0.61 USD = 32MB flash chip
3.43 USD = 256MB flash chip
9.52 USD = 1GB flash chip

These numbers are very quick and dirty. Naturally the product would have to be vetted to make sure it fits the design and volume purchase discounts could soften the cost. I was just hoping to put a cost per unit for the upgrade into print in hopes of giving us all a little perspective on what kind of price impact we'd see if MikroTik moved to larger chips and passed that cost onto consumers. A device like the hap AC already in that +100 USD cost may handle an additional ~9 USD different easier than say a cap lite. I personally would be very happy with a 256MB (even 128MB) upgrade at a ~3 USD impact per device across the product line. The cost increase for storage capacity would be a justifiable reason that would increase my likelyhood to purchase MikroTik. That is just me, I can't speak for all forum members in all markets.

qoole · Wed Jul 19, 2017 2:18 pm

You got this wrong ... flash chips are declared in Megabits ... so the prices you found are for 4MB, 32MB and 128MB respectively ...

I don't think he did get it wrong, 8gbit (1gbyte) FLASH on digikey can cost as little as between $6.16 (each in 1000 of quantity) and $9.45 (each in 1 of quantity).
That's Micron branded stuff too.

Digikey search: https://goo.gl/4ACaA5

msatter · Wed Jul 19, 2017 2:54 pm

I have myself a RB750Gr3 and have indeed had some troubles with only 16MB flash. After getting some direction by Mikrotik I got the way it is meant to work. Firm upgrades don't are uploaded to the flash but the RAM.

It works very well and a liitle over half of the Flash os used for the firmware. All the stuff that not has to survive a restart is put in RAM.

To save stuff that has to be saved but not in the flash for that you can put SD card in.

I am very satisfied how all this works and if needed Mikrotik can put extra loadable packages on the SD card.

The Mikrotik not that expensive for the value you get back and constant development is a great addition.

On that development I advise to activate besides RC also development for the bold steps like Master to Bridge because many are using RC as current and a rollback is not without some nasty catches as I had to undergo. The solution was for me to flash the current and the step to to the wanted RC. Otherwise the backups made before were not usable.

Wed Jul 19, 2017 3:08 pm

Mikrotik will not put extra loadable packages to external storage due to safety reasons. And 16MB flash is really too small because it does not allow you to use multiple partitions for your safety purposes.

msatter · Wed Jul 19, 2017 8:37 pm

Ehm, putting packages even on the SD is not smart but I was carried away by the thought of Mikrotik offering compression not only in the. npk files.

Maybe a plus version of the low cost routers is doable allowing more advanced users to have space to use partitions and the CPU supports that.

Kindis · Thu Jul 20, 2017 12:28 am

Can we close this thread and open a new one with a better title as the new bridge is removed. Less confusing

Chupaka · Thu Jul 20, 2017 11:16 am

Renamed the topic a bit

anuser · Fri Jul 21, 2017 1:12 pm

I´m standing directly in front of the WAP AC and got disconnect with group key timeout on 5Ghz while downloading files (Sony Z1 Compact with Android 5.1) RouterOS release is 6.40.rc41
I updated to routerboard firmware: 3.39 before I saw this behavior. How can I downgrade routerboard firmware?

pe1chl · Fri Jul 21, 2017 2:29 pm

You can downgrade RouterOS, it is not required to downgrade the firmware.
Just select the "Current" branch in System->Packages->Update.

mducharme · Sun Jul 23, 2017 9:21 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

upower3 · Sun Jul 23, 2017 9:24 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

Better use API call, will be faster way I suppose, like

/interface/wireless/registration-table

and play with.

Cha0s · Sun Jul 23, 2017 9:32 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
Better use API call, will be faster way I suppose, like
Code: Select all
/interface/wireless/registration-table
and play with.

This is not realistic.
SNMP is the defacto standard. All monitoring software (Cacti, Observium/LibreNMS, etc) supports SNMP. None that I know of supports RouterOS API. At least not without custom/3rd party plugins.

You can already monitor the signal using SNMP but you only get a MAC Address to identify the client by and it's not really easy to tell which is which as mducharme mentioned.

upower3 · Sun Jul 23, 2017 9:38 pm

This is not realistic.

I do understand your pain but Mikrotik is quite slow with SNMP so far. Keep asking, maybe one day?..

What I can offer (well, kind of) is to use you own SNMP server software to reply to specific SNMP requests while query MT's API for information. Not nice at all but at least it'll work.

I did that trick with Zabbix by feeding values to Zabbix server with zabbix-send for values I wasn't able to get via SNMP. I compute the list of calls I need to do, then connect to mikrotik, run one by one these requests and in one bunch send it via zabbix-send. So to say, it lowered the burned o MT CPU, since every new connection (with auth) seems to adds up load.

Dirty and unstable trick, I know, for API calls may be changed one day, but the same is true for OIDs.

Cha0s · Sun Jul 23, 2017 9:50 pm

For a single router or even a few, I understand that this is a solution. I've done similar stuff myself for BGP monitoring.

But when you already manage hundreds of routers with limited access policy (ie: NO API) using these kinds of 'hacks' are not scalable or manageable. Hence not realistic for production environment.

Not to mention the fact that you will flood the logs with tons of API logins/logouts every X (usually 1 or 5) minutes.
And disabling the logins logging is not realistic either

upower3 · Sun Jul 23, 2017 10:24 pm

scalable or manageable. Hence not realistic for production environment.

Oh, I see you're wise person already, will not teach you this way

I can't say how many routers you need to monitor from you initial question. Yes, let's wait for MT to help with this.

They should add scripting into SNMP server, so you can set OID and which script to execute to reply the query

This is where MT win all the time - scripting!

biatche · Sun Jul 23, 2017 10:51 pm

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.

+1 support for this

pe1chl · Sun Jul 23, 2017 11:10 pm

They should add scripting into SNMP server, so you can set OID and which script to execute to reply the query This is where MT win all the time - scripting!

That feature is actually available! But it is a bit hard to find and understand.

Jotne · Mon Jul 24, 2017 12:32 am

Any chance you could add 'Radio Name' in the SNMP wireless registrations table? It is great having graphs of wireless clients but I do not know which is which without the name. Thanks.
+1 support for this

+1

I do use SYSLOG and SNMP with SPLUNK to get all what I need for monitoring.

idlemind · Mon Jul 24, 2017 1:28 am

APIs are good but tbh SNMP is far easier to work with in NMS tools. I've found a handful of OIDs I'd really like to see supported. Particularly IPv6 traffic tracking and connection counts. Saying it's solved with scripting to custom OIDs is a total hack over supporting standardized mibs.

mducharme · Mon Jul 24, 2017 6:33 am

APIs are good but tbh SNMP is far easier to work with in NMS tools. I've found a handful of OIDs I'd really like to see supported. Particularly IPv6 traffic tracking and connection counts. Saying it's solved with scripting to custom OIDs is a total hack over supporting standardized mibs.

Yes, and adding the "Radio Name" field is something that should, IMO, be relatively easy for them to do.

pe1chl · Mon Jul 24, 2017 11:59 am

that should, IMO, be relatively easy for them to do.

There is probably a list of things that are relatively easy to do that is so long that it requires considerable effort to sort it all out...

upower3 · Mon Jul 24, 2017 12:46 pm

By the way, I now can see two block diagrams for routers, one for non-switched config and other is for switched. So as 6.41 is out both still be there but "switched" become "attached to the same bridge", right?

Also, on this diagram:

am I right to say that if I set 2-4 ports to be switched, and port 1 as non-switched, then port 1 will be 1 Gbps, and four remaining will share another 1 Gpbs in routing scenario?

idlemind · Mon Jul 24, 2017 5:31 pm

By the way, I now can see two block diagrams for routers, one for non-switched config and other is for switched. So as 6.41 is out both still be there but "switched" become "attached to the same bridge", right?

Also, on this diagram:

am I right to say that if I set 2-4 ports to be switched, and port 1 as non-switched, then port 1 will be 1 Gbps, and four remaining will share another 1 Gpbs in routing scenario?

Running 6.40rc38 (won't be upgrading until 6.41rc is released) I don't get hardware offload on any ports. That's ok for me because I have the hex doing intervlan routing which is done in CPU anyways per MikroTik support. I have a separate layer 2 switch that is capable of faster speeds between the hex and my various devices for intravlan traffic.

HeadCraft · Tue Jul 25, 2017 11:39 am

As in v6.39.2 still not changing dynamic ipsec src. address in policies and peers, when setting it in ipip tunnel interface in local address setting. And if I delete dynamic entries in ipsec policies or peers, the will not appear anymore until reboot, or set another dst address.

Tue Jul 25, 2017 11:47 am

@HeadCraft be more specific, what you described works:

[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0 
[admin@rack1_b3] /interface ipip> print 
Flags: X - disabled, R - running, D - dynamic 
 #     NAME         MTU ACTUAL-MTU LOCAL-ADDRESS   REMOTE-ADDRESS       KEEPALIVE                               DSCP
 0     ipip-tu...  auto       1480 1.1.1.1         1.1.1.2              10s,10                               inherit
 
 [admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2 
[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0

HeadCraft · Tue Jul 25, 2017 3:02 pm

@HeadCraft be more specific, what you described works:

[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=1.1.1.1/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0 
[admin@rack1_b3] /interface ipip> print 
Flags: X - disabled, R - running, D - dynamic 
 #     NAME         MTU ACTUAL-MTU LOCAL-ADDRESS   REMOTE-ADDRESS       KEEPALIVE                               DSCP
 0     ipip-tu...  auto       1480 1.1.1.1         1.1.1.2              10s,10                               inherit
 
 [admin@rack1_b3] /interface ipip> set 0 local-address=2.2.2.2 
[admin@rack1_b3] /interface ipip> /ip ipsec policy print 
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default template=yes priority=0x10000 

 1  D  ;;; ipip-tunnel4
       src-address=2.2.2.2/32 src-port=any dst-address=1.1.1.2/32 dst-port=any protocol=ipencap action=encrypt 
       level=require ipsec-protocols=esp tunnel=no proposal=default priority=0x20000 ph2-count=0

Sorry, I just found why it is not working correct (may be I doing it incorrect). The reason is that I use mikrotik DDNS as destination address in tunnel. So situation is:

[admin@MikroTik] > /interface ipip
add allow-fast-path=no ipsec-secret=123 !keepalive local-address=1.1.1.1 name=\
    ipip-tunnel1 remote-address=google-public-dns-a.google.com

After creating interface with dns there is no ipsec policies at all.

[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes

Lets reboot the router, and we see the policy:

[admin@MikroTik] > ip ipsec policy print
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes 

 1  D  ;;; ipip-tunnel1
       src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any 
       protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no 
       proposal=default priority=0 ph2-count=0

Now we will change settings in tunnel interface:

[admin@MikroTik] > /interface ipip set [find name=ipip-tunnel1] local-address=3.3.3.3

But we still see old ip in policies

[admin@MikroTik] > ip ipsec policy print                                             
Flags: T - template, X - disabled, D - dynamic, I - invalid, A - active, * - default 
 0 T * group=default src-address=::/0 dst-address=::/0 protocol=all proposal=default 
       template=yes 

 1  D  ;;; ipip-tunnel1
       src-address=1.1.1.1/32 src-port=any dst-address=8.8.8.8/32 dst-port=any 
       protocol=ipencap action=encrypt level=require ipsec-protocols=esp tunnel=no 
       proposal=default priority=0 ph2-count=0

And in peers

[admin@MikroTik] > ip ipsec peer print  
Flags: X - disabled, D - dynamic, R - responder 
 0  D  ;;; ipip-tunnel1
       address=8.8.8.8/32 local-address=1.1.1.1 auth-method=pre-shared-key secret="123" 
       generate-policy=no policy-template-group=default exchange-mode=main 
       send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 
       enc-algorithm=aes-128,3des dh-group=modp1024 lifetime=1d dpd-interval=2m 
       dpd-maximum-failures=5

After rebooting the router we will see new ip.

Wed Jul 26, 2017 2:37 pm

Version 6.41rc has been released:
viewtopic.php?f=21&t=123936

Who is online