MikroTik

DarkNate

MikroTik is working on mDNS repeater, but that will come together with a global DNS overhaul, and it will be an improvement in all areas, not just this one. This is also why it takes some time to make. Would be great if you fixed the IGMP Proxy problem with: 1. Documentation as users are not able t...

DarkNate

Any suggestions for my case?
I'm not sure what I'm missing.

Reach out to MikroTik support. Give them the supout export file. This needs to be solved by them, not me.

DarkNate

The modern way is to reject their auth request via AAA/RADIUS, that's it. With DHCP of course, you need to configure additional options for security.

DarkNate

I do think @DarkNate's point here has been not been absorbed... Generally people (but not always) in this forum, including egoistic relics (I'm 60 years old, so I know better), do not absorb any of my points. But that's their loss lol, I'm not the one struggling to get the network layer working cor...

DarkNate

Unless you are an advanced networking user or engineer, I agree. Using VLANs at home makes no sense for the added complexity and bullshit hacks required. For me personally, I don't use VLANs for “security”. I use it for labbing, there's main VLAN, guest VLAN and labbing VLAN. Each having different I...

DarkNate

An ignoramus can always learn, the know-it-all cannot. No they can never learn. A newbie/curious person on the other hand can: The important thing is not to stop questioning. Curiosity has its own reason for existing. One cannot help but be in awe when one contemplates the mysteries of eternity, of...

DarkNate

But don't fool us all... […] but like I said somewhere else, stupidity can only be cured by medical treatment, hopefully. […] ain't that common sense from grade 1 in school, maths class? 1+1=3 from your friend's notes? […] Will you stop offending forum users? Not sure what you mean about fooling? W...

DarkNate

Hello @DarkNate, apologies for not having followed your example, it was not clear that the "loopback" interface was the one that did the trick. This is what I tested without success, maybe due to a misconfig on my side: /interface bridge add arp=disabled name=loopback protocol-mode=none /...

DarkNate

Probably DarkNathan forget to export the VLANs and is why his config do not work for others that blindly copy & paste without understand what are doing… I didn't forget to add. This whole thread is about inter-VLAN routing, I expect people already configured the VLANs, wtf do I need to teach th...

DarkNate

I did a PCAP on my end. So IPv4 (IGMP) does get queried by the proxy/MikroTik. But IPv6 (MLD) does not. And this could impact apps that explicitly rely only on IPv6 Multicast or prefer IPv6, so of course you're not going to see it working. The experts in this thread should demand for IPv6 MLD suppor...

DarkNate

Here is my config for following Nate's suggestion. Both Airplay and Chromecast still don't work. Config looks fine. But possibly, I could've missed something. Run a torch/packet sniffer and perform analysis on what happens when you try Chromecast. Something, somewhere is dropping the packet. Multic...

DarkNate

Also @DarkNate recommends a loopback, but the upstream could be the VLAN where you your doing the browsing from ("main"/base/mgmt/etc) and the "IoT VLANs" point to that "main VLAN" and that might be more friendly to the default firewall than adding a loopback bridge. U...

DarkNate

The fact is another, the problem is the absolute trust that is given to smartphones and computers, which are seen as ultra-secure and without any espionage problems... Instead the "IoT", which are products that come from exactly the same manufacturers, just from another brand, are the dev...

DarkNate

IOT. This category of devices is now more prolific than every before. In homes, smb, and enterprises. We’re looking for tools to allow us to segregate these devices, yet interact the way that is convenient to those that are paying IT/Network support/engineers. With how much iPhone , bonjour, AirPla...

DarkNate

why would someone need to have that? worse, why even relay such network noise? That's the existential question here. But [...] at the end it is Mikrotik's pure business decision [...] And... it sounds like this could be resolved by better docs on IGMP Proxy for those that want to go this route. An ...

DarkNate

why would someone need to have that? worse, why even relay such network noise?

People want it because they like flooding their networks at home with BUM. No clue why.

DarkNate

The guy is the toxic avenger. He may have some experience, but how he has been allowed to touch big networks with such a bad attitude is just horrible. These forums (and other places) are meant to help people with Mikrotik, not belittle others. I never claimed to be an expert, yet he starts with na...

DarkNate

I'm interested into how this IGMP proxy works because it might fix my issue hopefully. I have a server which runs on a subnet (192.168.3.0/24) and other devices on another one (10.10.10.0/24). No VLANs, just two subnets set up on two bridges. I installed jellyfin on the server, and it happens now t...

DarkNate

With 7.9beta4, IPv6 now also seems to work in conjunction with cellular ISPs which regularly change the prefix via lte1 without having to reset the clients. Cellular ISPs should actually be using Mobile IPv6 with Anycast for customer prefixes and shouldn't really change prefixes at least within a g...

DarkNate

Doesn't work. Used your specific example, including adding ipv6 GUA on the loopback, still no packets traverse the IGMP Proxy As already explained, since you're expert I suggest you talk to official MikroTik support, packet count will be zero in IGMP Proxy when it is working correctly. Why? Ask the...

DarkNate

I've tested your solution for IGMP Proxy, and that doesn't work for mdns. No packets traverse the proxy. If I set the loopback as the upstream... 0 packets recieved / transmitted on either of the 3 interfaces. If I set the vlan10 as the upstream, RX packets are seen on that interface, but not anywh...

DarkNate

Like I said, MikroTik doesn't support auto aggregate, like Juniper.

DarkNate

Let's see if this second attempt will be the good one :) /interface bridge add frame-types=admit-only-vlan-tagged igmp-snooping=yes igmp-version=3 mld-version=2 name=Bridge protocol-mode=mstp vlan-filtering=yes /ip address add address=192.168.10.1/24 interface=LAN network=192.168.10.0 /ip address a...

DarkNate

There are problems with your config overall, you failed to properly add CPU input/output affinity, this will kill your router's CPU when deploying large tables. in/out affinity mode should match CPU model of your router for all BGP peers including iBGP. Here what I will do, I will share my config fr...

DarkNate

ISIS is normalised and preferred. Segment routing would be great for proper traffic engineering and routing symmetry in large scale ISPs. Even without MPLS/VXLAN.

I hope MikroTik supports both soon.

DarkNate

Sounds like you're talking about edge routers for IP Transit/IXP/PNI? In which case, you shouldn't be using VRRP, but have a proper network architecture whereby you set up iBGP with OSPF underlay between the routers, and correctly configure local pref and other BGP attributes in each other for recei...

DarkNate

If you've gone done the road of subnetting your LAN, IGMP Proxy should not be a huge leap. And if it was, maybe you should re-think segmenting your network in the first place? VLANs + mDNS containers hacks takes like 10 minutes total for a noob. IGMP Proxy, takes 5 seconds to configure for all VLAN...

DarkNate

Whoever it is, if someone is going to make sweeping recommendations in a public forum, they need to be prepared to back up those claims, and/or provide additional context, and not get frustrated when others don't always understand where they're coming from. The original problem has absolutely nothi...

DarkNate

You've clearly never tested and configured IGMP Proxy correctly. If you did, you'd know it's only two-three lines of config to get it working:
viewtopic.php?t=174354#p982910

Like I said, it will handle all multicast/IGMP traffic.

DarkNate

Apparently the original topic discussed here (changing prefix does not result in deleting old prefix at clients) has been fixed in version 7.9beta. So it could be a good idea for those affected by that to test this version. It's fixed, via hack. But still it doesn't resolve the issue with DNS host ...

DarkNate

You want to make me look like a troll while he insults others? For me it's already over here. And it would be better if he deigns to get off the podium and help others without offending them who have no instruction. See why I want to exit this platform. This dude just can't stop replying/trolling t...

DarkNate

You can keep comments/posts. Just delete user profile account. My expertise is better spent in other platforms and forums.

Unfortunately MikroTik forum is infested with trolls. And I see many other members complaining about this over the years as well.

DarkNate

The title says it. I'd like to have this forum account permanently deleted. No need for confirmation emails etc, this is the confirmation.

Thanks in advance to MikroTik staff who fulfills this request.

DarkNate

Hello, I wannt to authenticate winbox or ssh with second factor. The problem is with password, which mikrotik sends this mschapv2, so its hasched. Authenticator cannot recognize it and I get blank pass field. Is there any option to change mschapv2 to pap for example or whatever . What's about dot1x...

DarkNate

That address list is just RFC6890. IPv4 is already exhausted eons ago, RFC6890 is the ONLY bogon in IPv4. IPv6 is a complex and different story, that's not covered in the OP's blog post. You'll need to search for other sources regarding IPv6. iptables src and dst address types have special meanings ...

DarkNate

Aggregates on ROSv7 is similar to JunOS. In JunOS, we create a prefix list containing the aggregates, we then use the route aggregation feature to auto-generate discard routes the moment there's a contributing route for an aggregate. In ROSv7, we create a prefix list (address list) containing the ag...

DarkNate

Go fully layer 3 and use iBGP between CRS<>CRS and eBGP for CRS to CCR. Enable ECMP using route filters on each device, set route learnt distance to 1 for both paths on each device to get even load balancing.

Remove MLAG/VRRP completely in this way.

DarkNate

They support LLDP-MED. Check out /ip/neighbor. I can't recall if in V6, but it's in V7 for sure. https://help.mikrotik.com/docs/display/ROS/Neighbor+discovery#Neighbordiscovery-LLDP RouterOS v6 is EOL, who cares? And yes it's supported on v7, but never seen anyone using LLDP-MED in production.

DarkNate

IP SLA is a fancy term created by Cisco. In Linux world we call this recursive routing, you can use recursive routing. But MikroTik has Netwatch tool to make your life easier, use it with some basic scripting and you're good to go. Set up test for TCP to google.com or whatever. FYI: RouterOS is 100%...

DarkNate

@PortalNET PPPoE is an encapsulation protocol, it made sense in the era of hubs and massive L2 domains back in 1998 with DSL era. Now we are living in PON world with QinQ/VLAN support. There's no reason to use PPPoE except to stick to an outdated protocol just as many do with IPv4 instead of IPv6. A...

DarkNate

That being, neither IGMP Proxy nor mDNS reflection with Avahi is "correct". They're both "as bad as each other" in regards to the mDNS RFC. Pick one, make it work, and knock yourself out. IGMP Proxy is closest to an internet standard than mDNS reflector/Avahi bullshit is. IGMP P...

DarkNate

You're only proving my argument that MikroTik has made it super complex.

DarkNate

Please explain, what is the meaning of such a MTU replacement? The final (home) users will still be 1500. For example, to install 9000 on the server, NAS and switch, through which you will do backup, I still understand. And just change on all devices - I don’t understand what the point is. You need...

DarkNate

THanks, in another thread you noted to use two raw rules to stop private IPs from leaking in or out of a router when using NAT. Is this a replacement for bogon rules or an addition to? I have used bogon rules but prefer doing so in ip routes - blackhole. I don't remember what you mean. The blackhol...

DarkNate

HI DarkNate, yeah. its true but there is a legacy node in between which we can not increase the MTU. thats why we neeeded to set the tcp mss will mangle work on MPLS packet. thanks in advance Regards, indula Configure MTU in the path on both sides to match legacy node including MPLS overhead. This ...

DarkNate

I'm 100% sure I didn't. I use this same bridge/VLAN config at 15 sites on 20+ routers, including hAP AC2, CCR1009, CCR2004, CCR2116, RB3011, RB4011, RB5009, and the aforementioned CRS317 and CRS310's, where it all works perfectly (for the most part; L3HW offload can be finicky when making changes)....

DarkNate

TCP MSS mangling is never a good solution. The good solution is to properly configure MTU jumbo frames end-to-end on your network to ensure zero fragmentation.

The post here contains an MTU section:
viewtopic.php?p=988493#p864371

DarkNate

Here's an odd one. I've spent hours overnight and this morning trying to figure out why a newly-deployed 310 won't properly offload routed traffic. I migrated the config from an RB4011 to the 310, similar to what I've done at other sites, which are working fine. The only difference is that this one...

DarkNate

Conn_track values is for everybody, every host, every device, the world. WAN MTU should be capped to 1500 at home. I've never heard of an ISP that can carry jumbo frames inter-AS for residential. Largest possible MTU on LAN everywhere is fine, as long as L3 MTU matches on all routers, switches, what...

DarkNate

I wish I knew where the rp-filter one fits in the packet flow diagram that's something I've never understood. Now the exact interplay with them and firewall's invalid and/or NAT get complex, so I'm not sure there is some hard-and-fast rule here... Maybe? In vanilla Linux, rp-filter likely occurs be...

DarkNate

If everyone is on a public IP, then I agree that DROP INVALID in forward is unnecessary, it's main purpose in a NAT setup is to prevent leakage of private IPs onto the internet. Ideally you would not do any kind of conntrack when using public IPs. If you're using NAT, you should drop using the raw ...

DarkNate

Time Bump.

The author is still updating and maintaining the article as of 2023.

DarkNate

The INVALID rule will still function to prevent non-NATted connections from going out. It offers no extra "security" to use strict tracking, it only causes users grief when their valid connections get dropped by over-aggressive timeouts or router reboots. How is a client sending an ACK to...

DarkNate

I had it off to begin with. I turned it on 2 days ago. CPU usage did not decrease. Actually, turning on loose TCP tracking seems to have solved my RDP/Remote Desktop issues. The connection doesn't drop anymore (which might be an issue with TCP timings, as the post I marked as answer suggests). You ...

DarkNate

You should turn off loose TCP tracking when you want to burn your CPU and performance.

DarkNate

Here's another example of what MikroTik's poor approach leads to, a dumb problem:
viewtopic.php?t=194073

Folks like that or people from Cisco/Juniper world who sees threads like that, will assume it's a bug and stay away from MikroTik.

DarkNate

If you want to use it purely for AP/L2, then config should be like this:
viewtopic.php?t=193818#p986333

DarkNate

you are right but i think MikroTik in its roots started with a strange way to do bridging (version 5 etc) and many people started to using it and learned that way i think in 6.41 MikroTik tryed to correct course with Bridge VLAN filtering with some sucess but had up to some extend still allow old s...

DarkNate

Which one has larger range? EU or US?

DarkNate

I've read this thread multiples over the months. The real problem here is complexities and unclear visibility of this L3 offloading, what gets offloaded (routes), why, etc. We certainly don't have this much of a headache working with L3 offloading on other vendors. MikroTik needs to make some change...

DarkNate

moderator action

Why would you benchmark using such ancient devices in the first place? My CCR1036 can do 20G+ on IPv6 no problem. For home, buy a hAP ax2/ax3 or RB5009UG+S+IN

DarkNate

I use the ax2 as an L2 switch + Wi-Fi only. So it's not routing anything, it's just switching. For 5GHz, I get 800Mbps down peak, and 900Mbps up peak. I set TX power for 5GHz to 40. 2GHz to defaults. It never really overheated or anything. Maybe the people who has massive issues, have misconfig beca...

DarkNate

And what in the release notes so far leads you to believe that? Do you have some eye defects? I clearly linked to the change log from MikroTik regarding V7.8. https://forum.mikrotik.com/viewtopic.php?p=982113#p982113 Please try to keep up. RFC 6204 was published 12 years ago. Many consumer platform...

DarkNate

Dynamic IPv6 is because of bad ISPs to begin with:
https://www.ripe.net/publications/docs/ ... ed-harmful

The solution, but still doesn't solve dynamic crap:
https://datatracker.ietf.org/doc/html/rfc8978

DarkNate

haha. A. THERE IS NO GUIDE!!! B. THEY define parameters. C. Give some weak examples from terminal window approach, which is totally USELESS as I config wifi from WINBOX primarily ( yeah other parts of the config I do both but not wifi ) I smell a user article if MKX doesnt make one LOL MikroTik doc...

DarkNate

i dont think that more than 25.000 concurrent users per BNG PPPoE server can be a good idea You can Virtualize several of this BNG on a server capable of doing that massive task, maybe a server of 32 cores (Only real Performance cores not eficiency intel cores) 25.000? Decimal? You mean 25 concurre...

DarkNate

We've seen the same problem before with certain transit providers that have a habit of giving you the wrong IPv6 address, takes 3 months to realise it, while blaming you for those three months.

I recommend you check with them indeed.

DarkNate

The reason is that the connection networks and the internet services are handled by different companies here, that are forced to open their services to anyone who requests. So, there are companies that manage fiber, DSL and cable networks to connect customers, and there are (other) companies that p...

DarkNate

I think MikroTik fixed it on 7.8?

viewtopic.php?p=982113#p982113

DarkNate

@DarkNet, you missed my point for the third time and seem to focus more on your own thoughts instead of responding with a focus on the arguments. You are also changing direction of the conversation with new and irrelevant facts (whataboutism) but never mind. As for "your migration", you'v...

DarkNate

NAT wars are vendor-agnostic. This seems to be a win here, no? or at least a battle won... Well I agree. Though I was speaking more generally. You can find a lot of misinformation on this forum or similar forums all over the internet. Nobody reads 2023 networking fundamental books and assume everyt...

DarkNate

Maybe the war is over? https://i.ibb.co/W6x6XWB/Screenshot-2023-02-21-at-12-03-55-PM.png [ Janas from MTU video above, did a presentation on the evils of masquerade a while back, so above from https://youtu.be/D80_a_O86jc?t=20 ] Unfortunately the war is not over. Because very few experts as those i...

DarkNate

Fact: UPnP is the recommended and currently most used solution for gaming consoles at home, whether you like it or not. If you want a change, talk to the manufacturers or do you own thing. Thanks for the clarification regarding "NAT" but that is beside the point. Why bother doing a limite...

DarkNate

Hmm... Well, as much as I love your sweet talk and diplomatic rhetoric, I unfortunately have to disappoint you in several ways: As I stated earlier UPnP works fine for the vast majority of consumers (+>99.95%) but as always there are some few exceptions. IMO, it's better to shape up the security ar...

DarkNate

Improving NAT is important not just for gaming. RFC 4787 + later updates are called Best Current Practice for good reasons, based on a lot of experience gained with existing NAT implementations (older than the RFCs - Linux iptables NAT hasn't changed much since early 2000s). Too many things depend ...

DarkNate

You are killing me, I almost died laughing....hahahahahaha. MT, please give in to our cuddy and add the follwing for all devices . a. BGP fast failover (BFD) b. Other necessary fixes for v6 -> v7 parity ... x. ZeroTier One Client, it's just 4-5 megs, ie drop the Controller to a separate pkg.. y. Ze...

DarkNate

Yes, this makes sense if mapped to different public ports and remote devices receive which port to use via the game server. We will try to add this feature, however, I cannot promise any timeframe. I should emphasised this is not just for “gaming”, this applies to Video calls/Voice Calls over IP, B...

DarkNate

That is what I have asked previously where is the magic? If both consoles are using the same source port and the same dst-address with the same dst port, then, when 1.2.3.4:3478 sends packet to 3.4.5.6:12345 what magic should happen for router to guess which one of 192.168.88.x:1234 is the real rec...

DarkNate

You cannot share a single public IP:port with two internal hosts you idiot. If you have two Xboxes, you use a separate port for each. https://portforward.com/portforward-two-xboxes/ Xbox has allowed the use of port 3074 (UDP and TCP) only. However, if you have another Xbox console you cannot forward...

DarkNate

Ok I don't think we are on the same page. Posting my export so you can get a better idea of whats going on, for brevity I have removed all other interfaces to avoid confusion. My ultimate goal is to get traffic offloaded between VLANs regardless if one VLAN is carrying WAN traffic it is still consi...

DarkNate

Using this tool: https://github.com/HMBSbige/NatTypeTester/releases/tag/6.2.0 1. I enabled src nat netmap rule for my public /32 to my private /24 /ip fi nat add action=netmap chain=srcnat comment="netmap for egress" ipsec-policy=out,none out-interface-list=WAN src-address=100.64.0.0/24 to...

DarkNate

So, on PS5/XBOX, you cannot connect with other P2P online players as a NAT1 user, because the PS5/XBOX detects that you are not a NAT1 user. Of course, you can try contacting Sony or Microsoft with a URL and ask them why it's not working. Therefore, game console players still need Fullcone NAT. No ...

DarkNate

Ok just to make sure I understand this: I have sfp28-1 through sfp28-4 as LAN networks (no VLANs), then sfp28-5 (VLAN 1-7 for some other LAN networks) and sfp28-12 (VLAN 4000 for WAN). According to MikroTik https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Inter...

DarkNate

Without enabling firewall, using netmap as you suggested, it is unable to display Fullcone NAT in NatTypeTester. You can test it yourself, I have uploaded the NatTypeTester software. I think the reason is that the PC is accessing port 3478, but the returned data source is from a random port between...

DarkNate

In my network topology, I have a managed switch that has access ports to some workstations and then I also have an access port for WAN (because I don't want to use a Ethernet to SFP+ module). So some networks are on VLAN 1-7 and then the WAN is on VLAN 4000. There are two uplinks from the single sw...

DarkNate

Since you know that netmap has limitations, I thought you didn't know. So we need to use Fullcone NAT for regular users, instead of telling them to understand this and that, as well as IPv6. They just need to know that enabling this will make gaming easier, and that there may be security risks. It'...

DarkNate

@DarkNate, It seems that you may have some misunderstandings about the use of network for gaming consoles at home. I guess you don't play gaming consoles, so you may not be familiar with it. It's not your fault. Firstly, in the home scenario, netmap can only solve part of the problems of srcnat, wh...

DarkNate

Sure you don't, nobody is. Yet we're not douches all the time in this forum. So how is netmap taking care of your port forwards? You don't port forward in the first place for apps such as VoIP/Gaming etc. Did you even read anything? Apparently not. https://forum.mikrotik.com/viewtopic.php?t=165060#...

DarkNate

You don't have to be a douche all the time. Netmap makes sense when you have multiple public IP's, but using netmap for a whole internal subnet to just one public IP? how does that work in real world? I'm not getting paid to explain myself here. Either use netmap or don't. It's applicable to a /32 ...

DarkNate

How is that example different vs using masquerade? Did you even read the official MikroTik docs and also Linux man page on what masquerade does? Do you not understand why it is different from modern src nat/netmap? No? Then keep using masquerade and don't expect P2P/VoIP to work correctly without T...

DarkNate

Haha, maybe not exactly what I had in mind but you're on the right track! :- ) I intended a reasonably useful guide for gamers so we can finish the discussing about full cone NAT. You obviously have the skills but maybe it's too easy or consumer-friendly for your taste?? I mean, I've shared the NAT...

DarkNate

When I was in high school, networks weren't really a thing yet. And in the networks I maintain, NAT is normally not used except for the basic use in internet access. I would never try to setup a system like the starter of this topic wants to have. I am not in gaming, and I consider the whole proble...

DarkNate

Open NAT = The IP:Port is accessible from the internet, same thing as hosting on port 80/443. Moderate NAT = The IP:Port is not directly accessible via internet, but it is accessible via STUN binding for P2P/WebRTC/ICE Strict NAT = The IP:Port is not accessible whatsoever, and you'll need to perform...

DarkNate

I should note, these dumb terms were invented by Cisco, so that back in the early 2000s they could sell their firewall appliances where NAT is marketed as a security tool. Invented by cisco, right. But wasn't the marketing folks. cisco bought dozens of home routers as part of the work that went int...

DarkNate

The so what? Does this mean for consoles to work as expected (including voice), all one needs is.........??? - nothing Ros 7.7 fixes all issues - upnp only - port forwarding only - something else on RoS - some combo of the above - throw console in garbage ( and gamers have to get a life ) You don't...

DarkNate

On my 2116's, once I load up full routes from two providers, it mentions the HW table is full and it only keeps /25's or larger. The log shows something like 45 routes, although I have a hard time believing that there are only 45 /25's or larger in a table with 1.4M routes. It would be nice to have...

DarkNate

Sorry for hoping on an old thread, but I'm running the CCR2216 and also experience issues similar to this for reference here is my issue described a bit more in detail. I'm using the CCR2216-1G-12XS-2XQ and I've setup vlans on a single bridge interface as documented. I have L3HW offload working but...

DarkNate

@DarkNate, appreciated your help, followed suggestions on the previous post but not working, could be my fault. Tried setting the bridge as upstream and then the VLAN2, printer was not visible on both cases, connected to VLAN1 and worked immediately. I'm OK with IGMP Proxy, the MT complicated way i...

DarkNate

Are you doing VLANs correctly? You're supposed to use a bridge:
https://help.mikrotik.com/docs/display/ ... +switching

DarkNate

I should note, these dumb terms were invented by Cisco, so that back in the early 2000s they could sell their firewall appliances where NAT is marketed as a security tool. In the real world on Linux in 2023, these terms make no sense once you look into the actual source code and the function of the ...

DarkNate

Full cone NAT is simply 1:1 IP:Port mapping between internal IP and external IP. Any half decent network engineer should know this. If they don't, they should go back to networking fundamentals in high school. This is already provided in the Edge and BNG guide for ISPs here in the CGNAT section, whi...

DarkNate

Just use this to decide on which VLAN configuration to use for what model, no confusion whatsoever.

https://help.mikrotik.com/docs/display/ ... +switching

DarkNate

@DarkNate You are little bit arrogant, aren't you? That you are expert in multicast routing does not mean that everyone else must be too. Good for you, but call anyone else lazy-bum? Not everyone needs to know multicast routing even if they work in IT. Mikrotik sells wireless APs on consumer market...

DarkNate

I'll give that at some small scale multicast may be more efficient – but you can't IGMP proxy a large enterprise/campus/etc network – exactly where it breaks down is harder to predict. And compared to TTL-based caching of unicast DNS-SD results, I'm not sure even at smaller scales... But certainly ...

DarkNate

"Sorry bro" but unicast is way more efficient than multicast. Not saying don't use IGMP or a container to solve mDNS via milticast... but I can totally see why Mikrotik doesn't add this. e.g. If mDNS proxy is implemented, the RFC is broken because on RFC mDNS must not be forwarded outside...

DarkNate

Well I'm not sure using OpenWRT is needed either. If you use just one LAN at a home, that solves the problem too. And if you're are using VLANs, don't put stuff that needs multicast (e.g. mDNS [AirPrint, etc.]) on different subnets, also solve this. Since there are containers that support mDNS, tha...

DarkNate

That's one way to look at it. But why is MikroTik selling hAP ax lite into the home market? Most home users are not network engineers. Your argument sounds similar to: IMO, the nano editor is for lazy bums who refuse to learn vi. ... MikroTik sells hardware running a single version of RouterOS, the...

DarkNate

igmp-snooping will disable bridge hardware offloading on many low-end devices, multicast-querier must be disabled on the router? Thanks I still can achieve 1Gig end-to-end routing performance inter-VLAN on RB450Gx4, hAP ax2 etc. I don't see what's the problem with losing hardware offloading. As lon...

DarkNate

Just deploy IGMP Proxy correctly: https://help.mikrotik.com/docs/display/ROS/IGMP+Proxy Upstream interface will be loopback, “downstream” interface will be the L3 subinterface VLANs that sit on top of the bridge. Enable IGMP Snooping on the bridge, disable multicast querier. I use it, and mDNS along...

DarkNate

There is no hope of this being fixed for arm. All tickets are closed as previously fixed. The main read in here is unless you’re on the newest arm64 stuff they don’t care and will never address this issue. Best solution find a second device to host wireguard, mdns, whatever else MikroTik won’t incl...

DarkNate

@holvoetn
Wasted time, people instantly install anything new, they install it right away, they don't care if it's alpha, beta or omega, and often don't even read the release notes...

Even sigma?

DarkNate

"ipv6 - improved handling of "advertise" IPv6 address status changes;"

What does this actually mean or do?

DarkNate

I refer more to these Switch Chip Features -> Rule Table (not Bridge -> Packet Filter) Switch Chip Rule Table runs at wirespeed Hardware Accelerated https://help.mikrotik.com/docs/display/ROS/Switch+Chip+Features#SwitchChipFeatures-RuleTable this are able to include useful parameters like: dst-addr...

DarkNate

Why is that better and will that work on all MT routers?

Are you new to computer science in general? Do you not know flash memory has limited write capacity?

Do you also not know all MikroTik hardware dating back to the first models that supports ROSv7, supports tmpfs? Are you new to MikroTik?

DarkNate

I will break it down in plain English: 1. Using only stateless-ness on edge routers, ensures your router will never die during massive DDoS or even just massive traffic spikes. And also ensures you are dropping traffic before it never enters conn_track avoiding waste of resources. 2. DDoS protection...

DarkNate

For home users? Stateful + stateless rules is fine on a single router. Now you are contradicting yourself //// remember........---> If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will not cause the router to crash or reboot. But start usin...

DarkNate

About this matter I have a doubt: Doing Traffic filtering on a switch by using Hardware ACLs before traffic reach the router can be a feasible way to firewall a router without loosing the high performance fast-path mode? Read the official explanation: https://help.mikrotik.com/docs/display/ROS/Brid...

DarkNate

Hi Dark Nate, Do you recommend then simply getting another MT router to act as stateless edge router that gets public IP and if so, how do you then feed the next router ( my current router ) with that connection so that internet still flows in both directions?? Do you create a LAN on the stateless ...

DarkNate

Have you tried reset with "no default configuration" option? Or even netinstall?

Yes. No. I do not want to netinstall as that's what I just did 5 days ago with this new box using 7.7. It's a lot of efforts for bugs that should be fixed by MikroTik.

DarkNate

But I am curious, OP is a certified MikroTik trainer. Does MikroTik certifications not teach this basic Linux networking 101 stuff to their trainers?

This makes me doubt the expertise and in-depth knowledge of MikroTik certified trainers.

DarkNate

RAW table supports the ability to filter only for input chain if you want. Use dst-address-type=local. That's what input chain does, except RAW is before conn_track, and input is after. If you completely use only RAW table and therefore your router is stateless, even a 20G multi-gigabit DDoS will no...

DarkNate

It would be better if it uses tmpfs in ROSv7.7 instead of the flash memory.

DarkNate

Upgraded a hAP ax2 to this version and now I keep getting a log message on every reboot with this: "error while running customized default configuration script: no such item" Any way to fix this? Downgrading back to 7.7 stable, didn't fix it. 5GHz Wi-Fi is “running” but clients fail to con...

DarkNate

I don't agree. Stateful-ness has nothing to do with NAT, it's the other way around (it's not possible to perform sensible NAT without being aware of connection state). When it comes to NPTv6, it can indeed work as stateless ... but that doesn't prevent firewallv6 from work in stateful manner. And s...

DarkNate

NPTv6 unfortunately is also buggy. In my experiments it is matching the firewall rule /ipv6 firewall filter add action=drop chain=forward comment="defconf: drop invalid" connection-state=invalid log=yes Here what is in logs: 23:03:10 firewall,info forward: in:bridge out:he, connection-sta...

DarkNate

Please double check what you really getting on network side. right now netmap behaves like masquerade. /ipv6 firewall nat add action=netmap chain=srcnat out-interface=he src-address=fd66:xxxx::/48 to-address=2600:xxxx:xxxx::/48 /ipv6 firewall nat add action=netmap chain=dstnat dst-address=2600:xxxx...

DarkNate

ipv6 netmap seems to be still broken in this release It's probably your configuration. Works fine for me, including NPTv6 via mangle which is better than netmap as it is stateless. add action=netmap chain=srcnat out-interface-list=WAN src-address=2400:cb00:75::/64 to-address=2400:cb00:75:1::/64 add...

DarkNate

While your observation is pretty much spot on, the explanation why it's so is complete garbage. Which part of the following is unclear? And also note, I'm not a wireless network engineer nor am I an expert in hardware and silicon production aka I'm not a physicist or a chemist unlike others in this...

DarkNate

ROS v7.7 stable is still generating link-local addressing for *disabled* VPN interfaces such as GRE or WireGuard. When will MikroTik fix this?

DarkNate

How do you get such speeds with ax2 through 3 brick walls? In my case, with ax3, a single brick wall kills the signal strength to like -70 dbi and speed drops to like 80 mbps at best. Constant disconnects included. The settings are pretty much the same as yours. Assuming your configuration is A to ...

DarkNate

May I know what need to configure in ax2 to get this speed? My ax2 only can get 600Mbps max Use single bridge configuration where your LAN ports and both wireless interfaces are in the same bridge, segregate them with VLAN filtering if you need to. Then enable bridge fastpath/forward and configure ...

DarkNate

hAP ax2 works fine for me. 850Mbps download peak performance and around 920Mbps upload peak performance with minimal bufferbloat using FQ_Codel.

For $99, good luck finding a gigabit AP other than hAP ax2.

DarkNate

A question which is still not clarified for me. We need IP/Firewall/Filter, NAT, Mangle, RAW + Bridge/Filter, NAT + Simple Queues. I assume from what I have read so far, L3 HW-Offload ist not achievable with this needs? You can offload some but all the traffic when queues are in play using FastTrac...

DarkNate

One question: how can you use custom MAC address per port if you use single bridge? (Yes, I know one can change MAC address on interface directly and skip using bridge, but let's say one needs some bridge functionality as well, e.g. bridge filters). I did check this out before answering, and it is ...

DarkNate

you should not use a router that runs Linux.

Lol what? What do you think Cisco IOS, JunOS Evolved, and Nokia SR runs on? Windows? What matters is support for hardware offloading of whatever you need that for, in this case single/multiple bridge. Of which only one is supported.

DarkNate

I disable the LCD on all lower-end models.

On CCR devices that support it, I set a timeout for it to disable itself, and simply tap if I need to look at it.

DarkNate

I wouldn't call IPoE legacy exactly. It's still the primary L2 mode for UNI ports on most of the Metro Ethernet gear out there like Calix, Adtran, Ciena, etc. Lots of BNG deployments use IPoE I mean, IPoE (static IP mapping/config on CPE side) is a PITA and that's legacy for me, why not just DHCP e...

DarkNate

I wouldn't call IPoE legacy exactly. It's still the primary L2 mode for UNI ports on most of the Metro Ethernet gear out there like Calix, Adtran, Ciena, etc. Lots of BNG deployments use IPoE I think it’s as legacy as IPv4. They’ll be there for a few decades. I use IPoE with Vyos in a pair of BNG a...

DarkNate

This assumes that maximum data plane performance is the only consideration when building a network. I think this is a case where "it depends" is very relevant. The ability to abstract physical interface dependencies in config is something that shouldn't be overlooked. When throughput perf...

DarkNate

When the difference in performance is not noticable (and in my case I did not notice it), it does not matter. Even when in a purist view it does. For quite some time (when RouterOS still supported it) I have used configurations without any bridge at all, with VLAN configuration in the switch menu, ...

DarkNate

IPoE is legacy like PPPoE. You should use DHCP as is with RADIUS and option 82 + any other option that you need. https://docs.splynx.com/networking/authentication_of_customers/mikrotik_dhcp_radius I think I haven't explained well. I want to assign the addresses "one by one" in /32 like in...

DarkNate

i think the "single bridge" thing is very relevant mostly on new equipment which includes an integrated Switch like ccr2116/2216 i have the same habit of using a bridge for wan interface even when using only a single port as a useful tool to do some L2 trouble-shooting, if you dont enable...

DarkNate

Hi, my problem is similar but looks like this methods didn't resolve it. I have 3 switches: SW1: BPDU guard enable on all port (non Mikrotik) SW2: MT device, there is only a bridge and all ports are a member of it, STP set to NONE SW3: MT device, there is only a brdige, and all ports are a member o...

DarkNate

I am not a home user but I use only 1Gbit lines. And note that I am not trying to emulate a switch, I use a single port on a bridge. That already is an optimized situation that you probably are not familiar with. I have tested the CPU usage before and after I migrated a CCR1009 to this config and t...

DarkNate

I know this is marked solved, but may I make an unpopular suggestion that would work. NATv6 using the fc00::/7 network reserved for private networks. It's not quite the same as RFC1918, but it does give us some ipv6 space that is not going to be centrally registered, so possibility of collisions if...

DarkNate

IPoE is legacy like PPPoE.

You should use DHCP as is with RADIUS and option 82 + any other option that you need.

https://docs.splynx.com/networking/auth ... hcp_radius

DarkNate

Then you filter directly on the switch itself against by using the same method I described. That's it. No BUM traffic will leak to other interfaces.

DarkNate

I explained the reason for putting the WAN interface in a bridge. It makes it easy to move it to another physical port, while keeping all the configuration. While lots of configuration (e.g. firewall) can now be handled via an interface list, so there is no more need to put "ether1" in ea...

DarkNate

Do a clean netinstall of ROS v7.6, then simply re-configure using the exported file from the terminal (not the backup feature). You'll be fine then.

DarkNate

1. You are supposed to use only a single bridge for all your non-upstream ports and interfaces – You then separate them using VLAN filtering as you need Source: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Creatingmultiplebridges That would make things more...

DarkNate

This worked for me after working with support. RouterOS supports the standardized M/R/STP protocols, and you can select which ports will not participate in the spanning tree using "edge=yes". So these ports will not send and ignore standardized BPDUs (01:80:C2:00:00:00). However, RouterOS...

DarkNate

1. You are supposed to use only a single bridge for all your non-upstream ports and interfaces – You then separate them using VLAN filtering as you need Source: https://help.mikrotik.com/docs/display/ROS/L3+Hardware+Offloading#L3HardwareOffloading-Creatingmultiplebridges I do not know why people thi...

DarkNate

m8, remove the "top secret" parts from the export if you want help.
Like calling your doctor and saying "it hurts" while not telling where.

He's a moronic patient clearly lol. At this point, it's clearly a troll.

DarkNate

No, I am not. I am just not allowed to do that. There are some very strict rules in our company so it is cannot be done. But I appreciate you hostility. I cannot use just bridge to connect these two ports. Every QSFP port has his own subnet. 1. What kind of secret sauce are you building using Mikro...

DarkNate

First, you come here asking for help but can't export configuration? Are you stupid or what? Second, without the export, I will assume you're actively going against MikroTik guidelines i.e. to ensure using a single bridge for all downstream and redundant intra-AS ports to ensure hardware offloading/...

DarkNate

Using /31 directly on RouterOS v7.6 works fine for BGP over here.

DarkNate

maybe because of that MIkroTik wireless interface default queue is SFQ type off course newer Codel and Cake can perform better Tested using default SFQ vs default FQ_Codel queue type on wireless interface for hAP ax2. Couldn't see any performance benefit whatsoever in iPerf3/latency measurements du...

DarkNate

If the entire routing table cannot fit in the hardware memory, routes with longer prefixes are offloaded to the switch chip while the shorter prefixes are left to the CPU. HW offloading of particular routes can be suppressed via routing filters ( documentation ) CPU usage depends on the software/ha...

DarkNate

I have a dream of a Mikrotik router with hardware forwarding tables large enough to hold multiple full BGP tables. One day soon I hope this will be reality ! even with other vendors that is difficult to achieve and quite expensive It wouldn't be so difficult if MirkoTik and other proprietary vendor...

DarkNate

Sounds like a combination of bad configuration, bridge misconfig, using conn_track in the wrong place, bad MTU. Implement the guidelines here and see if it solves your issue:
viewtopic.php?t=176358

DarkNate

I read the thread, but still have some doubts. Let's say I have a single CCR2216-1G-12XS-2XQ unit, whereby I religiously follow the proper bridge configuration to ensure hardware offloading etc. And there is no connection_tracking/NAT. I'm assuming BGP affinity for input/output is set to “alone” per...

DarkNate

Definitely not working as of 7.6 stable netinstall.

DarkNate

What is a reasonable value for the TCP established timeout, and how will this affect the end-user internet experience? Follow the guidelines here. With the DDoS rules in place along with rubbish traffic being dropped in the raw table, the conn_track table will never get flooded. https://forum.mikro...

DarkNate

If your ISP is doing dynamic PD instead of persistent PD, they are intentionally breaking IPv6 specs and in particular SLAAC. No amount of lifetime value tweaking can fix that other than them fixing their shit and learning BCOP 690. https://www.6connect.com/blog/is-your-isp-constantly-changing-the-d...

DarkNate

Since it's not my script, it just uses my method to download the multipart file, everything else I haven't checked. Let's say it might work for ipv6 if you change these things: from :local update do={ to :local updatev6 do={ replace all 8 occurrencies of /ip with /ipv6 replace all 8 occurrencies of...

DarkNate

I got the regex, but not sure how to fit it in the script. (([0-9a-fA-F]{1,4}:){7,7}[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,7}:|([0-9a-fA-F]{1,4}:){1,6}:[0-9a-fA-F]{1,4}|([0-9a-fA-F]{1,4}:){1,5}(:[0-9a-fA-F]{1,4}){1,2}|([0-9a-fA-F]{1,4}:){1,4}(:[0-9a-fA-F]{1,4}){1,3}|([0-9a-fA-F]{1,4}:){1,3}(:[0-9a-...

DarkNate

On RouterOS v7.6 the conn_track table is automatically increased based on RAM.

Do not upgrade to v7 directly though, as that is known to cause issues. Do a neinstall and then copy/paste export config.

DarkNate

While this is perfectly possible on RouterOS. But Tik hardware is not designed for QoE appliances. This will tax the CPU like hell in a production environment.

DarkNate

Ah, crap, totally forgot about address type matcher in iptables. Yeah, there's no need for a script at all then. I will just use the matcher = local and call it a day.

DarkNate

Check if "Multicast Querier" is enabled on the bridge. https://forum.mikrotik.com/viewtopic.php?p=906424#p906140 Which part of the OP quoted below is not clear to you? However, the moment I enable multicast carrier on the bridge itself, IPv6 SLAAC/RA/NA/NS traffic all begins to break and ...

DarkNate

Crosspost Reddit thread So I have a single CCR1036 on ROS 7.6 whereby I used this config guide to configure bridge and bridged based VLAN: https://forum.mikrotik.com/viewtopic.php?t=143620#p706998 Also, because MikroTik recommends that type of config for this model: https://help.mikrotik.com/docs/d...

DarkNate

I have a unique use case whereby I have a firewall list called “interface” and in this list, all the IP addresses found in IP>Address or IPv6's are put into the list in respective firewalls. How do I dynamically do this with scripting? Fetch IP>Address, compare with existing list on firewall, then r...

DarkNate

I would use NDP/SLAAC as is and just run iBGP between the host and the router for pushing and learning routes. Routing should be handle routing protocols.

Run FRR on the host and configure.

DarkNate

This config works fine, but the issue is, it will “set/change” the DNS even if it's already set correctly and hence hurt the flash memory. Is there a way to make it smarter to first fetch the value of the existing config, compare it with the input string and make config change only if there's not a ...

DarkNate

then PPPoE does not solve the situation neither because with the right skillset. That doesn't stop anything.

Sure. You're arguing against DHCP. But since we agree both PPPoE/DHCP can't be stopped with the right skillset, why use PPPoE and lose MTU overhead/CPU overhead?

DarkNate

But how do we "discard" based AS-PATH instead of prefix list?

DarkNate

Man, what are you talking about? That's possible on PON too with the right skillset. That doesn't stop anything.

DarkNate

How does DHCP MAC binding, options etc fail to work on BNG level even if the last-mile is a dumb switch? In all cases, the MAC binding should work.

DarkNate

if your access network is open (ethernet switches ) you will need to stick with PPPoE for auth

Why? Perform MAC binding and use various DHCP options that you need or want and client ID.

DarkNate

Can you suggest what king of authentication would be used along with DHCP? DHCP options of your choice based on your needs, DHCP client ID, DHCP+RADIUS https://docs.splynx.com/networking/authentication_of_customers/mikrotik_dhcp_radius https://mum.mikrotik.com/presentations/GE12/interllcom.pdf http...

DarkNate

Then dump your AAA software and switch vendor to one that keeps up with the times.

DarkNate

rp-filter should be set to loose mode for assymetric routing. But overall, assymetric routing is bad traffic engineering. What you should do is announce the largest possible aggregates of all your prefixes to both upstreams, equally without prepending or more specifics. More specifics should be use...

DarkNate

Or move to DHCP and dump PPPoE. PPPoE has MTU and CPU overhead due to encapsulation, DHCP does not have any such issues.

DarkNate

Just replace ip with ipv6 and must be created a valid RegEx to identify IPv6 address for replace ipv4 RegEx. the regex must cover all cases for example ::, ffff::, xxx::192.168.0.1, xxxx:xxxx::xx:x:1, xxx:xx:xxxx::x:x:x/xxx etc etc etc I got the regex, but not sure how to fit it in the script. (([0...

DarkNate

rp-filter should be set to loose mode for assymetric routing. But overall, assymetric routing is bad traffic engineering. What you should do is announce the largest possible aggregates of all your prefixes to both upstreams, equally without prepending or more specifics. More specifics should be used...

DarkNate

Anyone knows how to make OP script work for IPv6 address lists as well?

DarkNate

WireGuard doesn't rely on PMTUD inside the tunnel.

Set it to 1420 on the router where WAN interface is 1500, set it to 1420 on the client side app as well. PMTUD at OS level on each side will ensure packet size don't exceed 1420 and of course don't block ICMP like an idiot would.

DarkNate

Prevents NAT bypass. But you can remove the rule and drop anything in the raw table destined towards RFC6890 subnets directly.

DarkNate

Don't forget to route all the GUA blocks to black hole on the edge router to prevent layer 3 loops:

DarkNate

Netmap isn't stateless, did you even try this on your router at all? It clearly loads conn_track and stateful tracking. Did you not see how RTSP works smoothly for clients behind netmap instead of src nat? Did you not read my previous replies that explains it? The link you share isn't NETMAP Mr Expe...

DarkNate

Same problem on fresh netinstalled v7.3.1 on RB3011.

Sometimes the clients are IPv6 reachable, sometimes they are not. It is completely random. IPv4 works fine.

DarkNate

Instead of whining here about broken P2P protocols on NATted IPv4, switch to netmap, remove src nat on both src nat and dst nat chain in the Linux based router OSes.

ALG is irrelevant for most protocols if you know how to do NATting properly on Layer 3/4 aka netmap.

DarkNate

And every freakin distributor loves to lock in the end user with their specific solution aka "triple play" and likes. And besides VLAN and other related stuff, all using specific port numbers, transport initialization, multiple streams using different transports and sometimes even proprie...

DarkNate

Bottom line, it's virtually impossible to implement a general RTSP "helper" since there isn't just one "standard". Quite the opposite there are many different ones including proprietary solutions and they all differ depending of intended application. with NAT/masqerade. Where RT...

DarkNate

“Packages” or “packets”, like they aren't synonyms and mean completely different things.

Netinstall itself is a “package” of code, packets are a networking term.

DarkNate

Do a netinstall of v7 long-term release, ensure /system routerboard firmware is also on the same version.

DarkNate

Somewhere in the history of the internet, engineers started mistaking NAT Traversal (including ALG, STUN etc) as a “Firewall” intelligence feature. Let's say all your devices have public IPv4 addresses, there's no NAT involved. And you accept established, related, icmp (PMTUD) but you drop the rest ...

DarkNate

The reply is too long and hence I'm breaking this into threads @mods, this is not a spam. For inter-VLAN it does not matter, VLAN is a L2 concept. You can have 4000+ VLANs, use netmap and the same logic works as long as you have sufficient public IP addresses available for handling 10k+ hosts on all...

DarkNate

Further to note RTSP is a combination protocol: RTP is used for streaming the audio/video/whatever over UDP. RTSP itself is used for pausing/rewinding the stream over TCP. https://en.wikipedia.org/wiki/Real_Time_Streaming_Protocol This is exactly what is shown in my screenshot, RTSP is the establish...

DarkNate

Have you actually deep dived into the Linux kernel? Is that necessary to hold an opinion? Only kernel hackers need reply? No userland experience is relevant? There's no differentiation between the two except on MikroTik. Since that's the tool I have, and that's the owner of forum of the OS I'm repl...

Search found 643 matches