Search found 1251 matches

by Larsa
Fri May 17, 2024 11:54 pm
Forum: General
Topic: LHGGR underperforming LTE speeds
Replies: 25
Views: 890

Re: LHGGR underperforming LTE speeds

I don't think that MTU mismatch would explain shitty download and decent upload ...

A 'shitty download and decent upload' usually indicates a crowded base station, probably because a lot of streaming...
by Larsa
Fri May 17, 2024 11:17 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

Yeah, it's a pity the extended version of BPF hasn't been introduced as standard in macOS. It might be because Apple doesn't sell "network-related" hardware, IDK. And since macOS extensions (kext) are moving away from the kernel, third-party versions of eBPF will probably disappear.
by Larsa
Fri May 17, 2024 7:41 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

Although macOS PF is pretty okay, the standard interface (i.e., Apple > Settings > Network > Firewall) is pretty much a disaster and pfctl is too cumbersome IMO. I wouldn't cope without Little Snitch (or LuLu).
by Larsa
Fri May 17, 2024 6:20 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

... start by getting rid of Broadcom in an anti-competitive lawsuit across the globe. I bet the entire WVM sphere (absolutely no pun intended ;-) ) would totally agree with that as well.. You're making this a complex explanation. It's called UI/UX design and programming. That's what MikroTik (and t...
by Larsa
Fri May 17, 2024 2:18 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

Well, sort of. It still is the chip that sets the limitations. Though SAI offers significantly greater flexibility in managing the configuration process from user space (ie ROS) directly to the driver without having to adapt to and pass through the Linux kernel DSA interface structures (which BTW wa...
by Larsa
Thu May 16, 2024 10:13 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

I already had the NAT rule from years gone by but had it disabled.

Told you so! :wink:
by Larsa
Thu May 16, 2024 10:08 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6882

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

It was an issue with the firewall and a disabled NAT rule, according to the other thread. Either way, the root cause was a flawed configuration.
by Larsa
Thu May 16, 2024 8:58 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

@mongobongo; Well, good for you! Though a reboot is hardly a long-term solution since you obviously didn't manage to isolate the root cause of the issue. And please don't blame support for doing their job, or anyone else for that matter, for not telling you to reboot your own equipment. And I really...
by Larsa
Thu May 16, 2024 7:37 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

@Mongobongo; I've read all your posts several times and I am still confused. Let's focus on the part from your 'napkin' diagram that isn't working. What do you mean by 'Only one way communication'? Have you checked you have two active peers/SA on both sides, or do you mean you only receive traffic f...
by Larsa
Thu May 16, 2024 7:14 pm
Forum: General
Topic: MLAG hopelessly broken?
Replies: 26
Views: 6626

Re: MLAG hopelessly broken?

@spippan: Regarding FS, what do you think of their own FSOS compared to Mikrotik ROS or any kind of ONIE? Is there a big difference in cold boot time between them?
by Larsa
Thu May 16, 2024 6:37 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

I can help you get a working Wireguard tunnel between your two MT devices, but this requires at least one of the devices has a public IP, or is connected to an upstream router (yours or ISP) that can forward a wireguard port to your device. Please advise. @Anav: it's the same requirement for IPsec/...
by Larsa
Thu May 16, 2024 6:36 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

Once again, in order for us to understand your issue, please combine the following information into a single post: 1. Briefly describe your issue(s) in one or two sentences (e.g., "I cannot connect to Router B using WinBox on my PC through Router A."). 2. Provide a simple network topology...
by Larsa
Thu May 16, 2024 6:04 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

(I cannot understand that Microsoft still has not fixed this design error in 2024) I can. The current Windows network stack (L1-L4) has, due to historical reasons, numerous serious flaws and limitations. Addressing these issues would require a complete rewrite of the entire stack from scratch whi...
by Larsa
Thu May 16, 2024 5:35 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

You don't need advanced tools to illustrate your network topology. Use plain text, like "x.x.x.x A -> internet -> y.y.y.y B," as I suggested (where x.x.x.x and y.y.y.y are IP addresses). To help us understand your issue, please describe it briefly in one or two sentences, such as "I c...
by Larsa
Thu May 16, 2024 5:08 pm
Forum: General
Topic: Winbox IKEv2 strange issue
Replies: 38
Views: 1396

Re: Winbox IKEv2 strange issue

Hi, please provide a simple network topology diagram, for example: "Host A (client) xxxx -> Internet -> Host B (server) xxxx" along with version info and the most current configuration files (if all devices are Mikrotik that is). Then, we might be able to help you out one step at a time. P...
by Larsa
Thu May 16, 2024 2:52 pm
Forum: General
Topic: [Formal Complaint] Support is ignoring my problem for 3 weeks
Replies: 50
Views: 6882

Re: [Formal Complaint] Support is ignoring my problem for 3 weeks

@mongobongo - I do understand your frustration, but please try to take a deep breath or two to avoid a possible heart attack. 😉 Since standard support is free and Mikrotik does not offer paid, prioritized support, you sometimes have to wait for your ticket to be handled. For how long, it depends on ...
by Larsa
Wed May 15, 2024 5:20 pm
Forum: General
Topic: Feature request : Multipath TCP (MPTCP) support
Replies: 10
Views: 8856

Re: Feature request : Multipath TCP (MPTCP) support

MPTCP is necessary only on the end devices unless it was a specific service in ROS that you were considering?
by Larsa
Wed May 15, 2024 2:13 am
Forum: Scripting
Topic: my script gets data running in terminal but not from system scripts
Replies: 9
Views: 451

Re: my script gets data running in terminal but not from system scripts

Yeah, you’re probably correct from a purely technical standpoint, but since this isn’t the first time someone has encountered this issue, I still consider it a flaw.

If the interactive terminal were behaving differently, we wouldn’t be having this discussion IMO.
by Larsa
Wed May 15, 2024 1:16 am
Forum: Scripting
Topic: my script gets data running in terminal but not from system scripts
Replies: 9
Views: 451

Re: my script gets data running in terminal but not from system scripts

@ak313 - RoS has an undocumented flaw when running the terminal in interactive mode that allows indexing objects with regular numbers. When a script is run in 'batch mode' a true index type is required by using [get ...] resulting in something like '*1'. You can also test this by entering '*1' in an...
by Larsa
Tue May 14, 2024 10:37 pm
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 305
Views: 78754

Re: v7.15rc [testing] is released!

> Hi, can you update the zerotier package too please, the new Version is out 1.14.0 Also the capability to orbit to private moons please

Concur. Version 1.2.0 already introduced user-defined root servers or "moons". ROS still lacks an interface for administering Root Servers, Multipath, T...
by Larsa
Sun May 12, 2024 11:22 pm
Forum: Beginner Basics
Topic: Not able to post on forum
Replies: 9
Views: 469

Re: Not able to post on forum

Your ISP won't be able to sort this out. You need to get in touch with the blocklist providers yourself.

I also recommend that you try to identify and address the source of why your IP was banned. Otherwise, there is a risk that it will happen again.
by Larsa
Sun May 12, 2024 10:04 pm
Forum: Beginner Basics
Topic: Not able to post on forum
Replies: 9
Views: 469

Re: Not able to post on forum

Check out why and how to unblock your IP here: https://www.spamhaus.org/faqs/general-questions. Additionally, check if your IP is banned elsewhere using: https://multirbl.valli.org/
by Larsa
Fri May 10, 2024 11:06 pm
Forum: Containers
Topic: Run container on event - DHCP
Replies: 4
Views: 2486

Re: Run container on event - DHCP

But you can, although you need to use various tricks to identify the different hotel networks and create scripts to perform appropriate actions accordingly. Additionally, check https://help.mikrotik.com/docs/display/ROS/DHCP#DHCP-LeaseScriptExampleLeasescriptexample . You can also schedule scripts to...
by Larsa
Wed May 08, 2024 2:11 pm
Forum: Announcements
Topic: Long range wireless links - share your experience
Replies: 35
Views: 28749

Re: Long range wireless links - share your experience

Well, it depends on the speed you're aiming for at that distance. You could always get a pair of AirFiber XRs for $2000 or explore some other point-to-point brands using licensed bands. Additionally, for a 30km connection, you'll probably need antenna towers approx. 250 feet in height. The bottom line...
by Larsa
Mon May 06, 2024 6:28 pm
Forum: RouterBOARD hardware
Topic: NetMetal ax temperature at sunny outdoor location
Replies: 3
Views: 330

Re: NetMetal ax temperature at sunny outdoor location

It's a pity that NetBox 5 AX only operates at 5GHz. Otherwise, it would probably be a better choice because of the white plastic case.
by Larsa
Fri May 03, 2024 7:28 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

And defended by AI - the ultimate AI war! Skynet will become reality in the near future! :-D
by Larsa
Fri May 03, 2024 6:32 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

Yeah, that's a pretty neat example of how powerful the XDP/eBPF combo is.
by Larsa
Fri May 03, 2024 3:40 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 578

Re: Cascading switches

There are no benefits in disabling STP for sure and I was only looking at the uplink "line" not the different endpoints.

Yeah, that makes sense.
by Larsa
Fri May 03, 2024 3:26 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 578

Re: Cascading switches

Thanks @mkx, I'm quite aware of the functionality. In this case 'devices' additionally includes L2 communication links that some BMS systems automatically generate for extra redundancy. It might also mean possible redundancy between the switches, as most fibers (presumably multimode in this case) a...
by Larsa
Fri May 03, 2024 1:54 pm
Forum: RouterBOARD hardware
Topic: Cascading switches
Replies: 9
Views: 578

Re: Cascading switches

@jvanhambelgium - Just curious, why do you want to turn off STP considering there will likely be multiple devices connected to each switch? BTW, I suspect there might be some kind of BMS/HVAC management system hooked up to each building.
by Larsa
Thu May 02, 2024 6:40 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3553

Re: [Feature Request] Data Center Bridge support

Okay, but are you sure IEEE 802.1Qbb implements PCB as required by DCB? How about ECN, ETS and DCQCN? It is important that all facts are available. Licensing costs must also be considered. Even if a SoC has the necessary hw support, activating a specific function may require additional licensing. Th...
by Larsa
Thu May 02, 2024 6:03 pm
Forum: General
Topic: [Discussion] MikroTik configuration abstraction complexity
Replies: 138
Views: 9624

Re: [Discussion] MikroTik configuration abstraction complexity

I've seen what VPP/DPDK achieves on x86 machines and it's really impressive. I have not had the possibility to see results on the ARM architecture. Yeah, but VPP/DPDK is a pure user-space solution (appliance) typically used by the telco industry so it's unlikely to be integrated into the MT product...
by Larsa
Thu May 02, 2024 5:41 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3553

Re: [Feature Request] Data Center Bridge support

If you do it with software, chances are you are still relying on the kernel, just like a normal NIC. The whole point of using it is to have hardware acceleration and bypass the kernel altogether. Doing it in software is like having an EV and charge it using a Diesel generator :D Yeah, that's the ma...
by Larsa
Thu May 02, 2024 5:14 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3553

Re: [Feature Request] Data Center Bridge support

@galvesribeiro Again, Mikrotik hardware support it on most of their modern switch chips. Well, it's more like MikroTik hardware supports the most cost-effective chips. Which router/switch SoCs supports flow and congestion control like PFC, ECN, ETS, DCTCP, etc? A NIC starting with $15 Connect-X 3 al...
by Larsa
Thu May 02, 2024 4:54 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3553

Re: [Feature Request] Data Center Bridge support

@galvesribeiro RoCE does work with any regular switch/router. However as I pointed out previously, efficiency regarding latency, flow control and buffering will of course vary depending on the environment. RoCE simply transports regular Ethernet frames to another NIC using L2/L3. The receiving NIC's...
by Larsa
Thu May 02, 2024 2:45 pm
Forum: Beginner Basics
Topic: Unable to block YOUTUBE,FACEBOOK,...
Replies: 4
Views: 391

Re: Unable to block YOUTUBE,FACEBOOK,...

Just like Rextended pointed out, it's nearly an impossible task with a standard router. There are plenty of threads about it, such as the recent one viewtopic.php?p=1072794
by Larsa
Thu May 02, 2024 1:39 pm
Forum: General
Topic: [Feature Request] Data Center Bridge support
Replies: 24
Views: 3553

Re: [Feature Request] Data Center Bridge support

@galvesribeiro - as you pointed out, "Enterprise and Data Center products" is a marketing term and can mean anything. If you are in the data storage business, it's probably wise to assess your technical requirements before making a purchase. RoCE traffic can be transported over any standar...
by Larsa
Tue Apr 30, 2024 11:13 pm
Forum: Beginner Basics
Topic: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x
Replies: 6
Views: 493

Re: How to route a IPv6 pool to local IPv4 e.g.192.168.101.x

You might want to have a look at public NAT64 services as a workaround: https://nat64.net/public-providers
by Larsa
Mon Apr 29, 2024 11:52 pm
Forum: General
Topic: How to block YouTube effectively
Replies: 37
Views: 2499

Re: How to block YouTube effectively

And Youtube runs over UDP when possible, which "TLS host" does not support. Well yes, sort of. ;-) It all depends on the video source and whether you're using the HTML5 video player which supports several streaming protocols such as HLS, RTMP/RTMPS, and DASH. For example, MPEG-DASH (high-...
by Larsa
Mon Apr 29, 2024 5:03 pm
Forum: General
Topic: How to block YouTube effectively
Replies: 37
Views: 2499

Re: How to block YouTube effectively

Nowadays, even the SNI field (TLS Host) is often encrypted using ESNI encryption.
by Larsa
Mon Apr 29, 2024 4:43 pm
Forum: General
Topic: Advice on choosing WiFi equipment
Replies: 15
Views: 801

Re: Advice on choosing WiFi equipment

Well, that's also an option. Though, I wouldn't bet on a high success rate in this case...
by Larsa
Mon Apr 29, 2024 3:22 pm
Forum: General
Topic: Advice on choosing WiFi equipment
Replies: 15
Views: 801

Re: Advice on choosing WiFi equipment

@MDZT, just be aware that certain 60GHz equipment designed for long-range might encounter issues with shorter distances. I recommend checking with Mikrotik support before making a purchase.
by Larsa
Fri Apr 26, 2024 12:08 pm
Forum: Scripting
Topic: Schedule
Replies: 5
Views: 398

Re: Schedule

What's wrong with that suggestion? Imo, it's simple and easy to understand. :if (26 = [:pick begin=8 end=10 [/system/clock/get date as-string]]) do={ :put "today is the 26th" } or perhaps :local day [:pick begin=8 end=10 [/system/clock/get date as-string]] :if ($day = 26) do={ :put "t...
by Larsa
Fri Apr 26, 2024 12:13 am
Forum: Announcements
Topic: v7.15rc [testing] is released!
Replies: 305
Views: 78754

Re: v7.15rc [testing] is released!

If you can't find it in the release notes, it's probably not there, right? You'll have to manage with the already built-in flow control. If you really want BQL, I believe it's better to open a support ticket with a well-founded argument about why, instead of mentioning it in a user forum. EDIT: @hol...
by Larsa
Thu Apr 25, 2024 5:01 pm
Forum: Beginner Basics
Topic: BTH between two mikrotik devices [SOLVED]
Replies: 9
Views: 2617

Re: BTH between two mikrotik devices [SOLVED]

I think @Normis' suggestion sounds good, i.e., if you have Arm-based devices, you’re able to install ZeroTier (which can cope with CG-NAT) directly on the routers. Alternatively, you might use a computer on each network to act as a hub and install ZeroTier, TailScale, or similar software.
by Larsa
Thu Apr 25, 2024 12:30 pm
Forum: Scripting
Topic: Is 8MB in a variable from a txt file is possible?
Replies: 54
Views: 3592

Re: Is 8MB in a variable from a txt file is possible?

I believe that https://iplists.firehol.org has the most comprehensive collection of IP address lists, statistics, and clickable maps indicating where the crooks are located. Palo Alto is one of many contributors.
by Larsa
Wed Apr 24, 2024 2:40 pm
Forum: Scripting
Topic: How to use fetch tool with IPv6
Replies: 9
Views: 616

Re: How to use fetch tool with IPv6

Yeah, that's likely a functional but ugly workaround for a flawed dual-stack management. Let's hope MT will fix this eventually.
by Larsa
Wed Apr 24, 2024 12:37 am
Forum: Scripting
Topic: How to use fetch tool with IPv6
Replies: 9
Views: 616

Re: How to use fetch tool with IPv6

@Radek01: The short answer is: you can't.

The reason is that ROS unfortunately lacks capabilities to control the dual-stack for embedded tools and services such as IPsec, WireGuard, DNS, IP Cloud, resolver, fetch, etc.
by Larsa
Tue Apr 23, 2024 11:14 pm
Forum: General
Topic: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"
Replies: 7
Views: 1087

Re: fetch error since 7.13: "failure: ERROR parsing http: there was no content-length or transfer-encoding"

Hi @brunolabozzetta! Since this is a user forum, it's probably better if you contact MikroTik directly via email at "support@mikrotik.com" or open a support ticket using the link "https://help.mikrotik.com/servicedesk/servicedesk." //BR, Larsa.
by Larsa
Sat Apr 20, 2024 11:26 am
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1902

Re: SFP info dont appear in ROS v7 x86

As I wrote in another thread, PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scen...
by Larsa
Fri Apr 19, 2024 11:33 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1272

Re: Feature Request for x86 and CHR for SFP Menu tab

PCIe passthrough and IO-SRV require specially tailored drivers from the manufacturer, i.e. not something MT is involved with. Additionally, special APIs are needed to manage the driver, and these must be adopted by CHR for each new device to enable ROS management, a scenario that probably won’t happen.
by Larsa
Fri Apr 19, 2024 11:30 pm
Forum: RouterOS beta
Topic: SFP info dont appear in ROS v7 x86
Replies: 5
Views: 1902

Re: SFP info dont appear in ROS v7 x86

When running CHR in a virtual machine, all NICs and drivers are managed by the virtual host.
by Larsa
Thu Apr 18, 2024 11:34 pm
Forum: Scripting
Topic: Can't Query Graphql site
Replies: 26
Views: 1536

Re: Can't Query Graphql site

Possibly in a slim container, if the hardware allows, but it feels a bit overkill. I mean, it should be possible to get 'fetch' to work, but how to locate the root cause of the error is probably the $100,000 question. Have you checked it's not an SSL certificate issue on either side?
by Larsa
Thu Apr 18, 2024 11:03 pm
Forum: Beginner Basics
Topic: Using RB5009 in bridge mode [SOLVED]
Replies: 14
Views: 3545

Re: Using RB5009 in bridge mode [SOLVED]

You only need ISP/ONT <-> (PPPoE) RB5009 <-> LAN (unless the 'second router' has a magical feature set you can't live without). The RB5009 will manage both PPP and DHCP.
by Larsa
Thu Apr 18, 2024 12:49 pm
Forum: RouterOS beta
Topic: Feature Request for x86 and CHR for SFP Menu tab
Replies: 4
Views: 1272

Re: Feature Request for x86 and CHR for SFP Menu tab

As CHR runs in a virtual environment, all NICs/SFPs are managed by the host environment. When it comes to x86 'bare metal' setups, support for NIC drivers is limited.
by Larsa
Wed Apr 17, 2024 12:38 pm
Forum: Beginner Basics
Topic: Loading ONIE images on Mikrotik Switches
Replies: 6
Views: 615

Re: Loading ONIE images on Mikrotik Switches

Hi @Evaluator, and welcome to the forum! Although ONIE is a great idea, I believe it might be difficult to implement on a large portion of MikroTik's product range since many of the low-end devices have limitations in terms of memory and storage. However, I'd love to see ONIE supported on future mid-...
by Larsa
Wed Apr 17, 2024 11:45 am
Forum: General
Topic: Is Mikrotik's Firewall enough to protect a medium enterprise?
Replies: 21
Views: 1269

Re: Is Mikrotik's Firewall enough to protect a medium enterprise?

@phascogale: Firewalla , along with other 'Smart' or 'Next-Generation' firewalls, cannot perform deep packet inspection on encrypted traffic without utilizing SSL/TLS termination. They primarily rely on fundamental info such as endpoint ip addresses, stream sizes, etc. Even SNI (ESNI) is encrypted n...
by Larsa
Tue Apr 16, 2024 10:48 pm
Forum: General
Topic: Is Mikrotik's Firewall enough to protect a medium enterprise?
Replies: 21
Views: 1269

Re: Is Mikrotik's Firewall enough to protect a medium enterprise?

Layer 7 firewalls are pretty useless without SSL Termination which usually requires extensive configuration.
by Larsa
Mon Apr 15, 2024 3:51 pm
Forum: Forwarding Protocols
Topic: Single-hop BFD session is not restored after reboot or power outage
Replies: 6
Views: 764

Re: Single-hop BFD session is not restored after reboot or power outage

I would like to get some feedback from the developers.

Since this is a user forum, I believe you have a better chance of getting a response if you direct your question to: support@mikrotik.com.
by Larsa
Mon Apr 15, 2024 3:30 pm
Forum: Virtualization
Topic: CHR tx-queue-drops-per-second
Replies: 8
Views: 10028

Re: CHR tx-queue-drops-per-second

Not necessarily. It ultimately depends on how well the driver is developed specifically for each solution. With a single NIC used solely by one guest OS, the difference is probably not even measurable with modern drivers. The major difference is that a NIC using PCI passthrough (VMware DirectPath) b...
by Larsa
Fri Apr 12, 2024 8:59 pm
Forum: Beginner Basics
Topic: Mikrotik documentation
Replies: 10
Views: 779

Re: Mikrotik documentation

Cron job :D You underestimate Atlassian. It's such a complicated mess. Well, Jira/Confluence might be perceived as 'messy' in the same way as ROS might be for novices. 😉 These products are complex toolkits capable of doing almost anything but require solid knowledge and experience to set up effect...
by Larsa
Thu Apr 11, 2024 8:39 pm
Forum: Virtualization
Topic: Public IP on Azure CHR
Replies: 3
Views: 463

Re: Public IP on Azure CHR

@mugeno - if you've already paid for it and obtained the public IP address, this guide serves as a good starting point: "Microsoft - Associate a public IP address to a virtual machine". Here is some other good stuff about Azure networking: https://learn.microsoft.com/en-us/azure/virtual-...
by Larsa
Thu Apr 11, 2024 1:03 am
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 522

Re: OSPF default route

Now I get it. I completely missed the part that CMC wasn't configured with OSPF.
by Larsa
Mon Apr 08, 2024 7:43 pm
Forum: Forwarding Protocols
Topic: OSPF default route
Replies: 3
Views: 522

Re: OSPF default route

Check out "originate-default" in "help.mikrotik.com/docs/display/ROS/OSPF". It can also be combined with routing filters.
by Larsa
Fri Apr 05, 2024 12:29 am
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1810

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

SD-WAN has been around for over a decade and is now more or less a de facto standard so calling it 'hype' feels somewhat exaggerated. A general guideline is to consider implementing SD-WAN when your network exceeds 10 links. Anyhow, regarding this particular case it's important to consider future ne...
by Larsa
Thu Apr 04, 2024 12:40 am
Forum: Beginner Basics
Topic: Not getting wireline speeds
Replies: 28
Views: 1349

Re: Not getting wireline speeds

@trivex, no offense intended, but a great place to start your research before buying any networking gear is always the manufacturer's own website. MikroTik has organized all its products into categories like switches, routers, and more: mikrotik.com/products.
by Larsa
Tue Apr 02, 2024 8:32 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1810

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

By "THIRD PARTY," I presume you mean third-party "cloud services." Most SD-WAN solutions offer both cloud-based services and on-premises support. If you prefer, Mikrotik ZeroTier includes an on-premises controller that makes you independent of third-party cloud services. However,...
by Larsa
Tue Apr 02, 2024 5:04 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

What's new in 7.15beta9 (2024-Mar-27 21:55): *) console - added "sanitize-names" property under "/console/settings" menu (option for replacing reserved characters with underscores for files, disabled by default); Thank you! The opt-in method is preferred when introducing breakin...
by Larsa
Tue Apr 02, 2024 4:43 pm
Forum: General
Topic: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]
Replies: 34
Views: 1810

Re: Connectivity to customers mikrotiks via Wireguard. Good idea? [SOLVED]

We initially started using WireGuard but as we scaled up it became unmanageable (a real pain in the neck to be honest) to administer so we've completely transitioned to ZeroTier for OOB administration. Also, the overhead for path search traffic is negligible, even in 4G. ZeroTier is extremely easy t...
by Larsa
Fri Mar 29, 2024 11:18 pm
Forum: General
Topic: Wireguard education? [SOLVED]
Replies: 3
Views: 431

Re: Wireguard education? [SOLVED]

Check out the Pro Custodibus blogs about WireGuard which are absolutely outstanding in my opinion. For example, start with "Primary WireGuard Topologies".

Happy Easter!
by Larsa
Fri Mar 29, 2024 10:39 pm
Forum: General
Topic: Wireguard education needed
Replies: 7
Views: 841

Re: Wireguard education needed

The issue is not really a configuration issue as much as a question on how the VPN protocol works, and if this can be explained. Check out the Pro Custodibus blogs about WireGuard which are absolutely outstanding in my opinion. For example, have a look at "Primary WireGuard Topologies" I...
by Larsa
Mon Mar 25, 2024 7:35 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 933

Re: execute & parse

Couldn't agree more. There is clearly something flawed when all sorts of workarounds pop up in the flow..
by Larsa
Mon Mar 25, 2024 6:48 pm
Forum: Scripting
Topic: execute & parse
Replies: 15
Views: 933

Re: execute & parse

:return [[:parse ":global $1 ; :return [\$$1 $2]"]] Yeah, that's a good one-liner. Here's another neat trick if you want to call system scripts with arguments. This also works with "[/file get /dirname/scriptname contents]" if you prefer to store your scripts in a different loca...
by Larsa
Thu Mar 21, 2024 10:27 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

Regarding 7.15beta8 (2024-Mar-21 09:12) and inconsistent rules for valid characters in filenames. Check viewtopic.php?p=1065213#p1065213
by Larsa
Thu Mar 21, 2024 10:17 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

The arbitrary acceptance and rejection of certain characters in filenames cause unnecessary support system disruptions. There is still a bug in 7.15beta8 (2024-Mar-21 09:12) that prevents our backup and version control systems from working properly when filenames contain spaces due to script incom...
by Larsa
Thu Mar 21, 2024 8:11 pm
Forum: General
Topic: Loop Dos CVE-2024-2169 Mikrotik
Replies: 3
Views: 751

Re: Loop Dos CVE-2024-2169 Mikrotik

Just a friendly reminder: Never ever expose TFTP or similar services directly to the internet. Doing so poses serious security risks, otherwise you don't have to worry about CVE-2024-2169.
by Larsa
Thu Mar 21, 2024 7:53 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

What's new in 7.15beta8 (2024-Mar-21 09:12): *) wireguard - added option to mark peer as responder only (CLI only); *) route - rework of route attributes; Regrettably, I haven't spent as much time on testing as I planned, but wonder if this might possibly solve the issue with the handshake response ...
by Larsa
Thu Mar 21, 2024 4:38 pm
Forum: General
Topic: CHR or Ethernet router?
Replies: 5
Views: 708

Re: CHR or Ethernet router?

In short:

1. If you're running CHR/x64, use IPsec. This platform can scale up practically infinitely.
2. If you're running a Mikrotik with AES hardware acceleration, use IPsec. Check throughput limitation using the 512-byte column on the product page.
3. In all other cases, use WireGuard.
by Larsa
Thu Mar 21, 2024 1:27 pm
Forum: General
Topic: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN [SOLVED]
Replies: 2
Views: 2528

Re: CGNAT IP range conflict between Starlink and Tailscale site-to-site VPN [SOLVED]

Some suggestions: Set up your own TailScale address pool, use IPv6, or switch to ZeroTier. RB5009 has built-in support for ZeroTier which allows you to pick any or multiple private subnets and also set individual static addresses on any device. There is no problem running ZeroTier and Tailscale in ...
by Larsa
Wed Mar 20, 2024 9:57 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 725

Re: Configuration for hidden ZeroTier features

I hadn't looked at the ZT changes in a bit – the config has grown a lot. I just don't see how RouterOS could keep up in a reasonable time frame. Yeah, it feels like I've been waiting far too long for both Multipath and Trusted Path for ROS. And yes, JSON support would be awesome! Another thin...
by Larsa
Wed Mar 20, 2024 9:01 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 725

Re: Configuration for hidden ZeroTier features

Yeah, looks like we need to start collecting some dough to sort this out once and for all! ;-) The ZeroTier client library itself is very small and accessible using a single API. Configuration is managed using parameters that are either retrieved from a configuration file or controlled directly via ...
by Larsa
Wed Mar 20, 2024 7:31 pm
Forum: Scripting
Topic: DDNS Cloudflare script
Replies: 4
Views: 1250

Re: DDNS Cloudflare script

Hello @nocivo! If you want to explore similar solutions to figure out how they work, you can search for mikrotik Cloudflare script on github.
by Larsa
Wed Mar 20, 2024 5:23 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2008

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some highly important factors I think you should consider before making any decisions: Encryption and throughput bottlenecks: WireGuard encryption (ChaCha20) is software-based and lacks hardware acceleration support (on any platform) unlike IPsec. Consequently, the total throughput is cons...
by Larsa
Wed Mar 20, 2024 4:46 pm
Forum: General
Topic: Configuration for hidden ZeroTier features
Replies: 9
Views: 725

Re: Configuration for hidden ZeroTier features

Well, I would also call those options hidden since they all are a part of the current ZeroTier version included with RouterOS which simply lacks the ability to configure them. Adding AES hardware acceleration would also be a major enhancement as well as an upgrade to v1.12. This version prevents pat...
by Larsa
Wed Mar 20, 2024 4:14 pm
Forum: General
Topic: REQUEST: Paid technical support plans
Replies: 16
Views: 1022

Re: REQUEST: Paid technical support plans

I'd start by hiring the Canadian Lama, he's probably dead cheap but still a rascal at finding bugs and possible workarounds! 😋
by Larsa
Wed Mar 20, 2024 12:49 am
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2008

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

There are some GPO hacks using scripting that might be used as a baseline but I'd never use them as a replacement for SD-WAN. You still have to support end users or the branch office with manual administration when things go south. If you prefer not to depend on a third-party web server provider for ...
by Larsa
Tue Mar 19, 2024 11:29 pm
Forum: General
Topic: Use Mikrotik's HotSpot solution to unblock Wireguard???
Replies: 24
Views: 2008

Re: Use Mikrotik's HotSpot solution to unblock Wireguard???

I strongly advise against using WireGuard in this case. Manually administering 150 WireGuard connections will likely be a counterproductive solution. It will probably result in complex manual administrational (nightmare) tasks with the risk of long lead times and ultimately lead to increased costs f...
by Larsa
Tue Mar 19, 2024 6:02 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 988

Re: WireGuard useful learning [Linux]

It's true that OpenVPN is often configured in a "client/server" style especially for remote access use cases. However, the same applies to WireGuard. Both of these tunnel protocols, along with IPsec and SSTP, have the flexibility to act as "initiators" or passive "responders...
by Larsa
Mon Mar 18, 2024 9:08 pm
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 988

Re: WireGuard useful learning [Linux]

I'm sorry, but I have terrible allergies to such things so I've never dared to try! ;-) Btw, @DarkNate, can you please explain what a "client/server" tunnel is to a dummy like me?
by Larsa
Mon Mar 18, 2024 7:22 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

Okay, I thought your question was: 'My question remains valid: why do you need spaces? Or is it just a personal decision?' (Or did I miss something??)
by Larsa
Mon Mar 18, 2024 7:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

@t0mm13b: *) console - replace reserved characters to backup and certificate export file names with underscores;

Yes @t0mm13b, you've nailed the core issue of this thread!
--

@infabo: I think it was stated pretty clear in the previous post. Is there anything I need to clarify?
by Larsa
Mon Mar 18, 2024 7:07 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

SUP-147326 - "v7.15beta brakes file naming and script compatibility"
by Larsa
Mon Mar 18, 2024 6:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

@infabo The real question to be asked is: why do you need them? @infabo: If you had read the thread from the beginning, you wouldn't have needed to ask that question. @t0mm13b: The core issues are compatibility and why Mikrotik's proposed changes would break existing scripts and support systems. De...
by Larsa
Mon Mar 18, 2024 4:12 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

I'd prefer if we focus on OP's issue of how to best preserve script compatibility when it comes to potential limitations in file naming. In my opinion, at an absolute minimum, "spaces" and printable 7-bit ASCII characters that are compatible across common file systems (Windows, Linux, macO...
by Larsa
Thu Mar 14, 2024 11:59 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

The major issue at stake here is script compatibility when using spaces (and similar common characters) in filenames, not control characters or UTF-8/16.
by Larsa
Thu Mar 14, 2024 10:01 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

The technical stuff you write about might very well be true, and I truly agree regarding the poor choices that MT is about to make in this case. As I wrote in an another comment: To maintain script compatibility as much as possible, I believe it would be easier to focus on allowed characters rather ...
by Larsa
Thu Mar 14, 2024 8:33 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

Problem is: where do you define the bounds. Characters like / : \ can also cause trouble. People have used date/time as part of a filename and ran into "inexplicable problems". At least that does not happen anymore. To maintain script compatibility as much as possible, I believe it would ...
by Larsa
Thu Mar 14, 2024 5:44 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

@jaclaz, regarding the second link, it seems less focused on the actual problem regarding script compatibility issues caused by spaces in filenames and more like 'whataboutism' disguised as academic debate. I mean, this has a serious impact for both the OP and others who rely on scripts that handle spac...
by Larsa
Thu Mar 14, 2024 4:08 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

Well, no! ;-) Windows defaults to UTF-16 as its internal representation but has strong support for working with UTF-8 in addition to the legacy CP-1252 and similar encodings. For example, Notepad uses either ANSI or UTF-8. The rest of the world defaults to UTF-8. However, none are limited to legacy ...
by Larsa
Thu Mar 14, 2024 3:45 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

All major operating systems like Windows, macOS, Linux, z/OS, Android and iOS utilize UTF-8. What other OS might have the compatibility issue you are referring to?
by Larsa
Thu Mar 14, 2024 2:48 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

That's beside the point. You should NEVER EVER break script compatibility unless absolutely necessary. And the potential identity issue you're describing is merely a side effect of the change that breaks script compatibility, not the root cause! I do have a certain understanding they want to avoid c...
by Larsa
Thu Mar 14, 2024 2:31 pm
Forum: Announcements
Topic: v7.15beta [testing] is released!
Replies: 503
Views: 130205

Re: v7.15beta [testing] is released!

MikroTik has once AGAIN managed to break script compatibility by prohibiting something as common as spaces(!) in file names. I have zero understanding of this as it affects our current solutions for version control and backup which now must be modified and tested on all nodes before we can even cons...
by Larsa
Thu Mar 14, 2024 1:42 pm
Forum: General
Topic: v7.15beta broke backup file naming
Replies: 46
Views: 3497

Re: v7.15beta broke backup file naming

This is yet another piece of evidence and major reason one should try to avoid RoS scripting in production at all costs as Mikrotik might break compatibility without notice at any time. Since this isn't the first time (and probably not the last) that Mikrotik breaks script compatibility, I think it'...
by Larsa
Wed Mar 13, 2024 2:06 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

OT - Yeah, BPF has evolved from a pure filtering mechanism into a highly versatile virtual machine (VM) or "sandbox" within the kernel. Just like Wasm, source code is compiled in user-space to bytecode and executed using JIT within the VM. eBPF is incredibly flexible and might work wonders i...
by Larsa
Wed Mar 13, 2024 2:03 pm
Forum: Beginner Basics
Topic: Slow Throughput CHR virtual within Proxmox [SOLVED]
Replies: 8
Views: 3570

Re: Slow Throughput CHR virtual within Proxmox [SOLVED]

I've made the same mistake plenty of times. My first thought that always pops up is there might be an issue with the NIC before I finally realize I forgot to activate the license, i.e. CHR is running in 'free license mode'. I think MikroTik should introduce some kind of warning when running in 'free...
by Larsa
Wed Mar 13, 2024 1:21 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

Neither DPDK nor eBPF/XDP is in any way related to SR-IOV, which is a standard hardware-level technology for I/O virtualization offering bare-metal throughput. Additionally, ROS uses Linux kernel netfilter/nftables, not Berkeley Packet Filter or DPDK which are a bunch of user-land network drivers an...
by Larsa
Tue Mar 12, 2024 11:45 pm
Forum: General
Topic: Intel I210 compatibility (pcie 1x)
Replies: 3
Views: 832

Re: Intel I210 compatibility (pcie 1x)

Hi! Since this is mainly a user forum, you have a better chance of getting a relevant answer directly from Mikrotik by contacting support@mikrotik.com.
by Larsa
Fri Mar 08, 2024 1:31 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

@Anav - I'm biding my time by exploring possible alternatives since I have no need for quick fixes. Meanwhile, I do appreciate and rely on your tireless effort to make life easier for the users in this forum! 😘 @Amm0: You read my mind! I was thinking of testing that along with some variations of nat...
by Larsa
Thu Mar 07, 2024 11:14 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Considering the recent fiasco where the change of date format broke script compatibility we want to minimize script use in production environments whenever possible. And the sad thing is, the date format could have been easily fixed without breaking script compatibility. This 'small' oversight makes...
by Larsa
Thu Mar 07, 2024 9:21 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

@wfburton/Amm0, I have a similar idea that doesn't involve separate routing tables.
by Larsa
Thu Mar 07, 2024 8:35 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Yep, that sounds about right! The whole exercise has currently resulted in two different issues: Q1. Why are WireGuard handshake responses sent through default gateway rather than the originating interface? My initial research indicates this is a known issue with some proposed fixes already sent ups...
by Larsa
Thu Mar 07, 2024 6:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

You'll probably have a greater chance of getting assistance in connecting VyOS with ROS if you open a separate thread for it.
by Larsa
Thu Mar 07, 2024 6:27 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

WireGuard, like IPsec, doesn't appear as a service like FTP; they have separate configuration menus. Btw, what are you trying to say using the VyOS commands?
by Larsa
Thu Mar 07, 2024 6:03 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Yup, it's the starting point itself that creates the initial hurdle in a multi-WAN environment. I'm trying to identify how different configurations behave, for example by using different subnets on the WAN interfaces. One test I've performed is with ether1 as the default gateway and five WAN interfa...
by Larsa
Thu Mar 07, 2024 1:09 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

@anav: RoS is actually following correctly its Operating System code on how to route traffic. I'm sorry, but there is no such thing! The Linux network engine is configured and controlled dynamically entirely by ROS. That's how Linux-based routers operate. It does whatever you tell it to do. If yo...
by Larsa
Wed Mar 06, 2024 5:11 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Haha, but of course! My personal take on this is that all built-in services should behave the same when it comes to routing and connection tracking. I see no obvious reason why they shouldn't.
by Larsa
Wed Mar 06, 2024 5:06 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

I'm pretty sure the standard response would be it's a feature, not a bug! :-) But it is the kernel that actually stores, manages, and executes the routing rules using nftables, it's just the configuration hassle that occurs in userland, i.e. ROS. The connection tracker is tightly coupled to the nfta...
by Larsa
Wed Mar 06, 2024 4:29 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 2961

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

As the new 60Pro AC implements 802.11ay it should support AES-GCM or WPA3.
by Larsa
Wed Mar 06, 2024 4:09 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

One wouldn't need specialized DHCP scripts if Mikrotik fixed its connection tracker to use the incoming interface address as the outgoing source address. I'll try to create a simple diagram and some packet traces that illustrate the whole thing, but considering your previous response you seem to hav...
by Larsa
Wed Mar 06, 2024 3:52 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

@Anav, unfortunately you're still missing the point but Ammo seems to grasp it. In short, ROS connection tracker mishandles WireGuard handshakes. It forces response packets through the default gateway, breaking the protocol if the initial handshake came from a different interface. See Example 2 for ...
by Larsa
Wed Mar 06, 2024 2:38 pm
Forum: Wireless Networking
Topic: Due Dilligence Question - Cube 60ACPro [SOLVED]
Replies: 15
Views: 2961

Re: Due Dilligence Question - Cube 60ACPro [SOLVED]

The OP asked what type of security is used which unfortunately isn't stated in the product description. Presumably, the wireless encryption is performed with some kind of AES-GCM/WPA3, but to be sure drop an email to sales@mikrotik.com. EDIT: feel free to ask the Mikrotik sales team to update the pr...
by Larsa
Wed Mar 06, 2024 1:49 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 393

Re: WANGUARD DUAL WAN HA

Thanks for the answer. How did you go about configuring routing policies for multiple WANs? I have set incoming connection marking and routing marking for the appropriate WAN link, but it does not work for wireguard because during the handshake, the peer that responds to the query sends traffic thr...
by Larsa
Wed Mar 06, 2024 1:22 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Well, NO! but let me get back to you with a full trace FYI. I dare you to set up your own lab environment with just two WAN interfaces and test it yourself. You don't have to bother using dynamic IP addresses. The task you are to perform is to connect a WireGuard client with a fully functioning conn...
by Larsa
Wed Mar 06, 2024 12:50 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

@wfburton, please create a separate thread if you are not interested in this specific topic. @Anav, all that dst-nat, prerouting, and connection marking stuff you posted about is completely irrelevant when it comes to the handshake dilemma. Are you sure you understand where the issue occurs according...
by Larsa
Tue Mar 05, 2024 10:28 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

I'm sorry, but I don't understand what you mean by "user/group policy" and "User333 belongs to vpn333 group connect to wan333" ?? How does this in any way relate to the asymmetric routing issues that I described earlier in example 2?
by Larsa
Tue Mar 05, 2024 10:19 pm
Forum: General
Topic: How to assing a dynamic route to a routing table
Replies: 4
Views: 400

Re: How to assing a dynamic route to a routing table

I can use the script, but I consider it a dirty work, why Mikrotik simply doesn't let us assign a default gateway from dynamic connection to a routing table? This is also a mystery. I completely agree! And I truly hope Mikrotik implements a simpler solution like /routing/rule src-interface =xxxx o...
by Larsa
Tue Mar 05, 2024 9:47 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

I guess I don't understand your point then, wish I could help but it's beyond my knowledge scope. It isn't that complicated. Here's a brief illustration of how the issue with WireGuard differs from a built-in service like FTP that works as expected. Let's use a couple of examples to show the handshak...
by Larsa
Tue Mar 05, 2024 2:19 am
Forum: General
Topic: WANGUARD DUAL WAN HA
Replies: 4
Views: 393

Re: WANGUARD DUAL WAN HA

I've done it myself so there should be no problem at all using OSPF and optional BFD for fast failover.

Another option is to use ZeroTier which automatically utilizes all available links and also enables easy access from mobile devices, home offices, etc.
by Larsa
Tue Mar 05, 2024 1:27 am
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

Thanks for the response but that wasn't a particularly good suggestion for a cleaner policy routing to address the issue with multiple WAN addresses. As I've mentioned several times now: 1) you are not able to make use of mangling during the handshake process until it is completed. 2) To complete th...
by Larsa
Tue Mar 05, 2024 12:20 am
Forum: General
Topic: WireGuard useful learning [Linux]
Replies: 8
Views: 988

Re: WireGuard useful learning [Linux]

Let me rephrase that for both of you! ;-)
WireGuard is an encrypted tunnel protocol that can be used in all types of topologies, including client/server, spoke/hub, mesh, and much more. @mozerd, great articles btw!
by Larsa
Mon Mar 04, 2024 11:38 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

Re: WireGuard Multi-WAN Policy Routing

G'day Anav, my sincere apologies if this is a bit too complex for you! :-) I meant precisely what I wrote: a conceptual question regarding issues with the internal WireGuard handshake process in a multi-WAN environment with no specific scenario in mind. One challenge with the WireGuard initial handsh...
by Larsa
Mon Mar 04, 2024 9:01 pm
Forum: General
Topic: WireGuard Multi-WAN Policy Routing
Replies: 83
Views: 5696

WireGuard Multi-WAN Policy Routing

I have a conceptual question regarding WireGuard in a multi-WAN environment using dynamic addresses. Problem: in ROS, when a passive WireGuard peer receives its initial handshake (i.e., when connection-state = new), the state machine doesn't keep track of either the destination address or the inboun...
by Larsa
Fri Mar 01, 2024 10:45 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 662
Views: 193507

Re: v7.14 [stable] is released!

@hargen: I can confirm that it works, but one has to wait for 20 attempts before receiving the message "Handshake for peer did not complete after 20 attempts, giving up," and then it goes silent. If you re-enable "Keep alive" it starts all over again. Well spotted in finding the ...
by Larsa
Fri Mar 01, 2024 9:41 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 426

Re: CAKE

You are welcome, have a nice weekend!
by Larsa
Fri Mar 01, 2024 8:32 pm
Forum: Beginner Basics
Topic: CAKE
Replies: 3
Views: 426

Re: CAKE

Yeah, Cake is only implemented in v7.
by Larsa
Fri Mar 01, 2024 8:13 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1019

Re: OSPF over Wireguard links

Yeah, good suggestion. If the wg-interface used for OSPF isn't listed in the LAN device list, you'll need to specify that port explicitly. This also affects the forward chain for routing.
by Larsa
Fri Mar 01, 2024 6:35 pm
Forum: Forwarding Protocols
Topic: BUG: OSPFv3 stub area Intra-Area-Router doesn't get default route
Replies: 1
Views: 272

Re: BUG: OSPFv3 stub area Intra-Area-Router doesn't get default route

We are working on a similar case but we need to verify that it's not caused by a misconfiguration due to some old static routes or an actual bug. Please feel free to report back any feedback from Mikrotik.
by Larsa
Fri Mar 01, 2024 4:58 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1019

Re: OSPF over Wireguard links

I'm sorry, but that simply isn't true! Are you taking advice from ChatGPT? ;-)
by Larsa
Fri Mar 01, 2024 4:50 pm
Forum: Virtualization
Topic: CHR 7.14/7.15b4 can't find network interface in Vultr
Replies: 9
Views: 1555

Re: CHR 7.14RC3/RC4 can't find network interface in Vultr

Is 7.14 removing some NIC drivers?

Similar issues have been reported regarding other virtual environments. Check forum.mikrotik.com/viewtopic.php?t=205097 for possible workarounds.
by Larsa
Fri Mar 01, 2024 4:09 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1019

Re: OSPF over Wireguard links

Nice picture, but unfortunately it's pretty difficult to say anything else since it lacks info about networks and interface addresses. Let's begin with router 2 and 3. Btw, is this a single or multi-area topology?
by Larsa
Fri Mar 01, 2024 12:36 am
Forum: General
Topic: Possible? ZeroTier Low Bandwidth Mode
Replies: 9
Views: 831

Re: Possible? ZeroTier Low Bandwidth Mode

Thanks for all your comments and hoping that MikroTik will upgrade the ZT package to a higher version soon. I hope so too, but the current version of ZeroTier in ROS actually supports features like Multi-Path, Low Bandwidth, Trusted Path, as well as hardware AES acceleration. However, none of these...
by Larsa
Thu Feb 29, 2024 11:04 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 662
Views: 193507

Re: v7.14 [stable] is released!

Regarding "wireguard, debug: Sending handshake initiation to peer (0.0.0.0:0)" on passive peers. This is just pure speculation and I might be completely wrong; but after some troubleshooting it seems that MNDP might trigger passive WireGuard peers to attempt to establish a connection despi...
by Larsa
Thu Feb 29, 2024 10:24 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 662
Views: 193507

Re: v7.14 [stable] is released!

@strods, what about "Sending handshake initiation to peer (0.0.0.0:0)" from passive peers? Btw, IMO flooding standard "info" with misleading error messages sends wrong signals. > @Znevna: You have packets flying towards those peers. Stop the packets, the flooding will stop. Or hi...
by Larsa
Thu Feb 29, 2024 9:42 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 662
Views: 193507

Re: v7.14 [stable] is released!

Something fishy is going on with passive WireGuard peers since it seems they are all trying to establish an active connection to the destination address 0.0.0.0, port 0. The WireGuard debug log is flooded with entries like: " wireguard, debug: WG-xxxx: ... Sending handshake initiation to peer (...
by Larsa
Thu Feb 29, 2024 9:23 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 662
Views: 193507

Re: v7.14 [stable] is released!

I'm getting endless messages 'Handshake for peer did not complete after 5 seconds, retrying (try 2)' in log. I've upgraded a couple of lab routers and I'm getting the exact same status flooding from all passive WireGuard peers, i.e. those defined without endpoint addresses. This applies to both IPv6 ...
by Larsa
Thu Feb 29, 2024 6:29 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1019

Re: OSPF over Wireguard links

Unfortunately, there is no built-in automatic "discovery" functionality in OSPF. All included networks/subnets must be explicitly defined somewhere. For example, if a router is connecting two areas (i.e. acting as an OSPF Area Border Router) both networks must be defined for their respecti...
by Larsa
Thu Feb 29, 2024 5:03 pm
Forum: Forwarding Protocols
Topic: OSPF over Wireguard links
Replies: 11
Views: 1019

Re: OSPF over Wireguard links

I'm not exactly sure what you mean by "OSPF for routing networks behind the router," but you have to define all networks that should be routed using OSPF. Adjacent ones don't propagate automatically. Here are a couple of short and concise step-by-step labs that might cover what you need: &...
by Larsa
Wed Feb 28, 2024 11:12 pm
Forum: Virtualization
Topic: CHR image for ARM systems?
Replies: 18
Views: 7100

Re: CHR image for ARM systems?

Ampere Computing LLC, with brands like Ampere Altra and Ampere One, is a family of processors with different design objectives where some models are optimized for networking.
by Larsa
Wed Feb 28, 2024 9:12 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1375

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

It's working alright, though you'll need to be more specific about your intentions regarding subnetting and NATting, for example if you plan to use ULA or specify a prefix, etc. Additionally, including a brief overview of your network topology might help members of this forum better understand your ...
by Larsa
Wed Feb 28, 2024 7:50 pm
Forum: Beginner Basics
Topic: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]
Replies: 8
Views: 913

Re: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]

Great, well done! Regarding the lte1 IPv4 address you are correct as the 100.75.30.120 IP is a CGNAT address. Enable IPv6 to obtain a public IP address (IPv6 GUA).
by Larsa
Wed Feb 28, 2024 5:48 pm
Forum: Beginner Basics
Topic: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]
Replies: 8
Views: 913

Re: MikroTik | SXTR&FG621-EA LTE - no internet [SOLVED]

Okay, you have at least a registered LTE connection which is a good start. Run these commands so we might see where it cracks. Btw, feel free to mask out any public IP address if not NATed. /interface/lte/monitor lte1 once without-paging /ip/address/print /ip/route/print proplist=dst-address,gateway,...
by Larsa
Wed Feb 28, 2024 7:39 am
Forum: General
Topic: Mikrotik Professionals Conference in Prague March 7th-8th 2024
Replies: 12
Views: 1814

Re: Mikrotik Professionals Conference in Prague March 7th-8th 2024

Unfortunately I don't have the opportunity to participate but a colleague of mine will be there.

EDIT:
Forgot to mention that he will be wearing a bat hat if you want to pass along a message to me! ;-)
by Larsa
Tue Feb 27, 2024 7:41 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1375

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

IPv6 subnetting works just like IPv4, meaning you divide the /64 prefix into smaller parts, each of which has to use its own DHCPv6 server for the respective subnet. There are plenty of resources online. For more detailed information, Google "subnet IPv6 /64 prefix" and "MikroTik NAT6...
by Larsa
Tue Feb 27, 2024 5:23 pm
Forum: General
Topic: WinBox Software license agreement
Replies: 15
Views: 1591

Re: WinBox Software license agreement

Will there be a native version for macOS as well?

OT - Btw, please add support to
- detach child windows from the MDI parent area
- move the "Windows" menu (the one with all active windows) to the title bar, or make the location configurable.
by Larsa
Tue Feb 27, 2024 5:09 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1375

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

As previously mentioned, T-Mobile assigns a /64 prefix as standard and it might be pretty hard to explain the different subnet options if you're not familiar with IPv6. As a personal side note, the initial intent with IPv6 was to provide everyone with enough subnet space (prefixes) and host addresse...
by Larsa
Tue Feb 27, 2024 4:41 pm
Forum: Beginner Basics
Topic: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to
Replies: 17
Views: 1375

Re: IPV6 with T-mobile USA home internet gateway and single /64 address no prefix how to

Nowadays, most MNOs typically assign a /64 prefix to mobile devices and the same applies to T-Mobile. For details regarding T-Mobile, Google "T-Mobile IPv6 /64 Prefix" or call T-Mobile tech support. If you want/need subnetting using a stationary broadband router, here are some options: ...
by Larsa
Mon Feb 26, 2024 8:56 pm
Forum: General
Topic: How to change WG handshake timeout
Replies: 3
Views: 387

Re: How to change WG handshake timeout

AFAIK, you cannot alter the setting of Rekey-Timeout as it is most likely hardcoded to 5 seconds. Check the constants used for the timer state system in paragraph 6.1 of the paper "https://www.wireguard.com/papers/wireguard.pdf". 6.1 The following constants are used for the timer state system: S...
by Larsa
Mon Feb 26, 2024 3:02 pm
Forum: General
Topic: SQM - using FQ-CODEL in interface queues and fasttrack
Replies: 6
Views: 1569

Re: SQM - using FQ-CODEL in interface queues and fasttrack

Okay, then I suppose they're using some other type of traffic pacing control required by fq-codel. A potential transition to standard BQL would likely simplify code management in the long run.
by Larsa
Sun Feb 25, 2024 8:05 pm
Forum: General
Topic: SQM - using FQ-CODEL in interface queues and fasttrack
Replies: 6
Views: 1569

Re: SQM - using FQ-CODEL in interface queues and fasttrack

AFAIK, device drivers also need to support BQL. Since it's just a matter of pretty basic counters, it shouldn't be too complicated to implement. However, considering that BQL has been around for about 10-12 years, are you absolutely sure they haven't implemented it already or using some equivalent p...
by Larsa
Fri Feb 23, 2024 12:59 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1150

Re: Chateau 5G R16: request for modem's AT Command documentation

You might have misunderstood or somehow missed what I wrote but the session is "controlled" by PCF. When a dedicated flow is initiated from the network its initial set of flow control parameters are retrieved from the MNO's "operations center" (OSS/BSS) which manages the contract...
by Larsa
Thu Feb 22, 2024 6:58 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1150

Re: Chateau 5G R16: request for modem's AT Command documentation

Guaranteed bit-rate might not be the only consideration for CCTV/VMS systems but I get your point. Capabilities like for example guaranteed latency, bandwidth/bitrate, QoS, and reliability within PDUs are controlled by the 5G Core Network through the "Policy Control Function" (PCF). The NM...
by Larsa
Thu Feb 22, 2024 1:01 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 1015
Views: 1139564

Re: Public-Mikrotik-Bandwidth-Test-Server(s)

@mdadmin, what are you trying to imply and what source(s) are you relying on? Check https://multirbl.valli.org/dnsbl-lookup ... 4.120.html
by Larsa
Wed Feb 21, 2024 6:48 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1150

Re: Chateau 5G R16: request for modem's AT Command documentation

@sbert, do you have a specific issue you're trying to address using dedicated flow? Dedicated flow relies on the capabilities of the user equipment and the services provided by the MNO. Some advanced 5G devices may support it but it's not a common feature on consumer devices equipped with chips like...
by Larsa
Wed Feb 21, 2024 2:49 pm
Forum: Wireless Networking
Topic: Chateau 5G R16: request for modem's AT Command documentation
Replies: 10
Views: 1150

Re: Chateau 5G R16: request for modem's AT Command documentation

Replaced with a more detailed post down below.
by Larsa
Tue Feb 20, 2024 9:06 pm
Forum: General
Topic: DDNS issue with ECMP in ROSv7
Replies: 2
Views: 309

Re: DDNS issue with ECMP in ROSv7

It's pretty hard to say anything at all without knowing how, when, which DDNS provider, RouterOS 7 version, network topology, etc.
by Larsa
Tue Feb 20, 2024 6:28 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 956

Re: Wireguard simple firewall rule

@l2sverige, check for any traffic on the wg interface using Winbox Tools -> Packet Sniffer. If not, there might be a mismatch in the wg peer configuration, either with the keys or the allowed addresses.
by Larsa
Tue Feb 20, 2024 6:04 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 956

Re: Wireguard simple firewall rule

Haha! Well, I think my solution is WAY better since it's just a single firewall rule which restricts any source to the destination. Remember KISS ;-D ;-D
by Larsa
Tue Feb 20, 2024 5:54 pm
Forum: Virtualization
Topic: CHR using Apple Virtualization Framework (via UTM)
Replies: 51
Views: 4420

Re: CHR using Apple Virtualization Framework (via UTM)

@Ammo, thanks for the very interesting info! Personally I love Parallels Desktop but for various reasons we are exploring alternative solutions. UTM/VMF might be an option when it becomes stable enough. Will definitely look into it further.
by Larsa
Tue Feb 20, 2024 5:23 pm
Forum: Beginner Basics
Topic: Wireguard simple firewall rule
Replies: 8
Views: 956

Re: Wireguard simple firewall rule

@l2sverige - as suggestion create a new WireGuard interface, for example "WG-restricted", and place all connections (peers) that need to be restricted to 10.0.0.10-10.0.0.12 on that interface. Don't add "WG-restricted" to the LAN interface list, instead use: "/ip/firewall/fi...
by Larsa
Tue Feb 20, 2024 8:01 am
Forum: General
Topic: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?
Replies: 2
Views: 405

Re: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?

There is no "vanilla" except for the actual tunnel protocol. The resolver and wg peer setup process is implementation-specific and you can make it work using standard configuration settings on a regular Linux machine. However, in this case I am looking for a solution for MikroTik boxes whe...
by Larsa
Tue Feb 20, 2024 12:15 am
Forum: General
Topic: IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?
Replies: 2
Views: 405

IPv6 prioritization on WireGuard Peers with IP Cloud mixed A/AAAA DNS Records?

We are working with some customers where the regional MNO will soon phase out all public IPv4 addresses to be replaced by CGNAT. The MNO has implemented IPv6, though only dynamic /64 prefixes are available. To address this potential issue, we would like to prioritize IPv6 connectivity on all affecte...
by Larsa
Mon Feb 19, 2024 12:28 pm
Forum: General
Topic: CVE abuse of Linux Kernel stopped
Replies: 0
Views: 373

CVE abuse of Linux Kernel stopped

An end is being put to the misuse of CVE reports from individuals and companies outside the Linux kernel community. Hopefully, this will lead to fewer inaccurate CVE reports. [2024-02-17] phoronix.com - Linux 6.8-rc5 Released With Documented Process For CVE Security Vulnerabilities https://github.co...
by Larsa
Sat Feb 17, 2024 11:47 pm
Forum: Virtualization
Topic: CHR Hosted in Azure?
Replies: 9
Views: 963

Re: CHR Hosted in Azure?

No problems running V7 on Azure. I recommend using Bicep to streamline your CHR installations for easier deployment on Azure.
by Larsa
Fri Feb 16, 2024 10:33 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

FIXED!!!

Thank you for the feedback and great to hear you’ve managed to locate the root cause. Even though it might be challenging when things don't work as expected, you usually learn a whole lot during the troubleshooting process.

Have a nice weekend!
by Larsa
Thu Feb 15, 2024 10:13 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

To begin with I think your English is almost perfect, so there are absolutely no problems understanding what you mean. Back to business: The standard system log in RouterOS for Wireguard lacks logging at the packet level so you need to use WinBox "Packet Sniffer" to trace the Wireguard ing...
by Larsa
Thu Feb 15, 2024 3:42 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

When testing your Linux WireGuard config, the following link provides you with excellent clues. I absolutely love the format of the Pro Custodibus blogs! A brilliantly elaborate pedagogy using images in combination with a well-thought-out flow of explanatory text is among the best resources you can find...
by Larsa
Wed Feb 14, 2024 9:32 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

I had a quick glance at the configuration, though only for WireGuard and the firewall. Everything seems to be in order, and considering that the mobile devices are working, there probably isn't any issue with your RB2011. Thus, unfortunately you'll have to continue troubleshooting with your Linux bo...
by Larsa
Wed Feb 14, 2024 3:25 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

Here is a link to Anav's user guide "Wireguard Success For The Beginner" which might come in handy.
by Larsa
Wed Feb 14, 2024 12:37 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

@resca: Have you checked the handshake status of the Wireguard peer using WinBox? When everything is okay, the handshake timer will increment up to two minutes and then start over again. If the handshake is okay, you might have other problems like routing or a firewall blocking the payload traffic.
by Larsa
Wed Feb 14, 2024 12:24 am
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2943

Re: Tilde sign in Terminal (Mac) [SOLVED]

Yeah, the Magic Keyboard is a winner!
by Larsa
Tue Feb 13, 2024 11:24 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2943

Re: Tilde sign in Terminal (Mac) [SOLVED]

That usually works fine with "normal" keyboards. However, on a MacBook, pressing shift + grave accent + space might, under certain conditions, produce "±". That's why using opt+n might be a better choice. MacBook keyboards equipped with a hat key (^) can use it in combination wit...
by Larsa
Tue Feb 13, 2024 11:05 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

I believe that packet-level tracing provides an excellent starting point to ensure that packets reach their destination without obstacles along the way. However, it's up to you to choose the tools that best fit your situation. A tip to improve your chances of getting help in this user forum is to at...
by Larsa
Tue Feb 13, 2024 10:33 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2943

Re: Tilde sign in Terminal (Mac) [SOLVED]

Well thanks, but Opt+n followed by spacebar is still the standard procedure for producing a plain 'tilde'.
by Larsa
Tue Feb 13, 2024 9:08 pm
Forum: Beginner Basics
Topic: Tilde sign in Terminal (Mac) [SOLVED]
Replies: 37
Views: 2943

Re: Tilde sign in Terminal (Mac) [SOLVED]

On a US Mac keyboard, use Opt+N and then press spacebar to generate "~".
by Larsa
Tue Feb 13, 2024 8:07 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

To check how the raw Wireguard packets might appear on the Mikrotik, use Winbox by going to "Tools -> Packet Sniffer". Select the WAN interface and port 13231. Click on [Apply], [Start], and finally the [Packets] button to open the window where the tracing is displayed. Remember to press t...
by Larsa
Tue Feb 13, 2024 12:51 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

@resca; since you only have one peer on the Mikrotik, ensure there isn't already an active session on it. If the handshake of the peer is under two minutes there is likely an active tunnel.
by Larsa
Tue Feb 13, 2024 12:41 am
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

I forgot to mention that the Wireguard endpoint in the Mikrotik also needs to match the network addresses of the received packets. Even if the Linux box is using the correct keys, ROS will simply discard the packets if the "allowed addresses" do not match the Linux address. You can enable ...
by Larsa
Tue Feb 13, 2024 12:08 am
Forum: Beginner Basics
Topic: RB5009 not getting DynamicIP from Comcast Cable MODEM (Solved)
Replies: 11
Views: 873

Re: RB5009 not getting DynamicIP from Comcast Cable MODEM

@Axo123, test if DHCP is working properly by running WinBox "Tools -> Packet Sniffer" on the WAN interface. When the router sends out a DHCPREQUEST, you should receive a DHCPOFFER with an IP address. As a side note, some sites impose restrictions where you are allowed to use only one IP ad...
by Larsa
Mon Feb 12, 2024 7:05 pm
Forum: General
Topic: Wireguard from Linux not working [SOLVED]
Replies: 36
Views: 2413

Re: Wireguard from Linux not working [SOLVED]

@resca, to trace traffic on the Linux box, use for example, "tcpdump -i name-of-wg-interface". On the MikroTik, use Winbox "Tools -> Packet Sniffer" and select the wg-interface to trace packets in real-time. If you don't receive any traffic on the Linux box, you might have a fire...
by Larsa
Sun Feb 11, 2024 11:33 am
Forum: General
Topic: Winbox on Mac always false-starts?
Replies: 5
Views: 1036

Re: Winbox on Mac always false-starts?

I have exactly the same behavior with WinBox on macOS/Wine (both version 8/9) when "Open in New Window" is checked. I started debugging Wine in a development environment but never managed to identify the root cause. The problem closely resembles old MS Windows issues that occurred when a p...
by Larsa
Fri Feb 09, 2024 12:10 am
Forum: General
Topic: RouterOS Virtual Private Networks, which one to choose?
Replies: 7
Views: 824

Re: RouterOS Virtual Private Networks, which one to choose?

2. Zerotier: Allows one to stitch together all your subnets as if they were on the same subnet, L2 connection. Great for multicasting etc but harder to separate out users from each other as it's one happy LAN. Note: Relies on zerotier servers (third party). That's not entirely true. ZeroTier default...
by Larsa
Wed Feb 07, 2024 1:45 pm
Forum: General
Topic: Mikrotik V7 - PPTP not recommended
Replies: 10
Views: 871

Re: Mikrotik V7 - PPTP not recommended

There's nothing inherently wrong with PPTP any more than with GRE or even older tunnels like IPIP from the mid-1980s, but they all require encryption to secure the connection. The primary reason why PPTP is considered insecure on ROS is that Mikrotik didn't bother to implement stronger encryption me...
by Larsa
Thu Feb 01, 2024 3:07 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

No problem using SR-IOV on KVM provided the NIC and drivers support it. We have some 10-year-old legacy servers (HP DL380 G5/G6 IIRC) in our test lab to play with and they run just fine using SR-IOV. Regarding the new licensing model and considering all the frustrating comments where many feel comple...
by Larsa
Wed Jan 31, 2024 11:05 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

Another interesting platform is Nutanix Acropolis Hypervisor (AHV) which is based on the open-source KVM hypervisor and includes standard features such as live migration and VM-centric snapshots. Nutanix has tools to migrate ESXi to their platform. Read more about it in the article "All About H...
by Larsa
Wed Jan 31, 2024 7:23 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2206

Re: L009 and ZeroTier

Thank you, but it looks like a rather old post from Sep '23. I can't find any statement from ZeroTier regarding a new license model and it seems more like two customers have complained about incorrect license quotes.
by Larsa
Wed Jan 31, 2024 7:01 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

Btw, here is the new Broadcom VMware licensing model for those unlucky ones who lack the original perpetual licenses. "Foundation" is needed to enable SR-IOV, DirectPath (PCI Passthrough) etc. A one-year subscription is about 40% more expensive.
by Larsa
Wed Jan 31, 2024 5:21 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2206

Re: L009 and ZeroTier

@gotsprings, I noticed the Reddit discussion speculating about a possible new licensing model but haven't seen any official statement regarding this. Do you know where to find it?
by Larsa
Wed Jan 31, 2024 4:58 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

OpenNebula, Proxmox VE, KVM, Xen, XCP-ng, Virt-Manager, oVirt ... and others all utilize more or less the same fundamental Linux kernel capabilities. However, they differ in their integration methods for installation/configuration, admin GUI, Docker support, tools for operations, monitoring, online ...
by Larsa
Wed Jan 31, 2024 2:42 pm
Forum: General
Topic: Oxidized backup issue [SOLVED]
Replies: 3
Views: 1082

Re: Oxidized backup issue [SOLVED]

Just as a reference, here is the official Oxidized RoS plugin that supports the new v7 date header, courtesy of Brian Candler (candlerb):
https://github.com/ytti/oxidized/blob/master/lib/oxidized/model/routeros.rb
by Larsa
Wed Jan 31, 2024 12:57 pm
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

Certainly, license costs might have a decisive significance but the original question was primarily about performance and which platforms are available with SR-IOV. However, my comment was aimed more at a general recommendation considering Proxmox VE or proprietary solutions like vSphere/Hyper-V. Wh...
by Larsa
Wed Jan 31, 2024 10:54 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

Proxmox VE can definitely be a performant open-source solution if you are willing to invest time in how to configure PCIe Passthrough and SR-IOV, and analyze and fix potential issues yourself. However, if you need data center features such as high-end performance, central administration and monitoring...
by Larsa
Wed Jan 31, 2024 8:44 am
Forum: Virtualization
Topic: SR-IOV with CHR - What hypervisors are you using ?
Replies: 22
Views: 2625

Re: SR-IOV with CHR - What hypervisors are you using ?

SR-IOV is supported in almost all virtual hosts, including ESXi. It's up to the NIC device driver to implement the capabilities. I'd start by checking the SR-IOV capabilities of your NICs and drivers with the manufacturers. Similar to specialized variants such as DirectPath, DirectIO etc which only ...
by Larsa
Tue Jan 30, 2024 8:17 pm
Forum: General
Topic: On-Premise / Azure VPN S2S (IPsec) Connection
Replies: 4
Views: 1545

Re: On-Premise / Azure VPN S2S (IPsec) Connection

Hi, there are plenty of guides online. Here are some examples:
- Azure VPN Gateway and Mikrotik IPSEC/IKE Configuration
- MikroTik site-to-site IPsec VPN connection to Azure Resource Manager based gateway
- Azure VPN [SOLVED]
Youtube:
- Easy IPSEC Site-To-Site VPN Guide, MikroTik ROSv7
Microsoft:
- ...
by Larsa
Tue Jan 30, 2024 7:20 pm
Forum: General
Topic: Mikrotik Professionals Conference in Prague March 7th-8th 2024
Replies: 12
Views: 1814

Re: Mikrotik Professionals Conference in Prague March 7th-8th 2024

Thank you, what a pleasant surprise and especially that the event is held in cozy Prague. Cheers!
by Larsa
Tue Jan 30, 2024 11:07 am
Forum: General
Topic: CVE-2023-6200 - ICMPv6 RA packet, causing arbitrary code execution [SOLVED]
Replies: 4
Views: 905

Re: CVE-2023-6200 - ICMPv6 RA packet, causing arbitrary code execution [SOLVED]

CVE-2023-6200 Detail - "AWAITING ANALYSIS" This vulnerability is currently awaiting analysis. The remote attack is potentially possible in the local network only. Ongoing analysis is still being conducted regarding when, how, etc. It's not possible at this time to point out which platfor...
by Larsa
Mon Jan 29, 2024 2:06 pm
Forum: General
Topic: Feature requests
Replies: 1744
Views: 644188

Re: Feature requests - CHR on Bare Metal for faster Network throughput

CPU PCI-E lanes can't handle/sustain that speed - other factors will be problem too ( example: LATENCY ). The ASR9K/NCS series can do that kind of job. ASR9x and similar models nowadays act more like "regular" linux blade servers with Cisco Linux (IOS XR). Blade cards mainly utilize stand...
by Larsa
Sat Jan 27, 2024 11:10 am
Forum: General
Topic: Feature requests
Replies: 1744
Views: 644188

Re: Feature requests

As I mentioned in another comment, in terms of CHR performance using today's modern drivers supporting DirectIO/DirectPath/SR-IOV, it's as fast as bare metal and the overhead of the supervisor is barely measurable. A properly configured virtual system can easily push many hundreds of gigabits without...
by Larsa
Thu Jan 25, 2024 8:33 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 684

Re: User Manual request for WAP LTE6 Kit

\interface lte1 allow-roaming yes <- something like that in terminal and I've not set myself as SU ... did I make it good or not ? You had it almost right, it should be: "/interface/lte/set lte1 allow-roaming=yes" When using web admin, you should find the check box under: WebFig -> Inte...
by Larsa
Thu Jan 25, 2024 4:43 pm
Forum: General
Topic: Oxidized backup issue [SOLVED]
Replies: 3
Views: 1082

Re: Oxidized backup issue [SOLVED]

Since it's just the top line that is set with the actual export date, you can simply skip that using a rewrite rule in Oxidized.

# 2024-01-25 09:35:49 by RouterOS 7.12.1
# software id = KAVV-XYZQ
# . . .
# . . .
by Larsa
Thu Jan 25, 2024 4:24 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 684

Re: User Manual request for WAP LTE6 Kit

You are most welcome! :-) Btw, fixed broken link "Getting started - First Time Configuration"
by Larsa
Thu Jan 25, 2024 2:46 pm
Forum: Beginner Basics
Topic: User Manual request for WAP LTE6 Kit
Replies: 9
Views: 684

Re: User Manual request for WAP LTE6 Kit

Mikrosoft docs: - RouterOS Documentation - Getting started - First Time Configuration - wAP ac kit-series documentation Some useful user articles: - Beginner Basics - New User Config - Firewall Setup - Other useful user articles Edit: fixed broken link "Getting started - First Time Configurati...
by Larsa
Thu Jan 25, 2024 2:14 pm
Forum: Forwarding Protocols
Topic: IS-IS
Replies: 143
Views: 54617

Re: IS-IS

why use CHR ?? is mikrotik v7 RoS runs great in bare metal... OT - In my opinion, one of the major advantages of CHR is that the platform becomes hardware-agnostic and also enables it to move or upgrade "live" including network sessions to new hw without any downtime (aka Hyper-v/vSphere ...
by Larsa
Wed Jan 24, 2024 3:56 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1460

Re: ikev2 vpn speed

According to Mikrotik's product page for hAP lite TC, it supports the latest version ROS v7.13.2 if you want to try upgrading. There's some information on their website and various posts in the forum on how to upgrade. Remember to first make a backup if you would like to go back to v6. https://help...
by Larsa
Wed Jan 24, 2024 2:40 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1460

Re: ikev2 vpn speed

Okay, why is that? As far as I know, WireGuard is supported on all platforms using ROS v7.
by Larsa
Tue Jan 23, 2024 9:40 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1460

Re: ikev2 vpn speed

Okay, that’s probably the main reason for the bottleneck.

If possible, give WireGuard a try as it tends to be a bit more lenient when it comes to software encryption.
by Larsa
Tue Jan 23, 2024 9:34 pm
Forum: Beginner Basics
Topic: ikev2 vpn speed
Replies: 16
Views: 1460

Re: ikev2 vpn speed

Check if your router model supports hardware acceleration for AES (IPSec). If not, encryption will be performed using software and the maximum throughput will be limited to the CPU power.

https://help.mikrotik.com/docs/display/ ... celeration
by Larsa
Sat Jan 20, 2024 5:22 pm
Forum: RouterBOARD hardware
Topic: L009 and ZeroTier
Replies: 20
Views: 2206

Re: L009 and ZeroTier

Unfortunately still software encryption on all platforms. Hopefully it will be addressed in future releases of ROS.
by Larsa
Thu Jan 18, 2024 4:04 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 38291

Re: Forum moderation volunteers

by Larsa
Thu Jan 18, 2024 2:47 pm
Forum: General
Topic: Forum moderation volunteers
Replies: 238
Views: 38291

Re: Forum moderation volunteers

Until now, the only outcome of this discussion was a few guideline posts being removed. I might be wrong, but I think @Anav foremost wants MikroTik to engage much more in practical matters regarding the forum in order to create better conditions to eliminate structural problems that unnecessarily o...
by Larsa
Wed Dec 20, 2023 11:15 am
Forum: General
Topic: Wireguard very slow
Replies: 10
Views: 2786

Re: Wireguard very slow

Since WireGuard utilizes ChaCha20, which is pure software encryption, the bottleneck is almost always the CPU power. When the CPU hits 100% on either endpoint, that's the maximum throughput you will get.
by Larsa
Mon Dec 18, 2023 12:20 pm
Forum: Virtualization
Topic: CHR tx-queue-drops-per-second
Replies: 8
Views: 10028

Re: CHR tx-queue-drops-per-second

”Try to using cpu affinity for dedicated CHR cpu and SR-IOV to bypass esxi kernel for using dedicated CHR NIC.”

Yeah, that should be pinned somewhere as best practice.
by Larsa
Fri Dec 15, 2023 4:28 pm
Forum: RouterBOARD hardware
Topic: x86 Mikrotik v7 performance - choosing the x86 CPU
Replies: 9
Views: 6349

Re: x86 Mikrotik v7 performance - choosing the x86 CPU

A suggestion is to start by focusing on the network interface which is generally the most crucial component whether it is used as "bare metal" or as a virtual Network Interface Card (vNIC) in CHR. A well-developed driver is also a prerequisite and can be a showstopper determining whether the ...
by Larsa
Fri Dec 15, 2023 11:36 am
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 53041

Re: v7.13rc [testing] is released!

An LTS/SLTS kernel should for obvious reasons be a better choice; AFAIK v5.6.3 is not such a version.
by Larsa
Wed Dec 13, 2023 12:22 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 53041

Re: v7.13rc [testing] is released!

That link is for podcasters only. This is for us normal people ;-)

https://open.spotify.com/show/7sq8IetuZCDDKEvuLX3SL2
by Larsa
Tue Dec 12, 2023 9:49 pm
Forum: Containers
Topic: Hardware accelerated encryption
Replies: 3
Views: 2418

Re: Hardware accelerated encryption

If we're talking about AES, just search "linux arm aes instructions" on Google, e.g.

https://www.linaro.org/blog/accelerated ... ux-kernel/
by Larsa
Tue Dec 12, 2023 9:00 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

As I mentioned earlier, it’s feasible with SD-WAN in general using open-source or paid solutions. There is no magic with the VPS; it's simply another node employing the SD-WAN protocol that might be used as default gateway to internet for the SD-WAN network. SD-WAN is by design fault-tolerant and ut...
by Larsa
Mon Dec 11, 2023 10:05 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

@Gotsprings, I don’t get what you mean by "load-balanced single IP." Zerotier, Tailscale, and most other SD-WAN solutions can utilize multipath and internal load balancing with an "exit node" to a public IP on internet. It’s just a matter of configuration.
by Larsa
Mon Dec 11, 2023 6:07 pm
Forum: Announcements
Topic: v7.13rc [testing] is released!
Replies: 178
Views: 53041

Re: v7.13rc [testing] is released!

Confirmed, WireGuard is blocked by ISP.
Unlikely, but try changing the port number. Btw, this is OT thus please create a new thread to continue troubleshooting.
by Larsa
Wed Nov 22, 2023 11:14 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

If Mikrotik marketing was more aggressive, you could call RouterOS tunnels+mangle+scripts as a "software-defined WAN" too ;).

Yup, so it is!

Regarding 'black box' solutions like B.L, Gartner also expressed concern about the lack of technical details.
by Larsa
Wed Nov 22, 2023 9:27 pm
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

@Amm0, BigLeaf is just a regular SD-WAN solution with options like public internet access branded “cloud routing”.
by Larsa
Sun Nov 19, 2023 2:02 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

Well, I beg to differ. I believe that there is absolutely no exaggeration in striving to achieve simple configuration and administration of VPN links for network management. On the contrary, SD-WAN like ZeroTier is way easier to manage compared to manually configured static links like WireGuard,...
by Larsa
Sun Nov 19, 2023 12:15 am
Forum: General
Topic: Multi-WAN Load Balancing Starlink issue
Replies: 99
Views: 13280

Re: Multi-WAN Load Balancing Starlink issue

Just a side note before jumping on the SD-WAN train with solutions like BigLeaf, first make sure your objectives are in order before making any decisions. Fwiw, ZeroTier is already integrated into ROS v.7. As for remote management, I’d choose ZeroTier anytime over WireGuard but the latter might serv...
by Larsa
Wed Nov 15, 2023 6:26 pm
Forum: RouterBOARD hardware
Topic: MikroTik AMPERE CPU (coming soon)
Replies: 18
Views: 9018

Re: MikroTik AMPERE CPU (coming soon)

The Altra series (30/64/80C) isn't exactly cheap but would probably fit pretty well as a natural successor to the CCR1036/72.
by Larsa
Fri Sep 15, 2023 12:57 pm
Forum: General
Topic: WireGuard vs IPSec performance
Replies: 14
Views: 13262

Re: WireGuard vs IPSec performance

Well, perhaps for some special case using a single tunnel.

A beefy CPU typically includes an even more beefy AES hw acceleration. If performance is a concern use IPsec, otherwise invest in a Wireguard server farm. ;-)
by Larsa
Fri Sep 15, 2023 12:07 pm
Forum: General
Topic: WireGuard vs IPSec performance
Replies: 14
Views: 13262

Re: WireGuard vs IPSec performance

Bottom line to achieve maximum throughput:
- Use IPsec when hardware acceleration is available at both ends.
- In other cases, use Wireguard.
by Larsa
Fri Sep 15, 2023 11:43 am
Forum: Beginner Basics
Topic: ipsec vpn create SA, but no traffic from remote site to Microtik
Replies: 5
Views: 1449

Re: ipsec vpn create SA, but no traffic from remote site to Microtik

Thanks. A brief description of the network topology would be helpful for getting an idea of how everything is connected and which site that is problematic, for example: <hex local sub-net x.x.x.x ipsec> Wan xx <internet> Wan xx <windows SITE1 ipsec local subnet x.x.x.x.> <hex local sub-net x.x.x.x i...
by Larsa
Fri Sep 15, 2023 9:35 am
Forum: Beginner Basics
Topic: ipsec vpn create SA, but no traffic from remote site to Microtik
Replies: 5
Views: 1449

Re: ipsec vpn create SA, but no traffic from remote site to Microtik

If you provide a config export, it would greatly help to analyse the problem.

Did you set up policies to match the correct subnets and src-nat to allow IPsec to intercept egress packets? How is the remote site configured and do you have control over it?
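The two things the post above asks about (a policy whose selectors match the real subnets, and a src-nat exception so masquerade does not rewrite the source address before the IPsec policy can match) are the usual causes of "SA established, no traffic" on RouterOS. The following is an added example of a minimal IKEv2 site-to-site configuration for the local HEX side, not the poster's or MikroTik's own config; the addresses (203.0.113.10 remote gateway, 192.168.10.0/24 local, 192.168.20.0/24 remote), the object names and the pre-shared key are all invented for illustration.

```routeros
# Added example (assumed addresses/names). Local LAN 192.168.10.0/24, remote LAN 192.168.20.0/24,
# remote IKE gateway 203.0.113.10. Run on the local RouterOS v7 device.

# Phase 1 (IKE) parameters
/ip ipsec profile add name=site1-profile hash-algorithm=sha256 enc-algorithm=aes-256 dh-group=modp2048
/ip ipsec peer add name=site1 address=203.0.113.10/32 profile=site1-profile exchange-mode=ike2
/ip ipsec identity add peer=site1 auth-method=pre-shared-key secret="REPLACE-WITH-A-LONG-RANDOM-PSK"

# Phase 2 (child SA) parameters
/ip ipsec proposal add name=site1-proposal auth-algorithms=sha256 enc-algorithms=aes-256-cbc pfs-group=modp2048

# The policy selectors must be exactly the subnets the two sites actually use;
# the mirror image (src/dst swapped) must exist on the remote peer.
/ip ipsec policy add peer=site1 tunnel=yes src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    proposal=site1-proposal

# src-nat exception: placed at the top of srcnat so the masquerade rule for the WAN
# never rewrites 192.168.10.x to the public address (which would stop the policy matching).
/ip firewall nat add chain=srcnat action=accept src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    comment="IPsec site1: bypass masquerade" place-before=0

# Checks: active SA and matching counters on the policy, then a traceroute from a LAN host.
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ip ipsec policy print stats
```

If `installed-sa` shows an SA but the policy's packet counters stay at zero, the selectors (or the NAT bypass ordering) are the problem, not IKE. If the remote side is a Windows host rather than a router, its own policy must also match these subnets, which is why the post asks who controls the remote end.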
by Larsa
Thu Sep 14, 2023 11:28 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11832

Re: Very high CPU usage on PCC Loadbalancing with 7.x

@msatter: Yes, the previous v6 kernel global routing cache (that was prone to pollution attacks) has been removed and replaced with a more efficient (faster) multi-layer cache in the v7 kernel. However, in some specific scenarios it might consume more CPU resources which could be noticeable on older...
by Larsa
Thu Sep 14, 2023 8:46 pm
Forum: RouterOS beta
Topic: Very high CPU usage on PCC Loadbalancing with 7.x
Replies: 22
Views: 11832

Re: Very high CPU usage on PCC Loadbalancing with 7.x

Once again, that's a myth and misconception spread on this forum. The current V7 kernel utilizes a more modern network stack that divides the cache into distinct layers, achieving greater efficiency where it's most needed. Some relevant reading on the subject: Routing Decisions in the Linux Kernel -...
by Larsa
Thu Sep 14, 2023 8:03 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1187

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

If the installation is intended for commercial use in an IXP as OP stated in the first post, that network diagram might become pretty complex and might not be suitable to share in this forum.

The crucial question is on which side of the IXP, or perhaps on both sides (i.e., CO=L2 or ISP=L3).
by Larsa
Thu Sep 14, 2023 7:12 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1187

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Just BGP-EVPN for use with VXLAN.
- S6730-H24X6C is an L2 switch with some limited L3 functionality.
- CCR1072-1G-8S+ is a high-end L3 router.
Which of the two suits best depends entirely on your business case. Hence my previous question: Is the objective of the solution to act as an interconnectio...
by Larsa
Thu Sep 14, 2023 6:52 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1187

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Thanks, but did you notice my previous questions?
by Larsa
Thu Sep 14, 2023 6:03 pm
Forum: General
Topic: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C
Replies: 7
Views: 1187

Re: CCR1072-1G-8S+ vs el huawei cloud engine S6730-H24X6C

Are you sure you have the correct model number? The S6730 series are essentially L2 switches with some L3 functionality. Is the target solution supposed to act as an interconnection point (IXP) for a Communication Service Provider using some form of L2 MPLS or pure L3 on the ISP side?
by Larsa
Thu Sep 14, 2023 10:33 am
Forum: General
Topic: Packet sniffer - where it sniffs?
Replies: 6
Views: 2776

Re: Packet sniffer - where it sniffs?

If this thread is only about best practices for using Packet Sniffer on IPsec traffic, then this answer is OT. Plain IPsec usually doesn't pose any significant issues. If your IPsec peer is active (i.e., established SA for each IP), it typically involves routing problems like forgetting to set 'src-nat...
by Larsa
Wed Sep 13, 2023 10:20 am
Forum: General
Topic: No access to Mikrotik (winbox, android etc.) when connected via Wireguard
Replies: 4
Views: 1032

Re: No access to Mikrotik (winbox, android etc.) when connected via Wireguard

Add the WireGuard interface to the interface-list LAN (Interfaces -> tab "Interface List").
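The one-line fix above works because the RouterOS default firewall drops everything in the input chain that does not arrive from an interface in the LAN list, so a WireGuard interface that is not a LAN member can carry traffic but cannot reach Winbox/SSH on the router itself. The following is an added example of the CLI equivalent, not the poster's own configuration; the interface name wg-mgmt, the 10.66.0.0/24 tunnel subnet, port 13231, the peer's public key and the default-config rule comment it searches for are all assumptions.

```routeros
# Added example (assumed names/addresses). RouterOS v7 with the default firewall.

# WireGuard listener; the private key is generated on creation if not supplied.
/interface wireguard add name=wg-mgmt listen-port=13231
/ip address add address=10.66.0.1/24 interface=wg-mgmt

# One management peer; allowed-address is also the cryptokey routing table,
# so only 10.66.0.2 can originate traffic through this peer.
/interface wireguard peers add interface=wg-mgmt public-key="REPLACE-WITH-PEER-PUBLIC-KEY" \
    allowed-address=10.66.0.2/32 comment="admin laptop"

# Let the handshake in from the WAN; must sit above the default "drop all not coming from LAN" rule.
/ip firewall filter add chain=input action=accept protocol=udp dst-port=13231 in-interface-list=WAN \
    comment="WireGuard mgmt handshake" \
    place-before=[find chain=input comment~"drop all not coming from LAN"]

# Option A (what the post suggests): treat the tunnel as LAN, giving the peer
# the same access to the router as a wired LAN host.
/interface list member add list=LAN interface=wg-mgmt

# Option B (tighter, use instead of A): only Winbox and SSH, only from the one peer address.
# /ip firewall filter add chain=input action=accept in-interface=wg-mgmt src-address=10.66.0.2 \
#     protocol=tcp dst-port=8291,22 comment="WireGuard mgmt: Winbox+SSH" \
#     place-before=[find chain=input comment~"drop all not coming from LAN"]

# Verify: last-handshake populated, and the input rule counters moving while connecting.
/interface wireguard peers print
/ip firewall filter print stats chain=input
```

Option A is the quickest fix and matches the post; Option B keeps the tunnel out of the LAN list so a compromised remote laptop only reaches the management ports rather than every service the router exposes to LAN hosts (DNS, DHCP, API, and so on).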