zennik
Jun 9, 2002

Pendent posted:

Two days before they were set to go away a flapping peer caused one of my edge routers to poo poo itself so badly it actually physically bounced a bonded interface.

Please learn from my mistakes everyone. Do not trust mikrotik with anything you care about.

That's a bit excessive.

They're great for OSPF rings, and non-fullroute BGP peering.


jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

zennik posted:

That's a bit excessive.

They're great for OSPF rings, and non-fullroute BGP peering.

Mikrotik is great for OSPF. Less great for VLANs. Definitely no good for BGP.

Using them for internal nodes/points of presence via OSPF is a-ok. The RB3011 or even CCR1009 handles multi-gig perfectly fine.

SamDabbers
May 26, 2003



Seems like the CCRs would be good as bang-for-the-buck MPLS P routers, what with the fastpath forwarding and all. Anyone using them for that?

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer
I've had some buggy OSPF behavior even, mostly around route advertisements for directly connected networks. Then there's the random stability issues where they'll reboot more or less at random with a message about kernel failure in the log. I've still got 30-40 of various models in the field but their days are numbered.

thebigcow
Jan 3, 2001

Bully!

Sir Bobert Fishbone posted:

So I think I might just be an idiot, but I'm a little out of my depth here and am wondering if someone might be able to help.

I picked up an RB4011 (non wifi) last week. I've got it in the basement and connected on port 1 to port 4 on my hAP AC, which is powering the RB4011 via PoE. The idea is to have the hAP act as a switch for my entertainment center, as well as to provide wifi to the house. The RB4011 will handle the ethernet connections throughout the rest of the house.

Basically this part works, though I don't know if I did it right. All interfaces on the hAP are bridged together, and I configured the DHCP client to get addresses from the RB4011. It's working just fine.

BUT now I want to set up a VLAN for some of the home automation gear I have, most of which is over WiFi (and hence would be set up on a Virtual WLAN on the hAP?) but also consumes a couple ports on the RB4011. There are a bunch of references online that purport to tell me how to do this, but I can't for the life of me get it to work. Can someone help me wrap my mind around what needs done here?

They changed how VLANs are configured and all of my knowledge is out of date.

First rule of VLAN is never mix untagged and tagged traffic on the same interface. On the RB4011 the WAN interface will be untagged, and I keep one interface as an "oh poo poo" port that is also untagged and has a recorded IP address so I can just plug in a laptop with a correct IP for that network size and start fixing. The interface going to the hAP will be set for every VLAN that will cross it, as will the interface on the hAP itself.

I know I'm forgetting a bunch because I haven't messed with this in a year. Make sure you have backups, the correct version of netinstall, and enough time to fiddle and it won't be too bad.

Sir Bobert Fishbone
Jan 16, 2006

Beebort

thebigcow posted:

They changed how VLANs are configured and all of my knowledge is out of date.

First rule of VLAN is never mix untagged and tagged traffic on the same interface. On the RB4011 the WAN interface will be untagged, and I keep one interface as an "oh poo poo" port that is also untagged and has a recorded IP address so I can just plug in a laptop with a correct IP for that network size and start fixing. The interface going to the hAP will be set for every VLAN that will cross it, as will the interface on the hAP itself.

I know I'm forgetting a bunch because I haven't messed with this in a year. Make sure you have backups, the correct version of netinstall, and enough time to fiddle and it won't be too bad.

Cool, thanks! It's super annoying because half of the documentation out there deals with the 'old' way and half deals with the 'new', so it's taking me much longer to figure out how this all works.

PUBLIC TOILET
Jun 13, 2009

Lately I've been having a random reboot issue on my own hAP AC with the latest long-term firmware and oddly enough it seems to stop if I disable Watchdog. Not sure if anyone's had a similar issue. Regardless, I'm planning on testing an overhaul of my home network to Ubiquiti. Probably the USG with a PoE switch, cloud key and AP. The hAP ACs, RB951Gs, etc. I've deployed have been working *okay* for years now but I want to expand out and try some different hardware. Definitely curious about VPN and hardware-offloading performance so I'd like to try that.

It just seems like small or simple/flat networks MikroTik can handle well but once you start building complex ones or ones with 600mbit or greater from the ISP, they just falter.

zennik
Jun 9, 2002

PUBLIC TOILET posted:

Lately I've been having a random reboot issue on my own hAP AC with the latest long-term firmware and oddly enough it seems to stop if I disable Watchdog. Not sure if anyone's had a similar issue. Regardless, I'm planning on testing an overhaul of my home network to Ubiquiti. Probably the USG with a PoE switch, cloud key and AP. The hAP ACs, RB951Gs, etc. I've deployed have been working *okay* for years now but I want to expand out and try some different hardware. Definitely curious about VPN and hardware-offloading performance so I'd like to try that.

It just seems like small or simple/flat networks MikroTik can handle well but once you start building complex ones or ones with 600mbit or greater from the ISP, they just falter.

Known long-standing bug.

Watchdog enabled without a valid IP defined, will just randomly bug out and trigger a reboot.

Disable watchdog, or give it a valid IP to 'watch' for.

redeyes
Sep 14, 2002

by Fluffdaddy

zennik posted:

Known long-standing bug.

Watchdog enabled without a valid IP defined, will just randomly bug out and trigger a reboot.

Disable watchdog, or give it a valid IP to 'watch' for.

OH f. That is why one of my RB3011 has been making GBS threads its pants once a day.

PUBLIC TOILET
Jun 13, 2009

zennik posted:

Known long-standing bug.

Watchdog enabled without a valid IP defined, will just randomly bug out and trigger a reboot.

Disable watchdog, or give it a valid IP to 'watch' for.

:ughh:

I'm sure this has been brought up before, but has anyone had positive experience with enabling/configuring IPv6 in RouterOS? The documentation I'm reading makes me believe that if I install the package and turn it on, firewall rules, bridges, rules, etc. will all need to be reconfigured.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
P sure a bug reported >6 years ago still exists where ospf3 won't install a /128 loopback address making your igp useless anyway.

https://forum.mikrotik.com/viewtopic.php?f=14&t=51124

EssOEss
Oct 23, 2006
128-bit approved

PUBLIC TOILET posted:

I'm sure this has been brought up before, but has anyone had positive experience with enabling/configuring IPv6 in RouterOS? The documentation I'm reading makes me believe that if I install the package and turn it on, firewall rules, bridges, rules, etc. will all need to be reconfigured.

I use IPv6 in some dead simple home user configuration. It works fine out of the box, as long as you keep in mind that IPv4 and IPv6 are completely separate protocols and need completely separate configuration. If you just switch on IPv6 without defining any IPv6 firewall rules, you won't have any IPv6 firewall action happening.

You won't damage your IPv4 config by turning on IPv6, though - they are entirely independent.

redeyes
Sep 14, 2002

by Fluffdaddy

PUBLIC TOILET posted:

:ughh:

I'm sure this has been brought up before, but has anyone had positive experience with enabling/configuring IPv6 in RouterOS? The documentation I'm reading makes me believe that if I install the package and turn it on, firewall rules, bridges, rules, etc. will all need to be reconfigured.

Sure, it's really easy actually. Best thing to do is install the v6 package and reset the device with the latest firmware installed. This will set up 'default' working IPv6 firewall rules. Then you need to configure a v6 client and RA, AND assign a v6 IP to the interface.

Partycat
Oct 25, 2004

redeyes posted:

Sure, it's really easy actually. Best thing to do is install the v6 package and reset the device with the latest firmware installed. This will set up 'default' working IPv6 firewall rules. Then you need to configure a v6 client and RA, AND assign a v6 IP to the interface.

This worked perfectly on Time Warner/Spectrum, though I wasn't able to figure out how to easily serve the box's assigned v6 address for DNS.

PUBLIC TOILET
Jun 13, 2009

redeyes posted:

Sure, it's really easy actually. Best thing to do is install the v6 package and reset the device with the latest firmware installed. This will set up 'default' working IPv6 firewall rules. Then you need to configure a v6 client and RA, AND assign a v6 IP to the interface.

I'll give this a shot on a spare RB951G I just pulled from production. I only noticed recently the standard default RouterOS configuration seems much more simple now. That just goes to show how long it's been since I've reset one of these to factory and merely tweaked the default configuration. I give MikroTik brownie points for that as it makes it faster for me to configure one of these for someone out of the box.

The Ubiquiti gear I've been using now has been a lot better, though. Sorry MikroTik.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Do an /export of what the Mikrotik defaults are, and then do a /system reset-configuration no-defaults=yes no-backups=yes or whatever it exactly is.

That will wipe the Mikrotik almost completely. Then either console in or Winbox in via MAC address and copy over a better config with exactly what you want on it.

I never trust Mikrotik's defaults. It is nice to just wipe them.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Also be sure to do a /system routerboard upgrade as well as a normal software package/OS upgrade.

I had a co-worker update a bunch of CRS125s we were going to use for a bunch of low level last-mile deployments and they didn't do the second upgrade step of needing to update the firmware as well. I'm surprised how Mikrotik doesn't really advertise this that much with the upgrade process.

SlowBloke
Aug 14, 2017
In case you are like me and you need to get some quick and dirty network diagram with network bandwidth usage (and you cannot be assed to get cacti/observium/librenms up and running), you can set up a free CHR instance and use the dude without any restriction. It might lack the finesse of the more famous platform but it does the trick in a hurry.

EDIT: It seems like there is a new major release (6.44), updating my CHR pretty much nuked most of the conf, maybe i was unlucky but watch out and backup everything before upgrading.

SlowBloke fucked around with this message at 18:39 on Feb 26, 2019

thebigcow
Jan 3, 2001

Bully!
I want a RBSXTsq2nD and the QMP wall mount but none of the places I usually look have both in stock.

:(

thebigcow
Jan 3, 2001

Bully!
RBSXTsq2nD says it works with 20-70mm pipe, but the hose clamp they ship with it says 30-70. Currently shooting across a big room indoors, cable tied onto PVC clamped onto a 3M Command broom holder. She gets 98 Mb/s with no firewall rules at 29% CPU.

The quick mount pro is a strange animal. The pictures show a clip, but the RBSXTsq2nD requires a pipe. You have to disassemble the mount and swap out the clip part for a pipe part. It feels well made for what it is.

thebigcow
Jan 3, 2001

Bully!
https://forum.mikrotik.com/viewtopic.php?f=2&t=147048

MikroTik IPv6 bug is being presented at a conference in less than two weeks. Hope you don't use it (I do).

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Just work for a company that is fukken cheap enough to use Mikrotiks but old enough to be sitting on a humorous amount of IPv4 that they use way too liberally!

Problem solved! At least for me.

Thanks Ants
May 21, 2004

#essereFerrari


That is very on-brand for Mikrotik.

https://www.youtube.com/watch?v=vJBUdAMrKJw

Thanks Ants fucked around with this message at 19:27 on Mar 30, 2019

redeyes
Sep 14, 2002

by Fluffdaddy
My loving ISP using Mikrotiks and IPv6 and guess what happens every once in a while.

thebigcow
Jan 3, 2001

Bully!
They claim it's fixed now. They also broke DHCPv6.

In the newsletter they said some recent update turned on hardware IPsec on the RB3011

Thanks Ants
May 21, 2004

#essereFerrari


For a little all-in-one home router box with Wi-Fi and IPsec VPN support, it looks like I'd struggle to do better than an hAP ac2, and then for better performance it's a jump up to an RB4011. Have I missed something? All the home router vendors' VPN support seems to extend as far as being able to push 20Mbps as an OpenVPN client, and the OpenWrt device support is a huge list of caveats.

yoloer420
May 19, 2006
If you're thinking about using these for OpenVPN, don't. They don't support LZO or UDP with OpenVPN. IPSec/L2TP works pretty well now though if that's what you want to use.

Thanks Ants
May 21, 2004

#essereFerrari


Nope it would be IPsec only, and I'd pick proposals that are accelerated:

https://wiki.mikrotik.com/wiki/Manual:IP/IPsec#Hardware_acceleration

EssOEss
Oct 23, 2006
128-bit approved


Why is my cAP Lite storage all used up with no files listed and barely any packages installed? I am trying to upgrade and the base operating system alone is 12 MB. How do I even debug this?

Barebones bridge config, nothing special:

code:
# jul/17/2019 09:49:31 by RouterOS 6.43.2
# software id = 58G1-RL1N
#
# model = RouterBOARD cAP L-2nD
# serial number = 792E0714BEC3
/interface bridge
add fast-forward=no name=bridge1
/interface ethernet
set [ find default-name=ether1 ] advertise=\
    10M-half,10M-full,100M-half,100M-full,1000M-half,1000M-full
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed \
    mode=dynamic-keys name=best-wifi supplicant-identity="" \
    wpa2-pre-shared-key=hunter2
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-onlyn channel-width=20/40mhz-eC \
    disabled=no frequency=2437 mode=ap-bridge security-profile=best-wifi ssid=\
    "best wifi" wireless-protocol=802.11 wps-mode=disabled
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/ip dns
set servers=2606:4700:4700::1111,2606:4700:4700::1001
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Europe/Berlin
/system identity
set name=wuper
/system ntp client
set enabled=yes
/system routerboard settings
set silent-boot=no
/tool user-manager database
set db-path=flash/user-manager

EssOEss fucked around with this message at 07:52 on Jul 17, 2019

thebigcow
Jan 3, 2001

Bully!
It should still update. Normis had a post on it that I can't find but I think it stores the update in RAM while it works.

They've gotten stingy with storage on low end units, but from their perspective how much does a CPE or AP really need?

The RB450G had half a gig, there was a guy who sold them with an Asterisk VM as a one box internet/phone/voicemail solution.

EssOEss
Oct 23, 2006
128-bit approved
Yeah, it finally upgraded after a few tries. However, that being said, what is actually taking up this "used" disk space if the file explorer shows effectively nothing?

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

EssOEss posted:

Yeah, it finally upgraded after a few tries. However, that being said, what is actually taking up this "used" disk space if the file explorer shows effectively nothing?

Probably a memory leak-like diskspace usage knowing Mikrotik.

It never hurts to do a clean format once in a while. You can do a full export of the code via /export and then copy and paste the whole thing back once upgraded.

Use:
"/system reset-configuration skip-backup=yes no-defaults=yes"

Then use Winbox via MAC address neighbors to get back in to copy your profile back on to a nicely blanked (with no default configs) device.

Be sure to run a "/sys rou upgrade" too besides just the package/software upgrade. Each new OS version now has a new matching firmware version as well.

edit - NOTE: /export doesn't show custom users if you did any of that.

jeeves fucked around with this message at 18:56 on Jul 19, 2019

EssOEss
Oct 23, 2006
128-bit approved
Yeah, I did that - still shows the mystery "used" disk space!

originalnickname
Mar 9, 2005

tree
Has anyone used that 4 port SFP+ switch Microtik put out? Any thoughts on performance? I really like the low power draw, and I especially like the idea of getting an SFP+ switch for a couple hundred bucks..

alyandon
Dec 9, 2001
Poster of the Month for July!
Fun Shoe
So, I applied the latest long-term 6.44.5 branch to my RB3011 and rebooted. Shortly afterward, I receive the following email from my rancid monitor:

quote:

[ ... snip ... ]
@@ -142,7 +142,7 @@ set www-ssl certificate=self-signed-mgmt-cert disabled=no
set api disabled=yes
set api-ssl certificate=self-signed-mgmt-cert
/ip ssh
- set strong-crypto=yes
+ set allow-none-crypto=yes forwarding-enabled=remote strong-crypto=yes
/ip traffic-flow
set cache-entries=128k enabled=yes inactive-flow-timeout=30s
/ip traffic-flow target
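
Review bot: the `+` line in this hunk adds `allow-none-crypto=yes` and `forwarding-enabled=remote` to `/ip ssh` while leaving `strong-crypto=yes` in place, which is self-contradictory: strong-crypto narrows the cipher list, but allow-none-crypto lets a client negotiate the "none" cipher and talk to the router with no encryption at all, and `forwarding-enabled=remote` lets any SSH client open listening ports on the router. Since the upgrade rewrote this line rather than the operator, the remediation is to set `allow-none-crypto=no forwarding-enabled=no` explicitly in the saved config, so the line reads `set allow-none-crypto=no forwarding-enabled=no strong-crypto=yes` and any later re-appearance of the weak values shows up as its own diff.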

I really wonder what kind of drugs Mikrotik developers are on that they manage to release a patch that does that to customers.

alyandon fucked around with this message at 19:57 on Jul 24, 2019

thebigcow
Jan 3, 2001

Bully!
Somewhere unpronounceable is a massive WISP that demanded that feature and you know it.

Partycat
Oct 25, 2004

Does that just mean to allow the none auth mechanism ?

SamDabbers
May 26, 2003



The none/null cipher exists solely to test the key negotiation handshake (e.g. TLS, IKE) and should basically never be used, or even a configurable option, outside of a development environment. It definitely should never be set as a default.
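
One way to catch this kind of regression in an /export before rancid mails you, as an added example that is not MikroTik's or rancid's code: it parses the export format, flags the two `/ip ssh` keys from the diff above plus any enabled plaintext management service, and reports which keys changed between two exports. The sample exports are constructed from the quoted diff; the `telnet` line is invented to exercise the service check.

```python
"""Audit a RouterOS /export for the SSH regression in the quoted diff."""
import re
# Constructed samples: /ip ssh before and after the 6.44.5 upgrade (values
# from the rancid diff above; other sections trimmed, telnet line invented).
BEFORE = """\
/ip ssh
set strong-crypto=yes
/ip service
set api disabled=yes
"""
AFTER = """\
/ip ssh
set allow-none-crypto=yes forwarding-enabled=remote \\
    strong-crypto=yes
/ip service
set api disabled=yes
set telnet disabled=no
"""
def parse_export(text):
    """Map each /path section to a list of {key: value} dicts per set/add line."""
    text = re.sub(r"\\\n\s*", "", text)          # fold /export's line continuations
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):                  # section header, e.g. `/ip ssh`
            current = line
            sections.setdefault(current, [])
            continue
        verb, _, rest = line.partition(" ")
        if current is None or verb not in ("set", "add"):
            continue
        rest = re.sub(r"^\[.*?\]\s*", "", rest)   # drop `[ find default-name=... ]`
        entry = dict(re.findall(r'([\w-]+)=("[^"]*"|\S*)', rest))
        head = rest.split(" ", 1)[0]
        if "=" not in head:                       # bare item name, e.g. `set telnet ...`
            entry["_target"] = head
        sections[current].append(entry)
    return sections

def ssh_findings(sections):
    """Findings for the weak /ip ssh keys seen in the diff, plus plaintext services."""
    ssh = {k: v for e in sections.get("/ip ssh", []) for k, v in e.items()}
    out = []
    if ssh.get("allow-none-crypto") == "yes":
        out.append("ssh: 'none' cipher accepted (allow-none-crypto=yes)")
    if ssh.get("forwarding-enabled", "no") != "no":
        out.append(f"ssh: port forwarding enabled ({ssh['forwarding-enabled']})")
    for e in sections.get("/ip service", []):
        if e.get("_target") in ("telnet", "ftp", "www", "api") and e.get("disabled") != "yes":
            out.append(f"service: plaintext {e['_target']} enabled")
    return out

def changed_keys(before, after, section="/ip ssh"):
    """Keys whose value differs between two exports (what the rancid mail showed)."""
    b = {k: v for e in parse_export(before).get(section, []) for k, v in e.items()}
    a = {k: v for e in parse_export(after).get(section, []) for k, v in e.items()}
    return sorted(k for k in set(b) | set(a) if b.get(k) != a.get(k))
```

Running `ssh_findings(parse_export(AFTER))` on the post-upgrade sample reports the none cipher, remote forwarding and the enabled telnet service, while `changed_keys(BEFORE, AFTER)` names exactly the two keys the upgrade introduced.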

Thanks Ants
May 21, 2004

#essereFerrari


mikrotik.txt


CuddleChunks
Sep 18, 2004

SamDabbers posted:

The none/null cipher exists solely to test the key negotiation handshake (e.g. TLS, IKE) and should basically never be used, or even a configurable option, outside of a development environment. It definitely should never be set as a default.

Is bestest config, friend. Is to make you more secure.
