|
If you're able to, do a full export of your config and then wipe the Mikrotik. Put on your config line by line (like past basic routing) and see when the error starts with rancid not collecting data properly. That way you can at least see where the problem lies. Basically make sure you're not using any defaults and try to understand each line that the Mikrotik uses on its script when you do a full export.
|
#
?
Feb 27, 2020 19:14
|
|
|
|
| # ? Apr 19, 2024 10:44 |
|
|
I'm considering dipping my toes into MikroTik by picking up this switch for my home lab. My experience with MikroTik was 10 minutes at a client site trying to figure out what the heck was going on and why the WiFi died so I don't really know what I'd be getting into. Coming from a Cisco + Ubiquiti background, how much trouble would I have with this switch?
|
|
#
?
Apr 10, 2020 16:53
|
|
|
I have one of those. The interface and feature set is pretty basic, but it fits the use case of "inexpensive, 10G ports, and does VLANs."
|
|
#
?
Apr 10, 2020 16:58
|
|
|
Actuarial Fables posted:I'm considering dipping my toes into MikroTik by picking up this switch for my home lab. My experience with MikroTik was 10 minutes at a client site trying to figure out what the heck was going on and why the WiFi died so I don't really know what I'd be getting into. Eh, probably not much. They are a little different to manage but its simple for a network guy to learn imo.
|
|
#
?
Apr 10, 2020 16:59
|
|
|
Learn to use Winbox to connect to a device via MAC neighbor, which is basically a Ethernet serial connection. Then do an /export command and look at what is already on the device by default. This is very Cisco-style as everything listed is a command you could enter on your own, line by line. Then zero out the config via: /system reset-configuration no-defaults=yes skip-backup=yes To get rid of lame defaults you don't need. The biggest weirdness about Mikrotik switches right now is that they compressed switch code into software bridge code, and it does some sort of magic on the fly to decide if something uses a switch chip or software routing. So to make a switch, simply make a bridge and add ports to that bridge. Quickest way to start working with a MT switch and at least have it functional while you learn other stuff on it; /interface bridge add name=SwitchLAN /interface bridge port add bridge=SwitchLAN interface=ether2 add bridge=SwitchLAN interface=ether3 add bridge=SwitchLAN interface=ether4 add bridge=SwitchLAN interface=sfp1 ...etc Note: the Layer2/MAC address winbox connection lets you get in without needing a serial cable or IP on a port, but it makes the connection really shaky, especially when doing bridge ports above. Just reconnect if you get dropped until you can eventually get in via Layer3. I have to use Cisco everything at my new job and I kinda miss Mikrotiks. I don't miss how flakey the hardware can obviously be, but I do miss that under 30 second boot time to rule out if something just needed a fukken reboot to fix! jeeves fucked around with this message at 17:12 on Apr 10, 2020 |
|
#
?
Apr 10, 2020 17:09
|
|
|
That's good advice for a CRS running RouterOS, but the CSS line only runs SwOS which only has a web interface. If you get locked out of a SwOS device you have to do a config reset and log in with the default IP.
|
|
#
?
Apr 10, 2020 17:22
|
|
|
Thanks! I'll start seriously looking at my budget to see if I can afford this. I was also looking at the CRS version as well. The ~$50 price increase could be trouble, but if it makes it more fun then I'll have to consider it. jeeves posted:I don't miss how flakey the hardware can obviously be
|
|
#
?
Apr 10, 2020 17:37
|
|
|
SwOS is pretty lame. I forgot it exists because I think one of the inherent strengths of Mikrotiks is the flexibility of RouterOS. As for Mikrotiks being flakey, they're just known to not be the top tier of quality of other stuff, but that's what you get for being able to buy them for 1/10th the price of anything else. As long as you keep them up to date on their firmware and know that they'll most likely need to be rebooted once every three months or so you'll be fine. Most complaints I've seen with them are old greybeards who treat them like Ciscos and never update the suckers ever and then complain that they got hacked from an exploit that was patched like a year ago.
|
|
#
?
Apr 10, 2020 18:20
|
|
|
Don't use them for Wi-Fi (unless it's their own proprietary PtP/PtMP links). Other than that, I have no issue with their kit.
|
|
#
?
Apr 10, 2020 19:42
|
|
|
Thanks Ants posted:Don't use them for Wi-Fi (unless it's their own proprietary PtP/PtMP links). Other than that, I have no issue with their kit. Whys that? Ive installed a billion HAP2s and they work great for the money.
|
|
#
?
Apr 10, 2020 20:49
|
|
|
Decided to go for the CRS model over the CSS. It was delivered today so I've been playing around with it, and so far I've managed to get myself locked out three times by messing up vlan config. I think I've got a handle on it now - the main issue was that I didn't realize that you have to set a pvid value on the port itself in addition to adding the port as untagged in the bridge vlan config. In the process of moving my lab over to this switch now. Thanks again for the advice!
|
|
#
?
Apr 17, 2020 20:25
|
|
|
Mikrotik's definite lack of hand holding makes dealing with vlans being a pain. It sounds like you got through the worst of it.
|
|
#
?
Apr 17, 2020 21:38
|
|
|
It didn't help that things would break if you enabled tagging or disabled or moved things to interfaces or bridges in the wrong order.
|
|
#
?
Apr 17, 2020 22:24
|
|
|
Probably a long shot since this thread hasn't been ping'd in like 5 months, but if anyone is interested I found an RB2011 hiding in my bin of routers. https://forums.somethingawful.com/showthread.php?threadid=3896193
|
|
#
?
Sep 15, 2020 21:07
|
|
|
Guess I'll update on my CRS-326 experience. It's good! Ran into some beginner traps though - I created a bonded interface using the balance-rr mode, which seemed great because my virtualization servers have multiple gigabit interfaces and my storage server is connected on one of the 10g ports, but the CRS326 can't hardware offload that mode so I ended up with sub-gigabit speeds until I did some benchmarks and discovered my error. However, after getting it set up correctly I haven't had to touch it and really that's the end goal for networking equipment. The biggest issue with the switch isn't even about the switch itself, but the power adapter. It's this clunky wall wart that I can't fit on my UPS. I had a spare passive PoE adapter from a UniFi AP so I've just been using that to power the switch instead. Not sure why they went with passive PoE input instead of 802.3af/at, but whatever. Once I find a steady source of income I'm considering upgrading my virtualization servers to 10gbit and picking up a CRS305 to connect them to my storage server, but until then I'm happy with the 326.
|
|
#
?
Sep 16, 2020 16:45
|
|
|
I keep stock of a bunch of (local equivalents) of these for situations where I need to get power bricks away from the PDUs they are plugged into https://www.monoprice.com/product?p_id=35047
|
|
#
?
Sep 16, 2020 17:18
|
|
|
I'm a little in over my head here as networking isn't my strong point, though what I'm trying to achieve shouldn't be that difficult. We have a Mikrotik at the root of our network, and then internet is beamed from place to place via a bunch of Cambium point to point gear. We have a couple of locations where I'm being asked to assign IP ranges specific to some proprietary gear, these ranges are different from the existing IP setup, its 172.x.x.x now and they need 192.168.x.x. I'm thinking I should create a VLAN for each of these other ranges, I've created the VLAN interface, the VLAN itself, created the first IP range and assigned to the VLAN. But, assuming any of this is right, this is where I'm stuck. Not sure how to move the subscriber module over to that interface. I see some VLAN stuff in the SM console but it doesn't look like what I need. Any help here would be great.
codo27 fucked around with this message at 17:52 on Mar 25, 2021 |
|
#
?
Mar 25, 2021 17:47
|
|
|
VLAN and bridge groups are basically virtual interfaces that you can assign IPs or whatever to, and then assign ports for that virtual interface to 'exit' out of. Only difference is a VLAN can then be segregated downstream on switches, whereas a bridge group is basically a big switch group in layer 3 on the router. Once you create your virtual interface, you have to basically add the physical ports to it, or else it is just a nebulous virtual device with no 'exits' so to speak. code:code:
|
|
#
?
Mar 25, 2021 23:17
|
|
|
jeeves posted:you have to basically add the physical ports to it, or else it is just a nebulous virtual device with no 'exits' so to speak. So what if everything basically comes from one physical port on the router? Cause thats what it is. It goes out to the p2p access point from there and then to various SMs across site.
|
|
#
?
Mar 26, 2021 11:40
|
|
|
You can add the same physical port to multiple vlans.
|
|
#
?
Mar 26, 2021 13:19
|
|
|
Yeah in the Cisco world you make VLANs as virtual interfaces first, assign IPs and poo poo to those VLANs as if they were an interface. Then you when you're messing around with the specific physical port's code, you designate a specific that port as either 'access' or 'trunk' for those vlans. Otherwise it won't know to touch the VLAN data and doesn't do anything with it. Access = VLAN tag gets stripped on data exiting the port, applied on data entering. Trunk = VLAN tag doesn't get stripped but passed along. Mikrotiks are kind of stupid with VLANs because the code has been kind of jury rigged on after the fact. (Case in point, you are forced to use their bridge code to even make a device act like a switch, if it has a switch chip.) If you make a port a switch port, it will happily pass VLAN traffic all over the place. Tons of "leaking" VLANs in that you have tagged VLAN data going out ports they were not meant to, or hitting customer devices and the customer device goes "what is this?" and drops it-- hopefully. Basically, make a virtual VLAN interface, then per VLAN assign physical ports to it. I don't even think they let you make a VLAN now without first putting at least one port? Then you need some sort of egress port stripping to make it an access port instead of trunk, as by default it's just trunk (Actually by default each port is a switch once you add it to their new bridge-group switch code). I forget the exact code as it's been a while since I've used Mikrotik for anything but a powerful home router (with no VLANs). Also, Mikrotiks do not make great core routers for ISPs. They are great midpoint/endpoint (next hop up from customer) routers for wireless gear and poo poo, but not a core router for a network. This is because there is like always a 1% chance that poo poo just crashes on a Mikrotik at all times. Like 24/7. A reboot will fix it, but like every so often they will just have something freeze up and crash until said reboot. Mikrotik's answer is basically "well at least they reboot quickly and are cheap!" Edit - if I remember correctly there was like a VLAN implementation at my old job that had a bunch of access/endpoint switches like stuck on v6.40 because if you updated past that version it broke the vlan code and no one (basically me) could ever figure out how to fix it. That was 4 years ago. At least those switches which I know are still in production have private management IPs and shouldn't be accessible to the internet for obv exploitation of old firmware reasons. So yeah, good luck with VLANs on Mikrotiks! jeeves fucked around with this message at 18:11 on Mar 27, 2021 |
|
#
?
Mar 27, 2021 18:08
|
|
|
jeeves posted:Also, Mikrotiks do not make great core routers for ISPs. They are great midpoint/endpoint (next hop up from customer) routers for wireless gear and poo poo, but not a core router for a network. This is because there is like always a 1% chance that poo poo just crashes on a Mikrotik at all times. Like 24/7. A reboot will fix it, but like every so often they will just have something freeze up and crash until said reboot. I vaguely recall this is because Mikrotik's implementations of various dynamic routing protocols are single threaded and too many updates in a short time basically DoS the device. It doesn't even have to be exterior gateway protocol, the example I was given was a Mikrotik box running OSPF and acting as a VPN server (with a /30 subnet per connection) - the routes weren't being summarized, so routing updates from too many VPN connections opening or closing at once caused the entire thing to fall over. That was a long time ago though, so maybe things have improved somewhat.
|
|
#
?
Mar 28, 2021 08:47
|
|
|
Oh, hey, this thread isn't dead yet. Netgate and Ubiquiti have both been pissing me off (Netgate with how they're totally unable to own up to loving up, like with the WireGuard poo poo, and Ubiquiti with their abysmal "stable" releases and, now, putting ads in the controller software), and I'm starting to think about looking to see what else is out there for alternatives. I've heard people talking about Mikrotik for years, but I don't know much about it. So, I have some questions, and I'm hoping somebody might have some thoughts on them. How are people's experiences with it these days? I saw some mention of it being kind of unstable and needing to be rebooted every month or two. Is that still the case? And how loud are the fans? Unfortunately, I don't really have a place to put my networking gear that's out of the way, so quieter stuff is definitely better. Ubiquiti's been great for that. Also, how is it for DNS these days? I have a subdomain for my home devices, and pfSense has been great about letting me manage that, while forwarding requests for addresses at the rest of the domain to the upstream DNS servers. Can the Mikrotik stuff do something similar? I see it does DNS caching, but I'm not seeing much about intercepting requests for a subdomain. How much of a pain in the rear end is it to set up OpenVPN? The documentation on running an OpenVPN server on these things seems a little, uh, thin. Also, do they really not support anything better than SHA1 for auth? And which mode do they run AES in? GCM? When I started looking at this, I was assuming that it was a controller/device model for licensing. But, reading the licensing page, it sounds like it's per-device instead. While I don't imagine I'd run into any of the limits for what they currently license for, if they were to introduce some new feature in the future that required, say, a level 5 license, would I be unable to use it on any devices with level 4 licenses, even if I had a device with a level 5 license as well? For management, would I need to go into each device and configure it individually, or is it possible to do that from a centralized place? I'm on a Mac, so running Winbox would mean doing all my configuration in a VM, which, while possible, wouldn't be ideal. If I could configure everything from a single CLI or web UI or something, that'd be much better. One of the features of the Ubiquiti stuff that I've appreciated is that they're big on the SDN model, which makes management really simple. Swap out an AP or a switch? Just adopt the new one, and it's good to go. It looks like Mikrotik might use a more traditional model for that (configure each device individually, then deploy it), which I can understand, but . . . well, I'm hoping I'm wrong. Is there any meaningful difference other than how it's configured out of the box between one of their high-end switches and one of their routing appliances if they both run RouterOS? It seems like it should be possible to reconfigure a switch to do routing work, if the hardware works out better for a particular use case. How's their multigig stuff been? I've started to transition my network to 10gig, and my ISP is going to start offering some sort of multigig service level in the future. So, ideally, I'd like to be in a place where I can make good use of it.
|
|
#
?
Apr 11, 2021 22:29
|
|
|
Kreeblah posted:Oh, hey, this thread isn't dead yet. 1. It’s relatively stable but it’s not going to rack up months or years of uptime if you keep it current with updates. Most base to intermediate kit is fan less so it shouldn’t be a problem noise wise. 2. You are far better off subscribing to the free tier of cloudflare, upload your current domain objects and just use the mikrotik as a cache from that. 3. Never done openvpn, only l2tp, which is far from the best compared to other systems. 4. Every mikrotik router device is sold with a full license, you need to worry about license only if you white box your router(best option is a chr vm). 5. Every device is standalone AFAIK. You can manage ap in a sorta managed way. 6. Their high end l3 switches suck rear end at routing so forget about it. 7. Their latest routers provide a sfp+ cage so you should be golden for nbase/10g.
|
|
#
?
Apr 11, 2021 22:46
|
|
|
SlowBloke posted:1. It’s relatively stable but it’s not going to rack up months or years of uptime if you keep it current with updates. Most base to intermediate kit is fan less so it shouldn’t be a problem noise wise. Yeah, I don't mind rebooting for updates. I can plan for those. It's poo poo randomly keeling over that I'd like to avoid, especially since I was switched to permanent WFH last year. The thing with the DNS stuff is that I already have a DNS provider that I have most of the domain hosted with. I have some specific entries within my network which return different results so I can access them at the same FQDNs as I can from outside my network (pfSense returns an internal IP for specific FQDNs which is the host that the external IP gets NATed to for that service). I guess I could run an actual internal DNS server if I need to, though. I did see that the devices are sold with full licenses. It's more the restrictions at various levels that I was concerned about. I definitely don't want to white box something if I can avoid it, though. The "we might ask you to mail in the dead hard drive" thing for running it on bare metal just sounds like a pain in the rear end, and while I know that people do run routing off a VM, I'd be way more comfortable with a physical device. That's good to know about the management poo poo (unfortunate, but not surprising) and switches/routers. Thanks!
|
|
#
?
Apr 12, 2021 00:42
|
|
|
I just got myself a hEX and set it up. Internet works, yay. However I'm having trouble doing simple port forwarding. I have a web server sitting on my computer on the network at 192.168.0.16. I did code:How do I fix this? I'm completely lost, the guides just say adding that should make it work! Network is 192.168.0.0/24, my public IP is handed out by DHCP and NAT is enabled.
|
|
#
?
Apr 20, 2021 18:21
|
|
|
Are you trying to use your external IP from within your internal network to access your web server on that same network? Does it work when you access that external IP from outside your network? If so, look into hairpin NAT configuration.
|
|
#
?
Apr 20, 2021 18:34
|
|
|
Sir Bobert Fishbone posted:Are you trying to use your external IP from within your internal network to access your web server on that same network? Does it work when you access that external IP from outside your network? If so, look into hairpin NAT configuration. I'll read that too, maybe I'll understand better these things. Thanks! Edit: I can't get the web server to work on my LAN at all if using public DNS address or IP, the Mikrotik interface blocks port 80. How do I disable this, I don't want anyone accessing my LAN by guessing the weak password on the router  Edit 2: I guess the router only shows up on the inside but how do I get my services to work within the wifi/ethernet region? For example, I cannot backup my photos automatically for my nextcloud thing now as I get the router login page instead of outside forwarded port. Is this where the hair pin is required? Edit 3: Reading that again with thought, yeah. Okay, this is what I have: code:code:Doesn't seem to work. What am I missing? Edit: to answer that, the in-interface should be IP: quote:To funny, and by the way, its not a limitation on the MT, its up to the user as per many other functions to program that into the router. as per their forums. Kivi fucked around with this message at 12:28 on Apr 21, 2021 |
|
#
?
Apr 20, 2021 19:07
|
|
|
https://wiki.mikrotik.com/wiki/Hairpin_NAT <-- read that to understand the problem I myself solved the problem in a slightly different way: First, a priority 0 rule to handle the hairpin nat: code:For example, here is the port 22 forward for SSH to an internal server. code:alyandon fucked around with this message at 05:37 on Apr 22, 2021 |
|
#
?
Apr 22, 2021 05:34
|
|
|
alyandon posted:https://wiki.mikrotik.com/wiki/Hairpin_NAT <-- read that to understand the problem
|
|
#
?
Apr 22, 2021 11:10
|
|
|
Kivi posted:Thanks, got it working (and understood the "problem") with that forums post but I'll definitely use your way as I thought the WAN IP address "hack" bit hack-ey and bad but couldn't find more proper way to do it. Sorry about the wiki link then - I just didn't want to assume anything. Mikrotik is really geared at dealing with scenarios where you get static assignments. They don't even currently support IPv6 NPT which means I have to deal with rebooting/renumbering all my machines when my ISP decides to change my /56 allocation. :-/
|
|
#
?
Apr 22, 2021 21:28
|
|
|
Yeah, mapping a NAT to a WAN static IP uplink: crazy easy. Oh your WAN is DHCP? Well gently caress you! Time to learn how to do a bunch of firewall poo poo!
|
|
#
?
Apr 22, 2021 21:32
|
|
|
Sturdy little switches. https://twitter.com/nuclearlighter/status/1384800853849264130?s=21
|
|
#
?
Apr 22, 2021 21:42
|
|
|
Actually they are not sturdy. They are basically hollow and poo poo. Id guess thats actually why it lived, the boards arnt secured down well so they can kind of float.
|
|
#
?
Apr 23, 2021 00:05
|
|
|
Hm, I think it's usually considered a sign of quality when it doesn't break.
Fame Douglas fucked around with this message at 09:24 on Apr 23, 2021 |
|
#
?
Apr 23, 2021 00:13
|
|
|
Is there any performance issues if I just use all the ports on the hEx (ports 2-5 that are as bridge) and not separate cheap switch? I remember my ERL or ER-X having limitation when using more than just one port, degrading the performance. I tried reading about it but it's super confusing.
|
|
#
?
Apr 23, 2021 09:10
|
|
|
Kivi posted:Is there any performance issues if I just use all the ports on the hEx (ports 2-5 that are as bridge) and not separate cheap switch? I have a hEx running the 7.x beta and currently don't see performance problems. However, it is not something I've scrutinized carefully either. My RB3011 had weird port flapping issues when transferring large amounts of data between the two different switch port groups. I ended up having to disable cpu flow control in order to obtain line rate without port flapping so I've started slowly moving stuff off it and onto TP-Link managed switches (T1500G). They support snmp polling, are decently cheap for the given feature set and seem to be reliable.
|
|
#
?
Apr 23, 2021 18:10
|
|
|
Kreeblah posted:I did see that the devices are sold with full licenses. It's more the restrictions at various levels that I was concerned about. To be extra clear - you always get the maximum license level if you purchase a Mikrotik branded device. For the CHR (virtual device) variant you get to choose a license based on the max throughput but it still has all features enabled.
|
|
#
?
Apr 24, 2021 21:35
|
|
|
Kivi posted:Is there any performance issues if I just use all the ports on the hEx (ports 2-5 that are as bridge) and not separate cheap switch? Should be fine with default config, Mikrotik usually hangs all ports off a switch chip. Look at the block diagram: https://mikrotik.com/product/RB750Gr3#fndtn-downloads
|
|
#
?
Apr 27, 2021 02:35
|
|
|
|
| # ? Apr 19, 2024 10:44 |
|
|
OmniCorp posted:Sturdy little switches. Curved for your ergonomic pleasure
|
|
#
?
Apr 30, 2021 16:31
|
|