Mikrotik Routers (RouterBoard & RouterOS)

Lowyat.NET forums

Lowyat.NET Kopitiam Garage Sales

Lowyat.NET Rules and Regulations FAQ Help Search Members

Welcome Guest ( Log In | Register )

Lowyat.NET -> Networks and Broadband

Bump Topic Add Reply RSS Feed

9 Pages < 1 2 3 4 > » Bottom

Outline · [ Standard ] · Linear+

Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

views

kwss	Jan 7 2024, 08:07 AM Return to original view \| IPv6 \| Post #21
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(asellus @ Jan 7 2024, 07:48 AM) Don't tell me that you did not know that the firewall rule is just a wrapper for an iptables command, or ip6tables to be exact. That's why I mentioned iptables directly instead of routerOS firewall. When I talk about Shodan, I am talking about client-level security in general, not IPv6 only to be exact. The devices you see in Shodan are all devices with lousy client-level security implementations, but you assume that all devices out there has stellar client-level security implementations, at least for IPv6. You rely too much on the hope that device manufacturers will implement robust security on their IPv6-supporting devices, but not all will do so, just like Sony. Kuat pusing. The rules for IPv6 firewall in Mikrotik absolutely emulate NAT firewall. Now you want to spin about iptables implenentation. After trying to cheat and confuse old people about Shodan, you now talk about device security that happens for both IPv4 and IPv6. But previously sounds like absolutely an IPv6 only problem. Want to bring in PS5 too eh? Just because it's IPv6 stack has a vulnerability. But you clearly left out an important point. The first vulnerability is from WebKit, then it chain a kernel exploit which involves the IPv6 stack. So is it a kernel bug or IPv6 bug?
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 09:14 AM Return to original view \| Post #22
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 7 2024, 09:04 AM) Probably that the option, the last I did was just factory reset, perhaps can give this a try when I have more free time to do this. I did not test speed in particular but I have no issue for 500Mbps on default Speedtest,believedjust using IPv4. You can try this first: System > Packages > Check Installation If it says no error I am not really sure if netinstall will solve it. I am just suggesting it as nuclear option as I have no idea why toggling IGMP Snooping will give you an IPv6 prefix even with nothing connected to the router. It just sounds impossible. Did you remember anything you changed manually the last time you factory reset it? Also can you screenshot me Bridge > Ports? This post has been edited by kwss: Jan 7 2024, 09:16 AM
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 11:03 AM Return to original view \| IPv6 \| Post #23
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 7 2024, 10:58 AM) Here you go, I have even try disable all the bridge to test it out. Hi, it's Bridge > Ports Second tab on top ya
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 11:35 AM Return to original view \| IPv6 \| Post #24
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 7 2024, 11:20 AM) Disabled all IPv6 filter rules and not helping. Able to max out to 320Mbps and CPU is still 100% when speedtesting. Can you double check if "Fast Forward" is enabled inside your bridge setting? Just to confirm IPv6 > Firewall - NAT, Mangle, Raw and Address List are all disabled too right? If you enable Fast Forward, you need to reboot for it to take effect. This post has been edited by kwss: Jan 7 2024, 11:41 AM
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 09:24 PM Return to original view \| IPv6 \| Post #25
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 7 2024, 01:52 PM) Did you enable or use anything in Queue? If not, can you post your Tools > Profile when your CPU usage is 100%? On your Address List, they are all non-routable because outside of 2000::/3. Just drop them with route table, it's the highest performance method of doing it. Except the documentation prefix which is a bogon anyway, you can just blackhole it with one extra route table entry. Just curious what's the reason you added untracked to an accept rule? Cannot see your full ruleset but seems like they are repeated twice? This post has been edited by kwss: Jan 7 2024, 09:51 PM
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 09:27 PM Return to original view \| IPv6 \| Post #26
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 7 2024, 08:13 PM) I see. Attached. Can you explain more about your iptv and vlan10 why they are done like that?
Card PM	Report Top Like Quote Reply

kwss	Jan 7 2024, 09:54 PM Return to original view \| Post #27
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 7 2024, 09:43 PM) iptv basically following this guide for Unifi IPTV 600 Vlan 10 for "guest" network, no LAN access. OK, I am quite sure you duplicated them and did it wrong. Maybe that triggered a bug in RouterOS. Example: You bridge vlan500 into your main bridge. So yes, something broken in Layer 2 like I said earlier. Can you make the column wider and screenshot again? I want to see the whole thing. And if you don't mind, each of the bridge setting. This part need to redo and I think your Layer 2 problem will be solved, no need to netinstall
Card PM	Report Top Like Quote Reply

kwss	Jan 8 2024, 12:57 AM Return to original view \| Post #28
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 7 2024, 10:10 PM) See if this can see the settings CODE /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10 add bridge=UniFi-IPTV ingress-filtering=no interface=vlan.600-TrunkPort5 internal-path-cost=10 path-cost=10 add bridge=UniFi-IPTV hw=no ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10 add bridge=bridge ingress-filtering=no interface=vlan.500-TrunkPort5 internal-path-cost=10 path-cost=10 add bridge=UniFi-IPTV ingress-filtering=no interface=vlan.600 internal-path-cost=10 path-cost=10 add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=wlan3 internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=vlan.10-TrunkPort5 internal-path-cost=10 multicast-router=disabled path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=vlan.10-Guest internal-path-cost=10 multicast-router=disabled path-cost=10 add bridge=bridge.vlan10 interface=vlan.10-TrunkPort4 internal-path-cost=10 path-cost=10 Yea this is useful. However I am still missing some context. Can please export me the whole /interface ? I need to know how your port is physically connected as well as your vlan mapping This post has been edited by kwss: Jan 8 2024, 01:02 AM
Card PM	Report Top Like Quote Reply

kwss	Jan 8 2024, 10:01 AM Return to original view \| IPv6 \| Post #29
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 8 2024, 08:05 AM) 1. Queue - yes enabled queue tree CODE Flags: X - disabled, I - invalid 0 name="queue-upload" parent=fromHSBB_IN packet-mark=no-mark limit-at=91M queue=fq-code1 priority=8 max-limit=100M burst-limit=101M burst-threshold=97M burst-time=5s bucket-size=0.1 1 X name="queue-download" parent=bridge packet-mark=no-mark limit-at=310M queue=fq-code1 priority=8 max-limit=350M burst-limit=400M burst-threshold=320M burst-time=8s bucket-size=0.01 2. Tools> Profile CODE [@MikroTik-TDM] > tool/profile Columns: NAME, USAGE NAME USAGE www 0.3% ethernet 0.1% console 0.5% dns 0.3% networking 19% radv 0% management 1.7% ssl 0.3% dhcp 0.2% profiling 0.1% queuing 0.3% bridging 0.8% unclassified 6% total 29.6% 3. Address list from IPV6 [attachmentid=11488503] 4. Filter Rules are default, never add additional rules. Do you get higher speed if you disable all your Simple Queue and Queue Tree? This post has been edited by kwss: Jan 8 2024, 10:04 AM
Card PM	Report Top Like Quote Reply

kwss	Jan 8 2024, 10:06 AM Return to original view \| IPv6 \| Post #30
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 8 2024, 10:04 AM) same lingering around 300-350Mbps after disabling all filter rules, address lists I updated my post after you post. I mean Simple Queue and Queue Tree. I am no longer seeing firewall anywhere in the Profile and it's not using 100% CPU anymore
Card PM	Report Top Like Quote Reply

kwss	Jan 8 2024, 10:14 AM Return to original view \| IPv6 \| Post #31
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 8 2024, 07:43 AM) I will share the export later. This is how it is connected. Can I have the export of /interface? I am trying to make sense of your diagram. Where you connect your IPTV? Can I have the reason why you want to trunk 500 and 600 into your switch if your Unifi comes in from Port 1 and your router actually does the PPPoE and all?
Card PM	Report Top Like Quote Reply

kwss	Jan 9 2024, 03:28 AM Return to original view \| Post #32
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 8 2024, 07:40 PM) Update the diagram. The 500 actually is just for trunk the Internet to the switch, Unifi TV box is connected to the switch that is why 500 & 600 is trunk See if this is what you looking for? CODE /interface bridge add name=UniFi-IPTV port-cost-mode=short add admin-mac=XX:XX:XX:XX:XX:XX auto-mac=no comment=defconf name=bridge \ port-cost-mode=short add name=bridge.vlan10 port-cost-mode=short /interface ethernet set [ find default-name=ether2 ] name=ether2-master /interface vlan add interface=ether4 name=vlan.10-TrunkPort4 vlan-id=10 add interface=ether5 name=vlan.10-TrunkPort5 vlan-id=10 add interface=ether1 name=vlan.500 vlan-id=500 add interface=ether5 name=vlan.500-TrunkPort5 vlan-id=500 add interface=ether1 name=vlan.600 vlan-id=600 add interface=ether5 name=vlan.600-TrunkPort5 vlan-id=600 /interface pppoe-client add add-default-route=yes default-route-distance=0 disabled=no interface=vlan.500 name=UniFi-Internet user=username@unifi OK, I have to give you the credit for hacking things together when what you described won't work in the first place. I also want to rant how shitty Mikrotik config is. They are a hard to read and untangle. Nokia and Juniper are great. Cisco is already kind of bad but Mikrotik is at the bottom of all. Let's go into the errors you made. You bridge IPTV into the native VLAN on port 5. You also bridge it to VLAN 600 on port 5. So all the BUM traffic flow twice into port 5 to your switch. Since IPTV hijaack your native VLAN on the port to your switch, you will never get Internet... ever! On top of that you have traffic flooding twice into the port towards your switch. You proceed to hack around the situation by bridging VLAN 500 into your main bridge. Now you trunk VLAN 500 into your switch and you get Internet. But what you just did is bridge the interface meant for PPPoE into your main VLAN. Now everything meant for your local network get sent to TM. All the traffic end up in the PPPoE interface, get sent to VLAN 500, and loopback into your LAN, get sent to PPPoE interface again. Over and over again. So from here onward, do you want to take this as an exercise and fix it yourself? Or I point to you what to modify?
Card PM	Report Top Like Quote Reply

kwss	Jan 9 2024, 09:51 AM Return to original view \| Post #33
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 9 2024, 06:16 AM) Yeah, could you please help to change things for the right way? In Bridge > Ports, remove "UniFi-IPTV" bridge with interface "ether5". In Bridge > Ports, remove "bridge" with interface "vlan.500-TrunkPort5". Add bridge=bridge with interface=ether5. In Interfaces > VLAN. Remove "vlan.500-TrunkPort5". In your switch, remove vlan 500. You Internet now should works on untagged interface. Finally review all your "bridge.vlan10". I don't know if they are intended but some have changed ingress-filtering and multicast-router disabled. I did not lab this out but it should work.
Card PM	Report Top Like Quote Reply

kwss	Jan 9 2024, 10:49 PM Return to original view \| IPv6 \| Post #34
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 9 2024, 07:23 PM) /interface bridge port add bridge=bridge comment=defconf ingress-filtering=no interface=ether2-master internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf hw=no ingress-filtering=no interface=sfp1 internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf ingress-filtering=no interface=wlan1 internal-path-cost=10 path-cost=10 add bridge=bridge comment=defconf ingress-filtering=no interface=wlan2 internal-path-cost=10 path-cost=10 add bridge=UniFi-IPTV ingress-filtering=no interface=vlan.600-TrunkPort5 internal-path-cost=10 path-cost=10 add bridge=bridge hw=no ingress-filtering=no interface=ether5 internal-path-cost=10 path-cost=10 add bridge=bridge disabled=yes ingress-filtering=no interface=vlan.500-TrunkPort5 internal-path-cost=10 path-cost=10 add bridge=UniFi-IPTV ingress-filtering=no interface=vlan.600 internal-path-cost=10 path-cost=10 add bridge=bridge ingress-filtering=no interface=ether3 internal-path-cost=10 path-cost=10 add bridge=bridge ingress-filtering=no interface=ether4 internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=wlan3 internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=vlan.10-TrunkPort5 internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=vlan.10-Gesuto internal-path-cost=10 path-cost=10 add bridge=bridge.vlan10 ingress-filtering=no interface=vlan.10-TrunkPort4 internal-path-cost=10 path-cost=10 Ok, does this looks correct. I've remove the VLAN on switch, a quick test looks ok. Now does that mean I do no need to trunk 500 for vlan , only need the trunk 600 for IPTV? Sadly, my IPv6 still does not appear. The proper way to eliminate bug in network OS, any network OS is to backup the config, then proceed to do the full change. You just remove the iptv for ether5 and add to "bridge". Then you disable vlan500 trunk only. You must fully do the change by removing it and the vlan trunk because the vlan is an active component in RouterOS state machine. Fingers crossed it works after that. Else the saga continues.. Yes with this method you don't need to trunk your internet anymore.. This post has been edited by kwss: Jan 9 2024, 10:57 PM
Card PM	Report Top Like Quote Reply

kwss	Jan 9 2024, 11:24 PM Return to original view \| IPv6 \| Post #35
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 9 2024, 11:09 PM) Do you mean factory restore and restore configuration? No. You did not follow all my steps properly. I still see the bridge for 500. Just disabled. The vlan500 trunk is still active. You need to delete them n Bridge > Ports, remove "bridge" with interface "vlan.500-TrunkPort5". In Interfaces > VLAN. Remove "vlan.500-TrunkPort5". This post has been edited by kwss: Jan 9 2024, 11:31 PM
Card PM	Report Top Like Quote Reply

kwss	Jan 10 2024, 12:16 AM Return to original view \| IPv6 \| Post #36
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(neuromancerx @ Jan 10 2024, 12:02 AM) I'm planning to set up a new networking system for my new double-storey house. I'm thinking of placing a MikroTik CSS610-8G-2S+IN on the first floor and a CRS112-8G-4S-IN on the second floor, with multimode fiber for the interconnect. Is it possible to configure LACP between a CRS running RouterOS and a CSS running SwOS? EDIT: Not supported for CRS112, supported on CSS610 https://help.mikrotik.com/docs/pages/viewpa...ageId=103841835 "The Trunking in the Cloud Router Switches provides static link aggregation groups with hardware automatic failover and load balancing. IEEE802.3ad and IEEE802.1ax compatible Link Aggregation Control Protocol is not supported." https://help.mikrotik.com/docs/display/SWOS...0+series+Manual "IEEE 802.3ad (LACP) compatible link aggregation is supported, as well as static link aggregation to ensure failover and load balancing based only on Layer2 hashing. Up to 16 link aggregation groups with up to 8 ports per group are supported." Original message: I did a quick glance at 1xx/2xx switch and example. It's never mentioned so my guess would be no. Don't quote me on it though, just a very quick glance This post has been edited by kwss: Jan 10 2024, 12:49 AM
Card PM	Report Top Like Quote Reply

kwss	Jan 10 2024, 09:39 PM Return to original view \| IPv6 \| Post #37
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 10 2024, 07:23 AM) Any links/tips to downgrade from RouterOS7.x to RouterOS6.x? They have an official guide. Seems straightforward https://help.mikrotik.com/docs/display/RKB/...rading+RouterOS Did you still get low speed after disabling all the Simple Queue and Queue Tree?
Card PM	Report Top Like Quote Reply

kwss	Jan 11 2024, 09:41 AM Return to original view \| Post #38
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(Quanta @ Jan 11 2024, 07:17 AM) no hope with RB750 on ipv6. still at 350Mbps. I think I have bricked it when trying to install openwrt's initramfs after successfully downgraded to 6.49.2. Will try to debrick it when I have time. So sorry to hear that. Follow the netinstall process to unbrick it.
Card PM	Report Top Like Quote Reply

kwss	Jan 12 2024, 11:57 PM Return to original view \| IPv6 \| Post #39
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(maxiscool @ Jan 12 2024, 11:55 PM) Tried, still IPv6 does not appear. One question, how should I configure if I still want to trunk my vlan500? You can use any number. Just not the VLAN used by TM.
Card PM	Report Top Like Quote Reply

kwss	Jan 13 2024, 10:22 AM Return to original view \| IPv6 \| Post #40
Regular Senior Member 1,207 posts Joined: Aug 2018	QUOTE(neuromancerx @ Jan 13 2024, 09:20 AM) Thanks man for the research. So the CRS is not supporting LACP, only static bonding without any control protocol. The biggest effort is actually pulling the cable between the floors. I actually don't mind whether it is a copper or fiber, the cost is not that significant (apart from additional cost for the SFP/SFP+). Redundancy is important, that's why I am pulling two cables. I can start with 1G if I want and replace it with a 10G SFP in the future. But yeah, thanks for the input. In Mikrotik term bonding means using the switch CPU to do it instead of the switch chip. You will not get wirespeed. Be warned!
Card PM	Report Top Like Quote Reply

« Next Oldest · Networks and Broadband · Next Newest »

9 Pages < 1 2 3 4 > » Top

Add Reply Options

Change to:

0.0296sec

0.62

7 queries

GZIP Disabled
Time is now: 28th November 2025 - 12:42 AM

All Rights Reserved © 2002- 2025 Vijandren Ramadass (~unite against racism~)

Removal Request

Powered by Invision Power Board © 2025 IPS, Inc.