MikroTik - Search

tangent

terminals only understand characters,

We’ve had F1 onANSI X3.64 compatible terminalsat least since the VT220, released in 1983. If you’re using a terminal emulator that can’t send F1, get a better terminal emulator; they’re plentiful.

tangent

Therack mount kit for the RB5009allows you to rack as few as one of these.

tangent

完整的配置:https://pastebin.com/8Y8dAuAc许多曲estions: Where's that "/ip/route/print" output I asked for? Your config is too complicated for me to reconstruct the dynamic routing rules from the static commands. Until you post what result you got from all this, my only option is to dup...

tangent

@fragtion: Are you using the recommended NAT-based network configuration for your containers, or are you doing as the OP is doing and binding the veth straight to the bridge? I've done the latter for justifiable cause , and it can work, but I'm using these "routers" as glorified switches, ...

tangent

Giventhis prior post, I’ll guess that you’ve created a routing error, sending all traffic thru the container.

Post the output of “/ip/route/print”.

tangent

It stops because you may be assigning a different static IP to each subsequent box, and so you need to pass a different -a parameter each time. (The -i alternative is a recent addition.) If each box gets the exact same config instead, such as because each one gets the variable parts via DHCP, it’s t...

tangent

something is left from before.

It’scommon configuration flotsam.

tangent

Spectacular things are great in year 1. In year 5, when upstream development has moved on to other projects, what once looked whizzy now looks outdated, and it's barely limping by in maintenance mode. In year 10, you're hand-patching the framework merely to get it to run on modern platforms, because...

tangent

Web frameworks have a half-life of about five years. Day 1, you select the current hotness and all is well, but by the time your app sees its first decade, people are going, “You wrote it inwhat? Are youloony?”

tangent

why should Quick Set require default settings? MikroTik, not being idiots, have provided sensible starting defaults. If you're asking why these sensible starting defaults aren't the same as an empty configuration, it's because an empty configuration says "do nothing," and so it does nothi...

tangent

invalid mtu 9086 on sfp-sfpplus1 from fe80::ea5c:aff:fe83:f43c fe80::/10 is the prefix for IPv6 link-local addresses, so it means one of your LAN hosts (the one that’s assigned itself that IP) is trying to use jumbo packets and is getting slapped down by the router. It’s likely harmless, since the ...

tangent

That’s why I gave you a CLI command. Cut and paste its text output into a “[code]”block.

tangent

You can get small stick-on heat sinks that might help, but without knowing the SFP module in question, that's nearly pure speculation. With recent versions of RouterOS 7, the hEX line regains the ability to identify SFP module details. Care to share, jhony? I'd like to see the output of… /interface/...

tangent

iperf3 reports packet loss at the end. Is it 0%?

What happens if you switch it into UDP mode? That lets you dial in a target bandwidth, -u -b. Without TCP’s retransmission help, it will fall apart and start losing packets at some point; where?

tangent

谢谢,anav。你应该提到distincti的关键on between the two approaches: mine uses a Linux VM from the command line, whereas the other article assumes you have a Windows VM and want to use the netinstall GUI. I'm half-tempted to ask you to remove the other link, though. It ticks every item o...

tangent

SFP port, while nice, will add quite a bit to the price The hEX PoE and hEX S are around the same price, and they have an SFP port. What I really want is SFP+ so each copper port has a dedicated 1G back to the core, but for a travel router, I'll give that dream up. I wouldn't expect to get these fe...

tangent

I try to pull jc21/nginx-proxy-manager on CHR CHR implies a hypervisor, so why are you using containers? Put this on a VM out on the host. I see no reason to confine this to RouterOS's emaciated "container" feature. Don't tell me it's because of efficiency. This 600 meg container is an ab...

tangent

I've spent some time playing with the new hAP ax lite and ax², and I find I want a few small changes, which will turn either one into an ideal travel router. The simplest, cheapest option is to upgrade the USB-C port on the "lite" so that it will not only accept PD at a variety of voltage ...

tangent

Thanks to your prompting, I did try a dumb switch, and it did work, but that led me to the question, "Why?" I quickly tracked it down to the Trusted setting on bridge ports in my CRS328, all disabled except for the one port toward my DHCP provider. NetInstall includes a BOOTP step, which i...

tangent

I thought it was worth cross-posting my latest RouterOS article here because it includes a method for resetting the default password on one of the new routers using netinstall-cli. It's tested and working here. There are subtleties, but if you have a default configuration you want to apply anyway, y...

tangent

I've just worked through all the subtleties and published themhere.

Enjoy!

tangent

ROS 7 merged a bunch of packages into the main one , including “multicast.npk”. If it were not so, CLI menus like "/routing/pimsm" wouldn't exist until you installed the optional package. Note that routing-related features got a complete overhaul in ROS 7, so your referenced post from 201...

tangent

Relevant threadshereandhere.

tangent

Fritzbox -> rb5009 -> switch ? I already argued against back-to-back routers above. To address your broader question, the cameras can go anywhere else on the LAN; that's one of the things VLANs give you. Presumably each camera is nearer one of the PoE switches than another, so that would set your b...

tangent

Forget OCR and all the associated issues (highly inaccurate for one) Ever heard of the Dunning-Kruger effect ? OCR has been used in critical real-time industry-scale applications for decades. For computer-printed text, it's a solved problem, to the extent that researchers have been focusing on hand...

tangent

never knew they added a reset button straight to netinstall function, that didn't exist when I started using netinstall

I traced it back as far asFebruary 2020, in RouterOS 6.

tangent

I'm pretty sure he means 7.10beta, whenever that appears.

tangent

I assume your "attack senario" is something like the following: Partly, but I'm taking the OP's prior statements into account, where he's apparently in charge of a WISP that's taken over other smaller WISPs and now needs to take control of all the equipment they left behind and to do it w...

tangent

the device is essentially inoperable as a network device until the user intervenes and is forced to not just leave it with default credentials. Hang on a sec. Your plan is to have a mode where someone remote can blank out the configuration and provide a new one, including a new non-empty password, ...

tangent

Mikrotik RB5009UPr+S+IN as my main router I don't see why you want that model given that you have an Internet router already — the FritzBox — and you want to add a PoE switch. If it were me designing it, I'd move the PoE role to a separate switch, then either choose the non-PoE model of the 5009 an...

tangent

the idea of netinstall is terrible because…it's no better than a randomized password as that gear is unserviceable to anyone other than you and your company Someone else's password is as good as random already. Or that's the idea, anyway, since the alternative is that you can guess the password, wh...

tangent

netinstall is not always an option…you aren't configuring them all in the same physical location You know what we need to fix that problem? A global network that will let us coordinate data across multiple sites, each with their own local network, like an inter-network kind of thing. Hey, I know, w...

tangent

The Llama MT Password Reading Magnifying Glass!! You joke, but while I do have solutions to that problem, they all suck: The benchtop illuminated magnifier with auxiliary lens I bought for micro-soldering works great for reading the new password labels, but only when I'm in my lab, it being clamped...

tangent

所以是什么problem with random 4 letters as a suffix to the part of serial number .. which is different as well each time ... as a default password? Extending the serial number might be okay, depending on how difficult it is to make the router give it up over a LAN link. The only measure I'm aw...

tangent

DELETED

tangent

4 ports on AX Lite or 5 for AX2 / AX3, that's only 1 port difference ? That fifth port amounts to a big difference if you need PoE. The ax² has PoE in and out, while the "lite" has no PoE at all. Lack of PoE output falls out of the very different powering options between these two: the US...

tangent

…"it silently fails to start"…Mikrotik said they would fix this You don't need to tell me. I'm the one who diagnosed the empty directory issue and reported it to MikroTik. :) And that is why I was able to build the "tangentsoft/echo:latest" container for you. ARM64 is powerful e...

tangent

/container/add remote-image=hello-world:latest root-dir=hello interface=veth1 logging=yes … status remains stopped. Of course the status is "stopped." It runs, prints out its "hello, world" message, then stops. That's what that container does. And that's all it does. That isn't ...

tangent

This is due to change in dockerhub. …and a good one, since it means we're moving toward a world of standards-based container tech, which will help break Docker, Inc's hold on this key technology. The day RouterOS goes fully OCI-compliant will be a great day. Multiple workarounds are already posted ...

tangent

I filed the suggestion, and MikroTik says they'll think about changing the behavior. In other news, I have a more complete set of test results up now. I was surprised at the 29% best-case margin between the hAP ax lite and the ax². I thought it'd be more nearly night-and-day due to the 64-bit CPU an...

tangent

Since you're quoting me, I suppose you're hoping that I've developed this into a cookie-cutter solution in the meantime? Sorry, I have no interest in doing so. I don't own any UniFi gear. I was approaching it as a practical puzzle, not as a problem I had to solve for personal reasons. How about this...

tangent

Thanks again, Amm0. I'll stick with static IP on this switch. It is, after all, core infrastructure. I just thought I'd be cute and allow whole network re-IPing by using DHCP as much as possible. I've been made to change my subnet more than once over the years. What I really want is for RouterOS to ...

tangent

I'm somewhat confused by what you're expecting to get out of this. You have trouble reading words in manuals written by professional technical writers, but you expect you'll have better luck with words written by networking geeks who like as not don't even speak English as a first language on a web ...

tangent

For the archives, there's a potential problem with doing this: by putting the veth into the bridge, it participates in ROS's logic for deciding what MAC to give the bridge. I don't understand its rules, but I do know that in one test of this here, it ended up giving my bridge a different random MAC ...

tangent

Next step: try it on the CRS328, with its piddlin' 16 megs of flash.

Womp, womp: 356 Mbit/sec with 4 parallel streams.

I guess that's what I get for using an 800 MHz ARM CPU for traffic generation.

Well, at least it runs.

tangent

Yes, thank you, @Larsa. These are the principles I was expounding on in the mDNS repeater thread. Between what you see on trunk in my Fossil now andthe removed setcap stuff, I do think one could get that container under a meg.

Once again, not my itch, but the code's there for the taking now.

tangent

In completely separate news , I figured out what the Alpine layer was adding that allowed the container to start on ROS: it won't create the /dev, /proc, /run, or /sys mount points for you. If any single one of those is missing, it will unpack successfully, but then silently fail to start. Between t...

tangent

less than 5MB It's closer to seven megs unpacked: $ docker create --name foo --platform linux/arm64 taoyou/iperf3-alpine $ docker export foo | pv -b > /dev/null 6.97MiB (pv is the PipeViewer tool.) You might want to be aware that this line at the top of the taoyou container's Dockerfile switches th...

tangent

the bridge will use ARP to figure that out. That's what I thought, and I'm certain I tried something like that. Simply removing the IP from the bridge and restarting the container didn't help. I had to reboot the router to get it working. I guess there was stale routing information in there or some...

tangent

In support of another project , I was trying to avoid the NAT layer in the standard container setup . I succeeded in adding veth1 straight to the single hardware bridge, avoiding the software "docker" bridge that MT recommends in their docs, but where I failed is in giving it an IP address...

tangent

我一直在寻求使最小的iperf3 container for RouterOS. This constitutes weekend entertainment for me. What can I say; I nerd hard. What I have so far is here . If you've got 0.2 megs to spare on your router, give it a spin. I'm getting 3.3 Gbit/sec test results to my RB4011 runni...

tangent

That's only the host key part. It doesn't let you set up pre-shared ed25519 keys per user.

One hopes the latter piece is coming later in the 7.9 beta process.

tangent

Official Wine64 from official repository Then you should be pointing people here , not at the personal GitHub repository of Dean M Greer, alias Gcenx, who merely happens to be the current macOS port maintainer for Wine. Or, you could point people here , the macOS page in the official Wine Wiki, whe...

tangent

@tangent, I think we're making the same point :) I don't, because "hashes" prove nothing unless you trust the source of the hashes. If the hashes come from the same source a the packages, why are you trusting the hashes to prove the trustworthiness of the packages? At best, all checking S...

tangent

It does check hashes automatically. Not quite my point. By " unimpeachable ," I mean that Homebrew has a track record of many years of providing trustworthy packages, and they've got a a reasonable governance model to protect that reputation. If anyone ever did push something harmful into...

tangent

So what's the difference with auditable public GitHub project that redistributed by brew? Not only is Homebrew all but unimpeachable as a source of trustworthy binaries, the same source of those tarballs Normis is recommending we use instead has a "How to Install Wine on Mac" guide that t...

tangent

Lean and mean, I like! Yeah, especially since its closest competition is something like Gitlab CE , at 1.25 GB (gigabytes!) compressed, and something like 4 gigs when running. I get that it does more, but I dare say a whole lot of GitLab users could get by just fine with Fossil. This thread inspire...

tangent

Perhaps I'm misunderstanding you I'm saying use both: Alpine in the first stage to install the necessary build tools and run "gcc -static mdns_repeater.c -o mdns_repeater", then "FROM scratch" to copy that binary into the actual container, resulting in something more on the orde...

tangent

Alpine Linux is a very lean and productive platform For the first (builder) stage, sure, but I think it's possible to get the second stage down to "FROM busybox" or, better, "FROM scratch", leaving only a single statically linked binary inside the container. Whether it's 100k as...

tangent

While you're right that the OP asked for remote DHCP renew, not reboot, rebooting the router would probably do what the OP actually wants. The nice thing about that method is that there's a dedicated user policy for that. It's always dangerous to assume that the client knows what they want and can p...

tangent

create also separate user with read group Better, create a new group with only the "reboot" policy enabled. assign script owner to that user. There shouldn't be any need for custom RSC scripting on the RouterOS side. SSH lets you send the "/system/reboot" command string directly...

tangent

i created an extended container image That's a very fine contribution. However, it looks like the upstream container could be trimmed down considerably: The run.sh script seems entirely superfluous. Look at the last line: all it does is pass its input parameters (given as CMD in the Dockerfile) to ...

tangent

Generic Android SSH clients will expose you to the same risk of misconfiguration.

If you need an Android app that does nothing but reboot a remote router, offering zero other functionality, I fear you're going to have to write it yourself.

tangent

Container…I'm using now a mipsbe RB750r2 RouterOS's container feature doesn't run on MIPS devices today and likely never will . SSH over Cgi request: cool, but it needs an external server (ok, it's available), an active internet connection, a public IP, expose port 22 to interent, Interesting but n...

tangent

command by SSH: do you know if there is any app that can do it by a button? If it suffices to double-click the icon and wait for it to do its work, with no need any explicit feedback on the command's success or failure, your OS GUI of choice should have a way to launch any SSH command you like. Wit...

tangent

Wrong. 239.0.0.0/8 are defined to be per interface in RFC2365, so there no need to look at mDNS RFCs. Wrong argument. The same you could say about IGMP proxy - so no need to look for IGMP RFCs. Yes. All that RFC means is that the packets in that IP range don't automatically flow from one network to...

tangent

30$ more will get you 3x more ports and a better SWOS Or you can spend less and get less. Funny, that. The differences go beyond those two points , though. If I were in the CSS market — and I'm not; CRS for me, all the way — the option to have a modern platform in half the width with a wider PoE ra...

tangent

I suspect you've been caught by the disk renaming stuff in 7.7 and 7.8, so the old config no longer mounts the intended disk. The files are therefore ending up inside the container, not out in external storage. Rebuilding the container with proper ROS 7.8 disk names will solve it. If you absolutely ...

tangent

I have extensively researched… I wouldn't use the word "extensive" until I had the answer to the question you pose already in hand. Instead, you've got a question so vaguely posed it makes me doubt you've done more than a preliminary survey of the available options. You don't even name th...

tangent

The “lost+found” directory is wherefsckputs damaged file fragments when it detects data corruption. Files placed there aren’t meant to be used as-is.

Container images being what they are, there’s zero reason to try recovering a damaged file. Just go download the immutable image again.

tangent

OK.. not sure if you read my post tbh... As for myself, I believe you're depending on us to read your mind for all of the details you've left unstated, yet which are perfectly clear inside your own mind. :) I have no 'preconceptions' A single shared IP space across multiple networks absolutely does...

tangent

This feels like a bug in the layer that translates generic ROS configuration rules into specific switch chip programming commands. You’ve done a great job of diagnosing it as far as you can from the user level. It’s time to report it to MT support. Best distill the essential info into the actual rep...

tangent

I'm trying to figure out the best way Your question reads as if you believe you've already come up with "the best way" and are now trying to arm-twist the universe into conforming. Let go of your preconceptions! multiple separate networks sharing multicast You don't come right out and say...

tangent

It's inthe OP's GitHub repo for this project.

tangent

it is running a whole other operating system Containers share the kernel of the host, so it isn't a whole-other anything. Containers don't run without the host's kernel to handle the syscalls of the binaries inside. This is why Docker for macOS and Windows have to maintain a hidden Linux VM in the ...

tangent

Any MIPS devices with more than 16MB of storage? With a little sorting on the product matrix , I count 32 products. Compressing it to product families , we get: BaseBox 2, 5, 6 CRS109-8G-1S-2HnD-IN CRS125-24G-1S-2HnD-IN KNOT LR8 & LR9 kits mANTBox 15s & 19s; mANTBox 2 12s NetBox 5 NetMetal ...

tangent

new "rose-storage"…ARM, ARM64, Tile and x86 Several comments: The clients should be added to MIPS, since they need network storage the worst of all machine types. I don't care whether it's SMB, NFS, iSCSI, or nVME-over-TCP, all four, or some subset, but something would be welcome. I can l...

tangent

It sounds like they’re using anIGMP querierto pinch off “unwanted” streams and you’re either blocking those requests or preventing the replies from getting back out.

Open IGMP to your WAN port.

tangent

I don’t know what’s up with your container, but I do know enough to be confident that you’re thread-jacking. What you’ve got going on has nothing to do with the OP’s problems in this thread.

tangent

The lack of TLS and SSH in SwOS is a deal-killer for me.

MikroTik, this proposed CRS610 is pretty much the product I was wanting back when I got into RouterOS. At the time, the closest thing available was a CRS328-24P, which is massively overkill for my purposes.

tangent

RouterOS 7.2 was current when this thread was started, but while there have been several "dot1x" items in the changelog through 7.7, the current stable version, none advertise a feature you might call "allow only authenticated devices." Therefore, why would you expect that 802.1x...

tangent

I don’t see “/ip dhcp-server network gateway=…”

tangent

As a rule, the old wiki for RouterOS 6, and the new help site for 7.

Rarely, something hasn’t been moved over to the new site yet, so the wiki will end up more helpful with v7. The incidence of this can be expected to drop over time.

tangent

is this a copy/counterfeint? The only way I think someone who isn't a MikroTik EE could know that is for you to post high-res pictures of both sides of the PCB, then hope someone else here with the same device — which you should identify explicitly, rather than make us guess — is interested enough ...

tangent

I'm not talking about taxable asset depreciation, and I didn't tell you you had to replace everything on the 3-5 year business amortization schedule. I'm saying that you should structure your business to have the capital equipment paid off in that time, so that if you do have to replace it, you aren...

tangent

I don't get any extra income from upgrading IPv6 onto that old network Do your customers agree that their ongoing subscription costs go to pay for badly-outdated technology? if they want to upgrade to IPv6 I will upgrade them at there cost. Why would one customer have to bear the entire cost of upg...

tangent

old legacy equipment which has it's own routing, bridges, spanning trees and management networks. Bridges pass Ethernet frames. They don't care about IPv4 vs IPv6. (Or IPX, or DECnet, or…) Some bridging implementations allow assigning an IP for management purposes, including RouterOS's, but having ...

tangent

Even if I could get IPV6 space There's no "if" about it. You can. You just haven't, yet. many of my RF and Fibre Links can't carry it because the equipment doesn't support it. Seriously? Name and shame, please. IPv6 is now literally decades old. What equipment are you using that is that f...

tangent

>>>> I don't OWN any IP range in IPV6 It's currently free to get a /40 or smaller from ARIN if you already have a v4 block from them. If you're elsewhere in the world, governed by a different addressing authority, there's likely a similar policy. You might not even have to go through that bit of bu...

tangent

The clients have IPV6 ethernet cards That's highly unlikely. In the vast majority of Internet-connected hosts, IPv6 is part of the OS kernel. The primary exception is if you have high-end network interfaces with TCP offloading . Otherwise, IPv6 is well above the level of the "Ethernet card,&qu...

tangent

What other info do you require to solve this? A trace of a run of the app with working DNS resolver? While the actual RouterOS developers would be in a better position to answer that than me, given that you cannot provide a reproducing test case, I'd expect a solid second-best to be: With 7.7rc3, c...

tangent

Use Torch to find the source MAC address. If it hasn’t been spoofed (as that 0.0.0.0 source IP has) it’ll guide you to the matching VM configuration.

If the malware is smart enough and deeply enough dug into your systems that it can spoof the MAC, too, then it sucks to be you today.

Sorry.

tangent

a simple tutorial

Already done.

tangent

Here's another: screen-sharing to conference room displays. The plan to put a bad-ass LED wall in the boardroom might give the CEO a fuzzy, but if you tell him he can't have it because there's a Chinese ODM board at the heart of it that's as full of holes as a block of Jarlsberg, he's gonna buy the ...

tangent

it's a lot of work, for what they think are "questionable" use cases. There are far better use cases. Here's one: AirPrint in a corporate environment. It's convenient in BYOD shops to let people print from their iPhones or whatever, but if you think printers that haven't received firmware...

tangent

Did you buy something that you can run a container on? If not then yes you’re going to regret this purchase. I'm not certain about that. I still think this approach is worth trying. If you're wondering why I don't try it and report back, it's because on the networks I manage that have mDNS devices,...

tangent

using the security card isn't a valid excuse I think I might be one of the most likely of this forum's members to go around waving the "security" flag, and even I will tell you that a flat refusal to support mDNS forwarding on security grounds is bogus. mDNS forwarding is a routing decisi...

tangent

spending thousands and thousands of dollars…with zero monitoring. Simple answer: you aren't paying for monitoring. The money's going into other things, which some of us find more valuable. The interface absolutely sucks. Oh, I've seen a lot worse, but sure, I'll grant that there are prettier things...

tangent

You’re mixing two separate issues. CPU usage involved with on-device bandwidth test, and TCP vs UDP. They’re entirely orthogonal. TCP isn’t slow because of the CPU. It’s slow because TCP-in-TCP is always bad, on all CPUs, everywhere.

tangent

Yes, you have to change it. Routing rules that try to say "from 192.168.1.0/24 to 192.168.1.0/24" will result either in loops or dead-ends. The only way this is difficult is if you haven't got DNS set up locally and have a bunch of references to raw IPs. If everyone's referring to hosts by...

tangent

CRS328-24P <-> CRS312 with 1m Mikrotik DAC, port flapping every 2 hours. both switch running Stable 7.6 Please don't hijack unrelated threads. We are clearly not talking about cases like yours here. That should be obvious even to a newbie: nowhere in the world does "every 2 hours" qualify...

tangent

…merged individual packages, only bundle, and a few extra packages remain…

tangent

Nothing jumps out at me, and if I may judge from the silence of others, at anyone else, either. If you were running RouterOS, I’d next suggest posting the sanitized configuration and the logs you get on connection. Since you aren’t, my advice is to switch to RouterOS. If that doesn’t clear things up...

tangent

If you knew what mattered here, you’d have the problem solved already. How about you take a step back and accept that you’re here for another perspective. If I ask you for something you didn’t think to provide, that’s your alternative perspective, right there.

tangent

I ask for the unusual pieces of your environment, and you give me the boring elements most proximate to your switch? Are youtryingto be difficult?

Unusual = not the things everyone else here is using.

Environment = complete surroundings.

Try drawing a network map.

tangent

The implication is that this isn’t happening to anyone else.

So, what’s unusual about your environment? If the problem isn’t internal to the device…

tangent

The "buildx build" vs "build" distinction doesn't matter. If the old image builder works, so will the new one. If you need the new one (buildx) to get some feature not available in the old one, then use the new one. The platform name differences aren't important. The container bu...

tangent

I wasn't successful at building that container on my Mac and uploading it, so instead... It builds and exports just fine here: $ git clone https://github.com/fschuindt/docker-smb $ cd docker-smb $ docker build -t smb --platform=linux/arm/v7 . # for 32-bit ARM $ docker build -t smb --platform=linux/...

tangent

That's a neat trick. How? You can find a lot of images for that in https://hub.docker.com/search?q=routeros I wasn't so much interested in "how can I download that myself" as in "how can I make that myself?" However, your link led me to this Dockerfile , which shows one way: wra...

tangent

i have installed mikrotik RouterOS in docker That's a neat trick. How? Usually it's the other way around . it using port 115 No, it's using IP protocol 115. ( Source .) Ports are a TCP or UDP abstraction, but you're speaking of L2TPv3 over IP. anyone can help me for forwarding that port in docker? ...

tangent

Everything broken again under Ventura. I found and fixed two such problems: 1. The new System Settings app changes the UI layout, but the setting referred to above is still there, under Privacy & Security → Security. (Scroll down.) 2. The OS installer nuked my ~/.wine directory, causing it to f...

tangent

Incidentally, this thread inspired me to come up witha better analogy.

tangent

Mikrotiks are generally "pets" It isn't necessarily so. Larger organizations will have an automated deployment process that takes a stock RouterOS box, upgrades it to some tested firmware release, maybe sets a skin, applies a configuration, tests it all, and shuts it down, ready for deplo...

tangent

I'll probably stick with RPi and SSH.

Containers are not VMs. Get your head around that, and you'll start to see why containerization is taking over the world.

tangent

长时间供电电线voltag更高e. All else being equal, yes. it's current times wire resistance equals power loss. Sorry, but you've jumbled several concepts. Current (I) times wire resistance (R) equals voltage loss (V) , not power loss (P) . V=IR. Rearranged to solve for I — I=...

tangent

it would let so much ports unused if I used the 24 ports POE?

There are 8-port PoE-out switches in the MikroTik line. The newest is theCSS610-8P, though you'll lose RouterOS support by going that way. TheCRS112-8Psolves that, but it's much older tech.

tangent

容器最终用一个新的MAC地址你hould never count on a container to have a fixed internal address. It meant to be dynamic, since a container runtime cannot generically predict what order the containers will come up in, nor how many there will be. In the specific case of RouterOS, ...

tangent

Or is my logic flawed ?

Nope; it's precisely correct, often phrased as the "cattle vs pets" analogy. If you can't "slaughter" your cattle and bring new ones into their place without major disruption, you're doing something wrong.

tangent

There must be a conditional element to the symptom, then, because I also have a single "full" user that isn't named "admin", and I was able to use the iOS app to update three different routers to 7.7rc1 today, never once needing to give it my password again.

tangent

It would be great to have option to nest docker in a docker, or at least have an option to mount /var/run/docker.sock

I don’t believe RouterOS is running full-fat Docker Engine. By all the signs, it’s a barebonesOCIruntime, closer to crun or systemd-nspawn.

There is no API socket to be had.

tangent

A multi-dc outlet would allow me to plug it to the UPS easily. Taking the PoE path means only the power delivery device needs UPS power. A nice bonus falls out of this if you were using the fiber port on the 5009 as the LAN core uplink. While you might be tempted to reject this idea since you can't...

tangent

Such service would be inaccesible to 2/3 users (global average). IPv6 deployment rates are fairly well correlated with GDP; the low-ranked countries on one measure tend to be the low-ranked countries on the other. Paramount’s accountants might’ve chosen to leave some small fraction of dollars on th...

tangent

添加一个CRS310, CRS328-4C-20S、CRS317或CRS326 -24S+ to keep LAN traffic off the router. Per the diagram sindy posted, you will still end up loading the CPU with WAN traffic due to the SFP+ port on the RB4011 not being handled by the switch chip, but routing is a CPU function on the RB4011 anyway....

tangent

…unlikely (although not impossible) that there will be any new MIPSBE Mikrotik devices… The CRS518 was released just this last July on MIPSBE. Perhaps you meant "no MIPSBE wireless routers"? However, to the point of this subthread, maybe the goal is to push such devices into the role of C...

tangent

Like this.

tangent

mounting files instead of folders are not yet implemented. Until that lack is filled, you can copy all the files out of the directory in the image containing the one you want to modify, make your changes, and then mount the changed directory over the top of the original. Containers implement a unio...

tangent

的following code is the dockerfile...#!/bin/bash A Dockerfile isn't a Bash shell script. It contains shell script sections, but it won't run if you say "bash Dockerfile". Drop the shebang line; it makes a counterfactual declaration. RUN apk add python3 && apk add py3-pip You sho...

tangent

Wifi Multicast , to be received by all connections, is sent out at the basic rate (6Mbps mostly if not tuned) I understand that. I am simply predicting that if you increase the basic rate to cover your IPTV stream's needs, you'll still run into problems. is not ACKed nor retransmitted For IPTV, the...

tangent

i need a python package That's one way. Another is linked indirectly above, PyInstaller . That packages the Python interpreter, your program, and any modules it requires into a self-contained package you can COPY over from the first-stage build. This way, you might not even need Alpine as a base. I...

tangent

i looked in the "opt"-file but nothing is in there. Yes, because you didn't read the multi-stage guide I linked you to above. As formulated, you've thrown the first stage away entirely, replacing it with the second stage. You need at least one "COPY" or "ADD" command i...

tangent

FROM python:3.6 There's your space problem, right there: you've indirectly based your container on the flabby buildpack-deps image, which accounts for essentially all of the space your container takes. Your actual application adds approximately zilch to the size of the base. It's fine to use such b...

tangent

This containergets the effect you want using VLANs.

Still, if the “interface” parameter doesn’t take a list, it’s worthfiling a feature requestfor it.

tangent

You've got a device with 16 MiB of flash and you're trying to load a 290 MiB container . I'm guessing it's trying to download the image to the internal flash and failing. You might have to "export" the image using Docker Desktop, upload that to the USB drive thru scp or WinBox, then use th...

tangent

I see that I still have 2 or 3 things to learn about networking ;-) It's a fascinating and deep field. "Plug the cables in and turn it on" is step 1, not the final step. I'll try to follow the tunnel idea. ♂️ Maybe N-way MIMO and the latest 802.1abgnxyzqrtstuv standard will keep your ...

tangent

Multicast wifi is only at basic rates, single channel, with no ACK or retransmits. The issue with multicast being throttled over most WiFi implementations is a side issue. Yes, it's bad, and yes, it contributes to the problem, but I've seen the same problems I reference in the other posts with unic...

tangent

It’s not expected to work. Existing threads:1,2.

tangent

Usingthe very same test data sourceanav gave above, you’re likely to top out around 270 Mbit/sec.

CRS devices are switches first and foremost, not routers.

tangent

The embedded “>” is a prompt character, indicating you should have pressed enter after the first line, then copied the second one in.

You could also remove the angle bracket entirely. It’ll work as a single-line command.

tangent

I am looking for something that can be rack mounted.

Both the 4011 and 5009 have rack mount kits available.

If cost is the issue, a 1U rack mount shelf is $20.

If presence of WiFi is the issue, it can be turned off.

tangent

In case it's unclear, the resulting damage wasn't from tripping: it was merely from being trodden on occasionally. This cable was sold as bend-resistant plenum type, so I figured it'd put up with this abuse well enough. Nope. The stuff positively fell apart over the course of a year, resulting in th...

tangent

…across the walking path!

IMG_0057.jpg

tangent

I think you'll find this article enlightening even though it doesn't have anything specifically to do with your problem. Simply seeing the options for how to solve a problem with bridges vs VLANs vs both under RouterOS should help you to put that other "talk" into context, then begin to ev...

tangent

I want to setup ubuntu docker container on RouterOS…

Containers are not VMs.

tangent

should expect the exact "same" general behavior?

No.

tangent

I've already told you at least twice that you need to pass those same options to the container on the RouterOS side in the "cmd" parameter.

/container/add cmd="172.19.50.238:8082 172.19.48.1:8083" ...

tangent

latest long-term version RouterOS

It was fixed in 7.4, which is “stable,” not LTS.

tangent

But this still does not explain the "randomness" of the Container quiting. I expect you're simply seeing the normal variation in starting and stopping delays. Keep in mind, this isn't a full-power desktop computer, there's a virtualization and containerization layer to deal with atop that...

tangent

apache2: could not open error log file /var/log/apache2/error.log.
12:41:51 container,info,debug AH00015: Unable to open logs

So map /var/log/apache2 to a volume the container can write to.

tangent

I currently have a problem with crashing Containers. Why do you characterize a result of "done" as "crashing?" I'd take it literally: it's done with what you asked it to do. Indeed, I can't see that you've told these containers to do anything, so it comes back and says, "I'...

tangent

I have VLANs for normal PCs, Guests, SIP-Phones, Cameras, House-stuff and untrusted appliances. I also separated the KNX stuff, as i want to carefully configure rules for this. One of the characteristics of VLANs vs router-separated switches or vs multiple isolated bridges on a single switch is tha...

tangent

…thefalse beliefthatjust put the httpson that deviceand it becomes safe...

It’s a good start, though.

tangent

Really impressive that there is really someone who makes all this effort to "annoy" a "home" network ... You haven’t been paying attention to security at all, then. LAN equipment attacks are HUGE . Also, there’s no reason to restrict this to “home” networks. Just for one example...

tangent

…apart from disfiguring it, with the SwOS you can do nothing… Such lack of imagination. Given admin access on a SwOS box, I can: create a transparent network tap permit DHCP poisoning fry unsuspecting nodes by applying forced passive PoE pierce VLAN barriers mangle traffic …and doubtless more if ...

tangent

how is it possible to connect different vlans to a multicast address? With a multicast router. And what protocol, your next question will be, does one route multicast with? Answer: PIM-SM . RouterOS also has a proprietary IGMP proxy service that may be of use here. There have been reports of bugs w...

tangent

Presumably one of the things you want to monitor is the behavior of the router itself. Since it matters less that it’s working correctly internally than that it provides external service to the LAN, external monitoring is more useful anyway, telling you more of what you want to know.

tangent

If you have a hypervisor, you don’t need RouterOS containers. Install a host OS of your choice alongside the CHR, then install the container there, atop Docker Engine. Not only do you get the ability to run rootful containers, it’ll likely run better and faster that way besides.

tangent

It seems to me that you’re waiting on upstream changes here. Separately, this is a terribly inefficient container: Node.js, minimum 256 MB storage to load and run, and who knows how much RAM to run atop that. I wouldn’t run this on anything less than an RB5009, and I’d prefer to run it on a proper s...

tangent

There else should I check please?

You said you posted the client's router rules, we checked them, and Znevna now blames your router. Is the next step not obvious? Post your router's sanitized configuration so we can check it, too.

If you aren't willing to do that, then check it yourself.

tangent

Of course in v7 use/export show-sensitive terse

I've modifiedmy backup toolto add both of these things. Thanks.

tangent

If these are “MikroTik routers”, why do their MAC OUI prefixes belong to Intel anda subsidiary of Foxconn?

tangent

IsUPnPenabled?

tangent

How much bandwidth we can use in bridge mode? Potentially, all of it. If you want a more specific answer, pose a more specific question. Why we can't use all bandwidth in bridge mode? Most likely because you haven't got a pure bridge and are forcing traffic down through the router's CPU. Except o...

tangent

My backup toolproduces diffs as part of its regular behavior. The docs explain why you’re better off not using git for this, but if you must, it wouldn’t be difficult to convert it.

tangent

just one single 2.5Gb port... For 1G WAN and 2.5G uplink to the LAN core, leaving 1.5G aggregate for the other three ports before you get any congestion. Me, I wanted an SFP+ port for the same reason. Overkill, but then you could have fiber back to the core, 2.5G to the WAN, and no congestion for t...

tangent

The dynamic route overrides the default route entirely for your LAN traffic, sending everything to ether8. Surely you want a /32 pointing to your management host here? If you must have a /24 to allow multiple hosts behind ether8, realize that you've got a router here now, not a switch. CPU load is e...

tangent

What does "/ip route print" say?

Will you post the new combined RSC as I asked you to above, so we don't have to piece it together in our heads?

tangent

Nobody sane runs containers on internal flash.

This one is functionally read-only. It shouldn’t materially shorten the lifetime of the host router.

tangent

there is actually no need for a native ARM build

…says the guy with a gig of flash.

Those wanting containers for several CPU types on smaller routers will appreciate not having to pay the cost of a CPU emulator.

tangent

Nice; now we just need a native ARM build of netinstall from MikroTik. (Request already put in as SUP-89685, but reposting to add more votes might help.) Instead of passing the name of a file in as an environment variable and mapping the storage for same in from a volume, I think it would be simpler...

tangent

There's a big fat warning They're merely saying that if you map a file or directory on the host into the container, the safety guarantees of the container go out the window for that file or directory . If you want an example, they're saying if you bind-mount the host's /etc into the container, you'...

tangent

Linux requires loopback filesystem driver for that I don't interpret the OP's question as asking about filesystems-on-files, which is what you need the loop driver for. Instead, I believe he's asking about bind-mounting single files into place inside the container. This is useful when the container...

tangent

Routeros is a picky community. ;-) Computers are picky things. Those of us who've learned to become facile with them learn not to use the wrong terminology and to jump on instances of it where we see it elsewhere as a sign of either sloppy or outright incorrect thinking. When you're asking for help...

tangent

When you say USB and mount together, you imply block devices and file systems. HID devices are neither. You can’t “mount” a keyboard in Linux. As to your actual question, you might be able to do an mknod(8) call and map the dev node in that way. It depends in part on whether the SYS_MKNOD capability...

tangent

Is it possible to "mount" usb devices in a container ?

Did you eventryto read the docs? Thin as they currently are,they do cover this.

tangent

How can it affect the CPU load so drastically?

Why do you believe an old CRS1xx era switch chip has the brains to understand L3 down to the level that it can make decisions about TCP connections?

It might, but I wouldn't bet on it.

Thus the experiment.

tangent

As I tried to point out up-thread, anything involving "/ip firewall" is going to make packets hit the CPU. …on ROS 6, the presence of complete IP firewall doesn't prevent L2 forwarding among switch chip ports in hardware. There are a number of points I think we're getting separated on her...

tangent

/ip firewall connection tracking Is that still in your config, BrateloSlava? As I tried to point out ip-thread, anything involving "/ip firewall" is going to make packets hit the CPU. That, or it'll be ineffective because another part of the config (e.g. fast-path) causes the packets to b...

tangent

“MikroTik hardware comes with an embedded license. You cannot move this license to a new system in any way…”

(First search result in the docs for “license,” by the way.)

tangent

Six years stretches the word “patience” all out of shape. This in a world where RouterOS has dropped DSA (as it should) leaving only the semi-obsolescent RSA, a tech older than most of the board’s participants, I’d warrant. It’s past time for this lack to be filled. The option to DIY a fix for ourse...

tangent

Bingo. If you want line-rate switching, you cannot do anything to the packets that forces them to cross the CPU. That includes firewalling, but it isn’t limited to it. The packets have to stay on the switch chip. This series has ACL rules that work purely at the switch chip level, but they’re less p...

tangent

My AdGuardHome runs fine with an IP from the subnet sitting on the main bridge

Good to know; thanks.

This brings us back to the skimpy state of the docs, of course.

tangent

Sounds like VLANs to me.

tangent

how does this intercsect with my problem..? Your device — one of the CRS326 models based on the header of your RSC file — isn't a CRS1xx or 2xx, so you can't have multiple bridges per switch chip. I'm going to guess it's one of the 24G models based on details of your bridge setup. From that, we can...

tangent

雷竞技官网网站下载硬件卸载只作用于一个桥interface. It's more nuanced than that. The CRS1xx/2xx series allow up to 7 hardware-accelerated bridges. Everything else allows one per switch chip . That qualifier is important, because several of the products in MikroTik's lineup have more than o...

tangent

You can create any number of certificates of any type, including those marked as "key-usage=key-cert-sign." You can then use those "CA" certs to sign any other certificates arbitrarily.

If you're asking about some narrower purpose, please be explicit about it.

tangent

I tried using the "command" argument That establishes a listener on the remote host via a different SSH tunnel than the one you used to get to the remote server, so it won't tunnel back through your firewall. RouterOS does support tunneling, both directions, though it's disabled by defaul...

tangent

where should one install the Docker Engine? doesn't it require another Linux/Win VM…? You've got two basic options: You're running a type-1 hypervisor (e.g. ESXi) so you have no choice but to spin up a VM running the container runtime environment alongside CHR and whatever else you're running. Ther...

tangent

It's far better to either run another VM on the same host. For a small user like me, paying for an extra VM is an overhead I don't need. Docker Engine is far lighter than a single VM, and it's far more capable than RouterOS's Containers feature is ever likely to be. If you want even lighter-weight ...

tangent

我也测试拉特OS 7和1级表示“允许”e That sounds like CHR, in which case containers are kind of silly. It's far better to either run another VM on the same host, or if this is running on a Type 2 Hypervisor (e.g. VirtualBox, Hyper-V) then start Docker Engine out on the host, alongsid...

tangent

No, you're right: the current RouterOS docs on containers positively suck compared to what you get for other container platforms. Your next-best option is SSHing into a box running the containers.npk package, typing "/container", and then pressing the F1 and Tab keys a lot. Between that, t...

tangent

if you consider that as a customer you should "help yourself" that's inded fine. There's tremendous value in choosing solutions that give you the freedom to build your own solutions atop the platform. If the method avoids lock-in, so much the better. Later today, I'll be working with a di...

tangent

Most arguments that I read are "something is missing/not good enough on the mikrotik device and I want to add/replace it". What's wrong with that argument? It's a perfectly valid use case. The cost argument is not valid either as cheap and power efficient devices can be found on the marke...

tangent

I was looking into documentation and I didn't see how one would do port mapping with Containers in ROS 7.

How did you missthis? It's precisely the same thing as "docker create --publish 80:80".

tangent

Why not NFS Sure, fine. While we're dreaming, let's ask for iSCSI, too. That would be more likely to get accepted I dunno. Both facilities are equally available in the kernel. Most NASes speak SMB by default. Obviously Windows does, too, but what might surprise you is that Apple went over to SMB fr...

tangent

Would it be possible to add permissions for mounting As far as I can tell, that requires CAP_SYS_ADMIN, the shameful secret capability that grants a user a whole raft of abilities . I wouldn't be surprised if MikroTik said, "Nah, are you nuts? We're not giving you that one! It'd let you root t...

tangent

In case anyone's wondering why there wasn't a prior post from me titled "CRS328 sucks ," it's because I had a whole list of candidates for why I wasn't getting the advertised speed, and I use this 10G link rarely enough that I had yet to eliminate any of the possibilities: Host OS weirdne...

tangent

If you're unwilling to implement VLAN boundaries, my next suggestion is to run Torch on the camera's network interface to see what it's saying. It might not be using the IP you're blocking, thus giving the behavior you observe, for example.

tangent

There's too much griping on this board, so in an effort to counter some of that, I offer this: % iperf3 -c … Connecting to host …, port 5201 [ ID] Interval Transfer Bitrate [ 5] 0.00-1.00 sec 1.09 GBytes 9.37 Gbits/sec [ 5] 1.00-2.00 sec 1.09 GBytes 9.41 Gbits/sec [ 5] 2.00-3.00 sec 1.09 GBytes 9.40...

tangent

Is this hAP ac³ your Internet router, with the modem in bridge mode, connected to ether1? If not, my best guess is that your RouterOS bridge configuration bypasses the firewall by offloading everything it can to the built-in switch chip. A related possibility is all that VPN stuff you've got going i...

tangent

the source of the login attempts are the interfaces of the router itself You're saying this .253 address is assigned to the router itself? If so, I'd use Torch to grab some frames and analyze them in Wireshark, to see if I could get some more detail down in the packets. 38K attempts in a day or two...

Search found 869 matches