Re: [MT-AU Public] Public Digest, Vol 39, Issue 4
Hi Mike,
I haven't tried yet, has anyone else faced this same issue? I'll try to roll it back if I'm on my lonesome with this one.
Cheers,
Steve
On Thu, May 4, 2017 at 10:00 AM, <public-request@talk.mikrotik.com.au> wrote:
Today's Topics:
1. Re: Mikrotik options for fast IPSEC throughput (Mike Everest)
2. BGP convergence (Alex Samad)
3. Re: BGP convergence (Damien Gardner Jnr)
4. SSH in RouterOS 6.39.1 (Steve Hille)
5. Re: SSH in RouterOS 6.39.1 (Mike Everest)
----------------------------------------------------------------------
Message: 1
Date: Wed, 3 May 2017 11:56:14 +1000
From: "Mike Everest" <mike@duxtel.com>
To: "'MikroTik Australia Public List'" <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] Mikrotik options for fast IPSEC throughput
Message-ID: <1b2101d2c3b0$728d50d0$57a7f270$@duxtel.com>
Content-Type: text/plain; charset="utf-8"
Watch out for the RB1100AHx4 coming soon - 'dude edition' features 4 core 1.4GHz cpu, accelerated encryption (for up to 2200mbps IPSEC) and included 60 gig microSD storage.
Available soon at 'you know where' ;-)
Cheers!
Mike.
-----Original Message----- From: Public [mailto:public-bounces@talk.mikrotik.com.au] On Behalf Of Chris Herrmann Sent: Wednesday, 3 May 2017 10:31 AM To: public@talk.mikrotik.com.au Subject: [MT-AU Public] Mikrotik options for fast IPSEC throughput
Hi all, cross-posting from ITPA apologies for any duplication...
I have a MK RB2011UAS at home and it works a treat. But... in the real world it will only handle about 16Mbps IPSEC throughput and flakes out after that. This model has been brilliant because heaps of features, it works... and it's cheap. But it obviously won't scale to 100Mbit throughput, let alone 100+.
So... just wondering what Mikrotik options I can look at after this model?
- Will be running dual wan
- Don't need POE or Wifi
- Needs to be faster than the RB2011 specifically when handling IPSEC.
- Prefer Gbit interfaces but not required
- If it's in the same "family" as the RB2011 that would be good
It's for a small office so not looking for anything carrier grade. But internet speeds have moved on (sort of) finally...
Cheers,
Chris
------------------------------
Message: 2
Date: Thu, 4 May 2017 10:42:14 +1000
From: Alex Samad <alex@samad.com.au>
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: [MT-AU Public] BGP convergence
Message-ID: <CAJ+Q1PWJPVW5wxNBVxNjUBw0hZuL8T+6Z1uWbRw+zBUMHsacCA@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Hi
Question
4 routers (CCR's), each has connection to Internet vlan. each connect to an ISP. call them a b c d.
there is a vrrp on the internet vlan which is used as dgw.
receiving full table from ISP, so somewhere between 800k-1.2M prefixes.
I go onto router a and disable the isp link.
I can see inbound slowly peter off
The interesting thing is that the DGW disappears from the route table on router A, but routers B,C,D still have all the prefixes advertised from the ISP connected on router A, still in their routing table.
so packet hit the VRRP and then get routed to router A, it has a iBGP DGW and sends it back to router B,C,D, they check routing table and send it back to router A. loop . death.
took about 3 min for the routes to be pulled from the routing table in B,C,D.
How can I make this/convergence work faster, can I ?
Alex
------------------------------
Message: 3
Date: Thu, 4 May 2017 10:58:06 +1000
From: Damien Gardner Jnr <rendrag@rendrag.net>
To: MikroTik Australia Public List <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] BGP convergence
Message-ID: <CAPrfDLU46aRrEzgdb7FuEoEx2kq-9h4=b5DnDL1=1HaC+cUMmQ@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
The way I used to get around this was to not carry a full table. Each router would filter the accepted routes to default route, and one or two AS hops on each ISP. Then I preferenced my cheapest transit provider as the best default route.
Convergence was MUCH faster :)
--
Damien Gardner Jnr VK2TDG. Dip EE. GradIEAust rendrag@rendrag.net - http://www.rendrag.net/ -- We rode on the winds of the rising storm, We ran to the sounds of thunder. We danced among the lightning bolts, and tore the world asunder
------------------------------
Message: 4
Date: Thu, 4 May 2017 09:21:40 +0800
From: Steve Hille <stevehille84@gmail.com>
To: public@talk.mikrotik.com.au
Subject: [MT-AU Public] SSH in RouterOS 6.39.1
Message-ID: <CAB+S9V9Bs5iN+0UXkETj17KgEnTt4SzexjzyutasLS5cdybq1Q@mail.gmail.com>
Content-Type: text/plain; charset=UTF-8
Greetings all,
I downloaded the latest version this morning as a test on one of our devices and now I can no longer SSH to it, I logged in with Winbox and under IP -> Services, SSH is no longer listed but Telnet is!
Does anyone know how I turn it back on?
Cheers,
Steve
------------------------------
Message: 5
Date: Thu, 4 May 2017 11:26:53 +1000
From: "Mike Everest" <mike@duxtel.com>
To: "'MikroTik Australia Public List'" <public@talk.mikrotik.com.au>
Subject: Re: [MT-AU Public] SSH in RouterOS 6.39.1
Message-ID: <1da901d2c475$8362e580$8a28b080$@duxtel.com>
Content-Type: text/plain; charset="us-ascii"
Ouch!
Did you try downgrade to previous version?
Cheers, Mike.
------------------------------
End of Public Digest, Vol 39, Issue 4 *************************************
Hi Steve,
I think you may have replied to the wrong item ;)
Your issue was missing ssh server after upgrade to 6.39.1? I am aware of at least one other issue with that version, but not exactly what you describe. The other case I heard about was broken DHCP server with 6.39.1 - downgrade to latest bugfix version (6.37.5) fixed all problems ;-)
Cheers!
Mike.
On Thu, 2017-05-04 at 16:02 +0800, Steve Hille wrote:
I haven't tried yet, has anyone else faced this same issue? I'll try to roll it back if I'm on my lonesome with this one.
First up, PLEASE trim your messages if you are replying to a digest.
Is ssh not in the list of services, or is it present in the list but not enabled? Also, is IPSec there? Is it possible that somehow the security package was not in what you installed?
Regards, K.
--
Karl Auer (kauer@nullarbor.com.au)
work +61 2 64957435
http://www.nullarbor.com.au
mobile +61 428 957160
GPG fingerprint: 58F8 09D4 97E4 D74A 0940 44BC 8D6D C28C 3BC9 B0CB
Old fingerprint: 6D59 8AE6 810D 44E3 7626 7040 4DD6 F89F 3053 4774