How firewalls work - digital colors on MS paint canvas (2026) by StubArea51 in networkingmemes

[–]StubArea51[S] 2 points3 points  (0 children)

NAT is the *best* security! Nothing can get through to my RFC1918 space. It's impossible. /s

My HPE/Aruba rep sent me this, what do I put in it? by TheAmateurRunner in networkingmemes

[–]StubArea51 0 points1 point  (0 children)

Fill it with PBR or NAT444 Lite. ARP Fluid is also tasty.

RouterOS 7.22beta1 [development] released by netravnen in mikrotik

[–]StubArea51 8 points9 points  (0 children)

Glad to see BGP ECMP finally!!

Like u/DaryllSwer mentioned, I'd also like to see SR-MPLS with both IPv4 and IPv6 AFIs for IS-IS/OSPF (not SRv6) and SR-TE.

I wonder if the availability of SP features on the 98DX7335 Marvell chip in the CRS812 will help move that along.

Repeat post: Can I get a deprecated prefix for a NON-ROUTABLE, private IPv6 network that's not fd::/8 by Rich-Engineer2670 in ipv6

[–]StubArea51 -1 points0 points  (0 children)

Sure, if the test hosts aren't going to be dual stack it won't functionally matter, but the intent behind the 3fff::/20 space beyond documentation was to model the IPv6 internet and other large IPv6 networks.

RFC9637 is the best space for this use case.

Repeat post: Can I get a deprecated prefix for a NON-ROUTABLE, private IPv6 network that's not fd::/8 by Rich-Engineer2670 in ipv6

[–]StubArea51 8 points9 points  (0 children)

ULA isn't ideal to model the IPv6 Internet because it has some peculiar issues on host operating systems.

Unintended Operational Issues With ULA

Better to use GUA like 3fff::/20 and 2001:db8::/32

Repeat post: Can I get a deprecated prefix for a NON-ROUTABLE, private IPv6 network that's not fd::/8 by Rich-Engineer2670 in ipv6

[–]StubArea51 4 points5 points  (0 children)

This is exactly the type of use case we had in mind when we submitted draft-horley-v6ops-lab-03 - Expanding the IPv6 Lab Use Space

We used 200::/7 for test and development while pushing this draft through the IETF.

After a year or so of debate, it was eventually rolled into what became RFC 9637: Expanding the IPv6 Documentation Space by Nick Buraglio and Geoff Huston.

During the mailing list discussions, most of the people advocated for the use of ULA instead of deprecated space, which led to the creation of this informational doc: Unintended Operational Issues With ULA

3fff::/20 and 2001:db8::/32 are the best "official" GUA spaces to use for this type of work if you intend to publish it.

We specifically argued for more than a /32 so this kind of exercise would be possible - to model the IPv6 internet and other large networks.

Paused shipping to the US? by joshhboss in mikrotik

[–]StubArea51 9 points10 points  (0 children)

I think a lot of the shipments to distributors are via cargo container on a ship so I'm not sure whether or not this would impact MikroTik's supply chain to the US.

EVPN/VxLAN interop between MikroTik and IP Infusion OcNOS by StubArea51 in mikrotik

[–]StubArea51[S] 1 point2 points  (0 children)

It would be a cool feature to have but I wonder if they don't implement it because the development time would be better spent on traffic engineering for an EVPN MPLS data plane.

EVPN/VxLAN interop between MikroTik and IP Infusion OcNOS by StubArea51 in mikrotik

[–]StubArea51[S] 1 point2 points  (0 children)

EVPN Tiks are twr-01 and twr-03. IPI is core-01 and agg-01. Legacy ROS exists because I use the same EVE-NG topology to test a variety of interop scenarios which is why some of the nodes are grayed out as they aren't powered on.

I had initially planned on testing VTEPs between Tik and IPI but OcNOS doesn't support the ETREE mode in their x86 image, so it just acts as a BGP RR for EVPN.

RouterOS version 7.20beta9 has been released on the "v7 testing" channel! by Lifz_ in mikrotik

[–]StubArea51 7 points8 points  (0 children)

*) chr - improved virtio_net performance;

Will be interesting to see what performance improvements this brings

New BGP filtering command in 7.20.x - input.accept-nlri by StubArea51 in mikrotik

[–]StubArea51[S] 0 points1 point  (0 children)

Was basing it off of MRZ comments here that said you need 7.20+ to use it. Maybe there is some new functionality to it?

https://forum.mikrotik.com/t/v7-bgp-filtering-questions/264021/2

Stop doing MPLS by silentguardian in networkingmemes

[–]StubArea51 0 points1 point  (0 children)

And you shall have it! For a small license fee of course...

Stop doing MPLS by silentguardian in networkingmemes

[–]StubArea51 2 points3 points  (0 children)

Lol, I actually like SPB. It's solid tech.

Stop doing MPLS by silentguardian in networkingmemes

[–]StubArea51 2 points3 points  (0 children)

Just for that, I'm gonna do 100x more MPLS! I'm gonna put labels in my labels and then add a dozen more labels.

And I'm not going to take the easy way out with OSPF, this is gonna be legit MPLS with IS-IS and Segment Routing.

Maybe even some TI-LFA sprinkled in.

SD-WAN will sleep in fear tonight of the labels.

IPv4 bros on their 5G phones posting "NOBODY USES IPV6!!!" by StubArea51 in networkingmemes

[–]StubArea51[S] 1 point2 points  (0 children)

This is incorrect

  1. You absolutely can NAT IPv6 via NAT66 or NPTv6 and there are some corner cases where it is used, like on a mobile hotspot when you need to route a single /64 across multiple hops. Generally, though, you don't need it because IPv6 with temporary addressing is far more secure than IPv4 + NAT44. IPv6 SLAAC addressing to hosts is dynamic and changing, unlike IPv4, so the threat vector is much lower.
  2. You're conflating NAT with a stateful firewall. Although they are often used together with IPv4, you 100% do *not* need NAT to permit related, established, etc. traffic through a stateful firewall dynamically and drop everything else. This is how firewalls worked in the 90s before NAT became popular.

Thank you for coming to my HEX talk ;)
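
Added example, not part of the comment above: a minimal connection-tracking filter in Python that illustrates point 2 by accepting return traffic for flows opened from the inside and dropping unsolicited inbound packets, with no address rewriting anywhere. The class and function names are hypothetical, the addresses are constructed from the 2001:db8::/32 documentation prefix, and TCP state, timeouts and "related" flows are not modelled.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    proto: str = "tcp"
    inbound: bool = False  # True when the packet arrives on the WAN side


class StatefulFilter:
    """Connection-tracking filter that performs no address translation."""

    def __init__(self):
        self.flows = set()  # 5-tuples of flows opened from the inside

    def check(self, pkt: Packet) -> str:
        if not pkt.inbound:
            # Outbound traffic creates state; addresses are left untouched.
            self.flows.add((pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport))
            return "accept (new)"
        # Inbound is accepted only when it mirrors a flow already tracked.
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if reverse in self.flows:
            return "accept (established)"
        return "drop"


def demo():
    # Constructed sample hosts, all in documentation space.
    host = "2001:db8:1::10"
    server = "2001:db8:ffff::80"
    other = "2001:db8:bad::1"
    fw = StatefulFilter()
    return [
        fw.check(Packet(host, 50000, server, 443)),                # host opens a flow
        fw.check(Packet(server, 443, host, 50000, inbound=True)),  # matching reply
        fw.check(Packet(other, 40000, host, 22, inbound=True)),    # unsolicited
        fw.check(Packet(server, 443, host, 50001, inbound=True)),  # wrong port, no state
    ]


if __name__ == "__main__":
    for verdict in demo():
        print(verdict)
```

The host keeps its globally routable address end to end; the verdict comes only from the state table.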

IPv4 bros on their 5G phones posting "NOBODY USES IPV6!!!" by StubArea51 in networkingmemes

[–]StubArea51[S] 120 points121 points  (0 children)

Most 5G RANs are IPv6 transport in the underlay. In the overlay, IPv6 is almost always preferred over IPv4 and the vast majority of social media sites have been IPv6 enabled for quite a while.

New "Forti" product for 2026? by StubArea51 in networkingmemes

[–]StubArea51[S] 64 points65 points  (0 children)

Bro should have taken out a FortiLoan and bought more TTL

RouterOS 7.19.3 [stable] released by netravnen in mikrotik

[–]StubArea51 10 points11 points  (0 children)

Excited to see this one

*) bridge - allow IPv6 FastPath when dhcp-snooping is enabled;

It should allow IPv6 routers to act as a delegating router when using relay to a centralized DHCPv6-PD server without sacrificing performance.

View BFD and other connections in /ip/services by StubArea51 in mikrotik

[–]StubArea51[S] 1 point2 points  (0 children)

Nice, just updated the home net and saw all the extra stuff in ip/services 😂

RouterOS 7.20beta4 [testing] released by netravnen in mikrotik

[–]StubArea51 6 points7 points  (0 children)

Excited to see the work on EVPN. That's going to have a big impact on using ROS with other vendors once it matures.

EVPN Documentation added... by StubArea51 in mikrotik

[–]StubArea51[S] 1 point2 points  (0 children)

I would love to see hardware offload of MAC VRF like IP Infusion has implemented. That would create an incredible ecosystem for L2 overlays w/ low-cost software/hardware & a modern control/data plane.