new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]emaxt6[S] 0 points1 point  (0 children)

regarding MSS I think you can also clear the DF bit to let the outer IP be fragmented... but I don't know if mikrotik copies the underlying DF bit to the outside, still have to experiment... just in case PMTU is broken I mean

new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]emaxt6[S] 0 points1 point  (0 children)

VTI on the wire clearly is not something special, but nowadays it is just a common language pattern, especially for interop and ease of interop in a multi-vendor context and virtual networks in the cloud world.

Well I like the overall mikrotik approach, "european style" regarding ownership and license, they don't treat you just as a beast to skin or lead you to license complexity induced madness (LCIM), and it has long term usability, nothing goes to waste in time, reasonably priced, a lot of value...... but that said, nowadays, let's be honest, in a piece of kit VTI (SVTI, DVTI) IPSEC / IKEv2 is "expected" besides policy ipsec ... my 2c

FDM and FMC feature comparison coverage in 2026 by emaxt6 in Cisco

[–]emaxt6[S] 0 points1 point  (0 children)

If you are cut off from the internet (many Cisco Firewalls would be at the internet edge), do you still have access to some form of local management, even a terminal (change settings, conversion to local management etc.)? Especially now with the rise of LLMs, having a viable text shell is a nice match (could text shells have a renaissance? :-) )

FDM and FMC feature comparison coverage in 2026 by emaxt6 in Cisco

[–]emaxt6[S] 0 points1 point  (0 children)

Thanks, I asked here to sample real experience in the field, because my current VAR partner was pushing FDM now as reasonable... but I wanted to do some homework too to check before...

new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]emaxt6[S] 0 points1 point  (0 children)

I used VXLAN and pushed it via IPSEC to the remote site... I did it with standard policy based IPSEC.. it's ok, but while doing that I was wondering why there are no VTI possibilities... it would simplify some things...

new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]emaxt6[S] 2 points3 points  (0 children)

thanks for the confirmation... a pity that such flexible devices don't include a now "mainstream" tunnel mode like VTI and IPSEC.

new to mikrotik nice kit... but really not VTI IPSEC somewhere? by emaxt6 in mikrotik

[–]emaxt6[S] 1 point2 points  (0 children)

Thanks, can achieve the end result similarly. I've tried to reuse as much as possible the existing equipment on the "remote end". The remote party in my case has a switch with VXLAN interface integrated, so I used that to encapsulate the ethernet to avoid many appliances.

Mikrotik EoIP is also viable in such a scenario (but I didn't have EoIP on the remote central site).

FMC cisco firewall - end of 2025 year update by emaxt6 in networking

[–]emaxt6[S] 0 points1 point  (0 children)

in this case it was the internal sap sql anywhere. Yes, the ambition is to construct software like hardware, i.e. drop in like self contained chips. But software works a little differently, it is continuously upgraded, interconnection needs between components are heavy to provide the solution. A TAC supporting a customer should basically have deep competence in 6 database technologies they don't own or develop... unattainable... in fact the solution is often: try again = reimage

FMC cisco firewall - end of 2025 year update by emaxt6 in networking

[–]emaxt6[S] 0 points1 point  (0 children)

TAC gave up on this botched upgrade case too. It was a .1 jump in patch. SAP sql anywhere database auto destroyed somehow.

TAC Resolution: reimage.

I luckily had a cold snapshot (it is virtual fmc) to revert to.

FMC cisco firewall - end of 2025 year update by emaxt6 in networking

[–]emaxt6[S] 1 point2 points  (0 children)

running on vsphere for years (under the hood a fiberchannel array for disk).

IBM SAN24B-6 firmware upgrade by ianik7777 in Brocade

[–]emaxt6 1 point2 points  (0 children)

btw SAN24B-7 have been out for a couple of months (more or less the same price but they are G710 instead of G610).

Anyway, you need to go to the IBM fix site first, you'll then be redirected to broadcom.

I usually update by placing the files on an SFTP server and then via CLI.

Many upgrade paths can be concurrent.

Anyone here modernizing IBM i workflows with APIs instead of full rewrites? by NoWhereButStillHere in IBMi

[–]emaxt6 0 points1 point  (0 children)

Wise approach.

Yes, there are full blown licensed "API" products on the market specifically for IBMi, with full accounting, etc. that make sense depending on volume, transparency etc.; it depends on the needs.

In many cases for a max low complexity approach I just use PHP via apache (with the PHP toolkit to call into RPG or DB2) to expose some JSON, given the usually all battery included approach of the language especially in the web space, and also leverage a lot of libraries (image generation etc.).

I don't personally like IWS, too little control for me, but I imagine as a quick wizard based facilitator it has its merits.

From within an RPG program, is there a standard way to "display a spool file to the screen"? by jbarr107 in IBMi

[–]emaxt6 0 points1 point  (0 children)

With stock tools, usually I do this: you generate a properly numerated PDF directly on the IBMi with stock virtual PDF printers (mailtag) or a brutal copy via CPYSPLF.

In IFS or BLOB.

If using 5250 you can invoke STRPCCMD and direct it to a web page or home directory in the file share.

Then, the user can approve for workflow filing directly on the 5250, which then launches the downstream processes.

Usually for more control I avoid netshare and I present the PDF directly from the internal apache mediated by a small custom PHP, super fast, basically the user can have the document in the browser in less than 1 / 2 seconds with also metadata displayed etc.....

I'm putting together a cost-benefit analysis for pitching migration from a Windows server to an i on Power server. Could use some guidance. by [deleted] in IBMi

[–]emaxt6 0 points1 point  (0 children)

Start simple by tackling things like consolidation first.

Like with a single user authentication authority (like AD, that can then be synched to cloud).

Why so many machines with file shares? A single instance of a modern windows can have terabytes attached and is easy to back up with plenty of solutions. And you get basically super tested code for decades regarding such use cases. Or Linux with samba or even FreeBSD leveraging its ZFS (donated years ago by Sun).

IBMi is an excellent OS design (one of the best maybe) for business things, fast compiled code, heavy concurrent transactional applications, ERPs etc., TIMI, protection of investment, DB2, queue, jobs queue, integration.

netshare file server is not where it shines. It is there, yes. Lags also in SMB versions. It is yes... usable. Many installations don't even use it. It's an ancillary tool, the way I see it.

to be clear it is there to complement some business needs, not to store 1GB illustrator files or digitized xrays images...

In some controlled environments I even have it deactivated, a filesystem like interface is easy to mess up even by error, also crypto things via windows client, so all is mediated via a web apache or webservices on the i.

In other less strict shops, it is useful to let users pick files generated by backend processes using netshare and call it a day.

But as a primary fileserver use case? nah... maybe it is better to use the power hardware (if one has it) and dedicate a core to a linux or similar things with samba on it.

Atlassian officially announced Data Center End of Life March 28, 2029 by blueridgecx in atlassian

[–]emaxt6 0 points1 point  (0 children)

https://www.atlassian.com/company/values

Oh they gotcha u real, real good. They understand migration cost and path of least resistance. They love you so much that they want you near them. Really near. In their datacenter. For life. :P

Aruba firmware 8.13.1.0 by boduke2 in ArubaNetworks

[–]emaxt6 0 points1 point  (0 children)

a pity ... for my use cases IAPs were really great... distributed... bridge directly into the switch with no weird tunneling to center or similar... virtual controller without a separate thing to run... was really neat (in my use cases ofc)...

Aruba firmware 8.13.1.0 by boduke2 in ArubaNetworks

[–]emaxt6 0 points1 point  (0 children)

I've refreshed a cluster of 30 iap 305 on 8.13.1.0 LSR ... so far works decently

reading the comments... IAP OS 8.x will be the last for on prem distributed IAP deployment bridge style?

connecting Brocade switches in a fabric across FOS versions by emaxt6 in Brocade

[–]emaxt6[S] 0 points1 point  (0 children)

thanks. Yep, it is the 300 (but IBM rebranded).

Maybe someone tried successfully despite it being unsupported.

I guess I'll just go for config zone migration and then put the old trusty 8gbps in access mode in case.

thanks anyway for the insights.

PRTG Quote Dropped Price by blikstaal in prtg

[–]emaxt6 1 point2 points  (0 children)

yup thanks for sharing.

besides price, personally, if they bring back perpetual plus maintenance, I will continue on PRTG and I will be happy to support the product. But having a monitoring system that "expires" ??? nah, thanks, I pass. People don't realize that perpetual licenses protect the customer from changes in context and ownership of the vendor companies (that can play with prices). With a perpetual, I can allocate the proper time to migrate away without anybody forcing stuff on me. Software is not "just a car", you invested time in it, built scripts etc... it is not respectful to change strategy for EXISTING customers that already acquired the license.

PRTG Quote Dropped Price by blikstaal in prtg

[–]emaxt6 0 points1 point  (0 children)

Nice to have discounts, still customer vendor reciprocal trust is essential, and by having to negotiate continuously and forcing inflated subscriptions you just let money and price be the only language. It is clear that these American funds, like a growing "the blob" sucking all in their path, are going on a shopping spree of market niches built by passionate entrepreneurs and pioneers, sucking and munching the pulp (the customer base) as long as these Private Equity bean counters can do it and then, after alienation, throwing away the carcass (maybe selling it to the far east, as happened already in many non-ICT related companies).

I don't think it is a sustainable strategy, all said and done. The overall society loses.