
L3HW offloading of PBR/additional routing tables?

https://startrek.website/post/33525534


Hi, I am considering upgrading my router (RB750Gr3). I am eyeing the CRS309-1G-8S+IN in the hopes that the fast ISP in town eventually expands to my street (10G fiber).

My question is about L3HW offloading, and how it plays with PBR. Currently, I have a number of rules (/routing/rule), some based on source IP and some on VLAN. The purpose is to route certain traffic through VPNs (WireGuard, but I run it on a separate computer, not on the router itself). Example: VLAN10 routes all traffic through the main routing table, VLAN20 routes local traffic through the router but sends external traffic through VPN-1, and VLAN30 sends everything through VPN-2. I use a number of different VPNs, so it’s not just a binary “main route or VPN.”

I am unclear how this plays with L3HW offloading. This page ( https://help.mikrotik.com/docs/spaces/ROS/pages/62390319/L3+Hardware+Offloading#L3HardwareOffloading-Inter-VLANRoutingwithUpstreamPortBehindFirewall/NAT ) mentions pbr-cap/usage/lpm-bank, but I am unclear if that’s referring to what I’d be using. That page also says that only the main routing table is HW offloaded in the context of VRF, so I wasn’t sure if that also applied to PBR.

The question then is: does L3HW offloading 1) Just Work for PBR /routing/rule, 2) only work via Fasttrack (perhaps requiring some redirect-to-cpu switch rules), or 3) ain’t gonna work?

To preempt a few questions: I know Fasttrack is a last resort. I am a single household; I don’t have concerns about TCAM exhaustion. I am considering a CRS instead of a “true” router due to cost and reduced energy footprint. I also know that I don’t “need” 10G; if it is ever offered on my street it’ll be via an ISP with a “best effort” policy, i.e., they don’t have throttled tiers, so 10G is their only offering (cheaper than we’re paying now for asymmetric cable). Thanks!

I managed to get it working with IPv6 mangle.

I seem to need 3x mangle rules: prerouting mark-connection, prerouting mark-routing, and forward mark-routing. I also needed to disable fasttrack for marked connections.

The downside is that there seems to be a performance hit, as mangle is (I guess?) more resource intensive than simple routing rules.
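A minimal RouterOS v7 configuration in the shape this comment describes, added here as an illustration and not the commenter's own config: the client is matched by source MAC in the IPv6 mangle prerouting chain (so the decision survives the address changes the question above complains about), the connection mark is turned into a routing mark before the routing decision, and the default fasttrack rule is told to skip marked connections. The exclusion matters because fasttracked packets bypass the mangle table entirely, so without it the connection's later packets quietly fall back to the main table. The table name vpn1, the WireGuard interface wg-vpn1, the interface list LAN, the client MAC and the local prefix 2001:db8:1::/48 are all assumed values.

```routeros
# Added example (not the commenter's configuration). Assumed names/values:
#   vpn1              - routing table whose only route is a default via WireGuard
#   wg-vpn1           - WireGuard interface to the VPN provider
#   LAN               - interface list containing the client-facing VLANs
#   2001:db8:1::/48   - constructed local prefix that must stay off the VPN
#   aa:bb:cc:dd:ee:01 - constructed MAC of the client to steer

/routing table add name=vpn1 fib
/ipv6 route add dst-address=::/0 gateway=wg-vpn1 routing-table=vpn1

/ipv6 firewall mangle
# 1. prerouting, first packet of a connection only: tag the connection by
#    source MAC so the decision is keyed to the device, not to whichever
#    IPv6 address it currently holds. Local destinations are excluded so
#    LAN / inter-VLAN traffic keeps using the main table.
add chain=prerouting in-interface-list=LAN src-mac-address=aa:bb:cc:dd:ee:01 \
    dst-address=!2001:db8:1::/48 connection-state=new \
    action=mark-connection new-connection-mark=vpn1-conn passthrough=yes
# 2. prerouting, every LAN-side packet of a marked connection: translate the
#    connection mark into the routing mark that selects table vpn1. Matching
#    only the LAN side leaves replies arriving from wg-vpn1 on the main table.
add chain=prerouting in-interface-list=LAN connection-mark=vpn1-conn \
    action=mark-routing new-routing-mark=vpn1 passthrough=no

/ipv6 firewall filter
# Fasttracked packets skip mangle, so marked connections must be kept out of
# the default fasttrack rule or their later packets escape the VPN table.
set [find action=fasttrack-connection] connection-mark=no-mark
```

The same three statements under /ip firewall mangle and /ip firewall filter give the IPv4 equivalent; the cost the comment notes is real, since every LAN-side packet of a marked connection now passes through mangle instead of the fasttrack path.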

Persistent routing rule for specific IPv6 host?

https://startrek.website/post/31444203


What I want: I want to be able to route specific clients through different interfaces (WireGuard tunnels), and I want this behavior to persist upon disconnect/reconnect. Clients can change which tunnel, with several VLANs being able to use the tunnels (so a client A on VLAN 124 and client B on VLAN 789 can both use VPN tunnel X or Y at their discretion).

What I have: IPv4 works fine (routing rule src address -> routing table). IPv6 works, but is not persistent, as clients change their IPv6 address. (I have a dinky script where I enter an IPv4 address and country, and it will grab a VPN peer from a JSON file, set it up, and add the IPv4 + current IPv6 address to the routing rules. This works well currently; I use Mullvad.)

Any recommendations?

Ideas: use IPv6 mangle based on MAC address, but I have been having trouble getting this to work (extremely slow). Another idea is to have a script run and grab the IPv6 address of the client (either by hostname or by DHCP lease + MAC info), but I’m not sure if it’s possible to trigger a script upon IPv6 neighbor discovery. Any help appreciated!

"Correct" way to route through endpoints given "wrong" star topology?

https://startrek.website/post/29822568


I have everything working, but I’m unsure if I implemented it the “right” way.

What I want: selectively route traffic from my home router through other computers.

My setup: Home router (Mikrotik) is double NAT (ISP router is shared, I can’t modify its settings, dynamic IP, no port forwarding…). I have a VPS with a static IP. Home router has a WireGuard link to the VPS; I have Raspberry Pis at families’ houses, connected to the VPS via WireGuard, through which I want to route traffic. So: WireGuard forms a star topology, with the VPS (not the router!) at the center. As I understand, each gateway must be directly accessible (1 hop away), so I did not have luck using my router to set a route through a WireGuard Raspberry Pi. Both my router and the Pi are peers to the VPS (and can communicate fine with each other), but they are not direct peers to each other. A traceroute is home router → VPS → Pi. AFAIK, given that they both have dynamic IPs, I cannot make them direct peers (?).

What I did: I ended up using tunnels to create another star topology network on top of the WireGuard network, but this time with the router at the center. I did this with GRE tunnels. I wanted something with minimal overhead, and because this is entirely on top of the WireGuard network, I wasn’t worried about any encryption at all (should I be?). Other tunnels (and even WG over WG?) would presumably work, too. It is pretty neat now that it works: I have a separate SSID which routes all traffic through one of the Pis.

My question: This all seems rather complicated; did I do this the “right” way, or are there better ways of handling this?
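The router side of the overlay the post describes, written out as an added RouterOS v7 example rather than the poster's actual config (the Pi end is a Linux GRE interface and is not shown). The GRE endpoints are the WireGuard-internal addresses, so the tunnel rides router → VPS → Pi inside the existing WireGuard sessions; a dedicated table holds a default route through the tunnel, a routing rule steers only the guest SSID subnet into it, and TCP MSS is clamped because WireGuard plus GRE leaves the path MTU well below 1500. One caveat on the encryption question: GRE adds no confidentiality, and WireGuard is hop-by-hop, so the VPS terminates both sessions and sees the GRE payload in the clear. If the hub must not be able to read the traffic, a WireGuard tunnel between router and Pi carried over the same internal addresses (the "WG over WG" the post mentions) closes that gap. The interface wg-vps, the addresses 10.66.0.2 / 10.66.0.5, the point-to-point subnet 172.16.5.0/30, the table via-pi1 and the SSID subnet 192.168.50.0/24 are all assumed values.

```routeros
# Added example, not the poster's configuration. Assumed values:
#   wg-vps          - existing WireGuard interface to the VPS (hub)
#   10.66.0.2       - router's address inside the WireGuard star (constructed)
#   10.66.0.5       - Pi's address inside the WireGuard star (constructed)
#   172.16.5.0/30   - constructed point-to-point subnet for the GRE tunnel
#   192.168.50.0/24 - constructed subnet of the SSID that should exit via the Pi

# 1. GRE endpoints are WireGuard-internal addresses, so the overlay is carried
#    router -> VPS -> Pi inside the existing tunnels. GRE itself is plaintext;
#    the VPS, which decrypts and re-encrypts each hop, can read it.
/interface gre add name=gre-pi1 local-address=10.66.0.2 remote-address=10.66.0.5 \
    keepalive=10s,10
/ip address add address=172.16.5.1/30 interface=gre-pi1

# 2. Separate table with a single default route through the tunnel;
#    check-gateway withdraws it when the far end stops answering.
/routing table add name=via-pi1 fib
/ip route add dst-address=0.0.0.0/0 gateway=172.16.5.2 routing-table=via-pi1 \
    check-gateway=ping

# 3. Only the guest SSID subnet is steered. action=lookup falls back to the
#    main table for destinations via-pi1 does not cover (local prefixes).
/routing rule add src-address=192.168.50.0/24 action=lookup table=via-pi1

# 4. Source-NAT to the tunnel address so the Pi needs no route back to the
#    SSID subnet; it only has to masquerade 172.16.5.0/30 out its uplink.
/ip firewall nat add chain=srcnat out-interface=gre-pi1 action=masquerade

# 5. WireGuard (1420) plus the 24-byte GRE header shrinks the usable MTU;
#    clamp TCP MSS so large transfers do not stall on a PMTU black hole.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    out-interface=gre-pi1 action=change-mss new-mss=clamp-to-pmtu passthrough=yes
```

Each additional Pi is the same five statements with its own GRE interface, table and routing rule, which is what makes the router the center of the second star.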

Ended up with the Yaesu FT710, with a G5RV Jr. in the attic. Internal tuner tunes 40-6 with the exception of 15m and 17m. Very pleased with it so far! Several digital DX so far (Australia, Brazil, Samoa, Japan, Alaska, Hawaii; I’m at CM87/California).

To-do list includes low loss coax (100ft run of who-knows-what currently); debug intermittent Ethernet issues (Ethernet runs parallel to feedline — choke balun/better choking of feedline?); possibly get remote tuner (one step at a time…). Fun stuff!

Recommendations for first HF rig?

https://startrek.website/post/8259562


Howdy! I got my Technician in the early 2000s, and last year finally upgraded to Extra. Looking to set up a very basic shack. I’m looking for an HF setup, with most of my use probably using digital modes, but would like the ability to use voice.

Current transceiver is on loan from my girlfriend’s dad, a Ten-Tec Scout 555, a 50W HF unit with separate modules for each band. One limitation of this is that the modules set the mode, so it’s LSB on 40m, making e.g. FT8 not possible (without some hacking of code or perhaps hacking the module). Antenna is end-fed with an off-the-shelf 49:1. Currently only have a 20m half-wave, but have just enough room for a 40m half-wave in the attic, which is the ultimate goal.

For digital modes, it looks like there are sort of 3 classes of radio:

* “Full digital,” where the radio has e.g. a USB port and handles audio, transmit, and frequency set.
* Some computer control with RS232, but uses computer audio + adapter to transmit.
* No digital; use an adapter to transmit. This is what the current setup uses (and it works great!)

I’m leaning towards a conventional transceiver, e.g., something from ICOM, Kenwood, Yaesu (or others) rather than an SDR unit. I’d like the ability to go up to 50-100W if possible. I don’t have a hard-and-fast budget; would like to keep it <$1000 if possible; mostly just looking at used transceivers. Something like a Kenwood TS-590 looks pretty amazing and very “plug-and-play” (but pushing up against price). Something like a Yaesu FT-920 looks pretty feature-rich too; and even something more affordable like an ICOM 706 or even a 725 is probably more radio than I need. Or just grab a new 7300 and call it a day!

Anyway…clearly, I don’t know exactly what I want, but figured I’d ask folks with more experience if they have any wisdom. Thanks!