Isn't port forwarding under NAT?

Jun 27, 2011 20:42

mono posted:
Here's all I got when I did that (I X'd out part of the ID since I'm not sure if

oops, try: ip fir nat export

Jun 28, 2011 00:06

mono posted:
I'm delving into the MikroTik world and I'm having a hell of a time with port forwarding. I followed the Anypony guide and although the forwarding works fine (I started with 80 and 443 to an SBS 2011 box and I can access it from the outside no problem) it kills any outgoing traffic to 80 and 443 from inside the network. I'm wondering if I screwed something up elsewhere in Winbox, or if I'm missing something. I'm running 5.5 on an RB750G (it had the same behavior before upgrading it to 5.5). Any help is appreciated.

The rule either needs to filter traffic by destination address or in-interface.

Jun 28, 2011 03:22

CuddleChunks posted:
oops, try: ip fir nat export

Here you go:
code:

Jun 28, 2011 15:10

Those rules NAT everything hitting the ports. You need one more condition for them to trigger selectively. In my case, I put in my static IP from the WAN side so my rule looks like this:

/ip firewall nat add action=dst-nat chain=dstnat comment="" \
    disabled=no dst-address=XX.XX.XX.XX dst-port=80 protocol=tcp \
    to-addresses=192.168.17.3 to-ports=80

I've bolded the dst-address field to make it stand out more.

Jun 28, 2011 16:50

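An added example, not CuddleChunks' rule or anything exported from this thread, showing the over-broad dstnat rule beside the two narrowed forms the thread mentions (matching the router's WAN address, or matching the in-interface, which also survives a dynamic WAN address), plus the masquerade rule posted later in the thread so the set is complete. The interface name ether1-wan and the public address 203.0.113.10 are assumptions; 192.168.17.3 is the server address from the thread.

```routeros
# Added example, not from the thread. Assumes ether1-wan faces the ISP,
# the router's public address is 203.0.113.10 (constructed), and the web
# server is 192.168.17.3 (the address used in the thread).

/ip firewall nat

# Over-broad: no dst-address or in-interface, so every TCP/80 packet the
# router forwards, including a LAN client browsing an external website,
# is rewritten to the internal server. That is the symptom in the thread.
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=192.168.17.3 to-ports=80 disabled=yes \
    comment="BROKEN: matches LAN-originated traffic too"

# Narrowed by the public address: only traffic addressed to the router's
# WAN IP is forwarded. Needs a static (or scripted) WAN address.
add chain=dstnat protocol=tcp dst-port=80 dst-address=203.0.113.10 \
    action=dst-nat to-addresses=192.168.17.3 to-ports=80 \
    comment="web server, matched on WAN address"

# Narrowed by interface: only traffic arriving on the WAN port is
# forwarded, so it keeps working when the ISP changes the address.
add chain=dstnat protocol=tcp dst-port=443 in-interface=ether1-wan \
    action=dst-nat to-addresses=192.168.17.3 to-ports=443 \
    comment="web server TLS, matched on WAN interface"

# Outbound source NAT for the LAN (the masquerade one-liner from later in
# the thread); without it the inside clients cannot reach the internet.
add chain=srcnat out-interface=ether1-wan action=masquerade

# Check which rule packets hit: after a LAN client browses an external
# site, the dst-nat rules' counters must not have moved; only hits from
# the outside should increment them.
/ip firewall nat print stats
```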
CuddleChunks posted:
Those rules NAT everything hitting the ports. You need one more condition for them to trigger selectively. In my case, I put in my static IP from the WAN side so my rule looks like this:

Awesome, looks like that's all I needed. Thanks!

Jun 28, 2011 17:50

I read a rumour about a unit like the RB750G but with a built-in N wireless card coming out soon. Unfortunately, I can't remember where I read it. Although I do see this on page 1:

Nubile Cactus posted:
Also looks like they will be releasing a 750G with wireless built in soon as a sort of more advanced home AP. Should be pretty awesome once it comes out.

Would love to know how long I'd have to wait for this to come out.

Jul 7, 2011 03:15

Arnika - they announced it in their product brochure but the release date keeps slipping. RB751G I think is the model number or something like that. It looks sexy as hell but we still have to wait for now.

Jul 7, 2011 04:39

Does anyone have QOS setup? Just wondering if there are any good setups to throttle down torrent/newsgroup traffic and prioritize web/gaming etc?

Jul 9, 2011 21:05

There's a lot of QoS info on their wiki. The layer 7 page links to these importable layer7 rules that you can use in QoS for app layer control. I did this as a test with torrent traffic at work and while it wasn't 100%, it was quite effective. Torrent, NNTP, HTTP are on there. "Gaming" probably depends on the game. Quake and Doom are there!

Jul 9, 2011 21:12

krackpot posted:
Does anyone have QOS setup? Just wondering if there are any good setups to throttle down torrent/newsgroup traffic and prioritize web/gaming etc?

The way to do it is to specify mangle rules to mark the packets, and then create a queue tree to limit and distribute bandwidth based on that marking. layer7 tagging works too, but at a higher cpu cost, and certain services may be untaggable. queue trees will do exactly what you tell them, so it's easy to create (subtly) broken setups if you aren't familiar with HTB.

edit: the *only* way to do it

NOTinuyasha fucked around with this message at 05:37 on Jul 11, 2011

Jul 11, 2011 05:34

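An added example (not NOTinuyasha's or anyone's configuration from this thread) of the mangle-then-queue-tree approach described above: newsgroup traffic is marked by port and pushed to the bottom of an HTB tree, web traffic to the top. It assumes ether1-wan is the ISP link, ether2-lan the inside network, and a 10M down / 1M up connection; torrent marking would need the layer7 rule mentioned in the earlier post, which is not shown here.

```routeros
# Added example, not from the thread. Assumes ether1-wan is the ISP link,
# ether2-lan the inside network, and a 10M/1M (down/up) connection; set
# the limits slightly below the real link speed or HTB cannot shape at all.

/ip firewall mangle
# 1) Mark the connection once (passthrough=yes so later rules still run),
#    then mark every packet of that connection. Marking the connection
#    catches both directions, since replies carry the same mark.
add chain=prerouting protocol=tcp dst-port=119,563 \
    action=mark-connection new-connection-mark=nntp-conn passthrough=yes
add chain=prerouting connection-mark=nntp-conn \
    action=mark-packet new-packet-mark=nntp passthrough=no

add chain=prerouting protocol=tcp dst-port=80,443 \
    action=mark-connection new-connection-mark=web-conn passthrough=yes
add chain=prerouting connection-mark=web-conn \
    action=mark-packet new-packet-mark=web passthrough=no

# Everything still unmarked (torrents land here unless a layer7 rule
# marks them first) gets a catch-all mark so it is queued as well.
add chain=prerouting action=mark-packet new-packet-mark=other passthrough=no

/queue tree
# 2) One HTB tree per direction, parented on the physical interface.
#    Sanity rule for the tree: the children's limit-at values must add
#    up to no more than the parent's max-limit, otherwise the guarantees
#    cannot all be honoured and priority stops meaning anything.
add name=upload parent=ether1-wan max-limit=1M
add name=up-web parent=upload packet-mark=web priority=1 limit-at=512k max-limit=1M
add name=up-other parent=upload packet-mark=other priority=4 limit-at=384k max-limit=1M
add name=up-nntp parent=upload packet-mark=nntp priority=8 limit-at=64k max-limit=256k

add name=download parent=ether2-lan max-limit=10M
add name=dl-web parent=download packet-mark=web priority=1 limit-at=5M max-limit=10M
add name=dl-other parent=download packet-mark=other priority=4 limit-at=3M max-limit=10M
add name=dl-nntp parent=download packet-mark=nntp priority=8 limit-at=1M max-limit=2M

# Watch per-queue rate and dropped counters while traffic flows; a
# queue that never shows traffic means its mangle mark is not matching.
/queue tree print stats
```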
Another fairly basic problem here: I set up another 750G router with a static WAN address, and although the router can connect to the Internet fine (pinging 4.2.2.2 from Winbox responds) I can't get out with any other devices attached. I can ping the router fine, but nothing beyond it (cable modem IP, gateway, etc). Any ideas?

Jul 12, 2011 19:03

Is it doing NAT?

Jul 12, 2011 21:48

I haven't changed any NAT rules, so whatever's there with a stock configuration is it (masquerade rule?)

Jul 12, 2011 23:56

I don't recall there being any default NAT rules unless you enabled a basic firewall set from the web interface. Either way nat/firewall are likely the issue.

Jul 13, 2011 00:04

mono posted:
I haven't changed any NAT rules, so whatever's there with a stock configuration is it (masquerade rule?)

By default, there's no NAT. You can get that, though, with a one-liner. Something like:

/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=ether1

(Obviously you change that to reflect the interface that faces "outside.")

Jul 13, 2011 18:58

Welp, my old router was taking a poo poo, so I decided that gently caress everything, it's time to get a big boy router. So I bought a 493G with a R2N wireless card, and two 7 dBi omni antennas. Now it's time to figure out how to do multi-queue QoS on two or more connections with different link speeds and throughput caps.

Jul 15, 2011 08:59

Methylethylaldehyde posted:
Now it's time to figure out how to do multi-queue QoS on two or more connections with different link speeds and throughput caps.

Hahaha I love Mikrotiks. The very idea that you can consider doing this kind of nonsense without paying thousands of dollars is a real joy. Good luck to you!

Jul 15, 2011 17:52

CuddleChunks posted:
Hahaha I love Mikrotiks. The very idea that you can consider doing this kind of nonsense without paying thousands of dollars is a real joy. Good luck to you!

Yeah, they're powerful little devices. Hopefully doing that won't be akin to striking myself repeatedly in the dick with a hammer.

Jul 16, 2011 02:48

This thread is awesome. I work for a small ISP that uses a lot of Mikrotik stuff. I do mostly tech support and PC repair but this thread has helped me start getting my nose dirty when stuff breaks or needs to be reconfigured when our network dude isn't available. Also I acquired a 450G to play around with on my desk.

Question: We use hotspot authentication through a web interface in a couple apartment buildings we provide with wireless. The problem is game consoles. Right now the only way to get them to work is to manually plug in MAC addresses. There has to be a way to get the Mikrotiks to recognize console traffic and let it bypass authentication. I couldn't find any info though.

Jul 20, 2011 14:48

Does the mac address registration stuff do any wildcarding? If so you could try to determine a valid range that may mean 'Sony', 'Microsoft', 'Nintendo'. If you did get that to work it would be extremely easy to bypass, but hey it's something. OR possibly set up a virtual AP with a different SSID and have completely different authentication settings?

Jul 20, 2011 22:30

ManicJason posted:
Question: We use hotspot authentication through a web interface in a couple apartment buildings we provide with wireless. The problem is game consoles. Right now the only way to get them to work is to manually plug in MAC addresses. There has to be a way to get the Mikrotiks to recognize console traffic and let it bypass authentication. I couldn't find any info though.

There is a scripting section to use for the hotspot but as far as I've ever done, I just added folks to the Bypassed section under IP Bindings. Yes, it's manual and tedious but that's what we've done at hotels and spots with Hotspot running. The official forums may have more help in that regard since loads of folks do crazy things with their hotspot services that we haven't tried.

Jul 21, 2011 00:27

I've just started using my first outdoor Mikrotik, a RB/SXT. Set them up on the roof of some office buildings that are about 3500' apart and they're working quite well thus far. I've had the bandwidth test running for two days now and it's 60 Mbps TX/RX simultaneously even with some rain overnight. It's 5GHz unlicensed so I could run into interference problems but I just wanted to chime in to say that I'm surprised by the throughput that these can get at such a cheap price (~$90/each). The real test will be getting through a Wisconsin winter. I'd be curious to hear what type of success any of you have had with any of their equipment outdoors and for longer distances.

Aug 14, 2011 18:12

I haven't used that specific unit, but I have a couple dozen backhaul links, that can push 30-40Mbps (depending on band, channel width, whether the climber put up a dual-polarity antenna) over ten miles or more, and one link that gets about 50Mbps over 23 miles (with a little ACK tuning to account for the distance of the link). Interference in the 5GHz bands rarely is an issue, because there isn't (yet) as much other junk in that band. Everyone has a 2.4 router or a cordless phone, but 5GHz gear seems to be a lot less common. The short distance of your link, combined with a couple decent antennas, should mitigate most of your concerns.

Aug 15, 2011 03:47

falz - We use RB1xx, RB2xx, RB4xx, RB5xx, RB7xx, RB1000's and probably a few other boards I can't remember. The RB100 series and RB411's are set up with panel antennas in little outdoor cases. For the last several years we've had them in all the nasty weather the West can throw at them and they have held up remarkably well. It's been a very good fit for us and the extra features they offer have made them extremely powerful for building out our network.

Aug 15, 2011 18:21

If I want to place an OpenVPN server behind a NAT'd firewall, I just use port mapping to have the RouterOS firewall push all data destined for a certain port to the internal LAN IP (and port) of the OVPN server, right? I made a new NAT rule:

/ip firewall nat add chain=dstnat dst-port=1194 action=dst-nat protocol=udp to-address=10.0.1.100 to-port=1194

It connects fine, but I can't ping from the connected client to the Mikrotik LAN. And from the Mikrotik LAN I can't ping the OVPN server or the connected client. Any ideas? On a 493G with RouterOS 5.6.

Sep 3, 2011 20:18

It's probably unrelated to the Mikrotik but it would be helpful if you could post both the client/server config files and the log from both ends.

Sep 3, 2011 21:15

I've got a pptp VPN set up here at work that I created a few weeks ago. When I connect to the VPN from home, I can browse the internet fine, and my IP shows up as my work's IP. Problem is, I can't see any of the 10.0.1.x stuff. What am I forgetting to do or doing improperly?

Sep 15, 2011 21:01

Your work has a firewall?

Sep 15, 2011 21:17

Nitr0 posted:
Your work has a firewall?

The firewall/router/whatever is the mikrotik which is also running the vpn.

Sep 15, 2011 21:25

Nothing silly like overlapping ip ranges?

Sep 15, 2011 21:39

Nitr0 posted:
Nothing silly like overlapping ip ranges?

I don't think so, originally I set up the Local/Remote addresses under the secrets tab under PPP using 10.0.0.20 and 10.0.0.21, but I changed it to 10.0.1.20 and 10.0.1.21 thinking that might be my issue. Didn't seem to affect anything, still can't ping 10.0.1.99 as a vpn client outside of the office. DHCP could potentially overlap since it's set to 10.0.1.0/24 (which I can change I guess), but I'm looking at leases and they're all in the 10.0.1.100-254 range.

e: would changing it to 10.0.1.0/25 be a good idea? That should keep the range between 10.0.1.128 and 10.0.1.255

e2: 'IP-->Pool' in winbox is the thing keeping the dhcp range between 10.0.1.100-199 I guess

PuTTY riot fucked around with this message at 21:54 on Sep 15, 2011

Sep 15, 2011 21:44

American Jello posted:
e: would changing it to 10.0.1.0/25 be a good idea? That should keep the range between 10.0.1.128 and 10.0.1.255

If you do an ipconfig on your vpn-connected computer what IP address do you get? What does it show for the gateway? Can you ping that? Can you ping any of the machines within that subnet (assuming they are pingable)? Your initial config looks like you're on a different network than the other machines assuming a /24 subnet. Now, with you in the same subnet things should be much better. One curiosity, what's the IP address you have on the machine before bringing up PPTP? I want to make sure you're in a 192.168.x range or something like that so that your computer knows where to send packets.

Sep 15, 2011 22:16

before connecting to vpn:

after:

I'm assuming it has something to do with the subnet mask being 255.255.255.255.

Sep 15, 2011 23:01

lol. Are you on telus? Looks like multiple problems. You have no gateway so that's not going to work. If you're on telus then check this thread http://www.dslreports.com/forum/r26300507-PPTP-VPN-connections-fail-through-Telus. That thread looks like it fails before gre authentication though so I don't think it's your problem.

Nitr0 fucked around with this message at 23:07 on Sep 15, 2011

Sep 15, 2011 23:05

Nitr0 posted:
lol. Are you on telus?

I'm in the US, uverse at home, metro-e AT&T at work. Why is the gateway relevant for LAN traffic and if it wouldn't work why does WAN traffic across the VPN work? I am getting a work ip from home according to whatismyip.com.

Sep 15, 2011 23:27

I just set this up at home as a test. Follow the instructions in the Mikrotik Wiki and make sure you are in the same network range as your other network devices AND that you setup Proxy-ARP on the ethernet interface hosting those other connections. That's the missing step I needed in order to start talking to machines on my remote LAN.
code:

Sep 15, 2011 23:57

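An added example, not CuddleChunks' configuration (the block he posted did not survive), of the two things his post names: tunnel addresses inside the office LAN range used in this thread (10.0.1.20 / 10.0.1.21 on 10.0.1.0/24) and Proxy-ARP on the LAN interface. It assumes ether2 is the LAN port, 10.0.1.1 is the LAN gateway/DNS, and "homeuser" with its password is a placeholder account.

```routeros
# Added example, not the poster's configuration. Assumes ether2 carries the
# 10.0.1.0/24 office LAN from the thread, 10.0.1.1 is the LAN gateway and
# DNS (constructed), and homeuser / CHANGE-ME are placeholders.

# 1) Answer ARP on the LAN for addresses the router has a route to, which
#    includes the VPN client's 10.0.1.21. Without this a LAN host that
#    wants to reply to the client ARPs for 10.0.1.21, gets no answer, and
#    never sends, even though the client can still browse the internet
#    through the router (that path never needs LAN-side ARP).
/interface ethernet set ether2 arp=proxy-arp

# 2) Put both tunnel ends inside the LAN subnet so the client is "on" the
#    LAN from the other hosts' point of view.
/ppp profile add name=pptp-lan local-address=10.0.1.20 \
    remote-address=10.0.1.21 use-encryption=required dns-server=10.0.1.1
/ppp secret add name=homeuser password=CHANGE-ME service=pptp profile=pptp-lan

# 3) Enable the server with MS-CHAPv2 only; PAP and CHAP cannot derive an
#    MPPE key, so use-encryption=required would fail for them anyway.
/interface pptp-server server set enabled=yes authentication=mschap2 \
    default-profile=pptp-lan

# 4) If a firewall is in place, the control channel and GRE must reach the
#    router; place-before=0 puts these above any final drop in input.
/ip firewall filter add chain=input protocol=tcp dst-port=1723 \
    action=accept place-before=0 comment="PPTP control"
/ip firewall filter add chain=input protocol=gre action=accept \
    place-before=0 comment="PPTP GRE"

# Verify after a client connects: the dynamic pptp interface is listed and
# a /32 connected route for the client's address exists, which is what
# proxy-arp answers for on ether2.
/interface pptp-server print
/ip route print where dst-address=10.0.1.21/32
```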
CuddleChunks posted:
I just set this up at home as a test. Follow the instructions in the Mikrotik Wiki and make sure you are in the same network range as your other network devices AND that you setup Proxy-ARP on the ethernet interface hosting those other connections. That's the missing step I needed in order to start talking to machines on my remote LAN.

This is exactly what I was missing. It's working like it should now, thanks a bunch.

Sep 16, 2011 04:41

Just out of curiosity, could you do a route print from your windows machine while connected to the vpn.

Nitr0 fucked around with this message at 07:03 on Sep 16, 2011

Sep 16, 2011 05:19

Sep 16, 2011 06:39