So, I just picked up a Mikrotik, and things have been going great with it so far except for one little thing. I picked the device up because I thought that my Asus RT-N16 was rebooting and the Mikrotik is now doing the same. It got a random watchdog restart. I've read a few things on the Mikrotik website about it and some of their forums, but there was no solid reasoning for it. Did anyone else run into this and narrow it down to exactly what was causing it?

# Apr 16, 2013 05:05
Atreus posted: So, I just picked up a Mikrotik, and things have been going great with it so far except for one little thing. I picked the device up because I thought that my Asus RT-N16 was rebooting and the Mikrotik is now doing the same. It got a random watchdog restart. I've read a few things on the Mikrotik website about it and some of their forums, but there was no solid reasoning for it. Did anyone else run into this and narrow it down to exactly what was causing it?

It's funny that you have two different devices from different manufacturers on the blink. Do you have good quality AC power coming from the mains? I wouldn't imagine a bad cable causing a router to random / watchdog restart.

# Apr 16, 2013 13:06
|
Well, one of the things is I've had the Asus for a while and I figured it was just at the end of its rope. I've had it in some pretty warm conditions, so I believed that may have been the case. This is however making me rethink what could be causing it; going to go get a UPS after work. The modem is on the same power outlet and doesn't have a problem, which is why I didn't think of that route before. Does the supout have something that may indicate power as the cause? I took a quick look over it and didn't see anything related to that.

# Apr 16, 2013 15:04
|
SamDabbers posted: You may want to take a look at the packet flow diagram for RouterOS. The "input" chain in the firewall is for packets destined to the router itself, not packets that will ultimately be forwarded (the "forward" chain) somewhere else. Right now there's an implicit "accept all" rule in the "forward" chain, which is why things appear to be working. Look at the counters on the rules you have in Winbox; some of them are likely not being hit.

Not sure what caused it, but I've just had to completely reset my MikroTik thanks to your configuration (on my birthday no less). I made a backup of my firewall configuration, then input yours through the terminal verbatim and then after doing so I could no longer load websites and then couldn't reconnect to the router through SSH or WinBox. Not sure if they'll offer it, but I've e-mailed MikroTik support for assistance with cleaning up my firewall rule-set and better explaining how it should be configured, etc. I think the biggest trouble I have so far with this router is understanding the proper implementation and design of the firewall. I understand what you were explaining in your post with regards to input/forward rules and actually seeing the rule-set built within WinBox makes it easier for me to comprehend. However, after making those changes and reading it over again, I just don't understand what the problem was that caused it to stop functioning.

PUBLIC TOILET fucked around with this message at 20:37 on Apr 16, 2013

# Apr 16, 2013 18:57
|
PUBLIC TOILET posted: Not sure what caused it, but I've just had to completely reset my MikroTik thanks to your configuration (on my birthday no less). I made a backup of my firewall configuration, then input yours through the terminal verbatim and then after doing so I could no longer load websites and then couldn't reconnect to the router through SSH or WinBox.

Sorry to hear that! (Also happy birthday!) Did you take out the existing filter and NAT rules first? The "Allow all from LAN" rule on the input chain is pretty important to have in before the default drop, or you will be locked out. One thing I've noticed is that the Mikrotik terminal doesn't handle a large block of text pasted in, probably due to buffering. If you're going to try again, try doing it one line at a time. Also, I didn't test the OpenDNS redirect thing myself, since I don't use it. You can set the DHCP server to hand out the OpenDNS IPs and just omit the transparent redirect thing, unless you really need to force it.

SamDabbers fucked around with this message at 20:39 on Apr 16, 2013

# Apr 16, 2013 20:35
|
SamDabbers posted: Sorry to hear that! (Also happy birthday!)

Yeah, what I did was clear out all of the Filter Rules first, then input yours line-by-line through a new terminal window. One thing I did notice was when I reached the point of adding the ones allowing the outgoing traffic from the LAN, the paste didn't look correct. There were spaces and periods between the forward-slash and the next command. I also didn't know what the ideal single rule would have been that you mentioned as being an alternative to the multiple outgoing traffic rules. After the filter rules were done, I erased the NAT rules and then did those line-by-line as well. With regards to DNS resolution, I've done it a different way this time through WinBox. Under IP -> DNS, I've specified both OpenDNS servers under the "Servers" fields. Under "Static", I've also added both OpenDNS servers there as well. I then went to IP -> DHCP Client and disabled "Use Peer DNS". This appears to be working.

PUBLIC TOILET fucked around with this message at 20:43 on Apr 16, 2013

# Apr 16, 2013 20:41
|
PUBLIC TOILET posted: Yeah what I did was clear out all of the Filter Rules first, then input yours line-by-line through a new terminal window. One thing I did notice was when I reached the point of adding the ones allowing the outgoing traffic from the LAN, the paste didn't look correct. There were spaces and periods between the forward-slash and the next command. I also didn't know what the ideal single rule would have been that you mentioned as being an alternative to the multiple outgoing traffic rules. After the filter rules were done, I erased the NAT rules and then did those line-by-line as well.

Ah, that could be the multi-line thing screwing it up. Try deleting the backslash and making each rule all one line before pasting it. The single-rule version in the forward chain would look exactly like the one in the input chain, i.e. code:

PUBLIC TOILET posted: With regards to DNS resolution, I've done it a different way this time through WinBox. Under IP -> DNS, I've specific both OpenDNS servers under the "Servers" fields. Under "Static", I've also added both OpenDNS servers there as well. I then went to IP -> DHCP Client, disabled "Use Peer DNS". This appears to be working.

The "Static" part is unnecessary; that is for adding custom DNS records when using the Mikrotik as a DNS server. Are your clients using the Mikrotik's address (192.168.88.1 by default) as the DNS server address? You can change what DNS IPs they get in IP -> DHCP Server under the Network tab. If you do that, then the OpenDNS NAT stuff is unnecessary. To make it easier to see what went wrong, can you paste the output of "/ip firewall export"? Also, which version of RouterOS are you running?

SamDabbers fucked around with this message at 20:59 on Apr 16, 2013

# Apr 16, 2013 20:49
|
On the topic of firewalling, this may (but likely won't) interest those of you running IPv6 through your Mikrotik. Look at what I found in my log: code:

code:

SamDabbers fucked around with this message at 22:32 on Apr 16, 2013

# Apr 16, 2013 21:26
|
You shouldn't need a firewall rule to tell a device not to forward link-local messages across other links, even if you're paranoid.

# Apr 16, 2013 21:40
|
Ninja Rope posted: You shouldn't need a firewall rule to tell a device not to forward link-local messages across other links, even if you're paranoid.

I agree that the IPv6 stack should just handle this, but there are two things to note about the logged packets:

Edit: Actually, this might be a misconfigured/buggy load balancer. I can reliably trigger this sequence of packets by loading https://www.sprint.com over IPv6. For reference, Sprint "owns" 2600::/29.

SamDabbers fucked around with this message at 22:54 on Apr 16, 2013

# Apr 16, 2013 21:52
|
Okay, I've removed the OpenDNS servers from the Static DNS section. I've still left them specified under IP -> DNS and I went ahead and modified the DNS servers under the DHCP Server section so that it points to the two OpenDNS servers and not the router (192.168.88.1). Thank you for that. I had thought about that when I was re-configuring the router (why am I trying to NAT OpenDNS? There has to be a way to statically force the server upon the clients.) Glad you pointed me in the right direction, I just couldn't locate the proper area to input that. It might just be a WinBox bug but when I opened a new terminal window, went to "ip firewall filter" and pasted: code:

code:

# Apr 16, 2013 23:05
|
Can someone tell me what the difference between doing a bridge vs assigning ports a "master port"? What is the preferred method?

# Apr 16, 2013 23:43
|
PUBLIC TOILET posted: It might just be a WinBox bug but when I opened a new terminal window, went to "ip firewall filter" and pasted:

You should remove the '\' from the middle when you make it all one line. That backslash is there to tell the terminal that the next line is technically part of the current one, so it's not needed when it is actually all one line.

IT Guy posted: Can someone tell me what the difference between doing a bridge vs assigning ports a "master port"?

Using a bridge is in software, whereas a "master port" uses the hardware switch chip. Where a bridge is useful vs. switch chip is when you want to bridge interfaces that aren't on the same switch chip, or you want to do something more advanced like run RSTP on the bridge. You can combine the two, e.g. set ports 3,4,5 to use port 2 as the master port, then bridge port 2 to an L2TP interface. The switch chip will handle traffic between the ethernet ports, but whatever's on the other side of the L2TP interface will be bridged to the local LAN via software.

# Apr 16, 2013 23:54
|
SamDabbers posted: Using a bridge is in software, whereas a "master port" uses the hardware switch chip. Where a bridge is useful vs. switch chip is when you want to bridge interfaces that aren't on the same switch chip, or you want to do something more advanced like run RSTP on the bridge. You can combine the two, e.g. set ports 3,4,5 to use port 2 as the master port, then bridge port 2 to an L2TP interface. The switch chip will handle traffic between the ethernet ports, but whatever's on the other side of the L2TP interface will be bridged to the local LAN via software.

Very informative, thanks.

# Apr 16, 2013 23:56
|
SamDabbers posted: You should remove the '\' from the middle when you make it all one line. That backslash is there to tell the terminal that the next line is technically part of the current one, so it's not needed when it is actually all one line.

No luck. I removed all of my firewall configuration, imported yours once more line-by-line but it still caused the router to stop functioning properly. After I import it, I can see the log dropping connection attempts and whatnot. However, once I try to open a website, it fails to resolve it. Below is an export of the firewall after re-configuring it with your settings: code:

# Apr 18, 2013 00:14
|
Ditch these lines:

code:
add action=drop chain=input disabled=no
add action=drop chain=forward disabled=no

You're crippling traffic moving from your LAN to the router or your LAN to the outside world.

# Apr 18, 2013 02:16
|
CuddleChunks posted: Ditch these lines:

By removing these it'd change the default policy to allow everything from everywhere. Linux/Mikrotik firewalling is first-match, and traffic coming from the LAN to either the router or the outside world should be matched by the rules above these.

PUBLIC TOILET posted: No luck. I removed all of my firewall configuration, imported yours once more line-by-line but it still caused the router to stop functioning properly. After I import it, I can see the log dropping connection attempts and whatnot. However, once I try to open a website, it fails to resolve it. Below is an export of the firewall after re-configuring it with your settings:

Interesting. That configuration closely mirrors my own, which works fine on my RB750GL. The telling thing is that the counters are all zero on all rules except "allow established" and the default log/drops at the end. I didn't realize this is a 951G, so you probably need to change the in-interface from 'ether2-master-local' to 'bridge-local' on all the rules that specify an in-interface. The default configuration sets up a bridge between the wireless and wired interfaces. Can you post a screenshot of the Interfaces section of Winbox?

SamDabbers fucked around with this message at 02:45 on Apr 18, 2013

# Apr 18, 2013 02:28
|
SamDabbers posted: By removing these it'd change the default policy to allow everything from everywhere. Linux/Mikrotik firewalling is first-match, and traffic coming from the LAN to either the router or the outside world should be matched by the rules above these.

Sure, here you go. These are all the default. The only option I recall changing was making all of the ethernet interfaces 1Gbps.

# Apr 18, 2013 02:46
|
PUBLIC TOILET posted: Sure, here you go. These are all the default. The only option I recall changing was making all of the ethernet interfaces 1Gbps.

Ok, so for each rule that specifies in-interface=ether2-master-local, change it to in-interface=bridge-local and everything should start working.

# Apr 18, 2013 02:52
|
Out of curiosity, why aren't you using the default ruleset? The built-in one you get after a sys reset works right out of the box.

# Apr 18, 2013 03:13
|
CuddleChunks posted: Out of curiosity, why aren't you using the default ruleset? The built-in one you get after a sys reset works right out of the box.

Just trying to secure it a little bit is all and create decent logging rules so I can see what's actually going on. I'm also trying to customize some things (the remote access server for instance) and learn/understand how the firewall itself works. It's probably my biggest weakness with this router and I'd like to be able to work with it a bit. Ideally I'd like to obtain a paperback manual or decent book on it but I don't really see much with regards to learning RouterOS. I'd like to use MikroTik hardware moving forward if I have to set one up for family, friends, etc. but obviously I need to learn it first. For instance, right now I don't understand why it has to be changed to the local bridge from the local master interface. I should check out that flowchart again.

PUBLIC TOILET fucked around with this message at 04:19 on Apr 18, 2013

# Apr 18, 2013 04:04
|
PUBLIC TOILET posted: For instance, right now I don't understand why it has to be changed to the local bridge from the local master interface. I should check out that flowchart again.

So I take it that worked? The reason that it has to be changed to the bridge interface is because the IP address is assigned to the bridge interface. Look under IP -> Addresses. Traffic sent to the router's IP will appear to the firewall to come in on the bridge interface.

# Apr 18, 2013 04:27
|
SamDabbers posted: So I take it that worked? The reason that it has to be changed to the bridge interface is because the IP address is assigned to the bridge interface. Look under IP -> Addresses. Traffic sent to the router's IP will appear to the firewall to come in on the bridge interface.

I actually didn't try it yet, but looking at the IP Addresses, there's only the ether1-gateway specified grabbing the IP from the ISP and there's also the wireless LAN interface in the list. Did you mean the DHCP Server? Because that has the bridge-local interface specified.

# Apr 18, 2013 05:00
|
PUBLIC TOILET posted: I actually didn't try it yet, but looking at the IP Addresses, there's only the ether1-gateway specified grabbing the IP from the ISP and there's also the wireless LAN interface in the list. Did you mean the DHCP Server? Because that has the bridge-local interface specified.

Think of the bridge as a virtual switch in software. It has 3 ports assigned to it: wlan1, ether2-master-local (and, implicitly, all its slaves), and the router CPU. The "port" that "connects" to the router CPU is labeled "bridge-local" in the config, and is treated just like any other interface when it comes to the IP layer stuff like DHCP and firewall. So there should be two IP addresses under IP -> Addresses: your ISP public address on ether1-gateway, and 192.168.88.1 on bridge-local.

# Apr 18, 2013 05:22
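The ruleset SamDabbers pasted into the thread did not survive extraction, so the following is an added example (my own reconstruction, not SamDabbers' or PUBLIC TOILET's posted config) of the shape the thread converges on: first-match chains with "allow established" and "allow all from LAN" placed before the final log/drop, and in-interface pointed at bridge-local rather than ether2-master-local because that is where the LAN address lives on an RB951G. It assumes the RB951G default interface names (ether1-gateway for the WAN side, bridge-local for the wired+wireless LAN) and RouterOS v6-era syntax; the comments and log prefixes are constructed.

```routeros
# Added example, not the configuration posted in the thread.
# Assumes: ether1-gateway = WAN, bridge-local = LAN bridge holding 192.168.88.1/24.

/ip firewall filter
# --- input chain: packets addressed to the router itself ---
add chain=input connection-state=established,related action=accept comment="allow established"
add chain=input connection-state=invalid action=drop comment="drop invalid"
# This rule MUST sit above the default drop, or LAN hosts (and Winbox/SSH) get locked out.
# in-interface must be the interface that carries the LAN address, i.e. bridge-local on an
# RB951G; a rule on ether2-master-local here matches nothing and its counter stays at zero.
add chain=input in-interface=bridge-local action=accept comment="allow all from LAN"
add chain=input action=log log-prefix="input-drop " comment="log everything else"
add chain=input action=drop comment="default drop"

# --- forward chain: packets passing through the router (LAN <-> internet) ---
add chain=forward connection-state=established,related action=accept comment="allow established"
add chain=forward connection-state=invalid action=drop comment="drop invalid"
# Single rule replacing a list of per-service outbound rules: anything from the LAN may leave.
add chain=forward in-interface=bridge-local action=accept comment="allow all from LAN"
add chain=forward action=log log-prefix="forward-drop " comment="log everything else"
add chain=forward action=drop comment="default drop"

/ip firewall nat
add chain=srcnat out-interface=ether1-gateway action=masquerade comment="NAT LAN to internet"

# --- checks ---
# Confirm the LAN address really is on bridge-local (this is why in-interface must name it):
/ip address print
# Zero the counters, generate some LAN traffic, then look at which rules are being hit.
# A rule whose counter stays at zero while the final drop counter climbs is matching nothing.
/ip firewall filter reset-counters-all
/ip firewall filter print stats
```

Paste it one line at a time as the thread advises, with the "allow all from LAN" input rule entered before the default drop; if the counters show only "allow established" and the final drops moving, the in-interface name is the first thing to re-check.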
|
SamDabbers posted: Think of the bridge as a virtual switch in software. It has 3 ports assigned to it: wlan1, ether2-master-local (and, implicitly, all its slaves), and the router CPU. The "port" that "connects" to the router CPU is labeled "bridge-local" in the config, and is treated just like any other interface when it comes to the IP layer stuff like DHCP and firewall. So there should be two IP addresses under IP -> Addresses: your ISP public address on ether1-gateway, and 192.168.88.1 on bridge-local.

I think I understand what you mean. Everything hits the bridge-local first, then it's funneled to the appropriate interface(s) rather than each interface acting independently when it comes to the initial switching? So in essence, it would go bridge-local -> ether1-gateway -> ether2-master-local AND/OR wlan1 with regards to the way this is configured and what is being utilized. After modifying the script to use bridge-local, it would appear as though we're good now. Much appreciated, thank you. I've been referencing the MikroTik wiki for direction on most things, but are there any actual paperbacks out there on RouterOS/MikroTik? It seems like the closest thing I can find are the planned training events they hold across the country. My next objective is to work on IPsec.

PUBLIC TOILET fucked around with this message at 06:25 on Apr 19, 2013

# Apr 19, 2013 06:16
|
They tend to post slides and videos from those events.

# Apr 19, 2013 15:47
|
PUBLIC TOILET posted: I think I understand what you mean. Everything hits the bridge-local first, then it's funneled to the appropriate interface(s) rather each interface acting independently when it comes to the initial switching? So in essence, it would go bridge-local -> ether1-gateway -> ether2-master-local AND/OR wlan1 with regards to the way this is configured and what is being utilized.

This is more what I was trying to describe. The purpose of the bridge is to make the wireless clients part of your wired LAN.

PUBLIC TOILET posted: After modifying the script to use bridge-local, it would appear as though we're good now. Much appreciated, thank you. I've been referencing the MikroTik wiki for direction on most things, but are there any actual paper-backs out there on RouterOS/MikroTik? It seems like the closest thing I can find are the planned training events they hold across the country. My next objective is to work on IPsec.

Glad it works! The wiki is the "official" documentation, but a quick google comes up with some books written by Mikrotik trainers. I haven't attended any training sessions, nor read either of these books, so I can't make a recommendation.

http://www.learnmikrotik.com/index.php/get-the-book.html
http://www.amazon.com/Learn-RouterOS-Dennis-Burgess/dp/055709271X

# Apr 19, 2013 16:50
|
I'll recommend against the second of those books (Dennis Burgess' "Learn RouterOS"). The book is self-published, and it shows, with overly-conversational writing and a complete absence of copy-editing. Further, the content is too basic IMO. If you know the basics of, say, BGP, you'll probably be able to figure out how to set up BGP in RouterOS pretty easily; the book doesn't really add much value there. If you don't know the underlying concepts, this book won't explain them; and if you do, you probably don't need the book to figure out how to work the GUI widgets. Had it been more of a cookbook, starting with basic concepts that can be odd to Mikrotik novices (bridging Ethernet and wireless interfaces, for instance, can seem a bit weird if you've never done it before), and building on that, it might have been worthwhile. Dennis tried to write a book that could be all things to all comers, and it didn't turn out well at all.

# Apr 20, 2013 17:01
|
I just started work at an ISP and they got tons of Mikrotik stuff, so discovering there is a whole thread on here about it is awesome!

# Apr 20, 2013 20:32
|
I've just started looking at RouterOS via a RB750GL that was kicking around. It all seems straightforward enough; one thing that I can't see a simple explanation for though is how VLANs work. I've come up with the following conclusions while I was in the shower, can you correct me if they are wrong?

# Apr 25, 2013 02:26
|
Actual VLANs and tagging are a pain in the butt in RouterOS. To keep things local only you could just use different bridges and interfaces. To do tagging you have to mess with bridges, vlan interfaces, physical interfaces. To simply create vlan101 and 102 and tag on interfaces ether4 and ether5: code:

Oh, and if you wanted these vlans to do L3: code:

# Apr 25, 2013 03:07
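The two config snippets in the post above were lost in extraction, so here is an added example of my own (not the poster's configuration) showing the pattern the post describes for a v6-era RB750GL: one vlan interface per physical port per VLAN, each with a distinct name, gathered into a per-VLAN bridge, with an address on the bridge for the layer-3 case. The interface and bridge names and the subnets are constructed; ether4 and ether5 as the tagged ports come from the post.

```routeros
# Added example, not the configuration posted in the thread.
# Assumes RouterOS v6 without bridge VLAN filtering: a vlan interface is bound to one
# physical port, so VLAN 101 on two ports needs two differently named vlan interfaces.

/interface vlan
add name=vlan101-ether4 vlan-id=101 interface=ether4
add name=vlan101-ether5 vlan-id=101 interface=ether5
add name=vlan102-ether4 vlan-id=102 interface=ether4
add name=vlan102-ether5 vlan-id=102 interface=ether5

# One software bridge per VLAN ties the per-port vlan interfaces together (layer 2 only).
# Frames stay inside their own bridge, so VLAN 101 and VLAN 102 cannot reach each other here.
/interface bridge
add name=bridge-vlan101
add name=bridge-vlan102

/interface bridge port
add bridge=bridge-vlan101 interface=vlan101-ether4
add bridge=bridge-vlan101 interface=vlan101-ether5
add bridge=bridge-vlan102 interface=vlan102-ether4
add bridge=bridge-vlan102 interface=vlan102-ether5

# Layer 3: give the router an address in each VLAN on the bridge, the same way the default
# config puts 192.168.88.1 on bridge-local. Routing between the two VLANs then goes through
# the CPU and the forward chain of the firewall, where it can be filtered.
/ip address
add address=192.168.101.1/24 interface=bridge-vlan101
add address=192.168.102.1/24 interface=bridge-vlan102

# Check: every vlan interface should show R (running) once the trunk port has link.
/interface vlan print
```

Because the vlan interfaces sit on top of the ethernet ports rather than in the switch chip, this traffic is handled in software on the CPU, consistent with the bridge-versus-master-port explanation earlier in the thread.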
|
Thanks, that makes sense, albeit it's quite long-winded how VLANs have to be created on each interface they need to be tagged on and can't be called the same thing.

# Apr 26, 2013 18:19
|
What's the best way for me to do a diagnostic of a specific device that connects to the network through the MikroTik router? I have a device that I want to complete network diagnostics on and see what's happening behind the scenes when it tries to communicate with the router. I can see in the normal log that it establishes a connection at 10mbit, then it disconnects, then it reconnects at 100mbit. After that it receives the DHCP lease but sometimes the device still won't have network connectivity.

# Apr 29, 2013 00:05
|
You could enable more logging topics on the tik, but really it sounds like troubleshooting step by step: ping the gateway, ping a routed IP, ping a hostname, telnet to a TCP port, etc.

# Apr 29, 2013 00:10
|
PUBLIC TOILET posted: What's the best way for me to do a diagnostic of a specific device that connects to the network through the MikroTik router?

TOOLS TOOLS TOOLS TOOLS! There's so many TOOLS for you to choose from! From within Winbox:

Tools -> Ping
Tools -> Packet Sniffer (super handy for gathering data to analyze in Wireshark)
Tools -> Torch
System -> Logging (add a topic and send it to memory to get extensive debug info dumped into the logs)

Hopefully somewhere in that pile of Tools will be something that helps you solve your issue.

# Apr 29, 2013 16:59
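The same tools from the terminal, as an added example of my own (not from either poster), walking the symptom described two posts up in order: link state of the port, the DHCP exchange, then reachability. It assumes the device hangs off ether3 and uses the constructed MAC address AA:BB:CC:DD:EE:FF; substitute the real port and address.

```routeros
# Added example, not commands from the thread. Assumed: device on ether3, MAC AA:BB:CC:DD:EE:FF.

# 1. Link layer: shows status, negotiated rate and duplex. Run it while the device connects
#    to see the 10M -> down -> 100M sequence the log reports.
/interface ethernet monitor ether3 once

# 2. DHCP: log the DHCP topic to memory, then read back only those entries.
/system logging add topics=dhcp action=memory
/log print where topics~"dhcp"

# 3. Confirm the lease that was handed out (address, server, status) for this one device.
/ip dhcp-server lease print detail where mac-address=AA:BB:CC:DD:EE:FF

# 4. Reachability from the router's side once the lease is bound.
/ping 192.168.88.1 count=3

# 5. Packet capture on the LAN bridge for analysis in Wireshark; stop with Ctrl-C.
/tool sniffer quick interface=bridge-local
```

Step 2 is the terminal equivalent of System -> Logging in Winbox; remove the logging entry again when done, since a debug topic left on indefinitely fills the memory log and hides other events.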
|
Right, I have my VLANs nailed down and testing them thanks to some dodgy Realtek diagnostic utility that has let me create multiple virtual adapters on my PC. However, when I get a DHCP lease it seems to start at the top of the range and count backwards, is this normal? My DHCP pool is defined as 192.168.0.29-192.168.0.254 and with one client connected it gets .254, next client gets .253 etc. It just seems a bit weird.

# May 1, 2013 00:14
|
Caged posted: Right, I have my VLANs nailed down and testing them thanks to some dodgy Realtek diagnostic utility that has let me create multiple virtual adapters on my PC.

It's not uncommon; my RB750GLs do the same thing. Depending on manufacturer you can see all sorts of different DHCP behaviour, from linear from the beginning or end of the pool, to truly random and everything in between, for some reason.

# May 1, 2013 02:12
|
It's not a big deal, everything works fine and eventually once I'm done testing the DHCP will be handled by a Windows server as part of AD. I just wanted to check this wasn't abnormal. Thanks.

# May 1, 2013 13:35
|
Yeah, MikroTiks all start with the top of the range and head backwards. I don't know why but that's how they roll.

# May 1, 2013 17:06
Is the configuration of the dhcp of these devices pretty robust? At the moment we are using a bunch of SOHO routers, some with DD-WRT. We use a Windows server for dhcp that usually I can dhcp-relay to. The problem is that on dd-wrt you can't relay from vlans (I don't think). I'd like to start segregating our network while still utilizing our dhcp server. I see the wiki on some of this stuff, so it seems possible; tell me if this is stupid, because I'm only really an amateur at the moment.

# May 1, 2013 18:14