|
Caged posted:I had OpenVPN connecting through a RB750GL with zero issues up to about a month ago when I got bored with it and replaced it with something else.
|
#
?
Aug 14, 2013 08:55
|
|
|
|
| # ? May 16, 2024 00:42 |
|
|
Sounds like an MTU issue. You need yo ensure path MTU discovery works end to end (basically don't block ICMP). You could manually mangle packets in routeros to do that too but blegh.
|
|
#
?
Aug 14, 2013 18:50
|
|
|
falz posted:Sounds like an MTU issue. You need yo ensure path MTU discovery works end to end (basically don't block ICMP). You could manually mangle packets in routeros to do that too but blegh. So... where does MicroTik break this? If it works with DD-WRT, OpenWRT, and pfsense, where would I go looking in RouterOS?
|
|
#
?
Aug 14, 2013 20:14
|
|
|
evol262 posted:So... where does MicroTik break this? If it works with DD-WRT, OpenWRT, and pfsense, where would I go looking in RouterOS? Allowing connection-state=related on the appropriate chains should allow ICMP error messages through. What are your OpenVPN settings?
|
|
#
?
Aug 14, 2013 21:19
|
|
|
SamDabbers posted:Allowing connection-state=related on the appropriate chains should allow ICMP error messages through. What are your OpenVPN settings? code:
|
|
#
?
Aug 14, 2013 21:51
|
|
|
Looks like routeros 6.1 has a fun bug where the DHCP server hangs with 100% CPU and doesn't hand out any more addresses. Emailed their support, but I'm sure the response from support will be to upgrade to something that has been tested even less extensively. There's lots of reports on their forum as well about this. How do you even ship something with a bug like that? (http://forum.mikrotik.com/viewtopic.php?f=1&t=74311 the latest point release also has a different 100% cpu bug  )edit: 6.2rc1 had the bug. Don't know if 6.2 does. Who wants to upgrade and find out? pubic void nullo fucked around with this message at 17:39 on Aug 18, 2013 |
|
#
?
Aug 18, 2013 17:00
|
|
|
Goddamnit MikroTik. 
|
|
#
?
Aug 19, 2013 16:18
|
|
|
support@mikrotik.com posted:Hello, quote:*) fixed bug - sometimes some types of interfaces would stop working;
|
|
#
?
Aug 20, 2013 15:27
|
|
|
pubic void nullo posted:OK, whatever. Let's see what I'm getting into. Browsing the changelog for 6.2... In Latvia
|
|
#
?
Aug 21, 2013 21:17
|
|
|
thebigcow posted:In Latvia Apparently. I'm continually amazed that they keep making "production" releases with such severe regressions. It's implicitly expected in beta/RC releases that things will break while they implement new features, but once the "dot zero" release drops they should only be making bug fixes. Where's the QA team at? I'd like to see them change to a three-part versioning system/development discipline, e.g. x.y.z where x = major release (new routing subsystem, kernel) y = feature release (add/change minor config knobs, new hardware support) z = bugfix/patch build (no functionality or interface changes) Also, a public repo for the GPL components would be nice, but will never happen.
|
|
#
?
Aug 21, 2013 21:59
|
|
|
They also like making hardware revisions without saying anything as some people found out with the RB2011.
|
|
#
?
Aug 22, 2013 15:50
|
|
|
Heads up, apparently there's a pretty horrible exploit in the sshd shipping in RouterOS 5 and 6. You aren't exposing SSH to the outside world, right? Right?
|
|
#
?
Sep 3, 2013 08:20
|
|
|
Oh poo poo. I have the ssh service disabled, but only to get rid of the log noise generated by bad logins. Isn't it enabled by default? That's gonna gently caress up a lot of people. Edit: Looks like you can only use that exploit to crash sshd, not gain access. So it's not really that big of a deal. NOTinuyasha fucked around with this message at 15:54 on Sep 3, 2013 |
|
#
?
Sep 3, 2013 15:50
|
|
|
Already fixed?quote:What's new in 6.3 (2013-Sep-03 12:25):
|
|
#
?
Sep 3, 2013 21:40
|
|
|
If I want to prioritise only one service over all others I believe from my reading that I can simply mark that traffic with a new mark, and have everything else not marked and form the queues around that? Im still reading and I am new to networks in general but it seems thats the theory. I can then say everything that is marked with X should receive priority while everything else should just share what is left over. In this case I need to work on ensuring RDP has priority over people saturating my link.
|
|
#
?
Sep 4, 2013 00:52
|
|
|
drk posted:Already fixed?
|
|
#
?
Sep 4, 2013 01:22
|
|
|
Despite the xauth additions, it still doesn't look like it supports xauth groups, so you still can't use it as a cisco client without using metarouter. Too bad, it's what I wanted to use it for...
|
|
#
?
Sep 5, 2013 19:42
|
|
|
I have a little script here that comes in handy. It pulls the block list from dshield.org ( a regularly updated list of the top 20 botnet/malware producing networks ) and slaps them into an address list to do with what you please. code:code:
|
|
#
?
Sep 9, 2013 18:17
|
|
|
Thanks for the script! That's really nifty!
|
|
#
?
Sep 11, 2013 00:06
|
|
|
Question. I'm the sysadmin for a company of about 400 people, 300 with computers and has ~12 remote branches. It's very rural and the IT budget suffers hard because of this. I was considering rolling out MikroTik at all our branch locations to save some money for more important things like upgrading our loving 40% Windows XP machines. The only thing I'm not sure about is the VPN. Is there any stable VPN solution you guys use with MikroTik? Or can someone recommend third party?
|
|
#
?
Sep 13, 2013 13:29
|
|
|
They support several different types of VPNs. Are you talking point to point between sites or client VPNs for you to occasionally connect to a site?
|
|
#
?
Sep 13, 2013 14:12
|
|
|
Both. Each branch (including the central office) would be connected to each other via site to site VPN in a full mesh configuration (for voip) rather than star, and then each branch would also allow client VPN access.
|
|
#
?
Sep 13, 2013 14:36
|
|
|
Sure you can do GRE or IPIP tunnels and encrypt with IPSec for the site to site links. That would allow you to run IGP (ospf) to allow traffic to other sites to follow other tunnels if you want to. However, depending on the # of sites you'll run in to scalability issues. 3 sites = 3 VPN tunnels on each router (9 configs), 4 = 16 configs, etc. I don't think RouterOS has any cisco-style DMVPN that I believe deals with that situation. Hub and spoke would be better if you had a logically central site, possibly a data center, where you could have a VPN to redundant routers at that location so each spoke site would only require two tunnels to a well connected/well peered up ISP. For client VPN you can take your pick - OpenVPN, PPTP, IPSec client. Also you should get some real point to point layer 2 connection if you want VOIP to work properly between sites. Trusting random DSL or cablemodem connections over the internet probably won't turn out so well. My $.02.
|
|
#
?
Sep 13, 2013 14:54
|
|
|
Hi, thread. RouterOS 6.4 breaks WinBox input forms randomly. That is all.
|
|
#
?
Sep 13, 2013 15:16
|
|
|
falz posted:Sure you can do GRE or IPIP tunnels and encrypt with IPSec for the site to site links. That would allow you to run IGP (ospf) to allow traffic to other sites to follow other tunnels if you want to. However, depending on the # of sites you'll run in to scalability issues. 3 sites = 3 VPN tunnels on each router (9 configs), 4 = 16 configs, etc. I don't think RouterOS has any cisco-style DMVPN that I believe deals with that situation. Perfect, thanks, I'll do some more research on this. Wolf on Air posted:Hi, thread. RouterOS 6.4 breaks WinBox input forms randomly. That is all.  Thanks for the heads up. Was just about to load it on a new router. IT Guy fucked around with this message at 15:33 on Sep 13, 2013 |
|
#
?
Sep 13, 2013 15:31
|
|
|
Honestly I would probably look at Vyatta for your hub VPN concentrator, because at least that way if you're hitting CPU bottlenecks, you can move the config over to a faster machine.
|
|
#
?
Sep 13, 2013 22:25
|
|
|
RouterOS runs on x86 too. A few of the rb1xxx's have crypto offload as well.
|
|
#
?
Sep 14, 2013 13:14
|
|
|
My old Soekris net5501 with a 500MHz AMD Geode is hitting the CPU limits at around 130Mbps aggregate bandwidth on my new glorious 100/100 home connection. My firewall/QoS ruleset is way too heavy for it  It's lasted me since 2007! Wolf on Air fucked around with this message at 15:51 on Sep 14, 2013 |
|
#
?
Sep 14, 2013 15:45
|
|
|
My heart bleeds for you and your 100/100 connection, you lucky bastard.
|
|
#
?
Sep 14, 2013 15:58
|
|
|
I just installed a new Mikrotik router for a client. It's working great with one exception. They have a VOIP unit on the network that can't make or receive calls. I setup the NAT to forward the appropriate ports to the static LAN IP on the device but it still doesn't work. I also tried turning off the NAT helper service ports for SIP and H323 but that didn't work. I suspect it may be a masquerading issue? Before I gently caress around with this more, does anyone have any ideas? The client had a SonicWALL unit prior and we had to enable both "SIP Transformations" and "H323 Transformations" to get it to work.
|
|
#
?
Sep 16, 2013 14:51
|
|
|
SIP natively has NAT issues. Does their SIP device support a STUN server? That would allow it to determine its public IP to put in the SIP header instead of its actual rfc1918 private IP. The sonicwall could've been doing some fuckery to rewrite the header with appropriate public IP.
|
|
#
?
Sep 16, 2013 15:28
|
|
|
There's a SIP helper on the Mikrotik's that I've found causes more problems than it solves, if you're just using a SIP trunk or one device then you can disable it. You should be able to enter the external IP in the SIP client (PBX, handset etc), and then it's just a case of making sure the relevant ports are forwarded (don't forget SIP voice traffic travels over UDP).
|
|
#
?
Sep 16, 2013 15:58
|
|
|
IT Guy posted:I just installed a new Mikrotik router for a client. It's working great with one exception. They have a VOIP unit on the network that can't make or receive calls. I setup the NAT to forward the appropriate ports to the static LAN IP on the device but it still doesn't work. I also tried turning off the NAT helper service ports for SIP and H323 but that didn't work. Can you ping the VoIP unit from within the Mikrotik? Is it using the same IP range as all the other LAN devices? What indicator lights does it show when it boots up?
|
|
#
?
Sep 16, 2013 17:32
|
|
|
So gently caress me. Ignore everything I said. The issue was a simple I had the NAT settings forward to the wrong IP address. I fixed that, tried the voip again, didn't work, re-enabled the SIP and H323 IP helpers and voila, it's working.
|
|
#
?
Sep 16, 2013 17:38
|
|
|
You may want to check to see if your SIP device supports STUN/Nat server entry anyway so you don't have to mess with the router's config to make it work (other than the NAT entry inbound)
|
|
#
?
Sep 16, 2013 19:54
|
|
|
Ugh, I'm seriously irritated with my RB751. It's becoming more and more vexing as to what configuration settings are best for my home wireless setup. The RB750 chugs along without a hitch while this thing freaks out and resets itself or drops link on me. Part of that was goofy drivers on my laptop but it's also just generally lovely behavior from the 751. I think I've got things stabilized and am hoping this will be the last time I have to put any time into fiddling with this horrid contraption. What's worse is that we sell these things like hotcakes at work and I worry that they are performing like poo poo for our customers. We don't get any complaints about them until they burn up but somehow I got one of the  ones I guess. How about you folks? Any gripes about the RB751 series or any of the other offerings?
|
|
#
?
Sep 30, 2013 17:16
|
|
|
I have a 751 running as a basic bridged AP and it's been rock solid for me. I don't have any Apple products though, so that may have something to do with it. Edit: A bad power brick may be causing the reboots. Try swapping it out. SamDabbers fucked around with this message at 18:10 on Sep 30, 2013 |
|
#
?
Sep 30, 2013 17:49
|
|
|
I know this is the Mikrotik thread, but I figured since they're in the same price-level, someone might know... Has anyone used the EdgeRouter Lite system from Ubiquiti, and if so, what did you think of them?
|
|
#
?
Sep 30, 2013 18:11
|
|
|
nexxai posted:Has anyone used the EdgeRouter Lite system from Ubiquiti, and if so, what did you think of them? I have one, and I love it. It runs kinda warm, but that's really the only complaint I have about it. The developers are amazingly responsive to bug reports and feature requests, and being able to run arbitrary Linux software on it is fantastic. The only things that aren't open-source are Ubiquiti's custom web GUI and the hardware offload kernel modules, so it's really easy to tinker with if you want to do something it doesn't support out of the box. Also, OpenVPN is fully supported, even in UDP mode 
SamDabbers fucked around with this message at 18:23 on Sep 30, 2013 |
|
#
?
Sep 30, 2013 18:16
|
|
|
|
| # ? May 16, 2024 00:42 |
|
|
Yeah, they're great little boxes, but they do have CPU limits in how much you can do with them. QoS tends to tax things more than anything else.nexxai posted:Has anyone used the EdgeRouter Lite system from Ubiquiti, and if so, what did you think of them? Also if you have a pc laying around, you can install the community version of Vyatta and run the current revision of the same software the Ubiquiti's running. CrazyLittle fucked around with this message at 20:50 on Sep 30, 2013 |
|
#
?
Sep 30, 2013 20:47
|
|