|
kiwid posted:Ah yes it is, but why? Is there a setting for this in your vpn software?
|
#
?
Dec 9, 2013 19:24
|
|
|
|
| # ? May 22, 2024 10:06 |
|
|
Does anyone know if Mikrotik routers can be made into firewalls that are just straight pass through devices without changing the IP addresses of the things behind it? This is a request coming in from a client who may be asking for something that is impossible to do, but I thought I would ask here first.
|
|
#
?
Dec 9, 2013 20:36
|
|
|
Isn't that called not using NAT?
|
|
#
?
Dec 9, 2013 20:40
|
|
|
thebigcow posted:Is there a setting for this in your vpn software? No there isn't. It's just Windows 8 built in client but I haven't specified my DNS in the settings.
|
|
#
?
Dec 9, 2013 22:34
|
|
|
Caged posted:Isn't that called not using NAT? Yeah but they want it to be a firewall as well, and I was curious if Mikrotiks could do both (non-NAT + controllable firewall)
|
|
#
?
Dec 9, 2013 22:55
|
|
|
jeeves posted:Yeah but they want it to be a firewall as well, and I was curious if Mikrotiks could do both (non-NAT + controllable firewall) Absolutely. NAT and filtering are independent features that work together, but there's no requirement to NAT if you just want to filter.
|
|
#
?
Dec 9, 2013 23:01
|
|
|
Most vendors call that 'transparent' mode, as opposed to routed or NAT mode.
|
|
#
?
Dec 11, 2013 03:06
|
|
|
BurgerQuest posted:Most vendors call that 'transparent' mode, as opposed to routed or NAT mode. To elaborate a bit: it depends on whether you're talking about layer 2 or 3. "Transparent" typically refers to a layer 2 firewall application, where the interfaces on which filtering is done are bridged together and don't have an IP address assigned. Devices on either side of the firewall don't "see" the firewall, in much the same way that a switch is "transparent" to devices connected to it. Mikrotiks can do this, though support is limited for protocols other than IPv4. Layer 3 or "routed" mode is how firewalls are typically deployed, where IP addresses are assigned to each interface and packets are selectively routed based on the filtering rules configured. In contrast to "transparent" mode, devices on either side of the firewall "see" it as an IP router. NAT is a feature typically associated with layer 3 (IP NAT) but the Mikrotik can also do address translation at layer 2 (MAC NAT). It's not particularly useful for wired networks, but can be useful in certain wireless networks due to the way 802.11 associates a single MAC address with a single radio in non-WDS mode. SamDabbers fucked around with this message at 04:51 on Dec 11, 2013 |
|
#
?
Dec 11, 2013 04:49
|
|
|
Hey everyone, was told to post over here for some assistance. I have the RB450G and I am trying to create a VLAN (2) and "pass" it to my Dell Powerconnect 2724 switch via port 1. My current configuration is as follows : [admin@MikroTik] /interface> print Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE 0 R ether1-gateway ether 1 R ether2-master-local ether 2 R ether3-slave-local ether 3 R ether4-slave-local ether 4 R ether5-slave-local ether 5 R vlan2 vlan /interface vlan # NAME MTU ARP VLAN-ID INTERFACE 0 R vlan2 1500 enabled 2 ether4-slave-local /ip address Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 ;;; default configuration 192.168.1.1/24 192.168.1.0 ether2-master-local 1 192.168.2.1/24 192.168.2.0 vlan2 2 D xxx.xxx.xxx.xxx/21 xxx.xxx.xxx.xxx ether1-gateway Once the address is added I can ping the gateway (192.168.2.1) from terminal in the mikrotik. On the switch I have port 1 set to tag vlan2 and then untag on ports 17 and 18 (the ports are connected to NICs in my ESXi boxes with no VLAN set in the vswitch). I cannot ping the gateway from the VM I have setup. I am rather new to Mikrotik so have pity on me! 
|
|
#
?
Dec 21, 2013 04:47
|
|
|
How easy are these things to set up these days? I'm helping a (very) small business get their office network up, and we need a wired router to go along with the uniFi unit. Can someone like me with minimal networking experience get one set up to just work as a boring, no-frills router? If not, any other suggestions (the wired router market for small businesses is not huge at this point).
|
|
#
?
Dec 21, 2013 04:55
|
|
|
mAlfunkti0n posted:Hey everyone, was told to post over here for some assistance. Is your switch a layer 2 or 3 switch? If layer 2, does it have an IP address on your management vlan? If layer 3, do you have your default route setup?
|
|
#
?
Dec 21, 2013 04:58
|
|
|
kiwid posted:Is your switch a layer 2 or 3 switch? If layer 2, does it have an IP address on your management vlan? If layer 3, do you have your default route setup? It is a layer 2 switch, it's IP is on the management vlan (192.168.1.0 and its IP is 192.168.1.5)
|
|
#
?
Dec 21, 2013 05:00
|
|
|
mmm11105 posted:How easy are these things to set up these days? I'm helping a (very) small business get their office network up, and we need a wired router to go along with the uniFi unit. Can someone like me with minimal networking experience get one set up to just work as a boring, no-frills router? If not, any other suggestions (the wired router market for small businesses is not huge at this point). You don't have to use the command line interface if you don't want. It has a full web GUI and Windows GUI. It's not overly complicated but it's also not as easy as setting up a SOHO router.
|
|
#
?
Dec 21, 2013 05:00
|
|
|
mAlfunkti0n posted:It is a layer 2 switch, it's IP is on the management vlan (192.168.1.0 and its IP is 192.168.1.5) So port 1 on the switch is plugged into port 4 on the RB450G, correct? What IP address are you setting in your VMs and what gateway IP? Your setup sounds fine. I checked my config and the only thing I have different is that I have a DHCP server on my vlan interface. edit: Have you tried turning off the master port for interface ether 4? kiwid fucked around with this message at 05:06 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:03
|
|
|
kiwid posted:So port 1 on the switch is plugged into port 4 on the RB450G, correct? Correct, Port 1 on switch goes to port 4 on the RB450G. I am running Ubuntu from the ISO (just to test) and have assigned it 192.168.2.5 with a gateway of 192.168.2.1 Im really starting to think this switch is screwy. I had a 16 port model as well and it was odd.
|
|
#
?
Dec 21, 2013 05:06
|
|
|
mAlfunkti0n posted:Correct, Port 1 on switch goes to port 4 on the RB450G. And just to be sure, you're untagging vlan2 on ports 17 and 18, right? Not the management vlan? Also, can you rule out the mikrotik by plugging in two machines to each port on the switch and see if they can ping each other? edit: does your switch have any diag tools that you can ping 192.168.2.1 from the switch? kiwid fucked around with this message at 05:12 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:10
|
|
|
kiwid posted:And just to be sure, you're untagging vlan2 on ports 17 and 18, right? Not the management vlan? Correct untagging vlan2 on ports 17 and 18. The Dell switch can ping other machines, not sure if that's what you were asking or not. The mikrotik has all of its ports connected to other devices right now and those are working. Is that what you were asking? Sorry, my brain is starting to shut down this evening. Edit : I connected one of the ESXi servers (second NIC that I am trying to use on VLAN2) and changed the VLAN port on the vSwitch to None and then 2 just to test. Setting it to 2 and I still can't ping 192.168.2.1, setting it to none and then assigning a 192.168.1.225 IP (management vlan) and I can ping 192.168.1.1 and 192.168.2.1. mAlfunkti0n fucked around with this message at 05:21 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:16
|
|
|
mAlfunkti0n posted:Correct untagging vlan2 on ports 17 and 18. What happens if you set port 17 and 18 to tag vlan 2 and untag the management vlan, then in ESXi set the VM Network a vlan id of 2? edit: also on the switch, if the above doesn't work, did you try setting the port type for 17 and 18 to an access port instead of trunk and untagging vlan 2? kiwid fucked around with this message at 05:32 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:25
|
|
|
kiwid posted:What happens if you set port 17 and 18 to tag vlan 2 and untag the management vlan, then in ESXi set the VM Network a vlan id of 2? So it seems on the switch that you cant untag the management vlan when you have assigned he port to another VLAN, it just leaves the port assignment blank. I have tried tagging vlan 2 on ports 17 and 18 and trying both setting the vSwitch to VLAN 0 (none) or VLAN 2 .. sadly neither work.
|
|
#
?
Dec 21, 2013 05:35
|
|
|
mAlfunkti0n posted:So it seems on the switch that you cant untag the management vlan when you have assigned he port to another VLAN, it just leaves the port assignment blank. I have tried tagging vlan 2 on ports 17 and 18 and trying both setting the vSwitch to VLAN 0 (none) or VLAN 2 .. sadly neither work. Hmm, I'm not sure, it sounds like your switch config. If I was you I'd uncomplicate the testing by getting esxi out of the question and hooking up just a physical device and go from there. Can you do an /interface ethernet print kiwid fucked around with this message at 05:45 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:41
|
|
|
kiwid posted:Hmm, I'm not sure, it sounds like your switch config. If I was you I'd uncomplicate the testing by getting esxi out of the question and hooking up just a physical device and go from there. Yeah, I am thinking it is as well. Honestly I really dislike these because they offer zero configuration options other than the web UI and its an old old old web UI that doesn't like anything other than IE6. I will boot up another machine on it an play around.
|
|
#
?
Dec 21, 2013 05:45
|
|
|
mAlfunkti0n posted:Yeah, I am thinking it is as well. Honestly I really dislike these because they offer zero configuration options other than the web UI and its an old old old web UI that doesn't like anything other than IE6. I will boot up another machine on it an play around. Does the web gui look like this? 
|
|
#
?
Dec 21, 2013 05:49
|
|
|
kiwid posted:Does the web gui look like this? Looks similar to that. My navigation links are not nested, but the rest of the UI is the same.
|
|
#
?
Dec 21, 2013 05:52
|
|
|
mAlfunkti0n posted:Looks similar to that. My navigation links are not nested, but the rest of the UI is the same. The only other thing I owuld try is to set ports 17 and 18 as access ports under the vlan port settings:  and make sure vlan 2 is untagged on those two ports. Keep port one as a trunk port with the management vlan untagged, vlan 2 tagged. Otherwise I give up. Oh, can you print /interface ethernet print and make sure ports ether 3,4 and 5 have ether 2 as the master port. Other than that, I'm lost. Keep in mind, if you set the port as an access port, you can't set the vlan id in esxi.
|
|
#
?
Dec 21, 2013 05:56
|
|
|
kiwid posted:The only other thing I owuld try is to set ports 17 and 18 as access ports under the vlan port settings: Sadly mine doesn't have the option for access mode, it's rather simple. I believe I probably need to part ways with this switch and pick up a less irritating one. On the topic of eithernet ports, they are set to ether 2 as the master port. I greatly appreciate your help with everything! Edit : Interestingly I changed the assignment of ether4's master port to none and on the VM (ESXi host is now directly connected to the 450G) I can now ping the 192.168.2.1 gateway. And testing further I can ping 192.168.1.1 and ping google.com as well. Going to connect it to the switch now. This seems to be due to the fact that I had the switch port 1 connected to ether 5. Still need to do further testing. mAlfunkti0n fucked around with this message at 06:36 on Dec 21, 2013 |
|
#
?
Dec 21, 2013 05:59
|
|
|
Just figured it out after reading and re-reading the switching details on the RB450G. So, here is whats up: I am running the default configuration for the RB450G, which has ether port 1 as a WAN port, with Ether port 2 as the switch and then ports 3-5 slaved to it. Because of this, essentially, ports that are slaved basically don't do anything, it is all done via ether port 2. So assigning VLANs to ports 3-5 won't work because they are slaved. Assigning the VLANs to ether port 2 allows everything to function properly. Here are the details from Mikrotik : Port Switching Switching feature allows wire speed traffic passing among a group of ports, like the ports were a regular ethernet switch. You configure this feature by setting a "master-port" property to one ore more ports in /interface ethernet menu. A 'master' port will be the port through which the RouterOS will communicate to all ports in the group. Interfaces for which the 'master' port is specified become inactive - no traffic is received on them and no traffic can be sent out. Edit : Just tested with the Dell switch in place and everything is working. mAlfunkti0n fucked around with this message at 16:52 on Dec 22, 2013 |
|
#
?
Dec 22, 2013 16:01
|
|
|
Interesting. Glad you solved it. I've been using a bridge rather than the hardware switching so that'd be why mine was working and yours isn't.
|
|
#
?
Dec 22, 2013 17:41
|
|
|
mmm11105 posted:How easy are these things to set up these days? I'm helping a (very) small business get their office network up, and we need a wired router to go along with the uniFi unit. Can someone like me with minimal networking experience get one set up to just work as a boring, no-frills router? If not, any other suggestions (the wired router market for small businesses is not huge at this point). <points up above to the VLAN conversation> SEE? Look at how easy these things are to setup! Hahaha, actually in the 5.x and 6.x firmware they have a new Quick Setup feature that makes them dirt simple to setup, even for non-technical folks. Out of the box they Do the Right Thing with their default config to get you up and running as if it were a SOHO router. Couple that with the fact that they are cheap as hell and you probably won't go wrong if you give one a try. Best of all, you can back up the config when you have your office setup and when the poor unit dies to some power surge or some other awful thing, you just drop that config into a new unit and are back up in running in minutes. Vroom vroom!
|
|
#
?
Dec 22, 2013 18:48
|
|
|
CuddleChunks posted:<points up above to the VLAN conversation> SEE? Look at how easy these things are to setup! Yeah, that is the fun thing with Mikrotik is that there are a billion ways to configure (it seems) the device to do what you want. I have spent days now on the issue above, but honestly had I sat and thought about what I was reading it probably would have kicked in a bit sooner. However, for the price and the features Mikrotik devices are hard to beat. kiwid posted:Interesting. Glad you solved it. What are the advantages/disadvantages of using bridges vs the hardware switching? I would imagine CPU usage would be higher since the bridge is software.
|
|
#
?
Dec 23, 2013 03:41
|
|
|
mAlfunkti0n posted:What are the advantages/disadvantages of using bridges vs the hardware switching? I would imagine CPU usage would be higher since the bridge is software. I have device that has two switch chips and wlan so I bridge them together and use the bridge interface, otherwise I'd use the hardware chip. kiwid fucked around with this message at 04:57 on Dec 23, 2013 |
|
#
?
Dec 23, 2013 04:55
|
|
|
Hardware switching is line speed between ports on the same switch chip, and software bridging is CPU bound but you can use it with any group of ports and inspect/filter/mangle the traffic. Basically, hardware switching is preferred if it's possible with your hardware and topology.
|
|
#
?
Dec 23, 2013 05:58
|
|
|
Does anyone know how much better the antennas on the 2011 are compared to the internal antenna on the 951G? I'm considering using two to make a wireless bridge in an old building and would rather use the nondescript white 951G than have a big black and red box with an lcd screen and antenna poking out.
|
|
#
?
Dec 26, 2013 18:05
|
|
|
How's the wireless in the 2011 series? Debating whether to go for one of those or a 750GL + a UniFi LR. What's my best bet for good WiFI reception/extensibility and how annoying would setting up a UniFi in a MicroTik system be?
|
|
#
?
Dec 27, 2013 01:10
|
|
|
mmm11105 posted:How's the wireless in the 2011 series? Debating whether to go for one of those or a 750GL + a UniFi LR. I have a CRS which is basically a 24 port 2011, and I have no complaints about the WiFi. Gets full coverage in a 2200 sq ft house, average 70-80 megabit over the WiFi to the internet.
|
|
#
?
Dec 27, 2013 03:20
|
|
|
Hey folks - Time for noob questions again! 1. How's 6.x doing? On 5.25 right now, wondering if I should take the plunge at this point to go to 6.x. RB450G 2. What is the least painful VPN method to set-up? I'm not an expert in this field, but I enjoy the hell out of the setup we have at work where I turn on the Juniper Pulse client and it only VPN's the traffic it needs too (i.e. it doesn't completely cut off every active connection on my machine). I think this is IPSec? 3. Related to above, I assume along with those I can setup a separate IP address pool for machines that VPN in? 4. Asked this one before I think; I'm kinda torn between leaving some internal resources on the same network as all the other machines, vs. putting them on their own VLAN'd 'management' network. If I wanted to do this, can I have DHCP/MikroTik be smart enough to place certain MAC addresses in a certain VLAN / IP address pool?
|
|
#
?
Dec 30, 2013 03:23
|
|
|
movax posted:2. What is the least painful VPN method to set-up? I'm not an expert in this field, but I enjoy the hell out of the setup we have at work where I turn on the Juniper Pulse client and it only VPN's the traffic it needs too (i.e. it doesn't completely cut off every active connection on my machine). I think this is IPSec? Ipsec is the encryption protocol. You're thinking about a "split tunnel" where your regular internet bound traffic is not tunneled over the VPN, but VPN remote-network traffic is. Yes mikrotik should be able to do this. PPTP is the simplest vpn to setup, but also the least secure since encryption can be option with PPTP. Don't use PPTP if you're using a VPN for security reasons. Yes, VPN clients should have their own subnet so that you can establish access policies. Treat VPN clients like a separate zone.
|
|
#
?
Dec 30, 2013 20:14
|
|
|
movax posted:1. How's 6.x doing? On 5.25 right now, wondering if I should take the plunge at this point to go to 6.x. RB450G movax posted:2. What is the least painful VPN method to set-up? I'm not an expert in this field, but I enjoy the hell out of the setup we have at work where I turn on the Juniper Pulse client and it only VPN's the traffic it needs too (i.e. it doesn't completely cut off every active connection on my machine). I think this is IPSec? movax posted:3. Related to above, I assume along with those I can setup a separate IP address pool for machines that VPN in? movax posted:4. Asked this one before I think; I'm kinda torn between leaving some internal resources on the same network as all the other machines, vs. putting them on their own VLAN'd 'management' network. If I wanted to do this, can I have DHCP/MikroTik be smart enough to place certain MAC addresses in a certain VLAN / IP address pool? SamDabbers fucked around with this message at 20:32 on Dec 30, 2013 |
|
#
?
Dec 30, 2013 20:29
|
|
|
SamDabbers posted:ROS 6 has the ability to provide basic XAUTH and MODECFG support for IPsec VPNs (the way Cisco/Juniper do with their client programs), and you should be able to get similar functionality using the Shrew Soft VPN client. I haven't played with it yet, but there's an example config on the Mikrotik wiki. I gave that example config a try, and doesn't seem to be working; do I need to add a NAT rule or firewall rule somewhere for port 500?
|
|
#
?
Jan 2, 2014 04:34
|
|
|
movax posted:I gave that example config a try, and doesn't seem to be working; do I need to add a NAT rule or firewall rule somewhere for port 500? Where is it failing? Can you successfully connect but not pass traffic, or is the Shrew Soft client unable to connect at all? You should allow at least UDP/500 and UDP/4500 (and probably protocol 50 - ESP) on the INPUT chain for IPsec to work. You'll probably also need some rules in the FORWARD chain to allow the VPN pool subnet to talk to the internal network and vice-versa. Maybe post your sanitized config so we can take a look?
|
|
#
?
Jan 2, 2014 04:40
|
|
|
|
| # ? May 22, 2024 10:06 |
|
|
We've been using an ancient Adtran 1224R switch/router for our cable modem at the. It's just for wifi and testing, our company internet connection is separate. The other day we upgraded to 60mb from 30mb, and not only are we limited to 50mb through that device (it does 61mb though a consumer D-Link router) it will freeze up and reboot if we max the connection out with torrents. The docs claim 30,000 pps which at 1.5kb each would be 45mb so that sounds about right. Does the $99 rb2011il seem like the perfect replacement or what? Basically needs to just do NAT and DHCP for about 200 devices and handle peaking out the connection without freezing up. The D-Link needs reset every few days so I can't use that.
|
|
#
?
Jan 2, 2014 04:51
|
|
