SamDabbers posted: Where is it failing? Can you successfully connect but not pass traffic, or is the Shrew Soft client unable to connect at all?
Yeah, I can't connect at all, but I don't have those rules set up either on the INPUT chain. Tried adding them to the input chain as such: code:
# ? Jan 2, 2014 04:53 |
Bob Morales posted: We've been using an ancient Adtran 1224R ...
The RB2011iL should be able to handle that. Consider getting the RB2011UiAS for the additional memory, which would allow for more concurrent TCP connections. The Ubiquiti EdgeRouter Lite is another option worth considering for the same $99. It has 512MB RAM, hardware acceleration for packet forwarding (they claim 1Mpps) and IPsec, and the OS is a fork of Vyatta.
movax posted: Yeah, I can't connect at all, but I don't have those rules set up either on the INPUT chain. Tried adding them to the input chain as such:
Try turning on logging for IPsec on the Mikrotik and see if anything interesting shows up in the logs when you're attempting to connect. Also, check that the encryption and hash algorithms match on both sides for both phases. code:
code:
SamDabbers fucked around with this message at 05:28 on Jan 2, 2014
# ? Jan 2, 2014 05:12 |
I have a Procurve with this config: code:
I've gotten most of this to work due to sheer poking around on the router, but I am curious what is the tagged/untagged equivalent command on Mikrotiks?
# ? Jan 8, 2014 06:08 |
Got our Mikrotik RB2011U or whatever in. Feels super cheap and lighter than the cardboard box that it comes in. If you tied a balloon to it, it would float away. That said the web interface is pretty kick rear end and it held up overnight to 65Mbs+ worth of torrents and random downloads. The touch screen was a little weird at first but being able to swipe through the list of interfaces and see the traffic graph for each one is pretty neat.
# ? Jan 8, 2014 14:15 |
jeeves posted: I have a Procurve with this config:
There are two ways to accomplish this. You can either do it via bridge groups (will potentially limit your potential throughput), or you can do it through the switch chip. If you want to do it through the switch chip, there's a little bit of work behind it. You have to slave all of the ports to one master port, and then you use ingress/egress VLAN translation for port defaults. For tagged VLANs, you need to use 'VLAN Tagging' to tag it on a particular port. This is, in my opinion, more easily done through Winbox since it gives a better visual representation of what is going on.
# ? Jan 10, 2014 01:19 |
Here's an example config using the switch chip. In this example, we take Ether 1-8 and slave them together. We then set up ether2-8 to use VLAN 100 as the port default. We go on the ingress and tell it everything coming over VLAN 0 (default, no VLAN, untagged) is going to instead go out into the switch-chip as VLAN 100. Then we do the reverse for the egress: tell it everything on switch-chip VLAN 100 is going to come out of those ports on VLAN 0. I then tag VLAN 100 on Ether1 to use that as an uplink. Once all that is done, I go in, create my VLAN interface for the actual RouterOS to communicate with, and assign an IP to it. EDIT: This config is designed and tested on a Mikrotik CRS. I have not tested this config on any other Routerboard yet. code:
zennik fucked around with this message at 01:47 on Jan 10, 2014
# ? Jan 10, 2014 01:31 |
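The post above describes the switch-chip procedure but its config block did not survive. The following is an added example written here, not zennik's lost config, for a RouterOS 6.x CRS using the pre-6.41 `/interface ethernet switch` menus; it assumes ether1 is the tagged uplink, ether2-ether8 are untagged access ports in VLAN 100, and a constructed router address of 192.168.100.1/24. It also sets `vlan-mode=secure` on every port so that frames carrying a VID not in the switch VLAN table are dropped, which is the check you want if you see the cross-VLAN leakage complained about later in this thread.

```routeros
# Added example, not the original poster's config.
# 1. Slave ether2-ether8 to ether1 so all eight ports live on one switch group.
/interface ethernet
set ether2 master-port=ether1
set ether3 master-port=ether1
set ether4 master-port=ether1
set ether5 master-port=ether1
set ether6 master-port=ether1
set ether7 master-port=ether1
set ether8 master-port=ether1

# 2. Port defaults. Access ports get VLAN 100 as their default VID and have the
#    tag stripped on egress (zennik's post did the untagging with an egress
#    VLAN translation to VID 0 instead). vlan-mode=secure makes the chip drop
#    any frame whose VID is not listed in /interface ethernet switch vlan.
/interface ethernet switch port
set ether1 vlan-mode=secure vlan-header=add-if-missing
set ether2 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether5 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether6 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether7 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether8 vlan-mode=secure vlan-header=always-strip default-vlan-id=100

# 3. Ingress: untagged frames (VID 0) arriving on the access ports are
#    rewritten to VLAN 100 inside the switch chip.
/interface ethernet switch ingress-vlan-translation
add ports=ether2,ether3,ether4,ether5,ether6,ether7,ether8 customer-vid=0 \
    new-customer-vid=100 sa-learning=yes

# 4. Egress: VLAN 100 leaves the uplink tagged.
/interface ethernet switch egress-vlan-tag
add tagged-ports=ether1 vlan-id=100

# 5. VLAN table: the membership list that secure mode enforces. Only these
#    ports may carry VLAN 100; anything else with that VID is dropped.
/interface ethernet switch vlan
add ports=ether1,ether2,ether3,ether4,ether5,ether6,ether7,ether8 vlan-id=100

# 6. Give RouterOS itself an interface in the VLAN and an address on it
#    (address is a constructed example value).
/interface vlan
add name=vlan100 vlan-id=100 interface=ether1
/ip address
add address=192.168.100.1/24 interface=vlan100
```

After applying this, `/interface ethernet switch vlan print` and `/interface ethernet switch port print` are the two places to confirm that no port is a member of a VLAN it should not see.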
I'm pretty new with Mikrotik + VLANs, so thanks for the help. I basically got dumped this project from my lead engineer who has years experience with Cisco/Procurve type stuff, and he said "Figure out VLANs on Mikrotik because I don't want to!" Here's what I did with bridges to get ether1 connected to a VLAN1 out to the internet: code:
I'll look into the switching thing, but I'm still trying to wrap my head around doing tagging/untagging with all of this.
Edit - Talked to the guy who dumped this on me, and it looks like the Procurves he uses only ever use one trunk/upstream port. So doing the hardware switching is probably the way to go.
jeeves fucked around with this message at 21:46 on Jan 10, 2014
# ? Jan 10, 2014 20:13 |
jeeves posted: I'm pretty new with Mikrotik + VLANs, so thanks for the help. I basically got dumped this project from my lead engineer who has years experience with Cisco/Procurve type stuff, and he said "Figure out VLANs on Mikrotik because I don't want to!"
If you want, draw up a basic rundown of how you want it configured and I can help you with a config.
# ? Jan 11, 2014 22:34 |
zennik posted: If you want, draw up a basic rundown of how you want it configured and I can help you with a config.
Basically I need to have this set up:
- ether1, and ether3-ether8 on VLAN id 1, with this VLAN being the gateway/upstream/trunk. I already figured this out via my usage of bridging in my above code, but since there will only be one upstream/trunk per CloudRouter, using the hardware switching is probably better. (This is because these CR are being prepped to replace the more expensive/older Procurve units). Port one has an IP address of the router, and the upstream won't connect unless it is on VLAN1.
- ether2 has another VLAN, in this instance VLAN id 8. It is to be the downstream routed VLAN to a customer, specifically with a /30. They want more after this (a /29 hanging off of that /30), but I want to try to wrap my head around this before going further.
I think once I figure out the translation of tagging to mikrotiks I can probably figure out the rest. Here's the exact procurve setup that this Mikro is supposed to emulate (with the snmp crap taken out this time): code:
jeeves fucked around with this message at 03:21 on Jan 12, 2014
# ? Jan 12, 2014 03:19 |
jeeves posted: Basically I need to have this set up:
Not a problem. Also, just to verify, what model Mikrotik is this?
# ? Jan 12, 2014 03:48 |
CloudRouter Switch. I left it at work, but I can get a complete model number on Monday, but I think all CRS are somewhat the same, RouterOS functionality-wise, right?
# ? Jan 12, 2014 05:11 |
jeeves posted: CloudRouter Switch. I left it at work, but I can get a complete model number on Monday, but I think all CRS are somewhat the same, RouterOS functionality-wise, right?
Correct. I'll work on this later this afternoon and get that pasted here for you.
# ? Jan 13, 2014 18:15 |
I recently heard from a friend who has a CRS that they couldn't get VLAN poo poo working on it properly at all (leaking traffic all over), and after a while Mikrotik support told him that they hadn't actually gotten around to implementing all the parts in the backend that are exposed in the UI, so what happens is, the function for not forwarding prohibited traffic (or whatever he meant, I'm not actually sure) to all VLANs is working, but not the associating-ports-with-VLANs part, so if you do that, you're going to lose all connectivity. Typical Mikrotik behaviour.
# ? Jan 14, 2014 22:35 |
Wolf on Air posted: I recently heard from a friend who has a CRS that they couldn't get VLAN poo poo working on it properly at all (leaking traffic all over), and after a while Mikrotik support told him that they hadn't actually gotten around to implementing all the parts in the backend that are exposed in the UI, so what happens is, the function for not forwarding prohibited traffic (or whatever he meant, I'm not actually sure) to all VLANs is working, but not the associating-ports-with-VLANs part, so if you do that, you're going to lose all connectivity.
Well, that is disheartening, especially since a whole bunch of CRS purchases for my company are basically hinging on me figuring out this VLAN stuff ASAP-- even though I've already heard from 2 other people in person that "Mikrotiks are great... for everything other than VLANs." Is there anything in writing from Mikrotik forums or such about this issue that I can present to my superiors about this?
# ? Jan 14, 2014 23:58 |
I think I might have missed something but if you want something with a bunch of switch ports on just buy a switch, and trunk it to a Mikrotik router if you want. I can't see any advantage to letting Mikrotik do switching when there's so many other established reliable options.
# ? Jan 15, 2014 00:49 |
I was going to say the same thing, then realized that 'cheap copper gig ports' is the reason for tikswitch.
# ? Jan 15, 2014 01:28 |
I'd struggle to pick a switch with Mikrotik's reputation over something like an HP 1810-24G. Granted the 'tik probably has more features but at the end of the day it's a switch and reliability rules the day.
# ? Jan 15, 2014 02:04 |
falz posted: I was going to say the same thing, then realized that 'cheap copper gig ports' is the reason for tikswitch.
This is the reason my job (a local ISP branching out into heavy wireless infrastructure work) wants to use Mikrotik-- cheap gigabit switch that can maybe do router things. Basically they're trying to stop relying on Procurve 2980s and such.
# ? Jan 15, 2014 02:41 |
jeeves posted: This is the reason my job (a local ISP branching out into heavy wireless infrastructure work) wants to use Mikrotik-- cheap gigabit switch that can maybe do router things. Basically they're trying to stop relying on Procurve 2980s and such.
Prices are ebay-style.
# ? Jan 16, 2014 00:14 |
falz posted: Let's just stop you right there and save the trouble- switch to Ubiquiti for all of your bridges+p2mp stuff, use Cisco switches - 2950g are $40 (100mb ports) or 4948 ($800) / 2970g ($300) if you need gig copper. 3560-poe are only $250ish too and can power RocketM5-Ti nicely for p2p or sectors. For routing, some Cisco 3825 ($200 w/ 1gig ram). You'll be in much better shape than replacing all your tik poo poo in a year after lots of pain.
This is very, very good advice. You will have a far easier time managing your network without having to deal with Mikrotik's notoriously buggy implementations. I will also add that switches should switch, routers should route, and wireless bridges should wirelessly bridge; there are always compromises with combo devices. The older Cisco gear requires quite a bit more power though. There are stable, lower-power options out there for switching and routing if your power budget at your POPs/towers won't support that kind of load. Of course, you sacrifice some functionality by not going with Cisco, since IOS supports everything you could possibly want to do with a network, but that doesn't matter if your design doesn't need those features.
# ? Jan 16, 2014 01:04 |
Sorry for the delay, here's a config that should accomplish what you want. Also, they aren't incorrect in their suggestions on using a better switch. The CRS is a work in progress and not all the features on the switch-chip work, as of yet. That being said, if you aren't having any issues as of right now with throughput (i.e., you should be fine up to around 200-300 megabit), then sticking with the bridge group is the safest bet for the time being. code:
# ? Jan 16, 2014 05:20 |
Thanks for the code, zennik. It's really helpful to have some sort of starting code to work with to show my superiors on this project instead of just being like "well I couldn't really get it to work but everyone says it sucks anyhow so let's just keep using Mikrotiks for just the small stuff like routers in front of customers' office ports and or switches off of wireless points of presence" And yeah, this whole project is basically my superiors wow'd by how cheap RB750s are for small things, and "Oh gently caress they make CRS now for only $200? We should replace ALL OF OUR PROCURVES WITH THESE DUE TO $$$$$$$$$$" which is a bit scary to me.
# ? Jan 16, 2014 06:12 |
Don't forget to factor in the ProCurve next-day lifetime replacement warranty if you need to do cost comparisons. And the fact that they work, of course.
# ? Jan 16, 2014 14:48 |
jeeves posted: Thanks for the code, zennik. It's really helpful to have some sort of starting code to work with to show my superiors on this project instead of just being like "well I couldn't really get it to work but everyone says it sucks anyhow so let's just keep using Mikrotiks for just the small stuff like routers in front of customers' office ports and or switches off of wireless points of presence"
Having worked with people like that in the past, for nearly 8 years... I can say without a doubt that if that is their mentality, then prepare to become very well versed in Mikrotiks. Yes, ProCurves and similar switches would be nicer... but unless you have to meet some kind of compliance standards as far as security... well, the bleedover that occasionally happens when doing VLANs in Mikrotiks is fairly manageable. Just understand that especially on the RB750, your CPU is limited. Pick the right Routerboard for the right deployment.
# ? Jan 17, 2014 01:46 |
I couldn't get the above switch code to work, probably because I failed to mention that ether1 was going to be the trunk port that VLAN1 was going through. I got the trunk port to work with bridging at least, I just need to figure out if ingress/egress-vlan-translation and tagged-ports for vlan-ids work with bridging. Or maybe just try to convert the below to switch code versus bridge code. Here's the bridge code that I used to get ether1 on VLAN1 and out to see the world, but now I need ether2 on VLAN8 to see the world through VLAN1/ether1: code:
code:
jeeves fucked around with this message at 20:13 on Jan 17, 2014
# ? Jan 17, 2014 19:31 |
So I have a new setup to work with for a client. I picked up an RB750 and a Unifi AP. One of the requirements is that we block access to all web traffic except a couple of sites, no problem .. so I thought. Using the web proxy as normal, however, one of the pages is HTTPS and will not load. Is there any way to allow this site?
# ? Jan 28, 2014 00:19 |
mAlfunkti0n posted: So I have a new setup to work with for a client. I picked up an RB750 and a Unifi AP. One of the requirements is that we block access to all web traffic except a couple of sites, no problem .. so I thought.
I've never done this using a proxy, but I know you can set up firewall rules to block all traffic except Layer7 protocols you specify. I use this to block facebook and google apps and such, but you could do the reverse, block all EXCEPT for the patterns you specify.
# ? Jan 28, 2014 00:39 |
Oh hey, this thread. I got my issue to work with VLANs, basically I had to set up a bridge to get the router itself to have an IP address to log in through, and then had to set up a switch code to have the vlans trunk through the main port.
# ? Jan 28, 2014 00:43 |
zennik posted: I've never done this using a proxy, but I know you can set up firewall rules to block all traffic except Layer7 protocols you specify. I use this to block facebook and google apps and such, but you could do the reverse, block all EXCEPT for the patterns you specify.
Ahh, I will check this out. Thanks!
# ? Jan 28, 2014 00:44 |
Next Mikrotik quandary: is it possible to have multiple networks share one trunk? Currently I have like 3 Mikrotiks, each feeding a different office. So each Mikrotik has a single upstream (with an individual network IP) and 4 DHCP addresses. I'm trying to consolidate these Mikrotiks into a single Cloudrouter-- my gut tells me they can all share a single upstream, but I know the easiest way to do this is to make a dedicated upstream for each of the consolidated Mikrotiks in the CRS. Basically instead of: code:
code:
jeeves fucked around with this message at 00:48 on Feb 4, 2014
# ? Feb 4, 2014 00:44 |
jeeves posted: Next Mikrotik quandary: is it possible to have multiple networks share one trunk?
Maybe I'm misunderstanding your post but what you're describing is exactly vlans.
# ? Feb 4, 2014 01:42 |
kiwid posted: Maybe I'm misunderstanding your post but what you're describing is exactly vlans.
It's been a long day and I guess I didn't know how to describe what I was looking for, especially since I know gently caress all about VLANs (as my previous posts show). I basically want to try to compress a bunch of other smaller RB750s into one CloudRouter, but save as many ports as I can by having only one WAN port on the CRS instead of one per RB750. The sub networks that the RB750s used to be on need to stay completely different (hence the easy but dumb solution of preserving the old RB750s' WAN ports on the CRS), but I figure I'd try to save some ports and have only one WAN port. If I was breaking all of the small networks (with their own WAN IPs) into VLANs from the shared WAN port, how would I get it to route the traffic to specific subnets? Basically I currently have a managed switch giving out IPs, which go down to individual WAN ports on a bunch of RB750s. The RB750s then split those off into DHCP internal IPs for the office jacks that it serves (one RB per office). I'm trying to consolidate all of those RBs into one CRS, with maybe just one WAN port, but no VLAN trunking pushed down from the original managed switch. I may be describing this incorrectly, as by the end of today I couldn't even get the CRS to route traffic from a WAN port to a bunch of NAT'd DHCP ports (trying it the dumb way of having one WAN per subnet), even though the setup was pretty much mirroring what I do on a working office upstream RB750s. So yeah, I may be missing something simple here.
edit - I should probably take this quandary to a networking thread, as it is more general VLAN planning than Mikrotik specific.
jeeves fucked around with this message at 17:03 on Feb 4, 2014
# ? Feb 4, 2014 05:35 |
Hi, I recently got a RB951G-2HnD (running 6.9) and am loving it. Just using it for basic home usage. I have an OpenVPN server that I have running on a VPS that I use to watch Netflix in Australia. Previously I had a router running TomatoUSB with an OpenVPN client, and all was well. I was wondering if it would be possible to have the RB configured so that interfaces [1-3] are the standard home setup, with interface 4 routing everything over the OpenVPN, including DNS requests. Therefore I will only have to switch which ethernet port my PS4 is in to go on the VPN or not. I've managed to configure my OpenVPN client successfully, and it connects and maintains connection. The rest eludes me as networking is not my strong point. My current configuration is as follows: code:
# ? Feb 8, 2014 05:05 |
ssergE posted: Hi
Too tired to give you a whole config. But basically you can do it 2 ways. You can take those other ports and put them on their very own bridge, create their own subnet, and then create a NAT src-nat rule with the action src-nat being the IP on your OVPN interface, or alternatively the out interface being your OVPN interface. Option 2 is to just create individual src-nat rules for specific internal IPs.
# ? Feb 9, 2014 16:24 |
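Option 1 from the reply above, carried through as an added example (not ssergE's or zennik's config): the src-nat rule alone does not send the traffic into the tunnel, so a routing mark and a per-mark default route are added, plus rules that keep DNS and WAN fallback from leaking when the tunnel is down. Assumed names and values are constructed: the OpenVPN client interface is `ovpn-out1`, the WAN port carries the RouterOS default name `ether1-gateway`, ether4 moves to its own subnet 192.168.89.0/24, and the VPN-side resolver is 10.8.0.1.

```routeros
# Added example, not from the original thread. RouterOS 6.x.
# 1. Take ether4 off the LAN bridge and give it its own bridge and subnet.
/interface bridge
add name=bridge-vpn
/interface bridge port
remove [find interface=ether4]
add bridge=bridge-vpn interface=ether4
/ip address
add address=192.168.89.1/24 interface=bridge-vpn
/ip pool
add name=pool-vpn ranges=192.168.89.10-192.168.89.50
/ip dhcp-server
add name=dhcp-vpn interface=bridge-vpn address-pool=pool-vpn disabled=no
/ip dhcp-server network
add address=192.168.89.0/24 gateway=192.168.89.1 dns-server=10.8.0.1

# 2. Mark every connection from that subnet so it is looked up in a
#    separate routing table instead of the main one.
/ip firewall mangle
add chain=prerouting in-interface=bridge-vpn src-address=192.168.89.0/24 \
    action=mark-routing new-routing-mark=via-vpn passthrough=no

# 3. Default route for that table through the OpenVPN interface.
#    Note: if the tunnel is down this route goes inactive and RouterOS falls
#    back to the main table, i.e. the port would fail OPEN to the WAN.
#    Rule 6 below is what makes it fail closed.
/ip route
add dst-address=0.0.0.0/0 gateway=ovpn-out1 routing-mark=via-vpn

# 4. Source NAT behind the tunnel address (ssergE's option 1, out-interface form).
/ip firewall nat
add chain=srcnat out-interface=ovpn-out1 action=masquerade

# 5. Force DNS from that subnet to the VPN-side resolver, so a host with a
#    hard-coded public resolver cannot leak its queries out the WAN.
add chain=dstnat in-interface=bridge-vpn protocol=udp dst-port=53 \
    action=dst-nat to-addresses=10.8.0.1
add chain=dstnat in-interface=bridge-vpn protocol=tcp dst-port=53 \
    action=dst-nat to-addresses=10.8.0.1

# 6. Drop anything from the VPN subnet that tries to leave via the WAN port
#    directly (which is exactly what happens while the tunnel is down).
/ip firewall filter
add chain=forward src-address=192.168.89.0/24 out-interface=ether1-gateway \
    action=drop
```

With the tunnel disabled, a host on ether4 should lose all connectivity rather than silently route via the WAN; `/ip firewall filter print stats` on rule 6 will show the dropped attempts.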
Is there an updated tutorial / guide somewhere on setting up QoS via PCQ on RouterOS 6.x? Basically want to set up QoS such that with (example numbers) 10Mbit w/ 1 user, he gets 10mbit, 2 users, each is guaranteed at least 5mbit, etc. My old setup with PCQ seemed to work OK, but of course I forgot to back it up.
# ? Feb 17, 2014 06:17 |
This is probably a pretty dumb question, but haven't been able to be 100% based on licensing rules and such. I've got a 951-2Hnd or something or another with an L4 license and 5.25 ROS. I heard something about not being able to upgrade versions with that license unless it's one behind. What can I actually upgrade to, or am I stuck with 5.25 unless I fork out extra dollars?
# ? Feb 18, 2014 18:04 |
Atreus posted: This is probably a pretty dumb question, but haven't been able to be 100% based on licensing rules and such.
951 should be able to run the latest, no problem. You'll just have to manually drop in the 6.x ROS package file, as the auto updater won't upgrade from 5.x to 6.x
# ? Feb 18, 2014 19:14 |
What he said. http://wiki.mikrotik.com/wiki/Manual:License#Licenses_and_RouterOS_upgrades
# ? Feb 18, 2014 20:10 |
movax posted: Is there an updated tutorial / guide somewhere on setting up QoS via PCQ on RouterOS 6.x?
If you find any, can you link it? I think this is something I'll be looking at in the near future.
# ? Feb 20, 2014 16:49 |
Just got a couple RB2011-lettersgohere for a project and a few things stood out, mostly because MikroTik has nothing but pictures from the front of the device.
# ? Feb 26, 2014 05:18 |