zennik
Jun 9, 2002

thebigcow posted:

Does anyone know the minimum system requirements for Winbox?

Windows XP
120kb of HD space
2MB of RAM


thebigcow
Jan 3, 2001

Bully!
Oh. Thank you.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Or WINE, works fine there.

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

I do tech support for a couple of small business clients using these old netgear fvs318 vpn routers: http://www.newegg.com/Product/Product.aspx?Item=N82E16833122007

They're solid devices for VPN wired, except that the LAN to WAN bandwidth tops out at around 5 megabit for regular traffic. Due to adding more IP stuff recently, that's not cutting it anymore (they mostly have cable/fios for business so this cuts down their bandwidth pretty badly). They need the VPN support, and the OP mentions that IPsec murders throughput on a Mikrotik. Would it cause problems similar to the netgear where the total bandwidth would be severely hampered, or would they be able to manage maybe 20 megabit for normal NAT LAN to WAN traffic while using a VPN connection which has very low bandwidth requirements?

I was looking at the RB750GL or RB2011iL as a potential drop-in replacement. Considering the pricing I may just pick up the RB750GL just to try it out (I have one of the netgears spare) if there isn't a lot of information about this specific situation available.

PUBLIC TOILET
Jun 13, 2009

Still having clients dropping from the WiFi even enabling the Adaptive Noise Immunity setting. I'm pretty tired of this, what are some other robust WiFi routers out there I can use? I see some recommendations for the ASUS ones but I don't know how their interface is.

CuddleChunks
Sep 18, 2004

Rexxed - the rb750gl should do well for you. I've got one at home and it's a real trooper. I think it's a safe bet to try that model. There are other routerboard models with a ton more power if needed.


Public Toilet - ugh, I got tired of fiddling with wireless at home and ditched my rb751 for an AirPort Extreme base station 5th gen. Works great.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Rexxed - the rb750gl should do well for you. I've got one at home and it's a real trooper. I think it's a safe bet to try that model. There are other routerboard models with a ton more power if needed.


Public Toilet - ugh, I got tired of fiddling with wireless at home and ditched my rb751 for an AirPort Extreme base station 5th gen. Works great.

Well AirPort Extreme is all well and good, but I like the extensive configuration of the MikroTik equipment. Are there any other affordable, Cisco-alternative WiFi/router solutions out there that perform well? I see there's the Buffalo AirStation AC 1750 and the upcoming Linksys WRT1900AC. What about a MikroTik router/switch solution with an entirely separate WiFi AP solution (like Ubiquiti)? Would a Gigabit MikroTik router/switch with a Ubiquiti WiFi AP make more sense and be reliable?

The Diddler
Jun 22, 2006


PUBLIC TOILET posted:

Would a Gigabit MikroTik router/switch with a Ubiquiti WiFi AP make more sense and be reliable?

This is what I do, and it works really well.

Partycat
Oct 25, 2004

For most things in this market segment they are separate hardware. Yes it could have wireless in it, but as long as warranty isn't an issue you could be running the router portion for a decade without needing to do anything with it. The wireless part, probably not.

My rb750 got accessed via WAN with default admin credential within about 60 seconds of plugging it in, so I have yet to get it properly set up or I would be more helpful here.

Regarding wireless, some devices seem to choose to implement authentication credential wrapping in exciting ways which does not work in many enterprise environs. I don't know why that is but if you can use cert based auth I would hope that gets around that poo poo.
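The "accessed over the WAN with the default admin credential within a minute" scenario above is the reason a RouterBOARD gets locked down before its WAN cable goes in. The following is an added example (not Partycat's or anyone else's configuration from the thread) of that first-boot lockdown on RouterOS v6. Assumptions: ether1 is the WAN port, 192.168.88.0/24 is the LAN, and the two IPsec rules are there only because the routers in this thread also terminate site-to-site tunnels.

```routeros
# Added example (not from the thread): first-boot lockdown of a RouterOS v6
# router. Assumptions: ether1 = WAN, 192.168.88.0/24 = LAN; the IPsec
# rules exist only because these routers also carry site-to-site tunnels.

# 1. Replace the empty default admin password before anything else
/user set admin password="REPLACE-WITH-A-LONG-RANDOM-PASSPHRASE"

# 2. Management services answer only to LAN addresses; unused ones are off
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service disable telnet,ftp,www,api,api-ssl

# 3. Stop advertising the router on the WAN side (MNDP/CDP neighbour discovery)
/ip neighbor discovery set ether1 discover=no

# 4. Input chain, evaluated top to bottom: replies to the router's own
#    traffic, IKE and ESP from VPN peers, and nothing else from the WAN.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to router-originated traffic"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=udp dst-port=500,4500 action=accept \
    comment="IKE / NAT-T for site-to-site IPsec"
add chain=input in-interface=ether1 protocol=ipsec-esp action=accept
add chain=input in-interface=ether1 action=drop \
    comment="everything else aimed at the router itself from the WAN"
```

Verify the result with /ip service print and /ip firewall filter print stats: the final drop rule's counters climbing while Winbox from the LAN still works is the state you want. Rule order matters in the input chain; the established/related accept has to come before the WAN drop or the router's own DNS and NTP replies get discarded.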

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

CuddleChunks posted:

Rexxed - the rb750gl should do well for you. I've got one at home and it's a real trooper. I think it's a safe bet to try that model. There are other routerboard models with a ton more power if needed.


So I did get the RB750GL and it's taken me a few days to get the VPN working in a test environment, but it seems like there are a number of settings that need to be accounted for that are obscured by netgear's boxed router UI. I've finally managed to get one of the netgears and the mikrotik establishing a tunnel with IPSec so after a few issues are sorted out I could set them up as a drop-in replacement solution. I'd like to redo all of the VPN routers as one brand but I don't get a choice but to replace them one at a time and also keep the VPN running, so keeping the netgears compatible was a big plus. You can get an idea of the difference in setting the devices up from:
http://www.unwiredadventures.com/unwire/2013/01/ipsec-vpn-between-mikrotik-and-netgear-prosafe-vpn-firewall.html
which was a useful guide and almost my exact situation but didn't actually work until I changed some of the settings.

If anyone else does a lot of IPSec VPN with the mikrotik do you sometimes get your Installed SAs "stuck" and keeping the connection from working? I've learned to flush the Installed SAs when I'm having issues and it seems to fix some problems I'm having. This usually would show up in the Netgear's VPN logs as the mikrotik not having an incoming SA, despite one being listed on mikrotik's Installed SA list. It seems like I'm not the only one, so there are workarounds like setting up flushing scripts if there's no active connection, which is fine but a little tedious:
http://forum.mikrotik.com/viewtopic.php?f=2&t=48269

It seems like there are also some situations in which the mikrotik is able to open a tunnel for VPN communication with the Netgear and not the other way around. I've read about another work-around script to ping from the mikrotik to the other router to keep the connection alive.

I'm also looking at some scripts that handle dyndns or other dynamic domain name server updating setups, since they're used on a couple of sites without static IPs. With Dyndns going paid account only next month, is there a service that anyone likes better? I don't think the $25 a year for their service is going to be a huge deal but if there's someone who is reliable and free or cheaper, I'd be interested to know about them.

Anyway, it's a little tedious to have to use so many workarounds to little issues but I blame the Netgear more than mikrotik for most of them, and there are solutions to many available on the mikrotik support forums. If I get a different model will the RouterOS setup be the same (aside from more interfaces)? At one site they may need a 9 port model like the RB493G.
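Rexxed's post describes three things that a working site-to-site setup on the MikroTik side has to cover: matching phase 1/2 parameters with the far end, keeping tunnel traffic out of the NAT, and the "flush the installed SAs when the far side stops answering" workaround from the linked forum thread. The following is an added example on RouterOS v6 that is not Rexxed's configuration and not from the Netgear guide; every address is constructed (this router: WAN 203.0.113.1, LAN 192.168.10.0/24 with router LAN IP 192.168.10.1; far router: WAN 198.51.100.1, LAN 192.168.20.0/24 with router LAN IP 192.168.20.1), and the script and scheduler names are my own.

```routeros
# Added example (not Rexxed's configuration): site-to-site IPsec on RouterOS v6
# plus the "flush installed SAs when the far side is unreachable" workaround.
# Constructed addresses:
#   this router  WAN 203.0.113.1   LAN 192.168.10.0/24 (router LAN IP 192.168.10.1)
#   far router   WAN 198.51.100.1  LAN 192.168.20.0/24 (router LAN IP 192.168.20.1)
# Phase 1 (peer) and phase 2 (proposal) parameters must match the far end
# exactly; AES-256 is one of the two algorithms the post says it tested.

/ip ipsec proposal
add name=site-b auth-algorithms=sha1 enc-algorithms=aes-256-cbc pfs-group=modp1024 lifetime=1h

/ip ipsec peer
add address=198.51.100.1/32 exchange-mode=main secret="REPLACE-WITH-A-LONG-RANDOM-PSK" \
    enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp1024 lifetime=1d \
    dpd-interval=10s dpd-maximum-failures=3 comment="site B"

/ip ipsec policy
add src-address=192.168.10.0/24 dst-address=192.168.20.0/24 tunnel=yes action=encrypt \
    sa-src-address=203.0.113.1 sa-dst-address=198.51.100.1 proposal=site-b

# Tunnel traffic must not be source-NATed, so this accept rule has to sit
# above the general masquerade rule (place-before=0 puts it first).
/ip firewall nat
add chain=srcnat src-address=192.168.10.0/24 dst-address=192.168.20.0/24 action=accept \
    place-before=0 comment="bypass NAT for site B tunnel"

# Watchdog: ping the far LAN from our LAN address, so the probe itself
# matches the policy. If nothing comes back, drop the stale SAs so the next
# packet for site B triggers a fresh negotiation.
/system script
add name=vpn-watchdog source={
    :local farLan 192.168.20.1
    :if ([/ping $farLan src-address=192.168.10.1 count=3 interval=1s] = 0) do={
        :log warning ("vpn-watchdog: " . $farLan . " unreachable, flushing IPsec SAs")
        /ip ipsec installed-sa flush
    }
}
/system scheduler
add name=vpn-watchdog interval=1m on-event=vpn-watchdog
```

/ip ipsec installed-sa print and /ip ipsec remote-peers print show whether both directions of the SA pair exist, which is the "no incoming SA" condition the Netgear logs complain about. Dead peer detection (the dpd-* parameters on the peer) is the built-in mechanism for the same problem; the scheduled script is the belt-and-braces workaround the thread describes for peers that do not honour it. Because the configuration is plain text, /ip ipsec export produces a copy that can be reused on a bigger RouterBOARD after the addresses and interface names are adjusted.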

thebigcow
Jan 3, 2001

Bully!

Rexxed posted:

If I get a different model will the RouterOS setup be the same (aside from more interfaces)? At one site they may need a 9 port model like the RB493G.

Other than features specific to that model it will be the same, which means you should be able to export your vpn settings and use them on a different unit after changing any specific numbers that need changing.

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

Another thing I neglected to mention is my original intention of high bandwidth while a VPN is active. These netgears are old technology and it's a known issue with them, but just because it's working so well, here's the Netgear FVS318:


... and here is the Mikrotik:


They're using the same configurations behind my regular router which has identical results as the mikrotik.

thebigcow
Jan 3, 2001

Bully!
What encryption are you using?

Rexxed
May 1, 2010

Dis is amazing!
I gotta try dis!

I've had it working with 3DES and AES256. Since the existing VPN (with a couple of units I'd rather not reconfigure if I don't need to since they're not that easy to get to) is on 3DES I will probably stick with that. It seems that unlike other configuration options, which encryption algorithm is used makes no difference.

I'm not too concerned with the bandwidth of the VPN tunnel itself since the devices talking to each other on the VPN are mostly small embedded systems that don't generate a lot of traffic. With the old netgears, however, the entire network at that site would bottleneck at the WAN port. Being small offices it wasn't a big deal until they added VOIP and then one site got some security cameras that have tcp/ip streaming services. Now I'm just trying to resolve the bottlenecks so things behave better.

thebigcow
Jan 3, 2001

Bully!
I'm amazed that little box can do it. It's hard to find vpn sizing information and when you do it tends to be the shittiest possible encryption methods.

evol262
Nov 30, 2010
#!/usr/bin/perl
L2TP/IPSEC woes. I mean, it works. But:

Complex PSK -> doesn't negotiate to phase 2. This works with racoon and openswan, but I can live with this.

PPP pool inside my existing IP space (dhcp isn't mikrotik controlled) -> connects but doesn't route. Clients can get to the mikrotik and vice versa, but not to the rest of the network. OK...

PPP pool in another subnet. Totally fine. Can ssh to other hosts and vice versa. But DNS doesn't work (DNS server is internal). I can ssh to the DNS server, though. UDP problems? Client is android, so limited troubleshooting.

PPP pool in another subnet. External DNS. Works perfectly. Except DNS isn't mine.

I'm content to reroute traffic, but I can't really live without internal dns. What can I do to get that working, at least? And can I set an ipsec group name? Didn't see it in the docs.

SamDabbers
May 26, 2003



Try enabling proxy-arp on the LAN interface. That should allow the clients to talk to the rest of the network when you have your PPP pool in the same CIDR subnet.

I'm not sure if Android supports it, but you could try configuring DHCP Option 121 and/or Option 249 (same syntax, different option number) for Windows clients.

evol262
Nov 30, 2010
#!/usr/bin/perl

SamDabbers posted:

Try enabling proxy-arp on the LAN interface. That should allow the clients to talk to the rest of the network when you have your PPP pool in the same CIDR subnet.

I'm not sure if Android supports it, but you could try configuring DHCP Option 121 and/or Option 249 (same syntax, different option number) for Windows clients.

Proxy arp is already enabled. Doesn't resolve it. And option 121 is already enabled (for other reasons), but routing pretty much works.

I don't care about it being in the same subnet, it's just what I tried first since all the mikrotik examples did it and said "proxy arp is all you need".

I do care about internal DNS. It's mindboggling that the VPN client can SSH to the DNS server but DNS resolution fails. This is what I really want resolved. I'm gonna try connecting an actual client to it today to see if I can get anything useful out of tcpdump, but any ideas here?

SamDabbers
May 26, 2003



Have you verified that the firewall allows UDP/53 from an L2TP client to your internal DNS server? Any chance you could post or pastebin a sanitized config?

evol262
Nov 30, 2010
#!/usr/bin/perl

SamDabbers posted:

Have you verified that the firewall allows UDP/53 from an L2TP client to your internal DNS server? Any chance you could post or pastebin a sanitized config?

E: 100% my fault. BIND ACL was too restrictive.

evol262 fucked around with this message at 17:51 on Apr 11, 2014
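The exchange above ends with the classic split symptom: VPN clients in a separate pool can SSH to the DNS server but cannot resolve through it, and the cause turned out to be the resolver's own ACL rather than the router. The following is an added example (not evol262's or SamDabbers's configuration) of the L2TP/IPsec server variant the thread found routes cleanly, with the PPP pool in its own subnet and the internal resolver handed to clients, plus the explicit UDP/53 and TCP/53 allow rules SamDabbers asked about. Constructed values: LAN 192.168.1.0/24, internal DNS 192.168.1.53, VPN pool 10.99.0.0/24; the user name, profile and pool names are my own.

```routeros
# Added example (not from the thread): L2TP/IPsec road-warrior server on
# RouterOS v6 with the PPP pool in its own subnet. Constructed values:
# LAN 192.168.1.0/24, internal resolver 192.168.1.53, VPN pool 10.99.0.0/24.

/ip pool
add name=l2tp-pool ranges=10.99.0.10-10.99.0.100

# Clients get an address from the pool and the internal resolver as DNS
/ppp profile
add name=l2tp-profile local-address=10.99.0.1 remote-address=l2tp-pool \
    dns-server=192.168.1.53 use-encryption=yes

/ppp secret
add name=alice password="REPLACE-ME" service=l2tp profile=l2tp-profile

# IPsec transport protection for L2TP with a shared secret for all clients
/interface l2tp-server server
set enabled=yes default-profile=l2tp-profile use-ipsec=yes \
    ipsec-secret="REPLACE-WITH-A-LONG-RANDOM-PSK"

# The pool is a different subnet from the LAN, so nothing to proxy-ARP;
# LAN hosts only need their default gateway to be this router.
# Forward chain: make the "does the firewall allow DNS from VPN clients to
# the internal server" check explicit. TCP/53 is included because large
# answers and zone transfers fall back to TCP.
/ip firewall filter
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.1.53 \
    protocol=udp dst-port=53 action=accept comment="VPN clients -> internal DNS"
add chain=forward src-address=10.99.0.0/24 dst-address=192.168.1.53 \
    protocol=tcp dst-port=53 action=accept comment="VPN clients -> internal DNS (TCP)"
```

Even with this in place the resolver has to agree: a BIND ACL that lists only 192.168.1.0/24 (typically in allow-query and allow-recursion) will answer SSH on port 22 and silently refuse queries from 10.99.0.0/24, which is exactly the "can SSH to the DNS server but resolution fails" symptom evol262 hit. Whenever a new client pool is added, the resolver's ACL is the second place to update after the firewall.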

evol262
Nov 30, 2010
#!/usr/bin/perl
Different question:

Can RouterOS approximate flat IPsec VPNs with group names and passwords? Getting multi-client working is a headache; iOS and OSX want AES256, but Windows and NetworkManager-l2tp want 3DES, so there are multiple peer profiles for negotiation, Linux goes Aggressive by default, so there's a different peer to handle the intermittent case, etc. Or is there a set of documentation for "how to prevent RouterOS from being an incredibly finicky VPN server"? The site-to-site IPsec stuff is working great, but this is so bad it's making me contemplate scrapping it as an endpoint and going back to Openswan.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Fun thing I just discovered on v6.12, which came out yesterday:

Old VLAN code working on 6.11:
code:
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=701 ports=ether2 sa-learning=yes
/interface ethernet switch egress-vlan-translation
add customer-vid=701 new-customer-vid=0 ports=ether2
This correctly exports on a CRS still running 6.11.

New export code of the above if put into 6.12:
code:
/interface ethernet switch ingress-vlan-translation
add customer-vid=0 new-customer-vid=701 ports=ether2 sa-learning=yes
/interface ethernet switch egress-vlan-translation
add customer-vid=701 new-customer-vid="(unknown)" ports=ether2
If more than one entry is in the egress field with "(unknown)" the router will freeze on bootup during the "Starting services" display output on the LCD. Working off of a CloudRouterSwitch for this.

It looks like they completely redid the VLAN page on their wiki, so I am going to dive into it:
http://wiki.mikrotik.com/wiki/Manual:CRS_examples

I am glad I tested this before deploying 12 of them in the field for VLAN access switches.

Crossbar
Jun 16, 2002
Chronic Lurker
Dumb question for you guys. Today I set up a Mikrotik as an endpoint for a site to site VPN. Everything is working great but I can't get into it with Winbox when I'm on the remote end of the VPN. I can only do it if I'm actually at the branch office.

What do I need to change to let me remote into the Mikrotik?

thebigcow
Jan 3, 2001

Bully!

Crossbar posted:

Dumb question for you guys. Today I set up a Mikrotik as an endpoint for a site to site VPN. Everything is working great but I can't get into it with Winbox when I'm on the remote end of the VPN. I can only do it if I'm actually at the branch office.

What do I need to change to let me remote into the Mikrotik?

Are you using the mac address or the ip address? Is the firewall set to allow winbox traffic on that interface?

Crossbar
Jun 16, 2002
Chronic Lurker

thebigcow posted:

Are you using the mac address or the ip address? Is the firewall set to allow winbox traffic on that interface?

I'm trying to connect to the LAN IP address of the Mikrotik. I can ping it but Winbox doesn't connect.

I didn't add any firewall rules. The only thing I did was set up a NAT rule so traffic going over the tunnel didn't get NATed.

kiwid
Sep 30, 2013

We currently use a UTM as a firewall/gateway/router. Is it common for people to put a MikroTik behind a UTM and basically just use the UTM as a firewall/gateway only or do most people just use the UTMs routing features as well? Sometimes there are things we'd like to do that are just easier on a MikroTik device like port limiting, etc, but a MikroTik can't replace the security of a UTM.

thebigcow
Jan 3, 2001

Bully!
http://download2.mikrotik.com/news_57.pdf

April newsletter features new CCR models with redundant power supplies and little wire clips to hold the cords. I'm waiting for pictures of a sketchy European install with a Y cable.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Anyone notice a bug with VLANs causing a switch to act like a hub? It's basically forwarding data out all ports and wtf switches shouldn't be doing that.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Is spanning-tree enabled on the bridge?

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

falz posted:

Is spanning-tree enabled on the bridge?

I don't use a bridge for my VLAN, on the CRS125 it is all done with switching.

Oh wait no, I have to use a bridge for my trunk because I can't get the VLAN to see out to the internet unless I associate the VLAN to bridge, and then IP to bridge, and then bridge to ether1. All of the documentation says I can associate IP -> VLAN -> interface, but it doesn't seem to work for me.
code:
### VLAN trunk setup for ACCESS routers ###

# VLAN trunk #1: set ports 2-24 switched to the trunk port 1
/interface ethernet
set ether2,ether3,ether4,ether5,ether6,ether7,ether8 master-port=ether1

# VLAN trunk #2: create a bridge for the VLAN trunk
/interface bridge
add name=br-vlan1 l2mtu=1588 comment="Bridge for VLAN1 trunk" 

# VLAN trunk #3: assign ether1 to the bridge
/interface bridge port
add bridge=br-vlan1 interface=ether1

# VLAN trunk #4: assign VLAN1 to the bridge
/interface vlan
add name=vlan1 interface=br-vlan1 l2mtu=1584  vlan-id=1

# VLAN trunk #5: add an IP address to the bridge
/ip address
add address=1.1.1.1/24 interface=br-vlan1 network=1.1.1.0 comment="Uplink to core router (VLAN1)"

# VLAN trunk #6: create an uplink route out
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 distance=1 comment="Uplink to core router (VLAN1)"

# VLAN trunk #7: add an identifying comment to the ether1 interface
/interface ethernet set ether1 comment="Uplink to core router (VLAN1)"

### VLAN ingress tagging / egress untagging ports ###

# ether2: tag ingress / untag egress VLAN100 traffic for customer
/interface ethernet switch ingress-vlan-translation
add port=ether2 customer-vid=0 new-customer-vid=100 sa-learning=yes
/interface ethernet switch egress-vlan-translation
add port=ether2 customer-vid=100 new-customer-vid=0
/interface ethernet set ether2 comment="Down to customer (VLAN100)"
I know the ingress/egress code has changed for 6.12+ (no more egress translation, now egress-tagging), but I am curious if not having rSTP on the trunk bridge is enough to cause traffic mirroring out plugged in ports.

Edit - rSTP is on for the trunk bridge:
code:
[admin@router] /interface bridge> print
Flags: X - disabled, R - running 
 0  R ;;; Bridge for VLAN1 trunk
      name="br-vlan1" mtu=1500 l2mtu=1588 arp=enabled mac-address=D4:CA:6D:FD:42:4E protocol-mode=rstp \
      priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s \ 
      transmit-hold-count=6 ageing-time=5m


(Sorry for the annoying smudges, my work wants to protect our public-IP internal sitenames.)

ether1, ether23, and ether24 are on VLAN1. ether2 is to a customer router on another VLAN-- with currently nothing live (and empty router), and ether3 and ether4 are radios to remote sites. Note how the traffic is almost mirrored hub-style out ether2, ether4, ether23, and ether24.

I was worried that traffic was being mirrored back up the backhaul of ether1 causing collisions or some hub poo poo, but that's not an issue. It's just that the canary and web power switch (ether23 & ether24) which usually sit at 0 Tx/Rx 99% of the time have such high bandwidth to them, which made me notice this issue. Plus ether2's current router has no customers on it, so it should be at 0 Tx/Rx as well.

It doesn't help that we've already deployed like a dozen of these CRS125s as VLAN points of presence for our wireless network, so I'm trying to track down this issue before it becomes a bigger problem.

Any help is appreciated-- the Mikrotik forums seem to be a cesspool of mostly unanswered questions.

jeeves fucked around with this message at 06:39 on May 20, 2014

Crazy C
Dec 3, 2010
STOP LEECHING IMAGES, DICKFACE
Anyone here know of any good tutorials on setting up "The Dude" to manage all my clients remotely. Struggling to wrap my head around this program and any tutorials or videos I find are in Latvian. Thanks.

zennik
Jun 9, 2002

Crazy C posted:

Anyone here know of any good tutorials on setting up "The Dude" to manage all my clients remotely. Struggling to wrap my head around this program and any tutorials or videos I find are in Latvian. Thanks.

It's a bit of a PITA, and no longer officially supported. But, I can try and answer any questions as best as I can. What are you having trouble with, specifically?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Add devices; if they're RouterOS, add auth and it can see their interfaces. If not, add the SNMP info and it can see their interface traffic. Draw lines between things and specify which interface that line is associated with and it will display traffic on the link every few seconds.

That's about all I've ever used it for, works fine for that.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Edited, I think I fixed the problem.

jeeves fucked around with this message at 04:14 on Jun 5, 2014

thebigcow
Jan 3, 2001

Bully!
Have you tried filing something with support? It's entirely possible that what you have set up is correct but is simply broken in 6.12 because Latvians.

SamDabbers
May 26, 2003



thebigcow posted:

Have you tried filing something with support? It's entirely possible that what you have set up is correct but is simply broken in 6.12 because Latvians.

They'll deny it and tell you to try 6.13rc1. Someone else will have to report it too before they'll acknowledge the problem because Latvians.

Edit: Maybe you can prune the VLANs from the ports in /interface ethernet switch vlan? What does the unicast FDB show? It shouldn't flood if it has learned the destination MAC.

SamDabbers fucked around with this message at 16:03 on May 22, 2014

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
It's super flooding.

We have a remote site over a radio from one of our hub sites, and it is receiving all of the traffic of the hub site as Rx data on the remote site. I've disabled all of the ports on the remote site except the uplink just to verify this, and yeah tons of broadcast traffic going through the hub site is hitting the remote site over the radio.

This was with their 'just use switch code' vlan implementation, of slaving ether2-24 to ether1 (the trunk). That is all well and good for an edge case (except of course when it acts like a hub) but then when you put a downlink to another site on one of those switch ports you basically just extend the switch out-- especially when this poo poo acts like a hub.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Change your remote site wireless link to a routed /30. Won't fix your bug but that traffic and broadcast traffic will no longer be making GBS threads up the airwaves.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

falz posted:

Change your remote site wireless link to a routed /30. Won't fix your bug but that traffic and broadcast traffic will no longer be making GBS threads up the airwaves.

Half of our networks are routed /30s and the other half are VLAN links. We'd have to redo a bunch of poo poo, but it is kind of a last option right now. I kind of wish we could just dump all of the VLANs and just do routed paths and blocks, but the guy who made the network really liked VLANs when they worked on Procurves, so we can't really renumber everything now. Plus he really likes how customers are just one hop on a seemingly private VLAN instead of a /30 sharing a bunch of public traffic. Too bad that stuff worked perfectly on Procurves but they no longer wanted to pay for Procurves.

It looks like 6.13 firmware upgrade may fix this issue, but who knows what else is actually fixed. Like if I actually need to manually enable port isolation for every port or what. Of course we have a bunch of big customers hanging off of the hub so I have to wait until Tuesday morning at 6AM to do the firmware upgrade, but we'll see if the traffic drops off.

This poo poo worked perfectly on Procurves, and it looked like it was working fine when I personally tested with the CRSes, but then this cropped up-- I wonder what else will now.

jeeves fucked around with this message at 05:27 on May 23, 2014


DarkJC
Jul 6, 2010
I ordered a RB750GL to replace the router portion of my combination router/modem supplied by my ISP and it arrives today.

I'm hoping to set up some simple queues to prevent torrent usage from flooding the network and causing everything else to go to poo poo. Basically I'd like people to be able to use BitTorrent to download stuff but not cause huge latency for games, voip, or any other latency sensitive connection.

Am I in for a world of hurt experimenting with this stuff? Is there an idiots guide to RouterOS queues out there? I'm fairly competent when it comes to network setup, queues are the only thing that's a little beyond what I've traditionally dealt with. The most QoS setup I've done before is configuring QoS in Tomato.
