|
PUBLIC TOILET posted: I should have noted that both routers are running v5.26. Isn't the cloud feature in version 6+?

Yes. It's a free dynamic DNS thingy that's baked in.
|
# ? Mar 20, 2015 17:15 |
|
|
jeeves posted: Just upgrade to 6.27 unless the license on your Mikrotik won't let you.

I like this idea. I might even try it on my router and remove the existing SSH firewall rule. The only thing I'm not sure about is how/where to start a whitelist for this. I looked around online but most of the information I see is how to create whitelists for a web proxy.
|
# ? Mar 21, 2015 02:14 |
|
PUBLIC TOILET posted: I like this idea. I might even try it on my router and remove the existing SSH firewall rule. The only thing I'm not sure about is how/where to start a whitelist for this. I looked around online but most of the information I see is how to create whitelists for a web proxy.

What questions about the whitelist do you have? Basically take your home IP, and add it to "/ip firewall address-list", and tag it with the name 'whitelist' (or anything). Then, when you make the firewall rule, the src-address-list=!whitelist command tells it to apply to any IP that is NOT on that 'whitelist' name you made before. Or instead of making a whitelist like that, you can just use one IP in the firewall filter, however that may lock you out eventually or such if you screw up or if your IP changes.
|
# ? Mar 21, 2015 03:13 |
|
jeeves posted: What questions about the whitelist do you have? Basically take your home IP, and add it to "/ip firewall address-list", and tag it with the name 'whitelist' (or anything). Then, when you make the firewall rule, the src-address-list=!whitelist command tells it to apply to any IP that is NOT on that 'whitelist' name you made before.

Okay, thank you. I had a feeling it was the "Address Lists" option in Winbox under Firewall but I wasn't sure because I had never used that feature before. I wanted to confirm in my head where everything would appear within the Winbox interface once I thought about each command that jeeves had mentioned. Wouldn't I also have to build another firewall rule that forwards destination port 8291 from the WAN to the router's IP address? And also build a NAT rule for it?

PUBLIC TOILET fucked around with this message at 04:24 on Mar 21, 2015
# ? Mar 21, 2015 03:36 |
|
PUBLIC TOILET posted: Okay, thank you. I had a feeling it was the "Address Lists" option in Winbox under Firewall but I wasn't sure because I had never used that feature before. I wanted to confirm in my head where everything would appear within the Winbox interface once I thought about each command that jeeves had mentioned.

No. The input firewall chain is for traffic going from the internet to the router itself. The forward chain is for traffic passing through the router (i.e. internet to LAN). Since traffic to the router is never going through NAT or being passed through to the LAN you just need the rule in the input chain.
|
# ? Mar 21, 2015 13:55 |
|
The_Franz posted: No. The input firewall chain is for traffic going from the internet to the router itself. The forward chain is for traffic passing through the router (i.e. internet to LAN). Since traffic to the router is never going through NAT or being passed through to the LAN you just need the rule in the input chain.

Thank you for the clarification. One other, unrelated issue. I'm working to configure a task in the scheduler where it will perform a "/system reboot" once a week at 6am. The time I entered was one week at 06:00 hours (because I figure it's measured in military time on the router). I've been noticing that the router will instead reboot at around 12am. I checked the clock settings and they're set to New York/-4 GMT, but I think the current time is incorrect. I have Google's NTP servers specified for synchronization (time1.google.com/time2.google.com via IP address). If I have NTP servers specified, should I then set the clock section to "manual" instead of New York/-4 GMT? Not sure why the clock is off but I don't know if it's a misconfiguration in my router, or if it's the fault of the Google NTP servers.
|
# ? Mar 23, 2015 16:35 |
|
When you say "I think the current time is incorrect" what do you mean?
|
# ? Mar 23, 2015 17:32 |
|
thebigcow posted: When you say "I think the current time is incorrect" what do you mean?

When I look at the clock settings, it shows me the current time in 24h format, but I'm pretty sure it's not the correct eastern time it should be. I would double-check via Winbox but I can't at the moment because I apparently did not whitelist the correct IP address for remote access. I can however provide you with the configuration I currently have:
code:
|
# ? Mar 23, 2015 18:13 |
|
"/system clock print" will give you the current readout of what time your Mikrotik thinks it is.
code:
code:
jeeves fucked around with this message at 20:15 on Mar 23, 2015
# ? Mar 23, 2015 20:12 |
|
Here's what I have:
code:
edit: it should read as 06:00:00 shouldn't it?
edit 2: yeah, that was it. I'm an idiot.

PUBLIC TOILET fucked around with this message at 23:20 on Mar 23, 2015
# ? Mar 23, 2015 23:09 |
|
Scheduler is weird. If you have it set to a specific time you have to set it to a future date or else it won't even run, which I guess makes sense but it's kind of weird. Here's the code I did to upgrade the RouterOS + router firmware late at night when hopefully some people aren't using it:
code:
Edit - I had manually downloaded the router package upgrade and left it in the files folder of the router; it was just waiting for the initial reboot. That's why step #1 is a reboot.
|
# ? Mar 24, 2015 00:23 |
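Scheduler and clock setup along the lines of this exchange (PUBLIC TOILET's 06:00:00 fix and jeeves' note about needing a future start date), as an added example rather than either poster's actual config; the time zone, dates and NTP addresses are assumptions:

```routeros
# Constructed example (RouterOS v6 syntax), not any poster's real config.
# 1. Time zone. Use the named zone so DST is handled for you. With an NTP
#    client enabled the clock stays automatic; "manual" is not needed.
/system clock
set time-zone-name=America/New_York

# 2. NTP client. The v6 client is configured with IP addresses, so resolve
#    time1.google.com / time2.google.com yourself and fill them in below.
/system ntp client
set enabled=yes primary-ntp=<IP of time1.google.com> secondary-ntp=<IP of time2.google.com>

# 3. Check before trusting any schedule: "time" must be the correct local
#    time (24h format) and the NTP client status must show it synchronised.
#    A wrong clock also timestamps every firewall log entry wrongly.
/system clock print
/system ntp client print

# 4. The weekly reboot. start-time is HH:MM:SS, so 6 am is 06:00:00 (as the
#    thread found, a shorter value does not give 6 am), and start-date must
#    lie in the future or the task never fires. policy=reboot is required
#    for a script that calls /system reboot.
/system scheduler
add name=weekly-reboot start-date=mar/29/2015 start-time=06:00:00 interval=1w on-event="/system reboot" policy=reboot comment="constructed example: weekly 06:00 reboot"

# Confirm next-run and run-count after adding it:
/system scheduler print detail
```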
|
Warning: crude network diagram and noobish question ahead. I'm still learning 'intermediate' networking concepts, so please bear with me. I purchased a RB750GL (arriving Wednesday) to replace a Netgear FVS318g on my home network. Since installing the FVS318, my download speeds have dropped from 50mb to 12mb. I remove it and they go back to the 50mb I'm paying for, so obviously it's a bottleneck and needs to go. For security reasons, I would like to separate my wired clients (4) and my wireless clients (8-12 at any time). Here is a diagram of what I'm hoping to achieve: I would like to make it so no traffic passes between the wired and wireless clients, while still allowing both of these groups to access the internet. Do I need to use VLANs to accomplish this? If so, is the dumb switch (D-Link DGS-108) going to be a problem? Thanks for any help you can provide and let me know if you need any more info.

*edit* AEBS = Airport Extreme Basestation. Just to be clear.
|
# ? Mar 24, 2015 03:28 |
|
Mr. Clark2 posted: Warning: crude network diagram and noobish question ahead. I'm still learning 'intermediate' networking concepts, so please bear with me.

AFAIK you can go into interfaces, then whichever port you plugged the Airport into, and change its master port to none to remove it from the switch chip and have everything done in software. Use port five to make things a little easier. Then you'll need to change firewall rules, give it an address on a different network, etc. Make a backup before you start fussing.
|
# ? Mar 24, 2015 04:19 |
|
Add 192.168.2.1/24 to ether2, then add 192.168.1.1/24 to ether3. Then slave ether4 and ether5 to master port ether3. You can do all of that without needing a dumb switch, and the two networks will not see each other due to two separate gateways/subnets. In /ip firewall nat, add a nat statement to make 192.168.1.1 and 192.168.2.1 see the WAN IP on ether1.

jeeves fucked around with this message at 04:40 on Mar 24, 2015
# ? Mar 24, 2015 04:38 |
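The layout jeeves describes, written out as an added example (not jeeves' own config). The WAN on ether1, the subnets, and the forward-chain rules that enforce the separation Mr. Clark2 asked for are my assumptions; DHCP servers for the two LANs are left out:

```routeros
# Constructed example: two isolated LANs on an RB750GL (RouterOS v6 syntax).
# Wired clients on ether2; the AEBS (wireless) on the switch group ether3-5.
/interface ethernet
set ether4 master-port=ether3
set ether5 master-port=ether3

/ip address
add address=192.168.2.1/24 interface=ether2 comment="wired LAN"
add address=192.168.1.1/24 interface=ether3 comment="wireless LAN (switch group ether3-5)"

/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade comment="both LANs use the WAN IP on ether1"

/ip firewall filter
# Separate subnets are not isolation on their own: the router forwards
# between its directly connected networks unless told otherwise. The
# forward chain is the one for traffic passing through the router, so the
# block goes there. Anything not matching these two drops is still
# forwarded, so internet access for both groups keeps working.
add chain=forward src-address=192.168.1.0/24 dst-address=192.168.2.0/24 action=drop comment="wireless -> wired"
add chain=forward src-address=192.168.2.0/24 dst-address=192.168.1.0/24 action=drop comment="wired -> wireless"

# Verify: packet counters on the two drop rules should climb when a
# wireless client tries to reach a wired one (ping 192.168.2.x from wifi).
/ip firewall filter print stats where chain=forward
```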
|
The switch is in there because the room where all the wired clients are located only has one wall jack for ethernet. I rent so it's impossible to run cabling into the room, so the switch has to stay.
|
# ? Mar 25, 2015 01:43 |
|
So I'm not sure why but even after creating the whitelist and adding the appropriate IP address, attempting to connect to my router via Winbox from one of the whitelisted IP addresses is being blocked. Below is a screen capture of the log: And here's what my firewall configuration looks like:
code:
PUBLIC TOILET fucked around with this message at 02:28 on Mar 25, 2015
# ? Mar 25, 2015 02:26 |
|
Packets hit rules in the order they are listed so you need to put your Winbox rule above the "drop everything" rule or the packet will be dropped before it hits the Winbox rule. You also need to have your Winbox rule accept whitelisted connections instead of dropping non-whitelisted connections or allowed packets will just fall through to the drop rule.
|
# ? Mar 25, 2015 05:33 |
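jeeves' address-list approach combined with The_Franz's two points (order, and accept rather than drop), as an added example that is not any poster's config; the WAN interface name and the home IP are assumptions:

```routeros
# Constructed example: management access from a whitelist only (RouterOS v6).
# Assumed: WAN is ether1; home public IP 203.0.113.10 (documentation range).
/ip firewall address-list
add list=whitelist address=203.0.113.10 comment="home IP (constructed example)"

/ip firewall filter
# 1. Keep replies to connections the router itself opened (NTP, DNS, updates).
add chain=input connection-state=established,related action=accept
# 2. ACCEPT management from the whitelist. This must sit ABOVE the drop rule:
#    rules are evaluated top to bottom and the first match decides, so an
#    accept placed after "drop everything" is never reached.
add chain=input protocol=tcp dst-port=8291,22 src-address-list=whitelist action=accept comment="Winbox/SSH from whitelisted IPs"
# 3. Log, then drop, everything else arriving on the WAN for the router itself.
#    A drop rule with src-address-list=!whitelist on its own does not help:
#    a whitelisted packet is not accepted by it and just falls through to
#    the final drop anyway.
add chain=input in-interface=ether1 action=log log-prefix="INPUT-DROP"
add chain=input in-interface=ether1 action=drop comment="drop everything else"

# If a rule landed in the wrong place (e.g. added in Winbox after the drop),
# check the order and move it by the number print shows (numbers start at 0):
/ip firewall filter print
/ip firewall filter move 3 destination=1

# Watch for blocked management attempts, i.e. the thing the whitelist is for:
/log print where message~"INPUT-DROP"
```

Turn on Safe Mode (Ctrl+X in the terminal) before changing input-chain rules remotely; if the session drops because a rule locked you out, the changes are rolled back.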
|
The_Franz posted: Packets hit rules in the order they are listed so you need to put your Winbox rule above the "drop everything" rule or the packet will be dropped before it hits the Winbox rule. You also need to have your Winbox rule accept whitelisted connections instead of dropping non-whitelisted connections or allowed packets will just fall through to the drop rule.

Holy poo poo it works! Thanks everyone!
|
# ? Mar 26, 2015 14:15 |
|
PUBLIC TOILET posted: Holy poo poo it works! Thanks everyone!

Yeah, I always forget that aspect of firewall filters because when I code them I always put them in order from the start. Of course I do so few filters on there (I just do the whitelist filters on initial installs, we have another guy who does followup filters) that I forget about the drag-and-drop aspect of the order. Good to hear you got it working. Mikrotiks are great for home once you understand them.
|
# ? Mar 26, 2015 19:33 |
|
jeeves posted: Yeah, I always forget that aspect of firewall filters because when I code them I always put them in order from the start. Of course I do so few filters on there (I just do the whitelist filters on initial installs, we have another guy who does followup filters) that I forget about the drag-and-drop aspect of the order.

I've been quickly researching MikroTik books on Amazon to learn more about them. Any recommendations?
|
# ? Mar 26, 2015 20:01 |
|
PUBLIC TOILET posted: I've been quickly researching MikroTik books on Amazon to learn more about them. Any recommendations?

I've picked up just from work. I use them mostly as layer 3 switches, and for them to do basic routing and very basic VLANs. We have a master router that is a very beefy non-Mikrotik Vyatta that does all of the heavy lifting like OSPF and BGP, but the Mikrotiks are all the lower end stuff on remote sites and such. I can't recommend much, but I can post a few example scripts of some of the basic stuff I do at work once I take out the public IPs. I try to comment up my stuff really well.
|
# ? Mar 26, 2015 21:03 |
|
So...what exactly does it mean when a port is "slaved" to another port? I'm guessing that changes I make to the master interface will also be applied to the slaved interfaces? I'm going through the documentation but some of the English is...not so good (but still better than my Latvian).
|
# ? Mar 26, 2015 21:07 |
|
I sanitized one of my work's RB750GL configs that we use as a canary unit to see if power fails at a remote site and also as a basic DHCP router. WAN IP would be 1.1.1.100, with a gateway of 1.1.1.1
code:
Edit - alternatively, if you want to make this into a 5 port switch that has a managed IP address:
code:
Granted, you could put all of your switch code onto ether2 and then just slave/switch ether3-5 to ether2, but I think that's a bit more messy than doing software routing via a bridge group (Test-LAN in the above). The switch chip may be quicker, but you can do more firewall rules right on the bridge group if you want to. You may want to factory reset a Mikrotik and look at the defaults they put in, as I think they usually do the switch-chip DHCP by default too. And don't forget you can use the 'export' command at any 'directory' to get only the results of what the code would look like at a certain place, and then use the 'print' command to see what the current running status of that area is.

jeeves fucked around with this message at 21:33 on Mar 26, 2015
# ? Mar 26, 2015 21:27 |
|
Mr. Clark2 posted: So...what exactly does it mean when a port is "slaved" to another port? I'm guessing that changes I make to the master interface will also be applied to the slaved interfaces? I'm going through the documentation but some of the English is...not so good (but still better than my Latvian).

It means they act as ports on a switch instead of being handled individually by the software. The master port is then what you specify when you want to communicate with all of the slave ports in the switch group. You can only slave ports to a master if they are physically connected to the same switch chip.
|
# ? Mar 26, 2015 21:39 |
|
The_Franz posted: It means they act as ports on a switch instead of being handled individually by the software. The master port is then what you specify when you want to communicate with all of the slave ports in the switch group.

Yeah, CloudCoreRouter (CCR) units don't allow for slaving, since there is no switch chip. They're a full router and not a Layer 3 switch like the CloudSwitchRouters (CRS) are. This means you can't do VLANs on it which require "/interface ethernet switch vlan" code on CCR units whereas on CRS you can. Little RB750 guys have a switch chip even though they are labeled as routers.
|
# ? Mar 26, 2015 22:03 |
|
Is there a write-up somewhere of what the new features are in RouterOS v6 compared to v5 aside from the changelog?
|
# ? Mar 30, 2015 20:00 |
|
PUBLIC TOILET posted: Is there a write-up somewhere of what the new features are in RouterOS v6 compared to v5 aside from the changelog?

Not really, but to be honest there isn't really a reason to stick with v5. They don't do bug patches for old versions or such; once they started v6 they stopped doing all updates to v5 I think.
|
# ? Mar 30, 2015 20:15 |
|
So I have an RB2011 sitting around that I've been messing with. My background is mostly Cisco with some dabbling in ZyXEL. Trying to set it up via CLI is whaaaack compared to cisco.
|
# ? Mar 31, 2015 01:57 |
|
Prescription Combs posted: So I have an RB2011 sitting around that I've been messing with. My background is mostly Cisco with some dabbling in ZyXEL.

I find that it is really Cisco that is wack but it's just been so dominant for the decades that people are used to wackedness and anything else seems non-normal. I mean no shutdown? Really? gently caress you Cisco. The Linux-y nature of Mikrotik is actually pretty easy to pick up compared to Cisco stuff, mostly because it was made most likely as a reaction to Cisco.
|
# ? Mar 31, 2015 20:35 |
|
Junos
|
# ? Mar 31, 2015 21:03 |
|
Finally got router on a stick working on a trunk to a managed switch with a handful of VLANs.

jeeves posted: I find that it is really Cisco that is wack but it's just been so dominant for the decades that people are used to wackedness and anything else seems non-normal.

I'll admit it is MUCH easier to pick up. I'm digging it now that I'm starting to wrap my brain around the config structure/nuances.
|
# ? Apr 1, 2015 18:27 |
|
Out of curiosity, is anyone using LTE for fail-over on their MikroTik routers? Looking at the supported LTE cards, but I'm not sure if anyone has specific recommendations. I'm thinking in my area the best LTE coverage is likely Verizon or T-Mobile. Is this functionality difficult to configure in RouterOS? I also see some of these devices were tested on certain RouterOS revisions.
|
# ? Apr 3, 2015 03:15 |
|
So kind of unrelated to the RouterOS but moreso on the hardware, I was hoping to get an idea or best cost to link up two houses that are about 150ft apart with LOS. Is it as simple as getting two SXT2Lites and pointing them at each other for the physical aspect? Don't wanna blow money on something that might not work when it first gets cranked up.
|
# ? Apr 15, 2015 02:13 |
|
Atreus posted: So kind of unrelated to the RouterOS but moreso on the hardware, I was hoping to get an idea or best cost to link up two houses that are about 150ft apart with LOS. Is it as simple as getting two SXT2Lites and pointing them at each other for the physical aspect? Don't wanna blow money on something that might not work when it first gets cranked up.

I was going to give this a try with my LOS network I'm going to set up, they look to be about 100 dollars each and that throughput seems pretty incredible. I'd assume you'd get pretty much the maximum rated with only 150 feet to span. https://www.ubnt.com/airmax/nanobeam-ac/
|
# ? Apr 15, 2015 02:35 |
|
That's a tiny gap. Make sure you take into account the Fresnel zone when calculating line of sight; there's a nice tool on the Proxim website for working out the height that you need to get each antenna at. For 150ft though it's going to be tiny. A pair of NanoStation M5 Locos will be more than good enough, and you will have to turn the Tx on each down a lot. If you need more than 100 Mbps of real throughput then look at the ACs ^
|
# ? Apr 15, 2015 08:54 |
|
My experience has been with the Mikrotik routers and I have set them up at home. Checking out the NanoBeam Loco, either M5 or M2, and they look like good products at a good price. Fresnel zone might be difficult to deal with if that's the case. Is it possible to get a different device for a smaller span or has a larger spread? Or am I worrying about nothing?
|
# ? Apr 15, 2015 15:18 |
|
Unrelatedly, I have really been impressed with the Cloud Core 1009. My work has been using the poo poo out of dozens of CRS125 units, but their CPU just isn't good enough to do much more than switching (they are just L3 switches). That's fine for VLAN switching stuff, but where we need actual routing done it is just starting to not cut it. The RB750 units have pretty much the same CPU as the CRS, and until recently they've only had the $1000 model CCR1036 which was pretty overkill for us. The CCR1009 is only like $420 but also has a switch chip on 4 ports too, and an SFP+ along with SFP. It's really nice for a mid-end beefy router, seeing how the 9x1.2GHz CPU and 2GB of RAM is miles above the CRS/RB750's 600MHz CPU and 128MB of RAM. I kind of wish we could go back and sell our like 5-6 CCR1036 units we bought in the last year before the CCR1009 came out. We really don't need much more at our remote sites than this new unit.
|
# ? Apr 15, 2015 16:30 |
|
jeeves posted: The CCR1009 is only like $420 but also has a switch chip on 4 ports too, and an SFP+ along with SFP. It's really nice for a mid-end beefy router, seeing how the 9x1.2GHz CPU and 2GB of RAM is miles above the CRS/RB750's 600MHz CPU and 128MB of RAM

I got a CCR1009 for my home network after my poor little RB493G ended up sitting at 100% CPU usage while trying to push ~100mb/sec of traffic with some packet tagging and routing rules. Same rules, same tagging, 250mb/sec stream, CPU sits at ~8% or so. Thing is a loving beast. And now that glorious Latvian engineering has a chance to unbork all the things they messed up with the Tile chipset, they're remarkably stable.
|
# ? Apr 15, 2015 20:13 |
|
Atreus posted: My experience has been with the Mikrotik routers and I have set them up at home. Checking out the NanoBeam Loco, either M5 or M2, and they look like good products at a good price. Fresnel zone might be difficult to deal with if that's the case. Is it possible to get a different device for a smaller span or has a larger spread? Or am I worrying about nothing?

The Ubiquiti gear is solid. I'd recommend you go for a pair of those itty bitty NanoStation Loco M5's. We use loads of them here at work and they are good gear.
|
# ? Apr 15, 2015 21:17 |
|
|
Methylethylaldehyde posted: I got a CCR1009 for my home network after my poor little RB493G ended up sitting at 100% CPU usage while trying to push ~100mb/sec of traffic with some packet tagging and routing rules. Same rules, same tagging, 250mb/sec stream, CPU sits at ~8% or so. Thing is a loving beast. And now that glorious Latvian engineering has a chance to unbork all the things they messed up with the Tile chipset, they're remarkably stable.

How many things are still limited to one core? Other than general Latvian quirks that seems to be most of the bitching about Tilera based models on their forums. I thought they were going to abandon PowerPC but then the RB850Gx2 came out. Also Normis said the new RB3011 was based on this and I have no idea what it is.
|
# ? Apr 16, 2015 05:29 |