|
I'm at a loss as to this particular issue I'm having between a MikroTik router and a Raspberry Pi. I'm on 6.38.7 (latest bugfix release) and the Raspberry Pi is (now) current on all updates. Prior to today when I did apt-get upgrades, etc. on the Pi, this wasn't a problem. Everything was fine on the Pi and the MikroTik. However, (now) everything is up to date and for some reason, the Raspberry Pi will not show up in the DHCP lease reservation list on the MikroTik. I've tried everything I can possibly think of/researched online but no matter what I do, the Pi will not show up in the DHCP server lease list. Here's what's wild-- The Pi still works fine. It still has the same IP address it had when it was showing up in the list, still responds on the network, etc. Even more unusual? I will use the IP Scan tool in the MikroTik to scan the bridge interface and voila, the Raspberry Pi appears in the IP Scan list with the correct IP address. So basically the only problem is the Pi will not appear at all in the DHCP server lease list so that I can right-click and set it to static. Even if I manually create a static entry from scratch, it will sit there with a "waiting" status and never bind. This all started after the last apt-get upgrade I did from the Pi and I have no idea what changed in what package.
|
# ? Oct 10, 2017 04:34 |
|
PUBLIC TOILET posted: I'm at a loss as to this particular issue I'm having between a MikroTik router and a Raspberry Pi. I'm on 6.38.7 (latest bugfix release) and the Raspberry Pi is (now) current on all updates. Prior to today when I did apt-get upgrades, etc. on the Pi, this wasn't a problem. Everything was fine on the Pi and the MikroTik.

If this is the standard debian based Raspbian based install, what does /etc/network/interfaces say?
|
# ? Oct 10, 2017 19:29 |
|
Maybe I missed something, but it sounds as if the system still has its IP assigned but has not renewed its lease? Does it use dhclient or something else? Is that process still running? Check out the dhclient man page, you could force it to renew the lease...
|
# ? Oct 10, 2017 19:35 |
|
No idea what changed but now it has magically appeared within the DHCP lease list on the MikroTik (as a dynamic entry.) I've since set it to static with the desired IP, rebooted it and appears to be working.
|
# ? Oct 11, 2017 02:13 |
|
I updated my internet connectivity recently and I discovered that my old Linksys e3000 router running tomato was unable to handle the full speed of the connection. I purchased a Netgear R6700 and received instead an R6700v2 that uses a completely different internal chipset that has no support for third party firmware. So, yeah - Netgear pulled a stunt like Linksys did with the venerable WRT54G. In a fit of rage, I decided that I am done with consumer networking gear and bought a Mikrotik RB3011UIAS-RM to replace the router (along with an Ubiquiti AP lite for wireless). The experience has been almost zen-like watching 300+ Mbps of traffic transiting this device while its cpu usage peaked at maybe 6%. However, I miss one thing from Tomato in particular and I have yet to come up with a good equivalent. Tomato had a very simple interface for accounting traffic against internal IP addresses so that I can see at a glance how much data the devices on my network are using and how much they have used historically. Are there any decent open source/free solutions out there that can get me the data that tomato provided? The only partial solutions I've run across involve setting up something like cacti to poll the router via snmp or using netflow to feed something like nfsen. However, it really only gives me an idea of how much traffic is being used overall - it doesn't help me answer the question of "which device on my network is using the most traffic/how much traffic has it been historically using over relevant time periods like days, weeks, months". Any help or guidance would be greatly appreciated.
|
# ? Oct 11, 2017 17:04 |
|
Does this help? https://wiki.mikrotik.com/wiki/Manual:IP/Accounting You'll probably still need external tools to get good information from it
|
# ? Oct 11, 2017 17:59 |
|
You can also enable graphing per port and segregate traffic by port if needed. I use the accounting in Unifi controller to keep an eye on my WiFi and everything else gets a dedicated port. But, really, does it matter? You can pull connection info from the Mikrotik if something is going crazy. Just pull up active connections and sort by total data.
|
# ? Oct 11, 2017 18:28 |
|
thebigcow posted: Does this help?

Looks like the data is ephemeral so it would require an external tool to scrape the data and the given URL for accessing it via the web interface only works over http. The https://blah/accounting/ip.cfg url returns a 404. I'll probably just write a netflow packet dissector, throw the flow data into a database and put a frontend on that.

FunOne posted: You can also enable graphing per port and segregate traffic by port if needed.

WRT does it matter - yes it does. It's trivial enough to notice if something is going absolutely crazy and identify the culprit but I really want to have the historical information on a per-IP basis available for review after the fact. The Unifi controller does help me manage the wireless stuff since I'm using their AP but it doesn't help with the wired stuff.

alyandon fucked around with this message at 18:45 on Oct 11, 2017 |
# ? Oct 11, 2017 18:31 |
|
alyandon posted:
What about routing each ip through its own child queue and graphing those queues? Maybe that would work? Might have to assign static IPs to everything and write a bunch of rules.
|
# ? Oct 11, 2017 19:09 |
|
FunOne posted: What about routing each ip through its own child queue and graphing those queues? Maybe that would work?

That would probably work but oh man that really sounds like a tremendous PITA to set up and keep updated as devices come and go. At this point it really sounds like writing my own netflow dissector is probably the best route to go unless there is a better open source tool available than nfsen.

Edit: Just for posterity - I'm going to use nfsen for the time being. It's a horrid interface but it does allow you to dump aggregate netflow data over arbitrary time ranges because it maintains mappings of time -> nfcapd files.

alyandon fucked around with this message at 20:29 on Oct 13, 2017 |
# ? Oct 11, 2017 19:28 |
|
Okay so I guess my Raspberry Pi issue is not resolved. I watched the lease expiration time wind down from 3 days (which is what I have the lease time set to overall) and it now says "waiting" under status. Restarted the Raspberry Pi and it still says "waiting", but the Pi is on the network and reachable.
|
# ? Oct 14, 2017 03:34 |
|
Is there anything in your Pi's logs complaining about dhclient not being able to renew the dhcp lease? Not that it solves your problem - but you could always use a static IP address assignment instead of using static dhcp leases.
|
# ? Oct 14, 2017 04:14 |
|
alyandon posted: Is there anything in your Pi's logs complaining about dhclient not being able to renew the dhcp lease?

I'm fairly new to these devices and my GNU experience is minimal. I did try to enable DHCP debug logging, but it didn't create any debug logs within /tmp. I combed through syslog but didn't see anything unusual. It's going to the router, asking for a lease and it gets the correct address. I just don't understand why in the MikroTik it says "waiting". My only thought is it's not passing its MAC ID to the MikroTik so that the MikroTik can say "there's the MAC ID I'm looking for, here's your static address."
|
# ? Oct 14, 2017 15:00 |
|
According to https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server a status of "waiting" means that no client has requested a lease for that static dhcp assignment. It's going to be impossible to tell what's going on without dhclient's logs though. You can always try running dhclient manually from the command line as root and noting its output.
|
# ? Oct 14, 2017 17:01 |
|
Bugfix 6.39.3 is available.

edit: fixes for the WPA2 exploit are in 6.39.3

thebigcow fucked around with this message at 20:07 on Oct 16, 2017 |
# ? Oct 16, 2017 16:59 |
|
I just found out that at&t now offers gigabit fiber at my address, so in a few weeks my old 750GL isn't going to cut it anymore. I'm guessing that an RB3011 should cut it as long as I don't do any heavy traffic shaping. Are there any IPSEC numbers for this device? I can't seem to find anything on Mikrotik's forums and it doesn't do HW crypto acceleration, even though the chip allegedly supports it and they've been "working on it" since it came out 2 years ago.
|
# ? Oct 25, 2017 15:14 |
|
The_Franz posted: I just found out that at&t now offers gigabit fiber at my address, so in a few weeks my old 750GL isn't going to cut it anymore. I'm guessing that an RB3011 should cut it as long as I don't do any heavy traffic shaping. Are there any IPSEC numbers for this device? I can't seem to find anything on Mikrotik's forums and it doesn't do HW crypto acceleration, even though the chip allegedly supports it and they've been "working on it" since it came out 2 years ago.

It will never support it. The new RB1100AHx4 at twice the price is specifically advertised for IPSEC performance.
https://mikrotik.com/product/rb1100ahx4
https://mikrotik.com/product/RB1100Dx4

Otherwise the 850 will get kind of close.
https://mikrotik.com/product/RB850Gx2
|
# ? Oct 25, 2017 16:07 |
|
And in Ubiquiti land there's the EdgeRouter 4 and EdgeRouter 6 on the way, in case you wanted to try a different flavour of bugs.
|
# ? Oct 25, 2017 16:24 |
|
Mister, in this thread we buy hardware from a former Soviet Socialist Republic and we enjoy it.
|
# ? Oct 25, 2017 16:41 |
|
thebigcow posted: It will never support it. The new RB1100AHx4 at twice the price is specifically advertised for IPSEC performance.

I don't actually need anywhere near wire speed IPSEC performance, I was just curious if there were any numbers for the 3011. I only have a couple of IPSEC+GRE tunnels between myself and a couple of relatives so we can easily share files when working on projects (and they're on sub-100Mbps cable) and I like to be able to VPN into my home NAS on occasion. As long as it can achieve full-speed when doing basic SOHO routing duty, that's all I really care about. I know it's underpowered for doing queues at full speed, but I can't imagine needing QoS with gigabit bandwidth.
|
# ? Oct 25, 2017 16:52 |
|
I can't find any information on this, but is it even remotely possible to filter active connections by an IP range? Specifically, within IP -> Firewall -> Connections -> Filter. I want to create a temporary filter that would essentially be:code:
|
# ? Oct 26, 2017 03:56 |
|
VLAN tables are crashing on our access network remote site CRS125s! Time to finally upgrade to Juniper EX2200s or such! I will miss being able to log into a router via Winbox's GUI and see active updates of how much traffic is going through ports and poo poo. Does Juniper have anything close to that, or do you have to have outside monitoring on the ports like Cacti or poo poo constantly polling SNMP? Being my company's lower ranked network guy I am super new to Juniper whereas our main network dude just does BGP and poo poo on the core Juniper and we never really have to log into it to check bandwidth for troubleshooting (how much traffic is going to a remote stub or something that could potentially be bottlenecked by infrastructure radios).
|
# ? Oct 26, 2017 04:32 |
|
Juniper have J-Flow which can get the same thing done
|
# ? Oct 26, 2017 07:42 |
|
PUBLIC TOILET posted: I can't find any information on this, but is it even remotely possible to filter active connections by an IP range? Specifically, within IP -> Firewall -> Connections -> Filter. I want to create a temporary filter that would essentially be:

Not got access to a mikrotik at the moment, so can't say for that specific field but generally netmasks can be used anywhere that a single address can be used. In this case you'd specify "192.168.88.0/24" as the address.
|
# ? Oct 26, 2017 10:00 |
|
robostac posted: Not got access to a mikrotik at the moment, so can't say for that specific field but generally netmasks can be used anywhere that a single address can be used.

The manual says that field also supports a range, try a dash between the addresses. You can also do an address list if you need multiple ranges covered by the same firewall rule.
|
# ? Oct 26, 2017 17:34 |
|
Speaking of address lists: since updating to 6.39.3 address lists with a timeout are disappearing well before they should.

edit: 24 hour timeout disappeared in less than 20 minutes.

edit edit: exactly 14 minutes

thebigcow fucked around with this message at 19:16 on Oct 26, 2017 |
# ? Oct 26, 2017 17:47 |
|
PUBLIC TOILET posted: I can't find any information on this, but is it even remotely possible to filter active connections by an IP range? Specifically, within IP -> Firewall -> Connections -> Filter. I want to create a temporary filter that would essentially be:

/ip firewall connection print where dst-address~"192.168.88"
(Use ~ to do string regex like matching)

Buried in the docs under scripting:
“~” binary operator that matches value against POSIX extended regular expression
Print all routes which gateway ends with 202
/ip route print where gateway~"^[0-9 \\.]*202\$"

Other fun/useful trick command: "in"
/ip route print where dst-address in 192.168.0.0/16
(Gets all routes in the 192.168.0.0/16 subnet)

unknown fucked around with this message at 19:43 on Oct 26, 2017 |
# ? Oct 26, 2017 19:36 |
|
robostac posted: Not got access to a mikrotik at the moment, so can't say for that specific field but generally netmasks can be used anywhere that a single address can be used.

That did it, thanks! Also, as a heads up, trying to filter like this: "192.168.88.1-254" doesn't work. As far as I can tell, the only filters you can use in this instance are exact IPs (192.168.88.123), or a range using the netmask (192.168.88.0/24).
|
# ? Oct 26, 2017 21:10 |
|
unknown posted: /ip firewall connection print where dst-address~"192.168.88"

Ah, okay. Yeah, your second command is what winbox is essentially doing in the instance I mentioned above. I'll have to remember the first command you mentioned, though.
|
# ? Oct 26, 2017 21:11 |
|
PUBLIC TOILET posted: That did it, thanks! Also, as a heads up, trying to filter like this: "192.168.88.1-254" doesn't work. As far as I can tell, the only filters you can use in this instance are exact IPs (192.168.88.123), or a range using the netmask (192.168.88.0/24).

Try 192.168.88.1-192.168.88.254
|
# ? Oct 26, 2017 21:19 |
|
thebigcow posted: Try 192.168.88.1-192.168.88.254

That worked.
|
# ? Oct 27, 2017 03:15 |
|
Is there a way to enable rDNS for IPv6 via winbox? I only see IPv4 attributes and a v6 server is being advertised upstream.
|
# ? Oct 27, 2017 04:10 |
|
Partycat posted: Is there a way to enable rDNS for IPv6 via winbox? I only see IPv4 attributes and a v6 server is being advertised upstream.

There's an option under DHCP client to have it grab DNS that might work. If you know the v6 server address you can put it in the fields under IPv4 DNS. It would have been really great if the people who came up with SLAAC had included DNS.
|
# ? Oct 27, 2017 16:05 |
|
Are there any guides on setting up an ipsec vpn on my rb3011 that are written for mere mortals?
|
# ? Oct 28, 2017 05:33 |
|
alyandon posted: Are there any guides on setting up an ipsec vpn on my rb3011 that are written for mere mortals?

I don't think I ever found a great all in one guide when I was setting that stuff up a couple of years ago. I did a lot of research and did a lab setup on my LAN (with my LAN as the internet and two routers with their own LANs and NAT doing IPSec to each other) prior to setting those up for a business. My issue was getting them to talk to awful netgear routers and then later on to SonicWalls, although once done it wasn't too bad. The only really difficult thing about IPSec is the acronyms for everything and that each brand of router keeps their settings in different configuration screens. Ultimately you want the settings on both sides to be identical to each other (with the local and remote addresses flipped) to get it working.

For Mikrotiks specifically some issues I had were that if you use a domain name (like say one end of the VPN is a dynamic host but you've set up dyndns or somesuch) it won't resolve that automatically, I had to copy and modify someone else's script that checks domain names and updates the IP in the appropriate field if it's changed. You also need to set up NTP for timekeeping since it needs to be pretty accurate on both sides.

Sorry I don't have a good guide handy, I spent a while piecing it all together. Hopefully someone else has a better resource.
|
# ? Oct 28, 2017 08:24 |
|
I guess I'm going to put setting up an ipsec vpn on the backburner until I have time to really spend on research. Just reading over the materials I could find, it really looks like usability hasn't improved much in last 15 years with most documentation very much targeted towards non-road warrior/static ip setups. For now, I'll just continue using openvpn.
|
# ? Oct 31, 2017 19:01 |
|
It's been a while since I've bought a routerboard. I'm looking for the cheapest 2.4ghz AC router with a few gigabit ports. Suggestions?
|
# ? Nov 3, 2017 14:01 |
|
kiwid posted: It's been a while since I've bought a routerboard. I'm looking for the cheapest 2.4ghz AC router with a few gigabit ports. Suggestions?

You need 5ghz bands in order to get AC. All of the really cheap Mikrotik stuff only comes with fast ethernet ports (100mbs) not gigabit. Your two wireless router options with gigabit ports would be:
RB951G-2HnD - 2.4 ghz wifi
hAP ac - AC wifi
|
# ? Nov 3, 2017 14:25 |
|
thebigcow posted: Speaking of address lists: since updating to 6.39.3 address lists with a timeout are disappearing well before they should.

is not bug. is feature.
|
# ? Nov 4, 2017 07:56 |
|
CuddleChunks posted: is not bug. is feature.

try latest rc build. is best build.
|
# ? Nov 4, 2017 16:43 |