PuTTY riot
Nov 16, 2002
ok, one more question for tonight. I've got a SharePoint site and a staging site, and right now I'm using something similar to:


/ip dns static add name=123.com address=192.168.0.2

to resolve the internal IP. Is there a way to do this outside of DNS? My laptop users have ipconfig /flushdns once in a while. Say 123.com resolves to 123.123.123.123 externally. Can I instead do something like redirect all traffic outbound with a 123.123.123.123 destination to 192.168.0.2?


CuddleChunks
Sep 18, 2004

American Jello posted:

ok, one more question for tonight. I've got a SharePoint site and a staging site, and right now I'm using something similar to:


/ip dns static add name=123.com address=192.168.0.2

to resolve the internal IP. Is there a way to do this outside of DNS? My laptop users have ipconfig /flushdns once in a while. Say 123.com resolves to 123.123.123.123 externally. Can I instead do something like redirect all traffic outbound with a 123.123.123.123 destination to 192.168.0.2?

A NAT rule should do this for you. Set 123.... as the destination address and NAT traffic to that address to 192.x. Something like this:

/ip firewall nat add chain=dstnat action=dst-nat to-addresses=192.168.0.2 \
to-ports=80 protocol=tcp dst-address=123.123.123.123 dst-port=80


That will redirect all port 80 traffic with destination address "123.123.123.123" to your internal server. I think it will work if you leave off the ports specification. I'd prefer to be specific but who knows.
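Added example, written for this post rather than taken from CuddleChunks or MikroTik: the dst-nat rule above plus the second rule that LAN clients need when they are the ones hitting the public address. Assumed names (not from the thread): the LAN is 192.168.0.0/24, the LAN-side interface is called `bridge-lan`, and the site is served on TCP 80 and 443; 123.123.123.123 and 192.168.0.2 are the thread's own placeholder values.

```routeros
/ip firewall nat
# 1. Redirect anything headed for the public address to the internal server.
#    Matching on dst-address keeps the rule narrow: the rest of the LAN's
#    outbound web traffic is not touched.
add chain=dstnat dst-address=123.123.123.123 protocol=tcp dst-port=80,443 \
    action=dst-nat to-addresses=192.168.0.2 \
    comment="hairpin: 123.com public IP -> internal web server"

# 2. Hairpin (loopback) NAT. After rule 1 a LAN client and the server sit on
#    the same subnet, so the server answers the client directly from
#    192.168.0.2 while the client is waiting for a reply from 123.123.123.123
#    and the TCP handshake never completes. Masquerading the client behind the
#    router's LAN address forces the reply back through the router, which
#    then undoes both translations.
add chain=srcnat src-address=192.168.0.0/24 dst-address=192.168.0.2 \
    protocol=tcp dst-port=80,443 out-interface=bridge-lan \
    action=masquerade comment="hairpin: return path for LAN clients"
```

Watch `/ip firewall nat print stats` while a laptop on the LAN loads the site: both counters should move. The price of rule 2 is that the web server's logs show the router's LAN address, not the laptop, as the client for internal users; the `/ip dns static` approach from the question keeps the real client address at the cost of the flushdns problem.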

Roseo
Jun 1, 2000
Forum Veteran

Weird Uncle Dave posted:

There are several different ways to do failover on Mikrotik, but none of them seem to handle the particular weird failure mode I'm trying to cover. Doing failover by just setting two default gateways, and using check-gateway is easy, and often "good enough." I want to handle the possibility that the failure is four or five hops upstream, though. (I work for an ISP and want to handle the rare possibility that all our upstreams are broken, so the end-user could still see everything within our network but not anything beyond that.)

I don't think I can just use a simple ping test to see if Upstream 1 is up, because let's say I ping something like 4.2.2.2. My script tests it, sees it can't ping that IP, switches to the secondary connection, pings, that IP suddenly is pingable again, switches back to the primary connection that's really still broken...

Meanwhile, pinging something like my network's default gateway would have the same problem in reverse if it really is a last-mile outage.

Any suggestions on getting out of this without a bunch of really complicated and fragile scripts?

Set up an ASN and use BGP on your external connections.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
My original question was for one of my residential customers who pays fifty bucks a month for my fixed-wireless service, and wanted to fail-over to a satellite connection. Sorry if that wasn't clear; we do run BGP in the NOC.

No way in Hell you can run BGP over WildBlue. :)

(Turns out he just bought some off-the-shelf failover router, which is just fine by me, though I may still play with this at home, where I have both my employer's service and a DSL line.)

Edit: we actually used to use a PC with RouterOS for our BGP router, worked great, but the boss went all "CALEA compliance!" crazy and this was before they wrote their own CALEA package, so it got replaced with an Imagestream router. May replace the Imagestream with another RouterOS-based PC in the near future to keep up with how big the BGP table is growing...

Weird Uncle Dave fucked around with this message at 22:14 on May 20, 2011

PuTTY riot
Nov 16, 2002
Does anyone have any experience with this guy?
http://www.ubnt.com/unifi

Would you recommend running 2-3 of these in an office of ~25 users? Is there something better I could be running? N over 100mbit seems kind of silly to me, but I guess that's the tradeoff for PoE. The software looks pretty cool. Can I tie it into our (as of now non-existent) AD domain for authentication? Do these do better mounted on the wall or ceiling? Also I kind of dig the smoke alarm look.

CuddleChunks
Sep 18, 2004

American Jello posted:

Does anyone have any experience with this guy?
http://www.ubnt.com/unifi

We have had good luck with their nanostations (with some firmware upgrades) but haven't tried that product out yet.

Roseo
Jun 1, 2000
Forum Veteran

Weird Uncle Dave posted:

My original question was for one of my residential customers who pays fifty bucks a month for my fixed-wireless service, and wanted to fail-over to a satellite connection. Sorry if that wasn't clear; we do run BGP in the NOC.

Edit: we actually used to use a PC with RouterOS for our BGP router, worked great, but the boss went all "CALEA compliance!" crazy and this was before they wrote their own CALEA package, so it got replaced with an Imagestream router. May replace the Imagestream with another RouterOS-based PC in the near future to keep up with how big the BGP table is growing...

Re: your failover question, I'm fairly certain you can specify the outbound interface for pings. You could probably set a dual homed router up with two default routes active simultaneously, and set the preferred connection to have a lower metric. When you start losing ping responses on an interface, you can flip the metric, and the router will then prefer the other route. This means you can do your testing on each interface, leave them up, but the actual internet bound traffic will just go out through the lower metric connection.

I'm not sure, however, how well the Mik scripting stuff would handle this.

As for swapping over to a Mikrotik BGP router, don't be in such a hurry. There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.
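Added example of the approach Roseo describes (a per-interface probe that flips route preference), written here rather than taken from Roseo or MikroTik. It also addresses Weird Uncle Dave's flapping worry with hysteresis: several consecutive failed runs before failing over, and more consecutive good runs before failing back. Assumed names: `pppoe-out1` is the primary WAN, the two default routes carry `comment="wan-primary"` (distance 1) and `comment="wan-backup"` (distance 2), the probe addresses are placeholders to replace with hosts you trust, and the `interface=` option of `/ping` is assumed to be available on your RouterOS version.

```routeros
# wan-check: run from /system scheduler every 30 s or so
:local primaryIf "pppoe-out1"
:local primaryRoute [/ip route find comment="wan-primary"]
# constructed probe list: a run is "up" if ANY of them answers on pppoe-out1,
# so a single far-away host being down does not trigger a failover
:local probes {"4.2.2.2";"8.8.8.8"}
# consecutive bad runs before failing over
:local failLimit 3
# consecutive good runs before failing back
:local okLimit 5

# counters live in globals so they survive between scheduler runs
:global wanFails
:global wanOks
:if ([:typeof $wanFails] = "nil") do={ :set wanFails 0 }
:if ([:typeof $wanOks] = "nil") do={ :set wanOks 0 }

# pinning the probe to the interface is what lets both default routes stay
# active: the probe ignores which route is currently preferred
:local alive 0
:foreach p in=$probes do={
    :if ([/ping $p interface=$primaryIf count=3] > 0) do={ :set alive 1 }
}

:if ($alive = 1) do={
    :set wanOks ($wanOks + 1)
    :set wanFails 0
} else={
    :set wanFails ($wanFails + 1)
    :set wanOks 0
}

:local dist [/ip route get $primaryRoute distance]

# fail over only after failLimit consecutive bad runs ...
:if ($wanFails >= $failLimit && $dist = 1) do={
    /ip route set $primaryRoute distance=10
    :log warning "wan-check: primary failed $failLimit runs, backup route now preferred"
}
# ... and fail back only after okLimit consecutive good runs, so one stray
# reply from a still-broken upstream does not flip traffic straight back
:if ($wanOks >= $okLimit && $dist = 10) do={
    /ip route set $primaryRoute distance=1
    :log warning "wan-check: primary answered $okLimit runs, restored as preferred"
}
```

Install it with `/system script add name=wan-check source=...` and `/system scheduler add name=wan-check interval=30s on-event=wan-check`. The log lines are the part worth keeping: a router that flips twice an hour is telling you the thresholds are too tight for that line, and you can tune `failLimit`/`okLimit` without touching the routes.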

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Roseo posted:

There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.
4.17 or 5.2?

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

quote:

As for swapping over to a Mikrotik BGP router, don't be in such a hurry. There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.

Hm. Lovely. There were no memory issues when we actually used a Mikrotik-running PC for our network's BGP, but that was back in 2.8 or maybe 2.9. Heck, maybe there were issues, but BGP feeds were about half the size they are now, and with 1 GB of RAM in 2005, even if there were a leak it'd probably have been years before anyone noticed.
I think, at the time, they were just using a re-badged Zebra or Quagga, and supposedly at some point they just wrote their own BGP implementation from scratch.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
There's a thread on Mikrotik's website about full feeds on the RB1100. Apparently its CPU has a hard time with the updates. RouterOS on PC hardware appears to be the recommended way. I've been testing openbgpd on OpenBSD and that's been a very workable/inexpensive solution.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
Suppose I have a box with multiple PPPOE DSL connections, thus multiple default routes of equal distance. If I just wanted to balance outgoing traffic, and NAT everything, this would be easy....

The boss' (horrible) plan for this box is to co-lo another box somewhere far away, running a PPTP server, create multiple PPTP tunnels (one per DSL line), run EOIP on those tunnels, bond each of the EOIPs together, bridge the bonded interface with a physical interface on each end, and run BGP over the bridge (remember, the far end is at a co-lo where we can get a plain Gig-E port from any of a couple dozen ISPs).

Sadly, I think I can make this work, except for this part: is it possible to create a PPTP client instance and force that PPTP client to only use a specific interface (say, one on pppoe-out1, another on pppoe-out2, and so on)? If I can do that, the rest of this nightmare should be simple by comparison.

CuddleChunks
Sep 18, 2004

Weird Uncle Dave posted:

Sadly, I think I can make this work, except for this part: is it possible to create a PPTP client instance and force that PPTP client to only use a specific interface

Pretty sure the answer is "no". I checked a live mikrotik and the manual: http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP and see no way to bind the client to a particular interface. :( Sorry.

Roseo
Jun 1, 2000
Forum Veteran

falz posted:

4.17 or 5.2?

4.x for certain. I'm not throwing 5 on anything till it's actually mature. It may be fixed, but I doubt it.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Roseo posted:

4.x for certain. I'm not throwing 5 on anything till it's actually mature. It may be fixed, but I doubt it.
I enabled BGP on a few of them within the last month and haven't noticed any leaks (yet?). How many routes were you feeding it?

4.17 box, ~1000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled between week 21/22 which is where it plateaus:

5.4 box (was 5.0, 5.2) ~5000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled before the first graph but I don't remember exactly when. Odd that memory usage is more steady since it has less RAM and far more routes:

DJ Commie
Feb 29, 2004

Stupid drivers always breaking car, Gronk fix car...
I'm considering running this on a laptop jammed in a waterproof case, running a Sierra Wireless 598U USB 3G modem and traffic out the LAN port on the laptop. It's an ancient Compaq Armada PIII 1GHz with 512MB RAM and an 80GB hard drive. I'd be definitely running the proxy, some QoS, DHCP, and not much more. Thoughts?

Ben Murphy
Sep 9, 2001

I like him in spite of the fact that he's not me.

American Jello posted:



ugh

e: http://whois.domaintools.com/202.57.42.173

http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

I implemented this for FTP/SSH bruteforce attempts against our core routers at work and it's been blocking those jerk-offs rather well. I check the dynamically expanding list of blocked IPs and if I start to see a list growing from the same network (especially from China/Russia) I just add the whole netblock to the block list.

CuddleChunks
Sep 18, 2004

DJ Commie posted:

I'm considering running this on a laptop jammed in a waterproof case, running a Sierra Wireless 598U USB 3G modem and traffic out the LAN port on the laptop. It's an ancient Compaq Armada PIII 1GHz with 512MB RAM and an 80GB hard drive. I'd be definitely running the proxy, some QoS, DHCP, and not much more. Thoughts?

Barring any weirdness on install, this should work very nicely. The hard drive may be the weak point as it's years old and will be nearer the end of its life but no biggie. Just back up your config once you've got it stable and then when that one dies you can throw in an SSD or something and be on your way again.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
While this is a fine idea, why not have a default deny rule to the Mikrotik via the input chain but allow trusted IPs in an address list?
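Added example covering both Ben Murphy's brute-force blocking and falz's trusted-list suggestion in one ruleset. It is written for this thread, modelled on the staged address-list approach described on the MikroTik wiki page linked above, not copied from the wiki, from Ben or from MikroTik. Assumed values: 198.51.100.0/24 is a constructed stand-in for an office network; list names and timeouts are choices, not requirements.

```routeros
/ip firewall address-list
# constructed example of a trusted list: sources that may always reach SSH
add list=mgmt-trusted address=198.51.100.0/24 comment="office (example)"

/ip firewall filter
# 0. Trusted sources skip the staging logic entirely, so an admin on a
#    known network cannot lock themselves out by fat-fingering a password.
add chain=input protocol=tcp dst-port=22 src-address-list=mgmt-trusted \
    action=accept comment="ssh: trusted admins"

# 1. Anything already blacklisted is dropped before the handshake starts.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="ssh: drop brute forcers"

# 2. Staging. add-src-to-address-list does not stop rule processing, so each
#    NEW SSH connection from one source inside a one-minute window moves it
#    up a stage; the fourth connection in that window earns a 10-day ban.
#    A legitimate user makes one connection and ages out of stage1.
#    log=yes on the final step gives the "list growing from one network"
#    signal Ben checks for, straight in /log.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=10d \
    log=yes log-prefix="ssh-blacklist" comment="ssh: stage3 -> blacklist"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="ssh: stage2 -> 3"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="ssh: stage1 -> 2"
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="ssh: first attempt -> stage1"

# 3. What is left is an early attempt from an unknown source: let it in and
#    let the password check decide (this is the rule Ben's road warriors use).
add chain=input protocol=tcp dst-port=22 action=accept comment="ssh: allow"

# 4. FTP on the router itself: the server answers a bad login with
#    "530 Login incorrect", so the wiki's trick is to count those replies.
#    dst-limit lets about ten per minute per client pass; beyond that the
#    client lands on a 3-hour blacklist.
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept \
    comment="ftp: tolerate a few failures"
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment="ftp: blacklist repeat failures"
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop comment="ftp: drop brute forcers"
```

Rule order matters within `chain=input`: the trusted accept and the blacklist drop must sit above the staging rules, and the whole block above any general input drop you already have. `/ip firewall address-list print where list=ssh_blacklist` is the view Ben describes checking; the dynamic entries carry their own expiry, so nothing needs cleaning up by hand.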

DJ Commie
Feb 29, 2004

Stupid drivers always breaking car, Gronk fix car...

CuddleChunks posted:

Barring any weirdness on install, this should work very nicely. The hard drive may be the weak point as it's years old and will be nearer the end of its life but no biggie. Just back up your config once you've got it stable and then when that one dies you can throw in an SSD or something and be on your way again.

Awesome, thanks! The network card is an Intel Pro 100+ anyway, so it works with just about any Linux release. The drive isn't too old, being much much newer than the laptop, but yeah it's really the point of failure. The connection itself is only like 3Mb/1Mb and a 50GB/mo quota so I don't think I'll be caching more than a few gigs, so maybe I'll try for a cheap SSD. If there was a Routerboard that could do this (caching via IDE/CF and USB 3G modem), I'd definitely go for that over a stinky old laptop. Budget would be $250 or so before the cache disk.

DJ Commie fucked around with this message at 20:36 on Jun 5, 2011

Ben Murphy
Sep 9, 2001

I like him in spite of the fact that he's not me.

falz posted:

While this is a fine idea, why not have a default deny rule to the Mikrotik via the input chain but allow trusted IPs in an address list?

Unfortunately my company uses FTP/SFTP to transfer files to clients at different remote locations while on the road. Since we can never be sure what IP they are coming from, and usually they are accessing it from a public Wifi/hotel access which changes IPs frequently, trying to maintain a whitelist would be more hassle than it is worth. We've just about finished our ShareFile-like web portal which will replace this FTP/SFTP system, but until then keeping brute forcers out is a priority.

DJ Commie
Feb 29, 2004

Stupid drivers always breaking car, Gronk fix car...
The RB411/433 range looks to be a good idea for my purpose, though the miniPCI slots and wifi (probably) would be unused. I could just get a 32GB MicroSDHC card for the proxy cache, it'd be more than plenty probably and the read/write is still far over the speed of the Internet connection. I don't think my ISP has anything other than USB modems, since the specific Sierra 598u/Novatel U760 modem is part of the plan. I see they are both supported by RouterOS, so that's good! The less TDP, the better, as I'd love to stay away from fans as I would love to put this in a pelican case or similar. I have 30-50F temp swings, high wind in the deployment area. External antenna for 3G probable, connected via powerline ethernet to a gigabit switch in the house. Routerboard would provide all the network services itself.


edit: Actually I can use ANY device that uses Sprint's 3G network, so if someone has a recommendation for one in MiniPCI/mPCIe or USB that definitely has an antenna connector and can be purchased sans plans of any kind, I'm all ears.

DJ Commie fucked around with this message at 23:00 on Jun 5, 2011

Roseo
Jun 1, 2000
Forum Veteran

falz posted:

I enabled BGP on a few of them within the last month and haven't noticed any leaks (yet?). How many routes were you feeding it?

2x full tables on a RB1000. At ~2 weeks of uptime it's gone from 200 MB ram free to 70 MB free. After another week or two it'll sawtooth for a while, then a week or two after that randomly drop routes, not accept SSH sessions, and generally be crappy till a reboot.

Roseo fucked around with this message at 04:59 on Jun 7, 2011

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

Weird Uncle Dave posted:

Sadly, I think I can make this work, except for this part: is it possible to create a PPTP client instance and force that PPTP client to only use a specific interface (say, one on pppoe-out1, another on pppoe-out2, and so on)? If I can do that, the rest of this nightmare should be simple by comparison.

Following up on myself: If you can't do it, fake it. :)

I was able to get the desired effect here by putting several IPs on the "remote" box, having each PPTP client connect to a different IP, and using policy routing (to force connections to IP1 to use pppoe-out1 as its gateway, IP2 uses pppoe-out2, and so on).

CuddleChunks
Sep 18, 2004

Weird Uncle Dave posted:

I was able to get the desired effect here by putting several IPs on the "remote" box, having each PPTP client connect to a different IP, and using policy routing (to force connections to IP1 to use pppoe-out1 as its gateway, IP2 uses pppoe-out2, and so on).

Nice solution. Now document it so the next poor bastard doesn't wonder what crack you were smoking.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

Roseo posted:

2x full tables on a RB1000. At ~2 weeks of uptime it's gone from 200 MB ram free to 70 MB free. After another week or two it'll sawtooth for a while, then a week or two after that randomly drop routes, not accept SSH sessions, and generally be crappy till a reboot.
Ouch. I wonder if this is architecture-specific? I thought most that ran RouterOS with full tables did so on x86 and not MIPS since the hardware handled it better.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

CuddleChunks posted:

Nice solution. Now document it so the next poor bastard doesn't wonder what crack you were smoking.

As soon as it's all up and running, and the other end of this nightmare is safely racked in a co-lo, a very long article in the in-house wiki will be written. I may try to MS Paint an onion, showing the PPPOE, PPTP, EOIP, bonding, bridge, and finally BGP, just to make someone cry.

krackpot
Apr 24, 2011
Anyone upgrade from 4.17 to 5.4?

What's the process? Backup settings, upgrade, check settings migrated correctly?

CuddleChunks
Sep 18, 2004

krackpot posted:

Anyone upgrade from 4.17 to 5.4?

What's the process? Backup settings, upgrade, check settings migrated correctly?

We have a few units running the 5.x series and that was exactly the process. It wasn't particularly notable now that we're past the 3.x to 4.x license thing. Ooh, I should mention that in the OP.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I've upgraded a few: just uploaded the image, rebooted, and all was fine. Certainly doesn't hurt to /export first.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
I only do the /export if the unit is a real PITA to get to, because I can't recall ever having any upgrade issues.

krackpot
Apr 24, 2011
Still don't trust the 5.x series that much after reading the many threads about people having problems after upgrading.

Does anyone have some sort of hosts file script that they use on their Mikrotik? Have it access and download one of the many updated hosts files on the internet regularly to block malware/stat tracking sites?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
You should be able to easily add DNS entries based on one of those hosts files if your Mikrotik is your DNS server. Unknown if there's a limitation if there's that much data in local DNS though.
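Added example of what falz describes: turning hosts-file lines into `/ip dns static` sinkhole entries on the router. It is written for this post, not taken from falz or MikroTik, and the hosts data is a constructed five-line sample embedded in the script so it runs on its own. In practice you would `/tool fetch` the list and read it with `[/file get hosts.txt contents]`; the caveat falz raises is real in a second way too, because older RouterOS versions return only the first few kilobytes of a file through `contents`, so a large list has to be split or converted to `/ip dns static add` lines off-box and loaded with `/import`.

```routeros
# constructed sample in hosts-file format (CRLF line endings, a comment,
# a localhost entry and one duplicate, to exercise the skip logic)
:local hostsData "0.0.0.0 ads.example.invalid\r\n"
:set hostsData ($hostsData . "0.0.0.0 tracker.example.invalid\r\n")
:set hostsData ($hostsData . "# comment lines and localhost entries are skipped\r\n")
:set hostsData ($hostsData . "127.0.0.1 localhost\r\n")
:set hostsData ($hostsData . "0.0.0.0 ads.example.invalid\r\n")

# where blocked names resolve to; 127.0.0.1 matches hosts-file convention
:local sinkhole "127.0.0.1"
# comment tag so our entries can be told apart from hand-made ones
:local tag "hostsblock"

# start clean so names dropped from the upstream list do not linger
/ip dns static remove [find comment=$tag]

:local pos 0
:local total [:len $hostsData]
:local added 0
:while ($pos < $total) do={
    # cut out the next line
    :local nl [:find $hostsData "\n" $pos]
    :if ([:typeof $nl] = "nil") do={ :set nl $total }
    :local line [:pick $hostsData $pos $nl]
    :set pos ($nl + 1)
    # drop the trailing CR that Windows-style files carry
    :if ([:len $line] > 0) do={
        :if ([:pick $line ([:len $line] - 1)] = "\r") do={
            :set line [:pick $line 0 ([:len $line] - 1)]
        }
    }
    # split "address name" on a space, falling back to a tab
    :local sp [:find $line " "]
    :if ([:typeof $sp] = "nil") do={ :set sp [:find $line "\t"] }
    :if ([:len $line] > 0 && [:pick $line 0] != "#" && [:typeof $sp] != "nil") do={
        :local addr [:pick $line 0 $sp]
        :local name [:pick $line ($sp + 1) [:len $line]]
        # only block-list style lines, and never the localhost entries
        :if (($addr = "0.0.0.0" || $addr = "127.0.0.1") && \
             $name != "localhost" && $name != "localhost.localdomain") do={
            # skip duplicates so the list stays clean
            :if ([:len [/ip dns static find name=$name]] = 0) do={
                /ip dns static add name=$name address=$sinkhole comment=$tag
                :set added ($added + 1)
            }
        }
    }
}
:log info "hostsblock: $added sinkhole entries loaded"
```

With the sample above the log line reports 3 entries (the comment, the localhost line and the duplicate are skipped). Run it from a scheduler after the fetch, and check `/ip dns static print count-only where comment=hostsblock` against the line count of the downloaded file: a large gap between the two is how the truncation limit shows up.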

krackpot
Apr 24, 2011
Anyone tried to get Metarouter to work with OpenWRT to get OpenVPN (with UDP / lzo)?

Apparently the folks at Mikrotik haven't added the options for those two in their own OpenVPN service within RouterOS.

I'm just not understanding the bridging etc to get the OpenWRT MR machine to get onto my regular network.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I installed OpenWRT in a metarouter when the RB1100 first came out. It crashed the entire device so I didn't try again. Hopefully more stable now?

krackpot
Apr 24, 2011
I tried it out on my RB493G and it's hit and miss (edit: I should mention that I'm doing this from RouterOS ver 5.4). Sometimes it locks out Winbox and sometimes I can't access it through the Console. It also does not shut down properly.

I really wish they'd implement the UDP and lzo on their version of the OpenVPN. :S

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
More specifics. Is it pingable? Are you accessing it via LAN or wifi? Do you get an error? Is the ssh/telnet/winbox port responding at the time? etc..

krackpot
Apr 24, 2011
I'm guessing there's a conflict with my bridging etc.

But if I leave it standalone, connecting through the console is hit and miss. I've only managed to login through the console twice.

Winbox is also unstable when running it even as standalone. It will disconnect and refuse the connection. But the internet and everything else remains online and suffers no problems.

I'm not sure if it's the fault of the upgrade to 5.4 or just MetaRouter being unstable in general.

I suppose it's less hassle to have an OpenVPN box behind the Mikrotik without the limitations the devs run into implementing UDP and lzo.

morningdrew
Jul 18, 2003

It's toe-tapping-ly tragic!

I'm delving into the MikroTik world and I'm having a hell of a time with port forwarding. I followed the Anypony guide and although the forwarding works fine (I started with 80 and 443 to an SBS 2011 box and I can access it from the outside no problem) it kills any outgoing traffic to 80 and 443 from inside the network. I'm wondering if I screwed something up elsewhere in Winbox, or if I'm missing something. I'm running 5.5 on an RB750G (it had the same behavior before upgrading it to 5.5). Any help is appreciated.

CuddleChunks
Sep 18, 2004

mono posted:

I'm delving into the MikroTik world and I'm having a hell of a time with port forwarding. I followed the Anypony guide and although the forwarding works fine (I started with 80 and 443 to an SBS 2011 box and I can access it from the outside no problem) it kills any outgoing traffic to 80 and 443 from inside the network. I'm wondering if I screwed something up elsewhere in Winbox, or if I'm missing something. I'm running 5.5 on an RB750G (it had the same behavior before upgrading it to 5.5). Any help is appreciated.

Open up winbox, click on New Terminal on the left.
In the terminal window type: ip fire mang export

Right-click on the window and select "Copy All". Paste that into notepad, clean out any of the boring intro crap and paste the rules you wrote here. That should give us a clear idea of what your rules look like.
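Added example, not from the Anypony guide or from anyone in the thread, of the one thing worth checking first in that export: whether the dst-nat rule is scoped at all. A port-forward rule with no `dst-address` / `in-interface` match applies to every TCP/80 and TCP/443 connection the router forwards, LAN users browsing out included, which produces exactly the "outgoing 80/443 dies" symptom. Assumed names: `ether1-gateway` is the WAN port and 192.168.88.10 stands in for the SBS 2011 box.

```routeros
/ip firewall nat
# WRONG (shown commented out, do not import): nothing limits where the
# traffic came from or where it was going, so a LAN PC opening
# www.example.com:443 is rewritten to the SBS box too.
# add chain=dstnat protocol=tcp dst-port=80,443 \
#     action=dst-nat to-addresses=192.168.88.10

# RIGHT: only connections that arrive on the WAN interface AND are addressed
# to one of the router's own (public) addresses are forwarded. LAN-to-Internet
# traffic never matches either condition.
add chain=dstnat in-interface=ether1-gateway dst-address-type=local \
    protocol=tcp dst-port=80,443 action=dst-nat to-addresses=192.168.88.10 \
    comment="forward web to SBS 2011"
```

Port forwards live in the nat table rather than mangle, so `/ip firewall nat export` (or `/ip firewall export` for everything) is the output to compare against this; `/ip firewall nat print stats` then shows whether the rule's counters climb only when outside clients connect, or on every LAN web request.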


morningdrew
Jul 18, 2003

It's toe-tapping-ly tragic!

CuddleChunks posted:

Open up winbox, click on New Terminal on the left.
In the terminal window type: ip fire mang export

Right-click on the window and select "Copy All". Paste that into notepad, clean out any of the boring intro crap and paste the rules you wrote here. That should give us a clear idea of what your rules look like.

Here's all I got when I did that (I X'd out part of the ID since I'm not sure if that's a license key or not):

code:
[admin@MikroTik] > ip fire mang export
# jun/27/2011 02:21:41 by RouterOS 5.5
# software id = 36R3-XXXX
#
