|
You should always have a managed switch so you can use VLANs, debug issues on ports, graph traffic with SNMP, and so on.
|
#
?
Nov 9, 2011 00:07
|
|
|
|
| # ? Apr 19, 2024 00:43 |
|
|
I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right. Here are the NAT rules in question (for forwarding ssh, http, and svn to an internal server): code:Earlier in the thread, I saw someone suggest specifying a dst-address, but my external IP address is dynamic, so that won't work unless I want to update the rules every time my IP changes. Suggestions? Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes. Thoom fucked around with this message at 06:31 on Nov 20, 2011 |
|
#
?
Nov 20, 2011 06:21
|
|
|
Thoom posted:I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right. code:I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this: code:Thoom posted:Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes. falz fucked around with this message at 16:37 on Nov 20, 2011 |
|
#
?
Nov 20, 2011 16:30
|
|
|
falz posted:I've only ever dealt with static IPs. It's possible that your router may have to run a script to figure out your new IP or use a dyndns type of service. I've got a script checking my public IP every minute and updating the dyndns service if necessary. Is there a way to introduce a variable to the NAT rules, or would I need to have the script delete and re-create them each time? quote:In my example below 1.2.3.4 is the public IP here. I'm also a fan of address lists hence the use of them: What does this rule do? quote:I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this: It looks like I'm going to have to read up on what these chain things are and how they work.
|
|
#
?
Nov 20, 2011 19:31
|
|
|
That rule is the 'general outbound NAT' rule. RouterOS has its own scheduler so you write a script and schedule it to run at whatever frequency you choose. Chains are just a Linux iptables thing. The reason I have a 'jump to customer' rule then the rest of the rules in 'customer' is only because that's what Mikrotik does if you enable the default firewall rules (at least in older versions such as 3.x). It's always worked fine so I've always used that in my config template.
|
|
#
?
Nov 21, 2011 02:23
|
|
|
I figured it out. A successful port forwarding rule with a dynamic IP looks like this:code:I have some more questions, if you don't mind. Is it the case that the drop rule flags the packet for being dropped, but it still continues down the chain in case there's a later accept rule? Or do both drop and accept end the chain immediately? The documentation isn't very clear on this. Also, the 'customer' chain looks like it continues from the 'forward' chain, but wouldn't packets bound for an internal server be pointed at the router's WAN IP and thus get dropped by the 'input' chain? code:faiz posted:That rule is the 'general outbound NAT' rule. How does that rule differ from code:I very much appreciate all the help. I'm new to doing networking at this kind of low level.
|
|
#
?
Nov 21, 2011 06:08
|
|
|
Hey y'all. Searched the thread but didn't come up with anything. Is there an easy guide to QoS somewhere? I just need to throttle one system by MAC address. It's a PS3, and when Netflix is fired up it destroys the wireless connection.
|
|
#
?
Nov 29, 2011 00:30
|
|
|
I did some googling and found some info on a Mikrotik forum thread about throttling netflix and other long-haul port 80 traffic but lordy. An easy QoS guide? No such thing. At least, not that I've bumped into. I'll see if I can cobble together some basic instructions for the case you've mentioned.
|
|
#
?
Nov 30, 2011 01:16
|
|
|
CuddleChunks posted:I did some googling and found some info on a Mikrotik forum thread about throttling netflix and other long-haul port 80 traffic but lordy. An easy QoS guide? No such thing. At least, not that I've bumped into. I'll see if I can cobble together some basic instructions for the case you've mentioned. Awesome, all I really want is to throttle one MAC address, even if it's all traffic to that address.
|
|
#
?
Nov 30, 2011 01:32
|
|
|
Does it have to be a MAC address? It would be pretty easy to configure either a simple queue or some PCQ for a certain IP. Layer 2 QoS requires much more fiddling.
|
|
#
?
Nov 30, 2011 10:56
|
|
|
Weiz posted:Does it have to be a MAC address? It would be pretty easy to configure either a simple queue or some PCQ for a certain IP. Layer 2 QoS requires much more fiddling. That should work just fine
|
|
#
?
Nov 30, 2011 13:58
|
|
|
Okay, this is driving me insane, and fast. No idea what happened Sunday night, but my wireless starting behaving oddly, so I rebooted the modem and the Mikrotik RB793G router. After, nothing would connect to the Internet. So, I wiped the settings and did it again, still nothing. Concerned that I screwed up something with that, I pasted my export from right after I set it up before. Still nothing. Said screw it, and plugged in an old Netgear router. At first it wouldn't get an IP address, but if I rebooted the modem, it would. Today on a whim, I plugged the Mikrotik into the Netgear and ran a cable to my laptop so I could test it while having internet access. If I shut off wireless and used the cable, it worked. Unplugged everything, plugged the Mikrotik directly to the modem, turned it all back on, nothing. What the gently caress. modem - mikrotik - computer = no internet access modem - netgear - mikrotik - computer = internet access Image of the settings: http://dl.dropbox.com/u/7932649/mikrotik2.jpg Export file: http://dl.dropbox.com/u/7932649/mikrotik%20wtf2.txt Please help! I don't know what I'm doing wrong, and I'd like to know what's wrong so that I come away from this having learned something, not just having fixed it. Alarbus fucked around with this message at 03:32 on Dec 1, 2011 |
|
#
?
Dec 1, 2011 03:29
|
|
|
alg posted:That should work just fine Simple queue will be the easiest to set up: http://www.mikrotik.com/documentation/manual_2.5/Basic/Queue.html#ip_queue_simple
|
|
#
?
Dec 1, 2011 03:39
|
|
|
Alarbus posted:Okay, this is driving me insane, and fast. No idea what happened Sunday night, but my wireless starting behaving oddly, so I rebooted the modem and the Mikrotik RB793G router. After, nothing would connect to the Internet. So, I wiped the settings and did it again, still nothing. Concerned that I screwed up something with that, I pasted my export from right after I set it up before. Still nothing. Said screw it, and plugged in an old Netgear router. At first it wouldn't get an IP address, but if I rebooted the modem, it would. If ether1 is your WAN port it shouldn't be bridged with your wlan and switch ports. Try taking it off of bridge1.
|
|
#
?
Dec 1, 2011 05:46
|
|
|
CuddleChunks posted:I did some googling and found some info on a Mikrotik forum thread about throttling netflix and other long-haul port 80 traffic but lordy. An easy QoS guide? No such thing. At least, not that I've bumped into. I'll see if I can cobble together some basic instructions for the case you've mentioned. This is the thread I'm reading about throttling netflix bandwidth. http://forum.mikrotik.com/viewtopic.php?f=2&t=47865 Ignore the sperging about FCC regulations and such from people who don't know what the hell they are talking about and focus in on the mangle rules being added. If that's not enough to get you going I'll see if I can write up something a little more specific. What you should do for your own sanity is give your PS3 a static IP on the network. You're going to love this though - go to IP -> DHCP-Server -> Leases and find the MAC of your PS3. Click the "Make Static" button at the top of winbox. Ta-da, static DHCP lease so now when you write your firewall rules you know exactly which IP to reference.
|
|
#
?
Dec 2, 2011 20:00
|
|
|
Yea, I gave it a static lease and used that Simple Queue posted above. Worked great. Thanks Microtik thread 
|
|
#
?
Dec 2, 2011 20:06
|
|
|
The_Franz posted:If ether1 is your WAN port it shouldn't be bridged with your wlan and switch ports. Try taking it off of bridge1. Delayed response due to travel, but thanks! This was it. Also, not testing when Comcast is being stupid is pretty helpful.
|
|
#
?
Dec 5, 2011 22:23
|
|
|
Grumble just got a RB751U that seemed to post fine (showed the wifi AP) and then proceeded to start the LED flash of death. Not a great first step in testing for a massive rollout. edit: and the reseller is out of stock till late December arggg.
|
|
#
?
Dec 6, 2011 21:03
|
|
|
Allegedly there's a fix where you plug in a highervoltage power supply to kick it back in to shape. I'd check the MikroTik forums first though.
|
|
#
?
Dec 7, 2011 00:39
|
|
|
falz posted:Allegedly there's a fix where you plug in a highervoltage power supply to kick it back in to shape. I'd check the MikroTik forums first though. Yeah not going to risk that got an RMA so, but it looks like rOc-nOc has every single one (865 in stock).
|
|
#
?
Dec 7, 2011 07:19
|
|
|
What is recommended for a home network with N wifi? The RB751 seems the obvious choice, but it is not a gigabit device. If I want to have gigabit should I use an RB450G? And then some sort of wifi AP? The Ubiquiti PowerAPN was mentioned on the first page of this thread. I have a consumer Buffalo router with G wifi that has an antenna that is hanging by its wire and a bad habit of freezing every time I surf a little too hard. I am in a NETWORKING TECHNOLOGIES program (CCNA mill) and would like something to mess about with.
|
|
#
?
Dec 8, 2011 05:11
|
|
Associate Christ
|
I decided on the RB751 and have been very happy with it. I used to work for an ISP that used Mikrotiks pretty heavily, but this is the first time I've had one at home. I feel like it justified its purchase immediately when I was uploading my music to iTunes Match. My entire connection was capped out. No option in iTunes to limit bandwidth. I fired up Winbox, opened torch, grabbed the destination IP, and added a simple queue, capping the upload to 500kbps. So easy and awesome.
|
|
#
?
Dec 8, 2011 06:59
|
|
|
Viktor posted:Yeah not going to risk that got an RMA so, but it looks like rOc-nOc has every single one (865 in stock). An RMA is the right thing in this case but yeah there is a trick where you put on a higher voltage power supply, let the unit boot, then take it back to stock and it somehow fixes it. One of the guys at work was remarking about this and another guy at work who bought the same unit you had ended up doing this voltage swap trick. The units are rated from 12 - 48V on their inputs because they rule so loving hard. Not like some routers I'm not going to name that don't have a goddamn fuse in them so when you mistakenly plug a higher voltage power supply in, ha ha there goes $600USD up in a whiff of blue smoke.
|
|
#
?
Dec 8, 2011 08:24
|
|
|
Kaluza-Klein posted:What is recommended for a home network with N wifi? I'm more or less in the same boat and have been for some time. The RB751 sounds perfect for me, but ideally I'd like internal gigabit switching. I suppose one could just connect a gigabit switch to one of the ports on the Mikrotik but that's kind of a half-rear end solution. Are there plans for something like an RB751G? I can't remember.
|
|
#
?
Dec 12, 2011 16:54
|
|
|
COCKMOUTH.GIF posted:I'm more or less in the same boat and have been for some time. The RB751 sounds perfect for me, but ideally I'd like internal gigabit switching. I suppose one could just connect a gigabit switch to one of the ports on the Mikrotik but that's kind of a half-rear end solution. Are there plans for something like an RB751G? I can't remember. Maybe I am being dumb, but isn't the other problem with that setup that N wifi is faster than fast ethernet? You are effectively limiting fancy N wifi to 100Mbit/s, rite?
|
|
#
?
Dec 12, 2011 19:06
|
|
|
COCKMOUTH.GIF posted:I'm more or less in the same boat and have been for some time. The RB751 sounds perfect for me, but ideally I'd like internal gigabit switching. I suppose one could just connect a gigabit switch to one of the ports on the Mikrotik but that's kind of a half-rear end solution. Are there plans for something like an RB751G? I can't remember. They are coming out with a 751G although the only known timeframe is "coming soon". The RB2011 devices should be shipping in a couple of weeks as well, some configurations of which will offer gigabit switching with wireless hardware built-in. It's probably going to cost a bit more than the 751 devices though. Kaluza-Klein posted:Maybe I am being dumb, but isn't the other problem with that setup that N wifi is faster than fast ethernet? You are effectively limiting fancy N wifi to 100Mbit/s, rite? I'm guessing that the logic is "most people won't use the wired ports anyways and ISP speeds generally don't go above 100Mbps". The_Franz fucked around with this message at 22:45 on Dec 12, 2011 |
|
#
?
Dec 12, 2011 22:40
|
|
|
The_Franz posted:I'm guessing that the logic is "most people won't use the wired ports anyways and ISP speeds generally don't go above 100Mbps". Also, wireless spectrum is divided among the number of active clients connected, so 3 people connected to 150mbps wifi-n get ~50mb each, whereas 3 people connected to a 1gb switch can have 1gb each to other switch ports.
|
|
#
?
Dec 13, 2011 17:51
|
|
|
CrazyLittle posted:Also, wireless spectrum is divided among the number of active clients connected, so 3 people connected to 150mbps wifi-n get ~50mb each, whereas 3 people connected to a 1gb switch can have 1gb each to other switch ports. Yeah, I suppose for most purposes gigabit is not usually a factor. I have a wired file server that copies files to a single wireless device on the LAN and I think gigabit might actually be effective, but I guess it is a very limited use case. Also, what technically is an active client? If some clients are idle, does a single active client get closer to full bandwidth, or is bandwidth divided between connected devices no matter what? Also also I have an RB450G in the mail I am excited. I wonder how many days it will take me to figure it out :o.
|
|
#
?
Dec 13, 2011 18:13
|
|
|
Kaluza-Klein posted:Also, what technically is an active client? If some clients are idle, does a single active client get closer to full bandwidth, or is bandwidth divided between connected devices no matter what? Think of wifi as talking in a room full of people, and only one person can talk at a time, but everyone else can listen. Switched wired networks is like each person having a direct telephone line to every other person in the room, and each person can talk/listen at the same time. Another option for people who want wifi with a gig backbone, is getting a RB750G as their router, and then using another RB wifi access point connected to it. *shrug* CrazyLittle fucked around with this message at 19:34 on Dec 13, 2011 |
|
#
?
Dec 13, 2011 19:32
|
|
|
Woah, this post brought to you by an RB450G! I have so many questions. . . I am using this for a home LAN, btw. This device has 5 ports. One port is designated for the WAN input, and the other 4 are just to be used as a switch for the LAN. The device worked right out of the box with the default config, but also I tried to scrap that and use the anypony guide (http://users.moscow.com/groovydave/mt/) to get it going from scratch on my own. That sort of got me there, but the dhcp server never seemed very happy. 1. The default config differs from the anypony guide in that it does not have you set a master port and slave ports for the switch. Reading the mikrotik wiki on the switch chip (http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features) it seems like doing the master/slave format is more efficient, as traffic on the LAN never has to be processed by the router cpu. Is this correct? I am not sure what the default config is doing. I think it bridges all the ports? If I do use the switch chip with master/slave, I don't want to switch-all-ports, right? As eth1 is going to be the WAN input and doesn't need to be switched? 2. Also, the default config creates some firewall filters that anypony doesn't touch on: code:3. Also, I set the services to only be reachable from the LAN. I think: code:I think that is all for now! I am sure to have many questions about QoS coming up.
|
|
#
?
Dec 17, 2011 21:31
|
|
|
Kaluza-Klein posted:1. This is true, but if you're doing anything else at all to the traffic (like, say, QoS'ing it, as you've mentioned) it won't work. You might as well just get rid of the switching stuff and go straight to creating a bridge interface and sticking ether2-ether5 in there now. quote:
First, note that these rules are all for the "input" chain. Since Mikrotik is, internally, Linux, it helps to know a bit about how Linux does its firewalling. The "input" chain is for traffic destined for the router itself, and nothing else; the "output" chain is for traffic leaving the router itself. Anything you want to do for traffic going through the router, you have to add to the "forward" chain. Anyway, the above rules allow ICMP traffic (including pings) to the router itself on all interfaces, then allow "established" and "related" traffic to the router itself that comes in on ether1, then drops everything else. This only affects traffic to your router on ether1 (presumably the WAN IP), and nothing else. Pretty much the equivalent of not allowing any sort of remote access to the WAN port. I'm not sure about the last question, since I don't have a unit handy.
|
|
#
?
Dec 18, 2011 22:14
|
|
|
Weird Uncle Dave posted:Since Mikrotik is, internally, Linux, it helps to know a bit about how Linux does its firewalling. The "input" chain is for traffic destined for the router itself, and nothing else; the "output" chain is for traffic leaving the router itself. Anything you want to do for traffic going through the router, you have to add to the "forward" chain. So let's say you have computer A outside your network, and computer B inside your network. If A wants to open a connection to B, is that request handled by the input chain or the forward chain? If the latter, how does that work, since the packet is technically bound for the router's public IP?
|
|
#
?
Dec 18, 2011 22:45
|
|
|
Input is just for traffic destined to IP addresses on your router, so router protection such as permitting management from trusted networks, allowing pings for troubleshooting, blocking the rest.
|
|
#
?
Dec 18, 2011 23:13
|
|
|
Thoom posted:So let's say you have computer A outside your network, and computer B inside your network. If A wants to open a connection to B, is that request handled by the input chain or the forward chain? If the latter, how does that work, since the packet is technically bound for the router's public IP? Usually, that would be handled by the NAT and connection-tracking rules. Assuming you have the usual home NAT rule - technically a "source" NAT rule (as opposed to "destination" NAT) - the router will already know that B requested to talk with A on port X, and when traffic from A on port X comes in, it'll rewrite it and send it on to B. I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going.
|
|
#
?
Dec 18, 2011 23:25
|
|
|
Weird Uncle Dave posted:Assuming you have the usual home NAT rule - technically a "source" NAT rule (as opposed to "destination" NAT) - the router will already know that B requested to talk with A on port X, and when traffic from A on port X comes in, it'll rewrite it and send it on to B. Weird Uncle Dave posted:I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going.
|
|
#
?
Dec 18, 2011 23:32
|
|
|
Weird Uncle Dave posted:I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going. http://wiki.mikrotik.com/wiki/Manual:Packet_Flow There isn't one single flowchart that describes this scenario, but the order of events here, I believe is: Input Interface -> Not a bridge -> Prerouting Prerouting has Connection Tracking, Mangle Prerouting, and Destination NAT. I am not sure which combination of those that a reply packet to an established masqueraded session will be touched by, but by the time the packet exits the Prerouting phase, it's destination is now the internal private IP instead of the public external IP of the router. Next is the routing decision, and because the destination IP is now the private internal address, it is sent to the Forwarding phase instead of the Input phase. The Forward phase contains the Filter Forward step, so that is where the filter rules will be checked, and then you finish up with Postrouting and any extra Bridging.
|
|
#
?
Dec 19, 2011 01:09
|
|
|
Does this help?
|
|
#
?
Dec 19, 2011 02:52
|
|
|
Weird Uncle Dave posted:This is true, but if you're doing anything else at all to the traffic (like, say, QoS'ing it, as you've mentioned) it won't work. You might as well just get rid of the switching stuff and go straight to creating a bridge interface and sticking ether2-ether5 in there now. Hey! Thank you for your help. Sorry about my delay in replying, holidays and all that. . . I am not sure I understand why switching doesn't allow QoS, etc. See this image: http://wiki.mikrotik.com/wiki/File:Switch4.png So I couldn't do QoS on traffic that never leaves the LAN, but if a LAN host wants to talk to the WAN, I can QoS that, right? Since this is just for a home network, I can't say that there is a whole lot of steady traffic bumping around the LAN side by itself. Am I completely misunderstanding this? Two new questions! I have what claim to be CAT6 cables connecting my PC to the 450G, but it rarely shows a gigabit connection. When first plugged in the PC reports gigabit, but it seems to drop to 100Mbit after dhcp, or something. I have no idea how to trouble shoot this. Looking at the awesome diagram from feld, I "get" the forward/input/output chains now, I think. Trying to do QoS on ssh traffic: code:
|
|
#
?
Dec 21, 2011 23:46
|
|
|
Is your mark rule triggering? Check the firewall tab in Winbox (my preferred way to puzzle these out). Look at the packet count and when you try to make an SSH connection does the rule up its count by one? I think you might need to set the rule to chain=forward for things to trigger on marking the packet. For the QoS rule I usually set a lower bound of guaranteed bandwidth using the limit-at setting. Then the max-limit locks an upper bound for bandwidth.
|
|
#
?
Dec 22, 2011 06:49
|
|
|
|
| # ? Apr 19, 2024 00:43 |
|
|
CuddleChunks posted:Is your mark rule triggering? Check the firewall tab in Winbox (my preferred way to puzzle these out). Look at the packet count and when you try to make an SSH connection does the rule up its count by one? Ah, I am actually getting somewhere with this now, thank you! You are correct that the mangle rule needed to use the forward chain, not the output chain. Then action is seen on the rule when I ssh. Nothing was seen on the queue tree, however, until I again changed the mangle rule, switching mark-connection to mark-packet. Now the queue tree lights up as well! So now it appears to be working, but I am not 100% sure things are all that faster. What I have created is only affecting the outgoing packets, correct? They are not affecting incoming packets? Also also, this further highlights my misunderstanding of input/output/forward chains. When I looked at feld's chart, I was imagining that traffic that never leaves the LAN doesn't even come into play there, and then any traffic from the LAN that has to travel over to the WAN side enters where it says "Socket and Output routing". Now I see that that is really saying locally generated traffic, ie traffic generated by the router itself, and that all traffic enters the router on the top left, both WAN and LAN. Am I getting closer now? Also, for the QoS, I really did pull those limit numbers out of my rear end. I have no idea what they really need to be :/
|
|
#
?
Dec 22, 2011 14:47
|
|