I just started work at an ISP and they've got tons of Mikrotik stuff, so discovering there is a whole thread on here about it is awesome!

# Apr 20, 2013 20:32

Does anyone know if Mikrotik routers can be made into firewalls that are just straight pass through devices without changing the IP addresses of the things behind it? This is a request coming in from a client who may be asking for something that is impossible to do, but I thought I would ask here first.

# Dec 9, 2013 20:36

> Caged posted: Isn't that called not using NAT?

Yeah, but they want it to be a firewall as well, and I was curious if Mikrotiks could do both (non-NAT + controllable firewall).
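One way to build the pass-through firewall asked about above, as an added example rather than any config from this thread: two ports bridged with no NAT rules at all, and the bridge told to hand forwarded frames to the IP firewall. The port roles, the management address and the published host's address are constructed assumptions.

```routeros
# Added example (not from the thread): a RouterOS box as an in-line, non-NAT firewall.
# ether1 faces upstream, ether2 faces the protected hosts; both sides keep the
# addresses they already have, the bridge just sits between them and filters.
/interface bridge
add name=br-inline protocol-mode=none comment="transparent filtering bridge"
/interface bridge port
add bridge=br-inline interface=ether1 comment="upstream side"
add bridge=br-inline interface=ether2 comment="protected side"

# Management address for the box itself (constructed value, not a real site).
/ip address
add address=203.0.113.2/29 interface=br-inline

# Without this setting bridged frames never reach /ip firewall filter.
/interface bridge settings
set use-ip-firewall=yes

# Deliberately no /ip firewall nat rules: nothing behind the bridge is rewritten.

/ip firewall filter
# Replies to connections the firewall already allowed.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Protected side may start anything outbound.
add chain=forward in-bridge-port=ether2 action=accept \
    comment="protected side initiates"
# Only HTTPS from upstream to the one published host (constructed address).
add chain=forward in-bridge-port=ether1 protocol=tcp dst-port=443 \
    dst-address=203.0.113.10 action=accept comment="inbound HTTPS to web host"
add chain=forward in-bridge-port=ether1 action=drop \
    comment="everything else from upstream"

# The firewall's own management: only reachable from the protected side.
add chain=input connection-state=established,related action=accept
add chain=input in-bridge-port=ether2 protocol=tcp dst-port=8291 action=accept \
    comment="Winbox from inside only"
add chain=input in-bridge-port=ether1 action=drop comment="no management from upstream"
```

Because the box never rewrites addresses, the hosts behind ether2 keep their existing public IPs and the only change they see is which inbound connections get through.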

# Dec 9, 2013 22:55

I have a Procurve with this config:

code:

I've gotten most of this to work due to sheer poking around on the router, but I am curious what the tagged/untagged equivalent command is on Mikrotiks?

# Jan 8, 2014 06:08

I'm pretty new with Mikrotik + VLANs, so thanks for the help. I basically got dumped this project from my lead engineer, who has years of experience with Cisco/Procurve type stuff, and he said "Figure out VLANs on Mikrotik because I don't want to!" Here's what I did with bridges to get ether1 connected to VLAN1 out to the internet:

code:

I'll look into the switching thing, but I'm still trying to wrap my head around doing tagging/untagging with all of this.

Edit: Talked to the guy who dumped this on me, and it looks like the Procurves he uses only ever use one trunk/upstream port. So doing the hardware switching is probably the way to go.

jeeves fucked around with this message at 21:46 on Jan 10, 2014

# Jan 10, 2014 20:13

> zennik posted: If you want, draw up a basic rundown of how you want it configured and I can help you with a config.

Basically I need to have this set up:

- ether1, and ether3-ether8 on VLAN id 1, with this VLAN being the gateway/upstream/trunk. I already figured this out via my usage of bridging in my above code, but since there will only be one upstream/trunk per CloudRouter, using the hardware switching is probably better. (This is because these CR are being prepped to replace the more expensive/older Procurve units.) Port one has an IP address of the router, and the upstream won't connect unless it is on VLAN1.
- ether2 has another VLAN, in this instance VLAN id 8. It is to be the downstream routed VLAN to a customer, specifically with a /30. They want more after this (a /29 hanging off of that /30), but I want to try to wrap my head around this before going further.

I think once I figure out the translation of tagging to Mikrotiks I can probably figure out the rest. Here's the exact Procurve setup that this Mikro is supposed to emulate (with the snmp crap taken out this time):

code:

jeeves fucked around with this message at 03:21 on Jan 12, 2014

# Jan 12, 2014 03:19

CloudRouter Switch. I left it at work, but I can get a complete model number on Monday. I think all CRS are somewhat the same, RouterOS functionality-wise, right?

# Jan 12, 2014 05:11

> Wolf on Air posted: I recently heard from a friend who has a CRS that they couldn't get VLAN poo poo working on it properly at all (leaking traffic all over), and after a while Mikrotik support told him that they hadn't actually gotten around to implementing all the parts in the backend that are exposed in the UI, so what happens is, the function for not forwarding prohibited traffic (or whatever he meant, I'm not actually sure) to all VLANs is working, but not the associating-ports-with-VLANs part, so if you do that, you're going to lose all connectivity.

Well, that is disheartening, especially since a whole bunch of CRS purchases for my company are basically hinging on me figuring out this VLAN stuff ASAP, even though I've already heard from 2 other people in person that "Mikrotiks are great... for everything other than VLANs." Is there anything in writing from Mikrotik forums or such about this issue that I can present to my superiors?

# Jan 14, 2014 23:58

> falz posted: I was going to say the same thing, then realized that 'cheap copper gig ports' is the reason for tikswitch.

This is the reason my job (a local ISP branching out into heavy wireless infrastructure work) wants to use Mikrotik: a cheap gigabit switch that can maybe do router things. Basically they're trying to stop relying on Procurve 2980s and such.

# Jan 15, 2014 02:41

Thanks for the code, zennik. It's really helpful to have some sort of starting code to work with to show my superiors on this project, instead of just being like "well I couldn't really get it to work but everyone says it sucks anyhow so let's just keep using Mikrotiks for just the small stuff like routers in front of customers' office ports and/or switches off of wireless points of presence."

And yeah, this whole project is basically my superiors wowed by how cheap RB750s are for small things, and "Oh gently caress they make CRS now for only $200? We should replace ALL OF OUR PROCURVES WITH THESE DUE TO $$$$$$$$$$" which is a bit scary to me.

# Jan 16, 2014 06:12

I couldn't get the above switch code to work, probably because I failed to mention that ether1 was going to be the trunk port that VLAN1 was going through. I got the trunk port to work with bridging at least; I just need to figure out if ingress/egress-vlan-translation and tagged-ports for vlan-ids work with bridging. Or maybe just try to convert the below to switch code versus bridge code.

Here's the bridge code that I used to get ether1 on VLAN1 and out to see the world, but now I need ether2 on VLAN8 to see the world through VLAN1/ether1:

code:

code:

jeeves fucked around with this message at 20:13 on Jan 17, 2014

# Jan 17, 2014 19:31

Oh hey, this thread. I got my issue to work with VLANs, basically I had to set up a bridge to get the router itself to have an IP address to log in through, and then had to set up a switch code to have the vlans trunk through the main port.

# Jan 28, 2014 00:43

Next Mikrotik quandary: is it possible to have multiple networks share one trunk? Currently I have like 3 Mikrotiks, each feeding a different office. So each Mikrotik has a single upstream (with an individual network IP) and 4 DHCP addresses. I'm trying to consolidate these Mikrotiks into a single Cloudrouter. My gut tells me they can all share a single upstream, but I know the easiest way to do this is to make a dedicated upstream for each of the consolidated Mikrotiks in the CRS. Basically instead of:

code:

code:

jeeves fucked around with this message at 00:48 on Feb 4, 2014

# Feb 4, 2014 00:44

> kiwid posted: Maybe I'm misunderstanding your post but what you're describing is exactly vlans.

It's been a long day and I guess I didn't know how to describe what I was looking for, especially since I know gently caress all about VLANs (as my previous posts show). I basically want to try to compress a bunch of other smaller RB750s into one CloudRouter, but save as many ports as I can by having only one WAN port on the CRS instead of one per RB750. The sub networks that the RB750s used to be on need to stay completely different (hence the easy but dumb solution of preserving the old RB750s' WAN ports on the CRS), but I figure I'd try to save some ports and have only one WAN port. If I was breaking all of the small networks (with their own WAN IPs) into VLANs from the shared WAN port, how would I get it to route the traffic to specific subnets?

Basically I currently have a managed switch giving out IPs, which go down to individual WAN ports on a bunch of RB750s. The RB750s then split those off into DHCP internal IPs for the office jacks that it serves (one RB per office). I'm trying to consolidate all of those RBs into one CRS, with maybe just one WAN port, but no VLAN trunking pushed down from the original managed switch. I may be describing this incorrectly, as by the end of today I couldn't even get the CRS to route traffic from a WAN port to a bunch of NAT'd DHCP ports (trying it the dumb way of having one WAN per subnet), even though the setup was pretty much mirroring what I do on a working office upstream RB750. So yeah, I may be missing something simple here.

Edit: I should probably take this quandary to a networking thread, as it is more general VLAN planning than Mikrotik specific.

jeeves fucked around with this message at 17:03 on Feb 4, 2014
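The one-WAN consolidation described above, as an added example and not a config from this thread or from Mikrotik: each office stays on its own routed port with its own subnet and DHCP server, one masquerade rule covers the shared WAN, and the filter keeps the offices from reaching each other. Port roles, subnets and names are constructed assumptions; the office ports must not be slaved to a master-port or bridged together, or the switch chip forwards between them underneath the firewall.

```routeros
# Added example (not from the thread): one CRS doing the job of several RB750s.
# ether1 = the single shared WAN; ether2 and ether3 each serve one office.
# Each office port is a plain routed port (no master-port, no shared bridge),
# so all office-to-office traffic has to cross the CPU and the firewall.
/ip dhcp-client
add interface=ether1 disabled=no comment="shared WAN, address from upstream switch"

# One private subnet per office (constructed ranges).
/ip address
add address=10.0.10.1/24 interface=ether2 comment="office A"
add address=10.0.20.1/24 interface=ether3 comment="office B"

/ip pool
add name=pool-a ranges=10.0.10.10-10.0.10.250
add name=pool-b ranges=10.0.20.10-10.0.20.250

/ip dhcp-server
add name=dhcp-a interface=ether2 address-pool=pool-a disabled=no
add name=dhcp-b interface=ether3 address-pool=pool-b disabled=no
/ip dhcp-server network
add address=10.0.10.0/24 gateway=10.0.10.1 dns-server=10.0.10.1
add address=10.0.20.0/24 gateway=10.0.20.1 dns-server=10.0.20.1

# The CRS resolves DNS for the offices; the input chain below keeps the
# resolver closed to the WAN side.
/ip dns
set allow-remote-requests=yes

# A single NAT rule replaces one rule per RB750: every office leaves via ether1.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade

/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
# Offices get the internet and nothing else: no office-to-office forwarding,
# and no unsolicited inbound from the WAN.
add chain=forward in-interface=ether2 out-interface=ether1 action=accept \
    comment="office A to WAN"
add chain=forward in-interface=ether3 out-interface=ether1 action=accept \
    comment="office B to WAN"
add chain=forward action=drop comment="no office-to-office, no inbound"

# The router itself: offices may use DNS and Winbox, the WAN side gets nothing.
add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether1 action=drop comment="close WAN side"
```

Adding a third office is one more address, pool, DHCP server, network entry and forward-accept rule; the NAT rule and the final drop already cover it.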

# Feb 4, 2014 05:35

welp, my company just spent $8000 on 30 new CloudRouter Switches and 2 new CloudCores. Woo! They're to replace aging 2948s, but dear god I hope this doesn't wind up biting my company in the rear end.

# Feb 26, 2014 06:00

> CuddleChunks posted: O_O good lord that's a lot of hardware. Good luck to you on those.

Yeah, major WISP infrastructure overhaul.

# Feb 26, 2014 07:53

Fun thing I just discovered on v6.12, which came out yesterday. Old VLAN code working on 6.11:

code:

New export code of the above if put into 6.12:

code:

It looks like they completely redid the VLAN page on their wiki, so I am going to dive into it: http://wiki.mikrotik.com/wiki/Manual:CRS_examples

I am glad I tested this before deploying 12 of them in the field for VLAN access switches.

# Apr 17, 2014 00:35

Anyone notice a bug with VLANs causing a switch to act like a hub? It's basically forwarding data out all ports and wtf switches shouldn't be doing that.

# May 20, 2014 00:37

> falz posted: is spanning-tree enabled on the bridge?

I don't use a bridge for my VLAN; on the CRS125 it is all done with switching. Oh wait, no, I have to use a bridge for my trunk because I can't get the VLAN to see out to the internet unless I associate the VLAN to bridge, and then IP to bridge, and then bridge to ether1. All of the documentation says I can associate IP -> VLAN -> interface, but it doesn't seem to work for me.

code:

Edit: RSTP is on for the trunk bridge:

code:

(Sorry for the annoying smudges, my work wants to protect our public-IP internal sitenames.) ether1, ether23, and ether24 are on VLAN1. ether2 is to a customer router on another VLAN, with currently nothing live (and an empty router), and ether3 and ether4 are radios to remote sites. Note how the traffic is almost mirrored hub-style out ether2, ether4, ether23, and ether24. I was worried that traffic was being mirrored back up the backhaul of ether1 causing collisions or some hub poo poo, but that's not an issue. It's just that the canary and web power switch (ether23 & ether24), which usually sit at 0 Tx/Rx 99% of the time, have such high bandwidth to them, which made me notice this issue. Plus ether2's current router has no customers on it, so it should be at 0 Tx/Rx as well.

It doesn't help that we've already deployed like a dozen of these CRS125s as VLAN points of presence for our wireless network, so I'm trying to track down this issue before it becomes a bigger problem. Any help is appreciated; the Mikrotik forums seem to be a cesspool of mostly unanswered questions.

jeeves fucked around with this message at 06:39 on May 20, 2014

# May 20, 2014 06:16

Edited, I think I fixed the problem.
jeeves fucked around with this message at 04:14 on Jun 5, 2014

# May 22, 2014 00:31

It's super flooding. We have a remote site over a radio from one of our hub sites, and it is receiving all of the traffic of the hub site as Rx data on the remote site. I've disabled all of the ports on the remote site except the uplink just to verify this, and yeah tons of broadcast traffic going through the hub site is hitting the remote site over the radio. This was with their 'just use switch code' vlan implementation, of slaving ether2-24 to ether1 (the trunk). That is all well and good for an edge case (except of course when it acts like a hub) but then when you put a downlink to another site on one of those switch ports you basically just extend the switch out-- especially when this poo poo acts like a hub.

# May 22, 2014 16:11

> falz posted: Change your remote site wireless link to a routed /30. Won't fix your bug but that traffic and broadcast traffic will no longer be making GBS threads up the airwaves.

Half of our networks are routed /30s and the other half are VLAN links. We'd have to redo a bunch of poo poo, but it is kind of a last option right now. I kind of wish we could just dump all of the VLANs and just do routed paths and blocks, but the guy who made the network really liked VLANs when they worked on Procurves, so we can't really renumber everything now. Plus he really likes how customers are just one hop on a seemingly private VLAN instead of a /30 sharing a bunch of public traffic. Too bad that stuff worked perfectly on Procurves, but they no longer wanted to pay for Procurves.

It looks like the 6.13 firmware upgrade may fix this issue, but who knows what else is actually fixed. Like if I actually need to manually enable port isolation for every port or what. Of course we have a bunch of big customers hanging off of the hub, so I have to wait until Tuesday morning at 6AM to do the firmware upgrade, but we'll see if the traffic drops off. This poo poo worked perfectly on Procurves, and it looked like it was working fine when I personally tested with the CRSes, but then this cropped up. I wonder what else will now.

jeeves fucked around with this message at 05:27 on May 23, 2014

# May 23, 2014 05:24

This may be a good place to start: http://wiki.mikrotik.com/wiki/Traffic_Priortization,_RouterOS_QoS_Implemetation

Basically the best way to find Mikrotik help is to look for someone who was nice enough to post a config of something they used themselves and got working, and then modify it to your own needs.

# Jun 4, 2014 21:33

falz posted: I read RouterOS changelogs almost exclusively to see hilarious bugs that exist on the CCR boxes. Oh, and I guess on all boxes. Like the most recent "oops your DHCP wasn't working or on or whatever"

# Jun 19, 2014 22:17

> Methylethylaldehyde posted: So initial trip report on the CCR1009, well built, has an actual power supply in the back (redundant even!). The on screen display is shockingly useful for doing the initial interface addressing, and to reset the config when you gently caress up the password because Logitech decided that cheaping out on a keyboard is a great idea.

In any sort of production environment, be sure to set the LCD's PIN. I learned that you can reset the entire config from the LCD the hard way when one of my field techs was playing around with the unit as he was installing it at a wireless site.

# Jun 20, 2014 15:55

> thebigcow posted: It also shows the wpa key on 2011 and CRS models with wireless.

Ha. Just ha. Besides laffo stuff like that, and the VLAN insanity before they finally clamped down their lovely VLAN code into something workable post 6.12, I've been enjoying learning the Mikrotik stuff.

# Jun 20, 2014 23:06

You don't have to actually install Wine for the Winbox port, just download someone else's port of it. Only issue is that it takes a little while to initially load, and when Winbox fails a connection it closes the program by default, so you have to constantly open/close Winbox manually to make a new connection or such. I just use a VM of Windows for Winbox needs, as it runs a little faster than the wine port.

# Jul 1, 2014 18:41

> CuddleChunks posted: RouterOS 6.17 is out (yes I see they call it 6.16 in the changelog. Heh, Latvian number):

Certain models of CCR crashed on 6.16, so they fixed that one thing and just made the whole thing become 6.17. It's basically a 6.16a.

Unrelatedly, I have been tasked to figure out how to test for jitter with a Mikrotik. Anyone have any clues that could guide me in the right path?

# Jul 18, 2014 19:55

I'm pretty sure they test by seeing if one of them boots and then going 'eh, good enough!' Of course I am sure it's just like 10 guys tops doing all of this, so I don't blame them. They probably get paid way more than I do and also get awesome Latvian socialist healthcare and everything for their taxes!

# Aug 16, 2014 01:35

I take it SFP modules can't be switched together? I'll have to use a software bridge? On this CCR model with 12 SFP ports there isn't even an option in the interface to set a master port to them.

# Aug 21, 2014 16:08

> thebigcow posted: Looks like it. There isn't a block diagram for that model, but on the other CCR models it shows every port connected directly to the CPU instead of through a switch chip.

It sucks that I'll have to software bridge it, but on a CCR I wonder how fast that would be due to the beefier CPU. I've always just assumed software bridging is much, much slower than switch chip stuff. The router only has a 350-500Mbps uplink connection via radio, so the slower bridging speeds probably don't matter.

# Aug 21, 2014 19:23

> chmods please posted: New newsletter, new gear: http://download2.mikrotik.com/news/news_61.pdf

All CRS models are marketed as switches, probably because all of the ports go into a single switch chip or something. It's a level 3 switch, which is sort of like a router or something. I never really understand it.

# Aug 23, 2014 20:07

I have been playing around with this CCR for a job and I can't get something basic like a bunch of SFP ports to work together in a bridge group, something that works on a CRS when I try similar code. I have the 12 SFP port CCR1016-12S-1S+, and I would like to try to add sfp2 through sfp12 to a bridge group to share one subnet, so that a CRS or other router can be plugged in to the other end of the SFP and use an address in the bridge port's subnet. This doesn't seem to work on this CCR model, whereas it works on a Cloud Router Switch (CRS) if I change the interfaces from sfp to ether.

code:

When I put the code above to work on a CRS (but change sfp1-12 to ether1-12), it works perfectly. Why is this? Do bridge ports / bridge groups work differently on CCRs? Am I missing something super simple?

# Aug 26, 2014 04:17

> I am not a book posted: I'm about to pull the trigger on a 750GL. I absolutely need wifi though, is there a suggested AP besides an Apple product?

Use anything. 750GL is like the gold standard of Mikrotiks, you can't go wrong. I've used like dozens of them all over my work's network. Just know you can connect via MAC address since it has no serial port.

# Aug 26, 2014 04:59

> thebigcow posted: Seems like it should work. Are you sure your SFP is working? Can you ping the CCR itself? Any errors in the log? Can you print the config as it's running and paste it here?

I'll work on it tomorrow. The funny thing is that weird things are going on with the CCR: it doesn't detect an SFP module that my CRS definitely does, and now the last 3 lights for SFP9-12 are online even though nothing is in the ports.

# Aug 26, 2014 06:44

> thebigcow posted: Maybe you just have a bad unit.

I am hoping. I am glad that we had ordered a shelf spare that I am doing a lab with now. I also realized I updated the first unit to the newest firmware, not remembering that CCRs are like way more buggy on new firmware than the RB750s/CRS125s that I have been using for a year+ now. My lab is using the 6.11 firmware they shipped with. I'm going to guess it is entirely a firmware issue :mikrotik:

# Aug 26, 2014 18:51

Turns out my SFP issues seem to be auto-negotiation based problems, not bridge group ports. It says auto-negotiation incomplete on the interfaces. Fun times.

# Aug 26, 2014 20:52

Exact same problem on the other CCR. Basically the SFP interfaces don't auto-negotiate all of the time, due to half-duplex advertisement being turned off by default-- I think.

# Aug 27, 2014 10:50

> thebigcow posted: Is that the SFP it came with or one of your own?

Mikrotik's own SFP connectors off of Routerboard.com. I'm guessing it was some poo poo to do with the CCR's firmware, as the same SFP connectors lit up immediately when plugged into CRSes. Fun fact as well: the last 3 link lights on the CCR for SFP9-12 are on, but nothing is plugged into them. This was the same with both the main and spare I used, and I am pretty sure it has nothing to do with the script I put in. Maybe I should downgrade this thing to NOT the latest firmware.

# Aug 27, 2014 16:21

One is like a 50whatever radio, the other is 1000whatever. When I turned it on to test it, it completely drowned out my old Netgear's AP signal. In the back of my mind it makes me kind of think I shouldn't have it on my desk next to where I sleep, but oh well-- STRONG WIFI COVERAGE FOR ME.

# Sep 9, 2014 16:07