CuddleChunks
Sep 18, 2004

yarrmatey posted:

We are also in the midst of changing our Simple Queues to PCQs. We found that with Simple Queues, customers with routers that were constantly attempting DHCP queries (mostly Belkins) would cause packet loss on the router when it tried to apply the Simple Queue rules from the Radius response to the DHCP query.

Woah! That is some seriously weird behavior. What OS are you running? We run PPPoE all over the place and they get a dynamic simple queue injected after hookup but I wonder if this is happening for us. Sadly, we've got a mixed bag of firmwares out there so I don't know if we're seeing this or not. Still, I wouldn't be surprised if it showed up on our network eventually.

CuddleChunks
Sep 18, 2004

Dang, which kind of routerboards do you have? I don't remember seeing this problem and I've done quite a few f/w upgrades from 3.x to 4.x remotely now.

However, I think we upgrade the license key *before* dumping on the new f/w to avoid any problems.

CuddleChunks
Sep 18, 2004

Ah, we're doing this with tons of RB411's. I'm not familiar directly with the models you've mentioned except for the 450G's. What's fun is upgrading an RB112 or RB133C to 4.x. ahahah Not a happy combination.

CuddleChunks
Sep 18, 2004

I can test this out on Monday but the basic idea is:
- build two vlans on your mikrotik and your pfsense box - Customer, Unsecured
- put your virtual AP's onto the appropriate vlan's
- bridge the customer vlan onto your regular lan
- build a dhcp server specifically for the unsecured vlan

Now the two networks can exist side by side and won't talk to each other directly, though you'll want to make sure they use different ip ranges and you may want to add a specific block rule in your firewall so that they can't talk to the other network.

I'm a little concerned that you're throwing a high power card at your problem. I don't think it's going to give you the coverage patterns you're looking for unless you get very different antennas.

Worse, if you end up getting antennas with a splitter then you may see some really weird behaviors if people in wildly different parts of the warehouse try to link up and haul bulk data.

Covering a large spatial area is tricky and uses different tactics than long-distance connections. I hope this unit will work for you but in the end I think you'll either go back to multiple AP's (lots of 751's perhaps) or will have to rig more antennas so that the signal is properly distributed into the areas you want it. Keep in mind that the client computers have to be loud enough to reach back to your AP - a loud AP does you no good if you are talking to quiet little laptops.

CuddleChunks fucked around with this message at 19:07 on Oct 8, 2011

CuddleChunks
Sep 18, 2004

One of my coworkers came in today with a RB751U 2HnD that wouldn't boot. He had found some grumblings on the official forums about using a higher powered power supply with the unit as a fix.

His shipped with a 12V power brick. We plugged in a 24V power supply and the unit lit up and resumed normal operation. We switched back to the 12V supply and the board booted normally.

Weird!

I'll let you know if it glitches again since he'll come crying into work looking for a 24V adapter but that might be something to keep on-hand all the time.

CuddleChunks
Sep 18, 2004

Setup two separate IP addresses, two IP pools, two dhcp servers and then assign one server to ether1 and the other to wlan1. Write a firewall rule to drop traffic and you're set. You don't need vlans in this case.

ip address add address=192.168.2.1/24 interface=ether2
ip address add address=192.168.3.1/24 interface=wlan1

The rest of the commands I do through winbox but that's the basic idea.
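The "rest of the commands" done in the terminal, as an added example rather than CuddleChunks's own config. It covers both this post (two subnets, two DHCP servers, one drop rule) and the VLAN variant from the pfSense/virtual-AP post a few replies up. Assumptions: ether1 is the WAN, ether2 the customer LAN, wlan1 the main AP; the unsecured side rides VLAN 20 plus a guest virtual AP (the `/interface wireless add master-interface=` form); all addresses and the VLAN id are made-up values for illustration.

```routeros
# Added example (not from the thread): two isolated networks on one RouterBOARD.
# Customer LAN sits untagged on ether2; the unsecured network is VLAN 20 on the
# same port plus a guest virtual AP, both bridged together.
/interface vlan add name=vlan-unsecured vlan-id=20 interface=ether2
/interface wireless add name=wlan-guest master-interface=wlan1 ssid=Guest disabled=no
/interface bridge add name=br-unsecured
/interface bridge port add bridge=br-unsecured interface=vlan-unsecured
/interface bridge port add bridge=br-unsecured interface=wlan-guest

# One address, one pool, one DHCP server per network. The plain two-interface
# case in the post is the same lines with wlan1 in place of br-unsecured.
/ip address add address=192.168.2.1/24 interface=ether2
/ip address add address=192.168.3.1/24 interface=br-unsecured
/ip pool add name=pool-customer ranges=192.168.2.10-192.168.2.254
/ip pool add name=pool-unsecured ranges=192.168.3.10-192.168.3.254
/ip dhcp-server add name=dhcp-customer interface=ether2 address-pool=pool-customer disabled=no
/ip dhcp-server add name=dhcp-unsecured interface=br-unsecured address-pool=pool-unsecured disabled=no
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dhcp-server network add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1

# Explicit block in both directions. These go above any general accept in forward.
/ip firewall filter add chain=forward src-address=192.168.3.0/24 dst-address=192.168.2.0/24 action=drop comment="unsecured -> customer"
/ip firewall filter add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.0/24 action=drop comment="customer -> unsecured"

# Keep the unsecured side away from the router's own management services:
# allow only DNS and DHCP to the router, drop everything else it sends to input.
/ip firewall filter add chain=input in-interface=br-unsecured protocol=udp dst-port=53,67 action=accept comment="guest dns+dhcp"
/ip firewall filter add chain=input in-interface=br-unsecured action=drop comment="no router admin from guest"

# Both networks still reach the Internet through ether1.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
```

Check it with `/ip firewall filter print stats`: ping from a guest client to a customer address and the counters on the "unsecured -> customer" rule should climb while the ping fails.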

CuddleChunks
Sep 18, 2004

I'm talking to some folks about it to see if any are interested. I'm not going to ask you to hold it, but we're looking around to see if we need another of these units. That's a great price by the way.

CuddleChunks
Sep 18, 2004

I did some googling and found some info on a Mikrotik forum thread about throttling netflix and other long-haul port 80 traffic but lordy. An easy QoS guide? No such thing. At least, not that I've bumped into. I'll see if I can cobble together some basic instructions for the case you've mentioned.

CuddleChunks
Sep 18, 2004

CuddleChunks posted:

I did some googling and found some info on a Mikrotik forum thread about throttling netflix and other long-haul port 80 traffic but lordy. An easy QoS guide? No such thing. At least, not that I've bumped into. I'll see if I can cobble together some basic instructions for the case you've mentioned.

This is the thread I'm reading about throttling netflix bandwidth. http://forum.mikrotik.com/viewtopic.php?f=2&t=47865 Ignore the sperging about FCC regulations and such from people who don't know what the hell they are talking about and focus in on the mangle rules being added.

If that's not enough to get you going I'll see if I can write up something a little more specific.

What you should do for your own sanity is give your PS3 a static IP on the network. You're going to love this though - go to IP -> DHCP-Server -> Leases and find the MAC of your PS3. Click the "Make Static" button at the top of winbox. Ta-da, static DHCP lease so now when you write your firewall rules you know exactly which IP to reference.
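The same two steps from the CLI, added here as an example and not from the post: make the PS3's lease static, then hang a simple queue on that address. The MAC and addresses are placeholders; `target=` is the RouterOS 6 parameter name (5.x called it `target-addresses=`).

```routeros
# Added example (not from the thread). MAC, addresses and rates are made up.

# Turn the PS3's current dynamic lease into a static one (Winbox "Make Static").
/ip dhcp-server lease make-static [find mac-address=00:11:22:33:44:55]
# Or create the reservation outright if the device has never asked yet:
# /ip dhcp-server lease add address=192.168.88.50 mac-address=00:11:22:33:44:55 server=dhcp1

# A simple queue keyed on that address. limit-at is the guaranteed floor,
# max-limit the ceiling; both are written as upload/download.
/queue simple add name=ps3 target=192.168.88.50/32 limit-at=1M/4M max-limit=2M/8M comment="PS3 / Netflix"

# Sanity check: the queue's byte and packet counters climb while it streams.
/queue simple print stats where name=ps3
```

Because the lease is static the queue keeps matching across reboots of either box, which is exactly why the post wants the lease pinned before writing rules against the address.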

CuddleChunks
Sep 18, 2004

Viktor posted:

Yeah not going to risk that got an RMA so, but it looks like rOc-nOc has every single one (865 in stock).

An RMA is the right thing in this case but yeah there is a trick where you put on a higher voltage power supply, let the unit boot, then take it back to stock and it somehow fixes it. One of the guys at work was remarking about this and another guy at work who bought the same unit you had ended up doing this voltage swap trick.

The units are rated from 12 - 48V on their inputs because they rule so loving hard. Not like some routers I'm not going to name that don't have a goddamn fuse in them so when you mistakenly plug a higher voltage power supply in, ha ha there goes $600USD up in a whiff of blue smoke.

CuddleChunks
Sep 18, 2004

Is your mark rule triggering? Check the firewall tab in Winbox (my preferred way to puzzle these out). Look at the packet count and when you try to make an SSH connection does the rule up its count by one?

I think you might need to set the rule to chain=forward for things to trigger on marking the packet.

For the QoS rule I usually set a lower bound of guaranteed bandwidth using the limit-at setting. Then the max-limit locks an upper bound for bandwidth.

CuddleChunks
Sep 18, 2004

You might try:

/ip firewall nat add action=dst-nat chain=dstnat disabled=no \
dst-port=8080 protocol=tcp to-addresses=192.168.88.253 \
to-ports=8080 in-interface=ether1-gateway

The difference is the "in-interface" parameter. Instead of specifying a range of IP's to NAT on, you say, "packets inbound on this interface get checked". See if that starts triggering.

CuddleChunks
Sep 18, 2004

Kaluza-Klein posted:

I am trying to setup a rule to catch and prioritize my own bit torrent traffic on my home network. It is encrypted traffic, so the regular L7 rules don't seem to see it.

Lock your torrent client to a specific port on your computer. Build your rule to queue traffic that talks to that port and now you can shape it like a mofo.

CuddleChunks
Sep 18, 2004

Kaluza-Klein posted:

I am having a weird problem with my Roku (netflix streaming device). It connects to the wifi access point which is connected to the RB450G. It works perfectly, but it does not show up in the DHCP leases of the RB450G, which is running the only DHCP server on the network.

Are you sure it's set for DHCP? Also, you're not seeing it in winbox under IP -> DHCP-Server -> Leases?

If you check IP -> ARP does its MAC show up in there?


Kaluza-Klein posted:

Then there is the issue of Netflix streaming in a browser from most any computer in the house. I haven't found a layer 7 protocol for netflix. Googling has only found people with huge lists of IP addresses of netflix servers that they build rules off of. Maybe this is the only way?

I'm pretty sure Netflix uses port 80 for its streaming so you have to clamp the bigass list of servers rather than a specific protocol port. Fortunately you can make Address Lists full of those servers, give them a common name and then refer to those in your firewall rules. Yes, it's still a pain in the rear end but I often build out a big rule in Notepad, get it all together and then cut and paste into the terminal so that I can leverage the command-line.

Need to build 150 queue rules for some apartment complex? No harder than going through and updating a list in notepad (or Excel if some of the fields can auto-increment) and then pasting the command into the terminal window. Vroom!
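The Notepad/Excel batch trick can also be done with RouterOS's own scripting, which is what this added example shows (it is not the poster's script). It builds the 150 apartment queues in a loop and turns a list of server networks into one named address list. The address ranges and rates are constructed placeholders; the TEST-NET blocks stand in for whatever server list you actually collect.

```routeros
# Added example (not from the thread): generate rules on the router instead of
# pasting 150 hand-edited lines. Addresses, rates and names are made up.

# 150 apartment queues, one per static address 10.10.0.11 .. 10.10.0.160.
:for i from=11 to=160 do={
    /queue simple add name=("apt-" . $i) target=("10.10.0." . $i . "/32") limit-at=512k/2M max-limit=2M/10M comment=("apartment " . ($i - 10))
}

# A long server list becomes a single named address list that firewall,
# mangle and NAT rules can reference by name instead of by address.
:foreach net in={"198.51.100.0/24"; "203.0.113.0/24"} do={
    /ip firewall address-list add list=netflix address=$net comment="placeholder range"
}

# Spot-check what was created before trusting it.
/queue simple print count-only
/ip firewall address-list print where list=netflix
```

Running the loop twice creates duplicate queue names, so put a `/queue simple remove [find name~"^apt-"]` in front of it if you need to regenerate.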

CuddleChunks
Sep 18, 2004

DaCheese posted:

I was forwarding an A record on my domain to my current IP at home and trying to hit the machine that port 8080 is forwarded to. When I went to the domain:8080 from my home network, it never worked. Just got back to working with this since I have been fighting some hardware issues on another machine this week and thought to test it from a remote shell and it works. Inside my network I have to use the local IP.

This is normal. Your pc does an nslookup for the domain, the A record points to your external IP address, the request gets handed off and tends to die because that loopback behavior isn't well supported. There are a couple ways around this:

- Edit the HOSTS file on your local computer and enter the domain name in there with its LAN IP address. This is probably the cleanest way since your HOSTS file should be read before DNS lookups.

- Go to IP -> DHCP-Server -> Networks in Winbox. Double-click on your network and then enter a domain name for your LAN under DNS Domain (or just "domain" from the CLI). When computers register with the dhcp server they should inject themselves into a little table so that you can go to: localcomputername.mylan.lan and have results come back.

That's a little fussier than editing the hosts file because your test queries won't go to myinternetdomainname.com but they should show up on the same machine all the same.

There is likely a third way to do this and that's to look for packets that are trying to do this loopback behavior and then redirecting them via the NAT engine. I don't have a good feel for how you'd write the rule but it should be possible.
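The "third way" is usually called hairpin NAT, and here it is as an added example (not the poster's rules), together with the `in-interface` port forward from the earlier post and the DHCP domain option from this one. Assumptions: LAN 192.168.88.0/24 on ether2, forward target 192.168.88.253, WAN interface ether1-gateway, and 203.0.113.10 as a placeholder for the public address the A record points at.

```routeros
# Added example (not from the thread). Interface names and addresses are assumptions.

# Inbound from the Internet: keyed on the WAN interface, as in the earlier post.
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.88.253 to-ports=8080 comment="8080 from WAN"

# Loopback from inside: a LAN host resolves the A record to the public IP and
# sends the packet to the router's WAN address. Two rules make that work.
# 1) dst-nat it like any other hit on the public address. For a dynamic WAN IP
#    use dst-address-type=local instead of a fixed dst-address.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.88.253 to-ports=8080 comment="8080 hairpin"
# 2) masquerade the LAN source so the server's reply returns via the router;
#    otherwise the server answers the client directly and the client drops the
#    half-translated reply. srcnat runs after dstnat, so dst-address is already .253 here.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.253 protocol=tcp dst-port=8080 out-interface=ether2 action=masquerade comment="8080 hairpin reply path"

# The alternative from this post: hand out a search domain with DHCP and let the
# router answer for a local name, so inside the LAN you use server.mylan.lan:8080.
/ip dhcp-server network set [find address=192.168.88.0/24] domain=mylan.lan dns-server=192.168.88.1
/ip dns set allow-remote-requests=yes
/ip dns static add name=server.mylan.lan address=192.168.88.253
```

With `allow-remote-requests=yes` the router becomes a resolver, so make sure the input chain only accepts UDP/TCP 53 from the LAN side, not from the WAN.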

CuddleChunks
Sep 18, 2004

Thank you for finding that. Hahah I dug around for a while but couldn't remember the term used. Then it turns out, it wasn't one I'd tried searching for. Go go Mikrotik.

CuddleChunks
Sep 18, 2004

VPN setup is a little fiddly from what I remember but not too terrible. How much bandwidth do you want to push through the tunnels? These units don't have VPN accelerator hardware which keeps them cheap but if you are looking for gigabit throughput then you should look elsewhere.

CuddleChunks
Sep 18, 2004

You may want an RB450G to have plenty of processing power to handle all these tunnels but hell, since you're moving a few hundred kbps or so over each of the tunnels it wouldn't surprise me in the least if a cheapass RB750G worked just fine for this scenario.

Thanks for the explanation, it makes a lot more sense what you are doing.

EoIP tunnels are pretty crazy but also cool as heck. Establishing those between sites would be awesome if you were deploying mikrotiks at all the remote locations. If you already have an infrastructure that speaks IPSEC then creating static tunnels makes more sense.

I honestly don't have a good feel for how powerful these machines are in the application you've described. It's the bomb for my home network and we use them all over the place in various forms. The RB450G's have a ton more memory and better throughput ratings compared to the 750's.

CuddleChunks
Sep 18, 2004

I'm glad it's running smoothly for you. You don't need to do anything else but it might be a good idea to go to the first post of this thread and walk through backing up your config. Then, if you get the urge to experiment you can get back to this working configuration without much hassle.

QoS is loving voodoo but there are online guides about it. I keep saying I'll write something up but in my heart I know that it's not true. here's how you set it up: <image of chicken being slaughtered and its blood smeared around arcane symbols> And then you change to a PCQ and <several scantily clad ladies prance about in diaphanous gauze> but not before setting to mark your packets and <dark lord summoned, QoS now working>.

See? It's easy!

CuddleChunks
Sep 18, 2004

Hahaha that will *crush* your puny Netgear. Let us know if you have any questions.

CuddleChunks
Sep 18, 2004

It looks like it's a static lease. Notice there's no "D" in the dynamic column. If you check the Roku's page does it show that it has that IP address? Did you set the Roku to that static IP so it isn't trying to request DHCP?

CuddleChunks
Sep 18, 2004

What are you trying to do with your queue? This is the main reference on it: http://wiki.mikrotik.com/wiki/Manual:Queue But if you tell us what you want to accomplish that will help with writing up something that will work.

Oh and this is important:
/queue tree menu - for implementing advanced queuing tasks (such as global prioritization policy, user group limitations). Requires marked packet flows from /ip firewall mangle facility.
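An added example (not the poster's rules) of the mangle-then-queue-tree pattern the quoted manual line describes. It also covers the earlier points in this thread: marking in `chain=forward` so the mark rule actually counts, `limit-at` versus `max-limit`, an address list for port-80 streaming servers, and the torrent client pinned to one port because its payload is encrypted. Address-list contents, the LAN host, the port and the rates are placeholders.

```routeros
# Added example (not from the thread). Addresses, ports and rates are made up.
/ip firewall address-list add list=netflix address=198.51.100.0/24 comment="placeholder range"

# Step 1: connection marks in the forward chain (only the first packet of each
# connection is inspected), then packet marks derived from them.
/ip firewall mangle add chain=forward dst-address-list=netflix protocol=tcp dst-port=80 connection-mark=no-mark action=mark-connection new-connection-mark=c-netflix passthrough=yes
/ip firewall mangle add chain=forward connection-mark=c-netflix action=mark-packet new-packet-mark=p-netflix passthrough=no
# Torrent client on 192.168.88.20 locked to TCP 51413; port= matches either end.
/ip firewall mangle add chain=forward protocol=tcp port=51413 connection-mark=no-mark action=mark-connection new-connection-mark=c-torrent passthrough=yes
/ip firewall mangle add chain=forward connection-mark=c-torrent action=mark-packet new-packet-mark=p-torrent passthrough=no

# Step 2: a PCQ type so the streaming share is split fairly per destination host.
/queue type add name=pcq-down kind=pcq pcq-rate=3M pcq-classifier=dst-address

# Step 3: the tree. Parent is the LAN interface, so this shapes the download
# direction. priority 1 is highest, 8 lowest; limit-at is guaranteed, max-limit the cap.
/queue tree add name=down parent=ether2 max-limit=20M
/queue tree add name=netflix parent=down packet-mark=p-netflix limit-at=4M max-limit=20M priority=3 queue=pcq-down
/queue tree add name=torrent parent=down packet-mark=p-torrent limit-at=1M max-limit=20M priority=7 queue=default

# Is the mark rule triggering? Counters should rise with each new connection.
/ip firewall mangle print stats
/queue tree print stats
```

The upload direction needs a second tree with `parent=ether1` (the WAN) and its own marks; the mangle rules above already mark both directions of each connection, so only the tree half is missing.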

CuddleChunks
Sep 18, 2004

sparticus posted:

Ugh. I just picked up a RB450G and when I power it on, I get the beeps but no connection lights on the ethernet ports. This is my first Routerboard so I am not sure what the startup sounds are supposed to be like. Any pointers?

here is a video Boot Issues

That chirping at the start sounds like it's unhappy with the power supply. What voltage do you have? The double-beeps at the end says it has finally booted. One thing I'd do is plug a serial cable into the port and watch the boot process directly. It spits out a bunch of handy data in there. I'd also try a 24v power supply.

On the other hand, you have a new unit that is being weird out of the box. Talking to your vendor is a smart move since it's new. It should just work, dangit.

CuddleChunks
Sep 18, 2004

sparticus posted:

Is there anything I can check through the serial port to see if the ethernet ports are dead?

I believe you can see if it's booting to the flash drive, which will load the mikrotik OS. If it's not doing that due to some foolishness at the factory then you can set it there. I don't remember right now if there is a specific diagnostic you can do but I'm very concerned that you aren't getting link lights. In the end, you probably have a bad board and they should get it replaced right away.

CuddleChunks
Sep 18, 2004

sparticus posted:

Are there any scripts or graphing tools that are similar to vnstat to monitor and log monthly bandwidth?

Heh, I need to sort this out myself. Just moved to a new internet provider and I want to fly under their radar for moving data. I've got lots of options - tag traffic, add it to a queue and then query via SNMP, use The Dude to poll directly, run NetFlows on a machine and poll the mikrotik, just leave the unit on battery backup and check it near the end of the month. :v:

I'm spoiled for options though getting any one of them (except the last) setup is a little fiddly. I may end up setting up the Dude because I know it works out of the box with mikrotiks.
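Two of those options set up on the router itself, as an added example (not the poster's setup): read-only SNMP restricted to one poller for The Dude or Cacti, and a scheduler that logs the WAN byte counters daily so there is something to read back even without a poller. Community name, poller address and interface are assumptions.

```routeros
# Added example (not from the thread). Names and addresses are placeholders.

# 1) SNMP, read-only, answered only for the poller's address (the default
#    community is named "public" and answers everyone until you change it).
/snmp community set [find name=public] name=ro-lanpoll addresses=192.168.88.10/32 read-access=yes write-access=no
/snmp set enabled=yes contact="noc" location="closet"
# Keep UDP 161 off the WAN interface as well.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=161 action=drop comment="no snmp from wan"

# 2) No poller: append ether1's byte counters to the log once a day.
#    Counters reset on reboot, so the daily snapshots are the history.
/system script add name=log-wan-bytes source={
    :local rx [/interface get ether1 rx-byte]
    :local tx [/interface get ether1 tx-byte]
    :log info ("wan-bytes rx=" . $rx . " tx=" . $tx)
}
/system scheduler add name=daily-wan-bytes start-time=23:59:00 interval=1d on-event=log-wan-bytes

# Read it back:
/log print where message~"wan-bytes"
```

The default log buffer lives in memory and is lost on reboot; add a `/system logging` rule that sends the `script` topic to `disk` or a remote syslog host if the monthly totals matter.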

CuddleChunks
Sep 18, 2004

zennik posted:

create a bridge group, add the wireless interface and the ethernet interface to said bridge group. Setup the wireless as a pseudo-bridge or as a station wds link. Plug in wireless info, voila.
Don't forget to define your WPA key under the Wireless Security Profile tab, if you use encryption.

Look at this loving voodoo right here. Who the hell knows what any of this means?

<logs in via telnet, follows examples from wiki>
-- or --
<logs in via winbox, follows description above>
-- or --
<logs in via webbox under 5.x, points and clicks and poo poo>

:unsmith: Oh Mikrotik, I love your crazy voodoo magic more with every day.


damnit - Zennik gave you the right description. If any of that was unclear, here's some more detail on how to do it from Winbox.
- Log into your unit
- Click Interfaces on the left
- Click + to add a Bridge. Accept the defaults and hit OK
- Click Bridge on the left then the Ports tab. Add ether1 and wlan1 into your bridge (click + and choose the interface, defaults for the rest).
- Click Wireless and double-click wlan1. Change its settings under the wireless tab as noted above - station-pseudobridge or station-bridge should do the trick.
- Click the Security tab of wireless and update the default profile to have your WPA key. You want Mode: Static Keys Required, then choose WPA PSK (or WPA2). Enter your key and hit OK.

That should give you a bridging wireless device that's locked onto your local wifi network.
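The same Winbox walk-through as terminal commands, added as an example and not Zennik's or CuddleChunks's config. SSID, key and interface names are assumptions; the security profile uses `mode=dynamic-keys`, which is what WPA/WPA2-PSK runs under in RouterOS.

```routeros
# Added example (not from the thread): wireless client bridged onto ether1.
# SSID, passphrase and addresses are placeholders.

# Bridge with both ports in it.
/interface bridge add name=bridge1
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1

# WPA2-PSK on the default security profile.
/interface wireless security-profiles set default mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key="correct horse battery staple"

# Client mode that bridges for non-MikroTik APs; station-bridge works only
# against a MikroTik AP, station-wds needs WDS on the AP side.
/interface wireless set wlan1 mode=station-pseudobridge ssid="HomeWifi" band=2ghz-b/g/n security-profile=default disabled=no

# An address on the bridge so the unit stays reachable once it is bridging.
/ip address add address=192.168.88.2/24 interface=bridge1

# Did it associate?
/interface wireless registration-table print
```

`station-pseudobridge` rewrites MAC addresses, so multiple wired hosts behind it share one MAC on the wireless side; that is the trade-off for working with any AP.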

CuddleChunks
Sep 18, 2004

I think you do two things - set them into separate IP ranges and add a firewall rule to block traffic from one IP range to another. Those two should do a good job in keeping the interfaces separate while still allowing normal outbound traffic.

You can probably fiddle around with hotspot stuff too, but the above should be the poor man's way to handle it.

CuddleChunks
Sep 18, 2004

It is Latvian networking, comrade. Is good. Is most good.

CuddleChunks
Sep 18, 2004

chronofx posted:

Does this make sense/sound reasonable to y'all, or is Mikrotik excessive for my needs? I'd mainly be going with the Mikrotik750GL to get good hardware at a low price. I'm not a networking professional but I figure I could probably figure out how to set up what I need in the GUI (basics like bandwidth monitoring, port forwarding, etc).

I love my little RB750G more and more every day. I'd say that you would be dumb *not* to get one since they are flexible and powerful. On the other hand, I work with mikrotik software every day for work so its interface doesn't intimidate me anymore. I have gotten used to doing things in the winbox and terminal interfaces and use both to program up boxes.

One thing that *is* loving voodoo is QoS/Packet shaping. The tools are there in the mikrotik and there's documentation online but it's seriously weird stuff. On the other hand, your little unit is capable of handling a lot of weird rules and trickery that other routers will balk at.

CuddleChunks
Sep 18, 2004

Oh baby, the new RB751 is a sleek little machine. We're replacing our customer routers with these because we love MikroTik and have an unhealthy fascination with the company and their products.

To that end I've built a setup script for my techs and field guys to use for easy configuration. It leverages the built-in config on one of these boards and makes it so that you just answer a couple questions, cut and paste the script onto a clean config and whammo - your router is programmed.

Then one of my buddies came by and said, "why are you using that? Haven't you seen Quick Setup?" :downs: Nooooooo. Welp, there goes the need for my pretty pony guide and my dumb setup script.

Actually, the script is still handy because it enforces consistency across our routers and builds in some scripts so we can switch between DHCP and PPPoE mode. Good times.

CuddleChunks
Sep 18, 2004

Upgrade to f/w 5.15 and look in the top-left of Winbox. It's a button up there that brings up a bigass Quick Setup page for you to fill in and set many of the router settings in one go.

CuddleChunks
Sep 18, 2004

Yeah, that's one major annoyance with Routerboards - their supply chain is horrible. They announce new boards and then it will be months and months before any units actually ship. Oops, we ran out again, sorry!

They perform well but are frustrating to get.

CuddleChunks
Sep 18, 2004

Man, do you know how much of a pain in the rear end it is to get a windows 7 computer and a winxp computer to talk to one another over VPN? It's horrible! Win7 won't do MS-CHAP anymore and getting that backfilled into XP is a fool's errand. Getting XP to talk to a drat Win7 box is stupid as hell because of homegroups and nonsense there.

Oh wait, what's this badass PPTP server sitting on my desk that makes it easy as hell? Helloooooo Mikrotik. :smug:

Notes:
- Remember to *enable* the PPTP server. Failing to click that checkbox makes you look dumb when the win7 machine gripes about there not being any further vpn connections available (error 802).
- Set the Local Address of your PPTP profile to something not in the same range as your LAN. It's a quirk of Mikrotik vpn setups but it doesn't like to see the initial IP's on the same subnet.
- Turn on Proxy-ARP for the Bridge or ether interface that you have tied to your LAN. This allows your remote computer to talk into the LAN successfully.


I can write a proper guide later, though I mostly followed the setup from some existing guides. The above tricks were helpful since I worked through getting PPTP setup for a business customer a week ago. Good times.
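A PPTP server build with the three notes applied, added here as an example (not the guide the poster followed). Assumptions: LAN 192.168.88.0/24 on bridge1, WAN on ether1, one user; addresses and the passphrase are placeholders.

```routeros
# Added example (not from the thread). Addresses, user and key are made up.

# Note 2: the profile's local address is outside the LAN range. Remote clients
# get LAN-range addresses so they look like local hosts.
/ip pool add name=pool-pptp ranges=192.168.88.200-192.168.88.220
/ppp profile add name=pptp-lan local-address=10.10.99.1 remote-address=pool-pptp use-encryption=required dns-server=192.168.88.1
/ppp secret add name=alice password="long-random-passphrase-here" service=pptp profile=pptp-lan

# Note 1: the server is off until you enable it (error 802 on the client otherwise).
/interface pptp-server server set enabled=yes default-profile=pptp-lan authentication=mschap2

# Note 3: proxy-arp on the LAN-side interface, so the router answers ARP for the
# VPN clients that hold LAN-range addresses and LAN hosts can reach them.
/interface bridge set bridge1 arp=proxy-arp

# Let the tunnel in: TCP 1723 for control plus GRE for the data.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=1723 action=accept comment="pptp"
/ip firewall filter add chain=input in-interface=ether1 protocol=gre action=accept comment="pptp gre"

# Check:
/interface pptp-server print
/ppp active print
```

PPTP's MS-CHAPv2/MPPE is old and weak by today's standards; the same `/ppp profile`, `/ppp secret` and proxy-arp pieces carry over unchanged to the L2TP/IPsec server on the same box, which is the usual replacement.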

CuddleChunks
Sep 18, 2004

I'll straight up disagree with the gent in the Home Networking thread who poo-poo'ed getting the RB2011L-IN (in a hot red case) because he didn't think it would handle the data load you're hoping to put it through. I believe in my heart, and based on how these units perform at the ISP I work at, that one of those will fit your needs nicely.

Setting up the QoS stuff is going to take up most of your time while VLANs and setting up distinct interfaces is a snap. With some good planning at the start I think you'll have a good experience with Mikrotik and routerboard gear.

Best of all, you're only into the hardware about $100. Time is a different matter. Since you haven't worked with these before it will take some learning but we're here to help.

CuddleChunks
Sep 18, 2004

Yes. It's gonna rock your world.

I'm not going to hem and haw here, the performance stats posted on Routerboard's site put the max throughput with connection tracking and routing active at 33Mbps for small packets. It's much higher for big packets. Until your WAN link is pushing more than 33Mbps of 64KB packets upstream (unlikely) you will be fine with this hardware.

If you want to give yourself some extra breathing space then the RB450G is a good choice. It has a lot more RAM for handling bigger connection tables. Same fast processor under the hood though it has fewer ports than the RB2011L. In this case, that's not a big deal, you'll be hooking up to switches.

http://www.roc-noc.com/mikrotik/routerboard/rb450g-complete.html

CuddleChunks
Sep 18, 2004

I'd look into the Ubiquiti Unifi system instead. They are rocking for managing several pods, the price is low and their performance at the places we've installed them has been very good.

We run Mikrotik AP's all over the place but for filling up a house with signal, the Unifi gear is worth checking out.

CuddleChunks
Sep 18, 2004

movax posted:

Alright, 450G came in today! :woop: Will play around with it this weekend and see what it can do.

woo hoo! Let us know how it works out for you. It should be magic.

CuddleChunks
Sep 18, 2004

Nah, turn off external SSH entirely and use winbox. It uses an SSL-style encrypted tunnel to link up. Works great so that your logs don't fill with ssh attacks.

As for QoS, that's a complicated topic. I don't have any good guides yet but I'm still poking around. I'll see if I can dig any up. It goes from easy to mind-bending pretty quick is the main complaint. Still, it's a powerful device and other folks have figured this out so it's mostly my own dumbness making it hard.
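The "turn off external SSH, use Winbox" advice as commands, added as an example (not the poster's config), with a backup taken first as the thread's first post recommends. LAN range and WAN interface are assumptions.

```routeros
# Added example (not from the thread). Addresses and interface names are placeholders.

# Backup first: binary backup plus a readable export of the config.
/system backup save name=pre-hardening
/export file=pre-hardening

# Disable SSH entirely, as the post suggests. To keep it for the LAN only,
# use address=192.168.88.0/24 instead of disabled=yes.
/ip service set ssh disabled=yes
# Everything else is LAN-only or off; Winbox stays, restricted to the LAN.
/ip service set winbox address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes

# Belt and braces: drop the management ports on the WAN interface in case a
# service is re-enabled later. 8291 is Winbox, 8728 is the API.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=21,22,23,80,8291,8728 action=drop comment="no mgmt from wan"

# Confirm what is still listening and from where.
/ip service print
```

After this the log stops filling with SSH login attempts because nothing answers on 22 any more; the firewall rule's counter in `/ip firewall filter print stats` shows how much of that noise the WAN still sees.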

CuddleChunks
Sep 18, 2004

Please wear your baggiest shorts because the rogue boner you're going to get after using Torch is potentially devastating to the integrity of your clothes.

Open Winbox, connect to your mikrotik.
Click Tools -> Torch
Select your interface (probably ether2) and put checkmarks in "protocol" and "port" then hit start. Oh hey there crazy traffic, where the hell are you going? :mmmhmm:

Barring there being a layer 2 problem of some sort, this should reveal the naughty machines in short order.


Oh, what kind of VPN are you setting up? There are some sneaky tricks for handling PPTP-type VPN's I had to work through recently and have some suggestions. Haven't setup an IPSEC style tunnel yet.

CuddleChunks
Sep 18, 2004

A monitoring program like Cacti does a great job of pulling info from the router and summarizing it for you. http://docs.cacti.net/plugin:mikrotik will help you work with your new gear.
