|
Chiming in as a Mikrotik user at home and work. At home I was able to replace switch, router, wireless access point with a RB493. At work they make great customer premise equipment. In at least one case we're running OSPF, BGP and MPLS VPN and we've never had an issue. BGP is just for MPLS, not full ipv4 routes. Will be experimenting with full routing tables on some RB1100s soon to see how they handle it. Probably faster than some NPE-400s doing full tables.
|
# ¿ Feb 15, 2011 00:04 |
|
5.0 came out and 5.1 quickly after to fix some bugs. I ran 5.0 at home for a bit then upgraded to 5.1, no issues so far on a rb493. 5.x has a richer web interface if that's your thing- it seems to mostly replicate winbox. * Changelog
|
# ¿ Apr 15, 2011 01:03 |
|
Weiz posted: Are you insane? They are still fixing bugs in version 4 and you're going to install something that JUST came out.
I run into plenty of bugs on Cisco hardware as well, at least with Mikrotik you can just post on the forum and they generally look into it.
krackpot posted: There are new products for 2011 (http://www.mikrotik.com/download/share/hu11.pdf).
|
# ¿ Apr 28, 2011 00:23 |
|
Instead of disabling ssh and weeding through logs full of static from the internet you should just apply some basic router protection firewall rules. Set up an address list of allowed management and monitoring networks and block pretty much everything else except ICMP on the input chain. I also always have a log rule just before deny that is only enabled for troubleshooting purposes.
|
# ¿ May 18, 2011 03:44 |
|
Roseo posted: There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.
|
# ¿ May 27, 2011 03:55 |
|
There's a thread on Mikrotik's website about full feeds on RB1100. Apparently its cpu has a hard time with the updates. RouterOS on PC hardware appears to be the recommended way. I've been testing openbgpd on openbsd and that's been a very workable/inexpensive solution.
|
# ¿ May 27, 2011 21:55 |
|
Roseo posted: 4.x for certain. I'm not throwing 5 on anything till it's actually mature. It may be fixed, but I doubt it.
4.17 box, ~1000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled between week 21/22 which is where it plateaus:
5.4 box (was 5.0, 5.2) ~5000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled before the first graph but I don't remember exactly when. Odd that memory usage is more steady since it has less RAM and far more routes:
|
# ¿ Jun 4, 2011 18:55 |
|
While this is a fine idea, why not have a default deny rule to the Mikrotik via the input chain but allow trusted IPs in an address list?
|
# ¿ Jun 5, 2011 17:25 |
|
Roseo posted: 2x full tables on a RB1000. At ~2 weeks of uptime it's gone from 200 MB ram free to 70 MB free. After another week or two it'll sawtooth for a while, then a week or two after that randomly drop routes, not accept SSH sessions, and generally be crappy till a reboot.
|
# ¿ Jun 7, 2011 19:07 |
|
I've upgraded a few- just uploaded the image, rebooted and all was fine. Certainly doesn't hurt to /export first.
|
# ¿ Jun 15, 2011 22:52 |
|
You should be able to easily add dns entries based on one of those host files if your mikrotik is your dns server. Unknown if there's a limitation if there's that much data in local dns though.
|
# ¿ Jun 22, 2011 02:09 |
|
I installed OpenWRT in a metarouter when the RB1100 first came out. It crashed the entire device so I didn't try again. Hopefully more stable now?
|
# ¿ Jun 23, 2011 13:36 |
|
More specifics. Is it pingable? Are you accessing it via LAN or wifi? Do you get an error? Is the ssh/telnet/winbox port responding at the time? etc.
|
# ¿ Jun 24, 2011 15:56 |
|
There's a lot of QoS info on their wiki. The layer 7 page links to these importable layer7 rules that you can use in QoS for app layer control. I did this as a test with torrent traffic at work and while it wasn't 100%, it was quite effective. Torrent, NNTP, HTTP are on there. "Gaming" probably depends on the game. Quake and doom are there!
|
# ¿ Jul 9, 2011 21:12 |
|
Is it doing NAT?
|
# ¿ Jul 12, 2011 21:48 |
|
I don't recall there being any default NAT rules unless you enabled a basic firewall set from the web interface. Either way nat/firewall are likely the issue.
|
# ¿ Jul 13, 2011 00:04 |
|
Does the mac address registration stuff do any wildcarding? If so you could try to determine a valid range that may mean 'Sony', 'Microsoft', 'Nintendo'. If you did get that to work it would be extremely easy to bypass, but hey it's something. OR possibly set up a virtual AP with a different SSID and have completely different authentication settings?
|
# ¿ Jul 20, 2011 22:30 |
|
I've just started using my first outdoor Mikrotik, a RB/SXT. Set them up on the roof of some office buildings that are about 3500' apart and they're working quite well thus far. I've had the bandwidth test running for two days now and it's 60mbps TX/RX simultaneously even through some rain overnight. It's 5ghz unlicensed so I could run into interference problems but I just wanted to chime in to say that I'm surprised by the throughput that these can get at such a cheap price (~$90/each). The real test will be getting through a Wisconsin winter. I'd be curious to hear what type of success any of you have had with any of their equipment outdoors and for longer distances.
|
# ¿ Aug 14, 2011 18:12 |
|
Simple is routing only. Adding anything such as NAT, firewall rules, etc becomes more complex and would benefit less from whatever fix this is. It's really the same as in Cisco-land, the pps specs they announce are for routing only.
|
# ¿ Sep 20, 2011 15:05 |
|
yarrmatey posted: Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.
Off topic but if you're looking for cheap BGP look at OpenBGPD on OpenBSD as well. I have some in production and have had zero issues. A few are edge and a few are RR's.
falz fucked around with this message at 16:27 on Oct 1, 2011 |
# ¿ Oct 1, 2011 16:16 |
|
You can run something like DD-WRT under something Mikrotik calls MetaRouter. Not exactly what you're looking for but close. RouterOS is Linux underneath for what it's worth.
|
# ¿ Oct 18, 2011 12:45 |
|
You should always have a managed switch so you can use VLANs, debug issues on ports, graph traffic with SNMP, and so on.
|
# ¿ Nov 9, 2011 00:07 |
|
Thoom posted: I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right. code:
I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this: code:
Thoom posted: Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes.
falz fucked around with this message at 16:37 on Nov 20, 2011 |
# ¿ Nov 20, 2011 16:30 |
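The point made in the post above, that a default deny at the end of the filter rules needs a matching accept for the NAT'd traffic, shown as an added RouterOS example. This is not the poster's own config (which did not survive on this page); the WAN interface `ether1`, the internal host `192.168.88.10` and the ports are assumed values.

```routeros
# Added illustration, not the original poster's rules.
# Assumed: WAN interface ether1, internal web server 192.168.88.10,
# public TCP port 8080 forwarded to port 80 on that server.

/ip firewall nat
# Rewrite the destination of TCP/8080 arriving on the WAN side.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=80 \
    comment="port forward 8080 -> 192.168.88.10:80"

/ip firewall filter
# Return traffic for connections that were already allowed.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
# dst-nat is applied before the forward chain is evaluated, so this rule
# matches the translated address and port, not the public ones.
add chain=forward in-interface=ether1 protocol=tcp \
    dst-address=192.168.88.10 dst-port=80 action=accept \
    comment="allow the forwarded traffic"
# Anything not arriving from the WAN side may leave.
add chain=forward in-interface=!ether1 action=accept comment="LAN outbound"
# Default deny: without the accept rule above, the port forward is
# translated correctly and then dropped here.
add chain=forward action=drop comment="default deny"
```

Rules are evaluated top to bottom, so the accept for the forwarded port has to sit above the final drop.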
|
That rule is the 'general outbound NAT' rule. RouterOS has its own scheduler so you write a script and schedule it to run at whatever frequency you choose. Chains are just a Linux iptables thing. The reason I have a 'jump to customer' rule then the rest of the rules in 'customer' is only because that's what Mikrotik does if you enable the default firewall rules (at least in older versions such as 3.x). It's always worked fine so I've always used that in my config template.
|
# ¿ Nov 21, 2011 02:23 |
|
Allegedly there's a fix where you plug in a higher voltage power supply to kick it back into shape. I'd check the MikroTik forums first though.
|
# ¿ Dec 7, 2011 00:39 |
|
Input is just for traffic destined to IP addresses on your router, so router protection such as permitting management from trusted networks, allowing pings for troubleshooting, blocking the rest.
|
# ¿ Dec 18, 2011 23:13 |
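The input-chain protection described in this post and in the earlier posts about an address list of trusted networks with a normally disabled log rule before the deny, as an added RouterOS example (not the poster's own config). The list name `mgmt` and the addresses, taken from documentation ranges, are assumptions.

```routeros
# Added illustration. 192.0.2.0/24 and 198.51.100.10 are documentation-range
# placeholders for the real management and monitoring networks.

/ip firewall address-list
add list=mgmt address=192.0.2.0/24 comment="management network"
add list=mgmt address=198.51.100.10 comment="monitoring host"

/ip firewall filter
# The input chain only sees traffic addressed to the router itself.
# Replies to connections the router opened or already accepted:
add chain=input connection-state=established action=accept
add chain=input connection-state=related action=accept
# Keep ping available for troubleshooting.
add chain=input protocol=icmp action=accept comment="allow ICMP"
# SSH, winbox, SNMP and so on are reachable only from the trusted list.
add chain=input src-address-list=mgmt action=accept \
    comment="trusted management and monitoring"
# Left disabled; enable it to see what the drop rule below is catching.
add chain=input action=log log-prefix="input-drop" disabled=yes \
    comment="enable only while troubleshooting"
# Everything else addressed to the router is dropped.
add chain=input action=drop comment="default deny to the router"
```

Add the address-list entries before the drop rule and apply it from a listed address, otherwise the session doing the configuration is cut off. Services the router itself offers to clients, such as DHCP or DNS, also arrive on the input chain and need their own accept rules above the drop.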
|
Yes, and it should auto find it by clicking the '...' in winbox. Also the default ip is 192.168.88.1.
|
# ¿ Dec 31, 2011 00:20 |
|
I just created this thread on Mikrotik's forum for this. Please all pile on so they realize it's an issue. It's likely that they will want a support case opened as well, I don't have a current customer with this issue so I don't have the required details to open one at the moment.
|
# ¿ Jan 9, 2012 15:07 |
|
Mikrotik would give you just about any VPN option you want that follows a standard. Site to site you can do encrypted GRE or IPIP so you can use routing protocols, PPTP for site to site (which seems silly to me), L2TP, IPSec and wacky layer2 stuff like EOIP. Client VPNs can use PPTP, OpenVPN, and I think something else. It is quite nice to be able to run The Dude directly on the router to monitor the inside of a customer's site. If you have SNMP enabled on your devices (servers, switches, routers, printers, etc) you can draw a network map that has a near real time graph of throughput between devices. It can also do basic checks on services like HTTP, DNS and alert if needed. All running on a $60+ router.
|
# ¿ Jan 10, 2012 20:09 |
|
If it has a switch chip you should be able to get wire speed as long as it's being used. Routing speed depends on features + pps. Enabling NAT alone probably halves your speed (guess). If it's all larger packets at a short rate you can likely achieve decent results. They have test results for straight up routing in a pdf on routerboard.com, take that info and divide it in half, or even up to 80% lower and see where that puts you.
|
# ¿ Feb 24, 2012 20:23 |
|
nexxai posted: Where would I find this out?
* Atheros8316 is present on RB493G(ether1+ether6-ether9, ether2-ether5),
* ICPlus178C is present on RB493 series(ether2-ether9)
|
# ¿ Feb 25, 2012 00:33 |
|
They have graphs built in, but you can poll them directly with snmp as you would expect.
|
# ¿ Mar 13, 2012 00:33 |
|
A few new products here: http://mum.mikrotik.com/presentations/PL12/PL12.pdf Looks like they still haven't figured out SFP yet since the first RB2011 (2011L-IN) has none. Rundown:
* CCR 1036 - previously mentioned
* 48V to 24V power converter
* RB400L - lower cost?
* "Metal" 1.3watt 5ghz outdoor radio
* SXT G - RB/SXT but with gig port
|
# ¿ Apr 3, 2012 14:59 |
|
I don't have the link handy, but Mikrotik lists two other antennas that are known to fit on their spec sheet or a forum thread announcing it. One of them is a small indoor sector.
|
# ¿ Apr 7, 2012 15:33 |
|
'/export compact' is a lot easier to read
|
# ¿ Jun 4, 2012 23:51 |
|
Aren't each of your 10.x networks behind NAT?
|
# ¿ Jun 5, 2012 16:29 |
|
If you need to VPN in from a client PC just use PPTP or OpenVPN. Or forward remote desktop port and connect to it and daisy chain from there without VPN. For network stats, just enable interface graphing and have them bookmark http://router/graphs/ code:
|
# ¿ Jul 6, 2012 14:32 |
|
Should be just fine. You would bridge Ethernet and wlan interfaces to create the separation. You could do separate wlan radios or use virtual APs with a single radio (I think). Or you could take it even further and use VRFs to separate the routes, or metarouters which is a separate instance of RouterOS running using the interfaces of your choosing.
|
# ¿ Jul 7, 2012 20:27 |
|
I have a few RouterOS VMs on ESX and they're fine. I'm not running any routing protocols or VRRP however, which I hear can have issues due to VMWare and multicast. Also as previously mentioned, you may want to check out Metarouter. I've only run it once to test and had it crash a lot, but that was right after it came out.
|
# ¿ Jul 7, 2012 23:34 |
|
movax posted: Sorry for double-post, but this is un-related to above post. Is there a software-way to completely secure the serial port, including disabling its usage during boot loading? I disabled it currently by setting baud-rate to 0, and disabled the software jumper as well. Anything else to do to protect it against physical connections/mucking around?
|
# ¿ Jul 9, 2012 16:21 |