Does anyone know if the RBGrooveA-52HPn will do 10mhz channel width in 2ghz band? For the US version. I just bought a NetmetalAC version and only now see that it does NOT support 10mhz channels.... This should be upfront on a package, brochure, and the PDF file...…… Another piece of equipment headed...
Thanks for the inputs Rudy! I know that my issue seems to be a 'one off' experience but I thought since I can't seem to isolate the issue that's at work here that bringing it to the community and see what I may have missed here. I have my guys installing another new line. We'll install and test that...
I have three different cables leading to the area where this was happening. Tried all three - no go. Had three brand new gigabit PoEs w/me, two Mikrotik and one Ubi**** - also no go's. I am not new to the port flapping issue - been at this with MT for 15 years now. All my outdoor cables are shielded...
Morning everyone - I haven't posted in a while as most things Mikrotik have worked well within their inherent limitations - nonetheless it is great equipment for the price point and I don't think you can find anything more flexible to configure. With all that being said...I've been testing the 60g r...
Decsus - For part 'one' of your plan, take a look at how PCQ queues work in the manual/wiki. Essentially if you set a maximum bandwidth to a pcq queue then all connections through that queue will get equal portions of the available bandwidth, i.e. if you set the max at 15mbps and there are only 3 cl...
slimprize - You should have in your access list this: /interface wireless access-list> print Flags: X - disabled ****BEGIN**** 0 mac-address=00:00:00:00:00:00 interface=wlan signal-range=-120..120 authentication=yes forwarding=yes ap-tx-limit=0 client-tx-limit=0 private-algo=aes-ccm private-key=&quo...
rushlife - First - you can't delete dynamic routes...the system just won't let you. I take from your post you're just trying to mark connections/packets with route marks so what you probably want to do is just get the dynamic routes / gateways and copy them to a route table, i.e. wan1, wan2. Then yo...
slimprize - Hard to tell for sure why your IPhone won't connect but here's a few things to check.... I noticed in your wireless interface export above that this setting isn't present meaning it's probably at a default setting: preamble mode. For Apple products it has to be set at: preamble-mode=long...
myazdian - well you have several options available to you. 1) You can start by optimizing your singular links. No NAT, No Filters, disable multicast package. Utilize fast path. If your signal levels are in the -50 to -65 range and the noise floor is low enough you should be able to get a single link...
saintofinternet - there are no full-duplex cards available. Anything like this would be pseudo full-duplex. That being said I use two triple chain cards w/three dual-pol antennas. One of the antennas I set at a 45 degree polarity angle. This allows the 3 chains to be on different polarities. Althoug...
Framer policy affects how much the cpu gets involved in ordering the packets in to a jumbo frame. I found that policy=none saves cpu time, it also sends the packets out in the same order received. Best fit would probably be my second choice if I had to make one. Which option is best depends on the cpu ...
phoenixdreamer - Well looking at your diagram above, specifically the highlighted RB951-4: You said ether ports 1, 4, & 5 are in bridge1 You also say that ether ports 2-5 and WLan are in bridge2.... You can't have multiple ports as p/o two different bridges and expect it to work properly, in fa...
Martin - you might try posting in the Switch OS forum....
I have two of these and they are in a production environment so I don't want to fool w/them. Ordering some new ones in the new year, just don't have one on hand at the moment...
Martin - A CRS226.... Well it would have been helpful to know that earlier..... I do not have a CRS handy to work this out with you on.... From what I remember though you have to assign the DHCP server to a port and VLAN (on that port) has to have the port you selected as being able to pass the traf...
Ok Martin - we're headed in the right direction.... Let's add a dhcp server to ether2, then set your Mac to get a dhcp address.... If you can get that to work, then delete the dhcp server and /ip pool on the mikrotik. Add your bridge, you had ether 2 & 3 in it last time, do the same. Move your I...
Sounds like all the ports are a slave of ether1.... Open the interfaces tab and check each ether port. I would suggest that for the moment that you set 'master port' to none on all interfaces.... Also - remember, you can't have the same ip block on two different interfaces (ports) w/o disabling one ...
Martin - ip dhcp-server network add address=172.16.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=172.16.1.1 Gateway should be 172.16.10.1....... It could also be a hardware issue. Can you set an IP address on a different port, w/o a bridge and connect the Mac for just a short test - to test the Mikroti...
Hi ggorbalan - Far be it from me to tell you how to setup your network but it does seem a bit convoluted..... If it were me I'd go straight routing instead of PTP to the second groove, but that's just me. You are going to have to inject routing in there somewhere to be able to get to your clients. O...
the add-arp and always-broadcast configurations shouldn't normally be required, especially the ARP item, since normal ARP behavior on the IP interface (BR-10) should dynamically discover the MAC addresses of the client devices. You'd only need this if your LAN was doing some type of filtering on br...
Martin - Even with a static IP in the range of 172.16.10.2 - 172.16.10.254 you should be able to ping 172.16.10.1 from either ether2 or ether3. What does /IP ARP in the Mikrotik show when you have a PC connected to either ether2 or 3 with a properly configured IP address? What does your static entry...
Artec - I would probably use the /IP Firewall NAT feature, specifically dst-nat. Simply dst-nat, action=dst-nat chain=dstnat to-addresses=10.1.70.1 src-addr=10.30.0.1 This rule will only allow him to access 10.1.70.1, no matter what IP address he puts in..... Now if this user also accesses the Inter...
Martin
I don't see this complete entry, specifically arp and broadcast:
/ip dhcp-server
add add-arp=yes address-pool=default-dhcp always-broadcast=yes disabled=no \
interface=BR-10 lease-time=3d name=default
Sba -
I think you still need to keep the proxy-arp on. Secondly, when accessing different networks you can always use masq out the interface you need to use on your main router with the source address(s) being your VPN client and/or group.....
Soap - You didn't give us much to go on here.... How about exporting your config and posting it here. Obfuscate any public IP addresses and of course any 'secrets' that might show up. Then someone can help you. Without IP addresses, firewall settings and your hotspot settings it is kinda of hard to ...
ggorbalan - You really haven't given enough information on your network. Obfuscating your internal IP addresses is not necessary.... Where is your gateway to the Internet? What is the internal IP address there? What is your 750gl doing? How about showing the IP addresses on that (the private ones, n...
Snoopy86 -
Winbox, IP / DHCP-Server, go to the Leases tab. There you will see the leases for each client. Open the client(s) you want to give a 'static' dhcp address to, once that client is open you can select 'Make static'. From then on that client will always get that IP address....
Mamoman - Looks like you are missing a few components: The below is from RoS 6.33 DNS entries are bogus of course..... /ip pool add name=default-dhcp ranges=172.16.10.5-172.16.10.10 /ip dhcp-server add add-arp=yes address-pool=default-dhcp always-broadcast=yes disabled=no \ interface=BR-10 lease-tim...
There are a lot of ways to bond connections and there is a lot of hardware/software devices you can purchase that claim (I use claim because I have only used a very few, some worked, some didn't and even those early ones that did, did not load balance properly....) to be able to bond different Inter...
Pharrow - Bonding, bonds two ends of a connection together. You have to have Mikrotiks at both ends of the connection..... If you bring in four cable connections, two to each location (within your home) yes you could bond the connection from bedroom to bedroom, but not to the rest of the world. You ...
Trolley - You will need to go to the Mikrotik Wiki and start putting the pieces together. Here is the generic setup.... 1) Since 'Main House' has the Internet connection and you are using the 'Machinery Shed' as basically a 'relay' then you will need to setup Main House as WDS AP-Bridge. Machinery S...
DL7JP - I am surprised that a lot of folks haven't jumped all over this one...... It is really a matter of what works best for you. I've been at this stuff for years, even before there was the 'real' Internet. The debate has raged on about routed vs 'smart' bridges as to what is quicker, provides a ...
shyamjadhav05 - to help you out we need a look at your config in both boxes.... Go in to terminal mode from winbox..... type: /ip firewall nat [return] /export [return] Now copy that to a file (using notepad or something like that). Next type: /ip route [return] /export [return] Copy this output to ...
1) What is a 'local' environment? 2) You first speak about your company and then your home, what is it you are trying to do? Bond a connection from your home to the company and back or what? 3) Never had any real luck doing bonding w/dynamic IP addresses. Static public IP addresses - no problem bond...
'Similar to' is not the same as 'exactly like'. With that being said, post an export of your firewall settings and we'll help. Without it, it's a waste of time to try and guess exactly what you have there.
Just taking a stab in the dark that your filter rule(s) are the ones blocking this so here is a snippet that you would put in the /ip firewall filter table: /ip firewall filter add chain=forward disabled=no src-address=192.168.254.0/24 add chain=forward disabled=no dst-address=192.168.254.0/24 Somew...
Here is the snippet: /ip firewall mangle add action=mark-connection chain=forward disabled=no new-connection-mark=/27 \ src-address=192.168.2.32/27 add action=mark-packet chain=forward connection-mark=/27 disabled=no \ new-packet-mark=/27 You have to use your own connection mark/packet mark verbiage...
I just src-nat using the masquerade function of the src-nat facility. I make the dst-addr the address of the VPN and also the out-interface the PPTP (VPN) interface. That seems to do the trick just fine for me.
Just some observations on your PCC config Nic335... Not sure which way you are 'expecting' traffic to originate, e.g., are there servers behind your router that you expect to have publicly accessible IP addresses or is this pretty much 'users' going to the Internet through your router. It doesn't ma...
Undecided - First thing I noticed was that you mark your connections and then add a routing mark, what I didn't see was whether or not passthrough was enabled as each connection was evaluated....this is important. Second thing I noticed was that you have no /ip route rules listed.... Not sure how yo...
Support - Just as a follow-up to my ticket, I reverted to just the wireless package (disabled the wireless-fp package) no issues with running bandwidth tests or having the RB get rebooted by the ping watchdog. So it is definitely something with either the .AC card and/or the wireless-fp package. Tha...
For anyone with the same issues. I have contacted support. I expect to hear from them soon. Below is an excerpt of what was sent. I have a RB912UAG-5HPnD w/a Mikrotik 802.ac card with ROS 6.27 installed with the wireless-fp package active. I have attached the autosupout.rif file. 1) After a ping wat...
Well I was able to resolve my own issue. I was upgrading units from 5.26 to 6.27 and got this as an error: "routerboard-6.27-mipsbe.npk - package missing " That is what package update is telling me when I tried downloading the latest update. The solution was to upgrade to an earlier versio...
The distributor would not issue an RMA to me to return the units - hence why I am perturbed over this. I can't supply them with a supout.rif file and the units are over 30 days since purchase..... It just seems pretty damn odd that these units failed and the thousands of RBs I have out in the field,...
Not to be 'snipity' Normis but where would such a spike come from on the ethernet port? One Ethernet port of this unit was connected to a RB411 Ethernet port. The only other used port was connected to a PC. Both the PC and the RB411 are fine - no issues. I use shielded cable with the drain wires con...
To answer the posed questions: This is a 951-2n indoor unit w/5 ethernet ports and no USB or serial port. I have used both older and the newest netinstall versions along with ROS versions 5.24, 5.25, 5.26, 6.2, 6.14, and 6.17. With Netinstall; I get it showing Ready for the RB in the status window, ...
I am getting more than a little perturbed over the trend I am seeing w/regards to RB951 models 'bricking' after what is assumed to be a power 'spike'. I have had three now that have bricked themselves, two I was able to recover the first time. When it happened a second time the two I was able to rec...
Sure - try this: go to /ip firewall filter. Add rule, chain=input in-interface=the Public side interface protocol=udp dst port=53 action=drop Then add, chain=input in-interface=the Public side interface protocol=tcp dst port=53 action=drop These rules will drop any query to your public side interface...
farazhamzaa - Hotspot default queue type is hotspot-default and that is an SFQ type..... I recommend you set the queue type to 'default'. Then go to the 'queue type' tab and open default and make sure it has 50 to 100 packets as the size. This should make your queue scheme work much closer to what y...
farazhamzaa - What type of queue are you using? pfifo, pcq, or what? The 17 second period you are seeing is 'longest-burst-time' in action. longest-burst-time = burst-threshold * burst-time / burst-limit, substituting your numbers in gives us; longest-burst-time = 500000 * 60 / 1800000 longest-burst...
Farazhamzaa Your requirements: 256k/1800k and after 30 second the move back to limit at 256k/900k Using your initial example of; 256k/1800k and after 30 second the move back to limit at 256k/900k, let's look at what should happen. What I understand your setup to be is Limit-at=256k Max-limit=900k Bu...
noob - I see a number of issues, you're all over the map on this config. Is there a reason you have a bridge interface? Seems to me that you don't need one. Since you have a bridge (currently) w/only ether1 in it, you need to enable the firewall rule set for bridge. You also need to add 'stuff' to t...
farazhamzaa - I know what you are seeing is confusing in regards to the Burst limitation. Read this and see if it helps you understand what all the settings mean. It also has a graphical representation of what is happening. If that does not help post back and I'll see if I can add some additional ex...
Downlots:
You should be able to use the interface as the gateway instead of an IP address to force the VPN/L2TP out a particular interface. Everything else would be the same.
I had something similar happen recently. The bonded router in my NOC said the ethernet port had successfully negotiated a 100mbps full duplex connection. My switch (8 feet of CAT6 cable) said it also had negotiated a 100mbps full duplex connection. But when I looked at the switch stats it was showin...
I'd start by taking the EoIP tunnel out of the bridge. Next, from what I recall in regards to EoIP tunnels, first you have to use a mac address that does not belong to the interface, this range has been designated as non-public MAC addresses suitable for private use; 00:00:5E:80:xx:xx I don't rememb...
I've been using L2TP tunnels for quite some time now in bonding multiple lines to form larger data 'pipes'. It has worked very well until of late. I had to replace an aging PC based router. I tried using the older ROS 2.9.50 but the PC was too new and wouldn't run properly with it so I ended up upgr...
You can try looking at this old post from ChangeIP. I used something similar in a few locations and it works well for bonding DSL lines, provided of course the lines are not too heavily contended. The bonding scenario was developed with ROS 2.9 but should only require slight modifications under ROS ...
I am seeing the same thing at present...very annoying. This is a brand new unit - 5 days old. Have ROS 5.12 on it w/the latest firmware 2.38 installed. Card TX set to default, setup as a 'standard' router type device, (client) ether1->wlan--><- wlan (AP) ether1 ->Internet, it's the client radio. Thom
dacr33d - First, which version of ROS are you using? Second, did you update the firmware for the board (/system routerboard [enter] then type print [enter] to see the firmware version) Go to (winbox) Wireless menu, go to the Registration tab. Click on the 'radio' you are associated with. Go to the S...
For all of you wanting to know why this is happening...read on. I had originally removed the 'el-cheapo' switch I had had in place between the two DSL lines and my 'main' router Ethernet interface when I installed the new RB493 because I had set a number of Ethernet ports on the RB493 to emulate swi...
Well this is a weird one...two replies to the same ping request sent. Have an RB493, with ROS 5.7 and the firmware is upgraded to the latest version as well. eth ports 3, 4, & 5 are set with eth2 as their 'master' port - in other words, 2, 3, 4, & 5 are set up as a switch. Eth2 has two IP bl...
Multicast = general router 'housekeeping' / networking tasks such as exchanging routing information. etc. Ubiquiti - from what I read regarding their implementation, has allowed a departure from the standard and allows the 'user' (you) to select at what speed the Ubiquiti will attempt to exchange mu...
sergejs - The last I read the new userman is still in beta, and I am still seeing several posts regarding issues with it. So until userman is stable under ROS 4.x then I won't be switching the couple of units that are the base Usermanagers for a couple networks over to ROS 4.x Hope that answers your...
sergejs - Chris, please clarify your issue. Post us screenshot as well. Sergejs - show a screen shot of what? Steger is correct, I am using a Linux box for my mail server and have RBs all around the world sending email via a mail server. Now that ROS 3.30 uses TLS the RBs seem to want to answer the ...
Thanks MRZ, but as I said the webpage would not load correctly so I could NOT get to the part of the webpage I needed. I know how to do it, just couldn't 'get there from here' as it were...... That's why I asked for the direct link - which you provided.
Went to this site: http://routerboard.com/ and all that shows up is the RB433 series, and in Internet Explorer it shows an 'error' on page' with a missing object.... Kind of hard to get the firmware without getting a full webpage. So MT, how about a direct link to the RB133 latest firmware? In fact ...
schiele - Well sir you sure know how to make it interesting.... :) I do not believe that What's UP Gold will allow different ports for SNMP. Since you do not have multiple public IP addresses then you'll need to pursue the VPN route. To do that though you will have to make different IP or VPN networ...
schiele - How do you plan to reach the 5 APs? Do they have a public IP address? If no, then there are a couple of possibilities...you could have a VPN connection to the Hotspot controller from your SNMP server, that would give it 'local' access to the 5 APs through the Hotspot controller LAN IP addr...
kurd - Not enough information.... What version of ROS (i.e. 3.13 or 3.24, etc) are you using? What are you using for your PoE voltage to run the RB600? You really can not use four 2.4ghz channels and not have a lot of issues with dropped connections, lost beacons, disconnect due to extensive data, e...
gabak - It's an ugly way to do it but you can simply bridge wlan, eth1 and eth2 in the same bridge port. While there enable the IP firewall for the bridge. Then you can set all your firewall rules in the regular firewall and they will work.... Once that's done, you assign the IP address to the bridg...
clarkstyx - Yes there sure is.... Go to the MT manual, look up the Firewall section - specifically mangle. There it will give you examples on how to mark connections/packets. Once you have the packets marked, proceed over to the Queue portion of the MT manual, there it gives examples on how to limit...
Ibersystems - Well just in general, you said you only disabled one dsl line - it looks like there are two that are 'unknown' above. Next, it looks like you are still marking connections for all three dsl lines. Lastly - there have been reports of issues with Hotmail and PPoE...something to look in t...
murimi - There are a couple ways that come to mind - like Hotspot and Usermanager. The simplest is probably use the DHCP server and bind the MAC addresses to a particular IP address, that way whenever they are on they will always get the same IP - and if they go static on you then it should block th...
IGadget -
The simple answer is in the routing table;
100.100.100.160/27 or 28 or 29 , depends on how many IPs you want to route over to the other building, GW=172.16.0.2 (LAN interface of building 2). At building 2 you can either use NAT or put the public IPs on one of your interfaces.
Owen - Can you from (old) tower 2 see the associated wlan2 card on (old) tower 1? (Wireless registration tab). Next, quoting you above; Tower2 (Old role as repeater new role as main tower) 10.7.0.1 network 10.7.0.0 broadcast 10.7.0.255 interface wlan1 10.7.0.2 network 10.7.0.0 broadcast 255.255.255....
channingzou - i use rb532a , 54G wireless card ,not in turbo mode,and do not setup any firewall or queues related to local network, i got data transfer speed about 1.3MB right now, but still far from 25mbps. thanks any help. If you go back and read what I wrote you'll see there are several factors t...
chrone - I see this issue pretty consistently. Using RB333, RB433AH and RB411 - all with ROS 3.22 and latest firmware - 2.20 I believe. Previous ROS 2.9.50 on RB500 or Intel CPU did not exhibit this behavior. There was another post on this, and it had something to do with time out values being chan...
kazemm - Well you need to read the manual to get the whole story. Basically you need to go in to winbox, then the menu on the left, go to IP, then click on Route. A new window opens. Here you add your default route. Click on the ' + ' a window will open here you add the following; dst-addr=0.0.0.0/0...
BDISP - It's in the manual..... Winbox, then IP, Web-Proxy. Once there go to the first tab, click on the 'settings' tab. This takes you to another window that has all the settings for the web-proxy drive including selecting the drive, stopping the proxy, sizing it, formatting and checking the drive f...
Yes - it looks like you need to turn the cache off. Format the cache again, and then check the cache drive. Once that all works again then you can re-enable the proxy.....
kameelperdza - Your rules are very specific - if the MAC address matches the rule and it is going out the bridge=eoip1 then it is done, if none match then you are dropping everything..... You really need to make sure that the MAC addresses you are specifying are the correct ones...... Lastly, sinc...
ihernandez - Sure - there are a number of reasons..... Bad cable(s) or connections at the card(s). Bad cable connection from the card to the antenna (bad cable-loose ground, water intrusion, etc). Antenna damage. LoS issues, such as 'knife edge diffraction', or an obstacle closer to one antenna than ...
tombrdfrd66 - Well the basics of your plan sound well founded..... Since I don't know what your PPoE setup is like I can not imagine what you are going to need for mangle rules...you pretty much have everyone 'captured' at the PPoE gateway to start with.... The only questions I would have is are the ...
xordi - You're just not getting it. Let me try one last time.... Once you mark a connection ( LAN -> WAN ) when the WAN source replies the related connection is also marked with the SAME connection mark. As I explained above...you can mark any kind of traffic you want. I was showing how to mark the ...
xordi - Ok I have a little better understanding of what you are trying to do. You do not have to separately mark 'return' traffic coming in the WAN interface. You marked the connection as it went through the router already. The only time you would want to mark traffic coming in on the WAN interface ...
tombrdfrd66 - Well not to disagree with you but a more extensible answer to your issue is the one I suggested above where by you mark the connections as before but use the ' ! ' (not) dst-addr list function to make the final decision on whether to route locally (via the main table) or send the reque...
xordi - I am not going to fix the whole setup but I am going to point out a few things and hopefully that and the docs you have handy will do the rest for you... 0 ;;; WWW chain=prerouting action=mark-connection new-connection-mark=all_conn_www passthrough=yes protocol=tcp src-port=80,443 This will o...
tombrdfrd66 - On second thought..... Post your mangle rules for routing. Maybe this will help you so try it first and if it doesn't then post everything asked for.... In your mangle rules for routing - where you are marking your routes.... In the mangle rule itself, I surmise from the article that yo...
kameelperdza - Look, what everyone is trying to tell you is that you have a VERY BAD signal there. Your Line of Sight (LoS) is bad or you are badly misaligned with the AP side. With a very bad signal you can not get good throughput. No matter what you do, until you get your signal issue resolved yo...
pastranini - Without your actual configuration it is hard to tell what has gone wrong. But from your description it sounds like you do not have a persistent connection for HTTPS (banks). You need to share your configuration here - post it on the forum. I suspect that you used some form of loadbalanc...
tombrdfrd66 - Sure - but basically what you are asking for is policy based routing - it's in the wiki.... If the wiki doesn't do it for you then paste your config up here and any other relative 'data' and we'll see what we can do.... By the way - how did that link across the water turn out? R/ Thom
First - you'd never be able to make a wireless bridged network that large work - the bridge transmissions on a wireless network would kill your throughput....
That having been said.... A class 'B' network would be;
10.1.0.0/16 (255.255.0.0) would be 10.1.0.0 - 10.1.255.255
channingzou - First thing - local to local does NOT involve the MT box unless you are transferring to/from that box. Local to local would just connect to the boxes involved directly. That having been said, the MT box will not significantly reduce the transfer speed if it is the one the files are bein...
pellumb - Sounds like you are trying to use a feature known as WDS (Wireless Distribution System). Does the Trendnet support WDS? Check on their firmware - make sure you have their latest firmware (Trendnet). Look at the MT docs on WDS - this will tell you how to set the AP (AP-WDS mode) and how othe...
Each chain is traversed independently from top to bottom. DNAT is done in the prerouting chain which is processed before any routing decision is made, while SNAT is done in the postrouting chain. So the order you add rules in is only significant for a specific chain. If you add the SNAT rules ...
akram - See below...I removed most of the 'disabled' entries. Made comments in the body of the text below. Study it and be sure to look over the MT docs to understand what I did.... Basically it is 'policy routing'. The policy is when a chosen IP makes a request to get something from the Internet, t...
kameelperdza - Your receive signal strength at 1.2km with that setup should be in the order of -50db, not -77db. I suspect that one of your cards is 'blown'. The other possibility can be that you have water intrusion in one or more cables causing you to lose a lot of signal..... Has anything changed ...
remuss - fatonk is correct - your received signal is too low causing your CCQ (quality of the link) to be poor. Rough calcs here but the free space loss across 25km is 136db. I did some calcs based on the distance being 25km. Output power of the card at 350mw, the antenna gain set to 24db, and with ...
remuss - Well you told us quite a bit but not enough.... What is the signal level at both ends of this link? You might be able to improve the link signal by going to LMR400 from your case to the antenna. Ufl to n-female (bulkhead). LMR 400 N-male to whatever the antenna takes. If you can shorten the...
kameelperdza - Looks like you are connecting at -77db Is that normal for this connection? What is the setup; distance km or miles, antenna gain, card type (like R52H or XR something), what band 2ghz, 5ghz ? Can you show both sides of the link? Let's see if we can figure out if you are getting the ri...
happydaddy - Well you have quite a mess there - so let's start again.... Need to see - and please label the client and the AP; /ip address print - both /ip route print - both /ip route rule print - both /ip firewall nat print - both I also see you still have a bridge in there and it is not disabled....
happydaddy - Well you'll need to show a bit more of your config.... PPoE. route, ip address, ip firewall, ip dns, etc for the AP. In terminal mode you can use /ip address print or /ip address export I like using the print method, but export will work ok. You'll need to do this for all of the above. ...
Sounds like you need to use higher gain antennas - your received signal strength -79 to -85db is getting close to what the cards are willing to work with at all.... I believe the R52H best receive sensitivity is either -92 or -95.....
kameelperdza - Well has the weather improved there yet? Did your system come back to normal? If yes to the above - then you have too small of a 'fade margin'. Typically, you want about 30db difference between the noise floor and the received signal in areas that have severe weather issues at the lowe...
If you setup everything as suggested then you will only have to masquerade data going out the interface that points to the Internet. Everything inside would be on private network IPs.
illiniwireless - First a little constructive criticism...get off the bridge kick. The convenience of 'seeing' everything at once is costing you 30%+ in lost bandwidth capability. Use 'The Dude' or some other program to monitor your network. Save the backhaul and AP IPs in Winbox so you can jump righ...
akram - To answer that question you'll need to post your config. Go to terminal mode (either in winbox, left hand menu 'New Terminal' or telnet/ssh to the MT box). /ip address export /ip route export /ip route rule export /ip firewall nat export Copy and paste the results here. If you renamed your ...
Eric - Well I really didn't expect anything exotic - just checking to see there was not something that you may have overlooked.... I have not used that board but have used the older 150 series...what I found was the ether ports are not necessarily in order - and that would seem the case in your desc...
akram - Not really sure what your intended meaning is with 'ISA server' but it sounds like a 'regular' Internet Gateway / Router. So really all you have to do is configure the MT to be the gateway for all your internal systems on one ethernet interface and on the second connect it to the ISA server....
OluNesta - Well you need to post your config for help with your firewall settings - /ip firewall nat export /ip firewall filter export /ip firewall mangle export and under /ip wwebproxy your settings there as well..... Here is the Wiki page for a lot of MT configs: http://wiki.mikrotik.com/wiki/Mikr...
kameelperdza - It is not so much the noise floor as it is the difference between the noise floor and the received signal - this is called Signal-to-Noise ( S/N ) ratio. What you are looking for is about 20db or more between the noise floor and the received signal, i.e., received signal = -65db, nois...
gustkiller - Well you can set the signal level in the wireless table to 'dis-associate' once a signal level has dropped below a certain level in the CPE. I suppose that would simulate forcing the CPE to re-associate with the stronger AP. It only takes a second or so for this to happen - so yes that w...
rodolfo - /interface wireless nstreme set wlan1 comment=RadioSlave disable-csma=no enable-nstreme=yes \ enable-polling=yes framer-limit=3600 framer-policy=exact-size There are a couple of things - in the above config you can check mark disable-csma so it equals 'yes'. ( disable-csma=yes ). You can a...
rickr - add action=accept chain=input comment=\ "Allow access to router from known network" disabled=no src-address-list=\ safe Probably the above rule... You are limiting communication to the router itself (chain=input) based on a src-address-list = safe. So if the address you are connect...
miahac - You can just use the Hotspot on AP1. Set the radius service on the other APs to point to AP1. Even better setup Usermanager on Hotspot AP1 (or get a cheap PC - better than using the AP for usermanager) then run Hotspot on each AP, have the APs authenticate against the Usermanager - all that...
miahac - Sounds like you need to set the 433s in pseudo-bridge mode instead of station and then bridge the wlan & ether interface. If I remember correctly you also had to use the WDS mode as well.... I believe there is a wiki on that. Take a look. I will too as it has been sometime since I used ...
MasterofDisaster - Your English is fine - I understand what you are saying. I just hope you understood what I said...as in I was not trying to be 'mean spirited' with my reply - educational was my intent. You started off saying that you had used the wiki to implement load balancing and everything was...
MasterofDisaster - Ok well the main problem here is you 'started' to use the loadbalancing wiki and didn't finish implementing all of it. Go back, read the wiki article on loadbalancing, and then put all the required items in your router. Like right now you have 5 default routes to the internet, the...
dipson - Well I hate to break it to you this way but yes - the 2.4ghz band is really full..... Looks to me that your best frequency would be 2462.... At least there most of the competing signals are -88db and lower (lower being -90db, etc). See in 802.11b/g your center frequency is the 'channel' you...
MasterofDisaster - Please post your config again; /ip route export /ip route rule export /ip firewall nat export /ip firewall mangle export Just to let you know - from inside your network you will have to go directly to the server via its private IP 192.168.15.12 From outside your internal network ...
dipson - It seems I am missing something out here. For the data rates, assuming the worst camera connection is 36mbps does that mean I will select 24mbps and deselect other rates or I will select 24mbps and below while deselecting 36,48 and 56mbps. Kindly clarify this for me please. In your example ab...
ferdinandbabst - Sure you can - just like any other dst-nat rule. add chain=dstnat action=dst-nat to-addresses=192.168.1.10 to-ports=10010 in-interface=etherX dst-address=PUBLIC IP dst-port=10010 protocol=tcp comment="Camera 1" disabled=no add chain=dstnat action=dst-nat to-addresses=192.1...
gimmepatiencequickly - Well you have a couple of things going on here.... Your first dst-nat rule is correct. The second rule (ether2 - I don't know what you're trying to do there....192.168.1.5 shouldn't be showing up on that interface.....) Your src-nat rule.... Isn't the cisco nat'ing for you? Ev...
Hello Oladipupo, Nice to hear from you. I can understand why you are using WDS vice routing - though in the end if they are just looking at the streaming video - would they really have to 'administer' the network? As to the access list - this is straight forward - use the MAC address of you want con...
MasterofDisaster - There are two possibilities that I see.... 1) In your src-nat rule for the server, change the 'to-ports=' to 0-65535 2) Your load balancing setup is interfering with the server 'returning' the connection to the correct dsl / ethernet port. You'll have to look in the MT under /too...
chadd - Well it certainly isn't the towers being too close.... As to the 10mhz channel - the radio broadcasts at 5mhz above and below the center frequency for a total of 10mhz channel width.... As to disconnects - have you per chance mixed ROS versions? ROS 2.9.46 on the AP and ROS 3.x on the client...
MasterofDisaster - 3 chain=srcnat action=src-nat to-addresses=0.0.0.0 to-ports=1195 src-address=192.168.15.12 protocol=udp the "to-addresses=0.0.0.0" above is the problem. to-addresses should be the same value (IP) as your x.x.x.x value in your dst-nat rule (rule 2). What is rule 1? You di...
chadd - Do these towers 'see' each other well? I know you are using 10mhz channels but the cards 'listen' at 20mhz channel width and TX on 10mhz channels. I see that they are just at the limits of 20mhz between the two towers.... Is it possible to move one of these higher or lower in frequency to get them...
You are probably going to have a difficult time having ROS 3.10 and ROS 2.9.51 connect via nstreme as well..... There are some differences between the ROS 2.9.51 and 3.10 versions.
tombrdfrd66 - SurferTim makes a good point on the radio card connectors - a or b. I didn't research the card type to see if it had two different antenna ports - this is definitely something to look at as you are almost exactly 20db down from what you should be - and that is what you usually get when ...
MasterofDisaster - First - I mis-read the interface scheme you had - my original interpretation was that INTERN was = INTERNET.... I overlooked the dsl1, dsl2, & dsl3 as the 'Internet' interfaces... But back to the task at hand..... You want any request to IP x.x.x.x on UDP port 1195 to be dst-n...
dipson - You are asking a lot and you are asking a lot of the equipment to get the job done....4mbps+ across 3 radios in WDS mode...... If you have to use the 2.4ghz then make your access lists now so you can lock each camera to a particular AP. Set the scanning frequency list for each AP/WDS node. ...
tombrdfrd66 - I can't tell you exactly what is wrong but I can tell you that what you are getting and what you should be getting are far different. According to just about every calc I can do you should be in the neighborhood of -65db at both ends of your connection. 17db power, plus 12db antenna, m...
Does your MT work without web-proxy enabled? (You would have to turn off the dst-nat rule where you redirect port 80 to 8080) If yes - then you may need to format your cache drive and let it build the cache. If no - then post the rest of your config and let's get the basics working first.... / R Thom
It seems to me that you may be way over thinking this...... :) 1) Most cable modems have WAN / LAN where the public IP is on the WAN side and you have a 'private' IP on the LAN side. The modem NAT's the private IP to the public..... Seems to me that all you need to do in a case like this is have eac...
What we found was changing the power supply to an 18vdc vice the 24vdc we originally had seems to have 'fixed' the issue. If you look through the forum you'll see mention of this type of issue on the RB333 - it has to do with the internal voltage monitoring circuit that shuts the RB off if the input...
If you set a log entry to save to 'disk' it will save it in flash memory as surmised. Then just open the log normally right after a reboot to see the log entry.
marek001 - Well marek001 - you have not supplied enough information for anyone to help you.... Here - and now i have set the ip-range for vpn and i have a ip range for my local area... Lan and wlan - Nod1 - 192.168.10.0/24 and Nod2 - 192.168.11.0/24 vpn ip - 170.0.51.0/24 You talk about 192.x... and...
Dren - Each end of the bonded interfaces have to be at the same respective locations. Meaning you need one at the ISP end and one at the tail end. Now as long as you and your friend are at the same physical location on one end and you can get a box setup at the ISP end then you can use your friend's...
EngAMoktar - Along with setting your DNS in your MT box as noted above with your public DNS IPs - I suspect you are using the newer MT ROS so set the UDP packet size to 1024 vice the 'standard' 512 bytes. Also watch your cache size for DNS - if you run out of cache it can cause issues (I didn't say ...
acim -
Take all that stuff out of bridge mode and route everything - that will help you a lot to start with.
With 3 cards on top of each other you are bound to get some interference, move one of the cards to the other RB (the one with the single card in it). That will also help.
Blignaut - Tried to answer via email - the email got returned.... Well let's first try some filtering to get your bandwidth under control and then we'll get to the rest of it.... Everything here is in Winbox. I generally start with a ' / ' to indicate a menu item on the left hand menu of Winbox, the...
blignaut - might be better if you contact me directly off forum...that way we don't clutter up the forum with little notes... You can post what you did after we're done - that will help other folks when they go looking for answers.... RB532A - is that the one w/32mb of memory? That may not be enough...
blignaut - Pros and cons - Pros for Usermanager and Hotspot together - one place to add/delete/disable users. Accounting stats are available and you can get reports of users usage based on criteria you select. Cons - more than 50 users requires a higher license level $$, requires some knowledge of r...
blignaut - Working on it.... You have sort of a mess there. I see you are using AP1 as the hotspot 'controller' for that entire network. Was that your intention or just the way things ended up? Do you want a separate Hotspot Controller on each AP OR (read the next paragraph)? It is entirely possible...
blignaut - It would be better if you posted either 'printouts' or exports of the aforementioned sections... While in winbox - left hand menu - New Terminal, click on that..... When the window opens, make it 'full size' by dragging the corners or double clicking on the top blue bar for that window. /...
blignaut - First - why are you using bridge and WDS - this looks perfect for a statically routed setup.... On to the issue at hand....where is the hotspot 'controller' - AP1? Or did you setup a Hotspot on each AP? How did you connect to AP1 - Wlan x? or via ethernet? The reason you can see everythin...
jokefake24 - Well first off you'll need to read the manual more fully. As to Networks A & B 'talking' to each other - they already can. You'll have to set your cpu's up to use IP address for printing vice using a computer name since they are in different networks. As to making network B use the ...
thomaspc - So - what is the problem - is it you are outside your network you can't see the internal webserver on its 'now' public IP address or is it that you can not see the internal webserver by name http://www.xxx.xxx from 'inside' your network? Reading your post again...looks like you are tryin...
I use a lot of 5ghz (802.11a) in my metro areas.... 2.4ghz is just too full of noise from consumer gear..... I split the band and use the higher 5ghz for backhauling data to/from the site and then use the lower 5ghz for the clients - works fine for me.
migo - Your 'text art' map doesn't make sense.... Typically the issue you are describing would be that you didn't change the MAC address on the bond interface. Read the manual and the wiki about bonding - it is very specific about changing the MAC for the bond interface (not the Wlan card or eth, th...
marcelocbf - - Setting the same SSID, on the sectorial antennas will make users associate back and forth between the cards ? Actually, my question would be ... how much strength difference between channels a wireless card decide to associate to another (average) ? Typically the client will associate ...
Blachawk - Sure - my suggestion would be to take the MTs out of bridged mode.... Bondingrr works just fine without a bridge. That way when you put the IP of the Moto radio in - the MT knows where to find it. Right now as a bridge it expects the IP to be accessible on BOTH lines - hence only receivin...
Hi Chris - First - thanks for the compliments - you seemed to be desperate so helping you out was a pleasure.... I see from your post that you had an IP conflict - you forgot to change the IP on the Desktop back to its original IP didn't you - so it still had 192.168.1.1 as its IP which conflicted...
edgarsw - I might be missing something but here goes... I do not see how you are going to 're-route' traffic from the Cisco through the DMZ to the MT and then through the MT to another public IP through the Internet cloud to your Lotus server and back again.... Perhaps your drawing is in error? If n...
maximo64 -
Why don't you just setup a VPN (ppp menu) or PPtP - whatever you want to call it..... Give the VPN an unused IP on the other side of MT Edge. Turn on Proxy Arp for that interface. Once connected via VPN you can call the routers by their local IP addresses right from winbox....
rednetwifi - For getting a ping to go out a specific port you'd need to use policy routing.... Typically you would use mangle to mark the connection, use the connection mark to add a routing mark. Then over in /ip routes you need to add two things.... One, a route in a named route table for your int...
mickeymouse690 - (Chris) It was a pleasure to talk with you last nite.... Please don't forget to post here, when you get done absorbing all the info and the configs we created last nite - including how you decided how to setup future CPEs on your Hotspots, your lessons learned. They will help someon...
mickeymouse690 - Well here's a stab at it - great talking to you on the phone.... RT1 - eth1 gets its IP from your Internet router (dlink I think you said...) RT1 - Wlan1 - let's give it an IP of 10.8.82.1/24 Interface=Wlan1 In winbox / ip route add ( + ) the routes to the other wlans and hotspot ...
mickeymouse690 - Not really sure what the heck you're trying to do here.....why bridge and wds everything? Why don't you just route everything where it needs to go and set the Hotspots up on the desired interfaces (WLans I presume)? You can NAT out at your ISP linkup - so only one NAT.... Maybe a li...
_Petya_ Well it really depends on how much you want to do with the units on each end.... RB433ah or RB600 will certainly do a good job. With the proper setup they should be able to pass 50mbps+ with dual wlan cards...and still have the cpu processing power to do a good amount of QoS servicing.... Pa...
InoX - This is not a competition to me - if you can get it to work & work well then I'd like to see the config as I could use the extra speed myself. My experience is that once you to start to load traffic in both directions the whole thing slows down. Add bonding on top of that (with bondingrr ...
cylent - Well you 'discovered' probably the only method that will work. Possibly, and I will repeat that, possibly, you can setup eth3 as a DHCP relay under DHCP server.... I haven't tried this but the functionality is there.... Alternately you should be able to setup just a standard routed situation...
InoX - I am talking about serious transfer rates...yes I know you can get 50Mbps with a single turbo channel and Nstreme - in ONE direction - I've done it plenty of times. You can also get about 70Mbps using only UDP - so what? I even duplicated MT's 300Mbps setup in my lab. But what the challenge is t...
lookout - Well it looks like for the most part that you have used the names I gave the interfaces in my example and not the names you gave the interfaces..... add chain=sanity-check in-interface=Local src-address=!192.168.1.0/24 action=jump jump-target=drop comment="Drop everything that goes fr...
jknudsen - 150Mbps is a dream - the RBs cannot push that much data across a wireless tcp link under even the best circumstances. I have run at least 50 different configs trying to get 100Mbps across a radio set pair. When I used Nstreme and bonding with 4 wireless interfaces at each end I was finall...
Ibersystems - This is more of a 'beginner' question than a wireless question. Basically what you would need to do is route a subnet of your public IP block to your remote office. There on the 'local' side of the MT station, you would place the Public IP gateway you routed to the MT station. For exam...
lookout - Ok lookout - here goes..... 1) Make sure you use masquerade for the private network in /ip firewall nat like so; src-addr=put_your_local_network_IP_block_here out-interface=Internet_interface action=masq 2) Firewalling - this is a short excerpt from an article by Dmitry (which you should l...
lookout - Well I am glad you found your issue - as I noted in my response - it looked like a netmask / IP address / or basic route issue.... As to SPI by the MT firewall.... It does do SPI, but you have to tell it what you are looking for.... As it let's say you only want your clients to use your m...
jknudsen - The backfire antenna is a good antenna - so are most of the 23/24db 5ghz antennas out there - so either selection will probably work just fine for you. As to bonding.... I have a couple of bonded setups running. I tried nstreme and nstreme dual..... I am not happy about the throughput on ...
CastorTroy - Well yes you will have to setup some scripts and mangle rules so your scripts will ping a specific host through a specific gateway (one of your data lines). And if the ping fails x times in y seconds/minutes then disable that route.... I did some scripts and such for " WirelessRudy...
lookout - It would be real helpful if you would go in to the terminal (console) and do a; /ip address export /ip route export /ip firewall nat export /ip dhcp server export and let us see what your config is at the moment so we can all point you in the right direction.... What it kind of sounds like ...
MyThoughts - Boy that is a lot of queues..... :) I would bet money you are using a PC based ROS distro, and you're using ROS 3.12 or ROS 3.13. From what I have seen on my ROS 3.13 router it acts similar to yours. Look at your mangle rules and you'll notice that they are probably not counting corect...
lordzar - Not to be critical - but why the heck do you want to bridge everything anyway? NORMALLY you would give your servers a private IP and use 1:1 nat'ing for them on a particular private IP block, and then do masq for clients from another private IP block. And/or if you HAVE to have public IPs o...
chris021 - Well I looked at the wiki and I did not see any further examples of using different chains the way you planned to use them - there are some there that do it differently that you can draw from to do your own...perhaps you lack the expertise with ROS to do this so I will show a partial exam...
fball - enk's solution won't work as the first src-nat rule will get executed before the netmap src-nat rules will be seen....the order in which the rules are applied is important.... Your idea is more correct...however....... scrnat: 10.4.2.2 -> 144.92.249.228 10.4.x.x -> 144.92.249.226 dstnat: 144...
chris021 Here is a link to the wiki for just such a case - there are two examples here and there are a few others for just routing regarding 'local' and international traffic... http://wiki.mikrotik.com/wiki/Bandwidth_Managment_and_Queues Basically what you are going to do is mark the connections in...
Mark - Just posting some clarifications here so the other folks know what you started with, what you wanted, and what you ended up with..... Mark wanted to be able to add a second Hotspot to service other clients in his area. Did not want to disturb the current client base. He also did NOT want to u...
rpuerto - Well then first might I suggest that you get the latest manual for MikroTik - it's version 3. A link is posted here on the forum somewhere - do a search..... To 'print out' your configs.... In winbox, left side, click on 'New Terminal', a telnet window will open. Double click on the top blu...
lormar - Mark - Quoting you " I use the hotspot existing profile. If I do remove the hotspot from the VAP I will have to change all the firewall settings and etc. Seems a lot of work but willing to do it if I can get it done quick as I have connected individuals most of the hours of the day. I ...
Hi Mark - I have a pretty busy business - so it has taken a little while to get back to your post. Let's see - you have your original Hotspot depicted above. First - take the hotspot off of the VAP wlan2 interface in your original unit. You'd want that (wlan2 your 'new' Virtual AP) to be just a stra...
yudigadget - You need to study the firewall mechanisms more thoroughly.... 9 chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no 10 chain=tcp-services connection-mark=http action=mark-packet new-packet-mark=packet_http_in pass...
lormar (Mark) Well you have sort of told us what you are trying to do - but you need to post some of your config here so we can tell you where you went wrong.... Basically it sounds like you want the original Hotspot to feed your new one and still handle clients as well. That sounds straight forward...
iam8up - There is no issue with running 2.4ghz and 900mhz together. What I said above was be careful running a SR9 and SR/XR or any other 2.4ghz card with it. The reason - the SR9 the data is first formatted and sent out a 2.4ghz very low power amp, it is then fed to a 900mhz down converter/amplifier...
mickeymouse690 - I don't know how everyone missed this but you don't have enough channel space to run that many 900mhz that close together..... Your very best bet is to run the 5ghz as backhauls between sites. That will at least free up some 900mhz channel space. If you are going to use 2.4ghz be mi...
10.1.4.250/32 - this format will only affect that single address. You'll have to use the firewall filter or mangle or both so this address does not get 'serviced'.
nitrium - Where to start.... Radius is about control but also adds security as well.... You can simply have it authenticate by MAC address or get sophisticated and have it send the wpa and ask for a username and password...it is entirely up to you..... As to WDS - well there certainly are situations...
nitrium - There are at least a dozen ways to add security in various ways and combinations.... Already mentioned are radius and wpa2 wireless coding. There is also 'hidden' essid, access and connect lists in the APs, with MAC / SSID checking. Much of this can be used in conjunction with radius. This...
I am going to have to quote Nickb here adding only that you remove the diversity switch as well..... SMA would be the ultimate in carrier class reliability (threaded connector, heavier cable), but MT would need to space their MiniPCI slots further apart to support it. I would love to see SMA cards, ...
thinair - Well I would certainly dump the bridge that's for sure..... There are a lot of ways to switch over to routed, and maintain a decent amount of security and control..... For us - we lock things down by MAC address, use aes-ccm keys, and a few other things. We have a very secure network.... I ha...
expunge - Well it really sounds like you have the bonding setup incorrectly..... I have a couple of similar setups with VRRP at each end, then a dual wireless system in a second box off to the main site, dual wireless box, VRRP. The other setups do not have the VRRP but do have separate boxes ...
CanWAN - Sure - if you read the wiki - it is for ROS 2.9.xx You are using ROS 3.0 Nth is different under 3.0 First go look at the ROS3.0 'nth' presentation on the wiki. Mod the load balancing to match your needs, and remember 'nth' under 3.0 only takes two parameters - not three like 2.9.xx R/
fabricioviana - Well it sounds like you are trying to redirect 'someone' to your internal web server that is coming in on your internal interface..... Now the way you put things in general above, this web server has a public IP that can be seen from the outside world, you are just trying to redirect...
rpuerto - ROS / Hotspot does not really care about timeouts....the only issue with that would be DNS. The issue you are describing - 'Bad Gateway or Gateway unavailable ' would typically be because you have the hotspot configured incorrectly..... Post your hotspot config and we'll take a look at it ...
lukef - You need to post your Hotspot config and the queue config.... In terminal mode /ip hotspot print.... Similar for queue config. You can copy and paste the terminal output in to the forum here. It sounds like Hotspot bandwidth limiting (queues) are taking priority over the simple queues you se...
sergiom99 - Well I can see what the issue is - your src-nat rule - masquerade. While using masq does save you a lot of trouble in keeping track of your 'public' IP it is not helping you with your current issue.... Perhaps we could use the script that ChangeIP gave you and set the IP and use src-nat ...
sergiom99 - I see your rules above - question - when you added these rules - what about the other rules before them? Rule order is critical in achieving your goal - so how about posting your rules (nat rules) from 0 to say 10, and let's see what you have and we'll figure out how to get your rules in...
sergiom99 - You would just use the dst-port portion of the nat rules; chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=0-65535 dst-address=xxx.xxx.xxx.xxx should look similar to this; chain=dstnat protocol=tcp dst-port=9000 action=dst-nat to-addresses=192.168.1.2 to-ports=9000 dst-addr...
Sergiom99 This what I use and I can see my servers inside and out by the public name or IP. 12 XServer NAME comment chain=srcnat action=src-nat to-addresses=xxx.xxx.xxx.xxx.xxx to-ports=0-65535 src-address=192.168.1.2 13 chain=dstnat action=dst-nat to-addresses=192.168.1.2 to-ports=0-65535 dst-addre...
A little better explanation of your solution would go a long way towards helping others when this type of issue arises... That's what the forum is for.....
techsimp - My first and probably most obvious question is - where is your config? Simply telling us that everything is bridged does not really help.... Pls post IP addresses and routes at the very least from your MT. Showing the interfaces with their config would be good too. My first observation - ...
jaws - You did not say what the ROS version was in all of the units - they should be the same. Also check the underlying firmware - in terminal mode "/system routerboard print", the two versions listed should be the same - if not then "/system routerboard upgrade" answer yes, then...
morfius - Well you should be able to get 40mbps with the RB150 on a wired network.... Post your config as it sounds like something is wrong with your config. You are able to get 45mbps to your ISP - where do you live :) If you are talking about 'internal' network speed you should get wire speed - so...
sergiom99 - First thing that comes to mind is - why don't you have a static public IP if you are running services for users?? Aside from that.... Since your users appear to be using 'dynhost.mydomain' as their dns...you could simply remove the in-interface in rule #2 and that should do it....the oth...