MikroTik

UniKyrn

Yes, that rule would kill Internet connectivity. If you're going to do this by IP address, then you need two rules, in the following order. 1) Allow anything from 192.168.16.0/20 to 192.168.16.1, so that they can talk to the gateway address. 2) Drop anything from 192.168.16.0/20 to 192.168.16.0/20 s...

UniKyrn

At least using the winbox interface, there is a little checkbox next to the Dst. Address field that is the "not" option. Simply check that box and enter your gateway address, then it'll match on anything that is "not" the gateway address. You could also do it by the src and dst i...

UniKyrn

well thx mr unikyrn..but i cnat change the coustomers CPE.. i just need a solution on my tower only....could mikrotik can be treated as a hardware firewall....

Then why are you asking for recommendations for a better CPE, since you can't use them?

UniKyrn

Buy another one and have it shipped next day delivery to you.

UniKyrn

You need to control the traffic from the customer before it uses your AP's bandwidth, not afterwards, so the control has to occur at the customer side. A MikroTik would be a good station machine that could also handle the traffic shaping.

UniKyrn

If you lost the bios, about all you're going to do with that board is return it to the factory for repair.

UniKyrn

If that flash is having problems with the first few sectors, it's not worth fighting with because even if you fix it now, you'll be doing it again and again and ... As for the license, that depends on who you bought it from. If you bought it from a reseller, then all they can do is sell you a new li...

UniKyrn

I've some experience with links handling about half that number of users. It isn't really the number of users you should worry about because as a backhaul link, you're already going to be turning off connection tracking and anything else that would slow down the CPU. What you should be focusing on i...

UniKyrn

An amp will make things worse than they already are, and depending on where you are, would be illegal as well. Use the sectors and tilt them down so that the radiation pattern is aimed at your intended area of coverage. If you can, go with one radio per antenna. That allows for more customers and if...

UniKyrn

A 15db omni has a very flat radiation pattern, it's hearing every noise source for a long distance away and every one of those sources can cause the radio to wait for a clear channel before transmitting a frame. In addition, because of that radiation pattern, close in sources are going to be underne...

UniKyrn

Why not add a firewall rule to throw away the PPPoE frames from his routers MAC address?

UniKyrn

When you allow them to connect, what kind of signal strengths to you get from them? I don't see that many unique MAC's in your posting so this appears to be just a small number of stations running unconfigured. If they connect, what's the reason given for their disconnection?

UniKyrn

My guess would be that you've got non-customers who haven't configured their computers to attach to a specific SSID, so they're trying to attach to the strongest signal they hear, which is you. There aren't many ways to fix that, if the owners of those computers won't fix their config. You could alw...

UniKyrn

Does the log specify the reason for the deauth?

If you've got customers with poor connections, the AP has to spend more time trying to exchange packets with those customers, to the exclusion of better connections. That drops the throughput pretty rapidly.

UniKyrn

I have to suspect that if they can't login to your network, they'll call and you can tell them the reason they're blocked that way. :) If you let them on your network, I'd recommend that you at least assign them an IP that you don't route to the Internet. Then route all traffic from that IP network ...

UniKyrn

If they're authenticating to your network via PPPoE, why don't you simply change their password to block them?

UniKyrn

And why are you using an RB112 as an AP when MikroTik explicitly tells you it's designed for use as a CPE device because of it's low horsepower?

UniKyrn

Yes, managed switches can be a bit expensive, you might check out surplus sites for older models that have been discontinued and are available cheaper. Without buying new equipment, I can't think of any way to remotely deal with problem customers. The NAT server at their end does a pretty good job o...

UniKyrn

I'm assuming that the client radios in the various builds are connected to a switch that then fans out to each customer in the building that has signed up for service. Either start using managed switches so you can remotely disable specific ethernet ports with clients haven't paid, or send out a tec...

UniKyrn

Is your NAT rule written so that it only NAT's your 172.16 source address, or is it NAT'ing anything on your internal interface that goes out your external interface? That 192.168 address is obviously being NAT'd or it wouldn't be talking to anybody. That's a pretty odd source and destination port c...

UniKyrn

China, why am I NOT surprised. You might consider input rules that drop any traffic from outside your network, except for protocols you actually need the router to respond to. Otherwise every worm, compromised PC and idiot on the planet is going to try and break into your router.

UniKyrn

Yup, IDE gone bad on Board. Kind sucks since it was only 2 years old. It's out of warranty then so you'd have to pay shipping and the cost to repair it. Unless you really need those PCMCIA ports, replacing it with a newer model should be cheaper than repairing it or buying a new one, unless you get...

UniKyrn

What kind of diagnostic work have you done to determine where the problem is? I can think of at least five different ways to have a POE powered router fail, most of them do not involve the router itself.

UniKyrn

How does RouterO/S respond to a bad block in the filesystem that happens to be within the config file? Does it perhaps delete the config because it's unusable? Does it run a chkdsk on the filesystem at mount time that might delete the config file because the FAT is damaged?

UniKyrn

Unless they've redesigned the RB11, the onboard 3.3V regulator can not supply enough current to power an XR5 at full output. That's why it works when you lower the power.

UniKyrn

What interface is the IP on the MikroTik assigned to?

UniKyrn

Put the MikroTik in station mode and have it associate to the SSID of the other AP.

UniKyrn

i wondered about this also, the downside is that they have a smaller MTU now when using PPPOE?

Yes, there will be a performance loss and since it was specified that these were colo and dedicated servers, they might not even have PPPOE available.

UniKyrn

It would be a pain to maintain, especially if your customers tend to swap equipment often at their end of the wire, but you could build firewall rules that allowed incoming packets from them that met specific MAC/IP combinations, and dropped anything else.

UniKyrn

I've worked with several rackmount RouterOS systems that had multiple 4 port ethernet cards in them. Each port had different IP networks configured on it and the box routed traffic between the interfaces and our upstream links. Unless you're doing something exotic like multicast/IGMP, a RouterOS sys...

UniKyrn

Over the years there have been reports that the POE port on a RB5xx is a little more sensitive to static or electrical surges than the old RB2xx series was. I remember taking a lot more calls to RMA a 5xx for blown POE ports than I did for 2xx boards. Ground everything, use lightning/surge protector...

UniKyrn

It's certainly possible to drop TCP packets that have the RST flag set, using the RouterOS firewall, so you should be able to do what you're asking with a single rule. Using WinBox and adding a rule to the input firewall table: Specify an input interface of your (Comcast Cable Modem? :), protocol TC...

UniKyrn

You can also use the forward firewall rules to block DHCP requests headed TO a wireless client and replies coming FROM wireless clients.

UniKyrn

Disable their authentication and bounce their connection so they are thrown off your network. Then wait for them to call, explain they get their connection back when they certify their PC has been cleaned up. Also explain that if they lie about their PC being cleaned up, the account is canceled perm...

UniKyrn

Out of curiosity, when you find one of these routers providing free access to your service, do you leave the cat5 to that apartment connected or do you disconnect that customer and wait for them to call you?

UniKyrn

What is the netmask that goes with those IP's? Are you assuming it's /24 or is the ISP telling you it's a /24?

UniKyrn

You're going to have to put a smarter switch there then, one that can do packet filtering. You could probably build one yourself using RouterO/S, some 4 port ethernet cards and a small PC, or check places like D-Link/NetGear and see if their smart switches have that ability.

UniKyrn

It's been awhile since I played with Canopy gear, but I think I remember them having the ability to filter packets. You might be able to filter DHCP requests headed towards your customers and DHCP replies coming from them.

UniKyrn

That is why PPPoE connections are preferable, where clients are assigned IP addresses by your system, and authentication occurs on USERNAME PASSWORD Basis. With PPPoE, clients cannot connect to your system unless they have a USERNAME PASSWORD. The downside to PPPoE is the RSS/MTU change that's requ...

UniKyrn

Add a firewall rule(s) that blocks all packets from unallocated IP's.

When you catch somebody screwing with your network infrastructure, terminate their account. Somebody who will screw your network over should be doing it to your competitors network, not yours.

UniKyrn

I've babysat a number of 532 based AP's, and while they did better than the 230's, they still didn't have the power to keep up with more than 50 users, roughly. Even then I disabled things like connection tracking, we used /26 real IP on the wireless side so I didn't need CT for NAT. No firewall rul...

UniKyrn

One other difference between PPPoE and PPPoA is the frame size, ATM has a larger MTU than Ethernet. In practice though, since everything on your internal network is probably Ethernet, you wouldn't notice the difference.

UniKyrn

You might mount the drive in a computer and try a netinstall of a new O/S, and select the save config option. That would get the drive bootable again and you could then export the config.

UniKyrn

Trying to limit it creates the same arms race, based on what I saw while I ran an ISP. Example, we're on the MT forum and an MT can block, but not limit all forms of P2P. Add to that the problem of legit uses of P2P becoming more common. I quit counting the calls we got about World of Warcraft updat...

UniKyrn

Nothing like passing the buck. lol Do you really want a customer that trashes an AP without regard for anybody but himself to be your problem, or would you rather it was your local competitor who's support phone was ringing off the hook with customers threatening to leave because their service wasn...

UniKyrn

Don't bother trying to limit P2P traffic, it doesn't work against some P2P clients and it just gets you involved in an arms race you're always behind in. You'd be better off making sure your Terms of Service included clauses forbidding interfering with the access of other customers or running servic...

UniKyrn

While you can reduce your downtime by mirroring drives and keeping hot spares for hardware failures, the unfortunate truth is that Router O/S is not designed with enterprise level recovery in mind. In the best of cases you're going to have to swap in a mirrored drive, but in the case of a hardware f...

UniKyrn

If they are supposed to use your mail server for outgoing email, block port 25 outbound to anything except your servers IP and turn on logging for the forwarding rule that does the blocking. If they are free to use any mail server they wish, you'll find out they're virused when your network gets bla...

UniKyrn

Block UDP port 67 as a destination to and source from your customer networks.

UniKyrn

Start with figuring out what device has that MAC address shown in the error message. That error is usually warning you that the radio received a packet with a source MAC that wasn't authorized to talk to it.

UniKyrn

Did the boards fail while in service? If so, the ether port has probably taken a static zap and it's been fried.

UniKyrn

That's the basic idea, yep.

UniKyrn

Have you tried modifying that dst-nat rule's input settings so your own customers are excluded from matching it? IP range would be a good way, though if you have several internal ranges you'd need multiple exclusions.

UniKyrn

Stopping the radio from forwarding packets is only half the problem, the AP has to be told to block that kind of traffic also. In your firewall "forwarding" tables, you'd want a rule that blocked any packet that ingressed via a wireless port and that tried to egress via a wireless port. Af...

UniKyrn

If you can use WDS, do so. It doesn't require that you change the MTU so you don't wind up fragmenting ethernet frames into two wireless frames as they go across the EoIP tunnel.

UniKyrn

Having spent three years running a WISP, I do know a bit about this stuff and we're drifting from the original question. The number of clients an AP can support is not strictly related to the horsepower of the AP. You have to have a fast enough machine to push the packets around at the speed the rad...

UniKyrn

What does your plan say to do when there are no interference free channels?

UniKyrn

It depends where the interference is. If it's close to one of your clients, just clients in that area are likely to have problems. It's more likely though that the interference is close to your AP, after all, you mounted it someplace where it could see everything for a long distance, which means it ...

UniKyrn

Get in line with the rest of us, my request to make those error counters visible is over three years old now.

UniKyrn

And the flash had a bootable copy of RouterOS on it already? Did the board take a static or electrical hit of somekind? If the flash had a bootable image on it, then it's sounding like the IDE interface on the RB230 has gone bad. Those boards were becoming special order items on their way to being d...

UniKyrn

traffic is growing a lot when they are connected

What kind of traffic? Are you looking at an ARP or Broadcast storm between the two routers? Maybe you've got a device inside the network that's connected to both the A and B networks and you've got a loop that is causing problems.

UniKyrn

Do you recognize the MAC's as belonging to a valid customer of yours? That IP is an "all nets" broadcast IP, but only MT could tell you if the router really received a packet with that IP in it, or if you're looking at an entry where the IP defaulted to -1 as an uninitilized value. Maybe t...

UniKyrn

Make sure the flash module hasn't worked free of the socket far enough to not make a connection. If that isn't it, then it sounds like the flash has gone bad. You'll have to buy a new flash and relicense the board.

UniKyrn

RB112's are typically licensed by MT at the factory, and then the license is transfered to the control of the reseller that buys the boards for resale. If you have the serial number of the board, then the records should exist showing when it was sold and which license scheme was in effect at the tim...

UniKyrn

You add a firewall rule that drops packets that enter via the hotspot interface and that want to exit via the same interface. Or you add a firewall rule that drops packets where the source IP is your hotspot network and the destination isn't your hotspot gateway address. Add them at the MT that is a...

UniKyrn

The idea is still the same. The hotspot users are probably talking to the gateway IP which is assigned to the local ethernet port. You want to drop packets which ingress on that port and want to egress on that same port back to a different hotspot user. Valid packets would ingress on the local port ...

UniKyrn

Drop any packet that ingresses from a non-ethernet port that tries to egress from a non-ethernet port.

UniKyrn

It's not documented in the PDF I have, but if you open a terminal window to your AP, look at the "special-logon" command. Basically you create a special user on the AP that links a telnet session directly to a serial port.

UniKyrn

I Googled for "solar charge controller rs232" and got a lot of hits for controllers that could be remotely monitored. You'd have to write some scripts or have a central system poll/monitor each AP. With the central approach, you'd probably be able to graph the data using MRTG and have a hi...

UniKyrn

Almost any of the APC SmartUPS's would probably work, if you can figure out how to remove the electronics and attach them to your solar array. You'd have to find the 117V sensing stuff and disable it since you won't have line voltage, and you might have to disable the charging circuit so it doesn't ...

UniKyrn

A UPS implies that you'd be charging batteries, to power an inverter, to power the UPS full of batteries, to power a wall wart, to power the RB. That's a lot of conversions and associated efficiency losses. You might be better off running straight from the batteries, and using the Serial Port Monito...

UniKyrn

They will not give you a new key. Even at a lower price. Nobody except MikroTik can "give" you a new key unless they want to pay for one out of their own pocket and not charge you for it. When you buy a licensed flash from a retailer, they don't generate a key for it themselves, they go b...

UniKyrn

The hotspot will have to be assigning real/routable IP to hotspot users, or SIP/RTP won't work.

UniKyrn

If your omni is already mounted in its final location and you only hear a couple of residential AP's on a scan, yep, that's a quiet area. I've seen one up high on a hilltop come back with several screens of other AP's, the site was pretty much unusable.

UniKyrn

You don't mention whether you're using B or G, so I'll assume B since it's longer range. With that kind of gear, in a quiet rural setting, I'd bet on 10 miles or more. Swap that CM9 for an SR2 or similar card and you might push out to 15, figure 10 with a solid 11Mbit link and falling off to 1Mbit a...

UniKyrn

If i have offended youo so or anyone else

Nope, not offended.

UniKyrn

no this is not what I'm talking about. The device you pointed us to is not a single card that does all three bands, it's an AP with two seperate wireless cards in it, one for each band. WX-7800A contains two separate wireless connectivity radio transceivers, which support all three popular wireless...

UniKyrn

No, I don't think anybody makes a card that can do 2.4G and 5G at the same time, and I'm hoping that wasn't what hellbound was actually asking about.

UniKyrn

You're talking about two radio cards, merging the antenna's into one tower cable, and then splitting them apart at the top, right? Two of those duplexers costs less than just putting a second run of LMR up the tower? You're going to be introducing signal loss with each additional connection point al...

UniKyrn

Use WDS where possible, because it allows bridging of the 1500 byte frames without having to split them into two smaller frames the way EoIP has to.

UniKyrn

If you're using 802.11B, then you've only got about 3.3Mbits of usable bandwidth, so 2.5Mbit is a sizable piece of that. Depending on how many other customers you have connected, it's probably just keeping the radio busy with that one heavy data stream and polling everybody else duing the poll loop.

UniKyrn

Dropping the MTU will help to a certain extent, the packet has less air time so the chances of it being interfered with are smaller. While it might seem odd, you can also dial down the speed of the link and while the packets spend more time "in the air", the slower speeds are more resistan...

UniKyrn

What brand lightning arrestors were you using on the Cat5?

UniKyrn

I've seen the same thing. Starting with 2.9 roughly, the link speed will drop back to the basic level if it's not being used. That change played hell with the customer graphs we kept because we couldn't tell any more if a slow speed was because the link was having problems or if was just idle.

UniKyrn

If you're taking routes from two peers and only seeing one set used, my guess would be that the peer in question is artificially setting the weight of their routes lower. I've seen that happen with XO here in the US. If that's what's happening, then you're screwed, at least with the basic BGP module...

UniKyrn

I'd expect a brownout to lockup the machine or completely reboot it though, not just make it act a little weird. A memory corruption from a brownout should crash the machine rather quickly if it occurs in code that's being used.

UniKyrn

Do you have a bridged interface on that router? Connection tracking is probably tracking the state of all the traffic it hears, not just traffic specific to that router. In a routed network, that's traffic to the router or that passes through it, but in a bridged network it starts watching just abou...

UniKyrn

Memory leaks in the code? How long do these systems have to be running before you start seeing the problem? I've seen 230's and 532's go a little weird like that after being up for months without a reboot.

UniKyrn

Have you ACTUALLY ever delt with cisco or juniper with their releases? your luckey if they even load it on a router before releasing it. I worked for Alcatel for three years and we weren't allowed to release anything without the QA group doing a complete regression test, no exceptions. If we change...

UniKyrn

How many small ISP's do you know of that have a test lab all? no I'm warning people that MT's implementation is not feature rich, how can you say that, if you have not even used it for more than a year? since 2.8 almost everything has changed And we'd know this how? The 2.9 PDF manual doesn't even ...

UniKyrn

Not in 2.8, and we stopped doing automatic upgrades after the 2.8 fiasco where they didn't regression test changes to BGP and broke routing for anybody who upgraded. That was about 2.8.24 or 2.8.26 I believe. Taking your border router down for an upgrade is enough trouble for an ISP, taking it down...

UniKyrn

How many small ISP's do you know of that have a test lab with a duplicate border router sitting there for the occasional test? And for the record, I'm not saying don't use BGP, I'm warning people that MT's implementation is not feature rich, nor do they have a good track record for regression testin...

UniKyrn

Not in 2.8, and we stopped doing automatic upgrades after the 2.8 fiasco where they didn't regression test changes to BGP and broke routing for anybody who upgraded. That was about 2.8.24 or 2.8.26 I believe. Taking your border router down for an upgrade is enough trouble for an ISP, taking it down ...

UniKyrn

You can't disable a peer using WinBox, only delete them. I assume you're talking about a disable option that's only available from the command prompt.

UniKyrn

Be aware that you'll lose a lot of the ability to configure your BGP sessions if you move to ROS. The last place I worked, our border router was a ROS box after the ancient Cisco box we had couldn't handle the full routing table any more. We were dual homed, full tables from each provider. Something...

UniKyrn

Yes, I'm serious, loosing an occasional packet is normal, these aren't perfect systems.

UniKyrn

You're pushing a link 18KM, getting a packet dropped every 15-20 minutes and you think you've got a problem? I suspect most WISP's pray to have as few problems as that. :) You get packet losses even on hardwire, don't be surprised when an 18KM RF link looses packets also. That's why TCP had retries....

UniKyrn

rb532's work with 8602's a lot better than a rb112 will. Go read the specs for the power available on each RB, then read the specs for the max power required for a single 8602. You're lucky you haven't burned out the voltage regulater on that rb112, and it sure isn't going to be stable. You can have...

UniKyrn

Replace that RB112 with an RB532 and try again.

UniKyrn

You go into the properties for the wireless interface and set TX Power to something besides "default", which is max output normally. I believe 400mw is 26db, so try setting it to 22 or 23 and see if it becomes more stable. Also, be aware that you can't get 400mw out of that card when using...

UniKyrn

With those trees in the way like that, you're definitly going to want a directional high gain antenna. Every db is going to count. aviper brings up an interesting question, you're using 900Mhz specific antenna's, right?

UniKyrn

Are you running that SR2 at max output? It's current requirements and the available current on the miniPCI slot of a 230 are right at the edge. Try backing the power off to 200 or 300mw as a test and see if performance improves. There is probably more current available to the PCMCIA slots which is w...

UniKyrn

A 6db Omni at the AP isn't going to get you far, especially with that mag-mount on the car. Those gains aren't much above what you'd get just sticking an cheap residential AP up there instead of a MikroTik. You're not saying just what cards you were using with what antennas during your tests, I'm ho...

UniKyrn

Can I Power a 802.11a/b/g 400mW Senao NMP-8602 with a RB11? Do not use that combination at full power output. The specs for the 8602 list it's possible maximum current draw at more than the RB11 voltage regulator is spec'd to provide. You'll need to set the output power to less than 400mw to be safe.

UniKyrn

Like I said, identify those customers, throw them off your network, let them trash somebody elses network instead of yours. Your competition will be crippled and you'll pick up customers because your network is actually usable.

UniKyrn

If you're using routerboards as your AP's though, and you've got connection tracking turned on, you've still got a vested interest in keeping P2P traffic away from those machines. There is a noticable performance hit when the AP has to track thousands of attempted connections instead of a hundred or...

UniKyrn

Look, stop hoping MikroTik can solve all your P2P problems, they're always going to be a step behind the latest software. If you're an ISP, make sure your terms of service forbid P2P traffic and then start monitoring your customers. When you catch them, and P2P traffic leaves a very obvious trail in...

UniKyrn

I'd normally recommend you go buy a hell of a lot of books about network design, but since you're already in motion, it's too late for that. Now you need to find somebody that can get your network working, and it may be harsh, but you pay them what they ask. Starting a WISP is not just buying the ha...

UniKyrn

I don't believe you understand just how big the task you've just taken on is going to be. I second the suggestion that you find a qualified network and systems admin to help you.

UniKyrn

Are you sure the unit is crashing? I saw this kind of behaviour when disabling interfaces that were part of bridge groups and with a serial console, traced it back to the bridge not cleaning up the MAC correctly. The unit continued to run, but wouldn't communicate over any of the interfaces that rem...

UniKyrn

Idealy you'd want blocking at both ends of your network. Blocking at your border router would prevent all the incoming connection attempts from messing with your network and that machine probably has more horsepower than your AP's. Blocking at the AP would prevent the user from hogging the AP. And f...

UniKyrn

Have you ever thought about the resources it takes for control attempts? Given we're in the MikriTik Forum, it's reasonable to believe we're talking about P2P traffic over wireless. Ok, think about what that traffic looks like compared to normal residential traffic. Your normal user is going to esta...

UniKyrn

If you seriously want to ban P2P traffic on your network, then the best tool you've got is your own eyes and brain. Graph the traffic for each of your customers and then do periodic spot checks of those graphs. P2P traffic leaves patterns you'll learn to recognize and if you've got connection tracki...

UniKyrn

Make sure "forwarding" is turned of on that interface, or your customers will continue talking directly to each other through the radio and any filtering you try to do in the router won't be very effective. You can then put firewall rules in the forwarding table of the router that block th...

UniKyrn

In the case of a config problem, you can simply implement a backup schedule for the config of the machine, make sure you keep an exact copy of the OS version you're using also. This would cover you in cases of operator error or drive failure. You'd have to relicense the new drive, but you'd be able ...

UniKyrn

Cell towers can and do cause problems with 802.11b stuff. The problem appears to be the RF plasma "cloud" surrounding their antennas because of their much higher power output. You wouldn't think this was true just looking the the frequencies in use and their harmonics, but I've seen it hap...

UniKyrn

Yes, you're CPU bound. I believe MT posted something about 700Mhz or better being the lower limit for the CPU if you wanted to run nstreme at full speed. This effectivly eliminates any of the single board systems normally discussed around here for wi-fi use and moves you into the PC with miniPCI ada...

UniKyrn

Are you running in-line lightning arrestors on the Cat5? Lightning season is starting where I am and we've already had a few failures. The most common failure is the ethernet port, that long length of Cat5 going up to the radio makes a wonderful antenna all on it's own and a good static zap from a n...

UniKyrn

Out of curiosity, are you running those 532's with two SR cards at their full output? How long is the cable from the power injector to the AP? Theory claims that a 532 can power two 400mw cards. In practice, I've seen a 50% success rate, one of the failures actually blew up the 532. I've also seen r...

UniKyrn

After climing down the tower my wife noticed the connectiong start/stoping. Going back up the tower and wiggling the connectors I found one of the u.ul connectors to be faulty. quest is if this connector was shorting out the radio could this cause the mikrotik unit to basicly go dead until a power ...

UniKyrn

How is it that your customer keeps changing his IP address?

And why is he still a customer after the first time you catch him screwing with your network ...

UniKyrn

It came up to 36Meg link for a while but now it's jumping up and down and falling all the way back to 6Meg. Is the speed falling when the link is idle, or when you're pumping traffic through it? For what ever reason, it's normal for those cards to drop the speed when they aren't doing anything. Pri...

UniKyrn

You better keep a close eye on memory usage. I bet those packages were disabled by default because you're trying to run in only 16Meg of memory instead of the larger memory available on the RB532's.

UniKyrn

One possibility is that you've got a customer with a CPE that's registering with it's own MAC, but passing LAN traffic through with the original source MAC instead of its MAC. I've had customers using Linksys Bridges with custom firmware show this kind of nonsense. While the flood is occuring, disco...

UniKyrn

I like your fake DHCP for 127.0.0.0! LOL I thought about putting a rule in for the 192.168.0.0/24 network, but even though it's listing that as a source, these are broadcast ICMP packets. So I don't think an IP rule is going to catch that. You can also put an ICMP specific rule in the firewall forw...

UniKyrn

We don't have 192.168.0.0/24 on our own network or on any of our routers. Then put a firewall rule at the router the customers are talking to that drops all 192.168.0.0/16 (fakenet) traffic. That's one of the first things I do on a new AP, just to keep stupid customer routers from flooding our netw...

UniKyrn

I've noticed that problem on 11b also, only one client could connect at a -95db, which appears to be the same default value for 2.9.14 that the old -100db used to be. That's what you see for a strength before packets flow and you get a real reading. I've had better luck on 11a with them, at least at...

UniKyrn

The card is recognized as an Atheros AR5413 card and it works, mostly. One of the things that doesn't appear to be correct though is the power versus speed table. I'm assuming the driver is simply defaulting to some safe table because it hasn't been taught about this card yet. Any idea when official...

UniKyrn

Sorry, I thought you were using the MT as the AP.

UniKyrn

If you've got a machine that can do it, I highly recomment graphing the signal strength and speed of your customer connections. It gives you the history of their connection and when something like this starts to occur, you can look at those graphs and have a good idea if the problem is local to the ...

UniKyrn

Ok, so it's a documented bug, but it's still a bug. When will it be fixed?

UniKyrn

I'd have to agree, it'll probably be fracked royally by the upgrade. I'd probably build a replacement radio that was programmed correctly and swap it with the existing unit, rather than try to upgrade the existing one in place, if I had the hardware available.

UniKyrn

No, the correct answer is "fix the config conversion so that it doesn't break things". I got lucky with the unit I was working on, there was a secondary way to access it remotely that I could use to get into it and fix things. Most people would end up climbing the tower to swap the radio o...

UniKyrn

I thought I'd read a note that they'd gotten the upgrade problem fixed, but it's still causing problems. I took a router with a very basic config, it's a backhaul link. There is one bridge with one ethernet and one wds interface in it. After upgrading to 2.9.12 as a test, I managed to get back into ...

UniKyrn

Do a web search for SR5 cards and look at the specs. As the speed of the link is increased above 24Mbit, the power output of the card is reduced. 24Mbit is the highest rated speed that still produces 400mw output. By the time you get to 54Mbit, the output drops to 100mw. Then do a search for the 802...

UniKyrn

Then, if you're going for range instead of speed, lock the speed of each end of the link to 24Mbit, which gets you the 400mw the card can produce. If you let the speed go higher than 24Mbit, the card starts reducing the power output.

UniKyrn

You can't, the RB532 can't run the 2.8 OS.

UniKyrn

That's your warrantee you heard scream.

UniKyrn

Not if you run them at maximum output.

UniKyrn

Yeah, I've been getting reports from customers that the POE port in the 532's they have are failing. Most of the failures I've heard of, just the ethernet part dies, you can still use the port to power the unit. I'm wondering if that new chip they used might not be more sensitive to static than the ...

UniKyrn

Yep, now what you've given us a better picture of the setup, it doesn't sound like a power issue so I'll let somebody else make suggestions now.

UniKyrn

Ok, that answer tells me you didn't understand the question. An SR5 card can draw slightly more than 5W of power at 3.3V from the miniPCI slot it is plugged into, worst case. A lot of systems can't supply that much power and what you'll see is the card go unstable under heavy xmit, which is the time...

UniKyrn

If you're running an SR5 at 24Mbits, are you sure it's getting its full 5W of power?

UniKyrn

I couldn't tell you, you'd have to try it and see. I don't know if the config was modified by the upgrade process. You might have to downgrade to 2.8, restore the config, then upgrade to 2.9 again with individual packages to get everything right.

UniKyrn

When upgrading from 2.8 to 2.9, do NOT use the all in one package. The first time it boots as the version upgrade occurs, it ONLY installs the system package from the all in one package, nothing else. If you can get access to the unit again, install the all in one package a second time and it will t...

UniKyrn

It it's an isolated tunnel between two offices of the same client, I'd agree and I add special rules ahead of my general blocks just for that tunnel. If it's for general wireless clients and the tunnel is just the backhaul to the core of the network, block'em and forget'em. That crap has no business...

UniKyrn

One of the first sets of rules I add to any forwarding fire table is a block of the Netbios ports 135-139. It's a defense against customers who can't keep their local networks from leaking that junk out into ours.

UniKyrn

It's been requested, it just doesn't appear to be a high priority.

UniKyrn

Are you throttling both directions? Keep in mind that there are going to be hundreds of incoming connections attempts from people trying to get file segments from your customer and connection tracking is going to have to deal with them as well.

UniKyrn

One experimental backhaul we're testing uses a pair of 532's bumped to 333Mhz, SR5's and Nstreme. One end is configured for bridge with WDS and the other end is configured for station-wds. At twenty miles we're getting signal strengths of -72db to -75db when the link speed is manually limited to 24m...

UniKyrn

Max Segment Size. A normal Ethernet Frame is 1500 bytes, but with the PPPoE header added, you have to change that to 1492. That option quietly turns on a mangling rule to modify TCP headers to adjust the MSS on connections as they are created.

UniKyrn

Did you catch the place in the PPP profile labled "Only One" also? I'm not sure what that's doing, but it might also limit you to one pppoe session per mac address. We run with one session limit turned on and your description matches what we see pretty closely.

UniKyrn

Did you happen to turn on the "One Session per Host" setting on the PPPoE server?

UniKyrn

Does your ISP know you've got both IP blocks? Who's announcing the routing for them to the rest of the Internet? You? Your ISP? If you've done the routing right, with the gateway for the netblock on the second interface being the IP address of the first interface, everything will simply work.

UniKyrn

One firewall forwarding rule; all-p2p->drop

UniKyrn

14W I believe, according to the specs for the board, and the board itself uses 2-3W without any cards installed. The specs are available at routerboard.com the last time I checked.

UniKyrn

It's unfortunate, but sometimes it does come down to disconnecting the customer, especially if they've already been warned to stop what they're doing. Your AP is YOUR shared resource, not their private one.

UniKyrn

The hotspot-temp rules in the firewall define what's allowed by unauthenticated users, so whether it's port 25 or any other port, adding an accept rule to that ruleset should be enough to let users through without logging in. You might consider limiting the bandwidth or the rate of SYN packets throu...

UniKyrn

Are you really sure you want to open port 25 for just anybody who walks by?

UniKyrn

Here's the info for APC models.

http://www.networkupstools.org/protocols/apcsmart.html

UniKyrn

It could also be that they'll have less interest since they dropped the USB port from the 5XX series. Unless they plan on dropping support for PCMCIA radios though, the RB230 should be around for awhile and it's got two USB ports.

UniKyrn

I've never researched the protocol(s), I don't know.

UniKyrn

Quite a lot of the UPS's now come with USB cables for monitoring. Any chance we could get a driver in the RouterOS to allow monitoring a UPS plugged into the USB port? Something we could script against so that we could have a MT at a remote site send us email when the UPS reports a power failure, or...

UniKyrn

As best I recall from a conversation last year with MT, the bug is actually in hardware also, something about the wrong resistors being put on the board, or something like that. That's why it hasn't simply been fixed in software by now I suspect.

UniKyrn

This is a change from 2.8 behaviour, right? I've had a couple of users connect to us using Linksys Ethernet Bridges that appear to send using the MAC of the source computer, not the MAC of the radio card. Under 2.8 these show up as multiple entries in the wireless association table. I assume in 2.9 ...

UniKyrn

Is the AP using a Prism or Atheros card? We've got one 13.3 mile link using a Tranzeo client to a prism AP, but I've seen longer links exhibit that associate/disconnect sequence and I believe the AP was simply deciding the ACK time was too great and so it wouldn't let the client stay associated. Ath...

UniKyrn

Oh, sorry, I thought I remembered you saying you could pick it up from a laptop close by, but not further away. Even without a pigtail at all you should be able to hear the AP on a laptop next to it so as long as you've configured it for AP-Bridge instead of the default Station mode, then I'd have t...

UniKyrn

If you can pick it up at all from a laptop or something, then the card is working. If you do a scan, can you hear any of the other AP's in the area? This still sounds like a shorted pigtail or something.

UniKyrn

Or possibly you've got the pigtail on the wrong connector. Try switching the antenna config and see if it gets better.

UniKyrn

An AP interface won't show as Running unless at least one radio has associated with it, I believe.

UniKyrn

Are you using PPPoE to authenticate your client connections? If so, run cfgmaker with the option to configure interfaces by name and you'll get a list that includes each individual client. Then just edit out anything you didn't want, like the ethernet or raw wireless interfaces. As the clients come ...

UniKyrn

With or without WDS, 802.11b's throughput isn't going to be much more than 3Mbps, that I've ever seen on any of our customer links. If you're trying to bridge traffic between a couple of radios though, WDS is more efficient on an MT than anything else I've tried and MT recommends WDS itself.

UniKyrn

If you end up with fewer rules, it's worth it.

UniKyrn

If your clients come through internal interfaces, it would probably be easier to drop requests from the external interface instead of adding all those other rules.

UniKyrn

And if you route them at least a /29, they can have up to five public systems.

UniKyrn

I've done it by assigning the customer a fixed IP for their PPPoE session, then routing a subnet to that fixed IP, works fairly well. You do need more than a toy router at the other end though.

UniKyrn

They have the problem also, they just have more of a bandwidth buffer to absorb it usually.

UniKyrn

If it's a wireless client, it's still going to be having a serious effect on the AP they are connected to because it's going to consume valuable bandwidth before the router gets a chance to drop the packets. Virus's, ping floods, those kinds of things can quickly cripple an AP. At least in our case,...

UniKyrn

Hummm, I thought I remembered reading it was a polling protocol, sorry.

UniKyrn

There is another limitation that come in for 802.11b, it's a polling protocol and the more radios that are registered, the more polling that gets done. Past a certain point the radio is so busy polling that it can't pass traffic efficiently and still poll everybody. As a general rule, I don't put mo...

UniKyrn

If that third party AP doesn't support WDS, then station-WDS mode isn't going to help you. As best I can tell that simply allows you to use WDS while in station mode instead of you're being an AP. So you're going to need to be in station mode for the link to the other AP for a start. Now I've never ...

UniKyrn

If everybody is in that 120-180 degree arc, I'd put a good waveguide antenna up there. I've seen problems with omni's up high like that, while they can see for miles, the problem is "they can see for miles", they get to hear all the noise from every source imaginable. Add to the fact they ...

UniKyrn

Put an accept rule in the "input" rules with the source address being the ones you want to allow and set the interface to your external interface, then after them, put in a drop rule that covers everything else from the external interface. Make sure you also accept input from your peers if...

UniKyrn

I think I'd consider putting in rules to allow routing protocols to work with your upstream providers, maybe allowing pings of the router itself, but blocking everything else. As long as you put it in the "input" chain, is should only effect traffic that terminates at the router, and won't...

UniKyrn

Have you considered firewall rules in the "input" table to limit access to your own network?

UniKyrn

Are those IP's from inside or outside your network?

UniKyrn

I can try. I've setup WDS between pairs of MT's for some of backhauls.

UniKyrn

If you're simply routing traffic from the D-Link's to the MT, then yes, WDS would give you a bit higher performance. Is the RV Park generating the kinds of loads where you think you need to squeeze every drop of performance out of the MT? :) If the D-Link's do WDS, then you'll need to read up on how...

UniKyrn

External modem set to auto-answer, serial cable to MT, you're in business.

UniKyrn

Probably not, BGP in the MT is not very configurable.

UniKyrn

As our border router we use a 1.7Ghz P4 machine with two upstream links, each with a BGP feed from the provider. For a year now that machine has been running pretty much without a problem, it's been running 2.8.10 for quite awhile now. Yesterday, after being up for about 2800 hours without a reboot,...

UniKyrn

Sounds like somebody installed some package files for the wrong version of the O/S on there. If it boots, go into the files area and remove them.

UniKyrn

Sorry, I don't know.

UniKyrn

The quickest way would probably be with a firewall rule in the "forwarding" table that blocked any packet that came in from a wireless interface and didn't exit on the ethernet interface.

UniKyrn

That only prevents the radio card from directly forward packets from one wireless client to the other. The packets can still pass from client to client through the router itself if you don't block them.

UniKyrn

Yeah, I've notice that a lot of introductory questions go unanswered also, and I've even skipped a few of them myself. If I had to guess at why that happens, my guess would be that MT expects people to have a good fundimental knowledge of networking and to have read the manual. Questions that demons...

UniKyrn

Pinging anything other than itself or the other router would be a function of your routing table, not the EoIP tunnel. It sounds like you were missing a route someplace. FYI, between two wireless systems like that, you'll find that WDS works better (high bandwidth) than an EoIP tunnel between them. ...

UniKyrn

I believe you only need to add the WDS interfaces to the bridge if you're trying to create something like a P2P transparent link. If all you're doing is linking the AP's together and letting normal routing handle traffic to the external net, you probably don't need them in the bridge. Since I use th...

UniKyrn

I should also note that if I use an EoIP tunnel between the two p2p boxes instead of WDS, the speed drops to about 12Mbit. The L3 routing of that traffic really does drag the box down instead of leaving it as L2 bridging with WDS.

UniKyrn

Using the bandwidth test tool built into the O/S. The station doing the testing is an external 1.8Ghz machine and the station being tested is the far end of the p2p link, the near end is wired to 100Mbit lan containing the testing machine. I usually do a UDP receive, then a send, and get roughly the...

Search found 245 matches