Community discussions

Search found 77 matches

by invader zog
Sat May 16, 2020 6:38 pm
Forum: General
Topic: Custom --log-level in firewall rules or filtering on log file actions...
Replies: 2
Views: 663

Re: Custom --log-level in firewall rules or filtering on log file actions...

I’ve been getting by with that, but there are some cons: 1) I’m sending all of the “new connections” traffic to my syslog server when I don’t need it. This means 99% of the traffic sent to it is being filtered out so I'm wasting a lot of network bandwidth + our syslogger is being pushed pretty hard ...
by invader zog
Fri May 15, 2020 11:22 pm
Forum: General
Topic: Custom --log-level in firewall rules or filtering on log file actions...
Replies: 2
Views: 663

Custom --log-level in firewall rules or filtering on log file actions...

I had a smaller set of firewall logging rules that let me know when there were behaviors that should catch my eye. Logs are forwarded to a remote syslog server and it has some rules that will fire off warning emails when certain phrases are detected in the logs. This all worked wonderfully until... ...
by invader zog
Wed Dec 05, 2018 10:51 pm
Forum: Wireless Networking
Topic: Multiple APs + seamless + wired backbone
Replies: 3
Views: 988

Re: Multiple APs + seamless + wired backbone

Thanks for the suggestions. I'll back out my efforts w/ RSTP. In order to more easily troubleshoot what was going on, I setup a virtual AP on each of the three with a unique SSID and configured my phone to use these. This makes it a lot easier to tell which AP the phone is connected to (i.e. vs. dig...
by invader zog
Sat Dec 01, 2018 3:56 am
Forum: Wireless Networking
Topic: Multiple APs + seamless + wired backbone
Replies: 3
Views: 988

Multiple APs + seamless + wired backbone

I'm not a Mikrotik noob and have spent *many* hours digging through threads and wiki posts to no avail. I have 3 MTs. Each of them runs an AP. One of them is connected to my internet connection. The other two have wired and wireless ports bridged and connect back to a switch that all three devices co...
by invader zog
Thu Jul 26, 2018 8:44 pm
Forum: General
Topic: RB493G just started repeatedly crashing (~10 minutes)
Replies: 5
Views: 932

Re: RB493G just started repeatedly crashing (~10 minutes)

FYI the issues were hardware related (the MT not the power supply). All issues were resolved w/ a hardware swap.
by invader zog
Thu May 31, 2018 9:04 pm
Forum: General
Topic: RB493G just started repeatedly crashing (~10 minutes)
Replies: 5
Views: 932

Re: RB493G just started repeatedly crashing (~10 minutes)

Are the capacitors shot? Are they raised or leaking from the tops? Have you tried powering with a different method? It should support POE as well as the DC plug. I haven't opened the case to check the hardware, but that sounds like it is worth looking into. We have ordered another 493G that should ...
by invader zog
Thu May 31, 2018 7:42 am
Forum: General
Topic: RB493G just started repeatedly crashing (~10 minutes)
Replies: 5
Views: 932

Re: RB493G just started repeatedly crashing (~10 minutes)

A few more observations: Performed a fresh install via NetInstall - no difference Updated to the latest RC - no difference Each port on the MT represents a different network. I did a number of experiments turning off different segments of traffic (including all access to the internet) and was able t...
by invader zog
Thu May 31, 2018 2:39 am
Forum: General
Topic: RB493G just started repeatedly crashing (~10 minutes)
Replies: 5
Views: 932

RB493G just started repeatedly crashing (~10 minutes)

No changes to the config have been made in weeks. Starting last night every 5-10 minutes or so the router is rebooting. May/30/2018 09:36:23 system,error,critical router was rebooted without proper shutdown May/30/2018 09:43:07 system,error,critical router was rebooted without proper shutdown May/30...
by invader zog
Thu Mar 24, 2016 1:35 am
Forum: General
Topic: RB493AH crashing once/day after RouterOS + Firmware upgrade :(
Replies: 1
Views: 508

RB493AH crashing once/day after RouterOS + Firmware upgrade :(

Two days ago I upgraded our FW from Firmware 2.23 to 3.24 and the packages to 6.34.3 (do not recall what version I was at before). Yesterday, the FW crashed (or at least no longer communicated on the network). A reboot resolved. I enabled the watchdog and configured it w/ automatic supout (both savi...
by invader zog
Thu Sep 18, 2014 7:54 pm
Forum: General
Topic: Queue on a bridged interface not working?
Replies: 3
Views: 1622

Re: Queue on a bridged interface not working?

Thx. I did have a target set (0.0.0.0/0) but I changed it to 10.0.0.0/24 to be safe and I applied an upload max limit to the two sub queues.

Working now :)
by invader zog
Thu Sep 18, 2014 7:05 am
Forum: General
Topic: Queue on a bridged interface not working?
Replies: 3
Views: 1622

Queue on a bridged interface not working?

I've been attempting to get a simple queue setup. I have the packet and connection marks working fine -- but when I view the queue statistics, it never shows any traffic. I suspect that this is because I am using a bridged wired/wireless configuration (this is a home setup) What I'm really trying to...
by invader zog
Tue Nov 19, 2013 12:17 am
Forum: General
Topic: PCQ queue -> adjust priority instead of rate limiting?
Replies: 1
Views: 726

PCQ queue -> adjust priority instead of rate limiting?

I've created PCQ queues on a guest wireless hotspot we maintain such that each user gets 768kbs of bandwidth and a 30S burst of 3Mbs. After the burst window is over, the users are limited to 768kbs. What I'd really like is that after the burst window is over, that they are just reduced in the prior...
by invader zog
Tue Oct 22, 2013 10:23 pm
Forum: General
Topic: Trouble creating rule to allow limited outbound SMB traffic
Replies: 0
Views: 782

Trouble creating rule to allow limited outbound SMB traffic

The subject is slightly misleading. Desired behavior (feel free to attack the logic of my desired behavior BTW): If one of our desktops is attempting too much outbound SMB traffic, I want to quarantine it from the Internet. Unfortunately, malformed URLs in HTML can lead to accidental SMB traffic (i....
by invader zog
Thu Jan 31, 2013 5:26 pm
Forum: RouterBOARD hardware
Topic: Non-networked access to RB 751U possible?
Replies: 4
Views: 943

Re: Non-networked access to RB 751U possible?

I understand that certain USB->Serial solutions are allowed (i.e. http://www.newegg.com/Product/Product.aspx?Item=N82E16812120751), but I was wondering if it is possible to connect from say a laptop with only a USB connection to the MT (i.e. USB to USB) or would you need to do something convoluted l...
by invader zog
Wed Jan 30, 2013 10:00 pm
Forum: RouterBOARD hardware
Topic: Non-networked access to RB 751U possible?
Replies: 4
Views: 943

Non-networked access to RB 751U possible?

I'm used to using the RBs that have serial ports and didn't notice that some of the newer models no longer have them. Does this mean that the RB 751U can only be accessed through its network ports?

Can I get console access to the RB 751 directly through the USB port?
by invader zog
Thu Jan 20, 2011 11:59 pm
Forum: General
Topic: Q: MT + HTTP Proxy + Load
Replies: 0
Views: 426

Q: MT + HTTP Proxy + Load

I have ~200 desktops sitting behind our RB493AH. We have a fairly complicated set of rules because we have multiple internet connections so there is a fair amount of packet, connection, and route marking going on. Average CPU load during the day is ~20%. I know that MT has an HTTP proxy server built...
by invader zog
Thu Jan 20, 2011 11:55 pm
Forum: General
Topic: Redirecting some external IP requests to internal..
Replies: 5
Views: 2964

Re: Redirecting some external IP requests to internal..

You can also add static hosts to your DNS server. We need to be able to selectively apply the restrictions (i.e. some people are allowed unrestricted access). I was toying w/ using AD to push out a "hosts" file to restricted machines at login or setting up another DNS server that has entries for th...
by invader zog
Thu Jan 20, 2011 11:52 pm
Forum: General
Topic: Mikrotik as OVPN server
Replies: 9
Views: 2761

Re: Mikrotik as OVPN server

Gave up on OVPN in Mikrotik. Using IPSEC tunnels with certificates instead. I spent some time playing w/ the OVPN functionality in MT and found it to be too crippled to be useful. It's probably nice for a simple point to point VPN, but if you are looking for a VPN system for users, I think you are ...
by invader zog
Thu Jan 20, 2011 6:43 am
Forum: General
Topic: Redirecting some external IP requests to internal..
Replies: 5
Views: 2964

Re: Redirecting some external IP requests to internal..

I got it working right before I left by moving the substitution server to one in the DMZ since I couldn't solve the "Hairpin" problem. Using a server in the DMZ is perfectly acceptable so I'm just going to stick w/ that for now. Thanks for the info on the Hairpin NAT. :) I've been having a hell of a...
by invader zog
Thu Jan 20, 2011 3:24 am
Forum: General
Topic: Redirecting some external IP requests to internal..
Replies: 5
Views: 2964

Redirecting some external IP requests to internal..

We are denying access to a few web site/IPs. I know that the proxy functionality is the preferred way to do so, but I'm nervous about redirecting all of our HTTP requests through the Mikrotik (i.e. proxy servers sometimes can be the source of difficult to troubleshoot issues). While it is not elegan...
by invader zog
Thu Jun 03, 2010 2:22 am
Forum: General
Topic: OpenVPN woes...
Replies: 4
Views: 1121

Re: OpenVPN woes...

I ended up getting this config to work. The problem was that 192.168.0.0 was defined as an invalid IP address in some of the FW rules. Unfortunately, this config feels very "gimped". The apparent need to manually create a series of address pools, lack of compression, need to create all certificates/...
by invader zog
Wed Jun 02, 2010 8:02 pm
Forum: General
Topic: OpenVPN woes...
Replies: 4
Views: 1121

Re: OpenVPN woes...

Yes, RouterOS can assign routable IP address to the client. In ppp profile you can specify firewall chain and use it to block unwanted packets for specific users. Client side certificate verification is also supported. Thanks for the information! What documentation/resources would you recommend for...
by invader zog
Wed Jun 02, 2010 2:44 am
Forum: General
Topic: OpenVPN woes...
Replies: 4
Views: 1121

OpenVPN woes...

I'm reasonably familiar with the configuration of OpenVPN client/server on windows/Linux. We have a Linux VM running right now that is serving as an OpenVPN server. I was hoping that I could decommission the server and migrate the functionality to the Mikrotik. I've been running into some walls gett...
by invader zog
Fri Aug 15, 2008 7:08 am
Forum: General
Topic: Virtualization RouterOs
Replies: 50
Views: 6048

Re: Virtualization RouterOs

I've thought about running RouterOS in a VM a few times. How could you configure the host machine's network settings so that it wasn't exposed... (i.e. I'm used to using bridged mode where both the host and virtual adapters are on the same network)...
by invader zog
Thu Aug 14, 2008 4:24 am
Forum: General
Topic: High CPU on "vanilla" RB333
Replies: 0
Views: 675

High CPU on "vanilla" RB333

I just noticed a worrisome issue. The CPU on our RB333 that is used for a small wireless hotspot is going back and forth between 10% and 100% each time it updates (i.e. from winbox -> system -> resources) I'm not sure if this is an odd GUI issue or if something else could be causing the CPU to keep ...
by invader zog
Thu Aug 14, 2008 4:20 am
Forum: General
Topic: Invalid Connections
Replies: 4
Views: 1223

Re: Invalid Connections

which version of RouterOS?
v3.0 on a RB333.

BTW, I do not know if it is related or not but, I was experiencing some high CPU load issues. I just bounced it. By now, the users have left so I can't tell if the issue was resolved by a reboot or not...
by invader zog
Thu Aug 14, 2008 2:54 am
Forum: General
Topic: Invalid Connections
Replies: 4
Views: 1223

Re: Invalid Connections

I'm having similar problems on one of my 3 mikrotiks. This is the MT that we use to run a wireless hotspot in the building connected to its own DSL line. The rule that drops packets w/ connection state=invalid on the forward chain is going crazy dropping packets. Most of them are ACK,FIN from intern...
by invader zog
Thu Jul 24, 2008 10:24 am
Forum: General
Topic: FTP sessions triggering port scanning rules...
Replies: 6
Views: 2443

Re: FTP sessions triggering port scanning rules...

could you perhaps copy and paste the script for the port scan rule? here is the script from the wiki which I've tested and works perfectly, tried give this one a go and see if your problem persists... /ip firewall filter add action=add-src-to-address-list address-list="port scanners" address-list-timeo...
by invader zog
Thu Jul 24, 2008 3:48 am
Forum: General
Topic: FTP sessions triggering port scanning rules...
Replies: 6
Views: 2443

Re: FTP sessions triggering port scanning rules...

have you tried adding the mikrotik default firewall rules which includes allowing established and related connections under the input chain? This is for people who are behind the firewall and are (via SNAT) connecting to external FTP servers. This should be hitting the Forward chain. In either case...
by invader zog
Wed Jul 16, 2008 2:58 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

Are you using web-proxy?

May sound basic, but it's usually the obvious which is overlooked....
We aren't doing any web proxying (i.e. the MT neither serves nor makes use of any proxy servers)...
by invader zog
Tue Jul 15, 2008 9:18 pm
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

I was poking around some of the MT documentation and they wrote: tcp-syn-received-timeout (time; default: 1m) - maximal amount of time connection tracking entry will survive after having seen a matching connection request (SYN) tcp-syn-sent-timeout (time; default: 1m) - maximal amount of time connec...
by invader zog
Tue Jul 15, 2008 12:31 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

they are being dropped because the NAT table no longer knows them. That's why they hit the input chain because they are no longer in NAT. Most of the time this is normal if they are FIN or RST type. ChangeIP -- thank you for expressing more clearly than I was able to exactly what I believe the probl...
by invader zog
Tue Jul 15, 2008 12:26 am
Forum: General
Topic: FTP sessions triggering port scanning rules...
Replies: 6
Views: 2443

FTP sessions triggering port scanning rules...

I have a port scan rule that adds IPs to a "black list" for a period of time when detected. The rule based on: PSD Weight Threshold 21 Delay Threshold 00:00:03 Low Port Weight: 3 High Port Weight: 1 gets triggered when FTPing to remote hosts. Any suggestions on how I can tune this rule to avoid this?
by invader zog
Sat Jul 12, 2008 11:23 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

BTW, SYN/ACK is what my tarpit setting returns to a potential intruder. Maybe someone is going somewhere they are not supposed to be? Maybe they are getting tarpitted? But why to the input chain? ADD: Check this out. http://en.wikipedia.org/wiki/Portscanning Look a few paragraphs down under the hea...
by invader zog
Sat Jul 12, 2008 6:05 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

I should have looked closer. How do you have the log entry setup? Did you put a log action just before the "chain=input action=drop"? Is anyone on your net reporting weird "page cannot be displayed" errors or the like? It does seem like HTTP connections are occasionally being dropped (i.e. sometime...
by invader zog
Sat Jul 12, 2008 5:28 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Re: Possible connection tracking problem??

I don't see a problem. Most of those are probably looking for an open relay email server to spam through. There are some among those that are really bad people, looking only to make your life very uncomfortable. Those are hackers and spammers. They should be dropped. I would not waste the log stora...
by invader zog
Sat Jul 12, 2008 12:51 am
Forum: General
Topic: Possible connection tracking problem??
Replies: 23
Views: 4044

Possible connection tracking problem??

Greetings, When I enable logging for packets that are dropped in the input chain, I get flooded with entries that look like this: input: in:Public DSL out:(none), src-mac 00:0f:cc:89:18:24, proto TCP (SYN,ACK), 72.246.103.18:80->75.54.4.45:2897, len 48 input: in:Public DSL out:(none), src-mac 00:0f:...
by invader zog
Sun Sep 09, 2007 12:03 am
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

in:DSL out:(none) .... proto TCP (ACK,RST), web.server.ip.address:80->mikro.tik.ip.address:someport, len 40 That isn't a SYN/FIN packet. Let's see some examples along with the traffic that immediately preceded it. Regards Andrew Sorry -- I wasn't very clear. I had theorized that the traffic could ...
by invader zog
Sat Sep 08, 2007 9:25 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

I also noticed my "sanity check" rule that accepts related connections gets no hits on bytes or packets That's probably normal. FTP data connections are the only things I've noticed that trigger these rules. SYN/FIN packets are a good indication of a port scan. Do some checks on the IP addresses ge...
by invader zog
Thu Sep 06, 2007 12:55 am
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

I'm still getting tons of these entries. I also noticed my "sanity check" rule that accepts related connections gets no hits on bytes or packets.
by invader zog
Fri Aug 31, 2007 5:51 pm
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

Re: MT is routing traffic from Public interface to Private

Filter and NAT are different sections, that can be the point. Which exactly example is not one that satisfy you and what exactly you want to change (note that Wiki allows you to change any example or create your own) ? http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php I could be misinterpretin...
by invader zog
Fri Aug 31, 2007 5:43 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

As RST packets are part of normal TCP operations I wouldn't drop them. They're only a problem if they're combined with other flags such as SYN which is illegal and can indicate a port scan. Regards Andrew Andrew, Thanks! I got that from the Dmitry on firewalling Mikrotik Wiki There was also this ru...
by invader zog
Fri Aug 31, 2007 6:12 am
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

Re: MT is routing traffic from Public interface to Private

The rules I am referring to are the same sets provided in the MT documentation and the MT wiki. I think it is strange to give out a set of firewalls as a baseline for protecting your network that are based upon the assumption of a public internet connection and a private NAT'd back network that don'...
by invader zog
Thu Aug 30, 2007 12:47 am
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Re: Lots of Input DropTCP (ACK,RST) from HTTP requests...

It looks like it might have something to do with this rule:

add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
by invader zog
Wed Aug 29, 2007 9:12 pm
Forum: General
Topic: Lots of Input DropTCP (ACK,RST) from HTTP requests...
Replies: 9
Views: 2634

Lots of Input DropTCP (ACK,RST) from HTTP requests...

I have a logging entry before the drop all on my input chain. Every(?) HTTP request creates an entry like this: DROP input: in:DSL out:(none) .... proto TCP (ACK,RST), web.server.ip.address:80->mikro.tik.ip.address:someport, len 40 I've also noticed that the byte/packet count for the Accept establis...
by invader zog
Wed Aug 29, 2007 8:38 am
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

Re: MT is routing traffic from Public interface to Private

Mikrotik is a router. It is simply routing packets from one network to the other. To stop this you can add a firewall filter rule on the forward chain matching packets in the private and out the public and vice versa. -Gerard Gerard, Thanks -- I think that this is what I did. Isn't it strange thoug...
by invader zog
Wed Aug 29, 2007 5:42 am
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

Re: MT is routing traffic from Public interface to Private

I was able to get the desired behavior by putting a rule in the forward chain that basically says deny everything and then adding specific rules for each DNAT entry. This is a bit of a pain (i.e. double entry)... is this the way it should be done? It makes sense, but none of the MT examples in the W...
by invader zog
Wed Aug 29, 2007 4:00 am
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

Re: MT is routing traffic from Public interface to Private

BTW, I also tried blowing out my FW config and using the primitive one at: http://wiki.mikrotik.com/wiki/Securing_your_router / ip firewall filter add chain=input connection-state=established comment="Accept established connections" add chain=input connection-state=related comment="Accept related co...
by invader zog
Wed Aug 29, 2007 3:42 am
Forum: General
Topic: MT is routing traffic from Public interface to Private
Replies: 10
Views: 5167

MT is routing traffic from Public interface to Private

I've got to be missing something really obvious. :( I have a bit of an unusual MT config: Interface: DSL (Goes to a DSL modem) Interface: Public (Goes to a network of desktops that will have Internet access and limited access to machines on corporate back network) Interface: Private (Corporate back ...
by invader zog
Thu Aug 16, 2007 8:13 am
Forum: General
Topic: connections dropping (FTP, IM, RDP, etc)
Replies: 3
Views: 1033

Re: connections dropping (FTP, IM, RDP, etc)

Two questions: 1) Are you using Load Balancing or Bonding? 2) Are you using your MT to dial out to the internet (if you are using PPPoE to access your ISP) If your answer is 1, my solution is not to load balance those ports giving problems (or better yet, DON'T LOAD BALANCE AT ALL! IT HAS THE TENDE...
by invader zog
Fri Jun 29, 2007 1:37 am
Forum: General
Topic: how to route FTP (passive and active) over a particular gate
Replies: 2
Views: 956

Re: how to route FTP (passive and active) over a particular gate

I guess you may try with 'connection-type=ftp', as communications occur on unspecified port. I must be missing something. I wrote a pre-routing rule: In Interface: Private (i.e. Back Lan) Connection Type: FTP Action: Mark Routing (routing mark: t1) Passthrough: No I don't see any bytes/packets hitt...
by invader zog
Thu Jun 28, 2007 2:22 am
Forum: General
Topic: how to route FTP (passive and active) over a particular gate
Replies: 2
Views: 956

how to route FTP (passive and active) over a particular gate

I'd like to route all outbound FTP traffic (i.e. traffic initiated within the company) over our T1 interface. I understand how to do this with other protocols (i.e. mangle pre-routing w/ a routing mark + a routing rule based on the routing mark), but I'm not sure how to do this for passive FTP trans...
by invader zog
Wed Jun 27, 2007 9:48 am
Forum: General
Topic: block local traffic
Replies: 3
Views: 937

Re: block local traffic

Hi, I know that this issue was already speak in the forum but I didn't see the solution. How can I block all my local traffic ? I don't want that the people that is under the LAN can ping or see each other. Thanks Andres perhaps this could be accomplished in your switch configuration (i.e. each port...
by invader zog
Wed Jun 27, 2007 9:29 am
Forum: General
Topic: can't get destination nat working when dual honed...
Replies: 5
Views: 1056

Re: can't get destination nat working when dual honed...

I did everything through the GUI.... I didn't mark individual packets -- i.e. I did a mark connection and mark routing. I also didn't use a routing lookup table, I just set up routes that are activated when a routing mark is present (i.e. just add the route in the GUI as if it was a route for ever...
by invader zog
Wed Jun 27, 2007 12:39 am
Forum: General
Topic: can't get destination nat working when dual honed...
Replies: 5
Views: 1056

Re: can't get destination nat working when dual honed...

hi, I understand what you have done but I am not sure what this interface points to: mangle pre-routing: interface: private action: mark routing: t1 mangle pre-routing: interface: private action: mark routing: dsl Thanks Mark I have three interfaces: DSL (x.x.x.x), T1 (y.y.y.y), and Private (z.z.z....
by invader zog
Tue Jun 26, 2007 11:35 am
Forum: General
Topic: SSH connection and Loadbalancer
Replies: 6
Views: 1292

Re: SSH connection and Loadbalancer

This is a variant of the problem I've been struggling with -- read a few of my posts for some solutions...
by invader zog
Tue Jun 26, 2007 11:33 am
Forum: General
Topic: route traffic based on source (dual honed)
Replies: 1
Views: 605

Re: route traffic based on source (dual honed)

I'm going to need to test more (after some sleep), but I think that srcnat rules may be part of the solution...
by invader zog
Tue Jun 26, 2007 10:35 am
Forum: General
Topic: route traffic based on source (dual honed)
Replies: 1
Views: 605

route traffic based on source (dual honed)

I want to route my servers to go over our T1 and everyone else to go over the DSL line. I have default routes to 0.0.0.0 set up for both the T1 and the DSL (with the DSL having a lower distance). I then added a mangle prerouting rule that says: source interface: private address:10.1.2.0/24 action: mar...
by invader zog
Tue Jun 26, 2007 9:44 am
Forum: General
Topic: can't get destination nat working when dual honed...
Replies: 5
Views: 1056

Re: can't get destination nat working when dual honed...

after who-knows-how-many hours, I finally got it working. I had to add a ton of logging statements through every possible chain to figure it out. *sigh* solution: mangle pre-routing: interface: t1 action: mark connection: t1 mangle pre-routing: interface: dsl action: mark connection: dsl mangle pre-...
by invader zog
Tue Jun 26, 2007 8:30 am
Forum: RouterBOARD hardware
Topic: forward port 22 to internal address
Replies: 3
Views: 1390

Re: forward port 22 to internal address

I'm having similar problems. I don't think the answer is as simple as destination NAT. If he has two different WAN connections, how does the firewall know which WAN connection to send the response from the dNATed server to?
by invader zog
Tue Jun 26, 2007 8:28 am
Forum: General
Topic: can't get destination nat working when dual honed...
Replies: 5
Views: 1056

can't get destination nat working when dual honed...

Scenario: we have a T1 and a DSL connection. I want to enable destination nat on both external IPs to an internal mail server. The DSL connection and T1 are set up as gateways (i.e. via a route to destination 0.0.0.0) with the DSL connection having a lower distance. I plan on configuring some machin...
by invader zog
Wed Jun 13, 2007 8:45 pm
Forum: General
Topic: connections dropping (FTP, IM, RDP, etc)
Replies: 3
Views: 1033

connections dropping (FTP, IM, RDP, etc)

We seem to have an issue with our Router Board 532 dropping TCP connections. Since I switched us over to MikroTik, those of us who use IM clients have seen our connections to the IM servers periodically disconnect then reconnect throughout the day. After receiving some complaints about FTP from some ...
by invader zog
Thu Apr 12, 2007 7:23 pm
Forum: General
Topic: IM connections dropping/reconnecting through the day
Replies: 1
Views: 699

IM connections dropping/reconnecting through the day

Since I switched everyone over to using the MikroTik router, I've been getting complaints from all of our IM users that they are getting large numbers of disconnect/reconnects through the day. When I set up the Mikrotik FW, I also set up a DSL connection in addition to our T1. At first I had it set ...
by invader zog
Thu Feb 01, 2007 11:43 pm
Forum: General
Topic: Route traffic to default gateway based upon traffic type
Replies: 3
Views: 909

mangle and set routing marks

and set up routing to use marks.
Thanks for the pointer! :)
by invader zog
Thu Feb 01, 2007 2:25 am
Forum: General
Topic: Route traffic to default gateway based upon traffic type
Replies: 3
Views: 909

Route traffic to default gateway based upon traffic type

Hello, I've seen a number of examples that demonstrate how to do traffic shaping based upon mangle rules/queues. Our Mikrotik FW is connected to a bonded pair of T1s as well as a DSL line. The DSL line is "flaky" compared to the T1s although it is much faster on the downstream. I would like to set t...
by invader zog
Thu Feb 01, 2007 2:10 am
Forum: General
Topic: IM connections dropping...
Replies: 7
Views: 1621

[removed -- my analysis was wrong. problem persists]
by invader zog
Fri Jan 26, 2007 6:56 pm
Forum: General
Topic: IM connections dropping...
Replies: 7
Views: 1621

first you say you don't have any firewall ... and then you say you have made what wiki suggested (a firewall) ... so which one is it? you should read up on firewall. input chain is all traffic going to your router (like persons attacking it, or connecting to it). what could be the cons to using it?...
by invader zog
Fri Jan 26, 2007 6:48 pm
Forum: General
Topic: IM connections dropping...
Replies: 7
Views: 1621

unless you are using load-balancing over multiple gateways there should not be any problem with IMs EDIT: check what ports this messenger is using and check if anything happens with these ports (they might be dropped to protect from viruses etc.etc.) I do have multiple gateways, but they are set up...
by invader zog
Fri Jan 26, 2007 10:11 am
Forum: General
Topic: FW reporting a lot of dropped packets...
Replies: 2
Views: 757

Hmmm, the input chain is for filtering packets that are directly addressed to the router, so it should only affect your browsing experience if you are using a proxy on the MikroTik (as then the router itself is actually doing the HTTP requests). So tell us more about your setup... Best regards, Chr...
by invader zog
Fri Jan 26, 2007 10:09 am
Forum: General
Topic: IM connections dropping...
Replies: 7
Views: 1621

Setup a log rule on your forward firewall chain on the ports to the program you are having problems with. Also, another great tool is torch. I don't have any rules in my forward chain. I followed the pattern from the Mikrotik Wiki. To be honest, I'm not sure what the pros/cons of doing everything i...
by invader zog
Fri Jan 26, 2007 4:17 am
Forum: General
Topic: IM connections dropping...
Replies: 7
Views: 1621

IM connections dropping...

I've noticed that since I switched to using the Mikrotik FW that my IM connections seem to be dropping more often. Any ideas for things to look at for debugging purposes?
by invader zog
Fri Jan 26, 2007 3:34 am
Forum: General
Topic: FW reporting a lot of dropped packets...
Replies: 2
Views: 757

FW reporting a lot of dropped packets...

I must be doing something very stupid :( I have these rules in place: add chain=input connection-state=established action=accept comment="accept established connection packets" disabled=no add chain=input connection-state=related action=accept comment="accept related connection packets" disabled=no ...
by invader zog
Wed Jan 10, 2007 7:08 am
Forum: General
Topic: Can't get PPPoE client working...
Replies: 8
Views: 1794

Is there an option on your DSL modem for bridge mode? If yes, set it in bridge mode, then setup MT as PPPOE client with your username and password. It should work! Regards Mr G that was what I was trying to do first, but I've had no luck. I don't know much about PPPoE, but I've yet (i.e. whether the...
by invader zog
Sat Jan 06, 2007 8:43 pm
Forum: General
Topic: Can't get PPPoE client working...
Replies: 8
Views: 1794

Oh by the way you want to turn off NAT on the dsl modem and do the pppoe connection on the DSL modem. This is what I ended up doing to get things working -- however, I never managed to get the PPPoE working on Mikrotik --- I am still using the PPPoE client of the modem. Did you have any luck with t...
by invader zog
Sat Jan 06, 2007 12:11 am
Forum: General
Topic: Can't get PPPoE client working...
Replies: 8
Views: 1794

Bump :)
by invader zog
Wed Jan 03, 2007 9:14 pm
Forum: General
Topic: Can't get PPPoE client working...
Replies: 8
Views: 1794

Can't get PPPoE client working...

My DSL ISP is SBCGlobal. They require that we use PPPoE to access our "static" IPs. Our DSL modem is an older Netopia Cayman 3220. I can get it to authenticate to SBCGlobal's PPPoE and get an IP address/gateway. I can then configure it to disable NAT and DHCP and basically use it as the gateway for ...