Community discussions

Search found 35 matches

by cgallery
Fri Mar 15, 2019 3:47 am
Forum: General
Topic: What is this NAT rule for? [SOLVED]
Replies: 4
Views: 281

Re: What is this NAT rule for? [SOLVED]

In that case, do you have proxy ARP enabled on LAN interface? Right. So I tried enabling proxy ARP earlier today on the LAN interface (Ether2) but it didn't seem to make any difference. I had thought I should enable proxy ARP on the bridge, but didn't want to do so in case it interrupted their serv...
by cgallery
Fri Mar 15, 2019 1:14 am
Forum: General
Topic: What is this NAT rule for? [SOLVED]
Replies: 4
Views: 281

Re: What is this NAT rule for? [SOLVED]

If you give addresses to VPN clients from other subnet than 192.168.1.0/24, they would not be able to connect to Windows devices with default config (even ping wouldn't work), because their firewall allows access only from same subnet by default. Correct way to fix it would be to change firewall on...
by cgallery
Fri Mar 15, 2019 12:31 am
Forum: General
Topic: What is this NAT rule for? [SOLVED]
Replies: 4
Views: 281

What is this NAT rule for? [SOLVED]

I have a router set up some time ago to act as an L2TP (IPsec) server to Windows 7/iPhone devices. Works great. I tried to duplicate that today for someone else and was basically copying my rules over to a new device. I have two NAT rules: 0 chain=srcnat action=masquerade out-interface-list=WAN log=n...
by cgallery
Wed Jan 16, 2019 12:03 am
Forum: General
Topic: One Mikrotik, many businesses?
Replies: 2
Views: 314

Re: One Mikrotik, many businesses?

Okay thank you for the feedback, I'll look into the VLAN alternative.
by cgallery
Tue Jan 15, 2019 10:21 pm
Forum: General
Topic: One Mikrotik, many businesses?
Replies: 2
Views: 314

One Mikrotik, many businesses?

I have a client that is a small nonprofit in a suite of offices that are too large, so they're adding other small non-profits instead of moving. They'd all like to share a single Internet connection, but they'd all like to have their own segregated networks. They'd also like to chip in and have a si...
by cgallery
Fri Jan 11, 2019 8:21 pm
Forum: General
Topic: Rb4011 issues
Replies: 1
Views: 416

Re: Rb4011 issues

Forget it, I figured out that they're talking to me via port #1. The instructions say to stick my connection into #1 and devices into 2...10.

Thanks anyhow.
by cgallery
Fri Jan 11, 2019 8:03 pm
Forum: General
Topic: Rb4011 issues
Replies: 1
Views: 416

Rb4011 issues

I have two RB4011-based devices, sourced from different locations, that I'm trying to perform initial setup on. They both behave the same way. If I connect my PC to ports >= 2, there doesn't appear to be any sort of DHCP server running. When I set the IP on my NIC to 192.168.88.10, I cannot ping 192...
by cgallery
Mon Aug 27, 2018 7:33 pm
Forum: Wireless Networking
Topic: 60Ghz Wireless Wire Dish kits?
Replies: 1
Views: 404

60Ghz Wireless Wire Dish kits?

I'm in the USA. Are these legal to use here? Will U.S. distributors have them soon? Searches on eBay or Amazon seem to only turn up overseas sellers. If I buy a kit of two, can I add a third unit? Imagine I have two buildings I'd like to connect to a main office building. The two buildings are separ...
by cgallery
Fri Aug 03, 2018 2:55 am
Forum: General
Topic: ssh over IPsec hanging with router running PPPoE client
Replies: 0
Views: 274

ssh over IPsec hanging with router running PPPoE client

I have an Untangle appliance at the main office, running their IPSec app. I have four remote sites, two running older SonicWall devices and two running Mikrotik RB2011UiAS-2HnD-IN units. The SonicWall connections are solid, no problems with any devices attached behind them. The first RB2011UiAS-2HnD...
by cgallery
Fri Jul 27, 2018 6:09 pm
Forum: General
Topic: ipsec and pppoe drop rule
Replies: 5
Views: 379

Re: ipsec and pppoe drop rule

Again, thank you for all the constructive help. I have some other routers configured similarly to this one; I'll make sure I'm using ssh in the near future. Right now I'm just watching to see if my modification to the pppoe drop rule keeps the tunnel working; it seemed to stop sending traffic a coup...
by cgallery
Fri Jul 27, 2018 4:31 pm
Forum: General
Topic: ipsec and pppoe drop rule
Replies: 5
Views: 379

Re: ipsec and pppoe drop rule

Holy smokes that is helpful, you don't have any idea how much I appreciate this help. It will take me a little while to digest this (especially the part about adding the pppoe interface to the WAN), but I will note that the purpose of that "whitelist" address list for remote management is, for me to...
by cgallery
Fri Jul 27, 2018 5:08 am
Forum: General
Topic: ipsec and pppoe drop rule
Replies: 5
Views: 379

Re: ipsec and pppoe drop rule

BTW, if I add Src. Address ! 192.168.2.0/23 to that drop rule in question above, I seem to be able to ping the router from the other side of the tunnel, and it seems to prevent accessing the router's webfig, etc., from the WAN, but I'm not sure if that would be the correct approach. Any thoughts on that?
by cgallery
Fri Jul 27, 2018 4:54 am
Forum: General
Topic: ipsec and pppoe drop rule
Replies: 5
Views: 379

ipsec and pppoe drop rule

Howdy. My firewall rules are below. I've set up a new unit pretty much identically to other units I have working with IPsec, but this is the first unit I've used with PPPoE (with rules added for PPPoE). If I disable this rule: add action=drop chain=input comment="part of pppoe I guess" in-interface=p...
by cgallery
Fri Jul 13, 2018 6:39 pm
Forum: General
Topic: Need tech/installer Burnsville (Minneapolis) MN
Replies: 0
Views: 213

Need tech/installer Burnsville (Minneapolis) MN

Hello. I'm in Milwaukee and have a client with a location in Burnsville (Minneapolis) MN that needs a Mikrotik router I'll supply set up/tested. Very simple setup, I just need them to be able to access the Internet; I'll set up the VPN, etc., remotely. Please contact me if you're interested. I suppose...
by cgallery
Mon Jul 02, 2018 7:12 pm
Forum: General
Topic: Reset counters on interface not working?
Replies: 0
Views: 184

Reset counters on interface not working?

I'm running RouterOS v6.42.3. I wanted to keep track of how much data I'm using and saw that the counters for the Eth1 interface had total traffic. So I figured that would be fine, I could reset it once a month and keep an eye on it. Except clicking "reset counters" doesn't do anything? Am I expecti...
by cgallery
Mon Jul 02, 2018 7:11 pm
Forum: General
Topic: Traffic flow server apps?
Replies: 0
Views: 187

Traffic flow server apps?

What are you guys running as your server app for gathering traffic-flow data from Mikrotik routers?

I'm pretty much all Windows, so I'd need something that works in that world.

I found ntop from the Mikrotik wiki but that seems to be analysis once you have the data, I need to put the data somewhere.
by cgallery
Fri Jun 29, 2018 2:30 pm
Forum: General
Topic: Block browsing on some IP addresses?
Replies: 2
Views: 283

Re: Block browsing on some IP addresses?

What would the rule blocking 80 and 443 look like?

And thank you.
by cgallery
Fri Jun 29, 2018 1:48 pm
Forum: General
Topic: Block browsing on some IP addresses?
Replies: 2
Views: 283

Block browsing on some IP addresses?

Any good methods to block web browsing on individual machines on a network connected to a Mikrotik router?
by cgallery
Sat Jun 23, 2018 6:17 pm
Forum: General
Topic: Webfig: Comments on same-line?
Replies: 1
Views: 221

Webfig: Comments on same-line?

I've been learning the Mikrotik way for a couple of months now, enjoying the projects immensely. I deployed my third unit yesterday (RB750Gr3). I've set up two RB2011UiAS-2HnD-IN units as well, one for me and one for a client. I like the WebFig, I haven't found anything I need to do, that I can't ...
by cgallery
Mon Jun 11, 2018 6:52 am
Forum: General
Topic: More than 254 IPs needed! What options do I have?
Replies: 16
Views: 1245

Re: More than 254 IPs needed! What options do I have?

Change your subnet to /23. 512 addresses. It works fine.
by cgallery
Mon May 07, 2018 3:58 am
Forum: General
Topic: Picking a DHCP hostname to static DNS script
Replies: 4
Views: 1094

Re: Picking a DHCP hostname to static DNS script

Alright much to think about. Can anyone point me to scripts that use the DHCP Lease Script option instead of being run at scheduled intervals? Found one. Googled "mikrotik leasebound dns" after reading the manual's section on DHCP lease scripts and seeing leasebound was a passed global. https://gist...
by cgallery
Sun May 06, 2018 5:16 pm
Forum: General
Topic: Picking a DHCP hostname to static DNS script
Replies: 4
Views: 1094

Picking a DHCP hostname to static DNS script

I see there are a few different scripts for setting up and tearing down static DNS names from hostnames from the DHCP server. I found some on the MikroTik wiki, and I found some in the forum here, and I found some at various web pages. I'm not sure what the merits of each are. I will at some point p...
by cgallery
Thu May 03, 2018 7:09 am
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2233

Re: "Optimal Mangle" from "RouterOS by Example" performance?

I think I (FINALLY) get it.

When I mark the connection, I'm not manipulating a packet but rather "labelling" a connection (with conntrack?) in a way that I can subsequently easily test.

You guys are so patient.
by cgallery
Wed May 02, 2018 5:31 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2233

Re:

Comment #6 is spot on. I use this methodology, what I call 2-step QoS, on a fairly involved tree queue for all egress traffic. I only have to deep inspect the first packet of a new connection, and then rely on the fast conntrack table to apply packet marks for enforcement. Using this method I can e...
by cgallery
Wed May 02, 2018 5:02 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2233

Re: "Optimal Mangle" from "RouterOS by Example" performance?

I will try to explain it in a simplified way. If you design your mangle to make all traffic go across all mangle rules, your CPU usage will be higher. For example, if you have 15.000 packets per second of traffic and 100 mangle rules, that is 1.500.000 comparisons per second. But if from that 15.000...
by cgallery
Wed May 02, 2018 4:23 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2233

Re: "Optimal Mangle" from "RouterOS by Example" performance?

Interesting, I can see how it would help with clarity and debugging but still don’t see how you avoid examining every packet and marking the packets that match.

Hmmm.
by cgallery
Wed May 02, 2018 2:57 pm
Forum: General
Topic: "Optimal Mangle" from "RouterOS by Example" performance?
Replies: 16
Views: 2233

"Optimal Mangle" from "RouterOS by Example" performance?

I got the "RouterOS by Example" book (Kindle Edition) by Stephen Disher. Reading through it, I came to the discussion of the Mangling feature, where he talks about how CPU intensive packet mangling can be, if we have to look at every packet. So he suggests an "Optimal Mangle" method, a two-step process w...
by cgallery
Sun Apr 29, 2018 6:18 pm
Forum: General
Topic: "L2TP Client" vs. "L2TP Server"
Replies: 4
Views: 509

Re: "L2TP Client" vs. "L2TP Server"

Ok got it, thank you for all your help, Sindy!
by cgallery
Sun Apr 29, 2018 4:26 pm
Forum: General
Topic: "L2TP Client" vs. "L2TP Server"
Replies: 4
Views: 509

Re: "L2TP Client" vs. "L2TP Server"

Thank you for the help! Yes I was being overwhelmed by trying to read those IPsec logs, they were overwhelming my browsers. But I finally figured out I could “echo” them to an active telnet session and that helped. I was able to disable modp on the default IPSec Proposals on the Mikrotik and then I ...
by cgallery
Sun Apr 29, 2018 3:03 am
Forum: General
Topic: "L2TP Client" vs. "L2TP Server"
Replies: 4
Views: 509

"L2TP Client" vs. "L2TP Server"

I followed instructions I found in the wiki to set up the PPP/L2TP server on my Mikrotik RouterOS 6.42 (stable). In fairly short order, I was able to set up the unit to accept connections from both my iPhone and also Windows clients. Having a few Windows Server 2008 machines already performing this ta...
by cgallery
Thu Apr 26, 2018 6:25 pm
Forum: Beginner Basics
Topic: RB2011UiAS-2HnD-IN optimizing VPN performance?
Replies: 2
Views: 717

Re: RB2011UiAS-2HnD-IN optimizing VPN performance?

Ran another test while checking my CPU utilization on my Mikrotik and the router's CPU never went much above 50%, which seems reasonable given that I'm getting about half the VPN performance that this unit is supposed to be capable of. Not sure if the Mikrotik prevents the VPN from over-utilizing th...
by cgallery
Wed Apr 25, 2018 7:34 pm
Forum: Beginner Basics
Topic: RB2011UiAS-2HnD-IN optimizing VPN performance?
Replies: 2
Views: 717

RB2011UiAS-2HnD-IN optimizing VPN performance?

I've been learning about the RB2011UiAS-2HnD-IN, and I think it is fantastic. I set up a VPN (RB2011UiAS-2HnD-IN as server, Windows 7 as client) using L2TP/IPsec and I'm getting about 10 Mbps, which is very respectable for a $130 unit!!! I'm testing with both Lan_SpeedTest.exe and also by just transfe...
by cgallery
Tue Apr 24, 2018 9:01 pm
Forum: Beginner Basics
Topic: VPN clients cannot access router for DNS [SOLVED]
Replies: 4
Views: 495

Re: VPN clients cannot access router for DNS [SOLVED]

The following could work, however, I don't exactly know your current firewall configuration. #The firewall rules must be in the input chain port 53(TCP and UDP) #The interface(ether1) is your LAN /ip firewall filter add action=accept chain=input dst-port=53 in-interface=ether1 protocol=tcp add acti...
by cgallery
Tue Apr 24, 2018 8:57 pm
Forum: Beginner Basics
Topic: VPN clients cannot access router for DNS [SOLVED]
Replies: 4
Views: 495

Re: VPN clients cannot access router for DNS [SOLVED]

Just to answer my own question, I found that adding a firewall rule above "defconf: drop all not coming from LAN" was the ticket. My rule: Chain: input Protocol: 17 (udp) Dst. Port: 53 In. Interface: all pnp Action: accept (Edit to add: While this works, the suggestion to change my drop rule from !L...
by cgallery
Tue Apr 24, 2018 5:38 am
Forum: Beginner Basics
Topic: VPN clients cannot access router for DNS [SOLVED]
Replies: 4
Views: 495

VPN clients cannot access router for DNS [SOLVED]

Hi, new user here. Device is an RB2011UiAS-2HnD-IN. Firmware and O/S have been updated to the latest stable versions available. I have no problems getting my VPN clients (iOS right now) to connect (via L2TP/IPsec), and everything works great so long as I don't use my router's IP address for the DNS ...