MikroTik

yancho

You need to add routing information:
https://wiki.mikrotik.com/wiki/Manual:S ... ic_Routing

yancho

1) unplug the device from power
2) press and hold the reset button and power up the device
3) hold hold hold :) ~15..20sec or until the device shows up in Netinstall

yancho

I've had a number of similar cases. Last time yesterday. Neinstall has always helped.
Network should remain stable after entering Etherboot

yancho

Yes, but with only one window, I already see 200 kbps...

Torch?

yancho

viewtopic.php?f=21&t=140165

yancho

/ip service set winbox address=192.168.88.0/24 /user set 0 address=192.168.88.0/24 Also CLI has autocompleation. Start typing user like /us press [TAB] you should see /user then /user [TAB] "aaa group add disable enable find removeactive ssh-keys comment edit export print set " all availa...

yancho

WW

frequency: 58320
mcs: 8
phy-rate: 2.3Gbps
signal: 50
rssi: -68
tx-sector: 28
tx-sector-info: center
rx-sector: 96
distance: 124.56m

yancho

Assuming there are no other gateway routers or subnets minimum configuration could be

Untitled.png

yancho

If you want Telnet https://en.wikipedia.org/wiki/Telnet then use any Telnet client. If you want MAC Telnet MikroTik RouterOS proprietary protocol https://wiki.mikrotik.com/wiki/MAC_access then use Winbox and type Mikrotik router MAC address https://en.wikipedia.org/wiki/MAC_address in "Connect ...

yancho

If you need telnet - putty
if you need MAC telnet for Windows - Winbox

2018-05-21 19_43_09-Screenshot (31).png ‎- Photos.png

yancho

Winbox

yancho

https://wiki.mikrotik.com/wiki/Manual:Netinstall

yancho

If you have the same subnet on two ports how does the router know where to send traffic?
Why you can't use different subnet for the management port?

yancho

20mhz only-N nv2 11 clients 30-40Mbps

yancho

Your router acts as open DNS https://support.aa.net.uk/Category:Open_DNS_Resolvers
Drop incoming DNS traffic on WAN interface

/ip firewall filter
add chain=input in-interface=ether1-WAN protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1-WAN protocol=tcp dst-port=53 action=drop

yancho

Try Winbox neighbor discovery http://wiki.mikrotik.com/wiki/Manual:Winbox

yancho

ROS version?

I have seen smiiliar topics so maybe possible bug
http://forum.mikrotik.com/viewtopic.php ... 5&p=516633
http://forum.mikrotik.com/viewtopic.php ... 8&p=518342

yancho

Also set band to 5Ghz-only-N frequency mode to "regulatory domain" and channel-width to 20mhz
Then do frequency scan to find free frequency.

yancho

Might be an MTU problem.

yancho

You should install additional multicast package!

yancho

Try Tools -> Torch. Torch this is real time traffic monitoring tool

yancho

Router = server?

If so Wiki have some examples http://wiki.mikrotik.com/wiki/Firewall
If server is server behind router and providing some services to outside then we need more information.

yancho

Over wireless you can try WMM http://wiki.mikrotik.com/wiki/Manual:WMM

yancho

IPANetEngineer seriously? 10 Gbps over wireless?

yancho

Use VPLS less overhead and not CPU intensive

yancho

Try simple queues. I never used those interface bandwidth limits also after quick search found similar topic http://forum.mikrotik.com/viewtopic.php?t=79908#p461150

yancho

Advice! Start with a very basic configuration like IP, routes, DNS, DHCP, NAT. Disable everything in /firewall filter . When all is working fine, keep this configuration, maybe make backup or create export files and then start securing network using firewall.

yancho

This is signal strength level at different rates together with time how long were these rates used. Nothing to do with MIMO.

yancho

You should adjust pcq parameters: pcq-rate: maximal available data rate of client or stream based on pcq-classfier pcq-burst-rate: maximal data rate which can be reached while the burst for is allowed pcq-burst-threshold: this is value of burst on/off switch pcq-burst-time: period of time, in second...

yancho

coylh example missing very important detail

pcq-classifier=dst-address or src-address

And yes RTM

http://wiki.mikrotik.com/wiki/Manual:Qu ... Q_Examples

yancho

First of all - enable safe mode before playing with configuration :) Second, configure transparent proxy (link to wiki http://wiki.mikrotik.com/wiki/Manual:IP/Proxy ), set max-cache-size to none (you don't need cache anything) Third, create proxy access list - first rules allow "good" webp...

yancho

Yes that is global setting

yancho

I bet on wrong chain. You should use forward input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain forward - u...

yancho

When bridging set

/interface bridge settings set use-ip-firewall=yes

yancho

I don't think it's possible...

yancho

You can use scan list: http://wiki.mikrotik.com/wiki/Manual:Wi ... #scan-list

yancho

54Mbps ir savienojuma ātrums, teorētiski iespējamais ātrums būs 2x mazāks, reālais ātrums dzīvē vēl mazāks... Skaists kopsavalikums par ātrumiem - sākot ar 7lpp http://mum.mikrotik.com/presentations/AU11/au-savage.pdf 2.4Ghz un vēl jo vairāk 5Ghz tiešā redzamība ir ļoti vēlama, ja grib nodrošināt st...

yancho

1. mark connection 2. mark packets 3. use this packet mark in simple queue Like this: / ip firewall mangle add chain=prerouting protocol=tcp dst-port=5000 dst-address=100.100.100.100 action=mark-connection \ new-connection-mark=5000_connection passthrough=yes add chain=prerouting connection-mark=500...

yancho

Or http://wiki.mikrotik.com/wiki/CALEA

yancho

Use torch http://wiki.mikrotik.com/wiki/Manual:Tr ... l_torch.29 to monitor traffic
or add some firewall rules that match and drop/log those computers http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter and lots of examples in WIKI

yancho

Use src/dst nat instead.

yancho

Is "antenna mode" set to "antenna b" for a reason?

yancho

Does counters in the queues statistics shows any traffic?

yancho

This question is a very popular try search forums
like: http://forum.mikrotik.com/viewtopic.php?f=2&t=21178

yancho

First there is "auto upgrade" under system (never tried this feature).
Second - you can upgrade using Dude http://wiki.mikrotik.com/wiki/Upgrading ... _with_Dude

yancho

Open terminal then type

/queue export

and paste output there.

yancho

Create bridge and add both interfaces to it.

/interface bridge add
/interface bridge port add bridge=bridge1 interface=ether1
/interface bridge port add bridge=bridge1 interface=wlan1

Now add ip address to the bridge1 and that's it.

yancho

Maybe http://wiki.mikrotik.com/wiki/CALEA is what you looking for.

yancho

Think it should work right? remember, no IP specified in the queue rule.

Specify all wireless subnet not a single ip like 192.168.1.0/24

yancho

Add ip, gateway, dns to the external - internet interface(ip->address/routes/dns). Check connectivity to internet from router using ping or tracert(tools). If you want dynamic ip's to clients use dhcp server setup(ip->dhcp server) if there is dhcp, then go to system->packages enable dhcp and reboot ...

yancho

Give more information about what your router configuration, maybe you have many simple queues and filter rules?
We have similar setup - pushing 100down/50up and CPU goes up to 20%

yancho

First limit and prioritize upload (http,voip,p2p) there are many topics(forum and wiki) about how to do that. And yes for download try pcq.

yancho

If you have one queue per client then not a big difference, anything except "default-small" - check out manual http://wiki.mikrotik.com/wiki/Queue#Queue_Types for more details. Also consider moving to queue trees & PCQ http://wiki.mikrotik.com/wiki/Bandwidth_Managment_and_Queues basic ...

yancho

Change queue type - "default-small" not working

yancho

When it happens again make supout files, describe problem, include forum threads, and send it to support@mikrotik.com

yancho

Never seen such a problem. Anyway post router configuration and share ROS version. Without any additional information its impossible to check anything.

yancho

Can you give more details about network topology? Like: how AP's are connected to each other, where is the internet connected to?

yancho

Short preamble http://forum.mikrotik.com/viewtopic.php ... 4&p=112780
And there is answer what is short preamble http://www.wifihowto.org/?mo=HowTo;Item=24

yancho

Mangle+address lists+queue tree
http://wiki.mikrotik.com/wiki/Bandwidth ... and_Queues there are nice examples
"QoS Best Practice @ MUM Czech Republic 2009" is really the best

yancho

Can you post

/ip firewall nat print

and

/ip firewall filter print

yancho

Why not? If you are using static addressing set whatever DNS you prefer on a client PC. Using DHCP? Again not a problem. create 2 different DHCP server setups.

yancho

How about other firewall filter and nat rules?

yancho

Contact support!
Make supout.rif file and send it to support@mikrotik.com along with your problem.
And hope tha MT team could reproduce those problems.

yancho

Ok, but how the squid proxy is connected? Your MT config looking good. Maybe squid is between ADSL and MT and transparently filtering your traffic?

yancho

Can you give more information about your network topology? Looks like you have 3 ethernet & 4 wireless interfaces.

yancho

wireless or wired network?

yancho

Winbox connects and starts to download plugins but very very very slow.

yancho

Now port is open it should work.

yancho

Once again if you want more assistance please tell us more about you network topology! If MT router connected directly to internet and has public IP- then zero configuration! If it is behind some other router/firewall etc - then you should forward winbox ports!

yancho

Looks like there is some bug or change in 3.30 queues. After executing command /queue tree set queuename max-limit=xM packet mark attribute disappears. /queue tree set queuename max-limit=xM packet-mark=somemark instead works ok. Maybe you have the same problem with simple queues - packet marks are ...

yancho

Wrong IP addressing. Ethernet and VLAN cant share same ip subnet (192.168.70.0/24)

yancho

No:) Can you post vlan and ip configuration from the both routers!? As I remember in some earlier RouterOS versions you need to change MAC of the VLAN interface. Because default values was the same.

yancho

Can't see any problems in this configuration.
You can try temporally disable all rules in input chain. (Input used to filter traffic entering the router. Forward to filter traffic going through.)
Is there any NAT rules? And SSH, telnet, HTTP to the router works?

yancho

Please post your firewall configuration!

yancho

"Outgoing messages form Microsoft Outlook 2007" are SMTP traffic to port TCP 25 right? Then add one rule that allows (accept) all traffic to tcp:25 or your outgoing mail server IP and that's it.

yancho

You can type in terminal

/ip firewall nat print

and

/ip firewall filter print

to show us your firewall configuration.

yancho

Change lines to 0 at system->logging->actions

yancho

Routerboard or PC ? If RB then read http://wiki.mikrotik.com/wiki/MikroTik_ ... d_Recovery

yancho

Are you testing from same subnet 192.168.202.0/24? If yes you should add another nat rule for internal traffic!

yancho

Not sure, but maybe simple queues without mangling works better?
Anyhow you can use torch tool for realtime traffic monitoring, or you are using queues to collect SNMP data? If yes there is other ways to monitor/collect/count per user bandwidth usage.

yancho

Wow 600 mangle and 300 queues

What a hell you are trying to limit? Its possible to share bandwidth equally even between 1000 users with few mangle rules and using few PCQ queues! Take a look http://wiki.mikrotik.com/wiki/Bandwidth ... and_Queues

yancho

Block this MAC in firewall input chain

/ip firewall filter add action=drop chain=input  src-mac-address=AA:AA:AA:AA:AA:AA

yancho

Hi, let me introduce you with your new friends:
http://www.mikrotik.com/documentation.html
http://wiki.mikrotik.com/wiki/Most_basic_questions
http://wiki.mikrotik.com/

yancho

Did you tried to create bridgeusing this example with ethernet and wireless interfaces?

yancho

Upload picture using attachment not as hotlink to your computer

No you don't need use RIP for p2p link.

yancho

Ask wiki

-> http://wiki.mikrotik.com/ This is a good starting for beginner: http://wiki.mikrotik.com/wiki/Internet_Sharing

yancho · Re: Winbox 2.2.14 http://demo.mt.lv/

http://demo.mt.lv/

yancho

Use FTP to transfer package.

yancho

If you have masquarde rule check is there out interface set to public interface or source ip's is set to your private network.

yancho

Thx JJCinAZ.

yancho

We have following config: Two different subnets: /ip address address=10.0.0.3/24 interface=wlan1 address=192.168.1.3/27 interface=wlan1 Default gateway is from subnet 10.0/24 preferred source from other subnet 192.168.1.0/27: /ip route dst-address=0.0.0.0/0 gateway=10.0.0.1 pref-src=192.168.1.3 This...

yancho

In the mikrotik I set the TX in BRIDGE mode with 5ghz - 5180mhz antenna gain 19dbi and manual tx power to 11dbm RX in WDSSLAVE mode with 5ghz - 5180mhz antenna gain 19dbi and manual tx power to 11dbm Brr, Why you start with so complicated config? Reset all and start from scratch. Change only necess...

yancho

You may use fake ip like 0.0

yancho

routerboard 153, current-firmware: 2.12, RouterOS: 3.6

I noticed that rb 153 works better with 2.9.x
We had one AP - 2 sectors about 20 clients per sector, after update to 3.x - traffic rates was ok, but it was almost impossible to winbox or telnet/ssh to this board. CPU load constantly was 100%.

yancho

Did you forward both protocols tcp and udp? Maybe first try to forwad all ports(0-65535) and see what happens.Also you could try UPnP (check manual for more information).

yancho

Jumpers

yancho

/ip firewall nat add chain=dstnat dst-address=192.168.2.1 protocol=tcp dst-port=34000 action=dst-nat to-addresses=10.34.100.3 to-ports=34000
should work much better

yancho

We had similar issue when cpu usage constantly hit 100%. Looked like router stopped reply dns requests directed to internal dns cache.

yancho

In Ethernet network (wired network using switches) all users are in the same physical layer and using Media Access Control is is hard (almost impossible) to make hierarchy - who is main router and who client. There is no security. As normis mentioned before way to disable forwarding between Ethernet...

yancho

Someting like

add chain=srcnat action=src-nat  src-address=172.16.100.0/24 dst-address=172.16.100.202  protocol=tcp to-addresses=gateway.ip to-ports=0-65535

should help.

yancho

it's possible with layer 7 filtering avaible in router os version 3.x

yancho

Example in wiki http://wiki.mikrotik.com/wiki/Bruteforc ... %26_SSH%29

yancho

Edit: Why my quoting isn't working?

Check your board settings: http://forum.mikrotik.com/ucp.php?i=prefs&mode=post "BBCode" should be enabled, or just uncheck "disable bbcode" before submiting.

yancho

http://forum.mikrotik.com/viewtopic.php?f=7&t=19291

yancho

http://forum.mikrotik.com/viewtopic.php?f=2&t=12870 this one worked fine for me

yancho

There is similar topic: http://forum.mikrotik.com/viewtopic.php ... 927&hilit=

yancho

Practical maximum 802.11 g/a throughput (in ideal conditions) is around 25Mbps. So stop dreaming about 54mbps, it's air rate. You can't get anywhere closer.

yancho

Wiki will be good start for you: http://wiki.mikrotik.com/ -> http://wiki.mikrotik.com/wiki/Routing -> http://wiki.mikrotik.com/wiki/Two_gateways_failover

yancho

I think you mistyped something. It's not possible to have such ip and subnet mask combination like: 10.5.50.200/24. Subnet mask for one host is /32 not /24. And router really have ip 10.5.50.0? So this should work: / ip address add address=169.18.0.x/24 interface=Public add address=169.18.0.y/24 int...

yancho

Can you give some more details about your network configuration is it nated or routed. If it's natted - then you should also add local address to address list.

yancho

Where you lost subnet mask for 200.100.200.0 ?
Also if you have any other rules after packet-mark you should use action accept.

yancho

1. ROS manual: http://www.mikrotik.com/testdocs/ros/2.9/ :arrow: http://www.mikrotik.com/testdocs/ros/2.9/ip/flow.php about packet flow in router :arrow: http://www.mikrotik.com/testdocs/ros/2.9/ip/mangle.php how to mangle packets :arrow: http://www.mikrotik.com/testdocs/ros/2.9/ip/address_list.php ...

yancho

Your nat rule should work to connections from outside world - you can check it using http://www.net2ftp.com/ or ask someone else to try to connect. But looks like you are trying access FTP from LAN - 192.168.0.x ? If so try: add chain=srcnat action=src-nat to-addresses=(your local gateway ip) to-por...

yancho

DNS mostly is UDP not TCP !!! This works for me like a charm: / ip firewall nat add chain=dstnat protocol=udp dst-port=53 action=redirect to-ports=53 \ comment="" disabled=no add chain=dstnat protocol=tcp dst-port=53 action=redirect to-ports=53 \ comment="" disabled=no / ip dns s...

yancho

Or change default ssh port to something else like 222.

yancho

http://wiki.mikrotik.com/wiki/Firewall there are some nice examples how to secure router.

yancho

Use nslookup :

nslookup www.google.com

Name:    www.l.google.com
Addresses:  209.85.135.99, 209.85.135.103, 209.85.135.104, 209.85.135.147
Aliases:  www.google.com

And allow them all.

yancho

You should do this in the forward chain not output! First allow tcp traffic from your clients ips to 111.222.333.3:25 Second drop all tcp traffic to port 25 Something like this: / ip firewall filter add chain=forward src-address=(your private-nated ips) dst-address=111.222.333.3 protocol=tcp dst-por...

yancho

You can't reset password using jumpers.
http://wiki.mikrotik.com/wiki/MikroTik_ ... d_Recovery

yancho

Then best results you should get setting channels like: http://www.extremetech.com/article2/0,1 ... 281,00.asp

yancho

elj03 and elj04 has the same frequency, try change frequency to 2412, 2432, 2452, 2472

yancho

Try'd mac-telnet? if you only messed up ip configuration, router still should be accessible via mac-telnet (available via winbox, click three dots near "conncet to")

yancho

You can't call this internet. It would be access to next router

yancho

http://en.wikipedia.org/wiki/Virtual_LAN
http://www.mikrotik.com/testdocs/ros/2. ... e/vlan.php

yancho

How about RAM? By default the proxy cache can use as much disk space as there is allocated for it. When the system allocates the space for the proxy cache, 1/7th of the total partition (disk) size is reserved for the system, but not less than 50MB. The rest is left for the proxy cache. The system RA...

yancho

If you have 2.9 version, use the following rule to block the Winbox data, 'ip firewall filter add src-address=client_network_addres dst-port=8291 dst-port=tcp action=drop comment=drop_local_client_Winbox_traffic'. with some corrections ;) / ip firewall filter add chain=input src-address=client_netw...

yancho

Yes, you can use export - import command.

yancho

janisk, yep you are right, but mainly it's UDP traffic. The DNS assumes that messages will be transmitted as datagrams or in a byte stream carried by a virtual circuit. While virtual circuits can be used for any DNS activity, datagrams are preferred for queries due to their lower overhead and better...

yancho

Change protocol to UDP

yancho

MT1 and PC1 has the same ip !?

PC1: 192.168.10.254 GW: 192.168.10.1

MT1
ether1: 192.168.10.254

But anyway you should use masquarade on MT2, becouse adsl router can deal only with 192.168.123.0/24 subnet.

yancho

Maybe: http://wiki.mikrotik.com/wiki/Multiple_Web_Servers

yancho

From version 2.8 manual:

Troubleshooting:

The priority setting does not work!

In order to take the priority setting in account, you have to specify limit-at parameter. Otherwise This setting will be ignored or will not work correctly

So try to set limit-at value for all queues.

yancho

Try to use nslookup to resolve all ip:

nslookup www.uwm.edu
Name:    batch1.csd.uwm.edu
Addresses:  129.89.169.224, 129.89.7.9, 129.89.70.230
Aliases:  www.uwm.edu

yancho

Try to move masquerade rule to the bottom.

yancho

/ ip firewall filter add chain=forward src-address-list=all_services action=accept comment="allow 192.168.0.x full access" disabled=no add chain=forward protocol=tcp dst-port=110 src-address-list=mail action=accept comment="allow pop3 to 192.168.0.y" disabled=no add chain=forwar...

yancho

Maybe first try to enable those rules

yancho

http://en.wikipedia.org/wiki/SYN_cookies

yancho

How about the chinese ?

http://www.google.lv/translate

yancho

Droping all bittorent:

/ip firewall filter add chain=forward p2p=bit-torrent action=drop

yancho

Mabye start some other business like sheep breeding

There are no need for queues p2p filtering and so on....

yancho

http://www.mikrotik.com/docs/ros/2.9/gu ... #1.1.1.1.2

RAM - minimum 32 MiB, maximum 1 GiB; 64 MiB or more recommended

yancho

1. Create bridge

 /interface bridge add name=bridge

2. Add interfaces to bridge, ether1 and ether2 are interfaces names

/interface bridge port add ether1 bridge=bridge
/interface bridge port add ether2 bridge=bridge

Manual and how-to is outdated :cry:

yancho

interface ethernet set interfacename mac-address=XX:XX:XX:XX:XX:XX

yancho

http://forum.mikrotik.com/viewtopic.php?t=7238 there is an example how to use address list for that purpose

yancho

upz sory little typing error:

ip firewall filter add chain=forward src-address=bad.user.ip action=drop

yancho

ip firewall filter add chain=forward src-address=bad.user.ip action=drop

yancho

Change

chain=srcnat action=masquerade

to

chain=srcnat out-interface=ADSL action=masquerade

yancho

add chain=forward in-interface=NIC3 dst-port=21 action=accept
add chain=forward in-interface=NIC3 dst-port=80 action=accept
add chain=forward in-interface=NIC3 dst-port=110 action=accept
add chain=forward in-interface=NIC3 action=drop

yancho

MT has an archive

just change http://www.mikrotik.com/download/all_pa ... 2.9.14.zip to http://www.mikrotik.com/download/all_packages_2.9.X.zip

yancho

Notice the resource counters at the top.. (I have not seen this before..)
Also notice 4 of them are marked CPU ??

Things that make you go " HMMMM...."

:lol:

Craig

you can add more than one resource counter :wink:

yancho

Not broken, just hotlinking disabled!

yancho

After device reboot or connection timeout link bandwidth charts displays very high values.

yancho

Maybe try something like:

chain=forward in-interface=Local protocol=tcp dst-port=1024-65535 connection-limit=20,32 action=drop

yancho

http://www.mikrotik.com/Documentation/wireless_test.pdf

yancho

add chain=prerouting p2p=all-p2p action=mark-connection new-connection-mark=p2p-con passthrough=yes add chain=prerouting connection-mark=p2p action=mark-packet new-packet-mark=p2p passthrough=no (all p2p) add chain=prerouting protocol=tcp dst-port=53 action=mark-connection new-connection-mark=dns-co...

yancho

Once more: http://www.mikrotik.com/docs/ros/2.9/guide/basic.
There is nothing there at the link you gave. What is it supposed to be.

Correct url should bet without dot :) -> http://www.mikrotik.com/docs/ros/2.9/guide/basic

yancho

Maybe we should start worry:

Core Improved: add protocol header encrypt option

yancho

http://www.mikrotik.com/docs/ros/2.9/ip/traffic-flow

yancho

or use /system shudown :)

yancho

1)upload file to router via ftp
2)use terminal command /import filname

yancho

Limit upload... http://www.faqs.org/docs/Linux-HOWTO/AD ... HOWTO.html

yancho

MAC telnet

yancho

Open winbox, click New terminal, hit [ctrl] + [x] to enter safe mode, leave terminal open and operate in winbox... Thats it. Now you get safe mode in winbox.

yancho

I guess yours masquerade rule is little bit wrong:

chain=srcnat action=masquerade

change to:

chain=srcnat out-interface=Public action=masquerade

yancho

http://forum.mikrotik.com/viewtopic.php?t=5480

yancho

thanks, and the statistics also would be nice...

yancho

I newer had any problems with upgrading from 2.9.x to 2.9.y
Also you can backup configuration using /export or /system bakcup

yancho

I think it would be nice..

yancho

First half: p2p upload limited to 512kbps pcq
second: without any limits for upload

yancho

The same problem...
Copy data folder to secure place, install beta12 from http://www.mikrotik.com/download/dude-i ... beta12.exe and replace data folder

yancho

to screen/terminal: export
to file: export file=somefilename

yancho

To dariit var ar: 1)ssh 2)telnet 3)winbox 4)webbox Pirmaas divas ir parastam lietotaajam nedraudziigas vides melns fons un balti burti :) lai tiktu caur ssh, vajadzees kaadu ssh klientu, piemeeram putty lai tiktu caur peedeejiem triis veram valjaa kaadu interneta paarluuku, rakstam ruutera adresiiti...

yancho

I think you should allow add chain=forward connection-state=related action=accept comment="accept related packets" disabled=no add chain=forward connection-state=established action=accept comment="accept established packets" disabled=no and for droping all trafic beter use add ch...

yancho

The main disscusion was about how to find [enter] on keyboard

yancho

Not small, bet very nice "full-length film" about internet http://www.warriorsofthe.net/

yancho

Your internet is for free? Droping all except standart web port is very cruelly...
You should specify port, like /ip firewall filter add src-address=10.10.0.0/16 dst-port=!80 action=drop chain=forward protocol=tcp

yancho

First put allow(accept) rules then drop. And subnet mask for one host is /32 like 10.0.0.100/32.

yancho

Network map become incantive after changing device name to nonenglish characters like ā ņ ö and so on.

yancho

i think you should add static dns entry with your router ip and some name

yancho

Set second route as default and then route rest traffic to first gateway...

yancho

To be sure for 100% yes :)

Typically, UDP is employed as the transport mechanism for DNS queries and responses and TCP for Zone refresh activities.

yancho

/ip firewall filter add chain=input src-address=!10.0.0.0/24 protocol=udp dst-port=53 action=drop

yancho

It's not possible. Because AP acts like hub or even wire. Communication goes to AP and back to clients but not to switch behind AP! (if clients have same subnet address). Only if client is in different subnet, then traffic goes to router/gateway.

yancho

There are some examples in how to: http://www.mikrotik.com/docs/ros/2.8/howto/howto

yancho

demo2.mt.lv login: demo

yancho

yep http://forum.mikrotik.com/viewtopic.php ... kmp+packet

yancho

And the answer is: RouterOS dosn't support daylight saving.
You have to change time zone manualy to +02:00 and change back to +02:00 at end of october and so on... There are some discussions about same problem: http://forum.mikrotik.com/viewtopic.php ... t=daylight

yancho

yep it works for ip changes log you can use something like: /ip firewall rule forward add src-address=!x.x.x.x/32 src-mac-address=xx:xx:xx:xx:xx:xx action=drop log=yes but this code don't log mac changes for log mac changes, i guess this should help: /ip firewall rule forward add src-address=x.x.x.x...

yancho

open winbox
open new terminal
type /ip firewall filter export
copy paste

yancho

/ ip firewall dst-nat 
add dst-address=80.55.159.106/32:80 protocol=tcp action=nat to-dst-address=192.168.1.200 to-dst-port=80  disabled=no

/ ip firewall src-nat 
add action=masquerade disabled=no 
add dst-address=192.168.1.200/32:80 protocol=tcp action=nat to-src-address=192.168.1.2  disabled=no

yancho

/ip firewall dst-nat add in-interface=ether1 change to ether2 protocal=tcp dst-address:!:80 action=redirect to-dst-port=8080

the same in : ip firewall dst-nat add in-interface=ether2 protocal=tcp dst-address:!192.168.0.1/24:80 action=redirect to-dst-port=8080

yancho

Maybe Squid for windows

yancho

http://forum.mikrotik.com/viewtopic.php?t=3677

yancho

Or change www service port, or add your computer ip in "available from"

yancho

Try to add static entry with any name and your router ip.

yancho

/ip firewall rule forward dst-address=domain.ip/32 action=drop

yancho

Try:
/ip firewall mangle add dst-address=10.16.13.0/24 protocol=tcp src-port=80 mark-flow=mark80

yancho

How about export/import -> http://www.mikrotik.com/docs/ros/2.8/sy ... ent#9.61.3

yancho

http://free.grisoft.com

yancho

Yes, there is connection-limit parameter in the firewall:

add action=reject protocol=tcp src-address=10.0.0.188/32 connection-limit=50

This pasthrought 50 connections and rejects all over.

Search found 207 matches