So, your problem is because the public IP address always changes on those machines? You can try to set up pptp client on those sxt, dial out to your other mikrotik router somewhere else. Make sure the router has a permanent public IP address. If you want to access the sxt, you can login to the router f...
you can just set RB600 as a bridge wireless AP. It will be the same if you use cable to interface of RB1000.
If you want to use 2 ethernet on RB1000 connected to 2 APs, move the hotspot service to a bridge, and put those two ethernet as member of bridge port.
The power is too high. It's better to make it -50 to -60.
Make sure you choose quite far frequency for each interface.
Have you tried to load the traffic? If there is no traffic, sometimes the data rate goes down.
Have you tried to set the data rate manually?
It's better you make a parent queue and put 20 Mbps as the limit-at and max-limit.
For both child queues, put limit-at=10mbps and max-limit=15mbps.
If both clients run together, they will have max 10 mbps each.
You don't need 2 routers to do load balance. Just put those 2 backbone on one router, and also the LAN network. So you need at least 3 ethernet ports on your router. You can just split the connection based on protocol/port using mangle or policy route.
for priority, do you make parent queue for the priority rules ? If you don't have one, Router will think that you have unlimited bandwidth, so no matter what priority that connection has, router will pass the traffic.
are you using routerboard or PC?
sometimes, if you use high power wireless cards, the power is not enough for all cards.
you can also monitor the CPU load and see if it reaches 100%.... so you need more powerful board.
If you want to do mark for source or destination IP Address, and you don't have any NAT on your firewall, you don't have to use Conn-Mark. You can do it with Packet Mark. If you want to mark protocol and port, it's better you use Conn-Mark first, as after handshaking, the port number will change. We...
If both networks are connected to the same router, you don't have to set any rule to make any machine able to ping other machines on the other network. Make sure each machine uses the proper default gateway. The router will route these 2 networks. But if you want to run application using windows file sharing, you have to...
Sometimes, problems happen not in the next gateway, but somewhere in internet.
check gateway feature in static route, check only the connection to the gateway.
if you want to set a fail over system and check your line further,
you have to use netwatch and do scripts if gateway problem happen.
I think it shows that your configuration works perfectly. You have to understand, each data transaction uses both upload and download. Client sends request to server, this is upload traffic, and then server will respond and send data back to the client (download traffic). If you don't have upload qu...
Hello all friends.....! I just know this interesting discussion. Quite surprised, my wiki topic, and also my pdf became reference on this topic. My presentation is based on MT ver 2.9, and once again, it's not possible to know which traffic is MISS and which traffic is HIT. I'm glad in ver 3.0 we can...
in addition of using DNS cache, you can also redirect DNS query traffic to the DNS cache.
so, whatever DNS server configured in the client, they will do query to your DNS cache.
As web-proxy is a local process, you need to utilize chain output in mangle. Add these rules to firewall mangle:
chain=output out-interface=!LAN action=mark-connection new-connection-mark=odd passthrough=yes connection-state=new nth=1,2,0
chain=output out-interface=!LAN action=mark-routing new-routi...
RB333 should be better than RB532, even the CPU clock is the same.
RB333 have different CPU architecture and also have QUICC co-processor. So, it's not only a 333MHz board. It's faster.
What type of remote login?
You can use simple script to login (using username and password) through telnet,
or if you want more advance, you can use API.
Hi, It's what UPnP (universal Plug & Play) is for. No matter how you set IP on your laptop/PC, you can connect to the hotspot gateway (after entering the username and password). IP configuration on laptop will be ignored by the router. This feature makes it easier to manage a hotspot area, we don't...
I just tried it indoor. So far this card work as it should be. Several db below SR, in 2.x and also 5.x GHz. I tried to load the card for 2 days... and still work fine.
In RB500 (and I think also in RB1xx), you can only use webproxy-test package.
There is no webproxy package.
This package will enable IP PROXY application, not IP WEB-PROXY.
Hi, you should understand, every TCP data packet requires uplink and downlink. HTTP download doesn't mean you don't need uplink traffic. The client still needs uplink to send HTTP request, and after handshake process, then it makes downlink traffic. In your case, maybe you need to open more uplink p...
If you give information about software-id and license-key, your reseller should be able to give you new license-key.
Or, you need to contact the reseller where you bought your RoS.
Another way, you can make a mangle/firewall filter to add src-address to address-list for any protocol and connection they make, and set any time for it to be deleted from address-list (ex: 5 minutes). And you can do print for that address-list.
You have to look at IP Flow diagram on Manual.
Simple queue (I think dynamic queue will be the same with simple queue, IMHO) will be placed on global-in and global-out chain.
With queue tree, usually we put them on interface (latest process on IP flow)
In this case, when you only have one sub-queue, using parent is not useful.
Parent queue will be useful if you have several sub-queues, parent will handle queue of total usage of sub-queues.
It should work. You can use prerouting for limiting downlink and uplink, just specify different interface.
For uplink, use interface gateway, and for downlink, use interface local.
As we know, web-proxy in v3 is a new re-written proxy by Mikrotik. In several topics, there are discussion about how to do queue or routing based on web-proxy. Example: 1. To make different queue rule for traffic HTTP MISS or HIT. Now, this can not be done with mangle, but I think should be possible...
You need to do connection-mark first, and use it while you do packet-mark.
1 chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-conn passthrough=yes
2 chain=prerouting protocol=tcp dst-port=80 connection-mark=http-conn action=mark-packet new-packet-mark=Http pa...
When you set max-limit = burst threshold, and your client takes all traffic as max-limit all the time, there is no chance the client will have burst. Burst is useful for client who doesn't always take the max-limit. If you want the client have burst, even if they use all the max-limit, you can set bu...
You need to post the complete rule of your mangle, in order for us to help you.
It's really not enough to troubleshoot while you only say "route-mark = web"
If you redirect all TCP:80 traffic to web-proxy, there will NOT be any direct HTTP traffic.
All traffic will go through proxy, either the proxy already have the cache or proxy will request from internet.
You don't need to change the order, as those are parent and sub queue.
If you want more burst, make burst threshold lower.
With your setting, it will make the traffic always on 64 kbps, burst happens only in the first 6 or 7 seconds.
If you are connecting to IP Address, should not be any problem.
But if you do mac-connection, I prefer to use only one interface on laptop (or PC), and disable other interfaces.
I will come to this MUM... with almost 15 hours flight and 13 hours connecting time at Frankfurt.
Anyone can give information how to get to the hotel from airport? If I have to use taxi, how much it will cost ? Thx in advance!
Hi, From your bandwidth usage, I suggest : 1. You advertise 1 /24 to the HTTP provider, and you make a good proxy server to handle all http request. And set this as transparent. 2. You advertise the other /24 to the other provider. All client should use these IP, not the proxy block IP. 3. You can a...
You can try to advertise different subnet size to each peer. For example (your IP are 10.0.0.0 - 10.0.1.255 or /23): Peer A for 10.0.0.0/24 Peer B for 10.0.0.1/24 You can advertise to : Peer A: - 10.0.0.0/24 - 10.0.0.0/23 Peer B: - 10.0.0.1/24 - 10.0.0.0/23 So if you have peer problem with Peer A, 1...
The detail is not enough to know where the error is.
But from the tracert result, I guess you should add several static routes (back to source IP) on several router in side B, after router 10.0.52.2.
If all those IP in the same subnet, you can only use one ethernet card. If it's /32 IP, as it's in different subnet, you can use 3 cards, or you can also use 1 card. About load balance all of your connection, you can see on MT wiki, using conn-track, nth, and src-nat each conn-track to each public IP.
I have not checked this solution, but maybe this will work for your case.
You put the static default route to table, and route mark the traffic for non office IP. So, when PPPoE client is connected, and adds default route, it will only affect the office network, not the other network.
What is the strange thing, and what do you expect ?
2 name="1-Local-down" parent=localnet packet-mark=down-packet limit-at=600000 queue=pcq-download priority=2 max-limit=600000 burst-limit=0 burst-threshold=0 burst-time=0s
3 name="3-Proxy download" parent=localnet packet-mark=Pro...
I didn't see any strange thing from your example. Both rules are for client, not for proxy. One rule is for direct connection, and the other is for down traffic through proxy. You can not compare also the statistic in the winbox by downloading small file or several seconds test. The refresh time of t...
Sure it's possible to do it by address-list, but there are several problems. But, how if the user using NAT and have several computer behind the NAT. Only the first user get redirected. Another thing, is the user using local address assigned by DHCP? Do they use a recycle address ? Once the IP inser...
/queue tree print oid Flags: X - disabled, I - invalid 0 name=.1.3.6.1.4.1.14988.1.1.2.2.1.2.16777216 packet-mark=.1.3.6.1.4.1.14988.1.1.2.2.1.3.16777216 bytes=.1.3.6.1.4.1.14988.1.1.2.2.1.5.16777216 packets=.1.3.6.1.4.1.14988.1.1.2.2.1.6.16777216 1 name=.1.3.6.1.4.1.14988.1.1.2.2.1.2.16777217 pack...
The problem will arise, when one CPE see two access point (with the same SSID) with almost the same signal level. This can make the client connected to one and then move to the other one, back and forth.
I think it's a static route problem. You missed one or several static route rule(s) on the router. But sorry, I can not tell you which one you missed, unless you make your network diagram, and print your setup in more detail here.
Have you tried the bandwidth test ? It can show prediction of how big your wireless link is. You can compare this data with the occupied link after you put 25 IP phone.
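# move every address found in dynamic-list to static-list
:local w
:foreach i in=[/ip firewall address-list find list=dynamic-list] do={
:set w [/ip firewall address-list get $i address]
/ip firewall address-list remove [/ip firewall address-list find address=$w]
/ip firewall address-list add list=static-list address=$w
}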
I don't think it's possible using ROS scripting.
But you can make a simple PHP or any other language to do that.
Checking on other server first.... then telnet to the router and disable the rule.
make the datarate static. if you need 5 mbps in total, make the datarate at least twice. use the G or G-Turbo mode. disable the DFS if you make a long range link (>15 km), set the ack-timeout manually. see the table on manual. try to test the throughput using bandwidth test, see if you already got g...
You need bridge network.
With mikrotik as wireless client, you can not simply make it as bridge network, unless you have access to the WAN Access Point, and make WDS setting, or bridge EoIP.
for downstream packet, if you are using src-nat or masquerading, you have to use connection mark first, and then packet mark. Why? The translation process of src-nat will be held at almost the last step in the router. So when the packet come from the internet, no way to know to whom the client have ...
You have to specify the difference between BROWSING and DOWNLOADING.
Both actions are using TCP Port 80. Remember, most of the time in RouterOS, we will talk in layer3.
I don't think this is the proper forum for your problem, as it's not related with Mikrotik at all. But I think you can show the data to the ISP, and ask them to solve it. But be careful, if you can not download full T1 from 1 source, it doesn't mean the problem must be your ISP. The problem can be a...
I think the uplink traffic won't be a problem. You still have enough pipe for 10 users.
For downlink, use the queue tree. You can make a parent queue, so the router knows that you only have 512000 speed. Put all other queue inside the parent queue. Put limit-at as 51200 and max-limit as 56000.
What antenna are u using in room?
What's the signal strength when u place both box side by side?
Do u want to put those boxes with 5km distance with the same antenna u are using inside the rooms?
C'mon..... be realistic!
You can do it with simple firewall rule. src-address=[ip-pool] dst-address=xxxxxxx action=accept src-address=[ip-pool] dst-address=xxxxxxx action=accept src-address=[ip-pool] dst-address=xxxxxxx action=accept src-address=[ip-pool] dst-address=xxxxxxx action=accept src-address=[ip-pool] dst-address=x...
Routed network will do better than bridge. The broadcast traffic will not go to whole network. If you put DHCP, the client will change AP (if one have trouble) without any problem. The IP subnet will change, but I'm sure they will not know and care, as long as they can connect.
I think there is no way to make QOS based on percent.
You need to define, how many kbps/mbps for each traffic.
You can do it with mangle, and then use the packet mark on queue tree.
Maybe you can try this example
IP > FIREWALL > MANGLE
0 ;;; up traffic chain=prerouting in-interface=LAN src-address=192.168.0.4 action=mark-packet new-packet-mark=test-packet-up passthrough=no
1 chain=forward src-address=192.168.0.4 action=mark-connection new-connection-mark=test-conn passthrough=ye...
If you want certain traffic goes and back on the same pipe, you need to do SRC-NAT to IP Address given from that ISP. You can not just route the traffic, unless you do BGP and you can choose which IP blocks advertise through one ISP and another ISP.
There are several ways to do that: 1. You can try to split your IP blocks to several smaller subnet, and do routing for the second subnet you put behind the router. 2. You can use dst-nat to translate request to certain IP Address to one of local IP Address. You can still host, for example webserver...
try to set mt2 as bridge and make sure there is not routing/nat on wireless equipment
you can also try to make EoIP from MT2 to MT1, and do bridge for that EoIP with appropriate ethernet
If you only need to block (not queue) un-authorized mac-address, you can try to use this script
> ip firewall filter
> add chain=forward in-interface=LAN src-mac-address=11:22:33:44:55:66 action=accept
..... repeat for every mac-address you need to allow
..... and at last, you need to add drop filter
> add chain=forward in-interface=LAN action=drop
I think this is not the PPPoE problem. Have you tried the setting without PPPoE with 2 users connected to a switch after an AP station? This is bridge problem, where AP client can not pass the second client mac address. Mikrotik will see only the first mac-address. You need to set a NAT on the wirel...
The great thing about Mikrotik is the manual is quite complete, more than 500 printed pages.
The bad thing about Mikrotik is the manual is complete, makes many people too lazy to read it.
I see, I didn't think about it.
Maybe you can try to make a script on your payment web, after you add the mac address on radius, the script will do telnet/ssh to the router, and delete the mac-address. So it will authenticate again. Not very easy, but I'm sure it's doable.
After you add the mac-address, don't redirect the user to the login page, but redirect the user to the page they want to browse before the payment process.
Eric, please do not get confused with limit-at, max-limit, priority, or parent in my script. The script I pasted in here is only a small piece of the whole script in my box. Very complicated if I have to explain one by one. Answering your question: 1. We are doing connection mark, and then packet mark. This i...
I think you have basic networking problem. Have you set the default route of each machine properly? What is the default route for the real network machine? Maybe you can try to do trace route to see where the traffic go.
I have RB230 with RB14 using 4 CM9/R52 cards, and it can work together. Yes, it's not 22 mbps each, but I got better than 1 mbps each with All card using 2.4 GHz.
is the software-id change or still the same?
if you bought the license from reseller, contact them, they should have backup of your license key.
or send email to support@mikrotik.com, and inform them your software-id
I mean, make a test comparison on the ground.
If one of the equipment has much smaller signal, I think it's hardware or cable or connector problem. You have to fix or replace it.
Have you checked both AP on the ground, give them same small helical antenna and connect to the same AP. Same distance, and see the signal strength. Maybe you have problem in connector or cable.
You should put hotspot and regular network on different interface.
Or for regular user, you can try PPPoE.
User can choose if they want to login through hotspot or PPPoE.
Isn't your rule will drop every ip except one pair MAC+IP ? I mean it will work only for one client. I'm using construction with lot of pass rules. One pass rule for one MAC+IP pair. At the end I have one rule to drop everything what's not equal to previous passing rules. Gotmoh, I didn't check my scri...
Check the FTP Server configuration.
I don't think it's the problem on Mikrotik.
If one user can login, it means the D-NAT / Routing / Firewall in Mikrotik correctly configured.
Friend, you should read the manual first before asking here.
But, you can try using mac address protection:
/ip firewall filter add src-mac-address=[client mac address] src-address=![client correct ip address] action=drop
pekr, you should use bridge, not WDS to put 2 interface in one router into same subnet. You need STP only if you have a bridge loop, so you can set priority, like a routing in route traffic.
Bridge vs routing? You can see the difference only if your traffic is high enough.
If you are not using NAT (just plain routing), you can use several IPs from different ISP on one interface. But I didn't suggest this, as it will make big bridge network across several ISPs, and sometimes, you can have trouble with broadcast traffic. You can do route-mark and then do several default...
When you are using Mikrotik OS to do DHCP or Hotspot for the client, I think it's better to use one of the high power interfaces, such as Prism 300 mWatt PCMCIA, or SR2 miniPCI card. The price for those cards is cheaper than a good 2,4 Access Point hardware.
Sorry that I can reply this topic just now. on 5211 chipset, if we are doing : /interface/wireless/info we get the list of the freq we can use, and here are : name="wlan2" interface-type=Atheros AR5211 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps, 36Mbps,48Mbps,54Mbps 2ghz-b-channe...
Hi, I found a strange condition when installing RB230 outdoor with bridge. Here is the configuration: Client1 ------ Router 1 ------(wireless)------Router2 ------ Client2 I'm using Atheros 5211 chipset on both router, and using 2,5 GHz freq. I put all interface on bridge1. Result : - Client1 can ping...
I try to use 3 different Atheros minipci cards. 5211, 5212, and 5213.
When I use them in 2.4 GHz range, both card have different frequency for each channel. Is there any way to connect these different card?
First, drop all drop firewall rule, and make sure that the default is allow/accept.
Then try to ping from a machine that is in same subnet with the interface host the ip you want to ping. If this work, it means your interface setting works fine, and maybe there is routing problem.