Community discussions

MUM Europe 2020

Search found 394 matches

  • 1
  • 2
by tneumann
Wed Jun 18, 2008 10:25 pm
Forum: General
Topic: Auth WPA2/PSK agaist radius server
Replies: 12
Views: 7403

Re: Auth WPA2/PSK agaist radius server

if Mikrotik developers will implement different WPA2 keys for various users over radius protocol.
What would be the advantage of your implementation compared to EAP with certificates, which is a standards-based technology that already works on RouterOS today?

--Tom
by tneumann
Mon Jun 02, 2008 10:19 pm
Forum: General
Topic: Auth WPA2/PSK agaist radius server
Replies: 12
Views: 7403

Re: Auth WPA2/PSK agaist radius server

Not with PSK, but if you use EAP the keys will be generated and supplied automatically...

So you should use WPA2/EAP to solve this.


--Tom
by tneumann
Thu May 29, 2008 8:55 pm
Forum: General
Topic: new feature:Dynamic ppp address-lists
Replies: 33
Views: 15631

Re: new feature:Dynamic ppp address-lists

Just define an ip pool per bandwidth you want to offer and map each user an ip from the corresponding pool. Than you just need a PCQ queue for each pool. Sure, that works, but it's not what I was asking for. When I asked about Radius Framed-Route attribute based routes above I was specifically talk...
by tneumann
Wed May 28, 2008 7:40 pm
Forum: General
Topic: new feature:Dynamic ppp address-lists
Replies: 33
Views: 15631

Re: new feature:Dynamic ppp address-lists

Sounds quite useful, thanks for that new feature! Is it also possible to get networks that are specified as Radius Framed-Route reply attributes dynamically inserted into that same address list in addition to the PPP peer host address? That would make the feature useful for clients that get Radius-a...
by tneumann
Wed Feb 06, 2008 11:57 pm
Forum: General
Topic: Datenvorratshaltung
Replies: 8
Views: 1195

Re: Datenvorratshaltung

h
... connection time... date, login...logout.....username....ip adress .. mac address...login name... maybe "connected to"..
If you use radius for authentication you'll get all that info without any additional work anyway.

--Tom
by tneumann
Sun Dec 30, 2007 1:24 pm
Forum: General
Topic: How to protect Against ping flooding
Replies: 2
Views: 897

Re: How to protect Against ping flooding

Ask your ISP to blackhole/discard the traffic on their side of the link. If you're running BGP with your ISP then maybe you can trigger the blackholing yourself via BGP. There are documented "best-practices" for this, see http://www.nanog.org/mtg-0410/soricelli.html . Maybe your ISP supports somethi...
by tneumann
Thu Nov 01, 2007 9:47 am
Forum: General
Topic: OSPF needs connection tracking?
Replies: 2
Views: 679

Re: OSPF needs connection tracking?

Did you take into account that OSPF does send
some packets to a Multicast destination address
in some situations? You'd need to allow these
packets to reach your router as well...


--Tom
by tneumann
Tue Sep 11, 2007 9:39 pm
Forum: General
Topic: how configure pcq
Replies: 6
Views: 1081

Re: how configure pcq

what is your setup or scenario, what are your requirements? Regards Faton i want to use it but i dont know how trottolino1970, I realize that you might indeed be looking for guidelines on how to solve your configuration problems, but you really are asking for help in the most uneffective way I can ...
by tneumann
Tue Sep 11, 2007 9:27 am
Forum: General
Topic: two mk
Replies: 3
Views: 555

Re: two mk

Like one in Texas and one in Arizona? Sure, go for it!

Seriously, please be more specific in describing your problem.

--Tom
by tneumann
Mon Sep 10, 2007 10:57 pm
Forum: General
Topic: Need seamless roaming for barcode readers ...
Replies: 8
Views: 1306

Re: Need seamless roaming for barcode readers ...

Ok, then you do not need WDS. Roaming will be possible. Configure all access points to use the same SSID and the same security-profile (i.e. WPA or WPA2 or WEP or Open or whatever you need). But the roaming will probably not be completely seamless as it takes some time for a client to (re-) associat...
by tneumann
Mon Sep 10, 2007 10:44 pm
Forum: General
Topic: How to create a HOTSPOT with to-address/address-pool??
Replies: 9
Views: 1685

Re: How to create a HOTSPOT with to-address/address-pool??

What kind of relation do you have with those other ISPs that you'd allow the user to choose from? And what kind of network interconnection does your hotspot have with those ISPs? For 4) and 5) to be at all possible you'd at least need a routed subnet from every ISP connected to your hotspot network....
by tneumann
Mon Sep 10, 2007 9:00 pm
Forum: General
Topic: How to create a HOTSPOT with to-address/address-pool??
Replies: 9
Views: 1685

Re: How to create a HOTSPOT with to-address/address-pool??

Do you have multiple ISPs routing addresses from their respective allocations to your hotspot router? That would be a very unusual setup, but how else would it be possible to allow the hotspot users to "switch ISPs" when they login? Anyway, usually inter-ISP hotspot roaming is not implemented based ...
by tneumann
Mon Sep 10, 2007 8:25 pm
Forum: General
Topic: How to create a HOTSPOT with to-address/address-pool??
Replies: 9
Views: 1685

Re: How to create a HOTSPOT with to-address/address-pool??

That does not answer any of my above questions.

--Tom
by tneumann
Mon Sep 10, 2007 7:36 pm
Forum: General
Topic: Need seamless roaming for barcode readers ...
Replies: 8
Views: 1306

Re: Need seamless roaming for barcode readers ...

It sounds like each of your AP will have a seperate LAN connection (wired ethernet)? I'm asking because you mentioned 'bridged ethernet and wireless'. If this is the case then you will not need WDS at all. It would only be useful if you have some APs that do not have their own wired uplink but inste...
by tneumann
Mon Sep 10, 2007 12:44 am
Forum: General
Topic: How to create a HOTSPOT with to-address/address-pool??
Replies: 9
Views: 1685

Re: How to create a HOTSPOT with to-address/address-pool??

You should not run hotspot and uplink on the same interface (ether1 in your case).

Furthermore, what are you trying to do with those 1.1.1.x and 10.5.50.x address ranges while at the same time you answered during the setup that you do not want to masquerade?

--Tom
by tneumann
Thu Sep 06, 2007 5:38 pm
Forum: General
Topic: Need seamless PEAP authentication ...
Replies: 6
Views: 4199

Re: Need seamless PEAP authentication ...

Did you try a security profile with WPA2-EAP and EAP passthrough on your MikroTik access point? In EAP passthrough mode all certificate verfication and PEAP handling are done between the client and the RADIUS server only, so this should work just fine provided that you have the needed Microsoft mojo...
by tneumann
Tue Sep 04, 2007 9:22 am
Forum: Wireless Networking
Topic: Securing wifi without having to enter keys??
Replies: 1
Views: 559

Re: Securing wifi without having to enter keys??

In a correctly configured EAP setup the radius server will automatically provide per-client keys.

--Tom
by tneumann
Tue Sep 04, 2007 12:39 am
Forum: General
Topic: Connect 2 networks over Internet
Replies: 4
Views: 2544

Re: Connect 2 networks over Internet

As a first step you should decide if you want (or need) both networks to operate as one broadcast domain (that is: bridged to each other) or as separate broadcast domains (then it will be routing between the networks). Your goals and requirements are not clear to me from what you wrote so far, so co...
by tneumann
Mon Sep 03, 2007 8:24 pm
Forum: General
Topic: connection tracking is routing possibile
Replies: 13
Views: 1485

Re: connection tracking is routing possibile

Is this the only reason that conn-trac would be used? Besides being able to actualy see whats happening on the network?
No, connection tracking is also needed for some functionality of the firewall (/ ip firewall filter)

--Tom
by tneumann
Mon Sep 03, 2007 12:24 am
Forum: Beginner Basics
Topic: plzzzzz so ergent
Replies: 9
Views: 1864

Re: plzzzzz so ergent

Your masquerading / srcnat does not work because the rule ip firewall nat add chain=srcnat action=masquerade out-interface=Public specifies the wrong out-interface. You're running a pppoe-client on your public interface towards your ISP, therefore the interface that will carry your outgoing traffic ...
by tneumann
Mon Sep 03, 2007 12:06 am
Forum: General
Topic: Connect 2 networks over Internet
Replies: 4
Views: 2544

Re: Connect 2 networks over Internet

by tneumann
Sun Sep 02, 2007 11:39 am
Forum: General
Topic: connection tracking is routing possibile
Replies: 13
Views: 1485

Re: connection tracking is routing possibile

Yes.
by tneumann
Sun Sep 02, 2007 11:30 am
Forum: General
Topic: net cut
Replies: 27
Views: 5611

Re: net cut

if I use EAP with certificates, do I need buy certificates service from somewhere? You can, but you don't need to. You can just as well run your own PKI. There are lots of tutorials on the net on how to setup a basic PKI (CA) with OpenSSL and a bunch of shell scripts, such as http://www.sourcequenc...
by tneumann
Fri Aug 31, 2007 9:38 am
Forum: General
Topic: net cut
Replies: 27
Views: 5611

Re: net cut

Yes, logically there'd need to be two AP, one for unsecured connections (offering registration only) and one WPA protected for full network access, but you can use the virtual-AP feature of RouterOS so that you do not need to buy and install two AP devices - both AP can run on the same radios. Regar...
by tneumann
Thu Aug 30, 2007 9:05 pm
Forum: General
Topic: net cut
Replies: 27
Views: 5611

Re: net cut

You could set up an open, unencrypted hotspot that allows only access to your user-registration page where you describe the services that you're offering to registered customers and allow potential customers to sign up for your services. Require them to identify themselves upon registration and to p...
by tneumann
Tue Aug 28, 2007 12:00 pm
Forum: General
Topic: Asking RADIUS
Replies: 5
Views: 792

Re: Asking RADIUS

There is no backup file. Backup means the accounting records will
also be sent to an additional, second radius server (this is the "backup server").

--Tom
by tneumann
Tue Aug 14, 2007 11:37 pm
Forum: General
Topic: Different Subnets... Different gateways...
Replies: 4
Views: 970

Re: Different Subnets... Different gateways...

Set the routing marks not only depending on the source-address but also on the destination-address, that is only set the subnet1 routing mark if the destination-address is not in subnet2 and set the subnet2 routing mark only if the destination-address is not in subnet1. Something like add chain=prer...
by tneumann
Sun Aug 05, 2007 2:38 pm
Forum: General
Topic: VLAN and Cisco trunk
Replies: 8
Views: 1856

Re: VLAN and Cisco trunk

nordex, we've been discussing this a few months ago, see http://forum.mikrotik.com/viewtopic.php?f=2&t=14686&hilit= Did you follow all the suggestion I made in that previous discussion? Especially the add chain=forward in-bridge=bridge1 out-bridge=bridge1 action=drop comment="" disabled=no part? And...
by tneumann
Wed Jul 11, 2007 8:59 am
Forum: General
Topic: PPTP + RADIUS: Framed-Route ignored
Replies: 5
Views: 2041

Re: PPTP + RADIUS: Framed-Route ignored

Why do you specify 10.200.0.10 as the next hop? You're assigning 10.200.200.2 to the client (with the Framed-IP-Address attribute), so you have to use that client IP address as the next hop if you want to add a route towards that client. Try this: "22110";"Framed-Route";":=";"10.200.0.3/32 10.200.20...
by tneumann
Mon Jul 09, 2007 8:06 pm
Forum: General
Topic: PPTP + RADIUS: Framed-Route ignored
Replies: 5
Views: 2041

Re: PPTP + RADIUS: Framed-Route ignored

Yes, of course it's supported.

See the RouterOS manual at http://www.mikrotik.com/testdocs/ros/2. ... radius.php

For the correct format of the Framed-Route attribute see http://www.ietf.org/rfc/rfc2865.txt (Chapter 5.22)


--Tom
by tneumann
Sat Jul 07, 2007 1:40 am
Forum: General
Topic: PPTP + RADIUS: Framed-Route ignored
Replies: 5
Views: 2041

Re: PPTP + RADIUS: Framed-Route ignored

The Framed-Route should use the Framed-IP-Address that is assigned to the client as the next hop.

--Tom
by tneumann
Thu May 31, 2007 10:52 am
Forum: General
Topic: OSPF and stub-areas
Replies: 4
Views: 1270

Re: OSPF and stub-areas

The networks ares direct connected and others are with static routes.
A stub area can not announce routes from external (i.e. static, connected) networks
towards the OSPF backbone. You'd need either a normal, full-featured area or at
least a NSSA for that.

--Tom
by tneumann
Thu May 24, 2007 11:43 pm
Forum: General
Topic: OSPF and stub-areas
Replies: 4
Views: 1270

How does router B know the route to "Network"? Is it directly connected? Or a static route?

--Tom
by tneumann
Thu May 24, 2007 10:25 am
Forum: General
Topic: Simple queue priorities
Replies: 2
Views: 847

You can not achieve much of an effect with priorities for downstream traffic on your end of the link. Priority queueing of your downloads should be performed on the ISP's router at the other end of the link.

--Tom
by tneumann
Fri May 18, 2007 5:07 pm
Forum: General
Topic: External IP address replaced with router
Replies: 21
Views: 2874

users internally can no longer get to the website by using the DNS name which points to the external IP. What would I need to change to resolve that?
Set up split dns on your nameservers.

--Tom
by tneumann
Fri May 18, 2007 12:05 am
Forum: Wireless Networking
Topic: Many card Bridging??
Replies: 9
Views: 1611

Adam,

the MikroTik Wiki has some examples at

http://wiki.mikrotik.com/wiki/Wireless_Setups

some of these use WDS and you might be able to learn from them for your project.

--Tom
by tneumann
Thu May 17, 2007 10:47 pm
Forum: Wireless Networking
Topic: Many card Bridging??
Replies: 9
Views: 1611

Can I put the wlan1 (backhaul link) of the repeater into station-WDS, and expect it to connect to another RB532 back at the tower that is operating in bridge-ap mode for clients? Yes, but make sure that the RB532 ap-bridge back at the tower has also enabled WDS. Enabling WDS in addition to ap-bridg...
by tneumann
Thu May 17, 2007 10:27 pm
Forum: Wireless Networking
Topic: Many card Bridging??
Replies: 9
Views: 1611

Adam, do not put a wireless interface that is in station mode into a bridge. Wireless interfaces that operate in station mode can not support transparent bridging (if you need to know why this is the case, please read the IEEE 802.11 standard chapters 7.1.3.1.5 and 7.2.2-Table 4). Every interface th...
by tneumann
Wed May 16, 2007 9:13 pm
Forum: Wireless Networking
Topic: WDS and EOIP
Replies: 1
Views: 679

Yes. They are at completely different protocol layers. EoIP does not exists on a wireless interface as such. It is a tunnel protocol that operates between two IP endpoints, and as such is not bound to a wireless interface but can of course operate on top of IP packets that are transmitted over wirel...
by tneumann
Wed May 16, 2007 9:00 pm
Forum: General
Topic: External IP address replaced with router
Replies: 21
Views: 2874

No, it will not. And why should it? Skynoc, did you try it for yourself? Try it and you'll see.

--Tom
by tneumann
Wed May 16, 2007 8:17 pm
Forum: General
Topic: pptp restriction
Replies: 5
Views: 924

jurisv,

you do not login via PPP from some IP address (except for PPTP). Are you talking about PPTP or are you talking about PPPoE? For PPPoE your question does not make sense.

--Tom
by tneumann
Wed May 16, 2007 9:21 am
Forum: General
Topic: External IP address replaced with router
Replies: 21
Views: 2874

this is normal Mukah
No, this is not normal. A destination NAT rule does not change the source address of the IP packets, only the destination address. If everything is configured correctly then you should still see the external source address of outside clients on you internal servers.

--Tom
by tneumann
Thu May 10, 2007 8:07 pm
Forum: General
Topic: PPPoE client behind an AP acting as client....Problem
Replies: 7
Views: 1269

sergejs already told you the most probable cause for your problem, but you did not comment on his suggestion. So did you take into account what he wrote? Did you check whether this does indeed affect you or not? Did you make sure that you have a transparent layer 2 connection between the PPPoE clien...
by tneumann
Sun May 06, 2007 8:45 pm
Forum: General
Topic: PPTP between two Mikrotiks
Replies: 11
Views: 2972

A PPTP interface will not work as a member of a bridge. Only ethernet-like interfaces should be put in a bridge. You can establish a PPTP tunnel for authentication and encryption between two MikroTik devices just like you already did, but then you also need to configure an EoIP tunnel on top of the ...
by tneumann
Sun May 06, 2007 4:35 pm
Forum: General
Topic: traffic counting
Replies: 3
Views: 828

There are some hints on radius installation on the MikroTik Wiki site at http://wiki.mikrotik.com/wiki/Assorted_examples.

--Tom
by tneumann
Sun May 06, 2007 11:56 am
Forum: General
Topic: traffic counting
Replies: 3
Views: 828

As you are using PPP already I think your best solution would be to install a radius server and let it do the accounting (maybe with Acct-Interim-Interval if you have long-running sessions and need up-to-date accounting values even during the lifetime of a users session).

--Tom
by tneumann
Sun May 06, 2007 12:00 am
Forum: General
Topic: Bandwith shaping with mangle and address lists problems
Replies: 9
Views: 2102

Smops,

there's a problem with your mangle rules. All your mangle rules with action=mark-connection should have passthrough=yes

--Tom
by tneumann
Sat May 05, 2007 2:46 pm
Forum: General
Topic: Hotspot Radius auto-logoff
Replies: 13
Views: 3735

ravin,

the remaining time is calculated in the function time_left_for_user() that you can find in the file func.sql on the URL I posted previously. In the file radius.conf you can see how time_left_for_user() is used to map its result to a Radius Session-Timeout reply item.

--Tom
by tneumann
Fri May 04, 2007 7:43 pm
Forum: General
Topic: VLAN and sharing an IP Address
Replies: 1
Views: 756

Re: VLAN and sharing an IP Address

Any problems with using the same ip address on a VLAN interface and on an ethernet interface at the same time?
This will not work. You should not configure the same IP address (or any overlapping networks, for that matter) on more than one interface.

--Tom
by tneumann
Tue Apr 24, 2007 11:42 pm
Forum: General
Topic: Disable NetBIOS via DHCP Server
Replies: 3
Views: 2636

Make sure you have a working WINS/NBNS server in place, then do something like this (adapt IP addresses to your network, of course) / ip dhcp-server option add name="nb-node-type-P" code=46 value="2" / ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 wins-server=192.168.10.91 ...
by tneumann
Tue Apr 24, 2007 7:55 am
Forum: General
Topic: control by time
Replies: 5
Views: 1005

See http://www.mikrotik.com/testdocs/ros/2.9/root/queue.php

Simple queues have a time parameter that will help you with what you want to do.

--Tom
by tneumann
Tue Apr 24, 2007 12:38 am
Forum: General
Topic: Parallel networks and RADIUS
Replies: 8
Views: 1411

yes routing would sent 10.0.0.0/16 traffic to the default route over pppoe but why doesn't the firewall filter rule then pick them up and redirect them to wlan1? Because redirecting something is not the srcnat's job at all. The out-interface parameter in the srcnat rule is not an action parameter; ...
by tneumann
Mon Apr 23, 2007 2:33 pm
Forum: General
Topic: Parallel networks and RADIUS
Replies: 8
Views: 1411

Well, with this routing table it's clear that packets with destination 10.0.0.33 choose the default route and get sent out on the pppoe interface. It appears that you need to change your routing, and only after that works the way you need it to you then can take care of srcnat...

--Tom
by tneumann
Sat Apr 21, 2007 4:21 pm
Forum: General
Topic: Parallel networks and RADIUS
Replies: 8
Views: 1411

... the rules above should surely have the effect of giving every packet with a 10.0.0.0/16 destination address a source address of 10.0.3.2 (wlan1) True, if and only if the packet were to go out on interface wlan1 in the first place! ... and routing it via wlan1 That, on the other hand, need not b...
by tneumann
Sat Apr 21, 2007 11:22 am
Forum: General
Topic: Parallel networks and RADIUS
Replies: 8
Views: 1411

srcnat does not influence the route/next-hop/outgoing-interface that is used to forward a packet. It's the other way around, i.e. if the routing code decides that a packet will be send out on interface ppoe-out1 then a particular srcnat rule might be selected for this (because it has a matching out-...
by tneumann
Mon Apr 16, 2007 8:13 am
Forum: General
Topic: Mikrotik 2.9.x.x with Intel Core Duo
Replies: 2
Views: 728

RouterOS 2.9 supports one CPU only, regardless how many CPU cores your hardware has installed.

--Tom
by tneumann
Fri Apr 13, 2007 8:46 pm
Forum: General
Topic: WDS Bridge, PPPoE, PTMP Wireless, and VLANs oh my!
Replies: 4
Views: 1713

Yes, I mean packet duplication based on the nature of a bridge.
Do you have that much broadcast traffic on your network? After all, non-broadcast traffic should not be 'duplicated' but just send out on the (bridge member) interface on which the destination MAC can be reached...

--Tom
by tneumann
Thu Apr 12, 2007 9:26 pm
Forum: General
Topic: Mangle Question
Replies: 9
Views: 1588

Sounds like plain policy routing - it does not matter if the route to the destination is learned via BGP or not... so just configure policy routing and force it to use a certain next-hop. If that next hop is a BGP peer or would be irrelevant from what I understand.

--Tom
by tneumann
Thu Apr 12, 2007 7:37 pm
Forum: General
Topic: OSPF is loosing routes
Replies: 9
Views: 1909

NBMA and ptmp are more preferred in wireless networks.
Why?

--Tom
by tneumann
Thu Apr 12, 2007 6:36 pm
Forum: General
Topic: Mangle Question
Replies: 9
Views: 1588

BGP does not by itself have anything to do with mangeling. From my understanding I thought that you are already using mangeling for traffic shaping and now you want to additionaly implement BGP and use the traffic control features that BGP offers - which, as I already wrote - do not have any relatio...
by tneumann
Thu Apr 12, 2007 4:54 pm
Forum: General
Topic: Mangle Question
Replies: 9
Views: 1588

I have 5 BGP peers and use mangle to take a control to upstream traffic (balancing 3 international providers), how can I do that with BGP ? Traffic management with BGP is not an exact science. Because of the dynamic nature of the worldwide BGP routing table it's more of a moving target and an ongoi...
by tneumann
Thu Apr 12, 2007 4:40 pm
Forum: General
Topic: Mangle Question
Replies: 9
Views: 1588

Re: Mangle Question

Hi, can I put more than one dst-address into a single mangle rule ?
Yes, but not directly. Use an address-list. Define the list under /ip firewall address-list and then use that list in the mangle rule (use dst-address-list in the mangle rule instead of dst-address).

--Tom
by tneumann
Thu Apr 12, 2007 10:30 am
Forum: Wireless Networking
Topic: Wireless Repeater help
Replies: 8
Views: 1575

Do I need 2 wlan cards in each router to do this or can I bridge them using one per. Two WLAN cards (one for backbone (AP-to-AP) and the other for clients) is the cleanest solution and offers the best performance, but it is also possible to run inter-AP-WDS and clients on the same radio; but keep i...
by tneumann
Thu Apr 12, 2007 10:18 am
Forum: Wireless Networking
Topic: Wireless Repeater help
Replies: 8
Views: 1575

What is the difference between Static and Dynamic WDS? Dynamic WDS is mostly useful when you have a changing (dynamic) number of WDS peers, such as in a growing/changing mesh network. In your situation I'd suggest static WDS. Do the bridge interface names need to be the same on both units? No, does...
by tneumann
Wed Apr 11, 2007 10:51 pm
Forum: Wireless Networking
Topic: Wireless Repeater help
Replies: 8
Views: 1575

Configure both units to communicate with each other via WDS, create bridges on both units and add the WDS interfaces to the bridges. Run the hotspot on the bridge interface of the first unit.

--Tom
by tneumann
Wed Apr 11, 2007 12:30 pm
Forum: General
Topic: bridge & MAC address
Replies: 8
Views: 1966

Well, initially you said that the MT is configured as a bridge, now you say it is configured as a router... As already written in the other thread discussing the same thing: A router is not transparent to MAC addresses. If you absolutely must see the clients MAC addresses at the billing server then ...
by tneumann
Wed Apr 11, 2007 9:45 am
Forum: General
Topic: Sending the computer MAC
Replies: 1
Views: 606

Aren't you discussing the same setup in http://forum.mikrotik.com//viewtopic.php?t=15026 ? Anyway, as long as your MT device is routing and not bridging the billing server will always only see the MAC address of the MT device, never of any clients on the other side of the MT device. This is a fundam...
by tneumann
Wed Apr 11, 2007 9:39 am
Forum: General
Topic: bridge & MAC address
Replies: 8
Views: 1966

Now you're confusing me. At the start of this discussion (your first posting) you stated that the station's MAC address is seen, now you're telling us it's the MAC address of the MT router... so which one is it?

--Tom
by tneumann
Tue Apr 10, 2007 10:59 pm
Forum: General
Topic: Interconnection two LAN's in the same IP range.
Replies: 9
Views: 2076

I tried dstnat with action netmap and it seems to work.
Yep, thought so. Good job! Maybe you can document your solution in the Wiki once you're completely sure that it works as intended.

--Tom
by tneumann
Tue Apr 10, 2007 4:38 pm
Forum: General
Topic: Mikrotik stops routing
Replies: 2
Views: 819

Does the switch to which you've plugged all three ethernet ports at least support VLANs and did you create separate VLANs / port groups for the three network segments, or is the switch one 'flat' layer 2 device and all three network segments end up being connected to each other? If the latter is the...
by tneumann
Tue Apr 10, 2007 8:23 am
Forum: Wireless Networking
Topic: How to create station/client bridge without WDS?
Replies: 3
Views: 1155

RouterOS 3.0-beta is the first version to have that feature, 2.9 and earlier don't.

--Tom
by tneumann
Mon Apr 09, 2007 3:18 pm
Forum: General
Topic: Want to STOP Downloading
Replies: 6
Views: 1247

Is your 'transparent proxy' setup working at all with this configuration and just the blocking of '*.zip' and '*.exe' does not work or does the transparent proxy not work at all?

--Tom
by tneumann
Mon Apr 09, 2007 3:04 pm
Forum: General
Topic: disable web access - leave access to graphs
Replies: 3
Views: 2255

I don't think it can be done on the router itself, but a possible solution would be to setup an Apache webserver from where you'd reverse-proxy relevant parts of the URL-space to graph display pages on the router. For this it is especially convenient that the queue name is part of the URL, which is ...
by tneumann
Mon Apr 09, 2007 1:29 pm
Forum: General
Topic: Want to STOP Downloading
Replies: 6
Views: 1247

Well, it worked fine for me (I did test it before I posted my reply). Can you post an export of the relevant parts of your configuration?

--Tom
by tneumann
Mon Apr 09, 2007 11:14 am
Forum: General
Topic: Interconnection two LAN's in the same IP range.
Replies: 9
Views: 2076

My post was not asking for a solution, just asking if there is something similar possible, maybe with some other router, or, at least, in theory. Conceptually this can be solved with address translation of both networks in both directions. To recite your example with networks A and B both using 10....
by tneumann
Mon Apr 09, 2007 9:23 am
Forum: General
Topic: Want to STOP Downloading
Replies: 6
Views: 1247

/ ip proxy access add path="*.zip" action=deny
/ ip proxy access add path="*.exe" action=deny
--Tom
by tneumann
Sun Apr 08, 2007 5:45 pm
Forum: General
Topic: passthrough between the interfaces
Replies: 1
Views: 601

The only thing that comes close to what you describe would be bridging. Whether this would fit your needs and would even be possible with your ISP connection depends on a lot of details that you unfortunately did not provide...

--Tom
by tneumann
Sat Apr 07, 2007 11:05 pm
Forum: General
Topic: bridge & MAC address
Replies: 8
Views: 1966

Both sides of the connection (AP and station) must support WDS and must be configured to use it. If your Senao station does not support WDS then you will not be able to achieve transparent bridging and would need to replace that station with other, more capable hardware.

--Tom
by tneumann
Sat Apr 07, 2007 5:44 pm
Forum: General
Topic: Port
Replies: 16
Views: 2693

fpascual,

you defined the 'knocking' to port 2031 with UDP, but telnet uses TCP, hence you can not use a telnet to port 2031 to do the knocking...

You'd need a special tool that sends a UDP packet to port 2031, or change the knocking rule to use TCP, then you can use telnet just like you did.

--Tom
by tneumann
Sat Apr 07, 2007 3:27 pm
Forum: General
Topic: bridge & MAC address
Replies: 8
Views: 1966

Make sure you're using WDS on the link 'STATION ---> Access Point (MT RB)'

--Tom
by tneumann
Thu Apr 05, 2007 11:37 pm
Forum: General
Topic: network bifurcation
Replies: 7
Views: 1411

if he knows he wouldnt be here asking for a solution or an idea .. Well, yeah, for sure, but your comment did not help either. Ok, so the original question did not get any answers for several days by now. Can you think of reasons why this might be the case while at the same time several other discu...
by tneumann
Thu Apr 05, 2007 8:21 am
Forum: General
Topic: vlan on local network with nat
Replies: 5
Views: 1084

Well, I think there's no official name for that feature. Vendors call it whatever they want, I guess. For example, Allied-Telesyn calls it Protected Ports VLAN in the following document (chapter 27) http://www.alliedtelesyn.com/media/datasheets/s62-mi_ug_b_v140.pdf I've seen other names for the same...
by tneumann
Wed Apr 04, 2007 7:50 pm
Forum: General
Topic: vlan on local network with nat
Replies: 5
Views: 1084

The VLAN solution that savage outlined will work just fine, although nowadays there are more elegant solutions available. You might want to get a switch that does support the private VLAN feature. Private VLANs are VLANs that block direct communication between all connected devices but allow all of ...
by tneumann
Mon Apr 02, 2007 9:25 pm
Forum: General
Topic: Small LAN Based ISP
Replies: 1
Views: 824

Re: Small LAN Based ISP

1) Will i need any other server or router for PPPoE Server. 2) Will MikroTik will authenticate the users of i will need FreeRadius and MySql 3) Can i Limit Users for 64KUP 128K Down 4) Can i use Windows PPPoE Client or i will need some other Client 5) Can MikroTik work as a Web Proxy 1) No other de...
by tneumann
Mon Apr 02, 2007 8:36 am
Forum: General
Topic: Policy to Group
Replies: 13
Views: 1847

I am NOT going to use any authentication method
I understand that you do not want your users to authenticate, but nevertheless you could still use a hotspot or not. So what will it be?


--Tom
by tneumann
Sun Apr 01, 2007 9:43 pm
Forum: General
Topic: Routing issue - virtual AP's
Replies: 1
Views: 714

edspoon what do you mean by "make it see the marks on virtual AP's farther out" ? A routing-mark by itself is local to the router where it is defined and assigned. Unlike IP TOS bits or ethernet 802.1p priority information it is never written to a packet and thus can not travel from one router/AP to...
by tneumann
Sun Apr 01, 2007 12:35 pm
Forum: General
Topic: Policy to Group
Replies: 13
Views: 1847

Do you plan to use the MikroTik router as a hotspot or not? (Hotspot will give you more options to implement your requirements, IMHO).

--Tom
by tneumann
Sat Mar 31, 2007 5:45 pm
Forum: Wireless Networking
Topic: Regarding WIFI(Lan Sharing problem)
Replies: 2
Views: 639

Disable default-forwarding on the wireless interface. See the manual at

http://www.mikrotik.com/testdocs/ros/2. ... reless.php

on how to do this.

--Tom
by tneumann
Sat Mar 31, 2007 1:36 pm
Forum: General
Topic: Policy to Group
Replies: 13
Views: 1847

If you do not want to use any authentification, how do you plan to identify users and (after having identified them) determine to what group they belong?

--Tom
by tneumann
Mon Mar 26, 2007 11:26 pm
Forum: General
Topic: Lost Password
Replies: 4
Views: 1099

netinstall (erasing current configuration), then import backup of current configuration and set admin password right after that and before logging out.

--Tom
by tneumann
Mon Mar 26, 2007 7:22 pm
Forum: Wireless Networking
Topic: Linking Bridges wirlelessly
Replies: 1
Views: 739

You might try to run tagged vlans over the WDS links and then add the vlan interfaces as bridge ports where appropriate...

--Tom
by tneumann
Mon Mar 26, 2007 4:19 pm
Forum: Wireless Networking
Topic: Will this work on Microtik Hotspot
Replies: 5
Views: 1317

Usually this is done with Radius-Peering and using a Radius server that can proxy/relay requests to the cooperating ISP's Radius depending on the chosen realm of the connecting user.

--Tom
by tneumann
Sun Mar 25, 2007 12:54 am
Forum: General
Topic: Is it possible - identify by switch port ?
Replies: 9
Views: 2337

-Then through php I'll retrieve their mac address -through telnet I'll create mikrotik account This would be a lot cleaner and more reliable using radius (like I already suggested) with an underlying SQL database, then you'd need none of that ugly telnet and MAC-address-retrieval voodo. With radius...
by tneumann
Sun Mar 25, 2007 12:28 am
Forum: Wireless Networking
Topic: Bridging Transparent Multiple Wireless networks
Replies: 2
Views: 840

You need to use WDS between the AP and the stations and bridge the ethernet with the WDS interfaces.

--Tom
by tneumann
Sun Mar 25, 2007 12:26 am
Forum: General
Topic: Is it possible - identify by switch port ?
Replies: 9
Views: 2337

Even if you find and install a switch that can set an individual MAC address for each VLAN, how would the MAC address of that switch port ever be communicated to the MikroTik router? All you will ever see on the MikroTik router is the MAC address of a client that is connected to that switch ports, b...
by tneumann
Fri Mar 23, 2007 6:19 pm
Forum: Wireless Networking
Topic: ip address issue
Replies: 5
Views: 1223

192.168.2.0 is the network base address of 192.168.2.0/24 and therefore should not be the configured address of an interface.

--Tom
by tneumann
Thu Mar 22, 2007 11:32 pm
Forum: General
Topic: mac authentication and pppoe
Replies: 1
Views: 613

Use radius and check for Calling-Station-Id attribute in access request.

--Tom
by tneumann
Thu Mar 22, 2007 3:18 pm
Forum: General
Topic: How It is POSSIBLE
Replies: 7
Views: 1240

The Mikrotik Discovery Protocol operates on layer 2 and is indenpendant from IP addresses. It appears that there are other Mikrotik devices (owned and operated by another ISP) in the same broadcast domain as your devices. If you're using a shared network that you and the other operators agreed on us...
by tneumann
Wed Mar 21, 2007 6:23 pm
Forum: General
Topic: Need to somehow pass traffic transparently
Replies: 1
Views: 765

You are probably seeing MTU/MSS problems with your PPPoE users. Search for Path MTU Discovery (PMTUD) and MSS clamping.

--Tom
by tneumann
Wed Mar 21, 2007 12:59 am
Forum: General
Topic: Running hotspot on bridge??
Replies: 5
Views: 1587

It appears that your hotspot's default gateway is on address 10.1.0.1, which is part of the hotspot network itself and thus connected to the interface that the hotspot is active on (bridge1). That is not a good design. You should have a separate client-facing interface on which you run the hotspot a...
by tneumann
Tue Mar 20, 2007 7:44 pm
Forum: General
Topic: How to route network on IP?
Replies: 1
Views: 621

/ip route add dst-address=2.2.2.8/29 gateway=2.2.2.5
by tneumann
Sun Mar 11, 2007 11:49 am
Forum: General
Topic: Remote log
Replies: 1
Views: 697

Install a syslog server on your Linux machine and configure your routers to send remote logging to that server.

See the manual at http://www.mikrotik.com/testdocs/ros/2. ... ogging.php for details.

--Tom
by tneumann
Sun Mar 11, 2007 1:48 am
Forum: General
Topic: OSPF-out filter not working
Replies: 13
Views: 3057

/routing ospf status lsa print external no such command or directory (status) I believe that command is for v3beta and not supported on RouterOS 2.9 I do want to filter external routes... in-between areas. Yeah, the routing information initially came from an external source, but the place where you...
by tneumann
Sat Mar 10, 2007 5:06 pm
Forum: General
Topic: SMTP over l2tp
Replies: 2
Views: 812

Why do you need dst-nat at all when you're already using a VPN tunnel (L2TP)? Can't you just access the SMTP server directly over the tunnel, without any NAT?

--Tom
by tneumann
Sat Mar 10, 2007 11:30 am
Forum: General
Topic: Hotspot Radius auto-logoff
Replies: 13
Views: 3735

I've uploaded parts of the setup that I'm using with the Radiator radius server and a PostgreSQL database. See the following URL http://www.gosingen.net/mt/radius/ It's probably very specific to my local setup and mostly useless for everybody else given its lack of documentation, but anyway, maybe y...
by tneumann
Fri Mar 09, 2007 10:12 am
Forum: General
Topic: OSPF-out filter not working
Replies: 13
Views: 3057

Richard, OK, I kind of missed that you were specifically talking about inter-area filtering (though you clearly said so, I should have read your post more carfully). What I wrote about routers not being allowed to suppress LSAs is true within one area, inter-area is a different thing and of course r...
by tneumann
Thu Mar 08, 2007 10:55 pm
Forum: General
Topic: OSPF-out filter not working
Replies: 13
Views: 3057

When I put in the filters, they seem to apply to what routes that particular router generates only. Correct, and that's exactly how it should be. Example, I have a MT as a ABR between to areas, I only want to propagate some routes between the borders. This can not be done with OSPF filters. An OSPF...
by tneumann
Tue Mar 06, 2007 12:35 am
Forum: General
Topic: NetBios traffic over a VPN
Replies: 11
Views: 6369

Interesting the Linksys ones do this - I might investigate them further and see what kind of magic it is. Usually UDP broadcast forwarding, think DHCP relay with a different destination port (137 instead of 67). Anyway, I agree that a WINS server is a much cleaner solution. And while we are at it, ...
by tneumann
Sat Mar 03, 2007 11:32 am
Forum: Wireless Networking
Topic: Hotspot authentication several users behind 1 CPE antenna.
Replies: 8
Views: 1451

But how should my topologie look like when using MT base CPE´s?
Set them up as ´bridge´ (bridge all interfaces) and have a hub/switch behind them to connect to different users of the HotSpot?
Yes, and you need to use station-wds on the CPE to get transparent bridging.

--Tom
by tneumann
Fri Mar 02, 2007 11:31 pm
Forum: Wireless Networking
Topic: Hotspot authentication several users behind 1 CPE antenna.
Replies: 8
Views: 1451

The client CPE´s are all SmartBridges, I can´t actually change their behaviour I think. Well, then you'll have no way to fix this. Get another brand of CPE, one that does support fully transparent bridging (which - in the context of 802.11 - means WDS) or ask SmartBridges if they can tell you how t...
by tneumann
Fri Mar 02, 2007 4:38 pm
Forum: General
Topic: wrong time in clock system
Replies: 1
Views: 733

Synchronize your router to a NTP server.

--Tom
by tneumann
Wed Feb 28, 2007 10:57 pm
Forum: General
Topic: OSPF and PPPOE nightmare!
Replies: 42
Views: 17914

I know this, read this and tried this. From the config export you posted in an earlier message I'd say that you did not, at least the config you posted does not include a non-backbone area. If you did in fact try a multi-area setup then could you please post that configuration export as well? --Tom
by tneumann
Wed Feb 28, 2007 3:34 pm
Forum: General
Topic: OSPF and PPPOE nightmare!
Replies: 42
Views: 17914

magic, area ranges defined under /routing ospf area range are only relevant with inter-area routing; the range is used for summarization when routing information passes from one area into another, usually from non-backbone to backbone. OSPF also supports summarization of external routing information...
by tneumann
Tue Feb 27, 2007 2:22 pm
Forum: General
Topic: OSPF and PPPOE nightmare!
Replies: 42
Views: 17914

magic,

from your configuration I see that you did not define an OSPF area for the PPPoE range - all you have is the backbone area.

You need to define an additional (non-backbone) area to be summarized and put your PPPoE addresses into that area.

--Tom
by tneumann
Sun Feb 25, 2007 10:28 pm
Forum: General
Topic: reply-only problem.......
Replies: 14
Views: 2157

larmaid, Your IP setup looks OK with the IP address on the bridge interface and no IP addresses on the ether interfaces, but please recall what I already wrote: ARP has no meaning on interfaces that do not have IP configured. That alone practically answers your question: As there are no IP addresses...
by tneumann
Sun Feb 25, 2007 9:54 pm
Forum: General
Topic: reply-only problem.......
Replies: 14
Views: 2157

can any intruder get in by making his parameter like this :

192.168.1.101 mac 11:11:11:11:11:11
On a hotspot? Or on a plain IP interface?

--Tom
by tneumann
Sat Feb 24, 2007 11:30 pm
Forum: General
Topic: reply-only problem.......
Replies: 14
Views: 2157

If you have ether1,ether2,ether3 joined into a bridge then you should assign the IP address to the bridge interface and not assign any IP addresses to any of the physical ports ether1,ether2,ether3. Because all ARP related settings are only relevant for interfaces that have an IP address assigned (w...
by tneumann
Mon Feb 19, 2007 9:53 pm
Forum: General
Topic: Hotspot and vpn
Replies: 3
Views: 1031

Art, Hotspot requires transparent layer 2 connectivity between the router and the client. You can terminate VPN tunnels into a hotspot, but for this to be useful you'd need to configure EoIP on top of the VPN, run the hotspot on a bridge interface and make the EoIP interfaces member ports of the bri...
by tneumann
Mon Feb 19, 2007 3:25 pm
Forum: General
Topic: Blocking an OSPF Peer
Replies: 7
Views: 1144

janisk, you're right. As I wrote in my first reply I find believewireless' question rather strange and fail to see the point behind what he's trying to do. Maybe he'll enlighten us.

--Tom
by tneumann
Mon Feb 19, 2007 1:18 pm
Forum: General
Topic: Blocking an OSPF Peer
Replies: 7
Views: 1144

MT1 still will be able to connect to MT3 because MT2 will anounce MT3 network to MT1 if you set redistribute connected In the sense they they will be able to pass traffic between each other, yes, sure (if that would be the issue then thats what firewall filters are for). But they will not form an O...
by tneumann
Mon Feb 19, 2007 1:12 pm
Forum: General
Topic: Blocking an OSPF Peer
Replies: 7
Views: 1144

if mt supports it you can set ospf cost or priority i don`t remember which one it is to 0
That does only prohibit an OSPF router from becoming DR for a broadcast domain.

--Tom
by tneumann
Fri Feb 16, 2007 9:10 pm
Forum: General
Topic: Blocking an OSPF Peer
Replies: 7
Views: 1144

You could install firewall filters in the input chain of router-1 and router-3 where the filters on router-1 would block traffic with a source IP of router-3 and protocol=ospf (Protocol 89) and the filters on router-3 would block packets with a source IP of router-1 and protocol=ospf. Whether it is ...
by tneumann
Thu Feb 15, 2007 6:47 pm
Forum: General
Topic: OSPF and Default Route
Replies: 5
Views: 1195

Some config export would be helpful, so that we can see more about your OSPF areas and how interfaces are assigned to areas etc...

--Tom
by tneumann
Wed Feb 14, 2007 8:56 am
Forum: General
Topic: OSPF and Default Route
Replies: 5
Views: 1195

What do you mean by 'is for another interface'? Can you describe it in more detail and maybe post the relevant parts of your config?

--Tom
by tneumann
Sun Feb 11, 2007 11:19 pm
Forum: General
Topic: NetBios traffic over a VPN
Replies: 11
Views: 6369

As long as it is NetBIOS over IP (and not NetBEUI, which can't be routed) then it is just IP traffic like any other IP packets, so you do not need to do anything special with your VPN to make this work. If you're talking about what can be 'seen' in Windows Network Neighborhood then that's a differen...
by tneumann
Sun Feb 11, 2007 3:30 pm
Forum: Wireless Networking
Topic: Need help! for routing config!
Replies: 6
Views: 1229

Your problem is that both the AP and the station are using 192.168.1.0/24 on their LAN interfaces. You need to use different, non-overlapping networks on the AP and the station(s) otherwise routing will not be possible.

--Tom
by tneumann
Wed Feb 07, 2007 12:41 am
Forum: General
Topic: Pass netbios over a bridge
Replies: 12
Views: 2831

If the wlan and the ethernet interfaces are correctly bridged they will transparently pass any traffic between each other, including NetBIOS. There are no special settings needed.

--Tom
by tneumann
Sat Feb 03, 2007 8:20 pm
Forum: General
Topic: Block PPPOE Requests How-To
Replies: 1
Views: 881

by tneumann
Sat Feb 03, 2007 8:13 pm
Forum: Wireless Networking
Topic: MT v3.0b5 - CSMA Disable Throughput Data
Replies: 14
Views: 12822

The CPE automatically adapts to the frame size of the AP, you don't need to set it on the CPE.

--Tom
by tneumann
Fri Feb 02, 2007 1:27 am
Forum: General
Topic: Only allow registered mac adresses to authenicate PPPOE
Replies: 14
Views: 4011

Going back to your initial question where you talked about access-list and registation-table, it appears that you're trying to run PPPoE on wireless interfaces, right? Because the features you mention (access list, registration table) are only relevant for wireless. Well, the access-list is meant to...
by tneumann
Thu Feb 01, 2007 11:37 pm
Forum: General
Topic: Only allow registered mac adresses to authenicate PPPOE
Replies: 14
Views: 4011

set ip arp to reply-only and register mac adresses you want to authenticate with your PPPoE service Setting ARP to 'reply-only' will probably not help in this case. The functionality of ARP is only relevant for the IP protocol (as is provides a mapping of MAC addresses to IP addresses) but the MAC ...
by tneumann
Thu Feb 01, 2007 1:35 am
Forum: General
Topic: PPPOE and HOTSPOT
Replies: 2
Views: 640

When a user connects with PPPoE he can not use the hotspot and vice versa.

--Tom
by tneumann
Tue Jan 30, 2007 9:36 pm
Forum: Wireless Networking
Topic: hotspot with multipath route
Replies: 8
Views: 1960

Mikrotik-Group is indeed the correct Radius reply item to send back to the router with the Access-Accept message. The value of Mikrotik-Group should be the name of the profile and a profile with that name needs to already exist under /ip hotspot user profile on the router. Check your user profiles ...
by tneumann
Tue Jan 30, 2007 7:33 pm
Forum: General
Topic: [ask] bridging rule
Replies: 21
Views: 2216

ether 1 - with ip = 10.10.1.1/255.255.0.0 (local) (reply only) ether 2 - with ip = 10.10.2.1/255.255.0.0 (local) ether 3 - with ip = 10.10.3.1/255.255.0.0 (local) Address overlap... they're all 10.10/16 what i want to is all ether can connect each other without to creat a bridge.....!!!!! Well, if ...
by tneumann
Tue Jan 30, 2007 7:26 pm
Forum: Wireless Networking
Topic: inter-operability
Replies: 4
Views: 797

It wasn't clear from your first description that you're using WDS. Now what you said about the WDS setup of the 15 MikroTik routers that make up your campus wide network basically sounds OK (if they do WDS then indeed they need to 'see' each other, use the same channel etc.) But what about the Links...
by tneumann
Tue Jan 30, 2007 4:29 pm
Forum: Wireless Networking
Topic: inter-operability
Replies: 4
Views: 797

Are the indoor access-points connected to the outdoor MikroTik? If so, how are they connected and what's the network topology like? As for interference, it's a bad idea to run several access-points on the same frequency/channel if their RF signal coverage might overlap. You should specifically avoid...
by tneumann
Tue Jan 30, 2007 3:30 pm
Forum: General
Topic: Simple question (PHP)
Replies: 12
Views: 1591

Re: Simple question (PHP)

Does Mikrotik support PHP (hotspot).
On the router itself? No.

--Tom
by tneumann
Tue Jan 30, 2007 12:43 pm
Forum: Wireless Networking
Topic: hotspot with multipath route
Replies: 8
Views: 1960

Here's what you could try to do 1) Set up two different hotspot user profiles (groups), see http://www.mikrotik.com/testdocs/ros/2.9/guide/aaa_hotspot.php?permalink=0.13474025974025974 and set the incoming-packet-mark differently for each profile, let's say you assign incoming-packet-mark hs_group_a...
by tneumann
Tue Jan 30, 2007 11:57 am
Forum: Wireless Networking
Topic: TDM over IP (Wireless) help
Replies: 9
Views: 2144

If you're seeing 46ms latency on a wired ethernet link (crossover cable) then either the CPU of your routers is maxed out or you are having serious problems on that ethernet link (bad cable, failed auto-negotiation, duplex mismatch etc.)

Latency should be much lower under normal conditions.

--Tom
by tneumann
Mon Jan 29, 2007 12:17 pm
Forum: General
Topic: bridge Ethernet and Vlan interface
Replies: 19
Views: 4174

We use the same address range on different VLANs, because it is the most correct variant.
Yeah, right... Nevermind, I give up :shock:

--Tom
by tneumann
Sun Jan 28, 2007 4:47 pm
Forum: Wireless Networking
Topic: TDM over IP (Wireless) help
Replies: 9
Views: 2144

Standard nstream is half-duplex. The main point of nstream2 compared to nstream is to make it possible to build full-duplex links...

--Tom
by tneumann
Fri Jan 26, 2007 4:54 pm
Forum: General
Topic: bridge Ethernet and Vlan interface
Replies: 19
Views: 4174

Your network design is broken, as JJCinAZ already said. For example, in your network diagram addresses from the 192.168.3.0/24 network appear to be used on all three VLANs (Vlan1, Vlan2 and Vlan3). How is that supposed to work and what is the intention behind this? The same is true for 192.168.1.0/2...
by tneumann
Thu Jan 25, 2007 6:13 pm
Forum: General
Topic: bridge Ethernet and Vlan interface
Replies: 19
Views: 4174

It's not about the VLAN Id. The problem is that you have a VLAN defined on physical interface ether1 and then you are throwing ether1 and that VLAN together into one bridge. It's not a good idea to bridge a VLAN with the physical interface that this VLAN itself is defined upon. Why would that ever b...
by tneumann
Thu Jan 25, 2007 1:00 am
Forum: General
Topic: bridge Ethernet and Vlan interface
Replies: 19
Views: 4174

It doesn't make sense to have vlan1 and the native interface bridged because vlan1 is the native/default vlan anyway.
Yeah, that's what I've been telling him about five posts ago...

--Tom
by tneumann
Wed Jan 24, 2007 12:22 pm
Forum: General
Topic: bridge Ethernet and Vlan interface
Replies: 19
Views: 4174

It should work, but let's just hope that vlan1 is not defined on physical port ether1 itself, or is it?

--Tom
by tneumann
Sun Jan 21, 2007 8:10 pm
Forum: General
Topic: network other than pppoe dosent browse--PLZ HELP
Replies: 2
Views: 571

If you can ping and traceroute but TCP sessions appear to hang, it could be MTU problems in combination with broken Path MTU Discovery.

--Tom
by tneumann
Sat Jan 20, 2007 8:56 pm
Forum: General
Topic: Configuring VLAN between Cisco 1900 and RouterBoard 500
Replies: 6
Views: 1685

any one know if a cisco 2900 which supports vlans, woudl be compatable with vlan tagging on MT 2.9.39? Depends on the model and the installed IOS version. Any version that supports dot1q will do, versions that only support ISL will not work. All currently not EOL'd Catalyst 2900 versions (such as 2...
by tneumann
Wed Jan 17, 2007 1:55 pm
Forum: General
Topic: 10 VLANs with 1 DHCP Pool
Replies: 13
Views: 1732

sisw, it is perfectly normal for a router to provide layer 3 connectivity between it's interfaces. That's what a router is for, after all, and that is what is happening between your VLAN interfaces. If you want to restrict the communication between certain interfaces you need to add firewall filter ...
by tneumann
Sun Jan 14, 2007 8:42 pm
Forum: Wireless Networking
Topic: Bridge AP mode
Replies: 9
Views: 1554

Is there anywhere I can learn more about mikrotik? I've looked over the manual many times but find it difficult to follow at times. The Wiki at http://wiki.mikrotik.com/wiki/Main_Page offers more information on some topics and is more tutorial-like than the manual, which is more of a reference than...
by tneumann
Sun Jan 14, 2007 8:15 pm
Forum: Wireless Networking
Topic: Bridge AP mode
Replies: 9
Views: 1554

Create a bridge and add the wlan and the ether ports to the bridge but do not configure any IP address on neither the wlan nor the ether interface. Configure the IP address on the bridge interface instead.

--Tom
by tneumann
Sun Jan 14, 2007 3:11 pm
Forum: General
Topic: [RFC] Network Build for Student Accommodation Network
Replies: 7
Views: 1196

Yes, I have untagged frames on ether2. I would like to know why they're being picked up on vlan101 - shouldn't the vlan interfaces ignore all untagged?
Yes, they should not appear on the VLAN interface. Maybe you should have MT support look into this, could be a bug...

--Tom
by tneumann
Sat Jan 13, 2007 6:40 pm
Forum: General
Topic: Configuring VLAN between Cisco 1900 and RouterBoard 500
Replies: 6
Views: 1685

Cisco Catalyst 1900 ? Really? That's ancient! Where did you get that one from? Anyway, the Catalyst 1900 does not support 802.1q VLAN tagging/trunking, it only supports the older, Cisco proprietary ISL protocol, which is not compatible with other vendors, including MikroTik RouterOS. You will probab...
by tneumann
Sat Jan 13, 2007 4:41 pm
Forum: General
Topic: [RFC] Network Build for Student Accommodation Network
Replies: 7
Views: 1196

So on each of these three bridges (one per campus?) you are bridging together one "VLAN for PPPoE" and one "VLAN for hotspot"? If so, I would recommend against this design because then you'll end up running a PPPoE server and a hotspot on a common interface (the bridge interface), which is something...
by tneumann
Thu Jan 11, 2007 9:15 am
Forum: Wireless Networking
Topic: Hotspot Customers and PPPoE Customers
Replies: 3
Views: 739

Create virtual access points (see the RouterOS manual) and run hotspot and PPPoE on different virtual access points (and thus on different interfaces).

--Tom
by tneumann
Wed Jan 10, 2007 7:41 pm
Forum: General
Topic: EOIP/ARP problems
Replies: 5
Views: 2213

Re: EOIP/ARP problems

EoIP tunnel is bridged with Eth1. When we try to give Eth1 an IP address in same segment we cannot ping it
When Eth1 is a member port of a bridge then do not assign an IP address to Eth1 directly. Assign the IP address to the bridge interface instead.

--Tom
by tneumann
Tue Jan 09, 2007 11:21 am
Forum: General
Topic: Hotspot Radius auto-logoff
Replies: 13
Views: 3735

You need to send a Session-Timeout radius reply item from the radius server to the MikroTik router when the user connects. The Session-Timeout reply item holds the number of seconds that the session will be allowed to last in total; after that number of seconds the session will be disconnected by th...
by tneumann
Sun Jan 07, 2007 8:55 pm
Forum: General
Topic: 10 VLANs with 1 DHCP Pool
Replies: 13
Views: 1732

isn't adding 10 vlans into a bridge the same thing as not using vlans? Basically yes, but it gives you the ability to put layer 2 filters between the vlans. This is useful in situations where layer 2 connectivity is called for (such as for hotspot) but you would like to gain more control over the c...
by tneumann
Sun Jan 07, 2007 7:50 pm
Forum: General
Topic: OSPF issue with Cisco 2800 router [solved]
Replies: 10
Views: 4303

From the Mikrotik I can ping 224.0.0.5 and get a reply from the Cisco Router from the Cisco's interface IP. The Mikrotik does not reply. Pinging the multicast address is meaningless. Please post the output of /routing ospf export from the MikroTik router here, and -if possible- the complete running...
by tneumann
Sun Jan 07, 2007 7:45 pm
Forum: General
Topic: OSPF issue with Cisco 2800 router [solved]
Replies: 10
Views: 4303

Re: OSPF issue with Cisco 2800 router

IIf you have input rules in the firewall will this block the multicast traffic and Hello packets coming to the Mikrotik Yes, if the filter rules are not configured to allow for OSPF then it will be dropped. Routing protocol traffic does not automatically bypass firewall filters. Are you running rou...
by tneumann
Sun Jan 07, 2007 12:07 am
Forum: General
Topic: Bridge IPX over PPTP tunnel
Replies: 0
Views: 645

RouterOS itself does not support IPX routing. The only option you have is to create an EoIP tunnel on top of the VPN and then bridge the IPX packets over the EoIP tunnel.

--Tom
by tneumann
Sat Jan 06, 2007 2:00 pm
Forum: Wireless Networking
Topic: roaming on Hotspots
Replies: 2
Views: 999

For roaming without having to re-login it would be better if you implement multiple access points (as much as needed for good RF coverage of your area) but only one hotspot gateway (that all the AP connect to). Why do you feel the need to implement multiple hotspot gateways?

--Tom
by tneumann
Sat Jan 06, 2007 2:34 am
Forum: General
Topic: OSPF and PPPOE nightmare!
Replies: 42
Views: 17914

gpienaar, can you describe your network topology in more detail? You can not have a chain of non-backbone areas in OSPF. Every non-backbone area must be connected to the backbone. You can not have a non-backbone area behind another non-backbone area. You should not try to use virtual links to try to...
by tneumann
Fri Jan 05, 2007 11:21 am
Forum: General
Topic: Hotspot on vlan of bridge
Replies: 7
Views: 1672

You should define your VLAN interfaces on top of a physical ethernet port and not on top of the bridge interface, and then you need to add the VLAN interfaces as member ports to the bridge. Then run the hotspot on the bridge interface.

--Tom
by tneumann
Thu Jan 04, 2007 10:16 pm
Forum: General
Topic: RouterOS "ARP syndrome" or "ARP leak"
Replies: 12
Views: 2573

What IP address did you set as default gateway on the Windows PC when you did your ping tests?

--Tom
by tneumann
Thu Jan 04, 2007 10:13 pm
Forum: Wireless Networking
Topic: antenna divirsity in RouterOS !
Replies: 6
Views: 1329

No. Antenna diversity is currently not supported by RouterOS.

--Tom
by tneumann
Thu Jan 04, 2007 10:09 pm
Forum: General
Topic: OSPF and PPPOE nightmare!
Replies: 42
Views: 17914

gpienaar, are you running routing-test or the legacy routing package? I do not want to create a OSPF on or inside a PPPOE link! Ok, so what do you want, then? Is your problem that a route to each PPPoE client is propagated through your entire network as soon as the new client connects? What do you e...
by tneumann
Thu Jan 04, 2007 7:37 pm
Forum: Wireless Networking
Topic: increase recieve sensitivity
Replies: 6
Views: 1573

i knew that if i received a low signal in mi 15 dbi omni and the AMP is connected to the omni , then this low signal will be amplified too with the amplifier , then it will make the signal clearer for the radio which is connected with the AMP , is that true ? Not, not clearer, just louder . Assume ...
by tneumann
Thu Jan 04, 2007 7:15 pm
Forum: General
Topic: 10 VLANs with 1 DHCP Pool
Replies: 13
Views: 1732

you could bridge the 10 vlans and setup the dhcp-server on the bridge interface. you'd need to add a drop all rule in bridge firewall forward chain. Yep, exactly. I'm running such a setup with a hotspot on the bridge interface and it works beautifully to prohibit direct client-to-client communicati...
by tneumann
Thu Jan 04, 2007 7:07 pm
Forum: General
Topic: RouterOS "ARP syndrome" or "ARP leak"
Replies: 12
Views: 2573

Re: RouterOS "ARP syndrome" or "ARP leak"

pavlik386, your test setup itself is based on an invalid network configuration. With these parameters ether1 192.168.101.12/24 ether2 192.168.102.12/24 ether3 192.168.103.12/24 ether4 192.168.104.12/24 ether5 192.168.105.12/24 Windows adapter list: Description . . . . . . . . . . . : NVIDIA nForce N...
by tneumann
Sun Dec 31, 2006 2:34 pm
Forum: Wireless Networking
Topic: increase recieve sensitivity
Replies: 6
Views: 1573

I think you are going the wrong way about this. The obvious idea of combining an amplifier with an omni antenna usually does not work very well. The reason is that tx-power and rx-resitivity are one thing (the amp does help with those, at least if all you do is look at the numbers) but the other, at...
by tneumann
Sat Dec 30, 2006 5:05 pm
Forum: General
Topic: PPPoE Architecture [solved, thanks to sten & tneumann]
Replies: 18
Views: 3391

Re: [Newbie] PPPoE Architecture

when we are connected from DSL Router, the connection is not stable.
What does that mean exactly? Can you describe your problems in more detail please?

--Tom
by tneumann
Fri Dec 29, 2006 12:49 am
Forum: General
Topic: Shared radius server
Replies: 11
Views: 1450

The radius server is sitting on mikrotik1
Ok, so you're using the RouterOS integrated userman package as a radius server?

--Tom
by tneumann
Thu Dec 28, 2006 11:54 pm
Forum: General
Topic: Shared radius server
Replies: 11
Views: 1450

I'm missing the radius server in your network picture...

Where/how is it connected?
by tneumann
Thu Dec 28, 2006 11:46 pm
Forum: General
Topic: PPPoE Server trouble
Replies: 6
Views: 1300

So I guess I will need a new AP that supports the necessary, and works. What you need is a combination of client radio and access point that seamlessly works together to provide a transparent bridge between each of your end users and the PPPoE server. In the 802.11 world this requirement translates...
by tneumann
Thu Dec 28, 2006 11:39 pm
Forum: General
Topic: Shared radius server
Replies: 11
Views: 1450

I'm not asking about NAT on your MikroTik routers but if there are any other routers between your MikroTik routers (which are the radius clients) and the radius server, and if there is NAT on any of these other routers that may be between your routers and the radius server...

--Tom
by tneumann
Thu Dec 28, 2006 11:34 pm
Forum: General
Topic: BaseStation, VLAN, PPPoE question.
Replies: 2
Views: 1260

Re: BaseStation, VLAN, PPPoE question.

Will PPPoE work by assigning clients a public IP even though they are coming from the basestation which has a private IP. Sure, because PPPoE itself is a protocol that runs on layer 2 of the network. Most people (myself included) prefer to avoid any IP configuration at all on client-facing interfac...
by tneumann
Thu Dec 28, 2006 11:11 pm
Forum: General
Topic: PPPoE Server trouble
Replies: 6
Views: 1300

The clients are going through a hub, with then links up to a Saneo AP configured in bridge mode connecting to my AP. Really a Senao AP connecting to your AP (AP to AP - WDS?) or is this rather a Senao client radio? If the Senao radio is acting as a client to your AP (which I assume is the case) and...
by tneumann
Thu Dec 28, 2006 10:58 pm
Forum: General
Topic: Shared radius server
Replies: 11
Views: 1450

Is there NAT between your routers and the radius server?
by tneumann
Thu Dec 28, 2006 1:10 am
Forum: Wireless Networking
Topic: F$*@ing Spam
Replies: 2
Views: 763

No, chain=output is for outgoing traffic originating from the MikroTik router itself, no coming from other devices behind the router that are sending outbound traffic through the router. You must use chain=forward for this.

Other than that your filter rule looks OK.

--Tom
by tneumann
Sat Dec 23, 2006 11:02 pm
Forum: General
Topic: RouterOS as DNS Server
Replies: 7
Views: 1615

Yeah, well, it's more like adding static entries to the cache. RouterOS does not implement enough of DNS to allow it to be an authorative server for a zone. It can only act as a (caching) resolver. But that's enough in my book, a router is a router and a DNS server is something else.

--Tom
by tneumann
Thu Dec 21, 2006 9:19 pm
Forum: General
Topic: RADIUS - how to not account local traffic
Replies: 9
Views: 2048

maybe the option is not working and it only left there for decoration to make sure that MT ROS is a rich feature RouterOS What option do you mean? The account-local-traffic option that plam40 was taking about? That pertains only to traffic that is originating from/destined to the router itself, see...
by tneumann
Thu Dec 21, 2006 7:34 pm
Forum: General
Topic: NAT with many VLAN Interfaces - all of them in same Subnet?
Replies: 3
Views: 1521

Re: NAT with many VLAN Interfaces - all of them in same Subn

Do you know any vendor of routers or routing-switches who do support such a config? No, not with VLAN (or Ethernet) interfaces for customer access. The problem is that VLAN and Ethernet interfaces are not Point-to-Point by nature, therefore they can not have "unnumbered" IP addressing, and even if ...
by tneumann
Thu Dec 21, 2006 4:12 pm
Forum: General
Topic: RADIUS - how to not account local traffic
Replies: 9
Views: 2048

If you need to do accounting based on source and/or destination addresses your only choice is probably NetFlow. Radius accounting has no knowledge of where the traffic comes from or where it goes to.

--Tom
by tneumann
Thu Dec 21, 2006 3:27 pm
Forum: General
Topic: NAT with many VLAN Interfaces - all of them in same Subnet?
Replies: 3
Views: 1521

Re: NAT with many VLAN Interfaces - all of them in same Subn

What i would need is to have many VLAN Interfaces (one per subscriber), each of them having assigned the same IP on the Mikrotik side Not possible. Map IP Segment 192.168.1.0/24 in VLAN Interface cust0001 to official IP 89.111.123.4 Map IP Segment 192.168.1.0/24 in VLAN Interface cust0002 to offici...
by tneumann
Tue Dec 19, 2006 1:28 am
Forum: General
Topic: connection limit ( ok Im borring a little bit )
Replies: 60
Views: 12194

As you have given 32 for the netmask the limit will apply per each individual IP address. This is in the manual, by the way...

And you should use tcp-flags=syn with that rule, so that it only applies to TCP session setup.

--Tom
by tneumann
Tue Dec 12, 2006 10:56 pm
Forum: General
Topic: Huge list in ARP List
Replies: 3
Views: 1277

/ip arp
print from=[find address=A.B.C.D]
by tneumann
Tue Dec 12, 2006 11:04 am
Forum: General
Topic: 2 bgp peer auto failover how to?
Replies: 2
Views: 1014

That is not the way BGP is supposed to work. You should always advertise your network to both peers (and learn routes from both), and if you want to prefer one peer over do other when both are online then you can play tricks with AS PATH length, local preference and MED. There is no active/standy co...
by tneumann
Sun Dec 10, 2006 11:01 pm
Forum: General
Topic: Clarification of DNS settings please
Replies: 5
Views: 1240

When you have it switched off then clients can not use the router as a resolver at all; you need to configure your clients to use some other nameservers that are external to the router in this case. If you set it to on then clients may use the router as a resolver and it will forward the requests to...
by tneumann
Sun Dec 03, 2006 7:01 pm
Forum: General
Topic: Route filters works, but trespassing
Replies: 1
Views: 703

Link state protocols such as OSPF can only filter which routes are actually installed into a routers local routing table, but they are by definition not allowed to exclude selected LSAs from their advertisements, as this would break the link state calculation on other routers. Therefore filtering ro...
by tneumann
Tue Nov 28, 2006 2:01 pm
Forum: General
Topic: HELP-cant connect to local network
Replies: 3
Views: 868

Did you define the required static ARP entries after you've disabled dynamic ARP functionality?

--Tom
by tneumann
Wed Nov 15, 2006 9:38 am
Forum: General
Topic: Routed Network With PPtp Tunnel & Hotspot
Replies: 2
Views: 1118

What kind of VPN tunnel did you install between the end-router and the hotspot? You need to be aware that there needs to be transparent layer 2 connectivity between the client and the hotspot. In your situation that would only leave EoIP as the only possible VPN tunnel type, which would need RouterO...
by tneumann
Sat Nov 11, 2006 1:07 am
Forum: Wireless Networking
Topic: VLANs and Virtual AP's
Replies: 30
Views: 43010

- Create vlan interfaces on ether1
- Create virtual access point interfaces
- Create a bridge for each pair of virtual-AP and VLAN interface that should go together
- Do NOT included the native ether1 interface in any bridge


--Tom
by tneumann
Thu Nov 02, 2006 4:20 pm
Forum: General
Topic: OSPF Configuration
Replies: 3
Views: 1180

so on the area border routers, i need to redistribute default route? You have to decide how much routing information needs to be visible inside the non-backbone areas for them to achieve optimal routing decisions. If they have only one gateway towards the backbone anyway, then yes, only injecting a...
by tneumann
Wed Nov 01, 2006 9:48 pm
Forum: General
Topic: Please, need advice on SDH connection to a MT
Replies: 8
Views: 2056

The only noteworthy thing I can see in that configuration is the fixed speed- and duplex setting of on of the ethernet interfaces, where auto-negotiation is turned off and it is nailed to 100-fdx. Maybe the Huawei modem also has auto-negotiation disabled with a fixed setting off 100-fdx. In that cas...
by tneumann
Wed Nov 01, 2006 3:52 pm
Forum: General
Topic: Please, need advice on SDH connection to a MT
Replies: 8
Views: 2056

Re: Please, need advice on SDH connection to a MT

We have a CISCO router connected its fastethernet to a SDH How is that supposed to work? SDH and ethernet are different interface types, you should not plug one into the other... Or maybe you did not give us the whole picture and there is "something" between the Cisco's fastethernet port and your S...
by tneumann
Wed Nov 01, 2006 2:43 pm
Forum: General
Topic: netbios not working between bridged interfaces
Replies: 14
Views: 2668

The Static DNS entries are a good idea for a "work around", Explaining to customers they have to manually add every new machine when they can buy an AP for $25.00 that will do it right out of the box is a bit tricky......... So what does that $25 AP do different in your opinion? What algorithm or t...
by tneumann
Sun Oct 29, 2006 5:22 pm
Forum: General
Topic: Building a 3000+ CPE network, looking for advice
Replies: 18
Views: 4698

It is difficult to propose a solution without knowing your network topology, however with that number of nodes I'd design for a strictly routed backbone if at all possible.

Can you tell us more about your network topology?


--Tom
by tneumann
Fri Oct 27, 2006 10:46 pm
Forum: Wireless Networking
Topic: Block file sharing on WDS network
Replies: 7
Views: 1851

Even if they are running NetBIOS over IP (in contrast to some other option, like NetBEUI, which would also be possible over a bridged network), then any filter placed in /ip firewall filter will be ignored for that traffic because these filters only work in the IP forwarding chain, and as long as ev...
by tneumann
Sat Oct 21, 2006 11:43 pm
Forum: General
Topic: Telnet hotspot's user authentication - how to use it?
Replies: 2
Views: 2711

Do you have login-by=http-pap,... enabled in the hotspot profile for that hotspot?

--Tom
by tneumann
Sat Oct 21, 2006 4:27 pm
Forum: General
Topic: Cisco to MT VLAN trunking
Replies: 5
Views: 2846

Could you post the relevant sections of your RouterOS and your Cisco configuration here, please?

--Tom
by tneumann
Sat Oct 21, 2006 4:23 pm
Forum: Wireless Networking
Topic: Block file sharing on WDS network
Replies: 7
Views: 1851

Exactly what do you mean when you talk about "file sharing"? Do you mean P2P apps such as Gnutelle, eDonkey, etc. or are we talking about windows file sharing (SMB, NetBIOS)?

--Tom
by tneumann
Sat Oct 21, 2006 2:59 pm
Forum: Scripting
Topic: WiFi Signal for Hotspot in Login Page
Replies: 28
Views: 12346

how can I know the MAC-addrees or the Number for assined Item with Print oid command The MAC address of the associated client is part of its corresponding registration-table OID. Let's look at an actual example: [admin@AP] interface wireless registration-table> print # INT... RADIO-NAME MAC-ADDRESS...
by tneumann
Thu Oct 19, 2006 10:11 pm
Forum: General
Topic: DHCP problem with 2.9.33
Replies: 18
Views: 3572

i disabled and then enable the dhcp server and the I (invalid) flag dissapeared and is working fine, until i reboot... dhcp appears as Invalid again until i disable / enable server

I have the same problem with 2.9.33. It was OK with 2.9.32


--Tom
by tneumann
Sun Oct 15, 2006 1:52 pm
Forum: General
Topic: public IP network behind MT
Replies: 1
Views: 2276

This should just work as is, provided that your ISP is indeed routing your public /29 to you via your WiMAX access link. Did you make sure with them that they really do so?

--Tom
by tneumann
Sat Oct 14, 2006 1:19 am
Forum: General
Topic: Two IP series to run through Mikrotik - PLEASE help
Replies: 3
Views: 1231

Re: Two IP series to run through Mikrotik - PLEASE help

Can someone PLEASE assist me in how I need to set the Mikrotik up so that my clients can continue to use either a private or a public IP? One possible solution is described here: http://wiki.mikrotik.com/wiki/TransparentTrafficShaper Since it is transparent, it would not interfere with your existin...
by tneumann
Fri Oct 13, 2006 8:47 pm
Forum: Wireless Networking
Topic: Multiple SSID´s
Replies: 3
Views: 3302

Re: Multiple SSID´s

1. Do you think this configuration will work to isolate the customer’s virtual networks and to share the internet access too? Yes, but you need to be careful not to connect the virtual wireless networks in undesired ways when they all come together at the hotspot / uplink router. Maybe you can depl...
by tneumann
Mon Oct 09, 2006 1:27 am
Forum: General
Topic: ospf config help
Replies: 2
Views: 2028

What OSPF software are you running on the mail server? Regarding priority , this parameter is not meant to influence the preferrability of routes but the chance/egilibility of OSPF routers to become DR/BDR (designated routers) of an area. What you're looking for is the cost parameter, and that can b...
by tneumann
Sun Oct 08, 2006 4:52 pm
Forum: General
Topic: PPPoE client concentrator
Replies: 10
Views: 7077

I'm not sure if I didn't explain things well, but I thought it was a rather simple extension of a basic thing people do. I use RADIUS backed PPPoE to serve my clients. I figured it only made sense to use one router in a multi-tenant facility instead of 30 or 40. Where do you see the advantage in cr...
by tneumann
Sun Oct 08, 2006 1:04 pm
Forum: Wireless Networking
Topic: Don't
Replies: 18
Views: 3040

Which would be perfectly possible by adopting a system like on Ciscos: All changes are in memory only. Reboot, and they are gone away. Only a dedicated command writes the current running config to the flash and makes it permanent... I like the way Juniper does it on JunOS even better. In Cisco IOS ...
by tneumann
Sun Oct 08, 2006 12:18 pm
Forum: General
Topic: Duplex
Replies: 1
Views: 1981

No, there is no advantage in forcing your ethernet to half-duplex.

--Tom
by tneumann
Sun Oct 08, 2006 12:01 am
Forum: Wireless Networking
Topic: (How?) Drop packets between wireless clients
Replies: 7
Views: 1659

Ok, we're already doing routing. I just meant that the radio is in AP mode (ap-bridge). Ok, so how do the clients connect to the AP, that is, what do your clients do in addition to associating with the AP? Once associated, do you require them to run an additional protocol on top of the wireless con...
by tneumann
Sat Oct 07, 2006 1:05 pm
Forum: Wireless Networking
Topic: Layer 2 encryption between two wlan ifs
Replies: 2
Views: 909

If your only concern is to secure the data as long as it is travelling 'over the air' you could just use WPA(2) encryption on your wireless interfaces and be done with it. In contrast to VPN-based encryption technologies like IPsec or PPTP this would have the advantage that WPA does not use a signif...
by tneumann
Sat Oct 07, 2006 11:38 am
Forum: Wireless Networking
Topic: How to setup my MT CPE to connect to a MT in AP Bridge Mode
Replies: 7
Views: 1243

Can you steer me to the right page in the Manual for setting this up
For PPPoE:
http://www.mikrotik.com/docs/ros/2.9/interface/pppoe

For virtual-AP:
http://www.mikrotik.com/docs/ros/2.9/interface/wireless


--Tom
by tneumann
Sat Oct 07, 2006 12:26 am
Forum: Wireless Networking
Topic: How to setup my MT CPE to connect to a MT in AP Bridge Mode
Replies: 7
Views: 1243

Re: How to setup my MT CPE to connect to a MT in AP Bridge M

Basically I want to be able to have hotspot users and PPPoE users on the same AP. I'd recommend that you configure an additional virtual-AP interface on top of your existing physical AP interface and use the new virtual-AP for PPPoE only. This will give you a clean separation with different interfa...
by tneumann
Sun Oct 01, 2006 10:18 pm
Forum: Wireless Networking
Topic: Why doesnt a Station work as Bridge?
Replies: 9
Views: 1618

we're forced to use a full WDS bridge, which esposes customers to each other's broadcast traffic. bridge-filter on the CPE and pass on only the ethernet packet types that are relevant for PPPoE, then. The simple fact is that WDS is the correct solution to the problem and it is already fully support...
by tneumann
Thu Sep 14, 2006 6:48 pm
Forum: General
Topic: Interface Routing
Replies: 11
Views: 2193

It would be nice to have a routing filter that would also include interface or something.
Yeah, or a parameter under /ip dhcp-client to name a script that will be called after receiving a new client lease...


--Tom
by tneumann
Mon Sep 11, 2006 9:51 pm
Forum: General
Topic: Interface Routing
Replies: 11
Views: 2193

Re: Interface Routing

ip route add dst-address=10.0.0.0/24 gateway=ether1 Note that this is a particularly bad example for the requested feature, giving an ethernet interface as the gateway. If this feature is implemented at all then it should be implemented for point-to-point interfaces only. Why is using this with eth...
by tneumann
Sun Sep 10, 2006 9:21 pm
Forum: Wireless Networking
Topic: OSPF Routed Network w/ roaming?
Replies: 2
Views: 783

Re: OSPF Routed Network w/ roaming?

Are EOIP tunnels more efficient at knowing where a particular MAC address is vs bridged, or is it just the same thing? EOIP tunnels will become ports of a bridge, just like physical interfaces. It's the bridge that needs to know (learn) where (behind which port) a MAC address can be found, so EOIP ...
by tneumann
Tue Aug 22, 2006 11:32 pm
Forum: General
Topic: RADIUS or NetFlow?
Replies: 1
Views: 1281

From my personal experience I'd say that NetFlow is only preferred for either troubleshooting or if you need to account your customer's traffic in protocol- or IP address specific ways (for example if you'd like to sell a gigabyte of transit traffic more expensive than a gigabyte of traffic that sta...
by tneumann
Thu Aug 17, 2006 9:22 pm
Forum: General
Topic: Redirect All incoming request to specific internal IP addres
Replies: 2
Views: 1019

Did you also configure the corresponding srcnat rule for the outgoing traffic? See the 1:1 NAT example at

http://www.mikrotik.com/docs/ros/2.9/ip ... 5184717968

--Tom
by tneumann
Tue Aug 15, 2006 12:57 am
Forum: General
Topic: public ip to my server behind MT ( no NAT)
Replies: 10
Views: 2097

It looks like the IP address on your LOKAL interface is equal to the network base address? The address 87.250.108.128 is the network address of 87.250.108.128/29 and should not be used as an interface address for any device, just like a (sub-)networks broadcast address should not be assigned to an i...
by tneumann
Tue Aug 15, 2006 12:17 am
Forum: General
Topic: public ip to my server behind MT ( no NAT)
Replies: 10
Views: 2097

Post the relevant sections of your config here (interfaces, ip addresses, routing), that'll allow us to understand much better what is going on.

--Tom
by tneumann
Mon Aug 14, 2006 9:59 am
Forum: General
Topic: AGAIN ..... Limiting connections !!!
Replies: 7
Views: 1600

my problem is i'm using a satellite modem which has limited connections , i need any rule that deny any no of connections more that what the modem accept . How, exactly, does this modem define a "connection"? Does it really examine the TCP layer? Is this really just a modem or does this box try to ...
by tneumann
Mon Aug 14, 2006 12:36 am
Forum: General
Topic: AGAIN ..... Limiting connections !!!
Replies: 7
Views: 1600

Re: AGAIN ..... Limiting connections !!!

it suppose to limit each user connections to 8 only , i just wanna know whts the meaning of 8 ? is it 8 connections per sec ?? does it mean that the user can make 80 connections in 10 sec ?? No, it limits concurrent connections, not the creation rate of new connections. i put another line in the fi...
by tneumann
Fri Aug 04, 2006 8:52 pm
Forum: General
Topic: limiting udp connections ????????????
Replies: 2
Views: 1060

Re: limiting udp connections ????????????

I have sooooo many udp connections

No, you don't. You have exactly zero.


--Tom
by tneumann
Fri Aug 04, 2006 12:00 am
Forum: General
Topic: what method to prevent user/client change their IP address?
Replies: 10
Views: 1762

what different between

ARP=Enabled
ARP=Proxy-ARP
ARP=Reply-Only
The different modes are explained in the manual (link posted in previous answer). What facts are you missing that are not explained there?

--Tom
by tneumann
Thu Aug 03, 2006 11:56 pm
Forum: General
Topic: what method to prevent user/client change their IP address?
Replies: 10
Views: 1762

Did you do that on the AP or the CPE? You need to do it on the AP. Which interface in particular did you set that on? It should be set on the interface that the clients are connecting to, not on uplink or backhaul interfaces. I assume you can set multiple static ARP entries, if you want a client to...
by tneumann
Thu Aug 03, 2006 7:33 am
Forum: General
Topic: what method to prevent user/client change their IP address?
Replies: 10
Views: 1762

Please read the manual at http://www.mikrotik.com/docs/ros/2.9/ip/address


--Tom
by tneumann
Wed Aug 02, 2006 10:10 pm
Forum: General
Topic: what method to prevent user/client change their IP address?
Replies: 10
Views: 1762

Set arp=reply-only and define static ARP entries per client.
by tneumann
Mon Jul 31, 2006 10:28 pm
Forum: Wireless Networking
Topic: Bridged ether1/wlan1 (Station mode, no WDS)
Replies: 22
Views: 8593

I am using WDS on my network to accomplish the station bridge for PPPoE clients, but it has significant downsides. with a regular (non-wds) station, you can disable forwarding on the AP preventing people from easily creating their own networks inside of your AP. with using WDS you have to add the s...
by tneumann
Mon Jul 31, 2006 8:31 am
Forum: Wireless Networking
Topic: Bridged ether1/wlan1 (Station mode, no WDS)
Replies: 22
Views: 8593

so what makes sense to me is to simply broadcast the incoming packet to all computers on the wired side of the bridge.
And have all the other guys put their network adapters into promiscious mode and read my traffic? No, thanks :shock:
by tneumann
Sun Jul 30, 2006 8:21 pm
Forum: Wireless Networking
Topic: Bridged ether1/wlan1 (Station mode, no WDS)
Replies: 22
Views: 8593

They associate to the AP using their own MAC, and rewrite the source MAC address in any ethernet frame generated by the device(s) connected to its ethernet port to match its own MAC. (Read: MAC-NAT) These devices generally can bridge to a (fixed) number of ethernet devices over the wireless connect...
by tneumann
Sun Jul 30, 2006 2:29 pm
Forum: Wireless Networking
Topic: User Logging to URLs
Replies: 2
Views: 903

I think a solution to your requirements would involve sending the relevant information from the MT router (web-proxy URLs, hotspot logins, DHCP assignments, etc...) to a remote syslog server and then you'd write some scripts (perl would be good for this) to match and combine user login (session) sta...
by tneumann
Fri Jul 28, 2006 10:49 am
Forum: Wireless Networking
Topic: Need some help I’m desperate wireless link routed.
Replies: 9
Views: 1536

Yes it does work Ok then, I'm surprised and curious to the point that I have to build such a setup in the lab some day and sniff the wireless link just to see what exactly is going on. I do tend to use /29 for point to point most of the time as it can be handy to add another device to the subnet so...
by tneumann
Fri Jul 28, 2006 10:23 am
Forum: General
Topic: READ THIS if you use Radius
Replies: 13
Views: 5995

The proposed Xmit-Limit / Recv-Limit solution works, but I think it is not the most elegant way to do this. I find it disturbing to disconnect a customer (even very shortly) only because I would need this as a workaround for the accounting system. For some setups this might be acceptable (roaming ho...
by tneumann
Thu Jul 27, 2006 5:54 pm
Forum: Wireless Networking
Topic: Need some help I’m desperate wireless link routed.
Replies: 9
Views: 1536

Maybe setup the OSPF to automatically take care of the routing and the subnets like this: ether1 192.168.1.200/24 wlan1 10.0.10.100/32 | | | wlan1 10.0.10.101/32 Did you try to run this? I'd be suprised if it worked with those /32 netmasks on both sides of the wireless link. After all, 802.11 is a ...
by tneumann
Wed Jul 26, 2006 10:33 pm
Forum: Wireless Networking
Topic: Need some help I’m desperate wireless link routed.
Replies: 9
Views: 1536

the netmasks are 255.255.255.0
And you have not bridged the wireless interfaces? They're all routed? If so, then the IP addresses of your wireless links do indeed overlap and you should redesign your Layer 3 structure.

--Tom
by tneumann
Wed Jul 26, 2006 7:02 pm
Forum: Wireless Networking
Topic: Need some help I’m desperate wireless link routed.
Replies: 9
Views: 1536

The IP addresses on your wireless links look strange. What netmasks are you using on your interfaces? I suspect the IP addresses on your wireless links might overlap with each other. And did you check that all required routes are set up in both directions? Are you using a dynamic routing protocol? -...
by tneumann
Tue Jul 25, 2006 10:54 pm
Forum: General
Topic: Bridging questions
Replies: 2
Views: 828

Re: Bridging questions

1a) I have 3 wireless interfaces bridged, and I want them set to arp=reply-only, do I: set this on all three interfaces and / or the bridge? ARP is only relevant for interfaces that have one or more IP addresses assigned. In a bridged setup the IP address should always be set on the bridge interfac...
by tneumann
Tue Jul 25, 2006 10:37 pm
Forum: Wireless Networking
Topic: Wireless Sectors: Bridged APs or WDS?
Replies: 2
Views: 869

Re: Wireless Sectors: Bridged APs or WDS?

I'm setting up a new MT box for a tower site that has 3 sectors. (...) And so after reading about WDS, I'm thinking it would be better to configure this new MT box to use WDS, rather than configure it with different channels and SSIDs, especially since the wireless cards are so close together (more...
by tneumann
Mon Jul 24, 2006 9:28 pm
Forum: General
Topic: Strange Routing problem
Replies: 3
Views: 786

But still doesn't make sense to me. Static routes that i've added works on Destination IP address. Doesn't care where the packet orginates from (source). Yes, routing is usually based on the destination address, but exactly that is also true for the return traffic (for example the reply to your pin...
by tneumann
Fri Jun 23, 2006 10:58 am
Forum: General
Topic: remote logging to freeBSD
Replies: 1
Views: 669

syslogd comes standard with every installation of FreeBSD, and it's enabled to start at boot by default. Just make sure that you don't use the "-s" command line option to syslogd, as this disables remote logging. See the syslogd man page for details.
by tneumann
Sat May 06, 2006 12:46 am
Forum: Wireless Networking
Topic: Hotspot and PPPoe Devices
Replies: 2
Views: 740

That depends on what the protocols require and how your hotspot is set up. For example, we tend to hand out a pool of public IP addresses to our hotspot users and don't NAT the hotspot users at all (unless they don't use DHCP on the client machine, then the universal client will have no choice but t...
by tneumann
Sat May 06, 2006 12:41 am
Forum: General
Topic: routing-test for MIPS
Replies: 2
Views: 586

It's already available!

Just install the current routeros Package (2.9.23) and you'll have it
and may then enable it.

--Tom
by tneumann
Fri May 05, 2006 8:57 pm
Forum: Wireless Networking
Topic: Why my customer disconnect
Replies: 3
Views: 1511

Your area seems to be massively flooded with other 2.4 GHz applications. I'd move to 5 GHz under such conditions.

--Tom
  • 1
  • 2