MikroTik

marklodge

I have a dhcp server that assigns IPs from 172.16.1.10-17..16.3.10. Now when it reaches the end of 172.16.0. range, the next IP it assigns is 172.16.1.0 How can I set the DHCP server to not assign the .0 IP of each range

Attached screenshot

marklodge

I can't tell how much will 4k devices need, it depends on what they do and it can vary greatly. The same goes for concurrency limits. It's not like normal device sends dns queries all the time, so average rate should not be high. You should have some space for spikes, again the same thing. I'm big ...

marklodge

Your 10GB plan probably won't work, I think it uses only RAM. But it's unlikely that you'd ever need that much anyway, records time out, they don't last forever. But it of course depends on how big network you have. Other than that, all resolvers are same in principle. If you need only bare basics,...

marklodge

Purely from a DNS caching only perspective. Is a standalone BIND or Unbound DNS Caching server much different to Mikrotiks DNS cache feature? I have 7 towers, each has a mikrotik router acting as a PPPOE server, so I am thinking that I should just increase the cache size to like 10GB (using SD card ...

marklodge

I'm using it for a core router with 1gbps traffic, serving 800 clients, meaning many thousands of packets per second. My current CCR 1016 is showing around 36k p/s on the main WAN interface. And one of the CPU cores are 95% usage all the time, while the others are around 0 to 20% used. When you say ...

marklodge

I am reading the specs here:
https://mikrotik.com/product/CCR1036-12G-4S-EM
It says 36 cores x 1.2GHz CPU. Is this 36 cores? or 36 threads?

Please confirm

And what would be the x86 comparision to this?
Would a 4 core Dell poweredge server perform better than this CCR for routing/firewall etc?

marklodge

Why not just cut and paste and use the code block in the FONT line a the top of the EDIT block.
My firewall/AV setup
blocks pastebin LOL.

Because it was rather large, but I've did as you said.

marklodge

Removed

marklodge

i dont play whackamole with attempting to solve config issues. Just remove any sensitive bits (dont need to see any vpn stuff, dhcp leases, any firewall address lists, etc............. as a minimum interface ethernet ip addresses vlan config bridge config bridge port config birdge vlan config dhcp-...

marklodge

post your config
/export hide-sensitive file=yourconfig

Well, the original post is a very simplified version of my config. My actual config is more complex. Could I PM you my output?

marklodge

I have 4 devices, each of them has management vlan enabled as VLAN 10. 2 devices are connected to ether2 and the other 2 devices are connected to ether3 So, I create a VLAN with ID 10 on ether2 and another VLAN 10 on ether3. Then I create a Bridge called Management Bridge and give it an IP of 172.16...

marklodge

From my understanding you should just have to use a NAT rule to forward all traffic for the WAN to the IP of the pppoe client then a NAT rule to translate all traffic from pppoe client to the specific WAN IP. /ip firewall nat add chain=dstnat dst-address=45.45.45.2 action=dst-nat to-addresses=10.2....

marklodge

Advertise other subnets as external.

Please let me know how to do this

marklodge

How do I route a WAN IP to a PPPOE Client connected to an Edge router?
Here is a diagram that explains it all

wan-topppoe-edge.png

marklodge

RouterIDs are unique
If I run the subnet on one router only it does not propagate the clients on the router that the subnet is not running on.

marklodge

I want to be able to reach my clients CPE.

This is my setup: and I'm getting the error mentioned
The small circles represent pppoe-clients IP

11.png

marklodge

Thank you for the reply.
Would I need to change my network topology for ipv6 to work?
Will it work over the current pppoe setup?

Could you link me to some good resources to understand this better?

marklodge

I have a WISP setup. Simple PTMP and CPEs in router mode connecting via PPPOE How do I enable IPv6 for clients? I have the Mikrotik IPv6 package installed and enabled My WAN interface shows an IPv6 address SLAAC is enabled on CPE But my computer connected to the CPE does not receive an IPv6 address,...

marklodge

How can I add all of urlhaus's list of malware urls to a block list?
https://urlhaus.abuse.ch/api/#retrieve

marklodge

Should the MTU be set on the VPLS tunnels or on the ether interfaces, or both?

marklodge

404 on the chr 43.7 files

https://mikrotik.com/routeros/6.43.7/chr-6.43.7.vhdx

marklodge

/ip firewall nat add chain=srcnat out-interface-list=WAN src-address-list=group1 action=srcnat to-address=45.45.45.2 add chain=srcnat out-interface-list=WAN src-address-list=group2 action=srcnat to-address=45.45.45.3 And then disable/remove default masquerade rule. Thank you for this, I will try im...

marklodge

I have 500 pppoe clients and I have 5 WAN IPs from my provider
How do I set a different WAN IP for each 100 users?

Example:
4mb User group will use: 45.45.45.2
2mb User group will use: 45.45.45.3
etc

marklodge

Are all your 500 clients sharing the same address? Then this issue really cannot be avoided, because there will always be bad guys in there. However, you should still make sure your router and any client routers that you manage are properly configured and not part of the botnet. Yes, all are sharin...

marklodge

Environment: MikroTik CCR1016 as Core router Static IP 500 PPPoE connected clients Recently we've been getting the Unusual Traffic warning when doing a Google Search.Copied below: About this page Our systems have detected unusual traffic from your computer network. This page checks to see if it's r...

marklodge

As I recall, the NanoStation will happily pass VLAN traffic and is VLAN aware for the management interface, but I'm not aware of the ability to specify which VLAN to use for locally connected stations. Note that I am using them for a point to point link with a managed switch (CSS326-24G-2S) on each...

marklodge

Also models with QCA8337, Atheros8327, Atheros8316 switch chips seem to be able to use the same method as for CRS3xx, but their rule tables are smaller.

This is inaccurate, I tested the CRS3xx method on the Atheros8327 chip, but New VLAN ID is not supported

marklodge

While reading the datasheet here, these specs confused me:

• Up to 1.5 mpps throughput in regular mode
• Up to 17.8 mpps throughput in fastpath mode (wire speed)
• Up to 12 Gbps throughput with RouterOS queue/firewall configuration

What does Up to 1.5 mpps throughput in regular mode mean?

marklodge

You will then get usage data per customer that let you create simple bandwidth usage graphs, Thank you, I understand all that you have said, I will now setup a freeradius server and check it out. So, instead of sending the ppp secrets I will just be sending the same details to the Radius MySQL data...

marklodge

Using a specialized tool that analyzes SNMP and/or Netflow to generate a graph would be most efficient for the router indeed. If you're OK with sacrificing some of that efficiency for the purposes of customizable implementation, the other way would be to detect a new PPPoE interface appearing (see ...

marklodge

If you have shell access to your web server, you can run a PHP from the command line. You can also add it as a startup script if you want it to also restart with a server restart. Or use cron if you want to run it at regular intervals rather than continuously. If you run it continuously, you can us...

marklodge

I have a MySQL db of all ppp secrets, these get sent to the mikrotik via the PEAR2 API. I need to see how many of the ppp clients are active and then mark them as active on the local mysql db. Is there a reason you aren't just using RADIUS (ex. FreeRADIUS), which does all this for you (and more)? 1...

marklodge

I read here https://wiki.mikrotik.com/wiki/Manual:Queue that Priority Does not work on parent queue But I wish to confirm, as I have seen that dynamically created parent queues by some ISP Framework software has priorities set If I have the following parents and children: 2mbps-Home-Priority=5/5 -fr...

marklodge

I would like to know the same:
is there a way to tag packets from a specific MAC address(es) with a VLAN id?

marklodge

Yes, you can. All you need do is select the vlan interface while creating the hotspot for that vlan. You can check out my post on hotspot here. https://www.timigate.com/2017/11/how-to-solve-all-your-mikrotik-hotspot.html I have checked your post. I do understand that I can run a hotspot server on a...

marklodge

I wish to see how much bandwidth was used per PPP connection, how would I do this via API, I understand that the options are probably Graphing, SNMP or Netflow.
I just need the simplest way for now. I need to get the usage and create monthly, weekly graphs.

marklodge

This can be accomplished using MAC Based VLANs, correct?

marklodge

I have read this: https://forum.mikrotik.com/viewtopic.php?t=78145 But it is not working for me My application: I have a MySQL db of all ppp secrets, these get sent to the mikrotik via the PEAR2 API. I need to see how many of the ppp clients are active and then mark them as active on the local mysql...

marklodge

Thank you, so much!

marklodge

Using PEAR2_Net_RouterOS-1.0.0b6 The following works fine the in the Mikrotik Terminal. But I cant get it to work via the API. How would I do the following: :foreach user in=[/ip firewall address-list find find address=10.2.2.2] do={ /ip firewall address-list disable $user } Or ip firewall address-l...

marklodge

For some reason your shared host doesn't have the Phar extension, which is required to open PHAR files. It may be using PHP 5.2 or earlier, where Phar was not enabled by default, or it may be disabled by the host for some reason. If the problem is 5.2, there's no workaround - find a different host ...

marklodge

Hi
I have everything working fine on my local xampp install. I uploaded it to my shared hosting package and I get the following error:

 PHP Fatal error:  Class 'Phar' not found in /home/sharedhost/mysite/PEAR2_Net_RouterOS-1.0.0b6.phar on line 18

marklodge

I think that I posted in the wrong section, should I copy it here or just link it:

This is the post:
viewtopic.php?f=7&t=137675

marklodge

Attached diagram shows what I wish to accomplish. The idea is just to separate the traffic per AP, so that I can see count of users connected and traffic stats per AP. How can I accomplish this? The APs are Nanostation M2s, they support VLAN per interface [WLAN0.LAN0, or BRIDGE0]. hotspotPerVLAN.png

marklodge

Following this: https://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_using_MPLS I need to know, in a setup where I am using the tunnel as a psuedo wire from the main tower to a sub tower, does the VPLS interface need to be added to a bridge? The tunnel works fine without being added to a...

marklodge

Are you able to not use the Cisco? Does it provide any other purpose? Personally, I'd still not be using it.. Just connecting the fiber directly to the Mikrotik. No, the Cisco is leased to us by the fiber provider, actually we dont have access to it, only physical access of course, so that we can p...

marklodge

Sorry guys if I was not clear. 1. No this is not a homework question, this is for a real world deployment. 2. The cisco is leased to us by the fiber supplier, it is the Fiber Termination point. The Mikrotik is our own router, which we use to supply internet to the users. 3. The fiber supplier gives ...

marklodge

Attached diagram is my setup

Should I connect the server to the mikrotik or the cisco ?

acmetube.png

marklodge

Thats exactly it, you said:

If you add mine before them, it will allow queries for specific hostname

But it does not do this. [I adjusted it to myisp.com of course]

marklodge

I had thought that the solution received from Mikrotik was workable, but it is not, as it drops connections from the router itself too. So now, the router cannot resolve DNS or ping or anything.

Search found 191 matches