Community discussions

Search found 7734 matches

  • 1
  • 2
  • 3
  • 4
  • 5
  • 26
by fewi
Sat Feb 16, 2013 12:09 am
Forum: Scripting
Topic: download backup from other devices to mikrotik
Replies: 2
Views: 1572

Re: download backup from other devices to mikrotik

If the backup on the Ubiquiti device can be accessed via FTP or HTTP you can use "/tool fetch".
by fewi
Tue Dec 13, 2011 3:04 pm
Forum: Forwarding Protocols
Topic: IP no changeable but can online...
Replies: 3
Views: 1071

Re: IP no changeable but can online...

The Hotspot also contains a more elegant method for this, universal NAT. Just configure an IP pool on the Hotspot itself. It'll be used to 1:1 NAT everyone to a valid IP address.
by fewi
Tue Dec 13, 2011 3:39 am
Forum: Beginner Basics
Topic: Mikrotik Firewall
Replies: 6
Views: 1477

Re: Mikrotik Firewall

As cbrown said: You can't. Basic TCP/IP: hosts on the same network talk directly. They don't go through the router. If the traffic isn't going through the router you can't block the traffic on the router.

You'd need switches with layer 2 security features that let you do what you need to do.
by fewi
Sat Dec 10, 2011 5:50 am
Forum: General
Topic: URL Filtering
Replies: 1
Views: 759

URL Filtering

Hardly. Manually, sort of. You don't want to classify all web sites on existence, that is hard work. Use something like OpenDNS for free filtering. Not great, but free.
by fewi
Sat Dec 10, 2011 5:48 am
Forum: Forwarding Protocols
Topic: OSPF disappearing default route in RouterOS v4/v5
Replies: 4
Views: 1327

OSPF disappearing default route in RouterOS v4/v5

I haven't seen any threads with a solution, just threads reporting the bug.

Open up an official case with support to get traction on it. Either everyone has it wrong and it's not a bug and support will set you straight, or it is a bug and every report with debug output helps fix it.
by fewi
Sat Dec 10, 2011 12:41 am
Forum: Forwarding Protocols
Topic: OSPF disappearing default route in RouterOS v4/v5
Replies: 4
Views: 1327

OSPF disappearing default route in RouterOS v4/v5

Search the forums, there's other threads for this.
by fewi
Fri Dec 09, 2011 2:06 pm
Forum: General
Topic: Forwarding a puplic IP to CPE
Replies: 5
Views: 1147

Re: Forwarding a puplic IP to CPE

Of course. You would need to assign the IP via RADIUS, and in OSPF on the CPE facing router redistribute static IPs (possibly with a filter, though) into OSPF. The client dials up via PPPoE, gets an IP address via RADIUS, the CPE facing router establishes the tunnel and has a route to the /32 on the...
by fewi
Fri Dec 09, 2011 2:03 pm
Forum: Beginner Basics
Topic: Help understanding Mikrotik LOG
Replies: 8
Views: 1364

Help understanding Mikrotik LOG

Nothing. What else is there to do? There's nothing listening on the port anymore, and you can't stop the packet from arriving on your router port (unless you control the other end of the connection as well). Someone is trying a key on the door to your house. You changed the door so there's no longer...
by fewi
Fri Dec 09, 2011 1:34 pm
Forum: Scripting
Topic: DynDns scripts HTTPS
Replies: 5
Views: 1606

DynDns scripts HTTPS

Because fetch didn't support HTTPS.
by fewi
Fri Dec 09, 2011 1:50 am
Forum: Forwarding Protocols
Topic: let mikrotik run an ext webserver instead of internet access
Replies: 5
Views: 2668

Re: let mikrotik run an ext webserver instead of internet ac

As I already said if you have wildcard DNS entries you can do without an external DNS server. You do need the Hotspot so you can redirect requests for any web resource on any host that a client could possibly request. Alternatively your web server would have to take care of that. Remember, a client ...
by fewi
Fri Dec 09, 2011 1:48 am
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

According to what you posted SSH is enabled.
by fewi
Thu Dec 08, 2011 11:32 pm
Forum: Wireless Networking
Topic: RouterOS (PPC) Upgrading Questions
Replies: 2
Views: 627

Re: RouterOS (PPC) Upgrading Questions

Settings persist through upgrades, but it would be wise to take a binary as well as text backup before any upgrades just in case something goes wrong.

http://wiki.mikrotik.com/wiki/Manual:Co ... Management
by fewi
Thu Dec 08, 2011 10:11 pm
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

Those rules were part of 4.x, too. The different is the kind of board you use. http://wiki.mikrotik.com/wiki/Manual:De ... igurations documents the different default configurations of a variety of RouterBOARDs.
by fewi
Thu Dec 08, 2011 9:33 pm
Forum: Forwarding Protocols
Topic: let mikrotik run an ext webserver instead of internet access
Replies: 5
Views: 2668

Re: let mikrotik run an ext webserver instead of internet ac

Sure. Just run a normal DHCP server on the network announcing the router for DNS, add a wildcard entry for DNS that resolves all host names to some IP address, add a Hotspot, and redirect to the web server as a login page. Adding static DNS: http://wiki.mikrotik.com/wiki/Manual:IP/DNS#Static_DNS_Ent...
by fewi
Thu Dec 08, 2011 9:30 pm
Forum: General
Topic: Forwarding a puplic IP to CPE
Replies: 5
Views: 1147

Re: Forwarding a puplic IP to CPE

If you don't want to use NAT (which is good) you just route it over to the CPE. Since you already have a full OSPF network you could simply implement the IP network on a CPE interface, and then add the interface as passive to OSPF. That's it, the CPE now advertises that IP space and the rest of your...
by fewi
Thu Dec 08, 2011 8:48 pm
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

/ip firewall address-list add list=management address=1.1.1.0/24 add list=management address=2.2.2.0/24 /ip firewall filter add chain=input src-address-list=management action=accept Then move the filter rule above the existing drop rule. Also refer to the manual: http://wiki.mikrotik.com/wiki/Manua...
by fewi
Thu Dec 08, 2011 7:53 pm
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

/ip firewall filter add action=accept chain=input comment="default configuration" disabled=no protocol=icmp add action=accept chain=input comment="default configuration" connection-state=established disabled=no add action=accept chain=input comment="default configuration" connection-state=related d...
by fewi
Thu Dec 08, 2011 6:24 pm
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

Of course. Select the text, right click, copy, then paste here. Just like any other text.
by fewi
Thu Dec 08, 2011 5:52 pm
Forum: General
Topic: can't ping or telnet or winbox into RB711-2Hn
Replies: 12
Views: 2064

Re: can't ping or telnet or winbox into RB711-2Hn

There's something wrong with your config. What exactly is wrong is hard to troubleshoot without seeing the configuration. Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip service print detail", and "/ip firewall export" together with a network ...
by fewi
Thu Dec 08, 2011 2:24 pm
Forum: RouterBOARD hardware
Topic: Availability of the RB751G
Replies: 101
Views: 20885

Availability of the RB751G

As long as it is $1 cheaper than twice as expensive I would be saving money, because right now I have to buy two devices (or one from a different manufacturer that has two chip sets - which is significantly more attractive because it is cheaper, uses less foot print, is easier to configure, and uses...
by fewi
Thu Dec 08, 2011 2:18 pm
Forum: RouterBOARD hardware
Topic: Availability of the RB751G
Replies: 101
Views: 20885

Re: Availability of the RB751G

Maybe this is where the misunderstanding is: I'm not saying I don't want to offer 2.4 at all. I want to offer both. There's so many clients now on 2.4 (because, as you said, everyone has a smart phone) that there's more 2.4 APs, so there's crazy interference. I wasn't kidding when I said I can see 1...
by fewi
Thu Dec 08, 2011 2:03 pm
Forum: General
Topic: Maximum Number of Port Forwards?
Replies: 1
Views: 587

Maximum Number of Port Forwards?

25 is no problem.

It does depend on how much other work the router is doing so it is hard to state a hard limit, but 25 is definitely feasible.
by fewi
Thu Dec 08, 2011 2:00 pm
Forum: RouterBOARD hardware
Topic: Availability of the RB751G
Replies: 101
Views: 20885

Availability of the RB751G

I personally have the same observation as Macgaiver above, most consumer devices still only support 2GHz.
Huh. All my laptops and tablets support 5Ghz.

At my workplace 55% of all connections are on 5Ghz, which is huge given that smart phones can only do 2.4.
by fewi
Wed Dec 07, 2011 11:24 pm
Forum: RouterBOARD hardware
Topic: Availability of the RB751G
Replies: 101
Views: 20885

Re: Availability of the RB751G

I do see 8 - 12 SSIDs from other neighbours
Lucky you, I see 17 right now.
by fewi
Wed Dec 07, 2011 10:08 pm
Forum: Scripting
Topic: dynDNS Update Script
Replies: 158
Views: 108829

Re: dynDNS Update Script

Sure, if the public IP is configured right on the router you can just check the interface IP directly. The fetch only happens in case you're behind NAT and need to update a public IP you can't access locally directly.
by fewi
Wed Dec 07, 2011 2:44 pm
Forum: Forwarding Protocols
Topic: Multihomed BGP and traffic reply path
Replies: 2
Views: 1485

Re: Multihomed BGP and traffic reply path

How do I set the reply traffic to go out over the same interface in came in on? You identify the networks it happens to and write a BGP policy (using routing filters) that assigns a weight or local preference to the route you want traffic to take. You basically have two routes to a given destinatio...
by fewi
Wed Dec 07, 2011 4:32 am
Forum: General
Topic: RouterOS v5.9 released
Replies: 166
Views: 41823

Re: RouterOS v5.9 released

Hopefully no one is using half duplex wired Ethernet connections anymore, though.
by fewi
Wed Dec 07, 2011 4:31 am
Forum: RouterBOARD hardware
Topic: where is netinstall?
Replies: 9
Views: 1619

Re: where is netinstall?

Fix up the BOOTP server so the router can access it. It's unlikely it's actually unable to boot from the network due to an error on the router, it's likely to be an error on the network or with the server. Take firewalls into account, particularly if you're on a recent version of Windows.
by fewi
Wed Dec 07, 2011 2:57 am
Forum: RouterBOARD hardware
Topic: Moving key from one router to another.
Replies: 7
Views: 3194

Re: Moving key from one router to another.

Either way you'll have to email support. This is a user forum, so people can't help you with licensing issues. I wouldn't expect too much. You ordered something you didn't need 5 years ago - I can't think of any vendors that would refund that, to be honest.
by fewi
Wed Dec 07, 2011 2:55 am
Forum: Forwarding Protocols
Topic: Block access between two ip address
Replies: 4
Views: 1600

Re: Block access between two ip address

you can give subnetmask 255.255.255.255 to your users (over dhcp, or manual) and then all packets will go trough mikrotik (gateway for users is mikrotik ip, ofcourse), and then u can control all theese packets. then u can make this rule: Just a word of warning: if you don't have strict control over...
by fewi
Wed Dec 07, 2011 1:08 am
Forum: General
Topic: Hotspot change of ISP
Replies: 2
Views: 648

Re: Hotspot change of ISP

Two things to try:

- check that DNS is OK and that the clients can resolve the Hotspots name as well as other Internet web hosts so they can request a login page in the first place
- check that NAT is OK

If that doesn't get you anywhere post actual configuration excerpts in text form.
by fewi
Tue Dec 06, 2011 11:34 pm
Forum: Beginner Basics
Topic: Port forwarding using WebfigV5.2
Replies: 2
Views: 949

Re: Port forwarding using WebfigV5.2

http://wiki.mikrotik.com/wiki/Manual:IP ... rt_mapping
That shows how to do it in the CLI. The field names in Winbox and Webfig mirror what the parameters are called on the CLI.
by fewi
Tue Dec 06, 2011 11:31 pm
Forum: Beginner Basics
Topic: Cache Server - Plan and Design
Replies: 25
Views: 8590

Re: Cache Server - Plan and Design

How can we know what 172.16.0.0/12 is on your network? It's private IP space. Nothing in this thread mentions it before. The rule means, literally: take all traffic to tcp/80 that comes in via ether3 and isn't going to 172.16.0.0/12, and send it to 172.19.65.250 on port tcp/3128 instead. What that m...
by fewi
Tue Dec 06, 2011 11:28 pm
Forum: General
Topic: Difference Between " walled-garden " and "walled-garden ip"
Replies: 11
Views: 5220

Re: Difference Between " walled-garden " and "walled-garden

Taken directly from the manual I posted: /ip firewall mangle add chain=prerouting in-interface=LAN \ dst-address=10.0.0.0/24 action=mark-packet \ new-packet-mark=exempt-up add chain=postrouting out-interface=LAN \ src-address=10.0.0.0/24 action=mark-packet \ new-packet-mark=exempt-down /queue type a...
by fewi
Tue Dec 06, 2011 11:25 pm
Forum: General
Topic: Hotspot redirect not working (mostly)
Replies: 10
Views: 9826

Re: Hotspot redirect not working (mostly)

You need to give your Hotspot a proper domain name with a valid TLD, such as "hotspot.local" instead of just "stjw-hotspotcontroller1". Everything else looks fine from what you posted.
by fewi
Tue Dec 06, 2011 7:21 pm
Forum: General
Topic: Hotspot redirect not working (mostly)
Replies: 10
Views: 9826

Re: Hotspot redirect not working (mostly)

If you need help you'll have to be more specific than "I got everything setup and working expect the hotspot login redirect is not working (for the most part)" - what is working? What isn't? Also post the relevant configuration in text format.
by fewi
Tue Dec 06, 2011 7:17 pm
Forum: General
Topic: No IGMP Proxy in RB750GL
Replies: 5
Views: 2408

Re: No IGMP Proxy in RB750GL

(I knew it that if I’ll “touch” the Mtik’s pride, solutions will come... :)
Bit of a dick move, really.
by fewi
Tue Dec 06, 2011 4:59 pm
Forum: General
Topic: IP issues
Replies: 7
Views: 1069

Re: IP issues

If you have a layer 3 switch you don't need the Mikrotik router. If you want to use the Mikrotik router you can't run the layer 3 switch at layer 3, and need to just assign an IP address to the router LAN interface and connect the switch and have it distribute that network at layer 2 to the other se...
by fewi
Tue Dec 06, 2011 3:00 pm
Forum: General
Topic: FIN scan originating from iphone
Replies: 2
Views: 1239

Re: FIN scan originating from iphone

What are you rules to detect FIN scans? FIN scans send a FIN to a port without a connection being open. This could of course happen entirely naturally - such as your router having fairly low connection time outs, lower than the device on the other end. If the phone is expecting the connection to sta...
by fewi
Tue Dec 06, 2011 2:53 pm
Forum: Beginner Basics
Topic: Help understanding Mikrotik LOG
Replies: 8
Views: 1364

Re: Help understanding Mikrotik LOG

Do you use SSH to access your router? If not best practice would be to disable the service.
by fewi
Tue Dec 06, 2011 2:50 pm
Forum: General
Topic: Hotspot with User Credits and Active Directory
Replies: 4
Views: 1844

Re: Hotspot with User Credits and Active Directory

Authentication for Hotspot: Is is MAC based or based on HTTP session? The other buildings would be behind their own router so I don't have to make one huge, gigantic subnet. Per MAC, but the "addresses-per-mac" property lets you govern how many IPs can log in per MAC. Generally speaking, though, Ho...
by fewi
Tue Dec 06, 2011 2:46 pm
Forum: Beginner Basics
Topic: Mikrotik as bandwidth manager
Replies: 3
Views: 1992

Re: Mikrotik as bandwidth manager

Read the wiki manuals on queueing, both PCQ and simple queues.
by fewi
Tue Dec 06, 2011 3:04 am
Forum: General
Topic: No IGMP Proxy in RB750GL
Replies: 5
Views: 2408

Re: No IGMP Proxy in RB750GL

Which incidentally is clearly stated in the manual: http://wiki.mikrotik.com/wiki/Manual:Routing/Multicast#Requirements Requirements Multicast is available on all architectures supported by RouterOS. Packages required: system multicast Note: v3.x routing-test and multicast packages are incompatible....
by fewi
Tue Dec 06, 2011 2:49 am
Forum: RouterBOARD hardware
Topic: RB750 Internet Usage
Replies: 6
Views: 2519

Re: RB750 Internet Usage

http://wiki.mikrotik.com/wiki/Switch_Chip_Features#Port_Switching Port Switching Switching feature allows wire speed traffic passing among a group of ports, like the ports were a regular ethernet switch. You configure this feature by setting a "master-port" property to one ore more ports in /interf...
by fewi
Mon Dec 05, 2011 9:53 pm
Forum: General
Topic: UPnP NAT Entry Timeout?
Replies: 17
Views: 5091

Re: UPnP NAT Entry Timeout?

It probably cleans them just fine, but it's a bit of a brute force approach: it'll also clear forwarding rules that are still active. So if the device/app that requested the UPnP hole be punched is still active you're dragging it out from under its feet. How it handles that would depend on the devic...
by fewi
Mon Dec 05, 2011 3:30 pm
Forum: General
Topic: wifi double nat
Replies: 1
Views: 762

Re: wifi double nat

That you need NAT very, very strongly indicates that the Untangle server doesn't have a route back to 192.168.2.0/24 via 192.168.1.227. I know you said you added one, but double check that. Also check that the Untangle server is set up to NAT 192.168.2.0/24 out its WAN interface and isn't restricted...
by fewi
Mon Dec 05, 2011 2:55 am
Forum: General
Topic: UPnP NAT Entry Timeout?
Replies: 17
Views: 5091

Re: UPnP NAT Entry Timeout?

Ah. Well, you can access the the connection table via "/ip firewall connection", access the dynamic rules and extract the ports used by them, and then look for connections in the connection table by that port. I doubt that you can determine when a rule was last used without some rather complex logic...
by fewi
Mon Dec 05, 2011 2:51 am
Forum: Scripting
Topic: Possible bug with global variables
Replies: 26
Views: 5804

Re: Possible bug with global variables

Maybe write to support to clarify and post the results back here. I'm curious about it, too, and would be interested to know.
by fewi
Mon Dec 05, 2011 1:21 am
Forum: General
Topic: UPnP NAT Entry Timeout?
Replies: 17
Views: 5091

Re: UPnP NAT Entry Timeout?

Disclaimer: I don't use UPnP. If you have tested that disabling and re-enabling UPnP actually flushes rules this is trivial: /ip upnp set enabled=no; /ip upnp set enabled=yes; Schedule that, and you're done. If that doesn't actually flush rules you could try this: I'd assume that UPnP creates dynami...
by fewi
Mon Dec 05, 2011 12:40 am
Forum: Scripting
Topic: Possible bug with global variables
Replies: 26
Views: 5804

Re: Possible bug with global variables

I don't know if this might be related: http://forum.mikrotik.com/viewtopic.php?f=9&t=52934&hilit=+netwatch+global+variable Netwatch executes the script, so it might run with different owner permissions and have the same scoping issue. As a workaround maybe write the global variable value into a file...
by fewi
Mon Dec 05, 2011 12:35 am
Forum: Beginner Basics
Topic: PPP package missing
Replies: 4
Views: 1255

Re: PPP package missing

Obviously the cleanest thing to do would be upgrade to 5.9 as it fixes bugs present in 5.6 and adds new features. But if you want to stay on 5.6 you can simply grab the 5.9 download link from the download page: http://download.mikrotik.com/all_packages-mipsbe-5.9.zip and edit it for 5.6: http://down...
by fewi
Mon Dec 05, 2011 12:30 am
Forum: Beginner Basics
Topic: Port knock with more ports
Replies: 2
Views: 644

Re: Port knock with more ports

That is not correct. To add additional steps you need to use multiple address lists. The first rule adds to a list called knock1, the second rule (second port) adds to a list called knock2 but only allows people on knock1, the third rule (third port) adds to a list called knock3 but only allows peop...
by fewi
Sun Dec 04, 2011 3:20 pm
Forum: General
Topic: Transparent proxy not caching that well
Replies: 8
Views: 3029

Re: Transparent proxy not caching that well

Why should it be better, though? That seems about right. Caching proxies achieve huge cache rates when they're used in front of web servers, where there are 10,000 resources to request and 8,000 of them are static and can be served from cache. For an ISP there just isn't much to cache, realistically...
by fewi
Sun Dec 04, 2011 3:31 am
Forum: Wireless Networking
Topic: thinking based on Tom'b review why wifi sucks, part II
Replies: 9
Views: 1982

Re: thinking based on Tom'b review why wifi sucks, part II

Mikrotik does not have any products that do beam forming.
by fewi
Sat Dec 03, 2011 9:57 pm
Forum: Beginner Basics
Topic: Where to obtain demo license ?
Replies: 3
Views: 779

Re: Where to obtain demo license ?

For basic questions it's always best to refer to the manual. It covers them rather well.

http://wiki.mikrotik.com/wiki/Manual:License
Licensing information can be read from CLI system console:
/system license print 
by fewi
Sat Dec 03, 2011 4:42 pm
Forum: Beginner Basics
Topic: Calculation Uptime when router was rebooted !!!
Replies: 3
Views: 637

Re: Calculation Uptime when router was rebooted !!!

v2.9.27
That version is mostly used by people who downloaded a cracked version illegally. If that's the case with you, don't expect support here.

If you do have a legal version first upgrade your router. The current versions are 5.x.
by fewi
Sat Dec 03, 2011 2:01 am
Forum: General
Topic: What is this? Mikrotik Simple queue
Replies: 6
Views: 1003

Re: What is this? Mikrotik Simple queue

Yes, indeed. So that router can't do anything about traffic arriving that it is then forced to throw away due to a queue. It can't control what packets are sent to it.
by fewi
Sat Dec 03, 2011 1:30 am
Forum: General
Topic: Best way to route traffic to main proxy server over internet
Replies: 4
Views: 709

Re: Best way to route traffic to main proxy server over inte

You could use PPTP - but if you don't need security you may want to evaluate how much traffic you are going to push down the tunnel. PPTP has encryption, which uses more CPU resources than a non-encrypted link. Maybe use the built in bandwidth test tool down the PPTP tunnel during off hours to simul...
by fewi
Sat Dec 03, 2011 1:27 am
Forum: General
Topic: public ip behind mikrotik
Replies: 10
Views: 3434

Re: public ip behind mikrotik

Exactly.

So again, you can just make your .2 a /24 as well, turn on proxy ARP, and route behind the Mikrotik router - but it would be far, far cleaner if you talked to the ISP and got them to insert a /30 like we discussed.

Good luck!
by fewi
Fri Dec 02, 2011 11:46 pm
Forum: General
Topic: public ip behind mikrotik
Replies: 10
Views: 3434

Re: public ip behind mikrotik

Because a) presumably the ISP router isn't configured for a /30 right now, because they gave you a /24 - that's why they're expecting all IPs on that /24 to be directly connected to them, which they're not b) it's much easier for the ISP to route you your full /24, which they can't do if you're alre...
by fewi
Fri Dec 02, 2011 11:05 pm
Forum: General
Topic: public ip behind mikrotik
Replies: 10
Views: 3434

Re: public ip behind mikrotik

If the ISP knows to route the public IPs to you via the /30 you can then do whatever you want to do with them behind the Mikrotik. For example, you can assign a public /30 to a router port and plug it into the server. The router uses the public on the Mikrotik LAN interface as its default gateway, t...
by fewi
Fri Dec 02, 2011 10:43 pm
Forum: General
Topic: What is this? Mikrotik Simple queue
Replies: 6
Views: 1003

Re: What is this? Mikrotik Simple queue

Well - no. How do you propose the router handle this situation? The uplink is delivering those packets to it. All it can do is throw them away, but even then bandwidth has already been used up. The last device in any position to do something about them is the uplink router. If that router is yours, ...
by fewi
Fri Dec 02, 2011 10:28 pm
Forum: General
Topic: What is this? Mikrotik Simple queue
Replies: 6
Views: 1003

Re: What is this? Mikrotik Simple queue

One possible explanation: the customer was using a protocol that doesn't adjust to traffic being thrown away, so 5 megs arrived at the router. The router proceeded to throw 3 megs away and serve 2 megs to the customer.

One common protocol that exhibits such behavior is bittorrents over UDP.
by fewi
Fri Dec 02, 2011 9:24 pm
Forum: General
Topic: Best way to route traffic to main proxy server over internet
Replies: 4
Views: 709

Re: Best way to route traffic to main proxy server over inte

EoIP provides no security whatsoever. PPTP mostly does. Without knowing what kind of requirements you have for the tunnel it's kind of hard to give a recommendation. Do you need security? That would rule out EoIP. Do you need broadcast and multicast packets to traverse the tunnel? That would rule ou...
by fewi
Fri Dec 02, 2011 7:53 pm
Forum: RouterBOARD hardware
Topic: mikrotik 5.9 softID cahnge
Replies: 2
Views: 1518

Re: mikrotik 5.9 softID cahnge

You can't change the soft ID. Your license is only valid for the soft ID you purchased it for, and you can't use the license on any other soft ID.
by fewi
Fri Dec 02, 2011 7:05 pm
Forum: General
Topic: Disk FUll
Replies: 8
Views: 834

Re: Disk FUll

I don't know, I don't use User Manager. Other people in this forum do. They have had the same problem (I remember reading about it). If you search the forums for your problem you'll come across one of those topics, and it will probably contain a solution.
by fewi
Fri Dec 02, 2011 7:03 pm
Forum: General
Topic: public ip behind mikrotik
Replies: 10
Views: 3434

Re: public ip behind mikrotik

Actually I'm suggesting your ISP adds an unrelated /30 (could even be private - they are 10.0.0.1/30 and you're 10.0.0.2) between your router and theirs, and then they add a route for 80.1.2.0/24 via 10.0.0.2 (your router). You can then do whatever you want with 80.1.2.0/24 behind your router becaus...
by fewi
Fri Dec 02, 2011 6:41 pm
Forum: General
Topic: public ip behind mikrotik
Replies: 10
Views: 3434

Re: public ip behind mikrotik

The canonical solution is to have that IP space routed to you rather than directly provisioned. Talk to whoever gives you that IP space to see if you can set that up. Alternatively you can set .2 as a /24 on the WAN side and enable proxy ARP, and then use smaller, overlapping subnets on the LAN side...
by fewi
Fri Dec 02, 2011 5:47 pm
Forum: The User Manager
Topic: Hotspot can not run in interface serving static ip
Replies: 6
Views: 1751

Re: Hotspot can not run in interface serving static ip

If you want users to be able to ping without logging in you could whitelist ICMP in the walled garden.
by fewi
Fri Dec 02, 2011 5:45 pm
Forum: General
Topic: Routing traffic from a hotspot through a specific WAN.
Replies: 1
Views: 428

Re: Routing traffic from a hotspot through a specific WAN.

Search the forum for "policy routing".
by fewi
Fri Dec 02, 2011 5:45 pm
Forum: General
Topic: Disk FUll
Replies: 8
Views: 834

Re: Disk FUll

It's definitely the UM database.

Search the forums, this has come up many times before.
by fewi
Fri Dec 02, 2011 3:30 pm
Forum: General
Topic: Disk FUll
Replies: 8
Views: 834

Re: Disk FUll

Have you CHECKED for logs? You're having people guess as you're not providing ANY information whatsoever.

Post the output of "/file print", "/system package print", and "/system resource print".
by fewi
Fri Dec 02, 2011 1:40 pm
Forum: General
Topic: Software ID upgrade from 7 to 8 code failure
Replies: 2
Views: 421

Software ID upgrade from 7 to 8 code failure

You don't need Internet access on the router, you need Internet access on the host running Winbox.
by fewi
Fri Dec 02, 2011 3:56 am
Forum: General
Topic: Disk FUll
Replies: 8
Views: 834

Re: Disk FUll

Do you maybe have an excessive amount of logs stored on the router?
by fewi
Thu Dec 01, 2011 4:33 pm
Forum: Forwarding Protocols
Topic: OSPF issue with multiple gateways for default route
Replies: 5
Views: 1427

Re: OSPF issue with multiple gateways for default route

Yes, do it on both sides. OSPF adds the cost of the interface it received a route through to the overall cost.
by fewi
Thu Dec 01, 2011 4:11 pm
Forum: Forwarding Protocols
Topic: OSPF issue with multiple gateways for default route
Replies: 5
Views: 1427

Re: OSPF issue with multiple gateways for default route

It won't have an adverse effect. This is called ECMP (equal cost multi path). Generally ECMP works fine as a technology, but can interact weirdly with other configuration parts of your environment. For example, if you have a stateful firewall that suddenly sees packets of a connection it didn't see ...
by fewi
Thu Dec 01, 2011 3:38 pm
Forum: General
Topic: About ROS for all MIPS-BE Architecture.
Replies: 3
Views: 842

Re: About ROS for all MIPS-BE Architecture.

That will work fine. Only the architecture matters.
by fewi
Thu Dec 01, 2011 2:11 pm
Forum: Beginner Basics
Topic: Full Speed for Local Webserver
Replies: 5
Views: 2467

Re: Full Speed for Local Webserver

http://wiki.mikrotik.com/wiki/PCQ_and_H ... rate_limit

That's a wild guess. You gave WAY too little details. You don't even describe how you currently rate limit users.
by fewi
Thu Dec 01, 2011 2:10 pm
Forum: General
Topic: 4.17 cool but bad dhcp issue when done worng
Replies: 2
Views: 908

Re: 4.17 cool but bad dhcp issue when done worng

That being said why is DHCP such a headache with RouterOS? Seems far more complicated then it should be.
It just gives you the options to customize it. Have you ever looked at configuring the ISC DHCPd reference package?
by fewi
Thu Dec 01, 2011 2:02 pm
Forum: Forwarding Protocols
Topic: OSPF issue with multiple gateways for default route
Replies: 5
Views: 1427

OSPF issue with multiple gateways for default route

Assign a slightly higher cost to one of the links that AP has to its neighbors. Now there won't be equal cost along both paths and it will choose one path only. http://wiki.mikrotik.com/wiki/Manual:Routing/OSPF#Interface Check what cost other interfaces have. Add half of that to the link you don't w...
by fewi
Thu Dec 01, 2011 1:36 pm
Forum: General
Topic: NAT question ( is it a bug ?)
Replies: 30
Views: 2230

NAT question ( is it a bug ?)

I can't help you.
by fewi
Thu Dec 01, 2011 2:52 am
Forum: General
Topic: RouterOS v5.9 released
Replies: 166
Views: 41823

Re: RouterOS v5.9 released

Dunno if you're still looking for download speed info. Here's my home connection in the Northeastern US: sh-3.2$ curl -O http://download2.mikrotik.com/all_packages-mipsbe-5.9.zip % Total % Received % Xferd Average Speed Time Time Time Current Dload Upload Total Spent Left Speed 100 13.6M 100 13.6M 0...
by fewi
Thu Dec 01, 2011 1:43 am
Forum: RouterBOARD hardware
Topic: New hardware for existing ROS X86 install
Replies: 2
Views: 736

Re: New hardware for existing ROS X86 install

You can stick that hard drive into any other machine and it will just work (as long as the hardware is supported by the built in drivers).
by fewi
Thu Dec 01, 2011 12:09 am
Forum: General
Topic: Using Mikrotik for a large-scale ISP
Replies: 1
Views: 584

Re: Using Mikrotik for a large-scale ISP

I'd like to know if I can use Mikrotik RouterOS to implement a good and stable solution for traffic shaping that can handle this amount of traffic (10 Gbps more or less)....
No. At those speeds you need something that does its work in hardware rather than software.
by fewi
Thu Dec 01, 2011 12:07 am
Forum: General
Topic: Difference Between " walled-garden " and "walled-garden ip"
Replies: 11
Views: 5220

Re: Difference Between " walled-garden " and "walled-garden

That has nothing to do whatsoever with the walled garden. The walled garden doesn't deal with rate limits.

Read this: http://wiki.mikrotik.com/wiki/PCQ_and_H ... rate_limit
by fewi
Wed Nov 30, 2011 3:33 pm
Forum: General
Topic: a routerboard to switch
Replies: 4
Views: 569

Re: a routerboard to switch

You may also be interested in this thread: http://forum.mikrotik.com/viewtopic.php?f=2&t=52286
by fewi
Wed Nov 30, 2011 4:31 am
Forum: General
Topic: a routerboard to switch
Replies: 4
Views: 569

Re: a routerboard to switch

So buy a cheaper switch and don't buy Cisco. "Somewhat like a Cisco" is an incredibly vague statement. The switch chips inside routerboards aren't very capable. They have nowhere near to even close to the functionality of a Cisco switch, so you should buy a switch that fits your budget and has the f...
by fewi
Wed Nov 30, 2011 3:29 am
Forum: Scripting
Topic: mac telnet login script?
Replies: 2
Views: 1532

Re: mac telnet login script?

Look into network management tools that let you apply configuration changes to many nodes, such as rancid. This is obviously not a particularly new or hard problem you're trying to solve, and it's been solved many times before and as a result there are many tools available. There's no point trying t...
by fewi
Wed Nov 30, 2011 2:53 am
Forum: Wireless Networking
Topic: routing to specific adsl connecting
Replies: 5
Views: 826

Re: routing to specific adsl connecting

A proxy would only work for web traffic (HTTP), so you could just dedicate one WAN link to that, and use the other for everything else. What do you mean by "large ISP"? A large ISP would have lots of links with other ISPs (peering), and set up a rather complicated billing system where they charge ea...
by fewi
Wed Nov 30, 2011 2:30 am
Forum: Beginner Basics
Topic: Setup complexity for basic RouterBOARD 750GL
Replies: 4
Views: 2750

Re: Setup complexity for basic RouterBOARD 750GL

Sort of. If you change the IP addressing on the LAN you'll have to adjust the range of IP addresses in the pool the DHCP server uses.
by fewi
Wed Nov 30, 2011 2:28 am
Forum: Wireless Networking
Topic: routing to specific adsl connecting
Replies: 5
Views: 826

Re: routing to specific adsl connecting

Nope. Same principle. The connection the proxy makes has NOTHING to do with the original connection from the user that prompted the proxy to fetch content. You can't make a routing decision based on properties that connection simply doesn't have. The source IP is the router itself.
by fewi
Wed Nov 30, 2011 2:13 am
Forum: Beginner Basics
Topic: Setup complexity for basic RouterBOARD 750GL
Replies: 4
Views: 2750

Re: Setup complexity for basic RouterBOARD 750GL

The RB750GL does that out of the box. Refer to the manual for default settings: http://wiki.mikrotik.com/wiki/Manual:De ... igurations
Everything you listed is a default setting.

For firmware upgrades also read the manual: http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
by fewi
Wed Nov 30, 2011 2:10 am
Forum: Wireless Networking
Topic: routing to specific adsl connecting
Replies: 5
Views: 826

Re: routing to specific adsl connecting

It won't be possible. Proxies take connections, terminate them on themselves, and then fetch the content for the client. Once they have fetched it they returned it. Therefore a proxy splits what would normally be a client/server connection and makes it two connections. Your WAN routers will only eve...
by fewi
Wed Nov 30, 2011 1:02 am
Forum: Wireless Networking
Topic: Annoying User Manager License Clarification
Replies: 1
Views: 580

Re: Annoying User Manager License Clarification

That is correct. You can have 200 Hotspot sessions on the level 4 device, all authenticated by the level 6 device.
by fewi
Wed Nov 30, 2011 1:00 am
Forum: General
Topic: a routerboard to switch
Replies: 4
Views: 569

Re: a routerboard to switch

My opinion: If you need a switch, buy a switch.
by fewi
Tue Nov 29, 2011 4:32 am
Forum: Beginner Basics
Topic: newbie questions
Replies: 4
Views: 818

Re: newbie questions

1. The switch chip switches on layer 2. It doesn't route. You can switch (at layer 2) at wire speed on the switch chip. You can route between VLANs in software. 3. I used it in a service provider setting. If you want a sales pitch you should get in touch with sales@mikrotik.com. In my opinion these ...
by fewi
Tue Nov 29, 2011 1:14 am
Forum: General
Topic: NAT question ( is it a bug ?)
Replies: 30
Views: 2230

Re: NAT question ( is it a bug ?)

Nope - it certainly doesn't hurt, but it's not necessary as such. I don't see anything wrong with what you pasted. It should work. That it doesn't mean that you either left something out, or edited it in such a way that it hides the problem. Again, it is close to impossible you found a bug in how Li...
by fewi
Tue Nov 29, 2011 1:10 am
Forum: General
Topic: IPsec - VPN iPhone
Replies: 7
Views: 3313

Re: IPsec - VPN iPhone

I hate to say it, but if you hate proprietary stuff: why are you using an iPhone?
by fewi
Tue Nov 29, 2011 1:09 am
Forum: General
Topic: no ip redirects
Replies: 1
Views: 642

Re: no ip redirects

There's no setting at such - drop them in the 'output' firewall filter chain. It's ICMP code point 5:1.
by fewi
Tue Nov 29, 2011 1:08 am
Forum: General
Topic: CPU Max out with IP Firewall
Replies: 2
Views: 467

Re: CPU Max out with IP Firewall

Routing vs switching doesn't make much of a difference - it's negligible. Depending on the packet size you were mostly seeing you probably just exceeded the 493G's capabilities. You can see its data rates here: http://routerboard.com/RB493G . The RB1100AH compares at approximately 3 times that of th...
by fewi
Mon Nov 28, 2011 5:12 pm
Forum: General
Topic: How to do traffic accounting but only for web traffic
Replies: 3
Views: 594

How to do traffic accounting but only for web traffic

Use NetFlow for accounting, and run it on the WAN interface.
by fewi
Mon Nov 28, 2011 2:52 pm
Forum: General
Topic: NAT question ( is it a bug ?)
Replies: 30
Views: 2230

Re: NAT question ( is it a bug ?)

It is exceedingly unlikely you found a bug in the Linux NAT implementation. It's far more likely your router is subtly misconfigured. Go back to the configuration you want to run. Then post it - so far you've only been showing snippets. That would include the output of "/ip address print detail", "/...
by fewi
Mon Nov 28, 2011 2:43 pm
Forum: General
Topic: Strange problem on DHCP-server
Replies: 1
Views: 392

Strange problem on DHCP-server

It's possible you have a rogue DHCP server on that network that gets to the clients faster.
by fewi
Mon Nov 28, 2011 2:41 pm
Forum: Beginner Basics
Topic: newbie questions
Replies: 4
Views: 818

newbie questions

1. Pentium IIIs don't have switch chips. Therefore they won't be acting as switches in hardware. 2. Not on the switch chip. But you can of course have VLAN interfaces in software on the router and route between them. 3. It works reasonably well. It works extremely well for the price. It doesn't have...
by fewi
Mon Nov 28, 2011 2:36 pm
Forum: General
Topic: IPsec - VPN iPhone
Replies: 7
Views: 3313

IPsec - VPN iPhone

The IPsec client in the iPhone uses XAUTH, which is a Cisco proprietary extension that RouterOS doesn't implement.
by fewi
Mon Nov 28, 2011 4:52 am
Forum: The User Manager
Topic: User Manager doesn't accept AAA of 3 hotspots on one 750 L4
Replies: 17
Views: 5259

Re: User Manager doesn't accept AAA of 3 hotspots on one 750

Disclaimer: I don't use User Manager. This might not work, but I think it's worth looking into. You can make loopback interfaces by creating an empty bridge without adding ports to it. This interface will always be up. You can then assign arbitrary /32s in RFC1918 space that you don't use anywhere e...
by fewi
Sun Nov 27, 2011 5:35 pm
Forum: General
Topic: RounterOS cannot access to internet .
Replies: 3
Views: 1540

Re: RounterOS cannot access to internet .

The addressing looks like right for the WAN circuit - at least it's consistent. Are you sure that's the right IP address? If I had a quarter for every time I screwed up an octet somewhere I'd be rich. If you're sure - can you see an ARP entry for 203.186.174.149 in "/ip arp print"? Is it possible th...
by fewi
Sun Nov 27, 2011 3:25 am
Forum: Beginner Basics
Topic: How can I see all the IP'c connected to the router
Replies: 8
Views: 25863

Re: How can I see all the IP'c connected to the router

OK. Those two things are entirely unrelated. Completely and utterly so. So let's keep your DHCP stuff in the two threads you made for this already - duplicating threads is frowned upon because it wastes people's time. Someone might spend 15 minutes typing up a reply in one thread only to find that's...
by fewi
Sun Nov 27, 2011 2:09 am
Forum: Beginner Basics
Topic: Assigning Static IP's & Client ID's
Replies: 7
Views: 10990

Re: Assigning Static IP's & Client ID's

Linking to your other thread about the same topic so people trying to help you out don't duplicate efforts all over the place: http://forum.mikrotik.com/viewtopic.php?f=13&t=56987
by fewi
Sun Nov 27, 2011 2:05 am
Forum: Beginner Basics
Topic: Assigned Static IP's Not being bound.
Replies: 7
Views: 2661

Re: Assigned Static IP's Not being bound.

Screenshots are an extraordinarily poor way to show the relevant details. Post the output of "/ip address print detail", "/interface print detail", "/ip pool print detail", "/ip dhcp-server print detail", "/ip dhcp-server network detail", and "/ip dhcp-server lease print detail". Wrap output in tags...
by fewi
Sun Nov 27, 2011 2:03 am
Forum: Beginner Basics
Topic: How can I see all the IP'c connected to the router
Replies: 8
Views: 25863

Re: How can I see all the IP'c connected to the router

Again, DHCP leases have nothing to do with ARP. Are you trying to troubleshoot ARP, or DHCP?

This command is literally what you would use:
/ip arp { remove [find] }
You would type exactly that, anywhere in the CLI.
by fewi
Sun Nov 27, 2011 1:38 am
Forum: General
Topic: 3G config change makes RB411U malfunction till full reset
Replies: 12
Views: 2495

Re: 3G config change makes RB411U malfunction till full rese

You need to do more troubleshooting and provide more information. Without access to the router it's kind of hard to have an opinion on this. Approach it like this first: - determine whether the router can use its configured DNS servers, or whether both the router and client hosts fail for this. For ...
by fewi
Sun Nov 27, 2011 1:32 am
Forum: Beginner Basics
Topic: How can I see all the IP'c connected to the router
Replies: 8
Views: 25863

Re: How can I see all the IP'c connected to the router

The ARP table is where a router maps MAC addresses to IP addresses. It has nothing to do with DHCP leases - static IP hosts would show here, too. In TCP/IP broadcast networks each host has a layer 2 address (its MAC address), which is used by directly connected hosts to talk to it. MAC addresses are...
by fewi
Sun Nov 27, 2011 12:31 am
Forum: General
Topic: 3G config change makes RB411U malfunction till full reset
Replies: 12
Views: 2495

Re: 3G config change makes RB411U malfunction till full rese

Conversely: maybe your ISP doesn't allow any name servers other than their own. Have you tested with the ISP's name servers? Unlikely but worth checking since we're not looking at the router like you are: are you 100% sure that there's no firewall filters in the input chain blocking users from using...
by fewi
Sat Nov 26, 2011 9:41 pm
Forum: Beginner Basics
Topic: Can some one explain more?
Replies: 2
Views: 614

Re: Can some one explain more?

Yup.
by fewi
Sat Nov 26, 2011 9:15 pm
Forum: General
Topic: Recommended configuration to increase LAN throughput?
Replies: 5
Views: 2060

Re: Recommended configuration to increase LAN throughput?

The switch chip acts in hardware. It doesn't process NAT, firewall filters, or anything else. It's literally like having a switch connected to the router, only the switch is inside the router.
by fewi
Sat Nov 26, 2011 8:40 pm
Forum: General
Topic: 3G config change makes RB411U malfunction till full reset
Replies: 12
Views: 2495

Re: 3G config change makes RB411U malfunction till full rese

Are those DNS server IPs allowing access from your router's IP address? whois says those IPs belong to "Telefonica de Espana". Is that your ISP? Have you tried other DNS servers, such as OpenDNS or Google?
by fewi
Sat Nov 26, 2011 8:34 pm
Forum: Beginner Basics
Topic: First time install Mikrotek and can not get internet from it
Replies: 5
Views: 948

Re: First time install Mikrotek and can not get internet fro

Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip firewall export", and an accurate network diagram.
by fewi
Sat Nov 26, 2011 8:32 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

OK, one more time, then I'll give up. HE assigned you routed prefixes in addition to the IPv6 addressing for the point to point tunnel. They are listed on your tunnel detail page as "routed prefixes". You need to assign that IPv6 address to your ether1-gateway interface (not the sit1 interface, that...
by fewi
Sat Nov 26, 2011 8:25 pm
Forum: General
Topic: torrent packet-mark catch succeeded, now how can I block it?
Replies: 7
Views: 2366

Re: torrent packet-mark catch succeeded, now how can I block

You can always combine src-address/dst-address or in-interface/out-interface with other matchers to get directionality.

But what's the point of blocking P2P one way?
by fewi
Sat Nov 26, 2011 8:24 pm
Forum: General
Topic: High CPU usage???
Replies: 1
Views: 18994

Re: High CPU usage???

by fewi
Sat Nov 26, 2011 8:23 pm
Forum: Forwarding Protocols
Topic: OSPF and failure on switched link
Replies: 7
Views: 1611

Re: OSPF and failure on switched link

No, there's something else wrong with your configuration or your configuration (possibly subtly) doesn't match the diagram you posted. This should work out of the box. It's irrelevant that both assumed DR roles, when there's no adjacency on the link then they'll route around it.
by fewi
Sat Nov 26, 2011 7:26 pm
Forum: Forwarding Protocols
Topic: OSPF and failure on switched link
Replies: 7
Views: 1611

Re: OSPF and failure on switched link

OSPF wouldn't be able to receive hellos on the link between R1 and R4 because of the switch being down, and after the dead timer expires (default 40 seconds on broadcast media, can be tweaked) the adjacency between R1 and R4 would be torn down and traffic would go through R1 -> R2 -> R3 -> R4.
by fewi
Sat Nov 26, 2011 6:57 pm
Forum: General
Topic: 3G config change makes RB411U malfunction till full reset
Replies: 12
Views: 2495

Re: 3G config change makes RB411U malfunction till full rese

Any computer in the LAN can ping any internet address(f.e. 8.8.8.8) - No computer can browse any website ... nothing works. Can the problem accurately be reduced to "hosts behind the LAN interface are unable to complete DNS lookups"? It sort of sounds like that. Check your configuration in "IP > DN...
by fewi
Sat Nov 26, 2011 5:28 pm
Forum: Beginner Basics
Topic: Have I lost my license?
Replies: 9
Views: 1874

Re: Have I lost my license?

They don't need debug output to troubleshoot a license issue for you.
by fewi
Sat Nov 26, 2011 5:27 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

We're going in circles here, and it's getting a little bit frustrating. First the tunnel is up, then it isn't, and now it is apparently because the router can ping out via IPv6. Please be more clear when posting or this isn't going to go anywhere. From my MikroTik I can ping goole’s IP 6 address. So...
by fewi
Sat Nov 26, 2011 5:20 pm
Forum: Beginner Basics
Topic: configure 450g mikrotik router for sharing internet conn.
Replies: 5
Views: 2465

Re: configure 450g mikrotik router for sharing internet co

one more thing i have noticed that only orange light is coming and green light is not buring. is there any problem with 450g router. Possibly. Console in - does the link show up? Does that cable work when you plug it into something else? Everything else you're asking about is covered by the wiki ar...
by fewi
Sat Nov 26, 2011 3:30 pm
Forum: General
Topic: Recommended configuration to increase LAN throughput?
Replies: 5
Views: 2060

Recommended configuration to increase LAN throughput?

The RB750GL has a switch chip, and will do wirespeed if you have those four clients on the same network and did not disable the switch chip.
by fewi
Sat Nov 26, 2011 3:26 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

IPv6 connectivity over an IPv4 infrastructure with tunnelbr.

That is sufficient based on what you've shared so far.

Do you have firewall filter rules blocking the tunnel, maybe?
by fewi
Sat Nov 26, 2011 3:24 pm
Forum: Beginner Basics
Topic: Have I lost my license?
Replies: 9
Views: 1874

Have I lost my license?

by fewi
Sat Nov 26, 2011 1:30 am
Forum: General
Topic: torrent packet-mark catch succeeded, now how can I block it?
Replies: 7
Views: 2366

Re: torrent packet-mark catch succeeded, now how can I block

/ip firewall filter add chain=forward packet-mark=bittorent_in action=drop http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter#Properties Of course it would be better to use connection marks so you can block both ways - that way you also don't have to waste resources marking packets: once the c...
by fewi
Sat Nov 26, 2011 1:28 am
Forum: Beginner Basics
Topic: Have I lost my license?
Replies: 9
Views: 1874

Re: Have I lost my license?

You didn't upgrade your license format as you should have: http://wiki.mikrotik.com/wiki/Manual:Up ... nse_issues. You have three days to do so. If you're still within those three days just click the "upgrade license" button in Winbox. If you're not, email support.
by fewi
Fri Nov 25, 2011 10:39 pm
Forum: General
Topic: setting environment variable for proxy
Replies: 4
Views: 860

Re: setting environment variable for proxy

I'm pretty sure RouterOS doesn't support parent proxies that require credentials.
by fewi
Fri Nov 25, 2011 9:15 pm
Forum: General
Topic: setting environment variable for proxy
Replies: 4
Views: 860

Re: setting environment variable for proxy

I don't understand the question in the first place. What are you trying to do, and why?
by fewi
Fri Nov 25, 2011 9:07 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

I thought you said you had the HE tunnel up. Do you? Can you ping the other side? HE gave you two IP addresses: one for the tunnel, and a /48 or a /64 for LAN use depending on what you requested. Put that LAN IPv6 address on the ether1-gateway interface. Then clients behind it will start receiving I...
by fewi
Fri Nov 25, 2011 8:12 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

Sure. Though now I don't know what that gogo thing had to do with anything.

Just put the IP address in the routed network that HE gave you on ether1-gateway and make sure that 'advertise' is set to
'yes' on it, which is the default. That's it.
by fewi
Fri Nov 25, 2011 5:25 pm
Forum: General
Topic: wireless
Replies: 6
Views: 723

Re: wireless

The short answer is: you can't. The long answer is: it's really complicated to do that. You would need to somehow get shared accounts on address lists (this can be done by using RADIUS for DHCP) and then using queue trees. You can't do that with User Manager at all. Your simplest option is to just n...
by fewi
Fri Nov 25, 2011 4:50 pm
Forum: General
Topic: fix for public DNS returns farthest IP
Replies: 4
Views: 1865

Re: fix for public DNS returns farthest IP

I just wanted to post this link, really: http://www.afasterinternet.com/howitworks.htm That specifically addresses central DNS servers playing poorly with geo location services. I don't have an opinion on RouterOS as a DNS server, really. I don't use my routers as DNS servers. DNS is an infrastructu...
by fewi
Fri Nov 25, 2011 4:48 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

Maybe I misunderstood - I thought you were going to put some sort of CPE in front of the Mikrotik router. You would then have to forward things so the tunnel still terminates on the Mikrotik router, which no longer has a public IP address on it. If I did misunderstand please post a network diagram o...
by fewi
Fri Nov 25, 2011 3:53 pm
Forum: General
Topic: fix for public DNS returns farthest IP
Replies: 4
Views: 1865

Re: fix for public DNS returns farthest IP

http://www.afasterinternet.com/howitworks.htm Also, I vehemently disagree with this: For example - sticky DNS cache - that can prolong the DNS entries, for longer then their official specified times. Let's not go and break RFCs. If someone wants to set a low caching time you should always respect t...
by fewi
Fri Nov 25, 2011 3:14 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

Sounds like that should work without a problem, you'll just have to make sure you forward the tunnel traffic (IP protocol 41) to the Mikrotik router.
by fewi
Fri Nov 25, 2011 2:58 pm
Forum: Beginner Basics
Topic: redirect http to wan2 and force to it
Replies: 1
Views: 686

Re: redirect http to wan2 and force to it

Add a firewall rule that selects the same traffic that you apply a routing mark for WAN2 for, and drop that traffic when it goes out the WAN1 interface.
by fewi
Fri Nov 25, 2011 1:05 am
Forum: Beginner Basics
Topic: How to remove unused chain.
Replies: 1
Views: 907

Re: How to remove unused chain.

Reboot the router.

Though it really doesn't hurt one bit that Winbox still has it cached.
by fewi
Thu Nov 24, 2011 10:20 pm
Forum: General
Topic: RB1200 to Watchguard IPSec VPN
Replies: 9
Views: 6541

Re: RB1200 to Watchguard IPSec VPN

'require' would apply encryption. I guess "no proposal chosen" could also apply to there not being a matching phase 2 policy. It depends on the device generating the log. modp768 is a Diffie-Hellman group (DH1), and has nothing to do with SHA1, which is a hashing algorithm. It really would be easies...
by fewi
Thu Nov 24, 2011 9:34 pm
Forum: General
Topic: RB1200 to Watchguard IPSec VPN
Replies: 9
Views: 6541

Re: RB1200 to Watchguard IPSec VPN

That means the phase 1 proposals each router has configured don't have a match between them, so they can't pick one and stop negotiating. At least one phase 1 proposal must match exactly.
by fewi
Thu Nov 24, 2011 9:21 pm
Forum: General
Topic: RB1200 to Watchguard IPSec VPN
Replies: 9
Views: 6541

Re: RB1200 to Watchguard IPSec VPN

The configuration on the two routers doesn't match, at least for the phase 1 configuration. Double check everything. If you need a second/third/fourth pair of eyes on that post the configurations here.
by fewi
Thu Nov 24, 2011 9:19 pm
Forum: General
Topic: PPPoE + ADSL Modem in Bridge Mode and DHCP-client
Replies: 1
Views: 823

Re: PPPoE + ADSL Modem in Bridge Mode and DHCP-client

You can't get DHCP leases via PPPoE. PPPoE directly negotiates a client IP address instead. Check your IP addresses - you should already have a dynamic IP address on the PPPoE interface.
by fewi
Thu Nov 24, 2011 7:22 pm
Forum: General
Topic: web-proxy firewall rule
Replies: 4
Views: 1526

Re: web-proxy firewall rule

You generally want to accept ALL packets that are part of established connections, there's no need for any protocol or port qualifiers. If you didn't want those packets you shouldn't have allowed the connection to be established in the first place, after all. chain=input action=accept connection-sta...
by fewi
Thu Nov 24, 2011 6:26 pm
Forum: General
Topic: VRRP and failover questions
Replies: 6
Views: 1906

Re: VRRP and failover questions

Sorry, I had a type before. That's what I meant: it would be nice if a VRRP transitioned to the 'backup' state when its running state changed to 'down'. That way you still only need two scripts, and it's logically consistent (can't be master if you're down). You could make a NetWatch probe ( http://...
by fewi
Thu Nov 24, 2011 5:54 pm
Forum: General
Topic: VRRP and failover questions
Replies: 6
Views: 1906

Re: VRRP and failover questions

Urgh, that sucks. Maybe write an email to support and request that VRRP interfaces transition to a down state when the physical interface goes down. It makes no sense to consider it a master if it's impossible for the interface to be up, and this tiny change would make failover scenarios much more e...
by fewi
Thu Nov 24, 2011 5:50 pm
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 5768

Re: True WAN bonding through my data center location?

Bonding non-like links (or even spreading packets in the same connection across non-like links) is usually an absolutely terrible idea. It leads to a lot of out-of-sequence TCP segments being delivered, which will cause ACKs to be delayed and TCP windows being negotiated down, while also probably le...
by fewi
Thu Nov 24, 2011 5:26 pm
Forum: Beginner Basics
Topic: Fatal exception in interupt - problem
Replies: 4
Views: 596

Re: Fatal exception in interupt - problem

That's outside of a VPN problem. The kernel is crashing. You either have bad hardware, or the hardware you have isn't compatible with the new version.

That picture is basically showing the Linux equivalent to a Blue Screen of Death in Windows.
by fewi
Thu Nov 24, 2011 4:39 pm
Forum: General
Topic: VRRP and failover questions
Replies: 6
Views: 1906

Re: VRRP and failover questions

a) no, can't get around that on RouterOS b) VRRP interfaces can have up/down scripts associated with them that fire when a router changes state between backup and master. You can use those to change the priority on the other VRRP interface, and enable pre-emption - that will cause the other interfac...
by fewi
Thu Nov 24, 2011 4:33 pm
Forum: General
Topic: NAT question ( is it a bug ?)
Replies: 30
Views: 2230

Re: NAT question

No. You have it completely backwards. You use whichever IP address isn't destination NATed to an inside host. The router can listen on ALL IP addresses configured on its interfaces, but will sometimes - when you configure destination NAT - send that traffic to somewhere else rather than listen to it...
by fewi
Thu Nov 24, 2011 4:30 pm
Forum: General
Topic: Destination NAT Problem with Public IP-Adresses
Replies: 1
Views: 853

Re: Destination NAT Problem with Public IP-Adresses

Based on what you're describing it's impossible to troubleshoot the network drop issue. You need to provide (or possibly establish for yourself) way more details. Do interfaces drop? Do you see link flaps? Are router utilizations going up (CPU spikes?)? And so on. All ports should be reachable. Chec...
by fewi
Thu Nov 24, 2011 4:24 pm
Forum: General
Topic: Accessing Mikrotik Cookies after Hotspot Login
Replies: 1
Views: 585

Re: Accessing Mikrotik Cookies after Hotspot Login

You have no control over the cookie RouterOS sets, so it's unlikely you can set one another server would also accept.
by fewi
Thu Nov 24, 2011 4:23 pm
Forum: Beginner Basics
Topic: NAT of Public IPs behind 750GL (Ipchains Noob)
Replies: 1
Views: 581

Re: NAT of Public IPs behind 750GL (Ipchains Noob)

First things first: any particular reason you're not just routing your customers public IPs instead of using NAT? Routing them to the customers would be much easier and enable them to do stuff like forward their own ports for whatever purpose they want (a common one is video games). You would also s...
by fewi
Thu Nov 24, 2011 4:21 pm
Forum: General
Topic: H.323 NAT for video conference
Replies: 6
Views: 6325

Re: H.323 NAT for video conference

RouterOS is Linux based, and thus uses Netfilter. Whenever you need details on the RouterOS firewall look up Netfilter and how it does it. Very simple explanation, you can of course find much more technical detail: http://en.wikipedia.org/wiki/Netfilter#Connection_Tracking http://en.wikipedia.org/wi...
by fewi
Thu Nov 24, 2011 4:17 pm
Forum: Beginner Basics
Topic: VLANs for Dummies
Replies: 14
Views: 5282

Re: VLANs for Dummies

You do have your terminology, because that has nothing to do with VLANs whatsoever, and is a fairly dirty approach that doesn't gain you squat. With the broadcast domain of all three networks overlaid to one logical or physical network you have absolutely no benefits in regards to security or traffi...
by fewi
Thu Nov 24, 2011 4:15 pm
Forum: General
Topic: NAT question ( is it a bug ?)
Replies: 30
Views: 2230

Re: NAT question

/ip firewall nat add chain=srcnat dst-adress-type=local action=src-nat to-address=1.1.1.1
No need for destination NAT - after all, traffic is to the router itself.
by fewi
Thu Nov 24, 2011 4:12 pm
Forum: General
Topic: web-proxy firewall rule
Replies: 4
Views: 1526

Re: web-proxy firewall rule

Just add "chain=input action=accept connection-state=established" to allow in all return traffic that the router originated, and keep the "output" chain empty.
by fewi
Thu Nov 24, 2011 4:11 pm
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 5768

Re: True WAN bonding through my data center location?

I think the Background idear is to Bundle/Bonding Lines Where ISP dont Dell Bonded Services... Like MLPpp over DSL. In Gernany MLPPP is expensiv, A-DSL Bonding are very Interesting for me to, Datacenter with FiberConbection to locate a Second Mikrotik Like RB1200 oder RB2011 if avaible is no Proble...
by fewi
Thu Nov 24, 2011 6:09 am
Forum: Wireless Networking
Topic: simple WIFI access point setup on ROUTEROS
Replies: 2
Views: 2850

Re: simple WIFI access point setup on ROUTEROS

http://wiki.mikrotik.com/wiki/Manual:Ma ... ireless_AP

Found, incidentally, by running a Google search for "wiki mikrotik access point".
by fewi
Thu Nov 24, 2011 4:08 am
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 5768

Re: True WAN bonding through my data center location?

There is as much overhead downloading the file from the data center as there is from a remote location. There's no such thing as a "file ready and queued" unless you bring WAN accelerators into play, which will cost you upwards of $50,000 (which would be a steal - decent solutions are six figures an...
by fewi
Thu Nov 24, 2011 2:29 am
Forum: General
Topic: True WAN bonding through my data center location?
Replies: 19
Views: 5768

Re: True WAN bonding through my data center location?

but however can potentially prove the flow rate as all source/destinations will be to one location at which point should be able to fetch the data from the remote side faster - and then creating a queue/buffering system to hold it. What? I've read that sentence several times and it doesn't make any...
by fewi
Thu Nov 24, 2011 2:27 am
Forum: General
Topic: Redirect MAC Authenticated Hotspot Users to Webpage
Replies: 11
Views: 3209

Re: Redirect MAC Authenticated Hotspot Users to Webpage

Ah, in that case this won't work. The modem logs in automatically so there's no redirect screen. The only things I can think of that would work is to expire the MAC address account and turn it off until they acknowledge new ToS on the login page, which would have to make some sort of API calls to te...
by fewi
Thu Nov 24, 2011 1:23 am
Forum: General
Topic: Redirect MAC Authenticated Hotspot Users to Webpage
Replies: 11
Views: 3209

Re: Redirect MAC Authenticated Hotspot Users to Webpage

It should work. Session timeout are a hard limit for that session - it has nothing to do with keepalive or idle timeouts. It literally means "log this user out after this much time, starting from log on". When you say the RADIUS server authenticated the MAC address of the CPE, do you mean that the H...
by fewi
Wed Nov 23, 2011 2:56 pm
Forum: Beginner Basics
Topic: Incredibly Basic Routing Question
Replies: 2
Views: 805

Re: Incredibly Basic Routing Question

There's no need to do any of that. If the router has IP addresses in two networks then it has routes to them on merit of being directly connected. It will automatically route between them. No need for adding routes, no need for NAT, it just works out of the box. If it doesn't work for you there's so...
by fewi
Wed Nov 23, 2011 3:35 am
Forum: General
Topic: Redirect MAC Authenticated Hotspot Users to Webpage
Replies: 11
Views: 3209

Re: Redirect MAC Authenticated Hotspot Users to Webpage

Unless you have an extremely inflexible RADIUS solution you can send out a Session-Timeout value that has nothing to do with when the account expires in the backend user database. If your RADIUS solution is that inflexible don't send a Session-Timeout attribute at all and inherit it from the default...
by fewi
Wed Nov 23, 2011 2:10 am
Forum: General
Topic: Redirect MAC Authenticated Hotspot Users to Webpage
Replies: 11
Views: 3209

Re: Redirect MAC Authenticated Hotspot Users to Webpage

http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#Access-Accept Session-Timeout - overrides session-timeout in the default configuration WISPr-Redirection-URL - URL, which the clients will be redirected to after successfull login Have the RADIUS server send the Session-Timeout attribute, set to 15...
by fewi
Tue Nov 22, 2011 10:39 pm
Forum: General
Topic: PPTP site to site problem
Replies: 4
Views: 1583

Re: PPTP site to site problem

Next hop == gateway, or not? If you're simply asking whether "next hop" means the same as "gateway" then yes, it does. Not sure I understand the question. That means the traffic will be NATed when passes the default route to internet and not when directed through PPTP? Not sure I understand this qu...
by fewi
Tue Nov 22, 2011 8:23 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Cool. Glad it's working now.

If you find out if it works in bridge mode maybe post back in this thread with results so others with the same question can find it.
by fewi
Tue Nov 22, 2011 8:12 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Don't know. It might work in bridge mode as long as you use the IP firewall for bridging ( http://wiki.mikrotik.com/wiki/Manual:Interface/Bridge#Bridge_Settings ) via "use-ip-firewall=yes". Have never tried that, though. All my RouterOS devices are routers. Just out of curiosity, what fixed it? DNS,...
by fewi
Tue Nov 22, 2011 7:52 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Another thought: does the router have DNS configured? As in, does "/ping myaccount.succeed.net" or ":put [:resolve myaccount.succeed.net]" work from the router CLI? If the proxy can't resolve the host the client requested then it can't hit the first rule because it doesn't know myaccount.succeed.net...
by fewi
Tue Nov 22, 2011 7:49 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Hits in proxy = 931 and counting on the deny, 0 on the allow (i am assuming this is bad) Yup, that's the problem. Not sure what's wrong, though. It should work based on what you posted. Any chance of upgrading the router past 4.14? 4.17 is the latest in the 4.x train, otherwise 5.8 is the most rece...
by fewi
Tue Nov 22, 2011 7:24 pm
Forum: Beginner Basics
Topic: how to setup logserver
Replies: 8
Views: 4544

Re: how to setup logserver

The best fit answer is still NetFlow.
by fewi
Tue Nov 22, 2011 7:22 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Superficially that looks fine. Devil in the details though. A couple more things to check: - when you resolve myaccount.succeed.net on the client, does it resolve to 74.116.200.5? - when you check the hits on the two proxy access rules, does the rule that permits traffic to 74.116.200.5 have any hit...
by fewi
Tue Nov 22, 2011 7:06 pm
Forum: General
Topic: Redirecting to Payment Reminder causes loop [SOLVED]
Replies: 13
Views: 2399

Re: Redirecting to Payment Reminder causes loop

Post your actual config.

The most likely cause is quite simply that you didn't properly allow traffic to the server hosting the payment information, causing the proxy to redirect people to it, it being disallowed, causing the proxy to redirect, and so on.
by fewi
Tue Nov 22, 2011 6:38 pm
Forum: General
Topic: PPTP site to site problem
Replies: 4
Views: 1583

Re: PPTP site to site problem

Let's assume the HQ network is 10.0.0.0/8 and the Mikrotik router LAN is 192.168.0.0/16. The PPTP tunnel has 172.16.1.1 on the HQ router, and 172.16.1.2 on the Mikrotik router. On the HQ router you need to add a route to 192.168.0.0/16 with a next hop of 172.16.1.2. On the Mikrotik router you need t...
by fewi
Tue Nov 22, 2011 2:35 pm
Forum: Wireless Networking
Topic: how many walls can i blast through??
Replies: 1
Views: 479

how many walls can i blast through??

Depends on the walls, and what is on the other end. And no, describing the walls and what is at the other end in a paragraph won't help. That question is impossible to answer, and doesn't make any sense to ask in the way you asked it. You may want to read about some wireless basics - the CWNA traini...
by fewi
Tue Nov 22, 2011 2:32 pm
Forum: Beginner Basics
Topic: how to disable ssh access on public interface of mikrotik
Replies: 1
Views: 4140

how to disable ssh access on public interface of mikrotik

Either adjust the listening ACL under IP services, or write a firewall filter that drops SSH in the input chain for packets that come into the router via the WAN interface.
by fewi
Tue Nov 22, 2011 2:26 pm
Forum: Beginner Basics
Topic: Hotspot equivalent of the FORWARD chain
Replies: 1
Views: 415

Hotspot equivalent of the FORWARD chain

It's either still in the forward chain or got redirected to the Hotspot acting like a proxy and got torn into two connections, which makes it impossible to run a layer 7 filter on the traffic. Redirected traffic includes SMTP and HTTP. Tough you can restore traffic flow for authenticated clients via...
by fewi
Mon Nov 21, 2011 3:45 pm
Forum: Beginner Basics
Topic: VLANs for Dummies
Replies: 14
Views: 5282

Re: VLANs for Dummies

What do you have to put in place to get access to one device on VLAN/subnet 1 from a device on VLAN/subnet 2 ? I'm thinking you need a static route - yet another thing I'm fuzzy on. Nothing. The router has interfaces on all VLANs so it just routes between them as long as the devices on the differen...
by fewi
Mon Nov 21, 2011 3:43 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

Re: IPv6 connectivity over an IPv4 infrastructure with tunne

When you create an account and an actual tunnel the tunnel detail page has a drop down menu for generating configuration for all kinds of vendors, including Mikrotik.
by fewi
Mon Nov 21, 2011 2:27 pm
Forum: Beginner Basics
Topic: IPv6 connectivity over an IPv4 infrastructure with tunnelbr.
Replies: 22
Views: 2962

IPv6 connectivity over an IPv4 infrastructure with tunnelbr.

If you get a tunnel from tunnelbroker.net their examples contain one for Mikrotik, copy and paste. From there it's just a matter of setting up a stateful filter just like for IPv4, except you have to let ICMPv6 through to customers so MTU path discovery works.
by fewi
Mon Nov 21, 2011 3:28 am
Forum: RouterBOARD hardware
Topic: Moving key from one router to another.
Replies: 7
Views: 3194

Re: Moving key from one router to another.

With RouterOS the license is tied to the install media, in this case the NAND on the router. You cannot transfer that license.
http://wiki.mikrotik.com/wiki/Manual:Li ... he_License
by fewi
Mon Nov 21, 2011 2:00 am
Forum: Scripting
Topic: How to get value if route is enabled?
Replies: 1
Views: 1782

Re: How to get value if route is enabled?

First of all, there's no "enabled" for routes - there is !disabled, though. Secondly, you can't compare to that either. You have to find the routes by attributes and then check if anything is returned. This should work: :if (([:len [/ip route find where comment="natlut" and !disabled]] > 0) and ([:l...
by fewi
Sun Nov 20, 2011 9:48 pm
Forum: Beginner Basics
Topic: how to reset Routerboard500?
Replies: 1
Views: 436

Re: how to reset Routerboard500?

Use Netinstall: http://wiki.mikrotik.com/wiki/Manual:Netinstall and reinstall the OS, making sure not to check the "keep configuration" checkbox. Or look up the manual for the exact model (500 is a series of models, not a model) and look for a configuration reset jumper. Not sure if the 500 series h...
by fewi
Sun Nov 20, 2011 9:45 pm
Forum: General
Topic: Hotspot and Address Lists
Replies: 3
Views: 956

Re: Hotspot and Address Lists

That's simply not supported. The only supported way to bypass clients by IP is the "/ip hotspot walled-garden ip" section, which automatically and dynamically creates entries in the hs-auth and hs-auth-to firewall filter chains. That section doesn't take address lists, so you can't use address lists...
by fewi
Sun Nov 20, 2011 5:55 pm
Forum: Beginner Basics
Topic: VLANs for Dummies
Replies: 14
Views: 5282

Re: VLANs for Dummies

I'm also a bit unclear as to the practical differences between VLANs and just putting devices on different subnets. As I understand it, subnets isolate the broadcast between them, but again I'm still fuzzy on the whole thing. That's more or less it. "Subnet" or "network" is a different way to say "...
by fewi
Sun Nov 20, 2011 5:26 pm
Forum: General
Topic: RouterOS v5.8 released
Replies: 182
Views: 86981

Re: RouterOS v5.8 released

Not necessarily a bug - everything that isn't specified is considered 'idle', isn't it? So this could be a run away process that isn't explicitly listed. Take a supout.rif and send it to support@mikrotik.com
by fewi
Sun Nov 20, 2011 4:10 pm
Forum: Forwarding Protocols
Topic: PROBLEM ALLOWING CAMERA TRAFFIC OUT OF HOTSPOT (GARDENWALL)
Replies: 3
Views: 1141

PROBLEM ALLOWING CAMERA TRAFFIC OUT OF HOTSPOT (GARDENWALL)

Just ping the camera, then look at the ARP table of the router.
by fewi
Sat Nov 19, 2011 10:37 pm
Forum: Wireless Networking
Topic: Wireless Not Broadcasting
Replies: 18
Views: 8445

Re: Wireless Not Broadcasting

That's very confusing. There's no DHCP server set up. Also, your IP addressing on the WLAN interface is wrong - /32s are host addresses, that won't work. You should start by reading basic tutorials such as this: http://wiki.mikrotik.com/wiki/How_to_configure_a_home_router Then later expand to wirele...
by fewi
Sat Nov 19, 2011 10:33 pm
Forum: Beginner Basics
Topic: DHCP in Mikrotik
Replies: 2
Views: 625

Re: DHCP in Mikrotik

a) configure a normal DHCP server and get leases on all clients b) go to IP > DHCP Server > Leases and convert all the leases to static (in Winbox right click the lease and select "Make Static", on the CLI use "/ip dhcp-server lease { make-static [find] }" c) set the IP pool of the DHCP server to 'n...
by fewi
Sat Nov 19, 2011 9:34 pm
Forum: Wireless Networking
Topic: Wireless Not Broadcasting
Replies: 18
Views: 8445

Re: Wireless Not Broadcasting

Post the output of "/ip address print detail", "/ip route print detail", "/interface print detail", "/ip pool print detail", "/ip dhcp-server export", "/ip dhcp-server print detail", and "/ip firewall export". Wrap output in
 tags to keep it readable.
by fewi
Sat Nov 19, 2011 9:09 pm
Forum: Wireless Networking
Topic: Wireless Not Broadcasting
Replies: 18
Views: 8445

Re: Wireless Not Broadcasting

Thanks for the help Fewi.. Now, I got everything to broadcast. Now, I'm not getting a default gateway from the router. I've been reading over the wiki articles but I'm not getting very far. Now, when I setup the DHCP to pass out IP address, I want to set the interface to the WLAN correct? Since use...
by fewi
Sat Nov 19, 2011 4:15 am
Forum: General
Topic: Local access restriction
Replies: 3
Views: 762

Local access restriction

Then what you should really do is create a virtual AP so you can run the hotspot on a completely separate network, or just put a different IP network on the radio if you don't need it for the LAN. Then you can use the IP firewall to regulate traffic between the two networks because they will be diff...
by fewi
Sat Nov 19, 2011 4:13 am
Forum: General
Topic: local access
Replies: 1
Views: 322

local access

Is this related to anything? Did you mean to post a reply instead of a new thread?
by fewi
Sat Nov 19, 2011 4:12 am
Forum: General
Topic: Port Forwarding working only on first Nat rule
Replies: 7
Views: 1111

Port Forwarding working only on first Nat rule

Not sure, I don't have winbox available. It should say "destination port" somewhere near where you pick TCP as a protocol, going by memory.
by fewi
Sat Nov 19, 2011 3:35 am
Forum: General
Topic: Port Forwarding working only on first Nat rule
Replies: 7
Views: 1111

Port Forwarding working only on first Nat rule

xxx is my WAN ip [admin@MikroTik] > ip address print detail without-paging Flags: X - disabled, I - invalid, D - dynamic 0 ;;; added by setup address=192.168.1.1/24 network=192.168.1.0 interface=LAN actual-interface=LAN 1 ;;; added by setup address=xxx.xxx.xxx.116/24 network=xxx.xxx.xxx.xxx interfa...
by fewi
Sat Nov 19, 2011 3:29 am
Forum: Wireless Networking
Topic: Wireless Not Broadcasting
Replies: 18
Views: 8445

Wireless Not Broadcasting

Sort of. Text exports work better - check out the wiki manual on "configuration management". That said your screenshots do show what is wrong. First you should set a country so you are sure to comply with your regulatory domain. Not doing so doesn't make the cops come on over, but it would potential...
by fewi
Sat Nov 19, 2011 2:39 am
Forum: Wireless Networking
Topic: Wireless Not Broadcasting
Replies: 18
Views: 8445

Wireless Not Broadcasting

Post your config.
by fewi
Sat Nov 19, 2011 2:38 am
Forum: RouterBOARD hardware
Topic: bad blocks =36
Replies: 9
Views: 2429

bad blocks =36

It's not a problem, so there is no need for a solution. It's normal for some blocks to be declared bad due to many write cycles.

What is a problem is over 700k write cycles in 9 hours of uptime. What are you doing to have the router do so much disk IO?
by fewi
Sat Nov 19, 2011 12:54 am
Forum: General
Topic: Feature request: report wrong package type on update
Replies: 13
Views: 2037

Feature request: report wrong package type on update

Updating happens outside of RouterOS. When the router is running there are just files in the file system. When the router reboots right after the boot loader the router checks for those files and tries to install them, and them boots into the OS. You could take a lab unit and figure out what topics ...
by fewi
Sat Nov 19, 2011 12:15 am
Forum: General
Topic: Feature request: report wrong package type on update
Replies: 13
Views: 2037

Feature request: report wrong package type on update

I'm pretty sure it says in the logs that it was the wrong package type. Did you check the logs after a botched upgrade? Until you reboot it's just files like any other to the router, so it can't know until you've rebooted. Though it might be nice to have a new "system package verify-files" command y...
by fewi
Fri Nov 18, 2011 8:49 pm
Forum: Beginner Basics
Topic: View DNS query
Replies: 2
Views: 1503

Re: View DNS query

Not directly. Of course you can use torch or traffic capture or even just a filtered view of the IP firewall connections to see the destination address of DNS packets that have the router as the source. It doesn't really have a choice, though. Whatever servers are listed in "/ip dns" are the only DN...
by fewi
Fri Nov 18, 2011 8:48 pm
Forum: General
Topic: Slow RDP performance over IPSEC
Replies: 5
Views: 3244

Re: Slow RDP performance over IPSEC

Instead of just adjusting the MTU also force the MSS to be small enough to fit into the packets that now also have an IPsec header. See the FAQ for details on how to: http://wiki.mikrotik.com/wiki/Manual:RouterOS_FAQ#TCP.2FIP_Related_Questions I didn't do the math for this but 1360 bytes should be a...
by fewi
Fri Nov 18, 2011 8:46 pm
Forum: General
Topic: pcq problems
Replies: 3
Views: 829

Re: pcq problems

The export you posted above is wrong. Download should be using dst-address as the qualifier, upload should be having src-address as the qualifier. You have it the wrong way around. Think about it this way. For client download from the router's perpective the router is sending stuff to the client, so...
by fewi
Fri Nov 18, 2011 1:38 pm
Forum: General
Topic: Local access restriction
Replies: 3
Views: 762

Local access restriction

Traffic on the same network doesn't go through a router, those nodes talk directly. You cannot block that on the router.

Unless they're wireless clients, in which case you need to turn off default forwarding on the wireless interface.
by fewi
Fri Nov 18, 2011 1:36 pm
Forum: General
Topic: Adding BGP prefix to address-list
Replies: 3
Views: 639

Adding BGP prefix to address-list

Got some more details about what you're trying to do, and why?
by fewi
Fri Nov 18, 2011 4:38 am
Forum: General
Topic: Questions regarding Hotspot/IP Bindings
Replies: 1
Views: 604

Re: Questions regarding Hotspot/IP Bindings

You can view them via "/ip hotspot host print where bypassed". They don't show up in the active tab because they aren't logged in - only logged in users show on that tab. You can probably filter similarly via Winbox, I'd imagine. You cannot easily assign bypassed hosts a per user rate limit. They li...
by fewi
Thu Nov 17, 2011 7:49 pm
Forum: General
Topic: only 200 user can connect with DMA radius manager !
Replies: 2
Views: 687

Re: only 200 user can connect with DMA radius manager !

200 users happens to be the Hotspot limit for level 4 licenses: http://wiki.mikrotik.com/wiki/Manual:License

What level license are you running on the Mikrotik router?
by fewi
Thu Nov 17, 2011 1:38 pm
Forum: Beginner Basics
Topic: Winbox vs. Webfig
Replies: 10
Views: 6860

Winbox vs. Webfig

Webfig needs the browser. Compared to winbox this is a giant software consuming a lot of resources. I like tiny little software which just does the job it is made for. I've linksys switches which need Internet Explorer. A Funkwerk Voip-Solution which only works correct with Firefox... Winbox just w...
by fewi
Thu Nov 17, 2011 1:37 pm
Forum: General
Topic: how to disable dynamic IP in hotspot?
Replies: 3
Views: 1116

how to disable dynamic IP in hotspot?

http://wiki.mikrotik.com/wiki/Manual:IP ... P_Bindings

Make an IP binding of type blocked.
by fewi
Thu Nov 17, 2011 2:43 am
Forum: General
Topic: Simple P2P detection fails utterly
Replies: 3
Views: 995

Re: Simple P2P detection fails utterly

This leads me to suspect that "all-p2p" isn't anywhere near as comprehensive as its name suggests. It's not. It's a very old, built in matcher. The p2p protocols since then have evolved a lot, so it doesn't match a lot. It'll probably catch eMule traffic and whatnot...it's mostly useless today. Is ...
by fewi
Thu Nov 17, 2011 12:37 am
Forum: Scripting
Topic: HTTPD Server monitor/failover
Replies: 3
Views: 989

HTTPD Server monitor/failover

Write a script that fetches a page from the server. Then check if the file exists. If it doesn't then the server is down, so fire your down event. Then delete the file.

Schedule that to run as appropriate.

Keep in mind this will cost you quite a few write cycles on NAND.
by fewi
Wed Nov 16, 2011 9:25 pm
Forum: General
Topic: Questions about ECMP blance and PCC blance ???
Replies: 1
Views: 415

Re: Questions about ECMP blance and PCC blance ???

PCC does not have the problems associated with ECMP.
by fewi
Wed Nov 16, 2011 8:24 pm
Forum: Beginner Basics
Topic: Site - Site
Replies: 10
Views: 1597

Re: Site - Site

Cool, I put them on my reading list. Appreciate it. Aware of the man, of course, but always thought the books would be too technical. Will give them a shot.
by fewi
Wed Nov 16, 2011 2:44 pm
Forum: General
Topic: how to disable dynamic IP in hotspot?
Replies: 3
Views: 1116

Re: how to disable dynamic IP in hotspot?

Set the address pool of the Hotspot instance as well as all user profiles used by it to 'none'.
by fewi
Wed Nov 16, 2011 1:42 pm
Forum: Beginner Basics
Topic: Site - Site
Replies: 10
Views: 1597

Site - Site

I honestly love nothing more in these forums than being corrected when I'm hopelessly wrong and learning something in the process. Appreciate the info. I know way too little about the actual crypto implementations and maths behind it all. On that note: got any suggestions for a book that introduces ...
by fewi
Wed Nov 16, 2011 1:33 pm
Forum: General
Topic: upgrade of license....
Replies: 7
Views: 976

upgrade of license....

Yes. You bought a CPE, not an AP.
by fewi
Tue Nov 15, 2011 3:18 pm
Forum: General
Topic: DNS-based routing?
Replies: 8
Views: 2133

Re: DNS-based routing?

The built in resolver only returns one A record. You could do this with an external box checking IP space and making API calls. If you're using NAND based routers keep in mind that this could cause a huge amount of write cycles to NAND depending on how many API calls you make to update address lists...
by fewi
Tue Nov 15, 2011 3:16 pm
Forum: General
Topic: Hotspot logins
Replies: 4
Views: 671

Re: Hotspot logins

No, but that's not because of the RADIUS server. RouterOS won't let you send RADIUS accounting records for non-RADIUS (local) accounts. A given RADIUS server like FreeRADIUS can certainly handle arbitrary RADIUS accounting records. The router just won't let you get them there. Though I'm not sure wh...
by fewi
Tue Nov 15, 2011 2:45 pm
Forum: Scripting
Topic: Script for mass change users profile in hotspot
Replies: 2
Views: 1510

Re: Script for mass change users profile in hotspot

Sure. All of them:
/ip hotspot user { set [find] profile=newProfileName };
by fewi
Tue Nov 15, 2011 2:44 pm
Forum: General
Topic: DNS-based routing?
Replies: 8
Views: 2133

Re: DNS-based routing?

You can't do DNS based routing on RouterOS.
by fewi
Tue Nov 15, 2011 4:57 am
Forum: RouterBOARD hardware
Topic: redirect suspended account / customer to specific page
Replies: 7
Views: 3465

Re: redirect suspended account / customer to specific page

Queues have nothing to do with that. Nothing at all.
by fewi
Tue Nov 15, 2011 1:56 am
Forum: Beginner Basics
Topic: Site - Site
Replies: 10
Views: 1597

Re: Site - Site

PPTP and L2TP use MPPE for encryption, which means RC4. RC4 is, for all intends and purposes, broken. It's the underlying mechanism for WEP, for example. It can rekey frequently, but RouterOS doesn't expose parameters for tweaking that. So where does that leave you? Depends. How valuable is the data...
by fewi
Tue Nov 15, 2011 1:26 am
Forum: General
Topic: Few questions about VRRP
Replies: 4
Views: 1703

Re: Few questions about VRRP

Ah, that makes more sense - VRRP on two different interfaces.

I have no practical experience with doing that on RouterOS (I run the WAN interfaces separately and not against a shared UP) and guessing won't help you, so I'm afraid I can't be of much help here.
by fewi
Tue Nov 15, 2011 1:21 am
Forum: General
Topic: DHCP option 82 - actual status in 2011
Replies: 3
Views: 814

DHCP option 82 - actual status in 2011

The switch inserts option 82. The router has nothing to do with it, it takes the broadcast it receives from the switch with option 82 already in it and unicasts it against the DHCP server when performing relay. It should work. Can't say I've tried it, mind.
by fewi
Mon Nov 14, 2011 9:37 pm
Forum: General
Topic: Rate Limit on VLAN interface
Replies: 3
Views: 1606

Re: Rate Limit on VLAN interface

So set the max-limit of the simple queue higher than 2Mbps. Can you describe the problem you're having in more detail, and add output from the router? What are you trying to do? Both describe it in words, and show the relevant exported configuration you applied. What did you expect that configuratio...
by fewi
Mon Nov 14, 2011 9:10 pm
Forum: General
Topic: Few questions about VRRP
Replies: 4
Views: 1703

Re: Few questions about VRRP

1) that's the virtual IP address shared by the routers. Whichever router is the master has that IP address, when the master goes down a backup router jumps in and takes over for that IP address. This IP is separate from the unique IPs each router also needs. A common design is to have .1 be the virt...
by fewi
Mon Nov 14, 2011 4:58 pm
Forum: Wireless Networking
Topic: Using a backhaul and routing thru it.
Replies: 6
Views: 1252

Re: Using a backhaul and routing thru it.

It can't see that. It just sends traffic to the Mikrotik in the business area, which then makes routing decisions based on the source addresses generating traffic behing the Mikrotik in the rural area. In other words, all routing policy is contained within the business area MT that has the PPPoE upl...
by fewi
Mon Nov 14, 2011 3:14 pm
Forum: Wireless Networking
Topic: HotSpot for 2000 users
Replies: 2
Views: 1536

Re: HotSpot for 2000 users

a) The RB1100-AHx2 (which isn't out yet) should be able to handle 2,000 users, but to make sure you'd want to get an x86 box. This is the easy part. b) You would need a minimum of 50 APs for 2,000 users (40 clients per radio is about as high as you'd want to go for a low bandwidth application). Give...
by fewi
Mon Nov 14, 2011 3:09 pm
Forum: General
Topic: blank bridge mac address
Replies: 1
Views: 453

Re: blank bridge mac address

Depending on the model you could use the serial port to gain access.
by fewi
Mon Nov 14, 2011 3:36 am
Forum: Wireless Networking
Topic: Using a backhaul and routing thru it.
Replies: 6
Views: 1252

Re: Using a backhaul and routing thru it.

Yes. Use the IP firewall mangle section to mark connections, and to mark routing based on connection marks. Then have routes out via specific interfaces for those routing marks. Your post is kind of shy on details, so this is a made up example. Traffic to/from 192.168.1.10/32 will be routed out a co...
by fewi
Sun Nov 13, 2011 4:12 pm
Forum: Beginner Basics
Topic: how to block website
Replies: 12
Views: 34877

Re: how to block website

Blocking lots of sites via the proxy is unfeasible.

Use OpenDNS for DNS, and set up the account to not permit adult sites.

Then destination NAT all Hotspot DNS traffic to OpenDNS, and let PPPoE users use 'full view' DNS servers so they have access to everything.
by fewi
Sun Nov 13, 2011 4:10 pm
Forum: General
Topic: Hotspot logins
Replies: 4
Views: 671

Re: Hotspot logins

I don't think you can do this with User Manager, but you could certainly do this with FreeRADIUS with a SQL backend. It's going to require you to customize the RADIUS server, though. The general approach could be something like this: Use SQL for authentication as well as accounting. Have the router ...
by fewi
Sun Nov 13, 2011 3:10 pm
Forum: General
Topic: Multicast File Delivery
Replies: 3
Views: 402

Multicast File Delivery

You can't run your own programs inside routerOS.
by fewi
Sat Nov 12, 2011 10:42 pm
Forum: General
Topic: Multicast File Delivery
Replies: 3
Views: 402

Multicast File Delivery

No, you cannot. There's no service in RouterOS that lets you write wirelessly received data to a file.
by fewi
Sat Nov 12, 2011 4:44 pm
Forum: Beginner Basics
Topic: Hotspot redirecting to status
Replies: 3
Views: 835

Hotspot redirecting to status

The router always redirects to alogin.html after successful login. By default that page in turn redirects to the original page the user requested before being intercepted by the hotspot. Replace alogin.html with your own content that does not do that and you will be all set.
by fewi
Sat Nov 12, 2011 4:43 pm
Forum: General
Topic: Ramdisk above 2 GB
Replies: 1
Views: 413

Ramdisk above 2 GB

Nope.
by fewi
Sat Nov 12, 2011 3:56 pm
Forum: Beginner Basics
Topic: Hotspot redirecting to status
Replies: 3
Views: 835

Hotspot redirecting to status

Just edit alogin.html to contain whatever you want to show people.

This manual page contains all you need to know: http://wiki.mikrotik.com/wiki/Manual:Cu ... ng_Hotspot
  • 1
  • 2
  • 3
  • 4
  • 5
  • 26