MikroTik

krakenant

An update, we have a cloudcore on 6.7 running around 5000 users in the active tab (we aren't cleaning out idle or dead host sessions for 12 hours) without radius specified queue rules and it is working well. The only issue we have is DNS, the box can't keep up with the low TTL entries, and it over r...

krakenant

Depending on how crazy you get with your config you can probably get away with an 1100AHx2.

krakenant

The CCR plateau is still happening on a CCR1036 running 6.4 (6.5 is broken). With more than 400 users the bandwidth stays flat around 75Mbps, there are over 150Mbps available to this device. Something is not optimized for hotspot usage on the CCR. I sent an email with my last ticket, not sure if it ...

krakenant

I was unable to import a certificate on 6.5 on CCR1036, the window just hung, downgraded to 6.4 and it worked with no problem.

krakenant

The below should work. change the bridge name as needed, and you could even change it to specify wireless, eiop, ethernet etc.

:foreach int in=[/interface find] do={/interface bridge port add bridge=bridge interface=[/interface get $int name]}

krakenant

I'm going to test a RB912UAG-2HPnD in an 3rd party enclosure ( StationBox S ) as an outdoor AP. just waiting for the antenna (2x2 mimo omni ).

This is what we do.

krakenant

How does one get to test this feature?

krakenant

Normis, do you have any idea when all aspects of ROS will be optimized for the Tilera Chipset? We keep trying it and different parts fail. Right now the issue is throughput on a hotspot when we get above about 400 users. We have X86 devices that can do 3 times the number of users and bandwidth.

krakenant

From our experience the CCR isn't ready for hotspot use. The traffic on one of our sites had a negative trend where the bandwidth passed was lower when more users were online. This was contrary to what we experience with our X86 box as well as being contrary to logic.

krakenant

:put [/system resource get uptime]

krakenant

A network diagram and a redacted exported config would be a good start.

krakenant

:if ([/interface bridge port find where interface=$INTNAME] = "") do={} else={}
Alternatively if you want it o do something if it isn't blank:
:if ([/interface bridge port find where interface=$INTNAME] != "") do={} else={}

krakenant

:local INTNAME ether1 :put [/interface bridge port find where interface=$INTNAME] Everything after the :put will return nothing if it isn't in a bridge or a unique identifier if it is in the bridge. You could also add disabled=no and bridge="bridge1" to specify if the port is disabled in t...

krakenant

There is obviously something they haven't optimized yet that gets affected by having many users log into the device via the hotspot, whether that is NAT, Queues, etc. They should be able to deduce where it still needs to be optimized to work with large amounts of users given they should know what ha...

krakenant

MikroTik, I don't know what you have or haven't done, but the CloudCore is junk right now. We are running a hotspot with minimal firewall rules, a simple queue for each user based on a radius attribute and that's it. The unit is on 250Mbps fiber. The top image is from last night with the CCR, the bo...

krakenant

Put a 10 second delay before running the rest of your script. Also, make sure the entirety of the script (minus the delay) is surrounded by {}. I have a feeling MikroTik broke a lot of scripts when they changed the way imported scripts run.

Code for the delay
:delay 10s

krakenant

Regarding VLANs and bridges. If one makes a VLAN with a bridge as it's "interface" then attempt to add the VLAN as a bridge port on the bridge that is it's interface, it crashes the router and the router requires a restart. Is there a way you can either fix that behavior so that it doesn't...

krakenant

I think that port mirroring is a switch chip function, the cloud core doesn't use a switch chip.

I could be wrong, but that makes sense.

krakenant

No !
In fact it shows zero for all active Hotspot users Tx Rate

If you are doing per user queues, you will notice that those don't work either.

I submitted this bug weeks ago along with another bug and apparently this one got overlooked.

krakenant

MikroTik, Have the firewall and queue multi threading optimizations made it into the latest releases? There haven't been any specific mentions of it. normis wrote: RC7 currently Firewall doesn't have optimization for 36 cores, we will deliver that as soon as possible, and your performance should inc...

krakenant

MikroTik, Have the firewall and queue multi threading optimizations made it into the latest releases? There haven't been any specific mentions of it. normis wrote: RC7 currently Firewall doesn't have optimization for 36 cores, we will deliver that as soon as possible, and your performance should inc...

krakenant

MikroTik, Have the firewall and queue multi threading optimizations made it into the latest releases? There haven't been any specific mentions of it. RC7 currently Firewall doesn't have optimization for 36 cores, we will deliver that as soon as possible, and your performance should increase some 25-...

krakenant

Duplicate or delayed bridges would explain some of the DHCP server issues I ran into.

krakenant

I try not to bust your chops too much on beta and release candidate bugs, but the bugs I have come across with the CloudCore Router and DHCP are borderline reprehensible. The config we are using works everywhere on every piece of equipment on 5.22. On the latest RC7, DHCP doesn't work with a src add...

krakenant

Any chance you could make one of those. The groove and the Metal options have not worked well for us, and we need an outdoor AP for 2.4Ghz for clients.

krakenant

Enable both chains, set power mode to card rates, set tx power to 18dBm

krakenant

We have a database we keep all of our units in, we use an arbitrary (read sequential) numbering system. We use these arbitrary numbers as reference numbers and as the tunnel ID in reference to the unit. We are nearing the point where any new units won't be able to use existing scripts and EOIP tunne...

krakenant

Would it be possible to increase the allowable numbers for the tunnel ID above 65,535?

krakenant

per-connection-classifier=both-addresses:Y/X Divide by Y, X is the remainder Valid values for X will be 0 through Y-1. Lets say the hash comes up with a 6 for a given packet based off of the source and destination addresses and then 5 for another. 6 divided by 2 leaves no remainder, thus your rule w...

krakenant

Theoretically, though it depends on how much bandwidth you are feeding it and if you are doing per user bandwidth queuing.

ROS6 would help if you are doing per user bandwidth queuing..

krakenant

How does one get access to RC3 if it isn't showing up in ones account?

krakenant

I would kick $50 towards an App I can put on my phone that would allow me to run a Btest to a MikroTik router or AP.

krakenant

How are you planning to output it?

The below will put it in the terminal window for you.

:foreach int in=[/ip hotspot active find] do={:put [/ip hotspot active get $int mac-address]}

krakenant

http://forum.mikrotik.com/viewtopic.php?f=2&t=39906

That post is how I do it.

krakenant

Pavlan how many ports do you have on your bridges?

krakenant

That is far better speeds than I have been able to get on the RB751 (Not gigabit version), what speeds are you expecting? 6MBps isn't bad for the RB751, best real time throughput I have been able to get is 35Mbps.

krakenant

Did some toying around with the settings.

First, always disable chain 0 TX. That has been the single largest contributor to getting decent bandwidth.
If using N only, use advanced rates.
If using B G N use default rates.

I can get 35Mbps TCP throughput over it.

krakenant

We have thousands of RB751 devices installed to cover end users in buildings. There are many occasions where even if their signal is good they operated in B mode.

Not to compare MikroTik to Belair, but Belair has a mode to disallow B, so obviously there is some merit to the idea.

krakenant

I would love for there to be a way to exclude B mode but keep G and N mode without having to set custom rates.

krakenant

I am guessing you have something in your config that is causing the issue. If the DSL router is doing NAT, you need to specify it as your default gateway and not the ISPs public default gateway for your DSL line. Open new terminal and do a /export compact and post the results, it will be easier to a...

krakenant

Disable chain0 TX. That did it for us.

krakenant

The question marks are called diplexors, they split different frequencies into different lines, commonly used in the coax and satellite world.

krakenant

Thanks for validating what we found, though we were able to go much higher, at least with decent signal strengths.

Anyone else try it?

krakenant

Try disabling the TX on chain 0, that is what we found did the most good for us. It halves your TX power, but really, what consumer device really needs 1W of power from an AP. We have about 1500 RB751U devices out in the field. Let me know if this helps you too. Fairly certain the issues have someth...

krakenant

That is the way I do it. Excel is your friend in these instances, place the URLs in a column then use excel formulas to create your command line for each instance and use that as your script.

krakenant

It looks like you can mirror any physical ethernet port to another physical ethernet port. However, the MikroTiks have a built in packet capture client. It can capture all traffic coming into or going out of a port and allow you to view it with the built in packet capture client, or save it to a fil...

krakenant

Thanks, not sure how I missed that before, I was relying on the wiki though.

krakenant

What are the parameters/formats accepted for the VPLS ID? Looking at the default it is 0:0.
Is there a maximum on the number on either side of the colon?
Do the numbers on either side of the colon be the same?
Is the Colon necessary?

krakenant

C.Brown would you mind posting your /interface wireless export

We are having similar issues at some sites and I would like to compare our config to your working one.

krakenant

Any word back on this? I just got my first report of it and we are schedule to roll out more RB751s to our customers.

krakenant

Splunk is pretty handy if you have a lot of data. Not sure on cost, but they have a trial version.

krakenant

Long story short, we have an x86 hotspot controller on 5.14. The physical network is a flat layer 2 network with no VLANs, running across VDSL modems to switches. We had about ~200 user facing MikroTik RB751U units running user traffic back to the controller across EOIP tunnels with the EOIP tunnels...

krakenant

Long story short, we have an x86 hotspot controller on 5.14. The physical network is a flat layer 2 network with no VLANs, running across VDSL modems to switches. We had about ~200 user facing MikroTik RB751U units running user traffic back to the controller across EOIP tunnels with the EOIP tunnels...

krakenant

We use routertools in conjunction with the dude.

www.routertools.com.au

krakenant

For text parsing to work correctly you have to have a set format. In this case, if there was never an @ anywhere but at the end of the date you could do the below: :local comment [INSERT CODE TO RETRIEVE COMMENT HERE] :local dateend [:find $comment "@"] :local datebegin ($dateend - 10) :lo...

krakenant

Are you using HTTP or HTTPS for your redirect? We found that HTTPS redirects did not work with 5.9.

krakenant

If using a bridge on your hotspot router, you can create an access list type environment where you accept packets with a source IP that you recognize as a good source IP for the CPEs, and then drop everything else. If you are using DHCP you want a rule to allow that as well. I do this to prevent mob...

krakenant

Anyone have any idea why I can't add a GRE tunnel to a bridge, hotspot, or DHCP server? I can do so with EOIP which is basically GRE with some stuff added. How am I supposed to answer DHCP requests coming over the GRE tunnel if I can't treat it as a normal interface?

krakenant

If you posted your current set up, it would be beneficial. I assume your setup is something like the below AP1 Radio 1 - Backhaul Radio 2 - Access for clients AP2 Radio 1 - connected to AP1 Radio 1 for backhaul Radio 2 - Access for clients Etc. If so, over the backhaul radios, create a routed networ...

krakenant

We do an IP binding for that subnet. It disables the NAT and allows the users unfettered access.

krakenant

You can use netinstall over a serial cable to get back into the device.

krakenant

I have seen this as well on atleast one unit. The issue persisted through every firmware upgrade and downgrade all the way to 3.x to 5.2.

krakenant

This would be my suggestion:
http://wiki.mikrotik.com/wiki/Transpare ... using_MPLS

krakenant

I was actually able to do it (on accident) with two modems on the same IP segment. IE the MikroTik will do it. Ended up fixing the issue and sending things where they needed to go properly, but it was working for a while.

krakenant

Not saying it is possible but if one wanted to do this, they would set their default route to use the default gateway for ISP 1 and then create a source NAT rule using the IP of the ISP 2 connection.

krakenant

Set the PCC type to src-address only. otherwise it can cause other problems with banking sites etc.

krakenant

See the second half of my last post in this thread:
http://forum.mikrotik.com/viewtopic.php?f=2&t=39906

krakenant

The way I do it is thus:
Create bridge1
Create bridge2
Put address 192.168.1.1/24 on bridge1
Put address 192.168.2.1/24 on bridge2
Add Ether2 to bridge2
Create Vlan20 with bridge2 as the parent
add ether1 to bridge1
add ether2VLAN20 to bridge1
Profit...

krakenant

They were all working with 5.0. Then I added some mangle rules and a couple of routes that used those mangle rules. Since then my scripts that were working, no longer work due to being unable to find an active route with a dst-address of 0.0.0.0/0 despite there being one and nothing with that route ...

krakenant

Your options are 802.3af or a wall wart and a dongle. For the routerboard series that don't accept 802.3af you need a dongle anyway to plug into the PoE switch. Ubiquity makes some called instant 802.3af.

Unfortunately a wall wart and a dongle is likey your cheapest and best option.

krakenant

Try extending it one step further. Create a bridge, and place the single VLAN in that bridge. Do the same for your other VLANs and see if that gets what you want. If it doesn't create some filter rules to prevent the VLANs from crossing. Also, make sure that you do not have any IP properties or DHCP...

krakenant

I am starting to have issues with routes now. I have two routes (at least)that multiple x86 units, two on 5.2 and two on 5.0, won't find. The route is there, I can export or print and it is there, but if I do a print or a find where I specify a dst-address, the query returns nothing. It broke two of...

krakenant

I just got done with a load balancing (Round Robin /24 networks) and VRRP failover setup for a large venue. I just looked at it and it is around 1300 DHCP leases and 800 authenticated users. It took a ton of work to get everything right, mostly in bridge filter rules to keep the hotspots from floodi...

krakenant

You have to do a for or while command for it to loop. One thing I did to loop it was to add a counter logic, and while the counter was less than a number, continue running the while loop with a 1s delay at the end until the counter was higher than the timer. I basically set it so that when the count...

krakenant

The command line session.

krakenant

A couple of things that I would like to see: Have dst-MAC added as an available option. Currently SRC-MAC is an option but not DST-MAC address. Thus we cannot create a rule to log any traffic to or from a MAC address on a network that does DHCP. If the users address were to change, we have to reconf...

krakenant

Could you also add SRC-MAC address to the available options. We want to be able to set rules so that once a MAC address comes on the network, all traffic to and from that MAC address are automatically captured. Currently only the SRC-MAC is an option.

krakenant

The issue here is likely routing. Without more info on your setup, I can't give you a certain answer. You can only have one route to a given destination active at any given time, unless the route is for a specific packet/routing mark. Essentially, the IP all have the same default gateway, so only on...

krakenant

I have noticed that happens on just about anything. If you remove a setting that another is dependent on it goes red and appears not to work. In relation to VLANs still passing traffic it may be a bug but I can't really say.

krakenant

So we were doing some testing and I noticed an odd bug in both 4.11 and 4.6. When running a ping via the tool>ping utility in Winbox, it uses the computer's DNS settings to resolve host names, not the DNS of the MikroTik. Our confirmation steps are below. Set valid DNS on the MikroTik. Set your comp...

krakenant

Possibly permissions on the scheduler event? Generally that is what I forget to set.

krakenant

Add the Ethernet interface to a bridge.
Create the VLAN interfaces with the bridge as the parent interface.
Add those VLAN interfaces to another bridge. You cannot add them to the same bridge as the Ethernet interface.

krakenant

There is a graphing option under tools that can track it for you.

krakenant

I think I may have figured it out. Will write back once I have time to test.

krakenant

I am running into the problem, I have played around with it some, but most of the work I have done has been on production environments that I couldn't break. Essentially what I have is the need to hook multiple DSL modems into a routerboard, draw DHCP addresses. some of which might be in the same su...

krakenant

So per the rules we are marking the packet, not just the connection. When I switched the mangle rules to mark the connection and not the packets, it stopped causing the packet loss. Now I just need to figure out how to get a queue to work on connection mark, not just packet mark if that is even poss...

krakenant

Not as far as I can tell. I ran a test where I exempted our public IP and it still happened.

krakenant

Free MEM is flat at almost 450MB, We haven't been able to discern a CPU spike, though that was my first thought.

krakenant

We are attempting to severely limit filesharing at some of our sites. We have had these same rules working with several boxes that use radius authentication and everything is fine. However at a couple of sites that we are using an on board redirect and authentication, these same rules will cause pac...

krakenant

As I said, Radius doesn't work like that. It's not supported by Mikrotik, not supported by the industry at large. You'll have a hard time finding a NAS device which will allow you to do what you want. The HP MSM series access controllers allow it, so do Nomadix devices. We are using them for hotspo...

krakenant

Doesn't work like that. NAS-Identity is normally the hostname of the router (set in system identity on MT). If your identities are the same for what ever reason, it's bad designing IMHO. See if you can do something using NAS-IP-Address instead, surely, you can't have NAS devices with the same IP ad...

krakenant

I want/need the ability to set the NAS ID to be different for different radius profiles. if I use that method, all the radius profiles use the same NAS ID.

krakenant

The NAS identifier sent seems to be the Identity of the system, I haven't found a way to change this. Could a NAS Identifier field be added to the radius profile such that you can change the NAS Identifier for different radius profiles.

krakenant

are any of the interfaces on a bridge?

krakenant

I might be wrong but this is how I remember it being explained. The 802.11 standards allow for only one MAC address to be transmitted over the wireless. So in order for it to act as a bridge, you need to encapsulate the packets, such that the wireless cards only see one MAC address. Enter EOIP, WDS,...

krakenant

Add a bypass IP binding for the Radios.

krakenant

Ahh, then yes, using Ether1 Might be the problem.

krakenant

I thought the firewall was on Ether5.

Unless you set up Ether1 for VLAN trunking, the VLANs wouldn't be seen by Ether1. The VLAN tags would be stripped off at the bridge.

krakenant

Create an EOIP tunnel between them. If your hotspot isn't assigned to a bridge on the remote end, create a bridge, assign the interfaces you normally have the hotspot assigned to to this bridge. Then add the EOIP tunnel to the same bridge. On a MikroTik at your physical location, create a bridge, ad...

krakenant

What happens if you add a source address like the below:

chain=src-nat dst-address=A src-address=B dst-port=8291 protocol=tcp action=masquerade

krakenant

Is the entirety of your internet connection coming from the ADSL modem or is it coming from the firewall?

krakenant

Basically you do the following: On your access points: Create a bridge Add your wireless interface, and the LAN interface to this bridge Do this for any other access points you have. On your main MikroTik: Create a bridge Add the ethernet ports that your access points are plugged into to this bridge...

krakenant

If you are hooking a laptop directly to Ether5, you are not going to be able to ping the other devices because the traffic from the laptop is not being tagged. Try plugging ether 5 into your firewall, and try pinging from the firewall. If the routing in your firewall is set up correctly, the firewal...

krakenant

Can you post the exact masquerade rule? We generally specify the network under src-address like so:

chain=srcnat action=masquerade src-address=10.59.0.0/24 out-interface=WAN

krakenant

Can you get them both plugged into Ethernet and accessible from the internet? If you PM me access information I would be willing to try and set it up for you.

krakenant

Not exactly what I am looking for. Here is the description from the Belair Manual "When configured in secure port mode, the AP forwards to the associated wireless clients only those Layer 2 (Ethernet) frames for which the source MAC address and VLAN matches an entry its white list. The white li...

krakenant

These would be on Mikrotiks converted to APs, either wired or bridged. They wouldn't do any routing.

krakenant

Specifically DHCP, but windows broadcasts, etc. Belair has a feature that stops all broadcasts from going out the wireless interface, unless from a specified list of MAC addresses. I am looking to duplicate that feature. Any idea what to select in the firewall to target broadcast packets? I can figu...

krakenant

You are asking questions that have already been answered, in fact they have been answered so many times, they have WIKI articles. If you aren't willing to look for the answers, why expect other people to be willing to look them up for you? Using a simple Google search of "MikroTik wiki wireless...

krakenant

If the new network is exclusive to the original one(meaning they won't see eachother, you could make a private network on the LAN of the new MikroTik, and simply NAT their devices through the new IPs, though I think going ahead and making the static IP changes will be worth your time in the long run.

krakenant

Use mangle to mark the packets from the different subnets with different marks, then add default routes for them based on their marks.

krakenant

Sure it is possible, create a wireless bridge using the VPLS method on the wiki, I suggest using 5ghz for the bridge. Then, create the same SSIDs on the other wireless cards. If you don't know the MikroTik platform very well, I suggest reading and playing around with the setup, taking a course, or h...

krakenant

PM me your email address, we can discuss via Email.

krakenant

Use the below. This is port forwarding. if you need to do port mapping, you can change the dst-ports and to-ports.
/ip firewall nat add protocol=tcp dst-port=8080 action=dst-nat to-addresses=192.168.1.100 to-ports=8080

krakenant

I hope I am not too late and that the below helps. Please keep in mind, that the commands below are a guide for you, not absolute commands. You will have to adapt them for your other routers and other VLANs yourself (you aren't paying me to do your job for you yet) and the knowledge gained from adap...

krakenant

Set the addresses on the devices themselves. I doubt you will find a device that will do a DHCP reservation for multiple devices to the same IP. Alternatively, depending on the device, you could spoof the MAC address of the first device so that they all have the same MAC address. Either way, you wil...

krakenant

Two things come to mind immediately.

1: Your antennas are not rated for 5ghz, I had this happen to me, it was very very frustrating until I realized I was the problem.
2: bad connectors/pigtails

krakenant

At my company, we create virtual gateways on our radius system based on IP address. I don't know all the coding behind it, but basically, the redirect page will report the client IP address and we will assign their radius and login page based on their IP.

krakenant

How about you mangle the connection, and then set the next hop for that connection to the the other connection. It seems the MikroTik would send this traffic internally and not over the internet and once it reaches the other IP it wouldn't NAT it, but would then send it out the secondary IPs gateway...

krakenant

http://forum.mikrotik.com/viewtopic.php?f=2&t=39906

I listed the steps for configuring vlans at the bottom of that post. Post again if you need more help and I will try and check back later.

krakenant

Why are all of your ports trunk ports? If you want all devices to be able to talk to each other, there is no reason to do VLANs.

If you need a management address, just create VLAN100 on your uplink port and add the address to it.

krakenant

On router 1: Create a bridge interface. Create your EOIP tunnel to the public IP of router 2. Add the user PPTP interface to the to the bridge interface. Add the EOIP tunnel to the bridge interface. On router 2: Create a bridge interface. Create the EOIP tunnel to the public IP of router 1. Add the ...

krakenant

Here are the steps I took. Thank you for your help. I hope the below helps the next person with VLANs. On your Mikrotik router Create a bridge Create an IP address on that bridge Create a DHCP server on that bridge Create a VLAN interface with the VLAN ID you want tagged traffic (tagged traffic VLAN...

krakenant

basically what I need is for say port 1 to be the trunk, feeding VLANs up to the next device, and then the other ports on the switch each be tag any traffic from VLAN unaware devices with their own VLAN to effect client isolation

krakenant

Yup, I got as far as what you posted. I am wondering if there is a way under the switch to make a port tag untagged traffic as a specific vlan like you would in any other switch. I think I am kind of on the brink but am apparently missing something crucial.

krakenant

I have tried every way I can think of. Both just adding VLANs to the interface(from my research that is how you do trunking, and via the Switch menu on the left. Neither are turning the port into a native port and tagging untagged traffic like I need it to.

krakenant

Try something similar to the following. mark the packets with mangle /ip firewall mangle src-mac-address=00:00:00:00:00:00 action=add-src-to-address-list address-list=XXXXXXXXX then tell them which one of the addresses on your WAN to use. /ip firewall nat src-address-list=XXXXXXXXX action=src-nat to...

krakenant

Try this:

http://wiki.mikrotik.com/wiki/Transpare ... %28EoIP%29

krakenant

That from what I understand is pretty much how you do trunking, IE allowing a switch to pass a VLAN information to the mikrotik or another router, or even getting the Mikrotik to recognize VLANed traffic and assigning IP addresses and routing etc. What I need to know is how to get the mikrotik to ta...

krakenant

I am trying to get VLAN tagging of traffic to work. I think I have trunking figured out, but if I plug a non VLAN aware device in, the traffic just stays on the default untagged VLAN. I do not have a managed switch, instead I am using a Mikrotik RB750 and trying to get it to act as an edge port a wi...

krakenant

Use mangle in the firewall. There is an option for MAC ids.

krakenant

You have to have separate networks downstream, you can then assign each network to a public IP via NAT firewall rules.

krakenant

From my experience, if the user has a NAT device (Ex. a router) hooked up, and devices hooked up behind that, then only one device has to authenticate to allow all devices on the private network through. This is because the only device pulling an IP from the Hotspot router is the end users router. A...

krakenant

I have downloaded and attempted to install the 4.6 packages (mipsle and mibsle) and both units report a broken package error upon rebooting. Anyone else having similar problems?

krakenant

Add a bypassed IP binding for the MAC Address/IP address of the AP. Then do a NAT mapping binding a port other than 8291 to the IP of the AP and port 8291. A print of my firwall rules yields something like this. chain=dstnat action=dst-nat to-addresses=10.59.0.2 to-ports=8291 protocol=tcp dst-port=9...

Search found 135 matches