Community discussions

Search found 126 matches

by edmidor
Thu Mar 01, 2012 10:42 pm
Forum: Beginner Basics
Topic: HTB download queues in VoIP QoS examples
Replies: 1
Views: 837

HTB download queues in VoIP QoS examples

I've been looking through all the VoIP and non VoIP QoS examples here, and noticed interesting thing: For VoIP people tend to mangle in prerouting, and create both upload and download queue structure. Non-VoIP examples mangle in postrouting, and don't create download queues saying QoS on download is...
by edmidor
Thu Mar 01, 2012 7:04 pm
Forum: Beginner Basics
Topic: Working QoS configuration
Replies: 44
Views: 71593

Re: Working QoS configuration

How this config should be modified to give priority to packet order critical UDP connections, i.e. VoIP?
by edmidor
Sun Feb 26, 2012 11:31 pm
Forum: General
Topic: Migrating to Router on a stick
Replies: 2
Views: 914

Re: Migrating to Router on a stick

Already done that, thanks anyways. Managed to lock myself out of the router during first attempt - good I took a config backup :) As for why - to isolate VoIP adapters from broad- and multicast flying around; keep IP cameras on a separate firewalled subnet (they're exposed to outside when I port kno...
by edmidor
Thu Feb 23, 2012 6:26 am
Forum: General
Topic: Migrating to Router on a stick
Replies: 2
Views: 914

Migrating to Router on a stick

I used to have a simple "no VLAN" network: Router ==> Switch ==> all the rest. I would like to migrate the entire thing to a router on a stick model. Since it's a live network, I figured I'll migrate everything as is to a single VLAN, and once everything is stable I'll start adding VLANs and moving d...
by edmidor
Wed Feb 22, 2012 5:03 pm
Forum: Beginner Basics
Topic: Adding limited access AP - best way?
Replies: 2
Views: 632

Re: Adding limited access AP - best way?

Huh? NAT within LAN? Why?

If I plug it in as is I will be on the same ip range.

My question was whether I should set it up as a separate subnet or VLAN to ease its access control?

Sent from Android phone
by edmidor
Wed Feb 22, 2012 6:45 am
Forum: Beginner Basics
Topic: Adding limited access AP - best way?
Replies: 2
Views: 632

Adding limited access AP - best way?

I currently have everything connected to a switch, linked to Mikrotik 450G - everything sees everything, no access limitations within LAN. Now I need to add a new AP with limited access to certain IPs, so I'm thinking to plug it into next free interface on the router to be able to apply Filter rule...
by edmidor
Sat Jun 04, 2011 4:52 am
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Re: Browser based port knocker

Thanks! Now when I'm connecting from outside everything is good. But when PC is connected via local WiFi, the applications setup to work via forwarded ports obviously can't connect, so I have to change settings to local URLs and ports. Is there any way to setup internal port forwarding from behind N...
by edmidor
Fri Jun 03, 2011 4:10 am
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Re: Browser based port knocker

Continuing on a paranoid note...

Is it possible to catch a scanning attempt - after X unsuccessful attempts block that IP for some time?
by edmidor
Sun Apr 17, 2011 4:05 am
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Re: Browser based port knocker

Yep, you're right - my misunderstanding

Thanks!!
by edmidor
Sun Apr 17, 2011 3:23 am
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Re: Browser based port knocker

Yep, that's what I thought :)

I was hesitating to permanently NAT this - it's kinda error prone - you open a permanent hole in firewall and put a temporary plug
by edmidor
Sun Apr 17, 2011 3:03 am
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Re: Browser based port knocker

Great, thanks! But how do I do conditional port forwarding? The presentation above and wiki page describe getting access to the router itself, not something behind it - so the decision happens in input chain. Port forwarding is a part of NAT settings, which happens before Filter where I can accept/r...
by edmidor
Sat Apr 16, 2011 11:00 pm
Forum: General
Topic: how to increase priority for VoIP packets
Replies: 4
Views: 2239

Re: how to increase priority for VoIP packets

PAP2T already marks its traffic with DSCP 26 and 46, no need in L7
by edmidor
Sat Apr 16, 2011 10:26 pm
Forum: Beginner Basics
Topic: Browser based port knocker
Replies: 11
Views: 2135

Browser based port knocker

I would like to setup a sort of port knocking to get temporary access to a particular box on my LAN (webcams streaming video and audio) from outside. The basic assumption is that I won't have any telnet/ssh or portknocker.exe client out there - only browser. I imagine a flow to be like that: - open ...
by edmidor
Tue Mar 08, 2011 2:54 pm
Forum: RouterBOARD hardware
Topic: Building office AP - antennas question
Replies: 5
Views: 740

Re: Building office AP - antennas question

Right, I guess my question is - do I really have to use 4 antennas for 2 cards?
Those off the shelf dual radio N routers usually have 2 or 3 rubber duckies...
by edmidor
Sat Mar 05, 2011 9:25 pm
Forum: RouterBOARD hardware
Topic: Building office AP - antennas question
Replies: 5
Views: 740

Building office AP - antennas question

My apologies for noob question, please help me to understand this first time I'm going to put together an access point for my little office - a routerboard with one G and one N card. Well, I looked at 411 series cases, they have holes for two antennas. But I have two cards - how can I squeeze all th...
by edmidor
Tue Nov 09, 2010 4:04 pm
Forum: Beginner Basics
Topic: How Queues are processed?
Replies: 48
Views: 5355

Re: How Queues are processed?

I have to confirm - it works when you do it as above. Since I moved to 450G I forgot about voip problems. On the other hand throttling presumes you know your max. The problem is that it always fluctuates, and if you set it to 450 (thinking you've got all 500), when it drops to 400 temporarily you go...
by edmidor
Thu Jun 24, 2010 3:42 am
Forum: General
Topic: API to control Filter/Mangle
Replies: 3
Views: 641

Re: API to control Filter/Mangle

Well, I suppose I could identify the filter record by # if it's at all possible.
All I need at this stage is enable/disable, but I can't find any example doing anything similar to that
by edmidor
Tue Jun 22, 2010 4:01 am
Forum: General
Topic: API to control Filter/Mangle
Replies: 3
Views: 641

API to control Filter/Mangle

Somehow I can't find how to enable/disable specific Filter/Mangle rules using API.
Is it possible?
by edmidor
Wed May 12, 2010 12:33 am
Forum: Beginner Basics
Topic: Outdoor wireless AP connection
Replies: 6
Views: 2221

Re: Outdoor wireless AP connection

Sergej, what is the right way to configure it with external AP connected to one of the Ether ports - i.e. not with a card in the router? Still WLAN interface, or just bridge with the ether port used by AP?

Also, if AP is to have its own subnet, should I put second DHCP server on that interface?
by edmidor
Tue May 11, 2010 11:48 pm
Forum: Beginner Basics
Topic: Ordering parts for access point - help needed
Replies: 12
Views: 1485

Re: Ordering parts for access point - help needed

Either one are not "just" GigE, they would be an overkill for what I need.

My concern is to buy and setup box with 10/100 ports just to find new GigE 411/433 in next month or two...
by edmidor
Tue May 11, 2010 11:42 pm
Forum: General
Topic: Sip Proxy With 2 fxo ports
Replies: 4
Views: 3047

Re: Sip Proxy With 2 fxo ports

I also believe such a box with FXO/FXS ports could be a huge hit for small business clientele.
I was looking for a convenient platform for my own project, but there's not much out there.
The only option I found is IP04
http://www.rowetel.com/ucasterisk/ip04.html
by edmidor
Tue May 11, 2010 4:58 pm
Forum: Beginner Basics
Topic: Ordering parts for access point - help needed
Replies: 12
Views: 1485

Re: Ordering parts for access point - help needed

Normis, can you hint if it's worth waiting for GigE 411/433?
I know you have nothing to announce yet :) but I'm asking for a hint, not an announcement
by edmidor
Tue May 11, 2010 2:25 pm
Forum: Beginner Basics
Topic: Ordering parts for access point - help needed
Replies: 12
Views: 1485

Re: Ordering parts for access point - help needed

the H model has a slightly better power output, however the MMCX connector is sturdier and holds better. If you don't intend to move it a lot, you can just take the R52Hn card, it's probably the best of the three. I saw one can't use it in 411 indoor case (overheating I guess). Is it correct? Can i...
by edmidor
Tue May 11, 2010 4:04 am
Forum: Beginner Basics
Topic: Outdoor wireless AP connection
Replies: 6
Views: 2221

Re: Outdoor wireless AP connection

I was going to do the same thing... but what's the point to create WLAN interface for external AP that router can't configure anyways? From router's perspective it's just another Ethernet device
by edmidor
Mon May 10, 2010 4:43 pm
Forum: Beginner Basics
Topic: Ordering parts for access point - help needed
Replies: 12
Views: 1485

Re: Ordering parts for access point - help needed

ok, great!

Now the radios, r52n vs r52Hn vs r52n-M - what's the difference, besides connectors? Which one is better choice for indoor AP?
by edmidor
Sat May 08, 2010 8:10 pm
Forum: RouterBOARD hardware
Topic: Ethernet port on rb411/rb433
Replies: 4
Views: 871

Re: Ethernet port on rb411/rb433

Citing from description of R52Hn:
High Performance (up to 300Mbps physical data rates and 200Mbps of actual user throughput)
I see people still reporting under 100mbps throughput regardless of the board - where's the bottleneck?
by edmidor
Sat May 08, 2010 5:00 pm
Forum: Beginner Basics
Topic: Ordering parts for access point - help needed
Replies: 12
Views: 1485

Ordering parts for access point - help needed

I'm building a shopping list for 411 or 433 based AP. Few silly questions... please help first time buyer :) 1. How many radios required for what they call "simultaneous dual-band AP"? One card can handle only one SSID, right? 2. How many antennas are required for those abgn R52... cards to operate ...
by edmidor
Fri May 07, 2010 5:54 pm
Forum: Wireless Networking
Topic: RB411 + R52n + 2 small omni antennas: no more than 81Mbps
Replies: 5
Views: 1296

Re: RB411 + R52n + 2 small omni antennas: no more than 81Mbp

What are the best real world numbers one can get on this hardware: for both connection and actual throughput?

P.S.
Found actual N throughput tests of mass-market routers... looks rather sad even for the better ones
http://www.smallnetbuilder.com/index.ph ... =&chart=71
by edmidor
Fri May 07, 2010 5:34 pm
Forum: RouterBOARD hardware
Topic: Ethernet port on rb411/rb433
Replies: 4
Views: 871

Re: Ethernet port on rb411/rb433

Could you elaborate?
If 411 used as AP, i.e. no NAT/firewall/QoS why can't it handle normal N rate in close range?
by edmidor
Fri May 07, 2010 4:40 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

Sounds interesting - how reliable is it? I'm just wondering what are advantage of rb433ah vs. RouterStation Pro that costs almost half of that? No RouterOS, but it's a mere AP, not a router... What I don't get is WTH MT doesn't put at least one GigE port on 411/433, it's 21st century unless I'm miss...
by edmidor
Fri May 07, 2010 6:42 am
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

if you want 1 radio: rb411AH + r52n
If you want two radio: rb433+ 2x r52n
They both have 10/100 port. I do realize that on long links it's totally adequate, but for in-house wifi I hoped to actually use N speeds. Is rb800 the only option that has miniPCI and can go beyond 100mbps?
by edmidor
Thu May 06, 2010 9:38 pm
Forum: RouterBOARD hardware
Topic: Ethernet port on rb411/rb433
Replies: 4
Views: 871

Ethernet port on rb411/rb433

Why most smaller miniPCI equipped routerboards have 10/100 Ethernet port?
Doesn't it limit their throughput when used with N cards?
by edmidor
Thu May 06, 2010 7:18 am
Forum: Wireless Networking
Topic: New setup: pigtails for RB411 + R52Hn etc
Replies: 1
Views: 980

New setup: pigtails for RB411 + R52Hn etc

It's my first time dealing with MT wireless, so please excuse my silly question. I'm ordering RB411 with R52Hn for office AP - antennas are to be mounted on the rb411 case. What antennas/pigtails/connectors should I order for best results? Pigtails with MMCX tend to be very long (~30cm), are they su...
by edmidor
Wed May 05, 2010 7:16 pm
Forum: Beginner Basics
Topic: MUM in Canada?
Replies: 2
Views: 559

Re: MUM in Canada?

May be building another large city? :)
by edmidor
Wed May 05, 2010 6:17 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

What about overheating issues on R52 cards?
by edmidor
Mon May 03, 2010 6:37 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

Sigh... This is yet another example of one user saying "it works just fine"; Normis saying "it should work"; and another user saying: Has anybody tested this with for example notebook clients? Because I have, and the results are poor. I am not debating about the power, but rather the wireless side. ...
by edmidor
Mon May 03, 2010 7:29 am
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

Is there any trick to make it running stable, or SR71 just do better job than R52 for "local" N connectivity?
by edmidor
Sat May 01, 2010 3:35 am
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

I use 802.11n all day, every day..
I use an atom based AP. (Blackbird) (shameless plug)
I run high output SR71-E cards..
What? Blackbird SR71? It makes one cool access point, isn't it?
http://en.wikipedia.org/wiki/SR-71_Blackbird
by edmidor
Wed Apr 28, 2010 6:45 pm
Forum: General
Topic: v3.27 bug: ssh port forwarding is not working
Replies: 76
Views: 13278

Re: v3.27 bug: ssh port forwarding is not working

v4.8 - and it's still not there, sigh...
by edmidor
Wed Apr 21, 2010 6:19 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

I was referring to the ongoing controversy in replies: unstable, slow, problematic vs. "no problems at all".
Is there any common patterns of usage or config between those who said MT is unusable as office access point due to instability and other issues?
by edmidor
Wed Apr 21, 2010 5:52 am
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

Any of the RBs will work, if you're pushing GByte sized files then you may be better off using the H model boards they have faster CPU's.
Oh, that's confusing... So do we have N problems on routerboards, or any of RB will work?
by edmidor
Mon Apr 19, 2010 9:12 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

Hmm... So what do you guys use if MT doesn't work well?
I hardly believe everybody switched to DLink now...
by edmidor
Sun Apr 18, 2010 6:07 am
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Re: Best hardware options for office AP

It's office AP, does it need 2 radios?

Also, what are the issues with N in AP context?
by edmidor
Sat Apr 17, 2010 7:33 am
Forum: General
Topic: Global and interface queues - please help to understand
Replies: 8
Views: 1512

Re: Global and interface queues - please help to understand

But that implies I cannot restrict access from one machine to another within the same subnet, i.e. isolate 192.168.1.122 from the rest of 192.168.1.0/24; make sure it sees WAN but no other PCs. I thought it's possible - and if it is, the traffic must go through the router?
by edmidor
Sat Apr 17, 2010 6:23 am
Forum: General
Topic: Global and interface queues - please help to understand
Replies: 8
Views: 1512

Re: Global and interface queues - please help to understand

- Usual suggestion for simple QoS is upload queue on WAN interface, and download queue on LAN interface. But LAN interface handles both from-WAN AND local, within-LAN, traffic. Setting limit-at and max-limit parameters on LAN interface queue I intend to manage only from-WAN traffic - the actual dow...
by edmidor
Fri Apr 16, 2010 11:15 pm
Forum: RouterBOARD hardware
Topic: How RB800 compares against Cisco ASA5500?
Replies: 5
Views: 970

Re: How RB800 compares against Cisco ASA5500?

I meant advantages/disadvantages of having one or the other
by edmidor
Fri Apr 16, 2010 10:24 pm
Forum: RouterBOARD hardware
Topic: How RB800 compares against Cisco ASA5500?
Replies: 5
Views: 970

Re: How RB800 compares against Cisco ASA5500?

Not for me, but anyways - office router/firewall.
by edmidor
Fri Apr 16, 2010 6:53 pm
Forum: Wireless Networking
Topic: Best hardware options for office AP
Replies: 28
Views: 3548

Best hardware options for office AP

What is the current most recommended combination of routerboard and N wireless card(s) for office N access point?

No wireless links this time, rather a bunch of laptops with n cards; need as much throughput as possible, as we tend to copy large (GB) files quite often.
by edmidor
Fri Apr 16, 2010 4:56 pm
Forum: RouterBOARD hardware
Topic: RB750AR anytime soon ?
Replies: 28
Views: 5807

Re: RB750AR anytime soon ?

when?
by edmidor
Fri Apr 16, 2010 4:46 pm
Forum: RouterBOARD hardware
Topic: How RB800 compares against Cisco ASA5500?
Replies: 5
Views: 970

How RB800 compares against Cisco ASA5500?

How RB800 compares against Cisco ASA5500 10-user license?
by edmidor
Wed Apr 14, 2010 8:10 pm
Forum: General
Topic: RouterOS 5 beta
Replies: 97
Views: 18757

Re: RouterOS 5 beta

Sub-releases with bug fixes... Beta presumes having bugs
by edmidor
Wed Apr 14, 2010 7:30 pm
Forum: General
Topic: RouterOS 5 beta
Replies: 97
Views: 18757

Re: RouterOS 5 beta

How often MT does code drops on Beta5?
by edmidor
Fri Apr 09, 2010 11:30 pm
Forum: General
Topic: SIP helper
Replies: 6
Views: 2347

Re: SIP helper

Mine works OK, but that's one important thing to verify...
by edmidor
Fri Apr 09, 2010 11:19 pm
Forum: General
Topic: SIP helper
Replies: 6
Views: 2347

Re: SIP helper

SIP dynamically negotiates other ports for related connections (the control channel sets up data channels). The SIP helper inspects the control channel so that the stateful firewall knows about the related data channels. Yes, it works. Could you confirm that SIP helper just inspects packets, but do...
by edmidor
Wed Apr 07, 2010 2:57 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

So this child will be filled now with more, but smaller, queues then first I really don't get what's the point of doing that But if we now give this new child a lower priority than the previous one, we guarantee that newly made port 80 connections start with higher priority than already running "he...
by edmidor
Wed Apr 07, 2010 12:19 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

Most support net neutrality. But it usually presumes going against shaping for business/political reasons (p2p shaping by Comcast is a good example); technical traffic shaping always was there, and usually isn't really felt by users as it merely balances traffic.
by edmidor
Tue Apr 06, 2010 5:00 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

I don't know how many times I've read it... took a while to digest :) The problem seems to be still there - there will be many heavy connections marked as regular and waiting to be remarked as heavy. But while all of them are waiting the regular queue will be overloaded, which directly translates in...
by edmidor
Mon Apr 05, 2010 7:06 pm
Forum: General
Topic: Global and interface queues - please help to understand
Replies: 8
Views: 1512

Re: Global and interface queues - please help to understand

When you want to shape the total traffic for the device. Might not be useful for you, but it's nice to have. Global queues also fire before simple queues, so you can use them to override simple queues. I just want to understand when it's actually used - mind to give a little example? Include packet...
by edmidor
Mon Apr 05, 2010 6:48 pm
Forum: General
Topic: Global and interface queues - please help to understand
Replies: 8
Views: 1512

Re: Global and interface queues - please help to understand

I RTFM again... it's not clear.

So, I'd still appreciate your help here
by edmidor
Sat Apr 03, 2010 5:39 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

I monitored my qos setup over last week, what I noticed is that marking connections based on connection-bytes with connection-rate isn't good enough when connections are short lived - download manager opens dozens of connections for every file, and there are many of them (think 50-80 100M files in a...
by edmidor
Sat Apr 03, 2010 5:22 am
Forum: Beginner Basics
Topic: basic starting point....
Replies: 7
Views: 1124

Re: basic starting point....

Great you made it work. Last month I went through about the same stages you described.

I'm looking into playing with Ubiquiti right now (ordering nano and bullet M2). If you find anything interesting about ubnt - post it if you don't mind.
by edmidor
Sat Apr 03, 2010 5:12 am
Forum: General
Topic: Help on Dmitry on firewalling
Replies: 8
Views: 1231

Re: Help on Dmitry on firewalling

Great idea, thanks!
by edmidor
Fri Apr 02, 2010 7:40 am
Forum: General
Topic: Help on Dmitry on firewalling
Replies: 8
Views: 1231

Re: Help on Dmitry on firewalling

You can do that.
How? IP should be added only after successful SSH authentication. I don't see how can I detect it...
by edmidor
Fri Apr 02, 2010 7:08 am
Forum: General
Topic: Help on Dmitry on firewalling
Replies: 8
Views: 1231

Re: Help on Dmitry on firewalling

Sometimes static src-address is not an option.
It would be nice to have secure port knocking, ex: ssh into router using a key pair - IP automatically added into allowed list for some period of time...
by edmidor
Wed Mar 31, 2010 9:29 pm
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

Good question! If we lowered max-limit, and the bottleneck on the "next device" has gone, router has no way to know that, as it now limits itself with the new low max-limit. I see two cases here: 1. Traffic is low as there is no demand. The entire idea of dynamic lowering of max-limit is relevant only w...
by edmidor
Tue Mar 30, 2010 7:02 pm
Forum: General
Topic: Global and interface queues - please help to understand
Replies: 8
Views: 1512

Global and interface queues - please help to understand

I'm trying to understand the global and interface queues. I read Wiki, and some discussions here, but few basic questions are still standing. - When you use global-in or global-out? Usually the goal is to control WAN in/out separately from LAN traffic, so why/when would you use a queue for ALL traff...
by edmidor
Tue Mar 30, 2010 4:39 pm
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

Correction - it will not work as you expected, but it still works as you configure it, so I disagree with "breaks" part. That implies it's technically possible to configure the router QoS to handle sudden bandwidth dips without manual intervention. So far I didn't see anyone proposing a solution. A...
by edmidor
Tue Mar 30, 2010 3:18 am
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

wrong?.. if your modem is connected to your router via 100 Mbps link, all packets are sent to the modem. and then the modem can drop packets in case of ADSL become congested. router doesn't know about dropped packets Why would it matter? You still have your real time WAN interface throughput at one...
by edmidor
Tue Mar 30, 2010 12:24 am
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

It doesn't know your available bandwidth, but it knows how much data is being passed through its WAN interface at every moment of time. If top queue buffer is full for some period of time , and you're dropping packets, it means WAN interface passes as much as it can - and at that moment this is the ...
by edmidor
Mon Mar 29, 2010 11:49 pm
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

I would say this feature is worth adding into RouterOS core, IMHO. Router knows the actual bandwidth going through WAN interface, and it also knows the max-limit on the queues chaining from/to this interface. There should be not a big deal to make it to auto-adjust the limit-at and max-limit accordi...
by edmidor
Mon Mar 29, 2010 4:54 pm
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

That example describes a different situation - child queues explicitly exceed totals on parent queues, router is aware of that and can make educated decision how to recalculate limits to keep them in proportion. In the case I mentioned the router doesn't know about the problem as totals on child que...
by edmidor
Mon Mar 29, 2010 2:32 am
Forum: General
Topic: Simple question about priority
Replies: 45
Views: 6502

Re: Simple question about priority

What happens on bandwidth fluctuations? Let's say we have two properly configured upload queues, both limit-at=400K, max-limit=500K, parent queue (WAN) max-limit=1M. Suddenly the actual bandwidth on WAN drops from 1M to 500K - technical problems on ISP side. Router still expects it to be 1M - how wi...
by edmidor
Sat Mar 27, 2010 6:03 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

Should've read it from the start. Much better now :) The remaining question is - theoretical max limit vs. actual throughput: if I have two upload queues with limit-at 500K each, on 1Mbps max at parent, and the actual throughput falls from 1M to 500K... how router would handle it? It guaranteed 500K...
by edmidor
Thu Mar 25, 2010 11:05 pm
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

.......... it's all greek to me what am i supposed to make or do ....?? That's the problems here. I think you have three options: 1. Accept the fact that this router has learning curve. Stop screaming and asking same thing again and again, go search, read, and learn, and come back only when it won'...
by edmidor
Thu Mar 25, 2010 9:04 pm
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

Are you sure he really needs to "nat required ports from wan to your pbx"? PBX initiates connections to the provider, conntrack usually handles it as is. I don't have PBX in my LAN, just SIP agents, but I never had to NAT specific ports. The only issue with NAT I'd expect is if he wants REINVITEs to w...
by edmidor
Thu Mar 25, 2010 5:54 pm
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

This whole issue has nothing to do with mikrotik, just as with any other router, SIP agent, or your beer fridge. It's flawed design (SIP for VoIP), and to make it work reliably 'admin' usually has to learn and try few things. If you don't like it - use Skype, implementation wise it's much superior t...
by edmidor
Thu Mar 25, 2010 3:29 pm
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

SIP is flawed protocol for VoIP, and it makes things very complicated. Every party comes up with their own workarounds, and in total you have so many combinations so there simply can't be a general rule on routers and VoIP. For example, it all depends on: - do you use STUN - does your VoIP provider ...
by edmidor
Thu Mar 25, 2010 3:20 pm
Forum: General
Topic: v3.27 bug: ssh port forwarding is not working
Replies: 76
Views: 13278

Re: v3.27 bug: ssh port forwarding is not working

Is beta stable enough to use in production (just a small LAN) ?
by edmidor
Thu Mar 25, 2010 4:44 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

Running with your config for few days - VoIP works even with heavy download - thanks! :)

Question - how do you decide on limit-at value? Any general rules?
by edmidor
Thu Mar 25, 2010 2:35 am
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

Is your Asterisk in your LAN, or outside?
I have two line SIP adapter behind Mikrotik, registered to hosted PBX (pbxes.com) - no problems at all.
SIP helper is on. I set ports 5061 and 5062 as SIP ports.
by edmidor
Wed Mar 24, 2010 10:36 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

The group in Windows settings was set to group2 with AES-128... don't understand why it sends DH 2048 with 3des. So I changed peer settings on mikrotik to accept 3des, now it looks... well... shorter, but less clear what's wrong 16:30:34 system,info ipsec peer changed by admin-ssh 16:30:55 ipsec res...
by edmidor
Wed Mar 24, 2010 9:33 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

So I gave up on gre for the meanwhile, and decided to try IPSec again. This is what I'm getting... any advice? 15:23:22 ipsec respond new phase 1 negotiation: 70.80.88.144[500]<=>24.113.235.32[12835] 15:23:22 ipsec begin Identity Protection mode. 15:23:22 ipsec received broken Microsoft ID: MS NT5 IS...
by edmidor
Wed Mar 24, 2010 6:07 pm
Forum: General
Topic: v3.27 bug: ssh port forwarding is not working
Replies: 76
Views: 13278

Re: v3.27 bug: ssh port forwarding is not working

@Mikrotik
Can't you guys just issue a patch with ssh fixes?
Not having SSH tunneling capability for so long is really a problem
by edmidor
Tue Mar 23, 2010 5:52 am
Forum: Beginner Basics
Topic: Minimizing the firewall
Replies: 10
Views: 846

Re: Minimizing the firewall

Right, unless something doesn't come through and you have no idea why it got dropped. Then, to debug it the reversed approach is applied, doesn't it?
by edmidor
Mon Mar 22, 2010 7:58 pm
Forum: Beginner Basics
Topic: Minimizing the firewall
Replies: 10
Views: 846

Re: Minimizing the firewall

Sure - but the router is facing the wild internet.
This is why I'm asking what would be the very minimal set of forward chain rules to keep it secure at least from the most obvious threats. There must be something, I can't just accept all essentially exposing my LAN.
by edmidor
Mon Mar 22, 2010 6:08 pm
Forum: Beginner Basics
Topic: Minimizing the firewall
Replies: 10
Views: 846

Re: Minimizing the firewall

The problems I'm trying to weed out are with inbound connections from outside, so purpose is exactly the opposite - open as much outside access as it's still relatively safe, make everything work, and then add limiting rules one by one over period of a week or so. Behind the router is merely a SOHO ...
by edmidor
Mon Mar 22, 2010 4:10 pm
Forum: Beginner Basics
Topic: Minimizing the firewall
Replies: 10
Views: 846

Minimizing the firewall

I built some 90-rule firewall (ip firewall filter) based on wiki examples. To debug my firewall issues (no pptp, etc) I would like to disable as many rules as I can, and once inbound connectivity is back, re-enable them one by one. The process can take a few days. The question is - what are the mini...
by edmidor
Mon Mar 22, 2010 4:02 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

I had both gre and pptp port accepted in input chain... Still doesn't work. Log says: "LCP timeout sending ConfReq". What's that? Is it inbound or outbound, same port? I thought this issue might be related to my other question here - for some reason I have a lot of unaccounted ACK packets, eventuall...
by edmidor
Mon Mar 22, 2010 6:13 am
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

I meant this
/ip firewall connection tracking print
and this
/ip firewall nat print
If you google for 30sec call drops you'll see it's a classic problem, usually explained by expired SIP connection, router starts to drop packets...
by edmidor
Mon Mar 22, 2010 5:08 am
Forum: General
Topic: HELP !!! router blocking/dropping voip calls after 30 sec
Replies: 45
Views: 11888

Re: HELP !!! router blocking/dropping voip calls after 30 s

What are your conntrack settings? 30sec - magic number...
by edmidor
Sun Mar 21, 2010 6:11 am
Forum: General
Topic: QoS: queues limits
Replies: 5
Views: 1061

Re: QoS: queues limits

It probably is the right proportion, when I saw 48mbps down the up was about 980kbps
by edmidor
Sun Mar 21, 2010 6:01 am
Forum: Beginner Basics
Topic: Dropped packets
Replies: 4
Views: 1299

Re: Dropped packets

I have no dstnat rules, the only NAT rule is
[admin@MikroTik] /ip firewall nat> print
0 chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1
The reason is there should not be any. A device behind NAT opens a connection to the server with main purpose to let the server conta...
by edmidor
Sat Mar 20, 2010 6:21 am
Forum: Beginner Basics
Topic: Dropped packets
Replies: 4
Views: 1299

Re: Dropped packets

That's one good question - looking at IPs, both used by devices sitting behind the router and NAT. Both devices maintain (keep-alive I guess) connection to their servers out there, so the servers can contact them when necessary. One of them is SIP adapter, it maintains reservation with the server so...
by edmidor
Sat Mar 20, 2010 5:34 am
Forum: Beginner Basics
Topic: Dropped packets
Replies: 4
Views: 1299

Dropped packets

I'm dropping input packets from the "good" services I use. I tried to figure out how to make other rules to catch them with no success. How can I accept them without accepting the nasty stuff?
23:15:10 firewall,info Input:Other input: in:ether1 out:(none), src-mac 00:0e:83:ca:d7:47, proto TCP (ACK,P...
by edmidor
Fri Mar 19, 2010 6:19 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

I'll try, thanks.

I have "drop invalid connections" in the very beginning - can it be the reason, should I move all "drop" rules to the end of the input and forward chains?
by edmidor
Fri Mar 19, 2010 2:25 am
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

Still struggling to make it work from outside... Here's the trace - any ideas?
14:28:36 pptp,info TCP connection established from 22.111.333.44
14:28:36 pptp,ppp,info <pptp-0>: waiting for call...
14:28:36 pptp,debug,packet sent Set-Link-Info to 22.111.333.44
14:28:36 pptp,debug,packet peers-call-id...
by edmidor
Wed Mar 17, 2010 10:20 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

Once the connection is established, data between client and internal network travel between LAN and PPTP-client interface, so you need to set up your firewall to allow that. Thanks! I hate to ask silly questions, but it happens a lot lately :) You mean I'm supposed to see something named as "PPTP-c...
by edmidor
Wed Mar 17, 2010 5:57 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

I can connect with PPTP from within LAN, but from outside it displays "Device connected" momentarily, and then fails with "Cannot connect" right after. I suppose I have to change firewall settings, but I'm not sure what ARP proxy does here. I have ether1 as WAN and ether2 as LAN. Most of my rules fo...
by edmidor
Wed Mar 17, 2010 3:20 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

Thanks Toni!
How can I make sure outbound VPN connection (Cisco VPN client) won't fall under 'heavy traffic'?
I'm not sure about the rate used by VPN, but I suppose it can be fast, and it lasts long...
by edmidor
Tue Mar 16, 2010 6:13 am
Forum: Beginner Basics
Topic: Total WAN usage?
Replies: 3
Views: 665

Re: Total WAN usage?

The graph shows "bits per second", while I need just "bits" - I want to know how much bandwidth did I use this or that month.
by edmidor
Tue Mar 16, 2010 5:49 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

What I posted was just a snip of the "Connection rate" configuration. This configuration is very good in situation where heavy download disturbs normal internet operation. I strongly suggest you to read the wiki about connection rate. With this configuration, you will be able to divide the heavy do...
by edmidor
Tue Mar 16, 2010 4:48 am
Forum: Beginner Basics
Topic: Total WAN usage?
Replies: 3
Views: 665

Total WAN usage?

Is there any way to know total monthly usage (upload and download) of WAN link, without user manager?
Total for the entire LAN, not per user or IP.
by edmidor
Mon Mar 15, 2010 5:11 pm
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

That probably would do, if I can detect his activity, slow him down to 2mbps, and after he finished 'abusing' the connection remove that limit - that's what I'm looking for. The only question is "how".
by edmidor
Mon Mar 15, 2010 3:48 pm
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

@normis Download managers use a different strategy compared to browsing or "manual" download - their very purpose is to make max use of all available bandwidth to minimize the download time. Take into account a typical use case: some fifty 200kB files queued, 6-8 files at a time, each of them accesse...
by edmidor
Mon Mar 15, 2010 3:54 am
Forum: Beginner Basics
Topic: Return from a chain (firewall)?
Replies: 3
Views: 1209

Re: Return from a chain (firewall)?

Priceless!

Thanks a lot
by edmidor
Mon Mar 15, 2010 3:11 am
Forum: Beginner Basics
Topic: Return from a chain (firewall)?
Replies: 3
Views: 1209

Return from a chain (firewall)?

I'm looking at this Wiki example: http://wiki.mikrotik.com/wiki/Home_Firewall. I see a jump to 'virus' or 'bad people' chains, but these chains don't have return at the end. What happens if the packet isn't dropped in virus chain - how does it continue without return in virus chain? I see the same phe...
by edmidor
Mon Mar 15, 2010 12:32 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

Is this "free download manager" using a given port? If yes, you can capture its traffic using the port, otherwise I will suggest to have a look at the "connection rate". There are quite a few such tools, but this one is one of more popular. http://www.freedownloadmanager.org I suppose it does regul...
by edmidor
Sun Mar 14, 2010 7:43 pm
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

Re: How to handle "download managers"?

No, nothing in there.

I was under impression that L7 is not a good idea for smaller routerboards (mine is 450G), as it will hog CPU and affect the overall performance - am I wrong here?
by edmidor
Sun Mar 14, 2010 6:19 am
Forum: General
Topic: How to handle "download managers"?
Replies: 35
Views: 7150

How to handle "download managers"?

Is there any way to detect and QoS download managers, such as "Free Download Manager"?
They can easily open tons of connections with pretty impressive download rate, and hog as much bandwidth as they can.

Is it possible to detect and queue this sort of traffic?
by edmidor
Sat Mar 13, 2010 8:41 pm
Forum: General
Topic: QoS: queues limits
Replies: 5
Views: 1061

Re: QoS: queues limits

Well, I was trying to ask how to determine limit-at and max-limit.
There are many examples indeed, all have some specific numbers with not much info on how to adjust them for my LAN
by edmidor
Fri Mar 12, 2010 9:05 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

That doesn't sound good. I never had such problems when I had to VPN from Windows PC to the office in last work places. Not sure what they used server-side, but it always was zero-config on my (client) side. Why isn't it possible with Mikrotik? Then I'll try from another direction: what is the most ...
by edmidor
Fri Mar 12, 2010 4:13 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

The "Adjusting IPSec settings" part is written for Windows XP. On Windows 7 security settings are arranged in different way, and some options are not there. I followed the instructions as much as I could, but it doesn't connect.

Has anyone made it work with Win7?
by edmidor
Fri Mar 12, 2010 1:26 am
Forum: Beginner Basics
Topic: Suggestion: web based Config Wizard
Replies: 2
Views: 677

Suggestion: web based Config Wizard

Looking at this board, I was thinking that a little web based tool could save a lot of essentially useless posts on this forum, bring more people to Mikrotik, and keep both newbies and gurus happy. Simple wizard running on mikrotik site, not on the router, that would present forms of typical Linksys-...
by edmidor
Thu Mar 11, 2010 6:44 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

Good, now the dots are connecting... slowly but surely.

Thanks a lot!
by edmidor
Thu Mar 11, 2010 6:13 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

I saw this, my problem is with local-address=1.1.1.1 remote-address=1.1.1.2

Remote address isn't known, but the guide says I can use 0.0.0.0

But what should I do about the local address - it's dynamic IP. I have dynDNS, but I don't see how I can apply it here.
by edmidor
Thu Mar 11, 2010 5:34 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

You haven't even posted what kind of VPN you want to use.
I mentioned Windows laptop
I don't have many choices there :)
by edmidor
Thu Mar 11, 2010 5:18 pm
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Re: Road warrior's VPN?

Guys, please help - I need to set it up before I leave!
by edmidor
Thu Mar 11, 2010 7:49 am
Forum: General
Topic: Road warrior's VPN?
Replies: 24
Views: 17062

Road warrior's VPN?

Here's the problem: need to VPN into my LAN from Windows laptop while traveling. Laptop's IP is unpredictable - airport, hotel, etc; 'home LAN' is on MT, behind dynamic DNS (dnsmadeeasy.com) I searched for the recipe, but most examples are dedicated to permanent VPN setups between two routers. How d...
by edmidor
Wed Mar 10, 2010 10:49 pm
Forum: Beginner Basics
Topic: DHCP for few IP ranges?
Replies: 1
Views: 382

DHCP for few IP ranges?

Perhaps a silly question, but I can't figure it out...
I want to segment my LAN into few IP ranges, say ether2 -> 192.168.2.0/24, ether3 -> 192.168.3.0/24

How do I setup DHCP server to serve appropriate IPs for each range?
by edmidor
Wed Mar 10, 2010 6:06 pm
Forum: Beginner Basics
Topic: Priority based QoS on residential link
Replies: 3
Views: 485

Re: Priority based QoS on residential link

Thanks!
by edmidor
Wed Mar 10, 2010 5:47 pm
Forum: Beginner Basics
Topic: Priority based QoS on residential link
Replies: 3
Views: 485

Re: Priority based QoS on residential link

Nobody is in typing mood, or there's anything wrong with the questions? :)
by edmidor
Wed Mar 10, 2010 4:01 pm
Forum: General
Topic: QoS: queues limits
Replies: 5
Views: 1061

QoS: queues limits

My link is 50mbps down and 1mbps up. I'm trying to set up QoS to prevent one fellow downloader from making others suffer - he does up to 30mbps from rapidshare, and I have to keep VoIP working, and browsing from other machines at reasonable speeds. What would you recommend - PCQ? Then what limits should...
by edmidor
Sun Mar 07, 2010 4:04 am
Forum: Beginner Basics
Topic: Basic router setup guide/tutorial ?
Replies: 97
Views: 37342

Re: Basic router setup guide/tutorial ?

I know this is a shameless self plug, but I've been doing some mikrotik classes with slides and all for FREE. All I'm hoping for is feedback. Mikrotik Basics -> http://gregsowell.com/?p=957 Intro to networking -> http://gregsowell.com/?p=954 Mikrotik Security(available 12/7/09)-> http://gregsowell....
by edmidor
Sat Mar 06, 2010 6:06 am
Forum: Beginner Basics
Topic: Priority based QoS on residential link
Replies: 3
Views: 485

Priority based QoS on residential link

I was recently told that priority based QoS doesn't work with residential modems, cable or DSL, with reason stated that such modems all have small buffer, and so it doesn't matter what packet arrives first, if modem's buffer is already full even the highest priority packets will have to wait - which...
by edmidor
Fri Mar 05, 2010 6:36 am
Forum: Beginner Basics
Topic: Question on upgrading home office LAN with Mikrotik
Replies: 1
Views: 352

Question on upgrading home office LAN with Mikrotik

I just started with my first Mikrotik, trying to figure out the best way to set it up for our home office network. Before that I had it all very simple, but now I want to do it the right way, and so I'd appreciate your advice on both network structure, and how to configure the router for it. I have ...