Search found 144 matches

by DLNoah
Sat Aug 13, 2016 11:31 pm
Forum: Beginner Basics
Topic: Resolved: RouterOS noob fighting with CRS-125
Replies: 4
Views: 725

Re: RouterOS noob fighting with CRS-125

Hello all, /ip address add address=217.122.136.1/28 interface=ether1 /ip route add dst-address=0.0.0.0/0 gateway=ether1 You've told the CRS what IP to use when communicating with the ISP, but you haven't told it which IP (on the ISPs side) it needs to communicate with when it's sending traffic upst...
by DLNoah
Tue Dec 01, 2015 8:54 pm
Forum: General
Topic: Network traffic pattern alerts when redundant link goes down.
Replies: 3
Views: 601

Re: Network traffic pattern alerts when redundant link goes down.

Are the wireless portions of your backhaul links bridged or routed?

So, what I mean is, where all in this diagram do IP addresses live, versus where are bridges?
Site1 Router EtherX --- Ether1 Site1 BH to Site 2 Wlan1 --- Wlan1 Site2 BH to Site1 Ether1 --- EtherX Site2 Router
by DLNoah
Thu Oct 01, 2015 5:31 pm
Forum: General
Topic: Ftp Port / ssh?
Replies: 1
Views: 427

Re: Ftp Port / ssh?

Have you tried specifying the dst-address and dst-port to match traffic for? Also, to confirm, "ether3 - valn100" is your WAN / incoming interface? If that interface is actually the internal interface the server connects to or something else, then that would be causing your problem (you'd be matchin...
by DLNoah
Thu Jun 25, 2015 10:36 pm
Forum: General
Topic: Weird IPSEC problem
Replies: 5
Views: 1149

Re: Weird IPSEC problem

Oops, my mis-read, sorry. I'm used to mis-configuring it myself where I put the connect-to IP in instead of the remote-LAN IP, glossed over your opening statement, sorry. Do you have a regular client connection that works with these settings? To me, the MT settings look correct and I'd be inclined t...
by DLNoah
Thu Jun 25, 2015 9:22 pm
Forum: General
Topic: Weird IPSEC problem
Replies: 5
Views: 1149

Re: Weird IPSEC problem

You need your /ip firewall nat rule (the bypass rule) to match the local and remote private networks. So, if the local side is 192.168.1.0/24 and the remote side is 192.168.2.0/24, your NAT bypass rule would be as follows: /ip firewall nat add chain=srcnat src-address=192.168.1.0/24 dst-address=192....
by DLNoah
Thu Jun 25, 2015 8:21 pm
Forum: General
Topic: [solved] CRS 125-24G-1S-RM / issues with ARP "forwarding" between tagged and untagged VLAN ports
Replies: 16
Views: 3509

Re: CRS 125-24G-1S-RM / issues with ARP "forwarding" between tagged and untagged VLAN ports

As a minimum to help you, we really need to see the /export compact of the switch when it's working. You can strip sensitive information like passwords from the config, but we especially need information like the ingress-vlan-translation and egress-vlan-translation settings. Was the unit set up from...
by DLNoah
Thu Jun 25, 2015 3:31 pm
Forum: Announcements
Topic: Comments about RouterOS release schedule
Replies: 35
Views: 11928

Re: Comments about RouterOS release schedule

I would rather see the sub-point release pattern continue indefinitely. If you want to limit only certain "feature releases" (e.g. 6.30) to long term support, so that you're not maintaining point releases for dozens of different versions, that's understandable. But the constant roulette of "will the...
by DLNoah
Mon Jun 01, 2015 3:33 pm
Forum: General
Topic: Simple queue problem in CCR-12g
Replies: 3
Views: 674

Re: Simple queue problem in CCR-12g

1 name="AA" target=ether4 parent=Main packet-marks="" priority=8/8 queue=default-small/default-small limit-at=0/0 max-limit=500M/500M burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s 2 name="BB" target=ether4 parent=Main packet-marks="" priority=8/8 queue=default-small/default-small limit-at=70...
by DLNoah
Fri May 29, 2015 7:47 pm
Forum: Announcements
Topic: v6.29 released
Replies: 193
Views: 51336

Re: v6.29 released

RB750 after upgrade from 6.28 DHCP client on ether1 don't work - status "searching". Settings are default. I downgraded to 6.28 - works fine. Demonster, is ether1 a member of a bridge, or otherwise a "slave" interface? (It should show an S in the status column if it is slaved). Back in the v6.0-v6....
by DLNoah
Fri May 29, 2015 5:28 pm
Forum: General
Topic: Simple queue problem in CCR-12g
Replies: 3
Views: 674

Re: Simple queue problem in CCR-12g

Can you post the output of "/queue simple print", and a screenshot of Torch showing traffic to the different destination addresses you're trying to match?
by DLNoah
Mon May 18, 2015 3:54 pm
Forum: General
Topic: Mangle - how to do right?
Replies: 52
Views: 16385

Re: Mangle - how to do right?

Oops, I guess you're right there. I shouldn't be answering forum posts first thing Monday morning :shock:
by DLNoah
Mon May 18, 2015 3:10 pm
Forum: General
Topic: Mangle - how to do right?
Replies: 52
Views: 16385

Re: Mangle - how to do right?

At first glance one would think in this rule will have the same exact effect using forward, cannot stop thinking there should be a reason for this but cannot find where's the subtlety? The most important reason to do it in pre-routing is that pre-routing mangle rule will fire before NAT, whereas fo...
by DLNoah
Mon May 18, 2015 3:08 pm
Forum: General
Topic: nasipaddress Freeradius report private IP (i want the pubblic)
Replies: 1
Views: 472

Re: nasipaddress Freeradius report private IP (i want the pubblic)

"nasipaddress" is the address of the device that submitted the Radius request (the router that is terminating the PPP or other session). You can control which address from your router is reported as the nasipaddress by changing the "Src. Address" parameter within the Radius Server definition of your...
by DLNoah
Wed May 13, 2015 5:52 pm
Forum: General
Topic: Mangle - how to do right?
Replies: 52
Views: 16385

Re: Mangle - how to do right?

That has been my experience with connection marking, yes. I'm usually connection marking in order to packet mark, but it should work the same with a routing mark.
by DLNoah
Wed May 13, 2015 2:20 pm
Forum: General
Topic: Mangle - how to do right?
Replies: 52
Views: 16385

Re: Mangle - how to do right?

Your connection mark rule does not have to match only TCP protocol. You can remove the "protocol=tcp" match from that rule and it will still work as expected (emulating TCP connection states for non-TCP traffic).
by DLNoah
Tue May 12, 2015 10:16 pm
Forum: General
Topic: Simple QOS for VOIP
Replies: 3
Views: 12960

Re: Simple QOS for VOIP

The setup we use for VOIP QOS is: 1) Create a parent queue to match the LAN interface (or the LAN network, if I know that instead). Set this queue up with the customer package limit for download & upload -- if you leave it unlimited, there will still be short hiccups of bad voice quality when a burs...
by DLNoah
Mon May 11, 2015 10:43 pm
Forum: General
Topic: Bridge Options
Replies: 6
Views: 815

Re: Bridge Options

With that configuration, you basically have a bridge loop -- you have LANbridge set up with all those Ethernet ports, and you have a VLAN interface that is a sub-interface of that bridge -- and then you add the vlan99 sub-interface to the same bridge it is a sub-interface of. In general, I would eit...
by DLNoah
Mon May 11, 2015 8:01 pm
Forum: General
Topic: Bridge Options
Replies: 6
Views: 815

Re: Bridge Options

The first configuration is adding UNTAGGED traffic from ether2 into the LANbridge, and accepting vlan10 and vlan20 tagged traffic as two additional separate interfaces (that are NOT part of the LANbridge) If you extend your first configuration like this: /interface bridge add name=LANbridge /interfa...
by DLNoah
Mon May 11, 2015 3:17 pm
Forum: General
Topic: Mangle - how to do right?
Replies: 52
Views: 16385

Re: Mangle - how to do right?

Your conn-mark and packet-mark rules should be in prerouting as well, and your packet-mark rule should allow passthrough. If you only want to routing mark, and aren't trying to do queuing or something else that requires the packet-mark, then you should be able to disable the packet-mark rule. It's f...
by DLNoah
Mon May 11, 2015 3:14 pm
Forum: General
Topic: Windows Vista / 7 Enterprise Edition DHCP ISsues
Replies: 6
Views: 967

Re: Windows Vista / 7 Enterprise Edition DHCP ISsues

/ip pool add name=hs-pool-14 ranges=192.168.10.2-192.168.15.254 add name=dhcp_pool1 ranges=10.10.10.50-10.10.11.200 /ip dhcp-server network add address=10.10.10.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=10.10.10.1 add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1 add address=1...
by DLNoah
Fri May 08, 2015 3:32 pm
Forum: General
Topic: Windows Vista / 7 Enterprise Edition DHCP ISsues
Replies: 6
Views: 967

Re: Windows Vista / 7 Enterprise Edition DHCP ISsues

We use a number of different MikroTik routers in our internal network and for our customers' internal networks, without any DHCP Server problems regardless of the Windows version on the client computers. Could you post some configurations from your MikroTik router, and some more information about th...
by DLNoah
Fri May 08, 2015 3:26 pm
Forum: General
Topic: Hotspot NAT problem
Replies: 1
Views: 542

Re: Hotspot NAT problem

The primary reason that pre-NAT addresses will pass through is when the client is sending TCP traffic "from an established stream" after the router has already seen a close (FIN) for that stream and removed the connection. You can add a firewall rule to drop or reject that traffic and mitigate most ...
by DLNoah
Fri May 08, 2015 3:21 pm
Forum: General
Topic: [SOLVED] DST-NAT problem: traffic seems to cannot access dstnat chain
Replies: 8
Views: 2188

Re: DST-NAT problem: traffic seems to cannot access dstnat chain

You need to remove this match connection-type="" from your NAT rule. Otherwise the rule will never match anything. In the Winbox GUI config, you just need to click the up-arrow to the right of Connection Type. From CLI, you may have to delete and re-create the rule (I'm not 100% sure here). The end ...
by DLNoah
Tue Mar 24, 2015 10:02 pm
Forum: Beginner Basics
Topic: Restore configuration from one router to another
Replies: 2
Views: 1199

Re: Restore configuration from one router to another

The best practice for transferring configuration between models is to use the "/export" CLI command (you can use the file= option to export to a file on the router that can be downloaded), and then either paste or "/import" the setup into the new router. In general, just taking a backup & restoring ...
by DLNoah
Fri Mar 13, 2015 8:48 pm
Forum: General
Topic: Winbox 3 RC
Replies: 639
Views: 129393

Re: Winbox 3 RC

See the picture...same ROS, same boards, WinBox RC 6 433_diff.png The boards are not running the same wireless package. The one on the left is running the old wireless package (no CAPsMAN present in the menu bar). The one on the right is running wireless-fp (CAPsMAN present in the menu bar). Wirele...
by DLNoah
Fri Mar 13, 2015 4:53 pm
Forum: General
Topic: Link CRS to CRS with two ports for aggregate trafic
Replies: 7
Views: 1399

Re: Link CRS to CRS with two ports for aggregate trafic

Using any CRS as your bandwidth test generator is going to limit the test, pure and simple.

The best way to test would be http://en.wikipedia.org/wiki/Iperf on two computers (which will easily have enough CPU to saturate a 2Gbps link).
by DLNoah
Thu Mar 12, 2015 8:07 pm
Forum: General
Topic: Link CRS to CRS with two ports for aggregate trafic
Replies: 7
Views: 1399

Re: Link CRS to CRS with two ports for aggregate trafic

Btest uses the CPU to generate and measure the traffic, so I would certainly expect to get poor results with Btest on a CRS (or RB2011 or RB9xx series) unit. It's recommended to test between two devices that are both connected to the CRS.
by DLNoah
Thu Mar 12, 2015 5:09 pm
Forum: General
Topic: _HUGE_ Packet loss on CRS125 :(((
Replies: 66
Views: 9483

Re: _HUGE_ Packet loss on CRS125 :(((

Ok. Even if I set IP address on port 19 running probe, take it out of switch (master port=none) when the problem still persist. So I assume the problem on SWITCH-CPU internal link. Wondering if it is hardware problem or it can be figured out by some software settings? One thing I haven't seen menti...
by DLNoah
Thu Mar 12, 2015 4:28 pm
Forum: General
Topic: Firewall rules for time based
Replies: 7
Views: 7681

Re: Firewall rules for time based

The comment is indicating that the rule is currently inactive because the time on the router doesn't fall within the time interval that the rule is supposed to be active. Also, with time-based rules, you need to make sure that the clock on the router is accurate -- you need to check both the Time Zo...
by DLNoah
Tue Mar 10, 2015 10:56 pm
Forum: The Dude
Topic: migrated dude from box to box and pings stop working
Replies: 10
Views: 3174

Re: migrated dude from box to box and pings stop working

http://forum.mikrotik.com/viewtopic.php?f=8&t=87616&p=440806&hilit=administrator#p440806 Within Windows (and Linux, under certain circumstances), pings are special and require escalated privileges. You must run The Dude (either the application or the service, if it's running in service mode) as an A...
by DLNoah
Tue Mar 10, 2015 10:55 pm
Forum: The Dude
Topic: No work ping - OS Windows 8
Replies: 4
Views: 2131

Re: No work ping - OS Windows 8

http://forum.mikrotik.com/viewtopic.php?f=8&t=87616&p=440806&hilit=administrator#p440806 Within Windows (and Linux, under certain circumstances), pings are special and require escalated privileges. You must run The Dude (either the application or the service, if it's running in service mode) as an A...
by DLNoah
Tue Mar 10, 2015 8:43 pm
Forum: Forwarding Protocols
Topic: Port Forwarding 5060' 5061' Using SIP Protocol.
Replies: 2
Views: 4842

Re: Port Forwarding 5060' 5061' Using SIP Protocol.

SIP can use either the UDP or TCP protocol. UDP is the "baseline" standard and is the more common, though more SIP services are moving toward TLS-based security (SIPS), which requires the TCP protocol. You will need to check with your SIP carrier which protocol they are using. If they and your phone...
by DLNoah
Wed Mar 04, 2015 10:13 pm
Forum: General
Topic: Firewall rules disputable question
Replies: 4
Views: 1167

Re: Firewall rules disputable question

In this specific case, the order doesn't really matter, because all three rules match different packets (no packet will match more than one). If your drop rule could potentially match packets that should be accepted (allowed), it must come last -- once a packet is accepted (allowed) or dropped, no fur...
by DLNoah
Wed Mar 04, 2015 4:03 pm
Forum: Forwarding Protocols
Topic: OSPF overwrite static default-gateway. Possible ?
Replies: 29
Views: 5308

Re: OSPF overwrite static default-gateway. Possible ?

The only place I use it at, manual intervention is sufficient for my needs, so I haven't done any scripting work towards trying to automate the recovery.
by DLNoah
Wed Mar 04, 2015 3:41 pm
Forum: Forwarding Protocols
Topic: OSPF overwrite static default-gateway. Possible ?
Replies: 29
Views: 5308

Re: OSPF overwrite static default-gateway. Possible ?

In my experience, working with ROS v6.17 (and a few earlier versions of 6), it's sort of possible to get this to happen, but it will require manual (or scripted) intervention after network topology changes. On R1 (the primary out), you would continue as you have it set up -- the static default route...
by DLNoah
Wed Feb 25, 2015 4:04 pm
Forum: Beginner Basics
Topic: HELP :) CCR 1009 at home and (apparently) no clue
Replies: 5
Views: 1251

Re: HELP :) CCR 1009 at home and (apparently) no clue

You should NOT be bridging vlan102 (the WAN port, AKA the Internet port) with eth2 (your LAN port, AKA the inside network port). Eth2 should be configured with a private IP address, DHCP server, all the standard setup of a home router. You then need to use an IP > Firewall > NAT rule (a masquerade ...
by DLNoah
Wed Feb 25, 2015 3:59 pm
Forum: General
Topic: CCR1009 & Ubiquiti issues! Need your help experts!!
Replies: 15
Views: 3374

Re: CCR1009 & Ubiquiti issues! Need your help experts!!

The wiki has a number of articles, such as Firewall Filter Rules, that can help for securing your router. As referenced by emils, we really can't tell just from your configuration what's going on. You're going to need to replicate the problem and gather troubleshooting information: 1) What exact er...
by DLNoah
Tue Feb 24, 2015 4:07 pm
Forum: Beginner Basics
Topic: HELP :) CCR 1009 at home and (apparently) no clue
Replies: 5
Views: 1251

Re: HELP :) CCR 1009 at home and (apparently) no clue

Hello, The ISP provides internet on VLAN 102 which i have managed, incredibly to make work. However this is where it stops for me, and I need some help... Bridge1 porting vlan102 and eth2 If I'm understanding your post correctly, it looks like you have vlan102 bound to ether1, as your WAN port, rec...
by DLNoah
Tue Feb 24, 2015 3:59 pm
Forum: General
Topic: CCR1009 & Ubiquiti issues! Need your help experts!!
Replies: 15
Views: 3374

Re: CCR1009 & Ubiquiti issues! Need your help experts!!

The DHCP Server log lines are normal behavior, based on what we see on our v6.x MikroTik equipment. For instance, just now 4 users out of the 70 has been disconnected, and i see that everything in the server is just fine except the attached log pic. , then i only restarted the Ubiquiti APs, the it w...
by DLNoah
Fri Feb 20, 2015 7:15 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Looks like all of that traffic is destined for your local router (DNS traffic on UDP 53, Winbox traffic on TCP 8291, regular Windows/NETBIOS broadcasts on 137-138), but should be fine. You might also try disabling the "accept" for destination 192.168.27.0/24 and seeing if the hairpin still works wit...
by DLNoah
Fri Feb 20, 2015 5:29 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Ok, so let's try changing the mangle rules as follows: Add two new mangle rules at the first priority (priority #0): /ip firewall mangle add chain=prerouting action=accept passthrough=no dst-address=192.168.27.0/24 in-interface=ether1-LAN log=no log-prefix="" place-before=0 /ip firewall mangle add c...
by DLNoah
Fri Feb 20, 2015 4:41 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Given that Sniffer is showing the packets coming in the PPPoE interfaces, I believe that something must be causing the "to be hairpinned" traffic to get packet-marked and forced out the bonded-DSL routing rules. Could you get by with disabling all four mangle rules and the two "routing mark" routes ...
by DLNoah
Wed Feb 18, 2015 10:41 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

I assume by "firmware version" you mean the output of System > RouterBOARD. What version shows in the title bar when you log in: "user@ip (identity) - Winbox vX.XX ..."? The connection you're showing is what I would expect to see with the NAT rules in place. My expectation when you posted the mangle...
by DLNoah
Wed Feb 18, 2015 8:22 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Hm, I'm not sure what else to look at. The rules you have in place work for me on RouterOS v6.19, for similar functionality I have up and going. When you double-click one of the IP > Firewall > Connections from your internal connection attempt, what does it show for "Reply Src Address" and "Reply Ds...
by DLNoah
Wed Feb 18, 2015 7:09 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Can you post another Torch, and a filtered "IP > Firewall > Connections" list, please?
by DLNoah
Wed Feb 18, 2015 4:37 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Ok, those are definitely affecting this traffic.

Can you try replacing dst-address=0.0.0.0/0 with dst-address=![PUBLIC IP]

Again, after you change the firewall rule, you will need to delete all connections (or restart the router) before the changes will take full effect.
by DLNoah
Wed Feb 18, 2015 4:01 pm
Forum: General
Topic: PBX and NAT
Replies: 2
Views: 1436

Re: PBX and NAT

add action = dst-nat chain = dstnat disabled = no protocol = udp src-address = \ 192.168.61.1 src-port = 5060 to-addresses = 94.230.138.71 to-ports = 5060 Your problem is most likely with this rule. What you're looking for is packets that match the following: Source Address = 192.168.61.1:5060 (udp...
by DLNoah
Wed Feb 18, 2015 3:39 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

I see from your route table you're using routing marks. Can you post your mangle rules that are applying the routing marks? I think that may be causing the problem; if the initial connection is hitting that routing mark, it isn't going to run the directly connected route to 192.168.27.0/24 in the ma...
by DLNoah
Wed Feb 18, 2015 3:33 am
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

It looks like the NAT connection isn't getting created correctly in the firewall. Can you try rebooting the firewall or going to IP > Firewall > Connections and deleting all entries? If you had connections open in conntrack from before you changed the rules, they don't get automatically flushed on r...
by DLNoah
Wed Feb 18, 2015 1:46 am
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

Uhm, the most obvious thing I can think of would be that there's more than one stream as part of the connection. But if that were the case, I would expect external users to have problems too, and I'm reading that you're not having that problem? What does Torch show when you're trying to make the conn...
by DLNoah
Tue Feb 17, 2015 10:42 pm
Forum: General
Topic: Help to get Hairpin NAT working please?
Replies: 27
Views: 4663

Re: Help to get Hairpin NAT working please?

The src-nat rule isn't matching anything because the original dst-nat rules aren't matching packets that came from your LAN (only matching in from the ppp interfaces). The normal setup for using Hairpin NAT would be similar to the following: - Public IP of 1.2.3.4, clients requesting on port 21392 -...
by DLNoah
Mon Feb 16, 2015 11:36 pm
Forum: Beginner Basics
Topic: Hotspot /22 subnet problem.
Replies: 14
Views: 2409

Re: Hotspot /22 subnet problem.

/ip address add address=192.168.8.1/24 comment="default configuration" interface=\ bridge-local network=192.168.8.0 Your MikroTik is configured to be part of 192.168.8.0/24, and thus doesn't see 192.168.9.1/22 as being in the same subnet. Fixing the subnet mask on the MikroTik should resolve the is...
by DLNoah
Wed Feb 11, 2015 6:21 pm
Forum: Beginner Basics
Topic: Change DHCP and Router IP results in DNS not working
Replies: 10
Views: 2493

Re: Change DHCP and Router IP results in DNS not working

Do you have a firewall rule (probably in the NAT chains) that is redirecting DNS to a specific IP, so as to "capture" other DNS servers and force them to use the router's DNS proxy?

Is Hotspot running on the router, and if so, is it still running correctly after the IP change?
by DLNoah
Wed Feb 11, 2015 6:19 pm
Forum: General
Topic: Winbox 3 RC
Replies: 639
Views: 129393

Re: Winbox 3 RC

Is it possible to show the port to which the winbox is connected in the header together with address?
+1 for this request
by DLNoah
Tue Feb 10, 2015 5:28 pm
Forum: Beginner Basics
Topic: Silly question: Source vs Destination. Is one always LAN and one always WAN?
Replies: 3
Views: 641

Re: Silly question: Source vs Destination. Is one always LAN and one always WAN?

As far as the router is concerned which is source and which is the destination? If an external IP triggers the connection, that IP would be the source. But if local IP initiated the connection, then they would be the source. Do we have to create double the rules depending on who triggers it? Or is ...
by DLNoah
Thu Feb 05, 2015 9:12 pm
Forum: General
Topic: Poor vlan performance on set of Mikrotik - tagged vlan's
Replies: 5
Views: 2261

Re: Poor vlan performance on set of Mikrotik - tagged vlan's

Well, ultimately, the CRS is a switch, and not designed specifically with routing functionality in mind. Are you master-port (switching) ether1-23, or whichever ports are your LAN together? The interface name you referenced in your config was bridge-LAN, so I presumed that ether1-23 were members of ...
by DLNoah
Thu Feb 05, 2015 8:47 pm
Forum: General
Topic: Poor vlan performance on set of Mikrotik - tagged vlan's
Replies: 5
Views: 2261

Re: Poor vlan performance on set of Mikrotik - tagged vlan's

Well, one thing I'm inferring from what config you did post is that you have the CRS set up with ports bridged (within Winbox, using the CPU) rather than using a master-port (switch chip based) setup. The CPU on the CRS is fairly limited (similar in capability to the RB2011), and the switch chip onl...
by DLNoah
Thu Feb 05, 2015 4:41 pm
Forum: General
Topic: RADIUS user authentication
Replies: 10
Views: 5917

Re: RADIUS user authentication

Ah, yeah, guess I misread his post as the log on RADIUS being what's not showing requests (which, in my experience, can happen if the RADIUS server is disregarding traffic as not being from an authorized client). Given that he's stated that "/user aaa use-radius" was enabled, I suspect the problem i...
by DLNoah
Thu Feb 05, 2015 3:24 pm
Forum: General
Topic: RADIUS user authentication
Replies: 10
Views: 5917

Re: RADIUS user authentication

I only have one request and one accept, which occur when I first set up the RADIUS server from the CRS. My debug from the RADIUS server shows it as an accounting request. If I try to ssh into the CRS, the request never even shows as an attempt in the RADIUS statistics on the CRS, nor does my RADIUS...
by DLNoah
Wed Feb 04, 2015 9:57 pm
Forum: General
Topic: RouterOS v6.26!
Replies: 72
Views: 24951

Re: RouterOS v6.26!

Device: SXTG-5HPacD RouterBoot fw: 3.22 RouterOS ver.: 6.26 Winbox version 3.0rc1 1. "Run after reset" - do not work. (After reset device configuration do not install *.rsc file.) alexboroda, I would suggest that you try resetting without the .rsc file and without any default configuration. After r...
by DLNoah
Wed Jan 28, 2015 3:00 pm
Forum: General
Topic: Route selection precedence
Replies: 3
Views: 770

Re: Route selection precedence

Route a) is more specific (24-bit subnet mask) than Route b) (16-bit subnet mask). Thus, Route a) will always be chosen.
by DLNoah
Wed Jan 28, 2015 2:28 pm
Forum: General
Topic: Route selection precedence
Replies: 3
Views: 770

Re: Route selection precedence

Routing (for any device that does routing) functions according to this priority: - Choose the most specific route - Choose the route with the lowest distance - Choose randomly among all equally valid routes When you use routing marks in your route table, those routes will only be checked for packets...
by DLNoah
Mon Jan 26, 2015 11:28 pm
Forum: General
Topic: Mikrotik & Windows Server 2008 Active Directory
Replies: 5
Views: 4371

Re: Mikrotik & Windows Server 2008 Active Directory

Authentication for Winbox/Telnet router logins via Active Directory will not work, unless you store the password in AD with reversible encryption (WARNING: NOT RECOMMENDED). Winbox/Telnet AAA only supports PAP authentication, which requires a cleartext-password to authenticate.
by DLNoah
Mon Jan 26, 2015 4:09 pm
Forum: General
Topic: Winbox 3 RC
Replies: 639
Views: 129393

Re: Winbox 3 RC

Two problems I've run into today with Winbox 3 RC, both involving "Open in New Window". With "Open in New Window" checked, I tried to MAC-Winbox into a CRS125 running RouterOS v6.15 that I was directly connected to by Ethernet. Winbox showed the login attempt, and the successful login, and then spaw...
by DLNoah
Thu Jan 15, 2015 3:18 pm
Forum: General
Topic: CRS Untagged VLAN Not Working Per Examples
Replies: 3
Views: 3297

Re: CRS Untagged VLAN Not Working Per Examples

With the caveat that I'm doing this on CRS125's running v6.19 and not CRS226's running v6.24 (so I can't guarantee the config is the same between what I'm doing and what you're doing), I would need to add the following configuration in addition to what you already have to my CRS125: /interface Ether...
by DLNoah
Wed Jan 14, 2015 4:05 pm
Forum: General
Topic: IPv6 RAs leaking out of VLANs - IPv6 unusable.
Replies: 5
Views: 1776

Re: IPv6 RAs leaking out of VLANs - IPv6 unusable.

Hm, well, that would seem (to me anyway) to rule out a configuration setting on the switch translating traffic onto vlan9. Nothing more I can think of at this point, sorry.
by DLNoah
Wed Jan 14, 2015 2:51 pm
Forum: General
Topic: IPv6 RAs leaking out of VLANs - IPv6 unusable.
Replies: 5
Views: 1776

Re: IPv6 RAs leaking out of VLANs - IPv6 unusable.

Do any of your Ethernet ports have master-port set (aka, are they running in switch mode)?

If so, what is the output of
/interface ethernet switch ingress-vlan-translation export compact
by DLNoah
Mon Jan 05, 2015 9:03 pm
Forum: General
Topic: Help, PPPoE+Radius streaming issues?
Replies: 7
Views: 1515

Re: Help, PPPoE+Radius streaming issues?

If it's freezing at precisely 10 minutes every single time, that would suggest to me some sort of session keepalive/timeout issue (especially in light of the fact that changing queue lengths didn't help).
by DLNoah
Wed Dec 31, 2014 5:28 pm
Forum: General
Topic: Help, PPPoE+Radius streaming issues?
Replies: 7
Views: 1515

Re: Help, PPPoE+Radius streaming issues?

Longer queue length = more CPU usage per queue. We went straight to 1000 because we don't have a ton of simple queues and it doesn't seem to be overloading the CPUs in our equipment. Your mileage may vary.

I can't speak to the other queue types, we haven't tried them.
by DLNoah
Tue Dec 30, 2014 7:37 pm
Forum: General
Topic: Help, PPPoE+Radius streaming issues?
Replies: 7
Views: 1515

Re: Help, PPPoE+Radius streaming issues?

Have you made any changes to the default settings for Queue Types (/queue type export compact)? The default queue for most dynamically added simple queues is default-small. The default settings for default-small is a pfifo (packet based first-in-first-out) queue with a max length of 10 packets. As a...
by DLNoah
Tue Dec 16, 2014 7:46 pm
Forum: General
Topic: Dstnat only from specific public IP - Access list?
Replies: 1
Views: 509

Re: Dstnat only from specific public IP - Access list?

If you match "src-address" or "src-address-list" in the dst-nat rule, that will work for restricting access by IP. To some extent, the VPN method would be "more secure", because IP addresses are spoofable (though, unless your router returns the spoofed traffic to the right spot, the person spoofing ...
by DLNoah
Tue Dec 16, 2014 6:10 am
Forum: Forwarding Protocols
Topic: Limit what routes OSPF redistributes
Replies: 3
Views: 885

Re: Limit what routes OSPF redistributes

And this is why I ask stupid questions on Internet forums -- because other people are way smarter than me :)

Thanks, wouldn't have even thought of that.
by DLNoah
Mon Dec 15, 2014 7:46 pm
Forum: Forwarding Protocols
Topic: Limit what routes OSPF redistributes
Replies: 3
Views: 885

Limit what routes OSPF redistributes

We have a few customers who have connections to two different POPs both on our network. In these cases, we've started deploying an RB2011 or similar as the CPE router that manages the two "upstream" connections for them. This router is configured to use OSPF to communicate with our POP routers and r...
by DLNoah
Wed Dec 10, 2014 6:13 pm
Forum: Announcements
Topic: RouterOS v6.23.1 special release
Replies: 9
Views: 7878

Re: RouterOS v6.23.1 special release

Is this release specific to an issue/driver introduced in v6.23, or are there previous potentially affected firmware versions?
by DLNoah
Fri Nov 14, 2014 4:12 pm
Forum: General
Topic: DHCP issue
Replies: 4
Views: 1132

Re: DHCP issue

Hence my statement that the problem is most likely a switch or other device in between your router and your DHCP client. For example, we recently had one of our FTTP locations start exhibiting this problem, because the management chassis (which functions as a switch) was dropping return traffic from...
by DLNoah
Fri Nov 14, 2014 3:35 pm
Forum: General
Topic: DHCP issue
Replies: 4
Views: 1132

Re: DHCP issue

"Offering without success" means that the MikroTik received a DHCPDISCOVER from the client and tried to respond with a DHCPOFFER (to provide the lease). The MikroTik then did not receive any response (DHCPREQUEST) from the client within 30 seconds. Generally, this problem will occur if you have a sw...
by DLNoah
Mon Oct 13, 2014 4:55 pm
Forum: General
Topic: Resolve Double NAT with bridge?
Replies: 3
Views: 1556

Re: Resolve Double NAT with bridge?

If you only get 1 public IP, you either have to double-NAT, or set up the Local Routers as non-NAT routers and put the necessary routes in the RB2011 to get traffic back to their LANs. No other choice will work, from a technological perspective. Some home-grade routers (Linksys, Belkin, etc) do supp...
by DLNoah
Mon Oct 13, 2014 3:43 pm
Forum: General
Topic: Resolve Double NAT with bridge?
Replies: 3
Views: 1556

Re: Resolve Double NAT with bridge?

Do you control all devices in this diagram, or where is your point of demarcation? If you control all devices, the simplest way to avoid double-NAT would be to simply not NAT on the Local Routers, and use static or dynamic routing to let the RB2011 router know which 192.168.X.X subnet is on which lo...
by DLNoah
Mon Oct 13, 2014 3:37 pm
Forum: General
Topic: EoIP over PPTP seems slow
Replies: 5
Views: 2031

Re: EoIP over PPTP seems slow

What encryption settings are you using, and what hardware are the routers? In general for encrypted tunnels, you should use ppc, tile, or x86 architecture routers. The ppc and tile architectures support hardware acceleration for encryption. Most x86 routers have "computer grade" CPUs that are able t...
by DLNoah
Wed Oct 08, 2014 11:43 am
Forum: General
Topic: Known issues and bugs - a list
Replies: 283
Views: 113255

Re: Known issues and bugs - a list

Issue: Can't add any DHCP options with v6.x

The issue is mostly your configuration -- as of v6, the DHCP server is more picky about types matching what the DHCP Option is "supposed" to have. In the case of a string-literal option like the TFTP boot option 161, you need to put the option in double q...
by DLNoah
Mon Oct 06, 2014 3:21 pm
Forum: General
Topic: bridged network - cannot ping other hosts across MT routers
Replies: 5
Views: 3370

Re: bridged network - cannot ping other hosts across MT rout

On the RB951 bridged configuration, is the "master" wlan port enabled? I know that the virtual APs draw their band and channel settings from the physical port, but I'm not 100% sure whether or not they can work while the master port is disabled. When I apply your backup configuration, it leaves the ...
by DLNoah
Mon Oct 06, 2014 1:18 am
Forum: General
Topic: CCR1036-8G-2S+EM taken down by 200kpps DDoS
Replies: 9
Views: 2523

Re: CCR1036-8G-2S+EM taken down by 200kpps DDoS

If you're doing simple queuing on the CCR, you'll have better performance out of v6.19 and newer; MT made optimizations to the process that balances queue handling across the multiple cores.
by DLNoah
Fri Oct 03, 2014 7:47 pm
Forum: General
Topic: bridged network - cannot ping other hosts across MT routers
Replies: 5
Views: 3370

Re: bridged network - cannot ping other hosts across MT rout

Will need to see /export compact from at least the 2011 and one of the 951's that are having problems to provide more detailed help, but have you verified that there are no Firewall Filter/NAT rules that are catching your traffic and causing the problem? Might be worth disabling all rules on a tempo...
by DLNoah
Fri Oct 03, 2014 7:38 pm
Forum: General
Topic: Queue configuration best practice
Replies: 2
Views: 1580

Re: Queue configuration best practice

My question is whether it's best to configure a single simple queue for each bandwidth limit and then just add targets as required or should I set up a single queue for each circuit

At MUM US 2014, Uldis from MikroTik stated that as of v6.19, simple queues handling is such that the router will distr...
by DLNoah
Fri Oct 03, 2014 7:31 pm
Forum: General
Topic: CRS125-24 funky L2 bridging Behaviour? (no pppoe through)
Replies: 5
Views: 1143

Re: CRS125-24 funky L2 bridging Behaviour? (no pppoe through

In Winbox GUI, setting an admin-mac automatically disables auto-mac (changes it to auto-mac=no). Via command line/terminal, I always make sure I set both options; I've not done testing to figure out if ROS is intelligent enough to auto-disable auto-mac regardless of how an admin-mac is entered. I'd ...
by DLNoah
Fri Oct 03, 2014 4:48 pm
Forum: General
Topic: CRS125-24 funky L2 bridging Behaviour? (no pppoe through)
Replies: 5
Views: 1143

Re: CRS125-24 funky L2 bridging Behaviour? (no pppoe through

Do you have the PPPoE server bound to the ether2 port, or to the bridge on the CCR? Have you tried with ether2 removed from the bridge on the CCR (and/or with the PPPoE server bound to the bridge)? Which port is the bridge on the CCR taking its MAC from? Typically, if ether1 is running, I would expe...
by DLNoah
Fri Sep 26, 2014 10:43 pm
Forum: General
Topic: Mikrotik Cisco GRE IPsec tunnel not coming up
Replies: 7
Views: 2296

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

Hm, not sure what else it might be. When you torch, do you see the traffic going out the ether5 (WAN) interface with the correct src & dst IP addresses? Can they try to ping from their side, and do you see that traffic coming in via torch? I've only ever really done VPN tunnels for site-to-site conn...
by DLNoah
Fri Sep 26, 2014 9:44 pm
Forum: General
Topic: Mikrotik Cisco GRE IPsec tunnel not coming up
Replies: 7
Views: 2296

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

So, a typical VPN setup will result in something like this:

10.10.1.0/24 -- 10.10.1.1/24          10.20.2.1/24 -- 10.20.2.0/24
Site A LAN      Site A Router         Site B Router   Site B LAN
                1.1.1.1/30 WAN -- Internet -- WAN 2.2.2.2/30

In that sort of case, you would set up a VPN between the Site A and Site B routers, so ...
by DLNoah
Fri Sep 26, 2014 9:12 pm
Forum: General
Topic: Mikrotik Cisco GRE IPsec tunnel not coming up
Replies: 7
Views: 2296

Re: Mikrotik Cisco GRE IPsec tunnel not coming up

1) When creating IPsec tunnels in MT, you need to bypass your outbound NAT masquerade for traffic leaving on the IPsec tunnel. This happens because the IPsec tunnel doesn't create a virtual interface, so the NAT rule sees the traffic as going out the WAN port. In order to bypass this, add the follow...
by DLNoah
Tue Sep 23, 2014 11:22 am
Forum: General
Topic: CRS226 - Routing Between Switched Groups
Replies: 4
Views: 756

Re: CRS226 - Routing Between Switched Groups

What subnet masks do you have set up for those addresses? If, for example, the machines are Windows, the default subnet mask it will suggest for a 10.X.X.X address is 255.0.0.0, which would put the two networks in the same subnet.
by DLNoah
Mon Sep 22, 2014 3:37 pm
Forum: General
Topic: CRS226 - Routing Between Switched Groups
Replies: 4
Views: 756

Re: CRS226 - Routing Between Switched Groups

More specifically, the IPs on ether1/2 and the IP on the master port for ether8 need to be in different subnets. For example, this will work, as the DNS servers & PBX will route traffic for each other to the CRS, which will get it sent to the right place: CRS226 Ether1 - 10.1.1.1/24 DNS Server 1 - 1...
by DLNoah
Mon Sep 22, 2014 3:13 pm
Forum: Forwarding Protocols
Topic: Multiple default routes dual datacenter
Replies: 2
Views: 1827

Re: Multiple default routes dual datacenter

One thing I do for something similar is to have OSPF on both sides advertise a default route "if installed" -- if the Ethernet port goes down or the route is marked unavailable due to "check gateway" failing, then OSPF stops advertising the default route. (Note: this will work the best if the Vyatta...
by DLNoah
Fri Sep 19, 2014 3:00 pm
Forum: Forwarding Protocols
Topic: Suggestions for hub/spoke routing
Replies: 4
Views: 1376

Re: Suggestions for hub/spoke routing

They just added the ability to OVPN to DNS addresses in v6.4, and I haven't seen anything official to indicate that support has been dropped. In my experience, IPSec does work reliably on MT units; it's just a lot more complicated to configure than OVPN. Also, IPSec does not create a virtual interfa...
by DLNoah
Thu Sep 18, 2014 3:21 pm
Forum: Forwarding Protocols
Topic: Suggestions for hub/spoke routing
Replies: 4
Views: 1376

Re: Suggestions for hub/spoke routing

We do something similar for one of our customers, using OpenVPN Server on the MT at the main office ("A"), and OpenVPN clients at the satellite locations. We find that OVPN is a much lower setup overhead than IPSec (once you have the initial certificates made for OVPN), and the way it handles dynami...
by DLNoah
Wed Sep 17, 2014 4:20 pm
Forum: General
Topic: New equipment version restrictions - licensing problem
Replies: 3
Views: 1064

Re: New equipment version restrictions - licensing problem

as you might have noticed - router consists of many parts and for some of them there are updates from time to time. While we try to have same parts for same router type it is not possible all the time. As a result in newer RouterOS there are certain additional changes done so that new parts work ni...
by DLNoah
Wed Sep 17, 2014 4:00 pm
Forum: General
Topic: OpenVPN client backup option, help!
Replies: 1
Views: 851

Re: OpenVPN client backup option, help!

If you're willing to convert your architecture to routed and remove the EOIP tunnels, the simplest option would be as follows: 1) Have your alternative Internet connection register to a dynamic DNS name, and make sure that your clients are running at least v6.4 and have one or more valid DNS servers...
by DLNoah
Wed Sep 17, 2014 3:21 pm
Forum: General
Topic: New equipment version restrictions - licensing problem
Replies: 3
Views: 1064

New equipment version restrictions - licensing problem

We're an almost all MT network, roughly 8000 units in the field between tower infrastructure and CPEs. We've been following a firmware management practice of maintaining our network with a consistent firmware version; waiting several months between versions we test in order to try to test the most s...
by DLNoah
Tue Sep 16, 2014 3:11 pm
Forum: General
Topic: RouterOS DHCP + Freeradius - Queues
Replies: 19
Views: 5241

Re: RouterOS DHCP + Freeradius - Queues

Hello, I have DHCP Server on ROS getting leases and rate limits from freeradius database, it's working like it should but there is a problem with changing rate limits to connected users. After lease expire client is getting new lease but changed in database rate limits are not changed. Any idea how...
by DLNoah
Tue Sep 09, 2014 7:11 pm
Forum: General
Topic: EoIP alternative
Replies: 2
Views: 1363

Re: EoIP alternative

Alternately, (depending on your relationship with the customer) if each office is connected to the same POP, you could set up dedicated AP(s) at that POP for the customer, and set up their "WAN" router at your POP. So the topology would become something like: POP router <--> customer Internet router...
by DLNoah
Thu Sep 04, 2014 4:59 pm
Forum: Forwarding Protocols
Topic: Ros 6.18 some packets bypassing NAT
Replies: 6
Views: 2510

Re: Ros 6.18 some packets bypassing NAT

Basically, what you're seeing is a result of how connection tracking works, how TCP works, and how those affect NAT processing. When performing NAT, or otherwise having a firewall rule that requires connection tracking, the router keeps track of every connection that it sees. These connections will ...
by DLNoah
Thu Aug 28, 2014 8:06 pm
Forum: General
Topic: Only need switches function, which is more suitable?
Replies: 11
Views: 2285

Re: Only need switches function, which is more suitable?

Of note: if you use the RB750/RB750UP, the switch chip only includes ether2-5 (not ether1), so you'll have to use the CPU-based bridging. If you only use standard bridging with Fast Path on, you'll probably achieve close to 100Mbps aggregate bandwidth in that sort of configuration. But if you start ...
by DLNoah
Tue Aug 26, 2014 11:42 pm
Forum: General
Topic: admin VLANs and PPPOE question
Replies: 2
Views: 717

Re: admin VLANs and PPPOE question

The simplest thing would be to add vlan123 to each Ethernet interface, and then bridge those vlan123's together. The "Name" has to be unique per VLAN sub-interface, but doesn't have to be the VLAN number. The VLAN ID is the VLAN number, and doesn't have to be unique per VLAN sub-interface. So, the c...
by DLNoah
Tue Aug 26, 2014 11:35 pm
Forum: The Dude
Topic: Dude download 26/08/2014, where is RB version download
Replies: 4
Views: 2279

Re: Dude download 26/08/2014, where is RB version download

New versions of RouterOS (starting v6.15) no longer work with the Dude package. MikroTik removed the package, pending an update to The Dude that would restore compatibility.
by DLNoah
Tue Aug 26, 2014 11:31 pm
Forum: The Dude
Topic: PING probe doesn't work - 2008R2 -
Replies: 6
Views: 2634

Re: PING probe doesn't work - 2008R2 -

Is your ESXi guest running with an e1000 NIC, or a VMXNET para-virtualized adapter? If the latter, are the VMWare Tools installed & up to date?

-----

One oddity we've seen with pings (and traceroutes) from the Dude on our network occurs when there is a "split route" from the Dude server to the targe...
by DLNoah
Tue Aug 19, 2014 8:36 pm
Forum: General
Topic: ISP gives block of 16 address -- Need help configuring plz!
Replies: 9
Views: 5139

Re: ISP gives block of 16 address -- Need help configuring p

The reason to exclude the 180.185.160.208/28 block from your masquerade rule is to prevent the router from rewriting those addresses (as well as any private IP addresses you currently have and plan to keep using) to your WAN IP. If you have the rule without the exclusion: add action=masquerade chain...
by DLNoah
Tue Aug 19, 2014 7:38 pm
Forum: General
Topic: In Winbox or CLI does ! tickbox mean NOT EQUAL TO <> ?
Replies: 2
Views: 615

Re: In Winbox or CLI does ! tickbox mean NOT EQUAL TO <> ?

Correct, the ! tickbox is negation (NOT).
by DLNoah
Tue Aug 19, 2014 7:34 pm
Forum: General
Topic: Bonding does't work
Replies: 14
Views: 2045

Re: Bonding does't work

Well, in my experience, signals of 20dB less than they "should be" usually indicate one of the following problems:
- Radio card with a bad amplifier
- Improperly connected or bad pigtail connection from radio card to LMR
- Water inside or other damage to LMR cable
- Antenna with bad nosecone or other...
by DLNoah
Tue Aug 19, 2014 7:26 pm
Forum: General
Topic: SonicWall and PPPoE
Replies: 1
Views: 496

Re: SonicWall and PPPoE

Not that I have the answer to your question, but we had intermittent sudden disconnects & refusals to connect on SonicWALL TZ series hardware, several different models. We wound up giving up on them and switching to Static IPs.
by DLNoah
Tue Aug 19, 2014 5:58 pm
Forum: General
Topic: Bonding does't work
Replies: 14
Views: 2045

Re: Bonding does't work

I see that you're basically maxing the over-the-air capacity of wlan2 during that test (the rx rate is settled at 12Mbps). Is there a reason you're trying to bond two separate but adjoining 10MHz links, rather than just using one 20MHz link? From a capacity & throughput standpoint, the link would ru...
by DLNoah
Tue Aug 19, 2014 3:21 pm
Forum: General
Topic: Bonding does't work
Replies: 14
Views: 2045

Re: Bonding does't work

Disable the tunnels and bonding, and then test just wireless to wireless (so, from R1, test first to 10.10.1.2 and then to 10.10.2.2), what kind of throughput are you getting there? It looks to me like you've changed architecture from the beginning; initially your bonding was using the EOIP tunnels ...
by DLNoah
Mon Aug 18, 2014 8:56 pm
Forum: General
Topic: Bonding does't work
Replies: 14
Views: 2045

Re: Bonding does't work

It looks like I had actually mis-read your original configuration, my apologies. From the first configuration:

***Router-1***
/interface eoip
add clamp-tcp-mss=yes mac-address=02:8F:50:48:AA:2C mtu=1500 name=eoip-tunnel1 \
    remote-address=10.0.1.1 tunnel-id=1
add clamp-tcp-mss=yes mac-address=02:95:5...
by DLNoah
Thu Aug 14, 2014 3:28 pm
Forum: General
Topic: Bonding does't work
Replies: 14
Views: 2045

Re: Bonding does't work

Your EOIP tunnels won't run with the same IP address on both sides of the tunnel; you should change the IP addresses on one router or the other and update the EOIP tunnel settings accordingly. (So, for example, change the wlan1 and wlan2 IPs on router 2 to be 10.0.1.2/24 and 10.0.2.2/24 respectively...
by DLNoah
Tue Aug 05, 2014 10:51 pm
Forum: The Dude
Topic: PING probe doesn't work - 2008R2 -
Replies: 6
Views: 2634

Re: PING probe doesn't work - 2008R2 -

Every time I've moved/reinstalled the Dude, I've run into the following: In order for ping probes to work, the user the Dude is running as must have Local Administrator access on the machine. If you're running the Dude with its default installed options, it tends to run in the context of the user th...
by DLNoah
Tue Aug 05, 2014 5:56 pm
Forum: General
Topic: v6.18
Replies: 109
Views: 30503

Re: v6.18

I upgrade a RB411AH from 5.25 to 6.18. it has two virtual AP on wlan1 and two VLAN on ether1 interfaces. And two bridges to bridge each VLAN and virtual AP. this config seen still working on 6.18. But both VLANs and both virtual APs are "slave" (Interfaces marked by "S" on interface list). What can...
by DLNoah
Thu Jul 31, 2014 9:06 pm
Forum: General
Topic: Problem with hair pin
Replies: 7
Views: 1382

Re: Problem with hair pin

my server is on 10.0.6.0/24, port 5 (not switched) and clients access server both from lan and wan. lan clients are on 10.0.4.0/24.

Given this configuration, you don't need the Hairpin NAT rule at all, as long as your client computers and server all use the MikroTik as their default gateway (or some...
by DLNoah
Wed Jul 30, 2014 7:34 pm
Forum: General
Topic: Problem with hair pin
Replies: 7
Views: 1382

Re: Problem with hair pin

I have configured as static one domain, pointing to server internal ip, is it ok? lan machines uses dns mikrotik server as default and mikrotik is configured to use my isp dns to resolve. should I make any other change? thanks to all

I guess I don't have a good idea as to what you're asking... Is t...
by DLNoah
Tue Jul 29, 2014 8:06 pm
Forum: General
Topic: Problem with hair pin
Replies: 7
Views: 1382

Re: Problem with hair pin

my web server is on port ether5, 10.0.6.11.

Looks to be incompatible with

I tried to configure hairpin and the configuration is
14 ;;; web interno
chain=srcnat action=masquerade protocol=tcp src-address=10.0.4.0/24 dst-address=10.0.6.11 out-interface=ether1 dst-port=80

So, try changing the out-int...
by DLNoah
Fri Jul 25, 2014 2:13 pm
Forum: General
Topic: freeradius_dhcp with mikrotik
Replies: 4
Views: 1615

Re: freeradius_dhcp with mikrotik

Hm, if it's assigning correctly in debugging mode, then what does the tail of the radius log (RHEL based default location is /var/log/radius/radius.log) show when you attempt an authorization with RADIUS running in service mode?
by DLNoah
Thu Jul 24, 2014 11:06 pm
Forum: General
Topic: freeradius_dhcp with mikrotik
Replies: 4
Views: 1615

Re: freeradius_dhcp with mikrotik

In order to get useful FreeRADIUS debug information with radiusd -X, you need to do the following:
1) Stop the FreeRADIUS service (service radiusd stop if you're on a RHEL based distro, not 100% sure of the Debian way to do it)
2) Use radiusd -X to start FreeRADIUS in debug mode
3) Make the DHCP req...
by DLNoah
Tue Jul 15, 2014 8:40 pm
Forum: General
Topic: OSPF and Radius behavour
Replies: 2
Views: 767

Re: OSPF and Radius behavour

Are you using the "Src. Address" option within your RADIUS settings? If you leave it unset, the behavior you're observing will result. We set it to a specific address on ours, and as long as that address exists on an active interface in the system (such as a loopback bridge), RADIUS requests will se...
by DLNoah
Mon Jul 14, 2014 11:33 pm
Forum: General
Topic: VoIP QoS not working correctly
Replies: 9
Views: 1488

Re: VoIP QoS not working correctly

Well, what jumps out to me from the screenshot is that nothing is hitting the SIP_IN and SIP_OUT queues for your queue tree. Can you post the results of /ip firewall mangle export compact and /queue tree export compact?
by DLNoah
Mon Jul 14, 2014 8:03 pm
Forum: General
Topic: OpenVPN Issue
Replies: 2
Views: 793

Re: OpenVPN Issue

Have you verified on the LAN devices and the OpenVPN device that they're both receiving the MT as their default gateway?

Do you have any rules in /ip firewall filter or /ip firewall nat?
by DLNoah
Mon Jul 14, 2014 3:37 pm
Forum: The Dude
Topic: Please Help, Can't discover anything with ping!
Replies: 1
Views: 955

Re: Please Help, Can't discover anything with ping!

Though you haven't specified, I'm assuming you're running The Dude on a Windows platform of Vista (or Server 2008) or newer. If that is the case, the following might be the source of your issue: In order for ping probes to work, the user the Dude is running as must have Local Administrator access on...
by DLNoah
Mon Jul 14, 2014 3:30 pm
Forum: General
Topic: How to merge use of Switch1 and Switch2 on RB2011
Replies: 1
Views: 2200

Re: How to merge use of Switch1 and Switch2 on RB2011

To my knowledge, the only way to get switch1 ports to talk to switch2 ports is to bridge the switch1 master port and the switch2 master port together. So your configuration would be something like:
ether1-5 have master of sfp1
ether7-10 have master of ether6
bridge1 (or whatever you want to call it)...
by DLNoah
Mon Jun 30, 2014 7:28 pm
Forum: General
Topic: v6.15 released
Replies: 302
Views: 105314

Re: v6.15 released

We are having problems with the routing engine crashing on CC61036-12G-4S. We lose all routes and BGP peers. You reboot the router and it all comes back and works fine for a couple of days. We are running 6.7 on our other datacentre CC61036-12G-4S and never had an issue with the routing engine cra...
by DLNoah
Thu Jun 19, 2014 5:20 pm
Forum: General
Topic: Redundant RADIUS servers for authentication : bug ???
Replies: 4
Views: 1079

Re: Redundant RADIUS servers for authentication : bug ???

Q: Am I the only one who wants to have redundant RADIUS servers? Has anyone got it working somehow? Or is it just a RouterOS bug? Thank you for any info.

We have redundant RADIUS for dhcp and hotspot working exactly as you detailed. If you look at the output of "/radius monitor" for each server, ...
by DLNoah
Thu Jun 05, 2014 4:20 pm
Forum: General
Topic: Denying Mikrotik-Rate-Limit Attribute
Replies: 7
Views: 1368

Re: Denying Mikrotik-Rate-Limit Attribute

Assuming you have control of the AAA server, the simplest thing to do is modify its query or underlying data so that it does not return the MikroTik-Rate-Limit attribute. If necessary, you can get into RADIUS virtual servers and use the realm option on your MikroTik unit to indicate which RADIUS s...
by DLNoah
Thu Jun 05, 2014 2:39 pm
Forum: The Dude
Topic: Dude on CentOS - ping probe not working
Replies: 5
Views: 2764

Re: Dude on CentOS - ping probe not working

Ping "local problem" issues generally trace to insufficient permissions. In native Windows land, the Dude requires Local Administrator permission to the box it's running on in order to send pings. I would assume that translates to the Dude process requiring root-level access (for at least the networ...
by DLNoah
Tue Jun 03, 2014 10:52 pm
Forum: General
Topic: Inline comments in WinBox
Replies: 12
Views: 4429

Re: Inline comments in WinBox

We pretty much all use "Load Previous Session", and "Inline Comments" has become a whole toilet-seat-up-versus-down debate because Winbox saves the previous user's option of (not) using Inline Comments.

use different usernames for different people =)

Actually, we do, and "Load Previous Session" sti...
by DLNoah
Fri May 23, 2014 10:07 pm
Forum: General
Topic: Inline comments in WinBox
Replies: 12
Views: 4429

Re: Inline comments in WinBox

For a sake, is there any option how to enable inline comments in WinBox everywhere and forever? I have to switch forms to inline comment after each login. Running Winbox in Wine.

Are you using the Winbox option "Load Previous Session"? Because on our network, there are some people who do use Inline...
by DLNoah
Fri Apr 11, 2014 6:58 pm
Forum: The Dude
Topic: The dude local problem with window 8 or 8.1
Replies: 2
Views: 5337

Re: The dude local problem with window 8 or 8.1

Dear all, I always have problems with dude 3.6 installed on Windows 8 or 8.1. After I add some device and monitor by service Ping, it always shows the problem is Local Problem (all devices down but in the Local PC we can ping).

"Local Problem" when trying to ping is caused by UAC -- specifically, the us...
by DLNoah
Fri Apr 11, 2014 6:56 pm
Forum: The Dude
Topic: What is the ideal hardware/software Dude setup?
Replies: 5
Views: 4958

Re: What is the ideal hardware/software Dude setup?

I'm trying on windows 8.1 now and can't get a simple ping probe to work. It seems that windows 7 or earlier are most compatible, so gonna stick with that for now. Thanks for comments.

In order for ping probes to work, the user the Dude service is running as must have Local Administrator access on t...
by DLNoah
Wed Apr 02, 2014 10:26 am
Forum: General
Topic: VLANs on Bridged Interface
Replies: 5
Views: 569

Re: VLANs on Bridged Interface

What we've been doing on tower sites to segregate management and customer traffic is as follows:
- Create LAN bridge for the ports that APs and other devices are connected to
- Add the Ethernet interfaces to that bridge
- Add a VLAN interface to the bridge for customer traffic

So, as follows: RB2011...
by DLNoah
Fri Feb 14, 2014 10:39 pm
Forum: General
Topic: v6.10 released
Replies: 248
Views: 84023

Re: v6.10 released

What about port isolation on CRS? Is this fixed?? http://forum.mikrotik.com/viewtopic.php?f=2&t=81257&hilit=crs#p408039

I posted in your linked thread as well, but the non-destructive way to fix the CRS hub-style behavior was posted by MT Support on the v6.9 thread. See: http://forum.mikrotik.com/v...
by DLNoah
Fri Feb 14, 2014 10:34 pm
Forum: General
Topic: CRS documentation
Replies: 79
Views: 30692

Re: CRS documentation

For CRS units that were running a version in the 6.5-6.7 range, you need to do ONE of the following two steps in order to fix the port isolation:
1) Factory reset the unit, do not keep user configuration (obviously not suitable for units in the field)
2) Follow the instructions here: http://forum.mi...
by DLNoah
Mon Feb 03, 2014 3:19 pm
Forum: General
Topic: 6.9 released!
Replies: 223
Views: 81039

Re: 6.9 released!

However we still do not have a working CRS with vlan:s and switches, it still leaks traffic. Regards // // Peter Steen

One thing support recommended to me when I communicated with them on my testing CRS behaving like a hub was to completely factory reset the CRS after applying v6.8rc1. I assume the...
by DLNoah
Thu May 02, 2013 9:54 pm
Forum: General
Topic: Configuration problem with Hotspot
Replies: 0
Views: 368

Configuration problem with Hotspot

I'm having trouble with HotSpot and Framed-IP-Address, trying to avoid tying up 2 IPs for a single client and banging my head against the wall. HS is running on a MT router, doing MAC authentication to a RADIUS server. Some of my customers have reserved addresses (Static DHCP) within my current conf...
by DLNoah
Wed May 01, 2013 8:05 pm
Forum: General
Topic: Bursting with wireless RADIUS auth and Mikrotik-Rate-Limit
Replies: 1
Views: 1178

Bursting with wireless RADIUS auth and Mikrotik-Rate-Limit

We're investigating moving toward bursting, but I've run into a problem with RADIUS auth on my wireless access points.

Current setup:
- RADIUS auth for wireless APs
- RADIUS auth for DHCP (looking at moving to hotspot)
- Using the Mikrotik-Rate-Limit RADIUS attribute to send rx-rate/tx-rate rx-burst...
by DLNoah
Tue Oct 09, 2012 10:14 pm
Forum: General
Topic: Problems with units bricking during upgrades
Replies: 4
Views: 933

Re: Problems with units bricking during upgrades

All three of the failed units are showing "execve: No such file or directory" right before they kernel panic when I boot them up on the bench. All three of them successfully re-installed with NetInstall and were able to recover/keep the old firmware image. All three units were RB435GAUH units accord...
by DLNoah
Thu Sep 27, 2012 4:09 pm
Forum: General
Topic: Problems with units bricking during upgrades
Replies: 4
Views: 933

Re: Problems with units bricking during upgrades

Some more information about the bricks we've had:
Units successfully upgraded: 112 (21 are RB435G units)
Units bricked: 3 (all RB435G units)

The failed RB435G units were running 5.18, in bridge mode; 5.18, in station-wds mode; 5.19, in station-wds mode. The successful RB435G units include 6 running ...
by DLNoah
Wed Sep 26, 2012 9:51 pm
Forum: General
Topic: Problems with units bricking during upgrades
Replies: 4
Views: 933

Problems with units bricking during upgrades

I've recently begun doing a systematic upgrade of our wireless backhauls and site routers from various MT versions ranging from 5.4 to 5.19, upgrading to 5.20 (the most recent version we've tested stable). Out of about 50 wireless backhaul units upgraded so far, I've had 2 completely brick on me (as...
by DLNoah
Thu Dec 01, 2011 4:01 pm
Forum: The Dude
Topic: Getting peak traffic for links
Replies: 0
Views: 656

Getting peak traffic for links

We use The Dude to monitor the backhaul traffic on our WISP. We would like to retrieve the peak traffic over a specified period for all of our backhaul links in one report (preferably text based, as we have 40+ backhauls and thus a chart would be very hard to read). I've tried looking into the possi...
by DLNoah
Fri Mar 04, 2011 2:14 am
Forum: Wireless Networking
Topic: Why is this link not working well?
Replies: 1
Views: 577

Why is this link not working well?

I have a 5GHz-N link of approximately 15 miles between two towers that have LOS to each other. The antennas are Pacific Wireless (Laird Technologies now) 29dB 2' solid dishes, dual polarity. The radios are R52HN radios in RB433AH units on both sides, with a minimum of LMR-400 (assume 5' for each con...
by DLNoah
Fri Nov 12, 2010 5:47 pm
Forum: Beginner Basics
Topic: RouterOS configuration questions
Replies: 1
Views: 1082

RouterOS configuration questions

My company is in the process of converting from StarOS to MT for our WISP access points and CPE, and I've run up against a couple of "key tools" I use in the StarOS configuration interface that I can't intuit how to do with Winbox. Does a way to do the things I have listed below exist, and if so can...