Community discussions

Search found 170 matches

by CCDKP
Tue Apr 17, 2012 5:18 pm
Forum: RouterBOARD hardware
Topic: Is the RB450G enough for my needs?
Replies: 6
Views: 1664

Re: Is the RB450G enough for my needs?

Have you looked much at the Power Routers?

http://www.mikrotikrouter.com/

I inherited a 732 with a contract I took over and it has performed fantastically. I just don't know about the performance / cost ratio given the new products coming out.
by CCDKP
Tue Feb 28, 2012 7:09 am
Forum: General
Topic: Magazines and publications
Replies: 32
Views: 3600

Re: Magazines and publications

In the US: Linux Journal still has its place as my office's "light" reading material. Linux Journal ceased to exist a few months ago. They don't print anymore. They have an online version only. This saddens me greatly. It also makes me realize I apparently need to get back to the office more often....
by CCDKP
Wed Feb 15, 2012 4:35 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Hi all: I am new to Mikrotik. I have an RB450G that I am planning to use as a router/hotspot in a free wireless environment. Since you are operating a free hotspot instead of a fixed ISP with paying customers, you may wish to consider something like I implemented way back on page 3 ( http://forum.m...
by CCDKP
Fri Feb 10, 2012 4:26 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

TKITFrank, While testing out some of the new rules, I hit a very interesting discovery. uTorrent 3.0 will try to establish UTP connections over Teredo IPv6 tunnels, which are on by default on Windows Vista & Windows 7. If you fire up a decent sized torrent on a Windows 7 machine and look under "pe...
by CCDKP
Thu Feb 09, 2012 4:14 pm
Forum: General
Topic: Magazines and publications
Replies: 32
Views: 3600

Re: Magazines and publications

In the US: Linux Journal still has its place as my office's "light" reading material. Linux Journal ceased to exist a few months ago. They don't print anymore. They have an online version only. This saddens me greatly. It also makes me realize I apparently need to get back to the office more often....
by CCDKP
Wed Feb 08, 2012 9:22 pm
Forum: General
Topic: Magazines and publications
Replies: 32
Views: 3600

Re: Magazines and publications

In the US: Linux Journal still has its place as my office's "light" reading material. For online reading: Reddit.com/r/networking Reddit.com/r/sysadmin For listening in the car: packetpushers.net, although they do focus a bit too hard on datacenter-only solutions and tend to forget about the ISP / E...
by CCDKP
Tue Jan 31, 2012 4:03 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

CCDKP , do I understand right, these rules above work with encrypted option in torrent client enforced too? I suppose, their blocking effect comes at announce blocking level (where we use dns block) and doesn't depend on all other options? That is correct. The "Encrypt" option in a torrent client o...
by CCDKP
Sat Jan 28, 2012 1:10 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

So to summarize, both of the existing Bittorrent and Bittorrent_announce L7 filters should be removed in favor of: /ip firewall layer7-protocol add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|azver\\x01\$\ |get /scrape\\\?info_hash=|get /announce\\\?info_hash=|get /client/bitcomet...
by CCDKP
Fri Jan 27, 2012 4:48 pm
Forum: General
Topic: Artificial Ping delay
Replies: 6
Views: 1981

Re: Artificial Ping delay

I don't know about using it for a production run, but we have used WANEM in the shop for simulating latency and packet loss on the line. http://wanem.sourceforge.net/ For the record, jitter is far more annoying than a fixed delay. Game code / players can compensate for fixed latency, jitter makes ad...
by CCDKP
Fri Jan 27, 2012 4:26 pm
Forum: General
Topic: Packet filtering inside in EoIP tunnel
Replies: 3
Views: 643

Re: Packet filtering inside in EoIP tunnel

Since you most likely have your EoIP tunnel as part of a bridge group, did you enable IP filtering on the bridge and use the bridge firewall?

http://wiki.mikrotik.com/wiki/Manual:In ... e_Firewall
by CCDKP
Sun Jan 22, 2012 10:48 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Ok, I disabled bittorrent_announce now (btw, can you explain in detail, what does this rule do, and why does yahoo start page correspond to it?), but it seems like nothing is changed. The two biggest flags for bittorrent are the scrape and announce commands sent to the trackers. For a long while, t...
by CCDKP
Sun Jan 22, 2012 12:09 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

You don't need the "bittorrent_announce" rule as it is covered by the "Bittorrent" rule. Anything the Announce rule is flagging is a false positive (yahoo.com's front page will get flagged). Also, do you have rules to redirect all DNS traffic to the mikrotik? If you don't, a client can just use thei...
by CCDKP
Sun Jan 22, 2012 12:05 am
Forum: General
Topic: ADSL Dynamic Bandwidth Allocation
Replies: 4
Views: 1921

Re: ADSL Dynamic Bandwidth Allocation

When you configure PCQ, you specify what mask you want for src or dst classifiers: add kind=pcq name=pcq_src pcq-classifier=src-address pcq-limit=50 pcq-rate=0 pcq-src-address-mask=24 pcq-total-limit=5000 add kind=pcq name=pcq_dst pcq-classifier=dst-address pcq-dst-address-mask=24 pcq-rate=0 pcq-tot...
by CCDKP
Fri Jan 13, 2012 5:42 pm
Forum: General
Topic: ADSL Dynamic Bandwidth Allocation
Replies: 4
Views: 1921

Re: ADSL Dynamic Bandwidth Allocation

Look into PCQ. It effectively does what you are asking for; it evenly shares the bandwidth between the clients. You do need to provide fairly accurate total bandwidth limits, though. If you set the max limit for a hypothetical 10Mbit, but then only get 6Mbit actual bandwidth from the ISP, QoS will n...
by CCDKP
Fri Jan 13, 2012 5:09 pm
Forum: Wireless Networking
Topic: Mesh handover network with no latency time or no packet loss
Replies: 13
Views: 5247

Re: Mesh handover network with no latency time or no packet

In all my experience, if you have a fast-moving target that will be switching constantly, then stock OSPF is probably not the best choice, as the 10s hello timer means upwards of 30 seconds for some failover. You are able to turn the hellos down to 1s each, which would need to be done on all radios...
by CCDKP
Fri Jan 13, 2012 4:45 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Ok so I have been running that filter rule overnight and this time I haven't had issues with sites being blocked but it doesn't dent p2p, still runs at full speed It's good to hear you aren't seeing any false positives. If something comes up, please let me know. With Bittorrent, explicitly, if it get...
by CCDKP
Thu Jan 12, 2012 5:51 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

I've found that method also blocks users' HTTP traffic and various other applications so it's not 100% reliable, as stated previously policy based routing is currently the best way of doing it Could you get me an example of websites this blocks or captures of traffic it is flagging on? After fixing it...
by CCDKP
Wed Jan 11, 2012 7:07 pm
Forum: General
Topic: > 254 IPs
Replies: 3
Views: 3653

Re: > 254 IPs

Depending on how / what you are setting up, I would typically set: /ip address add address=192.168.0.1/23 disabled=no interface=<INTERFACE> network=192.168.0.0 /ip pool add name=DHCP2 ranges=192.168.1.6-192.168.1.249 add name=DHCP1 next-pool=DHCP2 ranges=192.168.0.6-192.168.0.249 /ip dhcp-server add...
by CCDKP
Wed Jan 11, 2012 6:42 pm
Forum: Wireless Networking
Topic: NV2
Replies: 5
Views: 1289

Re: NV2

Throughput varies based on the traffic demand. Put some traffic on the line and it should level out.
by CCDKP
Wed Jan 11, 2012 6:39 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

I posted this in another thread, but figured it would be useful here for anyone searching, since this seems to be the default thread to send people to: With the current state of encrypted bittorrent, there is no tracking it specifically. The traffic is explicitly designed to avoid being filtered and...
by CCDKP
Wed Jan 11, 2012 6:05 pm
Forum: General
Topic: Quality of Service
Replies: 4
Views: 872

Re: Quality of Service

Only problem is, we are an ISP. Comcast has been sued for blocking things like p2p. We are not wanting to block it, just to traffic shape it and give it lower priority than "normal" traffic. With the current state of encrypted bittorrent, there is no tracking it specifically. The traffic is explici...
by CCDKP
Tue Jan 10, 2012 10:22 pm
Forum: Wireless Networking
Topic: Double 2.4GHz Antenna Gain!
Replies: 9
Views: 2273

Re: Double 2.4GHz Antenna Gain!

The main use I have seen for TX-A/RX-B is to flex some of the FCC (and possibly other governing bodies) regulations. FCC regulations only limit the output power of the transmitter; they do not cover the receiver. To stay under the legal power, you might be limited to a 23dBi directional in a theoret...
by CCDKP
Fri Jan 06, 2012 7:04 am
Forum: General
Topic: PCQ Help
Replies: 4
Views: 1477

Re: PCQ Help

Thank you for your help on this. I find that the documentation in the wiki is sparse in certain areas. I had actually followed a confusing example from the wiki which is why I ended up mixing trees and simple queues. May I ask where one really learns the magic? Do I have to attend MUM or get ce...
by CCDKP
Fri Dec 16, 2011 4:08 pm
Forum: RouterBOARD hardware
Topic: RB SEXTANT 5HnD for PtP setup Questions
Replies: 17
Views: 8011

Re: RB SEXTANT 5HnD for PtP setup Questions

Hello, I'm about to order two RB SEXTANT 5HnD for a Point-to-Point setup. They both will be installed in line of sight and about 370 meters in between them. What speed will I achieve, is this predictable? I already have contacted the Mikrotik Support and they say: We have achieved even 200Mbit real t...
by CCDKP
Fri Dec 16, 2011 12:46 am
Forum: RouterBOARD hardware
Topic: Availability of the RB751G
Replies: 101
Views: 21152

Re: Availability of the RB751G

Newsletter 35 talks about the 1100AHx2, 750UP, and the Sextant 5HnD, and yet the 751G seems strangely missing.

On that note, do we even know what processor will be in it? I'm really hoping for a 680MHz here.
by CCDKP
Mon Dec 05, 2011 5:44 am
Forum: General
Topic: Network Storage over PPTP VPN
Replies: 3
Views: 1787

Re: Network Storage over PPTP VPN

I reconfigured the VPN, I am now using IPsec which is more secure. Since I have done this, I can now access the web interface of the NAS, but still cannot access the shares. I guess the MTU could still be at fault, even with the different type of tunnel? Thanks Any time you tunnel, the MTU changes....
by CCDKP
Fri Dec 02, 2011 5:11 pm
Forum: General
Topic: restarting the ipsec tunnel
Replies: 5
Views: 5720

Re: restarting the ipsec tunnel

On the IPsec peer, make sure Dead Peer Detection (DPD) is enabled. By default it tries every 120 seconds and reconnects after 5 failures. While this works a lot of the time, I have had a few instances similar to yours where DPD was misbehaving or there was some loss in the connection. Turning this ...
by CCDKP
Fri Dec 02, 2011 5:02 pm
Forum: General
Topic: Network Storage over PPTP VPN
Replies: 3
Views: 1787

Re: Network Storage over PPTP VPN

My guess is your MTU is not set correctly for the tunnel. On the PPTP server make sure Change TCP MSS is enabled in the PPTP profile.

When the MTU is mismatched, smaller packets like RDP work fine, but large data packets (like SMB) can be dropped.
by CCDKP
Fri Dec 02, 2011 12:59 am
Forum: Scripting
Topic: PLS HLP > Updating DYN.com DDNS IP's - from PPPoE Interfaces
Replies: 2
Views: 1267

Re: PLS HELP >> rOS 5.x - PPPoE Interfaces - update DYN.com

Here is another script that may be of some use: http://wiki.mikrotik.com/wiki/Dynamic_DNS_Update_Script_for_ChangeIP.com In particular, in your script change # get the current IP address from the internet (in case of double-nat) /tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-pat...
by CCDKP
Wed Nov 30, 2011 8:47 pm
Forum: General
Topic: need of high end bandwidth manager
Replies: 2
Views: 506

Re: need of high end bandwidth manager

I have had really good luck with the PowerRouter 732. I inherited it with a project and it has held up surprisingly well to everything I have thrown at it. There is also a larger version if you need it. http://www.mikrotikrouter.com/
by CCDKP
Sun Nov 27, 2011 9:23 am
Forum: Beginner Basics
Topic: Have I lost my license?
Replies: 9
Views: 1916

Re: Have I lost my license?

You have three days to do so. If you're still within those three days just click the "upgrade license" button in Winbox. If you're not, email support. Thank you fewi, as you can see in my post above, I had the timer active, I have created the account on mikrotik, they sent me the key file, I have u...
by CCDKP
Sun Nov 27, 2011 9:20 am
Forum: Beginner Basics
Topic: VLANs for Dummies
Replies: 14
Views: 5366

Re: VLANs for Dummies

You did see the thread title I picked says "for Dummies" in it, right? :) I think some of the confusion is coming from the definition of a "broadcast domain". A broadcast domain functions on Layer 2 of the OSI model, and is independent of IP addresses and subnets. If you were to send out a packet w...
by CCDKP
Sun Nov 27, 2011 8:01 am
Forum: General
Topic: torrent packet-mark catch succeeded, now how can I block it?
Replies: 7
Views: 2430

Re: torrent packet-mark catch succeeded, now how can I block

If I do what you have suggested, basically I am blocking the in-WAN packets, and if I use connection mark I block both ways, what if I only want to block only out-WAN? thanks Without seeing your filter, I can't tell you what exactly you are catching, but if you are using the L7 bittorrent filter fr...
by CCDKP
Wed Nov 23, 2011 4:16 pm
Forum: Scripting
Topic: torrent tracker blocking through web proxy
Replies: 3
Views: 2870

Re: torrent tracker blocking through web proxy

The short answer, no. The long answer, yes, mostly. Torrent traffic is specifically designed to avoid detection and blocking. Even if you block tracker traffic, things like SSL trackers and encrypted DHT allow peer exchanges that make it almost impossible to detect. You can greatly cripple torrent t...
by CCDKP
Tue Nov 22, 2011 5:44 pm
Forum: Wireless Networking
Topic: Request Link Planner Software
Replies: 9
Views: 2338

Re: Request Link Planner Software

Since gmsmstr hasn't said anything yet, I figured I should throw in the plug for http://www.mywificoverage.com/. It is run by the guys over at linktechs.net (makers of the PowerRouter). The free account lets you make a single link at a time, which should meet your needs.
by CCDKP
Tue Nov 22, 2011 5:23 pm
Forum: Scripting
Topic: automatic "reverse" SSH tunnel script for remote access?
Replies: 3
Views: 2240

Re: automatic "reverse" SSH tunnel script for remote access?

If the DSL modem performs PPPoE, most major models allow you to put them into transparent bridge mode, at which point you can set up the PPPoE on the MikroTik and get your static IP directly on there. This has a number of nice advantages, but isn't always feasible. When that doesn't work, you are ab...
by CCDKP
Thu Nov 17, 2011 4:32 pm
Forum: General
Topic: Feature Request: GRE NAT Tracking (PPTP)
Replies: 2
Views: 3738

Re: Feature Request: GRE NAT Tracking (PPTP)

I thought I had that enabled during my testing. I will go back and try it again. Thank you.
by CCDKP
Thu Nov 17, 2011 12:23 am
Forum: General
Topic: mikrotik -> mikrotik pptp problem
Replies: 8
Views: 10056

Re: mikrotik -> mikrotik pptp problem

How do we ask mikrotik for a feature request ? using forums/bugtracker if exists ?
I created a Feature Request here:
http://forum.mikrotik.com/viewtopic.php?f=1&t=56780
by CCDKP
Thu Nov 17, 2011 12:15 am
Forum: General
Topic: Feature Request: GRE NAT Tracking (PPTP)
Replies: 2
Views: 3738

Feature Request: GRE NAT Tracking (PPTP)

As of 5.8, it appears that Conntrack and SNAT are unable to track multiple GRE tunnels to the same host. This problem manifests itself as multiple users behind a MikroTik NAT router being unable to PPTP VPN into the same remote server. More information is available in this thread: http://forum.mikrot...
by CCDKP
Wed Nov 16, 2011 6:31 pm
Forum: General
Topic: upgrade of license....
Replies: 7
Views: 1011

Re: upgrade of license....

Level 3 (CPE):
  • RB711-2Hn
  • RB711-5Hn
  • RB711-5Hn-U
  • RB711-5HnD
  • RB711G-5HnD
Level 4 (AP):
  • RB711UA-2HnD
  • RB711UA-5HnD
  • RB711GA-5HnD
Level 4 AP use is noted by "A"
by CCDKP
Wed Nov 16, 2011 5:09 pm
Forum: Beginner Basics
Topic: Site - Site
Replies: 10
Views: 1656

Re: Site - Site

got any suggestions for a book that introduces those topics at a reasonable level without immediate diving into page long formulas I wouldn't understand? If you follow the security world at all, you are probably familiar with Bruce Schneier. He is a great resource for learning about all things cryp...
by CCDKP
Wed Nov 16, 2011 7:23 am
Forum: Beginner Basics
Topic: Site - Site
Replies: 10
Views: 1656

Re: Site - Site

PPTP and L2TP use MPPE for encryption, which means RC4. RC4 is, for all intents and purposes, broken. It's the underlying mechanism for WEP, for example. It can rekey frequently, but RouterOS doesn't expose parameters for tweaking that. So where does that leave you? Depends. How valuable is the dat...
by CCDKP
Wed Nov 16, 2011 12:19 am
Forum: General
Topic: mikrotik -> mikrotik pptp problem
Replies: 8
Views: 10056

Re: mikrotik -> mikrotik pptp problem

Hello, I've a routerboard 450G at HQ, using for vpn server (pptp) it has about 50 users, and they had no problem until now. In a branch office, I changed the linux router, with a mikrotik (450G again). It does not do so much, just dhcp, and NAT for internet access. But I noticed that, from that bran...
by CCDKP
Sun Nov 13, 2011 12:16 am
Forum: General
Topic: VPN Passthrough Issue
Replies: 8
Views: 6538

Re: VPN Passthrough Issue

Do you have pptp or ipsec enabled on the router itself? Perhaps data is getting caught by that instead of forwarded away properly.
by CCDKP
Fri Nov 11, 2011 10:14 pm
Forum: General
Topic: VPN Passthrough Issue
Replies: 8
Views: 6538

Re: VPN Passthrough Issue

Double check in your filter rules that you have an allow entry for Related as well as Established connections.
by CCDKP
Fri Nov 11, 2011 12:24 am
Forum: General
Topic: IPSEC dropping - how to auto reconnect
Replies: 2
Views: 1823

Re: IPSEC dropping - how to auto reconnect

I believe what you are looking for is Dead Peer Detection (DPD). Make sure it is enabled under the IPSec Peer entry. The default is check every 120 seconds, fail after 5 losses, which seems a little long for me. I use 45/3 and haven't had much trouble.
by CCDKP
Fri Nov 11, 2011 12:18 am
Forum: Wireless Networking
Topic: Uncontrolled traffic flow between two mikrotik
Replies: 1
Views: 380

Re: Uncontrolled traffic flow between two mikrotik

Try pulling up torch or the packet sniffer and look at those interfaces. It should give you a quick idea of what data is moving.
by CCDKP
Thu Nov 10, 2011 11:27 pm
Forum: General
Topic: mikrotik & ubiquiti routerstation
Replies: 8
Views: 1464

Re: mikrotik & ubiquiti routerstation

I know a lot of people around here use Ubiquiti radios, but have them connected to a MikroTik to do the heavy lifting (QoS, Hotspot, firewalling, etc). I have personally set up a few networks using a series of UniFi's for Layer2 connectivity, but then hooking them up to a 450G to handle QoS and rout...
by CCDKP
Thu Nov 10, 2011 8:33 pm
Forum: General
Topic: VPN Passthrough Issue
Replies: 8
Views: 6538

Re: VPN Passthrough Issue

What kind of VPN are they using? IPSec? PPTP?
by CCDKP
Thu Nov 10, 2011 5:18 pm
Forum: Beginner Basics
Topic: log DNS query
Replies: 3
Views: 6129

Re: log DNS query

If openDNS is telling you the offending DNS requests, then this is pretty simple. Step 1) Set Mikrotik DNS to use OpenDNS and capture all DNS queries: /ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 servers=208.67.222.222,208.67.220.220 /ip firewall ...
by CCDKP
Wed Nov 09, 2011 5:09 pm
Forum: General
Topic: Policy Routing - L2TP and multiple WANs
Replies: 13
Views: 9634

Re: Policy Routing - L2TP and multiple WANs

I have also run into this problem. Running v5.7. Does anyone have any advice on how to work around this problem until such time as it is resolved? As far as I can tell, this isn't a bug in L2TP, but rather a problem with how your rules are written. You can test this by trying to SSH, PPTP, or WinBo...
by CCDKP
Wed Nov 09, 2011 4:42 pm
Forum: General
Topic: How to block all P2P?
Replies: 4
Views: 875

Re: How to block all P2P?

Hello everyone, I'm in a bit of trouble: I'm going abroad for a few months and due to financial reasons ;) I'm going to rent my room during this time. Since I'm afraid the guy living here might use illegal p2p, I tried to solve it with a law/legal consultant and a modified rental contract. But that ...
by CCDKP
Mon Nov 07, 2011 3:34 am
Forum: General
Topic: Best place for QOS/queueing?
Replies: 5
Views: 1033

Re: Best place for QOS/queueing?

Quality of Service is about intelligently discarding packets when needed, so you want to apply QoS wherever you are discarding packets. If you are oversubscribing a backhaul, then you want QoS on the tower to make the most of the backhaul. If the limitation is always at your internet connection,...
by CCDKP
Thu Nov 03, 2011 10:17 pm
Forum: General
Topic: PCQ Help
Replies: 4
Views: 1477

Re: PCQ Help

This is a very easy thing to set up, and probably my favorite feature of Mikrotik. If you are just looking for a basic flat PCQ setup, go ahead and just use simple queues. Mixing Simple Queues and Queue Trees is just going to cause a headache down the road. (Simple Queues generate their own Queue Tr...
by CCDKP
Thu Nov 03, 2011 9:42 pm
Forum: General
Topic: Local Site with VLANs and Remote Site with VLANS
Replies: 1
Views: 567

Re: Local Site with VLANs and Remote Site with VLANS

I have a setup of two sites both with Mikrotik RouterBoard 750. Site A has the following Setup ETH1 with 2VLANs (VLAN 1 = Internal Network 192.168.7.1/16, VLAN 2 = Guest Network 192.169.5.1/24) ETH2 = Connected to Fibre Modem that connects to Site B Directly ETH3 = Public Internet Modem Site B ETH1 ...
by CCDKP
Thu Nov 03, 2011 9:34 pm
Forum: Forwarding Protocols
Topic: (Exclusively) Vaccine X shot for Mikrotik server against VTS
Replies: 6
Views: 15496

Re: (Exclusively) Vaccine X shot for Mikrotik server against

VTS means Virus Trojan Spyware This list seems to mostly be ads and adult content sites. How is this designed to stop viruses? More and more we are seeing drive-by downloads hosted on throw-away sites or legitimate sites which have been hacked. Do these sites also host the command & control chan...
by CCDKP
Wed Nov 02, 2011 10:06 pm
Forum: General
Topic: TLS certificate
Replies: 2
Views: 627

Re: TLS certificate

what is tls certificate and what is the use of this hope i will get the good reply thanks in advance TLS Certificate is sometimes called an SSL Certificate. The only time they are really needed is if you need to enable HTTPS on the web interface of the Mikrotik. Typically this is either when setti...
by CCDKP
Wed Nov 02, 2011 9:59 pm
Forum: General
Topic: PPTP-EOIP Bridge Question
Replies: 3
Views: 855

Re: PPTP-EOIP Bridge Question

I have created a branch office bridge that works great using PPTP and EOIP. I would like all traffic at the branch office that is not a destination in the 192.168.0.0/16 network be routed through the local internet connection. The goal is to allow the localized workstations to communicate with the ...
by CCDKP
Wed Nov 02, 2011 4:10 pm
Forum: Wireless Networking
Topic: Limit users connected to mikrotik AP
Replies: 2
Views: 1312

Re: Limit users connected to mikrotik AP

Dear Friends, Is there any method on limiting max users on 1 Wireless Adapter? like maximum accepting 20 users per wireless before denying a new user. This is a method for balancing load across 10 APs in one room (like mikrotik convention room). Any pointers will be gladly accepted thanks The option...
by CCDKP
Wed Nov 02, 2011 3:36 pm
Forum: General
Topic: connlimit - UDP protocol
Replies: 18
Views: 4154

Re: connlimit - UDP protocol

Sounds like that, but you cannot edit this with WinBox - it's grayed for everything except tcp %) After a bit of testing, it looks like you can apply connection-limit to UDP streams in 5.7, you just need to do it by the terminal window. Hopefully they will fix this in winbox soon. It looks like the...
by CCDKP
Wed Nov 02, 2011 3:34 pm
Forum: General
Topic: RouterOS v5.8 released
Replies: 182
Views: 87559

Re: RouterOS v5.8 released

It looks like they fixed the bug in Winbox that prevented you from setting connection limits with UDP (added in 5.7). Awesome.
by CCDKP
Fri Oct 28, 2011 4:59 pm
Forum: General
Topic: PPTP VPN Issues
Replies: 4
Views: 1467

Re: PPTP VPN Issues

Several of the 2wire models have serious issues dealing with non TCP/UDP protocols. Since PPTP relies on GRE, this poses a major problem with trying to forward PPTP. The best work-around we have found is to put the 2wire into bridge mode and have the mikrotik handle PPPoE. Although they don't "offic...
by CCDKP
Thu Oct 27, 2011 4:23 pm
Forum: General
Topic: Help With PCQ Queues
Replies: 2
Views: 557

Re: Help With PCQ Queues

Limit and Max-Limit apply to the PCQ group as a whole, divided evenly between the PCQ sub-streams. In the setup of the PCQ type, you can specify PCQ-Rate, which is the limit each sub-stream is held to. The Wiki has some nice visuals for this: http://wiki.mikrotik.com/images/thumb/c/cb/PCQ3.png/500px...
by CCDKP
Wed Oct 26, 2011 5:03 pm
Forum: General
Topic: Question About PCC
Replies: 1
Views: 326

Re: Question About PCC

Unfortunately, it just evenly splits new connections between the pipes, with no knowledge of the current utilization.

If someone has a script or trick to make it look at current / average data rates, that would be awesome (Please share!), but none exist to my knowledge.
by CCDKP
Wed Oct 26, 2011 4:56 pm
Forum: General
Topic: traffic prioritization
Replies: 5
Views: 1163

Re: traffic prioritization

Is there a way to leave my pcq rules in place and set up some simple queue rules to limit p2p traffic to a certain rate and prioritize anything destined for port 80? Maybe point me in the correct direction and I can probably figure it out. Something that helped a lot for one of my clients was to sta...
by CCDKP
Mon Oct 24, 2011 5:06 pm
Forum: Beginner Basics
Topic: Dynamic DNS support..
Replies: 3
Views: 662

Re: Dynamic DNS support..

Scripting it is. Thankfully there are already some nice scripts out there:
http://wiki.mikrotik.com/wiki/Dynamic_D ... for_dynDNS
by CCDKP
Tue Oct 18, 2011 11:09 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

and did small test with bit torrent and its getting much more them limit :( Bittorrent can use both TCP and UDP connections. Connection limiting on TCP is a bit touchier since so many things rely on it. The point of restricting the number of UDP connections isn't to completely kill Bittorrent, noth...
by CCDKP
Tue Oct 18, 2011 10:22 pm
Forum: Beginner Basics
Topic: RB 750GL (Level 4)-VLANs on Dell switch-DHCP server per VLAN
Replies: 9
Views: 1936

Re: RB 750GL (Level 4)-VLANs on Dell switch-DHCP server per

VLANs in Mikrotik are simply another interface, and as such they are treated just like any "normal" interface as far as routing traffic is concerned. A lot of people get caught up with the idea of "trunk ports" and other Cisco or HP terminology. For clarity, I typically name my VLAN subinterfaces w...
by CCDKP
Tue Oct 18, 2011 4:47 pm
Forum: General
Topic: Trying to understand virus' better.
Replies: 4
Views: 1236

Re: Trying to understand virus' better.

Yea they are port based. I set up these rules based off an online course for Mikrotik I had found. I figured false positives would be pretty high with this method. Has someone scripted a better set of rules out there that really can detect them in a better manner? Here are my firewall rules. Thanks!...
by CCDKP
Tue Oct 18, 2011 4:27 pm
Forum: General
Topic: Password Recovery website
Replies: 20
Views: 6666

Re: Password Recovery website

Even the third party Linksys-style router firmwares do password encryption within the config. You can change it, but you can never retrieve the old one. I'm sorry? :-) http://www.cisco.com/en/US/products/sw/iosswrel/ps1831/products_tech_note09186a00801746e6.shtml You'll note, similar to fe4r's situ...
by CCDKP
Thu Oct 13, 2011 10:22 pm
Forum: General
Topic: PPTP Server, client add to bridge
Replies: 4
Views: 13472

Re: PPTP Server, client add to bridge

After looking at that example, I wonder if I sent you down the wrong path. The instructions I mentioned were for a single pptp user to dial into a network. A roaming user VPNing in with a laptop. (see http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP#Connecting_Remote_Client ) The instructions you...
by CCDKP
Thu Oct 13, 2011 7:42 pm
Forum: General
Topic: PPTP Server, client add to bridge
Replies: 4
Views: 13472

Re: PPTP Server, client add to bridge

PPTP still has to hand out an IP address as part of the PPTP handshake. Create an IP Pool of addresses in the range of your internal network. In either the pptp profile or the secret, set the local IP to the bridge IP of the Mikrotik and the remote IP to the pool you created. Finally, under interfac...
by CCDKP
Thu Oct 13, 2011 6:33 pm
Forum: General
Topic: Trying to understand virus' better.
Replies: 4
Views: 1236

Re: Trying to understand virus' better.

What are you using for "virus rules"? Typically just filtering based on a single port number is prone to a LOT of false positives and is not recommended. From the best I can tell, your "virus" in example 1 is someone's phone making an ssl connection back to their company's webpage (most likely Excha...
by CCDKP
Thu Oct 13, 2011 4:35 pm
Forum: General
Topic: Password Recovery website
Replies: 20
Views: 6666

Re: Password Recovery website

So, this disable the manual reset (jumping the contacts)? Yes, but the device is still prone to PXE booting a "hostile" image and manually retrieving the password file. Disabling the Reset jumper makes it significantly more difficult, but still not impossible. Perhaps consider adding tamper seals t...
by CCDKP
Thu Oct 13, 2011 4:16 pm
Forum: General
Topic: failover mangle not able to send mail
Replies: 4
Views: 936

Re: failover mangle not able to send mail

The key is putting a specific /32 route for the test point out ISP1. When the ISP1 default route is "active", it has a lower distance and therefore is used over ISP2. When the script detects the line is down, it can set ISP1's gateway distance higher than ISP2's, resulting in ISP2 being used. Since ...
by CCDKP
Wed Oct 12, 2011 8:36 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Yes, it looks very promising. Router on my link is upgraded to 5.7 so testing is started on myself and unadjusted torrent client. Perhaps allow skype through L7 before dropping udp. ... Also, adding udp line with connection limit is possible only through terminal, not over winbox since connection l...
by CCDKP
Wed Oct 12, 2011 7:35 am
Forum: General
Topic: failover mangle not able to send mail
Replies: 4
Views: 936

Re: failover mangle not able to send mail

In all my failover setups, I set the default gateway, then add the second path as a default gateway with a higher distance. I then either use check-gateway to automatically disable the "main" route, or have my script change the metric of the "main" route to something higher than the backup link. The...
by CCDKP
Tue Oct 11, 2011 9:05 pm
Forum: General
Topic: Sniffing MAC address of connected switches
Replies: 5
Views: 751

Re: Sniffing MAC address of connected switches

MAC telnet is a proprietary mikrotik protocol, so unfortunately it won't work for other networking equipment.
by CCDKP
Tue Oct 11, 2011 9:03 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

In 5.7 they finally added the ability to use connection-limit to track UDP streams. I am still doing some testing, but initially it looks promising. add action=drop chain=forward connection-limit=16,32 disabled=no dst-port=!53 protocol=udp This limits each IP to 16 non-DNS UDP streams. 16 should be ...
by CCDKP
Tue Oct 11, 2011 8:54 pm
Forum: General
Topic: limit all torrent downloads
Replies: 5
Views: 5068

Re: limit all torrent downloads

Hi,

Have a look at this thread.
http://forum.mikrotik.com/viewtopic.php?t=21178
@TKITFrank, Leave it to you to post the link to that thread before I got back from lunch.
by CCDKP
Tue Oct 11, 2011 8:52 pm
Forum: General
Topic: multi-queue-ethernet-default
Replies: 2
Views: 5060

Re: multi-queue-ethernet-default

They talked about it in the 5.7 patch notes thread a little bit. http://forum.mikrotik.com/viewtopic.php?t=55021&p=280803 This queue type is designed for our new dual core router RB1100AHx2, but you can use it on interfaces with multiple rx/tx queues (check "/system resources irq" menu) on multi-cor...
by CCDKP
Tue Oct 11, 2011 7:23 pm
Forum: General
Topic: Password Recovery website
Replies: 20
Views: 6666

Re: Password Recovery website

At the end of the day, physical access is king. Even if Mikrotik used a hashing algorithm instead of the encoding they have now, brute force attacks could be used. If they removed the backup-before-reset feature, then the attackers would just PXE boot into a linux distro and mount the flash directly ...
by CCDKP
Tue Oct 11, 2011 4:51 pm
Forum: General
Topic: l2tp tunnels with multiple internet connections issues
Replies: 11
Views: 4291

Re: l2tp tunnels with multiple internet connections issues

can you post your rules maybe if it's short??
/ip firewall mangle
add action=mark-connection chain=prerouting disabled=no in-interface=ether1-ISP1 \
new-connection-mark=Out_ISP1 passthrough=yes comment="Mark ISP1 in as ISP1"
add action=mark-connection chain=prerouting disabled=no in-interface=PPPoE_...
by CCDKP
Sat Oct 08, 2011 12:06 am
Forum: General
Topic: l2tp tunnels with multiple internet connections issues
Replies: 11
Views: 4291

Re: l2tp tunnels with multiple internet connections issues

Could you please post the dump from
/ip route export
/ip firewall mangle export
I have three of these setups running right now (the latest of which I just set up last week), and all of them work great (dual WAN, failover, VPN on both links).
They are all on 450G's running 4.17, 5.4 or 5.7.
by CCDKP
Fri Oct 07, 2011 10:22 pm
Forum: General
Topic: l2tp tunnels with multiple internet connections issues
Replies: 11
Views: 4291

Re: l2tp tunnels with multiple internet connections issues

Route rules are processed in order IIRC, so make sure the new rule is at the top.

To make sure I am understanding this properly, an outside client is connecting to the IP address of ISP1, but the mikrotik response is going out ISP2 with a source IP of ISP2?
by CCDKP
Fri Oct 07, 2011 10:17 pm
Forum: General
Topic: Way to many connections
Replies: 4
Views: 885

Re: Way to many connections

Your config looks fine, but the client using TCP for DNS so much is a little odd. TCP is only used if 1) UDP fails, or 2) the response is more than 512 bytes (typically due to DNSSEC). So maybe your upstream was pushing DNSSEC-signed entries? Not sure, you might want to capture some traffic and take...
by CCDKP
Fri Oct 07, 2011 5:05 pm
Forum: General
Topic: l2tp tunnels with multiple internet connections issues
Replies: 11
Views: 4291

Re: l2tp tunnels with multiple internet connections issues

Try making routing rules that tell it certain source IPs belong to certain lines.
/ip route rule
add src-address=<ISP1 Wan IP>/32 action=lookup table=<ISP1>
add src-address=<ISP2 Wan IP>/32 action=lookup table=<ISP2>
add src-address=<ISP3 Wan IP>/32 action=lookup table=<ISP3>
by CCDKP
Fri Oct 07, 2011 4:59 pm
Forum: General
Topic: Way to many connections
Replies: 4
Views: 885

Re: Way to many connections

TCP 53 is DNS (if UDP lookup fails). My guess was improperly configured DNS on 10.0.0.1, or the client was set to use the wrong DNS server.
by CCDKP
Thu Oct 06, 2011 4:21 pm
Forum: General
Topic: how to limit total (in+out) user speed to 256kb/s using pcq?
Replies: 7
Views: 1154

Re: how to limit total (in+out) user speed to 256kb/s using

I moved from simple queues, and don't want to go back. I thought it's possible with queue tree too. This is bad.. I haven't so much speed that I may divide between my users... This feature (combined in+out limitation) would be nice in future ROS versions. Thanks anyway. Thinking about the question ...
by CCDKP
Wed Oct 05, 2011 4:41 pm
Forum: Beginner Basics
Topic: eoip tunnel
Replies: 3
Views: 693

Re: eoip tunnel

It tunnels all Layer 2 data. Since it's not IP / routing dependent, it can do things like transmit IPX, AppleTalk, multicast, ARP, etc. Most of the time you are better off doing pptp / l2tp / ipip and making it a routed link, but once in a while if you need to work with strange or legacy devices, Eo...
by CCDKP
Wed Oct 05, 2011 4:29 pm
Forum: General
Topic: how to limit total (in+out) user speed to 256kb/s using pcq?
Replies: 7
Views: 1154

Re: how to limit total (in+out) user speed to 256kb/s using

The easiest method (easy being relative) I can think of is making a simple queue for each user. Simple Queues let you specify total bandwidth as an option.
by CCDKP
Tue Oct 04, 2011 6:38 pm
Forum: RouterBOARD hardware
Topic: What does it mean.. wireless with two chains ?
Replies: 4
Views: 20049

Re: What does it mean.. wireless with two chains ?

802.11n allows the use of multiple "chains" (antennas) for some of its advanced features. It is the core behind MIMO setups. If you want to know more, read up on 802.11n. Rick Frey did a great presentation at MUM US10 Video: http://www.tiktube.com/index.php?video=IJdn3iFHapCKJKJKnDDzqrLwplooJFKD= S...
by CCDKP
Tue Oct 04, 2011 6:33 pm
Forum: General
Topic: Weird peer-to-peer behavior?
Replies: 5
Views: 716

Re: Weird peer-to-peer behavior?

Fewi's guess is close if not spot on. The issue is someone is announcing a private IP (10.0.0.2) into a tracker, so clients are trying to connect to it. This can be caused by private VPN based trackers, a client with bad NAT detection, or someone trying to seed from the same LAN as the tracker. Thi...
by CCDKP
Tue Oct 04, 2011 6:10 pm
Forum: Wireless Networking
Topic: 802.11n Extension Channel
Replies: 26
Views: 9088

Re: 802.11n Extension Channel

While your fight is pretty funny, the argument is interesting.. I would like to know if really an extension channel "above control" is +30 and -10 from the frequency used or not.. I'm going to just dodge this whole flame war and try to answer the question as best I can: Unless operating in regulato...
by CCDKP
Tue Oct 04, 2011 4:55 pm
Forum: Wireless Networking
Topic: Antenna mode??? a or b or both?
Replies: 3
Views: 1058

Re: Antenna mode??? a or b or both?

If you are dealing with 802.11n, then there are some major advantages toward using MIMO (Multiple In, Multiple Out), including potentially increased throughput, better signal strength, noise resistance, etc. If you are dealing with a standard card (a/b/g like the R52), then there is no real practica...
by CCDKP
Wed Sep 28, 2011 5:24 pm
Forum: Forwarding Protocols
Topic: Firewall Against P2P
Replies: 5
Views: 1652

Re: Firewall Against P2P

add comment="" name=BITTORENT regexp="^(\\x13bittorrent protocol|azver\\x01\$|\ get /scrape\\\?info_hash=get /announce\\\?info_hash=|get /client/bitcomet/\ |GET /data\\\?fid=)|d1:ad2:id20:|\\x08'7P\\)[RP]\\r\\n" That regex filter is broken and won't catch most torrent seeding. it should be: add com...
by CCDKP
Tue Sep 27, 2011 9:46 pm
Forum: General
Topic: connlimit - UDP protocol
Replies: 18
Views: 4154

Re: connlimit - UDP protocol

If my eyes don't lie to me - it looks like connection-limit starting from v5.7 is protocol independent. So you can start your UDP limitation. sounds like that, but you cannot edit this with WinBox - it's grayed for everything except tcp %) After a bit of testing, it looks like you can apply conne...
by CCDKP
Tue Sep 20, 2011 9:22 pm
Forum: General
Topic: Question about P2P.
Replies: 7
Views: 782

Re: Question about P2P.

From my post here: http://forum.mikrotik.com/viewtopic.php?f=2&t=54697 Torrents pose 2 major problems when it comes to QoS. First, it is VERY hard to mark the encrypted UDP streams, since they are specifically designed to avoid detection and tracking. Your best bet there is to mark everything that i...
by CCDKP
Fri Sep 16, 2011 7:21 pm
Forum: General
Topic: Howto setup PCC with Netwatch ??
Replies: 1
Views: 969

Re: Howto setup PCC with Netwatch ??

With some clever use of the routing table, you can effectively make check-gateway use external servers instead of just the gateway.
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
by CCDKP
Thu Sep 15, 2011 9:10 pm
Forum: General
Topic: Using Mikrotik with Comcast Cable
Replies: 17
Views: 3788

Re: Using Mikrotik with Comcast Cable

This might sound a little too obvious, but in the interest of trying everything, have you power-cycled the cable modem? The ones around here generally need a reboot when you plug a different device in.
by CCDKP
Wed Sep 14, 2011 5:02 pm
Forum: Beginner Basics
Topic: about the product RBSXT
Replies: 3
Views: 735

Re: about the product RBSXT

Not to mention the RBSXT only has a 10/100 ethernet port. So while you could use a pair of them to get 100Mbit Full-Duplex, in a single direction you will never get better than 100Mbit.
by CCDKP
Wed Sep 14, 2011 4:55 pm
Forum: Beginner Basics
Topic: USB to Serial connection not workin
Replies: 2
Views: 1102

Re: USB to Serial connection not workin

You need a Null-Modem cable. They are the equivalent of a crossover cable for Serial.
http://www.amazon.com/Tripp-Lite-P450-0 ... 150&sr=1-1
by CCDKP
Wed Sep 14, 2011 4:27 pm
Forum: General
Topic: DHCP users - default speed
Replies: 4
Views: 672

Re: DHCP users - default speed

Optionally, look into some QoS rules. Set up a PCQ Queue that limits each user to your required speed, then have mangle mark everyone in the DHCP range for that Queue.
by CCDKP
Tue Sep 13, 2011 10:16 pm
Forum: RouterBOARD hardware
Topic: Question about failover
Replies: 6
Views: 904

Re: Question about failover

You can do this without netwatch or scripting by using some clever routes. There is an article about it on the Wiki:
http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
by CCDKP
Fri Sep 09, 2011 1:03 am
Forum: General
Topic: Using Mikrotik with Comcast Cable
Replies: 17
Views: 3788

Re: Using Mikrotik with Comcast Cable

Does Comcast use MAC filtering? I know our local cable provider does.

Perhaps try setting the MAC of the working router?
/interface ethernet set <Wan interface> mac-address=<MAC to Clone>
by CCDKP
Thu Sep 08, 2011 11:39 pm
Forum: General
Topic: PCQ and high (flooding) packet rate
Replies: 11
Views: 2874

Re: PCQ and high (flooding) packet rate

we're using v5.4 for now, and sometimes our PCQ queue shows erratic behaviour. that's my queue type:
add kind=pcq name=unlim-35-upload pcq-classifier=src-address \
pcq-rate=512k pcq-limit=256 pcq-total-limit=65536
I'll preface this by saying I'm far from a PCQ expert, but my initial thought would b...
by CCDKP
Thu Sep 08, 2011 5:40 pm
Forum: General
Topic: Forget MikroTik Password
Replies: 3
Views: 3585

Re: Forget MikroTik Password

If you have a backup file, there is always http://mikrotikpasswordrecovery.com/ , though I would HIGHLY suggest changing your password after using it (they seem like good guys, but you can never be too safe). I have used this in a pinch to recover a 532 password, but it's somewhat complicated, your ...
by CCDKP
Thu Sep 08, 2011 5:25 pm
Forum: General
Topic: ARP - Duplicate use of xxx.xxx.xxx.xxx detected!
Replies: 3
Views: 3187

Re: ARP - Duplicate use of xxx.xxx.xxx.xxx detected!

Do you have Proxy-ARP enabled on the VLAN interface?
by CCDKP
Wed Sep 07, 2011 8:40 pm
Forum: General
Topic: Hotspot security question
Replies: 6
Views: 802

Re: Hotspot security question

One of our roaming partners raised a concern regarding the security of our hotspot implementation based on the following articles. http://www.irongeek.com/i.php?page=security/ddwrt-csrf-example http://www.gnucitizen.org/blog/persistent-xss-and-csrf-on-wireless-g-adsl-gateway-with-speedbooster-wag54g...
by CCDKP
Wed Sep 07, 2011 8:17 pm
Forum: General
Topic: disaster need help please
Replies: 15
Views: 1790

Re: disaster need help please

I have struggled with this issue a LOT in a corporate setting. You will always have employees that will get around your filter. It is impossible to fully block it while keeping high usability. Your best bet is to work with Human Resources and ENFORCE disciplinary action for intentionally bypassing t...
by CCDKP
Wed Sep 07, 2011 7:01 pm
Forum: Beginner Basics
Topic: Whitelisting several IP's to all inbound connections
Replies: 2
Views: 4790

Re: Whitelisting several IP's to all inbound connections

You can also put source restrictions directly on the NAT rule:
/ip firewall address-list
add list=web-server-access address=2.2.2.0/24
add list=web-server-access address=3.3.3.0/24
/ip firewall filter
/ip firewall nat
add chain=dstnat dst-address=1.1.1.1 protocol=tcp dst-port=80 action=dst-nat to-ad...
by CCDKP
Wed Sep 07, 2011 6:50 pm
Forum: General
Topic: OpenDNS - Catch all DNS traffic
Replies: 11
Views: 13503

Re: OpenDNS - Catch all DNS traffic

You also want to add
/ip firewall nat add chain=dstnat in-interface=LAN protocol=tcp dst-port=53 action=redirect
While it is true that DNS primarily uses UDP, it switches over to TCP whenever the answer is over 512 bytes. With DNSSEC deployment starting, we are seeing more and more TCP DNS requests ...
by CCDKP
Wed Sep 07, 2011 4:42 pm
Forum: Scripting
Topic: Easy way to wipe out routes
Replies: 6
Views: 940

Re: Easy way to wipe out routes

You shouldn't even need to find, just use
/ip address set address=192.168.1.1/24 interface=ether8
by CCDKP
Tue Sep 06, 2011 4:44 pm
Forum: Scripting
Topic: Easy way to wipe out routes
Replies: 6
Views: 940

Re: Easy way to wipe out routes

 /ip route remove [find]
This will clear out all static routes.
by CCDKP
Tue Sep 06, 2011 4:25 pm
Forum: Beginner Basics
Topic: Ping speed and bandwidth test
Replies: 2
Views: 1364

Re: Ping speed and bandwidth test

Using a bandwidth or ping test to the internet also tests the internet connection, which is usually the weak link. If you want to properly test JUST the wireless link, you need either a routerboard or PC on both ends for the testing. You do not want to use the routerboard running the wireless cards ...
by CCDKP
Tue Sep 06, 2011 4:20 pm
Forum: Beginner Basics
Topic: L7 firewall
Replies: 2
Views: 2194

Re: L7 firewall

The L7 project moved to the Clear Foundation, so they have the latest version now. The latest protocol detection list is still dated 2009, though: http://download.clearfoundation.com/l7-filter/l7-protocols-2009-05-28.tar.gz A word of note, there is a bug with their bittorrent detection if you want ...
by CCDKP
Fri Sep 02, 2011 5:13 pm
Forum: General
Topic: need help with prioritizing traffic
Replies: 3
Views: 705

Re: need help with prioritizing traffic

Torrents pose 2 major problems when it comes to QoS. First, it is VERY hard to mark the encrypted UDP streams, since they are specifically designed to avoid detection and tracking. Your best bet there is to mark everything that isn't torrent traffic and just increase its priority. Secondly, the hea...
by CCDKP
Thu Sep 01, 2011 4:53 pm
Forum: RouterBOARD hardware
Topic: Which mmcx jack to use with only one antenna?
Replies: 3
Views: 1304

Re: Which mmcx jack to use with only one antenna?

I think this thread here pretty well covers them all: http://forum.mikrotik.com/viewtopic.php?f=3&t=38741 The general rule that gets me by, look at the silk screening, there is usually "J" or "ANT" followed by a number next to each antenna connector. Whichever is the lower of the two is the primary ...
by CCDKP
Thu Sep 01, 2011 4:36 pm
Forum: Beginner Basics
Topic: i want to block the facebook in my internal network
Replies: 43
Views: 20725

Re: i want to block the facebook in my internal network

Due to the nature of SSL, using Content=facebook isn't always going to capture facebook traffic and has a fairly high false-positive rate (in theory you could be dropping packets for any webpage that uses facebook connect, or the "like this on facebook" button). The only reliable method for blocking...
by CCDKP
Tue Aug 30, 2011 9:41 pm
Forum: General
Topic: Multiple WAN, cannot use second WAN from outside
Replies: 5
Views: 879

Re: Multiple WAN, cannot use second WAN from outside

Butch Evans has a blog entry that helped me fix this issue: http://blog.butchevans.com/2008/09/mikrotik-policy-routing-implementation-example/ Specifically the part about the routing rules. The long and short of it is: /ip route rule add dst-address=<LAN Network(s)> action=lookup table=main add dst-...
by CCDKP
Tue Aug 30, 2011 6:18 pm
Forum: General
Topic: simple port throttling
Replies: 6
Views: 1031

Re: simple port throttling

When I was learning PCQ and QoS, Janis's QoS talks from the MUM really helped a lot. Video: http://www.tiktube.com/index.php?video=JpcD3eCChqGnDlJFJEEsCvExClIoEKDH= Slides: http://mum.mikrotik.com/presentations/US09/megis_qos.pdf Something to be aware of that catches a lot of people, if you are perf...
by CCDKP
Tue Aug 30, 2011 4:46 pm
Forum: Wireless Networking
Topic: what wireless security
Replies: 2
Views: 525

Re: what wireless security

Also, WPA2 AES is the only encryption that can be used with 802.11n extensions. Keep in mind that WPA/WPA2 only apply to 802.11 wireless. If you use any of the proprietary protocols (like NV2), you need to use their built-in encryption. If you are using PPPoE for your clients, you can always enable...
by CCDKP
Fri Aug 26, 2011 4:37 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IP's to addr list on remote RouterOS
Replies: 13
Views: 9548

Re: Remote SSH commands

I see how to add an address to a list, but not how to remove an address from a list. I only see how to remove a whole list. Basic Idea would not be to use any timeout on mikrotik device (not really standard feature and really unlikely to be implemented) but to rely on fail2ban itself (which handle ...
by CCDKP
Thu Aug 25, 2011 7:31 pm
Forum: Scripting
Topic: [FAIL2BAN] add banned IP's to addr list on remote RouterOS
Replies: 13
Views: 9548

Re: Remote SSH commands

Another option would be to use a custom rule on the firewall to trigger an event and add it to the address list. Use something like Hping3 or scapy to send a custom packet through the router with options you should never see in real traffic (i.e., a bogon address, or an invalid ICMP type, obscure or i...
by CCDKP
Wed Aug 17, 2011 4:09 pm
Forum: Beginner Basics
Topic: Ip Config
Replies: 9
Views: 1419

Re: Ip Config

*.*.241.16/28 ( Public ips ) (Static ips) ether3
With a /28 network, .16 is the network address and not a valid IP. The valid range of IPs is .17-.30.
by CCDKP
Tue Aug 16, 2011 6:00 pm
Forum: Wireless Networking
Topic: Power/backup solutions discussed
Replies: 20
Views: 2127

Re: Power/backup solutions discussed

My more concern is ...is it safe to connect the Routerboard directly to battery leads. Just make sure whatever you end up choosing, you have some sort of fuse/circuit breaker in-line near the batteries. Most Gel/AGM batteries can push out 20-30A or more when shorted, which can lead to exploding bat...
by CCDKP
Tue Aug 16, 2011 4:10 pm
Forum: Beginner Basics
Topic: Block hackers from using my SMTP mail-server
Replies: 4
Views: 1112

Re: Block hackers from using my SMTP mail-server

Depending on the setup, a lot of times this is something that should be handled at the SMTP level instead of or in addition to at the router. Most likely you are configured as an open relay. If this is not your desired behavior, there are lots of sites that can help, one of which is SpamHelp: http:/...
by CCDKP
Wed Jul 13, 2011 5:25 pm
Forum: RouterBOARD hardware
Topic: Forgot my password on RB crossroads
Replies: 5
Views: 1095

Re: Forgot my password on RB crossroads

You need to hold the reset button in while you plug the power in, then probably for a good 30 seconds while it boots. This will remove the configuration in the process. If you have a valid backup file, there is an unofficial and unsupported tool which can usually extract the password from the .backu...
by CCDKP
Wed Jul 13, 2011 4:38 pm
Forum: RouterBOARD hardware
Topic: how to disable connection tracking in linux
Replies: 4
Views: 1396

Re: how to disable connection tracking in linux

I want to use L7 filter without using connection tracking L7 filter requires connection tracking. From: http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Connection_tracking Features affected by connection tracking NAT firewall: connection-bytes connection-mark connection-type connection-state connecti...
by CCDKP
Wed Jul 13, 2011 4:27 pm
Forum: RouterBOARD hardware
Topic: RB750G vs RB750GL, why is the cpu clocked down?
Replies: 13
Views: 11022

Re: RB750G vs RB750GL, why is the cpu clocked down?

It also creates better separation between the 750G and the 450G lines.

400MHz is still a lot of power in one of these devices. If you really need something stronger, bumping up to a 450G isn't a far stretch.
by CCDKP
Tue Jul 12, 2011 7:30 pm
Forum: Wireless Networking
Topic: help / suggestion needed....
Replies: 2
Views: 515

Re: help / suggestion needed....

As much as I love Mikrotik for routers and Point-to-point links, for generic wifi distribution like you are looking for, look into Ubiquiti UniFi. They are a nice managed AP designed for blanketing an indoor area. Depending on how the network layout is, I typically use a RB450G as well to segregate ...
by CCDKP
Tue Jul 12, 2011 4:37 pm
Forum: Wireless Networking
Topic: SXT chain problem
Replies: 16
Views: 3888

Re: SXT chain problem

I originally had similar problems when I first got my SXT's. (see thread here: http://forum.mikrotik.com/viewtopic.php?f=7&t=51486 ) The fix ended up being an upgrade to 5.4 firmware. Even though there wasn't anything in the changelog relating to it, after the upgrade it started working great and wa...
by CCDKP
Fri Jul 08, 2011 5:10 pm
Forum: Beginner Basics
Topic: Claimed Infringement
Replies: 6
Views: 1343

Re: Claimed Infringement

BitTorrent is a tough one to track and block due to the advanced encryption it is starting to use. The built-in BitTorrent filter doesn't do a real great job of blocking it. Here is an enhanced L7 filter: /ip firewall layer7-protocol add comment="" name=bittorrent regexp="^(\\x13bittorrent protocol|...
by CCDKP
Thu Jul 07, 2011 12:35 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Yes... thanks for that one :) And for queue tree for P2P catch I used this because I could not manage this to work otherwise... So, it's working on me... don't ask how and why :D I've stripped everything but P2P. If you guys find some other less stupid way THAT WORK to capture this, please let me kn...
by CCDKP
Wed Jul 06, 2011 11:52 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Hi guys... I'm back :) CCDKP, I replaced that rule and so far it's possibly brought some change. At least, less false positive hits and I've seen much less hits on ports 6881-6999 so I guess you are on the right track but I tested it for a short period of time. However, it looks like a correct change...
by CCDKP
Wed Jul 06, 2011 4:22 pm
Forum: Beginner Basics
Topic: Poor wireless performance
Replies: 5
Views: 863

Re: Poor wireless performance

How do you have the SXT mounted? What polarity is the antenna on the Groove?

Remember that Chain 0 on the SXT is horizontal polarity, not vertical.
by CCDKP
Tue Jul 05, 2011 9:37 pm
Forum: General
Topic: Multiple firewall graphs
Replies: 2
Views: 506

Re: Multiple firewall graphs

The images are always in a static location. Just make an HTML file that references them directly, you just need to fill in the IP addresses and the names of the interfaces you want to work with. If you are in Chrome or Firefox, you can always right click on an image and select "Copy Image URL" Here ...
by CCDKP
Tue Jul 05, 2011 5:14 pm
Forum: Wireless Networking
Topic: PTP SXT 5HnD or Powerstation 5?
Replies: 7
Views: 1401

Re: PTP SXT 5HnD or Powerstation 5?

I don't think using a dish will grant me any help since the SXT will be mounted on a tower very high on the tip. The point of the dish is to narrow the beam width, which in turn should increase your signal (and distance). The July Mikrotik newsletter has a very nice reflector designed for the SXT i...
by CCDKP
Tue Jul 05, 2011 5:04 pm
Forum: Wireless Networking
Topic: p2p is killing my head
Replies: 4
Views: 749

Re: p2p is killing my head

One of the big issues with torrents and firewalls isn't always the bandwidth, but the number of connections. Also, most connections are UDP, and they don't back off when packets get dropped like TCP does. Is the 411AH performing NAT, or connection tracking at all? If you have graphing enabled, check...
by CCDKP
Tue Jul 05, 2011 4:45 pm
Forum: Beginner Basics
Topic: Can't SSH to Linux box after installing mikrotik 750g
Replies: 5
Views: 1686

Re: Can't SSH to Linux box after installing mikrotik 750g

I think CBrown is correct. It appears that your Dst-nat rule isn't quite correct. Mikrotik firewall rules are based around iptables, which can take a little bit to get used to. When looking at the winbox interface for a rule, the first three tabs (General, Advanced, Extra) are all dedicated to sele...
by CCDKP
Tue Jun 28, 2011 4:53 pm
Forum: General
Topic: QoS nat limiting with pcq and QT
Replies: 10
Views: 5671

Re: QoS nat limiting with pcq and QT

I take vacation for a week and this is what I miss!

It looks like you pretty much have it by now, but for the sake of adding another example, I did PCQ with NAT on my P2P blocking script:
http://forum.mikrotik.com/viewtopic.php ... 83#p249583
by CCDKP
Thu Jun 23, 2011 5:33 am
Forum: Beginner Basics
Topic: VoIP QoS queueing
Replies: 2
Views: 1379

Re: VoIP QoS queueing

You must set a max-limit on the connection. Without it, the QoS does not know when it is time to intervene and start queueing packets appropriately. I would suggest setting "outgoing" to 95%-100% of your total upload bandwidth, then setting "Not VoIP" to 90%-95% of your total. This gives the VoIP tr...
by CCDKP
Fri Jun 17, 2011 4:58 pm
Forum: Wireless Networking
Topic: Mikrotik SXT 5HnD throughput problem
Replies: 5
Views: 5682

Re: Mikrotik SXT 5HnD throughput problem

The SXT, working with both extension channels (40MHz) and two chains on different polarities can be a little much to jump right into. If you haven't seen it already, I would suggest checking out the tutorial on setting up SXT's for a point to point link: http://www.wispforum.net/entry.php?5-How-to-C...
by CCDKP
Fri Jun 17, 2011 6:35 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

So after checking into some user complaints, I discovered Yahoo.com has a very high false positive rate on the bittorrent_announce filter. Any site with the words both "get" and "announce" in the source will trigger. Has anyone found a good way to refine this filter to more bittorrent-specific detec...
by CCDKP
Wed Jun 15, 2011 7:15 am
Forum: General
Topic: QUEUES while using NAT?
Replies: 4
Views: 1743

Re: QUEUES while using NAT?

It's the other way around. If you have simple queues and queue trees attached to globals the simple queues get ignored and the queue trees take. I know the documentation says different. That does explain some results I have seen, but I wasn't about to go against the mighty word of Janis on just my ...
by CCDKP
Tue Jun 14, 2011 6:45 pm
Forum: General
Topic: Queue Trees not counting traffic...
Replies: 4
Views: 833

Re: Queue Trees not counting traffic...

My initial guess is that you don't have passthrough disabled on your packet marking rules. Have you seen the video that the Megis slides are from? http://www.tiktube.com/index.php?video=JpcD3eCChqGnDlJFJEEsCvExClIoEKDH= I found there were a few things in the talk that get lost in just reading the sl...
by CCDKP
Tue Jun 14, 2011 6:35 pm
Forum: General
Topic: QUEUES while using NAT?
Replies: 4
Views: 1743

Re: QUEUES while using NAT?

2nd problem: With no other queues I followed the documentation in creating a PCQ queue using queue tree. The download works as expected, allowing each user of the queue a set amount of bandwidth (dynamically creating queues for each user). The upload does NOT work as expected. It allows ALL users t...
by CCDKP
Tue Jun 14, 2011 6:17 pm
Forum: General
Topic: Enforcing queue traffic limits on port forwards
Replies: 13
Views: 1879

Re: Enforcing queue traffic limits on port forwards

Limit-at and max-limit don't seem to aid me in throttling any single connection below an artificial ceiling. The solution involves completely reorganizing our IP layout, at which point we can replace our dumb relays with MikroTiks in Stationboxes and do things properly. Thanks to everyone who helpe...
by CCDKP
Tue Jun 14, 2011 4:52 pm
Forum: General
Topic: Help Pleassssseeee Torrents P2p Bandwidth
Replies: 3
Views: 849

Re: Help Pleassssseeee Torrents P2p Bandwidth

Bittorrent traffic is not detected by the p2p filter.

There is a GREAT deal of information regarding detection and blocking of bittorrent traffic in this thread:
http://forum.mikrotik.com/viewtopic.php?f=2&t=21178
by CCDKP
Thu Jun 09, 2011 9:32 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Dear Guys! I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success. I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit. Could you check...
by CCDKP
Tue Jun 07, 2011 8:12 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Dear Guys! I have just tried to configure mikrotik transparent traffic shaping for limit P2P traffic but without success. I have used TKITFrank configuration to mark P2P traffic then I have created queue tree for limit bandwidth but P2P traffic goes through router without any limit. Could you check...
by CCDKP
Tue Jun 07, 2011 5:50 pm
Forum: Wireless Networking
Topic: SXT NV2 Extension Channel Problems
Replies: 3
Views: 2722

Re: SXT NV2 Extension Channel Problems

It looks like upgrading the radios to 5.4 seems to have fixed my issues. I am easily holding 100Mbit full duplex now, with NV2, both chains enabled, and extension channels turned on.

--@CC_DKP
by CCDKP
Tue Jun 07, 2011 5:48 pm
Forum: General
Topic: Nv2 medium-access timeout problem
Replies: 12
Views: 4034

Re: Nv2 medium-access timeout problem

Extension channel adds another XXmhz channel above or below the current channel. If you're turning it on and having issues, make sure that XXmhz channel above or below your current channel is free and not used. You could be turning it on and getting interference from another link. In my case, both ...
by CCDKP
Wed May 25, 2011 5:42 pm
Forum: General
Topic: Queue size
Replies: 1
Views: 1996

Re: Queue size

The short answer: a lot of latency and congestion. The explanation: Intuitively, we would think that a bigger buffer is always better. Packet loss is the enemy, so the more data we can queue up, instead of dropping, the better, right? Unfortunately not. Large queue lengths have a very adverse effect...
by CCDKP
Tue May 24, 2011 5:53 pm
Forum: General
Topic: NV2 on AP decrease CCQ and TX/RX Rate
Replies: 3
Views: 1626

Re: NV2 on AP decrease CCQ and TX/RX Rate

Did you try pushing any traffic over the link? In my tests, the value shown for CCQ and speed on a newly-established link isn't accurate. Once I start moving data across the link (btest, FTP, etc), the CCQ and TX/RX rate jump up to the expected values.
by CCDKP
Tue May 24, 2011 5:47 pm
Forum: General
Topic: Nv2 medium-access timeout problem
Replies: 12
Views: 4034

Re: Nv2 medium-access timeout problem

Are you using an extension channel? I have a similar issue with a pair of SXTs I am trying to resolve, and for me the issue seems to be tied to both chains in TX/RX and an extension channel enabled. If I disable extension or disable TX or RX on one of the chains, the stability clears up.
by CCDKP
Tue May 24, 2011 5:37 pm
Forum: Wireless Networking
Topic: HT question
Replies: 1
Views: 509

Re: HT question

It is my understanding that NV2 currently requires 800ms guard intervals (long), so you cannot achieve the fabled 300 Mbit while using it.
by CCDKP
Fri May 13, 2011 9:55 pm
Forum: RouterBOARD hardware
Topic: 433AH stop working (4 leds open)
Replies: 4
Views: 1494

Re: 433AH stop working (4 leds open)

If you have the serial hooked up, then power up the device, do you see any of the boot-up sequence?

Also, are you powering it via PoE or plug? Try switching to the other one and see if that helps.
by CCDKP
Fri May 13, 2011 9:52 pm
Forum: General
Topic: DSCP QOS with HTB and PCQ?
Replies: 2
Views: 1601

Re: DSCP QOS with HTB and PCQ?

The unofficial de-facto standard for learning QoS is Janis Megis's MUM talks. Here are the video and slides. The basic theory he covers is to apply a first pass of marking and prioritization using mangle pre-routing and global-in, then apply a second round of PCQ bandwidth shaping using Mangle Forw...
by CCDKP
Fri May 13, 2011 9:20 pm
Forum: Beginner Basics
Topic: Point-to-point link security
Replies: 4
Views: 1155

Re: Point-to-point link security

I just recently had to go through and update a bunch of legacy devices (532's) from 2.9.4 to current. I had to upgrade via netinstall. I brought them up to 3.30 via netinstall, updated the license via winbox, then I was able to FTP upgrade to 4.17, update the license again, and finally update to 5.2...
by CCDKP
Tue May 10, 2011 4:39 pm
Forum: Wireless Networking
Topic: SXT NV2 Extension Channel Problems
Replies: 3
Views: 2722

Re: SXT NV2 Extension Channel Problems

[Hunch] Try This: Enable Extension channel on both devices, Then disable chain 1 TX/RX on both devices. Test. Then Enable Chain 1 TX/RX on both devices, and DISABLE Chain 0 TX ONLY on both devices. Test. [/Hunch] -Brad This weekend I was finally able to get out and run some tests at 350m. The added...
by CCDKP
Thu May 05, 2011 11:31 pm
Forum: Wireless Networking
Topic: SXT NV2 Extension Channel Problems
Replies: 3
Views: 2722

SXT NV2 Extension Channel Problems

I recently picked up a pair of SXTs to try out. This is my first venture into non-802.11 wireless, and I'm still pretty new to 802.11n in general, so please bear with me. I originally started with the tutorial from wispforum.com ( http://www.wispforum.net/entry.php?5-How-to-Connect-two-Mikrotik-SXT...
by CCDKP
Thu Mar 24, 2011 3:48 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

We are missing code that blocks new udp announcer from working. We can't be slaves to DNS "definitions". The problem is that DHT/uTP is an encrypted channel specifically designed to avoid filters and detection by ISPs. Attacking DNS is currently the only weak point we have been able to identify in...
by CCDKP
Wed Mar 23, 2011 11:23 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Just an update for everyone, I was playing with filters and found a slightly more efficient DNS capturing code. These 3 lines will redirect all DNS traffic to the router, effectively capturing all DNS, no matter what IP it is destined for. /ip firewall nat add action=redirect chain=dstnat comment="C...
by CCDKP
Fri Feb 18, 2011 6:04 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Also, that DNS list is quite outdated. There are also 1337.org, pow7.com, torrentz.com, istole.it and some others. Just look at a common tracker list in a torrent from piratebay for example. I believe you are missing the intention of the DNS blocking. The entries TKITFrank and I have listed are no...
by CCDKP
Thu Feb 17, 2011 12:34 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Hmmm... let's see if I'm getting this right. On my network there are 4 DNS entries used. 2 internal most commonly used and other two are openDNS. Will this affect those users? Enabling the DNS redirection would prevent customers from directly using OpenDNS. If you just wanted the basic OpenDNS spyw...
by CCDKP
Mon Feb 14, 2011 7:26 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Can you use a p2p block on a QoS stage and get traffic dropped by PCQ setting on let's say source port classification? So let's say, everything that uses more than 10 connections per source port in a current queue? So, will it work that way? The QoS stage can not "drop" traffic directly, it can...
by CCDKP
Fri Feb 11, 2011 7:31 pm
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

Hi, I think you are on to something here :) Please let us know how this is working. I would however skip the static ports for torrents and go with the all-p2p and the L7 filter to add them in an address list. To me static ports are too unreliable. The 450G is pretty fast and you can run it @800Mhz? Ha...
by CCDKP
Sat Jan 29, 2011 1:04 am
Forum: General
Topic: how block connection of p2p?
Replies: 291
Views: 154201

Re: how block connection of p2p?

I am currently working on implementing a P2P throttling implementation for a school's open Wifi. Reading mves's posts got me thinking and I wanted to bounce the idea off some people while I am getting it working. I am starting with a blacklist similar to what mves suggested. If I detect p2p traffic,...