MikroTik

joshaven

I'm running CHR on Citrix XenServer but it crashes when live migrating to another machine. Is there an alternative solution to XenServer Tools that can allow the guest to move between hosts without locking up? Does this work with other virtualization solutions?

joshaven

CloudFlare has been working out very well and I am glad to have implemented it. My lists are now much closer to the end users due to the CDN. When testing from locations around the US and internationally it has been at least doubling the speed of accessing my lists and the caching has been very effe...

joshaven

i'm using spamhaus, shield, openbl, malc0de, emerging threats and 8 honeypots in 8 different datacenter around the US. Also, the 200+ Mikrotik routers i manage report back what is hitting them. Are you interested in working together on this? I've been itching to expand my sources for a while now an...

joshaven

You should contact another user here - IntrusDave who is also doing a similar thing. Perhaps you can pool your resources and have an even larger detection surface. I think we are already pooling our resources without knowing it. Upon a spot-checking of his list, it looks like he is using Spamhaus a...

joshaven

I've looked into it for my service and it's just not a path that I want to go down. DNS can not deliver subnets, and breaking out a single class A into separate IP's would make the overall bandwidth skyrocket. The interesting thing about the DNS solution is that the router can be instructed from a ...

joshaven

You can write the zone to a textfile on the server after you have retrieved it and then send a reload command to Bind to activate this zone. I do it by simply taking a fixed header, then catting the list of addresses via a sed command that transforms the addresses in <tab>IN<tab>A<tab>ipaddress lin...

joshaven

For the single-address blacklist openbl, you could consider setting up a DNS name like openbl.joshaven.com with the A records for that list. Then a user of 6.36 or higher can just create an address list item with that domain name to receive the uptodate version of the list without any scripting and...

joshaven

For the single-address blacklist openbl, you could consider setting up a DNS name like openbl.joshaven.com with the A records for that list. Then a user of 6.36 or higher can just create an address list item with that domain name to receive the uptodate version of the list without any scripting and...

joshaven

For years I have provided a dynamic blacklist as a free service for MikroTik users who would like to subscribe to well maintained blacklists. Due to its popularity (over 6000 daily requests) I have recently upgraded my server environment to increase availability & reduce latency for users anywhe...

joshaven

Thanks a million... that was the info I needed.

For others: My resolution was to disable wireless-fp and enable wireless-cm2 under /system packages. After a reboot my interface was back. Seems that the wireless-fp package and the 5g interface are not yet friends at least not with 6.34.

joshaven

Anyone else having issues with the 5G wireless card disappearing after a netinstall on hAP ac lite?

Also, and probably more important... anyone know how to get the interface back?

joshaven

Are there plans for MikroTik to support proximity services for Wi-Fi devices?

http://www.wi-fi.org/discover-wi-fi/wi-fi-aware

joshaven

I'm not sure exactly what you are wanting to accomplish. Hit me off list at support@joshaven.com so we can discuss your need a little better.

FYI, I published not only the lists but the code I use to generate them so maybe you just need to look a the script I am running?

joshaven

kryptonite, what is stopping the request from coming in on WAN1 and leaving on WAN2? It may be not be port forwarding that is the problem. dst-nat aka port forwarding is a rewriting of the destination of the packet header. All it does is say what was once destined for the router ip is now destined f...

joshaven

Honestly, I haven't revisited the problem. I should be looking into this again soon. I see that MikroTik made changes relating to bridges and VLANSs with a recent software change so here is to hoping it was a bug that has been resolved. :D What's new in 6.32 (2015-Aug-31 14:47): ... *) bridge firewa...

joshaven

I have a switch that is tagging traffic from an AP to VLAN 23 through ether1 (trunk port) to my MikroTik. When I create a VLAN 23 on ether3 (e3v23) and install the gateway IP on the e3v23 interface everything is peachy-keen. I can then create a bridge (br-v23) and add the e3v23 interface to the brid...

joshaven

I have updated my packages for the convince of any Mac users out there. Winbox 3.0rc1 for Mac is freely available here (packaged with wine): http://joshaven.com/resources/tools/winbox-for-mac/ Thank you very much for including the nice little checkbox that allows the launcher to remain open when lau...

joshaven

Just setting the wireless protocol to nv2 is enough. You can also use the nv2 pass phrase key if you want encryption.

joshaven

The NV2 protocol doesn't cause trouble. The trouble is that the use of another radio in the same frequency space will be noise to the other radios. Choosing NV2 or 802.11 or any other protocol will give you the same interference.

joshaven

I believe these features are part of the wireless-fp so you can find the docs under the CAPsMAN page... http://wiki.mikrotik.com/wiki/Manual:CAPsMAN For your convenience I grabbed some interesting info for you from the page: "vlan-id -- VLAN ID to assign to interface if vlan-mode enables use of...

joshaven

This is a bug, not a feature. I can understand making a feature request but I don't think this is a bug. As far as I know RouterOS is functioning as designed. The router is choosing the outbound IP based on the route table because the packet is originating with the router and being sent to the dest...

joshaven

have not seen a solution for this. Pretty annoying. I believe janisk answered this... Mark the packets and return via the same interface. Other then that, I think you would have rewrite the reply but NAT would only address IPv4 traffic... Maybe there isn't another answer for this because there isn'...

joshaven

I am assuming that your talking about outdoor wireless. Running 802.11 in a outdoor fixed wireless environment is very problematic. (One of the main reasons is the hidden node issue: http://bit.ly/1zX8Uzi ). To get around this very problematic issue you would need to run a prosperity protocol like N...

joshaven

It is just one possible solution to an experimental network that I'm looking at.

joshaven

I am interested in knowing how the Virtual AP scales. For instance would an RB2011 run any differently with 4000 hidden SSID's then it does with 2 hidden SSID's? My question is not specifically about the number of SSID's but rather about how RouterOS scales with Virtual AP's. Secondarily, if anyone ...

joshaven

The PPC chip is much better then the MIPSBE so the step from RB2011 to 1100AHx2 is an extreme one. I would only use an RB2011 for a startup tower of 10 or so clients. The 1100 could handel 100 easily.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

At first glance they look fine to me too

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

I would expect you could use simple queue and a pcc queue type to limit the speed.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

I would suspect that the difference will be noticed in the wireless connections. What are your modulation and CCQ on the connections?

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

DLNoah is right. I think it is also helpful to note that the source address is determined by the route that is matched to send the packet out of the router. Again, you can specify the source address of the radius request in your radius settings that also what I did. Joshaven Potter http://joshaven.c...

joshaven

For simple queues... I use radius with the Mikrotik-Rate-Limit param which is handed out by freeradius. I am also pulling the user info from our billing system.

Usage info here: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
Look for: Mikrotik-Rate-Limit

joshaven

For VoIP (we run our own VoIP server) I match any traffic coming or going to our VoIP IP range. I split this traffic into VoIP management and VoIP traffic. I also match any network management traffic and UDP or TCP bandwidth tests and any traffic with an existing DSCP bit. I then use the tree queue ...

joshaven

I don't have much experience with the CCR but I expect that it will work very well for you. The PPC chip is much better then the MIPSBE so don't underestimate the 1100AHx2 based upon seeing a performance wall with the 2011. Even if the 1100 wasn't dual core and wasn't much faster per core just the c...

joshaven

You don't need multicast for pppoe. I suspect that the wireless is dropping and the tunnel is dropping with it. Try a longer keep alive timeout which may give the wireless a chance to reconnect before dropping the pppoe tunnel. You may have better luck with WDS on the wireless so it is truly bridgin...

joshaven

The router I pictured was a local router so that router only passes a bit over 40Mbps (7 day chart attached). I have an RB1100AHx2 right next to it that does distribution traffic peaking up to 300Mbps but that router isn't doing PPPoE or Simple Queues. It is however using the Queue Tree for QoS for ...

joshaven

Your matching more then you need to with (dst-address-type=local) and not matching the original destination address... Try: /ip firewall nat add chain=dstnat protocol=tcp dst-port=3389 dst-address=10.10.10.1 action=dst-nat to-addresses=192.168.0.10 comment="Forward RDP from 10.10.10.1 to 192.16...

joshaven

First I would question what is updating the no-ip.com dynamic dns service. I would suppose that it is your PC... if this is the case then the reason that the PC fixes things is actually because it is updating no-ip.com. The solution in this case would be to get something that is always on to do the ...

joshaven

I'm not sure if this will be helpful but at a first look of your config the thing that stands out is the master and slave naming of you interfaces... Are you using a combination of the switch chip along with bridging? If you are try removing the switch config and use only bridging. You shouldn't nee...

joshaven

For short distance CPE's you should use SXT's either the 5GHz or 2.4GHz depending on the frequency you need. For longer distance you will need something with the proper gain. If your doing outdoor wireless you really need something that is using a protocol that is designed to deal with some of the c...

joshaven

I've had hundreds of users using simple queues on an RB1100AHx2 on both RouterOS 5.x & 6.x without any trouble. Unless your pushing the limits of your hardware then do what ever works best for you and don't worry about what is the best performance wise because you'll be spending your time splitt...

joshaven

Use mangle rules to add routing marks to the packets that you want to go over each upline connection. Then have. Default route with the appropriate routing mark point to each uplink. I recommend using PCC to add routing marks by connection so that you don't end up sending traffic from one connection...

joshaven

Use the dstnat chain and the dst-nat action

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

You need to setup the same things that are in the. Default config. Then change the IP address DHCP network & ip pool. Check your ip firewall NAT rule and ensure it is matching your interface and not the 192.168.88.0/24 network. Joshaven Potter http://joshaven.com Sent from my iPhone using Tapatalk

joshaven

i need 4 wan folover

You should use PCC load balancing... here is a great writeup that should help:
http://mum.mikrotik.com/presentations/US12/steve.pdf

joshaven

SXT or QRT are both 2.4GHz integrated antenna products. http://routerboard.com/RBSXT2nDr2 http://routerboard.com/RBQRTG-2SHPnD You can also use a third party enclosure like: http://www.rfelements.com/en/products/enclosures/stationbox-mikro/ http://www.itelite.net/en/Katalog/24-GHz-80211-bg//MRA24012...

joshaven

Joshaven I need your advice here is my topology Site1 (all cables going in) 1 cable -> site1 -> (50m FTP awg 24) -> NSM2 (24v max:0.5a) -> ( 30m FTP awg 24) -> NSM2 (24v max:0.5a) 2 cable -> site1 -> (45m FTP awg 24) -> NSM2 (24v max:0.5a) -> ( 32m FTP awg 24) -> NSM2 (24v max:0.5a) 3 cable -> site...

joshaven

What I did was to power the line with 48 AC and use adapter on each device. the adapter is something like input:48AC to 24DC 0.5A I believe it is ok? Is it ? That will be fine as long as you sizing the wire properly. Please reference this calculator: http://www.nooutage.com/vdrop.htm At 48v I would...

joshaven

If you want to use your isp dns be sure that use-peer-dns is checked or add it manually use-peer-dns=yes in the same way as the default-route option. If you want your own/google dns then set them on the dhcp server if you have one or from webinf ip-dns/manually /ip dns set allow-remote-requests=yes...

joshaven

The issue is that you setup the PPPoE on the wireless interface then plugged the internet connection into a wired interface. Edit the PPPoE Client and change the interface to match the interface that the broadband provider is plugged into. The script you used must have been for having the PPPoE over...

joshaven

I ran some calculations (see attached) they are a little over simplified because the calculations I am using are the sum of all of the distances of the wire listed in the post... This means I am budgeting the power loss as if all of the draw was at the furthest point which is not the case. I am pret...

joshaven

Another option would be to run carrier wires along with the Ethernet cable that carried the power with larger connectors. You can get multi-amp 27v power supplies pretty easily. Then use a mikrotik Poe splitter to inject the power close to the radio.

joshaven

It sounds like your going to need a little more help then you'll generally get from the user forum. Let me know if you would like some detailed help. You can get my contact info from my website.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

Can you use iBGP to pass just the desired routes to the next router then redistribute into OSPF without an OSPF filter?

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

You can get a multi-port passive PoE injector. Search the Internet for something like: WS-POE-8-ENC

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

I would suspect a config issue. Have you tried netinstalling the newest OS to be sure you have a clean slate then applying your config not from a binary backup?

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

Nice work, thanks for sharing.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

It also seems odd that your only showing two modulations do you have most of the others disabled? I would go back to the default modulations if you have them customized.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

The rx CCQ being so low means that much of the information your radio is receiving is not usable. I would suspect an antenna issue or some reflection issues. Do you have something large near by that the signal could be reflecting off of? I don't think its interference because your signal to noise le...

joshaven

PCC load balancing is described on the wiki:
http://wiki.mikrotik.com/wiki/Manual:PCC

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

You must increase you max UDP packet size. I recommend 4096. You will have truncated answers with 512. Also you will end up with DNS amplification attacks against your router if you have an open DNS. Either block UDP 53 from wan or limit it. Connections are unidirectional so you don't need to match ...

joshaven

I would get a dual core router that is PPC, tile, or x86. Get the best hardware that you have a budget for.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

In case you haven't read them yet, MikroTik publishes test content outlines: http://www.mikrotik.com/training/

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

A vlan would give you layer 2 seporation but it wouldn't help you sort traffic between upline providers. The bottom like is that you need a default route with a routing mark then you need to add a routing mark to all traffic that you want to use that route through a mangle rule. You could choose the...

joshaven

I have had great luck running the dude 4 beta on windows server 2003 and Windows XP. I would expect it to run well on 7 as well. I almost always run the dude on virtual servers either vmware esxi in a production environment or when just using my computer it's on parallels because I'm a Mac user. I h...

joshaven

Yes if you setup rx and tx on both chains you could attach each chain to its own antenna and point them in different directions. For example an omni for the hotspot and a directional outdoor antenna for a client. All connections would come into the same WLAN network card so you may want to setup byp...

joshaven

It sounds to me like you have some form of config bug going on. I would either reset to factory settings and reconfigure it or do a netinstall and reconfigure it. I would not use a binary backup but you could shortcut the reconfiguration by using: /export file=backupFromExport The netinstall is bett...

joshaven

You should specify a source address of your public ip or an in interface because your dear-NAT rule would match more traffic then you would expect.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

If your using encryption then make sure your not using WPA with tkip. UBNT has issues with tkip which could be the cause. If this is the case then simply changing to WPA AES should solve your issue.

Joshaven Potter
http://joshaven.com
Sent from my iPhone using Tapatalk

joshaven

Another approach that you may want to consider is PCC load balancing. This would match each connection with a different WAN rather then breaking it up by internal subnets. You can probably achieve a more even distribution of traffic this way. This is however assuming you don't need to associate spec...

joshaven

What are the EIRP limits for pmp links on each frequency band?

joshaven

If I use a dual chain MIMO AP. Then simply disable the chain0 on half CPEs and chain1 on other half CPEs, will I be able to reach 80-100 CPEs per AP? CPEs will be SXT lite5. AP will be RB912. The AP only talks to one client at a time so disabling a chain will only slow down the communications which...

joshaven

I have three lines, second-and third-line did a pcc, do pcc always remaining after the relevant part of the default route line to go up, not even made a packet to flow straight down the plant, we should get these flows where to go. I don't understand what your trying to communicate. Pasting a con...

joshaven

I would suppose that is traffic that is not part of the connection but rather "related" traffic. Difficult to understand. Per the documentation, the connection states are: established - a packet which belongs to an existing connection invalid - a packet which could not be identified for s...

joshaven

If you don't trust my server as a source then you can run the script on your own server. I provided the info for that already.

joshaven

Why do that outside RouterOS? The Scripting has more power to do that better!!! Reasons to not do it with RouterOS: 1) To not overload the sources with thousands of request for thousands of routers that may be requesting the files. 2) Because I have yet to see an example of parsing the source text ...

joshaven

You could do this all in perl. Run it on the web server and let the routerboard hit the script and download the file. I may have some time if anyone would be interested. Sent from my SCH-I545 using Tapatalk This could be easily done on demand but one of the reasons I am using a script run with cron...

joshaven

So do you scheduled this EXE to run on a regular basis and put the text files on a web accessible server to download into your routers on a regular basis? One of the main reasons I wrote the scripts that I did was to have my address lists self maintaining.

joshaven

It is normal to get packet loss with UDP bandwidth on Rx tests because of the way the test works. The remote end is getting packet loss on the Tx testing but it is not being reported to you with the tool... I would wager that testing from the remote end will show you the same results. If your having...

joshaven

Your going to be a lot better of with NV2 then 802.11. It will help fix some rate flapping issues that your bound to see with 802.11 (rate flapping meaning the modulation changing up and down which will cause high veneration in latency and decrease your CCQ). Also your signal levels are not great bu...

joshaven

Yes the MikroTik is a very good solution for broadband internet. You can even connect both your leased line and your broadband connection the mikrotik at the same time and split the traffic however you want to. The MikroTik is extremely flexible however it is also very easy to configure incorrectly....

joshaven

This is a nice solution.
How are you parsing the source text files into RouterOS add statements?
You posted additions (without a script) then you posted script statements that will remove in a loop.

joshaven

The graphs say it all, 29 clients of which 10 clients are on 1500K, the question I would ask is how long before they have to be moved to higher bandwidth package for no extra turnover? I have seen AP bandwidth increase just because customers demand a minimum speed at peak usage hours and then as th...

joshaven

Attached is a listing of a tower showing the bandwidth speeds provisioned and a three day usage graph covering these customers... Make your own judgements about bandwidth overselling. As you can see 131Mbps has been provisioned on this tower... if the 12x multiplier is correct then we would need to ...

joshaven

In case anyone is interested in scheduling updated blacklists based on maintained lists I have a writeup written a detailed howto: http://joshaven.com/resources/tricks/mikrotik-automatically-updated-address-list/ It consists of a script to download, remove the old entries & add the new ones for ...

joshaven

I generally add VLANs to interfaces then add the vlan interfaces to bridges. For instance I would create a bridge called VLAN5 then create a VLAN interface called e6v5 which would be ether6 vlan 5.... then add e6v5 to the VLAN5 bridge... I would continue this process until I have all of the VLANs pr...

joshaven

I would guess that your issue is with routing. Check the route tables on the computers to be sure that they are routing the traffic through the VPN.

Sent from my iPhone using Tapatalk

joshaven

Radio Mobile will give you propagation maps showing how far your signal will reach in your environment with your settings. You will need 30db of signal above your noise floor for full modulation you will also need to know your radios sensitivity.

Sent from my iPhone using Tapatalk

joshaven

I would say it is likely that your DNS has been being used in DNS amplification attacks. See this link for more info: https://www.us-cert.gov/ncas/alerts/TA13-088A

Sent from my iPhone using Tapatalk

joshaven

The max CPU temperature should be listed on the product page however it's probably 60C like most of the mikrotik equipment.

joshaven

You can get your answers from some freeware software called Radio Mobile. The learning curve is a bit steep so let me know if you would like me to get you some propagation maps. It is possible to use an SXT at 10km but I suspect that you would be better off with an external high gain antenna at this...

joshaven

You are not providing enough information. QOS isn't something you just turn on and if it is on some devise then it is probably just prioritizing based upon Class of service. Any traffic that is outside of your network probably has had the DSCP bits changed because it is common practice to distrust a...

joshaven

I would suppose that is traffic that is not part of the connection but rather "related" traffic.

joshaven

This can be done with a layer 7 match. However you may want to use virtual hosts or a reverse proxy like haproxy.

joshaven

This config sounds very confusing. Is your goal to bridge all of the vlans together?

joshaven

This post doesn't make since. I am guessing its a translation issue please ask the question again.

joshaven

One major caution I have for you is that your talking about customer installs. Customers will not know enough about the interface to login and get signal levels nor will they know that a -50 is a better receive signal then -80. The problem is that you'll end up with lower signal levels then if you h...

joshaven

Sorry but I'm out of ideas here without looking at it myself. I hope you get something from file submissions.

joshaven

Well, I am not able to convince my self to simply use WPA2 since the key will be easily know by a customer and than an attacker can listen to all unencrypted web traffic. Why would I even bother with encryption and take the performance overhead if it is not secure. Might as well leave the network o...

joshaven

I am not sure I fully understand your situation... however I think it is entirely reasonable to use standard WPA or WPA2 for a connection between customers and your infrastructure equipment. You don't have an obligation to secure the wireless data. The only party that can truly be responsible for th...

joshaven

Have you tried nexthop-choice=propagate which will: "try to propagate further the nexthop received; i.e. if the route has BGP NEXT_HOP attribute, then use it as the nexthop, otherwise fall back to the default case"? "set-in-nexthop (IP address;) set gateway value to the specific IP ad...

joshaven

If you have clients with pore modulations connected then that could explain your latency. What is the condition of each wireless client when your having latency? You could confirm that you have both chains enabled for send and receive as well as using B/G/N. If you wanted you could disable the lower...

joshaven

If synchronize=yes or default-originate=if-installed is used, the attributes of the announced route will be taken from routing table.

Hope this helps. Otherwise it may be helpful if you post configuration snippets.

joshaven

Remember: Radio mobile do not observe buildings.

Radio mobile has buildings under their land cover data. It is displayed on the map in light blue by default. I'm not saying that the simulations are perfect but I have found them very helpful.

Land Cover info:
http://www.g3tvu.co.uk/Land_cover.htm

joshaven

I would be surprised if BGP is doing that to you unless your dropping and re-establishing the full routing table. I am supposing that your checking the log & interface stats to see if your having interface issues. Check the status tab under the BGP peer. I have received just under 6 million upda...

joshaven

This was my only queue on the edge router. We do have speed queues on the local routers that are simple queues as well but they match on the interface (we are using PPPoE). If you going to try running this on the same router that your using to limit speed to customers then your going to need to doub...

joshaven

Email me if you are interested in having a phone conversation regarding these questions. I can help you with a lot of areas including creating RF propagation simulations that will show you your approximate coverage area with the various configurations and hardware that you are considering. josh (at)...

joshaven

My vote is strongly in favor of RouterOS over OpenWRT and I have run both.

joshaven

Wow, that is embarrassing... I hope I didn't mess you up and cause you to limit your entire network to those slow speeds... Your absolutely right, calling it P2P is not enough to match P2P traffic. I copied this from a disabled rule that was working before the RouterOS version 6 upgrade... The simpl...

joshaven

I cannot fully answer your question because I have never run a setup that is similar to your request however I can say that your limitation will be in hardware capability, if your running a high number of user and your resources are only moderately consumed then your fine. I don't recommend running ...

joshaven

I think it can not be done exactly as you are specifying. I don't know how you would average a speed per second over 2 minutes. Without the 2 minute requirement you could mark the connections meeting your other criteria like this: /ip firewall mangle add chain=postrouting protocol=tcp dst-port=443 o...

joshaven

It should be possible. I would expect that one of these would work depending on if your using single-mode or multi-mode:
http://routerboard.com/S-85DLC05D or http://routerboard.com/S-31DLC20D

These would work well in either a MikroTik router or switch

joshaven

Below is how you could create a PCQ for equal access along with limits. This limits P2P tgo 768k download & 64k upload for the entire network and allows 128k/64k for each user. You'll probably want to adjust the target interface along with the speeds to better fit your use case. This is a very h...

joshaven

I could do a link path analysis with various configurations using the radio mobile software (http://www.ve2dbe.com/index.html) which would give you a fairly accurate estimate of the signal quality of the link. Otherwise I recommend getting as close as you can with this tool http://www.ubnt.com/airli...

joshaven

I really don't know the circumstances of your issue but you probably could crate a packet mark and a couple of HTB queues to accomplish this. Note: I just typed this out and have not tested the config so if your having issues then check the commands out because they may have typo's or such. This app...

joshaven

You probably want to setup pcq

http://wiki.mikrotik.com/wiki/Manual:Queues_-_PCQ

joshaven

In your prerouting chain of the mangle add a connection mark based on the source address then add a routing mark to every packet that has that connection mark. Then add a default route that matches each routing mark for each uplink.

joshaven

routeros dns server does not only reply mx records when asked for this type. it also puts all other types like a or ns in the response. exchange server gets confused with this. there is a setting in the outgoing tranport to use external dns server. this will solve the problem but dont ask me why. C...

joshaven

In the Ubiquiti ones you can specify the "Management VLAN: Enable" then in the "VLAN ID:" box enter a number. VLAN management is also very easily accomplished on the MikroTik but the need is much more complicated then VLAN management as I understand the problem. The remote Site ...

joshaven

What is the one click in ubiquity?

joshaven

Thanks for the response. Will give it a try. Its complicated as compared to other products. This scenario can be easily achieved in other products like ubiquity's Nano Bridge, Airgrid etc. Just we have to create point to point link and tag the traffic with desired vlan. Will update on this. By the ...

joshaven

The complication is not due to the network design that I am proposing given my understand of your need not the product. The complication is that you cannot both keep tagged traffic together with untagged and keep them separate at the same time. If you need both layer 2 networks on the same back-haul...

joshaven

OK... I think I have a solution. The Untagged Network The SXT at site B should have the management IP on the "bridge1" interface which should have WLAN1 as the only port memeber. WDS should be using bridge1 as the default bridge. This means that there is no access from SiteB to the managem...

joshaven

Will any traffic go over the SXT connections that is on any other VLAN?

joshaven

Adding a single VLAN interface on each would not do what your wanting. If you wanted to fully bridge VLAN 300 across you would need to add a VLAN 300 to both ethernet interfaces and to both wireless interfaces and add all four vlan interfaces to a bridge. I suspect that you just want to recieve VLAN...

joshaven

Rate flapping can be in issue but I haven't found it to be a problem with recent releases of RouterOS. For fixed outdoor installations we run NV2 and have found the rates to be very stable and we do not limit the rate selections at all. For standard in-home we use 802.11n and also don't limit modula...

joshaven

The wireless data-rate is not a good way to control speed in your network. If you want to limit the speed of one or more of the wireless devices then you would be much better off using queues. Communication at lower data rates means slower communication but it doesn't use fewer resources, in fact it...

joshaven

You need to add a VLAN interface to the bridge in the router. If you want to bridge VLAN 300 all the way across then you'll have to have a VLAN 300 interface on each physical interface that the traffic will be crossing... in that case you will want a "VLANBridge" which has members like: &q...

joshaven

Yes the MikroTik switch will allow you to use VLAN's at the switch. However I personally don't use VLAN's in my home even though all of the equipment I am using is VLAN capable and I run a business in my pole barn off the same network. I cannot think of any reason to use VLANS in a small network.

joshaven

Are you doing NAT for all addresses at the edge router?

joshaven

Here are the basic steps: Match your inbound traffic in the prerouting chain that doesn't have a connection mark based upon the source address and add a connection mark. This makes it so that you will properly return something that originated from the outside world ( If this ever even happens ). Thi...

joshaven

Sorry, I wasn't familiar with the notation you used for the locations. I assumed you were using Decimal notation (16.35433) rather then Degrees Minutes and Seconds (16º 35" 43.3'). Here are the adjusted path's. As long as the paths are as clear as they look you should be fine. I am not seeing m...

joshaven

You don't have to specify a public ip to use PCC.

joshaven

Are your advertisements being received properly by your upline?

joshaven

Use PCC and assign more connections to the larger connection. http://wiki.mikrotik.com/wiki/Manual:PCC With PCC split into 4 streams and set the first 3 streams to have the same connection mark and the last to have a different mark. This will split 1.5:6 you can get fancier with the split but I'm no...

joshaven

This link should work with the following hardware: RB912UAG-5HPnD-OUT http://routerboard.com/RB912UAG-5HPnD-OUT 30DBi ARC-DA5830SD1 http://www.antennas.com/dish-antennas-2/dual-pol-dish-antennas/ RPSMA-NM-240-36 http://www.ispsupplies.com/categories/Our-Picks/RPSMA-NM-L240-36.html All of the above h...

joshaven

Yes in the same segment. As I understand the PPPoE service will pick up the requests somewhat evenly. Unlike DHCP you can have multiple PPPoE servers on one Layer 2 network. I have not ever had a need to do this so I don't have experience with it but I have read quite a bit on MikroTik and PPPoE and...

joshaven

I would think that the natural IP to respond would be the IP that received the request. The job of NAT is to change source IP's. Therefore it doesn't sound like a hack to me. It sounds strange to me that Cisco would receive info on one IP and respond from another. Are you sure that Cisco isn't rewri...

joshaven

Is the remote mikrotik using an external DNS? I wonder if it is sometes being queried and not answering as desired.

joshaven

You can use src NAT on ICMP to change the originating ip. You'll probably want to match the src addresses on the rule so as to not to match ICMP passing through the router.

joshaven

You need to read up on hotspot.

joshaven

I am willing to do some path analysis for you if you like. However for a 20km I would recommend a 2' or 3' dish and an rb911 radio board and a good enclosure. If you would like more info on the hardware I can send that as well. If the path is good then you can easily get over 50Mbps. What country ar...

joshaven

That looks like it should work to me. My guess is that the issue is in the routing table. Can you post the touting table?

joshaven

Have you verified that pins 4&5 are - an 8&9 are +24VDC after your power cross over?

joshaven

PCC will help you load balance both the upload and download on any TCP traffic that you initiate. The only way you can load balance incoming requests is to somehow load balance the IP address that the remote end is going to use to initiate the connection. If the remote end uses your IP from ISP A th...

joshaven

The traffic will be returning to the same IP that it is sourced from so I expect that it is not flowing out the better connection. I don't know enough about your traffic to tell you the best way. Here is something that should work for you but I am making a bunch of assumptions: * Create an address l...

joshaven

By PPP I am amusing you are referring to PPPoE not PPTP VPN. An RB1100-AHx2 ( Dual 1GHz PPC Chip ) can handle 300 easily but I suspect it cannot exceed 1000 PPPoE Terminations. I've not tried but I would expect the CCR to handle 3000 connections. We terminate PPPoE at each location so as to spread t...

joshaven

No marking, no nothing, the router is pretty much "out-the-box", with just that one additional route in the IP > Routes section. The uplink chosen will be choose via the routing function. The miens of communication between the firewalling functions which are identifying the traffic and th...

joshaven

If your sure your traffic is going through the proper connection then you can try disabling the SIP helper:
/ip firewall service-port disable sip

joshaven

How are you identifying and marking your VoIP traffic? I wonder if you aren't getting some of the VoIP traffic over each link. We identify VoIP traffic based upon either the source or destination being our VoIP server subnet. However if I didn't control the VoIP server subnet then I would probably b...

joshaven

Thanks for advice. 2nd instruction you said to send over one connection. Does it will work loanbalancing from ftp download or upload. Also can you please give me example of doing routing mark rule ..please FTP is TCP traffic which means that it has a connection. It isn't then so much about upload o...

joshaven

http://mum.mikrotik.com/presentations/US12/steve.pdf You put one fine detailed PDF document there. Nevertheless I think I found an error on the second page from the end. There you descirbed a isuse with assymetrical connections and created 4 PCC mangle rules Shouldn't these rules be 4/0, 4/1, 4/2 a...

joshaven

In order to not send your FTP over multiple connections you can: 1) Use PCC (per connection classifier). The connection tracking keeps track of what belongs to that one connection and the PCC load balances across your internet uplinks on a per connection basis rather then a per packet equal cost or ...

joshaven

If your security concerns are high (like millions of dollars of liability high) then I would recommend creating an IPSEC VPN tunnel. However, an IPSEC VPN is an order of magnitude more complicated to setup. As I understand, the main security concern with a PPTP VPN is that the initial connection (if...

joshaven

If I were trying to connect three locations and did not have really high security concerns then I would setup each location with its own subnet and create a VPN ring where each router knew how to reach each network directly. If you don't separate the three locations by subnet then you will likely en...

joshaven

I would use the queue tree. Set a queue on your WAN interface then two child queues one for the sync data and the other for everything else. Then you'll need to add packet marks in the post routing chain of the mangle feature so that you can identify the traffic to match it up to the queues. Set th...

joshaven

Hi joshaven thanks for your replay. but i need to route my pptp from one of my WAN connection (i have 2 WAN). so that i use 1 WAN for pptp and use other as simple use. i hope you understand my problem. You still need to add a route mark to the traffic that you want to go through the pptp connection...

joshaven

I would use the queue tree. Set a queue on your WAN interface then two child queues one for the sync data and the other for everything else. Then you'll need to add packet marks in the post routing chain of the mangle feature so that you can identify the traffic to match it up to the queues. Set the...

joshaven

Look at routing filters.

http://wiki.mikrotik.com/wiki/Manual:Ro ... ng_filters

joshaven

You probably need to be using PCC load balancing. I am not sure but I am guessing that the issue is that the FTP connection is ending up split between the two when it shouldn't be. If that is not the issue the. Possibly try both passive and active FTP modes.

joshaven

Create a mangle rule in the prerouting chain that matches the traffic that you want to go through the pptp with an action of adding a routing mark. Then create a route for 0.0.0.0/0 with the same routing mark that has the pptp interface as the gateway.

joshaven

can you please help me with this ?

http://forum.mikrotik.com/viewtopic.php?f=2&t=75086

Sorry, the hotspot feature is my biggest MikroTik weakness and cannot tell from what you posted what the solution would be.

joshaven

/ip firewall mangle add action=mark-routing chain=prerouting new-routing-mark=ISP_A passthrough=no src-address=192.168.2.2-192.168.2.20 add action=mark-routing chain=prerouting new-routing-mark=ISP_B passthrough=no src-address=192.168.2.21-192.168.2.40 /ip route add distance=1 gateway=ether1-ISP_A ...

joshaven

If you want your router to function between the ISP and the ISP provided router then you very well may not be able to do that without some crazy NAT rules which would be similar to a man in the middle (hack) approach. One thing you can do is bridge all used ports together and monitor the traffic. Wi...

joshaven

This conversation is overly complicated for the need here... Lets assume that the ISP is giving you three DHCP assigned IP addresses on the three VLANS that they are communicating on. Rename your external interface to WAN ( or translate the rest of my instructions accordingly ). Create three virtual...

joshaven

What is purpose of the VLAN's? The provider delivers Internet, IPTV and VOIP on VLAN's to me. To use them, you have to take them apart. The router of the provider does this standard. However, it is not possible to set DHCP or DNS itself. Is the traffic coming from NTU VLAN already tagged traffic? T...

joshaven

If I read the graphic correct, the interface belonging to vlan 4 is supposed to accept untagged traffic and to tag input traffic to vlan 4. As far as I know if vlan 4 is assigned that interface, the input traffic should be tagged and output traffic is tagged with the vlan is. This is not as desired...

joshaven

VLAN 4 and 6 should be untagged... As far as I know... :) I am not sure what you mean by VLAN 4 & 6 being untagged. The only untagged VLAN is VLAN1 which is the same as not having a VLAN. If you mean ports 2 & 3 should accept untagged traffic and should be able to communicate with devices o...

joshaven

The difference to the pictures is that VLAN 4 and 6 should be connected to port 2 to 4. Is this even possible? Yes it is possible. Create Ether2-VLAN4 and Ether3-VLAN4. Then create a VLAN4-Bridge interface that has Ether2-VLAN4 and Ether3-VLAN4 as port members. Then do the same for VLAN 6. /interfa...

joshaven

If two interfaces are bridged then they are in the same layer two network and devices can ping one another when they are in the same subnet. If the interfaces are nt bridged then they need to be in different subnets and use the router as a gateway between the two layer two and two layer three networ...

joshaven

I'm almost positive they would be 40mm fans. The x2 has 40mm and its the same sized router.

joshaven

In the ip firewall filters setup a rule that identifies the traffic and drop it. You may find it easiest to match source traffic of 10.x.x.0/24 an destination of 10.y.y.0/24 and drop that or you can match based on source and destination interfaces or bridge interfaces. There are other ways to match ...

joshaven

Router OS is a software defined routing platform and an issue like DHCP pool size would be a software level thig. So the answer is that a pool size for a /22 is absolutely fine. The thing your going to want to watch closely is your memory and more importantly your CPU load on that router. If your no...

joshaven

You need to identify the traffic with the ip firewall mangle feature and add a routing mark to the traffic. Then you need that connectons route to have the matching routing mark.

joshaven

Yes you can have multiple ip's on any interface. You may need to do some routing things to return traffic over spicific ip's though the return ip will be chosen based upon the route table.

joshaven

You need to add a virtual vlan interface on any of the ports that need to use that vlan. I believe you can add a vlan to a bridge or a bridge to a vlan. Think of the vlan as an interface. If you need vlan 4 on ether1 then create an ether1-vlan4 interface. If you need ports 2 & 3 to both have vla...

joshaven

The router will automatically route traffic between any subnets you have on your router. If you want multiple ports on the same subnet then you need to either have them all port members of the same bridge or use the switch settings if available on your hardware. If your traffic leaving your router t...

joshaven

Thank u for your reply. Does the version on the dude snmp.profile has to be the same as the trap version on the second figure? And what about the contact info and location are the obligatory?? I have generally have the dude set to SNMP version 2c because I have that set to the default in my copy of...

joshaven

hello joshaven. could you please post screen shots on how to set snmp between mirkotik routerboard and the dude??

joshaven

You could probably NAT the reply to change the reply address. The way a trace rout works is that multiple packets are sent to the final destination with too short of ttl times so the packet expires at each hop along the way. When the packet arrives expired at a router the router will generate a repl...

joshaven

see attached screenshot with a representation of how many devices and usage...

joshaven

Add a static rout to each and use the ping check gateway. Then add anther default route to each that has a router mark also with check gateway. That way the routes with the PCC mark will be followed unless the GW is not accessible in which case the route will become unavailable. If the PCC route is ...

joshaven

I know its fine with a few hundred (300 or 400). I've never reached a limit.

joshaven

Packet marks disappear between routers tos is preserved. A route mark is just a software thing in the mikrotik. The tos is part of the packet header.

joshaven

Does MK1 need to run in router mode? It sound to me a lot like my home network. I have an office in my barn without a direct internet connection and a house with internet. I have a bridge connecting the two locations so that I can have internet at both locations. I have the bridge configured as a tr...

joshaven

Do you have an internet connection connection to both locations or just one of them? Is MK2 running as a router or a bridge? If your goal is to simply have internet at the location that the MK2 router is at then you can just be sure that UBNT M5, MK AP Bridge WDS and MK 2 area all in the same layer ...

joshaven

Do you have two gateways of which your MikroTik is doing NAT for both? If so you probably want to use NAT rather then mangle. Packet marks do not stay with the packet. You cannot pass a routing mark between routers. If I had two ajacent routers I would use two layer2 networks to pre-sort the traffic...

joshaven

I am sure that adding the condition of dscp=6 does work. Are you trying to separate DSCP6 traffic from to one IP to go out one gateway and non DSCP6 out another gateway? I cannot infer from your examples what your goal is. Earlier you said you want all traffic from one IP to go to one place. I would...

joshaven

How do i check the arp table on the Mt router. Go to IP Arp: joshaven@10.220.12.2 (Albright-RB1100AHx2) - WinBox v5.20 on RB1100AHx2 (powerpc).jpg You talked about putting the modem in bridged mode how?. You'll have to check with the modem manufacture or vendor. Generally you can manage them with a...

joshaven

Do you have a route with that name? Also do you have traffic going else ware?

joshaven

It sounds to me like an arp issue or possibly a DHCP issue on the modem. You could check your ip arp table on the router under the working and not working condition. However if you put the modem in bridge mode I think you would bypass the issue all together.

joshaven

I would try putting the modem in bridge mode and running DHCP or pppoe or whatever the modem is doing directly on the router. If you cannot do that then figure out if the wired and wireless are both having the issue and also see if the router is loosing its ip connectivity with the modem.

joshaven

Your exact wording makes it a bit of trouble but its real easy to do similar things. Like add an ip that isn't in an exclusion list to a ban list when it has more then 5 concurrent smtp connections. You can also ban if in fifth smtp then add to fifth smtp if already in fourth on new tcp state and so...

joshaven

Can you seporate the DHCP networks by using vlans? If all of one Macs of one type are coming from one device like one AP then you probably could tag everything from that device. If not then maybe you could get creative with bridges and bridge filters. At any rate I would bet that the trick will be s...

joshaven

I don understand the purpose of rule 4. Can you post your desired outcome? It looks like your rule set would change all traffic to have DSCP 6.

Also it seems that all traffic from one ip will use a custom routing table called route1

joshaven

I am very happy with 5.20-5.25 for production use. We use many of each of the following in production: 493ah, 711, 2011, & 1100ahx2. We also have a hand full of 1200's but we find ports 9 & 10 to be problematic so I won't be buying any more of them.

joshaven

You can look at how your BGP advertisements are working here: http://lg.level3.net/bgp/lg_bgp_main.php If both ISP's are accepting your routes and your routes to them are correct then I don't know how it would be a BGP issue. It could be a firewalling issue however: Check to see if you are dropping ...

joshaven

I am not sure what you mean by IPX, do you mean the Novel protocol IPX (http://en.wikipedia.org/wiki/Internetwork_Packet_Exchange)? All BGP is doing is communicating routes. If enabling BGP is breaking something then I would suppose that your not advertising a route or not receiving route advertisem...

joshaven

Given the subnet length of /24 both 192.168.0.1 and 192.168.0.2 are within the same subnet. This means that they should be in on the same network. You can bridge two LAN ports together by creating a bridge which you may choose to call LAN. Then both ports can be added to to that LAN bridge. You can ...

joshaven

It sounds like you got it. You could call your upline and have them watch your routes and then ensure that you are not attempting to advertise something you shouldn't then try to advertise a private or something to ensure your filter is right. Or if you have a couple of routers you can build your ow...

joshaven

Don't specify the to-address. You don't want to masquerade as 0.0.0.0 you want to masquerade as your public address. By default it will masquerade as the address that is associated to the default route that it is following when leaving the router (your public).

Search found 438 matches