MikroTik

lctn

I am attempting to add the following to a script for a 750 box but it starts to err out with the word "do="

:if ([/ping x.x.x.x count=4] = 0) do={/interface disable interface ;/interface enable interface}

Is it OS specific or a simple syntax error?

lctn

Was able to upgrade to 5.26

routerboard: yes
model: 750GL
serial-number: 2CF90138C458
current-firmware: 2.36
upgrade-firmware: 3.09

Script still does not run though

lctn

I am a long way away from 6x. These boxes are only configured for eoip tunnels.

routerboard: yes
model: 750GL
serial-number: 2CF90138C458
current-firmware: 2.36
upgrade-firmware: 2.35

lctn

/system scheduler add disabled=no interval=0s name=rst-Interface on-event=disen policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ start-time=startup /system script add name=disen policy=\ ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \ source="/...

lctn

When I do that, the script name comes up red in scheduler:

# NAME START-DATE START-TIME INTERVAL ON-EVENT RUN-COUNT
0 rst-I... startup 0s disen

lctn

I am working with 750 box, attempting to get a script to run on startup. Script runs fine manually. I have altered the delay from 10-60 to see if that made a difference but it did not I have the following in system scheduler: add name=2 on-event="/system script run di sen" disabled=no start-time=sta...

lctn

Resolved it with a script:

{delay 20};
:if ([/ping x.x.x.x count=4] = 0) do={/interface disable interface ;/interface enable interface}

lctn

Didn't help

lctn

Rebooted box, and as before, the eoip interface does not pull a dhcp address: Here is what I have for the bridge: Flags: X - disabled, R - running 0 R name="bridge1" mtu=1500 l2mtu=1598 arp=enabled mac-address=02:74:A6:81:DA:DE protocol-mode=none priority=0x8000 auto-mac=yes admin-mac=00:00:00:00:00...

lctn

I have a number of 750 boxes across our WAN, located on different LAN subnets. Recently, I have had a couple of them that will not pick up a DHCP address on the EOIP tunnel interface unless I disable and enable the interface. Reboots do not work. I must telnet in and reset the interface before it wi...

lctn

I have to ask this question rather than experiment too much with my production environment. We are setting up a new data center. One of our firewalls is a Mikrotik CCR-1036. I want to clean up the cabling with ether1 connecting to our ISP and SPF 1 configured for all vlans (1,105-120), allowing me t...

lctn

Thank you! I'm continuing to work on the project, but am stuck on the ssh variable from the php script on the server. Trying to figure out how to change the connection variable to use: ssh -i /home/raymond/.ssh/id_dsa raymond@10.10.1.1 <?php $blocked=array(); exec('cat /var/log/suricata/fast.log | g...

lctn

Thank you! I is this a single script, or two different scripts and would it be created in system/scripts?

:global ip

local time ([/system clock get time]+("00:05:00"))
if ($time > "23:59:59") do={

:local time "00:05:00"

}

/ip firewall address-list add list=blacklist address=$ip comment=$time

lctn

I understand that $ip is a variable. However, it is not populated until a php script is run on the snort box and populates the black list with potential offenders. I just don't have enough knowledge yet on how to add the provided scripts from the wiki to the Mikrotik side correctly without getting e...

lctn

Here is an example of my what I am attempting to do: According to the wiki, I would create a scipt via the following: :global ip local time ([/system clock get time]+("00:05:00")) if ($time > "23:59:59") do={ :local time "00:05:00" } /ip firewall address-list add list=blacklist address=$ip comment=$...

lctn

Ubuntu 14 Mikrotik CCR1036 6.24 I am not sure if this is the best way to go, regarding an IPS/IDF solution, but I have been following this wiki: http://wiki.mikrotik.com/wiki/Mikrotik_IPS_IDS Traffic from the CCR is sent by snort via the following command and works fine: sudo ./trafr -s | snort -r -...

lctn

RB750 6.27 I am attempting to generate certificates for openvpn by following the wiki: http://wiki.mikrotik.com/wiki/Manual:Create_Certificates#Generate_certificates_on_RouterOS The first steps work fine: /certificate add name=ca-template common-name=myCa key-usage=key-cert-sign,crl-sign add name=se...

lctn

Couldn't get it to work with the addition of a rule. However, it works with the following (renamed the list): 3 chain=prerouting action=mark-routing new-routing-mark=verizon443 passthrough=yes protocol=tcp src-address=10.99.0.0/16 dst-address-list=!VBypass dst-port=443 log=no log-prefix=""

lctn

Thank you... I didn't realize multiple lists could have the same name. Much easier to manage!!.

I will give that a whirl!

lctn

OK.. I created three address list: /ip firewall address-list> print Flags: X - disabled, D - dynamic # LIST ADDRESS TIMEOUT 0 Google1 216.58.0.0/16 1 Google2 74.125.0.0/16 2 Google3 173.194.0.0/16 [admin@LCTN-FW] /ip firewall address-list> What would be the proper syntax for the pre-routing chain th...

lctn

One bit of missing info:

Mangle rule verizon443 routes to filter (10.10.1.85)
Mangle rule VBypass routes to public IP (same as everything that does not go through filter)

lctn

I have the following PBR rules for specific sites to bypass our content filter https filtering. The google filter is not working properly. I see counts go up when attempting to access drive.google.com (for my google rule), but traffic still ends up running through my catch all policy (verizon443) an...

lctn

I need Internet users to bypass our content filter for approved HTTPS sites. I can create individual rules, such as this to do that: ip firewall Mangle add chain=prerouting src-address=10.99.0.0/16 content=facebook action=mark-routing new-routing-mark=VBypass However, I would much prefer a list I ca...

lctn

I have the following scenario with traffic running through a Mikrotik CCR1036-12G-4s device, running 6.24 We have a number of Verizon Aps configured to run associated devices through a GRE tunnel between Verizon and our network, using a 10.99.0.0/16 subnet which is NATed to a public address. Policy ...

lctn

lctn

V 6.24 CCR1036-24G-4S I set up PBR to send port 80 and 443 traffic to a content filter for my 10.5.5.0/16 subnet and a test workstation (10.10.1.15). For the most part this works fine. However, because I am using transparent proxy mode my exclusion list for HTTPS traffic does not work. I would like ...

lctn

The problem was resolved by specifying the outbound interface for NAT

lctn

I have a peer that I have recommended use Mikrotik for a firewall. However, prompt support is very important to him. I appreciate the forums, but help is sporadic and I am not finding a recommended Mikrotik support engineer that promises this level of service. What company is out there that has a go...

lctn

lctn

Home Mikrotik # jan/06/2015 13:40:25 by RouterOS 4.3 # software id = 72YI-U7G2 # /interface ethernet set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment=\ "" disabled=no full-duplex=yes l2mtu=1524 mac-address=00:0C:42:5B:E5:98 \ master-port=none mtu=1500 name=ether1 speed=10...

lctn

I set up an openvpn interface to connect with my home and work office. From home, I can ping and access my work network. However, from work, I can only ping my home network from the Mikrotik device. PCs and servers on the 10.10.0.0/16 cannot ping anything on my home network. A traceroute stops at 10...

lctn

CCR1036-12G-4S ROS 6.19 This problem has occured 3 times now, about every 4-6 weeks of uptime. Pings to the internal network gateway (port 2 on device) will start acting erratic. Several pings will time out, then reply, followed by longer than normal successful ping times for a while, and then sudde...

lctn

That worked. Thank you!

However, is there a way to get the mac address of the device directly connected to ether1? I end up with a long list, but no way I know of to discern which mac is directly connected.

lctn

I have 2 vlans on this box: 106 & 107. Issuing /ip arp displays a couple mac addresses for vlan 106, but nothing else. Under interfaces, I have two bridges: v106 & v107, and of course, the vlans. issuing ip arp print where interface=ether2 (on vlan 107), =v107, or =107 do not produce any mac address...

lctn

This is what I get: [admin@Maccray-ITV] > ip arp print where interface=ether2 Flags: X - disabled, I - invalid, H - DHCP, D - dynamic # ADDRESS MAC-ADDRESS INTERFACE I am attempting to get the mac address of the device directly connected to ether2. May have asked for wrong info???

lctn

lctn

Yes, that worked!

Thank you

lctn

I know this must be simple, but I am not finding how to display the mac address of a device attached to a specific port that is part of another vlan??? /ip arp print works fine for default

RB-750G

lctn

Just getting aquainted with failover scripting. So far, what I have found for scripts and tutorials discuss bonding with failover. I need to find a script that simply enables/disables interfaces, based upon network availability. Does someone have a good doc and script for this? To clarify: I have a ...

lctn

I was able to get the primary and secondary tunnel to come up with the following config: GRE Interface: Flags: X - disabled, R - running 0 R name="verizon1" mtu=1476 l2mtu=65535 local-address=1.1.1.1 remote-address=2.2.2.2 dscp=0 1 R name="verizon2" mtu=1476 l2mtu=65535 local-address=1.1.1.1 remote-...

lctn

Still no success. I do not have a private network to ping on the other side, outside of the IP of the gre tunnel on the Verizon end. Here is the latest config changes and IPSec logs 3 chain=srcnat action=accept src-address=10.10.0.0/16 dst-address=10.98.0.0/30 log=no log-prefix="" 4 chain=srcnat act...

lctn

Just need a little clarity on this. In our setup, the far end of the tunnel private IP is 10.98.0.1/30 for their gre interface. Our end has 10.98.0.2/30 assigned to the gre interface. Traffic will flow from a Verizon AP (on a school bus) through the tunnel and pick up a 10.99.0.0/16 address from my ...

lctn

I am working on a GRE IPsec tunnel with Verizon. We get it to come up enough where info is populated in installed-sa. However, the traffic does not seem to return and we cannot ping the private address on either end Mikrotik: CCR1036-12G-4S rOS: 6.19 Here is a sample config Verizon believes would wo...

lctn

I am using a Mikrotik CCR1036 for a number of services (EOIP, Openvpn, routing, DHCP). I am attempting to set up a gre tunnel to Verizon. However, when I add a public IP to the gre interface it kills my production network. The network comes back up when I disbale the IP. The documentation seemed pre...

lctn

Got it working by adding new vlan interfaces to current vlan bridges.

lctn

Failed to mention, P1 on switch 1 is uplink to main HP switch, P5 connects to P1 of 2nd switch.

lctn

Thanks... I thought it was a special export function I didn't know about

lctn

My apologies, but I have no idea what you mean.

lctn

I need to simply extend several vlans to a 2nd 750g switch. In my setup, two or three ports on each switch will be configured for a single vlan. I have tried several configurations, but am not getting it to work Here is what I currently have configured on each switch: Switch1: /interface bridge add ...

lctn

the settings are the same, before and after the upgrade. Didn't matter what I changed the server to, still received the cipher error.

lctn

Found a 6.02 version and was able to downgrade. Not sure what to do about the cipher issue when I upgrade in the future.

lctn

In a time crucial situation.. upgraded to 6.7 and now ovpn will not work. I have many important connections that cannot be made. I am running a ccr1036-12g-4s Would like to downgrade, but system package downgrade is not working. Can't be positive I have the right, older os for ccr. Is there a link f...

lctn

Thnaks for the reply. That worked for simple http traffic, but not https. I added a 2nd rule when things did not work: iptables -t nat -A PREROUTING -p tcp --dport 443 -j DNAT --to 10.10.1.56:8080 This caused ssl string errors on the client. However, if I simply set the proxy manually to port 8080 o...

lctn

Running OS 6.2 on a CCR1036-12G-4S box. I've been reading similiar questions to what I need, but not getting prerouting with port forwarding to work. I need to translate destination port 80 to 8080 with the following configuration. Have done it before, but missing something. /ip firewall mangle> add...

lctn

Turned out I had a couple other issues getting in the way too, but your recommendations worked.

Thank you

lctn

I am atempting to create a 1 to 1 NAT or Netmap, so the private IP of a mail server uses a specific public IP. The inbound portion of the config works fine. However, the mail server cannot get out to the Internet, unless it uses my catch all masqurade rule, which uses a different IP. My goal is to h...

lctn

I need to add a 2nd RB 750G switch to my office and extend all vlans from switcch 1 to it. Currently, switch 1 (working) has port 1 connected to my main edge switch. I want to connect another 750G to switch 1 via port 5. I have tried a number of configurations, but am having difficulty getting thing...

lctn

I would be fine with that. I am poking around on the mikrotik.com site, trying to figure how I can load the config for reading, but not finding it.

Any pointers??

lctn

From digging, I see now that it is recommended to use export/import for working with backups. However, I need to restore a backup , or at least be able to read it to get the config info for a new box. I had a 450G box die. I have several backups, but get the following error when attempting to restor...

lctn

We purchased a couple CCR1036-12G-4S devices

lctn

Had our 2nd 450G box fail in a number of months. Love the Router OS, but need hardware not prone to failure. What do people recommend that would be Mikrotik, rack mounted, and excellent reliability? Needs at least 5-10 ports for flexibility.

lctn

I have a VOIP installer that needs a few DHCP Options, 156 or 66, and Option 4

I have to do this on the fly because of my schedule. Anyone have the config commands to do this?

lctn

We currently use a 450G box for vpns with eoip tunnels for each connection to stream 768K video to HD codecs. We often have up to 15-20 simultaneous connections. Once in a while the cpu will jump to 100% and stay there, even after dropping all connections. Resources show there is still over half the...

lctn

The only visual I have is a high number of connections to my relay servers. For this, I have just blocked subnets. I would guess there should be a way to identify a steady stream of port 25 packets, since normaltraffic should be in short burst.

Just guessing......

lctn

Recently, we have been clobbered with an immense amount of spam traffic. I would like to block abnormal traffic destined for port 25, so our MTAs do not have to deal with it at the server.

We are using a 450g unit as our firewall.

Any help is appreciated

Raymond

lctn

lctn

I have attached a config from one of the radios for review.

lctn

They are using a Sonic Wall for the guest access. I set the point to point wireless up a few years ago. Just using bridging and nstreme, nothing else. I will make arrangements to remote in tomorrow and retrieve the config info.

lctn

I'm helping a school that has set up a guest wireless access vlan across multiple buildings. It works fine for everyone, including the one out-building that is connected via bridged mikrotik radios using nstreme (5ghz). That is, as long as they go out to the Internet it works perfect. However, if th...

lctn

I upgraded to 5.4. Currently I have HT-MCS set to 12 and have 78Mb. I have set it to 15 and got 130. I am wondering about the stats on the attached jpeg. How is it I have 100%CCQ, but TX/RX CCQ 65/64. Is this acceptable or do I need to make some changes to improve things?

lctn

Just trying a simple config based on the wiki. I like the non-bridging solution (I know I have something wrong). I have port 5 attached to procurve vlan 106 and port 2 plugged into my laptop. I am expecting to ping 10.10.1.2/16 with my laptop Ip 10.10.1.90/16 This is what I have at the moment for a ...

lctn

Do you have a link for 5.4? I am not finding it. Just 4.17, and 5.7

lctn

I will try that.

Just an fyi: We moved the radios to the base of the tower, so we have about 115-125 feet of LMR on each tower, which is why the dbs are off some.

lctn

I understand some feel I should just get a true switch for this, but I already have a few routerboard 750g boxes around. I have been through a few vlan tutorials for the routerboard, but have not been able to get my configurations to work. Hoping someone is a whiz at this. I need to connect to an HP...

lctn

Had a typo. We are using SR71 5 Ghz radios. CCQ is 97-99% I have this same exact setup in several other locations and nstreme works great. Three links originate from this same central tower. One points west and works perfectly, using nstreme (278Mb). Another points NE and also works fine with nstrem...

lctn

I have a short 5 mile link that works perfect with the settings below, but all but dies when I enable nstreme. If I Uncheck nstreme, the link is good again, running at 78Mb Boards: 433AH Cards: SR17 Antennas: 32 Db dish with DP feed horns Distance 5 miles Db level 62-66 Using 5 Ghz N only Both chain...

lctn

I have a great nstreme "N" setup after getting some help on this forum: http://forum.mikrotik.com/viewtopic.php?f=7&t=45769 I have duplicated the hardware setup, except I am using RB411AH with RB 4.14 on my new project I will not have access to Internet on the job site and wanted to be sure I had a ...

lctn

We had to put in the following rules to block outbound port 25 traffic, except the mail from our LAN mail server. I need to log the IPs of workstations that are triggering the deny rule. How would I go about that? Rules: 1 ;;; Allow email from our approved SMTP senders list regardless of destination...

lctn

If I have 10 eoip tunnels on a single box. Does the server side need a unique IP for each tunnel ( I know each tunnel must have a unique id), or can the Server IP be the same for all tunnels as long as each client box has its own IP? (mikrotik to mikrotik). e.g client 1, local IP 10.5.5.1, remote 10...

lctn

We had a rockin setup, using Nstreme with 32db dual pol dishes. Had some power troubles, so decided to have an installer bring the radios down to the ground, using LMR 400. The connection ran at about -61-63 db while radios were near the dish, but after the adding the LMR we could not connect, nor s...

lctn

I upgraded the ASA over the weekend and it seems to have stabilized my ssh connections

lctn

A while back I made a post about RDP sessions dropping anytime traffic originated behind my 450g box and had to pass through our Cisco ASA 5520. Connections were always good if I did not pass through the ASA. The following rule stabilized things a great deal, but not a 100%: ip firewall mangle/add c...

lctn

I am running a 450g box as a router and vpn box and it works great in most cases. I am having a big problem staying connected to vpn and rdp sessions when I traverse a Cisco ASA unit on our WAN though. We haven't gotten to the bottom of it yet, but the ASA buffers are maxed out dealing with out of o...

lctn

I need to set up my 450 in a bridge so that it implicitly drops all traffic, but allows hosts by approved mac address. I was able to set up an input chain deny rule, based on mac address, but need to do the opposite by dropping all traffic, and then allowing only approved mac addresses through the b...

lctn

Looks like I have to disregard my previous posts. Windows just does a better job of reconnecting broken connections than Linux Rdesktop does. The problem continues and actually crops up when using ssh. It seems anything that requires a sustained connection when going through the cisco ASA will event...

lctn

A weird twist. I have been doing all my testing after I adjusted the MSS from a Linux laptop. The connection freezes within a couple minutes and has to be broken to create a new one. However, My Windows 7 laptop sitting right next to the Linux laptop connects just fine to the same workstation, witho...

lctn

Can someone post the exact command needed. I did what I thought was correct, based on the info provided, but am still having a problem staying connected.

lctn

Still missing something in my config. To make things simple, I shutdown my original firewall and set up my 450G box to do everything. Port 1 = Public IP Port 2 = 10.2.2.1 (gateway for 10.2 network) Port 3 = 10.5.50.1 (hot spot) Mythtv box Ip is 10.2.2.101 Mythtv Front end is 10.5.50.245 I can access...

lctn

Originally, The Frontend with Ip 10.5.50.245 uses 10.5.50.1 (hotspot) as a gateway and uses UPnp to play videos on the backend. The backend (10.2.2.101), uses a different gateway with IP 10.2.2.1. For a test I moved the wireless AP to the 10.2 network, renewed my lease to pull a 10.2 address, and th...

lctn

I am running a hotspot on ether3 of my 450g box and have a mythtv box on the local LAN which connects via ether2 of the same 450g box. I can access my mythtv web interface, ssh, etc, but my Myth Frontend cannot connect via UPNP. I have tried a number of firewall and walled garden rules, but am not g...

lctn

I have narrowed this down to an issue between my 450g and the Cisco ASA unit at the head of our WAN. Pings never drop off, but all RDP type traffic freezes soon after connecting and has to be terminated in order to start a new session. This is what I know: RDP from my home office to my work office d...

lctn

No answers for this question, but it seems the issue has been corrected by replacing switches on the far end.

lctn

Got it fixed by specifying the outbound interface.

Thanks for the reply

lctn

add action=masquerade chain=srcnat comment="" disabled=no add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\ pub.lic.ip.24 dst-port=25 protocol=tcp to-addresses=10.10.4.22 to-ports=25.25 add action=dst-nat chain=dstnat comment="" disabled=no dst-address=\ pub.lic.ip.11 dst-port=25 ...

lctn

Duh.. Not sure why I used the word "masquerade". I forwarded port 25 from one public Ip to a private Ip on port 25 Here is the header of the message from my mailscanner: : IP Address Hostname Country RBL Spam Virus All 10.10.1.2 gateway-1.domainname.org (GeoIP Lookup Failed) It should show all the I...

lctn

I run mailscanners that are set o accept traffic coming from our private network. I just put in a 450g box to route traffic to the scanners and all is working well, except all inbound messages say they originated from my private IP, rather than the true public Ip as the source. Spammers are getting ...

lctn

I checked mcs 8 - 15 in supported and basic. let me know if that is incorrect.

I changed to "above control" and now have just under 60Mb throughput.

Very cool!

I have two other schools with the same equipment and problem. They will be thrilled to get this fixed.

Thank you!

lctn

Station config #2

lctn

Station config #1

lctn

Ap config #2

lctn

Experimented while waiting for a response. Enabled mcs 10 and mcs 12. Had 26 Mb each way. Put it back to mcs8 for now.

Ap config info #1

lctn

I was responding to the other person's question with my last post. OK.. I did everything you posted. It shows registration at 13 Mb, and band-width speed shows a total of 7-8Mb when testing "both". That is almost twice as much as I had before, so making progress. I tested 5180, 5320, and 5745. All r...

lctn

We get the same results no matter what frequency is used

lctn

Station Advanced and HT-MCS Tabs

lctn

AP Advanced and HT-MCS Tabs

lctn

Station config

lctn

I am not using nstreme.

Let me know if you need more of the configs

lctn

Tower installer certifies all dishes are aligned perfectly now. I am getting -49db-52-db on 7 mile links, but still have the same problem. Band-width test always start at 20+ Mb, and then dwindle down to 4Mb (max) in a 10 seconds or less. The speeds never go back up and ping times run from 400-1000 ...

lctn

We have many 750g units configured with a vpn and eoip tunnel. For the most part they work very well on our WAN. However, we have one remote site that must traverse the Internet to reach the other end of our VPN/EOIP tunnel. The box (connection) drops of several times in an hour, which is very disru...

lctn

I am have almost completed an upgrade for a member school district. We went with "N", but are having very disappointing results with the finished links. Boards: 433AH Cards: SR17 Antennas: 32 Db dish with DP feed horns Distance 7 miles Db level 68-70 Using 5 Ghz N only Both chains are checked and CC...

lctn

I am using a 450G board/switch. I looked around for something obvious, but didn't see anything off-hand. Is there a Mikrotik switch that supports 802.1x

lctn

I set up a hotspot gateway for a customer as a way of central management for a dozen Engenius APs. They do not like that the HS requires the browser to be open for logins, and are asking for a simple wep style password that keeps users logged in indefinitely. My gateway does not use any wireless int...

lctn

Thanks for the response. I am not sure how to configure the preferred method right now, but should be able to use the walled garden approach. From looking at the docs, it should be as simple as this: / ip hotspot walled-garden ip add dst-address=x.x.x.x action=accept That way I don't need to worry a...

lctn

I setup a hotspot gateway to service a dozen Engenius APS for a k12 school. After completing the project as agreed, staff pointed out all users login to the network (apple) with a client, prior to gaining access to their desktop, so there is no way to have the browser open to authenticate to the hot...

lctn

Is there a way to set successful hotspot logins to not expire, so users stay authenticated for many days, even if they reboot their wireless device?

lctn

Yes, the bridge filter is the way to go. I had created the following rules before discovering this last reply. It is different than what was posted, but it looks like I need to add the last "drop" rule. /interface bridge filter> 0 chain=forward out-interface=ether1 action=accept in-interface=ether2 ...

lctn

I am looking at it via winbox now, and understand the concept. Can you provide a sample rule(s) that allows all traffic to pass from specific mac address to port 2 and be redirected out port 1? Does the rule limitation mean I can only create up to 32 matching rules by mac address? Is there a work ar...

lctn

Is there a way to setup a 450g box with 5 ports to only allow specific mac addresses without using it as a router? I just want traffic to come in on port 2 and exit on port 1, but let clients pull dhcp addresses from the local subnet attached to port 1, if there mac address is approved.

lctn

That answers my question.... All APs would then need to be configured to talk to the radius server, not just the gateway.

lctn

To clarify, I am using radius with a hotspot gateway. All Aps use the gateway (port 1 goes to LAN, port 2 goes to APs), so I don't have to configure radius on each device. (I can change that if necessary). I'm not clear from the link provided if I can configure radius without using a hotspot. Just n...

lctn

Maybe I am approaching this wrong. Is there a way to use freeradius ,ldap,and mac authentication without using a hotspot?

lctn

That gets me close to what I need. So, my preferred setup does not allow for a user to be authenticated unless they open a browser? I am just thinking about the novice user trying to gain access to network resources via a server login, etc...

lctn

I have a working set up using a hotspot gateway, wpa2 , freeradius and ldap. I need to set up host authentication instead of user authentication. I am using LAM to manage ldap and have added a couple host accounts, but I keep getting a login page from the hotspot. I know you can do mac authenticatio...

lctn

We had an oversight on a project today and did not get the necessary cabling to configure our new radios for 802.11n. Regardless, I need to get the link up today and configure "N" later. Is there a doc on how to configure the sR71 to use only one antenna? The far end radio is using a cm9. Not sure i...

lctn

One thing I know can be eliminated is nating, since that will be done by their main firewall. Wasn't sure if there was more to change because of using the same subnet as their local network.

When you say 'local user". I am assuming you just mean add a user to "User Manager"

Thanks for the reply

lctn

I am setting up a wireless network for a school. The initial plan was to set up all APs to use a 450G box as a Hotspot and gateway. The 450g would then be setup to authenticate users via a freeradius server, pointing to an LDAP server. The tech I am working with has asked that I set things up very s...

lctn

For some reason, when I set up a RB450 as a router/firewall, RDP and VNC sessions freeze. I can close the connection and reestablish it without any problems. It almost seems graphics related, since often I the connection will stay alive until I start moving the mouse around, or scrolling a browser u...

lctn

Is there a good doc that walks through ALL steps needed to allow hotspot users to gain access to mail, web, ssh, etc...
I tried setting this up through "walled garden", but must be missing other necessary configuration changes that are necessary to get it to work.

lctn

I know this is boring to most, but I finally got freeradius and Open LDAP working to authenticate local unix users (exported to an .ldif). Now I just need to figure out how to configure Mikrotik to use it for wireless client access. I used the following docs and this forum to find the answers I need...

lctn

SurferTim I was able to get things working as you instructed (yeah). Users in the database that belong to the managers group now have full permissions in winbox. Not sure why, put the same users are rejected from the command line though: root@relay-1:/etc/freeradius# radtest raymond password 127.0.0...

lctn

I hadn't originally setup freeradius with mysql. I found a doc and got it done. Do I need to comment out all the info I had previously put in the clients.conf and user file? I see freeradius is walking through radius.conf and ultimately authenticating local unix users, not just what is in the user f...

lctn

Ok... I made the dictionary changes and do not get the "Group" error any longer, but both users (ex and ex2) still only have read access. It seems the Group attribute in their user name is not being implemented. I have it entered in "users" exactly as I have it in my original posts. Is there more to...

lctn

I have followed the tutorial to setup Mikrotik to use freeradius. I am having some success, but am getting an error when attempting to add the necessary info, per the tutorial. http://www.mikrotik.com/testdocs/ros/2.8/appex/user_rad.php The tutorial shows to add the following to /etc/freeradius/user...

lctn

I found this signature at the sourceforge l7 project. Is it as simple as creating a new signature with the following:

[FC]WS[\x01-\x09]|FLV\x01\x05\x09

lctn

I have not touched this yet, but have a need to implement layer7 traffic prioritization to give HTTP & HTTPS traffic priority over all forms of video streaming that utilize port 80. I was looking through the wiki and have not found a signature to mark Flash, Quick Time, etc... Is there a resource wh...

lctn

We have a network of video codecs on our WAN, which are on their own port based vlan. The codecs are all on the same public IP subnet. Our setup works perfectly, except for a single codec that is located on a LAN of one of our member schools. All codecs except for this one have a direct run to the o...

lctn

Sorry if this ends up being a duplicate post. I am not seeing my new post from earlier today. The dst-nat issue has been resolved. It turned out that although ether2 had a static address from our ISP, it was also pulling a second DHCP address. This added a second default route that led to nowhere. D...

lctn

I have a new 450G board with v 3.2 OS. I am having a couple problems with it. First, since rebooting the router (because of problem 2), all inbound dst-nat rules have stopped working, but local users have Internet access. I am outside the network at the moment, so I cannot trouble shoot till I get b...

lctn

I guess I am open to user/pass, just need it to be centralized, so I don't have to update every radio.

lctn

I was able to get the User Manager working, per the docs, but it seems to be authentication per radio, rather than central management if all radios. Is that accurate, or is there something I am missing in the docs? I prefer to use mac address authentication, if possible.

lctn

I have never set up authentication on my radios, and am now looking into a couple methods. I have a school with 4 radios that I would like to authenticate users to, but need management to be centralized. I was looking into freeradius, but had another wireless tech advise I go with using the hotspot ...

lctn

Flags: X - disabled, I - 0 chain=srcnat out-interface=ether2 action=masquerade 1 chain=srcnat out-interface=ether2 action=masquerade 2 chain=dstnat dst-address=pu.bl.ic.6 protocol=tcp dst-port=5900 action=dst-nat to-addresses=10.10.4.70 to-ports=5900 3 chain=dstnat dst-address=pu.bl.ic.3 protocol=tc...

lctn

I have a private IP on ether1, and am nating to a public on eth2. I have added several other public IPs to eth2 for servers that need to be accessed from the Internet. This part is working fine. From eth1 I can ping the public IPs, but I cannot access services, specifically telneting to port 25. Pub...

lctn

I ended up replacing the wireless cards, since we had already replaced the routerboard. It has not gone down for several weeks now, so not sure what the difference is, but glad it is working reliably now.

lctn

Is there a way to install a program like dansguardian on a cf, and configure the routerboard OS to work with it? A link to some docs would be a great help, if this is possible.

lctn

I have a point to point link that had been very stable for months, but has been going down frequently in the last few weeks. We have replaced the original equipment, thinking there was a hardware problem, but it seems to be traffic related. The radios lose connection, and you cannot ping anything th...

lctn

Never mind.... I figured out I had it set up correctly. The settings for the eoip tunnel force it to use the proper interfaces, so using "all" is the proper configuration.

lctn

A support specialiast at Wisp recommended I implement an ospf set up via an eoip tunnel, rather than use nstreme dual. The main reason was to keep the cpu usage down under heavy traffic. The white paper indicated I should set one tunnel with a metric of 10, and the second tunnel with a metric of 100...

lctn

If I am using 5.3, it would have been an error by wisp-router. I am not near them right now, but will verify. I am running in a lab environment, with dual feed horn, 29 db dishes, 50' apart.

lctn

Yes, that is what I tried, but at the moment, the only way I can get them to connect is by putting all 4 cards in the two aps on 5180. If I move to any other frequency I lose connection. This is true to even if I change all 4 cards to something like 5780. The second I change them back to 5180, every...

lctn

I am running nstreme dual on two 532 boards with cm9s. According to the docs I should separate TX and RX by 200 Mhz. By default the config uses frequency 5180, so I left TX there, and set RX to 5320. I set both radios (boxes) to this. As soon as I change RX to 5320 the radios lose connectivity, if I...

lctn

I have attempted to set up nstreme-dual according to the docs I found on the subject. The radios are not connectiong, so, obvioulsy, I am missing something and could use some advice. Here is what I have done so far. I am using RB532 boards with two cm9 cards each. Enabled all interfaces Made sure WD...

lctn

Is it necessary to use nstream on a link like this?

lctn

I am heading up a project that will implement 2 connections using nstream dual. These connections are each point to point. At this time I have selected RB532 boards, with cm9s , and dual feed horns with a 28 db grid dish for our 10 mile connection, and the same boards with cm9s, but am using 4 pa58-...

lctn

I was having trouble restoring a config from an old radio to a new one and figured out it was because they were different boards with different hardware. I am sure this will always be the case if a board dies in the future and I have to replace it. Is there a way to grab a text file of the config in...

lctn

I used the drag and drop feature of winbox from one radio to the next, but when select "restore" I get an error:

"Couldn't restore, invalid file name (6)

The file name is

MikroTik-04042006-1054.backup

lctn

Would you create a backup or just grab a specific file from the file list?

lctn

I am using 2.9.18 OS. I backed up one routerboard and am trying to restore it to a new board, but I am getting the following error:

Couldn't restore configuration. File too short (6).

I have used telnet and winbox to do the backups, but get the same error.

Search found 158 matches