MikroTik

JanJoh

So, while I have never been a big fan of the Queues in RouterOS, I usually have been able to get them to do what I want. But not this time. RB 760, with 7.2.3 eth1 connected to a 10M/10M link, delivered over gigabit copper. eth4 connected to a switch that in turn connects a few appliances eth5 gener...

JanJoh

Hello! I received a WAP LTE to replace a broken 4G modem. The old setup was some old Huawei, connected to our RB2011UiAS-RM. The 2011 was set up as a pretty standard NAT/DHCP-appliance for the devices behind it. So far so good. The RB2011 got its WAN address from the Huawei. Simple as it gets. BUT, ...

JanJoh

Noooooo... I don't beleive it... I had it correctly on my first try... i goofed the IP address when entering IP in the browser on my tablet... GAAAAH!

JanJoh

Uhm. Okay.. From my iMac running OSX10.11 the configuration works as it is. I can access stuff behind the router.

But not from an iOS device.

JanJoh

So, i followed this http://forum.mikrotik.com/viewtopic.php?f=2&t=112189#p557274 And my ipad can now connect via IPSEC adn i can view the routers homepage by acessing 172.25.75.1, yay! Then i tried a firewall rule to allow forwarded traffic from the l_j2 interface to 172.25.74.20 but, i am still...

JanJoh

Ok... Now i feel silly, but i found the problem with my original bridging firewall. I just needed a catch-all rule for the bridge to allow all traffic that was not blocked by previous rules... I messed up my sequencing of rules..

However.. Live and learn i guess?

JanJoh

There is a way to do this with layer3 forwarding and not having to renumber anything. The ethernet interface which is connected to the servers can work as an unnumbered interface. Let's say ether2 is this interface, and ether1 is the ISP interface. On these two interfaces, set arp=proxy-arp Configu...

JanJoh

OK, I thought I either needed to use a NAT or a route or bridge to filter. Nope, NATing can be used for various things, most commonly it is to mask an internal (private) IP address with an external (Public) IP address. Bridges, on Mikrotiks, are like SVI's on Cisco. It allows you to create a virtua...

JanJoh

That won't work. Some VMs have static IPs that simply can not be changed. The MT has been dropped in front of the machine to filter traffic as some of the VMs are exploitable. You haven't provided any information on why it won't work. There's no need to change IPs; you're already filtering traffic....

JanJoh

Why are you trying to bridge the firewall instead of simply creating rules that permit and or deny traffic? Use the "chain=forward" for the internal traffic. Configure a srcNAT with relevant networks being allowed to access the internet via it - ensure that you use masquerade. That won't ...

JanJoh

Ok, I have a RB2011UiAS Port 3 is upstream to my CoLoc (just the way it got wired up) Port 2 is connected to the primary interface of a vmware-box. Port 5 is connected to the IPMI interface of my box. Port 1-3 is assigned to "bridge-outside" and all seem well. What I would like to do now i...

JanJoh

Ok, I hava CRS on dynamic IP in my house. I have been reading up trying to figure out which is the "best "solution to be able to VPN to home from Windows/OSX/iPhone/Android (Yeah.. we sorta use 'em all, and none of the mobile devices are rooted/jailbroken... :) ) I have not been able to fi...

JanJoh

Anyway... I received the 2011 UiASRM that I had overnighted from Euro DK. And it appears my "kludge" works nicely. Ports 1-2 as a switch, and the troublesome NIC's behind a NAT. I'm happy, and it was a cheap solution. have you used switch rules??? or software bridge?? Neither. Ending up c...

JanJoh

Any and all help would be apprectiated. Could be a MAC address-lock with your provider. 1. Remove ethernet cable from modem 2. Power off modem 3. Leave modem powered of for an hour (ok, longer then needed, but still) 3. power up modem 4. Connect cable between modem and port 1 of Mikrotik. Any diffe...

JanJoh

After restarting everything for the 1000th time, somehow along the way the router started working, lord only knows why. Now to my next problem. Ran a speed test on our current router, its a NetGear, got 365mb download speed. Then ran exact same test with Mikrotik router, got 240mb download speed. W...

JanJoh

No internet access after adding an ip address that my ISP gave me how can i get back into my routerBoard, HotSpot, Userman and winbox are not connecting to my router again. RouterBoarb 951Ui-2HnD, Firmware v3.17

Do NOT hijack threads. Start your own.

JanJoh

Anyway...

I received the 2011 UiASRM that I had overnighted from Euro DK. And it appears my "kludge" works nicely. Ports 1-2 as a switch, and the troublesome NIC's behind a NAT.

I'm happy, and it was a cheap solution.

JanJoh

"Does somebody see a mistake?" Yeah... You are asking your unit to send ALL traffik to port 5000 to the internal NAS. Think about that a moment... ALL traffic to port 5000. REGARDLESS of destination address and REGARDLESS of source address will be processed by your rule. So, the rule does ...

JanJoh

Just realized something... I may have been loking at this the wrong way. I dont really need bridging. I could change the IP of my IPMI management card, and use the third NIC on the machine for management traffic. Hence, i could nat those two interfaces, and just connect the current NIC straight to t...

JanJoh

maybe a rb951g, its cheap, same cpu as crs125 and the integrated switch support rules that in theory can do the job of filtering i repeat, in theory (i have not tested) at wire speed without use of cpu beware rb951Ui integrated switch do not support rules Well, I need rack mounted equipment for the...

JanJoh

Depends on the load you want to pass through. Maybe using a switch to do bridging firewall is not a good idea due to expected low performance. If it is not your concern, implement the brute force rule set with address lists. Use the search function to find some examples. Well, i have a 100Mbps pipe...

JanJoh

Hello! I have been looking in the wiki, and googled and I think what i am after is simple, but i would like to verify. Basically, I've got a piece of equipment which is suseptible to DOS (Or rather, repeated failed login attempts to SSH makes it hang, and SSH cannot be disabled), out of support and ...

JanJoh

any sugestions?! I'd like to block the images when URL is https://www.google.pt/#q=sex Please help You can not really do that. As you are aware, SSL-traffic is encrypted. There are solutions for this, in which you use a proxy solution with two certificates. The firewall then can decrypt the query, ...

JanJoh

We bout tp-links before Mikrotik, but I have one old linksys wrt54g witch i can use as well. Problem is that i can not buy new equipment this year (company rules) :-(. So maybe some help regarding this ? Thanks Well, you certainly have picket the wrong hardware. I agree with previous poster that th...

JanJoh

Hello! I am trying to find a way to monitor CPU-load on the CRS, but i cannot find a OID for this,all i have is [admin@MikroTik] > /system resource print oid uptime: .1.3.6.1.2.1.1.3.0 total-memory: .1.3.6.1.2.1.25.2.3.1.5.65536 used-memory: .1.3.6.1.2.1.25.2.3.1.6.65536 cpu-frequency: .1.3.6.1.4.1....

JanJoh

Phase2 settings differ. On ROS you have 3des in Phase2 (default proposal), in pfSense is aes-128 chosen.

Good catch, i suppose thats what happens when you stare at a problem for too long

But, changing that did not make much difference.

Maybe i should just start over from scratch.

JanJoh

Ok, I've done some searching, and som experimenting, and not really getting anywhere. I have attached a quick sketch, and screenshots of pfSense. The machines on both sides have "internet access" via the FW on each side, so routing/nat seem ok. I realize that right now i am using static co...

JanJoh

I may be doing something silly, but it would appear that the "Hey, look at me guys, I am now a hub!"-behaviour of my CRS125 has returned after upgrading to 6.13 But the previous fix command (/interface ethernet switch port set [find] learn-restricted-unknown-sa=yes) does not seem to be acc...

JanJoh

I want to configure the CRS125 so port one is uplink and all other ports are downlink. Basically port 1 can talk to any port but port 5 can only talk to port 1 for security. The PPPoE server will go on port 1 for example. So how would you set that up? It would appear that you are talking about what...

JanJoh

Is there are way to resolve external dns:port requests to internal destination on the same ports ? ? Yes, there is. But it will not help in your case :) This is what SRV-records are meant for, but that of course means that the application needs to be SRV-aware, which i am willing to bet is not the ...

JanJoh

Ok, this is probably a "non starter", but why not ask. I have a /26-subnet assigned at a colocation provider where i run a handful och Machines. Now i have moved one of those Machines to my home for maintenance. I wonder if it would be possible to set up a subnet locally but only route SOM...

JanJoh

Hello. I know how to block users to access internet if they are not in MAC address list and or dont have IP from DHCP server. But what if some users brings own router and clone mac address from registered pc? We have this problem with some users which using router and give connection to friends (no...

JanJoh

So until then my best option is to return the 2 x CRS-125-24G to the re-seller, and to buy another switch that can fit my needs. I am sorry for the time spent on this. Thx. a lot for yours kindly responses! It depends on what you mean by "best option". But yes, as i have understood it, if...

JanJoh

This link http://www.smallnetbuilder.com/lanwan/lanwan-howto/30071-vlan-how-to-segmenting-a-small-lan?start=2 show it is possible what I want with VLANs and without any L3 firewall roules! It is not exactly my test case, but is very close to what I want . Yes, you can easily define that infrastruct...

JanJoh

That does not matter. VLAN are not magical. As log as you want "something to see something on Another interface, but NOT something at Another interface" that is a firewall. You will need to maintain your firewall with or without vlan. It does not matter if it says "Mikrotik", &q...

JanJoh

I want to use VLANs not firewall rules. I can not change the firewall ervery day because a client are gone from SW1 and is now in SW2, or maybe I missunderstood you? That does not matter. VLAN are not magical. As log as you want "something to see something on Another interface, but NOT somethi...

JanJoh

So, it can be done, but I lose a lot on the switch bandwith/performance/load?

Yes.

JanJoh

So, what is the subnet-configuration for all segments then? You said you could not alter the layout, so you must have access to this information. Like I wrote: All devices are in the same network IP space(172.16.23.x/24); Okaaaayyyy...... In that case, you will a number of bridges, and (and this is...

JanJoh

Ok, I try again: SW1,2,3 = switch SRV1,2 = server PC1,2 = management PC CRS-125 ports : V1,V2,W1,W2,W3,C1,C2 All devices use untag traffic( access ports ) on CRS - this devices do not have any vlan capabilities !! ACCESS rules : SRV1,SRV2: can access each other, and can be accesible from SW1. SW2, ...

JanJoh

I am installing a CRS-125-24 as a routed/switch. I have assigned a static to eth-1 and masqueraded internal ether ports. The device is working properly on all outbound traffic. When I attempt to access the csr-125 from internet, the device does not respond other than to a ping on the public address...

JanJoh

JanJo, I can not change my IP infrastructure. But I can use vlans. If it no possibile with this Mikrotik switch, ok, I will buy another switch from another brand maker. I do not have another option to solve this! Well, your original post is (quite frankly) extremely hard to understand. I atleast si...

JanJoh

But more on topic, I really see nothing in your post which indicates why you must use VLAN. Why not just stick everything in different subnets and just use routing/firewalling? What is your motivation to specifically use VLAN? If you DO wish to use VLAN, you will need to be more specific about your ...

JanJoh

- it is not legal in my country(EU country) to sold this kind of stuff without at lest 2 year warranty (but mikrotik sold this with 1 year); Well, since I went to law school (in another EU country) for quite a few years, and have worked quite a few years with international logistics of consumer pro...

JanJoh

Basically, I have my CRS as a "Normal home gateway", a 100/100 internet connection to interface 1, a basic NAT-setup, and a few inbound NAT. But, performance is pretty dissapointing to say the least My ISP has a special testing program which you are supposed to run, and it gives the follow...

JanJoh

Thank you so much for this info I get some idea from it, put please guide me to configured by video if passible for three 3G USB modem please. First of all, just a Control question. Are you doing this because you think you will be able to combine all the modems into a "single pipe" with b...

JanJoh

Ok, rebooting this question as the installation did not really occur as I had expected. The scenario is the same, but the zyxel ata-adapter is no longer connected to the Mikrotik. I have a switch elsewhere in the house to which the ATA is connected. In the attached drawing I want to obtain a setup w...

JanJoh

Rx is received from the view of that interface.
Tx is transmitted from the view of that interface.

I am not clear on what you actuallt find confusing?

JanJoh

We distribute both Mikrotik and ZyXEL so hopefully we can help. How is your Internet IP service delivered to you ? Has your provider given you a /29 subnet where First (or last) usable address is the Gateway you use ? Nope, no proper subnet. You get up to five addresses via DHCP. They are just indi...

JanJoh

You should create a bridge and add 2 ports. One coming from the ISP and the second one connected to the Zyxel. Let your ISP give you an public IP on that bridge for internet. Yeah, but will "everything" work if I add ether1-gateway to a bridge? No issues with masquerading of current setup...

JanJoh

Hello forum! Long time nerd/networker, but first time MikroTik user here! So, i bought a CRS125-24G-1S-RM given that it seemed to represent a very good value for money. It does, however, scare the crap out of me from a feature perspective given then price. Anyhow, I have got it pretty basic now. eth...

Search found 50 matches