Community discussions

Search found 43 matches

by j7n
Sat May 30, 2015 3:19 pm
Forum: Forwarding Protocols
Topic: Port forwarding issue. Help please.
Replies: 16
Views: 4028

Re: Port forwarding issue. Help please.

ALX1S, please keep your posts related to this problem into your own single thread. It's unlikely that your setup matches what is discussed here, aside from the fact that it also involves NAT. Synkronice, I'm afraid I do not have a good understanding how VRRP works. I didn't notice it at first. :oops...
by j7n
Sat May 30, 2015 6:51 am
Forum: Beginner Basics
Topic: Slight overloading connection causes errors on Miktorik
Replies: 27
Views: 3095

Re: Slight overloading connection causes errors on Miktorik

I can see you're using the switch chip for lan-to-lan, and not the router's CPU. set [ find default-name=ether2 ] comment=LAN set [ find default-name=ether3 ] master-port=ether2 set [ find default-name=ether4 ] master-port=ether2 set [ find default-name=ether5 ] master-port=ether2 It should be able ...
by j7n
Tue May 19, 2015 9:06 pm
Forum: Forwarding Protocols
Topic: Port forwarding issue. Help please.
Replies: 16
Views: 4028

Re: Port forwarding issue. Help please.

Looks like we are on to something. The connection is "invalid" because the webserver is sending Syn,Ack over what to the firewall appears to be a new, entirely different connection, not yet started with Syn. (this is probably wrong) If you want the web service to be available on both WANs simultaneou...
by j7n
Tue May 19, 2015 8:07 pm
Forum: Forwarding Protocols
Topic: Port forwarding issue. Help please.
Replies: 16
Views: 4028

Re: Port forwarding issue. Help please.

Do you have multiple WAN links with policy routing: "efm" and "adsl"? I'm considering the possibility that the response from the webserver might be going out over a wrong interface by default, not "bridge-efm" where the connection came in from. If you don't have Wireshark installed, you could use To...
by j7n
Tue May 19, 2015 4:26 pm
Forum: Forwarding Protocols
Topic: Port forwarding issue. Help please.
Replies: 16
Views: 4028

Re: Port forwarding issue. Help please.

Since there is only 1 log entry for dst-nat, and none for "my firewall rule", it seems that port forwarding was done correctly, but the connection was subsequently dropped by the firewall. Dst-nat acts on the packet before Filter does, and has rewritten the destination address and port. Try replacin...
by j7n
Tue May 19, 2015 2:55 pm
Forum: Forwarding Protocols
Topic: Port forwarding issue. Help please.
Replies: 16
Views: 4028

Re: Port forwarding issue. Help please.

I think the Accept rule doesn't match your connection because, by the time you are filtering in the Forward chain, the dst-port is already 80, and dst-address is 172.16.0.226. Normally the ports are the same and this does not become an issue.
by j7n
Mon May 18, 2015 7:29 am
Forum: Beginner Basics
Topic: Problem with mangle rule for UDP port 53 (DNS)
Replies: 4
Views: 2186

Re: Problem with mangle rule for UDP port 53 (DNS)

If I understand correctly, you want to use Unbound DNS server on another machine instead of the caching server built into RouterOS. Maybe you can give out the address of the Unbound box directly to the clients, and not do any redirection? If not: The src-address or in-interface of the Unbound box sh...
by j7n
Mon May 18, 2015 3:18 am
Forum: Beginner Basics
Topic: Problem with mangle rule for UDP port 53 (DNS)
Replies: 4
Views: 2186

Re: Problem with mangle rule for UDP port 53 (DNS)

Maybe your connection is already marked by another rule in the Prerouting chain, which comes before Input according to the Packet Flow. I'm not sure you can redirect a packet once it reaches Input, and is already going into the router, or can you? The typical place where you'd make the redirect is...
by j7n
Thu May 14, 2015 6:52 pm
Forum: Beginner Basics
Topic: NAT help
Replies: 2
Views: 541

Re: NAT help

I think hairpin NAT in combination with dst-address-type=local instead of one specific dst-address or in-interface will solve this problem. This will make port forwarding work on any of the router's interfaces. /ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.1.0/24 src-address=\...
by j7n
Thu May 14, 2015 6:29 pm
Forum: RouterBOARD hardware
Topic: Router performance for FTTH (fiber to home) - 200 Mo download
Replies: 7
Views: 3376

Re: Router performance for FTTH (fiber to home) - 200 Mo download

I measured the performance between 2 Gigabit Ethernets with NAT. I get 260 Mbit with 10 f/w, 24 NAT, 15 Mangle rules with a couple address lists. After I disable everything in /ip firewall except 4 NAT rules to continue the test and maintain connection to the Internet, I get 370 Mbit. I transferred...
by j7n
Wed May 13, 2015 10:55 am
Forum: Beginner Basics
Topic: Help with firewall and NAT
Replies: 1
Views: 563

Re: Help with firewall and NAT

One thing to note is that if you want to affect an SSH server running on another computer, not on the router itself, those rules have to go into the forward chain, not input, or perhaps jump from forward into a custom chain for detailed inspection which is applicable only to ssh. While in forward, ds...
by j7n
Wed May 13, 2015 3:14 am
Forum: Beginner Basics
Topic: can't access my dvr from outsite
Replies: 26
Views: 3662

Re: can't access my dvr from outsite

service under modem : dvr1 9000 9000 192.168.1.110 dvr 80 80 192.168.1.110 These services should be forwarded to the mikrotik 20 (so that it can then translate the request further to the DVR) and not 110 (which doesn't exist in the new configuration). I suggested using another PC so that you have a...
by j7n
Wed May 13, 2015 12:55 am
Forum: Beginner Basics
Topic: can't access my dvr from outsite
Replies: 26
Views: 3662

Re: can't access my dvr from outsite

no app. on the modem ( media port of dvr 9000) There has to be an entry under Applications & Gaming: Name1 80 80 TCP 20 Enable Name2 9000 9000 TCP 20 Enable ..followed by anything else also needed.. couldn't reach outside this LAN Please clarify what you tried. Right now you have two LANs, one dire...
by j7n
Tue May 12, 2015 11:45 pm
Forum: Beginner Basics
Topic: can't access my dvr from outsite
Replies: 26
Views: 3662

Re: can't access my dvr from outsite

It should work even if the solution is not optimal. What is the current IP configuration on the DVR (address, subnet, gateway)? What do you have under Applications & Gaming on the modem (its own NAT)? Break the problem into steps: Can you reach the DVR from another PC on the same LAN? Can you reach ...
by j7n
Tue May 12, 2015 2:42 am
Forum: Beginner Basics
Topic: can't access my dvr from outsite
Replies: 26
Views: 3662

Re: can't access my dvr from outsite

I agree, avoiding double-NAT would simplify the setup. Otherwise... If the DVR is behind the Mikrotik, its IP should be in range 192.168.88.0/24 such as 192.168.88.110, and its gateway should be the Mikrotik 192.168.88.1. Reduce the size of the "dhcp" pool to make room for the DVR, or assign its MA...
by j7n
Sun May 10, 2015 1:41 am
Forum: Beginner Basics
Topic: What are your bad blocks percentages and router age?
Replies: 5
Views: 1167

Re: What are your bad blocks percentages and router age?

uptime: 33w4d5h57m44s version: 6.10 cpu: MIPS 74Kc V4.12 free-hdd-space: 109.5MiB write-sect-since-reboot: 203548 write-sect-total: 404999 bad-blocks: 0% board-name: RB2011UiAS-2HnD I believe the counter was reset after I upgraded ROS one time in total. I use graphing, saved to disk every 24 hours. ...
by j7n
Thu Jul 03, 2014 3:18 pm
Forum: RouterBOARD hardware
Topic: rb2011 lcd burn-in ?
Replies: 9
Views: 2791

Re: rb2011 lcd burn-in ?

Today I noticed LCD burn-in on one of my RB2011's as I dusted it off. I could clearly see faint rectangles and text of the main menu on top of all screens. I had set the LCD to read-only to prevent accidental configuration changes, and haven't accessed it for a couple months at least. The backlight ...
by j7n
Wed May 28, 2014 2:44 pm
Forum: Beginner Basics
Topic: How do I port forward and limit connections to specific IPs
Replies: 2
Views: 1665

Re: How do I port forward and limit connections to specific

This should work just fine to limit the availability of these servers to specific src-addresses. Any NAT rule can have src-address or src-address-list added to it if needed. I have used it to limit access to a SMB share. You can even have different servers for different source IPs on the same port. ...
by j7n
Mon May 19, 2014 10:33 pm
Forum: Beginner Basics
Topic: Hairpin NAT
Replies: 1
Views: 1674

Re: Hairpin NAT

I think dst-address can't be 1.1.1.1 and belong to localNet 192.168.1.0/24 at the same time. add action=masquerade chain=srcnat comment=masquerade dst-address-list=localNet src-address-list=localNet The above masquerade may work. I've only done this with a specific IP: action=src-nat to-addresses=1....
by j7n
Sat May 17, 2014 1:31 pm
Forum: General
Topic: WinBox clears Clipboard
Replies: 0
Views: 448

WinBox clears Clipboard

I have observed that WinBox from version 6.10 clears the Windows clipboard if I click in a text or combo box field to dismiss the context menu (cut/copy/paste/select all). For example, if I have a network address on the clipboard, and try to paste it into IP/Firewall but pick the wrong field for it,...
by j7n
Tue May 06, 2014 10:29 pm
Forum: Beginner Basics
Topic: Loadbalancing with 2 ISP's
Replies: 5
Views: 1603

Re: Loadbalancing with 2 ISP's

Add back the mark-routing actions in the prerouting chain that you appear to have removed, otherwise the connection marks have no effect. add action=mark-routing chain=prerouting connection-mark=mangle_BGC \ in-interface="Bridge LAN" new-routing-mark=routing_BGC add action=mark-routing chain=prerout...
by j7n
Mon May 05, 2014 9:53 pm
Forum: Beginner Basics
Topic: Loadbalancing with 2 ISP's
Replies: 5
Views: 1603

Re: Loadbalancing with 2 ISP's

I would also exclude ports from PCC, as MovingNetworksForward suggested, to keep protocols and web sites requiring multiple connections always see the same address for each client. Otherwise some FTP servers will not work, and some webpages require repeated logins, for example.
by j7n
Mon May 05, 2014 6:43 pm
Forum: Beginner Basics
Topic: Loadbalancing with 2 ISP's
Replies: 5
Views: 1603

Re: Loadbalancing with 2 ISP's

I believe these two lines are incorrect. /ip firewall mangle add action=mark-connection chain=prerouting dst-address-type=local in-interface="Bridge LAN" new-connection-mark=mangle_BGC per-connection-classifier=both-addresses-and-ports:1/0 add action=mark-connection chain=prerouting dst-address-type...
by j7n
Mon May 05, 2014 1:38 pm
Forum: General
Topic: system profiler and "unclassified" taking all CPU
Replies: 6
Views: 3950

Re: system profiler and "unclassified" taking all CPU

Perhaps you have the System -> RouterBoard window, which shows the BIOS version, open in Winbox?
by j7n
Mon May 05, 2014 12:54 pm
Forum: Beginner Basics
Topic: How to drop private-ip from internet to private network lan?
Replies: 6
Views: 1153

Re: How to drop private-ip from internet to private network

1) chain mangle prerouting - mark 'drop' where in=wan and dst=private-nets and dst!=R2-ip-addres 2) chain firewall forward - drop when mark=drop I am using this set of rules. Why do you not consider them optimal? I don't see any dropping options during Prerouting. specifically dont know how how to ...
by j7n
Fri May 02, 2014 10:34 am
Forum: RouterBOARD hardware
Topic: RB850Gx2 - Release date?
Replies: 193
Views: 47752

Re: RB850Gx2 - Release date?

What is the expected throughput increase of this router over the RB2011?
by j7n
Thu May 01, 2014 9:06 pm
Forum: Beginner Basics
Topic: smb from nas
Replies: 1
Views: 890

Re: smb from nas

Forwarding port 445 (Direct-SMB) to a Windows machine would allow to connect to its SMB service. See if the same works on the NAS. Try accessing the share from your LAN first by typing the device's IP address in Explorer. When dealing with Windows computers, I was only able to connect by IP or by t...
by j7n
Thu Apr 24, 2014 5:23 am
Forum: General
Topic: Save status counters and reload after reboot
Replies: 0
Views: 429

Save status counters and reload after reboot

Is it possible to save some status counters like traffic per interface and total sector writes to flash? I have chosen to save Graphing every 24 hours and that is happening. But total sector writes are being reset after unexpected reboots.
by j7n
Thu Apr 24, 2014 3:28 am
Forum: General
Topic: Is SMB reliable for you?
Replies: 3
Views: 915

Re: Is SMB reliable for you?

I am trying to connect from three Windows XP machines. Problems seem to occur on only one of them. I first tried to use direct UNC path. Mapping a network drive is a less elegant solution because the drive (with nearly no capacity) becomes visible to users. On the problematic computer Explorer would...
by j7n
Wed Apr 23, 2014 2:01 am
Forum: General
Topic: Is SMB reliable for you?
Replies: 3
Views: 915

Is SMB reliable for you?

I tried to host a few small configuration files on my RB2011 running ROS 6.10. Those files were supposed to be shared by several computers on my network to avoid the need to upload them to each machine. I made a directory called "conf" on the built in NAND, and created a SMB-internal user called Adm...
by j7n
Sun Apr 20, 2014 3:48 pm
Forum: Beginner Basics
Topic: Simple queue: Download speed is affected by Upload limit
Replies: 3
Views: 1317

Re: Simple queue: Download speed is affected by Upload limit

You could mark packets in Mangle where packet-size=150-9900, queue those, and leave small packets like ACK's unlimited. I believe 150 is the smallest packet µTorrent can use for payload. I have observed a strange effect where libtorrent/rtorrent clients would download no faster than their upload (ou...
by j7n
Thu Apr 10, 2014 11:13 am
Forum: General
Topic: [WINBOX] MultiTab
Replies: 19
Views: 3690

Re: [WINBOX] MultiTab

The Windows Taskbar, if configured for easy access (i.e. no icon grouping), is already equivalent to a "tab bar" and works well. It is my understanding that routers running different OS versions have entirely separate Winbox'es (sharing the loader). Is it at all straightforward to combine them into ...
by j7n
Mon Apr 07, 2014 10:20 am
Forum: Beginner Basics
Topic: Remote Winbox connection with two WANs
Replies: 3
Views: 1905

Re: Remote Winbox connection with two WANs

The information in Manual:PCC might be useful. You don't have to use PCC if you don't need it. In the Prerouting chain it should be possible to mark connections destined to the router. Also mark the packets belonging to those connections in Output. It is working for me to access router's services un...
by j7n
Fri Apr 04, 2014 10:09 pm
Forum: Beginner Basics
Topic: Access own public internet IP from local LAN
Replies: 6
Views: 3746

Re: Access own public internet IP from local LAN

You could avoid having separate port forwarding rules for traffic coming from LAN and WAN, by using "dst-address-type=local" to match the address of any router's interface. /ip firewall nat add action=dst-nat chain=dstnat dst-address-type=local dst-port=1234 protocol=tcp to-addresses=192.168.88.22 t...
by j7n
Fri Mar 21, 2014 3:39 pm
Forum: Beginner Basics
Topic: local name resolution
Replies: 10
Views: 10353

Re: local name resolution

I would start with using Winbox / Tools / Packet Sniffer configured to filter destination port 53 to see if DNS requests are made, to what destination, and also what is the content of the packets (if the names contain any suffix). Before every repeated lookup with ping, I'd use ipconfig /flushdns. ...
by j7n
Thu Mar 20, 2014 3:47 pm
Forum: Beginner Basics
Topic: Drop requests to NTP server while allowing NTP client
Replies: 8
Views: 4064

Re: Drop requests to NTP server while allowing NTP client

"connection-state=new" worked as you said; I just tried to get time from an Internet host and couldn't. I thought that options with connection/established would apply to UDP. There is indeed a 'connection' added with the UDP stream timeout, 01:00 on my system. I am connecting to two fixed NTP server...
by j7n
Thu Mar 20, 2014 1:10 pm
Forum: Beginner Basics
Topic: Drop requests to NTP server while allowing NTP client
Replies: 8
Views: 4064

Drop requests to NTP server while allowing NTP client

I had this firewall rule until now to prevent requests to DNS and NTP from WAN. But after a system crash I noticed that my NTP Client wasn't syncing time. After troubleshooting I found that the source port of the udp connection was also 123 and server replies were captured. add action=drop chain=inp...
by j7n
Mon Mar 17, 2014 9:21 pm
Forum: Beginner Basics
Topic: Port forwards only work inside?
Replies: 3
Views: 1189

Re: Port forwards only work inside?

0 chain=dstnat action=dst-nat to-addresses=192.168.0.34 to-ports=9987 protocol=udp dst-port=9987 Without any dst-address, this rule will prevent communication with other internet servers on port 9987. Add "dst-address-type=local". It should work anyway, unless there are more firewall rules below 9 ...
by j7n
Sat Mar 15, 2014 4:51 pm
Forum: Beginner Basics
Topic: Dual WAN with PCC, can't receive ICMP from router
Replies: 0
Views: 1031

Dual WAN with PCC, can't receive ICMP from router

I have configured two WAN links, to eth6 and wlan1 of the RB2011 with static IPs. Destinations from address lists "balticom" and "ltk" always use link one or two respectively. Host 192.168.15.17 always uses WAN link one. The rest are divided equally using PCC. The problem is that I can no longer use...
by j7n
Sat Mar 15, 2014 2:57 pm
Forum: Beginner Basics
Topic: High CPU usage of Winbox on RB2011
Replies: 7
Views: 3585

Re: High CPU usage of Winbox on RB2011

I have solved this problem. The CPU usage was caused by an open System -> RouterBoard window, which opened by default after upgrade and reboot, and was hidden behind other windows. After closing it, CPU load is at 10% now.
by j7n
Fri Mar 14, 2014 5:58 pm
Forum: Beginner Basics
Topic: High CPU usage of Winbox on RB2011
Replies: 7
Views: 3585

Re: High CPU usage of Winbox on RB2011

I did not know about the Profile tool. The category is unclassified. Now that I can look closer, if I create a 100 MBit connection, the percentage under 'unclassified' goes down, allowing the data transfer to take place normally. Then it rises again. http://dl.dropboxusercontent.com/u/61700377/scre...
by j7n
Thu Mar 13, 2014 10:41 pm
Forum: Beginner Basics
Topic: local name resolution
Replies: 10
Views: 10353

Re: local name resolution

This problem has to be solved in your Windows DNS client. Ping, as well as most other Windows software, uses its various methods of name resolution (dns, wins, Netbios) and cache. Nslookup bypasses it, and simply interprets the response of one chosen DNS server. To resolve the problem, go to your ne...
by j7n
Thu Mar 13, 2014 5:06 pm
Forum: Beginner Basics
Topic: High CPU usage of Winbox on RB2011
Replies: 7
Views: 3585

High CPU usage of Winbox on RB2011

I have purchased an RB2011 and upgraded RouterOS to v6.10 yesterday. It came with v6.5. I am observing high CPU usage when Winbox is open and the router is practically idle (6 interfaces are up, no traffic). CPU load is 60-70 percent. When Winbox is closed, the Touchscreen reports 8-10 percent load....