Community discussions

Search found 473 matches

by JJCinAZ
Mon Apr 22, 2019 7:23 pm
Forum: Scripting
Topic: DHCP Lease script - execution order wrong?
Replies: 7
Views: 545

Re: DHCP Lease script - execution order wrong?

Here's a quick try at it:
# mac-address is case sensitive -- use upper only
:local x [/ip dhcp-server lease find where mac-address="20:3A:07:F2:B6:3F"]
:if ([:len $x] = 0) do={
    # not found
    /tool fetch http-method=put url="http://192.168.1.25:8080/rest/items/pres_ch/state" \
        mode=http http-header-fie...
by JJCinAZ
Mon Apr 22, 2019 1:59 am
Forum: Scripting
Topic: DHCP Lease script - execution order wrong?
Replies: 7
Views: 545

Re: DHCP Lease script - execution order wrong?

Yeah, not surprising there's a race condition there and it would be difficult for the DHCP server to serialize since it would have to have a single pipeline or a pipeline per-mac address which would be a lot of complication. You could try writing the script so that it doesn't care if it's an assignm...
by JJCinAZ
Mon May 30, 2016 5:52 pm
Forum: RouterBOARD hardware
Topic: RB1100still relevant for purchase or go CCR?
Replies: 5
Views: 1010

Re: RB1100still relevant for purchase or go CCR?

Have you looked at the rb850? Inexpensive, fast, hardware AES. It doesn't have the SFP but it sounds like that isn't a must.
by JJCinAZ
Tue Dec 15, 2015 1:16 am
Forum: General
Topic: IPv6 ND router-preference
Replies: 3
Views: 1029

Re: IPv6 ND router-preference

I'm adding my vote to this as well.

Joe
by JJCinAZ
Fri Nov 13, 2015 5:53 pm
Forum: Forwarding Protocols
Topic: 433AH OSPF Issue? V6.X
Replies: 3
Views: 1063

Re: 433AH OSPF Issue? V6.X

You would need to disable IPv6 to get rid of OSPFv3
by JJCinAZ
Sat Oct 24, 2015 1:27 am
Forum: General
Topic: Force traceroutes to always respond from loopback IP
Replies: 1
Views: 607

Re: Force traceroutes to always respond from loopback IP

This is normally accomplished by adding a route filter in OSPF as follows:
/routing filter add chain=ospf-in set-pref-src=[/routing ospf instance get default router-id]
However, this "broke" or changed somewhere between 6.3 and 6.30.4 (I didn't test in which exact version it changed). Apparently it'...
by JJCinAZ
Sat Oct 24, 2015 1:16 am
Forum: Scripting
Topic: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11
Replies: 17
Views: 3048

Re: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11

Right after your line:
:local date [ /ip hotspot user get $i comment ]
Add a log:
:local date [ /ip hotspot user get $i comment ]
:log info "DATE IS:$date"
You'll see something you don't expect to be in the comment.
by JJCinAZ
Wed Oct 21, 2015 7:04 pm
Forum: General
Topic: Duplicate MAC after Backup/Restore
Replies: 1
Views: 974

Re: Duplicate MAC after Backup/Restore

No you can't. The backup/restore is not meant to be used to duplicate configurations like that. You should try an "export compact" and then import/paste it into a new blank router. The export compact doesn't normally export any MAC addresses for Ethernets. You can also reset the MAC addresses to fac...
by JJCinAZ
Mon Oct 19, 2015 9:41 pm
Forum: Scripting
Topic: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11
Replies: 17
Views: 3048

Re: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11

Try logging the date variable each time through the loop.
by JJCinAZ
Mon Oct 19, 2015 6:16 pm
Forum: Scripting
Topic: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11
Replies: 17
Views: 3048

Re: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11

Right, so $days is wrong and that comes from the variable $date which comes from a hotspot user comment:
:local date [ /ip hotspot user get $i comment ]
So clearly, one of your hotspot users doesn't have a comment in the expected format.
by JJCinAZ
Mon Oct 19, 2015 5:21 pm
Forum: Scripting
Topic: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11
Replies: 17
Views: 3048

Re: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11

You should try inserting some ":log info ()" commands to debug your code. For example ...
:foreach i in [ /ip hotspot user find where profile=PRIVATE ] do={
    :if ([ :find [ /ip hotspot user get $i comment ] ] = 0 ) do={
        :local date [ /ip hotspot user get $i comment ]
        :local montharray ( "jan","feb","...
by JJCinAZ
Tue Sep 29, 2015 9:05 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1517

Re: Unpingable IP's on local network

I haven't used that selector in the mangle, but I think it only applied to traffic destined for a process on the router. Your intra-LAN traffic is not destined for a process on the router.

Instead of "dst-address-type=!local" you could try "dst-address=!192.168.0.0/16".
by JJCinAZ
Tue Sep 29, 2015 7:51 pm
Forum: General
Topic: Unpingable IP's on local network
Replies: 16
Views: 1517

Re: Unpingable IP's on local network

You're adding a route mark to all traffic, including that from 192.168.1.0/24 <->192.168.3.0/24. By adding the route mark, you are causing the traffic to only use routing table entries with those route marks and if you look at your routing table, you have no route to 192.168.1.0/24 or 192.168.3.0/24...
by JJCinAZ
Tue Sep 29, 2015 7:36 pm
Forum: RouterBOARD hardware
Topic: How often can I write to MT flash?
Replies: 1
Views: 560

Re: How often can I write to MT flash?

Well, some quick back-of-the-envelope calculations say that if you write once per hour, then you're writing 24MB per day. Now let's assume you have a 64MB flash with 32MB free, so let's assume that you're overwriting the 32MB free only, and that means you're overwriting the 32MB every 1.3 days. If the...
by JJCinAZ
Mon Sep 28, 2015 6:56 pm
Forum: Beginner Basics
Topic: Problem with Simple script
Replies: 4
Views: 787

Re: Problem with Simple script

Sorry, left out a line:
:local traf
:local dntraf
:local uptraf
:local s
:local a
/queue simple
:for i from=250 to=253 do={
    :set s ("192.168.0.".$i."/32")
    :set a [/queue simple find where target=$s]
    :if ([:len $a] > 0) do={
        :set a [:pick $a 0 1]
        :set traf [get $a bytes]
        :log info $traf
        :set uptraf [...
by JJCinAZ
Mon Sep 28, 2015 6:28 pm
Forum: General
Topic: High Availability GRE ?
Replies: 10
Views: 1888

Re: High Availability GRE ?

You could try an enable/disable of the PPPoE interface in the VRRP Master/Backup scripts, but now it sounds like you're starting to violate the KISS principle.
by JJCinAZ
Mon Sep 28, 2015 2:31 pm
Forum: Beginner Basics
Topic: Routing between 2 subnet
Replies: 15
Views: 5826

Re: Routing between 2 subnet

You just need one NAT rule:
/ip firewall nat add chain=srcnat out-interface=Internet action=masquerade
Disable all the rules in the Forward chain on firewall filters:
/ip firewall filter
:foreach i in=[find where chain=forward] do={disable $i}
If you can't communicate between the subnets, then you h...
by JJCinAZ
Sun Sep 27, 2015 7:25 pm
Forum: General
Topic: High Availability GRE ?
Replies: 10
Views: 1888

Re: High Availability GRE ?

Patrick has the right idea (IMHO). You might also look at running two routers in the data center, each on its own IP then you have two GRE tunnels from the remote site and the two routers at the DC use VRRP on the LAN IP only with OSPF to handle tunnel failover. Trying to use VRRP to move both IP's ...
by JJCinAZ
Sun Sep 27, 2015 7:20 pm
Forum: Beginner Basics
Topic: Routing between 2 subnet
Replies: 15
Views: 5826

Re: Routing between 2 subnet

Adding the following rules, now i can access the ftp server!, i just posted here if in-case someone needs it
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether2
add action=masquerade chain=srcnat out-interface=ether1
@descartes Are these the proper way to nat 2 different subnet...
by JJCinAZ
Sun Sep 27, 2015 7:08 pm
Forum: Beginner Basics
Topic: Problem with Simple script
Replies: 4
Views: 787

Re: Problem with Simple script

Here are some comments:
- The find commands return an array or list of items. It's best if you stick to processing that as an array, hence the use of the :len operator to test if we found anything.
- The target is an Interface or a subnet, so for a single IP, it's really a /32 subnet.
- You can ...
by JJCinAZ
Fri Sep 25, 2015 6:40 pm
Forum: General
Topic: binding a user to a specific WAN facing interface
Replies: 1
Views: 374

Re: binding a user to a specific WAN facing interface

That is possible with Policy Routing. There are a plethora of examples in forums and wiki.
by JJCinAZ
Thu Sep 24, 2015 11:38 pm
Forum: RouterBOARD hardware
Topic: MikroTik 750G bricked after upgrade to 6.32.2
Replies: 2
Views: 765

Re: MikroTik 750G bricked after upgrade to 6.32.2

Use NetInstall to reinstall OS from scratch.
by JJCinAZ
Thu Sep 24, 2015 11:37 pm
Forum: General
Topic: How to forward ping from outbound to PC on internal network
Replies: 3
Views: 737

Re: How to forward ping from outbound to PC on internal network

You should never receive that packet on an Internet connection, so by definition, no you can't "forward" it. You can get the router to send WOL packets using the /tool wol command. The question implies some sort of WAN connectivity between locations via some sort of tunnels and there are ways to get...
by JJCinAZ
Wed Sep 23, 2015 6:11 pm
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 19
Views: 9663

Re: How to create multiple EoIP tunnels ?

Yes, yes, and yes. The caveat here is the latency. You need to know your apps, their usage patterns, and the effects on user interactions. For example, a user may be used to a 200ms response to an action in their accounting application, but if the connectivity carrying the EoIP link makes everythin...
by JJCinAZ
Tue Sep 22, 2015 8:17 pm
Forum: Scripting
Topic: Event based executing a script
Replies: 3
Views: 1538

Re: Event based executing a script

You could allow them to send an SNMP command to your router which can run a script, but they can run any script on the router. The proper way to do this is to setup some sort of REST API server which they call to and that API server connects to the router to accomplish the command(s). This way, you ...
by JJCinAZ
Tue Sep 22, 2015 8:13 pm
Forum: General
Topic: Core Dump on CCR1009-8G-1S-1S+
Replies: 1
Views: 444

Re: Core Dump on CCR1009-8G-1S-1S+

That works fine on my CCR1009 with 6.33rc11.
by JJCinAZ
Tue Sep 22, 2015 5:41 pm
Forum: General
Topic: How to forward ping from outbound to PC on internal network
Replies: 3
Views: 737

Re: How to forward ping from outbound to PC on internal network

Yes. That's just a DST-NAT with a Protocol=icmp to get started. You can later restrict the icmp type to just 8 if you want.
by JJCinAZ
Tue Sep 22, 2015 12:39 am
Forum: Scripting
Topic: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11
Replies: 17
Views: 3048

Re: Expire users a after number of days Stops Work after Upgrade to v.6.33rc11

Everywhere you have:
:for nodays from=0 to=$months do={
Try using:
:for nodays from=0 to=[:tonum $months] do={
by JJCinAZ
Mon Sep 21, 2015 9:02 pm
Forum: General
Topic: EoIP - transfer problems with large files via SMB-share
Replies: 2
Views: 1135

Re: EoIP - transfer problems with large files via SMB-share

Make sure you are not accidentally NAT'ing the connections across/through the EoIP tunnel. If this is happening, the SMB server will see multiple SMB sessions/users from the same IP. Each time it does, it will terminate the previous session/user and create a new one. Smaller/faster operations seem t...
by JJCinAZ
Mon Sep 21, 2015 8:56 pm
Forum: General
Topic: OSPF Issues
Replies: 3
Views: 460

Re: OSPF Issues

You seem to imply that this is a new fiber setup to a new site. You might try a NBMA neighbor setup so that multicast is removed from the equation. If your fiber is some sort of metro-LAN service, you might be seeing the multicast reflected.

Joe
by JJCinAZ
Mon Sep 21, 2015 5:03 pm
Forum: General
Topic: RouterOS Charts
Replies: 3
Views: 520

Re: RouterOS Charts

Sorry, no. There are no ways to configure the graphing for that. You would need to install something like Cacti or another SNMP graphing system and poll your devices, generating your own graphs.
by JJCinAZ
Thu Sep 17, 2015 8:03 am
Forum: General
Topic: Howto Force route for specific host via primary wan link
Replies: 10
Views: 2356

Re: Howto Force route for specific host via primary wan link

If I understand what you're trying to do, maybe you could add a blackhole route for the same destination with a higher distance. When the lower distance one becomes unreachable, the blackhole route will become active. For example:
/ip route add disabled=no distance=1 dst-address=4.2.2.1/32 gateway=p...
by JJCinAZ
Wed Sep 16, 2015 7:12 pm
Forum: Scripting
Topic: Running scripts/commands on dynamic interfaces
Replies: 2
Views: 721

Re: Running scripts/commands on dynamic interfaces

You could switch to using static interfaces by creating OVPN-Client interfaces for each of your VPN clients. That way, interfaces will not disappear on you. Alternately, you'll need to run a script periodically which looks for the "parent=unknown" and fixes it. For example, if you added a comment to...
by JJCinAZ
Wed Sep 16, 2015 6:58 pm
Forum: General
Topic: Can CCR1009 Handle this ?
Replies: 26
Views: 2348

Re: Can CCR1009 Handle this ?

While it can probably handle that given the generic parameters specified (the devil is in the details), I would suggest you build a design which allows you to easily scale horizontally. In other words, create a design where you can simply add another CCR if you start to hit limits on the first CCR.
by JJCinAZ
Wed Sep 16, 2015 6:50 pm
Forum: Wireless Networking
Topic: In search of less jitter: locking NetMetal5 to lower rates and/or narrower bandwidth?
Replies: 4
Views: 853

Re: In search of less jitter: locking NetMetal5 to lower rates and/or narrower bandwidth?

Turning off the higher MCS values on the AP-side can help as the system doesn't try to move up to higher modulations. You can also turn off the A/G rates to keep control packets in higher modulations. Running with narrower bandwidth can also help as the smaller your channel, the lower the probabilit...
by JJCinAZ
Wed Sep 16, 2015 6:43 pm
Forum: RouterBOARD hardware
Topic: RB2011UiAS-2HnD-IN lcd upside down
Replies: 7
Views: 940

Re: RB2011UiAS-2HnD-IN lcd upside down

Being able to put some arbitrary text on the LCD via scripting would be great!
by JJCinAZ
Wed Sep 16, 2015 6:37 pm
Forum: General
Topic: UDP connection and NAT
Replies: 4
Views: 1112

Re: UDP connection and NAT

You can clear all the UDP connections in a script with the following:
/ip firewall connection
:foreach i in=[find protocol="udp"] do={remove $i}
by JJCinAZ
Wed Sep 16, 2015 6:29 pm
Forum: General
Topic: RouterOS Charts
Replies: 3
Views: 520

Re: RouterOS Charts

Yes, that's correct. It means you will normally not see quick bursts on the graph. For example, a user executing a speed test, which normally lasts less than 10 seconds, will not affect the 5-minute average very much. AFAIK, it's just RRD underneath. This tutorial has details (see the Consolidation ...
by JJCinAZ
Mon Sep 14, 2015 8:41 pm
Forum: Beginner Basics
Topic: RB2011UiAS-2HnD-IN; configuring VLAN10 802.1Q tagging with DHCP?
Replies: 2
Views: 820

Re: RB2011UiAS-2HnD-IN; configuring VLAN10 802.1Q tagging with DHCP?

You might try starting with the most simple config, starting from scratch (not starting from some wizard config):
/system reset no-defaults=yes
/interface vlan add name=e10-v10-WAN interface=ether10 vlan-id=10 disabled=no
/interface bridge add name=br-lan
/interface ethernet set ether2,ether3,ether4...
by JJCinAZ
Mon Sep 14, 2015 8:21 pm
Forum: Forwarding Protocols
Topic: 433AH OSPF Issue? V6.X
Replies: 3
Views: 1063

Re: 433AH OSPF Issue? V6.X

I can confirm that OSPF on v6.x with RB433AH and RB493AH works just fine with all sorts of other Routerboards. Have you captured the OSPF traffic between the two and looked at it with Wireshark? Maybe compare that with a capture from something else in your network where it is working?
by JJCinAZ
Mon Sep 14, 2015 8:14 pm
Forum: Beginner Basics
Topic: captive portal files
Replies: 2
Views: 451

Re: captive portal files

Just use the command:
/ip hotspot reset-html 0
You might need to replace the 0 with the number of your hotspot server instance, but if you only have one, it should be 0.
by JJCinAZ
Mon Sep 14, 2015 6:53 pm
Forum: Scripting
Topic: Simple queue not working in mikrotik V.6.15
Replies: 8
Views: 2046

Re: Simple queue not working in mikrotik V.6.15

I'm assuming you wanted the target-address to change, not the net mask on it. Also, you can't use the 'M' and 'k'. Finally, you cannot have a burst-limit less than the max-limit. Burst-limit should be larger than max-limit and you would also need a burst-time and burst-threshold. For example: :for i...
by JJCinAZ
Mon Sep 14, 2015 6:38 pm
Forum: General
Topic: When fastpath works pref-src not work
Replies: 3
Views: 639

Re: When fastpath works pref-src not work

I can confirm this changed in 6.30.x. Probably best to open a support ticket on the issue.
by JJCinAZ
Thu Sep 10, 2015 8:01 pm
Forum: Scripting
Topic: Add users to multiple Mikrotik Gateways
Replies: 5
Views: 728

Re: Add users to multiple Mikrotik Gateways

It is possible to have more than one radius server, but they both have to be operating from the same database. Usually this is accomplished by tying the radius servers into a database backend, but for simple authentication-only it could also be done by keeping static files synchronized via something...
by JJCinAZ
Tue Sep 08, 2015 7:45 pm
Forum: Scripting
Topic: Add users to multiple Mikrotik Gateways
Replies: 5
Views: 728

Re: Add users to multiple Mikrotik Gateways

Kris, I have to echo marrold -- use Radius. It's not that hard to setup (FreeRadius on a VM) and changes to users are instantaneous. With code to walk through 1200 routers and change users, it will take a lot of time and you have to deal with errors along the way. Also, you need a database of router...
by JJCinAZ
Thu Sep 03, 2015 8:23 pm
Forum: General
Topic: Connecting to either of 2 WAN links at same time
Replies: 7
Views: 1676

Re: Connecting to either of 2 WAN links at same time

Yes, I don't normally use the routing rules to accomplish that. Normally, I use the "main" routing table for WAN1 and the "WAN2" routing table for WAN2, I would check for new connections only, I'd mark routes for traffic passing through to and from the LAN, and I wouldn't have the source address. Al...
by JJCinAZ
Wed Sep 02, 2015 6:14 pm
Forum: General
Topic: inner-VLAN Latency
Replies: 6
Views: 804

Re: inner-VLAN Latency

I didn't spend too much time looking through that config, but you're likely spending way too much time trying to classify traffic with layer-7 filters -- they are expensive in CPU time. Have you tried disabling all your filters and mangles so that you're merely routing between subnets in the most si...
by JJCinAZ
Wed Sep 02, 2015 6:07 pm
Forum: Beginner Basics
Topic: Failover with 2 WAN
Replies: 2
Views: 762

Re: Failover with 2 WAN

Did you mean to be using Distance and not Scope? See: http://wiki.mikrotik.com/wiki/Manual:IP ... _selection
by JJCinAZ
Wed Sep 02, 2015 6:05 pm
Forum: Scripting
Topic: Log DHCP users on Mikrotik 6.31
Replies: 1
Views: 582

Re: Log DHCP users on Mikrotik 6.31

You could also look at transporting DHCP events to a central place using syslog. If you want to stick with the email-the-file method, look at rotating the log to a new file first, then email the old log.
by JJCinAZ
Wed Sep 02, 2015 5:58 pm
Forum: General
Topic: CRS Performance Problems???
Replies: 6
Views: 1471

Re: CRS Performance Problems???

You're having performance issues because your configuration is sending every packet through the CPU on the CRS. You should not be using Bridging to accomplish this; rather, you should be using the switch-chip to accomplish this, else you'll never get wire speeds. Take a look at the CRS switch info...
by JJCinAZ
Tue Sep 01, 2015 7:05 pm
Forum: General
Topic: Connecting to either of 2 WAN links at same time
Replies: 7
Views: 1676

Re: Connecting to either of 2 WAN links at same time

You don't really want it to do that automatically -- that would reduce your flexibility in the future. Really all you're going to do is mark the new connections coming in on WAN1 and WAN2 and then you're going to look for that Connection Mark and, based on that, you'll be adding Routing Marks to out...
by JJCinAZ
Tue Sep 01, 2015 5:52 pm
Forum: General
Topic: Connecting to either of 2 WAN links at same time
Replies: 7
Views: 1676

Re: Connecting to either of 2 WAN links at same time

When one of the WAN links is not available however, it seems to work about half the time. That means it is doing exactly what you told it to do. You have effectively setup ECMP routing. Half the time, the reply packets to you are going through WAN1 and the other half, WAN2. Once that decision is ma...
by JJCinAZ
Thu Aug 27, 2015 7:45 pm
Forum: General
Topic: dstnat/port forwarding not working
Replies: 8
Views: 4272

Re: dstnat/port forwarding not working

Do you have a Src-NAT catching that RDP traffic when it shouldn't be?
by JJCinAZ
Thu Aug 27, 2015 7:40 pm
Forum: Forwarding Protocols
Topic: Monitoring Help
Replies: 1
Views: 457

Re: Monitoring Help

I might suggest that you create a dummy loopback adapter which can be monitored for up/down state via SNMP:
/interface bridge add name=monitor1
/interface print oid
The "print oid" command will give you the interface ID number for your SNMP monitoring. Next, use the Netwatch tool, some custom script...
by JJCinAZ
Sun Aug 23, 2015 2:00 am
Forum: General
Topic: rx,tx byte rate in interface menu
Replies: 7
Views: 1341

Re: rx,tx byte rate in interface menu

/interface monitor-traffic LAN once do={:put ($"rx-bits-per-second"/8) }
by JJCinAZ
Thu Aug 13, 2015 6:54 pm
Forum: Beginner Basics
Topic: Changing IP address without being kicked!!!
Replies: 3
Views: 585

Re: Changing IP address without being kicked!!!

Add your new IP. Adjust route or add specific route for your source. Connect to router in second instance using new IP. Delete old IP. Change default route.
by JJCinAZ
Sun May 17, 2015 10:18 pm
Forum: Scripting
Topic: Change routes every 15 second
Replies: 6
Views: 779

Re: Change routes every 15 second

Is this what you're looking for?
{
    :local routelist [/ip route find where (!disabled && comment~"^IP")]
    :if ([:len $routelist] > 0) do={
        :foreach i in $routelist do={/ip route disable $i}
        :delay 15s
        :foreach i in $routelist do={/ip route enable $i}
    }
}
The if-statement is somewhat unneeded but it sk...
by JJCinAZ
Sun Apr 19, 2015 7:01 pm
Forum: General
Topic: Problem configuring NAT with multiple public ip on RB951G
Replies: 1
Views: 369

Re: Problem configuring NAT with multiple public ip on RB951G

You probably want to get rid of the Masq rule (rule #0) else it will catch all the traffic instead of rules 2 & 3.
by JJCinAZ
Tue May 06, 2014 6:20 pm
Forum: General
Topic: Issue with ports filter / NAT rules that no longer work.
Replies: 9
Views: 1253

Re: Issue with ports filter / NAT rules that no longer work.

Do I need both the Filter and the NAT statements? or should the Filter be the only rules I need? Assuming you have a rule "further down" in the Forward filter chain which would drop such traffic, then you do need the accept rules. I think CelticComms was onto something when he suggested torch, but ...
by JJCinAZ
Tue May 06, 2014 6:14 pm
Forum: Scripting
Topic: statements to run after DHCP IP-address
Replies: 10
Views: 1348

Re: statements to run after DHCP IP-address

Try:
:global test
:set test [:resolve www.google.nl]
:put $test
by JJCinAZ
Tue May 06, 2014 6:09 pm
Forum: RouterBOARD hardware
Topic: Omnitik port disable/enable takes down other interfaces
Replies: 22
Views: 3521

Re: Omnitik port disable/enable takes down other interfaces

This also occurs with Rb751 but only when ether1 is cycled. If ether1 is disabled and then re-enabled, all the other ports (ether2 through ether5) reinitialize. It's normally not noticed but if you have a dynamic routing protocol like ospf running on e2, for example, the ospf session is reset as a re...
by JJCinAZ
Thu May 01, 2014 2:16 am
Forum: General
Topic: WebRTC NAT Issue
Replies: 1
Views: 1394

Re: WebRTC NAT Issue

There are no ALG's for WebRTC in RouterOS, there are only ALG's for SIP, FTP, TFTP, H323, and IRC. Only IP address and TCP/UDP port translations, due to standard source-NAT'ting, would be occurring with WebRTC. The WebRTC protocol RFC does require ICE, TURN, & STUN implementations in the WebRTC clie...
by JJCinAZ
Wed Feb 12, 2014 3:44 pm
Forum: General
Topic: IPSEC DST address 0.0.0.0/0 with hub/spokes and interconnect
Replies: 6
Views: 1850

Re: IPSEC DST address 0.0.0.0/0 with hub/spokes and intercon

You could try using GRE tunnels with IPSec transport mode protecting the GRE traffic. Then you could use routing as you expect. You can even use ospf to automatically manage your routes.
by JJCinAZ
Mon Dec 23, 2013 4:29 pm
Forum: General
Topic: Is this a command line bug?
Replies: 3
Views: 751

Re: Is this a command line bug?

Try:
ip dhcp-server lease print where status="bound"
by JJCinAZ
Tue Dec 03, 2013 5:05 pm
Forum: General
Topic: Multi WAN IP Sec
Replies: 9
Views: 2757

Re: Multi WAN IP Sec

Don't use IPSec tunnels; rather use GRE tunnels with IPSec transport mode. That will make it far easier to create redundancy in your setup.
by JJCinAZ
Wed Nov 20, 2013 6:35 pm
Forum: General
Topic: Multiple Unreplied Connections on SIP Traffic
Replies: 12
Views: 4739

Re: Multiple Unreplied Connections on SIP Traffic

I can't see it in your screen shot, but there could be a couple of things. First, it looks like you still have the sip nat helper enabled and if so, I recommend disabling it. Second, could your public IP address be changing such that the sip server is seeing you come from different addresses. With h...
by JJCinAZ
Wed Nov 20, 2013 4:29 pm
Forum: General
Topic: Multiple Unreplied Connections on SIP Traffic
Replies: 12
Views: 4739

Re: Multiple Unreplied Connections on SIP Traffic

You should enable the display of the reply-dst and reply-src addresses in the Connections list. That might show you something interesting.
by JJCinAZ
Mon Nov 18, 2013 7:53 pm
Forum: General
Topic: A question about no-mark
Replies: 4
Views: 930

Re: A question about no-mark

Ah, I see the confusion. There are two places you can use the 'no-mark' parameter. One is in the 'if' portion of a rule, e.g.:
/ip firewall mangle add action=mark-connection chain=prerouting protocol=ospf connection-mark=no-mark \
    new-connection-mark=Alpha passthrough=yes
In this example, we are tes...
by JJCinAZ
Mon Nov 18, 2013 3:59 pm
Forum: General
Topic: A question about no-mark
Replies: 4
Views: 930

Re: A question about no-mark

It's just a way to test whether a mark has been previously assigned to the item. For example you may have a series of mark rules ordered from more to less specific and each checks for no-mark so as to not overwrite a more specific mark.
by JJCinAZ
Fri Nov 08, 2013 11:10 pm
Forum: General
Topic: v6.x - Hairpin NAT not working
Replies: 29
Views: 20046

Re: v6.x - Hairpin NAT not working

On v6 setup, have you tried disabling Fast Path under /ip settings?
by JJCinAZ
Wed Oct 30, 2013 5:41 pm
Forum: Beginner Basics
Topic: Wireless repeater
Replies: 10
Views: 2228

Re: Wireless repeater

You buy another sxt for client 1 location and you separate the two units there by enough space to avoid interference.
by JJCinAZ
Wed Oct 30, 2013 5:39 pm
Forum: RouterBOARD hardware
Topic: Mikrotik RouterBoard 1200
Replies: 1
Views: 693

Re: Mikrotik RouterBoard 1200

Mikrotik, or RouterOS more specifically, is a router and firewall device not an IDS, Spam filter, or other application-level policy/filter device. While it can be a part of these type solutions it doesn't have a magic button to do it. Maybe if you were much more specific in your question someone mig...
by JJCinAZ
Wed Oct 30, 2013 4:39 pm
Forum: General
Topic: RB2011 Default Port Configuration (Master/Bridge)
Replies: 18
Views: 10406

Re: RB2011 Default Port Configuration (Master/Bridge)

Yes, it could be more efficient depending on traffic patterns. You could also use one of the 10/100 ports as the Internet or upstream port instead of ether1 which is 10/100/1000, thus keeping your Lan ports all on the gigabit ports.
by JJCinAZ
Wed Oct 30, 2013 4:20 pm
Forum: General
Topic: RB1200: High CPU Usage results in ping loss
Replies: 4
Views: 1155

Re: RB1200: High CPU Usage results in ping loss

Try using only ports 1 through 5 instead of 6 through 10.
by JJCinAZ
Mon Oct 28, 2013 4:35 pm
Forum: General
Topic: Graphs Problem
Replies: 4
Views: 869

Re: Graphs Problem

Because the graphs are averaging X samples over Y time. The larger Y the more samples are smaller since IP traffic is generally bursty. If you were to run a constant-bit-rate application at R for 45 minutes then you would see a 30 minute average at the rate since all of the samples would be at R.
by JJCinAZ
Wed Sep 11, 2013 6:27 pm
Forum: General
Topic: VLAN 0 and 802.1p tag
Replies: 3
Views: 1494

Re: VLAN 0 and 802.1p tag

There is no place to put the priority value unless there is a tag. This is why tag ID 0 is allowed -- for layer-2 priority communications of packets belonging to no Vlan. In my experience there are many types of networking devices which get this wrong and will not allow a tag with a vlan ID of zero....
by JJCinAZ
Wed Sep 11, 2013 5:09 pm
Forum: General
Topic: Ipsec site to site issue
Replies: 4
Views: 640

Re: Ipsec site to site issue

You should probably not be executing a srcnat on the traffic between sites. In your post it sounded like you were specifically doing so.
by JJCinAZ
Mon May 20, 2013 8:08 pm
Forum: General
Topic: New Packet flow diagram
Replies: 103
Views: 72240

Re: New Packet flow diagram

Like the new diagrams. One suggestion is to add detail on the "Use MPLS?" and "Use Route?". If you compare these decisions in the flow chart to the first decision after physical input, "In-Interface Bridge Port?", it seems to me that the first decision is much more self describing than the others --...
by JJCinAZ
Tue May 14, 2013 4:55 pm
Forum: General
Topic: Strange VLAN traffic
Replies: 1
Views: 382

Re: Strange VLAN traffic

If you put the interface into a bridge then you need to move the vlan to the bridge.
/interface vlan set ether1-v30 interface=br-v11
by JJCinAZ
Sun May 12, 2013 7:23 pm
Forum: General
Topic: Replacing ATT MPLS with Mikrotik Site to Site VPN
Replies: 6
Views: 1403

Re: Replacing ATT MPLS with Mikrotik Site to Site VPN

Could you be accidentally NAT'ing the traffic between sites and that's causing the BCM trunking to fail? Just a guess
by JJCinAZ
Mon May 06, 2013 7:13 am
Forum: General
Topic: IPsec Performance
Replies: 16
Views: 9390

Re: IPsec Performance

What's the other side?
by JJCinAZ
Sun May 05, 2013 8:04 pm
Forum: General
Topic: IPsec Performance
Replies: 16
Views: 9390

Re: IPsec Performance

With respect to tomaskir, my experience is that none of those routers (the 260GS is a switch not a router) will do 15-20Mbps of aes-128 IPSec. Here's the table of processors in use by each along with OpenSSL aes-128 benchmark speeds: MODEL: CPU: OpenSSL aes-128 Speed Benchmark RB/951G-2HnD: Atheros ...
by JJCinAZ
Wed Jan 16, 2013 5:09 pm
Forum: General
Topic: Queue Problems in RB1100AHx2 (SMP)
Replies: 11
Views: 3193

Re: Queue Problems in RB1100AHx2 (SMP)

We see the same thing. There is clearly a problem after 5.6 (v6 also has the issue). You can install 5.6 to clear up the packet loss in my testing. I submitted a bug report with exacting reproduction steps back on dec 18th. Got initial run-around but maybe they are starting to look more closely. You...
by JJCinAZ
Tue Sep 25, 2012 5:03 pm
Forum: General
Topic: SNMP answers on network address
Replies: 2
Views: 568

Re: SNMP answers on network address

That's actually correct behavior. The SNMP server is bound to all IP addresses on the router. The broadcast is one of those. Sending an snmp request to a broadcast address is perfectly valid and all hosts on the subnet should reply, all other things being correct. It's similar to doing a ping to a b...
by JJCinAZ
Wed Sep 19, 2012 6:08 pm
Forum: General
Topic: RB 1100AH x2 and simple queue problems...
Replies: 9
Views: 2664

Re: RB 1100AH x2 and simple queue problems...

On the RB1100AHx2 v5.20, we are seeing packet loss with any HTB queues enabled on an interface. Disabling the queues clears it up. There is no CPU overload and this only seems to affect the 1100AHx2 as far as we've seen. You only have to be pushing a few Mbps of traffic to start seeing the loss even...
by JJCinAZ
Tue Jul 10, 2012 8:46 pm
Forum: General
Topic: QoS before IPsec encrypting
Replies: 4
Views: 607

Re: QoS before IPsec encrypting

Yes, 2Mbps IPSEC max is about right for that router. You will start to get some additional latency and jitter even with queuing due to the high CPU usage. Try the RB1100AHx2 for more performance with encryption in IPSEC.
by JJCinAZ
Fri Jun 29, 2012 6:49 pm
Forum: General
Topic: QoS before IPsec encrypting
Replies: 4
Views: 607

Re: QoS before IPsec encrypting

Your question is kind of broken in that it's not nearly verbose enough. Try studying this diagram and then post again.
by JJCinAZ
Sat Jun 02, 2012 7:19 pm
Forum: Beginner Basics
Topic: Port on bridge will not enable
Replies: 2
Views: 3763

Re: Port on bridge will not enable

CelticComms is correct and that behavior will occur with any interface which is not in the "running" state. For wireless and some ethernet ports you can force the interface to always running with the command:
/interface wireless set wlan disable-running-check=yes
The option is particularly useful fo...
by JJCinAZ
Sat Jun 02, 2012 7:12 pm
Forum: Beginner Basics
Topic: 2 two DSL lines for RB750
Replies: 8
Views: 1884

Re: 2 two DSL lines for RB750

You could also just use two RB750's to achieve this and you get a more simple solution leading to more redundancy and security -- all for the low price of $39 (USD).
by JJCinAZ
Sat Jun 02, 2012 7:09 pm
Forum: General
Topic: Voip and RB750. that should be considered?
Replies: 7
Views: 2117

Re: Voip and RB750. that should be considered?

If you're looking for some "magic" box which you plug in to solve all your VoIP problems, you'll be disappointed with everything. You need a deep and wide understanding of VoIP and Networking to be able to properly setup high quality and reliable VoIP. That being said, your RB750 is not likely addin...
by JJCinAZ
Sat May 26, 2012 2:27 am
Forum: General
Topic: Bridged Firewall
Replies: 3
Views: 745

Re: Bridged Firewall

It should work just fine. Why not post your config and maybe someone can see what's wrong.
by JJCinAZ
Wed May 23, 2012 7:04 pm
Forum: General
Topic: RB750GL Vlan issues
Replies: 4
Views: 1397

Re: RB750GL Vlan issues

He means you need to do this:
/interface vlan add arp=enabled disabled=no interface="lan bridge" l2mtu=1594 mtu=1500 name=vlan1 use-service-tag=no vlan-id=60
/interface bridge port add bridge="lan bridge" disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-poi...
by JJCinAZ
Mon Apr 30, 2012 6:30 pm
Forum: General
Topic: need to choose hardware to handle full BGP table
Replies: 7
Views: 1095

Re: need to choose hardware to handle full BGP table

I haven't asked lately, but I'm sure it's Cisco and Juniper.
by JJCinAZ
Fri Apr 27, 2012 6:49 pm
Forum: General
Topic: SFP Port Card
Replies: 2
Views: 559

Re: SFP Port Card

I highly recommend HotLava products: http://www.hotlavasystems.com
by JJCinAZ
Fri Apr 27, 2012 6:36 pm
Forum: General
Topic: need to choose hardware to handle full BGP table
Replies: 7
Views: 1095

Re: need to choose hardware to handle full BGP table

I'd recommend an x86 based system, dual-core with a simple SATA flash for boot, 2GB of RAM, and Intel-based NIC chipsets like the 82546 and 82573. Stay away from fancy array subsystems and try and stick with hardware from the Supported Hardware list. The KISS principle works well here. Attached are ...
by JJCinAZ
Mon Apr 23, 2012 12:58 am
Forum: General
Topic: EoIP interface on bridge randomly goes inactive
Replies: 2
Views: 1055

Re: EoIP interface on bridge randomly goes inactive

Thanks for posting the solution.
by JJCinAZ
Mon Apr 23, 2012 12:55 am
Forum: General
Topic: Connection mark (unknown 13)
Replies: 1
Views: 821

Re: Connection mark (unknown 13)

That usually indicates that the connection was marked by some mangle but then all rules naming or using that mark were deleted and so the textual label for mark #13 was removed, thus the connection list has no way to translate the value 13 to text.
by JJCinAZ
Mon Apr 23, 2012 12:34 am
Forum: Beginner Basics
Topic: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP carrier
Replies: 10
Views: 6462

Re: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP car

Yes, your understanding is correct. First, here is a good, general article on the connection tracking (conntrack) in iptables: http://people.netfilter.org/pablo/docs/login.pdf Second, the SIP helper is a sort of ALG (Application Layer Gateway) which has to inspect the SIP commands going back and for...
by JJCinAZ
Tue Apr 17, 2012 9:13 am
Forum: RouterBOARD hardware
Topic: very slow RB1100AHx2
Replies: 5
Views: 2314

Re: very slow RB1100AHx2

Working fine here. I have six deployed so far.
by JJCinAZ
Thu Mar 29, 2012 5:57 pm
Forum: Beginner Basics
Topic: Firewall issues passing traffic between VoIP switches.
Replies: 18
Views: 2697

Re: Firewall issues passing traffic between VoIP switches.

If you're just routing traffic between network segments, then you shouldn't be using any NAT. It sounds like issues with NAT and misunderstanding of the VoIP protocols involved. Assuming you're using SIP, you cannot just "open ports" to get things to work. SIP is just call control. There are also th...
by JJCinAZ
Fri Mar 16, 2012 5:55 pm
Forum: Beginner Basics
Topic: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP carrier
Replies: 10
Views: 6462

Re: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP car

It can work just fine even with NAT. I find it's not a Mikrotik issue but rather an issue with understanding of SIP, RTP, STUN, UDPTL, etc.
by JJCinAZ
Fri Mar 16, 2012 5:34 pm
Forum: Beginner Basics
Topic: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP carrier
Replies: 10
Views: 6462

Re: Mikrotik RB711U, ROS-5.14 NAT issues for SIP to VoIP car

We run thousands of SIP sessions through hundreds of Mikrotik routers with no problems. I do recommend that you disable the SIP NAT helper though.
by JJCinAZ
Mon Mar 12, 2012 6:23 pm
Forum: General
Topic: strange bonding latency problem
Replies: 5
Views: 1792

Re: strange bonding latency problem

Well same theory but the buffering may be occurring in the NV2 code where it does packet aggregation. I'm not in front of a router now but you could try disabling that for a test.
by JJCinAZ
Sun Mar 11, 2012 9:00 pm
Forum: General
Topic: WDS Network
Replies: 5
Views: 599

Re: WDS Network

Is your entire network bridged?
I think that was your answer.

Patient: Doctor, it hurts when I do this.
Doctor: Don't do that.

Byte the bullet now and setup a routed network.
by JJCinAZ
Sun Mar 11, 2012 8:55 pm
Forum: Beginner Basics
Topic: RB 1000 help required
Replies: 4
Views: 615

Re: RB 1000 help required

Try the training portal? http://www.mikrotik.com/training/next
by JJCinAZ
Sun Mar 11, 2012 8:52 pm
Forum: General
Topic: strange bonding latency problem
Replies: 5
Views: 1792

Re: strange bonding latency problem

That behavior doesn't sound absurd. It sounds like the algorithm in the bonding code is waiting for X amount of data or a timeout before sending. A single ICMP is not enough data to trigger an immediate send. When there is a high volume of traffic on the link, the ICMP traffic is carried along more ...
by JJCinAZ
Sun Mar 11, 2012 8:31 pm
Forum: General
Topic: External SIP server. No incoming sound.
Replies: 8
Views: 5295

Re: External SIP server. No incoming sound.

The 20 second timeout sounds like one of the two SIP partners (device or server in this case) is not receiving all the SIP messages and a SIP timer fires, terminating the call; or a NAT connection is broken on the RTP stream after 20 seconds. Here are some things to try (not in any particular order)...
by JJCinAZ
Fri Dec 23, 2011 12:47 am
Forum: General
Topic: masquerade bug
Replies: 13
Views: 941

Re: masquerade bug

If you delete the "corrupt" rule and re-add a completely new masq NAT rule:
/ip firewall nat export:
add action=masquerade chain=srcnat disabled=no protocol=tcp src-address=2.2.2.2
the dst-ports are not changed on the outbound traffic?
by JJCinAZ
Fri Dec 23, 2011 12:04 am
Forum: General
Topic: masquerade bug
Replies: 13
Views: 941

Re: masquerade bug

I don't agree with your interpretation of masquerade action. Masq action, IMHO, is a src-nat which simply picks the to-address based on the pref-src in the route chosen for the traffic. Contrast that with the src-nat action which uses the address specified in the rule. With both actions, if you have...
by JJCinAZ
Wed Dec 21, 2011 5:08 pm
Forum: General
Topic: WISPr implementation in Mikrotik doesnot work in Nintendo3DS
Replies: 3
Views: 945

Re: WISPr implementation in Mikrotik doesnot work in Nintend

I did it.
Mind posting how you did/fixed it for the benefit of all the forum users?
by JJCinAZ
Mon Nov 07, 2011 4:54 pm
Forum: General
Topic: Hotspot Redirect Problems with Macbook Pro and Windows 7
Replies: 19
Views: 12571

Re: Hotspot Redirect Problems with Macbook Pro and Windows 7

Almost sounds like an MTU problem.
by JJCinAZ
Wed Nov 02, 2011 1:27 am
Forum: Beginner Basics
Topic: SIP ALG vs SIP Helper
Replies: 20
Views: 48318

Re: SIP ALG vs SIP Helper

Yes, it's the same.
by JJCinAZ
Tue Nov 01, 2011 8:38 am
Forum: Beginner Basics
Topic: NetBios Broadcast over IPSec tunnels
Replies: 9
Views: 5851

Re: NetBios Broadcast over IPSec tunnels

No such thing in Router OS. For really old Windows networks, use WINS, else setup Active Directory servers.
by JJCinAZ
Tue Nov 01, 2011 8:34 am
Forum: Beginner Basics
Topic: SIP ALG vs SIP Helper
Replies: 20
Views: 48318

Re: SIP ALG vs SIP Helper

Yes, the VoIP technician is referring to the SIP Helper. Disable it with the command:
/ip firewall service-port disable sip
by JJCinAZ
Thu Oct 20, 2011 7:01 pm
Forum: General
Topic: Mk As Bridge can't forward broadcast (DHCP one specifically)
Replies: 2
Views: 677

Re: Mk As Bridge can't forward broadcast (DHCP one specifica

Two ports in a simple bridge configuration will forward broadcasts. Something else is going on.

You could attempt to enable a DHCP client on the bridge interface as a test to see if the routerboard can get an address from your ISP.
by JJCinAZ
Wed Oct 19, 2011 8:17 pm
Forum: General
Topic: DHCP relay not forwarding requests
Replies: 11
Views: 8652

Re: DHCP relay not forwarding requests

I can see the DHCP relay service on RouterOS count up the request coming in and you can see the request coming into the DHCP relay via a packet sniff, but the DHCP relay never seems to send out the request to the upstream DHCP server. In the case the other day, the DHCP server was a Windows 2008 ser...
by JJCinAZ
Wed Oct 19, 2011 7:42 pm
Forum: General
Topic: DHCP relay not forwarding requests
Replies: 11
Views: 8652

Re: DHCP relay not forwarding requests

I saw this on a v5.x router the other day. I've used the DHCP relay a number of times previously on version 2.x, 3.x, & 4.x but it seems to be broken with v5.x. I haven't had a chance to test further, but in the limited testing I did get to run, I see the DHCP relay count the request, but it never s...
by JJCinAZ
Wed Oct 19, 2011 7:29 pm
Forum: RouterBOARD hardware
Topic: RB751U-2HnD USB Port
Replies: 6
Views: 4471

Re: RB751U-2HnD USB Port

It also works for RS-232 serial adapters.
by JJCinAZ
Wed Oct 12, 2011 2:33 am
Forum: RouterBOARD hardware
Topic: Bricked RB751U-2HnD?
Replies: 52
Views: 21803

Re: Bricked RB751U-2HnD?

Here's another power oddity with the RB751U. Connect ethernet port 2, 3, 4, or 5 to an 802.3af POE switch. Then connect an 802.3af POE device like a VoIP phone to one of the other ethernet ports 2, 3, 4 or 5 on the same RB751U. You'll notice that the POE device will start into a loop of power cycling. I...
by JJCinAZ
Thu Sep 01, 2011 6:06 pm
Forum: General
Topic: Question for ISP's, how do you assign static IP's?
Replies: 4
Views: 975

Re: Question for ISP's, how do you assign static IP's?

I highly suggest using a VLAN per customer on the AP. The SM will tag the traffic and you can tell the SM to only accept untagged packets for security purposes. We use a router per tower or ring and when a customer purchases a static IP, we subnet out a /30, /29, /28, etc. and put the gateway on the...
by JJCinAZ
Fri Aug 19, 2011 8:49 am
Forum: General
Topic: VLAN Clarification
Replies: 2
Views: 617

Re: VLAN Clarification

When an Ethernet interface is "captured" by a bridge then a VLAN on the interface itself will become ineffective and the VLAN's master interface must be changed to the bridge. The VLAN does not automatically "move" to the bridge.
by JJCinAZ
Thu Aug 06, 2009 6:04 pm
Forum: General
Topic: Strange issue with Eth5 in bridge mode
Replies: 3
Views: 387

Re: Strange issue with Eth5 in bridge mode

Because the mac address of the bridge is changing on use. Watch it with serial console while you plug and unplug ethernets. After that, assign a fixed admin-mac to the bridge.
by JJCinAZ
Thu Jul 30, 2009 8:20 pm
Forum: Virtualization
Topic: Xen won't go
Replies: 29
Views: 10317

Re: Xen won't go

Does Xen require hardware virtualization in BIOS? My original system did not have hardware virtualization in BIOS.
Not that I know of. Did you get it working at all?
by JJCinAZ
Tue Jul 21, 2009 4:17 am
Forum: Scripting
Topic: Using fetch to retrieve IP lists
Replies: 43
Views: 15021

Re: Using fetch to retrieve IP lists

Is the script being "broken" in that the second fetch will not execute? The script engine seems to take the next line as input to the status display of the first fetch, so the second fetch doesn't get executed. In other words, have you figured out a way to get the script to "pause" until the fetch c...
by JJCinAZ
Fri Jul 17, 2009 9:11 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 147
Views: 101426

Re: New 20km link, weird interference.

However, if one side was bad wouldn't the signal tx / rx be way different if it was only 1 side with the problem?
Not really. What if the pigtail at the data center side is a 20db attenuator? Wouldn't that affect tx/rx at the same time? If you had highly asymmetric signal levels, then you would sta...
by JJCinAZ
Fri Jul 17, 2009 8:00 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 147
Views: 101426

Re: New 20km link, weird interference.

BTW: GREAT posting. Lots of clear data, good descriptions, graphs -- I wish everyone posted like that. Very professional.
by JJCinAZ
Fri Jul 17, 2009 7:59 pm
Forum: Wireless Networking
Topic: Solving 20km wireless link issues
Replies: 147
Views: 101426

Re: New 20km link, weird interference.

I believe the Frequency Use tool is only showing you 802.11a frames received. It does not measure raw energy received at the antenna like a spectrum analyzer would. You could have an interference source and not know it from that tool. You could hook up a real spectrum analyzer to see what noise you m...
by JJCinAZ
Tue Jul 14, 2009 7:08 pm
Forum: General
Topic: Queues for vlans
Replies: 5
Views: 1237

Re: Queues for vlans

Not in any single rule/queue. Here are some quick ideas (i.e. I didn't think too terribly hard here so be careful):
1. Mark the traffic using a bridge rule to match VLAN tag and add a packet mark. Then add queues on the master interface.
2. Setup a hierarchy of queues in the queue tree such that you ...
by JJCinAZ
Tue Jul 14, 2009 6:55 pm
Forum: Virtualization
Topic: Xen won't go
Replies: 29
Views: 10317

Re: Xen won't go

Seems broken in 3.26 also. It will not obey the main memory parameter, thus leaving no memory for VM's.
by JJCinAZ
Fri Jul 10, 2009 8:58 pm
Forum: Beginner Basics
Topic: Traffic being cut in half.
Replies: 2
Views: 576

Re: Traffic being cut in half.

Ethernet duplex mismatch?
by JJCinAZ
Wed Jul 08, 2009 6:29 pm
Forum: General
Topic: block audio streaming
Replies: 4
Views: 5715

Re: block audio streaming

I can't since the Mikrotik guys frown on posting of other products here. Google is your friend. Search for web filtering appliances. I thought of another method. Setup an account on OpenDNS and force all your users to go through it. I do that with a firewall rule disallowing DNS from the LAN to the ...
by JJCinAZ
Wed Jul 08, 2009 4:52 pm
Forum: General
Topic: block audio streaming
Replies: 4
Views: 5715

Re: block audio streaming

That's hard to do with RouterOS. Audio streaming and Internet radio is done with HTTP on port 80 and other ports as well as with RTSP on various ports. A layer-7 filter can catch the RTSP but the HTTP streaming looks like any other web traffic. You really need a dynamic list of IP's, plus a bunch of...
by JJCinAZ
Fri Jun 19, 2009 2:48 am
Forum: Beginner Basics
Topic: EOIP
Replies: 5
Views: 945

Re: EOIP

Setup a layer-3 routed network.
by JJCinAZ
Thu Jun 18, 2009 7:44 am
Forum: Beginner Basics
Topic: EOIP
Replies: 5
Views: 945

Re: EOIP

EoIP doesn't "decrease the MTU" on any interface. The EoIP interface itself will transport a 1500 byte MTU just fine. Since the EoIP interface is encapsulating Ethernet frames in IP packets and sending those IP packets on networks supporting 1500 byte MTU's (usually) then the IP layer will fragment ...
by JJCinAZ
Thu Jun 18, 2009 7:30 am
Forum: Beginner Basics
Topic: how to block voice ports
Replies: 1
Views: 636

Re: how to block voice ports

It's virtually impossible to do. Skype, for example, encrypts its traffic and does not have a static port. You could block everything for the student and only allow access to approved IP addresses -- in other words a whitelist scheme. However, that's a huge headache. You can sniff the traffic he's u...
by JJCinAZ
Wed Jun 10, 2009 8:00 am
Forum: General
Topic: failed to setup vm
Replies: 3
Views: 850

Re: failed to setup vm

It's a bug. You should be setting the main memory down to leave some open for Xen to give to other VM's, but that setting does not get obeyed in versions 3.23 or 3.24. Wait till 3.25 to see if it's fixed.
by JJCinAZ
Wed Jun 10, 2009 7:47 am
Forum: Beginner Basics
Topic: Firewall rule to accept VPN connections from outside
Replies: 2
Views: 660

Re: Firewall rule to accept VPN connections from outside

I don't know what you are doing with port 1460, but since you mentioned port 1723 I assume you are using PPTP. If so, then you need to also forward GRE protocol through from your DSL modem. Try disabling all drops (or the final drop) on the input chain and get to a working case first, then lock down.
by JJCinAZ
Mon Jun 08, 2009 7:23 am
Forum: Forwarding Protocols
Topic: RouterOS 3.20 BGP peer stability issue
Replies: 12
Views: 4204

Re: RouterOS 3.20 BGP peer stability issue

Was it stable using the routing or routing-test package on the 3.24?
by JJCinAZ
Tue May 26, 2009 1:51 am
Forum: General
Topic: 30 chanel PRI over Mikrotik
Replies: 9
Views: 1756

Re: 30 chanel PRI over Mikrotik

Assuming you are converting to VoIP of some type, yes it can be done. By this I mean that there is no built-in E1 TDM transport like that available on some PTP radios. Unless you are using NStream2, you will have a half-duplex link. This means you need to have good enough throughput to be able to tr...
by JJCinAZ
Fri May 15, 2009 7:14 pm
Forum: General
Topic: Bug in 3.23
Replies: 5
Views: 764

Re: Bug in 3.23

A script with the command above works on my 3.23 router. Try creating a new script from scratch?
by JJCinAZ
Fri May 15, 2009 7:11 pm
Forum: Beginner Basics
Topic: Point to point bridge
Replies: 1
Views: 501

Re: Point to point bridge

The best way is to use AP on one side and station-wds on the other. You can easily control the AP such that only your station can connect or run the AP side in mode=bridge which is identical to mode=ap-bridge except only one station can connect. As for WDS mode, which is different from the AP/bridge...
by JJCinAZ
Fri May 15, 2009 7:04 pm
Forum: General
Topic: Bug in 3.23
Replies: 5
Views: 764

Re: Bug in 3.23

Though I don't think it's your problem, you should have the equal sign:
/queue simple print stats file=stats
You said you tried putting that in a script and then executing the script from the scheduler and it didn't work. Did you try running the script manually and did it work? I haven't had problem...
by JJCinAZ
Fri May 15, 2009 6:58 pm
Forum: Beginner Basics
Topic: Vlan routing
Replies: 3
Views: 1792

Re: Vlan routing

You didn't express your IP addresses in CIDR notation, so that limits what people could help you with. If you have the proper IP addresses and subnets, no firewall rules blocking, NAT rules changing addresses, and proper default gateways on all hosts then the AP/routers should route the traffic norm...
by JJCinAZ
Fri May 15, 2009 6:53 pm
Forum: Beginner Basics
Topic: how to make public ip transparent
Replies: 1
Views: 643

Re: how to make public ip transparent

I would do that by bridging the public interface on the router with a VLAN on the LAN interface of the router. Then you can put the workstation in question on the VLAN and it can use any of your public IP's (or at least those not used by the router itself). If you don't have a VLAN capable switch, then ...
by JJCinAZ
Fri May 15, 2009 6:37 pm
Forum: General
Topic: EoIP over PPTP copy large files errors
Replies: 5
Views: 1229

Re: EoIP over PPTP copy large files errors

When I sniff packets on the remote file server, it seems that all remote addresses are the IP of the router local to it
I think that's the problem. You should be seeing source addresses of the workstations talking to the file server. It seems like you have something on the "router local to it" whic...
by JJCinAZ
Thu May 14, 2009 7:26 pm
Forum: General
Topic: EoIP over PPTP copy large files errors
Replies: 5
Views: 1229

Re: EoIP over PPTP copy large files errors

You need to sniff traffic coming into the file server and see what source address is getting used for the multiple sessions. You will see the session reset from the file server going back to an IP address. That should give you the next piece of evidence to track down which device is in the way.
by JJCinAZ
Thu May 14, 2009 7:22 pm
Forum: Wireless Networking
Topic: Using the "in between" frequencies
Replies: 12
Views: 1619

Re: Using the "in between" frequencies

For non-standard frequencies, you need to add the frequencies to the scan-list on the client.
by JJCinAZ
Thu May 14, 2009 7:19 pm
Forum: Wireless Networking
Topic: what is the best band to use as AP ?
Replies: 3
Views: 762

Re: what is the best band to use as AP ?

Well 2.4g bands are OFDM modulations at 12 to 54 Mbps. Certainly they are faster and OFDM can run in near-line-of-sight whereas the FSK modulations of the 2.4b "band" are really just line-of-sight. So to go faster than 11Mbps, you need to use 2.4g or 2.4b/g. If you don't need to talk with 2.4b units...
by JJCinAZ
Thu May 14, 2009 6:51 pm
Forum: General
Topic: EoIP over PPTP copy large files errors
Replies: 5
Views: 1229

Re: EoIP over PPTP copy large files errors

That sounds like you are inadvertently NAT'ing the connection across the EoIP tunnel. I assume you are using an SMB file system, e.g. Windows file sharing. What happens is that the file server sees multiple SMB sessions from the same IP because a SRCNAT is catching the traffic across the tunnel. Whe...
by JJCinAZ
Thu May 14, 2009 5:19 pm
Forum: Wireless Networking
Topic: Help with using a Mikrotik Crossroads as an access point.
Replies: 2
Views: 570

Re: Help with using a Mikrotik Crossroads as an access point.

Keep your posts together on the same topic please. Look, try the following on the Crossroads:
/system reset
Confirm the reset then reconnect via serial, mac-telnet, or mac-winbox.
/interface bridge
add name=br-lan
port add interface=ether1 bridge=br-lan
port add interface=wlan1 bridge=br-lan
/interf...
by JJCinAZ
Thu May 14, 2009 5:12 pm
Forum: Wireless Networking
Topic: Internet Gateways
Replies: 5
Views: 1001

Re: Internet Gateways

Have you tried searching the forums or reading the Wiki? This question is asked usually once a day and sometimes more than once a day. Study existing discussions and articles before asking for someone to write your config for you.
by JJCinAZ
Wed May 13, 2009 11:05 pm
Forum: General
Topic: Hot to allow access some ip ,but drop other ip ?
Replies: 7
Views: 786

Re: Hot to allow access some ip ,but drop other ip ?

It will only allow a connection to be initiated to 222.222.222.222 not initiated from. Once the connection is initiated, packets FROM 222.222.222.222 will be allowed back to the originator. That's why I originally said, "return packets will not pass".
by JJCinAZ
Wed May 13, 2009 7:19 pm
Forum: General
Topic: Hot to allow access some ip ,but drop other ip ?
Replies: 7
Views: 786

Re: Hot to allow access some ip ,but drop other ip ?

/ip firewall filter
add chain=forward action=accept connection-state=related place-before=0
add chain=forward action=accept connection-state=established place-before=0
by JJCinAZ
Wed May 13, 2009 6:49 pm
Forum: Wireless Networking
Topic: Help with using a Mikrotik Crossroads as an access point.
Replies: 2
Views: 570

Re: Help with using a Mikrotik Crossroads as an access point.

Your default gateway is not totally correct. It should normally be 0.0.0.0/0. That doesn't affect your AP functionally. You also should not need a DHCP relay. That would only be needed if you were on a separate subnet. An AP is just a bridge -- no separate subnet there.
by JJCinAZ
Mon May 11, 2009 8:22 pm
Forum: Beginner Basics
Topic: HOW to show always Hotspot login page without Internet?
Replies: 6
Views: 1527

Re: HOW to show always Hotspot login page without Internet?

Right, well then you can use what I said before. Add a wildcard DNS to allow the users' browsers to resolve and then use the hotspot to return a page with instructions. The router does not need access to the internet to be able to do that because of the wildcard DNS capability. Try it with Internet ...
by JJCinAZ
Mon May 11, 2009 7:28 pm
Forum: General
Topic: Hot to allow access some ip ,but drop other ip ?
Replies: 7
Views: 786

Re: Hot to allow access some ip ,but drop other ip ?

Try adding rules at the top of the list allowing Established and Related connections, else the return traffic will not pass.
by JJCinAZ
Mon May 11, 2009 7:25 pm
Forum: Beginner Basics
Topic: HOW to show always Hotspot login page without Internet?
Replies: 6
Views: 1527

Re: HOW to show always Hotspot login page without Internet?

The system will show them your Hotspot login page, if they are not logged in. Assuming you then authenticate them but still have no Internet connectivity, then the Internet doesn't work. While your original question is poorly worded, if you are asking how to get everyone to the Hotspot login page wh...
by JJCinAZ
Mon May 11, 2009 4:25 pm
Forum: Beginner Basics
Topic: HOW to show always Hotspot login page without Internet?
Replies: 6
Views: 1527

Re: HOW to show always Hotspot login page without Internet?

You need a wildcard DNS entry in the DNS server on the router else the client browsers will never do an HTTP get of anything. The DNS requests by the clients must resolve to something. It doesn't matter if the address returned is not reachable because the hotspot will intercede before the GET is all...
by JJCinAZ
Mon May 11, 2009 6:57 am
Forum: General
Topic: Bridging: Where did forwarding-protocols go on 3.x ?
Replies: 9
Views: 991

Re: Bridging: Where did forwarding-protocols go on 3.x ?

The bridge should pick up the mac address of the lowest running interface in the bridge. As long as it's not zero, not all ones and not duplicated elsewhere it should be okay (there are minor exceptions to that). He really needs to switch to something like an EoIP tunnel instead of the OpenVPN tunnel...
by JJCinAZ
Sun May 10, 2009 9:23 pm
Forum: General
Topic: Dual WAN (one for Internet and another for VOIP and backup)
Replies: 7
Views: 1668

Re: Dual WAN (one for Internet and another for VOIP and backup)

G729 with a payload size of 20ms will consume 40 Kbps upload AND 40 Kbps download with 50 pps up and 50 pps down. G711 with a payload size of 20ms will consume 80 Kbps upload AND 80 Kbps download with 50 pps up and down as well. You have to take packets-per-second (pps) and bandwidth into account.
by JJCinAZ
Sun May 10, 2009 9:12 pm
Forum: General
Topic: Bridging: Where did forwarding-protocols go on 3.x ?
Replies: 9
Views: 991

Re: Bridging: Where did forwarding-protocols go on 3.x ?

Why is the address 192.168.2.240/32 showing up on both the vpn-bridge interface and on the open-vpn interface? I know the dynamic one from the open-vpn interface was assigned via the profile, but it would seem to me that you don't want the duplicate addresses. I don't think that should affect the la...
by JJCinAZ
Sun May 10, 2009 9:06 pm
Forum: General
Topic: Which brand fiber Lancard(1000basedLX)is supported by MT3.23
Replies: 4
Views: 1330

Re: Which brand fiber Lancard(1000basedLX)is supported by MT3.23

Well not really just a patchcord. You need an SFP/Mini-GBIC adapter. You can get those for copper and fiber.
by JJCinAZ
Fri May 08, 2009 7:55 pm
Forum: General
Topic: Bridging: Where did forwarding-protocols go on 3.x ?
Replies: 9
Views: 991

Re: Bridging: Where did forwarding-protocols go on 3.x ?

Ah, OpenVPN interface in the bridge -- totally different story. I've never used an OpenVPN tunnel into a bridge for layer-2 connectivity so I can't help. Maybe someone else has done that. You could use an EoIP tunnel encrypted with IPSEC or OpenVPN.
by JJCinAZ
Fri May 08, 2009 7:52 pm
Forum: Wireless Networking
Topic: Distance Counter
Replies: 9
Views: 987

Re: Distance Counter

I wouldn't use 802.11 technology for a link of that distance and I don't post competing products in these forums, so I cannot recommend something.
by JJCinAZ
Fri May 08, 2009 6:54 pm
Forum: General
Topic: Bridging: Where did forwarding-protocols go on 3.x ?
Replies: 9
Views: 991

Re: Bridging: Where did forwarding-protocols go on 3.x ?

You didn't post enough details of your config for anyone to be able to help.
by JJCinAZ
Fri May 08, 2009 6:52 pm
Forum: Wireless Networking
Topic: Distance Counter
Replies: 9
Views: 987

Re: Distance Counter

Ay 60km with a grid dish? Good luck with that... You would need something like this: http://www.radiowavesinc.com/pdf/5.725-5.850_GHz_Parabolic_Subscriber_Antennas.pdf. Your Fresnel zone is going to be big -- you will need to take that into account. Finally, don't count on turbo-mode working at tha...
by JJCinAZ
Fri May 08, 2009 6:43 pm
Forum: General
Topic: 2 public IP and 2 local IP with defferent gateways
Replies: 2
Views: 390

Re: 2 public IP and 2 local IP with defferent gateways

Here's a stab at it not knowing your specifics.
/ip address
add address=x.x.x.2/m interface=e1-isp1
add address=y.y.y.2/m interface=e2-isp2
add address=192.168.1.0/24 interface=e3-local1
add address=192.168.2.0/24 interface=e4-local2
/ip firewall mangle
add action=mark-routing chain=prerouting new-r...
by JJCinAZ
Thu May 07, 2009 7:59 pm
Forum: Wireless Networking
Topic: Strange Wireless Issue
Replies: 9
Views: 957

Re: Strange Wireless Issue

What's the bridge-mode on the station side set to? Look at the status of the bridge ports when you are in the failed state -- see if that gives you a clue. Also, are your IP addresses assigned to the bridge, the wlan interface, or the ether1 interface? If something is happening to the bridge and the...
by JJCinAZ
Wed May 06, 2009 12:14 am
Forum: General
Topic: VOIP and QOS
Replies: 7
Views: 3008

Re: VOIP and QOS

Well the order of the mangle matters within a chain. The mangle rules are executed multiple times in the packet flow with different chain selectors. For example, in the preroute stage, the mangle rules where chain=prerouting are executed in their order. Then later in the forward stage, the mangle ru...
by JJCinAZ
Tue May 05, 2009 7:52 pm
Forum: General
Topic: VOIP and QOS
Replies: 7
Views: 3008

Re: VOIP and QOS

I would use the following mangles:
0 chain=forward action=mark-packet new-packet-mark=NONVOIPpack passthrough=no connection-mark=NONVOIP
1 chain=forward action=mark-packet new-packet-mark=VOIPpack passthrough=no connection-mark=VOIP
2 chain=prerouting action=mark-connection new-connection-mark=VOIP ...
by JJCinAZ
Tue May 05, 2009 7:45 pm
Forum: General
Topic: Firewall Filter match logging
Replies: 1
Views: 362

Re: Firewall Filter match logging

Not directly. You can duplicate the rule in question (or rules in question), change the action to LOG and make sure the LOG version of the rule comes before the non-log version. That will log the match for that particular rule.
by JJCinAZ
Tue May 05, 2009 7:38 pm
Forum: Beginner Basics
Topic: HELP with public IP
Replies: 2
Views: 521

Re: HELP with public IP

Do you have more than one Ethernet port from the ISP? If not, just add the 217.x.x.16 ... 217.x.x.22 (next time show the CIDR prefix please) to the ether1 interface connected to the ISP. If the ISP is providing you two Ethernet interfaces, add the public's to the ether3 and connect that -- but I dou...
by JJCinAZ
Tue May 05, 2009 7:30 pm
Forum: Scripting
Topic: Advertising in the hotspot
Replies: 3
Views: 12583

Re: Advertising in the hotspot

I want to know step by step how to configure this options and also the scripting options for all this
Maybe someone else would be willing to assist with such details. There are a number of paid consultants which can help you as well. You should take a look at: http://www.mikrotik.com/testdocs/ros/3...
by JJCinAZ
Mon May 04, 2009 8:19 pm
Forum: Wireless Networking
Topic: Strange Wireless Issue
Replies: 9
Views: 957

Re: Strange Wireless Issue

Since you are remote to the site, remember that SAFE-MODE is your friend.
by JJCinAZ
Mon May 04, 2009 7:51 pm
Forum: Wireless Networking
Topic: Strange Wireless Issue
Replies: 9
Views: 957

Re: Strange Wireless Issue

When you are in the failed state, look at the ARP table on the AP side to see if it has an entry for the IP on the other side. If so, see what interface that matches. If you have a bridge on the client side (you should) ensure the bridge is using an admin-assigned MAC and don't let it inherit a MAC ...
by JJCinAZ
Mon May 04, 2009 7:41 pm
Forum: Wireless Networking
Topic: Multicast question
Replies: 1
Views: 468

Re: Multicast question

Multicast on PTMP wireless is treated as Broadcast. Think about it, there is really just one path to all clients -- unlike a switch with multiple paths to clients. This also means that the multicast/broadcast goes out at the slowest Basic rate of the 802.11 device not the fastest because the AP must...
by JJCinAZ
Mon May 04, 2009 7:25 pm
Forum: General
Topic: Update docs for "reset-html", pls (ROS 3.23)
Replies: 4
Views: 817

Re: Update docs for "reset-html", pls (ROS 3.23)

You can have N number of hotspots so it's asking which one to reset. If you had first done a /ip hotspot print command you would have seen numbers listed next to each (just the one in your case) hotspot defined. Try the command /interface print to see the interfaces listed with indices listed next t...
by JJCinAZ
Mon May 04, 2009 7:22 pm
Forum: Beginner Basics
Topic: Basic Routing Question
Replies: 1
Views: 555

Re: Basic Routing Question

Just add the second public IP to the WAN interface on the router and then setup a new dst-nat rule to match on the new public IP, TCP, and port 80 with a to-address of your local IP you want that sent to. I would also add a srcnat rule to catch the return traffic from that host and src-nat that to t...
by JJCinAZ
Mon May 04, 2009 7:20 pm
Forum: Wireless Networking
Topic: Strange Wireless Issue
Replies: 9
Views: 957

Re: Strange Wireless Issue

So you can MAC ping the station from the AP but you can't IP ping the station from the AP, correct? What changed? Yes, I know, "nothing changed" is the standard answer, but something probably did. If you have MAC connectivity and no IP connectivity, then look for an ARP issue. Did you enable proxy-a...
by JJCinAZ
Mon May 04, 2009 7:12 pm
Forum: General
Topic: Can RouterOS Save Queue totals across reboots?
Replies: 3
Views: 471

Re: Can RouterOS Save Queue totals across reboots?

It is not possible to have queue totals saved to disk. You would need to write a polling system (using API or SSH scraping) or a push system (script collecting data and FTP that off the router disk). Search in forums and the Wiki to see what other people may have written. You could also use a system...
by JJCinAZ
Mon May 04, 2009 7:10 pm
Forum: General
Topic: Traffic flow bug
Replies: 33
Views: 9412

Re: Traffic flow bug

I've never had those issues with NTOP (http://www.ntop.org/overview.html) or commercial tools from IPSwitch and others. I can't vouch for flowd, pmacct, flow-tools, etc.
by JJCinAZ
Mon May 04, 2009 7:06 pm
Forum: Scripting
Topic: Advertising in the hotspot
Replies: 3
Views: 12583

Re: Advertising in the hotspot

The Hotspot advertising facility works by temporarily suspending the hotspot authentication of a user on a timer basis and forcing them to go to a URL you specify. If popups are enabled, this occurs automatically on the user's next browser request. If popups are not enabled, the user must click to...
by JJCinAZ
Mon May 04, 2009 7:02 pm
Forum: Wireless Networking
Topic: forgot password
Replies: 5
Views: 1654

Re: forgot password

Try this link to find the Wiki info:

http://lmgtfy.com/?q=password+reset+sit ... krotik.com
by JJCinAZ
Tue Apr 28, 2009 6:15 pm
Forum: Scripting
Topic: Netwatch with latency?
Replies: 3
Views: 1100

Re: Netwatch with latency?

Have you looked at Cacti?

http://www.cacti.net/

If you had an x86 router, you could even try running the Xen package and then you could run Cacti aside the router.
by JJCinAZ
Tue Apr 28, 2009 6:09 pm
Forum: Beginner Basics
Topic: Creating VLAN's for different NAT'd users
Replies: 12
Views: 4378

Re: Creating VLAN's for different NAT'd users

Explain the use of the "PPPTP" [sic] in your first post. Did you mean PPP or PPTP? If you're acting as an ISP and you are trying to route through the public's to your customers AND you have a layer-2 connection to the customer, you can use VLAN's to assign to customers. Then you can either route a /...
by JJCinAZ
Tue Apr 28, 2009 7:39 am
Forum: Beginner Basics
Topic: My RouterOS v3.6 fails
Replies: 1
Views: 369

Re: My RouterOS v3.6 fails

It could not be that RouterOS doesn't work well with d-link switches. Try upgrading to 3.23. Downgrading is not pretty.
by JJCinAZ
Tue Apr 28, 2009 7:38 am
Forum: General
Topic: Bridging question
Replies: 1
Views: 553

Re: Bridging question

The VOIP guy who set up the phone system isn't that bright
You can't throw a dead cat without hitting someone who's clueless about VoIP. Make sure you are not accidentally NAT'ing the traffic moving across the AP. This can occur when you have enabled "IP Firewall" on bridging and you are not specific...
by JJCinAZ
Tue Apr 28, 2009 7:33 am
Forum: General
Topic: is an EoIP tunnel's running?
Replies: 2
Views: 453

Re: is an EoIP tunnel's running?

EoIP tunnels are just GRE tunnels and are stateless. They don't have an "up" or "down". They just encapsulate a packet and send it. If they receive a packet, they unencapsulate it. Look for ARP problem and see if the GRE packets are still arriving at your NAS. We have EOIP tunnels which run for year...
by JJCinAZ
Tue Apr 28, 2009 7:25 am
Forum: Beginner Basics
Topic: Creating VLAN's for different NAT'd users
Replies: 12
Views: 4378

Re: Creating VLAN's for different NAT'd users

For PPTP tunnel users, you do not need VLAN's. You need to setup one-to-one natting for the users after you setup static/reserved IP addresses for them.
by JJCinAZ
Tue Apr 28, 2009 7:17 am
Forum: Wireless Networking
Topic: forgot password
Replies: 5
Views: 1654

Re: forgot password

You'll have to reinstall OS using NetInstall
by JJCinAZ
Mon Apr 06, 2009 1:31 am
Forum: General
Topic: VoIP Passthrough Problem with Mikrotik ROS
Replies: 30
Views: 8312

Re: VoIP Passthrough Problem with Mikrotik ROS

Try capturing the SIP packets from the customer and open the capture file with Wireshark. Notice the SDP message in the SIP Invite and see what IP the device is telling the SIP partner to send audio back to.
by JJCinAZ
Tue Mar 17, 2009 6:59 pm
Forum: Wireless Networking
Topic: unstable ping with nstream
Replies: 27
Views: 6938

Re: unstable ping with nstream

tell me why is it ping stabile on wlan1 after I disable wlan2?
Because of self interference? ROS cannot synchronize the transmit on multiple radios, thus you get self-interference. Maybe break the RB433 into two units with some physical separation?
by JJCinAZ
Mon Mar 16, 2009 7:21 am
Forum: Wireless Networking
Topic: unstable ping with nstream
Replies: 27
Views: 6938

Re: unstable ping with nstream

I agree with jwcn, those ping times with NStream are normal. As I said before in the thread, however, you need to test ping times with a load on the link not just idle. Without NStream, your pretty, non-nstream ping times will go to hell when you load the link. With NStream, a loaded link will be mo...
by JJCinAZ
Fri Mar 13, 2009 7:08 am
Forum: General
Topic: QoS question - quick
Replies: 1
Views: 430

Re: QoS question - quick

You can "slow" packets by queuing them using one of the available queuing disciplines. If and when that queue overflows, it will start to drop packets. Study the queuing disciplines in the documentation.
by JJCinAZ
Thu Mar 12, 2009 7:59 am
Forum: General
Topic: SIP Priority Queues
Replies: 3
Views: 2899

Re: SIP Priority Queues

Here are some quick hints: 1) You mark the SIP connections with your first mangle rule, but then you immediately change the mark to 'other' with the next rule. Maybe you should try passthrough=no. 2) You marked the connections, but you are not marking the packets. Queues work on Packet Marks not Con...
by JJCinAZ
Thu Mar 12, 2009 7:49 am
Forum: General
Topic: How to create multiple EoIP tunnels ?
Replies: 19
Views: 9663

Re: How to create multiple EoIP tunnels ?

IGMP and PIM would be functions of the bridging code not the EoIP tunnel.
by JJCinAZ
Thu Mar 12, 2009 7:45 am
Forum: Beginner Basics
Topic: mikrotik wake on lan!
Replies: 11
Views: 3985

Re: mikrotik wake on lan!

You could setup an EoIP tunnel and then use a remote PC or Linux to send a WOL Magic packet.
by JJCinAZ
Thu Mar 12, 2009 7:43 am
Forum: General
Topic: User Manager and HotSpot
Replies: 5
Views: 872

Re: User Manager and HotSpot

So you rebooted the Hotspot and not the User Manager? I don't have that problem. I too have split the User Manager and hotspots. My User Manager is running on 2.9.51 and has been up for 193 days. My hotspots are almost all 3.13 and a few 3.20 units. Again I haven't had to reboot those to keep them w...
by JJCinAZ
Sat Mar 07, 2009 7:02 pm
Forum: General
Topic: User Manager and HotSpot
Replies: 5
Views: 872

Re: User Manager and HotSpot

Yes! Just point additional hotspot at existing radius server (User Mgr) and add new hotspot to user mgr.
by JJCinAZ
Thu Feb 12, 2009 6:21 pm
Forum: The Dude
Topic: Centralized Authentication
Replies: 1
Views: 570

Re: Centralized Authentication

No it's not possible at this time, but that would be a great feature.
by JJCinAZ
Thu Feb 12, 2009 6:20 pm
Forum: General
Topic: identify packets marked by another MT, is it possible?
Replies: 3
Views: 629

Re: identify packets marked by another MT, is it possible?

Packet marks are really just values in a data structure holding the packet in the router internally. Only the packet itself is sent to an interface not anything else outside the packet (the packet mark is outside the packet). What mknnoc is suggesting is correct for a layer-3 model. In more detail, ...
by JJCinAZ
Thu Feb 12, 2009 6:11 pm
Forum: Beginner Basics
Topic: Can I retrieve data from queue graphic ?
Replies: 7
Views: 1277

Re: Can I retrieve data from queue graphic ?

Setup a separate Cacti server. Really, bite the bullet and you'll be happy.
by JJCinAZ
Thu Feb 12, 2009 6:10 pm
Forum: Beginner Basics
Topic: how to limit every src client to have only 2 connections?
Replies: 17
Views: 2552

Re: how to limit every src client to have only 2 connections?

Yes you can add src-address-list to the rule -- it just adds another "and if" to the logic. My 2-cents on the idea of limiting connections is that you'll just drive up support costs as you break various applications and have to take a support call on it. I rather like the method of bandwidth-jail wh...
by JJCinAZ
Thu Feb 12, 2009 6:04 pm
Forum: General
Topic: 3.18 and BGP w/ full routing tables
Replies: 10
Views: 1468

Re: 3.18 and BGP w/ full routing tables

We run full BGP tables from multiple peers on ROS 3.13 though we don't use the RB1000. Instead we use an Intel 1U platform with multicore CPU's. Lots of memory available and lots of CPU cycles available for BGP work, filtering, and routing. As for the fragment dropping, I believe I tested that with ...
by JJCinAZ
Thu Feb 12, 2009 5:57 pm
Forum: General
Topic: Edge/border router and connection tracking
Replies: 1
Views: 480

Re: Edge/border router and connection tracking

I handled it with brute force -- use a 3GHz host CPU with multiple cores, leave connection tracking on and filter as necessary. Your other alternative is to use another router behind the BGP router for filtering and dedicate the BGP router to BGP work. You can protect that router by disallowing every...
by JJCinAZ
Thu Feb 12, 2009 5:48 pm
Forum: General
Topic: BGP over IPIP: Detect broken connectivity
Replies: 1
Views: 803

Re: BGP over IPIP: Detect broken connectivity

There is no such thing as a session with an IPIP tunnel and no higher protocol keepalives, so yep the tunnel interface is always running. To detect the failure you can do what you have, set the keepalive to 5s. That value is negotiated but is somewhat implementation dependent. Some implementations...
by JJCinAZ
Wed Feb 11, 2009 4:17 pm
Forum: General
Topic: Question about shaping (possible or not)
Replies: 17
Views: 3496

Re: Question about shaping (possible or not)

Macgaiver suggested a good idea to split the work load. I'd also suggest you use a separate router for BGP if you are running full tables. Think about RAID but with routers -- RAIR
by JJCinAZ
Sun Feb 08, 2009 8:23 pm
Forum: Wireless Networking
Topic: Link disconnection on data transfer
Replies: 3
Views: 507

Re: Link disconnection on data transfer

You didn't mention your frequency band, but -87 is probably too low of a signal level in most cases. When you transfer data, the errors go up and the link disconnects. You'll probably see it in the log if you enable Debug level. Get a better signal strength to solve it for good. You can try a quick ...
by JJCinAZ
Sun Feb 08, 2009 8:11 pm
Forum: The User Manager
Topic: Issues with PayPal referral and return to User Manager
Replies: 2
Views: 1151

Re: Issues with PayPal referral and return to User Manager

Do you have the following allowed or bypassed in your walled garden settings? *.akadns.net *.akamaiedge.net *.edgekey.net paypal.*.net *.paypalobjects.com *.paypal.com These are needed for Paypal standard website payments to work because they use Akamai content distribution network. See docs and Wkik...
by JJCinAZ
Thu Feb 05, 2009 4:39 pm
Forum: Wireless Networking
Topic: making PABX local.
Replies: 1
Views: 468

Re: making PABX local.

All Mikrotik can provide you is the capability to bridge the networks at layer-2 or route the networks at layer-3. The capabilities of the PABX's is up to the PABX's and their manufacture, so you would have to ask them.
by JJCinAZ
Wed Feb 04, 2009 9:03 pm
Forum: General
Topic: Feature requests
Replies: 1
Views: 736

Re: Feature requests

You can have multiple saved configs -- see /system backup save/load. There is also something called Safe-Mode (enabled with ctrl-X) which is much more useful IMHO than the startup/running configs of Cisco. There is GRE tunneling with the EOIP interface type. It's not compatible with Cisco's GRE tunne...
by JJCinAZ
Wed Feb 04, 2009 8:56 pm
Forum: General
Topic: BGP international full routes in winbox makes router hang/ov
Replies: 5
Views: 978

Re: BGP international full routes in winbox makes router hang/ov

You could type in 10.10.0.0/16 in your query to find both networks in your example.
by JJCinAZ
Wed Feb 04, 2009 4:33 pm
Forum: Scripting
Topic: Serial port on Mikrotik Device
Replies: 5
Views: 1282

Re: Serial port on Mikrotik Device

Okay, that last reply was quite funny given your signature.
by JJCinAZ
Thu Jan 29, 2009 7:29 pm
Forum: General
Topic: BGP international full routes in winbox makes router hang/ov
Replies: 5
Views: 978

Re: BGP international full routes in winbox makes router hang/ov

1. No that's not a bug. The host CPU is busy creating that list you just requested and possibly sorting it. You could try enabling multi-cpu to take advantage of multiple cores and/or cpu's, but eventually some lock internally will slow you down since some thread of code has to read the list of rout...
by JJCinAZ
Thu Jan 29, 2009 7:19 pm
Forum: General
Topic: Setting Password
Replies: 2
Views: 419

Re: Setting Password

I don't think it's possible and that's on purpose. You could use Radius authentication for users, then you paste on a standard Radius client config to the routers and passwords are only stored on the Radius server.
by JJCinAZ
Thu Jan 29, 2009 7:15 pm
Forum: Scripting
Topic: Serial port on Mikrotik Device
Replies: 5
Views: 1282

Re: Serial port on Mikrotik Device

Not easily done. Search the forums for some kludges. What you really want/need is for Mikrotik to add expect to the router.
by JJCinAZ
Thu Jan 29, 2009 7:14 pm
Forum: General
Topic: ECMP - Load balancing not working properly
Replies: 42
Views: 13171

Re: ECMP - Load balancing not working properly

ECMP does exactly what it is supposed to do. Maybe the Wiki article needs to have more warnings that you have to understand protocols better. The real problem is up at Layer 7 where applications make assumptions about source IP addresses which are incongruent with IP networking. As a network enginee...
by JJCinAZ
Thu Jan 29, 2009 7:00 pm
Forum: General
Topic: Problems with voip, loa balancing issues
Replies: 3
Views: 1189

Re: Problems with voip, loa balancing issues

I can help some. First, disable whatever you're doing for load balancing now and see if the problem goes away. If so, then I would next move to a static load balancing since you said clients I assume you can route client A out connection 1, client B out connection 2, client C out connection 1, and s...
by JJCinAZ
Wed Jan 28, 2009 10:51 pm
Forum: Wireless Networking
Topic: OSPF Changing states: Full to Down..why?
Replies: 5
Views: 1859

Re: OSPF Changing states: Full to Down..why?

Yes, if you have too much packet loss or delay, the OSPF sessions can drop. Think about it, how does OSPF normally detect a dead link?

Should you use dedicated point-to-point links for backhaul? If it makes economic sense, then by all means do that.
by JJCinAZ
Wed Jan 28, 2009 10:47 pm
Forum: General
Topic: Bandwidth on a p4 1,6?
Replies: 1
Views: 413

Re: Bandwidth on a p4 1,6?

The traffic generation takes all the CPU cycles so it's hard to see if the router is burdened with packet generation or packet handling. You really need to setup hosts on both sides of each router and generate the traffic between those to get a real test.
by JJCinAZ
Wed Jan 28, 2009 10:43 pm
Forum: General
Topic: Active/Passive Hardware Clustering Mikrotik ROS
Replies: 6
Views: 1783

Re: Active/Passive Hardware Clustering Mikrotik ROS

You can use VRRP to setup a hot-spare router which will take over in case the first fails. The connection tables, hotspot logins, and other state-dependent things are not dynamically replicated between units. Do a Google search on VRRP for more info.
by JJCinAZ
Wed Jan 28, 2009 10:37 pm
Forum: General
Topic: Block DHCP over EoIP Tunnel.
Replies: 2
Views: 1579

Re: Block DHCP over EoIP Tunnel.

Assuming this is RouterOS version 3.x, IP traffic passing through Bridge does not normally go through IP firewall rules unless you enable that in the Bridge options.

Your DHCP server setup seems flawed to me though. Why are you bridging the sites? Why not route them?
by JJCinAZ
Wed Jan 28, 2009 10:34 pm
Forum: Wireless Networking
Topic: Procedure for loading mikrotik OS on the PC.
Replies: 1
Views: 429

Re: Procedure for loading mikrotik OS on the PC.

Get the .ISO package of RouterOS, burn that on a CD, and boot the target PC with the CD. That will format the hard drive of the target and install RouterOS on it; assuming the hardware is supported. Note that RouterOS does not support SCSI drives so don't try installing on that.
by JJCinAZ
Wed Jan 28, 2009 10:29 pm
Forum: Beginner Basics
Topic: Firewall TCP SYN Issue
Replies: 1
Views: 860

Re: Firewall TCP SYN Issue

Could be lots of things. Did you disable connection tracking in the firewall? Assuming you are NAT'ing, you need connection tracking enabled. Did a host inside the firewall initiate a connection to the host from which the packets are coming? If so, maybe the outside host is responding to a request t...
by JJCinAZ
Wed Jan 28, 2009 8:23 pm
Forum: General
Topic: Problems with voip, loa balancing issues
Replies: 3
Views: 1189

Re: Problems with voip, loa balancing issues

So based on your message, I'll assume you disabled load balancing to see if the VoIP started working. I'll also assume you are using SIP protocol. If you load balance across more than one Internet connection, you have to ensure all the VoIP traffic stays on one. The issues are: 1) The SIP protocol i...
by JJCinAZ
Thu Jan 22, 2009 4:55 pm
Forum: General
Topic: VoIP Passthrough Problem with Mikrotik ROS
Replies: 30
Views: 8312

Re: VoIP Passthrough Problem with Mikrotik ROS

Try a SrcNat using a single public IP for the sip device. A sip call is composed of two separate connections -- the sip call control and the rstp audio streams. You will likely be using different IPs for the srcnat on those and many sip/nat compensation schemes will not like that.
by JJCinAZ
Sun Jan 18, 2009 10:26 pm
Forum: General
Topic: Possible Queue Tree Bug or Documentation problem
Replies: 4
Views: 937

Re: Possible Queue Tree Bug or Documentation problem

Serge,

I don't think the docs ever got fixed.

Joe
by JJCinAZ
Tue Dec 30, 2008 8:49 pm
Forum: General
Topic: Is there an easy to stop the routing of private subnets?
Replies: 1
Views: 549

Re: Is there an easy to stop the routing of private subnets?

Use firewall rules in the forwarding chain to prevent that. Maybe add the RFC-1918 privates to an address list:
/ip firewall address-list
add address=172.16.0.0/12 comment="" disabled=no list=RFC1918
add address=192.168.0.0/16 comment="" disabled=no list=RFC1918
add address=10.0.0.0/8 comment="" dis...
by JJCinAZ
Tue Dec 30, 2008 8:40 pm
Forum: General
Topic: Does Mangle rules slows down the router?
Replies: 4
Views: 1206

Re: Does Mangle rules slows down the router?

The execution of those rules is burning CPU cycles. How they are arranged can be important though. For example, if 90% of your traffic is marked by rule X, then try to put rule X farther up in the chain (assuming no passthrough). That causes 90% of the traffic to not process through the majority of...
by JJCinAZ
Sat Nov 29, 2008 9:55 pm
Forum: General
Topic: Browsing Stucks after few seconds/pages
Replies: 1
Views: 554

Re: Browsing Stucks after few seconds/pages

Maybe an MTU/MSS problem? Search the forums for MTU/MSS and PPPoE to get more info.
by JJCinAZ
Sat Nov 29, 2008 9:50 pm
Forum: Beginner Basics
Topic: UDP NAT & VOIP
Replies: 2
Views: 1193

Re: UDP NAT & VOIP

We run thousands of customers of VoIP through hundreds of ROS routers. Yes, it requires a great deal of knowledge of IP, TCP, UDP, NAT, SIP, RTSP, SDP, and other protocols, but the NAT functions of ROS are not broken. I will tell you that you should not use the SIP NAT helper as it's not good enough...
by JJCinAZ
Sat Nov 29, 2008 9:39 pm
Forum: General
Topic: dns-update problem
Replies: 3
Views: 1900

Re: dns-update problem

OBS: problem only in RB-333, in RB-133 i have no problems
Sounds like an endian bug to me. Maybe you should capture packets from the working RB-133 and then the non-working RB-333 and send those to support.
by JJCinAZ
Sat Nov 29, 2008 9:29 pm
Forum: Wireless Networking
Topic: EOIP Tunnel Question
Replies: 1
Views: 585

Re: EOIP Tunnel Question

While you may be seeing some emergent behavior due to code design, multithreading blocking, interrupt handling, etc. there are no built-in priorities. The EoIP interface takes a packet, encapsulates it in a GRE packet (breaking it into two fragments if necessary) and sends the GRE packets on their wa...
by JJCinAZ
Sat Nov 29, 2008 9:22 pm
Forum: General
Topic: Masquerade only when destination NOT in address list?
Replies: 1
Views: 593

Re: Masquerade only when destination NOT in address list?

You're on the right track but you would need to use
dst-address-list=!private-address-list
and, of course, you would need to have created the correct subnet definitions in the address-lists.
by JJCinAZ
Sat Nov 29, 2008 9:18 pm
Forum: General
Topic: Mangle Rules [Solved]
Replies: 9
Views: 1086

Re: Mangle Rules

If your packet hits an accept, it's done processing the rules in that chain. If that chain is prerouting, then the rules for forwarding and postrouting will also be executed later for the same packet. Accepting the packet in one chain doesn't stop it from running through subsequent chains. Is that t...
by JJCinAZ
Fri Nov 28, 2008 8:11 am
Forum: RouterBOARD hardware
Topic: RB493 as bridge causing packeting loss
Replies: 1
Views: 787

Re: RB493 as bridge causing packeting loss

Never seen that. Try slowing the clock on the CPU in the BIOS (really should only affect 493AH, but it's worth a try). You can also slave the ports together on the 493 and a switch chip in hardware bridges the packets for you.
by JJCinAZ
Fri Nov 28, 2008 8:09 am
Forum: General
Topic: Mangle Rules [Solved]
Replies: 9
Views: 1086

Re: Mangle Rules

Yes. Look at the packet flow diagram. The packet goes through mangle many times.
by JJCinAZ
Fri Nov 28, 2008 8:08 am
Forum: General
Topic: RouterOS - NIC Intel PRO/1000 PT Dual
Replies: 1
Views: 696

Re: RouterOS - NIC Intel PRO/1000 PT Dual

I've used the Intel PRO/1000 MT Dual many times and it works well with ROS. I can't comment on the PT version though.
by JJCinAZ
Fri Nov 14, 2008 4:54 pm
Forum: General
Topic: Eoip through another Eoip
Replies: 3
Views: 771

Re: Eoip through another Eoip

Yes, the EoIP in an EoIP should work just fine. Your overhead will be huge due to the extra 84 bytes per packet. Make sure you have TCP MSS adjustments in place to minimize fragmentation.
by JJCinAZ
Thu Oct 23, 2008 7:15 pm
Forum: General
Topic: GRE and EoIP strangeness
Replies: 4
Views: 1486

Re: GRE and EoIP strangeness

Any thoughts on why the policy route would not use the source IP address I have selected as preferred?
I used to use policy routing on v2.9 to select source addresses for various NAT'ed traffic but I moved away from that method in v3 due to policy routing problems. I haven't had time to sit down an...
by JJCinAZ
Thu Oct 23, 2008 7:50 am
Forum: General
Topic: GRE and EoIP strangeness
Replies: 4
Views: 1486

Re: GRE and EoIP strangeness

The EoIP tunnel is a simple beast. It simply encapsulates a packet and sends it to the destination address. On the receive side it simply receives a packet and unencapsulates it. There is no actual session with the EoIP tunnel. In fact, the EoIP interfaces are always "up" just because of that. There...
by JJCinAZ
Thu Oct 23, 2008 7:42 am
Forum: Beginner Basics
Topic: Configuring a Wireless Bridge connection
Replies: 1
Views: 28393

Re: Configuring a Wireless Bridge connection

Actually the manual does have that example. See http://www.mikrotik.com/testdocs/ros/2.9/interface/wireless_content.php#4.13.21.2 . You can also refer to the Wiki with two articles: http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks and http://wiki.mikrotik.com/wiki/Transparently_Bridge...
by JJCinAZ
Fri Sep 26, 2008 4:58 pm
Forum: General
Topic: Bridging all tagged and untagged vlan traffic
Replies: 21
Views: 25239

Re: Bridging all tagged and untagged vlan traffic

If an interface is captured by a bridge, then the vlan interface needs to be on the bridge.
by JJCinAZ
Sun Sep 14, 2008 8:16 am
Forum: Wireless Networking
Topic: station-wds and wds-slave difference
Replies: 7
Views: 8285

Re: station-wds and wds-slave difference

WDS-Slave is identical to AP-Bridge with the single exception that the WDS-Slave will first scan around like a station to see if it finds an AP with the appropriate SSID and then uses that frequency for running in AP-Bridge mode (yes it's running as an ap-bridge even though you have it set to WDS-s...
by JJCinAZ
Sun Sep 14, 2008 8:03 am
Forum: Wireless Networking
Topic: MAC wildcarts in hotspot and in usermange
Replies: 1
Views: 676

Re: MAC wildcarts in hotspot and in usermange

This would be great to allow iPhones on hotspots as well.
by JJCinAZ
Wed Sep 03, 2008 6:21 pm
Forum: General
Topic: Screwed up my license?
Replies: 11
Views: 2193

Re: Screwed up my license?

IMHO, I believe the software ID is based on the hard drive/storage drive only. If you didn't change the HD, then the software ID shouldn't change.