MikroTik

JohnTRIVOLTA

This seems to be a common pattern, looks like it's pretty much impossible to achieve more than 250-300 Mbit/s real world single client throughput with Mikrotik ac WiFi.
In case you ever manage to break this limit please let me know how you did it

For exemple this test
.

JohnTRIVOLTA

Hi friends, I have a router RBM33G with two full-size mpci-e cards / AR9380 for 2.4GHz and AR9880-WLE900VX for 5GHz /. All works just fine. My laptop have Intel AC7260. The connectivity is perfect at 5GHz ~ 40dBm, but I only achieve about max 300Mb/ps - average 250Mb/ps. I expected some speeds in th...

JohnTRIVOLTA

Fix the channel and change with no EU country for example Canada !

JohnTRIVOLTA

I have a large network deployed with lots of hAP AC2 with CAPsMAN and I have no such problems!
https://i.postimg.cc/3RF708fz/ccr-7.png

P.S.
You ask for AC models only - my mistake! But with old version of ROS about 6.42/3.XX stable , there is no such problem i mean ?!

JohnTRIVOLTA

Maybe the opposite may happen site to site ipsec over ppp connection !
I have already configured such a set up / site to site ipsec over sstp connection with BCP / and a double aes 256 encoding is obtained - the safest tunnel you can set

JohnTRIVOLTA

Synchronize time on routerboard with ntp client or manually ?
With ntp client!!!

NTP . In ROS this is System-SNTP client .

JohnTRIVOLTA

Synchronize time on routerboard with ntp client or manually ?

JohnTRIVOLTA

Check Interface List ... add other bridges in list LAN ?!

JohnTRIVOLTA

The better choice RB4011iGS+5HacQ2HnD-IN

JohnTRIVOLTA

Change this rule:
/ip firewall nat add action=masquerade chain=srcnat
with
/ip firewall nat add action=masquerade chain=srcnat out-interface=ether13WAN

JohnTRIVOLTA

Can you test L2TP ipsec with Multilink Protocol activated - MRRU=1600 on both sides ? Don't use tcp mss clamping - ppp profile set=no on both sites too ! Unsure how to use that setting properly, however with MTU=1420 and MRRU=1600, no clamp in FW nor PPP, I got about 5% less than with MTU=1460. Ser...

JohnTRIVOLTA

After lowering the MTU/MRU to 1420 for L2TP+ipsec to avoid fragmentation, I have some expected results: L2TP+IPSec 280 280 120/120 208 200 80/80 Can you test L2TP ipsec with Multilink Protocol activated - MRRU=1600 on both sides ? Don't use tcp mss clamping - ppp profile set=no on both sites too !

JohnTRIVOLTA

Blocking access to proxies doesn't sound like something that would help much. Unless you have some very strict filtering of all outgoing traffic, any worm will just use either custom ports, or if you block those, then regular https. And you pretty much have to allow that, if those 150 clients shoul...

JohnTRIVOLTA

It really depends on what exactly you need it for and how persistent users you have. Maybe if you block the most obvious servers, they will give up. The major thing against you is that all they need is just one working server. Behind a ccr I have a very sensitive network with about 150 clients. The...

JohnTRIVOLTA

I don't follow what happens in public proxy world, but what I got from Google was all without https, just http. But if you have different sources with https, then it's bad for you, because you can't see what's inside https connection, it's the whole point of https. And collecting address, good luck...

JohnTRIVOLTA

For now, this stops traffic to proxies that do not use https / SSL /. Unfortunately, most of the public are over https ! Тhe only solution for now is that I have to collect their ip addresses in lists .

JohnTRIVOLTA

I don't think you can. You can block some with L7 like this:
Code: Select all
/ip firewall layer7-protocol
add name=proxy regexp="^(CONNECT\\ .*|GET\\ https\?:\\/\\/.*)\\ HTTP\\/1\\."
But it's far from perfect.

Тhank you very much Sob !
I will try it ... I hope I will not block with it another traffic?

JohnTRIVOLTA

Hi guys, I have not found a way to effectively block traffic to public proxies so as not to bypass the rules in the firewall ! If anyone has such a solution, please share their experience ! P.S. I want to ask, if i can add a firewall rule in filter section on forward chain with conten=https and one ...

JohnTRIVOLTA

Your client wireless card may not be configured correctly to use 40MHz channel ?! Sometimes signal noise is the cause of the inability to use a wider frequency length !

JohnTRIVOLTA

Have you forgotten to put a gateway address on the computer to which we forward(dst-nat) the port ?

JohnTRIVOLTA

Thanks JohnTrivolta for replying. I tried that but, I'm running a dhcp server and clients under the bridged interface can't obtain an ip from server. Played around with mtu's but can't get it working. If you have properly configured your BCP, you must successfully expand transparently /L2/ the hots...

JohnTRIVOLTA

When i need some ppp based VPN i use multilink feature instead clamp mss ! You must set the MRRU = 1600 for example on both sides - try it !

JohnTRIVOLTA

Just use L2TP client with BCP on every clients router!

JohnTRIVOLTA

An important difference - cAP AC has separate antennas for each chain /4/ and better wireless performance for that! hAP AC2 has 2 combined antennas for both frequencies!

JohnTRIVOLTA

I think the hAP ac2 / RBD52G-5HacD2HnD-TC / is the right choice !

JohnTRIVOLTA

Don't expect more than 10 mb/ps with AES 128 CBC , the eoip tunnel use lot of cpu resources too!

JohnTRIVOLTA

Since I upgraded to 6.44.*, I currently have patch 6.44.1 and device CCR1036-12G-4S, can not connect Windows 10 clients with IPSEC, get error when trying to connect and I have not changed at all the configuration in the clients or router I have the same problem. I reverted it with version 6.43.13 L...

JohnTRIVOLTA

Does nobody have any Idea ;(

Just set MRRU=1610 on ppp connection on both sides !On the ppp profile dont use Change TCP MSS - put NO .

JohnTRIVOLTA

Sorry this discussion is NOT to include mangling LOL.

Ooo sorry .... by the way, all is clear and there is nothing to discuss, but I will follow the topic .

JohnTRIVOLTA

Requirement: There is only one IP used in vlan55, I want to direct this ip 129.168.55.25 to go out my ether1 cable WANIP. Right now the cable WANIP is my secondary fail over wanip, the primary is fibre bell. For my email on cable I simply create a route rule with the mail server IP as the destinati...

JohnTRIVOLTA

Hello, I managed to configure ovpn connection to my router. I set remote address of some user on 192.168.88.195. He is able to connect with every device in 192.168.88.0 network. How i can restrain his access and allow him only to connect only with one specific IP ? For instance, the user should be ...

JohnTRIVOLTA

So if I put a vpn server under a public ip pc or routerboard I could connect the sxt routerboard to that server and example Android phone to same server and then with this" kind of bridge " see sxt contents with Android phone and viceversa ?

Еxactly !

JohnTRIVOLTA

The ISP say that is possible by vpn. If would not possible to connect outside then why I can access with some proprietary app as synology or xiaomi to my nas or hub.? I think these app create a tunnel similar or equal to a vpn. A vpn tunnel would be as the vpn server goes outside of lan /internet a...

JohnTRIVOLTA

ROS Version 6.X no longer supports WiFi USB adapters ! You can only use Woobm for management purpose or an older version of ROS !

JohnTRIVOLTA

Wow, okay that is good to know. I wonder why hotspot functionality bypasses NAT rules??

This is my question too !

JohnTRIVOLTA

Hello Anav, thanks for the quick answer! I already use these rules and work well, but they do not work on the hotspot network unfortunately. There are clients who put a static DNS address and thus jump my router and resolve to the their DNS. I think there must be some rule/s/ between the dynamic one...

JohnTRIVOLTA

Hello friends. I have a router that has multiple networks and the router has a roll for dns. I have a problem with the hotspot, and can not intercept and redirect the different dns server addresses manually seted from clients. The standard rule can not intercept addresses from hotspots network only....

JohnTRIVOLTA

Where is this export of configuration or at least that of the firewall? I did not see it anywhere, so I am confined to what is specifically asked! Everything else bordered on divination skills and I do not have ones!

JohnTRIVOLTA

That sounds silly JT. What are you trying to accomplish?? VLAN to VLAN traffic is blocked by default at layer 2. VLAN to VLAN traffic is blocked at layer 3 unless you allow it with an allow rule. THe only thing the OP requires is an allow VLAN to WAN rule! Тhis is my answer for pegasus123 - its fir...

JohnTRIVOLTA

I use only one filter rule . First i add all vlans in interface list - VLANs and then put the one filter rule:
/ip fi fi add action=drop chain=forward in-interface-list=VLANs out-interface-list=VLANs

JohnTRIVOLTA

Oh man thank you! I did it wrong first time. Then I tried as you said but I cannot succeed. I made this to show how I did it. but it doesn't change anything .. i think https://ibb.co/RzVRqpW You forgot RUN in schedule : /system script run number=1 But this is not the main setup error. You must chan...

JohnTRIVOLTA

Did you do this?
Аdd the script in the system section - scripts with changed values as desired . Then add a schedule in system - schedule to run the script at a certain interval - an example of 15 minutes. That is all !

JohnTRIVOLTA

Simply set a minimum value /10dbm/ for the transmitting power of the wireless interface in the tx power section - all rates fixed and the script will work! Change the desired values in the script too !

JohnTRIVOLTA

Hello, the things you want can be configured, but you also need to set some settings in location A if you want a L2 level or extend transparently the LAN , if I understood right !

JohnTRIVOLTA

I think your problem is in the balancing mode used /PCC/. In the second router, you do not use balancing, and there is no problem for initiate the connection. For the test, you can stop the wan ports and leave only the wan for ipsec and try it again.

JohnTRIVOLTA

I'm really sorry. I have only seen the beginning of both configurations without scrolling them!
Now, when I look at the config, I think that the traffic that is between the two networks should be marked to be exactly where / which WAN port / will come out for balancing!

JohnTRIVOLTA

really hoping someone can point out what I'm doing wrong

I cant see any IpSec IKE2 Site to Site configuration ! You may have set up some L2TP with IpSec ppp connection and routing the networks on it - do you have any routes for them in both places ?

JohnTRIVOLTA

I think this rules will work : /ip firewall address-list add address=192.168.0.1-192.168.0.100 list=100private_addresses #just add your private ip addresses in address list# /ip firewall nat add action=accept chain=srcnat src-address-list=!100private_addresses add action=netmap chain=srcnat src-addr...

JohnTRIVOLTA

Hi
Can you please help me how to do Dynamic nat of apporx 100 private ip with /24 public ip pool . thanks

Use NETMAP for source nat !?

JohnTRIVOLTA

Try Debug and then russia2 for other frequencies .

Search found 180 matches