MikroTik

cmit

To question 2):

Yes, MikroTik IS based on Linux.

The new web-proxy is developed from ground up by MikroTik, IIRC. But that has more or less nothing to do with the question if it's based on Linux?!

Best regards,
Christian Meis

cmit

duh, how come you can post then? nothing has been down, new messages appear all the time.

The "was" in my message should have said enough - it's (of course) working now again

Best regards,
Christian Meis

cmit

I THINK he meant to activate HotSpot on the system, and modify the login page (which has not be a login page after all - it could just be a static page saying "Go away"). But I would not activate HotSpot just for that purpose - too many possibly undesired side-effects in my opinion... Best...

cmit

For me it was down since yesterday afternoon (CET)...

Best regards,
Christian Meis

cmit

You have to swap rules 3 and 4 in your mangle rules - the one putting packet-marks on all packets from a connection has to be last! This will only prioritize the DNS requests (i.e. outgoing DNS queries), as you are mangling/packet-markting according to DESTINATION port 53. So the counter behaviour y...

cmit

You could a) restrict access to the web interface (using the address range limitation of "/ip service" or the firewalling features) b) disable the www service (/ip service). Option b) doesn't hurt, you only cannot download the winbox.exe file from the router, if you would need it. With 2.9...

cmit

Well, I have no practical experience with such long distance links (and regulations here in Germany do surely not permit the necessary EIRP ;) ), but in theory there should be no unsolvable problem. Not too long ago two guys made a 279 km WiFi link (see here: http://www.wilac.net/modules.php?op=modl...

cmit

For completeness, you should also mangle the TCP variant of DNS. Just add another mangle rule to write a connection-mark, and put it BEFORE the rule placing the final packet marks: So just add the following: / ip firewall mangle add chain=prerouting protocol=tcp dst-port=53 action=mark-connection \ ...

cmit

Very surely not native, i.e. in one device. As MikroTik still does not support any ADSL modem, the only way to achieve this would be to combine at least two separate devices into one case, i.e. an ADSL modem and a MikroTik system. But I think that's not what you are looking for... Best regards, Chri...

cmit

As has been written here by MikroTik guys several times: The first public betas are planned for this autumn. You won't get anyone to name a release date right now. I personally wouldn't hold my breath for it... Example from the 2.9 development: The first beta came out in July 2004, the first relase ...

cmit

A colleague just had a similar problem. He was using the MAC-WinBox protocol (i.e. connecting not via ip address, bus via mac address to the RouterOS box). Using ip to connect solved all speed issues. I myself have run into issues from time to time with the MAC level protocols in RouterOS. As those ...

cmit

And not only that - at least for the response time for the forum dropped dramatically. Something seems to have been speed up

Best regards,
Christian Meis

cmit

Fine here, too!

Thanks, Normunds.

Best regards,
Christian Meis

cmit

And I thought something was wrong with me

Christian

cmit

Strange - but I have a spare mouse at hand, just in case the current one won't survive today because of this

Best regards,
Christian Meis

cmit

Perhaps they were testing the parallel processing for the new dual-cpu support in 3.x?

If yes, MikroTik will have to rework the synchronisation part of that

Best regards,
Christian Meis

cmit

Is it just me, or do you also experience this: I have to click every link/button TWICE in the forum for the page to reload or whatever I want to achieve. I do have this from several systems with different browsers. Is this some micros**t-ish "embedded confirmation dialog": Are you SURE you...

cmit

It will work fine for a point-to-multi-point network (and is what NStreme was designed for, amongst other - to work around hidden station problem etc.). The only thing (rather obvious) to observe is that all your clients have to MikroTik, too (and be configured for NStreme)... Best regards, Christia...

cmit

You at least have to configure NAT/masquerading, like this: /ip firewall nat add chain=srcnat out-interface=wan action=masquerade . And you don't assign a DNS server to your clients, so I suppose you will have a hard time doing anything with name resolution - i.e. practically everything. Best regard...

cmit

ROTFL - that was a good one

Best regards,
Christian Meis

cmit

Are you REALLY sure you are still masquerading your outgoing DNS requests?

Best regards,
Christian Meis

cmit

Double-no ...

Best regards,
Christian Meis

cmit

So now your Windows client (replacing the Cisco) must have a route to the subnet of client1 (or its' default route to the MikroTik)...

Best regards,
Christian Meis

cmit

Sorry, no Cisco guy

Have thrown out the last Cisco years ago.

But should be something like

ip route  192.168.10.0 255.255.255.252 192.168.10.253

or the like...

Don't you have a reference manual for the Cisco?

Best regards,
Christian Meis

cmit

You need to configure a route in the Cisco telling it to reach the subnet 192.168.10.0/30 over gateway 192.168.10.253!

Best regards,
Christian Meis

cmit

Then it probably is the missing route on the Cisco...

Best regards,
Christian Meis

cmit

Does the client have a default route to 192.168.10.2?

Does the Cisco also have a /30 netmask?

Best regards,
Christian Meis

cmit

Without using additional "help" (like WINS server, LMHOSTS file), windows machines can only communicate in the same subnet. So you would have to bridge you two LAN interfaces and use one common address space, for example...

Best regards,
Christian Meis

cmit

Beware of the difference: The access list is used for an AP interface, controlling which clients you want to be able to connect (or to deny access). The connect list is used on a wireless client (!) interface to control to which APs you want to connect. So: An AP interface will not use the connect l...

cmit

Aaah, now that sounds more like the old script-Eugene I know...

Best regards,
Christian Meis

cmit

I suppose he meant that changing (for example) the users' bandwidth assignment via changing the profile. But I agree with Sten that changing this on the fly would possible create to much trouble. And after all, switching profiles might mean that the users' ip address could change, which wouldn't wor...

cmit

Right now I don't have any RB532s left in the office, but installations at customer locations often do use ether2 for client connections, and those are the ports that are also labeled ether2 on the case...

Best regards,
Christian Meis

cmit

I personally have never seen such behaviour on a RouterBoard.
This can happen if you swap the physical network interfaces (like changing PCI nics), but this is hard on a RB532...

Best regards,
Christian Meis

cmit

Our director not allowed to use 5 or 10 ghz .In our country this frequency licenzed and most compnies using it.

He didn't write to use 5 or 10 Ghz frequencies, but 5 or 10 MHz channel bandwidth!

Best regards,
Christian Meis

cmit

I suppose what you want is to make long http downloads slower and "normal" websurfing (web browser) quick? As - like Normunds said - there's no technical difference between the two, the only thing you could do is use the bursting feature. Using that (you'll find several examples for it her...

cmit

It's really frustrating... When you want someone to help you here (which most guys do in their SPARE TIME, for free and for fun!), you have to describe your problem in a sensible way so that someone not knowing what's inside your mind can understand it. Just telling "I'm using Ethernet" do...

cmit

Max-Session-Time is not what you are after if used alone. This attribute tells RouterOS how long one "login" may last, i.e. if the user is allowed to have at most 1 (continuous) hour being online. This does however not stop him from logging in again immediately. What you are after has to b...

cmit

Ah - that was not really clear from your post.
What kind of wireless gear is between the boxes? Is this a routed or bridged wireless connection?

Best regards,
Christian Meis

cmit

That won't work out of the box. You cannot bridge a wireless station interface in RouterOS.
You have to use WDS for that. There are several examples on how to achieve a transparent bridge in RouterOS in the docs/wiki/forum.

Best regards,
Christian Meis

cmit

Make sure that - the PC netinstall is running on and your router are on the same layer 2 network - netinstall has the "boot from net" option enabled (can't remember it's real name right now...) - the RB is configured to boot from LAN (first) I've had some strange problems sometimes with a ...

cmit

Probabily , or probabily not ..... depend from answer .. you answer is not correct ( the first answer )

Just for completeness: Which answer is not correct?

Best regards,
Christian Meis

cmit

Marco, I don't know how other vendors are doing it, but I know of some code to accomplish this under Linux. You have to do MAC-NAT, inspect (and change on the fly) ARP requests/answers etc. to get a "real" transparent bridge. @MikroTik: Perhaps MikroTik would want to take a look at this co...

cmit

Zong,

version 2.9 has a completely reworked hotspot, which is configured totally different than in version 2.8 etc.

Read the manual on this - I think it's explained quite good there.

Best regards,
Christian Meis

cmit

Sleep well

Best regards,
Christian Meis

cmit

I see. It seems the order of your mangling rules is creating this problem. My examples always do it like this: - create a connection-mark for specific conditions (like protocol=tcp, dst-port=80 to mark a http-connection), with passthrough=yes - the next (!!) rule is the rule to mark all packets in t...

cmit

You only should have passthrough=yes for the rules with action=mark-connection. Rules with action=mark-packet should have passthrough=no in your case!

Best regards,
Christian Meis

cmit

Dmitry isn't actually marking packets in this example, but only creating connection-marks. Then it's right to have passthrough=no. In your example you will have to have passthrough=yes on the rules to mark connections, and passthrough=no on the rules that mark all packets belonging to a certain conn...

cmit

I think that you don't understand question. And is not a protocol limitation , but a routeros limitation , other os work. (...) Now , the question in simple mode for you can understand better: I don't want to argue with you. Being rude to people here on the forum will probably not get you more answ...

cmit

I'm not sure I understand what you want to achieve. If your want to dst-nat every outgoing SMTP connection so that just the dst-port is changed to 2525 (and the destination address is leaved unchanged), you would have to use 1 ;;; EMAIL chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=2...

cmit

If you actually want all your clients' outgoing SMTP traffic to the server 64.151.x.x, your first dst-nat rule should read like this: 1 X ;;; EMAIL chain=dstnat src-address=192.168.5.0/24 protocol=tcp dst-port=25 action=dst-nat to-addresses=64.151.x.x to-ports=2525 (and then, of course, not disabled...

cmit

Standard question, standard answer:

You can NOT bridge a wireless station (protocol limitation). Use WDS for that.
And PLEASE learn to use the search function of this forum - this question has been asked way too often already...

Best regards,
Christian Meis

cmit

Done

Best regards,
Christian Meis

cmit

"/tool netwatch" lets you ping ip address and execute scripts on up/down events...

Best regards,
Christian Meis

cmit

Then I'm out of ideas.

Do you perhaps have a chance to install the same card in another PC and try to run RouterOS there (just to see if it's recognized there)?

Best regards,
Christian Meis

cmit

And (if this hasn't changed in the very latest version) know that the user-manager can only be configured from the terminal/console, not via WinBox (until now).

Best regards,
Christian Meis

cmit

As long as connection-tracking is enabled (which it is by default), there's usually no need to configure the "reverse route".

Perhaps post your complete ip address config, ip routing and nat config?

Best regards,
Christian Meis

cmit

Eugene: So I understand that the fact the a queue is a child of another queue will automatically only treat traffic that is falling into it's parents' queue? So marking traffic only as "HTTP" (opposed to marking it as "HTTP for client A") does not lead to problem here? Best regar...

cmit

And you do have the wireless package installed and enabled? ("/system package print")

Best regards,
Christian Meis

cmit

Sorry if this sound stupid, but did you check that you have a license including wireless and actually have the wireless package installed and enabled?

Best regards,
Christian Meis

cmit

You could implement something like this using the burst features of MikroTik queueing. With that could give a higher bandwidth for the first seconds of a HTTP connection (i.e. for browsing) and limit the bandwidth for longer HTTP connections (i.e. downloads). Read more in the docs here: http://www.m...

cmit

If it even doesn't show up in the PCI resources, you should look for things like

a) BIOS configuration
b) physical installation (is the card firmly in the PCI slot?)
c) defective card (have another one to try?)

Best regards,
Christian Meis

cmit

You can configure the hotspot to allow the free trial users and assign a special profile for the trial (free) users (limiting to 5 kb, for example). If you configure "normal" hotspot users, those will of course be able to use your service without limitations (or only the limitation you imp...

cmit

OK, now I got what you want to achieve... dumb me! I haven't tried this myself, but could imagine the following could work: Mark the packets as in my previous example, so that you have packet-marks on all packet for "client 1, HTTP", "client 1, DNS" etc. Then create a simple queu...

cmit

Yes, it will. I wrote that and was under the impression that you want to achieve exactly what you get with this: packet-marks for every combination of source address and "protocol", to queue all those per user AND protocol.

Best regards,
Christian Meis

cmit

The hotspot "trial user" feature of RouterOS does exactly this! See the MikroTik Hotspot docs: http://www.mikrotik.com/docs/ros/2.9/ip/hotspot . If you put "30m/1d" as value for the trial-uptime parameter and active (only) the trial login method, each user (which is identified by...

cmit

Something like that? (From memory, check syntax...) /ip firewall mangle add src-address=xxx.xxx.xxx.xxx/32 action=mark-packet new-packet-mark=from_xxxx passthrough=yes add packet-mark=from_xxxx protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-conn-from-xxxx passthrough=yes ad...

cmit

Sorry, I did not really read all of your rules completely - my bad. You should create a connection-mark based on some "protocol identifiers", like "TCP, dst-port 110". The rule after that should create the packet-mark, but just based on the fact if that packet belongs to a marked...

cmit

I have never used D-Link cards myself.
The D-Link website only has a "DWL-G520" no "DWL-520". That DWL-G520 should be Atheros, but I seem to remember that someone on the forum also had problems using this card - use the search function...

Best regards,
Christian Meis

cmit

Every rule where you set a packet-mark should have its' passthrough set to no in your example. So packets already marked do not pass the mangle rules further down. You passthrough=yes makes every packet traverse the following mangle rules also, and every packets is (again) matched by the last rule, ...

cmit

Just create a last (position is important!) mangle rule to mark all packets with a packet-mark of "the_rest" for example. Then every packet that's not already mangled before (take care of your passthrough=yes/no settings!) will get marked with "the_rest". You then can queue those...

cmit

Hmmm, your decision...

Best regards,
Christian Meis

cmit

What kind of D-Link cards?
Are they on the list of supported hardware on the MikroTik website?

What does "/system resource pci print" say?

Best regards,
Christian Meis

cmit

cylent, your first mangle rule should have passthrough set to "yes", otherwise no packets will get a http packet mark, so nothing can be possibly queued furtheron. So it should read 0 chain=prerouting protocol=tcp dst-port=80 action=mark-connection new-connection-mark=http-con passthrough=...

cmit

That might very well be the case...

The layer 2 approach will only work if you're on the same physical network segment with your router (i.e. "at home") - sorry for that confusion...

Best regards,
Christian Meis

cmit

Have you disabled telnet/ssh in "/ip services", by any chance?
Or does a firewall rule reject those connections?

Tried to do a layer 2 (MAC-telnet/MAC-WinBox) connection?

Best regards,
Christian Meis

cmit

Hi Allesio, sorry, but I REALLY cannot imagine that this is correct. I read the page you quoted (in broken-Google-english ;) ), and it really references this Gateworks product. But this REALLY is based on a XScale CPU, and I am very sure that there is NO XScale version of MikroTik. Perhaps someone f...

cmit

Really, I think WinBox encryption should be good enough, but anyway: Let's take PuTTY as SSH client in this example. Open PuTTY, enter the destination address (your RouterOS ip address), but do NOT click the "Open" button to connect yet. In the left options tree go to "Connection => S...

cmit

Hi Michael, you can create bandwidth limits quite simple for PPTP connections. Every PPTP client is assigned to a PPP profile, where you can configure simple rate limiting options. (PPP profiles docs see here: http://www.mikrotik.com/docs/ros/2.9/guide/aaa_ppp.content#13.4.2.1 , see parameter "...

cmit

Be careful - SIP and H.323 are two different protocols.

I don't know of any cards that could be plugged into a RB500 and are supported by RouterOS.

Best regards,
Christian Meis

cmit

Hi Peter, you might want to invest some time using the search function for this forum. There is plenty of content on this topic. WiMax support is planned for some future release, but nothing really decided yet, if I read MikroTik correcty. The 900 MHz cards from Ubiquiti are supported. The Ubiquiti ...

cmit

If you want to connect to two different wireless networks at the same time, you will need two wireless interfaces in your client...

Best regards,
Christian Meis

cmit

Those are based on XScale CPUs, which are not currently supported by MikroTik. And every question if those will be supported, was a clear "no" so far...

Best regards,
Christian Meis

cmit

Not yet...

Christian

cmit

I would say just returning a VERY low TTL (like only a few seconds max) should make this a non-issue. At least, if the clients implementation isn't broken. Clients not correctly interpreting the TTL value (and forgetting the cache entry after that few seconds in our case) could run into problems. Bu...

cmit

Action "redirect" always redirects to the local router itself - you have to use action "dst-nat" for that...

Please read the manual

...

Best regards,
Christian Meis

cmit

Set "default-forwarding=no" on your wireless interface...

Best regards,
Christian Meis

cmit

Hi GJS,

I have thrown together a small but effective (still experimental

) Windows executable that does just this - works as a DNS server and returns the same ip address for all A queries.

If interested, contact me offline (info at cmit dot de)...

Best regards,
Christian Meis

cmit

Your description of your first EoIP tunnel try reads good - create EoIP interfaces with the ip address of the adjacent wireless interface as then "remote-address". Then bridge The EoIP interface on each system with the ethernet interface, and you should be set. Things to watch out for: - G...

cmit

Look here: http://wiki.mikrotik.com/wiki/Transpare ... o_Networks for a how-to (using WDS, not EoIP).

If you really want EoIP - that's not too hard, too, but has a bit more performance overhead than WDS.

Best regards,
Christian Meis

cmit

Hi Sten - yep - I was thinking of our chat about this when I finally made out the reason (disabled conn-track)...

Does work with conn-track on though, so ...

Best regards,
Christian Meis

cmit

Yep - and that makes any mangle rule with connection-marks behave, well, let's say.... strange

Best regards,
Christian Meis

cmit

Hmmm, just stumbled across this when trying to introduce some basic traffic shaping/priorities on a bridge just filtering out NetBIOS and some other protocols until now. Somewhen I must have disabled connection-tracking on that system, and was wondering why the mangle rules (using connection-marks) ...

cmit

What "server" do you restart? Your MikroTik? Or something else?

Best regards,
Christian Meis

cmit

Could very well be interference then... Can you try to use another frequency?

What other wireless activities does a site survey/scan show you?
What is your CCQ/noise level?

Best regards,
Christian Meis

cmit

As the CCQ is a measurement of your network connection/signal quality, you would have to improve your signal quality. How to do that depends on the situation: - change frequencies to avoid interference - better/shorter cables - better antennas - using only lower data-rates on the radios, like only u...

cmit

Surely not

But I cannot answer details to this question - this would be left to MikroTik. For the moment it seems to be a fact that you may only have one interface active when using MAC level connections to your RouterOS devices.

Best regards,
Christian Meis

cmit

My experience is this: Any MAC-level protocol (MAC-WinBox, MAC-Telnet) does only work if you have only ONE (active) network interface on the machine WinBox is running on. Connections to a router using an IP address (of course) always work. I suppose this has to do with the fact that the MAC-level pr...

cmit

Yeah - sure. No problem, just install the same way as to a regular hard disk. We have lots of systems running on IDE-DOMs (the same thing), and you can even purchase those directly from MikroTik with the software already installed...

Best regards,
Christian Meis

cmit

Is the http service active under "/ip services"?

Best regards,
Christian Meis

cmit

Bump...

Just stumbled across that in a customer situation again, too.

Any chance to get this added soon? Can't be too hard...

Best regards,
Christian Meis

cmit

Uldis,
can you describe what the problem actually is, please?

Best regards,
Christian Meis

cmit

What does lead you to the suspicion that this is caused by the BRIDGE code?

Best regards,
Christian Meis

cmit

Could you be more specific and explain what problem you are seeing, your config, ...?

Best regards,
Christian Meis

cmit

Paid your bills?

Sorry, couldn't resist...

Best regards,
Christian Meis

cmit

It works for me...

Best regards,
Christian Meis

cmit

Why are you putting the wlan interfaces into bridges? Or is there some other interface in each bridge (like an Ethernet interface) which you just didn't mention? Apart from that you have to give us more detailed information on how you have configured things. For example: Wireless AP config (why shou...

cmit

Port 80 isn't needed anymore for a WinBox connection. You just would have to enable it to download the Winbox.exe itself. And if you feel WinBox communication with the RouterOS machine isn't secure enough and you like SSH, you can always tunnel your WinBox connection over a SSH connection :D ... Bes...

cmit

Hei Lee - that did the trick, thanks a lot!

RouterOS is booting now. Never did try disabling USB, because I was working on the local console via a (necessarily) USB keyboard and installing from an USB CD-ROM drive...

So piwi- go ahead and buy them

Christian

cmit

Hei piwi3910, we are using several different Portwell systems successfully too. But one model - the NAR5060 - simply refuses to boot MikroTik. I can run about every other OS I can think of, but MikroTik simply does NOT boot. No matter if I use a IDE-DOM or the onboard CF slot. Do you happen to have ...

cmit

Unfortunately I don't think you can get RouterOS to do this. Having to place a separate box at each location would be the cost of it, but clearly the only way, as it has to be available when you're offline. On the other hand something like a RB230/RB500/LinkSys WRT54G whatever would probably suffice...

cmit

I once was tempted to try the following (but never actually did): You COULD run a local DNS server that answers EVERY request with a dedicated ip address, may be the one of your hotspot. I'm quite sure it shouldn't be to hard to get this part running. Then the script detecting your uplink is down an...

cmit

No offense intended. I myself did something similar using the chat room several times

Christian Meis

cmit

That shouldn't matter in any way. As long as your routing config is good, it can be whereever you want it to...

Best regards,
Christian Meis

cmit

Unfortunately not, I think.

I would, too, really love to ability to send text to a serial port (from a script)....

Best regards,
Christian Meis

cmit

The queue types names are all "http" here (copy and paste

) - beware to adjust them to rdp/smtp/http respectively...

Best regards,
Christian Meis

cmit

Interesting way to do e-mail communicaton

SCNR

Christian Meis

cmit

If you don't have anything in "remote address", the router (PPPoE server) doesn't know what ip address(es) to hand out to connecting clients. So the error message is perfectly legitimate and that definitely was the cause of your problem. What led to this change (that remote address was emp...

cmit

200W? Do you grill your sheep with that?

Christian

cmit

4w's for 2.4

Humph!

200w for 5.725 to 5.825 PtP

Aaargh!

Best regards,
Christian Meis

cmit

It's not very difficult to bind outgoing HTTPS traffic to a specific WAN port: mangle it, policy-route it...

Best regards,
Christian Meis

cmit

OK, let me try to get this done from some short notes - don't have access to the system my tests are on :( ... My script worked by assigning every user to a dedicated uplink (that was required by the customer). This way you will absolutely be sure that the user will go out with the same source ip ad...

cmit

I had similar things on two boxes running 2.7.x back then sometimes ;) This symptom only appeared after roughly about 200 day of uptime and was also solved by a reboot. Haven't seen it since then on any of my boxes. I SUSPECT a memory leak was the culprit back then, but can't confirm of course... Be...

cmit

If one of the link goes down does it mean that some traffic won`t be routed at all. I surely hope to find the time to dig out and polish up my example. But in the mean time: It was working practically the same way (by adding new src-addresses to address-lists, but with a lower address-list-timeout)...

cmit

The problem with the setup discussed here is (could be) the following, if I'm not completely wrong: For "normal" internet usage this will work. But it WILL eventually send out connections from the SAME user over DIFFERENT uplinks. If you are now using a web application (like online banking...

cmit

Have you thought of the "usual suspects"? I.e. if you are connected to the router via an interface (an its' ip address) and put that interface into a bridge, it's NORMAL to loose ip connectivity (shortly), because a) the MAC address for that ip might change and b) the bridge will put inter...

cmit

As you are advised to configure it via console (just not via WinBox) I'd say it's obvious that the announced problem is not with BPG itself, but with the WinBox interface...

Best regards,
Christian Meis

cmit

No, that was a "2.10", so the next major release...

Best regards,
Christian Meis

cmit

And if your names resolve to changing ip addresses (like dyndns names), or belong to big websites (server clusters/load balancers/content delivery networks/... with multiple ip addresses) then you do have a problem... You HAVE to use ip addresses to configure firewall rules. So depending on what you...

cmit

... Perhaps someday...

Best regards,
Christian Meis

cmit

Do you want a beer and dinner with that as well? A whole section in the manuals, dedicated *just* to this... If I would pretend not to know about masquerading - would I qualify for another beer (and the dinner), too? :D Oh my, I fear the travel costs to Cape Town could ruin that good deal... :P Bes...

cmit

It's more because MikroTik doesn't really care about developing Prism/Hermes support very much these days. The focus clearly is on Atheros based cards. And if you look around here in the forum you'll find that MOST people do you Atheros based cards nowadays. Not meaning to comment on the quality of ...

cmit

The "ip services" menu does only affect which services run ON your RouterOS device (i.e. if you can telnet TO your router, or if you can access the web interface (HTTP)). It has nothing to do with traffic going through the router. As you haven't given any config information, it's hard to h...

cmit

I'd say that's sensible. From the RADIUS servers' point of view, the routers' request are coming from localhost (127.0.0.1), and from the routers' point of view he can reach the RADIUS server on localhost. So that's perfectly sensible (and does indeed work, as you already noted). Best regards, Chris...

cmit

Ehm, WPA2 (PSK) with TKIP and/or AES-CCM is available for quite some time now... What exactly do you miss?

Best regards,
Christian Meis

cmit

This is RadioMobile (freeware):
http://www.cplus.org/rmw/english1.html

Best regards,
Christian Meis

cmit

I think the things needed by many people would be a report where you select the user and then get a report on all "financial" transactions (like credit added etc.) and another one as usage report (include all sessions for that user).

Best regards,
Christian Meis

cmit

Nice one, Sam.

Wouldn't have been to hard for MikroTik to point out this feature - I (and several others) have asked for that for a long time, and always only got answers like "maybe later"...

Best regards,
Christian Meis

cmit

No, not easily. MikroTik will take over the whole harddisk at installation time. You could probably get something going on a system where you can hide/unhide complete harddrives, but ... Or you could run MikroTik in a virtual machine. VMware does work - read the forums, there are some reports on thi...

cmit

Nice! Looks quite complete for a basic config if you ask me.

Best regards,
Christian Meis

cmit

What exactly do you want to authenticate? The Windows logon? I don't get it, I suppose. I thought you wanted the laptops to connect to the AP, and the be able to log on "for internet usage" using their Active Directory username/password? If yes, they should enter those credentials into the...

cmit

We ended up terminating each connection with a dedicated router and the work with routing to those (using a transfer ip net) in a similar situation.

Not very elegant...

Best regards,
Christian Meis

cmit

OK, forget that one.

The debug messages for the user-manager just started to show up in the log correctly. Somehow my SSH session that was open in parallel with a "/log print follow" didn't show them - I only saw them in WinBox on another screen...

Best regards,
Christian Meis

cmit

Can you change the reporting feature so that you can select a user and have to report just include this user?

Best regards,
Christian Meis

cmit

How does the user-manager treat accounting data? Is it purged after a certain time, can we configure that time, can we manually delete acct data older than X, ...?

Best regards,
Christian Meis

cmit

Is the system logging topic "manager" the right one to create log rules for usage of the user-manager?
I created a rule with topic "manager,debug", but only get some sparse log entries for "system,info" when adding a new user, for example.

Best regards,
Christian Meis

cmit

I configured a user with a prepaid time of 2 hours. Used that to authenticate a SSH login to the RouterOS machine. After finishing a short session (duration 48s, displayed correctly) I'm displayed a remaining time of "1h:58m:57s" ???

Best regards,
Christian Meis

cmit

I fear that's not possible. As RouterOS always want the route (and that includes the default route) to be configured by entering the next hops' ip address, this won't work (as the gateway is the same on both uplinks). This WOULD work, if you could configure an interface based default route like Linu...

cmit

When extending the time for a user in the users list (not the detail view), the prepaid time is not refreshed and still shows the old value. You have to reload the page yourself to see the new values (by reloading, sorting by another column or the like).

Best regards,
Christian Meis

cmit

If I don't misunderstand you intentions, you could run a HotSpot on the MikroTik AP configured to authenticate via FreeRadius. Then set FreeRadius to authenticate the users against the Active Directory (which should be possible, but I haven't tried or even made sure that it can do that. But some RAD...

cmit

Well, of course.

But I think that should be our responsibility. If you REALLY f**k up that way, you (or I

) will have to reinstall via netinstall.

But having the feature would definitely be a good thing!

Best regards,
Christian Meis

cmit

Actually this does NOT solve the issue, which is a feature request I mention for (probably) years now ;-). It would be VERY (VERY VERY) handy to be able to put a script file on the router that will be executed exactly once after a "system reset". That way we could put either a "factor...

cmit

Search the forums. There's a description of the command to add user accounts to access the user manager (sorry, don't have it off hand). The user accounts used to authenticate are NOT the normal RouterOS accounts. And there are no default accounts, you have to CREATE at least one first! Best regards...

cmit

Well, I can assure you that RADIUS integration is working quite well (and several other forum users will probably state the same). This most probably is some problem with routing, firewalling or the like prohibiting communication between your MikroTik and the RADIUS server. Best regards, Christian M...

cmit

You already have a log entry in the clients' log stating "unclean reboot because of power failure" or something along that lines if it was a un-clean shutdown. You could just look into the log of the client (which you probably can arrange access to)...

Best regards,
Christian Meis

cmit

time is in seconds, octets = bytes

Best regards,
Christian Meis

cmit

I'd say the last two are more the number of packets?

Best regards,
Christian Meis

cmit

That's probably the countdown-timer for your warranty time :D ... Just kidding, but I haven't ever heard a radio card make any kind of noise (although I haven't put my ear near a 400 mW card...). Are you sure it's from the card itself? Does it do this only when there's traffic, or also when it's idl...

cmit

Why not just use the "real" hotspot feature of MikroTik for this? There's no need to actually have user accounts etc. - you could also just display the "login" page as a welcome page and have a button "go on" there (which would log the user in without further interactio...

cmit

MikroTik states that it works:
http://forum.mikrotik.com//viewtopic.php?t=7007...

That enough?

Best regards,
Christian Meis

cmit

I tend to agree with Wildbill...

Best regards,
Christian Meis

cmit

Perhaps if you could tell me how the AP 2000 does it, or what is so special that you want to achieve? I don't know the AP2000.

Or someone else can help?

Best regards,
Christian Meis

cmit

Well, I can think that your post will probably have something to do with destination NAT. But if you would post in English, you probably would get more help

Best regards,
Christian Meis

cmit

Correct me if I'm wrong, but you give out ip addresses from the 10.10.3.0/24 pool to disconnected users, and your dst-nat rule is looking for ip addresses from 10.10.2.0/24....

Best regards,
Christian Meis

cmit

"Me too"...

Best regards,
Christian Meis

cmit

So, anyone who has not contacted me via e-mail (Arco, Mike, Nuru, Dibatech?) just drop me a line at info at cmit dot de.

All others should have their eval version in their mailboxes...

Best regards,
Christian Meis

cmit

You webserver at 10.10.10.3 will get the HTTP requests as the clients sent them. I.e. it will be queried for webpages like http://www.yahoo.com, http://www.microsoft.com, http://www.you-name-it.net. Is your webserver config prepared to handle that? (I.e. IP-based HTTP hosting, not using any hostname...

cmit

You could also monitor the license expiry date via SNMP. Then your management system could warn you in time before a license is expiring.

Not sure if you can create an alarm using The Dude for that...

Best regards,
Christian Meis

cmit

Some more config information could help a lot:

- How are your wireless interfaces set up?
- How are ip addresses configured? Routes?
- Firewall rules?

Best regards,
Christian Meis

cmit

Yep, I changed virtually everything in the system. So the only constant would be something like RouterOS not liking the chipset on the mainboard or the like.
I don't have the system at hand, and will only be in office again on Friday I suppose...

Best regards,
Christian Meis

cmit

No, VGA/keyboard

Best regards,
Christian Meis

cmit

That would be the info at cmit dot de...

Best regards,
Christian Meis

cmit

We are using PPPoE over wireless in many situations without noteworthy problems. This is both with RouterOS and other devices as wireless clients. I don't see the immediate problems, as long as your wireless backbone is of good quality (i.e. no really big packet loss etc.). Best regards, Christian M...

cmit

So the RouterOS PPPoE server (and client) DOES support stateless encryption? Never saw it mentioned in the docs.

I know that MS refuses the negotiate stateless PPP encryption (for PPPoE).

Best regards,
Christian Meis

cmit

Hi guys, what are my possibilities to do further debugging in the following situation: I have a system where I can use netinstall to install any current RouterOS version without problems (network boot or from CD-ROM) onto all available media (here: CompactFlash, IDE DOM, standard hard disk). After t...

cmit

I'm sorry, but I'm not aware of a way to achieve this on MikroTik. Stateless MPPE encryption would surely be desireable, as this is a real gain for PPPoE connections over network links with high(er) packet loss (like any wireless network could be, at least from time to time). MikroTik: How about add...

cmit

Try changing your baudrate. Sounds like the console could be configured to use another baud rate...

Best regards,
Christian Meis

cmit

But that would be the way to go in my opinion.

At least I like to have WRITTEN confirmation that (and when) a problem was fixed. And I don't like guessing/trying if it was fixed by the fix for some other bug...

Best regards,
Christian Meis

cmit

OK, guys... No need to kiss anyone, actually (or do kiss your wife, if you have one ;) ). I'm totally burried in the finishing stages of a project and not really in the office for the rest of this week. I'll get back to everyone here and the ones who e-mailed me next week. Let me at least get it tra...

cmit

You're welcome

Best regards,
Christian Meis

cmit

Have not got my hands on a SR5 yet, but as far as I can judge, it can use both connectors for our "Mickey Mouse setup"

Best regards,
Christian Meis

cmit

Banging ... my ... head ... on ... the ... wall ...

Thanks! Of course - that was to expect, as I can see our Ciscos with it

Best regards,
Christian Meis

cmit

But you were thinking in the right direction

.

Using separate antennas for RX and TX allows you to use BIG "ears" without "shouting" so loud that your regulatory body will get angry

...

Best regards,
Christian Meis

cmit

The parameter you are looking for is "Framed-Pool". This one allows you to send the name of the ip pool to use to your RouterOS machine in an Access-Accept message.

Best regards,
Christian Meis

cmit

Ah, now I get what you intend to do (after re-reading your post). Well, that would be a sensible application, and should work without problems with changed MAC addresses. But it still is a fact that each RouterOS license is bound to the installation media it sits on, and so you cannot "move&quo...

cmit

The problem will be, that the configuration of the wireless card is tied to the MAC address of the wireless interface. So if you use your current setup to create the "backup CF", and then pop in a new wireless interface, the config and the interface possibly won't "get together" ...

cmit

Or might be a MTU problem?

Best regards,
Christian Meis

cmit

OK, let me pick that up.

I can see roughly what's happening when you press the "..." button in the WinBox connection dialog (broadcasts, ...) using a packet sniffer.

Would MikroTik open up the details of the possible responses of RouterOS devices?

Best regards,
Christian Meis

cmit

OK. Those advanced "time permissions" can only be handled using a RADIUS server for authentication. There you can configure your users' account limits to your hearts delight ;-). Might be that you need some custom scripting on the RADIUS server of your choice, but you can create (almost) e...

cmit

To configure a client to automatically (forced) disconnect after a certain online time, use the session timeout. This gives the maximum session uptime a user can have.

I don't understand your second question with online/offline timing. Can you explain more?

Best regards,
Christian Meis

cmit

Ok, found it ;) Short list of features: Small client app to help clients/customers to align their (RouterOS based) CPE. (The CPE is queried by SNMP.) The customer just enters the ip address of the CPE and presses "Start". The app is showing you: - system name - MAC (wlan) of you CPE - conf...

cmit

To see the whole routers' config, use /export But beware that the commands may not (probably WILL not) be in the right order to recreate this config. I.e. it might be that the command to add an interface to a bridge group is there before the bridge group is actually created. But apart from that this...

cmit

I just read all of your different posts... I would say that you REALLY should take the time to read the manual and get some basic ip network knowledge, if you don't have it. And two more suggestions: - Writing that MikroTik is making you crazy and is bad in some way or the other makes at least me as...

cmit

Good to hear the "click"

...

Best regards,
Christian Meis

cmit

That setup does actually work quite well.

I have setup several networks like that, and they work like a charm. Central hotspot on a bridge bridging all EoIP tunnel to the APs (connected back to the hotspot via 5 GHz wireless).

Best regards,
Christian Meis

cmit

Let me dig in the office on Tuesday. I think I have something like this flying around my hard disk...

If I just forget to come back here, a short reminder to info at cmit dot de might help

Best regards,
Christian Meis

cmit

Yep. You are missing the fact that you simply cannot bridge wireless-station interfaces in RouterOS...

You have to use WDS or EoIP for you needs. There are several threads here in the forum on this topic.

Best regards,
Christian Meis

cmit

Without testing - when your file is named "out.txt", I suppose you should also use "file=out.txt" and not just "file=out" in the command line?

Best regards,
Christian Meis

cmit

Just create two different PPP profiles with different rate limit parameters and configure each user to use the appropriate profile for his account type. Or if you are authenticating against a RADIUS server you can just send the ratelimit parameters you want for each account back to the MikroTik... B...

cmit

Now if only we could use this in Germany

...

Best regards,
Christian Meis

cmit

/export file=<your_filename_here> Take care of the leading slash - otherwise you would only export the part of the config tree you currently are in. So if you are in "/interface wireless", an export command without the leading "/" would only export the wireless interface setting...

Search found 1547 matches

Double-click required for all forum links?

Report for just one user?

Accounting data management

Logging of user-manager activity?

Inaccurate time accounting?

Small GUI bug

Debug possibilities for system not booting?

Don't use WPA(2) with Atheros compression in 2.9.18!

Changelog for RB500-BIOS V1.9?