MikroTik

edmidor

Sub-releases with bug fixes... Beta presumes having bugs

edmidor

How often MT does code drops on Beta5?

edmidor

Mine works OK, but that's one important thing to verify...

edmidor

SIP dynamically negotiates other ports for related connections (the control channel sets up data channels). The SIP helper inspects the control channel so that the stateful firewall knows about the related data channels. Yes, it works. Could you confirm that SIP helper just inspects packets, but do...

edmidor

So this child will be filled now with more, but smaller, queues then first I really don't get what's the point of doing that But if we now give this new child a lower priority then the previous one, we guarantee that newly made port 80 connections start with higher priority then already running &qu...

edmidor

Most support net neutrality. But it usually presumes going against shaping for business/political reasons (p2p shaping by Comcast is a good example); technical traffic shaping always was there, and usually isn't really felt by users as it merely balances traffic.

edmidor

I don't know how many times I've read it... took a while to digest :) The problem seems to be still there - there will be many heavy connections marked as regular and waiting to be remarked as heavy. But while all of them are waiting the regular queue will be overloaded, which directly translates in...

edmidor

When you want to shape the total traffic for the device. Might not be useful for you, but it's nice to have. Global queues also fire before simple queues, so you can use them to override simple queues. I just want to understand when it's actually used - mind to give a little example? Include packet...

edmidor

I RTFM again... it's not clear.

So, I'd still appreciate your help here

edmidor

I monitored my qos setup over last week, what I noticed is that marking connections based on connection-bytes with connection-rate isn't good enough when connections are short lived - download manager opens dozens of connections for every file, and there are many of them (think 50-80 100M files in a...

edmidor

Great you made it work. Last month I went through about the same stages you described.

I'm looking into playing with Ubiquiti right now (ordering nano and bullet M2). If you find anything interesting about ubnt - post it if you don't mind.

edmidor

Great idea, thanks!

edmidor

You can do that.

How? IP should be added only after successful SSH authentication. I don't see how can I detect it...

edmidor

Sometimes static src-address is not an option.
It would be nice to have secure port knocking, ex: ssh into router using a key pair - IP automatically added into allowed list for some period of time...

edmidor

Good question! If we lowered max-limit, and the bottleneck on the "next device" has gone, router has no way to know that, as it now limits itself with the new low max-limit. I see two cases here: 1. Traffic is low as there no demand The entire idea of dynamic lowering of max-limit is relev...

edmidor

I'm trying to understand the global and interface queues. I read Wiki, and some discussions here, but few basic questions are still standing. - When you use global-in or global-out? Usually the goal is to control WAN in/out separately from LAN traffic, so why/when would you use a queue for ALL traff...

edmidor

Correction - it will not work as you expected, but it still works as you configure it, so I disagree with "breaks" part. That implies it's technically possible to configure the router QoS to handle sudden bandwidth dips without manual intervention. So far I didn't see anyone proposing a s...

edmidor

wrong?.. if your modem is connected to your router via 100 Mbps link, all packets are sent to the modem. and then the modem can drop packets in case of ADSL become congested. router doesn't know about dropped packets Why would it matter? You still have your real time WAN interface throughput at one...

edmidor

It doesn't know your available bandwidth, but it knows how much data is being passed through its WAN interface at every moment of time. If top queue buffer is full for some period of time , and you're dropping packets, it means WAN interface passes as much as it can - and at that moment this is the ...

edmidor

I would say this feature is worth adding into RouterOS core, IMHO. Router knows the actual bandwidth going through WAN interface, and it also knows the max-limit on the queues chaining from/to this interface. There should be not a big deal to make it to auto-adjust the limit-at and max-limit accordi...

edmidor

That example describes a different situation - child queues explicitly exceed totals on parent queues, router is aware of that and can make educated decision how to recalculate limits to keep them in proportion. In the case I mentioned teh router doesn't know about the problem as totals on child que...

edmidor

What happens on bandwidth fluctuations? Let's say we have two properly configured upload queues, both limit-at=400K, max-limit=500K, parent queue (WAN) max-limit=1M. Suddenly the actual bandwidth on WAN drops from 1M to 500K - technical problems on ISP side. Router still expects it to be 1M - how wi...

edmidor

Should've read it from the start. Much better now :) The remaining question is - theoretical max limit vs. actual throughput: if I have two upload queues with limit-at 500K each, on 1Mbps max at parent, and the actual throughput falls from 1M to 500K... how router would handle it? It guaranteed 500K...

edmidor

.......... it's all greek to me what am i supposed to make or do ....?? That's the problems here. I think you have three options: 1. Accept the fact that this router has learning curve. Stop screaming and asking same thing again and again, go search, read, and learn, and come back only when it won'...

edmidor

Are you sure he really need to "nat required ports from wan to your pbx"? PBX initiates connections to the provider, conntrack usually handles is as is. I don't have PBX in my LAN, just SIP agents, but I never had to NAT specific ports. The only issue with NAT I'd expect is if he want REIN...

edmidor

This whole issue has nothing to do with mikrotik, just as with any other router, SIP agent, or your beer fridge. It's flawed design (SIP for VoIP), and to make it work reliably 'admin' usually has to learn and try few things. If you don't like it - use Skype, implementation wise it's much superior t...

edmidor

SIP is flawed protocol for VoIP, and it makes things very complicated. Every party comes up with their own workarounds, and in total you have so mane combinations so there simply can't be a general rule on routers and VoIP. For example, it all depends on: - do you use STUN - does your VoIP provider ...

edmidor

Is beta stable enough to use in production (just a small LAN) ?

edmidor

Running with your config for few days - VoIP works even with heavy download - thanks!

Question - how do you decide on limit-at value? Any general rules?

edmidor

Is your Asterisk in your LAN, or outside?
I have two line SIP adapter behind Mikrotik, registered to hosted PBX (pbxes.com) - no problems at all.
SIP helper is on. I set ports 5061 and 5062 as SIP ports.

edmidor

The group in Windows settings was set to group2 with AES-128... don't understand why it sends DH 2048 with 3des. So I changed peer settings on mikrotik to accept 3des, now it looks... well... shorter, but less clear what's wrong 16:30:34 system,info ipsec peer changed by admin-ssh 16:30:55 ipsec res...

edmidor

So I gave up on gre for the meanwhile, and decided to try IPSec again This is what I'm getting... any advise? 15:23:22 ipsec respond new phase 1 negotiation: 70.80.88.144[500]<=>24.113.235.32[12835] 15:23:22 ipsec begin Identity Protection mode. 15:23:22 ipsec received broken Microsoft ID: MS NT5 IS...

edmidor

@Mikrotik
Can't you guys just issue a patch with ssh fixes?
Not having SSH tunneling capability for so long is really a problem

edmidor

Right, unless something doesn't come through and you have no idea why it got dropped. Then, to debug it the reversed approach is applied, doesn't it?

edmidor

Sure - but the router is facing the wild internet.
This is why I'm asking what would be the very minimal set of forward chain rules to keep is secure at least from the most obvious threats. There must be something, I can't just accept all essentially exposing my LAN.

edmidor

The problems I'm trying to weed out are with inbound connections from outside, so purpose is exactly the opposite - open as much outside access as it's still relatively safe, make everything work, and then add limiting rules one by one over period of a week or so. Behind the router is merely a SOHO ...

edmidor

I build some 90-rules firewall (ip firewall filter) based on wiki examples. To debug my firewall issues (no pptp, etc) I would like to disable as much rules as I can, and once inbound connectivity is back, re-enable them one by one. The process can take few days. The questions is - what are the mini...

edmidor

I had both gre and pptp port accepted in input chain... Still doesn't work. Log says" "LCP timeout sending ConfReq". What's that? Is it inbound or outbound, same port? I thought this issue might be related to my other question here - for some reason I have a lot of unaccounted ACK pac...

edmidor

I meant this

/ip firewall connection tracking print

and this

/ip firewall nat print

If you google for 30sec call drops you'll see it's a classic problem, usually explained by expired SIP connection, router starts to drop packets...

edmidor

What are your conntrack settings? 30sec - magic number...

edmidor

It probably is the right proportion, when I saw 48mbps down the up was about 980kbps

edmidor

I have no dstnat rules, the only NAT rule is [admin@MikroTik] /ip firewall nat> print 0 chain=srcnat action=masquerade src-address=192.168.1.0/24 out-interface=ether1 The reason is there should not be any. A device behind NAT opens a connection to the server with main purpose to let the server conta...

edmidor

That's one good question - looking at IPs, both used by devices sitting behind the router and NAT. Both devices maintain (keep-alive I guess) connection to their servers out there, so the servers can contact them when necessary. One of them is SIP adapter, it maintains reservation with the server so...

edmidor

I'm dropping input packets from the "good" services I use. I tried to figure out how to make other rules to catch them with no success. How can I accept them without accepting the nasty stuff? 23:15:10 firewall,info Input:Other input: in:ether1 out:(none), src-mac 00:0e:83:ca:d7:47, proto ...

edmidor

I'll try, thanks.

I have "drop invalid connections" in the very beginning - can it be the reason, should I move all "drop" rules to the end of the input and forward chains?

edmidor

Still struggling to make it work from outside... Here's the trace - any ideas? 14:28:36 pptp,info TCP connection established from 22.111.333.44 14:28:36 pptp,ppp,info <pptp-0>: waiting for call... 14:28:36 pptp,debug,packet sent Set-Link-Info to 22.111.333.44 14:28:36 pptp,debug,packet peers-call-id...

edmidor

Once the connection is established, data between client and internal network travel between LAN and PPTP-client interface, so you need to set up your firewall to allow that. Thanks! I hate to ask silly questions, but it happens a lot lately :) You mean I'm supposed to see something named as "P...

edmidor

I can connect with PPTP from within LAN, but from outside it displays "Device connected" momentarily, and then fails with "Cannot connect" right after. I suppose I have to change firewall settings, but I'm not sure what ARP proxy does here. I have ether1 as WAN and ether2 as LAN....

edmidor

Thanks Toni!
How can I make sure outbound VPN connection (Cisco VPN client) won't fall under 'heavy traffic'?
I'm not sure about the rate used by VPN, but I suppose it can be fast, and it lasts long...

edmidor

The graph shows "bits per second", while I need just "bits" - I want to know how much bandwidth did I use this or that month.

edmidor

What I posted was just a snip of the "Connection rate" configuration. This configuration is very good in situation where heavy download disturbs normal internet operation. I strongly suggest you to read the wiki about connection rate. With this configuration, you will be able to divide th...

edmidor

Is there any way to know total monthly usage (upload and download) of WAN link, without user manager?
Total for the entire LAN, not per user or IP.

edmidor

That probably would do, if I can detect his activity, slow him down to 2mbps, and after he finished 'abusing' the connection remove that limit - that what I'm looking for. The only question is "how".

edmidor

@normis Download managers use different strategy comparing to browsing or "manual" download - their very purpose is to make max use of all available bandwidth to minimize the download time. Take into account a typical use case: some fifty 200kB files queued, 6-8 files at a time, each of th...

edmidor

Priceless!

Thanks a lot

edmidor

I'm looking at this Wiki example http://wiki.mikrotik.com/wiki/Home_Firewall I see a jump to 'virus' or 'bad people' chains, but these chains don't have return at the end. What happens if the packet isn't dropped in virus chain - how does it continue without return in virus chain? I see the same phe...

edmidor

is this "free download manager" using a given port? If yes, you can capture it's traffic using the port, other wise I will suggest to have a look at the "conection rate" There are quite a few such tools, but this one is one of more popular. http://www.freedownloadmanager.org I s...

edmidor

No, nothing in there.

I was under impression that L7 is not a good idea for smaller routerboards (mine is 450G), as it will hog CPU and affect the overall performance - am I wrong here?

edmidor

Is there any way to detect and QoS download managers, such as "Free Download Manager"?
They can easily open tons of connections with pretty impressive download rate, and hog as much bandwidth as they can.

Is it possible to detect and queue this sort of traffic?

edmidor

Well, I was trying to ask how to determine limit-at and max-limit.
There are many examples indeed, all have some specific numbers with no much info on how to adjust them for my LAN

edmidor

That doesn't sound good. I never had such problems when I had to VPN from Windows PC to the office in last work places. Not sure what they used server-side, but it always was zero-config on my (client) side. Why isn't it possible with Mikrotik? Then I'll try from another direction: what is the most ...

edmidor

The "Adjusting IPSec settings" part is written for Windows XP. On Windows 7 security settings are arranged in different way, and some options are not there. I followed the instructions as much as I could, but it doesn't connect.

Have anyone made it work with Win7?

edmidor

Looking at this board, I was thinking that a little web based tool could save a lot of essentially useless posts on this forum, bring more people to Mikrotik, and keep both newbies and gurus happy Simple wizard running on mikrotik site, not on the router, that would present forms of typical Linksys-...

edmidor

Good, now the dots are connecting... slowly but surely.

Thanks a lot!

edmidor

I saw this, my problem is with local-address=1.1.1.1 remote-address=1.1.1.2

Remote address isn't known, but the guide says I can use 0.0.0.0

But what should I do about the local address - it's dynamic IP. I have dynDNS, but I don't see how can apply it here.

edmidor

You haven't even posted what kind of VPN you want to use.

I mentioned Windows laptop
I don't have many choices there

edmidor

Guys, please help - I need to set it up before I leave!

edmidor

Here's the problem: need to VPN into my LAN from Windows laptop while traveling. Laptop's IP is unpredictable - airport, hotel, etc; 'home LAN' is on MT, behind dynamic DNS (dnsmadeeasy.com) I searched for the recipe, but most examples are dedicated to permanent VPN setups between two routers. How d...

edmidor

Perhaps a silly question, but I can't figure it out...
I want to segment my LAN into few IP ranges, say ether2 -> 192.168.2.0/24, ether3 -> 192.168.3.0/24

How do I setup DHCP server to serve appropriate IPs for each range?

edmidor

Thanks!

edmidor

Nobody is in typing mood, or there's anything wrong with the questions?

edmidor

My link is 50mbps down and 1mbps up. I'm trying to set up QoS to prevent one fellow downloader to make others suffer - he does up to 30mbps from rapidshare, and I have to keep VoIP working, and browsing from other machines at reasonable speeds. What would you recommend - PCQ? Then what limits should...

edmidor

Any advice?

edmidor

I know this is a shameless self plug, but I've been doing some mikrotik classes with slides and all for FREE. All I'm hoping for is feedback. Mikrotik Basics -> http://gregsowell.com/?p=957 Intro to networking -> http://gregsowell.com/?p=954 Mikrotik Security(available 12/7/09)-> http://gregsowell....

edmidor

I was recently told that priority based QoS doesn't work with residential modems, cable or DSL, with reason stated that such modems all have small buffer, and so it doesn't matter what packet arrives first, if modem's buffer is already full even the highest priority packets will have to wait - which...

edmidor

I just started with my first Mikrotik, trying to figure out the best way to set it up for our home office network. Before that I had it all very simple, but now I want to do it the right way, and so I'd appreciate your advise on both network structure, and how to configure the router for it. I have ...

Search found 126 matches