MikroTik

CelticComms

Add hairpin NAT. See the link in the first post of the thread.

CelticComms

What is the CPU load?

CelticComms

Are the routerboards connected to the 2950 on access ports? Trunk ports? More detail...?

CelticComms

If the /28 is routed to an address on your WAN interface then you just route the addresses into the DMZ and apply the required filters for functionality and security.

CelticComms

If you look at the traffic it will show on ether2 not ether4. If the interface and IP address are in conflict it seems to go with the IP address.

CelticComms

Are you using a web proxy? The Google sites generally redirect http to https now, so it sounds as if something is causing problems for the redirects.

CelticComms

You should show your network layout but the most likely reason that your rules had no effect is that the traffic between the clients and server are not going through the router. If for instance you have a switch on that subnet the router probably never sees intra-subnet traffic. Figure a way to get ...

CelticComms

add dst-address=0.0.0.0/0 gateway=int_to_isp This had been the only default route available and the mikrotik didnt use it. It will have tried to use the route but failed because it couldn't ARP for the target IP. Using the interface as the "route" even on a non PtP segment often works in ...

CelticComms

Allow NEW connections from office to guest but only allow ESTABLISHED and RELATED in the opposite direction.

CelticComms

No - traffic which doesn't match the rules continues on down and is implicitly accepted which is why you must have a drop all (remaining) at the end of the relevant chain.

CelticComms

The 2011 has variants with SFP but the only wireless option is built-in.

CelticComms

Are NSSA areas fixed in v6?

CelticComms

It looks as if you had no forward chain filters prior to adding that one - so in effect you have no "firewall" in the generally accepted meaning. Input chain filters only protect the router itself. Have a look at the wiki entry I referenced earlier. The place you want to be is where your l...

CelticComms

How did you create your firewall? Quickfig? Manually? Perhaps you should upload the output from /IP Firewall as it stands. The "firewall" is created by the application of a certain set of basic packet filters, state-aware packet filters and connection tracking to the router. Many Mikrotik ...

CelticComms

Do you have *any* forwarding chain rules at the moment? If you don't then you should read the following and block the inter-LAN traffic as part of generally securing your forwarding paths. http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter The basics are: Allow NEW connections from each LAN to ...

CelticComms

Check the order of your forward rules and make sure that the traffic from that MAC address is dropped before you hit the accept rule for that general path.

You should be able to use src MAC address in that way.

CelticComms

Upload your config using output from /export compact. Destination NAT is what you want and the devices need to be using the router's internal address as their default gateway.

CelticComms

I suggest that you tidy it up to have only current entries present. I don't know what the IP address allocations are at this point. Make sure that your public IPs are on the WAN facing interface and make sure that your basic inbound destinations NATs are working. I only saw one internal server menti...

CelticComms

The 2011 series is designed with home use in mind and does have a version with 2.4GHz wireless. The other unit is an x86 based platform and does not have WiFi built in. It can take a PCIe mini card for 3G/4G and can also take a disk drive if you want to run a web proxy. It is designed more for comme...

CelticComms

It is probably one the two items pictured here:

http://huaweihg612hacking.wordpress.com ... -from-eci/

CelticComms

It is hard to say from the description. What was the reason for the IPIP tunnel? Is the path between router B and A private or public?

CelticComms

Which modem device is it connected to?

CelticComms

Well one thing is that you have the gateway IP on Ether3:

add address=192.168.2.254/24 interface=ether3 network=192.168.2.0

That needs to be on the bridge.

CelticComms

If you are new to Mikrotik make life easy for yourself and use Winbox or Webfig.

The rule would be of the form:

add action=dst-nat chain=dstnat dst-address=public_IP dst-port=445 protocol=tcp to-addresses=internal_IP to-ports=445

CelticComms

There really is no such thing as bridge mode or router mode in RouterOS or on the RouterBoard products. Different elements of the same device can be bridging/switching while others are routing. Bridging/switching operates at level 2 of the network stack while routing operates at level 3. Other featu...

CelticComms

It will show the masqueraded address for queries from the local network but should show the public IPs for external queries.

That is a downside to using this trick. The better fix is to split the servers and local clients into different subnet/masks and force traffic through the router that way.

CelticComms

The method described using the loopback address is sometimes used but it it is router/host OS dependent and can be difficult to debug if it is not working so I am usually reluctant to even suggest it. It sounds as if the private link net version was suggested in which case the routing entry on the r...

CelticComms

1) You would typically have the public IPs to which you are source NATing outbound traffic on your WAN/outside interface - not the LAN/inside interface. 2) What cbrown indicated above will work if you only have relevant private IPs on the router interface that the server is connected to. If there is...

CelticComms

The auto-neg on the 1 Gb ports is handled by the Atheros 8327 which is also used in some other products including some TP-Link units. It would be interesting to know if a given VDSL device works OK with a non-Mikrotik 8327 port but ends up at 10Mb on the 2011.

CelticComms

The problem is that your original NAT entry is only NATing when the in-interface is Ether1 - presumably your WAN interface. The traffic from your local LAN subnet will never go through that NAT so the hairpin entry will never be triggered. If you make the original NAT entries dependent on your WAN p...

CelticComms

These are only the NAT entries. NAT traffic is also subject to the forwarding chain filters. Try making the entries including the hairpin entries and then upload the config using the output from /export compact.

CelticComms

I did not see any forward chain filters listed.

I suggest that you put the hairpin NAT entries in and then upload the output from /export compact so we can see the total config.

CelticComms

It is NATing traffic to TCP port 445 on Fa 0/1 to the same port on internal host 172.17.8.50. Presumably FA 0/1 is their WAN interface. That is the SMB port so I hope they have some restrictions in the firewall.... ;) You would achieve the same with a (hopefully restricted) destination NAT entry in ...

CelticComms

Hairpin NAT is what you need so if that hasn't solved the problem check your forwarding rules to make sure that you are allowing the hairpin traffic.

CelticComms

I wouldn't be surprised if Mikrotik have not been able to reproduce the problem reliably. There have been problems of the other OpenReach modem the HG612 having auto-neg problems on some PC ethernet card drivers although I have not seen such comments regarding the ECI V-2FUb/I Rev.B. The other 3 lin...

CelticComms

If you want to block access to the proxy server so that it can't even be accessed by manually setting the proxy on the PC then block access to it using input filters.

CelticComms

It looks as if the ISP has used part/all of your /56 as the link network. If they believe that the link network is 2A01:5B8:A1::/56 and that their router address on that is 2A01:5B8:A1::1 then it is not surprising that the subsequent routing to /64s on the routerboard is not working. Instead, ask th...

CelticComms

How is the ISP presenting the allocation 2A01:5B8:A1::/56 to you? If it is simply being sent to your interface then you should be able to allocate an IPv6 address on a /64 to the WAN interface and an IP address on another /64 to the LAN interface and routing should ensue. I suggest that you go back ...

CelticComms

You need to add 4 VLAN interfaces on the Mikrotik unit. Give these the VLAN numbers you desire and assign them to the Ether interface that you will use to connect to the HP switch. Then add 4 Bridges on the Mikrotik unit - e.g. VLBr10, VLBr20 etc. On the wireless interface you can assign one SSID to...

CelticComms

You can use Mangle to set a routing mark on the relevant traffic (set by src address or inbound interface or whatever allows the distinction) and then make a default route entry for ISP2 with that same routing mark.

CelticComms

How come I cant see or access WIFI AP on Ether3 port from VLAN10 or VLAN12, but I can access it from Mikrotik?

Matej

It could be a number of reasons but check the default gateway settings on the AP.

CelticComms

Are the two ISP ports joining the ring at the same location and what are they currently connected to on the Mikrotik side?

CelticComms

Yes - all networks are routed by default. By applying filters in the forwarding chain you can block the forwarding behaviour.

If you are using the device as a firewall you should configure IP Firewall. The following might be useful:

http://wiki.mikrotik.com/wiki/Securing_ ... rOs_Router

CelticComms

If I put the rule in the IP>FIREWALL FORWARD path to allow ESTABLISHED & RELATED for instance, how does the RB750 'know' the direction to apply these rules correctly. IP Firewall has no notion of LAN/WAN etc. - it just knows about interfaces, or bridge ports in the case where it is being applie...

CelticComms

The best way to access a router from a VPS would be VPN? It is better in the sense that it can provide authentication and confidentiality - the price for that is the overhead of the VPN method chosen. Accessing the API over a public network without a VPN is a significant security risk. If you only ...

CelticComms

This smells like a System Center issue.... Try using Torch in Winbox and look at ether1 (i.e. the interface that the router connects to the 5723 on). Click on all the option boxes including port and set the timeout to longer than the default 3 seconds - say 30 seconds. Now try your ping test - you s...

CelticComms

Use filters (in IP Firewall) in the forwarding chain to determine which paths are permitted and drop the remaining denied paths.

CelticComms

The bonding approach would work and can make use of both links when both are working. If the wireless gear is Mikrotik at both ends you have a lot of different options (some layer 2 approaches do not work well across multiple vendors). To bring clarity to the situation I suggest that you list and pr...

CelticComms

You can either do this by having redundant links at layer 3 - (i.e. IP routing with OSPF determining the route actually used) or you *could* have redundant links operating at layer 2 provided that you have STP taking care of layer 2 loop avoidance. If you are not familiar with layer 2, STP, ARP reso...

CelticComms

Sounds more like the PPPoE client couldn't determine the local IP address to be used by the PPPoE session - i.e. the address it expected to be supplied by the PPPoE server.

CelticComms

You could put the printer on a static IP and simply masquerade the traffic destined for it on egress from the routerboard. The printer will then see that traffic as originating from the routerboard's IP on its local subnet. Which HP printer model is this? I have seen some HP printers do weird things...

CelticComms

Look in the filters section of IP Firewall for entries in the forwarding chain. With no entries RouterOS will route anything to anywhere. I suspect that you have entries which are restricting the routing function. Also remember that the target must also know a route back to the ping originator. If t...

CelticComms

It may also be useful for you to look at VRFs under /IP Routing. By placing specific interfaces into a VRF the system will automatically mark traffic on those interfaces with the VRF routing mark and connected routing table entries for the relevant IPs will be marked with the appropriate routing mar...

CelticComms

Can you ping the ISP gateway? Which DNS servers are you using - are lookups working?

Do you have any NAT rules active?

Output from /export compact would be useful.

CelticComms

If you are looking for basic firewall functionality in the IPV6 firewall then you need to protect the routerboard itself by setting input filters and protect devices beyond the router by setting filters in the forwarding chain. In the forwarding chain you want to allow new connections from the LAN t...

CelticComms

Tell me please, your mikrotik ospf-router answer to ping 224.0.0.5 when link is up ?

No - annoyingly....

Are you using area type NSSA? I have seen that do very strange things on ROS 5.

CelticComms

I suggest that you install ROS 5.23 rather than any of the ROS 6 versions since there is more experience of IGMP on ROS 5 available at this point.

Then you need to be prepared to do some detective work.....

CelticComms

Is VLAN 1 tagged or untagged on the trunk?

It would be helpful if you uploaded the output from /export compact on the routerboard.

CelticComms

I'm not sure what you mean by "right routes for the VLANs". How are you providing IP numbers to the wireless clients? If you have an upstream device doing that then it would set the gateway as required. If you want the routerboard to do that you would have to attach DHCP servers to the VLA...

CelticComms

Some ISPs have delays on providing IPs to multiple MAC addresses via DHCP.

To check if that is a problem you can temporarily set the MAC address of the WAN port to be the same as the (known working) computer and see if that changes anything.

CelticComms

Are you sure that the upstream ISP doesn't filter certain ports?

CelticComms

I suggest that you test the port 82 forward on the "working" web site and then return it to the "problem" web site. If the web sites are on the same server and the forward works for one then it should work for the other. Perhaps there are absolute address references in the source...

CelticComms

DId you really mean that the web server is establishing a PPPoE connection or is the PPPoE DSL connection being handled by the Mikrotik unit?

Port 8080 is often used for caching. Have you checked that another port (say 82) doesn't cure the problem?

CelticComms

@CelticComms
i.e. you create VLAN interfaces and then bridge those interfaces to the Virtual AP interfaces.
Is there another way without bridging the interfaces and using a routing method?

Yes it would be possible but if there is no requirement to route bridging is more efficient.

CelticComms

If the computer is set to use the router for DNS service that would explain the ability to make DNS lookups. On a NAT system you will have to masquerade outbound traffic on that PPPoE interface. If you already have a masquerade entry for Ether1 (out-interface) change the interface to the PPPoE inter...

CelticComms

To access the tagged VLANs coming from the Cisco you need to create VLAN interfaces under /interface/vlan and assign them to the Ether port connected to the Cisco with the correct VLAN IDs. Then create the same number of bridges and add both the relevant VLAN interface and the corresponding WLAN (Vi...

CelticComms

What do you want at Ether 2 on the RouterBoard? Untagged or tagged?

If you have the option of using three tagged VLANS coming from the Cisco I would do so - it allows a cleaner config on the RouterBoard.

CelticComms

The question would be clearer if you could mark the diagram with where each VLAN is to be tagged or untagged. e.g. Cisco trunk ports using 802.1q by default have VLAN 1 as the native (untagged) VLAN.

CelticComms

How I said before, all computers and printers connected through switches. and (! important ! in one local net) i.e. if i ping from computer 192.168.1.100 to printer with IP 192.168.1.101, packets doesn't reach router. And i can't make firewall rules. OK - so you are talking about traffic within the...

CelticComms

Many commercial networks are heavily switched ...

Can you try to be a bit more precise with the question?

CelticComms

Do you have an existing DST NAT rule for port 5060? If you do you can simply limit its operation to a given SRC. Address or use a Src Address List for multiple addresses.

CelticComms

You could use mangle to mark routing on external traffic from those VLANs then have corresponding routing table entries specifying the gateway to be used by each routing mark.

CelticComms

In the destination NAT rule you can use either the Src. Address or Src. Address List to restrict the NAT rule to traffic from either a single address or list of addresses respectively.

CelticComms

You have to decide if the fiber link is going to be actually *on* one of those subnets or whether it will be its own link network linking the two networks together. Then of course the clients on in each building need to know to use the route to the other network so how do those clients currently get...

CelticComms

Don't try to use two DHCP servers. One server can do both the dynamic and static clients even in the different subnets on that one interface. Make sure that you also have the relevant Networks entries for both subnets under /IP DHCP Server.

CelticComms

Do you run BGP to your ISP or do they send traffic to you for your IPs based on a static route? In that case check that when the link goes down and you lose the internal routes to those IPs that you are not then forwarding the traffic back to your upstream ISP who is then forwarding them back to you...

CelticComms

Are these on the same router? Both DHCP servers show Ether1.

CelticComms

Make sure that you have an IP Pool assigned to the relevant DHCP server. Post output from /ip dhcp-server for comment.

CelticComms

The active dynamic OSPF entries appear in the RouterOS routing table with the ADo flag. You can see the LSAs behind those routes in the OSPF LSA tab.

CelticComms

I suggest looking at your routing and NAT entries to unravel this. If external clients are sending DNS queries to your IP range and your internal route to those IPs is down then you *might* be sending the traffic back out to your ISP who promptly sends it back to you giving the appearance of heavy t...

CelticComms

There are actually multiple IPs showing on both sides - both your IPs and external. Not really enough information to know what is going on, but assuming that you do actually run DNS services which are accessed from external addresses (i.e. DNS services for sites you are hosting etc.) check that when...

CelticComms

Look at your routing at RB1100A and see what paths are being chosen to Office A addresses. In the diagram you show the same /24 subnet for Offices A and B - is that a typo?

CelticComms

Or let me be clear - How does ROuterBoard decide which of the interfaces will have a role as root port?

The root port is that bridge's lowest cost path to the designated root bridge. See below:

http://en.wikipedia.org/wiki/Spanning_Tree_Protocol

CelticComms

If you have adjacency established then the answer to why there is no internet access is probably to be found in the routing table. Is OSPF inserting a default (internet) route? If not suspect the Cisco OSPF config. If you have a default (internet) route then check - does the outside world have a ret...

CelticComms

I'm not sure that I follow your question.

The traffic in the graphic is DNS lookups which are failing - note the zero rx rate.

CelticComms

I see a DHCP Server assigned to interface "IPTV Network" but no sign of an IP address assigned to that interface which is most likely why the DHCP Server is flagged invalid. Solution - add a valid IP address to interface "IPTV Network"!

CelticComms

If the extra /28 is ***routed*** to you via another IP range on your WAN link then you can simply use the extra /28 directly on the WAN interface and make sure that you are allowing necessary routing between the WAN and DMZ port in the forwarding rules.

CelticComms

I would flesh out what your topology/transport options are and then see whether the viable options point towards a static or dynamic routing model.

e.g. If most endpoints really only have one path back to the central systems then dynamic routing may be unnecessary.

CelticComms

If you are having problems forming adjacency also check: That OSPF traffic (protocol 89) is not blocked - should be able to see traffic from Cisco using Torch on RouterOS. That netmasks match - mismatched netmasks sometimes allow pings to succeed but adjacency will fail. That the Hello and Dead inte...

CelticComms

It looks as if you do not have a valid IP on the interface that the second DHCP server is attached to thus the DHCP server will show invalid.

CelticComms

Will the endpoints still be using some kind of cellular modem as their connection to the central location or do you have something else in mind?

CelticComms

What is the nature of the connections between the endpoints and the central location?

CelticComms

The bridge is implemented at the RouterOS level (uses CPU cycles) whereas the master/slave options refer to ports on switch chips which can be enslaved without giving RouterOS more work to do.

CelticComms

Some IP phones (e.g. Cisco) which have an on-board switch allow the tagging of the VOIP traffic. It is probably a good idea to check if the phones there have that capability.

CelticComms

The CCR could certainly act as an internal inter VLAN router. It would be easier to comment of you could list the goals that you have in mind for the introduction of VLANs. As Dobby said, it would also be useful to know how many clients/devices are in each building. Have you considered having any ad...

CelticComms

Which version of ROS are you running? Are you sure that the problem occurs when the 3G signal drops, or is it possible that the router itself is having an issue which results in the 3G connection dropping along with everything else.

CelticComms

What IP is the VPN client being given?
Is proxy arp running on the internal interface of the main router?
What does the routing table look like on the devices that you can't ping?

CelticComms

Oh really? Is that the case if they are based on a hotspot setup too? As long as the port is open in the input filter chain and the router has a valid IP route back to you it should be possible to simply enter the IP number directly. Note that in certain situations if you VPN to a front door device...

CelticComms

I guess it would be better if I could connect into the 'master' aka site 1 RB450G and then access winbox from there. But once I've connected into that RB how do I allow the discovery tool to find the others (i.e. firewall rules) If you know the IP address of those internal routers then you don't ne...

CelticComms

....................... but can I assign addresses to these static leases that are not in the regular DHCP pool?

Yes

CelticComms

Those threads primarily give further examples of why it is hard to use the equipment in the way that you are trying to. Perhaps if you can give some idea of the physical layout a rearrangement would be possible. e.g. placing the AP mode device at the router end would make life a lot easier.

CelticComms

I have same problem also. I'm between two rb2011 made eoip tunnel. Tunnel working properly, I can ping other side, but when I try to ping without fragment, packets greater than 1250 can not pass. This doesn't really sound the same as the instances in the thread. What is maximum non-fragmented MTU...

CelticComms

Check your firewall rules - and post if the problem isn't clear. I suspect that you will find that you are doing a SRC NAT or Masquerade on traffic leaving Eth2.

CelticComms

I remember that dst-limit was having some issues a while back - not sure about limit. I will have a look at some filters and see if I can swap one of mine to use limit temporarily.

CelticComms

Yes. Do you have an example based on my info above? Go into /IP Firewall and add a filter in the forwarding chain with nothing selected except Action=Drop. At that point no traffic will be routed between interfaces at level 3. You may then want to add specific rules *above* that "drop all"...

CelticComms

It would probably be less work and more secure to VPN to the first device and then access the Winbox interface on all of them via the (encrypted) VPN

CelticComms

Can you confirm whether your VDSL modem is in bridge mode - or are you double NATing?

CelticComms

................ For that, I have Set Up an DHCP Server for serving also this network, but it shows up red and won´t work. So what have to be done to get this thing realized? Thanks in advance Make sure that the interface has a valid IP number on it. If it doesn't the DHCP server will be flagged in...

CelticComms

If you have anything which can act as a WINS server it would be preferable.

RouterOS doesn't have one of those "check the box" options for Netbios broadcast that some consumer devices have. It can be done - but WINS is probably preferable.

CelticComms

For TCP and UDP traffic it would be possible to use connection rate to add addresses to a list based on total (in & out) connection rate. I'm not sure if there is a way to do it based on actual packet rate.

CelticComms

Is the bonded connection working but VLANs not?

Presumably you are bridging something else to the bonded interface?

CelticComms

anyone? is Ipsec enough for that? IPSEC would also provide encryption. To help narrow the choice decide if you want: a) IP (Level 3) connectivity b) Ethernet (Level 2) connectivity c) Encryption d) Authentication Different features create different overheads. e.g. encryption adds overhead but if th...

CelticComms

No entries in IP Firewall.

Now with the bridge configured the router is working like a simple switch, isn't it?

Yes -in simple terms a switch is simply a multi-port bridge.

Can you upload output from /export compact so we can see why you were not observing routing among the attached subnets?

CelticComms

At the end with the Windows PPTP client is there anything else on the local subnet that the Windows PC needs access to other than the gateway/router? If not and if you don't mind the Windows PC accessing the internet via "Location A" then PPTP and proxy-ARP could work until a better soluti...

CelticComms

If you set the gateways for each ISP to be checked (e.g. by PING) then that gives you a mechanism for marking the corresponding routes down if an ISP connection goes down. You can then add default routes pointing to the EFM link but with suitable distance settings such that those secondary routes ar...

CelticComms

Look in the IGMP Proxy settings under interfaces. On that upstream interface add 0.0.0.0/0 as an alternative subnet - you will see a place for that entry. I am suggesting this because you don't know what addresses the IPTV provider will be streaming from yet...

CelticComms

What entries do you have in /IP Firewall? If there are no entries in the forwarding chain then all traffic will normally be forwarded among the various attached networks according to the routing table.

CelticComms

On the IGMP proxy upstream interface temporarily add 0.0.0.0/0 under alternate subnets since there is a good chance that the servers are not on the same subnet. Once you see where the traffic comes from you can provide suitable limits.

CelticComms

Can you describe the path between the two systems and check the latency between them?

CelticComms

Which firmware version does the 598U show? e.g. I looked at a 598U which works fine in an RB411U (inc. cold starts) and it showed:

Model: T598 Rev 1.0 (2)
Revision: p2505002

These are visible in Info - the firmware revision is right at the start of the long "Revision" string.

CelticComms

Now I need to know how to give the priority to the vlan in the local network?

Have a look at this part of the WiKi:

http://wiki.mikrotik.com/wiki/Manual:Queue

CelticComms

Are you talking about the return traffic on an established connection or differences depending on who initiates the connection?

Have the forwarding rules been updated to take account of the expected traffic via the tunnel?

CelticComms

Port 11 is connected to the network processor via the same type interface as the two Atheros switch chips which support ports 1-5 & 6-10, whereas ports 12 & 13 are connected via PCIe interfaces. Ports 11 & 12 can be configured to failover (essentially join together at Level1) and port 13...

CelticComms

From your config it looks as if the PPPoE client "VDSL MediaNet Dial" uses VLAN7. The VLAN is just defining the broadcast domain for the PPPoE connection. It is the PPPoE client which will ultimately carry your local LAN subnet traffic to the ISP so it is the PPPoE client interface "V...

CelticComms

It looks is if 4 entries would get you there: A mangle rule with in-interface set to mark routing for traffic from ether4 as "ISP1". A mangle rule with SRC address list set to mark routing for traffic from four ISP1 subnets on ether3 as "ISP1". An address list containing the four...

CelticComms

does it mean, that I have to chance the 0.0.0.0 to 0.0.0.0/0 or what is the deal? The other Masquerade is for fibre connector, I have no sfp, so I have deaktivated the port. I think that you must have selected source NAT on that rule at some point thus the to-addresses setting appeared. I don't thi...

CelticComms

add action=masquerade chain=srcnat comment="default configuration" \ out-interface="VDSL Modem Uplink" to-addresses= 0.0.0.0 Before looking at anything else could you get rid of the 0.0.0.0 . 0.0.0.0/0 and 0.0.0 are not the same thing. Note that your other masquerade has no to-a...

CelticComms

I had already set it off, but change nothing.

You changed it since uploading the config?

CelticComms

Set the service tag option OFF. That is for 802.1ad use.

CelticComms

Have a look at this too:

http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting

CelticComms

I'm note sure what is being tagged to "10" or where you pinged and from where.

Can you upload the current output from /export compact and give a clear indication of what the settings are on the phone?

CelticComms

How you prioritize the traffic is another subject. As regards the VLAN itself once it is established you need to get down to basics. e.g. is it pulling an IP lease from the DHCP server on VLAN2? Can you ping the VLAN2 client using /Tools Ping?

CelticComms

What do you mean by set the network settings for that DHCP? Network and Pool is created... Sounds correct. If I don't set a vlan1, how to give a priority to the vlan2? On RouterOS you do not need to create VLAN1 as you would on a Cisco device. If VLAN1 is the untagged traffic on an Ethernet port th...

CelticComms

Create the VLAN interface for VLAN2 and assign it to the bridge. Add an IP the the VLAN2 interface, then add a DHCP server to the VLAN 2 interface with an appropriate IP Pool. Remember to also set the network settings for that DHCP server. If VLAN1 is "untagged" then you don't need to crea...

CelticComms

It would help if you could upload the config - output from /export compact.

It is not clear from the description if you are using NAT for clients or if the relevant outbound interfaces are masqueraded.

CelticComms

SIP just provides the control signalling. You need ports open for the RTP traffic (audio) too.

CelticComms

The switch has some VLAN features which may or may do what you want: http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features If you want to create the VLANs the generic way within RouterOS you: Create one or more VLAN interfaces and assign them to the relevant Ethernet interface. You can then assi...

CelticComms

The 433UAH and 433UAHL have 3 ethernet, USB and some PCI mini slots of you want to add WiFi. There are cases available which have enough space to allow the dongle to be internal and run the external antenna connection to the back of the case for connection of an external antenna.

CelticComms

I think i found it in
/ip addresses "add new"

That is correct if you simply want multiple subnets serviced by the same interface on the router.

CelticComms

Here are the firewall rules. Some are disable and some are used for hotspot but disabled currently. I'm also using mangle and NAT to make sure that traffic can pass even though the ISP doesnt allow routers (student ISP) but i hate not being able to use a firewall. At a very fast glance I only saw t...

CelticComms

It would be more useful to see your config (/export compact). The image doesn't really help.

The input filter chain in /IP Firewall control access to the router itself.

CelticComms

We operate both Mikrotik boards with USB modems internally to the enclosure and RouterOS running on third party embedded X86 boxes which have internal PCIe mini plus several gigabit ethernet interfaces. VPN from dynamic / private addresses at the remote Mikrotik end to a central Cisco unit can be do...

CelticComms

Can you describe that part of the BIOS settings? I thought I had configured one of those to ATA mode.

CelticComms

There are standard DOS attacks that use multicast etc. . If you upload your firewall rules we can comment on them.

CelticComms

???????????????????????????????

I suggested a specific test to carry out......

CelticComms

Try to be more specific - "not work" is rather vague.

Make sure that the interface is not in a bridge or slaved to another interface. Check the status of the interface - is it up? Speed? Duplex?

CelticComms

You add the DHCP client to the relevant interface in:

/IP
DHCP Client

CelticComms

Glad to hear that it solved the immediate problem. Don't forget to consider migrating to a VLAN solution at some point.

CelticComms

The description sounds like a fairly standard DOS attack. What are your current firewall rules?

CelticComms

And Leased line customer on LAN will be given IP 202.140.x.37-202.140.47.64. How will I write the route on MT ? These numbers seem a bit odd but to give you an example, try using a network allocation 202.140.x.32/28 You could either: A Place the IP 202.140.x.33 on your gateway router Allocate 202.1...

CelticComms

If you give the RouterBoard an IP address on 198.51.100.0/24 on the relevant interface then proxy arp will not reply to requests from that subnet.

If those switches support VLANs I would suggest moving to VLANs and dumping proxy arp.

CelticComms

Which device did TWC provide? If their modem can be placed in bridge mode you can take the static IP directly on the routerboard which makes VPN options easier.

CelticComms

The NAT and forwarding filter entries are probably where I would start.

If it is hard to sanitize for public posting you can contact me by email.

CelticComms

Could you explain what you mean by the hotspot server "going down".

3 users doesn't sound like a heavy load.

CelticComms

You probably want to DST NAT outbound DNS traffic unless it originates from your internal DNS server in which case it is allowed to pass outside as normal.

CelticComms

How are the static IP customers attached to the router? Also via PPPoE? Another way?

CelticComms

Try uploading your /export compact output so we can see the current situation.

CelticComms

Your problems are probably caused by using station pseudo-bridge mode with the "station" end connected to a router. On the PC try pinging both the routerboard at 0.30 and the gateway at 0.1. Then look at the ARP cache (arp -a). Are you seeing an ARP entry for 0.1 which is distinct from 0.3...

CelticComms

If the subnet that these clients are on is 192.168.0.0/24 connected to one router interface then traffic between 192.168.0.x and 192.168.0.y isn't going to be routed via the router so firewall filters would have no effect. If one of the addresses is actually the routerboard then use input filters to...

CelticComms

Try using trace route to see what is happening to the internal traffic.

CelticComms

Sounds like you may need hairpin NAT:

http://wiki.mikrotik.com/wiki/Hairpin_NAT

CelticComms

Very hard to comment without more context!

Presumably you expect 1 Gbps? Remember that 1000BASE-T uses all 4 pairs in a CAT5 cable so some cable faults will cause a link to revert to 100BASE-TX.

CelticComms

It really depends on what service you want to be available to clients behind that second router. e.g. you could have basic NAT for the R2's traffic on R1 and have NAT/PAT for the R2 clients on R2 if that allowed all required services to run. Many permutations - more info required to filter out possi...

CelticComms

OK - well you mentioned that the ADSL router was set to bridge but handing the ADSL router the layer 3 (IP) traffic on its IP address doesn't sound like normal bridge behaviour.

CelticComms

You mention 1.1.1.1 both in the context of the ADSL router having that address and it being the gateway on the RouterBoard and it isn't clear exactly what your setup is.

Could you post output from /export compact?

CelticComms

You need to apply the IP addresses / netmasks to the VLAN interfaces not the TRNK_LAN interface.

The DHCP servers are showing invalid status because you have them bound to interfaces which have no IP/netmasks.

CelticComms

You say that you disabled the auto-negotiation on the WAN port. The Cisco gear at the other end will then speed sense the line at 100 Mbps but will set the port to HALF DUPLEX even if your end is set to full duplex - and that kills the throughput due to late collisions etc. . Either you need to get ...

CelticComms

Can you post the output from /export compact so we can get an overview?

CelticComms

If you really just want to route (no NAT & no firewall) then you could place the WAN/LAN interfaces in 2 different VRFs (In IP / Route). Make 2 VRF entries and assign one WAN & LAN to each. Those interfaces will then only see routing entries for the other interfaces in their VRFs. That is a ...

CelticComms

The presence of bridges can confuse matters....

Probably best if you upload output from /export compact so we can get an overview.

CelticComms

In my configuration, I have a VLAN set up: /int vlan add vlan-id=254 name=VLAN254 interface=ether8 ... and an IP on the VLAN: /ip addr add address=192.168.16.2/24 interface=VLAN254 ... This one MikroTik itself can ping its own IP address there, but another MikroTik across a trunked connection canno...

CelticComms

OK - well if Torch doesn't show the connection attempt it sounds as if the problem is further back at the APN level....

CelticComms

clock accuracy should not be an issue Mikrotik can define the hardware compatibility or we can use the same SFP at both ends so there should not be clocking issue Ok - well tell that to all the OLT/ONT manufacturers! I'll wait for the prices to drop and use a system that doesn't depend on wishful t...

CelticComms

Is the RouterBoard the only device in path?

I ask because there are a bunch of devices from companies like Netgear which drop pings greater than 512 bytes.

CelticComms

What does the routing table look like on the RB1200? Have you only tried pinging from the command line? Any difference if you use the tool in Winbox and explicitly state the interface?

CelticComms

The router will route (forward) all traffic unless you stop it in the forwarding filters.

You can start with a simple rule in the forwarding chain with action=drop. Then add rules above it with action="accept" for any traffic that you actually want to forward.

CelticComms

If you make a PPTP interface specifically for that incoming PPTP user then you can simply limit the traffic in the forwarding filters based on a combination of inbound interface, src IP, destination IP etc.

CelticComms

If you want port 1 to be the WAN port then it would not be "bridged" to ports 2-5 in a typical LAN/WAN setup. The bridge is transporting the DHCP requests/responses to your upstream WAN connection's DHCP server and that is why you are getting WAN addresses assigned to LAN devices.

CelticComms

Is the connection working for internet access?

Make sure that the device at 192.168.1.103 is using the routerboard as its default gateway.

Does the APN actually allow inbound traffic? You can use Torch on the interface to see if you are seeing the inbound 3389 traffic.

CelticComms

If you dump some of that ARP traffic to a pcap file and look at it in WireShark you should be able to tell if it is circulating traffic.

CelticComms

It looked like you perhaps combined the text for a couple of rules - cut & paste issue maybe.

Upload the output from /export compact if you want your config checked.

CelticComms

The gateway is a routing entry. The IP allocation to an interface is just the IP number and netmask.

CelticComms

You can certainly put the additional public IP on your WAN interface but you would still need to NAT over to the server. Placing the public IP directly on the server can also be done even if that IP is part of the WAN linknet but that involves various ARP / ARP proxy features and is best only done o...

CelticComms

Check if the rules will take a range - 1.2.3.4-1.2.3.5.

A 2 host range has ending /31.

CelticComms

IP addresses are assigned to VLAN interfaces like any other interface.

Are you using Winbox?

CelticComms

Install the IPv6 package on the Mikrotik and allocate some /64s from the /48.

CelticComms

If you plan to NAT the traffic anyway (i.e. not put the public IPs on the server(s)) then placing the IPs on the public interface is should always work. Otherwise you really need to know how the traffic is being passed to be sure what will work and what will not. For example, if traffic for an addit...

CelticComms

That could work if the traffic for the relevant IP was being routed to another IP on the interface. If the upstream expects the IPs to all be directly ARPable then the something needs to respond to the ARP request.

CelticComms

Where were the additional public IPs applied in the alternate case? On the internal hosts?

CelticComms

How is the WAN interface normally NATted? If there is a default masquerade maybe you need a SRC NAT entry earlier to catch the specific conditions for the customer's outbound traffic.

CelticComms

In RouterOS only the bridge MAC address is seen by devices attached to bridge member ports so virtual interfaces will not help in this case - you would always be presenting PADI packets from the bridge MAC address. Are you trying to use some kind of free service? If the bearer circuit can support 30...

CelticComms

Check out queues:

http://wiki.mikrotik.com/wiki/Manual:Queue

CelticComms

If you look at those ARP entries the problem seems to be that the same MAC address is showing for 10.20.1.20 and 10.20.1.2 even although 10.20.1.2 is assigned to router B. I suspect this is being caused by something in the configuration of the radio devices. The ping request to is probably being cir...

CelticComms

Suggest you check the ARP table on router A and see what MAC address it thinks the ping target it is on. I

CelticComms

Where is the address 10.20.1.20 assigned to?

CelticComms

The section:

out-interface=WAN

looks unlikely since the server is presumably on a LAN interface.

Try removing that from the rule. Also, your server needs to be pointing to the RouterBoard as its default gateway.

CelticComms

You have run out of addresses in the pool. Either extend the pool, shorten the lease time or add additional pools (plus other implied config changes).

CelticComms

Since the question seems based on questionable assumptions I offer a tongue in cheek answer: Because it is more fun being Mikrotik! Mikrotik has done fairly well at identifying areas not served well by the likes of Cisco and hopefully the owners are seeing a reasonable return on the capital invested...

CelticComms

Had a very quick look while drinking coffee and didn't see a reason for the problem. Could you try a trace route?

CelticComms

For the RB450 that you want to behave as a switch just make sure that Ether2-5 have Ether 1 set as master and it should provide layer 2 switching.

Search found 1765 matches