MikroTik

Caci99

Well, to prioritize traffic, first you need to identify it among others. This can be done in mangle. I don't know much about OpenVPN, but you either identify by the port used by OpenVPN or by IP address that goes by one site to the other. Than you assign priority in queue tree with parent and child ...

Caci99

Ok. It is cheap. But having only 32MB of ram?? Now, when wee see that it is very limiting for running v6.x and expecting that v7.x will be again more requesting? Why? Powering by unreliable small tiny micro usb connector? Why? No POE in? Why? Not possible to use wide range of power adapters like fo...

Caci99

It looks promising, but a bit low on wireless power, very good price/feature ratio anyway. Isn't it time to have all ethernet ports on gigabit speed? What could be the cost of it? Nowadays all laptops and desktops, or network HDD cases ship with gigabit ethernet. I would also like to see a 5GHz prod...

Caci99

I have to admit I am bit lost with the scripting and rest. We were supposed to have an easy life, not make it harder. For me it was easy enough to browse on the download page when new version was out, click on torrent link and download. We even used to get email when new version was out, never mind ...

Caci99

Torrents will return after we surgically remove them from the RouterOS release system, and make them entirely separate. The biggest problem with torrents is the initial seeding. There exists no stable command line torrent client that we know of. I don't quite understand what you have said there :),...

Caci99

THX DD
upgraded a few rb's just to see how it goes.....
no torrent to share the love?
http://www.mikrotik.com/download/router ... 27.torrent

Though, there are no seeders to download from yet

Yes, thanks for the link. But why has Mikrotik removed the all file torrent link?

Caci99

Do you believe this is a problem related to RouterOS? I don't think so, because I don't think ROS changes the characters of the files. It must be related to the operating system from where you are trying to view the files, they might not support Cyrillic characters. To test it, try to browse the sam...

Caci99

I think it would be nice if the columns of winbox could be moved left or right, to rearrange them at one's needs.
I am talking about the columns of the connect window: address; session; group; note
I for example would have arranged them in this order: address; note; session ....

Can it be done?

Caci99

I guess you are talking about the Windows message Unidentified Network. Normally that happens because Windows detects that you are connected to a different router, that is discovered by Windows because of a different mac-address. Just chose public network. Also, next time, try to be more specific ab...

Caci99

What happened to the torrent link to download all packages? It isn't anymore on the download page, although adding it manually it works
http://www.mikrotik.com/download/router ... 26.torrent

Caci99

Actually, now that I am thinking of it again, I got it wrong

The connection that I calculated as 1125kB, means a connection at a given time, not over 30 seconds. I have to rethink about it again, sorry.

Caci99

Let's think of it this way. If a connection has 300kbs for 30s, it means there are at least 9000kbps or 1125kB. Create a rule in firewall mangle: /ip firewall mangle add chain=forward action=add-dst-to-address-list protocol=tcp address-list=test address-list-timeout=1m in-interface=WAN out-interface...

Caci99

but I understand there is a daily limit to the number of SMS notifications which will be sent ? Yes it does have, although I don't know how much. It depends on how sms you think you will get. Since google is in two step verification with sms, the limit must be a considerable number. Worth trying an...

Caci99

Hi all, I am trying to add the rule /ip firewall nat add chain=dstnat in-interface=LAN protocol=udp dst-port=53 action=redirect I do not have an interface called lan. Here is my interface list. Do I add the rules for each LAN interface or is there a way to globally address all of them? [admin@conSh...

Caci99

Oh well then

, one more thing learned

.
I guess you can edit the title of the topic as the opener of it.

Caci99

Try this
http://techawakening.org/free-sms-alert ... docs/1130/
It will send an sms with the subject of email inline

Caci99

Here is how I would have done it: /ip firewall mangle add chain=forward src-address=192.168.2.0/24 dst-address=192.168.3.0/24 action=accept add chain=forward src-address=192.168.3.0/24 dst-address=192.168.2.0/24 action=accept add chain=forward src-address=192.168.2.0/24 action=mark-connection new-co...

Caci99

Static Route Dst-Add: 0.0.0.0, Gateway: PPPoE Dst-Add: 0.0.0.0, Gateway: 192.168.1.1 Are these routes both active? I don't think so. Because without policy routing in place, the router will just chose one of the two. Anyway, try to add an accept rule before/above the masquerade rule: /ip firewall n...

Caci99

Are you using routing marks in /ip firewall mangle and in /ip route?

Caci99

As I understand it, hardware-queue is beneficial on switch like scenarios. The packets are processed on the hardware (NIC interface). In router situations, packets are inspected in source and destination, hardware queue will require CPU to do that, which in ethernet-default does not need it since et...

Caci99

There is a short explanation at the wiki: http://wiki.mikrotik.com/wiki/Manual:Queue#Queue_Types From this page: only-hardware-queue leaves interface with only hw transmit descriptor ring buffer which acts as a queue in itself. Usually at least 100 packets can be queued for transmit in transmit desc...

Caci99

Well, the idea is simple. One marks the traffic by means of mangle and then routes that traffic to the desired gateway in ip routes.
Either that gateway is not working, or dns settings on laptop are not correct (not able to resolve http).

Caci99

try this

/ip dhcp-server lease
print file=test where address>172.25.33.0 and address<172.25.34.0

Caci99

I am a bit baffled why this is not working. Let's try a different approach. Keep all the config that is needed for this one to work, i.e the mangle rules stay, leave only the masquerade rule in /ip firewall nat, and then disable all rest in nat and in /ip firewall filter and see if it works or not.

Caci99

Well, masquerade substitutes the source address with the one of the interface the packet is leaving. I am not sure why this helps your case, looks like the router does not keep track from where the connection is coming and does not reply from the same gateway. Masquerade helps it ( I don't know how ...

Caci99

Try with a general masquerade rule:

/ip firewall nat
add chain=srcnat action=masquerade

leave the other masquerade rules, but disable them for the purpose of testing.

Caci99

It should work, I don't see anything stopping it from working. Try it again, try it with pinging from laptop. Are you using dhcp-server? If yes what is the lease to the laptop, ip address, gateway, dns server? If not, post in here /ip firewall, /ip route, /ip addresses to have the whole picture in o...

Caci99

What about the masquerade rule? How is it set?
Try with a simple masquerade:

/ip firewall nat
add chain=srcnat action=masquerade

Caci99

On the mangle rules, change the last one passthrough=no

/ip firewall mangle
chain=prerouting action=mark-routing new-routing-mark=laptop passthrough=no connection-mark=laptop

that means that packets will not be processed any more and the mark will remain.

Caci99

Ok, at the moment of enabling those rules i can't ping/reach my internal network/hosts 192.168.10.0/24 from my vpn-pptp connection 192.168.30.0/24 network, why is that? That's because with policy routing in place, when network 192.168.10.0/24 tries to reach 192.168.30.0/24 instead of using the defa...

Caci99

Use routing marks in mangle, and after that apply the routing marks in routing table /ip firewall mangle add chain=prerouting src-address=computer1 action=mark-connection new-connection-mark=comp1 add chain=prerouting connection-mark=comp1 action=mark-routing new-routing-mark=comp1 same should be do...

Caci99

Yes, it is possible. In order to apply priority you should really understand how it works. You need at first a parent queue which will control its child queues. The child queues are were priority is applied. I would recommend use queue tree, but it can be done with simple queues as well. Read these ...

Caci99

and what configuration did you use to intercept time sync requests? Basically, the same as with dns requests redirect. That's where I got the idea from. NTP sends requests on udp protocol port 123: /ip firewall nat add chain=dstnat action=redirect to-ports=123 protocol=udp dst-address-type=!local d...

Caci99

Why you can't have the same Gateway check on DHCP that you have for static is anyone's guess... I guess that is the nature of the dhcp protocol, it doesn't look for the dhcp server until lease time expires (at my knowledge). And you can't modify a dynamic route, that's how mikrotik thought about it...

Caci99

I have it working fine actually on a RB951Ui-2HnD, ROS 6.22. I have it setup as client and server, and I even setup a "transparent" server, meaning that all computers on LAN do synchronize with the router even if they point to another server.

Caci99

Set the MTU to default (1500), then try pinging something on the internet without fragmentation first, do discover what mtu is accepted without fragmentation. And then set the MTU according to the result. /ping 4.2.2.2 do-not-fragment size=1500 repeat the ping changing the size until you get an answ...

Caci99

Try by bridging the two ethernet ports of first router and look if the second router can discover the pppoe server and create the pppoe-client on the second router. If that is not enough, set the arp=proxy-arp on the bridge interface, that should do it.

Caci99

Ok, some success :) I didn't bother trying to ping a device on the other subnet earlier, so cool yes it's blocking comms between addresses on the different subnets. I tried that input filter rule but I can still ping the gateway? The rule in input chain works. In your case it is not working because...

Caci99

As @rmmccann says, you should try it from one device of subnet A to another device on subnet B. For example, you have: /ip address add address=1.1.1.1/24 interface=ether3 add address=2.2.2.1/24 interface=ether4 With the above configuration and filter rules, you should not be able to ping 2.2.2.10 fr...

Caci99

Yeah I tried that and still no luck, used command line and then the gui in Winbox and still the connection continues to ping away happily between subnets. You should not try it from the router itself, which obviously can reach those subnets, otherwise wouldn't be able to route them. Try it from on ...

Caci99

When it fails what happens? Do you still have a gateway active on /ip routes form the dhcp client? I would suggest to turn the modem into bridge, so that you have one NAT only. For the failover, take a look at this article http://wiki.mikrotik.com/wiki/Advanced_Routing_Failover_without_Scripting it ...

Caci99

You need to find what IP addresses their servers have, or on what port they negotiate the updates, and then drop the connections on firewall filter in forward chain for those IP-s or ports.

Caci99

It is normal that subnets on the same router communicate with each other, as you have discovered. As soon as you add an IP on one interface, its subnet is part of the connected routes. To stop them from communicating with each other, you need firewall filter routes. For example, let suppose that you...

Caci99

What kind of installation is this?
If he does have a backup, he can reset the router and then restore the backup. Otherwise, he can only reset it and start from scratch, and put a decent username and password to protect the router.

Caci99

Unused marks will not disappear until reboot. For example.

Of course, but that doesn't affect the configuration in any way, they are just unused. The point being, you do not need to reboot the router when you do some changes.

Caci99

That's a long list of requests. It does not fit entirely in my 22" screen :) 1. I remember long time ago to have tested if two pppoe can be established on the same interface, and if recall it worked. But why would you need both of them on the same interface? It is always better to have them sep...

Caci99

Well, a packet can have only one mark, but if you are trying to achieve some QOS you should definitely know the flow diagram. You can a mark packet in prerouting chain and apply that mark in global-in queue, and then remark the packet in forward chain to apply it in global out queue. http://wiki.mik...

Caci99

There is no need for a reboot of the router to save the settings and changes that you made. They are saved on the fly as you made them.

Caci99

Badly working ethernets in RB133 running

I was about to ask about the 133c when I saw your post

. Those routers are loooong time ago

, I am positively surprised you still have them at hand.
Maybe it is Mikrotik way by not answering you, telling that it is time to ditch those routers

Caci99

I see you have done your research well, the RB951G-2HnD is a very good router for small to medium needs. I would recommend Mikrotik over Ubiquity anytime because of its stability and control. But again, when it comes to wireless situation, you can never be 100% secure, it is very dependable on the i...

Caci99

January 6 is holiday, isn't it? Also, the previous days were mostly holidays, so they might have some accumulated emails. Usually they answer within 24 hours.

Caci99

I think the best way is to block these kind of sites by dns filtering. First you need to setup a transparent dns redirecting: /ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-address-type=!local dst-port=53 add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-a...

Caci99

Check this post first: http://forum.mikrotik.com/viewtopic.php?f=3&t=70546#p359041 Check also /system routerboard settings set enable-jumper-reset=no If it still does not work, then boot the routerboard, complete the configuration you want and then export it: /export file=sxt5hpnd copy the file ...

Caci99

To understand limit-at and max-limit you need to understand how priority works. For example: /queue tree add name=download parent=ether2 max-limit=10M queue-type=default add name=priority_download parent=download limit-at=1M max-limit=10M priority=1 packet-mark=priority queue-type=pcqdown add name=o...

Caci99

The main difference is that in queue tree all packets will get processed at the same time through the queues, while in simple queue a packet must go through all queues until it matches the one about that specific packet. PCQ will ensure that traffic is distributed evenly in a flexible way, but it ca...

Caci99

I think it is because the www.alamaltarfeeh.com does not exist and can not be resolved from dns servers into an IP address. Try it with an actual domain name, like www.cnn.com

Caci99

So I was resolving the wrong address; smtp.google.com when it should have been smtp.gmail.com :/

I feel silly now..

There's nothing silly about it

, everybody makes wrong steps and learns from.
I have to google myself to see the gmail settings whenever I need to

.

Caci99

/tool e-mail
address: smtp.gmail.com
port: 587
start-tls: yes
from: user@gmail.com
user: user@gmail.com
password: your password

If you are using two step authentication in gmail, generate a password for a service, and use the generated password.

Caci99

I think the easiest way is netmap

http://wiki.mikrotik.com/wiki/Manual:IP ... :1_mapping

Caci99

Try webfig and the feature to design skins in webfig:

http://wiki.mikrotik.com/wiki/Manual:Webfig

Caci99

Thanks for the answer, but i guess device can't finish booting. As i said when i powered on even there is no plugged cable, nothnigs happened. But earlier it works when i reset with default configuration. In rare cases, I have seen that a routerboard won't boot when an update is done, but never whe...

Caci99

Th Routerboard HDD does not have any capability to store files for webproxy. You have set it to store files on internal HDD, it is causing very high write and read on it, and I am afraid you will wear the internal HDD pretty fast.

Caci99

When you do a reset, the routerboard probably will load the default configuration. With the default configuration you can connect via IP when the ethernet cable is on ether1 of the board, but you can not connect via mac-address. To connect via mac-address, connect the ethernet cable on one of the in...

Caci99

@flatbat I have worked with RB9512n and is just ... not that powerful to manage certain configurations. It could be could for pretty small offices, but that's it.
I like the idea proposed by @jarda, a central switch on each floor and Access Point like the cAP on the hallway for every 4 to 6 rooms

Caci99

I don't have such experience at all, but I don't like the RB951-2n, I would go for RB951Ui-2HnD. You might have a look at cAP2n as well.

Caci99

Shuold, but do not work properly MANY times - see manry problems with CCR's.

This is a forum where people post their problems. Very, very, very rarely you would see posts with success stories. It is an irony of life actually, you would notice a device exits when it gives problems

Caci99

Very interesting @jspool. I would have given some karma if the option would have still been there

.
Interesting how you have chosen to randomize the password. I will play a little bit when time will be available.
Thank you for sharing it.

Caci99

@jspool That will be great, can you post your solution to have a look at it?

Caci99

I am using latest firefox, and here is the empty spaces left and right when in full screen

Caci99

Too much space wasted, among others big margins on the left and on the right.

Caci99

Well, the RB750 has 100Mbps ethernet ports, so it will limit itself for 100Mbps

.
You can use simple queues to limit the customer by specifying the target IP address in the simple queue.

Caci99

Only when the IP is on the ssh_blacklist it is blocked. The first three stages are there so that you don't let yourself out if you accidentally input wrong credentials.
If you want to go a step further, you could even try port knocking http://wiki.mikrotik.com/wiki/Port_Knocking

Caci99

Have a look at this topic:
http://forum.mikrotik.com/viewtopic.php?f=2&t=73402

Still, I would like someone with better knowledge on RouterOS scripting, to do this within a routerboard, instead from a Windows machine.

Caci99

Wake up guys. It was 3 years ago...

You think the hotel is closed?

Caci99

So, to understand, you are using a RB411 with the only purpose of connecting a machine to the rest of the network. You either configure the 411 in bridge transparent mode, which is the logical choice since the machine needs to be part of the network, or you configure 411 as router and it will route ...

Caci99

even if you try for terminal? terminal might be a bit lighter than winbox, so it might be easier for the CPU to display the rules.

Caci99

Go to /system logging and try disabling one by one the log rules until the CPU drops. Than analyze the one causing it.

Caci99

Rules number 6 and 7 are those who would divide the traffic in two streams. From your picture it looks like they are not doing it, one has 300 000 packets, the other 150 000 packets. It does not seem right, I mean, the configuration is ok, but it is not doing the separation right, one rule grabs mor...

Caci99

The dns you specified on the dhcp server will get eventually distributed to the devices wich will get ip configuration from dhcp servers. It depends on what clients these devices are using. Windows client, to cut it short, will query the first dns server, and if it can not resolve it, will query the...

Caci99

It is still a bit of guess as the picture is not full yet, but if the client is downloading more than its queue, it means that part of traffic from the client is captured by the queue of the webserver which is first in order. Simple queues are executed in their order, once the traffic is captured by...

Caci99

In routerOS, is not recomended to use dns servers from different providers. Stick to one, google for example. The router will send requests to resolve dns names randomly at both servers specified. If they are from diferent providers, might cause problems.

Caci99

Have you tried ECMP configuration? The problem with ECMP is that it will flush the connections table every 10 minutes or so, thus reseting all the connections. This behavior is problematic for connections which require authentication, but it might work in your case and is pretty straitght forward.

Caci99

Let's take the first route for example: add check-gateway=ping comment=wan11 distance=1 gateway=192.168.160.1 routing-mark=to_wan1 If 192.168.160.1 is not reachable for any reason, traffic marked with routing-mark=to_wan1 has nowhere to go, because there is no backup route for it. So you need to add...

Caci99

Are you sure I must choose 'both addresses' only and not 'both addresses and ports'? I just want to clarify this because most of the dual wan load balancing script I've seen uses 'both addresses and ports'. This confused me. Read the wiki about the classifier, and you will get it better. If you div...

Caci99

OK. Should this use much bandwidth ? I'm on a 10 GB cap.

Oh no, not at all. It's just very small packets. I don't actually know how much but it is pretty small. You can monitor udp port=123 on the wan interface if you really want to know how much it uses.

Caci99

If the script does disable the route for that particular traffic, than you should have a backup route with bigger distance for that traffic, so that the router can switch the traffic through the other route. For example: /ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 routing-mark=...

Caci99

That's the normal behavior, the routerboard does not have a battery inside to keep the memory up. Every time you reboot you need to use SNTP or NTP client to synchronize time and date.

Caci99

You better post your simple queues, to see how are those configured. I don't think any one can understand what is going on without having a look at the configuration involved.

Caci99

Have you tried opendns? Redirect transparently all dns requests to your router, and set opendns on the router dns. See if it can block requests to "malicious" websites

Caci99

Well, you have the explanation in the wiki itself, every rule is explained there. The accept action, means that that particular traffic is not processed by the other rules, it is excluded from being processed. The dst-type=!local means not local, and with local here is intended networks assigned in ...

Caci99

What do you mean by statistics for every user? To do that,you probably would need a PC with cacti in it for example, which would collect data from routerboard.
A good place to start is wiki http://wiki.mikrotik.com/wiki/Main_Page

Caci99

Sorry for late response I would change the classifier from "both addresses and ports" to "both addresses" Also, in the route table, for the normal route you are using a different gateway which I can't figure out where is coming from. I am talking about this: add check-gateway=pin...

Caci99

How are you testing it? From a single computer? Also, post your config in here, so we can have a look at it.

Caci99

Have you tried the pcc method?
http://wiki.mikrotik.com/wiki/PCC

Caci99

Take a look at this: http://wiki.mikrotik.com/wiki/Advanced_ ... _Scripting
It might help

Caci99

Because they are part of bridge interface, so are considered as slave of that bridge.

Caci99

It is about the order you put on the firewall filter. The rules which would allow the traffic should be put before/above the rule that drops it.

Caci99

Thanks for reply but unfortunately disconnections also occur in segment with no ptp links (all cables ) Oh well, I guessed it wrong then :) Anyway, the pppoe tunnel is pretty sensitive to not stable links, you might be experiencing some packet drops or port flapping. Also, activate the pppoe info i...

Caci99

i'm using a ptp link for a remote lan (ubnt nanostation) You have the answer right there. The wireless link can go down often for very short amount of time. In normal situations, when these disconnections occur you wouldn't notice them. But the pppoe tunnel is very sensitive, so at every disconnect...

Caci99

okay sir how I can know the necessary files from the unnecessary files .. and how i can degrade the version to 5.24 I wait your asnwer sir You can post in here the file list of your router to have a look at it. Type in terminal /file print without-paging copy and paste in here. To downgrade you jus...

Caci99

Your hdd is full, look at the bottom of the window of "file list". 61.4MB of 61.4MB used.
Clear it up and free the necessary space for the files to be uploaded.

Caci99

Try changing per-connection-classifier to both-addresses only and see what happens.

Caci99

Are the counters on mangle rules running? Do you see there packets captured by those mangle rules?

Caci99

Probably still in memory, a restart should delete it. But nothing to be concerned of.

Caci99

At the moment that it happens, look at the router for any strange behavior, any unusual traffic or high CPU. You should also protect your router from dns attacks: /ip firewall filter add chain=input action=drop protocol=tcp in-interface=ether1-gateway dst-port=53 add chain=input action=drop protocol...

Caci99

I have a lot of RB951Ui-2HnD and never had problem with them, but what are you describing is not unfamiliar. The electric shock does not come only from the power supply, mostly it will come from ethernet cables, specially if any of them runs outdoor. Have you tried the reset jumper if it can cancel ...

Caci99

In the access list of the web proxy have you tried to specify the source address? That should do it, like:

/ip proxy access
add src-address=192.168.1.x dst-host=whatever action=allow

Caci99

The only way to redirect to url, as far as I know, is by using webproxy. To do that first you need to enable it: /ip proxy set enable=yes The default port should be 8080 but you can change it if you need to. Of course you don't need any cache, the purpose of proxy in this case is only for redirectin...

Caci99

I just tested it and works fine. I am on ROS 6.18. Is the server within your network? What other rules do you have in /firewall nat and /firewall mangle?

Caci99

Do you know the ip of your webserver? Is this server hosting only one webserver?
The simple way to do it is:

/ip firewall nat
add chain=dstnat src-address=10.0.11.187 protocol=tcp action=dst-nat to-addresses=webserver_ip to-ports=80

Caci99

Glad to hear it helped I also added a "chain=input in-interface=!bridge-local action=drop" rule at the very end of the filter section to stop similar connections to the router Be carefull with that rule though, you might be blocking useful connections from your LAN to the router, might eve...

Caci99

I think with the solution that you provided let the customer to use only private ip assigned but linked to a public ip address. I still want the customer to just add his public ip address on his router . But it works the same, when from internet someone requests that public IP, it will connect to t...

Caci99

http://wiki.mikrotik.com/wiki/Manual:IP ... :1_mapping

Caci99

I would make slight changes to your config as follows: /ip firewall mangle add action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe1 new-connection-mark=wan1 add action=mark-connection chain=input connection-mark=no-mark in-interface=pppoe2 new-connection-mark=wan2 add actio...

Caci99

2. "To allow traffic between the two networks you should add mangle rules which should stay on top of the others:" It is necesery? This trafic go trhoug router not olny by bridge? To mangle it, i must turn on bridge use-ip-firewall (i can/t do thent due to performace reason) The traffic b...

Caci99

First, you don't need two masquerade rules, remove the one: action=masquerade chain=srcnat src-address=192.168.2.0/24 to-addresses=0.0.0.0 What you are looking for requires careful mangle rules which will mark packets, and then use those packet marks in a queue tree using pcq. To allow traffic betwe...

Caci99

I need a lift, I would like to avoid that... You want to avoid lifting? :) Well I can't help you with that. so we need this feature for the future in the routerboard firmware You can make an /export compact and than add a script which will load the exported file via scheduler at startup. Never test...

Caci99

I just want to know if in the routerboard(bootloader) there is a possibility to do an tftp or other method...

Of course there is, you can use Netinstall, look for it in the wiki. But you just can't use it if not physically accessed.

Caci99

You mean the pppoe interface does have a static IP and does not get it from the server?
In that case just put the IP on the profile you are using for the pppoe interface (probably the default profile). You can find it in /ppp profile and there set the local address

Caci99

You have lost access both on ethernet side and wireless side?
Unfortunately, the only way to regain access is to physically access the device and reset it.

Caci99

Unfortunately users will not be getting a fixed IP And they will be part of the same address list, always. It might look as more work, but actually it could be less in future. Using address lists will help also having less queues by grouping them in queue tree instead of creating hundreds of dynami...

Caci99

I would go by using address list option on pppoe profile. Just assign an address list on the profile and live the rates blank on both, routeros and radius.
Then use address list to mark packets in mangle, and use those marks in queues.

Caci99

Hi to all i would like to know if possible to block teamviewer application? thanks I don't think it is possible to do it through firewall filter since teamviewer uses port 80 and 443. So I would go by adding static entries in dns, and redirecting dns requests to the router: /ip dns static add name=...

Caci99

Fine tuning the wireless performance may prove harder than you think, especially indoors. First of all, I would not recommend to connect to an AP which is in a different floor, because the signal is greatly influenced by the structure of the building itself. Second, how far are the APs from each oth...

Caci99

populated?
what you mean ???

By populated I mean, are there IP addresses in the address list?
Have you tried to specify an IP address as source instead of an address list?

Caci99

My guess is, it has to do with the masquerade rule. The masquerade rule normally should look like this: /ip firewall nat chain=srcnat action=masquerade out-interface=ether1 assuming ether1 is the interface which connects to the internet. If no out-ineterface is specified, than router will change the...

Caci99

- EC list is enabled in address list

It is enabled, but it is also populated, right?
Try removing from first rule the bit: dst-address-type=""

Caci99

First, you should add the addresses given to you on your WAN interface. That's where you connect to your ISP.
Secondly you can use netmap to do what you want http://wiki.mikrotik.com/wiki/Manual:IP ... :1_mapping

Caci99

Is the EC list populated? Which one of the two rules is not working (counters are running)? Is there any other mangle rule which might grab the traffic before the two you posted?

Caci99

Torch will keep the information gathered alive for three seconds, or whatever time you choose in timeout field.
Maybe it is that setting that populates more the torch.
Anyway, haven't bothered before to look at it like this.

Caci99

@rwaters
Nice spotting, that was it

Caci99

The information is "in" it, the problem is, can it be read from the switch chip, and if yes, what amount of resources would it require... I don't think that collecting 24 mac addresses is that much resource hungry. If the switch can survive a bridge interface, which is a "software&qu...

Caci99

Create a bridge and put the port in question on it.
It will allow you to see the MACs under bridge/hosts.

Kind of a workaround, but shouldn't the switch learn the mac addresses of the devices attached to it? This information got to be somewhere on it

. MikroTik could kindly make it available.

Caci99

Well, I have configured it as a switch, all interfaces are slaves to ether1, and I have disabled connection tracking on firewall. So it is not possible to sniff traffic. I was hoping that the switch would learn and know the mac addresses of the devices attached to it, as a matter of fact it must do ...

Caci99

Is there any chance to know the mac address of computers connected to the ethernet interfaces of CRS-s, even better the IP address

?

Caci99

@tigran
take a look at the solution worked out with the help of @rextended (you might add him some carma if it helps)
http://forum.mikrotik.com/viewtopic.php ... 52#p432730

Caci99

So, I tried it yesterday and today, and here is with what I came out: /ip firewall mangle add chain=prerouting action=accept src-address=1.1.1.1 dst-address=2.2.2.2 src-address-list=1h add chain=prerouting action=add-src-to-address-list src-address=1.1.1.1 dst-address=2.2.2.2 src-address-list=5min a...

Caci99

Good thinking, but I will try it tomorrow, maybe. Right now I am following world cup

. And you are very generous on carma points, while those should go to you

.
Tuscany eh, been there a couple of times, beatiful.

Caci99

Hello I would like to see a feature on address lists, which would enable to add the addresses on one address list to another once the time of the first expires. It is very helpful in configurations where one would like to give time specific services. For example, if I would want that someone browses...

Caci99

It really depends on what you want to do. Mangle is generally used for marking connections, packets which in turn can be farther used in routes and queues or address lists. In firewall filter you generally put rules for dropping, allowing connections etc. Mangle can process packets in prerouting or ...

Caci99

What can be the possible scenarios of use of this routerboard?

Caci99

You can play a little bit with limit option or dst-limit in /ip firewall mangle
http://wiki.mikrotik.com/wiki/Manual:IP ... Properties

Caci99

If I disable the interface or ip address on fiber link, then how come script will know the main fiber link is up and it should switch back ? I haven't tested it, but i guess if you disable the ip address, not the interface itself, you can execute a mac ping: /ping 00:01:02:03:04:05 interface=sfp1 a...

Caci99

What if you disable the address on fiber interface, instead of disabling the interface itself, and then test the link by arp ping? You should note first the mac address of the gateway. Just guessing.

Caci99

I am afraid this would require some scripting. The way I am thinking about it, is assign the IP to the two interfaces, but leave the backup interface disabled like: /ip address add address=1.1.1.1/24 interface=wlan1 add address=1.1.1.1/24 interface=sfp1 /interfaces set wlan1 disabled=yes Then, if th...

Caci99

The ip cloud is a nice feature, but trickier than I would have expected. It would be nice if in the future the user can specify it's own domain name so that it can be remembered.

Caci99

It is not clear why you need a second router in between, but if I understood it correctly you need netmap
http://wiki.mikrotik.com/wiki/Manual:IP ... :1_mapping

Caci99

Whenever I configure a dns cache on routerboard (accept dns requests), I do add the following rules on it, and so far it has worked:

/ip firewall filter
add chain=input action=drop protocol=tcp in-interface=WAN dst-port=53
add chain=input action=drop protocol=udp in-interface=WAN dst-port=53

Caci99

Hmm..So If I am not mistaking I should add the following rule:

/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 dst-address=192.168.20.10 protocol=tcp dst-port=1000 out-interface=LAN action=masquerade

?

Yes

Caci99

Have a look at this
http://wiki.mikrotik.com/wiki/Hairpin_NAT

Caci99

Also, run torch (/tool torch) on the interface where the traffic is happening, and see what traffic it is and on which port, from whom to where.
A wild guess, it can be either proxy or dns.

Caci99

what is logging tryouts??

As @jarda eplained, they are just attempts to log in on to your router. I shouldn't be very concerned as long as you change the default user and the password. But if you want, you can add this to your firewall:
http://wiki.mikrotik.com/wiki/Bruteforc ... prevention

Caci99

Well, I don't much that "box" you have in there, but can't you put the box in between the modem and the RB450G, and do configurations on the box? Otherwise you are dealing with three NAT steps there, which is not that good. You would need rule for the box traffic on the RB450G: /ip firewal...

Caci99

What kind of service are you trying to offer through that proxy? Is it http? Is it a Radius? Either way, you don't need to redirect the traffic that way. For http service just add a rule of dstnat on your RB450G /ip firewall nat add chain=dstnat src-address="your desired IPs" protocol=tcp ...

Caci99

You have comprehended it right with small exceptions. Well done for trying it out yourself, is the best way to learn it ;) To answer some of your questions: If i understood PCQ correctly, with the suggest 10M parent and 512 per child The 512kbps I putted in limit-at in example, means that the queue ...

Caci99

I have done sometime queue on ethernet interfaces, and it works. I have no experience on bridge interface, the only way to find out is to test it. If you apply the queue on the bridge, it will affect all interfaces on that bridge.

Caci99

Well, considering that modem does not have capability of limiting the bandwidth of an interface, you need to put the RB951 in between, or a small managed switch (like RB260GS) which can do the limiting. You might want to try, to bridge ether4 and ether5 together on the 951 (in and out for cisco) and...

Caci99

Thanks for the suggestion, but as I stated in the op, the client won't accept the 1:1 nat Oops, missed that, sorry. How do they achieve that anyway? I mean, what is the actual config of the nod? Is the modem in bridge-mode and the public IP is on Cisco? Can't they just assign a private IP on it so ...

Caci99

Since you are applying the same limits on all IPs I would suggest to use pcq first. Then move all of it on queue tree. To do that mark packets for all IPs and mark packets for desired traffic (don't mix them). On the queue tree, create a parent queue with max-limit the bandwidth available to you and...

Caci99

I would have tried this: 1. Configure the modem as bridge, and connect RB951 to it. This way, it will be the RB951 who will manage it all, public IP, NAT, QOS etc. 2. Connect cisco to ether5 for example and PBX to ether4. Do a netmap on RB951 so that you can pass a public IP to the Cisco router. htt...

Caci99

If you want to block those pages completely, setup a transparent dns first: /ip firewall nat add chain=dstnat action=redirect to-ports=53 protocol=udp dst-address-type=!local dst-port=53 add chain=dstnat action=redirect to-ports=53 protocol=tcp dst-address-type=!local dst-port=53 This way, no matter...

Caci99

So it should be run into the modem?
Correct?

Yes.

Caci99

Dynamic dns client, I'm talking about public ip from my isp is dymanic
http://en.wikipedia.org/wiki/Dynamic_DNS

Oh, I see. Well that depends on the modem, what kind of dyndns it supports, since it the modem who gets the dynamic public IP.

Caci99

but how about dynamic dns client? Shouldn't I run it? You mean dhcp client? What about them? If you mean that tey do have a dynamic IP because of the dhcp server, then you can force the dhcp server to give them the same IP by setting the client as static in the lease table of dhcp server. Which way...

Caci99

There are too many nodes (NAT) involved in that map which is not good. If you can I would recommend to bridge them until you serve the final network. Anyway, there are two ways to reach to your camera. First is by doing a nat rule on every node: /ip firewall nat add chain=dst-nat dst-address=modem a...

Caci99

I think you also need a rule in the mangle placed before the PCC rules:

/ip firewall mangle
chain=prerouting in-interface=LAN dst-address=192.168.1.0/24 action=accept

This might help to not process this traffic and force it through the specified gateways of your PCC

Caci99

CPU at 66% wouldn't be a big issue. Anyway, it seems a bit strange because it looks as if you are using only small packets. According to Mikrotik, this router should hit 40Mbps tested with 64byte packets. With larger packets it can reach a lot more obviously. Try to find out what kind of traffic is ...

Caci99

Look in /tool profile what service is consuming the CPU

Caci99

Try a netstat on client PC and see what connections are active, also look at connection tracking on router what connections of the client are established.
Anyway, have you considered using radius for your purpose?

Caci99

I see, thought that by pressing the reset button would have forced the router into bootp, apparently that is not happening, right?

Caci99

You should be able to boot the RB into netinstall by keeping the reset button pressed until the power lights goes off. Quote from quick guide: In case you wish to boot the device from network, for example to use MikroTik Netinstall, hold the RESET button of the device when starting it until the LED ...

Caci99

I don't think that is possible when using nv2

Caci99

Do you mean 57kbps (not kpps)? That might be the problem. I don't have a CCR, so can't tell very much in regard, but I would suggest to use multi-queue-ethernet on the interfaces queues as first step. This type of queue is for multi-core routers like yours. Then try to increase the size of the type ...

Caci99

Do you see dropped packets in the queue? If yes, how many of them in relation to those passed.

Caci99

You can setup your router DNS with the opendns servers, and then redirect specific IP to your dns cache, like: /ip firewall nat add chain=dstnat action=redirect to-ports=53 src-address=192.168.88.100 protocol=udp dst-address-type=!local dst-port=53 and assign on the other computers another dns serve...

Caci99

Maybe it is not up to me to say it, but you're making your own issue as a general one. I know some guys that have CCR-s and are very happy with them. This is a user forum where can be asked for help or discussion and not airing your frustration with the equipment. Nothing is perfect, just gets bette...

Caci99

is there another way to solve this?

I think it is against the idea of https it self. https are secure connections, and wouldn't be apropriate for any to cache sensitive pages (except for NSA

)

Caci99

You can group these interfaces under a bridge interface, or you can using mangling in such way that you can then apply the markings from mangle under the queue tree using global as interface, for example: /ip firewall mangle chain=forward action=mark-packet protocol=tcp new-packet-mark=down_e2 in-in...

Caci99

Thank you @mrz, that is what I have basically done. But I am not seeing any connection established. It should appear under remote peers, right?

Caci99

Hello. I am completely new to Ipsec and as a result lost at it :). There is a company who is asking for an Ipsec connection and the counterpart is using Cisco ASA 5520. The IT of the other company has not been at help at all at assisting. So basically I configured Ipsec as per criteria given, but I ...

Caci99

Samsung S4 works too at modem level. How did you enable the internet sharing from mikrotik ? IP firewall masquerading ? Care to share some steps?

well, it is basically the same as with any other situation, masquerade, gateway, dns.

Caci99

If I recall correctly, the RB2011 has two switches, the first includes ether1 to ether5 and the second ether6 to ether10. Now first lets assume that your WAN port is ether1. You should group the interfaces of first switch under ether 2: /interface ethernet set master-port=ether2 ether3 set master-po...

Caci99

my question is if i can subscribe to a premium DNS server near in europe, Regards Tough question :), for me at least. If your current dns server does not satisfy your needs, try switching to an open dns server and cache the requests on your mikrotik router and then redirect all users with transpare...

Caci99

You want to build your own or you want to know which provider is better? What is the problem you are facing with DNS servers? Generally speaking, your local DNS provider should be better (if they have build a good one). That is because it is faster to reach and it will redirect you to the right serv...

Caci99

It is simple. Just normally create dynamic one and after establishing connection double click onto dynamic interface - name will be something like <pptp-in1> -> then select "copy" and rename new (static) interface to same name "pptp-in1". After disconnect pptp link you will have...

Caci99

Try something like this: /ip firewall filter add chain=forward action=drop protocol=tcp in-interface=LAN connection-limit=100,32 In the connection-limit field the 100 number is the total connections, the 32 is the netmask, so with this you are applying a 100 connection limit to every IP on your LAN ...

Caci99

Well, that would still create a dynamic pptp interface, right?

Caci99

I am trying to find in the wiki how to create a static PPTP interface, but can not find it.

Any one knows how to?

Caci99

have you tried specifying the incoming interface in your nat rule, like:

/ip firewall nat
add chain=dst-nat protocol=tcp in-interface=pppoe1 action=dstnat .... etc

Caci99

The only issue is that it won't reset when a good connection is established right? What do you mean by reset? A valid connection will connect at first attempt and the source IP will be part of the stage1 list which has a time out of 1m. Obviously, you would not attempt a second connection and after...

Caci99

Thanks , it's very helpful I need SSH service - and I don't always from witch computer I will try to enter it.(this is why I don't block the IP ) Port knocking as some already mentioned or you can use some filter rules which you can find on the wiki, like these for example: /ip firewall filter add ...

Caci99

Maximum recommended CAT5 length is 100 meters. Maybe that could be causing the problem? Yes, I know that, but it still connects. I have once even done a 160 meters long :) (good quality cable). How can the cable influence it? Maybe you are right, maybe some kind of electrical field or something (I ...

Caci99

Hello, a guess question :) I have a network made of two switches Core Router -->Switch+network -->Switch2+network Network is the same in both cases, the second switch is just an extension to another building. The cable that connects the two switches is some 120 meters long. What happens is that some...

Caci99

when i do a traceroute to 1.0.0.2 i never see 1.0.0.1 hop 13 and 14 are both showing 1.0.0.2 but when I do one to 1.0.0.1 I see 1.0.0.1. I'm sorry, my bad. If you execute traceroute from PBX you should reach 1.0.0.2 after two hops with no 1.0.0.1 in between. Anyway, I think you should test the conn...

Caci99

The PBX is connecting to our host who is Flowroute and it shows on there the ip address that is connected to it. The IP it is showing is the address of the Mikrotik not the PBX. Since it is a netmap, it is possible that PBX shows IP 1.0.0.1 instead of 1.0.0.2. Form the point of view of PBX, it does...

Caci99

Can you do an export of /ip firewall nat and post it in here? Also, how are you testing PBX, is the phone trying to connect from LAN or from outside your LAN?

Caci99

Yes, delete those rules or change the action on those rules to netmap. These rules should be the first, always, so that traffic of these rules does not get processed by the others.

Caci99

What you are trying to do is actually a one to one NAT. So your PBX will act as it has the WAN IP address. The rules are ok, but I would change them with action netmap: chain=dstnat dst-address=1.0.0.2 action=netmap to-address = 10.0.0.10 chain=srcnat src-address=10.0.0.10 action=netmap to-addresses...

Caci99

Try a simple queue with target the intended interface

Caci99

Because in the second rule, the packet going through, must meet both criteria in order to match it and be dropped. Obviously they don't match, meaning packets coming from 192.168.100.0/24 do not go out of bridge 1

Search found 1084 matches