MikroTik

Feklar

Go into the bridge and enable "use ip firewall" in order for it to work and display the port.

Feklar

With your setup, you're going to have to look at hairpin NAT in order to properly forward to the server. http://wiki.mikrotik.com/wiki/Hairpin_NAT It's an ugly hack, and not very clean and should be avoided if at all possible. The better solution would be to put your filter server on it's own subnet...

Feklar

A much cleaner, secure, and easier solution would be something along these lines. Also you cannot have the same subnet shared on multiple routed interfaces like you have it listed bellow. 1.) Set up a secondary SSID on all access points, and dedicate that SSID to the students, encrypt it or leave it...

Feklar

You are going to have to post your configuration, and a network diagram to get more specific help.

/ip firewall export
/ip route print detail
/ip address print detail

Feklar

For sharing one queue, not that I am aware of.

For the shared user, set up different profiles in Radius with a different port-limit attribute. Then assign the two kinds of "coupons" to the different profiles.

Feklar

No, there is no dynamic way for the router to switch what route has more weight. Randomize the it a bit more and things will even out some. The router has no way of knowing the speed or size of a connection when it is established.

Feklar

Look up and read on policy based routing. Several examples in the wiki and man examples in the forum. It is a question that comes up often.

Feklar

If you want all the ports to share the same layer2 network, but still prevent communication, make a bridge and put in those 4 ports, then specify the same horizon number for each port.

Feklar

Are you using a Ruckuss controller with the AP? If so, turn off client isolation on it or modify the firewall rules to allow access to certain private IP addresses. The APs when they are in controlled mode have a firewall that blocks all communication to private IP addresses by default.

Feklar

It appears you heavily use connection marks, and I'm sure you don't want to rework that, so your policy based routing will be much like the examples except that you will mark for routing directly. Also since you say your business subscribers are on the same LAN, I'm assuming they are using the same ...

Feklar

Basically you need to use a back end services for billing, creating login page, RADIUS etc. You can use someone else's service, build one out and develop it yourself, or purchase a package that might fit your needs. This is what we use for our back end system, and it works well for us. http://myinns...

Feklar

Try using this for your routing tables: http://wiki.mikrotik.com/wiki/Manual:Load_balancing_multiple_same_subnet_links Mainly this part: /ip route add gateway=10.1.101.1 add gateway=10.1.101.1%ether1 routing-mark=first add gateway=10.1.101.1%ether2 routing-mark=other I've never tried it, so I'm not ...

Feklar

It's a much better idea for you to post what you have and what you are expecting and what you are seeing. There are numerous working examples throughout the forum and in the wiki if you search for them. At a minimum provide: /ip firewall export /ip address print detail /ip route print detail A netwo...

Feklar

You are using the wrong mode for the radio card, change it.

Read the wiki example of Station modes I posted.
http://wiki.mikrotik.com/wiki/Manual:Wi ... de_station

Your other option is to set up the device to be a router and NAT out of the wireless interface.

Feklar

It would be best for you to read the manual about wireless.
http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless
http://wiki.mikrotik.com/wiki/Manual:Wi ... tion_Modes
http://wiki.mikrotik.com/wiki/Manual:Wireless_AP_Client

If you still need help, provide
/interface wireless export

Feklar

I have no idea what your interface names are. You'll have to replace them with the appropriate names yourself.

Feklar

/interface bridge add name="WLAN Bridge" /interface bridge port add bridge="WLAN Bridge" port=ether1 /interface bridge port add bridge="WLAN Bridge" port=wlan1 This bridges the two interfaces together in software making them act as one layer2 interface instead of two s...

Feklar

Have you bridged the Ethernet interface with the wireless interface? In general, each interface on a RouterBoard is it's own separate routed interface unless you tell it otherwise.

Feklar

Is that 3rd subnet routed to you via your first one? If not you can't use it like that short of using a proxy-arp setup that is an ugly hack and you'll want to contact your ISP before turning it on to make sure it won't cause them problems.

Feklar

What was your shared user set to under your profiles? Default is 1, if it was set to that, that means only one person can be signed in under a given account at any given time. If the logout procedure didn't fully work for whatever reason that would explain your problem.

Feklar

/system scheduler

Feklar

Look up policy based routing.

Feklar

You're running a very old version, so that could be part of the problem with the NTP server and Windows. I'm not sure about the settings on a version that old so I can't be much help there.

Feklar

Also the find function will help you a lot when trying to edit things via the CLI.

/ip proxy access remove [find dst-host=www.example.com]

Feklar

They are the same thing. Winbox just has it labeled differently than what is in the CLI. I don't use the proxy much, so I'm not 100% on this, but this is the rule you should need to deny all web sites. /ip proxy access add action=deny disabled=no dst-address=0.0.0.0/0 Put your accept rules above it....

Feklar

VoIP can be a bit tricky to detect and use properly. If you know the IP addresses of the handsets, it becomes much easier to do what you want since you just mark the connections based off of the IP address. 1.) Set up static leases for the handsets in the DHCP server and create an address list with ...

Feklar

MAC addresses are the main ones. It all depends on what you are configuring on each board really, and you want to use roughly the same OS version for the export and import as syntax can change. Another example might be PPP settings if you are using those and what different settings for each board.

Feklar

thank you for your answers. so i can use the RouterOS for both a Wifi Deployment and DSL deployment at the same time, with the Router OS authenticating both networks conncurently. As long as the MikroTik is the layer3 hop for both networks then yes. Each interface on a MikroTik can be it's own sepa...

Feklar

I'm not familiar with wireless bridges/links like that, but I think it might have to do with the method you chose to use in linking the sites together. Maybe a different mode will suite your needs better. There are several wiki examples submitted from users about layer2 wireless links. http://wiki.m...

Feklar

Yea thanks for ur reply but could i use mikrotik to do that ? If the MikroTik is the edge device, i.e. the access point yes. Or if a client needs to go "through" the MikroTik to talk to another client, you can block them. If it's just the layer3 hop on the network to the internet then no....

Feklar

That is because the access points themselves do ever actually pass or need to pass any traffic. If they are acting as an access point, that means they are a layer2 device, they just forward on what they are getting from the client. The hotspot will automatically time "clients" out of it's ...

Feklar

if you will have any kind of user/pass based authentication (like hotspot or pppoe) then the mac cloning will be useless for these violators, they will also need username+password Hello normis i run hotspot but in my school student still do mac cloning and bypass the hotspot is there nay way i coul...

Feklar

Backup creates a binary file that is meant to only work on the router it came from. Uploading it and using it on another router will often make a partially broken configuration. The better way to make backups and give configurations to other routers is via the /export command. It does have the drawb...

Feklar

http://forum.mikrotik.com/viewtopic.php?f=13&t=45259

Feklar

The MikroTik can be a captive portal via the hotspot functionality. The billing portion however requires some of your own development depending on what you need and want. It has some payment functions via the UserManager package that can be optionally installed, and there are posts about how to use ...

Feklar

Well both of the IP addresses are assigned, and there is nothing in your firewall that would prevent them from talking directly. I would have to say look at the PC then, check it's routing and ARP tables to see if something might be up with them. What happens when you connect the PC directly to ethe...

Feklar

Look up policy based routing. Several posts about it in the forums and there are guides in the wiki.

Feklar

It could very well be that it's a problem with your ISP modem. They don't always like to have the same MAC address for multiple IP addresses.

Please provide, we might be able to see something from these.

/ip address print detail
/ip route print detail
/ip firewall filter export

Feklar

It all really comes down to what your goals are and what you are trying to do with the network that will determine the best way to approach it. Each VLAN in a MikroTik is treated as it's own separate routed interface, it is after all is a router not a switch. This is not like a switch where there is...

Feklar

What are you looking to do? Set a hard cap on a per interface level? You can do this by manually setting up a queue for each interface, or editing the interface itself. /interface ethernet set 0 bandwidth=unlimited/unlimited If you are looking for something else, please be more descriptive of what y...

Feklar

You are correct that the check gateway function included when adding a route only checks the gateway itself, so if that is an address located directly on your Cisco and not further upstream, then it won't detect a problem further down the line. You can use netwatch, write your own script, or use a s...

Feklar

Check your firewall to see what you might be blocking. Also if you are running a proxy, check those rules. There's not enough information in your post to really begin to help at all. If you want more help/information you need to at least provide: /ip firewall export /ip route print detail /ip addres...

Feklar

If your ISP is routing that new block of IP addresses to you via your current subnet, then yes. Assign one of the IPs to the MikroTik on your LAN interface to become the default gateway for the clients, and set up the DHCP server. The MikroTik is a router, it will route between subnets and interface...

Feklar

It depends on your setup, and how you get that pool of IP addresses. Is your subnet routed to you, or does it only exist on the WAN of your router? If it's routed, it's just a matter of assigning the subnet and the pool of public IP addresses to the LAN of your router. If it's only on the WAN, thing...

Feklar

Ideally you'll have your own NTP server you can point the boards to and have them synced to. Otherwise search for NTP servers via Google and choose one. They can change however, especially if they are doing a free service, so it's best to have your own that you control.

Feklar

I don't understand what you are saying? With the script, when you ping you can specify a routing table for it to use, so you can make a test route, and use that to ping a remote address. The key is to ping an address that is on the internet, like Verizon's DNS servers. Since it's using a routing tab...

Feklar

You have two basic methods to implement fail-over, this should not require any modification to your current setup. 1.) Write a script that will test the lines for you via pings, or some other method. 2.) Use the scriptless method described in the Wiki and in the forum. http://wiki.mikrotik.com/wiki/...

Feklar

You're going to have to be a lot more descriptive of what your goals are and what your setup is in order to receive help. A network diagram would go a long ways towards helping. Bridging is a way of making a number of interfaces act as one signal layer2 interface via software. Since it's an Ethernet...

Feklar

No you don't have to clear it out every time, since old rules/connections may be applying it's just to clear it out this once. A reboot also works to clear out the connections table. Please do an /export of your current mangle rules. I want to see if there is something that was missed or that has ch...

Feklar

What method did you try? Modifying PCC or the first suggestion? Completely clear out the contentions table under IP->Firewall->Connections. The router remembers what route it's used for previous connections and will use it again if it can. Clearing out the connections table makes it forget a previou...

Feklar

The other method would be to change your PCC classifier, you have it set to "both-addresses-and-ports" and change it to "both-addresses". I went with that method above because you had that very specific rule for it listed. By taking out the port variables, PCC is a little less ra...

Feklar

/ip firewall mangle
add chain=prerouting action=mark-connection new-connection-mark=Single_conn passthrough=yes in-interface=LAN connection-state=related place-before=16

Feklar

FTP actually uses two sessions. Port 21 is the control session, and the data transfer session is negotiated off of that. The router can look into that control tunnel and determine a connection is "related" based off of that. Where you mark a connection for FTP, add in another rule with &qu...

Feklar

They have several version available, just edit the link manually, you can usually grab 3 or 4 versions back that way. As far as I know they do not maintain a publicly accessible repository of older versions. You can contact support and ask them for it, or someone on the forum might be nice enough to...

Feklar

Need more details to help in this case.

What are your firewall filter rules? I'm guessing that you have a specific filter rule that is dropping everything not explicitly accepted further up in the forward chain.

Feklar

Because they are on the 192.x.x.x subnet, they need to use a router to talk to a different subnet than they are on. Part of the basic hotspot setup is a firewall to prevent unauthorized users from doing this. This isn't really a "security" thing in your setup however, since both subnets ar...

Feklar

750gl was released post 5.x so I'm guessing 4.x will not work on it much like the RB1200.

Feklar

Do you have any rules in your forward chain? I'm only seeing them for the input chain in the rules you posted. Also I believe your NAT rule is wrong. 0 chain=dstnat action=dst-nat to-addresses=192.168.2.15 to-ports=22 protocol=tcp dst-address-type=local dst-port=2222 By the time dstnat happens, the ...

Feklar

The router will automatically route between all subnets. If they are on separate routed interfaces it is usually cleaner and more reliable. If you have the two subnets assigned to the 450 as described bellow and it's not working, you will likely need to check the routing tables on your two servers t...

Feklar

Without more details it is going to be very hard to offer more specifics, but here it goes. I'm assuming the IP address that you have is the public IP address of your DSL modem. Since the DSL modem is giving you DHCP, chances are the modem is also a router, and is acting as such, therefor the IP you...

Feklar

That it can match either the dst-port or src-port instead of just one or the other.

Feklar

If you're having a problem with clients generating too many sessions, you can always set up a firewall rule that will limit the number of allowed TCP sessions. This has to be a reasonable number however, for example, on most of our hotspots we have a TCP limit set to 200 sessions at a time, but some...

Feklar

You are using ECMP for load balancing, it works, but if I remember correctly it have very little to no fault tolerance for a link going down. While it will work for you, you might want to read up on PCC and use that instead of ECMP for load balancing just as a suggestion. If you're happy with it, th...

Feklar

Limit-at defines the minimum guaranteed amount of bandwidth given to that queue regardless of the priority.
Priority defines what queue will get access to the free bandwidth defined by their max limit when it is available.

Feklar

How you open a port mainly depends on your firewall filter. The default action of the filter is to "accept" since it's a router first, so if you aren't blocking anything in the forward chain of the filter, it will be able to pass through the filter just fine. Then all your router needs to ...

Feklar

In addition to needing to set up nat rules, since you have multiple WANs, you need to mark connections coming in for those services behind the router and mark them for routing. Without those rules the router won't know what routing table to use to get back to you, and that will result in the connect...

Feklar

In mangle you need to mark connections coming in on specific interfaces for input, and then use those connection marks in a mark for routing rule on the output chain. Also be sure to have routes in those specific routing tables. Without those rules and routing table, the router will use the main rou...

Feklar

The basic solution is you need to implement a method for the router to test a specific route to insure that it is working properly and if it's not disable it and clear out the connection table for that route. The reason why unplugging the router works is because it then puts the Ethernet link offlin...

Feklar

What kind of hotel is it? If it's an IHG, Marriot, or Hilton brand, you are in serious violation of franchise specs by having any of their PoS systems share the guest network without separation. Not to mention problems with PCI compliance if there is any form of credit card processing going on with ...

Feklar

Masquerade will always choose the route with the lowest weight and take the preferred source of that subnet or route. Adjust the preferred address for that route, or use src-nat as the action instead of masquerade.

Feklar

Traffic Flow (Netflows to the rest of the world). Set up a collector server and point your boxes to it. There are several free options for a netflows server/analyzer and several pay for options. It depends on how much time, money, and effort you want to put into it that will determine what you go wi...

Feklar

What exactly is the problem? The NAT counters are going up like they should, so that means it should be working. Without more description of what you are seeing, it's impossible to help. Also /export and /print wrapped in code brackets are almost always more helpful than screenshots. Screenshots nev...

Feklar

You can specify a range of addresses with src-nat as the action, but in my experience that makes things break more often than not in that kind of setup. Another option is to use netmap as the action, you just need to feed it a full subnet(including broadcast and network IPs), so make sure none of th...

Feklar

I haven't ever really seen that particular behavior before in a PCC setup. Are you using the built in hotspot web page, or a custom one? Does it load right when there is only one line active? One set of rules that you are missing is this before the PCC rules: / ip firewall mangle add chain=preroutin...

Feklar

http://forum.mikrotik.com/viewtopic.php?f=2&t=52184

About as close as you can get. Need version 5.4 or higher, and this only applies to webfig. It does nothing about the CLI or Winbox.

Feklar

http://routerboard.com/ Look at the product pages for benchmark testing. It all comes down to packets per second, what kind of services you are running on the board, number of firewall rules, etc. Everything that takes up CPU time reduces the number of packets a router can process. So the better que...

Feklar

Each interface on a MikroTik is it's own separate routed interface. This is unless the ports are bridged together or placed on the switch chip. This includes VLANs, when you add a VLAN to a MikroTik it treats it just like Linux treats a VLAN, as far as it's concerned, it's another routed interface t...

Feklar

Nothing is sticking out to me why it isn't working.

What mode is the stations radio card in?

Feklar

Yes, sorry I didn't catch that.

Please provide:
/interface bridge export
/ip address print detail
/ip firewall export

Feklar

A - More Memory H - High Power G - Gigabit Port U - USB R - Built in Wireless N - 802.11n 400 and 700 series use a different CPU from each other. 700 series have no console port and a plastic case, designed for a small home or office. 400 series have a console port, separate metal case, and a few ot...

Feklar

Each interface on a routerboard is generally going to be a separate routed interface. This means you will either need to put a subnet on the Ethernet interface and set up routes so traffic can get out, or bridge the Ethernet interface with the wireless so it acts as a layer2 device.

Feklar

http://myinnsite.com/ This is the solution that we use to manage all of our hotspots, and will do everything you are looking for. Ability to grant free access with dynamically created remote login pages. Basically you can make it a one click to connect, require access codes, user name and passwords ...

Feklar

You can provide an interface as the default route, yes. I just don't know how well that would work with your setup. I believe that feature is generally used when you have a PPP client that you need to connect to to provide access, and not when you have an Ethernet interface connected to a modem/rout...

Feklar

It is, but in order to do it you need to make your own routes, basically copy the ones installed by the DHCP client, with the appropriate marks. If you are worried about the gateway changing you can probably modify one of the dynamic DNS scripts in the user submitted wiki to modify or add the routes...

Feklar

http://wiki.mikrotik.com/wiki/Manual:Interface/Wireless#forwarding Correct. It just prevents clients that are connected to the same radio from sending packets to each other over the wireless card itself. This doesn't remove the ability to talk to other devices/clients on the network that are not con...

Feklar

Hotspot is basically a layer2 function. It is used to force people behind a given interface need to sign into the network in order to gain access. So your hotspot is doing exactly what it is supposed to. Masquerade is for NAT, and in this case is doing the same basic function of a src-nat. Network A...

Feklar

Default forwarding means that clients cannot talk to each other over the wireless interface itself, this however does not apply to all modes the radio card can be in. These "default" settings can be overwritten when making an access list for a specific client on the radio.

Feklar

By default each port on a 450 is generally it's own separate routed interface. Set up two interfaces with two different subnets, set up firewall rules to prevent these two interfaces from talking to each other, set up a hotspot on one interface, and set up your NAT rules so both subnets can get out.

Feklar

Add in an accept rule for local subnets before your PCC rules that you don't want load balanced, this includes WAN and LAN subnets. The PCC manual includes these rules.

Feklar

Use the firewall mangle rules to mark port 25 connections for routing out the correct interface before other load balancing rules(assuming you have them) with passthrough set to no, and then set up your NAT rule.

Feklar

With a simple dst-nat rule yes you can. You'll likely want to use a non-standard port so you're not killing your HTTP access to the router.

/ip firewall nat
add action=dst-nat chain=dstnat protocol=tcp dst-port=80 dst-ip="ip_of_router" to-address="ip_of_dvr" to-port=80

Feklar

You can't have the same subnet on two different routed interfaces. Routing just doesn't work like that, and by doing that, you have the end result of where you are now. You will likely need local access of some sort to fix the problem. Look into using safe mode in the future too, it can save you a l...

Feklar

The only real "reliable" way of doing this is using the connection-bytes attribute when marking packets for queues. If a connection exceeds a certain amount, say 1Mb, it's more than likely a download. The first 1Mb will get the full service, but everything else after that gets the lower li...

Feklar

Is your /24 routed to you, or does it only exist on the LAN of the ISPs router? If the /24 is routed to you, you can easily set up different subnets on whatever interfaces you want (though with a hotspot setup this isn't generally what is done because it's not designed for it). If however that /24 o...

Feklar

Have him set up a syslog server and set the remote logging policy on the router to his syslog server, and set up the topics he wants logged.

This doesn't necessarily prevent you from disabling this at some point, but somewhere along the line he's going to have to trust you.

Feklar

Specify the range in src-address or dst-address depending on what the rule is for. Or you can use address lists if you have multiple ranges/subnets to cut down on the number of rules.

Feklar

Not currently no. The closest you can get is VRRP, but that is just simple fail over, they don't share any state information between them.

Feklar

ROS v5.4: I am trying to implement "two gateways failover" ( http://wiki.mikrotik.com/wiki/Two_gateways_failover ), but my ISP is using DHCP for assigning me external IP and default gw. I can manipulate "distance" within the DHCP client settings, but there is no "check-gate...

Feklar

What else are you looking to do? You will likely want to configure the firewall to at least protect the router, there are several user submitted Wiki's on how to do this. QoS is a nice feature, but it is a very complex one as well. It would not be very easy to cover it in a few posts. It's better to...

Feklar

Based off of your requirements, this is your only real choice.
http://wiki.mikrotik.com/wiki/Manual:IP/Traffic_Flow

You'll need to program whatever collector you choose to figure out what is what for different kinds of traffic.

Feklar

The p2p matcher in RouterOS is out of date and won't match a lot of the more modern protocols. If you try to keep up and match everything p2p, it is an endless battle and one that you will spend a ton of time, effort, and money on. The easier solution is to just identify the "good" kinds o...

Feklar

1.) Use built in graphs. (Unreliable storage of data)
2.) Use SNMP to poll the router and store graphs off site. (reliable storage of data)
3.) Use Netflows to store traffic details and graphs. (reliable storage of data)

Feklar

Maybe I misunderstood your setup then. If you could post a diagram that would be more helpful in visualizing your setup. For active failover, you can try out VRRP, however I'm not sure how well it will work with hotspot. With VRRP routers do not share state information. So if the main router fails a...

Feklar

http://wiki.mikrotik.com/wiki/Main_Page

Feklar

The Horizon option only works locally on the router, it does not translate over to another router. On your APs you shouldn't have to worry about placing a horizon since you have wireless interface bridged with a EoIP tunnel, as long as the bridge itself does not have an IP assigned to it, the guest ...

Feklar

What are you looking to do? You have a full /29, is that routed to you, or only available on your WAN? If it's routed to you, you can just have that subnet on the LAN of your router and hand out those IPs there. However if it is only available on the WAN, that means you need to assign all of the IP ...

Feklar

You can use netmap as an action for the srcnat rule. This will dynamically NAT different private IPs out of different public IPs. As a side note however, you must feed it a complete subnet to use. So you'll have to divide it up into several smaller subnets to get as many addresses in there that you ...

Feklar

What version are you running? 5.1 had problems with at least the 400 series of boards hanging on an /export command. Maybe try upgrading to 5.4, or at least 5.2.

Feklar

Edit /etc/freeradius/users and place this near the top. DEFAULT Auth-Type := Accept Then it will just accept anything you feed it for a user name and password. The tricky part is getting your mail server to use Radius in the first place, hard coding it to accept is easy ;). @SurferTim, like you said...

Feklar

The closest that you are likely to get is either a firewall list with given IP addresses and logging when someone visits the IP address, but that won't get you the domain that they were visiting. You might be able to get closer to what you want with a dedicated more capable proxy server, something l...

Feklar

Only one firewall filter: to block icmp I can use web proxy to access same host and port on same ethernet ports. Besides dst-nat for forwarding, only NATting done is outbound masquerade. I'm testing w/ web browser; place ip_address:port number in address bar. Whenever I try to access the host, I se...

Feklar

Set the system -> log to log messages from proxy. Be ready for a TON of messages. If you don't have a remove syslog server, look into getting one going for better storage of data, indexing, and search.

Feklar

Saves CPU cycles primarily, and it's the only rules that I have of that type on the forward chain. Once a connection has a mark, every packet that is a part of that connection also has the same mark. Once that has happened, there is no need to process that packet further. You have to mark the connec...

Feklar

What causes this is the routing table. When a connection comes in on a certain route, I.E. your new DSL line, the router then looks at it's routing table to determine what route to use to respond back on. If the other internet connection you have has a lesser distance, it will then use that route to...

Feklar

Not that I am aware of. You could probably setup a secondary freeradius server that was hard coded to accept everything though.

Feklar

QoS is not a simple and quick thing that can be covered in a couple of posts. It will require you to spend hours of your time researching it and playing around with it to configure it and get it working the way you expect and want. Read the manual, read user examples, watch the videos. Once you thin...

Feklar

HDD space is the NAND, that's the flash memory of the routerboard. You should have around 50% free space on it after routerOS is installed, so yes plenty of space.

Feklar

The on board NAND should be enough to hold User Manager etc especially for just one network. Most boards come with at least a 64Mb NAND I want to say. You of course can add another store for extra storage if you wanted to run a Proxy off of the box or store local logs if the board supports it, I jus...

Feklar

Another thing to keep in mind with PCC is that you are using both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, there is also a good chance that it will break certain things like banking web sites and so...

Feklar

Minimum you need a device with a level4 license so the wireless card can act as an AP. A 433 is a good place to start if you need the Ethernet interfaces. With that being said, User Manager takes up a lot of resources, so the exact board that you need really comes down to what you want it to be able...

Feklar

There are several people that make switched PDU's for reasonable prices depending on your needs. Some of them have serial ports you can connect to a modem, most will have an Ethernet interface and will ping given IP addresses and if they don't get a response power cycle an outlet. With that being sa...

Feklar

The board probably upgraded fine. Some series of boards had issues with 4.15-4.17 I believe where they wouldn't always shut down properly upon a reboot, so require a power cycle when they don't come back. Get someone to power cycle it physically and it should come back up with 5.2 installed.

Feklar

http://wiki.mikrotik.com/wiki/Main_Page

For the manual:
http://wiki.mikrotik.com/wiki/Category:Manual

Manual is maintained by MikroTik staff. Some other sections have user submitted examples and information.

Feklar

I'm not sure what your queue tree has to do with filter rules and blocking ports that you talked about in the op and the subject? Yes you can get certain queues to apply to or not apply to certain end users as long as you mark their packets appropriately and take that into account with the queue tre...

Feklar

That's because when you use the built in proxy, the client is now talking to the router and the router is services and getting the web requests. That means HTTP ect. have moved from the forward chain to the input/output chain. http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram You'll need to adjust y...

Feklar

Everything looks fine there too. I'm assuming you have a 750, did you disable the switch chip for the port that has the VLAN assigned to it? Master-port=none When you have the hotspot running do they get the login page, and just nothing after that? Do the memory logs show that they signed in success...

Feklar

Basic hotspot setup looks fine there at first glace. Please post the results of the following

/ip address print detail
/ip route print detail
/ip firewall export

Please wrap output in the code tags to make it easier to read.

Feklar

Your problem is coming into play because I'm guessing you still have ether1 and wlan1 bridged together. This gives the clients "direct" access to the WAN, which is something you don't want at all. All of the sudden you now have the netgear doing DHCP, the 411 doing DHCP, etc etc. many many...

Feklar

I think there is, I believe you set the address pool to "static-only", then set up your leases in the leases submenu.

http://wiki.mikrotik.com/wiki/Manual:IP ... er#General

Feklar

Then I don't believe there is a way for you to do that. You could quickly set up a FreeRadius server and hard code it to ACCEPT and change the router to start using that. That will likely be the quickest, easiest, and cheapest solution for you.

Feklar

Going to need a lot more detail to provide assistance. Like what kind of rules are you trying to add, and specifically what rules you added.

Feklar

There's not going to be really a clean or easy way for you to go about moving to a hotspot from not having one. The hotspot arp-poisons the network and will attempt to respond for everything, this is how it is able to act as the gateway for misconfiguration clients. You may be able to try setting Ad...

Feklar

Depends on how you are authenticating guests. If it's local authentication on the router itself, I doubt there is any way to do it.

If you are using a remote Radius server, you'll need to look at their documentation, but there is usually a way to hard code an ACCEPT for everything in them.

Feklar

@reverged I'm assuming the problem comes from loops being caused in the network if you do not have some sort of filter to prevent traffic entering from one VLAN leaving another. It may not be a noticeable issue with a very small amount of VLANs, but it certainly is a problem if you have several VLAN...

Feklar

I think it's this. I've stopped using this and gone purely to specifying the horizon option. It accomplishes the same thing, only seems to do it much better. interface bridge filter add in-interface="LAN-bridge" out-interface="LAN-bridge" action=drop You can bridge a physical por...

Feklar

Hi, I implemented this system QoS and I work great with the tree queue and the PCQ to control the speed of the clients, but to enable web.proxy speed ceases to function, each user is consuming the entire channel, someone has solved this problem? http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram It'...

Feklar

When you bridge several VLANs together (especially when they share the same physical port) you need to set up a filter to block them from talking to each other. Without it things break down very very quickly and stop working altogether. There are two ways of doing this that I am aware of. 1.) Specif...

Feklar

No there is not by using the switch chip. When you use the "slave port" option it places the ports on the switch chip and the CPU never sees the switched traffic. Since it never sees the traffic it cannot graph it. You can bridge your ports together to see this data, but then you will take...

Feklar

If it is enough to monitor the IP addresses visited, you can set info logging to a remote syslog server. Then set up a mange rule ip firewal mangle add chain=prerouting action=log connection-state=new protocol=tcp dst-port=80,443 log-prefix="WEBACCESS" This way you can also monitor SMTP,I...

Feklar

For example here is a queue tree that I often use: /queue tree add disabled=no limit-at=0 max-limit=10M name="Global Download" parent=LAN priority=8 add disabled=no limit-at=0 max-limit=1M name="Global Upload ISP1" parent=WAN priority=8 add disabled=no limit-at=8M max-limit=10M n...

Feklar

What is the domain name that you have set up in your hotspot profile? I think that needs a full domain name (hotspot.com) or something like that. The domain itself doesn't really need to exist anywhere else but on the router.

Feklar

Do you redirect your client's email to a local server for delivery? If not, that is probably the problem. SMTP is tricky. It is a 2-part challenge. 1) Most email servers will not relay email for an untrusted ip or domain. So because of this reason, I use the smtp-server setting in the hotspot profi...

Feklar

Also, is the home page of the PCs you are testing with HTTPS? If so try going to a HTTP web site. The hotspot cannot redirect HTTPS and display an HTTP web site.

Feklar

But if you are using the hotspot, does the end user need to authenticate against their server to send out messages? You can try having them turn off authentication on their machines and see if it works. If your users need to authenticate themselves against their server to be able to send out message...

Feklar

Basically you need to use a proxy for these specific IP addresses and to have the proxy log all HTTP requests. You can use the built in proxy server of the MikroTik but you may want to look into a more capable proxy that you can use transparently. http://wiki.mikrotik.com/wiki/Manual:IP/Proxy You ca...

Feklar

User submitted guides. http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_using_MPLS_extended http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_using_MPLS http://wiki.mikrotik.com/wiki/Transparently_Bridge_two_Networks_without_using_WDS_%28EoIP%29 http://wiki.mikrotik.com/...

Feklar

You can have as many subnets and IPs assigned to a given interface as you want. Please provide an /ip address print detail, that way we can see what you are trying to do, and might be able to give some advice. Each interface on the router can be it's own separate routed interface, so setting up a DM...

Feklar

If I remember correctly the local workgourp needs to be on the same subnet for it to work like you are expecting it to. Since you are using a VPN tunnel, this isn't likely to happen reliably. This is because you normally have two different LAN subnets on both sides of the connection so they can talk...

Feklar

Using a transparent proxy in the MikroTik can only handle HTTP, nothing else. You can definately forward everything to an external proxy server with a simple NAT rule, but it's then up to that server to handle the requests properly and is completely out of the hands of the MikroTik.

Feklar

Yes you can separate out each interface on a MikroTik and they will all act as their own separate routed interface. With that being said, it depends on your LAN more than anything else. You do not ever want to have two different DHCP servers running at the same time on the same logical layer2 networ...

Feklar

http://forum.mikrotik.com/viewtopic.php ... 25#p175525

Feklar

how? please help me to setup, i will be very Thankful to you always. http://www.ntop.org/news.php http://nfsen.sourceforge.net/ These are two free collectors you can use. Otherwise search for a netflows collector on the internet. You will likely need to set up a separate server and work out from th...

Feklar

Most any new MikroTik can handle anything you can throw at it in a home situation without any problems at all. What kind of bandwidth do you have at your home? With that being said, do you want to completely replace the Cisco AP? Also how many Ethernet ports do you want? A 493 will get you 9 Etherne...

Feklar

User Manager is basically just a Radius server that can run on top of MikroTik. http://wiki.mikrotik.com/wiki/User_Manager You can use most any Radius server you want as long as it has the MikroTik definition file so it knows what attributes it can use. We have our own back end system that uses Stee...

Feklar

For 15 end users the MikroTik proxy will be more than sufficient. I personally don't use it, so I don't know what kind of options may be there to block certain extensions. You might be able to use the path option for what you want, something like path=*.mp3 I also don't know how well the MikroTik pr...

Feklar

As long as you have control over your modem and can change the subnet, you can modify your "WAN" without any problem.

Feklar

http://wiki.mikrotik.com/wiki/Hairpin_NAT Or set the web server in a DMZ on a different routed interface and subnet to make it much much cleaner and easier to deal with. While this is technically possible, you are going to run into one main issue. How will you determine that someone has visited your...

Feklar

/ip firewall mangle chain=forward action=mark-connection new-connection-mark=Standart_con_down_100M passthrough=yes src-address-list=Standart_class_100M&40M connection-state=new chain=forward action=mark-packet connection-mark=Standart_con_down_100M new-packet-mark=Standart_con_down_100M That w...

Feklar

Tried that. My poblem with that is that I need the per connection classifier already to distribute packet marks for the queue. It would be nice if one could have two connection marks - one that can be used for setting a routing mark. You can mark packets directly too instead of relying on connectio...

Feklar

First of all, you are going to be very very hard pressed to block people from downloading files via HTTP. As far as the router knows and is concerned someone requesting a web site or downloading an ISO via HTTP are exactly the same thing. This is also true for HTTPS, and since it's encrypted you can...

Feklar

You can use the PCC classifier when marking for routing, or for anything else for in the firewall. It's just recommended on the connections since it uses less CPU time (only needs to be calculated once on a new connection). By using PCC on a mark-routing rule it has to calculate the PCC matcher for ...

Feklar

http://wiki.mikrotik.com/wiki/Hairpin_NAT Though that is an ugly setup to do. It would be much better and cleaner for you if you could put the server on it's own routed interface, with firewall rules, NAT etc, than doing it like that. Issue number 2, is you have the same subnet on two different rout...

Feklar

Why are you marking packets on postrouting? It's generally better to do so in the forward chain than there. Also without knowing what kind of queues you are using, you could potentially be having issues there. http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram Couple of issues that pop out at me: 1.)...

Feklar

Thanks Fewi! Early testing suggests that it did the trick! I guess the thing that confuses me most about queues is that limiting "upload" or "download" does not always work in the way I would expect. e.g. When I set the upload limit of my queues on the 750G, it actually restrict...

Feklar

Please check the user profile " transparent proxy= enable " and " open status page =always " , coz this will re-direct to home page Google or yahoo pr any page in set in browsing .. Thank you Transparent proxy and status page have nothing at all to do with a guest being redirect...

Feklar

You didn't mention that you had a parent-proxy setup. The rule I posted was to redirect all HTTP to the proxy server itself. Since you are running a proxy on the MikroTik itself, that means your first rule was right. What are your firewall filter rules? It's possible that is blocking something you d...

Feklar

Basically as Fewi said, getting the proxy to work with load balancing is ugly. However it is possible (at least in the lab). 1.) Mark connections going to tcp port 80 in the output chain, and apply your PCC matchers however you wish. 2.) Mark for routing on the output chain with your connection mark...

Feklar

1.) Is the home page HTTPS? Or are you using IE? The router cannot display a HTTP login page to someone that is trying to go to a HTTPS web site, it simply just does not work. Also IE tends to have problems with cached pages, so that might be the source of the problem. We generally just have people ...

Feklar

Look at the packet flow diagram to determine the best place to put queues and mark packets based on your setup: http://wiki.mikrotik.com/wiki/Packet_Flow#Diagram This is where it is very easy to get confused about QoS and marking packets and what is best to do where. It all comes down to your needs ...

Feklar

Thanks for the reply sir, yes i've gone through those manuals, but i really don't know to set or configure it, I'm just really newbie. If you don't mind will you give a samples which will i follow? according to my setup. Thanks and more power.. Alginne If you open WinBox and go to IP -> Hotspot, an...

Feklar

Your NAT rule is redirecting port 80 to the router on port 3128, so it won't work unless the router is set up to be the proxy and is listening on that port. Change the action to dst-nat and set the to-address to the Squid server's IP.

Feklar

Lost of options and things are possible with a hotspot. Here are the manuals to get you started. http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/Profile http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/User http://wiki.mikrotik.com/wiki/Manual:IP/Hotspo...

Feklar

Queues and QoS are probably one of the hardest things to understand and get working in any environment. It's a very complex subject and will require lots of playing around on your part to learn and set them up. I would recommend starting with this: http://wiki.mikrotik.com/wiki/Manual:Connection_Rat...

Feklar

Yes you can use proxy on a 750, but I probably wouldn't use it for more than maybe 20 active users at most. You'll also have to export your proxy logs to a syslog server for storage and indexing. There is not enough memory available on a 750 to contain a meaningful amount of logs. To make users use ...

Feklar

Hi, thanks for your reply Feklar. Ive came across a website while searching in google for a answer and it is basically exactly what my setup is except that my ISP give dynamic IP's and I dont need the "route traffic by type" section at the bottom. As a matter of fact, I got it right but w...

Feklar

hi ! I'm anew user of mikrotik ,and i have the same problem i think the MAC address in not unique it can change easily so ,is any way that we can make relation between the mikrotik and the client processor id?? my scenario is that.. 1- the login page in hotspot must contain block of code that reads...

Feklar

Going to need to know more about your setup to offer more specific help, but what you are looking for is called Policy Based Routing, and is simple enough to do. Something like a network diagram would help. What you basically do is take connections coming from the 192.168.3.0/24 subnet and mark thei...

Feklar

You need to set up a proxy and force all users to use it, depending on the board you have and the size of the network you might be able to get by with the built in proxy, or you will need a dedicated proxy server. The logs of the proxy should contain what URLs were visited.

Feklar

That is most likely because they are using a download manager that opens multiple sessions to download one file. In order to get the maximum effect in that case you'll want to use both addresses and ports as the PCC matcher and a 3rd party program.

Feklar

The PCC setup was designed as and is a load balancing method, that's why you use it and that is its advantage. No one connection can exceed it's maximum throughput, but because it load balances you have a good chance of having your 2nd or 3rd or 4th connection go out of the line that is free. Becaus...

Feklar

What line specifically are you talking about not working? The mangle rules look right and they paste fine into one of my routers. If you are talking about only one line being used, it's likely because of your PCC classifier. It it only taking it based off of the src-address, so this means that every...

Feklar

You can create that firewall rule before or after, just the custom pre-hotspot chain will not exist until the hotspot has been created. By using the pre-hotspot firewall chain, you are basically applying a NAT rule before the hotspot does any processing on the packet. The packet flow diagram shows y...

Feklar

So you want it to be that after the guest logged in once with a given access code it is no longer valid? If that is the case, that's not a MikroTik programing issue, that's a SQL database issue. You need to somehow program and define that after a guest has successfully used x access code that it is ...

Feklar

The main difference between that configuration and the one in the Wiki is that is specifies "hotspot=auth" on the PCC rules. That's what is doing most of the work in that case. You can also accomplish the same thing with a NAT rule. /ip firewall nat add action=accept chain=pre-hotspot hots...

Feklar

Set up a profile in free radius with the attributes listed above. Then assign access codes to those attributes.

Feklar

First glance you are missing one part. /ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth This rule prevents packets from being processed against the hotspot after someone has been authorized on the network. Because of the way the hotspot works, thi...

Feklar

The first thing that I would suspect would be a DNS problem. See if the router, or hosts can resolve that domain or not with the DNS servers specified in the router, then change the DNS servers and try again if they can't. Otherwise post an export of your firewall rules so that they can be reviewed ...

Feklar

http://wiki.mikrotik.com/wiki/RADIUS_Client Choose 2 of these for the data limits for received and sent. Mikrotik-Recv-Limit - total receive limit in bytes for the client Mikrotik-Recv-Limit-Gigawords - 4G (2^32) bytes of total receive limit (bits 32..63, when bits 0..31 are delivered in Mikrotik-Re...

Feklar

PCC and Hotspot isn't possible on the same machine. Arman PCC and Hotspot are very possible on the same router. I have it running successfully at around 50 locations for well over a year. Here is one example of a working setup. http://forum.mikrotik.com/viewtopic.php?p=175525#p175525 The problems y...

Feklar

1.) Figure out what IP addresses belong to google/yahoo. NSLookup will get you some of them. 2.) Add these IP addresses to an address list. 3.) In firewall mangle mark connections going to that address list in prerouting. 4.) Mark for routing based off of the connection mark in the previous step to ...

Feklar

The main thing to remember about load balancing in a MikroTik is it is based off of CONNECTIONS. What I mean to say is that the MikroTik randomizes what link it will decide to send a connection out of, and you can weight it towards one more than the other. With that being said, the router has no way...

Feklar

Torrents are some of the hardest programs to detect, especially on a layer3 device. You can guess based off of the p2p firewall matcher provided by MikroTik, but that is unreliable as the definitions are out of date. It is also very easy for someone to encrypt their p2p traffic, or even send it over...

Feklar

Define what you want to be a download, and what you want to go over the fiber link. Policy based routing is probably what you are looking for. With that being said however, if you expect it to be able to distinguish the difference between someone downloading a web page or an ISO file via HTTP, it wo...

Feklar

"/ip firewall export" wrapped in code brackets to make it more readable. Without that information we cannot supply help.

For good measure throw in:
/ip hotspot export
/ip address print detail
/ip route print detail

Feklar

Your upload parent should be you WAN interface. Your download should be your LAN interface(s). VoIP isn't ever very bandwidth intensive, but it is very sensitive to latency. In your case, since it appears you have two different LAN interfaces, on your normal LAN i would set a hard limit on the amoun...

Feklar

You have no limits defined at all in your queue tree. Without a max-limit at the very least, it will not work. The queue needs to know how much bandwidth is there before it can start to reorder packets or apply specific limits and priorities. Your max limit should be something around 90% of the tota...

Feklar

Use PCC: http://forum.mikrotik.com/viewtopic.php?p=175525#p175525 http://wiki.mikrotik.com/wiki/Manual:PCC http://wiki.mikrotik.com/wiki/How_PCC_works_%28beginner%29 Better for load balancing, and you get failover, where as with ECMP there is no failover at all. I also believe it solves a few proble...

Feklar

http://wiki.mikrotik.com/wiki/Hairpin_NAT

Though that is an ugly way to go about it. It would be much easier and cleaner for you to put the web server on a "DMZ". Basically give it it's own interface, subnet, etc, and set up firewall rules appropriately.

Feklar

I like to console/ssh my way into a router, I edit the stuff out of the /export that I don't need, and then copy that file and paste it into the console/ssh session. Any errors lines that are there have a red mark on them but that doesn't stop a paste like it does with a running script, so the whole...

Feklar

The main reason why you may not be seeing things fall back to your main route is because the router "remembers" where it has sent connections in the past. So your fiber connection goes down, and new connections start to use your cable, then your fiber comes back up. Because the router reme...

Search found 1724 matches