MikroTik

Jeroen1000

I asked MT about this MTU limitation. They assured me that the hardware supports jumbo frames and MTU should be increased in a future ROS version.

Good news. Better than mine as now we know the limitation can be removed. I hope future means this year though

Jeroen1000

I've been told it is currently an accepted bug. There is another topic where this was told. I hope it gets fixed quickly too:)

Jeroen1000

MRZ you were very right! For the VLAN interface you can only set an L2MTU of 1502 bytes (could nog get it to set 1504 or more). The MTU on the VLAN interface has to lowered (from 1500) to 1498 bytes in order for this to work. 1502 bytes - 4 bytes for VLAN header = 1498 bytes. This looks like an issu...

Jeroen1000

I'll check that. I have not changed the L2MTU. Perhaps I should set it at 1504. Can't check the defaults now as I'm not near the router

I believe to ping 1500 bytes you need to set the ping size to 1472 in windows? (8 bytes ICMP and 20 bytes ip header makes 1500). Right?

Jeroen1000

Hi Guys, As soon as I create an VLAN-interface on a port and assign an address to it I can no longer manage the router via Winbox. I can ping the address on the infercace though. Sometimes I can't even login to Winbox. When I can login, most tabs are empty (like the interfaces tab, vlans tab, firewa...

Jeroen1000

So, regarding the MTU. You can't even do Q in Q with a layer 3 MTU of 1500 bytes (20 bytes IP header + 1480 bytes payload).

That would yield 1480 + 20 + 4 + 4. Seeing a VLAN-tag is 4 bytes?

Jeroen1000

I've found the problem and solution. However, I don't fully understand it yet. In below configuration, the switch1-cpu port is set to DEFAULT-VLAN-ID 0. Putting is as access-port in VLAN20 solves the issue: 5 switch1-cpu Switch1 secure always-strip 20 Or setting its VLAN-MODE to fallback also does t...

Jeroen1000

This is so weird, what you could NOT see from my first post is that ETHER2 did not have a physical link (there was no device attached to the port). So I've now connected my ISP's cable modem to ETHER2. The modem was previously on ETHER5 (my WAN port). Again, I do not receive an IP address on ETHER2 ...

Jeroen1000

Pretty strange issue here. I've put ETHER2 as master-port for ETHER5 (=WAN PORT). After a reboot, ETHER2 fails to get a DHCP address from my ISP. When I disable and re-enable ETHER5, DHCP works. ETHER2 now obtains a DHCP-address from my ISP. I'm not sure what I'm doing wrong here. Any ideas fellow M...

Jeroen1000

I think you should google it, much information is to be found. I can start of with this: In terms of security, PPTP is obsolete. Only use with very long passwords (20 + characters) and not for matters where security matters. Is sometimes blocked by corporate firewalls. Setup is very easy. IpSec in c...

Jeroen1000

I've got the same problem. Disconnect within minutes. Tried all kinds of things like turning of the firewall rules that could potentially be a cause.

It seems that connecting to the routers internal LAN IP over a PPTP VPN is causing issues....

Jeroen1000

+1 thank you for this excellent overview. Much appreciated. So then, it does not route over 1 gigabit over a single upstream port? What is the 10 gigabit SFP+ port for then?

(sorry I have not updated myself since the Routerboard 450g series)

Jeroen1000

Apparently, my cable modem is introducing about 550ms of buffer bloat (worst case scenario) in the upload direction. This was tested without the router in place. A sensible thing to do is to move the bottleneck to the WAN-interface and then specify a suitable scheduling algorithm. Since my upload is...

Jeroen1000

You certainly have a strong handle on the matter. The port left of the router is ether1 (Trunk port). The port to the right is ether5 (WAN-port). But you already figured this out. I've haven't tested this (not at my home so danger of locking myself out) but I think it is also possible to create VLAN...

Jeroen1000

CelticComms is filling in the blanks in my knowledge gap. So by bridging VLAN20 (attached to ETHER1 if you refer to my screenshot) with the WAN port, I'm basically defining VLAN20 on ETHER 5 as an access port (untagged port). At the same time VLAN10+VLAN20 on ETHER 1 both remain tagged ports? Make s...

Jeroen1000

Yes, cloning works as I've tried it with a Draytek router once. Result: the STB had "internet" (read: access to ISP servers) access but non-ISP devices will not be able to reach the internet through that range of course. Using the clone trick, I could give the STB an address in a private r...

Jeroen1000

I'm doing the VLAN-solution using the setup above with the screen shot. Unfortunately, it involves a bridge as you can see. Getting it to work inside the LAN is a no go. The ISP decides its IP based on the MAC-address. The only other way I can think of is by using the solution Pellaeon suggested, as...

Jeroen1000

I thought of that, but that would require the tv box to be connected to the slaved port directly? So without any VLANs involved, right?

Jeroen1000

Clarifying is always hard. Perhaps I can create and upload a drawing if this attempt here is a bit unclear: Forget about the 192.168.0.0/24 LAN and VLAN10 for a minute. - My cable modem is 50 metres away from a TV setup box. This box NEEDS L2 access to the WAN-port of the cable modem in order to get...

Jeroen1000

Hi Pellaeon Thanks for your thoughts, I appreciate it. Your summary is kind off how I imagine things but it still has to become real for it to be able to fall together. First restriction, my ISP does not do any L2 VLAN-tagging whatsoever. And so, I'm stuck at first base: You can make a new virtual e...

Jeroen1000

Hi everyone, I've been trying to get my head around this but pratically doing this, is beyond my Mikrotik knowledge. Please bear with me here and ask questions if my explanation is unclear. PART A 1) I want to keep my WAN-facing interface at L2 and plug my cable modem into the WAN-interface. Moreove...

Jeroen1000

Hi,

From my testing with DIG, I'd say no. The "Max UDP Packet Size" option for the DNS settings does not seem to do anything:-)

Can anyone please confirm?

Thanks,
Jeroen

Jeroen1000

Yes thanks for letting us take a look. Really appreciated. You might want to sent out PM's instead of posting this publicly. I won't mess with it but someone might try:-)

Jeroen1000

It was just an example. And I have configured it as you describe Dobby. HOWEVER, you are not using the switch chip.
I do appreciate your effort though. And I know a router is not a switch but full VLAN support would still be a nice feature.

Jeroen1000

I "had" to buy a VLAN switch because the Routerboard does not allow tagged and untagged frames on the same port + configuring this switch chip for VLANs is ...quite daunting to say the least:) for instance, I couldn't get this simple thing with the switch chip: info: the WAN port is connec...

Jeroen1000

Good post. I like it. I for one would like to see a device like a routerboard 450G with VPN-acceleration and a fully featured switch chip.
One which has all or most features of a Dell VLAN switch. Right now there are some limitations that are quite known (I think).

Jeroen1000

It appears the test websites don't work well for every port. Normal SSH login attempts do appear to register.
Weird. Perhaps anybody can reproduce?

Jeroen1000

Thanks otgooneo but for some reason that does not work either. Note rule 2 is disabled so the log rule at position 9 should work for port 22. If I keep the rule where it is at position 9, it will work for port 7000 for instance, but not for port 100. It will work for port 30000 but not for port 6000...

Jeroen1000

Hello everyone, I'm trying to log SSH portscan attempts. When I enable rule 2, I can SSH into my router from anywhere. So it appears my ISP is not blocking port 22. Although my log rule works fine with many ports, it does _not_ seem to work with ports 900, 22, 700,... Any idea why it (rule 9) does n...

Jeroen1000

Good to see you've updated

. Although this part of the forum is kind of dead. I do also wonder whether SWOS is still being maintained...

Jeroen1000

Added an overview of the test setup:-) Actually, simplified: I need to put the WAN-port (ether5) in native VLAN1. And I need my trunk port (ether1) in native VLAN1 and in VLAN10. Devices in VLAN1 will then get a public IP. Devices in VLAN10 will need inter VLAN-routing to reach the internet (which R...

Jeroen1000

Hi all, On a LAN-interface (ether1), I have created VLAN20 that I bridge with the WAN-interface (ether5). This way, computers in VLAN20 can get a public IP from my ISP (via DHCP). Ether1 has some other VLANs too, but these have internet access via NAT. Is is possible to replace the bridge with somet...

Jeroen1000

Thanks Sam. Your script and service are top notch. Much appreciated.

cheers,
Jeroen

Jeroen1000

I made a few changes to it, and it seemed to run just fine. It updates my IP after correctly after I reboot the router. But when my IP changes afterwards, it simply does not work anymore until I reboot again. So, when the IP changes and the script runs: - The variable $network is empty (check out th...

Jeroen1000

+1 how about it:)

Jeroen1000

Sam, Some code of the script did not really work out for me so I changed a bit of coded and added some. Do you see any issues or is this ok? Next line of code yields an error: #:global ddnsip [ /ip address get [/ip address find interface=$ddnsinterface] address ] So I added: :local network [/ip addr...

Jeroen1000

Hi Sam, It just happens I already registered after a good look around on the forums here. Are both the sending of username and password and the update secured with SSL? This is probably something Mikrotik support can answer, but would you happen to know whether the certifcate of your site checked by...

Jeroen1000

Oh, didn't? so it does know? (off checking the wiki). That's too bad as I don't feel like looking for another solution:))

Nope it still does not. Blast!

Jeroen1000

I'm sure there is a reason why all the DynDNS update scripts are HTTP. Can anyone explain why HTTPS is not used?

cheers,
Jeroen

Jeroen1000

I'm happy to report I've got a working script now (source code below). However, When forcing an update DynDns reports "nochg 84.194.xxx.xxx" And thus it does not update the "Last Updated" timer, which may cause the account to expire. Anyone found a way around this? # Set needed v...

Jeroen1000

I found this snippet to get the IP however, it makes the script halt although the console does not indicate an error. :foreach int in=[/ip route find dst-address=0.0.0.0/0 active=yes ] do={ :if ([:typeof [/ip route get $int routing-mark ]] != str ) do={ :global ddnsinterface [/ip route get $int inte...

Jeroen1000

Is it possible to avoid disk writes if no update is required?

So avoiding this part:

/tool fetch mode=http address="checkip.dyndns.org" src-path="/" dst-path="/dyndns.checkip.html"
:local result [/file get dyndns.checkip.html contents]

thanks a lot,
Jeroen

Jeroen1000

Dear all, Fixed: an inactive rule was the culprit. So I deleted it:-). Must have been active while the gui said inactive... I've changed the DNS-servers in the Mikrotik to OpenDNS and now DNS no longer works. It has worked for some time though, like a week or so. When I remove the router's IP as the...

Jeroen1000

Thanks for the heads up Fewi.

I was afraid of that, it does get a lot messier this way but nevertheless still doable. I was hoping on a secret "AND" operator which would have allowed specifying multiple ports like in my faulty rule.

.

Jeroen1000

How would one go about this? I'm basing myself on this example I have found in the wiki: add chain=input protocol=tcp dst-port=1337 action=add-src-to-address-list address-list=knock \ address-list-timeout=15s comment="" disabled=no add chain=input protocol=tcp dst-port=7331 src-address-lis...

Jeroen1000

Capturing traffic kind of worked (good enough for confirmation purposes). Every time I trigger an NSLOOkUP from my workstation, the IP of OpenDNS is queried. I see an "IN" and and "OUT" packet so that would be request and response (reply). Perhaps I could try a port mirror and co...

Jeroen1000

Is there any way to view which DNS server Mikrotik is querying? Like an NSLOOKUP command equivalent? I'd like to check whether it is using the DNS server I have specified.

Thanks,
Jeroen

Jeroen1000

Still a very valuable topic. I find myself checking it too often

Jeroen1000

It is still pretty annoying I have to remember to use admin instead of what I use on all my other devices. Please make it so we can change that. I bet it should not be hard?

Best regards,
Jeroen

Jeroen1000

Since it is only on my home LAN, this bug is not critical but it is quite annoying. But, the thing is dirt cheap so you get what you pay for ofcourse. I'm actually a bit tempted to see whether this switch truly offers wire speed with VLANs set. I do hope so because if not, that would be very unaccep...

Jeroen1000

For some reason, rebooting the switch (via the gui) does not clear this. There are a bunch of MAC addresses listed from computers that have not been connected for months.

What can I do about this?

Jeroen1000

I'll put step 4 and the "why use a brigde" in this post. I don't think Mikrotik routes between VLANs by default (and it looks like you don't wan't this) so I think you only require a route to the internet. If you configure your WAN port correctly, this route will exist and your're basicall...

Jeroen1000

I don't know how it is with your setup, but over here I need to get a lease from my provider for my WAN port. With this I mean that the Mikrotik router's WAN-port will receive a public IP from my cable modem. In this scenario the router is actually a DHCP client (instead of server) because it will a...

Jeroen1000

I'll try to be of help. It"s more like a trial and error thing but perhaps I can be of some help. This applies to routed VLANs, which are slower than switched VLANs. 1. You need to create VLAN interfaces (I'd generally not use VLAN 1 as this holds special meaning). You can create the VLANs usin...

Jeroen1000

If you read other documentation on routerboard.com, it says it will operate until 65°. So I'm still inside the safe zone

.
Perhaps Normis will favour us with an official kind of reply?

Jeroen1000

I'm recording 64° right now and about 61° during evening and night. Will this cause damage?
I don't even know whether it is normal, it isn't that hot where I live. Could there per any chance be heatsink issues?

Best regards,
Jeroen

Jeroen1000

This feature does seem to generate a lot of interest! Since ROS is basically Linux, the security mechanisms in Linux can be used? Am I seeing this wrong? Linux password are stored pretty secure since they contain a salt. Don't know the details like usual:)

Jeroen1000

Could you just please check with your engineers. This kind of protection is as common as HTTPS websites. I can give you my Trurecrypt encrypted hard drive and you"ll never get access to my data when the drive is at rest (powered off). It also uses local login. Chupaka is not saying at all this ...

Jeroen1000

No, if you input 0FBECDE5 directly (if you use it as password instead of 1234), the hash algorithm will hash 0FBECDE5 and not 1234. This would yield, for instance, FBC3B9A2 and FBC3B9A2 does not equal 0FBECDE5. You have the secure storing of a password on one side (by hashing it as I described), and...

Jeroen1000

Chupaka can explain better I think. You can't log in with the hash. It is used for a different purpose. Basically, say my password is 1234 and the hash is 0FBECDE5. You store the hash. Next time someone inputs, lets say 4567. If you hash 4567 you will never ever ever get 0FBECDE5 but for instance 0F...

Jeroen1000

A lot of confusion about this so I'll bottom line it. It is possible. It is NOT overly hard to do. It is considered safe. One thing is, we want the password stored securely (I.E. hashed) and authenticate against this hash. Authentication exists by hashing the password that the user inputs, if the ha...

Jeroen1000

How so? I'm pretty confident you'll not break the current AES encryption any time soon. Current Linux password storing methods are considered quite safe. So I'm a bit surprised about your comment (and that any kind of encryption can be broken easily is just plain untrue, so you must mean something e...

Jeroen1000

It is not always easy to prevent (physical) access.
I'm just saying, in general, it is good pratice to use strong encryption.

The question can easily be stated the other way around: why not use strong encryption?

Jeroen1000

Still using pretty weak encryption anno 2011?

?

Jeroen1000

Because IPV4 addresses are almost depleted? So they have to instead of want to:))

Jeroen1000

I agree they are stable (note I only own 1). Do take notice of some of the threads mentioned. There are some limitations.
I also believe that they are capable of wire speed. I can't test this myself due to limitations on my computers.

Jeroen1000

I believe a physical port on Ros can only either be tagged or untagged. In Linux tagged (virtual) interfaces are eth0.10 or 0.20 for instance, and untagged ones are ethe0:1, eth0:2, etc... Those two 'kinds' of virtual interfaces can exist on the same physical port. This behaviour cannot be achieved ...

Jeroen1000

I have problems with bridging and VLANs. (Router OS 5.0). Ports of a bridge do have their child VLAN interface bridged togeter, even if other ports of the bridge do not have the same VLANs. You mean you group together ports in a bridge that belong to different VLANs? What is the use for doing that?

Jeroen1000

Damn, I was kind of still hoping on LACP Channels and to a lesser extent remote syslog. The first feature does make more sense on a 8 or 24 port switch anyway:).

Jeroen1000

For anyone wondering about this in the feature, here is the answer from support:

CPU freuency and usage is not proportional to throughput, never was and never will
be.
Memory throughput, internal bus speeds, RouterOS configuration also have impact

Jeroen1000

So I set my CPU to 100 MHZ. At that point the router can route + nat about 10 megabit (I can go to about 40). Strangely, the CPU indicates it is being used for about 30%. Same usuage then when it is on 680 MHZ. So I could conclude the CPU is not being maxed out at 100 MHZ but the fact I can only get...

Jeroen1000

How about fixing the discovery protocol while you guys are at it? Take a look here http://forum.mikrotik.com/viewtopic.php?f=17&t=50595

Also will we be able to change the username? Last question, what is 802.1q Tunneling?

Thanks,
Jeroen

Jeroen1000

Nice find actually! I do prefer having a real switch in front of the router now. Makes life so much easier. Routerboards are great though, but they do have their oddities. I'd say you get a lot more than you pay for but at times to many bugs exist.

Jeroen1000

What are you trying to do exactly? Can't figure it out from your post.

Jeroen1000

Owww, I may have been so frightened by my previous "biased" tests I didn't realized something: hardware switching isn't occuring at all unless master-port feature is used, and then occurs only within this defined virtual switch? That is what I make of it, without a master-port every ether...

Jeroen1000

If you can make a setup without the UPNP variable which leaks broadcasts, I'll setup my router the exact same way for verification. I don't think my current setup was a good indication for the switch leaking broadcasts. I just wanted to see whether it worked correctly. In the meantime I propose we t...

Jeroen1000

I'll try to recreate what you are doing when I have some more time. I can't break my current setup now as I have to many other stuff waiting to be done. So, ATM I do not have a master port and stuff. My setup is very very simple actually. I just created 2 VLANs on ether1 (ether1 is a trunk port, the...

Jeroen1000

I'll read this thoroughly. Looks like this may be an issue. Hmm ^^

Seeing I'm not a network specialiast or anything I'll voice some wild guess first thought. It is a bug and UPNP gets enabled on every interface? Can you also get normal broadcast traffic to show up on the TEST interface?

Jeroen1000

Exellently put. I enjoyed reading it! Greg is confused about the order of the chains through which packets travel. It seems he thinks it will hit the input chain first because packets coming from the WAN travel to the public address on the router. And the reason why it does not hit the input chain f...

Jeroen1000

For the rest of your problem, could you present some more information? Ip addresses and your testing secenario would be of a lot of help. I think you are not getting many replies because it is a bit vague. I'm sure we can figure out what is happening.

Jeroen1000

If you read around a bit, you will see that ROS cannot support tagged and untagged frames on the same interface (supposedly a hardware limitation). I practically wrote a book on it here on the forums before support said it could not be done. Read my threads and all this may become a lot clearer (it ...

Jeroen1000

I think I know what Greg's question is now. My penny dropped from reading his last post. The raw socket stuff has indeed little to do with it. I think he wants to know how to filter a WOL packet when forwarding a port (any port) to a host. Greg, is my assumption correct? @fewi, a site called depicus...

Jeroen1000

Sorry for my english. I don't mean wrong as in 'your fault'. I mean I think the rules are simply behaving correctly. If the NAT table is hit first, you might not be able to stop the packet anymore... This tought me everything I know about raw sockets. I fail to see how they are an immediate threat f...

Jeroen1000

After reading up I must conclude a raw socket can only be opened on a host where you have root access. A raw socket indeed bypasses the TCP/IP stack (and perhaps this way you can bypass iptables on the router) but I don't see how this can be done over the internet (unless someone has access to your ...

Jeroen1000

Thanks I'll try that. And I meant forward chain in my previous post. I think I can explain what happens but I'll need to see it first.
So from the outside you mean I can just send a WOL packet from a site like depicus.com?

http://www.depicus.com/wake-on-lan/woli.aspx

Jeroen1000

Then I should find out what a raw packet is also. Can you explain how you test? I want to try this 4 myself...

I do not know how intimate your knowledge with IP Tables is, but packets _not_ destined for the router can be filtered at the input chain (I'm not very good with IP Tables either lolz).

Jeroen1000

I don't quite get your question m8. Could you please explain more clearly? Perhaps a more concrete example would help. I even want to test it for you on my setup. If a connection is initiated from the WAN, the firewall should not allow this traffic (so it should block it) unless you forward specific...

Jeroen1000

Hi,

any word on this yet?

Jeroen1000

I'll post my Q here too, has the VLAN-bug been resolved now (mentioned here)

Jeroen1000

Is the VLAN-bug fixed now? I see no mention of it in the ROS 5.1 changelog.

This bug is fixed. Currently it needs to be tested internally. This issue will be resolved in v5.1.

Jeroen1000

v4.17 (as there is said to be a bug in 5.00 regarding VLANs). It seems to age until 143 seconds on the routerboard. Then the entry disappears. On SwOS I'm using firmware 1.4.

Jeroen1000

Hello,

No, the default IP on the switch has been changed to 192.168.0.251. The Mikrotik Discovery Protocol option has been checked.

I only get to see the switch on my routerboard 450G when I disable and then reenable discovery on its VLAN10 interface (= trunk to the 250GS)

Jeroen1000

This is probably the place to add another request so here goes:

Make the user login name configurable. I'd like to change it from "admin" to something more suitable as per my username/password policy.

Jeroen1000

When I enable this protocol on the correct interface on my RB450G, it finds my 250GS switch. However, the entry for the 250GS ages, and then disappears from the RB450G's neigbor list (this was after > 120 seconds). Isn't the 250GS supposed to send (broadcast?) neighbor messages to the router at some...

Jeroen1000

bug has been mentioned here also: http://forum.mikrotik.com/viewtopic.php?f=2&t=49810

I'm sure there will be a fix. Any time frame on this?

Jeroen1000

macgaiver, I'm not expecting that at all. It is (and probably was, judging from our testing) just not clear that certain setups can be accomplished. The questions are just to match the expected behaviour with the options' description. The main issue at play here is that it is rather hard to get a st...

Jeroen1000

I'm wondering whether we are experiencing the same issue with VLANs and reaching an IP-address on the router. I think this has to do with the /interface ethernet switch rule menu. You list it as issue f: "f, in 4.x series you cannot make rules to switch cpu port, and you can't communicate with ...

Jeroen1000

Willy, are you dutch? I would like to get in contact with you if possible.

Jeroen1000

Darn:-) could you explain your last post? What does this have to do with all of this? I'm very curious as I'm as stuck as stuck can be!

Why would a VLAN have a MAC address?

Jeroen1000

+1 good job!

Jeroen1000

Isn't port membership justs setting a default VLAN-ID? I too am noticing Mikrotik to be rather unsuportive with this:(

FIPtech how VLAN savvy are you? I could use some help determining whether a simple thing is possible:).

Jeroen1000

Can someone explain this issue more clearly please?

Jeroen1000

I've noticed something that has been bothering/driving me a bit mad. I'm not 100% sure but the Mikrotik 250GS switch seems to be based on the same Atheros switch chip that is in the RB450G. However, with Router OS, a very important option appears to be missing. Please read on if you are interested:)...

Jeroen1000

Hi everyone, I've never seen anyone attempt this and together with andrewluck I've been trying to get a wire-speed VLAN working. The "easy" part is setting up the VLAN itself (communication between hosts in the same VLAN). Mikrotik documentation has an example on how to do this. The hard p...

Jeroen1000

====> Discussion going on here I'm "closing" this topic down because it is getting way to complicated to follow. I've made some more advances and pinpointed where things go wrong. I do feel I'm very close to a solution but I have not been able to crack the (hopefully) final piece of the pu...

Jeroen1000

Update: So in the previous post I did: /interface vlan> print Flags: X - disabled, R - running, S - slave # NAME MTU ARP VLAN-ID INTERFACE 0 R VLAN10 1500 enabled 10 ether5 /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.0.250/24 192.16...

Jeroen1000

Hi Andrew, I've got some good news to report. The devices * in VLAN 10 attached to the Cisco switch can now reach the router (and also have internet). What I did was as simple as everything but just a lucky shot to be honest: 1)I created a VLAN 10 (with corresponding VLAN ID 10)on the ether5 interfa...

Jeroen1000

haha so true, being concise is my expertise :D What you said did work though! I must admit I don't yet understand why this works. Does the CPU-port only accept untagged packets? However, to keep it clean I put my IP (192.168.0.251/24) on the trunk port (ether 5). So that's the only IP configured on ...

Jeroen1000

Good idea Andrew, I've had no luck getting everything to work. It's not a very complicated setup. I'll try to explain very clearly, do ask if I'm not doing so :) I've got following devices: 1) A correctly configured Cisco VLAN switch with a VLAN 10 (192.168.0.x) and a VLAN 20. VLAN 20 is special bec...

Jeroen1000

Well yeah, I shouldn't have called it a side-effect lol. However, you can't just put a port in a VLAN with Mikrotik. It is the rule table that decides (by the means of defining rules) where a tagged frame is allowed to go to. Say you have 3 ports on the Mikrotik that are in VLAN 10, lets call these ...

Jeroen1000

Andrew, I've set ether3 as master port and assigned an IP to it. Ether4 and 5, the slave ports, can now communicate with the CPU port (=the IP on the master port). However, as a side effect ether4 can now talk to ether5 without me allowing this. If I would like these ports to behave as in different ...

Jeroen1000

Thanks Andrew, I'll try that. I have made some progress though. It does show some quirky behaviour :lol: /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK BROADCAST INTERFACE 0 192.168.0.240/24 192.168.0.0 192.168.0.255 ether4 /interface ethernet switch rule> print Fl...

Jeroen1000

Yep, I've got a gateway. I can ping between devices on the same network just fine (if I add rules to the rule table to allow this). I just can't ping any IP assigned to the router itself.

I.E. I do not know how to pass packets from the switch logic to the cpu port.

Jeroen1000

Still stuck:(. Does anyone know how to fix this one?

Jeroen1000

I had once(and at the time I thought I shouldn't worry about that), but I'm not at all sure whether it is really needed. I think you can just write rules to allow access to the CPU port. You see, with Mikrotik you need to write a rule to allow one access/untagged port, access to another. That is why...

Jeroen1000

I've found what was wrong. A Nat rule was forwarding all trafic to an internal host. Very stupid of me to overlook this. Oh well, another thing well learned I guess. The reason it takes a while for the issue to turn up after a reboot, is that a script was putting the correct (dynamic) WAN-ip in the ...

Jeroen1000

Oh oh master port? I'll check what it is but I've not tinkered with whathever that is. I only put an IP on ether3-local and tried to reach that:).
So I forgot a vital step if I understand you correctly:-)?

Jeroen1000

I dare not say in all respects. I can access the router from within my LAN. All LAN hosts can reach the internet. There is no high CPU load (on the router). Browsing is very snappy and without lag (on the hosts). So as far as I can tell, every else is normal. The only option left I can personally th...

Jeroen1000

Support is already on this, but perhaps someone has been through this before me. I'm running the Ros v4.17. When I restore my configuration, and the router comes online, I can ping its WAN-ip just fine (I'm pinging it from a workstation to which I connect using Radmin). All of the sudden it stops re...

Jeroen1000

I'm pinging from a computer connected directly to the mikrotik (port ether2-local). I'm having problems pinging any IP on the router itself. But client computers can ping eachother just fine.

And if the clients can't reach the router I can't even manage it apart from using the serial console.

Jeroen1000

Unfortunately, no dice. Must be something wrong with the rules themselves. I wonder what it could be as it all seems to logically fit.

Jeroen1000

I'm sure I rebooted but now I'm not sure I really did. I'll check out the table just to be sure.

Jeroen1000

Hi everyone, I've followed the article about the VLAN-switch chip on the wiki to create a VLAN that can take advantage of the full wire speed the switch chip offers. My VLAN is in essence working however, I cannot ping a single interface on the router. Please take a look at following: /interface eth...

Jeroen1000

Blast, sorry for the posting frenzy but it stopped working after a reboot. If I do not assign the public IP to the WAN interface (ether 5) I cannot ping the routers' WAN IP.

So the question is: why does assigning the public IP to the WAN-BRIDGE cause the router to stop responding to pings?

Jeroen1000

I've deleted my bridge and assigned the WAN IP to my WAN interface instead assigning it to the brigde. Then everything decided to work. I've then recreated the brigde and set everything to what it was when it did not work, except now it does work.

Must be some glitch:-).

Jeroen1000

Me again:) with a semi-bizarre issue. I've gotten my entire configuration working (with quite some help :) ) so I thought it might be useful to be able to manage the router when I'm not home. SSH, WINBOX, ... - you name it - all work as long as I'm in the LAN. But I can't even ping to the WAN IP at ...

Jeroen1000

I too could use some more explanation about the switch chip in my 450G regarding VLANs. Any current plans to expand this section?

Jeroen1000

If the stratum of Windows is 2, it will not accept the Mikrotik as a more reliable source. I had that issue first:). That kind of resolved itself after a reboot (Windows reboot that is). The Mikrotik has stratum 3, and Windows now (correctly) says it has 4. My question is specifically with the large...

Jeroen1000

I've set up NTP-client on my RouterBoard 450G and it is synchronised with a server. Then I installed the NTP-server package and configured it as follows: /system ntp server> print enabled: yes broadcast: no multicast: no manycast: no My Windows client update just fine from the server but I've notice...

Jeroen1000

I'm thinking UPnP is kind of risky. I briefly tried it and couldn'd be bothered to make it work. You are correct about the XBOX 360 not needing a "full DMZ host", I could simply look up the specific ports it uses. However, I've puzzled a script together that appears to be working. It's far...

Jeroen1000

That destination NAT rule forwards all new connections established from the WAN to your WAN interface to 192.168.0.5. It does that by changing the destination IP address from your public IP to 192.168.0.5. At that point the destination IP address is no longer an IP on a router interface, so that tr...

Jeroen1000

Alright :) , I've made some progress. I've determined what part of the config is causing my problem. I wanted to set a game console as DMZ. The problem with this is, is that my WAN interface has a public IP. This IP is dynamic. So I could not specify a destination address for the dstnat chain: Flags...

Jeroen1000

Well, probably it's just me doing something wrong. I have following rules set up: Flags: X - disabled, I - invalid, D - dynamic 0 ;;; Drop invalid connections chain=input action=drop connection-state=invalid 1 ;;; Allow established connections chain=input action=accept connection-state=established 2...

Jeroen1000

Valid points although for (1) the RB450 and RB493 should be able to do this (you can divide the switch chip). Doesn't make all too much sense since port count is pretty low.

and (5) is a really cool option.

Jeroen1000

What features are you missing? if you check out http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features the Atheros8316 seems to be a fully featured switch chip. And I do agree entirely, using the routerboard just for routing (or inter vlan routing) is more powerful yet less complex. I know L3 swi...

Jeroen1000

Glad to hear you got it working. Thanks, just for clarity, my LAN now looks like so: Cable modem -------- (ether 5=WAN) Mikrotik (ether 1 = trunk) ------- -Cisco switch ------- VLAN 10 + VLAN 20 ......................................................(ether 2) ------ 'dumb' switch The ....... are jus...

Jeroen1000

Indeed, just enabling them made everything work. Many thanks for helping me achieve this. Something I found out is, that if you want more ports of the Mikrotik in VLAN 10 (internal lan) you must: 1) create a bridge 2) assign an IP to that bridge 3) assign VLAN 10 to the bridge 4) assign any port you...

Jeroen1000

Darn, I've setup the VLAN thing and no dice. Could you please take a look for potential errors? I had internet access _before_ I configured the VLANs, so most of this works apart from the actual VLAN stuff. On the cisco I put a port in VLAN 10 (access port) with matching PVID 10 and I configured the...

Jeroen1000

Most interesting topic this is. It all looks so easy, in theory. Basically what VLANs are is a way to logically divide up the same hardware so each section acts as it's own independent piece of hardware where one VLAN cannot see or talk to another VLAN. So with an untagged port any traffic leaving t...

Jeroen1000

Continuing my VLAN experiments, I've realised switching will give me full wire speed and bridging won't. Right now, I've got a 4-bay NAS connect and a 20-bay NAS connected to my network. One of both might end up on the MicroTik switch so wire speed will be a real plus when the 4-bay unit is being ba...

Jeroen1000

Thanks Feklar, I'll have lots of fun tinkering with it. Just out of curiosity (you seem to be a VLAN-expert) and not Mikrotik related, what would Cisco mean by this (I hope I'm not bothering you with all these questions) Tx Force untag: when this option is enabled, all egress frames from this port b...

Jeroen1000

Hi Feklar. First of all, thank you for taking the time to type up such an informative reply. I had discovered you explaining this somewhere else too, but I'm not sure I really thoroughly understand what is going on. Thank god I'm starting off relatively simple. I hope you can help me some more on th...

Jeroen1000

Hey everyone, I just got my MikroTik device and I'm very excited. I've just created a WAN-port which asks DHCP from my cable modem (=asking a public IP)and I've assigned the remaining 4 LAN ports to a bridge. My internal 192.168.x.x/24 network is being NATTED just fine. I owe the wiki and forum my t...

Jeroen1000

So we can't brick the unit that way. That's a good thing.

Will it affect the license? There are some posts saying it does, and others saying it does not.

Jeroen1000

Thank you for clearing this up Normis. Is the boodloader present on a seperate chip or is it on the storage NAND also? (I believe bootloaders only take very little space as a fully fledged BIOS is less than 10 MiB). I'm asking because I'm curious and as to what will happen if one opts to format the ...

Jeroen1000

I don't know to answer but a better topic title than "hi" may lead to faster answers.

Jeroen1000

I could be wrong but I've been searching for a good router also so I could give you lots of info but too keep it short, I believe the answer is "NO".

Jeroen1000

HDD is another word for NAND(meaning storage here) then. 1 GiB for the OS

isn't that total overkill? Oh, sorry I didn't connect the HDD to the NAND thing.

Can you find any reference connecting that 64 MB to the bootloader? It would make sense though.

Jeroen1000

@InoX, I can see the SDRAM, 256MB. That's just the system memory as it is used in computers.
But I'm trying to figure out the purpose of both the 512 MB NAND and the 64 MB NAND (both mentioned in the PDF I linked to).

Jeroen1000

Can anyone offer some more information about the other numbers?

Jeroen1000

I'm a bit confused about the spec's:-). Since my unit is just in the mail, I'm what you could call very new:) so I hope I can ask some more questions. In this PDF (http://www.routerboard.com/pricelist/download_file.php?file_id=143) it states "512MB onboard NAND memory chip, microSD card slot (o...

Jeroen1000

Dear community, Are there numbers about the expected LAN - > WAN and WAN -> LAN throughput (NATTED)? I'm looking for at least 100 megabit throughput (well in both directions if fiber to the home takes off). Also, can the switch (grouping 4 ports together) be configured for wire speed? At this moment...

Search found 202 matches