Multiple Routers running WDS - System monitor

How can I access all my MT routers on my network with WinBox?
I can access all routers with Winbox when connected to Repeater1.
But when connected to the Main AP, I can not see any other MT routers on the network and can not ping any of them through Winbox Tools.
Please note, my system is working, running Hotspot on the Main AP with internet working on all my repeaters.

What can I use to notify me when a router or link goes down? What systems do I need in place, UPS, GSM?
I am running long links between farms and need some kind of system monitoring the links.
I have tried the Dude, but also when connected on the AP side of the Main AP, it only discovers my PC.

I need some advice from the guys who know their stuff!
If anyone needs more detail, please let me know.

Main AP
WLAN1 10.0.0.3 ( Back Bone to DSL Modem )
WDS - Bridge 10.5.50.0 ( To Clients and Repeaters running WDS ) Bridge/AP Mode
WLAN2 - 192.168.0.1

Repeater 1
WLAN1 - ( WDS Station )
WLAN2 - ( WDS Dynamic ) Bridge/AP Mode
WDS-Bridge - 10.5.50.200

Repeater 2
WLAN1 - ( WDS Station )
WLAN2 - ( WDS Dynamic ) Bridge/AP Mode
WDS-Bridge - 10.5.50.201

blignaut -

First - why are you using bridge and WDS - this looks perfect for a statically routed setup…

On to the issue at hand…where is the hotspot ‘controller’ - AP1? Or did you setup a Hotspot on each AP?

How did you connect to AP1 - Wlan x? or via ethernet?

The reason you can see everything from the middle (repeater) is because of the bridge/wds. Why you can’t see anything from AP1 will depend on how you connect to AP1 - and various other factors like NAT and routes. We’ll need a more complete export of your AP1 setup to determine what you need to do. That will include IP address, Routes, Firewall NAT & filter. That should be sufficient…

As to your actual setup - using a UPS at each location is always smart. Monitoring - DUDE does a decent job, is easy to set up (once your network is properly set up). I use Cacti - but then I run a couple of hundred APs across several hundred miles so…

If it were me - I’d look to setting up a routed network, whether you use static, BGP, OSPF, MPLS or some flavor combination of the aforementioned - routing is really going to be your best solution.

R/

Galaxynet

Thanks for your support. Honestly, I have very limited knowledge of Mikrotik and would like to know more.
I will post screenshots of my setup for you. I have difficulty understanding the Firewall concept.

  1. Hotspot is set up on AP1
  2. I have connected to AP1 thru the wireless side, WLAN2 (running Hotspot)

Thanks
Blignaut

blignaut -
It would be better if you posted either ‘printouts’ or exports of the aforementioned sections…

While in winbox - left hand menu - New Terminal, click on that… When the window opens, make it ‘full size’ by dragging the corners or double clicking on the top blue bar for that window.

/ip address print [enter]
OR
/ip address export [enter]

use one of the two methods above and get:

/ip address
/ip route
/ip route rule
/ip firewall nat
/ip firewall filter

might as well dump your hotspot config as well -
I believe it is:
/ip hotspot server
/ip hotspot server profile

Well, get what you can - the manual can help you here too - just look for the sections of interest - hotspot, IP address, etc. That will show you the command line version of the Winbox ‘commands’.

Once you get the print out or export - just copy and paste into your favorite text editor; once you get all the ‘stuff’ you can copy and paste into the forum here…

R/

[admin@MainTower] ip> address export

sep/25/2008 16:30:25 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip address
add address=192.168.2.1/24 network=192.168.2.1 broadcast=192.168.2.255 interface=ether2 comment="" disabled=no
add address=192.168.3.1/24 network=192.168.3.0 broadcast=192.168.3.255 interface=ether3 comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no
add address=10.0.0.3/24 network=10.0.0.0 broadcast=10.0.0.255 interface=wlan1 comment="" disabled=no
add address=10.5.50.0/24 network=10.5.50.1 broadcast=10.5.50.255 interface=wds-bridge comment="" disabled=no


[admin@MainTower] ip> route export

sep/25/2008 16:31:50 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.0.2 distance=1 scope=255 target-scope=10 comment="" disabled=no
[admin@MainTower] ip> firewall export

sep/25/2008 16:32:20 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip firewall nat
add chain=srcnat action=masquerade out-interface=wlan1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade out-interface=wlan2 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=masquerade src-address=10.1.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.5.50.1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=accept src-address=192.168.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
/ ip firewall filter
/ ip firewall service-port
set ftp ports=21 disabled=no
set tftp ports=69 disabled=no
set irc ports=6667 disabled=no
set h323 disabled=yes
set quake3 disabled=no
set gre disabled=yes
set pptp disabled=yes
/ ip firewall connection tracking
set enabled=yes tcp-syn-sent-timeout=5s tcp-syn-received-timeout=5s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-close-wait-timeout=10s tcp-last-ack-timeout=10s tcp-time-wait-timeout=10s tcp-close-timeout=10s udp-timeout=10s udp-stream-timeout=3m icmp-timeout=10s generic-timeout=10m tcp-syncookie=no

[admin@MainTower] ip firewall> nat export

sep/25/2008 16:33:58 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip firewall nat
add chain=srcnat action=masquerade out-interface=wlan1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade out-interface=wlan2 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=masquerade src-address=10.1.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no
add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.5.50.1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
add chain=srcnat action=accept src-address=192.168.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no
[admin@MainTower] ip firewall> filter export

sep/25/2008 16:34:20 by RouterOS 2.9.51

software id = KHG5-PTT

[admin@MainTower] ip hotspot> export

sep/25/2008 16:35:48 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip hotspot
add name="hotspot1" interface=wds-bridge address-pool=hs-pool-6 profile=hsprof1 idle-timeout=5m keepalive-timeout=none addresses-per-mac=2 disabled=no
/ ip hotspot service-port
set ftp ports=21 disabled=no
/ ip hotspot profile
set Default name="Default" hotspot-address=10.5.50.1 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
add name="hsprof1" hotspot-address=10.5.50.1 dns-name="www.ficksburgbroadband.co.za" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap,https,http-pap http-cookie-lifetime=5m ssl-certificate=none split-user-domain=no use-radius=yes radius-accounting=yes radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id="" radius-location-name=""
/ ip hotspot user

/ ip hotspot user profile
set default name="default" idle-timeout=none keepalive-timeout=2m status-autorefresh=1m shared-users=2 transparent-proxy=yes open-status-page=always advertise=no
add name="uprof1" idle-timeout=none keepalive-timeout=none status-autorefresh=1m shared-users=1 transparent-proxy=no
/ ip hotspot walled-garden
add dst-host=www.standardbank.co.za action=allow comment="" disabled=no
add server=hotspot1 method=tcp dst-host=10.0.0.3 dst-port=8291 action=allow comment="" disabled=yes
/ ip hotspot walled-garden ip
add dst-address=10.5.50.1 protocol=tcp dst-port=8291 action=accept comment="" disabled=no


[admin@MainTower] ip hotspot profile> export

sep/25/2008 16:36:54 by RouterOS 2.9.51

software id = KHG5-PTT

/ ip hotspot profile
set Default name="Default" hotspot-address=10.5.50.1 dns-name="" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap http-cookie-lifetime=3d split-user-domain=no use-radius=no
add name="hsprof1" hotspot-address=10.5.50.1 dns-name="www.ficksburgbroadband.co.za" html-directory=hotspot rate-limit="" http-proxy=0.0.0.0:0 smtp-server=0.0.0.0 login-by=cookie,http-chap,https,http-pap http-cookie-lifetime=5m ssl-certificate=none split-user-domain=no use-radius=yes radius-accounting=yes radius-interim-update=received nas-port-type=wireless-802.11 radius-default-domain="" radius-location-id="" radius-location-name=""
[admin@MainTower] ip hotspot profile>

blignaut -

Go to the hotspot section of your post above - remove the username and passwords - you can do it by editing your post…

R/

Thom

Tom

Any Update or Advice on my Problem

Thanks
Blignaut

blignaut -
Working on it… You have sort of a mess there.

I see you are using AP1 as the hotspot ‘controller’ for that entire network. Was that your intention or just the way things ended up? Do you want a separate Hotspot Controller on each AP OR (read the next paragraph)?

It is entirely possible to use Usermanager and Hotspot to set up a basic system with a Hotspot on each AP and a single Usermanager to authenticate each user against - you will also be able to set limits for your users in Usermanager. It depends on the license level of the Usermanager system (level 4 handles 50 I believe, lvl 5 is like 200, and lvl 6 is unlimited…) - you’ll have to search the forum to make sure but I think that’s it… So before you decide you need to think about how many users now and in future on that network and how much $$ to spend getting there.

I’ll need to know what you want to do so I know where to point you to get this straightened out.

As to right now - I quoted below what you posted above and numbered them so I can comment by number…

  1. add chain=srcnat action=masquerade out-interface=wlan1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no

  2. add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no

  3. add chain=srcnat action=masquerade out-interface=wlan2 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no

  4. add chain=srcnat action=masquerade src-address=10.1.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no

  5. add chain=srcnat action=masquerade src-address=10.5.50.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="masquerade hotspot network" disabled=no

  6. add chain=srcnat action=masquerade src-address=10.0.0.0/24 dst-address=10.5.50.1 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no

  7. add chain=srcnat action=accept src-address=192.168.0.0/24 src-port=0-65535 dst-port=0-65535 protocol=tcp comment="" disabled=no

Rule 1, this src-nats or masquerades EVERYTHING going out WLan1 to WLan1’s IP address - 10.0.0.3

Rule 2 - this will src-nat / masquerade the network 10.5.50.0/24 to 10.0.0.3 as well but probably never gets executed because of rule 1, being ahead of it and so gets executed first.

Rule 3 - not sure what you are trying to do here… This src-nat’s / masq everything leaving WLan2 to WLan2’s IP address - I do not know why you would want to do this. It is the reason you can’t see the rest of your network when connected to Wlan 2 - the hotspot on AP1 the main AP.

Rule 4 - what is this for?

Rule 5 - this is the same as rule 2…

Rule 6 - I know what this does but can’t fathom why you would have such a rule… There is no need for it.

Rule 7 - what are you hoping to accomplish with this rule? This does nothing except allow (accept) a src-address of 192.168.0.0/24 - it does nothing to it otherwise…

Ok blignaut - you have some thinking and reading to do…let me know what you’d like to do and we’ll try and get you pointed that way…

R/

Thom

Thanks Tom

What are the pros and cons of running multiple Hotspot servers, or one server?
I think I have a Level 4 Licence and 50 users is OK for now.

My link is running to the farms from router A thru B thru C thru D, so what is most reliable?

What rules can I delete for now to keep only my Hotspot running?

What is the function of masquerade?

Thanks for helping me with your knowledge

Blignaut

blignaut -

Pros and cons - Pros for Usermanager and Hotspot together - one place to add/delete/disable users. Accounting stats are available and you can get reports of users’ usage based on criteria you select.
Cons - more than 50 users requires a higher license level $$, requires some knowledge of routing and VPN setup (easy stuff). It does tax the CPU some - so you can’t use, say, an RB133 or an RB112, but an RB500 or 400 series should do fine.


Rather than remove the rules - disable 2 - 7. Try it out to make sure everything is working… After a day or so then remove those rules.

Masquerade is a special form of src-nat (nat = network address translation). In a straight src-nat you have a src IP and you nat that to a specific IP as it leaves an interface…

Masquerade src-nats a packet according to the interface it leaves (and can decide on this if you also specify a src IP address (like 10.x.x.x) which to masq). This is especially helpful for dynamically supplied IP to WAN (Internet) interfaces… There are helpers that work for masq to facilitate VPN and other special protocols as well (included in masq service). Read the manual - it has a little more explanation about the difference between src-nat and masq.

R/
Thom

Thanks Tom

I am running an RB 532 at my Main AP. What setup are we going with?
I will disable the rules from 2 to 7 and see what happens.

Thanks
Blignaut

blignaut -
might be better if you contact me directly off forum…that way we don’t clutter up the forum with little notes… You can post what you did after we’re done - that will help other folks when they go looking for answers…

RB532A - is that the one w/32mb of memory? That may not be enough to run it… we can try. Let’s see, you’ll NOT need routing-test, or any other test packages, but you will need the non-test packages. So if you have, say, routing-test enabled, then disable it and enable the ‘regular’ routing package, then restart the router… You’ll probably need to download and install Usermanager. Be sure that your ROS is the same version as Usermanager. I think you mentioned ROS 2.9.51, so be sure you get Usermanager with the same version number… 2.9.51

R/

Thom

blignaut -

Bump…

Are you going to continue the discussion?

R/

Thom

Hi Tom

I have disabled the following rules: 1, 3 - 7. Everything is still working fine.
What is the next step?

Thanks
Blignaut

Tom

I have updated my router with the Complete Package 3.14.

I have the 532A with 64Mb Memory.
What RB should I use at the main AP and for the repeaters to keep the cost of the repeaters down?
What solar equipment do I need to run the repeater, 1 x 35Watt panel, regulator and 12 V batt?
Running Hotspot, can someone still access a printer @ 10.5.50.100 if you are connected at 10.5.50.20 without putting in your username and password?

Sorry for all the stupid Questions
Thanks
Blignaut

Hi Tom

I can see my Routers now , but getting this error on Mac Access 20561 and on IP I get Port 80 Problem.

Thanks for your Advice

Blignaut

Blignaut -

Answering via email…

R/
Thom

Blignaut - Tried to answer via email - the email got returned…


Well let’s first try some filtering to get your bandwidth under control and then we’ll get to the rest of it…

Everything here is in Winbox. I generally start with a ’ / ’ to indicate a menu item on the left hand menu of Winbox, the ‘commands’ after that are the menu item, and any sub item, and/or ‘tab’ in the window that pops up once the menu item is selected. Generally - if the entire word is CAPITALIZED then it is the name of something and that means an action on your part to usually change this to the appropriate name.

First: /bridge, ‘settings’ button, click this, now click on Use IP Firewall - a check mark should appear. Say ‘Ok’.

Ok - to start - let’s do some filters.

/ip firewall filter(tab).
‘+’ to add new ones
add - src-addr= your network 10.5.50.0/24 (I believe that is your current network) in-interface=bridge (your bridge interface name) P2P=all, Action Tab, action=drop
This rule will drop ALL Point-to-Point protocols like WAREZ, Limewire, Rhapsody, Rapidshare, etc. That should help you right away.



Next you need to figure out what protocols you are willing to let run on your system. You have to have DNS (port 53), most likely you’ll need http-80, https-443, pop-110, smtp-25/587, ftp-21, ntp-123, snmp-161 & 162, ssh-22, winbox-8291 (TCP). There are a lot of other protocols - so you need to do a little research to find the ones you want to allow besides the short list I put here… A couple of rules to set up some chains first - but these are after the above rule for P2P dropping.
The below is loosely based on this wiki article; http://wiki.mikrotik.com/wiki/Dmitry_on_firewalling I made the below one short and to the point. You will want to study this wiki (and the others) on Firewalling with MT.

I recommend that you add each of these rules and have them entered in - in a disabled state. That way you can turn them all on at once.


chain=forward src-addr=YOUR NETWORK in-interface=BRIDGE connection-state=established action(tab) action=accept
chain=forward src-addr=YOUR NETWORK in-interface=BRIDGE connection-state=related action(tab) action=accept
Allow established and related connections


chain=forward src-addr=YOUR NETWORK protocol=tcp in-interface=YOUR BRIDGE action(tab) action=jump jump-target=tcp
all the tcp type requests will go through this branch.

chain=forward src-addr=YOUR NETWORK protocol=udp in-interface=YOUR BRIDGE action(tab) action=jump jump-target=udp
all udp will go through this chain




TCP Chain

chain=tcp protocol=tcp src-port=1024-65535 dst-port=53 action(tab) action=accept
chain=tcp protocol=tcp src-port=1024-65535 dst-port=80 action(tab) action=accept
chain=tcp protocol=tcp src-port=1024-65535 dst-port=25 action(tab) action=accept
now continue with all the TCP type protocols you want to let your clients use.
chain=tcp src-addr=YOUR NETWORK in-interface=BRIDGE connection-state=new action(tab) action=accept
chain=tcp action(tab) action=drop Here we drop any TCP services we did not allow…

UDP chain
chain=udp protocol=udp src-port=1024-65535 dst-port=53 action(tab) action=accept
chain=udp protocol=udp src-port=1024-65535 dst-port=123 action(tab) action=accept
now continue with all the UDP type protocols you want to let your clients use.
chain=udp src-addr=YOUR NETWORK in-interface=BRIDGE connection-state=new action(tab) action=accept
chain=udp action(tab) action=drop Here we drop any UDP services we did not allow…


Ping - allow
chain=forward protocol=icmp action(tab) action=accept

Now to drop anything that made it through that we don’t want…
chain=forward action(tab) action=drop




FROM THE FORUM:

Tom

I have updated my router with the Complete Package 3.14.

I have the 532A with 64Mb Memory.
What RB should I use at the main AP and for the repeaters to keep the cost of the repeaters down?
RB433AH probably when you need to add new ones… At the main AP - as soon as you can afford it, swap the 532 for a RB433AH - they are about 10 times faster than the RB532.
What solar equipment do I need to run the repeater, 1 x 35Watt panel, regulator and 12 V batt?
I don’t know what your solar conditions are where you reside…you need at least (typically) twice the wattage that your equipment draws - so for RBs (not the 1000) 40 watts should be good for one RB. You also need a regulator that will maintain your battery output at 12vdc - and will turn off if the battery voltage drops below 11vdc (to keep your battery from being destroyed). Your batteries will also have to be ‘deep cycle’ type batteries to withstand the constant charging/discharging. You also need the ‘input’ or charging regulator as you already mentioned.
Running Hotspot, can someone still access a printer @ 10.5.50.100 if you are connected at 10.5.50.20 without putting in your username and password?
I don’t know… Right now with your hotspot setup the way it is (from what I can tell) you probably have to do that. When we get everything through the Usermanager/Hotspot and routed instead of bridged, I believe we can use MAC authentication, no username or password required, it will then depend on where those two units are (same AP or different AP). I would personally not plan on having that capability - more than likely you’ll need to set up a site to site VPN connection for that to happen, if it can be done, there is also ‘Internet printing’, using the shared printing feature in Windows that well may work for you…
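Both of Thom's technical points in this thread, the srcnat analysis (rule 1 catching everything out wlan1 so rule 2 never runs, rule 7 only accepting) and the forward/tcp/udp filter layout in the last post, come down to the same mechanic: RouterOS walks a chain top to bottom and the first matching rule decides. The script below is an added example, not code from the thread or from MikroTik, that models that walk so a ruleset can be checked offline before it is pasted into a router. It encodes the seven quoted srcnat rules and the posted filter design with YOUR NETWORK and BRIDGE assumed to be 10.5.50.0/24 and wds-bridge; the P2P matcher is left out because it needs RouterOS's protocol classifier, connection state is taken from each constructed packet rather than tracked, and the names `Packet`, `Rule`, `evaluate`, `nat_verdict` and `filter_verdict` are mine.

```python
# Added example, not from the thread: a first-match evaluator that imitates how
# RouterOS walks /ip firewall chains.  Connection state is read from the packet
# (no conntrack), and the post's P2P matcher is omitted (it needs the classifier).
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    proto: str                      # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    in_iface: str = ""
    out_iface: str = ""
    state: str = "new"              # conntrack state: new/established/related/invalid


@dataclass
class Rule:
    chain: str
    action: str                     # accept, drop, masquerade or jump
    src_address: Optional[str] = None
    dst_address: Optional[str] = None
    protocol: Optional[str] = None
    dst_port: Optional[range] = None
    src_port: Optional[range] = None
    in_interface: Optional[str] = None
    out_interface: Optional[str] = None
    connection_state: Optional[str] = None
    jump_target: Optional[str] = None
    disabled: bool = False

    def matches(self, p: Packet) -> bool:
        """Unset matchers are wildcards; every matcher that is set must agree."""
        return all((
            self.src_address is None or ip_address(p.src) in ip_network(self.src_address),
            self.dst_address is None or ip_address(p.dst) in ip_network(self.dst_address),
            self.protocol is None or self.protocol == p.proto,
            self.dst_port is None or (p.dst_port is not None and p.dst_port in self.dst_port),
            self.src_port is None or (p.src_port is not None and p.src_port in self.src_port),
            self.in_interface is None or self.in_interface == p.in_iface,
            self.out_interface is None or self.out_interface == p.out_iface,
            self.connection_state is None or self.connection_state == p.state,
        ))


def evaluate(rules, chain, p):
    """(verdict, index of the rule that fired) for the first match in `chain`.
    A jump target that ends without a terminal action hands control back to the
    parent chain, as RouterOS does; if nothing fires the verdict is "passthrough"."""
    for idx, r in enumerate(rules):
        if r.disabled or r.chain != chain or not r.matches(p):
            continue
        if r.action == "jump":
            verdict, hit = evaluate(rules, r.jump_target, p)
            if verdict != "passthrough":
                return verdict, hit
            continue
        return r.action, idx
    return "passthrough", None


HIGH = range(1024, 65536)           # the post's src-port=1024-65535

# The seven srcnat rules quoted in the thread; index 0..6 is Thom's rule 1..7.
# Their src-port/dst-port=0-65535 matchers are wildcards and are left out.
NAT_RULES = [
    Rule("srcnat", "masquerade", out_interface="wlan1", protocol="tcp"),
    Rule("srcnat", "masquerade", src_address="10.5.50.0/24", protocol="tcp"),
    Rule("srcnat", "masquerade", out_interface="wlan2", protocol="tcp"),
    Rule("srcnat", "masquerade", src_address="10.1.0.0/24", protocol="tcp"),
    Rule("srcnat", "masquerade", src_address="10.5.50.0/24", protocol="tcp"),
    Rule("srcnat", "masquerade", src_address="10.0.0.0/24", dst_address="10.5.50.1/32", protocol="tcp"),
    Rule("srcnat", "accept", src_address="192.168.0.0/24", protocol="tcp"),
]


def nat_verdict(p):
    return evaluate(NAT_RULES, "srcnat", p)


def filter_rules(network, bridge):
    """The forward/tcp/udp layout from the last post, YOUR NETWORK and BRIDGE filled in."""
    net = dict(src_address=network, in_interface=bridge)
    return [
        Rule("forward", "accept", connection_state="established", **net),
        Rule("forward", "accept", connection_state="related", **net),
        Rule("forward", "jump", protocol="tcp", jump_target="tcp", **net),
        Rule("forward", "jump", protocol="udp", jump_target="udp", **net),
        Rule("tcp", "accept", protocol="tcp", src_port=HIGH, dst_port=range(53, 54)),
        Rule("tcp", "accept", protocol="tcp", src_port=HIGH, dst_port=range(80, 81)),
        Rule("tcp", "accept", protocol="tcp", src_port=HIGH, dst_port=range(25, 26)),
        Rule("tcp", "accept", connection_state="new", **net),   # posted ahead of the drop
        Rule("tcp", "drop"),
        Rule("udp", "accept", protocol="udp", src_port=HIGH, dst_port=range(53, 54)),
        Rule("udp", "accept", protocol="udp", src_port=HIGH, dst_port=range(123, 124)),
        Rule("udp", "accept", connection_state="new", **net),   # posted ahead of the drop
        Rule("udp", "drop"),
        Rule("forward", "accept", protocol="icmp"),
        Rule("forward", "drop"),
    ]


FILTER_RULES = filter_rules("10.5.50.0/24", "wds-bridge")   # assumed values


def filter_verdict(p):
    return evaluate(FILTER_RULES, "forward", p)
```

Feeding constructed packets through `nat_verdict` and `filter_verdict` shows three things the posts state only in prose or not at all: a hotspot client's TCP packet leaving wlan1 fires rule 1 and never reaches the identical-looking rule 2; because every one of the seven srcnat rules carries protocol=tcp, a UDP packet (DNS, for instance) leaving wlan1 matches none of them and goes out untranslated; and in the posted filter layout the connection-state=new accept in each sub-chain sits before the drop, so a new TCP connection from the network to a port that has no accept rule is still accepted by that catch-all, and the drop only sees traffic the earlier rules did not claim (invalid-state packets, or traffic from outside the network that falls to the final forward drop).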