Community discussions

MikroTik App
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Need Help keeping the peace at home

Fri Aug 24, 2018 4:49 am

My problem is lte is the only thing available to me for internet. My kids like to play games online and watch youtube hours on end. My wife streams music and video alot and is taking online classes. I have two lte modems at this time, because one wont handle my wife and kids. Ive tried the load balance route but my kids end up stealing all available bandwidth. So i was woundering if i can set up my RB3011 as three seperate routers so to speak. Have a network for the boys 192.168.2.0  with there own lte modem. And 2nd network for adults 192.168.3.0 when own lte modem no cross talk between those to networks. Then i would like one more 192.168.1.0 where the other two can see for printer and small server. Is this possible? If so can anyone help me?. Heres a quick drawing. Router right now is setup fo one network.

Thank you

David

Image

Sent from my LG-LS777 using Tapatalk

 
mducharme
Trainer
Trainer
Posts: 983
Joined: Tue Jul 19, 2016 6:45 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 5:04 am

Before you adopt this scheme (since it would be more complicated), have you tried the new kid control feature under IP->Kid Control? You can add the devices for your kid and give them a rate limit, that way they can't use all of the bandwidth.

What you want is possible, but is a bit more complicated to set up. I suggest the Kid Control feature only because it may accomplish your goal without making your setup more complicated.
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 5:13 am

I have, my only problem is the conection and vary from 2m to 20m. When i get 20 no problem but in the evenings when the cell tower gets load speed drops and thats when we start having problems.

Sent from my LG-LS777 using Tapatalk

 
mducharme
Trainer
Trainer
Posts: 983
Joined: Tue Jul 19, 2016 6:45 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 5:29 am

I have, my only problem is the conection and vary from 2m to 20m. When i get 20 no problem but in the evenings when the cell tower gets load speed drops and thats when we start having problems.
You'll need three different VLANs on your bridge - set the PVID for each bridge port to place those on the correct VLAN, and the VLAN interfaces to Interface-VLAN to assign the IPs. Assign the IPs to the VLAN interfaces and set up DHCP servers on each VLAN interface. Once you are done, enable safe mode and enable VLAN filtering by going to Bridge->bridge->VLAN tab and checking "VLAN filtering". If something was missed (and I might have missed something) then you may lose connectivity to the device at this point, which is why I would recommend enabling safe mode just in case. The VLAN setup won't take effect until you enable VLAN filtering.

You might need to adjust firewall and NAT rules as well to support the three different networks.

I would get that working first, and then worry about the routing part. For the routing, you will need to set up policy based routing, by adding a different default route that goes out the second LTE modem (with routing mark set to "kids") and then create a mangle rule that takes any packets from the kids network and sets routing mark kids, to force them out the second connection.
Last edited by mducharme on Fri Aug 24, 2018 7:44 am, edited 1 time in total.
 
mkx
Forum Guru
Forum Guru
Posts: 4346
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 7:37 am

Alternative to the VLAN based setup described by @mducharme would be to use more bridges inside RB (one per LAN) and to assign ether ports to each of bridge according to LAN of which connected devices should be part. There are a few reasons to choose this approach over VLAN based and vice versa:
  • VLAN based approach allows to keep using HW offload if VLAN operations (tagging and untagging) are configured directly on switch chip. If these operations are configured on bridge (this is the intended way on ROS greater than 6.41), HW offload is not possible which might reduce intra-LAN throughput on RBs with weaker CPUs
  • bridge based approach only allows HW offload on only one bridge (or, in case of RB3011 with its two switch chips, two bridges if ether ports are distributed between bridges according to hardware layout, consult RBs block diagram). Compared to using VLANs this may proove to be better anyway (see previous bullet)
  • VLAN based approach offers better flexibility of placing different devices to their LAN segment if one uses separate VLAN capable switches. Example: if there are two devices co-located, belonging to two different LANs, with VLAN based setup single UTP cable can be used to connect both to main router (a smart switch is needed at that location as well). Port based setup requires one UTP per LAN on each device location (and use of several dumb switches, one per LAN, in case of plenty devices at remote location)
  • when thinking about WiFi, VLAN based approach has advantage. On APs one can configure virtual AP with separate SSID and security profile and with different VLAN on the wired side of AP. Thus single AP device per location can offer wireless access to many LAN segments.
If physical network setup is really simple star with your RB in centre, then port-based setup might be better. If, on the other hand, physical setup is not as simple, VLAN based setup would be better due to higher flexibility. It is sligtly more complex to setup though.
BR,
Metod
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 3:33 pm

I setup using three bridges and 3vlan point to the bridges set some firewall rules and every network is seperate from the next. Internet work just to network assigned:) but print and server can not be access from kids or adults. And i got kicked from router before i could save and download rsc file. How do i get back on so i can make a rsc file and post on here?

Sent from my LG-LS777 using Tapatalk

 
mkx
Forum Guru
Forum Guru
Posts: 4346
Joined: Thu Mar 03, 2016 10:23 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 3:57 pm

Try to use WinBox with it's ability to connect via MAC.
BR,
Metod
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Fri Aug 24, 2018 4:08 pm

Tried not working for me, i can see the router but can not connect. I can connect to the cap lites i have. So it the router not winbox.


I got a console cable from a friend, was able to save file. Here it is,
You do not have the required permissions to view the files attached to this post.
 
mducharme
Trainer
Trainer
Posts: 983
Joined: Tue Jul 19, 2016 6:45 pm

Re: Need Help keeping the peace at home

Mon Aug 27, 2018 8:30 am

Tried not working for me, i can see the router but can not connect. I can connect to the cap lites i have. So it the router not winbox.
Your config looks OK to me, unless I missed something. Have looked at it a few times. As long as you are plugged into the router itself on one of the ports that is on the "Admin" bridge you should be able to log in. Is the MAC address set on the admin bridge the same as the MAC for one of the ports on the bridge, like ether2? This is normally the case.
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Mon Aug 27, 2018 3:47 pm

Thank you for looking it over turns out i need to move my firewall rules and everything started to work. Also cleaned it up a little and only using two networks instead of three. Ill post the setup after i get some sleep

Sent from my LG-LS777 using Tapatalk

 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Tue Aug 28, 2018 3:54 am

# aug/27/2018 13:59:22 by RouterOS 6.42.7
# software id = 9MJQ-81B3
#
# model = RouterBOARD 3011UiAS
# serial number = 783E08F90914
/caps-man channel
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2412 name=2412
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2437 name=2437
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2462 name=2462
add band=2ghz-b/g/n control-channel-width=20mhz frequency=2472 name=2472
/interface bridge
add admin-mac=CC:2D:E0:27:C8:59 auto-mac=no comment=defconf name=Adult
add fast-forward=no name=Kids
/interface ethernet
set [ find default-name=ether2 ] comment=NightHawk
/interface vlan
add interface=ether1 name=Sxt vlan-id=200
add interface=ether1 name=vlan10 vlan-id=10
/caps-man datapath
add bridge=Kids name=Kids
add bridge=Adult name=Adult
/caps-man security
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Kids
add authentication-types=wpa2-psk encryption=aes-ccm,tkip name=Adults
/caps-man configuration
add channel.frequency="" datapath=Huizenga hide-ssid=yes mode=ap name=\
add datapath=Kids mode=ap name=Kids security=Kids ssid=Kids
add datapath=Adult mode=ap name=Adults security=Adults ssid=Adults
/interface list
add comment=defconf name=WAN
add comment=defconf name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=Adults ranges=192.168.1.110-192.168.1.254
add name=Kids ranges=192.168.2.2-192.168.2.254
/ip dhcp-server
add address-pool=Adults disabled=no interface=Adult name=defconf
add address-pool=Kids disabled=no interface=Kids name=dhcp1
/caps-man manager
set enabled=yes
/caps-man provisioning
add action=create-dynamic-enabled master-configuration=Adults name-format=\
prefix-identity slave-configurations=Kids
/interface bridge port
add bridge=Adult comment=defconf interface=ether3
add bridge=Adult comment=defconf interface=ether4
add bridge=Kids comment=defconf interface=ether5
add bridge=Adult comment=defconf interface=ether6
add bridge=Adult comment=defconf interface=ether7
add bridge=Kids comment=defconf interface=ether8
add bridge=Kids comment=defconf interface=ether9
add bridge=Adult comment=defconf interface=ether10
add bridge=Adult comment=defconf interface=sfp1
add bridge=Adult interface=ether1
add bridge=Adult interface=vlan10
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface list member
add comment=defconf interface=Adult list=LAN
add interface=Sxt list=WAN
add interface=ether2 list=WAN
add interface=Kids list=LAN
/ip address
add address=192.168.1.1/24 comment=defconf interface=Adult network=\
192.168.1.0
add address=192.168.2.1/24 interface=Kids network=192.168.2.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=Sxt
add dhcp-options=hostname,clientid disabled=no interface=ether2
/ip dhcp-server lease
add address=192.168.1.10 client-id=1:6c:3b:6b:eb:51:e2 mac-address=\
6C:3B:6B:EB:51:E2 server=defconf
add address=192.168.1.11 client-id=1:64:d1:54:ff:d6:6b mac-address=\
64:D1:54:FF:D6:6B server=defconf
add address=192.168.1.104 client-id=1:3c:2a:f4:5:a:cb mac-address=\
3C:2A:F4:05:0A:CB server=defconf
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1 netmask=24
add address=192.168.2.0/24 gateway=192.168.2.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.1.1 name=router.lan
add address=8.8.8.8 name=8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
"defconf: accept established,related,untracked" connection-state=\
established,related,untracked
add action=accept chain=forward dst-address=192.168.1.104 src-address=\
0.0.0.0/0
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
in-interface-list=!LAN
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
connection-state=established,related
add action=accept chain=forward comment=\
"defconf: accept established,related, untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN
add action=drop chain=forward dst-address=192.168.1.0/24 src-address=\
192.168.2.0/24
add action=drop chain=forward dst-address=192.168.2.0/24 src-address=\
192.168.1.0/24
/ip firewall mangle
add action=mark-routing chain=prerouting new-routing-mark=Adults passthrough=\
yes src-address=192.168.1.0/24
add action=mark-routing chain=prerouting new-routing-mark=Kids passthrough=\
yes src-address=192.168.2.0/24
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN
/ip route
add distance=1 gateway=192.168.5.1 routing-mark=Adults
add distance=1 gateway=192.168.10.1 routing-mark=Kids
/system clock
set time-zone-name=America/New_York
/system ntp client
set enabled=yes primary-ntp=45.79.111.167 secondary-ntp=45.79.111.114
/system routerboard settings
set auto-upgrade=yes baud-rate=9600 silent-boot=no
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
 
Itmonkee
just joined
Posts: 4
Joined: Tue May 15, 2018 10:29 am

Re: Need Help keeping the peace at home

Fri Aug 31, 2018 2:12 pm

My problem is lte is the only thing available to me for internet. My kids like to play games online and watch YouTube hours on end. My wife streams music and video alot and is taking online classes. I have two lte modems at this time, because one wont handle my wife and kids. Ive tried the load balance route but my kids end up stealing all available bandwidth. So i was wondering if i can set up my RB3011 as three seperate routers so to speak. Have a network for the boys 192.168.2.0  with there own lte modem. And 2nd network for adults 192.168.3.0 when own lte modem no cross talk between those to networks. Then i would like one more 192.168.1.0 where the other two can see for printer and small server. Is this possible? If so can anyone help me?. Heres a quick drawing. Router right now is setup fo one network.

Thank you

David

Image

Sent from my LG-LS777 using Tapatalk
This is just an observation and I thought I might offer a suggestion with regards to your issue and to propose a more simpler setup. The current configuration sure sounds like the problem I was having, wife has 2 devices streaming and works from home, kids have at least 3-4 devices streaming, and I'm just trying to use the Internet for either personal or business related stuff. The proposed solution you had seems to be a bit more complicated than it should be. Instead use 1 subnet, and begin to get more familiar with Quality of Service (QOS) as this is what it was made for. Get another sheet of paper, write a list of 1 - 8 and figure out what is critical and what is not critical. From here, start by making all Inbound / Outbound Forward traffic as Priority 8. Once this has been done, then start implementing rules that show what each type of traffic should have with the selected Priority Level. I have put together a list of P1 - P7 of how I have mine setup and has worked wonders, nothing like "Making The Network Great Again!" Please keep in mind, what you do to one direction, you must do the same to the other direction; as in if the VoIP traffic is set as P1 Inbound Forward you must set the VoIP Outbound Forward as a P1. I have also posted a link at the bottom from a website that talks about and gives a great example of where to start on QoS'ing your network, believe it or not, you will enjoy messing with the QoS Stuff.

Up/Down Forward Traffic
P1 - UDP - VoIP/FaceTime/Skype VoIP)
P2 - Network Management (RDP, SSH, Telnet, ICMP, WInbox, WebFig, and etc...)
P3 - Wife PC or Business Traffic
P4 - Web Traffic (TCP Port 80 & 443)
P5 - Gaming Consoles (PS / Xbox / Wii)
P6 - Movies / YouTube
P7 - Downloads / Torrents / Backups / Etc...
P8 - Default Traffic (All Unmarked Traffic)
*** This is just an example, feel free to move things around as you see fit to your network. ***


https://www.mikrotik-routeros.com/2014/ ... rees-v6-0/

Hope this helps.

Thanks | Regards,

John
 
Quaziee
just joined
Topic Author
Posts: 24
Joined: Wed May 23, 2018 2:42 pm

Re: Need Help keeping the peace at home

Fri Aug 31, 2018 2:44 pm

Itmonkee, i skimed that website, and it looks to me like you need to set limits. Upload and download. If thats the case i cant use it. My internet connections are both cellular. I live in an area where cable, dsl or any other constant speed internet is available. So my download speed very from as low as 1mbps to as high as 22mbps per connection, see pic. If you can base it on a percentage they by all means im in 100% to try it out.
DavidImage

Sent from my LG-LS777 using Tapatalk

Who is online

Users browsing this forum: No registered users and 42 guests