CuddleChunks
Sep 18, 2004

Let's talk about the MikroTik Router Operating System!
code:

  MMM      MMM       KKK                          TTTTTTTTTTT      KKK
  MMMM    MMMM       KKK                          TTTTTTTTTTT      KKK
  MMM MMMM MMM  III  KKK  KKK  RRRRRR     OOOOOO      TTT     III  KKK  KKK
  MMM  MM  MMM  III  KKKKK     RRR  RRR  OOO  OOO     TTT     III  KKKKK
  MMM      MMM  III  KKK KKK   RRRRRR    OOO  OOO     TTT     III  KKK KKK
  MMM      MMM  III  KKK  KKK  RRR  RRR   OOOOOO      TTT     III  KKK  KKK

  MikroTik RouterOS 4.5 (c) 1999-2010       http://www.mikrotik.com/

What is it? - It's a low-cost, full-featured networking platform.

How do you use it? - Download an image and install it on the compact flash card in your favorite Routerboard model or grab the x86 version and throw it on a spare PC.

What good is it? - Can't afford Cisco? MikroTik has many of the same capabilities at a fraction of the cost. Want a low-cost wireless networking platform? Add in some wireless cards and the MikroTikOS to get cheap and robust wireless solutions. Do you like Latvians? Dude, this was *written* by Latvians.

What does it look like? - You have four ways to interact with a MikroTik: telnet, ssh, Winbox and Webbox. The command-line interface gives you the most control over the unit and there are tasks that are most easily handled by using the command line. Fear not GUI friends, Winbox is there to present nearly all the same commands in a slick graphical layout. The Web interface has been updated and works nearly as well as Winbox.

Load up Winbox and enter the IP address (or MAC address) of the MikroTik you want to manage. You can save a ton of profiles here for handling an entire ISP's worth of these devices.


Once you are logged in, you are presented with a windowed interface for working with the unit. I've got the Interfaces window and the IP -> Firewall -> NAT window open. You can see some NAT rules I built to forward ports to computers on my network.


Click on the Terminal option on the left side of Winbox and you are taken to the command-line interface. I've just entered the "interface print" command to show you what a terminal session looks like.


How do I get it? - Go to http://www.mikrotik.com/ and download a demo. Play around, see if you like it. If you get hooked, you can get a RB750 5 port router/switch for $40 from http://www.roc-noc.com/mikrotik/routerboard/rb750.html It lacks a serial interface but is a solid unit for handling all kinds of routing and networking tasks. The RB750G adds gigabit ethernet ports.

Resources - The following places are great sources for more information on MikroTiks:
http://www.mikrotik.com - Their home site
http://wiki.mikrotik.com/wiki/Main_Page - Online documentation. It's pretty comprehensive.
http://forum.mikrotik.com/ - Some of the programmers of this project are active forum members. There's a lot of help to be had there for crazy networking problems. The best thread is the Bad Installation thread.
http://www.roc-noc.com/ - A place to buy MikroTikOS preinstalled to Routerboards.

Okay, but what do you really use it for? - I work for an ISP that over the last seven years has moved to use tons of MikroTik hardware. We route with them, provide hotspots, setup mesh networks, build backbones, setup AP's, setup CPE's, talk to Big Routers on the Internet with BGP and other crazy networking protocols. If we have to do something, Mikrotik is our go-to solution.

How the hell do we handle them? A mixture of monitoring systems and TheDude. It's a handy way to track lots of MikroTiks and manage them from a single interface.

I bought one for home use because I wanted to have something I was familiar with from work and because a $70 gigabit router that can speak BGP, IPSEC, handle a few thousand packets a second of throughput and all the torrenting you can throw at it without whining or requiring constant reboots was well worth my money. It's a rock solid home router, especially when you add a solid wifi access point (like an Apple Airport Extreme Basestation).

Backups - You've put time and effort into your config. You finally have all the little rules built and want to protect your work. What do you do?
- Log into your MikroTik via Winbox
- Click Files
- Click Backup
- Drag the backup file to your desktop.
You now have all the commands saved to rebuild the router from scratch.

Starting from Scratch - If you want to start with a clean slate, open a terminal window through Winbox or log in through telnet and type: system reset Hit Y to confirm and the unit will flush the old configuration. Want to just reboot the unit? system reboot will accomplish that.

Scripting - There is a decent scripting language supported for automating tasks, responding to events and changing settings based on other input. It's handy for updating things like DynDNS entries or whatever. A buddy of mine has a ton of scripts and such built so that when he plugs in his Xbox it auto-queues his roommates down so that he can monopolize the connection. He's an rear end, but an rear end with a low ping.

Training - Remit shared this handy link to training videos from MikroTik University.


Moving from 3.x to 4.x firmware - To move from the 3.x series of firmware to the 4.x you will need to upgrade your license from the old 7 digit model to the new 8 digit model. Happily, this is super easy. If possible, upgrade your Mikrotik to 3.30 first. Then in Winbox click on System -> License -> Export Key. Save that to your desktop. Now, drop in the 4.17 firmware and reboot to upgrade. After the upgrade, log in with Winbox and you'll be greeted with a message warning that the license file has changed and would you like to upgrade to the new format? The answer is Yes. The widget that updates the MikroTik license uses your desktop to build a connection out to their servers. You *must* be able to connect to the Internet before hitting "Yes". Reboot once more and you're set with the new license. It's a good idea to update the underlying Routerboard firmware as well. Log in and type: "system router upgrade" in a terminal. Hit "y" to accept the upgrade and reboot. Now you can upgrade to the 6.x firmwares in one shot. Remember to upgrade the Routerboard firmware after you install the new RouterOS.

Update 10/8/2012: RB433's and other routerboards sometimes fail with swollen caps. There are four on the mainboard that fail so get out your soldering irons and fix your routerboards! I just got an RB433 back into operation with only a few (several) minutes work desoldering and reinstalling new capacitors. These boards are very forgiving for my clumsy soldering technique so don't be afraid to try it out. The worst you can do is make your busted routerboard totally non-bootable. Yee-haw!

:siren: Gripes :siren:
There are quirks to using these machines same as any other. Their DNS implementation is primitive as hell and doesn't let you specify custom responses for various domains. If you have an ISP that hijacks search responses this is a major nuisance.

Capacitors blow up on some models of routerboards. This causes your gear out in the field to start rebooting itself or not boot at all. It's obnoxious as hell but can be fixed by ripping off and resoldering new caps. Tedious, but fixable.

IPSEC and other heavy CPU activities murder throughput.

QoS / Queueing - what do you mean you don't understand hierarchical token buckets and the linux packet filtering table? Are you completely stupid? Ach, don't bother me with your trivial hu-man questions, I must go do many complicated things with reindeer so we can release new best gooder version of MikroTik yet! Read the wiki! (Hint: reading the wiki is confusing as poo poo). This is a feature that Mikrotiks *can* perform but getting them to gracefully prioritize packets and help you deal with scummy, bandwidth-hogging roommates is a huge pain in the rear end. It works but requires dark dark voodoo.

RB751 and Wireless - Apple products and regular wifi products sometimes poo poo the bed with RB751's. Their power settings are way out of whack, they have goofy defaults and tweaking this has become a major source of irritation for me. If you have Apple products that support 802.11n set the drat thing to N-only mode and use a WPA2 key with AES. If you have a network of mixed Apple and non-Apple devices then don't bother getting frustrated, get an Apple Airport Extreme Basestation.

Update 6/19/2014: Took out the programming guide, the new defaults work fine out of the box. Log in with a web browser and use their quick setup feature to assign an SSID and WPA key to the router, choose your wan settings and get online quickly. It's nice to see some defaults that make this more usable as a home router than before. 6.15 f/w has been released and works well.

Update 12/19/2014: Here are some settings that seem to work well for Apple products connecting to the wireless routers like RB951 and RB751:
code:
#Apple wifi helpers
/int wir set wlan1 wmm-support=enabled periodic-calibration=enabled \
hw-protection-mode=rts-cts hw-retries=15 frame-lifetime=0 \
adaptive-noise-immunity=ap-and-client-mode disconnect-timeout=00:00:15 \
distance=indoors multicast-helper=full
Universal Plug-n-Play is a handy thing at times, especially if you have an Xbox. It's not so nice if someone from the outside world messes with your router so you should filter their connection attempts.
code:
##Setup UPnP
/ip upnp interfaces add interface=ether1-gateway type=external 
/ip upnp interfaces add interface=bridge-local type=internal 
/ip upnp set enabled=yes
/ip fir fil add chain=input in-interface=ether1-gateway protocol=udp port=1900 \
    action=drop comment="remote UPnP drop"

CuddleChunks fucked around with this message at 20:17 on Dec 19, 2014
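Added example, not part of CuddleChunks's post and not MikroTik's own code: the access methods, the UPnP filter and the backup steps from the OP pulled together into one RouterOS v6 script for a home unit, with the management plane locked down the way a practitioner would want before the box faces the Internet. Interface names (ether1-gateway, bridge-local), the 192.168.88.0/24 LAN, the user name and both passphrases are assumptions for the example; the password= option on /system backup save assumes RouterOS 6.13 or newer.

```routeros
# Added example (not from the original post). Assumed names: WAN port
# "ether1-gateway", LAN bridge "bridge-local", LAN subnet 192.168.88.0/24.

# 1. Of the four ways in (telnet, ssh, Winbox, web), telnet and the web UI send
#    credentials in clear text. Keep ssh and Winbox only, and only from the LAN.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# 2. The stock "admin" account ships with an empty password. Add a real
#    account, log in as it once to confirm it works, then disable admin.
/user add name=netadmin group=full password="use-a-long-passphrase-here"
/user disable admin

# 3. Input chain: the router itself answers replies, ICMP and the LAN, nothing
#    else. Order matters; rules are evaluated top to bottom.
/ip firewall filter add chain=input connection-state=established,related action=accept comment="established/related"
/ip firewall filter add chain=input connection-state=invalid action=drop comment="invalid"
/ip firewall filter add chain=input protocol=icmp action=accept comment="icmp"
/ip firewall filter add chain=input in-interface=bridge-local action=accept comment="management from LAN"
# The OP's SSDP drop, kept as its own rule so its counter shows probes from outside
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=udp dst-port=1900 action=drop comment="remote UPnP drop"
/ip firewall filter add chain=input action=drop comment="drop everything else aimed at the router"

# 4. UPnP: the LAN side may open ports; the WAN side is external only, and
#    clients are not allowed to disable the external interface.
/ip upnp interfaces add interface=ether1-gateway type=external
/ip upnp interfaces add interface=bridge-local type=internal
/ip upnp set enabled=yes allow-disable-external-interface=no

# 5. Backups: the binary .backup file (encrypted here, RouterOS 6.13+) plus a
#    readable /export, then a scheduler job so a fresh backup always exists.
/system backup save name=home-router password="backup-passphrase"
/export file=home-router
/system scheduler add name=nightly-backup start-time=03:00:00 interval=1d \
    on-event="/system backup save name=auto-backup password=\"backup-passphrase\""
```

After pasting, `/ip service print` and `/ip firewall filter print stats` confirm what is reachable and which rules are actually counting packets; the .backup and .rsc files show up under Files and can be dragged off the router exactly as the Backups section describes. One caveat the script does not cover: Winbox can also reach the router by MAC address, which bypasses the IP firewall entirely, so the MAC server (/tool mac-server) should be restricted to LAN interfaces as well; the syntax for that changed between 6.x releases, which is why it is not shown here.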


Quebec Bagnet
Apr 28, 2009

mess with the honk
you get the bonk
Lipstick Apathy
Just how good is their hardware? I've been looking at the RB493G for one location, which claims to be entirely gigabit ports. Will I be able to pull off fully gigabit connections? The locations needs 4-5 uplinks and 2-3 LAN ports (all behind a NAT).

My Rhythmic Crotch
Jan 13, 2011

How does this compare to something like OpenWrt? Is there another open source project that would be more of a direct comparison?

R1CH
Apr 7, 2002

The Ron Jeremy of the coding world

Derpes Simplex posted:

Just how good is their hardware? I've been looking at the RB493G for one location, which claims to be entirely gigabit ports. Will I be able to pull off fully gigabit connections? The locations needs 4-5 uplinks and 2-3 LAN ports (all behind a NAT).

I've been running an RB750G (same CPU) for a 50/5 connection with a lot of NAT and shaping rules. Can easily max out the downstream with low CPU usage and I've seen full 100MB/sec transfers over the LAN. The switch ports can either be assigned as a switch (all four ports act like one to the software) or individually - if in switch mode, LAN traffic is handled entirely by the hardware, otherwise it passes through the software which can impact CPU usage on the lower end models. You can certainly do full gigabit routing throughput on a single port, multiple gigabit streams through multiple ports might benefit from a higher end model.

nex
Jul 23, 2001

øæå¨æøåø
Grimey Drawer
You say you use this in a ISP-environment, interesting. Hope you don't mind me asking a few questions. :)

How big is your typical node (port/customer density)? Do you buy the boards prefabricated or do you create your own?

How does it work compared to Cisco when it comes to field replaceable parts, redundancy and general uptime?

What kind of Cisco platform did you replace?

BlackMK4
Aug 23, 2006

wat.
Megamarm
How does this compare to an Alix 2D3 or something with PFSense?

Quebec Bagnet
Apr 28, 2009

mess with the honk
you get the bonk
Lipstick Apathy

R1CH posted:

I've been running an RB750G (same CPU) for a 50/5 connection with a lot of NAT and shaping rules. Can easily max out the downstream with low CPU usage and I've seen full 100MB/sec transfers over the LAN. The switch ports can either be assigned as a switch (all four ports act like one to the software) or individually - if in switch mode, LAN traffic is handled entirely by the hardware, otherwise it passes through the software which can impact CPU usage on the lower end models. You can certainly do full gigabit routing throughput on a single port, multiple gigabit streams through multiple ports might benefit from a higher end model.

Sounds nice! There typically won't be multiple streams, but being able to burst gigabit and not kill the rest of the network at the same time is extremely compelling.

CuddleChunks
Sep 18, 2004

nex posted:

How big is your typical node (port/customer density)? Do you buy the boards prefabricated or do you create your own?
We buy them as half-assembled wireless CPE's where we just have to mount the board and case onto the antenna. We run a custom setup script that builds our different roles for the units and then it's time to hang the radios and wiggle them around until they are in alignment. One of the scripts actually beeps like crazy as you align it so you can use the speaker to tell you when you are pretty well dialed in for pointing back to the AP. RB411's are the mainboard in use currently.

nex posted:

How does it work compared to Cisco when it comes to field replaceable parts, redundancy and general uptime?
Our CPE's have a panel antenna, an outdoor case that mounts to the antenna, a routerboard, a wireless card (usually an Atheros), a pigtail for jumping between the card and the antenna and a second ethernet pigtail to jump to the external ethernet port. It then has a weather-resistant coupler so that the whole drat thing can be run via Power-over-Ethernet. You can replace just about every single part in there independently of any other. We've resurrected plenty of boards that burned up their little ethernet surge suppressor pigtail and just jumped them straight to the ethernet port. We've swapped radio cards in the field and done other repairs. Pretty much all of this work requires some screwdrivers and nut drivers. The other routerboard units just need a screwdriver to get into.

Cisco CPE's don't have any field replaceable parts that I'm aware of. I only have interacted with their Aironet series (350's, 1200's, 1300's) but they are all-in-one units and if they stop working you don't have any mechanism to repair them. The mikrotiks are more like a kit that you assemble into a single CPE.


nex posted:

What kind of Cisco platform did you replace?
We bought out an ISP and have ditched their oldass Aironet 350's and replaced them with Glorious MikroTiks everywhere that we possibly can. gently caress those things. Oh sure, it's cute that they can act as wireless repeaters... right up until you see someone repeating a lovely signal through other folks to rig up their network. It's ghastly.


BlackMK4 posted:

How does this compare to an Alix 2D3 or something with PFSense?
Who the gently caress uses pfSense? I kid, I kid. It would be comparable to that platform actually. However, I am not personally very well acquainted with pfSense so trying to do the things I know how to do in a mikrotik would take a lot of retraining.

An example may be helpful.

When I fire up my RB750 I am presented with 5 ethernet ports. One of which I renamed to etherWAN to make sure I could tell it apart in programming. If I want to set up a network on port 2 (port 1 is the WAN) then I would need to do the following:

- Define a set of IP addresses to use for my DHCP server
- Add a gateway address to my IP addresses to use for the server
- Setup NAT
- Setup a DHCP server
- Setup a default route (unless I'm using pppoe to get that)

That's a lot of clicking and fiddling. Like a Cisco, you impose order on a blank canvas of hardware. The default install comes with a ton of this setup but I like to work with the blank install. I started to type up the commands needed but unless you really want that level of detail I'll skip that part.

If you want to add a port forward then it's usually easiest to go this site: http://wiki.mikrotik.com/wiki/Forwarding_a_port_to_an_internal_IP and modify their command line. The command interpreter is *really* nice. It color codes commands, has tab completion and a nice parser so you only have to type partial commands.

This: interface wireless registration print
Becomes: int wir reg pr

I've heard pfSense has add-on modules and such and that's probably where you'd see the Mikrotiks start to fall short. They can forward traffic to a box for further processing but don't contain those modules themselves. Unlike a project like ClearOS that bundles a ton of packages and can add more, MikroTikOS is more of a standalone networking platform. For example it will interface with a web proxy but doesn't do that onboard.
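Added example, not part of CuddleChunks's post and not MikroTik's own code: the five steps he lists (DHCP range, gateway address, NAT, DHCP server, default route) as RouterOS v6 commands, plus the port forward from the wiki link and the firewall rules that keep the result from becoming an open DNS resolver. Assumptions for the example: the WAN port is renamed etherWAN as in the post, the LAN is ether2 with 192.168.10.0/24, a web server sits at 192.168.10.50, and the WAN is static with 203.0.113.10/24 and upstream gateway 203.0.113.1 (no PPPoE).

```routeros
# Added example (not from the original post). Assumed: WAN port "etherWAN",
# LAN port "ether2", LAN 192.168.10.0/24, web server 192.168.10.50,
# static WAN 203.0.113.10/24 with gateway 203.0.113.1.

# Step 1/2: gateway address on the LAN port and a range for DHCP clients
/ip address add address=203.0.113.10/24 interface=etherWAN comment="assumed static WAN"
/ip address add address=192.168.10.1/24 interface=ether2 comment="LAN gateway"
/ip pool add name=lan-pool ranges=192.168.10.100-192.168.10.200

# Step 3: NAT. srcnat masquerade for outbound; dstnat for the one port forward.
# Matching in-interface=etherWAN (instead of dst-port alone, as the wiki example
# does) stops LAN-originated traffic to port 8080 from being rewritten too.
/ip firewall nat add chain=srcnat out-interface=etherWAN action=masquerade comment="LAN to Internet"
/ip firewall nat add chain=dstnat in-interface=etherWAN protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.10.50 to-ports=80 comment="8080 -> web server"

# Step 4: DHCP server handing out the router as gateway and resolver
/ip dhcp-server add name=lan-dhcp interface=ether2 address-pool=lan-pool lease-time=1d disabled=no
/ip dhcp-server network add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
/ip dns set servers=9.9.9.9 allow-remote-requests=yes

# Step 5: default route (skip when PPPoE supplies one with add-default-route=yes)
/ip route add dst-address=0.0.0.0/0 gateway=203.0.113.1

# The catch in step 4: allow-remote-requests=yes answers DNS on *every*
# interface, etherWAN included, unless the input chain says otherwise. Without
# these rules the box is an open resolver and a DNS amplification source.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=ether2 action=accept comment="LAN may use DNS, DHCP, Winbox"
/ip firewall filter add chain=input in-interface=etherWAN protocol=icmp action=accept
/ip firewall filter add chain=input in-interface=etherWAN action=drop comment="no DNS, Winbox, etc. from the Internet"

# Forward chain: let the port forward through, block other unsolicited WAN->LAN
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=etherWAN connection-nat-state=dstnat action=accept comment="port forwards"
/ip firewall filter add chain=forward in-interface=etherWAN action=drop
```

`/ip firewall nat print stats` shows whether the dstnat rule is being hit, and a DNS query against the WAN address from outside should now time out rather than answer. The connection-nat-state=dstnat matcher is what lets every future port forward through the forward chain without a matching filter rule per port.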

NOTinuyasha
Oct 17, 2006

 
The Great Twist
I've been screwing around in Winbox for the last three hours juggling three different PPTP clients with my 750G, partying it up on thursday night as usual.

It's a rock solid router and I'm trying to convince my boss to start deploying these to clients.

NOTinuyasha fucked around with this message at 20:09 on Feb 11, 2011

Nubile Cactus
Aug 1, 2004
I am a cactus. :)
Also looks like they will be releasing a 750G with wireless built in soon as a sort of more advanced home AP. Should be pretty awesome once it comes out.

R1CH
Apr 7, 2002

The Ron Jeremy of the coding world
One incredibly annoying oversight / issue with the MT software is UPnP support. While it works great for opening incoming ports, the dynamic NAT entries it creates don't time out. So if your device or program doesn't remove them properly when it's done, or your system reboots / powers off / etc, you'll end up filling up your NAT table with garbage entries. This can manifest in just a couple of months depending on how much RAM your device has, how many UPnP enabled programs / devices you use and how many ports they decide to open.

You can remove them manually or just simply reboot it, but it's still pretty annoying.

Studebaker Hawk
May 22, 2004

I had never heard of Mikrotik until recently, but currently work with a firm that is providing "ISP" service to their building (fully bgp routed) and using these in some client production environment. It is cheap as hell and pretty powerful though something about the way the GUI is oriented is...kinda backwards.

Golden Mongoose
Oct 22, 2010
They have had issues in the past with their hardware having bad caps. If you bought a 450 in 2009, it will likely die in 1yr or thereabouts which can be annoying for those that deploy them in remote locations.

http://forum.mikrotik.com/viewtopic.php?f=3&t=39091

As for the software, I have found it to be very stable, aside from various bugs/features that don't work properly, but they can be worked around and eventually get fixed.

All and all, a very good value for the price.

enotnert
Jun 10, 2005

Only women bleed
I've been playing and learning on mine for a while now. It's capable of a lot of poo poo.

It may have been cuddle chunks who first told me and led me in the right direction of what was loving up as I tried to configure PPPoE.

PUBLIC TOILET
Jun 13, 2009

Does the RB750G support UPnP? How would one put together some kind of wireless access with one of these? Would you have to also purchase this to do that? It seems like it has a pretty steep learning curve with WinBox compared to some of the typical consumer routers out there.

HangOverDeMayo
May 6, 2005
Hangover so hung, it beats a horse

Nubile Cactus posted:

Also looks like they will be releasing a 750G with wireless built in soon as a sort of more advanced home AP. Should be pretty awesome once it comes out.

Where did you see this?

I'm definitely not a professional but like to try messing with networking gear. I'll probably get a 750G just to start messing around with when I can but I am curious if it's possible to create a consumer-type gateway/router/switch. One with a GigE wan port and 4 GigE ports for the switch but I would also want dual radios for wireless. What would I be looking at to do this with the routerboards?

Also, how does upgrading the OS work?

enotnert
Jun 10, 2005

Only women bleed

COCKMOUTH.GIF posted:

Does the RB750G support UPnP? How would one put together some kind of wireless access with one of these? Would you have to also purchase this to do that? It seems like it has a pretty steep learning curve with WinBox compared to some of the typical consumer routers out there.

Basically yeah for now. . . Post below mentions some of what is to come out, with more end user grade routerboards with wireless built in.

Thats basically what I've got going on. Range is loving sick on it as well.

HangOverDeMayo posted:

Where did you see this?

I'm definitely not a professional but like to try messing with networking gear. I'll probably get a 750G just to start messing around with when I can but I am curious if it's possible to create a consumer-type gateway/router/switch. One with a GigE wan port and 4 GigE ports for the switch but I would also want dual radios for wireless. What would I be looking at to do this with the routerboards?

Also, how does upgrading the OS work?

You can kit out your own routerboard with wireless radios for a chunk more change (still rather cheap). Honestly most people I know just get a base routerboard, and maybe the 750g switch if they want to keep AP's on separate vlans. It's less of a pain than kitting out one single unit.

Upgrading is rather simple.

http://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS#Using_Winbox

HangOverDeMayo
May 6, 2005
Hangover so hung, it beats a horse
I figured it would be easier to just piece it together than create a single board for right now.

And I guess I was questioning more the licensing than the actual process of upgrading.

R1CH
Apr 7, 2002

The Ron Jeremy of the coding world
Wireless with routerboards can get kind of expensive as the consumer models like the RB750G don't have mPCI slots, so you need a better board, custom case, radio card, antennas, etc. Personally I just use a standard AP in AP mode (no routing etc) hooked into the MT device. It helps that I have a high quality AP, but you can pick up something like the Ubiquiti PowerAP pretty cheap and get a nice AP to hook into your network.

Obviously if you want more complicated things like wireless client segregation, per-client shaping, 802.1x, etc you'll want your wireless clients hanging directly off an wireless card from the MT board.

PUBLIC TOILET
Jun 13, 2009

R1CH posted:

Wireless with routerboards can get kind of expensive as the consumer models like the RB750G don't have mPCI slots, so you need a better board, custom case, radio card, antennas, etc. Personally I just use a standard AP in AP mode (no routing etc) hooked into the MT device. It helps that I have a high quality AP, but you can pick up something like the Ubiquiti PowerAP pretty cheap and get a nice AP to hook into your network.

Obviously if you want more complicated things like wireless client segregation, per-client shaping, 802.1x, etc you'll want your wireless clients hanging directly off an wireless card from the MT board.

Yeah I wouldn't be looking into anything that extensive. I'm just thinking of a cheap, MikroTik solution in my head that would provide a wireless AP and a routing solution in a two story house. Is the Ubiquiti radio a decent solution for that or does it seem like overkill for a house? I've never played with either product but I'm guessing you'd have to disable any routing on the Ubiquiti (if it even does any routing) and just make it pass-through to the MikroTik.

CuddleChunks
Sep 18, 2004

NOTinuyasha posted:

I've been screwing around in Winbox for the last three hours juggling three different PPTP clients with my 750G, partying it up on thursday night as usual.
:hfive:

I laughed at my buddy who keeps tanking his mikrotik as he tries to develop more and more complicated scripts but it's fun. The fact that it auto-responds to something plugging into one of the ethernet ports is pretty drat cool.


COCKMOUTH.GIF posted:

Does the RB750G support UPnP? How would one put together some kind of wireless access with one of these? Would you have to also purchase this to do that? It seems like it has a pretty steep learning curve with WinBox compared to some of the typical consumer routers out there.
Winbox *does* have a learning curve but I've found that the documentation on their wiki has been very helpful, but I have the distinct advantage of working with these every single day at work.


COCKMOUTH.GIF posted:

Yeah I wouldn't be looking into anything that extensive. I'm just thinking of a cheap, MikroTik solution in my head that would provide a wireless AP and a routing solution in a two story house.
RB411's in outdoor cases or RB450's in indoor cases are really nice for this purpose. An RB411 is what we're using for CPE's and they have been rock solid. We even set them up as a home router type thing and they rule for PPPoE termination. An RB450 with an Atheros wireless card is going to be an expensive piece of gear but oh so beautiful and tons of power to spare.

For ultimate cheapness, $40 RB750 for routing duties and a repurposed Linksys WRT54G running DD-WRT as the wifi AP. Put on a decent antenna on the Linksys and you'll be rocking the house. Sure, it will be a 100Mbps network but those two devices alone will kick a lot of rear end. Note: that's what I have at home. :)

Nubile Cactus
Aug 1, 2004
I am a cactus. :)

HangOverDeMayo posted:

Where did you see this?

I'm definitely not a professional but like to try messing with networking gear. I'll probably get a 750G just to start messing around with when I can but I am curious if it's possible to create a consumer-type gateway/router/switch. One with a GigE wan port and 4 GigE ports for the switch but I would also want dual radios for wireless. What would I be looking at to do this with the routerboards?

Also, how does upgrading the OS work?

They posted about it back in 09. E-mailed them recently. They said it was in development but they could share no more details.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Hi CuddleChunks! Thanks for starting this!

I also work at an ISP and we've been using them a lot. Mostly for endpoints of a point to point connection or when a customer needs a VPN and such. They're much much cheaper and nicer than ASAs. As far as reliability... we don't have many in the field for an extensive amount of time so it is hard to tell. They're pretty nice though.

As far as pfsense -- on x86 hardware pfsense will probably kill this in terms of routing capabilities if you're using a good NIC. My #1 gripe about Mikrotiks is that it's based on Linux. If they put in a bit more time and developed on FreeBSD they'd have a much more solid product with a better network stack and access to OpenBGPD which is MUCH better than the BGP software used here.

tl;dr I think you're crazy if you're replacing the core infrastructure of your ISP with Mikrotiks. However, it works great for vpns, firewalls, and endpoints.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer

Derpes Simplex posted:

Sounds nice! There typically won't be multiple streams, but being able to burst gigabit and not kill the rest of the network at the same time is extremely compelling.

Check out http://routerboard.com/pdf/routerboard_performance_tests.pdf

The 493G and 450G have the same processor as the 750G, but they also have 256Mb RAM vs only 32Mb RAM in the 750G. I don't think that is the sole reason the 400G's outpace the 750G (it may have to do with the switch chips used), but you may want to look at the 400G series for full gigabit bursting.

I also work at an ISP that uses MikroTik pretty extensively (276 RouterOS devices in the Dude, not counting any CPE).

I've got a BSD and cisco background, so I was pretty skeptical of the "Latvian Linux Appliance", but it has really grown on me, in a price/performance sense.

Wheelchair Stunts
Dec 17, 2005
Stupid question

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

I have to do some VPNs between Mikrotiks and ASAs soon. We don't have this specific setup in production anywhere yet as we usually do between Mikrotiks. Anyone know if there are any pitfalls I should beware?

CuddleChunks
Sep 18, 2004

feld posted:

I have to do some VPNs between Mikrotiks and ASAs soon. We don't have this specific setup in production anywhere yet as we usually do between Mikrotiks. Anyone know if there are any pitfalls I should beware?

Keep an eye on the MTU's involved. You may want to write a static clamping rule for traffic heading over the VPN. Cisco gear loves to sit around 1300 and if you get gear between yourself and the remote end that doesn't properly handle path MTU discovery then it can get really dicey for making your VPN's move traffic. They'll establish but lag out pretty quickly due to packet corruption.

A static clamp rule is under the Mangle section of the Firewall and looks generally like:
code:
/ip firewall mangle add action=change-mss chain=forward comment="" disabled=no dst-address=1.2.3.4 new-mss=1260 protocol=tcp tcp-flags=syn

The fun comes in figuring out if you need to tie that to an interface or to an IP or whatever. Whee! I don't remember our admins complaining too much about the IPSEC VPN setup but I'm sure there's something stupid that will rear its head.
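Added example, not part of CuddleChunks's post and not MikroTik's own code: the MSS clamp above in two forms, the automatic one that reads the MTU of the outgoing interface, and a static one tied to the IPsec policy rather than to a destination address, so ordinary Internet traffic keeps its normal MSS while tunnel traffic is pinned. The remote subnet 10.20.0.0/24 and its gateway 10.20.0.1 are assumptions for the example.

```routeros
# Added example (not from the original post). Assumed: an IPsec tunnel to a
# remote site 10.20.0.0/24 whose far-end router answers at 10.20.0.1.

# Automatic form: MSS derived from the out-interface MTU. Works for the
# plain-routing case but does not know about the IPsec overhead.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="clamp TCP MSS to path MTU"

# Static form for the tunnel: 1260 + 40 bytes of TCP/IP header = 1300, the
# MTU the post says Cisco gear tends to sit at. The ipsec-policy matcher picks
# the SYNs that will be encrypted (out) or were just decrypted (in); both
# directions are clamped so each endpoint learns the smaller value.
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=out,ipsec \
    action=change-mss new-mss=1260 passthrough=yes comment="MSS to the ASA"
/ip firewall mangle add chain=forward protocol=tcp tcp-flags=syn ipsec-policy=in,ipsec \
    action=change-mss new-mss=1260 passthrough=yes comment="MSS from the ASA"

# Checks: the rule counters should climb as new TCP sessions cross the tunnel,
# and DF pings of decreasing size find the real path MTU. MSS = largest size
# that passes, plus 28 bytes of ICMP/IP header, minus 40.
/ip firewall mangle print stats
/ping 10.20.0.1 size=1400 do-not-fragment count=3
/ping 10.20.0.1 size=1272 do-not-fragment count=3
```

If the 1400-byte DF ping fails and the 1272-byte one succeeds, the 1260 value is about right; if both fail, something between the two ends is dropping ICMP "fragmentation needed" as well, which is exactly the case where the static clamp is needed because path MTU discovery cannot fix it.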

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Chiming in as a Mikrotik user at home and work. At home I was able to replace switch, router, wireless access point with a RB493. At work they make great customer premise equipment. In at least one case we're running OSPF, BGP and MPLS VPN and we've never had an issue. BGP is just for MPLS, not full ipv4 routes. Will be experimenting with full routing tables on some RB1100s soon to see how they handle it. Probably faster than some NPE-400s doing full tables.

CubanRefugee
Jul 1, 2003

El Jefe
Reppin' the Row since '26.

CuddleChunks posted:

We bought out an ISP and have ditched their oldass Aironet 350's and replaced them with Glorious MikroTiks everywhere that we possibly can.

Who'd you guys buy out? Please tell me it was Cactus...

Also, as to not be a complete derail, thanks for the guide/thread, Cuddle. I'm eventually going to build a mikrotik at home to brush up on the old skills, so expect me to harass you more than usual.

NOTinuyasha
Oct 17, 2006

 
The Great Twist

CuddleChunks posted:

Winbox *does* have a learning curve but I've found that the documentation on their wiki has been very helpful, but I have the distinct advantage of working with these every single day at work.

Most official documentation only covers shell configuration. It gets worse if you run a pre-release like v5. You really need background in networking to figure it all out. Basic things come preconfigured (upnp is not one of those things, if I recall).

CuddleChunks
Sep 18, 2004

CubanRefugee posted:

Who'd you guys buy out? Please tell me it was Cactus...
Hahah I wish. No, this was an ISP down in the prairie region nearby. It's a constant source of nightmares because of their approach to networking. They did some seriously braindead things with setting up the gear and since none of that shows up until *after* the acquisition it's now our headache. We've expanded into cable internet as well and that's proving to be a joyful kick in the crotch as we find all sorts of messed up lines and poo poo all over the region. Wheee! Good times.



NOTinuyasha posted:

Most official documentation only covers shell configuration. It gets worse if you run a pre-release like v5. You really need background in networking to figure it all out. Basic things come preconfigured (upnp is not one of those things, if I recall).
Oh NOTinuyasha, don't worry too much about Winbox. Anypony can learn to work with it given a little time and some Friends to come and help! Why, I bet if we all put our heads together and learn to work together, we could make this Winbox reach for the stars!

Friendship (and mikrotik config) is Magic!


(but i'm not denying that it looks weird as hell at first. no doubt about that).
Would it be helpful to put together some screenshots of common tasks or something? How about a walkthrough on setting up a basic NAT-ed home network with some ports forwarded?

NOTinuyasha
Oct 17, 2006

 
The Great Twist

CuddleChunks posted:

Would it be helpful to put together some screenshots of common tasks or something? How about a walkthrough on setting up a basic NAT-ed home network with some ports forwarded?

Thispony is most interested in queue trees, the official documentation is awful and I've never gotten it to work right. I'd be delighted to see some example configurations...

I can see a raw beginners guide that translates common functions like 'port forwarding' into NAT/firewall entries in Winbox as useful for the thread since that sort of thing looks terribly overwhelming compared to home router UIs.

enotnert
Jun 10, 2005

Only women bleed

NOTinuyasha posted:

I can see a raw beginners guide that translates common functions like 'port forwarding' into NAT/firewall entries in Winbox as useful for the thread since that sort of thing looks terribly overwhelming compared to home router UIs.

Yeah, even basic port forwarding took me a week or two and a couple beers tweenst a friend working at a WISP all backended with mikrotik to figure out.

(I still have a demo port forward in my config labeled as 'get datte port ferwerd i sencha?')

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Hi guys,

I need some VRRP help badly :(

The issue is this: I have two VRRP instances running on each RB1100. One is VRRP-External and the other is VRRP-Internal

The problem is that only whole device failover works. If the one that is MASTER for both is running and you unplug the internal interface only the internal interface fails over to the secondary router.

This is not good. Effectively what happens is the traffic keeps flowing to a router but now it has no way to get out because it is not master of the VRRP-External.

I'm sorely disappointed because I've been spoiled by BSD's CARP which automatically fails everything over if you enable preempt -- this is an extra feature they added apparently.

I assume this could be figured out with some script? So far I'm not having any luck figuring out what I need to do it. I've located some scripts but even when I tell them to run the run count doesn't go up... I'm referring to this thread: http://forum.mikrotik.com/viewtopic.php?f=9&t=42545


Thanks to anyone who can help!

PUBLIC TOILET
Jun 13, 2009

These devices seem like they have an intensive configuration behind them. Honestly that's the one thing holding me back from trying one. That and having to use a separate wireless AP device unless I shell out more money for a Mikrotik that supports a wireless card. The wireless thing doesn't sound too bad though if I just connect a WRT54GL to the Mikrotik for strictly wireless AP access.

adorai
Nov 2, 2002

10/27/04 Never forget
Grimey Drawer

feld posted:

Thanks to anyone who can help!
In vyatta you would use a vrrp sync group. Not sure if mikrotik has something similar, but since they are both based on linux I am guessing it does.

karoshi
Nov 4, 2008

"Can somebody mspaint eyes on the steaming packages? TIA" yeah well fuck you too buddy, this is the best you're gonna get. Is this even "work-safe"? Let's find out!

feld posted:

Hi guys,

I need some VRRP help badly :(

The issue is this: I have two VRRP instances running on each RB1100. One is VRRP-External and the other is VRRP-Internal

The problem is that only whole device failover works. If the one that is MASTER for both is running and you unplug the internal interface only the internal interface fails over to the secondary router.

This is not good. Effectively what happens is the traffic keeps flowing to a router but now it has no way to get out because it is not master of the VRRP-External.

I assume this could be figured out with some script? So far I'm not having any luck figuring out what I need to do it. I've located some scripts but even when I tell them to run the run count doesn't go up... I'm referring to this thread: http://forum.mikrotik.com/viewtopic.php?f=9&t=42545

Thanks to anyone who can help!

You ain't running no dynamic routing protocol (which should detect the removed cable and announce the lack of connectivity upstream to the external ~cloud~).
Static route solution: Add a cable between the 2 routers, add a static route with less precedence to the other router. Repeat for the external interfaces' routes.
I assume mikrotik has route precedence (linux kernel does) and that you have a spare port on each router and a spare cable :v:
Even with dynamic routing you may want to run a cable between redundant routers.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

adorai posted:

In vyatta you would use a vrrp sync group. Not sure if mikrotik has something similar, but since they are both based on linux I am guessing it does.

Negative, it does not have this feature. Sounds like Vyatta did VRRP the right way...

karoshi posted:

You ain't running no dynamic routing protocol (which should detect the removed cable and announce the lack of connectivity upstream to the external ~cloud~).

Even running a dynamic routing protocol on the network would not solve it. I don't think you're considering that I'm using VRRP and no routing protocol can detect that a cable has been removed because of how VRRP works....

karoshi posted:

Static route solution: Add a cable between the 2 routers, add a static route with less precedence to the other router. Repeat for the external interfaces' routes.
I assume mikrotik has route precedence (linux kernel does) and that you have a spare port on each router and a spare cable :v:
Even with dynamic routing you may want to run a cable between redundant routers.

I was actually discussing this with a coworker last night and the only good solution we could come up with is to run a cable between both Mikrotiks and run OSPF.

* Cable gets unplugged
* Traffic routes to other Mikrotik which is in Backup mode for the uplink side
* OSPF routes traffic over to the other Mikrotik which has Master
* Off to the internet it goes!

This should work fine as long as VRRP plays nice and when you're the Backup it doesn't have the uplink's entries in the routing table. We have yet to test that, though.

feld fucked around with this message at 17:43 on Feb 17, 2011

karoshi
Nov 4, 2008

"Can somebody mspaint eyes on the steaming packages? TIA" yeah well fuck you too buddy, this is the best you're gonna get. Is this even "work-safe"? Let's find out!

feld posted:

Negative, it does not have this feature. Sounds like Vyatta did VRRP the right way...

Even running a dynamic routing protocol on the network would not solve it. I don't think you're considering that I'm using VRRP and no routing protocol can detect that a cable has been removed because of how VRRP works....

Router-A injects a connected route into OSPF, so does Router-B. OSPF domain sees two announcements for the client network.
Cable is cut, interface goes down, router-A doesn't announce route into OSPF anymore. Router-B is still injecting the connected route into OSPF, the OSPF area still can see an announcement to that route.

But client side (I'll assume a DHCP LAN full of PCs) ain't doing dynamic routing, so if the master VRRP loses upstream connectivity, you're hosed, yeah.

feld posted:


I was actually discussing this with a coworker last night and the only good solution we could come up with is to run a cable between both Mikrotiks and run OSPF.

* Cable gets unplugged
* Traffic routes to other Mikrotik which is in Backup mode for the uplink side
* OSPF routes traffic over to the other Mikrotik which has Master
* Off to the internet it goes!

This should work fine as long as VRRP plays nice and when you're the Backup it doesn't have the uplink's entries in the routing table. We have yet to test that, though.

You don't need OSPF just for the backup solution.
Router-A's got a connected route to the client LAN, now add a static route to that network via the crossover cable to R-B and a reciprocating route on B. Packets coming from upstream will reach the clients as long as 1 connection to the LAN stands. This will generate a nice routing loop if both LAN cables are cut, but then who cares?

For the other side I'll assume a default route. Add a static route on R-A pointing to R-B with a "distance" higher than 1 (the default distance for static routes) and vice versa. Again, you got yourself a nice routing loop if both upstreams are cut.
Grep http://wiki.mikrotik.com/wiki/Manual:IP/Route for "distance":

mikrotik posted:

Value used in route selection. Routes with smaller distance value are given preference. If the value of this property is not set, then the default depends on route protocol:

connected routes: 0
static routes: 1
eBGP: 20
OSPF: 110
RIP: 120
MME: 130
iBGP: 200

TL;DR: use OSPF, gently caress this poo poo.
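An added example, not from the thread or from MikroTik: a small Python model of the distance-based route selection karoshi describes (and the failover feld is after), using the default distances quoted from the manual above. Each router keeps its own static default (distance 1) plus a backup default over the crossover cable to its peer at distance 2; the trace shows the failover when one upstream is unplugged and the routing loop karoshi warns about when both are cut. Router names, interface names and the upstream labels are constructed.

```python
from dataclasses import dataclass
from typing import Optional

# RouterOS default distances as quoted from the manual in the post above.
DEFAULT_DISTANCE = {"connected": 0, "static": 1, "ebgp": 20,
                    "ospf": 110, "rip": 120, "mme": 130, "ibgp": 200}

@dataclass
class Route:
    dst: str                        # destination prefix, e.g. "0.0.0.0/0"
    gateway: str                    # next hop: a router name or an upstream label
    interface: str                  # interface the route leaves through
    protocol: str = "static"
    distance: Optional[int] = None  # None means "use the protocol default"

    def effective_distance(self) -> int:
        return DEFAULT_DISTANCE[self.protocol] if self.distance is None else self.distance

# Constructed topology (hypothetical names): each router has its own upstream on ether1
# (static, distance 1) and a backup default via the crossover cable on ether3 (distance 2).
ROUTERS = {
    "R-A": [Route("0.0.0.0/0", "upstream-A", "ether1"),
            Route("0.0.0.0/0", "R-B", "ether3", distance=2)],
    "R-B": [Route("0.0.0.0/0", "upstream-B", "ether1"),
            Route("0.0.0.0/0", "R-A", "ether3", distance=2)],
}

def select_route(routes, dst, up_interfaces):
    """Pick the lowest-distance route to dst whose interface is up; a route on a
    downed interface is inactive, as it is when the cable is pulled."""
    active = [r for r in routes if r.dst == dst and r.interface in up_interfaces]
    return min(active, key=Route.effective_distance, default=None)

def trace_default(start, down_links):
    """Follow default-route next hops from `start`. down_links is a set of
    (router, interface) pairs whose cable is unplugged. Returns
    (outcome, upstream_or_None, path) with outcome "exit", "blackhole" or "loop"."""
    path, router = [start], start
    while True:  # terminates: every pass returns or visits a new router
        up = {r.interface for r in ROUTERS[router] if (router, r.interface) not in down_links}
        route = select_route(ROUTERS[router], "0.0.0.0/0", up)
        if route is None:
            return ("blackhole", None, path)
        if route.gateway not in ROUTERS:          # left the pair: reached an upstream
            return ("exit", route.gateway, path)
        if route.gateway in path:                 # back to a router already visited
            return ("loop", None, path + [route.gateway])
        router = route.gateway
        path.append(router)
```

The RouterOS form of the backup entry is a static route with a raised distance, e.g. `/ip route add dst-address=0.0.0.0/0 gateway=<peer address> distance=2`, with the parameters documented on the wiki page linked above.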


CuddleChunks
Sep 18, 2004

NOTinuyasha posted:

Thispony is most interested in queue trees, the official documentation is awful and I've never gotten it to work right. I'd be delighted to see some example configurations...
:cry: I'll see what I can do. I have ham-handedly helped with putting together some queueing systems and one of my coworkers is working with our other admins on learning some new hotness for queueing that will probably make all of my info obsolete.


NOTinuyasha posted:

I can see a raw beginners guide that translates common functions like 'port forwarding' into NAT/firewall entries in Winbox as useful for the thread since that sort of thing looks terribly overwhelming compared to home router UIs.
This I can do with my home unit. I'll put something together in a couple days.
