Nitr0
Aug 17, 2005

IT'S FREE REAL ESTATE
Strange. I thought Windows included a gateway in an ipconfig for the pop interface.

Like this

Oh well, good to know.

CuddleChunks
Sep 18, 2004

Under XP it didn't show any gateway on my machine either, just the assigned IP and netmask.

krackpot
Apr 24, 2011
5.7 Released.
Changelog: http://www.mikrotik.com/download/CHANGELOG_5

This is particularly interesting:
*) improved ipv4 forwarding performance on all boards with simple configuration
by up to 30%;

CuddleChunks
Sep 18, 2004

krackpot posted:

5.7 Released.
Changelog: http://www.mikrotik.com/download/CHANGELOG_5

This is particularly interesting:
*) improved ipv4 forwarding performance on all boards with simple configuration
by up to 30%;

"All boards now run on PixiedustOS and use unicorn hooves to improve throughput by 200% over prior models. Do not look directly at Routerboards during assembly or warranty will be void."

I swear they have some creepy magic poo poo going on with these things sometimes. Still, that's cool as hell to read. I wonder what bottleneck they found and fixed.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
I'd be more interested to know what they consider a "simple" configuration, given the ridiculous amount of stuff one can do with their software.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Simple is routing only. Adding anything such as NAT, firewall rules, etc. becomes more complex and would benefit less from whatever fix this is. It's really the same as in Cisco-land, the pps specs they announce are for routing only.

CrazyLittle
Sep 11, 2001





Clapping Larry

falz posted:

Simple is routing only. Adding anything such as NAT, firewall rules, etc. becomes more complex and would benefit less from whatever fix this is. It's really the same as in Cisco-land, the pps specs they announce are for routing only.

Yep. In one interface, out another. Anything in between pushes the packets off into CPU land.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer
I'm heading to the Vegas MUM! (as well as the Ubiquiti AirMax Conference, and the Motorola Canopy stuff going on after Wispapalooza)

I also have a RB1100 and a couple of RB1200s in production in the network now. They appear to be performing well, except that one RB1200 has an unexplained cold-start and all our ROS 5.X devices going nuts on CPU from the Dude.

We are also going to be doing a massive network reconfig shortly where I convert all OSPF non-backbone areas into NSSA areas (we redistribute connected into OSPF instead of making all connected networks be native OSPF networks).

We are also in the midst of changing our Simple Queues to PCQs. We found that with Simple Queues, customers with routers that were constantly attempting DHCP queries (mostly Belkins) would cause packet loss on the router when it tried to apply the Simple Queue rules from the Radius response to the DHCP query.

Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.

CuddleChunks
Sep 18, 2004

yarrmatey posted:

We are also in the midst of changing our Simple Queues to PCQs. We found that with Simple Queues, customers with routers that were constantly attempting DHCP queries (mostly Belkins) would cause packet loss on the router when it tried to apply the Simple Queue rules from the Radius response to the DHCP query.
Woah! That's some seriously weird behavior. What OS are you running? We run PPPoE all over the place and they get a dynamic simple queue injected after hookup but I wonder if this is happening for us. Sadly, we've got a mixed bag of firmwares out there so I don't know if we're seeing this or not. Still, I wouldn't be surprised if it showed up on our network eventually.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer

CuddleChunks posted:

Woah! That's some seriously weird behavior. What OS are you running? We run PPPoE all over the place and they get a dynamic simple queue injected after hookup but I wonder if this is happening for us. Sadly, we've got a mixed bag of firmwares out there so I don't know if we're seeing this or not. Still, I wouldn't be surprised if it showed up on our network eventually.

We've got a mix as well, but the bulk of the routers experiencing this were running 4.14 through 4.17. We've had to go to 5.7 on the PCQ routers because bursting w/PCQ wasn't available until 5.X.

We've had just enough routerboards (mostly 493AHs and 450Gs) lock up on upgrade that we wait for a field tech to be within 15 minutes of a tower before we'll do a remote upgrade, and that has left us with a lot of older images through the network.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

yarrmatey posted:

Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.
I haven't used powerrouter but it's just x86 hardware that has existed for years so it has a chance of being dated. Also look at products from places like Lanner who sell x86 appliances with multiple built in Intel gig interfaces. There's also an Atom box from roc-noc.com that I believe is a rebranded lanner that would probably work as well. Or simply any x86 server with a few NICs. I've heard that a full BGP table on mikrotik requires it as Routerboards are just too slow. I tried to lab up full routes on an rb1100 w/ 1.5gb RAM and the cpu just remains pegged.

Off topic but if you're looking for cheap BGP look at OpenBGPD on OpenBSD as well. I have some in production and have had zero issues. A few are edge and a few are RR's.

falz fucked around with this message at 16:27 on Oct 1, 2011

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

yarrmatey posted:

Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.

Link Techs' PowerRouters? I used to use a 732 in exactly that role. Way too much CPU for the job, but better that than too little. Only got pulled because my boss suddenly decided he wanted something new, and not because of any technical problems with the existing setup.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer

yarrmatey posted:

We've had just enough routerboards (mostly 493AHs and 450Gs) lock up on upgrade that we wait for a field tech to be within 15 minutes of a tower before we'll do a remote upgrade, and that has left us with a lot of older images through the network.

So we may have narrowed down the lockup-on-upgrade problem. If you upgrade from 3.X to 4.X where it subsequently complains about an invalid license key, you hit system->license->update key, and then reboot (whether it is system->reboot, or from the update prompt), it will shutdown instead of restart, requiring a power cycle.

Anyone else experiencing this problem?

CuddleChunks
Sep 18, 2004

Dang, which kind of routerboards do you have? I don't remember seeing this problem and I've done quite a few f/w upgrades from 3.x to 4.x remotely now.

However, I think we upgrade the license key *before* dumping on the new f/w to avoid any problems.

Ginger Beer Belly
Aug 18, 2010



Grimey Drawer
Mostly 493AHs, 433AHs, and 450Gs with the occasional old 532/532A, 333, and 1 or 2 112/113s, Plus the new 1100 and 1200s. The Dude's count is ... 327 RouterOS devices, with only about 3 of them being CPE.

CuddleChunks
Sep 18, 2004

Ah, we're doing this with tons of RB411's. I'm not familiar directly with the models you've mentioned except for the 450G's. What's fun is upgrading an RB112 or RB133C to 4.x. ahahah Not a happy combination.

insularis
Sep 21, 2002

Donated $20. Get well, Lowtax.
Fun Shoe
Maybe a Mikrotik guru would be kind enough to help me out. I just bought one of the Mikrotik RB751 boards with the 1 watt 802.11 a/b/g/n card. My intention was to replace the three dinky access points in our warehouse with one centrally managed one.

The RB751 will be plugged into a pfSense box on an auxiliary port, and bridged to the LAN. I've got this working, and the signal is decent. In case you're curious about the new board, the range is great, but the rate is much lower than I expected at about 24Mb/sec most of the time, with bursting to 90Mb/sec here and there.

Can someone help me out with creating a Virtual AP that will allow guests to use the wifi without having any access to the LAN? My goal is a WPA-protected wifi AP for employees, and an open, Internet-only one for guests.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

insularis posted:

Can someone help me out with creating a Virtual AP that will allow guests to use the wifi without having any access to the LAN? My goal is a WPA-protected wifi AP for employees, and an open, Internet-only one for guests.

I've got something similar in my office. The way I did it, was to create two DHCP pools, one for the encrypted AP, a second one for the "open" AP, then did the firewalling based on the source IP address (i.e. if you're coming from the open AP, you're not allowed to access the office billing system).

insularis
Sep 21, 2002

Donated $20. Get well, Lowtax.
Fun Shoe

Weird Uncle Dave posted:

I've got something similar in my office. The way I did it, was to create two DHCP pools, one for the encrypted AP, a second one for the "open" AP, then did the firewalling based on the source IP address (i.e. if you're coming from the open AP, you're not allowed to access the office billing system).

Thanks, Weird Uncle Dave. I'm feeling confused over the Virtual AP stuff in RouterOS. I understand your technique, but I'm unsure of how to go about that with pfSense as the bridge and sole DHCP server (trying to avoid double-NAT). I don't have any idea how to get pfSense to serve out a particular range for one of Mikrotik's SSIDs and another for the Virtual AP SSID.

Are there any good tutorials on this sort of thing? The Mikrotik wiki hasn't been much help, and I can't find much on the web. Most of what I've found have been unresolved questions on their forums, or people that solve it and don't post what they did.

insularis fucked around with this message at 18:43 on Oct 8, 2011

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
You don't necessarily have to do NAT when using DHCP. Can you route a block of IPs from the pfSense to the Mikrotik box, and let the Mikrotik box act as the DHCP server for wireless clients only? Then you can have the pfSense do the firewalling based on IPs, even though it's not the one assigning them.

Mikrotik's documentation is very good at explaining how to do (most) things, but the fact that you can do so drat many different things with their software means they don't always cover everything. A decent place for discussion is this mailing list; it's quiet, but has a few mad geniuses subscribed (including a guy who literally wrote a book on the software).

CuddleChunks
Sep 18, 2004

I can test this out on Monday but the basic idea is:
- build two vlans on your mikrotik and your pfsense box - Customer, Unsecured
- put your virtual AP's onto the appropriate vlan's
- bridge the customer vlan onto your regular lan
- build a dhcp server specifically for the unsecured vlan

Now the two networks can exist side by side and won't talk to each other directly, though you'll want to make sure they use different ip ranges and you may want to add a specific block rule in your firewall so that they can't talk to the other network.

I'm a little concerned that you're throwing a high power card at your problem. I don't think it's going to give you the coverage patterns you're looking for unless you get very different antennas.

Worse, if you end up getting antennas with a splitter then you may see some really weird behaviors if people in wildly different parts of the warehouse try to link up and haul bulk data.

Covering a large spatial area is tricky and uses different tactics than long-distance connections. I hope this unit will work for you but in the end I think you'll either go back to multiple AP's (lots of 751's perhaps) or will have to rig more antennas so that the signal is properly distributed into the areas you want it. Keep in mind that the client computers have to be loud enough to reach back to your AP - a loud AP does you no good if you are talking to quiet little laptops.

CuddleChunks fucked around with this message at 19:07 on Oct 8, 2011

insularis
Sep 21, 2002

Donated $20. Get well, Lowtax.
Fun Shoe
Thanks, guys, I think this will get me there.

I would normally agree with you on the "loud card" thing. My original plan was to go with Ubiquiti Unifi gear, but for $60, I thought I'd give this a try first.

The warehouse/manufacturing floor is about 12,000 sq/ft (not huge) and fairly wide open. My network room in this particular building is nearly centrally located, and I've been easily able to maintain signal with a Thinkpad T410 with a standard Intel card.

My grumblings about the 751's speeds were from short to medium distance tests (10-80ft, LOS, various connecting equipment). It didn't seem any worse in the far corners of the building as of yet.

Thanks again for the help, I'll post back with my results next week.

pubic void nullo
May 17, 2002


More access points is always better than one gigantic AP. Unless the other two APs were WDS I would stick with three. If they were WDS, then either wire them or start looking at some really good antennas.

E: and you don't need unifi. Just get some Bullets and connect them onto your existing omni antennas (they are N connectors, right? if they are SMA antennas then I would agree that yes, your previous APs were dinky.)

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

insularis posted:

Thanks, Weird Uncle Dave. I'm feeling confused over the Virtual AP stuff in RouterOS. I understand your technique, but I'm unsure of how to go about that with pfSense as the bridge and sole DHCP server (trying to avoid double-NAT). I don't have any idea how to get pfSense to serve out a particular range for one of Mikrotik's SSIDs and another for the Virtual AP SSID.

Are there any good tutorials on this sort of thing? The Mikrotik wiki hasn't been much help, and I can't find much on the web. Most of what I've found have been unresolved questions on their forums, or people that solve it and don't post what they did.


Multiple bridges which bridge a vlan and the virtual AP. Routing does the rest. You serve the DHCP on separate VLANs.

insularis
Sep 21, 2002

Donated $20. Get well, Lowtax.
Fun Shoe

feld posted:

Multiple bridges which bridge a vlan and the virtual AP. Routing does the rest. You serve the DHCP on separate VLANs.

Feeling kind of dumb now ... I got this set up and working in about 20 minutes with a couple of false starts. It was all easier than I thought. VLANs and separate DHCP servers did the trick, and writing the rules was painless. Thanks to everyone for the great information and help.

The RB751 is working better now that I've changed the antenna profiles, physical location, and set the timing to "Indoor" ... getting good solid connections everywhere except for one room at 60Mb+/90Mb+.

Alarbus
Mar 31, 2010
Okay, I'm feeling really stupid, and this is driving me crazy. I bought a 493G, and I'm trying to set it up. I have the cable from the modem connected to ether1. I have my desktop connected to ether2. I'll deal with wireless configuration after I can get the physical LAN working, which hasn't happened yet.

I can get ether1 to get a proper IP address as a DHCP client. I cannot get it set up to serve an IP address to my desktop. Should ether1 or ether2 be the DHCP server? Also, I've been using Winbox, which doesn't matter to me, but why isn't the router found at 192.168.88.1 as a default for webfig?

I understand everything conceptually except for this part. Maybe it's just me, but this is the part that seems to be missing from the "Anypony" guide - which cable is connected where before starting. In the guide, is ether3 the local computer, or the WAN?

Thanks!

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

leave eth1 as-is

setup a bridge. add the rest of the eth ports and the wlan to the bridge

set the dhcp server to serve IPs on the bridge interface


it will now do what you expect.

Alarbus
Mar 31, 2010
In the ether1/ether2 confusion, I had misconfigured the LAN address. In the IP Addresses list, I now have the IP I get from Comcast assigned to ether1, and 192.168.88.1 assigned to ether2 (previously, this was also set to ether1, which clearly didn't work). This then let ether2 properly act as a DHCP server. Once I disabled and re-enabled the LAN connection on the desktop, I had an internal IP address.


Edit: Bridging did the trick! Thanks!

Alarbus fucked around with this message at 23:16 on Oct 16, 2011

CuddleChunks
Sep 18, 2004

One of my coworkers came in today with a RB751U 2HnD that wouldn't boot. He had found some grumblings on the official forums about using a higher powered power supply with the unit as a fix.

His shipped with a 12V power brick. We plugged in a 24V power supply and the unit lit up and resumed normal operation. We switched back to the 12V supply and the board booted normally.

Weird!

I'll let you know if it glitches again since he'll come crying into work looking for a 24V adapter but that might be something to keep on-hand all the time.

Ninja Rope
Oct 22, 2005

Wee.
What are the chances I could load Linux on a device like this and have full support for everything? I assume there wouldn't be any way to offload switched traffic from the CPU, since there's no standard driver/interface for that?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
You can run something like DD-WRT under something Mikrotik calls MetaRouter. Not exactly what you're looking for but close. RouterOS is Linux underneath for what it's worth.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
Is there something you're looking to do, that RouterOS can't do? It's a pretty versatile piece of software.

Anyway, since it's already running Linux, you almost certainly can clear out their software and install your own stuff. Most current Mikrotik hardware is based on MIPS chips (I think that one is big-endian, but I don't have one handy to check).

The_Franz
Aug 8, 2003

Some new details on the RB2011. They will be rolling out a total of seven different models starting in December and ending in February. Apparently they will be "a little above" the 400 series CPU-wise although they still haven't announced any hard specs.

http://www.mikrotik-routeros.com/?p=254

CuddleChunks posted:

One of my coworkers came in today with a RB751U 2HnD that wouldn't boot. He had found some grumblings on the official forums about using a higher powered power supply with the unit as a fix.

A relative of mine had a Linksys WRT54G that had begun its death throes (needed a reboot every other day) so I got her a 751U to replace it. While setting it up I found that if you slave ports 2, 4 and 5 to port 3 as the master the router locks up on a reboot. Any other configuration works fine, but that particular setup causes it to freeze :wtf:.

Aside from that, this thing is awesome. Going from a lovely Linksys WRT54G that saw significant signal loss at 20 feet to a cheaper unit that was still showing a usable signal 1/4 mile down the street is pretty sweet.

The_Franz fucked around with this message at 03:38 on Oct 24, 2011

PapaLazarou
May 11, 2008

Decadent Federation Swine!
I just got a 751U, and was looking towards having two isolated subnets sharing a single internet connection. One would have the ethernet ports and one wireless network. The second would only have a VirtualAP. I'm running into a bit of a mental block thinking about how to set it up.

Edit: I'm thinking I'd create two VLANs on the WAN interface, bridge the interfaces appropriately, assign a dhcp server to each VLAN interface, and set a firewall rule that prevents crossing VLANs. Does this seem correct?

PapaLazarou fucked around with this message at 19:19 on Oct 25, 2011

CuddleChunks
Sep 18, 2004

Setup two separate IP addresses, two IP pools, two dhcp servers and then assign one server to ether1 and the other to wlan1. Write a firewall rule to drop traffic and you're set. You don't need vlans in this case.

ip address add address=192.168.2.1/24 interface=ether2
ip address add address=192.168.3.1/24 interface=wlan1

The rest of the commands I do through winbox but that's the basic idea.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
I've got something similar to that on a workbench in my office - one wireless SSID, and most of the Ethernet ports, in one bridge, and a VirtualAP (with encryption) and the rest of the Ethernet ports in a second bridge, and one lonely Ethernet port for upstream connectivity.

CuddleChunks covered the rest: two separate IP pools (in my case, one on bridge1 and one on bridge2), two DHCP server instances (listening on the bridge1 and bridge2 interfaces), a few firewall rules that drop traffic from IPs in pool1 to pool2 and vice-versa.

One extra thing I did: I put in packet mangle rules that mark traffic coming from each interface, and have two separate src-nat rules, so that traffic coming from one bridge has (to the rest of the world) a different source IP than traffic coming from the other. This way, if you're on the secure VirtualAP, you can connect to the office printer and so on, but not from the other AP. You could also do that with firewall rules, but I already have ACLs elsewhere for that, and this saves me having to duplicate rules in the wireless AP.
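Pulling the answers above together (CuddleChunks' bridge/VLAN steps for insularis, feld's "leave ether1 alone and bridge the rest" advice to Alarbus, and the two-pool/two-DHCP-server answers to PapaLazarou), here is one complete RouterOS configuration as an added example. It is not code from any poster in this thread. It assumes an RB751-style board with ether1 as the WAN port, v5-era command syntax, the interface and pool names shown, the 192.168.2.0/24 and 192.168.3.0/24 ranges, and a placeholder WPA2 key. Unlike the source-IP-based rules described earlier in the thread, it isolates the networks by matching on in-interface, because a guest client can put any source address it likes on a packet; it also closes the router's own input chain to guests except for DHCP and DNS, which none of the answers above covers.

```routeros
# Added example, not from any poster in this thread. Staff wifi + ether2-5 on
# one bridge, a guest virtual AP on a second bridge, one DHCP server each,
# isolation by interface in the firewall. Interface names, addresses and the
# WPA2 key are assumptions.

# WAN: ether1 stays a plain DHCP client, as feld suggested.
/ip dhcp-client add interface=ether1 disabled=no

# Staff SSID on the physical card, WPA2-PSK with AES only.
/interface wireless security-profiles add name=staff mode=dynamic-keys \
    authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm \
    wpa2-pre-shared-key=ChangeMe-StaffKey
/interface wireless set wlan1 mode=ap-bridge ssid=staff security-profile=staff disabled=no

# Guest virtual AP on the same radio. The built-in "default" profile is open.
# default-forwarding=no stops guest clients from reaching each other through the AP.
/interface wireless add name=wlan-guest master-interface=wlan1 mode=ap-bridge \
    ssid=guest security-profile=default default-forwarding=no disabled=no

# Two bridges: LAN (staff wifi + wired ports) and guest (virtual AP only).
/interface bridge add name=bridge-lan
/interface bridge add name=bridge-guest
/interface bridge port add bridge=bridge-lan interface=wlan1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
/interface bridge port add bridge=bridge-lan interface=ether5
/interface bridge port add bridge=bridge-guest interface=wlan-guest

# One address, pool and DHCP server per bridge. No VLANs are needed for this.
/ip address add address=192.168.2.1/24 interface=bridge-lan
/ip address add address=192.168.3.1/24 interface=bridge-guest
/ip pool add name=pool-lan ranges=192.168.2.100-192.168.2.200
/ip pool add name=pool-guest ranges=192.168.3.100-192.168.3.200
/ip dhcp-server add name=dhcp-lan interface=bridge-lan address-pool=pool-lan disabled=no
/ip dhcp-server add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1
/ip dhcp-server network add address=192.168.3.0/24 gateway=192.168.3.1 dns-server=192.168.3.1
/ip dns set allow-remote-requests=yes

# Input chain: traffic to the router itself. LAN gets everything, guests get
# DHCP and DNS only, and nothing from ether1 reaches winbox/ssh/webfig.
/ip firewall filter add chain=input connection-state=established,related action=accept
/ip firewall filter add chain=input connection-state=invalid action=drop
/ip firewall filter add chain=input in-interface=bridge-lan action=accept
/ip firewall filter add chain=input in-interface=bridge-guest protocol=udp dst-port=53,67 action=accept
/ip firewall filter add chain=input in-interface=bridge-guest protocol=tcp dst-port=53 action=accept
/ip firewall filter add chain=input action=drop

# Forward chain: guests may only leave via ether1, the LAN may not initiate
# into the guest network, and nothing unsolicited comes in from the WAN.
/ip firewall filter add chain=forward connection-state=established,related action=accept
/ip firewall filter add chain=forward connection-state=invalid action=drop
/ip firewall filter add chain=forward in-interface=bridge-guest out-interface=!ether1 action=drop
/ip firewall filter add chain=forward in-interface=bridge-lan out-interface=bridge-guest action=drop
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new action=drop

# NAT both networks behind whatever address ether1 obtained.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# Do not advertise the router to guests via neighbor discovery (MNDP/CDP).
/ip neighbor discovery set bridge-guest discover=no
```

Paste this from a terminal session on a client that sits on bridge-lan, and do it in Safe Mode (Ctrl-X in the console) so a mis-ordered input rule cannot lock you out; the final `chain=input action=drop` is the line that bites if you connect through the wrong port. Two things the IP firewall does not cover: MAC-level Winbox and MAC telnet (`/tool mac-server`) answer on any interface they are enabled for, so restrict them to bridge-lan as well, and layer-2 separation depends on the guest bridge containing nothing but the virtual AP. Weird Uncle Dave's separate public source address per network maps onto replacing the single masquerade rule with two `chain=srcnat` rules that match `src-address=192.168.2.0/24` and `src-address=192.168.3.0/24` respectively with `action=src-nat to-addresses=...`, which needs static addresses on ether1 rather than the DHCP client assumed here.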

Ben Murphy
Sep 9, 2001

I like him in spite of the fact that he's not me.
?

Ben Murphy fucked around with this message at 13:39 on Sep 20, 2014

CuddleChunks
Sep 18, 2004

I'm talking to some folks about it to see if any are interested. I'm not going to ask you to hold it, but we're looking around to see if we need another of these units. That's a great price by the way.

Ben Murphy
Sep 9, 2001

I like him in spite of the fact that he's not me.
?

Ben Murphy fucked around with this message at 13:33 on Sep 20, 2014

PapaLazarou
May 11, 2008

Decadent Federation Swine!

CuddleChunks posted:

Setup two separate IP addresses, two IP pools, two dhcp servers and then assign one server to ether1 and the other to wlan1. Write a firewall rule to drop traffic and you're set. You don't need vlans in this case.

ip address add address=192.168.2.1/24 interface=ether2
ip address add address=192.168.3.1/24 interface=wlan1

The rest of the commands I do through winbox but that's the basic idea.

Ah. Thanks. That worked. I don't know why I was having so much trouble thinking of that. I'll blame tiredness. Anyway, doing this has somehow made me the "network guy" at the company (startup), which is fairly frightening. They're temporarily renting two more new rooms for labs at the current space, and ultimately moving to a much larger building that has ports at each cubicle wired to patch panels in the server room.

I'm supposed to figure out how to add these two rooms.

The current equipment is a RB751 that replaced the cheapest home router they could get at Fry's. At the current location, there are 7 rooms, each with a single jack running to a patch panel in the closet. Four of these have permanent workspaces, two are labs and one is a conference room. Since this is pretty decentralized and rather temporary, my plan is to throw cheap Fry's gigabit switches (we already have four hanging around for some reason) in the four rooms with permanent workspaces, and both of the labs. The RB751 will be relocated to the conference room and provide a port for a voip computer. This would all be hooked up to an RB1200, with the ports in a switch group.

Since the new building is more centralized, we'd retire the cheap switches, and get some gigabit rackmounts.

Should I get some rackmounts now (there is a rack in the closet) keep the 751 between it and the outside world, and have everything connected to that? At what point is a managed switch necessary?
