DaCheese
Jul 24, 2007

Bureaucracy has ruined murder.


I seem to be having trouble getting port forwarding to work as well. I tried a few recommendations I have found to no avail. I do not have a static ip so I tried the following:


code:
[admin@Spaceballs: The Router] > ip fire nat export
# jan/02/1970 01:11:35 by RouterOS 5.6

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat disabled=no dst-address-type=local dst-port=8080 protocol=tcp to-addresses=192.168.88.253 to-ports=8080


This is on a RB751U.

Any ideas?

DaCheese fucked around with this message at 03:28 on Dec 30, 2011

CuddleChunks
Sep 18, 2004

You might try:

code:
/ip firewall nat add action=dst-nat chain=dstnat disabled=no \
dst-port=8080 protocol=tcp to-addresses=192.168.88.253 \
to-ports=8080 in-interface=ether1-gateway

The difference is the "in-interface" parameter. Instead of specifying a range of IP's to NAT on, you say, "packets inbound on this interface get checked". See if that starts triggering.

other people
Jun 27, 2004
Associate Christ
I am trying to setup a rule to catch and prioritize my own bit torrent traffic on my home network. It is encrypted traffic, so the regular L7 rules don't seem to see it.

My torrent program has an option to set a "Peer TOS Byte" in each IP header. I also have the same option in Crashplan (a cloud backup service). How do I mark these packets with a mangle rule? I don't see anything under the mangle options that seems to correspond to this field.
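
RouterOS's mangle matchers include `dscp`, which is the upper six bits of the TOS byte, so an application that writes 0xB8 (184) into the "Peer TOS Byte" shows up to the firewall as DSCP 46, and 0x20 (32) as DSCP 8. The following is an added example of matching those bits and queueing on the result; it is not the poster's configuration. The interface names `ether1-gateway` (WAN) and `bridge-local` (LAN) are assumed from the RouterOS default config, and the rates are made up for the example.

```routeros
# Added example: prioritise traffic that the application itself tagged in the IP header.
# DSCP = TOS byte >> 2, so TOS 0xB8 -> DSCP 46 (EF) and TOS 0x20 -> DSCP 8 (CS1).
# Assumed names: ether1-gateway = WAN, bridge-local = LAN (RouterOS default config).

# Only trust tags written by LAN hosts: a remote peer can set any DSCP it likes on
# inbound packets, so in-interface keeps Internet-originated tags from buying priority.
/ip firewall mangle add chain=prerouting in-interface=bridge-local dscp=46 \
    action=mark-packet new-packet-mark=tos_high passthrough=no comment="app-tagged: high"
/ip firewall mangle add chain=prerouting in-interface=bridge-local dscp=8 \
    action=mark-packet new-packet-mark=tos_low passthrough=no comment="app-tagged: low (torrent/backup)"

# Upload queue tree on the WAN interface. The root cap sits below the real upstream
# rate so that the router, not the modem, is where packets queue up.
/queue tree add name=up-root parent=ether1-gateway max-limit=900k
/queue tree add name=up-high parent=up-root packet-mark=tos_high priority=1 limit-at=300k max-limit=900k
/queue tree add name=up-rest parent=up-root packet-mark=no-mark priority=4 limit-at=300k max-limit=900k
/queue tree add name=up-low  parent=up-root packet-mark=tos_low  priority=8 limit-at=100k max-limit=900k

# Confirm the marks are being hit before tuning the rates.
/ip firewall mangle print stats
```

`priority=1` is the highest class and 8 the lowest; `limit-at` is the guaranteed share each class gets when the root is saturated. Check the mangle counters first: if the application is not actually setting the TOS byte, the rules will sit at zero and the per-port approach suggested later in the thread is the fallback.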

DaCheese
Jul 24, 2007

Bureaucracy has ruined murder.


CuddleChunks posted:

You might try:

code:
/ip firewall nat add action=dst-nat chain=dstnat disabled=no \
dst-port=8080 protocol=tcp to-addresses=192.168.88.253 \
to-ports=8080 in-interface=ether1-gateway

The difference is the "in-interface" parameter. Instead of specifying a range of IP's to NAT on, you say, "packets inbound on this interface get checked". See if that starts triggering.

No love. Still not sure what is going on. I have seen at least 3 different answers to this while researching via google but none of them seem to do anything for me. I left the default config and just altered as needed per a guide on the wiki to get wireless working. Is there anything in the default config that could be getting in my way? I also tried a routeros upgrade, which did not solve the issue either.

Edit: also the log in winbox doesn't really show me much. Is there a better place that I can gather info from?

Double edit: Forgive my ignorance, but I am in the process of learning. If I remove the configuration and start from scratch like in the Anypony guide, how do I connect to the router with winbox? Do I just connect via an ethernet cable and put the mac in winbox?

DaCheese fucked around with this message at 23:09 on Dec 30, 2011

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Yes, and it should auto find it by clicking the '...' in winbox. Also the default ip is 192.168.88.1.

The_Franz
Aug 8, 2003

DaCheese posted:

No love. Still not sure what is going on. I have seen at least 3 different answers to this while researching via google but none of them seem to do anything for me. I left the default config and just altered as needed per a guide on the wiki to get wireless working. Is there anything in the default config that could be getting in my way? I also tried a routeros upgrade, which did not solve the issue either.

Edit: also the log in winbox doesn't really show me much. Is there a better place that I can gather info from?

Double edit: Forgive my ignorance, but I am in the process of learning. If I remove the configuration and start from scratch like in the Anypony guide, how do I connect to the router with winbox? Do I just connect via an ethernet cable and put the mac in winbox?

When you test it, are the counters next to the NAT rule increasing? Did you put a rule in your firewall forward chain that allows traffic on port 8080 through?

CuddleChunks
Sep 18, 2004

Kaluza-Klein posted:

I am trying to setup a rule to catch and prioritize my own bit torrent traffic on my home network. It is encrypted traffic, so the regular L7 rules don't seem to see it.

Lock your torrent client to a specific port on your computer. Build your rule to queue traffic that talks to that port and now you can shape it like a mofo.

DaCheese
Jul 24, 2007

Bureaucracy has ruined murder.


The_Franz posted:

When you test it, are the counters next to the NAT rule increasing? Did you put a rule in your firewall forward chain that allows traffic on port 8080 through?

Yes the bytes and packets counters move but not very much. For instance just now it is up to 1000 bytes.

I probably got the filter wrong.
Should it look like this:

code:
/ip firewall filter add chain=forward action=accept protocol=tcp dst-port=8080

Edit: Ok. I have been trying this with minecraft as well, and, oddly enough, I see connection attempts in the server log but then it loses connection. It almost seems like it is just really throttled down somehow? Maybe that isn't the case, but I would think I shouldn't even see the attempts if forwarding wasn't working.

DaCheese fucked around with this message at 02:09 on Dec 31, 2011

FasterThanLight
Mar 26, 2003

DaCheese posted:

Edit: also the log in winbox doesn't really show me much. Is there a better place that I can gather info from?
One thing that I find to be helpful in troubleshooting is stick firewall rules for all chains with action "log" at the end of your list. If legitimate traffic shows up in the logs, you'll know that you need to add a rule to allow it.
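
Putting the pieces of this exchange together (the dst-nat rule, The_Franz's question about the forward chain, and the trailing log rules just suggested), here is an added example of a complete tcp/8080 forward with the checks that show whether each stage is being hit. It is not anyone's configuration from the thread; it assumes the default `ether1-gateway` WAN interface and the LAN host 192.168.88.253 used in the posts.

```routeros
# Added example: forward TCP/8080 from the WAN to a LAN host and make the result observable.
# Assumed: ether1-gateway = WAN interface, 192.168.88.253 = the LAN server (from the thread).

# 1. Translate the destination only for packets that arrive on the WAN interface.
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.253 to-ports=8080 comment="fwd 8080 -> lan server"

# 2. Let the translated packets through the forward chain. place-before=0 puts the rule
#    at the top of the list (numbering as shown by 'print'), so no drop rule further
#    down can shadow it. Matching on the translated LAN address keeps the rule narrow.
/ip firewall filter add chain=forward in-interface=ether1-gateway protocol=tcp \
    dst-address=192.168.88.253 dst-port=8080 action=accept comment="allow fwd 8080" place-before=0

# 3. Log whatever falls off the end of each chain. A log rule does not stop processing,
#    so it only records packets no earlier rule accepted or dropped.
/ip firewall filter add chain=input action=log log-prefix="input-unmatched: "
/ip firewall filter add chain=forward action=log log-prefix="fwd-unmatched: "

# 4. Reproduce the connection from outside, then read the counters and the log.
/ip firewall nat print stats
/ip firewall filter print stats
/log print where message~"unmatched"
```

Reading the result: if the dst-nat counter climbs but the forward accept counter does not, the packet is being translated and then lost between the two chains; if neither moves, the packet never reached the router (upstream device, wrong public address, or the test is coming from inside the LAN, which is a different problem). Remove the log rules once the rule set is settled, since they are noisy and cheap to abuse for filling the log.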

other people
Jun 27, 2004
Associate Christ

CuddleChunks posted:

Lock your torrent client to a specific port on your computer. Build your rule to queue traffic that talks to that port and now you can shape it like a mofo.

Yeah, that is what I ended up doing.

I am having a weird problem with my Roku (netflix streaming device). It connects to the wifi access point which is connected to the RB450G. It works perfectly, but it does not show up in the DHCP leases of the RB450G, which is running the only DHCP server on the network.

Why would this be? It is very confusing! I am trying to have QoS rules so that the Roku devices gets high priority, as well as any Netflix traffic, but it is turning out to be difficult for me, and I think the fact that the RB450G seems unaware of the Roku might be part of the problem.

code:
add action=mark-packet chain=prerouting comment=Roku disabled=no new-packet-mark=priority_roku passthrough=no src-mac-address=00:0D:4B:11:11:11

This catches some traffic, 46 MB in a few days, but it has streamed many movies since then, so it is only catching a small fraction of it.

I would be happy to match it to IP and assign the roku a static lease, but that is kinda hard to do since the RB450G doesn't seem to think the current lease exists in the first place!


Then there is the issue of Netflix streaming in a browser from most any computer in the house. I haven't found a layer 7 protocol for netflix. Googling has only found people with huge lists of IP addresses of netflix servers that they build rules off of. Maybe this is the only way?

CuddleChunks
Sep 18, 2004

Kaluza-Klein posted:

I am having a weird problem with my Roku (netflix streaming device). It connects to the wifi access point which is connected to the RB450G. It works perfectly, but it does not show up in the DHCP leases of the RB450G, which is running the only DHCP server on the network.
Are you sure it's set for DHCP? Also, you're not seeing it in winbox under IP -> DHCP-Server -> Leases?

If you check IP -> ARP does its MAC show up in there?


Kaluza-Klein posted:

Then there is the issue of Netflix streaming in a browser from most any computer in the house. I haven't found a layer 7 protocol for netflix. Googling has only found people with huge lists of IP addresses of netflix servers that they build rules off of. Maybe this is the only way?
I'm pretty sure Netflix uses port 80 for its streaming so you have to clamp the bigass list of servers rather than a specific protocol port. Fortunately you can make Address Lists full of those servers, give them a common name and then refer to those in your firewall rules. Yes, it's still a pain in the rear end but I often build out a big rule in Notepad, get it all together and then cut and paste into the terminal so that I can leverage the command-line.

Need to build 150 queue rules for some apartment complex? No harder than going through and updating a list in notepad (or Excel if some of the fields can auto-increment) and then pasting the command into the terminal window. Vroom!

other people
Jun 27, 2004
Associate Christ

CuddleChunks posted:

Are you sure it's set for DHCP? Also, you're not seeing it in winbox under IP -> DHCP-Server -> Leases?

If you check IP -> ARP does its MAC show up in there?

I'm pretty sure Netflix uses port 80 for its streaming so you have to clamp the bigass list of servers rather than a specific protocol port. Fortunately you can make Address Lists full of those servers, give them a common name and then refer to those in your firewall rules. Yes, it's still a pain in the rear end but I often build out a big rule in Notepad, get it all together and then cut and paste into the terminal so that I can leverage the command-line.

Need to build 150 queue rules for some apartment complex? No harder than going through and updating a list in notepad (or Excel if some of the fields can auto-increment) and then pasting the command into the terminal window. Vroom!

It does appear in the ARP table, but still not in the list of DHCP leases.

It didn't even occur to me that the Roku might be set to use a static IP address. I certainly don't remember telling it to do that. . .

So I checked the Roku settings, which are very limited, and there is certainly no option for static IP addresses. I redid its little "guided network setup" and now it has a new address and appears in the list of leases and arp table!

Whatever! Fixed!

What is not fixed, however, is my mangle rule! It still isn't seeing the vast majority of the traffic the roku is creating.

other people fucked around with this message at 04:38 on Jan 3, 2012
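
A `src-mac-address` match only sees frames the Roku itself transmits, and a video stream is almost entirely packets flowing towards the Roku, which explains why the mark above counted a few dozen megabytes over several movies. The usual RouterOS pattern is to mark the connection on the device's outbound packets and then mark every packet of that connection in both directions. The block below is an added example, not the poster's configuration, and it also shows the address-list approach CuddleChunks described for Netflix. The MAC address is the one from the post; the Netflix ranges are constructed placeholders in documentation address space, not real Netflix servers.

```routeros
# Added example (not the poster's config): mark all of one device's traffic in both
# directions, and mark traffic to a whole address list.

# Step 1: the first packet *from* the Roku tags the connection. src-mac-address only
# matches frames the device sends, which is why a plain src-mac packet mark misses downloads.
/ip firewall mangle add chain=prerouting src-mac-address=00:0D:4B:11:11:11 connection-mark=no-mark \
    action=mark-connection new-connection-mark=roku_conn passthrough=yes comment="Roku: tag flows"

# Step 2: every packet of a tagged connection, inbound video included, gets the packet mark.
/ip firewall mangle add chain=prerouting connection-mark=roku_conn \
    action=mark-packet new-packet-mark=priority_roku passthrough=no comment="Roku: mark packets"

# Netflix from browsers: there is no port to match, so match the destination list instead.
# Addresses are constructed placeholders (RFC 5737 ranges); replace with the real list.
/ip firewall address-list add list=netflix address=203.0.113.0/24 comment="placeholder range"
/ip firewall address-list add list=netflix address=198.51.100.0/24 comment="placeholder range"

/ip firewall mangle add chain=prerouting dst-address-list=netflix connection-mark=no-mark \
    action=mark-connection new-connection-mark=netflix_conn passthrough=yes comment="Netflix: tag flows"
/ip firewall mangle add chain=prerouting connection-mark=netflix_conn \
    action=mark-packet new-packet-mark=priority_netflix passthrough=no comment="Netflix: mark packets"

# Both marks can now feed queue tree or simple queue entries; check that bytes are
# counted in both directions before building the queues.
/ip firewall mangle print stats
```

Because the connection mark is kept in the connection-tracking entry, the second rule matches the reply packets coming in from the WAN even though their source is a Netflix server and their destination the Roku, which a `src-mac-address` rule can never match. The same two-rule pattern works for any device or destination list.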

DaCheese
Jul 24, 2007

Bureaucracy has ruined murder.


Ok, this is funny.
I was forwarding an A record on my domain to my current IP at home and trying to hit the machine that port 8080 is forwarded to. When I went to the domain:8080 from my home network, it never worked. Just got back to working with this since I have been fighting some hardware issues on another machine this week and thought to test it from a remote shell and it works. Inside my network I have to use the local IP.

CuddleChunks
Sep 18, 2004

DaCheese posted:

I was forwarding an A record on my domain to my current IP at home and trying to hit the machine that port 8080 is forwarded to. When I went to the domain:8080 from my home network, it never worked. Just got back to working with this since I have been fighting some hardware issues on another machine this week and thought to test it from a remote shell and it works. Inside my network I have to use the local IP.

This is normal. Your pc does an nslookup for the domain, the A record points to your external IP address, the request gets handed off and tends to die because that loopback behavior isn't well supported. There are a couple ways around this:

- Edit the HOSTS file on your local computer and enter the domain name in there with its LAN IP address. This is probably the cleanest way since your HOSTS file should be read before DNS lookups.

- Go to IP -> DHCP-Server -> Networks in Winbox. Double-click on your network and then enter a domain name for your LAN under DNS Domain (or just "domain" from the CLI). When computers register with the dhcp server they should inject themselves into a little table so that you can go to: localcomputername.mylan.lan and have results come back.

That's a little fussier than editing the hosts file because your test queries won't go to myinternetdomainname.com but they should show up on the same machine all the same.

There is likely a third way to do this and that's to look for packets that are trying to do this loopback behavior and then redirecting them via the NAT engine. I don't have a good feel for how you'd write the rule but it should be possible.

DaCheese
Jul 24, 2007

Bureaucracy has ruined murder.


CuddleChunks posted:

This is normal. Your pc does an nslookup for the domain, the A record points to your external IP address, the request gets handed off and tends to die because that loopback behavior isn't well supported. There are a couple ways around this:

- Edit the HOSTS file on your local computer and enter the domain name in there with its LAN IP address. This is probably the cleanest way since your HOSTS file should be read before DNS lookups.

- Go to IP -> DHCP-Server -> Networks in Winbox. Double-click on your network and then enter a domain name for your LAN under DNS Domain (or just "domain" from the CLI). When computers register with the dhcp server they should inject themselves into a little table so that you can go to: localcomputername.mylan.lan and have results come back.

That's a little fussier than editing the hosts file because your test queries won't go to myinternetdomainname.com but they should show up on the same machine all the same.

There is likely a third way to do this and that's to look for packets that are trying to do this loopback behavior and then redirecting them via the NAT engine. I don't have a good feel for how you'd write the rule but it should be possible.


Thanks! That makes a lot of sense. The only real reason I was doing this was trying to test it by going out to the internet and coming back in from outside, but I can just be a little less lazy in the future.

Edit: I just bothered to think about this for a second and I see now why it is silly.

DaCheese fucked around with this message at 02:52 on Jan 6, 2012

NOTinuyasha
Oct 17, 2006

 
The Great Twist
code:
/ip dns static add name=yourwebsite.com address=192.168.what.ever
Assuming you use RouterOS as a local DNS server.

I don't really understand MikroTik's whole issue with loopback.

CrazyLittle
Sep 11, 2001

Clapping Larry

NOTinuyasha posted:

code:
/ip dns static add name=yourwebsite.com address=192.168.what.ever
Assuming you use RouterOS as a local DNS server.

I don't really understand MikroTik's whole issue with loopback.

They call it "hairpin nat"
http://wiki.mikrotik.com/wiki/Hairpin_NAT
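
As an added example (not from anyone in the thread or from the wiki page linked above), here is the "third way" CuddleChunks guessed at, written out for the tcp/8080 forward discussed earlier, followed by NOTinuyasha's DNS alternative. It assumes `ether1-gateway` is the WAN, `bridge-local` the LAN bridge, 192.168.88.0/24 the LAN and 192.168.88.253 the server; `www.example.com` stands in for the poster's domain.

```routeros
# Added example: hairpin NAT so LAN clients can reach a forwarded port via the public address.
# Assumed: ether1-gateway = WAN, bridge-local = LAN, 192.168.88.253 = the forwarded server.

# dst-nat for connections from the Internet (as in the earlier posts).
/ip firewall nat add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.253 to-ports=8080 comment="8080 from WAN"

# dst-nat for LAN clients aiming at the public address. dst-address-type=local matches any
# address the router owns, so it keeps working when the dynamic WAN address changes.
/ip firewall nat add chain=dstnat in-interface=bridge-local dst-address-type=local protocol=tcp \
    dst-port=8080 action=dst-nat to-addresses=192.168.88.253 to-ports=8080 comment="8080 from LAN (hairpin)"

# Why the dst-nat alone fails from inside: the server sees the client's real LAN address and
# answers it directly, and the client drops a reply that did not come from the public address
# it connected to. Masquerading the LAN client forces the reply back through the router, which
# reverses both translations.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.253 \
    protocol=tcp dst-port=8080 action=masquerade comment="hairpin: reply must return via router"

# Alternative with no NAT tricks, if the LAN hosts use the router as their resolver
# (/ip dns allow-remote-requests=yes): answer the public name with the LAN address.
/ip dns static add name=www.example.com address=192.168.88.253
```

The cost of the masquerade rule is that the server's logs show every LAN client as the router's address, which is the reason to keep that rule narrowed to the one destination and port rather than a blanket LAN-to-LAN masquerade. The static DNS entry avoids that but only helps clients that actually ask the router for the name.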

CuddleChunks
Sep 18, 2004

Thank you for finding that. Hahah I dug around for a while but couldn't remember the term used. Then it turns out, it wasn't one I'd tried searching for. Go go Mikrotik.

R1CH
Apr 7, 2002

The Ron Jeremy of the coding world
Anyone else having problems with the DNS server on MT units? Any DNS name with a low TTL seems to randomly not resolve, it's super annoying. This most often happens with Amazon S3 and thus affects all kinds of websites. Happens across the LAN so it's not related to a single PC, it seems to return a NXDOMAIN (instead of a SERVFAIL) which my Windows PC happily caches until I flushdns, at which point it usually starts working again.

One day I'll get a packet capture, but it's so random when it happens it's impossible to predict.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

R1CH posted:

Anyone else having problems with the DNS server on MT units? Any DNS name with a low TTL seems to randomly not resolve, it's super annoying. This most often happens with Amazon S3 and thus affects all kinds of websites. Happens across the LAN so it's not related to a single PC, it seems to return a NXDOMAIN (instead of a SERVFAIL) which my Windows PC happily caches until I flushdns, at which point it usually starts working again.

One day I'll get a packet capture, but it's so random when it happens it's impossible to predict.

YES YES YES YES YES 100% exactly -- Amazon and all


And now that I know someone else has experienced this we can properly blame the Mikrotik and work around it on a future re-deployment at this customer's location. Thank you!

Remit
Nov 9, 2007

feld posted:

YES YES YES YES YES 100% exactly -- Amazon and all


And now that I know someone else has experienced this we can properly blame the Mikrotik and work around it on a future re-deployment at this customer's location. Thank you!

SECONDING THIS! I have been trying to track down this problem for 2 weeks after one of my customers reported it!

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
I just created this thread on Mikrotik's forum for this. Please all pile on so they realize it's an issue. It's likely that they will want a support case opened as well, I don't have a current customer with this issue so I don't have the required details to open one at the moment.

Weiz
Dec 12, 2003
Fishman is not just an understanding financial organisation.
Yeah seriously, jump all over it. Their default action is deny that a problem exists so anyone that is having this problem make a supout file and email support and keep crossposting to here/there.

Weiz fucked around with this message at 23:18 on Jan 9, 2012

mindphlux
Jan 8, 2004

by R. Guyovich
so

if I wanted a cheap routing device that could bridge multiple networks via vpn/pptp connections, would mikrotik be what I'm looking for?

edit : I mean that can act as a client for multiple vpns or whatever. I feel like I'm being confusing in my wording. I'm probably not. I'm going to stop typing.

mindphlux fucked around with this message at 17:57 on Jan 10, 2012

CuddleChunks
Sep 18, 2004

VPN setup is a little fiddly from what I remember but not too terrible. How much bandwidth do you want to push through the tunnels? These units don't have VPN accelerator hardware which keeps them cheap but if you are looking for gigabit throughput then you should look elsewhere.

mindphlux
Jan 8, 2004

by R. Guyovich

CuddleChunks posted:

VPN setup is a little fiddly from what I remember but not too terrible. How much bandwidth do you want to push through the tunnels? These units don't have VPN accelerator hardware which keeps them cheap but if you are looking for gigabit throughput then you should look elsewhere.

Not too much. I have a couple clients I do work for where I have to mess with couple hundred meg files, but honestly their office only has a T-1, so that's pretty much the limiting factor there.

I mainly want to use it to monitor devices on networks and do simple SMB sharing for small documents and stuff. I have about 12 clients in total, so it'd be cool to be able to set up like I dunno, thedude or something to just get an overall picture of what's going on with every site.

right now I'm using a "cloud based" "remote monitoring and management" software from GFI to keep track of devices, but I have to pay per device and I'm not really happy with how it handles things, so was thinking about just setting up a bunch of VPNS and doing it all myself.

CrazyLittle
Sep 11, 2001

Clapping Larry

CuddleChunks posted:

VPN setup is a little fiddly from what I remember but not too terrible. How much bandwidth do you want to push through the tunnels? These units don't have VPN accelerator hardware which keeps them cheap but if you are looking for gigabit throughput then you should look elsewhere.

Though also keep in mind that pptp isn't encrypted, so it should be significantly less overhead on mikrotik than L2TP or IPSEC would be.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Mikrotik would give you just about any VPN option you want that follows a standard.

Site to site you can do encrypted GRE or IPIP so you can use routing protocols, PPTP for site to site (which seems silly to me), L2TP, IPSec and wacky layer2 stuff like EOIP. Client VPNs can use PPTP, OpenvPN, and I think something else.

It is quite nice to be able to run The Dude directly on the router to monitor the inside of a customer's site. If you have SNMP enabled on your devices (servers, switches, routers, printers, etc) you can draw a network map that has a near real time graph of throughput between devices. It can also do basic checks on services like HTTP, DNS and alert if needed. All running on a $60+ router.

NOTinuyasha
Oct 17, 2006

 
The Great Twist

mindphlux posted:

so

if I wanted a cheap routing device that could bridge multiple networks via vpn/pptp connections, would mikrotik be what I'm looking for?

edit : I mean that can act as a client for multiple vpns or whatever. I feel like I'm being confusing in my wording. I'm probably not. I'm going to stop typing.

If you're looking for some sort of point-to-point bridge between routers you might want to consider EoIP, that's much cleaner.

OpenVPN TAP adapters are the coolest way to manage any client/server VPN (and that sounds more in-line with what you want), but MikroTik's implementation is total crap.

All of that requires setup from the ground-up and a very specific set of requirements, it's probably not what you're looking for.

CuddleChunks
Sep 18, 2004

You may want an RB450G to have plenty of processing power to handle all these tunnels but hell, since you're moving a few hundred kbps or so over each of the tunnels it wouldn't surprise me in the least if a cheapass RB750G worked just fine for this scenario.

Thanks for the explanation, it makes a lot more sense what you are doing.

EoIP tunnels are pretty crazy but also cool as heck. Establishing those between sites would be awesome if you were deploying mikrotiks at all the remote locations. If you already have an infrastructure that speaks IPSEC then creating static tunnels makes more sense.

I honestly don't have a good feel for how powerful these machines are in the application you've described. It's the bomb for my home network and we use them all over the place in various forms. The RB450G's have a ton more memory and better throughput ratings compared to the 750's.

Thoom
Jan 12, 2004

LUIGI SMASH!
Suppose I wanted the following setup (RB1000):

ether1 is hooked up to my gigabit fiber line
ether2 is hooked up to my local subnet
ether3 is hooked up to my 640k DSL line, which has 12 static IP addresses with access to all sorts of useful scientific and medical journals

2 VPNs. One that I can connect to from the outside world to access the local subnet.

One that I can connect to from either the inside or outside to connect to the outside via the DSL line (to access said useful scientific and medical journals).

My operating theory is that I want these VPNs to be L2TP over IPSec, but I have no idea how much work that entails and have heard some scary words like "SSL certificate" associated with IPSec.

Can someone point me in the right general direction, please?
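
On the "SSL certificate" worry: certificates are one of the ways IPsec peers can authenticate, not a requirement. L2TP/IPsec with a pre-shared key, which is what the built-in Windows, Mac and phone clients expect, needs no certificate at all. The following is an added example of the first of the two VPNs asked for (remote access into the local subnet), written for RouterOS 5; it is not Thoom's configuration. It assumes `ether1-gateway` is the WAN, 192.168.88.0/24 the LAN, and hands VPN clients addresses from 192.168.89.x; the key and password are placeholders to replace. Steering VPN clients out the DSL line is a separate routing exercise and is not shown.

```routeros
# Added example: remote-access L2TP/IPsec server using a pre-shared key (no certificates).
# Assumed: ether1-gateway = WAN, LAN = 192.168.88.0/24, VPN client pool = 192.168.89.10-50.
# REPLACE the PSK and the user password before use.

# Addresses and PPP settings handed to dial-in clients.
/ip pool add name=vpn-pool ranges=192.168.89.10-192.168.89.50
/ppp profile add name=vpn-profile local-address=192.168.89.1 remote-address=vpn-pool \
    use-encryption=yes dns-server=192.168.88.1
/ppp secret add name=alice password="REPLACE-WITH-STRONG-PASSWORD" service=l2tp profile=vpn-profile

# The L2TP server; MS-CHAPv2 is what the stock OS clients offer.
/interface l2tp-server server set enabled=yes default-profile=vpn-profile authentication=mschap2

# IPsec: accept any client address, authenticate with the PSK, and let the router create the
# transport-mode policy for each client as it connects. nat-traversal keeps clients behind
# other NAT routers working (they will arrive on UDP 4500 instead of ESP).
/ip ipsec peer add address=0.0.0.0/0 auth-method=pre-shared-key \
    secret="REPLACE-WITH-LONG-RANDOM-PSK" generate-policy=yes nat-traversal=yes

# Firewall: the VPN protocols must reach the router itself (input chain) and the clients
# must be allowed into the LAN (forward chain). Place these above any drop rules in those
# chains. UDP 1701 is the bare L2TP port; with IPsec in front of it, the real L2TP
# packets arrive encapsulated, so ideally 1701 is only accepted from IPsec-protected traffic.
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=udp dst-port=500,4500,1701 \
    action=accept comment="L2TP/IPsec"
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=ipsec-esp \
    action=accept comment="IPsec ESP"
/ip firewall filter add chain=forward src-address=192.168.89.0/24 dst-address=192.168.88.0/24 \
    action=accept comment="VPN clients -> LAN"

# While testing, watch the phases establish in order: IKE, then IPsec SA, then the PPP session.
/ip ipsec remote-peers print
/ip ipsec installed-sa print
/ppp active print
```

Treat the PSK as a shared secret for every client rather than a per-user credential; the per-user part is the PPP secret, so a departing user is removed with `/ppp secret remove` and the PSK only needs rotating if it leaks. Keep the pool outside the LAN range so the forward rule, and any later per-client rules, can tell VPN traffic from local traffic by address.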

Gism0
Mar 20, 2003

huuuh?
Just bought an RB450G, since my local ADSL exchange is being demolished to build a children's hospital so I'm 'forced' in to getting upgraded to fibre. In preparation for this my ISP sent me the cheapest netgear router, it doesn't even have gigabit ethernet ports.

Looking forward to playing with Mikrotik!

Ninja Rope
Oct 22, 2005

Wee.
Not that this is specific to MikroTik (it's 100% true with Cisco and everyone else too), but just because a device has gigabit ethernet ports doesn't mean it can handle that fast of an internet connection. Depending on the configuration it can switch internal traffic at 1gbps in each direction per port, but only relatively expensive gear can handle a gigabit internet connection (routing, NAT, ACLs, etc) at full speed.

FasterThanLight
Mar 26, 2003

CuddleChunks posted:

VPN setup is a little fiddly from what I remember but not too terrible. How much bandwidth do you want to push through the tunnels? These units don't have VPN accelerator hardware which keeps them cheap but if you are looking for gigabit throughput then you should look elsewhere.
RB1200 (and I think one of the RB1100 variants) does support certain types of hardware encryption now. It won't do a gigabit encrypted or anything, but supposedly can handle several hundred megabits.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Ninja Rope posted:

Not that this is specific to MikroTik (it's 100% true with Cisco and everyone else too), but just because a device has gigabit ethernet ports doesn't mean it can handle that fast of an internet connection. Depending on the configuration it can switch internal traffic at 1gbps in each direction per port, but only relatively expensive gear can handle a gigabit internet connection (routing, NAT, ACLs, etc) at full speed.

Even the cheapest gig switches these days should be able to do 1+Gbit/s on its switching fabric. *Routing* gigabit is a different monster though.

Gism0
Mar 20, 2003

huuuh?
What I was getting at is the service is 100mbit (which is more like 110mbit apparently) and that was an obvious bottleneck!

I've been playing with my RB450g this morning and I'm all set up!

Anyone got a decent set of rules for QOS in a home environment? I really just need priority for HTTP, skype and XBox live but a nice thorough set of rules would be nice.

Weiz
Dec 12, 2003
Fishman is not just an understanding financial organisation.

Gism0 posted:

Anyone got a decent set of rules for QOS in a home environment? I really just need priority for HTTP, skype and XBox live but a nice thorough set of rules would be nice.
No examples, but Queue trees with PCQ is probably what you want to read about.
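
Since no example was given, here is an added one, not Weiz's or Gism0's configuration, of the queue tree plus PCQ arrangement for a home link. It assumes the RouterOS default names `ether1-gateway` (WAN) and `bridge-local` (LAN) and a made-up 100M down / 10M up line; the rates are deliberately set a little below the real link speed. Xbox Live's UDP port 3074 is used to show how one class gets ahead of the fair share.

```routeros
# Added example: fair-share home QoS with PCQ and one priority class. Not from the thread.
# Assumed: ether1-gateway = WAN, bridge-local = LAN, link ~100M down / 10M up (constructed).

# PCQ opens one sub-queue per host (classifier = the LAN host's address). pcq-rate=0 means
# the parent's bandwidth is split evenly, so a single big download cannot starve the others.
/queue type add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
/queue type add name=pcq-up   kind=pcq pcq-classifier=src-address pcq-rate=0

# Download tree hangs off the LAN interface (packets leaving towards the hosts); the root cap
# is just under the line rate so the queue forms here, where it can be shaped, not at the ISP.
/queue tree add name=down-root parent=bridge-local max-limit=95M
/queue tree add name=down-all  parent=down-root packet-mark=no-mark queue=pcq-down priority=4 max-limit=95M

# Upload tree hangs off the WAN interface.
/queue tree add name=up-root parent=ether1-gateway max-limit=9M
/queue tree add name=up-all  parent=up-root packet-mark=no-mark queue=pcq-up priority=4 max-limit=9M

# One interactive class ahead of the fair share: mark game packets in both directions
# (outbound by destination port, inbound by source port) and give the mark a higher-priority
# child with a guaranteed slice (limit-at).
/ip firewall mangle add chain=prerouting protocol=udp dst-port=3074 action=mark-packet \
    new-packet-mark=game passthrough=no comment="Xbox Live out"
/ip firewall mangle add chain=prerouting protocol=udp src-port=3074 action=mark-packet \
    new-packet-mark=game passthrough=no comment="Xbox Live in"
/queue tree add name=down-game parent=down-root packet-mark=game priority=1 limit-at=5M max-limit=95M
/queue tree add name=up-game   parent=up-root   packet-mark=game priority=1 limit-at=1M max-limit=9M

# Watch the queues fill under load; a tree that never shows queued packets is capped too high.
/queue tree print stats
```

The two numbers that matter most are the root `max-limit` values: if they sit above what the line really delivers, the queue builds in the modem instead and the priorities have nothing to act on. Further classes (HTTP, voice) are added the same way, one mangle mark and one child per class, with `priority` ordering them and `limit-at` guaranteeing each a floor.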

NOTinuyasha
Oct 17, 2006

 
The Great Twist
The RB751G is now available - same as the RB751U, but with gigabit ethernet.

http://routerboard.com/RB751G-2HnD

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

NOTinuyasha posted:

The RB751G is now available - same as the RB751U, but with gigabit ethernet.

http://routerboard.com/RB751G-2HnD

STOP TELLING PEOPLE I WANT TO GET MY ORDER IN FIRST :black101:

DrCold
Nov 4, 2002
I just picked up a RB750GL the other day. The setup wasn't as bad as I had feared. Granted, I have a very simple network config. Just your typical, ~15 device household. Overall I'm very happy with the 750GL and it's nice to finally be able to shut off the over built Pfsense box I was using.

Newbie question time. The router came pre-configured with ether1 as WAN and the rest of the ports slaved off of ether2. The only change I made was to enable some graphs and upnp. Are there any other things I should be configuring on a fresh 750? Clicking through webfig and winbox nothing else really jumped out at me as 'required' for my simple network requirements. My primary reason for going with the router board was to get a device that can handle our 100/5 internet speed which will be moving to 250/15 later this year. I found that the WNDR3700 couldn't keep up with the load we were putting on it. So far the 750GL has been rock solid and barely ever peaks 30% cpu usage. One day I'll start looking at QoS, but it hasn't been an issue in the past.

Overall I couldn't be happier with the RB750GL and now it's time to start looking at wireless APs.
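
One thing the default config does not do for you is lock down management access, which is worth a few minutes on any freshly unboxed unit. The block below is an added example, not DrCold's configuration; it assumes the layout described in the post (ether1 as WAN, the LAN ports slaved to `ether2-master-local`, LAN 192.168.88.0/24) and uses a placeholder password.

```routeros
# Added example: tighten management access on a fresh RouterOS 5 router. Not the poster's config.
# Assumed: ether1 = WAN, ether2-master-local = LAN master port, LAN = 192.168.88.0/24.

# The factory admin user has an empty password.
/user set admin password="REPLACE-WITH-STRONG-PASSWORD"

# Keep only the management services you use, and answer them only from the LAN.
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set api disabled=yes
/ip service set www address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set winbox address=192.168.88.0/24

# MAC-level access (the "..." button in Winbox, MAC telnet) is convenient on the LAN but
# has no business being offered on the WAN port; replace the catch-all entry with one
# bound to the LAN side. Same for neighbour discovery, which advertises the router.
/tool mac-server set [find] disabled=yes
/tool mac-server add interface=ether2-master-local disabled=no
/tool mac-server mac-winbox set [find] disabled=yes
/tool mac-server mac-winbox add interface=ether2-master-local disabled=no
/ip neighbor discovery set ether1 discover=no

# Confirm what is still listening and from where.
/ip service print
```

After this the WAN port offers nothing to the outside except what the firewall's input chain explicitly accepts, and the remaining services only answer LAN addresses. Re-enable a service deliberately when a need appears rather than leaving the factory set open.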
