other people
Jun 27, 2004
Associate Christ

falz posted:

'/export compact' is a lot easier to read

Oh. Easier still, if you are not being a moron. I hadn't set up a /30 (or any) network for the link between the two routers. I am a bit rusty. I also had to take the linked ports out of the switch bridge, etc.

For comedy's sake, I set up RIP! (BGP seemed a little extreme.)

http://sprunge.us/GeCH

Is /export compact a new command? The 751G has 5.11 and it doesn't recognize it.


other people
Jun 27, 2004
Associate Christ
This is frustrating.

I have 10.20.30.0/24 and 10.20.40.0/24, connected by 192.168.0.0/30.

From the 10.20.30.0 router I can ping any host on the other two networks, and the same is true from the 10.20.40.0 router. All hosts can reach the default gateway (i.e. surf the internets).

I cannot, however, ping from a host on the 10.20.30.0 network to the 10.20.40.0 or vice versa.

Can someone enlighten me as to what is going on here?

code:

10.20.30.0 router:
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          108.70.X.X              0
 1 ADC  10.20.30.0/24      10.20.30.1      default-bridge            0
 2 ADr  10.20.40.0/24                      192.168.0.2             120
 3 ADC  108.70.X.X/22      108.70.X.X      ether1-wan                0
 4 ADC  192.168.0.0/30     192.168.0.1     ether5-local              0

10.20.40.0 router:
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADr  0.0.0.0/0                          192.168.0.1             120
 1 ADr  10.20.30.0/24                      192.168.0.1             120
 2 ADC  10.20.40.0/24      10.20.40.1      default-bridge            0
 3 ADC  192.168.0.0/30     192.168.0.2     ether1-gateway            0
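To see what the two tables above actually say, here is an added Python model (not from the post): it parses the two route listings, does RouterOS-style longest-prefix lookups and walks a packet router by router in each direction. The router address sets are taken from the PREF-SRC columns; the masked 108.70.X.X entries are left as they appear on the page. It confirms that both tables carry a route for the other LAN, so missing routes are not what blocks the pings.

```python
import ipaddress

# Route tables copied from the two `/ip route print` listings in the post.
# The WAN prefix is masked as 108.70.X.X on the page; those entries are kept
# verbatim and the parser skips any destination it cannot parse.
ROUTER_30 = """\
 0 ADS  0.0.0.0/0                          108.70.X.X              0
 1 ADC  10.20.30.0/24      10.20.30.1      default-bridge            0
 2 ADr  10.20.40.0/24                      192.168.0.2             120
 3 ADC  108.70.X.X/22      108.70.X.X      ether1-wan                0
 4 ADC  192.168.0.0/30     192.168.0.1     ether5-local              0
"""
ROUTER_40 = """\
 0 ADr  0.0.0.0/0                          192.168.0.1             120
 1 ADr  10.20.30.0/24                      192.168.0.1             120
 2 ADC  10.20.40.0/24      10.20.40.1      default-bridge            0
 3 ADC  192.168.0.0/30     192.168.0.2     ether1-gateway            0
"""

def parse_routes(text):
    """[(network, gateway, distance)] for each active route.  Columns are
    #, flags, dst, [pref-src], gateway, distance; PREF-SRC is blank on
    non-connected routes, so gateway is always the second-to-last field."""
    routes = []
    for line in text.splitlines():
        f = line.split()
        if len(f) < 5 or "X" in f[1]:      # short line or disabled route
            continue
        try:
            net = ipaddress.ip_network(f[2])
        except ValueError:                  # masked 108.70.X.X/22 entry
            continue
        routes.append((net, f[-2], int(f[-1])))
    return routes

def lookup(routes, dst):
    """Longest-prefix match, ties broken by lowest distance."""
    dst = ipaddress.ip_address(dst)
    best = None
    for net, gw, dist in routes:
        if dst in net and (best is None or
                           (net.prefixlen, -dist) > (best[0].prefixlen, -best[2])):
            best = (net, gw, dist)
    return best

# Each router's own addresses (PREF-SRC of its connected routes) tell us
# which router a next-hop IP belongs to.
ROUTERS = {
    "10.20.30.0 router": (parse_routes(ROUTER_30), {"10.20.30.1", "192.168.0.1"}),
    "10.20.40.0 router": (parse_routes(ROUTER_40), {"10.20.40.1", "192.168.0.2"}),
}

def router_for(host):
    """The router holding a connected (interface-gateway) route for host."""
    for name, (routes, _) in ROUTERS.items():
        r = lookup(routes, host)
        if r and r[1].count(".") != 3:       # gateway is an interface name
            return name
    return None

def trace(start, dst, max_hops=8):
    """Follow the forwarding decision router by router.  The hop list ends
    with 'delivered on <iface>' for a connected destination, 'exit via <gw>'
    when the next hop is not one of our two routers, or 'no route'."""
    hops, here = [], start
    for _ in range(max_hops):
        r = lookup(ROUTERS[here][0], dst)
        if r is None:
            return hops + ["no route"]
        net, gw, _ = r
        hops.append(f"{here}: {net} via {gw}")
        if gw.count(".") != 3:               # interface name: directly connected
            return hops + [f"delivered on {gw}"]
        owner = next((n for n, (_, a) in ROUTERS.items() if gw in a), None)
        if owner is None:                    # e.g. the masked ISP gateway
            return hops + [f"exit via {gw}"]
        here = owner
    return hops + ["loop?"]

def both_ways(host_a, host_b):
    """True when each host's router has a complete path to the other host,
    i.e. the routing tables are not the reason pings fail."""
    fwd = trace(router_for(host_a), host_b)
    rev = trace(router_for(host_b), host_a)
    return fwd[-1].startswith("delivered") and rev[-1].startswith("delivered")
```

With routing ruled out, the remaining suspects are the things the tables cannot show: the NAT/masquerade and filter rules on each router, and the firewall on the target host (the later `!H` from 10.20.30.3 points at the latter).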

Viktor
Nov 12, 2005

Kaluza-Klein posted:


Is /export compact a new command? The 751G has 5.11 and it doesn't recognize it.

It's introduced in 5.12

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Aren't each of your 10.x networks behind NAT?

other people
Jun 27, 2004
Associate Christ

falz posted:

Aren't each of your 10.x networks behind NAT?

As far as I know, NAT is only on packets leaving port 1 of the 10.20.30.0 network, or at least that was my intention. . .

Now that I have updated the 751 to 5.17. . .

10.20.30.0
http://sprunge.us/HBCS

10.20.40.0
http://sprunge.us/SNJY


edit: Ahhhhhh.

I noticed one of my wifi devices is now online and connected to a local server, which wasn't working before. God knows what fixed it, because I didn't change anything. Now I can ping hosts between networks, BUT:

code:
chronos@localhost / $ tracepath -n 10.20.30.3
 1:  10.20.40.124                                          0.283ms pmtu 1500
 1:  no reply
 1:  10.20.40.1                                          4030.787ms 
 1:  10.20.40.1                                          1125.000ms 
 2:  192.168.0.1                                         454.838ms 
 3:  10.20.30.3                                          433.826ms !H
     Resume: pmtu 1500 
That was a good one :/. What is going on here??

other people fucked around with this message at 23:38 on Jun 5, 2012

movax
Aug 30, 2008

Was referred here from the regular Home Networking thread.

I've got a fraternity house to deliver internet to, and I'm sick of idiots loving up network configuration and breaking the pfSense box I set up. MikroTik was suggested as a possible alternative solution.

The WAN connection is Comcast business through an incredibly, amazingly lovely SMC gateway that I desperately beg them to replace. More importantly, this means WAN traffic is at most 30/10 or so, not terribly demanding (I think).

I'd like it to service ~30 users, and give me enough QoS power to murder anything that isn't regular HTTP traffic (people can't get their online assignments in because some retard is torrenting whatever the latest lovely anime is). Subnetting/VLAN features would also be nice; I'd like the camera DVR box + access control systems to live on their VLAN which gets priority access to the internet (for remote management). I have two 48port switches (Dell PowerConnects) as my primary switching fabric.

The RB2011 was suggested; we do have an ancient 42U rack to install stuff in, but I'm not married to needing a rackmount case. I am actually sorely tempted to switch to a small, lockable wall-mount rack.

So, I guess, is MikroTik the right solution here? I was recommended some Juniper gear like the SRX, but that's quite a bit pricier. Also, how anemic are the Atheros SoCs compared to the PPCs offered in the other Mikrotik models?

CuddleChunks
Sep 18, 2004

I'll straight up disagree with the gent in the Home Networking thread who poo-poo'ed getting the RB2011L-IN (in a hot red case) because he didn't think it would handle the data load you're hoping to put it through. I believe in my heart, and based on how these units perform at the ISP I work at, that one of those will fit your needs nicely.

Setting up the QoS stuff is going to take up most of your time while VLANs and setting up distinct interfaces is a snap. With some good planning at the start I think you'll have a good experience with Mikrotik and routerboard gear.

Best of all, you're only into the hardware about $100. Time is a different matter. Since you haven't worked with these before it will take some learning but we're here to help.

movax
Aug 30, 2008

CuddleChunks posted:

I'll straight up disagree with the gent in the Home Networking thread who poo-poo'ed getting the RB2011L-IN (in a hot red case) because he didn't think it would handle the data load you're hoping to put it through. I believe in my heart, and based on how these units perform at the ISP I work at, that one of those will fit your needs nicely.

Setting up the QoS stuff is going to take up most of your time while VLANs and setting up distinct interfaces is a snap. With some good planning at the start I think you'll have a good experience with Mikrotik and routerboard gear.

Best of all, you're only into the hardware about $100. Time is a different matter. Since you haven't worked with these before it will take some learning but we're here to help.

How much of a performance impact am I going to see with QoS though? I'm still a bit scared of the SoC performance vs. say, x86 or dedicated ASICs. Will I still get my full WAN bandwidth if QoS is busy slaughtering fifty torrents?

And dumb question, but since I'm used to SOHO routers, MikroTik will happily take care of DHCP for me as well? Any DNSMasq analogues?

CuddleChunks
Sep 18, 2004

Yes. It's gonna rock your world.

I'm not going to hem and haw here, the performance stats posted on Routerboard's site put the max throughput with connection tracking and routing active at 33Mbps for small packets. It's much higher for big packets. Until your WAN link is pushing more than 33Mbps of 64KB packets upstream (unlikely) you will be fine with this hardware.

If you want to give yourself some extra breathing space then the RB450G is a good choice. It has a lot more RAM for handling bigger connection tables. Same fast processor under the hood though it has fewer ports than the RB2011L. In this case, that's not a big deal, you'll be hooking up to switches.

http://www.roc-noc.com/mikrotik/routerboard/rb450g-complete.html

movax
Aug 30, 2008

CuddleChunks posted:

Yes. It's gonna rock your world.

I'm not going to hem and haw here, the performance stats posted on Routerboard's site put the max throughput with connection tracking and routing active at 33Mbps for small packets. It's much higher for big packets. Until your WAN link is pushing more than 33Mbps of 64KB packets upstream (unlikely) you will be fine with this hardware.

If you want to give yourself some extra breathing space then the RB450G is a good choice. It has a lot more RAM for handling bigger connection tables. Same fast processor under the hood though it has fewer ports than the RB2011L. In this case, that's not a big deal, you'll be hooking up to switches.

http://www.roc-noc.com/mikrotik/routerboard/rb450g-complete.html

Ah yes, good call, that larger amount of RAM will be very helpful. Certainly don't need that many ports on the router itself as I have switches, like you said. I may order the RB450G tonight then, and evaluate it soon hopefully.

I'm thinking about doing wireless as well, setting up 3 APs (one per floor). I was looking through the MikroTik options...looks like I can get a lot of boards that are either 2.4 or 5 (RB711x-xxx), but in order to do both, I'd need to get a RB with >= 2 Mini-PCI slots and then buy Mini-cards for them, which drives the cost up quite a bit.

CuddleChunks
Sep 18, 2004

I'd look into the Ubiquiti Unifi system instead. They are rocking for managing several pods, the price is low and their performance at the places we've installed them has been very good.

We run Mikrotik APs all over the place but for filling up a house with signal, the Unifi gear is worth checking out.

movax
Aug 30, 2008

CuddleChunks posted:

I'd look into the Ubiquiti Unifi system instead. They are rocking for managing several pods, the price is low and their performance at the places we've installed them has been very good.

We run Mikrotik APs all over the place but for filling up a house with signal, the Unifi gear is worth checking out.

I just stumbled onto those units, they look pretty solid. Expensive to get 5GHz capability in addition to the 2.4GHz though, but ~$250 for 3 of those sleek little bastards isn't bad at all. Odd that the 300Mbps N is bottlenecked by the 100Mbit interface, but will just have to see how it performs. Hopefully each one can handle a few clients. May need to dig up another box to handle running the UniFi controller software.

Also just ordered the RB450G, thanks for your help :) Next step is to get my name on the Comcast account so I can call them up and either get my SMC set to bridge mode, or put in a SB5120 or something.

Hopefully I can play with the RB450G enough at my place that when I go to do things remotely, I won't irreparably break things.

e: Are there multiple access levels perchance for RouterOS? Like, could I delegate out specific port forwarding requirements, or would I end up writing my own scripts to enable that type of functionality?

Ginger Beer Belly
Aug 18, 2010

Grimey Drawer

movax posted:

I just stumbled onto those units, they look pretty solid. Expensive to get 5GHz capability in addition to the 2.4GHz though, but ~$250 for 3 of those sleek little bastards isn't bad at all. Odd that the 300Mbps N is bottlenecked by the 100Mbit interface, but will just have to see how it performs. Hopefully each one can handle a few clients. May need to dig up another box to handle running the UniFi controller software.

The 300Mbps signalling rate (MCS15 on a 40 MHz channel) is really only going to get you 75-80Mbps real throughput bidirectional in ideal conditions, which a 100Mbps FE port can mostly handle.

movax posted:

e: Are there multiple access levels perchance for RouterOS? Like, could I delegate out specific port forwarding requirements, or would I end up writing my own scripts to enable that type of functionality?

There are different rights that you can grant different administrative users, but there really isn't any granularity to rights in modifying firewall/mangle rules. Can you expand a little on what you're wanting?

Ginger Beer Belly
Aug 18, 2010

Grimey Drawer

movax posted:

How much of a performance impact am I going to see with QoS though? I'm still a bit scared of the SoC performance vs. say, x86 or dedicated ASICs. Will I still get my full WAN bandwidth if QoS is busy slaughtering fifty torrents?

And dumb question, but since I'm used to SOHO routers, MikroTik will happily take care of DHCP for me as well? Any DNSMasq analogues?

If you can differentiate everything by internal IP, you can do simple queuing, but more complex scenarios or CPU limitations may mean you need to check out PCQ.

For some real-world numbers, I have a 450G at a tower peaking at 150/25Mbps layer-3 forwarding generic Internet traffic w/Connection Tracking turned off that hits about 65-69% CPU.

A 493AH (same CPU as the 450G) has 55/11Mbps of customer-facing traffic w/Connection-Tracking on and PCQ queues and hits 85% CPU at peak.

I'm going to do some digging and try to find my highest-traffic customer-facing simple queue router and see what it is doing CPU-wise.

movax
Aug 30, 2008

Ginger Beer Belly posted:

The 300Mbps signalling rate (MCS15 on a 40 MHz channel) is really only going to get you 75-80Mbps real throughput bidirectional in ideal conditions, which a 100Mbps FE port can mostly handle.

There are different rights that you can grant different administrative users, but there really isn't any granularity to rights in modifying firewall/mangle rules. Can you expand a little on what you're wanting?

Mainly, to make my life a little easier, if the guys need to forward some ports or something, I thought about delegating that out so I don't have to do every little thing. But maybe that is not such a good idea...

Ginger Beer Belly posted:

If you can differentiate everything by internal IP, you can do simple queuing, but more complex scenarios or CPU limitations may mean you need to check out PCQ.

For some real-world numbers, I have a 450G at a tower peaking at 150/25Mbps layer-3 forwarding generic Internet traffic w/Connection Tracking turned off that hits about 65-69% CPU.

A 493AH (same CPU as the 450G) has 55/11Mbps of customer-facing traffic w/Connection-Tracking on and PCQ queues and hits 85% CPU at peak.

I'm going to do some digging and try to find my highest-traffic customer-facing simple queue router and see what it is doing CPU-wise.

I can differentiate the camera/access-control machines by IP certainly, I'll give them static DHCP leases. The others though, will all be floating DHCP leases. I'd just like to kill torrents and such, and prioritize HTTP traffic.

CrazyLittle
Sep 11, 2001

Clapping Larry
Why not break the critical / high priority stuff out in its own private VLAN? Is there any particular reason why the tenants would need to access those with their desktops/laptops/phones?

movax
Aug 30, 2008

CrazyLittle posted:

Why not break the critical / high priority stuff out in its own private VLAN? Is there any particular reason why the tenants would need to access those with their desktops/laptops/phones?

It would be cool if they could access the camera box; that's more for them anyway so Risk Management/etc can check tapes if/when a car gets broken into or something. Could I VLAN it off, but still set up some kind of uh, static route for it?

Example: I would expose it remotely over some port (or VPN). So, I would access it at http://<external house ip>:port. I know weird things can happen when you try to loopback (like if I tried to access http://<external house ip>:port from within that network), but I don't know if you can set up some type of route that sees that you're trying to access your own internal network and direct things accordingly.

movax
Aug 30, 2008

Alright, 450G came in today! :woop: Will play around with it this weekend and see what it can do.

CuddleChunks
Sep 18, 2004

movax posted:

Alright, 450G came in today! :woop: Will play around with it this weekend and see what it can do.

woo hoo! Let us know how it works out for you. It should be magic.

movax
Aug 30, 2008

CuddleChunks posted:

woo hoo! Let us know how it works out for you. It should be magic.

Is there a good QoS guide available for RouterOS? That is my next area of interest. Winbox is incredibly slick and very easy to use.

I need to get better at using SSH though, as I assume that is the ideal way to manage the unit remotely (unless you can set up port forwarding to let you point winbox at a target IP).

The_Franz
Aug 8, 2003

movax posted:

I need to get better at using SSH though, as I assume that is the ideal way to manage the unit remotely (unless you can set up port forwarding to let you point winbox at a target IP).

Why would you need port forwarding to access the router? Just make sure port 8291 is allowed in your firewall input chain and point Winbox to the public IP.

movax
Aug 30, 2008

The_Franz posted:

Why would you need port forwarding to access the router? Just make sure port 8291 is allowed in your firewall input chain and point Winbox to the public IP.

Oh, duh :downs: Is this horribly insecure to do? I suppose I can either change the listen port if I wanted, or have some kind of firewall rule that routes say port 12345 to 8291?

CuddleChunks
Sep 18, 2004

Nah, turn off external SSH entirely and use winbox. It uses an SSL-style encrypted tunnel to link up. Works great so that your logs don't fill with ssh attacks.

As for QoS, that's a complicated topic. I don't have any good guides yet but I'm still poking around. I'll see if I can dig any up. It goes from easy to mind-bending pretty quick is the main complaint. Still, it's a powerful device and other folks have figured this out so it's mostly my own dumbness making it hard.

NOTinuyasha
Oct 17, 2006

The Great Twist
Actually trying to prioritize specific types of traffic really isn't gonna work very well. If you do any sort of QoS at all, I'd just use a queue to ensure fairness between connected devices:

code:
 
[admin@MikroTik] > /queue type print
Flags: * - default 

7   name="custom-out" kind=pcq pcq-rate=0 pcq-limit=50 
     pcq-classifier=src-address pcq-total-limit=2000 pcq-burst-rate=0 
     pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 
     pcq-dst-address-mask=32 pcq-src-address6-mask=64 
     pcq-dst-address6-mask=64 

 8   name="custom-in" kind=pcq pcq-rate=0 pcq-limit=50 
     pcq-classifier=dst-address pcq-total-limit=2000 pcq-burst-rate=0 
     pcq-burst-threshold=0 pcq-burst-time=10s pcq-src-address-mask=32 
     pcq-dst-address-mask=32 pcq-src-address6-mask=64 
     pcq-dst-address6-mask=64 
code:
[admin@MikroTik] > /queue tree print
Flags: X - disabled, I - invalid 
 0   name="wan-out-temp" parent=global packet-mark=wan-out limit-at=4500k 
     queue=custom-out priority=8 max-limit=4500k burst-limit=0 
     burst-threshold=0 burst-time=0s 

 1   name="wan-in-temp" parent=global packet-mark=wan-in limit-at=28M 
     queue=custom-in priority=8 max-limit=28M burst-limit=0 burst-threshold=0 
     burst-time=0s 
code:
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic 
 0   chain=prerouting action=mark-packet new-packet-mark=wan-out 
     passthrough=yes src-address=192.168.88.0/24 
     in-interface=ether2-master-local 

 1   chain=postrouting action=mark-packet new-packet-mark=wan-in 
     passthrough=yes dst-address=192.168.88.0/24 
     out-interface=ether2-master-local 
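An added Python model (not part of the post or of RouterOS) of what the three listings above do together: the two mangle rules pick the packet mark, the queue type's pcq-classifier decides which address each packet's substream is keyed on, and the queue tree's max-limit is then split max-min fairly between the active substreams, which is what pcq-rate=0 means. The flow records are constructed; ether1 as the WAN interface and the 203.0.113.0/24 peers are assumptions. Per-substream packet buffering (pcq-limit) is not modelled.

```python
import ipaddress

LAN = ipaddress.ip_network("192.168.88.0/24")      # from the mangle rules
LAN_IF = "ether2-master-local"

# Queue-tree limits and PCQ classifiers from the listings above.  pcq-rate=0
# means "no per-substream cap": the parent's max-limit is simply shared
# equally between the substreams that want it.
TREE = {
    "wan-out": {"max_limit_k": 4500,  "classifier": "src", "pcq_rate_k": 0},
    "wan-in":  {"max_limit_k": 28000, "classifier": "dst", "pcq_rate_k": 0},
}

def packet_mark(src, dst, in_if, out_if):
    """The two mangle rules: LAN sources entering on the LAN interface get
    wan-out (prerouting); LAN destinations leaving on it get wan-in
    (postrouting).  Anything else stays unmarked and is not queued."""
    if ipaddress.ip_address(src) in LAN and in_if == LAN_IF:
        return "wan-out"
    if ipaddress.ip_address(dst) in LAN and out_if == LAN_IF:
        return "wan-in"
    return None

def pcq_share(demand_k, max_limit_k, pcq_rate_k=0):
    """Max-min fair (water-filling) split of max_limit_k between PCQ
    substreams.  Every substream is offered an equal share; one that wants
    less (or is capped by pcq-rate) takes only what it needs and the rest
    is re-offered to the others.  All values are kbit/s."""
    cap = {k: min(v, pcq_rate_k) if pcq_rate_k else v for k, v in demand_k.items()}
    alloc = {k: 0.0 for k in cap}
    remaining, unsatisfied = float(max_limit_k), set(cap)
    while unsatisfied and remaining > 0:
        share = remaining / len(unsatisfied)
        small = {k for k in unsatisfied if cap[k] - alloc[k] <= share}
        if not small:                         # everyone can use a full share
            for k in unsatisfied:
                alloc[k] += share
            break
        for k in small:                       # satisfy the small ones fully
            remaining -= cap[k] - alloc[k]
            alloc[k] = cap[k]
        unsatisfied -= small
    return alloc

def allocate(flows):
    """Mark each flow, group it into its PCQ substream by the classifier
    the queue type uses, and water-fill each direction's parent limit."""
    demand = {m: {} for m in TREE}
    for src, dst, in_if, out_if, kbps in flows:
        mark = packet_mark(src, dst, in_if, out_if)
        if mark is None:
            continue
        key = src if TREE[mark]["classifier"] == "src" else dst
        demand[mark][key] = demand[mark].get(key, 0) + kbps
    return {m: pcq_share(demand[m], TREE[m]["max_limit_k"], TREE[m]["pcq_rate_k"])
            for m in TREE}

# Constructed sample: (src, dst, in-interface, out-interface, offered kbit/s).
# ether1 as the WAN interface and the 203.0.113.0/24 peers are assumptions.
FLOWS = [
    ("192.168.88.10", "203.0.113.5", LAN_IF, "ether1", 4000),   # heavy seeder
    ("192.168.88.11", "203.0.113.6", LAN_IF, "ether1", 4000),   # heavy seeder
    ("192.168.88.12", "203.0.113.7", LAN_IF, "ether1", 500),    # light user
    ("203.0.113.5", "192.168.88.10", "ether1", LAN_IF, 30000),  # big download
    ("203.0.113.9", "192.168.88.20", "ether1", LAN_IF, 5000),   # modest download
]

if __name__ == "__main__":
    for mark, alloc in allocate(FLOWS).items():
        print(mark, {k: round(v) for k, v in alloc.items()})
```

The light user keeps the full 500k upstream while the two seeders split what is left, which is the fairness the post is after without having to identify the traffic type at all.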

frayed time
Oct 20, 2008
I'm waiting for a 750 and a 750GL to arrive. I can't wait to check these out and hopefully start using them at client sites as Internet border devices.

VPN functionality in hardware is something I've been looking forward to.

I've been experiencing intermittent connectivity issues at home with my business class Comcast connection. Talked to a support rep and was told two of my computers where flooding the Comcast modem with traffic stressing the device / connection. Are there any tools I can leverage with these Mikrotiks to troubleshoot the issue?

CuddleChunks
Sep 18, 2004

Please wear your baggiest shorts because the rogue boner you're going to get after using Torch is potentially devastating to the integrity of your clothes.

Open Winbox, connect to your mikrotik.
Click Tools -> Torch
Select your interface (probably ether2) and put checkmarks in "protocol" and "port" then hit start. Oh hey there crazy traffic, where the hell are you going? :mmmhmm:

Barring there being a layer 2 problem of some sort, this should reveal the naughty machines in short order.


Oh, what kind of VPN are you setting up? There are some sneaky tricks for handling PPTP-type VPNs I had to work through recently and have some suggestions. Haven't set up an IPSEC style tunnel yet.

frayed time
Oct 20, 2008

CuddleChunks posted:

Oh, what kind of VPN are you setting up? There are some sneaky tricks for handling PPTP-type VPNs I had to work through recently and have some suggestions. Haven't set up an IPSEC style tunnel yet.

Depending on the application, I could go either way.

I work a lot with DVRs and security systems. These wouldn't need the layer 2 forwarding like my remote managed services administration applications would.

The_Franz
Aug 8, 2003

CuddleChunks posted:

Oh, what kind of VPN are you setting up? There are some sneaky tricks for handling PPTP-type VPNs I had to work through recently and have some suggestions. Haven't set up an IPSEC style tunnel yet.

An IPSEC+L2TP tunnel is really easy to set up. Despite having never done it before it only took me about 10 minutes to get up and running with this guide. Even if you aren't using Windows, the guide still has a nice step-by-step walkthrough for the Mikrotik side.

The_Franz fucked around with this message at 23:19 on Jun 22, 2012

BaconBeast
Aug 18, 2006
I'll take the hundy pounder and fries, thanks.
Hi all,

For the sake of learning, I've bought myself 2 RB751Gs. One's running my home network and I'm doing some testing with the second one.

One request I often get is an easy to read web monitor, or at least a traffic breakdown by IP or MAC - so a user knows how much traffic each host has passed over the WAN.

What's the best way you guys have found for doing this with the mikrotiks?

CuddleChunks
Sep 18, 2004

A monitoring program like Cacti does a great job of pulling info from the router and summarizing it for you. http://docs.cacti.net/plugin:mikrotik will help you work with your new gear.

BaconBeast
Aug 18, 2006
I'll take the hundy pounder and fries, thanks.

CuddleChunks posted:

A monitoring program like Cacti does a great job of pulling info from the router and summarizing it for you. http://docs.cacti.net/plugin:mikrotik will help you work with your new gear.

Thanks! I'll take a look at this tonight

frayed time
Oct 20, 2008
Am I experiencing some sort of mental deficit? I can't find this fabled "Quick Setup" option anywhere on my 750GL. :iiam:

Running v5.18

edit: Apparently Quick Setup only exists for wireless devices at this point. Hmm.

frayed time fucked around with this message at 10:22 on Jun 26, 2012

fordan
Mar 9, 2009

Clue: Zero

fordan posted:

I am starting to doubt the RB751G-2HnD is ever going to come out in the US. :sigh:

I've been limping along on an old personal router since my 610N died in early March thinking the RB751G-2HnD was just around the corner.

For US goons who care, apparently the FCC has finally waved its magic wand over the RB751G-2HnD and roc-noc has them in stock. Now to see how buggy their DHCP-PD implementation is and if the CMTS serving my home is enabled for v6.

Randuin
Dec 26, 2003

O-Overdrive~

fordan posted:

For US goons who care, apparently the FCC has finally waved its magic wand over the RB751G-2HnD and roc-noc has them in stock. Now to see how buggy their DHCP-PD implementation is and if the CMTS serving my home is enabled for v6.

Just bought one today. Actually bought a 951G before, while totally intending to buy a 751G-2HnD. So I guess I will now have two.

movax
Aug 30, 2008

frayed time posted:

Am I experiencing some sort of mental deficit? I can't find this fabled "Quick Setup" option anywhere on my 750GL. :iiam:

Running v5.18

edit: Apparently Quick Setup only exists for wireless devices at this point. Hmm.



Yeah, I spent like 15 minutes looking for the loving option, before finding that out. Slowly whipping the drat thing into shape at the site I'm installing it at (RB450G); at least good enough for me to remote admin it.

movax
Aug 30, 2008

The_Franz posted:

An IPSEC+L2TP tunnel is really easy to set up. Despite having never done it before it only took me about 10 minutes to get up and running with this guide. Even if you aren't using Windows, the guide still has a nice step-by-step walkthrough for the Mikrotik side.

This is what I stumbled onto on the Mikrotik wiki, and it looks good, but I want to run it by folks who actually, you know, do this for a living.

Basically, Winbox owns bones for letting me manage the router remotely, but I would like to VPN "in" so I can RDP into a few other machines/wireless APs. I've got essentially no experience with setting up VPNs, but I'm relatively certain that's what I need to do. (So end goal, I want a VPN so I can RDP into two boxes, and point a browser at various AP config pages).

Seems like L2TP is "easy" to use/setup, and IPSec takes care of providing encryption/protection. If I understand correctly, the Mikrotik box acts as my VPN endpoint?

e: Second goal, are there some nice pre-existing scripts/methods for generating read-only network stats? Basically, I just want a way for the tech chair person at the house to see if someone's gobbling down like 15Mbps at the expense of everyone else. This shouldn't matter as much once I get QoS working, but it was still requested.

movax fucked around with this message at 15:43 on Jul 5, 2012

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
If you need to VPN in from a client PC just use PPTP or OpenVPN. Or forward remote desktop port and connect to it and daisy chain from there without VPN.

For network stats, just enable interface graphing and have them bookmark http://router/graphs/

code:
/tool graphing interface
 add
/tool graphing resource
 add
/tool graphing queue
 add
Or install The Dude on the router, install the dude client for them, create a network map in it and properly assign interfaces to links- you will get near real time stats of everything including health of routers (and printers and servers if you desire).

movax
Aug 30, 2008

falz posted:

If you need to VPN in from a client PC just use PPTP or OpenVPN. Or forward remote desktop port and connect to it and daisy chain from there without VPN.

For network stats, just enable interface graphing and have them bookmark http://router/graphs/

code:
/tool graphing interface
 add
/tool graphing resource
 add
/tool graphing queue
 add
Or install The Dude on the router, install the dude client for them, create a network map in it and properly assign interfaces to links- you will get near real time stats of everything including health of routers (and printers and servers if you desire).

OK, I'm giving the Dude a whirl and it is pretty sweet. Few things on that though:

1. Switch is a PowerConnect 3048, and SNMP is magic; so I know which clients are connected to which physical interface on the switch (I can see MAC Addresses). Can The Dude automatically scan/reconcile these to create the appropriate links?

2. My WiFi is currently a single UniFi AP, acting as a dumb bridge; as a result, The Dude sees like 20 devices connected to one switch port on the 3048. I tried manually adding the UniFi as a "bridge device", and the link to the switch gets a proper SNMP ID, but all the links "after" the AP have no SNMP ability (UniFi doesn't do AP). Basically, is there a way to say "hey, everyone connected to this one port on the switch is wireless", or should I be assigning a different pool of IPs to the wireless clients for differentiation? (I'm not sure how I'd do that in this case).

3. Dumb security question, but if I don't ask it, I'll never know. On boxes like ipcop/pfsense/etc, you have to explicitly open up ports for remote access. Same case on RouterOS? It looks like the remote access port for the dude already works, and I did not add an exception.

I added basic rules for dumping bogons/various virus ports, from the MikroTik wiki but I'm not sure I'm doing it right.

CuddleChunks
Sep 18, 2004

movax posted:

3. Dumb security question, but if I don't ask it, I'll never know. On boxes like ipcop/pfsense/etc, you have to explicitly open up ports for remote access. Same case on RouterOS? It looks like the remote access port for the dude already works, and I did not add an exception.

The new default configs don't allow remote access. You have to open that up in Tools -> MAC Server.

IP -> Services determines which configuration services are allowed. You will typically want to turn off SSH and Telnet so that the big bad world doesn't spam your logs with dumb breakin attempts. Pick a good password and make sure you can connect with Winbox for remote management and you'll be in great shape.
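An added audit script (not from the thread) that reads an `IP -> Services` listing in the shape of `/ip service print` and reports which management services are enabled and answer to any source address, following the advice above to leave only Winbox listening. The sample listing is constructed, the `allowed_open` list and the management network are assumptions, and the emitted `/ip service disable` and `/ip service set ... address=` commands are standard RouterOS syntax.

```python
# Constructed sample in the shape of `/ip service print` (not output from
# anyone's router): most services enabled and unrestricted, www-ssl
# disabled, api restricted to the LAN.
SAMPLE = """\
Flags: X - disabled, I - invalid
 #   NAME     PORT  ADDRESS            CERTIFICATE
 0   telnet   23
 1   ftp      21
 2   www      80
 3   ssh      22
 4 X www-ssl  443                      none
 5   api      8728  192.168.88.0/24
 6   winbox   8291
 7   api-ssl  8729                     none
"""

def parse_services(text):
    """Return {name: {"port": int, "disabled": bool, "address": str|None}}."""
    services = {}
    for line in text.splitlines():
        f = line.split()
        if len(f) < 3 or not f[0].isdigit():       # skip Flags/header lines
            continue
        f = f[1:]
        disabled = f[0].isupper()                  # a bare X/I flag column
        if disabled:
            f = f[1:]
        name, port, rest = f[0], int(f[1]), f[2:]
        address = next((t for t in rest if "/" in t or t.count(".") == 3), None)
        services[name] = {"port": port, "disabled": disabled, "address": address}
    return services

def classify(svc):
    """disabled / restricted (has an address list) / open (any source)."""
    if svc["disabled"]:
        return "disabled"
    return "restricted" if svc["address"] else "open"

def audit(text, allowed_open=("winbox",)):
    """Services that answer to any source address and are not on the
    allow-list, as [(name, port)] sorted by port."""
    findings = [(n, s["port"]) for n, s in parse_services(text).items()
                if classify(s) == "open" and n not in allowed_open]
    return sorted(findings, key=lambda x: x[1])

def remediation(text, mgmt_net="192.168.88.0/24", allowed_open=("winbox",)):
    """RouterOS commands to close the findings by disabling what is not
    needed.  Tying the allowed service to mgmt_net too would break remote
    management from elsewhere, so that line is emitted commented out."""
    cmds = [f"/ip service disable {n}" for n, _ in audit(text, allowed_open)]
    cmds += [f"# /ip service set {n} address={mgmt_net}" for n in allowed_open]
    return cmds

if __name__ == "__main__":
    for name, port in audit(SAMPLE):
        print(f"open to the world: {name} on tcp/{port}")
    print("\n".join(remediation(SAMPLE)))
```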


movax
Aug 30, 2008

CuddleChunks posted:

The new default configs don't allow remote access. You have to open that up in Tools -> MAC Server.

IP -> Services determines which configuration services are allowed. You will typically want to turn off SSH and Telnet so that the big bad world doesn't spam your logs with dumb breakin attempts. Pick a good password and make sure you can connect with Winbox for remote management and you'll be in great shape.

Yep, I am set up for only Winbox right now. I guess I phrased my question weird though; by default, let's say someone is running some application server on port 12345, will the firewall allow that through if it is not explicitly allowed (or denied, for that matter)? I.E. My SNMP traffic isn't happily being Internet accessible right now.

I forgot to turn on UPnP, I got complaints of Xboxes not working as well :downs:

movax fucked around with this message at 19:24 on Jul 6, 2012
