|
If you accepted the default configuration and have been modifying that - no. Go to IP -> Firewall -> NAT and you can see what's actually being NATed into the network (probably nothing). IP->Firewall->Filter shows explicit allow/deny rules. Out of the box they don't have any rules to translate data into the network so you are fine.
|
#
?
Jul 6, 2012 22:48
|
|
|
|
| # ? Apr 17, 2024 00:47 |
|
|
I've admiring Microtik for some time now and I'm in a bit of a quandary. I'm not 100% positive I can get a RB device to do what I want it to. I need to link 3 servers + NAS (each with two GB ethernet ports) into a single network. these are SFF pcs and the entire setup is supposed to fit into a carry on bag. I also need a WIFI network and "WAN" link to client's network if needed. Ideally there would be two separate WIFIs - 1 connected to the the servers and a second linked with the "WAN" / corportate network. In effect we'd be talking about setting up two wireless networks - one of each side of a firewall. I drew an ugly diagram to describe what I mean below:  Microtik has me believing I can do all of this with the RB493G Using port 9 (the POE Port) as my client uplink. Rocnoc says that for $350 I can get this in one box. Assuming the above is true can I bind eth1 and Wlan2 (i forget the naming schema) into network 1, and the rest into network 2? Can I further vlan network 2 into multiple vlans by MAC? My fall back is a Cisco Sg300-10 + some consumer grade wifi router running a openwrt or derivative.
|
|
#
?
Jul 7, 2012 18:08
|
|
|
Should be just fine. You would bridge Ethernet and wlan interfaces to create the separation. You could do separate wlan radios or use virtual APs with a single radio (I think). Or you could take it even further and use VRFs to separate the routes, or metarouters which is a separate instance of RouterOS running using the interfaces of your choosing.
|
|
#
?
Jul 7, 2012 20:27
|
|
|
Yup. Easy peasy. You mention each server has two gig ethernet, are you planning on having both of those plugged in at the same time? On the VLAN front, those are tied to interfaces, not to MAC addresses in the Mikrotik world. Here's a bunch more info on that feature: http://wiki.mikrotik.com/wiki/Manual:Interface/VLAN http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment
|
|
#
?
Jul 7, 2012 20:39
|
|
|
CuddleChunks posted:Yup. Easy peasy. I should be fine there, the servers will be running VMS so I can create "Red" and "Green" networks (to pull some terminology from Smoothwall) and route VMs to specific interfaces and isolation zones from there. Nice to know that. Now I just need to talk to the Roc-noc guys as to when they'll be getting these guys in. Is there a Microtik virtualization platform - similar to how I can create a virtual network full of cisco gear? Would be nice to test out some what how things are going.
|
|
#
?
Jul 7, 2012 22:02
|
|
|
Yeah there is some virtualization available though I haven't personally set it up. The guys at work have used it to good effect for testing and fiddling around. The wiki: http://wiki.mikrotik.com/wiki/Manual:Virtualization One method: http://www.techonia.com/install-mikrotik-virtualbox Since you don't have a routerboard to run this on I'm not sure what a VM will be able to expose in its blob of virtualized hardware. Still, it would be pretty easy to try out. You can run Mikrotik without a license for 24 hours and then it locks up so it's great for testing out strange configs without spring for the full license.
|
|
#
?
Jul 7, 2012 23:13
|
|
|
I have a few RouterOS VMs on ESX and they're fine. I'm not running any routing protocols or VRRP however, which I hear can have issues due to VMWare and multicast. Also as previously mentioned, you may want to check out Metarouter. I've only run it once to test and had it crash a lot, but that was right after it came out.
|
|
#
?
Jul 7, 2012 23:34
|
|
|
e: OK, looks like it does, but at least it's cut-down on the issue of unusable Internet access. Now to see if there's some kind of registration-system I can put into a place so I don't have to guess at whose PC is whose. I've got a few Microsoft MACs that are sucking down traffic like none other, but no idea if that's a Xbox/Zune/whatever. Setup PCQ similar to what posted last page, seems to be doing OK so far. Question though; WAN is Comcast Business, nominal speed is 12Mbit download, but as it is Comcast, it's possible to "PowerBoost" up to 16Mbit or so. Can I allow for this with the burst-settings in global queues? Right now I have the max-limit set to 11500kbit/s, and pcq-rate=0 to allow it balance between everyone. And would I need scripting to parse MACs for 360s (7C:1E:something), get their IPs, and add them to their own queue-class which can co-exist with the above? I'd like to cap them a bit lower. e2: this seems like a decent resource, I can maybe setup another pcq queue just for xbox clients. And also apply some application QoS on top of this. e3: Looks like I can use Traffic-Flow to feed ntop! Latvians loving own. :latvia: movax fucked around with this message at 06:14 on Jul 9, 2012 |
|
#
?
Jul 8, 2012 08:16
|
|
|
Sorry for double-post, but this is un-related to above post. Is there a software-way to completely secure the serial port, including disabling it's usage during boot loading? I disabled it currently by setting baud-rate to 0, and disabled the software jumper as well. Anything else to do protect it against physical connections/mucking around?
|
|
#
?
Jul 9, 2012 16:14
|
|
|
movax posted:Sorry for double-post, but this is un-related to above post. Is there a software-way to completely secure the serial port, including disabling it's usage during boot loading? I disabled it currently by setting baud-rate to 0, and disabled the software jumper as well. Anything else to do protect it against physical connections/mucking around?
|
|
#
?
Jul 9, 2012 16:21
|
|
|
movax posted:Sorry for double-post, but this is un-related to above post. Is there a software-way to completely secure the serial port, including disabling it's usage during boot loading? I disabled it currently by setting baud-rate to 0, and disabled the software jumper as well. Anything else to do protect it against physical connections/mucking around? Put a little sticky note over it with the words "Serious nerd poo poo" on it. They'll leave it alone.
|
|
#
?
Jul 9, 2012 19:17
|
|
|
CuddleChunks posted:Put a little sticky note over it with the words "Serious nerd poo poo" on it. They'll leave it alone. Yeah, perhaps that, or an actual lockable physical enclosure at some point. New question: PCQ has been doing great with pcq-rate=0 and a max-limit set, but in Torch I can see IP's that have like 7 or 8 connections going (probably stream), like:  Is PCQ being kind because others don't happen to be streaming/downloading/whatever heavily at the moment? I'd say the ports almost look UPnP like, but the destinations are all port 80 on various CDN networks, I believe. e: here is my QoS config: code:movax fucked around with this message at 02:42 on Jul 10, 2012 |
|
#
?
Jul 9, 2012 22:07
|
|
|
So, a problem for me has been monitoring internet use. I've seen a lot of people ask about it but nothing has really come out as completely useful, so I thought I'd share my current solution and ask for advice. Basically, all I do is have 2 mangle rules for each direction - First rule, is pre-routing source address of the PC for upload, and second rule is post routing destination address for download.  At then end of the billing cycle you can reset these and go from there. This means that you just assign each DHCP lease as static, create your rules and you can see who's hogging your internet. This is usually fine in a home environment with only a few users but I'd like something a little more.. robust. Is there any way to do this by mac address? Or at least without making a heap of mangle rules?
|
|
#
?
Jul 10, 2012 05:44
|
|
|
Does anyone have a number I can use to contact Roc-noc? they haven't responded to my query via the form yet.
|
|
#
?
Jul 10, 2012 20:03
|
|
|
Nystral posted:Does anyone have a number I can use to contact Roc-noc? they haven't responded to my query via the form yet. You might try Tom whom I've exchanged email with before: tom@roc-noc.com
|
|
#
?
Jul 10, 2012 23:15
|
|
|
Anyone had the chance to play with the new 2011 series boxes? http://routerboard.com/RB2011L-IN http://routerboard.com/RB2011LS-IN (w/ SFP port) Ordered one to see how it performs. Still no Jumbo frame support though. Ugh.
|
|
#
?
Jul 11, 2012 14:41
|
|
|
I'm thinking about ordering one of these for home use: http://www.roc-noc.com/mikrotik/routerboard/RB951-2n.html I'd love to read a review of it, but I can't seem to find a good, detailed review. This would be my first foray into MicroTik. The lack of an external antenna kind of worries me... which is why I want to see a review. Any experience with it here?
|
|
#
?
Jul 11, 2012 17:46
|
|
|
Short version: While I haven't used a RB951, I wouldn't expect too much. Spend a few more bucks and get an RB751 instead. Long version: Just before I left my last job (at a small WISP), I actually did an informal router bake-off. I took a RB751 (the older, larger version of the RB951), a Linksys WRT54GL (stock firmware, not hacked up with DD-WRT or anything), and a couple other routers (no-name companies the boss found on Newegg, and not relevant to this story). I put them all in the same place in the office, on the same channel (one that was relatively free of other 2.4GHz traffic), and turned them on. Then I pulled out my smartphone, and walked around the building, taking notes on signal level and such. By that admittedly-simple metric, the RB751 and WRT54G were pretty much equal, in terms of SNR and range. Obviously the throughput on the RB751 was better (it could do 802.11n, the other router could only do 802.11g), but otherwise they were fairly similar in RF performance. The RB951 you're asking about, has an antenna with 1dB lower gain, the radio itself has 13dB less transmit power, and you give up the option to connect an external antenna if you want RF diversity or just more gain. You save a little bit of physical space and a few dollars, but at least on paper you give up a LOT of RF capability. Edit: Oh, the 951 also has a slower-clocked CPU, and half the RAM.
|
|
#
?
Jul 12, 2012 19:48
|
|
|
You should have put the external antenna on the 751. In my (not so scientific) tests it's improved the signal by 10db.Nystral posted:Does anyone have a number I can use to contact Roc-noc? they haven't responded to my query via the form yet. I don't know if Tom's number is actually on the site but he's answered his personal cell phone for me in the middle of his lunch to listen to some pretty inane questions. feld fucked around with this message at 14:02 on Jul 13, 2012 |
|
#
?
Jul 13, 2012 13:59
|
|
|
Nystral posted:Does anyone have a number I can use to contact Roc-noc? they haven't responded to my query via the form yet. https://plus.google.com/117042725772999996270/about
|
|
#
?
Jul 13, 2012 19:02
|
|
|
Any of you guys play with Mikrotik's IPoE tunneling yet? How well does it work and how much overhead does it take up?
|
|
#
?
Jul 13, 2012 20:47
|
|
|
EoIP +42. From the manual:http://wiki.mikrotik.com/wiki/Manual:Interface/EoIP#Notes posted:Note: EoIP tunnel adds at least 42 byte overhead (8byte GRE + 14 byte Ethernet + 20 byte IP)  Seems like a bug, will confirm later next week.
|
|
#
?
Jul 13, 2012 20:56
|
|
|
unknown posted:Anyone had the chance to play with the new 2011 series boxes? I'm using a RB2011 as a core router for a small business office and the wireless campus it supports (wireless hotspot). Currently there are about 200 active hotspot accounts authenticating to the built-in RADIUS server, about a third of which are MAC addresses (for cell phones, office laptops and so on). The router is performing well and is better suited for the job than the $3000 SonicWall NSA3500 we had previously, and for approximately 5% of the price. The only complaint I have is that with the license level the RB2011 comes with, you can't do RADIUS accounting for this many people (it stops working at 20 active sessions). Authentication only.
|
|
#
?
Jul 14, 2012 03:11
|
|
|
arnika road posted:The only complaint I have is that with the license level the RB2011 comes with, you can't do RADIUS accounting for this many people (it stops working at 20 active sessions). Authentication only. Can't you pay out of pocket for a license upgrade? I thought at one point this was possible on certain hardware. It's not like $100 or whatever is going to kill you when you're talking about a $3,000 sonicwall 
|
|
#
?
Jul 14, 2012 17:42
|
|
|
EoIP is a thing of beauty. When my last employer moved across town, we just set up an EoIP tunnel between the old NOC and the new NOC, so no individual server was down for more than half an hour while we loaded it into the back of the boss' Jeep and drove it between locations. Aside from a bit of added latency, nobody really noticed. (Until the old mail server started soiling itself because it hadn't been moved in the previous seven years and we probably broke a fan or something, but that's not the fault of EoIP...)
|
|
#
?
Jul 15, 2012 03:56
|
|
|
falz posted:EoIP +42. From the manual: Mikrotik has issues with packet reassembly of out of order packets and drops them. (Not always, but has horrid buffers - especially in ppp type [l2tp,etc] encapsulation). PITA when someone re-engineers a wan circuit and changes the queuing from FIFO to something "intelligent". Awesome when it works, can be annoying to debug.
|
|
#
?
Jul 16, 2012 19:41
|
|
|
BaconBeast posted:Is there any way to do this by mac address? Or at least without making a heap of mangle rules? I'm adding another device and we'll see if picks up on that fact shortly. Config of the mikrotik has been minimal so far. It's not perfect and it may not be a deep enough view of the network for you, but fiddle around with that for a bit, see if it meets your needs. CuddleChunks fucked around with this message at 20:09 on Jul 16, 2012 |
|
#
?
Jul 16, 2012 19:49
|
|
|
Thanks very much for this, I've just set it going and will see what it gets but it looks pretty good.
|
|
#
?
Jul 21, 2012 09:59
|
|
|
Tom from roc-noc is a swell guy 
|
|
#
?
Jul 31, 2012 04:53
|
|
|
How good of a fit is their hardware for home use if you are a big dummy like me and only know the basics of setting up a regular made for home use router?
|
|
#
?
Jul 31, 2012 17:15
|
|
|
It has some type of setup wizard that should get you up and running right away. From there you can tweak it if you desire.
|
|
#
?
Jul 31, 2012 21:16
|
|
|
Porkchop Express posted:How good of a fit is their hardware for home use if you are a big dummy like me and only know the basics of setting up a regular made for home use router? You're probably not going to use a tenth of the features that this thing has. That's fine - neither do I. I set it up and rarely remember it's there because things just work. On the other hand, when i want to do some bandwidth testing on my home wireless links or do some other silly things I have a badass mikrotik sitting right there that I can test against. Want to segregate the roommates to their own connection? Click click click done.
|
|
#
?
Jul 31, 2012 21:24
|
|
|
CuddleChunks posted:Want to segregate the roommates to their own connection? Click click click done. Yeah thats what had piqued my interest, it seems like it could come in handy living with roommates.
|
|
#
?
Jul 31, 2012 21:27
|
|
|
Still no fix for the DNS server bug with low TTL hosts. I'm giving up hope at this point.
|
|
#
?
Aug 1, 2012 05:21
|
|
|
I recently procured a MikroTik RouterBOARD 750GL from a friend to use with throttling traffic on my home network. My network is a bit atypical. Long story short, I can't get internet access at my house, but 6mb fiber is ran to the house my brother-in-law is staying at about a half a mile away. I had it installed there and, for a few years now, have been running Ubiquiti PowerStations without a problem. Recently, however, my brother-in-law has become a serious bandwidth hog, leaving me unable to work because he's busy downloading porn and streaming & torrenting movies. What I want to accomplish is to create a whitelist of MAC addresses of devices on my network that are allowed full bandwidth, and anyone else on it is limited to 256kbps/96kbps. I have zero idea how to accomplish this. I have the Tik here on my desk and can connect it to WinBox, but I don't know what to beyond that. Any pointers or suggestions? I apologize for the crudeness of this diagram, but this is what I want to accomplish:  Basically, it shouldn't matter which router/AP you're connected to, if your device isn't listed, you get slow access.
|
|
#
?
Aug 2, 2012 20:53
|
|
|
TremorX posted:I recently procured a MikroTik RouterBOARD 750GL from a friend to use with throttling traffic on my home network. My network is a bit atypical. Long story short, I can't get internet access at my house, but 6mb fiber is ran to the house my brother-in-law is staying at about a half a mile away. I had it installed there and, for a few years now, have been running Ubiquiti PowerStations without a problem. Recently, however, my brother-in-law has become a serious bandwidth hog, leaving me unable to work because he's busy downloading porn and streaming & torrenting movies. Instead of approaching this with MAC address filtering, why not accomplish this at layer 3? If I'm looking at your diagram correctly, everything behind the linksys router is your brother-in-law's poo poo, and everything going to the ubiquiti stuff is yours. Create two NAT/DHCP pools, one on the port going to your stuff, and one for your brothers (Say your brother gets 192.168.2.x IP addresses when his stuff DHCPs, and your stuff gets 192.168.3.x). Tag all the traffic at the IP level and use one of the many tutorials out there to do queuing. I'm not a mikrotik expert so I cant outline how to do that step by step off the top of my head (far away from my house for a while), but anyone else can feel free to let me know if my logic is wrong here. Seems kinda mean to limit your brother to 256k though, at least give him 2-3 meg so YouTube videos won't buffer forever. Asymmetric POSTer fucked around with this message at 03:45 on Aug 5, 2012 |
|
#
?
Aug 5, 2012 03:41
|
|
|
mishaq posted:Instead of approaching this with MAC address filtering, why not accomplish this at layer 3? If I'm looking at your diagram correctly, everything behind the linksys router is your brother-in-law's poo poo, and everything going to the ubiquiti stuff is yours. Create two NAT/DHCP pools, one on the port going to your stuff, and one for your brothers (Say your brother gets 192.168.2.x IP addresses when his stuff DHCPs, and your stuff gets 192.168.3.x). Tag all the traffic at the IP level and use one of the many tutorials out there to do queuing. I think that'll work. I guess worse comes to worse, if he tries to jump over to a different network to get his fixx, I can sniff it out. I've got it working on my desk, now to install it. Alright, alright, I'll give him 1 megabit. But I don't have to like it.
|
|
#
?
Aug 7, 2012 02:07
|
|
|
Finally got around to plugging my R751G-2HnD. Is 47 out of 60 MiB normal memory usage when only one computer is running a few torrents?
|
|
#
?
Aug 7, 2012 04:53
|
|
|
TremorX posted:I think that'll work. I guess worse comes to worse, if he tries to jump over to a different network to get his fixx, I can sniff it out. I've got it working on my desk, now to install it. For what it's worth, I've never setup a MikroTik unit before, but with the magic of PCQ, I have 30 My reasoning behind PCQ is that now each client can only harm themselves. It took a day of informing everyone "if your internet feels slow, it's probably your fault", and putting up a simple status page that showed the router's ping to the Internet, and I never got complaints after that. I could probably make life easier for each user by QoS'ing to protect them from themselves (i.e. prioritizing their web traffic over torrents), but, eh. I'm not getting paid.
|
|
#
?
Aug 7, 2012 05:01
|
|
|
|
| # ? Apr 17, 2024 00:47 |
|
|
thebigcow posted:Finally got around to plugging my R751G-2HnD. Is 47 out of 60 MiB normal memory usage when only one computer is running a few torrents?
|
|
#
?
Aug 7, 2012 13:16
|
|