thebigcow
Jan 3, 2001

Bully!
I bought an RB951 to provide wireless in the office. I gave it its own NIC on our pfsense box and set up OSPF. The routing table on the routerboard looks like this:

code:
[admin@MikroTik] /ip route> print
Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme,
B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADo  0.0.0.0/0                          192.168.20.1            110
 1 ADo  192.168.0.0/24                     192.168.20.1            110
 2 ADC  192.168.20.0/30    192.168.20.2    ether1                    0
 3 ADC  192.168.20.128/26  192.168.20.129  wlan1                     0
 4 ADC  192.168.20.192/26  192.168.20.193  companyname               0
Companyname is a virtual ap. I can connect to it or wlan1 with my phone and access everything on 192.168.0.0. I can't get any traffic to the internet. Using ping and traceroute from winbox to a few ips on the internet works fine. There are no firewall rules on the routerboard and pfsense has a pass everything rule.

Any ideas on where to start?

PUBLIC TOILET
Jun 13, 2009

ManicJason posted:

Am I still the only person with nightmarish Apple vs. Mikrotik issues? I see tons of people on other forums complaining about the same since iOS 6 on something like 50% of the Apple wireless radios (all Broadcom, I believe.) There are recommendations about changing pre-amble settings and explicitly setting the protocol as 802.11, but all of my Apple devices (MacBook Pro, iPad 2, iPhone 4) get 100% packet loss at random intervals between a minute of use and 30 minutes of use even after messing with those settings. Rarely it will fix itself after five minutes or so, but it is always fixed by turning the wireless radio off and back on on the Apple device.

At this point, I'd say Mikrotik devices are totally incompatible with Apple. I'm about ready to throw my Mikrotik out the window and go back to crappy consumer wireless routers :(


edit: to clarify, these issues are all 100% Apple issues. It sounds like the issue now is that TKIP totally breaks Apple devices and AES has a bug that kills the connection after a certain time on half of Apple's devices.

I'm glad I'm not going insane then. I don't yet have a MikroTik router, but I've been noticing issues with iOS devices connecting to my current wireless network and I'm using WPA-2 with AES. If I can even get the device to connect (usually after telling it to keep trying because I know it's the correct password), it will stay connected for a while but then eventually drop off. It will then repeat the process of me having to try again and again. I eventually just gave up on it. If I see the same issues with the MikroTik then at least I know it's not going to be the router's fault. Apple needs to get their poo poo together.

CuddleChunks
Sep 18, 2004

thebigcow posted:

Any ideas on where to start?

Add a bridge between the wlan1 and ether1 (whatever you have the pfsense plugged into). The unit won't do it by default. That should get traffic moving between the wlan and the ethernet interfaces.


ManicJason - In general I haven't noticed any particular issues with my RB751 and my iPhone or iPod Touch. Both seem to do fine with wireless. Then again, I stopped upgrading iOS because I'm mad at Apple for the dumb things they do with each version.

At work we've noticed the same thing you have - many Apple products are starting to act seriously buggy with MikroTik gear. One solution we found is to turn on WPA and WPA2 with both TKIP and AES as options. Then turn off 802.11n by setting the card to B/G modes and now you should be working smoothly again.

ManicJason
Oct 27, 2003

He doesn't really stop the puck, but he scares the hell out of the other team.
I heard that disabling TKIP and only allowing AES helped, though that was likely just for the bug that was fixed in the second iOS 6 update.

I'll try turning off N if I have it on and will report back if it is a miracle fix. It may also be worth reactivating TKIP on the off chance that that particular bug was fixed. I had been ignoring all of these issues by hard-wiring, but I just moved to a place where that will be impractical.

thebigcow
Jan 3, 2001

Bully!
It was already forwarding packets to other networks on the pfsense box.

I tried adding the bridge, still wasn't able to get to the internet but winbox closed and couldn't reconnect until I used ssh from the pfsense box and removed the bridge. :iiam:

CuddleChunks
Sep 18, 2004

thebigcow posted:

I tried adding the bridge, still wasn't able to get to the internet but winbox closed and couldn't reconnect until I used ssh from the pfsense box and removed the bridge. :iiam:

Sorry, I wasn't following your example very well. Looking at it further I don't know why in the hell you're setting things up the way you are. It's seriously puzzling. Why are you running OSPF on this tiny little box? Is it meant to be a wireless bridge or are you trying to make it a router of some sort? Does it hand out DHCP or otherwise interact at the IP level with the wireless clients?

To my eyes that seems a strangely overkill use of the unit when you can make it into a wireless bridge and let your pfsense box handle all the heavy lifting as far as the networking goes.

I'd love to know more about why you're setting it up the way you are.

thebigcow
Jan 3, 2001

Bully!
I started out wanting just a wireless bridge. Then I thought about running a virtual ap with another network just for guests at the office that I would firewall off from our network and just allow internet access. Then I thought I should learn OSPF since I'm going to have a bunch of virtual machines running behind a pfsense vm in the near future. Then I ended up with my current mess.

Right now ether1 has a direct connection to the pfsense box and both interfaces are on a /30. wlan1 and companyname each have a /26. The routerboard is running dhcp for both wireless connections. I can get from either wireless to anything on the other side of the pfsense box without problems. I spent yesterday using xabber to message people's desktops just because I could. The only thing that doesn't work is wireless to internet, and I'm not sure where to start.

I may tear out OSPF and just set static routes, or I may just make it a wireless bridge and not worry about it until I have more time.

Ninja Rope
Oct 22, 2005

Wee.

thebigcow posted:

Any ideas on where to start?

Does the pfsense host have all the same goofy /30 and /26 routes back? If not, what does it have?

thebigcow
Jan 3, 2001

Bully!
code:
Codes: K - kernel route, C - connected, S - static, R - RIP, O - OSPF,
       I - ISIS, B - BGP, > - selected route, * - FIB route

K>* 0.0.0.0/0 via redacted, xl0
C>* redacted/30 is directly connected, xl0
C>* 127.0.0.0/8 is directly connected, lo0
C>* 192.168.0.0/24 is directly connected, fxp0
O   192.168.20.0/30 [110/10] is directly connected, xl1, 23:04:14
C>* 192.168.20.0/30 is directly connected, xl1
O>* 192.168.20.128/26 [110/20] via 192.168.20.2, xl1, 01:55:39
O>* 192.168.20.192/26 [110/30] via 192.168.20.2, xl1, 01:55:38
Everything is there.

ManicJason
Oct 27, 2003

He doesn't really stop the puck, but he scares the hell out of the other team.
Adding TKIP and turning off G made no difference at all. It looks like Mikrotik and Apple just don't play together anymore, so I get to buy some other AP to setup bridged.

edit: I got some massive improvement on the time between failures by going back to 802.11B/G/N, specifying only long preamble-mode, and changing channels to the opposite end of the spectrum. Only changing the channel made a marked difference, but there isn't a lot of traffic on the original channel that I can see. I'll be delighted if it sticks to the 30 minutes or so between dying that I'm finally getting now.

ManicJason fucked around with this message at 23:57 on Mar 20, 2013

thebigcow
Jan 3, 2001

Bully!
I gave up and made it a simple wireless bridge :(

PirateDentist
Mar 28, 2006

Sailing The Seven Seas Searching For Scurvy

I got my RB751G-2HnD all installed. I still have a few config issues for routing PPTP, but otherwise this thing is kicking the poo poo out of my old DIR-655.

My old wifi would get a bit outside of my apartment before dropping to uselessness. Now I get to the other end of the building, in my car, and I'm still just barely getting a signal, through ~50 yards of building and 7 other apartments.

I'm amazed at how good a signal it has for not having an external antenna. I almost want to toss one on it now just to see what it's capable of.

CuddleChunks
Sep 18, 2004

hahahah awesome.

CuddleChunks
Sep 18, 2004

Good lord I am tired of the RB751's and their stupid bullshit with Apple products and everyone else. I've spent the last few days tweaking and fiddling and reading the angry forums at Mikrotik.com to get some guidance on how these should be setup. Thing is, they have so drat many features that it's anyone's guess what you should change. Still, I hope the following is helpful and this constitutes the best knowledge I have for how to set one of these up for home use:

Upgrade to 5.24 firmware, then upgrade the routerboard firmware to whatever it will take. That gives a good starting platform for all of this.

Open a terminal window and paste in the following (after changing the two global variables to match your home setup):
code:
:global SSID value="wireless"
:global WPAKEY value="home wifi"
# WPA2-PSK only, AES-CCM for both group and unicast ciphers (no TKIP)
/int wir security-profiles add name=WPA2 authentication-types=wpa2-psk \
    management-protection=disabled mode=dynamic-keys group-ciphers=aes-ccm \
    unicast-ciphers=aes-ccm wpa2-pre-shared-key=$WPAKEY
# N-only mode, 40 MHz channel, both chains, reduced tx power
/int wir set wlan1 ssid=$SSID security-profile=WPA2 band=2ghz-onlyn \
    channel-width=20/40mhz-ht-above wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0,1 ht-rxchains=0,1 \
    dfs-mode=no-radar-detect distance=indoors frequency-mode=regulatory-domain \
    tx-power=11 tx-power-mode=card-rates mode=ap-bridge
If that doesn't get you going with decent speeds, or if you don't have all-N capable equipment, then roll on back to mixed mode like so:
code:
# mixed B/G mode, 20 MHz channel, single chain
/int wir set wlan1 security-profile=WPA2 band=2ghz-b/g \
    channel-width=20mhz wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0 ht-rxchains=0
Basically, the power levels get trimmed down a bit, it sets some antenna mode stuff for N-mode and turns it back off for mixed mode. WPA2 is used with AES exclusively. If you have gear that won't support that then it's easy to go into the wireless security profiles section and tweak things there.

Good luck, let me know if this blows up your system so I can laugh and laugh and cry and laugh some more. Oh, and this works fine on the RB951's although they only have one tx/rx chain.

CuddleChunks fucked around with this message at 21:26 on Mar 29, 2013

ManicJason
Oct 27, 2003

He doesn't really stop the puck, but he scares the hell out of the other team.
I can't do N only because I have a PS3 and a receiver that won't cooperate. I've totally given up on using my Mikrotik's radio and will probably not go back to Mikrotik at all once my current router needs upgrading. It's a shame. They're very configurable, but they're worthless when they won't work with any Apple devices at all, at least when you're an Apple developer.

edit: That N configuration did totally solve my issues. I'll try out the mixed mode config and see if it has also dried my wifi tears.

edit again: Nope, mixed mode has the same issue after five minutes or so of use.

ManicJason fucked around with this message at 07:08 on Mar 30, 2013

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Good lord I am tired of the RB751's and their stupid bullshit with Apple products and everyone else. I've spent the last few days tweaking and fiddling and reading the angry forums at Mikrotik.com to get some guidance on how these should be setup. Thing is, they have so drat many features that it's anyone's guess what you should change. Still, I hope the following is helpful and this constitutes the best knowledge I have for how to set one of these up for home use:

Upgrade to 5.24 firmware, then upgrade the routerboard firmware to whatever it will take. That gives a good starting platform for all of this.

Open a terminal window and paste in the following (after changing the two global variables to match your home setup):
code:
:global SSID value="wireless"
:global WPAKEY value="home wifi"
# WPA2-PSK only, AES-CCM for both group and unicast ciphers (no TKIP)
/int wir security-profiles add name=WPA2 authentication-types=wpa2-psk \
    management-protection=disabled mode=dynamic-keys group-ciphers=aes-ccm \
    unicast-ciphers=aes-ccm wpa2-pre-shared-key=$WPAKEY
# N-only mode, 40 MHz channel, both chains, reduced tx power
/int wir set wlan1 ssid=$SSID security-profile=WPA2 band=2ghz-onlyn \
    channel-width=20/40mhz-ht-above wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0,1 ht-rxchains=0,1 \
    dfs-mode=no-radar-detect distance=indoors frequency-mode=regulatory-domain \
    tx-power=11 tx-power-mode=card-rates mode=ap-bridge
If that doesn't get you going with decent speeds, or if you don't have all-N capable equipment, then roll on back to mixed mode like so:
code:
# mixed B/G mode, 20 MHz channel, single chain
/int wir set wlan1 security-profile=WPA2 band=2ghz-b/g \
    channel-width=20mhz wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0 ht-rxchains=0
Basically, the power levels get trimmed down a bit, it sets some antenna mode stuff for N-mode and turns it back off for mixed mode. WPA2 is used with AES exclusively. If you have gear that won't support that then it's easy to go into the wireless security profiles section and tweak things there.

Good luck, let me know if this blows up your system so I can laugh and laugh and cry and laugh some more. Oh, and this works fine on the RB951's although they only have one tx/rx chain.

Thanks for this. I just received an e-mail this week stating my RB951G-2HnD shipped from Latvia so if I have issues with Apple products I'll give your script a try.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
So I just got my first ever RouterBoard device. I'm basically just trying to understand the interface at this point. I was looking in the firewall rules and noticed some rules were created with the default setup.

Can anyone tell me what these highlighted rules are doing?



Rule 0 is to allow pinging the device.
Rule 3 is one I've created to allow winbox from outside the NAT.
Rule 4 is a catch all deny.

What are rules 1 and 2?


Edit: Bonus unrelated question, does RouterOS support firewalls between interfaces/zones? For example, can I set up firewall rules between vlans on the switch ports? I haven't looked this far into it yet.

Edit 2: Never mind, figured out the firewall rules.

IT Guy fucked around with this message at 18:28 on Apr 9, 2013

thebigcow
Jan 3, 2001

Bully!
Rule 1 allows established connections through; this is so that when something behind your NAT connects to the internet, the internet can respond back. Rule 2 is for related connections; I have no idea what that is. Either right click and select detail mode, or double click on a rule and you can see that those two are only for a certain connection state.

Afaik you can firewall between interfaces. It has an input interface and output interface in the rule but I've never used it.

edit: I take a long time to type

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

thebigcow posted:


edit: I take a long time to type

Thanks for the answer. I did figure out the established connection thing but like you, I still do not know what the related is.

SamDabbers
May 26, 2003



IT Guy posted:

Thanks for the answer. I did figure out the established connection thing but like you, I still do not know what the related is.

I may be incorrect, but I believe "related" enables things like active mode FTP and SIP, which require new connections on dynamic ports initiated from the Internet side to function.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
That makes sense.

Unrelated, I can't seem to get a DHCP IP from my ISP whatever I try. I'm using just a default configuration, haven't changed anything but the admin password, and I never get a DHCP IP from my ISP on cable. However, if I plug the ether1-gateway interface into a private network with a DHCP server, I get a DHCP IP address right away. Has anyone experienced this? I've tried rebooting the modem but it doesn't help. I don't have to do any MAC address cloning bullshit. I have a SonicWALL TZ210 that works and picks up an IP and I also have two Linksys routers (WRT54GL and an E3200) that both pick up a DHCP IP from my ISP.

I've opened a ticket with my ISP but I'm doubting they will support this.

thebigcow
Jan 3, 2001

Bully!
I don't have any idea, what dhcp client settings do you have?

async1ronous
May 23, 2003

I flopped the nuts straight
Just a sanity check, do you have a dhcp client enabled on the appropriate ethernet port?

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
DHCP client is on the SFP interface and the ether1-gateway interface. Modem is plugged into ether1-gateway. It's enabled and definitely works on any network except my ISP's cable that I've tested it on. I have a RB750 here at work that I'm going to bring home to make sure it's not the hardware.

PUBLIC TOILET
Jun 13, 2009

I finally received my RB951G-2HnD from Latvia via USPS. Poked through this thread, some Google searching and the MikroTik wiki site in order to configure it and understand its intricacies. It's been a couple of days and I finally just put it in production. I'm loving the poo poo out of this little mother fucker. I'm seriously impressed so far, it's practically light-years ahead of my old WRT54GL. I'm still working on configuring the static entries and some port forwarding but otherwise it's been seamless. I didn't have to do any crazy workarounds to get iOS devices to work, either.

PUBLIC TOILET
Jun 13, 2009

I could actually use some help with a couple of issues I haven't had luck resolving. The first one is probably simple. I have a static IP entry for my Windows Home Server so it always gets 192.168.88.200. The Windows Home Server has a domain on homeserver.com so it can happily associate itself to that domain for remote access. However, part of making this successful is to forward at least two out of three ports through the router. I've done some Googling and also browsed the MikroTik wiki but so far everything I've tried has created more problems.

I've been trying to configure port forwarding through IP -> Firewall -> NAT. I've created two separate entries, one that tells the router to allow external connections on TCP inbound to port 443 only to 192.168.88.200. The other one is the same way only it allows external connections inbound to port 4125 only to 192.168.88.200. When I set this and enable it, it doesn't work, but it also causes my workstation to not reach some websites. So if the two rules are enabled, they also cause my workstation to not establish a connection to various websites. When I removed those two port forward entries, my workstation returned to normal. In addition to that, when I browse to http://192.168.88.200 in a web browser, for some reason it takes me to the MikroTik's login screen. Port 80 shouldn't even be enabled or allowed to any machine on the internal network.

Scratch that last part, apparently it doesn't seem to do that any longer. I just tried to access http://192.168.88.200/ in a browser and it went to the server this time. Mind you I don't have any port forwarding rules configured at the moment.

Here's what my current firewall configuration looks like:

code:
[admin@MikroTik] > ip firewall export
# apr/11/2013 22:32:53 by RouterOS 5.24
# software id = PLN9-VJ6I
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no
add action=accept chain=input comment="default configuration" connection-state=\
    related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=no dst-port=443 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-port=4125 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=4125
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

PUBLIC TOILET fucked around with this message at 03:33 on Apr 12, 2013

zennik
Jun 9, 2002

At first glance, your rules look correct. One thing I've always done, though, is make sure I'm a little more specific in my NAT rules. Here's an example of one I just set up last night to replace our dying OpenBSD firewall. I censored out our public IPs for security reasons.

For some reason RouterOS can get odd about how it processes NAT/Firewall rules, so the more specific you can get, the better.




code:
ip firewall export 
# apr/12/2013 10:52:44 by RouterOS 6.0rc12
# software id = AD10-EJJP
#
/ip firewall address-list
add address=10.0.0.0/8 list=Internal-Mgmt
add address=172.16.0.0/12 list=Internal-Mgmt
add address=192.168.0.0/16 list=Internal-Mgmt
add address=192.168.218.0/24 list=Internal-NAT
add address=192.168.60.0/24 list=Internal-NAT
add address=10.45.23.0/24 list=Internal-NAT
add address=10.250.255.0/24 list=Internal-NAT
add address=10.34.0.0/16 list=Internal-NAT
add address=10.32.0.0/16 list=Internal-NAT
add address=10.3.0.0/22 list=Internal-NAT
add address=192.168.100.0/24 list=Internal-NAT
add address=192.168.253.0/24 list=Internal-NAT
add address=172.16.10.0/24 list=Internal-NAT
add address=10.16.0.0/16 list=Internal-NAT
add address=10.253.248.0/24 list=Internal-NAT
add address=172.16.0.0/23 list=Internal-NAT
add address=172.31.0.0/23 list=Internal-NAT
/ip firewall nat
add action=src-nat chain=srcnat dst-address-list=!Internal-Mgmt src-address=10.45.23.0/24 to-addresses=x.x.x.175
add action=src-nat chain=srcnat src-address=192.168.253.0/24 to-addresses=x.x.x.175
add action=src-nat chain=srcnat dst-address-list=!Internal-Mgmt src-address-list=Internal-NAT to-addresses=x.x.x.157
add action=dst-nat chain=dstnat comment=Mail dst-address=x.x.x.175 dst-port=25,80,110,143,443,587,993,995,6002 protocol=tcp to-addresses=10.45.23.125
add action=dst-nat chain=dstnat comment="AU Vendor Remote Access" dst-address=x.x.x.170 dst-port=22 protocol=tcp to-addresses=192.168.253.2
add action=dst-nat chain=dstnat comment="AU Web Server" dst-address=x.x.x.170 dst-port=80,443 protocol=tcp to-addresses=192.168.253.4
add action=dst-nat chain=dstnat comment="Credit Card Forwarding" dst-address=x.x.x.178 dst-port=80,443 protocol=tcp to-addresses=192.168.253.10
add action=dst-nat chain=dstnat comment=www1 dst-address=x.x.x.176 dst-port=80,443 protocol=tcp to-addresses=192.168.253.6
add action=dst-nat chain=dstnat comment=www2 dst-address=x.x.x.177 dst-port=20,21,80,443,8022 protocol=tcp to-addresses=192.168.253.7
add action=dst-nat chain=dstnat comment="Residential Sales Server" dst-address=x.x.x.176 dst-port=8080,8022 protocol=tcp to-addresses=192.168.253.8
add action=dst-nat chain=dstnat comment=ftp dst-address=x.x.x.176 dst-port=20,21,8001,8002,8003,8004,8005 protocol=tcp to-addresses=192.168.253.9
add action=dst-nat chain=dstnat comment=testweb dst-address=x.x.x.179 dst-port=80,443 protocol=tcp to-addresses=192.168.253.11
You'll notice I'm using address lists to define my internal subnets. The rule in question I'd take a look at is the third NAT rule. Instead of a typical 'catchall' NAT rule, it specifically filters out any traffic I have labeled as local. I did two different lists for my local subnets for a few other reasons, but for your setup you could just do something a little simpler.

I would change your two NAT rules to one rule, as such:


code:
/ip firewall nat
add action=dst-nat chain=dstnat src-address=!192.168.88.0/24 disabled=no dst-port=443,4125 protocol=tcp to-addresses=192.168.88.200
Failing that, remove the src-address entry and try updating to RouterOS version 6. One thing about Mikrotik is there are a lot of undocumented changes between versions. I've had to upgrade all of my routers to version 6 for various issues in version 5 that I kept running into.

EDIT: I just noticed your actual firewall filter rules at the beginning there. It wouldn't hurt to disable those, for now.

zennik fucked around with this message at 18:17 on Apr 12, 2013

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

IT Guy posted:


Unrelated, I can't seem to get a DHCP IP from my ISP whatever I try. I'm using just a default configuration, haven't changed anything but the admin password and I never get a DHCP IP from my ISP on cable. However, if I plug the ether1-gateway interface into a private network with a DHCP server, I get a DHCP IP address right away. Has anyone experienced this? I've tried rebooting the modem but it doesn't help. I don't have to do any MAC address cloning bullshit. I have a SonicWALL TZ210 that works and picks up an IP and I also have two Linksys routers (WRT54GL and a E3200) that both pickup a DHCP IP from my ISP.

I've opened a ticket with my ISP but I'm doubting they will support this.

Update: Turns out it was my ISP and they had to re-provision my account and give me a new modem. I don't even know why the gently caress, but it's fixed now. It wasn't the Mikrotik RouterBoard.

PUBLIC TOILET
Jun 13, 2009

zennik posted:

I would change your two NAT rules to one rule, as such:

code:
/ip firewall nat
add action=dst-nat chain=dstnat src-address=!192.168.88.0/24 disabled=no dst-port=443,4125 protocol=tcp to-addresses=192.168.88.200
Failing that, remove the src-address entry and try updating to RouterOS version 6. One thing about Mikrotik is there are a lot of undocumented changes between versions. I've had to upgrade all of my routers to version 6 for various issues in version 5 that I kept running into.

EDIT: I just noticed your actual firewall filter rules at the beginning there. It wouldn't hurt to disable those, for now.

I removed the rules I created and added the one you created above. No luck. Is that correct, though? You have the src-address as the internal network and the to-addresses go directly to the server. Wouldn't that only allow internal traffic to go to the server and not external Internet traffic? You also don't specify any action ports so I presume I don't need to input any if I've already specified ports 443 and 4125? The filter rules you mention were the pre-configured ones that have been there since I hooked up the router. Not sure if they're safe to remove or not.

zennik
Jun 9, 2002

PUBLIC TOILET posted:

I removed the rules I created and added the one you created above. No luck. Is that correct, though? You have the src-address as the internal network and the to-addresses go directly to the server. Wouldn't that only allow internal traffic to go to the server and not external Internet traffic? You also don't specify any action ports so I presume I don't need to input any if I've already specified ports 443 and 4125? The filter rules you mention were the pre-configured ones that have been there since I hooked up the router. Not sure if they're safe to remove or not.


Notice the ! before the subnet, that means to match anything NOT in that subnet as the source. It shouldn't ever be an issue, but in rare cases it can be.

Those filter rules are very safe to remove. They're just default rules for some basic firewall security, and could very well be the source of your problem.
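
The matching behaviour of the two dstnat rule sets discussed above (PUBLIC TOILET's pair of in-interface=ether1-gateway rules and zennik's single src-address=!192.168.88.0/24 rule), as an added illustration that is not code from the thread: a small Python model of how a RouterOS dstnat chain walks its rules and takes the first match. The WAN address 198.51.100.7 and the client addresses are constructed (the thread's public IP is redacted); the field semantics modelled (`!` negates an address match, a comma-separated dst-port list matches any listed port) are the standard RouterOS ones.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple


@dataclass
class Packet:
    src: str        # source IP
    dst: str        # destination IP (the router's WAN address for a port forward)
    proto: str      # "tcp" / "udp"
    dport: int      # destination port
    in_iface: str   # interface the packet arrived on


@dataclass
class DstNatRule:
    """Subset of a RouterOS /ip firewall nat chain=dstnat rule."""
    to_address: str
    to_port: Optional[int] = None          # None: keep the original dst-port
    protocol: Optional[str] = None
    dst_ports: Tuple[int, ...] = ()        # dst-port=443,4125 -> (443, 4125)
    src_address: Optional[str] = None      # "!" prefix negates, as in RouterOS
    dst_address: Optional[str] = None
    in_interface: Optional[str] = None
    disabled: bool = False


def _match_addr(spec: str, addr: str) -> bool:
    """Match addr against a RouterOS address spec, honouring a leading '!'."""
    negate = spec.startswith("!")
    net = ipaddress.ip_network(spec.lstrip("!"), strict=False)
    hit = ipaddress.ip_address(addr) in net
    return hit != negate


def rule_matches(rule: DstNatRule, pkt: Packet) -> bool:
    """Every specified matcher must agree; unspecified matchers match anything."""
    if rule.disabled:
        return False
    if rule.protocol and rule.protocol != pkt.proto:
        return False
    if rule.dst_ports and pkt.dport not in rule.dst_ports:
        return False
    if rule.src_address and not _match_addr(rule.src_address, pkt.src):
        return False
    if rule.dst_address and not _match_addr(rule.dst_address, pkt.dst):
        return False
    if rule.in_interface and rule.in_interface != pkt.in_iface:
        return False
    return True


def apply_dstnat(rules, pkt: Packet):
    """First matching rule wins; returns (to-address, to-port) or None if nothing matched."""
    for rule in rules:
        if rule_matches(rule, pkt):
            return (rule.to_address, rule.to_port or pkt.dport)
    return None


# Constructed addresses: the router's public side uses an RFC 5737 documentation address.
WAN_IP = "198.51.100.7"
LAN_NET = "192.168.88.0/24"
SERVER = "192.168.88.200"   # the Windows Home Server from the thread

# PUBLIC TOILET's exported rules: one per port, restricted to in-interface=ether1-gateway.
ORIGINAL_RULES = [
    DstNatRule(SERVER, 443, "tcp", (443,), in_interface="ether1-gateway"),
    DstNatRule(SERVER, 4125, "tcp", (4125,), in_interface="ether1-gateway"),
]

# zennik's replacement: one rule, both ports, any source outside the LAN.
ZENNIK_RULE = [
    DstNatRule(SERVER, None, "tcp", (443, 4125), src_address="!" + LAN_NET),
]


def demo() -> dict:
    """Run three constructed packets through both rule sets."""
    external_443 = Packet("203.0.113.5", WAN_IP, "tcp", 443, "ether1-gateway")
    external_80 = Packet("203.0.113.5", WAN_IP, "tcp", 80, "ether1-gateway")
    # A LAN host testing the forward by browsing to the WAN address.
    hairpin_443 = Packet("192.168.88.10", WAN_IP, "tcp", 443, "ether2-master-local")
    return {
        "external_443_original": apply_dstnat(ORIGINAL_RULES, external_443),
        "external_443_zennik": apply_dstnat(ZENNIK_RULE, external_443),
        "external_80_zennik": apply_dstnat(ZENNIK_RULE, external_80),
        "hairpin_443_original": apply_dstnat(ORIGINAL_RULES, hairpin_443),
        "hairpin_443_zennik": apply_dstnat(ZENNIK_RULE, hairpin_443),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {'forwarded to %s:%d' % result if result else 'no dstnat match'}")
```

Both rule sets forward the genuinely external connection; neither matches the LAN host's test against the WAN address (wrong in-interface in one case, source inside the negated subnet in the other), so that packet keeps the router's own address as its destination and is handled by the router itself rather than the server.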

PUBLIC TOILET
Jun 13, 2009

zennik posted:

Notice the ! before the subnet, that means to match anything NOT in that subnet as the source. It shouldn't ever be an issue, but in rare cases it can be.

Those filter rules are very safe to remove. They're just default rules for some basic firewall security, and could very well be the source of your problem.

I can simply disable them and not have to delete them, correct? If so, disabling them hasn't resolved the issue. The NAT rule you provided is in there and enabled. I've also tried it with and without specifying the "In. Interface" as "ether1-gateway" but that doesn't seem to have an effect either.

zennik
Jun 9, 2002

PUBLIC TOILET posted:

I can simply disable them and not have to delete them, correct? If so, disabling them hasn't resolved the issue. The NAT rule you provided is in there and enabled. I've also tried it with and without specifying the "In. Interface" as "ether1-gateway" but that doesn't seem to have an effect either.

Correct.

And that is a little odd, truth be told. I grabbed a 751 and tested a basic setup with a DHCP client WAN IP and just a simple port forward as described and that's working for me. Wondering if there's something else going on here. Is your ISP possibly filtering port 80?

EDIT: For that matter, not to ask a stupid question, but is your mikrotik pulling an actual WAN IP, or is it getting a 192.168, 10., or 172.12-31 IP?

zennik fucked around with this message at 23:42 on Apr 12, 2013

PUBLIC TOILET
Jun 13, 2009

zennik posted:

Correct.

And that is a little odd, truth be told. I grabbed a 751 and tested a basic setup with a dhcp client WAN Ip and just a simple port forward as described and that's working for me. Wondering if there's something else going on here. Is your ISP possibly filtering port 80?

EDIT: For that matter, not to ask a stupid question, but is your mikrotik pulling an actual WAN IP, or is it getting a 192.168, 10., or 172.12-31 IP?

I know that Time Warner blocks port 80 access, but I don't believe they block port 443 (HTTPS). That's why on the old router (WRT54GL w/Tomato), I had it set so that accessing the WAN IP or the DNS name with "https://" would go through the router directly to the server and the webpage would appear. For some reason that's not working with the MikroTik even after trying what you suggested, and after trying what other websites have suggested either. So I never bothered configuring port 80 access on the old router, but I did configure port 443 and port 4125 as required for WHS and it was working fine. Maybe there's a configuration/setting somewhere else in the router that's stopping it? Not sure where to look, though.

PUBLIC TOILET fucked around with this message at 15:31 on Apr 13, 2013

CuddleChunks
Sep 18, 2004

When you try to access your server, exactly what URL are you going to? Are you putting in its internal IP address or trying to use the external IP?

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

When you try to access your server, exactly what URL are you going to? Are you putting in its internal IP address or trying to use the external IP?

When I test the site internally, I'm able to reach the server via https://192.168.88.200/. When I test it externally after creating a NAT rule, I've tried it via the WLAN IP and by the DNS name as well. Neither one works, I receive an error in Chrome stating the connection was refused. I've also been testing with this site and this site. Both are stating that my IP and my DNS respond, but on port 80 AND 443. Not sure why as the NAT rule doesn't mention allowing port 80. One thing I've noticed that might be causing problems in the first place though-- whether or not that NAT rule is enabled or disabled, if I open a browser on the internal network and type in https://removed, it will take me to the MikroTik router login page. I'm not sure why the router is associating itself with port 80 or why it's even enabled. Maybe DNS isn't configured properly on the router? How do I force the router and all internal devices to use OpenDNS?

I think I have OpenDNS configured properly by using the following:

code:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=\
    208.67.222.222,208.67.220.220
and this:

code:
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=53 in-interface=ether2-master-local protocol=udp
I think that's the correct methodology. I've also done the following to block external access to port 80 (the testing sites I mentioned above confirm it's closed now). I've also decided for the hell of it to also accept incoming connection attempts to ports 443 and 4125 as well thinking that might fix things but it does not:

code:
add action=drop chain=input comment="default configuration" disabled=no dst-port=80 in-interface=ether1-gateway \
    protocol=tcp
add action=accept chain=input comment="default configuration" disabled=no dst-port=443,4125 in-interface=\
    ether1-gateway protocol=tcp

PUBLIC TOILET fucked around with this message at 15:30 on Apr 13, 2013

CuddleChunks
Sep 18, 2004

How are you testing this externally? Are you remoted into another machine and are trying to reach your site? Do you have a buddy trying to reach this page for you?

PS: It's working fine. Going to the link you provided brings up a windows home server page just fine. Nothing is wrong with your rules, or if you tweaked something since your post DON'T CHANGE IT!

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

How are you testing this externally? Are you remoted into another machine and are trying to reach your site? Do you have a buddy trying to reach this page for you?

PS: It's working fine. Going to the link you provided brings up a windows home server page just fine. Nothing is wrong with your rules, or if you tweaked something since your post DON'T CHANGE IT!

Really? Huh. I'll have to check that. Does my OpenDNS configuration look okay? By the way, I've checked the logs this morning and unsurprisingly I see an IP address from China has been trying to log in through SSH. What is with these routers just allowing everything turned on by default? So now I have to specifically drop attempts via port 22 in the rules AND dig through logs? I'm just going to poke around some MikroTik wiki pages on securing the router.

PUBLIC TOILET fucked around with this message at 15:44 on Apr 13, 2013

CuddleChunks
Sep 18, 2004

Go to IP -> Services and turn off all the services you don't want the Mikrotik to advertise. In other words, turn off the web server, the FTP port, SSH, telnet, etc. Turn off everything except winbox if you like and that should stop the bulk of probe attempts against your router.

Your DNS setup looks fine.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Go to IP -> Services and turn off all the services you don't want the Mikrotik to advertise. In other words, turn off the web server, the FTP port, SSH, telnet, etc. Turn off everything except winbox if you like and that should stop the bulk of probe attempts against your router.

Your DNS setup looks fine.

You and zennik have been a big help, thank you. I've combed through some security practice information in the MikroTik wiki and modified/applied it to my router. The only services I currently have enabled are "ssh", "winbox" and "www". However, I do believe I have my firewall rules configured properly so that external access is denied to those services. Below is the current configuration, maybe either of you can tell me if I've done anything incorrectly. One thing I'm not sure about is if I should specify an in-interface for the "From LAN network" rule. I also have BitTorrent configured to utilize UPnP for port forwarding, but also allow incoming connections to port 29793. Not sure if the rules below screw that up.

code:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=input comment="Block HTTP requests" disabled=no dst-port=80 in-interface=ether1-gateway \
    protocol=tcp
add action=accept chain=input comment="Allow HTTPS/RWW (\\\\SERVER)" disabled=no dst-port=443,4125 in-interface=\
    ether1-gateway protocol=tcp
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no \
    in-interface=ether1-gateway
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no \
    in-interface=ether1-gateway
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no \
    in-interface=ether1-gateway
add action=accept chain=input comment=UDP disabled=no in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no in-interface=ether1-gateway limit=\
    50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no in-interface=ether1-gateway protocol=icmp
add action=drop chain=input comment=SSH disabled=no dst-port=22 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment=WinBox disabled=no dst-port=8291 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment="From WLAN (Time Warner) network" disabled=no in-interface=ether1-gateway \
    src-address=76.180.32.0/20
add action=accept chain=input comment="From LAN network" disabled=no src-address=192.168.88.0/24
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway \
    to-addresses=0.0.0.0
add action=redirect chain=dstnat comment=OpenDNS disabled=no dst-port=53 in-interface=ether2-master-local \
    protocol=udp
add action=dst-nat chain=dstnat comment="Remote Web Access (\\\\SERVER)" disabled=no dst-port=443,4125 \
    in-interface=ether1-gateway protocol=tcp src-address=!192.168.88.0/24 to-addresses=192.168.88.200

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no


SamDabbers
May 26, 2003

You may want to take a look at the packet flow diagram for RouterOS. The "input" chain in the firewall is for packets destined to the router itself, not packets that will ultimately be forwarded (the "forward" chain) somewhere else. Right now there's an implicit "accept all" rule in the "forward" chain, which is why things appear to be working. Look at the counters on the rules you have in Winbox; some of them are likely not being hit.

Some things to keep in mind when crafting firewall rules:
  • The first matching rule is the one that matters, so you want the bulk of your packets to be matched as early as possible to avoid excess processing latency. You can also take advantage of the ordering to do things like "accept from LAN; do something else from everywhere else" without having to explicitly name each of the interfaces/addresses/subnets for each "everywhere else."
  • Allowing "connection-state=established" takes care of the 2nd and all subsequent packets for a connection, so your other rules only have to match the first packet that initiates a connection.
  • NAT happens before filtering, so use translated addresses in the rules.
  • Place an explicit drop at the end of each chain you use since the default is accept, and then you only have to make rules for what you explicitly want to allow.
Here's how I'd clean up your ruleset (comments inline; remember the default action is accept):
code:
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
# I like to match on the interface for traffic from my LAN,
# but you could also filter by src-address if you prefer
add chain=input comment="Allow all traffic from LAN" in-interface=ether2-master-local
add chain=input comment="Rate-limit pings" limit=50/5s,2 protocol=icmp
# Add specific drop rules for traffic you don't want logged here
add action=drop chain=input comment="SSH scans" dst-port=22 protocol=tcp
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input

add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward comment="Allow outgoing TCP traffic from LAN" connection-state=new protocol=tcp \
    tcp-flags=syn,!ack in-interface=ether2-master-local
add chain=forward comment="Allow outgoing UDP traffic from LAN" connection-state=new protocol=udp \
    in-interface=ether2-master-local
add chain=forward comment="Allow outgoing pings from LAN" connection-state=new protocol=icmp \
    icmp-options=8 in-interface=ether2-master-local
# Alternatively, you could omit the 3 previous rules and instead allow all traffic from the LAN
# interface with a single rule. I just prefer to see "everything else" logged.
add chain=forward comment="Allow HTTPS/RWW (\\\\SERVER)" connection-state=new protocol=tcp \
    dst-address=192.168.88.200 dst-port=443,4125 tcp-flags=syn,!ack in-interface=ether1-gateway
add action=log chain=forward comment="Log everything else" log-prefix="DROP FORWARD"
add action=drop chain=forward

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
# Destination NAT can only map to a single address, or a consecutive range of addresses,
# hence only one of the OpenDNS servers is listed. I wouldn't use REDIRECT and the Mikrotik
# built-in DNS resolver, since it has well-known problems with e.g. low TTL records.
add action=dst-nat chain=dstnat comment="OpenDNS UDP" dst-port=53 protocol=udp \
    in-interface=ether2-master-local to-addresses=208.67.222.222
# Remember that DNS can use TCP too
add action=dst-nat chain=dstnat comment="OpenDNS TCP" dst-port=53 protocol=tcp \
    in-interface=ether2-master-local to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Remote Web Access (\\\\SERVER)" dst-port=443,4125 \
    protocol=tcp in-interface=ether1-gateway to-addresses=192.168.88.200
Edit: Made the code block play nicer with tables. Added a comment or two to the ruleset. Also :goonsay:

SamDabbers fucked around with this message at 21:29 on Apr 13, 2013
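To make the input-versus-forward point concrete, here is a small Python model of the packet flow described above (dst-nat first, then the chain picked by destination, first match wins, implicit accept). It is an added example and not RouterOS code or anyone's config from this thread; the router's WAN address, the reduced rulesets and the test packets are constructed, while the LAN subnet, server address, interface names and ports are the ones posted above.

```python
# Toy model of the packet flow SamDabbers describes: dst-nat runs first, then the filter
# chain is chosen by destination (input = to the router, forward = through it), the first
# matching rule wins, and a chain with no match ends in an implicit accept.
# Added example, not RouterOS code; the router's WAN address and the packets are constructed.
ROUTER_ADDRS = {"203.0.113.10", "192.168.88.1"}   # constructed WAN IP and LAN gateway
WEB = {443, 4125}                                 # WHS remote-access ports from the thread

def rule(chain, action="accept", **match):
    return {"chain": chain, "action": action, "match": match}

def matches(r, pkt):
    # every matcher must hold; a set matcher means "any of these" (like dst-port=443,4125)
    return all(pkt.get(k) in v if isinstance(v, set) else pkt.get(k) == v
               for k, v in r["match"].items())

def dst_nat(pkt, nat_rules):
    for r in nat_rules:
        if matches(r, pkt):
            return {**pkt, "dst": r["action"]}    # action carries to-addresses here
    return pkt

def run(pkt, nat_rules, filter_rules):
    """Return (verdict, index of the deciding rule), with None for the implicit accept."""
    pkt = dst_nat(pkt, nat_rules)                 # NAT happens before filtering
    chain = "input" if pkt["dst"] in ROUTER_ADDRS else "forward"
    for i, r in enumerate(filter_rules):
        if r["chain"] == chain and matches(r, pkt):
            return r["action"], i
    return "accept", None

NAT = [rule("dstnat", "192.168.88.200", in_if="ether1-gateway", proto="tcp", dst_port=WEB)]
# the input-only ruleset posted above, reduced to the rules the test packets can reach
ORIGINAL = [
    rule("input", "accept", in_if="ether1-gateway", proto="tcp", dst_port=WEB),  # counter stays 0
    rule("input", "drop", in_if="ether1-gateway", proto="tcp", dst_port=22),
    rule("input", "drop"),
]
# the proposed shape: rules in the forward chain and an explicit drop closing each chain
PROPOSED = [
    rule("input", "drop", proto="tcp", dst_port=22),
    rule("input", "drop"),
    rule("forward", "accept", in_if="ether2-master-local", proto="tcp", syn=True),
    rule("forward", "accept", in_if="ether1-gateway", proto="tcp", syn=True,
         dst="192.168.88.200", dst_port=WEB),
    rule("forward", "drop"),
]

def syn_to(in_if, dst, dst_port):                 # constructed TCP SYN arriving on in_if
    return {"in_if": in_if, "proto": "tcp", "dst": dst, "dst_port": dst_port, "syn": True}

WAN_HTTPS = syn_to("ether1-gateway", "203.0.113.10", 443)     # port-forwarded to the server
WAN_SSH = syn_to("ether1-gateway", "203.0.113.10", 22)        # probe against the router itself
WAN_DIRECT = syn_to("ether1-gateway", "192.168.88.200", 445)  # aimed straight at a LAN host
LAN_OUT = syn_to("ether2-master-local", "203.0.113.99", 80)   # LAN browsing out
```

Running `run(WAN_HTTPS, NAT, ORIGINAL)` returns `("accept", None)`: the forwarded HTTPS packet never touches the input chain, so it passes on the implicit accept and the input rule's counter never moves, which is exactly why the setup "appears to work".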
