robostac
Sep 23, 2009
Your nat rule moves the packet out of the input chain (packets with a destination address of the router) into the forward chain, so none of your firewall rules match that packet as they only apply to the input chain. If a packet doesn't match any rules it is accepted. Either change your filter rule to be on the forward chain, or just enable / disable the nat rule as needed.
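One way to apply the point above in RouterOS, as an added example that is not from the thread: the dst-nat'd port is filtered in the forward chain (where the rules see the post-NAT destination), limited to an address list, with the NAT-rule toggle from the post as the alternative. The interface name, addresses, port and list name are assumptions.

```routeros
# Added example, not from the thread. Assumed names: WAN interface "ether1-gateway",
# a web interface forwarded to 192.168.88.10 tcp/8080, trusted sources kept in the
# address list "mgmt-allowed". All addresses here are constructed placeholders.

# Trusted source addresses that may reach the forwarded web interface.
/ip firewall address-list
add list=mgmt-allowed address=203.0.113.5 comment="constructed: office IP"

# dst-nat: a packet hitting the WAN address on tcp/8080 is rewritten to the
# LAN host and therefore traverses the forward chain, never input.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8080 comment="web-ui forward"

# Filter in the forward chain; match on the post-NAT destination address/port.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="already-accepted sessions skip the rest of the chain"
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.10 \
    dst-port=8080 src-address-list=mgmt-allowed action=accept \
    comment="web-ui reachable from trusted sources only"
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.10 \
    dst-port=8080 action=drop log=yes log-prefix="web-ui-blocked" \
    comment="everyone else is dropped and the attempt logged"

# Alternative from the post: leave the filter alone and toggle the NAT rule itself.
/ip firewall nat disable [find comment="web-ui forward"]
/ip firewall nat enable [find comment="web-ui forward"]
```

Without the filter rules, a forwarded port has no input-chain protection at all, so the drop rule (or a disabled NAT rule) is what actually closes the service to the internet.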

IT Guy
Jan 12, 2010

I see.

I assumed it was still on the input chain because technically the IP being hit is the WAN IP and then NAT forwards the traffic to my machine behind the NAT.

So to get this to work I'd have to set up a firewall rule to drop the forward chain traffic on that port, since by default it just goes through if there is a NAT rule set up?

Then when I want to connect to the web interface I'd disable the drop firewall rule?

That or I can ditch the firewall rules and just enable and disable the NAT rule as I need?

CuddleChunks
Sep 18, 2004

Gism0 posted:

I upgraded to 6.1 the other day and it appears to have hosed my DHCP server. Oddly some of my devices still get the correct static IPs but some get nothing and fall back to a 169.x.x.x IP.

:negative: For gently caress's sake Mikrotik.

Send them a bug report, though don't hold your breath if you need this fixed right away. In the meantime, you can roll back to prior firmwares pretty gracefully. Open up winbox and drag and drop a prior firmware into the Files folder. After transfer, go to System -> Packages and hit the Downgrade button. Reboot and it will reload the older firmware.

Gism0
Mar 20, 2003

CuddleChunks posted:

:negative: For gently caress's sake Mikrotik.

Send them a bug report, though don't hold your breath if you need this fixed right away. In the meantime, you can roll back to prior firmwares pretty gracefully. Open up winbox and drag and drop a prior firmware into the Files folder. After transfer, go to System -> Packages and hit the Downgrade button. Reboot and it will reload the older firmware.

I know right..

Thanks - I'm gonna try wiping the config and setting it up again, otherwise I'll go back to an older FW.

edit: Before I had a chance to fix this my internet also stopped working from the devices with static IPs, so I did a hard reset and now DHCP is back and everything is peachy. :iiam:

Gism0 fucked around with this message at 05:10 on Jun 19, 2013

IT Guy
Jan 12, 2010

How would I go about setting up something to email me daily (or possibly even hourly) bandwidth usage?

We have a server offsite behind a Mikrotik router that is used primarily to sync our backups.

Sometimes we have users that upload gigs of unnecessary data to our file server which then attempts to replicate offsite and I'd like to catch this with some type of bandwidth monitor so I can stop the sync.

Atreus
Sep 20, 2005
So, are one of you guys from Roc-noc? Thanks Tom.

PUBLIC TOILET
Jun 13, 2009

Before I bitch to Time Warner again, has anyone heard of common issues with regards to a MikroTik router randomly experiencing packet loss? Just started this past week and I've had to call Time Warner support once already. Connection was experiencing 25-50% packet loss according to the RouterOS ping tool then the whole connection went dead. Overseas support did something to the cable modem that brought it back to normal. Now I'm experiencing the problem again only this time RouterOS is telling me it's around 15-25% packet loss. I'm quick to blame Time Warner for the issue but I just want to make sure there aren't any known random packet loss issues related to the MikroTik equipment.

feld
Feb 11, 2008

PUBLIC TOILET posted:

Before I bitch to Time Warner again, has anyone heard of common issues with regards to a MikroTik router randomly experiencing packet loss? Just started this past week and I've had to call Time Warner support once already. Connection was experiencing 25-50% packet loss according to the RouterOS ping tool then the whole connection went dead. Overseas support did something to the cable modem that brought it back to normal. Now I'm experiencing the problem again only this time RouterOS is telling me it's around 15-25% packet loss. I'm quick to blame Time Warner for the issue but I just want to make sure there aren't any known random packet loss issues related to the MikroTik equipment.

Yes, and it's the main reason both myself and a coworker ditched our RB75(0|1)?g as home routers.

SamDabbers
May 26, 2003

PUBLIC TOILET posted:

Before I bitch to Time Warner again, has anyone heard of common issues with regards to a MikroTik router randomly experiencing packet loss? Just started this past week and I've had to call Time Warner support once already. Connection was experiencing 25-50% packet loss according to the RouterOS ping tool then the whole connection went dead. Overseas support did something to the cable modem that brought it back to normal. Now I'm experiencing the problem again only this time RouterOS is telling me it's around 15-25% packet loss. I'm quick to blame Time Warner for the issue but I just want to make sure there aren't any known random packet loss issues related to the MikroTik equipment.

When the packet loss is happening, try hooking your PC directly up to the modem. If it's still happening, then it's Time Warner, and if not, it's the router.

NOTinuyasha
Oct 17, 2006

I don't have any problems with TWC and my 750GL. I'm using the Motorola SBG6580 modem that they gave me.

You might want to try adding a switch between the modem and the MikroTik, that fixed connection issues with my co-worker's RB951G.

CuddleChunks
Sep 18, 2004

No problems to report over here. I've got a motorola 6000 series cable modem and TWC with an RB750G anchoring the whole thing. Seems to tick right along without any glitches.

SopWATh
Jun 1, 2000

feld posted:

Yes, and it's the main reason both myself and a coworker ditched our RB75(0|1)?g as home routers.

What did you switch to? Is the alternative any better?

CuddleChunks
Sep 18, 2004

SopWATh posted:

What did you switch to? Is the alternative any better?

Pfft, I bet their fancy new routers can't do this:
https://www.youtube.com/watch?v=wO-oORbvGVE

:colbert:


Imagine setting that script to fire on a schedule or whenever you pinged a certain port or endlessly. Hahah, the horror! Maybe it's better if routers don't start coming with speakers.

Remit
Nov 9, 2007

PUBLIC TOILET posted:

Before I bitch to Time Warner again, has anyone heard of common issues with regards to a MikroTik router randomly experiencing packet loss? Just started this past week and I've had to call Time Warner support once already. Connection was experiencing 25-50% packet loss according to the RouterOS ping tool then the whole connection went dead. Overseas support did something to the cable modem that brought it back to normal. Now I'm experiencing the problem again only this time RouterOS is telling me it's around 15-25% packet loss. I'm quick to blame Time Warner for the issue but I just want to make sure there aren't any known random packet loss issues related to the MikroTik equipment.

None that I am aware of. What are you pinging? Do a tracert and set up smokeping or pingplotter to at least narrow down where the loss is happening.

PUBLIC TOILET
Jun 13, 2009

Remit posted:

None that I am aware of. What are you pinging? Do a tracert and set up smokeping or pingplotter to at least narrow down where the loss is happening.

Strangest thing but so far the problem hasn't come back. Last night I was tired of the random packet loss so I started going through hardware. I removed one of the switches connected to a port on the MikroTik but that didn't help. I then even went and measured the voltage from the electrical outlet to the MikroTik and the cable modem. The voltage was where it should be. Unplugged the power strip both devices are connected to from the electrical outlet and plugged it back in so both devices received a full power-cycle. After that I decided to do a ping test from the MikroTik to google.com and the problem never came back. I haven't had any packet loss since. I have no idea what had changed but so far the problem hasn't reappeared.

So I don't know if the electrical outlet the power strip is connected to is going bad, or if the power strip was holding a charge causing the device(s) to fail. It just sounds impossible though so I'm at a loss as to what was causing the issue. I had done numerous power-cycles before that and the problem had persisted.

PUBLIC TOILET fucked around with this message at 00:36 on Jul 7, 2013

Remit
Nov 9, 2007
Have any queues or interface limits that would cause it?

PUBLIC TOILET
Jun 13, 2009

Remit posted:

Have any queues or interface limits that would cause it?

None to my knowledge. I don't recall configuring any limitations on the interfaces or queues.

movax
Aug 30, 2008

Catching up on this thread when I realized I hadn't updated RouterOS in awhile...looks like I'll jump to 5.25 for now, and maybe wait for a few more point releases for 6.x until I jump to that.

feld
Feb 11, 2008

SopWATh posted:

What did you switch to? Is the alternative any better?

Juniper J2320 / SRX210.

Juniper's awesome, but it's far from cheap. The stability is worth the money for me.

Alarbus
Mar 31, 2010
I'm looking to put my RB493G on POE rather than the extra AC adapter. Anything I should look for in a POE injector? Are the Mikrotik ones that r0c-n0c sells good? I'll presumably want gigabit to get more than 10mb upstream to the modem.

CuddleChunks
Sep 18, 2004

feld posted:

Juniper J2320 / SRX210.

Hahah holy poo poo. Moving from a $70 router to a $2000 dollar unit should do the trick.

Alarbus - you're not typically going to get gigabit over POE since 4 wires are used for power and the other 4 are for data. You can still run 100Mbps over the link and that should work fine with whatever device you have at the other end. We use loads of POE-24's with our gear and it looks like it should power up a 493G without issue.

1550NM
Aug 31, 2004

Gigabit injectors are a thing, and I have several decent injectors that aren't marked as gigabit capable that also work. The trick is which PoE mode they work in: Mode A uses the data pairs (pins 1,2 and 3,6) via phantom power. Mode B, which uses pins 4,5 and 7,8, works fine too as long as the pairs are connected through and the producer has implemented proper phantom power.

feld
Feb 11, 2008

CuddleChunks posted:

Hahah holy poo poo. Moving from a $70 router to a $2000 dollar unit should do the trick.

You can find J2320s on eBay for ~200. I didn't buy mine "new".

Atreus
Sep 20, 2005
So, I figured that I would pick up a VPN to do some secure connection stuff online. I seem to be having a problem getting the PPTP functioning correctly. So far, I'm able to get it connected very slightly modifying this guide here http://wiki.hidemyass.com/Mikrotik_Router_PPTP_and_L2TP_Setup however I can't get any data to flow into PPTP after it connects. Is this something with my VPN or is it something that I have jacked up in the routing/firewall? The interface does show that it's attempting to send data. The Tx is way higher than the Rx.

Anyone have any ideas?

SamDabbers
May 26, 2003

Care to post a (sanitized) config? Are you trying to connect to your Mikrotik, or use it to connect your whole network to a VPN provider? nevermind...HideMyAss.

Any particular reason you're using PPTP vs. L2TP/IPsec? You should be aware that PPTP encryption is very weak, and the way that HideMyAss has implemented L2TP/IPsec (i.e. single, well-known pre-shared key for everybody) confers absolutely no security at all. The same problem applies to their OpenVPN configuration. It might as well not even be encrypted.

You may want to check out the goon-run VPN service in SA-Mart. I haven't used their services, and am not affiliated with them, but it looks like (from their kbase articles) they issue unique keys/certificates for each user, which actually confers some resilience to snooping. As always, the weakest part of any encryption scheme is in the key management and distribution.

SamDabbers fucked around with this message at 02:51 on Jul 31, 2013

Atreus
Sep 20, 2005
It's not Hidemyass, it's something different but practically uses the same method. It was the only thing I could locate that was populating a guide to use for the VPN server, I'd prefer to use something else, but it's my first time using a VPN connection on anything other than automated processes and was trying to just simply get it working, then looking at an alternative. It did a fairly good job at how to route traffic over to it, as RouterOS feels a lot different than anything I've used Cisco wise. Just taking random stabs at it. Let me see if I can get a config when I swing back to it.

Wolf on Air
Dec 31, 2004

For what it's worth, the PPTP client is horribly broken for me too and has been since who-even-knows and nobody else seems to recognize that there's a problem, as usual. I can just about get straight text TCP sessions to start, SSL just stalls forever.

This is to OctaneVPN, the same servers work swimmingly with the built-in PPTP/IPsec clients in Mac OS X so I can't really blame the servers. Meanwhile, the router can't use IPsec because there isn't a complete XAUTH implementation for the client (more specifically it can't receive IP config data for dynamic addressing using whatever that extension's named, so it's useless for that purpose), which means OpenVPN is the only thing that works, except Mikrotik's client is slow as hell, tcp-only for that lovely tcp-in-tcp negative feedback resonance, and officially recognized as broken (which is why they refuse to extend it.) But at least it connects and doesn't drop 99% of all packets or whatever is going on; so I just run three and split the tcp sessions by ip/port hash. :effort:

All that gives me oh, 60% of the performance a straight tcp+ssl stream of the same number of sessions even though the VPN GW lives practically in the same datacenter as the endpoint server.

:mikrotik:

NOTinuyasha
Oct 17, 2006

That kind of sounds like an MTU issue. Try setting an MSS clamp to 1300 or something for outbound syn packets over the PPTP interface, like:

code:
/ip firewall mangle add out-interface=pptp-whatever protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward

Wolf on Air
Dec 31, 2004

Okay, what the poo poo. I had futzed around with that for hours before, and made sure to enable the built-in MSS workaround on the PPP profile (which forces 1280 I think, and creates two dynamic rules) - and its rules were being hit for sure. Except apparently not taking effect. Now I set the interface MTU/MRU to 1440 (IIRC the GRE packet overhead is in that range, correct me if I'm wrong!) and the MSS clamp to 1240 because whatever, apparently making a good optimal guess at this is impossible; and now I actually get throughput (so thanks!), but it's really bouncing around with a lot of little stall gaps, and readouts jumping wildly between 3-8Mbps. My connection is capable of way more than that, and I see at least 50% more with the horrible triple-ovpn setup active, even though it draws three times as much CPU and is TCP-encapsulated instead of sorta-dumb datagrams like PPTP (I hear it doesn't deal with reordering at all, which is pretty much uuuh? territory)

CPU profiling showing 60-70% idle, so there should be room for more there.

And guess what? I had already added mangle rules to bypass my cool QoS scheduling (because double-counting is bad - you can tell when this is going on because your queues will show 2x the actual throughput), I have a cool stateful connection-tagging setup overall. But because iptables is objectively the worst firewall on the face of the planet, the connection tagging randomly vanishes, and the hellaciously terrible connection tracking just loses track of the GRE session. It might as well not exist, it sure doesn't show up in the 'connections' tab nor does it match any rules. Adding a stupid rule to catch all packets of protocol 47 does work (but is bad because then it's going deep into the rule stack instead of being headed off at the first five or so by a "connection-state: established" rule), and adding a rule that matches "connection-state: related" also matches even though the state-tracking doesn't know about the packets :confused:

And it still doesn't show up in the connections list even just filtering for protocol 47.

I hate computers, and I double-immelman-with-a-rosette hate loving anything that comes within a parsec of the Linux networking stack.

:argh:

Well, thanks for trying, it did sort of help. Slightly. :mikrotik:

NOTinuyasha
Oct 17, 2006

If you want good performance you probably want ipip if possible, I've used that for months at a time and didn't have any problems. My 750GL can pull 30Mbps through it. That's not really a VPN but it might do what you want.

I've tried the OpenVPN client too and I can confirm it's garbage, the connection randomly reset every 4-24 hours for no reason, the statistics don't work, and the speed is poo poo. Options for enabling udp and disabling the cipher would've helped but MikroTik hates its users too much to add any of that.

CuddleChunks
Sep 18, 2004

drat, look at all this MikroTik smacktalk happening in my thread.

I'll have you know that only positive feelings and touchy-feely stuff about Our Glorious Latvian Masters is allowed in here and if I see any further negativity I'll

router info WARNING: Disconnected due to error (Unknown -1)

system info account user admin logged in from 12.1.21.4 via terminal
and that's final!

:argh: MikroTiiiiiiik!

SamDabbers
May 26, 2003

Mikrotik makes interesting hardware, and the interface and features they've built on top of Linux are really quite nifty, but the combination of keeping the whole thing essentially closed-source (they barely comply with the letter of the GPL, and certainly not the spirit), terrible software engineering practices, and complete apathy toward customer support makes it really hard to seriously recommend them for anything but a few niche applications.

PUBLIC TOILET
Jun 13, 2009

The lack of decent VPN capability isn't really a deal-breaker for me. It would have been nice to have a VPN service configured from the router, but I suppose if I want it that bad I'll just use it at the workstation-level. I've had little to no issues with my MikroTik since you folks helped me configure it. I wouldn't trade it for anything (unless it's a nice Cisco unit.) I would still recommend it for home networking to people that ask me.

CuddleChunks
Sep 18, 2004

If you aren't too fussed about the security then the PPTP VPN setup isn't too terrible. There are some annoyances with it, but in general it's been a stable VPN for me while I'm out and away from home. Lets me reach back in and fiddle with my home PCs and such. It's not the level of security of a proper IPSEC tunnel but for home use, bah, it works fine.

Wolf on Air
Dec 31, 2004

On the other hand, you can (supposedly) host Cisco-style-compatible basic incoming VPN since routeros 6.0, it's its client that's hosed. The IPsec itself is probably solid. Or if you're willing to gently caress around painfully on the client side you could always set up ISAKMP style IPsec, and that's been the case since forever.

CuddleChunks
Sep 18, 2004

"client"

Heh.

I seem to recall that box-to-box VPNs work fine (IPSEC, static tunnels). It's when you try to do roaming stuff that it all breaks down into horrible pieces.

Wolf on Air
Dec 31, 2004

IPsec was symmetric right until Cisco got its grubby hands on it and redefined everything. :argh:

For that matter, it is exactly as hosed as 802.11x is. Good luck getting one authentication method to work across all clients unless it's TLS client certificates, and maybe not even that.

Roaming as in trying to keep a continuous connection across IP changes with unclean tunnel shutdown? Yeah, probably "good luck with that."

Maybe L2TP could do it in one-connection-per-user-only mode, assuming it actually closes the old ones with that on, haven't tested.

Wolf on Air fucked around with this message at 17:58 on Aug 8, 2013

PUBLIC TOILET
Jun 13, 2009

So the RB951G-2HnD supports jumbo frames up to 4074. I can see on mine the MAX-L2MTU is configured to 4074 already. If I want it to use the MAX of 4074, do I have to modify the "mpls-mtu" setting or will it just automatically start using it if I connect a device to it already configured for 4088?

evol262
Nov 30, 2010

Anyone have a clue as to why an OpenVPN connection through a RB2011 would be unusably slow? Is there some kind of horrible SPI enabled by default that I can remove or...?

Thanks Ants
May 21, 2004

I had OpenVPN connecting through a RB750GL with zero issues up to about a month ago when I got bored with it and replaced it with something else.

Is it slow to establish the connection or slow with throughput?
