SamDabbers
May 26, 2003



CrazyLittle posted:

Yeah, they're great little boxes, but they do have CPU limits in how much you can do with them. QoS tends to tax things more than anything else.

Also if you have a pc laying around, you can install the community version of Vyatta and run the current revision of the same software the Ubiquiti's running.

QoS is one of those things that the offload hardware doesn't support [yet?], so all packets are run through the CPU once you enable it. Other configurations that bypass the offload hardware include non-IPsec tunnels terminated on the router (OpenVPN, GRE, and PPTP/PPPoE/L2TP), and flow accounting (Netflow). If you're just doing plain IPv4/IPv6 routing, stateful firewall/NAT, IPsec, and/or VLANs (support added in the 1.3 beta firmware) then all of it should be offloadable. That said, it does sport a dual-core 500Mhz CPU, so it should be able to handle at least as much as an RB2011 without the hardware assist.

EdgeOS was forked from Vyatta 6.3, so that's the version to experiment with if you're planning on moving the config to an EdgeRouter. The most noticeable change in the later versions of Vyatta compared to 6.3 is the configuration syntax for NAT, so just know that you'll have to use the older syntax on EdgeOS. The Vyatta documentation is excellent and 98% of it still applies to EdgeOS if the Ubiquiti wiki and forums how-tos don't go in-depth enough.

CuddleChunks
Sep 18, 2004

SamDabbers posted:

Edit: A bad power brick may be causing the reboots. Try swapping it out.
Hmmm, it generally runs fine once stable settings are in place. No biggie, I can dig up another power supply just in case. It gets really unstable when you try to set up 802.11n and don't enable all the fiddly things. It's kind of a serious pain in the rear end. Also mixing Apple products in with Windows clients is a recipe for adventure.

PUBLIC TOILET
Jun 13, 2009

Just for the sake of curiosity, what's the most affordable MikroTik router out there with decent, responsive and reliable VPN support? (i.e. support for services like HostVPN)

Or does that not exist? I'm assuming you don't really get that until you get into the more commercial-grade, rack-mount routers from MikroTik.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
All of their routers run the same software and have the same features. There are some differences in license levels though.

SamDabbers
May 26, 2003



Yeah, if you can get the VPN service working with RouterOS, the only thing a Routerboard with a beefier CPU gets you is faster throughput. Even the low end models like the 750GL can push a few Mbps through a VPN tunnel with the right combination of traffic and encryption settings, but as the OP says, they're not really meant for high-speed VPN.

GrandMaster
Aug 15, 2004
laidback
Is anyone here running the RB751G-2HnD?
I've been having wired network dropout problems since 6.2, but after rolling back to 6.1 it's rock solid. The connection from my HTPC to my NAS drops for around 10 mins at a time before re-establishing. I don't seem to have any connectivity problems from my wifi clients at the time this is occurring though.

Can't see anything on their forums or the web describing the problem however..

zennik
Jun 9, 2002

GrandMaster posted:

Is anyone here running the RB751G-2HnD?
I've been having wired network dropout problems since 6.2, but after rolling back to 6.1 it's rock solid. The connection from my HTPC to my NAS drops for around 10 mins at a time before re-establishing. I don't seem to have any connectivity problems from my wifi clients at the time this is occurring though.

Can't see anything on their forums or the web describing the problem however..

Try 6.4, 6.2 had all kinds of stability issues for me on my 751s and 2011s, 6.4 seems pretty solid so far.

GrandMaster
Aug 15, 2004
laidback
Thanks for that, will give it a try tonight :)
My RB750GL on 6.2 & 6.3 has been stable, only the 751's were giving me grief.

thebigcow
Jan 3, 2001

Bully!

GrandMaster posted:

Is anyone here running the RB751G-2HnD?
I've been having wired network dropout problems since 6.2, but after rolling back to 6.1 it's rock solid. The connection from my HTPC to my NAS drops for around 10 mins at a time before re-establishing. I don't seem to have any connectivity problems from my wifi clients at the time this is occurring though.

Can't see anything on their forums or the web describing the problem however..

I have one of these and it runs great but I also run 5.something

KS
Jun 10, 2003
Outrageous Lumpwad
I updated to 6.2 without thinking about it and I can't make uPNP work at all, even though it says it's enabled and the interfaces are defined. Very frustrating. I don't even know what version I was on prior to the update -- probably 5.something. Are there any caveats to downgrading? Is it the same process?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
Upgrade to the latest 6 (6.4) before downgrading to see if it works there.

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Looks like I got one of those RB2011 boxes with the ethernet ports that freeze up or something.

Anyone else have the problem and know if the 6.4 upgrade works? (which includes new bios/firmware and therefore can't be downgraded)

thebigcow
Jan 3, 2001

Bully!
Why not return it for a new one?

CuddleChunks
Sep 18, 2004

It's a bug, they addressed it in 6.2 I believe. 6.4 seems rock solid for everywhere we've used it. I don't think you'll have any trouble at all moving up to that AND it should fix the lockup error on the 2011.

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I set up L2TP/IPsec today for client VPN. It works great, however, can you do split tunnels with L2TP? I want my internet traffic and any other non-VPN traffic to go out my default gateway and only have my VPN network go through the tunnel.

Running a trace route to google.com, it is going through the tunnel at the moment.

Edit: Never mind, apparently I can do this on the client side in Windows by unchecking "Use default gateway on the remote network" in the TCP/IP settings of the adapter.

With that being said, is there any way on the server side to force a full tunnel rather than a split tunnel or is that only available through proprietary client software?

IT Guy fucked around with this message at 17:27 on Oct 4, 2013

IT Guy
Jan 12, 2010

You people drink like you don't want to live!
Is there any way to use a DNS server in RouterOS?

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

IT Guy posted:

Is there any way to use a DNS server in RouterOS?

How do you mean? Do you want it to act as a DNS server (it can, kinda) or just hand out DNS server info to VPN/DHCP clients (easy)?

CuddleChunks
Sep 18, 2004

IT Guy posted:

Is there any way to use a DNS server in RouterOS?

Here's all the lowdown on DNS in RouterOS: http://wiki.mikrotik.com/wiki/Manual:IP/DNS

IT Guy
Jan 12, 2010

You people drink like you don't want to live!

Weird Uncle Dave posted:

How do you mean? Do you want it to act as a DNS server (it can, kinda) or just hand out DNS server info to VPN/DHCP clients (easy)?

The former.

CuddleChunks posted:

Here's all the lowdown on DNS in RouterOS: http://wiki.mikrotik.com/wiki/Manual:IP/DNS

Thanks it looks like the built in server through the cache will do me fine for now.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
IP-> DNS-> allow remote requests
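The setting falz points at makes the RouterOS DNS cache answer queries from clients, but it answers on every interface, so the WAN side needs a firewall rule or the router becomes an open resolver. The following is an added example (not from the thread); ether1 as the WAN port, the 192.168.88.0/24 LAN and the upstream resolver addresses are placeholder assumptions.

```routeros
# Added example, not from the thread: use the RouterOS DNS cache as the LAN's
# resolver without turning the router into an open resolver on the WAN.
# Assumptions (placeholders): ether1 is the WAN port, 192.168.88.0/24 is the
# LAN with the router at .1, and the upstream resolvers are documentation IPs.
/ip dns set servers=203.0.113.53,198.51.100.53 allow-remote-requests=yes

# allow-remote-requests=yes answers queries on every interface, WAN included,
# so drop DNS arriving from the WAN in the input chain. These rules must sit
# above any generic "accept" rule in the input chain to take effect.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no open resolver"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no open resolver"

# Local names the router answers itself (the "acts as a DNS server, kinda" part)
/ip dns static add name=nas.home.lan address=192.168.88.10

# Hand the router out as the resolver to DHCP clients on the LAN
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# Verify: the cache should only fill from LAN-side lookups
/ip dns cache print
```

After applying this, a query from the WAN side against the router's public address should time out rather than return an answer.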

movax
Aug 30, 2008

So the house I had a MikroTik installed at decided to have one of their guys go full retard and factory reset the MikroTik I left there, and then get really pissy and confused when I called them dumb and their poo poo stopped working.

I finally got them to the point where I can administer it remotely, and there's still some poo poo hosed up:

- Terminal always displays "error opening serial port, already used by Serial Console (6)"

And, is there a completely foolproof, braindead guide I can follow to getting VPN setup?

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

falz posted:

You may want to check to see if your SIP device supports STUN/Nat server entry anyway so you don't have to mess with the router's config to make it work (other than the NAT entry inbound)

Almost all modern routers/FW should have a helper or full-blown ALG function to fix issues like this.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
How well does EoIP work? I have a customer demanding a layer 2 connection with one end on a VSAT link and the other our teleport. I'd like to build a tunnel with something from the remote site to our rack and present a layer 2 interface as economically as I can. They're only going to be connecting a layer 3 device via a /30 on each side. There is no NAT required on my side to build this tunnel.

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
EoIP works... okay. It's only as fast as the connection between the two endpoints, and there's some overhead (and invisible-to-the-end-user packet fragmentation with large packets, especially if you're doing jumbo frames or other craziness).

I've used it for a couple short-term projects (moving servers between data centers in advance of moving the data centers' actual uplinks), but I dunno if I'd recommend it for a longer-term solution.

thebigcow
Jan 3, 2001

Bully!
Anyone looking at the new Cloud Router Switch? Knowing MT I have a bad feeling that things will need to be split across certain port groups for performance.

The_Franz
Aug 8, 2003

thebigcow posted:

Anyone looking at the new Cloud Router Switch? Knowing MT I have a bad feeling that things will need to be split across certain port groups for performance.

According to the block diagram all of the ports are on one switch chip, so performance across port groups shouldn't be an issue, but until someone actually has one, who knows.

kiwid
Sep 30, 2013

I have an RB2011UAS-2HnD-IN and when I VPN using L2TP/IPSEC md5/sha I can get max speeds of about 900kB/s. Looking at the CPU, it's at 100% when transferring like this. What is the cheapest routerboard I can buy that would get me about 5mB/s? Would I be better off building my own x86 box?

thebigcow
Jan 3, 2001

Bully!

kiwid posted:

I have an RB2011UAS-2HnD-IN and when I VPN using L2TP/IPSEC md5/sha I can get max speeds of about 900kB/s. Looking at the CPU, it's at 100% when transferring like this. What is the cheapest routerboard I can buy that would get me about 5mB/s? Would I be better off building my own x86 box?

I've never found good sizing information, and a lot of what is out there suggests selecting the shittiest possible encryption method for performance. I think the next CPU up would be the RB1100AHx2 at about $350.

There are a lot of people using Routerboards professionally on the Mikrotik forums, if you can get past English as a fourth language I would ask there.

Ninja Rope
Oct 22, 2005

Wee.

kiwid posted:

I have an RB2011UAS-2HnD-IN and when I VPN using L2TP/IPSEC md5/sha I can get max speeds of about 900kB/s. Looking at the CPU, it's at 100% when transferring like this. What is the cheapest routerboard I can buy that would get me about 5mB/s? Would I be better off building my own x86 box?

If you have the option, can you change the cipher to something like twofish or AES?

The_Franz
Aug 8, 2003

thebigcow posted:

I've never found good sizing information, and a lot of what is out there suggests selecting the shittiest possible encryption method for performance. I think the next CPU up would be the RB1100AHx2 at about $350.

There are a lot of people using Routerboards professionally on the Mikrotik forums, if you can get past English as a fourth language I would ask there.

When it comes to IPsec, 3DES is generally both the weakest and slowest encryption. AES128 is considerably faster and more secure.

If you aren't stuck on Mikrotik, take a look at the Ubiquiti EdgeRouter. Even the $99 model has hardware IPSEC acceleration.

kiwid
Sep 30, 2013

Ahh, sorry, it's authentication: sha1, encryption: 3des that I'm using.

I tried AES256 but failed to connect. Is there a list of compatible auth/crypt that the built in Windows 8 client is compatible with?

edit: Tried using AES128 but connection fails still.

kiwid fucked around with this message at 19:27 on Nov 7, 2013

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS
I don't know a thing about MikroTik but I'm sure I have dial in L2TP running with AES on some Fortigates that works fine with Windows and iOS.

The_Franz
Aug 8, 2003

When I was trying to get this working, I think Windows necessitated leaving 3DES as the encryption algorithm under IPSec/Peers as it wouldn't connect otherwise, but if you tick off the AES-xxx boxes in the settings under IPSec/Proposals then Windows will use whatever encryption it determines is best. Once it was set this way then Windows could connect and it showed AES encryption under the connection properties display.

kiwid
Sep 30, 2013

The_Franz posted:

When I was trying to get this working, I think Windows necessitated leaving 3DES as the encryption algorithm under IPSec/Peers as it wouldn't connect otherwise, but if you tick off the AES-xxx boxes in the settings under IPSec/Proposals then Windows will use whatever encryption it determines is best. Once it was set this way then Windows could connect and it showed AES encryption under the connection properties display.

This got me connected, thanks. However, AES-128 was even worse than 3DES for some reason.
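The arrangement The_Franz describes (3DES left in the phase-1 peer so the Windows client negotiates, AES offered in the phase-2 proposals so the data path is not stuck on 3DES) looks like this on RouterOS 6.x. This is an added example, not configuration from the thread; the pre-shared key, user credentials and address pool are placeholders.

```routeros
# Added example, not from the thread: RouterOS 6.x L2TP/IPsec server for
# Windows clients. Phase 1 keeps 3DES listed (Windows needs it to negotiate)
# while phase 2 offers AES first. CHANGE-ME values and the pool are placeholders.
/ip pool add name=l2tp-pool ranges=192.168.89.10-192.168.89.50
/ppp profile set default-encryption local-address=192.168.89.1 remote-address=l2tp-pool
/ppp secret add name=alice password=CHANGE-ME profile=default-encryption service=l2tp
/interface l2tp-server server set enabled=yes default-profile=default-encryption authentication=mschap2

# Phase 1 (IPsec > Peers): main-mode peer for any roaming client.
# enc-algorithm lists AES ahead of 3DES; 3DES stays so the Windows client connects.
/ip ipsec peer add address=0.0.0.0/0 exchange-mode=main-l2tp auth-method=pre-shared-key secret=CHANGE-ME hash-algorithm=sha1 enc-algorithm=aes-128,3des dh-group=modp1024 nat-traversal=yes generate-policy=port-override

# Phase 2 (IPsec > Proposals): tick the AES boxes; the client picks the strongest match.
/ip ipsec proposal set [find default=yes] auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-128-cbc,3des pfs-group=none

# After a client connects, confirm which cipher the data path actually negotiated
/ip ipsec installed-sa print
```

The `installed-sa` output is the place to check whether a session really ended up on AES or fell back to 3DES, which is what kiwid's throughput comparison depends on.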

drk
Jan 16, 2005

MikroTik posted:

What's new in 6.7 (2013-Nov-29 13:37):

*) support Android usb tethering interface

That's an interesting new feature and potentially very useful.

Canine Blues Arooo
Jan 7, 2008

when you think about it...i'm the first girl you ever spent the night with

Grimey Drawer

drk posted:

That's an interesting new feature and potentially very useful.

That's pretty sick actually! I haven't upgraded since 6.1, but that's pretty compelling to check out.

Thanks Ants
May 21, 2004

#essereFerrari


Now we just need to see how many totally unrelated bugs have been introduced

kiwid
Sep 30, 2013

If I'm on my work's network and I VPN home to my routerboard over L2TP/IPSEC, I lose my single sign on capabilities on my work's network. As soon as I disconnect the VPN I'm able to authenticate to my work's resources via SSO again.

What is happening and how do I fix it?

Thanks Ants
May 21, 2004

#essereFerrari


Is your DNS server being changed to the one on the other end of your VPN connection?

kiwid
Sep 30, 2013

Caged posted:

Is your DNS server being changed to the one on the other end of your VPN connection?

Ah yes it is, but why?

Here is the profile:



My DNS is still being changed.
