|
Unfortunately, I don't actually have anything else that's wired (except the desktop, but it's upstairs next to the router). And I doubt I'll have the time and motivation to haul the desktop and monitor downstairs for testing. (Also, the desktop did work when I used it to configure and test the RB433, the only difference being that the RB433 is now about ten feet below the router instead of ten feet across from the router.)
|
# ? Jan 8, 2015 23:57 |
|
Are you just connecting the TiVo to this so it can bridge up to the wifi upstairs? Try setting the wlan card to station-pseudobridge-clone and then plug the TiVo in, reboot the mikrotik and see if it starts working. Otherwise, post a config and we'll all scratch our heads and shrug. "Huh, Latvian engineering, whaddya gonna do."
|
# ? Jan 9, 2015 02:43 |
|
I switched the RB433 from a bridge to a router, doing NAT and acting as a DHCP server, and the TiVo got a lease and got online almost immediately. I'll fiddle with the configuration a bit more later, but it's fine for now (though admittedly not ideal because of the double NAT).

Edit: Well, station pseudobridge clone means it can't even connect to the Time Capsule AP.

Weird Uncle Dave fucked around with this message at 04:01 on Jan 9, 2015 |
# ? Jan 9, 2015 03:52 |
|
Does the bridge work if you set a static IP on the TiVo?
|
# ? Jan 9, 2015 13:03 |
|
Weird Uncle Dave posted:
I'll fiddle with the configuration a bit more later, but it's fine for now (though admittedly not ideal because of the double NAT).

Huh, weird. Now are you testing this with a laptop connected to the MikroTik? It needs some device behind it to clone the MAC from before it will link up. That's how the pseudobridge-clone version works. Otherwise you can set it in station mode, make it a little NAT-ing device and go from there. Or, post a config and we'll take a look.
|
# ? Jan 9, 2015 19:54 |
|
The only device I have with an Ethernet port is the TiVo, which admittedly makes testing a bit tricky. Unless I could be bothered to drive to Micro Center and get some cheapo Ethernet USB adapter, but if I'm going there I may as well just buy a dedicated wireless bridge.

Anyway, configs!

This is the configuration when it's acting as a router. (It actually is in station mode, not station pseudobridge as that configuration claims, but it works either way.) Pretty standard stuff, wlan1 connects to the AP, Ethernet ports bridged and running a DHCP server, masquerade NAT on outgoing traffic. Works fine, as I type this sentence I'm using it on my desktop, and I confirmed the TiVo can get online with this same configuration as well.

And this is the configuration for bridge mode. Wireless card as station pseudobridge, wlan1 and all etherx bridged together. No NAT. DHCP client on the bridge interface, but that's more for convenience than anything. (Winbox run under Crossover WINE on a Mac can't connect to devices by MAC, only by IP.) Desktop gets a DHCP address just fine, TiVo does not.

In both cases, I removed my WPA security keys but didn't make any other changes.

I did just discover that when my desktop is running through the bridge, the Apple AirPort Utility won't run... I'm really inclined to just say there's some strange interaction between Apple, Mikrotik, and TiVo, and let it be one of the great unsolved mysteries of Latvian software engineering. Nevertheless, another set of eyes on things certainly wouldn't hurt.
|
# ? Jan 10, 2015 17:05 |
|
Can you manually connect to an AP using the AirPort utility? It sounds like broadcast between LAN and WLAN isn't happening.
|
# ? Jan 10, 2015 17:17 |
|
Weird Uncle Dave posted:
The only device I have with an Ethernet port is the TiVo, which admittedly makes testing a bit tricky. Unless I could be bothered to drive to Micro Center and get some cheapo Ethernet USB adapter, but if I'm going there I may as well just buy a dedicated wireless bridge.

Log into your MikroTik and do a sys reset. Log back in and choose "NO - do not use the default config".

Drop this config into a terminal window: http://pastebin.com/ZC7R659K

You may need to enable the wlan card. Type this at the terminal prompt:

int wir set wlan1 disabled=no

That should wake everything up as a simplified bridge. Take a look and you should see it connect to your network. Once you've verified that it's on and connected see if that works for your TiVo.
|
# ? Jan 10, 2015 20:11 |
|
That looks like it's functionally identical to my bridge config (save that you enabled WPA in addition to WPA2, and a couple probably-irrelevant settings like DFS). Is there something I'm overlooking?
|
# ? Jan 13, 2015 01:15 |
|
Your current setup isn't working with the TiVo for some reason. The config I posted is pretty much the fewest commands needed to setup a wireless bridge and it shouldn't care what device is plugged in behind it. Hopefully that will get you running as a bridge. If not, it's hard to guess what the tivo is trying to do that isn't working.
|
# ? Jan 14, 2015 00:13 |
|
My setup was basically that, but with a DHCP client on the board. I pulled it out from behind the TV again, did a reset, pasted in those commands, and... still no love. Radio associates, doesn't appear to bridge DHCP requests or responses. Still works great on the desktop PC through the same bridge with the same configuration. There's some bizarre interaction between all these components that just plain doesn't want to work as a bridge for a TiVo Premiere. For now, I give.

quote:
"Huh, Latvian engineering, whaddya gonna do."
|
# ? Jan 14, 2015 20:39 |
|
Weird. Plug the bridge back in and set a static IP in the TiVo that's correct for your network (something in the same range as other computers but not being used by one of them). Can you ping the TiVo? Can it reach out to the network now? It's possible something isn't bridging correctly but that script I sent and your prior config both are pretty bog standard bridges.
|
# ? Jan 14, 2015 21:00 |
|
6.25 is out

quote:
*) fixed occasional crash when ipv6 was used;
|
# ? Jan 19, 2015 20:01 |
|
The sooner users accept that they are never working towards a stable release but just push their current working beta snapshot out the door for each month the better people's feelings towards Mikrotik will be.
|
# ? Jan 19, 2015 20:20 |
|
Oh I agree, it's just funny to read.
|
# ? Jan 19, 2015 21:48 |
|
v6.24 posted:
*) improved queue tree parent=global performance (especially on SMP systems and CCRs);

v6.25 posted:
*) fixed queue tree no-mark matching (was broken since 6.24);

Because Latvia!
|
# ? Jan 21, 2015 20:43 |
|
I remember someone asking about IPsec performance recently, here's a thread with people who have tried things http://forum.mikrotik.com/viewtopic.php?f=3&t=91843
|
# ? Jan 21, 2015 20:59 |
|
Looking ahead a bit

6.26 - Fixed adding simple queues (was broken by 6.25)
7.0rc1 - Abandoning 6 entirely, pretending 7 will fix everything
7.0rc5 - Added new LCD options, router still reboots randomly and we don't care why
7.1 - Fixed broken LCD options. Queues still not working.
|
# ? Jan 22, 2015 00:41 |
|
thebigcow posted:
If those CCR numbers are for the models with Tile processors in them, something is very wrong somewhere.
|
# ? Jan 22, 2015 02:50 |
|
The_Franz posted:
If those CCR numbers are for the models with Tile processors in them, something is very wrong somewhere.

What was your experience with the CCR?
|
# ? Jan 22, 2015 05:53 |
|
thebigcow posted:
What was your experience with the CCR?

I should have said that it sounds like something is wrong. A lot of people have been complaining that the CCRs easily get 500+ Mbps when just using IPSEC but throughput plummets as soon as you use a tunnel. According to the people reporting the issue the CPU cores aren't even close to maxed out when this happens, it just sounds like some strange behavior that caps tunnel speeds at 150Mbps or slower. Some even report this low limit when the tunnel is unencrypted. Apparently the 6.24 changelog said something about improved load balancing when using tunnels so maybe this is much better now?

It would also be nice if the people posting throughput numbers would include their settings to rule out things like too-big MTU sizes that cause fragmentation or using really slow 3DES encryption.

The_Franz fucked around with this message at 08:09 on Jan 22, 2015 |
# ? Jan 22, 2015 07:04 |
|
Oh that way. The 1100AHx2 has hardware IPsec support and has existed for more than a year so that is going to skew things in its favor.
|
# ? Jan 22, 2015 17:17 |
|
thebigcow posted:
Oh that way. The 1100AHx2 has hardware IPsec support and has existed for more than a year so that is going to skew things in its favor.

The Tile models have hardware acceleration for AES-CBC as well. RouterOS didn't have support for it when they initially shipped, but they added it about a year ago. IPSEC doesn't seem to be the issue here, according to the reports it's only when trying to encapsulate packets in a GRE or IPIP tunnel that the throughput takes a nosedive.
|
# ? Jan 22, 2015 17:39 |
|
Is there a time table for a refresh on the RB2011 series of devices? If we are being honest, it's still totally functional and then some, but my current first world problem is that I can't get more than 18mbs over a VPN, and I feel the need for unnecessary speed.
|
# ? Jan 22, 2015 17:56 |
|
Canine Blues Arooo posted:
Is there a time table for a refresh on the RB2011 series of devices? If we are being honest, it's still totally functional and then some, but my current first world problem is that I can't get more than 18mbs over a VPN, and I feel the need for unnecessary speed.

Unless they've put something in the newsletter, probably not. They aren't that old and are the basis of the entire CRS series. The RB850Gx2 would be the next step up, but it's sold as a bare board and has a bizarre mtu limitation and they don't have posted performance information.

edit: That thread I linked to above claims 40-50 mbps with an 850.
|
# ? Jan 22, 2015 18:08 |
|
I'm trying to lab something up in VMWare workstation with RouterOS 6.25 ahead of some hardware arriving. It's pretty basic and I've got the interfaces setup ok and I'm having trouble getting a really basic masquerade setup.

LAN (10.100.50.0/24) - ether1 - ppp-out1 - Internet

This is a USB 3G data dongle (pass through) that is connected just fine and from the router I can reach the internet. What I'm struggling to do is get LAN traffic to be masqueraded properly out the ppp-out1 interface. Here's some config/output:

add add-default-route=yes allow=pap,chap,mschap1,mschap2 apn=live.vodafone.com data-channel=0 default-route-distance=1 dial-command=ATDT dial-on-demand=yes disabled=no info-channel=0 keepalive-timeout=30 \
    max-mru=1500 max-mtu=1500 modem-init="" mrru=disabled name=ppp-out1 null-modem=no password="" phone="" pin="" port=usb1 profile=default use-peer-dns=yes user=""

This seems to work ok for the PPP interface.

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ppp-out1

A very simple masquerade rule.

 #      DST-ADDRESS         PREF-SRC         GATEWAY         DISTANCE
 0 ADS  0.0.0.0/0                            10.112.112.116  1
 1 ADC  10.100.50.0/24      10.100.50.55     ether1          0
 2 ADC  10.112.112.116/32   100.xxx.xxx.219  ppp-out1        0

Routing table looks ok to me. It knows the LAN and has a default out the 3G.

I'm not really familiar enough with RouterOS to know what I'm missing here. Thanks!
|
# ? Jan 27, 2015 04:30 |
|
What IP does your LAN computer have? Can it ping the IP of the default gateway (which should pass through the 3G connection)? What does a traceroute from one of the LAN computers show? Your config looks correct so knowing more about the LAN would be handy.

Oh, print out /ip addresses

What are you handing out for IPs to your LAN?
|
# ? Jan 27, 2015 05:07 |
|
Ok, so I thought I'd rule out something weird happening with host-only networks and VMWare and put a small debian VM in the same LAN segment as ether1 is configured on. I've then configured a DHCP server on the routerOS instance on ether1, which is successfully handing an IP out to the debian VM:

RouterOS ether1 IP: 192.168.179.200
DHCP server scope: 192.168.179.1-199

Debian VM gets the IP 192.168.179.199, and it retrieves a default gateway of 192.168.179.200. Now, despite this working ok, neither the debian VM nor the router itself can ping 192.168.179.200 which is assigned to ether1:

[admin@MikroTik] /ip address> print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS             NETWORK         INTERFACE
 0 D 100.113.62.56/32    10.112.112.116  ppp-out1
 1   172.168.179.200/24  172.168.179.0   ether1
[admin@MikroTik] > ping 192.168.179.200
  SEQ HOST                SIZE TTL TIME  STATUS
    0 192.168.179.200                    timeout
    1 192.168.179.200                    timeout
    2 192.168.179.200                    timeout

So now I'm really confused!
|
# ? Jan 27, 2015 05:41 |
|
Nevermind... I'm not sure what I'd done but a config reset + build from scratch has it working as expected now. I can reach the internet from my debian VM. Now to setup an IPSEC tunnel to our PoP and my work is done. Thanks!
|
# ? Jan 27, 2015 05:48 |
|
6.26 is out. First new bug is a garbled mess in the change log if you check through Winbox

quote:
What's new in 6.26 (2015-Feb-03 15:18):
|
# ? Feb 4, 2015 17:19 |
|
Noticed they have a new ceiling mount AP to go with the capsman software. 2.4 only because no one in Latvia has a radio for 5. Also saw this thing and I really want to see the installation where someone needs a compact, wall mount sfp to sfp+ aggregator.
|
# ? Feb 5, 2015 18:21 |
|
thebigcow posted:
Also saw this thing and I really want to see the installation where someone needs a compact, wall mount sfp to sfp+ aggregator.

It's perfect for putting in the basement/telco closet of a small building that's being wired for connectivity by an ISP. Challenge is the UPS/power source really.
|
# ? Feb 5, 2015 18:37 |
|
So if I am looking for some basic routing of my residential internet and a decent wireless AP, this is what I should buy, right? http://routerboard.com/RB2011UiAS-2HnD-IN All this patch breaking talk is making me anxious.
|
# ? Feb 5, 2015 19:08 |
|
AlternateAccount posted:
So if I am looking for some basic routing of my residential internet and a decent wireless AP, this is what I should buy, right?

This guy is potentially a pretty good choice too, and a bit less expensive.

The key to Mikrotik software is: find a version that has the features you need, where everything works, and then never touch it again unless you have a very very good reason.
|
# ? Feb 5, 2015 19:50 |
|
Weird Uncle Dave posted:
This guy is potentially a pretty good choice too, and a bit less expensive.

Seconding both these points. The RB951 does a good job and is a solid entry point into the magical world of MikroTik.
|
# ? Feb 5, 2015 20:01 |
|
6.27 is out, turning off the cloud menu now removes your entry from their dns service.
|
# ? Feb 17, 2015 22:32 |
|
I inherited a free RB951-2n that I'm configuring for my parents so I can finally ditch their old Linksys router. I was able to /export compact the configuration from my RB951G-2HnD and successfully import it into the RB951-2n and modify accordingly. I would like to configure the ability for me to remote into it from the WAN, what's the recommended method for this? I'm thinking I would disable the SSH service entirely (or leave it enabled but block WAN access to port 22 in the firewall altogether.) I could then leave the winbox service enabled and remote into it that way. Is this the easiest, user-friendly way? Should I change the winbox port in that case? Maybe configure a new firewall rule to only allow access from a specific IP address? Although I don't have a static WAN IP.
|
# ? Mar 20, 2015 03:32 |
|
PUBLIC TOILET posted:
I inherited a free RB951-2n that I'm configuring for my parents so I can finally ditch their old Linksys router. I was able to /export compact the configuration from my RB951G-2HnD and successfully import it into the RB951-2n and modify accordingly. I would like to configure the ability for me to remote into it from the WAN, what's the recommended method for this? I'm thinking I would disable the SSH service entirely (or leave it enabled but block WAN access to port 22 in the firewall altogether.) I could then leave the winbox service enabled and remote into it that way. Is this the easiest, user-friendly way? Should I change the winbox port in that case? Maybe configure a new firewall rule to only allow access from a specific IP address? Although I don't have a static WAN IP.

Changing the port will keep an assortment of bots from banging on your door but isn't real security. http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention is someone else's script to drop after a number of failed connections. RouterOS supports SSH key log in but doesn't seem to have a way to turn off password log in.

I couldn't tell you how to do it but if you enable the CLOUD menu on your device you could have a script on their router periodically resolve the address from your router and change a firewall entry to allow access. Maybe cobble something together from these http://wiki.mikrotik.com/wiki/Scripts

edit: like this one http://wiki.mikrotik.com/wiki/Use_host_names_in_firewall_rules
|
# ? Mar 20, 2015 04:39 |
|
thebigcow posted:
Changing the port will keep an assortment of bots from banging on your door but isn't real security. http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention is someone elses script to drop after a number of failed connections. RouterOS supports SSH key log in but doesn't seem to have a way to turn off password log in.

I should have noted that both routers are running v5.26. Isn't the cloud feature in version 6+?
|
# ? Mar 20, 2015 05:14 |
|
Just upgrade to 6.27 unless the license on your Mikrotik won't let you. Also, you can implement an IP firewall list that only allows SSH connections from your whitelist. We do that at work since China is always banging away at SSH connections unless we whitelist, whereas the Winbox service gets only like 1-2 attempts a month.

code:
|
# ? Mar 20, 2015 14:59 |
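
The address-list whitelist and the "resolve a host name and update a firewall entry" idea discussed in the last few posts, sketched as an added example that is not any poster's config. It assumes RouterOS 6.x, ether1 as the WAN port, a constructed admin address 203.0.113.10, and a placeholder dynamic-DNS name admin.example.net for an admin without a static IP.

```routeros
# Added example, not from the thread. Assumptions: RouterOS 6.x, ether1 = WAN,
# 203.0.113.10 is a constructed address, admin.example.net is a placeholder name.

# 1. Sources trusted to reach the management services.
/ip firewall address-list
add list=mgmt-allow address=203.0.113.10 comment="static admin address (constructed)"

# 2. Input chain: allow SSH (22) and Winbox (8291) from the list only, then
#    drop every other attempt arriving on the WAN port. Rule order matters:
#    these must sit above any broader accept rule already in the chain.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="return traffic for connections the router already accepted"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt-allow action=accept comment="management from allow-list"
add chain=input in-interface=ether1 protocol=tcp dst-port=22,8291 \
    action=drop comment="management from anyone else"

# 3. Turn off management services that are not in use (adjust to taste).
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes

# 4. No static IP: resolve the admin's host name on a timer and keep exactly
#    one dynamic entry in the allow-list pointing at the current address.
/system script
add name=update-mgmt-allow source={
    :local newip [:resolve "admin.example.net"]
    :local id [/ip firewall address-list find list="mgmt-allow" comment="dyn-admin"]
    :if ([:len $id] = 0) do={
        /ip firewall address-list add list=mgmt-allow address=$newip comment="dyn-admin"
    } else={
        /ip firewall address-list set $id address=$newip
    }
}
/system scheduler
add name=update-mgmt-allow interval=5m on-event=update-mgmt-allow
```

With the host-name approach, access is only as trustworthy as the DNS record: whoever controls that name controls which address is let through, so strong credentials on the router still matter.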