Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

thebigcow posted:

How many things are still limited to one core? Other than general Latvian quirks that seems to be most of the bitching about Tilera based models on their forums.

I thought they were going to abandon PowerPC but then the RB850Gx2 came out. Also Normis said the new RB3011 was based on this and I have no idea what it is.

The newer firmwares spread this over a lot more cores than before. I don't actually use this as much more than a DD-WRT box that's been fed a shitload of anabolic steroids, but even when I iperf the thing trying to make it sad, the cores load up pretty evenly.

BurgerQuest
Mar 17, 2009

by Jeffrey of YOSPOS

PUBLIC TOILET posted:

Out of curiosity, is anyone using LTE for fail-over on their MikroTik routers? Looking at the supported LTE cards, but I'm not sure if anyone has specific recommendations. I'm thinking in my area the best LTE coverage is likely Verizon or T-Mobile. Is this functionality difficult to configure in RouterOS? I also see some of these devices were tested on certain RouterOS revisions.

I've not used LTE cards but it was very easy to create a dialer to bring up a connection on a supported 3G USB card when I set one up a few months ago.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

Methylethylaldehyde posted:

I got a CCR1009 for my home network after my poor little RB493G ended up sitting at 100% CPU usage while trying to push ~100mb/sec of traffic with some packet tagging and routing rules. Same rules, same tagging, 250mb/sec stream, CPU sits at ~8% or so. Thing is a loving beast. And now that glorious latvian engineering has a chance to unbork all the things they messed up with the tile chipset, they're remarkably stable.

I was wondering why my home speeds were around 44Mb intra-network, then I took a look at my home RB750's CPU-- it hovers around 60% when copying files. I'm curious if that 60% is okay or if that's the bottleneck. I guess once we have a spare Cloud Core I'll bring it home and drop my home config onto it and see if speeds pick up-- the ability to move configs around easily is why Mikrotik really shines.

We have a remote location that is getting dropped packets to it (2-4%) and the CPU out there hovers between 40-70%. I'm guessing that's the reason out there since it is just a CRS125 trying to do a little bit of routing, but the CRS and RB750 basically have the same CPU so I am curious if once a Mikrotik starts going above 60% then it starts getting bad speeds.

I know that once you see it above 90% it really does-- I had a CRS hooked up to an SFP fiber for shits and tried to run a single speed test and it came back with 70Mb down but the CPU was like 90%ish. Put in a CCR1036, and the speed test was 500Mb+ and the CPU never went above 0%. In retrospect I wish I had known about the CCR1009 as we have CCR1036s deployed in like 7 places due to the CPU bottleneck issue but we just do basic routing and a little bit of firewall at these remote sites so a CCR1009 would have been perfect for there.

thebigcow
Jan 3, 2001

Bully!

jeeves posted:

In retrospect I wish I had known about the CCR1009 as we have CCR1036s deployed in like 7 places due to the CPU bottleneck issue but we just do basic routing and a little bit of firewall at these remote sites so a CCR1009 would have been perfect for there.

Don't beat yourself up over it, they have a constant stream of new products.

The_Franz
Aug 8, 2003

jeeves posted:

I was wondering why my home speeds were around 44Mb intra-network, then I took a look at my home RB750's CPU-- it hovers around 60% when copying files. I'm curious if that 60% is okay or if that's the bottleneck. I guess once we have a spare Cloud Core I'll bring it home and drop my home config onto it and see if speeds pick up-- the ability to move configs around easily is why Mikrotik really shines.

Why is your internal LAN-to-LAN traffic even hitting the CPU? Do you have the ports bridged instead of configured as a switch?

Prescription Combs
Apr 20, 2005
   6

The_Franz posted:

Why is your internal LAN-to-LAN traffic even hitting the CPU? Do you have the ports bridged instead of configured as a switch?

What's the most optimal way to set these things up? I feel like I don't have my rb2011 setup optimally as my 50Mbps connection will spike the CPU up to nearly 60%...

thebigcow
Jan 3, 2001

Bully!

Prescription Combs posted:

What's the most optimal way to set these things up? I feel like I don't have my rb2011 setup optimally as my 50Mbps connection will spike the CPU up to nearly 60%...

How many firewall rules? Couple connection http traffic or million connection torrent traffic?

Prescription Combs
Apr 20, 2005
   6

thebigcow posted:

How many firewall rules? Couple connection http traffic or million connection torrent traffic?

21 rules and few http connections like speed tests will kill the cpu.

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice
I just ordered a RB951Ui-2HnD for the house. My router(WNDR 4500 v2) is starting to flake out, and DDWRT for it doesn't work great.

I sort of want to set up WPA2-EAP. Do I need a radius server? It looks like I can use the built in eap-tls option for eap-methods?
Create a certificate, upload it to the router. Generate and sign a client cert, and it should in theory just work and I can use the client cert for authentication?

It also has a built in radius server, user manager, but looks like that doesn't support EAP?

SSH IT ZOMBIE fucked around with this message at 00:04 on Apr 17, 2015

thebigcow
Jan 3, 2001

Bully!

Prescription Combs posted:

21 rules and few http connections like speed tests will kill the cpu.

That seems nuts. Post the config and maybe someone can figure it out.

Prescription Combs
Apr 20, 2005
   6

thebigcow posted:

That seems nuts. Post the config and maybe someone can figure it out.

Here's a sanitized config. Maybe I'm just doing something wrong with this thing.

I'm used to Cisco :homebrew:

code:
[admin@MikroTik] > export
# apr/16/2015 01:06:39 by RouterOS 6.27
# software id = 58RI-HDNX
#
/interface bridge
add admin-mac=4C:5E:0C:32:CF:CE auto-mac=no name=bridge-local
add name=bridge-wifi
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway-50M
set [ find default-name=ether2 ] disabled=yes name=ether2-gateway-20M
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=ether10-slave-local
/ip neighbor discovery
set ether1-gateway-50M discover=no
/interface vlan
add interface=ether5 l2mtu=1594 name=DMZ-KIDS-VLAN20 vlan-id=20
add interface=ether5 l2mtu=1594 name=GUEST-VLAN30 vlan-id=30
add interface=ether5 l2mtu=1594 name=LAN-VLAN10 vlan-id=10
/interface wireless security-profiles
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=PROF-Tomato supplicant-identity="" wpa-pre-shared-key=* \
    wpa2-pre-shared-key=*
add authentication-types=wpa2-psk eap-methods="" management-protection=allowed mode=dynamic-keys name=PROF-glorkfoo supplicant-identity="" wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode antenna-gain=5 band=2ghz-b/g/n channel-width=20/40mhz-ht-above country="united states" disabled=no \
    distance=indoors frequency=2462 frequency-mode=regulatory-domain ht-rxchains=0 ht-txchains=1 hw-retries=15 l2mtu=2290 mode=ap-bridge name=Tomato security-profile=PROF-Tomato \
    ssid=Tomato wireless-protocol=802.11
add disabled=no l2mtu=2290 mac-address=4E:5E:0C:32:CF:D7 master-interface=Tomato name=glorkfoo security-profile=PROF-glorkfoo ssid=glorkfoo wds-cost-range=0 wds-default-cost=0
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=LAN-POOL ranges=192.168.10.50-192.168.10.254
add name=DMZ-POOL ranges=192.168.20.50-192.168.20.254
add name=GUEST-POOL ranges=192.168.30.50-192.168.30.254
add name=MGMT ranges=192.168.1.50-192.168.1.90
add name=WIFI-POOL ranges=192.168.40.50-192.168.40.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
add address-pool=LAN-POOL disabled=no interface=LAN-VLAN10 name=LAN-DHCP
add address-pool=DMZ-POOL disabled=no interface=DMZ-KIDS-VLAN20 name=DMZ-DHCP
add address-pool=GUEST-POOL disabled=no interface=GUEST-VLAN30 name=GUEST-DHCP
add address-pool=MGMT disabled=no interface=ether5 name=MGMT
add address-pool=WIFI-POOL disabled=no interface=bridge-wifi name=WIFI-DHCP
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-wifi interface=Tomato
add bridge=bridge-wifi interface=glorkfoo
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
add address=192.168.10.1/24 interface=LAN-VLAN10 network=192.168.10.0
add address=192.168.20.1/24 interface=DMZ-KIDS-VLAN20 network=192.168.20.0
add address=192.168.30.1/24 interface=GUEST-VLAN30 network=192.168.30.0
add address=192.168.1.1/24 interface=ether5 network=192.168.1.0
add address=192.168.40.1/24 interface=bridge-wifi network=192.168.40.0
/ip cloud
set update-time=no
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway-50M
add dhcp-options=clientid,hostname disabled=no interface=ether2-gateway-20M use-peer-ntp=no
/ip dhcp-server lease
add address=192.168.1.50 client-id=1:ec:e1:a9:c7:d6:50 mac-address=EC:E1:A9:C7:D6:50 server=MGMT
add address=192.168.20.254 always-broadcast=yes client-id=1:78:45:c4:3a:74:f5 mac-address=78:45:C4:3A:74:F5 server=DMZ-DHCP
add address=192.168.20.253 client-id=1:d4:3d:7e:93:e4:7 mac-address=D4:3D:7E:93:E4:07 server=DMZ-DHCP
add address=192.168.10.52 client-id=1:0:26:ab:bc:4e:eb mac-address=00:26:AB:BC:4E:EB server=LAN-DHCP
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=8.8.8.8 gateway=192.168.1.1 netmask=24
add address=192.168.10.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=192.168.10.1
add address=192.168.20.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=192.168.20.1
add address=192.168.30.0/24 dns-server=8.8.8.8,4.2.2.2 gateway=192.168.30.1
add address=192.168.40.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.40.1
add address=192.168.88.0/24 comment="default configuration" gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established,related,new in-interface=LAN-VLAN10
add chain=forward comment="Server Torrent" connection-state=established,related,new dst-port=31808 in-interface=ether1-gateway-50M protocol=tcp
add chain=forward comment="Server Torrent" connection-state=established,related,new dst-port=31808 in-interface=ether1-gateway-50M protocol=udp
add chain=forward comment="Desktop Skype" connection-state=established,related,new dst-port=57233 in-interface=ether1-gateway-50M protocol=udp
add chain=forward comment="Desktop Skype" connection-state=established,related,new dst-port=57233 in-interface=ether1-gateway-50M protocol=tcp
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=9100 protocol=tcp
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=515 protocol=tcp
add chain=forward comment="Allow cloud server to server" connection-state=established,related,new dst-port=3389 in-interface=ether1-gateway-50M protocol=tcp src-address=\
    *
add chain=forward comment="from dfw cbast" connection-state=established,related,new dst-port=3389 in-interface=ether1-gateway-50M protocol=tcp src-address=*
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 protocol=icmp
add action=drop chain=input comment="default configuration" connection-state=established,related,new src-address=!192.168.10.0/24
add action=drop chain=input comment="default configuration" in-interface=ether1-gateway-50M
add chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway-50M
add action=drop chain=forward in-interface=DMZ-KIDS-VLAN20 out-interface=LAN-VLAN10
add action=drop chain=forward in-interface=GUEST-VLAN30 out-interface=LAN-VLAN10
add action=drop chain=forward in-interface=bridge-wifi out-interface=LAN-VLAN10
add action=drop chain=forward in-interface=bridge-local out-interface=LAN-VLAN10
add chain=forward connection-state=!invalid
/ip firewall nat
add action=dst-nat chain=dstnat dst-port=31808 in-interface=ether1-gateway-50M protocol=tcp to-addresses=192.168.10.11 to-ports=31808
add action=dst-nat chain=dstnat dst-port=31808 in-interface=ether1-gateway-50M protocol=udp to-addresses=192.168.10.11 to-ports=31808
add action=dst-nat chain=dstnat dst-port=57233 in-interface=ether1-gateway-50M protocol=tcp to-addresses=192.168.10.10 to-ports=57233
add action=dst-nat chain=dstnat dst-port=57233 in-interface=ether1-gateway-50M protocol=udp to-addresses=192.168.10.10 to-ports=57233
add action=dst-nat chain=dstnat comment="from owncloud" dst-port=3389 in-interface=ether1-gateway-50M protocol=tcp src-address=* to-addresses=192.168.10.11 to-ports=3389
add action=dst-nat chain=dstnat comment="from dfw cbast" dst-port=3389 in-interface=ether1-gateway-50M protocol=tcp src-address=* to-addresses=192.168.10.11 to-ports=3389
add action=masquerade chain=srcnat out-interface=ether1-gateway-50M
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
/lcd
set read-only-mode=yes
/system clock
set time-zone-name=America/Chicago
/system ntp client
set enabled=yes primary-ntp=198.60.73.8 secondary-ntp=199.102.46.80 server-dns-names=time.nist.gov,pool.ntp.org
/system routerboard settings
set baud-rate=9600
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-gateway-20M
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=Tomato
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-gateway-20M
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=Tomato
add interface=bridge-local
[admin@MikroTik] >
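
An added example, not part of Prescription Combs's post: a minimal first-match evaluator in Python for the forward-chain rules in the export above, reporting which rule decides a packet and how many enabled rules the packet is checked against. It assumes RouterOS's in-order, first-match filter evaluation with accept as the default action and models only the matchers these rules use; the three packets and the 203.0.113.10 destination are constructed.

```python
import ipaddress
import re
import shlex

# Forward-chain rules copied from the export above, in their original order
# (a subset: the per-port WAN forwards are left out).
EXPORT = r'''
/ip firewall filter
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=9100 protocol=tcp
add chain=forward comment="default configuration" connection-state=established,related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid
add action=drop chain=forward comment="default configuration" connection-nat-state=!dstnat connection-state=new in-interface=ether1-gateway-50M
add action=drop chain=forward in-interface=DMZ-KIDS-VLAN20 out-interface=LAN-VLAN10
add action=drop chain=forward in-interface=GUEST-VLAN30 out-interface=LAN-VLAN10
add chain=forward connection-state=!invalid
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway-50M
'''

# Keys that describe the rule itself rather than the packet.
NON_MATCHERS = {"action", "chain", "comment", "disabled"}


def parse_filter_rules(export):
    """Return the '/ip firewall filter' rules of an export as dicts, in order."""
    text = re.sub(r"\\\r?\n\s*", "", export)  # join '\' continuation lines
    rules, in_section = [], False
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            in_section = line == "/ip firewall filter"
        elif in_section and line.startswith("add "):
            rule = dict(tok.split("=", 1) for tok in shlex.split(line[4:]))
            rule.setdefault("action", "accept")  # no action= means accept
            rules.append(rule)
    return rules


def field_matches(key, want, pkt):
    """Match one rule property against a packet; a leading '!' negates."""
    negate = want.startswith("!")
    want = want.lstrip("!")
    have = pkt.get(key)
    if have is None:
        hit = False
    elif key in ("src-address", "dst-address"):
        hit = ipaddress.ip_address(have) in ipaddress.ip_network(want, strict=False)
    else:
        hit = str(have) in want.split(",")  # comma list means any-of
    return hit != negate


def evaluate(rules, chain, pkt):
    """Return (action, index of deciding rule, enabled rules checked)."""
    checked = 0
    for idx, rule in enumerate(rules):
        if rule["chain"] != chain or rule.get("disabled") == "yes":
            continue
        checked += 1
        matchers = ((k, v) for k, v in rule.items() if k not in NON_MATCHERS)
        if all(field_matches(k, v, pkt) for k, v in matchers):
            return rule["action"], idx, checked
    return "accept", None, checked  # nothing matched: default accept


RULES = parse_filter_rules(EXPORT)

# Constructed packets.
GUEST_TO_PRINTER = {
    "in-interface": "GUEST-VLAN30", "out-interface": "LAN-VLAN10",
    "protocol": "tcp", "dst-address": "192.168.10.52", "dst-port": "9100",
    "connection-state": "new",
}
GUEST_TO_SERVER = dict(GUEST_TO_PRINTER, **{"dst-address": "192.168.10.11",
                                            "dst-port": "445"})
LAN_ESTABLISHED = {
    "in-interface": "LAN-VLAN10", "out-interface": "ether1-gateway-50M",
    "protocol": "tcp", "dst-address": "203.0.113.10", "dst-port": "443",
    "connection-state": "established",
}

if __name__ == "__main__":
    for name, pkt in [("guest -> printer", GUEST_TO_PRINTER),
                      ("guest -> server", GUEST_TO_SERVER),
                      ("lan established", LAN_ESTABLISHED)]:
        action, idx, checked = evaluate(RULES, "forward", pkt)
        print(f"{name}: {action} by rule {idx} after {checked} rule checks")
```

The printer rule has no in-interface, so it accepts the guest-VLAN packet before the GUEST-VLAN30 drop is reached, and with the established,related accept rule disabled an established packet is compared against every enabled forward rule before the final accept.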

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

The_Franz posted:

Why is your internal LAN-to-LAN traffic even hitting the CPU? Do you have the ports bridged instead of configured as a switch?

It's because I bridge-ported my ether2-ether5 to a software bridge (appropriately named DHCP-LAN), and then did my DHCP code on the bridge instead of switch/slaving ether3-ether4 to ether2, and doing my DHCP code on ether2.

I know Mikrotik ships with the latter as the default config for DHCP, but I find the former a bit cleaner, code wise and layman understanding-wise. However, it definitely does take a CPU hit to do the former over hardware switching latter. My RB750 CPU was going up to 50%-60% in transferring a 10Gb file, and now it is barely hitting 2-6% while doing the same. I'm still bound to ~44Mb throughput, so it must be a NIC somewhere on my network that is limiting the transfer speed and not the router itself.

The main other reason I like to use software bridge/routing over switch chip 'routing' is that doing the former lets you packet sniff on the software bridge that the DHCP interfaces are bridge-ported to, while the latter does not.

Good to know my RB750's CPU isn't limiting my hardware traffic. Looks like 60% CPU usage is fine. I've only definitely noticed packet loss and slowdowns at 90%+

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice
Haha, holy poo poo. Got my router at home set up. Pulling 55mbit down now instead of 40. Also WPA2 EAP-TLS was a breeze to set up. /evil twin paranoia
IPv6 comes next, couldn't get it working right on the old router!

DDWRT has been a pain in the butt, this went together much faster and I love how the console config works!

SSH IT ZOMBIE fucked around with this message at 05:41 on Apr 18, 2015

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice
I'm kind of a networking baby
http://pastebin.com/0AmEFNPm

I can't assign an IPv6 address to both bridge-local and bridge-internetonly. Only one remains pingable, and the one that works flaps.
Secondly, EUI-64 IP assignment out of a DHCP pool only seems to work for one interface at a time. If I try both, one gets marked invalid. Each interface has a diff mac, not sure why it's doing that!

The end goal is probably to either firewall off or VLAN off traffic between the two bridges.

Edit: Might be a routing issue - the networks overlap in the same /64 subnet. route print showed the gateway flapping for the /64 network since there are two interfaces with an IP on that network.

So I subnetted the /64 range my ISP gave me and assigned 2604:6000:100a:8e:1:1::1/80 to the physical wlan interface, and 2604:6000:100a:8e:1:2::1/80 to the virtual.

 #      DST-ADDRESS                GATEWAY                   DISTANCE
 0 ADS  ::/0                       fe80::201:5cff:fe36:3...  1
 1 ADSU 2604:6000:100a:8e::/64                               1
 2 ADC  2604:6000:100a:8e:1::/80   bridge-local              0
 3 ADC  2604:6000:100a:8e:2::/80   bridge-internetonly       0

Routes look normal, and both interfaces up.

But now I lose the nifty ipv6 autoassignment features, that require a /64.
So I statically assigned my network information on my pc, 2604:6000:100a:8e:1::F/80, and can ping everything as expected. I can move to the virtual access point, assign 2604:6000:100a:8e:2::F/80 and it works as well.

But what do I do for auto network assignment now?
I can't add two /80 pools for a couple DHCP servers, it bitches that it overlaps with the /64 pool created by the DHCP client on the WAN interface

SSH IT ZOMBIE fucked around with this message at 22:52 on Apr 19, 2015

thebigcow
Jan 3, 2001

Bully!
The answer is DHCP except some devices will give you problems no matter what with smaller than a /64.

quote:

I can't add two /80 pools for a couple DHCP servers, it bitches that it overlaps with the /64 pool created by the DHCP client on the WAN interface

What exactly is your ISP giving you for addresses? If your WAN address is included in that /64 then you can't route anything and they really don't support IPv6 in any usable way.

thebigcow
Jan 3, 2001

Bully!

Prescription Combs posted:

Here's a sanitized config. Maybe I'm just doing something wrong with this thing.

I'm used to Cisco :homebrew:


Nothing stands out but I realize just how much I lean on Winbox and how rarely I config anything.

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice

thebigcow posted:

The answer is DHCP except some devices will give you problems no matter what with smaller than a /64.


What exactly is your ISP giving you for addresses? If your WAN address is included in that /64 then you can't route anything and they really don't support IPv6 in any usable way.

They're giving me a prefix of 2604:6000:100a:8e::/64
RouterOS doesn't actually support getting a single WAN IP for IPv6, only supports prefix delegation?

So my WAN is using link local. I manually assigned my LAN an IP of prefix::1.

 #    ADDRESS                       FROM-POOL  INTERFACE            ADVERTISE
 0 DL fe80::4e5e:cff:fe7a:9830/64              bridge-internetonly  no
 1 DL fe80::4e5e:cff:fe7a:9841/64              bridge-local         no
 2 G  2604:6000:100a:8e::1/64                  bridge-local         yes
 3 DL fe80::4e5e:cff:fe7a:9840/64              ether1-gateway

The ISP's router is also a link local address
Routes:
0 ADS dst-address=::/0 gateway=fe80::201:5cff:fe36:381%ether1-gateway gateway-status=fe80::201:5cff:fe36:381%ether1-gateway reachable distance=1 scope=30 target-scope=10
1 ADC dst-address=2604:6000:100a:8e::/64 gateway=bridge-local gateway-status=bridge-local reachable distance=0 scope=10

Desktop auto configured with an IP of 2604:6000:100a:8e:e6ce:8fff:fe57:27cd

Everything is working as expected to my knowledge, even inbound(firewall rules seem tricky...) Just can't split the pool into two /80 subnets for whatever reason to run a DHCP service on two networks, not supported?


Trace route from me to google:
traceroute6 to ipv6.l.google.com (2607:f8b0:4009:809::200e) from 2604:6000:100a:8e:b137:390c:babc:3313, 64 hops max, 12 byte packets
1 2604:6000:100a:8e::1 1.764 ms 1.308 ms 1.464 ms
2 * * *
3 2604:6000::4:0:2006:0:1236 21.730 ms 11.761 ms 10.809 ms
4 2604:6000::4:0:2006:0:20ee 14.789 ms 18.440 ms 15.274 ms
5 2604:6000:0:4::d0 38.362 ms 25.584 ms 23.981 ms
6 2001:1998:0:8::2a0 46.177 ms
2001:1998:0:8::12 42.135 ms
2001:1998:0:8::2a2 41.569 ms
7 2001:1998:0:4::104 42.772 ms
2001:1998:0:4::102 41.760 ms
2001:1998:0:4::104 52.821 ms
8 10gigabitethernet2.switch1.nyc7.he.net 55.169 ms 41.215 ms 40.979 ms
9 2001:4860:1:1::1b1b:0:39 37.297 ms 37.326 ms 37.057 ms
10 2001:4860::1:0:3be 38.455 ms
2001:4860::1:0:6572 41.773 ms 40.677 ms
11 2001:4860::8:0:4397 70.284 ms
2001:4860::8:0:4398 41.222 ms 39.556 ms
12 2001:4860::8:0:833f 35.477 ms
2001:4860::8:0:5900 38.208 ms
2001:4860::8:0:833f 35.491 ms
13 2001:4860::1:0:84b4 37.379 ms 38.674 ms 36.548 ms
14 2001:4860:0:1::1249 37.956 ms 37.922 ms 35.204 ms
15 ord31s22-in-x0e.1e100.net 38.272 ms 34.578 ms 36.888 ms

Some trace route site to me:
#traceroute 2604:6000:100a:8e:e6ce:8fff:fe57:27cd
traceroute to 2604:6000:100a:8e:e6ce:8fff:fe57:27cd (2604:6000:100a:8e:e6ce:8fff:fe57:27cd), 30 hops max, 80 byte packets
1 2607:f2f8:1600::1 (2607:f2f8:1600::1) 1.920 ms 1.858 ms 1.843 ms
2 2001:504:13::1a (2001:504:13::1a) 134.486 ms 134.713 ms 134.933 ms
3 twcable-backbone-as7843.10gigabitethernet17.switch2.lax2.he.net (2001:470:0:2bf::2) 2.380 ms 2.370 ms 2.354 ms
4 2001:1998:0:4::11d (2001:1998:0:4::11d) 4.971 ms 2001:1998:0:4::11b (2001:1998:0:4::11b) 4.484 ms 6.717 ms
5 2001:1998:0:4::e0 (2001:1998:0:4::e0) 14.591 ms 2001:1998:0:4::14 (2001:1998:0:4::14) 52.460 ms 2001:1998:0:4::e0 (2001:1998:0:4::e0) 12.043 ms
6 2001:1998::66:109:6:9 (2001:1998::66:109:6:9) 13.263 ms 10.926 ms 13.423 ms
7 2001:1998:0:8::11 (2001:1998:0:8::11) 69.523 ms 2001:1998:0:4::a0 (2001:1998:0:4::a0) 58.097 ms 57.541 ms
8 2604:6000:0:4::cd (2604:6000:0:4::cd) 67.344 ms 67.242 ms 2001:1998:0:8::3b (2001:1998:0:8::3b) 70.647 ms
9 2604:6000:0:4:0:2006:0:20e7 (2604:6000:0:4:0:2006:0:20e7) 71.900 ms 2604:6000:0:4::cd (2604:6000:0:4::cd) 71.859 ms 2604:6000:0:4:0:2006:0:20e7 (2604:6000:0:4:0:2006:0:20e7) 65.051 ms
10 2604:6000:0:4:0:2006:0:20e7 (2604:6000:0:4:0:2006:0:20e7) 74.831 ms * *
11 * * 2604:6000:100a:8e::1 (2604:6000:100a:8e::1) 88.281 ms
12 2604:6000:100a:8e::1 (2604:6000:100a:8e::1) 97.821 ms 97.765 ms 85.837 ms

SSH IT ZOMBIE fucked around with this message at 06:47 on Apr 20, 2015

Prescription Combs
Apr 20, 2005
   6
RouterOS IPv6 implementation looks to be a bit fucky/half baked.

Was messing around with mine and it won't even let me add a link-local address to interfaces :downs:

[admin@MikroTik] /ipv6> address add address=fe80::def interface=LAN-VLAN10
failure: can not add link local address
[admin@MikroTik] /ipv6>

really?

Doesn't look like it supports a single WAN IP unless you manually specify it.

Screwing around with the config to see if I can configure what you're trying to accomplish.



Edit: RouterOS is really fucky with IPv6!!!



So my ISP(TWC) will hand out a /56 if you use the "prefix-hint=::/56" command in the dhcp-client config. Easier to subnet this way.


After some loving around I figured out that you don't need to set up the dhcp-server config to split out the network in to 'pools'. I grabbed a /56 from my ISP and carved it in to /64's per interface.

Here's my config:

code:
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway-50M pool-name=ISP_6 prefix-hint=::/56

[admin@MikroTik] /ipv6> pool print
Flags: D - dynamic 
 #   NAME                                                                       PREFIX                                      PREFIX-LENGTH EXPIRES-AFTER       
 0 D ISP_6                                                                      2605:6000:6c01:200::/56                                64 6d22h58m29s         
[admin@MikroTik] /ipv6>


/ipv6 address
add address=2605:6000:6c01:200::/64 from-pool=ISP_6 interface=LAN-VLAN10
add address=2605:6000:6c01:201::/64 from-pool=ISP_6 interface=DMZ-KIDS-VLAN20
add address=2605:6000:6c01:202::/64 from-pool=ISP_6 interface=GUEST-VLAN30
add address=2605:6000:6c01:203::/64 from-pool=ISP_6 interface=bridge-wifi

/ipv6 firewall filter
add chain=input connection-state=related
add chain=input connection-state=established
add chain=forward connection-state=established
add chain=input in-interface=LAN-VLAN10
add chain=forward connection-state=related
add chain=input dst-port=546 protocol=udp
add chain=input protocol=icmpv6
add chain=forward protocol=icmpv6
add chain=forward out-interface=ether1-gateway-50M
add action=drop chain=input
add action=drop chain=forward

/ipv6 nd
set [ find default=yes ] disabled=yes
add hop-limit=64 interface=ether1-gateway-50M
add advertise-dns=yes hop-limit=64 interface=LAN-VLAN10
add advertise-dns=yes hop-limit=64 interface=DMZ-KIDS-VLAN20
add advertise-dns=yes hop-limit=64 interface=GUEST-VLAN30
add advertise-dns=yes hop-limit=64 interface=bridge-wifi

All you need to do is add whatever prefix size to the interface of choice and SLAAC will take care of the rest.

My computer auto-config'd a /64. The other networks will auto-config as /64's in their respective subnets. In your case, /80's from the /64 assigned if your ISP doesn't hand out a /56.


code:
@MS-7681:~$ ifconfig eth1 | grep inet6
        inet6 addr: 2605:6000:6c01:200:e564:ba9d:bb14:edf9/64 Scope:Global
¯\_(ツ)_/¯




So I tried to add the above addresses previously as:

/ipv6 address
add address=2605:6000:6c01:210::/64 from-pool=ISP_6 interface=LAN-VLAN10
add address=2605:6000:6c01:220::/64 from-pool=ISP_6 interface=DMZ-KIDS-VLAN20
add address=2605:6000:6c01:230::/64 from-pool=ISP_6 interface=GUEST-VLAN30
add address=2605:6000:6c01:240::/64 from-pool=ISP_6 interface=bridge-wifi


Buuuut, the mikrotik would only increment the /64 subnets by one digit in my findings. Weird as hell.

Prescription Combs fucked around with this message at 10:44 on Apr 20, 2015
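
An added example, not part of the post above: Python that carves the delegated /56 from the post into per-interface /64s, builds the EUI-64 SLAAC address a host derives from its MAC, and recovers the MAC from such an address. The prefixes and addresses are the ones shown in this thread; the MAC e4:ce:8f:57:27:cd is derived here from the desktop address posted earlier, and all function names are this example's own.

```python
import ipaddress
from itertools import islice


def carve(delegated, new_prefix=64, count=4):
    """First `count` subnets of length `new_prefix` inside a delegated prefix."""
    net = ipaddress.ip_network(delegated)
    return [str(s) for s in islice(net.subnets(new_prefix=new_prefix), count)]


def eui64_interface_id(mac):
    """64-bit modified EUI-64 interface ID: flip the U/L bit, insert ff:fe."""
    octets = bytearray(int(part, 16) for part in mac.replace("-", ":").split(":"))
    if len(octets) != 6:
        raise ValueError("expected a 48-bit MAC address")
    octets[0] ^= 0x02
    return int.from_bytes(octets[:3] + b"\xff\xfe" + octets[3:], "big")


def slaac_address(prefix, mac):
    """Address a host forms from an advertised prefix and its MAC.

    The interface ID is 64 bits long, so only a /64 leaves room for it;
    a /80 carved out of a single /64 cannot be autoconfigured this way.
    """
    net = ipaddress.ip_network(prefix)
    if net.prefixlen != 64:
        raise ValueError("EUI-64 SLAAC needs a /64, got /%d" % net.prefixlen)
    return str(net[eui64_interface_id(mac)])


def mac_from_eui64(address):
    """Recover the MAC embedded in an EUI-64 address, or None if absent."""
    iid = int(ipaddress.ip_address(address)) & ((1 << 64) - 1)
    raw = bytearray(iid.to_bytes(8, "big"))
    if raw[3:5] != b"\xff\xfe":
        return None  # randomised or manual interface ID, no MAC inside
    raw[0] ^= 0x02
    return ":".join("%02x" % b for b in raw[:3] + raw[5:])


if __name__ == "__main__":
    # The /56 from the post above, split into the first four /64s.
    for subnet in carve("2605:6000:6c01:200::/56"):
        print(subnet)
    # The router's bridge-local link-local address from its admin-mac.
    print(slaac_address("fe80::/64", "4C:5E:0C:7A:98:41"))
    # The desktop's global address exposes its MAC to every remote peer.
    print(mac_from_eui64("2604:6000:100a:8e:e6ce:8fff:fe57:27cd"))
    # The Linux host's address uses a non-EUI-64 interface ID.
    print(mac_from_eui64("2605:6000:6c01:200:e564:ba9d:bb14:edf9"))
    try:
        slaac_address("2604:6000:100a:8e:1::/80", "4C:5E:0C:7A:98:41")
    except ValueError as err:
        print(err)
```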

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice

Prescription Combs posted:

So my ISP(TWC) will hand out a /56 if you use the "prefix-hint=::/56" command in the dhcp-client config. Easier to subnet this way.

After some loving around I figured out that you don't need to set up the dhcp-server config to split out the network in to 'pools'. I grabbed a /56 from my ISP and carved it in to /64's per interface.

Buuuut, the mikrotik would only increment the /64 subnets by one digit in my findings. Weird as hell.

That is really odd! Would not have thought of using the same pool for multiple subnets. My isp is also twc, I can get a /56. Thanks!

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
I need to learn IPv6 sometime but dear god do I want to keep putting it off forever.

My job has a shitload of IPv4 blocks (company who got in on the ground floor of the internet), and they're always "who the gently caress cares about IPv6?" But I know as soon as I move to a new job I'm going to regret not learning it asap.

Prescription Combs
Apr 20, 2005
   6

SSH IT ZOMBIE posted:

That is really odd! Would not have thought of using the same pool for multiple subnets. My isp is also twc, I can get a /56. Thanks!

It's just a weird way that RouterOS seems to handle prefix delegation. Rather than just informing you of your delegated IP block it arbitrarily makes it in to a pool that you have to carve from in a roundabout way per interface you want to have IPv6 'split' across interfaces.

The way you were originally trying to do should work and it's just about exactly how I'd set it up on LARGE VENDOR device.

Eh, Latvia. Maybe the engineers/devs who coded it in to the OS figured that most people would just use SLAAC instead of full on DHCPv6 through their ISP. The dhcp-server config in routerOS looks like it's setup to be the ISP handing out delegations to CPE's instead of setup for LAN assignments.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

jeeves posted:

I need to learn IPv6 sometime but dear god do I want to keep putting it off forever.

Go do he.net ipv6 certification thing. Much of it is a borderline joke but if you want to reach 'sage' level (free t-shirt zomg) at least it forces you to do lots of v6 things that are useful in practice.

Prescription Combs
Apr 20, 2005
   6
Ended up shelving the RB for an Edgerouter lite. Trying to do too much with the RB just makes it fall on its face

I still <3 you Mikrotik. You do so much for so little cost.

SSH IT ZOMBIE
Apr 19, 2003
No more blinkies! Yay!
College Slice

Prescription Combs posted:

Ended up shelving the RB for an Edgerouter lite. Trying to do too much with the RB just makes it fall on its face

I still <3 you Mikrotik. You do so much for so little cost.

Hmm, what are you doing? Speedtest.net makes my CPU maybe go up to 20% on the RB951Ui-2HnD. I think that has the same CPU? Are you on the latest firmware?

Your config -
How come you're software bridging those ethernet ports to bridge-local instead of using the master-slave functionality?

Should you add a source interface to rules like this?
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=9100 protocol=tcp
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=515 protocol=tcp




[admin@MikroTik] > export
# apr/27/2015 17:46:15 by RouterOS 6.27
# software id = BLXX-VW13
#
/interface bridge
add admin-mac=4C:5E:0C:7A:98:30 auto-mac=no name=bridge-internetonly
add admin-mac=4C:5E:0C:7A:98:41 auto-mac=no mtu=1500 name=bridge-local
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
add authentication-types=wpa2-eap eap-methods=eap-tls management-protection=allowed mode=dynamic-keys name=eap-tls supplicant-identity="" tls-certificate=dnet-ca tls-mode=verify-certificate
add authentication-types=wpa2-psk management-protection=allowed mode=dynamic-keys name=dnet wpa2-pre-shared-key=*
/interface wireless
set [ find default-name=wlan1 ] adaptive-noise-immunity=ap-and-client-mode band=2ghz-onlyn channel-width=20/40mhz-Ce disabled=no distance=indoors frequency=2437 ht-basic-mcs=\
mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,mcs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-18,mcs-20,mcs-22 l2mtu=1600 mode=ap-bridge security-profile=eap-tls ssid=dnet-eap
add disabled=no l2mtu=1600 mac-address=4E:5E:0C:7A:98:50 master-interface=wlan1 name=wlan2 security-profile=dnet ssid=dnet
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
add name=internetonly-dhcp ranges=192.168.50.10-192.168.50.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=internetonly-dhcp disabled=no interface=bridge-internetonly name=dhcp-internetonly
/system logging action
set 0 memory-lines=2000
add disk-file-count=30 disk-file-name=disk1/usbdisklog disk-lines-per-file=5000 name=usbdisk target=disk
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-internetonly interface=wlan2
/ip firewall connection tracking
set tcp-established-timeout=4w2d tcp-syn-received-timeout=30s tcp-syn-sent-timeout=30s
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=ether2-master-local network=192.168.88.0
add address=192.168.50.1/24 interface=bridge-internetonly network=192.168.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway use-peer-dns=no
/ip dhcp-server network
add address=192.168.50.0/24 dns-server=192.168.50.1 gateway=192.168.50.1
add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=2001:4860:4860::8888,8.8.8.8
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=reject chain=forward connection-state=invalid,new in-interface=bridge-internetonly out-interface=bridge-local
add action=reject chain=forward disabled=yes in-interface=bridge-local out-interface=bridge-internetonly
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add chain=input comment="allow dhcp inbound broadcasts on gw port to keep them out of the log" in-interface=ether1-gateway port=67,68 protocol=udp
add action=log chain=input comment="log connections to gw" connection-state=new in-interface=ether1-gateway
add action=reject chain=input comment="block management ports on insecure network" dst-port=21,22,23,80,2000,8291 in-interface=bridge-internetonly protocol=tcp reject-with=icmp-port-unreachable
add action=drop chain=input comment="default configuration" connection-state=new in-interface=ether1-gateway
add chain=forward comment="default configuration" connection-state=established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=web-proxy1
/ip service
set telnet disabled=yes
set api disabled=yes
set winbox disabled=yes
set api-ssl disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/ipv6 address
add address=2604:6000:6700:3400:: advertise=no from-pool=ipv6-pool interface=ether1-gateway
add address=2604:6000:6700:3401:: from-pool=ipv6-pool interface=bridge-local
add address=2604:6000:6700:3402:: from-pool=ipv6-pool interface=bridge-internetonly
/ipv6 dhcp-client
add add-default-route=yes interface=ether1-gateway pool-name=ipv6-pool prefix-hint=::/56 use-peer-dns=no
/ipv6 firewall filter
add chain=input comment="allow router dhcp client" in-interface=ether1-gateway protocol=udp src-port=546,547
add chain=input comment="allow icmp for ND" in-interface=ether1-gateway protocol=icmpv6
add chain=forward comment="allow pinging local network from internet" protocol=icmpv6
add chain=forward comment="allow iMac ssh" disabled=yes dst-address=2604:6000:6700:3401:e6ce:8fff:fe57:27cd/128 dst-port=22 in-interface=ether1-gateway out-interface=bridge-local protocol=tcp
add chain=forward comment="he web" disabled=yes dst-address=2604:6000:6700:3401:e6ce:8fff:fe57:27cd/128 dst-port=80 in-interface=ether1-gateway out-interface=bridge-local protocol=tcp
add chain=forward disabled=yes in-interface=ether1-gateway protocol=udp
add action=reject chain=input comment="block management ports on insecure network" dst-port=21,22,23,80,2000,8291 in-interface=bridge-internetonly protocol=tcp reject-with=icmp-port-unreachable
add action=log chain=input comment="drop inbound to router log" connection-state=new in-interface=ether1-gateway
add action=reject chain=input comment="drop inbound to router" connection-state=new in-interface=ether1-gateway reject-with=icmp-port-unreachable
add action=log chain=forward comment="block inbound traffic to lan log" connection-state=new in-interface=ether1-gateway out-interface=bridge-internetonly
add action=reject chain=forward comment="block inbound traffic to lan" connection-state=new in-interface=ether1-gateway out-interface=bridge-internetonly reject-with=icmp-port-unreachable
add action=log chain=forward comment="block inbound trafic to local lan log" connection-state=new in-interface=ether1-gateway out-interface=bridge-local
add action=reject chain=forward comment="block inbound trafic to local lan" connection-state=new in-interface=ether1-gateway out-interface=bridge-local reject-with=icmp-port-unreachable
add chain=forward comment="accept everything not blocked"
add chain=output
add chain=input
add chain=forward connection-state=invalid,new in-interface=bridge-internetonly out-interface=bridge-local
/system clock
set time-zone-autodetect=no time-zone-name=America/New_York
/system leds
set 5 interface=wlan1
/system logging
set 0 topics=info,!firewall
add action=usbdisk topics=firewall
/tool bandwidth-server
set enabled=no
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3-slave-local
add interface=ether4-slave-local
add interface=ether5-slave-local
add interface=wlan1
add interface=bridge-local

SSH IT ZOMBIE fucked around with this message at 22:55 on Apr 27, 2015
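
An added example (not part of any poster's message or config): a short Python check for the question raised above about forward rules that have no source interface. It parses the `/ip firewall filter` lines of a RouterOS export and lists accept rules that admit new connections without any source match; the sample mixes the two quoted printer rules with rules copied from the export above, and the function names are illustrative.

```python
import shlex

# Constructed sample: the two printer rules quoted in the post, followed by
# rules copied from the export in the same post for contrast.
SAMPLE_EXPORT = r'''/ip firewall filter
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=9100 protocol=tcp
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=515 protocol=tcp
add action=reject chain=forward connection-state=invalid,new in-interface=bridge-internetonly out-interface=bridge-local
add chain=forward comment="default configuration" connection-state=established
add chain=input comment="default configuration" protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1-gateway
'''

# Matchers that tie a rule to where the traffic comes from.
SOURCE_KEYS = {"in-interface", "in-interface-list", "src-address", "src-address-list"}


def parse_filter_rules(export_text):
    """Return one dict per 'add' line under '/ip firewall filter'."""
    rules, section, pending = [], None, ""
    for raw in export_text.splitlines():
        line = pending + raw.strip()
        if line.endswith("\\"):          # export wraps long lines with a backslash
            pending = line[:-1]
            continue
        pending = ""
        if line.startswith("/"):
            section = line
        elif section == "/ip firewall filter" and line.startswith("add "):
            rule = {}
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            rules.append(rule)
    return rules


def unscoped_forward_accepts(rules):
    """Forward-chain accept rules that admit new connections from any source."""
    flagged = []
    for rule in rules:
        if rule.get("chain") != "forward":
            continue
        if rule.get("action", "accept") != "accept":   # omitted action means accept
            continue
        states = rule.get("connection-state")
        admits_new = states is None or "new" in states.split(",")
        if admits_new and not SOURCE_KEYS.intersection(rule):
            flagged.append(rule)
    return flagged


if __name__ == "__main__":
    for rule in unscoped_forward_accepts(parse_filter_rules(SAMPLE_EXPORT)):
        print("no source match:", rule.get("comment", ""), "dst-port", rule.get("dst-port"))
```

Rules that only match established or related traffic are left alone, since they cannot open a new flow; only the two printer rules are reported.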

PUBLIC TOILET
Jun 13, 2009

Does anyone else know if MikroTik's website still has the version 2 of winbox available for download? It seems like every time I use version 3 and upgrade to a new release candidate, new issues appear.

CuddleChunks
Sep 18, 2004

PUBLIC TOILET posted:

Does anyone else know if MikroTik's website still has the version 2 of winbox available for download? It seems like every time I use version 3 and upgrade to a new release candidate, new issues appear.

Here you go, v2.2.18

You can find it on any MikroTik running an older firmware.

Prescription Combs
Apr 20, 2005
   6

SSH IT ZOMBIE posted:

Hmm, what are you doing? Speedtest.net makes my CPU maybe go up to 20% on the RB951Ui-2HnD. I think that has the same CPU? Are you on the latest firmware?

Your config -
How come you're software bridging those ethernet ports to bridge-local instead of using the master-slave functionality?

Should you add a source interface to rules like this?
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=9100 protocol=tcp
add chain=forward comment="Allow to printer" connection-state=established,related,new dst-address=192.168.10.52 dst-port=515 protocol=tcp



Those printer rules were for the DMZ and GUEST segments to send jobs to the printer in the LAN segment. I don't really understand the master/slave interface configuration. It doesn't make much sense to me... Bridge is such an outdated term for switching ports.

In my config, I had eth5 as a routed interface which trunked the 3 VLANs down to a managed switch. Is there a better way to do this on the RB? Can multiple VLANs be associated to a single bridge interface?

http://wiki.mikrotik.com/wiki/Vlans_on_Mikrotik_environment

The MT wiki on doing vlans is pretty much how I had mine set up.


Here's a diagram of how it was all set up.. May do some more fuckery this weekend with the RB, the ERLite-3 is currently doing the exact same thing without even remotely breaking a sweat.



2 story house, PoE powered switch where all the cat5 comes in to a bundle in a little cabinet in a closet to distribute to each ethernet jack in the rooms throughout the house.

Kids in a DMZ cause I don't want their minecraft viruses on the LAN. I jest.

Prescription Combs fucked around with this message at 04:51 on Apr 28, 2015

theperminator
Sep 16, 2009

by Smythe
Fun Shoe

Prescription Combs posted:

I don't really understand the master/slave interface configuration. It doesn't make much sense to me... Bridge is such an outdated term for switching ports.

Bridge is not a term for switching ports at all, you're bridging ports together so that all packets are forwarded through all ports, and it eats up a bunch of CPU because it has to do processing for all of your traffic between ports.

Slaving ports to a master basically means that the slave ports will all be on the switch chip instead, and any configuration for that switch should be applied to the master port.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
The test case CCR1009 (~$420 model that is pretty beefy with 8 Gig ether, 4x on switch port, SFP and SFP+ ports) started dropping ether1-ether4 every few hours, with no reason.

I had my OSPF backhaul on ether1 and ether4, with ether2 and ether3 being random test spurs off. Yet, it dropped it sporadically every few hours, for like 1 second. Enough for it to try to send out an OSPF port down-- which it couldn't since both uplink/backhauls went down.

I can't for the life of me figure out why. Everything on it is exactly the same code as a CCR1036 that works fine with the exact same script. Only thing I can think about is that ether1-4 are on the switch chip, but ugh. Fully up to date firmware/routerOS. And of course when I moved it to a new config with only ether1 as backhaul and not running ospf it stopped happening... great.

I really want to love these $400 routers, but wtf.

Of course posting the problem on the Mikrotik forum is like pissing into the wind.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

jeeves posted:

Of course posting the problem on the Mikrotik forum is like pissing into the wind.

If it's dropping packets, but only from the switch ports, it may be a defective switch chip. It's known to happen on occasion, and if the poor little switch chip faults out, the router will fault the ports and relink them once the chip recovers. If it goes away completely once you stop using the chip, see about getting an RMA for it.

poxin
Nov 16, 2003

Why yes... I am full of stars!
Haven't had a chance to play around with one of these yet but looking to update a home network. One of the newer updates in the OP shows it has a default setup and wizard to get online quickly, is it that simple? I've messed around with Tomato and DD-WRT firmwares before. Running pfsense now so not a complete newbie at least.

Bought the RB951G-2HND. Looking to just set up the highest power/range wifi for a friend since they live in middle of nowhere country farm land.

Was eyeballing the Ubiquiti edgerouter series since I have their LR-AP and one of the UVC cameras but that looks a little too intimidating.

poxin fucked around with this message at 22:23 on Apr 28, 2015

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

Methylethylaldehyde posted:

If it's dropping packets, but only from the switch ports, it may be a defective switch chip. It's known to happen on occasion, and if the poor little switch chip faults out, the router will fault the ports and relink them once the chip recovers. If it goes away completely once you stop using the chip, see about getting an RMA for it.

Well, I wasn't using the switch chip, the entire thing was just routing. But otherwise it sounds exactly right-- ether1-ether4 would drop for 1-2 seconds and then pick right back up.

Aha, I figured out why it hasn't been repeating. My coworker plugged into ether5 to do testing all weekend instead of ether1 like I asked. That would probably explain why it hasn't replicated the problem!

CuddleChunks
Sep 18, 2004

poxin posted:

Haven't had a chance to play around with one of these yet but looking to update a home network. One of the newer updates in the OP shows it has a default setup and wizard to get online quickly, is it that simple? I've messed around with Tomato and DD-WRT firmwares before. Running pfsense now so not a complete newbie at least.

Bought the RB951G-2HND. Looking to just set up the highest power/range wifi for a friend since they live in middle of nowhere country farm land.

The defaults in the RB951 are for a router doing NAT with ether1 acting as WAN and 2-5 part of the LAN. Plug it in, it'll try and pick up an IP through DHCP off the WAN port and hand out IP's in the 192.168.88.x range to your computers. There's a web interface for basic config stuff but Winbox or the terminal are the more powerful ways to work with it.

Hope it suits your needs.

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

CuddleChunks posted:

The defaults in the RB951 are for a router doing NAT with ether1 acting as WAN and 2-5 part of the LAN. Plug it in, it'll try and pick up an IP through DHCP off the WAN port and hand out IP's in the 192.168.88.x range to your computers. There's a web interface for basic config stuff but Winbox or the terminal are the more powerful ways to work with it.

Hope it suits your needs.

You can also use the Pretty Pony Guide to Programming a Mikrotik Router, which is exactly what it sounds like. A glorious intersection point on the Venn diagram of nerds who like ponies a little too much, and nerds who need to program their fancy new router. And still easier to follow than 90% of the guides posted on the forums and wiki.

jeeves posted:

Well, I wasn't using the switch chip, the entire thing was just routing. But otherwise it sounds exactly right-- ether1-ether4 would drop for 1-2 seconds and then pick right back up.

Aha, I figured out why it hasn't been repeating. My coworker plugged into ether5 to do testing all weekend instead of ether1 like I asked. That would probably explain why it hasn't replicated the problem!

You can also set up a fake network and use iperf to hammer the poo poo out of the ports to try and force a failure. The chips tend to fault way more under heavy load.

Methylethylaldehyde fucked around with this message at 10:31 on Apr 30, 2015

volkadav
Jan 1, 2008

Guillotine / Gulag 2020

poxin posted:

Haven't had a chance to play around with one of these yet but looking to update a home network. One of the newer updates in the OP shows it has a default setup and wizard to get online quickly, is it that simple? I've messed around with Tomato and DD-WRT firmwares before. Running pfsense now so not a complete newbie at least.

Bought the RB951G-2HND. Looking to just set up the highest power/range wifi for a friend since they live in middle of nowhere country farm land.

Was eyeballing the Ubiquiti edgerouter series since I have their LR-AP and one of the UVC cameras but that looks a little too intimidating.

The webui has a quick-set configurator thing on the main page that'll set you up with a reasonable home ap config. This youtube video also walks through setting up a similar model (750gl iirc) step by step if you want to fiddle with everything manually: https://youtu.be/ulDefmf1ces

SamDabbers
May 26, 2003



I'm selling an RB2011L-IN, RB751U-2HnD, EdgeRouter Lite, and some GigE switches, among other things, in SA-Mart in case anyone's interested. Thanks :)

kiwid
Sep 30, 2013

Thinking about purchasing these CCR1009-8G-1S-1S+PC for ~12 branch locations. Anyone have any comments on these?

Methylethylaldehyde
Oct 23, 2004

BAKA BAKA

kiwid posted:

Thinking about purchasing these CCR1009-8G-1S-1S+PC for ~12 branch locations. Anyone have any comments on these?

The one I have at home works fine for what I use it for.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

kiwid posted:

Thinking about purchasing these CCR1009-8G-1S-1S+PC for ~12 branch locations. Anyone have any comments on these?

I really, really, really like this model. It has like everything, without being ridiculously beefy like the higher end Cloud Core models.

The first one we got apparently had a bad switch chip (see my above comments on this or the previous page) which made me doubt the model, but I am hoping that was just a one off because I really want to use this CCR1009 for everywhere.

Atreus
Sep 20, 2005
Is there any word on whether or not they intend to do prepackaged multicore mips processors, or further move Tilera down in price? I'm looking for something that compares to the ERL/ERX from Ubnt and Mikrotik seems like it's missing a sweet spot in that area.

My RB951G-2HnD is dying with all the queues and my VPN I have set up on it, and need something a bit stronger.
