I think I've sold and set up nearly 20 of the hAP lite models. Not a single loving problem. Granted this ain't in big networks but man, what great bang for the bux. Now 20 bux on amazon!

# ? Sep 3, 2015 01:14
# ? Apr 29, 2024 09:37
MikroTiks can be great value for the money, right until they blow up and cost you tons of downtime because the supply chain for these is bullshit and bugfixes are a joke. I feel your pain, jeeves. I also work with these drat things every day and am amazed at some of the weird poo poo we can do with them.

# ? Sep 3, 2015 01:48
I mean, like 99.9% of our network works fine at all times. It's only a rare instance when they blow up. But I can never loving trust Mikrotiks like I can other stuff. That's why they're so drat cheap.

# ? Sep 3, 2015 06:20
We used to use Mikrotiks a lot for client sites, and because of the Latvian quality we kept a supply of backup units and config backups in case we needed to replace any. We tried replacing some of our aging Ciscos in our core with some CCRs and it was a huge mistake; we ended up replacing them with Juniper gear.

# ? Sep 3, 2015 08:05
I got a mikrotik from a buddy of mine to set up at my house. I'm pretty sure I've got everything set up okay, except the port forwards I set up don't seem to be working. I can see the tickers go up when I test them but my software doesn't end up connecting. I'm pretty sure everything else on the machine is default except for the wireless and the NAT rules for my ports. I'm brand new to this, so I'm not sure what other info to give. I can copy/paste whatever will help. This is so hard. I just wanted to set up a router.

# ? Sep 3, 2015 18:24
Zapf Dingbat posted:
> I got a mikrotik from a buddy of mine to set up at my house. I'm pretty sure I've got everything set up okay, except the port forwards I set up don't seem to be working. I can see the tickers go up when I test them but my software doesn't end up connecting. I'm pretty sure everything else on the machine is default except for the wireless and the NAT rules for my ports.

We need to know what IP address the computer you're forwarding to on the inside of the network has. Also, what services are you trying to forward? Then, log into your mikrotik, open a terminal window and full-screen it. Type the following commands: code:

# ? Sep 3, 2015 18:29
CuddleChunks posted:
> We need to know what IP address the computer you're forwarding to on the inside of the network has. Also, what services are you trying to forward?

I know I'm not using UPnP on my software, so I disabled it. code:

# ? Sep 3, 2015 18:50
Those look correct to me. What service are you trying to run on your local computers? You've got at least two machines, see if they can connect to your service locally. You can even try telnet from one machine to another on the destination port to see if anything responds. Your mikrotik config looks right, I'd start looking into the computers to make sure they actually respond for the given request.

# ? Sep 3, 2015 20:51
I'm running Eventghost with Autoremote. I'm trying to send them commands externally. I haven't set up a dynamic DNS yet, but I'm testing it by just finding out what my IP currently is, disconnecting wifi on my phone, and sending the command. This works when my phone is connected to my LAN.

# ? Sep 3, 2015 21:13
Zapf Dingbat posted:

Why is ether2-master a slave? It looks like it's slaved to ether1-gateway which you definitely don't want.

# ? Sep 3, 2015 23:20
Not sure. It came that way. I didn't really understand the master/slave thing. What's the optimal setup?

# ? Sep 3, 2015 23:27
Zapf Dingbat posted:
> Not sure. It came that way. I didn't really understand the master/slave thing. What's the optimal setup?

Slave is Latvian non-PC notation for something that is on a switch chip bridge with master as the main port. Anything that goes into any port will go out any other port, like a switch. You can do something similar with a software bridge by first making a bridge, and then porting ether2-ether5 to that bridge, except it will run at software bridge speed instead of switch chip speeds. Any IP addresses that are assigned to interface=ether2 will be repeated out any other port slaved to it. Same with interface=bridge in the above.

edit - looking at your config you actually have two separate switch groups, one slaved to ether2 (for ether3-5) and one slaved to ether6 (for ether7-10). I think those 10 port RB451 or whatevers come with two switch groups by default.

jeeves fucked around with this message at 23:51 on Sep 3, 2015

# ? Sep 3, 2015 23:47
Yeah nevermind, I checked mine and bridged connections all show that they are running as slaves too. Can you post the results of int eth print? Anyway, since you said the counters are incrementing on your dst-nat rules, it's likely that your computer is either:

A: Not accepting connections on that port/protocol
B: Firewall is blocking those connections
C: The to-address in your dst-nat rules is incorrect

Use netstat to check if your computer is actually listening on TCP 35636 and if so, check to make sure there's an exception in the Windows firewall.

# ? Sep 3, 2015 23:55
Do yourself a favor, and connect via Winbox (on a PC) to your router via MAC address neighbor lookup, or via serial. NOTE: Make drat sure that you know how to do the above before you reset the router in the below and cut yourself off from any IP connections. Then type: code:

Then copy and paste the below, editing in your WAN IP and WAN route/gateway: code:

jeeves fucked around with this message at 04:17 on Sep 4, 2015

# ? Sep 4, 2015 00:27
theperminator posted:
> Yeah nevermind, I checked mine and bridged connections all show that they are running as slaves too.

code:

On my HTPC, I have some lines from netstat saying TIME_WAIT on port 39805 with some external IPs and domains. On my other PC, it doesn't seem like 35636 is showing up in netstat, so I guess I have to check Eventghost.

jeeves posted:
> In putting the top together, I found your problem: on port forwarding you have DST-ADDRESS=ether1-gateway when it should be your WAN IP

When I pasted that output, I only saw ether1-gateway on "In. interface." Is that what you meant? I'll probably just reset and go with your config.

edit: It's working now, I think. I don't know what the heck I changed, if anything. I'll continue to test it and I'll keep that config in mind if I have to go nukuler. Now I'm going to set up a script to update my ddns periodically. Thanks, though. It's just that there's not a lot of documentation out there that I can understand what with the Latvians.

edit2: Any tips on getting to the router interface from outside either from web or winbox without inviting in people that want to steal my old people porn?

Zapf Dingbat fucked around with this message at 01:49 on Sep 4, 2015

# ? Sep 4, 2015 01:30
Zapf Dingbat posted:

Look at my whitelist code on my template to keep people from trying to brute force your router itself. That will keep anyone trying to bombard your router with SSH attempts out. You can do something similar with Winbox's port, but honestly I barely ever see people try to brute force into Mikrotiks with Winbox. Also, remember you can always go into a specific area of the command line, like '/ip address' and use the export command to spit out exactly all of the code that the router has for that area. Or you can just do /export at the root (/) to export the entire config. It really helps to read a whole config to know what's up with it, and it is also nice to know that if you export an entire config, you can always wipe your router and paste the entire thing back in. Like that template I made can be pasted into any blanked Mikrotik (with 10 ports).

# ? Sep 4, 2015 04:14
Well gently caress I'm stupid. I had assumed the default firewall configuration from the 'Quick Set' tool would have set a sane firewall. Nope.

[edit] Has anybody found a novel workaround for the terrible OpenVPN (client?) implementation? I've got a couple of services I'd like to connect to through a VPN, but for the life of me can't make the OpenVPN client work.

Horse Clocks fucked around with this message at 17:44 on Sep 5, 2015

# ? Sep 5, 2015 17:35
Heheh I just use the good old Windows PPTP client to talk to my MikroTik. Good enough for cheapass access.

# ? Sep 5, 2015 18:31
xlevus posted:
> [edit] Has anybody found a novel workaround for the terrible OpenVPN (client?) implementation? I've got a couple of services I'd like to connect to through a VPN, but for the life of me can't make the OpenVPN client work.

AFAIK RouterOS doesn't support UDP mode or LZO compression with OpenVPN. UDP is the default mode for most OpenVPN servers and LZO is pretty common as well. If you need support for either one, you're going to have to run the OpenVPN client on something else.

edit: apparently it might be possible to use MetaRouter running OpenWRT and its much better OpenVPN implementation. I've never used it though, might be a huge pain in the rear end to set up. No idea how well it would perform either.

drk fucked around with this message at 20:58 on Sep 5, 2015

# ? Sep 5, 2015 20:01
CuddleChunks posted:
> Heheh I just use the good old Windows PPTP client to talk to my MikroTik. Good enough for cheapass access.

PPTP is broken as poo poo, security wise. If you care about security, you're probably better off with the half assed Latvian OpenVPN implementation.

# ? Sep 5, 2015 20:16
I'm much closer to having a hotspot on my RB2011UiAS-2HnD-IN (I love that snappy name, it must sound good in Latvian or something) that works (thanks to CuddleChunks). I'm getting IPs handed out on my Guest WiFi virtual AP. I'm however unable to route it appears, or be challenged with a hotspot web page.

The basic config is this router is using eth 1 to connect to another MikroTik RB951 that's connected to the Internet (It's 192.168.88.1 below). It's vanilla on the RB951 and not a problem. I just want to have a hotspot OurWiFi (guest wifi) (it's 192.168.99.1/24) for the few users and another one with WPA2 security (SecureAccess - 192.168.5.1/24) - and I may directly connect a couple machines via the other plentiful eth ports. Can anybody see how it's going off the rails here? Again, I wouldn't be this far without your help. But I need to retire the costly Meraki in a few days when it will stop working (license to imminently expire). code:

Also here's the route list -- Pref. Source is different for guest-access -- here's a screenshot:

And finally as I mentioned above, when I get a guest-wifi IP, I cannot ping its gateway. Is this internal DNS? I don't know how loopback / routing works on RB or the hotspot works in general. Thanks in advance.

# ? Sep 5, 2015 22:31
Change the 192.168.99.0/24 IP to 192.168.99.1/24 in IP -> Addresses. Hopefully that will get everything rolling for you.

# ? Sep 6, 2015 00:23
CuddleChunks posted:
> Change the 192.168.99.0/24 IP to 192.168.99.1/24 in IP -> Addresses.

But I cannot ping out, or browse [destination unreachable]. I have to say if I ever figure out this router, it will be a lot of fun to use.

# ? Sep 6, 2015 01:57
xlevus posted:
> Well gently caress I'm stupid. I had assumed the default firewall configuration from the 'Quick Set' tool would have set a sane firewall.

If you only need to connect from Windows, use SSTP. It uses SSL on port 443 and will punch through just about any firewall you're likely to end up behind.

# ? Sep 6, 2015 07:16
drk posted:
> AFAIK RouterOS doesn't support UDP mode or LZO compression with OpenVPN. UDP is the default mode for most OpenVPN servers and LZO is pretty common as well. If you need support for either one, you're going to have to run the OpenVPN client on something else.

Yeah, the UDP and LZO thing is the problem. I think I'm going to try setting up a Raspberry Pi as an OpenVPN gateway, and then (to my best guess) set up routes for the destination addresses. Dual NAT... Yay.

# ? Sep 6, 2015 11:46
Djimi posted:
> I have to say if I ever figure out this router, it will be a lot of fun to use.

code:

# ? Sep 6, 2015 19:07
Did you really just get a hotspot splash page working on a Mikrotik? drat, if I can get that to work as well then time to possibly ditch our reliance on aging routers (Linksys 8 year old WRT54G models) that support DD-WRT / Chillispot + our aging Radius server that is who knows how old?

# ? Sep 6, 2015 21:22
Djimi posted:
> This was the culprit for DNS

The actual solution is to just add a blanket drop rule for your ether1-gateway interface; you should then add allow rules for things you want to allow.

# ? Sep 6, 2015 22:33
jeeves posted:
> Did you really just get a hotspot splash page working on a Mikrotik?

Yup. It doesn't look too pretty right now but you get queried for a user/pass after associating. If you don't log in then you sit like a lump. Djimi - glad I could help.

# ? Sep 7, 2015 01:38
Seriously, people should be setting up their firewalls to drop input by default on their WAN interfaces. It honestly scares me seeing some of the poo poo people do considering it's their dayjob.

theperminator fucked around with this message at 03:06 on Sep 7, 2015

# ? Sep 7, 2015 03:00
Would you please show us, in Mikrotik code, how that should be done? I've seen you reference it several times in recent pages, and I think all us new to ROS would like to learn more. For example, the dumb part of my brain hears "drop input by default on their WAN interface" and thinks "No web traffic gets through? No Skype data? What about Spotify (or SABnzbd, Steam, Windows Updates, etc. ad infinitum)?"

Tapedump fucked around with this message at 03:49 on Sep 7, 2015

# ? Sep 7, 2015 03:45
The Input chain only affects traffic destined to your router, not devices behind it. NAT traffic is covered by the forward chain. So for example traffic that would end up being answered by the router's SSH service, winbox etc. code:

The second rule will allow pings to your router itself from the internet. The third rule will block any traffic destined for your router that doesn't match the above two, but any traffic covered by a NAT rule will still be allowed as they are covered by the forward chain, i.e. any connections from your computer to the internet and their replies will not be affected.

# ? Sep 7, 2015 04:56
Or you can turn off all services that are not ssh and winbox, and then implement a whitelist of known-good IPs that you want to allow into the Mikrotik. code:

If you have a public WAN IP and don't do something like this or what theperminator set up, you will quickly see your log fill up with login attempts from China 24/7.
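The posters' own code blocks did not survive extraction, so here is an added example (not code from any post in this thread) of what the input-chain default drop theperminator describes, and the disable-services-plus-whitelist approach jeeves describes, look like in RouterOS v6 CLI syntax. The interface name ether1-gateway and the forwarded TCP port 35636 come from the thread; the whitelist addresses and the LAN host 192.168.88.10 are constructed placeholders, and the first rule (accepting established/related) is my assumption about what the unquoted first rule does.

```routeros
# Added example in RouterOS v6 command syntax; not the posters' own config.
# ether1-gateway is the WAN interface name used in this thread.

# Whitelist of admin source addresses (constructed placeholder values).
/ip firewall address-list
add list=mgmt-whitelist address=203.0.113.10 comment="home office (placeholder)"
add list=mgmt-whitelist address=198.51.100.0/24 comment="work range (placeholder)"

# Turn off management services that are not needed; ssh and winbox stay on.
/ip service
disable [find name~"telnet|ftp|www|api"]

# Input chain: only traffic addressed to the router itself is evaluated here.
/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies to sessions the router already has (assumed first rule)"
add chain=input protocol=icmp action=accept \
    comment="allow ping to the router (second rule in the thread)"
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=22,8291 \
    src-address-list=mgmt-whitelist action=accept \
    comment="ssh/winbox from whitelisted sources only"
add chain=input in-interface=ether1-gateway action=drop \
    comment="default drop: everything else arriving on WAN for the router"

# Port-forwarded (dst-nat) traffic is evaluated in the forward chain, not input,
# so the drop above does not touch LAN-originated sessions or their replies.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=35636 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=35636 \
    comment="example forward; 192.168.88.10 is a placeholder LAN host"
```

Because ssh and winbox are matched before the WAN drop, pasting this over a Winbox session on the LAN side is safe, but apply it via MAC-neighbor Winbox or serial, as jeeves advises, if you are connecting across the WAN port.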
# ? Sep 7, 2015 05:56
Tapedump posted:
> Would you please show us, in Mikrotik code, how that should be done? I've seen you reference it several times in recent pages, and I think all us new to ROS would like to learn more.

code:

theperminator posted:
> Seriously, people should be setting up their firewalls to drop input by default on their WAN interfaces.

Yeah. It took me a few weeks until I realised that this isn't the default configuration. I guess there's some inane Mikrotik policy for it: "We make router. Not educate internet security."

[edit] Does anybody know of any PPPoE issues in the latest release? I upgraded recently, and my PPPoE connection keeps disconnecting at random. I can't tell if it's psychosomatic, an issue with the upgrade, my ADSL modem, my line or my ISP.

Horse Clocks fucked around with this message at 11:02 on Sep 7, 2015

# ? Sep 7, 2015 08:07
theperminator posted:
> The Input chain only affects traffic destined to your router, not devices behind it. NAT traffic is covered by the forward chain.

# ? Sep 7, 2015 17:00
xlevus posted:
> Yeah. It took me a few weeks until I realised that this isn't the default configuration. I guess there's some inane Mikrotik policy for it: "We make router. Not educate internet security."

Those are basically the default rules now. I think they started showing up in 5.x but are definitely part of 6.x firmwares.

# ? Sep 7, 2015 19:54
Unless you use the x86 version, because potato router. I'm probably one of the few using a bunch of them inside vmware though.

# ? Sep 8, 2015 07:07
So apparently they managed to add the ability to add RSA keys to RouterOS. For whatever reason, I still can't get the things to function right. I still get incorrect passkey, even when the key isn't set up with one? Has anyone successfully got them to work? I'm generating them with PuTTY and using Winbox to transfer them over there, and add them. I also tried the command line and it still didn't work.

# ? Sep 15, 2015 18:09
Interestingly enough, I'm able to scp something generated by ssh-keygen that is rsa and get it to work. PuTTY still is a mystery, though.

# ? Sep 15, 2015 18:45
I did some work where I set up a MikroTik to allow a particular account to login via a DSA key I generated. When you bind the key to the account, it uses that as the auth method and I remember that I was no longer able to log in with that account with its assigned user/pass. However, I could use SSH to get in. What I remember is transferring the key over and then adding it to the user by going to System -> Users -> SSH Keys and importing the SSH key there. That allowed my box to remote into the mikrotik without having to type a password which was important because I was setting up a remote scripting thingy and needed to be able to process an awful lot of these without breaking my fingers typing all day.

# ? Sep 16, 2015 03:00