Partycat
Oct 25, 2004

I am going to set up some PCQ based queue trees to break up a wan link for user fairness - I’m seeing some comment that if I just don’t set a limit on user queues it will just divide bandwidth evenly ?

Is there a reason to screw with the queue strategy ?

Any comment on performance hit with pcq instead of basic ?


PUBLIC TOILET
Jun 13, 2009

Not sure if anyone else has seen this issue, but with the new 3.15 version of Winbox, if I use that to log in to my hAP AC, the open windows all look corrupted until you move them. Reverting to 3.14 corrects this graphical issue. :shrug:

redeyes
Sep 14, 2002

by Fluffdaddy
Thanks for the heads up.

thebigcow
Jan 3, 2001

Bully!
Anyone have experience with CAPsMAN?

I'm putting an AP in an office that doesn't have one so it seemed like a good time to learn it, but then I started reading the wiki page and my eyes glazed over. It's just a simple WPA2-PSK setup for crap internet.

redeyes
Sep 14, 2002

by Fluffdaddy
I thought CAPsMAN is for multiple AP management?

thebigcow
Jan 3, 2001

Bully!

redeyes posted:

I thought CAPsMAN is for multiple AP management?

It is, and I may have more in the future.

thebigcow
Jan 3, 2001

Bully!
Kind of wished I had used CAPsMAN because of shenanigans.

The cAP ac is neat. The big button in the middle turns the LEDs on and off. I was able to power it off the 10/100 PoE port on an RB2011 if I forced PoE on, but used the gigabit injector instead.

I swear those cabinets weren't there before and a measuring tape works as a fish tape for a couple feet of wall.

Thanks Ants
May 21, 2004

#essereFerrari


You can script the button as well

That Dang Lizard
Jul 13, 2016

what; an idiomt
I'm fairly new at the MikroTik game, can anyone advise the implications of having one ethernet interface with multiple IP addresses vs. one ethernet interface with multiple VLAN interfaces, each with its own IP address.

This is for a CHR install under MS Hyper-V (to be a cAPsMAN controller), and getting VLAN trunking on our failover cluster looks hard (or at least non-trivial enough to concern my boss), so I was wondering if that will mess up the fastpath/fasttrack forwarding (we're still waiting for the testing AP to arrive to play with, but the APs will probably be responsible for forwarding their own traffic - this is more in case we ever want all traffic going through the cAPsMAN server in future for some reason).

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
One has vlan tags on the ips, the other doesn't.

Partycat
Oct 25, 2004

So for a router-on-a-stick type setup, you'd create a bridge with the untagged VLAN PVID on it, add the Ethernet/whatever interface to it directly, also PVID to the bridge's PVID, then you can add VLAN interfaces to other VLANs and connect them to the bridge, then add the VLANs tagged to the bridge to expose them to the Ethernet port?

I've been having an interesting time trying to get my head around this, seems pretty simple and yet I get it where it all stops working until I flap an interface or something, seems like I'm doing it wrong.

e: yeah okay this works fine, just set the VLAN interface as an untagged member of the bridge, and stack on whatever you want. The bridge is actually probably unnecessary for a single phy. Took me a minute to get that the DHCP server is not intelligent enough to understand giaddr = network and that works.

PCQs don’t work right now: with rate = 0 and max-limit set, nothing happens.

Partycat fucked around with this message at 03:00 on Jul 3, 2018
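The single-port VLAN layout Partycat lands on above (VLAN interfaces stacked on one physical port, no bridge, one DHCP server per VLAN), written out as an added RouterOS configuration example. This is not Partycat's config; the interface name ether2, the VLAN IDs 10/20, and all addresses are assumptions.

```routeros
# Added example: VLAN sub-interfaces on a single physical port, no bridge needed.
# ether2, VLAN IDs 10/20 and every address below are assumptions.

# Tagged sub-interfaces on the trunk port; untagged frames stay on ether2 itself.
/interface vlan
add name=vlan10-staff vlan-id=10 interface=ether2
add name=vlan20-guest vlan-id=20 interface=ether2

# One gateway address per L3 interface.
/ip address
add address=192.168.1.1/24 interface=ether2 comment="untagged / native VLAN"
add address=10.10.0.1/24 interface=vlan10-staff
add address=10.20.0.1/24 interface=vlan20-guest

# DHCP: the server binds to the VLAN interface, and there must be a
# /ip dhcp-server network entry whose subnet matches that interface's address.
# The server does not infer gateway or DNS from the interface on its own.
/ip pool
add name=pool-staff ranges=10.10.0.100-10.10.0.200
add name=pool-guest ranges=10.20.0.100-10.20.0.200
/ip dhcp-server
add name=dhcp-staff interface=vlan10-staff address-pool=pool-staff disabled=no
add name=dhcp-guest interface=vlan20-guest address-pool=pool-guest disabled=no
/ip dhcp-server network
add address=10.10.0.0/24 gateway=10.10.0.1 dns-server=10.10.0.1
add address=10.20.0.0/24 gateway=10.20.0.1 dns-server=10.20.0.1

# A VLAN boundary only separates L2; the router will happily route between
# the two subnets unless a forward rule says otherwise.
/ip firewall filter
add chain=forward in-interface=vlan20-guest out-interface=vlan10-staff action=drop comment="isolate guest from staff"
```

The switch port on the other end has to carry VLANs 10 and 20 tagged and the native VLAN untagged; `/interface vlan print` and `/ip dhcp-server lease print` are the quick checks that the tags and the per-VLAN leases are actually arriving.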

That Dang Lizard
Jul 13, 2016

what; an idiomt

falz posted:

One has vlan tags on the ips, the other doesn't.

Cheers, I was hoping it would be that simple.

PUBLIC TOILET
Jun 13, 2009

PUBLIC TOILET posted:

Not sure if anyone else has seen this issue, but with the new 3.15 version of Winbox, if I use that to log in to my hAP AC, the open windows all look corrupted until you move them. Reverting to 3.14 corrects this graphical issue. :shrug:

FWIW this bug is *still* present in v3.16.

Partycat
Oct 25, 2004

I had that happen at one point but I was not able to reproduce it reliably - after I deleted my session and started over it was fine.

EssOEss
Oct 23, 2006
128-bit approved
What's the sensible minimum set of "nothing incoming except when I say so" firewall rules to use? I see examples in the MT wiki and forums that are all over the place. For example, some have rules like "block incoming traffic from public network interface that has a private source IP address" or just "drop if connection type is invalid" - what actual benefit do such rules have? Do I need more than "allow incoming if established/related + drop everything else"?

PUBLIC TOILET
Jun 13, 2009

EssOEss posted:

What's the sensible minimum set of "nothing incoming except when I say so" firewall rules to use? I see examples in the MT wiki and forums that are all over the place. For example, some have rules like "block incoming traffic from public network interface that has a private source IP address" or just "drop if connection type is invalid" - what actual benefit do such rules have? Do I need more than "allow incoming if established/related + drop everything else"?

Honestly, I just use a variation of this:

https://www.manitonetworks.com/networking/2017/7/25/mikrotik-router-hardening

Been working well for years now.
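For EssOEss's question about what the extra rules actually buy, here is an added example of the minimal "nothing in unless I say so" ruleset, following the shape of the RouterOS default firewall rather than the linked hardening guide. The interface names ether1 (WAN) and bridge-lan (LAN) are assumptions.

```routeros
# Added example: minimal inbound-deny firewall for RouterOS v6.
# ether1 as WAN and bridge-lan as LAN are assumptions.

/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=ether1
add list=LAN interface=bridge-lan

# Private/bogon source ranges that have no business arriving from the internet.
/ip firewall address-list
add list=bogons address=10.0.0.0/8
add list=bogons address=172.16.0.0/12
add list=bogons address=192.168.0.0/16
add list=bogons address=127.0.0.0/8
add list=bogons address=169.254.0.0/16

# INPUT: traffic addressed to the router itself.
/ip firewall filter
add chain=input action=accept connection-state=established,related comment="replies to flows the router or LAN started"
add chain=input action=drop connection-state=invalid comment="no conntrack entry: stray ACKs, bad flag combos, late packets"
add chain=input action=accept protocol=icmp comment="ping and PMTUD"
add chain=input action=accept in-interface-list=LAN comment="management (WinBox/SSH/DNS) only from LAN"
add chain=input action=drop comment="everything else to the router, including WinBox/SSH from WAN"

# FORWARD: traffic through the router.
add chain=forward action=drop in-interface-list=WAN src-address-list=bogons comment="spoofed private source on WAN"
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new in-interface-list=WAN connection-nat-state=!dstnat comment="nothing unsolicited from WAN unless explicitly port-forwarded"
```

The established/related accept plus the final drop is the core; the two rules EssOEss asks about are cheap insurance on top of it. "Drop invalid" catches packets conntrack cannot attach to any flow, which are otherwise evaluated against every later rule, and the bogon drop matters only if some other rule trusts a private source address (this ruleset keys management on in-interface-list=LAN rather than on source address precisely so a spoofed source gains nothing). If fasttrack is used, the fasttrack-connection rule goes immediately before the forward established/related accept.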

Partycat
Oct 25, 2004

Partycat posted:

I am going to set up some PCQ based queue trees to break up a wan link for user fairness - I’m seeing some comment that if I just don’t set a limit on user queues it will just divide bandwidth evenly ?


Yes this is what it does

“Partycat” posted:

Is there a reason to screw with the queue strategy ?

PCQ is only PCQ. It worked great though so I didn’t play with anything else.

“Partycat” posted:

Any comment on performance hit with pcq instead of basic ?

Per user limited queues ate like 100% more CPU than global unlimited queue. As there was less queue depth this makes sense.

Ran this at a LAN with 250 users and probably 300 devices on an OptiPlex 780 with an i5 and while the overall CPU was 40-50% with higher core spikes this worked top notch.

The static DNS regex was annoying to implement but it worked in the end for Steam cache. Epic's stuff wouldn’t cache due to cert verification so I’m told.

The DHCP to DNS scripting worked okay, time of day queues worked okay too. Really no complaints for $45 and an old computer.
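The equal-share PCQ queue tree Partycat asked about at the top of the thread and reports on here (pcq-rate=0, max-limit on the parent, no per-user limit), as an added RouterOS example. It is not Partycat's LAN config; ether1 as WAN, bridge-lan as LAN and the 100M/20M line rates are assumptions.

```routeros
# Added example: PCQ queue tree that divides a WAN link evenly per client.
# ether1 (WAN), bridge-lan (LAN) and the 100M/20M line rates are assumptions.

# pcq-rate=0 means no per-client cap: every sub-stream (one per classifier key)
# gets an equal slice of the parent's max-limit, and slices nobody is using
# are handed back to the active clients.
/queue type
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000
add name=pcq-up kind=pcq pcq-classifier=src-address pcq-rate=0 pcq-limit=50 pcq-total-limit=2000

# Queue trees only see packets carrying a packet mark. Fasttracked packets
# bypass the queue tree entirely, so there is deliberately no
# fasttrack-connection rule in this firewall.
/ip firewall mangle
add chain=forward action=mark-packet new-packet-mark=lan-down in-interface=ether1 passthrough=no comment="WAN -> LAN"
add chain=forward action=mark-packet new-packet-mark=lan-up out-interface=ether1 passthrough=no comment="LAN -> WAN"

# Parent max-limit a little under the real line rate, so packets queue here,
# where PCQ can share them out, rather than in the ISP's buffer.
/queue tree
add name=download parent=bridge-lan packet-mark=lan-down queue=pcq-down max-limit=95M
add name=upload parent=ether1 packet-mark=lan-up queue=pcq-up max-limit=19M
```

`/queue tree print stats` shows bytes and drops per tree node; if the counters stay at zero while traffic flows, the usual cause is a fasttrack rule or a mangle rule that never matches, not the PCQ settings.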

redeyes
Sep 14, 2002

by Fluffdaddy
Does anyone know anything about IPv6 and Windows 10 latest spring edition? Specifically I never pull IPv6 DNS from my Mikrotik. Everything else seems to work fine. I'm not even sure if the problem is the Mikrotik because: https://social.technet.microsoft.co...itpronetworking

thebigcow
Jan 3, 2001

Bully!
The people that made IPv6 didn't think DNS was necessary for a working network setup, so everything that distributes DNS information with IPv6 is a hacked up poo poo show.

Imagine I went and found my Hurricane Electric shirt before typing this for maximum effect.

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

thebigcow posted:

The people that made IPv6 didn't think DNS was necessary for a working network setup, so everything that distributes DNS information with IPv6 is a hacked up poo poo show.

Imagine I went and found my Hurricane Electric shirt before typing this for maximum effect.

I spent some time looking into migrating my network to IPv6 before eventually throwing up my hands and saying "Screw it, I can get a /22 for like $12k."

redeyes
Sep 14, 2002

by Fluffdaddy

Pendent posted:

I spent some time looking into migrating my network to IPv6 before eventually throwing up my hands and saying "Screw it, I can get a /22 for like $12k."

I have one of these new fiber ISPs which has 'carrier grade NAT'. It's basically double NAT. BUT they are fully IPv6 enabled so I set up my network with it. It's pretty cool to have so many publicly available addresses.

Right now I'm just manually entering Google's DNS on my Windows 10 box. I just cannot get it to pull DNS except over v4 and my ISP has bad v4 routing for whatever reason. My Linux box pulls DNS fine as does Android.

Pendent
Nov 16, 2011

The bonds of blood transcend all others.
But no blood runs stronger than that of Sanguinius
Grimey Drawer

redeyes posted:

I have one of these new fiber ISPs which has 'carrier grade NAT'. It's basically double NAT. BUT they are fully IPv6 enabled so I set up my network with it. It's pretty cool to have so many publicly available addresses.

Right now I'm just manually entering Google's DNS on my Windows 10 box. I just cannot get it to pull DNS except over v4 and my ISP has bad v4 routing for whatever reason. My Linux box pulls DNS fine as does Android.

I may or may not be one of those ISPs doing CGNAT, actually. If I can make it work at least.

EssOEss
Oct 23, 2006
128-bit approved
I recall reading on the Mikrotik forums some Mikrotik developer saying "Yeah, Windows will not pull IPv6 DNS from Mikrotik because IPv6 is so new that we have not bothered implementing all the specifications yet and will give it more time to settle".

Hardcoding IPv6 DNS in Windows settings was the only thing that worked for me.

Of course, you do not strictly speaking need IPv6 DNS to use IPv6 - you could still use IPv4 to access DNS like an animal.

redeyes
Sep 14, 2002

by Fluffdaddy

EssOEss posted:

I recall reading on the Mikrotik forums some Mikrotik developer saying "Yeah, Windows will not pull IPv6 DNS from Mikrotik because IPv6 is so new that we have not bothered implementing all the specifications yet and will give it more time to settle".

Hardcoding IPv6 DNS in Windows settings was the only thing that worked for me.

Of course, you do not strictly speaking need IPv6 DNS to use IPv6 - you could still use IPv4 to access DNS like an animal.

Cool, glad it's not just me. Hardcoding DNS is easier than trying to figure out Mikrotik's bs.

Thanks Ants
May 21, 2004

#essereFerrari


Assigning IPv6 DNS servers on IPv6 can be done by running a DHCPv6 server and setting the 'other configuration' flag in the SLAAC config. You may have to define a DHCPv6 range but it should be ignored by clients.

EssOEss
Oct 23, 2006
128-bit approved
Can you paste a config that does that? It did not work for me. I was under the impression it is a Windows specific thing, so perhaps it works for Linux? I did not try Linux clients.

Thanks Ants
May 21, 2004

#essereFerrari


I haven't done it on Mikrotik hardware but assigning an address via SLAAC and specifying that other configuration can be grabbed from DHCP, and then putting IPv6 DNS servers in the DHCP scope works on Windows, Mac, and iOS.

redeyes
Sep 14, 2002

by Fluffdaddy
I got it working actually. All I had to do was check the 'Other Configuration' under IPv6 ND. Drat, that was easy; I've spent months trying to figure that out.
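The setup Thanks Ants describes and redeyes confirms (SLAAC for the address, other-configuration flag in the RA, DNS handed out by a DHCPv6 server), as an added RouterOS example rather than either poster's config. bridge-lan, the 2001:db8:1::/64 prefix and the Google DNS addresses are assumptions, and so is the way the DNS option is attached to the DHCPv6 server (see the comment).

```routeros
# Added example: deliver IPv6 DNS servers to LAN clients.
# bridge-lan, the 2001:db8:1::/64 prefix (documentation space) and the
# DNS addresses are assumptions; substitute the real delegated prefix.

/ipv6 address
add address=2001:db8:1::1/64 interface=bridge-lan advertise=yes

# Router advertisement: address still comes from SLAAC (managed flag off);
# other-configuration=yes tells clients to ask DHCPv6 for options such as
# DNS, which is the flag redeyes found. advertise-dns=yes additionally puts
# the router's configured DNS servers in the RA (RDNSS) for clients that
# understand it (Linux, Android, Windows 10 from 1703 on).
/ip dns
set servers=2001:4860:4860::8888,2001:4860:4860::8844
/ipv6 nd
add interface=bridge-lan advertise-dns=yes other-configuration=yes managed-address-configuration=no

# Stateless DHCPv6. RouterOS wants an address pool on the server even though
# SLAAC clients only ever send an information-request and never take a lease
# from it, which is the "define a range, it gets ignored" note above.
/ipv6 pool
add name=pool6-unused prefix=2001:db8:1:ff00::/56 prefix-length=64

# ASSUMPTION: DNS is DHCPv6 option 23, a list of 16-byte addresses, and this
# RouterOS version takes it as a raw hex option attached via dhcp-option.
# Verify with '/ipv6 dhcp-server option print' and '/ipv6 dhcp-server print'
# before relying on these two parameter names.
/ipv6 dhcp-server option
add name=dns6 code=23 value=0x2001486048600000000000000000888820014860486000000000000000008844
/ipv6 dhcp-server
add name=dhcpv6-lan interface=bridge-lan address-pool=pool6-unused dhcp-option=dns6 disabled=no
```

On the Windows side, `ipconfig /all` listing the IPv6 servers under "DNS Servers" is the confirmation; `netsh interface ipv6 show dnsservers` shows whether they arrived via DHCPv6 or RDNSS.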

Thanks Ants
May 21, 2004

#essereFerrari


Can Mikrotik routers do an IPSec tunnel when only one end of the tunnel has a known IP address?

The problem I am trying to solve is that we have family in Spain but everyone has spent time in both countries and wants to watch TV, sports etc. from each others' countries. Rather than messing around with a commercial VPN service I was going to set up a tunnel between two cheap Mikrotik devices and use them to broadcast a Wi-Fi network at each location that would drop traffic onto the internet on the other side of the link. The router in London would be connected to a gigabit broadband service with a static IP, so there's no issue there. But the remote device wouldn't have a static IP and would probably be behind NAT as well, so would need to connect outbound to London.

I think the NAT traversal should be fine, but do I need to fiddle with dynamic DNS to get an IP address for the VPN configuration, or can this be made to work reliably without that?

unknown
Nov 16, 2002
Ain't got no stinking title yet!


Yes - they can also do connections to dynamic DNS addresses too. (Also look into stuff like SSTP or even just unencrypted EoIP tunnels instead of full-on IPsec).

But be careful which hardware gear you get, as many/most of the gear can't do encryption processing at any serious rate - an EoIP tunnel would work better in that situation.

thebigcow
Jan 3, 2001

Bully!
I can't help with the configuration end, but the hEX supposedly does 470 Mb/s IPSec for around $50 and the RB1100AHx4 2.2 Gb/s for around $300. I'm sure there are a few dozen caveats to those test results.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
Is this a safe space to ask about Unifi gear as well? I recently upgraded the house to add a second AC-Lite AP, but on both of them I have ~20% utilization on the 2.4 GHz spectrum (according to the dashboard) basically all the time. Doesn't seem to matter what channel I set it to, and the port stats from my router don't show meaningful traffic.

Any idea what I could be seeing?

SlowBloke
Aug 14, 2017

FunOne posted:

Is this a safe space to ask about Unifi gear as well? I recently upgraded the house to add a second AC-Lite AP, but on both of them I have ~20% utilization on the 2.4 GHz spectrum (according to the dashboard) basically all the time. Doesn't seem to matter what channel I set it to, and the port stats from my router don't show meaningful traffic.

Any idea what I could be seeing?

That's frequency interference/overhead. Did you set transmit power to low/mid on 2.4/5?

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

SlowBloke posted:

That's frequency interference/overhead. Did you set transmit power to low/mid on 2.4/5?

I have 2.4 on Mid & 5 on High.

SlowBloke
Aug 14, 2017

FunOne posted:

I have 2.4 on Mid & 5 on High.

Try lowering 2g to low on both to see if the interference goes away.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe
Thanks. I guess if it is mostly interference then my decision to go extra APs to maximize 5 GHz was the right call.

I wish it was more clear that the channel isn't necessarily busy "receiving" from clients but from neighboring APs chatting up the channel. I'm in the suburbs and lovely-cable-modem-WAPs occupy 20-40% of every channel in 2.4

Partycat
Oct 25, 2004

It's the same thing. If there's a frame there that the receiver can decode it has to listen to it and not transmit over it. So decipherable 802.11 frames are going to be channel utilization.

Turning your power down prevents you from generating as much co/adjacent channel interference yourself, but there's not much you can do about outside stuff other than go higher density 5G which just per how it works propagates less and has additional channel space.

FunOne
Aug 20, 2000
I am a slimey vat of concentrated stupidity

Fun Shoe

Partycat posted:

It's the same thing. If there's a frame there that the receiver can decode it has to listen to it and not transmit over it. So decipherable 802.11 frames are going to be channel utilization.

Right, but showing that in the dashboard as interference (dropped frames) instead of Rx would be more 'clear' about what is going on with the channels.
Especially since getting per-client information is a PITA with the dashboard as it is now. Are my devices chatty with each other or is someone else stomping on my BW?

Unfortunately, the answer is "get devices onto 5 GHz because you can't make your neighbor's APs shut up"

EssOEss
Oct 23, 2006
128-bit approved
Sounds like you need some nice MikroTik statistics!


SlowBloke
Aug 14, 2017

EssOEss posted:

Sounds like you need some nice MikroTik statistics!



If you hate money like me you can do the same with unifi -> https://help.ubnt.com/hc/en-us/articles/115011813968-UniFi-AirTime-What-s-Eating-your-Wi-Fi-Performance-. It's as badly engineered as it looks from the docs, in no way equivalent as airmarshall as they like to claim in all their promo material.
