|
I updated my internet connectivity recently and I discovered that my old Linksys e3000 router running tomato was unable to handle the full speed of the connection. I purchased a Netgear R6700 and received instead an R6700v2 that uses a completely different internal chipset that has no support for third party firmware. So, yeah - Netgear pulled a stunt like Linksys did with the venerable WRT54G. In a fit of rage, I decided that I am done with consumer networking gear and bought a Mikrotik RB3011UIAS-RM to replace the router (along with an Ubiquiti AP lite for wireless). The experience has been almost zen-like watching 300+ Mbps of traffic transiting this device while its cpu usage peaked at maybe 6%. However, I miss one thing from Tomato in particular and I have yet to come up with a good equivalent. Tomato had a very simple interface for accounting traffic against internal IP addresses so that I can see at a glance how much data the devices on my network are using and how much they have used historically. Are there any decent open source/free solutions out there that can get me the data that tomato provided? The only partial solutions I've run across involve setting up something like cacti to poll the router via snmp or using netflow to feed something like nfsen. However, it really only gives me an idea of how much traffic is being used overall - it doesn't help me answer the question of "which device on my network is using the most traffic/how much traffic has it been historically using over relevant time periods like days, weeks, months". Any help or guidance would be greatly appreciated.
|
#
¿
Oct 11, 2017 17:04
|
|
|
|
| # ¿ Apr 24, 2024 02:05 |
|
|
thebigcow posted:Does this help? Looks like the data is ephemeral so it would require an external tool to scrape the data and the given URL for accessing it via the web interface only works over http. The https://blah/accounting/ip.cfg url returns a 404.  I'll probably just write a netflow packet dissector, throw the flow data into a database and put a frontend on that. FunOne posted:You can also enable graphing per port and segregate traffic by port if needed. WRT does it matter - yes it does. It's trivial enough to notice if something is going absolutely crazy and identify the culprit but I really want to have the historical information on a per-IP basis available for review after the fact. The Unifi controller does help me manage the wireless stuff since I'm using their AP but it doesn't help with the wired stuff. alyandon fucked around with this message at 18:45 on Oct 11, 2017 |
|
#
¿
Oct 11, 2017 18:31
|
|
|
FunOne posted:What about routing each ip through it's own child queue and graphing those queues? Maybe that would work? That would probably work but oh man that really sounds like a tremendous PITA to set up and keep updated as devices come and go. At this point it really sounds like writing my own netflow dissector is probably the best route to go unless there is a better open source tool available than nfsen. Edit: Just for posterity - I'm going to use nfsen for the time being. It's a horrid interface but it does allow you to dump aggregate netflow data over arbitrary time ranges because it maintains mappings of time -> nfcapd files. alyandon fucked around with this message at 20:29 on Oct 13, 2017 |
|
#
¿
Oct 11, 2017 19:28
|
|
|
Is there anything in your PI's logs complaining about dhclient not being able to renew the dhcp lease? Not that it solves your problem - but you could always use a static IP address assignment instead of using static dhcp leases.
|
|
#
¿
Oct 14, 2017 04:14
|
|
|
According to https://wiki.mikrotik.com/wiki/Manual:IP/DHCP_Server a status of "waiting" means that no client has requested a lease for that static dhcp assignment. It's going to be impossible to tell what's going on without dhclient's logs though. You can always try running dhclient manually from the command line as root and noting its output.
|
|
#
¿
Oct 14, 2017 17:01
|
|
|
Are there any guides on setting up an ipsec vpn on my rb3011 that are written for mere mortals?
|
|
#
¿
Oct 28, 2017 05:33
|
|
|
I guess I'm going to put setting up an ipsec vpn on the backburner until I have time to really spend on research. Just reading over the materials I could find, it really looks like usability hasn't improved much in last 15 years with most documentation very much targeted towards non-road warrior/static ip setups. For now, I'll just continue using openvpn.
|
|
#
¿
Oct 31, 2017 19:01
|
|
|
So what's the general consensus here regarding 6.41.x? Safe to upgrade or stick with 6.40.x since that is now the bugfix only branch?
|
|
#
¿
Mar 23, 2018 16:37
|
|
|
So it looks like they've decided to update the bugfix branch from 6.40.9 to 6.42.9. Anyone here brave enough to have already updated? Any issues with bridge/switch config migrations?
|
|
#
¿
Oct 3, 2018 17:42
|
|
|
devmd01 posted:I'm jumping on the mikrotik train for home and just ordered a RB3011UiAS-RM. Time to start reading this thread! Prepare for some pain compared to consumer routers. Having to set up everything manually is not a lot of fun - especially figuring out how to do more obscure crap like NAT-reflection. However, currently watching my $160 RB3011 using <10% cpu while 400 mbit/s of traffic transits ether1. Totally worth it.
|
|
#
¿
Oct 15, 2018 16:16
|
|
|
redeyes posted:I used DNS instead of NAT reflection to access my webserver by name. Not sure if that is good enough. Most of the basic stuff like port forwarding was trivial enough to set up as I'm pretty handy with basic networking and iptables stuff. However, transitioning from a consumer router running Tomato that did so many things in the background like mapping dhcp clients to internal queues so that it could then account usage on a per-IP instead of per-interface basis, NAT-reflection, etc to setting up that mess of stuff was rough. I still don't have an easy answer to the per-IP accounting for non-persistent network devices other than forwarding netflow data from the router to a linux box and dissecting the information streams there.
|
|
#
¿
Oct 15, 2018 18:30
|
|
|
So, I applied the latest long-term 6.44.5 branch to my RB3011 and reboot. Shortly afterward, I receive the following email from my rancid monitor:quote:[ ... snip ... ] I really wonder what kind of drugs Mikrotik developers are on that they manage to release a patch that does that to customers. alyandon fucked around with this message at 19:57 on Jul 24, 2019 |
|
#
¿
Jul 24, 2019 19:52
|
|
|
RouterOS v7.0 limited beta https://forum.mikrotik.com/viewtopic.php?f=1&t=152003 Isn't this one of the heralds of the end times? Edit: I see someone has already beaten me to it. alyandon fucked around with this message at 15:24 on Oct 10, 2019 |
|
#
¿
Oct 9, 2019 21:26
|
|
|
Updated a RB3011 to 6.35.8 and now I get frequent emails from rancid about the following config entry changing:pre:192.168.13.1 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/configs/192.168.13.1 b/configs/192.168.13.1 index f530a19..21f239f 100644 - -- a/configs/192.168.13.1 @@ -50,7 +50,7 @@ add name=default-dhcp ranges=192.168.13.50-192.168.13.150 /ip dhcp-server add address-pool=default-dhcp authoritative=after-2sec-delay disabled=no interface=bridge lease-time=1d name=defconf /ipv6 dhcp-server - add address-pool=twc interface=bridge name=server1 + add address-pool=twc name=server1 /queue simple add name=root target="" /snmp community
|
|
#
¿
Feb 8, 2020 18:34
|
|
|
Nope - the only thing in my logs is rancid itself logging in to pull the configs along with the occasional dhcp related stuff. Also, it has apparently stopped doing this since Feb 8th. Why? Because Mikrotik. Edit2: And now it is doing it again. :-/ alyandon fucked around with this message at 17:08 on Feb 12, 2020 |
|
#
¿
Feb 12, 2020 04:15
|
|
|
I fat-fingered the version. I'm actually on 6.45.8.
|
|
#
¿
Feb 27, 2020 16:49
|
|
|
https://wiki.mikrotik.com/wiki/Hairpin_NAT <-- read that to understand the problem I myself solved the problem in a slightly different way: First, a priority 0 rule to handle the hairpin nat: code:For example, here is the port 22 forward for SSH to an internal server. code:alyandon fucked around with this message at 05:37 on Apr 22, 2021 |
|
#
¿
Apr 22, 2021 05:34
|
|
|
Kivi posted:Thanks, got it working (and understood the "problem") with that forums post but I'll definitely use your way as I thought the WAN IP address "hack" bit hack-ey and bad but couldn't find more proper way to do it. Sorry about the wiki link then - I just didn't want to assume anything. Mikrotik is really geared at dealing with scenarios where you get static assignments. They don't even currently support IPv6 NPT which means I have to deal with rebooting/renumbering all my machines when my ISP decides to change my /56 allocation. :-/
|
|
#
¿
Apr 22, 2021 21:28
|
|
|
Kivi posted:Is there any performance issues if I just use all the ports on the hEx (ports 2-5 that are as bridge) and not separate cheap switch? I have a hEx running the 7.x beta and currently don't see performance problems. However, it is not something I've scrutinized carefully either. My RB3011 had weird port flapping issues when transferring large amounts of data between the two different switch port groups. I ended up having to disable cpu flow control in order to obtain line rate without port flapping so I've started slowly moving stuff off it and onto TP-Link managed switches (T1500G). They support snmp polling, are decently cheap for the given feature set and seem to be reliable.
|
|
#
¿
Apr 23, 2021 18:10
|
|
|
jeeves posted:Trip report: installed 7.1 using the "Upgrade" branch, which then set me to "Stable" branch again afterwards. What hardware? I've got a RB3011 that I'm itching to upgrade so I can terminate my wireguard vpn on the router instead of a server behind it.
|
|
#
¿
Feb 20, 2022 19:26
|
|
|
jeeves posted:Make sure the firmware is up to date on random bugs like that, not just the RouterOS version. I had a similar issue with my RB3011 except in my case it was ports 6-10 constantly flapping during high speed transfers which I assume was the switch #2 getting reset. Turning off CPU flow control helped without having a noticeable impact on throughput.
|
|
#
¿
Jun 28, 2022 21:28
|
|
|
Since my experiences with Mikrotik disclosures hasn't been terrible (they seem to address vulns in reasonable time frames when they are aware of them) is there any particular reason I should doubt their claim that they weren't present at the event to receive the disclosure from ZDI?
|
|
#
¿
May 22, 2023 22:52
|
|
|
|
| # ¿ Apr 24, 2024 02:05 |
|
|
Actuarial Fables posted:Getting into MikroTik WiFi. Grabbed a cAP AX and I've got it configured through CAPsMAN and broadcasting successfully, but there's a lot of settings that I haven't touched (or tried to touch and broke) and leaving most everything as an unlisted Default makes me worried that I'm not properly securing my setup. I don't really have any experience with MikroTik wifi gear - but assuming it runs routerOS you can follow the same general guidance from here: https://help.mikrotik.com/docs/display/ROS/Securing+your+router The short answer is - if you are upgraded to the latest firmware and used the defaults that came with that you should be pretty safe. Just don't do something bone-headed like expose the management interface to the internet. alyandon fucked around with this message at 20:46 on Apr 4, 2024 |
|
#
¿
Apr 4, 2024 20:43
|
|