Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord
How have I not seen this thread before now? I also work for a mom-and-pop ISP that uses Mikrotik for a lot of wireless stuff, both point-to-point backhaul and some AP-type stuff (though we're phasing some of that out in favor of Ubiquiti AirMax gear).

My network is pretty small (peak times are around 70-80Mbps, 1100 or so residential users), but a decent-sized PC runs the whole thing, including a couple BGP feeds, and never breaks a sweat. On the other end, we have dozens of RB750s out there; a $40 router that can do just about anything you could want - how could you not love it? Most of ours are little DHCP servers, but we also give them to customers for things like failover and load-balancing.

If there were a decent backup/restore system for RouterOS, instead of all your backups being chock-full of device-specific MAC addresses to the point that you just have to copy-and-paste five lines at a time and cross your fingers, it'd be the best thing ever.

Edit: OP, you might want to put in how to remove an existing configuration from the terminal (/system reset-configuration), in case someone inherits a box whose config is unknown and they want to wipe it, but don't get the "I've just been reset" popup in the first screen of your magical walkthrough.

Weird Uncle Dave fucked around with this message at 20:35 on Mar 21, 2011

Weird Uncle Dave
My boss met Normis and a couple other folks from the company at a conference a few years back, and they all pronounced it mick-row-tick.

Weird Uncle Dave
Depending on what boards you get, you may not need the licenses. Every board comes with a RouterOS license of some sort; if they're all Level 4 licenses or higher, I think that's enough to do meshing. Basically, don't get a 411 or 711 board (or other super-cheap thing designed to be a client only, like the Crossroads line) and you'll probably be fine on that front.

Instead of getting POE injectors, most boards also can run on a standard wall-wart, and those usually are a couple bucks cheaper.

Plug: I usually buy my Mikrotik gear from these guys, but that's at least partly because they're fairly local to me (and because we get a discount for being in the same trade association). And they'll assemble your order for you, saving you a bit of labor.

I don't think NanoStations would be a good fit for this, because of their directional antennas. If you didn't need meshing, the Ubiquiti UniFi gear would probably be perfect. (Or someone probably makes an indoor-friendly antenna for the Rocket. I've never done mesh stuff with Ubiquiti, so I can't vouch for how well it works.)

Weird Uncle Dave
Some of those new items make me feel funny in my special parts.

The 750UP, with four POE-output ports, will take the place of a 750 and four power injectors; unless it's $250 it'll be cheaper, and involve less parts, than my present squirrely setup for some tower deployments (presently using a 750G, which goes out to a five-port switch with four POE ports). And depending on the price of the 751-2n, it might be my new go-to for higher-end SOHO deployments, where we want something that looks a bit more impressive than a Linksys.

The Groove looks like their attempt to snag a bit of Ubiquiti's market share - my office has been using Ubiquiti Bullet devices like candy, but they can get hard to get because Ubiquiti doesn't know a supply chain from a paper bag. This too could be promising, though it would have made more of an impact a few months ago in my office (the boss already has decided Ubiquiti's MIMO/Airmax stuff is the Next Big Thing, and we've already got some 300 clients switched over to it).

Weird Uncle Dave
1W output power sounds probably-illegal (at least in the US) with just about any antenna people would use in the real world.

Really, I've never understood why so many hardware makers insist on putting out boards with ever-increasing Tx power (Ubiquiti, I'm looking at your mini-PCI lineup), when all that really does is complicate things for everyone. Lower power with better antennas and more-sensitive receivers is almost always the way to go.

Weird Uncle Dave
Realistically, the odds of the FCC doing anything to a home user are zero, but I use a lot of this gear for work (we're a fixed-wireless ISP, and the boss has been to DC to chat up FCC commissioners a few times, so we try really hard to stay legal and set a good example in the industry).

While Mikrotik themselves generally don't get FCC certifications for their gear, some resellers will get certs for a specific set of assembled parts. Mikrotik's general lack of concern for such things as "regulatory compliance" is part of why we're moving away from Mikrotik gear for a lot of wireless uses, though I still love RouterOS and we still use it for a lot of routing and general networking weird-projects.

RouterOS will let you specify a regulatory domain, and enter things like antenna gain, and try to adjust radio power levels accordingly to keep you legal. It's not always accurate, but it's usually close, and a good idea in any event - should the FCC knock on your door, it'd be a good way to demonstrate that you were trying to stay legal, and they often are a bit more lenient if you're acting in good faith.

Weird Uncle Dave
There are several different ways to do failover on Mikrotik, but none of them seem to handle the particular weird failure mode I'm trying to cover. Doing failover by just setting two default gateways, and using check-gateway is easy, and often "good enough." I want to handle the possibility that the failure is four or five hops upstream, though. (I work for an ISP and want to handle the rare possibility that all our upstreams are broken, so the end-user could still see everything within our network but not anything beyond that.)

I don't think I can just use a simple ping test to see if Upstream 1 is up, because let's say I ping something like 4.2.2.2. My script tests it, sees it can't ping that IP, switches to the secondary connection, pings, that IP suddenly is pingable again, switches back to the primary connection that's really still broken...

Meanwhile, pinging something like my network's default gateway would have the same problem in reverse if it really is a last-mile outage.

Any suggestions on getting out of this without a bunch of really complicated and fragile scripts?

Weird Uncle Dave
My original question was for one of my residential customers who pays fifty bucks a month for my fixed-wireless service, and wanted to fail-over to a satellite connection. Sorry if that wasn't clear; we do run BGP in the NOC.

No way in Hell you can run BGP over WildBlue. :)

(Turns out he just bought some off-the-shelf failover router, which is just fine by me, though I may still play with this at home, where I have both my employer's service and a DSL line.)

Edit: we actually used to use a PC with RouterOS for our BGP router, worked great, but the boss went all "CALEA compliance!" crazy and this was before they wrote their own CALEA package, so it got replaced with an Imagestream router. May replace the Imagestream with another RouterOS-based PC in the near future to keep up with how big the BGP table is growing...

Weird Uncle Dave fucked around with this message at 22:14 on May 20, 2011

Weird Uncle Dave

quote:

As for swapping over to a Mikrotik BGP router, don't be in such a hurry. There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.

Hm. Lovely. There were no memory issues when we actually used a Mikrotik-running PC for our network's BGP, but that was back in 2.8 or maybe 2.9. Heck, maybe there were issues, but BGP feeds were about half the size they are now, and with 1 GB of RAM in 2005, even if there were a leak it'd probably have been years before anyone noticed.
I think, at the time, they were just using a re-badged Zebra or Quagga, and supposedly at some point they just wrote their own BGP implementation from scratch.

Weird Uncle Dave
Suppose I have a box with multiple PPPOE DSL connections, thus multiple default routes of equal distance. If I just wanted to balance outgoing traffic, and NAT everything, this would be easy....

The boss' (horrible) plan for this box is to co-lo another box somewhere far away, running a PPTP server, create multiple PPTP tunnels (one per DSL line), run EOIP on those tunnels, bond each of the EOIPs together, bridge the bonded interface with a physical interface on each end, and run BGP over the bridge (remember, the far end is at a co-lo where we can get a plain Gig-E port from any of a couple dozen ISPs).

Sadly, I think I can make this work, except for this part: is it possible to create a PPTP client instance and force that PPTP client to only use a specific interface (say, one on pppoe-out1, another on pppoe-out2, and so on)? If I can do that, the rest of this nightmare should be simple by comparison.

Weird Uncle Dave

Weird Uncle Dave posted:

Sadly, I think I can make this work, except for this part: is it possible to create a PPTP client instance and force that PPTP client to only use a specific interface (say, one on pppoe-out1, another on pppoe-out2, and so on)? If I can do that, the rest of this nightmare should be simple by comparison.

Following up on myself: If you can't do it, fake it. :)

I was able to get the desired effect here by putting several IPs on the "remote" box, having each PPTP client connect to a different IP, and using policy routing (to force connections to IP1 to use pppoe-out1 as its gateway, IP2 uses pppoe-out2, and so on).

Weird Uncle Dave

CuddleChunks posted:

Nice solution. Now document it so the next poor bastard doesn't wonder what crack you were smoking.

As soon as it's all up and running, and the other end of this nightmare is safely racked in a co-lo, a very long article in the in-house wiki will be written. I may try to MS Paint an onion, showing the PPPOE, PPTP, EOIP, bonding, bridge, and finally BGP, just to make someone cry.

Weird Uncle Dave
I only do the /export if the unit is a real PITA to get to, because I can't recall ever having any upgrade issues.

Weird Uncle Dave

mono posted:

I haven't changed any NAT rules, so whatever's there with a stock configuration is it (masquerade rule?)

By default, there's no NAT. You can get that, though, with a one-liner. Something like:

/ip firewall nat add action=masquerade chain=srcnat disabled=no out-interface=ether1

(Obviously you change that to reflect the interface that faces "outside.")

Weird Uncle Dave
I haven't used that specific unit, but I have a couple dozen backhaul links, that can push 30-40Mbps (depending on band, channel width, whether the climber put up a dual-polarity antenna) over ten miles or more, and one link that gets about 50Mbps over 23 miles (with a little ACK tuning to account for the distance of the link).

Interference in the 5GHz bands rarely is an issue, because there isn't (yet) as much other junk in that band. Everyone has a 2.4 router or a cordless phone, but 5GHz gear seems to be a lot less common. The short distance of your link, combined with a couple decent antennas, should mitigate most of your concerns.

Weird Uncle Dave
I'd be more interested to know what they consider a "simple" configuration, given the ridiculous amount of stuff one can do with their software.

Weird Uncle Dave

yarrmatey posted:

Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.

Link Techs' PowerRouters? I used to use a 732 in exactly that role. Way too much CPU for the job, but better that than too little. Only got pulled because my boss suddenly decided he wanted something new, and not because of any technical problems with the existing setup.

Weird Uncle Dave

insularis posted:

Can someone help me out with creating a Virtual AP that will allow guests to use the wifi without having any access to the LAN? My goal is a WPA-protected wifi AP for employees, and an open, Internet-only one for guests.

I've got something similar in my office. The way I did it, was to create two DHCP pools, one for the encrypted AP, a second one for the "open" AP, then did the firewalling based on the source IP address (i.e. if you're coming from the open AP, you're not allowed to access the office billing system).

Weird Uncle Dave
You don't necessarily have to do NAT when using DHCP. Can you route a block of IPs from the pfSense to the Mikrotik box, and let the Mikrotik box act as the DHCP server for wireless clients only? Then you can have the pfSense do the firewalling based on IPs, even though it's not the one assigning them.

Mikrotik's documentation is very good at explaining how to do (most) things, but the fact that you can do so drat many different things with their software means they don't always cover everything. A decent place for discussion is this mailing list; it's quiet, but has a few mad geniuses subscribed (including a guy who literally wrote a book on the software).

Weird Uncle Dave
Is there something you're looking to do, that RouterOS can't do? It's a pretty versatile piece of software.

Anyway, since it's already running Linux, you almost certainly can clear out their software and install your own stuff. Most current Mikrotik hardware is based on MIPS chips (I think that one is big-endian, but I don't have one handy to check).

Weird Uncle Dave
I've got something similar to that on a workbench in my office - one wireless SSID, and most of the Ethernet ports, in one bridge, and a VirtualAP (with encryption) and the rest of the Ethernet ports in a second bridge, and one lonely Ethernet port for upstream connectivity.

CuddleChunks covered the rest: two separate IP pools (in my case, one on bridge1 and one on bridge2), two DHCP server instances (listening on the bridge1 and bridge2 interfaces), a few firewall rules that drop traffic from IPs in pool1 to pool2 and vice-versa.

One extra thing I did: I put in packet mangle rules that mark traffic coming from each interface, and have two separate src-nat rules, so that traffic coming from one bridge has (to the rest of the world) a different source IP than traffic coming from the other. This way, if you're on the secure VirtualAP, you can connect to the office printer and so on, but not from the other AP. You could also do that with firewall rules, but I already have ACLs elsewhere for that, and this saves me having to duplicate rules in the wireless AP.
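The two-segment layout described in the posts above, written out as an added RouterOS example (not configuration from the thread). Bridge names, `ether1` as the upstream port, all addresses and the placeholder public IP 203.0.113.20 are assumptions; it also restricts what guests can reach on the router itself, which forward-chain rules alone do not cover.

```routeros
# Added illustration, not configuration posted in the thread.
# Assumed: bridge-staff holds the encrypted VirtualAP and office ports,
# bridge-guest holds the open AP, ether1 faces upstream, and 203.0.113.20
# is a placeholder public address already assigned to ether1.

/ip address
add address=192.168.10.1/24 interface=bridge-staff
add address=192.168.20.1/24 interface=bridge-guest

/ip pool
add name=pool-staff ranges=192.168.10.100-192.168.10.199
add name=pool-guest ranges=192.168.20.100-192.168.20.199

/ip dhcp-server
add name=dhcp-staff interface=bridge-staff address-pool=pool-staff disabled=no
add name=dhcp-guest interface=bridge-guest address-pool=pool-guest disabled=no

/ip dhcp-server network
add address=192.168.10.0/24 gateway=192.168.10.1 dns-server=192.168.10.1
add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# The router answers DNS for both segments. This also opens the resolver on
# every other interface, so WAN-side input must be dropped separately.
/ip dns
set allow-remote-requests=yes

# "add" appends: these rules must end up above any broader accept rule.
/ip firewall filter
# forward chain = traffic passing THROUGH the router between segments
add chain=forward in-interface=bridge-guest src-address=!192.168.20.0/24 \
    action=drop comment="guest: drop spoofed source addresses"
add chain=forward src-address=192.168.20.0/24 dst-address=192.168.10.0/24 \
    action=drop comment="guest -> staff blocked"
add chain=forward src-address=192.168.10.0/24 dst-address=192.168.20.0/24 \
    action=drop comment="staff -> guest blocked"
# input chain = traffic TO the router; without these, guests can still reach
# the router's management services on 192.168.20.1
add chain=input in-interface=bridge-guest protocol=udp dst-port=67 \
    action=accept comment="guest: DHCP"
add chain=input in-interface=bridge-guest protocol=udp dst-port=53 \
    action=accept comment="guest: DNS over UDP"
add chain=input in-interface=bridge-guest protocol=tcp dst-port=53 \
    action=accept comment="guest: DNS over TCP"
add chain=input in-interface=bridge-guest action=drop \
    comment="guest: nothing else on the router"

# Mark guest connections on the way in, then give them their own source
# address on the way out, so upstream ACLs can tell the segments apart.
/ip firewall mangle
add chain=prerouting in-interface=bridge-guest connection-state=new \
    action=mark-connection new-connection-mark=from-guest passthrough=yes

/ip firewall nat
add chain=srcnat out-interface=ether1 connection-mark=from-guest \
    action=src-nat to-addresses=203.0.113.20 comment="guest source IP"
add chain=srcnat out-interface=ether1 action=masquerade \
    comment="everything else uses the interface address"
```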

Weird Uncle Dave

Kaluza-Klein posted:

1.
The default config differs from the anypony guide in that it does not have you set a master port and slave ports for the switch. Reading the mikrotik wiki on the switch chip (http://wiki.mikrotik.com/wiki/Manual:Switch_Chip_Features) it seems like doing the master/slave format is more efficient, as traffic on the LAN never has to be processed by the router cpu. Is this correct?

This is true, but if you're doing anything else at all to the traffic (like, say, QoS'ing it, as you've mentioned) it won't work. You might as well just get rid of the switching stuff and go straight to creating a bridge interface and sticking ether2-ether5 in there now.

quote:

code:
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" \
    connection-state=established disabled=no in-interface=ether1-gateway
add action=accept chain=input comment="default configuration" \
    connection-state=related disabled=no in-interface=ether1-gateway
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway

First, note that these rules are all for the "input" chain.

Since Mikrotik is, internally, Linux, it helps to know a bit about how Linux does its firewalling. The "input" chain is for traffic destined for the router itself, and nothing else; the "output" chain is for traffic leaving the router itself. Anything you want to do for traffic going through the router, you have to add to the "forward" chain.

Anyway, the above rules allow ICMP traffic (including pings) to the router itself on all interfaces, then allow "established" and "related" traffic to the router itself that comes in on ether1, then drop everything else. This only affects traffic to your router on ether1 (presumably the WAN IP), and nothing else. Pretty much the equivalent of not allowing any sort of remote access to the WAN port.

I'm not sure about the last question, since I don't have a unit handy.

Weird Uncle Dave

Thoom posted:

So let's say you have computer A outside your network, and computer B inside your network. If A wants to open a connection to B, is that request handled by the input chain or the forward chain? If the latter, how does that work, since the packet is technically bound for the router's public IP?

Usually, that would be handled by the NAT and connection-tracking rules.

Assuming you have the usual home NAT rule - technically a "source" NAT rule (as opposed to "destination" NAT) - the router will already know that B requested to talk with A on port X, and when traffic from A on port X comes in, it'll rewrite it and send it on to B.

I think NAT rules are in the "prerouting" chain, which is (as the name implies) rules that are applied before the traffic hits the "forward" chain and is routed to wherever it's going.
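An added RouterOS example (not from the thread) of the case asked about, where outside host A opens a new connection to inside host B through a port forward. The `ether1-gateway` name comes from the default rules quoted earlier; the host 192.168.88.10 and the ports are constructed placeholders.

```routeros
# Added illustration, not configuration posted in the thread.
# Assumed: 192.168.88.10 is the inside host (B) and it serves TCP 443;
# the router exposes it on its WAN address as TCP 8443.

/ip firewall nat
# dstnat is evaluated before the routing decision. The packet arrives
# addressed to the router's public IP, the destination is rewritten to B,
# and only then does the router decide where the packet goes.
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=8443 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=443 \
    comment="port forward to B"
# srcnat is evaluated after routing, on the way out; this is the usual
# outbound rule for the LAN.
add chain=srcnat out-interface=ether1-gateway action=masquerade

/ip firewall filter
# Because the destination is already B when filtering happens, the packet is
# not "to the router" any more: it skips the input chain and is checked in
# forward. The match therefore uses B's address and port (192.168.88.10:443),
# not the public address and 8443.
add chain=forward connection-state=established action=accept
add chain=forward connection-state=related action=accept
add chain=forward in-interface=ether1-gateway dst-address=192.168.88.10 \
    protocol=tcp dst-port=443 connection-state=new action=accept \
    comment="allow only the forwarded service"
add chain=forward in-interface=ether1-gateway action=drop \
    comment="no other new connections from WAN to LAN"
```

The input-chain rules quoted earlier in the thread stay as they are; they never see this traffic, so an input-only rule set neither permits nor blocks a port forward.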

Weird Uncle Dave

Mr Chips posted:

Does that one do the usual routing/firewalling too, or is it just an AP with a switch built in?

They still run RouterOS, so you can do firewalling and routing and BGP and all the usual stuff.

Weird Uncle Dave
One of the last things I did at my old job (an ISP that had just started using 751s for customer routers) was basically that - a Web interface where you could type in the end-user's IP address and such, and it would spit out a configuration file for a 751. Where's this "quick setup"? I might pass it along to the folks at the old workplace.

Weird Uncle Dave
Short version: While I haven't used a RB951, I wouldn't expect too much. Spend a few more bucks and get an RB751 instead.

Long version: Just before I left my last job (at a small WISP), I actually did an informal router bake-off. I took a RB751 (the older, larger version of the RB951), a Linksys WRT54GL (stock firmware, not hacked up with DD-WRT or anything), and a couple other routers (no-name companies the boss found on Newegg, and not relevant to this story). I put them all in the same place in the office, on the same channel (one that was relatively free of other 2.4GHz traffic), and turned them on. Then I pulled out my smartphone, and walked around the building, taking notes on signal level and such.

By that admittedly-simple metric, the RB751 and WRT54G were pretty much equal, in terms of SNR and range. Obviously the throughput on the RB751 was better (it could do 802.11n, the other router could only do 802.11g), but otherwise they were fairly similar in RF performance.

The RB951 you're asking about, has an antenna with 1dB lower gain, the radio itself has 13dB less transmit power, and you give up the option to connect an external antenna if you want RF diversity or just more gain. You save a little bit of physical space and a few dollars, but at least on paper you give up a LOT of RF capability.

Edit: Oh, the 951 also has a slower-clocked CPU, and half the RAM.

Weird Uncle Dave
EoIP is a thing of beauty. When my last employer moved across town, we just set up an EoIP tunnel between the old NOC and the new NOC, so no individual server was down for more than half an hour while we loaded it into the back of the boss' Jeep and drove it between locations.

Aside from a bit of added latency, nobody really noticed. (Until the old mail server started soiling itself because it hadn't been moved in the previous seven years and we probably broke a fan or something, but that's not the fault of EoIP...)

Weird Uncle Dave

Alarbus posted:

poo poo. The process to 4.17 went fine, the process to 5.19 has not. I don't get the double beep, and WinBox doesn't see the router. Suggestions?

I had a few rare problems with 3.x to 4.x upgrades, but never one that couldn't be resolved by power-cycling the router.

If you've already done that, you might want to go read up on network boot, and maybe dig out a serial cable.

Weird Uncle Dave

TX297 posted:

Alright, it seems since DNSChanger Monday Suddenlink has decided to hijack all my DNS requests and route them through their servers despite me having everything set up for OpenDNS. I can opt out of their stupid "search suggestions", but it switches back silently every 2 weeks and I like my connection to be RFC2308-compliant, but whatever.

I know in DD-WRT I could set a bogus nxdomain entry for the search page IPs using DNSMasq, but I have no clue how to approach it with RouterOS.

The Mikrotik DNS service is fairly limited (here's the wiki page). I don't think you can do NXDOMAIN or other custom responses; it basically only does A records.

How are they doing what they're doing? Is your router getting DNS servers from your ISP, that they keep changing back/overriding, or are they actually intercepting and rewriting DNS packets? (If the latter, do you also have problems with other outside DNS, like Google's servers?)

Weird Uncle Dave
If you just need basic hot spot and payment processing functionality, Mikrotik can do that itself. Install the optional user-manager package, ideally on a separate unit (or one of the APs in a pinch), get PayPal integration and the ability to print up coupons.

The user manager package is a bit quirky (the Web interface isn't that hot, for instance) but if the budget is tight it's certainly usable.

Weird Uncle Dave

CuddleChunks posted:

Slap that together with a mounting bracket and boy howdy are you ready to light up some rural broadband. Yeee-HAW!

Or you could just order in a bunch of Ubiquiti clients and have it done a few months ago :smug:

Honestly, I'm glad that Mikrotik is catching up in terms of useful form factors. My last employer (I left the WISP biz a few months back) bought and used a LOT of Ubiquiti Bullets, mainly because of the awesome shape and size; if these had been out a year ago, they likely would have bought a few hundred of them instead (because let's face it, Mikrotik software is ridiculously superior).

Weird Uncle Dave
Especially if you're using one device with two wireless cards (say, one for their connection upstream, and a second one as an in-house AP), that sounds like a recipe for horror.

Did MetaRouter ever get fully-baked? I liked the idea of giving the customer their own little thing they can play with, without giving them full access to the device, but it seemed a little weird and clunky the last time I looked at it. (That was probably a couple years ago, though.)

Weird Uncle Dave
I haven't worked for a WISP in over a year, so I haven't been keeping up with Mikrotik hardware like I used to.

Do they now offer, or plan to offer, any decent dual-band SOHO routers that don't require you to buy a board/two radios/antennas/pigtails and assemble them? What I want is basically a RB951, only with both 2.4GHz and 5GHz radios and antennas built-in. I know such a thing would likely be $150 or more, but that's a fair price for a good router.

Weird Uncle Dave
I'll recommend against the second of those books (Dennis Burgess' "Learn RouterOS"). The book is self-published, and it shows, with overly-conversational writing and a complete absence of copy-editing. Further, the content is too basic IMO. If you know the basics of, say, BGP, you'll probably be able to figure out how to set up BGP in RouterOS pretty easily; the book doesn't really add much value there. If you don't know the underlying concepts, this book won't explain them; and if you do, you probably don't need the book to figure out how to work the GUI widgets.

Had it been more of a cookbook, starting with basic concepts that can be odd to Mikrotik novices (bridging Ethernet and wireless interfaces, for instance, can seem a bit weird if you've never done it before), and building on that, it might have been worthwhile. Dennis tried to write a book that could be all things to all comers, and it didn't turn out well at all.

Weird Uncle Dave

IT Guy posted:

Is there any way to use a DNS server in RouterOS?

How do you mean? Do you want it to act as a DNS server (it can, kinda) or just hand out DNS server info to VPN/DHCP clients (easy)?

Weird Uncle Dave
EoIP works... okay. It's only as fast as the connection between the two endpoints, and there's some overhead (and invisible-to-the-end-user packet fragmentation with large packets, especially if you're doing jumbo frames or other craziness).

I've used it for a couple short-term projects (moving servers between data centers in advance of moving the data centers' actual uplinks), but I dunno if I'd recommend it for a longer-term solution.

Weird Uncle Dave
2.4GHz is even unusable in many rural areas, because WISPs tend to use it for last-mile. I know from my WISP days, it was always fun making sure a customer's cheapo Linksys router wasn't running on the same channel as their service connection, making them both perform terribly.

If you want to stick with Mikrotik gear, you'll have to buy an add-on 5GHz card and matching antennas and pigtails, which will easily add $50 to the price of your gear.

Or, like Caged said, get an Apple Airport or Time Capsule (the latter gives you a big hard drive and if they're Mac users free backups). It's solid stuff.

Weird Uncle Dave

I am not a book posted:

I'm looking at the first script here, and I'm a little unsure about what is going on around line 10:
code:
/ip dhcp-server lease;
:foreach i in=[find] do={
  /ip dhcp-server lease;
From my limited understanding, it's printing all dhcp leases on line 10 ("/ip dhcp-server lease;"), and then iterating over them on line 11 (":foreach i in=[find] do={"), but why print the same thing twice on lines 10 and 12, and why doesn't it require "/ip dhcp-server lease print" like on the command line?

The Mikrotik CLI is kinda sorta trying to pretend to be a file system. The "/ip dhcp-server lease" indicates that it's going into that "directory." Since you're there, you can just do 'find' instead of having to fully-qualify it with "/ip dhcp-server lease find".

The second one probably isn't strictly necessary, but it certainly won't hurt anything.

Weird Uncle Dave
If there are IP addresses assigned to your wireless interface, they should be under /ip address. Are you sure you've actually assigned one?

Weird Uncle Dave
Got an odd problem with wireless bridging.

The wireless AP on my home network is an Apple Time Capsule, and I've got an old RouterBoard 433 with whichever card was popular at that time (probably an R52N, don't feel like opening it up to check). I've bridged wlan1 and all the Ethernet interfaces together, and have the radio in station pseudobridge mode. The goal is basically to use this old board as a wireless bridge for a few things downstairs, far away from any wires (I hate wall fishing).

So, the setup is:
[ Apple Time Capsule ] <--- wireless ---> [ RB433 ] <-- ethernet --> [ end devices ]

When I tested the above with my desktop PC, everything worked great. The PC pulled a DHCP IP from the Time Capsule, got online, everything was spiffy.

Took the device downstairs, plugged it into the TiVo, and... nothing.

The wireless connection is good (probably too good, actually, something like 50 points of SNR). But the TiVo says it can't get a DHCP address.

I probably could work around this by having the RB433 act as a DHCP server and do NAT on the Ethernet interfaces, but that's not ideal, because double-NAT always is terrible, and because it probably would limit my ability to manage the TiVo remotely.

Anyone seen issues where some DHCP clients don't like being behind a Mikrotik bridge? Any suggestions for other configurations to try?
