falz
Jan 29, 2005

01100110 01100001 01101100 01111010


Chiming in as a Mikrotik user at home and work. At home I was able to replace switch, router, wireless access point with a RB493. At work they make great customer premise equipment. In at least one case we're running OSPF, BGP and MPLS VPN and we've never had an issue. BGP is just for MPLS, not full ipv4 routes. Will be experimenting with full routing tables on some RB1100s soon to see how they handle it. Probably faster than some NPE-400s doing full tables.

falz
Jan 29, 2005

5.0 came out and 5.1 quickly after to fix some bugs. I ran 5.0 at home for a bit then upgraded to 5.1, no issues so far on a rb493. 5.x has a richer web interface if that's your thing- it seems to mostly replicate winbox.

* Changelog

falz
Jan 29, 2005

Weiz posted:

Are you insane? They are still fixing bugs in version 4 and you're going to install something that JUST came out.

All software has bugs, there are features I want in 5.x so I'm running it at home. Also it works just fine for what I'm currently doing (wifi, switching, tunnels, ipv6, ipsec). I did install it on an RB1100 at work and came across a bug that others have as well (console process takes 100% cpu). This was on testing hardware and hasn't repeated.

I run into plenty of bugs on Cisco hardware as well, at least with Mikrotik you can just post on the forum and they generally look into it.

krackpot posted:

There are new products for 2011 (http://www.mikrotik.com/download/share/hu11.pdf).

Crypto offload on RB1100-AH looks like a winner, we were looking to use an 1100 as a central point for VPNs but supposedly they can only get about 40mbps using the CPU.

falz
Jan 29, 2005

Instead of disabling ssh and weeding through logs full of static from the internet you should just apply some basic router protection firewall rules. Set up an address list of allowed management and monitoring networks and block pretty much everything else except ICMP on the input chain. I also always have a log rule just before deny that is only enabled for troubleshooting purposes.

falz
Jan 29, 2005

Roseo posted:

There's a memory leak when using BGP, to the point an 1100 with two sessions active starts dying and requires a reboot after ~6 weeks.

4.17 or 5.2?

falz
Jan 29, 2005

There's a thread on Mikrotik's website about full feeds on RB1100. Apparently its cpu has a hard time with the updates. RouterOS on PC hardware appears to be the recommended way. I've been testing openbgpd on openbsd and that's been a very workable/inexpensive solution.

falz
Jan 29, 2005

Roseo posted:

4.x for certain. I'm not throwing 5 on anything till it's actually mature. It may be fixed, but I doubt it.

I enabled BGP on a few of them within the last month and haven't noticed any leaks (yet?). How many routes were you feeding it?

4.17 box, ~1000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled between week 21/22 which is where it plateaus:

[memory usage graph]

5.4 box (was 5.0, 5.2) ~5000 bgp prefixes in RIB, ~300 from ospf. BGP was enabled before the first graph but I don't remember exactly when. Odd that memory usage is more steady since it has less RAM and far more routes:

[memory usage graph]

falz
Jan 29, 2005

While this is a fine idea, why not have a default deny rule to the Mikrotik via the input chain but allow trusted IPs in an address list?

falz
Jan 29, 2005

Roseo posted:

2x full tables on a RB1000. At ~2 weeks of uptime it's gone from 200 MB ram free to 70 MB free. After another week or two it'll sawtooth for a while, then a week or two after that randomly drop routes, not accept SSH sessions, and generally be crappy till a reboot.

Ouch. I wonder if this is architecture specific? I thought most that ran RouterOS with full tables did so on x86 and not MIPS since the hardware handled it better.

falz
Jan 29, 2005

I've upgraded a few- just uploaded the image, rebooted and all was fine. Certainly doesn't hurt to /export first.

falz
Jan 29, 2005

You should be able to easily add dns entries based on one of those host files if your mikrotik is your dns server. Unknown if there's a limitation if there's that much data in local dns though.

falz
Jan 29, 2005

I installed OpenWRT in a metarouter when the RB1100 first came out. It crashed the entire device so I didn't try again. Hopefully more stable now?

falz
Jan 29, 2005

More specifics: is it pingable? Are you accessing it via LAN or wifi? Do you get an error? Is the ssh/telnet/winbox port responding at the time? etc..

falz
Jan 29, 2005

There's a lot of QoS info on their wiki. The layer 7 page links to these importable layer7 rules that you can use in QoS for app layer control. I did this as a test with torrent traffic at work and while it wasn't 100%, it was quite effective. Torrent, NNTP, HTTP are on there. "Gaming" probably depends on the game. Quake and doom are there!

falz
Jan 29, 2005

Is it doing NAT?

falz
Jan 29, 2005

I don't recall there being any default NAT rules unless you enabled a basic firewall set from the web interface. Either way nat/firewall are likely the issue.

falz
Jan 29, 2005

Does the mac address registration stuff do any wildcarding? If so you could try to determine a valid range that may mean 'Sony', 'Microsoft', 'Nintendo'. If you did get that to work it would be extremely easy to bypass, but hey it's something.

Or possibly set up a virtual AP with a different SSID and have completely different authentication settings?

falz
Jan 29, 2005

I've just started using my first outdoor Mikrotik, a RB/SXT. Set them up on the roof of some office buildings that are about 3500' apart and they're working quite well thus far. I've had the bandwidth test running for two days now and it's 60mbps TX/RX simultaneously even with some rain overnight.

It's 5ghz unlicensed so I could run into interference problems but I just wanted to chime in to say that I'm surprised by the throughput that these can get at such a cheap price (~$90/each). The real test will be getting through a Wisconsin winter.

I'd be curious to hear what type of success any of you have had with any of their equipment outdoors and for longer distances.

falz
Jan 29, 2005

Simple is routing only. Adding anything such as NAT, firewall rules, etc becomes more complex and would benefit less from whatever fix this is. It's really the same as in Cisco-land, the pps specs they announce are for routing only.

falz
Jan 29, 2005

yarrmatey posted:

Does anyone have any experience with the PowerRouter product line? I am seriously considering one as a second upstream-facing router running BGP along with a decent cisco box.

I haven't used powerrouter but it's just x86 hardware that has existed for years so it has a chance of being dated. Also look at products from places like Lanner who sell x86 appliances with multiple built in Intel gig interfaces. There's also an Atom box from roc-noc.com that I believe is a rebranded lanner that would probably work as well. Or simply any x86 server with a few NICs. I've heard that a full BGP table on mikrotik requires it as Routerboards are just too slow. I tried to lab up full routes on an rb1100 w/ 1.5gb RAM and the cpu just remains pegged.

Off topic but if you're looking for cheap BGP look at OpenBGPD on OpenBSD as well. I have some in production and have had zero issues. A few are edge and a few are RR's.

falz fucked around with this message at 15:27 on Oct 1, 2011

falz
Jan 29, 2005

You can run something like DD-WRT under something Mikrotik calls MetaRouter. Not exactly what you're looking for but close. RouterOS is Linux underneath for what it's worth.

falz
Jan 29, 2005

You should always have a managed switch so you can use VLANs, debug issues on ports, graph traffic with SNMP, and so on.

falz
Jan 29, 2005

Thoom posted:

I just picked up a RB1000 from SAMart for my home network and I'm pretty happy with it so far, but I'm having a bit of trouble getting port forwarding working quite right.

Here are the NAT rules in question (for forwarding ssh, http, and svn to an internal server):

code:
/ip firewall nat
add action=masquerade chain=srcnat disabled=no
add action=dst-nat chain=dstnat disabled=no dst-port=22 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=22
add action=dst-nat chain=dstnat disabled=no dst-port=80 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=80
add action=dst-nat chain=dstnat disabled=no dst-port=3690 in-interface=ether2 \
    protocol=tcp to-addresses=192.168.29.100 to-ports=3690
The problem is that it won't forward traffic that originates inside the network, because of the requirement that the traffic be coming over the WAN port (ether2). If I get rid of the requirement for in-interface=ether2, then it forwards outbound traffic to that internal machine.

Earlier in the thread, I saw someone suggest specifying a dst-address, but my external IP address is dynamic, so that won't work unless I want to update the rules every time my IP changes.

Suggestions?

I've only ever dealt with static IPs. It's possible that your router may have to run a script to figure out your new IP or use a dyndns type of service. In my example below 1.2.3.4 is the public IP here. I'm also a fan of address lists hence the use of them:
code:
/ip firewall address-list
 add disabled=no address=192.168.29.0/24 list=SUBNET-INSIDE

/ip firewall nat
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=22 protocol=tcp to-addresses=192.168.29.100 to-ports=22
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=80 protocol=tcp to-addresses=192.168.29.100 to-ports=80
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=3690 protocol=tcp to-addresses=192.168.29.100 to-ports=3690

 add action=src-nat chain=srcnat src-address-list=SUBNET-INSIDE to-addresses=1.2.3.4
The order of the NAT rules is important, try to move your "general outbound nat" rule below the individual rules.

I always have a default deny rule at the end of my filter rules. If you have this then you must also have a matching firewall rule to allow the NAT'd traffic. I pretty much always use something like this:

code:
/ip firewall filter
 # protect router
 add action=accept chain=input comment="Permit Management to self" disabled=no src-address-list=SUBNET-INSIDE
 add action=accept chain=input comment="Permit ICMP" disabled=no protocol=icmp
 add action=log chain=input comment="Log before Deny"
 add action=drop chain=input comment="Deny Rest to self"

 # jump to forwarding rules
 add action=jump chain=forward in-interface=ether2 jump-target=customer

 # allow internal stuff to reach the internet
 add action=accept chain=customer connection-state=established
 add action=accept chain=customer connection-state=related

 # permit NAT entries
 add action=accept chain=customer dst-address=192.168.29.100 dst-port=22 protocol=tcp in-interface=ether2
 add action=accept chain=customer dst-address=192.168.29.100 dst-port=80 protocol=tcp in-interface=ether2
 add action=accept chain=customer dst-address=192.168.29.100 dst-port=3690 protocol=tcp in-interface=ether2

 # block the rest
 add action=log chain=customer comment="Log Blocked"
 add action=drop chain=customer comment="Default Deny"
Then watch the logged traffic for anything legit, disable the log rules when things are working properly and only enable if you have to debug something.

Thoom posted:

Edit: Oh, and while I'm at it, is there a way to tell the dhcp server to reserve address X for MAC address Y and always assign that way? I know I can just set static IPs on all of the machines I want to have them, but it would be easier to have the router do it, especially in the case of laptops that get used on another network sometimes.

IP-> DHCP Server-> Leases tab. Highlight the appropriate line and click the 'Make Static' button at the top. Winbox kind of breaks its UI standards by putting buttons at the tops of some windows.

falz fucked around with this message at 15:37 on Nov 20, 2011
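
The point above about a default deny needing a matching accept for every NAT'd target can be checked mechanically. This is an added example in Python (not code from the thread or from MikroTik): it parses '/export compact' style text and lists dst-nat targets that have no enabled accept rule in the forward chains; the sample export is constructed from the rules above, and the chain names "forward" and "customer" are assumed from that config.

```python
"""Added example: list dst-nat port forwards in a RouterOS export that have no
matching accept rule in the forward chains (a default deny would drop them)."""
import shlex


def parse_export(text):
    """Parse '/export compact' text into {section: [rule dict, ...]}.
    Backslash continuations are joined, '#' lines skipped, 'add' lines parsed."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):            # continuation, join with next line
            buf += line[:-1] + " "
            continue
        joined.append(buf + line)
        buf = ""
    sections, current = {}, None
    for line in joined:
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):           # section header, e.g. /ip firewall nat
            current = line
            sections.setdefault(current, [])
            continue
        tokens = shlex.split(line)         # keeps comment="Permit NAT" as one token
        if current is not None and tokens and tokens[0] == "add":
            sections[current].append(dict(tok.partition("=")[::2] for tok in tokens[1:]))
    return sections


def forwards_without_accept(text, forward_chains=("forward", "customer")):
    """Return (to-address, port, protocol) for each dstnat rule whose target
    has no enabled accept rule in forward_chains."""
    sections = parse_export(text)
    accepts = {(a.get("dst-address"), a.get("dst-port"), a.get("protocol"))
               for a in sections.get("/ip firewall filter", [])
               if a.get("action") == "accept" and a.get("chain") in forward_chains
               and a.get("disabled") != "yes"}
    missing = []
    for r in sections.get("/ip firewall nat", []):
        if r.get("action") == "dst-nat" and r.get("chain") == "dstnat":
            target = (r.get("to-addresses"), r.get("to-ports") or r.get("dst-port"),
                      r.get("protocol"))
            if target not in accepts:
                missing.append(target)
    return missing


# Constructed sample: 80's accept is disabled and 3690 has none, so both hit Default Deny.
SAMPLE_EXPORT = """\
/ip firewall nat
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=22 protocol=tcp \\
     to-addresses=192.168.29.100 to-ports=22
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=80 protocol=tcp to-addresses=192.168.29.100 to-ports=80
 add action=dst-nat chain=dstnat dst-address=1.2.3.4 dst-port=3690 protocol=tcp to-addresses=192.168.29.100 to-ports=3690
/ip firewall filter
 add action=jump chain=forward in-interface=ether2 jump-target=customer
 add action=accept chain=customer comment="Permit NAT" dst-address=192.168.29.100 dst-port=22 protocol=tcp
 add action=accept chain=customer dst-address=192.168.29.100 dst-port=80 protocol=tcp disabled=yes
 add action=drop chain=customer comment="Default Deny"
"""
```

Run it against a real `/export compact` by reading the file into `forwards_without_accept`; anything it reports will be NAT'd and then dropped by the final deny.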

falz
Jan 29, 2005

That rule is the 'general outbound NAT' rule. RouterOS has its own scheduler so you write a script and schedule it to run at whatever frequency you choose.

Chains are just a Linux iptables thing. The reason I have a 'jump to customer' rule then the rest of the rules in 'customer' is only because that's what Mikrotik does if you enable the default firewall rules (at least in older versions such as 3.x). It's always worked fine so I've always used that in my config template.

falz
Jan 29, 2005

Allegedly there's a fix where you plug in a higher voltage power supply to kick it back in to shape. I'd check the MikroTik forums first though.

falz
Jan 29, 2005

Input is just for traffic destined to IP addresses on your router, so router protection such as permitting management from trusted networks, allowing pings for troubleshooting, blocking the rest.

falz
Jan 29, 2005

Yes, and it should auto find it by clicking the '...' in winbox. Also the default ip is 192.168.88.1.

falz
Jan 29, 2005

I just created this thread on Mikrotik's forum for this. Please all pile on so they realize it's an issue. It's likely that they will want a support case opened as well, I don't have a current customer with this issue so I don't have the required details to open one at the moment.

falz
Jan 29, 2005

Mikrotik would give you just about any VPN option you want that follows a standard.

Site to site you can do encrypted GRE or IPIP so you can use routing protocols, PPTP for site to site (which seems silly to me), L2TP, IPSec and wacky layer2 stuff like EOIP. Client VPNs can use PPTP, OpenVPN, and I think something else.

It is quite nice to be able to run The Dude directly on the router to monitor the inside of a customer's site. If you have SNMP enabled on your devices (servers, switches, routers, printers, etc) you can draw a network map that has a near real time graph of throughput between devices. It can also do basic checks on services like HTTP, DNS and alert if needed. All running on a $60+ router.

falz
Jan 29, 2005

If it has a switch chip you should be able to get wire speed as long as it's being used. Routing speed depends on features + pps. Enabling NAT alone probably halves your speed (guess). If it's all larger packets at a short rate you can likely achieve decent results. They have test results for straight up routing in a pdf on routerboard.com, take that info and divide it in half, or even up to 80% lower and see where that puts you.

falz
Jan 29, 2005

nexxai posted:

Where would I find this out?

EDIT: Nevermind. The big text at the top of the page lists "two switch chips".

Do I get to pick which ports each chip uses or is it split 4 on one and 5 on the other?

There's a group of ports for each switch chip. According to this:

* Atheros8316 is present on RB493G(ether1+ether6-ether9, ether2-ether5),
* ICPlus178C is present on RB493 series(ether2-ether9)

falz
Jan 29, 2005

They have graphs built in, but you can poll them directly with snmp as you would expect.

falz
Jan 29, 2005

A few new products here:

http://mum.mikrotik.com/presentations/PL12/PL12.pdf

Looks like they still haven't figured out SFP yet since the first RB2011 (2011L-IN) has none.

Rundown:
* CCR 1036 - previously mentioned
* 48V to 24V power converter
* RB400L - lower cost?
* "Metal" 1.3watt 5ghz outdoor radio
* SXT G - RB/SXT but with gig port

falz
Jan 29, 2005

I don't have the link handy, but Mikrotik lists two other antennas that are known to fit on their spec sheet or a forum thread announcing it. One of them is a small indoor sector.

falz
Jan 29, 2005

'/export compact' is a lot easier to read

falz
Jan 29, 2005

Aren't each of your 10.x networks behind NAT?

falz
Jan 29, 2005

If you need to VPN in from a client PC just use PPTP or OpenVPN. Or forward remote desktop port and connect to it and daisy chain from there without VPN.

For network stats, just enable interface graphing and have them bookmark http://router/graphs/

code:
/tool graphing interface
 add
/tool graphing resource
 add
/tool graphing queue
 add
Or install The Dude on the router, install the dude client for them, create a network map in it and properly assign interfaces to links- you will get near real time stats of everything including health of routers (and printers and servers if you desire).

falz
Jan 29, 2005

Should be just fine. You would bridge Ethernet and wlan interfaces to create the separation. You could do separate wlan radios or use virtual APs with a single radio (I think). Or you could take it even further and use VRFs to separate the routes, or metarouters which is a separate instance of RouterOS running using the interfaces of your choosing.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010


I have a few RouterOS VMs on ESX and they're fine. I'm not running any routing protocols or VRRP however, which I hear can have issues due to VMWare and multicast.

Also as previously mentioned, you may want to check out Metarouter. I've only run it once to test and had it crash a lot, but that was right after it came out.

falz
Jan 29, 2005

movax posted:

Sorry for double-post, but this is un-related to above post. Is there a software-way to completely secure the serial port, including disabling its usage during boot loading? I disabled it currently by setting baud-rate to 0, and disabled the software jumper as well. Anything else to do to protect it against physical connections/mucking around?

What environment is said router in? There's only so much you can do to secure a device that untrusted users have physical access to. I would enable remote syslogging which will show you invalid login attempts if someone is trying to muck with it.
