MikroTik

Hugh Hartman

I currently run v2.8.25 Bridge configuration and need some guidance in converting the following for 2.9.50 in the Bridge Firewall. 2.8.25 add mac-src-address=00:00:00:00:00:00 in-interface=all \ mac-dst-address=00:60:B3:3D:93:10 out-interface=all mac-protocol=all \ src-address=0.0.0.0/0 dst-address=...

Hugh Hartman

been on board since v.2.6--implemented v2.7 (Wisp) upgraded to v2.8.28 (PC&Wrap) one year ago in production and use v2.9.13 (PC)for testing....
I would like to try RB100 as CPE,,,but waiting a little longer..

I too love the product , but learned you have to pic the right platform and version.

Hugh Hartman

just change the port from 80 to a high number above 30,000,,as port scanners stop around there.

Hugh Hartman

Please post the actual rules

Hugh Hartman

I use bandwidth rules for p2p,,full pipe and individual uploads. As I understand that only addresses the TCP part of P2P ,,(even though it is layer 7 filtering) not UDP as that can only be dropped,,,so what i was looking for is a way to "count" UDP packets that are P2P and drop after a cer...

Hugh Hartman

UDP packets can only be dropped and you can not limit the connection numbers as UDP is connectionless... Is anyone aware, how to minumize the effects of mulitple UDP packets on an AP and/or network without dropping the entire protocol that is using it?. ie Bit-Torrent (P2P). beyond speed/burst etc.....

Hugh Hartman

FYI--upgraded one of my test units (transparent bridge configuration)to 2.9.13 from 2.8.28 without a hitch--
MANGLE and QUEUE TREE not working as documented by MT,, but to my surprise: Simple queues, custom queue types and Firewall chains all working.

Hugh Hartman

The simple answer is no--all a subscriber has to do is plug in another router using NAT and run off that. The complex answer, would be to inspect the packet for the IPid field and see what IP is being translated.. Google : "A Technique for Counting NATted Hosts" there is a pdf file from co...

Hugh Hartman

http://www.butchevans.com/readarticle.php?article_id=11

Hugh Hartman

I use 2.8 exclusively,,once a router is set into production it makes little sense to update for the sake of updating-- I will update when the licensure is get close to expiring to get the most recent P2P protocols. That said, there are times to update in order to get new features. I am however, read...

Hugh Hartman

please see update: thanks fatonk

http://forum.mikrotik.com//viewtopic.php?p=29355#29355

Hugh Hartman

please see update: thanks fatonk

http://forum.mikrotik.com//viewtopic.php?p=29355#29355

Hugh Hartman

Thanks, I was able to apply what you have done to rewrite a simple 4 rule bandwidth configuration for v2.8 as follows: / queue type queue type add name=Down kind=pcq pcq-rate=393216 pcq-limit=50 classifier=dst-address queue type add name=Up kind=pcq pcq-rate=98304 pcq-limit=50 classifier=src-address...

Hugh Hartman

I have retested this setup and it is not working per IP--when tested before it was working on each IP--
back to the books,,as i know there is a way to do this using PCQ without classifiers,,and adding an IP class which triggers the limits for each IP.

Hugh Hartman

http://www.butchevans.com/readarticle.php?article_id=10

This is for v 2.8--it would need to be converted for 2.9

Hugh Hartman

The queue type is changed to pcq without classifier, which causes each ip in the range to have the same ul/dl , individually and the limits are applied on that bases, not ul/dl for entire ip class.
you can add burst etc..

Hugh Hartman

this works in v 2.8--you would have to convert to 2.9

http://www.butchevans.com/readarticle.php?article_id=10

if you do--please post the code,,thanks

Hugh Hartman

Could this work?, it provides each IP with upload/download across a class of IP's,,as long as you want the same speed for each customer.

http://www.butchevans.com/readarticle.php?article_id=10

Hugh Hartman

from Eugene in previous threads discussing connection limits:

Every computer can make no more than 80 TCP connections through the router.

I had problems with hundreds of connections,,captured after using this rule and none exceeds the value 80.

Hugh Hartman

in v 2.8.28 this is the rule I use:

/ip firewall rule forward add protocol=tcp tcp-options=syn-only connection-limit=80 action=drop

Hugh Hartman

I use 80 without complaints, but started at 100 connections per/IP.

Hugh Hartman

Hugh Hartman

Did you re-point any CPE's after you replaced the antenna?

Hugh Hartman

you only edit the firewall rule to reflect the IP (or class) that you are allowing router access for configuration. input rules= to the router only. I leave out web-proxy. If you use safe mode, then you will erase the last 100 entries made in the current session, bringing you back to square one, sho...

Hugh Hartman

in winbox--ip/services--disable telnet or change the port #

Hugh Hartman

I use 2.8--so this may not apply:

I mangle the "whole pipe" using the local (in) and public (out) interfaces as the parent.---then this becomes the parent for all the traffic you are trying to shape:
I only use global-out for limiting P2P upload speeds on a per connection bases.

Hugh Hartman

Yes- I limit the connection time and the number of connections..

Hugh Hartman

RouterOS applies the queue tree first, then the simple queue.
I QoS in queue tree and bandwidth limit/burst in simple queues

Hugh Hartman

recently having a similair issue 1/15/06, I sent a support file as instructed by routerOS,,the response I received,,"please upgrade to 2.9.11, there is some kind of failure in your installation, upgrade should fix it." I was using 2.8.28 and wanted to continue,,so I removed the wireless pa...

Hugh Hartman

conchalnet
Are all the connections TCP or is there some UDP mixed in?

Hugh Hartman

Which Version?,,as 2.8.28 makes default priority 8,,so only a rule for ICMP would need to be added using a value in the limit-at field and change the priority to 1. ( you must have a value in the limit-at for the priority to take effect). Version 2.9--I understand defaults at priority 1--so all othe...

Hugh Hartman

We would need more information,
please copy the simple queue you have set up for one customer.

Hugh Hartman

usually you allow all UDP in the input rule which covers DNS at UDP 53

Hugh Hartman

Conchalnet: there are a couple of things I have done which seems to help. First limit the total number of TCP connections per IP (80-100): This will help with the saturation of TCP connections that occures with P2P programs. Next: many P2P programs will allow download based upon the amount of upload...

Hugh Hartman

You can verify what protocols are forwarded, by going to> Interfaces/bridge1/bridge... there you should see a check boxed for the protocols selected,, we use IP, ARP and Other. deselect IPv6, Apple-Talk and IPX. This cofiguration will allow all packets through for the protocols selected to pass thro...

Hugh Hartman

I notice you are dropping TCP in the above rule. Bit Torrent opens many UDP "connections", could that rule be modified to: /ip firewall filter add chain=forward protocol=udp p2p=all-p2p connection-limit=10,32 action=drop I already have a max connections for TCP on each IP,, but UDP is tric...

Hugh Hartman

I have been testing this for a few months on my home network,,with no issues:

http://www.butchevans.com/readarticle.php?article_id=10

Hugh Hartman

Could you mangle: passthrough for HTTP- IN traffic and then below an accept rule for the download if that can be identified? ie P2P:

dst-address=:80 protocol=tcp action=passthrough mark-flow=HTTP

action=accept mark-flow=P2P

then use the queue tree with the priority/speeds you want.

Regards, Hugh

Hugh Hartman

sroa said:Hi every one, I am new with MT and I was wondering if it is possible to handle real QoS and after that do Bandwidth Limiting. the simple anser is yes--do the QoS in the queue tree and then bandwidth limiting in the simple queues which gets applied after the queue tree.. Here is what I do f...

Hugh Hartman

Not sure how the hotspot works,,but here is a 2 rule PCQ scheme: In 2.8.28 create a basic PCQ type without classifiers: queue type> add name=users kind=pcq then queue it up under simple queue with the type created above: use target address for entire class and whatever limits you want,,just be certa...

Hugh Hartman

P2P feature was added in 2.8 so 2.7 won't work.

Hugh Hartman

Basic information about rates that may explain why default setting should be used:

http://archives.part-15.org/listarchive ... t=Mikrotik

Hugh Hartman

While I haven't used 2.9 yet,,I notice the recent release 2.9.9- yesterday "changed bridge configuration approach" Not sure if the documentation has been changed to reflect that--but that is the direction I would go. I have been waiting for the bridge issues to be resolved as most of my MT...

Hugh Hartman

http://forum.mikrotik.com//viewtopic.ph ... tion+limit

good points made in this thread--I learned 2.8 so use 2.8.28

Hugh Hartman

It is my understanding that UDP traffic can not be limited,,,just dropped

Hugh Hartman

A link to your configuration would be nice to compare as I am experimenting with PCQ -currently use queue tree & simple queues.
Thanks

Hugh Hartman

We use 30 minutes without any issues

Hugh Hartman

To answer your question the initial connect port for winbox can be changed to anything you wish:: IP/Services-www.= anyport. The problem you will face is that the Winbox console goes on either TCP port 3986 or TCP port 3987 for secure in V 2.8.28,, V 2.9 uses TCP port 8291. I do not know how/if you ...

Hugh Hartman

Yes!!! Mikrotik will do what you want as a transparent bridge, and either hardware works fine.

Hugh Hartman

limit-at is a guaranteed rate:
this link explains burst threshhold much better than I can:
http://www.butchevans.com/readarticle.php?article_id=6

Hugh Hartman

Change- primary-dns: 202.155.0.10 to 10.0.0.1 (Mikrotik IP)
make seconadary-dns:202.155.0.10

try those settings on the clients end as well

Hugh Hartman

Should a similair rule be set for TCP port 53 as well?

Hugh Hartman

This Article is pretty good to get you going:
http://www.butchevans.com/readarticle.php?article_id=6

Hugh Hartman

Yes we use it,,,started out with high usage customers and currently placing all customers with burst/throttle..CPU usage is only at 4-5% Max Limit 98304/524288 Burst Limit 131072/786432 Threshold 65536/262144 Burst time variable from 75s to 300s Those who leave the computer on and allow unlimited up...

Hugh Hartman

yikes: IP Address : 213.209.174.66 HostName : IP66NET174 Resolved : ip66net174.skylogicnet.it Operating System : probably Unix Time to live (TTL) : 47 (64) - 17 hop(s) away Open Ports (76) 25 [ Smtp => Simple Mail Transfer Protocol ] 220 AVG ESMTP Proxy Server 7.0.321/7.0.322 [267.3.3] 110 [ Pop3 =>...

Hugh Hartman

engineer---LANguard Network Scanner v (2.0 beta)
taloot--scanning now

Hugh Hartman

this scan does not look good: IP Address : 213.209.174.66 HostName : 1117415880.335 MAC : 00-00-00-00-00-00 (probably Dial-Up) UserName : (No one logged on) Operating System : probably Unix Time to live (TTL) : 47 (64) - 17 hop(s) away NETBIOS names (1) 1117415880.335 - Workstation Service Open Port...

Hugh Hartman

I use -40 as everyone understands that's COLD.......lol

Hugh Hartman

I was hoping that the most recent RouetrOS release would have Ares added in theP2P protocols, (my biggest reason to upgrade a perfect running system is to obtain new P2P protocols),so I upgraded to V2.8.27=no luck anyways, I have just started to look at ARES and find the default incoming request por...

Hugh Hartman

wifiradio--this is great news as I have been trying to find someone who has deployed these under extreme conditions,, outside of the tested Mikrotik range of operation... At the training in Pheonix we discussed trying your mentioned setup assuming it would generate enough heat. I would not be quick ...

Hugh Hartman

I don't have an answer, at this point we limit the upload of all traffic, using the brusting feature, on problem people who leave the P2P application on and max out u/l for extended periods.

Hugh Hartman

40' LMR 400 at each location,, try Tranzeo for AP's in cold climates as Mikrotik does not operate low enough for our climate,,,,but use Mikrotik on the ground, behind the Tranzeo AP .
I don't have any experience with 250' runs or anything other than LMR-400

Hugh Hartman

We see -40F for extended periods of time, plus windchill to -75F,,and have Mikrotik & AP's inside and use all-in-one CPE's rated to -60F.

Hugh Hartman

In following this thread, I could use a little clarification, if someone doesn't mind explaining.. I'm trying to understand DNS server vs DNS Cache. Am I correct that a Local "DNS server" will reslove addresses if the primary/secondary DNS server of the upstream provider is down? And DNS c...

Hugh Hartman

i run it on windows XP with no issues with neigbour viewer from the MT site,,FWIW

Hugh Hartman · support file sent 5/7/05,,,thank you

support file sent 5/7/05,,,thank you

Hugh Hartman

bump--edit to export file which was too lengthy

Hugh Hartman

I have RTFM and The How to's along with the threads, but still unable to pass traffic on the dst-nat rule,,,looks ok on the Src-nat end except all traffic is going out the 12.167.205.103 IP and not 1:1 NAT from 192.168.0.10 to 12.167.205.254. i can not surf,mail etc.,unless i activate masquerade,wha...

Hugh Hartman

MAC telnet should work as it is layer 2 protocol,,and you are blocked out of layer 3 (IP),

Hugh Hartman

remove your Limit At rates
decrease the burst threshold below the Max Limit by at least 10%
increase burst time

you may be allowing a burst too often.

Hugh Hartman

tryc:> pathping 64.233.161.99

Hugh Hartman

at the command prompt use this command, it will show you all hops c:>pathping http://www.google.com

Hugh Hartman

what version are you looking for?

Hugh Hartman

change the www service from port 80 to another port in the MT.

Hugh Hartman

Try This change this : ip firewall rule input add src-address=10.0.0.0/24 \ comment="Allow access from our local network. Edit this!" to this: ip firewall rule input add src-address=192.168.2.0/24 \ comment="Allow access from our Clienst IPs. " this will give you winbox from your...

Hugh Hartman

add the routerboad npk file, as the file allows the remote reboot of a MT "headless" without monitor or keyboard.

Hugh Hartman

download neighbor viewer from: http://www.mikrotik.com/download.html
it's at the bottom of the page,,,then you can MAC telnet into the MT,,as it bypassess firewall rules.

Hugh Hartman

yes--when you add the dst-nat rule /32 is used on the private IP,,and when you add the src-nat rule /32 is on the public IP

Hugh Hartman

RouterOS How to list has:

How to link public addresses to local ones.

Hugh Hartman

I recall this issue and searched the archives:
in bios is it in lba mode?
is quick boot disabled?
is the harddrive set to primary master?

There are other threads on this subject--try searching

Hugh Hartman

When using simple queues for bandwidth management is there any advantage in using target address over destination address?

Hugh Hartman

The problem with DHCP and the TR-CPE-200-15 was fixed with the latest firmware upgrade available from Tranzeo.

Hugh Hartman

Ok--in the bridge firewall rules/tools--where you allowed the MAC--you can add a comment which will attach to the entry and show each clients name if you desire.

much like the Name for the IP limiting entry in the Simple Queues.

Hugh Hartman

In order for the customer to do that, he would have to hack into a router with the proper login name and password.

Even so, I believe the hacker would get the error message as the premise router keeps the customers always on.

Not the best, as it wont match an IP to a MAC.

Hugh Hartman

I was unable to get that working in a bridged configuration v2.8. ended up using MAC filtering via the bridge interface firewall and limit traffic via IP in simple queues. Assign a static IP to each customer premise router. While a customer could break in, to gain access to the premise router and ch...

Hugh Hartman

bjohns--i have run into that on the radio association side of wireless with Cisco Br342 when the WGB software was loaded in error. What I am not able to determine is if an ethernet connection side of Tranzeo TR-CPE200-15 has the same type of limitation. At this point, we plan to go forward, as there...

Hugh Hartman

With a more testing I am finding that---with no MT behind this CPE,,you are unable to turn off clients via MAC addy in the
bridge interface at the NOC.

The CPE we are using must be adding it's MAC to allow traffic, even when the MAC of the clients is removed from the filter at the NOC.

Hugh Hartman

At the customers premise we use a cheap router and they are on a seperate network,,,we provide the router programed with their IP/subnet/gateway/dns entry. I must be confusing things here-- The section of our network I am talking about is: where we are using a CPE (for a backhaul) <> MT<> switch<> A...

Hugh Hartman

thanks for the info-- As you noted the MAC is usually limited to 1 MAC or unlimited, I have not seen a manufacturer limit to a specific number on the ethernet side. I have seen Cisco do this on the radio association side for the reasons you mention. I was seeking a way to not make this a seperate ne...

Hugh Hartman

I was not sure what took place at the packet level when you use the Bridge firewall feature for MAC filtering and simple ques for bandwidth limiting. The issue I am faced with is the CPE is multi MAC bridge support, however limited to 8 MAC's according to the manufacturer (tranzeo TR-CPE200-15). I a...

Hugh Hartman

Does a Mikrotik configured as a transparent bridge, bridging the ethernet interfaces and set between the CPE and the switch,,, change the packets to appear as 1 MAC?

Hugh Hartman

Hotspot may be used on wired networks

Search found 92 matches

converting from 2.8.25 to 2.9.50

Damage control for UDP

src-nat, dst-nat

destination vs target address for bandwidth queues

Mikrotik and MAC's in bridged configuration.