MikroTik

IntraLink

I just spent about 3 hours this morning trying to limit P2P using MT. Now that most clients on our network seem to be using encryption none of the packet or connection marking is really making any difference. I am using version 3.13. Basically it all comes back to just plain bandwidth throttling and...

IntraLink

All of the sampels show a simple firewall rule to drop traffic on all P2P, but it doesn't seem to touch clients runningn on NAT/Masquerade.

Any ideas?

IntraLink

It's odd, but when I change the Queue it appears to throttle this connectino in torch back down, but then it climbs back up to what the picture looks like.

Almost as if his nntp client found a way 'around' the queue limit after a couple of seconds for that one connection (3-4Mbps).

IntraLink

I am trying to throttle NNTP down to 256kbps per user/IP. I think I am almost there, but now the clients show one nntp connection as very high and the rest as lower like they are being throttled. This picture normally looks like 5-7 nntp connections all equal at about 3-400kbps (before the rules I e...

IntraLink

I had this command to remove a redirect rule in 2.9.x and now it appears broken in 3.13:

/ip firewall nat remove [/ip firewall nat find src-address=208.53.47.14]

Any ideas?

IntraLink

I have a RB1000 and a Dell 1650 with two intel GigE ports and a RB45 4 port GIGE card.

I set up VRRP from scratch on both servers and it thinks both sides are master apparently.

Can anyone tell me what to look for now to get this to work like it did on version 2.9x?

IntraLink

Is it possible to block just encryted P2P and then shape the rest of the non-encrypted P2P?

Or do you have to just drop all P2P or live with Encrypted P2P and shape the rest?

IntraLink

Normis et. al.,

Ben at PacWireless mentioned that Mikrotik was certifying the 3' dual polarity dish with Mikrotik/Routerboard hardware and systems.

Is this true?

If so, when will the certification process be complete and what is the FCC ID?

IntraLink

Jerry, you could go to someplace like wisp-router.com and pick up a routerboard 530 series board with three ethernet and an indoor case and power supply. That's pretty much all the equipment you need. You could even get that in a PoE version in an outdoor enclosure if you need to mount it by the SM....

IntraLink

;;; DNS Redirect for External DNS Old to External DNS New Servers chain=dstnat dst-address=209.63.0.2 protocol=tcp dst-port=53 action=dst-nat to-addresses=216.194.124.21 to-ports=53 chain=dstnat dst-address=209.63.0.2 protocol=udp dst-port=53 action=dst-nat to-addresses=216.194.124.21 to-ports=53 W...

IntraLink

I STILL haven't figured out how to control Mikrotik ARP requests from the MT router. WHAT type of incoming packets would cause MT to spew 1000's of ARP broadcast packets a second?? I've got a border router that routes a .252 class public IP and it's ARPing the entire public subnet when SOMETHING hit...

IntraLink

I can't use static ARP since the customer is allowed to change their MAC.

Any other ideas??

IntraLink

Thanks normis, that helps me feel better about our upcoming deployment of the 44G.

We'll let you know how it goes.

IntraLink

Hmmm... That's not good news.

I just hunted down 5 44G cards from aerial.net which BTW was an awesome company to work with and purchase went very smoothly.

So I'm waiting for the cards and we'll see if they have problems with VLAN...

IntraLink

Is there ANY way to limit ARP requests in MT?? Every so often I get slammed with my MT box doing thousands of ARP requests a second on my Public IP subnet. I'm assuming this is coming from the internet, but I can't find any way to limit or firewall this behaviour in Mikrotik. Basically I'm a sitting...

IntraLink

I used Winbox and set up a dst-nat on port 53 tcp and udp (mostly udp traffic) to the new IP and port 53.

Seems to work fine.

IntraLink

I'm looking at getting a couple of used Dell 1650 machines for use with MT at one of our locations. I think they have dual GigE ports on them and they are probably E1000 variety. This should work with MT, right? They are dual CPU, but I can just rip one CPU out or leave it in and MT 2.9 will recogni...

IntraLink

Can anyone confirm this fix works now with the 44G card?

IntraLink

Nevermind, I figured it out.

IntraLink

What does the rule look like if I need to redirect all of my customer DNS entries at 208.63.0.2 to 216.43.23.5 using my MT border router?

IntraLink

Wouldn't this be a simple solutions for your needs if you added a VLAN switch between the MT and the network, then tag/untagged the packets on the MT port? So MT doesn't use VLAN, you just untag the ports coming from the VLAN side of the network. So you could sort of "funnel" the VLANs to ...

IntraLink

That's what I was thinking. I did a torch and didn't see any highly unsual traffic, though it's hard to tell when it's 45Mbps of traffic going through it at any given time. I didn't notice unusually high packet counts on the interface either. But I'm sure it was something from the outside. How do I ...

IntraLink

This is on our broadcast domain, so it's our internal interfact and our MT internal interface MAC and gateway IP for our public customers. In other words we have a range 209.53.56.0/22 and 209.53.59.254 on the internal network interface as the customer Gateway. The ARP requestions are storming thous...

IntraLink

I'm getting like 1000-3000 ARP requests a second from my Mikrotik Router on the public IP's it's routing at times which is killing everything in my broadcast domain. What does this mean? Is this a DOS or DDOS attack from the outside? How do I limit thi behavior in MT?? Seens like there should be som...

IntraLink

Thanks a ton for the quick response. I've tried figuring out why it is doing this, but have no earthly idea. Doesn't seem to cause any errors in MT in the logs. I'm guessing something internal to MT. Or the router facing me from my provider. It simple stops receiving on that interface out of the blu...

IntraLink

My external interface named EXTERNAL sometimes has problems where I need to disable it and re-enable to get it working again.

I was thinking of using Netwatch on an external IP, but need a quick simple script to disable this interface, wait 5 seconds then re-enable it.

Any help is appreciated!

IntraLink

I set up NTP on the routeros to receive from Colorado.
I'm in Utah in MST but I can't seen to get the time the NTP server is reporting to work correctly.

It's still showing me as 7 hours ahead, though I put in -07.00 in the time offset field in winbox.

What am I doing wrong?

IntraLink

Even though that public address gateway for the public IP is on the internal interface too?

IntraLink

When doing 1 to 1 NAT on a routed system, what interface do I put the public IP on? I'm routing a C class 209.40.40.0/24 and want to one to one NAT 209.40.40.40 to internal 192.168.40.40. The gateway 209.40.40.254 is on the Internal interface, and the external interface has my connected IP for my pr...

IntraLink

ok, Ill bite which part is wrong? It seems like you've had some bad experience with Canopy so I'll elaborate a bit on our experience. Canopy works very much like a regular radio. You don't need Prizm. Everything we monitored on our MT network was available to monitor with Canopy via SNMP. Stuff lik...

IntraLink

Surfnet, everything you said about Canopy is totally wrong.
Maybe you should read the manual.

We've used Mikrotik and Canopy for over 4 years.
They both have their place IMO.

IntraLink

FYI we swapped everything out multiple times and it was the SR cards both the sr2 and sr5. We still use MT as a router among other things and the wireless does work well with other cards we've used. But now that we've gone Canopy our support calls were reduced by more than half. There's a time when ...

IntraLink

We ditched the SR cards because of this problem and soon will be upgrading the last of our Mikrotik wireless networks to Motorola Canopy.

It was fun while it lasted (he says sarcastically).

IntraLink

Ah, I think I see your point; two identical MAC addresses, one on each router on different switch ports. And this affects the whole interface MAC even after VRRP is removed? I'm sure your switch doesn't like that! If this is the case then can we expect a fix in .28? I'm waiting until this is resolve...

IntraLink

That sucks.

If that is a bug I hope they fix that soon. Please let us know what you find out.

I really don't want to install this and have the same issues and then have to re-install the whole router config because of a stuck virtual MAC.

IntraLink

Anyone confirm this fix yet for VRRP in .27?

IntraLink

Anyone tested the VRRP bug fixes yet?

I posted them my supout file and it appears they fixed a column printing error that I was seeing but I haven't upgraded yet to see. I'm waiting for someone else to see if the GARP and virtual MAC bug was fixed in .27 for VRRP first.

IntraLink

I've seen some RB or WRAP type boards that have 533 MHz cpus..might be enough for what u need. some of the major distributors had them. how much traffic and policy - ing do you plan on having through this machine? jo It is a border router so there would be a few policies on it for shaping and filte...

IntraLink

Not sure what you are asking here. Are you talking Motorola Canopy? There is nothing special about the Canopy radios IP wise. If you have a Mikrotik box sitting between your Canopy cluster and your internet connection then you can either bridge your Canopy clients through to your router or you can t...

IntraLink

So with NStream2 I should be able to get something near 45Mbps actual throughput?

200MHz separation is hard and I don't want to dig into our 5.8GHz spectrum.

What antennas are good for the dual polarized scenario in the 5.2GHz range?

IntraLink

Those cases are cool.

Now what to put in them? I saw some mini motherboards listed next to the case, but couldn't tell how fast they were.

To do past 100Mbps on the GigE port I need something decent, but not outragous and that MT supports.

IntraLink

What would be cool is two thin router like devices in one 1U enclosure each with their own power supply set up with VRRP.

Someone should sell something like that for a border router config.

IntraLink

I've got a couple of links that I would like to start using Mikrotik on at between 5-15 miles each. I'm currently getting about 25Mbps from a Proxim link using about 25Mhz of spectrum. Is this possible to do with a RB500 series, two 802.11a cards and NStream or NStream 2? Is dual polarized antenna b...

IntraLink

Can someone point me to a place to buy/build hardware for a MT server? I'm looking for a price point maybe under $500 for a 1U MT router with: 3 or more ethernet interfaces (at least 1 GigE ethernet adapter) Reasonably fast Pentium Processor Either solid state or low capacity HD (not storing anythin...

IntraLink

as always, send support file ... There is no help to anyone to simply say "it doesn't work". An appropriate reply would be "works for us" :D Sorry about that, where do I send the file, or what is the process for sending it? Nevermind, I figured it out and sent the support file.

IntraLink

The problem with the latest version is that you have to configure VRRP _from scratch_, not just upgrade the router. That's why Sam got negative result. Eugene Yeah, I upgraded from 2.9.7 and the interface assigned to the VRRP Virtual ID were all messed up. When I tried to delete all VRRP informatio...

IntraLink

Do we have to rebuild the VRRP definitions after upgrading to 2.9.24? Everything seems ok, but I don't think it's working. WinBox shows the M for master on the master box and the B for backup on the backup box, but shouldn't there be another indicator that they are talking to each other (I forget wh...

IntraLink

I don’t think I ever saw this questioned answered for the latest releases of MT v 2.9.20-24: What is the actual mw output by the SR-2 and SR-5 Ubiquity cards in “default” power settings mode in the latest MT versions? Someone had calculated it before and posted a chart of actual output per dB readin...

IntraLink

The antenna is a passive gain so it wouldn't change.

The only loss would be in your connectors/splitters.

IntraLink

I may try to upgrade some of our routers that are using VRRP this weekend and we'll see how it goes.

Any advice for upgrading VRRP enabled routers from version 2.9.7?

We use RSTP too. Did someone find out if that is enabled in this release or schedule for a future release?

IntraLink

Well, our Prism cards are PCMCIA so we would have had to keep them in our older RB230 units. Instead we replaced the apparently faulty SR-2 cards with some EM9 cards we had lying around from Mikrotik. Now the signals are very good and stable. No magical signal levels in the positive 100's and no reb...

IntraLink

How would that violate FCC regulations? The problem you might have with using one antenna is if the send of the first card in the box gets picked up on the receive of the other card in the box (dual). It's probably not going to kill it, but may desense it over time given the signal strength. I'm pre...

IntraLink

Nevermind, I found the solution by modifying this script posted a while ago:

http://forum.mikrotik.com//viewtopic.php?p=37553#37553

IntraLink

Thanks man, I used your script to reset my problematic wireless connection every 30 minutes until I can drive up the mountian and fix it.

IntraLink

Need to disable and re-enable wireless interface named NORTH every 30 minutes because of a problem we are having.

Would be good if the interface was disable for maybe 10 seconds before re-enabling.

Thanks for your help!

IntraLink

I think I have a bad batch of SR-2 cards then. This is happening on almost an hourly basis now. It happens in RB500, RB230, MT versions 2.9.23 and 2.9.7. Tried several different settings on these cards and this still happens and one card just seems to be fried because the power levels are low. I'm s...

IntraLink

Cool, that is what I was looking for, thanks!

IntraLink

I think it was that I was using a dollar sign $ in the comment and it didn't like that. Although I can use a dollar sign from the Winbox GUI.

IntraLink

I'm sure this is easier than it looks, but what is the command/script that will find an IP in the NAT rules and delete the rule?

Say I have a dst-nat rule for 10.20.20.24 set up and I want to delete that rule by searching for that IP, how is that done?

IntraLink

I'm trying to use comment with the addition of a NAT rule and the format says comment (text).

I tried comment='something like this' and comment="something like this" and both failed.

What is the format for the comment?

IntraLink

Default tx-power 802.11b disabled calibration

IntraLink

Is this a bug in MT or with SR-2 card where after a few minutes or hour all of the client signal levels report in the positive 100's and they can't pass traffic?

I've seen this before but can't remember what the cause was.
This is MT 2.9.23 on RB500 series with one SR-2 card.

Any ideas?

IntraLink

I like the idea of plugging in two managed switches, one each to a MT machine. But the real issue is what clients have in their ARP cache. So if they can create a virtual MAC then all of the problems disappear, right? Or does the switch freak out if the MAC suddenly appears on another port? I would ...

IntraLink

Would it be possible to make Winbox remember which monitor and full-screen settings it had?

I have multiple monitors on my desk and when I open winbox it defaults to the main monitor and forgets that I had it maximized.

No big deal, just wondering if some day this would be included...

IntraLink

It sounds like his subnet is being scanned and the router is looking for the MACs of IPs that aren't being used.

John

I think this might be the case.
So if something is scanning the subnet the router will try to resolve addresses continously for the duration of the scan. Is that what happens?

IntraLink

I think you misunderstand my request. Why would slowing down the ARP requests from the MT break my network? I'm not talking about REMOVING dynamic ARP, just slowing it down. All it would do is take longer for changes in the ARP table to update. Which means a change in the IP scheme might take longer...

IntraLink

My MT router is sending out like 30 arp requests a second for my 6 subnets. That's WAY too much.

Is there a parameter I can tell it in general to send out ARP broadcasts slower than that?

IntraLink

I like your fake DHCP for 127.0.0.0! LOL

I thought about putting a rule in for the 192.168.0.0/24 network, but even though it's listing that as a source, these are broadcast ICMP packets. So I don't think an IP rule is going to catch that.

IntraLink

What would I consider: 1. Help these users config their routers and hosts. 2. Try to see a patternt in most of the packets and drop the packets by this pattern. 3. Disconnect users that damage the network and tell them "fix your sh*t and you're back online" note: I would consider these, n...

IntraLink

Here is an example of what the packets look like: 0000 ff ff ff ff ff ff 00 0f b5 a4 cb 23 08 00 45 00 ........ ...#..E. 0010 00 3c 3e c3 00 00 06 01 b4 58 c0 a8 00 fe 00 00 .<>..... .X...... 0020 00 00 03 02 a9 d1 00 00 00 00 46 00 00 28 3e c3 ........ ..F..(>. 0030 00 00 01 02 05 f7 00 00 00 00 e0...

IntraLink

I've got a handfull of users crappy routers spewing ICMP Destination Unreachable packets all over the place. Is there a way in MT to just kill these all together? The only thing helping keep this under control is my managed switch storm packet settings. But they have a minimum threshold that is too ...

IntraLink

That was the information I was looking for.

Looks like we are going to look elsewhere as we are already at 350Mbps.
We need one interface to be able to do at least twice that full duplex.

Still, it is impressive that it can do 350Mbps for that price.

IntraLink

That platform does sound very nice! We are located in the United States (Utah) though. Have you ever linked up a couple of these boxes and run TCP Bandwidth tests from one or two machines connected through them on either side? That would be a good test I think of how much total traffic systems like ...

IntraLink

Thanks for the info.

About how much are those boxes?
Does MT support the 2 line LED display on those boxes (not that it's important, but it would be cool!)

Does anyone know if MT works on AMD 64 bit processors?

IntraLink

We've got a routing situation where we need to route multi-100Mbps traffic. Anyone doing this? We are currently pushing 350Mbps peak and our Alteon and Cisco are giving us problems (needing reboots and failing to handle massive DOS attacks etc). I've been pleased with the 100Mbps routing of Mikrotik...

IntraLink

There are a lot of operators including ourselves using 5Ghz PtMP. Really not much different than 2.4Ghz PtMP. Other than the usual fresnal and propagation properties differences between the bands, they operate similarly. Distance is about the same here because they are both limited to 36dB EIRP in t...

IntraLink

If most of the traffic is flowing in one direction and you are trying to get 4x6Mbps off an AP that might just be ok. You will definately have to ask around a lot to find someone who has actually pushed 6Mbps per client consistantly from 4 simultanious sources. I've never done it, but in theory its ...

IntraLink

The difference between b ang g modes is modulation and receive sensitivity (and sometimes power levels). G is not a good choice for folliage. It is OFDM modulation which is better for inter-city connections with possible reflections off of metal buildings. More power might push through the trees, bu...

IntraLink

Here is a web page I use often to calculate distance and power. It won't help you much with NLOS though. http://www.zytrax.com/tech/wireless/calc.htm The only way to determine NLOS connection is to do a site survey with actual equipment I've found. You might want to make sure the power you are givin...

IntraLink

I've heard several times to prioritize Voice type traffic by setting the TOS in mikrotik to 184 I think. But in winbox it has a drop down box for either 1 or 8 etc. not 184. What am I missing? And is this the correct solution for VoIP? Does this work if I set up the rule on an AP which has the ether...

IntraLink

I think what the person is trying to do is something like turning off "Default Forwarding" for a wireless interface, except between TWO wireless interfaces.

I was pretty sure a VLAN could do that, but am unsure what that would look like if the interfaces were bridged.

IntraLink

DirectWireless, do you have a visio or any type of drawing of your setup?
I'm having a hard time visualizing what you are doing, but it sounds very much like what we want to deploy.

IntraLink

Yeah, I'm seeing similar problems: Disconnected, Reassociating, Connected over and over again on the same clients. So what you are saying is I should remove the wireless package on my production AP, ftp the wireless legacy 2.9.7 package to my 2.9.6 Routerboard 230 and then reboot? How do I remove ju...

IntraLink

I thought I could just connect three managed switches running STP in a ring with any wireless connection in between.

Then when I actually plugged in the link to finish the MAN ring it killed my network and I had IP conflicts all over the place.

Do the wireless links have to be STP too??

IntraLink

I'm going to have to implement this too.

I'm guessing the configuration would be like a web proxy forward per IP.

So all web related traffic/ports would get dest-nat to the proxy.

IntraLink

I believe you need to assign the SAME IP to both the external and internal interface and then enable proxy-arp on the outside interface. If you are not bridged layer two internally then you probably need to proxy-arp the internal interface as well. Let us know if that works for you, or what is happe...

IntraLink

I think whatever interface you enable proxy-arp on is going to reply to ARPs for all IP's on all subnets assigned to that interface. Maybe that is your problem? I guess you should isolate one interface only facing your providor and assign it one of the public IP's only and enable proxy-arp. That way...

IntraLink

You're not maquerading on this link as well, are you?

IntraLink

Okay, I didn't know you could filter by URL with the web proxy.

Not quite as good as Dans Guardian, but should be able to implement Utah's new (and obnoxious) legislation requiring ISP's to implement their filter list upon customer request.

IntraLink

.NET, C++, doesn't matter much to me. This is the response I got from John: We don't have enough resources at the time to support this. We will consider this in the future. John So, I guess that leaves us with hacking it out or waiting for them to provide something. I guess the minqwm10.dll that com...

IntraLink

Hmm... I guess we could make a go without the encryption and set the end MT to no password or no user authentication. It really would help if they would release a library at the least. That way they can keep their stuff to themselves, but allow us to use the mechanism. Have you done a trace to figur...

IntraLink

I doubt this is possible, but I wonder if there is a way to run Dansguardian on MT? I would love to see some sort of content filtering option available for a MT box running on normal PC hardware. As I understand it right now the MT box can do transparent proxy with Squid. Is squid loaded on the MT b...

IntraLink

True. I've written a program to test bandwidth before. I would rather make have their code or a library as reference for the sake of compatibility. But if necessary we could reverse engineer it. Here is what I would like to see this used for: Have a client service which could on demand do a quick se...

IntraLink

I guess we don't even really need the source code, just a DLL with an API or .NET package etc.

I've emailed Janis about this, but not received a reply.
I think I'll email Arnis and see if he'll reply.

IntraLink

I would like to start a project buliding a Windows client taskbar program that would be able to communicate with the btest server in MT.

Does MT have that code/protocol somewhere?

Anyone want to work on this with me?

I'm planning on using the .NET platform in Windows to start with.

IntraLink

What, you don't live on this forum 24/7?!? :)

Thanks for the response.

In my case, do I enable proxy arp on my external interface then?

IntraLink

This forum is not the hotspot of information it should be.

So nobody here knows anything about proxy-arp?

IntraLink

Found this article that explains a few things, but the questions still remain about how this works with MT and how to set it up:

http://leaf.sourceforge.net/doc/howto/proxyarp.html

IntraLink

This was discussed before, but I’m still confused: I’ve got public IP’s running through my MT box over a bridged Ethernet interface. Since all of my client public assignments are using a MT assigned IP as their gateway I could just use proxy arp on one interface right? Couldn’t I remove the bridge a...

IntraLink

When we got training from Butch Evans it covered a lot of this material and I'm "certified", but I don't have time to engineer everything and test it before deploying it. I would gladly split the costs with you if you find someone to do this. You could try to contact Butch through butche (...

IntraLink

I am thinking FreeRadius. I think it will run on Windows?

Is it possible to chain RADIUS requests?
Like query one RADIUS server and then another RADIUS server in a list or in a series maybe?

Seems like that would be useful for a wide area hotspot or hotspot/roaming model.

IntraLink

We want to start AAA stuff with RADIUS and our MT routers and AP's.

What are you all using for RADIUS these days? Would prefer it run on Windows since the rest of our systems are running on Windows.

I'm thinking FreeRadius would be good.

IntraLink

Is there going to be a version that has 300mw or higher in the drop down box?

IntraLink

We installed a DemarcTech 300mw Prism 2.4Ghz card into a Routerboard the other day to test.

The drop down box for power only goes up to 200mw.

When will this be fixed, and what is the expected behaviour?

IntraLink

I'm still looking for any comments on this.

Anyone out there have a 2.4Ghz MT AP deployment that would like to compare experiences with signal strength?

We have since upgraded to 2.8.21 on these AP's. Nothing really changed with the upgrade though.

IntraLink

When I upgrade via ftp I usually upload the system package, reboot and then upload all of the utility packages. I think with this method I lose the settings, like the wireless configuration etc, right? Can I just upload the system and all of the utility packages at once and expect it to upgrade ever...

IntraLink

We've got signal strength readings anywhere from -28 to -74 as shown by the MT AP 2.8.17. Obviously the lower (-28) the better. But is there a known range that I should be targeting? In other words, when can the signal be too low (overpowering the AP) and when is it too high for it to be a solid con...

IntraLink

it is far more simple!! in wireless ap setting set `default-forwarding=no` and the clients will not be able to talk to eachother Okay, that is the first part of what I was looking for! Now, is there a way to make an exception to this rule for a couple of clients on that interface (probably not I'm ...

IntraLink

Because I'm combining two previously seperate AP's into one MT unit with two wireless interfaces that both have clients on the same subnet. If the interfaces are bridged, is there anyway to keep them from talking to each other (or clients from talking to each other on the same AP aka Intracell commu...

IntraLink

I set up the same masquerade for the 10.0.0.0/24 network on my MT box with two interfaces. The masq would only work for one interface at a time.

Is this a bug? Version 2.8.17.

IntraLink

I switched to MT for my AP's and just realized I can't find a Fragmentation threshold on the AP in the wireless settings!

All of my client units are using a threshold of 2048 instead of the default (2367 or whatever).

How do I change this setting in the AP to match my clients (SB AirBridge Totals)?

IntraLink

Awesome, thanks!

Now what is the best way to make my bridging redundant?

What would happen if I take two MT boxes, both bridging the same network segment? Does this create some sort of bridge loop if there is just a non-managed switch on one side of the bridge?

IntraLink

I didn't find a guide or much on the internet about this topic so thought I would try here: How would I set up two identical Mikrotik boxes to make them redundant? I have a few interfaces, one is bridged and another NATed. Is there a way to assign the SAME IP to two MT boxes as the gateway for the N...

Search found 113 matches