chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Basic router setup

Thu Apr 28, 2005 8:06 pm

Greetings!

I'm a 22-year-old student from Slovenia. I volunteered to set up the network in our dorm. I found out about MikroTik a couple of hours ago, so I don't have any clue how to set up MikroTik OS. So I was hoping I could turn to you guys on the forum to help me out?

Here's the thing. We have one DSL connection and three buildings (all three filled with pissed students w/o an internet connection). We actually have a wireless network (a bunch of Linksys APs), but that's not the point right now.

Each building has its own (I don't know what it's called) subnet. Imagine that buildings have a lot of LAN switches inside:
- Building 1 - 192.168.0.xxx
- Building 2 - 192.168.1.xxx
- Building 3 - 192.168.2.xxx
... and I want each building to have its own gateway.

I think the scheme below is pretty much self explanatory.
Image

Now here are the main questions:
- can buildings see each other; will the windows sharing work between buildings; would ping 192.168.1.123 work if I was in "Building 1"; would UT2004 work ...
- How to limit user's connection speed; can I create a special group of users with different speed (punks: 128kbps; good students: 256kbps ... me 1024kbps) ?
- I read that RouterOS can limit P2P connections; is it possible to limit user's max. connections (only 100 ports can be opened by a single user at once)?
- Is it possible to set up a Radius server (for WiFi authentication) and how?

I already got the machine (I think it's) 1000MHz AMD, 128MB RAM, 4GB HDD and 5 (five) ethernet adapters. I downloaded the ISO and burned it on a CD.

If someone can help me and give me some basic instructions on how to set up the machine, I'd be very thankful!
 
maximan
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Thu Apr 28, 2005 8:24 pm

Please read the manual. In the how-tos there are a lot of examples that you can do.
Maxi
 
blue
Member Candidate
Posts: 271
Joined: Sun Dec 12, 2004 1:48 pm
Location: Serbia

Thu Apr 28, 2005 8:36 pm

First of all, I have to say hello to my neighbour from ex-Yugoslavia :)

If you have elementary knowledge of routing it shouldn't be so hard to set up MTK. Just follow the manual. And now some answers:

- you can ping each computer in the network (except if it is firewalled). Also there is no limit in playing UT2004, but the windows sharing and My Network Places is still a mystery to me because I have the same situation with different subnets.

- the limiting is very simple and it is explained in the manual under "simple queue"

- the limiting of P2P TCP packets is possible, but P2P UDP is a problem because UDP has no connections

- haven't played with radius :(

- that kind of machine (CPU) is more than enough. It is Linux based Router, not Microsoft :)
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Thu Apr 28, 2005 9:00 pm

Thanks maximan & blue. Blue, greetings to you too :)

When doing different subnets, do I have to change the subnet mask too? (16 bit / 255.255.0.0) ?

I'm not really that concerned about windows sharing. I'll probably set up an FTP server somewhere and collect money to buy a big HDD. Everyone that contributes will have access to the FTP :)

I'll try to figure out RouterOS somehow. I already know how to set up a DSL connection :) http://www.mikrotik.com/docs/ros/2.8/ho ... ent#12.2.3
I think that this example will help me break the ice.

Blue, we have to keep in touch. You have to tell me how things are doing back there.
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Thu Apr 28, 2005 11:51 pm

Not much to really add, other than RADIUS can do all that you have requested with regards to the bandwidth control. FreeRadius is really easy to set up with MT.

On a side note. Very nice graphic...
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 3:14 am

It's getting kind of late now, I'll try what I can tomorrow. I'll let you know how it turns out.
> On a side note. Very nice graphic...
That was made in Word in like 5 minutes. I'm actually a graphics designer, and I usually don't use Word for designing :)
 
dwright
Member Candidate
Posts: 158
Joined: Fri May 28, 2004 1:10 pm
Location: Mchenry, Il

Re: Basic router setup

Fri Apr 29, 2005 7:53 am

> Now here are the main questions:
> - can buildings see each other; will the windows sharing work between buildings;

Depends on the netmask you use. If you used a /22, which includes 4 class C's, then yes. But then you would have to add a bridge and bridge all the buildings into one big network, which can be a mess. I would stick to your IP address scheme but use /24, which is just a single class C per building.

> If someone can help me and give me some basic instructions on how to set up the machine, I'd be very thankful!

I can configure the basics for you remotely if you got the router online; I can even throw in some useful firewall rules. Let me know.

D~
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 11:19 am

Ok, I've established a PPPoE connection. That means I'm having no troubles with username and password.

But there's this other problem. I can't get the IP from my ISP. What am I doing wrong?

Here's what I did:
- /interface enable ether1,ether2...
- /interface pppoe-client add interface=ether1 user=xxxx password=yyyy disabled=no

It dialed, authorized and connected.

- /ip dhcp-client set enabled=yes interface=ether1

but lease print returns:
searching...

Am I missing something?
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Apr 29, 2005 11:48 am

Perhaps you have misunderstood PPPoE here: There should be no need to run DHCP on your WAN side - you get your IP address assigned by means of the PPPoE protocol. So your ISP won't be running a DHCP server on the WAN, and your DHCP client of course will not get anything (thus showing "searching"... constantly).

When the PPPoE connection is up, do a "/ip address print" to see if you have a dynamically assigned IP address on your pppoe-out interface.
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 11:51 am

Whoops... :oops: yeah, I got the IP, alright. Thanks!

Let's see. What are the next steps:
- try to ping something
- route to ether2, ether3, ether4
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 12:16 pm

I really don't get how this thing works.

dwright: your help would be really appreciated. If you could configure the machine remotely, be my guest. I can give you my current IP and administrator password.

Here's my email address: klemen.verdnik@gmail.com

I hope we can put this thing up today.
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Apr 29, 2005 12:31 pm

If you get along with dwright, I'd expect everything's running shortly. If not or he's got no time, feel free to post additional questions.
 
sten
Forum Veteran
Posts: 923
Joined: Tue Jun 01, 2004 12:10 pm

Re: Basic router setup

Fri Apr 29, 2005 12:48 pm

> I already got the machine (I think it's) 1000MHz AMD, 128MB RAM, 4GB HDD and 5 (five) ethernet adapters. I downloaded the ISO and burned it on a CD.

What kind of ethernet cards? You might want to add 128 MB more of RAM if you run into problems with the firewall state table overflowing.
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 12:56 pm

What do I have to do now?

- I assigned IP addresses to each ethernet adapter.

ip address add address 192.168.0.1/16 interface=ether2
...
0 D xxx.xxx.x.x ADSL
1 192.168.0.1/16 192.168.0.0 192.168.255.255 ether2
2 192.168.0.1/16 192.168.0.0 192.168.255.255 ether3
3 192.168.0.1/16 192.168.0.0 192.168.255.255 ether4
4 192.168.0.1/16 192.168.0.0 192.168.255.255 ether5
I don't know if I did this right or not.

- Then I added a gateway route entry:

ip route add gateway=<ip address I got from ADSL ISP>

And pinging worked. It pinged 164.8.10.10 with 30ms

I don't think I'm going anywhere with this. So I'd really like it if someone would give me a hand with this.

What's the next step I need to do? Would someone explain it to me and then give me the instructions?
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Apr 29, 2005 1:08 pm

Some hints in the right direction:

- You can't assign the same IP to different interfaces. Also, you can't assign (even different) IPs from the same subnet to different interfaces.

Your setup should be like this (rough setup, no firewalling, no queueing, just to get you up and running!):

Don't set a default gateway manually (remove it!), just set the parameters "use-peer-dns" and "add-default-route" for your pppoe-client interface to "yes". This will assign correct values during PPPoE session handshake.

Assign the following IPs
/ip address add address=192.168.0.1/24 interface=ether2
/ip address add address=192.168.1.1/24 interface=ether3
/ip address add address=192.168.2.1/24 interface=ether4
(according to your picture, and do remove the IPs you assigned as stated in your last post, i.e. the 192.168.0.1 on ether2-5!)

Add a masquerading rule for traffic going out your ADSL connection:
/ip firewall src-nat add out-interface=ADSL action=masquerade
Allow DNS requests to your MikroTik:
/ip dns set allow-remote-requests=yes
How do you want to assign IPs to the clients in the buildings? Static, DHCP, PPPoE? In any case they should get an IP address from their appropriate subnet, and use the ip address of "their" interface in your MikroTik as default gateway and DNS server address.

This should give you a basically operating system. Remember: No firewall security (even for connections to your MikroTik from the internet), no queuing/bandwidth shaping etc. with this config.

Let us know how you are getting on with this...
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 1:50 pm

Thanks cmit. It works! Internet works like a charm. I can even ping other users from 192.168.0.177 to 192.168.1.10, with 1ms :lol:

- How do I set up a DHCP server, so users would get their IP automatically? Let's say from 192.168.0.100 to 192.168.0.254 for each etherX.
- And what are the basic firewall settings - so there won't be any intrusions on our system.

I'll try to figure out the bandwidth limit myself - if not, I know who to turn to :wink:
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Fri Apr 29, 2005 2:12 pm

> - How do I set up a DHCP server, so users would get their IP automatically? Let's say from 192.168.0.100 to 192.168.0.254 for each etherX.

Try:
/ip pool add name=ether2pool ranges=192.168.0.100-192.168.0.254
/ip pool add name=ether3pool ranges=192.168.1.100-192.168.1.254
/ip pool add name=ether4pool ranges=192.168.2.100-192.168.2.254
/ip dhcp-server add name=ether2dhcp address-pool=ether2pool disabled=no interface=ether2
/ip dhcp-server add name=ether3dhcp address-pool=ether3pool disabled=no interface=ether3
/ip dhcp-server add name=ether4dhcp address-pool=ether4pool disabled=no interface=ether4

> - And what are the basic firewall settings - so there won't be any intrusions on our system.

You could start by setting the address parameter for all services under "/ip service" to a single address (like 192.168.0.10/32) or a subnet (like 192.168.0.0/24) from your internal address space. So you can only access your MikroTik from this address or subnet. Apart from that you should do some firewall filtering in the input chain, which is documented in some how-tos in the docs: http://www.mikrotik.com/docs/ros/2.8/howto/howto
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 2:56 pm

How can you pass DNS and gateway settings to users when they are getting the assigned IP?

And when I turn on "Obtain an IP address automatically" in WinXP, it doesn't work (first screenshot). But when I manually set the IP address, gateway and DNS settings, it works (second screenshot).

Image Image

Here is the configuration i have to set manually:
IP: 192.168.0.177
SM: 255.255.255.0
GW: 192.168.0.1
DNS1: 193.189.160.11 or 164.8.10.10
DNS2: 193.189.160.12 or 164.8.100.100

The weird thing is, if I leave the subnet mask on 255.255.255.0, I can ping other IPs (from 192.168.0.177 to 192.168.1.10). But if I change the subnet mask setting to 255.255.0.0 I can't even reach them. And I saw that the DHCP server configures my subnet mask to 255.255.0.0

Can this problem be solved?

Thanks again for the help.
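
cmit's rule that no two router interfaces may sit in the same subnet, and the 255.255.0.0 symptom described in the post above, worked through as an added example (not part of the thread). The interface names and addresses are the ones quoted in the thread; the function names and the DHCP offer in the last call are assumptions made for the illustration.

```python
import ipaddress
from itertools import combinations

# Constructed from the addresses quoted in the thread.
BROKEN = {"ether2": "192.168.0.1/16", "ether3": "192.168.0.1/16",
          "ether4": "192.168.0.1/16"}
FIXED = {"ether2": "192.168.0.1/24", "ether3": "192.168.1.1/24",
         "ether4": "192.168.2.1/24"}


def overlapping_interfaces(assignments):
    """Return sorted pairs of interfaces whose connected networks overlap."""
    nets = {name: ipaddress.ip_interface(addr).network
            for name, addr in assignments.items()}
    return [(a, b) for a, b in combinations(sorted(nets), 2)
            if nets[a].overlaps(nets[b])]


def next_hop(client_ip, netmask, gateway, destination):
    """Model the client's forwarding decision for one destination.

    ('on-link', dst): the client ARPs for dst on its own segment.
    ('gateway', gw):  the client hands the packet to the router.
    """
    local = ipaddress.ip_interface(f"{client_ip}/{netmask}").network
    if ipaddress.ip_address(destination) in local:
        return ("on-link", destination)
    return ("gateway", gateway)


def mask_mismatches(assignments, offered):
    """List interfaces where the DHCP-offered netmask differs from the
    prefix configured on the router interface."""
    bad = []
    for name, addr in sorted(assignments.items()):
        want = str(ipaddress.ip_interface(addr).netmask)
        if offered.get(name, want) != want:
            bad.append((name, offered[name], want))
    return bad


if __name__ == "__main__":
    print("broken plan overlaps:", overlapping_interfaces(BROKEN))
    print("fixed plan overlaps: ", overlapping_interfaces(FIXED))
    for mask in ("255.255.255.0", "255.255.0.0"):
        print(mask, "->", next_hop("192.168.0.177", mask,
                                   "192.168.0.1", "192.168.1.10"))
    # Hypothetical DHCP offer: ether2 still hands out the old /16 mask.
    print(mask_mismatches(FIXED, {"ether2": "255.255.0.0"}))
```

With the /16 mask the client treats 192.168.1.10 as on-link and ARPs for it on its own segment, where nothing answers; with /24 the packet goes to 192.168.0.1 and the router forwards it.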
 
Eugene
Forum Veteran
Posts: 986
Joined: Mon May 31, 2004 5:06 pm
Location: Cranfield, UK

Fri Apr 29, 2005 3:33 pm

You should configure DNS resolution under /ip dns
/ip dns set primary-dns=<DNS server address>
For GW setting, read the following:
http://www.mikrotik.com/docs/ros/2.8/ip ... 0305841063
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Fri Apr 29, 2005 7:20 pm

Finally. I configured the router the way I wanted, but there are still some features I wish RouterOS would have.

It's probably not possible, but I'll ask anyway: is it possible to disconnect someone with a specific MAC address? There are a couple of students trying to piss me off. They are manually configuring their IP addresses to ones where the wireless routers should be - causing IP conflicts.

Some wireless routers have this feature which gives a user a specific IP address - by looking at his MAC address.

The router would allow a person to use only his own IP. This would be my dream come true, if RouterOS had this feature.
 
pedja
Long time Member
Posts: 684
Joined: Sat Feb 26, 2005 5:37 am

Fri Apr 29, 2005 7:30 pm

If you make a static record in the ARP table assigning a specific IP to a specific MAC, then that user will not be able to use any other IP. You also have to set DNS to lease static IP to that user. Look at DHCP / LEASES

I can't wait until you start setting traffic shaping. The manual is very uninformative and most of the questions about QoS are responded to with "look at the manual". Since they started responding to you for these novice questions I hope they will continue in the same manner when you start with QoS, so others could learn something too :)
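
A detection-side companion to the static IP-to-MAC binding described in the post above, as an added example that is not part of the thread: it compares observed ARP entries against the intended bindings and reports the conflicts chipxsd describes. The record layout, the finding labels and every MAC address are constructed for the illustration and are not RouterOS output.

```python
# Constructed sample data: every MAC address below is made up.
BINDINGS = {                      # IP -> the only MAC allowed to use it
    "192.168.0.2": "00:0c:41:aa:00:01",    # hypothetical wireless router
    "192.168.0.177": "00:11:22:33:44:55",  # hypothetical student PC
}
OBSERVED = [                      # (interface, ip, mac) from ARP snapshots
    ("ether2", "192.168.0.2", "00:0C:41:AA:00:01"),
    ("ether2", "192.168.0.177", "00:11:22:33:44:55"),
    ("ether2", "192.168.0.2", "00-11-22-33-44-55"),
    ("ether2", "192.168.0.120", "00:16:17:00:00:09"),
    ("ether2", "192.168.0.120", "00:16:17:00:00:0a"),
    ("ether2", "192.168.0.130", "00:11:22:33:44:55"),
]


def normalise(mac):
    """Lower-case a MAC and use ':' separators so comparisons are exact."""
    return mac.strip().lower().replace("-", ":")


def audit_arp(bindings, observed):
    """Return findings as (kind, interface, ip, mac, bound_ip_of_mac).

    reserved-ip-claimed   : a bound IP answered from the wrong MAC
    bound-mac-on-other-ip : a bound MAC is using an IP it was not given
    duplicate-ip          : an unbound IP seen with two different MACs
    """
    ip_to_mac = {ip: normalise(mac) for ip, mac in bindings.items()}
    mac_to_ip = {mac: ip for ip, mac in ip_to_mac.items()}
    first_seen = {}               # unbound IP -> first MAC observed
    findings = []
    for ifname, ip, mac in observed:
        mac = normalise(mac)
        owner = ip_to_mac.get(ip)
        if owner is not None:
            if mac != owner:
                findings.append(("reserved-ip-claimed", ifname, ip, mac,
                                 mac_to_ip.get(mac)))
        elif mac in mac_to_ip:
            findings.append(("bound-mac-on-other-ip", ifname, ip, mac,
                             mac_to_ip[mac]))
        elif first_seen.setdefault(ip, mac) != mac:
            findings.append(("duplicate-ip", ifname, ip, mac, None))
    return findings


if __name__ == "__main__":
    for finding in audit_arp(BINDINGS, OBSERVED):
        print(finding)
```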
 
daiceman
Frequent Visitor
Posts: 92
Joined: Tue Mar 01, 2005 9:43 pm

Fri Apr 29, 2005 9:58 pm

> If you make a static record in the ARP table assigning a specific IP to a specific MAC, then that user will not be able to use any other IP. You also have to set DNS to lease static IP to that user. Look at DHCP / LEASES
>
> I can't wait until you start setting traffic shaping. The manual is very uninformative and most of the questions about QoS are responded to with "look at the manual". Since they started responding to you for these novice questions I hope they will continue in the same manner when you start with QoS, so others could learn something too :)

AMEN Brother!!!
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Tue May 03, 2005 7:21 pm

OK, I bought the license now (finally)

And again with the novice questions.
- how do you back up your whole system
- how do you set a bandwidth limit for users (let's say 192.168.0.100-192.168.0.254 each have 256k / 256k - on pppoe-out interface)
- I set up a firewall rule (forward), all TCP connections have a 10 connection limit on interface pppoe-out - does that mean that each user has a 10 connection limit?

More questions coming up :)

Thank you again for the help.

PS: didn't know MikroTik could solve so many problems (and cure my headaches), best routing application ever - worth every buck :)
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Wed May 04, 2005 4:59 pm

A million dollar question.

How do you limit each and everyone's bandwidth to 256kbit / 128kbit. That would mean, if there were 4 users - all uploading and downloading at the same time, final bandwidth would be 1024kbit / 512kbit.

I see that a lot of users have hundreds of connections opened on port 4672 and somewhere around that. I think this is slowing down our connection a lot - how do I avoid that?

Can someone explain this to me, and provide me with solutions?
 
cmit
Forum Guru
Posts: 1547
Joined: Fri May 28, 2004 12:49 pm
Location: Germany

Wed May 04, 2005 5:13 pm

> A million dollar question.
>
> How do you limit each and everyone's bandwidth to 256kbit / 128kbit. That would mean, if there were 4 users - all uploading and downloading at the same time, final bandwidth would be 1024kbit / 512kbit.

You'll be happy when using PCQ for this - there is an example in the manual at http://www.mikrotik.com/docs/ros/2.8/ro ... e#6.54.7.5.
Where should I send my bank details for the transfer of the one million dollars? ;)

> I see that a lot of users have hundreds of connections opened on port 4672 and somewhere around that. I think this is slowing down our connection a lot - how do I avoid that?

From memory that sounds like an eMule (peer-to-peer) port. You can limit this via the peer-to-peer-filtering and/or connection limiting features in RouterOS. Please have a look at the manual or search the forum - this has been described several times, and I'm a bit short on time right now...
 
chipxsd
newbie
Topic Author
Posts: 41
Joined: Thu Apr 28, 2005 7:34 pm
Location: San Francisco

Wed May 11, 2005 1:55 pm

What could be the problem? Some of the pages, like http://www.hotmail.com, won't load. I tried with IE, Firefox, even in Linux. I only get the status message: waiting for reply.
It happens even if I disable all the rules in firewall settings.

But if I use a proxy (one from this list: http://www.samair.ru/proxy/), all pages load just fine, but very slow. I noticed that yesterday it worked for about an hour, but then it stopped loading these pages.

Here are a couple of these sites:
http://www.hotmail.com
http://www.yahoo.com
http://www.najdi.si

It seems dynamic names are resolved OK, since I can ping those pages - except load them :(

Can someone help me on this one? I can give you my IP address and my MT login username/password, if it would help?
 
Trisc
Member Candidate
Posts: 242
Joined: Sat May 29, 2004 11:24 pm
Location: Glos, UK

Thu May 26, 2005 12:54 am

Sounds like an MTU problem - try reducing the MTU on your client to say 1420 - do a Google for DrTCP utility to do this

Trisc
