MikroTik + HFS "speed limited"

yahoo876 · Thu Mar 17, 2011 3:17 pm

i am new to mikrotik, I have a pc mikrotik server with hotspot and DHCP server config. the problem is that i have a local HFS server and when user connects to it i got the src ip as Mikrotik server ip "192.168.0.254" and the speed is limited as specified in the user profile. what should i do to prevent the request from passing through the mikrotik server and use direct connection between the user pc and the HFS server.

fewi · Thu Mar 17, 2011 3:21 pm

Post a network diagram, please, with specific emphasis on how the server and clients connect to the router, and the IP addresses of a client and the server.

Also post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export".

yahoo876 · Thu Mar 17, 2011 3:54 pm

/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=lan actual-interface=lan 
 1 D address=192.168.1.10/24 network=192.168.1.0 broadcast=192.168.1.255 interface=wan actual-interface=wan

/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 0 ADS  dst-address=0.0.0.0/0 gateway=192.168.1.1 interface=wan gateway-state=reachable distance=0 scope=30 target-scope=10 

 1 ADC  dst-address=192.168.0.0/24 pref-src=192.168.0.254 interface=lan distance=0 scope=10 

 2 ADC  dst-address=192.168.1.0/24 pref-src=192.168.1.10 interface=wan distance=0 scope=10

/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                                                                                                        TYPE             MTU   L2MTU
 0  R  wan                                                                                                                         ether            1500 
 1  R  lan

/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
    udp-timeout=10s

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no

image.jpg

fewi · Thu Mar 17, 2011 3:58 pm

Thanks!

If the client connected to that AP is referring to the HFS server as 192.168.0.18 that is straight up impossible. On TCP/IP networks hosts on the same broadcast domain talk directly and do not involve any routers.

How do clients get to the server? Do they refer to it by IP address, or by name? Does it work as intended by IP address? What does the name resolve to, and how is the name resolved?

yahoo876 · Thu Mar 17, 2011 4:04 pm

user connects using the ip address

http://192.168.0.18

but on the HFS server the connection shows the request source is 192.168.0.254 which is the "mikrotik ip"

the users ip is 192.168.0.x
and the HFS is 192.168.0.18

fewi · Thu Mar 17, 2011 4:15 pm

Given your network diagram (user connects to an AP, AP connects to a switch, server and router also connect to switch) I don't see how that can be true. If you have a client, e.g. 192.168.0.100/24, and he wants to talk to 192.168.0.18/24, he talks directly to the server. The router is not involved. That must be true, because it is how TCP/IP works.
If the router is for some reason seeing the traffic (and is NATing it to itself because of a masquerade rule you have configured that is too broad in its definition) then the client is not directly talking to 192.168.0.18. Figure out why, and make the client request 192.168.0.18.

yahoo876 · Thu Mar 17, 2011 4:21 pm

what you have said is 100% true, but this is the case. i don't know why is this happening !! i got a proxy id in the request heade , although the http proxy is disabled !!

Beone · Thu Mar 17, 2011 4:28 pm

i got a proxy id in the request heade , although the http proxy is disabled !!

Also in the client's browser settings?

ojeysky · Tue May 31, 2011 9:24 pm

user connects using the ip address
Code: Select all
http://192.168.0.18
but on the HFS server the connection shows the request source is 192.168.0.254 which is the "mikrotik ip"

the users ip is 192.168.0.x
and the HFS is 192.168.0.18

I am experiencing this too, and i have looked around and still can't figure out why this is happening. I observe this started from V4.12. So i will like to hear how you got around this. Thanks

fewi · Tue May 31, 2011 9:27 pm

Maybe the Hotspot is ARP poisoning the network because of a Universal NAT address pool.

Do you have an address pool configured under the "/ip hotspot" instance tied to the interface you're experiencing this on? If yes, try setting it to 'none', flush the ARP caches of the clients you're testing with (when in doubt reboot them) and then try again.

ojeysky · Tue May 31, 2011 9:35 pm

Maybe the Hotspot is ARP poisoning the network because of a Universal NAT address pool.

Do you have an address pool configured under the "/ip hotspot" instance tied to the interface you're experiencing this on? If yes, try setting it to 'none', flush the ARP caches of the clients you're testing with (when in doubt reboot them) and then try again.

Thanks for the prompt reply, yeah i have it set to none, but i am still experiencing the problem. I have 7 VLANs and it still show that the traffic is originating from the gateway of one of the VLANs.

This gateway subnet is not even under hotspot but the remaining 6Vlans are under hotspot. what else can i try?

Thanks

fewi · Tue May 31, 2011 9:37 pm

Is the server you're trying to access in the same broadcast domain as the clients accessing it, or is the traffic being routed between two networks?

ojeysky · Tue May 31, 2011 9:42 pm

Is the server you're trying to access in the same broadcast domain as the clients accessing it, or is the traffic being routed between two networks?

The server is on say VLAN2 with subnet 172.2.0.0/21 and gateway 172.2.0.1 (mikrotik ip)
I have 6 other Vlans on same mikrotik and all users from these different subnet that try to access to access the server(hfs) on vlan2 are reported with source 172.2.0.1.

NB: all the other 6 Vlans are on hotspot while the server vlan is not?

fewi · Tue May 31, 2011 9:45 pm

Your case is completely different from what the original poster experienced. He had same subnet traffic affected.

You just have a source NAT rule that is too broad and NATs traffic between all interfaces instead of just out to the Internet.

At a wild stab without seeing your config, first determine the name of the interface that connects you to the Internet. Let's assume it's called "WAN". Then find the rule in the src-nat chain that has an action of 'masquerade', edit it, and add 'out-interface=WAN'.

If you need further help with that post the output of "/ip address print detail", "/interface print detail", "/ip route print detail", and "/ip firewall nat export".

ojeysky · Tue May 31, 2011 9:57 pm

Your case is completely different from what the original poster experienced. He had same subnet traffic affected.

You just have a source NAT rule that is too broad and NATs traffic between all interfaces instead of just out to the Internet.

At a wild stab without seeing your config, first determine the name of the interface that connects you to the Internet. Let's assume it's called "WAN". Then find the rule in the src-nat chain that has an action of 'masquerade', edit it, and add 'out-interface=WAN'.

If you need further help with that post the output of "/ip address print detail", "/interface print detail", "/ip route print detail", and "/ip firewall nat export".

This is actually not different from what the other person raised, the only difference is i have Vlans. Even if i access the server from within the VLAN2 subnet it still report on the hfs that its from 172.2.0.1 which is the router gateway address. Out interface did not work either.

fewi · Tue May 31, 2011 10:06 pm

Please post the output of the commands I requested, and add "/interface ethernet print detail" and "/interface vlan print detail".

ojeysky · Tue May 31, 2011 10:43 pm

Please post the output of the commands I requested, and add "/interface ethernet print detail" and "/interface vlan print detail".

Hey it seems its working! but its quite starnge in that i usually don't have this problem when using V4.11. So i had to no specify out interface for each of the subnet and that did the trick! Now because i have multiple out interfaces, i may have to do for each of the subnets for other out interfaces.

Thanks

fewi · Tue May 31, 2011 10:45 pm

The NAT rules can usually be reduced to just one that covers all attached networks, and does to only for WAN traffic. It should look something like this:

/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade

The Hotspot wizards add all kinds of rules that reference the specific IP space, that can be simplified manually.

Also, just on a sidenote, 172.2.0.1/21 is not private IP space. You may run into problems with that further down the road.

ojeysky · Tue May 31, 2011 10:52 pm

The NAT rules can usually be reduced to just one that covers all attached networks, and does to only for WAN traffic. It should look something like this:
Code: Select all
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
The Hotspot wizards add all kinds of rules that reference the specific IP space, that can be simplified manually.

Also, just on a sidenote, 172.2.0.1/21 is not private IP space. You may run into problems with that further down the road.

Thats actually not a real ip, just typed something for illustration. Yeah i summarized it. Thanks

MasterTee · Sun Jun 19, 2011 6:14 am

you should change the ip of HFS sharing server from your subnet work to work fine like this

network have ip 50.60.70.0/24

HFS have ip 10.0.0.2

my computer ip is 50.60.70.100

and then add this rule to pass your traffic of sharing without authorithation


/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=10.0.0.2 \
    dst-port=80 protocol=tcp to-addresses=50.60.70.100 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=10.0.0.2 \
    dst-port=80 protocol=udp to-addresses=50.60.70.100 to-ports=80


/ip firewall mangle
add action=mark-packet chain=prerouting comment=ShareUpLoad disabled=no dst-port=80 \
    new-packet-mark=ShareUpLoad passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment=ShareDownLoad disabled=no \
    new-packet-mark=ShareDownLoad passthrough=no protocol=tcp src-port=80


/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=ShareUpLoad packet-mark=ShareUpLoad parent=global-in \
    priority=6 queue=ethernet-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
    max-limit=0 name=ShareDownLoad packet-mark=ShareDownLoad parent=\
    global-out priority=6 queue=ethernet-default

MikroTik + HFS "speed limited"

MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Re: MikroTik + HFS "speed limited"

Who is online