MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 3:17 pm
by yahoo876
I am new to MikroTik. I have a PC MikroTik server with hotspot and DHCP server config. The problem is that I have a local HFS server, and when a user connects to it I get the src IP as the MikroTik server IP "192.168.0.254" and the speed is limited as specified in the user profile. What should I do to prevent the request from passing through the MikroTik server and use a direct connection between the user PC and the HFS server?
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 3:21 pm
by fewi
Post a network diagram, please, with specific emphasis on how the server and clients connect to the router, and the IP addresses of a client and the server.
Also post the output of "/ip address print detail", "/ip route print detail", "/interface print", and "/ip firewall export".
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 3:54 pm
by yahoo876
/ip address print detail
Flags: X - disabled, I - invalid, D - dynamic
0 address=192.168.0.254/24 network=192.168.0.0 broadcast=192.168.0.255 interface=lan actual-interface=lan
1 D address=192.168.1.10/24 network=192.168.1.0 broadcast=192.168.1.255 interface=wan actual-interface=wan
/ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
0 ADS dst-address=0.0.0.0/0 gateway=192.168.1.1 interface=wan gateway-state=reachable distance=0 scope=30 target-scope=10
1 ADC dst-address=192.168.0.0/24 pref-src=192.168.0.254 interface=lan distance=0 scope=10
2 ADC dst-address=192.168.1.0/24 pref-src=192.168.1.10 interface=wan distance=0 scope=10
/interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE MTU L2MTU
0 R wan ether 1500
1 R lan
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s \
tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m \
udp-timeout=10s
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=wan
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 3:58 pm
by fewi
Thanks!
If the client connected to that AP is referring to the HFS server as 192.168.0.18 that is straight up impossible. On TCP/IP networks hosts on the same broadcast domain talk directly and do not involve any routers.
How do clients get to the server? Do they refer to it by IP address, or by name? Does it work as intended by IP address? What does the name resolve to, and how is the name resolved?
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 4:04 pm
by yahoo876
The user connects using the IP address,
but on the HFS server the connection shows the request source is 192.168.0.254, which is the "MikroTik IP".
The user's IP is 192.168.0.x
and the HFS is 192.168.0.18.
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 4:15 pm
by fewi
Given your network diagram (user connects to an AP, AP connects to a switch, server and router also connect to switch) I don't see how that can be true. If you have a client, e.g. 192.168.0.100/24, and he wants to talk to 192.168.0.18/24, he talks directly to the server. The router is not involved. That must be true, because it is how TCP/IP works.
If the router is for some reason seeing the traffic (and is NATing it to itself because of a masquerade rule you have configured that is too broad in its definition) then the client is not directly talking to 192.168.0.18. Figure out why, and make the client request 192.168.0.18.
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 4:21 pm
by yahoo876
What you have said is 100% true, but this is the case. I don't know why this is happening!! I got a proxy ID in the request header, although the HTTP proxy is disabled!!
Re: MikroTik + HFS "speed limited"
Posted: Thu Mar 17, 2011 4:28 pm
by Beone
I got a proxy ID in the request header, although the HTTP proxy is disabled!!
Also in the client's browser settings?
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:24 pm
by ojeysky
The user connects using the IP address,
but on the HFS server the connection shows the request source is 192.168.0.254, which is the "MikroTik IP".
The user's IP is 192.168.0.x
and the HFS is 192.168.0.18.
I am experiencing this too, and I have looked around and still can't figure out why this is happening. I observe this started from V4.12. So I would like to hear how you got around this. Thanks
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:27 pm
by fewi
Maybe the Hotspot is ARP poisoning the network because of a Universal NAT address pool.
Do you have an address pool configured under the "/ip hotspot" instance tied to the interface you're experiencing this on? If yes, try setting it to 'none', flush the ARP caches of the clients you're testing with (when in doubt reboot them) and then try again.
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:35 pm
by ojeysky
Maybe the Hotspot is ARP poisoning the network because of a Universal NAT address pool.
Do you have an address pool configured under the "/ip hotspot" instance tied to the interface you're experiencing this on? If yes, try setting it to 'none', flush the ARP caches of the clients you're testing with (when in doubt reboot them) and then try again.
Thanks for the prompt reply. Yeah, I have it set to none, but I am still experiencing the problem. I have 7 VLANs and it still shows that the traffic is originating from the gateway of one of the VLANs.
This gateway subnet is not even under hotspot, but the remaining 6 VLANs are under hotspot. What else can I try?
Thanks
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:37 pm
by fewi
Is the server you're trying to access in the same broadcast domain as the clients accessing it, or is the traffic being routed between two networks?
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:42 pm
by ojeysky
Is the server you're trying to access in the same broadcast domain as the clients accessing it, or is the traffic being routed between two networks?
The server is on, say, VLAN2 with subnet 172.2.0.0/21 and gateway 172.2.0.1 (MikroTik IP).
I have 6 other VLANs on the same MikroTik, and all users from these different subnets that try to access the server (HFS) on VLAN2 are reported with source 172.2.0.1.
NB: all the other 6 VLANs are on hotspot while the server VLAN is not.
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:45 pm
by fewi
Your case is completely different from what the original poster experienced. He had same subnet traffic affected.
You just have a source NAT rule that is too broad and NATs traffic between all interfaces instead of just out to the Internet.
At a wild stab without seeing your config, first determine the name of the interface that connects you to the Internet. Let's assume it's called "WAN". Then find the rule in the src-nat chain that has an action of 'masquerade', edit it, and add 'out-interface=WAN'.
If you need further help with that post the output of "/ip address print detail", "/interface print detail", "/ip route print detail", and "/ip firewall nat export".
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 9:57 pm
by ojeysky
Your case is completely different from what the original poster experienced. He had same subnet traffic affected.
You just have a source NAT rule that is too broad and NATs traffic between all interfaces instead of just out to the Internet.
At a wild stab without seeing your config, first determine the name of the interface that connects you to the Internet. Let's assume it's called "WAN". Then find the rule in the src-nat chain that has an action of 'masquerade', edit it, and add 'out-interface=WAN'.
If you need further help with that post the output of "/ip address print detail", "/interface print detail", "/ip route print detail", and "/ip firewall nat export".
This is actually not different from what the other person raised; the only difference is I have VLANs. Even if I access the server from within the VLAN2 subnet, it still reports on the HFS that it's from 172.2.0.1, which is the router gateway address. Out interface did not work either.
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 10:06 pm
by fewi
Please post the output of the commands I requested, and add "/interface ethernet print detail" and "/interface vlan print detail".
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 10:43 pm
by ojeysky
Please post the output of the commands I requested, and add "/interface ethernet print detail" and "/interface vlan print detail".
Hey, it seems it's working! But it's quite strange in that I usually don't have this problem when using V4.11. So I had to now specify out interface for each of the subnets, and that did the trick! Now, because I have multiple out interfaces, I may have to do it for each of the subnets for the other out interfaces.
Thanks
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 10:45 pm
by fewi
The NAT rules can usually be reduced to just one that covers all attached networks, and does so only for WAN traffic. It should look something like this:
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
The Hotspot wizards add all kinds of rules that reference the specific IP space, that can be simplified manually.
Also, just on a sidenote, 172.2.0.1/21 is not private IP space. You may run into problems with that further down the road.
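Added example, not part of the post above or of MikroTik's tooling: a Python check that reads text in the style of "/ip firewall nat export" and reports enabled srcnat masquerade rules with no out-interface match, which is the over-broad rule described in this thread. The sample export and the function names are constructed for illustration.

```python
import re
import shlex

# Constructed sample in the style of "/ip firewall nat export" (not from the thread).
SAMPLE_EXPORT = r"""/ip firewall nat
add action=masquerade chain=srcnat comment="hotspot wizard" disabled=no \
    src-address=10.5.50.0/24
add action=masquerade chain=srcnat comment="" disabled=no out-interface=\
    WAN
add action=masquerade chain=srcnat disabled=yes
add action=dst-nat chain=dstnat dst-port=80 protocol=tcp to-addresses=10.5.50.2
"""

def parse_export(text):
    """Yield (menu, properties) for every 'add' line of an export."""
    # Exports wrap long lines with a trailing backslash, sometimes mid-value
    # ("out-interface=\" then "WAN"), so drop the backslash, the newline and
    # the indentation that follows before tokenising.
    text = re.sub(r"\\\n\s*", "", text)
    menu = None
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # keeps quoted comments in one token
            yield menu, dict(t.split("=", 1) for t in tokens if "=" in t)

def broad_masquerade_rules(text):
    """Return enabled srcnat masquerade rules that match every outgoing interface."""
    findings = []
    for menu, props in parse_export(text):
        if menu != "/ip firewall nat":
            continue
        if props.get("chain") != "srcnat" or props.get("action") != "masquerade":
            continue
        if props.get("disabled") == "yes":
            continue
        # Without an out-interface match the rule also rewrites LAN-to-LAN and
        # inter-VLAN traffic, so servers log the router's address as the source.
        if "out-interface" not in props and "out-interface-list" not in props:
            findings.append(props)
    return findings

if __name__ == "__main__":
    for rule in broad_masquerade_rules(SAMPLE_EXPORT):
        print("masquerade without out-interface:", rule)
```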
Re: MikroTik + HFS "speed limited"
Posted: Tue May 31, 2011 10:52 pm
by ojeysky
The NAT rules can usually be reduced to just one that covers all attached networks, and does so only for WAN traffic. It should look something like this:
/ip firewall nat add chain=srcnat out-interface=WAN action=masquerade
The Hotspot wizards add all kinds of rules that reference the specific IP space, that can be simplified manually.
Also, just on a sidenote, 172.2.0.1/21 is not private IP space. You may run into problems with that further down the road.
That's actually not a real IP, I just typed something for illustration. Yeah, I summarized it. Thanks
Re: MikroTik + HFS "speed limited"
Posted: Sun Jun 19, 2011 6:14 am
by MasterTee
You should change the IP of the HFS sharing server from your subnetwork for it to work fine, like this:
the network has IP 50.60.70.0/24
HFS has IP 10.0.0.2
my computer IP is 50.60.70.100
and then add this rule to pass your sharing traffic without authorization:
/ip firewall nat
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=10.0.0.2 \
dst-port=80 protocol=tcp to-addresses=50.60.70.100 to-ports=80
add action=dst-nat chain=dstnat comment="" disabled=no dst-address=10.0.0.2 \
dst-port=80 protocol=udp to-addresses=50.60.70.100 to-ports=80
/ip firewall mangle
add action=mark-packet chain=prerouting comment=ShareUpLoad disabled=no dst-port=80 \
new-packet-mark=ShareUpLoad passthrough=no protocol=tcp
add action=mark-packet chain=postrouting comment=ShareDownLoad disabled=no \
new-packet-mark=ShareDownLoad passthrough=no protocol=tcp src-port=80
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=ShareUpLoad packet-mark=ShareUpLoad parent=global-in \
priority=6 queue=ethernet-default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name=ShareDownLoad packet-mark=ShareDownLoad parent=\
global-out priority=6 queue=ethernet-default