
The Mikrotik RouterOS config, tips and tricks thread

Comments

  • Closed Accounts Posts: 552 ✭✭✭smee again


    1. Try editing your 2nd NAT rule so it does not include a to-address
    /ip firewall nat
    add action=masquerade chain=srcnat comment=masquerade out-interface=ether1-gateway

    2. Are you sure it's listening on 8080? Can you get to it from the LAN on port 8080? Check /ip services that the router's web login isn't listening on port 8080


  • Registered Users Posts: 6 Mattie112


    Hi,

    Thanks for your reply. I totally forgot I changed the web interface of the router to 8080; this works now! However, the hairpin NAT still doesn't work. Do I need to add some firewall rules for it to work?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Mattie112 wrote: »
    Hi,

    Thanks for your reply. I totally forgot I changed the web interface of the router to 8080; this works now! However, the hairpin NAT still doesn't work. Do I need to add some firewall rules for it to work?

    No, it should just work as long as you have the destination NAT port-forward rules pointing to the same private IP. Try momentarily disabling the first NAT rule, sfp1-gateway; perhaps you could better explain what this is and why you are NATing to it.

    Also, a neat trick with these is to copy the hairpin NAT rule, change the action to log on this copied rule and place it just before the hairpin NAT rule. You will then get detailed logs as it happens, which may provide the info you need to fix it.


  • Registered Users Posts: 6 Mattie112


    The SFP is from the SFP interface (not used); the rule is already disabled (marked by an X). Thanks for the tip about logging, I will try to get some useful information!


  • Registered Users Posts: 6 Mattie112


    Unfortunately I don't get any information in the log. In my previous (consumer model) router I didn't need to do anything to have my external IP work from the inside. Do you have another tip? I now have #1 -> masquerade ether1-gateway, #2 -> hairpin log, #3 -> hairpin masquerade


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    Have my router running roughly a week now, added some basic firewall rules (to stop bots trying to use SSH) and some port forwarding rules. I'm wondering now: are there any handy things I should do or any quality-of-life improvements? I was thinking of setting up a RasPi as a syslog server also, as I noticed the built-in logs don't go back very far.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Have my router running roughly a week now, added some basic firewall rules (to stop bots trying to use SSH) and some port forwarding rules. I'm wondering now: are there any handy things I should do or any quality-of-life improvements? I was thinking of setting up a RasPi as a syslog server also, as I noticed the built-in logs don't go back very far.

    Pointless really; it would just fill up with DHCP requests, wireless association and disconnection, and other useless info.

    You would be better off putting your time into figuring out bandwidth allocation and queues. You could give all your individual devices priorities and allocate a minimum target bandwidth and max bandwidth attained by each device (bandwidth shaping). You can also use /ip firewall mangle to add connection and packet marks, add these marked packets to certain queues and give these queues priorities higher (or lower) than everything else (QoS).


  • Registered Users Posts: 6 Mattie112


    Anybody any more ideas about my hairpin NAT problem?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Mattie112 wrote: »
    Anybody any more ideas about my hairpin NAT problem?

    This is puzzling; here are a few suggestions.

    I have an accept lan filter rule
    /ip firewall filter
    add chain=input comment="acccept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24

    Other than that, try disabling filter rule 5 and removing the to-addresses=0.0.0.0 from your main masquerade NAT rule.


  • Registered Users Posts: 6 Mattie112


    No, still no luck :(

    However, I CAN ping my own address (I don't know whether that didn't work before).
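    The hairpin problem in this exchange is the commonest RouterOS port-forwarding pitfall, so here is the complete rule set as an added example (it is not configuration from any post in this thread). It assumes the stock 192.168.88.0/24 LAN on bridge-local, the WAN on ether1-gateway, and a constructed web server at 192.168.88.10 on TCP 8080; the router's own address 192.168.88.1 is excluded so that LAN access to the router's web login, which was moved to 8080 earlier in the thread, is not redirected. The detail that usually breaks hairpin: a dst-nat rule with in-interface=ether1-gateway only sees packets arriving from the WAN, so a LAN client's request to the public address never matches it. dst-address-type=local matches whatever public address the ISP hands out, and smee's log-copy trick sits just before the hairpin masquerade.

```routeros
# Added example, not from the thread. Assumed: LAN 192.168.88.0/24 on bridge-local,
# WAN on ether1-gateway, constructed web server 192.168.88.10 listening on TCP 8080.
/ip firewall nat
# Port forward. No in-interface match, so it also catches LAN clients that
# connect to the router's public address; dst-address-type=local follows a
# dynamic WAN address, and !192.168.88.1 keeps LAN access to the router's own
# web login (also on 8080) out of the redirect.
add chain=dstnat action=dst-nat comment="8080 to web server (WAN and hairpin)" \
    dst-address-type=local dst-address=!192.168.88.1 protocol=tcp dst-port=8080 \
    to-addresses=192.168.88.10 to-ports=8080
# Normal outbound masquerade for the LAN.
add chain=srcnat action=masquerade comment=masquerade out-interface=ether1-gateway
# smee's trick: an identical copy of the hairpin rule with action=log, placed
# just before it, so every hairpin packet leaves a line in /log.
add chain=srcnat action=log log-prefix="hairpin" comment="hairpin log" \
    src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=8080
# Hairpin: after dst-nat the packet is LAN->LAN. Masquerading its source to the
# router's LAN address forces the server's reply back through the router, where
# the connection entry is un-NATed. Without it the server answers the client
# directly from 192.168.88.10 and the client drops the mismatched reply.
add chain=srcnat action=masquerade comment="hairpin nat" \
    src-address=192.168.88.0/24 dst-address=192.168.88.10 protocol=tcp dst-port=8080
```

    To check it, open http://<public address>:8080 from a LAN client and watch the counters with `/ip firewall nat print stats`; `/log print where message~"hairpin"` shows the logged packets. If the dstnat counter stays at zero, the request never matched the forward (typically an in-interface restriction or a wrong port); if dstnat counts but the hairpin rules do not, the src-address or dst-address matcher on the srcnat rules is wrong.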


  • Registered Users Posts: 500 ✭✭✭jdee99


    Hi folks, just bought a 9516 and am trying to connect it to the UTV internet broadband service. I can connect to the router wirelessly and wired with no problems; what I can't seem to do is connect via PPPoE to UTV's servers. Can someone cast their eye over the export file and see if there is anything that I am doing wrong? Heck of a steep learning curve, but if I can get it working it will hopefully sort out some of the access problems I have been having.

    MikroTik RouterOS 6.6 (c) 1999-2013 http://www.mikrotik.com/

    [admin@MikroTik] > export compact
    # jan/02/1970 00:42:42 by RouterOS 6.6
    # software id = XZQD-NEE5
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BB:62:BB auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway name=pppoe-out1 password=xxxxxxxxxx use-peer-dns=yes user=cxxxxxxx@adsl.utvinternet.ie
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk group-ciphers=tkip,aes-ccm mode=dynamic-keys unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXX
    add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=ipad supplicant-identity="" unicast-ciphers=tkip,aes-ccm \
    wpa-pre-shared-key=XXXXXXXX wpa2-pre-shared-key=XXXXXXX
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge \
    security-profile=ipad ssid=Mirotik wireless-protocol=802.11
    /ip neighbor discovery
    set wlan1 discover=no
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip pool
    add name=dhcp ranges=192.168.2.2-192.168.2.254
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.2.1/24 comment="default configuration" interface=bridge-local network=192.168.2.0
    /ip dhcp-client
    add default-route-distance=0 dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.2.0/24 dns-server=192.168.2.1 gateway=192.168.2.1
    /ip dns
    set allow-remote-requests=yes servers=194.46.192.136,194.46.192.137
    /ip dns static
    add address=192.168.2.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=pppoe-out1 to-addresses=0.0.0.0
    add action=dst-nat chain=dstnat comment="For Fixed Camera" dst-port=5300 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.23 to-ports=5300
    add action=dst-nat chain=dstnat comment="For WebServer" dst-port=80 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.20 to-ports=80
    add action=dst-nat chain=dstnat comment="For PlanePlotter" dst-port=9742 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.25 to-ports=9742
    add action=dst-nat chain=dstnat comment="For Calibre" dst-port=8081 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.2 to-ports=8081
    add action=dst-nat chain=dstnat comment="For Flight Radar" dst-port=30003 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.25 to-ports=30003
    add action=dst-nat chain=dstnat comment="For basestation" dst-port=10001 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.17 to-ports=10001
    add action=dst-nat chain=dstnat comment="For Blitzortung Red" dst-port=8880 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.2.10 to-ports=8880
    /ip route
    add comment="Default route" distance=1 gateway=194.46.193.69
    /ip service
    set api disabled=yes
    /ip upnp
    set allow-disable-external-interface=no enabled=yes
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=pppoe-out1 type=external
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=194.164.127.6 secondary-ntp=130.88.203.12
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    [admin@MikroTik] >

    The IP firewall NAT rules are for stuff I run for my website.

    Many thanks

    JD


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Is it attempting to dial pppoe in the logs?


  • Registered Users Posts: 500 ✭✭✭jdee99


    Hi - yes, it is initialising, dialling and then terminating - disconnected. The username and password that I have came from UTV.


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Hi,

    Have been configuring my routerOS on and off over the last week or so. Have come across a LAN issue which seems to be router related.

    If I reset the router back to the default setting is it secure enough while I leave it like that and see if my LAN issue remains?

    Thanks

    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Hi,

    Have been configuring my routerOS on and off over the last week or so. Have come across a LAN issue which seems to be router related.

    If I reset the router back to the default setting is it secure enough while I leave it like that and see if my LAN issue remains?

    Thanks

    W.

    Yes, if you accept the default script, the masquerade NAT rule will protect your LAN, i.e. drop packets from the internet it does not know about.


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Right,

    After much playing around with RouterOS, I went back to my old router setup to check. My problem is around the use of WHS and its clients. In this old setup I changed the WHS IP address to see if that was the cause (as that's the main difference to RouterOS, as its default setup uses a different set of addresses). Turns out this change also had the same behaviour. I can't be bothered (WHS can be high maintenance sometimes) getting to the bottom of it.

    Therefore I will change RouterOS to mimic my old LAN IP setup. So is it just the gateway address and the DHCP Server IP range that needs changing? I need to change from 192.168.88.x to 192.168.61.x

    Thanks
    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Right,

    After much playing around with RouterOS, I went back to my old router setup to check. My problem is around the use of WHS and its clients. In this old setup I changed the WHS IP address to see if that was the cause (as that's the main difference to RouterOS, as its default setup uses a different set of addresses). Turns out this change also had the same behaviour. I can't be bothered (WHS can be high maintenance sometimes) getting to the bottom of it.

    Therefore I will change RouterOS to mimic my old LAN IP setup. So is it just the gateway address and the DHCP Server IP range that needs changing? I need to change from 192.168.88.x to 192.168.61.x

    Thanks
    W.

    Simple: export the config with the export compact command, copy it into Notepad++, do a Ctrl+F search for 192.168.88. and replace all with 192.168.61., then paste that back into the router and reboot.

    http://notepad-plus-plus.org/


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Thanks,

    I did it the hard way and spent a good while not knowing why my VOIP wasn't working; eventually found the hidden old reference in ip DNS static!!! I'll be using the above in future.

    I've read this thread and probably put stuff in that is either:

    1) not working
    2) not necessary.

    So I will probably post some of the export compact output for people to review, if they don't mind!!!

    Now I'm at the point of why I'm switching my router to Mikrotik: I need to be able to wake up my WHS server from the WAN. I spent all night trying to configure the ip filter nat rule to allow the likes of http://www.remotewakeup.com/en/ to wake up my WHS. Just couldn't get it to work. The router was able to wake it using the wol tool once I specified the bridge-local interface. Read various threads etc., but whatever way the filter nat rule was configured it never registered any packets.

    Any pointers/ideas?

    Thanks again
    W

    PS: in the ip address section the LAN address reference 192.168.61.x is on the wlan1 interface, is that right?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Thanks,

    I did it the hard way and spent a good while not knowing why my VOIP wasn't working; eventually found the hidden old reference in ip DNS static!!! I'll be using the above in future.

    I've read this thread and probably put stuff in that is either:

    1) not working
    2) not necessary.

    So I will probably post some of the export compact output for people to review, if they don't mind!!!

    Now I'm at the point of why I'm switching my router to Mikrotik: I need to be able to wake up my WHS server from the WAN. I spent all night trying to configure the ip filter nat rule to allow the likes of http://www.remotewakeup.com/en/ to wake up my WHS. Just couldn't get it to work. The router was able to wake it using the wol tool once I specified the bridge-local interface. Read various threads etc., but whatever way the filter nat rule was configured it never registered any packets.

    Any pointers/ideas?

    Thanks again
    W

    PS: in the ip address section the LAN address reference 192.168.61.x is on the wlan1 interface, is that right?

    The IP address and DHCP server should be on the bridge. Your wireless and your master ethernet interface should be ports in this bridge.


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Thanks for that, have made those necessary changes. Below is my export compact output. Went a bit mad on the firewall filters!!!

    Still no luck with the WOL over the internet. Think I'm using the tool sniffer correctly, but see nothing coming in for UDP port 9? I'm sure I've something wrong.

    Also had to disable the hairpin rule; should that be expected?

    Forgive all the queries, but it is a bit of a learning curve :o
    # nov/27/2013 00:13:47 by RouterOS 6.6
    # software id = 4X3Q-QATT
    #
    /interface bridge
    add admin-mac=00:0C:42:B7:XX:XX auto-mac=no l2mtu=1598 name=bridge-local \
        protocol-mode=rstp
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
        20/40mhz-ht-above disabled=no distance=indoors frequency=2437 \
        ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=\
        SSID wireless-protocol=802.11
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=\
        ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=\
        ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=\
        ether5-slave-local
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
        dynamic-keys wpa-pre-shared-key=XXX wpa2-pre-shared-key=\
        XXX
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
        mac-cookie-timeout=3d
    /ip pool
    add name=dhcp ranges=192.168.61.9-192.168.61.254
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.61.1/24 comment="default configuration" interface=\
        bridge-local network=192.168.61.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=ether1-gateway
    /ip dhcp-server lease
    add address=192.168.61.9 client-id=1:0:25:90:c:53:1c mac-address=\
        00:25:90:0C:XX:XX server=default
    add address=192.168.61.10 client-id=1:0:f:b5:db:84:17 mac-address=\
        00:0F:B5:DB:XX:XX server=default
    /ip dhcp-server network
    add address=192.168.61.0/24 comment="default configuration" dns-server=\
        192.168.61.1 gateway=192.168.61.1 netmask=24
    /ip dns
    set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=512 \
        servers=89.101.160.5,89.101.160.4
    /ip dns static
    add address=192.168.61.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" disabled=yes \
        in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.61.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway
    add action=dst-nat chain=dstnat comment=\
        "tcp from port 443 to 443 (lan ip 192.168.61.9)" dst-port=443 \
        in-interface=ether1-gateway protocol=tcp to-addresses=192.168.61.9 \
        to-ports=443
    add action=dst-nat chain=dstnat comment="WOL WHS" \
        dst-port=9 port="" protocol=udp to-addresses=\
        192.168.61.255 to-ports=9
    add action=masquerade chain=srcnat comment="hairpin nat rule" disabled=yes \
        dst-address=192.168.61.9 src-address=192.168.61.0/24 to-addresses=0.0.0.0
    /ip service
    set www disabled=yes
    set api disabled=yes
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    /system leds
    set 0 interface=wlan1
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=140.203.204.77
    /system scheduler
    add interval=4w2d name="backup config" on-event=\
        "/system script run backup\r\
        \n" policy=\
        ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
        start-time=startup
    /system script
    add name=backup policy=\
        ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
        source="/export file=([/system identity get name] . \"-\" . \\\
        \n[:pick [/system clock get date] 7 11] . [:pick [/system clock get date] \
        0 3] . [:pick [/system clock get date] 4 6]); \\\
        \n/tool e-mail send to=\"address@email.com\" subject=([/system identity g\
        et name] . \" Backup \" . \\\
        \n[/system clock get date]) file=([/system identity get name] . \"-\" . [:\
        pick [/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4\
        \_6] . \".rsc\"); :delay 10; \\\
        \n/file rem [/file find name=([/system identity get name] . \"-\" . [:pick\
        \_[/system clock get date] 7 11] . \\\
        \n[:pick [/system clock get date] 0 3] . [:pick [/system clock get date] 4\
        \_6] . \".rsc\")]; \\\
        \n:log info (\"System Backup emailed at \" . [/sys cl get time] . \" \" . \
        [/sys cl get date])"
    /tool e-mail
    set address=173.194.66.108 from=<>MikroTik@gmail.com.com password=\
        pwd port=465 start-tls=yes user=address@email.com
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
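    Reading the input chain of that export as a reviewer, a few things stand out: the default "drop WAN input" rule is disabled, and the "allow winbox", "allow api" and "allow ssh" rules carry no in-interface or source restriction, so WinBox (8291) and SSH (22) are accepted from the internet before the final "drop everything else" is ever reached (api is moot, since /ip service has it disabled). The staged ssh_stage1..3/ssh_blacklist lists are therefore the only thing between the WAN and the SSH login. The block below is an added example, not configuration from this thread: the same input chain re-ordered so that management is reachable only from the LAN side, using nothing but the names the export already has (ether1-gateway as WAN, 192.168.61.0/24 on bridge-local as LAN). The staged lists are kept unchanged in spirit but are fed only by new connections arriving on ether1-gateway, so a mistyped LAN password cannot blacklist the admin; with SSH from the WAN now dropped, they serve as a record of who is knocking. (The disabled hairpin rule is a separate matter: the 443 dst-nat rule matches only in-interface=ether1-gateway, so a LAN client's request to the public address is never rewritten, the same situation as Mattie112's earlier in the thread.)

```routeros
# Added example, not from the thread: the input chain of the export above,
# re-ordered so management is LAN-only. Assumed names are the export's own:
# WAN = ether1-gateway, LAN = 192.168.61.0/24 on bridge-local.
/ip firewall filter
# 1. Connection tracking first: most packets match here and stop.
add chain=input comment="allow established" connection-state=established
add chain=input comment="allow related" connection-state=related
add action=drop chain=input comment="drop invalid" connection-state=invalid
# 2. Staged SSH brute-force lists, as in the export, but fed only by new
#    connections arriving on the WAN so a LAN typo never blacklists the admin.
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    in-interface=ether1-gateway protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    in-interface=ether1-gateway protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    in-interface=ether1-gateway protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    in-interface=ether1-gateway protocol=tcp
# 3. The only services meant to be reachable from the internet: PPTP and ICMP.
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway \
    protocol=tcp
add chain=input comment="accept vpn gre" in-interface=ether1-gateway protocol=gre
add chain=input comment="allow ICMP" protocol=icmp
# 4. Everything from the LAN side (winbox 8291, ssh 22, DNS, DHCP) is accepted
#    here, so the unrestricted "allow winbox" / "allow ssh" rules are not needed.
add chain=input comment="accept lan" in-interface=!ether1-gateway \
    src-address=192.168.61.0/24
# 5. Anything else, including winbox and ssh arriving on ether1-gateway, is dropped.
add action=drop chain=input comment="drop everything else"
```

    Apply it from a LAN-side console or WinBox session rather than over a WAN session that the last rule will cut off, and leave the forward chain of the export as it is. `/ip firewall filter print stats` shows which rule each flow is hitting, and `/ip firewall address-list print` shows what the staged lists have collected. If SSH from the internet is genuinely needed, an accept for dst-port=22 protocol=tcp in-interface=ether1-gateway placed after the staged rules restores the export's behaviour while keeping the brute-force lists in front of it.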
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    WOL will not just work from the internet this way; it uses a raw socket, see this thread. You need some device on your LAN or router to send this special packet. It's a feature available in RouterOS: http://wiki.mikrotik.com/wiki/Manual:Tools/Wake_on_lan


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Hi Smee,

    Thanks for that, I'll have a read and digest. I have the VOIP/ATA working behind the Mikrotik, using the SIP service, but can't seem to get the HTTP admin access working. The ATA is connected to the LAN where the UPC modem used to be connected. I've enabled remote management specifying the IP address range of the LAN (i.e. 192.168.61.1->192.168.61.254) so that it can be controlled from any machine, but when I specify the ATA IP 192.168.61.x:38080, the browser doesn't reach the unit, just times out.

    Any idea what I'm doing wrong?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Hi Smee,

    Thanks for that, I'll have a read and digest. I have the VOIP/ATA working behind the Mikrotik, using the SIP service, but can't seem to get the HTTP admin access working. The ATA is connected to the LAN where the UPC modem used to be connected. I've enabled remote management specifying the IP address range of the LAN (i.e. 192.168.61.1->192.168.61.254) so that it can be controlled from any machine, but when I specify the ATA IP 192.168.61.x:38080, the browser doesn't reach the unit, just times out.

    Any idea what I'm doing wrong?

    You sure it's not port 8080?


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    smee again wrote: »
    You sure it's not port 8080?

    Well as per the image/link, it can be set to any value, the default is 8080, and I've tried that too.

    My logic is the ATA is connected to the LAN ONLY on its WAN port (as the ATA is acting as a client to the routerOS DHCP server). In the ATA remote setup, one has to specify the connecting IP address(es). So I have given the LAN IP range.

    But using the static IP address given to the ATA by the RouterOS DHCP server, I can't ping the unit (must double check, but pretty sure I've this enabled on the ATA). I think that's the root of my problem. When the ATA is acting as the router, I have access to the admin screen via the LAN port...

    Thanks for your patience!!

    W.


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    Hey lads, my RB951G has been running fine the past while; only recently the port forwarding seems to have stopped working and I cannot access some servers I have running. Any idea what's going on?
    [xxxx@yyyy] /ip firewall nat> print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   chain=srcnat action=masquerade out-interface=pppoe-out1 
    
     1   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=9987 protocol=udp
         in-interface=pppoe-out1 dst-port=9987 
    
     2   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=30033 protocol=tc
         in-interface=pppoe-out1 dst-port=30033 
    
     3   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=8080 protocol=tcp
         in-interface=pppoe-out1 dst-port=8080 
    
     4   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=5050 protocol=tcp
         in-interface=pppoe-out1 dst-port=5050 
    
     5   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=8081 protocol=tcp
         in-interface=pppoe-out1 dst-port=8081 
    
     6   chain=dstnat action=dst-nat to-addresses=192.168.0.11 to-ports=32400 protocol=tc
         in-interface=pppoe-out1 dst-port=32400 
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Hey lads, my RB951G has been running fine the past while; only recently the port forwarding seems to have stopped working and I cannot access some servers I have running. Any idea what's going on?

    Which ones? Can you access them locally?


  • Registered Users, Registered Users 2 Posts: 2,928 ✭✭✭VenomIreland


    smee again wrote: »
    Which ones? Can you access them locally?

    Everything but the first two entries couldn't be accessed outside my LAN. Tried this morning though (using my phone's 3G again) and it worked! No idea what was going on.


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Well as per the image/link, it can be set to any value, the default is 8080, and I've tried that too.

    My logic is the ATA is connected to the LAN ONLY on its WAN port (as the ATA is acting as a client to the routerOS DHCP server). In the ATA remote setup, one has to specify the connecting IP address(es). So I have given the LAN IP range.

    But using the static IP address given to the ATA by the RouterOS DHCP server, I can't ping the unit (must double check, but pretty sure I've this enabled on the ATA). I think that's the root of my problem. When the ATA is acting as the router, I have access to the admin screen via the LAN port...

    Thanks for your patience!!

    W.

    Well, I've done some more testing, but still stuck...

    1) ATA as router: put this back in and configured it for remote management using port 8080. From outside my home I can access the admin screens etc... On the WAN setup I've enabled respond to pings... (and this worked from the outside test)

    2) So I put the ATA back behind the RouterOS; it's acting as a DHCP client of the RouterOS on its WAN port (nothing connected to its LAN port). I can't ping the dedicated static IP address from anywhere on the LAN, even in WinBox. This is my problem. As I have the RouterOS & ATA functioning as DHCP servers using the same address range, I switched the ATA to being the router, connected its LAN port and from a desktop did an ipconfig /renew. From here I could access the admin screen and see in the WAN setup that it had recorded the RouterOS's static IP address.

    So basically, any idea why the device can't be pinged from the LAN? If I can solve this, I'm sure I'll be able to access the ATA admin screens....

    Thanks

    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Well I've done some more testing, but still stuck...

    1) ATA as router: put this back in and configured it for remote management using port 8080. From outside my home I can access the admin screens etc. On the WAN setup I've enabled the "respond to pings" option (and this worked from the outside test).

    2) So I put the ATA back behind the RouterOS; it's acting as a DHCP client of the RouterOS on its WAN port (nothing connected to its LAN port). I can't ping the dedicated static IP address from anywhere on the LAN, even in Winbox. This is my problem. As I have the RouterOS & ATA configured to function as DHCP servers using the same address range, I switched the ATA to being the router by connecting its LAN port, and from a desktop did an ipconfig /renew. From here I could access the admin screen and see in the WAN setup that it had recorded the RouterOS's static IP address.

    So basically, any idea why the device can't be pinged from the LAN? If I can solve this, I'm sure I'll be able to access the ATA admin screens....

    Thanks

    W.

    Set the WAN port of the ATA to receive its IP through DHCP, then make the IP it gets static in the Mikrotik DHCP server and forward the management port to that IP (or enable UPnP if the ATA supports it).


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Actually, from all this testing/switching, my ATA would only work intermittently. Could never understand why, but now I have an explanation (though it's not ideal).

    For me to have a working ATA behind the RouterOS, I must first connect the ATA to the cable modem and have it do its stuff/register etc...

    Then move it behind the RouterOS, only connected via the WAN port, noting that it doesn't reboot. In this setup, the WAN doesn't have a LAN IP address, but I can still make calls. So in this setup, if the power goes or I reboot the ATA, the WAN gets the RouterOS IP address, and the ATA/VOIP now doesn't work!!

    Is this expected behaviour for such a setup? As I said, I can live with it, but if the power ever goes and I'm not around, the other half won't have a phone line!!! :eek:

    I wonder if I should change the ATA DHCP LAN address range and connect the LAN port in the hope of seeing the ATA admin screens while the RouterOS is the LAN router. Is this possible?

    Thanks
    W.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Have you tried turning off the SIP helper in Firewall service ports?
    /ip firewall service-port disable sip
    


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Hi Smee_again,

    Let's ignore whether the ATA is working from a VOIP perspective. When it was the LAN router and I did ping tests from outside on the WAN, the results confirmed the operation of the "respond to ping" setting, i.e. (yes/no).

    When I put the ATA behind the RouterOS and reboot it so it's served an IP address from the RouterOS, I still can't ping the device from the tools provided within the Winbox utility. It's what's killing me!! I might reconfigure the ATA to be connected via its LAN port and disable the DHCP server and see if it can be pinged from there...

    Thanks
    W.


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Well,

    got a chance to test out the ATA's LAN port. First I changed the LAN port IP address to match the one that is being assigned to the WAN port by the RouterOS. Disabled the DHCP server on the ATA.

    Any time I connect the ATA to the LAN using the WAN port and reboot, the RouterOS (using netwatch) shows the device using the IP address as down. If I then simply switch ports on the ATA, RouterOS will update the IP address as being up. Once on the LAN I can access the ATA router status page, and it shows the WAN port behaving as a DHCP client, i.e. the assigned IP address, gateway etc...

    Confused as hell at this stage!!! I just can't seem to access the admin pages of the ATA, ping etc. when connected via the WAN port. Of course, as per my other observations, I can still make phone calls. This thread talks about putting the ATA behind a router; it all makes sense, but I just can't seem to get it working :mad:

    Also, if the ATA is behind RouterOS and reboots, whatever VOIP registration is going on is failing. Any idea how to capture this traffic to see what it is?

    Thanks
    W


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Let the ATA receive an IP from the Mikrotik through DHCP and make it static in RouterOS DHCP Server. Surely you only need to connect to it once to configure it?


  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Hi White,

    Yep, that's what I've done, but the Mikrotik still can't communicate/ping/netwatch with the ATA if it's connected via the WAN port (acting as a DHCP client). I statically configured the ATA LAN port to match that IP address so I could switch connections and inspect the ATA admin pages. As stated, it shows the configuration as one would expect; I've enabled the ATA's "respond to pings" option but still can't access the ATA in any way, but my VOIP still works though!!

    I'm at a loss to explain it....

    W.


  • Registered Users, Registered Users 2 Posts: 281 ✭✭Skalragg


    Is there any way to display how long a neighbour relationship has been established in routing protocols like OSPF? In Cisco routers/L3 switches you can view it in the CLI, but I was looking and I couldn't see it anywhere.

    cheers


  • Registered Users, Registered Users 2 Posts: 4,983 ✭✭✭Tea_Bag


    Hey guys. Been lurking in this thread a while and finally picked up my first Mikrotik, an RB2011UAS-2HnD.


    Anyway, as I suspected, I've no idea what I'm doing. I've fiddled with some DD-WRT, but I'd say I'm still a novice.

    I followed the thread and set it up the best I can.

    Can any of ye check over my setup and spot any problems?

    compact export:
    [admin@MikroTik] > export compact
    # feb/03/2014 12:12:01 by RouterOS 6.7
    # software id = RB2011U
    #
    /interface bridge
    add admin-mac=D4:CA:6D:D8:48:E5 auto-mac=no l2mtu=1598 name=bridge-local \
        protocol-mode=rstp
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
        20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=\
        2447 l2mtu=2290 mode=ap-bridge ssid=Temp wireless-protocol=802.11
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether6 ] name=ether6-master-local
    set [ find default-name=ether7 ] master-port=ether6-master-local name=\
        ether7-slave-local
    set [ find default-name=ether8 ] master-port=ether6-master-local name=\
        ether8-slave-local
    set [ find default-name=ether9 ] master-port=ether6-master-local name=\
        ether9-slave-local
    set [ find default-name=ether10 ] master-port=ether6-master-local name=\
        ether10-slave-local
    set [ find default-name=sfp1 ] name=sfp1-gateway
    /ip neighbor discovery
    set ether1-gateway discover=no
    set sfp1-gateway discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
        wpa-pre-shared-key=yourealeech wpa2-pre-shared-key=yourealeech
    /ip hotspot profile
    add dns-name=google hotspot-address=10.5.50.1 name=hsprof1
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
        mac-cookie-timeout=3d
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=3des
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    add name=hs-pool-1 ranges=10.5.50.2-10.5.50.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /port
    set 0 name=serial0
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2
    add bridge=bridge-local interface=ether3
    add bridge=bridge-local interface=ether4
    add bridge=bridge-local interface=ether5
    add bridge=bridge-local interface=ether6-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
        network=192.168.88.0
    add address=10.5.50.1/24 comment="hotspot network" interface=sfp1-gateway \
        network=10.5.50.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=sfp1-gateway
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=\
        192.168.88.1 gateway=192.168.88.1 netmask=24
    /ip dns
    set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=512 \
        servers=8.8.8.8,8.8.4.4
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=\
        sfp1-gateway
    add action=drop chain=input comment="default configuration" in-interface=\
        ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.88.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    /ip hotspot user
    add name=user password=guest
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    /lcd interface
    set sfp1-gateway interface=sfp1-gateway
    set ether1-gateway interface=ether1-gateway
    set ether2 interface=ether2
    set ether3 interface=ether3
    set ether4 interface=ether4
    set ether5 interface=ether5
    set ether6-master-local interface=ether6-master-local
    set ether7-slave-local interface=ether7-slave-local
    set ether8-slave-local interface=ether8-slave-local
    set ether9-slave-local interface=ether9-slave-local
    set ether10-slave-local interface=ether10-slave-local
    set wlan1 interface=wlan1
    /lcd interface pages
    set 0 interfaces="sfp1-gateway,ether1-gateway,ether2,ether3,ether4,ether5,ethe\
        r6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,e\
        ther10-slave-local"
    /system clock
    set time-zone-name=Europe/Dublin
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=140.203.204.77
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2
    add interface=ether3
    add interface=ether4
    add interface=ether5
    add interface=ether6-master-local
    add interface=ether7-slave-local
    add interface=ether8-slave-local
    add interface=ether9-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2
    add interface=ether3
    add interface=ether4
    add interface=ether5
    add interface=ether6-master-local
    add interface=ether7-slave-local
    add interface=ether8-slave-local
    add interface=ether9-slave-local
    add interface=wlan1
    add interface=bridge-local
    [admin@MikroTik] >
    

    firewall:
    [admin@MikroTik] > ip firewall export
    # feb/03/2014 01:03:47 by RouterOS 6.7
    # software id = LPZD-ULH5
    #
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=\
        sfp1-gateway
    add action=drop chain=input comment="default configuration" in-interface=\
        ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.88.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    

    ip firewall nat export
    [admin@MikroTik] > ip firewall nat export
    # jan/28/2014 08:35:15 by RouterOS 6.7
    # software id = LPZD-ULH5
    #
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    [admin@MikroTik] >
    



    My setup is as follows:

    [attached image: 292086.jpg]

    questions:

    1) Is my firewall sufficient? :confused:
    2) I assume I'm double NAT'd. Can I fix that with the limited access I have to my Thomson UPC router?
    3) Suggest me a DNS server? Does all my traffic technically flow through 2 DNSs due to passing through UPC's DNS on the Thomson router (which can't be modified :mad:)? Can that be fixed?
    4) I want to monitor bandwidth passing through the router, or technically the Ether1 port, on a monthly basis. I've worked out it's in "queues" but that's as far as I get. I don't care for individual MAC address monitoring or anything, just overall usage. Help? Any scripts to run? I can find my way around Winbox/terminals.
    5) I want to set up a second WLAN, a guest network. I want this network limited to around 5MB down/3MB up. If it's not too complex, I want the guest network to not have access to the internal WLAN1 or LAN1. Can I monitor the guest network "WLAN2" bandwidth separately?

    I tried my hand at the hotspot setup but I made a hash of it, so I think I deleted it, but it's popping up in some of that code so I'm not sure?


    Thanks for even reading this far. If you have ANY tips/tricks/MUST-DOs/etc. that you think a noob wouldn't know, any comments appreciated. :o


    OT: it's been a while since I've been on boards, and I'm sorry to see Pog has closed his account. Thanks for all the help here and elsewhere, buddy :)

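    As an added example (not from the thread, and not a MikroTik tool), here is a small Python first-match simulator for the `/ip firewall filter` export format pasted above: it parses the rules as exported, reports which rule handles a given packet, and lists rules that an earlier drop makes unreachable, which is the check to run before asking whether a firewall is "sufficient". The packet fields and the subset of matchers it understands are assumptions of the example; the sample rules are copied from the export above, trimmed to the input chain.

```python
"""Simulate first-match evaluation of a RouterOS '/ip firewall filter' export
(added example, not from the thread): which rule fires, and which never can."""
import ipaddress
import shlex

# Constructed sample: input-chain rules from the export above, in original order.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=\
    ether1-gateway protocol=tcp
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
    src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else"
"""

# Actions that end evaluation (others fall through, so order matters), and the
# matchers this simulator evaluates; other rule properties are carried along.
TERMINATING = {"accept", "drop", "reject", "tarpit"}
MATCH_KEYS = {"chain", "protocol", "dst-port", "in-interface",
              "src-address", "connection-state"}

def parse_export(text):
    """Enabled 'add' rules of an export as dicts, in order (continuations glued)."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]            # continuation: glue the next line on
            continue
        joined.append(buf + line)
        buf = ""
    rules = []
    for line in joined:
        if line.startswith("add "):
            rule = {"action": "accept"}  # RouterOS default action is accept
            for token in shlex.split(line[4:]):
                key, _, value = token.partition("=")
                rule[key] = value
            if rule.get("disabled") != "yes":
                rules.append(rule)
    return rules

def _port_matches(spec, port):
    """dst-port may be one port, a range 'a-b', or a comma-separated list."""
    return any(int(lo) <= port <= int(hi or lo)
               for lo, _, hi in (p.partition("-") for p in spec.split(",")))

def rule_matches(rule, pkt):
    """True if every matcher in the rule accepts the packet dict (keys: chain,
    protocol, dst_port, in_interface, src_address, state); '!x' negates."""
    iface = rule.get("in-interface", "")
    return (rule.get("chain") == pkt["chain"]
            and rule.get("protocol", pkt["protocol"]) == pkt["protocol"]
            and rule.get("connection-state", pkt["state"]) == pkt["state"]
            and ("dst-port" not in rule
                 or _port_matches(rule["dst-port"], pkt["dst_port"]))
            and (not iface
                 or (iface.lstrip("!") == pkt["in_interface"]) != iface.startswith("!"))
            and ("src-address" not in rule
                 or ipaddress.ip_address(pkt["src_address"])
                 in ipaddress.ip_network(rule["src-address"], strict=False)))

def first_match(rules, pkt):
    """(index, action) of the first terminating rule that matches, or
    (None, 'accept') when the chain falls through, as RouterOS does."""
    for i, rule in enumerate(rules):
        if rule_matches(rule, pkt) and rule["action"] in TERMINATING:
            return i, rule["action"]
    return None, "accept"

def shadowed_rules(rules):
    """Indices of rules made unreachable by an earlier terminating rule whose
    matchers are a subset (same values) of theirs. Conservative by design."""
    out = []
    for j, later in enumerate(rules):
        later_m = {k: v for k, v in later.items() if k in MATCH_KEYS}
        for earlier in rules[:j]:
            earlier_m = {k: v for k, v in earlier.items() if k in MATCH_KEYS}
            if earlier["action"] in TERMINATING and earlier_m.items() <= later_m.items():
                out.append(j)
                break
    return out
```

    Run against the sample, `shadowed_rules` flags the "accept vpn" rule, because the earlier unconditional drop on ether1-gateway already catches every packet it could match; the same walk shows that Winbox, SSH and API are reachable only from the non-WAN interfaces.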

  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Your firewall looks ok, but you really should reset it to default and start again to remove all of those hotspot configurations. Also, you'll need to get your UPC modem into a bridge, double NAT will cause lots of problems, DMZ makes this even messier.



  • Registered Users, Registered Users 2 Posts: 755 ✭✭✭whowantstwoknow


    Well, got the ATA working as one would expect....almost!!

    It seems BOTH ATA ports MUST be connected to the LAN. So I have the WAN port as a DHCP client and the LAN port statically configured. In this configuration, if you reset the ATA behind the Mikrotik, it registers OK with the SIP provider!! What has been throwing me is that if the ATA is the main router and only the WAN port is connected, it registers fine too.

    The Mikrotik can only successfully ping the ATA WAN port if the LAN port is connected. Though I still can't access the ATA admin from the WAN port, that's OK as it's now available from the ATA's LAN port.

    The ATA LAN port's IP address comes up on the Mikrotik IP ARP list. I've made this record static; is that OK (not sure what ARP is, must read up)?

    Now off to see if it's possible to "wake" a LAN device from the internet through the Mikrotik. Seen some links suggesting one can, but nothing has worked yet. I know you can log on to the Mikrotik and do it, but I would imagine that makes the Mikrotik router less safe....

    Thanks

    W

    Hope this is of use to somebody else....


  • Registered Users, Registered Users 2 Posts: 2,027 ✭✭✭eddiem74


    I often see this in the logs during the night, where my PPPoE connection seems to disconnect.

    [attached image: 296199.JPG]

    I am using eircom eFibre (ZyXEL F1000) in bridge mode connected to my RB951G-2HND.

    Anyone else see similar?


  • Registered Users, Registered Users 2 Posts: 7,199 ✭✭✭witnessmenow


    Possibly strange scenario.

    I have eircom broadband and it is atrocious in the evening. During the day and night it's fine, and it's fairly mixed at weekends.

    I was thinking of maybe trying out a mobile dongle as well as my eircom internet.

    I have a dongle that works with my mikrotik as I have used it before.

    Does anyone have suggestions on how I could set this up? Even from a practical sense rather than implementation.

    I have a server for downloading etc.; at all times this should use eircom. I guess I make that have its own route that always ends up at the eircom, so that's OK.

    But the other stuff in the house is the confusing part. Ideally it would use the best route to the internet at the time, but I don't know how practical that is.

    It wouldn't be the end of the world if I had to manually change the endpoint from BB to mobile when required.

    Any thoughts or ideas?


  • Registered Users, Registered Users 2 Posts: 2,027 ✭✭✭eddiem74


    I am getting rid of my MikroTik RouterBoard RB951G-2HnD in case anyone is interested. I have it on adverts; it was a bit too complicated for a novice home user.


  • Registered Users, Registered Users 2 Posts: 463 ✭✭mylesm


    Hello

    I have an ASUS RT-N66U as my wireless router for my house. It is connected to a UPC modem which is in bridge mode.

    I am happy with the ASUS, but I need wireless coverage in the garage. I have Cat 5 cable run to the garage.

    Is it possible to use a MikroTik RouterBoard 951G-2HnD as a wireless AP connected by the Cat 5 back to the ASUS?

    Is it easy to set it up as an AP, i.e. no routing? I like the ASUS because it gives me a guest network isolated from the main network, so visitors use the guest network.

    If possible I could reverse the situation and use the MikroTik RouterBoard 951G-2HnD
    as the main router and use the ASUS in the garage as an AP.

    But will the MikroTik RouterBoard 951G-2HnD give me a guest network separate from the main network?

    Any advice please?

    Thanks

    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    mylesm wrote: »
    Is it possible to use a MikroTik RouterBoard 951G-2HnD as a wireless AP connected by the Cat 5 back to the ASUS?

    Yes, very easy
    mylesm wrote: »
    Is it easy to set it up as an AP, i.e. no routing? I like the ASUS because it gives me a guest network isolated from the main network, so visitors use the guest network.

    Not easy. Adding another virtual network on a single interface is easy (a virtual AP like the guest network you have on the Asus); extending that beyond the device itself isn't (VLANs). It involves tagging the ethernet frames as they are transmitted (VLAN tagging) so the next device knows which network they belong to.
    http://en.wikipedia.org/wiki/Virtual_LAN
    http://en.wikipedia.org/wiki/IEEE_802.1Q

    I have this in my own home, but I have lots of experience and only have Mikrotik devices, which makes it a little easier to accomplish.


  • Registered Users, Registered Users 2 Posts: 463 ✭✭mylesm


    Yes, very easy



    Not easy. Adding another virtual network on a single interface is easy (a virtual AP like the guest network you have on the Asus); extending that beyond the device itself isn't (VLANs). It involves tagging the ethernet frames as they are transmitted (VLAN tagging) so the next device knows which network they belong to.
    http://en.wikipedia.org/wiki/Virtual_LAN
    http://en.wikipedia.org/wiki/IEEE_802.1Q

    I have this in my own home, but I have lots of experience and only have Mikrotik devices, which makes it a little easier to accomplish.

    Thanks for reply

    I got a Mikrotik 951G-2HnD and just set it up with the default config. All wired ports are bridged and work fine; connecting to the internet and LAN devices is no problem, i.e. a NAS drive on port 3 I can access from my PC plugged into port 2.

    Internet is working no problem, both wireless and wired, so everything is good.

    But I cannot access my NAS over wireless; I usually store my media on the NAS.

    Do I have to bridge the wireless LAN to the wired, or any idea please?

    thanks again

    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    Yes, add the wireless interface to the bridge (the default script should have added it). Also, if the NAS is wireless, make sure default forward is selected for the wireless interface, otherwise it isolates the clients.


  • Registered Users, Registered Users 2 Posts: 463 ✭✭mylesm


    Yes, add the wireless interface to the bridge (the default script should have added it). Also, if the NAS is wireless, make sure default forward is selected for the wireless interface, otherwise it isolates the clients.
    Thanks again

    The NAS is wired into port 3 on the router. I can see it on the wired network and read it, but cannot connect to it from a wireless device. If I revert to the old router, I can read it with a wireless device no problem. I only got the Mikrotik, so maybe some issue with the IP address; will try to resolve over the next few days.
    Thanks again


  • Registered Users, Registered Users 2 Posts: 463 ✭✭mylesm


    Everything working great now. Brilliant router: streaming 3 movies to 3 different devices and playing music on a network media player, rock steady.

    On the Quick Set screen there is a guest wireless network. I enabled this and gave it a different name to my main wireless.

    It works, but on my ASUS router the guest network only had access to the internet, no access to the internal LAN, which is what I want, as I don't want guests snooping on my LAN.

    Is it possible on the Mikrotik to have the guest network only having internet access?

    Anyway, so far this is a great router; can't believe the functions for the price.

    thanks Again
    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    Without seeing your config I wouldn't know where to start, do an export compact and paste it here and I'll give you the commands.

