The Mikrotik RouterOS config, tips and tricks thread

Comments

  • Registered Users Posts: 71 ✭✭privilegue


    Are non-SME UPC lines PPPoE? I am asking since I only have an SME line with 5 statics, so just curious.

    edit:: my upc cisco modem is in bridge for the past 6 years.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    When you get it upgraded, it may be best to reset it to default (system->reset config) and then login to Winbox and accept the installing default config on first boot which is pretty much what you need (other than adding pppoe if needed)


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Cheers guys - I've set my UPC (EPC3925) router to bridge mode and turned off the wireless mode. Its IP is 192.168.100.1 when in bridge mode.
    I'll upgrade my Mikrotik and reset it. I don't think UPC is PPPOE according to this boards post; it uses the mac address...


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    I'll upgrade my Mikrotik and reset it. I don't think UPC is PPPOE according to this boards post; it uses the mac address...

    That's what I thought, but I'm not with UPC. The default config is what you need then so. It sets the router up as a standard residential gateway router, port 1 as Wan that accepts DHCP (dhcp client so you get an ip from UPC), lan ports 2-5 will be switched with bridge between lan and wifi and giving out DHCP (dhcp server) on the bridge. It also adds a NAT rule (masquerade rule in ip->firewall->Nat) and a very basic firewall dropping random packets from the Wan (ip->firewall->filter)


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Oh - so you are saying that it should work when I plug the upc router (ethernet port 1) into the WAN port on the mikrotik? That's what I thought would happen as I didn't have to do anything for my previous router (DIR655). It's strange then that it didn't work when I tried it the first time.

    I'll let you know how I get on when I try it after work. thanks


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    Oh - so you are saying that it should work when I plug the upc router (ethernet port 1) into the WAN port on the mikrotik? Thats what I thought would happen as I didn't have to do anything for my previous router (DIR655). Its strange then that it didn't work when I tried it the first time.

    I'll let you know how I get on when I try it after work. thanks

    Yes, but you need to accept the default script. I don't use the web gui so I've no idea if this script is offered. The UPC modem needs to be in bridge mode, so you're not routing twice (double nat)


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Thanks for your help smee_again. I'm now online and I've my wifi working. I used one of the scripts to get my dns working which is fantastic. Webfig 6.4 looks pretty much the same as the winbox 6.4. Got my NTP working so I've good times.

    A few questions to get me on the road:
    1) How do I increase the wireless power?
    2) Is there a way to reserve IP addresses for given mac addresses?
    3) I'm able to get to a site internally http://192.168.88.248:5100 however I cannot gain access to it externally. I thought opening ports would be the same as forwarding them. I can access my webfig externally
    /ip firewall nat
    add action=dst-nat chain=dstnat comment="sample udp from port 5100 to 5100 (lan ip 192.168.1.248)" dst-port=5100 protocol=udp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment="sample tcp from port 5100 to 5100 (lan ip 192.168.1.248)" dst-port=5100 protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    
    5) Is there a place to view the MAC addresses, IP addresses with the device name?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    Thanks for your help smee_again. I'm now online and I've my wifi working. I used one of the scripts to get my dns working which is fantastic. Webfig 6.4 looks pretty much the same as the winbox 6.4 Got my NTP working so I've good times.

    A few questions to get me on the road:
    1) How do I increase the wireless power?
    2) Is there a way to reserve IP addresses for given mac addresses?
    3) I'm able to get to a site internally http://192.168.88.248:5100 however I cannot gain access to it externally. I thought opening ports would be the same as forwarding them.
    /ip firewall nat
    add action=dst-nat chain=dstnat comment="sample udp from port 5100 to 5100 (lan ip 192.168.1.248)" dst-port=5100 protocol=udp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment="sample tcp from port 5100 to 5100 (lan ip 192.168.1.248)" dst-port=5100 protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    
    4) I'm trying to open my bit torrent port 6881 however the following doesn't seem to work
    /ip firewall nat
    add action=dst-nat chain=dstnat comment="sample udp from port 6881 to 6881 (lan ip 192.168.1.248)" dst-port=6881 protocol=udp to-addresses=192.168.88.248 to-ports=6881
    add action=dst-nat chain=dstnat comment="sample tcp from port 6881 to 6881 (lan ip 192.168.1.248)" dst-port=6881 protocol=tcp to-addresses=192.168.88.248 to-ports=6881
    
    5) Is there a place to view the MAC addresses, IP addresses with the device name?

    1. It should be set to max power, in wireless select advanced and set it to 20/40MHz HT above and in advanced tab set distance to indoors. I find these routers work best on channel 6 (2437 MHz), use it if it's not congested in your house.
    2. Yes, easy. In ip->dhcp server->leases select the device and click make static. you can also add a comment
    3. your firewall rules are wrong, you have the wrong lan IP, they should be 192.168.88.x
    4. as above
    5. ip-> dhcp server will give you this

    How are you finding it? Bit of a learning curve but worth it.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    If you have consoles you may need to enable uPnP. To do this open a terminal (it opens a telnet connection to the router) and paste in the following
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    

    You will see, winbox is laid out in the order you apply commands so it's pretty easy to follow the code to see what it does. You will see uPnP firewall rules getting added in ip->firewall->filter


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Right, looking at the firewall port forwards, the ip is right, it's just the ip in the comment that's wrong (you can change this comment to anything). There is no enable=yes in the commands therefore they will not be enabled and will be added but disabled. Select them in ip->firewall->nat and enable them


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    I like the interface - there is just so much detail in it. I imagine I'll get used to finding things quicker. I can see the script go in and I can then confirm it by looking at the GUI. Is there a way to export a GUI rule into script?

    Also that 5100 port that I want to access, it's now enabled however it still doesn't work. When I try go to the website I can see packets arrive on the statistics window for the rule... so it seems as if I'm missing something else small with it.

    I think I'll be recommending Mikrotik in future to friends. I like it so far. I'm going to look at VPN's next; I'd like to browse at work using my home network...


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    I like the interface - there is just so much detail in it. I imagine I'll get used to finding things quicker. I can see the script go in and I can then confirm it by looking at the GUI. Is there a way to export a GUI rule into script?

    Yes, to export the firewall nat rules just go "ip firewall nat export", same for any config you want to export
    Sniipe wrote: »
    Also that 5100 port that I want to access, its now enabled however it still doesn't work. When I try go to the website I can see packets arrive on the statistics window for the rule... so it seems as if I'm missing something else small with it.

    As above, do an export so I can see it
    Sniipe wrote: »
    I think I'll be recommending Mikrotik in future to friends. I like it so far. I'm going to look at VPN's next; I'd like to browse at work using my home network...

    Yes, there is so much possible with them. Be sure the dns cache is enabled and give devices on your lan the 192.168.88.1 address as dns (if not using DHCP). It really makes a great job of regular lookups speeding up browsing.


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    That's very cool that I can export.
    [admin@MikroTik] > ip firewall nat export   
    # sep/19/2013 09:47:51 by RouterOS 6.4
    # software id = L1GL-8BGH
    #
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway
    add action=dst-nat chain=dstnat comment=\
        "sample udp from port 6881 to 6881 (lan ip 192.168.88.248)" dst-port=6881 \
        protocol=udp to-addresses=192.168.88.248 to-ports=6881
    add action=dst-nat chain=dstnat comment=\
        "sample tcp from port 6881 to 6881 (lan ip 192.168.88.248)" dst-port=6881 \
        protocol=tcp to-addresses=192.168.88.248 to-ports=6881
    add action=dst-nat chain=dstnat comment=\
        "sample udp from port 5100 to 5100 (lan ip 192.168.88.248)" dst-port=5100 \
        protocol=udp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment=\
        "sample tcp from port 5100 to 5100 (lan ip 192.168.88.248)" \
        connection-type="" dst-port=5100 port="" protocol=tcp to-addresses=\
        192.168.88.248 to-ports=5100
    

    I see from other forums that the issue may be that I need to define a "dst-address" - however I use dyndns for dynamic addresses. Or it could be post 5 in this thread...

    [edit]
    I got it working with this - however it probably won't work the next time the IP address changes (need to get my dynamic dns in there some how??) :
    add action=dst-nat chain=dstnat dst-address=46.7.147.184 dst-port=5100 \
        protocol=udp to-addresses=192.168.88.248 to-ports=5175
    add action=dst-nat chain=dstnat dst-address=46.7.147.184 dst-port=5100 \
        protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Can you post the output of ip firewall nat print. The export doesn't say enabled=yes so looks like they're not enabled.

    Hairpin nat only affects you when coming from inside lan, use 3g to test it works from outside

    Edit, sorry, didn't see your edit


  • Closed Accounts Posts: 552 ✭✭✭smee again


    You don't add your public ip to a firewall config, what you got there is completely wrong.
    add action=dst-nat chain=dstnat comment="my comment" dst-port=5100 protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment="my comment udp" dst-port=5100 protocol=udp to-addresses=192.168.88.248 to-ports=5100
    

    This says that all packets arriving at the router with a destination port of 5100 gets forwarded to 192.168.88.248 port 5100

    BTW, every single packet arriving at your router from the internet will have your public ip as destination address, you do not need to specify this


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    smee again wrote: »
    add action=dst-nat chain=dstnat comment="my comment" dst-port=5100 protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment="my comment udp" dst-port=5100 protocol=udp to-addresses=192.168.88.248 to-ports=5100
    

    For some reason this doesn't work. I can see on the statistics table that some packets are coming in however I cannot see the web site externally.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    For some reason this doesn't work. I can see on the statistics table that some packets are coming in however I cannot see the web site externally.

    Post the output of an export of your firewall nat rules


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway
    add action=dst-nat chain=dstnat comment=\
        "sample udp from port 6881 to 6881 (lan ip 192.168.88.248)" dst-port=6881 \
        protocol=udp to-addresses=192.168.88.248 to-ports=6881
    add action=dst-nat chain=dstnat comment=\
        "sample tcp from port 6881 to 6881 (lan ip 192.168.88.248)" dst-port=6881 \
        protocol=tcp to-addresses=192.168.88.248 to-ports=6881
    add action=dst-nat chain=dstnat dst-address=46.7.147.184 dst-port=80 \
        protocol=udp to-addresses=192.168.88.1 to-ports=80
    add action=dst-nat chain=dstnat dst-address=46.7.147.184 dst-port=80 \
        protocol=tcp to-addresses=192.168.88.1 to-ports=80
    add action=dst-nat chain=dstnat dst-port=5100 protocol=tcp to-addresses=\
        192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat dst-port=5100 protocol=udp to-addresses=\
        192.168.88.248 to-ports=5100
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Why have you your public ip in there? That isn't the way to go about things for a start.
    Also, you have port 80 forwarded to 192.168.88.1 (the router), the web admin of the router is on port 80. You enable/disable or change the port of web login in ip->services, does not need a rule. if you are trying to host something on port 80 behind the firewall you will need to change the web login to another port.

    Explain what rules you need and we can start again from scratch. It's best to delete or disable all rules except the nat rule


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    smee again wrote: »
    Why have you your public ip in there? That isn't the way to go about things for a start.
    Also, you have port 80 forwarded to 192.168.88.1 (the router), the web admin of the router is on port 80. You enable/disable or change the port of web login in ip->services, does not need a rule. if you are trying to host something on port 80 behind the firewall you will need to change the web login to another port.

    Explain what rules you need and we can start again from scratch. It's best to delete or disable all rules except the nat rule

    Sorry I did a ninja edit on the rules.

    I need a rule for torrents on 192.168.88.248:6881 which seems to be working already.
    I need a rule for web access on 192.168.88.248:5100 which doesn't work.
    I need a rule for 192.168.88.1:8080 which doesn't work - access to my mikrotik router.

    The other rules I could disable. Except for the NAT one as you pointed out.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    For starters, change the port of web admin of the Mikrotik in ip->services, change it to port 8080. Then add the following filters so you can access the Mikrotik from outside.
    /ip firewall filter
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow web admin" dst-port=8080 protocol=tcp
    
    Leave nat rule and the 2 working rules for utorrent as they are working and delete the rest.

    Then add the firewall rule I posted above which should work for web access on port 5100
    /ip firewall nat
    add action=dst-nat chain=dstnat comment="my comment" dst-port=5100 protocol=tcp to-addresses=192.168.88.248 to-ports=5100
    add action=dst-nat chain=dstnat comment="my comment udp" dst-port=5100 protocol=udp to-addresses=192.168.88.248 to-ports=5100
    
    If working you will then be able to access the web server on http://yourpublicip:5100. If you can't it's most likely related to the web application, not the firewall. maybe it's not containing all traffic to port 5100, uses port 80?


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Thanks smee_again - this worked. It initially didn't work, but I've just checked it the next day from work and it did work thanks.
    I also set up my second Mikrotik as an AP. It was surprisingly easy with the Quickset rules.

    edit - I still can't connect at home, but outside of home I can connect to http://mypublicip:5100 (my workaround at home is to use my internal IP address, but it's strange that I can't use the public one)


  • Closed Accounts Posts: 552 ✭✭✭smee again


    To connect from inside your lan using your public IP you need to add a hairpin nat rule, set your dst-address to the IP of your device and place it after the main masquerade rule
    /ip firewall nat
    add action=masquerade chain=srcnat comment="hairpin nat rule" disabled=no dst-address=192.168.88.248 src-address=192.168.88.0/24
    

    http://www.boards.ie/vbulletin/showpost.php?p=80067771&postcount=5
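An added Python example, not code from this thread or from MikroTik: it parses a RouterOS export in the form posted above and flags the mistakes the replies in this thread point out (a dst-nat rule pinned to the public address, a forward sending the web admin port to the router itself, rules left disabled, a missing hairpin masquerade, and management ports accepted on the input chain from any source). The LAN 192.168.88.0/24 and router address 192.168.88.1 are assumed from the default config, and the export it runs on is constructed sample input.

```python
"""Audit a RouterOS export for the port-forward mistakes discussed in this thread."""
import ipaddress
import re

LAN_NET = ipaddress.ip_network("192.168.88.0/24")  # assumption: default Mikrotik LAN
ROUTER_IP = "192.168.88.1"                           # assumption: the router's LAN address
MGMT_PORTS = {"80", "8080", "8291"}                  # web admin (80/8080) and winbox (8291)
KV = re.compile(r'([\w-]+)=("(?:[^"\\]|\\.)*"|\S*)')  # key=value or key="quoted value"

# Constructed sample modelled on the exports posted above (203.0.113.10 is a
# documentation address standing in for the public IP).
SAMPLE_EXPORT = r"""
/ip firewall filter
add chain=input comment="allow web admin" dst-port=8080 protocol=tcp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="torrent tcp" dst-port=6881 \
    protocol=tcp to-addresses=192.168.88.248 to-ports=6881
add action=dst-nat chain=dstnat dst-address=203.0.113.10 dst-port=80 \
    protocol=tcp to-addresses=192.168.88.1 to-ports=80
add action=dst-nat chain=dstnat comment="web 5100" disabled=yes dst-port=5100 \
    protocol=tcp to-addresses=192.168.88.248 to-ports=5100
"""


def parse_export(text):
    """Return {section: [rule dict, ...]}; backslash continuation lines are joined first."""
    sections, current = {}, None
    for line in re.sub(r"\\\n\s*", "", text).splitlines():
        line = line.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])
        elif line.startswith("add ") and current:
            sections[current].append({k: v.strip('"') for k, v in KV.findall(line[4:])})
    return sections


def audit(sections, lan_net=LAN_NET, router_ip=ROUTER_IP):
    """Return a list of findings; an empty list means none of the known mistakes is present."""
    findings, hairpin = [], False
    nat = sections.get("/ip firewall nat", [])
    for i, r in enumerate(nat, 1):
        label = f"nat rule {i} ({r.get('comment', 'no comment')})"
        if r.get("disabled") == "yes":
            findings.append(f"{label}: disabled, so it does nothing")
        if r.get("chain") == "dstnat":
            dst = r.get("dst-address")
            if dst and not ipaddress.ip_network(dst, strict=False).overlaps(lan_net):
                findings.append(f"{label}: pinned to WAN address {dst}; breaks when the ISP changes it")
            if r.get("to-addresses") == router_ip and r.get("to-ports") in MGMT_PORTS:
                findings.append(f"{label}: forwards port {r['to-ports']} to the router; use /ip service instead")
        if r.get("chain") == "srcnat" and r.get("action") == "masquerade":
            src, dst = r.get("src-address"), r.get("dst-address")
            if src and dst and ipaddress.ip_network(src, strict=False).overlaps(lan_net) \
                    and ipaddress.ip_network(dst, strict=False).overlaps(lan_net):
                hairpin = True  # LAN-to-LAN masquerade: this is the hairpin rule
    if any(r.get("chain") == "dstnat" and r.get("disabled") != "yes" for r in nat) and not hairpin:
        findings.append("no hairpin masquerade: forwards will not answer on the public IP from inside the LAN")
    for r in sections.get("/ip firewall filter", []):
        # a filter rule with no action= defaults to accept
        if (r.get("chain") == "input" and r.get("action", "accept") == "accept"
                and r.get("dst-port") in MGMT_PORTS
                and not r.get("src-address") and not r.get("in-interface")):
            findings.append(f"input accepts port {r['dst-port']} from any source; add src-address or in-interface")
    return findings


if __name__ == "__main__":
    for finding in audit(parse_export(SAMPLE_EXPORT)):
        print(finding)
```

Paste the output of "ip firewall nat export" and "ip firewall filter export" into SAMPLE_EXPORT (or read it from a file) to check a real router; every finding maps to one of the fixes given in the replies above.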


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    First of all, get the latest 6.4 RouterOS on it, available here: http://www.mikrotik.com/download

    Much easier than that, you'd be as well get the Winbox utility, it's much more powerful than the web login but makes some things much easier (you can always use both). When you login on Winbox go to system->packages and check for updates, it should give you the option to install 6.4 and reboot.

    Then after reboot you need to update the firmware, go to system->routerboard and click update. Then go to system and select reboot.

    OK so am in the process of setting up my new RB951G-2HnD. :D I am new to this so please bear with me. :o

    I followed the above steps but it only upgraded me to V5.26, not version 6.4.

    Any ideas?

    Also, if I add the firewall rules via terminal from the 1st post will that allow PS3 access, etc... to the internet or? As although my son's PS3 is connected via cat6 to router he is not able to sign in to playstation network now. :confused:


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    eddiem74 wrote: »
    OK so am in the process of setting up my new RB951G-2HnD. :D I am new to this so please bear with me. :o

    I followed the above steps but it only upgraded me to V5.26, not version 6.4.

    Any ideas?

    Also, if I add the firewall rules via terminal from the 1st post will that allow PS3 access, etc... to the internet or? As although my son's PS3 is connected via cat6 to router he is not able to sign in to playstation network now. :confused:

    OK update to 6.4 completed after downloading, copying to winbox file list and rebooting. :o

    Running the basic default configuration at the minute, have wireless working.

    Set-up for PS3 and uTorrent probably next and this is where I need help.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    eddiem74 wrote: »
    OK update to 6.4 completed after downloading, copying to winbox file list and rebooting. :o

    Running the basic default configuration at the minute, have wireless working.

    Set-up for PS3 and uTorrent probably next and this is where I need help.

    PS3 somewhat sorted now, forgot I had set a static IP with previous router :o, so set everything on PS3 to automatic as a temporary fix and connection worked. :)


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    PS3 somewhat sorted now, forgot I had set a static IP with previous router :o, so set everything on PS3 to automatic as a temporary fix and connection worked. :)

    You may need to enable uPnP (plug and play) to get the best use of the PS3 (and Skype, uTorrent etc), they will then open their own ports in the firewall

    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    

    If you are using PPPoE change the external interface above to the PPPoE interface


  • Site Banned Posts: 4,925 ✭✭✭Agueroooo


    I forked out some serious money on a Asus Ac66u, but as I said I wish I had seen this thread first, but whats done is done.

    I could do with a wifi repeater somewhere on the landing to increase coverage upstairs..would it be overkill to buy one of these to use just as a repeater for my Asus?
    And would it be difficult to config ?


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    You may need to enable uPnP (plug and play) to get the best use of the PS3 (and Skype, uTorrent etc), they will then open their own ports in the firewall

    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    

    If you are using PPPoE change the external interface above to the PPPoE interface

    So I tried utorrent this morning via a wired connection without making this change and it was able to download without issue using default router settings.

    Additionally I did not set-up PPPoE as when I connected the Eircom router to ether1 port it connected me to the internet and wireless also worked out of the box so to speak.

    Only default changes I made so far were the wireless password and wireless channel, am using channel 4 as after a freq scan that seem less used.

    I would like to have the fastest wireless possible, so I have seen mention of caching. Is this something the router itself can do or do I need a separate server? I 'think' I need to look at a web proxy using a transparent configuration perhaps. :confused:

    Guidance welcome on the next things I should check / look at.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    If you just plugged it in to another modem or router, it means you did not set it up right. Whatever port forward rules you add on this Mikrotik will mean nothing as you will be double Natting (routing to a new subnet twice). Consoles will find the ports they open are blocked by the modem. It will work, but it will only work for connections originating from inside your lan, any connections coming from the internet will be dropped by the gateway modem/router as it will not know what to do with them.

    You need to bridge the modem and add PPPoE to the Mikrotik.

