The Mikrotik RouterOS config, tips and tricks thread

mass_debater · 18-11-2015 11:47pm

Kenny Powers wrote: »

Thanks thats for the spam blocker I didn't spot that changed them to 100, its just my home router is there even any need for it?

looks like bridge-local should also be ether1-gateway

This rule add chain=forward action=drop seems to be blocking everything now

It's the syn flood protection, set it to at least 100. As it's the input chain its from all interfaces and could interfere with your own devices. Another way to do this is just to limit the connections passing through the router

add action=drop chain=forward comment="tcp connection limit" connection-limit=100,32 protocol=tcp tcp-flags=syn

The forward filter chain protects the devices on your lan, the drop will block all traffic passing through the router, shouldn't be there. You would be better add the following instead, see basic examples of protecting the router and customer here
http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

Kenny Powers · 19-11-2015 12:00am

Thanks for that ill do a bit more reading and start again, I just need something n=basic for home use the one on the first page is probably good enough

mass_debater · 05-02-2016 1:19pm

The first integrated dual band 802.11ac Mikrotik is available any day now. It's only 35 quid and has some amazing specs. I'm going to pre order

Triple-chain wireless 2.4 GHz
Triple-chain wireless 5 GHz
720 MHz CPU
128 MB of RAM
Five Gigabit Ethernet ports
SFP cage
Passive PoE output on port 5
USB port for 3G/4G modem

http://www.cdr.pl/download
http://www.ip-sa.com.pl/rb962uigs-5hact2hnt-p-2053.html

mass_debater · 05-02-2016 1:19pm

The first integrated dual band 802.11ac Mikrotik is available any day now. It's only 35 quid and has some amazing specs. I'm going to pre order

Triple-chain wireless 2.4 GHz
Triple-chain wireless 5 GHz
720 MHz CPU
128 MB of RAM
Five Gigabit Ethernet ports
SFP cage
Passive PoE output on port 5
USB port for 3G/4G modem

http://www.cdr.pl/download
http://www.ip-sa.com.pl/rb962uigs-5hact2hnt-p-2053.html

Kevin! · 11-02-2016 5:58pm

hAP ac and hAP ac lite are both available to purchase now

hAP AC
http://routerboard.com/RB962UiGS-5HacT2HnT

hap AC lite
http://routerboard.com/RB952Ui-5ac2nD

Kenny Powers · 24-02-2016 5:35pm

mass_debater wrote: »

The first integrated dual band 802.11ac Mikrotik is available any day now. It's only 35 quid and has some amazing specs. I'm going to pre order

Triple-chain wireless 2.4 GHz
Triple-chain wireless 5 GHz
720 MHz CPU
128 MB of RAM
Five Gigabit Ethernet ports
SFP cage
Passive PoE output on port 5
USB port for 3G/4G modem

http://www.cdr.pl/download
http://www.ip-sa.com.pl/rb962uigs-5hact2hnt-p-2053.html

Where are you seeing these for 35e?

I see it now which store is best to order from? Has anyone paid by bank transfer?

Also does anyone no if they have the same 1000mW WiFi Transmitter

mass_debater · 24-02-2016 6:31pm

Kenny Powers wrote: »

Where are you seeing these for 35e?

I see it now which store is best to order from? Has anyone paid by bank transfer?

Also does anyone no if they have the same 1000mW WiFi Transmitter

This is the one you want. Price was wrong and changed as soon as there was stock
http://www.ip-sa.com.pl/rb962uigs-5hact2hnt-p-2053.html

Kenny Powers · 24-02-2016 6:39pm

mass_debater wrote: »

This is the one you want. Price was wrong and changed as soon as there was stock
http://www.ip-sa.com.pl/rb962uigs-5hact2hnt-p-2053.html

Good man any idea what power these are I can't find anything?

The cheaper one doesn't look bad either as a wifi point?

mass_debater · 24-02-2016 6:49pm

Kenny Powers wrote: »

Good man any idea what power these are I can't find anything?

The cheaper one doesn't look bad either as a wifi point?

The 2.4Ghz will be the same 1000mW radio but you really want to be using 5Ghz to get the benefits of 802.11ac. 5Ghz doesn't has half the range of 2.4 and doesn't penetrate obstacles like block walls very well. I have my house setup with a 5Ghz AP behind the TV for the best speeds in the room I use most.

Kenny Powers · 24-02-2016 6:52pm

mass_debater wrote: »

The 2.4Ghz will be the same 1000mW radio but you really want to be using 5Ghz to get the benefits of 802.11ac. 5Ghz doesn't has half the range of 2.4 and doesn't penetrate obstacles like block walls very well. I have my house setup with a 5Ghz AP behind the TV for the best speeds in the room I use most.

Sweet does the cheaper one have the same radio do you know?

Have you bought from the company's above? Is it safe enough do a back transfer? Which would you use first?

Thanks

mass_debater · 24-02-2016 7:00pm

Kenny Powers wrote: »

Sweet does the cheaper one have the same radio do you know?

Have you bought from the company's above? Is it safe enough do a back transfer? Which would you use first?

Thanks

No, the cheaper one has different weaker radios

AfricanTech · 03-06-2016 8:40pm

Hello all

Complete newby here.

Does anyone have a simple script that will disconnect you from your Internet Service Provider (PPOE) and then reconnect you, that can be scheduled to run on a daily basis?

My ISP has a "non metered" window between 00h00 and 06h00, but it's not guaranteed to kick in on 00h00 (it may kick in as much as an hour later) unless you disconnect and reconnect.

Any help hugely appreciated.

mass_debater · 04-06-2016 12:07pm

A scheduled reboot will at a second past 12 will do it. Try this.
/system scheduler
add name="reboot router daily" on-event="/system reboot" start-date=jan/01/1970 start-time=00:00:01 interval=1d comment="" disabled=no

AfricanTech · 06-06-2016 10:44am

Thanks. I managed to work out how to do it without actually rebooting the router.

What the script basically does is to force a reconnect at a given time once a day.

Write the script in 2 steps.

First create the script

/system script add name=scriptForcedDslReconnect source=""

than open it in the editor and add the actual code

/system script edit 0

value-name:source

After this an editor window will open. Copy and paste following lines:

/interface pppoe-client set [find name="DSLConnection"] disabled=yes
/interface pppoe-client set [find name="DSLConnection"] disabled=no
/log info message="DSLConnection forced reconnect. Done!"

and press

CRTL-O

You can now check if all is correct with (everything should be colored in the script)

/system script print

Now we only need to add it to the scheduler

/system scheduler add name=schedulerForcedDslReconnect start-time=00:05:00 interval=24h on-event=scriptForcedDslReconnect

And done, it will disconnect and reconnect every day at 00h05.

mass_debater · 26-06-2016 11:48am

Right, I've decided to order 2 of the brand new Mikrotik wAP ac to change my home setup, ordering next week. I plan on disabling wireless on my RB951 and continuing to use it as router only and moving it to my cabinet in the attic. The APs are one for the landing upstairs, the second for behind the TV in the sitting room, the room we use most.
http://routerboard.com/RBwAPG-5HacT2HnD
http://www.ip-sa.com.pl/rbwapg-5hact2hnd-p-2079.html

I'll be using the Mikrotik Capsman access point controller which I've been reading amazing reports about. It's very like the Ubiquiti zero handoff, all APs use the same channel and are seen by the end user device as one Mac address, the controller controls authentication and the roam of the devices from AP to AP. With this setup I can easily deploy more APs in future, I'll possibly add more wAPs to cover the kitchen and garden at a later date, I can add one in each room if needed, it's good preparation for IOT.
http://wiki.mikrotik.com/wiki/Manual:CAPsMAN

mass_debater · 29-06-2016 10:19pm

Slight change of plan. I took advantage of the sterling rate and snapped up a Mikrotik cloud router switch from the UK. The switch on it's own was €190 delivered from interprojekt, but was only £132 sterling delivered from UK which is €160 atm so i saved €30 on a single switch. I still need 2x wAP AC but that can wait until next month.
https://istore.liberty-izone.com/shopexd.asp?id=26

Kenny Powers · 01-07-2016 7:19am

Anyone know what rule I need to use to stop access to my upc modem (in bridge mode) admin page. It's on a different subnet but can still be accessed.

Kenny Powers · 01-07-2016 7:20am

Is there a way to trigger a wol script when a VPN user connects?

mass_debater · 01-07-2016 6:18pm

Kenny Powers wrote: »

Is there a way to trigger a wol script when a VPN user connects?

Not easy but would be pretty simple to issue a command if you use ssh

mass_debater · 20-07-2016 9:11pm

My Mikrotik wAP ac's got delivered yesterday and I got Capsman configured last night on my Mikrotik CRS (Cloud Router Switch) and the APs connected. I had a few small issues but nothing serious. It took a bit of googling to figure I had to download the cm2 package on the CRS even though I already had all the configurable options in Winbox for Capsman.

Once you get your Capsman configuration setup with datapath (bridge-local on the CRS), channel and security you can setup a provision to push this config to individual (using it's radio Mac) or all APs (using 00:00:00:00:00:00) that are set to CAP mode and set to communicate with it. Configuring the CAP is literally 2 lines of code, telling it to run in CAP mode and the address of the Capsman. The config I'm pushing uses the same channel on both APs, the APs then appear as local interfaces on the CRS, Capsman handles all local forwarding.

On 5GHz ac roaming is completely flawless, I get a single high ping when roaming from one to the other. Roaming will depend on the client but any device I have that has ac works perfect. I have an aggressive access list rule forcing devices to look for a new AP when their signal drops below -80 which works well. Speeds are what I expected and on par to what I had before using an Eir F2000

I have very few devices that need roaming on 2GHz, my wifes One Plus X and my sons Nexus 4. My wife has said she has had one or two dropouts but I suspect I need to reduce the tx power as 2GHz is much more powerful than 5GHz and you can pick up both APs under -80 most places. Speeds are not that great, the 2GHz radio is maxing at about 30Mbit.

Capsman is nearly there, it's functioning well and with a few more updates and performance tweaks could be brilliant for a corporate network to quickly deploy new APs or change settings on all. I realise this is a little overkill for a home setup, but I'm in the business and it's in my interest understand this. I'd certainly recommend Capsman over Ubiquiti Zero handoff which I had plenty of issues with, also Ubiquiti has no 802.11ac product that supports zero handoff.

B1r0 · 28-12-2016 4:13pm

Hi.

Where can I buy the "hAP ac" wireless router?
https://routerboard.com/RB962UiGS-5HacT2HnT

I found an ebay listing, but I'd rather buy in Ireland if the price is not much higher.

Anyone that has tried it yet?

Thanks

The high horse brigade · 30-12-2016 10:12am

B1r0 wrote: »

Hi.

Where can I buy the "hAP ac" wireless router?
https://routerboard.com/RB962UiGS-5HacT2HnT

I found an ebay listing, but I'd rather buy in Ireland if the price is not much higher.

Anyone that has tried it yet?

Thanks

Here you go
https://www.irishwireless.net/rb962uigs-5hact2hnt?search=Hap%20ac

B1r0 · 31-12-2016 2:57pm

The high horse brigade wrote: »

Here you go
https://www.irishwireless.net/rb962uigs-5hact2hnt?search=Hap%20ac

Thanks!
Too bad it asks 20 euro for shipment.

Happy new year!

Sniipe · 23-01-2017 5:37pm

any idea if the "hAP ac" has much extra on RB951G-2HND? I'm curious if I could possibly do away with my 2 RB951G-2HND's and get a single hAP ac.

[edit]
I had a look:
Processor difference. hAP AC is 720mhz as opposed to 600mhz.
Same RAM, same # ports.
hAP AC has AC .
hAP AC consumes over twice as much watts.
5Ghz + 2.4Ghz as opposed to 2.4ghz.
[/edit]

The high horse brigade · 23-01-2017 5:50pm

Sniipe wrote: »

any idea if the "hAP ac" has much extra on RB951G-2HND? I'm curious if I could possibly do away with my 2 RB951G-2HND's and get a single hAP ac.

[edit]
I had a look:
Processor difference. hAP AC is 720mhz as opposed to 600mhz.
Same RAM, same # ports.
hAP AC has AC .
hAP AC consumes over twice as much watts.
5Ghz + 2.4Ghz as opposed to 2.4ghz.
[/edit]

Yeah, it's a nice jump and gives you dual band 802.11a.c. and sfp port.

Be aware that the range on 5ghz is short, half the coverage of 2ghz, it struggles to penetrate walls. I'm using 2x wAP ACs for seamless 5ghz coverage in my house but am only using one 2ghz radio as its coverage is ok and only 3 devices use it (not mine) everything else has 5ghz

Sniipe · 23-01-2017 6:14pm

The high horse brigade wrote: »

Be aware that the range on 5ghz is short, half the coverage of 2ghz,

Thanks for the heads up.

Sniipe · 27-01-2017 1:04pm

I upgraded my upc modem to a VM hub 3.0. I switched it to modem only mode. It then connects to my mikrotik. I expected it to be a seamless changeover. Anyway internet doesn't work through my mikrotik router. Was there something else I needed to do?

The high horse brigade · 27-01-2017 6:42pm

Sniipe wrote: »

I upgraded my upc modem to a VM hub 3.0. I switched it to modem only mode. It then connects to my mikrotik. I expected it to be a seamless changeover. Anyway internet doesn't work through my mikrotik router. Was there something else I needed to do?

Is a DHCP client set on the Wan interface and is it getting a ip address?

gctest50 · 07-03-2017 10:04pm

The handy cia guide to mikrotikory infection updatings

Bosca rewted :

V2.312/12/2011

•All implants updated to include support for beacon jitter and compresssed beacons.

•Beacon code was significantly re-worked as part of the beacon jitter and compression features.

The hope is that this also fixes the non-parsable characters that sometimes are sent by MikroTik implants (i.e. "spillage").

•Secure shell functionality was added to the following supported platforms: ◦MikroTik (all)

The high horse brigade · 08-03-2017 10:06pm

Official response
https://forum.mikrotik.com/viewtopic.php?f=21&t=119308&p=587512#p587512

witnessmenow · 20-02-2018 6:18pm

Not sure if anyone checks here anymore, but I have a question.

I want to setup two wans on my Mikrotik, but I don't want it to be failover

I have one DSL line and one Mobile broadband conneciton. The DSL has a modem in bridge mode and the Mobile Broadband has a modem/router.

I previously had Mikrotik connected to the DSL modem using PPPoE, but I changed DSL providers and while I was inbetween providers I connected the Mikrotik to the Mobile Broadband router as a DHCP client at the weekend and am using that as my wan connection.

My end goal would be to have both wans connected at the one time and that everything is routed over DSL other than specific devices (can be identified by MAC or IP). Basically I want only my PC to use mobile broadband and everything else to use DSL

Any good guides or suggestions on how to achieve this?

Thanks

diarmaidol · 21-02-2018 10:37am

You are looking to implement Policy based routing with NAT. (Nat kinda magically helps keeps your routing symmetrical as a side effect)

This deals with doing something similar for services over an Vpn , but the same idea will apply for you here except you have 2 actual Interfaces you can use for default route and not a vpn tunnel.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

What is the actual problem you are trying to solve? Are you trying to load balance a bit ? Microtik isn't fantastic with that.

witnessmenow · 23-02-2018 7:55pm

diarmaidol wrote: »

You are looking to implement Policy based routing with NAT. (Nat kinda magically helps keeps your routing symmetrical as a side effect)

This deals with doing something similar for services over an Vpn , but the same idea will apply for you here except you have 2 actual Interfaces you can use for default route and not a vpn tunnel.

https://wiki.mikrotik.com/wiki/Policy_Base_Routing

What is the actual problem you are trying to solve? Are you trying to load balance a bit ? Microtik isn't fantastic with that.

Hey, thanks for the link, will take a look now.

Not load-balancing, basically I want my PC to have a dedicated line out. I do some live streaming to do with my youtube channel so I bought got a sim card from three specifically for this (the upload of my DSL is about 500K up, its over 10M on three).

I don't want anything else in the house impacting the internet on the three line. Up to this I had two separate networks in the house, Mikrotik was one and the Three modem was the other. But I have network printers and NAS and other things so it would be very useful to have all on the same network

Headshot · 27-06-2018 7:36pm

I'm a new owner of a Mikrotik Routerboard 2011UiAS-2HnD

Im normally a Sonicwall guy but want to give Mikrotik ago.

Been blown away with the capabilities of this router, the amount of different things it can do is jaw dropping but can be quite confusing.

Just some questions Im hopping fellow Mikrotik owners can help me out with.

In lame man terms what are ment by the firewall chains input, output and forward.
From what i've read forward is used for anything devices behind the firewall but unsure what the others for?

Is there any good guides on creating an IPsec VPN?

The high horse brigade · 27-06-2018 7:45pm

Headshot wrote: »

I'm a new owner of a Mikrotik Routerboard 2011UiAS-2HnD

Im normally a Sonicwall guy but want to give Mikrotik ago.

Been blown away with the capabilities of this router, the amount of different things it can do is jaw dropping but can be quite confusing.

Just some questions Im hopping fellow Mikrotik owners can help me out with.

In lame man terms what are ment by the firewall chains input, output and forward.
From what i've read forward is used for anything devices behind the firewall but unsure what the others for?

Is there any good guides on creating an IPsec VPN?

Enjoy. Like you I was blown away by Mikrotik, now I have 4 devices in my home including a rackmount CRS and 2x wAPs and a RB951 controlled by Capsman with 3 VLANs, main, guest and iot

Here is a good guide for VPN
https://firstdigest.com/2015/01/mikrotik-l2tp-with-ipsec-for-mobile-clients/

Basically for firewall input is anything going to the router itself, forward is anything passing through the router

whowantstwoknow · 03-09-2018 11:14pm

Hi

Recently switched to vodafone SIRO and would like to get RouterOS to connect directly without their router in between but not sure where to begin.

came across this discussion https://community.vodafone.ie/t5/Fixed-Service-Technical-Support/Lightspeed-SIRO-router-specifications/td-p/206325

Any help would be much appreciated.

Thanks
W.

smook · 23-03-2021 3:21pm

Not sure if anyone is still watching this thread but looking for help setting this up. Have Vodafone gigabit broadband router and need help configuring this microtik to extend wifi throughout the house.

The Mikrotik RouterOS config, tips and tricks thread

Comments