
The Mikrotik RouterOS config, tips and tricks thread


Comments

  • Closed Accounts Posts: 552 ✭✭✭smee again


    Have you tried turning off the SIP helper in Firewall service ports
    /ip firewall service-port disable sip
    


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Hi Smee_again,

    Let's ignore whether the ATA is working from a VOIP perspective. When it was the LAN router and I did ping tests from outside on the WAN, the results confirmed the operation of the "respond to ping" setting, i.e. yes/no.

    When I put the ATA behind the RouterOS and reboot it so it's served an IP address from the RouterOS, I still can't ping the device from the tools provided within the WinBox utility. It's what's killing me!! I might reconfigure the ATA to be connected via its LAN port and disable the DHCP server and see if it can be pinged from there...

    Thanks
    W.


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Well,

    Got a chance to test out the ATA's LAN port. First I changed the LAN port IP address to match the one that is being assigned to the WAN port by the RouterOS. Disabled the DHCP server on the ATA.

    Anytime I connect the ATA to the LAN using the WAN port and reboot, the RouterOS (using netwatch) shows the device using the IP address is down. If I then simply switch ports on the ATA, RouterOS will update the IP address as being up. Once on the LAN I can access the ATA router status page, and it shows the WAN port behaving as a DHCP client, i.e. the assigned IP address, gateway etc...

    Confused as hell at this stage!!! I just can't seem to access the admin pages of the ATA, ping etc. when connected via the WAN port. Of course, as per my other observations, I can still make phone calls. This thread talks about putting the ATA behind a router, it all makes sense, but I just can't seem to get it working :mad:

    Also if the ATA is behind RouterOS and reboots, whatever VOIP registration is going on is failing. Any idea how to capture this traffic to see what it is?

    Thanks
    W


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Let the ATA receive an IP from the Mikrotik through DHCP and make it static in RouterOS DHCP Server. Surely you only need to connect to it once to configure it?


  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Hi White,

    Yep, that's what I've done, but the Mikrotik still can't communicate/ping/netwatch with the ATA if it's connected via the WAN port (acting as a DHCP client). I statically configured the ATA LAN port to match that IP address so I could switch connections and inspect the ATA admin pages. As stated, it shows the configuration as one would expect; I've enabled the ATA's "respond to pings" option but still can't access the ATA in any way, but my VOIP still works though!!

    I'm at a loss to explain it....

    W.


  • Registered Users Posts: 281 ✭✭Skalragg


    Is there any way to display how long a neighbour relationship has been established in routing protocols like OSPF? In Cisco routers/L3 switches you can view it in the CLI, but I was looking and I couldn't see it anywhere.

    cheers


  • Registered Users Posts: 4,983 ✭✭✭Tea_Bag


    Hey guys. Been lurking in this thread a while and finally picked up my first Mikrotik, an RB2011UAS-2HnD.


    Anyway, as I suspected, I've no idea what I'm doing. I've fiddled with some DD-WRT, but I'd say I'm still a novice.

    I followed the thread and set it up the best I can.

    Can any of ye check over my setup and spot any problems?

    compact export:
    [admin@MikroTik] > export compact
    # feb/03/2014 12:12:01 by RouterOS 6.7
    # software id = RB2011U
    #
    /interface bridge
    add admin-mac=D4:CA:6D:D8:48:E5 auto-mac=no l2mtu=1598 name=bridge-local \
        protocol-mode=rstp
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
        20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=\
        2447 l2mtu=2290 mode=ap-bridge ssid=Temp wireless-protocol=802.11
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether6 ] name=ether6-master-local
    set [ find default-name=ether7 ] master-port=ether6-master-local name=\
        ether7-slave-local
    set [ find default-name=ether8 ] master-port=ether6-master-local name=\
        ether8-slave-local
    set [ find default-name=ether9 ] master-port=ether6-master-local name=\
        ether9-slave-local
    set [ find default-name=ether10 ] master-port=ether6-master-local name=\
        ether10-slave-local
    set [ find default-name=sfp1 ] name=sfp1-gateway
    /ip neighbor discovery
    set ether1-gateway discover=no
    set sfp1-gateway discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
        wpa-pre-shared-key=yourealeech wpa2-pre-shared-key=yourealeech
    /ip hotspot profile
    add dns-name=google hotspot-address=10.5.50.1 name=hsprof1
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
        mac-cookie-timeout=3d
    /ip ipsec proposal
    set [ find default=yes ] enc-algorithms=3des
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    add name=hs-pool-1 ranges=10.5.50.2-10.5.50.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /port
    set 0 name=serial0
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2
    add bridge=bridge-local interface=ether3
    add bridge=bridge-local interface=ether4
    add bridge=bridge-local interface=ether5
    add bridge=bridge-local interface=ether6-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
        network=192.168.88.0
    add address=10.5.50.1/24 comment="hotspot network" interface=sfp1-gateway \
        network=10.5.50.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=sfp1-gateway
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
        no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=\
        192.168.88.1 gateway=192.168.88.1 netmask=24
    /ip dns
    set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=512 \
        servers=8.8.8.8,8.8.4.4
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=\
        sfp1-gateway
    add action=drop chain=input comment="default configuration" in-interface=\
        ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.88.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    /ip hotspot user
    add name=user password=guest
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    /lcd interface
    set sfp1-gateway interface=sfp1-gateway
    set ether1-gateway interface=ether1-gateway
    set ether2 interface=ether2
    set ether3 interface=ether3
    set ether4 interface=ether4
    set ether5 interface=ether5
    set ether6-master-local interface=ether6-master-local
    set ether7-slave-local interface=ether7-slave-local
    set ether8-slave-local interface=ether8-slave-local
    set ether9-slave-local interface=ether9-slave-local
    set ether10-slave-local interface=ether10-slave-local
    set wlan1 interface=wlan1
    /lcd interface pages
    set 0 interfaces="sfp1-gateway,ether1-gateway,ether2,ether3,ether4,ether5,ethe\
        r6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,e\
        ther10-slave-local"
    /system clock
    set time-zone-name=Europe/Dublin
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=140.203.204.77
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2
    add interface=ether3
    add interface=ether4
    add interface=ether5
    add interface=ether6-master-local
    add interface=ether7-slave-local
    add interface=ether8-slave-local
    add interface=ether9-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2
    add interface=ether3
    add interface=ether4
    add interface=ether5
    add interface=ether6-master-local
    add interface=ether7-slave-local
    add interface=ether8-slave-local
    add interface=ether9-slave-local
    add interface=wlan1
    add interface=bridge-local
    [admin@MikroTik] >
    

    firewall:
    [admin@MikroTik] > ip firewall export
    # feb/03/2014 01:03:47 by RouterOS 6.7
    # software id = LPZD-ULH5
    #
    /ip firewall filter
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=\
        sfp1-gateway
    add action=drop chain=input comment="default configuration" in-interface=\
        ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
        address-list-timeout=1d chain=input comment=\
        "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
        protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
        address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
        address-list-timeout=1h chain=input connection-state=new dst-port=22 \
        protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=\
        ether1-gateway protocol=tcp
    add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
        protocol=gre
    add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
    add action=drop chain=forward comment="drop invalid connections" \
        connection-state=invalid
    add chain=forward comment="allow already established connections" \
        connection-state=established
    add chain=forward comment="allow related connections" connection-state=\
        related
    add action=drop chain=input comment="drop Invalid connections" \
        connection-state=invalid
    add chain=input comment="allow established connections" connection-state=\
        established
    add chain=input comment="acccept lan" in-interface=!ether1-gateway \
        src-address=192.168.88.0/24
    add action=drop chain=input comment="drop everything else"
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    

    ip firewall nat export
    [admin@MikroTik] > ip firewall nat export
    # jan/28/2014 08:35:15 by RouterOS 6.7
    # software id = LPZD-ULH5
    #
    /ip firewall nat
    add action=passthrough chain=unused-hs-chain comment=\
        "place hotspot rules here" disabled=yes
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=sfp1-gateway
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=ether1-gateway to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment=masquerade out-interface=\
        ether1-gateway
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
        192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
    add action=masquerade chain=srcnat comment="masquerade hotspot network" \
        src-address=10.5.50.0/24
    [admin@MikroTik] >
    



    my setup is as follows:

    [image attachment: network setup diagram]

    questions:

    1) Is my firewall sufficient? :confused:
    2) I assume I'm double NAT'd. Can I fix that with the limited access I have to my Thompson UPC router?
    3) Suggest me a DNS server? Does all my traffic flow through 2 DNSs technically, due to passing through UPC's DNS on the Thompson router (which can't be modified :mad:)? Can that be fixed?
    4) I want to monitor bandwidth passing through the router, or technically the Ether1 port, on a monthly basis. I've worked out it's in "queues" but that's as far as I get. I don't care for individual MAC address monitoring or anything, just overall usage. Help? Any scripts to run? I can find my way around WinBox/terminals.
    5) I want to set up a second WLAN, a guest network. I want this network limited to around 5MB down/3MB up. If it's not too complex, I want the guest network to not have access to the internal WLAN1 or LAN1. Can I monitor the guest network "WLAN2" bandwidth separately?

    I tried my hand at the hotspot setup but I made a hash of it, so I think I deleted it, but it's popping up in some of that code so I'm not sure?


    Thanks for even reading this far. If you have ANY tips/tricks/MUST-DOs/etc. that you think a noob wouldn't know, any comments appreciated. :o


    OT: it's been a while since I've been on boards, and I'm sorry to see Pog has closed his account. Thanks for all the help here and elsewhere buddy :)


  • Closed Accounts Posts: 1,788 ✭✭✭White Heart Loon


    Your firewall looks OK, but you really should reset it to default and start again to remove all of those hotspot configurations. Also, you'll need to get your UPC modem into bridge mode; double NAT will cause lots of problems, and DMZ makes this even messier.
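The reset-and-rebuild suggested in the reply above, written out as an added example that nobody in the thread posted, for the RB2011 export a few posts up. It assumes ether1-gateway is the only WAN port, bridge-local with 192.168.88.0/24 is the LAN, sfp1-gateway is unused, and that it is pasted from a LAN-side WinBox or console session, because the first step removes every existing filter rule. The names hsprof1, hs-pool-1 and the "hotspot network" comment are taken from the export.

```routeros
# Added example (not from the thread): replace the accumulated default + hotspot +
# brute-force rules with a short, ordered rule set. Assumes ether1-gateway = WAN,
# 192.168.88.0/24 = LAN, run from a LAN session (the remove drops all filter rules).
/ip firewall filter
remove [find]
# input chain: traffic addressed to the router itself
add chain=input action=accept connection-state=established comment="input: established"
add chain=input action=accept connection-state=related comment="input: related"
add chain=input action=drop connection-state=invalid comment="input: invalid"
add chain=input action=accept protocol=icmp comment="input: ICMP (ping, path MTU discovery)"
add chain=input action=accept in-interface=!ether1-gateway src-address=192.168.88.0/24 comment="input: management from LAN only (winbox, ssh, dns, www)"
add chain=input action=drop comment="input: everything else, so no service is reachable from the WAN"
# forward chain: traffic routed through the router
add chain=forward action=accept connection-state=established comment="forward: established"
add chain=forward action=accept connection-state=related comment="forward: related"
add chain=forward action=drop connection-state=invalid comment="forward: invalid"
add chain=forward action=accept in-interface=!ether1-gateway comment="forward: LAN out to WAN"
add chain=forward action=drop in-interface=ether1-gateway comment="forward: unsolicited inbound from WAN (put dst-nat accepts above this rule)"
# one masquerade rule is enough; the export carried three overlapping ones
/ip firewall nat
remove [find]
add chain=srcnat action=masquerade out-interface=ether1-gateway comment="NAT LAN to WAN"
# leftovers from the abandoned hotspot attempt and the unused SFP uplink
/ip hotspot user remove [find]
/ip hotspot profile remove [find name=hsprof1]
/ip pool remove [find name=hs-pool-1]
/ip address remove [find comment="hotspot network"]
/ip dhcp-client remove [find interface=sfp1-gateway]
# UPnP lets any LAN host open WAN ports on its own; leave it off unless a console needs it
/ip upnp set enabled=no
# management services: disable what is unused, bind the rest to the LAN subnet
/ip service disable telnet,ftp,api
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
# monthly WAN volume (question 4): built-in graphing, viewed at http://192.168.88.1/graphs
/tool graphing interface add interface=ether1-gateway allow-address=192.168.88.0/24 store-on-disk=yes
```

Rule order is what makes this work: the single "management from LAN only" accept sits above the final drop, so WinBox, SSH, the API and DNS are unreachable from the WAN without a rule per port, and the ssh_stage address lists become unnecessary. Check the result with `/ip firewall filter print stats` after browsing from the LAN: the WAN drop counters should climb while the LAN accept carries your own sessions.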



  • Registered Users Posts: 754 ✭✭✭whowantstwoknow


    Well, got the ATA working as one would expect....almost!!

    It seems BOTH ATA ports MUST be connected to the LAN. So I have the WAN port as a DHCP client and the LAN port statically configured. In this configuration, if you reset the ATA behind the Mikrotik, it registers OK with the SIP provider!! What has been throwing me is that if the ATA is the main router and only the WAN port is connected, it registers fine too.

    The Mikrotik can only successfully ping the ATA WAN port if the LAN port is connected. Though I still can't access the ATA admin from the WAN port, but that's OK as it's now available from the ATA's LAN port.

    The ATA LAN port's IP address comes up on the Mikrotik IP ARP list. I've made this record static; is that OK (not sure what ARP is, must read up)?

    Now off to see if it's possible to "wake" a LAN device from the internet through the Mikrotik. Seen some links suggesting one can, but nothing has worked yet. I know you can log on to the Mikrotik and do it, but I would imagine that makes the Mikrotik router less safe....

    Thanks

    W

    Hope this is of use to somebody else....


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    I often see this in the logs during the night, where my PPPoE connection seems to disconnect.

    [screenshot of the log entries]

    I am using eircom eFibre (ZyXEL F1000) in bridge mode connected to my RB951G-2HND.

    Anyone else see similar?


  • Registered Users Posts: 7,018 ✭✭✭witnessmenow


    Possibly strange scenario.

    I have eircom broadband and it is atrocious in the evening. During the day and night it's fine, and it's fairly mixed at weekends.

    I was thinking of maybe trying out a mobile dongle as well as my eircom internet.

    I have a dongle that works with my mikrotik as I have used it before.

    Does anyone have suggestions on how I could set this up? Even from a practical sense rather than implementation.

    I have a server for downloading etc.; at all times this should use eircom. I guess I make that have its own route that always ends up at the eircom, so that's OK.

    But the other stuff in the house is the confusing part. Ideally it would use the best route to the internet at the time, but I don't know how practical that is.

    It wouldn't be the end of the world if I had to manually change the endpoint from BB to mobile when required.

    Any thoughts or ideas?
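The split asked for above (server pinned to eircom, the rest of the house on eircom with the dongle as fallback) as an added example; it is not from anyone in the thread. It does failover, not automatic "best link" selection, which would need a script measuring both links. Assumptions: pppoe-out1 is the eircom PPPoE client, ppp-out1 is the dongle's PPP client, the LAN is 192.168.88.0/24 and the download server is 192.168.88.50; all four names are placeholders for this example.

```routeros
# Added example (not from the thread): two uplinks, the server pinned to eircom,
# everyone else on eircom with automatic fallback to the dongle.
# Assumed names: pppoe-out1 (eircom), ppp-out1 (dongle), server 192.168.88.50.
# 1. default routes: eircom preferred; the dongle takes over while eircom's peer stops answering pings
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 distance=1 check-gateway=ping comment="eircom (primary)"
/ip route add dst-address=0.0.0.0/0 gateway=ppp-out1 distance=2 comment="dongle (backup)"
# 2. a separate routing table for the server: eircom or nothing, never a silent fall-through to the dongle
/ip route add dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=via-eircom distance=1 comment="server: eircom"
/ip route add dst-address=0.0.0.0/0 type=unreachable routing-mark=via-eircom distance=2 comment="server: no dongle"
# 3. steer the server's internet-bound traffic into that table; LAN-to-LAN traffic is left alone
/ip firewall mangle add chain=prerouting src-address=192.168.88.50 dst-address=!192.168.88.0/24 action=mark-routing new-routing-mark=via-eircom passthrough=no comment="server -> via-eircom table"
# 4. NAT for whichever uplink a connection leaves on
/ip firewall nat add chain=srcnat action=masquerade out-interface=pppoe-out1 comment="NAT via eircom"
/ip firewall nat add chain=srcnat action=masquerade out-interface=ppp-out1 comment="NAT via dongle"
# manual switch for the evenings: raise eircom's distance above the dongle's, lower it again later
# /ip route set [find comment="eircom (primary)"] distance=3
```

Two caveats a practitioner would want: `check-gateway=ping` only notices the PPPoE peer not answering, so a link that is up but useless stays primary (a netwatch on an external address that disables the route is the usual refinement), and connections already open over eircom are not migrated on failover; they time out and the clients reconnect over the dongle.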


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    I am getting rid of my MikroTik RouterBoard RB951G-2HnD in case anyone is interested. I have it on adverts; it was a bit too complicated for a novice home user.


  • Registered Users Posts: 463 ✭✭mylesm


    Hello

    I have an ASUS RT-N66U as my wireless router for my house. It is connected to a UPC modem which is in bridge mode.

    I am happy with the ASUS, but I need wireless coverage in the garage. I have Cat 5 cable run to the garage.

    Is it possible to use a MikroTik RouterBoard 951G-2HnD as a wireless AP connected by the Cat 5 back to the ASUS?

    Is it easy to set it up as an AP, i.e. no routing? I like the Asus because it gives me a guest network isolated from the main network, so visitors use the guest network.

    If possible I could reverse the situation and use the MikroTik RouterBoard 951G-2HnD
    as the main router and use the Asus in the garage as an AP.

    But will the MikroTik RouterBoard 951G-2HnD give me a guest network separate from the main network?

    Any advice please

    Thanks

    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    mylesm wrote: »
    Is it possible to use a MikroTik RouterBoard 951G-2HnD as a wireless AP connected by the Cat 5 back to the ASUS?

    Yes, very easy
    mylesm wrote: »
    Is it easy to set it up as an AP, i.e. no routing? I like the Asus because it gives me a guest network isolated from the main network, so visitors use the guest network.

    Not easy. Adding another virtual network on a single interface is easy (a virtual AP, like the guest network you have on the Asus); extending that beyond the device itself isn't (VLANs). It involves tagging the Ethernet frames as they are transmitted (VLAN tagging) so the next device knows which network they belong to.
    http://en.wikipedia.org/wiki/Virtual_LAN
    http://en.wikipedia.org/wiki/IEEE_802.1Q

    I have this in my own home, but I have lots of experience and only have Mikrotik devices, which makes it a little easier to accomplish.


  • Registered Users Posts: 463 ✭✭mylesm


    same ol sh1te wrote: »
    Yes, very easy

    Not easy. Adding another virtual network on a single interface is easy (a virtual AP, like the guest network you have on the Asus); extending that beyond the device itself isn't (VLANs). It involves tagging the Ethernet frames as they are transmitted (VLAN tagging) so the next device knows which network they belong to.
    http://en.wikipedia.org/wiki/Virtual_LAN
    http://en.wikipedia.org/wiki/IEEE_802.1Q

    I have this in my own home, but I have lots of experience and only have Mikrotik devices, which makes it a little easier to accomplish.

    Thanks for reply

    I got the Mikrotik 951G-2HnD and just set it up with the default config. All wired ports are bridged and work fine; connected to the internet and LAN devices no problem, i.e. a NAS drive on port 3 I can access from my PC plugged into port 2.

    Internet is working no problem, both wireless and wired, so everything is good.

    But I cannot access my NAS over wireless. I usually store my media on the NAS.

    Do I have to bridge the wireless LAN to the wired, or any idea please?

    thanks again

    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    Yes, add the wireless interface to the bridge (the default script should have added it). Also, if the NAS is wireless, make sure default forward is selected for the wireless interface; otherwise it isolates the clients.


  • Registered Users Posts: 463 ✭✭mylesm


    same ol sh1te wrote: »
    Yes, add the wireless interface to the bridge (the default script should have added it). Also, if the NAS is wireless, make sure default forward is selected for the wireless interface; otherwise it isolates the clients.
    Thanks again

    NAS is wired into port 3 on the router. I can see it on the wired network and read it, but cannot connect to it from a wireless device. If I revert to the old router I can read it with a wireless device no problem. I only got the Mikrotik, so maybe some issue with IP address; will try to resolve over the next few days.
    Thanks again


  • Registered Users Posts: 463 ✭✭mylesm


    Everything working great now, brilliant router: streaming 3 movies to 3 different devices and playing music on a network media player, rock steady.

    On the Quick Set screen there is a guest wireless network. I enabled this and gave it a different name to my main wireless.

    It works, but on my Asus router the guest network only had access to the internet, no access to the internal LAN, which is what I want as I don't want guests snooping on my LAN.

    Is it possible on the Mikrotik to have the guest network only having internet access?

    Anyway, so far this is a great router, can't believe the functions for the price.

    thanks Again
    mylesm


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    Without seeing your config I wouldn't know where to start, do an export compact and paste it here and I'll give you the commands.


  • Registered Users Posts: 463 ✭✭mylesm


    Listen, thanks very much, and I don't want to bother you, so don't spend too much time at this. As you will see from the config, I have 2 wireless interfaces.

    ShelmarGarage is the main one and I want that to access the LAN and internet.

    ShelmarGarageGuests is the guest network and I was wondering if I could restrict that to only access the WAN port, i.e. no access to LAN ports.

    It works like that on my ASUS router: the guest network only gets to the internet, so if I could get it like that on the Mikrotik I would use the Mikrotik as my main router and use the Asus as an extension AP.

    Thanks again, and as I have no experience in these types of routers, only ever used consumer routers, I hope this config is what you might need to see what I am talking about.



    [admin@MikroTik] > /export compact
    # jan/02/1970 02:06:01 by RouterOS 6.15
    # software id = CCB8-P1HX
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local
    /interface wireless
    set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above disabled=no distance=indoors l2mtu=2290 mode=ap-bridge \
    ssid=ShelmarGarage wireless-protocol=802.11
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-gateway
    set [ find default-name=ether2 ] name=ether2-master-local
    set [ find default-name=ether3 ] master-port=ether2-master-local name=\
    ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether2-master-local name=\
    ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether2-master-local name=\
    ether5-slave-local
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
    dynamic-keys wpa-pre-shared-key=test1111 wpa2-pre-shared-key=test1111
    add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
    wpa-pre-shared-key=test1111 wpa2-pre-shared-key=test1111
    /interface wireless
    add disabled=no l2mtu=2290 mac-address=D6:CA:6D:BE:8E:01 master-interface=\
    wlan1 name=wlan2 security-profile=profile ssid=ShelmarGarageGuests
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp interface=bridge-local lease-time=10m name=\
    default
    /interface bridge filter
    add action=drop chain=forward in-interface=wlan2
    add action=drop chain=forward out-interface=wlan2
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    add bridge=bridge-local interface=wlan2
    /ip address
    add address=192.168.1.2/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.1.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.1.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.1.2 netmask=24
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add chain=forward comment="default configuration" connection-state=\
    established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" disabled=\
    yes out-interface=ether1-gateway to-addresses=0.0.0.0
    /ip upnp
    set allow-disable-external-interface=no
    /system leds
    set 0 interface=wlan1
    [admin@MikroTik] >


  • Registered Users Posts: 463 ✭✭mylesm


    I just came across this page. I think this might achieve what I want, what do you think? I had to translate it.

    http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    mylesm wrote: »
    I just came across this page. I think this might achieve what I want, what do you think? I had to translate it.

    http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1

    Yeah, you'll need to remove wlan2 from bridge-local and add it to your new bridge, using those instructions as a guide.

    There are issues with the way you have your Mikrotik configured: it is still a router. You still have a NAT rule for ether1 but are obviously just using ether2-5. I would disable this rule (the masquerade rule under /ip firewall nat) and set the ether1 interface as slave to ether2 so you have 5 switched ports, no WAN.
    /ip firewall nat set 0 disabled=yes
    
    /interface ethernet set ether1 name=ether1-slave-local speed=1Gbps master-port=ether2-master-local
    

    The way it stands there is no default route, therefore the router itself does not know the way out to the internet. Your devices get a DHCP lease giving them the default route, so we need to add one for the router. If your Asus is 192.168.1.1, add this route:
    /ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1
    

    I also notice you still have the DHCP server enabled on this router and assigned to bridge-local. If you're using the DHCP server on the Asus you'll need to disable the default one on the Mikrotik.

    I can see an issue later when you get the guest network routing: the default gateway (Asus) is in the subnet you will be trying to block access to, so you may have to edit the block rule to block every address except the IP of the Asus.
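    The isolation rule set with the gateway exception described above, as an added example that is not from the thread. It assumes the main LAN is 192.168.1.0/24 on bridge-local, the guest LAN is 192.168.2.0/24 on a separate bridge-guest, and the upstream gateway (the Asus) is 192.168.1.1; the subnet and list names are invented for the example.

```routeros
# Added example, not from the original post. Assumed addressing:
#   main LAN  192.168.1.0/24  (bridge-local), gateway Asus at 192.168.1.1
#   guest LAN 192.168.2.0/24  (bridge-guest)
/ip firewall address-list
add list=main-lan address=192.168.1.0/24 comment="main LAN (assumed)"
add list=guest-lan address=192.168.2.0/24 comment="guest LAN (assumed)"
add list=guest-allowed address=192.168.1.1 comment="Asus gateway (assumed)"

# Filter rules are matched top to bottom, first match wins, so the
# accept rules must sit above the drops.
/ip firewall filter
add chain=forward connection-state=established,related action=accept \
    comment="allow replies to flows already permitted"
add chain=forward connection-state=invalid action=drop \
    comment="drop state-tracking garbage"
# Guests must still reach the gateway itself or they have no way out.
add chain=forward src-address-list=guest-lan dst-address-list=guest-allowed \
    action=accept comment="guest -> gateway only"
# Everything else between the two subnets is dropped, in both directions.
add chain=forward src-address-list=guest-lan dst-address-list=main-lan \
    action=drop comment="guest -> main LAN blocked"
add chain=forward src-address-list=main-lan dst-address-list=guest-lan \
    action=drop comment="main LAN -> guest blocked"

# Check the order and the hit counters after testing from a guest client:
/ip firewall filter print stats where chain=forward
```

    The forward chain only sees traffic crossing between bridges; guest clients still need DHCP and DNS from the router itself, which is handled in the input chain, not here.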


  • Registered Users Posts: 463 ✭✭mylesm


    Thanks very much, I will try this. If I get the Mikrotik working with the guest network I intend to use the ASUS only as an AP wired to a LAN port on the Mikrotik; the Asus has an AP mode which disables DHCP etc.

    Thanks again, hopefully I will get it going. I can't believe these routers are not more well known.


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    mylesm wrote: »
    Thanks very much, I will try this. If I get the Mikrotik working with the guest network I intend to use the ASUS only as an AP wired to a LAN port on the Mikrotik; the Asus has an AP mode which disables DHCP etc.

    Thanks again, hopefully I will get it going. I can't believe these routers are not more well known.

    Ah, then disregard what I said above, I took it that the Asus was your gateway.


  • Registered Users Posts: 463 ✭✭mylesm


    Well, thanks very much for your help. I now have the Mikrotik running as my main router, with one wireless LAN on the same IP range as the wired LAN and a guest wireless on a different IP range, plus new firewall rules which prevent crossover in either direction.

    Working great so far; these Mikrotik routers are certainly very flexible compared to consumer routers.


  • Closed Accounts Posts: 1,837 ✭✭✭same ol sh1te


    mylesm wrote: »
    Well, thanks very much for your help. I now have the Mikrotik running as my main router, with one wireless LAN on the same IP range as the wired LAN and a guest wireless on a different IP range, plus new firewall rules which prevent crossover in either direction.

    Working great so far; these Mikrotik routers are certainly very flexible compared to consumer routers.

    Nice one. Bandwidth shaping, packet marks, mangles and queues next: limit your guest users to a low speed and prioritise your main subnet users over guests. The fun has only started; if you're anything like me you'll be playing for weeks :D


  • Registered Users Posts: 463 ✭✭mylesm


    same ol sh1te wrote: »
    Nice one. Bandwidth shaping, packet marks, mangles and queues next: limit your guest users to a low speed and prioritise your main subnet users over guests. The fun has only started; if you're anything like me you'll be playing for weeks :D

    Funny you should say that, I was just wondering how to limit guest network bandwidth and prioritise my main network.

    I presume if I set no country on wireless it transmits at full power?

    mylesm


  • Registered Users Posts: 682 ✭✭✭Xantia


    Set it to Ireland to get the 13 WiFi channels, otherwise you will only get the default 10.
    Set the frequency mode to manual-txpower for the max power,
    or set that to regulatory-domain for standard power settings.


  • Registered Users Posts: 229 ✭✭djr


    Hello,

    I'm new to Mikrotik, having used SnapGear, Astaro, IPCop, Smoothwall etc. in the past. I'm a home user with the 120 Mbps UPC package, who also requires an IPsec or OpenVPN site-to-site setup with work (I'm the IT manager). I'm currently running a SnapGear SME575, which seems to be topping out at 60 Mbps WAN->LAN, so I'm not seeing all my package speed. This is annoying, but can't be helped with this hardware. The Cisco 3925 is in bridge mode, and if I directly connect anything via ethernet, I see 100+ Mbps as expected.

    So, I want to get rid of the SnapGear and put in something like a RouterBOARD. I've been looking at this one, but am not sure if it's a case + board for that price...

    I need it to run 100+ Mbps on WAN->LAN, which it should, but I'm not sure what to expect with VPN throughput.

    I'd much appreciate any advice on which hardware to buy, and whether that yoke linked above is complete overkill for my needs... I don't need any WiFi capabilities, just a router/firewall & VPN.

    Thanks in advance,

    Dave.

