The Mikrotik RouterOS config, tips and tricks thread
Have you tried turning off the SIP helper in Firewall service ports?
/ip firewall service-port disable sip
-
Hi Smee_again,
Let's ignore whether the ATA is working from a VOIP perspective. When it was the LAN router and I did ping tests from outside on the WAN, the results confirmed the operation of the "respond to ping" setting, i.e. (yes/no).
When I put the ATA behind the RouterOS and reboot it so it's served an IP address from the RouterOS, I still can't ping the device from the tools provided within the winbox utility. It's what's killing me!! I might reconfigure the ATA to be connected via its LAN port and disable the DHCP server and see if it can be pinged from there...
Thanks
W.
-
Well,
got a chance to test out the ATA's LAN port. First I changed the LAN port IP address to match the one that is being assigned to the WAN port by the RouterOS. Disabled the DHCP server on the ATA.
Anytime I connect the ATA to the LAN using the WAN port and reboot, the RouterOS (using netwatch) shows the device using the IP address is down. If I then simply switch ports on the ATA, RouterOS will update the IP address as being up. Once on the LAN I can access the ATA router status page, and it shows the WAN port behaving as a DHCP client, i.e. the assigned IP address, gateway etc...
Confused as hell at this stage!!! I just can't seem to access the admin pages of the ATA, ping etc when connected via the WAN port. Of course as per my other observations, I can still make phone calls. This thread talks about putting the ATA behind a router, it all makes sense, but I just can't seem to get it working :mad:
Also if the ATA is behind RouterOS and reboots, whatever VOIP registration is going on is failing. Any idea how to capture this traffic to see what it is?
Thanks
W
-
Let the ATA receive an IP from the Mikrotik through DHCP and make it static in RouterOS DHCP Server. Surely you only need to connect to it once to configure it?
-
Hi White,
Yep that's what I've done, but the Mikrotik still can't communicate/ping/netwatch with the ATA if it's connected via the WAN port (acting as a DHCP client). I statically configured the ATA LAN port to match that IP address so I could switch connections and inspect the ATA admin pages. As stated, it shows the configuration as one would expect, I've enabled the ATA's response to pings option but still can access the ATA in anyway, but my VOIP still works though!!
I'm at a loss to explain it....
W.
-
Is there any way to display how long a neighbour relationship has been established in routing protocols like OSPF? In Cisco routers/L3 switches you can view it in the CLI but was looking and I couldn't see it anywhere.
cheers
-
Hey guys. been lurking in this thread a while and finally picked up my first Mikrotik, an RB2011UAS-2HnD.
anyway, as I suspected, I've no idea what I'm doing. I've fiddled with some DD-WRT, but I'd say I'm still a novice.
I followed the thread and set it up the best I can.
can any of yea check over my setup and spot any problems?
compact export:
[admin@MikroTik] > export compact
# feb/03/2014 12:12:01 by RouterOS 6.7
# software id = RB2011U
#
/interface bridge
add admin-mac=D4:CA:6D:D8:48:E5 auto-mac=no l2mtu=1598 name=bridge-local \
    protocol-mode=rstp
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=\
    2447 l2mtu=2290 mode=ap-bridge ssid=Temp wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
set [ find default-name=sfp1 ] name=sfp1-gateway
/ip neighbor discovery
set ether1-gateway discover=no
set sfp1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys \
    wpa-pre-shared-key=yourealeech wpa2-pre-shared-key=yourealeech
/ip hotspot profile
add dns-name=google hotspot-address=10.5.50.1 name=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
    mac-cookie-timeout=3d
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
add name=hs-pool-1 ranges=10.5.50.2-10.5.50.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=bridge-local name=default
/port
set 0 name=serial0
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge port
add bridge=bridge-local interface=ether2
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=bridge-local interface=ether5
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=wlan1
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
    network=192.168.88.0
add address=10.5.50.1/24 comment="hotspot network" interface=sfp1-gateway \
    network=10.5.50.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=sfp1-gateway
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1 netmask=24
/ip dns
set allow-remote-requests=yes cache-size=4096KiB max-udp-packet-size=512 \
    servers=8.8.8.8,8.8.4.4
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=input comment="allow ICMP" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=\
    "list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=\
    ether1-gateway protocol=tcp
add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
    protocol=gre
add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=input comment="drop Invalid connections" \
    connection-state=invalid
add chain=input comment="allow established connections" connection-state=\
    established
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
    src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=masquerade out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
    192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
/ip hotspot user
add name=user password=guest
/ip upnp
set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/lcd interface
set sfp1-gateway interface=sfp1-gateway
set ether1-gateway interface=ether1-gateway
set ether2 interface=ether2
set ether3 interface=ether3
set ether4 interface=ether4
set ether5 interface=ether5
set ether6-master-local interface=ether6-master-local
set ether7-slave-local interface=ether7-slave-local
set ether8-slave-local interface=ether8-slave-local
set ether9-slave-local interface=ether9-slave-local
set ether10-slave-local interface=ether10-slave-local
set wlan1 interface=wlan1
/lcd interface pages
set 0 interfaces="sfp1-gateway,ether1-gateway,ether2,ether3,ether4,ether5,ethe\
    r6-master-local,ether7-slave-local,ether8-slave-local,ether9-slave-local,e\
    ther10-slave-local"
/system clock
set time-zone-name=Europe/Dublin
/system ntp client
set enabled=yes mode=unicast primary-ntp=140.203.204.77
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2
add interface=ether3
add interface=ether4
add interface=ether5
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=wlan1
add interface=bridge-local
[admin@MikroTik] >
firewall:
[admin@MikroTik] > ip firewall export
# feb/03/2014 01:03:47 by RouterOS 6.7
# software id = LPZD-ULH5
#
/ip firewall filter
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    sfp1-gateway
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add chain=input comment="allow ICMP" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=\
    "list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=\
    ether1-gateway protocol=tcp
add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
    protocol=gre
add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid
add chain=forward comment="allow already established connections" \
    connection-state=established
add chain=forward comment="allow related connections" connection-state=\
    related
add action=drop chain=input comment="drop Invalid connections" \
    connection-state=invalid
add chain=input comment="allow established connections" connection-state=\
    established
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
    src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else"
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=masquerade out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
    192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
ip firewall nat export
[admin@MikroTik] > ip firewall nat export
# jan/28/2014 08:35:15 by RouterOS 6.7
# software id = LPZD-ULH5
#
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=sfp1-gateway
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment=masquerade out-interface=\
    ether1-gateway
add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=\
    192.168.88.252 src-address=192.168.88.0/24 to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=10.5.50.0/24
[admin@MikroTik] >
my setup is as follows:
questions:
1) is my firewall sufficient?
2) I assume I'm double NAT'd. can I fix that with the limited access I have to my Thompson UPC router?
3) suggest me a DNS server? does all my traffic flow through 2 DNS's technically due to passing through UPC's DNS on the Thompson router? (which can't be modified :mad:) can that be fixed?
4) I want to monitor bandwidth passing through the router, or technically Ether1 port, on a monthly basis. I've worked out it's in "queues" but that's as far as I get. I don't care for individual MAC address monitoring or anything, just overall usage. help? any scripts to run? I can find my way around winbox/terminals.
5) I want to set up a second WLAN, a guest network. I want this network limited to around 5MB down/3MB up. if it's not too complex, I want the guest network to not have access to the internal WLAN1 or LAN1. can I monitor the guest network "WLAN2" bandwidth separately?
I tried my hand at the hotspot setup but I made a hash of it so I think I deleted it but it's popping up in some of that code so I'm not sure?
thanks for even reading this far. if you have ANY tips/tricks/MUST-DO's/etc that you think a noob wouldn't know, any comments appreciated. :o
OT: it's been a while since I've been on boards, and I'm sorry to see Pog has closed his account. thanks for all the help here and elsewhere buddy
-
Your firewall looks ok, but you really should reset it to default and start again to remove all of those hotspot configurations. Also, you'll need to get your UPC modem into a bridge, double NAT will cause lots of problems, DMZ makes this even messier.
-
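Added example (not part of any poster's message, and not MikroTik code): a small Python model of RouterOS first-match rule evaluation, run over input-chain rules abridged from the export posted above, to show which rule decides the fate of a given packet. The packet dictionaries and the addresses in them are constructed for illustration, and only the matchers that occur in these rules are modelled.

```python
import ipaddress
import re
import shlex

# Input-chain rules abridged from the export posted above, original order kept.
# No action= means accept; a trailing "\" continues the line, as in the export.
POSTED_INPUT_CHAIN = r'''
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=\
    ether1-gateway protocol=tcp
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
    src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else"
'''

NOT_MATCHERS = {"action", "chain", "comment", "disabled",
                "address-list", "address-list-timeout"}
NON_TERMINATING = {"passthrough", "log", "add-src-to-address-list",
                   "add-dst-to-address-list"}


def parse_rules(export_text):
    """Turn 'add key=value ...' export lines into a list of dicts."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        tokens = shlex.split(line)
        if tokens and tokens[0] == "add":
            rule = dict(tok.partition("=")[::2] for tok in tokens[1:])
            rule.setdefault("action", "accept")
            rules.append(rule)
    return rules


def _port_in(spec, port):
    """True if port is covered by a spec such as '22' or '20-23,8291'."""
    ranges = (part.partition("-") for part in spec.split(","))
    return any(int(lo) <= port <= int(hi or lo) for lo, _, hi in ranges)


def matches(rule, pkt):
    """A rule matches only if every matcher on it agrees with the packet."""
    for key, value in rule.items():
        if key in NOT_MATCHERS:
            continue
        negate, value = value.startswith("!"), value.lstrip("!")
        if key in ("protocol", "in-interface", "connection-state"):
            hit = pkt.get(key) == value
        elif key == "dst-port":
            hit = key in pkt and _port_in(value, pkt[key])
        elif key in ("src-address", "dst-address"):
            hit = key in pkt and (ipaddress.ip_address(pkt[key])
                                  in ipaddress.ip_network(value))
        else:
            raise ValueError(f"matcher not modelled: {key}")
        if hit == negate:
            return False
    return True


def evaluate(rules, chain, pkt):
    """First-match walk: (verdict, rule number, comment, side-effect rules)."""
    side_effects = []
    for number, rule in enumerate(rules, start=1):
        if (rule["chain"] != chain or rule.get("disabled") == "yes"
                or not matches(rule, pkt)):
            continue
        if rule["action"] in NON_TERMINATING:
            side_effects.append(number)  # e.g. address-list bookkeeping
            continue
        return rule["action"], number, rule.get("comment", ""), side_effects
    return "accept", None, "end of chain", side_effects


# Constructed sample packets; 203.0.113.7 is a documentation address.
WAN_SSH = {"in-interface": "ether1-gateway", "protocol": "tcp", "dst-port": 22,
           "connection-state": "new", "src-address": "203.0.113.7"}
WAN_PPTP = {**WAN_SSH, "dst-port": 1723}
LAN_SSH = {**WAN_SSH, "in-interface": "bridge-local",
           "src-address": "192.168.88.20"}
LAN_WINBOX = {**LAN_SSH, "dst-port": 8291}
SAMPLES = {"WAN ssh": WAN_SSH, "WAN pptp": WAN_PPTP,
           "LAN ssh": LAN_SSH, "LAN winbox": LAN_WINBOX}

if __name__ == "__main__":
    rules = parse_rules(POSTED_INPUT_CHAIN)
    for name, pkt in SAMPLES.items():
        print(f"{name:10} -> {evaluate(rules, 'input', pkt)}")
```

With this rule order a new connection arriving on ether1-gateway is stopped by the default-configuration drop rule, so the later "allow ssh" and "accept vpn" rules only ever see traffic from other interfaces.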
Wow, just discovered the new Routerboard CRS125-24G-1S-2HnD-IN, what a beast, check this:
24 Gigabit ports, SFP and Micro USB port and 802.11n AP
http://www.interprojekt.com.pl/mikrotik-routerboard-crs12524g1s2hndin-p-1473.html
http://www.ebay.ie/itm/MikroTik-RouterBoard-CRS125-24G-1S-2HnD-IN-Cloud-Router-Switch-/181284411756?pt=US_Network_Switches&hash=item2a3564996c
-
Well got the ATA working as one would expect....almost!!
It seems BOTH ATA ports MUST be connected to the LAN. So I have the WAN port as a DHCP client and the LAN port statically configured. In this configuration, if you reset the ATA behind the Mikrotik, it registers OK with the SIP provider!! What has been throwing me is if the ATA is the main router and only the WAN port is connected, it registers fine too.
The Mikrotik can only successfully ping the ATA WAN port if the LAN port is connected. Though I still can't access the ATA admin from the WAN port, but that's OK as it's now available from the ATA's LAN port.
The ATA LAN port's IP address comes up on the Mikrotik IP ARP list. I've made this record static, is that OK (not sure what ARP is, must read up)?
Now off to see if it's possible to "wake" a LAN device from the internet through the Mikrotik. Seen some links suggesting one can, but nothing has worked yet. I know you can log on to the Mikrotik and do it but I would imagine that makes the Mikrotik router less safe....
Thanks
W
Hope this is of use to somebody else....
-
I often see this in the logs during the night where my PPPoE connection seems to disconnect.
I am using eircom eFibre (ZyXEL F1000) in bridge mode connected to my RB951G-2HND.
Anyone else see similar?
-
Possibly strange scenario.
I have eircom broadband and it is atrocious in the evening. During the day and night it's fine, and it's fairly mixed at weekends.
I was thinking of maybe trying out a mobile dongle as well as my eircom internet.
I have a dongle that works with my Mikrotik as I have used it before.
Does anyone have suggestions on how I could set this up? Even from a practical sense rather than implementation.
I have a server for downloading etc, at all times this should use eircom, I guess I make that have its own route that always ends up at the eircom so that's OK.
But the other stuff in the house is the confusing part. Ideally it would use the best route to the internet at the time, but I don't know how practical that is.
It wouldn't be the end of the world if I had to manually change the endpoint from BB to mobile when required.
Any thoughts or ideas?
-
Hello
I have an ASUS RTN66u as my wireless router for my house it is connected to UPC modem which is in bridge mode
I am happy with ASUS but I need wireless coverage in garage I have Cat 5 cable run to garage
is it possible to use a MikroTik RouterBoard 951G-2HnD as a wireless AP connected by the Cat 5 back to ASUS
is it easy to set it up as an AP ie no routing I like the ASUS because it gives me guest network isolated from main network so visitors use guest network
If possible I could reverse situation and use MikroTik RouterBoard 951G-2HnD
as main router and use ASUS in garage as an AP
But will MikroTik RouterBoard 951G-2HnD give me guest network separate to main network
Any advice please
Thanks
mylesm
-
is it possible to use a MikroTik RouterBoard 951G-2HnD as a Wireless Ap connected by the Cat 5 back to ASUS
Yes, very easy
is it easy to set it up as an ap ie no routing I like the Asus because it gives me Guest network isolated from main network so visitors use guest network
Not easy, adding another virtual network on a single interface is easy (virtual AP like the guest network you have on the Asus), extending that beyond the device itself isn't (vlans), it involves tagging the ethernet frames as they are transmitted (vlan tagging) so the next device knows which network they belong to.
http://en.wikipedia.org/wiki/Virtual_LAN
http://en.wikipedia.org/wiki/IEEE_802.1Q
I have this in my own home, but I have lots of experience and only have Mikrotik devices which makes it a little easier to accomplish
-
same ol sh1te wrote: »
Yes, very easy
Not easy, adding another virtual network on a single interface is easy (virtual AP like the guest network you have on the Asus), extending that beyond the device itself isn't (vlans), it involves tagging the ethernet frames as they are transmitted (vlan tagging) so the next device knows which network they belong to.
http://en.wikipedia.org/wiki/Virtual_LAN
http://en.wikipedia.org/wiki/IEEE_802.1Q
I have this in my own home, but I have lots of experience and only have Mikrotik devices which makes it a little easier to accomplish
Thanks for reply
I got Mikrotik 951g-2hnd and just set it up with default config all wired ports are bridged and work fine connect to internet and LAN devices no problem ie a NAS drive on port 3 I can access from my PC plugged into port 2
Internet is working no problem both wireless and wired so everything is good
But I cannot access my NAS over wireless I usually store my media on the NAS
Do I have to bridge the wireless LAN to the wired or any idea please
thanks again
mylesm
-
Yes, add the wireless interface to the bridge (default script should have added it). Also if the NAS is wireless make sure default forward is selected for the wireless interface otherwise it isolates the clients
-
same ol sh1te wrote: »
Yes, add the wireless interface to the bridge (default script should have added it). Also if the NAS is wireless make sure default forward is selected for the wireless interface otherwise it isolates the clients
NAS is wired into port 3 on router I can see it on wired network and read it but cannot connect to it from a wireless device if I revert to old router I can read it with wireless device no problem I only got Mikrotik so maybe some issue with IP address will try to resolve over next few days
Thanks again
-
Everything working great now brilliant router streaming 3 movies to 3 different devices and playing music on network media player rock steady
On the Quick Set screen there is a guest wireless network I enabled this and gave it a different name to my main wireless
it works but on my ASUS router the guest network only had access to internet no access to internal LAN which is what I want as I don't want guests snooping on my LAN
is it possible on the Mikrotik to have guest network only having internet access
anyway so far this is a great router can't believe the functions for the price
thanks again
mylesm
-
Without seeing your config I wouldn't know where to start, do an export compact and paste it here and I'll give you the commands.
-
Listen thanks very much and I don't want to bother you so don't spend too much time at this as you will see from config I have 2 wireless interfaces
ShelmarGarage is main one and I want that to access LAN and internet
ShelmarGarageGuests is the guest network and I was wondering if I could restrict that to only access WAN port ie no access to LAN ports
It works like that on my ASUS router guest network only gets to internet so if I could get it like that on Mikrotik I would use Mikrotik as my main router and use ASUS as extension AP
Thanks again and as I have no experience in these type of routers only ever used consumer routers I hope this config is what you might need to see what I am talking about
[admin@MikroTik] > /export compact
# jan/02/1970 02:06:01 by RouterOS 6.15
# software id = CCB8-P1HX
#
/interface bridge
add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
20/40mhz-ht-above disabled=no distance=indoors l2mtu=2290 mode=ap-bridge \
ssid=ShelmarGarage wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
dynamic-keys wpa-pre-shared-key=test1111 wpa2-pre-shared-key=test1111
add authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys name=profile \
wpa-pre-shared-key=test1111 wpa2-pre-shared-key=test1111
/interface wireless
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:BE:8E:01 master-interface=\
wlan1 name=wlan2 security-profile=profile ssid=ShelmarGarageGuests
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
mac-cookie-timeout=3d
/ip pool
add name=default-dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=default-dhcp interface=bridge-local lease-time=10m name=\
default
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
/ip address
add address=192.168.1.2/24 comment="default configuration" interface=\
ether2-master-local network=192.168.1.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.1.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.1.2 netmask=24
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=\
yes out-interface=ether1-gateway to-addresses=0.0.0.0
/ip upnp
set allow-disable-external-interface=no
/system leds
set 0 interface=wlan1
[admin@MikroTik] >
-
I just came across this page I think this might achieve what I want what do you think I had to translate it
http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1
-
I just came across this page i think this might achieve what i want what do you think I had to translate it
http://www.wirelessinfo.be/index.php/mikrotik/pages/vap1
Yeah, you'll need to remove wlan2 from bridge-local and add it to your new bridge using those instructions as guide.
There are issues with the way you have your Mikrotik configured, it is still a router. You still have a nat rule for ether1 but are obviously just using ether2-5. I would disable this rule (the masquerade rule under /ip firewall nat) and set the ether1 interface as slave to ether2 so you have 5 switched ports, no wan.
/ip firewall nat set 0 disabled=yes
/interface ethernet set [ find default-name=ether1 ] name=ether1-slave-local speed=1Gbps master-port=ether2-master-local
The way it stands there is no default route therefore the router itself does not know the way out to the internet. Your devices get a DHCP lease giving them the default route, therefore we need to add one. If your Asus is 192.168.1.1 add this route
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1
I also notice you still have DHCP server enabled on this router and assigned to bridge-local, if you're using the DHCP server on the Asus you'll need to disable the default one on the Mikrotik.
I can see an issue later when you get the guest network routing, the default gateway (Asus) is in the subnet you will be trying to block access to, you may have to edit the block rule to block every address but not the ip of the Asus
-
Thanks very much I will try this if I get Mikrotik working with guest network I intend to use ASUS only as an AP wired to a LAN port on the Mikrotik the ASUS has an AP mode which disables DHCP etc
Thanks again hopefully I will get it going I can't believe these routers are not more well known
-
Thanks very much I will try this if I get Mikrotik working with guest network I intend to use ASUS only as an AP wired to a LAN port on the Mikrotik the ASUS has an AP mode which disables DHCP etc
Thanks again hopefully I will get it going I can't believe these routers are not more well known
Ah, then disregard what I said above, I took it that the Asus was your gateway
-
Well thanks very much for your help I now have Mikrotik running as my main router with one wireless LAN with same IP range as wired LAN and a guest wireless with a different IP range and new firewall rules which prevent crossover in either direction
working great so far these Mikrotik routers are certainly very flexible compared to consumer routers
-
Well thanks very much for your help I now have Mikrotik running as my main router with one wireless LAN with same IP range as wired LAN and a guest wireless with a different IP range and new firewall rules which prevent crossover in either direction
working great so far these Mikrotik routers are certainly very flexible compared to consumer routers
Nice one, bandwidth shaping, packet marks, mangles and queues next, limit your guest users to a low speed and prioritise your main subnet users over guests. The fun has only started, if you're anything like me you'll be playing for weeks
-
same ol sh1te wrote: »
Nice one, bandwidth shaping, packet marks, mangles and queues next, limit your guest users to a low speed and prioritise your main subnet users over guests. The fun has only started, if you're anything like me you'll be playing for weeks
Funny you should say that I was just wondering how to limit guest network bandwidth and prioritise my main network
I presume if I set no country on wireless it transmits at full power
mylesm
-
Set it to Ireland to get the 13 WiFi channels otherwise you will only get the default 10
Set the frequency mode to manual-txpower for the max power
or set that to regulatory-domain for standard power settings
-
hallo,
i'm new to mikrotik, having used snapgear, astaro, ipcop, smoothwall etc in the past. i'm a home user with the 120mbps UPC package, who also requires an IPsec or OpenVPN site-to-site set up with work (i'm the it manager). i'm currently running a snapgear SME575, which seems to be topping out at 60mbps WAN->LAN so i'm not seeing all my package speed. this is annoying, but can't be helped with this hardware. the cisco 3925 is in bridge mode, and if i directly connect anything via ethernet, i see 100+ mbps as expected.
so, i want to get rid of the snapgear, and put in something like a routerboard. i've been looking at this one, but am not sure if it's a case + board for that price...
i need it to run 100+ mbps on WAN->LAN, which it should, but i'm not sure what to expect with VPN throughput.
i'd much appreciate any advice on which hardware to buy, and whether that yoke linked above is complete overkill for my needs... i don't need any wifi capabilities, just a router/firewall & VPN.
thanks in advance,
dave.