The Mikrotik RouterOS config, tips and tricks thread

same ol sh1te

Yes, that would do you fine, yes it's a board in a case for that price.

The next step up would not be not a whole lot more expensive, has 24 gigabit ports and is rackmount
http://routerboard.com/CRS125-24G-1S-2HnD-IN
http://www.interprojekt.com.pl/mikrotik-routerboard-crs12524g1s2hndin-p-1473.html

Edit, I see you don't need wireless, you could go for a cheaper RB750 or 951
http://www.interprojekt.com.pl/mikrotik-routerboard-rb750gllevel-64mb-gbit-p-1130.html
http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html
or this next step up
http://www.interprojekt.com.pl/mikrotik-routerboard-crs12524g1sin-p-1471.html

djr

hi there,

thanks for the tips. i thought about this a bit more, and decided to go with this bad boy. i'll be able to (hopefully) get rid of an 8-port dumb hub, the snapgear previously mentioned, and a meraki AP in one fell swoop, which is nice.

i'll probably refer back to this thread a few times i'd say, to get VPN etc set up.

same ol sh1te

You're gonna love these routers, so powerful and configurable. They come with plenty of memory which will help for your vpn but also helps if you start adding connection & packet marks, mangles, queues etc. I'm curious as to what speeds you'll get. Have fun.

djr

just got the box installed there, arrived today. getting full speed ahead on my UPC connection which is fab. have the factory config still on it except for adjusting wifi, so still a lot of messing around to do.



delighted now i went ahead with it, as all my important computers can be on gigabit now. look forward to playing more and getting s2s VPN working next week...

same ol sh1te

Upgrade to latest v6 of RouterOS as it's better for wireless then do a wireless speedtest

djr

how do i confirm my version? i think i'm on 6.17, is that the latest?

having big problems getting a 2011 MBA connected

same ol sh1te

djr wrote: »

how do i confirm my version? i think i'm on 6.17, is that the latest?

having big problems getting a 2011 MBA connected

Yeah, that's the latest. Also go to system> routerboard in winbox and upgrade the firmware to latest.

djr

yeah, the firmware is coming up as 3.18, apparently the latest.

getting an ipad to auth now, but still not the mac. have tried switching channels multiple times, and tried with tkip on and off...frustrating

djr

have gone back to my Meraki MR12 for Wifi, will have to try again with the RB2011. used same channel, security, etcetc, but half the devices in the house couldn't see it. even tried the factory mikrotik config and just changed the channel, same problem, macbook air couldn't connect. still using RB2011 for everything else, will revisit when i have time. did anyone else have similar problems with osX and ios?

same ol sh1te

djr wrote: »

have gone back to my Meraki MR12 for Wifi, will have to try again with the RB2011. used same channel, security, etcetc, but half the devices in the house couldn't see it. even tried the factory mikrotik config and just changed the channel, same problem, macbook air couldn't connect. still using RB2011 for everything else, will revisit when i have time. did anyone else have similar problems with osX and ios?

Try changing it to AES only

djr

same ol sh1te wrote: »

Try changing it to AES only

yup, had tkip disabled, made no odds. May have been channel related, will give it another shot ðŸ˜

same ol sh1te

djr wrote: »

yup, had tkip disabled, made no odds. May have been channel related, will give it another shot ðŸ˜

I find channel 6 gives the best performance if it's not crowded in your locality

djr

same ol sh1te wrote: »

I find channel 6 gives the best performance if it's not crowded in your locality

6 worked great for all the non apple throughout alright, but not the Apple hear. Will try higher up

djr

\o/ got it working on channel 11, gettign 50mbps over wifi on the macbook air. not sure what the problem was before, there's only two other ssid's around here and they're on 5 and 7...

next thing is to get an rsa-key ipsec VPN set up with the firewall in work, manana.

same ol sh1te

djr wrote: »

\o/ got it working on channel 11, gettign 50mbps over wifi on the macbook air. not sure what the problem was before, there's only two other ssid's around here and they're on 5 and 7...

next thing is to get an rsa-key ipsec VPN set up with the firewall in work, manana.

That's your problem, setting it to channel 6 overlaps in the next adjacent 2 channels on either side. There's only 3 non overlapping channels, 1, 6 and 11.
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/wifi-back-to-basics-24-ghz-channel-planning

You could also try channel 1 see if it performs any better. I can get 100mbit+ on lan over wireless, just switching, no Nat. There are a few settings your can also check in advanced, make sure it's set it to 20/40 Ht above, set it to indoors and default rates. Also there is another setting obey obligatory domain which will reduce the output power of the router, set it to manual.

djr

Cool, thanks. Will give those settings a blast. Not sure I'm going to be able to hit near 100mbps with the walls in this house, everything is concrete, built in the 50s. I'm happy with 40-50 at the moment. Can't use the lower channels, as have a baby monitor and wireless video sender around that area...

gouche

Was having trouble with my no-ip script to update my dynamic IP address.
It was only updating sometimes - but logging that it had updated

So I set up a script to check for IP changes and email me if there are any.
This way if No-IP doesn't update I can do it manually or just connect directly to IP.

Here's the script I used:

:global ipadd;
:local thisip [/ip address get [find where interface=pppoe-wan] address];

:if ($ipadd != $thisip) do={
    /tool e-mail send to=******@gmail.com subject="ip change" body="New ip $thisip";
    set ipadd $thisip;
} 
#else={
#    /tool e-mail send to=******@gmail.com subject="ip change" body="No change";
#}

The last few lines are commented out - I just used them for testing sending email. They just email 'No Change' if the IP is the same.
Just change the interface to whatever your WAN interface is and put your email in.

I had some issues setting up Gmail but finally got it working.
Online, people were saying to enable TLS and use port 587.
This didn't work for me so I enabled TLS and used default port 25 which did work.
Also had to enable POP in Gmail settings. Works like a charm now.

Gadgetman496

same ol sh1te wrote: »

That's your problem, setting it to channel 6 overlaps in the next adjacent 2 channels on either side. There's only 3 non overlapping channels, 1, 6 and 11.
http://blogs.aerohive.com/blog/the-wireless-lan-training-blog/wifi-back-to-basics-24-ghz-channel-planning

Probably a typo? If

same ol sh1te wrote: »

That's your problem, setting it to channel 6 overlaps in the next adjacent 2 channels on either side.

Then this can't be true?

same ol sh1te wrote: »

There's only 3 non overlapping channels, 1, 6 and 11.

same ol sh1te

gadgetman496 wrote: »

Probably a typo? If



Then this can't be true?

Not a typo

Kevin!

A family friend has huge issues with range in her house and I think a Mikrotik router would be the job in resolving that but..

I'm fairly computer literate and would have a good idea with your average household router (was contemplating installing the Asus RT-N66U) but the range on this seems to be far superior - is there a lot of setting up to do when bridging this with a vodafone fiber modem for standard internet usage? nothing complex apart from browsing and downloading will be required such as VPN usage etc

cheers

same ol sh1te

It's configured for NAT, you'll just need to get the Wan working but should be able to get that from the web GUI.

mylesm

I have MIcrotik rb951g-2hnd running now for a couple of weeks with a upc modem bridged

The Microtik looks after Guest Network wifi which also has a facility to limit download speed for guests works great

also have a nas and a wdtv connected to lan ports of microtik

I have an ASUS n66u in access point mode hardwired to lan port on microtik and this gives me 2 networks for private use one 2.4 and one 5ghz

all works really well router rock stable for last couple of weeks

I added some firewall rules from here and other forums just to lock down a bit better than default setup

I am not that experienced at this I would like to block icmp ping on the wan port that is if a ping request comes in from internet it gets dropped ie no reply

I use Shields up and it shows all my ports are stealth but i fail on ping response to achieve full stealth

If anyone could please tell me how to block ping please

thanks
myles

degsie

Have a look here:

http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/Filter

same ol sh1te

/ip firewall filter add action=drop chain=input comment="drop icmp" in-interface=ether1 protocol=icmp

Change to suit the name of your Wan interface

Kevin!

same ol sh1te wrote: »

It's configured for NAT, you'll just need to get the Wan working but should be able to get that from the web GUI.

brilliant, decided to give it a punt as I'm sure it'll prove to be a learning experience too! Do I need to configure PPOE or should the basic settings work?

cheers

same ol sh1te

Kevin! wrote: »

brilliant, decided to give it a punt as I'm sure it'll prove to be a learning experience too! Do I need to configure PPOE or should the basic settings work?

cheers

If the connection requires it you'll need to configure it. What ISP? What type of connection?

Kevin!

same ol sh1te wrote: »

If the connection requires it you'll need to configure it. What ISP? What type of connection?

The ISP is Vodafone and it's a fiber connection - I believe from reading the bridging thread that it does require it and that the username/password follows the form of user: serialnumber@vfiefttc.ie password: broadband - router model HG658c - will it prompt me to configure this with the initial installation wizard or will I have to amend the settings via winbox?

cheers

same ol sh1te

Kevin! wrote: »

The ISP is Vodafone and it's a fiber connection - I believe from reading the bridging thread that it does require it and that the username/password follows the form of user: serialnumber@vfiefttc.ie password: broadband - router model HG658c - will it prompt me to configure this with the initial installation wizard or will I have to amend the settings via winbox?

cheers

You'll have to configure it but this should be possible with the web gui if you want to get up and running before you get your head around winbox

gctest50

mylesm wrote: »

...........
If anyone could please tell me how to block ping please
..........

once you get that done , don't get carried away and block icmp passing through the yoke - it can break path discovery n stuff -

mylesm

same ol sh1te wrote: »

/ip firewall filter add action=drop chain=input comment="drop icmp" in-interface=ether1 protocol=icmp

Change to suit the name of your Wan interface

tried that still failed shields up as router was replying to ping

changed your rule above to be
add action=drop chain=output out-interface=ether1 protocol =icmp

now i pass shields up test with true stealth status

thanks again for your help