The Mikrotik RouterOS config, tips and tricks thread

Kevin!

Just got my Mikrotik router and I'm trying to configure it with a vodafone router - it seems unable to obtain a PPPOE link any idea's as to what I might be doing wrong?





thanks!

same ol sh1te

Try leaving the service name blank

Kevin!

same ol sh1te wrote: »

Try leaving the service name blank

Will try that when I'm home thanks! And is txpower automatically at 100%? If not, how do I amend it via webconfig

Thanks

same ol sh1te

Kevin! wrote: »

Will try that when I'm home thanks! And is txpower automatically at 100%? If not, how do I amend it via webconfig

Thanks

You'll need winbox, open the wireless interface, set to advanced and in the main wireless tab change frequency mode from regulatory domain to manual tx power. In advanced tab set distance to indoors and in tx power tab set tx power to default

Kevin!

same ol sh1te wrote: »

You'll need winbox, open the wireless interface, set to advanced and in the main wireless tab change frequency mode from regulatory domain to manual tx power. In advanced tab set distance to indoors and in tx power tab set tx power to default

Was being silly, thought it would go into WAN port when it's actually Ethernet #1, PPPOE authentication is now successful!

It seems that those settings for transmitting power had already been enabled by default, should that give it the full 1000mw power?

Cheers

same ol sh1te

Kevin! wrote: »

It seems that those settings for transmitting power had already been enabled by default, should that give it the full 1000mw power?

Yes.

Kevin!

Last question for you haha, I'm achieving good speeds on the laptop (50mb connection) getting about 46 over WiFi - but with my HTC m8 I'm getting a poor link speed and speed test.net reports it to be under 20mb - is the router assigning less speed to the mobile?http://i58.tinypic.com/b3lwyr.png

Thanks

same ol sh1te

Kevin! wrote: »

Last question for you haha, I'm achieving good speeds on the laptop (50mb connection) getting about 46 over WiFi - but with my HTC m8 I'm getting a poor link speed and speed test.net reports it to be under 20mb - is the router assigning less speed to the mobile?http://i58.tinypic.com/b3lwyr.png

Thanks

Try setting the wireless interface band on the Mikrotik to 2Ghz only N (as long as you have all N devices) and channel width as 20/40Mhz HT above. You can see the signal and speed wireless devices are connected at under wireless registration. My Nexus 5 connects at a max rate of 72mbps, your M8 will most likely be the same. Laptops with better antennas will have wireless cards set to do higher rates than phones and tablets with tiny antennas. For this reason tests will be better with laptops

mylesm

Hi Again

On the quickset screen of winbox there are 2 wireless options one main and one guest network

I set up guest network here and set download limit as well to 3M

this is all available on quickset screen and it works well

I tried to ping devices on my main lan while I am connected to guest network and I cannot ping them which is great as that is what I want

Can someone explain please how the guest network is isolated from main lan as it seems to get ip in same range as main lan
Thanks

mylesm

same ol sh1te

You'll need to stop using quickset and go deeper with winbox to find out the answer. I've never used quickset so therefore I know nothing about it or the features it offers. Is default forward enabled for the virtual wireless interface? Post an export compact of your config.

I can see from the RouterOS changelog that guest network was only added to quickset in March this year. Is it fully implemented yet?
https://www.mikrotik.com/download/CHANGELOG_6

mylesm

same ol sh1te wrote: »

You'll need to stop using quickset and go deeper with winbox to find out the answer. I've never used quickset so therefore I know nothing about it or the features it offers. Is default forward enabled for the virtual wireless interface? Post an export compact of your config.

I can see from the RouterOS changelog that guest network was only added to quickset in March this year. Is it fully implemented yet?
https://www.mikrotik.com/download/CHANGELOG_6

Thanks it seems to work good I was just trying to fond out how they implement it

heres my export thanks again











MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 6.18 (c) 1999-2014 http://www.mikrotik.com/

[?] Gives the list of available commands
command [?] Gives help on the command and list of arguments

[Tab] Completes the command/word. If the input is ambiguous,
a second [Tab] gives possible options

/ Move up to base level
.. Move up one level
/command Use command at the base level
[admin@MikroTik] > export compact
# aug/16/2014 13:22:57 by RouterOS 6.18
# software id = CCB8-P1HX
#
/interface bridge
add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
20/40mhz-ht-above country=ireland disabled=no distance=indoors frequency=\
2412 hide-ssid=yes l2mtu=2290 mode=ap-bridge ssid=Microtik \
wireless-protocol=802.11
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether3 ] master-port=ether2-master-local name=\
ether3-slave-local
set [ find default-name=ether4 ] master-port=ether2-master-local name=\
ether4-slave-local
set [ find default-name=ether5 ] master-port=ether2-master-local name=\
ether5-slave-local
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless security-profiles
set [ find default=yes ] wpa-pre-shared-key=xxxxxxxxxxx wpa2-pre-shared-key=\xxxxxxxxxx

add name=profile wpa-pre-shared-key=xxxxxxxx wpa2-pre-shared-key=xxxxxxxxx
/interface wireless
add disabled=no l2mtu=2290 mac-address=D6:CA:6D:BE:8E:01 master-interface=\
wlan1 name=wlan2 security-profile=profile ssid=ShelmarGuest
/ip pool
add name=dhcp ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local lease-time=10m name=\
default
/system logging action
set 0 memory-lines=100
set 1 disk-lines-per-file=100
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=wlan2
/interface wireless access-list
add ap-tx-limit=3000000 interface=wlan2
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
ether2-master-local network=192.168.88.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
no interface=ether1-gateway
/ip dhcp-server lease
add address=192.168.88.248 mac-address=00:90:A9:3A:0C:A1 server=default
add address=192.168.88.252 client-id=1:d4:3d:7e:df:cc:34 mac-address=\
D4:3D:7E:DF:CC:34 server=default
add address=192.168.88.234 always-broadcast=yes client-id=1:0:21:85:7:fc:81 \
mac-address=00:21:85:07:FC:81 server=default
/ip dhcp-server network
add address=192.168.88.0/24 comment="default configuration" dns-server=\
192.168.88.1 gateway=192.168.88.1
/ip dns
set allow-remote-requests=yes servers=208.67.222.222,208.67.220.220
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=established
add chain=input comment="default configuration" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=\
ether1-gateway
add chain=forward comment="default configuration" connection-state=\
established
add chain=forward comment="default configuration" connection-state=related
add action=drop chain=forward comment="default configuration" \
connection-state=invalid
add chain=input comment="allow ICMP" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login \
address-list-timeout=1d chain=input comment=\
"list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=1h chain=input connection-state=new dst-port=22 \
protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=\
ether1-gateway protocol=tcp
add chain=input comment="accept vpn gre" in-interface=ether1-gateway \
protocol=gre
add action=drop chain=input comment="drop ftp" dst-port=21 protocol=tcp
add action=drop chain=forward comment="drop invalid connections" \
connection-state=invalid
add chain=forward comment="allow already established connections" \
connection-state=established
add chain=forward comment="allow related connections" connection-state=\
related
add action=drop chain=input comment="drop Invalid connections" \
connection-state=invalid
add chain=input comment="allow established connections" connection-state=\
established
add chain=input comment="acccept lan" in-interface=!ether1-gateway \
src-address=192.168.88.0/24
add action=drop chain=input comment="drop everything else"
add action=drop chain=input comment="drop icmp" disabled=yes in-interface=\
ether1-gateway protocol=icmp
add action=drop chain=output out-interface=ether1-gateway protocol=icmp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
out-interface=ether1-gateway to-addresses=0.0.0.0
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/ip upnp
set allow-disable-external-interface=no
/ip upnp interfaces
add interface=bridge-local type=internal
add interface=ether1-gateway type=external
/system clock
set time-zone-name=Europe/London
/tool bandwidth-server
set enabled=no
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
add interface=wlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=wlan1
add interface=wlan2
[admin@MikroTik] >

same ol sh1te

Like I thought, default forward is enabled for the virtual wireless interface. There is nothing there keeping guest from accessing your lan. It's a simple virtual interface with it's own security profile.

mylesm

same ol sh1te wrote: »

Like I thought, default forward is enabled for the virtual wireless interface. There is nothing there keeping guest from accessing your lan. It's a simple virtual interface with it's own security profile.

OK but if I log onto guest network I cannot access a nas on the lan if I log onto main wireless I can access nas on lan so something is blocking access from guest I was just trying to find out how
/interface bridge filter
add action=drop chain=forward in-interface=wlan2
add action=drop chain=forward out-interface=wlan2

Does that have something to do with it I just saw that looking through and it refers to wlan2

Thanks again

same ol sh1te

Yeah, that'd do it, missed that, I was looking in firewall

mylesm

same ol sh1te wrote: »

Yeah, that'd do it, missed that, I was looking in firewall

Great thanks for your help does that completely isolate WLAN 2 from e everything except wan it seems very easy way to do it so if I added wlan3 and added those lines to include wlan3 it would be isolated

same ol sh1te

mylesm wrote: »

Great thanks for your help does that completely isolate WLAN 2 from e everything except wan it seems very easy way to do it so if I added wlan3 and added those lines to include wlan3 it would be isolated

Yes

Kevin!

Is it possible to utilise the USB port to share an external hard drive over the network with a 951Ui-2HnD?

I'm looking to network share the drive with a combination of windows/mac computers,

cheers

same ol sh1te

Kevin! wrote: »

Is it possible to utilise the USB port to share an external hard drive over the network with a 951Ui-2HnD?

I'm looking to network share the drive with a combination of windows/mac computers,

cheers

Yes, it's what it's for

Kevin!

same ol sh1te wrote: »

Yes, it's what it's for

I would have assumed that, but the mikrotik website lists it purpose for other features
http://wiki.mikrotik.com/wiki/Manual:USB_Features

same ol sh1te

Kevin! wrote: »

I would have assumed that, but the mikrotik website lists it purpose for other features
http://wiki.mikrotik.com/wiki/Manual:USB_Features

Yes, a usb port has many uses including providing power, 3g dongle etc

witnessmenow

Howdy all,

I'm after setting up RB751G after about a year of giving it a break (long story)

But I'm looking for some pointers on a couple of things.

So my internet goes to absolute muck in the evening times so I'm considering getting the €10 rolling meteor internet for when eircom gets really bad.

I would to keep eircom as the main broadband, and maybe even manually set what devices I want to allow to use the meteor dongle if the internet is acting up. Any suggestions?

Also I have an Amiko Alien, anyone have the instructions for prioritising the pings from that?

Thanks!

Sniipe

I just noticed smee_again is banned. Thats a shame - he was very helpful here. I lost my settings and had to re-do them all again and was going thru this thread to figure out what I did the last time. I wouldn't have a clue if I didn't get as much help as I did from him.

dadach

hey, any tips of how to set up the connection in the routeros so my normal traffic is still going through my ISP, but for PS3, and Xfinity media player/satelite receiver i want to use VPN connection. is that doable?

diarmaidol

Yes,

It's known as policy routing...

I can't post URL's so maybe search the following

wiki.mikrotik.com Policy_Base_Routing

Not the most straight forward, you will need to understand IP routing to some level to get it working.

musembi

Hi,
I would really appreciate if someone posted to me the script to change my Mikrotik MTU from say 1500 to 576...

diarmaidol

Why do you want such a small MTU?

MTU is an port/interface setting not a router wide setting. based on the relevant MTU's for different interfaces the router will take the decision to fragment the packet or not.

There is an MTU page on the Microtik wiki

Kenny Powers

Can anyone advise on how I can set up the following, I just got a RB915G-2HnD I have access to it via winbox and web.

Is it possible to set up the following,

Port 1 WAN internet connection.

I want a separate subnets for Personal use on say port 2 and the Hotspot on Port 4&5

Also is it possible to do this with the WiFi, Set up two SSIDs one for personal and one for the hotspot access?

mass_debater

Kenny Powers wrote: »

Can anyone advise on how I can set up the following, I just got a RB915G-2HnD I have access to it via winbox and web.

Is it possible to set up the following,

Port 1 WAN internet connection.

I want a separate subnets for Personal use on say port 2 and the Hotspot on Port 4&5

Also is it possible to do this with the WiFi, Set up two SSIDs one for personal and one for the hotspot access?

Yes it's possible, you can create two bridges, use one for hotspot, the other for lan but you're going to have to read up, nobody will build a specific config like this for you. All the info you need is in the Mikrotik docs and manuals. I'll give you a few pointers, start with the default config, remove ports 4 and 5 from the switch and add them to a new bridge to which you setup your hotspot on a new virtual wireless interface.

Kenny Powers

mass_debater wrote: »

Yes it's possible, you can create two bridges, use one for hotspot, the other for lan but you're going to have to read up, nobody will build a specific config like this for you. All the info you need is in the Mikrotik docs and manuals. I'll give you a few pointers, start with the default config, remove ports 4 and 5 from the switch and add them to a new bridge to which you setup your hotspot on a new virtual wireless interface.

Thanks for that got it working but going to try vlans now instead of using bridge, Does this make sense will it give faster throughput?

I upgraded to V6.28 WAN to LAN speed dropped from 240 to 180/190 hotspot dropped to 100 using UPC speed test, also noticed CPU in the high 90% during the speed test, anyone else notice this? Is it possible to roll back to V6.15?

Thanks

mass_debater

Kenny Powers wrote: »

Is it possible to roll back to V6.15?

Download it and drag and drop it into files in Winbox and reboot the router.