
Michael Ducharme

Member
  • Posts: 42
  • Joined
  • Last visited

Michael Ducharme's Achievements

  1. I second @brwainer's recommendation. Another option if you want PoE to power IP phones etc. is the CRS328: https://mikrotik.com/product/crs328_24p_4s_rm
  2. Even if it doesn't come up at 10Mbps, if that cable is running through a conduit to your house, you might be able to use it as a pull cable to pull a new length of twisted pair through. The only risk would be if it got stuck, so you would want to use some thin but strong tape that would be unlikely to catch on anything.
  3. I believe what you have to do is add only your desktop IP under "IP QoS" and nothing else, then your desktop will be prioritized over everything else.
  4. It should still be possible to do what you want - there should be a way to give the desktop priority over all the others (although perhaps not on a percentage basis). What settings do you have for each computer under QoS? Can you share a screenshot?
  5. Is there a single "QoS Bandwidth" field or are there several? If there is only one, you should set it to 90% of your speed that you can actually get from the ISP.
  6. In order for QoS to work, it has to know how much bandwidth you have in total so that it can limit the total of all traffic to that rate. The point of QoS is for your router to drop packets instead of the ISP, so in general you would configure the router with a maximum rate that is a bit below your maximum from the ISP - generally about 90%. So if you have 100Mbps download you would tell your router that you have 90Mbps in total for all clients to use. Perhaps you are misunderstanding the meaning of the "QoS Bandwidth" field and it is actually a field to tell your router this total bandwidth amount?
  7. Hmm... That error doesn't even make sense. The gateway has IPs on both networks, so that should not error out. Your src port and dst port are not correct (you'd have to allow all, not just 24). The /24 goes in the IP field immediately after the IP; it is a CIDR address format used to refer to an entire subnet instead of just one address. But I have a feeling this thing isn't smart enough to allow you to create the rule (because the router does have another IP in that subnet). At this point I would recommend just putting the thing in bridge mode if possible and using a third party router.
  8. Try adding a new firewall rule, I guess action would be accept, protocol all, src ip would be 192.168.1.0/24 and dst ip would be 192.168.2.0/24 and src port and dst port would be all (not sure how that is specified in your UI). Then you would do another rule in the other direction (src 192.168.2.0/24 and dst 192.168.1.0/24).
  9. If you mean you want the OpenVPN client to get an address on the internal network (connected only to the USG), that is not possible. The pfsense would have to be given an IP address on your internal network as well (behind the USG) so that it could bypass it for the VPN clients. The problem is that then your internet would stop working for all of the other clients behind the USG because the regular internet traffic would go out via the USG and come back in via the pfsense (since it would then have a direct route to the destination network, so it would prefer that to the path through the USG), and this triggers reverse path filtering protection blocking the traffic. I also don't understand the reason why you can't segment things virtually. Taking the USG out of the equation would fix everything. The only argument that I could see against that would be administrator control (ex. if you need to give other people access to manage the pfsense but not the USG). If you do need to keep them separate like this, you have two options:
     1. Continue to have the clients getting IPs on the pfsense network, but add a firewall rule on the USG to allow all traffic from those client IPs to the internal network. That way they would have access to the resources without actually being on the internal network.
     2. Set up the VPN on the USG and do port forwarding for the VPN ports on the pfsense.
  10. The route configuration won't help, your router already has routes to those networks because it has IPs on those networks. You can in fact see the routes it already has for those networks in the screenshot you gave before. I'm wondering what the firewall "level" settings are. It is explaining normal mode but I don't know what the other options are.
  11. Why are you trying to decrease the signal strength? If I put my phone on top of my router it can't connect due to the signal being too strong but that shouldn't be the case even just a few feet away.
  12. OK - that screenshot is helpful and shows that both IPs are on the router itself. This device is set up in a very unusual way. I wonder if there is a firewall where you can add a rule to allow traffic between the br-lan (your wired network) and wl0 (the wireless)?
  13. I'm not convinced of that. Some devices will simply continue their existing lease without bothering to check in with the DHCP server to see if it is still valid, if they know they are reconnecting to the same network they had the lease on before. So your device could still "hang on" to the lease given by the disconnected router until expiry (often 24 hours later) unless you can manually release and renew. You say your computer has multiple network interfaces - is it possible that it has a DHCP server on it, or it might be on some other device, maybe not even one of the other routers. You can determine which device is acting as the DHCP server by checking the MAC address of the host that has the IP of the DHCP server. You can check it by doing the following:
      1. At a command prompt, run ipconfig /all and note the IP address that is listed as the DHCP server for that interface (the one that has a 192.168.2.x IP).
      2. Ping that address from the command line (ping 192.168.2.whatever).
      3. Run "arp -a" from the command prompt to check the MAC address for the DHCP server IP.
      If the MAC address is that of a specific device where you know the MAC address (ex. if it is printed on the modem/router) then you know which device is acting as the DHCP server. If you do not recognize the MAC, check the vendor: https://macvendors.com/
  14. I haven't seen any DSL modem/router combos that would split the regular wifi network from the local network like this. I think you have another DHCP server on your network somewhere, possibly running on one of those other routers that you have, which is handing out IPs on that other subnet.
  15. We isolate customer traffic until it hits the BRAS (we use PPPoE). The ISP that I have for my home connection in the city (large cable provider) appears to use a combination of isolation and local proxy ARP. But most of the other ISPs that cover areas that we serve (rural, remote) do not have the greatest technical knowledge and tried isolation without a solution like local proxy ARP or PPPoE, only to get complaints from customers that they could not communicate with each other at all. So many of them simply turn off the customer isolation for the customers who complain, or don't use it at all. One small ISP that we absorbed had their customers rebooting their routers like 6 times in a row to get online, due to rogue DHCP servers from no customer isolation and they didn't know how to find or block the rogue DHCP, or even know that rogue DHCP was the cause. Occasionally even our techs manage to mess up a config here or there and have isolation disabled by mistake - we are a WISP and I've seen a few APs or switches go out that had isolation disabled, and it was sometimes only caught when a rogue DHCP situation appeared.
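The DHCP-server identification steps from post 13 (ipconfig /all, ping, arp -a, compare the MAC against devices you know), automated as an added example. This is not Michael Ducharme's code; the `ipconfig /all` and `arp -a` output, the addresses and the `KNOWN_DEVICES` MAC table are all constructed for the example.

```python
import re
from typing import Optional

# Constructed sample output of "ipconfig /all" on Windows (not taken from the original posts).
IPCONFIG_OUTPUT = """
Ethernet adapter Ethernet:
   IPv4 Address. . . . . . . . . . . : 192.168.2.57(Preferred)
   Subnet Mask . . . . . . . . . . . : 255.255.255.0
   DHCP Server . . . . . . . . . . . : 192.168.2.254
   Default Gateway . . . . . . . . . : 192.168.2.1
"""

# Constructed sample output of "arp -a", taken after pinging the DHCP server address so the cache has an entry.
ARP_OUTPUT = """
Interface: 192.168.2.57 --- 0xb
  Internet Address      Physical Address      Type
  192.168.2.1           aa-bb-cc-11-22-33     dynamic
  192.168.2.254         00-11-22-aa-bb-cc     dynamic
"""

# Hypothetical MACs of devices you know, e.g. read off the label of the modem/router.
KNOWN_DEVICES = {"aa-bb-cc-11-22-33": "ISP modem/router"}

def dhcp_server_ip(ipconfig_text: str) -> Optional[str]:
    """Step 1: pull the DHCP server address for the interface out of ipconfig /all."""
    m = re.search(r"DHCP Server[ .]*:\s*(\d+\.\d+\.\d+\.\d+)", ipconfig_text)
    return m.group(1) if m else None

def mac_for_ip(arp_text: str, ip: str) -> Optional[str]:
    """Step 3: find the address in the arp -a table (step 2, the ping, is what populates it)."""
    for line in arp_text.splitlines():
        parts = line.split()
        if len(parts) >= 2 and parts[0] == ip:
            return parts[1].lower()
    return None

def identify_dhcp_server(ipconfig_text: str, arp_text: str, known: dict) -> dict:
    """Tie the steps together: which device is answering DHCP, and is it one we recognise?"""
    ip = dhcp_server_ip(ipconfig_text)
    if ip is None:
        return {"status": "no-dhcp-server-listed", "ip": None, "mac": None, "device": None}
    mac = mac_for_ip(arp_text, ip)
    if mac is None:
        # No ARP entry: the IP was not pinged first, or the host sits on another segment.
        return {"status": "no-arp-entry", "ip": ip, "mac": None, "device": None}
    device = known.get(mac)
    # mac[:8] is the OUI (first three octets); look it up in a vendor database if unrecognised.
    return {"status": "known" if device else "unrecognised", "ip": ip, "mac": mac,
            "device": device, "oui": mac[:8]}
```

In the constructed data the DHCP server (192.168.2.254) is not the known modem/router, which is exactly the rogue-DHCP situation the post is trying to pin down.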