Showing posts with label Mikrotik. Show all posts

Sunday, 8 January 2017

Google Chromecast and Mikrotik Wireless

So I recently upgraded my wifi at home from a TP-Link to Mikrotik hAP ac devices. Although the installation of CAPsMAN and the provisioning of configurations were rather quick and easy, that was not the end.

This post will focus on the wireless connections between the Chromecast and Mikrotik AP.

As in most households these days, multiple media devices, wireless speakers/assistants, tablets etc. need the ability to connect to the wifi.

Below are my tests and findings so far with the Google Chromecast.



Mikrotik Version 6.37.3
Mikrotik Firmware (hAP ac) 3.34
Mikrotik Model RouterBOARD 962UiGS-5HacT2HnT
ChromeCast Firmware 1.22.78337
ChromeCast Model Chromecast 2



I have decided to simplify my SSIDs and only have 2 available on the network, Private and Guest, and have both bands (2ghz & 5ghz) / radios assigned to the same SSIDs. The previous wireless installation had separate SSIDs for 2 ghz and 5 ghz.
 
Connecting the Chromecast to the network was a breeze, just launch the Google Home application, select devices > settings > Wi-Fi and enter the new credentials.

And then the fun started: family members started complaining they couldn't "see" the Chromecast device to cast to, the constant reboots / power cycles started, and I started to keep an eye on the Mikrotik log and wireless registration table (funnily enough all seemed OK there, but the user experience was correct: the devices were no longer discoverable).

Initial setup:


I then decided to pigeonhole the Chromecast onto its own SSID and assign it to only one specific radio, so that I can control & troubleshoot. I did so and created a Media SSID and assigned it to a radio. This is done by creating a new CAPs provisioning with the target radio MAC.


Provisioned the new configurations and learned lesson 1: for no money would the Chromecast join the new SSID, though various other devices could connect to it.

Lesson learned: I performed a factory reset (FDR) on the Chromecast and it seamlessly connected to the newly created SSID.

I changed the configuration in the following order with all configurations experiencing the same result:

  1. Started with  band=2ghz-b/g/n with same behaviour
  2. Changed to band=2ghz-b/g as some people / forums suggested issues with n band, with same behaviour
  3. Changed to the 5ghz radios with band=5ghz-onlyac, FDR the Chromecast and registered it to the Media SSID.

Current working configuration:


So currently it seems very stable and is working without issues.


Media band = 5ghz-onlyac
radio = only the closest 5ghz Radio to the Chromecast




It has been running for 3 days without any issues so far.

Inconsistencies and possible Chromecast bugs:

  • I have one other Chromecast connected to the "Private" SSID without any issues at the moment, still to investigate further.
  • On the Google splash screen the wireless SSID sometimes disappears with a "backdrop" change (as I told the kids to look for that to determine whether the Chromecast is connected or not, it causes false negatives at the moment :-) )

Next steps:

  • Let it run for a while and monitor.
  • Change the Media SSID to hidden.





Friday, 1 January 2016

Mikrotik overlapping IP subnets on VPN link

As this is a common topic that needs to be resolved a lot of times, I thought it would be good to do a basic write-up of a double NAT configuration to resolve overlapping IP ranges over a link.

The sample scenario would be as depicted below:
Location A and B have duplicate IP ranges (192.168.0.0/24) on both sides and a VPN link between the two on network 172.16.0.0/30.

For this example we assume two random IPs that need to be reached from the other end: 192.168.0.10 (on network A) and 192.168.0.247 (on network B).


To make the Mikrotik commands more descriptive, the local networks (LAN A and LAN B) are connected to the "ether2" interfaces and the link between the two routers to the "ether1" interfaces.

Router A:

/ip address
add address=192.168.0.1/24 interface=ether2
add address=172.16.0.1/30 interface=ether1



Router B:

/ip address
add address=192.168.0.1/24 interface=ether2
add address=172.16.0.2/30 interface=ether1


The next step is to select two unused/free/unrouted IP ranges that can stand in for networks A and B. For this example 192.168.98.0/24 (representing network A) and 192.168.99.0/24 (representing network B) were selected.

Install a route on router A to route all 192.168.99.0/24 traffic to the gateway address of router B (172.16.0.2).

Router A:

/ip route
add dst-address=192.168.99.0/24 gateway=172.16.0.2



Then install a source NAT rule that changes the source address of the packets from network A to 192.168.98.0/24. Packets will now have that changed source address and be forwarded to router B.

Router A:

/ip firewall nat 
add chain=srcnat src-address=192.168.0.2-192.168.0.254 dst-address=192.168.99.0/24 action=netmap to-addresses=192.168.98.2-192.168.98.254


Netmap is used to ensure there is a 1:1 mapping on the last octet; that way we will know what machine the traffic originated from.

On router B, a route needs to be installed to send traffic for the NATed source range (192.168.98.0/24) back to router A, and a destination NAT rule is needed to translate the 192.168.99.x destination to the real IP address in network B.

Router B:

/ip route
add dst-address=192.168.98.0/24 gateway=172.16.0.1


And the destination NAT rule to send the traffic to the 192.168.0.247 IP on network B (in this example, one rule is needed for each server you want to reach):

Router B:
/ip firewall nat
add chain=dstnat dst-address=192.168.99.247 action=dst-nat to-addresses=192.168.0.247

To reach 192.168.0.10 behind router A, do exactly the opposite: netmap the range to 192.168.99.x on router B and add a destination NAT on router A.


Router B:

/ip firewall nat 
add chain=srcnat src-address=192.168.0.2-192.168.0.254 dst-address=192.168.98.0/24 action=netmap to-addresses=192.168.99.2-192.168.99.254


Router A:
/ip firewall nat
add chain=dstnat dst-address=192.168.98.10 action=dst-nat to-addresses=192.168.0.10

This should complete the setup and you should be able to ping 192.168.99.247 from an IP on router A LAN subnet.
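
The translations above can be traced packet by packet. The following is an added example, not part of the original post: it models netmap as a prefix swap that keeps the last octet (as the post describes) and uses only the addresses and rules given above; the function names are hypothetical.

```python
"""Trace one flow through the double-NAT rules above (added example)."""
from ipaddress import ip_address, ip_network

# Addresses and rules as given in the post; the model itself is an assumption.
SRC_RANGE = (ip_address("192.168.0.2"), ip_address("192.168.0.254"))
ALIAS = {"A": ip_network("192.168.98.0/24"),   # how LAN A appears to site B
         "B": ip_network("192.168.99.0/24")}   # how LAN B appears to site A
DSTNAT = {"A": {"192.168.98.10": "192.168.0.10"},    # dst-nat on router A
          "B": {"192.168.99.247": "192.168.0.247"}}  # dst-nat on router B


def netmap(addr, to_net):
    """Model of action=netmap: swap the prefix, keep the host bits (1:1)."""
    host_bits = int(ip_address(addr)) & int(to_net.hostmask)
    return str(ip_address(int(to_net.network_address) | host_bits))


def forward(src, dst, origin):
    """Follow a new connection from a LAN host behind router `origin`.

    Returns (src, dst) on the origin LAN, on the link, and on the remote LAN.
    """
    remote = "B" if origin == "A" else "A"
    in_range = SRC_RANGE[0] <= ip_address(src) <= SRC_RANGE[1]
    if not in_range or ip_address(dst) not in ALIAS[remote]:
        raise ValueError("srcnat rule does not match, packet is not translated")
    on_link = (netmap(src, ALIAS[origin]), dst)      # srcnat on origin router
    real = DSTNAT[remote].get(dst)                   # dstnat on remote router
    if real is None:
        raise LookupError(f"no dst-nat rule for {dst} on router {remote}")
    return [(src, dst), on_link, (on_link[0], real)]


def reply(hops):
    """Connection tracking undoes both translations for the return packet."""
    return [(d, s) for s, d in reversed(hops)]


if __name__ == "__main__":
    hops = forward("192.168.0.10", "192.168.99.247", origin="A")
    for s, d in hops + reply(hops):
        print(f"{s:>15} -> {d}")
```

The last forward hop shows what the server at site B sees as the client: 192.168.98.10, not 192.168.0.10, so firewall rules and log searches at B have to use the 192.168.98.x range and map back by last octet.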

To make things easier to use, either DNS entries can be used or, if the IP addresses you want to reach on the remote subnet are not used locally, a local destination NAT rule can be added so that you can use the real IP address locally to reach the remote server.

Sample:


Router A:
/ip firewall nat
add chain=dstnat in-interface=ether2 dst-address=192.168.0.247 action=dst-nat to-addresses=192.168.99.247



Monday, 4 May 2015

Sublime Text Mikrotik plugin for text highlighting & auto complete



I had some challenges that I had to resolve on a network (more on that in my next post) and could only access the CLI, with the need to see the complete config at once. I used Sublime Text to view the file; however, having to look at any log or configuration file in one colour is not fun.

Had a quick look and was in luck: there is a Mikrotik Sublime Text plugin, many thanks Kentzo. It can be installed via Package Control or be found on Kentzo's GitHub repository.


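The simplest method of installation is through the Sublime Text console as described here. The console is accessed via the ctrl+` shortcut or the View > Show Console menu. Once open, paste the appropriate Python code for your version of Sublime Text into the console as a single line. The snippet downloads the package over plain HTTP, compares its SHA-256 digest with the hash embedded in the snippet, and only writes the file if the two match, so that comparison is the only integrity check. The embedded hash matches one specific release of Package Control; take the current snippet from the Package Control site rather than reusing an old copy.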



import urllib.request,os,hashlib; h = 'eb2297e1a458f27d836c04bb0cbaf282' + 'd0e7a3098092775ccb37ca9d6b2e4b7d'; pf = 'Package Control.sublime-package'; ipp = sublime.installed_packages_path(); urllib.request.install_opener( urllib.request.build_opener( urllib.request.ProxyHandler()) ); by = urllib.request.urlopen( 'http://packagecontrol.io/' + pf.replace(' ', '%20')).read(); dh = hashlib.sha256(by).hexdigest(); print('Error validating download (got %s instead of %s), please try manual install' % (dh, h)) if dh != h else open(os.path.join( ipp, pf), 'wb' ).write(by)



After that, simply go to Preferences > Package Control and select Install Package; then type the name of the package you want to install.

Wednesday, 6 October 2010

Syslog-ng server on Ubuntu

Well, once you know what to do it is actually easy to get it going; however, there are a few things you need to know:

  • Remote logging needs to be enabled on the server

  • Firewall needs to accept traffic for syslogs

  • On the client, logs need to be forwarded to the syslog server

  • A log filter needs to be created on the client


So a typical / basic setup that forwards everything to the server's default log destinations, e.g. /var/log/syslog, will look as follows:

Server side:
Basic config change to get the server accepting remote logs:
uncomment:
         udp();
Client side:
The most basic setup to forward all logs to the syslog-ng server:

destination server { udp("192.168.0.1" port (514)); };

log {
        source(s_all);
        destination(server);
};

I am also sending logs from my Mikrotik device to the syslog-ng server as follows:

[user@Mikrotik] > /system logging action print
Flags: * - default
 #   NAME                      TARGET REMOTE                                  
 0 * memory                    memory
 1 * disk                      disk 
 2 * echo                      echo 
 3 * remote                    remote 192.168.0.1:514                           
[user@Mikrotik] >

[user@Mikrotik] > /system logging print       
Flags: X - disabled, I - invalid
 #   TOPICS                          ACTION                          PREFIX   
 0   info                            memory                                   
 1   error                           memory                                   
 2   warning                         memory                                   
 3   critical                        echo                                     
 4   warning                         remote                          mikrotik

Happy logging.

Sunday, 1 November 2009

Cacti - Mikrotik Signal Strength Graph for client connection

Figure: Cacti signal strength graph

Well it took me some time and confusion to get this graph going; at the end of the day it was a configuration error and the misuse/confusion between different templates found on the net.

In summary, these are the correct parameters:

Cacti version: 0.8.7e
Mikrotik Router OS: 4.2

Device:

  • Added device with SNMP v1 & Mikrotik Template

  • Make sure the Associated Data Queries - Mikrotik - Wireless - Client is working.


Data Sources:

  • Selected Data Template - Mikrotik - Wireless - Signal Strength ( NOT Mikrotik - Wireless - RegTable Signal Strength)

  • Custom Data - Index Value - This is the numerical value (e.g. 4) corresponding to the wireless interface index id you want the signal strength measured for.

  • Custom Data - Index Type - ifIndex


Data Queries:

  • Use the Mikrotik - Wireless - Client data query located at <path_cacti>/resource/snmp_queries/mikrotik_wireless_client.xml and make sure the Data input method is: Get SNMP Data (indexed)


That should do the trick.

Where did I go wrong:

I had to add a new device for this to work, but once working I could duplicate the graph and associate it with the correct device. Don't know if this is a Cacti bug or not?

I used the RegTable signal strength data template in error.