[AFMUG] Commnet tower application

2016-02-17 Thread Michael Gawlowski
Has anyone out there submitted applications with them before?  They are asking 
for a proposed site plan and tower elevation plan along with the application. 
Does anyone know of some software that can help create visual plans like these? 

Thank you,
Michael Gawlowski
Triad Wireless, LLC

Re: [AFMUG] accessing router behind canopy NAT

2015-04-01 Thread Michael Gawlowski
If you deleted all of your firewall rules then the MT won’t pass any traffic.  
You still have the 4 accept rules (2 forward and 2 input) in there right?

Mike

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Kurt Fankhauser
Sent: Tuesday, March 31, 2015 11:39 AM
To: af@afmug.com
Subject: Re: [AFMUG] accessing router behind canopy NAT

no haven't tried different port numbers


Kurt Fankhauser

Wavelinc Communications

P.O. Box 126

Bucyrus, OH 44820

http://www.wavelinc.com

tel. 419-562-6405

fax. 419-617-0110

On Tue, Mar 31, 2015 at 1:50 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
If it's DMZed I can't imagine why you wouldn't be able to talk to it, have you 
tried different port numbers on the MT?


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Mar 31, 2015 at 1:33 PM, Kurt Fankhauser <li...@wavelinc.com> wrote:
I disabled all the firewall rules so nothing should be blocking.


Kurt Fankhauser

Wavelinc Communications

P.O. Box 126

Bucyrus, OH 44820

http://www.wavelinc.com

tel. 419-562-6405

fax. 419-617-0110

On Tue, Mar 31, 2015 at 1:03 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:

Uhm... No interfaces at all?  Do you have the default config on there blocking 
it?

Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373
On Mar 31, 2015 12:42 PM, "Kurt Fankhauser" <li...@wavelinc.com> wrote:
Which way Josh? With the NAT doing the DMZ trick? I dunno it just doesn't work 
for some reason.


Kurt Fankhauser

Wavelinc Communications

P.O. Box 126

Bucyrus, OH 44820

http://www.wavelinc.com

tel. 419-562-6405

fax. 419-617-0110

On Tue, Mar 31, 2015 at 12:39 PM, Josh Luthman <j...@imaginenetworksllc.com> wrote:
Why can't you access MT routers that way?


Josh Luthman
Office: 937-552-2340
Direct: 937-552-2343
1100 Wayne St
Suite 1337
Troy, OH 45373

On Tue, Mar 31, 2015 at 12:36 PM, Kurt Fankhauser <li...@wavelinc.com> wrote:
If you manage the customer router (such as a Mikrotik) do you generally run the 
SM in NAT or bridged mode? I have been doing NAT on the Canopy SM's with the 
DMZ trick to the first IP address but when doing that I can't access the 
Mikrotik routers that way. Kind of wanted to keep the NAT in place because it 
stops the customer from hooking stuff up wrong and making a mess... But I could 
do bridged mode on those CPE's

Kurt Fankhauser

Wavelinc Communications

P.O. Box 126

Bucyrus, OH 44820

http://www.wavelinc.com

tel. 419-562-6405

fax. 419-617-0110







Re: [AFMUG] accessing router behind canopy NAT

2015-04-01 Thread Michael Gawlowski
You’re right, Bill.  The filter rules I mentioned are not necessary.  I was 
thinking of the NAT masquerade rule.

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Bill Prince
Sent: Wednesday, April 01, 2015 11:01 AM
To: af@afmug.com
Subject: Re: [AFMUG] accessing router behind canopy NAT

If you delete all the rules, then there are no rules. It will accept anything 
from anywhere & forward them as well.


bp




On 4/1/2015 10:59 AM, Michael Gawlowski wrote:
If you deleted all of your firewall rules then the MT won’t pass any traffic.  
You still have the 4 accept rules (2 forward and 2 input) in there right?

Mike


[AFMUG] Dropping Chinese & Korean IP's in Mikrotik

2015-05-08 Thread Michael Gawlowski
I have a blocklist of IP's and CIDR ranges that I would like to add in my 
mikrotik 1100's and 2011's.  Two questions:


1)  What is the best way to add these without doing one address or subnet 
at a time?

2)  Will there be a significant impact on router performance from adding so 
many rules in the firewall filter?  Most of these routers are expected to 
handle about 50-150Mbps depending on the model and location.

Thank you,

Mike Gawlowski
Triad Wireless, LLC
4226 S. 37th ST
Phoenix, AZ 85040
(602)-426-0542
Triadwireless.net



Re: [AFMUG] Mikrotik stable OS version

2015-05-13 Thread Michael Gawlowski
Been running an 1100AX with 6.28 for 2 weeks no problems.  We have 5 1100AX’s 
on various other sites running 6.15 for 6+ months.  There’s nothing saying you 
can’t put 90 IP’s on one interface.
___
Mike Gawlowski
Triad Wireless, LLC
4226 S. 37th ST
Phoenix, AZ 85040
(602)-426-0542
Triadwireless.net

From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Wednesday, May 13, 2015 9:32 AM
To: af@afmug.com
Subject: Re: [AFMUG] Mikrotik stable OS version

for an interim move (I have to prove mikrotik to the boss) there could be as 
many as 90 at one point. Imagestream occasionally would get fussy if I had 
multiple router interfaces on the same physical network segment, does mikrotik 
get fussy about this?

On Wed, May 13, 2015 at 11:20 AM, Mike Hammett <af...@ics-il.net> wrote:
Likely no limit. How many are you trying to put on?


-
Mike Hammett
Intelligent Computing Solutions
http://www.ics-il.com


Midwest Internet Exchange
http://www.midwest-ix.com


From: "That One Guy /sarcasm" <thatoneguyst...@gmail.com>
To: af@afmug.com
Sent: Wednesday, May 13, 2015 11:18:08 AM
Subject: Re: [AFMUG] Mikrotik stable OS version

Do these things have a limit to the number of secondary IPs you can put on an 
interface? I can't find it documented

On Wed, May 13, 2015 at 9:56 AM, Stefan Englhardt <s...@genias.net> wrote:
No problems with newer 6.x Version. We’ve 6.15 and 6.25 running on them.
Seems 6.x tree matures. But it is MT. You never know ;-)).


From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Wednesday, May 13, 2015 16:51
To: af@afmug.com
Subject: [AFMUG] Mikrotik stable OS version

just got in an rb1100ahx2 What is the current most stable software version 
recommended on these?

--
If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.





Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

2015-05-13 Thread Michael Gawlowski
I now have a FW script from Butch Evans that fixes this problem.  It takes any 
ftp, telnet or ssh attempt on the router and blocks the source IP for however 
long I want.  Thanks for the input, everyone.

_
Mike Gawlowski
Triad Wireless, LLC
4226 S. 37th ST
Phoenix, AZ 85040
(602)-426-0542
Triadwireless.net



From: Af [mailto:af-boun...@afmug.com] On Behalf Of Paul Stewart
Sent: Monday, May 11, 2015 12:02 PM
To: af@afmug.com
Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

Why block at all?  I know it’s a loaded question but I always take the approach 
that customers should be protecting themselves.  If they don’t protect 
themselves and create your network service affecting issues then disconnect 
them until they sort their stuff out.

Also, in my limited testing with Mikrotik boxes I found their firewall could 
easily be used to topple over the router – I wouldn’t put my “core router” in 
the middle of an attack until I had to … going by memory this was an RB1100 
with 25-30 firewall rules – less than 100 Mbs of dirty/malicious traffic and 
the box was taken offline.  This doesn’t make Mikrotik unique which is part of 
my point – even easier is inline IPS boxes that are underpowered in the first 
place.

From: Af [mailto:af-boun...@afmug.com] On Behalf Of Glen Waldrop
Sent: Monday, May 11, 2015 1:02 PM
To: af@afmug.com
Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

Not me, Michael Gawlowski.

We have similar problems, though I block subnets rather than entire countries, 
typically confirmed as consumer IP addresses before we do so.

I manage a router for a local cable company. I can't block every port on their 
customer's equipment. The random nature of the attacks makes detecting it 
extremely difficult.

I don't have these problems with my network, only the cable company's.





- Original Message -
From: Paul Stewart <p...@paulstewart.org>
To: af@afmug.com
Sent: Monday, May 11, 2015 11:14 AM
Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

So it sounds like the original poster (Glen I believe it is) is looking to 
protect equipment that is not his?  Why not just firewall access to that 
equipment specifically or does it still need to be open access?

Firewalling by country is really dangerous … if you do this for every country 
that attacks you, you won’t be talking to the Internet much longer ;)

Something adaptive may be much more suggested … as David has one solution for 
below.

If you are protecting SSH access, consider using SSH keys if supported along 
with fail2ban or other tools …

Just some thoughts..
Paul


From: Af [mailto:af-boun...@afmug.com] On Behalf Of David Milholen
Sent: Monday, May 11, 2015 7:53 AM
To: af@afmug.com
Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

I have a perl script that watches our bind logs for Denied queries and places 
those ips in a list then we add that list
to our drop all rule in the gateways for 30 days. This is one level we use to 
prevent poisoning of dns or cache probes.
It has seemed to help with a whole bunch of other things as well.

On 5/8/2015 3:51 PM, Glen Waldrop wrote:
The problem we run into is that those same folks that are attacking our 
equipment are attacking the equipment behind our routers.

It is comparatively simple to secure our routers, not quite as easy to secure 
everything behind them, stuff that isn't ours.


- Original Message -
From: Sean Heskett <af...@zirkel.us>
To: af@afmug.com
Sent: Friday, May 08, 2015 3:33 PM
Subject: Re: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

Plus whenever the net neutrality rules kick in it'll be illegal.

Shouldn't be necessary if you have your firewalls setup correctly.

2 cents

-Sean


On Friday, May 8, 2015, Paul Stewart <p...@paulstewart.org> wrote:
Ouch… are you sure you want to do that?  I wouldn’t ever tell someone how to 
run their company or network but you are just hiding in my opinion from the 
problems you are possibly having.  What about Romania for example?

I’ve seen a few ISP’s block whole countries and it wasn’t pretty…. People 
couldn’t email relatives in those countries, couldn’t pull up websites, 
companies/business customers couldn’t conduct business etc etc….

Just a thought ☺

Paul


From: Af [mailto:af-boun...@afmug.com] On Behalf Of Michael Gawlowski
Sent: Friday, May 8, 2015 3:25 PM
To: af@afmug.com
Subject: [AFMUG] Dropping Chinese & Korean IP's in Mikrotik

I have a blocklist of IP’s and CIDR ranges that I would like to add in my 
mikrotik 1100’s and 2011’s.  Two questions:


1)  What is the best way to add these without doing one address or subnet 
at a time?

2)  Will there be a significant impact on router perfo
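
The log-driven blocklist David Milholen describes in this thread (denied BIND queries collected into a list that a drop rule references for 30 days), sketched as an added Python example; it is not his Perl script or code from anyone on the list. The log lines are constructed, and the list name `dns_denied`, the three-hit threshold, the allowlisted prefix and the `forward` chain are assumptions.

```python
import ipaddress
import re
from collections import Counter

# Constructed sample lines in BIND 9 log format (documentation addresses, not from the thread).
SAMPLE_LOG = """\
11-May-2015 07:41:02.123 security: info: client 203.0.113.45#53211 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:02.456 security: info: client 203.0.113.45#53212 (example.net): query (cache) 'example.net/ANY/IN' denied
11-May-2015 07:41:03.001 security: info: client 203.0.113.45#40000 (example.org): query (cache) 'example.org/A/IN' denied
11-May-2015 07:41:04.010 security: info: client 198.51.100.7#1025 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:05.000 security: info: client 192.0.2.10#5353 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:05.100 security: info: client 192.0.2.10#5354 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:05.200 security: info: client 192.0.2.10#5355 (example.com): query (cache) 'example.com/A/IN' denied
11-May-2015 07:41:06.000 queries: info: client 203.0.113.99#1234 (example.com): query: example.com IN A +
"""

# Newer BIND releases print "client @0x... addr#port"; accept both forms.
DENIED = re.compile(r"client (?:@0x[0-9a-f]+ )?([0-9A-Fa-f.:]+)#\d+ .*\bdenied\s*$")


def denied_sources(log_text, min_hits=3, allow=("192.0.2.0/24",)):
    """Return IPv4 sources with at least min_hits denied queries.

    A threshold is used because UDP source addresses can be spoofed, so a
    single denied query is weak evidence. `allow` holds prefixes that must
    never be listed (here an assumed management/customer range).
    """
    allow_nets = [ipaddress.ip_network(n) for n in allow]
    hits = Counter()
    for line in log_text.splitlines():
        m = DENIED.search(line)
        if not m:
            continue
        try:
            ip = ipaddress.ip_address(m.group(1))
        except ValueError:
            continue  # address field did not parse; skip the line
        if ip.version != 4 or any(ip in net for net in allow_nets):
            continue
        hits[ip] += 1
    return sorted(ip for ip, count in hits.items() if count >= min_hits)


def routeros_commands(ips, list_name="dns_denied", timeout="30d"):
    """Build RouterOS address-list entries that expire after `timeout`."""
    return [
        f"/ip firewall address-list add list={list_name} address={ip} timeout={timeout}"
        for ip in ips
    ]


# One filter rule then covers the whole list (chain is an assumption):
#   /ip firewall filter add chain=forward src-address-list=dns_denied action=drop
if __name__ == "__main__":
    print("\n".join(routeros_commands(denied_sources(SAMPLE_LOG))))
```

Because the drop rule matches on the address list, the filter table stays at one rule however many sources are listed, and the `timeout` lets entries age out without a cleanup job.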

Re: [AFMUG] mikrotik export compact, whats missing?

2016-08-05 Thread Michael Gawlowski
That method has worked for me.  I think the device password was missing though.


From: Af [mailto:af-boun...@afmug.com] On Behalf Of That One Guy /sarcasm
Sent: Friday, August 05, 2016 12:27 PM
To: af@afmug.com
Subject: Re: [AFMUG] mikrotik export compact, whats missing?

we load firmware, reset/no default, then paste the text from the export

when building a new router we load firmware, reset/no default, paste the 
defaults from a text file for our network, then put everything site specific 
in. so it should move everything since we reset/no default from the get go?

On Fri, Aug 5, 2016 at 2:11 PM, Joe Novak <jno...@lrcomm.com> wrote:
any version past v6rc1 'export compact' is the default behavior for export, 
export verbose is supposedly the 'full' export.


http://wiki.mikrotik.com/wiki/Manual:Configuration_Management#Exporting_Configuration


On Fri, Aug 5, 2016 at 2:02 PM, That One Guy /sarcasm <thatoneguyst...@gmail.com> wrote:
the ospf key comes over
the device password does not
will eoip passphrase come over?

in failover if you have the export compact going into a different unit that's 
the same model, same firmware, is there anything other than setting the device 
password that needs done?

--
If you only see yourself as part of the team but you don't see your team as 
part of yourself you have already failed as part of the team.






[AFMUG] Strict NAT message on Xbox One?

2016-05-06 Thread Michael Gawlowski
Anyone had this issue? The customer is behind a ubiquiti running NAT with the 
ubiquiti using a public IP behind one of our Mikrotik's. The Mikrotik does not 
have any ports blocked, either. Any ideas?

Thank you,
Michael Gawlowski
Triad Wireless, LLC

[AFMUG] Mikrotik bandwidth monitor with The Dude?

2015-06-25 Thread Michael Gawlowski
I am looking to monitor daily and monthly bandwidth on our 
MT's, hopefully through the Dude.  I have already set up SNMP successfully on a 
couple of sites but I'm not seeing anything in the polling section of the Dude 
to monitor daily/monthly bandwidth usage.  I do not need it on a per-user basis 
at this time, just the totals for the WAN port, for example.  The MT forum and 
wiki did show a script that would email stats but that is not preferred.  Does 
anyone know of a way to accomplish this?

Thank you,

Mike Gawlowski
Triad Wireless, LLC
4226 S. 37th ST
Phoenix, AZ 85040
(602)-426-0542
Triadwireless.net



[AFMUG] Netonix and MPLS

2016-04-15 Thread Michael Gawlowski
Anyone have experience passing an MPLS circuit through a Netonix?  We have 1G 
fiber from the provider and would like to run that into the Netonix and out the 
48v POE port to the customer but it will not pass traffic.  I have this working 
through a Mikrotik (without POE) by putting the SFP and an Ethernet port in the 
same bridge group and then powering through the POE injector.  What is the 
difference between a bridge group on the MikroTik and the Netonix VLAN1?  I 
already checked the MTU size (increased to 1598) and that did not help.

Thanks,
Mike


[AFMUG] Bonded links and signal degradation

2017-04-07 Thread Michael Gawlowski
We have some bonded links (2x10Gbps) going up that may experience rain fade.  
What would you recommend for routing protocols/QoS methods that can adjust to 
changing throughput capacity? I was thinking of an OSPF equal cost load 
balancing option with QOS but we still run into the problem of adapting to the 
available throughput.

Is SDN pretty much the only option?  I found Cisco's onePK platform but didn't 
want to go that route unless absolutely necessary.  Something that works with 
MikroTik would be much more cost effective.

Thank you,
Mike Gawlowski
Triad Wireless, LLC

4226 S. 37th St
Phoenix, AZ 85040
(602)-426-0542
Triadwireless.net