Re: [AFMUG] Gonna need some help please.
I doubt the 2011 is touching the packets. If Frank installed the firewall script, make sure to add the IP address of the SIP PBX/device to the 'bypass firewall' address list under ip, firewall, address lists. Other than that, it's probably the IP needing to be updated on the provider's end, I'm guessing?

No worries, glad I could assist!

On Sun, Jul 7, 2019 at 3:30 PM Ken Hohhof wrote:

> The Preseem guys upgraded the firmware on our traffic shaping box on July 4, they recommended against July 5 because of the adage never make a change the day before a holiday or the weekend in case something goes wrong and you need support. But being Canadian, they were totally OK doing it on July 4.
>
> *From:* AF *On Behalf Of* ch...@wbmfg.com
> *Sent:* Sunday, July 7, 2019 5:00 PM
> *To:* 'AnimalFarm Microwave Users Group'
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> Supposedly we changed the IP on the trunking provider on July 3 end of business day so we would have a few days to make it work. The phones quit working then.
>
> *From:* Ken Hohhof
> *Sent:* Sunday, July 7, 2019 2:10 PM
> *To:* 'AnimalFarm Microwave Users Group'
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> Most SIP trunks authenticate either by password or IP address. If your IP address changed, you may need to get the SIP provider to change the config at their end. Or you may be able to change it yourself from a dashboard.
>
> *From:* AF *On Behalf Of* ch...@wbmfg.com
> *Sent:* Sunday, July 7, 2019 3:01 PM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> Unless the RB2011 is doing something to sip packets...
>
> *From:* ch...@wbmfg.com
> *Sent:* Sunday, July 7, 2019 1:59 PM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> Many thanks to TJ yesterday. We are using our new IPs and everything but the asterisk is working.
>
> Actually it is working but the SIP trunks are not. And we cannot contact our SIP trunk provider it appears until tomorrow. They are manning the phones but the Voip techs are not available. Should not have been a problem. Just change IPs on both ends. But it is broken. I guess they noticed it sometime last night because they took it upon themselves to forward the office numbers to my wife’s cell phone...
>
> Thanks again TJ. Not sure how long we would have wandered in the darkness until we found that IP in the bridge table.
>
> *From:* TJ Trout
> *Sent:* Saturday, July 6, 2019 4:43 PM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> yeah, and as long as you can reach the router we can make the changes
>
> https://www.teamviewer.com/en-us/teamviewer-automatic-download/
>
> On Sat, Jul 6, 2019 at 3:26 PM Chuck McCown wrote:
>
> Silly me. TeamViewer. Like PC Anywhere... right? (Where did I put my null modem cable)?
>
> Sent from my iPhone
>
> On Jul 6, 2019, at 3:57 PM, TJ Trout wrote:
>
> Chuck, I can make any changes you need via teamviewer?
>
> On Sat, Jul 6, 2019 at 8:01 AM wrote:
>
> Thanks, we will get back on this. Unless you want to visit scenic Lake Point, Utah today...
>
> *From:* Sterling Jacobson
> *Sent:* Friday, July 5, 2019 5:27 PM
> *To:* AnimalFarm Microwave Users Group
> *Subject:* Re: [AFMUG] Gonna need some help please.
>
> DHCP client is under IP->DHCP Client then just disable or remove it altogether.
>
> You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.
>
> Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.
>
> You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.
>
> You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.
>
> Make sure you have a strong password.
>
> Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range ie. 192.168.x.x/24 or whatever you are handing out.
>
> You can upgrade to latest by going to System->packages and Check for Updates, g
Re: [AFMUG] Gonna need some help please.
The Preseem guys upgraded the firmware on our traffic shaping box on July 4, they recommended against July 5 because of the adage never make a change the day before a holiday or the weekend in case something goes wrong and you need support. But being Canadian, they were totally OK doing it on July 4.
Re: [AFMUG] Gonna need some help please.
Supposedly we changed the IP on the trunking provider on July 3 end of business day so we would have a few days to make it work. The phones quit working then.
Re: [AFMUG] Gonna need some help please.
Most SIP trunks authenticate either by password or IP address. If your IP address changed, you may need to get the SIP provider to change the config at their end. Or you may be able to change it yourself from a dashboard.
Re: [AFMUG] Gonna need some help please.
Unless the RB2011 is doing something to sip packets...
Re: [AFMUG] Gonna need some help please.
Many thanks to TJ yesterday. We are using our new IPs and everything but the asterisk is working.

Actually it is working but the SIP trunks are not. And we cannot contact our SIP trunk provider it appears until tomorrow. They are manning the phones but the Voip techs are not available. Should not have been a problem. Just change IPs on both ends. But it is broken. I guess they noticed it sometime last night because they took it upon themselves to forward the office numbers to my wife’s cell phone...

Thanks again TJ. Not sure how long we would have wandered in the darkness until we found that IP in the bridge table.

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
Re: [AFMUG] Gonna need some help please.
yeah, and as long as you can reach the router we can make the changes

https://www.teamviewer.com/en-us/teamviewer-automatic-download/
Re: [AFMUG] Gonna need some help please.
Silly me. TeamViewer. Like PC Anywhere... right? (Where did I put my null modem cable)? Sent from my iPhone > On Jul 6, 2019, at 3:57 PM, TJ Trout wrote: > > Chuck, I can make any changes you need via teamviewer? > >> On Sat, Jul 6, 2019 at 8:01 AM wrote: >> Thanks, we will get back on this. Unless you want to visit scenic Lake >> Point, Utah today... >> >> From: Sterling Jacobson >> Sent: Friday, July 5, 2019 5:27 PM >> To: AnimalFarm Microwave Users Group >> Subject: Re: [AFMUG] Gonna need some help please. >> >> DHCP client is under IP->DHCP Client then just disable or remove it >> altogether. >> >> >> >> You want to make sure you have a bridge under Bridge, and the Port tab of >> the bridge you can add/remove ethernet ports to the bridge. >> >> Leave the WAN ethernet port you are using OUT of any bridge so it routes by >> default. >> >> >> >> You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface >> by going to IP->addresses and adding that entry assigned to that interface. >> >> You already have the gateway and DNS, so it should now route and you can do >> stuff from the routerboard online so to speak. >> >> >> >> Make sure you have a strong password. >> >> >> >> Also I would go in to IP->Services and disable all but Winbox and then add >> an internal IP range that you are handing out via DHCP as the only access >> range ie. 192.168.x.x/24 or whatever you are handing out. >> >> >> >> You an upgrade to latest by going to System->packages and Check for Updates, >> get latest from current and download and update from the button. >> >> It will reboot and then you go to System->Routerboard and hit Update for >> updating the firmware, after a second or two it will say done and that you >> should reboot, so do that and you should be current. >> >> >> >> >> >> >> >> >> >> From: AF On Behalf Of ch...@wbmfg.com >> Sent: Friday, July 5, 2019 12:49 PM >> To: AnimalFarm Microwave Users Group >> Subject: Re: [AFMUG] Gonna need some help please. 
-- 
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
Re: [AFMUG] Gonna need some help please.
You can either give me the wan IP + user and pass or you can go to teamviewer.com and download, choose run only and provide me with the ID + password, I can login to your computer and do the changes with you, in that case you don't need to provide me with any ip or credentials..

On Sat, Jul 6, 2019 at 3:17 PM Chuck McCown wrote:

> Thanks, we may take you up on that. What do you need from us? IP, username & password?
>
> Sent from my iPhone
>
> On Jul 6, 2019, at 3:57 PM, TJ Trout wrote:
>
> Chuck, I can make any changes you need via teamviewer?
>
> On Sat, Jul 6, 2019 at 8:01 AM wrote:
>
>> Thanks, we will get back on this. Unless you want to visit scenic Lake Point, Utah today...
>>
>> From: Sterling Jacobson
>> Sent: Friday, July 5, 2019 5:27 PM
>> To: AnimalFarm Microwave Users Group
>> Subject: Re: [AFMUG] Gonna need some help please.
>>
>> DHCP client is under IP->DHCP Client then just disable or remove it altogether.
>>
>> You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.
>>
>> Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.
>>
>> You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.
>>
>> You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.
>>
>> Make sure you have a strong password.
>>
>> Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range i.e. 192.168.x.x/24 or whatever you are handing out.
>>
>> You can upgrade to latest by going to System->packages and Check for Updates, get latest from current and download and update from the button.
>>
>> It will reboot and then you go to System->Routerboard and hit Update for updating the firmware, after a second or two it will say done and that you should reboot, so do that and you should be current.
Re: [AFMUG] Gonna need some help please.
Thanks, we may take you up on that. What do you need from us? IP, username & password?

Sent from my iPhone

> On Jul 6, 2019, at 3:57 PM, TJ Trout wrote:
>
> Chuck, I can make any changes you need via teamviewer?
>
>> On Sat, Jul 6, 2019 at 8:01 AM wrote:
>> Thanks, we will get back on this. Unless you want to visit scenic Lake Point, Utah today...
>>
>> From: Sterling Jacobson
>> Sent: Friday, July 5, 2019 5:27 PM
>> To: AnimalFarm Microwave Users Group
>> Subject: Re: [AFMUG] Gonna need some help please.
>>
>> DHCP client is under IP->DHCP Client then just disable or remove it altogether.
>>
>> You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.
>>
>> Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.
>>
>> You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.
>>
>> You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.
>>
>> Make sure you have a strong password.
>>
>> Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range i.e. 192.168.x.x/24 or whatever you are handing out.
>>
>> You can upgrade to latest by going to System->packages and Check for Updates, get latest from current and download and update from the button.
>>
>> It will reboot and then you go to System->Routerboard and hit Update for updating the firmware, after a second or two it will say done and that you should reboot, so do that and you should be current.
Re: [AFMUG] Gonna need some help please.
Chuck, I can make any changes you need via teamviewer?

On Sat, Jul 6, 2019 at 8:01 AM wrote:

> Thanks, we will get back on this. Unless you want to visit scenic Lake Point, Utah today...
>
> From: Sterling Jacobson
> Sent: Friday, July 5, 2019 5:27 PM
> To: AnimalFarm Microwave Users Group
> Subject: Re: [AFMUG] Gonna need some help please.
>
> DHCP client is under IP->DHCP Client then just disable or remove it altogether.
>
> You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.
>
> Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.
>
> You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.
>
> You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.
>
> Make sure you have a strong password.
>
> Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range i.e. 192.168.x.x/24 or whatever you are handing out.
>
> You can upgrade to latest by going to System->packages and Check for Updates, get latest from current and download and update from the button.
>
> It will reboot and then you go to System->Routerboard and hit Update for updating the firmware, after a second or two it will say done and that you should reboot, so do that and you should be current.
Re: [AFMUG] Gonna need some help please.
Thanks, we will get back on this. Unless you want to visit scenic Lake Point, Utah today...

From: Sterling Jacobson
Sent: Friday, July 5, 2019 5:27 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

DHCP client is under IP->DHCP Client then just disable or remove it altogether.

You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.

Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.

You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.

You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.

Make sure you have a strong password.

Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range i.e. 192.168.x.x/24 or whatever you are handing out.

You can upgrade to latest by going to System->packages and Check for Updates, get latest from current and download and update from the button.

It will reboot and then you go to System->Routerboard and hit Update for updating the firmware, after a second or two it will say done and that you should reboot, so do that and you should be current.
Re: [AFMUG] Gonna need some help please.
DHCP client is under IP->DHCP Client then just disable or remove it altogether.

You want to make sure you have a bridge under Bridge, and the Port tab of the bridge you can add/remove ethernet ports to the bridge.

Leave the WAN ethernet port you are using OUT of any bridge so it routes by default.

You would add an IP address 76.76.252.68/24 to your WAN Ethernet interface by going to IP->addresses and adding that entry assigned to that interface.

You already have the gateway and DNS, so it should now route and you can do stuff from the routerboard online so to speak.

Make sure you have a strong password.

Also I would go in to IP->Services and disable all but Winbox and then add an internal IP range that you are handing out via DHCP as the only access range i.e. 192.168.x.x/24 or whatever you are handing out.

You can upgrade to latest by going to System->packages and Check for Updates, get latest from current and download and update from the button.

It will reboot and then you go to System->Routerboard and hit Update for updating the firmware, after a second or two it will say done and that you should reboot, so do that and you should be current.

From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:49 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

From: ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:48 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Oh...After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded...so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1. ✔
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1. ✔
Add static DNS servers under IP->DNS ✔
Remove the DHCP-client on ether1. Not sure how to do this
Add the /29 to interface bridge-local ✔ Maybe
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24. ✔ I think.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't. I think that's the bare minimum, and it ought to be dead simple in Winbox.

Where do we put in the new IPs or IP range associated with this block they gave me?

76.76.254.48/29 routed to 76.76.252.68
WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
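The settings discussed in this thread (no DHCP client on ether1, masquerade limited to 192.168.88.0/24 so the routed 76.76.254.48/29 is not NATed, every service but Winbox off and Winbox limited to the LAN range) can be checked against a saved configuration. The Python below is an added example, not part of any message in the thread and not MikroTik tooling; the two export-style samples are constructed, and `audit`, `parse_export`, `BEFORE` and `AFTER` are hypothetical names.

```python
import ipaddress
import re
import shlex

# Addresses and interface name as given in the thread.
ROUTED_BLOCK = ipaddress.ip_network("76.76.254.48/29")
LAN = ipaddress.ip_network("192.168.88.0/24")
WAN_IF = "ether1"
# Assumption: a service the export does not list is treated as still enabled.
SHOULD_BE_OFF = ("telnet", "ftp", "www", "ssh", "api", "api-ssl")

# Constructed samples in RouterOS export layout (not from a real router).
BEFORE = """\
/ip dhcp-client
add disabled=no interface=ether1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
"""
AFTER = """\
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set winbox address=192.168.88.0/24
set api-ssl disabled=yes
"""


def parse_export(text):
    """Return {menu path: [entry dict, ...]} for export-style text."""
    text = re.sub(r"\\\n\s*", "", text)  # rejoin lines wrapped with a backslash
    menus, menu = {}, None
    for line in text.splitlines():
        line = line.strip()
        if not line or line.startswith("#"):
            continue
        if line.startswith("/"):
            menu = line
            continue
        entry = {}
        for token in shlex.split(line)[1:]:  # skip the add/set verb
            key, sep, value = token.partition("=")
            if sep:
                entry[key] = value
            else:
                entry["name"] = token  # item name, as in "set winbox ..."
        menus.setdefault(menu, []).append(entry)
    return menus


def enabled(entry):
    return entry.get("disabled", "no") != "yes"


def network(addr):
    """Parse a CIDR or single IPv4 address; None for anything else."""
    try:
        return ipaddress.IPv4Network(addr, strict=False)
    except ValueError:
        return None


def audit(text):
    """Return a list of finding codes; an empty list means every check passed."""
    cfg = parse_export(text)
    findings = []

    # The static WAN address replaces the DHCP client on ether1.
    for e in cfg.get("/ip dhcp-client", []):
        if e.get("interface") == WAN_IF and enabled(e):
            findings.append("dhcp-client-on-wan")

    # No source match means any source; an unparsed match is flagged as well.
    for e in cfg.get("/ip firewall nat", []):
        if e.get("action") == "masquerade" and enabled(e):
            scope = network(e.get("src-address", "0.0.0.0/0"))
            if scope is None or scope.overlaps(ROUTED_BLOCK):
                findings.append("masquerade-covers-routed-block")

    # Every service but Winbox off, and Winbox reachable from the LAN only.
    services = {e.get("name"): e for e in cfg.get("/ip service", [])}
    for name in SHOULD_BE_OFF:
        if enabled(services.get(name, {})):
            findings.append("service-enabled:" + name)
    winbox = services.get("winbox", {})
    nets = [network(a) for a in winbox.get("address", "").split(",") if a]
    lan_only = bool(nets) and all(n is not None and n.subnet_of(LAN) for n in nets)
    if enabled(winbox) and not lan_only:
        findings.append("winbox-not-limited-to-lan")
    return findings


if __name__ == "__main__":
    print({"before": audit(BEFORE), "after": audit(AFTER)})
```

`audit(BEFORE)` returns nine finding codes and `audit(AFTER)` returns an empty list.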
Re: [AFMUG] Gonna need some help please.
From: ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:48 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Oh...After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded...so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1. ✔
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1. ✔
Add static DNS servers under IP->DNS ✔
Remove the DHCP-client on ether1. Not sure how to do this
Add the /29 to interface bridge-local ✔ Maybe
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24. ✔ I think.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't. I think that's the bare minimum, and it ought to be dead simple in Winbox.

Where do we put in the new IPs or IP range associated with this block they gave me?

76.76.254.48/29 routed to 76.76.252.68
WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
Re: [AFMUG] Gonna need some help please.
Oh...After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded...so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1. ✔
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1. ✔
Add static DNS servers under IP->DNS ✔
Remove the DHCP-client on ether1. Not sure how to do this
Add the /29 to interface bridge-local ✔ Maybe
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24. ✔ I think.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't. I think that's the bare minimum, and it ought to be dead simple in Winbox.

Where do we put in the new IPs or IP range associated with this block they gave me?

76.76.254.48/29 routed to 76.76.252.68
WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
Re: [AFMUG] Gonna need some help please.
Got it up. Had to try all the goofy passwords my son likes to use. Wrote it down this time.

-----Original Message-----
From: Ken Hohhof
Sent: Friday, July 5, 2019 12:02 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

Asking specifically about connecting via discovery and MAC address? Or just in general?

One could hope that access was restricted coming from the WAN side with a connect list or firewall rule. Also neighbor discovery might be disabled on the WAN interface.

I'd connect from the LAN side unless there's some reason to do otherwise.

-----Original Message-----
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:50 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Does it matter which port you connect to? WAN?

-----Original Message-----
From: David Coudron
Sent: Friday, July 5, 2019 11:34 AM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

One of the nice things about the Mikrotik is that if you are on the same subnet, you can discover the device without having IP configured correctly. Look in Neighbors tab in the Winbox interface and it should list the device by MAC address if you are on the same subnet. Clicking the MAC address and Connect will allow you to get into the router and get it configured. No need to set a static IP on your computer if you don't want to.

Regards,

David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-----Original Message-----
From: AF On Behalf Of Ken Hohhof
Sent: Friday, July 5, 2019 12:14 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-----Original Message-----
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out. I may need assistance, wish me luck.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh...After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded...so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't. I think that's the bare minimum, and it ought to be dead simple in Winbox.

On 6/24/2019 8:34 PM, Chuck McCown wrote:
> Thanks
> Still need a config for the RB.
>
> -----Original Message-----
> From: Adam Moffett
> Sent: Monday, June 24, 2019 6:29 PM
> To: af@af.afmug.com
> Subject: Re: [AFMUG] Gonna need some help please.
>
> It can work behind NAT...I'm doing it.
> As I recall, I forwarded ports 5060-5070 and 10,000-15,000.
> In Asterisk config I had to
> * limit Asterisk to using those ports
> * specify the real WAN IP so that gets included in SIP messages
> * specify the LAN IP's so Asterisk knows when to use its NAT hacks
> * probably canreinvite=no and nat=yes on SIP peers
>
> I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports...but you're probably also not using them for anything else so it's not going to hurt. This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.
>
> Oh, I guess I did add some rules in the Mikrotik to automatica
Re: [AFMUG] Gonna need some help please.
Connect on Ether2. Some of them have firewall set up on WAN port. Ether2 usually always works.

David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-----Original Message-----
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:50 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Does it matter which port you connect to? WAN?

-----Original Message-----
From: David Coudron
Sent: Friday, July 5, 2019 11:34 AM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

One of the nice things about the Mikrotik is that if you are on the same subnet, you can discover the device without having IP configured correctly. Look in Neighbors tab in the Winbox interface and it should list the device by MAC address if you are on the same subnet. Clicking the MAC address and Connect will allow you to get into the router and get it configured. No need to set a static IP on your computer if you don't want to.

Regards,

David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-----Original Message-----
From: AF On Behalf Of Ken Hohhof
Sent: Friday, July 5, 2019 12:14 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-----Original Message-----
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out. I may need assistance, wish me luck.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh...After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded...so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't. I think that's the bare minimum, and it ought to be dead simple in Winbox.

On 6/24/2019 8:34 PM, Chuck McCown wrote:
> Thanks
> Still need a config for the RB.
>
> -----Original Message-----
> From: Adam Moffett
> Sent: Monday, June 24, 2019 6:29 PM
> To: af@af.afmug.com
> Subject: Re: [AFMUG] Gonna need some help please.
>
> It can work behind NAT...I'm doing it.
> As I recall, I forwarded ports 5060-5070 and 10,000-15,000.
> In Asterisk config I had to
> * limit Asterisk to using those ports
> * specify the real WAN IP so that gets included in SIP messages
> * specify the LAN IP's so Asterisk knows when to use its NAT hacks
> * probably canreinvite=no and nat=yes on SIP peers
>
> I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports...but you're probably also not using them for anything else so it's not going to hurt. This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.
>
> Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttere
Re: [AFMUG] Gonna need some help please.
Asking specifically about connecting via discovery and MAC address? Or just in general?

One could hope that access was restricted coming from the WAN side with a connect list or firewall rule. Also neighbor discovery might be disabled on the WAN interface. I'd connect from the LAN side unless there's some reason to do otherwise.

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:50 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Does it matter which port you connect to? WAN?

-Original Message-
From: David Coudron
Sent: Friday, July 5, 2019 11:34 AM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

One of the nice things about the Mikrotik is that if you are on the same subnet, you can discover the device without having IP configured correctly. Look in Neighbors tab in the Winbox interface and it should list the device by Mac address if you are on the same subnet. Clicking the Mac address and Connect will allow you to get into the router and get it configured. No need to set a static IP on your computer if you don't want to.

Regards,
David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-Original Message-
From: AF On Behalf Of Ken Hohhof
Sent: Friday, July 5, 2019 12:14 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).
Re: [AFMUG] Gonna need some help please.
Well, that would be bad. You want to at least change the password. Also update the firmware to 6.42.something or 6.43.something. There were some vulnerabilities fixed about 2 years ago.

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:49 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

Not so sure anything was changed.

-Original Message-
From: Ken Hohhof
Sent: Friday, July 5, 2019 11:14 AM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh... After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded... so you'll want to change that masquerade rule so it only matches the private IP's.
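The points raised in the two replies above (change the blank default password, update RouterOS, keep management access and neighbor discovery off the WAN side), written out as RouterOS console commands. This is an added example, not a config posted in the thread. It assumes RouterOS 6.42/6.43, ether1 as WAN, bridge-local as LAN and the default 192.168.88.0/24 LAN subnet; the interface list name LAN and the password string are placeholders.

```routeros
# Added example, not from the thread. Run it from the LAN side.
# Assumptions: ether1 = WAN, bridge-local = LAN, LAN subnet 192.168.88.0/24.

# 1. Replace the blank default password on the admin account.
#    "CHANGE-ME-long-random-passphrase" is a placeholder.
/user set [find name=admin] password="CHANGE-ME-long-random-passphrase"

# 2. Put the LAN side into an interface list so later settings can refer to it.
#    Skip the "add name=LAN" line if the list already exists on this router.
/interface list add name=LAN
/interface list member add list=LAN interface=bridge-local

# 3. Neighbor discovery and MAC-layer logins (the Winbox Neighbors tab) only on
#    the LAN list, so the router does not announce itself or accept
#    MAC connections on ether1.
/ip neighbor discovery-settings set discover-interface-list=LAN
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN

# 4. Turn off management services that are not used and limit the remaining
#    ones to the LAN subnet.
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24

# 5. Firewall rule for the router itself: no new connections to the router
#    arriving on the WAN port. This is the input chain only, so traffic
#    forwarded to servers behind the router is not affected.
#    Check the order with "/ip firewall filter print": the rule must sit
#    above any rule that accepts input from ether1.
/ip firewall filter add chain=input in-interface=ether1 connection-state=new \
    action=drop comment="no new connections to the router from WAN"

# 6. Update RouterOS. "install" downloads the package and reboots the router.
/system package update check-for-updates
/system package update install

# After the reboot, confirm the running version.
/system resource print
```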
Re: [AFMUG] Gonna need some help please.
Does it matter which port you connect to? WAN?

-Original Message-
From: David Coudron
Sent: Friday, July 5, 2019 11:34 AM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

One of the nice things about the Mikrotik is that if you are on the same subnet, you can discover the device without having IP configured correctly. Look in Neighbors tab in the Winbox interface and it should list the device by Mac address if you are on the same subnet. Clicking the Mac address and Connect will allow you to get into the router and get it configured. No need to set a static IP on your computer if you don't want to.

Regards,
David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-Original Message-
From: AF On Behalf Of Ken Hohhof
Sent: Friday, July 5, 2019 12:14 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.
Re: [AFMUG] Gonna need some help please.
Not so sure anything was changed.

-Original Message-
From: Ken Hohhof
Sent: Friday, July 5, 2019 11:14 AM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh... After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded... so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.
Re: [AFMUG] Gonna need some help please.
One of the nice things about the Mikrotik is that if you are on the same subnet, you can discover the device without having IP configured correctly. Look in Neighbors tab in the Winbox interface and it should list the device by Mac address if you are on the same subnet. Clicking the Mac address and Connect will allow you to get into the router and get it configured. No need to set a static IP on your computer if you don't want to.

Regards,
David Coudron
david.coud...@advantenon.com | Mobile: 612-991-7474
Advantenon, Inc.
i...@advantenon.com | 3500 Vicksburg Lane N, Suite 315, Plymouth, MN 55447 | www.advantenon.com | Phone: 800-704-4720 | Local: 612-454-1545

-Original Message-
From: AF On Behalf Of Ken Hohhof
Sent: Friday, July 5, 2019 12:14 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh... After re-reading it looks like you're avoiding NAT by putting servers into a public /29.
Re: [AFMUG] Gonna need some help please.
3 methods - command line, winbox, or webfig. I recommend winbox. It's an executable you can download here: https://mikrotik.com/download

You will need the router IP address (default 192.168.88.1 but probably has been changed) and the username/password (default admin and blank password but almost certainly has been changed).

-Original Message-
From: AF On Behalf Of ch...@wbmfg.com
Sent: Friday, July 5, 2019 12:09 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh... After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded... so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't.

I think that's the bare minimum, and it ought to be dead simple in Winbox.
Re: [AFMUG] Gonna need some help please.
OK, today is the day I attempt this. Already had the Voip company switch IPs so the phones are down until I make this change.

Not sure how to log into the RB2011. I presume the normal default IPs for things like this. My IT son is visiting for the weekend. Once he decides to get up and join the ranks of the living hopefully he will come down to the shop and help me out.

I may need assistance, wish me luck.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh... After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded... so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't.

I think that's the bare minimum, and it ought to be dead simple in Winbox.

On 6/24/2019 8:34 PM, Chuck McCown wrote:
Thanks
Still need a config for the RB.

-Original Message-
From: Adam Moffett
Sent: Monday, June 24, 2019 6:29 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

It can work behind NAT... I'm doing it.
As I recall, I forwarded ports 5060-5070 and 10,000-15,000.
In Asterisk config I had to
* limit Asterisk to using those ports
* specify the real WAN IP so that gets included in SIP messages
* specify the LAN IP's so Asterisk knows when to use its NAT hacks
* probably canreinvite=no and nat=yes on SIP peers

I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports... but you're probably also not using them for anything else so it's not going to hurt. This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.

Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttered, but isn't strictly necessary.

-Adam

On 6/24/2019 8:10 PM, Forrest Christian (List Account) wrote:
What are the symptoms?

Are you getting call setup requests but no audio, etc?

setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:
I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68
WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1
Routed subnet info: 76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54

--
AF mailing list
AF@af.afmug.com
http://af.afmug.com/mailman/listinfo/af_af.afmug.com
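Adam Moffett's steps from the quoted 7:46 PM reply, written out as RouterOS console commands with the addresses given in the original post. This is an added example, not a config posted in the thread. The router's own address inside the /29 (76.76.254.49) and the DNS server addresses are assumptions; the DNS values are placeholders to be replaced with the provider's resolvers.

```routeros
# Added example, not from the thread. Run it from the LAN side, because the
# WAN addressing on ether1 changes while these commands are applied.

# WAN: static address and default route (values from the original post).
/ip address add address=76.76.252.68/24 interface=ether1 comment="WAN static"
/ip route add dst-address=0.0.0.0/0 gateway=76.76.252.1

# Static DNS servers. 192.0.2.53 and 192.0.2.54 are placeholders.
/ip dns set servers=192.0.2.53,192.0.2.54

# The DHCP client on ether1 is no longer needed.
/ip dhcp-client remove [find interface=ether1]

# Routed /29 on the LAN bridge. Assumption: the router takes the first usable
# address and the servers use .50-.54 with 76.76.254.49 as their gateway.
/ip address add address=76.76.254.49/29 interface=bridge-local \
    comment="routed /29 for servers"

# NAT: the default rule masquerades everything leaving ether1, which would
# also rewrite the servers' public source addresses. Replace it with a rule
# that matches only the private DHCP range. Removing and re-adding gives the
# same end state as editing the rule in Winbox.
/ip firewall nat remove [find chain=srcnat action=masquerade]
/ip firewall nat add chain=srcnat action=masquerade \
    src-address=192.168.88.0/24 comment="NAT private DHCP clients only"

# Check the result.
/ip address print
/ip route print
/ip firewall nat print
```

With this in place a SIP provider that authenticates the trunk by IP address sees the Asterisk server's own /29 address, not the router's WAN address.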
Re: [AFMUG] Gonna need some help please.
I am the customer with the Asterisk. I am avoiding NAT by having it directly connected via static. But that is going away. It will have to live behind the RB and I don't know how to make that work.

-----Original Message-----
From: Ken Hohhof
Sent: Monday, June 24, 2019 7:25 PM
To: 'AnimalFarm Microwave Users Group'
Subject: Re: [AFMUG] Gonna need some help please.

I'm confused. When you talk about static IPs and NAT, are you talking about your customer's ATA, or the SIP trunk side of your Asterisk box? Or the customer side of your Asterisk box? Surely your Asterisk box has a static IP and no NAT.

-----Original Message-----
From: AF On Behalf Of Chuck McCown
Sent: Monday, June 24, 2019 7:33 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

I don't recall the symptoms. We fixed it with the static and having it ahead of everything.

-----Original Message-----
From: Forrest Christian (List Account)
Sent: Monday, June 24, 2019 6:10 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54

--
- Forrest
Re: [AFMUG] Gonna need some help please.
Thanks, this is the kind of stuff I am ignorant about.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 7:46 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

Oh. After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded, so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't.

I think that's the bare minimum, and it ought to be dead simple in Winbox.

On 6/24/2019 8:34 PM, Chuck McCown wrote:

Thanks
Still need a config for the RB.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 6:29 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

It can work behind NAT. I'm doing it.

As I recall, I forwarded ports 5060-5070 and 10,000-15,000.

In Asterisk config I had to
* limit Asterisk to using those ports
* specify the real WAN IP so that gets included in SIP messages
* specify the LAN IP's so Asterisk knows when to use its NAT hacks
* probably canreinvite=no and nat=yes on SIP peers

I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports, but you're probably also not using them for anything else so it's not going to hurt.

This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.

Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttered, but isn't strictly necessary.

-Adam

On 6/24/2019 8:10 PM, Forrest Christian (List Account) wrote:

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
Re: [AFMUG] Gonna need some help please.
Oh. After re-reading it looks like you're avoiding NAT by putting servers into a public /29. I completely misread what you were looking for.

So yeah, by default the RB2011 will have the first Ethernet port set up as the WAN with DHCP, and everything exiting via that port gets masqueraded, so you'll want to change that masquerade rule so it only matches the private IP's.

Add the static IP to ether1.
Add the static default route by adding a route to destination 0.0.0.0/0 with gateway of 76.76.252.1.
Add static DNS servers under IP->DNS
Remove the DHCP-client on ether1.
Add the /29 to interface bridge-local
Under IP->Firewall->NAT, edit the masquerade rule by removing the "out interface" criteria. Add a new criteria for source IP 192.168.88.0/24.

Now your DHCP clients get private IP's and NAT, but your servers with static IP's don't.

I think that's the bare minimum, and it ought to be dead simple in Winbox.

On 6/24/2019 8:34 PM, Chuck McCown wrote:

Thanks
Still need a config for the RB.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 6:29 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

It can work behind NAT. I'm doing it.

As I recall, I forwarded ports 5060-5070 and 10,000-15,000.

In Asterisk config I had to
* limit Asterisk to using those ports
* specify the real WAN IP so that gets included in SIP messages
* specify the LAN IP's so Asterisk knows when to use its NAT hacks
* probably canreinvite=no and nat=yes on SIP peers

I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports, but you're probably also not using them for anything else so it's not going to hurt.

This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.

Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttered, but isn't strictly necessary.

-Adam

On 6/24/2019 8:10 PM, Forrest Christian (List Account) wrote:

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
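The router steps listed in the message above, written out as RouterOS terminal commands. This is an added example, not a config posted in the thread. Assumptions: the interface names ether1 and bridge-local are as the message gives them, the router itself takes 76.76.254.49 from the routed /29, the DNS address is a placeholder, and the default config holds a single masquerade rule.

```routeros
# Added example. Addresses come from the thread except where marked as assumptions.
# Interface names follow the message (ether1, bridge-local); confirm with /interface print.

# WAN: static address on ether1 (WAN IP 76.76.252.68, mask 255.255.255.0)
/ip address add address=76.76.252.68/24 interface=ether1 comment="WAN static"

# Static default route via the provider gateway
/ip route add dst-address=0.0.0.0/0 gateway=76.76.252.1

# Static DNS. 192.0.2.53 is a placeholder from the documentation range;
# replace it with the provider's resolvers.
/ip dns set servers=192.0.2.53

# The default config runs a DHCP client on the WAN port; remove it
/ip dhcp-client remove [find interface=ether1]

# Routed /29 on the LAN bridge.
# Assumption: the router takes .49; servers use .50-.54 with .49 as their gateway.
/ip address add address=76.76.254.49/29 interface=bridge-local comment="routed public /29"

# Masquerade only the private DHCP range instead of everything leaving the WAN port.
# Assumption: exactly one srcnat masquerade rule exists (the default one).
/ip firewall nat unset [find chain=srcnat action=masquerade] out-interface
/ip firewall nat set [find chain=srcnat action=masquerade] src-address=192.168.88.0/24

# Review the result
/ip address print
/ip route print
/ip firewall nat print
```

Once this is applied, the servers on 76.76.254.48/29 are routed rather than hidden behind NAT, so anything on them that should not be reachable from the internet has to be blocked by forward-chain filter rules on the router or on the hosts themselves.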
Re: [AFMUG] Gonna need some help please.
I'm confused. When you talk about static IPs and NAT, are you talking about your customer's ATA, or the SIP trunk side of your Asterisk box? Or the customer side of your Asterisk box? Surely your Asterisk box has a static IP and no NAT.

-----Original Message-----
From: AF On Behalf Of Chuck McCown
Sent: Monday, June 24, 2019 7:33 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

I don't recall the symptoms. We fixed it with the static and having it ahead of everything.

-----Original Message-----
From: Forrest Christian (List Account)
Sent: Monday, June 24, 2019 6:10 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:
>
> I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.
>
> I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.
>
> I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.
>
> This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.
>
> 76.76.254.48/29 routed to 76.76.252.68
>
> WAN IP: 76.76.252.68
> Subnet: 255.255.255.0
> Gateway: 76.76.252.1
>
> Routed subnet info:
> 76.76.254.48/29
> subnet mask: 255.255.255.248
> available IP's: 76.76.254.49-54

--
- Forrest
Re: [AFMUG] Gonna need some help please.
Thanks
Still need a config for the RB.

-----Original Message-----
From: Adam Moffett
Sent: Monday, June 24, 2019 6:29 PM
To: af@af.afmug.com
Subject: Re: [AFMUG] Gonna need some help please.

It can work behind NAT. I'm doing it.

As I recall, I forwarded ports 5060-5070 and 10,000-15,000.

In Asterisk config I had to
* limit Asterisk to using those ports
* specify the real WAN IP so that gets included in SIP messages
* specify the LAN IP's so Asterisk knows when to use its NAT hacks
* probably canreinvite=no and nat=yes on SIP peers

I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports, but you're probably also not using them for anything else so it's not going to hurt.

This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.

Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttered, but isn't strictly necessary.

-Adam

On 6/24/2019 8:10 PM, Forrest Christian (List Account) wrote:

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
Re: [AFMUG] Gonna need some help please.
I don't recall the symptoms. We fixed it with the static and having it ahead of everything.

-----Original Message-----
From: Forrest Christian (List Account)
Sent: Monday, June 24, 2019 6:10 PM
To: AnimalFarm Microwave Users Group
Subject: Re: [AFMUG] Gonna need some help please.

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54

--
- Forrest
Re: [AFMUG] Gonna need some help please.
It can work behind NAT. I'm doing it.

As I recall, I forwarded ports 5060-5070 and 10,000-15,000.

In Asterisk config I had to
* limit Asterisk to using those ports
* specify the real WAN IP so that gets included in SIP messages
* specify the LAN IP's so Asterisk knows when to use its NAT hacks
* probably canreinvite=no and nat=yes on SIP peers

I didn't do anything on the router other than the port forwarding. You probably don't need 5,000 RTP ports, but you're probably also not using them for anything else so it's not going to hurt.

This isn't going to be fiddling with your router config much, it's going to be mostly fiddling with Asterisk.

Oh, I guess I did add some rules in the Mikrotik to automatically blacklist IP's that generate too many Auth failure messages on SIP ports. That keeps the Asterisk logs uncluttered, but isn't strictly necessary.

-Adam

On 6/24/2019 8:10 PM, Forrest Christian (List Account) wrote:

What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:

I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54
Re: [AFMUG] Gonna need some help please.
What are the symptoms? Are you getting call setup requests but no audio, etc?

Setting nat=yes and canreinvite=no fixes a lot of these, at the expense of having to have all of the call audio going through the asterisk box. Be aware that this suggestion might be dated since I haven't dealt with an asterisk setup for quite some time (mine just keeps chugging along with little maintenance).

On Mon, Jun 24, 2019 at 5:34 PM wrote:
>
> I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.
>
> I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.
>
> I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.
>
> This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.
>
> 76.76.254.48/29 routed to 76.76.252.68
>
> WAN IP: 76.76.252.68
> Subnet: 255.255.255.0
> Gateway: 76.76.252.1
>
> Routed subnet info:
> 76.76.254.48/29
> subnet mask: 255.255.255.248
> available IP's: 76.76.254.49-54

--
- Forrest
[AFMUG] Gonna need some help please.
I have an asterisk system speaking to my SIP provider. One end or the other (or both) do not tolerate NAT. For years we have had a Static for the SIP trunks. And a mix of other statics and DHCP circuits for everything else we do. So coming from the ONT we first hit a switch and then off to Asterisk, other servers and a RB router.

I am now switching to a /29 for everything. So the ONT ethernet will first hit a RB2011 iL-IN (assuming it is capable of doing what we need) and then go to our various other servers as well as the Asterisk system.

I am not a router guy. I took exactly one Cisco router class probably back in 2003. I may have upgraded one Cisco router once back when you could buy one license but apply it to multiple devices. Not sure if they plugged that hole, I imagine they did.

This sounds like it should be trivial. I hope it is trivial. But I would rather have the borg take a look at it before I start to try to download the RB manual and go into my autodidactical mode. Too old for this crap.

76.76.254.48/29 routed to 76.76.252.68

WAN IP: 76.76.252.68
Subnet: 255.255.255.0
Gateway: 76.76.252.1

Routed subnet info:
76.76.254.48/29
subnet mask: 255.255.255.248
available IP's: 76.76.254.49-54