Hi Mike,

I always set the only allowed subnet via winbox to be the internal LAN, and we would only ever connect from the internal LAN. I’ve tested this setting thoroughly and I know my rule is OK, so I don’t believe this is the problem. This has also happened on routers that I haven’t personally set up, and that don’t have that rule in the firewall config.

Regarding MTU, I have done exactly as you guys have mentioned with the mangle rule, testing the maximum packet size using ping with the do not fragment bit set. Normally this comes out to be 1452, however I am still having problems with some of my clients. I’m starting to think perhaps I have just had a run of bad luck with crappy ADSL lines on residential customer sites.

Ben

On 27 Oct 2014, at 2:18 pm, Mike Everest <mike@duxtel.com> wrote:
Hi!
1) Any idea why a routerboard which has not had an admin password assigned to it would suddenly not accept the blank password and give an "incorrect password" error through winbox? Firewall rules were in place to only allow IP addresses from the internal LAN to connect so I'm pretty sure they weren't hacked and the password changed.
Allowed addresses? If you set the allowed address attribute for a user, then an attempt to access from some other address will fail as if the credentials were bad. Watch out for '0.0.0.0' instead of '0.0.0.0/0'! ;-)
2) ADSL and MikroTik - the ongoing saga. I was following with much interest the recent thread started by Mike about which ADSL modem to use. Seems the TP-Link 8817 is the one to go for, however I have tried this modem in various installs and have still had intermittent slowness and just plain weird packet loss / latency.
Check MTU on pppoe client? Sometimes MTU discovery can be broken by bad bridges on ISP access network causing unexpected fragmentation of pppoe packets. Try reducing MTU on your pppoe session like so:
/ip firewall mangle add protocol=tcp tcp-flags=syn action=change-mss new-mss=<new-size> chain=forward out-interface=<interface-name>
Change '<interface-name>' for the actual interface, e.g. 'pppoe-out1'.
Change '<new-size>' for a smaller value, start with something VERY small, like 1300 and then work your way up again until it breaks.
Cheers!
Mike.
_______________________________________________ Public mailing list Public@talk.mikrotik.com.au http://talk.mikrotik.com.au/mailman/listinfo/public_talk.mikrotik.com.au
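The '0.0.0.0' versus '0.0.0.0/0' pitfall Mike mentions, shown as an added example that is not part of the original thread: a small audit of per-user allowed addresses against a login source IP. The export text is constructed, and the `address=` property layout and the treatment of a bare address as a single host (/32) are assumptions based on Mike's description.

```python
import ipaddress
import re

# Constructed sample of a RouterOS "/user export" (not taken from the thread).
SAMPLE_EXPORT = """\
/user
add name=admin group=full address=0.0.0.0
add name=ben group=full address=192.168.88.0/24,10.0.0.5
add name=noc group=read address=0.0.0.0/0
add name=open group=full
"""

def parse_users(export_text):
    """Return {user name: [allowed networks]}; an empty list means no restriction."""
    users = {}
    for line in export_text.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        props = dict(re.findall(r"(\S+?)=(\S+)", line))
        nets = []
        for entry in filter(None, props.get("address", "").split(",")):
            # Assumption: a bare address has no prefix length, so it is one host (/32).
            nets.append(ipaddress.ip_network(entry, strict=False))
        users[props["name"]] = nets
    return users

def login_allowed(nets, source_ip):
    """True if source_ip falls inside any allowed network (or none are set)."""
    src = ipaddress.ip_address(source_ip)
    return not nets or any(src in net for net in nets)

def audit(export_text, source_ip):
    """Return {user: (allowed, warnings)} for a login attempt from source_ip."""
    report = {}
    for name, nets in parse_users(export_text).items():
        # Flag the unspecified address written as a host instead of 0.0.0.0/0.
        warnings = [f"{n} matches only the host {n.network_address}"
                    for n in nets
                    if n.prefixlen == n.max_prefixlen
                    and n.network_address.is_unspecified]
        report[name] = (login_allowed(nets, source_ip), warnings)
    return report

if __name__ == "__main__":
    for user, (ok, warns) in audit(SAMPLE_EXPORT, "192.168.88.20").items():
        print(user, "allowed" if ok else "rejected", warns)
```

A user flagged here would be refused from every LAN address, which from the client side looks the same as a wrong password.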