
The Mikrotik RouterOS config, tips and tricks thread


Comments

  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    Here are my current ports (I believe, sorry still learning):
    [admin@MikroTik] /ip firewall> service print
    Flags: X - disabled, I - invalid 
     #   NAME                                                                 PORTS
     0   ftp                                                                  21   
     1   tftp                                                                 69   
     2   irc                                                                  6667 
     3   h323                                                                
     4   sip                                                                  5060 
                                                                              5061 
     5   pptp                                                                
    

    After adding some of Smee's rules to my firewall:
    [admin@MikroTik] /ip firewall> filter print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   ;;; default configuration
         chain=input action=accept protocol=icmp 
    
     1   ;;; default configuration
         chain=input action=accept connection-state=established 
    
     2   ;;; default configuration
         chain=input action=accept connection-state=related 
    
     3   ;;; default configuration
         chain=input action=drop in-interface=ether1-gateway 
    
     4   ;;; default configuration
         chain=forward action=accept connection-state=established 
    
     5   ;;; default configuration
         chain=forward action=accept connection-state=related 
    
     6   ;;; default configuration
         chain=forward action=drop connection-state=invalid 
    
     7   ;;; list IP's who try remote login
         chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23 
    
     8   ;;; drop ssh brute forcers
         chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
    
     9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 
    
    10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22 
    
    11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 
    
    12   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
    
    13   ;;; allow ssh
         chain=input action=accept protocol=tcp dst-port=22
    

    Look ok?


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    I am also seeing a lot of this in the logs for 1 Android Phone:

    11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
    11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:19:00 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:19:00 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
    11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
    11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:26:49 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:26:49 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10

    Is this normal?
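Added example, not part of the original post: a Python tally of the wireless and DHCP log lines above, so that "is this normal" can be answered with numbers rather than by scrolling. The lines inside SAMPLE_LOG are copied from the post; the parser and the per-client summary are constructed for this example and are not RouterOS code. It groups events by client MAC, counts each disconnect reason and the deauth frames the AP sent to that MAC, and measures how many seconds the client was off the air between a disconnect and the next connect. A single MAC in the output means the flapping is confined to one client (the weak-signal case discussed later in the thread), and that MAC's signal strength in the wireless registration table is the next thing to check; many MACs dropping in the same minute would point at the access point or the channel instead.

```python
"""Tally wireless association flaps per client from RouterOS log lines.

Constructed example: the parser is not RouterOS code.  SAMPLE_LOG is copied from the
post above.  RouterOS prints only a time of day on these lines, so the gaps are
measured within a single day (a gap across midnight is taken modulo 24 h).
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:19:00 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:19:00 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:26:49 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:26:49 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
"""

MAC = r"([0-9A-Fa-f]{2}(?::[0-9A-Fa-f]{2}){5})"
LINE = re.compile(r"^(\d\d):(\d\d):(\d\d) (\S+) (.*)$")          # time, topics, message
DISCONNECTED = re.compile(rf"^{MAC}@(\S+): disconnected, (.+)$")
CONNECTED = re.compile(rf"^{MAC}@(\S+): connected$")
DEAUTH = re.compile(rf"^(\S+): data from unknown device {MAC}, sent deauth$")
DHCP = re.compile(rf"^\S+ (?:assigned|deassigned) \S+ (?:to|from) {MAC}$")

def _new_client():
    return {"disconnects": defaultdict(int), "deauths": 0, "connects": 0,
            "gaps_s": [], "dhcp_events": 0, "interfaces": set()}

def summarize(log_text):
    """Per client MAC: disconnect reasons, deauths the AP sent, connects, DHCP churn,
    and seconds off the air between each disconnect and the following connect."""
    clients = defaultdict(_new_client)
    off_air = {}                         # mac -> time of a disconnect awaiting a connect
    for raw in log_text.splitlines():
        m = LINE.match(raw.strip())
        if not m:
            continue
        t, topics, msg = int(m[1]) * 3600 + int(m[2]) * 60 + int(m[3]), m[4], m[5]
        if topics.startswith("wireless"):
            if d := DISCONNECTED.match(msg):
                mac, iface, reason = d[1].upper(), d[2], d[3]
                clients[mac]["disconnects"][reason] += 1
                clients[mac]["interfaces"].add(iface)
                off_air[mac] = t
            elif d := CONNECTED.match(msg):
                mac, iface = d[1].upper(), d[2]
                clients[mac]["connects"] += 1
                clients[mac]["interfaces"].add(iface)
                if mac in off_air:       # % 86400 keeps a gap across midnight positive
                    clients[mac]["gaps_s"].append((t - off_air.pop(mac)) % 86400)
            elif d := DEAUTH.match(msg):
                clients[d[2].upper()]["deauths"] += 1
        elif topics.startswith("dhcp") and (d := DHCP.match(msg)):
            clients[d[1].upper()]["dhcp_events"] += 1
    return {mac: {**c, "disconnects": dict(c["disconnects"]), "interfaces": sorted(c["interfaces"])}
            for mac, c in clients.items()}

def noisiest(summary):
    """MAC with the most disconnects: the client to look up in the registration table."""
    return max(summary, key=lambda mac: sum(summary[mac]["disconnects"].values()))

if __name__ == "__main__":
    print(summarize(SAMPLE_LOG), "\ncheck signal for:", noisiest(summarize(SAMPLE_LOG)))
```

Paste the relevant lines from /log print into SAMPLE_LOG (or read them from a file) to run it against your own router; the regexes only cover the four message shapes shown in the post, so other wireless messages are skipped rather than miscounted.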


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    Are you using WPA2 on the wifi ?


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    gctest50 wrote: »
    Are you using WPA2 on the wifi ?

    Yes, both WPA and WPA2 are checked per the user manual.

    http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Security_profile

    Although reading it again I now see password should be different for both keys and I think I configured them possibly the same. Could that be the issue?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Here are my current ports (I believe, sorry still learning):
    [admin@MikroTik] /ip firewall> service print
    Flags: X - disabled, I - invalid 
     #   NAME                                                                 PORTS
     0   ftp                                                                  21   
     1   tftp                                                                 69   
     2   irc                                                                  6667 
     3   h323                                                                
     4   sip                                                                  5060 
                                                                              5061 
     5   pptp                                                                
    
    After adding some of Smee's rules to my firewall:
    [admin@MikroTik] /ip firewall> filter print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   ;;; default configuration
         chain=input action=accept protocol=icmp 
    
     1   ;;; default configuration
         chain=input action=accept connection-state=established 
    
     2   ;;; default configuration
         chain=input action=accept connection-state=related 
    
     3   ;;; default configuration
         chain=input action=drop in-interface=ether1-gateway 
    
     4   ;;; default configuration
         chain=forward action=accept connection-state=established 
    
     5   ;;; default configuration
         chain=forward action=accept connection-state=related 
    
     6   ;;; default configuration
         chain=forward action=drop connection-state=invalid 
    
     7   ;;; list IP's who try remote login
         chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23 
    
     8   ;;; drop ssh brute forcers
         chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
    
     9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 
    
    10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22 
    
    11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 
    
    12   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
    
    13   ;;; allow ssh
         chain=input action=accept protocol=tcp dst-port=22
    
    Look ok?

    Move your ssh rules 7-13 up the list to no 1, no 6 should be your very last rule, it's the explicit drop everything else rule


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    I am also seeing a lot of this in the logs for 1 Android Phone:

    11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
    11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:19:00 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:19:00 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
    11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
    11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
    11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
    11:26:49 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
    11:26:49 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10

    Is this normal?

    Yes, it's normal, I get this too. Devices with a weak signal will drop off or be kicked and then reconnect. This will happen more for phones as you carry them in your pocket. You can check the signal under wireless registration, it's in dB so lower is better, a -60 is better than -80.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    Move your ssh rules 7-13 up the list to no 1, no 6 should be your very last rule, it's the explicit drop everything else rule

    Ok thanks, so like this?
    [admin@MikroTik] /ip firewall> filter print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   ;;; default configuration
         chain=input action=accept protocol=icmp 
    
     1   ;;; list IP's who try remote login
         chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23 
    
     2   ;;; drop ssh brute forcers
         chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
    
     3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 
    
     4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22 
    
     5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 
    
     6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
    
     7   ;;; allow ssh
         chain=input action=accept protocol=tcp dst-port=22 
    
     8   ;;; default configuration
         chain=input action=accept connection-state=established 
    
     9   ;;; default configuration
         chain=input action=accept connection-state=related 
    
    10   ;;; default configuration
         chain=input action=drop in-interface=ether1-gateway 
    
    11   ;;; default configuration
         chain=forward action=accept connection-state=established 
    
    12   ;;; default configuration
         chain=forward action=accept connection-state=related 
    
    13   ;;; default configuration
         chain=forward action=drop connection-state=invalid
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Ok thanks, so like this?


    Yep, that's it


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    Also when I rebooted the router I noticed this in the logs:

    jan/02/1970 00:00:09 system,info router rebooted
    jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: initializing...
    jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: dialing...
    jan/02/1970 00:00:17 interface,info ether3-slave-local link up (speed 1000M, full duplex)
    jan/02/1970 00:00:18 interface,info ether1-gateway link up (speed 1000M, full duplex)
    jan/02/1970 00:00:18 interface,info ether2-master-local link up (speed 10M, half duplex)
    jan/02/1970 00:00:18 interface,info ether4-slave-local link up (speed 1000M, full duplex)

    Is half duplex correct?

    And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Although if you are using PPPoE rule 10 is wrong, it should be set to drop invalid connections to the PPPoE interface


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    Although if you are using PPPoE rule 10 is wrong, it should be set to drop invalid connections to the PPPoE interface

    Updated, thanks again. :)
    [admin@MikroTik] /ip firewall> filter print
    Flags: X - disabled, I - invalid, D - dynamic 
     0   ;;; default configuration
         chain=input action=accept protocol=icmp 
    
     1   ;;; list IP's who try remote login
         chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23 
    
     2   ;;; drop ssh brute forcers
         chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22 
    
     3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22 
    
     4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22 
    
     5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22 
    
     6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22 
    
     7   ;;; allow ssh
         chain=input action=accept protocol=tcp dst-port=22 
    
     8   ;;; default configuration
         chain=input action=accept connection-state=established 
    
     9   ;;; default configuration
         chain=input action=accept connection-state=related 
    
    10   ;;; default configuration
         chain=input action=drop in-interface=eircom-pppoe-out1 
    
    11   ;;; default configuration
         chain=forward action=accept connection-state=established 
    
    12   ;;; default configuration
         chain=forward action=accept connection-state=related 
    
    13   ;;; default configuration
         chain=forward action=drop connection-state=invalid
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Also when I rebooted the router I noticed this in the logs:

    jan/02/1970 00:00:09 system,info router rebooted
    jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: initializing...
    jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: dialing...
    jan/02/1970 00:00:17 interface,info ether3-slave-local link up (speed 1000M, full duplex)
    jan/02/1970 00:00:18 interface,info ether1-gateway link up (speed 1000M, full duplex)
    jan/02/1970 00:00:18 interface,info ether2-master-local link up (speed 10M, half duplex)
    jan/02/1970 00:00:18 interface,info ether4-slave-local link up (speed 1000M, full duplex)

    Is half duplex correct?

    Yes, but it usually negotiates with what you have connected to it, it may not go into full duplex until whatever it's connected to is turned on. Either that or the device it's connected to is forcing half duplex. Double check with "interface ethernet monitor 2"

    eddiem74 wrote: »
    And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:

    Yes, set NTP (network time protocol)
    /system ntp client
    set enabled=yes mode=unicast primary-ntp=134.226.81.3


  • Registered Users Posts: 927 ✭✭✭lotas


    Morning all.

    Anyone have any experience running MikroTik RouterOS on non-RouterBoard hardware? I have an older Intel Core 2 Quad machine with 3GB of RAM and 2 dual GigE Intel cards... I am thinking of replacing my RB1100 with this machine, since it's got a lot more power, and given I already have 470Mbit/s into the house, the more processor power, the better, right? The RB1100 is a lot slower (1GHz PPC proc), has less memory (currently 1GB, which I upgraded) and less storage (32GB MicroSD, vs the 250GB HDD in the Intel box).

    Am i mad?

    Thanks.


  • Registered Users Posts: 416 ✭✭gouche


    lotas wrote: »
    Morning all.

    Anyone have any experience running MikroTik RouterOS on non-RouterBoard hardware? I have an older Intel Core 2 Quad machine with 3GB of RAM and 2 dual GigE Intel cards... I am thinking of replacing my RB1100 with this machine, since it's got a lot more power, and given I already have 470Mbit/s into the house, the more processor power, the better, right? The RB1100 is a lot slower (1GHz PPC proc), has less memory (currently 1GB, which I upgraded) and less storage (32GB MicroSD, vs the 250GB HDD in the Intel box).

    Am i mad?

    Thanks.

    We have a couple of x86 machines running RouterOS to terminate PPPoE sessions.
    Works really well once set up which can be a bit of a headache.
    We have it installed on a removable USB.

    Check out this page for a list of compatible hardware.


  • Registered Users Posts: 927 ✭✭✭lotas


    Thanks man... I managed to install 6.5 on the machine and it found the Intel cards... It seems to be running ok but no production data going though it yet... will run some tests on it over the next few days..

    You mentioned that you have it on a removable USB key... MikroTik say the license is linked to the drive... If you take that drive out and stick it in a different box, does it work? Do you have a backup of that disk, just in case?

    Thanks.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    Here is a full export of my firewall filters, there are some very important drop invalid, allow established connections and accept lan rules in there
    add chain=input comment="allow icmp" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add chain=input in-interface=ether1-gateway protocol=gre
    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
    add chain=forward comment="allow already established connections" connection-state=established
    add chain=forward comment="allow related connections" connection-state=related
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add chain=input comment="allow established connections" connection-state=established
    add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
    add action=drop chain=input comment="drop everything else"

    I have updated my router to include some more of your firewall entries, see below. I have highlighted above the entries I have not included, and I have highlighted below, in my config, the entries I have that you don't, which I am sure is fine.

    I was unsure if the PPPoE entry was correct having a drop action? :confused:
    /ip firewall filter
    add chain=input comment="allow icmp" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
    add chain=forward comment="allow already established connections" connection-state=established
    add chain=forward comment="allow related connections" connection-state=related
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add chain=input comment="allow already established connections" connection-state=established
    add chain=input comment=" allow related connections " connection-state=related


  • Closed Accounts Posts: 552 ✭✭✭smee again


    add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add chain=input in-interface=ether1-gateway protocol=gre
    First is a block FTP rule, disabled=yes means it's disabled
    The next two are to allow VPN on port 1723, VPN uses TCP and the Gre protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
    add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
    add action=drop chain=input comment="drop everything else"
    The first is just a rule that allows all traffic from the LAN. You'll notice it's !ether1-gateway; ! means everything but, i.e. every interface that's not ether1-gateway, all the other interfaces. This makes the hairpin NAT rule more important if you are trying to get to web services with your public IP from the LAN.
    The second and last rule is just a drop everything else rule that catches everything not covered in the rules above. It needs to be the last rule. It may not be even necessary as a firewall will naturally drop any packets not covered by the rules but adding it will give statistics of what's dropped.
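Added example, not code from the thread or from MikroTik: a Python simulation of the rule list in the last export above, walked top to bottom the way RouterOS walks a chain (the first accept or drop wins, a packet that matches no rule is accepted, add-src-to-address-list is non-terminating, and address-list-timeout=0s never expires). It exercises both the staged ssh_stage1..ssh_stage3 rules posted earlier in the thread and the ordering advice in this post; the packets, source addresses and clock are constructed. Three things fall out of it. A burst of new SSH connections from one address lands in ssh_blacklist on the 4th connection inside a minute and is dropped from the 5th on, while one connection every 90 s never gets past ssh_stage1 because the 1m timeouts expire first, so the ladder catches bursts, not patient guessing. The allow winbox rule carries no in-interface or src-address matcher, so TCP 8291 is accepted from the PPPoE interface as well. And in the last export the drop in-interface=eircom-pppoe-out1 rule sits above the input chain's established/related accepts, so the reply to a connection the router itself opened (its NTP client, for instance) is dropped; the stock default order printed at the top of the page has established/related before that drop, and the established_first helper restores it.

```python
# First-match walk of the firewall filter rules exported in this thread.
# Constructed simulation, not MikroTik code and not code posted in the thread.  It keeps
# only the matchers the posted rules use, with RouterOS semantics: rules are tried top to
# bottom, the first accept/drop wins, a packet matching no rule is accepted,
# add-src-to-address-list is non-terminating, and a timeout of 0s never expires.
from collections import namedtuple
from dataclasses import dataclass
from typing import Optional

WAN = "eircom-pppoe-out1"            # PPPoE interface named in the thread
DAY = 86400
SSH = range(22, 23)
Packet = namedtuple("Packet", "chain src protocol dst_port in_interface conn_state t")

@dataclass
class Rule:
    chain: str
    action: str = "accept"               # RouterOS default action
    protocol: Optional[str] = None
    dst_port: Optional[range] = None
    in_interface: Optional[str] = None   # "!name" = every interface except name
    conn_state: Optional[str] = None
    src_list: Optional[str] = None
    add_to_list: Optional[str] = None
    timeout: Optional[int] = None        # seconds; None = permanent (0s)

def list_has(lists, name, addr, now):
    """Dynamic entries expire: a timed-out entry counts as absent (now is >= 0)."""
    exp = lists.get((name, addr), -1)    # None = permanent, -1 = absent
    if exp is not None and exp <= now:
        lists.pop((name, addr), None)
        return False
    return True

def matches(r, p, lists):
    if r.chain != p.chain or (r.protocol and r.protocol != p.protocol):
        return False
    if r.dst_port is not None and p.dst_port not in r.dst_port:
        return False
    if r.in_interface:                   # "!x" matches every interface except x
        if (p.in_interface == r.in_interface.lstrip("!")) == r.in_interface.startswith("!"):
            return False
    if r.conn_state and r.conn_state != p.conn_state:
        return False
    return not r.src_list or list_has(lists, r.src_list, p.src, p.t)

def evaluate(rules, p, lists):
    """Walk the rules top to bottom; the first terminating action decides."""
    for r in rules:
        if not matches(r, p, lists):
            continue
        if r.action == "add-src-to-address-list":          # non-terminating
            lists[(r.add_to_list, p.src)] = None if r.timeout is None else p.t + r.timeout
            continue
        return r.action
    return "accept"                                         # no rule matched

def ssh_new(**kw):                       # new ssh connection -> add source to a list
    return Rule("input", "add-src-to-address-list", "tcp", SSH, conn_state="new", **kw)

# The last export in the thread, in the posted order.
RULES = [
    Rule("input", protocol="icmp"),                                     # allow icmp
    Rule("input", protocol="tcp", dst_port=range(8291, 8292)),          # allow winbox
    Rule("input", "add-src-to-address-list", "tcp", range(3389, 3390),
         add_to_list="trying_to_rdp", timeout=DAY),
    Rule("input", "add-src-to-address-list", "tcp", range(20, 24),
         add_to_list="trying_to_login", timeout=DAY),
    Rule("input", "drop", "tcp", SSH, src_list="ssh_blacklist"),        # drop ssh brute forcers
    ssh_new(src_list="ssh_stage3", add_to_list="ssh_blacklist", timeout=10 * DAY),
    ssh_new(src_list="ssh_stage2", add_to_list="ssh_stage3"),           # no timeout: permanent
    ssh_new(src_list="ssh_stage1", add_to_list="ssh_stage2", timeout=60),
    ssh_new(add_to_list="ssh_stage1", timeout=60),
    Rule("input", protocol="tcp", dst_port=SSH),                        # allow ssh
    Rule("input", "drop", in_interface=WAN),                            # "default configuration"
    Rule("forward", "drop", conn_state="invalid"),
    Rule("forward", conn_state="established"),
    Rule("forward", conn_state="related"),
    Rule("input", "drop", conn_state="invalid"),
    Rule("input", conn_state="established"),
    Rule("input", conn_state="related"),
]

def ssh_attempts(src, times, rules=RULES):
    """Verdict for each NEW ssh connection from src arriving on the WAN at the given times."""
    lists = {}
    return [evaluate(rules, Packet("input", src, "tcp", 22, WAN, "new", t), lists) for t in times]

def verdict(rules=RULES, **pkt):
    return evaluate(rules, Packet(**pkt), {})

def established_first(rules):
    """Hardened order: input established/related accepts moved above the WAN drop,
    which is where the stock default configuration at the top of the thread keeps them."""
    keep = [r for r in rules if r.chain == "input" and r.conn_state in ("established", "related")]
    rest = [r for r in rules if r not in keep]
    i = next(i for i, r in enumerate(rest) if r.action == "drop" and r.in_interface == WAN)
    return rest[:i] + keep + rest[i:]

if __name__ == "__main__":
    print(ssh_attempts("203.0.113.5", [0, 10, 20, 30, 40]), ssh_attempts("203.0.113.5", [0, 90, 180, 270, 360]))
    ntp = dict(chain="input", src="134.226.81.3", protocol="udp", dst_port=51000, in_interface=WAN, conn_state="established", t=0)
    print("NTP reply, posted order / established first:", verdict(**ntp), verdict(established_first(RULES), **ntp))
```

Run it as a script to see the verdicts; edit RULES to mirror your own /ip firewall filter export before trusting it for anything else. It knows nothing about the nat or mangle tables or about the connection tracker's own timeouts, so it answers ordering questions, not throughput or NAT ones.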


  • Registered Users Posts: 416 ✭✭gouche


    lotas wrote: »
    Thanks man... I managed to install 6.5 on the machine and it found the Intel cards... It seems to be running ok but no production data going though it yet... will run some tests on it over the next few days..

    You mentioned that you have it on a removable USB key... MikroTik say the license is linked to the drive... If you take that drive out and stick it in a different box, does it work? Do you have a backup of that disk, just in case?

    Thanks.

    Yes it will work in a different box.
    One of the reasons we installed it on a USB is for just this - makes it easily transferable.
    Also, if the key fails, it's easier to send to MikroTik to save the license than sending a hard drive.

    We take backups of the config nightly in case anything happens.
    If the proverbial hits the fan we can drop the config onto another USB or even an 1100.


  • Registered Users Posts: 927 ✭✭✭lotas


    gouche wrote: »
    Yes it will work in a different box.
    One of the reasons we installed it on a USB is for just this - makes it easily transferable.
    Also, if the key fails, it's easier to send to MikroTik to save the license than sending a hard drive.

    We take backups of the config nightly in case anything happens.
    If the proverbial hits the fan we can drop the config onto another USB or even an 1100.

    Cool... just wondering though: if you take an image of the USB contents, like with dd on Linux, can transferring the contents over work? I was planning on backing up the config nightly anyway, but to have a backup of the OS would be handy too... Will look into getting the machine to boot from a USB key... think it's possible, might even have some internal ports... also handy to know about future upgrades... just bring the key and license and you're golden!

    Thanks!


  • Registered Users Posts: 927 ✭✭✭lotas


    So, I have done some tests... not scientific, I may add, but tests nonetheless... Downloading through a server I have access to in France, I was getting somewhere like 180Mbit/s on the RB1100... with the Core 2 Quad (a 6600 I think), I am managing to get 220Mbit/s... I have 2 200Mb lines and a 70Mb line, but it seems that only one of the 200Mb lines is being used (have a setting incorrectly set...). Anyway, that's a big difference compared to the RB1100...

    Don't get me wrong, the 1100 is an epic router, but if you have that amount of bandwidth, a high-end desktop/server machine may be better... more tests to be completed over the weekend...


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?


  • Registered Users Posts: 416 ✭✭gouche


    lotas wrote: »
    So, I have done some tests... not scientific, I may add, but tests nonetheless... Downloading through a server I have access to in France, I was getting somewhere like 180Mbit/s on the RB1100... with the Core 2 Quad (a 6600 I think), I am managing to get 220Mbit/s... I have 2 200Mb lines and a 70Mb line, but it seems that only one of the 200Mb lines is being used (have a setting incorrectly set...). Anyway, that's a big difference compared to the RB1100...

    Don't get me wrong, the 1100 is an epic router, but if you have that amount of bandwidth, a high-end desktop/server machine may be better... more tests to be completed over the weekend...

    Is it just the regular 1100's you have?
    You could try an 1100AHx2, or maybe a Cloud Core Router.

    We swapped out one or two of our core routers (1100AH) with CCR's and noticed a huge difference.
    CPU usage went from 70-80% down to less than 5%!
    The CCR is an absolute beast of a router for the price!


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add chain=input in-interface=ether1-gateway protocol=gre
    First is a block FTP rule, disabled=yes means it's disabled
    The next two are to allow VPN on port 1723, VPN uses TCP and the Gre protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation

    So the block FTP rule is just there in case you want to completely block FTP, so you enable it then right?

    Also, I use VPN for work at home, which seems to have been working ok, but I just had a read of the documentation again and seen this:
    The following ports must be open on your ISP, router and firewall to create a successful VPN connection.

    Work with your ISP (internet service provider) to verify and ensure the ports below are open:

    Packet filters for Point-to-Point Tunneling Protocol (PPTP)
    • TCP destination port of 1723 = PPTP tunnel maintenance traffic
    • IP Protocol ID of 47 = PPTP tunneled data
    Packet filters for Layer Two Tunneling Protocol over Internet Protocol security (L2TP/IPSec)
    • UDP destination port of 500 = Internet Key Exchange (IKE) traffic
    • UDP destination port of 1701 = allows L2TP traffic
    • UDP destination port of 4500 = IPSec network address translator traversal (NAT-T) traffic

    What entries should I add as a result to the firewall as I am using PPPoE? Same as what you have above or?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    So the block FTP rule is just there in case you want to completely block FTP, so you enable it then right?

    Also, I use VPN for work at home, which seems to have been working ok, but I just had a read of the documentation again and seen this:



    What entries should I add as a result to the firewall as I am using PPPoE? Same as what you have above or?

    The FTP rule is there because i once had it blocked, but not now.

    The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.

    I think you do not fully understand how a firewall works: it is only concerned with filtering packets coming into the router on the WAN interface (in your case a PPPoE interface). Any connections which originate on the router or inside the LAN will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat); therefore you do not need to add rules for outgoing, only incoming.


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?

    Anyone? I see IrishWireless are out of stock atm.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Anyone? I see IrishWireless are out of stock atm.

    http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html

    Standard shipping is usually 4-5 days; you can pay more and get it quicker.


  • Registered Users Posts: 2,928 ✭✭✭VenomIreland


    smee again wrote: »
    http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html

    Standard shipping is usually 4-5 days; you can pay more and get it quicker.

    Thanks man, gonna place the order now.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    The FTP rule is there because I once had it blocked, but not now.

    The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.

    I think you do not fully understand how a firewall works: it is only concerned with filtering packets coming into the router on the WAN interface (in your case a PPPoE interface). Any connections which originate on the router or inside the LAN will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat); therefore you do not need to add rules for outgoing, only incoming.

    Thanks, yes I am not a network guy so my understanding is limited. :o

    When I had set my rules this way:
    /ip firewall filter
    add chain=input comment="allow icmp" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
    add chain=forward comment="allow already established connections" connection-state=established
    add chain=forward comment="allow related connections" connection-state=related
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add chain=input comment="allow already established connections" connection-state=established
    add chain=input comment=" allow related connections " connection-state=related

    Wireless stopped working...so I had to move the input rules for established and related connections up like this, then it started working again.
    /ip firewall filter
    add chain=input comment="allow icmp" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add chain=input comment="allow already established connections" connection-state=established
    add chain=input comment=" allow related connections " connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1

    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
    add chain=forward comment="allow already established connections" connection-state=established
    add chain=forward comment="allow related connections" connection-state=related


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Thanks, yes I am not a network guy so my understanding is limited. :o

    When I had set my rules this way:



    Wireless stopped working...so I had to move the input rules for established and related connections up like this, then it started working again.

    I suggest you leave it alone unless you know what you're doing. You only need the 3 or 4 that came in the default config, changed to suit your PPPoE interface. All the rest are just bells and whistles; the firewall will always drop packets it's not sure of.
    /ip firewall filter
    add chain=input action=accept protocol=icmp comment="default configuration"
    add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
    add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
    add chain=input action=drop in-interface=ether1-gateway comment="default configuration"

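
A small first-match simulator of the RouterOS input chain, added here as an illustration and not posted by anyone in the thread. It replays a trimmed subset of eddiem74's rules in both orderings to show why the "drop in-interface=<wan>" rule must sit below the established/related accepts; the packets and the helper names are constructed for the example.

```python
# Added example (not from the thread): first-match evaluation of RouterOS
# "/ip firewall filter" input rules, using rule lines copied from the posts
# above. Packets are constructed dicts; this is a model, not RouterOS itself.
import re

def parse_rules(export):
    """Turn 'add key=value ...' lines from a RouterOS export into dicts."""
    rules = []
    for line in export.strip().splitlines():
        if not line.strip().startswith("add "):
            continue
        # key=value pairs; values may be quoted, e.g. comment="allow icmp"
        pairs = re.findall(r'(\S+?)=("[^"]*"|\S+)', line)
        rules.append({k: v.strip('"') for k, v in pairs})
    return rules

def evaluate(rules, pkt, chain="input"):
    """Action of the first rule in `chain` whose matchers all fit `pkt`.
    RouterOS accepts a packet that matches no rule in the chain."""
    for rule in rules:
        if rule.get("chain") != chain:
            continue
        matchers = {k: v for k, v in rule.items()
                    if k not in ("chain", "action", "comment")}
        if all(pkt.get(k) == v for k, v in matchers.items()):
            return rule.get("action", "accept")
    return "accept"

# Ordering from the "wireless stopped working" export: drop comes first.
BROKEN = """
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment="allow related connections" connection-state=related
"""
# Ordering that worked: established/related are accepted before the drop.
WORKING = """
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment="allow related connections" connection-state=related
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
"""
# Constructed: reply to a connection the router itself opened (e.g. its own
# DNS lookup), arriving on the PPPoE interface and tracked as established.
REPLY = {"in-interface": "eircom-pppoe-out1", "protocol": "udp",
         "connection-state": "established"}
# Constructed: unsolicited new connection from the internet to the router.
UNSOLICITED = {"in-interface": "eircom-pppoe-out1", "protocol": "tcp",
               "connection-state": "new", "dst-port": "23"}
```

With the drop rule first, the router's own return traffic on the WAN side is dropped; with the default ordering only new unsolicited connections are, which is the behaviour smee again describes.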

  • Registered Users Posts: 6 Mattie112


    Hi,

    I just got the RB2011UAS-2HnD and I really really like the great tips and tricks given here!

    However I have a few problems:

    1. I can't get Hairpin NAT to work
    2. I can't get port 8080 to forward to my server (other ports work, just 8080 does not)

    NAT output:
    [admin@MikroTik] > ip firewall nat print
    Flags: X - disabled, I - invalid, D - dynamic
     0 X ;;; default configuration
         chain=srcnat action=masquerade out-interface=sfp1-gateway
    
     1   ;;; default configuration
         chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
    
     2   ;;; Hairpin NAT rule
         chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.250
    
     3   ;;; SERV: FTP
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21
    
     4   ;;; SERV: HTTP
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80
    
     5   ;;; SERV: DNS
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=53 protocol=tcp in-interface=ether1-gateway dst-port=53
    
     6   ;;; SERV: HTTPS
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=443 protocol=tcp in-interface=ether1-gateway dst-port=443
    
     7   ;;; SERV: MySQL
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3306 protocol=tcp in-interface=ether1-gateway dst-port=3306
    
     8   ;;; SERV: RDP
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3389 protocol=tcp in-interface=ether1-gateway dst-port=3389
    
     9   ;;; SERV: McMyAdmin 'main'
         chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=8080 protocol=tcp in-interface=ether1-gateway dst-port=8080
    

    Firewall Filter rules:
    [admin@MikroTik] > ip firewall filter print
    Flags: X - disabled, I - invalid, D - dynamic
     0   ;;; default configuration
         chain=input action=accept protocol=icmp
    
     1   ;;; default configuration
         chain=input action=accept connection-state=established
    
     2   ;;; default configuration
         chain=input action=accept connection-state=related
    
     3   chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=3333
    
     4   ;;; default configuration
         chain=input action=drop in-interface=sfp1-gateway
    
     5   ;;; default configuration
         chain=input action=drop in-interface=ether1-gateway
    
     6   ;;; default configuration
         chain=forward action=accept connection-state=established
    
     7   ;;; default configuration
         chain=forward action=accept connection-state=related
    
     8   ;;; default configuration
         chain=forward action=drop connection-state=invalid
    

    Router IP: 192.168.1.1
    Server IP: 192.168.1.250

    Any other tips are appreciated!

