The Mikrotik RouterOS config, tips and tricks thread
Comments
Why not have the dummy rule and allow disable external interface = Yes?
http://wiki.mikrotik.com/wiki/Manual:IP/UPnP
I have an HP PSC 1510 All In One printer beside the Mikrotik which I normally connect to a laptop via USB cable to print. I am just wondering would plugging the printer USB into the USB slot on the Mikrotik allow me to then share the printer around the home network, or is that not supported?
Let me know, thanks!
Best Google that one
I forked out some serious money on an Asus AC66U, but as I said I wish I had seen this thread first, but what's done is done.
I could do with a wifi repeater somewhere on the landing to increase coverage upstairs. Would it be overkill to buy one of these to use just as a repeater for my Asus?
And would it be difficult to config?
I bought a second one of these purely as an access point (better than a repeater - because it has a wire to it). It was easy to get the wifi working. However my wired points on it aren't set up correctly yet.
Difficulty setting up VPN. I tried to follow the instructions in this thread but am failing.
Setup VPN pool
/ip pool add name=VPN-POOL ranges=192.168.88.90-192.168.88.99
Add New User
/ppp secret add name=New_USER password=password1 service=pptp
Turn on PPTP server
/interface pptp-server add name=pptp-in1 user=""
/interface pptp-server server set enabled=yes max-mru=1460 max-mtu=1460
Set profile to assign IP's from pool and add it to the bridge... lost at this point - simply copying the code into the terminal doesn't work
Have you tried manually creating it in winbox using the commands as a guide? RouterOS has had many updates since that was posted, may be slightly different now
Hi Smee_again, I tried to do it manually using winbox, but I'm failing... I will try and do a quick youtube vid of my process and post it here (when I get time between juggling 2 babies). By the way thanks for your help so far.
Yeah, got the email yesterday. Fixes the annoying Winbox bug in 6.4 where setting open as read only on first open.
Question: I have an RB1100 setup as my main router (main internet connections in here) and a RB951(insert random letters that dont make a lot of sense in here) as my Wifi box... I have managed to set the RB951* up as just an AP, but when doing so, i lost the ability to manage it using anything, including WinBox... Any ideas?
Also, as a related question, is 6.x stable enough to upgrade to now?
Question: I have an RB1100 setup as my main router (main internet connections in here) and a RB951(insert random letters that dont make a lot of sense in here) as my Wifi box... I have managed to set the RB951* up as just an AP, but when doing so, i lost the ability to manage it using anything, including WinBox... Any ideas?
Assign an IP address to the ethernet port or bridge interface so you can manage it. You will always be able to get in on layer 2 telnet (by mac address). Run Winbox and click the [...] button and it will find your routerboard by its mac address, click on the mac address and you're in. This is handy to know if you ever lock yourself out of the router by applying an incorrect firewall rule, IP is layer 3, the network layer.
Also, as a related question, is 6.x stable enough to upgrade to now?
It's been stable for ages, wireless performance is miles better
I added two firewall redirects to force all DNS requests on port 53 to the router's DNS cache. This is needed if you are using OpenDNS adult content filtering, as setting a static DNS on the device to any public DNS is an easy way around the content filtering.
/ip firewall nat
add action=redirect chain=dstnat comment="redirect dns" dst-port=53 protocol=tcp to-ports=53
add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
Difficulty setting up VPN. I tried to follow the instructions in this thread but am failing.
Right, I just figured this out so I'll share. There are a few things missing from what was posted earlier in the thread. My router is 192.168.80.1, change the subnet below to suit your own router.
You need a pool of addresses and a single local address.
I used 192.168.80.90 as local and set the pool to 192.168.80.91-192.168.80.99, which is outside the DHCP pool and not used as static. I'm using the profile default-encryption, which may be already created but not set (this may be the difficulty you were having snipe). Set the DNS server as the router's IP.
/ip pool
add name=VPN-Pool ranges=192.168.80.91-192.168.80.99
/ppp profile
add name="default-encryption" local-address=192.168.80.90 remote-address=VPN-Pool use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes address-list="" dns-server=192.168.80.1
Next you enable the server and add the interface.
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface pptp-server
add disabled=no name=pptp-vpn-server user=""
Then all that you need to do is create users.
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser1 password=vpnpass1 profile=default-encryption routes="" service=pptp
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser2 password=vpnpass2 profile=default-encryption routes="" service=pptp
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser3 password=vpnpass3 profile=default-encryption routes="" service=pptp
I have HP PSC 1510 All In One printer beside the Mikrotik which I normally connect to a laptop via USB cable to print. I am just wondering would plugging the printer USB into the USB slot on the Mikrotik allow me to then share the printer around the home network or is that not supported?
Let me know, thanks!
smee again wrote: »Best Google that one
So I asked over on the MikroTik RouterOS forum and was told the RB951G-2HND does not support printers.
I was looking at the manual for my Zyxel Eircom F1000 and on page 181 it states you can connect a printer via its usb port for sharing over the network.
Given my Eircom router is now in bridge mode and I am using the RB951G-2HND as my main router is there any way I can take advantage of the Eircom USB printer sharing option still or?
Not if it's a bridge and being tunneled through (PPPoE is a layer 2 tunnel) it is not routable to on your network. That modem manual is very vague about print server, you sure it would work? Also, the disadvantage of setting a print server is that the scanner will not work unless directly connected to a pc.
Noticed this in my logs this morning.
From a google of the IP address looks like a spammer from China?
Anything I should do about it?
Yeah, it's just random spambots trying to login to your ssh server, you see this once you have ssh enabled on the router. I have a few rules added to my config which makes a nice honeypot to tackle this.
/ip firewall filter
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
2nd line logs IPs trying to login to the router over FTP, SSH or Telnet (ports 20-23)
The next few lines will prevent SSH brute force, the IP will be added to an address list on 3 stages and then added to an SSH blacklist and blocked for 10 days on the fourth failed attempt.
The last line is the rule that allows SSH
You will see the IP's build up in /ip firewall address-list. It's not my work, it's from here http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
Here is a full export of my firewall filters, there are some very important drop invalid, allow established connections and accept lan rules in there
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow established connections" connection-state=established
add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
add action=drop chain=input comment="drop everything else"
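Added example (not MikroTik code and not from the thread): a small Python model of the input chain above that walks rules first-match with RouterOS-style address lists and timeouts. It shows how the ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist escalation plays out over time, that the ssh_stage3 rule in this export has no timeout (the filter print later shows 0s, so a late fourth connection still blacklists), and why rule order decides whether the rules work at all (the point raised later in the thread about moving the SSH rules above the default WAN drop rule). Assumptions: an address already on a list keeps its existing expiry rather than being refreshed, and the source address 203.0.113.7 is constructed.

```python
import re
from dataclasses import dataclass
from typing import Optional


def parse_timeout(s: Optional[str]) -> float:
    """RouterOS timeout ('1m', '1w3d', '0s') in seconds; missing or 0s = permanent (inf)."""
    units = {"w": 7 * 86400, "d": 86400, "h": 3600, "m": 60, "s": 1}
    total = sum(int(n) * units[u] for n, u in re.findall(r"(\d+)([wdhms])", s or ""))
    return float("inf") if total == 0 else float(total)


@dataclass
class Rule:
    action: str = "accept"  # accept | drop | add-src-to-address-list
    protocol: Optional[str] = None
    dst_port: Optional[int] = None
    connection_state: Optional[str] = None
    in_interface: Optional[str] = None
    src_address_list: Optional[str] = None
    address_list: Optional[str] = None
    address_list_timeout: Optional[str] = None


@dataclass
class Packet:
    src: str
    protocol: str = "tcp"
    dst_port: int = 22
    connection_state: str = "new"
    in_interface: str = "ether1-gateway"


class InputChain:
    def __init__(self, rules: list[Rule]) -> None:
        self.rules = rules
        self.lists: dict[str, dict[str, float]] = {}  # list name -> {ip: expiry}

    def in_list(self, name: str, ip: str, now: float) -> bool:
        return self.lists.get(name, {}).get(ip, 0.0) > now

    def _matches(self, r: Rule, p: Packet, now: float) -> bool:
        if r.protocol and r.protocol != p.protocol:
            return False
        if r.dst_port is not None and r.dst_port != p.dst_port:
            return False
        if r.connection_state and r.connection_state != p.connection_state:
            return False
        if r.in_interface and r.in_interface != p.in_interface:
            return False
        if r.src_address_list and not self.in_list(r.src_address_list, p.src, now):
            return False
        return True

    def process(self, p: Packet, now: float) -> str:
        """First match wins for accept/drop; add-src-to-address-list is a pass-through
        action, so evaluation continues. Assumption: an address already on a list
        keeps its existing expiry rather than being refreshed."""
        for r in self.rules:
            if not self._matches(r, p, now):
                continue
            if r.action == "add-src-to-address-list":
                if not self.in_list(r.address_list, p.src, now):
                    entries = self.lists.setdefault(r.address_list, {})
                    entries[p.src] = now + parse_timeout(r.address_list_timeout)
                continue
            return r.action
        return "accept"  # nothing matched: RouterOS default is accept


def staged_ssh_rules() -> list[Rule]:
    """The SSH rules from the export above, in that order. The ssh_stage3 rule has
    no address-list-timeout (the filter print shows 0s), so it is permanent."""
    add = "add-src-to-address-list"
    return [
        Rule("drop", "tcp", 22, src_address_list="ssh_blacklist"),  # drop ssh brute forcers
        Rule(add, "tcp", 22, "new", src_address_list="ssh_stage3",
             address_list="ssh_blacklist", address_list_timeout="1w3d"),
        Rule(add, "tcp", 22, "new", src_address_list="ssh_stage2", address_list="ssh_stage3"),
        Rule(add, "tcp", 22, "new", src_address_list="ssh_stage1",
             address_list="ssh_stage2", address_list_timeout="1m"),
        Rule(add, "tcp", 22, "new", address_list="ssh_stage1", address_list_timeout="1m"),
        Rule("accept", "tcp", 22),  # allow ssh
    ]


def verdicts(rules: list[Rule], times: list[float], src: str = "203.0.113.7") -> list[str]:
    """Verdict for one new WAN-side SSH connection from src (a constructed address)
    at each time in `times` (seconds), against a fresh chain."""
    chain = InputChain(rules)
    return [chain.process(Packet(src), t) for t in times]


if __name__ == "__main__":
    # 1-4 pass while climbing the stages, the 4th lands on ssh_blacklist, the 5th drops.
    print(verdicts(staged_ssh_rules(), [0, 1, 2, 3, 4]))
    # stage1/stage2 expire after 1m, stage3 never does: a late 4th still blacklists.
    print(verdicts(staged_ssh_rules(), [0, 1, 2, 100, 101]))
    # The default "drop in-interface=ether1-gateway" rule placed above the SSH rules
    # drops every WAN SSH packet before the staging rules run (the ordering point).
    wan_drop = Rule("drop", in_interface="ether1-gateway")
    print(verdicts([wan_drop] + staged_ssh_rules(), [0, 1]))
```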
Here is my current ports (I believe, sorry still learning):
[admin@MikroTik] /ip firewall> service print
Flags: X - disabled, I - invalid
 #   NAME   PORTS
 0   ftp    21
 1   tftp   69
 2   irc    6667
 3   h323
 4   sip    5060 5061
 5   pptp
After adding some of Smee's rules to my firewall:
[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
 4   ;;; default configuration
     chain=forward action=accept connection-state=established
 5   ;;; default configuration
     chain=forward action=accept connection-state=related
 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid
 7   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 8   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
12   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
13   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22
Look ok?
I am also seeing a lot of this in the logs for 1 Android Phone:
11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:19:00 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:19:00 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:26:49 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:26:49 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
Is this normal?
Are you using WPA2 on the wifi?
Yes, both WPA and WPA2 are checked per the user manual.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Security_profile
Although reading it again I now see password should be different for both keys and I think I configured them possibly the same. Could that be the issue?
Look ok?
Move your ssh rules 7-13 up the list to no 1, no 6 should be your very last rule, it's the explicit drop everything else rule
Is this normal?
Yes, it's normal, I get this too. Devices with a weak signal will drop off or be kicked and then reconnect. This will happen more for phones as you carry them in your pocket. You can check the signal under wireless registration, it's in dB so lower is better, a -60 is better than -80.
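Added example (not from the thread): a small Python parser for the RouterOS wireless log lines shown above. It groups, per client MAC, the disconnect reasons, the number of "sent deauth" lines and the seconds from each disconnect to the next "connected" line, which is what you would check before deciding the churn is just a weak signal. The sample log embeds lines from the post above; the regexes assume the exact log format shown there and the dhcp lines are ignored on purpose.

```python
import re
from collections import Counter, defaultdict

# Lines as pasted in the post above (a subset, same format).
SAMPLE_LOG = """\
11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
"""

TIME = r"(?P<t>\d\d:\d\d:\d\d)"
MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
DISCONNECT = re.compile(rf"^{TIME} wireless,info {MAC}@(?P<iface>\S+): disconnected, (?P<reason>.+)$")
CONNECT = re.compile(rf"^{TIME} wireless,info {MAC}@(?P<iface>\S+): connected$")
DEAUTH = re.compile(rf"^{TIME} wireless,info (?P<iface>\S+): data from unknown device {MAC}, sent deauth$")


def _secs(hms: str) -> int:
    """'HH:MM:SS' to seconds since midnight (the short RouterOS log format has no date)."""
    h, m, s = (int(x) for x in hms.split(":"))
    return h * 3600 + m * 60 + s


def summarise(log: str) -> dict:
    """Per client MAC: disconnect reasons, deauth count, and seconds from each
    disconnect to the next 'connected' line for that MAC."""
    reasons = defaultdict(Counter)
    deauths = Counter()
    gaps = defaultdict(list)
    pending = {}  # mac -> time of the last disconnect not yet followed by a connect
    for line in log.splitlines():
        if m := DISCONNECT.match(line):
            reasons[m["mac"]][m["reason"]] += 1
            pending[m["mac"]] = _secs(m["t"])
        elif m := CONNECT.match(line):
            if m["mac"] in pending:
                gaps[m["mac"]].append(_secs(m["t"]) - pending.pop(m["mac"]))
        elif m := DEAUTH.match(line):
            deauths[m["mac"]] += 1
    return {mac: {"reasons": dict(reasons[mac]), "deauths": deauths[mac],
                  "reconnect_secs": gaps[mac]} for mac in set(reasons) | set(deauths)}


if __name__ == "__main__":
    for mac, info in summarise(SAMPLE_LOG).items():
        print(mac, info)
```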
smee again wrote: »Move your ssh rules 7-13 up the list to no 1, no 6 should be your very last rule, it's the explicit drop everything else rule
Ok thanks, so like this?
[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 2   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
 6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
 7   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22
 8   ;;; default configuration
     chain=input action=accept connection-state=established
 9   ;;; default configuration
     chain=input action=accept connection-state=related
10   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
11   ;;; default configuration
     chain=forward action=accept connection-state=established
12   ;;; default configuration
     chain=forward action=accept connection-state=related
13   ;;; default configuration
     chain=forward action=drop connection-state=invalid
Also when I rebooted the router I noticed this in the logs:
jan/02/1970 00:00:09 system,info router rebooted
jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: initializing...
jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: dialing...
jan/02/1970 00:00:17 interface,info ether3-slave-local link up (speed 1000M, full duplex)
jan/02/1970 00:00:18 interface,info ether1-gateway link up (speed 1000M, full duplex)
jan/02/1970 00:00:18 interface,info ether2-master-local link up (speed 10M, half duplex)
jan/02/1970 00:00:18 interface,info ether4-slave-local link up (speed 1000M, full duplex)
Is half duplex correct?
And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:
Although if you are using PPPoE rule 10 is wrong, it should be set to drop invalid connections to the PPPoE interface
smee again wrote: »Although if you are using PPPoE rule 10 is wrong, it should be set to drop invalid connections to the PPPoE interface
Updated, thanks again.
[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 2   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
 6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
 7   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22
 8   ;;; default configuration
     chain=input action=accept connection-state=established
 9   ;;; default configuration
     chain=input action=accept connection-state=related
10   ;;; default configuration
     chain=input action=drop in-interface=eircom-pppoe-out1
11   ;;; default configuration
     chain=forward action=accept connection-state=established
12   ;;; default configuration
     chain=forward action=accept connection-state=related
13   ;;; default configuration
     chain=forward action=drop connection-state=invalid
Is half duplex correct?
Yes, but it usually negotiates with what you have connected to it, it may not go into full duplex until whatever it's connected to is turned on. Either that or the device it's connected to is forcing half duplex. Double check with "interface ethernet monitor 2"
And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:
Yes, set NTP (network time protocol)
/system ntp client
set enabled=yes mode=unicast primary-ntp=134.226.81.3
morning all.
Anyone have any experience running MikroTik RouterOS on non-RouterBoard hardware? I have an older Intel Core 2 Quad machine with 3GB of RAM and 2 dual GigE Intel cards... I am thinking of replacing my RB1100 with this machine, since it's got a lot more power, and given I already have 470Mbit/s into the house, the more processor power, the better, right? The RB1100 is a lot slower (1GHz PPC proc), has less memory (currently 1GB, which I upgraded) and less storage (32GB MicroSD, vs the 250GB HDD in the Intel box).
Am I mad?
Thanks.
We have a couple of x86 machines running RouterOS to terminate PPPoE sessions.
Works really well once set up which can be a bit of a headache.
We have it installed on a removable USB.
Check out this page for a list of compatible hardware.
Thanks man... I managed to install 6.5 on the machine and it found the Intel cards... It seems to be running ok but no production data going through it yet... will run some tests on it over the next few days..
You mentioned that you have it on a removable USB key... MikroTik say the license is linked to the drive... If you take that drive out and stick it in a different box, does it work? Do you have a backup of that disk, just in case?
Thanks.
smee again wrote: »Here is a full export of my firewall filters, there are some very important drop invalid, allow established connections and accept lan rules in there
I have updated my router to include some more of your firewall entries, see below. I have highlighted above entries I have not included and I have highlighted below in my config entries I have that you don't, which I am sure is fine.
I was unsure if the PPPoE entry was correct having a drop action?
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related0 -
add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
The next two are to allow VPN on port 1723, VPN uses TCP and the GRE protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
add action=drop chain=input comment="drop everything else"
The second and last rule is just a drop everything else rule that catches everything not covered in the rules above. It needs to be the last rule. It may not be even necessary as a firewall will naturally drop any packets not covered by the rules but adding it will give statistics of what's dropped.0 -
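The staged ssh_stage1/ssh_stage2/ssh_stage3/ssh_blacklist rules in the configs above are never explained in the thread, so here is an added simulator (my code, not anything posted in the thread or shipped by MikroTik) that walks one new TCP/22 packet at a time through those rules with their address-list timeouts. The list names, timeouts and rule order are the thread's; the clock, the source IP and the "wrong order" variant are constructed, and the passthrough behaviour of add-src-to-address-list is modelled as non-terminating.

```python
from dataclasses import dataclass, field

PERMANENT = None  # no address-list-timeout given => the entry never expires


@dataclass
class Rule:
    action: str                 # "accept", "drop" or "add-src-to-address-list"
    src_list: str = None        # src-address-list=... (None matches any source)
    add_list: str = None        # address-list=... for add-src-to-address-list
    timeout: float = PERMANENT  # address-list-timeout, in seconds


@dataclass
class Firewall:
    rules: list
    lists: dict = field(default_factory=dict)  # list name -> {ip: expiry time}

    def in_list(self, name, ip, now):
        expiry = self.lists.get(name, {}).get(ip, "absent")
        if expiry == "absent":
            return False
        if expiry is not PERMANENT and expiry <= now:
            del self.lists[name][ip]  # dynamic entry has timed out
            return False
        return True

    def new_ssh_connection(self, ip, now):
        """Walk the input chain for one connection-state=new TCP/22 packet."""
        for r in self.rules:
            if r.src_list is not None and not self.in_list(r.src_list, ip, now):
                continue
            if r.action == "add-src-to-address-list":
                expiry = PERMANENT if r.timeout is PERMANENT else now + r.timeout
                self.lists.setdefault(r.add_list, {})[ip] = expiry
                continue  # non-terminating action: keep walking the chain
            return r.action
        return "drop"  # nothing matched: like the "drop everything else" rule


# The thread's order: blacklist drop first, then stage3 -> stage2 -> stage1.
THREAD_ORDER = [
    Rule("drop", src_list="ssh_blacklist"),
    Rule("add-src-to-address-list", "ssh_stage3", "ssh_blacklist", 10 * 86400),  # 1w3d
    Rule("add-src-to-address-list", "ssh_stage2", "ssh_stage3"),                 # permanent
    Rule("add-src-to-address-list", "ssh_stage1", "ssh_stage2", 60),             # 1m
    Rule("add-src-to-address-list", None, "ssh_stage1", 60),                     # 1m
    Rule("accept"),
]
# Constructed counter-example: same rules, but the stage rules listed ascending.
WRONG_ORDER = [THREAD_ORDER[0]] + THREAD_ORDER[4:0:-1] + [THREAD_ORDER[5]]


def verdicts(rules, times, ip="198.51.100.7"):
    """Verdict for each new SSH connection from ip at the given times (seconds)."""
    fw = Firewall(list(rules))
    return [fw.new_ssh_connection(ip, t) for t in times]


if __name__ == "__main__":
    print(verdicts(THREAD_ORDER, [0, 1, 2, 3, 4]))        # 4 tries allowed, 5th dropped
    print(verdicts(THREAD_ORDER, [0, 90, 180, 270, 360]))  # slow tries never escalate
    print(verdicts(WRONG_ORDER, [0, 1, 2]))                # blacklisted on the first try
```

The descending order matters because every stage rule is evaluated for the same packet: listed ascending, one connection would climb all three stages and land in the blacklist at once, and the 1m timeouts are what let a legitimate user who types a wrong password a few times, slowly, stay out of it.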
Thanks man... I managed to install 6.5 on the machine and it found the Intel cards... It seems to be running ok but no production data going through it yet... will run some tests on it over the next few days..
You mentioned that you have it on a removable USB key... MikroTik say the license is linked to the drive... If you take that drive out and stick it in a different box, does it work? Do you have a backup of that disk, just in case?
Thanks.
Yes it will work in a different box.
One of the reasons we installed it on a USB is for just this - makes it easily transferable.
Also, if the key fails, it's easier to send to MikroTik to save the license than sending a hard drive.
We take backups of the config nightly in case anything happens.
If the proverbial hits the fan we can drop the config onto another USB or even an 1100.0 -
Cool... just wondering though: if you take an image of the USB contents, like with dd on linux, can transferring the contents over work? I was planning on backing up the config nightly anyway, but to have a backup of the OS would be handy too... Will look into getting the machine to boot from USB key... think it's possible, might even have some internal ports... also handy to know about future upgrades... just bring the key and license and you're golden!
Thanks!0 -
So, I have done some tests... not scientific, I may add, but tests nonetheless... Downloading through a server I have access to in France, I was getting somewhere like 180MBit/s on the RB1100... with the Core 2 Quad (a 6600 I think), I am managing to get 220MBits/s... I have 2 200Mb lines and a 70Mb line, but it seems that only one of the 200mb lines is being used (have a setting incorrectly set...). Anyway, that's a big difference compared to the RB1100...
Don't get me wrong, the 1100 is an epic router, but if you have that amount of bandwidth, a high end desktop/server machine may be better... more tests to be completed over the weekend...0 -
I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?0
-
Is it just the regular 1100's you have?
You could try an 1100AHx2, or maybe a Cloud Core Router.
We swapped out one or two of our core routers (1100AH) with CCR's and noticed a huge difference.
CPU usage went from 70-80% down to less than 5%!
The CCR is an absolute beast of a router for the price!0 -
smee again wrote: »add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
The next two are to allow VPN on port 1723, VPN uses TCP and the Gre protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
So the block FTP rule is just there in case you want to completely block FTP, so you enable it then right?
Also, I use VPN for work at home, which seems to have been working ok, but I just had a read of the documentation again and seen this:
The following ports must be open on your ISP, router and firewall to create a successful VPN connection.
Work with your ISP (internet service provider) to verify and ensure the ports below are open:
Packet filters for Point-to-Point Tunneling Protocol (PPTP)
- TCP destination port of 1723 = PPTP tunnel maintenance traffic
- IP Protocol ID of 47 = PPTP tunneled data
- UDP destination port of 500 = Internet Key Exchange (IKE) traffic
- UDP destination port of 1701 = allows L2TP traffic
- UDP destination port of 4500 = IPSec network address translator traversal (NAT-T) traffic
What entries should I add as a result to the firewall as I am using PPPoE? Same as what you have above or?0 -
The FTP rule is there because I once had it blocked, but not now.
The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.
I think you do not fully understand how a firewall works: it is only concerned with filtering packets coming into the router on the wan interface (in your case a PPPoE interface). Any connections which originate on the router or inside the lan will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat), therefore you do not need to add rules for outgoing, only incoming.0 -
VenomIreland wrote: »I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?
Anyone? I see IrishWireless are out of stock atm.0 -
VenomIreland wrote: »Anyone? I see IrishWireless are out of stock atm.
http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html
Standard shipping is usually 4-5 days, you can pay more and get it quicker0 -
smee again wrote: »http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html
Standard shipping is usually 4-5 days, you can pay more and get it quicker
Thanks man, gonna place the order now.0 -
smee again wrote: »The FTP rule is there because I once had it blocked, but not now.
The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.
I think you do not fully understand how a firewall works: it is only concerned with filtering packets coming into the router on the wan interface (in your case a PPPoE interface). Any connections which originate on the router or inside the lan will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat), therefore you do not need to add rules for outgoing, only incoming.
Thanks, yes I am not a network guy so my understanding is limited.
When I had set my rules this way:
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related
Wireless stopped working...so I had to move the input rules for established and related connections up like this, then it started working again.
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related0 -
I suggest you leave it alone unless you know what you're doing. You only need the 3 or 4 that came in the default config, change to suit your PPPoE interface. All the rest are just bells and whistles, the firewall will always drop packets it's not sure of
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"0 -
Hi,
I just got the RB2011UAS-2HnD and I really really like the great tips and tricks given here!
However I have a few problems:
1. I can't get Hairpin NAT to work
2. I can't get port 8080 to forward to my server (other ports work, just 8080 does not)
NAT output:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway
 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
 2   ;;; Hairpin NAT rule
     chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.250
 3   ;;; SERV: FTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21
 4   ;;; SERV: HTTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80
 5   ;;; SERV: DNS
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=53 protocol=tcp in-interface=ether1-gateway dst-port=53
 6   ;;; SERV: HTTPS
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=443 protocol=tcp in-interface=ether1-gateway dst-port=443
 7   ;;; SERV: MySQL
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3306 protocol=tcp in-interface=ether1-gateway dst-port=3306
 8   ;;; SERV: RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3389 protocol=tcp in-interface=ether1-gateway dst-port=3389
 9   ;;; SERV: McMyAdmin 'main'
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=8080 protocol=tcp in-interface=ether1-gateway dst-port=8080
Firewall Filter rules:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=3333
 4   ;;; default configuration
     chain=input action=drop in-interface=sfp1-gateway
 5   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
 6   ;;; default configuration
     chain=forward action=accept connection-state=established
 7   ;;; default configuration
     chain=forward action=accept connection-state=related
 8   ;;; default configuration
     chain=forward action=drop connection-state=invalid
Router IP: 192.168.1.1
Server IP: 192.168.1.250
Any other tips are appreciated!0
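Nobody answers the hairpin question in the thread, so here is an added walk-through (my code, not anything posted above or MikroTik's) of how the printed dstnat rules treat a packet arriving from the WAN versus one a LAN client sends to the router's public address. The public address, the client addresses, the LAN interface name and the extra rule are constructed; that the hairpin srcnat rule can only fire once a dstnat rule has rewritten the destination is my reading of the rules as posted.

```python
PUBLIC_IP = "203.0.113.10"   # placeholder for the address on ether1-gateway
SERVER = "192.168.1.250"     # from the thread


def in_lan(ip):
    return ip.startswith("192.168.1.")  # 192.168.1.0/24


def dstnat_rule(dst_port, in_interface=None, dst_address=None):
    return {"in_interface": in_interface, "dst_address": dst_address,
            "dst_port": dst_port, "to_address": SERVER}


# Rules 3-9 as posted: every one is limited to in-interface=ether1-gateway.
POSTED_DSTNAT = [dstnat_rule(p, in_interface="ether1-gateway")
                 for p in (20, 21, 80, 53, 443, 3306, 3389, 8080)]
# Constructed extra rule: no in-interface, matched on the public address instead,
# so a LAN client connecting to PUBLIC_IP:8080 is redirected as well.
HAIRPIN_DSTNAT = dstnat_rule(8080, dst_address=PUBLIC_IP)


def dstnat(pkt, rules):
    """Apply the dstnat chain: the first matching rule rewrites the destination."""
    for r in rules:
        if r["in_interface"] is not None and pkt["in_interface"] != r["in_interface"]:
            continue
        if r["dst_address"] is not None and pkt["dst"] != r["dst_address"]:
            continue
        if pkt["dst_port"] != r["dst_port"]:
            continue
        return {**pkt, "dst": r["to_address"]}
    return pkt


def hairpin_srcnat_matches(pkt):
    """Rule 2 as posted: src-address=192.168.1.0/24 dst-address=192.168.1.250."""
    return in_lan(pkt["src"]) and pkt["dst"] == SERVER


def trace(pkt, rules=POSTED_DSTNAT):
    """(destination after dstnat, whether the hairpin masquerade rule would fire)."""
    after = dstnat(pkt, rules)
    return after["dst"], hairpin_srcnat_matches(after)


# Constructed packets, all TCP to port 8080. "bridge-local" stands for the LAN side.
WAN_PKT = {"in_interface": "ether1-gateway", "src": "198.51.100.5", "dst": PUBLIC_IP, "dst_port": 8080}
LAN_PKT = {"in_interface": "bridge-local", "src": "192.168.1.20", "dst": PUBLIC_IP, "dst_port": 8080}
OTHER_PKT = {"in_interface": "bridge-local", "src": "192.168.1.20", "dst": "198.51.100.99", "dst_port": 8080}

if __name__ == "__main__":
    print(trace(WAN_PKT))                                      # forwarded to the server
    print(trace(LAN_PKT))                                      # untouched: hairpin never fires
    print(trace(LAN_PKT, POSTED_DSTNAT + [HAIRPIN_DSTNAT]))    # forwarded, hairpin fires
    print(trace(OTHER_PKT, POSTED_DSTNAT + [HAIRPIN_DSTNAT]))  # other destinations untouched
```

The dst-address match on the extra rule is what keeps it from hijacking every LAN connection to port 8080 anywhere on the internet; the posted rules avoid that problem only because in-interface=ether1-gateway excludes LAN traffic altogether.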