
The Mikrotik RouterOS config, tips and tricks thread


Comments

  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    If you just plugged it in to another modem or router, it means you did not set it up right. Whatever port forward rules you add on this Mikrotik will mean nothing as you will be double Natting (routing to a new subnet twice). Consoles will find the ports they open are blocked by the modem. It will work, but it will only work for connections originating from inside your lan, any connections coming from the internet will be dropped by the gateway modem/router as it will not know what to do with them.

    You need to bridge the modem and add PPPoE to the Mikrotik.

    My eircom router/modem was in bridge mode when I connected it to the Mikrotik ether1. I reviewed the online guide for initial configuration and it did not mention PPPoE so I did not add it as things appeared to be working. I will look into adding PPPoE.

    What about my query on caching?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    My eircom router/modem was in bridge mode when I connected it to the Mikrotik ether1. I reviewed the online guide for initial configuration and it did not mention PPPoE so I did not add it as things appeared to be working. I will look into adding PPPoE.

    PPPoE is the protocol being used to get your public IP on the Eircom modem; you need to add it on the Mikrotik so it gets your public IP, not the Eircom modem.
    eddiem74 wrote: »
    What about my query on caching?

    Caching what? To cache web pages you'll need a PC and a lot of configuring and transparent redirecting, it's probably not worth the hassle. Enable the DNS cache to cache DNS requests so regular domains are not looked up each time, but returned from the router. Also, make sure the DHCP server is giving out the router's IP address as DNS in its leases.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    PPPoE is the protocol being used to get your public IP on the Eircom modem; you need to add it on the Mikrotik so it gets your public IP, not the Eircom modem.



    Caching what? To cache web pages you'll need a PC and a lot of configuring and transparent redirecting, it's probably not worth the hassle. Enable the DNS cache to cache DNS requests so regular domains are not looked up each time, but returned from the router. Also, make sure the DHCP server is giving out the router's IP address as DNS in its leases.

    Thanks again for your time and patience Smee, I really appreciate it! :)

    Added PPPoE, was not sure about DNS Cache? When I checked IP->DNS it looked like caching was happening? :o Also is there a test I can do to confirm double NAT is not happening?

    Here's my current config from using 'export compact'; does it look ok? Where should I look to improve things now? :confused:
    # oct/13/2013 10:03:32 by RouterOS 6.4
    # software id = CCB8-P1HX
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
    /interface wireless
    set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=MikroTik-BE8E01
    /interface ethernet
    set 0 name=ether1-gateway
    set 1 name=ether2-master-local
    set 2 master-port=ether2-master-local name=ether3-slave-local
    set 3 master-port=ether2-master-local name=ether4-slave-local
    set 4 master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1484 max-mtu=1484 name=eircom-pppoe-out1 password=broadband1 use-peer-dns=yes user=eircom@eircom.net
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=REMOVED wpa2-pre-shared-key=REMOVED
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=wlan1 network=192.168.88.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid disabled=no interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=eircom-pppoe-out1 to-addresses=0.0.0.0
    /ip service
    set api disabled=yes
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    That looks good. To test you don't have double NAT, do "ip address print" and you should see a public IP address marked D (dynamic) assigned to the eircom-pppoe-out1 interface (a public IP is one that doesn't start with 192.168.x.x). Also if you do a traceroute (tracert on Windows) to www.boards.ie on your PC it will show you the hops. Be sure to disable wireless and PPPoE on the Eircom modem.

    The DNS cache is enabled and DHCP is giving out the router IP as DNS.
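A small script for the double-NAT test described above (an added example, not from the thread or MikroTik): it parses constructed `/ip address print` output of the same shape as the one posted later and checks that the WAN interface holds a dynamic (D) address outside the private ranges. It goes slightly beyond smee's "not 192.168.x.x" rule by also treating the other RFC 1918 blocks and the carrier-grade NAT range as non-public; the interface names and sample addresses are assumptions.

```python
import ipaddress

# Constructed samples shaped like RouterOS "/ip address print" output.
# 203.0.113.45 is a documentation-range placeholder standing in for a real
# public address; the second sample is what you see when the modem is still
# routing and hands ether1 a private address via DHCP; the third shows a
# PPPoE session that came up behind carrier-grade NAT.
GOOD_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local
 1 D 203.0.113.45/32    203.0.113.1     eircom-pppoe-out1
"""

DOUBLE_NAT_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0   ;;; default configuration
     192.168.88.1/24    192.168.88.0    bridge-local
 1 D 192.168.1.64/24    192.168.1.0     ether1-gateway
"""

CGNAT_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         INTERFACE
 0 D 100.64.7.9/32      100.64.0.1      eircom-pppoe-out1
"""

# Ranges that mean an upstream device is still doing NAT for us: RFC 1918 plus
# the carrier-grade NAT block (RFC 6598), which a "not 192.168.x.x" check misses.
NON_PUBLIC = [
    ipaddress.ip_network("10.0.0.0/8"),
    ipaddress.ip_network("172.16.0.0/12"),
    ipaddress.ip_network("192.168.0.0/16"),
    ipaddress.ip_network("100.64.0.0/10"),
]


def parse_address_print(text):
    """Turn '/ip address print' text into a list of dicts.

    Handles the two-line form RouterOS uses for entries with a comment: the
    ';;;' line carries the index and flags, the following line the fields.
    """
    entries = []
    pending_flags = ""
    for line in text.splitlines():
        tokens = line.split()
        if not tokens or tokens[0] in ("Flags:", "#"):
            continue  # legend line and column header
        if ";;;" in tokens:
            # comment line: remember its flags for the field line that follows
            pending_flags = "".join(tokens[1:tokens.index(";;;")])
            continue
        addr_pos = next((i for i, t in enumerate(tokens) if "/" in t), None)
        if addr_pos is None or len(tokens) < addr_pos + 3:
            continue  # not an address row
        flags = "".join(tokens[1:addr_pos]) if addr_pos > 0 else pending_flags
        pending_flags = ""
        entries.append({
            "flags": flags,
            "address": ipaddress.ip_interface(tokens[addr_pos]),
            "network": tokens[addr_pos + 1],
            "interface": tokens[addr_pos + 2],
        })
    return entries


def check_double_nat(text, wan_interface):
    """Return (ok, reason): ok only when wan_interface holds a dynamically
    learned address that is outside the private and CGNAT ranges."""
    for entry in parse_address_print(text):
        if entry["interface"] != wan_interface:
            continue
        ip = entry["address"].ip
        if "D" not in entry["flags"]:
            return False, f"{wan_interface} address is static, not learned from the session"
        if any(ip in net for net in NON_PUBLIC):
            return False, f"{wan_interface} got non-public {ip}: an upstream device is still NATing"
        return True, f"{wan_interface} holds public {ip}"
    return False, f"no address on {wan_interface}: PPPoE session is not up"


if __name__ == "__main__":
    for label, sample, wan in (("bridged modem", GOOD_OUTPUT, "eircom-pppoe-out1"),
                               ("modem still routing", DOUBLE_NAT_OUTPUT, "ether1-gateway"),
                               ("behind CGNAT", CGNAT_OUTPUT, "eircom-pppoe-out1")):
        ok, why = check_double_nat(sample, wan)
        print(f"{label}: {'OK' if ok else 'DOUBLE NAT?'} - {why}")
```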


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Handy that you posted your config, it will work perfectly for anyone with Eircom once they bridge their modem. Only thing they'd need to edit is the wireless SSID, security key, set their desired channel and set a router password.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    That looks good. To test you don't have double NAT, do "ip address print" and you should see a public IP address marked D (dynamic) assigned to the eircom-pppoe-out1 interface (a public IP is one that doesn't start with 192.168.x.x). Also if you do a traceroute (tracert on Windows) to www.boards.ie on your PC it will show you the hops. Be sure to disable wireless and PPPoE on the Eircom modem.

    The DNS cache is enabled and DHCP is giving out the router IP as DNS.

    I think we are good?
    [admin@MikroTik] > ip address print
    Flags: X - disabled, I - invalid, D - dynamic 
     #   ADDRESS            NETWORK         INTERFACE                                
     0   ;;; default configuration
         192.168.88.1/24    192.168.88.0    wlan1                                    
     1 D 95.45.108.211/32   95.45.108.1     eircom-pppoe-out
    



  • Closed Accounts Posts: 552 ✭✭✭smee again


    Spotted a mistake, you have 192.168.88.1/24 applied to wlan1, it should be bridge-local (which is wlan1 and the lan ports 2-5)


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    Handy that you posted your config, it will work perfectly for anyone with Eircom once they bridge their modem. Only thing they'd need to edit is the wireless SSID, security key, set their desired channel and set a router password.

    Actually I think there was an error in that: incoming traffic was working but I could not connect to the internet. It seems I needed to disable the DHCP client for ether1; now all seems good.

    Should I now consider setting up UPnP?

    Updated Config.
    # oct/13/2013 11:54:11 by RouterOS 6.4
    # software id = CCB8-P1HX
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local \
        protocol-mode=rstp
    /interface wireless
    set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=\
        indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=\
        ap-bridge ssid=MikroTik-BE8E01
    /interface ethernet
    set 0 name=ether1-gateway
    set 1 name=ether2-master-local
    set 2 master-port=ether2-master-local name=ether3-slave-local
    set 3 master-port=ether2-master-local name=ether4-slave-local
    set 4 master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1484 \
        max-mtu=1484 name=eircom-pppoe-out1 password=broadband1 use-peer-dns=yes \
        user=eircom@eircom.net
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=\
        dynamic-keys wpa-pre-shared-key=REMOVED wpa2-pre-shared-key=REMOVED
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m \
        mac-cookie-timeout=3d
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=wlan1 \
        network=192.168.88.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid interface=\
        ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=\
        192.168.88.1 gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=\
        ether1-gateway
    add chain=forward comment="default configuration" connection-state=\
        established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" \
        connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" \
        out-interface=eircom-pppoe-out1 to-addresses=0.0.0.0
    /ip service
    set api disabled=yes
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    Spotted a mistake, you have 192.168.88.1/24 applied to wlan1, it should be bridge-local (which is wlan1 and the lan ports 2-5)

    Thanks, updated config:
    # oct/13/2013 12:03:12 by RouterOS 6.4
    # software id = CCB8-P1HX
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
    /interface wireless
    set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=MikroTik-BE8E01
    /interface ethernet
    set 0 name=ether1-gateway
    set 1 name=ether2-master-local
    set 2 master-port=ether2-master-local name=ether3-slave-local
    set 3 master-port=ether2-master-local name=ether4-slave-local
    set 4 master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1484 max-mtu=1484 name=eircom-pppoe-out1 password=broadband1 use-peer-dns=yes user=eircom@eircom.net
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=REMOVED wpa2-pre-shared-key=REMOVED
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=eircom-pppoe-out1 to-addresses=0.0.0.0
    /ip service
    set api disabled=yes
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    smee again wrote: »
    You may need to enable uPnP (plug and play) to get the best use of the PS3 (and Skype, uTorrent etc), they will then open their own ports in the firewall

    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=ether1-gateway type=external
    

    If you are using PPPoE change the external interface above to the PPPoE interface

    Updated config after adding UPnP:
    # oct/13/2013 12:36:30 by RouterOS 6.4
    # software id = CCB8-P1HX
    #
    /interface bridge
    add admin-mac=D4:CA:6D:BE:8D:FD auto-mac=no l2mtu=1598 name=bridge-local protocol-mode=rstp
    /interface wireless
    set 0 band=2ghz-b/g/n channel-width=20/40mhz-ht-above disabled=no distance=indoors frequency=2427 ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 mode=ap-bridge ssid=MikroTik-BE8E01
    /interface ethernet
    set 0 name=ether1-gateway
    set 1 name=ether2-master-local
    set 2 master-port=ether2-master-local name=ether3-slave-local
    set 3 master-port=ether2-master-local name=ether4-slave-local
    set 4 master-port=ether2-master-local name=ether5-slave-local
    /interface pppoe-client
    add add-default-route=yes disabled=no interface=ether1-gateway max-mru=1484 max-mtu=1484 name=eircom-pppoe-out1 password=broadband1 use-peer-dns=yes user=eircom@eircom.net
    /ip neighbor discovery
    set wlan1 discover=no
    /interface wireless security-profiles
    set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk mode=dynamic-keys wpa-pre-shared-key=REMOVED wpa2-pre-shared-key=REMOVED
    /ip hotspot user profile
    set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
    /ip pool
    add name=default-dhcp ranges=192.168.88.10-192.168.88.254
    /ip dhcp-server
    add address-pool=default-dhcp disabled=no interface=bridge-local name=default
    /system logging action
    set 0 memory-lines=100
    set 1 disk-lines-per-file=100
    /interface bridge port
    add bridge=bridge-local interface=ether2-master-local
    add bridge=bridge-local interface=wlan1
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=bridge-local network=192.168.88.0
    /ip dhcp-client
    add comment="default configuration" dhcp-options=hostname,clientid interface=ether1-gateway
    /ip dhcp-server network
    add address=192.168.88.0/24 comment="default configuration" dns-server=192.168.88.1 gateway=192.168.88.1
    /ip dns
    set allow-remote-requests=yes
    /ip dns static
    add address=192.168.88.1 name=router
    /ip firewall filter
    add chain=input comment="default configuration" protocol=icmp
    add chain=input comment="default configuration" connection-state=established
    add chain=input comment="default configuration" connection-state=related
    add action=drop chain=input comment="default configuration" in-interface=ether1-gateway
    add chain=forward comment="default configuration" connection-state=established
    add chain=forward comment="default configuration" connection-state=related
    add action=drop chain=forward comment="default configuration" connection-state=invalid
    /ip firewall nat
    add action=masquerade chain=srcnat comment="default configuration" out-interface=eircom-pppoe-out1 to-addresses=0.0.0.0
    /ip service
    set api disabled=yes
    /ip upnp
    set allow-disable-external-interface=no enabled=yes show-dummy-rule=no
    /ip upnp interfaces
    add interface=bridge-local type=internal
    add interface=eircom-pppoe-out1 type=external
    /system clock
    set time-zone-name=Europe/Dublin
    /system leds
    set 0 interface=wlan1
    /tool mac-server
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    /tool mac-server mac-winbox
    set [ find default=yes ] disabled=yes
    add interface=ether2-master-local
    add interface=ether3-slave-local
    add interface=ether4-slave-local
    add interface=ether5-slave-local
    add interface=wlan1
    add interface=bridge-local
    

    Why not have the dummy rule and allow disable external interface = Yes?
    [admin@MikroTik] ip upnp> print
                             enabled: yes
    allow-disable-external-interface: yes
                     show-dummy-rule: yes
    [admin@MikroTik] ip upnp>
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Why not have the dummy rule and allow disable external interface = Yes?


    http://wiki.mikrotik.com/wiki/Manual:IP/UPnP


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    I have an HP PSC 1510 All In One printer beside the Mikrotik which I normally connect to a laptop via USB cable to print. I am just wondering would plugging the printer USB into the USB slot on the Mikrotik allow me to then share the printer around the home network, or is that not supported?

    Let me know, thanks!


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    I have an HP PSC 1510 All In One printer beside the Mikrotik which I normally connect to a laptop via USB cable to print. I am just wondering would plugging the printer USB into the USB slot on the Mikrotik allow me to then share the printer around the home network, or is that not supported?

    Let me know, thanks!

    Best Google that one


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Agueroooo wrote: »
    I forked out some serious money on an Asus AC66U, but as I said I wish I had seen this thread first, but what's done is done.

    I could do with a wifi repeater somewhere on the landing to increase coverage upstairs. Would it be overkill to buy one of these to use just as a repeater for my Asus?
    And would it be difficult to config?

    I bought a second one of these purely as an access point (better than a repeater - because it has a wire to it). It was easy to get the wifi working. However my wired points on it aren't set up correctly yet.


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Difficulty setting up VPN. I tried to follow the instructions in this thread but am failing.

    Setup VPN pool
    /ip pool
    add name=VPN-POOL ranges=192.168.88.90-192.168.88.99
    
    Add New User
    /ppp secret
    add name=New_USER password=password1 service=pptp
    
    Turn on PPTP server
    /interface pptp-server
    add name=pptp-in1 user=""
    /interface pptp-server server
    set enabled=yes max-mru=1460 max-mtu=1460
    
    Set profile to assign IPs from pool and add it to the bridge
    ...lost at this point - simply copying the code into the terminal doesn't work
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Have you tried manually creating it in Winbox using the commands as a guide? RouterOS has had many updates since that was posted; it may be slightly different now.


  • Registered Users Posts: 2,932 ✭✭✭Sniipe


    Hi Smee_again, I tried to do it manually using winbox, but I'm failing... I will try and do a quick youtube vid of my process and post it here (when I get a time between juggling 2 babies :) ) By the way thanks for your help so far.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    RouterOS v6.5 just released.

    http://www.mikrotik.com/download


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    RouterOS v6.5 just released.

    http://www.mikrotik.com/download

    Yeah, got the email yesterday. Fixes the annoying Winbox bug in 6.4 where settings open as read-only on first open.


  • Registered Users Posts: 927 ✭✭✭lotas


    Question: I have an RB1100 setup as my main router (main internet connections in here) and a RB951(insert random letters that don't make a lot of sense in here) as my Wifi box... I have managed to set the RB951* up as just an AP, but when doing so, I lost the ability to manage it using anything, including WinBox... Any ideas?

    Also, as a related question, is 6.x stable enough to upgrade to now?


  • Closed Accounts Posts: 552 ✭✭✭smee again


    lotas wrote: »
    Question: I have an RB1100 setup as my main router (main internet connections in here) and a RB951(insert random letters that don't make a lot of sense in here) as my Wifi box... I have managed to set the RB951* up as just an AP, but when doing so, I lost the ability to manage it using anything, including WinBox... Any ideas?

    Assign an IP address to the ethernet port or bridge interface so you can manage it. You will always be able to get in on layer 2 telnet (by MAC address). Run Winbox and click the [...] button and it will find your routerboard by its MAC address; click on the MAC address and you're in. This is handy to know if you ever lock yourself out of the router by applying an incorrect firewall rule. IP is layer 3, the network layer.
    lotas wrote: »
    Also, as a related question, is 6.x stable enough to upgrade to now?

    It's been stable for ages, wireless performance is miles better


  • Registered Users Posts: 927 ✭✭✭lotas


    smee again wrote: »
    Assign an IP address to the ethernet port or bridge interface so you can manage it. You will always be able to get in on layer 2 telnet (by MAC address). Run Winbox and click the [...] button and it will find your routerboard by its MAC address; click on the MAC address and you're in. This is handy to know if you ever lock yourself out of the router by applying an incorrect firewall rule. IP is layer 3, the network layer.
    Thanks for the tip, but that second method is not working... will try to assign a static IP and see if that works... just have to reset the box again...
    smee again wrote: »
    It's been stable for ages, wireless performance is miles better
    Cool... will chance upgrading the 951 first, then the 1100...


  • Closed Accounts Posts: 552 ✭✭✭smee again


    lotas wrote: »
    Thanks for the tip, but that second method is not working... will try to assign a static IP and see if that works... just have to reset the box again...

    Try directly connected to a LAN port; you'll need to assign a static IP and gateway, it won't matter what they are.


  • Closed Accounts Posts: 552 ✭✭✭smee again


    I added two firewall redirects to force all DNS requests on port 53 to the router's DNS cache. This is needed if you are using OpenDNS adult content filtering, as setting a static DNS on the device to any public DNS is an easy way around the content filtering.
    /ip firewall nat
    add action=redirect chain=dstnat comment="redirect dns" dst-port=53 protocol=tcp to-ports=53
    add action=redirect chain=dstnat dst-port=53 protocol=udp to-ports=53
    


  • Closed Accounts Posts: 552 ✭✭✭smee again


    Sniipe wrote: »
    Difficulty setting up VPN. I tried to follow the instructions in this thread but am failing.

    Right, I just figured this out so I'll share. There are a few things missing from what was posted earlier in the thread. My router is 192.168.80.1; change the subnet below to suit your own router.

    You need a pool of addresses and a single local address.
    I used 192.168.80.90 as local and set the pool to 192.168.80.91-192.168.80.99, which is outside the DHCP pool and not used as static. I'm using the profile default-encryption, which may be already created but not set (this may be the difficulty you were having, Sniipe). Set the DNS server as the router's IP.
    /ip pool
    add name=VPN-Pool ranges=192.168.80.91-192.168.80.99
    /ppp profile
    add name="default-encryption" local-address=192.168.80.90 remote-address=VPN-Pool use-mpls=default use-compression=default use-vj-compression=default use-encryption=yes only-one=default change-tcp-mss=yes address-list="" dns-server=192.168.80.1


    Next you enable the server and add the interface
    /interface pptp-server server
    set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
    /interface pptp-server
    add disabled=no name=pptp-vpn-server user=""


    Then all that you need to do is create users
    /ppp secret
    add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser1 password=vpnpass1 profile=default-encryption routes="" service=pptp
    add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser2 password=vpnpass2 profile=default-encryption routes="" service=pptp
    add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=vpnuser3 password=vpnpass3 profile=default-encryption routes="" service=pptp


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    eddiem74 wrote: »
    I have an HP PSC 1510 All In One printer beside the Mikrotik which I normally connect to a laptop via USB cable to print. I am just wondering would plugging the printer USB into the USB slot on the Mikrotik allow me to then share the printer around the home network, or is that not supported?

    Let me know, thanks!
    smee again wrote: »
    Best Google that one

    So I asked over on the MikroTik RouterOS forum and was told the RB951G-2HND does not support printers. :(

    I was looking at the manual for my Zyxel Eircom F1000 and on page 181 it states you can connect a printer via its usb port for sharing over the network.

    Given my Eircom router is now in bridge mode and I am using the RB951G-2HND as my main router is there any way I can take advantage of the Eircom USB printer sharing option still or? :confused:


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    So I asked over on the MikroTik RouterOS forum and was told the RB951G-2HND does not support printers. :(

    I was looking at the manual for my Zyxel Eircom F1000 and on page 181 it states you can connect a printer via its usb port for sharing over the network.

    Given my Eircom router is now in bridge mode and I am using the RB951G-2HND as my main router is there any way I can take advantage of the Eircom USB printer sharing option still or? :confused:

    Not if it's a bridge and being tunneled through (PPPoE is a layer 2 tunnel) it is not routable to on your network. That modem manual is very vague about print server, you sure it would work? Also, the disadvantage of setting a print server is that the scanner will not work unless directly connected to a pc.


  • Registered Users Posts: 2,027 ✭✭✭eddiem74


    Noticed this in my logs this morning.

    [attached screenshot of the router log]

    From a Google of the IP address it looks like a spammer from China?

    Anything I should do about it? :confused:


  • Closed Accounts Posts: 552 ✭✭✭smee again


    eddiem74 wrote: »
    Noticed this in my logs this morning.

    [attached screenshot of the router log]

    From a Google of the IP address it looks like a spammer from China?

    Anything I should do about it? :confused:

    Yeah, it's just random spambots trying to log in to your SSH server; you see this once you have SSH enabled on the router. I have a few rules added to my config which make a nice honeypot to tackle this.
    /ip firewall filter
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    The 1st line logs IPs trying to remote desktop.
    The 2nd line logs IPs trying to log in to the router over FTP, SSH or Telnet (ports 20-23).
    The next few lines will prevent SSH brute force: the IP will be added to an address list in 3 stages and then added to an SSH blacklist and blocked for 10 days on the fourth failed attempt.
    The last line is the rule that allows SSH.

    You will see the IPs build up in /ip firewall address-list. It's not my work; it's from here: http://wiki.mikrotik.com/wiki/Bruteforce_login_prevention

    Here is a full export of my firewall filters; there are some very important drop invalid, allow established connections and accept lan rules in there.
    /ip firewall filter
    add chain=input comment="allow icmp" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
    add chain=input comment="allow ssh" dst-port=22 protocol=tcp
    add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
    add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add chain=input in-interface=ether1-gateway protocol=gre
    add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
    add chain=forward comment="allow already established connections" connection-state=established
    add chain=forward comment="allow related connections" connection-state=related
    add action=drop chain=input comment="drop invalid connections" connection-state=invalid
    add chain=input comment="allow established connections" connection-state=established
    add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
    add action=drop chain=input comment="drop everything else"
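    An added example (my own Python model, not from the post or the MikroTik wiki) of how the staged SSH rules above behave when evaluated top-down like the input chain: the rule order is what advances a source exactly one stage per new connection, stage entries drop out after their 1m timeout so attempts spaced further apart restart at stage 1, and the stage3 rule as posted has no address-list-timeout, which RouterOS treats as a permanent entry. The 198.51.100.7 source and the second offsets are constructed test values.

```python
from typing import Dict, List, Optional, Tuple

STAGE_TIMEOUT = 60                # address-list-timeout=1m
BLACKLIST_TIMEOUT = 10 * 86400    # address-list-timeout=1w3d
PERMANENT: Optional[int] = None   # no timeout given: entry never expires


class AddressLists:
    """Model of /ip firewall address-list: (list name, ip) -> expiry time."""

    def __init__(self) -> None:
        self.entries: Dict[Tuple[str, str], Optional[int]] = {}

    def contains(self, name: str, ip: str, now: int) -> bool:
        key = (name, ip)
        if key not in self.entries:
            return False
        expiry = self.entries[key]
        if expiry is not None and expiry <= now:
            del self.entries[key]          # dynamic entry timed out
            return False
        return True

    def add(self, name: str, ip: str, now: int, timeout: Optional[int]) -> None:
        self.entries[(name, ip)] = None if timeout is None else now + timeout


# (src-address-list to match, list to add to, timeout), in the posted order.
# "" matches any source; a None target is the terminating drop rule.
RULES = [
    ("ssh_blacklist", None, None),                      # drop ssh brute forcers
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TIMEOUT),
    ("ssh_stage2", "ssh_stage3", PERMANENT),            # stage3 has no timeout in the export
    ("ssh_stage1", "ssh_stage2", STAGE_TIMEOUT),
    ("", "ssh_stage1", STAGE_TIMEOUT),
]


def new_ssh_connection(lists: AddressLists, ip: str, now: int) -> str:
    """One new TCP/22 connection through the chain; returns 'drop' or 'accept'."""
    for match, target, timeout in RULES:
        if match and not lists.contains(match, ip, now):
            continue
        if target is None:
            return "drop"                       # drop terminates the chain
        lists.add(target, ip, now, timeout)     # add-src-to-address-list passes through
    return "accept"                             # reached the "allow ssh" rule


def simulate(times: List[int]) -> List[str]:
    """Verdicts for one constructed source IP connecting at the given second offsets."""
    lists = AddressLists()
    return [new_ssh_connection(lists, "198.51.100.7", t) for t in times]
```

Four quick connections reach the blacklist and the fifth is dropped, while connections more than a minute apart never get past stage 1; a source that once reached the untimed stage3 is blacklisted on its next connection however long it waits.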


  • Registered Users Posts: 9,605 ✭✭✭gctest50


    eddiem74 wrote: »
    Noticed this in my logs this morning.

    [attached image: 277253.JPG]

    From a google of the IP address looks like a spammer from China?

    Anything I should do about it. :confused:


    Change the port the board uses for SSH to reduce the attempts a little bit.



