
The Mikrotik RouterOS config, tips and tricks thread


Comments

  • Kenny Powers (Registered User, 983 posts)


    Download it and drag and drop it into files in Winbox and reboot the router.

    Where do you download it from? I can't find it anywhere; it's probably staring me in the face. Do you just drop it in the root folder?


  • mass_debater (Closed Account, 3,072 posts)


    Kenny Powers wrote: »
    Where do you download it from? I can't find it anywhere; it's probably staring me in the face. Do you just drop it in the root folder?

    Google should throw up some legacy archives. Yes, just paste it to the root of the storage partition.


  • Kenny Powers (Registered User, 983 posts)


    Hi,

    I have the following set-up and it seems to work OK. I would like to do this on the switch chip
    to spare the CPU; does anyone know how I go about doing this?

    # one bridge per VLAN, spanning tree off
    /interface bridge
    add comment="VLAN 100 Bridge" name=bridge-vlan100 protocol-mode=none
    add comment="VLAN 200 Bridge" name=bridge-vlan200 protocol-mode=none

    # ether3-5 taken out of the switch group (master-port=none) so each is a separate CPU-facing port
    /interface ethernet
    set [ find default-name=ether1 ] name=ether01-gateway-wan
    set [ find default-name=ether2 ] name=ether02-master-local
    set [ find default-name=ether3 ] master-port=none name=ether03-vlan100
    set [ find default-name=ether4 ] master-port=none name=ether04-vlan200
    set [ find default-name=ether5 ] master-port=none name=ether05-trunk

    # tagged sub-interfaces on the trunk port (interface names match the renamed ports above)
    /interface vlan
    add interface=ether05-trunk name=vlan100-ether05-trunk vlan-id=100
    add interface=ether05-trunk name=vlan200-ether05-trunk vlan-id=200

    # each bridge joins one access port with the matching VLAN on the trunk
    /interface bridge port
    add bridge=bridge-vlan100 interface=ether03-vlan100
    add bridge=bridge-vlan100 interface=vlan100-ether05-trunk
    add bridge=bridge-vlan200 interface=ether04-vlan200
    add bridge=bridge-vlan200 interface=vlan200-ether05-trunk

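Kenny Powers' question about moving this into the switch chip gets no answer in the thread. The following is an added example, not the poster's config and not MikroTik documentation. It does the same thing as the bridge set-up above (ether3 untagged in VLAN 100, ether4 untagged in VLAN 200, ether5 an 802.1Q trunk carrying both) in hardware on a 5-port board with an Atheros 8327 or 8227 switch chip (RB951G/hAP class) on RouterOS 6.3x, where ports that share a master-port are switched by the chip rather than the CPU. The board, the chip and the default port names are assumptions; `/interface ethernet switch print` shows which chip a board actually has. CRS models use a different menu (`/interface ethernet switch vlan` together with `egress-vlan-tag` and `ingress-vlan-translation`), so this does not carry over to them.

```routeros
# Added example, not from the thread. Assumes RouterOS 6.3x, an Atheros 8327/8227 switch chip
# (check with: /interface ethernet switch print) and default port names. ether1 stays outside
# the switch group as the WAN port.

# 1. One switch group: ether2 is the master, ether3-5 are switched in hardware behind it.
/interface ethernet
set [ find default-name=ether2 ] master-port=none
set [ find default-name=ether3 ] master-port=ether2
set [ find default-name=ether4 ] master-port=ether2
set [ find default-name=ether5 ] master-port=ether2

# 2. Per-port VLAN handling. vlan-mode=secure drops frames whose VLAN is not in the table
#    or that arrive on a port not listed for that VLAN; the default (fallback) floods them
#    across the whole switch group, which defeats the point of separating the VLANs.
/interface ethernet switch port
# access ports: untagged frames get the port's VLAN, tags are stripped on the way out
set ether3 vlan-mode=secure vlan-header=always-strip default-vlan-id=100
set ether4 vlan-mode=secure vlan-header=always-strip default-vlan-id=200
# trunk: tag anything that would leave untagged, accept tagged frames in
set ether5 vlan-mode=secure vlan-header=add-if-missing
# the master port itself is in no VLAN below, so in secure mode nothing is forwarded on it
set ether2 vlan-mode=secure
# CPU port: keep tags so an /interface vlan on the master port can see VLAN 100/200 if needed
set switch1-cpu vlan-mode=secure vlan-header=leave-as-is

# 3. VLAN table: which ports each VLAN may use. Leave switch1-cpu out of a line if the
#    router should have no presence in that VLAN at all.
/interface ethernet switch vlan
add switch=switch1 vlan-id=100 ports=ether3,ether5,switch1-cpu
add switch=switch1 vlan-id=200 ports=ether4,ether5,switch1-cpu

# 4. Optional: an L3 address for the router in VLAN 100, via the master port (tagged
#    through the CPU port). Only needed if the router should route or be managed there.
/interface vlan
add name=vlan100 interface=ether2 vlan-id=100
```

Once applied, `/interface ethernet switch host print` shows MAC addresses learned per VLAN, and `/interface ethernet switch vlan print` shows the two entries; the two bridges from the original config are no longer needed for ether3-5, and `/system resource monitor` should stay flat while traffic crosses between an access port and the trunk.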

  • Jambo (Registered User, 986 posts)


    OP, thanks for the firewall scripts; they are presently managing to keep someone with an IP in India at bay.

    I recently purchased a CRS125-24G-1S and I can't for the life of me tell where I am going wrong with setting it up! The DHCP server just doesn't seem to function as expected, and the IP address of the unit keeps reverting to 0.0.0.0 from 192.168.88.1.

    In summary: my ISP is UPC, their modem is bridged and is cabled to ether1 on the CRS125-24G-1S.

    When I log in via Winbox (6.30), run Quick Set (change config to Router, change Address Acquisition to , select DHCP Server (range 192.168.88.2-192.168.88.250) and NAT, change the default password), the local IP reverts at some stage, sometimes immediately, to 0.0.0.0!

    In respect of the DHCP issues: the DHCP server appears to be running correctly; however, the devices on the LAN do not appear in the lease list and each has an IP address not in my IP pool! Occasionally my Android phone shows up in the lease list!

    I did try running the DHCP server on different interfaces without any positive results.

    All devices on the LAN connected through the CRS125-24G-1S continue to have full WAN access; however, it's not ideal in the current setup.

    I have reset the unit countless times without luck and the above issues remain the same.

    Any help would be appreciated.


  • mass_debater (Closed Account, 3,072 posts)


    Set the DHCP server to the bridge that bridges LAN ports ether2-5 and the wireless interface. You can check IP/DHCP Client and make sure it's set to get DHCP on ether1; the address it gets assigned will appear in IP/Addresses marked with a D for dynamic. You also set the LAN IP of the router in IP/Addresses; set it to ether2 or the bridge.


  • Jambo (Registered User, 986 posts)


    Thanks for the reply.
    mass_debater wrote: »
    Set the DHCP server to the bridge that bridges LAN ports ether2-5 and the wireless interface.

    There is no bridge, active or inactive, on the unit! BTW, it's a 24-port unit.
    If I set up a bridge and try to set the DHCP server to it, the entry turns red!
    mass_debater wrote: »
    You can check IP/DHCP Client and make sure it's set to get DHCP on ether1; the address it gets assigned will appear in IP/Addresses marked with a D for dynamic.

    This is fine.
    mass_debater wrote: »
    You also set the LAN IP of the router in IP/Addresses; set it to ether2 or the bridge.

    Done, but still no change! Mikrotik is definitely a big learning curve.


  • mass_debater (Closed Account, 3,072 posts)


    OK, I think you're not accepting the default script on initial boot after a factory reset, which would set up all this, or else this model is different and doesn't give the option of a default script. The default script usually turns ether1 into WAN and assigns the other ports to a switch; it then bridges between wireless and the switch ports and sets up a NAT rule and a basic firewall. I can put something together later for you after work to get you going.

    Can you do an export compact from the terminal and paste it here?


  • Jambo (Registered User, 986 posts)


    mass_debater wrote: »
    OK, I think you're not accepting the default script on initial boot after a factory reset, which would set up all this, or else this model is different and doesn't give the option of a default script. The default script usually turns ether1 into WAN and assigns the other ports to a switch; it then bridges between wireless and the switch ports and sets up a NAT rule and a basic firewall. I can put something together later for you after work to get you going.

    Can you do an export compact from the terminal and paste it here?

    Any time I have done a reset I have (I think) let the default config load (I don't select "no configuration").

    Below is the export (the issue was happening before the firewall rules were added):
    [admin@Aylesbury] > export compact
    # jul/10/2015 09:04:05 by RouterOS 6.30
    # software id = LELF-X0H6
    #
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-master-local
    set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
    set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
    set [ find default-name=ether6 ] master-port=ether1-master-local name=\
    ether6-slave-local
    set [ find default-name=ether7 ] master-port=ether1-master-local name=\
    ether7-slave-local
    set [ find default-name=ether8 ] master-port=ether1-master-local name=\
    ether8-slave-local
    set [ find default-name=ether9 ] master-port=ether1-master-local name=\
    ether9-slave-local
    set [ find default-name=ether10 ] master-port=ether1-master-local name=\
    ether10-slave-local
    set [ find default-name=ether11 ] master-port=ether1-master-local name=\
    ether11-slave-local
    set [ find default-name=ether12 ] master-port=ether1-master-local name=\
    ether12-slave-local
    set [ find default-name=ether13 ] master-port=ether1-master-local name=\
    ether13-slave-local
    set [ find default-name=ether14 ] master-port=ether1-master-local name=\
    ether14-slave-local
    set [ find default-name=ether15 ] master-port=ether1-master-local name=\
    ether15-slave-local
    set [ find default-name=ether16 ] master-port=ether1-master-local name=\
    ether16-slave-local
    set [ find default-name=ether17 ] master-port=ether1-master-local name=\
    ether17-slave-local
    set [ find default-name=ether18 ] master-port=ether1-master-local name=\
    ether18-slave-local
    set [ find default-name=ether19 ] master-port=ether1-master-local name=\
    ether19-slave-local
    set [ find default-name=ether20 ] master-port=ether1-master-local name=\
    ether20-slave-local
    set [ find default-name=ether21 ] master-port=ether1-master-local name=\
    ether21-slave-local
    set [ find default-name=ether22 ] master-port=ether1-master-local name=\
    ether22-slave-local
    set [ find default-name=ether23 ] master-port=ether1-master-local name=\
    ether23-slave-local
    set [ find default-name=ether24 ] master-port=ether1-master-local name=\
    ether24-slave-local
    set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
    sfp1-slave-local
    /interface wireless security-profiles
    set [ find default=yes ] supplicant-identity=MikroTik
    /ip pool
    add name=dhcp ranges=192.168.88.2-192.168.88.250
    /ip dhcp-server
    add address-pool=dhcp disabled=no name=dhcp1
    /ip address
    add address=192.168.88.1/24 interface=ether2-slave-local network=192.168.88.0
    /ip cloud
    set ddns-enabled=yes
    /ip dhcp-client
    add dhcp-options=hostname,clientid disabled=no interface=ether1-master-local
    /ip dhcp-server network
    add gateway=0.0.0.0
    add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
    /ip firewall filter
    add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 \
    protocol=tcp src-address-list=ftp_blacklist
    add chain=output content="530 Login incorrect" dst-limit=\
    1/1m,9,dst-address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h chain=output content="530 Login incorrect" \
    protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
    protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=22 \
    protocol=tcp
    add chain=input comment="allow ICMP" protocol=icmp
    add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
    add chain=input comment="allow api" dst-port=8728 protocol=tcp
    add action=add-src-to-address-list address-list=trying_to_login \
    address-list-timeout=1d chain=input comment=\
    "list IP's who try remote login" dst-port=20-23 protocol=tcp
    add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=1w3d chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage3
    add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1h chain=input connection-state=new dst-port=22 \
    protocol=tcp
    add chain=input comment="allow ssh" disabled=yes dst-port=22 protocol=tcp
    add action=add-src-to-address-list address-list=telnet_stage1 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp
    add action=drop chain=input comment="drop telnet brute forcers" dst-port=23 \
    protocol=tcp src-address-list=black_list
    add action=add-src-to-address-list address-list=black_list \
    address-list-timeout=1d chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage3
    add action=add-src-to-address-list address-list=telnet_stage3 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage2
    add action=add-src-to-address-list address-list=telnet_stage2 \
    address-list-timeout=1m chain=input connection-state=new dst-port=23 \
    protocol=tcp src-address-list=telnet_stage1
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether1-master-local
    add action=dst-nat chain=dstnat comment=\
    "sample udp from port 5000 to 5000 (lan ip 192.168.1.254)" disabled=yes \
    dst-port=5000 protocol=udp to-addresses=192.168.88.254 to-ports=5000
    add action=dst-nat chain=dstnat comment=\
    "sample tcp from port 5000 to 5000 (lan ip 192.168.1.254)" disabled=yes \
    dst-port=5000 protocol=tcp to-addresses=192.168.88.254 to-ports=5000
    /ip route
    add disabled=yes distance=1 gateway=188.141.118.1
    /system clock
    set time-zone-name=Europe/Dublin
    /system identity
    set name=Aylesbury
    /system routerboard settings
    set protected-routerboot=disabled
    /system script
    add name="Basic Firewall" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ip fir\
    ewall filter\r\
    \nadd action=accept chain=input comment=\"allow ICMP\" disabled=no protoco\
    l=icmp\r\
    \nadd action=accept chain=input comment=\"allow winbox\" disabled=no dst-p\
    ort=8291 protocol=tcp\r\
    \nadd action=accept chain=input comment=\"allow api\" disabled=no dst-port\
    =8728 protocol=tcp\r\
    \nadd action=add-src-to-address-list address-list=trying_to_login address-\
    list-timeout=1d chain=input comment=\"list IP's who try remote login\" dis\
    abled=no dst-port=20-23 protocol=tcp\r\
    \nadd action=drop chain=input comment=\"drop ssh brute forcers\" disabled=\
    no dst-port=22 protocol=tcp src-address-list=ssh_blacklist\r\
    \nadd action=add-src-to-address-list address-list=ssh_blacklist address-li\
    st-timeout=1w3d chain=input connection-state=new disabled=no dst-port=22 p\
    rotocol=tcp src-address-list=ssh_stage3\r\
    \nadd action=add-src-to-address-list address-list=ssh_stage3 address-list-\
    timeout=1h chain=input connection-state=new disabled=no dst-port=22 protoc\
    ol=tcp src-address-list=ssh_stage2\r\
    \nadd action=add-src-to-address-list address-list=ssh_stage2 address-list-\
    timeout=1h chain=input connection-state=new disabled=no dst-port=22 protoc\
    ol=tcp src-address-list=ssh_stage1\r\
    \nadd action=add-src-to-address-list address-list=ssh_stage1 address-list-\
    timeout=1h chain=input connection-state=new disabled=no dst-port=22 protoc\
    ol=tcp\r\
    \nadd action=accept chain=input comment=\"allow ssh\" disabled=no dst-port\
    =22 protocol=tcp\r\
    \nadd action=accept chain=input comment=\"accept vpn\" disabled=no dst-por\
    t=1723 in-interface=ether1-gateway protocol=tcp\r\
    \nadd action=accept chain=input comment=\"accept vpn gre\" disabled=no in-\
    interface=ether1-gateway protocol=gre\r\
    \nadd action=drop chain=input comment=\"drop ftp\" disabled=no dst-port=21\
    \_protocol=tcp\r\
    \nadd action=drop chain=forward comment=\"drop invalid connections\" conne\
    ction-state=invalid disabled=no\r\
    \nadd action=accept chain=forward comment=\"allow already established conn\
    ections\" connection-state=established disabled=no\r\
    \nadd action=accept chain=forward comment=\"allow related connections\" co\
    nnection-state=related disabled=no\r\
    \nadd action=drop chain=input comment=\"drop Invalid connections\" connect\
    ion-state=invalid disabled=no\r\
    \nadd action=accept chain=input comment=\"allow established connections\" \
    connection-state=established disabled=no\r\
    \nadd action=accept chain=input comment=\"acccept lan\" disabled=no in-int\
    erface=!ether1-gateway src-address=192.168.88.0/24\r\
    \nadd action=drop chain=input comment=\"drop everything else\" disabled=no\
    "
    add name="Basic Port Fwd" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ip fir\
    ewall nat\r\
    \nadd action=dst-nat chain=dstnat comment=\"sample udp from port 5000 to 5\
    000 (lan ip 192.168.1.254)\" disabled=yes dst-port=5000 protocol=udp to-ad\
    dresses=192.168.88.254 to-ports=5000\r\
    \nadd action=dst-nat chain=dstnat comment=\"sample tcp from port 5000 to 5\
    000 (lan ip 192.168.1.254)\" disabled=yes dst-port=5000 protocol=tcp to-ad\
    dresses=192.168.88.254 to-ports=5000"
    add name="Telnet Blocker" owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive source="/ ip fi\
    rewall filter\r\
    \nadd chain=input protocol=tcp dst-port=23 src-address-list=black_list act\
    ion=drop \\\r\
    \ncomment=\"drop telnet brute forcers\" disabled=no\r\
    \nadd chain=input protocol=tcp dst-port=23 connection-state=new \\\r\
    \nsrc-address-list=telnet_stage3 action=add-src-to-address-list address-li\
    st=black_list address-list-timeout=1d \\\r\
    \ncomment=\"\" disabled=no\r\
    \nadd chain=input protocol=tcp dst-port=23 connection-state=new \\\r\
    \nsrc-address-list=telnet_stage2 action=add-src-to-address-list address-li\
    st=telnet_stage3 address-list-timeout=1m \\\r\
    \ncomment=\"\" disabled=no\r\
    \nadd chain=input protocol=tcp dst-port=23 connection-state=new \\\r\
    \nsrc-address-list=telnet_stage1 action=add-src-to-address-list address-li\
    st=telnet_stage2 address-list-timeout=1m \\\r\
    \ncomment=\"\" disabled=no\r\
    \nadd chain=input protocol=tcp dst-port=23 connection-state=new \\\r\
    \naction=add-src-to-address-list address-list=telnet_stage1 address-list-t\
    imeout=1m comment=\"\" \\\r\
    \ndisabled=no"
    /tool romon port
    add
    [admin@Aylesbury] >


  • mass_debater (Closed Account, 3,072 posts)


    Jambo wrote: »
    Any time I have done a reset I have (I think) let the default config load (I don't select "no configuration").

    Below is the export (the issue was happening before the firewall rules were added).

    There is no default config; you have to accept the script to install one. This is your problem.


  • Jambo (Registered User, 986 posts)


    mass_debater wrote: »
    There is no default config; you have to accept the script to install one. This is your problem.


    When I have reset the configuration previously via webfig I am presented with the screen below.

    [screenshot: 2mp0nko.gif]

    I have not ticked/selected any box or selected any item to "run after reset"


  • mass_debater (Closed Account, 3,072 posts)


    Jambo wrote: »
    When I have reset the configuration previously via webfig I am presented with the screen below.

    [screenshot: 2mp0nko.gif]

    I have not ticked/selected any box or selected any item to "run after reset"

    Forget about WebFig, use Winbox. When it resets, log in and accept the default config script. The router will run the script and reboot with a proper config.


  • Jambo (Registered User, 986 posts)


    mass_debater wrote: »
    Forget about WebFig, use Winbox. When it resets, log in and accept the default config script. The router will run the script and reboot with a proper config.

    That's what I am sure I did multiple times yesterday. I will try again this evening once I am home, as I don't want to reset the unit from work and lose access to my system.


  • Jambo (Registered User, 986 posts)


    Jambo wrote: »
    That's what I am sure I did multiple times yesterday. I will try again this evening once I am home, as I don't want to reset the unit from work and lose access to my system.

    Done another config reset from Winbox, and set the basics up by working back to front. Now everything appears somewhat more stable and in line with what you would expect; however, only 1 of the 5 current DHCP (wired) clients is showing up in the leases, the other 4 have IP addresses not in my pool! (My DHCP pool is 192.168.88.2-192.168.88.250, whereas the 4 rogue DHCP clients all have IPs 89.100.173.xxx.)

    Below are the steps I took to get back on somewhat stable ground.

    Below: "Default Config" after reset
    [admin@MikroTik] > export compact
    # jan/02/1970 00:01:54 by RouterOS 6.30
    # software id = LELF-X0H6
    #
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-master-local
    set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
    set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
    set [ find default-name=ether6 ] master-port=ether1-master-local name=\
    ether6-slave-local
    set [ find default-name=ether7 ] master-port=ether1-master-local name=\
    ether7-slave-local
    set [ find default-name=ether8 ] master-port=ether1-master-local name=\
    ether8-slave-local
    set [ find default-name=ether9 ] master-port=ether1-master-local name=\
    ether9-slave-local
    set [ find default-name=ether10 ] master-port=ether1-master-local name=\
    ether10-slave-local
    set [ find default-name=ether11 ] master-port=ether1-master-local name=\
    ether11-slave-local
    set [ find default-name=ether12 ] master-port=ether1-master-local name=\
    ether12-slave-local
    set [ find default-name=ether13 ] master-port=ether1-master-local name=\
    ether13-slave-local
    set [ find default-name=ether14 ] master-port=ether1-master-local name=\
    ether14-slave-local
    set [ find default-name=ether15 ] master-port=ether1-master-local name=\
    ether15-slave-local
    set [ find default-name=ether16 ] master-port=ether1-master-local name=\
    ether16-slave-local
    set [ find default-name=ether17 ] master-port=ether1-master-local name=\
    ether17-slave-local
    set [ find default-name=ether18 ] master-port=ether1-master-local name=\
    ether18-slave-local
    set [ find default-name=ether19 ] master-port=ether1-master-local name=\
    ether19-slave-local
    set [ find default-name=ether20 ] master-port=ether1-master-local name=\
    ether20-slave-local
    set [ find default-name=ether21 ] master-port=ether1-master-local name=\
    ether21-slave-local
    set [ find default-name=ether22 ] master-port=ether1-master-local name=\
    ether22-slave-local
    set [ find default-name=ether23 ] master-port=ether1-master-local name=\
    ether23-slave-local
    set [ find default-name=ether24 ] master-port=ether1-master-local name=\
    ether24-slave-local
    set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
    sfp1-slave-local
    /ip address
    add address=192.168.88.1/24 comment="default configuration" interface=\
    ether1-master-local network=192.168.88.0
    /system routerboard settings
    set protected-routerboot=disabled
    /tool romon port
    add
    [admin@MikroTik] >


    Default Config after quick setup
    [admin@MikroTik] > export compact
    # jan/02/1970 00:37:15 by RouterOS 6.30
    # software id = LELF-X0H6
    #
    /interface ethernet
    set [ find default-name=ether1 ] name=ether1-master-local
    set [ find default-name=ether2 ] master-port=ether1-master-local name=\
    ether2-slave-local
    set [ find default-name=ether3 ] master-port=ether1-master-local name=\
    ether3-slave-local
    set [ find default-name=ether4 ] master-port=ether1-master-local name=\
    ether4-slave-local
    set [ find default-name=ether5 ] master-port=ether1-master-local name=\
    ether5-slave-local
    set [ find default-name=ether6 ] master-port=ether1-master-local name=\
    ether6-slave-local
    set [ find default-name=ether7 ] master-port=ether1-master-local name=\
    ether7-slave-local
    set [ find default-name=ether8 ] master-port=ether1-master-local name=\
    ether8-slave-local
    set [ find default-name=ether9 ] master-port=ether1-master-local name=\
    ether9-slave-local
    set [ find default-name=ether10 ] master-port=ether1-master-local name=\
    ether10-slave-local
    set [ find default-name=ether11 ] master-port=ether1-master-local name=\
    ether11-slave-local
    set [ find default-name=ether12 ] master-port=ether1-master-local name=\
    ether12-slave-local
    set [ find default-name=ether13 ] master-port=ether1-master-local name=\
    ether13-slave-local
    set [ find default-name=ether14 ] master-port=ether1-master-local name=\
    ether14-slave-local
    set [ find default-name=ether15 ] master-port=ether1-master-local name=\
    ether15-slave-local
    set [ find default-name=ether16 ] master-port=ether1-master-local name=\
    ether16-slave-local
    set [ find default-name=ether17 ] master-port=ether1-master-local name=\
    ether17-slave-local
    set [ find default-name=ether18 ] master-port=ether1-master-local name=\
    ether18-slave-local
    set [ find default-name=ether19 ] master-port=ether1-master-local name=\
    ether19-slave-local
    set [ find default-name=ether20 ] master-port=ether1-master-local name=\
    ether20-slave-local
    set [ find default-name=ether21 ] master-port=ether1-master-local name=\
    ether21-slave-local
    set [ find default-name=ether22 ] master-port=ether1-master-local name=\
    ether22-slave-local
    set [ find default-name=ether23 ] master-port=ether1-master-local name=\
    ether23-slave-local
    set [ find default-name=ether24 ] master-port=ether1-master-local name=\
    ether24-slave-local
    set [ find default-name=sfp1 ] master-port=ether1-master-local name=\
    sfp1-slave-local
    /ip pool
    add name=dhcp ranges=192.168.88.1-192.168.88.250
    /ip dhcp-server
    add address-pool=dhcp disabled=no interface=ether1-master-local lease-time=\
    1d12h name=dhcp1
    /ip dhcp-client
    add dhcp-options=hostname,clientid disabled=no interface=ether1-master-local
    /ip dhcp-server config
    set store-leases-disk=1d12h
    /ip dhcp-server network
    add gateway=0.0.0.0
    add address=192.168.88.0/24 gateway=192.168.88.1 netmask=24
    /ip firewall nat
    add action=masquerade chain=srcnat out-interface=ether1-master-local
    /system routerboard settings
    set protected-routerboot=disabled
    /tool romon port
    add
    [admin@MikroTik] >

    No amount of reboots or resetting of the router and/or its clients is resolving whatever is going on. I have a good few screenshots also of these strange happenings.

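Reading the two exports above: every port, including ether1 where the ISP modem is plugged in, is a slave of ether1-master-local, and both the DHCP client (towards the ISP) and the DHCP server (towards the LAN) sit on that same ether1-master-local, as does the masquerade rule. That makes the whole CRS one flat switch with the ISP on it, which is exactly what the 89.100.173.x leases show: the provider's DHCP server answers the LAN machines directly, and those machines sit on the provider's segment with no NAT or firewall in front of them. The pool in the second export also starts at 192.168.88.1, the router's own address. Note also that the filter rules actually applied in the first export accept Winbox (8291) and API (8728) from any source and end without a drop, so nothing stops the ISP side from reaching the router's management ports. The following is an added example, not Jambo's export and not MikroTik's default script: it assumes a CRS125-24G-1S on RouterOS 6.3x (master-port switching), the modem on ether1, the LAN on ether2 to ether24 plus sfp1, and the 192.168.88.0/24 plan from the thread.

```routeros
# Added example, not from the thread. Assumes a CRS125-24G-1S on RouterOS 6.3x, modem on
# ether1, LAN on ether2-24 and sfp1, LAN subnet 192.168.88.0/24 with the router at .1.
# Paste into the terminal after a reset with no default configuration; keep a Winbox MAC
# session or console open while doing it, since the IP address moves ports.

# 1. ether2 becomes the master of the LAN switch group; ether1 becomes a stand-alone WAN port
#    that shares no L2 segment with the LAN.
/interface ethernet
set [ find default-name=ether2 ] master-port=none name=ether2-master-lan
:for n from=3 to=24 do={
    /interface ethernet set [ find default-name=("ether" . $n) ] master-port=ether2-master-lan
}
set [ find default-name=sfp1 ] master-port=ether2-master-lan
set [ find default-name=ether1 ] master-port=none name=ether1-wan

# 2. LAN addressing and DHCP on the master port only. The pool starts at .10; .1 is the router.
/ip address
add address=192.168.88.1/24 interface=ether2-master-lan comment="LAN gateway"
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.250
/ip dhcp-server
add name=lan-dhcp interface=ether2-master-lan address-pool=lan-pool lease-time=1d disabled=no
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dns
set allow-remote-requests=yes

# 3. WAN: the DHCP client runs on ether1-wan only, so the ISP lease lands on the router,
#    not on the LAN hosts; masquerade out of the same port.
/ip dhcp-client
add interface=ether1-wan disabled=no add-default-route=yes use-peer-dns=yes
/ip firewall nat
add chain=srcnat out-interface=ether1-wan action=masquerade comment="NAT to ISP"

# 4. Minimal stateful firewall: nothing from the ISP side reaches the router (input) or the
#    LAN (forward) unless the LAN started the connection.
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1-wan action=drop comment="no management or DNS from WAN"
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=ether1-wan action=drop comment="no unsolicited inbound; dst-nat accepts go above this"
```

Checks after applying: `/ip address print` should show 192.168.88.1/24 on ether2-master-lan and the ISP lease flagged D on ether1-wan; `/ip dhcp-server lease print` should list every wired client once it renews (a host still holding an 89.100.173.x lease keeps it until it renews or reconnects); `/ip firewall filter print stats` shows the WAN drop counters climbing as soon as anything on the ISP side probes the router. Winbox over the LAN keeps working because the input chain only drops what arrives on ether1-wan.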

  • mass_debater (Closed Account, 3,072 posts)


    I'll go through that in the morn; had a few ales, finding it hard to read :)


  • roast (Registered User, 2,320 posts)


    Having serious craic here trying to set up hairpin NAT. I can't access my web server from inside the network. Would greatly appreciate any help with this; I know I'm just missing something small. I tried moving the masquerade rule to the top of my NAT chain, but still had the same issue. I removed the port from the hairpin rule (rule 2 below) also.

    Here's my config:
    Local address space: 192.168.0.0/24
    Webserver IP: 192.168.0.248
    WAN interface: ether1
    LAN interface: bridge1

    0    chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=80 
          protocol=tcp in-interface=ether1 dst-port=80 log=no log-prefix="" 
    
     1    chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=25 
          protocol=tcp in-interface=ether1 dst-port=25 log=no log-prefix="" 
    
     2    chain=srcnat action=masquerade protocol=tcp src-address=192.168.0.0/24 
          dst-address=192.168.0.248 out-interface=bridge1 dst-port=80 log=no 
          log-prefix="" 
    
     3    chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix=""
    

    Thanks in advance.


  • mass_debater (Closed Account, 3,072 posts)


    Completely forgot about this thread, sorry. Seems like you're having fun anyway, you just never stop messing with these.

    Your NAT rule needs to be the top one, the hairpin NAT rule the second, with your dst-nat rules after them, as they are read from the top down. In your case it should be:
    /ip firewall nat
    add action=masquerade chain=srcnat comment=masquerade out-interface=ether1
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=192.168.0.248 src-address=192.168.0.0/24
    


  • roast (Registered User, 2,320 posts)


    mass_debater wrote: »
    Completely forgot about this thread, sorry. Seems like you're having fun anyway, you just never stop messing with these.

    Your NAT rule needs to be the top one, the hairpin NAT rule the second, with your dst-nat rules after them, as they are read from the top down. In your case it should be:
    /ip firewall nat
    add action=masquerade chain=srcnat comment=masquerade out-interface=ether1
    add action=masquerade chain=srcnat comment="hairpin nat rule" dst-address=192.168.0.248 src-address=192.168.0.0/24
    

    Thanks for the reply, I was hoping you'd show up! :D
    Yeah, there seems to be no end to the fun. I want to nail down this issue before I start to make a dog's dinner of it with extra WAN connections; that should be fun when I get to it...

    I tried what you suggested though, no luck unfortunately. Here's a print of my NAT rules as they stand now.
    0    ;;; Masq rule
          chain=srcnat action=masquerade out-interface=ether1 log=no log-prefix="" 
    
     1    ;;; Hairpin NAT
          chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.248 log=no 
          log-prefix="" 
    
     2    ;;; HTTP
          chain=dstnat action=dst-nat to-addresses=192.168.0.248 to-ports=80 protocol=tcp 
          in-interface=ether1 dst-port=80 log=no log-prefix=""
    

    Thanks again.


  • mass_debater (Closed Account, 3,072 posts)


    Remove the in-interface from your dst-nat rule:
    add action=dst-nat chain=dstnat comment=http dst-port=80 protocol=tcp to-addresses=192.168.0.248 to-ports=80
    


  • roast (Registered User, 2,320 posts)


    mass_debater wrote: »
    Remove the in-interface from your dst-nat rule:
    add action=dst-nat chain=dstnat comment=http dst-port=80 protocol=tcp to-addresses=192.168.0.248 to-ports=80
    

    Sorry for the delay!

    I tried that, and it works! But, something weird is happening. When I try to access certain websites (boards being one of them, coincidentally) it redirects to my internal web server. DNS checks out, I'm getting the right IP when I ping certain sites and I've flushed DNS and browser caches.


  • mass_debater (Closed Account, 3,072 posts)


    roast wrote: »
    Sorry for the delay!

    I tried that, and it works! But, something weird is happening. When I try to access certain websites (boards being one of them, coincidentally) it redirects to my internal web server. DNS checks out, I'm getting the right IP when I ping certain sites and I've flushed DNS and browser caches.

    Yes, because you're using port 80, use another port for your web server like 8080 and get to it by putting :8080 after the ip or the domain name you're using


  • Registered Users, Registered Users 2 Posts: 986 ✭✭✭Jambo


    I know this is a bit of a how-long-is-a-piece-of-string question, but since I moved from my TP-Link router/modem to my Mikrotik router/switch I have been unable to remap my NAS (Synology) box or any other shared drives to any PC/laptop on my LAN!

    Yet each device is visible from each machine in File Explorer / Network, and web/management interfaces are accessible on the LAN without issue.

    It's possibly a case of the answer staring me in the face, but can anyone suggest where to start looking? I think I have covered most of the basics.


  • Closed Accounts Posts: 3,072 ✭✭✭mass_debater


    Jambo wrote: »
    I know this is a bit of a how-long-is-a-piece-of-string question, but since I moved from my TP-Link router/modem to my Mikrotik router/switch I have been unable to remap my NAS (Synology) box or any other shared drives to any PC/laptop on my LAN!

    Yet each device is visible from each machine in File Explorer / Network, and web/management interfaces are accessible on the LAN without issue.

    It's possibly a case of the answer staring me in the face, but can anyone suggest where to start looking? I think I have covered most of the basics.

    Sounds like it could be DNS. Do you have local DNS set up on the Mikrotik? Set it to your provider's two DNS servers, then set the DHCP server to give out the router IP as the only DNS server to your devices. Also, enable the DNS cache; it makes a huge difference, as addresses you visit often will load faster because the DNS request gets returned from the router and doesn't need a lookup.
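    The setup described in the reply above, written out as a RouterOS CLI example. This is an added example, not configuration posted in the thread; the two upstream resolver addresses, the router's LAN address 192.168.88.1 and the WAN port name ether1 are assumptions. The last two rules are the part that is easy to miss: allow-remote-requests=yes is what lets LAN clients use the router as a caching resolver, but it also answers queries arriving on the WAN side unless the input chain drops them, which leaves the router running as an open resolver on the internet.

```routeros
# Added example, not from the thread. Assumptions: the ISP's resolvers are
# 203.0.113.53 and 203.0.113.54 (placeholders), the router's LAN address is
# 192.168.88.1 and the WAN port is ether1.

# Upstream resolvers and the local cache. allow-remote-requests=yes is what
# makes the router answer DNS queries from other hosts, i.e. act as the cache.
/ip dns
set servers=203.0.113.53,203.0.113.54 allow-remote-requests=yes cache-size=4096KiB

# Hand out only the router as DNS server to DHCP clients on the LAN network.
/ip dhcp-server network
set [ find address=192.168.88.0/24 ] dns-server=192.168.88.1

# allow-remote-requests=yes also answers queries that arrive from the internet,
# so drop DNS on the WAN interface in the input chain. Put these rules above
# any generic "accept DNS" rule that has no in-interface restriction.
/ip firewall filter
add chain=input action=drop protocol=udp dst-port=53 in-interface=ether1 comment="no DNS from WAN"
add chain=input action=drop protocol=tcp dst-port=53 in-interface=ether1 comment="no DNS from WAN"

# After some browsing, confirm entries are being served from the cache.
/ip dns cache print
```

    To check the exposure from outside, a DNS query against the public address from a host on the internet should time out once the two drop rules are in place; /ip firewall filter print stats shows their packet counters climbing if anything is probing port 53.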


  • Registered Users, Registered Users 2 Posts: 2,320 ✭✭✭roast


    Yes, because you're using port 80, use another port for your web server like 8080 and get to it by putting :8080 after the ip or the domain name you're using

    Thanks for this. It didn't fix the issue outright but I ended up putting my static WAN IP into the destination address on my HTTP rule and so far, so good.

    Massive thanks for the help with this, it was driving me nuts for ages. Legend! :D
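    The NAT rule set the two posts above converge on, written out as an added RouterOS example (not configuration from the thread). It assumes ether1 is the WAN port with the static public address 203.0.113.10 (a placeholder for roast's real WAN IP), the LAN is 192.168.0.0/24 and the web server is 192.168.0.248, as in the print earlier in the thread. It shows why the two earlier attempts misbehaved: with in-interface=ether1 the hairpin traffic, which enters on the bridge, never matched the dst-nat rule, and with no in-interface and no dst-address the rule matched every forwarded TCP/80 flow, including outbound browsing, which is why other websites landed on the internal server. Pinning dst-address to the public IP fixes both cases.

```routeros
# Added example, not from the thread. Assumptions: WAN port ether1 with static
# public address 203.0.113.10 (placeholder), LAN 192.168.0.0/24, web server
# 192.168.0.248.
/ip firewall nat
# Port forward. dst-address limits the rule to traffic addressed to the public
# IP, so ordinary outbound browsing to other port-80 hosts is left alone.
add chain=dstnat action=dst-nat dst-address=203.0.113.10 protocol=tcp dst-port=80 \
    to-addresses=192.168.0.248 to-ports=80 comment="HTTP to web server"
# Hairpin: a LAN client reaching the public IP gets the dst-nat above, then this
# masquerade makes the server reply through the router instead of directly to
# the client (whose request would otherwise be ignored as a mismatched reply).
add chain=srcnat action=masquerade src-address=192.168.0.0/24 dst-address=192.168.0.248 \
    protocol=tcp dst-port=80 comment="Hairpin NAT"
# Ordinary outbound masquerade, last.
add chain=srcnat action=masquerade out-interface=ether1 comment="Masq rule"
```

    If the WAN address is dynamic, dst-address-type=local on the dstnat rule matches any address the router itself holds; bear in mind that this includes the router's LAN address, so WebFig on the router would also be forwarded unless the rule is narrowed further.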


  • Registered Users, Registered Users 2 Posts: 285 ✭✭peneau


    Hi Everybody, I'm very much a novice in this area. As I'm in the market for a new router (home network) and in doing some research for same I came upon this thread so I hope you can help me with some questions/recommendations please. From this thread Mikrotik routers are highly regarded, so with that in mind I need a new 2.4 and 5ghz router that supports wireless, 3G mobile internet dongle connection, do Mikrotik produce a router with such specs ? Any advice/suggestions/recommendations greatly appreciated. Many thanks.


  • Closed Accounts Posts: 3,072 ✭✭✭mass_debater


    There's no dual-band off-the-shelf household Mikrotik yet; promised soon, this fall.
    http://alicevixie.blogspot.ie/2015/03/first-mikrotik-dual-band-ap.html

    You can assemble one with one of their Routerboards and all the bits, or you can buy a third-party one.
    http://www.ispsupplies.com/categories/Indoor-Kits-Packages/MikroTik-Dual-Band-Indoor-802-11ac-Access-Point-Kit.html


  • Registered Users, Registered Users 2 Posts: 285 ✭✭peneau


    Great, thank you for that, I'll have a go, much appreciated


  • Registered Users Posts: 1 svabos


    hey /b
    could you help me set up my mikrotik better? I've managed to set it up using YT video tutorials but it doesn't release the full potential this router has. So I have an RB2011UiAS-2HnD-IN. The setup that I have is this:
    ISP cable modem -> eth1 -> mikrotik -> eth2-5 -> 3 PCs (1 gaming, 1 YT streaming and 1 misc) & 1 NAS
    - internet speed is around 12/2 Mbit
    - cable modem is set in bridge mode. It doesn't need PPPoE or any credentials to get online.
    - PCs and NAS are connected to gigabit eth ports. I wanted it this way because I use the NAS as a torrent box, so I need a gigabit connection to share downloaded stuff fast via LAN
    - I've set up a simple queue so that none of the PCs can take the whole internet connection to itself. The problem is that it's not the greatest solution for online gaming
    - I have a basic firewall setup with around 9 rules and it blocks my torrent visibility in a way that I can't use either UPnP or port forwarding

    so, I would need:
    1. QoS or simple queue setup that could give me the best ping in-game on PC1 while PC2 is streaming YT, PC3 is surfing and the NAS is seeding torrents. The games that are played are not connection hungry
    2. Firewall setup that doesn't block UPnP connections (of the mikrotik and NAS) so that I can become visible for torrents

    that's it. Because I'm a noob I would need a really easy-to-follow explanation
    help?


  • Registered Users, Registered Users 2 Posts: 983 ✭✭✭Kenny Powers


    Can anyone pass comment on this firewall filter and suggest improvements, mistakes etc.? Took bits from the first post on this thread and added bits from other forums.

    Cheers

    /ip firewall filter
    add chain=input action=accept comment="allow already established and related connections" connection-state=established,related
    add chain=input action=accept comment="allow ICMP" protocol=icmp
    add chain=input action=accept comment="allow vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
    add chain=input action=accept comment="" in-interface=ether1-gateway protocol=gre
    add chain=input action=accept comment="Accept DNS - UDP" disabled=no port=53 protocol=udp
    add chain=input action=accept comment="Accept DNS - TCP" disabled=no port=53 protocol=tcp
    add chain=input action=drop comment="Block all access to the winbox - except to support list" disabled=no dst-port=8291 protocol=tcp src-address-list=!Support
    add chain=input action=drop comment="Block all access to the API - except to support list" disabled=no dst-port=8728 protocol=tcp src-address-list=!Support
    add chain=input action=drop comment="drop ftp" disabled=no dst-port=21 protocol=tcp
    #Login
    add chain=input action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d comment="list IP's who try remote login" disabled=no dst-port=20-23 protocol=tcp
    #SSH
    add chain=input action=drop comment="drop ssh brute forcers" disabled=no dst-port=22 protocol=tcp src-address-list=ssh_blacklist
    add chain=input action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage3
    add chain=input action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
    add chain=input action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
    add chain=input action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1h connection-state=new disabled=no dst-port=22 protocol=tcp
    add chain=input action=accept comment="allow ssh" disabled=no dst-port=22 protocol=tcp

    #Syn Flood
    add chain=input action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m comment="Add Syn Flood IP to the list" connection-limit=30,32 disabled=no protocol=tcp tcp-flags=syn
    add chain=input action=drop comment="Drop to syn flood list" disabled=no src-address-list=Syn_Flooder

    #Port Scanner
    add chain=input action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w comment="Port Scanner Detect" disabled=no protocol=tcp psd=21,3s,3,1
    add chain=input action=drop comment="Drop to port scan list" disabled=no src-address-list=Port_Scanner

    add chain=input action=accept comment="accept lan" disabled=no in-interface=!bridge-local src-address=192.168.88.0/24
    add chain=input action=drop comment="" in-interface=!bridge-local

    add chain=forward action=fasttrack-connection connection-state=established,related
    add chain=forward action=accept comment="allow already established and related connections" connection-state=established,related
    add chain=forward action=drop comment="drop invalid connections" connection-state=invalid

    add chain=forward in-interface=bridge-local action=accept

    #Block Spam
    add chain=forward action=add-src-to-address-list address-list=spammers address-list-timeout=3h comment="Add Spammers to the list for 3 hours" connection-limit=30,32 disabled=no dst-port=25,587 limit=30/1m,0 protocol=tcp
    add chain=forward action=drop comment="Avoid spammers action" disabled=no dst-port=25,587 protocol=tcp src-address-list=spammers

    #Extra rules for ICMP access to the insides
    add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=8:0-255
    add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=17:0-255
    add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=15:0-255
    add chain=forward action=reject reject-with=icmp-host-unreachable protocol=icmp in-interface=!bridge-local out-interface=bridge-local icmp-options=30:0-255

    #TCP/UDP port 0 DDoS protection
    add chain=forward action=drop protocol=tcp port=0
    add chain=forward action=drop protocol=udp port=0

    add chain=forward action=drop
    add action=accept chain=input comment="Full access to SUPPORT address list" disabled=no src-address-list=Support
    add chain=input action=drop comment="drop everything else"


  • Closed Accounts Posts: 3,072 ✭✭✭mass_debater


    Just noticed you have it set to 30 TCP connections per IP. Do you really need it that low? I use 50 for wireless and 100 for wired on a few hotspots I've configured. Lots of protocols, including HTTP, will use that easily, not just torrents.

    Looks OK other than that, but I've only glanced at it.


  • Registered Users, Registered Users 2 Posts: 983 ✭✭✭Kenny Powers


    Thanks, that's for the spam blocker; I didn't spot that. Changed them to 100. It's just my home router, is there even any need for it?

    Looks like bridge-local should also be ether1-gateway.

    This rule add chain=forward action=drop seems to be blocking everything now.

