The Mikrotik RouterOS config, tips and tricks thread
Here are my current ports (I believe, sorry still learning):

[admin@MikroTik] /ip firewall> service print
Flags: X - disabled, I - invalid
 #   NAME      PORTS
 0   ftp       21
 1   tftp      69
 2   irc       6667
 3   h323
 4   sip       5060 5061
 5   pptp

After adding some of Smee's rules to my firewall:

[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
 4   ;;; default configuration
     chain=forward action=accept connection-state=established
 5   ;;; default configuration
     chain=forward action=accept connection-state=related
 6   ;;; default configuration
     chain=forward action=drop connection-state=invalid
 7   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 8   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 9   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
10   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
11   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
12   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
13   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22

Look ok?
I am also seeing a lot of this in the logs for 1 Android Phone:
11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:19:00 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:19:00 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:30 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:26:49 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:26:49 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
Is this normal?
Are you using WPA2 on the wifi?
Yes, both WPA and WPA2 are checked per the user manual.
http://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#Security_profile
Although reading it again I now see the password should be different for both keys and I think I configured them possibly the same. Could that be the issue?
Move your ssh rules 7-13 up the list to no 1; no 6 should be your very last rule, it's the explicit drop everything else rule.
Yes, it's normal, I get this too. Devices with a weak signal will drop off or be kicked and then reconnect. This will happen more for phones as you carry them in your pocket. You can check the signal under wireless registration, it's in dB so lower is better, a -60 is better than -80.
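To put numbers on the pattern described here (drop, deauth, reconnect), the following added Python snippet, which is not from the thread, groups RouterOS wireless and dhcp log lines per client MAC and reports disconnect reasons, deauth counts and the delay before each reconnect. It assumes the "HH:MM:SS topics message" format shown in the post above; the embedded lines are a subset copied from that post.

```python
"""Per-client summary of RouterOS wireless/dhcp log lines. Added example,
not from the thread; assumes the 'HH:MM:SS topics message' format shown in
the post above. SAMPLE_LOG is a subset of the lines posted there."""
from __future__ import annotations

import re
from collections import Counter, defaultdict
from datetime import datetime, timedelta

SAMPLE_LOG = """\
11:07:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:08:00 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:08:12 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:08:13 dhcp,info default deassigned 192.168.88.252 from 3C:43:8E:09:07:10
11:08:13 dhcp,info default assigned 192.168.88.252 to 3C:43:8E:09:07:10
11:16:55 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, extensive data loss
11:18:56 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:18:58 wireless,info 3C:43:8E:09:07:10@wlan1: connected
11:22:59 wireless,info 3C:43:8E:09:07:10@wlan1: disconnected, group key exchange timeout
11:24:55 wireless,info wlan1: data from unknown device 3C:43:8E:09:07:10, sent deauth
11:26:46 wireless,info 3C:43:8E:09:07:10@wlan1: connected
"""

MAC = r"(?P<mac>(?:[0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2})"
LINE = re.compile(r"^(?P<ts>\d\d:\d\d:\d\d) (?P<topics>[\w,]+) (?P<msg>.*)$")
# Event kinds, tried in this order against the message part of each line.
EVENTS = [
    ("disconnect", re.compile(MAC + r"@(?P<iface>\w+): disconnected, (?P<reason>.+)$")),
    ("connect", re.compile(MAC + r"@(?P<iface>\w+): connected$")),
    ("deauth", re.compile(r"(?P<iface>\w+): data from unknown device " + MAC + r", sent deauth$")),
    ("lease", re.compile(r"assigned (?P<ip>[\d.]+) to " + MAC + r"$")),
]


def parse_line(line: str) -> dict | None:
    """Return {'kind', 'ts', 'mac', ...} for a recognised line, else None."""
    m = LINE.match(line.strip())
    if not m:
        return None
    for kind, pattern in EVENTS:
        ev = pattern.search(m["msg"])
        if ev:
            return {"kind": kind, "ts": datetime.strptime(m["ts"], "%H:%M:%S"),
                    "topics": m["topics"], **ev.groupdict()}
    return None


def summarise(log_text: str) -> dict[str, dict]:
    """Group events per MAC: disconnect reasons, deauth count, seconds from
    each disconnect to the next connect, and DHCP leases handed out."""
    per_mac: dict[str, dict] = defaultdict(lambda: {
        "disconnects": Counter(), "deauths": 0, "reconnect_secs": [], "ips": set()})
    pending: dict[str, datetime] = {}          # MAC -> time of its last disconnect
    for line in log_text.splitlines():
        ev = parse_line(line)
        if ev is None:                         # reboot lines, deassigned leases, etc.
            continue
        stats = per_mac[ev["mac"]]
        if ev["kind"] == "disconnect":
            stats["disconnects"][ev["reason"]] += 1
            pending[ev["mac"]] = ev["ts"]
        elif ev["kind"] == "deauth":
            stats["deauths"] += 1
        elif ev["kind"] == "connect" and ev["mac"] in pending:
            gap = ev["ts"] - pending.pop(ev["mac"])
            if gap < timedelta(0):             # no date in the log: handle midnight wrap
                gap += timedelta(days=1)
            stats["reconnect_secs"].append(int(gap.total_seconds()))
        elif ev["kind"] == "lease":
            stats["ips"].add(ev["ip"])
    return dict(per_mac)


def report(log_text: str) -> list[str]:
    """One line per client, to see at a glance which reasons dominate."""
    lines = []
    for mac, s in sorted(summarise(log_text).items()):
        reasons = ", ".join(f"{r} x{n}" for r, n in s["disconnects"].most_common())
        lines.append(f"{mac}: {sum(s['disconnects'].values())} disconnects ({reasons}); "
                     f"{s['deauths']} deauths; reconnect after {s['reconnect_secs']} s; "
                     f"leases {sorted(s['ips'])}")
    return lines


if __name__ == "__main__":
    print("\n".join(report(SAMPLE_LOG)))
```

Feed it a longer capture from /log print to see whether one client's reconnect delays and deauth bursts stand out from the others on the same wlan.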
smee again wrote: »Move your ssh rules 7-13 up the list to no 1, no 6 should be your very last rule, it's the explicit drop everything else rule
Ok thanks, so like this?

[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 2   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
 6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
 7   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22
 8   ;;; default configuration
     chain=input action=accept connection-state=established
 9   ;;; default configuration
     chain=input action=accept connection-state=related
10   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
11   ;;; default configuration
     chain=forward action=accept connection-state=established
12   ;;; default configuration
     chain=forward action=accept connection-state=related
13   ;;; default configuration
     chain=forward action=drop connection-state=invali
Also when I rebooted the router I noticed this in the logs:
jan/02/1970 00:00:09 system,info router rebooted
jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: initializing...
jan/02/1970 00:00:15 pppoe,ppp,info eircom-pppoe-out1: dialing...
jan/02/1970 00:00:17 interface,info ether3-slave-local link up (speed 1000M, full duplex)
jan/02/1970 00:00:18 interface,info ether1-gateway link up (speed 1000M, full duplex)
jan/02/1970 00:00:18 interface,info ether2-master-local link up (speed 10M, half duplex)
jan/02/1970 00:00:18 interface,info ether4-slave-local link up (speed 1000M, full duplex
Is half duplex correct?
And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:
Although if you are using PPPoE, rule 10 is wrong; it should be set to drop invalid connections to the PPPoE interface.
smee again wrote: »Although if you are using PPPoE rule 10 is wrong, it should be set to drop invalid connections to the PPPoE interface
Updated, thanks again.

[admin@MikroTik] /ip firewall> filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; list IP's who try remote login
     chain=input action=add-src-to-address-list protocol=tcp address-list=trying_to_login address-list-timeout=1d dst-port=20-23
 2   ;;; drop ssh brute forcers
     chain=input action=drop protocol=tcp src-address-list=ssh_blacklist dst-port=22
 3   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage3 address-list=ssh_blacklist address-list-timeout=1w3d dst-port=22
 4   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage2 address-list=ssh_stage3 address-list-timeout=0s dst-port=22
 5   chain=input action=add-src-to-address-list connection-state=new protocol=tcp src-address-list=ssh_stage1 address-list=ssh_stage2 address-list-timeout=1m dst-port=22
 6   chain=input action=add-src-to-address-list connection-state=new protocol=tcp address-list=ssh_stage1 address-list-timeout=1m dst-port=22
 7   ;;; allow ssh
     chain=input action=accept protocol=tcp dst-port=22
 8   ;;; default configuration
     chain=input action=accept connection-state=established
 9   ;;; default configuration
     chain=input action=accept connection-state=related
10   ;;; default configuration
     chain=input action=drop in-interface=eircom-pppoe-out1
11   ;;; default configuration
     chain=forward action=accept connection-state=established
12   ;;; default configuration
     chain=forward action=accept connection-state=related
13   ;;; default configuration
     chain=forward action=drop connection-state=invalid
Yes, but it usually negotiates with what you have connected to it, it may not go into full duplex until whatever it's connected to is turned on. Either that or the device it's connected to is forcing half duplex. Double check with "interface ethernet monitor 2"

And is there a way to have the clock use the correct time after a reboot and not have to be manually set. :mad:

Yes, set NTP (network time protocol)

/system ntp client
set enabled=yes mode=unicast primary-ntp=134.226.81.3
Morning all.
Anyone have any experience running MikroTik RouterOS on non-RouterBoard hardware? I have an older Intel Core 2 Quad machine with 3Gb of RAM and 2 dual GigE Intel cards... I am thinking of replacing my RB1100 with this machine, since it's got a lot more power, and given I already have 470Mbit/s into the house, the more processor power, the better, right? The RB1100 is a lot slower (1GHz PPC proc), has less memory (currently 1Gb, which I upgraded) and less storage (32Gb MicroSD, vs the 250Gb HDD in the Intel box).
Am I mad?
Thanks.
We have a couple of x86 machines running RouterOS to terminate PPPoE sessions.
Works really well once set up which can be a bit of a headache.
We have it installed on a removable USB.
Check out this page for a list of compatible hardware.
Thanks man... I managed to install 6.5 on the machine and it found the Intel cards... It seems to be running ok but no production data going through it yet... will run some tests on it over the next few days..
You mentioned that you have it on a removable USB key... MikroTik say the license is linked to the drive... If you take that drive out and stick it in a different box, does it work? Do you have a backup of that disk, just in case?
Thanks.
smee again wrote: »Here is a full export of my firewall filters, there are some very important drop invalid, allow established connections and accept lan rules in there
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add chain=input comment="allow api" dst-port=8728 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow established connections" connection-state=established
add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
add action=drop chain=input comment="drop everything else"
I have updated my router to include some more of your firewall entries, see below. I have highlighted above entries I have not included and I have highlighted below in my config entries I have that you don't, which I am sure is fine.
I was unsure if the PPPoE entry was correct having a drop action?
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related
add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
The next two are to allow VPN on port 1723, VPN uses TCP and the Gre protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
add chain=input comment="accept lan" in-interface=!ether1-gateway src-address=192.168.80.0/24
add action=drop chain=input comment="drop everything else"
The second and last rule is just a drop everything else rule that catches everything not covered in the rules above. It needs to be the last rule. It may not be even necessary as a firewall will naturally drop any packets not covered by the rules but adding it will give statistics of what's dropped.
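The staged ssh address-list rules in smee's export above (drop blacklisted sources, then the stage3 -> blacklist down to new -> stage1 escalation, then allow ssh) and his advice earlier in the thread that the explicit drop must come last, worked through as a small Python model. This is an added example, not RouterOS or smee's code; it assumes add-src-to-address-list is a passthrough action (the packet carries on to the next rule, which is how RouterOS treats it), that list entries expire after their timeout with 0s meaning permanent, that a packet reaching the end of a chain is accepted (RouterOS has no implicit drop), and the source addresses are constructed.

```python
"""Toy model of the staged ssh brute-force rules quoted in this thread.
Added example, not RouterOS or smee's code. Assumes add-src-to-address-list
is passthrough (as in RouterOS), list entries expire after their timeout
(0s = permanent) and a packet reaching the end of a chain is accepted."""
from __future__ import annotations
from dataclasses import dataclass

PERMANENT = 0                  # address-list-timeout=0s
MINUTE, DAY = 60, 86_400

@dataclass
class Packet:
    src: str                   # constructed source address
    dst_port: int
    state: str = "new"         # connection-state: new / established / related

@dataclass
class Rule:
    action: str                # accept / drop / add-src-to-address-list
    comment: str = ""
    ports: range | None = None         # dst-port match; range(22, 23) is port 22
    state: str | None = None           # connection-state match
    src_list: str | None = None        # src-address-list match
    address_list: str | None = None    # list to add to (add-src-to-address-list)
    timeout: int = PERMANENT           # address-list-timeout in seconds

class AddressLists:
    """name -> {ip: absolute expiry in seconds}; inf for permanent entries."""
    def __init__(self) -> None:
        self.lists: dict[str, dict[str, float]] = {}

    def contains(self, name: str, ip: str, now: float) -> bool:
        return self.lists.get(name, {}).get(ip, 0.0) > now   # expired counts as absent

    def add(self, name: str, ip: str, now: float, timeout: int) -> None:
        expiry = float("inf") if timeout == PERMANENT else now + timeout
        self.lists.setdefault(name, {})[ip] = expiry          # re-adding refreshes it

def matches(rule: Rule, pkt: Packet, lists: AddressLists, now: float) -> bool:
    return ((rule.ports is None or pkt.dst_port in rule.ports)
            and (rule.state is None or pkt.state == rule.state)
            and (rule.src_list is None or lists.contains(rule.src_list, pkt.src, now)))

def run_chain(rules: list[Rule], pkt: Packet, lists: AddressLists, now: float):
    """Walk the chain top to bottom; return (verdict, comment of the deciding rule)."""
    for rule in rules:
        if not matches(rule, pkt, lists, now):
            continue
        if rule.action == "add-src-to-address-list":
            lists.add(rule.address_list, pkt.src, now, rule.timeout)
            continue               # passthrough: the packet keeps going down the chain
        return rule.action, rule.comment
    return "accept", "end of chain"   # no final drop rule: the packet is accepted

def ssh_rules() -> list[Rule]:
    """smee's ssh rules in his order: blacklist drop, then the escalation checked
    from stage3 downwards (so one packet climbs exactly one stage), then allow ssh."""
    ssh = range(22, 23)
    return [
        Rule("drop", "drop ssh brute forcers", ssh, src_list="ssh_blacklist"),
        Rule("add-src-to-address-list", "stage3 -> blacklist", ssh, "new",
             "ssh_stage3", "ssh_blacklist", 10 * DAY),                    # 1w3d
        Rule("add-src-to-address-list", "stage2 -> stage3", ssh, "new",
             "ssh_stage2", "ssh_stage3", PERMANENT),
        Rule("add-src-to-address-list", "stage1 -> stage2", ssh, "new",
             "ssh_stage1", "ssh_stage2", MINUTE),
        Rule("add-src-to-address-list", "new -> stage1", ssh, "new",
             None, "ssh_stage1", MINUTE),
        Rule("accept", "allow ssh", ssh),
    ]

def input_chain(ssh_first: bool = True) -> list[Rule]:
    """ssh rules, then established/related, then the explicit final drop. With
    ssh_first=False the drop sits above the ssh rules and nothing below it is reached."""
    tail = [Rule("accept", "allow established connections", state="established"),
            Rule("accept", "allow related connections", state="related"),
            Rule("drop", "drop everything else")]
    return ssh_rules() + tail if ssh_first else tail + ssh_rules()

def ssh_attempts(times: list[float], src: str = "203.0.113.5", chain=None):
    """Replay one new ssh connection from src at each time (seconds); return the
    per-attempt verdicts and the resulting address lists."""
    rules = input_chain() if chain is None else chain
    lists = AddressLists()
    verdicts = [run_chain(rules, Packet(src, 22), lists, t)[0] for t in times]
    return verdicts, lists

if __name__ == "__main__":
    burst, lists = ssh_attempts([0, 10, 20, 30, 40])
    print("five attempts within a minute:", burst)       # 4 accepted, 5th dropped
    print("blacklisted:", lists.contains("ssh_blacklist", "203.0.113.5", 40))
    print("one attempt every 90 s:", ssh_attempts([0, 90, 180, 270, 360])[0])
    print("final drop placed first:", ssh_attempts([0], chain=input_chain(False))[0])
```

Note that the fourth connection in a burst is still accepted (the blacklist entry is created on that packet, after the drop rule has already been passed), and that attempts spaced wider than the 1m stage timeouts never escalate at all.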
Yes it will work in a different box.
One of the reasons we installed it on a USB is for just this - makes it easily transferable.
Also, if the key fails, it's easier to send to MikroTik to save the license than sending a hard drive.
We take backups of the config nightly in case anything happens.
If the proverbial hits the fan we can drop the config onto another USB or even an 1100.
Cool... just wondering though: if you take an image of the USB contents, like with dd on Linux, can transferring the contents over work? I was planning on backing up the config nightly anyway, but to have a backup of the OS would be handy too... Will look into getting the machine to boot from USB key... think it's possible, might even have some internal ports... also handy to know about future upgrades... just bring the key and license and you're golden!
Thanks!
So, I have done some tests... not scientific, I may add, but tests nonetheless... Downloading through a server I have access to in France, I was getting somewhere like 180MBit/s on the RB1100... with the Core 2 Quad (a 6600 I think), I am managing to get 220MBit/s... I have 2 200Mb lines and a 70Mb line, but it seems that only one of the 200Mb lines is being used (have a setting incorrectly set...). Anyway, that's a big difference compared to the RB1100...
Don't get me wrong, the 1100 is an epic router, but if you have that amount of bandwidth, a high end desktop/server machine may be better... more tests to be completed over the weekend...
I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?
Is it just the regular 1100's you have?
You could try an 1100AHx2, or maybe a Cloud Core Router.
We swapped out one or two of our core routers (1100AH) with CCR's and noticed a huge difference.
CPU usage went from 70-80% down to less than 5%!
The CCR is an absolute beast of a router for the price!
smee again wrote: »add action=drop chain=input comment="drop ftp" disabled=yes dst-port=21 protocol=tcp
add chain=input comment="accept vpn" dst-port=1723 in-interface=ether1-gateway protocol=tcp
add chain=input in-interface=ether1-gateway protocol=gre
The next two are to allow VPN on port 1723, VPN uses TCP and the Gre protocol http://en.wikipedia.org/wiki/Generic_Routing_Encapsulation
So the block FTP rule is just there in case you want to completely block FTP, so you enable it then right?
Also, I use VPN for work at home, which seems to have been working ok, but I just had a read of the documentation again and seen this:
The following ports must be open on your ISP, router and firewall to create a successful VPN connection.
Work with your ISP (internet service provider) to verify and ensure the ports below are open:
Packet filters for Point-to-Point Tunneling Protocol (PPTP)
- TCP destination port of 1723 = PPTP tunnel maintenance traffic
- IP Protocol ID of 47 = PPTP tunneled data
- UDP destination port of 500 = Internet Key Exchange (IKE) traffic
- UDP destination port of 1701 = allows L2TP traffic
- UDP destination port of 4500 = IPSec network address translator traversal (NAT-T) traffic
What entries should I add as a result to the firewall as I am using PPPoE? Same as what you have above or?
The FTP rule is there because i once had it blocked, but not now.
The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.
I think you do not fully understand how a firewall works, it is only concerned with filtering packets coming into the router on the wan interface (in your case a PPPoE interface). Any connections which originate on the router or inside the lan will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat), therefore you do not need to add rules for outgoing, only incoming.
VenomIreland wrote: »I said I would be getting this a long time ago, but only finally getting around to it, where's the best place to order from, that will have it to me some time next week?
Anyone? I see IrishWireless are out of stock atm.
VenomIreland wrote: »Anyone? I see IrishWireless are out of stock atm.
http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html
Standard shipping is usually 4-5 days, you can pay more and get it quicker
smee again wrote: »http://www.interprojekt.com.pl/mikrotik-routerboard-rb951g2hnd-level-128mb-p-1370.html
Standard shipping is usually 4-5days, you can pay more and get it quicker
Thanks man, gonna place the order now.
smee again wrote: »The FTP rule is there because i once had it blocked, but not now.
The VPN rules are there as I use the router as a VPN server for secure banking through my home connection when out and about on my phone/laptop.
I think you do not fully understand how a firewall works, it is only concerned with filtering packets coming into the router on the wan interface (in your case a PPPoE interface). Any connections which originate on the router or inside the lan will be translated to your public IP and remembered for their return (NAT, the PPPoE masquerade rule you have as your first rule in ip firewall nat), therefore you do not need to add rules for outgoing, only incoming.
Thanks, yes I am not a network guy so my understanding is limited.
When I had set my rules this way:
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related
Wireless stopped working... so I had to move the input rules for established and related connections up like this, then it started working again.
/ip firewall filter
add chain=input comment="allow icmp" protocol=icmp
add chain=input comment="allow winbox" dst-port=8291 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_rdp address-list-timeout=1d chain=input comment="list IP's who try rdp" dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=trying_to_login address-list-timeout=1d chain=input comment="list IP's who try remote login" dst-port=20-23 protocol=tcp
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add chain=input comment="allow ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop invalid connections" connection-state=invalid
add chain=input comment="allow already established connections" connection-state=established
add chain=input comment=" allow related connections " connection-state=related
add action=drop chain=input comment="default configuration" in-interface=eircom-pppoe-out1
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid
add chain=forward comment="allow already established connections" connection-state=established
add chain=forward comment="allow related connections" connection-state=related
Thanks, yes I am not a network guy so my understanding is limited.
When I had set my rules this way:
Wireless stopped working... so I had to move the input rules for established and related connections up like this, then it started working again.
I suggest you leave it alone unless you know what you're doing. You only need the 3 or 4 that came in the default config, changed to suit your PPPoE interface. All the rest are just bells and whistles; the firewall will always drop packets it's not sure of.
/ip firewall filter
add chain=input action=accept protocol=icmp comment="default configuration"
add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
Hi,
I just got the RB2011UAS-2HnD and I really, really like the great tips and tricks given here!
However, I have a few problems:
1. I can't get Hairpin NAT to work
2. I can't get port 8080 to forward to my server (other ports work, just 8080 does not)
NAT output:
[admin@MikroTik] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
 0 X ;;; default configuration
     chain=srcnat action=masquerade out-interface=sfp1-gateway
 1   ;;; default configuration
     chain=srcnat action=masquerade to-addresses=0.0.0.0 out-interface=ether1-gateway
 2   ;;; Hairpin NAT rule
     chain=srcnat action=masquerade src-address=192.168.1.0/24 dst-address=192.168.1.250
 3   ;;; SERV: FTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=20-21 protocol=tcp in-interface=ether1-gateway dst-port=20-21
 4   ;;; SERV: HTTP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=80 protocol=tcp in-interface=ether1-gateway dst-port=80
 5   ;;; SERV: DNS
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=53 protocol=tcp in-interface=ether1-gateway dst-port=53
 6   ;;; SERV: HTTPS
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=443 protocol=tcp in-interface=ether1-gateway dst-port=443
 7   ;;; SERV: MySQL
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3306 protocol=tcp in-interface=ether1-gateway dst-port=3306
 8   ;;; SERV: RDP
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=3389 protocol=tcp in-interface=ether1-gateway dst-port=3389
 9   ;;; SERV: McMyAdmin 'main'
     chain=dstnat action=dst-nat to-addresses=192.168.1.250 to-ports=8080 protocol=tcp in-interface=ether1-gateway dst-port=8080
Firewall Filter rules:
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
 0   ;;; default configuration
     chain=input action=accept protocol=icmp
 1   ;;; default configuration
     chain=input action=accept connection-state=established
 2   ;;; default configuration
     chain=input action=accept connection-state=related
 3   chain=input action=accept protocol=tcp in-interface=ether1-gateway dst-port=3333
 4   ;;; default configuration
     chain=input action=drop in-interface=sfp1-gateway
 5   ;;; default configuration
     chain=input action=drop in-interface=ether1-gateway
 6   ;;; default configuration
     chain=forward action=accept connection-state=established
 7   ;;; default configuration
     chain=forward action=accept connection-state=related
 8   ;;; default configuration
     chain=forward action=drop connection-state=invalid
Router IP: 192.168.1.1
Server IP: 192.168.1.250
Any other tips are appreciated!
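Added example, not posted by anyone in this thread and not RouterOS code: a small Python first-match simulator for the two configs above. It covers the input-chain reorder from the earlier post (established/related accepts moved above the PPPoE drop) and the port-80 dst-nat rule from the hairpin NAT post. Only the matchers actually used on the page are modelled; a chain is walked top to bottom and the first rule whose matchers all hit decides, which is how /ip firewall filter and /ip firewall nat behave. The public address 203.0.113.10, the LAN interface name bridge-local, the sample packets and the dst-address form of the dst-nat rule are all constructed assumptions for the demonstration.

```python
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network


@dataclass
class Rule:
    chain: str
    action: str = "accept"          # accept / drop / dst-nat / masquerade
    comment: str = ""
    match: dict = field(default_factory=dict)


@dataclass
class Packet:
    chain: str
    in_interface: str
    src: str
    dst: str
    protocol: str = "tcp"
    dst_port: int = 0
    connection_state: str = "new"


def _port_in(spec, port):
    """RouterOS-style port matcher: a single port "22" or a range "20-23"."""
    lo, _, hi = spec.partition("-")
    return int(lo) <= port <= int(hi or lo)


def rule_matches(rule, pkt):
    """True when every matcher present on the rule agrees with the packet."""
    if rule.chain != pkt.chain:
        return False
    m = rule.match
    checks = (
        ("protocol", lambda v: v == pkt.protocol),
        ("dst-port", lambda v: _port_in(v, pkt.dst_port)),
        ("connection-state", lambda v: v == pkt.connection_state),
        ("in-interface", lambda v: v == pkt.in_interface),
        ("src-address", lambda v: ip_address(pkt.src) in ip_network(v)),
        ("dst-address", lambda v: ip_address(pkt.dst) in ip_network(v)),
    )
    return all(test(m[key]) for key, test in checks if key in m)


def evaluate(rules, pkt, default="accept"):
    """First match wins; an unmatched filter chain accepts, an unmatched NAT chain does nothing."""
    for r in rules:
        if rule_matches(r, pkt):
            return r.action, r.comment
    return default, "end of chain"


# --- 1. input chain from the earlier post, before and after the reorder ---
ALLOW_SSH = Rule("input", "accept", "allow ssh", {"protocol": "tcp", "dst-port": "22"})
DROP_WAN = Rule("input", "drop", "default configuration", {"in-interface": "eircom-pppoe-out1"})
DROP_INVALID = Rule("input", "drop", "drop invalid", {"connection-state": "invalid"})
ACCEPT_EST = Rule("input", "accept", "allow established", {"connection-state": "established"})
ACCEPT_REL = Rule("input", "accept", "allow related", {"connection-state": "related"})

INPUT_ORIGINAL = [ALLOW_SSH, DROP_WAN, DROP_INVALID, ACCEPT_EST, ACCEPT_REL]   # order first posted
INPUT_REORDERED = [ALLOW_SSH, DROP_INVALID, ACCEPT_EST, ACCEPT_REL, DROP_WAN]  # order after the move

# Constructed packet: the reply half of a connection the router itself opened over PPPoE
# (a DNS answer, say), so it arrives on the WAN side already in state established.
WAN_REPLY = Packet("input", "eircom-pppoe-out1", "198.51.100.1", "203.0.113.10",
                   protocol="udp", dst_port=33000, connection_state="established")
# Constructed packet: an unsolicited SYN from the internet to the router's Winbox port.
WAN_NEW = Packet("input", "eircom-pppoe-out1", "198.51.100.9", "203.0.113.10", dst_port=8291)

# --- 2. the port-80 dst-nat rule from the hairpin NAT post ---
PUBLIC_IP = "203.0.113.10"   # constructed placeholder for the WAN address
LAN_IF = "bridge-local"      # assumed name of the LAN-side interface
DSTNAT_BY_IFACE = [Rule("dstnat", "dst-nat", "SERV: HTTP",
                        {"protocol": "tcp", "dst-port": "80", "in-interface": "ether1-gateway"})]
# Assumed alternative: the same rule keyed on the public address instead of the arrival
# interface, which is the usual hairpin form because LAN clients never arrive on ether1-gateway.
DSTNAT_BY_ADDR = [Rule("dstnat", "dst-nat", "SERV: HTTP",
                       {"protocol": "tcp", "dst-port": "80", "dst-address": PUBLIC_IP})]
HAIRPIN_SRCNAT = [Rule("srcnat", "masquerade", "Hairpin NAT rule",
                       {"src-address": "192.168.1.0/24", "dst-address": "192.168.1.250"})]

FROM_WAN = Packet("dstnat", "ether1-gateway", "198.51.100.7", PUBLIC_IP, dst_port=80)
FROM_LAN = Packet("dstnat", LAN_IF, "192.168.1.20", PUBLIC_IP, dst_port=80)
# The LAN packet as it looks in srcnat once dst-nat has rewritten the destination.
LAN_AFTER_DSTNAT = Packet("srcnat", LAN_IF, "192.168.1.20", "192.168.1.250", dst_port=80)

if __name__ == "__main__":
    print("original order, WAN reply :", evaluate(INPUT_ORIGINAL, WAN_REPLY))
    print("reordered,      WAN reply :", evaluate(INPUT_REORDERED, WAN_REPLY))
    print("reordered,      WAN new   :", evaluate(INPUT_REORDERED, WAN_NEW))
    print("dst-nat by iface, from LAN:", evaluate(DSTNAT_BY_IFACE, FROM_LAN, default="no-nat"))
    print("dst-nat by addr,  from LAN:", evaluate(DSTNAT_BY_ADDR, FROM_LAN, default="no-nat"))
    print("hairpin srcnat after dnat :", evaluate(HAIRPIN_SRCNAT, LAN_AFTER_DSTNAT, default="no-nat"))
```

Running it shows the two points the posts turn on: with the first ordering, a packet that is already established but arrives on eircom-pppoe-out1 hits the interface drop before the established accept, while after the reorder it is accepted and only new WAN connections reach the drop; and a dst-nat rule qualified by in-interface=ether1-gateway cannot match a LAN client talking to the public address, so the srcnat hairpin rule that is already in the config never gets a rewritten destination to act on unless the dst-nat matcher is changed to one the LAN packet satisfies.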