mrzeke
11 posts
Geek

#1281103 11-Apr-2015 14:59

nitrotech: And just to tidy up you might want to remove the DHCP client from ether1 (if there's one on there)

This one? So how is DHCP working without this? Sorry, I'm sure this is an idiot question...

mrzeke
11 posts
Geek

#1281107 11-Apr-2015 15:10

nitrotech: change 3rd rule to drop on PPPoE interface - then click the NAT tab and change the masquerade to the PPPoE interface, then you should be sweet

Again, thanks for all your help today. Next step: I am going to set up an access point that plugs into this MikroTik. I am going to use a device running DD-WRT. I'm not going to ask you for a step by step like you have provided me here, but can you give me a couple of tips? E.g. I'm assuming the MikroTik will do all the DHCP and the AP will just get that information from the MikroTik. Any basic things you can advise me to do?

Again, thanks a lot. Have a great rest of your weekend!

zeke

nitrotech
1285 posts
Uber Geek

#1281139 11-Apr-2015 16:10

mrzeke:
nitrotech: And just to tidy up you might want to remove the DHCP client from ether1 (if there's one on there)

This one? So how is DHCP working without this? Sorry, I'm sure this is an idiot question...


Yep, that's the one to delete - Telecom uses PPPoE, not DHCP, so this is unnecessary.

This is not to be confused with the DHCP server, which dishes out addresses for your local network.



nitrotech
1285 posts
Uber Geek

#1281144 11-Apr-2015 16:12

mrzeke:
nitrotech: change 3rd rule to drop on PPPoE interface - then click the NAT tab and change the masquerade to the PPPoE interface, then you should be sweet

Again, thanks for all your help today. Next step: I am going to set up an access point that plugs into this MikroTik. I am going to use a device running DD-WRT. I'm not going to ask you for a step by step like you have provided me here, but can you give me a couple of tips? E.g. I'm assuming the MikroTik will do all the DHCP and the AP will just get that information from the MikroTik. Any basic things you can advise me to do?

Again, thanks a lot. Have a great rest of your weekend!

zeke


Just give the AP a static IP on the same subnet as your internal network, e.g. 192.168.88.100, and then disable DHCP (as a minimum) on the AP (don't disable it on the MikroTik). Oh, and plug into a LAN port on the AP, not the WAN port - very important.

MadEngineer
4271 posts
Uber Geek

#1281275 11-Apr-2015 23:16

Lock it down before you get pwned.

There are many firewall styles; the best is to only allow new forwards (through traffic) generated by internal devices (amongst a dozen other required firewall filters). Google for MikroTik firewalling and copy one that includes that.

A basic firewall operates in the manner of: accept stuff you know about and absolutely drop everything else.

Here's a question to make you think: how are devices on your network getting DNS? Are you telling them all to get DNS from the MikroTik? For that to work you'd need to enable remote DNS requests... are you only accepting DNS from your internal devices?




You're not on Atlantis anymore, Duncan Idaho.

nitrotech
1285 posts
Uber Geek

#1281276 11-Apr-2015 23:30

MadEngineer: Lock it down before you get pwned.

There are many firewall styles; the best is to only allow new forwards (through traffic) generated by internal devices (amongst a dozen other required firewall filters). Google for MikroTik firewalling and copy one that includes that.

A basic firewall operates in the manner of: accept stuff you know about and absolutely drop everything else.

Here's a question to make you think: how are devices on your network getting DNS? Are you telling them all to get DNS from the MikroTik? For that to work you'd need to enable remote DNS requests... are you only accepting DNS from your internal devices?


Sorry, but I have to disagree with what you're saying re remote DNS requests - as long as the AP is tied into the local network as described above, it will be treated the same as any other device on the local network.

I also don't understand what you are saying re the firewall - there's already a drop-all, and unless I've missed something the OP isn't planning on opening ports.

There are always extra things you can do to protect yourself from hackers - the most important is to change the default password (and username, for extra protection).

MadEngineer
4271 posts
Uber Geek

#1281279 11-Apr-2015 23:40

I'm not following your answer, I think. It's not just a local network device; it has a worldly IP, as he is using it as a router and not just an AP.

If all input from the outside is disabled then the router itself cannot receive DNS request replies.




You're not on Atlantis anymore, Duncan Idaho.
michaelmurfy
13240 posts
Uber Geek
Moderator

#1281280 11-Apr-2015 23:42

I've got basic firewalling in my post. Make sure you do it.




Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


MadEngineer
4271 posts
Uber Geek

#1281301 12-Apr-2015 00:23

Here's a trimmed version of mine; a basic run-through, if the comments are not enough:

drop all invalid. First, to save invalid traffic hitting further rules.
drop void addresses. This is a list of addresses that simply should not be generating traffic, including non-routed IP ranges that I'm not using locally.
accept local input. Two things here: not just blindly accepting local traffic, but only local traffic from known addresses.
accept traffic from PPP (VPN). If someone can correctly log in over VPN, I trust them, so long as, again, they are known.
accept established. If you can successfully connect, there's no point sending you through all the firewall rules again.
accept VPN connections. Self-explanatory.
accept limited pings. MikroTik makes it easy to limit the number of pings.
drop any other connections to the MikroTik.
accept new forwards from local interfaces on local addresses.
allow related forwards. Classically, FTP and other protocols.
accept Orcon. Esp. VoIP.
accept some port forwards. Because of all the above, even if a port is opened in NAT through UPnP the traffic is blocked. These ports are for an internal service.
drop other forwards.


NOT listed are a couple of effective fail2bans. Confucius say: if you make a mistake x times, you're an idiot and can piss off for a while!



/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop Void" src-address-list=void
add chain=input comment="Accept Trusted" in-interface=Lan src-address-list=\
    our-nets
add chain=input comment="Accept Trusted" in-interface=all-ppp \
    src-address-list=our-nets
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="IPSec, ISAKMP, L2TP" dst-port=4500,500,1701 \
    protocol=udp
add chain=input comment="Accept limited ICMP" limit=50/5s,5 protocol=icmp
add action=drop chain=input comment="Drop Other Input"
add chain=forward comment="Accept local new forward" connection-state=new \
    src-address-list=our-nets
add chain=forward comment="Accept related" connection-state=related
add chain=forward comment="Accept established" connection-state=established
add chain=forward comment="Accept Orcon (SIP)" src-address-list=orcon
add chain=forward comment="Accept port forward" dst-port=7940 protocol=tcp
add chain=forward comment="Accept port forward" dst-port=7940 protocol=udp
add action=drop chain=forward comment="Drop other forward" log-prefix=\
    DropOtherFwd




You're not on Atlantis anymore, Duncan Idaho.

mrzeke
11 posts
Geek

#1281302 12-Apr-2015 00:26

MadEngineer: Here's a trimmed version of mine; a basic run-through, if the comments are not enough:
[...]

Thanks for your help.

Do I do this via the command line? How do I do this? Do you have the same model router?
Thank you very much.



MadEngineer
4271 posts
Uber Geek

#1281303 12-Apr-2015 00:46

Those firewall rules will apply to any MikroTik device.

I should have added a word of warning: if you blindly paste all that into the console you'll find yourself unable to log back into it again. To prevent this you'll need to name the internal bridge interface "Lan" and add your devices or internal network(s) to an address list named "our-nets" (or whatever you desire, with the rules changed to match). E.g.: /ip firewall address-list add address=192.168.68.0/24 list=our-nets

It's based on this, IIRC: http://wiki.mikrotik.com/wiki/Basic_universal_firewall_script

Be sure to read the notes on that page also. I suggest maximising the Winbox window and watching the firewall rules populate as you enter the rules into the console, one by one. Read up on the safe-mode function and back up your progress with different versions as you go.

The console commands are very easy to learn or translate between mouse clicks in Winbox or the web interface.




You're not on Atlantis anymore, Duncan Idaho.

nitrotech
1285 posts
Uber Geek

#1281316 12-Apr-2015 09:03

We set up a basic firewall back in posts 13 and 14; however, a more advanced firewall script is being suggested. Whether it is necessary in your situation, you will need to be the judge.

I would suggest removing all existing firewall rules before setting up the new ones, and also remember that firewall rules are processed in order.

You will need to have the address lists correct before you start putting in these rules (the above says the .68 subnet, however the MikroTik standard is .88, so just be sure first) and question whether you really need to accept certain traffic through the firewall.

I will hang up the support line now and leave you in the capable hands of MadEngineer, and once again wish you all the best with your MikroTik.
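Added example, not code from any post in this thread: a small Python simulator that takes MadEngineer's rules exactly as posted (including the backslash continuation lines the RouterOS export format produces), adds the address lists he says must exist before pasting, and walks constructed packets through the input and forward chains in the order RouterOS evaluates them. It is meant to be run before touching a live router, to see what "accept what you know, drop everything else" does to the DNS question raised above and to traffic arriving with a forged LAN source. The LAN subnet (192.168.88.0/24), the interface names `Lan`, `pppoe-out1` and `l2tp-in1`, the contents of the `void` and `orcon` lists, every test address, and the constructed set standing in for RouterOS's `all-ppp` keyword are assumptions, not anything the thread states; only the matchers the posted rules actually use are modelled.

```python
"""Walk constructed packets through the /ip firewall filter rules posted above, in RouterOS
order (the first matching rule in a chain decides).  Added example, not the thread's code:
only the matchers those rules use are modelled and limit= counts as "not yet exceeded"."""
import ipaddress
import shlex
from dataclasses import dataclass

# Assumed topology (not from the thread): bridge "Lan" = 192.168.88.0/24, uplink "pppoe-out1",
# VPN "l2tp-in1".  Check on the router what all-ppp really covers; this set omits the uplink.
PPP_INTERFACES = {"l2tp-in1"}

# The /ip firewall address-list prerequisites (assumed contents).  void must not overlap
# our-nets, because "Drop Void" sits above "Accept Trusted" in the input chain.
ADDRESS_LISTS = {
    "our-nets": ["192.168.88.0/24"],
    "void": ["10.0.0.0/8", "172.16.0.0/12", "127.0.0.0/8"],
    "orcon": ["203.0.113.0/24"],  # placeholder for the provider's SIP range
}
# The rules exactly as posted, in RouterOS export syntax with its "\" continuations.
FILTER_RULES = r"""
/ip firewall filter
add action=drop chain=input comment="Drop Invalid" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid" connection-state=invalid
add action=drop chain=input comment="Drop Void" src-address-list=void
add chain=input comment="Accept Trusted" in-interface=Lan src-address-list=\
    our-nets
add chain=input comment="Accept Trusted" in-interface=all-ppp \
    src-address-list=our-nets
add chain=input comment="Accept Established" connection-state=established
add chain=input comment="IPSec, ISAKMP, L2TP" dst-port=4500,500,1701 \
    protocol=udp
add chain=input comment="Accept limited ICMP" limit=50/5s,5 protocol=icmp
add action=drop chain=input comment="Drop Other Input"
add chain=forward comment="Accept local new forward" connection-state=new \
    src-address-list=our-nets
add chain=forward comment="Accept related" connection-state=related
add chain=forward comment="Accept established" connection-state=established
add chain=forward comment="Accept Orcon (SIP)" src-address-list=orcon
add chain=forward comment="Accept port forward" dst-port=7940 protocol=tcp
add chain=forward comment="Accept port forward" dst-port=7940 protocol=udp
add action=drop chain=forward comment="Drop other forward" log-prefix=\
    DropOtherFwd
"""

@dataclass(frozen=True)
class Packet:
    chain: str               # "input" = to the router itself, "forward" = through it
    in_iface: str
    src: str
    proto: str = "udp"
    dst_port: int = 0
    conn_state: str = "new"  # connection tracking's verdict on this packet

def parse_rules(export):
    """Return each 'add ...' line as a key=value dict, joining backslash continuations."""
    rules, buf = [], ""
    for raw in export.splitlines():
        line = raw.strip()
        if line.endswith("\\"):
            buf += line[:-1]
            continue
        line, buf = buf + line, ""
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules

MATCHERS = {  # matcher -> predicate(wanted value, packet, address lists)
    "connection-state": lambda w, p, L: p.conn_state == w,
    "src-address-list": lambda w, p, L: any(
        ipaddress.ip_address(p.src) in ipaddress.ip_network(n) for n in L.get(w, [])),
    "in-interface": lambda w, p, L: p.in_iface in PPP_INTERFACES if w == "all-ppp" else p.in_iface == w,
    "protocol": lambda w, p, L: p.proto == w,
    "dst-port": lambda w, p, L: str(p.dst_port) in w.split(","),
    "limit": lambda w, p, L: True,
}
NOT_MATCHERS = {"chain", "action", "comment", "log", "log-prefix"}  # rule fields, not matchers

def evaluate(rules, lists, pkt):
    """(action, comment) of the first rule matching pkt; RouterOS accepts when none does."""
    for r in rules:
        if r["chain"] == pkt.chain and all(
                MATCHERS[k](v, pkt, lists) for k, v in r.items() if k not in NOT_MATCHERS):
            return r.get("action", "accept"), r.get("comment", "")
    return "accept", "(no rule matched)"

def run_scenarios():
    rules, wan = parse_rules(FILTER_RULES), "198.51.100.7"  # constructed internet host
    scenarios = {
        # the DNS question: LAN client -> router resolver; the same query arriving from
        # the internet; the upstream reply to a query the router itself sent out
        "lan_dns_query": Packet("input", "Lan", "192.168.88.20", "udp", 53),
        "wan_dns_probe": Packet("input", "pppoe-out1", wan, "udp", 53),
        "upstream_dns_reply": Packet("input", "pppoe-out1", "198.51.100.53", "udp", 49152, "established"),
        # an internet source forging a LAN address, aimed at the router, then at a LAN host
        "spoof_input": Packet("input", "pppoe-out1", "192.168.88.50", "udp", 53),
        "spoof_forward": Packet("forward", "pppoe-out1", "192.168.88.50", "tcp", 445),
        "lan_web_out": Packet("forward", "Lan", "192.168.88.20", "tcp", 443),
        "wan_inbound_new": Packet("forward", "pppoe-out1", wan, "tcp", 8080),
        "wan_port_forward": Packet("forward", "pppoe-out1", wan, "tcp", 7940),
        "bogon_ping": Packet("input", "pppoe-out1", "10.1.2.3", "icmp"),
    }
    return {name: evaluate(rules, ADDRESS_LISTS, p) for name, p in scenarios.items()}

if __name__ == "__main__":
    print(*(f"{n:19} {a:6} {why}" for n, (a, why) in run_scenarios().items()), sep="\n")
```

Two things the run makes visible. The router's own resolver keeps working with input locked down, because the upstream reply is `established`, while the same UDP/53 packet arriving unsolicited from the internet hits `Drop Other Input`; turning on `allow-remote-requests` in `/ip dns` only exposes the resolver to whatever the input chain already lets in. And `Accept local new forward` matches on source address alone, so a packet that arrives on the uplink wearing a LAN source is forwarded to the LAN host (whether such a packet can reach a PPPoE session in practice is a separate question, but adding `in-interface=Lan` to that rule costs nothing). The second `Accept Trusted` rule has the same shape: add `pppoe-out1` to `PPP_INTERFACES` and re-run to watch `spoof_input` flip to accept, which is why it is worth confirming on the router exactly which interfaces `all-ppp` covers. Note also that `log-prefix=` on the final drop only produces log lines once `log=yes` is set on that rule.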

chevrolux
4962 posts
Uber Geek

#1281342 12-Apr-2015 10:07

I will just add one thing...
If you want to muck around with the firewall in depth then make use of Safe Mode. It is a magical thing that will stop you getting locked out =)
