Geekzone: technology news, blogs, forums
mattyb

254 posts

Ultimate Geek


#201688 30-Aug-2016 09:23

I'm trying to set up a new Mikrotik RB951G-2HnD router on Spark Fibre. I've followed the guide from @michaelmurfy here (http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=161676) but I think the setup software is slightly newer now so some of the screenshots don't quite line up and I'm not sure where I'm going wrong.

 

I've set up the quick setup screen like so:

[screenshot]

 

Then I've added the VLAN info:

 

[screenshot]

 

Then my interfaces screen doesn't look like the image in the guide, somehow I need to associate the VLAN with ether1-gateway, but there is no ether1-gateway, only ether1 in the VLAN screen???

 

[screenshot]

 

Any help would be much appreciated - many thanks in advance!

 

 

 

 


deadlyllama
1260 posts

Uber Geek

Trusted

  #1619452 30-Aug-2016 09:29

Looks like you haven't told the PPPoE to go over your "Spark UFB" VLAN interface. Go to PPP (left hand sidebar) -> the pppoe interface and set "Interfaces" to "Spark UFB". In my screenshot (Inspire Net UFB) the interface is set to "ether1-gateway" as Inspire Net don't VLAN tag their PPPoE.

 

[screenshot]




michaelmurfy
meow
13240 posts

Uber Geek

Moderator
ID Verified
Trusted
Lifetime subscriber

  #1619540 30-Aug-2016 11:11

You're using the web interface instead of Winbox too. Use Winbox (look on the side near the bottom).





Michael Murphy | https://murfy.nz
Opinions are my own and not the views of my employer.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1619569 30-Aug-2016 11:47

The web interface is terrible and still lacks features. I only ever use Winbox or SSH to configure (there are lots of things that are far quicker from the CLI).

 

 




mattyb

254 posts

Ultimate Geek


  #1619833 30-Aug-2016 19:43

Sweet! Got it working.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1619880 30-Aug-2016 20:20

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

 

 


mattyb

254 posts

Ultimate Geek


  #1619922 30-Aug-2016 21:16

sbiddle:

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.


 



That doesn't sound good. How do I do that?

MadEngineer
4271 posts

Uber Geek

Trusted

  #1619964 30-Aug-2016 22:03

Run a /ip firewall filter export from the console and paste the result here. We'll tell you what to update.





You're not on Atlantis anymore, Duncan Idaho.

 
 
 

mattyb

254 posts

Ultimate Geek


  #1620026 31-Aug-2016 07:27

MadEngineer:

 

Run a /ip firewall filter export from the console and paste the result here.  We'll tell you what to update

 

 

I tried to follow the guide from @michaelmurfy....

 

 

 

[admin@MikroTik] > /ip firewall filter export
# aug/31/2016 07:26:16 by RouterOS 6.36.2
# software id = A8D8-MG7U
#
/ip firewall filter
add action=drop chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
[admin@MikroTik] >

 

 

 

Any use to you?


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1620033 31-Aug-2016 07:52

Do you have an allow for input established/related? And your generic input rule is probably overriding the drop all rule.

 

Did you start from the default config or just create your own rules?

 

 


deadlyllama
1260 posts

Uber Geek

Trusted

  #1620051 31-Aug-2016 08:23

/ip firewall filter add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

 

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.


sbiddle
30853 posts

Uber Geek

Retired Mod
Trusted
Biddle Corp
Lifetime subscriber

  #1620060 31-Aug-2016 08:39

deadlyllama:

 

/ip firewall filter add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

 

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

 

 

There is no need to do this since a DNS lookup via the WAN won't actually work anyway if you have the standard rules in place.

 

Here's my default rules I use for routers - this assumes a public IP on VLAN10 so needs to be changed if you're using PPPoE

 

------------------------------

 

# Note: RouterOS address-list names are case-sensitive. The two "drop from ... blacklist"
# rules originally referenced Port_Scanner and Syn_Flooder while the detector rules
# populate port_scanner and syn_flooder, so the drops would never have matched; the
# names are made consistent below.
add action=accept chain=input comment="allow icmp wan" log-prefix="" protocol=icmp
add action=accept chain=input comment="allow winbox wan" dst-port=8291 log-prefix="" protocol=tcp
add action=accept chain=input comment="allow established,related" connection-state=established,related log-prefix=""
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="port scanner detector & add to port scanner blacklist for 7 days" log-prefix="" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="syn flood detector & add to syn flood blacklist for 30 mins" connection-limit=30,32 log-prefix="" protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="drop from port scan blacklist" log-prefix="" src-address-list=port_scanner
add action=drop chain=input comment="drop from syn flood blacklist" log-prefix="" src-address-list=syn_flooder
add action=drop chain=input comment="drop all from wan" in-interface="VLAN10 - UFB" log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log-prefix=""
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix=""
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="VLAN10 - UFB" log-prefix=""

 

------------------------------

 

This allows ICMP, Winbox access on 8291 (which I normally restrict to an address range) and also detects a port scanner or SYN flood and blocks the address for 7 days for a port scanner or 30 mins for a SYN flood. This includes the new "drop all from wan not DSTNATed" rule, which became a standard rule in RouterOS a few releases ago.

 

This also has fasttrack enabled which for most people will be beneficial, but you really need to understand the limitations of this and what it can break if you're going to use it.

 

 

 

 

 

 

 

 


MadEngineer
4271 posts

Uber Geek

Trusted

  #1620087 31-Aug-2016 09:37

I prefer the new connections method, where new connections can only be accepted from the LAN, with the exception of VPN, limited ICMP, port forwards etc. Also, isn't the order important, i.e. have your local/established forwards/inputs (or most used/highest priority) first to save processing? You can test this by moving filters around while running something against your filters while watching the CPU. Possibly doesn't matter much now with fasttrack as that's always first? Also there's no drop all input and drop all forward at the end...




You're not on Atlantis anymore, Duncan Idaho.

mattyb

254 posts

Ultimate Geek


  #1620166 31-Aug-2016 12:41

Ok, now I'm pretty confused.

 

I think I've deleted all the default config (didn't read the guide correctly) and have added the rules I have now.

 

@sbiddle - would you suggest I add your rules? Would you mind making the changes I should make for Spark UFB and reposting so I can copy them?

 

 


MadEngineer
4271 posts

Uber Geek

Trusted

  #1620168 31-Aug-2016 12:44

Paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import.





You're not on Atlantis anymore, Duncan Idaho.

mattyb

254 posts

Ultimate Geek


  #1620400 31-Aug-2016 19:37

MadEngineer:

 

paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import

 

 

 

 

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
 #     NAME            TYPE        ACTUAL-MTU  L2MTU  MAX-L2MTU
 0  R  ether1          ether             1500   1598       4074
 1  RS ether2-master   ether             1500   1598       4074
 2  RS ether3          ether             1500   1598       4074
 3  S  ether4          ether             1500   1598       4074
 4  S  ether5          ether             1500   1598       4074
 5  RS wlan1           wlan              1500   1600       2290
 6  R  Spark UFB       vlan              1500   1594
 7  R  ;;; defconf
       bridge          bridge            1500   1598
 8  R  pppoe-out1      pppoe-out         1500
[admin@MikroTik] >

 

 

 

That help?
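Two points in the thread are easy to verify offline: sbiddle's observation that a generic "accept input from pppoe-out1" rule placed before the drop rule overrides it (and MadEngineer's point that rule order matters), and the need to swap the WAN interface name in sbiddle's rule set for pppoe-out1. The script below is an added example, not code from any poster. It is a small first-match evaluator for RouterOS "/ip firewall filter export" text and is run against three rule sets: mattyb's export as posted, a constructed input-chain set modelled on sbiddle's (with the "VLAN10 - UFB" interface name and a deliberate case mismatch in the address-list names, so the checks have something to catch), and a copy of that set adapted to pppoe-out1. The packet records, the mismatched names and the adaptation are constructed for the example; only the matchers that appear in the thread are modelled, and the stateful detectors (psd, connection-limit) are treated as never matching a single packet.

```python
"""Constructed example: first-match evaluation of RouterOS filter exports."""
import shlex

# mattyb's export from the thread: the blanket accept (index 1) precedes the drop (index 3).
MATTYB_RULES = """\
/ip firewall filter
add action=drop chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
"""

# Constructed input-chain set modelled on sbiddle's rules (WAN on "VLAN10 - UFB").
# The Port_Scanner / Syn_Flooder spelling is a deliberate case mismatch for the check below.
VLAN_RULES = """\
add action=accept chain=input comment="allow icmp wan" protocol=icmp
add action=accept chain=input comment="allow winbox wan" dst-port=8291 protocol=tcp
add action=accept chain=input comment="allow established,related" connection-state=established,related
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment="drop from port scan blacklist" src-address-list=Port_Scanner
add action=drop chain=input comment="drop from syn flood blacklist" src-address-list=Syn_Flooder
add action=drop chain=input comment="drop all from wan" in-interface="VLAN10 - UFB"
"""

# Adaptation for a PPPoE WAN. Assumption: the PPPoE interface is pppoe-out1, as in mattyb's /interface print.
PPPOE_RULES = (VLAN_RULES.replace('"VLAN10 - UFB"', "pppoe-out1")
               .replace("Port_Scanner", "port_scanner")
               .replace("Syn_Flooder", "syn_flooder"))

TERMINAL = {"accept", "drop", "reject"}      # actions that end traversal of the chain
STATEFUL = {"psd", "connection-limit"}       # need packet history; never match one packet here
IGNORED = {"action", "chain", "comment", "log-prefix", "address-list", "address-list-timeout"}


def parse_rules(export_text):
    """Turn 'add key=value ...' lines into dicts (shlex handles quoted values); other lines are skipped."""
    rules = []
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("add "):
            rules.append(dict(tok.split("=", 1) for tok in shlex.split(line[4:])))
    return rules


def field_matches(rule_value, packet_value):
    """Support '!' negation and comma lists, e.g. '!established' or 'established,related'."""
    negate = rule_value.startswith("!")
    wanted = set(rule_value.lstrip("!").split(","))
    return (packet_value in wanted) != negate


def rule_matches(rule, packet):
    """Every matcher on the rule must hold for the packet; unknown packet fields never match."""
    if rule.get("chain") != packet["chain"]:
        return False
    for key, value in rule.items():
        if key in IGNORED:
            continue
        if key in STATEFUL:
            return False
        if key == "src-address-list":
            if value not in packet.get("src-address-lists", ()):
                return False
        elif not field_matches(value, packet.get(key)):
            return False
    return True


def verdict(rules, packet):
    """First terminating match wins; RouterOS accepts when no rule in the chain matches."""
    for index, rule in enumerate(rules):
        if rule_matches(rule, packet) and rule["action"] in TERMINAL:
            return rule["action"], index
    return "accept", None


def unpopulated_lists(rules):
    """Address lists referenced by a drop rule that no rule ever adds to (names are case-sensitive)."""
    populated = {r["address-list"] for r in rules if "address-list" in r}
    referenced = {r["src-address-list"] for r in rules if "src-address-list" in r}
    return sorted(referenced - populated)


# Constructed packets: a fresh DNS query arriving on the WAN side, and a reply to an existing flow.
WAN_DNS_QUERY = {"chain": "input", "in-interface": "pppoe-out1",
                 "protocol": "udp", "dst-port": "53", "connection-state": "new"}
WAN_REPLY = {"chain": "input", "in-interface": "pppoe-out1",
             "protocol": "udp", "dst-port": "40000", "connection-state": "established"}

if __name__ == "__main__":
    print("mattyb's export, WAN DNS query :", verdict(parse_rules(MATTYB_RULES), WAN_DNS_QUERY))
    print("VLAN set, WAN DNS query        :", verdict(parse_rules(VLAN_RULES), WAN_DNS_QUERY))
    print("PPPoE set, WAN DNS query       :", verdict(parse_rules(PPPOE_RULES), WAN_DNS_QUERY))
    print("PPPoE set, established reply   :", verdict(parse_rules(PPPOE_RULES), WAN_REPLY))
    print("lists never populated (VLAN)   :", unpopulated_lists(parse_rules(VLAN_RULES)))
```

Running it shows the three outcomes the thread argues about: mattyb's export accepts the WAN DNS query at index 1 before the drop at index 3 is ever reached; the VLAN-named set accepts it too, but only because no rule mentions pppoe-out1, which is why the interface name has to be adapted rather than the rules copied verbatim; the adapted set drops it at the "drop all from wan" rule while still accepting the established reply via the established,related rule sbiddle asked about. The list check reports Port_Scanner and Syn_Flooder as referenced but never populated, which is the kind of silent mismatch that leaves a blacklist rule doing nothing.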






