Topic # 201688 30-Aug-2016 09:23

I'm trying to set up a new Mikrotik RB951G-2HnD router on Spark Fibre. I've followed the guide from @michaelmurfy here (http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=161676) but I think the setup software is slightly newer now, so some of the screenshots don't quite line up and I'm not sure where I'm going wrong.

I've set up the quick setup screen like so: [screenshot]

Then I've added the VLAN info: [screenshot]

Then my interfaces screen doesn't look like the image in the guide. Somehow I need to associate the VLAN with ether1-gateway, but there is no ether1-gateway, only ether1 in the VLAN screen???

[screenshot]

Any help would be much appreciated - many thanks in advance!

Reply # 1619452 30-Aug-2016 09:29

Looks like you haven't told the PPPoE to go over your "Spark UFB" vlan interface. Go to PPP (left hand sidebar) -> the pppoe interface and set the "Interfaces" to "Spark UFB". In my screenshot (Inspire Net UFB) the interfaces is set to "ether1-gateway" as Inspire Net don't VLAN tag their PPPoE.

[screenshot]

Mr Snotty
  Reply # 1619540 30-Aug-2016 11:11

You're using the web interface instead of Winbox too. Use Winbox (look on the side near the bottom).

Reply # 1619569 30-Aug-2016 11:47

The web interface is terrible and still lacks features. I only ever use Winbox or SSH to configure (there are lots of things that are far quicker from the CLI).

Reply # 1619833 30-Aug-2016 19:43

Sweet! Got it working.

Reply # 1619880 30-Aug-2016 20:20

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

Reply # 1619922 30-Aug-2016 21:16

sbiddle:

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

That doesn't sound good. How do I do that?

Reply # 1619964 30-Aug-2016 22:03

Run a /ip firewall filter export from the console and paste the result here. We'll tell you what to update.

Reply # 1620026 31-Aug-2016 07:27

MadEngineer:

Run a /ip firewall filter export from the console and paste the result here. We'll tell you what to update.

I tried to follow the guide from @michaelmurfy....

[admin@MikroTik] > /ip firewall filter export
# aug/31/2016 07:26:16 by RouterOS 6.36.2
# software id = A8D8-MG7U
#
/ip firewall filter
add action=drop chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
[admin@MikroTik] >

Any use to you?

Reply # 1620033 31-Aug-2016 07:52

Do you have an allow for input established/related? And your generic input rule is probably overriding the drop all rule.

Did you start from the default config or just create your own rules?

Reply # 1620051 31-Aug-2016 08:23

/ip firewall filter add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

Reply # 1620060 31-Aug-2016 08:39

deadlyllama:

/ip firewall filter add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

There is no need to do this since a DNS lookup via the WAN won't actually work anyway if you have the standard rules in place.

Here are the default rules I use for routers - this assumes a public IP on VLAN10, so it needs to be changed if you're using PPPoE.

------------------------------
add action=accept chain=input comment="allow icmp wan" log-prefix="" protocol=icmp
add action=accept chain=input comment="allow winbox wan" dst-port=8291 log-prefix="" protocol=tcp
add action=accept chain=input comment="allow established,related" connection-state=established,related log-prefix=""
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="port scanner detector & add to port scanner blacklist for 7 days" log-prefix="" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="syn flood detector & add to syn flood blacklist for 30 mins" connection-limit=30,32 log-prefix="" protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="drop from port scan blacklist" log-prefix="" src-address-list=port_scanner
add action=drop chain=input comment="drop from syn flood blacklist" log-prefix="" src-address-list=syn_flooder
add action=drop chain=input comment="drop all from wan" in-interface="VLAN10 - UFB" log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log-prefix=""
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix=""
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="VLAN10 - UFB" log-prefix=""

------------------------------

This allows ICMP, Winbox access on 8291 (which I normally restrict to an address range) and also detects a port scanner or SYN flood and blocks the address for 7 days for a port scanner or 30 mins for a SYN flood. This includes the new "drop all from wan not DSTNATed" rule, which became a standard rule in RouterOS a few releases ago.

This also has fasttrack enabled, which for most people will be beneficial, but you really need to understand the limitations of this and what it can break if you're going to use it.

Reply # 1620087 31-Aug-2016 09:37

I prefer the new connections method, where new connections can only be accepted from the lan, with the exception of VPN, limited icmp, port forwards etc. Also isn't the order important ie have your local/established forwards/inputs (or most used/highest priority) first to save processing? You can test this by moving filters around while running something against your filters while watching the CPU. Possibly doesn't matter much now with fast track as that's always first? Also there's no drop all input and drop all forward at the end ...

Reply # 1620166 31-Aug-2016 12:41

Ok, now I'm pretty confused.

I think I've deleted all the default config (didn't read the guide correctly) and have added the rules I have now.

@sbiddle - would you suggest I add your rules? Would you mind making the changes I should make for Spark UFB and reposting so I can copy them?

Reply # 1620168 31-Aug-2016 12:44

Paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import.

Reply # 1620400 31-Aug-2016 19:37

MadEngineer:

Paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import.

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1598 4074
1 RS ether2-master ether 1500 1598 4074
2 RS ether3 ether 1500 1598 4074
3 S ether4 ether 1500 1598 4074
4 S ether5 ether 1500 1598 4074
5 RS wlan1 wlan 1500 1600 2290
6 R Spark UFB vlan 1500 1594
7 R ;;; defconf
bridge bridge 1500 1598
8 R pppoe-out1 pppoe-out 1500
[admin@MikroTik] >

That help?
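Pulling the thread together as an added example (written for this edit, not posted by any participant): sbiddle's rule set above rewritten for the interface names in this /interface print output, with pppoe-out1 as the WAN interface, deadlyllama's UDP/53 drop kept ahead of every accept, and the address-list names spelled identically in the add and drop rules. The LAN-only Winbox rule and the 192.168.88.0/24 LAN range are assumptions, not anything the thread states.

```routeros
# Added example (not from the thread): sbiddle's rule set adapted to the OP's
# interface list. WAN traffic arrives on pppoe-out1, which runs over the
# "Spark UFB" VLAN on ether1, so pppoe-out1 replaces "VLAN10 - UFB" throughout.
# 192.168.88.0/24 is a placeholder for the LAN range behind the defconf bridge.
/ip firewall filter
# Never answer DNS queries arriving from the WAN, whatever else is accepted below.
add action=drop chain=input comment="drop dns from wan" dst-port=53 in-interface=pppoe-out1 protocol=udp
add action=accept chain=input comment="allow established,related" connection-state=established,related
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="allow icmp wan" in-interface=pppoe-out1 protocol=icmp
# Winbox only from the LAN range (assumed), never from the WAN.
add action=accept chain=input comment="allow winbox lan" dst-port=8291 protocol=tcp src-address=192.168.88.0/24
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="port scanner detector, blacklist for 7 days" in-interface=pppoe-out1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="syn flood detector, blacklist for 30 mins" connection-limit=30,32 in-interface=pppoe-out1 protocol=tcp tcp-flags=syn
# These list names must match the add-src-to-address-list rules above exactly.
add action=drop chain=input comment="drop from port scan blacklist" src-address-list=port_scanner
add action=drop chain=input comment="drop from syn flood blacklist" src-address-list=syn_flooder
# The OP's export already has this drop, but two unconditional accepts on
# pppoe-out1 sit above it, so they must be deleted for it to take effect.
add action=drop chain=input comment="drop all from wan" in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related
add action=accept chain=forward comment="allow established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface=pppoe-out1
```

Delete the two unconditional accept rules on pppoe-out1 from the earlier export before importing this, otherwise they still match first. Then confirm the order with /ip firewall filter print.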

