Mikrotik RB951G-2HnD on Spark Fibre

Forums › LAN (ethernet/Wifi/routers/Bluetooth) › Mikrotik RB951G-2HnD on Spark Fibre

mattyb

254 posts

Ultimate Geek

#201688 30-Aug-2016 09:23

I'm trying to setup a new Mikrotik RB951G-2HnD router on Spark Fibre. I've followed the guide from @michaelmurfy here (http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=161676) but I think the setup software is slightly newer now so some of the screenshots don't quite lineup and I'm not sure where I'm going wrong.

I've setup the quick setup screen like so:

Then I've added the VLAN info:

Then my interfaces screen doesn't look like the image in the guide, somehow I need to associate the VLAN with ether1-gateway, but there is no ether1-gateway, only ether1 in the VLAN screen???

Any help would be much appreciated - many thanks in advance!

1 | 2

1260 posts

Uber Geek

Trusted

#1619452 30-Aug-2016 09:29

Looks like you haven't told the PPPoE to go over your "Spark UFB" vlan interface. Go to PPP (left hand sidebar) -> the pppoe interface and set the "Interfaces" to "Spark UFB". In my screenshot (Inspire net UFB) the interfaces is set to "ether1-gateway" as Inspire Net don't VLAN tag their PPPoE.

michaelmurfy

meow
13240 posts

Uber Geek

Moderator

ID Verified

Trusted

Lifetime subscriber

#1619540 30-Aug-2016 11:11

You're using the web interface instead of Winbox too. Use Winbox (look on the side near the bottom).

Michael Murphy | https://murfy.nz
Referral Links: Quic Broadband (use R122101E7CV7Q for free setup)

Are you happy with what you get from Geekzone? Please consider supporting us by subscribing.
Opinions are my own and not the views of my employer.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1619569 30-Aug-2016 11:47

The web interface is terrible and still lacks features. I only ever use Winbox or SSH to configure (there are lots of things that are far quicker from the CLI).

mattyb

254 posts

Ultimate Geek

#1619833 30-Aug-2016 19:43

Sweet! Got it working.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1619880 30-Aug-2016 20:20

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

mattyb

254 posts

Ultimate Geek

#1619922 30-Aug-2016 21:16

sbiddle:
Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

That doesn't sound good. How do I do that?

MadEngineer

4271 posts

Uber Geek

Trusted

#1619964 30-Aug-2016 22:03

Run a /ip firewall filter export from the console and paste the result here. We'll tell you what to update

You're not on Atlantis anymore, Duncan Idaho.

Equinox IT

Cloud spending continues to surge globally, but most organisations haven’t made the changes necessary to maximise the value and cost-efficiency benefits of their cloud investments. Download the whitepaper From Overspend to Advantage now.

mattyb

254 posts

Ultimate Geek

#1620026 31-Aug-2016 07:27

MadEngineer:

Run a /ip firewall filter export from the console and paste the result here. We'll tell you what to update

I tried to follow the guide from @michaelmurfy....

[admin@MikroTik] > /ip firewall filter export
# aug/31/2016 07:26:16 by RouterOS 6.36.2
# software id = A8D8-MG7U
#
/ip firewall filter
add action=drop chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
[admin@MikroTik] >

Any use to you?

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1620033 31-Aug-2016 07:52

Do you know have an allow for input established/related? And your generic input in rule is probably overriding the drop all rule.

Did you start from the default config or just create your own rules?

deadlyllama

1260 posts

Uber Geek

Trusted

#1620051 31-Aug-2016 08:23

/ip firewall add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

sbiddle

30853 posts

Uber Geek

Retired Mod

Trusted

Biddle Corp

Lifetime subscriber

#1620060 31-Aug-2016 08:39

deadlyllama:

/ip firewall add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

There is no need to do this since a DNS lookup via the WAN won't actually work anyway if you have the standard rules in place.

Here's my default rules I use for routers - this assumes a public IP on VLAN10 so needs to be changed if you're using PPPoE

------------------------------

add action=accept chain=input comment="allow icmp wan" log-prefix="" protocol=icmp
add action=accept chain=input comment="allow winbox wan" dst-port=8291 log-prefix="" protocol=tcp
add action=accept chain=input comment="allow established,related" connection-state=established,related log-prefix=""
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="port scanner detector & add to port scanner blacklist for 7 days" log-prefix="" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="syn flood detector & add to syn flood blacklist for 30 mins" connection-limit=30,32 log-prefix="" protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="drop from port scan blacklist" log-prefix="" src-address-list=Port_Scanner
add action=drop chain=input comment="drop from syn flood blacklist" log-prefix="" src-address-list=Syn_Flooder
add action=drop chain=input comment="drop all from wan" in-interface="VLAN10 - UFB" log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log-prefix=""
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix=""
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="VLAN10 - UFB" log-prefix=""

------------------------------

This allows ICMP, Winbox access on 8291 (which I normally restricted to an address range) and also detects a port scanner or SYN flood and blocks the address for 7 days for a port scanner or 30 mins for SYN flood. This includes the new "drop all from wan not DSTNATed": rule which became a standard rule in RouterOS from a few releases ago.

This also has fasttrack enabled which for most people will be beneficial, but you really need to understand the limitations of this and what it can break if you're going to use it.

MadEngineer

4271 posts

Uber Geek

Trusted

#1620087 31-Aug-2016 09:37

I prefer the new connections method, where new connections can only be accepted from the lan, with the exception of VPN, limited icmp, port forwards etc. Also isn't the order important ie have your local/established forwards/inputs (or most used/highest priority) first to save processing? You can test this by moving filters around while running something against your filters while watching the CPU. Possibly doesn't matter much now with fast track as that's always first? Also there's no drop all input and drop all forward at the end ...

You're not on Atlantis anymore, Duncan Idaho.

mattyb

254 posts

Ultimate Geek

#1620166 31-Aug-2016 12:41

Ok, now I'm pretty confused.

I think I've deleted all the default config (didn't read the guide correctly) and have added the rules I have now.

@sbiddle - would you suggest I add your rules? Would you mind making the changes I should make for Spark UFB and reposting so I can copy them?

MadEngineer

4271 posts

Uber Geek

Trusted

#1620168 31-Aug-2016 12:44

paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import

You're not on Atlantis anymore, Duncan Idaho.

mattyb

254 posts

Ultimate Geek

#1620400 31-Aug-2016 19:37

MadEngineer:

paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1598 4074
1 RS ether2-master ether 1500 1598 4074
2 RS ether3 ether 1500 1598 4074
3 S ether4 ether 1500 1598 4074
4 S ether5 ether 1500 1598 4074
5 RS wlan1 wlan 1500 1600 2290
6 R Spark UFB vlan 1500 1594
7 R ;;; defconf
bridge bridge 1500 1598
8 R pppoe-out1 pppoe-out 1500
[admin@MikroTik] >

That help?

1 | 2