Geekzone: technology news, blogs, forums
Guest
Welcome Guest.
You haven't logged in yet. If you don't have an account you can register now.


ForumsLAN (ethernet/Wifi/routers/Bluetooth)Mikrotik RB951G-2HnD on Spark Fibre


189 posts

Master Geek


# 201688 30-Aug-2016 09:23
Send private message

I'm trying to setup a new Mikrotik RB951G-2HnD router on Spark Fibre. I've followed the guide from @michaelmurfy here (http://www.geekzone.co.nz/forums.asp?forumid=66&topicid=161676) but I think the setup software is slightly newer now so some of the screenshots don't quite lineup and I'm not sure where I'm going wrong.

 

I've setup the quick setup screen like so:

 

Click to see full size

 

Then I've added the VLAN info:

 

Click to see full size

 

Then my interfaces screen doesn't look like the image in the guide, somehow I need to associate the VLAN with ether1-gateway, but there is no ether1-gateway, only ether1 in the VLAN screen???

 

Click to see full size

 

Any help would be much appreciated - many thanks in advance!

 

 

 

 

View this topic in a long page with up to 500 replies per page Create new topic
 1 | 2
948 posts

Ultimate Geek


  # 1619452 30-Aug-2016 09:29
Send private message

Looks like you haven't told the PPPoE to go over your "Spark UFB" vlan interface.  Go to PPP (left hand sidebar) -> the pppoe interface and set the "Interfaces" to "Spark UFB".  In my screenshot (Inspire net UFB) the interfaces is set to "ether1-gateway" as Inspire Net don't VLAN tag their PPPoE.

 

Click to see full size

Mr Snotty
8868 posts

Uber Geek

Moderator
Trusted
Lifetime subscriber

  # 1619540 30-Aug-2016 11:11
Send private message

You're using the web interface instead of Winbox too. Use Winbox (look on the side near the bottom).




Michael Murphy | https://murfy.nz
A quick guide to picking the right ISP | The Router GuideCommunity UniFi Cloud Controller | Ubiquiti Edgerouter Tutorial | Sharesies

 
 
 
 


28260 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1619569 30-Aug-2016 11:47
One person supports this post
Send private message

The web interface is terrible and still lacks features. I only ever use Winbox or SSH to configure (there are lots of things that are far quicker from the CLI).

 

 



189 posts

Master Geek


  # 1619833 30-Aug-2016 19:43
Send private message

Sweet! Got it working.

28260 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1619880 30-Aug-2016 20:20
One person supports this post
Send private message

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.

 

 



189 posts

Master Geek


  # 1619922 30-Aug-2016 21:16
Send private message

sbiddle:

Make sure you've correctly modified the drop all rule to PPPoE from Ether1 or you'll end up being the subject of a DNS amplification attack within hours.


 



That doesn't sound good. How do I do that?

1906 posts

Uber Geek


  # 1619964 30-Aug-2016 22:03
Send private message

Run a /ip firewall filter export from the console and paste the result here.  We'll tell you what to update

 
 
 
 




189 posts

Master Geek


  # 1620026 31-Aug-2016 07:27
Send private message

MadEngineer:

 

Run a /ip firewall filter export from the console and paste the result here.  We'll tell you what to update

 

 

I tried to follow the guide from @michaelmurfy....

 

 

 

[admin@MikroTik] > /ip firewall filter export
# aug/31/2016 07:26:16 by RouterOS 6.36.2
# software id = A8D8-MG7U
#
/ip firewall filter
add action=drop chain=input in-interface=pppoe-out1 protocol=icmp
add action=accept chain=input in-interface=pppoe-out1
add action=accept chain=input in-interface=pppoe-out1
add action=drop chain=input in-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
add action=accept chain=forward out-interface=pppoe-out1
[admin@MikroTik] >

 

 

 

Any use to you?

28260 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1620033 31-Aug-2016 07:52
Send private message

Do you know have an allow for input established/related? And your generic input in rule is probably overriding the drop all rule.

 

Did you start from the default config or just create your own rules?

 

 

948 posts

Ultimate Geek


  # 1620051 31-Aug-2016 08:23
Send private message

/ip firewall add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

 

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

28260 posts

Uber Geek

Moderator
Trusted
Biddle Corp
Lifetime subscriber

  # 1620060 31-Aug-2016 08:39
Send private message

deadlyllama:

 

/ip firewall add action=drop chain=input connection-state=!established dst-port=53 in-interface=pppoe-out1 protocol=udp

 

as the first rule in the chain (before any accepts -- I just drag and drop the rules in the web interface to rearrange them) will save you from being a DDoS amplifier.

 

 

There is no need to do this since a DNS lookup via the WAN won't actually work anyway if you have the standard rules in place.

 

Here's my default rules I use for routers - this assumes a public IP on VLAN10 so needs to be changed if you're using PPPoE

 

------------------------------

 

add action=accept chain=input comment="allow icmp wan" log-prefix="" protocol=icmp
add action=accept chain=input comment="allow winbox wan" dst-port=8291 log-prefix="" protocol=tcp
add action=accept chain=input comment="allow established,related" connection-state=established,related log-prefix=""
add action=add-src-to-address-list address-list=port_scanner address-list-timeout=1w chain=input comment="port scanner detector & add to port scanner blacklist for 7 days" log-prefix="" protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder address-list-timeout=30m chain=input comment="syn flood detector & add to syn flood blacklist for 30 mins" connection-limit=30,32 log-prefix="" protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="drop from port scan blacklist" log-prefix="" src-address-list=Port_Scanner
add action=drop chain=input comment="drop from syn flood blacklist" log-prefix="" src-address-list=Syn_Flooder
add action=drop chain=input comment="drop all from wan" in-interface="VLAN10 - UFB" log-prefix=""
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" connection-state=established,related log-prefix=""
add action=accept chain=forward comment="allow established,related" connection-state=established,related log-prefix=""
add action=drop chain=forward comment="drop invalid" connection-state=invalid log-prefix=""
add action=drop chain=forward comment="drop all from wan not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface="VLAN10 - UFB" log-prefix=""

 

------------------------------

 

This allows ICMP, Winbox access on 8291 (which I normally restricted to an address range) and also detects a port scanner or SYN flood and blocks the address for 7 days for a port scanner or 30 mins for SYN flood. This includes the new "drop all from wan not DSTNATed": rule which became a standard rule in RouterOS from a few releases ago.

 

This also has fasttrack enabled which for most people will be beneficial, but you really need to understand the limitations of this and what it can break if you're going to use it.

 

 

 

 

 

 

 

 

1906 posts

Uber Geek


  # 1620087 31-Aug-2016 09:37
Send private message

I prefer the new connections method, where new connections can only be accepted from the lan, with the exception of VPN, limited icmp, port forwards etc. Also isn't the order important ie have your local/established forwards/inputs (or most used/highest priority) first to save processing? You can test this by moving filters around while running something against your filters while watching the CPU. Possibly doesn't matter much now with fast track as that's always first? Also there's no drop all input and drop all forward at the end ...



189 posts

Master Geek


  # 1620166 31-Aug-2016 12:41
Send private message

Ok, now I'm pretty confused.

 

I think I've deleted all the default config (didn't read the guide correctly) and have added the rules I have now.

 

@sbiddle - would you suggest I add your rules? Would you mind making the changes I should make for Spark UFB and reposting so I can copy them?

 

 

1906 posts

Uber Geek


  # 1620168 31-Aug-2016 12:44
Send private message

paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import



189 posts

Master Geek


  # 1620400 31-Aug-2016 19:37
Send private message

MadEngineer:

 

paste the result of /interface print (so we have a list of interface names) and we could amend sbiddle's firewall export for you to then import

 

 

 

 

[admin@MikroTik] > /interface print
Flags: D - dynamic, X - disabled, R - running, S - slave
# NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU
0 R ether1 ether 1500 1598 4074
1 RS ether2-master ether 1500 1598 4074
2 RS ether3 ether 1500 1598 4074
3 S ether4 ether 1500 1598 4074
4 S ether5 ether 1500 1598 4074
5 RS wlan1 wlan 1500 1600 2290
6 R Spark UFB vlan 1500 1594
7 R ;;; defconf
bridge bridge 1500 1598
8 R pppoe-out1 pppoe-out 1500
[admin@MikroTik] >

 

 

 

That help?

 1 | 2
View this topic in a long page with up to 500 replies per page Create new topic



Twitter and LinkedIn »



Follow us to receive Twitter updates when new discussions are posted in our forums:



Follow us to receive Twitter updates when news items and blogs are posted in our frontpage:



Follow us to receive Twitter updates when tech item prices are listed in our price comparison site:





News »

D Link ANZ launches EXO Smart Mesh Wi Fi Routers with McAfee protection
Posted 15-Oct-2019 11:31

Major Japanese retailer partners with smart New Zealand technology IMAGR
Posted 14-Oct-2019 10:29

Ola pioneers one-time passcode feature to fight rideshare fraud
Posted 14-Oct-2019 10:24

Spark Sport new home of NZC matches from 2020
Posted 10-Oct-2019 09:59

Meet Nola, Noel Leeming's new digital employee
Posted 4-Oct-2019 08:07

Registrations for Sprout Accelerator open for 2020 season
Posted 4-Oct-2019 08:02

Teletrac Navman welcomes AI tech leader Jens Meggers as new President
Posted 4-Oct-2019 07:41

Vodafone makes voice of 4G (VoLTE) official
Posted 4-Oct-2019 07:36

2degrees Reaches Milestone of 100,000 Broadband Customers
Posted 1-Oct-2019 09:17

Nokia 1 Plus available in New Zealand from 2nd October
Posted 30-Sep-2019 17:46

Ola integrates Apple Pay as payment method in New Zealand
Posted 25-Sep-2019 09:51

Facebook Portal to land in New Zealand
Posted 19-Sep-2019 18:35

Amazon Studios announces New Zealand as location for its upcoming series based on The Lord of the Rings
Posted 18-Sep-2019 17:24

The Warehouse chooses Elasticsearch service
Posted 18-Sep-2019 13:55

Voyager upgrades core network to 100Gbit
Posted 18-Sep-2019 13:52


Geekzone Live »

Try automatic live updates from Geekzone directly in your browser, without refreshing the page, with Geekzone Live now.


Support Geekzone »

Our community of supporters help make Geekzone possible. Click the button below to join them.

Support Geezone on PressPatron


Updates »

Are you subscribed to our RSS feed? You can download the latest headlines and summaries from our stories directly to your computer or smartphone by using a feed reader.

Alternatively, you can receive a daily email with Geekzone updates.