Geekzone: technology news, blogs, forums
  Reply # 1620447 31-Aug-2016 21:21

You basically just need to replace my references to VLAN10 - UFB with "pppoe-out1"

At the end of the day though you REALLY need to understand what you're actually doing. RouterOS has a steep learning curve and isn't a product if you want a simple router. It's very easy to make your system highly insecure if you're not careful.

  Reply # 1686738 12-Dec-2016 21:58

Trying to set up port forwarding on the Mikrotik router now... but must be missing something simple. Shouldn't this work?

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=ether1 \
protocol=tcp to-addresses=192.168.88.5 to-ports=8790

Not sure if the 'masquerade' action should be there or not - I'm still learning RouterOS.

Many thanks in advance.

  Reply # 1686952 13-Dec-2016 10:47

Use winbox to check the counters on that rule, it should be increasing as connection attempts are made. Also check that your deny rules are not increasing at the same time. Turn on logging at least temporarily for the relevant rules if required. Does the application you're forwarding the data to only require tcp and not also udp?

Edit - Is ether1 your wan interface where the DHCP client is sitting?

  Reply # 1687014 13-Dec-2016 11:59

If you're using PPPoE (which I assume you are based on your masquerade rule for outbound) then the rule needs to use that - ether1 is not your main interface.

  Reply # 1694035 22-Dec-2016 21:18

Ok, I've changed it to the following and still no luck:

add action=masquerade chain=srcnat comment="defconf: masquerade" out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=pppoe-out1 protocol=tcp to-addresses=192.168.88.5 to-ports=8790

Btw, I'm using www.canyouseeme.org to check if the port is open.

Below are my filter rules in case that helps diagnose, and also see my interface list earlier in this thread:

/ip firewall filter
add action=accept chain=input comment="allow icmp wan" \
protocol=icmp
add action=accept chain=input comment="allow winbox wan" \
dst-port=8291 protocol=tcp
add action=accept chain=input comment=\
"allow established,related" connection-state=\
established,related
add action=add-src-to-address-list address-list=port_scanner \
address-list-timeout=1w chain=input comment="port scanner de\
tector & add port to port scanner blacklist for 7 days" \
protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list=syn_flooder \
address-list-timeout=30m chain=input comment="syn flood dete\
ctor & add to syn flood blacklist for 30mins" \
connection-limit=30,32 protocol=tcp tcp-flags=syn
add action=drop chain=input comment=\
"drop from port scan blacklist" src-address-list=\
port_scanner
add action=drop chain=input comment=\
"drop from syn flood blacklist" src-address-list=\
syn_flooder
add action=drop chain=input comment="drop all from wan" \
in-interface=pppoe-out1
add action=fasttrack-connection chain=forward comment=\
"defcon: fasttrack" connection-state=established,related
add action=accept chain=forward comment=\
"allow established,related" connection-state=\
established,related
add action=drop chain=forward comment="drop invalid" \
connection-state=invalid
add action=drop chain=forward comment=\
"drop all from wan not DSTNATed" connection-nat-state=\
dstnat connection-state=new in-interface=pppoe-out1
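As an added example that is not from the thread or from MikroTik, here is a small Python checker (my own construction) that reads a RouterOS export in the format posted above and flags the two things that would stop this port forward from working: a dst-nat rule whose in-interface is not the PPPoE WAN that the masquerade rule uses (the first config posted), and a forward-chain drop rule on the WAN matching connection-nat-state=dstnat without the '!' negation, which is how the "drop all from wan not DSTNATed" rule reads as posted. The sample export is assembled from the thread's rules, not a real device export.

```python
import shlex

# Constructed sample built from the rules posted in this thread (not a real export):
# dst-nat listens on ether1 while masquerade goes out pppoe-out1, and the forward drop
# rule matches connection-nat-state=dstnat although its comment says "not DSTNATed".
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \\
    out-interface=pppoe-out1
add action=dst-nat chain=dstnat dst-port=8790 in-interface=ether1 \\
    protocol=tcp to-addresses=192.168.88.5 to-ports=8790
/ip firewall filter
add action=drop chain=forward comment="drop all from wan not DSTNATed" \\
    connection-nat-state=dstnat connection-state=new in-interface=pppoe-out1
"""

def parse_export(text):
    """Return (menu, {key: value}) for each 'add' line, joining '\\' continuations."""
    joined, buf = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.endswith("\\"):           # continuation: drop the backslash, keep reading
            buf += line[:-1]
            continue
        joined.append(buf + line)
        buf = ""
    menu, rules = "", []
    for line in joined:
        if line.startswith("/"):           # a menu path such as /ip firewall nat
            menu = line
        elif line.startswith("add "):
            kv = dict(t.split("=", 1) for t in shlex.split(line[4:]) if "=" in t)
            rules.append((menu, kv))
    return rules

def lint(text):
    """Flag the two mistakes that break a port forward on a PPPoE uplink."""
    rules = parse_export(text)
    nat = [kv for menu, kv in rules if menu == "/ip firewall nat"]
    flt = [kv for menu, kv in rules if menu == "/ip firewall filter"]
    # The WAN is whatever the masquerade rule sends traffic out of.
    wan = {r["out-interface"] for r in nat if r.get("action") == "masquerade" and "out-interface" in r}
    findings = []
    for r in nat:
        if r.get("action") == "dst-nat" and "in-interface" in r and r["in-interface"] not in wan:
            findings.append(f"dst-nat to {r.get('to-addresses')}:{r.get('to-ports')} listens on "
                            f"in-interface={r['in-interface']} but the WAN is {sorted(wan)}")
    for r in flt:
        if (r.get("chain") == "forward" and r.get("action") == "drop"
                and r.get("in-interface") in wan and r.get("connection-nat-state") == "dstnat"):
            findings.append("forward drop rule matches connection-nat-state=dstnat (no '!'), "
                            f"so it drops the forwarded traffic: comment={r.get('comment')!r}")
    return findings
```

Run lint() over the output of /export from the router; an empty list means neither mistake is present, and a counter that stays at zero on the dst-nat rule (as suggested earlier in the thread) points at the first finding.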
  Reply # 1700493 9-Jan-2017 12:28

BUMP

Also, I'm thinking of switching to Bigpipe for UFB and using this router. Anyone know if they have good support people there that could help me with RouterOS? (rather than annoy people on this forum with my stupid questions)

Many thanks in advance.


Mr Snotty
  Reply # 1700494 9-Jan-2017 12:31

mattyb:

BUMP

Also, I'm thinking of switching to Bigpipe for UFB and using this router. Anyone know if they have good support people there that could help me with RouterOS? (rather than annoy people on this forum with my stupid questions)

Many thanks in advance.

Yes they have good support and no they won't help you with RouterOS. You followed my Mikrotik guide? Other than that I think we've given you as much help as we possibly can I'm afraid. If you invest in a Mikrotik router you need to read the Wiki etc and be prepared to learn as they're not easy routers to configure.