CuddleChunks
Sep 18, 2004

I'm glad it's running smoothly for you. You don't need to do anything else, but it might be a good idea to go to the first post of this thread and walk through backing up your config. Then, if you get the urge to experiment, you can get back to this working configuration without much hassle.

QoS is loving voodoo but there are online guides about it. I keep saying I'll write something up but in my heart I know that it's not true. Here's how you set it up: <image of chicken being slaughtered and its blood smeared around arcane symbols> And then you change to a PCQ and <several scantily clad ladies prance about in diaphanous gauze> but not before setting to mark your packets and <dark lord summoned, QoS now working>.

See? It's easy!

Gism0
Mar 20, 2003

huuuh?

DrCold posted:

Are there any other things I should be configuring on a fresh 750? Clicking through webfig and winbox nothing else really jumped out at me as 'required' for my simple network requirements.

I have a RB450G, interfaces set up the same way + PPPoE client on the WAN port, DHCP server on the 2nd port and NAT. Pretty much all you need for a simple network. I've been playing with QoS but it's not exactly simple, gonna take me a while to perfect it!

I have mine set up with a Ubiquiti Picostation, couldn't be happier!

async1ronous
May 23, 2003

I flopped the nuts straight
Reading through this thread has inspired me to get off our junk old Netgear RO318 router and into something a little bit more capable.



Now I have a month or so to figure this thing out before we cut over from our junk tiny T1 to business level cable internet.

CuddleChunks
Sep 18, 2004

Hahaha that will *crush* your puny Netgear. Let us know if you have any questions.

CrazyLittle
Sep 11, 2001





Clapping Larry
I wish I could put a few of those in some of my customers' buildings. :sigh:

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
I've noticed a bug lately in export compact.

It's leaving off things like port numbers on ip firewall rules. Mine blacklisted half the internet before I noticed it :)


Also Tarpit is nasty, dirty, evil, and wonderful.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

CuddleChunks posted:

QoS is loving voodoo but there are online guides about it.

My biggest annoyance is QoS on anything Linux-based. I wish Mikrotik would just rip all that out and replace it with something nicer.

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
Exporting in 5.12 is definitely flaky. It picked up most of my rules, but it left off all the tcp flags on my portscanner rules so it basically started blacklisting everything :haw:

It's supposed to be this:

code:
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Drop Port Scanners" \
    disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=jump chain=input disabled=no in-interface=ether1 jump-target=\
    droplog src-address-list="port scanners"
but if I export, it comes out without the tcp-flags=fin,syn,rst,psh,ack,urg pieces.

That coupled with tarpitting does extremely unkind things to the tcp stack of anyone who tries to portscan me.

Farking Bastage fucked around with this message at 19:29 on Feb 9, 2012
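
The export bug above is worth catching mechanically, because a port-scanner rule that loses its tcp-flags= matcher silently turns into "add every TCP source on ether1 to the blacklist". The following script is an added example, my own code rather than anything from the thread or from MikroTik: it parses RouterOS export lines (joining the backslash continuations), evaluates the posted tcp-flags rules against a few packet flag combinations, and flags any add-src-to-address-list rule on protocol=tcp that has no narrowing matcher left. It assumes the usual reading of tcp-flags, that every listed flag must be set and every !-prefixed flag must be clear, and both exports it runs on are constructed inline from the rules in this post.

```python
"""Added example, not from the thread: parse RouterOS export lines, check
which of the posted port-scanner tcp-flags rules a packet would hit, and flag
rules that the export bug would have left matching every TCP packet."""
import re
import shlex

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# Constructed sample: the port-scanner rules as the poster intended them.
CORRECT_EXPORT = r'''
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Drop Port Scanners" \
    disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
'''

# Constructed sample: the same rules as the buggy 'export compact' wrote them,
# i.e. with every tcp-flags= matcher missing.
BROKEN_EXPORT = re.sub(r" tcp-flags=\S+", "", CORRECT_EXPORT)


def parse_rules(export_text):
    """Join backslash-continued lines, then split each 'add ...' line into a
    dict of key=value matchers (shlex takes care of the quoted values)."""
    joined = re.sub(r"\\\n\s*", "", export_text)
    rules = []
    for line in joined.splitlines():
        line = line.strip()
        if not line.startswith("add "):
            continue
        rule = {}
        for token in shlex.split(line[4:]):
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules


def flags_match(spec, packet_flags):
    """Assumed RouterOS tcp-flags semantics: every unprefixed flag must be set,
    every '!'-prefixed flag must be clear, unlisted flags are ignored."""
    for item in spec.split(","):
        if item.startswith("!"):
            if item[1:] in packet_flags:
                return False
        elif item not in packet_flags:
            return False
    return True


def classify(rules, packet_flags):
    """The tcp-flags specs, in rule order, that a packet with these flags hits."""
    return [r["tcp-flags"] for r in rules
            if "tcp-flags" in r and flags_match(r["tcp-flags"], packet_flags)]


def overly_broad(rules):
    """Rules that list a source on protocol=tcp with nothing narrowing them:
    after the export bug these catch every TCP packet on the interface."""
    narrowing = ("tcp-flags", "psd", "dst-port", "src-port",
                 "src-address-list", "dst-address-list", "connection-state")
    return [r for r in rules
            if r.get("action") == "add-src-to-address-list"
            and r.get("protocol") == "tcp"
            and not any(k in r for k in narrowing)]


if __name__ == "__main__":
    good = parse_rules(CORRECT_EXPORT)
    for name, flags in [("SYN (normal open)", {"syn"}), ("FIN scan", {"fin"}),
                        ("NULL scan", set()), ("Xmas scan", set(TCP_FLAGS))]:
        print(f"{name:18} hits: {classify(good, flags) or 'none'}")
    print("overly broad rules in buggy export:",
          len(overly_broad(parse_rules(BROKEN_EXPORT))))
```

Running it on the correct export, a plain SYN or ACK hits none of the scanner rules while the FIN, NULL and Xmas probes each hit the rule written for them; on the buggy export, six of the seven rules come back as overly broad, which is the "blacklisted half the internet" outcome in one line of output.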

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Farking Bastage posted:

That coupled with tarpitting does extremely unkind things to the tcp stack of anyone who tries to portscan me.

The tarpit feature just has you hold connections open and slowly respond. You're really doing more harm to yourself. Sure, if some kid gets your IP and portscans you they're kind of hosed, but anyone launching a real DDoS attack (scanning first, we'll say)? YOUR network stack will melt because you'll exceed 65535 open ports in no time.

Farking Bastage
Sep 22, 2007

Who dey think gonna beat dem Bengos!
If I did it right, it's drop/logging DDOS and blacklisting, dropping SYN attack stuff, and tarpitting the portscanners.

code:

/ip firewall filter
add action=accept chain=input comment="DNS - Approved list only" disabled=no \
    in-interface=ether1 protocol=udp src-address-list=dns src-port=53
add action=accept chain=input comment=\
    "Only allow internal traffic on ports other than your WAN port" disabled=\
    no in-interface=!ether1 src-address=10.10.120.0/24
add action=drop chain=forward comment="Drop all P2P" disabled=yes \
    in-interface=ether1 p2p=all-p2p
add action=drop chain=forward disabled=yes layer7-protocol=Bit-T-Newest
add action=drop chain=forward disabled=yes layer7-protocol=BITTORRENT
add action=tarpit chain=forward disabled=yes p2p=all-p2p protocol=tcp
add action=accept chain=input comment="NTP Allow - if mikrotik is not updating\
    \_from network but directly from pool.ntp.org" disabled=no in-interface=\
    ether1 protocol=udp src-address-list=ntp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input comment="Drop Port Scanners" \
    disabled=no in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w chain=input disabled=no in-interface=ether1 \
    protocol=tcp
add action=jump chain=input disabled=no in-interface=ether1 jump-target=\
    droplog src-address-list="port scanners"
add action=jump chain=forward comment="Drop DDoS" connection-state=new \
    disabled=no in-interface=ether1 jump-target=block-ddos
add action=drop chain=forward connection-state=new disabled=no \
    dst-address-list=ddosed in-interface=ether1 src-address-list=ddoser
add action=return chain=block-ddos disabled=no dst-limit=\
    30,30,src-and-dst-addresses/10s in-interface=ether1
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=\
    10m chain=block-ddos disabled=no in-interface=ether1
add action=add-src-to-address-list address-list=ddoser address-list-timeout=\
    10m chain=block-ddos disabled=no in-interface=ether1
add action=jump chain=forward comment="SYN Flood protect" connection-state=\
    new disabled=no jump-target=SYN-Protect protocol=tcp
add action=drop chain=input comment=\
    "SSH brute forcers blacklisting (3rd, 2nd, 1st)" disabled=no dst-port=22 \
    in-interface=ether1 protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
    address-list-timeout=0s chain=input connection-state=new disabled=no \
    dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 in-interface=ether1 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=22 in-interface=ether1 protocol=tcp
add action=drop chain=forward comment="drop ssh brute downstream" disabled=no \
    dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input comment=\
    "WinBox brute forcers blacklisting (3rd, 2nd, 1st)" disabled=no dst-port=\
    8291 in-interface=ether1 protocol=tcp src-address-list=wb_blacklist
add action=add-src-to-address-list address-list=wb_blacklist \
    address-list-timeout=0s chain=input connection-state=new disabled=no \
    dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage3
add action=add-src-to-address-list address-list=wb_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage2
add action=add-src-to-address-list address-list=wb_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=8291 in-interface=ether1 protocol=tcp src-address-list=wb_stage1
add action=add-src-to-address-list address-list=wb_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=8291 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="drop ftp brute forcers" disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_black_list
add action=add-src-to-address-list address-list=ftp_black_list \
    address-list-timeout=0s chain=input connection-state=new disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_stage3
add action=add-src-to-address-list address-list=ftp_stage3 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_stage2
add action=add-src-to-address-list address-list=ftp_stage2 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=21 protocol=tcp src-address-list=ftp_stage1
add action=add-src-to-address-list address-list=ftp_stage1 \
    address-list-timeout=1m chain=input connection-state=new disabled=no \
    dst-port=21 protocol=tcp
add action=drop chain=input comment="FTP brute forcers blacklisting" \
    disabled=yes dst-port=20,21 in-interface=ether1 protocol=tcp \
    src-address-list=ftp_blacklist
add action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=0s chain=output content="530 Login incorrect" \
    disabled=yes out-interface=ether1 protocol=tcp
add action=accept chain=output comment=\
    "Allow only 10 FTP login incorrect answers per minute" content=\
    "530 Login incorrect" disabled=yes dst-limit=1/1m,9,dst-address/1m \
    out-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow WinBox safe hosts" \
    connection-state=new disabled=no dst-port=8291 in-interface=ether1 \
    protocol=tcp src-address-list=safe
add action=accept chain=input comment="Allow SSH" connection-state=new \
    disabled=no dst-port=22 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow SSH safe hosts" \
    connection-state=new disabled=no dst-port=22 in-interface=ether1 \
    protocol=tcp src-address-list=safe
add action=accept chain=input comment="Allow WinBox" connection-state=new \
    disabled=no dst-port=8291 in-interface=ether1 protocol=tcp
add action=accept chain=input comment="Allow FTP" connection-state=new \
    disabled=yes dst-port=20-21 in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "Allow packets belonging to existing connections" connection-state=\
    established disabled=no in-interface=ether1 protocol=tcp
add action=accept chain=input comment=\
    "Allow packets related to existing connections" connection-state=related \
    disabled=no in-interface=ether1
add action=accept chain=forward comment=\
    "allow already established connections" connection-state=established \
    disabled=no in-interface=ether1
add action=accept chain=forward comment="allow related connections" \
    connection-state=related disabled=no in-interface=ether1
add action=add-src-to-address-list address-list=knock address-list-timeout=\
    15s chain=input comment="Port knocking the first stage" disabled=yes \
    dst-port=1337 in-interface=ether1 protocol=tcp
add action=add-src-to-address-list address-list=safe address-list-timeout=15m \
    chain=input comment="Port knocking whitelisting" disabled=yes dst-port=\
    7331 in-interface=ether1 protocol=tcp src-address-list=knock
add action=log chain=input comment="DROP ALL UNKNOWN LOG" disabled=yes \
    in-interface=ether1 log-prefix=droplog
add action=drop chain=input comment="drop invalid connections" \
    connection-state=invalid disabled=no in-interface=ether1
add action=drop chain=forward comment="drop invalid connections" \
    connection-state=invalid disabled=no in-interface=ether1 protocol=tcp
add action=drop chain=input comment="DROP ALL UNKNOWN" disabled=no \
    in-interface=ether1
add action=log chain=droplog comment="Tarpit Log and Drops" disabled=no \
    in-interface=ether1 log-prefix=tarpited protocol=tcp
add action=jump chain=droplog disabled=no in-interface=ether1 jump-target=\
    drop protocol=tcp
add action=tarpit chain=drop disabled=no in-interface=ether1 protocol=tcp
add action=drop chain=dropall comment="Drop jump to" disabled=no \
    in-interface=ether1
add action=accept chain=SYN-Protect comment="SYN Protect" connection-state=\
    new disabled=no limit=400,5 protocol=tcp
add action=log chain=SYN-Protect connection-state=new disabled=yes \
    log-prefix=synprotect protocol=tcp
add action=drop chain=SYN-Protect connection-state=new disabled=no protocol=\
    tcp
/ip firewall mangle
add action=mark-packet chain=prerouting comment="Detect NAT Traversal" \
    disabled=yes in-interface=ether1 new-packet-mark=nat-traversal \
    passthrough=yes
add action=mark-connection chain=prerouting comment="Mark bittorrent" \
    disabled=no dst-port=6881-6889 in-interface=ether1 new-connection-mark=\
    bittorrent passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=prerouting comment="Mark DNS" disabled=no \
    new-connection-mark=dns passthrough=no protocol=udp src-port=53
add action=mark-connection chain=postrouting disabled=no dst-port=53 \
    new-connection-mark=dns passthrough=no protocol=udp
add action=mark-connection chain=postrouting comment="Mark SNMP" disabled=no \
    dst-port=161 new-connection-mark=snmp passthrough=no protocol=udp
add action=mark-connection chain=prerouting comment="Mark VNC" disabled=no \
    dst-port=5900-5901 in-interface=ether1 new-connection-mark=vnc \
    passthrough=no protocol=tcp src-port=1024-65535
add action=mark-connection chain=postrouting comment="Mark all Netbios" \
    disabled=no dst-port=137 new-connection-mark=netbios passthrough=no \
    protocol=udp
add action=mark-connection chain=prerouting comment="Mark WINBOX" disabled=no \
    dst-port=8291 in-interface=ether1 new-connection-mark=winbox passthrough=\
    no protocol=tcp src-port=1024-65535
add action=mark-packet chain=prerouting comment="Mark all HTTP Packets" \
    connection-mark=http_connection disabled=no in-interface=ether1 \
    new-packet-mark=http_packets passthrough=yes
add action=mark-connection chain=prerouting comment=\
    "Mark all HTTP Connections" disabled=no dst-port=80 in-interface=ether1 \
    new-connection-mark=http_connection passthrough=no protocol=tcp
add action=mark-connection chain=postrouting disabled=no dst-port=80 \
    new-connection-mark=http_connection_outbound out-interface=ether1 \
    passthrough=no protocol=tcp
add action=mark-packet chain=prerouting comment="Mark all ICMP Packets" \
    disabled=no in-interface=ether1 new-packet-mark=icmp_packet passthrough=\
    no protocol=icmp
add action=mark-packet chain=prerouting comment="Mark all OTHER packets" \
    disabled=yes in-interface=ether1 new-packet-mark=other_packets \
    passthrough=no
add action=mark-connection chain=prerouting comment=\
    "Mark all OTHER connections" disabled=yes in-interface=ether1 \
    new-connection-mark=other_connections passthrough=no
Also, this is for a home connection, so the likelihood of a full on DDOS is low.

e: due to export bugs, a lot of those firewall rules are incomplete
e2: Maybe I misunderstood tarpit. I thought it basically sent back ack flags regardless of whether a port is open or not causing an attacker's TCP stack to poo poo itself.

Farking Bastage fucked around with this message at 03:02 on Feb 10, 2012
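
The staged ssh_stage1/ssh_stage2/ssh_stage3/ssh_blacklist rules in that config are the part most worth understanding before relying on them, so here is an added example (my own simulation, not code from the thread or from RouterOS) that walks those input-chain rules in the posted order for one source address and reports, per new TCP/22 connection, whether it is dropped. The timeouts (1m per stage, 0s meaning permanent for the blacklist) come from the posted rules; the source address and the attempt timings are constructed, and the model assumes that re-adding an address already on a list leaves its existing expiry alone and that add-src-to-address-list does not stop rule processing (the outcome is the same if it does).

```python
"""Added example, not from the thread: simulate the staged SSH brute-force
lists (ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist) from the
posted /ip firewall filter rules for one source address."""

# Taken from the posted rules, in chain order: (list the source must already be
# in, list it gets added to, address-list-timeout in seconds; 0 = permanent).
STAGES = [
    ("ssh_stage3", "ssh_blacklist", 0),
    ("ssh_stage2", "ssh_stage3", 60),
    ("ssh_stage1", "ssh_stage2", 60),
    (None, "ssh_stage1", 60),
]


class AddressLists:
    """Dynamic address-list entries with their expiry time (None = permanent)."""

    def __init__(self):
        self.entries = {}  # (list name, address) -> expiry in seconds

    def contains(self, name, addr, now):
        key = (name, addr)
        if key not in self.entries:
            return False
        expiry = self.entries[key]
        if expiry is not None and expiry <= now:
            del self.entries[key]  # dynamic entry has timed out
            return False
        return True

    def add(self, name, addr, timeout, now):
        # Assumption: re-adding an address that is already listed leaves its
        # existing expiry alone. The scenarios below do not depend on this.
        if not self.contains(name, addr, now):
            self.entries[(name, addr)] = None if timeout == 0 else now + timeout


def new_ssh_connection(lists, src, now):
    """Walk the posted input-chain rules in order for one new TCP/22 connection
    from src at time now. Returns 'drop' or 'accept' (the later 'Allow SSH'
    rule accepts whatever the blacklist rule did not drop)."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    for required, target, timeout in STAGES:
        if required is None or lists.contains(required, src, now):
            lists.add(target, src, timeout, now)
        # add-src-to-address-list is modelled as non-terminating (assumption),
        # so the remaining stage rules are still evaluated. Because the rules
        # are ordered stage3, stage2, stage1, one connection can only move the
        # source up a single stage either way.
    return "accept"


def simulate(timestamps, src="198.51.100.7"):
    """Verdict for each new SSH connection attempt at the given times (seconds).
    The source address is a constructed documentation-range value."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t in timestamps]


if __name__ == "__main__":
    # Four attempts inside a minute put the source on the permanent blacklist.
    print("fast:", simulate([0, 5, 10, 15, 20, 25]))
    # Attempts 90s apart let each 1m stage entry expire, so nothing escalates.
    print("slow:", simulate([0, 90, 180, 270, 360]))
```

The two runs show the trade-off built into those timeouts: a burst of new SSH connections is blacklisted after the fourth, permanently, while anything slower than one attempt per minute never climbs past ssh_stage1. Whether that is the right balance is a policy choice, but it is good to know the threshold before the rules are the only thing standing in front of port 22.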

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Farking Bastage posted:

e2: Maybe I misunderstood tarpit. I thought it basically sent back ack flags regardless of whether a port is open or not causing an attacker's TCP stack to poo poo itself.

I can't comment further as my quick googling of what tarpitting was on mikrotiks seemed to describe what I was talking about. It sort of aligns with your description as well -- you're causing their scan to go slow by responding on all ports. But again, it could backfire.

Ninja Rope
Oct 22, 2005

Wee.
Not to rain on your parade, but no good scanners use the host's IP stack to do scans, it's all done in userland, so no matter what your machine does it's not going to jack their poo poo up. Also it's probably slower for them if you respond to nothing (they'll probably retry now and then to make sure the packets don't get lost) versus responding to everything. That just wastes your bandwidth and CPU time, doubly so if you're logging it.

Really though, who cares if you get scanned now and then? Welcome to the internet. Are you filtering out winnuke packets too?

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Ninja Rope posted:

Not to rain on your parade, but no good scanners use the host's IP stack to do scans, it's all done in userland,

So the entire concept of making a tcp or udp connection to another host is done in userland? The utility runs in userland, sure, but the kernel still has to open a socket. Any network activity at all has to go through the kernel and network stack at some point or it simply will never reach your NIC and hit the wire. TCP connections don't die immediately when you're done unless they're closed cleanly (unlike tarpitting). They're held open for quite some time by default on nearly all platforms -- "CLOSE_WAIT". This is what kills you. You'll run out in no time.

And we're not even taking into consideration the limitations of session tracking on different platforms' firewalls.


edit: and really, this is only a serious issue in certain situations. On your home connection? You're probably fine. But if I was an intelligent-but-angry teenage angsty nerd who wanted to show you up I'd start by scanning before I launch an attack. And when I realize you're tarpitting me? Time to push out a script to 20 different hosts to each open defined port ranges to your router every X minutes. Doesn't take much traffic and now you're dead in the water.

feld fucked around with this message at 06:50 on Feb 10, 2012

Ninja Rope
Oct 22, 2005

Wee.

feld posted:

So the entire concept of making a tcp or udp connection to another host is done in userland?

Yes, nmap uses libdnet to craft packets in userland, so does unicornscan. Both programs implement their idea of TCP and IP internally. libdnet uses PF_PACKET on linux to send raw packets, but SOCK_RAW is available on other platforms if you don't mind the OS handling layer 2. You could also write to the ethernet device yourself, or let pcap do it for you via pcap_send or pcap_inject. nmap does have an option to let you use the host's stack, though (connect() scan).

You're also confusing the number of unique TCP and UDP port numbers (65535) with the number of active/outstanding connections. A host can have more than 65k open TCP connections if it has the memory.

If you scan the poo poo out of a host via TCP you could fill up the syn cache table, causing the host to drop new incoming connections. If supported the host may begin responding with SYN cookies, which use more CPU but no memory. Regardless of the protocol, if you scan fast enough you will eventually run the target out of CPU or bandwidth and you're just DoSing them at that point, though if he has a ton of firewall rules and logging enabled he will tap out sooner. Anyone actually trying to scan a host would do so slowly to help avoid detection and decrease the risk of packets being dropped. They'd also probably scan from multiple locations or from somewhere in China so the scan looks just like every other automated botnet scan.

Ninja Rope fucked around with this message at 23:03 on Feb 10, 2012

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Ninja Rope posted:

You're also confusing the number of unique TCP and UDP port numbers (65535) with the number of active/outstanding connections. A host can have more than 65k open TCP connections if it has the memory.

I think we're simply misunderstanding each other here.

I certainly understand the concept of more than 65K open TCP connections. Like if you have a webserver and you have 100,000 clients hitting it at once. That's fine, assuming your webserver can handle it. It's your port 80 to 100,000 other ports, one on each of the clients.

But if this tarpitting pretends that every port of yours is open to slow a scanner down... Now you can easily have your ports 1-65535 being used up very quickly. You can't make further outgoing connections because there's none left in the pool. You're now dead in the water because all of your ports are exhausted.

See what I mean?

Ninja Rope
Oct 22, 2005

Wee.
That's true, if some hypothetical tarpit program created and bound one socket per unused ephemeral port the host would be unable to initiate any outgoing TCP connections. However, that would be the case as soon as the sockets were bound, not triggered when someone connected all of the ports. The Linux/iptables tarpitting implementation is done inside iptables and doesn't prevent the port from being used for other connections. I don't know how the Mikrotik tarpit implementation works, but I imagine it uses iptables.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Ninja Rope posted:

That's true, if some hypothetical tarpit program created and bound one socket per unused ephemeral port the host would be unable to initiate any outgoing TCP connections. However, that would be the case as soon as the sockets were bound, not triggered when someone connected all of the ports. The Linux/iptables tarpitting implementation is done inside iptables and doesn't prevent the port from being used for other connections. I don't know how the Mikrotik tarpit implementation works, but I imagine it uses iptables.

I'm still a little fuzzy about how the firewall would respond on a port but the OS has nothing bound to it. Either way, I completely ignored the fact that yes, something would have to be bound to EVERY port. :downs:

You've made an irrefutable point. Thanks for following up. :)

Ninja Rope
Oct 22, 2005

Wee.
I hope I didn't come off as if I was trying to bust your balls, I've been working on something related for a while and felt like sperging out. Sorry if I seemed like a dick. :)

If you want to look at the xtables (the internal name for the "new" iptables) tarpit module, the source is here. The "tarpit_tcp" function is where incoming packets are replied to. It looks like it doesn't keep any state, it simply sends a reply to anything that has the SYN or ACK flag set and not RST or FIN.

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Ninja Rope posted:

I hope I didn't come off as if I was trying to bust your balls, I've been working on something related for a while and felt like sperging out. Sorry if I seemed like a dick. :)

Nope, no worries. And thanks for the link -- I'll browse the source later.

Cheers!

other people
Jun 27, 2004
Associate Christ
What the gently caress, Roku!

code:
[admin@mikrobox] /ip dhcp-server lease> print
Flags: X - disabled, R - radius, D - dynamic, B - blocked 
 #   ADDRESS                         MAC-ADDRESS       HOST-NAME                SERVER                RATE-LIMIT                STATUS 
 0   10.20.30.3                      00:21:97:2E:XX:XX gnubuntu                 server1                                         bound  
 1 D 10.20.30.6                      00:04:20:07:XX:XX vinylbox                 server1                                         bound  
 2 D 10.20.30.7                      00:1D:FE:D1:XX:XX                          server1                                         bound  
 3 D 10.20.30.4                      00:22:58:17:XX:XX printer                  server1                                         bound  
 4   10.20.30.80                     00:0D:4B:63:XX:XX                          server1              
 5 D 10.20.30.8                      00:16:CB:B6:XX:XX crapbook                 server1                                         bound  
 6 D 10.20.30.11                     00:16:CB:CB:XX:XX crapbook                 server1                                         bound  
 7 D 10.20.30.5                      7C:61:93:A2:XX:XX android-aaa8522e5a3aaaaa server1                                         bound 
10.20.30.80 is the Roku, which is streaming netflix as that output was generated. Why is the status not bound? Why, when I make a mangle for that MAC address, does it never catch anything?

The winbox interface lists 10.20.30.80 as unused and "waiting". No active address/mac/hostname/expiration.

CuddleChunks
Sep 18, 2004

It looks like it's a static lease. Notice there's no "D" in the dynamic column. If you check the Roku's page does it show that it has that IP address? Did you set the Roku to that static IP so it isn't trying to request DHCP?

other people
Jun 27, 2004
Associate Christ

CuddleChunks posted:

It looks like it's a static lease. Notice there's no "D" in the dynamic column. If you check the Roku's page does it show that it has that IP address? Did you set the Roku to that static IP so it isn't trying to request DHCP?

I made the DHCP lease static, because I was trying to mangle by IP since the mangle-by-mac was never picking it up. The Roku is using .80 via DHCP. I don't think the Roku even has the option to use static IPs.

I will unstatic it and see what happens. . .

edit: Well now it is working. It grabbed .9 with no problem. I swear it wouldn't do this before!

Another question, should this queue tree not see all incoming traffic?

add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=18M name=Incoming parent=global-in priority=8 \
queue=default

other people fucked around with this message at 00:46 on Feb 18, 2012

CuddleChunks
Sep 18, 2004

What are you trying to do with your queue? This is the main reference on it: http://wiki.mikrotik.com/wiki/Manual:Queue But if you tell us what you want to accomplish that will help with writing up something that will work.

Oh and this is important:
/queue tree menu - for implementing advanced queuing tasks (such as global prioritization policy, user group limitations). Requires marked packet flows from /ip firewall mangle facility.

other people
Jun 27, 2004
Associate Christ

CuddleChunks posted:

What are you trying to do with your queue? This is the main reference on it: http://wiki.mikrotik.com/wiki/Manual:Queue But if you tell us what you want to accomplish that will help with writing up something that will work.

Oh and this is important:
/queue tree menu - for implementing advanced queuing tasks (such as global prioritization policy, user group limitations). Requires marked packet flows from /ip firewall mangle facility.

Yeah, I think I understand that the queue only operates on properly marked packets. Here is what I have:

code:
[admin@mikrobox] /ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic 
 0   ;;; SSH
     chain=forward action=mark-packet new-packet-mark=priority_high passthrough=no layer7-protocol=ssh 

 1   ;;; ARP/DHCP
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no protocol=udp out-interface=ether1-wan 
     src-port=68 dst-port=67 

 2   ;;; DNS
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no protocol=udp out-interface=ether1-wan 
     dst-port=53 

 3   ;;; TCP control packets
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no tcp-flags=fin,syn,rst protocol=tcp 
     out-interface=ether1-wan 

 4   ;;; TCP ack
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no tcp-flags=ack protocol=tcp 
     out-interface=ether1-wan packet-size=40-89 

 5   ;;; TCP new
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no connection-state=new protocol=tcp 
     out-interface=ether1-wan 

 6   ;;; Torrent
     chain=postrouting action=mark-packet new-packet-mark=priority_files passthrough=no protocol=tcp src-port=24648-25658 

 7   ;;; p2p
     chain=postrouting action=mark-packet new-packet-mark=priority_files passthrough=no p2p=all-p2p 

 8   ;;; Crashplan
     chain=postrouting action=mark-packet new-packet-mark=priority_crashplan passthrough=no dst-address=50.93.246.1-50.93.246.255 

 9   ;;; youtube
     chain=postrouting action=mark-packet new-packet-mark=priority_youtube passthrough=no layer7-protocol=youtube 

10   ;;; Roku
     chain=prerouting action=mark-packet new-packet-mark=priority_roku passthrough=no src-mac-address=00:0D:4B:63:17:BD 

11   ;;; Netflix
     chain=postrouting action=mark-packet new-packet-mark=priority_roku passthrough=no dst-address-list=netflix 

12   ;;; HTTP/HTTPS
     chain=postrouting action=mark-packet new-packet-mark=priority_surf passthrough=no protocol=tcp out-interface=ether1-wan 
     port=80,443 

[admin@mikrobox] /queue tree> print
Flags: X - disabled, I - invalid 
 0   name="Outgoing" parent=global-out limit-at=0 priority=8 max-limit=2M burst-limit=0 burst-threshold=0 burst-time=0s 

 1   name="High priority" parent=Outgoing packet-mark=priority_high limit-at=50k queue=default priority=4 max-limit=650k burst-limit=0 
     burst-threshold=0 burst-time=0s 

 2   name="Critical" parent=Outgoing packet-mark=priority_critical limit-at=50k queue=default priority=1 max-limit=500k burst-limit=0 
     burst-threshold=0 burst-time=0s 

 3   name="Surfing" parent=Outgoing packet-mark=priority_surf limit-at=100k queue=default priority=6 max-limit=2M burst-limit=0 
     burst-threshold=0 burst-time=0s 

 4   name="Roku" parent=Outgoing packet-mark=priority_roku limit-at=150k queue=default priority=5 max-limit=2M burst-limit=0 
     burst-threshold=0 burst-time=0s 

 5   name="Crashplan" parent=Outgoing packet-mark=priority_crashplan limit-at=0 queue=default priority=8 max-limit=1500k burst-limit=0 
     burst-threshold=0 burst-time=0s 

 6   name="Files" parent=Outgoing packet-mark=priority_files limit-at=0 queue=default priority=8 max-limit=1500k burst-limit=0 
     burst-threshold=0 burst-time=0s 

 7   name="Incoming" parent=global-in limit-at=0 queue=default priority=8 max-limit=18M burst-limit=0 burst-threshold=0 burst-time=0s

I have to admit, I copied the ARP/DHCP/TCP/DNS stuff straight from a MikroTik forum post. I think I kind of grasp what it is doing, but I don't know enough to know if it is a good idea!

All in all, it works quite well as is, but we still have trouble with the Netflix/Roku being very slow to load and dropping the stream if Crashplan/BitTorrent are going nuts.

I think part of the problem is that the roku/netflix mangle rule doesn't seem to catch the streaming video. Also the video stream is obviously a download stream.

Is it because the streaming stuff is being caught by the TCP ack mangle rule, or is all that streaming stuff UDP?

I don't really know what I am talking about.

Ninja Rope
Oct 22, 2005

Wee.
I can't speak for others, but Netflix streaming is TCP.

NOTinuyasha
Oct 17, 2006

 
The Great Twist
The incoming queue tree isn't functional, unless you didn't intend to use it in the first place? You don't have any connection tracking set up, so...

I don't think this rule will work as intended either:

code:
 3   ;;; TCP control packets
     chain=postrouting action=mark-packet new-packet-mark=priority_critical passthrough=no tcp-flags=fin,syn,rst protocol=tcp 
     out-interface=ether1-wan 
Since it will only match packets with those three flags set at once.

MikroTik QoS is still alien to me so I could very well be wrong about all that.
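
To make the two points above concrete (first-match ordering under passthrough=no, and the tcp-flags=fin,syn,rst matcher only firing when all three bits are set), here is a small simulation written for this thread. It is not RouterOS code and not anything async1ronous or NOTinuyasha posted: it walks the postrouting rules from the print output that can be decided from packet headers alone (the address-list, layer7 and p2p matchers are left out) and models tcp-flags the way NOTinuyasha reads it, every listed flag must be set and a "!flag" must be clear. That reading of the RouterOS matcher, and the sample packets, are assumptions made for the example.

```python
"""Added example for this thread: simulate RouterOS mangle first-match
(passthrough=no) over the postrouting rules from the post, with a
tcp-flags matcher that requires every listed flag to be set (ASSUMPTION
modelled on NOTinuyasha's reading, not taken from RouterOS source)."""
from dataclasses import dataclass
from typing import Optional, Tuple

# TCP flag bit values as laid out in the TCP header (RFC 793 / RFC 3168)
TCP_FLAGS = {"fin": 0x01, "syn": 0x02, "rst": 0x04, "psh": 0x08,
             "ack": 0x10, "urg": 0x20, "ece": 0x40, "cwr": 0x80}


def parse_tcp_flags(spec: str) -> Tuple[int, int]:
    """Turn 'fin,syn,rst' or 'syn,!ack' into (mask, wanted), iptables
    --tcp-flags style: mask = bits examined, wanted = bits that must be set."""
    mask = wanted = 0
    for token in spec.split(","):
        token = token.strip()
        negate = token.startswith("!")
        bit = TCP_FLAGS[token.lstrip("!")]
        mask |= bit
        if not negate:
            wanted |= bit
    return mask, wanted


def tcp_flags_match(spec: str, flags: int) -> bool:
    """True only when all positive flags are set and all '!' flags are clear."""
    mask, wanted = parse_tcp_flags(spec)
    return (flags & mask) == wanted


@dataclass
class Packet:
    protocol: str                  # "tcp" or "udp"
    out_interface: str
    size: int                      # total IP packet length in bytes
    flags: int = 0                 # TCP flag bits, 0 for UDP
    src_port: int = 0
    dst_port: int = 0
    connection_state: str = "established"


@dataclass
class MangleRule:
    comment: str
    new_packet_mark: str
    protocol: Optional[str] = None
    tcp_flags: Optional[str] = None
    packet_size: Optional[Tuple[int, int]] = None   # inclusive byte range
    out_interface: Optional[str] = None
    connection_state: Optional[str] = None
    src_port: Optional[Tuple[int, int]] = None      # inclusive port range
    port: Tuple[int, ...] = ()                      # matches src OR dst port

    def matches(self, p: Packet) -> bool:
        """Every matcher present on the rule must agree, like RouterOS."""
        if self.protocol and p.protocol != self.protocol:
            return False
        if self.out_interface and p.out_interface != self.out_interface:
            return False
        if self.connection_state and p.connection_state != self.connection_state:
            return False
        if self.tcp_flags and not tcp_flags_match(self.tcp_flags, p.flags):
            return False
        if self.packet_size and not (self.packet_size[0] <= p.size <= self.packet_size[1]):
            return False
        if self.src_port and not (self.src_port[0] <= p.src_port <= self.src_port[1]):
            return False
        if self.port and p.src_port not in self.port and p.dst_port not in self.port:
            return False
        return True


# Rules 3, 4, 5, 6 and 12 from the post, in their printed order.
POSTROUTING = [
    MangleRule("TCP control packets", "priority_critical", protocol="tcp",
               tcp_flags="fin,syn,rst", out_interface="ether1-wan"),
    MangleRule("TCP ack", "priority_critical", protocol="tcp", tcp_flags="ack",
               out_interface="ether1-wan", packet_size=(40, 89)),
    MangleRule("TCP new", "priority_critical", protocol="tcp",
               connection_state="new", out_interface="ether1-wan"),
    MangleRule("Torrent", "priority_files", protocol="tcp", src_port=(24648, 25658)),
    MangleRule("HTTP/HTTPS", "priority_surf", protocol="tcp",
               out_interface="ether1-wan", port=(80, 443)),
]


def first_mark(rules, p: Packet) -> Optional[str]:
    """passthrough=no on every rule: the first match sets the packet mark
    and the packet leaves the chain; None means no rule marked it."""
    for rule in rules:
        if rule.matches(p):
            return rule.new_packet_mark
    return None


if __name__ == "__main__":
    F = TCP_FLAGS
    wan = "ether1-wan"
    # Constructed sample packets, all leaving on ether1-wan.
    samples = {
        "bare SYN, new HTTPS connection": Packet("tcp", wan, 60, F["syn"], 51000, 443, "new"),
        "bare RST, established HTTPS":    Packet("tcp", wan, 40, F["rst"], 51000, 443),
        "52-byte ACK from torrent port":  Packet("tcp", wan, 52, F["ack"], 25000, 6881),
        "1500-byte torrent data segment": Packet("tcp", wan, 1500, F["ack"] | F["psh"], 25000, 6881),
        "UDP to port 443":                Packet("udp", wan, 1200, 0, 51000, 443),
    }
    for label, pkt in samples.items():
        print(f"{label:32} -> {first_mark(POSTROUTING, pkt)}")
```

Two things fall out of running it: a bare SYN still ends up priority_critical, but only because the "TCP new" rule catches it after "TCP control packets" misses, and a bare RST on an established HTTPS flow falls all the way through to the HTTP/HTTPS rule. Rule order also means every small ACK, torrent peers included, is marked critical by the "TCP ack" rule before the "Torrent" rule ever sees it.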

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe
I have a very simple question about raw speeds that I hope someone can answer.

I currently have 100/5 internet service which is scheduled to go to 250/15 some time this year. I also currently have 7 wired devices at my house which all have gigabit interfaces.

If I purchase an RB493, then:
- connect the WAN connection to port 1
- set up a switch group of ports 2-9 to which my wired devices will connect
- set up port forwarding rules from WAN-to-LAN (e.g. forwarding RDP to an internal box, etc.)

Will I still see full gigabit traffic (let's say 900 Mbps, give or take, assuming TCP overhead) on the internal switch group as there will be no rules applied to it, and still get 250 Mbps from WAN-to-LAN, or will the fact that I've done even a little bit of NAT stuff (the port forwarding) drop the LAN-to-LAN speeds down significantly?

I won't be doing any QoS or any routing other than the basic WAN-to-LAN and LAN-to-WAN.

falz
Jan 29, 2005

01100110 01100001 01101100 01111010
If it has a switch chip you should be able to get wire speed as long as it's being used. Routing speed depends on features + pps. Enabling NAT alone probably halves your speed (guess). If it's all larger packets at a short rate you can likely achieve decent results. They have test results for straight up routing in a pdf on routerboard.com, take that info and divide it in half, or even up to 80% lower and see where that puts you.

nexxai
Jul 17, 2002

quack quack bjork
Fun Shoe

falz posted:

If it has a switch chip...
Where would I find this out?

EDIT: Nevermind. The big text at the top of the page lists "two switch chips".

Do I get to pick which ports each chip uses or is it split 4 on one and 5 on the other?

falz
Jan 29, 2005

01100110 01100001 01101100 01111010

nexxai posted:

Where would I find this out?

EDIT: Nevermind. The big text at the top of the page lists "two switch chips".

Do I get to pick which ports each chip uses or is it split 4 on one and 5 on the other?
There's a group of ports for each switch chip. According to this:

* Atheros8316 is present on RB493G (ether1+ether6-ether9, ether2-ether5),
* ICPlus178C is present on RB493 series (ether2-ether9)

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?

NOTinuyasha posted:

The RB751G is now available - same as the RB751U, but with gigabit ethernet.

http://routerboard.com/RB751G-2HnD
Does that one do the usual routing/firewalling too, or is it just an AP with a switch built in?

Weird Uncle Dave
Sep 2, 2003

I could do this all day.

Buglord

Mr Chips posted:

Does that one do the usual routing/firewalling too, or is it just an AP with a switch built in?

They still run RouterOS, so you can do firewalling and routing and BGP and all the usual stuff.

Mr Chips
Jun 27, 2007
Whose arse do I have to blow smoke up to get rid of this baby?
thanks. I can see quite a few of those ending up in our branch offices if the pair ordered today end up doing what I want, and replacing ageing Cisco branch routers.

The_Franz
Aug 8, 2003

It looks like they finally started to release the RB2011 devices.

http://routerboard.com/RB2011L-IN

aluminumonkey
Jun 19, 2002

Reggie loves tacos
Ugh. I just picked up a RB450G and when I power it on, I get the beeps but no connection lights on the ethernet ports. This is my first Routerboard so I am not sure what the startup sounds are supposed to be like. Any pointers?

here is a video Boot Issues


Remit
Nov 9, 2007
Is this a new RB450g, or a used one? Mine all sound similar, with the last 2 beeps meaning it is booted and ready. You can try this though:

http://wiki.mikrotik.com/wiki/Manual:Password_reset

aluminumonkey
Jun 19, 2002

Reggie loves tacos
This is a brand new 450G. I did the manual reset along with resetting it through the serial connection. I still get no power to the ethernet ports.

I am in contact with the supplier to see what my next options are.

CuddleChunks
Sep 18, 2004

sparticus posted:

Ugh. I just picked up a RB450G and when I power it on, I get the beeps but no connection lights on the ethernet ports. This is my first Routerboard so I am not sure what the startup sounds are supposed to be like. Any pointers?

here is a video Boot Issues

That chirping at the start sounds like it's unhappy with the power supply. What voltage do you have? The double-beeps at the end says it has finally booted. One thing I'd do is plug a serial cable into the port and watch the boot process directly. It spits out a bunch of handy data in there. I'd also try a 24v power supply.

On the other hand, you have a new unit that is being weird out of the box. Talking to your vendor is a smart move since it's new. It should just work, dangit.

aluminumonkey
Jun 19, 2002

Reggie loves tacos

CuddleChunks posted:

That chirping at the start sounds like it's unhappy with the power supply. What voltage do you have? The double-beeps at the end says it has finally booted. One thing I'd do is plug a serial cable into the port and watch the boot process directly. It spits out a bunch of handy data in there. I'd also try a 24v power supply.

On the other hand, you have a new unit that is being weird out of the box. Talking to your vendor is a smart move since it's new. It should just work, dangit.

The chirping went away after doing a grounding reset. Waiting to hear back from roc-noc.

Is there anything I can check through the serial port to see if the ethernet ports are dead?

CuddleChunks
Sep 18, 2004

sparticus posted:

Is there anything I can check through the serial port to see if the ethernet ports are dead?

I believe you can see if it's booting to the flash drive, which will load the mikrotik OS. If it's not doing that due to some foolishness at the factory then you can set it there. I don't remember right now if there is a specific diagnostic you can do but I'm very concerned that you aren't getting link lights. In the end, you probably have a bad board and they should get it replaced right away.
