CuddleChunks
Sep 18, 2004

Yeah it should be fine. There's lots of fiddly little options in the dhcp setup section.


BaconBeast
Aug 18, 2006
I'll take the hundy pounder and fries, thanks.
I've got a RB2011 which is working fantastically as a router for a charity.

I'm looking to set up the hotspot functionality on it (with AD as the RADIUS server, it's going to supply the hotspot to about 150 active volunteers), however when I try and configure the hotspot and look in the router's files all I see are empty folders.

I've tried factory resetting the device and uninstalling and reinstalling the hotspot package to see if that replaces the files. Is there anything else I can try?

feld
Feb 11, 2008

Out of nowhere its.....

Feldman

Has anyone seen an RB493 just suddenly begin failing to get DHCP from a cable modem? Had a customer call up with that and it was quite bizarre. Still think it's his ISP as it gets a link and everything. He can also plug in *any* other device and get his IP.


In other news, I have an RB750G that needs a new home. I have too many network devices. PM me if you're interested.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

TOOLS TOOLS TOOLS TOOLS!

There's so many TOOLS for you to choose from! From within Winbox:

Tools -> Ping
Tools -> Packet Sniffer (super handy for gathering data to analyze in Wireshark)
Tools -> Torch
System -> Logging (add a topic and send it to memory to get extensive debug info dumped into the logs)

Hopefully somewhere in that pile of Tools will be something that helps you solve your issue.

Fair enough. I've gone into System -> Logging, configured a new topic of "interface" as well as "debug" just below it. I'm guessing the results of this debug are supposed to appear in the log through Winbox? It doesn't seem to display any diagnostics after configuring the topic. Same result if I do /log -> print in a new terminal window. Is it because of the logging rules currently configured in the IP -> Firewall?

CuddleChunks
Sep 18, 2004

If you unplug and replug a live ethernet connection does the log fill with diagnostic info? That's what I would expect an interface log to show.

darkhand
Jan 18, 2010

This beard just won't do!
I'm trying to segregate our LAN somewhat at the moment. We have over 100 devices or so all on the same subnet, 192.168.2.0/24 . I don't know if it's related, but we started having our so/ho routers crapping the bed. I got it in my mind that I would fix this through segregating into subnets, and separate unsecured wifi. I'm trying to figure out the best way to do this, or if it's even needed?

I got a 10port + wireless routerboard, and it's pretty sweet. I need some help on how to accomplish setting this up.

So our entire network is attached to (unmanaged,cheap)switches throughout the building, then connected to our router/gateway which is 192.168.2.3. We have a Windows Server that does DHCP, file and print sharing, etc on 192.168.2.10

We have a central switch I think I can replace with the Routerboard. It will have 4 switches attached, which are the switches I want to subnet. I can assign addresses to interfaces like (WAN) 192.168.2.1, ether3 192.168.3.1, ether4 192.168.4.1, and ether5 192.168.5.1. I can then assign dhcp-relays to our central dhcp server, or I can just replicate the dhcp server's settings for WINS, DNS,etc. That should be able to segregate our museum, planetarium, and art gallery into subnets and connect to our gateway.

My hang-up is how should I route the subnets? I can bridge the interfaces, but from what I'm reading bridging forwards broadcasts, which is what I believe I want to cut down on. I assume this is a NAT issue, should/can I just turn NAT off, or should I forward all 192.0.0.0/8 ?

I only want them isolated from broadcasts, I still want them to be able to connect to each other, or at least be able to connect to the server.

I'm in the middle of trying to learn a bunch of this stuff, so tell me if what I'm doing is idiotic

darkhand fucked around with this message at 05:38 on May 8, 2013

thebigcow
Jan 3, 2001

Bully!

darkhand posted:

I'm in the middle of trying to learn a bunch of this stuff, so tell me if what I'm doing is idiotic

It makes sense if you want to cut down on the amount of broadcast traffic. Keep in mind that:

a) You'll be using RouterOS DHCP server which means no good way to register the host names of DHCP clients with your Windows server

b) You'll be routing traffic between subnets on the Routerboard. This will be slower than a switch and may be a new bottleneck depending on how your network is used.

Each interface getting its own subnet will need to be taken off the switch chip, will need its own DHCP server settings and pool assigned, and an IP in that subnet which will be defined as the default gateway in DHCP. You shouldn't need to set up any routing as it already knows about the networks it has an interface on. I think you'll need to set up a WINS server on your Windows machine if it isn't already running or none of the Windows Networking stuff will work between subnets, this address is handed out by DHCP.

I've never done this so I'm probably missing/wrong about a few things :)

The Diddler
Jun 22, 2006


I've had a RB493G for a while, and while it took a couple of days to get it working, it's been rock solid for months. However, I need to set up QoS.

I currently have 2 devices hard wired with wireless running off of a Ubiquity Unifi AP. Due to my apartment layout, all of my streaming video is done over wifi. I would like to set it up so traffic on {Interface AP} has higher priority over {Interface A} and {Interface B} whenever it's required. I get the impression that what I want isn't exactly possible, but what's the easiest/most efficient way to get what I need?

Thanks Ants
May 21, 2004

#essereFerrari


Can someone idiot check what I'm doing here? I found something online which said the only thing I need to do to have a service on my LAN accessible from outside is to do this:

code:
add action=dst-nat chain=dstnat comment="WebDAV TCP 443" disabled=no \
    dst-address=a.b.c.d in-interface=ether1 protocol=tcp src-port=443 \
    to-addresses=192.168.0.22 to-ports=443

Where a.b.c.d is the external IP address I want to use for that service (I have a block of 8, they have all been added to the router's address list and all ping, I have set the preferred source address for the gateway etc, internet connectivity works as normal). However nothing can see the page running on port 443 in the example above. Am I supposed to also add a firewall rule, and how should it look if I am?

Edit: Scratch that. One of the dynamic routes has a preferred source which is one of the IPs that I don't want to use as our gateway and it's using this for some reason. Anyone got any ideas?

Thanks Ants fucked around with this message at 15:00 on May 19, 2013

SamDabbers
May 26, 2003



Caged posted:

Can someone idiot check what I'm doing here? I found something online which said the only thing I need to do to have a service on my LAN accessible from outside is to do this:

code:
add action=dst-nat chain=dstnat comment="WebDAV TCP 443" disabled=no \
    dst-address=a.b.c.d in-interface=ether1 protocol=tcp src-port=443 \
    to-addresses=192.168.0.22 to-ports=443

Where a.b.c.d is the external IP address I want to use for that service (I have a block of 8, they have all been added to the router's address list and all ping, I have set the preferred source address for the gateway etc, internet connectivity works as normal). However nothing can see the page running on port 443 in the example above. Am I supposed to also add a firewall rule, and how should it look if I am?

Looks good, but you'll also need to create a filter rule on the forward chain to allow the NAT'd traffic in. Use the private address in the filter rule, because NAT happens before filtering.

code:
add chain=forward comment="WebDAV TCP 443" connection-state=new dst-address=192.168.0.22 dst-port=443 protocol=tcp

Thanks Ants
May 21, 2004

#essereFerrari


Thanks, that makes sense but this still isn't working. Should the new NAT and Firewall rules be above the defaults if these are in Winbox? The default masquerade NAT rule is still in there which I believe is what's giving me working internet at the moment.

SamDabbers
May 26, 2003



Can you post an export of the /ip firewall section? Remember to sanitize your external IPs.

code:
[admin@routerboard] > /ip firewall
[admin@routerboard] /ip firewall> export

Thanks Ants
May 21, 2004

#essereFerrari


code:
# may/19/2013 14:14:43 by RouterOS 5.25
# software id = PKRJ-BZK6
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=forward comment="WebDAV TCP 443" connection-state=new disabled=no dst-address=192.168.0.22 dst-port=443 protocol=tcp
add action=accept chain=input comment="default configuration" disabled=no protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=no
add action=accept chain=input comment="default configuration" connection-state=related disabled=no
add action=drop chain=input comment="default configuration" disabled=no in-interface=ether1
add action=accept chain=forward comment="default configuration" connection-state=established disabled=no
add action=accept chain=forward comment="default configuration" connection-state=related disabled=no
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=no
/ip firewall nat
add action=dst-nat chain=dstnat comment="WebDAV TCP 443" disabled=no dst-address=xxx.222.84.211 in-interface=ether1 protocol=tcp src-port=443 to-addresses=192.168.0.22 to-ports=443
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1 to-addresses=0.0.0.0
add action=dst-nat chain=dstnat comment="3CX TCP 5060" disabled=no dst-address=xxx.222.84.210 in-interface=ether1 protocol=tcp src-port=5060 to-addresses=192.168.0.21 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX UDP 5060" disabled=no dst-address=xxx.222.84.210 in-interface=ether1 protocol=udp src-port=5060 to-addresses=192.168.0.21 to-ports=5060
add action=dst-nat chain=dstnat comment="3CX UDP 9000-9049" disabled=no dst-address=xxx.222.84.210 in-interface=ether1 protocol=udp src-port=9000-9049 to-addresses=192.168.0.21 to-ports=9000-9049
add action=dst-nat chain=dstnat comment="OpenVPN TCP 443" disabled=no dst-address=xxx.222.84.209 in-interface=ether1 protocol=tcp src-port=443 to-addresses=192.168.0.20 to-ports=443
add action=dst-nat chain=dstnat comment="OpenVPN UDP 1194" disabled=no dst-address=xxx.222.84.209 in-interface=ether1 protocol=udp src-port=1194 to-addresses=192.168.0.20 to-ports=1194
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

Thanks for the help so far, I imagine it's something annoyingly basic.

SamDabbers
May 26, 2003



I have a hunch that the counters for all your dst-nat rules are zero. Change the src-port=x to dst-port=x in each rule and it should work. You want to match a packet destined to port x, no matter what the source port is.

As far as rule ordering goes, the only hard requirement is that the "accept" rules in the filter section have to go above the "drop" rule at the end of each chain. I'd put the "connection-state=established" and "connection-state=related" rules above your port forward rules, simply because the majority of your packets will be matched by them.

SamDabbers fucked around with this message at 15:32 on May 19, 2013
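
The two checks SamDabbers describes in this exchange (dst-nat rules must match on dst-port, and the forward chain must accept the translated private address) can be run mechanically against an export. This Python sketch is an added example, not code from the thread; the sample export is constructed, its public addresses are placeholders, and the final drop rule on the forward chain is an assumption.

```python
import re
import shlex

# Constructed sample modelled on the export in the thread. Public addresses are
# placeholders; the final forward drop rule is an assumption added for the check.
SAMPLE_EXPORT = r'''
/ip firewall filter
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=accept chain=forward comment="WebDAV TCP 443" connection-state=new \
    dst-address=192.168.0.22 dst-port=443 protocol=tcp
add action=drop chain=forward comment="constructed: drop the rest" in-interface=ether1
/ip firewall nat
add action=dst-nat chain=dstnat comment="WebDAV TCP 443" dst-address=203.0.113.11 \
    in-interface=ether1 protocol=tcp src-port=443 to-addresses=192.168.0.22 to-ports=443
add action=masquerade chain=srcnat comment="default configuration" out-interface=ether1
add action=dst-nat chain=dstnat comment="OpenVPN UDP 1194" dst-address=203.0.113.9 \
    in-interface=ether1 protocol=udp dst-port=1194 to-addresses=192.168.0.20 to-ports=1194
'''


def parse_export(text):
    """Return [(section, {property: value})] for every 'add' line of an export."""
    text = re.sub(r"\\\r?\n\s*", " ", text)  # join backslash line continuations
    section, rules = None, []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line[4:])  # keeps comment="a b c" as one token
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules


def forward_allows(accepts, addr, port, proto):
    """True if some forward accept rule names this address, port and protocol."""
    return any(r.get("dst-address") == addr and r.get("dst-port") == port
               and r.get("protocol") == proto for r in accepts)


def audit_port_forwards(text):
    """Return [(rule comment, problem)] for the dst-nat rules in an export."""
    rules = parse_export(text)
    accepts = [p for s, p in rules
               if s == "/ip firewall filter" and p.get("chain") == "forward"
               and p.get("action", "accept") == "accept"]
    findings = []
    for section, p in rules:
        if section != "/ip firewall nat" or p.get("action") != "dst-nat":
            continue
        name = p.get("comment", "(no comment)")
        # A client's source port is ephemeral, so this rule's counters stay at zero.
        if "src-port" in p and "dst-port" not in p:
            findings.append((name, "matches src-port instead of dst-port"))
        # NAT runs before the filter, so the forward chain sees the private address.
        proto, port = p.get("protocol"), p.get("to-ports")
        if not forward_allows(accepts, p.get("to-addresses"), port, proto):
            if forward_allows(accepts, p.get("dst-address"), port, proto):
                findings.append((name, "forward rule uses the public address"))
            else:
                findings.append((name, "no forward accept for the translated address"))
    return findings


if __name__ == "__main__":
    for name, problem in audit_port_forwards(SAMPLE_EXPORT):
        print(f"{name}: {problem}")
```
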

Thanks Ants
May 21, 2004

#essereFerrari


They were at zero, I changed those. However I think there's a more fundamental issue as there isn't a ping response to that address from the WAN side, and HTTPS connections still don't work. Pings to other addresses in the same IP block from our ISP work fine.

I've moved the HTTPS stuff onto the address that is working and everything's fine. I think I'll be calling the ISP next. Thanks for your help with everything though. Do you want a forums upgrade?

SamDabbers
May 26, 2003



Nah, I'm cool on the forums upgrades; just pay it forward :)

Good luck getting it straightened out with your ISP. Is the address that works, by chance, the address assigned in your Mikrotik to ether1? It won't respond to pings sent to addresses that aren't on one of its interfaces, and that's normal. You may need to configure your other addresses as secondary IPs on ether1 to get things working:

code:
/ip address add address=x.x.x.y netmask=255.255.255.255 interface=ether1

This would mean that you'd also need to change your masquerade rule to explicitly set the to-address, instead of having it pick automatically with 0.0.0.0.

SamDabbers fucked around with this message at 15:59 on May 19, 2013

Thanks Ants
May 21, 2004

#essereFerrari


This is what that section looks like:

code:
add address=xxx.222.84.208/22 comment=Router disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.210/22 comment=3CX disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.209/22 comment=OpenVPN disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.213/22 comment="Remote Desktop Gateway" disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.211/22 comment=WebDAV disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.212/22 disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.214/22 disabled=no interface=ether1 network=xxx.222.84.0
add address=xxx.222.84.215/22 disabled=no interface=ether1 network=xxx.222.84.0

They aren't specifically secondary addresses but they are all addresses on that interface. I've changed the NAT to:

code:
add action=src-nat chain=srcnat comment="default configuration" disabled=no out-interface=ether1 to-addresses=xxx.222.84.208

Edit: Addresses that work are .208, .210, .213, .214, .215. There's not really any pattern in that that I can see.

Edit again: I've removed all the addresses above except for

code:
add address=xxx.222.84.208/22 comment=Router disabled=no interface=ether1 network=xxx.222.84.0

And still having issues getting stuff to connect on certain IPs but working fine on others. I'll contact the ISP I think.

Edit again again: Spoke to the ISP, ended up setting a src-nat to send a client out of each of the IP addresses in turn after adding them back in, and it worked fine (verified it was going out on the correct IP as well). Pinged them all from outside the network and everything worked except .212. I'm lost now but I've worked around things and things are at a point where they are working well enough for now. Just SIP calls take ages to go out but I can live with that.

Thanks Ants fucked around with this message at 17:43 on May 19, 2013

Thanks Ants
May 21, 2004

#essereFerrari


Mikrotik posted:

RouterOS 6 released:

================================
What's new in 6.0 (2013-May-17 14:04):

*) ipsec - added /peer passive option which will prevent starting ISAKMP negotiation
and signifies xauth responder/initiator side;
*) RouterBOARD - default wireless config now includes password - serial number;
*) lte - support YOTA WLTUBA-107;
*) console - fixed crash when variable name was not specified for
*) hotspot - added mac-cookie login method;
http://wiki.mikrotik.com/wiki/Manual:Hotspot_Introduction#MAC_Cookie
*) lcd - show a message when system shutdown is complete;
*) lcd - added Log screen which is accessible through the Main Menu
and shows log messages where action=echo;
*) ipsec - added pre-shared-key-xauth and rsa-signature-hybrid authentication methods;
*) increased max l2mtu on CCR to 10226 bytes;
*) fixed crash on RB1200;
*) fixed bonding - did not work after remove, undo;
*) fixed queues - router could become unresponsive when configuring queues;
================================

http://mikrotik.com/download/

SamDabbers
May 26, 2003



Apparently IPv6 conntrack is broken in 6.0 final. Rules don't appear to create connections in the connections tab, so reply packets don't hit "allow established/related" rules and end up getting dropped. IPv4 conntrack still runs like a champ.

I like how random stuff breaks in every ROS release, no matter how seemingly unrelated it is to things they've put in the changelogs. The autoreply from support@mikrotik.com says to wipe the config and reenter it :thumbsup:

Anyone have a chance to tinker with a Ubiquiti EdgeRouter? I picked one up last week for my lab; this might be the perfect time to try it out.

SamDabbers fucked around with this message at 17:43 on May 21, 2013

1550NM
Aug 31, 2004
Frossen fisk
Does anybody have anything bad to say about the RB1200? I'm considering it for a replacement gateway for a wireless network with 60 mbps pipe and anywhere from 10 to 90 users at peak.

SamDabbers
May 26, 2003



I don't have any direct experience with the RB1200, but I have read some reports that it's somewhat underpowered. For $50 more you could get the RB1100Hx2, which is significantly more powerful with dual cores and double the RAM. The extra power can't hurt, especially if you'll have a bunch of queues.

1550NM
Aug 31, 2004
Frossen fisk
I'll check out the RB1100, I'm currently mostly window shopping Mikrotik after having been pleasantly surprised by the RB750s that I had to roll out in haste when another supplier failed to deliver.

My Mikrotik reseller is pretty aggressive about HS Network Manager in conjunction with Mikrotik hotspots for delivering guest network functionality.

Anybody here tried it? It seems on paper and in presentation as a pretty decent solution for managing and reselling Hotspot functionality.

CuddleChunks
Sep 18, 2004

I haven't seen it but we've deployed hotspot through the mikrotik in several locations. I think we end up building some custom web pages, turn on the hotspot service and plop those down into the mikrotik that's handling hotspotting.

Maybe this HSManager thing helps automate all that.

daita
May 22, 2013

CuddleChunks posted:

If you unplug and replug a live ethernet connection does the log fill with diagnostic info? That's what I would expect an interface log to show.

19:35:45 interface,info ether1 link down
19:35:47 interface,info ether1 link up (speed 100M, full duplex)

daita
May 22, 2013

1550NM posted:

Does anybody have anything bad to say about the RB1200? I'm considering it for a replacement gateway for a wireless network with 60 mbps pipe and anywhere from 10 to 90 users at peak.

Can't say much about the RB1200, but I can give you an idea of running more or less the same configuration with RB1100 (rOS 4.17) and I have no problem at all. CPU won't load more than 10% (cause I think the main difference between RB1100 and RB1200 is the cpu ?)
I am also using an RB493 (rOS 4.17) with 40 Users peak on 6x 24 Mbps ADSL Link, and it works fine as long as I take care of the users' database (wiping sessions and database rebuild) every week.

Anyone tried the last rOS 6.0 ? Are the CCR usable in prod environment ?

PUBLIC TOILET
Jun 13, 2009

daita posted:

19:35:45 interface,info ether1 link down
19:35:47 interface,info ether1 link up (speed 100M, full duplex)

:iia: Pretty much. Just as an update, I have to fiddle with the device to get it to connect and pull a lease from the router. Supposedly the device may be overheating (at least the NIC might be) and that's why this problem occurs. I just chalk it up to age and build quality. Sometimes if I erase the DHCP lease, disconnect the patch cable while it's powered on then plug it back in, it will reconnect, grab a lease and then connect at 100M. It is a strange one but unsurprising.

daita
May 22, 2013
have you tried with another ethernet cable ? :]

Remit
Nov 9, 2007

1550NM posted:

Does anybody have anything bad to say about the RB1200? I'm considering it for a replacement gateway for a wireless network with 60 mbps pipe and anywhere from 10 to 90 users at peak.

I have a RB1200 at one head end with about 220 customers. At 45Mbps with about 15 firewall rules the CPU hits about 35%. I would go with the 1100ah just to be safe

1550NM
Aug 31, 2004
Frossen fisk

Remit posted:

I have a RB1200 at one head end with about 220 customers. At 45Mbps with about 15 firewall rules the CPU hits about 35%. I would go with the 1100ah just to be safe

Yeah, the 1100ah it is. It's not that much more expensive, and choosing just enough is the reason that I have to look around for a decent replacement.

thebigcow
Jan 3, 2001

Bully!
Has anyone tried RouterOS 6 yet?

CuddleChunks
Sep 18, 2004

thebigcow posted:

Has anyone tried RouterOS 6 yet?

Yeah. The new icons are nifty, it seems to solve some problems with nstreme 2 which is good news. Seems stable though we don't have it in general use across the network yet. I've got the release candidate installed at home and it has been fine. I may update to the full version this weekend or something.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Yeah. The new icons are nifty, it seems to solve some problems with nstreme 2 which is good news. Seems stable though we don't have it in general use across the network yet. I've got the release candidate installed at home and it has been fine. I may update to the full version this weekend or something.

Yeah I see they have a new release (6.1) that came out on 6/12. I was going to ask if there are any known issues before upgrading from 5.25.

thebigcow
Jan 3, 2001

Bully!

PUBLIC TOILET posted:

Yeah I see they have a new release (6.1) that came out on 6/12. I was going to ask if there are any known issues before upgrading from 5.25.

With MikroTik it's the unknown issues :ohdear:

SamDabbers
May 26, 2003



thebigcow posted:

With MikroTik it's the unknown issues :ohdear:

This. And don't even bother contacting their support when you run into one.

When I upgraded to 6.0 final from rc14, IPv6 conntrack stopped working. That is, none of the rules would create state and everything was hitting the default drop rules. I sent a detailed writeup of the problem (a bug report, really) with a supout file to support@mikrotik.com, and it took over a week for someone to respond with a link to a pre-release build of 6.1 and "no, you're wrong; it works fine."

I like the hardware and RouterOS features; they're really quite interesting and powerful products, but I'd not put them in production, or even install minor point release updates on deployed units, without lots of testing and validation beforehand for a particular software release and hardware set. Between the random software defects in every point release, sometimes having to be "fixed" multiple times according to the changelog, and the company's terrible attitude towards support, I find it hard to recommend them for serious business purposes unless you're willing to support it all yourself.

Wolf on Air
Dec 31, 2004

Combat Instructor
Armed Forces, Time-Space Administration Bureau

SamDabbers posted:

When I upgraded to 6.0 final from rc14, IPv6 conntrack stopped working. That is, none of the rules would create state and everything was hitting the default drop rules. I sent a detailed writeup of the problem (a bug report, really) with a supout file to support@mikrotik.com, and it took over a week for someone to respond with a link to a pre-release build of 6.1 and "no, you're wrong; it works fine."

Oh, so you're the other guy who reported that.

quote:

Hello,

if after update you still have the issue, please generate support output file and
send it to us. We have another report that in 6.0 connection-tracking is not
working properly and we need to investigate this further.

He was polite enough to give me the 6.1-rc1 link (which did solve it).

SamDabbers
May 26, 2003



Wolf on Air posted:

Oh, so you're the other guy who reported that.

He was polite enough to give me the 6.1-rc1 link (which did solve it).

So the first report of a problem gets a denial, and the second gets acknowledged because someone else reported it too? :downsbravo:

I swapped that router out for an EdgeRouter Lite I'd been itching to try, so I haven't tried 6.1 on it yet. The ERL works pretty well, and since it's Debian/Vyatta and lets me have an actual bash shell, I can install standard Linux software and script around things that don't work exactly the way I want. There are some rough edges still since the firmware is still evolving, but I'm pretty impressed so far.

Also, Ubiquiti engineers seem to be far more responsive and helpful in their forums. Then again, the posters don't seem to be quite as terrible as those in the Mikrotik forums, which is just painful to read.

CuddleChunks
Sep 18, 2004

The mikrotik forum has exactly one thread worth reading - the horrible installs picture thread. That's funny as hell. Other than that, oh man, what a mess.

I'm generally pretty happy with MikroTik stuff but you're right, their poor customer support attitude and general wonkiness really hurts them from being taken seriously as a drop-in replacement for enterprise gear. They have almost all of the same features but their poo poo is broken in weird ways and continues to break unexpectedly as you move from revision to revision hoping that *this* will be the one where they fix your reported bug.

Dangit MikroTik, I really really want to love you but you make it so hard.

wolrah
May 8, 2006
what?

SamDabbers posted:

Then again, the posters don't seem to be quite as terrible as those in the Mikrotik forums, which is just painful to read.

Haha, try the UniFi section. Since ubiquitous WiFi is in high demand and they're the entry level of "real" solutions the retards are out in force. Most recently someone went full offensive against me for daring to suggest that MAC filtering on WiFi was not a security measure.

Gism0
Mar 20, 2003

huuuh?
I upgraded to 6.1 the other day and it appears to have hosed my DHCP server. Oddly some of my devices still get the correct static IPs but some get nothing and fall back to a 169.x.x.x IP.
I tried to set it up again but the command seems to fail (on webfig and winbox the next button just does nothing, and on the console it just sits there after typing 'setup')


IT Guy
Jan 12, 2010

You people drink like you don't want to live!
I have a slight problem.

I have a server on the WAN that has a web interface. I don't want this accessible at all times so I decided I would just enable/disable a firewall rule on the MikroTik router in front of it when I need to access the web interface. The problem is, even with the firewall rule disabled, I can still connect to port 80 for some reason. I have full access to the box with the firewall rule disabled.

Here is my setup:




So, why am I still able to connect?
