redeyes
Sep 14, 2002

by Fluffdaddy
I think I've sold and setup nearly 20 of the hAP lite models. Not a single loving problem. Granted this ain't in big networks but man, what great bang for the bux. Now 20 bux on amazon!


CuddleChunks
Sep 18, 2004

MikroTiks can be great value for the money, right until they blow up and cost you tons of downtime because the supply chain for these is bullshit and bugfixes are a joke. I feel your pain, jeeves.

I also work with these drat things every day and am amazed at some of the weird poo poo we can do with them.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
I mean, like 99.9% of our network works fine at all times. It's only a rare instance when they blow up.

But I can never loving trust Mikrotiks like I can other stuff. That's why they're so drat cheap.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
We used to use Mikrotiks a lot for client sites, and because of the latvian quality we kept a supply of backup units and config backups in case we needed to replace any.

We tried replacing some of our aging Ciscos in our core with some CCRs and it was a huge mistake, ended up replacing them with juniper gear.

Zapf Dingbat
Jan 9, 2001


I got a mikrotik from a buddy of mine to set up at my house. I'm pretty sure I've got everything setup okay, except the port forwards I set up don't seem to be working. I can see the tickers go up when I test them but my software doesn't end up connecting. I'm pretty sure everything else on the machine is default except for the wireless and the NAT rules for my ports.

I'm brand new to this, so I'm not sure what other info to give. I can copy/paste whatever will help.

This is so hard.

I just wanted to set up a router.

CuddleChunks
Sep 18, 2004

Zapf Dingbat posted:

I got a mikrotik from a buddy of mine to set up at my house. I'm pretty sure I've got everything setup okay, except the port forwards I set up don't seem to be working. I can see the tickers go up when I test them but my software doesn't end up connecting. I'm pretty sure everything else on the machine is default except for the wireless and the NAT rules for my ports.

I'm brand new to this, so I'm not sure what other info to give. I can copy/paste whatever will help.

This is so hard.

I just wanted to set up a router.

We need to know what IP address the computer you're forwarding to on the inside of the network has. Also, what services are you trying to forward.

Then, log into your mikrotik, open a terminal window and full-screen it. Type the following commands:
code:
int print
ip fire nat export
ip upnp print
ip upnp int print
Right-click on the window and select "Copy All" then paste that in here. That'll give us enough info to work from. I want to see what interfaces you're using because there are some extra rules that can be handy to have (and Universal Plug-n-Play setup stuff that's nice).

Zapf Dingbat
Jan 9, 2001


CuddleChunks posted:

We need to know what IP address the computer you're forwarding to on the inside of the network has. Also, what services are you trying to forward.

Then, log into your mikrotik, open a terminal window and full-screen it. Type the following commands:
code:
int print
ip fire nat export
ip upnp print
ip upnp int print
Right-click on the window and select "Copy All" then paste that in here. That'll give us enough info to work from. I want to see what interfaces you're using because there are some extra rules that can be handy to have (and Universal Plug-n-Play setup stuff that's nice).

I know I'm not using UPnP on my software, so I disabled it.

code:
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  R  ether1-gateway                      ether            1500  1598
 1  RS ether2-master-local                 ether            1500  1598
 2  RS ether3-slave-local                  ether            1500  1598
 3   S ether4-slave-local                  ether            1500  1598
 4  RS ether5-slave-local                  ether            1500  1598
 5   S ether6-master-local                 ether            1500  1598
 6   S ether7-slave-local                  ether            1500  1598
 7   S ether8-slave-local                  ether            1500  1598
 8   S ether9-slave-local                  ether            1500  1598
 9   S ether10-slave-local                 ether            1500  1598
10   S sfp1                                ether            1500  1598
11   S wlan1                               wlan             1500  2290
12  R  bridge-local                        bridge           1500  1598


/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=dst-nat chain=dstnat dst-port=35636 in-interface=ether1-gateway \
    log=yes protocol=tcp to-addresses=192.168.88.250 to-ports=35636
add action=dst-nat chain=dstnat dst-port=39805 in-interface=ether1-gateway \
    protocol=tcp to-addresses=192.168.88.254 to-ports=39805


 ip upnp print   
                           enabled: no
  allow-disable-external-interface: no
                   show-dummy-rule: no


 ip upnp interfaces print     
Flags: X - disabled, D - dynamic 
 #   INTERFACE                                      TYPE     FORCED-EXTERNAL-IP
I know those two local IPs and ports all match and are correct.

CuddleChunks
Sep 18, 2004

Those look correct to me. What service are you trying to run on your local computers? You've got at least two machines, see if they can connect to your service locally. You can even try telnet from one machine to another on the destination port to see if anything responds.

Your mikrotik config looks right, I'd start looking into the computers to make sure they actually respond for the given request.

Zapf Dingbat
Jan 9, 2001


I'm running Eventghost with Autoremote. I'm trying to send them commands externally. I haven't set up a dynamic DNS yet, but I'm testing it by just finding out what my IP currently is, disconnecting wifi on my phone, and sending the command.

This works when my phone is connected to my LAN.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe

Zapf Dingbat posted:


code:
Flags: D - dynamic, X - disabled, R - running, S - slave 
 #     NAME                                TYPE       ACTUAL-MTU L2MTU
 0  R  ether1-gateway                      ether            1500  1598
 1  RS ether2-master-local                 ether            1500  1598

why is ether2-master a slave? It looks like it's slaved to ether1-gateway which you definitely don't want.

Zapf Dingbat
Jan 9, 2001


Not sure. It came that way. I didn't really understand the master/slave thing. What's the optimal setup?

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

Zapf Dingbat posted:

Not sure. It came that way. I didn't really understand the master/slave thing. What's the optimal setup?

Slave is Latvian non-PC notation for something that is on a switch chip bridge with master as the main port. Anything that goes into any port will go out any other port, like a switch.

You can do something similar with a software bridge by first making a bridge, and then porting ether2-ether5 to that bridge. Except it will run at software bridge speed instead of switch chip speeds.

Any IP addresses that are assigned to interface=ether2 will be repeated out any other port slaved to it. Same with interface=bridge in the above.


edit - looking at your config you actually have two separate switch groups, one slaved to ether2 (for ether3-5) and one slaved to ether6 (for ether7-10). I think those 10 port RB451 or whatevers come with two switch groups by default.


jeeves fucked around with this message at 23:51 on Sep 3, 2015

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
Yeah nevermind, I checked mine and bridged connections all show that they are running as slaves too.
Can you post the results of int eth print?

Anyway, since you said the counters are incrementing on your dst-nat rules, it's likely that your computer is either
A: Not accepting connections on that port/protocol
B: Firewall is blocking those connections
C: the to-address in your dst-nat rules is incorrect.

Use netstat to check if your computer is actually listening on TCP 35636 and if so, check to make sure there's an exception in the Windows Firewall.
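
Added example, not from any post in this thread: a port forward written so each hop can be checked, for exactly the "counters go up but nothing connects" case above. It assumes the names from Zapf's export (ether1-gateway as the WAN port with a dynamic public IP, bridge-local as the LAN, router LAN address 192.168.88.1) and a hypothetical inside host 192.168.88.250 listening on TCP 35636; those are placeholders, not anything the thread confirms.

```routeros
# Added example, not from any post in this thread. Publishes TCP 35636 on an
# inside host and shows how to verify each hop. Assumed (placeholder) names:
# WAN = ether1-gateway with a dynamic public IP, LAN = bridge-local,
# router LAN IP 192.168.88.1, inside host 192.168.88.250 listening on TCP 35636.

# 1. The forward itself. Match on in-interface rather than dst-address so it
#    survives the ISP changing the public IP.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=35636 \
    action=dst-nat to-addresses=192.168.88.250 to-ports=35636 \
    comment="fwd 35636 -> 192.168.88.250"

# 2. Hairpin, so a LAN client can also hit the PUBLIC address. Without these
#    two rules a test from the inside fails even though the WAN rule is fine
#    (the server answers the client directly and the client drops the reply).
add chain=dstnat in-interface=bridge-local dst-address-type=local \
    dst-address=!192.168.88.1 protocol=tcp dst-port=35636 \
    action=dst-nat to-addresses=192.168.88.250 to-ports=35636 \
    comment="fwd 35636 hairpin"
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.250 \
    protocol=tcp dst-port=35636 action=masquerade comment="hairpin 35636"

# 3. The forward chain must pass the translated packet. The default config's
#    "drop new from WAN unless dstnat" rule already allows it; if you run your
#    own drop-by-default forward chain, this accept must sit ABOVE the drop
#    (check with /ip firewall filter print and use "move" if it does not).
/ip firewall filter
add chain=forward in-interface=ether1-gateway connection-state=new \
    connection-nat-state=dstnat action=accept comment="accept port forwards"

# 4. Verify after one test connection from outside (phone on mobile data):
#    a) dstnat counters grow -> the packet reached the router and matched
/ip firewall nat print stats where comment~"fwd 35636"
#    b) a tracked connection exists for the translated destination. If its
#       tcp-state stays syn-sent / syn-received and never reaches established,
#       the router did its job and the inside host is not answering.
/ip firewall connection print detail where protocol=tcp dst-address~":35636"
#    c) briefly log matches to see the real source address and port
/ip firewall nat set [find comment="fwd 35636 -> 192.168.88.250"] log=yes log-prefix=fwd35636
/log print where message~"fwd35636"
/ip firewall nat set [find comment="fwd 35636 -> 192.168.88.250"] log=no
```

Step 4b is the one that separates a router problem from a host problem: a connection entry with the translated destination proves the dst-nat and the forward chain both worked, so anything stuck there is the host's listener or its firewall, which is where netstat comes in.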

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Do yourself a favor, and connect via Winbox (on a PC) to your router via MAC address neighbor lookup, or via serial. NOTE: Make drat sure that you know how to do the above before you reset the router in the below and cut yourself off from any IP connections.

Then type:
code:
/system reset-configuration skip-backup=yes no-defaults=yes
This will reset all settings on the device, meaning when you type /export next time it should be pretty blank. This will clear out any previous settings and also kill the weird port names, restoring them to ether1-ether10. If you can't get back into the router after doing this, push down the reset button to get the default settings with the lovely ether1-gateway type crap.

Then copy and paste the below, editing in your WAN IP and WAN route/gateway:
code:
### Initial system configuration

# Initial configuration #1/6: Set system identity
/system identity set name="Mikrotik.ROUTER"

# Initial configuration #2/6: Disable/configure services
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# Initial configuration #3/6: Set the time using NTP [CHANGE TIMEZONE]
# Using random 0.pool.ntp.org IPs.
/system ntp client set enabled=yes primary-ntp=198.110.48.12 secondary-ntp=74.120.8.2
/system clock set time-zone-name=PST8PDT
/system clock manual set time-zone=-08:00

# Initial configuration #4/6: Set internal DNS for the router (using Google's)
/ip dns set servers=8.8.8.8 allow-remote-requests=no

# Initial configuration #5/6: Set SNMP reporting [OPTIONAL - UNCOMMENT IF DESIRED]
#/snmp community set [ find default=yes ] name=mikrotik_public
#/snmp set contact=YOUREMAIL@HERE.com enabled=yes location="Your location" trap-community=mikrotik_public

# SSH firewall #1/2: create a whitelist of IPs so only the below can log in via SSH.  
# NOTE= these lines need to be uncommented to work, plus you need to put in more IP addresses to the Whitelisted IPs
#/ip service set ssh disabled=no
#/ip firewall address-list
#add address=1.1.1.0/18 list=whitelist comment="Whitelisted IPs"
#add address=10.0.0.0/24 list=whitelist comment="Whitelisted IPs"

# SSH firewall #2/2: block all SSH connections from IPs not on the above whitelist
#/ip firewall filter
#add action=reject chain=input dst-port=22 protocol=tcp reject-with=icmp-host-prohibited src-address-list=!whitelist \
#	comment="Reject SSH connections from IPs not on whitelist"


### ether1 = Uplink to WAN: 1.1.1.2/24, GW: 1.1.1.1 [PUT YOUR WAN IP HERE]
# Uplink to WAN #1/3: add IP address for uplink to WAN
/ip address
add address=1.1.1.2/24 interface=ether1 comment="Uplink to WAN"

# Uplink to WAN #2/3: add WAN route for the upstream gateway
/ip route
add dst-address=0.0.0.0/0 gateway=1.1.1.1 comment="Uplink to WAN"

# Uplink to WAN #3/3: add comment to identify the interface
/interface ethernet
set ether1 comment="Uplink to WAN"


### ether2-ether10 = DHCP block: 192.168.1.1/24 [192.168.1.150-.254 usable]
# DHCP block #1/8: set up a bridge group for the DHCP block
/interface bridge
add name=DHCP-LAN comment="DHCP block (ether2-ether10)"

# DHCP block #2/8: assign ether2-ether10 to the above bridge group
/interface bridge port
add bridge=DHCP-LAN interface=ether2
add bridge=DHCP-LAN interface=ether3
add bridge=DHCP-LAN interface=ether4
add bridge=DHCP-LAN interface=ether5
add bridge=DHCP-LAN interface=ether6
add bridge=DHCP-LAN interface=ether7
add bridge=DHCP-LAN interface=ether8
add bridge=DHCP-LAN interface=ether9
add bridge=DHCP-LAN interface=ether10

# DHCP block #3/8: add an IP address to bridge DHCP-LAN (ether2-ether10)
/ip address
add address=192.168.1.1/24 interface=DHCP-LAN comment="DHCP block"

# DHCP block #4/8: create a pool of addresses for the DHCP to assign from
/ip pool
add name=DHCPpool ranges=192.168.1.150-192.168.1.254

# DHCP block #5/8: create a DHCP server on bridge DHCP-LAN using DHCPpool's addresses
/ip dhcp-server
add name=DHCP1 interface=DHCP-LAN address-pool=DHCPpool lease-time=9d23h29m disabled=no

# DHCP block #6/8: configure the network, gateway, and DNS addresses for the DHCP
/ip dhcp-server network
add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=8.8.8.8

# DHCP block #7/8: add Default DHCP configuration firewall rules
/ip firewall filter
add chain=forward connection-state=established comment="Default configuration for DHCP"
add chain=forward connection-state=related comment="Default configuration for DHCP"
add action=drop chain=forward connection-state=invalid comment="Default configuration for DHCP"

# DHCP block #8/8: add firewall rule allowing the DHCP network to be forwarded out the upstream port [IP ADDRESS ON ETHER1]
/ip firewall nat
add chain=srcnat action=src-nat comment="NAT DHCP network to uplink" src-address=192.168.1.0/24 to-addresses=1.1.1.2

# Label interfaces examples:
/interface ethernet
#set ether2 comment="SVR"
#set ether3 comment="NAS"


### Extra DHCP settings
# DHCP Reservations based on MAC address, to force DHCP IPs to seem like they are static (or can be done on client side)
/ip dhcp-server lease
add address=192.168.1.100 client-id=1:00:11:22:33:44:55 comment="SVR (eth)" mac-address=00:11:22:33:44:55 server=DHCP1
add address=192.168.1.101 client-id=1:00:11:22:33:44:56 comment="NAS (eth)" mac-address=00:11:22:33:44:56 server=DHCP1

# Port forwarding
/ip firewall nat
add action=dst-nat chain=dstnat comment="Port forward for RDP to SVR" dst-address=1.1.1.2 dst-port=3999 protocol=tcp \
    to-addresses=192.168.1.100 to-ports=3999
add action=dst-nat chain=dstnat comment="Port Forward for Linux ISOs to NAS" dst-address=1.1.1.2 dst-port=39999 protocol=tcp \
    to-addresses=192.168.1.101 to-ports=39999


### Password
/password
In putting the top together, I found your problem: on port forwarding you have DST-ADDRESS=ether1-gateway when it should be your WAN IP

jeeves fucked around with this message at 04:17 on Sep 4, 2015

Zapf Dingbat
Jan 9, 2001


theperminator posted:

Yeah nevermind, I checked mine and bridged connections all show that they are running as slaves too.
Can you post the results of int eth print?

Anyway, since you said the counters are incrementing on your dst-nat rules, it's likely that your computer is either
A: Not accepting connections on that port/protocol
B: Firewall is blocking those connections
C: the to-address in your dst-nat rules is incorrect.

Use netstat to check if your computer is actually listening on TCP 35636 and if so, check to make sure there's an exception in the windows firewall.

code:
int eth print
Flags: X - disabled, R - running, S - slave 
 #    NAME        MTU MAC-ADDRESS       ARP        MASTER-PORT      SWITCH     
 0 R  ether1...  1500 E4:8D:8C:29:31:95 enabled    none             switch1    
 1 RS ether2...  1500 E4:8D:8C:29:31:96 enabled    none             switch1    
 2 RS ether3...  1500 E4:8D:8C:29:31:97 enabled    ether2-master... switch1    
 3  S ether4...  1500 E4:8D:8C:29:31:98 enabled    ether2-master... switch1    
 4 RS ether5...  1500 E4:8D:8C:29:31:99 enabled    ether2-master... switch1    
 5  S ether6...  1500 E4:8D:8C:29:31:9A enabled    none             switch2    
 6  S ether7...  1500 E4:8D:8C:29:31:9B enabled    ether6-master... switch2    
 7  S ether8...  1500 E4:8D:8C:29:31:9C enabled    ether6-master... switch2    
 8  S ether9...  1500 E4:8D:8C:29:31:9D enabled    ether6-master... switch2    
 9  S ether1...  1500 E4:8D:8C:29:31:9E enabled    ether6-master... switch2    
10  S sfp1       1500 E4:8D:8C:29:31:94 enabled    none             switch1  
I double and triple checked the IP and ports.

On my HTPC, I have some lines from netstat saying TIME_WAIT on port 39805 with some external IPs and domains.
On my other PC, it doesn't seem like 35636 is showing up in netstat, so I guess I have to check Eventghost.

jeeves posted:

In putting the top together, I found your problem: on port forwarding you have DST-ADDRESS=ether1-gateway when it should be your WAN IP

When I pasted that output, I only saw ether1-gateway on "In. interface." Is that what you meant?

I'll probably just reset and go with your config.

edit: It's working now, I think. I don't know what the heck I changed, if anything. I'll continue to test it and I'll keep that config in mind if I have to go nukuler. Now I'm going to set up a script to update my ddns periodically. Thanks, though. It's just that there's not a lot of documentation out there that I can understand what with the Latvians.

edit2: Any tips on getting to the router interface from outside either from web or winbox without inviting in people that want to steal my old people porn?

Zapf Dingbat fucked around with this message at 01:49 on Sep 4, 2015

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire

Zapf Dingbat posted:


edit2: Any tips on getting to the router interface from outside either from web or winbox without inviting in people that want to steal my old people porn?

Look at my whitelist code on my template to keep people from trying to brute force your router itself. That will keep anyone trying to bombard your router with SSH attempts out. You can do something similar with Winbox's port, but honestly I barely ever see people try to brute force into Mikrotiks with Winbox.

Also, remember you can always go into a specific area of the command line, like '/ip address' and use the export command to spit out exactly all of the code that the router has for that area. Or you can just do /export at the root (/) to export the entire config.

It really helps to read a whole config to know what's up with it, and it is also nice to know that if you export an entire config, you can always wipe your router and paste the entire thing back in. Like that template I made can be pasted into any blanked Mikrotik (with 10 ports).

Horse Clocks
Dec 14, 2004


Well gently caress I'm stupid. I had assumed the default firewall configuration from the 'Quick Set' tool would have set a sane firewall.

Nope.

[edit] Has anybody found a novel workaround for the terrible OpenVPN (client?) implementation? I've got a couple of services I'd like to connect to through a VPN, but for the life of me can't make the OpenVPN client work.

Horse Clocks fucked around with this message at 17:44 on Sep 5, 2015

CuddleChunks
Sep 18, 2004

Heheh I just use the good old Windows PPTP client to talk to my MikroTik. Good enough for cheapass access.

drk
Jan 16, 2005

xlevus posted:

[edit] Has anybody found a novel workaround for the terrible OpenVPN (client?) implementation? I've got a couple of services I'd like to connect to through a VPN, but for the life of me can't make the OpenVPN client work.

AFAIK RouterOS doesn't support UDP mode or LZO compression with OpenVPN. UDP is the default mode for most OpenVPN servers and LZO is pretty common as well. If you need support for either one, you're going to have to run the OpenVPN client on something else.

edit: apparently it might be possible to use MetaRouter running OpenWRT and its much better OpenVPN implementation. I've never used it though, might be a huge pain in the rear end to set up. No idea how well it would perform either.

drk fucked around with this message at 20:58 on Sep 5, 2015

drk
Jan 16, 2005

CuddleChunks posted:

Heheh I just use the good old Windows PPTP client to talk to my MikroTik. Good enough for cheapass access.

PPTP is broken as poo poo, security wise. If you care about security, you're probably better off with the half assed Latvian OpenVPN implementation.

Djimi
Jan 23, 2004

I like digital data
I'm much closer to having a hotspot on my RB2011UiAS-2HnD-IN (I love that snappy name, it must sound good in Latvian or something) that works (thanks to CuddleChunks).

I'm getting IPs handed out on my Guest WiFi virtual AP. I'm however unable to route it appears, or be challenged with a hotspot web page.

The basic config is this router is using eth 1 to connect to another MikroTik RB951 that's connected to the Internet (It's 192.168.88.1 below). It's vanilla on the RB951 and not a problem.

I just want to have a hotspot OurWiFi (guest wifi) (it's 192.168.99.1/24) for the few users and another one with WPA2 security (SecureAccess - 192.168.5.1/24) - and I may directly connect a couple machines via the other plentiful eth ports.

Can anybody see how it's going off the rails here? Again, I wouldn't be this far without your help. But I need to retire the costly Meraki in a few days when it will stop working (license to imminently expire).

code:
# jan/02/1970 00:04:26 by RouterOS 6.23
# software id = ZS3N-K6BR
#
/interface bridge
add admin-mac=00:0C:42:8D:9B:A1 auto-mac=no name=bridge-local
add name=guest-access
/interface ethernet
set [ find default-name=ether1 ] name=ether1-gateway
set [ find default-name=ether2 ] name=ether2-master-local
set [ find default-name=ether5 ] name=ether5-guest
set [ find default-name=ether6 ] name=ether6-master-local
set [ find default-name=ether7 ] master-port=ether6-master-local name=\
    ether7-slave-local
set [ find default-name=ether8 ] master-port=ether6-master-local name=\
    ether8-slave-local
set [ find default-name=ether9 ] master-port=ether6-master-local name=\
    ether9-slave-local
set [ find default-name=ether10 ] master-port=ether6-master-local name=\
    ether10-slave-local
/interface wireless
set [ find default-name=wlan1 ] band=2ghz-b/g/n channel-width=\
    20/40mhz-ht-above disabled=no distance=indoors frequency=auto hide-ssid=\
    yes l2mtu=2290 mode=ap-bridge ssid=MikroTik-B65719 wireless-protocol=\
    802.11
/ip neighbor discovery
set ether1-gateway discover=no
/interface wireless
add default-forwarding=no disabled=no l2mtu=2290 mac-address=\
    D6:CA:6D:B6:57:1A master-interface=wlan1 name=guest-wlan ssid=OurWiFi \
    wds-cost-range=0 wds-default-cost=0
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=\
    tkip,aes-ccm management-protection=allowed mode=dynamic-keys name=WPA2 \
    supplicant-identity="" unicast-ciphers=tkip,aes-ccm wpa-pre-shared-key=\
    H0tsp0t! wpa2-pre-shared-key=H0tsp0t!
/interface wireless
add disabled=no l2mtu=2290 mac-address=00:0C:42:8D:9B:AA master-interface=\
    wlan1 name=secured-wlan security-profile=WPA2 ssid=SecureAccess \
    wds-cost-range=0 wds-default-cost=0
/ip hotspot profile
set [ find default=yes ] dns-name=western.local login-by=http-chap
add dns-name=western.local hotspot-address=192.168.99.1 login-by=http-chap \
    name=hsprof1
/ip pool
add name=dhcp ranges=192.168.5.20-192.168.5.250
add name=dhcp-pool ranges=192.168.5.10-192.168.5.254
add name=guest-pool ranges=192.168.99.10-192.168.99.100
add name=dhcp_pool1 ranges=192.168.99.20-192.168.99.250
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge-local name=default
add address-pool=dhcp_pool1 disabled=no interface=guest-access lease-time=3h \
    name=dhcp1
/ip hotspot
add address-pool=dhcp_pool1 disabled=no idle-timeout=none interface=\
    guest-wlan name=westhotspot profile=hsprof1
/port
set 0 name=serial0
/interface bridge port
add bridge=bridge-local interface=ether2-master-local
add bridge=bridge-local interface=ether3
add bridge=bridge-local interface=ether4
add bridge=guest-access interface=ether5-guest
add bridge=bridge-local interface=ether6-master-local
add bridge=bridge-local interface=sfp1
add bridge=bridge-local interface=wlan1
add bridge=bridge-local interface=secured-wlan
add bridge=guest-access interface=guest-wlan
/ip address
add address=192.168.88.1/24 comment="default configuration" interface=\
    ether2-master-local network=192.168.88.0
add address=192.168.5.1/24 interface=ether2-master-local network=192.168.5.0
add address=192.168.99.0/24 interface=guest-access network=192.168.99.0
/ip dhcp-client
add comment="default configuration" dhcp-options=hostname,clientid disabled=\
    no interface=ether1-gateway
/ip dhcp-server network
add address=192.168.5.0/24 comment=secured dns-server=192.168.5.1 gateway=\
    192.168.5.1
add address=192.168.88.0/24 comment="default configuration" dns-server=\
    192.168.88.1 gateway=192.168.88.1
add address=192.168.99.0/24 dns-server=8.8.8.8 gateway=192.168.99.1
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,192.168.5.1
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add chain=input comment="default configuration" protocol=icmp
add chain=input comment="default configuration" connection-state=\
    established,related
add action=drop chain=input comment="default configuration" in-interface=\
    ether1-gateway
add chain=forward comment="default configuration" connection-state=\
    established,related
add action=drop chain=forward comment="default configuration" \
    connection-state=invalid
add action=drop chain=forward comment="default configuration" \
    connection-nat-state=!dstnat connection-state=new in-interface=\
    ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=passthrough chain=unused-hs-chain comment=\
    "place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="default configuration" \
    out-interface=ether1-gateway
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
    src-address=192.168.99.0/24
/ip hotspot user
add name=guest password=blahblah
add name=luser password=notsohot
/lcd interface pages
set 0 interfaces="sfp1,ether1-gateway,ether2-master-local,ether3,ether4,ether5\
    -guest,ether6-master-local,ether7-slave-local,ether8-slave-local,ether9-sl\
    ave-local,ether10-slave-local"
/system identity
set name=MikroMG
/system ntp client
set enabled=yes primary-ntp=208.75.88.4 secondary-ntp=128.138.141.172
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3
add interface=ether4
add interface=ether5-guest
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether2-master-local
add interface=ether3
add interface=ether4
add interface=ether5-guest
add interface=ether6-master-local
add interface=ether7-slave-local
add interface=ether8-slave-local
add interface=ether9-slave-local
add interface=ether10-slave-local
add interface=sfp1
add interface=wlan1
add interface=bridge-local
It seems like a guest-access bridge or the guest-wlan "issue" ...?
Also here's the route list -- Pref. Source is different for guest-access -- here's a screenshot:



And finally as I mentioned above, when I get a guest-wifi IP, I cannot ping its gateway. Is this internal DNS? I don't know how loopback / routing works on RB or the hotspot works in general.
Thanks in advance.

CuddleChunks
Sep 18, 2004

Change the 192.168.99.0/24 IP to 192.168.99.1/24 in IP -> Addresses.

Hopefully that will get everything rolling for you.
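
Added example, not from Djimi's config or anyone's post: the address fix above, plus the part a guest hotspot should also have, which is keeping guests off the private side. It reuses the names and subnets from Djimi's export (guest-access bridge on 192.168.99.0/24, 192.168.5.0/24 and 192.168.88.0/24 on the private side, ether1-gateway upstream, hotspot westhotspot, ports ether5-guest and guest-wlan); the address list name private-lan is made up here.

```routeros
# Added example, not from any post in this thread. Applies the guest address
# fix and isolates the guest bridge. Names/subnets are assumed from the export
# above; the address-list name "private-lan" is invented for this example.

# 1. The gateway must be a host address, not the network address.
/ip address
set [find interface=guest-access] address=192.168.99.1/24 network=192.168.99.0

# 2. The hotspot has to sit on the bridge that carries the guest DHCP server,
#    not on one of that bridge's member ports.
/ip hotspot
set [find name=westhotspot] interface=guest-access

# 3. Name the private side once so every rule refers to the same thing.
/ip firewall address-list
add list=private-lan address=192.168.5.0/24 comment="SecureAccess"
add list=private-lan address=192.168.88.0/24 comment="default LAN / upstream tik"

# 4. Forward chain. The hotspot inserts its own dynamic rules for the portal
#    (redirects, hs-* chains), so these are targeted rules that do not touch
#    it. Order matters: they must come before any catch-all accept.
/ip firewall filter
add chain=forward in-interface=guest-access dst-address-list=private-lan \
    action=drop comment="guest -> private: never"
add chain=forward out-interface=guest-access src-address-list=private-lan \
    connection-state=new action=drop comment="private -> guest: no new sessions"
add chain=forward in-interface=guest-access out-interface=ether1-gateway \
    action=accept comment="guest -> internet"
add chain=forward in-interface=guest-access action=drop \
    comment="guest -> anything else"

# 5. Input chain: guests get no management plane on this router. The portal
#    itself is reached through the hotspot's dynamic rules, so only the
#    management ports are named here.
add chain=input in-interface=guest-access protocol=tcp \
    dst-port=21,22,23,8291,8728,8729 action=drop comment="guest: no mgmt"

# 6. Guest clients should not see each other. default-forwarding=no on
#    guest-wlan already covers the wireless side; the same split horizon on
#    the bridge ports covers ether5-guest <-> guest-wlan.
/interface bridge port
set [find interface=ether5-guest] horizon=1
set [find interface=guest-wlan] horizon=1

# 7. Check: from a guest client 192.168.5.1 and 192.168.88.1 must time out,
#    the internet must work, and these counters must move.
/ip firewall filter print stats where comment~"guest"
```

The forward-chain drops go in front of anything permissive because the default export above has no rule at all between the guest bridge and the private networks; with a routed guest subnet on the same box, "it routes" means it routes everywhere unless told otherwise.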

Djimi
Jan 23, 2004

I like digital data

CuddleChunks posted:

Change the 192.168.99.0/24 IP to 192.168.99.1/24 in IP -> Addresses.
Hopefully that will get everything rolling for you.
I got into the hotspot login :monocle: -- by entering http://ourwifi.
But I cannot ping out, or browse [destination unreachable].:eng99:
I have to say if I ever figure out this router, it will be a lot of fun to use.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe

xlevus posted:

Well gently caress I'm stupid. I had assumed the default firewall configuration from the 'Quick Set' tool would have set a sane firewall.

Nope.

[edit] Has anybody found a novel workaround for the terrible OpenVPN (client?) implementation? I've got a couple of services I'd like to connect to through a VPN, but for the life of me can't make the OpenVPN client work.


If you only need to connect from windows, use SSTP. it uses SSL on port 443 and will punch through just about any firewall you're likely to end up behind.
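
Added example of the SSTP route suggested above, not from any post in this thread. It assumes the layout from jeeves' template (ether1 as WAN, 192.168.1.0/24 as LAN), a public name vpn.example.com and a user alice; all of those are placeholders, and the syntax is RouterOS 6 of the era this thread covers.

```routeros
# Added example, not from any post in this thread: an SSTP server on
# RouterOS 6 as the remote-access path instead of PPTP. Placeholders:
# WAN = ether1, LAN = 192.168.1.0/24 (jeeves' template), public name
# vpn.example.com, user alice. Change all of them.

# 1. A local CA and a server certificate signed by it (one-off).
/certificate
add name=vpn-ca common-name=vpn-ca key-usage=key-cert-sign,crl-sign days-valid=3650
sign vpn-ca
add name=vpn-srv common-name=vpn.example.com key-usage=tls-server days-valid=730
sign vpn-srv ca=vpn-ca
# Export only the CA certificate (no private key) for clients to trust;
# it lands in Files as vpn-ca.crt.
export-certificate vpn-ca

# 2. Address pool and profile for VPN users; encryption is mandatory.
/ip pool add name=vpn-pool ranges=192.168.1.200-192.168.1.219
/ppp profile add name=vpn-profile local-address=192.168.1.1 \
    remote-address=vpn-pool use-encryption=required dns-server=8.8.8.8

# 3. One secret per person, bound to service=sstp so the same credential
#    cannot be used on PPTP/L2TP should those ever be switched on.
/ppp secret add name=alice password="CHANGE-ME-to-a-long-random-string" \
    service=sstp profile=vpn-profile

# 4. Enable the server: server cert, MS-CHAPv2 only, AES forced, PFS on TLS.
/interface sstp-server server set enabled=yes certificate=vpn-srv \
    authentication=mschap2 default-profile=vpn-profile force-aes=yes pfs=yes

# 5. TCP/443 is the single new hole in the WAN input chain. It must precede
#    the final drop rule (check /ip firewall filter print; "move" if needed).
/ip firewall filter
add chain=input in-interface=ether1 protocol=tcp dst-port=443 action=accept \
    comment="SSTP"

# 6. See who is connected.
/interface sstp-server print
/ppp active print
```

On the Windows side, import vpn-ca.crt into the machine's trusted root store and connect to vpn.example.com (the name has to match the server certificate's common name). Compared with the PPTP option mentioned earlier in the thread, the only thing exposed to the internet is a TLS listener on 443 that authenticates with MS-CHAPv2 inside the tunnel, and no management service is reachable until the tunnel is up.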

Horse Clocks
Dec 14, 2004


drk posted:

AFAIK RouterOS doesnt support UDP mode or LZO compression with OpenVPN. UDP is the default mode for most OpenVPN servers and LZO is pretty common as well. If you need support for either one, you're going to have to run the OpenVPN client on something else.

Yeah, the UDP and LZO thing is the problem. I think I'm going to try setting up a Raspberry Pi as a OpenVPN gateway, and then (to my best guess) set up routes for the destination addresses. Dual NAT... Yay.

Djimi
Jan 23, 2004

I like digital data

Djimi posted:

I have to say if I ever figure out this router, it will be a lot of fun to use.
This was the culprit for DNS
code:
/ip firewall filter add chain=input in-interface=ether1-gateway dst-port=53 protocol=udp action=drop comment="No external DNS requests allowed" 
Thanks again everyone and CChunks. :toot:

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Did you really just get a hotspot splash page working on a Mikrotik?

drat, if I can get that to work as well then time to possibly ditch our reliance on aging routers (Linksys 8 year old WRT54G models) that support DD-WRT / Chillispot + our aging Radius server that is who knows how old?

theperminator
Sep 16, 2009

by Smythe
Fun Shoe

Djimi posted:

This was the culprit for DNS
code:
/ip firewall filter add chain=input in-interface=ether1-gateway dst-port=53 protocol=udp action=drop comment="No external DNS requests allowed" 
Thanks again everyone and CChunks. :toot:

The actual solution is to just add a blanket drop rule for your ether1-gateway interface, you should then add allow rules for things you want to allow.

CuddleChunks
Sep 18, 2004

jeeves posted:

Did you really just get a hotspot splash page working on a Mikrotik?

drat, if I can get that to work as well then time to possibly ditch our reliance on aging routers (Linksys 8 year old WRT54G models) that support DD-WRT / Chillispot + our aging Radius server that is who knows how old?

Yup. It doesn't look too pretty right now but you get queried for a user/pass after associating. If you don't log in then you sit like a lump.

Djimi - glad I could help.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
Seriously, people should be setting up their firewalls to drop input by default on their WAN interfaces.

It honestly scares me seeing some of the poo poo people do considering it's their dayjob.

theperminator fucked around with this message at 03:06 on Sep 7, 2015

Tapedump
Aug 31, 2007
College Slice
Would you please show us, in Mikrotik code, how that should be done? I've seen you reference it several times in recent pages, and I think all us new to ROS would like to learn more.

For example, the dumb part of my brain hears "drop input by default on their WAN interface" and thinks "No web traffic gets through? No Skype data? What about Spotify (or SABnzbd, Steam, Windows Updates, etc. ad infinitum)?"

Tapedump fucked around with this message at 03:49 on Sep 7, 2015

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
The Input chain only affects traffic destined to your router, not devices behind it. NAT traffic is covered by the forward chain.

So for example traffic that would end up being answered by the router's SSH service, winbox etc.

code:
/ip firewall filter
add chain=input connection-state=established,related in-interface=Eth1-CableGateway
add chain=input in-interface=Eth1-CableGateway protocol=icmp
add chain=input action=drop in-interface=Eth1-CableGateway
The first entry allows reply traffic to connections the router makes out to the internet itself, i.e. when it does a DNS lookup etc.
The second rule will allow pings to your router itself from the internet.
The third rule will block any traffic destined for your router that doesn't match the above two, but any traffic covered by a NAT rule will still be allowed as it is covered by the forward chain, i.e. any connections from your computer to the internet and their replies will not be affected.

jeeves
May 27, 2001

Deranged Psychopathic
Butler Extraordinaire
Or you can turn off all services that are not ssh and winbox, and then implement a whitelist of known-good IPs that you want to allow into the Mikrotik.
code:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set www-ssl disabled=yes
set api disabled=yes
set api-ssl disabled=yes

# SSH firewall #1/2: create a whitelist of IPs so only the below can log in via SSH.  
/ip firewall address-list
add address=1.1.1.0/18 list=whitelist comment="Whitelisted IPs"
add address=10.0.0.0/24 list=whitelist comment="Whitelisted IPs"

# SSH firewall #2/2: block all SSH connections from IPs not on the above whitelist
/ip firewall filter
add action=reject chain=input dst-port=22 protocol=tcp reject-with=icmp-host-prohibited src-address-list=!whitelist \
	comment="Reject SSH connections from IPs not on whitelist"
The above will let anything on 1.1.1.0/18 or 10.0.0.0/24 into your router via SSH, but leave Winbox wide open. It simulates being a NAT IP (10.0.0.0/24) or a public IP (1.1.1.0/18).

If you have a public WAN IP and don't do something like this or what theperminator set up, you will quickly see your log fill up with login attempts from China 24/7.
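Taking theperminator's three rules, jeeves's whitelist and Tapedump's question about whether a default drop kills web traffic together, here is a small Python model of how RouterOS walks its filter chains. It is an added example, not MikroTik code and not from anyone in the thread: the rule parser, the `Packet` class, the router addresses, the contents of the `whitelist` list and the sample packets are all constructed for illustration, and only the matchers used in the posts above are modelled. It runs Djimi's single DNS drop and a default-drop set through the same packets so the difference between the two approaches shows up as data rather than argument.

```python
"""Model of how RouterOS walks its firewall filter chains (added example, not
MikroTik code). Rules are tried top to bottom, the first match decides, and a
packet matching no rule is accepted. Only the thread's matchers are modelled."""
import ipaddress
import shlex
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

# Constructed addresses of the modelled router: WAN side and LAN side.
ROUTER_ADDRESSES = {"203.0.113.10", "192.168.1.1"}
AddressLists = Dict[str, List[ipaddress.IPv4Network]]


@dataclass
class Packet:
    src: str
    dst: str
    in_interface: str
    protocol: str                    # "tcp", "udp" or "icmp"
    dst_port: Optional[int] = None
    connection_state: str = "new"    # "new", "established", "related", "invalid"


def parse_config(text: str) -> Tuple[List[dict], AddressLists]:
    """Parse `/ip firewall filter` and `/ip firewall address-list` export lines."""
    rules: List[dict] = []
    lists: AddressLists = {}
    section, pending = None, ""
    for raw in text.splitlines():
        line = (pending + raw).strip()
        pending = ""
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # RouterOS line continuation
            pending = line[:-1] + " "
            continue
        if line.startswith("/"):         # menu path selects the section
            section = line
            continue
        tokens = shlex.split(line)       # copes with comment="quoted text"
        if tokens[0] != "add":
            continue
        params = dict(tok.split("=", 1) for tok in tokens[1:])
        if section == "/ip firewall address-list":
            lists.setdefault(params["list"], []).append(ipaddress.ip_network(params["address"]))
        elif section == "/ip firewall filter":
            rules.append(params)
    return rules, lists


def _negatable(value: str) -> Tuple[bool, str]:
    """RouterOS allows `!value` to invert a matcher."""
    return (True, value[1:]) if value.startswith("!") else (False, value)


def matches(rule: dict, pkt: Packet, lists: AddressLists) -> bool:
    if "in-interface" in rule:
        neg, want = _negatable(rule["in-interface"])
        if (pkt.in_interface == want) == neg:
            return False
    if "protocol" in rule and rule["protocol"] != pkt.protocol:
        return False
    if "dst-port" in rule and pkt.dst_port not in {int(p) for p in rule["dst-port"].split(",")}:
        return False
    if "connection-state" in rule and pkt.connection_state not in rule["connection-state"].split(","):
        return False
    src = ipaddress.ip_address(pkt.src)
    if "src-address" in rule and src not in ipaddress.ip_network(rule["src-address"]):
        return False
    if "src-address-list" in rule:
        neg, name = _negatable(rule["src-address-list"])
        if any(src in net for net in lists.get(name, [])) == neg:
            return False
    return True


def evaluate(rules: List[dict], lists: AddressLists, pkt: Packet) -> Tuple[str, str]:
    """Return (action, reason). Traffic addressed to the router itself goes through
    `input`; traffic passing through to a host behind it (NATed replies included,
    since the filter sees addresses after dst-NAT is undone) goes through `forward`."""
    chain = "input" if pkt.dst in ROUTER_ADDRESSES else "forward"
    for rule in rules:
        if rule.get("chain") == chain and matches(rule, pkt, lists):
            return rule.get("action", "accept"), rule.get("comment", "uncommented rule")
    return "accept", f"no {chain} rule matched; RouterOS accepts by default"


# Djimi's rule set from the thread: one drop, so everything else stays open.
DNS_ONLY = '''
/ip firewall filter
add chain=input in-interface=ether1-gateway dst-port=53 protocol=udp action=drop comment="No external DNS requests allowed"
'''

# Constructed combination of theperminator's and jeeves's advice: allow replies
# and ping, restrict SSH to an address list (here the LAN range), drop the rest.
DEFAULT_DROP = '''
/ip firewall address-list
add address=192.168.1.0/24 list=whitelist comment="Whitelisted IPs"
/ip firewall filter
add chain=input connection-state=established,related in-interface=ether1-gateway comment="Allow replies"
add chain=input in-interface=ether1-gateway protocol=icmp comment="Allow ping"
add action=reject chain=input dst-port=22 protocol=tcp reject-with=icmp-host-prohibited src-address-list=!whitelist \\
    comment="Reject SSH connections from IPs not on whitelist"
add action=drop chain=input in-interface=ether1-gateway comment="Drop everything else"
'''

# Constructed sample packets using documentation prefixes; no real hosts.
PACKETS = {
    "ssh-from-internet": Packet("198.51.100.7", "203.0.113.10", "ether1-gateway", "tcp", 22),
    "dns-from-internet": Packet("198.51.100.7", "203.0.113.10", "ether1-gateway", "udp", 53),
    "dns-reply-to-router": Packet("192.0.2.53", "203.0.113.10", "ether1-gateway", "udp", 40001, "established"),
    "web-reply-to-lan-host": Packet("192.0.2.80", "192.168.1.50", "ether1-gateway", "tcp", 51000, "established"),
    "ssh-from-lan": Packet("192.168.1.50", "192.168.1.1", "ether2-lan", "tcp", 22),
}


def run_all() -> Dict[Tuple[str, str], str]:
    """Evaluate every sample packet against both rule sets."""
    out = {}
    for cfg_name, cfg in (("dns-only", DNS_ONLY), ("default-drop", DEFAULT_DROP)):
        rules, lists = parse_config(cfg)
        for pkt_name, pkt in PACKETS.items():
            out[(cfg_name, pkt_name)] = evaluate(rules, lists, pkt)[0]
    return out


if __name__ == "__main__":
    for (cfg_name, pkt_name), action in run_all().items():
        print(f"{cfg_name:13} {pkt_name:22} -> {action}")
```

The web reply to the LAN host is accepted under both rule sets because it never enters the input chain at all, which is the answer to the "no web traffic gets through?" worry. The SSH attempt against the WAN address is what separates the two: with only the DNS drop it is accepted by RouterOS's implicit default, with the default-drop set it is rejected before the attacker's client ever reaches the login prompt.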

Horse Clocks
Dec 14, 2004


Tapedump posted:

Would you please show us, in Mikrotik code, how that should be done? I've seen you reference it several times in recent pages, and I think all us new to ROS would like to learn more.

For example, the dumb part of my brain hears "drop input by default on their WAN interface" and thinks "No web traffic gets through? No Skype data? What about Spotify (or SABnzbd, Steam, Windows Updates, etc. ad infinitum)?"
In the end I went with:
code:
/ip firewall filter
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow ICMP" protocol=icmp
add chain=input comment="Allow LAN" in-interface=!ether1-gateway src-address=192.168.1.0/24
add action=drop chain=input comment="Drop everything else"

theperminator posted:

Seriously, people should be setting up their firewalls to drop input by default on their WAN interfaces.

It honestly scares me seeing some of the poo poo people do considering it's their dayjob.

Yeah. It took me a few weeks until I realised that this isn't the default configuration. I guess there's some inane Mikrotik policy for it "We make router. Not educate internet security."


[edit] Does anybody know of any PPPoE issues in the latest release? I upgraded recently, and my PPPoE connection keeps disconnecting at random. I can't tell if it's psychosomatic, an issue with the upgrade, my ADSL modem, my line or my ISP.

Horse Clocks fucked around with this message at 11:02 on Sep 7, 2015

Tapedump
Aug 31, 2007
College Slice

theperminator posted:

The Input chain only affects traffic destined to your router, not devices behind it. NAT traffic is covered by the forward chain.
Ah! That is very helpful to understand, thank you! Also, thank you all for the code snippets, as they are helpful.

CuddleChunks
Sep 18, 2004

xlevus posted:

Yeah. It took me a few weeks until I realised that this isn't the default configuration. I guess there's some inane Mikrotik policy for it "We make router. Not educate internet security."

Those are basically the default rules now. I think they started showing up in 5.x but are definitely part of 6.x firmwares.

theperminator
Sep 16, 2009

by Smythe
Fun Shoe
Unless you use the x86 version, because potato router.

I'm probably one of the few using a bunch of them inside vmware though.

Atreus
Sep 20, 2005
So apparently they managed to add the ability to add RSA keys to RouterOS. For whatever reason, I still can't get the things to function right. I still get incorrect passkey, even when the key isn't set up with one? Has anyone successfully got them to work?

I'm generating them with Putty and using Winbox to transfer them over there, and add them. I also tried the command line and still didn't work.

Atreus
Sep 20, 2005
Interestingly enough, I'm able to scp something generated by ssh-keygen that is rsa and get it to work. Putty still is a mystery, though.
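Atreus's finding that an ssh-keygen RSA key imports fine while a PuTTYgen one does not is the pattern you get from a format mismatch: PuTTYgen's "Save public key" button writes the multi-line RFC 4716 format, while ssh-keygen's .pub file is the one-line `ssh-rsa AAAA... comment` form, and both wrap the same binary blob. Whether that is what bit Atreus the thread does not say. As an added example (not PuTTY, OpenSSH or MikroTik code), this Python parses either form, reads the key type out of the blob itself rather than trusting the prefix, and emits the OpenSSH line. The sample key is constructed filler, not a real RSA key.

```python
"""Convert a PuTTYgen-style RFC 4716 public key into OpenSSH's one-line form
(added example; not PuTTY, OpenSSH or MikroTik code)."""
import base64
import struct
from typing import Tuple

BEGIN = "---- BEGIN SSH2 PUBLIC KEY ----"
END = "---- END SSH2 PUBLIC KEY ----"


def _ssh_string(data: bytes) -> bytes:
    """RFC 4251 string: 4-byte big-endian length followed by the bytes."""
    return struct.pack(">I", len(data)) + data


def _mpint(n: int) -> bytes:
    """RFC 4251 mpint for a positive integer (leading 0x00 if the top bit is set)."""
    return _ssh_string(n.to_bytes((n.bit_length() + 8) // 8, "big"))


def build_rsa_blob(e: int, n: int) -> bytes:
    """Wire-format ssh-rsa public key blob: string "ssh-rsa", mpint e, mpint n."""
    return _ssh_string(b"ssh-rsa") + _mpint(e) + _mpint(n)


def key_type(blob: bytes) -> str:
    """The key type is the first string inside the blob, e.g. "ssh-rsa" or "ssh-dss"."""
    (length,) = struct.unpack(">I", blob[:4])
    return blob[4:4 + length].decode("ascii")


def to_rfc4716(blob: bytes, comment: str) -> str:
    """Write the blob the way PuTTYgen does: header lines, then base64 wrapped at 64 columns."""
    b64 = base64.b64encode(blob).decode("ascii")
    body = "\n".join(b64[i:i + 64] for i in range(0, len(b64), 64))
    return f'{BEGIN}\nComment: "{comment}"\n{body}\n{END}\n'


def rfc4716_to_openssh(text: str) -> str:
    """Parse an RFC 4716 public key and return the equivalent OpenSSH line."""
    lines = text.strip().splitlines()
    if lines[0] != BEGIN or lines[-1] != END:
        raise ValueError("not an RFC 4716 public key")
    headers, idx = {}, 1
    while idx < len(lines) - 1 and ":" in lines[idx]:   # base64 never contains ':'
        name, _, value = lines[idx].partition(":")
        while value.endswith("\\"):                        # header continuation line
            idx += 1
            value = value[:-1] + lines[idx]
        headers[name.strip().lower()] = value.strip().strip('"')
        idx += 1
    blob = base64.b64decode("".join(lines[idx:-1]), validate=True)
    comment = headers.get("comment", "")
    return f"{key_type(blob)} {base64.b64encode(blob).decode('ascii')} {comment}".rstrip()


def parse_openssh_line(line: str) -> Tuple[str, bytes, str]:
    """Split an OpenSSH public key line and check the declared type matches the blob."""
    parts = line.strip().split(None, 2)
    if len(parts) < 2:
        raise ValueError("expected '<type> <base64> [comment]'")
    blob = base64.b64decode(parts[1], validate=True)
    if key_type(blob) != parts[0]:
        raise ValueError(f"declared type {parts[0]} but blob says {key_type(blob)}")
    return parts[0], blob, parts[2] if len(parts) == 3 else ""


# Constructed sample: e = 65537 and a 2048-bit filler modulus that is NOT a real
# RSA key; it only exercises the two file formats (top bit set, so mpint pads).
SAMPLE_N = int.from_bytes(bytes(range(256)), "big") | (1 << 2047)
SAMPLE_BLOB = build_rsa_blob(65537, SAMPLE_N)
SAMPLE_RFC4716 = to_rfc4716(SAMPLE_BLOB, "rsa-key-20150907")

if __name__ == "__main__":
    print(SAMPLE_RFC4716)
    print(rfc4716_to_openssh(SAMPLE_RFC4716))
```

The check in `parse_openssh_line` is worth keeping even outside this conversion: a line whose prefix says `ssh-rsa` but whose blob decodes to something else is exactly the kind of mangled paste that produces an unhelpful "incorrect passkey" style error on the importing side.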


CuddleChunks
Sep 18, 2004

I did some work where I set up a MikroTik to allow a particular account to log in via a DSA key I generated. When you bind the key to the account, it uses that as the auth method and I remember that I was no longer able to log in with that account with its assigned user/pass. However, I could use SSH to get in.

What I remember is transferring the key over and then adding it to the user by going to System -> Users -> SSH Keys and importing the SSH key there. That allowed my box to remote into the mikrotik without having to type a password which was important because I was setting up a remote scripting thingy and needed to be able to process an awful lot of these without breaking my fingers typing all day.
