PUBLIC TOILET
Jun 13, 2009

Does the RB750G support UPnP? How would one put together some kind of wireless access with one of these? Would you have to also purchase this to do that? It seems like it has a pretty steep learning curve with WinBox compared to some of the typical consumer routers out there.

PUBLIC TOILET
Jun 13, 2009

R1CH posted:

Wireless with routerboards can get kind of expensive as the consumer models like the RB750G don't have mPCI slots, so you need a better board, custom case, radio card, antennas, etc. Personally I just use a standard AP in AP mode (no routing etc) hooked into the MT device. It helps that I have a high quality AP, but you can pick up something like the Ubiquiti PowerAP pretty cheap and get a nice AP to hook into your network.

Obviously if you want more complicated things like wireless client segregation, per-client shaping, 802.1x, etc you'll want your wireless clients hanging directly off an wireless card from the MT board.

Yeah I wouldn't be looking into anything that extensive. I'm just thinking of a cheap, MikroTik solution in my head that would provide a wireless AP and a routing solution in a two story house. Is the Ubiquiti radio a decent solution for that or does it seem like overkill for a house? I've never played with either product but I'm guessing you'd have to disable any routing on the Ubiquiti (if it even does any routing) and just make it pass-through to the MikroTik.

PUBLIC TOILET
Jun 13, 2009

These devices seem like they have an intensive configuration behind them. Honestly that's the one thing holding me back from trying one. That and having to use a separate wireless AP device unless I shell out more money for a Mikrotik that supports a wireless card. The wireless thing doesn't sound too bad though if I just connect a WRT54GL to the Mikrotik for strictly wireless AP access.

PUBLIC TOILET
Jun 13, 2009

If someone were in the market to purchase a MikroTik for home use, what would be the ideal solution that provides Gigabit switching and wireless connectivity?

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

It comes with a level 4 license out of the box at the $70 price point. No extra purchases needed.


For the person wanting a Mikrotik-based router and wifi AP there isn't a single product that combines the gigabit ports and wifi yet. Happily, there are rumblings that within a month they should have exactly that available for purchase. It would be worth waiting if you wanted to combine all of those features in a single mikrotik platform.

Sounds good, I'll just wait it out then. Do you have any more information on this? I'm interested in the learning experience behind the MikroTiks and it seems like they're fairly dependable.

PUBLIC TOILET
Jun 13, 2009

yarrmatey posted:

Haven't tested performance nor LACP support I'm afraid.


I'm going to also recommend the Ubiquiti UniFi. The (free) controller software was 2d based for planning coverage area, so the multi-story layout might be a bit tricky. How necessary is mesh capability, or can you get an ethernet drop to each AP?

We have 3 UniFi APs at our office and have been very happy with them.

I'm not sure I understand the software part of the UniFi. You would essentially set up your Mikrotik and make it use the UniFi as a wireless AP, then you have to use the UniFi software to configure the UniFi? You can't just access the UniFi via its IP address in a web browser?

PUBLIC TOILET
Jun 13, 2009

krackpot posted:

There are new products for 2011 (http://www.mikrotik.com/download/share/hu11.pdf).

The RB435G seems to be the successor to the RB433 (to which a quick setup guide was posted earlier in this thread). The PDF I linked above seems to mention that the chip operates at 800MHz, but that's the overclocked speed. It is the same chip they use in the RB450G.

RB450G still seems like a solid choice. Now I'm having trouble deciding what to go for :(

Looks like they took the PDF down. Still looks like the cheapest Gigabit router they have then is the RB435G? And that comes with the MiniPCI slots for use with the R52Hn (if wireless is desired). Then you need an enclosure for all of that with support for external antennas.

PUBLIC TOILET fucked around with this message at 20:51 on May 8, 2011

PUBLIC TOILET
Jun 13, 2009

krackpot posted:

Not sure if this is the same PDF file (http://www.mikrotik.com/download/share/generic.pdf)

RB435G is quite new. I got a response from the roc-noc guy saying a nice metal indoor enclosure wouldn't be ready for a few months.

I think if you wanted to populate the entire board with wireless cards, you'd need a custom enclosure anyways just for the antenna. You'd also need a beefier PSU and possibly better cooling.

RB751G sounds perfect to me. Q3 2011 on the other hand, not so much. :(

PUBLIC TOILET
Jun 13, 2009

Kaluza-Klein posted:

What is recommended for a home network with N wifi?

The RB751 seems the obvious choice, but it is not a gigabit device.

If I want to have gigabit should I use an RB450G? And then some sort of wifi AP? The Ubiquiti PowerAPN was mentioned on the first page of this thread.

I have a consumer Buffalo router with G wifi that has an antenna that is hanging by its wire and a bad habit of freezing every time I surf a little too hard. I am in a NETWORKING TECHNOLOGIES program (CCNA mill) and would like something to mess about with.

I'm more or less in the same boat and have been for some time. The RB751 sounds perfect for me, but ideally I'd like internal gigabit switching. I suppose one could just connect a gigabit switch to one of the ports on the Mikrotik but that's kind of a half-rear end solution. Are there plans for something like an RB751G? I can't remember.

PUBLIC TOILET
Jun 13, 2009

Does anyone know how difficult it may be to configure a commercial VPN service with a MikroTik? I've been experimenting with various VPN services on my current router (Linksys WRT54GL w/TomatoUSB :cripes:) but I'm experiencing the same download speed issues regardless of the VPN service I choose. I'm starting to believe that this router just can't handle the load required to download any large files while it's connected to a VPN. I've been meaning to buy an RB751G-2HnD for a while now, but I don't know if it's going to have the same issue or not.

Has anyone configured a commercial VPN with the RB751G-2HnD and can attest to its file download performance while it's connected to the VPN? How complicated would it be to configure this in the RouterOS? Or would I achieve better VPN performance with something like the RB2011UAS-2HnD-IN?

PUBLIC TOILET fucked around with this message at 21:24 on Sep 30, 2012

PUBLIC TOILET
Jun 13, 2009

The_Franz posted:

I can't comment on commercial VPN providers, but I did recently set up a VPN with a 750GL (same CPU as the 751G) on one end and an RB2011 on the other. With both units in my lab basement I was able to push about 17mbps over an IPSEC + GRE setup with AES-128 encryption. The 750GL was the limiting factor as the CPU was pegged at 100% and the CPU in the RB2011 was hovering at around 70% so it would probably max out in the mid 20s. The RB2011 can be overclocked so you might be able to get 30-something mbps if you crank up the CPU speed.

Of course, if you want to use 3DES or AES-256 encryption the throughput would be lower than this due to additional CPU overhead.

Wow. That's pretty impressive. I'm looking at the CPU usage in TomatoUSB now when I'm downloading a file through the VPN. I'm hitting 100% on average every minute and around 60% every five minutes.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

A quick trip report - we couldn't get stocks of the RB751 wireless routers in at work in the quantities we needed. They had them backordered to hell and back so we ended up switching to the RB951 series.

It's half the output power, half the processor and almost half the size of the RB751. It has no external antenna and no indicator light for the wifi card.

Despite that, it's a cute little trooper of a wireless router and you get all the power of the Mikrotik OS behind it. We haven't had any complaints about it out in the field so far and it's pretty dang cheap to order for your own use. All in all, I'd say it's a fully capable home router that's a serious contender for filling in the gaps between Apple and Asus's products and other cheap-as-dirt wifi routers.

Thanks for the heads up. Now I can wait until the RB951G-2HnD hits the market instead of having to buy the 7 series.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Yup. We finally got our 751's in off backorder. Hooray for seeing stacks of those sleek white boxes on our shelves again. It's been incredibly frustrating to consider having to move to another platform as our vendors got their supply chain sorted out.

Just for reference, most customers just want a router that is set up for service and has wifi on it. If you label tape the SSID and WPA key on the unit you've solved most support calls right there. It's a rarity for them to call for port forwards or any such trickery.

What's this script that's being spoken about? I haven't purchased a Mikrotik yet so I haven't had a chance to dabble with one yet. If I can get the hang of it then I'll probably use it as the standard router for anyone I support outside of work.

PUBLIC TOILET
Jun 13, 2009

falz posted:

MikroTik has a splash setup page for new/home users. For provisioning many, you can just paste a stock text config with a few variables changed.

Oh you mean through the web interface? I'm just trying to get a feel for how it's going to function without actually touching it yet. I noticed the IPSEC note in the OP where the router has the possibility of tripping on itself when it comes to handling the load. Would this be a potential issue if I were only utilizing a VPN tunnel (with regards to large file transfers)?

PUBLIC TOILET
Jun 13, 2009

thebigcow posted:

r0c-n0c has RB951G-2hnd in stock and bumped the price down on the RB751G

I actually just finally bought the RB951G-2HnD today. We'll see how well it works. I've been putting it off and finally decided to just pull the trigger. The WRT54GL I have with Tomato on it is getting long in the tooth.

PUBLIC TOILET
Jun 13, 2009

ManicJason posted:

Am I still the only person with nightmarish Apple vs. Mikrotik issues? I see tons of people on other forums complaining about the same since iOS 6 on something like 50% of the Apple wireless radios (all Broadcom, I believe.) There are recommendations about changing pre-amble settings and explicitly setting the protocol as 802.11, but all of my Apple devices (MacBook Pro, iPad 2, iPhone 4) get 100% packet loss at random intervals between a minute of use and 30 minutes of use even after messing with those settings. Rarely it will fix itself after five minutes or so, but it is always fixed by turning the wireless radio off and back on on the Apple device.

At this point, I'd say Mikrotik devices are totally incompatible with Apple. I'm about ready to throw my Mikrotik out the window and go back to crappy consumer wireless routers :(


edit: to clarify, these issues are all 100% Apple issues. It sounds like the issue now is that TKIP totally breaks Apple devices and AES has a bug that kills the connection after a certain time on half of Apple's devices.

I'm glad I'm not going insane then. I don't yet have a MikroTik router, but I've been noticing issues with iOS devices connecting to my current wireless network and I'm using WPA-2 with AES. If I can even get the device to connect (usually after telling it to keep trying because I know it's the correct password), it will stay connected for a while but then eventually drop off. It will then repeat the process of me having to try again and again. I eventually just gave up on it. If I see the same issues with the MikroTik then at least I know it's not going to be the router's fault. Apple needs to get their poo poo together.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Good lord I am tired of the RB751's and their stupid bullshit with Apple products and everyone else. I've spent the last few days tweaking and fiddling and reading the angry forums at Mikrotik.com to get some guidance on how these should be setup. Thing is, they have so drat many features that it's anyone's guess what you should change. Still, I hope the following is helpful and this constitutes the best knowledge I have for how to set one of these up for home use:

Upgrade to 5.24 firmware, then upgrade the routerboard firmware to whatever it will take. That gives a good starting platform for all of this.

Open a terminal window and paste in the following (after changing the two global variables to match your home setup):
code:
:global SSID  value="wireless"
:global WPAKEY value="home wifi"
/int wir security-profiles add name=WPA2 authentication-types=wpa2-psk \
    management-protection=disabled mode=dynamic-keys  group-ciphers=aes-ccm \
    unicast-ciphers=aes-ccm wpa2-pre-shared-key=$WPAKEY
/int wir set wlan1 security-profile=WPA2 band=2ghz-onlyn \
    channel-width=20/40mhz-ht-above wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0,1 ht-rxchains=0,1 \
    dfs-mode=no-radar-detect distance=indoors frequency-mode=regulatory-domain \
    tx-power=11 tx-power-mode=card-rates mode=ap-bridge
If that doesn't get you going with decent speeds, or if you don't have all-N capable equipment, then roll on back to mixed mode like so:
code:
/int wir set wlan1 security-profile=WPA2 band=2ghz-b/g \
    channel-width=20mhz wireless-protocol=802.11 antenna-mode=ant-a \
    country="united states" ht-txchains=0 ht-rxchains=0
Basically, the power levels get trimmed down a bit, it sets some antenna mode stuff for N-mode and turns it back off for mixed mode. WPA2 is used with AES exclusively. If you have gear that won't support that then it's easy to go into the wireless security profiles section and tweak things there.

Good luck, let me know if this blows up your system so I can laugh and laugh and cry and laugh some more. Oh, and this works fine on the RB951's although they only have one tx/rx chain.

Thanks for this. I just received an e-mail this week stating my RB951G-2HnD shipped from Latvia so if I have issues with Apple products I'll give your script a try.

PUBLIC TOILET
Jun 13, 2009

I finally received my RB951G-2HnD from Latvia via USPS. Poked through this thread, some Google searching and the MikroTik wiki site in order to configure it and understand its intricacies. It's been a couple days and I finally just put it in production. I'm loving the poo poo out of this little mother fucker. I'm seriously impressed so far, it's practically light-years ahead of my old WRT54GL. I'm still working on configuring the static entries and some port forwarding but otherwise it's been seamless. I didn't have to do any crazy workarounds to get iOS devices to work, either.

PUBLIC TOILET
Jun 13, 2009

I could actually use some help with a couple of issues I haven't had luck resolving. The first one is probably simple. I have a static IP entry for my Windows Home Server so it always gets 192.168.88.200. The Windows Home Server has a domain on homeserver.com so it can happily associate itself to that domain for remote access. However, part of making this successful is to forward at least two out of three ports through the router. I've done some Googling and also browsed the MikroTik wiki but so far everything I've tried has created more problems.

I've been trying to configure port forwarding through IP -> Firewall -> NAT. I've created two separate entries, one that tells the router to allow external connections on TCP inbound to port 443 only to 192.168.88.200. The other one is the same way only it allows external connections inbound to port 4125 only to 192.168.88.200. When I set this and enable it, it doesn't work, but it also causes my workstation to not reach some websites. So if the two rules are enabled, they also cause my workstation to not establish a connection to various websites. When I removed those two port forward entries, my workstation returned to normal. In addition to that, when I browse to http://192.168.88.200 in a web browser, for some reason it takes me to the MikroTik's login screen. Port 80 shouldn't even be enabled or allowed to any machine on the internal network.

Scratch that last part, apparently it doesn't seem to do that any longer. I just tried to access http://192.168.88.200/ in a browser and it went to the server this time. Mind you I don't have any port forwarding rules configured at the moment.

Here's what my current firewall configuration looks like:

code:
[admin@MikroTik] > ip firewall export
# apr/11/2013 22:32:53 by RouterOS 5.24
# software id = PLN9-VJ6I
#
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s \
    tcp-close-wait-timeout=10s tcp-established-timeout=1d tcp-fin-wait-timeout=\
    10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s \
    udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=no \
    protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=\
    established disabled=no
add action=accept chain=input comment="default configuration" connection-state=\
    related disabled=no
add action=drop chain=input comment="default configuration" disabled=no \
    in-interface=ether1-gateway
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no \
    out-interface=ether1-gateway to-addresses=0.0.0.0
add action=dst-nat chain=dstnat disabled=no dst-port=443 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=443
add action=dst-nat chain=dstnat disabled=no dst-port=4125 in-interface=\
    ether1-gateway protocol=tcp to-addresses=192.168.88.200 to-ports=4125
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

PUBLIC TOILET fucked around with this message at 03:33 on Apr 12, 2013

PUBLIC TOILET
Jun 13, 2009

zennik posted:

I would change your two NAT rules to one rule, as such:

code:
/ip firewall nat
add action=dst-nat chain=dstnat src-address=!192.168.88.0/24 disabled=no dst-port=443,4125 protocol=tcp to-addresses=192.168.88.200
Failing that, remove the src-address entry and try updating to RouterOS version 6. One thing about Mikrotik is there are a lot of undocumented changes between versions. I've had to upgrade all of my routers to version 6 for various issues in version 5 that I kept running into.

EDIT: I just noticed your actual firewall filter rules at the beginning there. It wouldn't hurt to disable those, for now.

I removed the rules I created and added the one you created above. No luck. Is that correct, though? You have the src-address as the internal network and the to-addresses go directly to the server. Wouldn't that only allow internal traffic to go to the server and not external Internet traffic? You also don't specify any action ports so I presume I don't need to input any if I've already specified ports 443 and 4125? The filter rules you mention were the pre-configured ones that have been there since I hooked up the router. Not sure if they're safe to remove or not.

PUBLIC TOILET
Jun 13, 2009

zennik posted:

Notice the ! before the subnet, that means to match anything NOT in that subnet as the source. It shouldn't ever be an issue, but in rare cases it can be.

Those filter rules are very safe to remove. They're just default rules for some basic firewall security, and could very well be the source of your problem.

I can simply disable them and not have to delete them, correct? If so, disabling them hasn't resolved the issue. The NAT rule you provided is in there and enabled. I've also tried it with and without specifying the "In. Interface" as "ether1-gateway" but that doesn't seem to have an effect either.

PUBLIC TOILET
Jun 13, 2009

zennik posted:

Correct.

And that is a little odd, truth be told. I grabbed a 751 and tested a basic setup with a DHCP client WAN IP and just a simple port forward as described and that's working for me. Wondering if there's something else going on here. Is your ISP possibly filtering port 80?

EDIT: For that matter, not to ask a stupid question, but is your mikrotik pulling an actual WAN IP, or is it getting a 192.168, 10., or 172.12-31 IP?

I know that Time Warner blocks port 80 access, but I don't believe they block port 443 (HTTPS). That's why on the old router (WRT54GL w/Tomato), I had it set so that accessing the WAN IP or the DNS name with "https://" would go through the router directly to the server and the webpage would appear. For some reason that's not working with the MikroTik even after trying what you suggested, and after trying what other websites have suggested either. So I never bothered configuring port 80 access on the old router, but I did configure port 443 and port 4125 as required for WHS and it was working fine. Maybe there's a configuration/setting somewhere else in the router that's stopping it? Not sure where to look, though.

PUBLIC TOILET fucked around with this message at 15:31 on Apr 13, 2013

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

When you try to access your server, exactly what URL are you going to? Are you putting in its internal IP address or trying to use the external IP?

When I test the site internally, I'm able to reach the server via https://192.168.88.200/. When I test it externally after creating a NAT rule, I've tried it via the WLAN IP and by the DNS name as well. Neither one works, I receive an error in Chrome stating the connection was refused. I've also been testing with this site and this site. Both are stating that my IP and my DNS respond, but on port 80 AND 443. Not sure why as the NAT rule doesn't mention allowing port 80. One thing I've noticed that might be causing problems in the first place though-- whether or not that NAT rule is enabled or disabled, if I open a browser on the internal network and type in https://removed, it will take me to the MikroTik router login page. I'm not sure why the router is associating itself with port 80 or why it's even enabled. Maybe DNS isn't configured properly on the router? How do I force the router and all internal devices to use OpenDNS?

I think I have OpenDNS configured properly by using the following:

code:
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=\
    208.67.222.222,208.67.220.220
and this:

code:
/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=53 in-interface=ether2-master-local protocol=udp
I think that's the correct methodology. I've also done the following to block external access to port 80 (the testing sites I mentioned above confirm it's closed now). I've also decided for the hell of it to also accept incoming connection attempts to ports 443 and 4125 as well thinking that might fix things but it does not:

code:
add action=drop chain=input comment="default configuration" disabled=no dst-port=80 in-interface=ether1-gateway \
    protocol=tcp
add action=accept chain=input comment="default configuration" disabled=no dst-port=443,4125 in-interface=\
    ether1-gateway protocol=tcp

PUBLIC TOILET fucked around with this message at 15:30 on Apr 13, 2013

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

How are you testing this externally? Are you remoted into another machine and are trying to reach your site? Do you have a buddy trying to reach this page for you?

PS: It's working fine. Going to the link you provided brings up a windows home server page just fine. Nothing is wrong with your rules, or if you tweaked something since your post DON'T CHANGE IT!

Really? Huh. I'll have to check that. Does my OpenDNS configuration look okay? By the way, I've checked the logs this morning and unsurprisingly I see an IP address from China has been trying to log in through SSH. What is with these routers just allowing everything turned on by default? So now I have to specifically drop attempts via port 22 in the rules AND dig through logs? I'm just going to poke around some MikroTik wiki pages on securing the router.

PUBLIC TOILET fucked around with this message at 15:44 on Apr 13, 2013

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Go to IP -> Services and turn off all the services you don't want the Mikrotik to advertise. In other words, turn off the web server, the FTP port, SSH, telnet, etc. Turn off everything except winbox if you like and that should stop the bulk of probe attempts against your router.

Your DNS setup looks fine.

You and zennik have been a big help, thank you. I've combed through some security practice information in the MikroTik wiki and modified/applied it to my router. The only services I currently have enabled are "ssh", "winbox" and "www". However, I do believe I have my firewall rules configured properly so that external access is denied to those services. Below is the current configuration, maybe either of you can tell me if I've done anything incorrectly. One thing I'm not sure about is if I should specify an in-interface for the "From LAN network" rule. I also have BitTorrent configured to utilize UPnP for port forwarding, but also allow incoming connections to port 29793. Not sure if the rules below screw that up.

code:
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s \
    tcp-established-timeout=1d tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s \
    tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s

/ip firewall filter
add action=drop chain=input comment="Block HTTP requests" disabled=no dst-port=80 in-interface=ether1-gateway \
    protocol=tcp
add action=accept chain=input comment="Allow HTTPS/RWW (\\\\SERVER)" disabled=no dst-port=443,4125 in-interface=\
    ether1-gateway protocol=tcp
add action=accept chain=input comment="Accept established connections" connection-state=established disabled=no \
    in-interface=ether1-gateway
add action=accept chain=input comment="Accept related connections" connection-state=related disabled=no \
    in-interface=ether1-gateway
add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no \
    in-interface=ether1-gateway
add action=accept chain=input comment=UDP disabled=no in-interface=ether1-gateway protocol=udp
add action=accept chain=input comment="Allow limited pings" disabled=no in-interface=ether1-gateway limit=\
    50/5s,2 protocol=icmp
add action=drop chain=input comment="Drop excess pings" disabled=no in-interface=ether1-gateway protocol=icmp
add action=drop chain=input comment=SSH disabled=no dst-port=22 in-interface=ether1-gateway protocol=tcp
add action=drop chain=input comment=WinBox disabled=no dst-port=8291 in-interface=ether1-gateway protocol=tcp
add action=accept chain=input comment="From WLAN (Time Warner) network" disabled=no in-interface=ether1-gateway \
    src-address=76.180.32.0/20
add action=accept chain=input comment="From LAN network" disabled=no src-address=192.168.88.0/24
add action=log chain=input comment="Log everything else" disabled=no log-prefix="DROP INPUT"
add action=drop chain=input comment="Drop everything else" disabled=no

/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway \
    to-addresses=0.0.0.0
add action=redirect chain=dstnat comment=OpenDNS disabled=no dst-port=53 in-interface=ether2-master-local \
    protocol=udp
add action=dst-nat chain=dstnat comment="Remote Web Access (\\\\SERVER)" disabled=no dst-port=443,4125 \
    in-interface=ether1-gateway protocol=tcp src-address=!192.168.88.0/24 to-addresses=192.168.88.200

/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061 sip-direct-media=yes
set pptp disabled=no

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

You may want to take a look at the packet flow diagram for RouterOS. The "input" chain in the firewall is for packets destined to the router itself, not packets that will ultimately be forwarded (the "forward" chain) somewhere else. Right now there's an implicit "accept all" rule in the "forward" chain, which is why things appear to be working. Look at the counters on the rules you have in Winbox; some of them are likely not being hit.

Some things to keep in mind when crafting firewall rules:
  • The first matching rule is the one that matters, so you want the bulk of your packets to be matched as early as possible to avoid excess processing latency. You can also take advantage of the ordering to do things like "accept from LAN; do something else from everywhere else" without having to explicitly name each of the interfaces/addresses/subnets for each "everywhere else."
  • Allowing "connection-state=established" takes care of the 2nd and all subsequent packets for a connection, so your other rules only have to match the first packet that initiates a connection.
  • NAT happens before filtering, so use translated addresses in the rules.
  • Place an explicit drop at the end of each chain you use since the default is accept, and then you only have to make rules for what you explicitly want to allow.
Here's how I'd clean up your ruleset, comments inline, remember the default action is accept:
code:
/ip firewall filter
add chain=input connection-state=established
add chain=input connection-state=related
# I like to match on the interface for traffic from my LAN,
# but you could also filter by src-address if you prefer
add chain=input comment="Allow all traffic from LAN" in-interface=ether2-master-local
add chain=input comment="Rate-limit pings" limit=50/5s,2 protocol=icmp
# Add specific drop rules for traffic you don't want logged here
add action=drop chain=input comment="SSH scans" dst-port=22 protocol=tcp
add action=log chain=input comment="Log everything else" log-prefix="DROP INPUT"
add action=drop chain=input

add chain=forward connection-state=established
add chain=forward connection-state=related
add chain=forward comment="Allow outgoing TCP traffic from LAN" connection-state=new protocol=tcp \
    tcp-flags=syn,!ack in-interface=ether2-master-local
add chain=forward comment="Allow outgoing UDP traffic from LAN" connection-state=new protocol=udp \
    in-interface=ether2-master-local
add chain=forward comment="Allow outgoing pings from LAN" connection-state=new protocol=icmp \
    icmp-options=8 in-interface=ether2-master-local
# Alternatively, you could omit the 3 previous rules and instead allow all traffic from the LAN
# interface with a single rule. I just prefer to see "everything else" logged.
add chain=forward comment="Allow HTTPS/RWW (\\\\SERVER)" connection-state=new protocol=tcp \
    dst-address=192.168.88.200 dst-port=443,4125 tcp-flags=syn,!ack in-interface=ether1-gateway
add action=log chain=forward comment="Log everything else" log-prefix="DROP FORWARD"
add action=drop chain=forward

/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1-gateway to-addresses=0.0.0.0
# Destination NAT can only map to a single address, or a consecutive range of addresses,
# hence only one of the OpenDNS servers is listed. I wouldn't use REDIRECT and the Mikrotik
# built-in DNS resolver, since it has well-known problems with e.g. low TTL records.
add action=dst-nat chain=dstnat comment="OpenDNS UDP" dst-port=53 protocol=udp \
    in-interface=ether2-master-local to-addresses=208.67.222.222
# Remember that DNS can use TCP too
add action=dst-nat chain=dstnat comment="OpenDNS TCP" dst-port=53 protocol=tcp \
    in-interface=ether2-master-local to-addresses=208.67.222.222
add action=dst-nat chain=dstnat comment="Remote Web Access (\\\\SERVER)" dst-port=443,4125 \
    protocol=tcp in-interface=ether1-gateway to-addresses=192.168.88.200
Edit: Made the code block play nicer with tables. Added a comment or two to the ruleset. Also :goonsay:

Not sure what caused it, but I've just had to completely reset my MikroTik thanks to your configuration (on my birthday no less). I made a backup of my firewall configuration, then input yours through the terminal verbatim and then after doing so I could no longer load websites and then couldn't reconnect to the router through SSH or WinBox. :downsbravo:

Not sure if they'll offer it, but I've e-mailed MikroTik support for assistance with cleaning up my firewall rule-set and better explaining how it should be configured, etc. I think the biggest trouble I have so far with this router is understanding the proper implementation and design of the firewall. I understand what you were explaining in your post with regards to input/forwards rules and actually seeing the rule-set built within WinBox makes it easier for me to comprehend. However, after making those changes and reading it over again, I just don't understand what the problem was that caused it to stop functioning.

PUBLIC TOILET fucked around with this message at 20:37 on Apr 16, 2013

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

Sorry to hear that! :( (Also happy birthday!)

Did you take out the existing filter and NAT rules first? The "Allow all from LAN" rule on the input chain is pretty important to have in before the default drop, or you will be locked out. One thing I've noticed is that the Mikrotik terminal doesn't handle a large block of text pasted in, probably due to buffering. If you're going to try again, try doing it one line at a time.

Also, I didn't test the OpenDNS redirect thing myself, since I don't use it. You can set the DHCP server to hand out the OpenDNS IPs and just omit the transparent redirect thing, unless you really need to force it.

Yeah what I did was clear out all of the Filter Rules first, then input yours line-by-line through a new terminal window. One thing I did notice was when I reached the point of adding the ones allowing the outgoing traffic from the LAN, the paste didn't look correct. There were spaces and periods between the forward-slash and the next command. I also didn't know what the ideal single rule would have been that you mentioned as being an alternative to the multiple outgoing traffic rules. After the filter rules were done, I erased the NAT rules and then did those line-by-line as well.

With regards to DNS resolution, I've done it a different way this time through WinBox. Under IP -> DNS, I've specified both OpenDNS servers under the "Servers" fields. Under "Static", I've also added both OpenDNS servers there as well. I then went to IP -> DHCP Client, disabled "Use Peer DNS". This appears to be working.

PUBLIC TOILET fucked around with this message at 20:43 on Apr 16, 2013

PUBLIC TOILET
Jun 13, 2009

Okay, I've removed the OpenDNS servers from the Static DNS section. I've still left them specified under IP -> DNS and I've gone ahead and modified the DNS servers under the DHCP Server section so that it points to the two OpenDNS servers and not the router (192.168.88.1). Thank you for that. I had thought about that when I was re-configuring the router (why am I trying to NAT OpenDNS? There has to be a way to statically force the server upon the clients.) Glad you pointed me in the right direction, I just couldn't locate the proper area to input that.

It might just be a WinBox bug but when I opened a new terminal window, went to "ip firewall filter" and pasted:

code:
add chain=forward comment="Allow outgoing TCP traffic from LAN" connection-state=new protocol=tcp \ tcp-flags=syn,!ack in-interface=ether2-master-local
It went through fine. When I did the next line:

code:
add chain=forward comment="Allow outgoing UDP traffic from LAN" connection-state=new protocol=udp \ in-interface=ether2-master-local
The new dialog box appeared to configure a new rule as if it didn't know what to do with that line. I closed the dialog box, did it again and then it went through without a hitch. That's what happened the first time around when the router stopped functioning. I'll try erasing my configuration then importing yours once more after I clean up the code a little bit and save it to an .rsc file. If it errors out again, I'll paste the export here.

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

You should remove the '\' from the middle when you make it all one line. That backslash is there to tell the terminal that the next line is technically part of the current one, so it's not needed when it is actually all one line.

No luck. I removed all of my firewall configuration, imported yours once more line-by-line but it still caused the router to stop functioning properly. After I import it, I can see the log dropping connection attempts and whatnot. However, once I try to open a website, it fails to resolve it. Below is an export of the firewall after re-configuring it with your settings:

code:
/ip firewall filter
add action=accept chain=input connection-state=established disabled=no
add action=accept chain=input connection-state=related disabled=no
add action=accept chain=input comment="Allow all traffic from LAN" disabled=\
    no in-interface=ether2-master-local
add action=accept chain=input comment="Rate-limit pings" disabled=no limit=\
    50/5s,2 protocol=icmp
add action=drop chain=input comment="SSH scans" disabled=no dst-port=22 \
    protocol=tcp
add action=log chain=input comment="Log everything else" disabled=no \
    log-prefix="DROP INPUT"
add action=drop chain=input disabled=no
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward connection-state=related disabled=no
add action=accept chain=forward comment="Allow outgoing TCP traffic from LAN" \
    connection-state=new disabled=no in-interface=ether2-master-local \
    protocol=tcp tcp-flags=syn,!ack
add action=accept chain=forward comment="Allow outgoing UDP traffic from LAN" \
    connection-state=new disabled=no in-interface=ether2-master-local \
    protocol=udp
add action=accept chain=forward comment="Allow outgoing pings from LAN" \
    connection-state=new disabled=no icmp-options=8:0-255 in-interface=\
    ether2-master-local protocol=icmp
add action=accept chain=forward comment="Allow HTTPS/RWW (SERVER)" \
    connection-state=new disabled=no dst-address=192.168.88.200 dst-port=\
    443,4125 in-interface=ether1-gateway protocol=tcp tcp-flags=syn,!ack
add action=log chain=forward comment="Log everything else" disabled=no \
    log-prefix="DROP FORWARD"
add action=drop chain=forward disabled=no
And this image followed by this image are screen-captures of both sections within WinBox after using your configuration. Should the out-interface be set to ether1-gateway?

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

By removing these it'd change the default policy to allow everything from everywhere. Linux/Mikrotik firewalling is first-match, and traffic coming from the LAN to either the router or the outside world should be matched by the rules above these.


Interesting. That configuration closely mirrors my own, which works fine on my RB750GL. The telling thing is that the counters are all zero on all rules except "allow established" and the default log/drops at the end.

I didn't realize this is a 951G, so you probably need to change the in-interface from 'ether2-master-local' to 'bridge-local' on all the rules since the default configuration sets up a bridge between the wireless and wired interfaces. Can you post a screenshot of the Interfaces section of Winbox?

Sure, here you go. These are all the default. The only option I recall changing was making all of the ethernet interfaces 1Gbps.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Out of curiosity, why aren't you using the default ruleset? The built-in one you get after a sys reset works right out of the box.

Just trying to secure it a little bit is all and create decent logging rules so I can see what's actually going on. I'm also trying to customize some things (the remote access server for instance) and learn/understand how the firewall itself works. It's probably my biggest weakness with this router and I'd like to be able to work with it a bit. Ideally I'd like to obtain a paper-back manual or decent book on it but I don't really see much with regards to learning RouterOS. I'd like to use MikroTik hardware moving forward if I have to set one up for family, friends, etc. but obviously I need to learn it first.

For instance, right now I don't understand why it has to be changed to the local bridge from the local master interface. I should check out that flowchart again.

PUBLIC TOILET fucked around with this message at 04:19 on Apr 18, 2013

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

So I take it that worked? The reason that it has to be changed to the bridge interface is because the IP address is assigned to the bridge interface. Look under IP -> Addresses. Traffic sent to the router's IP will appear to the firewall to come in on the bridge interface.

I actually didn't try it yet, but looking at the IP Addresses, there's only the ether1-gateway specified grabbing the IP from the ISP and there's also the wireless LAN interface in the list. Did you mean the DHCP Server? Because that has the bridge-local interface specified.

PUBLIC TOILET
Jun 13, 2009

SamDabbers posted:

Think of the bridge as a virtual switch in software. It has 3 ports assigned to it: wlan1, ether2-master-local (and, implicitly, all its slaves), and the router CPU. The "port" that "connects" to the router CPU is labeled "bridge-local" in the config, and is treated just like any other interface when it comes to the IP layer stuff like DHCP and firewall. So there should be two IP addresses under IP -> Addresses: your ISP public address on ether1-gateway, and 192.168.88.1 on bridge-local.

I think I understand what you mean. Everything hits the bridge-local first, then it's funneled to the appropriate interface(s) rather than each interface acting independently when it comes to the initial switching? So in essence, it would go bridge-local -> ether1-gateway -> ether2-master-local AND/OR wlan1 with regards to the way this is configured and what is being utilized.

After modifying the script to use bridge-local, it would appear as though we're good now. Much appreciated, thank you. :) I've been referencing the MikroTik wiki for direction on most things, but are there any actual paper-backs out there on RouterOS/MikroTik? It seems like the closest thing I can find are the planned training events they hold across the country. My next objective is to work on IPsec.

PUBLIC TOILET fucked around with this message at 06:25 on Apr 19, 2013
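To tie together the first-match rules SamDabbers listed earlier (established first, explicit drop last, default accept) and the bridge-local diagnosis that ended up fixing the lockout, here is an added Python simulation of the quoted input chain. It is not RouterOS code and not anyone's configuration from this thread; the Winbox packet, the port number and the interface names are constructed, and the `limit=` matcher is not modelled.

```python
"""First-match walk of a RouterOS-style filter chain.
Added Python example, not RouterOS code and not any configuration from the
thread. The rules mirror the quoted input chain; the packets and interface
names are constructed. The `limit=` matcher is not modelled."""
from dataclasses import dataclass, field

@dataclass(frozen=True)
class Packet:
    chain: str
    in_interface: str
    connection_state: str = "new"
    protocol: str = "tcp"
    dst_port: int = 0

@dataclass
class Rule:
    chain: str
    action: str = "accept"          # RouterOS default action is accept
    match: dict = field(default_factory=dict)
    comment: str = ""
    counter: int = 0                # packets matched, like the Winbox counters

    def matches(self, pkt):
        return all(getattr(pkt, k) == v for k, v in self.match.items())

def evaluate(rules, pkt):
    """(action, comment) of the first terminating match in pkt's chain.
    `log` does not terminate in RouterOS, and an unmatched packet falls to
    the chain default of accept, which is why the trailing drop matters."""
    for rule in rules:
        if rule.chain != pkt.chain or not rule.matches(pkt):
            continue
        rule.counter += 1
        if rule.action != "log":
            return rule.action, rule.comment
    return "accept", "<chain default>"

def input_chain(lan_iface):
    """The quoted input chain, with the LAN interface name as a parameter."""
    return [
        Rule("input", match={"connection_state": "established"}),
        Rule("input", match={"connection_state": "related"}),
        Rule("input", match={"in_interface": lan_iface}, comment="Allow all traffic from LAN"),
        Rule("input", match={"protocol": "icmp"}, comment="Rate-limit pings"),
        Rule("input", "drop", {"protocol": "tcp", "dst_port": 22}, "SSH scans"),
        Rule("input", "log", {}, "Log everything else"),
        Rule("input", "drop", {}, "explicit default drop"),
    ]

def lockout_demo():
    """Winbox (TCP 8291) from the LAN on a board whose LAN IP sits on bridge-local:
    verdict with rules for ether2-master-local, for bridge-local, and counters."""
    winbox = Packet("input", in_interface="bridge-local", dst_port=8291)
    wrong_rules = input_chain("ether2-master-local")
    wrong = evaluate(wrong_rules, winbox)
    right = evaluate(input_chain("bridge-local"), winbox)
    return wrong, right, [(r.comment or r.action, r.counter) for r in wrong_rules]
```

With the wrong interface name the "Allow all traffic from LAN" counter stays at zero and only the log and drop rules count, which is exactly the symptom noted above.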

PUBLIC TOILET
Jun 13, 2009

What's the best way for me to do a diagnostic of a specific device that connects to the network through the MikroTik router? I have a device that I want to complete network diagnostics on and see what's happening behind the scenes when it tries to communicate with the router. I can see in the normal log that it establishes a connection at 10mbit, then it disconnects, then it reconnects at 100mbit. After that it receives the DHCP lease but sometimes the device still won't have network connectivity.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

TOOLS TOOLS TOOLS TOOLS!

There's so many TOOLS for you to choose from! From within Winbox:

Tools -> Ping
Tools -> Packet Sniffer (super handy for gathering data to analyze in Wireshark)
Tools -> Torch
System -> Logging (add a topic and send it to memory to get extensive debug info dumped into the logs)

Hopefully somewhere in that pile of Tools will be something that helps you solve your issue.

Fair enough. I've gone into System -> Logging, configured a new topic of "interface" as well as "debug" just below it. I'm guessing the results of this debug are supposed to appear in the log through Winbox? It doesn't seem to display any diagnostics after configuring the topic. Same result if I do /log -> print in a new terminal window. Is it because of the logging rules currently configured in the IP -> Firewall?

PUBLIC TOILET
Jun 13, 2009

daita posted:

19:35:45 interface,info ether1 link down
19:35:47 interface,info ether1 link up (speed 100M, full duplex)

:iia: Pretty much. Just as an update, I have to fiddle with the device to get it to connect and pull a lease from the router. Supposedly the device may be overheating (at least the NIC might be) and that's why this problem occurs. I just chalk it up to age and build quality. Sometimes if I erase the DHCP lease, disconnect the patch cable while it's powered on then plug it back in, it will reconnect, grab a lease and then connect at 100M. It is a strange one but unsurprising.

PUBLIC TOILET
Jun 13, 2009

CuddleChunks posted:

Yeah. The new icons are nifty, it seems to solve some problems with nstreme 2 which is good news. Seems stable though we don't have it in general use across the network yet. I've got the release candidate installed at home and it has been fine. I may update to the full version this weekend or something.

Yeah I see they have a new release (6.1) that came out on 6/12. I was going to ask if there are any known issues before upgrading from 5.25.

PUBLIC TOILET
Jun 13, 2009

Before I bitch to Time Warner again, has anyone heard of common issues with regards to a MikroTik router randomly experiencing packet loss? Just started this past week and I've had to call Time Warner support once already. Connection was experiencing 25-50% packet loss according to the RouterOS ping tool then the whole connection went dead. Overseas support did something to the cable modem that brought it back to normal. Now I'm experiencing the problem again only this time RouterOS is telling me it's around 15-25% packet loss. I'm quick to blame Time Warner for the issue but I just want to make sure there aren't any known random packet loss issues related to the MikroTik equipment.

PUBLIC TOILET
Jun 13, 2009

Remit posted:

None that I am aware of. What are you pinging? Do a tracert and set up smokeping or pingplotter to at least narrow down where the loss is happening.

Strangest thing but so far the problem hasn't come back. Last night I was tired of the random packet loss so I started going through hardware. I removed one of the switches connected to a port on the MikroTik but that didn't help. I then even went and measured the voltage from the electrical outlet to the MikroTik and the cable modem. The voltage was where it should be. Unplugged the power strip both devices are connected to from the electrical outlet and plugged it back in so both devices received a full power-cycle. After that I decided to do a ping test from the MikroTik to google.com and the problem never came back. I haven't had any packet loss since. I have no idea what had changed but so far the problem hasn't reappeared.

So I don't know if the electrical outlet the power strip is connected to is going bad, or if the power strip was holding a charge causing the device(s) to fail. It just sounds impossible though so I'm at a loss as to what was causing the issue. I had done numerous power-cycles before that and the problem had persisted.

PUBLIC TOILET fucked around with this message at 00:36 on Jul 7, 2013


PUBLIC TOILET
Jun 13, 2009

Remit posted:

Have any queues or interface limits that would cause it?

None to my knowledge. I don't recall configuring any limitations on the interfaces or queues.
