Can anyone tell me what these highlighted rules are doing? Rule 0 is to allow pinging the device. Rule 3 is one I've created to allow WinBox from outside the NAT. Rule 4 is a catch-all deny. What are rules 1 and 2?
Edit: Bonus unrelated question, does RouterOS support firewalls between interfaces/zones? For example, can I set up firewall rules between VLANs on the switch ports? I haven't looked this far into it yet.
Edit 2: Never mind, figured out the firewall rules.
IT Guy fucked around with this message at 18:28 on Apr 9, 2013
# ¿ Apr 9, 2013 18:17 |
# ¿ Apr 27, 2024 09:08 |
thebigcow posted:
Thanks for the answer. I did figure out the established connection thing but like you, I still do not know what the related is.
# ¿ Apr 9, 2013 18:35 |
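The five-rule input chain from the first post written out as RouterOS CLI, with comments on what connection-state=related actually matches (the point the reply above says is still unclear); this is an added example, not configuration from the thread. It assumes the default WAN name ether1-gateway, the default WinBox port 8291, and adds a source address list to rule 3 as a hardening step the original rule did not have.

```routeros
# Added example, not from the thread. Assumes WAN interface ether1-gateway
# (the default name) and the default WinBox port 8291.
/ip firewall filter
# rule 0: answer pings (ICMP)
add chain=input protocol=icmp action=accept comment="0 allow ping"
# rule 1: packets of a connection the tracker already knows, e.g. DNS answers
# to the router's own queries or a WinBox session that is already open
add chain=input connection-state=established action=accept comment="1 accept established"
# rule 2: packets of a NEW connection that the tracker ties to an existing one:
#   - ICMP errors (unreachable, time exceeded) that quote a tracked flow
#   - helper-opened data channels, e.g. FTP data (see /ip firewall service-port)
add chain=input connection-state=related action=accept comment="2 accept related"
# rule 3: WinBox from the WAN. Without src-address-list this is open to the
# whole internet; "admins" is an address list you maintain (assumed name)
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=8291 src-address-list=admins action=accept comment="3 winbox from WAN"
# rule 4: everything else arriving on the WAN for the router itself is dropped
add chain=input in-interface=ether1-gateway action=drop comment="4 drop WAN input"
# the list referenced by rule 3 (constructed placeholder address)
/ip firewall address-list
add list=admins address=203.0.113.10 comment="office public IP"
```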
That makes sense. Unrelated, I can't seem to get a DHCP IP from my ISP whatever I try. I'm using just a default configuration, haven't changed anything but the admin password and I never get a DHCP IP from my ISP on cable. However, if I plug the ether1-gateway interface into a private network with a DHCP server, I get a DHCP IP address right away. Has anyone experienced this? I've tried rebooting the modem but it doesn't help. I don't have to do any MAC address cloning bullshit. I have a SonicWALL TZ210 that works and picks up an IP and I also have two Linksys routers (WRT54GL and a E3200) that both pick up a DHCP IP from my ISP. I've opened a ticket with my ISP but I'm doubting they will support this.
# ¿ Apr 10, 2013 02:50 |
DHCP client is on the SFP interface and the ether1-gateway interface. Modem is plugged into ether1-gateway. It's enabled and definitely works on any network except my ISP's cable that I've tested it on. I have a RB750 here at work that I'm going to bring home to make sure it's not the hardware.
# ¿ Apr 10, 2013 18:04 |
IT Guy posted:
Update: Turns out it was my ISP and they had to re-provision my account and give me a new modem. I don't even know why the gently caress, but it's fixed now. It wasn't the Mikrotik RouterBoard.
# ¿ Apr 12, 2013 20:03 |
Can someone tell me what the difference is between using a bridge vs. assigning ports a "master port"? What is the preferred method?
# ¿ Apr 16, 2013 23:43 |
SamDabbers posted:
Using a bridge is in software, whereas a "master port" uses the hardware switch chip. Where a bridge is useful vs. switch chip is when you want to bridge interfaces that aren't on the same switch chip, or you want to do something more advanced like run RSTP on the bridge. You can combine the two, e.g. set ports 3,4,5 to use port 2 as the master port, then bridge port 2 to an L2TP interface. The switch chip will handle traffic between the ethernet ports, but whatever's on the other side of the L2TP interface will be bridged to the local LAN via software.

Very informative, thanks.
# ¿ Apr 16, 2013 23:56 |
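The combination SamDabbers describes (ports 3-5 switched in hardware behind port 2, port 2 bridged in software to a tunnel), as an added example that is not configuration from the thread. It uses the 2013-era master-port syntax; l2tp-siteB is an assumed L2TP client interface created beforehand, with BCP enabled on both ends so the tunnel carries Ethernet frames.

```routeros
# Added example, not from the thread. RouterOS 6.x before 6.41 (master-port syntax).
# Hardware switching: ether3-5 forward to each other and to ether2 via the switch
# chip; the CPU never sees that traffic.
/interface ethernet
set ether3 master-port=ether2
set ether4 master-port=ether2
set ether5 master-port=ether2
# Software bridge: joins the switch group (through its master port) to a tunnel
# interface that is not on the switch chip. Only frames crossing this boundary
# are handled by the CPU, so only they cost bridge throughput.
/interface bridge
add name=bridge-lan protocol-mode=rstp comment="LAN + L2TP/BCP"
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=l2tp-siteB
# Put the router's LAN address on the bridge, not on ether2, so it is reachable
# from both the switched ports and the tunnel side.
/ip address
add address=192.168.88.1/24 interface=bridge-lan
# From 6.41 on, master-port is gone: every port becomes a bridge port and the
# switch chip is used where possible (hw=yes on /interface bridge port).
```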
I have a slight problem. I have a server on the WAN that has a web interface. I don't want this accessible at all times so I decided I would just enable/disable a firewall rule on the MikroTik router in front of it when I need to access the web interface. The problem is, even with the firewall rule disabled, I can still connect to port 80 for some reason. I have full access to the box with the firewall rule disabled. Here is my setup: So, why am I still able to connect?
# ¿ Jun 17, 2013 16:20 |
I see. I assumed it was still on the input chain because technically the IP being hit is the WAN IP and then NAT forwards the traffic to my machine behind the NAT. So to get this to work I'd have to set up a firewall rule to drop the forward chain traffic on that port, since by default it just goes through if there is a NAT rule set up? Then when I want to connect to the web interface I'd disable the drop firewall rule? That or I can ditch the firewall rules and just enable and disable the NAT rule as I need?
# ¿ Jun 17, 2013 17:05 |
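The forward-chain approach worked out in the post above, as an added example (not configuration from the thread): dst-natted traffic is routed to the LAN host and passes the forward chain, so an input-chain rule never sees it. It assumes the server sits at 192.168.88.10 behind the WAN interface ether1-gateway.

```routeros
# Added example, not from the thread. Assumes the web server is 192.168.88.10
# behind WAN interface ether1-gateway.
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.88.10 to-ports=80 comment="web UI forward"
/ip firewall filter
# dst-nat runs in prerouting, so by the time the packet reaches the filter it is
# addressed to the LAN host and traverses the FORWARD chain, never input.
# Match the post-NAT destination, and keep this rule above any
# "accept established" forward rule: otherwise a session that was already open
# when the rule is enabled keeps working until it times out.
add chain=forward in-interface=ether1-gateway protocol=tcp dst-address=192.168.88.10 dst-port=80 action=drop comment="block web UI" place-before=0
# same thing without naming the host (RouterOS 6 matcher): anything dst-natted
#add chain=forward in-interface=ether1-gateway connection-nat-state=dstnat protocol=tcp dst-port=80 action=drop
# toggling access when the web interface is needed, then closing it again:
/ip firewall filter disable [find comment="block web UI"]
/ip firewall filter enable [find comment="block web UI"]
# alternative from the post: leave the filter alone and toggle the NAT rule.
# Already-tracked connections survive a NAT-rule disable until they time out,
# so flush them to make the block take effect immediately.
/ip firewall nat disable [find comment="web UI forward"]
/ip firewall connection remove [find dst-address~"192.168.88.10:80"]
```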
How would I go about setting up something to email me daily (or possibly even hourly) bandwidth usage? We have a server offsite behind a Mikrotik router that is used primarily to sync our backups. Sometimes we have users that upload gigs of unnecessary data to our file server which then attempts to replicate offsite and I'd like to catch this with some type of bandwidth monitor so I can stop the sync.
# ¿ Jun 20, 2013 18:01 |
Question. I'm the sysadmin for a company of about 400 people, 300 with computers, and ~12 remote branches. It's very rural and the IT budget suffers hard because of this. I was considering rolling out MikroTik at all our branch locations to save some money for more important things like upgrading our loving 40% Windows XP machines. The only thing I'm not sure about is the VPN. Is there any stable VPN solution you guys use with MikroTik? Or can someone recommend third party?
# ¿ Sep 13, 2013 13:29 |
Both. Each branch (including the central office) would be connected to each other via site to site VPN in a full mesh configuration (for voip) rather than star, and then each branch would also allow client VPN access.
# ¿ Sep 13, 2013 14:36 |
falz posted:
Sure you can do GRE or IPIP tunnels and encrypt with IPSec for the site to site links. That would allow you to run IGP (ospf) to allow traffic to other sites to follow other tunnels if you want to. However, depending on the # of sites you'll run into scalability issues. 3 sites = 3 VPN tunnels on each router (9 configs), 4 = 16 configs, etc. I don't think RouterOS has any cisco-style DMVPN that I believe deals with that situation.

Perfect, thanks, I'll do some more research on this.

Wolf on Air posted:
Hi, thread. RouterOS 6.4 breaks WinBox input forms randomly. That is all.

Thanks for the heads up. Was just about to load it on a new router.
IT Guy fucked around with this message at 15:33 on Sep 13, 2013
# ¿ Sep 13, 2013 15:31 |
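falz's GRE-over-IPsec design from one site's point of view, as an added example that is not configuration from the thread; it also shows why the per-site count grows, since every other site needs a copy of this block. The public addresses, LAN ranges and PSK are constructed placeholders, and site B needs the mirror-image configuration.

```routeros
# Added example, not from the thread. Site A: public 198.51.100.1, LAN 10.1.0.0/24.
# Peer site B: public 203.0.113.1, LAN 10.2.0.0/24. All addresses are placeholders.
# 1. Plain GRE tunnel carrying a /30 transit network
/interface gre
add name=gre-siteB local-address=198.51.100.1 remote-address=203.0.113.1
/ip address
add address=10.255.0.1/30 interface=gre-siteB
# 2. IPsec in transport mode protecting only the GRE packets between the two
#    public addresses; level=require means GRE is never sent in the clear.
#    Phase 1/2 algorithms are set explicitly because the 2013 defaults are weak.
/ip ipsec proposal
add name=gre-prop enc-algorithms=aes-256-cbc auth-algorithms=sha1 pfs-group=modp2048
/ip ipsec peer
add address=203.0.113.1/32 exchange-mode=main enc-algorithm=aes-256 hash-algorithm=sha1 dh-group=modp2048 secret="REPLACE-WITH-LONG-RANDOM-PSK"
/ip ipsec policy
add src-address=198.51.100.1/32 dst-address=203.0.113.1/32 protocol=gre action=encrypt level=require tunnel=no ipsec-protocols=esp proposal=gre-prop sa-src-address=198.51.100.1 sa-dst-address=203.0.113.1
# 3. Let IKE, ESP and the decrypted GRE from this one peer reach the router;
#    placed above the catch-all WAN drop, and scoped to the peer's address only.
/ip firewall filter
add chain=input src-address=203.0.113.1 protocol=udp dst-port=500 action=accept place-before=0
add chain=input src-address=203.0.113.1 protocol=ipsec-esp action=accept place-before=0
add chain=input src-address=203.0.113.1 protocol=gre action=accept place-before=0
# 4. OSPF across the tunnel so each site learns the others' LANs; when a tunnel
#    fails, routes converge onto whichever tunnels remain.
/routing ospf instance
set [find default=yes] router-id=10.255.0.1
/routing ospf interface
add interface=gre-siteB network-type=point-to-point
/routing ospf network
add network=10.255.0.0/30 area=backbone
add network=10.1.0.0/24 area=backbone
```

For a full mesh of N sites every router repeats steps 1 to 4 once per other site (N-1 GRE interfaces, peers, policies and OSPF entries), which is the scaling problem falz points at.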
I just installed a new Mikrotik router for a client. It's working great with one exception. They have a VOIP unit on the network that can't make or receive calls. I set up the NAT to forward the appropriate ports to the static LAN IP on the device but it still doesn't work. I also tried turning off the NAT helper service ports for SIP and H323 but that didn't work. I suspect it may be a masquerading issue? Before I gently caress around with this more, does anyone have any ideas? The client had a SonicWALL unit prior and we had to enable both "SIP Transformations" and "H323 Transformations" to get it to work.
# ¿ Sep 16, 2013 14:51 |
So gently caress me. Ignore everything I said. The issue was simple: I had the NAT settings forwarding to the wrong IP address. I fixed that, tried the VOIP again, didn't work, re-enabled the SIP and H323 IP helpers and voila, it's working.
# ¿ Sep 16, 2013 17:38 |
I set up L2TP/IPsec today for client VPN. It works great, however, can you do split tunnels with L2TP? I want my internet traffic and any other non-VPN traffic to go out my default gateway and only have my VPN network go through the tunnel. Running a traceroute to google.com, it is going through the tunnel at the moment.
Edit: Never mind, apparently I can do this on the client side in Windows by unchecking "Use default gateway on the remote network" in the TCP/IP settings of the adapter. With that being said, is there any way on the server side to force a full tunnel rather than a split tunnel, or is that only available through proprietary client software?
IT Guy fucked around with this message at 17:27 on Oct 4, 2013
# ¿ Oct 4, 2013 16:53 |
Is there any way to use a DNS server in RouterOS?
# ¿ Oct 15, 2013 00:26 |
Weird Uncle Dave posted:
How do you mean? Do you want it to act as a DNS server (it can, kinda) or just hand out DNS server info to VPN/DHCP clients (easy)?

The former.

CuddleChunks posted:
Here's all the lowdown on DNS in RouterOS: http://wiki.mikrotik.com/wiki/Manual:IP/DNS

Thanks it looks like the built in server through the cache will do me fine for now.
# ¿ Oct 15, 2013 01:03 |
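Using the built-in cache as the LAN's DNS server, as the last reply settles on, written out as an added example (not configuration from the thread) together with the check a practitioner wants: allow-remote-requests listens on the WAN too, so it must be filtered there. It assumes WAN ether1-gateway, LAN 192.168.88.0/24 with the router at .1, and public upstream resolvers 9.9.9.9 and 1.1.1.1.

```routeros
# Added example, not from the thread. Assumes WAN is ether1-gateway, the LAN is
# 192.168.88.0/24 with the router at .1, and upstream resolvers 9.9.9.9 / 1.1.1.1.
/ip dns
# allow-remote-requests turns the router's cache into a resolver for other hosts
set allow-remote-requests=yes servers=9.9.9.9,1.1.1.1 cache-size=4096KiB
# local names are answered from the static table before anything goes upstream
/ip dns static
add name=fileserver.lan address=192.168.88.20
add name=printer.lan address=192.168.88.21
# allow-remote-requests binds on every interface, WAN included. Without a
# filter the router is an open resolver that can be abused for amplification,
# so refuse port 53 from the WAN, placed above any broad accept rule.
/ip firewall filter
add chain=input in-interface=ether1-gateway protocol=udp dst-port=53 action=drop comment="no DNS from WAN" place-before=0
add chain=input in-interface=ether1-gateway protocol=tcp dst-port=53 action=drop comment="no DNS from WAN" place-before=0
# hand the router itself out as the resolver to DHCP clients
/ip dhcp-server network
set [find address=192.168.88.0/24] dns-server=192.168.88.1
# verify: cached entries and the static answers should show up here
/ip dns cache print
```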