Search found 18 matches

by cmaney
Wed Jul 18, 2018 2:21 pm
Forum: General
Topic: Web filtering/whitelisting
Replies: 3
Views: 372

Re: Web filtering/whitelisting

Well, I have to admit that that wasn't the answer I was hoping for, but thank you for the response. I'll report back to that effect (and play with the new tls-host matching stuff on my own time).

Thanks!
by cmaney
Tue Jul 17, 2018 10:35 pm
Forum: General
Topic: Web filtering/whitelisting
Replies: 3
Views: 372

Web filtering/whitelisting

I've been asked to only allow users to access a small subset of domains and IP addresses on the internet (http and https). For example, say: *.acme.com and *.acme2.com and the IP of 12.34.56.78. All told, there are only about 12 domains and IP's that we want to allow. I've looked at several ways of ...
by cmaney
Mon Jan 15, 2018 8:07 pm
Forum: General
Topic: SMTP filtering [SOLVED]
Replies: 3
Views: 865

Re: SMTP filtering [SOLVED]

... I created a list with the firewall address-list command, that I named SMTP-Relay-Pemit. I have the following firewall rules: add chain=input comment="Allow smtp in" dst-address=[IP_WAN] dst-port=25 protocol=tcp src-address-list=SMTP-Relay-Pemit ... As stated earlier, you need to look at the 'fo...
by cmaney
Mon Jan 15, 2018 6:51 pm
Forum: General
Topic: IOS VPN into RB3011 behind Verizon NAT
Replies: 9
Views: 759

Re: IOS VPN into RB3011 behind Verizon NAT

The easiest/best solution is to call Verizon and tell them you need the modem in Bridge mode. Depending on the model of modem, they sometimes have a setting called "Cascaded router" that can also work, but is a bit counterintuitive to setup. They should be able to either do it remotely and walk you ...
by cmaney
Mon Jan 15, 2018 5:06 am
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 1288

Re: Need help with VPN and src-nat [SOLVED]

Thank you both, @16again and @sindy! That was exactly the information I needed. I especially appreciated the tidbit about the netmap option. After fixing the NATs and then looking at the order of operations and making sure my filter rules were using the *real* addresses instead of the NAT'ed address...
by cmaney
Sat Jan 13, 2018 6:27 am
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 1288

Re: Need help with VPN and src-nat [SOLVED]

Looks like I spoke too soon. The VPN is now working for traffic that originated on my LAN (the 192.168.101.0/24 that is NAT'ed to 172.16.20.0/24), but traffic that originates at the remote (Sonicwall) still hits the Mikrotik and does the "forward in:ether1 out:ether1" bit.

What am I missing?
by cmaney
Sat Jan 13, 2018 4:42 am
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 1288

Re: Need help with VPN and src-nat [SOLVED]

After beating on this for an hour before breaking down and posting, I had an epiphany and disabled the 'no-track' option in /ip firewall raw that is normally required for VPNs and it started working.

So: With src-nat, don't use 'no track'!
by cmaney
Sat Jan 13, 2018 4:28 am
Forum: General
Topic: Need help with VPN and src-nat [SOLVED]
Replies: 6
Views: 1288

Need help with VPN and src-nat [SOLVED]

I am setting up a VPN between a 750G_r3 (6.40.5) and a SonicWall that is not under my control. For various valid reasons, I have to source-nat the traffic as it leaves my side and goes to the SonicWall. This works just fine: /ip firewall nat add action=src-nat chain=srcnat dst-address=192.168.102.10...
by cmaney
Fri Sep 01, 2017 6:10 pm
Forum: Scripting
Topic: 'grep' an output? [SOLVED]
Replies: 7
Views: 9105

Re: [SOLVED]

I found it easier to do a "pr file=abc" and ftp the file to a linux box and run cat abc | grep expression) Just a quick aside, but there is no need to cat the file and pipe it to grep on any Unix/Linux variant I've ever seen. You can simply use: grep expression abc So: grep 00:aa:15:aa:aa:aa myfile...
by cmaney
Fri Sep 01, 2017 6:00 pm
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Re: Modifying /ip/firewall/filter with api/script

Sorry for the delayed response, but I wanted to thank everyone for the input. It's always nice to learn new/better/varied ways of doing things, and I appreciate the assistance. Everything is working now.
by cmaney
Thu Aug 24, 2017 12:28 am
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Re: Modifying /ip/firewall/filter with api/script

pe1chl: "Note, however, that you do not need a matching firewall filter rule for each dst-nat rule that you create. This can be handled with a single rule that matches incoming forward traffic with connection-nat-state=dstnat" That's actually a really good point, and one that I will keep in mind. Th...
by cmaney
Fri Aug 18, 2017 10:55 pm
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Re: Modifying /ip/firewall/filter with api/script

Yes! That is exactly what I needed! Thank you. I'll go play with it this weekend and report back.

(By the way, other than some initial hiccups figuring out how to get your API client, I have been very pleased with it. Great work!)
by cmaney
Fri Aug 18, 2017 9:37 pm
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Re: Modifying /ip/firewall/filter with api/script

boen_robot: Thanks for your comment. I already mentioned why "place-before" won't work in this instance (although I guess I could always just use "place-before=0", but that's ugly.) I'll look at the "move" command, but if I understand you correctly, it will have the same problem, wouldn't it? (The p...
by cmaney
Thu Aug 17, 2017 8:56 pm
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Re: Modifying /ip/firewall/filter with api/script

Anyone have any ideas? Or is there a better way to do this?
by cmaney
Thu Aug 17, 2017 7:51 pm
Forum: Scripting
Topic: Append script by API
Replies: 3
Views: 803

Re: Append script by API

I have not tried exactly what you're doing, but I solved the same problem by using a pre-loaded script to retrieve a configuration snippet via fetch and then import it. Then I just use the API to execute the pre-loaded script. Obviously, you can then load all kinds of things simply by changing what ...
by cmaney
Sat Aug 12, 2017 10:31 pm
Forum: General
Topic: Feature request: CTRL-W in line editing.
Replies: 3
Views: 1037

Re: Feature request: CTRL-W in line editing.

+1

Ctrl-w (delete previous "word")
Ctrl-u (delete to beginning of line)
Ctrl-h (delete one character)

Please!
by cmaney
Sat Aug 12, 2017 4:19 pm
Forum: Scripting
Topic: Improvments for WAN-Backup Script
Replies: 4
Views: 972

Re: Improvments for WAN-Backup Script

Here's something to think about, but please remember that I haven't tested it! Instead of just disabling and enabling default routes, why not change their administrative distances when the gateway changes? So: Connection A has a default gateway of 1.1.1.1 with an administrative distance of 1 and Con...
by cmaney
Sat Aug 12, 2017 1:42 am
Forum: Scripting
Topic: Modifying /ip/firewall/filter with api/script
Replies: 12
Views: 3176

Modifying /ip/firewall/filter with api/script

I can successfully use the API to add a firewall filter rule with no problems. The issue is that I'd like to add the rules in the appropriate place. For example, I'd like to add a filter rule *before* the default rule that has the comment: "defconf: drop all from WAN". The difficulty is that the num...