MikroTik

16again

MT vpn also uses a windows user login , so you could use user CAL instead

16again

Your ipsec policy matches traffic 192.168.200.2/32 <->192.168.200.1/32, but it should match traffic between GRE local and remote addresses 1.1.1.1 <->2.2.2.2 As these are your WAN IPs, ipsec policy also should match GRE traffic.....or tunneled traffic might re-enter the tunnel endlessly. A way aroun...

16again

This rule looks suspicious: add action=accept chain=forward comment=Test dst-address-list=192.168.1.42 \ dst-port=47808 protocol=udp src-address-list="PPTP Pool" src-port=47808 Drop the source port, as most protocols use a source port from a random pool Also , some endpoints don't have default gatew...

16again

Review logs , to see if VRRP didn't hick-up. Also, I'd focus on src-nat rules. Exclude VRRP source address from ever being masqueraded or sNAT-ted. Or in filter-out chain , block IPSEC packets to peers, sourced from .14 20 minutes recovery time......conntrack timeout for ESP is 10 minutes. Look into...

16again

afaik, inherent indeed means "use DF flag" of original packet. Note a GRE interface is unaware of its parent interface, all you specify is an IP local/remote addresses for the tunnel

16again

@pe1chl
Who said anything about dropping packets? In download queue, we're shaping traffic, that's delaying and not dropping.
imho, this is an effective way to keep total tcp throughput under control, leaving room for VOIP traffic

16again

with/without fastpath, the RB750Gr3 hardware should be able to do way more than this.
Check for full/half duplex mismatch settings and errors like collisions on 100Mb/s Ethernet interfaces

16again

On dNAT rules, set incoming interface=WAN interface

16again

SNI is a server thingy.
Opening a https webpage, always a certificate with name of website FQDN is requested. (this takes place after tcp 3 way handshake at session start)
In my understanding, this tls-host thingy is just a dedicated L7 filter, targeting this certificate name in SSL handshake

16again

For order of magnitude
Make the amount of data sent at set max speed fit for about 200milli seconds

16again

Hard to tell without seeing config.
Seems like you have a dNAT rule in place , that maps all traffic destined to udp port 5060 to 192.168.0.200.....but this rule is active for traffic entering LAN interface too !

16again

The mangle rules: Packets coming in on WAN are client download, and vice versa. Upload queue is attached to WAN interface. Masquerade has already taken place, so PCQ on source IP won't work Create parent queue on global interface, set BW at minimum equal to your VDSL up and down speed combined, then...

16again

I'm not sure how far you'll get with it....but this topic needs to have VRF mentioned in it.

16again

afaik , the idea behind an edge port, is that it automatically blocks when BPDUs are received. This prevents against both loops and your STP root being overthrown.

16again

"GCC: (GNU) 4.8.2" shows up multiple times in binary, so I guess GCC compiled it

16again

Getting the .10 address back...isn't a bad thing.
Real question: are the other IP addresses in pool still available for other pppoe clients?

16again

2) I'm also one of the people who commonly speaks out against the common practice of dropping all ICMP. Allowing all ICMP in isn't such a good idea as well. An ICMP ping sweep from internet to internal LAN will make the router start ND process for each and every internal host pinged. The potential ...

16again

SYN packets not being sent out, but answered locally....sounds to me like some SYN flood detection is enabled, and no longer working properly.

Normally, syn flood protects the other way around, protecting internal server from way too much half open sessions

16again

What is there to violate....when we want do decrease TX level. (which is good idea having multiple APs in "small" area)

If I want to violate regulations...what happens when I configure my antenna as if it does -20 dB gain?

16again

I guess these rules allow encrypted packets ("inner" VPN stuff) to pass, and probably translate into "iptables --pol ipsec" rules under the hood

16again

To get proper 1:1 nat relationship, I'd add a dst-nat rule as well.
Without it , sessions can only be set up in one direction

16again

Authentication between web server and web client ......should be done on the server and the client. Not on router in between.

Microsoft IIS can do this, pretty sure other decent webservers also will have this functionality

16again

Remote endpoints aren't aware of the GRE tunnel in between them , and its MTU. So they'll negotiate a too big packet size on tcp session setup. And routers will start fragmenting oversized tcp packets (ie most packets). When DontFragment bit was set, router will sent back "fragmentation needed" icmp...

16again

16again

sntp client is all that is needed to time-sync the device.....but it still needs access to external ntp server.
Since there's no external connection, do you have internal devices acting as ntp server? A windows AD controller already does this job

16again

no firewall rules in forward chain for fastpath ....is sort of OK
But this shouldn't rule out firewall rules in in-chain (which isn't fst-pathed to begin with)

@ pe1chl
The 1st UDP packet is in my definition the request, I we block it in in-chain, there will be no reply

16again

Most downloads are https, and L7 filter won't see filename.

Try matching on:
^..+\.(exe|iso|mp3|EXE|ISO|MP3).*$

16again

Not resolving (=dns) ....or not opening the website?
Since you're using pppoe, prime suspect is mss-clamp. Make sure to enable it

16again

Best example of related:
MT router listens in on ftp-control channel, and notices an active ftp download is about to take place, and opens the required ftp-data port (=related) automatically.

16again

Most likely Ethernet duplex mismatch
Play around with Ethernet speed and duplex settings

16again

established = state tracking has seen traffic in both directions.

I'd define it as: has passed traffic in one direction.

In home NAT environments, if your browser sends tcp syn, the 1st returning syn,ack already is related. (otherwise it would be blocked !)

16again

When you specify an interface as the gateway for a route: On point-to-multpoint links like ethernet, other router brands just start ARPing for the destination address, even if that address in NOT on the subnet. This will only work if other router has proxy-ARP enabled. This will result in huge ARP ...

16again

Only the CA itself has private key (K) , you don't need this on endpoints.
The local certificate for router itself is the only certificate that does require private key being included.

16again

Probably, counter is reset to 5:00 when new packet hits the "add src to address list" rule

16again

As you mention MTU=1500: Are customer packets passed being fragmented? The extra processing involved slows things down

16again

Discovery packets are sent from the MT router to broadcast IP 255.255.255.255:5678 , which isn't blocked by your rules

16again

since CA is also expired, restart from scratch generating all certificates

16again

On routed network, MAC addresses don't propagate: each router strips the original MAC address, and uses its own MAC address when sending out the packet

16again

afaik, you need to have a firewall rule alongside the dNAT rule, to actually allow the traffic in

16again

If those /29 address range is fixed (and it has to be as it isn't pushed on pppoe login), you can use all of these 8 addresses in NAT rules without assigning them to any interface !
You can use them in both src and dst NAT rules.

16again

1st thing that comes to mind:
Both LAN router and "firewall" need to have route back to 10.104.17.x network

16again

Judging by IP addresses, this already is a routed network.
You can trade in static IP routing for routing protocol. OSPF is always preferred.
On small network like this, you can use rip instead, it has advantage of easier route manipulation (filtering summarizing etc)

16again

How did you implement "1 - Use a filter rule that automatically adds the dst-address to a list whenever a particular domain is matched (using the content field) ?"

Is iptable --restore-mark done automatically on return traffic? Under actions, I don't see option to do it manually.

16again

To see internal addresses, I'd try sniffing on LAN interface, and use external private IP to stream it to.

16again

For starters, ignore the black part, it is only about burst behavior.

Focus on blue part , where packets are enqueued and dequeued. Dequeue speed is limited by speed tokens arrive, the orange part

16again

Are you using (or can you configure) symmetric RTP ports?
This way audio in and audio out will use same port-pair, so it can traverse statefull firewalls without h323 helper.

16again

New here....but maybe you can use ipv6 link local address to connect SSH to the box.
link local address can be derived from MAC address, still visible in arp table of your computer

16again

Add black-hole /32 route for unauthorized source IP .

Search found 48 matches