Community discussions

Search found 198 matches

by johnson73
Tue Apr 23, 2024 7:23 pm
Forum: General
Topic: Azure Ipsec VPN Interrupts
Replies: 1
Views: 173

Re: Azure Ipsec VPN Interrupts

To solve this problem you need to see the traffic rules of your firewall. If they are not defined correctly, it can affect the overall traffic flow as well as the stability of the vpn connection.
/export file=anynameyouwish (minus router serial number, public WANIP information, keys etc.)
by johnson73
Thu Apr 18, 2024 7:32 pm
Forum: General
Topic: V 7.14.2 - firewall rules layout unusable
Replies: 11
Views: 1186

Re: V 7.14.2 - firewall rules layout unusable

You don't like winbox so much? Use it and you won't have any problems.
by johnson73
Sun Apr 14, 2024 5:45 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 725

Re: Blocking the port scanner on the VPN client side

Mikrotik firewall always starts with the "Input" chain. When the last rule of the input chain, Drop=All, ends, it continues with the Forward chain. The order is important: the rules are followed from top to bottom, otherwise there will be no correct traffic operation. Please copy the entire firewa...
by johnson73
Sun Apr 14, 2024 5:37 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 725

Re: Blocking the port scanner on the VPN client side

These are all your firewall rules??
by johnson73
Sun Apr 14, 2024 5:11 pm
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 725

Re: Blocking the port scanner on the VPN client side

Do you have a firewall configured at all? Open terminal, write: /IP/Firewall/filter/export Copy the config here.. When configuring a network for example office, we always separate subnets so that they do not see each other. One subnet for example is 10.10.0.0/24 (management)...LAN2- 10.20.0.0/24 (Us...
by johnson73
Sun Apr 14, 2024 11:36 am
Forum: General
Topic: Blocking the port scanner on the VPN client side
Replies: 15
Views: 725

Re: Blocking the port scanner on the VPN client side

@Baktery I didn't understand what your local network has to do with the external service provider. Does your mikrotik work as a firewall at all?? Open terminal, write: /IP/Firewall/filter/export Copy the config here.. It is not really understood from which side the port scan takes place, from the ro...
by johnson73
Fri Apr 12, 2024 5:22 pm
Forum: General
Topic: V 7.14.2 - firewall rules layout unusable
Replies: 11
Views: 1186

Re: V 7.14.2 - firewall rules layout unusable

Use Winbox and there will be no problems. https://mikrotik.com/download
by johnson73
Tue Apr 09, 2024 10:27 am
Forum: General
Topic: Site-to-site VPN within strange network [SOLVED]
Replies: 4
Views: 408

Re: Site-to-site VPN within strange network [SOLVED]

Wireguard couldn't be a solution? Haven't tried it? Maybe the information is useful.. https://gadgetmates.com/mikrotik-wireguard-vpn-setup
by johnson73
Thu Apr 04, 2024 4:37 pm
Forum: General
Topic: Winbox WAN access problem
Replies: 6
Views: 305

Re: Winbox WAN access problem

Look carefully at your 8291 rule record. It's not really correct. If you write it like this, does it not work either?
add action=accept chain=input dst-port=8291 protocol=tcp in-interface-list=WAN
by johnson73
Thu Apr 04, 2024 4:19 pm
Forum: General
Topic: Winbox WAN access problem
Replies: 6
Views: 305

Re: Winbox WAN access problem

We always try to use an address list to define access. This will make it easier to define access. If access to Winbox is needed from the outside, we define the port and use the address-list, which contains the allowed addresses. This is of course not a good practice because the good practice is to u...
by johnson73
Thu Apr 04, 2024 11:13 am
Forum: General
Topic: 8.8.8.8 suddenly blocked by my firewall???
Replies: 4
Views: 450

Re: 8.8.8.8 suddenly blocked by my firewall???

In order for the traffic flow to be correct, we use "default" firewall rules as the basis for everything. Your configuration has a very large mix. In Mikrotik, firewall rules are executed from top to bottom and the order also matters. We don't mix up the sequence of places. I will copy the...
by johnson73
Fri Mar 22, 2024 4:34 pm
Forum: General
Topic: access to winbox by wireguard [SOLVED]
Replies: 4
Views: 553

Re: access to winbox by wireguard [SOLVED]

Deleted the super long blacklist, it is not needed here.
The sequence of firewall rules is not correct for you. Remove the last 2 rules from the forward section...
And what was the point of this-
add action=drop chain=input dst-port=8291 in-interface-list=WAN protocol=tcp ?
by johnson73
Tue Mar 19, 2024 9:13 am
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

Sorry, I did, but since I encountered errors, I reverted back. Going back would not be the best advice. You understand - you don't have correct firewall entries that affect firewall flow, security and the rest. If you have this mikrotik in the production environment as the primary one, then you abs...
by johnson73
Sun Mar 17, 2024 11:49 am
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

https://help.mikrotik.com/docs/pages/viewpage.action?pageId=328435 I see that you have not fixed the firewall filter. Your existing configuration does not ensure the correct traffic flow. Your firewall rules are crap and not secure at all. You will also have no security, because "Input chain"...
by johnson73
Sat Mar 16, 2024 9:49 pm
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

What do your firewall rules look like after the changes? It is not clear why your vpn does not work correctly. Do you have "interface list=Local-LAN" specified for your current Profile in PPP-profiles?
by johnson73
Sat Mar 16, 2024 10:24 am
Forum: General
Topic: Reset Button Hold Time (New feature)
Replies: 7
Views: 1549

Re: Reset Button Hold Time (New feature)

https://timigate.com/2018/05/simple-steps-for-resetting-the-mikrotik-sxt-wireless-outdoor-radio.html You should succeed with netinstall. Unplug the power, press reset, - turn on the power and hold the button for at least 10 seconds, after that netinstall will start. If you let go sooner, it will be...
by johnson73
Fri Mar 15, 2024 11:44 pm
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

If the office has a network and a server on which AD works and your laptop is registered (join) in the domain, then by creating a vpn ipsec connection with the office you should be able to open network folders without authorization. If this laptop is not "no join" to domain, then the acces...
by johnson73
Fri Mar 15, 2024 5:41 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

Question - why does your firewall start with - 1 to INET chain=forward action=accept src-address=192.168.10.0/24 in-interface-list=LAN out-interface-list=WAN log=no log-prefix="" In my example, which is safe to use , the order is completely different. You have thrown away the records. I ga...
by johnson73
Fri Mar 15, 2024 5:13 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

thank you, I wasn't seeing it at first
I had to add another picture to see the attachment part
good luck :)
by johnson73
Fri Mar 15, 2024 5:09 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

so should I have my Policies in the exact order that you wrote? Yes, it would be desirable. In general, we always take the "default" firewall as the basis for everything and then supplement it with the entries we need. That's exactly what I have. Of course, look for yourself and fix what you hav...
by johnson73
Fri Mar 15, 2024 5:07 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

take the edit post and under "attachments" you will see the option "add" or delete.
by johnson73
Fri Mar 15, 2024 4:55 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

OK, use stronger encryption. It is everyone's personal business. But I would recommend starting with the mikrotik side. If you get the mix right, I think you will get the result. I already wrote that there is a mix on the mikrotik side. To be more precise, you are missing rules that ensure normal traffi...
by johnson73
Fri Mar 15, 2024 4:27 pm
Forum: General
Topic: IP sec traffic goes out but wont recive any packets
Replies: 18
Views: 958

Re: IP sec traffic goes out but wont recive any packets

It's not so crazy, there is no need to give up mikrotik :) I have created ipSec connections for mikrotik-Fortigate and everything works correctly. 1) MT tunnel can't work correctly for you, because the firewall entries on the mikrotik end are in a complete mix. The flow of traffic packets will not b...
by johnson73
Fri Mar 15, 2024 2:48 pm
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

A vpn connection is one of the authorization methods. The next authorization will already be the authorization defined for internal network share drives. Maybe the information about vpn config is also useful for you.. https://netpro.lv/en/basic-l2tp-ipsec-server-configuration-on-a-mikrotik-device/ M...
by johnson73
Fri Mar 15, 2024 9:31 am
Forum: General
Topic: VPN User credentials Not AD User credentials
Replies: 14
Views: 968

Re: VPN User credentials Not AD User credentials

Additional ports will need to be opened in the "Input" chain for L2TP authorization. We use address-list. Necessary corrections in the firewall section. We always use the "default" firewall as the basis for everything and supplement it with what we need as needed. In order for the traffi...
by johnson73
Mon Mar 11, 2024 9:35 am
Forum: General
Topic: Bridge Firewall Problem
Replies: 9
Views: 697

Re: Bridge Firewall Problem

samurai84, Am I trolling? Sorry friend, but maybe we didn't understand each other. You have a very strange firewall configuration structure, that's why I also asked about the "special" firewall. There is nothing irrelevant there. Sorry for my English, it's not my native language. Maybe the...
by johnson73
Sun Mar 10, 2024 6:27 pm
Forum: General
Topic: Firewall - Check - No Portforwarding
Replies: 6
Views: 447

Re: Firewall - Check - No Portforwarding

1) Use the entry - add action=accept chain=input port=8291 protocol=tcp ....not a safe event. If there is a need to access Winbox from outside, it is safest to use a vpn connection. If vpn seems too complicated, we can use address-list, interface-lists, for specific IP addresses that have permission...
by johnson73
Sat Mar 09, 2024 7:57 pm
Forum: General
Topic: Bridge Firewall Problem
Replies: 9
Views: 697

Re: Bridge Firewall Problem

"I would like to set it as a special firewall." Special? In order for the mikrotik router to work stably and the traffic flow to be correct, we use "default" firewall rules as a basis for everything. This is a kind of standard. You can supplement this default standard with your own rules, records...
by johnson73
Sat Mar 09, 2024 11:26 am
Forum: General
Topic: L2TP broken after router swap
Replies: 2
Views: 306

Re: L2TP broken after router swap

If you use Interface list , it will be easier to navigate and there will be a correct traffic flow. You have a slightly incorrect order of firewall rules. Good practice says that it is best to use the "drop=all" method. This means that at the end of the Input chain and forward chain, the l...
by johnson73
Thu Mar 07, 2024 9:39 pm
Forum: Announcements
Topic: v7.14.3 [stable] is released!
Replies: 614
Views: 153755

Re: v7.14 [stable] is released!

Router RB962UiGS-5HacT2HnT, Version 7.14 - problems with the 5Ghz wifi module! I changed different channels, including auto mode, wifi jerks, connects to the Internet very slowly, traffic drops every little while. Everything is ok with 2.4Ghz. Default settings for the router. It was restarted 2 time...
by johnson73
Wed Mar 06, 2024 8:53 pm
Forum: General
Topic: Access Mikrotik router without wifi and ethernet [SOLVED]
Replies: 3
Views: 548

Re: Access Mikrotik router without wifi and ethernet [SOLVED]

You will be able to access it physically, through an ethernet cable. If your computer does not have an ethernet port, you will need to find a cable transition from the port that is available for your computer to RJ45 to insert the cable. Of course, there is also an option via the Internet.
by johnson73
Sun Mar 03, 2024 10:00 am
Forum: General
Topic: How to reorder firewall rules?
Replies: 2
Views: 253

Re: How to reorder firewall rules?

We only use Winbox and everything will be fine. You can't even touch WebFig. There is no need to compare anything.
Configure all firewall rules based on the default firewall. Remember that the rules are enforced from top to bottom. First the "input" chain, then the "forward" chain.
by johnson73
Fri Mar 01, 2024 6:49 pm
Forum: General
Topic: CCR1009 All interfaces go down at the same time
Replies: 1
Views: 256

Re: CCR1009 All interfaces go down at the same time

What version of ROS do you have?
by johnson73
Fri Mar 01, 2024 6:44 pm
Forum: General
Topic: PING between network not working anymore
Replies: 2
Views: 266

Re: PING between network not working anymore

It is impossible to answer your questions because - 1) inaccurate information 2) it is not clear what configuration we are using. The basis for everything is default rules or some other configuration. 3) your description in general is one big mix 4) what does the circuit diagram look like (drawing o...
by johnson73
Wed Feb 28, 2024 9:11 am
Forum: General
Topic: Firewall doesn't work
Replies: 5
Views: 487

Re: Firewall doesn't work

Yes, there is a mix. Wrong... There is also a bit wrong in the NAT section. First there must be a "masquerade" rule and then the others, which are responsible for some kind of port forward to a certain address, for example. We place Masquerade rules only if, for example, an ipsec tunnel is...
by johnson73
Tue Feb 27, 2024 11:03 am
Forum: General
Topic: Firewall doesn't work
Replies: 5
Views: 487

Re: Firewall doesn't work

If you use this CCR and you get the Internet from another mikrotik, which belongs to the ISP, then it would be advisable to delete all the mix that is there. There is a mega mix, no sequence, security, etc. We safely use default rules as the basis for everything. If everything is configured correctl...
by johnson73
Mon Feb 26, 2024 8:15 pm
Forum: General
Topic: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"
Replies: 18
Views: 1138

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Speaking of the Mikrotik manual... Yes, it is good that there is a lot of information available, examples are available, etc., but that is not enough. The very basis for creating only the firewall section, for example, is described on the link help.mikrotik.com.. but this description is also not eno...
by johnson73
Mon Feb 26, 2024 10:09 am
Forum: General
Topic: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"
Replies: 18
Views: 1138

Re: What happened to anav and "The DEFACTO DEFAULT FIREWALL Setup"

Lumpy: What exactly are you interested in? Maybe we can help?
by johnson73
Fri Feb 23, 2024 11:08 pm
Forum: General
Topic: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile) [SOLVED]
Replies: 9
Views: 977

Re: Firewall is dropping traffic on CCR1009-8G-1S-1S+ (tile) [SOLVED]

If your CCR does not work as a primary router with NAT, but as Bridge mode, then you do not need a firewall on it.
I don't really understand what is the point of the CCR router... Does it perform the functions of a switch?
by johnson73
Fri Feb 23, 2024 4:19 pm
Forum: General
Topic: Switching to new router and wanted to cleanup the firewall mess
Replies: 8
Views: 777

Re: Switching to new router and wanted to cleanup the firewall mess

oops, you're right
I don't know, but usually this rule is used when CapsMan is configured on the network. Isn't that so?
"accept to local loopback"
by johnson73
Fri Feb 23, 2024 3:51 pm
Forum: General
Topic: Switching to new router and wanted to cleanup the firewall mess
Replies: 8
Views: 777

Re: Switching to new router and wanted to cleanup the firewall mess

In theory, an IPsec vpn will be enough. It will be more correct this way and let's not forget about the Forward section :) /ip firewall address-list add address=192.168.88.0/24 list=Admin {Input Chain} /ip firewall filter add action=accept chain=input comment="defconf: accept established,relate...
by johnson73
Thu Feb 22, 2024 10:02 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3282

Re: RB4011 / hEX routers upgrade & VPN connections

Of course, mikrotik is not intended for serious dns protection. This is usually provided by your ISP provider. It is possible to prevent only minor flood attempts. But this will be offtopic.
by johnson73
Thu Feb 22, 2024 8:57 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3282

Re: RB4011 / hEX routers upgrade & VPN connections

The Input section is where the traffic comes in, and the Forward section is for the traffic that goes through the router. Try to divide so that the "Input" chain ends with input=drop all and Forward ends with forward=drop all. Then it will be correct. You are missing entries. You can also ...
by johnson73
Thu Feb 22, 2024 3:02 pm
Forum: General
Topic: RB4011 / hEX routers upgrade & VPN connections
Replies: 55
Views: 3282

Re: RB4011 / hEX routers upgrade & VPN connections

QuantumAalpha.. We always use the "default" rules as the basis for the firewall section. User Mesquite posted an example for you. Use it as the basis for everything. "Good practice" shows that we always start the Input chain with "accept established, related" and not wi...
by johnson73
Fri Feb 16, 2024 6:36 pm
Forum: General
Topic: ICMP
Replies: 2
Views: 265

Re: ICMP

Too little information to understand where the problem is. Absolutely nothing is described: what type of vpn it is, what the firewall rules are, etc..
by johnson73
Fri Feb 16, 2024 9:23 am
Forum: General
Topic: IPSec TCP traffic not working
Replies: 2
Views: 523

Re: IPSec TCP traffic not working

Traffic freeze can also be due to incorrect operation of traffic flow. There have been many such cases. Firewall rule policy is executed from top to bottom and the order of entries also matters. We use "default" firewall rules as the basis for everything. Try to fix the firewall section an...
by johnson73
Sun Feb 11, 2024 11:08 am
Forum: General
Topic: wireguard only working locally
Replies: 4
Views: 682

Re: wireguard only working locally

Hello,
This topic might help you... viewtopic.php?t=198625
Maybe something from the firewall configuration itself is also useful. Everything is nicely described there
by johnson73
Thu Feb 01, 2024 10:41 am
Forum: General
Topic: VPN doesn't connect on WAN, connects on LAN
Replies: 5
Views: 529

Re: VPN doesn't connect on WAN, connects on LAN

First check if ports 500, 4500 and 1701 are open. Maybe they are really blocked by the ISP.
https://www.youtube.com/watch?v=A6MpmV2J1ME
by johnson73
Tue Jan 30, 2024 12:59 pm
Forum: General
Topic: VPN doesn't connect on WAN, connects on LAN
Replies: 5
Views: 529

Re: VPN doesn't connect on WAN, connects on LAN

You need to fix the sequence of firewall rules because it is not really correct. Also, the final firewall rules are not correct. The rules are enforced from top to bottom. First Input, only then forward, not all in one mixed batch. https://www.google.com/imgres?imgurl=https%3A%2F%2Fpacketmasters.file...
by johnson73
Sat Jan 27, 2024 11:16 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

And now you can't understand why you don't ping, etc.? It is impossible to answer this question because the firewall configuration is not visible, which I have already asked for several times. It ends up being a strange mess. Without seeing the firewall config, it is impossible to say anything more prec...
by johnson73
Sat Jan 27, 2024 9:48 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

Sorry, I forgot you have ROS 6.xx :(

If it's not a big secret, do you use default firewall rules or is there another configuration?
by johnson73
Sat Jan 27, 2024 9:40 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

Why complicated? I am not a developer of mikrotik routers :) If such an option does not work, then you should try to configure L2tp. The truth is not mega complicated, because we use the settings shown in my picture as a basic example. There is no copied option - how to turn on the L2tp server, but ...
by johnson73
Sat Jan 27, 2024 8:51 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

If you understand the Russian language.. This link could also help you - https://www.youtube.com/watch?v=6YQZHitv9hE
Of course, I can explain in more detail with pictures point by point, but it will take a lot of time.
by johnson73
Sat Jan 27, 2024 8:39 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

You haven't answered the question about firewall configuration :) Open Terminal and execute this command? /export hide-sensitive file=myconfig From the beginning you mentioned L2tp connection, but now you are talking about PPTP connection. What is really needed? From a security point of view, I woul...
by johnson73
Sat Jan 27, 2024 7:25 pm
Forum: General
Topic: L2TP: no suitable proposal found
Replies: 18
Views: 1396

Re: L2TP: no suitable proposal found

Does your firewall use default rules or is it configured differently? In the L2tp ipsec configuration, you must first check the "Input" chain to see if the necessary 500, 1701, 4500 ports are open. Then we look at Vpn-pool, profiles, secrets, proposals and the rest. If you have a wrong firewall conf...
by johnson73
Fri Jan 26, 2024 6:29 pm
Forum: General
Topic: Can not do factory reset on my HEX.
Replies: 2
Views: 312

Re: Can not do factory reset on my HEX.

Wrong order...
1) Unplug the device from power;
2) Press and hold the button right after applying power;
Note: hold the button until LED will start flashing;
3) Release the button to clear configuration;
https://help.mikrotik.com/docs/display/ROS/Reset+Button
by johnson73
Sun Jan 21, 2024 10:34 am
Forum: General
Topic: Problem with bridge vlan
Replies: 5
Views: 723

Re: Problem with bridge vlan

I see that you have a complete mess in the "Firewall filter" section. You can safely discard the redundant rules. For example - "drop ssh brute force" you can block the RAW chain because it will be more correct and it will cause less load. /ip firewall raw add action=drop chain=p...
by johnson73
Sat Jan 20, 2024 6:06 pm
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 1195

Re: Bridge filter rules

Thank you very much for the answer!
by johnson73
Sat Jan 20, 2024 5:07 pm
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 1195

Re: Bridge filter rules

Anav friend, sorry, I don't really understand you. I asked the author of the topic why he wants to block this 67-68 port, etc. You mean blocking these ports in RAW chain? For example, I do not block these ports additionally. I don't know why the author came up with that. This is in no way related to...
by johnson73
Sat Jan 20, 2024 11:04 am
Forum: General
Topic: Bridge filter rules
Replies: 12
Views: 1195

Re: Bridge filter rules

What kind of traffic do you want to delete/block? Specifically 67-68 port? It can also be locked in the RAW section. It is not necessary to use Bridge-filter. Are you using default firewall settings?
by johnson73
Wed Jan 17, 2024 7:34 pm
Forum: General
Topic: Router configuration recommendations
Replies: 3
Views: 634

Re: Router configuration recommendations

If mikrotik does not perform the firewall function, then these rules are not needed. I don't understand the use of mikrotik. In its place, you can put a switch if the primary firewall is Sonicwall and define the necessary Lan subnets etc. in it.
by johnson73
Wed Jan 17, 2024 11:13 am
Forum: General
Topic: Router configuration recommendations
Replies: 3
Views: 634

Re: Router configuration recommendations

The firewall section is not complete, which will affect not only traffic flow, but also security and everything else. There must be not only an "Input" chain, but also a "forward" chain. You can also use the default rules solution. https://router-os.github.io/Default-Filter-Rules...
by johnson73
Sun Jan 14, 2024 11:07 pm
Forum: General
Topic: Speed drops on LAN with HAP ac2 [SOLVED]
Replies: 5
Views: 848

Re: Speed drops on LAN with HAP ac2 [SOLVED]

Of course, there will be variations in copying speed, because hAp ac2 is not one of the most powerful devices. Copying files through the router is a bit wrong. It usually doesn't. We use a switch in the internal network and all traffic load is passed through it. Try it for a test and you will see th...
by johnson73
Sat Jan 13, 2024 10:24 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 975

Re: Firewall-dynamic firewall rules

One example is how the "bad IP address" is dynamically placed in the black-list when port scanning is performed...
There are many such examples on the Internet. https://buananetpbun.github.io/mikrotik ... anner.html
by johnson73
Sat Jan 13, 2024 7:45 pm
Forum: General
Topic: Firewall-dynamic firewall rules
Replies: 9
Views: 975

Re: Firewall-dynamic firewall rules

Do not compare Mikrotik with Zyxel, it is not correct. In a router, firewall rules have their own order and it is important. The rules are enforced from top to bottom and nothing else. You are wrong! Rules are usually not started with "Jump" but with /Input=allow-established,related.... Anav beau...
by johnson73
Fri Jan 12, 2024 6:35 pm
Forum: General
Topic: Forum broken?
Replies: 31
Views: 2554

Re: Forum broken?

When you open the forum page, it looks like this...
It doesn't matter which internet browser you open it with
by johnson73
Fri Jan 12, 2024 3:10 pm
Forum: General
Topic: Loss of speed
Replies: 10
Views: 1196

Re: Loss of speed

What configuration do you have in the firewall section? It is not visible in your post..
/ip/firewall/filter/export
by johnson73
Mon Jan 08, 2024 11:00 am
Forum: General
Topic: Access LAN through WG+L2TP tunnel
Replies: 6
Views: 1352

Re: Access LAN through WG+L2TP tunnel

The order of firewall rules matters. The rules are enforced from top to bottom. On the MT1 router side, in the firewall Forward section, the last rule should be - add action=drop chain=forward comment="defconf: drop all from WAN not DSTNATed" \ connection-nat-state=!dstnat connection-state...
by johnson73
Thu Jan 04, 2024 7:17 pm
Forum: Announcements
Topic: v7.13.5 [stable] is released!
Replies: 909
Views: 267091

Re: v7.13 [stable] is released!

CCR1009 update to 7.13 (default rules) 1) Additional options appeared in the general section - Wifi and Wireless :) This router model does not have wifi at all. 2) creating the most ordinary rule to access winbox from the outside world (input chain, dst port 8291, tcp..wan) - no access! Error- incor...
by johnson73
Fri Dec 29, 2023 6:50 pm
Forum: General
Topic: Firewall
Replies: 3
Views: 664

Re: Firewall

Why? Probably because there is a problem in the configuration. Is the last rule of your Input chain "Input drop=all"? And the last rule of the forward chain? Forward drop=all?
by johnson73
Tue Dec 19, 2023 11:37 am
Forum: General
Topic: wireguard problem
Replies: 15
Views: 2097

Re: wireguard problem

Forward chain is a bit out of order. Missing records. In general, everything could look like this - /ip firewall filter add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="drop...
by johnson73
Sat Dec 16, 2023 11:35 am
Forum: General
Topic: Pppt With 2 Mikrotik
Replies: 2
Views: 936

Re: Pppt With 2 Mikrotik

by johnson73
Thu Dec 14, 2023 5:02 pm
Forum: General
Topic: Possible hardware issue/loop CCR1009-7G-1C-1S+
Replies: 2
Views: 1124

Re: Possible hardware issue/loop CCR1009-7G-1C-1S+

I will share information from my experience. Maybe something from everything described will help you. I have had similar situations and facilities have also had mikrotik equipment. The most common errors were: 1) created too many public NAT connections to video cameras that did not have enough secur...
by johnson73
Wed Dec 13, 2023 7:54 pm
Forum: General
Topic: Slow upload speed only with RB5009
Replies: 8
Views: 3060

Re: Slow upload speed only with RB5009

As a test option, you can try disabling the ipv6 firewall (disable ipv6). Leave only ipv4. Look what happens then..
Question: is the routerboard firmware also updated? System-routerboard-> Is Current firmware the same as Upgrade firmware?
by johnson73
Wed Dec 13, 2023 10:51 am
Forum: General
Topic: Slow upload speed only with RB5009
Replies: 8
Views: 3060

Re: Slow upload speed only with RB5009

Hello, In your firewall configuration, the last 3 rules in the ipv4 section should be moved above - add action=drop chain=forward comment=\ "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \ connection-state=new in-interface-list=WAN For proper firewall operation, the...
by johnson73
Thu Nov 30, 2023 7:36 pm
Forum: General
Topic: Unable to connect Local LAN devices from VPN without default -GW
Replies: 2
Views: 973

Re: Unable to connect Local LAN devices from VPN without default -GW

Thanks for the reply! "That leads us to know that if the far end network works at all it either has a different gateway or a different IP range. Either way obviously you won't be able to connect to devices in that network unless you told windows when it connects to use the remote gateway." If I...
by johnson73
Thu Nov 30, 2023 2:35 pm
Forum: General
Topic: Unable to connect Local LAN devices from VPN without default -GW
Replies: 2
Views: 973

Unable to connect Local LAN devices from VPN without default -GW

Hello, Perhaps someone has a good idea why it is not possible connect to local LAN devices with mikrotik ipsec+L2tp if I remove the option "Use default gateway" on a Windows computer? If this option is used, you can connect and everything works. Maybe I specified something wrong? Standard ...
by johnson73
Sun Nov 26, 2023 11:45 am
Forum: General
Topic: Some problems in mikrotik 7
Replies: 6
Views: 1383

Re: Some problems in mikrotik 7

It is not possible to say anything more precisely until there is information about your configuration and connection
by johnson73
Sat Nov 25, 2023 11:26 pm
Forum: General
Topic: firewall and ports
Replies: 6
Views: 1062

Re: firewall and ports

If you work remotely then you should be very careful because you can accidentally disconnect the connection and everything else. I would recommend first for yourself - put together everything you need, for example in notepad. So that it is correct, start the firewall with Input etc. (as was describe...
by johnson73
Sat Nov 25, 2023 9:45 pm
Forum: General
Topic: firewall and ports
Replies: 6
Views: 1062

Re: firewall and ports

I asked you before, Why does the same interface have different IPs? Try to nicely separate the rules - ''Input'' chain those rules that refer to the input section. "Input" section - all incoming traffic. "Forward" section - traffic passing through the router. If you need to open ...
by johnson73
Sat Nov 25, 2023 11:02 am
Forum: General
Topic: firewall and ports
Replies: 6
Views: 1062

Re: firewall and ports

Hello, Why does the same interface have different IPs? /ip address add address=192.168.88.1/24 comment="default configuration" disabled=yes \ interface=ether2 network=192.168.88.0 add address=192.168.1.1/24 interface=ether2 network=192.168.1.0 add address=10.10.10.1/24 interface=bridge_gue...
by johnson73
Fri Nov 24, 2023 2:26 pm
Forum: General
Topic: Problema VPN x Azure
Replies: 1
Views: 857

Re: Problema VPN x Azure

Please write in English. It is not necessary to restart Mikrotiks many times. If this happens, it means that the configuration is not correct. To say something more precisely, you need to see the configuration. Have a chance to see it? Can you make a config "export"? /export file=anynameyo...
by johnson73
Mon Nov 20, 2023 9:40 pm
Forum: General
Topic: Problem when trying to acess Shared Folder over L2TP IPsec VPN
Replies: 1
Views: 836

Re: Problem when trying to acess Shared Folder over L2TP IPsec VPN

Hello greccobruno, You have an incorrect firewall configuration. In order for the traffic to work correctly, the basis is always "default rules" and its plugins as needed. Firewall usually consists of 2 parts - Input (incoming traffic) and "Forward" (traffic passing through the r...
by johnson73
Thu Oct 26, 2023 4:52 pm
Forum: General
Topic: L2TP Client not connecting
Replies: 5
Views: 1045

Re: L2TP Client not connecting

Do you not have a firewall section for mikrotik at all? If you want to connect to the windows server located behind the mikrotik, then we create an L2tp ipsec connection. Good practice is to use "default rules" which we supplement with a rule for 500, 4500, 1701 ports. We do not write this rule...
by johnson73
Sat Oct 14, 2023 11:10 am
Forum: General
Topic: Isolate two bridges(subnets) firewall
Replies: 6
Views: 868

Re: Isolate two bridges(subnets) firewall

Only one Firewall filter entry is visible from your copied configuration. Why? Where are the other rules? To isolate access to two different Bridges, you must first use "default rules", where you will also create the necessary entries. I would recommend using the following method - /ip fire...
by johnson73
Fri Oct 13, 2023 8:47 pm
Forum: General
Topic: Mikrotik SUCKS
Replies: 82
Views: 13010

Re: Mikrotik SUCKS

all people are not the same, some are friendly, some are not so friendly. People are different... My experience in this forum is positive, because long-term forum specialists have provided not only the best solutions, but also very good real configuration examples. One such forum member is @Anav and...
by johnson73
Tue Oct 10, 2023 9:18 pm
Forum: General
Topic: Can't access DNS domain names from the router
Replies: 7
Views: 1012

Re: Can't access DNS domain names from the router

@comiconomenclaturist
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=udp
add action=accept chain=input comment="Allow DNS to local" dst-port=53 \
    in-interface-list=LAN protocol=tcp
by johnson73
Thu Sep 21, 2023 11:27 am
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

Larsa, thank you very much for your help. The final problem, however, was in the irons. I changed the router.
by johnson73
Thu Sep 21, 2023 11:24 am
Forum: General
Topic: Is my fasttrack enabled or not?
Replies: 1
Views: 901

Re: Is my fasttrack enabled or not?

Hello Kartwall, I would recommend you to use the "default" firewall rule solution, because there the order of the rules is in the correct order. Policy rules are executed from "top to bottom". You are a bit wrong. If you want to find out more about configuration, you can read this...
by johnson73
Tue Sep 19, 2023 11:12 am
Forum: General
Topic: How connect to remote client with l2tp vpn
Replies: 1
Views: 536

Re: How connect to remote client with l2tp vpn

Not seeing your firewall configuration, I would recommend always checking the vpn settings and the interface used for connection, check whether "arp=proxy-arp" is present.
https://jcutrer.com/howto/networking/mi ... leshooting
by johnson73
Tue Sep 12, 2023 3:57 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

I have the usual Windows built-in client.
Ok, I will try to test with ipsec without l2tp
by johnson73
Tue Sep 12, 2023 2:27 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

yes, one FG is this office gateway. And there are around 100 computers in the office and I'm the only one - I make a "dial in" to my home resource from my PC. Nothing more. It's easier to explain to you :) I also tried the test - I connected to my colleague's Mikrotik Rb4011 via L2tp from ...
by johnson73
Tue Sep 12, 2023 1:23 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

Everything is very simple. I have one PC that is in the office and from which I make a "dial-up" to my home mikrotik. No schematics, no pc2, pc3, etc. There are many computers in the office, but it is only about one computer of mine. As I wrote earlier, there are only "default rules&...
by johnson73
Tue Sep 12, 2023 11:23 am
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

You misunderstood me. The configuration can't be wrong because a persistent vpn tunnel is not used. The office router does not need to be configured in this case. I don't need to build an independent P2P tunnel mode Fortigate<-> mikrotik. I "dial in" from the office via l2tp ipsec at home M...
by johnson73
Tue Sep 12, 2023 8:53 am
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

As I already wrote at the beginning of the post, this is not a permanent tunnel mode P2P. It's a road warrior. I log out of Office at home to use home resources, data exchange, etc. In this case, it does not matter which router is located in the office. If, for example, I try to connect Home-> Offic...
by johnson73
Mon Sep 11, 2023 10:13 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

Re: CCR1009 slow ipsec on 7.xx vers.

On the office side, there is a Fortigate firewall. ccr1009 is used at home. Everything was fine until I upgraded to version 7.xx
The problem is with the speed of sending from office to home.
by johnson73
Mon Sep 11, 2023 9:36 pm
Forum: General
Topic: CCR1009 slow ipsec on 7.xx vers.
Replies: 13
Views: 1921

CCR1009 slow ipsec on 7.xx vers.

Hi everyone, I have a problem with ipSec +l2tp vpn speed, mikrotik CCR1009(vers. 7.11, road warrior connection). After upgrading to version 7.x, iPsec L2tp remained slow. There were no such problems with the 6.x versions. In the office, the connection is 1gb/s, but at home 600Mbps. L2tp ipsec data tr...
by johnson73
Sun Sep 10, 2023 11:40 am
Forum: General
Topic: IPSec slow
Replies: 3
Views: 1515

Re: IPSec slow

I have a similar problem with the mikrotik CCR1009(vers. 7.11, road warrior connection). When switching to the 7.x version, iPsec L2tp remained slow. There were no such problems with the 6.x versions. In the office, the connection is 1gb/s, but at home 600Mbps. L2tp ipsec data transfer speed is not ...
by johnson73
Fri Aug 18, 2023 9:13 am
Forum: General
Topic: Router connection lost
Replies: 5
Views: 1316

Re: Router connection lost

@Adolfossl
You have an incorrectly built firewall. There is no correct beginning or end
Firewall rules in mikrotik must be built according to the following principle, as can be seen in the description - viewtopic.php?t=180838
by johnson73
Thu Jul 13, 2023 11:11 am
Forum: General
Topic: L2TP/ipsec
Replies: 1
Views: 320

Re: L2TP/ipsec

HI!
I hope the information from the Wiki will be useful - https://wiki.mikrotik.com/wiki/Manual:Interface/L2TP
And as another example, L2TP with encryption- https://ibb.co/pbT64kp
by johnson73
Fri Jun 16, 2023 6:21 pm
Forum: Announcements
Topic: v7.10, 7.10.1 and more [stable] are released!
Replies: 366
Views: 130796

Re: v7.10 [stable] is released!

After upgrade to 7.10 this device is ok.
RB4011
CCR1009
by johnson73
Thu Apr 13, 2023 10:19 pm
Forum: General
Topic: Upgrade from hap ac to 4011 - lost 3ms [SOLVED]
Replies: 8
Views: 1303

Re: Upgrade from hap ac to 4011 - lost 3ms [SOLVED]

The configuration shows that your firewall filter is incorrectly configured. As a recommendation, use the default firewall rules at first and then supplement them with the configuration you need. If you configure according to this tutorial, you will also have proper traffic flow and security. https:...
by johnson73
Mon Apr 03, 2023 11:49 am
Forum: General
Topic: iOs 16 constantly dropping from hotspot
Replies: 17
Views: 5573

Re: iOs 16 constantly dropping from hotspot

I am using mikrotik wifi with iOs16.4 version. No problem, everything works fine even with previous versions. I don't use "Capman" mode, APs are connected to "bridge" mode.
Maybe the fault is in your configuration?
by johnson73
Tue Mar 21, 2023 10:06 pm
Forum: General
Topic: Firewall Drop DNS Local
Replies: 2
Views: 597

Re: Firewall Drop DNS Local

this configuration will work correctly. You can use it safely. /ip firewall filter add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked add action=drop chain=input comment="defconf: drop invalid" conn...
by johnson73
Sun Mar 19, 2023 8:50 pm
Forum: General
Topic: IPsec tunnel with Fortigate 60F Bandwith [SOLVED]
Replies: 5
Views: 804

Re: IPsec tunnel with Fortigate 60F Bandwith [SOLVED]

hmmm...fortigate bug? Probably...
Thanks for the information!
by johnson73
Sun Mar 19, 2023 7:07 pm
Forum: General
Topic: IPsec tunnel with Fortigate 60F Bandwith [SOLVED]
Replies: 5
Views: 804

Re: IPsec tunnel with Fortigate 60F Bandwith [SOLVED]

It looks like Mikrotik hardware acceleration is not working. Usually the speed is 27-29Mbit/s if the HW acc is not working. Or for models that do not have this HW acc.
by johnson73
Mon Mar 06, 2023 7:15 pm
Forum: General
Topic: Unstable L2TP
Replies: 10
Views: 1384

Re: Unstable L2TP

Are internet matches stable? Is the L2tp configuration on your mikrotik router something like this?
download/file.php?id=48815
by johnson73
Sat Jan 07, 2023 9:26 pm
Forum: General
Topic: Optimized firewall rules thought experiment
Replies: 9
Views: 1177

Re: Optimized firewall rules thought experiment

@Anav Can you please explain why it is not possible to access LAN internal resources using L2TP vpn connection if your method is used - Input Chain=drop All Forward chain=drop All If I specify In Interface= Wan in both chains, then everything is okay, you can access internal resources, everything pin...
by johnson73
Mon Nov 07, 2022 3:48 pm
Forum: General
Topic: Weird ping output, lost i-net connection
Replies: 7
Views: 541

Re: Weird ping output, lost i-net connection

it takes a little time, you need to study in more detail
by johnson73
Mon Nov 07, 2022 3:21 pm
Forum: General
Topic: Weird ping output, lost i-net connection
Replies: 7
Views: 541

Re: Weird ping output, lost i-net connection

You should fix the firewall section. There is no correct driving sequence, which accordingly affects the entire traffic operation. Always start with '' add action=accept chain=input comment="defconf: accept established,related,untracked".... "Input" section - this is the section ...
by johnson73
Mon Nov 07, 2022 2:54 pm
Forum: General
Topic: Weird ping output, lost i-net connection
Replies: 7
Views: 541

Re: Weird ping output, lost i-net connection

can you post the configuration?
/export hide-sensitive
by johnson73
Mon Nov 07, 2022 2:22 pm
Forum: General
Topic: Weird ping output, lost i-net connection
Replies: 7
Views: 541

Re: Weird ping output, lost i-net connection

What does the internet provider say? Is there any ISP modem being used? Is there a way to restart it?
by johnson73
Fri Oct 28, 2022 7:57 pm
Forum: General
Topic: I hawe a VNC RDP Dream
Replies: 10
Views: 1285

Re: I hawe a VNC RDP Dream

You want to start Mikrotik something like Fortigate web access, just to access the Wan interface? I have never seen such an interface on a mikrotik. I use Fortigate at work and have multiple branch connections available. If I need to access the Mikrotik interface, I connect to it through Winbox, wher...
by johnson73
Wed Oct 26, 2022 4:45 pm
Forum: General
Topic: Firewall Rules - Efficient or not?
Replies: 7
Views: 1098

Re: Firewall Rules - Efficient or not?

You do not need to specify the 53 dns port at fasttrack. It won't be right. Fasttrack has only one rule that comes before the "forward" section. Optimize your firewall rules according to the following https://forum.mikrotik.com/viewtopic.php?t=180838 /ip firewall filter {Input Chain} add ...
by johnson73
Thu Oct 20, 2022 3:07 pm
Forum: Announcements
Topic: v7.6 [stable] is released!
Replies: 279
Views: 143309

Re: v7.6 [stable] is released!

Updated hAP AC3 from 7.5 to 7.6. So far there are no problems.
by johnson73
Tue Oct 04, 2022 2:51 pm
Forum: General
Topic: CCR2004-16G-2S+PC - No IPsec hardware acceleration?
Replies: 4
Views: 1563

Re: CCR2004-16G-2S+PC - No IPsec hardware acceleration?

All CCR models have a hardware accelerator. 5 vpn tunnel without problems.
https://mikrotik.com/product/ccr2004_16 ... estresults
by johnson73
Wed Sep 21, 2022 4:12 pm
Forum: General
Topic: No traffic on WAN interface after upgrade to 7.5 [SOLVED]
Replies: 9
Views: 1979

Re: No traffic on WAN interface after upgrade to 7.5 [SOLVED]

After fixing your firewall filter, this should be more correct.. For proper firewall operation, it is recommended to use the method described here - https://forum.mikrotik.com/viewtopic.php?t=180838 /ip firewall filter add action=accept chain=input comment=\ "defconf: accept established,related...
by johnson73
Tue Sep 06, 2022 6:49 pm
Forum: Announcements
Topic: v7.5 [stable] is released!
Replies: 219
Views: 69818

Re: v7.5 [stable] is released!

after upgrade from v6.49.6 to v7.5 on CCR1009 without problems. I wonder why the new Ros v7 consumes so much more memory? For example, on the CCR1009 router with v.6.49.6, the ram consumption was around 740MiB at medium load With version v7.5 ram already shows 670 MiB. What if I put this version on ...
by johnson73
Fri Jul 29, 2022 1:43 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 55988

Re: v7.4 [stable] is released!

maybe someone has tested version 7.4 on a device hAP_AC2? Works well? https://mikrotik.com/product/hap_ac2
by johnson73
Sun Jul 24, 2022 2:01 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 55988

Re: v7.4 [stable] is released!

Oh yes! Thank you very much for the answer!
by johnson73
Sun Jul 24, 2022 1:55 pm
Forum: Announcements
Topic: v7.4 [stable] is released!
Replies: 224
Views: 55988

Re: v7.4 [stable] is released!

update RB4011 ver. 6.49.6 to 7.4 without problems.
how to manage the ``Route-list-Rules'' section in the future? Rules must be executed only through Firewall filter?
by johnson73
Fri Jul 22, 2022 8:06 pm
Forum: General
Topic: icmp in mikrotik
Replies: 22
Views: 6024

Re: icmp in mikrotik

the situation was quite simple. This is home Lan-s. No servers, no hosting. I rarely use a P2P (torrent client) to download information that interests me. Everything. Then the problems started. Some time ago, I had a dynamic IP from the provider, and then there were no problems, because the IP chang...
by johnson73
Fri Jul 22, 2022 4:08 pm
Forum: General
Topic: icmp in mikrotik
Replies: 22
Views: 6024

Re: icmp in mikrotik

No, I don't host servers. Recently, there have been a lot of icmp, udp floods coming directly from Russian IP addresses. It's not a nice situation, but when I enable icmp-All, my Internet connection really slows down because the channel is overloaded at the time of attacks. It's not all the time, bu...
by johnson73
Fri Jul 22, 2022 9:51 am
Forum: General
Topic: icmp in mikrotik
Replies: 22
Views: 6024

Re: icmp in mikrotik

I can say from experience that if I allow all incoming ICMP, icmp flood happens quite regularly to my IP. I started using the following method.. That could be right? Drop only incoming icmp Wan traffic, but allow all LAN icmp. For now, this option seems to help. Maybe have any other suggestions? Tha...
by johnson73
Wed Jun 01, 2022 1:10 pm
Forum: General
Topic: IPSec established but no ping [SOLVED]
Replies: 36
Views: 5724

Re: IPSec established but no ping [SOLVED]

I have had a similar case where iPsec worked very unstable between devices. Until the mikrotik router changed the firewall to the default (of course, adding its own required rules) there was no stable operation. That's why I always use mikrotik in the router as a basis for "default rules",...
by johnson73
Wed Jun 01, 2022 11:05 am
Forum: General
Topic: IPSec established but no ping [SOLVED]
Replies: 36
Views: 5724

Re: IPSec established but no ping [SOLVED]

I recommend that you use the default firewall rules for the traffic to work properly. The two rules that are visible in your configuration are not enough. Or use this suggestion - forum.mikrotik.com/viewtopic.php?t=180838 /ip firewall filter add action=accept chain=input comment="defconf: acc...
by johnson73
Tue Apr 26, 2022 3:03 pm
Forum: General
Topic: Router unstable with fasttrack on
Replies: 17
Views: 4890

Re: Router unstable with fasttrack on

I recommend that you use the @Anav firewall configuration method. https://forum.mikrotik.com/viewtopic.php?t=180838 Your firewall configuration is not really correct. And - fasttrack never puts a firewall in the beginning! The sequence of firewall rules greatly affects the overall performance of the...
by johnson73
Sun Apr 03, 2022 3:13 pm
Forum: General
Topic: Ping my public ip
Replies: 17
Views: 1505

Re: Ping my public ip

Is it right to use such a method? add action=jump chain=input comment=icmp in-interface-list=WAN jump-target=icmp \ protocol=icmp add action=accept chain=icmp comment="ICMP echo reply" icmp-options=0:0 \ in-interface-list=WAN protocol=icmp add action=accept chain=icmp comment="ICMP ne...
by johnson73
Thu Mar 10, 2022 4:25 pm
Forum: General
Topic: Fasstrack and rules
Replies: 13
Views: 1344

Re: Fasstrack and rules

Andoniar78, Looking at your firewall shows that the rules are not in the correct order. Mikrotik firewall policy is executed from top-> down. Usually "Fasttrack" is not the first. First is "Input, established, related .. "", which ends with "Drop-All". Only then fo...
by johnson73
Mon Feb 28, 2022 9:32 pm
Forum: General
Topic: Are mikrotic routers next generation firewalls?
Replies: 22
Views: 6806

Re: Are mikrotic routers next generation firewalls?

I'm not sure, so I asked. I read something like this in other forums, so the question arose.
by johnson73
Mon Feb 28, 2022 8:24 pm
Forum: General
Topic: Are mikrotic routers next generation firewalls?
Replies: 22
Views: 6806

Re: Are mikrotic routers next generation firewalls?

If we compare Mikrotik with Ubiquiti Unifi, then Unifi, for example, uses "Policy based firewall", which is easier to configure and possibly even more secure. It could be?
by johnson73
Sun Jan 16, 2022 10:59 pm
Forum: General
Topic: winbox neighbor discovery not working on aruba ap
Replies: 5
Views: 1579

Re: winbox neighbor discovery not working on aruba ap

Anav,
Why? Aruba instant wifi models are bad?
by johnson73
Mon Jan 10, 2022 5:56 pm
Forum: General
Topic: Securing your router
Replies: 66
Views: 7611

Re: Securing your router

Good luck with the pile of crap you have...... troubleshooting that will be a nightmare...... Is there a problem with my configurations? Yes. There are too many rules in your configuration that are not really needed. Recommend you to use Anav config example. I use it myself and everything works ver...
by johnson73
Fri Dec 31, 2021 12:31 pm
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

As practice shows, there is no need to create special rules for winbox
((###Winbox add action=drop chain= ....). Just connect to your router using a VPN (for example: l2tp). It will be safer.
by johnson73
Wed Dec 22, 2021 8:12 pm
Forum: Announcements
Topic: v7.1.1 is released!
Replies: 443
Views: 226066

Re: v7.1.1 is released!

Upgrade 7.1.1 vers. wAP Ac (architecture mipsbe). There are still problems with Upload speed. This is critically low. There was no such problem with version 6.49.2!
by johnson73
Thu Dec 09, 2021 9:11 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 785
Views: 227257

Re: v7.1 is released!

WildRat,
Thank you very much !!!! I managed to downgrade. Now everything is working normally again as it should be.
by johnson73
Thu Dec 09, 2021 8:26 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 785
Views: 227257

Re: v7.1 is released!

Update your wAP ac to version 7.1. I apply version 7.1 (stable), but the router shows (testing). It is not clear why .. The download is the same as it was but there are problems with the upload. It had to be around 350Mbit whatever it was before the upgrade! Downgrade is not possible. I am very disa...
by johnson73
Thu Dec 09, 2021 2:30 pm
Forum: Announcements
Topic: v7.1 is released!
Replies: 785
Views: 227257

Re: v7.1 is released!

kalamaja,
look below ....
by johnson73
Sun Dec 05, 2021 4:50 pm
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33776

Re: Block Ping request

thank you very much for your reply. Got it!
by johnson73
Sun Dec 05, 2021 3:18 pm
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33776

Re: Block Ping request

Sindy,
Okay, I will apply scan protection. But the question remains what should I do with ICMP rule?? Leave as = accept All? Delete? Block echo request only? What is more correct? Maybe this icmp can block the Raw chain?
I'm sorry I don't understand a bit.
by johnson73
Sun Dec 05, 2021 10:39 am
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33776

Re: Block Ping request

between the router and the internet. Flood packets are coming from the Internet (Wan). OK, I'll try the @Jotne version. /ip firewall raw add action=drop chain=prerouting comment="Drop user that has tried ports that are not open and has been added to block list" in-interface=ether1 src-addr...
by johnson73
Sun Dec 05, 2021 10:16 am
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33776

Re: Block Ping request

Kevinds, Yes, there is a ping flood on my device at least twice a week, which puts a lot of strain on the channel. So I wanted to ask which example would be the best. Is this? /ip firewall filter add chain=input protocol=icmp action=jump jump-target=icmp add chain=icmp protocol=icmp icmp-options=0:0...
by johnson73
Sat Dec 04, 2021 11:13 pm
Forum: General
Topic: Block Ping request
Replies: 44
Views: 33776

Re: Block Ping request

Hello, In order not to create a new topic I want to ask how to properly block ICMP ping? There are many examples that block all icmp. Experts say this is not right. How is it right? as follows? /ip firewall filter add action=accept chain=input comment="Access Normal Ping" in-interface-list...
by johnson73
Mon Sep 27, 2021 3:26 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Anav, everything is fine :) I mentioned earlier that I use an L2tp ipsec connection. This is a passive connection. I don't use tunnel mode. You have a lot of questions that I will not be able to answer at all :) Insert screen from vpn configuration. It will be easier. You may also find the following...
by johnson73
Mon Sep 27, 2021 9:18 am
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Sorry I dont get this comment -'' No, it is not an external IP but an internal network address.'' -Sorry, I mixed something here myself :) . ''''My concern is HOW TO associate only the faux VPN address access to the router without such a wide open rule (input from everywhere).'''' - in my case the V...
by johnson73
Sun Sep 26, 2021 7:33 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

That source address is on the ROUTER somewhere and is the LANIP of the tunnel exit/entry behind into the LAN side of the router (just make sure its not an external public IP)!! - No, it is not an external IP but an internal network address. (2) What do you mean you cannot ping the VPN. Where are you...
by johnson73
Sun Sep 26, 2021 5:06 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Yee! Everything is finally working well! There were no such rules, so there was also a vpn connect problem. '' '' PLUS add action = accept chain = input comment = 'allow remote config' src-address = IP of TUNNEL '' '' Thank you very much! :D p.s. '' You say - (5) There is no need for ICMP command in...
by johnson73
Sun Sep 26, 2021 9:45 am
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

I create Firewall rules at your suggestion. L2tp ipsec stopped working. You can connect to the router but no longer have access to the internal LAN and also the winbox. Creating "Input" chain rule access from LAN 8291, etc. Unable to connect. Left back -add action = drop chain = input comm...
by johnson73
Sat Sep 25, 2021 10:03 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

1) Okay, I'll remove it. I don't want to delimit it, but to specify a specific interface for it to work properly 2) ok, corrective 3) I watched the MUM webinar and there was a mention of that fact. That is why I stated exactly this. I watched the MUM webinar and there was a mention of that fact. Tha...
by johnson73
Sat Sep 25, 2021 4:55 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Anav, At your suggestion, I create the following rules. Everything works fine, but there is a question - I want to use the rule for protection that I found in the @Jotne topic. /ip firewall filter add action=accept chain=input comment="Allow Established,Related" \ connection-state=establis...
by johnson73
Thu Sep 23, 2021 4:00 pm
Forum: General
Topic: Outbound DDOS firewall rules
Replies: 3
Views: 1133

Re: Outbound DDOS firewall rules

Following the recommendations of the forum members, I use the following method. It works well /ip firewall filter add action=jump chain=forward comment="Ddos protect" connection-state=new \ jump-target=block-ddos add action=return chain=block-ddos dst-limit=32,42,src-and-dst-addresses/10s ...
by johnson73
Thu Sep 16, 2021 7:39 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Greenfun2, Say please or by connecting to the router via L2tp are you going to Winbox config? I have almost the same configuration just no UPnP. I create an Input rule to 8291 = allow from trust address and then it works for me. Anav, Do you use = Output = rules? Doesn't an ordinary home user need it?
by johnson73
Thu Sep 16, 2021 10:05 am
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Anav, Notes: ''''1. Missing fastrack rule 2. Why are you letting icmp here? Not required and its too wide open anyway from anywhere?? 3. Why are you allowing local to internet traffic as you are not stopping that traffic by any rule so you dont need to make one to allow it ??? Besides the rule is so...
by johnson73
Wed Sep 15, 2021 9:47 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

# on top of forward chain I do not see these default rules add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy" add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy" Everything works without the...
by johnson73
Wed Sep 15, 2021 9:41 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

L2TP.....
# those rules are for WAN or LAN?
this applies to the WAN
by johnson73
Wed Sep 15, 2021 9:26 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Anav, This configuration has been for me for many years no problem. You explained very much and well, but would you please not say what is wrong with my case? /ip firewall address-list add address=192.168.X.X/24 list=Allowed-IP /ip firewall filter add action=accept chain=input comment=\ "defcon...
by johnson73
Wed Sep 15, 2021 8:50 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Yes, I agree. The default config does not specify permit dns from Wan, but the author had set it in his configuration. He asked if the configuration will be correct without errors etc. Maybe he needs it? Maybe he typed it in by mistake? I personally blocked dns port 53 in the Raw chain section Than...
by johnson73
Wed Sep 15, 2021 8:13 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

ok if you need to allow dns 53 from everywhere, you can leave input chain = Allow dns.
Only after a while the author will have a question - why my router is so busy and there are problems with speed :)
by johnson73
Wed Sep 15, 2021 6:36 pm
Forum: General
Topic: Audit my input firewall
Replies: 54
Views: 5022

Re: Audit my input firewall

Everything is based on the default firewall rules. Complete them with the rules you need. Leaving dns port 53 open is not a "good practice"! It is better to close it. https://forum.mikrotik.com/viewtopic.php?t=92793 The order of the firewall rules is also important because the rules are ex...
by johnson73
Mon Sep 06, 2021 2:56 pm
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

okay, thanks for the answers.
by johnson73
Mon Sep 06, 2021 2:50 pm
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

Are you saying that this example is wrong? I'm sorry, I don't understand anything.
https://help.mikrotik.com/docs/pages/vi ... d=28606504
by johnson73
Mon Sep 06, 2021 2:35 pm
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

like this? No time limits? Or otherwise? /ip firewall filter add action=jump chain=input comment="Dos protect" connection-state=new \ jump-target=detect-ddos add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s add action=return chain=detect-ddos src-address=192.16...
by johnson73
Mon Sep 06, 2021 11:49 am
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

If you use Mikrotik yourself and if there is no secret, what solution for Dos do you use? Rules, etc.
by johnson73
Mon Sep 06, 2021 11:40 am
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

Yes, there has been no serious will attack. To be honest, the mikrotik will not be the device that will be able to provide good protection against Ddos. It requires a different brand and a different level of hardware. If there is no secret, what solution do you use?
by johnson73
Mon Sep 06, 2021 11:25 am
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

The external IP address of the attacker is blocked. The log file shows which external IP address is attacking your external IP address. The CPU is not overloaded. Such a solution is put on a small hAP lite with 32 MB. No problem. You can of course also drop everything. That method is also okay.
by johnson73
Mon Sep 06, 2021 10:52 am
Forum: General
Topic: Firewall Check
Replies: 22
Views: 3521

Re: Firewall Check

For example, I have been using such rules for many years. Everything works very well; you just have to look at the sequence of firewall rules where you copy them. They must not be the first. In the order from the top, first comes Input: allow established, related, then drop invalid connections and so on. An e...
by johnson73
Sat Jul 31, 2021 5:50 pm
Forum: General
Topic: Flood Protect UDP/TCP and SYN
Replies: 8
Views: 5990

Re: Flood Protect UDP/TCP and SYN

Sorry for the mistake.
by johnson73
Mon Jul 05, 2021 7:28 pm
Forum: General
Topic: HAP AC3 Slow
Replies: 9
Views: 1260

Re: HAP AC3 Slow

Do you really need to use the IPv6 protocol?
Try disabling IPv6 and leaving only IPv4, with your existing default rules. Or will the situation be the same? Testing ...
by johnson73
Sun Jun 13, 2021 5:01 pm
Forum: General
Topic: mikrotik used as a spoof ddns
Replies: 5
Views: 1133

Re: mikrotik used as a spoof ddns

Such cases are quite common when an internet provider sends emails stating that your IP is open as a DNS resolver. Without seeing your firewall configuration, let's say you use the default config. Close access to DNS port 53 from the outside. It is best to use the Raw chain so as not to overload the CPU....
by johnson73
Wed Jun 09, 2021 2:22 pm
Forum: General
Topic: /ip firewall filter drop not dropping IP
Replies: 19
Views: 2517

Re: /ip firewall filter drop not dropping IP

Do you use the default rules? Is there a different configuration? You can use this method in the "Input" section.
https://wiki.mikrotik.com/wiki/Brutefor ... prevention
And it would be advisable to turn off all unused services.
by johnson73
Mon Jun 07, 2021 10:51 pm
Forum: General
Topic: Help with L2TP connection - Can't see other LAN devices
Replies: 19
Views: 5513

Re: Help with L2TP connection - Can't see other LAN devices

If you want, you don't have to change anything for yourself, but I would recommend looking at the diagram where it is very clearly shown how incoming packets are filtered. Section "Packet flow chains": https://wiki.mikrotik.com/wiki/Manual:Packet_Flow The first will be "prerouting"...
by johnson73
Sun Jun 06, 2021 11:28 am
Forum: General
Topic: Help with L2TP connection - Can't see other LAN devices
Replies: 19
Views: 5513

Re: Help with L2TP connection - Can't see other LAN devices

Axotic, in a firewall filter, policies are executed in top-down order. You start with "input" and do not "drop" first. I will copy the working filter rules that include both L2TP and PPTP. The last filter rule is always Forward drop-all, not "accept". To access in...
by johnson73
Wed Jun 02, 2021 9:44 am
Forum: General
Topic: Internet connection dropped after applied filter rule
Replies: 2
Views: 587

Re: Internet connection dropped after applied filter rule

Kevintkv, if your network does not have specific requirements, then the configuration that appears on this site will suffice for you.
https://www.manitonetworks.com/mikrotik ... wall-rules
by johnson73
Sun May 30, 2021 4:51 pm
Forum: General
Topic: DDoS Attack blocking my Own users - How to fix Users [SOLVED]
Replies: 4
Views: 1135

Re: DDoS Attack blocking my Own users - How to fix Users [SOLVED]

If you use the default rules, copy these policies before the last "drop input" rule:
add action=jump chain=input comment="Dos protect" connection-state=new \
    jump-target=detect-ddos
add action=return chain=detect-ddos dst-limit=32,42,src-and-dst-addresses/10s
add action=return cha...
by johnson73
Mon May 24, 2021 9:02 pm
Forum: General
Topic: under attack Ddos
Replies: 2
Views: 575

Re: under attack Ddos

by johnson73
Tue Apr 13, 2021 8:55 pm
Forum: Announcements
Topic: v6.48.2 [stable] is released!
Replies: 141
Views: 62776

Re: v6.48.2 [stable] is released!

I finished my wAP 5Hac T2Hnd from version 6.48 to 6.48.2. No problems have been observed yet.
by johnson73
Thu Jan 28, 2021 9:02 pm
Forum: General
Topic: Router internal access rule
Replies: 8
Views: 1781

Re: Router internal access rule

I have no problem with the other firewall rules. My main question was: to access the router from the internal network subnet, is it necessary to specify the interface? I realized that yes.
Thank you so much for the answers!
by johnson73
Thu Jan 28, 2021 5:01 pm
Forum: General
Topic: Router internal access rule
Replies: 8
Views: 1781

Re: Router internal access rule

The wiki link does not specify incoming LAN or WAN. You say it needs to be stated ... I don't quite understand ..
by johnson73
Thu Jan 28, 2021 1:26 pm
Forum: General
Topic: Router internal access rule
Replies: 8
Views: 1781

Re: Router internal access rule

Thanks WeWiNet! Then can I safely use the version with source address (list) + input interface (list)?
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=!WAN \
    src-address=192.168.88.0/24
by johnson73
Thu Jan 28, 2021 9:23 am
Forum: General
Topic: Router internal access rule
Replies: 8
Views: 1781

Router internal access rule

Hello specialists! Which of the rules will work better? The first option specifies an in-interface-list (all except WAN):
add action=accept chain=input comment="Allow access to router from known network" in-interface-list=!WAN \
    src-address=192.168.88.0/24
In the second, only subnets and...
by johnson73
Wed Jan 06, 2021 1:54 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 2493

Re: Output chain question

Thank you very much for the explanations!
by johnson73
Wed Jan 06, 2021 1:05 pm
Forum: General
Topic: Output chain question
Replies: 9
Views: 2493

Re: Output chain question

Then can I just remove them from the common list?
by johnson73
Wed Jan 06, 2021 11:52 am
Forum: General
Topic: Output chain question
Replies: 9
Views: 2493

Output chain question

Rules are used in the Input, Forward and Output chains. The Input and Forward chains are used everywhere, but very rarely does anyone use an "Output" chain. Is a firewall enough if I use the Input and Forward chains? If we look at the MikroTik wiki - wiki.mikrotik.com/wiki/Manual:Packet_Flow, we see...
by johnson73
Sat Jul 25, 2020 11:02 am
Forum: Announcements
Topic: v6.47.1 [stable] is released!
Replies: 146
Views: 95733

Re: v6.47.1 [stable] is released!

Updated RB962, wAP ac and RB2011 without issues.
by johnson73
Sun May 17, 2020 10:41 am
Forum: General
Topic: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH
Replies: 18
Views: 16199

Re: IPSEC VPN ESTABLISHED BUT UNABLE TO PASS TRAFFIC THROUGH

If you use ipsec and need to access local resources, then set the Proxy-arp option for the Bridge interface.
/interface bridge
add arp=proxy-arp name=bridge1
by johnson73
Tue Feb 18, 2020 7:26 pm
Forum: General
Topic: ipsec error [SOLVED]
Replies: 4
Views: 5737

Re: ipsec error [SOLVED]

https://forum.mikrotik.com/viewtopic.php?f=2&t=157092&p=773766&hilit=blocked+external+ip#
You can use my firewall example to solve your problem. If you really need PPTP, put the extra rules behind L2TP. I would advise you to use L2TP. You can block addresses using the IP > Firewall > Raw chain. /ip ...
by johnson73
Thu Feb 13, 2020 10:37 am
Forum: RouterBOARD hardware
Topic: RB4011iGS red light problem?
Replies: 3
Views: 5238

Re: RB4011iGS red light problem?

Solved the problem. Someone might find the information useful.
I had 6.43 firmware on this router. When changing the option in the System > LED section, nothing changed. I installed the latest version 6.46.3 and only then did everything work correctly in the System > LED section.
by johnson73
Thu Feb 13, 2020 9:53 am
Forum: RouterBOARD hardware
Topic: RB4011iGS red light problem?
Replies: 3
Views: 5238

Re: RB4011iGS red light problem?

Is it normal? Is it like this for all these models?
by johnson73
Thu Feb 13, 2020 9:45 am
Forum: RouterBOARD hardware
Topic: RB4011iGS red light problem?
Replies: 3
Views: 5238

RB4011iGS red light problem?

Hello!
The RB4011iGS+5HacQ2HnD-IN started to glow red at the bottom. What could it be? I can't find any info on such a miracle. Everything is working, the board is not overheating, the processor is not overloaded. What could it be related to?
Thank you!
by johnson73
Sat Feb 08, 2020 8:53 pm
Forum: General
Topic: why walk on packet l2tp connection when not connected?
Replies: 0
Views: 1512

why walk on packet l2tp connection when not connected?

Hello! Please tell me, is it correct that the router's L2TP rule shows packet movement all the time? If you don't have an L2TP connection, it shouldn't, should it? Is the rule in the wrong order in the configuration? Maybe something extra is needed? My configs below ... Thank you. /ip firewall filter add acti...
by johnson73
Fri Feb 07, 2020 9:43 am
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

Thanks for the help mkx!
by johnson73
Thu Feb 06, 2020 9:36 pm
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

My firewall ... I'm no expert. Default rules with additions. The question is simple: do you need to use a "Bogon" chain in the Input section or not? Does anyone use this at all?
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked"...
by johnson73
Thu Feb 06, 2020 3:57 pm
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

Please tell me: maybe I can add the 'BOGON address' list in the 'raw' section as well? https://wiki.mikrotik.com/wiki/BOGON_Address_List
Isn't it more efficient than using the 'input' section? What is your experience?
by johnson73
Thu Feb 06, 2020 11:05 am
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

# #Make sure you move it above any rules that allow IPSEC traffic, otherwise it wont do anything. This will move it to rule 1 in your firewall list (or use winbox to drag it up the list)##

You were right. After this action, the 'raw' policy started to work.
Thank you very much aoakeley!
by johnson73
Wed Feb 05, 2020 11:34 am
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

Yes, these connection attempts take place regularly every night! In my case L2TP/IPsec is used. Special logging is not turned on, but red notifications are displayed. This IP address has been displayed for a very long time on some 30 MikroTik machines that use IPsec VPN. If tunnel mode is used and ex...
by johnson73
Wed Feb 05, 2020 10:30 am
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Re: Blocked external IP

At first I had an entry in Input, but that didn't help. Red log messages appeared unchanged. If the rule works correctly, does the log section still show these red messages or not?
by johnson73
Wed Feb 05, 2020 10:20 am
Forum: General
Topic: Blocked external IP
Replies: 14
Views: 3467

Blocked external IP

Hello! What is a good way to block a specific external IP address? I did the following, but it does not work because access attempts are repeated every night!
/ip firewall raw
add action=drop chain=prerouting in-interface=ether1 src-address-list=Block-address
(in the address list this IP: 216.218.206.0/24) T...