Community discussions

Search found 21 matches

by thecrowbar
Wed Jan 30, 2013 5:37 pm
Forum: Beginner Basics
Topic: Hairpin NAT Problem RB493G
Replies: 2
Views: 1953

Hairpin NAT Problem RB493G

Hi all, I am having some trouble getting hairpin NAT working. I have an RB493. ether2 has been renamed as WAN. ether3-9 are part of a bridge that is named LAN. LAN has IP address 192.168.175.1/24. I have a host (192.168.175.100) that has MySQL on port 3306. Internet connection is a static IP assigned...
by thecrowbar
Mon May 04, 2009 3:45 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I have made more progress. One end of the tunnel (SmoothWall) is on a public static IP that has forward and reverse DNS set correctly. The RouterOS end is on a DSL connection with an IP that changes frequently. I created a new certificate for the SmoothWall that used its public IP as the ID and CN. ...
by thecrowbar
Mon May 04, 2009 12:03 am
Forum: General
Topic: IPSec Mikrotik/Cisco with rsa-signature
Replies: 5
Views: 5037

Re: IPSec Mikrotik/Cisco with rsa-signature

I have an IPSec VPN between a MikroTik and a SmoothWall (Linux-based) firewall using certificates. The SmoothWall is my certificate authority that signed both certs. I created one for the SmoothWall that used its public IP as the CommonName and the certificate ID. I also created another one for the m...
by thecrowbar
Fri May 01, 2009 8:14 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I now have an IPSec tunnel between a SmoothWall firewall and a RouterBOARD. The setup is not yet workable for me though. I created two new signed certificates. For each certificate I used the public IP. I then set up those two certificates in RouterOS and the SmoothWall. Once the setup was complete I...
by thecrowbar
Fri May 01, 2009 12:07 am
Forum: General
Topic: Port forwarding - dyn IP
Replies: 1
Views: 363

Re: Port forwarding - dyn IP

[admin@test] /ip firewall nat> add chain=dstnat action=dst-nat to-addresses=10.1.1.20 to-ports=80 protocol=tcp in-interface=ADSL dst-port=8080
Change the value of ADSL to match what you called your WAN interface.

Cheers!
by thecrowbar
Thu Apr 30, 2009 11:41 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I am still having some issues, but I think they may be firewall related. Here is the log from the SmoothWall end:
Apr 30 16:31:55 s_sys@smoothwall pluto[6191] conn242[2] 65.12.104.225 #5820: max number of retransmissions (2) reached STATE_MAIN_R2
Apr 30 16:31:55 s_sys@smoothwall pluto[6191] conn242[...
by thecrowbar
Thu Apr 30, 2009 3:05 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

After the upgrade to 3.23 things are looking up!
[admin@test] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
 0 QR name="cert1" subject=***,CN=mikrotik1 issuer=CN=SmoothWall,*** serial-number="1C" email=mikrotik1@example.com invalid-before=apr/29/2009 18:57:29...
by thecrowbar
Thu Apr 30, 2009 2:31 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I am running 3.22. I will troll the docs and see if there is a way to do a remote upgrade. If not, then it will be a day or two until I can get the upgrade done.

Thanks!
by thecrowbar
Wed Apr 29, 2009 10:12 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

This is the output from RouterOS when I try to import and decrypt my signed certificate and key. Maybe someone can see my problem.
[admin@test] /certificate> print
Flags: K - decrypted-private-key, Q - private-key, R - rsa, D - dsa
[admin@test] /certificate> import
passphrase: *********
certificates...
by thecrowbar
Wed Apr 29, 2009 9:55 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I think I have followed those steps except I used our company's CA from the SmoothWall firewall. Here are the exact steps I used:
1) Create a new signed certificate from the company's CA.
2) Export certificate and key as pkcs12 file
3) Use OpenSSL to convert pkcs12 to pem format
4) Import pem file i...
by thecrowbar
Wed Apr 29, 2009 5:34 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I have been reading up on the OpenSSL and converting certificates between formats. I think the problem I am having is that I am unable to decrypt my private key for the RouterOS cert. I have my ca public key in file cacert.pem. This is imported into the router. I have the public cert of my firewall ...
by thecrowbar
Wed Apr 29, 2009 3:52 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I had to sort out a RouterOS scripting issue before continuing with the IPSec config. Due to the lack of information on running an IPSec VPN with RouterOS and X.509 certificates I decided to take a step back and see if I could get things set up with pre-shared keys. After changing my /ip ipsec peer c...
by thecrowbar
Tue Apr 28, 2009 5:35 pm
Forum: Scripting
Topic: noob scripter need help with first script
Replies: 5
Views: 1226

Re: noob scripter need help with first script

The schedule was working even though the script name was showing in red on the console. Many thanks to SurferTim for helping me out.
by thecrowbar
Tue Apr 28, 2009 4:57 pm
Forum: Scripting
Topic: noob scripter need help with first script
Replies: 5
Views: 1226

Re: noob scripter need help with first script

I've got a basic script working. I updated the email on ADSL IP change script to work with RouterOS 3.22. I am now working on setting a schedule. The scheduler does not appear to be documented so if you have any pointers I would appreciate it.

Thanks!
by thecrowbar
Mon Apr 27, 2009 11:59 pm
Forum: Scripting
Topic: noob scripter need help with first script
Replies: 5
Views: 1226

Re: noob scripter need help with first script

That works! Apparently the get command does not echo its output. If I do

:put [/system clock get time]

The time is displayed on the console, but it does not work without the :put.

Anyway, that should get me started.

Thanks!
by thecrowbar
Mon Apr 27, 2009 9:43 pm
Forum: Scripting
Topic: noob scripter need help with first script
Replies: 5
Views: 1226

noob scripter need help with first script

I am just starting to learn how to get around in the RouterOS and am trying to create my first script. I found a simple script on the wiki and tried to do some simple things using examples from it. The problem is none of my get commands return any data. i.e. [admin@test] > /system package get router...
by thecrowbar
Mon Apr 27, 2009 4:43 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I need more help getting my IPSec going. From my SmoothWall I can see the connection start, but it never completes.
Apr 27 09:28:05 s_sys@smoothwall pluto[5756] added connection description conn242
Apr 27 09:28:23 s_sys@smoothwall pluto[5756] conn242[1] xxx.xxx.xxx.5 #430291: responding to Main Mode...
by thecrowbar
Fri Apr 24, 2009 2:46 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

Re: IPSec config with certificates

I did not mention it, but I do have a proposal and a policy. I will check into the NAT rules. From searching the forums some comments would imply that the IPSec layer operates before routing. I took this to mean that it operates before NAT as well. I will check out the link and see if I can figure i...
by thecrowbar
Thu Apr 23, 2009 11:33 pm
Forum: General
Topic: [Solved] IPSec config with certificates
Replies: 18
Views: 14395

[Solved] IPSec config with certificates

I would like to set up an RB493 with IPSec tunnels using certificates rather than shared keys. One end of the tunnel will be a SmoothWall firewall (Linux-based) that I have configured several different vendors' IPSec products to connect to. All of the other tunnels are using pre-shared keys. So far thi...
by thecrowbar
Thu Mar 19, 2009 2:14 pm
Forum: General
Topic: Update firewall/nat rules based on public IP
Replies: 2
Views: 577

Re: Update firewall/nat rules based on public IP

Thanks. I tried that, but had some problems. I tried again this morning and everything worked. This is the rule I added:
add chain=dstnat action=dst-nat in-interface=WAN protocol=tcp dst-port=3306 to-address=192.168.105.100
This is what my NAT rules look like now:
Flags: X - disabled, I - invalid, D...
by thecrowbar
Wed Mar 18, 2009 9:41 pm
Forum: General
Topic: Update firewall/nat rules based on public IP
Replies: 2
Views: 577

Update firewall/nat rules based on public IP

I have an RB493 and am trying to set it up to replace my old firewall/router. I am only using ether2-9. ether2 has been named WAN and is where my public IP will come from. Right now, for testing, it is set as a static IP. ether3-9 are connected to the bridge and I gave a private 192.168.x.x IP to the...