MikroTik

alphalt

Thanks for checking! By saying it work, do you mean that you also have this issue as me, when after changing rule back to original, it does not work anymore? For me it is like this: 1. add only dst-address-type=local rules works, counters are counting 2. add also src-address-type=local rules stops c...

alphalt

Ah yes, that is a very good point. With random source addresses list will overfill super fast as that pace and router should crash pretty fast. But it is something for sure to be tested! That is home router, so I do not really expect anybody to do DDoS on LAN. I was just thinking if my ISP will be h...

alphalt

Yes, I was using exactly same rules, but this one /ip firewall filter add action=return chain=detect-ddos dst-limit=32,32,src-and-dst-addresses/10s I was using with connection-state=new . Maybe that was not the best idea of doing so, but I didn't want all packets to bypass return rule. Now I'm think...

alphalt

Sorry, that was not very smart question from my side.

I figured it out what I did wrong. Packets did not get lost

I was SYNC flooding on LAN interface, not WAN, so all IPs from outside network were just rejected when it came to routing decision. All clear, case closed

Regards,

alphalt

Hi all, Today I just wanted to test how TCP SYN flooding protection works on my setup. So I ran this command from my PC to router: hping3 -c 15000 -d 120 -S -w 64 -p 80 --flood --rand-source 192.168.1.1 As you can see load is very heavy on to the router, but on a small fraction of SYN packets are ca...

alphalt

Hi all, I'm doing some tests with my home router installation and it seems that I can't get dst-address-type=local match to work. I just add first rule in input chain like this: chain=input action=passthrough protocol=icmp dst-address-type=local src-address-list=local-addr log=n> log-prefix="&q...

alphalt

Thanks for the answer. What about address lists? They can be very big ~50 000 if you use full bogons list. Then, if we add config needed and all packages of RouterOS, then I suppose not much left?

alphalt

Hi, I have read some of them, but mostly there was just complaint that it is too small. Not really info about limitation regarding firewall rules, address lists, etc. My question was if I might face any limitations for that. I'm not talking about installing Metarouter, second partition, backup confi...

alphalt

Hi all, I have a question regarding new boards with 16MB flash storage. I'm particularly interested in RBM33G. I was wondering if 16MB of flash storage will be enough? All RouterOS packages weights ~9.3 MB, then on top of that you have firewall rules, address lists (they can be quite big if using fu...

alphalt

Hi,
Ok, now it gives meaning. You can drop packets based on some properties just before you accept them, for example if you want to allow SSH traffic.Thanks, it answers my question.

alphalt

Hi, Thanks for reply. I think my question was not very clear. I will try to explain with the example from Mikrotik Wiki. Here is an example firewall script I found in the wiki: /ip firewall filter add chain=forward comment="Accept established and related packets" connection-state=establish...

alphalt

Hi all, My question might look like super beginner one, but I was always wondering about it. If I search through Mikrotik Wiki, I can find a lot of very nice firewall rule examples, where you can detect port scanning, brute force and so on. All these rules are based on detecting certain activity, fi...

alphalt

Hi,
Yes, I know that CPU is not most powerful, but it is capable of providing correct speed when I use my computer connected to router on Eth port. WAN connection and my computer connections are Gbit. The problem is on WiFi, it does not seem to provide enough speed from Eth1 port.

alphalt

Hi, Thanks for your reply. Yes, I use two antennas on R52n, but they are standard small "pigtails". Also I have enabled both chains. Once again, I have over 100 Mbps with the same card and same antennas when using BTest. So I suppose hardware is capable of passing through at high speed. On...

alphalt

Hi again,

I still haven't found any solution to this issue. Could somebody please tell me if information in my original post was no very clear. I would really like to have at least some ideas of where to search for a problem. So far nothing helps.

alphalt

Hi all, Recently I've faced quite strange problem with wireless speed on my R52n card. I use 433AH routerboard running 6.38.5 version of RouterOS. My hardware setup is as following: [ISP provided Zyxel ADSL router LAN] --> [Mikrotik LAN] --> WiFi clients The problem is as following: 1. If I connect ...

alphalt

Hi,

Maybe very old request, but... Metarouter support on microSD card.

alphalt

Hi, Read this http://www.frozentux.net/iptables-tutorial/iptables-tutorial.html#TRAVERSINGOFTABLES Remember that ESTABLISHED packets bypass SNAT and DNAT chains. From chapter 7: All connection tracking is handled in the PREROUTING chain, except locally generated packets which are handled in the OUTP...

alphalt

Ok, I've found an answer. Funny thing is that answer was in iptables manual

alphalt

At last I took clean router os machine, set NTP time server there and made some tests with packet logging on every possible chain without using any bridges. Situation is the same. Packets do not traverse snat chain if I query NTP server from local computer. Same situation is with ping packets to the...

alphalt

After some more test I see that packet traverse like this (I've used action 'log', no packet marking): Mangle Out (bridge interface) -> Filter Out (bridge interface) -> Mangle Postrouting (bridge interface) -> Bridge Out (eth3) -> Bridge Snat (eth3) This is completely different of what you can see i...

alphalt

Hi,

Thanks for replying. No. I've created this rule just for testing, so its the only one rule for packet mark. I'm experiencing same issue even if mangle/postrouting rule action is just passthrough.

alphalt

Hello to all, Recently I had an application that I needed to source NAT time server packets in order to solve 'server-ip-missmatch' issue, but found that thos epackets do not traverse through SRC-NAT chain. I've investigated a little bit and found that packets are traversing through mangle/postrouti...

alphalt

Ok, thanks for the info.

alphalt

Hi, I've tried to search for solution, but didn't find that much. I have Mikrotik as SSTP server and Windows 7 computer as client. It's impossible to make SSTP VPN tunnel with Windows 7 machine if option 'verify client certificate' is turned on on Mikrotik's server. So is there any solution for this...

alphalt

Hi,

Thanks for sharing you experience ! You use quite different approach for the problem, but I think it's also ok. I'm also thinking about Metarouter with OpenWRT on it with running snort. Then I could direct all traffic to the Metarouter, but I'm little bit afraid of performance issues.

alphalt

Hi all, Currently I'm searching for the best way to integrate IPS system on Mikrotik by not using any other hardware. I've searched forums and found that most people are using Snort. Today I've found very interesting site http://cipherdyne.org/fwsnort/. The main idea is to translate Snort rules to i...

alphalt

Hi, Please people help me somehow. I really have no idea on what it will happen to packet flow when Metarouter's interface is bound to physical host router's interface. I can't find much info in Wiki about that. Can someone just maybe add some red line on original packet flow diagram, how packet wil...

alphalt

ok, I've made some tests on this weekend and I have some questions still. Correct me if I'm wrong, but all packets destined to the host router will go to input chain despite that ether1 is bound to Metarouter. So as I understand I still need to redirect all packets to Metarouter if they are destined...

alphalt

Hi, Thank you vry much for the answer. Yes, nice idea ! I'm just wondering about packet flow... Anyway physically ether1 will be on ROS, so will packets enter INPUT chain ? I want to bypass somehow input chain and go directly to Metarouter and only the, after Metarouter I would like packets to pass ...

alphalt

Hi, I want to use Metarouter (OpenWRT image) on my routerboard, but I want to have some good ideas on how to do it. I want that all traffic comming from/to public on ether1 of my ROS firstly go to Metarouter and then reach ROS. Well I want to do it as it were two physical routers: WAN connected to O...

alphalt

/ip firewall mangle add chain=prerouting action=accept The same situation. Packet count 0. But I don't believe that they are not passing. Now I can't do that, but later I'll try to deny all traffic on prerouting and see if I still have connection through the Metarouter. By the way, I'm not using br...

alphalt

Ok, I've made few tests. Now it looks like it working just perfect except one thing. Which is really strange. Packet counters on Metarouter are increasing on DST-NAT and SRT-NAT with action passthrough, but counters for mangle PREROUTING and POSTROUTING with action passthrough are not incrasing. Thi...

alphalt

Yes, I understand that, and I could belive that packets are not reaching router at all, but I can see then with torch tool in the Metarouter itself. That's why I'm confused. If I see with torch that means (I hope) that packets should be processed further and at least they should reach mangle prerout...

alphalt

Hi,

I agree yes, but its not the case here, because 0 packets are going through this nat rule. Anyway problem is somewhere else. I will try today off course and let you know. I hope that you will help somehow to solve this issue.

alphalt

Guest router you mean Metarouter running on host ? If so, then I allready gave config here in the first post.

alphalt

There is no bridges on Metarouter side, only on host side, but I have no problems with packet flow on host. Well, what can you suggest for me to check ? I'm running out of ideas what can be wrong. The funniest thing is that packets are passing through metarouter and metarouter uses ip route table, b...

alphalt

It would be very nice if someone could reproduce this behaviour and help me on this. I'm really stuck. I can provide more info if needed.

alphalt

Hi, Thanks for replying. First of all, packets are going to Metarouter, because I can see that with torch on Metarouter, furthermore, it's a real config for internet, so I have internet connection if Metarouter is on and no internet if I turn off Metarouter. On my PC I use Metarouter's ether2 IP add...

alphalt

Very good, thanks for the info.

alphalt

Hi, When I create Metarouter and add dynamic interfaces I want to add IP address to vif1. I can do it with no problem, but when I reboot Metarouter assigned IP address shows that it is assigned to unknown interface even if after restart of Metarouter I have interface with the same name as before (vi...

alphalt

Hello, I'm making some experiments with Metarouter and trying to find solution which can suit my needs. So what I noticed is that zero packets are going through Metarouter's firewall filter, nat or prerouting any of the chains. That surprised me very much. So my host router config (ether1 is a publi...

alphalt

Hi,

Thanks for that !!!

alphalt

Hi all, I just noticed in the wiki http://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT that redirect definition says: redirect - replaces destination port of an IP packet to one specified by to-ports parameter But also it changes destination address to the one of the router's internal addresses as ...

alphalt

Ok, I just deleted whole openwrt folder and reinstalled everything from scratch. Now it's compiled and ok, but I have other problem. Just don't want to create new topic, so I'll try to ask here. So the problem is that I can create as much interfaces as I like in 'Metarouter' section in ROS, but when...

alphalt

Hi all, I'm trying to compile OpenWrt from snv as it is said in Mikrotik's Wiki, but I'm getting an error: patching file arch/mips/include/asm/fixmap.h Hunk #1 FAILED at 70. 1 out of 1 hunk FAILED -- rejects in file arch/mips/include/asm/fixmap.h patching file arch/mips/include/asm/io.h Hunk #1 succ...

alphalt

It seems I've found partial answer to my question. For sure there is no problems with ROS 5.11. I observed that my packets reaches LANbridge, but enters as "Bridge-INPUT" chain instead of "Bridge-FORWARD". Now I understand that everything is correct here, because later packet is ...

alphalt

Hello, I don't know if its correct forum and maybe my question will be silly, but please help me with that. So I have RB433AH and ports ether2 and ether3 are bridged in LANbridge . I've noticed very interesting thing: all packets going to outside (internet) from machine on ether2 goes to /ip firewal...

alphalt

End of the story. The problem was in enabling IP->uPNP. Now I can detect server and stream media, but one problem is still existing. I can detect DLNA server only in the moment when I start it. If I start server and only after I start the receiver the it is unable to detect server. In that case I ne...

alphalt

Ok, it's possible I'll go crazy. What I have: PIM is working, I can see state joined and everything seems to be ok, but I can't discover DLNA server from receiver. However, If I start another DLNA server on WiFi side and ONLY AFTER then I start DLNA server on LAN side then surprisingly I can discove...

alphalt

By the way, on DLNA server side I have configured route: "route add -net 239.0.0.0 netmask 255.0.0.0 eth0" and if I look at packet sniffer on MikroTik then I can see that DLNA server is sending packets to: 224.0.0.22 (igmp) and 239.255.255.250:1900 (udp) About WiFi. If DLNA server and rece...

alphalt

Hello,

At least I'm trying to use PIM. WiFi is installed into MikroTik router and this is Atheros 11N (R52N).

alphalt

Hello all, I'm going crazy trying to configure my router to route DLNA packets.... I've read manuals about multicasting and IGMPproxy, but still my system isn't working. My setup is: DLNA server <-----192.168.3.0/24 (LAN) -----> MikroTik <----- 172.16.3.0/20 (WiFi) -----> DLNA receiver Please give m...

alphalt

Thanks, you help to make a decission and maybe save money

alphalt

Hi all, I've found here some posts regarding IPTv on MikroTik and it seems that it is possible to set up it. So I don't like cables and I'm wondering if it will be possible configuration like that: ISP (also IPTv) ---> MikroTik AP ---wireless---> MikroTik Client --> TV I just like to know if it is t...

alphalt

Thank you all for advices ! I've got some very good ideas on IP address list management.

alphalt

Hello,

Thanks for advices, but one more question. How much addresses can hold one address list ? Is there any limit ?

alphalt

Thank you very much ! I think scripting would be the best choice for me.

alphalt

Hello,

Some of the firewall rules are based on WAN address which is dynamic. How to make firewall rule to read it and use current, because now I enter it manually and if it changes I should change all rules that uses it.

alphalt

Hello,

Lets say I have 500-1000 IP addresses of computers which I want to ban. This list is not generated dynamically. So how to enter it to router ? Is it possible to take it from file, make some list and use in firewall rules ?

alphalt

Agree... That's a lot. Its bad that I have already have one bad sector

I think I will go for Metarouter anyway and at the same time will wait for microSD support. Thanks for information !

alphalt

I see. Then I'll check what is better: Metarouter or new routerboard with OpenWRT installed on it. The most important think for me at this moment is snort installation. It would be nice to know how much approximate wites will be made per day to internal flash if I use Metarouter, but I think its too...

alphalt

The most important thing is that microSD support is on planing list.
Now I'll try to configure Metarouter on internal flash and start to use it. Hope it will be possible to mount microSD partition with Metarouter and install additional packages on it ?

alphalt

Hello, Thanks for answering ! I think RouterOS is full of features that any router need, but with OpenWRT we can have running linux machine so I was planning to install intrusion prevention system (snort) and also apache web server. I don't need for additional linux server running web server for exa...

alphalt

Hello, I've seen feature request for Metarouter image installations on microSD card, but I want to hear from developer if this feature is under plans or it will be never supported ? Its important to me because I have two options: wait for implementation of feature or buy another routerboard for full...

alphalt

Hello,

I was wrong. I have two different topics logging to micro-sd card and one topic just stops without any noticeable reason. I have no idea what's wrong....

alphalt

Then the only think left is to wait for ROS v5 and check again.

alphalt

Hello,

I set logging to 512 lines per file and at least until now I have no problems log to internal disk or micro sd card. So somehow I think that problem can be related to line count per file. But its not possible for me to confirm it.

alphalt

Hi,

Thanks for info. Hope to have response from creators. Anyway I inform here what is the success of lowering line count size of log.

alphalt

Somehow I think it is due to large line count per file. Yesterday I had the same problem logging to internal router's disk. I set logging and I can see messages in log viewer, but files is not created. Then I delete all logging topics whic log to disk then recrete them and logging starts, but I don'...

alphalt

Router OS v4.4 running on RB433AH

alphalt

Hello all, I've searched forums and wiki, but didn't find some useful info on my issue. The problem is that I configure logging to MMC card and as file name I enter micro-sd/logfile and set file count to 100. Everything seems ok and working, but when it should create next log file it just stops logg...

alphalt

Hello,

I'm sorry, but I haven't found any sollution. And somehow I think its the problem of dd-wrt. Maybe need to wait for newer releases of dd-wrt.

alphalt

Hello,

No, it wasn't possible, but I took the main idea of the script and changed it to meet my needs.

alphalt

Hello,

Thanks for replies. With sniffer help I got it and now everything seems clear and now configuration seems to be good.

alphalt

Ok, I'll try to explain situation more detail and maybe get any help then. The problem is that my WiFi and LAN are on separate networks and so when my SSH client is on WiFI and SSH server is on LAN side I get packets return with source address of router. My network configuration is as follows: LAN -...

alphalt

Hi, Thanks for sharing some experience here with us. I can post my configuration but I'm not using dd-wrt so it may not help you at all. Yes, I think so. I have a lot of different configurations from *working* systems, but still with no luck. I solved my problem by making DD-WRT as OpenVPN server an...

alphalt

Hi, Yes data and time are correct and I use NTP. If date and time is not correct error message is different. Anyway I gave up with this as for me its not possible to get even some debug information. Linksys resets connection and MikroTIK just say that auth algo is not supported. Thats just not too m...

alphalt

Hello, I have a very strange issue with SSH. My all computers at home runs linux and when I try to open SSH session from laptop's Gnome terminal to other computer, my SSH session just hang after successful login. Ok, I can blame linux here, but: 1. SSH works with PuTTY even through MikroTIK 2. SSH w...

alphalt

Thanks for reply. It is important no know. I'll use what you suggested.

alphalt

Hello,

I have configured logging to file on topic 'firewall'. I need to log SSH activity in firewall to separate file, but I can't use other topic than 'firewall'. Is it possible to do so ? I mean log all firewall activity to one file and SSH firewall activity to other file ?

alphalt

Hello again,

I have even changed Linksys router to newer model and installed the latest firmware with OpenVPN support. Problem is the same, the same error messages. From Windows is again everything ok. I'm totally lost.

alphalt

One thing that I noticed that is different between MT and other clients is how the route lines need to be worded. What do you mean about that ? I have no problems to connect to server from Windows PC. Problem is only from MT. I think route lines in not a problem here. My connection is constantly dr...

alphalt

Hi,

Adding debugging support gave me only one extra line which tells me the same that unknown auth alg. Not much help from this debug info....
Maybe MikroTik support team will also look at this topic and tell at least how to get more debugging information because now I get no clue what is going on.

alphalt

Hi, Are you logging ovpn at debug level like so: /system logging add action=memory disabled=no prefix="" topics=ovpn,debug I was using by default. Now I made like you propose. What does your DD-WRT OVPN config look like? Here it is: proto tcp-server port 1194 dev tun0 tls-server keepalive ...

alphalt

Hi, Thank you very much for your reply. Its very important for me to start this VPN connection, but now it seems that it is just not possible :( Ok, my password was longer than 7 symbols and I made it shorter - 4 symbols. Restarted MikroTik. Nothing helps. Firewall has rule for VPN and I can see cou...

alphalt

Hello all, I'm trying to setup MikroTik as OpenVPN client but with no success. I have done everything as in Wiki, but nothing works. My problems is the same as here http://forum.mikrotik.com/viewtopic.php?f=1&t=21087. No solutions so far. My server is DD-WRT on WRT350N router. Ok, you can tell m...

alphalt

Thank you for answers and good links !

alphalt

Hello, I'm wondering what can be the sequence of packets when using FTP client and RouterOS forward chain. For example its possible to let FTP packets go by making rule for destination port 21 and enabling FTP helper service. I'm interested in firewall rules when helper is disabled. Is it possible ?...

alphalt

Hello, I found very nice script here http://wiki.mikrotik.com/wiki/Bad-host-detection about detecting and dropping bad hosts. But this script drops everything if not in open-customers list. So what's the point of making some 24 hour lists if packets will be dropped anyway. Is there some mistakes in ...

alphalt

Hello, Now I'm configuring firewall on my RB433AH. I have found a lot of good topics and FAQ on it. But my question is: is it enough to make last rule in the firewall that just drops all incoming connections on WAN port ? For example, I make some accept rules first and the last rule blocks all other...

alphalt

Same here. Downgraded to 4.2. Support confirmed that bug exists in 4.3. We should wait for 4.4.

alphalt

Hi, I have RB433AH (not UAH), but in my case eth2 and eth3 is not working with v4.1. It was no problems with v4.0 RC1. I have found that this problem has something to do with switch option. I can see that both eth2 and eth3 are used in switch, but I have no chances to change something in switch - I ...

alphalt

It is never get to 255, the Default value is 254 (all)...,

You're wrong. See attachment.

alphalt

Hi,

Re-creating bridge won't help. After re-creation of bridge all ports refused to respond except Eth2. Then I just deleted ARP table in my PC and everything started to work fine.

alphalt

Hi all, I have set Eth2, Eth3, Eth4 and Eth5 in bridge mode and set bridge IP address to 128.16.0.254 (I use RB450G). So I connect my computer to either of ports and I can ping 128.16.0.254 without any problems. But if I connect PC to Eth5 I'm unable to ping 128.16.0.254 until I connect anything to ...

alphalt

Ok, I made it work if someone is interested. There was my error. In IPSec policy configuration there are protocol=254 and it must be 255.

alphalt

Thanks for reply. Now it seems everything ok with the config, but tunnel isn't running. I don't know why. Coonection shceme is following: PC(192.168.1.20)<---->RB(192.168.1.254)<--->Public(78.x.x.1)....Public(78.x.x.2)<--->RB(192.168.2.254)<--->PC(192.168.2.20) There is my config: ROUTER A Firewall ...

alphalt

Ok, as I understand I'll never get answer to such kind of question. I'll try to be more specific and not just as "nothing works, please help !". So, I think IPSec policy and peer settings are ok. I'm worried about firewall. NAT rules mentioned in configuration is ok also I think, but I mis...

alphalt

Hello, Recently I have bought RB450G and I have problem. I create IPSec tunnel and its just don't work. I've searched forums and nothing helps. Absolutely nothing. Some of support request isn't answered here. I ask you some help please. My situation is simple. Two RB450G which need to be configured ...

Search found 100 matches