Community discussions

Search found 97 matches

by sjoram
Sun Feb 24, 2019 11:38 am
Forum: General
Topic: PPPoE client issue
Replies: 0
Views: 262

PPPoE client issue

Having an issue with PPPoE Client (for ISP WAN connection) trying to replace a RB750 with a hEX unit. Using a Draytek Vigor 120 v2 as PPPoA to PPPoE bridge. Working RB750 is on 6.42.6; hEX was on 6.43.8 but I'm planning to update to 6.43.12 before trying again. PPPoE client config: /interface pppoe-cli...
by sjoram
Tue Feb 12, 2019 10:27 am
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 22140

Re: Blacklist Filter (Development Topic)

Hi Dave, Very sorry to hear of the challenges that life has thrown at you of late. I sincerely wish you and your family all the very best. Thank you for your work on this, you know yourself how much demand your servers have seen, so I am sure this is benefiting and making life easier for a lot of pe...
by sjoram
Sun Jan 27, 2019 2:42 pm
Forum: Scripting
Topic: Blacklist Filter (Development Topic)
Replies: 191
Views: 22140

Re: Blacklist Filter (Development Topic)

I found your Patreon. I looked at the different 'tiers' - $10 currently works out about £7.50 a month...I'd be more than happy to support your work. However, I do have a couple of questions (others with knowledge of your project may also have views) - sorry if this is not the best place to ask, but ...
by sjoram
Sun Jan 27, 2019 12:56 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1009

Re: Best practice hardening/NAT rules

Thanks all - I spent about 6 hours in Winbox yesterday re-crafting my config from the existing RB750 onto the RB750Gr3. I have a new found appreciation for the ability to backup/export a configuration, though as mentioned I was never going to do that here! As an aside, in my professional life (ROS i...
by sjoram
Sun Jan 27, 2019 12:44 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 321

Re: Default fasttrack rule

Here are some of the rules that I think the default IPSec accept may cause problems with:
IPSec Policy:
add dst-address=10.5.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address=10.0.0.0/16 \
    tunnel=yes
add dst-address=10.6.0.0/16 sa-dst-address=x.x.x.x sa-src-address=x.x.x.x src-address...
by sjoram
Sun Jan 27, 2019 12:34 pm
Forum: General
Topic: Default fasttrack rule
Replies: 2
Views: 321

Default fasttrack rule

I have just re-built the configuration for one of my ROS devices (replacing a RB750 with RB750Gr3) and as such I was working from the "new" default configuration. I have not previously used the fasttrack functionality, but I read that by its nature, it bypasses certain things that may cause other pa...
by sjoram
Sun Jan 27, 2019 12:21 pm
Forum: General
Topic: defconf: drop all not coming from LAN really needed?
Replies: 12
Views: 3945

Re: defconf: drop all not coming from LAN really needed?

I actually don't quite understand the need for this rule. Isn't it best hinged on WAN? ...the main reason this was not done is that many RouterOS novices who configure PPPoE (very commonly needed as a method to connect to the Internet, accomplished by adding a new PPPoE client interface) are comple...
by sjoram
Fri Jan 18, 2019 6:24 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1009

Re: Best practice hardening/NAT rules

I have come across that one, thanks. I don't think the 3MB RAM I have left will cope with that right now, but will look to try it once I've upgraded!
by sjoram
Fri Jan 18, 2019 4:45 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1009

Re: Best practice hardening/NAT rules

I've started looking to use address lists, both to permit legitimate traffic and block some rogues. The latter is proving a challenge on the 32MB RAM in RB750 (I've had to reduce the timeout to reduce the list size), another reason for hardware upgrade! Edit: Port knocking - why didn't I do that bef...
by sjoram
Fri Jan 18, 2019 3:23 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1009

Re: Best practice hardening/NAT rules

Thanks guys. I think my problems stem from having moved over to RouterOS several years ago when: a) I still had a lot to learn about networking and firewalls/routing specifically. (Still do, but it's a lot better now!) b) I think earlier versions of ROS on which my config was built didn't have so ma...
by sjoram
Fri Jan 18, 2019 2:03 pm
Forum: General
Topic: Best practice hardening/NAT rules
Replies: 10
Views: 1009

Best practice hardening/NAT rules

Hi all, I currently have a RB750 and RB750GL at two different locations, which have been in place for a couple of years. These have a PPP client connection to the ISP on the WAN side. I have found over the past year or so a number of issues as a result of my misconfiguration of the devices and had s...
by sjoram
Thu Nov 29, 2018 12:39 pm
Forum: Scripting
Topic: Update interface address, DHCP server configuration in bulk
Replies: 1
Views: 282

Update interface address, DHCP server configuration in bulk

I have a RB750 that we occasionally use to pre-build a LAN environment simulating certain functions of the WAN router. I have no experience of scripting in RouterOS but would like to find a way of entering a new list of subnets which would then automatically update the following: 7 x VLAN interface ...
by sjoram
Wed Jul 25, 2018 10:12 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

I believe mine may have been this: http://www.networkinghowtos.com/howto/mikrotik-routeros-remote-vulnerability-exploiting-the-winbox-service/ I have seen another post (which I will not reproduce here) detailing the exact steps required to perform the exploit. This leads me to believe my device may ...
by sjoram
Tue Jul 24, 2018 12:45 pm
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default? Whe...
by sjoram
Tue Jul 24, 2018 11:14 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

There was a breach earlier /maybe month ago or so/ and I've changed name of admin account and disable it, create another user with full access, upgrade firmware's /both/ and...the new username was used to access two of my routers. IP address of mikrotik.php script /empty/ was - 95.154.216.164 Did y...
by sjoram
Tue Jul 24, 2018 11:00 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

Whilst I am disappointed in myself that I have not 'hardened' my router(s) as well as I should have done in order to mitigate this type of attack, it has always been a concern to me that RouterOS seems to be quite so insecure 'out of the box' - should we not be striving to be secure by default?
by sjoram
Tue Jul 24, 2018 10:59 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

Fortunately, I have the logs from my device being captured via syslog. I am just trawling through these (1700 so far) and appear to have seen the first sign last night of when I noticed problems. This shows a SUCCESSFUL winbox login, followed by SOCKS config changes and scripts being added/removed. ...
by sjoram
Tue Jul 24, 2018 4:37 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Re: Router compromised [SOLVED]

Ouch. Well "at least" it's not just me. I've spent 3 hours on it and it seems to have subsided - for now, at least.

Router has now been up 1h6m and the best it has otherwise managed in the past 3.5 hours was 15 mins.
by sjoram
Tue Jul 24, 2018 4:27 am
Forum: General
Topic: Router compromised [SOLVED]
Replies: 21
Views: 4576

Router compromised [SOLVED]

I found my RB750 crashing due to running out of RAM this evening. Upon deeper investigation, it appeared that unauthorised access had been obtained to the router. Some firewall "drop" rules were disabled and there was a "mikrotik.php" file along with some scripts running. I found the php file rather ...
by sjoram
Sun Mar 25, 2018 12:51 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

When I disable the rule of source (PPPoE Public IP) to destination 10.0.0.0/8, I can see (having added a passthrough rule) that counters for source public IP to destination 10.0.0.0/8 are increasing when DHCP requests are made. Therefore Router B is forwarding DHCP relay packets with a source of the...
by sjoram
Sat Mar 24, 2018 7:40 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

OK, so I've worked through all my NAT rules and confirmed that it's the srcnat rule "fixing" the source IP for traffic passing over the IPSec tunnel that's causing the problem. Traffic flow is: DHCP Server (10.0.0.5/16) <--> Switch <--> Router A <--> IPSec <--> Router B <--> Switch <--> DHCP Client ...
by sjoram
Mon Mar 05, 2018 5:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

Resurrecting an old thread here, folks. Apologies, it's been lower down my priority list for a while so hadn't got back to it. I haven't tried removing the source address on the DHCP relay but I don't see that it should cause a problem? The reason for the srcnat rule(s) is as per https://wiki.mikrot...
by sjoram
Fri Aug 04, 2017 3:32 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

*bump* Any thoughts anyone? A bug or something in my config I'm missing?
by sjoram
Tue Jun 06, 2017 6:14 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

/interface vlan
add interface=ether2-master-local name=VLAN5 vlan-id=5
add interface=ether2-master-local name=VLAN10 vlan-id=10
add interface=ether2-master-local name=VLAN20 vlan-id=20
add interface=ether2-master-local name=VLAN40 vlan-id=40
add interface=ether2-master-local name=VLAN60 vlan-id=60
a...
by sjoram
Sat Mar 11, 2017 3:19 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

Re: DHCP relay problem

I've just spent some time looking at this again as I still haven't managed to get it resolved. From the client machine sending the DHCP requests, all Wireshark shows up is a bunch of DHCP Discover packets. The DHCP server is showing DHCP Discover packets and DHCP offer being returned. However the DH...
by sjoram
Mon Jan 23, 2017 6:51 pm
Forum: General
Topic: Best Routerboard for IPSec on DSL
Replies: 2
Views: 487

Best Routerboard for IPSec on DSL

Can anyone recommend the best current model Routerboard for use on xDSL when running an IPSec tunnel between 2 devices? I have read some devices are better as the hardware can accelerate encryption performance rather than relying so heavily on CPU? Bear in mind that I only use 2 x interfaces on both...
by sjoram
Tue Jan 03, 2017 10:06 pm
Forum: General
Topic: DHCP relay problem
Replies: 9
Views: 2248

DHCP relay problem

I have a problem with DHCP relay on some of my VLANs. It is working fine on one but not the others. The DHCP server is 10.0.0.5/16 on an HP switch with VLAN interface into RB750. There are other local VLANs on that switch using DHCP relay on the RB750 without issue. I have an IPSec VPN to a RB750GL, w...
by sjoram
Sat Oct 29, 2016 7:27 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 622

Re: Unreplied connections

I've now enabled reverse path filtering as well as tweaking the drop rules at the bottom of the chain...and things are looking much better now.
by sjoram
Sat Oct 22, 2016 1:46 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 622

Re: Unreplied connections

Update: I noticed the problem was more pronounced on one device than the other and there were subtle differences between the two in the rules configured to drop traffic.
I've tweaked this and will see how things go over the next week or so.
by sjoram
Sat Oct 22, 2016 1:26 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 3886

Re: ISP requires VLAN and pbit set

Did you try limiting the MSS in TCP packets as per earlier posts? My 2x WAN connections are xDSL and only 20/2 and 80/20 respectively but I had major issues until I did this.
by sjoram
Sat Oct 22, 2016 1:20 pm
Forum: General
Topic: Unreplied connections
Replies: 3
Views: 622

Unreplied connections

I have 2x RouterOS running on 2x RB750 series routers. I'm having major problems with unreplied connections on both devices. Both the source and destination addresses are NOT on my local network, so I suspect there is some spoofing of the source addresses. My question is how can I block these reliab...
by sjoram
Sat Feb 13, 2016 12:25 pm
Forum: General
Topic: srcnat rule not working
Replies: 0
Views: 426

srcnat rule not working

Hi all, I have moved a device on my network from one VLAN with a /16 subnet onto another with a /30. It was on 10.5.0.0/16 (VLAN10) and has moved to 192.168.5.0/30 (VLAN5). RouterBOARD 750GL is 10.5.0.254 and 192.168.5.1 respectively. Device of interest was 10.5.2.2, now 192.168.5.2. I have a srcnat ru...
by sjoram
Sat May 16, 2015 10:26 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1538

Re: Problem with DHCP Relay & IPSec

**Edited**

This is now resolved and was the result of a couple of configuration screw-ups.

Namely, DHCP snooping on the switch at the main site & a Source NAT rule covering traffic going between each site.
by sjoram
Sun May 03, 2015 1:31 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1538

Re: Problem with DHCP Relay & IPSec

Yes the IPSec tunnel is working. Packet capture on the DHCP server doesn't show any DHCP packets originating from the remote network.
by sjoram
Sat May 02, 2015 10:20 pm
Forum: General
Topic: PPTP not reconnecting
Replies: 13
Views: 2863

Re: PPTP not reconnecting

I recommend the Draytek Vigor 120 modem.
I'm running this with a RB750 on ADSL2+ and it works great.
The modem just worries about keeping the DSL in sync; the RB750 handles the PPP login.
by sjoram
Sat May 02, 2015 9:53 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1538

Re: Problem with DHCP Relay & IPSec

Bumping this as no replies and still haven't managed to resolve...
I've also attempted to deploy on my new FTTC (VDSL) circuit and had the same issue and that is not behind another NAT router....
by sjoram
Sat Mar 14, 2015 5:54 pm
Forum: General
Topic: Problem with DHCP Relay & IPSec
Replies: 6
Views: 1538

Problem with DHCP Relay & IPSec

Having an issue with DHCP Relay not working over an IPSec tunnel. I've found a few previous posts and tried suggestions there to no avail. This is only a temporary setup for a few months, so I don't want to waste too much time on it, but it would be nice to get working if possible. I'm currently using...
by sjoram
Sun Aug 10, 2014 4:27 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5283

Re: IPSec - Dynamic IP with Double NAT

I'll check out the script, thanks.

Ref the tunnel not passing traffic after one end upgraded to v6.18 with other end still on v6.17, I've now upgraded the other RB750 and have both ends on v6.18 and the tunnel is now passing traffic.
by sjoram
Sun Aug 10, 2014 4:26 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16386

Re: v6.17 SNMP - Interface Stats

I have just upgraded to v6.18 and currently working. Will monitor and report back if it falls over again.
by sjoram
Wed Aug 06, 2014 2:48 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5283

Re: IPSec - Dynamic IP with Double NAT

Update to this: I haven't found a way to deal automatically with the dynamic IP on one side yet, but it hasn't as yet changed - I'm not sure how the lease works from the ISP but it seems semi-sticky. But I've upgraded ROS on the RB750 at one end to v6.18 with the other end still on v6.17 and cannot ...
by sjoram
Sun Aug 03, 2014 11:42 am
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16386

Re: v6.17 SNMP - Interface Stats

I've just tried the disable, reboot, enable, reboot to no avail. Some "sensors" are responding to an auto-discovery (see below) but not the ones (interfaces) that I'm interested in. Trying to manually add an interface "sensor", the device reports no interfaces are available. http://www.oram-net.net/...
by sjoram
Sun Jul 20, 2014 5:26 pm
Forum: Beginner Basics
Topic: NAT problem
Replies: 14
Views: 4702

Re: NAT problem

Just in case anyone does a search and is reading this thread, I resolved it. http://forum.mikrotik.com/viewtopic.php?f=2&t=87170
/ip firewall nat add chain=dstnat action=dst-nat to-addresses=<private IP e.g. 10.0.0.5> to-ports=<private port e.g. 9326> protocol=tcp dst-address=<public IP> dst-port=<publ...
by sjoram
Sun Jul 20, 2014 5:15 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 898

Re: Doubts about pppoe MTU

If I understand your problem correctly, see screenshots in below file.
You need one rule to cover in interface and another rule to cover out interface (same interface on both rules - your PPP interface).

http://www.oram-net.net/public/ROS-MSS.pdf
by sjoram
Sun Jul 20, 2014 5:06 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 1258

Re: Hairpin NAT - Problem configuring

Thanks, I re-read the wiki article yet again and the srcnat stuff finally clicked in my head.
I've configured it & it's working.
by sjoram
Sun Jul 20, 2014 12:47 pm
Forum: General
Topic: Doubts about pppoe MTU
Replies: 5
Views: 898

Re: Doubts about pppoe MTU

My PPPoE MTU is 1432 but I had to use MSS clamping to reduce MSS on TCP SYN packets to 1386.
by sjoram
Sat Jul 19, 2014 1:23 pm
Forum: General
Topic: Hairpin NAT - Problem configuring
Replies: 2
Views: 1258

Hairpin NAT - Problem configuring

Trying to configure Hairpin NAT and I can't make it work. I need clients on 10.0.0.0/16 (VLAN 10) to be able to access the services as per the dstnat rules. Other VLANs and external connections can work the dstnat rules fine, it's just clients on the same VLAN/subnet as the server they are accessing...
by sjoram
Sat Jul 19, 2014 1:00 pm
Forum: General
Topic: v6.17 SNMP - Interface Stats
Replies: 56
Views: 16386

v6.17 SNMP - Interface Stats

I have been using PRTG Network Monitor to collect via SNMP interface (bandwidth) statistics. Since some time yesterday after upgrade to v6.17, the interfaces are no longer reporting via SNMP. I've deleted all SNMP "sensors" and re-run an auto-discovery and it has not found any of the interfaces as "...
by sjoram
Fri Jul 18, 2014 11:57 pm
Forum: General
Topic: IPSec - Dynamic IP with Double NAT
Replies: 11
Views: 5283

Re: IPSec - Dynamic IP with Double NAT

Right, I've managed to 'fudge' this. Phase1 came up no problems but when I enabled debug logging for IPSec, the RB750 with the double NAT gave the error that it ignored the packet because it does not listen on the public IP address. Since nothing going to the WAN interface of the RB750 from the WAN ...
by sjoram
Fri Jul 18, 2014 7:46 pm
Forum: General
Topic: RB750 Routerboard Upgrade problem
Replies: 7
Views: 2328

Re: RB750 Routerboard Upgrade problem

All good.
I've just done the ROS and RB upgrade.

Cheers
by sjoram
Fri Jul 18, 2014 7:41 pm
Forum: General
Topic: ISP requires VLAN and pbit set
Replies: 8
Views: 3886

Re: ISP requires VLAN and pbit set

Try the forward chain.
I have a mangle rule to change the MSS on packets in/out of WAN interface and mine uses forward chain.