Community discussions
by soamz
Sat Aug 04, 2018 2:53 pm
Forum: General
Topic: Latest Winbox Buggy in Windows ?
Replies: 0
Views: 299

Latest Winbox Buggy in Windows ?

Something is wrong with the latest Winbox file on Windows.

It doesn't save the connection data, even if you click the save icon.

What's the issue?
by soamz
Fri May 19, 2017 5:27 am
Forum: General
Topic: Microtik CCR-1036-12G-4S Weird Activity - Losing Connectivity
Replies: 1
Views: 377

Re: Microtik CCR-1036-12G-4S Weird Activity - Losing Connectivity

Forgot to add:

The CCR1009, where the VLANs are working, is on the latest RoS 6.37.2.

And this CCR1016 and CCR1036 are on 6.30.2 and 6.32.4.

Can RoS be the reason the VLANs aren't working?
by soamz
Fri May 19, 2017 5:05 am
Forum: General
Topic: vlan for CCR1036 and CCR1016 doesnt work!
Replies: 1
Views: 446

vlan for CCR1036 and CCR1016 doesnt work!

I have a Huawei S5700 switch, to which all the MikroTiks are connected. The MikroTik CCR1009 VLAN is working smoothly: the Huawei port is an access port for vlanX, then vlanX is in a bridge with the physical port in the same bridge, and CCR1009 is pinging fine. Exactly the same way, when we do it for CCR1016...
by soamz
Fri May 19, 2017 4:28 am
Forum: General
Topic: Microtik CCR-1036-12G-4S Weird Activity - Losing Connectivity
Replies: 1
Views: 377

Microtik CCR-1036-12G-4S Weird Activity - Losing Connectivity

One of our PPPoE routers, a MikroTik CCR-1036-12G-4S, has close to 900-1100 concurrent PPPoE sessions 24x7, passing 500-600 Mbps of traffic, with RoS 6.32.4. All of our PPPoE NAS routers are connected to a Huawei S5700 switch, which comes from the core router CCR1072. Since the VLAN from Huawei to 1036 ...
by soamz
Thu Apr 27, 2017 9:47 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

If 103.75.41.217 is your customer, you're not looking at SMTP traffic to them; it's traffic from them to many remote mail servers. So either they went into the spamming business or got hacked or something.
Yes, that's my customer.
I ended up blocking port 25 for him.
by soamz
Thu Apr 27, 2017 5:11 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

Change the chain to "Input"; Forward only blocks traffic passing through the router. If you want to stop sending email (port 25) from inside your network, change the chain to "Output", which will block all port 25 going out the WAN port. Also make sure you specify which interface for input and ...
by soamz
Thu Apr 27, 2017 5:08 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

If I torch my WAN port, how come multiple different servers are trying to send email to one single customer?

For sure, the customer is not so famous that he would get hundreds of emails every second.

What could it be?

See screenshot.
by soamz
Thu Apr 27, 2017 5:07 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

Accept rule = The business customers' IPs have been added to an address-list = verified-smtp-users. So, basically the accept rule will allow them to send emails from their computers using port 25.
Add to src-address-list = Adding the customers who are trying to use port 25 to send emails.
drop = dropping the cust...
by soamz
Thu Apr 27, 2017 5:05 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

And I created the rules again and add to src list for drops = smtp-spammers. But instead of my customer IP blocks getting added to the smtp-spammers list, I can see foreign IP blocks too. So I'm kind of confused about what the rule is doing. Is it blocking my customers or the ones who are trying to send e...
by soamz
Thu Apr 27, 2017 5:03 am
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Re: Whats wrong with each Microtik OS versions ????

I don't see any errors in your screenshots. mlpauls is right that the accept rule would be counterproductive when you want to drop the traffic. But nevertheless, the counters should show anything but zero. Looking at your SIP drop rules at the bottom proves that the firewall is working. So there mu...
by soamz
Wed Apr 26, 2017 5:17 pm
Forum: General
Topic: Whats wrong with each Microtik OS versions ????
Replies: 11
Views: 1317

Whats wrong with each Microtik OS versions ????

I simply wanted to block port 25. So I placed the rules as given by MikroTik support, but there is absolutely 0 traffic hitting, while I can clearly see the WAN port and LAN port getting all the spammers' traffic. Attached is the screenshot of the firewall rule and torch of WAN to show that the rule doe...
by soamz
Sun Apr 23, 2017 12:42 pm
Forum: General
Topic: Any knows compatibility issues of CCR1072 with vlan passing through cisco switches ?
Replies: 3
Views: 516

Any knows compatibility issues of CCR1072 with vlan passing through cisco switches ?

Here is my current cabling. See attachment. But the traffic and MAC address both are not reaching the 1072 over vlan10. The 1072 is not even reading the MAC address from the 1036 over vlan10. What's the issue? Any special config required in CCR1072 to accept traffic and learn MAC addresses from vlan10 th...
by soamz
Thu Dec 29, 2016 5:29 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

The solution to the problem is switching to a routed network. You will also have more control of the traffic flowing through the network.
That's what we did finally.
It would be helpful if you share the topology.
I explained it in the All India ISP WhatsApp group a few days back. Are you in that group?
by soamz
Thu Dec 29, 2016 2:48 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

The solution to the problem is switching to a routed network.

You will also have more control of the traffic flowing through the network.
That's what we did finally.
by soamz
Thu Dec 29, 2016 1:50 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

We experienced the same problem recently: one of our POP switches was unreachable from the trunk side.
We isolated the switch port by port and found out the problem was a loop in one of the access ports of a particular VLAN.

Fixed it. It was a faulty DVR of one customer, which was disturbing the whole VLAN.
by soamz
Tue Aug 30, 2016 1:24 pm
Forum: Beginner Basics
Topic: MRTG dynamic PPPoE or PPTP interface
Replies: 21
Views: 3932

Re: MRTG dynamic PPPoE or PPTP interface

Screenshots, please.
by soamz
Tue Aug 30, 2016 1:08 pm
Forum: Beginner Basics
Topic: MRTG dynamic PPPoE or PPTP interface
Replies: 21
Views: 3932

Re: MRTG dynamic PPPoE or PPTP interface

Log out and log in again. And see.
I doubt it.

And upload screenshots, please.
by soamz
Sat Aug 06, 2016 3:43 am
Forum: General
Topic: ISP Firewall Best Practices
Replies: 2
Views: 13678

Re: ISP Firewall Best Practices

Does it need to go to the border or the edge?
by soamz
Tue Aug 02, 2016 8:05 am
Forum: Forwarding Protocols
Topic: Microtik almost killed Huawei!!
Replies: 14
Views: 3180

Re: Microtik almost killed Huawei!!

What answer do you expect on the MikroTik forum? Do you ask a Toyota dealer which model of Ford or Volvo he suggests? :)
Hahahaha..
No, I mean from experts' opinions. I know I'm staying with MikroTik for my PPPoE.
I just need better hardware for edge and core.
by soamz
Tue Aug 02, 2016 7:48 am
Forum: Forwarding Protocols
Topic: Microtik almost killed Huawei!!
Replies: 14
Views: 3180

Re: Microtik almost killed Huawei!!

Do you suggest Huawei NE or Juniper MX ?
by soamz
Tue Aug 02, 2016 7:40 am
Forum: Forwarding Protocols
Topic: Microtik almost killed Huawei!!
Replies: 14
Views: 3180

Re: Microtik almost killed Huawei!!

The NE20E-S series can hold 12M IPv4 routes in RIB and 4M IPv4 routes in FIB.
Oh wow, maybe the salesperson did not know.

So, my plan is to change edge and core to Huawei or Juniper next month and only use MikroTik for PPPoE routers.
by soamz
Sun Jul 31, 2016 3:12 pm
Forum: General
Topic: hosting looking glass into microtik files
Replies: 7
Views: 1002

Re: hosting looking glass into microtik files

How will a user see the ping and trace from the frontend?
by soamz
Sun Jul 31, 2016 1:03 pm
Forum: Forwarding Protocols
Topic: Microtik almost killed Huawei!!
Replies: 14
Views: 3180

Microtik almost killed Huawei!!

We flow a lot of traffic and a lot of BGP routes, as we are peered to many CDNs and providers. Right now, the current setup is a 1072 as edge. I was thinking to change to a Huawei NE20E-S2E as my edge router, but Huawei said its max limit is 25000 BGP routes only. I was like, WTF!!!! MikroTik 1072 is j...
by soamz
Sun Jul 31, 2016 12:15 pm
Forum: Wireless Networking
Topic: Stop all P2P / UDP except port 53
Replies: 8
Views: 4668

Re: Stop all P2P / UDP except port 53

Did you block chain:INPUT and in-interface:<your external interface>? Make sure you don't apply these rules on your internal interfaces. You're welcome to post your firewall filter rules so we could have a look.
My network is: 3 upstreams, so 3 border routers > Then 2 core routers in VRRP > Then PP...
by soamz
Sun Jul 31, 2016 5:14 am
Forum: Wireless Networking
Topic: Stop all P2P / UDP except port 53
Replies: 8
Views: 4668

Re: Stop all P2P / UDP except port 53

If your router is enabled for DNS ("Allow remote requests"), your router is vulnerable to DoS attacks from all sides, UNLESS you have a deliberate firewall rule to drop all TCP and UDP port 53 traffic on your external interface(s). On all my routers, especially ones exposed to the Internet, I have ...
by soamz
Sat Jul 30, 2016 1:03 pm
Forum: Wireless Networking
Topic: Stop all P2P / UDP except port 53
Replies: 8
Views: 4668

Re: Stop all P2P / UDP except port 53

Yes, very bad!
You are probably being used as a DDoS reflector because of inappropriate firewalling of your internal DNS resolver.
But my DNS is only open for my own internal network, meaning my 5 blocks of /22, not for the outside world.
by soamz
Sat Jul 30, 2016 12:27 pm
Forum: Wireless Networking
Topic: Stop all P2P / UDP except port 53
Replies: 8
Views: 4668

Re: Stop all P2P / UDP except port 53

My core router is getting 70 Mbps of UDP traffic.

Is it bad?

And I just applied this,

/ip firewall filter add action=drop protocol=udp port=!53 chain=forward
by soamz
Sat Jul 30, 2016 11:41 am
Forum: General
Topic: Block UDP traffic
Replies: 7
Views: 6098

Re: Block UDP traffic

I'm getting around 30% of my total traffic as UDP traffic, as I see in my NetFlow.

Is there anything to worry about?
by soamz
Sat Jul 30, 2016 11:41 am
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Re: Correct way of protecting from SYN ?

Added to the border router, but it doesn't seem to be getting the packets.
Looks like some issue.
by soamz
Sat Jul 30, 2016 11:31 am
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

Still did not get to the final code.
by soamz
Sat Jul 30, 2016 11:17 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Still not working :(
by soamz
Sat Jul 30, 2016 11:08 am
Forum: Scripting
Topic: How to ***really*** block invalid TCP and UDP packet
Replies: 43
Views: 36634

Re: How to ***really*** block invalid TCP and UDP packet

So what's the final version of the code to add?
by soamz
Fri Jul 29, 2016 9:17 pm
Forum: General
Topic: hosting looking glass into microtik files
Replies: 7
Views: 1002

Re: hosting looking glass into microtik files

No.
Oh, bad luck :(
by soamz
Fri Jul 29, 2016 8:55 pm
Forum: General
Topic: hosting looking glass into microtik files
Replies: 7
Views: 1002

hosting looking glass into microtik files

Hi, we are hosted at a data center where we have a core router for PNI only.
We need to host a looking glass there.

https://github.com/telephone/LookingGlass

Can we simply upload this to MikroTik Files and access it and get the results?
by soamz
Thu Jul 28, 2016 2:08 pm
Forum: General
Topic: Tool: Realtime per IP traffic monitor for home/office
Replies: 289
Views: 306802

Re: Tool: Realtime per IP traffic monitor for home/office

Thanks a lot, very good topic.
Did you get it working?
by soamz
Wed Jul 27, 2016 3:10 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Then the only option, I guess, is to recheck if that specific monitoring section is added correctly on the Cacti side. I haven't used Cacti that much to be able to give you some more specific details on problem debugging in that NMS.
Did you try in MRTG? I can do it then, just I did not know the format for ...
by soamz
Wed Jul 27, 2016 2:46 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Is the SNMP configuration correct on both the device and NMS sides?
Yes, perfect, as it's listing the ether traffic fine, as I'm monitoring each ether's traffic from the same Cacti too.
by soamz
Tue Jul 26, 2016 7:18 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

It shows blank.
by soamz
Tue Jul 26, 2016 3:07 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Okay, it works. But what do I use from it? I got this,
[soamxxx@xxxx] > interface print oid where name~"JS080-monitoring1"
Flags: D - dynamic, X - disabled, R - running, S - slave
 0  R  name=.1.3.6.1.2.1.2.2.1.2.28 actual-mtu=.1.3.6.1.2.1.2.2.1.4.28 mac-address=.1.3.6.1.2.1.2.2.1.6.28 a...
by soamz
Tue Jul 26, 2016 3:04 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Okay, let me try.

BTW, is it okay to convert all customers to this static binding, or is there any downside to this?

Why does everyone use the normal dynamic PPPoE then?
by soamz
Tue Jul 26, 2016 2:41 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Okay, fine.
I logged him out and then it auto logged in again. So, I guess login is working fine.
Now what do I copy from this MikroTik user to monitor his graph in Cacti or MRTG?
His MAC ID?
by soamz
Tue Jul 26, 2016 2:30 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

For example, I took a customer who is live and using it. And simply entered his PPPoE username as username and, in service name, placed my service name. I see his normal PPPoE doesn't show and only the binding one shows, but his account shows logged in and 0 usage. How do we know if it's done? And yo...
by soamz
Tue Jul 26, 2016 2:17 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

My bad, I used an incorrect term. I meant that you need to create static PPPoE server bindings for those users that you want to monitor. On the next reconnect the dynamic server bindings will no longer appear and this user will now be tied to this static server binding. Then from this entry use OIDs for mo...
by soamz
Tue Jul 26, 2016 10:34 am
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

There is. You just cannot get static OIDs without interrupting the current client. * From the current dynamic session you can use those OIDs that it already has. The problem is that they will change on each client reconnect. * IF you add a static PPPoE server interface for that client, the OIDs will r...
by soamz
Mon Jul 25, 2016 4:45 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

You cannot. The PPPoE client would start using the static interface on the next reconnect.
So there is no way to get usage traffic graphs of PPPoE customers?
by soamz
Sun Jul 24, 2016 1:49 am
Forum: Beginner Basics
Topic: MRTG dynamic PPPoE or PPTP interface
Replies: 21
Views: 3932

Re: MRTG dynamic PPPoE or PPTP interface

I have not done this for that particular application, but I faced the same issue in other cases. Of course you need to write a program/script that adds MRTG config for every new interface (customer in your case). But that is quite easy, as it is only the addition of a fixed section with simple parame...
by soamz
Sat Jul 23, 2016 7:42 pm
Forum: Beginner Basics
Topic: MRTG dynamic PPPoE or PPTP interface
Replies: 21
Views: 3932

Re: MRTG dynamic PPPoE or PPTP interface

Should not be a problem with the proper MRTG configuration! It is not a MikroTik issue; it is about knowing how to configure and use MRTG. I have used MRTG with many different devices and this issue always occurs. You need to find and use the proper interface reference.
Have you done it? Can you sha...
by soamz
Sat Jul 23, 2016 7:35 pm
Forum: Scripting
Topic: Using Cacti to graph PPPOE Sessions
Replies: 14
Views: 8448

Re: Using Cacti to graph PPPOE Sessions

From Winbox: PPP > Interfaces > Double-click a dynamic interface > Copy > Apply > OK

Before applying, make sure you REMOVE the previous PPP interface you are copying.
Sorry, that is confusing.
Can you explain how to do that?
by soamz
Sat Jul 23, 2016 7:32 pm
Forum: Beginner Basics
Topic: MRTG dynamic PPPoE or PPTP interface
Replies: 21
Views: 3932

Re: MRTG dynamic PPPoE or PPTP interface

Any success yet?

I need it ASAP!!!
by soamz
Sat Jul 23, 2016 7:32 pm
Forum: The Dude
Topic: help with setting up pppoe users bandwidth graph
Replies: 23
Views: 3666

Re: help with setting up pppoe users bandwidth graph

Only by creating static server bindings for those PPPoE users would you get them to stick with one and the same OIDs on each connection.
How to do that without disturbing the clients?
by soamz
Sat Jul 23, 2016 7:31 pm
Forum: General
Topic: Feature Request : Static oid for PPPoE users
Replies: 9
Views: 2173

Re: Feature Request : Static oid for PPPoE users

Any success yet?
by soamz
Sat Jul 23, 2016 7:29 pm
Forum: General
Topic: PPPoE user bandwith graphs
Replies: 1
Views: 520

Re: PPPoE user bandwith graphs

Did you find out?
by soamz
Sat Jul 23, 2016 7:08 pm
Forum: General
Topic: Tool: Realtime per IP traffic monitor for home/office
Replies: 289
Views: 306802

Re: Tool: Realtime per IP traffic monitor for home/office

Does the final version work for anyone?
by soamz
Fri Jul 15, 2016 3:00 pm
Forum: Forwarding Protocols
Topic: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet
Replies: 21
Views: 2736

Re: OSPF and Routing Filters to manage PPPoE Server side failover for routed subnet

Which Cisco router do you use?
Two Cisco 2951. At this time, I implemented eBGP to redistribute ONLY static subnets (on NASs). Each NAS has a private AS, like AS65001, AS65002, .... The two Cisco 2951 have a public AS. So, this system works, but it's a poor solution...
Is the Cisco 2951 able to handle ful...
by soamz
Mon Jul 11, 2016 10:42 pm
Forum: General
Topic: Which Microtik router can handle this ?
Replies: 7
Views: 877

Re: Which Microtik router can handle this ?

Yeah, I understand your current diagram ... my point was that you could _change_ it and just have everything connected to your switch (both peers and ISP) and then have the CCR "on a stick" just connected to your switch and use VLANs as virtual patch cables to make any logical topology you want. O...
by soamz
Mon Jul 11, 2016 8:57 am
Forum: General
Topic: Which Microtik router can handle this ?
Replies: 7
Views: 877

Re: Which Microtik router can handle this ?

CCR1072-1G-8S+ has 8 SFP+ ports that can do 10G or 1G. There are also other models with 2 SFP+ and 1G ports as 1G-base-T rather than SFP. But you could also use only a single 10G port for all your uplinks, using VLANs on your switch to establish the point-to-point connections to your peers. Or even just t...
by soamz
Mon Jul 11, 2016 8:37 am
Forum: General
Topic: Which Microtik router can handle this ?
Replies: 7
Views: 877

Re: Which Microtik router can handle this ?

Have a look at the following devices:
CCR1036-8G-2S+ - 8x 1G (copper) ports + 2x SFP+ (10G) ports.
CCR1036-8G-2S+EM - Same as above, but more memory on board.
CCR1072-1G-8S+ - 1x 1G (copper) port + 8 SFP+ (10G) ports, but all SFP+ ports should be compatible with 1G SFP modules.
If you need 1G coppe...
by soamz
Mon Jul 11, 2016 6:42 am
Forum: General
Topic: Which Microtik router can handle this ?
Replies: 7
Views: 877

Which Microtik router can handle this ?

I recently peered to Google and Akamai in a data center, using a Huawei S5700-28X-LI-24S-AC switch for it, but now I have customers there and I need to terminate those CDN providers into a router. Peering to terminate on the router: Google 10G port (500 routes), Akamai 1G port (181 routes), Amazon 1G ...
by soamz
Sat Jul 02, 2016 6:08 pm
Forum: General
Topic: New RB3011UiAS-RM - not impressed with throughput...
Replies: 22
Views: 7136

Re: New RB3011UiAS-RM - not impressed with throughput...

Can the 3011 handle 500 PPPoE sessions with a total throughput of even 700 Mbps?
by soamz
Fri Jul 01, 2016 7:22 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

I'm a newbie here, especially on the firewall thing. I have a similar problem where my entire /23 subnet is on the PBL. I'm more of a routing person, but I have to deal with this. Is anyone willing to help with this?
Mine is still not blocked, very confused. Still, after placing everything, I'm able to logi...
by soamz
Thu Jun 30, 2016 9:54 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

First delete my existing 4 rules.
Then,
/ip firewall address-list add list=dnsClients address=x.x.x.x/m
Go to address list and add my IP blocks first.
Then run this,
/ip firewall filter add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 action=...
by soamz
Thu Jun 30, 2016 8:18 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

Remove the old and place this? Sorry, I'm always afraid to mess it up, as once, for one single click, the whole network went down for 1 hour, and I had to drive 22 km at 2 am in the night. So, could you please paste the final version of the total code? I will remove the old 4 lines, as I...
by soamz
Thu Jun 30, 2016 7:44 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

My network is this:
3 upstreams > 3 dedicated MikroTik edge routers
Then it connects to 2 MikroTik core routers in VRRP >>
Then it connects to this NAS router >> Customers
by soamz
Thu Jun 30, 2016 7:40 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

This is the main router, after which there are 2500 customers PPPoE authenticated and using the internet.

I think you call it a NAS or BRAS router.
by soamz
Thu Jun 30, 2016 6:37 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

Attached. Thanks!!
by soamz
Thu Jun 30, 2016 12:04 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

okay - so use the in-interface=!pppoe-interface (not ether3, but pppoe1-out or whatever its name may be in your configuration)
PPPoE port is ether3. So you mean this is final?
/ip firewall filter add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 ...
by soamz
Thu Jun 30, 2016 11:49 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Done.
But still I'm able to go to my PC and telnet domain.com 25.
by soamz
Thu Jun 30, 2016 11:41 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

And does this need to be done for the PPPoE ether or the MikroTik's public IP ether?
by soamz
Thu Jun 30, 2016 11:39 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

So, final version is this one?
/ip firewall filter add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=forward dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp
add action=add-src-to-address-list address-lis...
by soamz
Thu Jun 30, 2016 5:29 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Chances are you have the rules in the wrong order, below one that permits the traffic you are trying to log and filter out.
Oops.
Can you clean up and paste the final version, please?
by soamz
Wed Jun 29, 2016 10:06 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

I mean, ether8 is the port which is connected from the core router to this router.
And ether3 is the PPPoE port.
by soamz
Wed Jun 29, 2016 9:30 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

My WAN is ether8 and my PPPoE port is ether3. So you mean this?
/ip firewall filter add chain=input connection-state=established,related action=accept
add chain=input in-interface=ether3 action=accept
add chain=input protocol=icmp action=accept
add chain=input action=drop
/ip firewall filter add cha...
by soamz
Wed Jun 29, 2016 7:08 am
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

@ZeroByte, I have these 4 only.
/ip firewall filter add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop
/ip firewall filter add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop
add c...
by soamz
Wed Jun 29, 2016 6:27 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

I did this in a NAS which has 2500 PPPoE customers.
/ip firewall filter add action=add-src-to-address-list address-list=BAD_SMTP_CLIENTS address-list-timeout=4h chain=forward dst-address-list=!GOOD_SMTP_CLIENTS dst-port=110,995,143,993,25,585 out-interface=ether6 protocol=tcp
add action=add-src-to-...
by soamz
Wed Jun 29, 2016 6:15 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

From your port list,
110,995,143,993,25,465,585
I removed the 465, as 25 is blocked, so customers will use 465 with SSL for sending emails.
by soamz
Wed Jun 29, 2016 6:07 am
Forum: General
Topic: issue of open some web page in the mikrotik
Replies: 32
Views: 9181

Re: issue of open some web page in the mikrotik

/ip firewall mangle
add action=change-mss chain=forward comment="Internet MSS Shaping" disabled=no new-mss=1452 out-interface=Internet protocol=tcp tcp-flags=syn tcp-mss=1453-65535
add action=change-mss chain=forward disabled=no in-interface=Internet new-mss=1452 protocol=tcp tcp-...
by soamz
Wed Jun 29, 2016 6:01 am
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re:

Check it tomorrow. At least the DNS server utilisation should be low immediately. The last two rules just prevent the inner devices from talking with other outer DNS servers, but they are not effective as they are below the general accepting rule for outbound traffic. It depends on you whether you want to allow...
by soamz
Tue Jun 28, 2016 7:30 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

The throughput you get through each unit depends highly on your rules on firewall/NAT etc. If you've a limited firewall and make use of fastpath, then you should get throughput close to the specified figures. VPNs (with encryption) and lots of firewall rules all act to reduce your throughput.
Yes, I know! We ...
by soamz
Tue Jun 28, 2016 7:22 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

Have you looked at the mikrotik/routerboard website at all? All of the specifications are on there. The amount of memory does not equate to speed/throughput.
I had checked it weeks ago.
Just wanted to get a real-life review of it.
by soamz
Tue Jun 28, 2016 6:52 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

Superb!!!!
And if I get a 3011, can it handle more than the 850Gx2, as it has 1G RAM?
So, get the 3011 or the 850Gx2?
by soamz
Tue Jun 28, 2016 6:42 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

You mean we can do OSPF + MPLS on an 850Gx2 also?
Clearly you need an understanding of how before you do, but yes.
Wow, you are making me happy!
But I saw on the RouterBOARD website that it shows RouterOS 5 compatible.
I think MPLS/OSPF is only there in the RouterOS Level 6 license.
by soamz
Tue Jun 28, 2016 6:26 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

I would suggest you check your facts

1) you can run RouterOS 6.x on an RB850Gx2

2) see http://routerboard.com/RB850Gx2 for performance specs
You mean we can do OSPF + MPLS on an 850Gx2 also?
Can it even handle 300-400 Mbps per port?
by soamz
Tue Jun 28, 2016 6:14 pm
Forum: General
Topic: issue of open some web page in the mikrotik
Replies: 32
Views: 9181

Re: issue of open some web page in the mikrotik

Hi, I have the same issue; I can't open some bank web pages, Yahoo mail, etc. Did anyone find a solution to this problem? I am using a MikroTik CCR1036.
What's the error?
by soamz
Tue Jun 28, 2016 6:12 pm
Forum: General
Topic: Router for FTTH autorized with PPPOE and using VLAN
Replies: 13
Views: 1588

Re: Router for FTTH autorized with PPPOE and using VLAN

Look at RB850Gx2, RB1100AHx2 or CCR1009-8G-1S-PC
RB850Gx2 is not OS6 capable and also cannot handle more than 200 Mbps.
by soamz
Tue Jun 28, 2016 5:00 pm
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

I mean, I kept port 25 open and got my 2000 IPs blocked, and now dead :(
by soamz
Tue Jun 28, 2016 4:16 pm
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Yes, but you need to decide what you want to guard against. You need to be careful. When you implement measures to prevent your customers from being infected in a certain way, and this fails (if only due to advances in attacks), your customers may claim that you have failed in protecting them. So i...
by soamz
Tue Jun 28, 2016 3:33 pm
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

There is no general advice about that because it depends on your intentions. Do you want to guard your own network, to guard your customer, your ISP's reputation, or all? Do you want to guard against abusers from the internet, from your customers, or both? What OS is your typical customer running? ...
by soamz
Tue Jun 28, 2016 2:41 pm
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Please remember if you block any ports > 1024, you should make sure you do them for inbound connections only. Otherwise if a client picks a local ephemeral port number that happens to match a blocked port, suddenly things stop working. Good info. Is there a one-stop wiki for what ports should be b...
by soamz
Tue Jun 28, 2016 2:29 pm
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Okay KISS!
by soamz
Tue Jun 28, 2016 12:14 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

No... use KISS rule ... Rules for e-mail, rules for ssh, rules for WWW, rules for SPI ... rules for .... whatever you want to filter KISS :P Where do I find more info about it? I think there should be a MikroTik wiki for all this, as every ISP commonly needs this and it ends up with 1000 confu...
by soamz
Tue Jun 28, 2016 11:30 am
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Of course they allow the use of their own DNS-servers. (This obstructs malware that diverts DNS-requests to DNS-servers operated by the bad guys.) I see, so in the address list they only keep the IP of their own DNS server, so everything else is blocked. Means, even if someone tries to put Goo...
by soamz
Tue Jun 28, 2016 11:17 am
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Dutch ISP XS4ALL offers its customers customizable firewall settings. Customers can choose the level of protection they want through their support portal. This ranges from Level 0 (all ports open) to Level 4, where all the ports that are susceptible to abuse are blocked (i.e. 25, 53, 136, 137, 139,...
by soamz
Tue Jun 28, 2016 11:07 am
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

Dutch ISP XS4ALL offers its customers customizable firewall settings. Customers can choose the level of protection they want through their support portal. This ranges from Level 0 (all ports open) to Level 4, where all the ports that are susceptible to abuse are blocked (i.e. 25, 53, 136, 137, 139,...
by soamz
Tue Jun 28, 2016 10:34 am
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Re: Shall we block all those ports if a ISP ?

It is your own decision what ports you block to protect your customer and yourself. You CAN block port ranges in MikroTik routers, but not protocol ranges. So you need a separate rule for UDP and TCP each with the range. So if it's 135-139, create 2 rules, one each for TCP and UDP, for 135, 136, 137,...
by soamz
Tue Jun 28, 2016 9:01 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

For each device which sends data directly to the Internet ... if there is more than one then for each one but then for each device you need to maintain lists. It is like gates on the airport ... for each gate which passengers are going through you need a security officer. If you can pass all the peo...
by soamz
Tue Jun 28, 2016 8:50 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

For each device which sends data directly to the Internet ... if there is more than one then for each one but then for each device you need to maintain lists. It is like gates on the airport ... for each gate which passengers are going through you need a security officer. If you can pass all the peo...
by soamz
Tue Jun 28, 2016 8:16 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Rules 1,2 collect data in forward and output chains
Rules 3,4 filter mails in forward and output chains

You can use all of them at the same time.
Amazing.
In border or core?
Or both?
Or PPPoE routers?
by soamz
Tue Jun 28, 2016 8:07 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

You wrote it as OR.
So I got confused whether to run 2 or all 4.
by soamz
Tue Jun 28, 2016 5:49 am
Forum: General
Topic: Shall we block all those ports if a ISP ?
Replies: 19
Views: 1712

Shall we block all those ports if a ISP ?

I was checking the Comcast website and I see they have blocked all those ports. https://customer.xfinity.com/help-and-support/internet/list-of-blocked-ports/ Shall we simply add a rule for each port and block them? And should it be done at the border, core or PPPoE router? add chain=forward protocol...
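Added example, not from this post or the Comcast page: the same kind of port list applied on a PPPoE NAS, with the two caveats raised elsewhere in this thread built in. The blocks match only new connections arriving from the upstream side, so a customer's own outbound session that happens to use an ephemeral source port in the blocked range is not broken by its reply being dropped; and TCP and UDP get separate rules because a RouterOS filter rule names one protocol. The DNS rules implement the restrict-to-ISP-resolvers idea discussed in the thread. The interface names (sfp-upstream for the transit side, all-ppp for subscriber sessions), the resolver addresses and the exact port list are assumptions.

```routeros
# Added example, not from the post. Interface names, resolver addresses and the port list
# are assumptions; the list mirrors ports ISPs commonly block, adapt it to your own policy.

/ip firewall address-list
add list=isp-resolvers address=203.0.113.53/32 comment="ISP resolver 1 (example address)"
add list=isp-resolvers address=203.0.113.54/32 comment="ISP resolver 2 (example address)"

/ip firewall filter
# Stateful base first: replies to customer-initiated sessions are accepted here and never
# reach the port rules, which is what keeps ephemeral-port collisions harmless.
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop

# Inbound only: new connections arriving on the transit side (sfp-upstream is an assumed
# name) towards services on customer hosts that get abused when exposed.
add chain=forward in-interface=sfp-upstream connection-state=new protocol=tcp \
    dst-port=25,135,136,137,138,139,445,1433,1434,3389,5900 action=drop \
    comment="inbound TCP abuse ports (new inbound connections only)"
add chain=forward in-interface=sfp-upstream connection-state=new protocol=udp \
    dst-port=135,136,137,138,139,445,1434,1900 action=drop \
    comment="inbound UDP abuse ports (separate rule: one protocol per rule)"

# Subscribers may only resolve through the ISP's resolvers; anything else on port 53 is
# dropped, so malware cannot redirect lookups to a resolver it controls.
add chain=forward in-interface=all-ppp protocol=udp dst-port=53 \
    dst-address-list=!isp-resolvers action=drop comment="DNS only via ISP resolvers"
add chain=forward in-interface=all-ppp protocol=tcp dst-port=53 \
    dst-address-list=!isp-resolvers action=drop comment="DNS only via ISP resolvers"
```

Place it on the NAS rather than the border: the NAS still sees the individual subscriber, so a customer who legitimately runs a mail server can be exempted by putting their address in a list and adding an accept rule for that list ahead of the inbound tcp/25 drop. The connection-state matchers need connection tracking enabled (auto is fine); with tracking off, every rule above that uses connection-state silently matches nothing.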
by soamz
Tue Jun 28, 2016 5:43 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

For a global operation of blocking port 25, you're definitely going to want to allow SMTP for some sources - suppose your own company's mail server, for instance, or any customers who are operating their own mail server. You need to create an IP list for hosts that are allowed to use port 25 e.g.: ...
by soamz
Tue Jun 28, 2016 5:37 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Done that just now at my PPPoE router.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=!SMTP-addr action=drop comment="" disabled=no
/ip firewall address-list
add list=SMTP-addr address=1.1.1.1/32 comment="ISP SMTP" disabled=no
add list=SMTP-addr address=2.2.2.2/32...
by soamz
Tue Jun 28, 2016 5:24 am
Forum: General
Topic: SMTP port 25 blocking issues????
Replies: 2
Views: 1182

Re:

I use a simple rule, in this example my main (ISP) mail server is 1.1.1.1 and a customer has a mail server someone else hosts at 2.2.2.2/32 and another customer at 3.3.3.3/32. This rule blocks any destination TCP port 25 that is not destined for the IP addresses listed in the address list SMTP-addr....
by soamz
Tue Jun 28, 2016 4:05 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

See attached. 
by soamz
Tue Jun 28, 2016 4:03 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Okay, I did this in the CORE ROUTER only. Did not do it in the border routers or PPPoE routers. Only done at the core.
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connecti...
by soamz
Tue Jun 28, 2016 3:49 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

You are checking if port 25 at your site is open. Simply: some server in the Internet tries to open port 25 at your site.
You are not checking if you are transmitting to port 25 somewhere in the internet.
So block port 25 on the border, core or PPPoE router alone?
by soamz
Mon Jun 27, 2016 4:28 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Weird, I just checked on canyouseeme and it says port 25 is not open.
by soamz
Mon Jun 27, 2016 3:54 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Warn/inform users that you will block port 25 Block port 25 and track who is generating traffic to port 25. You can make rules for each customer: add action=drop chain=output dst-port=25 out-interface=ETH-WAN-ISP1 protocol=tcp src-address=IPofClient1 add action=drop chain=output dst-port=25 out-int...
by soamz
Mon Jun 27, 2016 3:03 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

As /22 subnet owner try to remove whole subnet from PBL. Check who is responsible for mail traffic. Warn/inform users from the top of the usage list about problems. Block 25 port ... leave 587 open You need to choose: difficulties for customers or blocked subnet ..... "To ban or not to ban ? That i...
by soamz
Mon Jun 27, 2016 2:42 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

If they experience problems with PBL (which is, imo, their problem) you can refer them to your relaying server. Not true in 100% ..... If PBL blocks whole subnet instead of particular addresses then it backfires on "good guys". They have no chance to remove themselves from PBL as subnet is owned by...
by soamz
Mon Jun 27, 2016 2:11 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records). Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most blac...
by soamz
Mon Jun 27, 2016 1:18 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

So, if I block port 25, will they stop working? No, they won't. A quick Google search shows that both GoDaddy and HostGator use 465/tcp for mail sending. I think I'd better block port 25 for them and then wait for emails from customers. Whoever says Outlook isn't working, simply ask him to use SSL w...
by soamz
Mon Jun 27, 2016 1:13 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Do not try to unblock entire customer subnets on PBL's. They exist for a reason. Customers can unblock themselves based on several conditions (e.g. fixed ip and mx/ptr records). Also, you could host a smtp relay for your customers with a strict enough eula enabling you to get exclusion on most blac...
by soamz
Mon Jun 27, 2016 12:28 pm
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

When I asked some experts at other forums, they say to block port 25 at your PPPoE router and core router. Is that a solution? But I guess every customer's Outlook will stop working. No, it won't. Or at least it should not. Nowadays, no ordinary customer should have legitimate reasons to make outg...
by soamz
Mon Jun 27, 2016 10:37 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

The first step should be monitoring which IP uses port 25 and make some statistics and then you can inform "suspected" users that they generate traffic on port 25 and ask them to check if all is configured properly. So go to the PPPoE router, go to CONNECTION TRACKING and see who is connected to po...
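Added example, not from any post in this thread: the monitor-first, then block, outbound-SMTP rule set that the posts in this thread circle around, combining the SMTP-addr exemption list, the spammer address list from the core-router config and the advice here to collect statistics before dropping anything. Addresses, list names, the 20-session threshold and the timeouts are assumptions to adjust. The rules sit in the forward chain of the PPPoE NAS because customer traffic transits the router and that is the one place where the source address is still the individual subscriber's. Connection tracking must be on: the connection-state and connection-limit matchers need it.

```routeros
# Added example, not from the thread. Addresses, list names, threshold and timeouts are assumptions.

/ip firewall address-list
# Hosts that may be reached on tcp/25: the ISP's own relay plus customers' mail servers.
add list=SMTP-addr address=203.0.113.25/32 comment="ISP SMTP relay (example address)"
add list=SMTP-addr address=198.51.100.10/32 comment="customer mail server (example address)"

/ip firewall filter
# Phase 1, observe only: every subscriber that opens a new tcp/25 session to a host not on
# the list is recorded for a day. Reading this dynamic list is easier than scrolling the
# connection table, and add-src-to-address-list does not stop rule processing.
add chain=forward in-interface=all-ppp protocol=tcp dst-port=25 connection-state=new \
    dst-address-list=!SMTP-addr action=add-src-to-address-list \
    address-list=smtp-seen address-list-timeout=1d comment="tcp/25 senders (observe)"

# Phase 2, repeat offenders: a source already seen that holds more than 20 concurrent
# tcp/25 sessions (a mail client never does; a spam bot does) is tagged for an hour and dropped.
add chain=forward in-interface=all-ppp protocol=tcp dst-port=25 connection-state=new \
    dst-address-list=!SMTP-addr src-address-list=smtp-seen connection-limit=20,32 \
    action=add-src-to-address-list address-list=smtp-abuser address-list-timeout=1h \
    comment="more than 20 concurrent tcp/25 sessions"
add chain=forward protocol=tcp dst-port=25 src-address-list=smtp-abuser action=drop \
    comment="BLOCK SPAMMERS OR INFECTED USERS"

# Phase 3, enable once the observe phase has been reviewed and customers informed:
# outbound tcp/25 only to the listed relays. tcp/587 and tcp/465 are not touched, so
# authenticated submission to the customer's own provider keeps working.
add chain=forward in-interface=all-ppp protocol=tcp dst-port=25 dst-address-list=!SMTP-addr \
    action=drop comment="outbound tcp/25 only to listed relays" disabled=yes
```

Run it with the final rule disabled for a few days; `/ip firewall address-list print where list=smtp-seen` is the statistics the reply above asks for, and `list=smtp-abuser` is the short list of subscribers to phone. Submission ports are deliberately left open because that is what the GoDaddy and HostGator clients discussed elsewhere in the thread use.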
by soamz
Mon Jun 27, 2016 10:18 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

Yes try that, however not to disturb service first monitor how the script behaves and if it yields results then implement it.
Don't just jump right in :)
Oops, I'm still afraid.
Let's wait for some more insights.
by soamz
Mon Jun 27, 2016 10:02 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Re: Block Port 25 or not ?

An option is writing a script that pulls IP's off a PBL and updates your block list, later you can inform the user that he might be infected with a virus and limit his service until he takes action, some ISP's do this, not the best option since PBL tend to put the whole subnet in rather than a spec...
by soamz
Mon Jun 27, 2016 9:32 am
Forum: General
Topic: Block Port 25 or not ?
Replies: 59
Views: 7984

Block Port 25 or not ?

We are an ISP with over 6000 IPv4 addresses and I see over 2000+ IPs are already on the PBL; almost 3 of the /22s are completely showing on the PBL list. How to avoid this happening or get the whole block whitelisted by the PBL? When I asked some experts at other forums, they say to block port 25 at your PPPOE...
by soamz
Wed Jun 22, 2016 9:54 pm
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Re: Correct way of protecting from SYN ?

Thanks.
I think I will first add it to the border routers, then the core, and then add it to the PPPoE routers after 2-3 days.
by soamz
Wed Jun 22, 2016 8:19 pm
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Re: Correct way of protecting from SYN ?

Okay, in all routers use the same code,
but in the PPPoE routers only, change to dst.
by soamz
Wed Jun 22, 2016 6:56 pm
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Re: Correct way of protecting from SYN ?

So the rule is correct?
Did you see it in full?

And it should be in all the MikroTik routers?
Yes, all of my routers always have public IPs.
by soamz
Tue Jun 21, 2016 3:28 am
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Re: Correct way of protecting from SYN ?

And should those rules be on the border, core or PPPoE router??
by soamz
Tue Jun 21, 2016 3:28 am
Forum: General
Topic: Correct way of protecting from SYN ?
Replies: 8
Views: 1269

Correct way of protecting from SYN ?

I can see my developer had done this to my core router. Screenshot_5.png But I found this in a forum thread:
add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=accept c...
by soamz
Tue Jun 21, 2016 3:24 am
Forum: General
Topic: Does the SYN protect chain really protect anything?
Replies: 5
Views: 1616

Re: Does the SYN protect chain really protect anything?

Can you suggest modifying the above rules for per-destination IP? Simply use 'dst-limit' instead of the 'limit' parameter
add action=jump chain=forward comment="SYN Flood protect" disabled=no \
    jump-target=SYN-Protect protocol=tcp tcp-flags=\
    syn,!fin,!rst,!psh,!ack,!urg,!ece,!cwr
add action=ac...
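Added example, not from either thread: the per-destination version of the SYN-Protect chain that the reply above points to, with two fixes a reviewer would ask for. The in-budget rule uses action=return rather than accept, because an accept inside the jump chain lets every SYN that is under the limit skip all later forward rules (including any port or SMTP drops); and dst-limit keyed on dst-address gives each attacked target its own bucket instead of one shared counter that collateral-drops everyone's new connections. The flag match is shortened to syn,!ack: the long list in the quoted rule excludes SYNs with ece and cwr set, which ECN-capable hosts send on a normal handshake, so those bypassed the protection entirely. Rate, burst and timeouts are assumptions to size against the NAS's normal new-connection rate.

```routeros
# Added example, not from either thread. Rate, burst and timeouts are assumptions.

/ip firewall filter
# Only a SYN without ACK starts a handshake. connection-state=new keeps retransmitted SYNs of
# already tracked sessions out of the budget (needs connection tracking enabled).
add chain=forward protocol=tcp tcp-flags=syn,!ack connection-state=new \
    action=jump jump-target=SYN-Protect comment="SYN Flood protect"

# Each destination address gets its own bucket: 200 SYN/s sustained, 500 burst, forgotten
# after 10 s of silence. With plain limit= one flooded customer exhausts the single shared
# budget and every other customer's new connections are dropped as collateral.
# action=return (not accept) hands the packet back to the forward chain so later rules
# still apply to it.
add chain=SYN-Protect protocol=tcp tcp-flags=syn,!ack connection-state=new \
    dst-limit=200/1s,500,dst-address/10s action=return comment="within per-target budget"

# Over budget: note the target for an hour so the NOC has a list, then drop.
add chain=SYN-Protect action=add-dst-to-address-list address-list=syn-flooded \
    address-list-timeout=1h comment="record flooded destinations"
add chain=SYN-Protect action=drop comment="excess SYNs"

# The router's own listeners (BGP, SSH, Winbox) get kernel SYN cookies instead of a rate cap;
# they cost nothing until the listen backlog actually fills.
/ip settings set tcp-syncookies=yes
```

On a PPPoE NAS the interesting key is dst-address, since the attacked party is a subscriber; on a border router in front of your own servers, src-address is the other useful mode, because there the question is which remote source is hammering you. Watch `/ip firewall address-list print where list=syn-flooded` for a day before lowering the rate, since a popular game or CDN host behind one subscriber can legitimately see bursts.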
by soamz
Sat Jun 18, 2016 8:47 am
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

Same problem, so sad :(
What's your story?
Explain.
by soamz
Fri Jun 17, 2016 1:01 pm
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

How many rules are in your firewall filter/mangle/nat? Queues? I remember an issue I had some time ago: on a 1036 acting just as FW and OSPF gateway, I created a fw rule to check for L7 content. I just restricted by dst-port 80 and enabled it. CPU load was around 25-30% (normal usage is around 7%) ...
by soamz
Fri Jun 17, 2016 12:17 pm
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

Okay, but it's hardly 1.5Gbps of traffic flowing for 2500 PPPoE sessions.
Can't believe why a 1036 would give up.
by soamz
Fri Jun 17, 2016 12:00 pm
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

In that case I suggest you reenable ConnTrack, generated some supout.rif files when the problem is happening and contact support@mikrotik.com with as much information as possible. How many PPS and how much bandwidth are we talking about? How many rules do you have in you firewall filter/nat/mangle?...
by soamz
Fri Jun 17, 2016 11:59 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

But, is it overloaded? Which is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time consuming ones? Why did you think about disabling ConnTrack? Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone wi...
by soamz
Fri Jun 17, 2016 11:16 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

But, is it overloaded? Which is the CPU usage? Have you used "Tools, Profiler" to find out which processes are the most time consuming ones? Why did you think about disabling ConnTrack? Don't remove the seats of your car supposing it will run any faster! (and you will not be able to bring anyone wi...
by soamz
Fri Jun 17, 2016 10:32 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

Ouch.
But everything is working fine.
So, do you mean connection tracking should be on for the PPPoE router?
Yes, it should. Set it as "auto" and get bigger hardware if load is an issue.
The hardware is a 1036 with 16GB RAM and hardly 2600 PPPoE sessions.
by soamz
Fri Jun 17, 2016 10:14 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Re: Connection Tracking, off or on ?

Leave it as "auto" and Mikrotik will wisely choose to enable it or not. If hardware resources are an issue, set it as "auto" and if RouterOS enables it, try to find out why and then if you can move/disable the service which switches tracking on. Many features require ConnTrack to work (nat, firewal...
by soamz
Fri Jun 17, 2016 8:17 am
Forum: General
Topic: Connection Tracking, off or on ?
Replies: 15
Views: 6152

Connection Tracking, off or on ?

I have recently disabled connection tracking in all of my MikroTiks: border routers, peering routers, core routers, NAS routers, POP routers, everything.
Is it advisable to keep it on or off?

It seems to be hanging the MikroTik a lot, so I completely switched them off.
by soamz
Fri Jun 17, 2016 8:13 am
Forum: RouterBOARD hardware
Topic: Does CCR1009-8G-1S-1S+PC go up to 1000Mbps (WAN)?
Replies: 8
Views: 2600

Re: Does CCR1009-8G-1S-1S+PC go up to 1000Mbps (WAN)?

Can the CCR1009-8G-1S-PC handle being a POP router, which would be used for PPPoE + MPLS + OSPF?

Maybe at least handle 500Mbps of PPPoE traffic with simple queues, 2 queues per user?
by soamz
Thu Jun 16, 2016 9:36 am
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

I would say that this whole issue shows that it's probably time to start re-thinking your network design. Large broadcast domains suffer from this kind of problem - one thing can plug into your network anywhere and bring the whole thing to its knees much more easily in a flat network. At the very l...
by soamz
Wed Jun 15, 2016 7:39 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

The G point actually seems to be the problem. My team said today they visited 3 clients and all 3 clients' router cable was in LAN instead of WAN. Now I'm afraid there might be many out of the 1800 clients who might have done the same. How would I find out? Well, You can be (almost) sure they wi...
by soamz
Wed Jun 15, 2016 1:27 pm
Forum: RouterBOARD hardware
Topic: CCR-1072 PPPoE Performance Test
Replies: 3
Views: 1931

Re: CCR-1072 PPPoE Performance Test

Can a 1072 handle like 10000 concurrent PPPoE sessions with 2 queues per user?

And plans up to 10Mbps.
by soamz
Wed Jun 15, 2016 12:29 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

The G point actually seems to be the problem. My team said today they visited 3 clients and all 3 clients' router cable was in LAN instead of WAN.
Now I'm afraid there might be many out of the 1800 clients who might have done the same. How would I find out?
by soamz
Sun Jun 12, 2016 4:52 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

Is the switch managed switch or unmanaged. If it is managed log in and check the interfaces try locate which customer is causing the issue. Also if it is managed you may be able to use spanning tree or advanced detection to prevent loop backs and port errors from bring down your network Already ena...
by soamz
Sun Jun 12, 2016 2:52 pm
Forum: General
Topic: PPPoE Encryption
Replies: 4
Views: 4502

Re: PPPoE Encryption

What does the encryption thing do? I have PAP only and I just disabled the encryption thing. Earlier it was set to default. PAP or CHAP control the handshake of the username and password. PAP is plain text, the others are hashed. Encryption actually affects the PPPoE tunnel, encrypting the link af...
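Added example, not from the thread: the weak setting beside the corrected one, for the point made in the reply above. PAP carries the password in the clear on the access segment; CHAP and MS-CHAP answer a challenge instead; and use-encryption decides whether MPPE protects the session after authentication. Interface, profile, service and secret names and the example MAC are assumptions. Two caveats a practitioner wants up front: MPPE can only be negotiated with MS-CHAP (v1 or v2), not with PAP or CHAP, so use-encryption=required on a PAP-only server means nobody can connect; and if the secrets come from RADIUS (as in the RADIUS threads further down), the RADIUS server must be able to answer MS-CHAPv2, which needs the NT hash of the password rather than a salted one-way hash.

```routeros
# Added example, not from the thread. Interface, profile, service and secret names are assumptions.

/ppp profile
# Weak: no link encryption; with PAP on the server below, the password crosses the access
# segment in clear text.
add name=profile-weak use-encryption=no
# Hardened: MPPE mandatory, MSS clamped for the PPPoE MTU, one live session per secret.
add name=profile-secure use-encryption=required change-tcp-mss=yes only-one=yes

/interface pppoe-server server
# Weak, kept disabled for comparison (on a separate port so it cannot clash with the live
# server): PAP exposes the credential to anyone on the same switch or wireless segment, and
# one-session-per-host=no lets one MAC open several sessions.
add service-name=isp-old interface=ether3 default-profile=profile-weak \
    authentication=pap one-session-per-host=no disabled=yes
# Hardened: MS-CHAPv2 only. The client proves the password by answering a challenge, the
# password itself never goes on the wire, and the exchange yields the MPPE keys that
# use-encryption=required demands.
add service-name=isp interface=ether2 default-profile=profile-secure \
    authentication=mschap2 one-session-per-host=yes max-mtu=1480 max-mru=1480 \
    keepalive-timeout=10

/ppp secret
# Example subscriber (password is a placeholder). For PPPoE the caller-id is the client MAC,
# so pinning it rejects the same login dialled from any other station.
add name=customer1 password=ChangeMe-example service=pppoe profile=profile-secure \
    caller-id=00:11:22:33:44:55
```

MPPE is done in software on the NAS, so on a box carrying a thousand sessions watch the CPU in Tools, Profiler after enabling it; if it is not affordable, MS-CHAPv2 alone still keeps the password off the wire, and only the session payload stays readable to someone on the access segment.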
by soamz
Sun Jun 12, 2016 2:52 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

How are you distributing to your customers? Do you have one central router, then a managed switch or wireless APs? If you have a managed switch look for a port with errors.
Yes, one NAS router and then switch and then customers.
by soamz
Sun Jun 12, 2016 2:51 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

I can try to help You. As I said, my knowledge of Mikrotik and Routerboard is zero. There's the network part.

Did You find the problematic router/AP?
Please message me your email or Skype or WhatsApp ID.
by soamz
Sat Jun 11, 2016 5:44 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

Wireshark would allow You to see the traffic. The hard part is to know what to look for. I have zero experience with Mikrotik/Routerboard - just bought one, and still waiting to get it. But I have experience with network. I would try something like this: 1) Try to isolate the router/AP hit by the p...
by soamz
Sat Jun 11, 2016 10:17 am
Forum: General
Topic: MAC address filtering
Replies: 15
Views: 26773

Re: MAC address filtering

Is MAC filtering only possible in a bridge?

What about those who don't use a bridge, as a bridge has its own set of problems?
by soamz
Sat Jun 11, 2016 10:13 am
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

Is there a way to block a specific MAC address from reaching the MikroTik?

I suspect 2-3 MAC addresses, which I think are trying to create the loop or broadcast.
I need to block them.
How shall I do that?
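Added example, not from the thread: blocking a station by MAC on both a routed port and a bridged port, which also answers the question in the MAC-filtering thread just above. The MAC address and interface names are assumptions. The check a practitioner wants first: src-mac-address is the address of the last hop only, so these rules work for stations on a directly attached segment (the NAS switch here) and not for a host behind a customer's own router; and on a bridged port the IP firewall never sees L2-only frames such as an ARP storm, which is what the bridge filter is for.

```routeros
# Added example, not from the thread. MAC address and interface names are assumptions.

# Find the station first: both tables give MAC-to-port and MAC-to-IP without a capture.
/ip arp print where mac-address=00:11:22:33:44:55
/interface bridge host print where mac-address=00:11:22:33:44:55

# Routed port (ether2 is not a bridge member): the IP firewall can match the source MAC of
# the frame that carried the packet, which is the last-hop MAC only. Good for stations on the
# directly attached segment, useless for a host behind a customer's own router.
/ip firewall filter
add chain=input in-interface=ether2 src-mac-address=00:11:22:33:44:55 action=drop \
    comment="suspect station: nothing to the router itself"
add chain=forward in-interface=ether2 src-mac-address=00:11:22:33:44:55 action=drop \
    comment="suspect station: nothing through the router"

# Bridged port (ether3 is a member of bridge1): the IP firewall never sees frames that are
# switched inside the bridge, and it sees no non-IP frames at all, so an ARP or loop storm
# from this MAC is only stopped by the bridge filter.
/interface bridge filter
add chain=forward in-interface=ether3 src-mac-address=00:11:22:33:44:55 action=drop \
    comment="suspect station: not forwarded on bridge1"
add chain=input in-interface=ether3 src-mac-address=00:11:22:33:44:55 action=drop \
    comment="suspect station: not to bridge1's own address either"
```

For PPPoE subscribers there is a cleaner lever at login time: `/ppp secret set [find name=customer1] caller-id=00:11:22:33:44:55` pins that secret to one client MAC, so a session from any other station is rejected at authentication. That stops logins, not frames; a looping or flooding station is still on the wire until the filters above, or the switch port, shut it out.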
by soamz
Sat Jun 11, 2016 5:56 am
Forum: RouterBOARD hardware
Topic: Expected life of a RB1100AHx2?
Replies: 4
Views: 942

Re: Expected life of a RB1100AHx2?

I just bought my first Mikrotik router (a RB1100AHx2), to use as a router on my work. We have a policy of planned substitution of hardware, in order to avoid problems. But I have no experience with routerboard. What kind of useful service life should I expect from this hardware? 3 years? 5 years? I...
by soamz
Sat Jun 11, 2016 5:55 am
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

It could be a client with a problematic ethernet. I have seen one defective ethernet flood a network until the switch locked. You said this affects a restricted group of clients. They should be the ones served by the same tower. Could You look at the router on this particular tower? There You should...
by soamz
Sat Jun 11, 2016 5:53 am
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

Re: What can it be, ghost issue ?

What is 192.168.0.100? Problem is between that and next router. It was specially designed that way, so you can start finding problems. Also use traceroute.
Mac, that is his own wireless router's IP, I guess.
As normally the home routers have those 192.168.0.xx IPs.
by soamz
Sat Jun 11, 2016 5:46 am
Forum: General
Topic: PPPoE Encryption
Replies: 4
Views: 4502

Re: PPPoE Encryption

What does the encryption thing do?

I have PAP only and I just disabled the encryption thing.
Earlier it was set to default.
by soamz
Fri Jun 10, 2016 5:25 pm
Forum: General
Topic: What can it be, ghost issue ?
Replies: 33
Views: 2952

What can it be, ghost issue ?

Since the last 12 days, there have been weird things happening in the network. From morning 10am-8pm, random 100-200 customers keep on disconnecting and connecting. But the same customers immediately get stable after 7-8pm normally. Here is the screenshot of a customer whom I randomly picked. He got...
by soamz
Fri Jun 10, 2016 1:51 pm
Forum: General
Topic: Packet Loss when users taking full bandwidth
Replies: 16
Views: 4297

Re: Packet Loss when users taking full bandwidth

I have the same issue. Customers' PPPoE disconnects when full bandwidth is being used, or they are experiencing ping cuts, meaning ICMP drops. So, simply add those 3 rules in the terminal???
add chain=forward packet-size=0-128 \
    action=mark-connection new-connection-mark=small-packets passthrough=yes \
    comm...
by soamz
Fri Jun 10, 2016 11:29 am
Forum: General
Topic: PPPoE Random Disconnection Bug!!
Replies: 0
Views: 498

PPPoE Random Disconnection Bug!!

I'm on MikroTik 6.32.4 and 6.35.2 on 2 of my NAS, which get a lot of traffic and over 1200-1300 concurrent PPPoE users. Since the last 10-12 days, I see all the customers keep on disconnecting randomly. And when we check their device syslog, we see this, May 26 14:14:34 pppd[888]: Timeout waiting for ...
by soamz
Tue Jun 07, 2016 12:43 pm
Forum: Beginner Basics
Topic: HELP !!!!! How to protect Router automatic Mac generate
Replies: 42
Views: 18267

Re: HELP !!!!! How to protect Router automatic Mac generate

same issue here.
ARP shows many 000000000 entries.

How to fix ?
by soamz
Tue Jun 07, 2016 5:51 am
Forum: General
Topic: pppoe dropping - reconnection problem
Replies: 7
Views: 4723

Re: pppoe dropping - reconnection problem

In forums, everyone asks to keep MTU as 1480 and MRU as 1600 and keep one session per host unchecked.

But in my case, it's MTU 1492 and MRU is 1492 and MRU blank and keep one session checked too.

Does that affect it?
by soamz
Sun Jun 05, 2016 10:48 am
Forum: General
Topic: Problem with Mikrotik + RADIUS + PPPoE
Replies: 10
Views: 2568

Re: Problem with Mikrotik + RADIUS + PPPoE

I am getting a similar issues with pptp remote laptop (authenticated to Windows Server 2008) but no problem with a MT router. echo: pptp,ppp,debug <cl.ie.ent.ip>: LCP missed echo reply echo: pptp,ppp,debug,packet <cl.ie.ent.ip>: sent LCP EchoReq id=0x4 echo: pptp,ppp,debug,packet <magic 0x17f25004>...
by soamz
Sun Jun 05, 2016 10:46 am
Forum: General
Topic: Problem with Mikrotik + RADIUS + PPPoE
Replies: 10
Views: 2568

Re: Problem with Mikrotik + RADIUS + PPPoE

This was a problem with Active directory settings. (of which I know nothing, our windows nerd fixed it)
Did you solve this ?

How ?
by soamz
Sun Jun 05, 2016 10:46 am
Forum: General
Topic: PPTP Disconnects and Reconnects continuously
Replies: 3
Views: 1663

Re: PPTP Disconnects and Reconnects continuously

Did you solve this ?

How ?
by soamz
Sun Jun 05, 2016 10:45 am
Forum: General
Topic: [SOLVED] New PPTP VPN connection not working
Replies: 3
Views: 2638

Re: [SOLVED] New PPTP VPN connection not working

Did you solve this ?

How ?
by soamz
Sun Jun 05, 2016 10:40 am
Forum: Beginner Basics
Topic: PPPOE problems
Replies: 13
Views: 17158

Re: PPPOE problems


Remove the DHCP Client from ether1- my PPPoE Interface. Then BOOM in the room.

Remove DHCP client from PPPoE interface?

Means, where?
by soamz
Sun Jun 05, 2016 9:22 am
Forum: General
Topic: PPPoE Getting Disconnected every now and then, HELP!!
Replies: 2
Views: 296

Re: PPPoE Getting Disconnected every now and then, HELP!!

I'm at home and I ran a ping to 3 things:
My router at home
MikroTik NAS IP in DC
Google DNS
When this disconnection happens, the Google IP stops pinging. But the NAS IP and router IP are on. That means the issue is not with connectivity, as the NAS IP is pinging fine. But 8.8.8.8 stops pinging. It's sur...
by soamz
Sun Jun 05, 2016 8:54 am
Forum: General
Topic: PPPoE Getting Disconnected every now and then, HELP!!
Replies: 2
Views: 296

PPPoE Getting Disconnected every now and then, HELP!!

Our NAS is a 1036 GB model with around 1200 concurrent PPPoE sessions. Since the last 2 weeks, users have been complaining that it gets disconnected randomly and gets connected randomly. I enabled the deep logging for PPPoE as instructed by MikroTik Support and I get this. How do we debug this? Who is at ...
by soamz
Sat Jun 04, 2016 6:40 pm
Forum: General
Topic: Can this is be achieved using CRS Switch or any 2011 or 3011 ?
Replies: 4
Views: 470

Re:

Exactly.
Just to think about it.
Okay thanks, will surely plan for it.
by soamz
Tue May 31, 2016 4:03 pm
Forum: General
Topic: Can this is be achieved using CRS Switch or any 2011 or 3011 ?
Replies: 4
Views: 470

Re:

Sounds like yes. But have you considered the advantages of routed network over the bridged? Remember that RSTP is not implemented in the switch but in the software only so you have to use bridges. That takes your performance effectively down. May easily happen that 2011 will not be able to handle t...
by soamz
Tue May 31, 2016 3:16 pm
Forum: General
Topic: Can this is be achieved using CRS Switch or any 2011 or 3011 ?
Replies: 4
Views: 470

Can this is be achieved using CRS Switch or any 2011 or 3011 ?

Hi, I'm going to cover a new town whose radius is 11km circular fiber laying calculated distance. And in every 3 km, we have a POP with switch and power. So, it's like 4 POPs for the whole 11km radius. Now, in each POP we have a wireless tower and customers connected from those towers. All 4 towers are ...
by soamz
Mon May 30, 2016 3:16 pm
Forum: General
Topic: Can a Microtik CCR handle like 4000 concurrent PPPoE sessions ?
Replies: 3
Views: 600

Re: Can a Microtik CCR handle like 4000 concurrent PPPoE sessions ?


I guess that's acting as a BGP router and not a PPPoE session router?
by soamz
Sun May 29, 2016 5:12 pm
Forum: General
Topic: How to deliver 2 types of customers (2 NAS) through one switch ?
Replies: 0
Views: 230

How to deliver 2 types of customers (2 NAS) through one switch ?

For example, we have 2 NAS = Fiber NAS, Wireless NAS. Both are MikroTik 1072. Now, I have 21 POPs in a radius of 100km. Each POP is connected in a ring fiber network of single core. Only one single core which is connected to the DC managed switch. Each POP has one managed and unmanaged switch for acc...
by soamz
Sun May 29, 2016 4:48 pm
Forum: General
Topic: Can a Microtik CCR handle like 4000 concurrent PPPoE sessions ?
Replies: 3
Views: 600

Can a Microtik CCR handle like 4000 concurrent PPPoE sessions ?

Can a MikroTik CCR handle like 4000 concurrent PPPoE sessions? Can the 1072 10G model? Let's say we have users with plans up to 100Mbps, and like 5000 customers, so let's say 4000 concurrent users. Can the MikroTik 1072 handle it? Has anyone tested it? Any live review thread of any ISP who is having such ...
by soamz
Mon Apr 25, 2016 8:34 am
Forum: General
Topic: Monitor connection uptime
Replies: 2
Views: 735

Re: Monitor connection uptime

With the Nagios network monitor.

Uptime shows timed out.
I guess the MikroTik uptime sensor is not supported well in Nagios.
Everything else works great.
by soamz
Wed Mar 16, 2016 8:30 am
Forum: General
Topic: Monitor a queue based on SNMP ?
Replies: 0
Views: 384

Monitor a queue based on SNMP ?

Hi, we use LibreNMS and we monitor all of our MikroTik routers and switches in the DC.
It only monitors the ports.

Is there a way we can also monitor a MikroTik simple queue through SNMP?

Let me know.
by soamz
Thu Mar 03, 2016 9:19 am
Forum: General
Topic: CRS125 option for broadcast storm ?
Replies: 8
Views: 968

Re: CRS125 option for broadcast storm ?

I suggest you to test this configuration in a LAB (not production network) because sometimes it can be tricky to troubleshoot. That's fine, I can try with a lab router, but how would I try generating broadcast myself? In my case I have tested doing a loop on the switch, that is a patch-cord connecting f...
by soamz
Thu Mar 03, 2016 9:07 am
Forum: General
Topic: CRS125 option for broadcast storm?
Replies: 8
Views: 968

Re: CRS125 option for broadcast storm?

http://wiki.mikrotik.com/wiki/Manual:CRS_examples#Traffic_Storm_Control Thanks! Let's say I have 2 ports being used in CRS, one for PPPoE and one for DHCP, and then it goes to access layer switches. So only place those 2 codes for both of those ether? I suggest you test in LAB (not production ne...
by soamz
Thu Mar 03, 2016 8:52 am
Forum: General
Topic: CRS125 option for broadcast storm?
Replies: 8
Views: 968

Re: CRS125 option for broadcast storm?

Thanks!
Let's say I have 2 ports being used in CRS, one for PPPoE and one for DHCP, and then it goes to access layer switches.

So only place those 2 codes for both of those ether?
by soamz
Thu Mar 03, 2016 8:41 am
Forum: General
Topic: CRS125 option for broadcast storm?
Replies: 8
Views: 968

Re:

You can start thinking about moving from bridged to routed network architecture.
You mean, have each POP site with a router?

But we don't have enough IPs to dedicate specific IP blocks to each POP.

Can we do without assigning dedicated IP blocks?
by soamz
Thu Mar 03, 2016 7:09 am
Forum: General
Topic: CRS125 option for broadcast storm?
Replies: 8
Views: 968

CRS125 option for broadcast storm?

Hi, our network is like a complex core network with multiple routers working with all the protocols, and then directly the access layer with CRS125, and then customers switch by switch on wireless. To avoid any kind of broadcast storm, is there an option in CRS125 which I should keep on, so whenever it ...
by soamz
Sun Feb 14, 2016 7:38 pm
Forum: Forwarding Protocols
Topic: Weird issue after BGP
Replies: 1
Views: 748

Weird issue after BGP

I just got a new ISP feed and tested it with a Singapore IP, which is the most used in our network. It gives 72ms to that Singapore IP when I'm connected to a direct PC with their ISP WAN IP. Now, my IP blocks were advertised by the ISP and they said it's done and over. So, I have configured my micr...
by soamz
Sat Feb 06, 2016 5:23 pm
Forum: Forwarding Protocols
Topic: Specific IP Load Balancing and fail over automatic??
Replies: 1
Views: 708

Specific IP Load Balancing and fail over automatic??

Hi, we have 2 WANs, 800Mbps each. One is very unstable and goes down every week. But the 2nd one is rock solid and gives very good latency to USA and Singapore and everything. We use one for all the residential customers' torrent downloads and everything. I just got a MikroTik 1036 16GB model. Now I wa...
by soamz
Sat Jan 30, 2016 6:35 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re: Use multiple WANs for both upload and download?

Then try the other method using PCC:

http://mum.mikrotik.com/presentations/US12/steve.pdf

Let me go through it. Hope it works, as we cannot afford Cisco.
We have to use MikroTik only.
by soamz
Sat Jan 30, 2016 6:30 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re: Use multiple WANs for both upload and download?

There were two talks about load balancing at MUM USA 2012. The one that allowed proportional load sharing based on actual throughput is this one: http://mum.mikrotik.com/presentations/US12/tomas.pdf Its behavior was more like: fill up link 1, then use link 2 if link 1 is full, then use link 3 if lin...
by soamz
Sat Jan 30, 2016 7:55 am
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re: Use multiple WANs for both upload and download?

Can some moderator or core developer throw some light on how to do this?
Or shall we consider this a limitation of MikroTik?
by soamz
Fri Jan 29, 2016 8:42 pm
Forum: General
Topic: RSTP between a fiber link and a wireless link? Possible in MikroTik?
Replies: 10
Views: 923

Re: RSTP between a fiber link and a wireless link? Possible in MikroTik?

I agree with scampbell - you should use routing and not bridging for your backhaul.

A large broadcast domain can lead to all kinds of problems.

I'm confused how to do it :(
by soamz
Fri Jan 29, 2016 5:24 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re: Use multiple WANs for both upload and download?

We already tried PCC, but it doesn't choose the best path, so we have to force a particular WAN for upload. Is there a way we can make the settings so that MikroTik takes the best path for upload??
by soamz
Fri Jan 29, 2016 4:05 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re:

Search for PCC load balancing. Start here. http://wiki.mikrotik.com/wiki/Load_Balancing
He said ECMP doesn't happen in CCR1009, which he is using now.

Means he is not able to select 2 WANs for upload.
by soamz
Fri Jan 29, 2016 3:55 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Re:

It will easily fulfil your needs as described.
Okay!
But how do I configure it?
Which is the option?

I asked a friend and he said MikroTik has a limitation to use only 1 WAN for upload.
It cannot use more than 1 WAN for upload.

Is that true?
If false, how do I fix his situation?
by soamz
Fri Jan 29, 2016 2:10 pm
Forum: Forwarding Protocols
Topic: Use multiple WANs for both upload and download?
Replies: 11
Views: 1768

Use multiple WANs for both upload and download?

Hi, we have 3 ISP feeds, 200Mbps each. And our average peak hours usage will be like 500-550Mbps download and 500Mbps upload, as we sell our upload to some mini data center clients. We need all 3 ISP feeds to be used simultaneously, and the packet request should automatically choose which WAN has the b...
by soamz
Fri Jan 29, 2016 11:09 am
Forum: General
Topic: Is there a way to block a specific URL in MikroTik CCR?
Replies: 10
Views: 794

Re: Is there a way to block a specific URL in MikroTik CCR?

No, it is not possible! Note the "https", which means "secure" communication. The communication is encrypted and the router never sees the URL. Even when you set up a proxy server, the router sees only the hostname, not the part after it. So then you can block entire Facebook but not one specific page....
by soamz
Fri Jan 29, 2016 9:20 am
Forum: General
Topic: RSTP between a fiber link and a wireless link? Possible in MikroTik?
Replies: 10
Views: 923

Re: RSTP between a fiber link and a wireless link? Possible in MikroTik?

If you are doing that much traffic then the CCR1016-12S might be a better investment. The CRS switch chips are good, but I'm pretty sure they don't support features like RSTP or LACP yet without using the CPU, which architecturally is limited to 1Gbps to/from the CPU. The CCR would allow you to run OSPF an...
by soamz
Fri Jan 29, 2016 9:19 am
Forum: General
Topic: Is there a way to block a specific URL in MikroTik CCR?
Replies: 10
Views: 794

Re: Is there a way to block a specific URL in MikroTik CCR?

I would try using an L7 firewall rule, but these have a high CPU cost. Lucky you have a CCR :-)
So possible to do with CCR?
How?
by soamz
Wed Jan 27, 2016 7:10 pm
Forum: General
Topic: RSTP between a fiber link and a wireless link? Possible in MikroTik?
Replies: 10
Views: 923

Re: RSTP between a fiber link and a wireless link? Possible in MikroTik?

CRS - make very very very sure that you're ONLY using the hardware switch features, i.e. no bridge interfaces, no bonding interfaces, etc. The CRS CPU absolutely cannot handle high traffic. The CRS switch chip can do well, but make sure your traffic is hardware-switched. Confused. Seems CRS cannot handl...
by soamz
Wed Jan 27, 2016 5:02 pm
Forum: General
Topic: RSTP between a fiber link and a wireless link? Possible in MikroTik?
Replies: 10
Views: 923

Re: RSTP between a fiber link and a wireless link? Possible in MikroTik?

RSTP will work, but if you have any wireless bridges that support spanning tree, they're going to need to participate in the spanning tree as well. Every bridge must participate or else you get weird behavior. Okay, I don't want to make this complex. I just need to set up the RSTP thing among those 3 ...
by soamz
Wed Jan 27, 2016 4:14 pm
Forum: General
Topic: RSTP between a fiber link and a wireless link? Possible in MikroTik?
Replies: 10
Views: 923

RSTP between a fiber link and a wireless link? Possible in MikroTik?

We have like 12 POP locations and each POP will run around 2Gbps traffic at peak hours. We have a fiber ring link to each POP and we also have wireless. We are looking to make it an auto fail over switch system. Right now, if the fiber gets cut, we have to drive and connect the wireless cable manually. I...
by soamz
Mon Jan 25, 2016 9:41 am
Forum: General
Topic: Is there a way to block a specific URL in MikroTik CCR?
Replies: 10
Views: 794

Is there a way to block a specific URL in MikroTik CCR?

Hi, we need to block https://www.facebook.com/abs/ssd
from our MikroTik CCR1009.

How do we do that?
by soamz
Sat Jan 23, 2016 11:52 am
Forum: General
Topic: Is there a DNS Issue in MikroTik?
Replies: 6
Views: 525

Re: Is there a DNS Issue in MikroTik?

Sure, DHCP can serve many DNS addresses, but the question is: how many will your clients pick up from that? Try connecting a computer like your typical client uses, and look in the network information to see what it has done. Sure, it would be an idea to try to reduce the list in DHCP to 2 servers, o...
by soamz
Sat Jan 23, 2016 11:41 am
Forum: General
Topic: Is there a DNS Issue in MikroTik?
Replies: 6
Views: 525

Re: Is there a DNS Issue in MikroTik?

There may be a limit on the number of DNS servers your clients are taking from the DHCP reply. Some OS may have a limit of 2 DNS servers. So when you list 4 DNS servers, the clients may take only the first two, and when they are both down they never see your other two (Google) servers. PPP profile ...
by soamz
Sat Jan 23, 2016 8:22 am
Forum: General
Topic: Is there a DNS Issue in MikroTik?
Replies: 6
Views: 525

Is there a DNS Issue in MikroTik?

I use a MikroTik CCR1009 in my access layer for PPPoE authentication and hotspot, both in the same router. I have my own DNS server. So, I have defined the DNS entries in 3 areas: IP > DNS Server, PPP > Profile > DNS Server, DHCP Server > Networks > DNS Server. I have defined this: My DNS IP A, My DNS I...
by soamz
Tue Jan 12, 2016 7:52 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

Re: 3 Telco Links BGP in 1 core Router?

I have one ISP link in my CCR1009 and if a fiber cut happens or anything, my BGP takes like 5 minutes to get back to action. I hope, when I advertise the other 2 ISP links in the same router, it's not going to take forever :( And BTW, my core router is only used for BGP and ISP feed. All the queue, logi...
by soamz
Tue Jan 12, 2016 7:29 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

Re: 3 Telco Links BGP in 1 core Router?

I have one ISP link in my CCR1009 and if a fiber cut happens or anything, my BGP takes like 5 minutes to get back to action. I hope, when I advertise the other 2 ISP links in the same router, it's not going to take forever :( And BTW, my core router is only used for BGP and ISP feed. All the queue, login...
by soamz
Tue Jan 12, 2016 7:20 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

Re: 3 Telco Links BGP in 1 core Router?

Do you have a need to take full BGP tables from your ISPs? If all you are looking to do is advertise your networks for upstream reliability, then you could take all three into one CCR1009 without injected routes (only default) from them. Or you could write some inbound filters to split the tables...
by soamz
Tue Jan 12, 2016 6:26 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

Re: 3 Telco Links BGP in 1 core Router?

As long as BGP table scans are still performed on only one CPU core (RouterOS 7 anyone?), I would advise against using more than one BGP full feed on any Tilera-based piece of hardware. A CCR1016 barely finishes the BGP table scan of two BGP full feeds before having to start the next one, so person...
by soamz
Tue Jan 12, 2016 4:59 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

Re: 3 Telco Links BGP in 1 core Router?

We have used the CCR1009 for a public feed with some clients and it really doesn't work well beyond one full IPv4 BGP table. Once we added the second peering, it started to struggle with CPU. You probably need to look at a CCR1016 or 1036 to add two more feeds. Contacted MikroTik Support and they s...
by soamz
Tue Jan 12, 2016 2:01 pm
Forum: Forwarding Protocols
Topic: 3 Telco Links BGP in 1 core Router?
Replies: 11
Views: 1912

3 Telco Links BGP in 1 core Router?

I use MikroTik CCR1009 as my core router now.
I currently have 1 ISP upstream link, so the BGP is done inside this core router.

I'm getting 2 more ISP upstreams at this month's end.
Just wanted to know if the same core router can handle 3 ISP BGP inside it and run smooth or not?
by soamz
Wed Dec 16, 2015 4:30 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

http://prntscr.com/9eo0wp I have 9 POPs, so 12 cores will be done, 9 cores will start from CO and drop its own dedicated core at each POP and the others will go ahead, and in the end, all 9 will reach back to the same switch at the office. Perfect. RSTP is good for this topology, too, so you don't need to go to an...
by soamz
Wed Dec 16, 2015 3:39 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re:

Because the attacker doesn't know that you have made such rules. Once he sees you stopped responding he will stop trying to abuse you. No new ones will be repeating it because they will just make a test on you and then they will search for some other open DNS server. All right, so the above code is correc...
by soamz
Wed Dec 16, 2015 1:38 pm
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

I added these two: /ip firewall filter add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop /ip firewall filter add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop add chain=forward ...
by soamz
Wed Dec 16, 2015 1:38 pm
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re: CPU usage by DNS??

I added these two: /ip firewall filter add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop /ip firewall filter add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop add chain=forward ...
by soamz
Wed Dec 16, 2015 1:37 pm
Forum: General
Topic: How to block a DNS request from the outside world?
Replies: 32
Views: 56270

Re: How to block a DNS request from the outside world?

I added these two: /ip firewall filter add chain=input in-interface=ether8 protocol=udp dst-port=53 action=drop add chain=input in-interface=ether8 protocol=tcp dst-port=53 action=drop /ip firewall filter add chain=forward protocol=udp dst-port=53 out-interface=!ether8 action=drop add chain=forward ...
by soamz
Wed Dec 16, 2015 1:08 pm
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

Looks like spam to me. I would ignore such emails, especially if they are not true. Looks like I have confused the rules completely. Can you paste the exact code so I can paste it into the terminal? I don't think the above code is working, because when I torch the WAN port, I see a lot of active connections for p...
by soamz
Wed Dec 16, 2015 1:01 pm
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re: CPU usage by DNS??

Rule 21 was off.
I have switched it on.

Still, when I torch the WAN port for port 53, it shows a lot of active connections.

What to do?
by soamz
Wed Dec 16, 2015 11:20 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

Looks like spam to me. I would ignore such emails, especially if they are not true. Don't think so! As it had completely stopped and started all again, and it's for the IP which is the gateway IP of the block. So, the gateway IP is used nowhere in the network at all. You can see the emails are authentic,...
by soamz
Wed Dec 16, 2015 11:15 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

Something is weird.

I got this email for the start IP address of all of my IP blocks,
which is not used anywhere.

How is it possible?
by soamz
Wed Dec 16, 2015 9:17 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re: CPU usage by DNS??

Will this do? /ip firewall filter add chain=input action=accept protocol=icmp comment="default configuration" add chain=input action=accept connection-state=established in-interface=ether8 comment="default configuration" add chain=input action=accept connection-state=related in-interface=ether8 com...
by soamz
Wed Dec 16, 2015 9:08 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

I already told you. Read again...
I need the terminal paste command, so I can paste and reboot.
by soamz
Wed Dec 16, 2015 8:41 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

It seems you are not finally dropping the input chain. Not sure if you jump back to it, but you should be dropping everything that was not accepted before (rule 21 should be enabled). Filter the torch according to your WAN IP port 53 to see if there are incoming requests from outside. At least add dro...
by soamz
Wed Dec 16, 2015 8:30 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

And did it help? Isn't such an issue maybe an MTU problem?
MTU problem?
by soamz
Wed Dec 16, 2015 8:27 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

See torch of the WAN port. See the firewall connection list. See the firewall filter rules if you are blocking the incoming traffic to port 53, both TCP and UDP, from the WAN.

Seen, not sure what I should be checking.
I took the screenshots, so you can check and tell me.
by soamz
Wed Dec 16, 2015 8:24 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

You'd better use the DNS servers of your ISP than the common Google servers. It will speed up the browsing as they are the closest. I have my own DNS server hosted in my CO, and it worked well too. But I got a few complaints from customers that YouTube doesn't load, and Facebook sometimes. I thought it's s...
by soamz
Wed Dec 16, 2015 8:19 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re: CPU usage by DNS??

I guess I need to switch off ALLOW REMOTE REQUESTS.
by soamz
Wed Dec 16, 2015 8:16 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

Re:

Aren't the DNS requests coming from outside of the network?
How to know?

See attached my DNS config page.
by soamz
Wed Dec 16, 2015 8:11 am
Forum: Wireless Networking
Topic: CPU usage by DNS??
Replies: 17
Views: 1447

CPU usage by DNS??

I use CCR1009 and I just have around 400 customers.
I see the CPU is going above 35%, which is huge for just that few customers.

I know people are using CCR1009 for 20000 customers even.

I saw Tools > Profile.

And it shows DNS and QUEUE using more than 15%.

What's wrong?
by soamz
Wed Dec 16, 2015 7:01 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

Got the email again, but it's for an IP which is nowhere in the network, but as a block only. You appear to be running an open recursive resolver at IP address 103.194.232.65 that participated in an attack against a customer of ours, generating large UDP responses to spoofed queries, with those resp...
by soamz
Wed Dec 16, 2015 2:29 am
Forum: General
Topic: Something is wrong with the RouterOS
Replies: 3
Views: 641

Re: Something is wrong with the RouterOS

So there is no way to schedule a script so the Dynamic Queue always remains above the static queue???
by soamz
Wed Dec 16, 2015 2:08 am
Forum: RouterBOARD hardware
Topic: hotspot queues not working on 6.30.4
Replies: 3
Views: 1097

Re: hotspot queues not working on 6.30.4

I'd posted the same problem earlier with Mikrotik 6.23-6.27. After studying the problem I found: When there is hotspot and pppoe-server running on Mikrotik on VLANs and the hotspot user profile setting is insert queue before=bottom, then hotspot queues don't work. If I change the profile setting to insert q...
by soamz
Wed Dec 16, 2015 1:43 am
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Check this out: http://www.cisco.com/c/en/us/products/collateral/interfaces-modules/cwdm-transceiver-modules/product_data_sheet09186a00801a557c.html You don't have to use Cisco's solution - WDM GBIC/SFP modules exist for lots of vendors. You can also purchase WDM add/drop muxes and termination spli...
by soamz
Tue Dec 15, 2015 8:00 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

And I talked to many about the ring and everyone suggested going the RSTP way. But you said it's bad and would go with REP. Now, I have no idea about REP. REP is a Cisco proprietary sub-millisecond failover protocol that you use instead of spanning tree. Brocade's got a similar thing called RRP (I ...
by soamz
Tue Dec 15, 2015 7:34 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Of course we are not talking about similar price switches, 2960-X costs 50% more than a SG300. Friend, tell me which MikroTik can handle it? I will simply get MikroTik, as I love WINBOX!!!! Honestly, I would never use Mikrotik as a core switching platform. Winbox is nice, and RouterOS has a million wo...
by soamz
Tue Dec 15, 2015 7:19 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Hi, okay so can we go with this, http://www.cisco.com/c/en/us/support/switches/sg300-28sfp-28-port-gigabit-sfp-managed-switch/model.html ? But it says SMALL BUSINESS :( Don't know why! Because it is an entry level switch. I have no experience with them. I would go with 2960-X with LAN Base licence...
by soamz
Tue Dec 15, 2015 7:17 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Of course we are not talking about similar price switches, 2960-X costs 50% more than a SG300
Friend, tell me which MikroTik can handle it?
I will simply get MikroTik, as I love WINBOX!!!!
by soamz
Tue Dec 15, 2015 2:57 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Hi, 5Gbps? I wouldn't think about CRS in such a network. Use something: - better manageable. See the hell of options with strange names and meanings under the Switch menu. Nearly no option uses a name which is widely used in the networking world. Simple things like VLANs are rather complicated here an...
by soamz
Tue Dec 15, 2015 12:34 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

Re: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

Switching will be wirespeed; anything that gets passed to the CPU on this switch will not be [pay attention to "Performance test results"]. I am having a hard time picturing your topology, however. Where in your network would the switch(es) go? At each tower + the CO? The confusion is because you say 5...
by soamz
Mon Dec 14, 2015 1:27 pm
Forum: General
Topic: How is CRS212-1G-10S-1S+IN for Fiber Ring Network?
Replies: 18
Views: 2338

How is CRS212-1G-10S-1S+IN for Fiber Ring Network?

I was looking for a 12 or 16 port SFP gigabit managed switch for securing my 10 POP locations by a protected ring fiber network. I came across http://routerboard.com/CRS212-1G-10S-1SplusIN and the price seems amazing, but before I put the money on this, I have to be sure that it can really handle wh...
by soamz
Sun Dec 13, 2015 4:23 am
Forum: General
Topic: 80 Gbps throughput reached in the CCR1072-1G-8S+!!!
Replies: 9
Views: 2615

Re: 80 Gbps throughput reached in the CCR1072-1G-8S+!!!

What's the role of the ESXi servers here?
by soamz
Sun Dec 06, 2015 3:35 am
Forum: Scripting
Topic: Is there a script to automate this bug fix?
Replies: 2
Views: 514

Re: Is there a script to automate this bug fix?

So, do we have a solution to this???
by soamz
Sun Dec 06, 2015 3:35 am
Forum: General
Topic: Something is wrong with the RouterOS
Replies: 3
Views: 641

Re: Something is wrong with the RouterOS

So, do we have a solution to this???
by soamz
Sat Dec 05, 2015 7:47 am
Forum: Scripting
Topic: Is there a script to automate this bug fix?
Replies: 2
Views: 514

Is there a script to automate this bug fix?

We use both hotspot and PPPoE for our users within the same MikroTik CCR1009. I'm facing a weird problem since a few days. The hotspot server profile is set to put users above the hotspot mother queue. But since the last few days, many times the hotspot users automatically go below that queue and the whole of ...
by soamz
Sat Dec 05, 2015 7:45 am
Forum: General
Topic: Something is wrong with the RouterOS
Replies: 3
Views: 641

Something is wrong with the RouterOS

We use both hotspot and PPPoE for our users within the same MikroTik CCR1009. I'm facing a weird problem since a few days. The hotspot server profile is set to put users above the hotspot mother queue. But since the last few days, many times the hotspot users automatically go below that queue and the whole of ...
by soamz
Mon Nov 16, 2015 4:27 pm
Forum: General
Topic: Why are Hotspot & PPPoE showing on different Tx/Rx columns?
Replies: 1
Views: 323

Re: Why are Hotspot & PPPoE showing on different Tx/Rx columns?

Sorry, I mean, why is the WAN showing the opposite side??

It should show total PPPoE+Hotspot in Tx and Rx as total upload.
But it's showing the opposite.
by soamz
Mon Nov 16, 2015 4:25 pm
Forum: General
Topic: Why are Hotspot & PPPoE showing on different Tx/Rx columns?
Replies: 1
Views: 323

Why are Hotspot & PPPoE showing on different Tx/Rx columns?

Hi, I use both Hotspot and PPPoE.

Hotspot shows fine, Tx as download speed and Rx as upload speed.

But PPPoE is showing them just the opposite.
It's showing download in Rx and upload in Tx.

Why is that?
Did I make a mistake somewhere?

See my screenshots of both hotspot and PPPoE.
by soamz
Thu Nov 12, 2015 5:00 pm
Forum: General
Topic: Static IP won't work with PPPoE or Hotspot?
Replies: 3
Views: 371

Re: Static IP won't work with PPPoE or Hotspot?

You should keep using PPPoE for that customer, just make its IP static by specifying it in his PPP > Secrets Remote Address. That is already done. But the customer runs a firewall server in their office, and he wants to define the static IP, gateway and subnet mask in his server, without which he ...
by soamz
Thu Nov 12, 2015 3:38 pm
Forum: Wireless Networking
Topic: Regarding static IP users getting hotspot login page
Replies: 2
Views: 834

Re: Regarding static IP users getting hotspot login page

Hi, first of all don't mix the hotspot interface with your static IP. You should run both setups in parallel. For wireless, create a virtual interface to connect the users who have the static IP. Some basic changes are also required in your router. Give access, I will do this for you. For logs your radius manager c...
by soamz
Thu Nov 12, 2015 3:25 pm
Forum: General
Topic: Static IP won't work with PPPoE or Hotspot?
Replies: 3
Views: 371

Static IP won't work with PPPoE or Hotspot?

My network runs on both hotspot and PPPoE. I have set static IPs for the customers who asked for it. For example, I have set 111.111.111.72 for a customer. And in MikroTik, I have this pool for static IP customers, 111.111.111.65/26 [I have taken 111.111.111. as reference only]. So, he entered those d...
by soamz
Thu Nov 12, 2015 1:36 pm
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

One issue came after this. Winbox and web are both not accessible from the outside network after this rule. So, I had to switch off the drop firewall rule. You have to add accept rules specifically for winbox (protocol=tcp dst-port=8291). I do not suggest allowing access to web config from outsi...
by soamz
Thu Nov 12, 2015 12:58 pm
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

One issue came after this.
Winbox and web are both not accessible from the outside network after this rule.

So, I had to switch off the drop firewall rule.
by soamz
Tue Nov 10, 2015 11:37 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

User traffic goes through forward - this is input, it affects only traffic to the router itself.

I really suggest getting some training or hiring some consultant.
Yes, already enrolled in the MikroTik training in our country.
by soamz
Tue Nov 10, 2015 10:18 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

Then I'm confused what exactly to add to stop this behavior in future. Macgaiver already posted what you need to add: http://forum.mikrotik.com/viewtopic.php?p=506950#p506950 Those rules allow established connections from LAN and block all requests from WAN. Okay, my WAN in NAS Router (MikroTik CCR100...
by soamz
Tue Nov 10, 2015 10:04 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

But this will drop the DNS requests completely. I think we need to add one more rule to redirect the requests? Or did I miss something? Nop, it will only drop new requests, don't forget that your requests will be initiated by the router itself, so replies to those will return as connection-state=esta...
by soamz
Tue Nov 10, 2015 9:16 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

....but somehow you did delete the default configuration... If your ip firewall filter input is clear you should replace ether1-gateway with your interface name and paste these rules /ip firewall filter add chain=input action=accept protocol=icmp comment="default configuration" add chain=input actio...
by soamz
Tue Nov 10, 2015 9:08 am
Forum: General
Topic: Open recursive resolver DNS Attack - What firewall to add to fix?
Replies: 24
Views: 3647

Re: Open recursive resolver DNS Attack - What firewall to add to fix?

But this will drop the DNS requests completely.
I think we need to add one more rule to redirect the requests?

Or did I miss something?