Community discussions

Search found 9 matches

by sls
Wed Mar 01, 2017 11:31 pm
Forum: Beginner Basics
Topic: VLANs with HAP lite and CRS
Replies: 0
Views: 274

VLANs with HAP lite and CRS

Hey there, I'm having trouble understanding how to configure a VLAN trunk on the HAP lite to one of my Mikrotik Cloud Router Switches. I'm not that good at VLANs in general; I have only configured some Cisco Catalyst switches so far. What I'm trying to achieve is as follows: HAP lite: VLAN 20, 30 etc. on ethe...
by sls
Sun Jul 31, 2016 12:49 pm
Forum: Beginner Basics
Topic: What Interface maps OVPN server interface ?
Replies: 3
Views: 726

Re: What Interface maps OVPN server interface ?

Hi, You could define more specific rules for your VPN interface (as far as that's what your last question is about) i.e.: ;;; Allow OPVN traffic through WAN1       chain=forward action=accept protocol=tcp in-interface=OVPN out-interface=WAN1 log=no log-prefix="" Now, aforementioned rule will just al...
by sls
Mon Apr 25, 2016 10:45 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

I'm not sure if I understand what exactly you do with your custom chains. Post some config or more detailed description. What I'm trying to achieve is to catch all forward tcp packets, move them to custom tcp chain to make sure forbidden tcp ports will drop. I'm not sure if then the tcp chain packe...
by sls
Sun Apr 17, 2016 12:10 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

If OpenVPN server runs on router, then yes, obviously you have to add accept rule for its port, if your other rules block all connections from WAN by default. To access your internal LAN, you can: 1) Set up whole LAN as bridge and add client as bridge port. That way it will be direct part of LAN. 2...
by sls
Fri Mar 25, 2016 9:07 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

and all packets to <public ip>:80 get forwarded to 192.168.0.10:80. But they would get blocked in forward chain, because only connections originating from LAN are allowed. Accept rule with connection-nat-state=dstnat makes it easy to accept all forwarded connections. Otherwise you would have to add...
by sls
Sun Mar 20, 2016 9:03 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

Usually nothing special is needed. My starting config goes like this: For forward, allow established & related, drop invalid, allow anything from LAN (unless there's reason to block something; if there is, match all outgoing connections only once and jump to dedicated chain to do detailed filtering...
by sls
Thu Mar 17, 2016 10:10 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

It looks like a good start. Keep the catch-all drop rule at the end, because dropping invalid at the beginning won't protect you. From router's perspective, there's nothing wrong with unsolicited incoming connections from internet, they are just new, not invalid. Few tips: - established & related c...
by sls
Wed Mar 09, 2016 9:52 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

Re: First time setup firewall

Ok, I'm not sure if no answer means everything on this configuration is okay :D I'm just trying out some things after reading tons of topics here and there. /ip firewall filter add action=drop chain=input connection-state=invalid add chain=input connection-state=established add chain=input connection-...
by sls
Sun Feb 21, 2016 10:01 pm
Forum: Beginner Basics
Topic: First time setup firewall
Replies: 23
Views: 7459

First time setup firewall

Hey guys, I'm new to Mikrotik routers and need some advice for my first firewall configuration. I'm using the Mikrotik RouterBOARD RB2011UIAS-2HND-IN behind a Fritzbox 7490 (for VDSL) as "Exposed Host" to avoid Fritzbox' NAT / Firewall. On the Mikrotik I've created a lan (192.168.0.0/24). That's the...