Community discussions

Search found 36 matches

by RonJohn63
Thu Sep 06, 2018 2:35 am
Forum: General
Topic: Configuring firewall for use as NTP server
Replies: 2
Views: 1339

Configuring firewall for use as NTP server

Hi, v6.24.7 I've installed the ntp package, and (hopefully correctly) configured the ntp server properly: [admin@MikroTik] /system ntp server> print enabled: yes broadcast: yes multicast: no manycast: yes broadcast-addresses: 192.168.1.0 . Now I need to configure the firewall to allow systems on the...
by RonJohn63
Sat Mar 17, 2018 7:24 pm
Forum: RouterBOARD hardware
Topic: Gigabit fiber
Replies: 5
Views: 957

Re: Gigabit fiber

Looking at the specs of both routers, your question answers itself: https://mikrotik.com/product/RB750r2 https://mikrotik.com/product/RB750Gr3 The r2 only has 100Mbit Ports, while the Gr3 has 1G Ports. Even if the r2 CPU could pull off that Gigabit, you'd still have to go for the Gr3 for the Gigabi...
by RonJohn63
Sat Mar 17, 2018 1:23 pm
Forum: RouterBOARD hardware
Topic: Gigabit fiber
Replies: 5
Views: 957

Gigabit fiber

Hi,

Does the RB750Gr2 support it (maybe just barely), or should I upgrade to an RB750Gr3?

Thanks
by RonJohn63
Wed Nov 09, 2016 1:05 am
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

Re: FW rule to block port 22, but still can ssh in

The current rule set works. You are correct it works - but I would still recommend removing that section of the rule as it is not required <snip> It is common when rules have been checked in Winbox and options opened but not actually filled in for entries like that to get left behind as orphans. In...
by RonJohn63
Tue Nov 08, 2016 10:01 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 579
Views: 429240

Re: 3.6 GIG - Public-Mikrotik-Bandwidth-Test-Server

Hi, are the servers still running? I did try a few times in the last couple of days but was never able to connect! It would be so cool if Mikrotik had something like that for at least a 100Mbit test :)! I had the same problem, then enabled logging on the FW rule chain=input action=drop tcp-flags="" in-interface=ether1 ...
by RonJohn63
Tue Nov 08, 2016 4:35 pm
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

Re: FW rule to block port 22, but still can ssh in

Your default input drop rule has a setting of tcp-flags=""

This is probably the problem. Remove any reference to tcp-flags and it should then catch anything not specifically allowed before that.
The current rule set works.
by RonJohn63
Tue Nov 08, 2016 1:07 am
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

Understood. Thanks. (I'll enable logging, and give it a prefix to see how often it occurs.) It is somewhat unlikely you will see anything in the log (especially in comparison to attempts on the input chain itself), but that doesn't mean that you shouldn't protect yourself from that attack vector. A...
by RonJohn63
Mon Nov 07, 2016 4:13 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

@nescafe: did you use 6.37.1?

@rohnjohn63: try downgrading to bugfix channel, 6.36.4. Does the linux host uPNP properly create the dynamic dst-nat on IP > Firewall > Filter in this case?
No.
by RonJohn63
Mon Nov 07, 2016 4:11 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

That makes me sad... :( Sorry for playing the "have you tried turning it off and on again" - card.. But really before starting the process elimination you should've checked the obvious. Please take the time to follow my steps. I have installed transmission on Ubuntu and tested UPnP. It seems to be ...
by RonJohn63
Mon Nov 07, 2016 9:52 am
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

Re: FW rule to block port 22, but still can ssh in

Here's my current filter set: /ip firewall filter add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp add action=accept chain=input comment="defconf: accept established,related" connection-state=established,related add action=accept chain=input comment="IP address of public ba...
by RonJohn63
Mon Nov 07, 2016 9:46 am
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

Demonstrating how much I don't know what I don't know: how does someone outside of my router's WAN know what to target behind my router? To some extent, it is a guess. However, 192.168.1.0/24 is the most commonly used private subnet for home users, so the odds of this guess being accurate are fairl...
by RonJohn63
Mon Nov 07, 2016 6:39 am
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

From what? (This is a small, trusted LAN.) From malicious traffic :) Anyone in your provider's subnet could send malicious traffic to your internal network. Even if your house is small, you shouldn't leave the doors wide open.. I thought that was what the rule " chain=input action=drop tcp-flags=""...
by RonJohn63
Mon Nov 07, 2016 12:58 am
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

From what? (This is a small, trusted LAN.) From malicious traffic :) Anyone in your provider's subnet could send malicious traffic to your internal network. Even if your house is small, you shouldn't leave the doors wide open.. I thought that was what the rule " chain=input action=drop tcp-...
by RonJohn63
Mon Nov 07, 2016 12:21 am
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

Well you did mention your laptop's Windows Explorer Network "Network Infrastructure page" in your opening post ;) My bad for the confusion. I've got two computers: a Windows laptop (where enabling UPnP and adding the interfaces allowed the Explorer Network Infrastructure page to see the RB750G) and...
by RonJohn63
Sun Nov 06, 2016 11:13 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

ether1 is definitely the WAN port and ether2-master definitely the LAN port: I mean on your Windows computer itself. When you first connect to a network, Windows asks you if it is a private network or a public network. If you choose "public", or do not choose anything, it will assume public, and wi...
by RonJohn63
Sun Nov 06, 2016 7:02 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

Maybe the network type you have chosen for the network on your laptop is "Public" rather than "Private"? I think "Public" would not attempt to communicate with uPnP devices. ether1 is definitely the WAN port and ether2-master definitely the LAN port: Flags: X - disabled, I - invalid, H - DHCP, D - ...
by RonJohn63
Sun Nov 06, 2016 1:19 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Re: Another UPnP question

Which RouterOS version? Have you tried latest bugfix (6.36.4)? 6.37.1 Can you post /Ip address print? admin@MikroTik] /system routerboard settings> /ip address print Flags: X - disabled, I - invalid, D - dynamic # ADDRESS NETWORK INTERFACE 0 ;;; defconf 192.168.1.1/24 192.168.1.0 ether2-master 1 D ...
by RonJohn63
Sat Nov 05, 2016 11:18 pm
Forum: General
Topic: Another UPnP question
Replies: 20
Views: 2059

Another UPnP question

Hi, I'm trying to get UPnP to dynamically open incoming ports, with no luck, for the Transmission torrent client. I think it's a firewall issue, because in Windows, routers and gateways (even those not mine) show up in my laptop's Windows Explorer Network "Network Infrastructure" page. Here's my rou...
by RonJohn63
Fri Nov 04, 2016 4:29 pm
Forum: General
Topic: OpenSSH has deprecated DSA keys
Replies: 0
Views: 338

OpenSSH has deprecated DSA keys

Does RouterOS v6.37 allow RSA keys (I couldn't get them to work) or have any plans to use them in the future?

Also, the wiki pages which refer to ssh keys need to be updated regarding the need to put this in the ~/.ssh/config file:
PubkeyAcceptedKeyTypes +ssh-dss
by RonJohn63
Fri Nov 04, 2016 4:25 pm
Forum: General
Topic: OpenSSH has deprecated DSA keys
Replies: 0
Views: 294

OpenSSH has deprecated DSA keys

Does RouterOS v6.37 allow RSA keys (I couldn't get them to work) or have any plans to use them in the future?

Also, the wiki pages which refer to ssh keys need to be updated regarding the need to put this in the ~/.ssh/config file:
PubkeyAcceptedKeyTypes +ssh-dss
by RonJohn63
Fri Nov 04, 2016 4:43 am
Forum: Beginner Basics
Topic: ssh key import
Replies: 1
Views: 4083

[SOLVED] Re: ssh key import

OpenSSH deprecated DSA. I had to add this to my ~/.ssh/config file:
PubkeyAcceptedKeyTypes +ssh-dss
This addition to the config file also made things simpler:
Host my-router
    IdentityFile /home/ron/.ssh/id_dsa
by RonJohn63
Thu Nov 03, 2016 8:11 am
Forum: General
Topic: Domains in logs and Firewall connections
Replies: 10
Views: 1457

Re: Domains in logs and Firewall connections

Why this is not possible to get domain names. Other routers like DD-WRT or Openwrt can do this.
And Tomato Shibby. A list of the last 50(?) web sites visited, with timestamp and LAN IP address. Stunningly useful.
by RonJohn63
Thu Nov 03, 2016 5:39 am
Forum: Beginner Basics
Topic: ssh key import
Replies: 1
Views: 4083

ssh key import

Hi, Following the directions in http://wiki.mikrotik.com/wiki/Use_SSH_to_execute_commands_(DSA_key_login) (which is for v2.9) I generated the key, ftped it to the router and imported it. However, it still asks for a password, and now says "Permission denied, please try again." Where did I go wrong? ...
by RonJohn63
Thu Nov 03, 2016 12:38 am
Forum: General
Topic: Is it possible to install dnsmasq into routeros
Replies: 11
Views: 4228

Re: Is it possible to install dnsmasq into routeros

It appears to work, since I statically added those devices to the router DNS tables: [admin@MikroTik] /ip dns static> print Flags: D - dynamic, X - disabled # NAME REGEXP ADDRESS TTL 0 router 192.168.1.1 1d 1 haggis 192.168.1.10 1d 2 MC0XMUDC 192.168.1.12 1d 3 LinksysPAP 192.168.1.129 1d 4 726729_Ex...
by RonJohn63
Thu Nov 03, 2016 12:31 am
Forum: General
Topic: Lots of dropped 10.132.88.1:67 packets from WAN port
Replies: 1
Views: 423

Lots of dropped 10.132.88.1:67 packets from WAN port

Hi, I see a pair of these broadcast(?) packets every 25-35 seconds whenever I enable logging on this FW rule: 3 ;;; defconf: drop all from WAN chain=input action=drop tcp-flags="" in-interface=ether1 log=no log-prefix="WANDrop " 16:46:36 firewall,info WANDrop input: in:ether1 out:(none), src-mac 60:...
by RonJohn63
Thu Nov 03, 2016 12:06 am
Forum: General
Topic: Is it possible to install dnsmasq into routeros
Replies: 11
Views: 4228

Re: Is it possible to install dnsmasq into routeros

Check if the "resolv.conf" in your client pc is set to your mikrotik router. It does, along with my ISP's name servers (presumably because the router DNS has "allow-remote-requests: yes". $ nslookup router Server: 192.168.1.1 Address: 192.168.1.1#53 Non-authoritative answer: Name: router Address: 1...
by RonJohn63
Wed Nov 02, 2016 11:23 pm
Forum: General
Topic: Is it possible to install dnsmasq into routeros
Replies: 11
Views: 4228

Re: Is it possible to install dnsmasq into routeros

Your dns settings should point to your mikrotik. Depending on your OS, try a command like "nslookup" or "dig". [admin@MikroTik] /ip dns> print servers: <<<<<<<<<<<<<< dynamic-servers: 68.105.28.11,68.105.29.11,68.105.28.12 allow-remote-requests: yes max-udp-packet-size: 4096 query-server-timeout: 2...
by RonJohn63
Wed Nov 02, 2016 11:05 pm
Forum: General
Topic: Public-Mikrotik-Bandwidth-Test-Server(s)
Replies: 579
Views: 429240

Re: 3.6 GIG - Public-Mikrotik-Bandwidth-Test-Server

(Had to temporarily disable the FW rule on dropping all WAN packets.) Otherwise, it matches well with my 150/10 cable tier. [admin@MikroTik] /tool> /tool bandwidth-test address=207.32.195.2 user=btest password=btest \ duration=00:01:00 direction=receive random-data=yes protocol=udp status: done test...
by RonJohn63
Wed Nov 02, 2016 10:45 pm
Forum: General
Topic: Is it possible to install dnsmasq into routeros
Replies: 11
Views: 4228

Re: Is it possible to install dnsmasq into routeros

But dnsmasq can also be a name server for devices in the LAN. that is also available at ip > dns > static Thanks. I clicked on that, and then tried to ping devices whose names are known to the router. But now my devices think that all host names have the IP address 92.242.140.2 instead of something...
by RonJohn63
Wed Nov 02, 2016 10:27 pm
Forum: Beginner Basics
Topic: /tool ip-scan
Replies: 0
Views: 684

/tool ip-scan

Hi,

If I run /tool ip-scan interface=ether1 (where ether1 is the WAN port connected to my cable modem), will it try to scan my ISP's whole address range?
by RonJohn63
Tue Nov 01, 2016 10:45 pm
Forum: General
Topic: Is it possible to install dnsmasq into routeros
Replies: 11
Views: 4228

Re: Is it possible to install dnsmasq into routeros

qubic you have dns cache service already built in into RouterOS. (IP > DNS, tick Allow remote requests)

Unless you have a very large network that needs to cope with more than 100 requests per second no need for a separate cache.
But dnsmasq can also be a name server for devices in the LAN.
by RonJohn63
Tue Nov 01, 2016 7:59 pm
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

Re: FW rule to block port 22, but still can ssh in

OK, I was in a hurry and did not read your post properly. Rule 3 should block all traffic incoming from wan, but it is disabled. So it does not block. When first installing, the router didn't pick up an address ISP, and I thought that rule 3 was the culprit. Apparently not. Thus, I've enabled Rule 3...
by RonJohn63
Tue Nov 01, 2016 7:22 pm
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

Re: FW rule to block port 22, but still can ssh in

Flags XI mean "Disabled" and "Invalid". Maybe you need to check the interface names... The WAN cable is definitely plugged into ether1, and the LAN cable is definitely in ether2-master. Flags: D - dynamic, X - disabled, R - running, S - slave # NAME TYPE ACTUAL-MTU L2MTU MAX-L2MTU MAC-ADDRESS 0 R e...
by RonJohn63
Tue Nov 01, 2016 6:32 pm
Forum: Beginner Basics
Topic: FW rule to block port 22, but still can ssh in
Replies: 11
Views: 3037

FW rule to block port 22, but still can ssh in

Hi, I can still remotely ssh in, even though I've got this set of rules: 0 D ;;; special dummy rule to show fasttrack counters chain=forward action=passthrough 1 ;;; defconf: accept ICMP chain=input action=accept protocol=icmp log=no log-prefix="" 2 ;;; defconf: accept established,related chain=inpu...
by RonJohn63
Tue Nov 01, 2016 6:36 am
Forum: Beginner Basics
Topic: RB750Gr2 DHCP client doesn't get IP from WAN port
Replies: 2
Views: 496

Re: RB750Gr2 DHCP client doesn't get IP from WAN port

After trying it again this evening, it worked.
by RonJohn63
Mon Oct 31, 2016 10:22 pm
Forum: Beginner Basics
Topic: RB750Gr2 DHCP client doesn't get IP from WAN port
Replies: 2
Views: 496

RB750Gr2 DHCP client doesn't get IP from WAN port

Hi, RouterOS v6.43.2 I connected the wire from the cable modem going in the "Internet" port, and the wire to the rest of my LAN going in port 2. Then powered up the CM and when it got a signal powered up the router. After the 2nd beep, I refreshed my client's IP address. It successfully gave me 192....