It took me a while to overcome my skepticism but...

So, I was really skeptical that RouterOS could be used as a backbone router. However, my ImageStream router from 2006 was showing its age (Celeron single core/512 RAM), so I took the plunge.

Hardware:
Quad-core Pentium
2 Gigs RAM
2 Intel GigE NICs
Asus Motherboard
Rackmount 2u
Total Cost: around $800

100mb fiber feed (ether1)

10 servers running various functions
Wireless network on 1 class C
Workstations, etc. in central office
4-phone VoIP system

I was having issues with hacks on my outgoing mail server. Sometimes, 100,000 attempted email hacks a day. It’s a rather aged bit of software but it works well for the most part.

Lots of other bogus attempts to access my network and I was getting rather tired of it.

I looked at the current ImageStream offerings, I looked at Vyatta, and even using a simple RedHat installation and a couple of other things. The equivalent ImageStream was around $6000. Really great folks and great products but I think I wanted to roll my own so I wasn’t dependent on someone else’s hardware.

Hence, RouterOS.

It has taken me a couple of months to get things where I want them, but lo and behold, it’s working extremely well.

I created a system that monitors how many current SMTP connections are coming from a given IP address. More than 4 and I temporarily drop them.

I have a good set of SMTP packet-monitoring rules that look at certain return codes from my mail server and block connections for certain amounts of time, depending on the error code.

One of the better rules I have is adding connections that don’t match the firewall to a hackers address list. If a connection gets to the bottom of the firewall and still hasn’t matched anything, it’s added to the hackers list for 30 seconds.

This has stopped an inordinate amount of hacking and port scanning. 30 seconds seems to be just fine for forcing the offending connection to move on.

My VoIP Queues and Wireless Queues are working great. VoIP quality has certainly increased, especially when the wireless traffic and web and mail traffic are under load.

CPU is running at 0-2% at any time. Memory usage is around 200MB if that.

Below is my firewall and queue config if anyone is interested. I hope it helps someone.

/queue tree
add name=IN parent=global priority=1 queue=default
add name=OUT parent=global priority=1 queue=default
add name=SIP_IN packet-mark=SIP_IN parent=IN priority=1 queue=default
add name=SIP_OUT packet-mark=SIP_OUT parent=OUT priority=1 queue=default
add name=ALL_ELSE_IN packet-mark=ELSE_IN parent=IN queue=default
add name=ALL_ELSE_OUT packet-mark=ELSE_OUT parent=OUT
add max-limit=50M name=KiWi_IN packet-mark=KiWi_In parent=IN priority=6 queue=default
add max-limit=20M name=KiWi_Out packet-mark=KiWi_Out parent=OUT priority=6 queue=default
/ip firewall connection tracking
set enabled=yes
/ip address
add address=15.16.28.59/29 comment="added by setup" interface=ether1 network=15.16.28.56
add address=11.12.17.11/24 comment="added by setup" interface=ether2 network=11.12.17.0
add address=11.12.17.1/24 interface=ether2 network=11.12.17.0
add address=11.12.18.1/24 interface=ether2 network=11.12.18.0
add address=11.12.17.2/24 interface=ether2 network=11.12.17.0
/ip dns
set servers=8.8.8.8,11.12.17.9
/ip firewall address-list
add address=11.12.17.0/24 comment="Allow access from our internal IP addresses" list=support
add address=69.64.56.0/24 list=Pingdom
add address=95.211.198.87 list=Pingdom
add address=95.211.87.85 list=Pingdom
add address=85.17.156.76 list=Pingdom
add address=85.17.156.11 list=Pingdom
add address=85.17.156.99 list=Pingdom
add address=95.211.217.68 list=Pingdom
add address=174.34.162.242 list=Pingdom
add address=64.141.100.136 list=Pingdom
add address=174.34.224.167 list=Pingdom
add address=69.59.28.19 list=Pingdom
add address=174.34.156.130 list=Pingdom
add address=82.103.128.63 list=Pingdom
add address=50.22.90.227 list=Pingdom
add address=173.248.147.18 list=Pingdom
add address=46.20.45.18 list=Pingdom
add address=78.31.69.179 list=Pingdom
add address=94.247.174.83 list=Pingdom
add address=188.138.40.20 list=Pingdom
add address=46.165.195.139 list=Pingdom
add address=72.46.140.186 list=Pingdom
add address=76.164.194.74 list=Pingdom
add address=208.64.28.194 list=Pingdom
add address=72.46.153.26 list=Pingdom
add address=72.46.140.106 list=Pingdom
add address=72.46.130.42 list=Pingdom
add address=91.109.115.41 list=Pingdom
add address=94.46.4.1 list=Pingdom
add address=159.8.146.132 list=Pingdom
add address=83.170.113.210 list=Pingdom
add address=204.152.200.42 list=Pingdom
add address=94.46.240.121 list=Pingdom
add address=212.84.74.156 list=Pingdom
add address=158.58.173.160 list=Pingdom
add address=95.141.32.46 list=Pingdom
add address=178.255.155.2 list=Pingdom
add address=67.205.67.76 list=Pingdom
add address=70.32.40.2 list=Pingdom
add address=64.237.55.3 list=Pingdom
add address=78.40.124.16 list=Pingdom
add address=76.72.171.180 list=Pingdom
add address=76.72.172.208 list=Pingdom
add address=76.72.167.90 list=Pingdom
add address=108.62.115.226 list=Pingdom
add address=199.87.228.66 list=Pingdom
add address=178.255.154.2 list=Pingdom
add address=173.204.85.217 list=Pingdom
add address=50.23.94.74 list=Pingdom
add address=64.120.6.122 list=Pingdom
add address=67.228.213.178 list=Pingdom
add address=69.64.56.153 list=Pingdom
add address=69.64.56.47 list=Pingdom
add address=5.178.78.77 list=Pingdom
add address=188.138.118.184 list=Pingdom
add address=188.138.124.110 list=Pingdom
add address=188.138.118.144 list=Pingdom
add address=85.25.176.167 list=Pingdom
add address=96.31.66.245 list=Pingdom
add address=184.75.209.18 list=Pingdom
add address=184.75.208.210 list=Pingdom
add address=184.75.210.90 list=Pingdom
add address=184.75.210.226 list=Pingdom
add address=184.75.210.186 list=Pingdom
add address=178.255.152.2 list=Pingdom
add address=207.244.80.239 list=Pingdom
add address=208.43.68.59 list=Pingdom
add address=178.255.153.2 list=Pingdom
add address=192.84.16.0/24 list=8X8
add address=192.84.18.0/24 list=8X8
add address=8.28.0.0/22 list=8X8
add address=0.0.0.0/8 comment="Self-Identification [RFC 3330]" list=bogons
add address=10.0.0.0/8 comment="Private[RFC 1918] - CLASS A # Check if you need this subnet before enable it" list=bogons
add address=127.0.0.0/16 comment="Loopback [RFC 3330]" list=bogons
add address=169.254.0.0/16 comment="Link Local [RFC 3330]" list=bogons
add address=172.16.0.0/12 comment="Private[RFC 1918] - CLASS B # Check if you need this subnet before enable it" list=bogons
add address=192.168.0.0/16 comment="Private[RFC 1918] - CLASS C # Check if you need this subnet before enable it" list=bogons
add address=192.0.2.0/24 comment="Reserved - IANA - TestNet1" list=bogons
add address=192.88.99.0/24 comment="6to4 Relay Anycast [RFC 3068]" list=bogons
add address=198.18.0.0/15 comment="NIDB Testing" list=bogons
add address=198.51.100.0/24 comment="Reserved - IANA - TestNet2" list=bogons
add address=203.0.113.0/24 comment="Reserved - IANA - TestNet3" list=bogons
add address=224.0.0.0/4 comment="MC, Class D, IANA # Check if you need this subnet before enable it" list=bogons
add address=11.12.17.33 list=VOIP_Phone
add address=11.12.17.30 list=VOIP_Phone
add address=11.12.17.31 list=VOIP_Phone
add address=11.12.17.32 list=VOIP_Phone
add address=11.12.16.0/24 list=Internal_IPs
add address=11.12.17.0/24 list=Internal_IPs
add address=11.12.18.0/24 list=Internal_IPs
/ip firewall filter
add action=drop chain=forward comment="Drop things pretending to come from our internal IP addresses" in-interface=ether1 src-address-list=Internal_IPs
add action=drop chain=forward comment="Drop spammers" connection-state=invalid,established,related,new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=spammers
add action=drop chain=forward comment="Drop SMTP Auth Error connections" connection-state=invalid,established,related,new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTPAuthError
add action=drop chain=forward comment="Drop email virus connections" in-interface=ether1 src-address-list=virus
add action=drop chain=forward comment="Drop hackers" in-interface=ether1 src-address-list=hackers
add chain=forward comment="Outgoing VOIP" dst-address-list=8X8 src-address-list=VOIP_Phone
add chain=forward comment="Incoming VOIP" dst-address-list=VOIP_Phone src-address-list=8X8
add action=drop chain=forward comment="Drop DNS calls to wireless bridge" dst-address=11.12.17.15 dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="drop DNS calls to wireless system main router" dst-address=11.12.16.1 dst-port=53 in-interface=ether1 protocol=udp
add chain=forward comment="Accept all other traffic to wireless bridge" dst-address=11.12.17.15 in-interface=ether1
add chain=forward comment="Accept all traffic to wireless network" dst-address=11.12.16.0/24 in-interface=ether1
add chain=forward comment="Accept all outgoing traffic from wireless bridge" in-interface=ether2 src-address=11.12.17.15
add chain=forward comment="Accept all outgoing from wireless network" in-interface=ether2 src-address=11.12.16.0/24
add chain=forward comment="Accept tcp traffic from internal network – new, related, established" connection-state=established,related,new in-interface=ether2 protocol=tcp
add chain=forward comment="Accept udp traffic from internal network – new, related, established" connection-state=established,related,new in-interface=ether2 protocol=udp
add chain=forward comment="Accept icmp traffic from internal network – new, related, established" connection-state=established,related,new in-interface=ether2 protocol=icmp
add chain=forward comment="accept tcp related, established from outside world" connection-state=established,related in-interface=ether1 protocol=tcp
add chain=forward comment="accept udp related, established from outside world" connection-state=established,related in-interface=ether1 protocol=udp
add chain=forward comment="accept icmp related, established from outside world" connection-state=established,related in-interface=ether1 protocol=icmp
add chain=forward comment=destination-unreachable icmp-options=3:0-1 protocol=icmp
add chain=forward comment="source-quench" icmp-options=0 protocol=icmp
add chain=forward comment=time-exceeded icmp-options=11:0 protocol=icmp
add chain=forward icmp-options=12:0 protocol=icmp
add chain=forward comment=echo-reply icmp-options=0:0 protocol=icmp
add action=add-src-to-address-list address-list=Syn_Flooder address-list-timeout=30m chain=forward comment="Add Syn Flood IP to the list" connection-limit=30,32 in-interface=ether1 protocol=tcp tcp-flags=syn
add action=drop chain=forward comment="Drop to syn flood list" src-address-list=Syn_Flooder
add action=add-src-to-address-list address-list=Port_Scanner address-list-timeout=1w chain=forward comment="Port Scanner Detect" in-interface=ether1 protocol=tcp psd=21,3s,3,1
add action=drop chain=forward comment="Drop to port scan list" src-address-list=Port_Scanner
add action=drop chain=input comment="Block all access to the router - except to support list" protocol=tcp src-address-list=!support
add action=drop chain=forward comment="Drop to bogon list" connection-limit=30,32 dst-address-list=bogons
add action=add-src-to-address-list address-list=spammers address-list-timeout=3d chain=forward comment="Add Spammers to the list for 3 hours" disabled=yes dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTP_Con5
add chain=input comment="Full access to SUPPORT address list" src-address-list=support
add action=jump chain=forward jump-target=ICMP protocol=icmp
add chain=forward comment="Authoritative DNS for our Domains" dst-address=11.12.17.3 dst-port=53 in-interface=ether1 protocol=udp
add chain=forward dst-address=11.12.17.6 dst-port=53 in-interface=ether1 protocol=udp
add chain=forward dst-address=11.12.17.214 dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=forward comment="Drop all else incoming DNS queries" dst-port=53 in-interface=ether1 protocol=udp
add chain=forward comment="Public SMTP servers: Incoming and Outgoing" dst-address=11.12.17.6 dst-port=25 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.8 dst-port=25 in-interface=ether1 protocol=tcp
add chain=forward comment=Seabuilt.com dst-address=11.12.17.214 dst-port=25 in-interface=ether1 protocol=tcp
add chain=forward comment="Alternate SMTP" dst-address=11.12.17.6 dst-port=10025 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.6 dst-port=587 in-interface=ether1 protocol=tcp
add chain=forward dst-port=80 in-interface=ether1 protocol=tcp
add chain=forward dst-port=81 in-interface=ether1 protocol=tcp
add chain=forward connection-state=new dst-port=21 protocol=tcp
add chain=forward connection-state=new dst-port=1021 protocol=tcp
add chain=forward connection-state=new dst-port=10021 protocol=tcp
add chain=forward connection-state=established,related dst-port=20 protocol=tcp
add chain=forward connection-state=established,related,new dst-port=65000-65535 in-interface=ether1 protocol=tcp tcp-flags=syn
add chain=forward comment="Critical Mention" dst-address=11.12.17.221 in-interface=ether1
add chain=forward dst-address=11.12.17.222 in-interface=ether1
add chain=forward dst-address=11.12.17.223 in-interface=ether1
add chain=forward dst-address=11.12.17.224 in-interface=ether1
add chain=forward comment="Record Printing hosts" dst-address=11.12.17.238 dst-port=445 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.239 dst-port=445 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.238 dst-port=548 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.239 dst-port=548 in-interface=ether1 protocol=tcp
add chain=forward comment="POP Mail" dst-port=110 in-interface=ether1 protocol=tcp
add chain=forward comment=HTTPS dst-port=443 in-interface=ether1 protocol=tcp
add chain=forward comment=IMAP dst-address=11.12.17.6 dst-port=143 in-interface=ether1 protocol=tcp
add chain=forward comment="FTP over SSL" dst-port=990 in-interface=ether1 protocol=tcp
add chain=forward comment=PPTP dst-port=1723 in-interface=ether1 protocol=tcp
add chain=forward dst-port=1723 in-interface=ether1 protocol=udp
add chain=forward in-interface=ether1 protocol=gre
add chain=forward dst-port=1701 in-interface=ether1 protocol=udp
add chain=forward comment="Internet Security Association and Key Management Protocol" dst-port=500 in-interface=ether1 protocol=udp
add chain=forward dst-port=500 in-interface=ether1 protocol=tcp
add chain=forward comment="IPSec NAT Traversal" dst-port=4500 in-interface=ether1 protocol=udp
add chain=forward comment=IPSEC in-interface=ether1 protocol=ipsec-esp
add chain=forward comment="Alternate HTTPS" dst-port=2006 in-interface=ether1 protocol=tcp
add chain=forward dst-port=8080 in-interface=ether1 protocol=tcp
add chain=forward dst-port=8443 in-interface=ether1 protocol=tcp
add chain=forward dst-port=26675 in-interface=ether1 protocol=tcp
add chain=forward dst-port=26675 in-interface=ether1 protocol=udp
add chain=forward comment=Filemaker dst-port=5003 in-interface=ether1 protocol=tcp
add chain=forward dst-port=16000 in-interface=ether1 protocol=tcp
add chain=forward dst-port=16001 in-interface=ether1 protocol=tcp
add chain=forward dst-port=16016 in-interface=ether1 protocol=tcp
add chain=forward dst-port=16018 in-interface=ether1 protocol=tcp
add chain=forward comment="FileMaker Data Access Layer (ODBC/JDBC)" dst-port=2399 in-interface=ether1 protocol=tcp
add chain=forward comment="Secure Shell (SSH)" dst-port=22 in-interface=ether1 protocol=tcp
add chain=forward dst-address=11.12.17.212 dst-port=5224 in-interface=ether1 protocol=tcp
add chain=input in-interface=ether1 protocol=icmp
add action=add-src-to-address-list address-list=hackers address-list-timeout=30s chain=forward comment="If nothing has matched so far, mark the packet as a Hacker so we can drop the connection when it tries again" in-interface=ether1
add action=drop chain=forward in-interface=ether1
add chain=forward in-interface=ether2
add action=drop chain=input in-interface=ether1
/ip firewall mangle
add chain=prerouting protocol=gre
add chain=prerouting protocol=ipsec-esp
add action=mark-packet chain=prerouting comment="VOIP In" dst-address-list=VOIP_Phone in-interface=ether1 new-packet-mark=SIP_IN passthrough=no src-address-list=8X8
add action=mark-packet chain=postrouting comment="VOIP Out" dst-address-list=8X8 new-packet-mark=SIP_OUT out-interface=ether1 passthrough=no src-address-list=VOIP_Phone
add action=mark-packet chain=prerouting comment="KiWireless In" dst-address=11.12.16.0/24 in-interface=ether1 new-packet-mark=KiWi_In passthrough=no
add action=mark-packet chain=postrouting comment="KiWireless Out" new-packet-mark=KiWi_Out out-interface=ether1 passthrough=no src-address=11.12.16.0/24
add action=mark-packet chain=prerouting comment="All Else" dst-address=!11.12.16.0/24 in-interface=ether1 new-packet-mark=ELSE_IN src-address-list=!VOIP_Phone
add action=add-src-to-address-list address-list=virus address-list-timeout=3d chain=prerouting comment="EHLO ylmf-pc" content="EHLO ylmf-pc" dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp
add action=mark-packet chain=prerouting comment="Mark packet as YLMF virus and skip further Mangle" new-packet-mark=virus passthrough=no src-address-list=virus
add action=add-dst-to-address-list address-list=SMTPAuthError address-list-timeout=2m chain=prerouting comment="SMTP Authorization Error" content="500 5.7.0 Authentication failed" in-interface=ether2 protocol=tcp src-address=11.12.17.6 src-address-list=!Pingdom src-port=25,587,10025
add action=add-dst-to-address-list address-list=SMTPAuthError address-list-timeout=30m chain=prerouting comment="SMTP Rejected 550" content="550 This system is configured to reject mail" in-interface=ether2 protocol=tcp src-address=11.12.17.6 src-address-list=!Pingdom src-port=25,587,10025
add action=add-dst-to-address-list address-list=SMTPAuthError address-list-timeout=30m chain=prerouting comment="SMTP Rejected 501 5.7.1" content="501 5.7.1 This system is not configured to relay mail" in-interface=ether2 protocol=tcp src-address=11.12.17.6 src-address-list=!Pingdom src-port=25,587,10025
add action=add-dst-to-address-list address-list=SMTPAuthError address-list-timeout=3h chain=prerouting comment="550 This system is configured to reject mail" content="550 This system is configured to reject mail" in-interface=ether2 protocol=tcp src-address=11.12.17.6 src-address-list=!Pingdom src-port=25,587,10025
add action=mark-packet chain=prerouting comment="Mark packet as SMTP Auth Error and skip further Mangle" new-packet-mark=SMTPAuthError passthrough=no src-address-list=SMTPAuthError
add action=add-src-to-address-list address-list=spammers address-list-timeout=5m chain=prerouting comment="SMTP 5th Connection – add to spammers" connection-state=new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTP_Con4
add action=mark-connection chain=prerouting new-connection-mark=no-mark passthrough=no src-address-list=spammers
add action=add-src-to-address-list address-list=SMTP_Con4 address-list-timeout=15s chain=prerouting comment="SMTP 4th Connection" connection-state=new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTP_Con3
add action=mark-connection chain=prerouting new-connection-mark=no-mark passthrough=no src-address-list=SMTP_Con4
add action=add-src-to-address-list address-list=SMTP_Con3 address-list-timeout=30s chain=prerouting comment="SMTP 3rd Connection" connection-state=new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTP_Con2
add action=mark-connection chain=prerouting new-connection-mark=no-mark passthrough=no src-address-list=SMTP_Con3
add action=add-src-to-address-list address-list=SMTP_Con2 address-list-timeout=1m chain=prerouting comment="SMTP 2nd connection" connection-state=new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=SMTP_Con1
add action=mark-connection chain=prerouting new-connection-mark=no-mark passthrough=no src-address-list=SMTP_Con2
add action=add-src-to-address-list address-list=SMTP_Con1 address-list-timeout=2m chain=prerouting comment="SMTP 1st Connection" connection-state=new dst-address=11.12.17.6 dst-port=25,587,10025 in-interface=ether1 protocol=tcp src-address-list=!Pingdom
add action=mark-connection chain=prerouting disabled=yes new-connection-mark=no-mark passthrough=no src-address-list=SMTP_Con1
add action=add-src-to-address-list address-list=hackers address-list-timeout=3m chain=prerouting comment="drop 3389" connection-state=new dst-port=3389 protocol=tcp
add action=add-src-to-address-list address-list=hackers address-list-timeout=3m chain=prerouting comment="Drop 1443 – SQL" connection-state=new dst-port=1443 protocol=tcp
add action=mark-packet chain=postrouting comment="All-Else PostRouting" new-packet-mark=ELSE_OUT out-interface=ether1 passthrough=no src-address=!11.12.16.0/24 src-address-list=!VOIP_Phone
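The SMTP connection ladder in the mangle section above (SMTP_Con1 through SMTP_Con4 feeding the spammers list, which the filter then drops) can be replayed offline to see which connection timings actually trip it. This is an added Python model of those rules, not code from the original post or from RouterOS; it assumes that re-adding an address to a dynamic address list refreshes its timeout, and, as in the posted config, that only the first-connection rule exempts the Pingdom list. The source address used is a constructed example.

```python
"""Model of the RouterOS mangle 'SMTP connection ladder' from the posted config.

Each new SMTP connection is checked top-down: a source already on SMTP_ConN is
promoted to SMTP_Con(N+1), and the mark-connection passthrough=no rule after
each step ends processing for that packet. The 5th connection inside the
nested timeouts puts the source on 'spammers', which the filter chain drops.
"""
from typing import Dict, FrozenSet, List, Optional, Tuple

# (required source list, list to add to, timeout in seconds), in mangle order.
# None means "any source not on Pingdom" (the "SMTP 1st Connection" rule).
LADDER: List[Tuple[Optional[str], str, int]] = [
    ("SMTP_Con4", "spammers", 5 * 60),   # "SMTP 5th Connection"
    ("SMTP_Con3", "SMTP_Con4", 15),      # "SMTP 4th Connection"
    ("SMTP_Con2", "SMTP_Con3", 30),      # "SMTP 3rd Connection"
    ("SMTP_Con1", "SMTP_Con2", 60),      # "SMTP 2nd connection"
    (None, "SMTP_Con1", 2 * 60),         # "SMTP 1st Connection"
]


class AddressLists:
    """Dynamic address lists: list name -> {address: expiry timestamp}."""

    def __init__(self) -> None:
        self.entries: Dict[str, Dict[str, float]] = {}

    def add(self, name: str, addr: str, now: float, timeout: int) -> None:
        # Assumption: re-adding an address refreshes its timeout.
        self.entries.setdefault(name, {})[addr] = now + timeout

    def contains(self, name: str, addr: str, now: float) -> bool:
        expiry = self.entries.get(name, {}).get(addr)
        return expiry is not None and now < expiry


def new_smtp_connection(lists: AddressLists, src: str, now: float,
                        pingdom: FrozenSet[str]) -> str:
    """Run one new SMTP connection through the ladder; return the list the
    source was added to ('' for an exempt Pingdom monitor)."""
    if src in pingdom:
        return ""
    for required, target, timeout in LADDER:
        if required is None or lists.contains(required, src, now):
            lists.add(target, src, now, timeout)
            return target  # passthrough=no rule that follows ends processing
    return ""


def is_dropped(lists: AddressLists, src: str, now: float) -> bool:
    """Filter rule 'Drop spammers': any packet from a listed source is dropped."""
    return lists.contains("spammers", src, now)


def run_burst(times: List[float], src: str = "198.51.100.23") -> Tuple[List[str], bool]:
    """Replay connection attempts at the given timestamps (seconds). Returns the
    list each attempt promoted the source to and whether the source is being
    dropped at the time of the last attempt. 198.51.100.23 is a constructed address."""
    lists = AddressLists()
    promoted = [new_smtp_connection(lists, src, t, frozenset()) for t in times]
    return promoted, is_dropped(lists, src, times[-1])


if __name__ == "__main__":
    print("5 connections in 5 seconds:", run_burst([0, 1, 2, 3, 4]))
    print("5 connections 20 s apart:  ", run_burst([0, 20, 40, 60, 80]))
```

Because SMTP_Con4 lives only 15 s and SMTP_Con3 only 30 s, a sender that paces its connections 20 s apart never reaches the spammers list, while five connections in five seconds are dropped from the fifth packet onward until the 5 m spammers entry expires.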