I have had my first MikroTik device since yesterday and it's working really great.
I already set up some rules and managed most of it with the information on the web.
But now I have the problem that I can't get the UPnP feature running.
About my configuration: it should all be default, because I used the Quick Set page for the initial configuration.
I enabled UPnP in the UPnP settings and added the interfaces (I know it would be better to make a master/slave config, but this will be my next project).
I also tested it with pppoe-out1 as external, but it's also not working.
I read that after enabling UPnP a dynamic NAT rule should be created automatically, but nothing happens for me.
There is only the masquerade rule and my port forwarding rules.
Sadly it's not working. (Tested with Skype and Plex, for example.)
Do you know how the NAT rule should look when it's created automatically, or am I wrong about this rule?
When UPnP is working, where can I see the automatically opened UPnP ports?
When this is operational, you need to make VERY CERTAIN that your pppoe-out interface is dropping incoming UPnP packets - UPnP is notoriously insecure, so make sure that only your LAN can use it.
Typically, if the input chain of your firewall has rule 1 = allow established,connected connection states, rule 2 = allow ICMP rate-limited to something like 10/sec (stops flooding but allows basic functionality), and rule 3 = drop everything… then you'll be safe from UPnP attacks.
Thanks for your input about security. I edited rule #1 with ICMP and set the rate limit under Extra to 10/s.
I left burst at the default 5. I hope these settings are correct. Rule #3 is drop with in-interface ether1-gateway. Should I switch here to pppoe-out1?
I still can't get the UPnP feature running.
I activated the logging rule and now tried with the Plex Media Server to make it accessible from the web. It's an extra option in the settings. It isn't working and I don't see anything in the log events. The device is connected at ether2.
I only see entries in the log when I change the UPnP settings or save the settings (example: upnp interface removed by admin).
Edit:
I googled now which port UPnP is using and found out it's 1900, so I tested the sniffer tool from the Tools menu.
I filtered the connections for UDP port 1900 and my source IP. There are packets when I start the UPnP request on my computer, but nothing happens on the router. Any idea?
Yes. Use the actual WAN interface. In fact, change this in every rule wherever it says ether1 - change it to pppoe-out. Ether1-gateway is just a physical port with no IP configuration on it. It's simply a vessel to carry the PPPoE frames to/from the PPPoE server. As far as IP and the firewall are concerned, ether1-gateway is never even used.
As for the ICMP rule, you might make burst a little higher than 5 - if you do a traceroute or something, it's going to generate more ICMP. I'd say play around, and as long as everything's working in normal conditions, then you're fine.
Whatever interface is your LAN interface, make sure there's a rule in the input chain which allows all traffic on that interface. Furthermore, if there are rules in output (these are more rare, but they do serve a purpose), then make sure they're not blocking anything heading out-interface= your LAN interface.
Almost certainly, there's a lan-bridge interface with ports = wlan1 and ether6-master (I sense that you're using a 2011 model). Basically, ether3 - ether5 should have master = ether2, and ether7 - ether10 should have master = ether6.
Then the LAN bridge has ports = wlan1, ether2, and ether6.
The LAN bridge is your ACTUAL LAN interface.
No firewall rule should mention any of the physical ethernet / wlan interfaces (unless you're using bridge filtering also, but that's more advanced, so if you don't know what it is or aren't sure, then you're not). Your firewall should only have rules about interfaces that also have IP addresses on them.
Likewise, the only interfaces you need to enable for UPnP are pppoe-out and the LAN bridge. The physical interfaces are basically just dumb switch ports.
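The input chain and UPnP interface setup recommended in the two replies above, written out as RouterOS CLI commands. This is an added example, not something any poster in the thread wrote; the interface names pppoe-out1 (WAN) and bridge-local (LAN) are taken from this thread, and the `limit=` syntax assumes RouterOS v6.

```routeros
# Added example (not from the thread): input chain as recommended above.
# Interface names pppoe-out1 (WAN) and bridge-local (LAN) follow this
# thread; adjust them if yours differ.
/ip firewall filter
# Rule 1: allow replies to connections the router itself started.
add chain=input connection-state=established,related action=accept \
    comment="accept established/related"
# Rule 2: ICMP, rate-limited to 10 packets/s with a burst of 5. Raise the
# burst if traceroute or ping from the LAN trips it, as suggested above.
add chain=input protocol=icmp limit=10/1s,5:packet action=accept \
    comment="accept rate-limited icmp"
# Allow everything from the LAN bridge (the real LAN interface). This is
# also what lets LAN hosts reach the router's UPnP service.
add chain=input in-interface=bridge-local action=accept \
    comment="accept from LAN"
# Rule 3: drop everything else. With the LAN accept above, this catches
# all WAN input on pppoe-out1 (ether1-gateway carries only PPPoE frames
# and is never matched). log=yes makes dropped WAN traffic, including
# UPnP/SSDP on UDP 1900, visible in /log so the filter can be verified.
add chain=input action=drop log=yes log-prefix="drop-input" \
    comment="drop everything else"

# UPnP: enable it and bind it to the two IP-bearing interfaces only.
/ip upnp set enabled=yes
/ip upnp interfaces
add interface=pppoe-out1 type=external
add interface=bridge-local type=internal

# Check: port mappings requested by UPnP clients appear here as dynamic
# (flag D) dst-nat rules. Nothing is listed until a client asks for one.
/ip firewall nat print where dynamic
```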
Yeah! Thanks very much, I changed the internal interface to bridge-local and it works instantly.
At the moment the configuration was 2,3,4,5 separately bridged and 6 master, 7,8,9,10 slave.
I changed it to 2 master, 3,4,5 slave. I will later use eth1 as master, but I have to wait for my SFP.
I don't really understand this bridging and master configuration, but I will check it out.
Remember those old Linksys routers that only had 1 WAN port and 1 LAN port?
If you wanted to connect more than one computer, you needed a switch in addition to the router.
The "bridge" interface is like that single LAN port, and the ether2-master, ether3-slave, ether4-slave, … ports are the switch.
So any configs you put on a master interface (IP addresses, firewall rules, etc.) will also apply to all of its slaves.
Thanks! Okay, I also read that the master/slave configuration is faster than bridging every interface itself.
Is this because in master/slave mode the interfaces communicate directly?
When the interfaces are in bridge mode, do they have to go through the switch for every connection?
Another question about the ethernet1 and pppoe-out1 interfaces.
After I switched the default configuration rules from "In. Interface= ether1" to pppoe-out1, for example the WinBox and SSH connections didn't work from the internet/WAN side. I had to add a rule that access to pppoe-out1 is allowed for SSH and WinBox. Does this mean that as long as the firewall rule was set to ether1, all connections were going through?
I am only a little bit confused, because when I used the QuickSet option, why isn't WinBox configuring the wrong incoming interface? I know it's not a router for noobs, but this is an important point. Or am I missing something?
Maybe you can check my rules for a moment, are they okay for basic security?
I am a little bit afraid now about.
Edit:
Ok, I read for some time in the wiki and found out that the rules are not configured when I use the QuickSetup. The rules are the basic rules when you reset the device.
I don't want to re-open an old topic, but I was having similar issues, and after reading through carefully in regards to using "bridge-local" and "pppoe-out" over the physical ports, everything started working instantly.
The key point is this: if you're specifying an interface in an IP feature such as firewall filters, NAT rules, DHCP server, etc., then use the name of an interface that actually has an IP address configured on it.
PPPoE is the IP interface, so ether1 is not the IP interface anymore, which is why a filter or NAT rule won't work if you specify ether1 as the interface. The only thing ether1 sees any more are these "boxes" with "pppoe" stamped on them. It's the PPPoE interface that "loads and unloads the boxes."