I am posting this message again since it seems the original message is no longer available.
Yesterday the forum was down and when it came back, now it is no longer available.
So, I have at home/office a 1 Gbps Internet connection. The ISP provides all the parameters (PPPoE, user, password, VLAN ID) and I have the standard router they sent to me.
The wAP R ac has 2 Ethernet ports and I was going to build a test environment to replace the standard router with the MikroTik and, after the test, get an 8-port MikroTik router.
I have no idea where to start from, so I reset the wAP config and started from a green field.
Connect the internet cable to Eth1
Defined the VLAN on Eth1
Defined the PPPoE on Eth1
Defined the NAT on the WAN side
Defined a DHCP client on Eth1
Nothing more than the above, and the MikroTik registers correctly with the ISP.
Connecting a PC with a cable to Eth2 lets it browse the internet perfectly.
Question 1)
How to secure this setup? If I look at the firewall, there are no rules defined.
Question 2)
My ISP provides me 1 Gbps down / 200 Mbps up. Using the Speedtest app with the standard router, I get full speed… let me say… 950 Mbps / 200 Mbps.
Doing the test with the MikroTik I get 800 Mbps down and "only" 80… 90… Mbps up.
Why?
thanks
P.S.: if someone can suggest a guide to me for configuring a MikroTik for this job… it would be nice.
Hello,
Some posts seem to be deleted due to yesterday’s power outage.
In general, MikroTik has default firewall rules. If you don't have any defined rules, I suggest using Quick Set or resetting to the default config, and then adding your PPPoE client again. You can add them manually, but it may conflict with your existing PPPoE. If you are familiar with the CLI in MikroTik, then you can easily edit them to suit your environment.
Default firewall rules seem to do the work just fine. I personally allow everything I need in inbound rules for my WAN and drop everything else.
This is what I did…
The wAP was used in the past for test purposes and was a bit messy, so I reset it to the factory default with a clean Netinstall to start from scratch.
I am really sure: no default rules in the firewall section.
If I reset again I will have the same result… I already did it three times during the weekend.
This is my local router firewall. It's the default config with HTTP, HTTPS, a custom Winbox port, and the ICMP flow. I disabled two of them for you; if you want them you can just enable them. If you want to use a custom port for your Winbox/SSH, set it in the CLI under IP/Services and restrict the allowed access IP range. Good practice for security.
IPv4
# dec/20/2021 13:53:14 by RouterOS 7.1
# model = 2011UAS-2HnD
/ip firewall filter
add action=accept chain=input comment="accept established,related" connection-state=established,related
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="accept TCP HTTP/S" dst-port=80,443 in-interface-list=WAN protocol=tcp disabled=yes
add action=accept chain=input comment="accept TCP Winbox " dst-port=CUSTOMPORT in-interface-list=WAN protocol=tcp disabled=yes
add action=jump chain=input comment="Jump for icmp input flow" jump-target=ICMP protocol=icmp
add action=jump chain=forward comment="Jump for icmp forward flow" jump-target=ICMP protocol=icmp
add action=accept chain=ICMP comment="Echo request - Avoiding Ping Flood" icmp-options=8:0 limit=2,5:packet protocol=icmp
add action=accept chain=ICMP comment="Echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=ICMP comment="Time Exceeded" icmp-options=11:0 protocol=icmp
add action=accept chain=ICMP comment="Destination unreachable" icmp-options=3:0-1 protocol=icmp
add action=accept chain=ICMP comment="PMTUD Clamp" icmp-options=3:4 protocol=icmp
add action=drop chain=ICMP comment="Drop to the other ICMPs" protocol=icmp
add action=jump chain=output comment="Jump for icmp output" jump-target=ICMP protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=accept chain=forward comment="accept established,related" connection-state=established,related
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat connection-state=new in-interface-list=WAN
Please avoid the overly complex firewall rules shown.
Something closer to what MT actually provides as a common baseline ruleset is below.
On the WAN side, yes ether1 is typically the WAN port used.
However, setting up the PPPoE client along with a VLAN seems fairly simple.
You should get a username, password and VLAN assigned by the provider.
You will need the PPP package added so that it is selectable in the main left-hand side menu of Winbox.
- First assign the ISP VLAN to ether1.
- Then select a new interface and select PPPoE Client.
Under PPPoE Client settings:
- For the interface for that client, select the ISP VLAN interface.
- For dial out, put in the user name and password.
++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++++
You can use these if you desire.
/ip firewall filter
add action=accept chain=input comment="defconf: accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=invalid
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
# disable the next rule if CAPsMAN is not in use
add action=accept chain=input comment="defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=input comment="defconf: accept from LAN" in-interface-list=LAN
add action=drop chain=input comment="defconf: drop everything else on input"
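The steps described in the post above (ISP VLAN on ether1, PPPoE client on the VLAN interface, NAT, and a baseline firewall), together with the first post's setup list, as one pasteable RouterOS 7 configuration. This is an added example, not the configuration posted by either participant. The VLAN ID 835, the LAN subnet 192.168.88.0/24, the PPPoE credentials USERNAME/PASSWORD and the interface names ether1 (WAN) and ether2 (LAN) are assumptions; substitute the values the ISP gave you. Because the PPPoE session supplies the public address and default route, no DHCP client on ether1 is used here.

```routeros
# Added example: ISP VLAN + PPPoE on ether1, LAN on ether2, NAT and a
# default-style firewall. VLAN ID, subnet and credentials are placeholders.

/interface vlan
add name=vlan-isp interface=ether1 vlan-id=835 comment="ISP VLAN (ID is an assumption)"

/interface pppoe-client
add name=pppoe-out1 interface=vlan-isp user=USERNAME password=PASSWORD \
    add-default-route=yes use-peer-dns=yes disabled=no comment="ISP PPPoE session"

# Interface lists: the firewall matches on these, so the PPPoE interface
# (not ether1) must be the WAN member.
/interface list
add name=WAN
add name=LAN
/interface list member
add list=WAN interface=pppoe-out1
add list=LAN interface=ether2

# LAN addressing, DHCP server and DNS on ether2
/ip address
add address=192.168.88.1/24 interface=ether2
/ip pool
add name=lan-pool ranges=192.168.88.10-192.168.88.254
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1
/ip dhcp-server
add name=lan-dhcp interface=ether2 address-pool=lan-pool disabled=no
/ip dns
set allow-remote-requests=yes

# Source NAT for LAN hosts leaving through the PPPoE session
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN comment="defconf: masquerade"

# Firewall: protect the router (input) and the LAN (forward)
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept protocol=icmp comment="defconf: accept ICMP"
add chain=input action=accept in-interface-list=LAN comment="defconf: accept from LAN"
add chain=input action=drop comment="defconf: drop everything else on input"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

# Management services reachable from the LAN subnet only; unused ones off
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=192.168.88.0/24
set winbox address=192.168.88.0/24
set ssh address=192.168.88.0/24
```

Paste it into a Winbox terminal on a freshly reset device, from a PC on ether2, so the input rules never cut off your own session. The forward-chain rules mirror the ones in the 2011UAS export earlier in the thread: new connections arriving on WAN are dropped unless a dst-nat rule explicitly created them, so nothing inside the LAN is reachable until you deliberately publish it. The fasttrack rule is what lets a small CPU such as the wAP ac's forward established flows at close to line rate; without it every packet walks the full filter chains.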
I must be honest… I am running with the default router provided for free by the ISP.
I wish to have something more secure, but even the most secure device, in the wrong hands, could be very dangerous compared to a simple device that someone like me can understand very, very well.
I got the MT working on my ISP with PPPoE and VLAN in 5 minutes, but to be honest, since I do not know RouterOS and MikroTik very deeply… maybe it is better to stay with something simpler.
Question: is there something "ready" around to have a MikroTik router behave like a home/office router like any other Netgear, Fritz, etc.?
I have not got a clue what you are saying.
The ruleset I provided is as simple as it gets and protects your router and the LAN.
If that is too much suggest looking at a home consumer model.
MT is for people that have an iota of natural curiosity and wish to learn as they go.
The ruleset I gave you is pretty much set and forget, in other words, the “HOME” setup.
In other words, you can forget about the router, except for a yearly checkin to update the firmware.
BEFORE YOU ADD ANY RULES, it is important to see what the current config is to make sure you don't lock yourself out of the router. So please post your config: /export hide-sensitive file=anynameyouwish
Find the Terminal command in Winbox and paste the command above into the terminal window.
Then go to Files in Winbox, find the file that was created, and copy and paste it here.
Once we have a look at the config and its ready to add some firewall rules, the following applies.
There are two ways (actually more but for simplicity) to enter rules.
One at a time in Winbox…
Or using Winbox and finding the terminal… then copy and paste the text and it will import the rules…
Many many thanks for your help.
What I was trying to say is that when someone (like me) is not perfectly sure about what he is going to do, and we are speaking about security… having a powerful device may have several side effects… let me say having the network attacked by hackers.
Let me say… I trust you, but I do not trust myself.
Assume I configure the MT in a perfect way with your help, then tomorrow I need to add a forwarding rule for a new service, I try by myself and… wow, it works… but I forget, because I do not know, to add something here or there, so I open my network to other people… it would be a nightmare. This is my trouble.
Anyway… I will follow your suggestion and provide what you asked for.
What about the questions I asked? Why does the standard router perform at 1000/200 Mbps up/down and the MikroTik is OK for download but only about 80 Mbps up?
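For the port-forwarding worry in the post above, an added example (not from the thread) of what publishing one internal service looks like when the forward chain carries the "drop all from WAN not DSTNATed" rule from the 2011UAS export earlier in the thread. It assumes that rule and the WAN interface list already exist; the internal host 192.168.88.20 and port tcp/443 are assumptions.

```routeros
# Added example: publish one internal service and verify nothing else opened.
# 192.168.88.20 and tcp/443 are placeholders.

/ip firewall nat
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=443 \
    to-addresses=192.168.88.20 to-ports=443 comment="publish web server (example)"

# With "drop all from WAN not DSTNATed" in the forward chain, this single
# dst-nat rule is the only thing that opens: new connections from WAN that
# no dst-nat rule touched are still dropped, so a forgotten or mistyped
# rule fails closed rather than open.

# Checks to run after adding the rule:
/ip firewall nat print where chain=dstnat
/ip firewall filter print stats where chain=forward
# The counter on the "drop all from WAN not DSTNATed" rule keeps rising for
# unsolicited traffic; the dst-nat rule's counter rises only for tcp/443.

# To close the service again without deleting the rule:
/ip firewall nat disable [find comment="publish web server (example)"]
```

The habit this shows is to treat the dst-nat rule as the one and only switch for exposure: add it to publish, disable it to unpublish, and read the forward-chain counters to confirm that everything else still lands on the drop rule.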
That will become clearer upon seeing the config.
There should be no difference; from my experience the MT devices do not reduce throughput unless misconfigured, and even then it's hard to do.
Hello
I performed some test comparing the Mikrotik vs the stock router vs different speed test engines.
Very strange: I was used to testing my speed using the classic Ookla, and with this test the stock router reaches almost the top speed allowed by my ISP (Vodafone, 1000 Mbps / 200 Mbps); with Ookla the MikroTik reaches the top speed in download, while in upload it stops at half speed, so more or less 80-90 Mbps.
Using some other test engines, such as nPerf, both the stock router and the MikroTik reach the top speed in both download and upload.
So it seems that I get poor upload only with MikroTik AND Speedtest by Ookla; of course I tested different Ookla servers without any significant differences.