Tue Sep 14, 2021 1:57 am
- On RouterOS 7.1 beta2 everything works. RouterOS 7.1 beta3 and later, including rc3, have the problem;
- RB750Gr3;
- The configuration below is used with RouterOS 7.1 beta2. The bridge between the WAN interface and the IPTV interface works correctly: the IPTV box receives all the necessary packets, updates, and shows everything without problems.
When using a RouterOS 7.1 version later than beta3, for example rc3, the IPTV box does not receive some of the packets and cannot start.
[mmmmm@Rrrrrr] > /export hide-sensitive
# sep/14/2021 00:01:00 by RouterOS 7.1beta2
# software id = NVNU-MDCM
#
# model = RB750Gr3
# serial number = CC210B0F****
# NOTE(review): the export was taken with hide-sensitive and the serial number and
# MAC addresses look hand-masked; the software id above is posted as exported.
#
# Two bridges: bridge-beeline (ISP side) and bridge-lan (home LAN).
# bridge-beeline has auto-mac=no and a pinned admin-mac that equals the
# mac-address set on ether1-ext below, so the ISP sees one fixed MAC.
# bridge-lan runs with protocol-mode=none, i.e. no STP/RSTP on the LAN bridge.
/interface bridge
add admin-mac=C4:0B:CB:FF:AA:AA auto-mac=no name=bridge-beeline
add name=bridge-lan protocol-mode=none
# Physical ports are renamed by role: ether1 = uplink, ether3 = a computer,
# ether5 = the IPTV set-top box.
/interface ethernet
set [ find default-name=ether1 ] mac-address=C4:0B:CB:FF:AA:AA name=ether1-ext
set [ find default-name=ether3 ] name=ether3-comp
set [ find default-name=ether5 ] name=ether5-iptv
# WireGuard interface listening on UDP 51820. The /ip firewall filter section of
# this export has no rule limiting which interface may reach this port, so it is
# reachable from the ISP side as well.
/interface wireguard
add listen-port=51820 mtu=1420 name=wg
# Interface lists used later by neighbor discovery, the MAC server and list members.
/interface list
add name=local
add name=ISP
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
# LAN DHCP: one pool covering 192.168.1.2-254, served on bridge-lan with 3-day leases.
/ip pool
add name=dhcp_pool0 ranges=192.168.1.2-192.168.1.254
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge-lan lease-time=3d name=dhcp1
/ip vrf
add list=all name=main
# Certificate revocation lists are both downloaded and enforced.
/certificate settings
set crl-download=yes crl-use=yes
# Port membership. ether2/ether3-comp/ether4 form the LAN; ether5-iptv shares
# bridge-beeline with the uplink ether1-ext, so the set-top box sits directly on
# the ISP layer-2 segment and is not behind the router's NAT.
/interface bridge port
add bridge=bridge-lan interface=ether2
add bridge=bridge-lan interface=ether3-comp
add bridge=bridge-lan interface=ether4
add bridge=bridge-beeline interface=ether5-iptv
add bridge=bridge-beeline interface=ether1-ext
# use-ip-firewall=yes sends bridged frames through the IP firewall as well.
# NOTE(review): this puts the traffic bridged between ether1-ext and ether5-iptv
# in the path of the raw/filter rules further down - confirm that is intended.
/interface bridge settings
set use-ip-firewall=yes
# Neighbor discovery is limited to the "local" list, so the router does not
# announce itself towards the ISP.
/ip neighbor discovery-settings
set discover-interface-list=local
# The ISP list holds both bridge-beeline and its member port ether1-ext.
/interface list member
add interface=bridge-lan list=local
add interface=bridge-beeline list=ISP
add interface=ether1-ext list=ISP
# Single WireGuard peer. allowed-address=0.0.0.0/0 accepts any IPv4 source address
# from this peer through the tunnel. The public key is not a secret.
# NOTE(review): if the peer is one client, narrowing allowed-address to its tunnel
# address inside 192.168.2.0/24 limits what a stolen peer key could be used for,
# especially as winbox is allowed from 192.168.2.0/24 in /ip service.
/interface wireguard peers
add allowed-address=0.0.0.0/0 interface=wg persistent-keepalive=10 public-key="XI6hPp1j2RFtrd8kojbfec0HFeCQnIyhXqdGoYxxXCQ="
# Router addresses: .1 on the LAN and .1 on the WireGuard tunnel subnet.
/ip address
add address=192.168.1.1/24 interface=bridge-lan network=192.168.1.0
add address=192.168.2.1/24 interface=wg network=192.168.2.0
# Static ARP entries for three LAN hosts; the same addresses are also pinned
# as DHCP leases in /ip dhcp-server lease.
/ip arp
add address=192.168.1.242 interface=bridge-lan mac-address=50:EC:50:0A:01:AA
add address=192.168.1.16 interface=bridge-lan mac-address=24:4B:FE:8B:AA:F2
add address=192.168.1.15 interface=bridge-lan mac-address=DC:B7:2E:AA:AA:92
# MikroTik cloud DDNS: the router's public address is published under its cloud
# DNS name and refreshed hourly.
/ip cloud
set ddns-enabled=yes ddns-update-interval=1h
# The WAN address is obtained by DHCP on bridge-beeline (the bridge, not ether1-ext).
/ip dhcp-client
add disabled=no interface=bridge-beeline
/ip dhcp-server config
set store-leases-disk=immediately
# Static leases for known LAN hosts.
# NOTE(review): in the last lease the client-id (…56:a6:92) does not match the
# masked mac-address (…AA:AA:92), unlike the other entries; the client-id appears
# to still carry the real MAC octets, so the redaction of this post is incomplete.
/ip dhcp-server lease
add address=192.168.1.242 mac-address=50:EC:50:0A:01:AA server=dhcp1
add address=192.168.1.210 client-id=1:c4:34:aa:aa:ef:b mac-address=C4:34:AA:AA:EF:0B server=dhcp1
add address=192.168.1.91 mac-address=DC:A6:AA:AA:96:69 server=dhcp1
add address=192.168.1.16 client-id=1:24:4b:fe:8b:aa:f2 mac-address=24:4B:FE:8B:AA:F2 server=dhcp1
add address=192.168.1.15 client-id=1:dc:b7:2e:56:a6:92 mac-address=DC:B7:2E:AA:AA:92 server=dhcp1
# DHCP clients are given the public resolvers directly, not the router.
/ip dhcp-server network
add address=192.168.1.0/24 dns-server=1.1.1.1,8.8.8.8 gateway=192.168.1.1 netmask=24
# allow-remote-requests=yes makes the router answer DNS queries arriving on any
# interface. The /ip firewall filter section of this export contains no drop rule
# for the input chain, so port 53 is also answered on bridge-beeline, i.e. the
# router acts as an open resolver towards the Internet (usable for DNS
# amplification and cache probing).
# NOTE(review): either drop udp/tcp 53 in chain=input for the ISP interface list,
# or set allow-remote-requests=no - LAN clients get 1.1.1.1/8.8.8.8 from DHCP, so
# the router's resolver may not be needed; confirm before changing.
/ip dns
set allow-remote-requests=yes servers=1.1.1.1,8.8.8.8
# Filter table: only two rules, both action=add-src-to-address-list. Neither
# accepts nor drops anything, and there is no final drop rule, so the input and
# forward chains accept everything that is not already dropped in the raw table.
# Rule 1: any new TCP connection to 22, 23, 3389 or 8291 arriving on bridge-beeline
#         puts the source into "Honeypot Hacker" for 4w2d.
# Rule 2: the same for UDP 5060 and 20561.
# NOTE(review): an entry is created from a single unauthenticated packet (a TCP SYN
# or one UDP datagram) whose source address can be forged, so the list can end up
# blocking addresses the router depends on. Consider exempting the upstream DNS
# and NTP servers, and add explicit accept (established/related) and drop rules
# for traffic from the ISP side instead of relying on the blocklist alone.
/ip firewall filter
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=4w2d chain=input comment="block honeypot ssh rdp winbox" connection-state=\
new dst-port=22,23,3389,8291 in-interface=bridge-beeline protocol=tcp
add action=add-src-to-address-list address-list="Honeypot Hacker" address-list-timeout=4w2d chain=input comment="block honeypot asterisk" connection-state=new \
dst-port=5060,20561 in-interface=bridge-beeline protocol=udp
# NAT: masquerade for outbound traffic, plus three inbound port forwards to
# 192.168.1.16: HTTP 80, HTTPS 443 and external 2221 -> SSH 22.
# NOTE(review): no forward-chain rule restricts these, so the host is reachable
# from any Internet address. Moving SSH to 2221 only reduces scan noise; the SSH
# service on that host presumably needs key-only authentication or a src-address
# restriction - verify on the host. Port 80 is plain HTTP unless the web server
# redirects to 443.
/ip firewall nat
add action=masquerade chain=srcnat comment="nat for internet" out-interface=bridge-beeline
add action=dst-nat chain=dstnat comment=nextcloud dst-port=80 in-interface=bridge-beeline protocol=tcp to-addresses=192.168.1.16 to-ports=80
add action=dst-nat chain=dstnat dst-port=443 in-interface=bridge-beeline protocol=tcp to-addresses=192.168.1.16 to-ports=443
add action=dst-nat chain=dstnat comment=ubuntu dst-port=2221 in-interface=bridge-beeline protocol=tcp to-addresses=192.168.1.16 to-ports=22
# Raw table: the only drop in the whole firewall. Sources already present in
# "Honeypot Hacker" are dropped in prerouting, which also covers the dst-nat
# forwards above. The packet that first adds a source to the list is not dropped.
/ip firewall raw
add action=drop chain=prerouting in-interface=bridge-beeline src-address-list="Honeypot Hacker"
# All connection-tracking helpers (ftp, tftp, irc, h323, sip, pptp, udplite, dccp,
# sctp) are switched off.
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip hotspot service-port
set ftp disabled=yes
# Management services: telnet, ftp, www, ssh, api and api-ssl are disabled.
# winbox is the only one left enabled and is limited at service level to the LAN
# (192.168.1.0/24) and the WireGuard subnet (192.168.2.0/24).
# NOTE(review): this address list is the only thing keeping winbox closed to the
# ISP side, because the filter table has no input drop rule.
/ip service
set telnet address=192.168.1.0/24 disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes port=2200
set api disabled=yes
set winbox address=192.168.1.0/24,192.168.2.0/24
set api-ssl disabled=yes
# strong-crypto only takes effect if the ssh service above is re-enabled.
/ip ssh
set strong-crypto=yes
# UPnP is enabled with bridge-lan internal and bridge-beeline external: any LAN
# host can request inbound port mappings on the WAN side without authentication.
# allow-disable-external-interface=yes additionally lets a UPnP client ask the
# router to shut down the external interface.
# NOTE(review): unless a LAN application needs UPnP, disabling it (or at least
# setting allow-disable-external-interface=no) removes this exposure.
/ip upnp
set allow-disable-external-interface=yes enabled=yes
/ip upnp interfaces
add interface=bridge-lan type=internal
add interface=bridge-beeline type=external
/system clock
set time-zone-name=Europe/Moscow
/system clock manual
set time-zone=+03:00
/system identity
set name=Rrrrrr
# Logging rules 1-3 (referenced by position; their topics are not shown in this
# export) are switched to the disk action.
/system logging
set 1 action=disk
set 2 action=disk
set 3 action=disk
# Time sync from two fixed NTP servers; accurate time matters for the CRL checks
# enabled under /certificate settings.
/system ntp client
set enabled=yes
/system ntp client servers
add address=88.147.254.230
add address=88.147.254.235
# Updates follow the development channel, and RouterBOARD firmware is upgraded
# automatically.
# NOTE(review): this is an Internet-facing router running pre-release builds;
# combined with the permissive firewall, a regression in a beta lands directly
# on the WAN edge.
/system package update
set channel=development
/system routerboard settings
set auto-upgrade=yes
# Bandwidth test server off; MAC telnet and MAC winbox only on the "local" list.
/tool bandwidth-server
set enabled=no
/tool mac-server
set allowed-interface-list=local
/tool mac-server mac-winbox
set allowed-interface-list=local
# Packet sniffer used for the attached captures: traffic on ether5-iptv is
# captured and streamed to 192.168.1.16, with filter-stream=yes so the stream's
# own packets are not captured again.
# NOTE(review): the stream is sent unencrypted across the LAN to the same host
# that is published to the Internet via dst-nat; turn streaming-enabled off once
# the debugging session is over.
/tool sniffer
set file-limit=5000KiB filter-interface=ether5-iptv filter-stream=yes memory-limit=1000KiB streaming-enabled=yes streaming-server=192.168.1.16
- The attachment contains an archive with two files. They are packet sniffer dumps that can be opened in Wireshark. The /tool sniffer settings used are visible in the configuration above.
File # 1 RouterOS 7.1 rc3, where IPTV is not receiving the required packets.
File # 2 RouterOS 7.1 beta2, where everything works without problems.
WireShark.zip