robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

I'm moving to Mikrotik - yayyy, few questions

Mon Sep 28, 2015 5:10 pm

Hi,
As I have more and more SOHO projects I got tired and frustrated with those cheap "consumer" toys, D-link, Tp-link, even with 3rd party firmwares installed (dd-wrt, openwrt) and decided to jump higher onto the Mikrotik range, so here I am.

I just ordered some HAP Lites for start, I can't wait for them to arrive and play :).

I have a few questions I would like you guys to answer to, if you please :D

Is Mikrotik's integrated DDNS service still available and free to use? The one described here using a format SN.sn.mynetname.net

http://wiki.mikrotik.com/wiki/Manual:IP/Cloud

I would like to use that and set my routers so I can connect via WinBox through WAN (possible yes?).

One issue I keep struggling with in SOHO, where they have a fatal combination of different OSes and shared folders\printers with dynamically allocated IPs by DHCP, is the local DNS resolution. One day PC A (Windows XP) can reach PC B (Win 7) by //pc-name, next day it doesn't because there is a different IP assigned to PC B, etc. I usually just set static IPs on those PCs on which I can and they work, but I also have employees' laptops on which I have to leave auto IP on the Wi-Fi connection because currently on Windows I did not find a way to assign a static IP per Wi-Fi connection; for those I use Static DHCP when I can, but all this gives me headaches when things go wrong.

With Mikrotik I guess the Static DHCP feature is much more solid and reliable than cheap toy routers but my question is, does the DNS caching feature in RouterOS help me with LAN host names\shares?
 
deanMKD1
Member
Posts: 361
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia

Re: I'm moving to Mikrotik - yayyy, few questions

Mon Sep 28, 2015 5:44 pm

First, welcome to the MikroTik family! :)

Now the answers to your questions.

1. Yes, the integrated dyndns called "Cloud" is free with every RB for life and it's still available. Don't worry about it. ;)

2. Yeah, connecting routers and accessibility from Winbox also works great. Routers can also be accessible from outside without problems.

3. Setting static IP addresses for wifi-connected clients is the easiest part in RouterOS. It's one click only.

4. Accessing computer shares is also very easy to set. Set static addresses for computers in the LAN, set Windows sharing properties and you are ready to share files in all your network.
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Tue Sep 29, 2015 3:45 pm

> First, welcome to the MikroTik family! :)
>
> Now the answers to your questions.
>
> 1. Yes, the integrated dyndns called "Cloud" is free with every RB for life and it's still available. Don't worry about it. ;)
>
> 2. Yeah, connecting routers and accessibility from Winbox also works great. Routers can also be accessible from outside without problems.
>
> 3. Setting static IP addresses for wifi-connected clients is the easiest part in RouterOS. It's one click only.
>
> 4. Accessing computer shares is also very easy to set. Set static addresses for computers in the LAN, set Windows sharing properties and you are ready to share files in all your network.

Awesome!
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Fri Oct 02, 2015 10:18 pm

I've got the HAP Lite today and got to play with it a bit! I was surprised to see it is so small :D but oh man, how many things this little guy could do.

I set it up as my main router in my office, that is

Huawei ADSL modem put in Bridge mode

Then

HAP Lite
- ether1 - WAN
- put a PPPoE client on ether1 (checked Use peer DNS and add default route)
- switched ether2 + ether3 + ether4 by setting ether3 and ether4 as slaves of ether2
- wlan1 and ether2 made into a bridge, bridge1
- set up IP of 192.168.1.1/24 on bridge1
- set up DHCP server on bridge1, with range from .2 - .254, DNS set to 192.168.1.1, additional 8.8.8.8 and 8.8.4.4
- set DNS with Allow Remote Requests to enable caching
- wlan1 configured with security profile, WPA2

Connected ether1 to LAN1 of ADSL modem and fired up, it works 'till this very moment.

Now, after I read the wiki, I am planning to understand the firewall, but I have a few questions, among others :).

1. What exactly does an "established" connection mean? What about related, invalid, could you give an example?
I'd like to know why the following rule would not allow a "hacker" to make a connection to my router
add chain=input connection-state=established comment="Accept established connections"
2. I did set up some basic rules, like accept on the input chain everything from LAN, drop everything else. As far as I understand, this breaks DNS because the router can ask for DNS resolution and when the answer comes back from the external DNS server, it gets dropped; same goes for NTP, ping, cloud, right? So, I set up a rule to allow all UDP, but it doesn't seem to work, same goes for ping, cloud, etc., when the "drop" rule is active.

Here is my firewall export
[admin@MikroTik] /ip firewall> export        
# oct/02/2015 22:11:57 by RouterOS 6.25
# software id = UM3I-I1CV
#
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add chain=input src-address-list=LAN
add chain=input protocol=udp
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
I then added a new rule to allow all ICMP on the input chain and I could get ping back to work.
add chain=input protocol=icmp
3. I want to manage my router from the Internet via Winbox, is this rule enough in order to do that?
add chain=input protocol=tcp dst-port=8291 comment="winbox" 
 
bwbb
just joined
Posts: 12
Joined: Thu Sep 10, 2015 3:32 am

I'm moving to Mikrotik - yayyy, few questions

Fri Oct 02, 2015 10:27 pm

Make sure to change your Winbox port and disable services you don't need like SSH, FTP, etc.


Sent from my mobile device.
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Fri Oct 02, 2015 10:42 pm

> Make sure to change your Winbox port and disable services you don't need like SSH, FTP, etc.
>
> Sent from my mobile device.

Just did, I only left Winbox as a service.

I just moved the rules that allow ICMP and UDP on the input chain up, and now for some reason it works, I have DNS responses and ping replies to the router.
[admin@MikroTik] /ip firewall> export 
# oct/02/2015 22:41:41 by RouterOS 6.25
# software id = UM3I-I1CV
#
/ip firewall address-list
add address=192.168.1.0/24 list=LAN
/ip firewall filter
add chain=input protocol=udp
add chain=input protocol=icmp
add chain=input src-address-list=LAN
add action=drop chain=input
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
deanMKD1
Member
Posts: 361
Joined: Fri Dec 12, 2014 12:06 am
Location: Macedonia

Re: I'm moving to Mikrotik - yayyy, few questions

Sat Oct 03, 2015 12:17 am

1. Established means "Connected" to another item. :)
add chain=input connection-state=established comment="Accept established connections" means that the connection status is "established", and the comment is only for identifying the selected firewall rule.

2. /ip firewall address-list
add address=192.168.1.0/24 list=LAN --> With this rule you add 192.168.1.0/24 into the address list. This is required for the internet connection to function normally and for every item in the network to get an IP address.
/ip firewall filter
add chain=input src-address-list=LAN
add chain=input protocol=udp
add action=drop chain=input --> With this rule, you set all UDP traffic in the LAN bridge to drop UDP packets.
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1 --> With this rule, you set the main interface from which you get your internet connection to share it in your LAN.

3. With this rule you can access your MT from everywhere.

/ip firewall filter
add action=accept chain=input disabled=no dst-port=8291 protocol=tcp place-before=3
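
Added example, not part of any post in this thread: a small Python model of first-match evaluation on the RouterOS input chain, run against the rule order from the second export above and against a stateful variant that accepts established and related traffic first. The stateful rule set, the sample packets and all names are assumptions of this example; it shows that replies to the router's own lookups pass as "established" without a blanket UDP accept, which, with Allow Remote Requests enabled, also lets unsolicited DNS queries from the WAN reach the router.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

LAN = ipaddress.ip_network("192.168.1.0/24")   # the thread's address-list "LAN"

@dataclass
class Rule:
    action: str = "accept"            # RouterOS uses accept when no action is given
    proto: Optional[str] = None
    state: Optional[str] = None       # connection-state matcher
    src_lan: bool = False             # stands in for src-address-list=LAN

@dataclass
class Packet:
    src: str
    proto: str
    dport: int                        # informational; no rule below matches on it
    state: str                        # new / established / related / invalid

def verdict(chain, pkt):
    """First matching rule decides; later rules are never consulted."""
    for r in chain:
        if r.proto and r.proto != pkt.proto:
            continue
        if r.state and r.state != pkt.state:
            continue
        if r.src_lan and ipaddress.ip_address(pkt.src) not in LAN:
            continue
        return r.action
    return "accept"                   # nothing matched: end of chain means accept

# Rule order from the second export in the thread.
THREAD = [Rule(proto="udp"), Rule(proto="icmp"), Rule(src_lan=True), Rule(action="drop")]
# Stateful alternative (an assumption of this example, not posted in the thread).
STATEFUL = [Rule(state="established"), Rule(state="related"),
            Rule(action="drop", state="invalid"), Rule(proto="icmp"),
            Rule(src_lan=True), Rule(action="drop")]

# Constructed sample packets arriving on the input chain.
DNS_REPLY = Packet("8.8.8.8", "udp", 40000, "established")   # answer to the router's own query
WAN_DNS_QUERY = Packet("203.0.113.7", "udp", 53, "new")      # unsolicited, from the Internet
LAN_WINBOX = Packet("192.168.1.10", "tcp", 8291, "new")
WAN_WINBOX = Packet("203.0.113.7", "tcp", 8291, "new")

def compare():
    pkts = {"dns_reply": DNS_REPLY, "wan_dns_query": WAN_DNS_QUERY,
            "lan_winbox": LAN_WINBOX, "wan_winbox": WAN_WINBOX}
    return {n: (verdict(THREAD, p), verdict(STATEFUL, p)) for n, p in pkts.items()}
```

`compare()` returns a `(thread, stateful)` verdict pair per packet; the two rule sets differ only on the unsolicited WAN DNS query.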
 
SystemErrorMessage
Member
Posts: 378
Joined: Sat Dec 22, 2012 9:04 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Sat Oct 03, 2015 2:08 am

Well, when you compare the capabilities of the same range between consumer routers, consumer router firmware alternatives, ubiquiti and mikrotik, for the same things both ubiquiti and mikrotik are much better. Mikrotik takes the lead in routing stuff while ubiquiti can install debian linux packages so you can use it for other things. When you use mikrotik for what makes it truly special you will find it to be disappointing and then will move on to pfsense or similar.

If you have the skill I urge you to consider using pfsense or a linux server. If you need something low cost and low profile there are various small x86 boards and cases with multiple NICs made with networking in mind.
 
jarda
Forum Guru
Posts: 7603
Joined: Mon Oct 22, 2012 4:46 pm

I'm moving to Mikrotik - yayyy, few questions

Sat Oct 03, 2015 8:55 am

Well. If hap lite is enough for someone, he will surely not move to x86 / pfsense.

Nothing against pfsense but I have played a bit with it and realised that it was accepting packets from wan during booting period and replying to them. Not so good for something that is called firewall...
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Sat Oct 03, 2015 4:29 pm

As I stated in the first post, I usually deal with small office networks, so a device like Hap Lite is much much better than the usual ISP junk modems that they have in there, most of them keep their networks all managed by those modems.
I used consumer devices like TP-Link WR1043 with 3rd party firmware (Open WRT, DD-Wrt) where more than basic features were needed but the jump to Mikrotik provides me with many more features and most of all, reliability.

In the future, I will of course move to more advanced models.

I'm trying to understand all the features Mikrotik provides, one by one.

:D
 
kzla
newbie
Posts: 37
Joined: Mon Nov 26, 2012 11:39 am

Re: I'm moving to Mikrotik - yayyy, few questions

Sat Oct 03, 2015 6:32 pm

hAP Lite user here ..
Have you tried setting up a hotspot on your hAP Lite?
I tried but I don't know why HTTPS sites are not opening.
If you get that thing running please share the config with me. :D
I've been searching for this for a week now and still no fix for this :(
 
robertEIT
Member Candidate
Topic Author
Posts: 110
Joined: Tue Sep 08, 2015 6:16 pm

Re: I'm moving to Mikrotik - yayyy, few questions

Fri Oct 09, 2015 3:48 pm

> hAP Lite user here ..
> Have you tried setting up a hotspot on your hAP Lite?
> I tried but I don't know why HTTPS sites are not opening.
> If you get that thing running please share the config with me. :D
> I've been searching for this for a week now and still no fix for this :(

I'll try hotspot.

For now I'm going to try isolated guest wlan, some port forwarding and playing with the firewall. Hotspot sounds nice, will definitely try it.
 
kzla
newbie
Posts: 37
Joined: Mon Nov 26, 2012 11:39 am

Re: I'm moving to Mikrotik - yayyy, few questions

Sat Oct 10, 2015 10:52 am

>> hAP Lite user here ..
>> Have you tried setting up a hotspot on your hAP Lite?
>> I tried but I don't know why HTTPS sites are not opening.
>> If you get that thing running please share the config with me. :D
>> I've been searching for this for a week now and still no fix for this :(
>
> I'll try hotspot.
>
> For now I'm going to try isolated guest wlan, some port forwarding and playing with the firewall. Hotspot sounds nice, will definitely try it.

Don't know what went wrong with the hotspot running on the wlan interface, but when I reset the device and set the hotspot on one of the ethernet ports, it works like a charm.

Will share the config if you want, just ping me here! Cheers! :D
