terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

New to MikroTik

Tue Mar 22, 2016 5:04 pm

I got my first MikroTik and while I'm happy with the overall features I'm seeing in the WinBox interface, I am having some problems getting this router to be deployable in one of our standard VoIP situations.

I was able to quickly configure the WAN and LAN addressing schemes. I got on the internet and could browse anything I needed from behind the firewall. Basic router functionality works great. That's where the issues start: I need to be able to both PING the WAN interface and remotely access the router using WinBox from any IP (I can lock it down in the future). After that, I need to configure for SIP/SCCP prioritization, but I'll post another topic on that later.

I could use some help with these items: WAN PING response and remote accessibility
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 22, 2016 5:10 pm

I should note that I have been browsing the forums and have tried several of the methods mentioned. I even went as far as factory resetting my equipment and only allowed PING, but to no avail.
 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: New to MikroTik

Tue Mar 22, 2016 5:18 pm

If ping is blocked by something on your router, it's firewall rules in IP->Firewall->Filter, chain "input".
 
Morpheus1607
newbie
Posts: 35
Joined: Fri Jul 25, 2014 1:17 pm

Re: New to MikroTik

Tue Mar 22, 2016 5:47 pm

Could you post your config so we can have a look?

I think it would be a little bit easier to see what the problem might be.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: New to MikroTik

Wed Mar 23, 2016 12:07 am

Welcome to the world of MikroTik, you'll love it here. Okay, you'll occasionally pull out your hair, but you'll love it again. Here is a very basic setup (delete all current rules).

Create a bridge, put everything you want in there (except eth1 which should be your WAN), name it bridge-LAN.

Paste this into a terminal:
/ip firewall filter
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add chain=input comment="Remote Winbox" dst-port=8291 protocol=tcp
add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add chain=input comment="Allow connections that originated from LAN" connection-state=established,related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=drop chain=input comment="Disallow all other input"

add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
add chain=forward comment="Allow connections that originated from LAN" connection-state=established,related
add action=drop chain=forward comment="Disallow all other forward"
 
nxs02
Member Candidate
Posts: 119
Joined: Sat Nov 07, 2015 1:25 pm
Location: Planet Earth

Re: New to MikroTik

Wed Mar 23, 2016 6:13 am

> add chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
You don't need anyone in the LAN to have access to the router.
> add chain=forward comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge-LAN
Is it really necessary to specify connection-state=new?
Also you need to specify the output interface so that not everyone has access to the router.
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: New to MikroTik

Wed Mar 23, 2016 6:19 am

> You don't need anyone in LAN have access to router ... also you need to specify output interface so that everyone will not have access to router.
I imagine our friend would like to be able to connect into his own router from his LAN. The other rules I have specified will block access from WAN. Try the rules and see.
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Wed Mar 23, 2016 3:39 pm

What do I need to do to post this information?
 
pcunite
Forum Guru
Posts: 1345
Joined: Sat May 25, 2013 5:13 am
Location: USA

Re: New to MikroTik

Wed Mar 23, 2016 4:13 pm

> What do I need to do to post this information?
Run this command:
/export verbose file=MyFile.rsc

Then paste the output between the forum's code blocks.
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 29, 2016 12:04 am

> > What do I need to do to post this information?
> Run this command:
> /export verbose file=MyFile.rsc
>
> Then paste the output between the forum's code blocks.
Sorry this is taking me so long. A lot of projects came up at work.

So I ran the /export command. Where does this file live so I can open it?
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 29, 2016 12:15 am

> > > What do I need to do to post this information?
> > Run this command:
> > /export verbose file=MyFile.rsc
> >
> > Then paste the output between the forum's code blocks.
> Sorry this is taking me so long. A lot of projects came up at work.
>
> So I ran the /export command. Where does this file live so I can open it?
Never mind. I found it through the WinBox interface. IP Filter post coming....
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 29, 2016 12:16 am

Edit: With the rules below I am able to PING the interface now; however, I am still unable to connect from a remote IP address via WebGUI, WinBox, or Telnet.
/ip firewall filter
add action=accept chain=input comment="Remote Winbox" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    !connection-state !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit dst-port=8291 \
    !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    protocol=tcp !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment=\
    "Allow LAN access to router and Internet" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=new !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=bridge1 \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment=\
    "Allow connections that originated from LAN" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=input comment="Allow ping ICMP from anywhere" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority protocol=icmp !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=accept chain=forward comment=\
    "Allow LAN access to router and Internet" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=new !connection-type !content disabled=no !dscp \
    !dst-address !dst-address-list !dst-address-type !dst-limit !dst-port \
    !fragment !hotspot !icmp-options !in-bridge-port in-interface=bridge1 \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=accept chain=forward comment=\
    "Allow connections that originated from LAN" !connection-bytes \
    !connection-limit !connection-mark !connection-nat-state !connection-rate \
    connection-state=established,related !connection-type !content disabled=\
    no !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port !out-interface !p2p \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-flags \
    !tcp-mss !time !ttl
add action=drop chain=input comment="Disallow weird packets" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=input comment="Disallow all other input" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=forward comment="Disallow weird packets" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate connection-state=invalid \
    !connection-type !content disabled=no !dscp !dst-address \
    !dst-address-list !dst-address-type !dst-limit !dst-port !fragment \
    !hotspot !icmp-options !in-bridge-port !in-interface !ingress-priority \
    !ipsec-policy !ipv4-options !layer7-protocol !limit log=no log-prefix="" \
    !nth !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
add action=drop chain=forward comment="Disallow all other forward" \
    !connection-bytes !connection-limit !connection-mark \
    !connection-nat-state !connection-rate !connection-state !connection-type \
    !content disabled=no !dscp !dst-address !dst-address-list \
    !dst-address-type !dst-limit !dst-port !fragment !hotspot !icmp-options \
    !in-bridge-port !in-interface !ingress-priority !ipsec-policy \
    !ipv4-options !layer7-protocol !limit log=no log-prefix="" !nth \
    !out-bridge-port !out-interface !p2p !packet-mark !packet-size \
    !per-connection-classifier !port !priority !protocol !psd !random \
    !routing-mark !routing-table !src-address !src-address-list \
    !src-address-type !src-mac-address !src-port !tcp-flags !tcp-mss !time \
    !ttl
/ip firewall nat
add action=masquerade chain=srcnat !connection-bytes !connection-limit \
    !connection-mark !connection-rate !connection-type !content disabled=no \
    !dscp !dst-address !dst-address-list !dst-address-type !dst-limit \
    !dst-port !fragment !hotspot !icmp-options !in-bridge-port !in-interface \
    !ingress-priority !ipsec-policy !ipv4-options !layer7-protocol !limit \
    log=no log-prefix="" !nth !out-bridge-port out-interface="WAN (Rise)" \
    !packet-mark !packet-size !per-connection-classifier !port !priority \
    !protocol !psd !random !routing-mark !routing-table !src-address \
    !src-address-list !src-address-type !src-mac-address !src-port !tcp-mss \
    !time !to-addresses !to-ports !ttl

 
Sob
Forum Guru
Posts: 9121
Joined: Mon Apr 20, 2009 9:11 pm

Re: New to MikroTik

Tue Mar 29, 2016 1:53 am

You don't allow web interface (tcp/80) and telnet (tcp/23) from WAN. But WinBox (tcp/8291) should be allowed from anywhere by first rule.

Btw, "verbose" option for export is not a good idea. It exports all options, including those with default values, and result is too long and very hard to read.
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 29, 2016 6:46 am

> You don't allow web interface (tcp/80) and telnet (tcp/23) from WAN. But WinBox (tcp/8291) should be allowed from anywhere by first rule.
>
> Btw, "verbose" option for export is not a good idea. It exports all options, including those with default values, and result is too long and very hard to read.
add chain=input comment="HTTP Access" dst-port=80 protocol=tcp
add chain=input comment="Telnet Access" dst-port=23 protocol=tcp

Hrm, apparently my firewall in the office is blocking the access as I can hit my lab from home... weird... yet another firewall to troubleshoot >.>
 
terminal205
Frequent Visitor
Topic Author
Posts: 77
Joined: Wed Mar 09, 2016 8:53 pm
Location: Texas

Re: New to MikroTik

Tue Mar 29, 2016 6:53 am

Here are my updated firewall settings. Everything is working swimmingly now. Guess I need to tackle why this isn't working from the office. Then I get to tackle QoS policies. Thank you everyone for your help.
/ip firewall filter
add action=drop chain=input comment="Disallow weird packets" \
    connection-state=invalid
add chain=input comment="Remote Winbox" dst-port=8291 protocol=tcp
add chain=input comment="HTTP Access" dst-port=80 protocol=tcp
add chain=input comment="Telnet Access" dst-port=23 protocol=tcp
add chain=input comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge1
add chain=input comment="Allow connections that originated from LAN" \
    connection-state=established,related
add chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add chain=forward comment="Allow LAN access to router and Internet" \
    connection-state=new in-interface=bridge1
add chain=forward comment="Allow connections that originated from LAN" \
    connection-state=established,related
add action=drop chain=input comment="Disallow all other input"
add action=drop chain=forward comment="Disallow weird packets" \
    connection-state=invalid
add action=drop chain=forward comment="Disallow all other forward"
 
sash7
Frequent Visitor
Posts: 68
Joined: Sun Mar 20, 2016 10:39 pm

Re: New to MikroTik

Tue Mar 29, 2016 10:28 am

1. It's a really bad idea to open WinBox, HTTP and Telnet to the whole internet.
2. Put the "related, established" rule in second place in the input chain, right behind the 'invalid' rule. And this is not about "connections that originated from LAN": this rule accepts most traffic in the input chain, so move it ahead.
3. In the forward chain, move the rule for "invalid" to first place, or remove it; as it stands it's just pointless - you drop everything in the next (last) line.
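For anyone landing on this thread later, here is pcunite's rule set from earlier in the thread reworked to address all three of the points above. This is an added example and is not code from the thread or from MikroTik; it assumes the LAN bridge is named bridge-LAN as in pcunite's post, and the addresses in the "mgmt" address list are placeholders for the admin's real static IPs or VPN pool.

```routeros
# Added example (not from the thread): pcunite's rules reordered per sash7's
# three points. Assumes bridge-LAN is the LAN bridge; the mgmt addresses are
# placeholders (TEST-NET ranges) to be replaced with the real management IPs.

/ip firewall address-list
add list=mgmt address=192.0.2.10 comment="Office static IP (placeholder)"
add list=mgmt address=198.51.100.0/24 comment="VPN pool (placeholder)"

/ip firewall filter
# --- input chain: traffic addressed to the router itself ---
# Point 3 (applied to input as well): drop invalid first, then accept
# established/related right behind it, since that matches most input packets
# and every later rule is then evaluated only for genuinely new connections.
add chain=input action=drop connection-state=invalid comment="Drop invalid"
add chain=input action=accept connection-state=established,related \
    comment="Accept replies to existing connections"
add chain=input action=accept protocol=icmp comment="Allow ping from anywhere"
# Point 1: management ports are reachable only from the mgmt list, not from
# any IP. Telnet is plaintext; prefer WinBox/SSH and drop 23 from this list
# once it is no longer needed.
add chain=input action=accept protocol=tcp dst-port=8291,80,23 \
    src-address-list=mgmt comment="WinBox/HTTP/Telnet from management IPs only"
# LAN hosts may still reach the router (DNS, WinBox from inside). No
# connection-state=new is needed here: invalid was dropped and
# established/related accepted above, so only new connections reach this rule.
add chain=input action=accept in-interface=bridge-LAN \
    comment="LAN access to router"
add chain=input action=drop comment="Drop all other input"

# --- forward chain: traffic passing through the router ---
# Point 3: the invalid drop is placed first, where it actually does something.
add chain=forward action=drop connection-state=invalid comment="Drop invalid"
add chain=forward action=accept connection-state=established,related \
    comment="Accept replies to existing connections"
add chain=forward action=accept in-interface=bridge-LAN \
    comment="LAN may open new connections outward"
add chain=forward action=drop comment="Drop all other forward"
```

Rules in a chain are evaluated top to bottom and the first match wins, so the established/related accept near the top is both the fast path for normal traffic and the reason the later accept rules only ever see new connections. Before pasting, check the current chain with `/ip firewall filter print` and remove the old rules, as pcunite said; after pasting, confirm from a non-management address that only ICMP still answers on the WAN side. As an additional layer, RouterOS also lets the management services themselves be bound to permitted source addresses under /ip service with the address parameter.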
