knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

Cannot route between two private ip ranges on the same router?

Mon Dec 05, 2016 11:50 pm

All,

This is a new one to me; I must be missing something very basic. I have a RB1100AH running v6.29.1. Here is my setup:

WAN, Masquerade. Public IP
Switch One and Two Bridged House Network, all ports. 10.0.5.0/24
GW 10.0.5.1, DHCP Server
Ethernet 11,12 Bridged to Test Network. 10.0.6.0/24
GW 10.0.6.1, DHCP Server

Route Print

0 ADS 0.0.0.0/0 66.235.23.1 2
1 ADC 10.0.5.0/24 10.0.5.1 HomeNetwork 0
2 ADC 10.0.6.0/24 10.0.6.1 WebPortBridge 0
3 ADC 66.235.23.0/24 66.235.23.228 WaveBroadband 0

Pinging ANY active IP from the ROUTER I get responses, i.e. 10.0.5.10, 10.0.6.10
Pinging a 10.0.5.0/24 from a 10.0.5.X IP I get valid responses for live IP addresses
Pinging a 10.0.6.0/24 from a 10.0.6.X IP I get valid responses for live IP addresses
Ping 10.0.5.1 (GW) from a 10.0.6.X IP I get a valid response
Ping 10.0.6.1 (GW) from a 10.0.5.X IP I get a valid response
Ping 10.0.6.10 to 10.0.5.10 Timeout
Ping 10.0.5.10 to 10.0.6.10 Timeout
Basically 10.0.5.0/24 and 10.0.6.0/24 cannot talk to each other.

For troubleshooting I turned off ALL firewall rules. I have also rebooted the box. I have also restored the box and started from zero. I cannot figure out what I have configured incorrectly.
 
squeezypiano
newbie
Posts: 45
Joined: Tue Oct 09, 2012 10:05 pm

Re: Cannot route between two private ip ranges on the same router?

Tue Dec 06, 2016 8:48 pm

Do the end devices have the gateway correctly configured? Have you tried pinging one of the end devices from the router but specifying the src address for the ping as the other interface (e.g. ping 10.0.5.10 using src address 10.0.6.1)? One more thing, when you disabled the firewall rules did you disable the masquerade? Is the masquerade configured with the out interface only where you want to NAT, i.e. when the traffic is leaving the WAN interface?
 
knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

Re: Cannot route between two private ip ranges on the same router?

Tue Dec 06, 2016 10:48 pm

Squeezypiano,

In my test 10.0.5.7 has GW 10.0.5.1 and 10.0.6.10 has GW 10.0.6.1 as per IPCONFIG. I have also verified firewalls on the end points and the router, simply disabled them. I actually have multiple computers on 10.0.5.x/24 and two test computers on 10.0.6.x/24. None of them can ping a computer in the other range; they can only ping within the same subnet. My masquerade rules are on the outbound interface, as I have made that mistake before :).

Note: last night I upgraded the OS to the most current. I then reset the router to defaults and setup the system with:

WaveBroadband, Masquerade Out Interface
Created a Bridge Called HomeNetwork and added ports 1-10 to it. On the bridge I added IP Address 10.0.5.1/24
Created a Bridge Called Test and added ports 11,12 to it. On the bridge I added IP address 10.0.6.1/24
I then setup two DHCP servers and two pools 10.0.5.0/24 and 10.0.6.0/24, one for each bridge.
I did not even add firewall rules, just let it run wide open.

I then hooked up computers and tried to ping from 10.0.5.X/24 and 10.0.6.X/24. Timeouts, timeouts. I also reversed the test and got timeout timeouts. Very frustrating as I have done this many times before. The only thing different is that it is a RB1100AH instead of the normal routerboard.
 
Revelation
Member
Posts: 336
Joined: Fri Dec 25, 2015 5:59 am

Re: Cannot route between two private ip ranges on the same router?

Tue Dec 06, 2016 11:34 pm

Have you checked the local Windows Firewall log? Depending on the network configuration for Windows firewall, it could be blocking the other network. Try disabling Windows firewall on a device in the 10.0.5.0/24 range and on the 10.0.6.0/24 range, then ping. Now you should only need to disable it on the destination device, so that it doesn't drop the packets (that is, if Windows firewall is the culprit).

From a quick glance, I don't see anything wrong with your Mikrotik configuration.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Cannot route between two private ip ranges on the same router?

Tue Dec 06, 2016 11:35 pm

You need to post your configuration...
 
knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

Re: Cannot route between two private ip ranges on the same router?

Wed Dec 07, 2016 1:47 am

Not a problem. I have replaced passwords with ******

# dec/06/2016 15:21:08 by RouterOS 6.37.3
# software id = 9BI2-NSUV
#
/interface bridge
add name=HomeNetwork
add name=WebPort
/interface ethernet
set [ find default-name=ether13 ] name=WaveBroadband
set [ find default-name=ether1 ] advertise=1000M-half,1000M-full comment=AP1
set [ find default-name=ether2 ] master-port=ether1
set [ find default-name=ether3 ] master-port=ether1
set [ find default-name=ether4 ] master-port=ether1
set [ find default-name=ether5 ] master-port=ether1
set [ find default-name=ether7 ] master-port=ether6
set [ find default-name=ether8 ] master-port=ether6 speed=1Gbps
set [ find default-name=ether9 ] master-port=ether6
set [ find default-name=ether10 ] master-port=ether6
/ip neighbor discovery
set ether1 comment=AP1
/interface ethernet switch
set 0 name=HomeNetwork1
set 1 name=HomeNetwork2
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=3des pfs-group=none
/ip pool
add name=VPNPOOL ranges=10.0.5.195-10.0.5.254
add name=Home ranges=10.0.5.2-10.0.5.194
add name=WebPorts ranges=10.0.6.2-10.0.6.10
/ip dhcp-server
add add-arp=yes address-pool=Home always-broadcast=yes disabled=no interface=HomeNetwork lease-time=3d name=HomeNetwork
add add-arp=yes address-pool=WebPorts always-broadcast=yes disabled=no interface=WebPort name=dhcp1
/port
set 0 baud-rate=9600 flow-control=hardware
set 1 baud-rate=9600
/ppp profile
set *0 only-one=yes use-compression=no use-encryption=yes
add change-tcp-mss=yes dns-server=10.0.5.1 local-address=10.0.5.1 name=L2TP-IN remote-address=VPNPOOL use-compression=yes use-ipv6=default
set *FFFFFFFE dns-server=10.0.5.1 local-address=10.0.5.1 only-one=yes remote-address=Home use-compression=yes use-encryption=required use-ipv6=default wins-server=10.0.5.1
/interface bridge port
add bridge=HomeNetwork interface=ether1
add bridge=HomeNetwork interface=ether6
add bridge=WebPort interface=ether11
add bridge=WebPort interface=ether12
/interface bridge settings
set use-ip-firewall=yes
/ipv6 settings
set max-neighbor-entries=1024
/interface ethernet switch vlan
add independent-learning=no ports=ether1 switch=HomeNetwork1 vlan-id=1
add independent-learning=no ports=ether6 switch=HomeNetwork2 vlan-id=1
/interface l2tp-server server
set default-profile=L2TP-IN max-mru=1460 max-mtu=1460
/interface pptp-server server
set authentication=mschap2 enabled=yes keepalive-timeout=1 max-mru=1460 max-mtu=1460
/ip address
add address=10.0.5.1/24 comment="Home Network" interface=HomeNetwork network=10.0.5.0
add address=10.0.6.1/24 interface=WebPort network=10.0.6.0
/ip arp
add address=10.0.5.2 mac-address=00:1A:A0:3C:CB:1A
add address=10.0.5.13 mac-address=78:2B:CB:A9:BA:B3
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add default-route-distance=2 dhcp-options=hostname,clientid disabled=no interface=WaveBroadband use-peer-dns=no use-peer-ntp=no
/ip dhcp-server lease
add address=10.0.5.18 client-id=1:24:a4:3c:10:21:19 mac-address=24:A4:3C:10:21:19 server=HomeNetwork
add address=10.0.5.7 client-id=1:c0:f8:da:ab:24:d6 mac-address=C0:F8:DA:AB:24:D6 server=HomeNetwork
add address=10.0.5.38 client-id=1:a4:1f:72:80:52:82 mac-address=A4:1F:72:80:52:82 server=HomeNetwork
add address=10.0.5.31 client-id=1:0:2:83:0:2d:b8 comment="WebPort Local Access" mac-address=00:02:83:00:2D:B8 server=HomeNetwork
add address=10.0.5.26 client-id=1:c:84:dc:0:2a:50 mac-address=0C:84:DC:00:2A:50 server=HomeNetwork
add address=10.0.5.10 client-id=1:4:18:d6:34:2c:34 mac-address=04:18:D6:34:2C:34 server=HomeNetwork
add address=10.0.5.14 client-id=1:0:2:83:0:30:7d comment="WebPort Local Access" mac-address=00:02:83:00:30:7D server=HomeNetwork
add address=10.0.6.10 client-id=1:0:2:83:0:30:7c comment="WebPort WAN" mac-address=00:02:83:00:30:7C server=dhcp1
add address=10.0.6.9 client-id=1:0:2:83:0:2d:b9 comment="WebPort WAN" mac-address=00:02:83:00:2D:B9 server=dhcp1
/ip dhcp-server network
add address=10.0.5.0/24 dns-server=10.0.5.1 domain=knotpc.local gateway=10.0.5.1 ntp-server=10.0.5.1 wins-server=10.0.5.1
add address=10.0.6.0/24 dns-server=10.0.6.1 gateway=10.0.6.1 wins-server=10.0.6.1
add address=172.16.0.0/24 gateway=172.16.0.1
add address=192.168.1.0/24 gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes cache-size=4096KiB servers=8.8.8.8,8.8.4.4
/ip dns static
add address=10.0.5.7 name=master
add address=10.0.5.7 name=master.knotpc.local
add address=10.0.5.6 name=craftroom
add address=10.0.5.6 name=craftroom.knotpc.local
add address=10.0.5.38 name=mediaone
add address=10.0.5.38 name=mediaone.knotpc.local
add address=10.0.5.25 name=networkbackup
add address=10.0.5.25 name=networkbackup.knotpc.local
add address=10.0.5.1 name=ntp.knotpc.com
add address=10.0.5.38 name=unifi.knotpc.com
/ip firewall address-list
add address=10.0.5.0/24 list=LocalNet
add address=10.0.55.0/24 list=LocalNet
/ip firewall filter
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input connection-state=invalid
add action=drop chain=input in-interface=WaveBroadband src-address-list="DOS DNS"
add action=log chain=input dst-port=53 in-interface=WaveBroadband log-prefix="DOS DNS" protocol=udp
add action=drop chain=input dst-port=53 in-interface=WaveBroadband protocol=udp
add action=drop chain=input comment="drop ftp brute forcers" dst-port=21 protocol=tcp src-address-list=ftp_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=22 protocol=tcp
add action=accept chain=input protocol=gre
add action=accept chain=input protocol=icmp
add action=accept chain=input protocol=udp
add action=accept chain=input protocol=ipsec-esp
add action=accept chain=input protocol=ipsec-ah
add action=accept chain=input dst-port=1723 protocol=tcp
add action=accept chain=input src-address-list=LocalNet
add action=accept chain=input connection-state=established
add action=accept chain=input connection-state=related
add action=accept chain=forward connection-state=established
add action=accept chain=forward connection-state=related
add action=drop chain=forward connection-state=invalid
add action=drop chain=forward src-address=0.0.0.0/8
add action=drop chain=forward src-address=127.0.0.0/8
add action=drop chain=forward src-address=224.0.0.0/3
add action=drop chain=forward dst-address=0.0.0.0/8
add action=drop chain=forward dst-address=127.0.0.0/8
add action=drop chain=forward dst-address=224.0.0.0/3
add action=drop chain=bad_people comment="ChinaTelecom - CitiBank fraud" src-address=219.148.0.0/16
add action=drop chain=bad_people dst-address=219.148.0.0/16
add action=drop chain=bad_people comment=xcelent.biz src-address=61.218.79.53
add action=drop chain=bad_people dst-address=61.218.79.53
add action=drop chain=bad_people comment="Known Spammer" src-address=81.180.98.3
add action=drop chain=bad_people src-address=24.73.97.226
add action=drop chain=bad_people src-address=24.213.234.2
add action=drop chain=bad_people src-address=68.77.210.17
add action=drop chain=bad_people comment="port scanner 20040525" src-address=140.113.94.156
add action=drop chain=bad_people comment="http://isc.incidents.org/top10.html listed" src-address=80.132.187.0/24
add action=drop chain=bad_people src-address=80.183.7.0/24
add action=drop chain=bad_people src-address=212.3.250.194
add action=drop chain=bad_people src-address=218.104.138.0/24
add action=drop chain=bad_people src-address=219.77.152.0/24
add action=drop chain=bad_people src-address=67.75.20.0/24
add action=drop chain=bad_people src-address=80.170.41.0/24
add action=drop chain=bad_people src-address=217.42.241.0/24
add action=drop chain=bad_people src-address=65.95.244.0/24
add action=drop chain=bad_people src-address=172.141.77.0/24
add action=drop chain=bad_people src-address=80.184.18.0/24
add action=drop chain=bad_people src-address=213.130.144.0/24
add action=drop chain=bad_people src-address=217.82.120.0/24
add action=drop chain=bad_people src-address=65.33.234.0/24
add action=drop chain=bad_people src-address=64.65.149.0/24
add action=drop chain=bad_people src-address=202.155.21.0/24
add action=drop chain=bad_people src-address=68.249.239.0/24
add action=drop chain=bad_people src-address=201.128.224.0/24
add action=drop chain=bad_people src-address=202.163.247.0/24
add action=drop chain=bad_people src-address=61.231.97.0/24
add action=drop chain=bad_people src-address=211.150.207.0/24
add action=drop chain=bad_people comment=http://feeds.dshield.org/block.txt src-address=150.209.133.0/24
add action=drop chain=bad_people src-address=203.66.92.0/24
add action=drop chain=bad_people src-address=134.174.177.0/24
add action=drop chain=bad_people src-address=67.41.252.0/24
add action=drop chain=bad_people src-address=172.191.90.0/24
add action=drop chain=bad_people src-address=12.202.141.0/24
add action=drop chain=bad_people src-address=64.246.106.0/24
add action=drop chain=bad_people src-address=63.161.192.0/24
add action=drop chain=bad_people src-address=68.126.211.0/24
add action=drop chain=bad_people src-address=67.122.151.0/24
add action=drop chain=bad_people src-address=67.71.175.0/24
add action=drop chain=bad_people src-address=69.157.33.0/24
add action=drop chain=bad_people src-address=66.122.215.0/24
add action=drop chain=bad_people src-address=210.24.174.0/24
add action=drop chain=bad_people src-address=62.234.82.0/24
add action=drop chain=bad_people src-address=200.162.125.0/24
add action=drop chain=bad_people src-address=80.135.191.0/24
add action=drop chain=bad_people src-address=67.68.53.0/24
add action=drop chain=bad_people src-address=195.56.225.0/24
add action=drop chain=bad_people src-address=172.153.83.0/24
add action=drop chain=bad_people src-address=150.209.150.0/24
add action=drop chain=bad_people src-address=63.150.217.0/24
add action=drop chain=bad_people src-address=139.55.103.0/24
add action=drop chain=bad_people src-address=220.117.228.0/24
add action=drop chain=bad_people src-address=139.55.95.0/24
add action=drop chain=bad_people src-address=220.89.208.0/24
add action=drop chain=bad_people src-address=139.55.121.0/24
add action=drop chain=bad_people src-address=139.55.99.0/24
add action=drop chain=bad_people src-address=139.55.87.0/24
add action=drop chain=bad_people src-address=139.55.151.0/24
add action=drop chain=bad_people src-address=139.55.23.0/24
add action=drop chain=bad_people src-address=69.226.173.0/24
add action=drop chain=bad_people src-address=62.14.249.0/24
add action=drop chain=bad_people src-address=221.233.24.0/24
add action=drop chain=bad_people src-address=139.55.115.0/24
add action=drop chain=bad_people src-address=221.148.225.0/24
add action=drop chain=bad_people src-address=139.55.226.0/24
add action=drop chain=bad_people src-address=210.17.38.0/24
add action=drop chain=bad_people src-address=139.55.139.0/24
add action=drop chain=bad_people src-address=202.222.18.0/24
add action=accept chain=HomeNetwork dst-address-list=LocalNet src-address-list=LocalNet
add action=accept chain=HomeNetwork comment=MediaOne dst-address=10.0.5.38 dst-port=32400 protocol=tcp
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
add action=drop chain=forward dst-port=445 protocol=tcp src-address-list=Worm
add action=drop chain=forward comment="drop ssh brute downstream" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=jump chain=forward comment=ICMP jump-target=icmp protocol=icmp
add action=jump chain=forward comment=Virus jump-target=virus out-interface=WaveBroadband
add action=jump chain=forward comment="Bad Addresses" jump-target=bad_people out-interface=WaveBroadband
add action=jump chain=forward comment=TCP jump-target=tcp out-interface=WaveBroadband protocol=tcp
add action=jump chain=forward comment=UDP jump-target=udp out-interface=WaveBroadband protocol=udp
add action=drop chain=tcp comment="deny TFTP" dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" icmp-options=11:0 protocol=icmp
add action=accept chain=icmp comment="allow parameter bad" icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types"
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=accept chain=output content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m protocol=tcp
add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output content="530 Login incorrect" protocol=tcp
add action=add-src-to-address-list address-list=BlackList address-list-timeout=1d chain=input connection-limit=10,32 protocol=tcp
add action=drop chain=input
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 protocol=tcp src-address-list=ssh_blacklist
add action=drop chain=input src-address-list="port scanners"
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Drop Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Drop Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=1433-1434 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=2283 protocol=tcp
add action=drop chain=virus comment="Drop Beagle" dst-port=2535 protocol=tcp
add action=drop chain=virus dst-port=2745 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom" dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Drop Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=tcp
add action=drop chain=virus comment=Worm dst-port=4444 protocol=udp
add action=drop chain=virus comment="Drop Sasser" dst-port=5554 protocol=tcp
add action=drop chain=virus comment="Drop Beagle.B" dst-port=8866 protocol=tcp
add action=drop chain=virus comment="Drop Dabber.A-B" dst-port=9898 protocol=tcp
add action=drop chain=virus comment="Drop Dumaru.Y" dst-port=10000 protocol=tcp
add action=drop chain=virus comment="Drop MyDoom.B" dst-port=10080 protocol=tcp
add action=drop chain=virus comment="Drop NetBus" dst-port=12345 protocol=tcp
add action=drop chain=virus comment="Drop Kuang2" dst-port=17300 protocol=tcp
add action=drop chain=virus comment="Drop SubSeven" dst-port=27374 protocol=tcp
add action=drop chain=virus dst-port=65506 protocol=tcp
add action=accept chain=HomeNetwork connection-state=established
add action=accept chain=HomeNetwork connection-state=related
add action=log chain=HomeNetwork log-prefix=Homerules
add action=drop chain=HomeNetwork
add action=jump chain=forward comment="Home Network" dst-address=10.0.5.0/24 jump-target=HomeNetwork
/ip firewall nat
add action=dst-nat chain=dstnat comment=Plex dst-port=32400 in-interface=WaveBroadband protocol=tcp to-addresses=10.0.5.38 to-ports=32400
add action=masquerade chain=srcnat comment="House Internet Access" out-interface=WaveBroadband src-address=10.0.5.0/24 to-addresses=71.229.204.4
add action=masquerade chain=srcnat comment=WebPort out-interface=WaveBroadband src-address=10.0.6.0/24 to-addresses=71.229.204.4
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
/ip ipsec peer
add address=0.0.0.0/0 enc-algorithm=3des generate-policy=port-override local-address=0.0.0.0 secret=*********
/ip ipsec policy
set 0 dst-address=0.0.0.0/0 src-address=0.0.0.0/0
/ip proxy
set cache-path=disk1/web-proxy2 max-cache-size=none max-client-connections=1000 max-server-connections=1000 parent-proxy=0.0.0.0 port=3128
/ip proxy access
add action=deny dst-port=!443,563 local-port="" method=CONNECT
add action=deny path=*.newsmax
/ip proxy cache
add action=deny local-port=""
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes port=8080
set hotspot port=8088
set ssh disabled=yes
set api disabled=yes
/ip upnp
set enabled=yes
/ip upnp interfaces
add type=internal
add interface=ether8 type=internal
add interface=ether5 type=internal
/ipv6 address
add disabled=yes from-pool=ComcastIPv6 interface=HomeNetwork
/ipv6 dhcp-client
add add-default-route=yes disabled=yes interface=WaveBroadband pool-name=ComcastIPv6 request=prefix
/ipv6 firewall filter
add action=accept chain=input comment="/Input Rules/" connection-state=established disabled=yes
add action=accept chain=input connection-state=related disabled=yes
add action=drop chain=input connection-state=invalid disabled=yes
add action=accept chain=input disabled=yes in-interface=HomeNetwork
add action=accept chain=input disabled=yes protocol=icmpv6
add action=accept chain=input disabled=yes src-address-list="WhiteListed Hosts"
add action=accept chain=input disabled=yes dst-address=fe80::/16 dst-port=546 in-interface=WaveBroadband protocol=udp src-address=fe80::/16
add action=accept chain=forward comment="IPSEC Support" disabled=yes protocol=ipsec-esp
add action=accept chain=forward disabled=yes protocol=ipsec-ah
add action=accept chain=forward disabled=yes dst-port=1723 protocol=tcp
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="NMAP Stealth Scan" disabled=yes protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="ALL/ALL SCAN" disabled=yes protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=2w chain=input comment="NMAP Port Scanner" disabled=yes protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="Port Scanner Drop" disabled=yes src-address-list="Port Scanners"
add action=add-src-to-address-list address-list=Blacklist address-list-timeout=1d chain=input comment="BlackList Connections" connection-limit=10 disabled=yes
add action=drop chain=input comment="Blacklist Drop" disabled=yes src-address-list=Blacklist
add action=drop chain=input disabled=yes
add action=accept chain=forward comment="Forward Rules" connection-state=established disabled=yes
add action=accept chain=forward connection-state=related disabled=yes
add action=accept chain=forward disabled=yes protocol=icmpv6
add action=accept chain=forward disabled=yes src-address-list="WhiteListed Hosts"
add action=accept chain=forward comment=Plex connection-limit=5 disabled=yes dst-port=32400 protocol=tcp
add action=accept chain=forward comment=NVR connection-limit=5 disabled=yes dst-port=8000 protocol=tcp
add action=accept chain=forward connection-limit=5 disabled=yes dst-port=10554 protocol=udp
add action=accept chain=forward connection-limit=5 disabled=yes dst-port=10554 protocol=tcp
add action=accept chain=forward connection-limit=5 disabled=yes dst-port=80 protocol=tcp
add action=accept chain=forward disabled=yes out-interface=WaveBroadband
add action=log chain=forward disabled=yes log-prefix="forward drop"
add action=drop chain=forward disabled=yes
/ppp aaa
set interim-update=10s
/ppp secret
add name=****** password=******* profile=L2TP-IN service=pptp
add name=***** password=******* profile=L2TP-IN service=pptp
add name=****** password=****** profile=L2TP-IN service=pptp
/system clock
set time-zone-name=America/Los_Angeles
/system clock manual
set time-zone=+07:00
/system identity
set name=HouseRouter
/system logging
set 1 prefix=error
set 3 action=memory
add prefix=IPSEC topics=ipsec
add topics=e-mail
add action=disk topics=event
/system ntp client
set enabled=yes primary-ntp=81.169.139.140 secondary-ntp=216.194.70.2
/system ntp server
set broadcast=yes broadcast-addresses=10.0.5.1 enabled=yes multicast=yes
/system scheduler
add interval=1d name=makebackup on-event=makebackup policy=read,write,test start-date=apr/25/2007 start-time=00:00:01
add interval=1m name=DynDns on-event=DynDns policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-time=startup
/system script
add name=makebackup owner=Admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=\
"/system backup save name=[/system identity get name]\
\n\
\n /tool e-mail send to=****** subject=([/system identity get name] . \" Backup\") from=***** file=([/system identity get name] . \".backup\") \
\n"
add name=DynDNS owner=Admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":global ddnsuser \"****\"\r\
\n:global ddnspass \"*******\"\r\
\n:global theinterface \"WaveBroadband\"\r\
\n:global ddnshost dyndns.org\r\
\n:global ipddns [:resolve \$ddnshost];\r\
\n:global ipfresh [ /ip address get [/ip address find interface=\$theinterface ] address ]\r\
\n:if ([ :typeof \$ipfresh ] = nil ) do={\r\
\n :log info (\"DynDNS: No ip address on \$theinterface .\")\r\
\n} else={\r\
\n :for i from=( [:len \$ipfresh] - 1) to=0 do={ \r\
\n :if ( [:pick \$ipfresh \$i] = \"/\") do={ \r\
\n :set ipfresh [:pick \$ipfresh 0 \$i];\r\
\n } \r\
\n}\r\
\n \r\
\n:if (\$ipddns != \$ipfresh) do={\r\
\n :log info (\"DynDNS: IP-DynDNS = \$ipddns\")\r\
\n :log info (\"DynDNS: IP-Fresh = \$ipfresh\")\r\
\n :log info \"DynDNS: Update IP needed, Sending UPDATE...!\"\r\
\n :global str \"/nic/update\\\?hostname=\$ddnshost&myip=\$ipfresh&wildcard=NOCHG&mx=NOCHG&backmx=NOCHG\"\r\
\n /tool fetch address=members.dyndns.org src-path=\$str mode=http user=\$ddnsuser \\\r\
\n password=\$ddnspass dst-path=(\"/DynDNS.\".\$ddnshost)\r\
\n :delay 1\r\
\n :global str [/file find name=\"DynDNS.\$ddnshost\"];\r\
\n /file remove \$str\r\
\n :global ipddns \$ipfresh\r\
\n :log info \"DynDNS: IP updated to \$ipfresh!\"\r\
\n } else={\r\
\n :log info \"DynDNS: dont need changes\";\r\
\n }\r\
\n} \r\
\n"
/system ups
add min-runtime=5m name=UPS1
[Admin@HouseRouter] >
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Cannot route between two private ip ranges on the same router?

Wed Dec 07, 2016 10:55 am

Your firewall is quite complicated, so it is difficult to rule it out without re-building the entire setup in a lab.
I see this rule:

add action=jump chain=forward comment="Home Network" dst-address=10.0.5.0/24 jump-target=HomeNetwork

but no corresponding rule for the other network.
I would advise to put an accept-all rule at the top of the list and test again to make sure the firewall is not the problem.
(and then of course remove that again and make suitable adjustments if necessary)

I also see two fixed ARP entries. That could also cause nasty problems; it is better not to do this unless for a really special purpose, combined with the special ARP modes on an interface.
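The checks suggested in this thread (ping from the router sourced from the other bridge's address, a temporary accept-all at the top of the forward chain), collected into one RouterOS CLI session as an added example; this is not code from the thread. Interface, chain and comment names are taken from the exported config above; the "TEMP test" comment is an assumption used to find and remove the temporary rules.

```routeros
# Added example, not part of the original thread.
# Names (WaveBroadband, HomeNetwork, WebPort, LocalNet) come from the posted export;
# "TEMP test" is a comment chosen here so the temporary rules can be removed again.

# 1. From the router, ping a host on each bridge while sourcing from the OTHER
#    bridge's gateway address. A reply proves the host's default gateway and its
#    local firewall accept traffic arriving from the far subnet.
/ping 10.0.5.10 src-address=10.0.6.1 count=4
/ping 10.0.6.10 src-address=10.0.5.1 count=4

# 2. Note that bridged traffic is also passed through the IP firewall in this
#    config (use-ip-firewall=yes), so forward-chain rules apply to both bridges.
/interface bridge settings print

# 3. Temporarily accept traffic between the two subnets at the TOP of the forward
#    chain (place-before=0) so nothing further down can drop it.
/ip firewall filter add chain=forward action=accept \
    src-address=10.0.5.0/24 dst-address=10.0.6.0/24 comment="TEMP test" place-before=0
/ip firewall filter add chain=forward action=accept \
    src-address=10.0.6.0/24 dst-address=10.0.5.0/24 comment="TEMP test" place-before=0

# 4. Repeat the host-to-host pings, then read the counters: if the TEMP rules count
#    packets but hosts still time out, the router's firewall is not the cause.
/ip firewall filter print stats where comment="TEMP test"

# 5. With the firewall enabled, the "HomeNetwork" chain accepts only LocalNet->LocalNet
#    and logs/drops the rest with prefix "Homerules". In the posted export LocalNet holds
#    10.0.5.0/24 and 10.0.55.0/24 (not 10.0.6.0/24), so 10.0.6.x -> 10.0.5.x would land
#    in that log once the rules are re-enabled. Check both:
/ip firewall address-list print where list=LocalNet
/log print where message~"Homerules"

# 6. Remove the temporary rules when finished.
/ip firewall filter remove [find comment="TEMP test"]
```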
 
knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

Re: Cannot route between two private ip ranges on the same router?

Wed Dec 07, 2016 7:14 pm

pe1chl,

During my testing ALL firewall rules are disabled. Would you elaborate on your fixed ARP entries, I do not see those?

Thanks.
 
pe1chl
Forum Guru
Posts: 10234
Joined: Mon Jun 08, 2015 12:09 pm

Re: Cannot route between two private ip ranges on the same router?

Wed Dec 07, 2016 7:55 pm

I see this:

/ip arp
add address=10.0.5.2 mac-address=00:1A:A0:3C:CB:1A
add address=10.0.5.13 mac-address=78:2B:CB:A9:BA:B3

This means that when one of those 2 systems is replaced or repaired, those addresses will become unusable.

I don't see another issue other than the complex firewall, but maybe I am overlooking something. It should just work.
 
knotpc
just joined
Topic Author
Posts: 10
Joined: Mon Nov 05, 2012 5:25 am

Re: Cannot route between two private ip ranges on the same router?

Wed Dec 07, 2016 8:37 pm

pe1chl,

I have removed those, not sure when I made those static.

Clint
