As I already wrote: the default config which comes with recent versions of ROS is a decent config. Just be sure that "Keep old configuration" is not checked. As a result, your device will be as if it came out of the factory, and the initial step of configuring a Routerboard device is to set the basic working mode. While doing that, the default configuration is applied, and that default configuration includes decent firewall settings.

When already upgraded, how to configure the firewall for more protection for the LAN and router?
I'm testing using netinstall for the 750G, but netinstall is not running. I have checked another thread; it says to use the 3.29 version of the MikroTik. May I know how I can do it?

Setup is dangerous because the firewall is virtually non-existent, protecting neither the router itself nor the LAN. Setup is dangerous because the router is running an ancient version of ROS (5.4). Setup is slow because it has queues set up which are CPU intensive, and your device is no speed monster.
My suggestion: netinstall the router with a recent version of ROS (long-term 6.46.7 should be fine), reset the configuration to factory default, and upgrade routerboot as well (/system routerboard upgrade after the new ROS boots up). Then start customizing the router, but keep the default config as a very decent starting point (don't just follow some random YouTube tutorial; those are mostly useless or plain wrong).
I have followed what you said: reset the configuration and set it up. Starting the network, I wouldn't get the internet, but PPPoE gets a connection. The configuration attachment is "default"; after adding NAT rules I can get internet, "default2".

This is not the default setup; it seems that it was transferred over from the old config. You have to reset it to factory default. Log in via WebFig (using a web browser), click the "Quick Set" button top right, then click "Reset configuration" in the lower right area. Reboot the device (if it doesn't do it itself). Then test performance again.
The problem with the current config is that the firewall is actually set up (even though only to protect the router itself), but for that, connection tracking runs, and connection tracking is a pretty CPU-intensive operation. In ROS there exists a feature called "fast track" which causes most packets to bypass most of the firewall processing, but it's not enabled in your setup. You could enable it (it's simple to do, but not trivial), but as you would really benefit from the full default configuration, I strongly advise you to do a factory reset before we move further.
After you reset to factory defaults, study the firewall rules to get acquainted with the philosophy ... before you set up NAT rules. While you could verbatim copy-paste the current NAT rules, they (both) are not the most effective. You'll notice that the new default heavily uses interface lists ... if your WAN interface (pppoe-client) does not land in the WAN interface list, add it manually. That will make your personal src-nat rule redundant because the default rule will cover it. Similarly, the dst-nat rule could be rewritten to use in-interface-list instead of dst-address ... but that depends on whether you want to access your WLAN camera through the WAN IP also from the LAN. If you want that, then your current dst-nat rule is just fine.
No, it is not correct, although I have no idea why MT would not include the default firewalls on new releases even for old equipment.

For now the firewall only has one default rule; is that correct?
MMIPS is only for the 750Gr3 (second version of the hEX). The original 750G, which the OP has, and the 750Gr2 (first version of the hEX) are MIPSBE.

MMIPS for 750G, long-term version.
Thanks TDW, I will edit my post accordingly.
The /system routerboard settings set cpu-frequency=150MHz will be reducing performance; it should be several times greater by default.
Not sure if the default configuration is correct; herewith the default firewall rules:

/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=accept chain=forward comment="accept in ipsec policy" ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" ipsec-policy=out,ipsec
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
Already successfully netinstalled, now on v6.47.6 MIPSBE. I tried to set up the MikroTik, but the download and upload speeds are around 5 Mbps to 8 Mbps; it looks like the internet is slow. The MikroTik is configured with vlan500 for the PPPoE setup; may I know if I need to do a bridge?
Did you use netinstall to work with the latest long-term version of the firmware?
OLD 750 unit is MIPSBE
Newer 750Gr3 is MMIPS
Probably time to upgrade your equipment; that thing you have is ancient.
Thank you very much for this, now the speed is back to normal.

According to the product brochure, the "native" CPU frequency is 680MHz. If it's not set to that value, change it (/system routerboard set cpu-frequency=680MHz). Before doing it, you may want to check the current setting (/system resource print) to see if changing it to the default is likely to improve things much.
I will try to configure this setting for the MikroTik this week. Currently the connection is working well.

You have a very different WAN connection.
I don't see the pppoe interface defined, but here is what I would do.
/interface list member
add interface=WUM-Unifi list=WAN
add interface=ether1 list=WAN
add interface=vlan.500 list=WAN
# list names are case-sensitive, so every member must go into the same list "WAN"
# add interface=<your pppoe-client interface> list=WAN   (only if there is one)
Then you can do this more easily.
From
/ip firewall nat
add action=masquerade chain=srcnat disabled=yes out-interface=ether1
add action=masquerade chain=srcnat out-interface=WUM-Unifi
To
/ip firewall nat
# single rule that stays enabled and covers every member of the WAN list
add action=masquerade chain=srcnat out-interface-list=WAN
Can you confirm that all your port forwarding works as desired?
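The advice in this thread boils down to a handful of checks on an exported config: the default input/forward drop rules are present, a fasttrack rule exists so the 750G is not doing full connection tracking on every packet, the PPPoE client (and every other WAN-facing interface) is a member of the "WAN" interface list under exactly that name, and src-nat is one masquerade rule on out-interface-list=WAN rather than a rule per interface. The script below is an added example written for this page, not MikroTik code and not something any poster ran: it is a hypothetical auditor that parses the flat `add key=value ...` lines of a RouterOS `/export` and reports those gaps. The sample export is constructed from the rules quoted above, with a lowercase `list=wan` and a per-interface masquerade rule put in deliberately so both failure modes show up; `FIXED_EXPORT` is the same config after the thread's suggestions are applied.

```python
"""Audit a RouterOS '/export' fragment for the points raised in this thread.

Added example, not MikroTik code. Hypothetical helper: parses the flat
'add key=value ...' lines of an export and reports the gaps discussed above:
missing default drop rules, no fasttrack rule, a pppoe client that is not a
member of the 'WAN' interface list, list names that differ only in case, and
srcnat rules bound to a single out-interface instead of out-interface-list=WAN.
"""
import shlex

# Constructed sample export, modelled on the rules quoted in the thread.
SAMPLE_EXPORT = """\
/interface pppoe-client
add interface=vlan500 name=pppoe-out1 user=example
/interface list member
add interface=ether2 list=LAN
add interface=vlan500 list=wan
/ip firewall filter
add action=accept chain=input comment="accept established,related,untracked" connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=drop chain=input comment="drop all not coming from LAN" in-interface-list=!LAN
add action=accept chain=forward comment="accept established,related, untracked" connection-state=established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from WAN not DSTNATed" connection-nat-state=!dstnat in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
"""

# The same config after applying the advice: list name fixed, pppoe client added
# to WAN, a fasttrack rule added, and a single masquerade rule on the WAN list.
FIXED_EXPORT = SAMPLE_EXPORT.replace("list=wan", "list=WAN").replace(
    "add action=masquerade chain=srcnat out-interface=pppoe-out1",
    "add action=masquerade chain=srcnat out-interface-list=WAN",
) + """\
/interface list member
add interface=pppoe-out1 list=WAN
/ip firewall filter
add action=fasttrack-connection chain=forward comment=fasttrack connection-state=established,related
"""


def parse_export(text):
    """Return {menu path: [rule dict, ...]} for an export-style fragment."""
    sections, current = {}, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            current = line
            sections.setdefault(current, [])       # a menu may appear more than once
        elif line.startswith("add ") and current is not None:
            rule = {}
            for token in shlex.split(line[4:]):    # shlex strips the quotes around comments
                key, _, value = token.partition("=")
                rule[key] = value
            sections[current].append(rule)
    return sections


def has_rule(rules, **want):
    """True if an enabled rule matches every key=value in `want`."""
    return any(
        r.get("disabled") != "yes" and all(r.get(k) == v for k, v in want.items())
        for r in rules
    )


def audit(text):
    """Return a list of (code, message) findings; an empty list means no gaps found."""
    cfg = parse_export(text)
    flt = cfg.get("/ip firewall filter", [])
    nat = cfg.get("/ip firewall nat", [])
    members = cfg.get("/interface list member", [])
    findings = []

    if not has_rule(flt, chain="input", action="drop", **{"in-interface-list": "!LAN"}):
        findings.append(("no-input-drop", "input chain does not drop traffic that is not from LAN"))
    if not has_rule(flt, chain="forward", action="drop",
                    **{"connection-nat-state": "!dstnat", "in-interface-list": "WAN"}):
        findings.append(("no-forward-drop", "forward chain does not drop un-DSTNATed traffic from WAN"))
    if not has_rule(flt, chain="forward", action="fasttrack-connection"):
        findings.append(("no-fasttrack", "no fasttrack rule: every packet takes the full conntrack path"))

    # List names are case-sensitive on RouterOS: 'wan' is a different list from 'WAN'.
    for m in members:
        if m.get("list", "").lower() == "wan" and m["list"] != "WAN":
            findings.append(("list-case", f"{m['interface']} is in list '{m['list']}', not 'WAN'"))

    wan_members = {m["interface"] for m in members if m.get("list") == "WAN"}
    for client in cfg.get("/interface pppoe-client", []):
        if client.get("name") not in wan_members:
            findings.append(("wan-missing-member", f"pppoe client {client.get('name')} is not in list WAN"))

    for r in nat:
        if r.get("chain") == "srcnat" and "out-interface" in r and r.get("disabled") != "yes":
            findings.append(("nat-per-interface",
                             f"srcnat bound to out-interface={r['out-interface']}; use out-interface-list=WAN"))
    if not has_rule(nat, chain="srcnat", action="masquerade", **{"out-interface-list": "WAN"}):
        findings.append(("no-wan-masquerade", "no masquerade rule with out-interface-list=WAN"))
    return findings


if __name__ == "__main__":
    for label, text in (("as posted", SAMPLE_EXPORT), ("after fixes", FIXED_EXPORT)):
        print(f"== {label}: {len(audit(text))} finding(s)")
        for code, msg in audit(text):
            print(f"  [{code}] {msg}")
```

Paste the output of `/export` into `SAMPLE_EXPORT` (or read it from a file) to run it against a real box. The auditor only checks that rules exist and are enabled; it does not check their order, which still matters on the router (the fasttrack rule and the drop rules must sit before the generic accept rules to have any effect), so read the exported chain top to bottom after the script says it is clean.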