Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

RouterOS - Newbie CCR1009-7G-1C-1S+

Mon Mar 01, 2021 9:28 pm

Hi,

First-time user of RouterOS and I was wondering if somebody could confirm I have the CCR1009-7G-1C-1S+ set up correctly. It is connected to the Internet via PPPoE but I am not sure the configuration is as it should be!

Ether1 is connected to the WAN and Ether2 is connected to my switches. I have a static IP on the router as my server on the network assigns the IP addresses via its DHCP server.

1. First question. When I was configuring the NAT I followed several guides but the only way I can get a connection through the Firewall is to set the Chain as srcnat and the action as masquerade. The guides said to set an in/out interface as pppoe but none of this works. Is it ok to leave it with just srcnat and masquerade? (I have opened ports for my CCTV and that all works perfectly. HTTP port 80 points to my server's IIS page instead of going to the router's log in page).

2. Am I correct in thinking I can just connect the SFP+ port direct to my switch and remove the RJ45 from ether2?

3. In the Log I see a continuous stream of login failures for user admin from an unknown IP address via telnet and ssh. Is this hackers and is it normal?

Many thanks in advance for any help. Apologies for the very basic probably simple questions!

Regards, Cliff
 
mkx
Forum Guru
Posts: 11586
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Mon Mar 01, 2021 10:11 pm

First, an answer to question #3: it happens, but it's not normal. It means that the firewall does not block these connection attempts, so you actually see attempts (hopefully it stays at attempts). And that means you have to do something about the firewall.
If you just started off with configuring your router, then it quite likely lacks a decent firewall rule set; the CCR line does not have any firewall by default. The SOHO line of MikroTik routers, on the other hand, comes with a pretty decent firewall rule set (and a few related settings) by default:
/ip firewall nat 
add chain=srcnat out-interface-list=WAN ipsec-policy=out,none action=masquerade comment="defconf: masquerade"

/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="defconf: accept established,related,untracked"
add chain=input action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=input action=accept dst-address=127.0.0.1 comment="defconf: accept to local loopback (for CAPsMAN)"
add chain=forward action=accept ipsec-policy=in,ipsec comment="defconf: accept in ipsec policy"
add chain=forward action=accept ipsec-policy=out,ipsec comment="defconf: accept out ipsec policy"
add chain=forward action=fasttrack-connection connection-state=established,related comment="defconf: fasttrack"
add chain=forward action=accept connection-state=established,related,untracked comment="defconf: accept established,related, untracked"
add chain=forward action=drop connection-state=invalid comment="defconf: drop invalid"
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat in-interface-list=WAN comment="defconf: drop all from WAN not DSTNATed"

/ip neighbor discovery-settings 
set discover-interface-list=LAN
/tool mac-server 
set allowed-interface-list=LAN
/tool mac-server mac-winbox 
set allowed-interface-list=LAN

It is very important to add interfaces to the proper interface lists. Depending on your particular setup it might be right like this:

/interface list 
add name=WAN comment="defconf"
add name=LAN comment="defconf"
/interface list member 
add list=LAN interface=bridge comment="defconf"
# if LAN IP address is not on bridge, but on some etherX interface, add that interface to LAN interface list as well
add list=WAN interface=ether1 comment="defconf"
# and add PPPoE interface so that firewall does its job ... assuming default PPPoE interface name is used
add list=WAN interface=pppoe-out1 comment="logical WAN interface"

Then add your NAT rules (port forwarding) to the /ip firewall nat section; no changes are necessary in the /ip firewall filter section.

To answer your question #2 about the connection to the switch: it depends on whether the ether2 and sfp-sfpplus1 interfaces are members of a bridge. If they are, then you can indeed simply replace the ethernet connection with an SFP-SFP connection. If these interfaces are not members of the bridge, then you'd have to reconfigure the router a bit before changing the connection.
 
Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Mon Mar 01, 2021 10:49 pm

Hi mkx, many thanks for the reply. I have added the firewall rule set and it appears to have stopped the connection attempts. The last one in the log was just a couple of minutes before I added the rules. Fantastic, I would never have figured that out so quickly!

Not sure what to do about the interface changes. I think I might already have what you suggest.

Hopefully you can see this image that shows my interfaces. https://ibb.co/ZcfQdWm
 
mkx
Forum Guru
Posts: 11586
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Mon Mar 01, 2021 11:40 pm

Doesn't look like it. But examination of a textual export would tell. Execute /export hide-sensitive file=anynameyouwish in a terminal window, fetch the resulting file and copy-paste the contents into a [code] [/code] block (square brackets icon just above the post editing window). You may want to skim through the config and obfuscate some sensitive data, such as the public IP address (if it's present in the config) ...
 
Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 12:12 am

# mar/01/2021 21:58:14 by RouterOS 6.48.1
# software id = XSFW-VVK4
#
# model = CCR1009-7G-1C-1S+
# serial number = E3220DAA7224
/interface bridge
add name=local
/interface pppoe-client
add add-default-route=yes disabled=no interface=ether1 name=pppoe-out1 \
    use-peer-dns=yes user=bthomehub@btbroadband.com
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.16.3-192.168.16.254
add name=dhcp_pool1 ranges=\
    0.0.0.1-255.255.254.255,255.255.255.1-255.255.255.254
add name=vpn ranges=192.168.89.2-192.168.89.255
/ppp profile
set *FFFFFFFE local-address=xxxxxxxxxxx remote-address=vpn
/interface bridge port
add bridge=local interface=ether2
/ip neighbor discovery-settings
set discover-interface-list=LAN
/interface detect-internet
set detect-interface-list=all
/interface l2tp-server server
set use-ipsec=yes
/interface list member
add interface=pppoe-out1 list=WAN
add interface=local list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.16.1/24 interface=local network=192.168.16.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-server network
add gateway=255.255.255.0
add address=192.168.16.0/24 gateway=192.168.16.1 netmask=24
/ip dns
set allow-remote-requests=yes servers=8.8.8.8
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=accept chain=input comment=\
    "defconf: accept to local loopback (for CAPsMAN)" dst-address=127.0.0.1
add action=accept chain=forward comment="defconf: accept in ipsec policy" \
    ipsec-policy=in,ipsec
add action=accept chain=forward comment="defconf: accept out ipsec policy" \
    ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment=\
    "defconf: accept established,related, untracked" connection-state=\
    established,related,untracked
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
/ip firewall nat
add action=masquerade chain=srcnat
add action=dst-nat chain=dstnat comment="Drive Cam" dst-port=xxxxxxxxxxx protocol=\
    tcp to-addresses=xxxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="Garden2 Cam" dst-port=xxxxxxxxxxx protocol=\
    tcp to-addresses=xxxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="Garage Cam" dst-port=xxxxxxxxxxx protocol=\
    tcp to-addresses=xxxxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="Garden Cam" dst-port=xxxxxxxxxxx protocol=\
    tcp to-addresses=xxxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="Hall Cam" dst-port=xxxxxxxxxxx protocol=tcp \
    to-addresses=xxxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="Kitchen Cam" dst-port=xxxxxxxxxxx protocol=\
    tcp to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=tcp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=udp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=tcp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=udp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=tcp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=VPN dst-port=xxxxxxxxxxx protocol=udp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="WOL Server 2019" dst-port=xxxxxxxxxxx \
    protocol=tcp to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment="WOL Server 2019" dst-port=xxxxxxxxxxx\
    protocol=udp to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=dst-nat chain=dstnat comment=HTTP dst-port=xxxxxxxxxxx protocol=tcp \
    to-addresses=xxxxxxxxxxx to-ports=xxxxxxxxxxx
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    ipsec-policy=out,none out-interface-list=WAN
/lcd
set default-screen=stat-slideshow
/lcd interface
set sfp-sfpplus1 disabled=yes
set combo1 disabled=yes
set ether2 disabled=yes
set ether3 disabled=yes
set ether4 disabled=yes
set ether5 disabled=yes
set ether6 disabled=yes
set ether7 disabled=yes
/ppp secret
add name=vpn
/system clock
set time-zone-name=Europe/London
/system ntp client
set enabled=yes primary-ntp=216.239.35.0 secondary-ntp=216.239.35.4
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN
Since adding the Filter Rules earlier the Log has listed only two further attempts via ssh from a 'user 1' and 'user ubnt'. Is it normal to see the odd attempt?
I think from the code above my sfp+ is disabled. Is that easy to bridge?

Sorry for all the questions, your help is greatly appreciated.

edit, still getting quite a lot of connection attempts via telnet and ssh.
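The rule set posted above protects the forward chain with "drop all from WAN not DSTNATed", but the input chain, which handles traffic to the router's own services such as telnet and ssh, contains only accepts and a "drop invalid"; a RouterOS chain accepts whatever no rule matched, so new connections from WAN fall through, which is consistent with the attempts still appearing in the log. As an added example (not from the thread or from MikroTik; function names are my own), a small Python checker that parses an export in this syntax and reports which chains lack a catch-all drop:

```python
"""Audit a RouterOS '/ip firewall filter' export for chains lacking a catch-all drop.
Added example, not from the thread; it parses the export syntax posted above
('add key=value ...' rules, continued with a trailing backslash). RouterOS accepts
whatever no rule in a chain matched, so a chain whose only drop targets
connection-state=invalid still lets new connections from WAN reach the router.
"""
import shlex

# Constructed sample: a subset of the rules posted above, in the same export syntax.
SAMPLE_EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment=\
    "defconf: accept established,related,untracked" connection-state=\
    established,related,untracked
add action=drop chain=input comment="defconf: drop invalid" connection-state=\
    invalid
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN
"""


def parse_rules(export):
    """Return the '/ip firewall filter' rules as a list of {key: value} dicts."""
    rules, section, buf = [], None, ""
    for raw in export.splitlines():
        line = raw.strip()
        if line.startswith("/"):  # section header such as '/ip firewall filter'
            section = line
        elif line.endswith("\\"):  # rule continues on the next line
            buf += line[:-1]
        else:
            buf += line
            if section == "/ip firewall filter" and buf.startswith("add "):
                rules.append(dict(t.split("=", 1) for t in shlex.split(buf)[1:] if "=" in t))
            buf = ""
    return rules


def chain_has_terminal_drop(rules):
    """Map chain -> True if a drop/reject rule exists that is not limited to invalid state."""
    verdict = {}
    for r in rules:
        verdict.setdefault(r.get("chain"), False)
        if r.get("action") in ("drop", "reject") and r.get("connection-state") != "invalid":
            verdict[r.get("chain")] = True
    return verdict
```

Run it against your own `/export` output and any chain reported False is one where unmatched packets are being accepted.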
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 3:24 am

No silly questions when trying to tame the beast.

(1) Change this:
/ip firewall nat
add action=masquerade chain=srcnat
to this:
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-1

(2) Add ether1 (or whatever physical port attaches to the ISP) to the WAN interface list members for completeness.

(3) Go to IP Services...... and turn everything off not required.
Hint: Don't turn off WinBox!!! You need that one.

(4) Go to tools mac server, select mac telnet server and set interface to none
(5) Go to tools mac winbox server and set interface to LAN
(6) Go to system users and create a different one from admin, with full rights and a good password, and then delete the admin one.
(7) Go to IP Service Ports (found on the firewall TABS) and make sure they are all greyed out (disabled) unless you need one of them....

(8) The default firewall rules you have are solid and a good start and should not be modified until you have more knowledge.

(9) The only active interface you have defined as part of the bridge is ether2, so I wouldn't be concerned about the other ports.
 
Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 3:35 am

Hi Anav,

Many thanks for the help. I will work through them now.
When I try the first recommendation, I get the following error :-

input does not match any value of interface

Update....I have just carried out all the recommendations and they all appear to have worked apart from adding the out-interface=pppoe-1

To use the 10G sfp to connect to my switch instead of ether2 do I need to somehow add it to the bridge?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 5:23 am

Yes.
The first one wasn't literal, I meant your pppoe connection,
so it should match the name you have chosen.

pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
 
nescafe2002
Forum Veteran
Posts: 897
Joined: Tue Aug 11, 2015 12:46 pm
Location: Netherlands

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 9:23 am

Not necessary, interface is member of WAN and there is already a masquerade rule for WAN. Just remove the general masquerade rule.
 
Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 11:00 am

Yes.
The first one wasn't literal, I meant your pppoe connection,
so it should match the name you have chosen.

pppoe-out1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
Ok thank you. I will try that when I get home this evening.
With the changes I have made, would it have stopped a Google Home Display from connecting to the network? It might be a coincidence but around the same time it started trying to connect to the Wi-Fi every 30 seconds. I have reset the Google hub but it won't stay connected. Is this maybe to do with MAC settings? Google says it requires UPnP, IGMP and multicast enabled... have I changed that in any way?
 
anav
Forum Guru
Posts: 19321
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 2:30 pm

Hi Cliff, sorry I don't use Google Home but it sounds like it's a special case functionality.
Try searching in the forums for google home and see if there are any hits.
 
mkx
Forum Guru
Posts: 11586
Joined: Thu Mar 03, 2016 10:23 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Tue Mar 02, 2021 8:51 pm

To use the 10G sfp to connect to my switch instead of ether2 do I need to somehow add it to the bridge?

Yes, add sfp-sfpplus1 to bridge local. After that you'll be able to replace ethernet connection with SFP.
 
Cliff007
just joined
Topic Author
Posts: 9
Joined: Tue Feb 23, 2021 9:22 pm

Re: RouterOS - Newbie CCR1009-7G-1C-1S+

Wed Mar 03, 2021 12:49 am

Hi Guys,

I just want to thank you for all the advice and help you have given me over the last couple of days. Everything is working perfectly now and I believe it is correctly configured. I have had no attempted connections in the log since I turned off everything in the IP service list (apart from winbox).
The only thing left to do is connect up to my switch with a SFP cable when it comes tomorrow. I have already added the port to the bridge so it should be ok!

Once again, many thanks for your time and knowledge it is very much appreciated.
