
Network and firewall Issues

Posted: Thu Apr 10, 2008 6:44 pm
by erudite
I am a network administrator using MikroTik 2.9.45, a beginner.
I am experiencing a lot of network problems and my ISP said I am occupying my bandwidth when there are not many users on the net.
So, in trying to lay my hand on something, I wish to allow only these common ports/protocols and block others:
http, https, ftpcontrol, ftpdata, ssh, telnet. Please help me on how to go about it, with a step-by-step guide.

Re: Network and firewall Issues

Posted: Thu Apr 10, 2008 7:32 pm
by SurferTim
Greetings!

There is a section in the docs about the firewall filter. There are examples at the bottom. "How to protect your router" is a must. "How to protect your customers" or something like that, deals with blocking the ports that may be causing you grief.

If you are not using any type of bandwidth throttling, your customers/clients may be using it watching Google/YouTube videos. Only takes a few.

Re: Network and firewall Issues

Posted: Fri Apr 11, 2008 10:56 am
by erudite
I have tried to read the doc but can't apply it. So if you can help me out with a guide and example I will appreciate it. Remember I am a beginner.

Re: Network and firewall Issues

Posted: Fri Apr 11, 2008 11:12 am
by SurferTim
I will aim this at a beginner then...

I use the command line interface (CLI) through ssh.

/ ip firewall filter
add chain=input connection-state=invalid action=drop
add chain=input connection-state=established action=accept
add chain=input protocol=udp action=accept
add chain=input protocol=icmp action=accept
add chain=input src-address=192.168.0.0/24 action=accept
add chain=input src-address=xxx.xxx.xxx.xxx/yy action=accept
add chain=input action=drop

Do not add the last rule until you are certain all else is ok. If any rule will lock you out of your own box, that is it. If you wish to remove rules, remove that last one first!

They must be in this order! Change xxx.xxx.xxx.xxx/yy to your local network's public IP set if this is a remote unit. That way you can access it from your office/home. Otherwise you can omit that rule.

This is the same as the "Protect your router" example in the docs with the local net permission added. You add the "Protect your customer" rules the same way. The examples are way down at the bottom of the page in the docs. http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

If you are unfamiliar with CLI, let us know. Someone familiar with Winbox may help you translate.
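
Added example, not part of the original posts and not taken from the MikroTik docs: a forward-chain rule set in the same style as the input-chain rules above, passing only the services named in the first post for traffic going through the router. The 192.168.0.0/24 client subnet is reused from the post above, and the DNS rules are an assumption added so that name lookups keep working.

```routeros
# Added example. The chain=forward rules filter traffic passing THROUGH the
# router (client traffic); chain=input above only covers traffic TO the router.
# Assumption: clients sit on 192.168.0.0/24, as in the input-chain rules.
/ ip firewall filter
add chain=forward connection-state=invalid action=drop comment="drop invalid"
add chain=forward connection-state=established action=accept comment="replies to allowed sessions"
add chain=forward connection-state=related action=accept comment="related, e.g. FTP data tied to a control session"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=80 action=accept comment="http"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=443 action=accept comment="https"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=21 action=accept comment="ftp control"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=20 action=accept comment="ftp data"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=22 action=accept comment="ssh"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=23 action=accept comment="telnet"
# Assumption: DNS must pass, otherwise web browsing by name stops working.
add chain=forward src-address=192.168.0.0/24 protocol=udp dst-port=53 action=accept comment="dns udp"
add chain=forward src-address=192.168.0.0/24 protocol=tcp dst-port=53 action=accept comment="dns tcp"
# Add this last, only once the accept rules above are confirmed to match.
add chain=forward action=drop comment="drop everything else"
```

Rules are matched top to bottom and the first match wins, so the final drop has to stay at the end of the forward chain, the same as in the input chain.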

Re: Network and firewall Issues

Posted: Fri Apr 11, 2008 12:06 pm
by erudite
Thanks very much. I am not familiar with CLI, I use Winbox. I will appreciate it if you can interpret it.

Re: Network and firewall Issues

Posted: Tue Apr 15, 2008 8:58 pm
by theseb
Thanks very much. I am not familiar with CLI, I use Winbox. I will appreciate it if you can interpret it.
If you click "new terminal" in Winbox, you can type in those commands.