danielyeap
just joined
Topic Author
Posts: 5
Joined: Sun May 30, 2021 12:23 pm

Home Network Design

Wed Jun 02, 2021 1:39 pm

Hi All,
I am not a total beginner, but also not an expert in networking.

My current home network works well and it looks like this:
Mikrotik RB750gr3
- Port #1 => WAN (Internet)
- Port #2 => Switch #1 (dumb/plug and play) => My workstations (LAN cable)
- Port #3 => Switch #2 (dumb/plug and play) => My other workstations (LAN cable) and Asus XT8 (AP mode)

Due to the increase in IoT devices and wireless devices that I do not trust, I plan to do this:
Mikrotik RB750gr3
- Port #1 => WAN (Internet)
- Port #2 => Switch #1 (dumb/plug and play) => My workstations (LAN cable)
- Port #3 => Switch #2 (dumb/plug and play) => My other workstations (LAN cable)
- Port #4 => Asus XT8 (AP mode) => Trusted WIFI devices
- Port #5 => A new AP (IoT and non-trusted WIFI devices)

Port #2, #3 and #4 will be on VLAN 10 (IP range 192.168.0.0/24)
Port#5 on VLAN40 (IP range 10.1.0.0/24)

How should I configure the router to achieve that?
NOTE: I tried to create VLAN40 and was able to get DHCP to run on Port #5, but no Internet.

Current setup =>
 
 # jun/02/2021 15:02:15 by RouterOS 6.48.1
# software id = EICN-1U0B
#
# model = RB750Gr3
# serial number = 8B010ADE8295
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 keepalive-timeout=\
    disabled max-mru=1492 max-mtu=1492 name=unifi user=inetuser@unifi
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.135-192.168.0.175
add name=vpn ranges=192.168.89.120-192.168.89.135
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp1
/ppp profile
set *FFFFFFFE local-address=dhcp remote-address=vpn
/system logging action
set 0 memory-lines=3500
add email-start-tls=yes email-to=inetuser@email.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
    sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=unifi list=WAN
add interface=bridge1 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.1.0.0 network=10.1.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server config
set store-leases-disk=30m
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,208.67.222.222 gateway=\
    192.168.0.1 netmask=24
/ip dns
set servers=8.8.8.8,208.67.222.222
/ip dns static
add address=8.8.8.8 name=google-dns
add address=208.67.222.222 name=opendns
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=192.168.89.120-192.168.89.135 list=allowed_to_router
add address=216.218.206.0/24 list=manual-blocked-ip
add address=213.108.134.0/24 list=manual-blocked-ip
add address=192.241.200.0/21 list=manual-blocked-ip
add address=192.241.224.0/19 list=manual-blocked-ip
add disabled=yes list=enemy-within
/ip firewall filter
add action=drop chain=input comment="drop manually blocked ip" \
    src-address-list=manual-blocked-ip
add action=add-src-to-address-list address-list=syn-flood-protect \
    address-list-timeout=2w chain=input comment=\
    "addr-list: syn-flood-protect" connection-limit=30,32 protocol=tcp \
    tcp-flags=syn
add action=drop chain=input comment="drop syn flooders" src-address-list=\
    syn-flood-protect
add action=add-src-to-address-list address-list=port-scan-protect \
    address-list-timeout=2w chain=input comment=\
    "addr-list: port-scan-protect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="drop port scanners" src-address-list=\
    port-scan-protect
add action=drop chain=input comment="l2tp bruteforce block" connection-state=\
    new dst-port=500,1701,4500 protocol=udp src-address-list=l2tp-bruteforce
add action=add-src-to-address-list address-list=l2tp-bruteforce \
    address-list-timeout=2w chain=input connection-state=new dst-port=1701 \
    protocol=udp src-address-list=l2tp-probe3
add action=add-src-to-address-list address-list=l2tp-probe3 \
    address-list-timeout=15m chain=input connection-state=new dst-port=1701 \
    protocol=udp src-address-list=l2tp-probe2
add action=add-src-to-address-list address-list=l2tp-probe2 \
    address-list-timeout=8m chain=input connection-state=new dst-port=1701 \
    protocol=udp src-address-list=l2tp-probe1
add action=add-src-to-address-list address-list=l2tp-probe1 \
    address-list-timeout=5m chain=input connection-state=new dst-port=\
    500,1701,4500 protocol=udp
add action=drop chain=input comment="drop DNS request from WAN" dst-port=53 \
    in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="accept established, related (input)" \
    connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
    protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
    protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
    protocol=tcp
add action=drop chain=input comment="drop ping" protocol=icmp
add action=drop chain=input comment="drop invalid (input)"
add action=drop chain=input comment="drop all not coming from LAN" \
    in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=FastTrack \
    connection-state=established,related
add action=accept chain=forward comment=\
    "accept established, related (forward)" connection-state=\
    established,related
add action=drop chain=forward comment="drop invalid (forward)" \
    connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
    "drop incoming packets that are not NATted" connection-nat-state=!dstnat \
    connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
    192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.89.0/24
set ssh address=192.168.0.0/24,192.168.89.0/24
set winbox address=192.168.0.0/24,192.168.89.0/24
/ppp secret
add name=myvpn profile=default-encryption
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system logging
set 0 topics=info,!firewall,!dhcp
set 3 action=email
add topics=account,system
add action=email topics=l2tp,info,!ppp
add action=email topics=pptp,info
add action=email topics=ipsec,error
add action=email topics=system,health
add action=email topics=l2tp,ppp,info,account
add action=email topics=pptp,ppp,error
/tool e-mail
set address=152.92.72.214 from=inetuser@email.com port=587 start-tls=yes \
    user=inetuser@hotmail.com
 
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home Network Design

Wed Jun 02, 2021 2:12 pm

This is the best guide for setting up vlans........
However in your case vlans are not really required because you do not have multiple subnets running over a single port.

Therefore suggest you create a bridge and run ether ports 2-4 on the bridge.
The bridge can do the dhcp, pool, address etc.

Ether 5 can be its own subnet address etc..

The only thing you need to do in the forward chain firewall rules is stop the router from L3 routing between the bridge and ether5.
There are two ways to accomplish this.

a. Put drop all else rule at the end of forward chain. This is what most do because it stops all traffic you have not already allowed.
Meaning you will need to add a LAN to WAN rule for your traffic.

b. The other option is to add two rules: block bridge to ether5 traffic AND block ether5 to bridge traffic.

Suggest you post your config after making changes to have it reviewed.
/export hide-sensitive file=anynameyouwish
 
danielyeap
just joined
Topic Author
Posts: 5
Joined: Sun May 30, 2021 12:23 pm

Re: Home Network Design

Wed Jun 02, 2021 2:20 pm

> This is the best guide for setting up vlans........
> However in your case vlans are not really required because you do not have multiple subnets running over a single port.
>
> Therefore suggest you create a bridge and run ether ports 2-4 on the bridge.
> The bridge can do the dhcp, pool, address etc.
>
> Ether 5 can be its own subnet address etc..
>
> The only thing you need to do in the forward chain firewall rules is stop the router from L3 routing between the bridge and ether5.
> There are two ways to accomplish this.
>
> a. Put drop all else rule at the end of forward chain. This is what most do because it stops all traffic you have not already allowed.
> Meaning you will need to add a LAN to WAN rule for your traffic.
>
> b. The other option is to add two rules: block bridge to ether5 traffic AND block ether5 to bridge traffic.
>
> Suggest you post your config after making changes to have it reviewed.
> /export hide-sensitive file=anynameyouwish

Hi,
Thanks for your reply.

If I understand you correctly, I should:
1. Remove ether5 from bridge1
2. Create VLAN40 on ether5
3. Create a DHCP server to serve VLAN40

So, if the firewall is set up properly, ether5/VLAN40 should be able to access the internet through ether1?
By the way, I tried to study the current config and still have no clue how ether2-5 can access the internet through ether1.
 
lufer
just joined
Posts: 7
Joined: Wed Apr 14, 2021 5:54 pm
Location: Valencia, Spain

Re: Home Network Design

Wed Jun 02, 2021 2:48 pm

Why not just use a different subnet on the ether5 so you can directly block the traffic to your home subnet via firewall? I don't think that vlans are necessary at all.
 
danielyeap
just joined
Topic Author
Posts: 5
Joined: Sun May 30, 2021 12:23 pm

Re: Home Network Design

Wed Jun 02, 2021 5:01 pm

> Why not just use a different subnet on the ether5 so you can directly block the traffic to your home subnet via firewall? I don't think that vlans are necessary at all.

Thanks!!!

I removed ether5 from bridge1.
Created a DHCP server on ether5 with IP range of 10.1.0.0/24.
Now, my devices connected to ether5 will get IP in that 10.1.0.0/24 range and have access to the Internet.

However, I do not know why my firewall rules still allow clients with IP of 10.1.x.x to access my machines on 192.168.0.x.
Strangely, those clients could not access the router at 192.168.0.1, but were able to reach other clients (e.g. 192.168.0.101)!
UPDATE: I believe the 10.1.x.x client could not access the www and ssh service at 192.168.0.1 due to these rules =>
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.89.0/24
set ssh address=192.168.0.0/24,192.168.89.0/24


So, how do I set things up to prevent my 10.1.x.x clients from going over to my 192.168.0.x network?
NOTE: I would want my clients on 192.168.0.x and 192.168.89.x to be able to reach 10.1.0.x clients though.

If I can have the firewall rules (where to insert in my current firewall rules too) for the above requirement, it will be much appreciated.

Thanks.

# jun/02/2021 21:58:17 by RouterOS 6.48.1
# software id = EICN-1U0B
#
# model = RB750Gr3
# serial number = 8B010ADE8295
/interface bridge
add name=bridge1
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan500 keepalive-timeout=\
disabled max-mru=1492 max-mtu=1492 name=unifi user=inetuser@unifi
/interface list
add name=WAN
add name=LAN
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp ranges=192.168.0.135-192.168.0.175
add name=vpn ranges=192.168.89.120-192.168.89.135
add name=dhcp_insecured ranges=10.1.0.2-10.1.0.254
/ip dhcp-server
add address-pool=dhcp disabled=no interface=bridge1 lease-time=1w name=dhcp1
add address-pool=dhcp_insecured disabled=no interface=ether5 name=dhcp2
/ppp profile
set *FFFFFFFE local-address=dhcp remote-address=vpn
/system logging action
set 0 memory-lines=3500
add email-start-tls=yes email-to=inetuser@email.com name=email target=email
/user group
set full policy="local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,pas\
sword,web,sniff,sensitive,api,romon,dude,tikapp"
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=ether3
add bridge=bridge1 interface=ether4
/ip neighbor discovery-settings
set discover-interface-list=!dynamic
/interface l2tp-server server
set enabled=yes use-ipsec=required
/interface list member
add interface=unifi list=WAN
add interface=bridge1 list=LAN
add disabled=yes interface=ether5 list=LAN
/interface sstp-server server
set default-profile=default-encryption
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0
add address=10.1.0.1/24 interface=ether5 network=10.1.0.0
/ip cloud
set ddns-enabled=yes
/ip dhcp-client
add interface=ether1
/ip dhcp-server config
set store-leases-disk=30m
/ip dhcp-server network
add address=10.1.0.0/24 dns-server=8.8.8.8,1.9.1.9 gateway=10.1.0.1 netmask=\
24
add address=192.168.0.0/24 dns-server=8.8.8.8,208.67.222.222 gateway=\
192.168.0.1 netmask=24
/ip dns
set servers=8.8.8.8,208.67.222.222
/ip dns static
add address=8.8.8.8 name=google-dns
add address=208.67.222.222 name=opendns
add address=192.168.0.208 disabled=yes name=local-okd-dns ttl=1w
/ip firewall address-list
add address=192.168.0.2-192.168.0.254 list=allowed_to_router
add address=192.168.89.120-192.168.89.135 list=allowed_to_router
add address=216.218.206.0/24 list=manual-blocked-ip
add address=213.108.134.0/24 list=manual-blocked-ip
add address=192.241.200.0/21 list=manual-blocked-ip
add address=192.241.224.0/19 list=manual-blocked-ip
add disabled=yes list=enemy-within
/ip firewall filter
add action=drop chain=input comment="drop manually blocked ip" \
src-address-list=manual-blocked-ip
add action=add-src-to-address-list address-list=syn-flood-protect \
address-list-timeout=2w chain=input comment=\
"addr-list: syn-flood-protect" connection-limit=30,32 protocol=tcp \
tcp-flags=syn
add action=drop chain=input comment="drop syn flooders" src-address-list=\
syn-flood-protect
add action=add-src-to-address-list address-list=port-scan-protect \
address-list-timeout=2w chain=input comment=\
"addr-list: port-scan-protect" protocol=tcp psd=21,3s,3,1
add action=drop chain=input comment="drop port scanners" src-address-list=\
port-scan-protect
add action=drop chain=input comment="l2tp bruteforce block" connection-state=\
new dst-port=500,1701,4500 protocol=udp src-address-list=l2tp-bruteforce
add action=add-src-to-address-list address-list=l2tp-bruteforce \
address-list-timeout=2w chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe3
add action=add-src-to-address-list address-list=l2tp-probe3 \
address-list-timeout=15m chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe2
add action=add-src-to-address-list address-list=l2tp-probe2 \
address-list-timeout=8m chain=input connection-state=new dst-port=1701 \
protocol=udp src-address-list=l2tp-probe1
add action=add-src-to-address-list address-list=l2tp-probe1 \
address-list-timeout=5m chain=input connection-state=new dst-port=\
500,1701,4500 protocol=udp
add action=drop chain=input comment="drop DNS request from WAN" dst-port=53 \
in-interface-list=WAN protocol=tcp
add action=drop chain=input dst-port=53 in-interface-list=WAN protocol=udp
add action=accept chain=input comment="accept established, related (input)" \
connection-state=established,related
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=drop chain=input comment="drop ping" protocol=icmp
add action=drop chain=input comment="drop invalid (input)"
add action=drop chain=input comment="drop all not coming from LAN" \
in-interface-list=!LAN
add action=fasttrack-connection chain=forward comment=FastTrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established, related (forward)" connection-state=\
established,related
add action=drop chain=forward comment="drop invalid (forward)" \
connection-state=invalid log=yes log-prefix=invalid
add action=drop chain=forward comment=\
"drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT
/ip firewall nat
add action=masquerade chain=srcnat out-interface-list=WAN
add action=masquerade chain=srcnat comment="masq. vpn traffic" src-address=\
192.168.89.0/24
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.89.0/24
set ssh address=192.168.0.0/24,192.168.89.0/24
set winbox address=192.168.0.0/24,192.168.89.0/24
/ppp secret
add name=myvpn profile=default-encryption
/system clock
set time-zone-name=Asia/Kuala_Lumpur
/system logging
set 0 topics=info,!firewall,!dhcp
set 3 action=email
add topics=account,system
add action=email topics=l2tp,info,!ppp
add action=email topics=pptp,info
add action=email topics=ipsec,error
add action=email topics=system,health
add action=email topics=l2tp,ppp,info,account
add action=email topics=pptp,ppp,error
/tool e-mail
set address=52.98.77.114 from=inetuser@email.com port=587 start-tls=yes \
user=inetuser@hotmail.com
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home Network Design

Wed Jun 02, 2021 5:58 pm

Sorry for that, forget the vlan link itself
viewtopic.php?f=23&t=143620

As I stated you don't need the vlan in your simple config.
Ether 5 just gets its own ethernet setup, pool, address etc, and is NOT on the bridge.
The ether ports 2-4 are on the bridge and assign the bridge the address, dhcp etc.

The firewall rules you can use to block traffic from bridge subnet to etherport 5 subnet (and there are at least 2 approaches for that).

HOWEVER, what stuff are you trying to do here?
WHY IS WWW even turned on?
If you are using plain internet to access your router you are LOCO.

Remove it asap.
The only safe way to access your router remotely is via VPN, port knocking is another method that is not ideal and temporary until you get VPN established.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home Network Design

Wed Jun 02, 2021 6:20 pm

(1) Remove the vlan
/interface vlan
add interface=ether1 name=vlan500 vlan-id=500

(2) Enable the interface list member
/interface list member
add interface=unifi list=WAN
add interface=bridge1 list=LAN
add disabled=yes interface=ether5 list=LAN

(3) Why is this set to ether2? It should be the bridge.
/ip address
add address=192.168.0.1/24 interface=ether2 network=192.168.0.0

(4) Disable www.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www address=192.168.0.0/24,192.168.89.0/24

(5) Firewall rules......
Simplify your input rules to this......... and there is no reason to block icmp.
/ip firewall filter
add action=accept chain=input comment="accept established, related (input)" \
connection-state=established,related
add action=accept chain=input comment="allow ping" protocol=icmp
add action=drop chain=input comment="drop invalid (input)" connection-state=invalid
add action=accept chain=input src-address-list=allowed_to_router
add action=accept chain=input comment="allow IPsec NAT" dst-port=4500 \
protocol=udp
add action=accept chain=input comment="allow IKE" dst-port=500 protocol=udp
add action=accept chain=input comment="allow l2tp" dst-port=1701 protocol=udp
add action=accept chain=input comment="allow pptp" disabled=yes dst-port=1723 \
protocol=tcp
add action=accept chain=input comment="allow sstp" disabled=yes dst-port=443 \
protocol=tcp
add action=accept chain=input in-interface-list=LAN protocol=tcp dst-port=53 connection-state=new comment="allow LAN DNS services"
add action=accept chain=input in-interface-list=LAN protocol=udp dst-port=53 connection-state=new comment="allow LAN DNS services"
add action=drop chain=input comment="drop all else"

......
In this way, only the admin has access to the router, NOBODY else on the LAN does, and they only access DNS, for which they need it.
 
anav
Forum Guru
Posts: 18958
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Home Network Design

Wed Jun 02, 2021 6:30 pm

Now for the forward chain.
The problem is you do not understand how the firewall rules work.
Is there any rule for layer 3 routing to prevent the two subnets from talking? The answer is NO.
They cannot see each other at layer as physically separated by ports and one subnet is on a bridge, the other not on the bridge.
The router default rule set presumes a single subnet and now you have two...............

As noted, two methods.
A. preferred. Take this rule and change it......
add action=drop chain=forward comment=\
"drop incoming packets that are not NATted" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN log=yes log-prefix=!NAT


TO
add action=accept chain=forward connection-nat-state=dstnat connection-state=new \
in-interface-list=WAN comment="allow port forwarding"
add action=drop chain=forward comment="drop all else"

DONE! (bonus if you have no intention of providing servers and associated dst-nat rules, you can disable or remove the port forwarding rule)

Now with the DROP ALL ELSE rule, you are blocking all traffic automatically that you do not have an allow rule for. Safer!!
Which means .........................if you are sharp...........................that you are now stopping lan to wan traffic, no internet, so to fix.

add action=accept chain=forward in-interface-list=LAN out-interface-list=WAN


The other method is to keep the set of rules in play now
and add two blocking rules, drop bridge to ether5 traffic and drop ether5 to bridge traffic.
This is a poorer approach.
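
Added example, not part of the post above or of any poster's configuration: a small Python model of first-match evaluation in the forward chain, comparing the rule set from the export, the method A rule set, and a variant with one hypothetical extra rule that lets bridge1 open connections to ether5 (the direction the topic author wanted to keep). It assumes ether5 is an enabled member of the LAN list and folds the FastTrack rule into the established/related accept; the sample packets are constructed.

```python
from dataclasses import dataclass

# Interface lists from the export; ether5 as an enabled LAN member is an assumption.
LISTS = {"WAN": {"unifi"}, "LAN": {"bridge1", "ether5"}}

@dataclass(frozen=True)
class Packet:
    in_if: str
    out_if: str
    state: str = "new"   # new | established | related | invalid
    dstnat: bool = False

# Matchers this model understands; a rule lists only the ones it uses.
MATCHERS = {
    "state":    lambda p, v: p.state in v,
    "in_list":  lambda p, v: p.in_if in LISTS[v],
    "out_list": lambda p, v: p.out_if in LISTS[v],
    "in_if":    lambda p, v: p.in_if == v,
    "out_if":   lambda p, v: p.out_if == v,
    "dstnat":   lambda p, v: p.dstnat == v,
}

def rule(action, comment, **match):
    return {"action": action, "comment": comment, **match}

def verdict(chain, pkt):
    """First matching rule decides; a packet that matches no rule is accepted."""
    for r in chain:
        if all(MATCHERS[k](pkt, v) for k, v in r.items() if k in MATCHERS):
            return r["action"], r["comment"]
    return "accept", "no rule matched"

# FastTrack matches the same packets as the established/related accept, so it is folded in.
COMMON = [
    rule("accept", "accept established, related (forward)",
         state=("established", "related")),
    rule("drop", "drop invalid (forward)", state=("invalid",)),
]
ORIGINAL = COMMON + [
    rule("drop", "drop incoming packets that are not NATted",
         state=("new",), in_list="WAN", dstnat=False),
]
DROP_ALL = rule("drop", "drop all else")
METHOD_A = COMMON + [
    rule("accept", "allow port forwarding", state=("new",), in_list="WAN", dstnat=True),
    rule("accept", "LAN to WAN", in_list="LAN", out_list="WAN"),
    DROP_ALL,
]
# Hypothetical extra rule (not posted in the thread): bridge1 may open connections to ether5.
METHOD_A_ONE_WAY = METHOD_A[:-1] + [
    rule("accept", "bridge1 to ether5", in_if="bridge1", out_if="ether5"),
    DROP_ALL,
]

def compare(pkt):
    """Action each rule set takes for one packet."""
    sets = {"original": ORIGINAL, "method_a": METHOD_A, "one_way": METHOD_A_ONE_WAY}
    return {name: verdict(chain, pkt)[0] for name, chain in sets.items()}

if __name__ == "__main__":
    samples = {  # constructed sample packets
        "ether5 -> bridge1 (new)": Packet("ether5", "bridge1"),
        "bridge1 -> ether5 (new)": Packet("bridge1", "ether5"),
        "ether5 -> bridge1 (reply)": Packet("ether5", "bridge1", "established"),
        "ether5 -> unifi (new)": Packet("ether5", "unifi"),
        "unifi -> bridge1 (new)": Packet("unifi", "bridge1"),
    }
    for label, pkt in samples.items():
        print(f"{label:28} {compare(pkt)}")
```

In the original rule set, new ether5 to bridge1 traffic matches no rule and is accepted by default, which is the behaviour the topic author observed; with the final drop rule it is dropped, while replies to connections opened from bridge1 still pass as established.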
 
danielyeap
just joined
Topic Author
Posts: 5
Joined: Sun May 30, 2021 12:23 pm

Re: Home Network Design

Wed Jun 02, 2021 7:31 pm

Thanks, all!!

I finally figured it out!! :)
