hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Simplifying Home Network

Sat May 14, 2022 6:56 pm

Hello Everyone,

It's been a little while since I've played around with this stuff and I still honestly don't know what I'm doing, but I thought I would simplify what I had, start over and go from there. I used to have a really complicated setup with VLANs and I no longer feel that is doing what I would like it to. I've updated my devices to ROS 7.2.3 and want to know where to head from here.

My main goal at this point is to be able to get my cAP AC set up as a wifi AP in another part of my house and for my RB4011 to do the rest of the heavy lifting. I have tried to follow all the awesome guides and pathways (viewtopic.php?t=182373) that @anav has so graciously put together. I just want to make sure I'm going in the right direction. I did not do anything wrt step A, but I have tried to go through step B via the Novice+modified method... Can someone confirm I did it right?

I have yet to try to set up my cAP AC, as I was trying to get the 'cloud' portion of things working first. I was hoping to just check the little "DDNS Enabled" box and I'd be good! lol. I have uploaded the current state of my setup and was wondering if anyone could help me understand how to get this working. I am currently using PPPoE with my RB4011 through my ISP's box. My wonderful ISP went and changed their FTTH device and they now have an integrated GPON that I can't just directly plug into my RB4011 SFP anymore. :( So I am getting an IP that way.

My setup consists of a machine on my network running TrueNAS (88.20) and a VM (88.250) in there where I have a Minecraft server running for the kids. I'd like to be able to enable access to the MC server from outside my network. I've enabled DDNS in the RB4011, but I can't seem to connect/see anything from the outside (hotspotting my cell (mobile) with a laptop). I'm not sure if there are NAT issues due to it going through my ISP's box; I've gone ahead and made the RB4011 a static IP within the ISP's system, with no port forwarding rules in there at this time.

So my first request would be to get the DDNS working. I think at one point in the past I used Dynu.com and a script, but I thought maybe for now I would try to use the DNS service already provided by MT? Or should I try the script way? I still think I'll probably need some firewall rules etc. to get that working. I want to be able to connect to my MC server (default port 25565) on the VM (88.250) within TrueNAS. I can access it locally, just not from outside the network yet.

If I missed giving some info, please let me know.

Thank you!

** Forgot to mention that when I try to navigate to my DN or use the IP, I just get connection timed out.**
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simplifying Home Network

Sat May 14, 2022 9:08 pm

To set up your cAP ac, follow the example in red here: viewtopic.php?t=182276
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simplifying Home Network  [SOLVED]

Sat May 14, 2022 9:25 pm

(1) Well, you have a flat network and no need of vlans, it seems. I don't know how you are going to do guest wifi or IoT devices without them??

(2) Since you have a PPPoE client set up, this line is not required and should be removed.
/ip dhcp-client
add comment=defconf interface=1_-_WAN


(3) From
/tool mac-server
set allowed-interface-list=LAN
/tool mac-server mac-winbox
set allowed-interface-list=LAN

To
/tool mac-server
set allowed-interface-list=none
/tool mac-server mac-winbox
set allowed-interface-list=Authorised

(4) This rule is serving what purpose on the input chain??
add action=accept chain=input in-interface-list=LAN

Let's think about the logic! You have a very specific Admin rule to access the router for config purposes - great!!
You have rules to allow LAN users to access necessary Router Services (such as DNS, NTP etc......).

So what is the reason for the above rule highlighted?
Put in another way, why give everybody on the LAN fuller access to the router than what the admin has!!

It makes the next rule seem ridonkulous because if you matched all LAN traffic to the router, the next rule, blocking LAN attempts to the router with Rejected would never get seen!!!

(5) This rule is serving what purpose on the input chain??
add action=drop chain=input comment="defconf: drop all not coming from LAN" \
disabled=yes in-interface-list=!LAN


Let's think about the logic! You have a very specific Admin rule to access the router for config purposes - great!!
You have rules to allow LAN users to access necessary Router Services (such as DNS, NTP etc......).

What is the reason for the rule highlighted above? It's basically saying drop everything not coming from the LAN.
Put it another way, you already have a block rule for all LAN and WAN traffic in place, the NEXT RULE, the drop all rule.
The user added rules above this should be allow rules!!

(6) This rule is serving what purpose on the input chain??
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new disabled=yes in-interface-list=WAN


Let's think about the logic! You have a very specific allow rule already for port forwarding, so this is redundant!!

So what is the reason for the above rule highlighted?
Put in another way, this rule also drops all traffic from WAN not dst-natted, but the NEXT rule is the drop rule, so it's not needed!!
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simplifying Home Network

Sat May 14, 2022 9:30 pm

(1) As for port forwarding, I suggest you be very specific on your dstnat rule.
Make sure you have a source address or source address list for access to the minecraft server.
Such that
# only sources on the PERMITTED address list ever match this dst-nat rule
add action=dst-nat chain=dstnat comment="Minecraft" dst-port=25565 \
in-interface-list=WAN protocol=tcp src-address-list=PERMITTED \
to-addresses=192.168.88.250 to-ports=25565

(2) The reason you are not connecting is that the in-interface-list=WAN you have is incomplete!!
/interface list member
add comment=defconf interface=Home_Bridge list=LAN
add comment=defconf interface=1_-_WAN list=WAN
add comment="Admin Access" interface=2_-_AdminPC list=Authorised

# the PPPoE client interface carries the public IP, so it must be in the WAN list too
add comment="PPPoE WAN" interface=Bell_Fibe_PPPoE list=WAN
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: Simplifying Home Network

Sun May 15, 2022 12:05 am

Thanks for the cleanup.. I realised only after I had updated with a default firewall that you had all these fancy dandy help/how-tos! I already had my Wifi and PPPoE set up so I didn't want to do that over again.. Perhaps I should have just started from scratch, hehe.

I've removed the extra firewall rules (some were actually disabled, if you saw) and it seems to be working. The one thing I wasn't sure about, and I didn't do (though it is working), is in the NAT rule:
src-address-list=PERMITTED
What exactly did you mean by this? It is working atm, but I feel that for some reason I have left a hole in my firewall because you said to put this... lol

What is actually in my PERMITTED address list? Isn't this just all WAN, or my PPPoE?

Thank you!
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simplifying Home Network

Sun May 15, 2022 4:02 am

PERMITTED means no user should be accessing your server that you have not pre-identified.

# static public IPs of the people you have pre-identified
/ip firewall address-list
add address=User1-public IP   list=PERMITTED
add address=User2-public IP   list=PERMITTED
..........
add address=UserXX-public IP   list=PERMITTED
# dynamic WAN IPs go in by DDNS name; the router resolves the name itself
add address=dyndns-url-1  list=PERMITTED
add address=dyndns-url-2  list=PERMITTED
.........
add address=dyndns-url-XX  list=PERMITTED
In other words, if someone needs access to the server, then they give you their static public IP address.
If they have a dynamic WAN IP, then they need to give you the corresponding dyndns name, mynetname etc...........
There are lots of free providers of such names and thus it's fair to demand it to gain access.

The advantages of using the src-address list are two-fold: one, it's always a good idea to limit access to your LAN; second, by using a source address on the DSTNAT rule, the port in use does not appear on scans. Without src-address, the port will be visible on external scans but will appear closed.
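Putting anav's dst-nat rule and the PERMITTED list together, here is an added example (not from the thread, and not the OP's config) showing the three pieces in RouterOS 7 syntax. The public IP 203.0.113.10, the DDNS hostname and the comments are constructed placeholders; the WAN interface list, the server address 192.168.88.250 and port 25565 are the values from the thread, and the forward-chain accept rule is assumed to be the one anav refers to as the "allow rule for port forwarding".

```routeros
# Added example, not from the thread. 203.0.113.10 and friend-home.example.net
# are constructed placeholders; WAN, 192.168.88.250 and 25565 come from the thread.

# 1. Only pre-identified sources go on the list: a static public IP, or a DDNS
#    name that RouterOS resolves itself and keeps current in the list.
/ip firewall address-list
add address=203.0.113.10 comment="friend, static public IP" list=PERMITTED
add address=friend-home.example.net comment="friend, dynamic IP via DDNS name" \
    list=PERMITTED

# 2. The dst-nat rule fires only for sources on the list. Any other source never
#    matches it, so its packets fall through to the input chain and its final
#    drop rule, and the port does not show up as open on an external scan.
/ip firewall nat
add action=dst-nat chain=dstnat comment="Minecraft" dst-port=25565 \
    in-interface-list=WAN protocol=tcp src-address-list=PERMITTED \
    to-addresses=192.168.88.250 to-ports=25565

# 3. The forward chain still has to accept the translated connection. This is
#    the single allow rule for port forwarding; keep it above the final
#    drop rule in the forward chain, and it makes the defconf
#    "drop all from WAN not DSTNATed" rule redundant.
/ip firewall filter
add action=accept chain=forward comment="allow port-forwarded (dst-natted) traffic" \
    connection-nat-state=dstnat connection-state=new in-interface-list=WAN
```

Because the source check sits on the dst-nat rule rather than only in the filter, a connection from an address that is not on PERMITTED is never translated at all, which is what makes the port invisible rather than merely closed.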
 
hahnhell
Member Candidate
Topic Author
Posts: 108
Joined: Sat Mar 07, 2020 11:49 pm
Location: NCR, Canada

Re: Simplifying Home Network

Sun May 15, 2022 5:51 pm

Alright, now I understand what you mean to have in the PERMITTED list. Makes sense.

Onto finishing the steps in the New User Pathway to success...

Trying to do the OFF Bridge access thing from: viewtopic.php?t=181718 however I don't understand what you mean by
3. Give it an IP address that does not conflict with any other subnets on the LAN or any remote subnets etc.... lets use 192.168.5.1/24 network 192.168.5.0
How do I give an IP to an empty port? This doesn't seem to make sense to me. I already have the "Authorised" Interface-List, I just need to set up a port now?

To set up my cAP AC, I don't need anything special on it other than it being a WiFi AP, so I am assuming I can just follow @pukkita's post here: viewtopic.php?p=905562#p905562 right?

Thank you, happy Sunday.
 
anav
Forum Guru
Posts: 19104
Joined: Sun Feb 18, 2018 11:28 pm
Location: Nova Scotia, Canada

Re: Simplifying Home Network

Sun May 15, 2022 6:07 pm

Yeah, I don't do flat networks, so if that's what pukkita is describing then it should be good to go!

As far as off bridge access for config, yup, all you need to do is assign a unique private IP address to the port.
Then include that port on the Authorised list!
