MikroTik

rkau045

Mkx is almost correct. The subnet containing 192.168.1.1/23 would actually be 192.168.0.0/23 so the usable range is 192.168.0.1-192.168.1.254

Sent from my Pixel 3 XL using Tapatalk

rkau045

Tapatalk seems to be working again.

Sent from my Pixel 3 XL using Tapatalk

rkau045

I believe what you are asking for is a "dying gasp"
Edited to add: this is usually implemented in hardware.
Sent from my Pixel 3 XL using Tapatalk

rkau045

Just remove the power for a couple of seconds, then reconnect.

Sent from my Pixel 3 XL using Tapatalk

rkau045

Cycling timeouts like this are usually caused by STP blocking and reenabling forwarding on a port in my experience.

Sent from my Pixel 3 XL using Tapatalk

rkau045

The Juniper should be set up as a policy-based VPN, it seems that they have it set up as route-based, and only partially at that, if the cited config is complete. I do not believe that it is possible to use IPSec in a route-based configuration unless both endpoints are Juniper devices. Proxy ID shou...

rkau045

I should have looked at the diagram before posting. You are correct. Sorry.

Sent from my LG-H910 using Tapatalk

rkau045

Removed

rkau045

@becs On VLAN Example #2 (Trunk and Hybrid Ports) there is a port mismatch /interface bridge vlan add bridge=bridge1 tagged=ether2,ether7,ether8 untagged= ether3 vlan-ids=200 add bridge=bridge1 tagged=ether2,ether6,ether8 untagged= ether4 vlan-ids=300 add bridge=bridge1 tagged=ether2,ether7,ether8 ...

rkau045

You may want to change the action to dst-nat in that rule. Also, I would limit it to only the protocols and ports that have services listening on them (tcp/80,443 on a web server, etc.)

Sent from my LG-D850 using Tapatalk

rkau045

If you have rules for Established, Related before these rules, the remaining packets are probably accepted there. These rules would only match the first packets in the connection.

Sent from my LG-D850 using Tapatalk

rkau045

Those rules are still AND gated. Traffic will only pass to port 3799 from either 1812 or 1813. All other packets will be dropped. The rules here are functionally the same as what was suggested in post #3, but in 3 lines rather than 2.

Sent from my LG-D850 using Tapatalk

rkau045

Put the accept rule before the drop rule. Firewall rules are processed in order top to bottom.

Sent from my LG-D850 using Tapatalk

rkau045

No change to your tx power will ever affect the signal you receive from the client device, unless the client is adaptive, in which case increasing your tx will get you a lower rx.

Sent from my LG-D850 using Tapatalk

rkau045

I can say that if anyone other than one of our qualified technicians tampered with our fiber cables they would soon receive a large invoice for our replacement costs. Call the owning utility...

Sent from my LG-D850 using Tapatalk

rkau045

Check your speed and duplex.

Sent from my LG-D850 using Tapatalk

rkau045

The behavior you describe sounds like STP disabling an interface on your bridge. Check for loops.

Sent from my LG-D850 using Tapatalk

rkau045

You need a dst-address in that rule. It should be the ip for WAN.

rkau045

http://www.macvendorlookup..com is one source.

rkau045

CompanyRouterboard.com AddressMikrotikls SIA Pernavas 46 Riga LV1009 LATVIA Range 4C:5E:0C:00:00:00 - 4C:5E:0C:FF:FF:FF TypeIEEE MA-L CompanyRouterboard.com AddressMikrotikls SIA Pernavas 46 Riga LV-1009 LATVIA Range D4:CA:6D:00:00:00 - D4:CA:6D:FF:FF:FF TypeIEEE MA-L CompanyRouterboard.com AddressM...

rkau045

My first thought is that UAC is preventing the scan from finding any hosts. Try running The Dude as Administrator by right clicking, or create a shortcut and set Run As Administrator in the properties. The other option would be to disable UAC for the computer in the Windows Control Panel. Sent from ...

rkau045

I would change the ICMP rule to only allow echo request/reply. ICMP has other functions, and can be a vector for intrusions.

Sent from my LG-D850 using Tapatalk

rkau045

I fail to see the problem here. The rules are processed in order from top to bottom.

Sent from my LG-D800 using Tapatalk

rkau045

This behavior typically indicates an issue with your cabling. I would recommend replacing the cables on the affected ports.

Sent from my LG-D800 using Tapatalk

rkau045

I block forward as well on the external interface as it allows me to dst-nat port 53 for internal access without having opened that server to traffic from the outside. Your assertion that it will block requests from the he internal network is not correct. Replies are accepted with standard rules for...

rkau045

Add rules to drop TCP and UDP port 53 on the external interface. Put them in both the input and forward chains.
Edited to add:
The parameter you want is
in-interface="ether1"
If ether1 is your external interface.

Sent from my LG-D800 using Tapatalk

rkau045

Unless I am mistaken, your first rule will add all addresses that make DNS requests on ether1_WAN. There doesn't seen to be any metering. Therefore, it would be simpler to just drop all requests on port 53. Either way, you have completely removed your ability to host DNS services behind your firewal...

rkau045

If the destination address after NAT is not the router address it is processed in the FORWARD chain.

Otherwise it would be processed in the INPUT chain.

Sent from my LG-D800 using Tapatalk

rkau045

All you need to do to test this yourself is to connect a PC to the uplink port on your MikroTik device, set it's gateway to be the IP address on the uplink port, and send a packet to any address that is not the router. Capture the forward logs, and your will see the packet route out. So, yes, that i...

rkau045

The fallacy in your post is that the packet is only checked in the input chain IF the dst-nat does NOT change the destination to an address that is different from the router IP. If dst-nat does change the destination IP then the packet never touches the INPUT chain. Edited to add: No DST-NAT = INPUT...

rkau045

Sorry to double post, but I got a free minute. This is a dropped packet on the input of my WAN for a non forwarded port: firewall,info input: in:ether12-gateway out:(none), src-mac 00:1c:f6:xx:xx:xx, proto TCP (SYN), 208.64.x.x:46070-75.127.x.x:10259, len 60 And here is a DST-NAT'ed: firewall,info f...

rkau045

The packet will only flow into the input chain if the destination address is the router address. For other addresses behind the router, the flow is in to the forward chain. So of you source-route a packet to the WAN interface with a destination that is not the router IP it will be forwarded not inpu...

rkau045

No, I accept established and related connections only and drop invalid. There is no matcher for SYN packets in these rules. therefore they follow the default policy of ACCEPT. This is how a new connection is established. IMHO this packet is dropped by rule: /ip firewall filter add action=drop chain...

rkau045

Now I understand why you do not require any additional rules: you are ACCEPTING ALL TRAFFIC transiting your router via the default ACCEPT policy of the router, i.e. you have no firewall for forwarded traffic. Any packet sent to your router with any destination address that is not the router address ...

rkau045

I should add:
For established and related connections, UPnP is never necessary. That is the reason for UPnP to exist at all.

Sent from my LG-D800 using Tapatalk

rkau045

@ditonet Established and related traffic from WAN is allowed in my configs. The problem is that I have devices that should accept New connections on the ports set up by UPnP, but standard firewall rules will drop that traffic without the accept rule added for the local subnet. This is the issue I ha...

rkau045

I also noticed this. My solution was to add a filter rule to allow all connections to my local subnet. Not a good solution, and I agree that UPnP should add a dynamic allow rule to the filter for the dst-nat'ed port.

Sent from my LG-D800 using Tapatalk

rkau045

1. Yes
2. Yes, just create a rule with the same matchers and action=log before the rule you want to log.

Sent from my LG-D800 using Tapatalk

rkau045

My guess is that you are configuring a pptp client and want the connect-to parameter. Perhaps the wiki at http://wiki.mikrotik.com/wiki/Manual:Interface/PPTP would be of help. If this is not the case, might I suggest a more detailed description of your application and problem? Sent from my LG-D800 u...

rkau045

As efaden stated in post 3, the traffic between computer A and computer B never even gets to the MikroTik router, so it has no control in your current configuration.

My name is _______ and I approve this message.

rkau045

You may want to rewrite your dst-nat rules. /ip firewall nat add action=dst-nat chain=dstnat dst-address=199.0.0.1/30 protocol=tcp dst-port=25 to-address=192.168.11.254 I think NAT works better when you specify the original destination address rather than the interface. Also, you can leave out the t...

rkau045

You probably should add another identical to the above rule with proto=tcp as well since many implementations will respond to either protocol.

rkau045

Is your firewall filtering the icmp requests?

Sent from my XT912 using Tapatalk 2

rkau045

The letters in the circles are jumps. So, for example, the output from mpls chart at H goes back into the main loop at H.

Sent from my XT912 using Tapatalk 2

rkau045

The link in post #2 has your answer.

Typed on my phone by 1000 monkeys.

Search found 45 matches