Hey! Sure, I'm interested.
I'd be grateful to get to know the end of this story.
You never know when it will show up again until fully understood and fixed.
Thanks.
Although this is not what I am trying to do, it sounds interesting to use a scripting tool on a workstation and do the editing before pushing the commit button. Thank you for the idea. The truth is that I realized that our firewall rules were sometimes too harsh in blacklisting IPs. This is why I use...
Ideally it would be much easier if we had a chance to select "static" or "dynamic" whenever an IP is added to a list by a filter rule. But this is a feature request and has nothing to do with the forum.
I will try the directions you gave me. Thank you.
Thank you for the hint. I did not think of dest-nat rules... but now it does not seem very obvious, for at least 2 reasons: 1. My local server (within the LAN) knows only about 1 SMTP relay (on the net); that means I will have to redirect any requests to the outside-world SMTP IP to another one in case o...
Thank you Janisk for the answer, I'll go ahead then and add these rules to our MKs.
I will even search for other "firewall good practices", if anyone has a resource to point at.
Hello, is it meaningful to block access from the internet to RFC1819-type addresses once masquerading is used? Could a LAN be hacked anyway by packets spoofing internal addresses such as (as a reminder, these are RFC1819 internal-type addresses): 10.0.0.0/8 172.16.0.0/12 192.168...
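The ranges listed in the post above (10/8, 172.16/12, 192.168/16) are the RFC 1918 private ranges. Masquerade (src-nat) only rewrites packets leaving the router; it does nothing to a packet that arrives on the WAN interface with a forged private source address, so a filter rule is still the place to stop those. The rules below are an added example, not the poster's own configuration or MikroTik documentation. They assume the WAN interface is named pppoe-isp1 and the list name rfc1918; the generic `/ip firewall` syntax is used, so check it against your RouterOS version (the thread runs 2.9).

```routeros
# Added example, not from the original thread. Assumed: the ISP link is the
# interface named pppoe-isp1 (see /interface print) and only RFC 1918 space
# is used on the LAN side.
/ip firewall address-list
add list=rfc1918 address=10.0.0.0/8 comment="RFC 1918 private space"
add list=rfc1918 address=172.16.0.0/12 comment="RFC 1918 private space"
add list=rfc1918 address=192.168.0.0/16 comment="RFC 1918 private space"

/ip firewall filter
# Spoofed packets: a private source address can never legitimately arrive
# from the ISP. Drop them before any accept rule, both for traffic aimed at
# the router itself (input) and for anything it would forward.
add chain=input in-interface=pppoe-isp1 src-address-list=rfc1918 action=drop comment="spoofed RFC1918 source on WAN"
add chain=forward in-interface=pppoe-isp1 src-address-list=rfc1918 action=drop comment="spoofed RFC1918 source on WAN"
# Leaks: a LAN host talking to a private range that is not local would
# otherwise be masqueraded out to the ISP. Drop instead of NAT-ing it.
add chain=forward out-interface=pppoe-isp1 dst-address-list=rfc1918 action=drop comment="private destination leaving via WAN"
```

Place these rules above any `accept` rule in the same chain, since RouterOS evaluates filter rules top to bottom and stops at the first terminating action. If the WAN side also carries other non-routable space (loopback, link-local), the same list can be extended with those prefixes.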
Greetings to all... I am willing to use MK to allow our internal (within the LAN) mail server to relay through external SMTP servers with a failover feature. I mean if relay1 doesn't respond (to a port 25 test) then a static route would select relay2. Could this be achieved with some scripting o...
Normis, I do already use policy routing for load balancing. But it is not straightforward and needs to be built with a complex set of rules. I suggest that you take a look at Pen, which is a tiny-footprint piece of *nix software. I would hope for a balancing module that would use a Pen-type algorithm that ...
I hope this is a smart suggestion. I believe that integrating some tiny smart load balancer would make it easy for lots of us when managing multiple resources within a LAN. What do you think of Pen:
Sorry to post this twice. I had mistakenly posted it as a new thread... Here is where it belongs, just in case some others may be facing the same issue. From experiment to experiment I ended up using a 2-line script that does it all. Netwatch will run this script in the event of a tunnel failure: ...
Just to let you know where my experiments led me: the IPsec tunnels seem to be stable, or at least to reconnect themselves, since the generic timeout was set to 10 seconds instead of the default value (10 minutes?) in the connection tracking. This setting seems to delete Unreplied connections afte...
I haven't had either a disconnection of the tunnel or an Unreplied one for 3 days, still in manual mode. Might the problem be fixed? I'll let you know.
Good day, I tried manual SAs for one night and found the infamous Unreplied connection in the connection list display the next day. Deleting it manually led to a correct reconnection. Thus my thread title: is there a way to time out UNREPLIED connections? I tried all kinds of settings in the trackin...
Thank you guys for the feedback. Although I am in the same mood as Sam, since I have been facing the same trouble for 3 months, I want to give a last chance to IPsec, at least on MT. Fatonk, I am not sure where I can change the setting from IKE to manual. I've been searching (in winbox) all the menus, wi...
Hi Sam, I think they are related. To solve the problem I have already covered one step with a 1-line script that flushes the SAs if the remote network doesn't respond. But it wasn't enough, as I have noticed that from time to time the IPsec connection is Unanswered for some reason, until it is dele...
Greetings to all, I am facing IPsec tunnel connections that sometimes show up as UNREPLIED in the connection list and sit there unreplied until the connection is manually deleted. I tried several tracking settings hoping that Unreplied connections would just time out, but I failed. The timeout counter...
Hi, as many are aware, IPsec tunnels suffer from the need to manually flush installed SAs now and then. I tried to use Netwatch to start a one-line script to do the flush. Unfortunately Netwatch doesn't ping from a preferred source address, making it unusable to test a remote tunnel address. Di...
Thank you Andrew for your response.
You were almost right. The filter rules were sitting on 2 pppoe interfaces that went down at a certain moment but were up again at the time I noticed the rules were invalid. I had to reset them manually as I have explained.
Does anyone know why some firewall filter rules suddenly show as invalid (red lines in winbox)? The only way to reset them to normal color is to disable and re-enable them.
BTW do red lines mean really invalid ?
I really did have this problem with dynamic IPs not flushing out. It prevents downed DSL links from reconnecting themselves.
Isn't this an interesting issue?
By the way, 80000 p/s means that you have a huge bandwidth at your disposal. What kind of link is it? Maybe a routerboard is not suited. And maybe the 80000 p/s are not all DDoS traffic?
You may also use address lists and tarpit. I do use them intensively and I am fairly happy with the ever-growing blacklist from various attackers.
In other words, you can add source addresses to a blacklist whenever there is an attack and use the blacklist to tarpit attackers.
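One concrete shape for the "address list plus tarpit" approach the post describes, written as an added example (it is not the poster's rule set). It assumes SSH on tcp/22 is the probed service, the list name blacklist, and arbitrary stage timeouts; the staged `add-src-to-address-list` ladder is the usual RouterOS brute-force pattern, and `action=tarpit` answers the SYN and then holds the connection open so the attacker's connection slots are spent instead of the router's service.

```routeros
# Added example, not the poster's own rules. Assumed: SSH on tcp/22 is what
# gets probed; list names and timeouts are placeholders to tune.
/ip firewall filter
# Sources already on the blacklist: tarpit their TCP (the handshake completes,
# the connection then stalls) and silently drop everything else from them.
add chain=input protocol=tcp src-address-list=blacklist action=tarpit comment="tarpit blacklisted sources"
add chain=input src-address-list=blacklist action=drop comment="drop non-TCP from blacklist"
# Staged counting of NEW ssh connections. add-src-to-address-list does not
# terminate, so a source walks stage1 -> stage2 -> stage3 -> blacklist with
# four attempts inside the one-minute windows.
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=blacklist address-list-timeout=1d comment="4th attempt: blacklist for a day"
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
# Whatever is left is a source that has not tripped the ladder yet.
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept comment="ssh from not-yet-listed sources"
```

Two caveats a practitioner will want: tarpitted connections still occupy connection-tracking entries on the router, so on a small routerboard under a real flood a plain `drop` may be the cheaper choice; and entries added with `address-list-timeout` are dynamic, so (as another post in this list observes for 2.9) expect the list to rebuild itself after a reboot rather than persist. Put your own management address on an exempt list above the ladder before enabling it.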
Greetings MT..ers, I am using 2.9.30 on a routerboard. For the last 2 days I had the same error in the logs: "could not add address. Already have such address." while my 2 DSL (pppoe) connections were down and unable to reconnect by themselves... When I looked at the logs to see that the dynamically all...
Thanks Sam for your experience. I do have static public IPs on both sides. Also I had to do the flush - thanks to your other posts!! - from time to time to allow the peer to reconnect. I will follow your advice and give L2TP a try, but you didn't mention REDUNDANCY, which is more the topic of my po...
Greetings. I was wondering if anyone had experience interconnecting 2 small offices with dual VPN tunnels. Both offices operate a simple LAN with a few workstations/servers and 2 DSL links with fixed public IPs. My tries with IPsec have not been successful so far. Either I am on a peer-pair or on t...
I may have missed something. But before I start useless work, my understanding was that: - one could build EoIP over IPsec tunnels; - EoIP was an Ethernet-like interface, thus bondable; - then if I have 2 offices with 2 ISPs each I could bond the EoIP tunnels for redundancy's and bandwidth's sake. Sorry I ...
Thanks and gratitude to Eugene and Sam for their help and directions. I got it working. I had previously tried the connection/route marks and routes based on the routing marks, but I was using the "prerouting" chain only because I (I must confess) wasn't really aware of the differences...
My apologies, but this is a poor workaround, since I have to create an entry in the routing table for every single destination address, which severely limits the router's accessibility. The purpose of a dual link is more a problem of availability than bandwidth, as you can imagine. It becomes useles...
Eugene wrote: "Router does not have "preferences". If it does not have a specific route to the destination, it _will_ respond through the default gateway." I do not really see why. I believe things would work better in many situations if any LOCAL services were responding from the relevant...
Eugene, do you mean there is no way to access router services from different public IPs?
Also, IPsec (and maybe other L2TP, PPTP) tunnels wouldn't work if there is more than one peer, AND/OR if you use 2 or more different WAN links for tunnels?
If I may add my feeling: - I do not understand why a router would answer requests addressed to one of its WAN links from another link. In other words, routes designed to draw paths from the LAN to the outside world shouldn't apply to services that are listening on the WAN side. Isn't this an obvious bug...
Here they are:
> /ip route print detail
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, B - blackhole, U - unreachable, P - prohibit
0 A S dst-address=0.0.0.0/0 gateway=193.253.160.3 interface=pppoe-isp2 gateway-state=reachable distance=0 scope=255...
Eugene, thank you for your response. What I am trying to do is connect from the internet to the router services (ssh, ftp etc...) on BOTH isp1 and isp2 public addresses. Until now I can only connect to the address that is related to the main route (in BOLD italic). Public addresses: 6 D 195.154.30....
Hello everyone, greetings. I've been on this one for a couple of weeks although the problem seems fairly simple. It is again related to multiple gateways. I am running a routerboard with 2.9.30, 2 DSL links and fixed IPs. There is some routing with marks for incoming traffic to be responded to through t...
Hi guys, I know the following code is wrong, but is there a way to AND 2 or more :if sentences in order to take an action such as route setting? Here is the wrong code: :if ([/tool netwatch get R1 status]=up) && :if ([/tool netwatch get R2 status]=up) /ip route set [/ip route find comment=fa...
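In RouterOS scripting the two tests go inside a single `:if`, joined with `&&` (logical AND; `||` is OR and `!` is NOT), rather than two `:if` statements side by side. The script below is an added example, not the poster's code, and also covers the earlier relay-failover post in this list: it assumes two netwatch entries exist for the hosts 198.51.100.1 and 203.0.113.1 (placeholders) and that the route to switch carries comment="failover".

```routeros
# Added example, not the poster's script. Assumed: /tool netwatch has one
# entry per monitored host (198.51.100.1 and 203.0.113.1 are placeholders)
# and the backup route is the one with comment="failover".
:local r1 [/tool netwatch get [/tool netwatch find host=198.51.100.1] status]
:local r2 [/tool netwatch get [/tool netwatch find host=203.0.113.1] status]

# Both conditions live in ONE :if; each comparison is parenthesised and
# the two are joined with && (logical AND).
:if (($r1 = "up") && ($r2 = "up")) do={
    # both monitored hosts answer: keep the backup route out of the table
    /ip route set [/ip route find comment="failover"] disabled=yes
    :log info "failover check: both hosts up, backup route disabled"
} else={
    # at least one host is down: bring the backup route into play
    /ip route set [/ip route find comment="failover"] disabled=no
    :log warning "failover check: a monitored host is down, backup route enabled"
}
```

Save it under /system script and call it from both the up-script and the down-script of each netwatch entry, so the route is re-evaluated whenever either host changes state; netwatch entries are looked up by host because they carry no name. If only one of the two hosts needs to be up for the primary path to be usable, replace `&&` with `||`.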
Finally I did solve the problem with the help of all. The precious link Jörgen pointed me to was so helpful that I saved its content on my local PC. Finally the solution was simple and involved only: - connection marks - routing marks - and routing based on routing marks. The difficulty I had wa...
Sorry guys, I've been away for a week and could not follow up. I tried the mangle rules but it doesn't seem to be working, for... a good reason: mangle marks, at least according to the documentation, do not exist anymore once they leave the router. Thus the server that responds to a request creates a...
Sorry guys for the unreadable title. And many thanks also for redirecting me to this huge great thread. It looks like a good direction and I am going to give the 2 examples a close look, although I believe incoming traffic from the ISP links' side should always be responded to across the initiating link and...
I have been searching the forums, the wiki and the documentation, and noticed that this issue was raised many times but never really solved. When using multiple gateways with some kind of (multiple ISPs) load balancing (thanks to the wiki there are 3 good examples to choose from), a big problem r...
Thank you for your response. However I guess address lists could still be dynamic and retained in a file (perhaps as an option in case of low space). Well, you are certainly right: the lists rebuild by themselves as soon as the same cause appears. Keep up with this great product, and congratulations f...
I realized that (using 2.9.27 on a routerboard) dynamic address lists (added with firewall rules) - e.g. blacklist - are not retained upon a reboot. Is this a feature, a bug? Is there any hidden way to retain these addresses at least until they expire?
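The three ingredients named in the post above (connection marks, routing marks, routes keyed on routing marks), written out as an added example rather than the poster's own final rules. The point that trips people up, and which the later posts in this list circle around, is that a mark is stored in the router's connection-tracking entry, not in the packet, so a LAN server never sees it; the router re-applies it to the reply when that reply comes back through the router. The example assumes the interface names pppoe-isp1, pppoe-isp2 and ether-lan, placeholder gateway addresses 198.51.100.1 and 203.0.113.1, and a dst-nat'ed LAN server; the router's own services (ssh, ftp, winbox) need the output-chain rules, a LAN server behind dst-nat needs the prerouting ones.

```routeros
# Added example, not the poster's rule set. Assumed names: WAN interfaces
# pppoe-isp1 / pppoe-isp2 with gateways 198.51.100.1 / 203.0.113.1
# (placeholders), LAN interface ether-lan.
/ip firewall mangle
# 1. Remember which link a connection CAME IN on. prerouting sees every
#    packet arriving from the WAN, whether it is for the router itself or
#    for a dst-nat'ed LAN server, so one pair of rules covers both cases.
add chain=prerouting in-interface=pppoe-isp1 connection-state=new action=mark-connection new-connection-mark=from-isp1 passthrough=yes
add chain=prerouting in-interface=pppoe-isp2 connection-state=new action=mark-connection new-connection-mark=from-isp2 passthrough=yes
# 2a. Replies generated by the router itself (ssh, ftp, winbox ...) pass
#     through the output chain: turn the connection mark into a routing mark.
add chain=output connection-mark=from-isp1 action=mark-routing new-routing-mark=via-isp1
add chain=output connection-mark=from-isp2 action=mark-routing new-routing-mark=via-isp2
# 2b. Replies from a LAN server re-enter the router on the LAN interface and
#     pass through prerouting, never output, so they need their own rules.
#     LAN-initiated connections carry no mark and are left alone.
add chain=prerouting in-interface=ether-lan connection-mark=from-isp1 action=mark-routing new-routing-mark=via-isp1
add chain=prerouting in-interface=ether-lan connection-mark=from-isp2 action=mark-routing new-routing-mark=via-isp2

# 3. One default route per routing mark; marked traffic is looked up in the
#    marked table first and so leaves through the link it arrived on.
/ip route
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via-isp1 comment="replies to isp1"
add dst-address=0.0.0.0/0 gateway=203.0.113.1 routing-mark=via-isp2 comment="replies to isp2"
# Ordinary default route for everything the LAN initiates.
add dst-address=0.0.0.0/0 gateway=203.0.113.1 comment="main default route"
```

Verify it with `/ip firewall connection print` (the connection-mark column) while an SSH session is open to the isp1 address, and with `/ip route print` to confirm both marked routes are active; if a marked route is inactive because its pppoe link is down, replies for that mark fall back to the main table and will leave via the wrong link, which is the symptom the thread describes.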
Thanks