Community discussions

Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Proxy: want enable access from external IPs, cache internal

Tue Jul 19, 2011 3:57 am

So I've successfully set up a MT proxy server, allowing my wireless clients to cache and disabling a local LAN network (hotel with separate agreement).

The point I'm at now: if I try to enter ROS 5.4 from an external IP (non-local IP), then I'm blocked via the proxy.

Does anyone know how to exempt external IPs from the proxy so they can enter the RB? Or a way to allow access from external IPs (non-local) to the RB, but not cache?

Any links/tips/clues/pointers will be appreciated...

Cheers!!
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 4:07 am

Adjust your NAT rules to not match those packets. That's a wild guess because you're not giving much detail.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 1:38 pm

I set up the transparent proxy with microSD just like the examples in the Wiki and in the forums, changing the proxy port to 8989,

so I set up the transparent proxy NAT rule:

--> chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8989

I'm a newb, so what do I change/add/delete?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 4:26 pm

Either add a src-address=1.1.1.1/24 (substituting your LAN network), or in-interface=LAN. That way only connections initiated from LAN to WAN qualify for the destination NAT rule.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 5:36 pm

Still no go...

To enter from a non-local IP I tried these steps until I had Winbox access:

1) [transparent proxy NAT (with your recommended src LAN entered) = off & proxy = not enabled] --> I am still getting a connection refused message
2) [turned off IP --> Web Proxy --> Access --> all sub-entries] --> I can SSH in, but not Winbox in
3) [turned off IP --> Web Proxy --> Cache --> all sub-entries] --> can enter with Winbox now
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 5:59 pm

I'm confused now. What are you trying to do?
Also post your firewall configuration (NAT, mangle, and filter) as well as your proxy settings.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:26 pm

Goal: to have the proxy cache running to improve my network users' experience, and, when traveling abroad, to have the ability to tech support, monitor, and help clients.

Problem: I'm from the US. The hotspot is in Angola, Africa. I'm about 2 months/2 months in each place, cycling. I'm alone in this effort, a one-man show. So when I'm not locally at the hotspot location (traveling/US/etc.), I'd still like to be able to offer tech support/monitor/help clients/etc.

The proxy cache is up and running, BUT my US tech can't enter the RB when I have it running. The aforementioned was the setup and the steps I followed, disabling one by one until he could enter the RB.

Will post prints now... Thanks!!
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:39 pm

So, please be kind to the newb... I'm trying to do: ip firewall nat print

and it'll list some items, but not all, giving me an option at the end: Q-quit; d/Dump down

I choose dump down but it just gives me the same few entries... for example I have 19 rules under NAT, but here's the print:

[randy@Angola Hotspot Router] > ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 X ;;; place hotspot rules here
chain=unused-hs-chain action=passthrough

1 ;;; Masquerade Everything
chain=srcnat action=masquerade out-interface=ether1

2 ;;; Transparent Proxy Cache
chain=dstnat action=redirect to-ports=8989 protocol=tcp
src-address=192.167.18.0/24 dst-port=80


The #2 is actually #19...
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:41 pm

[randy@Angola Hotspot Router] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; DSCP - 7 - Skype, HTTPS
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp dst-port=443

1 ;;; Priority - 7 - Skype, HTTPS
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp dst-port=443

2 ;;; Priority - 7 - VOIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=udp port=1167,1719,1720,8010

3 ;;; Priority - 7 - VOIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp port=1719,1720,8008,8009

4 ;;; Priority - 7 - Ventrilo VOIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp port=3784

5 ;;; Priority - 7 - Ventrilo VOIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=udp port=3784,3785

6 ;;; Priority - 7 - Windows Live Messenger Voice
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp port=6901

7 ;;; Priority - 7 - Windows Live Messenger Voice
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=udp port=6901

8 ;;; Priority - 7 - SIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=tcp port=5060

9 ;;; Priority - 7 - SIP
chain=prerouting action=set-priority new-priority=7
passthrough=yes protocol=udp port=5060

10 ;;; Priority - 6 - SSH
chain=prerouting action=set-priority new-priority=6
passthrough=yes protocol=tcp port=22

11 ;;; Priority - 6 - Telnet
chain=prerouting action=set-priority new-priority=6
passthrough=yes protocol=tcp port=23

-- [Q quit|D dump|down]
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:42 pm

/interface print detail
/ip address print detail
/ip route print detail
/ip firewall export
/ip proxy export
Run those commands and paste their output back here, wrapping the output in [code] tags to keep things readable. Light blue on light blue is very hard to read.


If you get any "Q-quit D-dump down" prompts just push the space bar until you get the command prompt back.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:44 pm

ok, thanks for your patience. I'll give it a try. I see the "Code" tab now in options, 1 sec...
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:49 pm

[randy@Angola Hotspot Router] >  /interface print detail
Flags: D - dynamic, X - disabled, R - running, S - slave 
 0  X  name="ether12" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9116 

 1  X  name="ether13" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9116 

 2  X  name="ether11" type="ether" mtu=1500 l2mtu=1600 max-l2mtu=9116 

 3  R  ;;; Hotspot (Slave)
       name="ether6" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 4  R  ;;; Hotspot (Slave)
       name="ether7" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 5     ;;; Hotspot (Slave)
       name="ether8" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 6     ;;; Hotspot (Slave)
       name="ether9" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 7  R  ;;; Hotspot (Primary)
       name="ether10" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 8  R  ;;; Internet Connection
       name="ether1" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

 9  R  ;;; Hotel Internal Network
       name="ether2" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

10     ;;; Hotel Internal (Misc.)
       name="ether3" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

11  X  name="ether4" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

12  X  name="ether5" type="ether" mtu=1500 l2mtu=1598 max-l2mtu=9498 

13     name="rick" type="pptp-in" 
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:50 pm

where 1.1.1.10 is my public IP for RB
1.1.1.8 is internet origin IP (from my VSAT ISP)
[randy@Angola Hotspot Router] > /ip address print detail
Flags: X - disabled, I - invalid, D - dynamic 
 0   address=192.168.10.100/24 network=192.168.10.0 interface=ether2 actual-interface=ether2 

 1   address=1.1.1.10/29 network=1.1.1.8 interface=ether1 actual-interface=ether1 

 2   address=192.167.18.1/24 network=192.167.18.0 interface=ether10 actual-interface=ether10 

 3   address=192.167.19.1/24 network=192.167.19.0 interface=ether10 actual-interface=ether10 

 4   address=192.167.20.1/24 network=192.167.20.0 interface=ether10 actual-interface=ether10 
Last edited by Mashimoto on Tue Jul 19, 2011 7:56 pm, edited 2 times in total.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:50 pm

1.1.1.8 = internet origin IP
1.1.1.9 = modem IP
1.1.1.10 = RB IP
[randy@Angola Hotspot Router] > /ip route print detail  
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 0 A S  dst-address=0.0.0.0/0 gateway=1.1.1.9 gateway-status=1.1.1.9 reachable ether1 distance=1 scope=30 target-scope=10 

 1 ADC  dst-address=1.1.1.8/29 pref-src=1.1.1.10 gateway=ether1 gateway-status=ether1 reachable distance=0 scope=10 

 2 ADC  dst-address=192.167.18.0/24 pref-src=192.167.18.1 gateway=ether10 gateway-status=ether10 reachable distance=0 scope=10 

 3 ADC  dst-address=192.167.19.0/24 pref-src=192.167.19.1 gateway=ether10 gateway-status=ether10 reachable distance=0 scope=10 

 4 ADC  dst-address=192.167.20.0/24 pref-src=192.167.20.1 gateway=ether10 gateway-status=ether10 reachable distance=0 scope=10 

 5 ADC  dst-address=192.168.10.0/24 pref-src=192.168.10.100 gateway=ether2 gateway-status=ether2 reachable distance=0 scope=10 
Last edited by Mashimoto on Tue Jul 19, 2011 7:54 pm, edited 1 time in total.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:52 pm

[randy@Angola Hotspot Router] > /ip firewall export
# jul/19/2011 16:51:19 by RouterOS 5.4
# software id = P42A-955A
#
/ip firewall address-list
add address=192.168.10.0/27 disabled=no list="Hotel Staff"
add address=1.0.0.0/8 disabled=no list=Bogons
add address=2.0.0.0/8 disabled=no list=Bogons
add address=5.0.0.0/8 disabled=no list=Bogons
add address=7.0.0.0/8 disabled=no list=Bogons
add address=10.0.0.0/8 disabled=no list=Bogons
add address=23.0.0.0/8 disabled=no list=Bogons
add address=27.0.0.0/8 disabled=no list=Bogons
add address=31.0.0.0/8 disabled=no list=Bogons
add address=36.0.0.0/8 disabled=no list=Bogons
add address=37.0.0.0/8 disabled=no list=Bogons
add address=39.0.0.0/8 disabled=no list=Bogons
add address=42.0.0.0/8 disabled=no list=Bogons
add address=49.0.0.0/8 disabled=no list=Bogons
add address=50.0.0.0/8 disabled=no list=Bogons
add address=77.0.0.0/8 disabled=no list=Bogons
add address=78.0.0.0/8 disabled=no list=Bogons
add address=79.0.0.0/8 disabled=no list=Bogons
add address=92.0.0.0/8 disabled=no list=Bogons
add address=93.0.0.0/8 disabled=no list=Bogons
add address=94.0.0.0/8 disabled=no list=Bogons
add address=95.0.0.0/8 disabled=no list=Bogons
add address=96.0.0.0/8 disabled=no list=Bogons
add address=97.0.0.0/8 disabled=no list=Bogons
add address=98.0.0.0/8 disabled=no list=Bogons
add address=99.0.0.0/8 disabled=no list=Bogons
add address=100.0.0.0/8 disabled=no list=Bogons
add address=101.0.0.0/8 disabled=no list=Bogons
add address=102.0.0.0/8 disabled=no list=Bogons
add address=103.0.0.0/8 disabled=no list=Bogons
add address=104.0.0.0/8 disabled=no list=Bogons
add address=105.0.0.0/8 disabled=no list=Bogons
add address=106.0.0.0/8 disabled=no list=Bogons
add address=107.0.0.0/8 disabled=no list=Bogons
add address=108.0.0.0/8 disabled=no list=Bogons
add address=109.0.0.0/8 disabled=no list=Bogons
add address=110.0.0.0/8 disabled=no list=Bogons
add address=111.0.0.0/8 disabled=no list=Bogons
add address=112.0.0.0/8 disabled=no list=Bogons
add address=113.0.0.0/8 disabled=no list=Bogons
add address=114.0.0.0/8 disabled=no list=Bogons
add address=115.0.0.0/8 disabled=no list=Bogons
add address=116.0.0.0/8 disabled=no list=Bogons
add address=117.0.0.0/8 disabled=no list=Bogons
add address=118.0.0.0/8 disabled=no list=Bogons
add address=119.0.0.0/8 disabled=no list=Bogons
add address=120.0.0.0/8 disabled=no list=Bogons
add address=121.0.0.0/8 disabled=no list=Bogons
add address=122.0.0.0/8 disabled=no list=Bogons
add address=123.0.0.0/8 disabled=no list=Bogons
add address=169.254.0.0/16 disabled=no list=Bogons
add address=172.16.0.0/12 disabled=no list=Bogons
add address=174.0.0.0/8 disabled=no list=Bogons
add address=175.0.0.0/8 disabled=no list=Bogons
add address=176.0.0.0/8 disabled=no list=Bogons
add address=177.0.0.0/8 disabled=no list=Bogons
add address=178.0.0.0/8 disabled=no list=Bogons
add address=179.0.0.0/8 disabled=no list=Bogons
add address=180.0.0.0/8 disabled=no list=Bogons
add address=181.0.0.0/8 disabled=no list=Bogons
add address=182.0.0.0/8 disabled=no list=Bogons
add address=183.0.0.0/8 disabled=no list=Bogons
add address=184.0.0.0/8 disabled=no list=Bogons
add address=185.0.0.0/8 disabled=no list=Bogons
add address=186.0.0.0/8 disabled=no list=Bogons
add address=187.0.0.0/8 disabled=no list=Bogons
add address=192.0.2.0/24 disabled=no list=Bogons
add address=192.168.0.0/16 disabled=yes list=Bogons
add address=197.0.0.0/8 disabled=no list=Bogons
add address=198.18.0.0/15 disabled=no list=Bogons
add address=223.0.0.0/8 disabled=no list=Bogons
add address=192.168.10.20 disabled=no list=Black-List
add address=192.168.10.21 disabled=no list=Black-List
add address=192.168.10.22 disabled=no list=Black-List
add address=192.168.10.23 disabled=no list=Black-List
add address=192.168.10.24 disabled=no list=Black-List
add address=192.168.10.25 disabled=no list=Black-List
/ip firewall connection tracking
set enabled=yes generic-timeout=10m icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=1d \
    tcp-fin-wait-timeout=10s tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=yes \
    tcp-time-wait-timeout=10s udp-stream-timeout=3m udp-timeout=10s
/ip firewall filter
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.20
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.21
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.22
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.23
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.24
add action=drop chain=forward comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.25
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.20
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.21
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.22
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.23
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.24
add action=drop chain=input comment="Block internet: POS" disabled=no protocol=tcp src-address=192.168.10.25
add action=jump chain=input comment="Jump to Virus Chain" disabled=no jump-target=Virus
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=drop chain=input comment="Drop anyone in the Black-List" disabled=no src-address-list=Black-List
add action=drop chain=forward comment="Drop anyone in the Black-List" disabled=no src-address-list=Black-List
add action=drop chain=forward comment="Drop Bogons (Set LAN Interface)" disabled=no dst-address-type="" dst-limit=0,5,dst-address/1m40s \
    fragment=no in-interface=ether2 limit=0,5 psd=21,3s,3,1 src-address-list=Bogons src-address-type="" time=\
    0s-23h59m59s,sun,mon,tue,wed,thu,fri,sat
add action=add-src-to-address-list address-list=Black-List address-list-timeout=1d chain=input comment=\
    "Transfer repeated attempts from SSH Stage 3 to Black-List" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=\
    ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input comment=\
    "Add succesive attempts to SSH Stage 3" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment=\
    "Add succesive attempts to SSH Stage 2" connection-state=new disabled=no dst-port=22 protocol=tcp src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment=\
    "Add intial attempt to SSH Stage 1 List" connection-state=new disabled=no dst-port=22 protocol=tcp
add action=add-src-to-address-list address-list=Black-List address-list-timeout=1d chain=input comment=\
    "Transfer repeated attempts from Telnet Stage 3 to Black-List" connection-state=new disabled=no dst-port=23 protocol=tcp \
    src-address-list=telnet_stage3
add action=add-src-to-address-list address-list=telnet_stage3 address-list-timeout=1m chain=input comment=\
    "Add succesive attempts to Telnet Stage 3" connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage2
add action=add-src-to-address-list address-list=telnet_stage2 address-list-timeout=1m chain=input comment=\
    "Add succesive attempts to Telnet Stage 2" connection-state=new disabled=no dst-port=23 protocol=tcp src-address-list=telnet_stage1
add action=add-src-to-address-list address-list=telnet_stage1 address-list-timeout=1m chain=input comment=\
    "Add Intial attempt to Telnet Stage 1" connection-state=new disabled=no dst-port=23 protocol=tcp
add action=add-src-to-address-list address-list="Port Scanners" address-list-timeout=0s chain=forward comment=\
    "Add TCP Port Scanners to Address List" disabled=yes protocol=tcp psd=40,3s,2,1
add action=drop chain=input comment="Drop [Port Scanners]" disabled=yes src-address-list="Port Scanners"
add action=drop chain=forward comment="Drop [Port Scanners]" disabled=yes src-address-list="Port Scanners"
add action=drop chain=input comment="Drop Invalid Connections" connection-state=invalid disabled=no
add action=drop chain=forward comment="Drop Invalid Connections" connection-state=invalid disabled=no
add action=passthrough chain=forward disabled=no src-address=192.167.18.0/24
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
add action=drop chain=Virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
add action=drop chain=Virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
add action=drop chain=Virus comment=Conficker disabled=no dst-port=593 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=1024-1030 protocol=tcp
add action=drop chain=Virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
add action=drop chain=Virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
add action=drop chain=Virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
add action=drop chain=Virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
add action=drop chain=Virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom" disabled=no dst-port=3127-3128 protocol=tcp
add action=drop chain=Virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
add action=drop chain=Virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=tcp
add action=drop chain=Virus comment=Worm disabled=no dst-port=4444 protocol=udp
add action=drop chain=Virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
add action=drop chain=Virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
add action=drop chain=Virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
add action=drop chain=Virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
add action=drop chain=Virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
add action=drop chain=Virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
add action=drop chain=Virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
add action=drop chain=Virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
add action=drop chain=Virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
add action=drop chain=forward comment="Drop all P2P" disabled=yes p2p=all-p2p
add action=drop chain=forward comment="All 192.168.10.x addresses can not access any address starting with 192.167" disabled=no dst-address=\
    192.167.0.0/16 src-address=192.168.10.0/24
/ip firewall mangle
add action=set-priority chain=prerouting comment="DSCP - 7 - Skype, HTTPS" disabled=no dst-port=443 new-priority=7 passthrough=yes protocol=\
    tcp
add action=set-priority chain=prerouting comment="Priority - 7 - Skype, HTTPS" disabled=no dst-port=443 new-priority=7 passthrough=yes \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 7 - VOIP" disabled=no new-priority=7 passthrough=yes port=1167,1719,1720,8010 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 7 - VOIP" disabled=no new-priority=7 passthrough=yes port=1719,1720,8008,8009 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 7 - Ventrilo VOIP" disabled=no new-priority=7 passthrough=yes port=3784 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 7 - Ventrilo VOIP" disabled=no new-priority=7 passthrough=yes port=3784,3785 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 7 - Windows Live Messenger Voice" disabled=no new-priority=7 passthrough=yes \
    port=6901 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 7 - Windows Live Messenger Voice" disabled=no new-priority=7 passthrough=yes \
    port=6901 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 7 - SIP" disabled=no new-priority=7 passthrough=yes port=5060 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 7 - SIP" disabled=no new-priority=7 passthrough=yes port=5060 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 6 - SSH" disabled=no new-priority=6 passthrough=yes port=22 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 6 - Telnet" disabled=no new-priority=6 passthrough=yes port=23 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 6 - ICMP" disabled=no new-priority=6 passthrough=yes protocol=icmp
add action=set-priority chain=prerouting comment="Priority - 6 - TCP DNS Requests" disabled=no new-priority=6 passthrough=yes port=53 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 6 - UDP DNS & mDNS Requests" disabled=no new-priority=6 passthrough=yes port=\
    53,5353 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 6 - SSH" disabled=no new-priority=6 passthrough=yes port=22 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 6 - PPTP VPNs" disabled=no new-priority=6 passthrough=yes port=1723 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 6 - PPTP VPNs" disabled=no new-priority=6 passthrough=yes port=1723 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 5 - HTTP Requests" connection-bytes=0-5000000 disabled=no dst-port=80 \
    new-priority=5 passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 4 - Yahoo IM" disabled=no new-priority=4 passthrough=yes port=5050 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 4 - ICQ" disabled=no new-priority=4 passthrough=yes port=5190 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 4 - Time" disabled=no new-priority=4 passthrough=yes port=37 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 4 - Time" disabled=no new-priority=4 passthrough=yes port=37,123 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 4 - AOL, IRC" disabled=no new-priority=4 passthrough=yes port=\
    531,5190,6660-6669,6679,6697 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 4 - AOL, IRC" disabled=no new-priority=4 passthrough=yes port=531 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - File Sharing" disabled=no new-priority=0 p2p=all-p2p passthrough=yes
add action=set-priority chain=prerouting comment="Priority - 0 - SFTP" disabled=no dst-port=22 new-priority=0 packet-size=1400-1500 \
    passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - FTP" disabled=no dst-port=20,21 new-priority=0 packet-size=1400-1500 \
    passthrough=yes protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - HTTP Downloads" connection-bytes=5000000-0 disabled=no new-priority=0 \
    passthrough=yes port=80 protocol=tcp
add action=accept chain=prerouting comment="Priority - 0 - Mail Services" disabled=no port=110,995,143,993,25,57,109,465,587 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - SNMP" disabled=no new-priority=0 passthrough=yes port=161,162 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - SNMP" disabled=no new-priority=0 passthrough=yes port=162 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - IMAP, IMAPS" disabled=no new-priority=0 passthrough=yes port=220,993 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - IMAP" disabled=no new-priority=0 passthrough=yes port=220 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Doom FPS" disabled=no new-priority=0 passthrough=yes port=666 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - America's Army MMO" disabled=no new-priority=0 passthrough=yes port=1716 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Civilization MMO" disabled=no new-priority=0 passthrough=yes port=2056 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Halo: Combat Evolved MMO" disabled=no new-priority=0 passthrough=yes port=\
    2302 protocol=udp
add action=accept chain=prerouting comment="Priority - 0 - Dark Ages" disabled=no port=2610 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Xbox Live" disabled=no new-priority=0 passthrough=yes port=3074 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Xbox Live" disabled=no new-priority=0 passthrough=yes port=3074 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Blizzard Games Online" disabled=no new-priority=0 passthrough=yes port=\
    3723,6112 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Blizzard Games Online" disabled=no new-priority=0 passthrough=yes port=3723 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - WoW MMO" disabled=no new-priority=0 passthrough=yes port=3724 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - WoW MMO" disabled=no new-priority=0 passthrough=yes port=3724 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Club Penguin Disney Online" disabled=no new-priority=0 passthrough=yes port=\
    3724,6112,6113,9875 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Diablo II" disabled=no new-priority=0 passthrough=yes port=4000 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Diablo II" disabled=no new-priority=0 passthrough=yes port=4000 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Microsoft Ants MMO" disabled=no new-priority=0 passthrough=yes port=4001 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Google Desktop" disabled=no new-priority=0 passthrough=yes port=4664 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - BZFlag" disabled=no new-priority=0 passthrough=yes port=5154 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - BZFlag" disabled=no new-priority=0 passthrough=yes port=5154 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Freeciv MMO" disabled=no new-priority=0 passthrough=yes port=5556 protocol=\
    tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Freeciv MMO" disabled=no new-priority=0 passthrough=yes port=5556 protocol=\
    udp
add action=set-priority chain=prerouting comment="Priority - 0 - Windows Live Messenger File Transfer" disabled=no new-priority=4 \
    passthrough=yes port=6891-6900 protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Enemy Territory: Quake Wars" disabled=no new-priority=0 passthrough=yes \
    port=7133 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Teamspeak" disabled=no new-priority=0 passthrough=yes port=8767-8768 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Teamspeak" disabled=no new-priority=0 passthrough=yes port=9987 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Earthland Relams 2" disabled=no new-priority=0 passthrough=yes port=\
    8888-8889 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Sony Playstation" disabled=no new-priority=0 passthrough=yes port=9293 \
    protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Battlefield 1942 MMO" disabled=no new-priority=0 passthrough=yes port=14567 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Battlefield Vietnam" disabled=no new-priority=0 passthrough=yes port=15567 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Battlefield 2" disabled=no new-priority=0 passthrough=yes port=16567 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Quake" disabled=no new-priority=0 passthrough=yes port=26000 protocol=tcp
add action=set-priority chain=prerouting comment="Priority - 0 - Quake" disabled=no new-priority=0 passthrough=yes port=26000,27901,27960 \
    protocol=udp
add action=set-priority chain=prerouting comment="Priority - 0 - Call of Duty" disabled=no new-priority=0 passthrough=yes port=28960 \
    protocol=udp
add action=mark-connection chain=prerouting disabled=no new-connection-mark="Hotel Room-Conn" passthrough=yes src-address=\
    192.168.10.101-192.168.10.219
add action=mark-packet chain=prerouting connection-mark="Hotel Room-Conn" disabled=no new-packet-mark="Hotel Rooms" passthrough=no
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment="place hotspot rules here" disabled=yes
add action=masquerade chain=srcnat comment="Masquerade Everything" disabled=no out-interface=ether1
add action=redirect chain=dstnat comment="Transparent Proxy Cache" disabled=no dst-port=80 protocol=tcp src-address=192.167.18.0/24 to-ports=\
    8989
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=no ports=69
set irc disabled=no ports=6667
set h323 disabled=no
set sip disabled=no ports=5060,5061
set pptp disabled=no
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 6:52 pm

[randy@Angola Hotspot Router] > /ip proxy export
# jul/19/2011 16:52:35 by RouterOS 5.4
# software id = P42A-955A
#
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited \
    max-client-connections=1000 max-fresh-time=4w2d max-server-connections=1000 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8989 \
    serialize-connections=no src-address=0.0.0.0
/ip proxy access
add action=allow disabled=no dst-port=80 src-address=192.167.18.0/24
add action=allow disabled=no dst-port=80 src-address=192.167.19.0/24
add action=allow disabled=no dst-port=80 src-address=192.167.20.0/24
/ip proxy cache
add action=deny disabled=no src-address=192.168.10.0/24
add action=allow disabled=no src-address=192.167.18.0/24
add action=allow disabled=no src-address=192.167.19.0/24
add action=allow disabled=no src-address=192.167.20.0/24
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 7:00 pm

fyi, the Hotel Network (192.168.10.0/24) has a separate fixed bandwidth ONLY package for their internal LAN that they pay for. They pay for nothing else, meaning they don't pay for Proxy.

I have a separate network for my wireless clients, where I buy the bandwidth and I'm responsible for their user experience. That's why I setup the Proxy cache for the Wireless network only. If the hotel network wants to Proxy cache, they'll have to buy a separate Proxy Caching service, b/c on a 4gb microSD, it won't handle the hotel's 100+ clients and my 30+ wireless clients.

My wireless clients pay for performance, the hotel pays for its clients the bare minimum. Therefore the Proxy cache, on my dollar, is for the wireless subscribers only.

That make sense?
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 7:04 pm

There is nothing in that configuration that would prevent winbox from working. Nothing at all. Winbox runs on tcp/8291, which has nothing to do with the tcp/80 traffic you're proxying.

My best guess is that you got yourself on the black list by repeated SSH connections, and were dropped due to that. Figure out the IP space you're trying to winbox from and add this rule (it assumes your admin IP space you'd be coming from is 1.1.1.1/24, replace as required), and move it to the very top of the firewall rule set:
/ip firewall filter add chain=input src-address=1.1.1.1/24 action=accept
If you have multiple admin networks, make an address list instead.

That said, there are a few things kinda wrong with your config (though they wouldn't prevent winbox from working). You're using 192.167.0.0/16 as internal space - those are public IP addresses assigned to a company in Italy. By re-using their public IP space you're preventing your customers from accessing those resources. Also, your bogon list is hopelessly outdated. 1/8, for example, has been assigned to APNIC. Again you're preventing your customers from reaching legitimate resources.
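Added example, not from the thread or from RouterOS: a small Python lint over export-style lines that flags the two configuration points raised above, a dstnat redirect with no src-address/in-interface restriction (the fix suggested earlier in the thread) and src-address ranges that are not private address space (the 192.167.0.0/16 problem). The sample export is constructed for the example and only mirrors the thread's ranges.

```python
import ipaddress
import shlex

# Constructed sample in the style of a RouterOS "/export" (not the thread's
# full export). 192.167.x.x is public space, as in the posted config.
SAMPLE_EXPORT = """\
/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade Everything" out-interface=ether1
add action=redirect chain=dstnat dst-port=80 protocol=tcp to-ports=8989
add action=redirect chain=dstnat dst-port=80 protocol=tcp src-address=192.167.18.0/24 \\
    to-ports=8989
/ip proxy cache
add action=deny src-address=192.168.10.0/24
add action=allow src-address=192.167.19.0/24
"""

def parse_export(text):
    """Yield (menu, {key: value}) for every 'add'/'set' line of an export.

    Backslash line continuations are joined first; quoted values (comments)
    are handled by shlex.
    """
    menu = None
    for raw in text.replace("\\\n", "").splitlines():
        line = raw.strip()
        if line.startswith("/"):
            menu = line
        elif line.startswith(("add ", "set ")):
            fields = dict(tok.split("=", 1) for tok in shlex.split(line)[1:] if "=" in tok)
            yield menu, fields

def lint(text):
    """Return findings: unrestricted redirects and non-private 'internal' ranges."""
    findings = []
    for menu, f in parse_export(text):
        # A transparent-proxy redirect must be limited to the LAN, otherwise any
        # source whose port-80 traffic reaches the dstnat chain is redirected.
        if menu == "/ip firewall nat" and f.get("action") == "redirect":
            if not ({"src-address", "in-interface", "src-address-list"} & f.keys()):
                findings.append(f"unrestricted redirect to port {f.get('to-ports')}: "
                                "add src-address or in-interface")
        src = f.get("src-address")
        # Address ranges (a.b.c.d-a.b.c.e) are skipped; only CIDR/host values are checked.
        if src and "-" not in src:
            if not ipaddress.ip_network(src, strict=False).is_private:
                findings.append(f"{src} in {menu} is public address space used as internal")
    return findings

if __name__ == "__main__":
    for finding in lint(SAMPLE_EXPORT):
        print(finding)
```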
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 7:26 pm

so all the previously listed was from a consultant. Again, I'm a one man show, mostly setting up the Wireless infrastructure, relying on hired guns to handle most of the RB part.

for a newb, RB has a decent learning curve, but I'm putting in tons of hours over the months and getting better. still don't think I've hit the point where it all gels yet.

do you consult? can you help me out? I'm here until next week and then gone until October. So I'd like to have this hotspot running as smoothly as possible, b/c I'm the only one trying to make this place the best it can be...

I've tried a few other consultants, well at least the ones listed on MT's page as recommended and from Google, but only get a response rate of maybe 1/10 emails. And then when I get a dialogue going some don't even bother, some have just taken the money and not delivered what they promised, and the most reliable consultant I have right now, well this is his work and he's spent two days trying to fix it with no luck. Ran out of patience in the end.

Can you help? Or point me to someone who can, please?

and should I delete any of the other posts b/c of incriminating info??!
Last edited by Mashimoto on Tue Jul 19, 2011 7:48 pm, edited 1 time in total.
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 7:27 pm

You may want to edit them and replace your public IP with "1.1.1.1".

Sorry, I do not consult.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 7:50 pm

well thanks anyways for all your help. I've definitely learned something I've been missing for a bit with the terminal commands... and how to paste code, haha
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 8:17 pm

are the filter Priorities ok?

I thought it went from 8 (lowest) to 1 (top) prioritizing. This seems backwards to me, but had 2 consultants convince me otherwise... without really understanding what they were saying...
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 8:30 pm

You're confusing VLAN/WMM priority (802.1p) with the priority in queues - which is easy to do given that they're both called priority and have 8 possible values.

http://en.wikipedia.org/wiki/IEEE_P802.1p - as you can see in that link 0 is the lowest 802.1p priority and 7 is the highest. I sorta disagree with the values the consultant picked - picking 7 for VoIP is cheating, 7 is for network control and 5 is for VoIP. This kinda stuff is what makes carriers rewrite 802.1p at borders because they know people will cheat, making it effectively futile and useless.
Also see http://wiki.mikrotik.com/wiki/WMM#How_to_set_priority

Keep in mind that unless you're using VLANs or WMM on your switches, routers, and APs 802.1p won't do you any good. That is of course assuming those switches, routers, and APs can observe 802.1p.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 8:40 pm

Thanks for the info. I'll read up on it.

I pretty much have RB1100 router with UM + Ubiquiti wireless distribution.

While I am WAY over my head from a pro's perspective, I did leave my country to go where no one was/is serving this need to set up the best solution there is available. I just want to make it the best solution from a pro's perspective... so does Ubiquiti observe 802.1p? on 2.4 only WISP setup, mostly NSM2s

The MAIN goal I had in mind with this idea/experiment here, that I took a chance with, was that expats could Skype their families in their home country as they're here for 1-12 months without leaving this foreign country where they work. If people who don't get to see their spouses/children but every x-amount of months can at LEAST talk with them or even see them, then I'm happy with what I've done.

...Man, the deeper I go here into seemingly simple issues, the further away I seem from my goal, hahaha. Alas, TIA^2 (This Is Africa/Angola)...
 
fewi
Forum Guru
Posts: 7717
Joined: Tue Aug 11, 2009 3:19 am

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 8:58 pm

It's a laudable thing to do.

Sorry, I'm not big on wireless, and have never worked with UBNT gear. Maybe someone else can answer that question.
 
Mashimoto
Frequent Visitor
Topic Author
Posts: 51
Joined: Thu Feb 24, 2011 3:55 pm

Re: Proxy: want enable access from external IPs, cache inter

Tue Jul 19, 2011 9:14 pm

no worries

thanks, truly, for everything.

at least I know what I need to do now. gonna work on the how ;)
