MikroTik

Hi,
I'm a CCNA again and my CCIE friend recommended this company to me so I got the RB2011UiAS-2HnD
for my home network.

My MikroTik is etherneted to my ISP DSL gateway (which also has a WEP active - I enabled MAC filtering). The ISP DSL gateway only connects TVs to netflix so I'm not worried about it.

It seems like there is not enough security between the 2 routers?

So my fast MikroTik that the PCs are behind (WPA2 PSK), I want to set up IDS/IPS.
In the Cisco world I could easily type "show running-config" or "show startup-config" and copy/paste to the config file,TFTP, save it as a backup clear text file, etc.

How do I get my MikroTik backup file (if its clear text)?
I want to copy/paste firewall rules from http://wiki.mikrotik.com/wiki/Firewall
but Putty, Terminal, etc are having paste issues.
Thanks!

Putty or Terminal should not be having any paste issues. I can paste config just fine.

To export config on screen or in a file, in readable form, use the command "/export"

Whenever I paste, it autofills what it thinks the command is going to be, it screws it all up.
In cisco you dont have to autofill or hit tab and it will autofill for you.
I could show you
thanks

I like that /export command!
I can easily copy/paste that export to WordPad or something, modify it. Can I just paste it directly back in?
Mine will have all sorts of complications from pasting to a terminal because of auto-fills.

These are Cisco commands= would I have to "WR" or "copy run start" afterwards to save?
sorry for my inexperience

I believe the /import command may get me going! thanks

you can also do "/export file=name" to save the output to file

what you seem to have done, is pressed CTRL+V to trigger auto complete mode. Use right-click to "Paste". Don't use CTRL+V

http://wiki.mikrotik.com/wiki/Home_Firewall

I figured out that those ^ scripts/configs must be from older versions of O/S or something cause my router CLI was wanting different syntax (mostly different order). It was expecting different commands.

in putty, CTRL+V doesnt do anything at all.. I've been right clicking this whole time (and in terminal)
Thanks

Is there any way to manipulate the config file from WebFig or some other GUI like that? thanks!

Whatever you have configured in Webfig or other GUI, will be reflected in the exported "export" file.

in putty, CTRL+V doesnt do anything at all.. I've been right clicking this whole time (and in terminal)

It does, it triggers the auto-complete mode. I just tested it. There will be no messages, it will just be on. Hit it again to type normally without auto complete.

So thats why its been turning on and off, thanks!

EDIT: THAT has been my problem this whole time! Stupid auto complete!

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,100 \
action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

keep getting a
"value of limit contains invalid trailing characters"

I think its a problem with the connection-limit command. Also, isnt 100 a good # for a home router?

always put values in "quotes"

sorry sir, I'm not getting it, can you hold my hand?
which value is the value that requires quotation marks? thanks

in this case, the one giving the error:

/ip firewall filter add chain=input protocol=tcp connection-limit="LIMIT,100" action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

yep thats one of the ways i tried it. I tried "limit" and "100" and "limit,100" nothing worked.
In the Cisco world it has the marker that shows where the error is but this is over my rookie head.
The reason I thought the error lied in the connection-limit command was that was the place I found I was having the problem by trial and lots of error.
thanks!

The command is incorrect in itself, what are you trying to do exactly? The "LIMIT" should be replaced with the actual number of connections that you want to allow per address. "LIMIT" is just a placeholder for the example. Never copy something without checking what it is. Here is an actual example:
also don't just copy it, change it according to your needs

actually, I figured it out:
"connection-limit" was looking for a netmask:

add chain=input protocol=tcp connection-limit=100,255.255.255.0 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

I was following the basic firewall/home setup in the online user manual. I guess it was just giving me syntax from an old RouterOS version.

(So I'm trying to limit TCP SESSIONS to 100 per host)
My question: will that 255.255.255.0 netmask cover all hosts on my network? or does it need a wildcard mask 0.0.0.255 or something? My network is a 192.168.88.X class C so /24 I guess? Thanks again

actually, I figured it out:
"connection-limit" was looking for a netmask:

add chain=input protocol=tcp connection-limit=100,255.255.255.0 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

I was following the basic firewall/home setup in the online user manual. I guess it was just giving me syntax from an old RouterOS version.

(So I'm trying to limit TCP SESSIONS to 100 per host)
My question: will that 255.255.255.0 netmask cover all hosts on my network? or does it need a wildcard mask 0.0.0.255 or something? My network is a 192.168.88.X class C so /24 I guess? Thanks again

You can replace 255.255.255.0 with 32 like I wrote in my example. It is the same thing. The "/32" netmask means "per IP". No wildcard needed.