Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

2 problems with configuring routeros

Mon Mar 30, 2015 8:36 pm

RB2011UAS on ROS 6.27

First, a problem with VPN: I cannot use VPN on my local network unless I disable the firewall rule that blocks unwanted traffic. Then I can use it. So I guess I need a rule above it to allow VPN, but how?
This is the rule; it's my final rule in the filter rules list:
comment: Drop all other traffic through the router.
      chain=forward action=drop
The second problem is that my laptop's IP address is constantly showing up in a blacklist with a 3-hour timeout.
It's called ftp_blacklist and I disabled the 2 rules that use that address list, but it still shows up.
When I change the IP address of the laptop, it makes no difference. How can I whitelist that?
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: 2 problems with configuring routeros

Mon Mar 30, 2015 9:32 pm

What rule has an action of add-to-address-list with list=ftp_blacklist?
Find that rule, and you'll have an idea why your laptop is making the 'tik angry.

Also - does this happen even when you are not trying to use the VPN client?
If this is 'just happening', then maybe there's some malware on your computer (if the add-to-blacklist rules aren't written badly, that is).
 
Norman29
just joined
Topic Author
Posts: 10
Joined: Sat Feb 08, 2014 9:08 pm

Re: 2 problems with configuring routeros

Mon Mar 30, 2015 10:45 pm

OK, I finally found the rule that triggers the blacklist:
chain=output action=add-dst-to-address-list protocol=tcp 
address-list=ftp_blacklist address-list-timeout=3h 
content="530 Login incorrect" log=yes log-prefix="black"
OK, traffic is counting continuously on this rule...

BTW, the VPN problem has nothing to do with this.
 
ZeroByte
Forum Guru
Posts: 4047
Joined: Wed May 11, 2011 6:08 pm

Re: 2 problems with configuring routeros

Mon Mar 30, 2015 10:53 pm

chain=output action=add-dst-to-address-list protocol=tcp 
address-list=ftp_blacklist address-list-timeout=3h 
content="530 Login incorrect" log=yes log-prefix="black"
OK, traffic is counting continuously on this rule...

BTW, the VPN problem has nothing to do with this.
VPN should be easy - add action=accept chain=forward dst-address=__vpn server ip here__
Put this rule early in the forward chain.

This blacklist rule is interesting.
It means that if the MikroTik originates a TCP packet whose contents include "530 Login incorrect", then bam, blacklist.
No retries / rate limits (unless a similar rule right before it has a rate limit), no specific port - the rule says FTP, but any TCP traffic with that content will match.

This means that the MikroTik is sending such packets to your laptop.
(Packets flowing through the MikroTik to/from the Internet would not match this rule - unless there's another one just like it in the forward chain.)
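One way to lay out the rules this reply describes, as an added example that is not from the thread or from MikroTik: the VPN accept rule placed above the final forward drop, and the ftp_blacklist rule scoped to the router's own FTP service and preceded by a rate-limit rule (the "similar rule right before it" the reply alludes to). The address 203.0.113.10 is a placeholder for the VPN server and the dst-limit values are assumptions to be tuned; both are marked in the comments.

```routeros
# Added example (not from the thread). Placeholder value: 203.0.113.10 stands
# in for the poster's VPN server address and must be replaced.
/ip firewall filter

# --- Problem 1: VPN blocked by the final forward drop ---
# Both accept rules must sit above the drop; the filter list is evaluated top
# to bottom and the first matching rule wins.
add chain=forward action=accept connection-state=established,related \
    comment="Allow replies for connections already permitted"
add chain=forward action=accept dst-address=203.0.113.10 \
    comment="Allow LAN clients to reach the VPN server (placeholder IP)"
add chain=forward action=drop \
    comment="Drop all other traffic through the router."

# --- Problem 2: the ftp_blacklist rule fires on any router-originated TCP payload ---
# Scope the content match to the router's FTP service (its replies leave the
# router from source port 21) and rate-limit before blacklisting, so a single
# typo does not earn a 3-hour ban. Enforcement belongs in the input chain,
# since it drops traffic *to* the router from listed clients.
add chain=input action=drop protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    comment="Drop blacklisted FTP clients"
add chain=output action=accept protocol=tcp src-port=21 content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m \
    comment="Tolerate roughly 10 failed logins per client per minute (assumed limit)"
add chain=output action=add-dst-to-address-list protocol=tcp src-port=21 \
    content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h \
    log=yes log-prefix="black" comment="Blacklist the client after that"

# If the router's FTP service is not needed at all, the simpler fix is to
# switch it off; the blacklist rules then never fire.
/ip service disable ftp
```

Note that `add` appends a rule to the end of the chain, so when pasting into an existing configuration use `place-before=` (or drag the rules in WinBox) to get the accept rules above the existing drop. With `src-port=21` on the output rules, the content match can only be triggered by the router's FTP server, so a laptop that keeps landing in the list is one that keeps failing FTP logins against the router, which is the direction the reply points in.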
