|
I'm glad it's running smoothly for you. You don't need to do anything else, but it might be a good idea to go to the first post of this thread and walk through backing up your config. Then, if you get the urge to experiment, you can get back to this working configuration without much hassle. QoS is loving voodoo but there are online guides about it. I keep saying I'll write something up but in my heart I know that it's not true. Here's how you set it up: <image of chicken being slaughtered and its blood smeared around arcane symbols> And then you change to a PCQ and <several scantily clad ladies prance about in diaphanous gauze> but not before setting to mark your packets and <dark lord summoned, QoS now working>. See? It's easy!
|
# ? Jan 21, 2012 00:30 |
|
|
DrCold posted: Are there any other things I should be configuring on a fresh 750? Clicking through webfig and winbox nothing else really jumped out at me as 'required' for my simple network requirements.

I have a RB450G, interfaces set up the same way + PPPoE client on the WAN port, DHCP server on the 2nd port and NAT. Pretty much all you need for a simple network. I've been playing with QoS but it's not exactly simple, gonna take me a while to perfect it! I have mine set up with a Ubiquiti Picostation, couldn't be happier!
|
# ? Jan 21, 2012 04:40 |
|
Reading through this thread has inspired me to get off our junk old Netgear RO318 router and into something a little bit more capable. Now I have a month or so to figure this thing out before we cut over from our junk tiny T1 to business level cable internet.
|
# ? Feb 8, 2012 21:55 |
|
Hahaha that will *crush* your puny Netgear. Let us know if you have any questions.
|
# ? Feb 8, 2012 22:18 |
|
I wish I could put a few of those in some of my customers' buildings.
|
# ? Feb 8, 2012 22:20 |
|
I've noticed a bug lately in export compact. It's leaving off things like port numbers on ip firewall rules. Mine blacklisted half the internet before I noticed it. Also Tarpit is nasty, dirty, evil, and wonderful.
|
# ? Feb 9, 2012 00:43 |
|
CuddleChunks posted: QoS is loving voodoo but there are online guides about it.

My biggest annoyance is QoS on anything Linux-based. I wish Mikrotik would just rip all that out and replace it with something nicer.
|
# ? Feb 9, 2012 16:47 |
|
Exporting in 5.12 is definitely flaky. It picked up most of my rules, but it left off all the tcp flags on my portscanner rules so it basically started blacklisting everything. It's supposed to be this: code:
That coupled with tarpitting does extremely unkind things to the tcp stack of anyone who tries to portscan me. Farking Bastage fucked around with this message at 19:29 on Feb 9, 2012 |
# ? Feb 9, 2012 19:23 |
|
Farking Bastage posted: That coupled with tarpitting does extremely unkind things to the tcp stack of anyone who tries to portscan me.

The tarpit feature just has you hold connections open and slowly respond. You're really doing more harm to yourself. Sure, if some kid gets your IP and portscans you they're kind of hosed, but anyone launching a real DDoS attack (scanning first, we'll say)? YOUR network stack will melt because you'll exceed 65535 open ports in no time.
|
# ? Feb 9, 2012 22:16 |
|
If I did it right, it's drop/logging DDOS and blacklisting, dropping SYN attack stuff, and tarpitting the portscanners. code:
e: due to export bugs, a lot of those firewall rules are incomplete
e2: Maybe I misunderstood tarpit. I thought it basically sent back ack flags regardless of whether a port is open or not, causing an attacker's TCP stack to poo poo itself. Farking Bastage fucked around with this message at 03:02 on Feb 10, 2012 |
# ? Feb 10, 2012 02:55 |
|
Farking Bastage posted: e2: Maybe I misunderstood tarpit. I thought it basically sent back ack flags regardless of whether a port is open or not causing an attacker's TCP stack to poo poo itself.

I can't comment further as my quick googling of what tarpitting was on mikrotiks seemed to describe what I was talking about. It sort of aligns with your description as well -- you're causing their scan to go slow by responding on all ports. But again, it could backfire.
|
# ? Feb 10, 2012 05:04 |
|
Not to rain on your parade, but no good scanners use the host's IP stack to do scans, it's all done in userland, so no matter what your machine does it's not going to jack their poo poo up. Also it's probably slower for them if you respond to nothing (they'll probably retry now and then to make sure the packets don't get lost) versus responding to everything. That just wastes your bandwidth and CPU time, doubly so if you're logging it. Really though, who cares if you get scanned now and then? Welcome to the internet. Are you filtering out winnuke packets too?
|
# ? Feb 10, 2012 05:12 |
|
Ninja Rope posted: Not to rain on your parade, but no good scanners use the host's IP stack to do scans, it's all done in userland,

So the entire concept of making a tcp or udp connection to another host is done in userland? The utility runs in userland, sure, but the kernel still has to open a socket. Any network activity at all has to go through the kernel and network stack at some point or it simply will never reach your NIC and hit the wire. TCP connections don't die immediately when you're done unless they're closed cleanly (unlike tarpitting). They're held open for quite some time by default on nearly all platforms -- "CLOSE_WAIT". This is what kills you. You'll run out in no time. And we're not even taking into consideration the limitations of session tracking on different platforms' firewalls.
edit: and really, this is only a serious issue in certain situations. On your home connection? You're probably fine. But if I were an intelligent-but-angry teenage angsty nerd who wanted to show you up I'd start by scanning before I launch an attack. And when I realize you're tarpitting me? Time to push out a script to 20 different hosts to each open defined port ranges to your router every X minutes. Doesn't take much traffic and now you're dead in the water. feld fucked around with this message at 06:50 on Feb 10, 2012 |
# ? Feb 10, 2012 06:43 |
|
feld posted: So the entire concept of making a tcp or udp connection to another host is done in userland?

Yes, nmap uses libdnet to craft packets in userland, so does unicornscan. Both programs implement their idea of TCP and IP internally. libdnet uses PF_PACKET on linux to send raw packets, but SOCK_RAW is available on other platforms if you don't mind the OS handling layer 2. You could also write to the ethernet device yourself, or let pcap do it for you via pcap_send or pcap_inject. nmap does have an option to let you use the host's stack, though (connect() scan). You're also confusing the number of unique TCP and UDP port numbers (65535) with the number of active/outstanding connections. A host can have more than 65k open TCP connections if it has the memory. If you scan the poo poo out of a host via TCP you could fill up the syn cache table, causing the host to drop new incoming connections. If supported the host may begin responding with SYN cookies, which use more CPU but no memory. Regardless of the protocol, if you scan fast enough you will eventually run the target out of CPU or bandwidth and you're just DoSing them at that point, though if he has a ton of firewall rules and logging enabled he will tap out sooner. Anyone actually trying to scan a host would do so slowly to help avoid detection and decrease the risk of packets being dropped. They'd also probably scan from multiple locations or from somewhere in China so the scan looks just like every other automated botnet scan. Ninja Rope fucked around with this message at 23:03 on Feb 10, 2012 |
# ? Feb 10, 2012 22:57 |
|
Ninja Rope posted: You're also confusing the number of unique TCP and UDP port numbers (65535) with the number of active/outstanding connections. A host can have more than 65k open TCP connections if it has the memory.

I think we're simply misunderstanding each other here. I certainly understand the concept of more than 65K open TCP connections. Like if you have a webserver and you have 100,000 clients hitting it at once. That's fine, assuming your webserver can handle it. It's your port 80 to 100,000 other ports, one on each of the clients. But if this tarpitting pretends that every port of yours is open to slow a scanner down... Now you can easily have your ports 1-65535 being used up very quickly. You can't make further outgoing connections because there's none left in the pool. You're now dead in the water because all of your ports are exhausted. See what I mean?
|
# ? Feb 11, 2012 19:31 |
|
That's true, if some hypothetical tarpit program created and bound one socket per unused ephemeral port the host would be unable to initiate any outgoing TCP connections. However, that would be the case as soon as the sockets were bound, not triggered when someone connected all of the ports. The Linux/iptables tarpitting implementation is done inside iptables and doesn't prevent the port from being used for other connections. I don't know how the Mikrotik tarpit implementation works, but I imagine it uses iptables.
|
# ? Feb 12, 2012 02:24 |
|
Ninja Rope posted: That's true, if some hypothetical tarpit program created and bound one socket per unused ephemeral port the host would be unable to initiate any outgoing TCP connections. However, that would be the case as soon as the sockets were bound, not triggered when someone connected all of the ports. The Linux/iptables tarpitting implementation is done inside iptables and doesn't prevent the port from being used for other connections. I don't know how the Mikrotik tarpit implementation works, but I imagine it uses iptables.

I'm still a little fuzzy about how the firewall would respond on a port but the OS has nothing bound to it. Either way, I completely ignored the fact that yes, something would have to be bound to EVERY port. You've made an irrefutable point. Thanks for following up.
|
# ? Feb 13, 2012 16:40 |
|
I hope I didn't come off as if I was trying to bust your balls, I've been working on something related for a while and felt like sperging out. Sorry if I seemed like a dick. If you want to look at the xtables (the internal name for the "new" iptables) tarpit module, the source is here. The "tarpit_tcp" function is where incoming packets are replied to. It looks like it doesn't keep any state, it simply sends a reply to anything that has the SYN or ACK flag set and not RST or FIN.
|
# ? Feb 13, 2012 22:53 |
|
Ninja Rope posted: I hope I didn't come off as if I was trying to bust your balls, I've been working on something related for a while and felt like sperging out. Sorry if I seemed like a dick.

Nope, no worries. And thanks for the link -- I'll browse the source later. Cheers!
|
# ? Feb 14, 2012 13:50 |
|
What the gently caress, Roku! code:
The winbox interface lists 10.20.30.80 as unused and "waiting". No active address/mac/hostname/expiration.
|
# ? Feb 17, 2012 23:52 |
|
It looks like it's a static lease. Notice there's no "D" in the dynamic column. If you check the Roku's page does it show that it has that IP address? Did you set the Roku to that static IP so it isn't trying to request DHCP?
|
# ? Feb 18, 2012 00:25 |
|
CuddleChunks posted: It looks like it's a static lease. Notice there's no "D" in the dynamic column. If you check the Roku's page does it show that it has that IP address? Did you set the Roku to that static IP so it isn't trying to request DHCP?

I made the DHCP lease static, because I was trying to mangle by IP since the mangle-by-mac was never picking it up. The Roku is using .80 via DHCP. I don't think the Roku even has the option to use static IPs. I will unstatic it and see what happens. . .
edit: Well now it is working. It grabbed .9 with no problem. I swear it wouldn't do this before! Another question, should this queue tree not see all incoming traffic? code:
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=18M name=Incoming parent=global-in priority=8 queue=default
other people fucked around with this message at 00:46 on Feb 18, 2012 |
# ? Feb 18, 2012 00:34 |
|
What are you trying to do with your queue? This is the main reference on it: http://wiki.mikrotik.com/wiki/Manual:Queue But if you tell us what you want to accomplish that will help with writing up something that will work. Oh and this is important:

/queue tree menu - for implementing advanced queuing tasks (such as global prioritization policy, user group limitations). Requires marked packet flows from /ip firewall mangle facility.
|
# ? Feb 18, 2012 01:41 |
|
CuddleChunks posted: What are you trying to do with your queue? This is the main reference on it: http://wiki.mikrotik.com/wiki/Manual:Queue But if you tell us what you want to accomplish that will help with writing up something that will work.

Yeah, I think I understand that the queue only operates on properly marked packets. Here is what I have: code:
All in all, it works quite well as is, but we still have trouble with the Netflix/Roku being very slow to load and dropping the stream if Crashplan/BitTorrent are going nuts. I think part of the problem is that the roku/netflix mangle rule doesn't seem to catch the streaming video. Also the video stream is obviously a download stream. Is it because the streaming stuff is being caught by the TCP ack mangle rule, or is all that streaming stuff UDP? I don't really know what I am talking about.
|
# ? Feb 18, 2012 05:11 |
|
I can't speak for others, but Netflix streaming is TCP.
|
# ? Feb 18, 2012 06:54 |
|
The incoming queue tree isn't functional, unless you didn't intend to use it in the first place? You don't have any connection tracking set up, so... I don't think this rule will work as intended either: code:
MikroTik QoS is still alien to me so I could very well be wrong about all that.
|
# ? Feb 24, 2012 06:23 |
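As an added example, not taken from this thread or from MikroTik's documentation, here is the minimal RouterOS v5 shape of what the posts above describe: a queue tree under global-in only works on packets that mangle has already marked, and the Roku's stream only gets protected from Crashplan/BitTorrent if its connections are marked and prioritised. The Roku address 192.168.88.80, the mark names and the 5M guarantee are assumptions; marks are set in prerouting because global-in is evaluated before the forward chain, and the rules rely on connection tracking being enabled (it is whenever NAT is in use).

```routeros
# Added example (not from the thread). Assumed: LAN 192.168.88.0/24,
# Roku at 192.168.88.80, 18M downstream as in the queue posted above.
/ip firewall mangle
# Tag every new connection the Roku opens; passthrough=yes so the next rules run.
add chain=prerouting src-address=192.168.88.80 connection-state=new \
    action=mark-connection new-connection-mark=roku_conn passthrough=yes \
    comment="Roku/Netflix connections (assumed address)"
# Both directions of a tracked connection carry the connection mark, so the
# reply packets coming down from Netflix get the packet mark here as well.
add chain=prerouting connection-mark=roku_conn \
    action=mark-packet new-packet-mark=roku_pkt passthrough=no
# Everything else (Crashplan, BitTorrent, ...) falls through to the bulk mark.
add chain=prerouting action=mark-packet new-packet-mark=bulk_pkt passthrough=no

/queue type
# PCQ shares the bulk class fairly between LAN hosts, keyed on destination.
add name=pcq-down kind=pcq pcq-classifier=dst-address

/queue tree
# Parent caps downstream at the link rate so the children have something to share.
add name=Incoming parent=global-in max-limit=18M
# Roku gets priority 1 (highest) and a 5M guarantee; bulk gets whatever is left.
add name=roku parent=Incoming packet-mark=roku_pkt priority=1 \
    limit-at=5M max-limit=18M queue=default
add name=bulk parent=Incoming packet-mark=bulk_pkt priority=8 \
    limit-at=1M max-limit=18M queue=pcq-down
```

A queue tree entry with no packet-mark, like the Incoming queue posted earlier, sees nothing; checking the packet counters of the two child queues while the Roku is streaming is the quickest way to confirm the marks are actually landing.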
|
I have a very simple question about raw speeds that I hope someone can answer. I currently have 100/5 internet service which is scheduled to go to 250/15 some time this year. I also currently have 7 wired devices at my house which all have gigabit interfaces. If I purchase an RB493, then:
- connect the WAN connection to port 1
- set up a switch group of ports 2-9 with which my wired devices will connect to
- set up port forwarding rules from WAN-to-LAN (e.g. forwarding RDP to an internal box, etc.)
Will I still see full gigabit traffic (let's say 900mbps, give or take, assuming TCP overhead) on the internal switch group as there will be no rules applied to it, and still get 250mbps from WAN-to-LAN, or will the fact that I've done even a little bit of NAT stuff (the port forwarding) drop the LAN-to-LAN speeds down significantly? I won't be doing any QoS or any routing other than the basic WAN-to-LAN and LAN-to-WAN.
|
# ? Feb 24, 2012 20:00 |
|
If it has a switch chip you should be able to get wire speed as long as it's being used. Routing speed depends on features + pps. Enabling NAT alone probably halves your speed (guess). If it's all larger packets at a short rate you can likely achieve decent results. They have test results for straight up routing in a pdf on routerboard.com, take that info and divide it in half, or even up to 80% lower and see where that puts you.
|
# ? Feb 24, 2012 20:23 |
|
falz posted: If it has a switch chip...

EDIT: Nevermind. The big text at the top of the page lists "two switch chips". Do I get to pick which ports each chip uses or is it split 4 on one and 5 on the other?
|
# ? Feb 25, 2012 00:04 |
|
nexxai posted: Where would I find this out?

* Atheros8316 is present on RB493G (ether1+ether6-ether9, ether2-ether5)
* ICPlus178C is present on RB493 series (ether2-ether9)
|
# ? Feb 25, 2012 00:33 |
|
NOTinuyasha posted: The RB751G is now available - same as the RB751U, but with gigabit ethernet.
|
# ? Feb 26, 2012 11:59 |
|
Mr Chips posted: Does that one do the usual routing/firewalling too, or is it just an AP with a switch built in?

They still run RouterOS, so you can do firewalling and routing and BGP and all the usual stuff.
|
# ? Feb 26, 2012 17:38 |
|
Thanks. I can see quite a few of those ending up in our branch offices if the pair ordered today end up doing what I want, and replacing ageing Cisco branch routers.
|
# ? Feb 27, 2012 14:13 |
|
It looks like they finally started to release the RB2011 devices. http://routerboard.com/RB2011L-IN
|
# ? Mar 5, 2012 20:44 |
|
Ugh. I just picked up a RB450G and when I power it on, I get the beeps but no connection lights on the ethernet ports. This is my first Routerboard so I am not sure what the startup sounds are supposed to be like. Any pointers? Here is a video: Boot Issues aluminumonkey fucked around with this message at 03:48 on Mar 6, 2012 |
# ? Mar 6, 2012 03:16 |
|
Is this a new RB450g, or a used one? Mine all sound similar, with the last 2 beeps meaning it is booted and ready. You can try this though: http://wiki.mikrotik.com/wiki/Manual:Password_reset
|
# ? Mar 6, 2012 04:43 |
|
This is a brand new 450G. I did the manual reset along with resetting it through the serial connection. I still get no power to the ethernet ports. I am in contact with the supplier to see what my next options are.
|
# ? Mar 6, 2012 15:04 |
|
sparticus posted: Ugh. I just picked up a RB450G and when I power it on, I get the beeps but no connection lights on the ethernet ports. This is my first Routerboard so I am not sure what the startup sounds are suppose to be like. Any pointers?

That chirping at the start sounds like it's unhappy with the power supply. What voltage do you have? The double-beeps at the end says it has finally booted. One thing I'd do is plug a serial cable into the port and watch the boot process directly. It spits out a bunch of handy data in there. I'd also try a 24v power supply. On the other hand, you have a new unit that is being weird out of the box. Talking to your vendor is a smart move since it's new. It should just work, dangit.
|
# ? Mar 6, 2012 18:50 |
|
CuddleChunks posted: That chirping at the start sounds like it's unhappy with the power supply. What voltage do you have? The double-beeps at the end says it has finally booted. One thing I'd do is plug a serial cable into the port and watch the boot process directly. It spits out a bunch of handy data in there. I'd also try a 24v power supply.

The chirping went away after doing a grounding reset. Waiting to hear back from roc-noc. Is there anything I can check through the serial port to see if the ethernet ports are dead?
|
# ? Mar 6, 2012 18:57 |
|
|
sparticus posted: Is there anything I can check through the serial port to see if the ethernet ports are dead?

I believe you can see if it's booting to the flash drive, which will load the mikrotik OS. If it's not doing that due to some foolishness at the factory then you can set it there. I don't remember right now if there is a specific diagnostic you can do but I'm very concerned that you aren't getting link lights. In the end, you probably have a bad board and they should get it replaced right away.
|
# ? Mar 6, 2012 19:14 |