Ninja Rope
Oct 22, 2005

Wee.
What are the chances I could load Linux on a device like this and have full support for everything? I assume there wouldn't be any way to offload switched traffic from the CPU, since there's no standard driver/interface for that?


Ninja Rope
Not that this is specific to MikroTik (it's 100% true with Cisco and everyone else too), but just because a device has gigabit ethernet ports doesn't mean it can handle that fast of an internet connection. Depending on the configuration it can switch internal traffic at 1gbps in each direction per port, but only relatively expensive gear can handle a gigabit internet connection (routing, NAT, ACLs, etc) at full speed.

Ninja Rope
Not to rain on your parade, but no good scanners use the host's IP stack to do scans, it's all done in userland, so no matter what your machine does it's not going to jack their poo poo up. Also it's probably slower for them if you respond to nothing (they'll probably retry now and then to make sure the packets don't get lost) versus responding to everything. That just wastes your bandwidth and CPU time, doubly so if you're logging it.

Really though, who cares if you get scanned now and then? Welcome to the internet. Are you filtering out winnuke packets too?

Ninja Rope

feld posted:

So the entire concept of making a tcp or udp connection to another host is done in userland?

Yes, nmap uses libdnet to craft packets in userland, and so does unicornscan. Both programs implement their own idea of TCP and IP internally. libdnet uses PF_PACKET on Linux to send raw packets, but SOCK_RAW is available on other platforms if you don't mind the OS handling layer 2. You could also write to the ethernet device yourself, or let pcap do it for you via pcap_send or pcap_inject. nmap does have an option to let you use the host's stack, though (connect() scan).

You're also confusing the number of unique TCP and UDP port numbers (65535) with the number of active/outstanding connections. A host can have more than 65k open TCP connections if it has the memory.

If you scan the poo poo out of a host via TCP you could fill up the syn cache table, causing the host to drop new incoming connections. If supported the host may begin responding with SYN cookies, which use more CPU but no memory. Regardless of the protocol, if you scan fast enough you will eventually run the target out of CPU or bandwidth and you're just DoSing them at that point, though if he has a ton of firewall rules and logging enabled he will tap out sooner. Anyone actually trying to scan a host would do so slowly to help avoid detection and decrease the risk of packets being dropped. They'd also probably scan from multiple locations or from somewhere in China so the scan looks just like every other automated botnet scan.

Ninja Rope fucked around with this message at 23:03 on Feb 10, 2012
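To make the "scanners build their own TCP" point in the two posts above concrete, here is an added example (not code from the thread, nmap or libdnet) that crafts a TCP SYN entirely in userland: it builds the IPv4 and TCP headers itself, fills in both Internet checksums, and hands the finished packet to the kernel through the SOCK_RAW route the post mentions (the OS still does layer 2). The addresses, ports and sequence number are constructed test values; building and verifying runs unprivileged, and send_raw() needs CAP_NET_RAW.

```python
"""Userland TCP SYN crafting: build the IP and TCP headers ourselves, as nmap/unicornscan do,
so the host's TCP stack never sees a connection.

Added example for this thread, not code from nmap, libdnet or the poster.
Addresses, ports and the sequence number below are constructed test values.
Building and verifying runs unprivileged; send_raw() needs CAP_NET_RAW (root)."""
import socket
import struct


def checksum(data: bytes) -> int:
    """RFC 1071 Internet checksum: one's-complement sum of 16-bit words, complemented."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into the low 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_ipv4_header(src: str, dst: str, payload_len: int, ident: int = 0x1234, ttl: int = 64) -> bytes:
    """20-byte IPv4 header (no options), DF set, protocol TCP, checksum filled in."""
    total_len = 20 + payload_len
    hdr = struct.pack("!BBHHHBBH4s4s",
                      0x45, 0, total_len, ident, 0x4000, ttl, socket.IPPROTO_TCP, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def _tcp_pseudo_header(src: str, dst: str, tcp_len: int) -> bytes:
    """The pseudo-header the TCP checksum covers; it ties the segment to its addresses."""
    return struct.pack("!4s4sBBH", socket.inet_aton(src), socket.inet_aton(dst),
                       0, socket.IPPROTO_TCP, tcp_len)


def build_tcp_syn(src: str, dst: str, sport: int, dport: int, seq: int, window: int = 1024) -> bytes:
    """20-byte TCP header with only SYN set, data offset 5, checksum over pseudo-header + segment."""
    offset_flags = (5 << 12) | 0x02          # data offset 5 words, flags = SYN
    seg = struct.pack("!HHIIHHHH", sport, dport, seq, 0, offset_flags, window, 0, 0)
    csum = checksum(_tcp_pseudo_header(src, dst, len(seg)) + seg)
    return seg[:16] + struct.pack("!H", csum) + seg[18:]


def verify_ipv4(header: bytes) -> bool:
    """A header whose checksum field is correct sums (one's complement) to zero."""
    return checksum(header) == 0


def verify_tcp(src: str, dst: str, segment: bytes) -> bool:
    """Same zero-sum check over pseudo-header + segment."""
    return checksum(_tcp_pseudo_header(src, dst, len(segment)) + segment) == 0


def tcp_flags(segment: bytes) -> int:
    """Low 8 flag bits (CWR ECE URG ACK PSH RST SYN FIN) from byte 13 of the TCP header."""
    return segment[13]


def build_syn_packet(src: str, dst: str, sport: int, dport: int, seq: int) -> bytes:
    """Complete IPv4 + TCP SYN packet, 40 bytes."""
    tcp = build_tcp_syn(src, dst, sport, dport, seq)
    return build_ipv4_header(src, dst, len(tcp)) + tcp


def send_raw(packet: bytes, dst: str) -> None:
    """Hand the finished packet to the kernel below its TCP stack. SOCK_RAW/IPPROTO_RAW
    leaves layer 2 to the OS (the SOCK_RAW route the post mentions); needs CAP_NET_RAW."""
    s = socket.socket(socket.AF_INET, socket.SOCK_RAW, socket.IPPROTO_RAW)
    try:
        s.setsockopt(socket.IPPROTO_IP, socket.IP_HDRINCL, 1)  # we supply the IP header
        s.sendto(packet, (dst, 0))
    finally:
        s.close()


if __name__ == "__main__":
    pkt = build_syn_packet("192.0.2.1", "198.51.100.7", 40000, 80, 0x11223344)
    print(pkt.hex())
    print("ip ok:", verify_ipv4(pkt[:20]),
          "tcp ok:", verify_tcp("192.0.2.1", "198.51.100.7", pkt[20:]))
    # send_raw(pkt, "198.51.100.7")  # uncomment and run as root to actually transmit
```

One caveat the posts skip over: because the host's own stack never sent that SYN, a SYN/ACK coming back matches no socket and the kernel answers it with a RST. For a SYN scan that is harmless (the SYN/ACK already told you the port is open, and the RST tears the half-connection down), but anything that wants to finish a handshake in userland has to firewall its own outgoing RSTs first.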
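The post above contrasts a SYN cache that fills up (and then drops new connections) with SYN cookies that trade CPU for memory. The following is an added toy model of both behaviours, not kernel code and not from the poster: a bounded half-open backlog beside a stateless cookie scheme whose ISN is a MAC over the 4-tuple and a coarse counter, then a spoofed SYN flood against each followed by one honest handshake. Addresses, ports, the secret and the class names are constructed for the example.

```python
"""Stateful SYN backlog vs. stateless SYN cookies under a SYN flood.

Added example for this thread, not kernel code: a toy model of the two behaviours the post
describes (a backlog that fills up and drops new SYNs, versus cookies that cost a MAC
computation per SYN/ACK but no memory). All addresses, ports and the secret are constructed."""
import hashlib
import hmac

Key = tuple  # (saddr, sport, daddr, dport)


class SynBacklog:
    """Kernel-style half-open queue: one entry per unanswered SYN until capacity is hit."""

    def __init__(self, capacity: int):
        self.capacity = capacity
        self.half_open: dict = {}

    def on_syn(self, key: Key, isn: int) -> bool:
        if key in self.half_open:
            return True                       # retransmitted SYN, already queued
        if len(self.half_open) >= self.capacity:
            return False                      # backlog full: SYN dropped, legit or not
        self.half_open[key] = isn
        return True

    def on_ack(self, key: Key, ack: int) -> bool:
        isn = self.half_open.pop(key, None)
        return isn is not None and ack == (isn + 1) & 0xFFFFFFFF


class SynCookies:
    """Stateless: the ISN we send back is a MAC over the 4-tuple and a coarse counter;
    the third-packet ACK proves the client saw it. Nothing is stored per SYN."""

    def __init__(self, secret: bytes, window: int = 2):
        self.secret = secret
        self.counter = 0                      # advance with tick(); bounds cookie lifetime
        self.window = window

    def tick(self) -> None:
        self.counter = (self.counter + 1) & 0xFF

    def _mac(self, key: Key, counter: int) -> bytes:
        saddr, sport, daddr, dport = key
        msg = f"{saddr}:{sport}>{daddr}:{dport}|{counter}".encode()
        return hmac.new(self.secret, msg, hashlib.sha256).digest()[:3]   # 24 bits

    def on_syn(self, key: Key) -> int:
        """Return the ISN for the SYN/ACK: counter in the top byte, 24-bit MAC below."""
        return (self.counter << 24) | int.from_bytes(self._mac(key, self.counter), "big")

    def on_ack(self, key: Key, ack: int) -> bool:
        cookie = (ack - 1) & 0xFFFFFFFF
        counter, mac = cookie >> 24, (cookie & 0xFFFFFF).to_bytes(3, "big")
        if ((self.counter - counter) & 0xFF) > self.window:
            return False                      # cookie too old to be recomputed
        return hmac.compare_digest(mac, self._mac(key, counter))


def simulate_flood(n_spoofed: int, capacity: int, secret: bytes = b"constructed-secret") -> tuple:
    """Flood both implementations with spoofed SYNs that never complete, then try one real
    handshake against each. Returns (stateful_legit_accepted, cookie_legit_accepted)."""
    backlog, cookies = SynBacklog(capacity), SynCookies(secret)
    for i in range(n_spoofed):
        spoofed = (f"203.0.113.{i % 250 + 1}", 1024 + i, "198.51.100.7", 80)
        backlog.on_syn(spoofed, 0)
        cookies.on_syn(spoofed)               # answered, but nothing retained
    legit = ("192.0.2.10", 44444, "198.51.100.7", 80)
    stateful_ok = backlog.on_syn(legit, 777) and backlog.on_ack(legit, 778)
    isn = cookies.on_syn(legit)
    cookie_ok = cookies.on_ack(legit, (isn + 1) & 0xFFFFFFFF)
    return bool(stateful_ok), cookie_ok


if __name__ == "__main__":
    print("64-entry backlog, 10 spoofed SYNs:", simulate_flood(10, 64))
    print("64-entry backlog, 1000 spoofed SYNs:", simulate_flood(1000, 64))
```

The real thing (Linux's net/ipv4/syncookies.c) has to squeeze the MSS into the cookie bits and loses the other SYN options unless TCP timestamps carry them, which is the feature cost behind "more CPU but no memory"; with net.ipv4.tcp_syncookies=1 the kernel only switches to cookies once the backlog has overflowed, which is exactly the point at which the post says the host would otherwise start dropping new connections.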

Ninja Rope
That's true, if some hypothetical tarpit program created and bound one socket per unused ephemeral port the host would be unable to initiate any outgoing TCP connections. However, that would be the case as soon as the sockets were bound, not triggered when someone connected all of the ports. The Linux/iptables tarpitting implementation is done inside iptables and doesn't prevent the port from being used for other connections. I don't know how the Mikrotik tarpit implementation works, but I imagine it uses iptables.

Ninja Rope
I hope I didn't come off as if I was trying to bust your balls, I've been working on something related for a while and felt like sperging out. Sorry if I seemed like a dick. :)

If you want to look at the xtables (the internal name for the "new" iptables) tarpit module, the source is here. The "tarpit_tcp" function is where incoming packets are replied to. It looks like it doesn't keep any state, it simply sends a reply to anything that has the SYN or ACK flag set and not RST or FIN.

Ninja Rope
I can't speak for others, but Netflix streaming is TCP.

Ninja Rope
I don't know how the MikroTik daemon works, but some daemons will allow port mappings to be made by one host for another host, or for ports < 1024. This could allow a node on your network to expose another node from behind the firewall, depending on your firewall's configuration. Something like miniupnpd has options to mitigate this.

Ninja Rope

NOTinuyasha posted:

NAT isn't supposed to be a firewall :(

No, but the upnp daemon may take it upon itself to open a hole in the firewall as well as create a NAT mapping to make sure traffic flows through.
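The two UPnP posts above describe the problem (one LAN host asking the daemon for a mapping that exposes a different host, or a port below 1024) and name the mitigation without showing it. Here is an added example, not miniupnpd's code: a hypothetical MappingPolicy class that models the two controls miniupnpd.conf offers, secure_mode (a client may only map ports to its own address) and the allow/deny port rules, and applies them to a few constructed AddPortMapping requests.

```python
"""Policy gate for a UPnP IGD AddPortMapping request: who may ask for a mapping, for which
internal host, and on which ports.

Added example for this thread, not miniupnpd's code. It models two controls miniupnpd.conf
offers, secure_mode (a client may only map ports to its own address) and the allow/deny
port rules, in a hypothetical MappingPolicy class; all addresses and ports are constructed."""
import ipaddress
from typing import Tuple


class MappingPolicy:
    def __init__(self, lan: str, secure_mode: bool = True, allow=()):
        self.lan = ipaddress.ip_network(lan)
        self.secure_mode = secure_mode
        # each rule: ((ext_lo, ext_hi), internal network, (int_lo, int_hi)); no match -> deny
        self.allow = [(ext, ipaddress.ip_network(net), internal) for ext, net, internal in allow]

    def check(self, requester: str, internal_client: str, external_port: int,
              internal_port: int) -> Tuple[bool, str]:
        req = ipaddress.ip_address(requester)
        target = ipaddress.ip_address(internal_client)
        if req not in self.lan:
            return False, "request not from the LAN"
        if self.secure_mode and target != req:
            return False, "secure_mode: client may only map to its own address"
        for (ext_lo, ext_hi), net, (int_lo, int_hi) in self.allow:
            if ext_lo <= external_port <= ext_hi and target in net and int_lo <= internal_port <= int_hi:
                return True, "allowed by rule"
        return False, "no allow rule matches; default deny"


# Rules in the spirit of a conservative miniupnpd.conf:
#   allow 1024-65535 192.168.1.0/24 1024-65535 / deny 0-65535 0.0.0.0/0 0-65535
DEFAULT_POLICY = MappingPolicy("192.168.1.0/24", secure_mode=True,
                               allow=[((1024, 65535), "192.168.1.0/24", (1024, 65535))])

if __name__ == "__main__":
    for req, client, ext, internal in [("192.168.1.20", "192.168.1.20", 8080, 8080),
                                       ("192.168.1.20", "192.168.1.30", 8080, 8080),
                                       ("192.168.1.20", "192.168.1.20", 445, 445)]:
        print(req, "->", client, ext, internal, DEFAULT_POLICY.check(req, client, ext, internal))
```

The second request is the case the post warns about, a node mapping a port for a different node, and secure_mode alone refuses it; the port rules catch the third. Note that the LAN-origin check is not a defence in the scenario the post describes, since the requester there is already a host inside the LAN.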

Ninja Rope

thebigcow posted:

Project will already be too expensive, airfiber is out :(

I've only eyeballed the heights so far, but I'm pretty sure getting over the tree tops is going to be a greater distance than I want to run a pole off a chimney. Is there a brand/supplier of tower that everyone uses or is this the sort of thing where you just call local places until you get a sane price?

Remember it's not enough to just have line of sight, you need the whole first Fresnel zone to be clear to guarantee perfect reception.
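As an added illustration of the Fresnel point (not from the post; the link numbers are assumed), the radius of the n-th Fresnel zone at a point $d_1$ from one end and $d_2$ from the other of a link of wavelength $\lambda$ is

$$ r_n = \sqrt{\frac{n\,\lambda\,d_1 d_2}{d_1 + d_2}}, \qquad \lambda = \frac{c}{f} $$

so for a 5.8 GHz link ($\lambda \approx 0.0517$ m) over 1000 m with the treetops at the midpoint ($d_1 = d_2 = 500$ m)

$$ r_1 = \sqrt{\frac{0.0517 \cdot 500 \cdot 500}{1000}} \approx \sqrt{12.9} \approx 3.6\ \text{m}. $$

The zone is widest at mid-path, which is why the obstacle in the middle sets the mast height rather than the endpoints; a common rule of thumb is that keeping at least 60% of $r_1$ (here about 2.2 m) clear above the treetops gets close to free-space loss.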

Ninja Rope
Can you plug a laptop or something directly into the router and test the speed? It would be hard to tell if it's the fault of the router, APs, or just wifi/interference, if you can't start isolating things.

Ninja Rope

thebigcow posted:

Any ideas on where to start?

Does the pfsense host have all the same goofy /30 and /26 routes back? If not, what does it have?

Ninja Rope
You shouldn't need a firewall rule to tell a device not to forward link-local messages across other links, even if you're paranoid.


Ninja Rope

kiwid posted:

I have an RB2011UAS-2HnD-IN and when I VPN using L2TP/IPSEC md5/sha I can get max speeds of about 900kB/s. Looking at the CPU, it's at 100% when transferring like this. What is the cheapest routerboard I can buy that would get me about 5mB/s? Would I be better off building my own x86 box?

If you have the option, can you change the cipher to something like twofish or AES?
