Mikrotik - pre zaciatocnikov

[Chris]

Tipujem bud MTvnenibz local/remote network ipsec tunnela, alebo ti nepasuje routa alebo niektore ACL.
Skus dat vacej info

[Snake]

Kód: Vybrať všetko

ip firewall filter chain=forward action=passthrough 
ip firewall filter chain=forward action=fasttrack-connection connection-state=established,related connection-mark=!ipsec log=no log-prefix="" 
ip firewall filter chain=forward action=accept connection-state=established,related log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=udp port=4500 log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=ipsec-esp log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=udp port=500 log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=gre log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=icmp src-address=192.168.0.0/16 log=no log-prefix="" 
ip firewall filter chain=input action=accept protocol=ipsec-ah log=no log-prefix="" 
ip firewall filter chain=input action=accept connection-nat-state="" src-address-list=VPNUser log=no log-prefix="" 
ip firewall nat chain=srcnat action=accept src-address=192.168.5.0/24 dst-address=192.168.0.0/24 log=no log-prefix="" 
ip firewall nat chain=srcnat action=masquerade out-interface=all-ethernet log=no log-prefix="" 
ip ipsec peer address=178.40.x.x/32 auth-method=pre-shared-key secret="" generate-policy=no policy-template-group=default exchange-mode=main send-initial-contact=yes nat-traversal=yes proposal-check=obey hash-algorithm=sha1 enc-algorithm=aes-256 dh-group=modp1024 lifetime=8h dpd-interval=10s dpd-maximum-failures=10 
ip ipsec policy src-address=192.168.5.0/24 src-port=any dst-address=192.168.0.0/24 dst-port=any protocol=all action=encrypt level=require ipsec-protocols=esp tunnel=yes sa-src-address=82.x.x.x sa-dst-address=178.x.x.x proposal=SA ph2-count=2 
ip ipsec proposal name="SA" auth-algorithms=sha1 enc-algorithms=aes-256-cbc,aes-256-ctr,aes-256-gcm lifetime=1h pfs-group=none 

/ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 A S  0.0.0.0/0                          82.x.x.z             1
 1 ADC  82.x.x.y/29   82.x.x.x   WAN                       0
 2 ADC  192.168.5.0/24     192.168.5.1     LAN                       0

Z domu do firmy

0.jpg

Z firmy domov

1.jpg

z MT domov

2.jpg

[Hexaris]

Ked to rychlo pozeram tak ti to vracia 82.x a ona brana sa nevie dostat na 192.168.0.4 zrejme skrz preffered gw, skus si v ping tool, advanced nastavit source address 192.168.5.x

Ale mozno kecam ... pripadne zapni fw log a tam uvidis ci sa to niekde nezahadzuje.
Edit: este sam zabudol traceroute v MT ... tam uvidis kade to lezie

[Chris]

skus dat traceroute z MT a z firmy. Cize 192.168/24 mas doma 192.168.5/24 v robote ?
Podla mna pingas z MT zo zleho interfacu, ak pingas z 192.168.5.1 tak nejde tiez ?

[Marto]

Ahojte, viem na Mikrotiku v DHCP vyparatiť obdobu tohoto, kde potom po pridelení adresy 1-3 využívajú gw 10.0.0.2 a 4 a 5 10.0.0.1 gw? THX

Kód: Vybrať všetko

...
subnet 10.0.0.0 netmask 255.255.255.0 {
     option routers 10.0.0.1;
     option subnet-mask 255.255.255.0;
     range dynamic-bootp 10.0.0.150 10.0.0.249;
}

group {
        option routers 10.0.0.2;
        host 1 { ... }
        host 2 { ... }
        host 3 { ... }
}

host 4 { ... }
host 5 { ... }

[Snake]

skus dat traceroute z MT a z firmy. Cize 192.168/24 mas doma 192.168.5/24 v robote ?
Podla mna pingas z MT zo zleho interfacu, ak pingas z 192.168.5.1 tak nejde tiez ?

Takze problem bol v tom, ze proposal mi na niektore tunely urcoval subnet 5.224/27, pricom MT lezal na 5.1, preto mi to z klientov slo, ale z MT ne, MT som dal na koniec rozsahu a uz to pinga

[Erazer]

Čaute. Mikrotik beží týždeň, čosi som pogúglil a niečo vyhrabal aj tu na fóre (hlavne turbo a sestnastka) ale chcel by som sa poradiť ohľadom pár vecí.
Služby som zablokoval okrem web ktorému som pridal pravidlo do FW a winboxu som zmenil default port.
Prístup do routra / siete z vonku momentálne nepotrebujem žiaden.
Čo by ste ešte odporučili pridať ? (MT svieti priamo do internetu)

FW:

Kód: Vybrať všetko

 0  D ;;; special dummy rule to show fasttrack counters
      chain=forward action=passthrough 

 1    ;;; defconf: accept in ipsec policy
      chain=forward action=accept ipsec-policy=in,ipsec 

 2    ;;; defconf: accept out ipsec policy
      chain=forward action=accept ipsec-policy=out,ipsec 

 3    ;;; defconf: fasttrack
      chain=forward action=fasttrack-connection 
      connection-state=established,related 

 4    ;;; defconf: accept established,related, untracked
      chain=forward action=accept 
      connection-state=established,related,untracked log=no log-prefix="" 

 5    ;;; defconf: drop invalid
      chain=forward action=drop connection-state=invalid log=no log-prefix="" 

 6    ;;; defconf:  drop all from WAN not DSTNATed
      chain=forward action=drop connection-state=new 
      connection-nat-state=!dstnat in-interface-list=WAN 

 7    ;;; Block WAN Ping
      chain=input action=drop protocol=icmp in-interface=ether1 log=no 
      log-prefix="" 

 8    ;;; ddos
      chain=forward action=jump jump-target=detect-ddos connection-state=new 
      log=no log-prefix="" 

 9    chain=detect-ddos action=return dst-limit=32,32,src-and-dst-addresses/10s 

10    chain=detect-ddos action=add-dst-to-address-list address-list=ddosed 
      address-list-timeout=10m 

11    chain=detect-ddos action=add-src-to-address-list address-list=ddoser 
      address-list-timeout=10m 

12    chain=forward action=drop connection-state=new src-address-list=ddoser 
      dst-address-list=ddosed 

13    ;;; block web z internetu
      chain=input action=drop protocol=tcp in-interface=ether1 dst-port=80 
      log=no log-prefix="" 

14    ;;; DNS TCP
      chain=input action=drop connection-state=new protocol=tcp 
      in-interface=ether1 dst-port=53 log=no log-prefix="" 

15    ;;; DNS UDP
      chain=input action=drop connection-state=new protocol=udp 
      in-interface=ether1 dst-port=53 log=no log-prefix="" 

NAT:

Kód: Vybrať všetko

Flags: X - disabled, I - invalid, D - dynamic 
 0    ;;; defconf: masquerade
      chain=srcnat action=masquerade out-interface-list=WAN 
      ipsec-policy=out,none 

Čo ma trochu znepokojuje je že keď spustím Torch na ether1 (wan) tak tam vidím pripojenú adresu 92.52.16.148
Keď na ňu pristúpim hodí webGui Mikrotiku ktorý mi pripadá ako nejaký pokus o phishing prihlasovacích údajov ?
iplookup tejto IP hovorí o lokalite na ktorej som aj ja ale neverím tomu. Ako sa tej IP pripojenej na moju verejnú IP zbaviť ?
Díky za info

[16cmfan]

Skus:

Kód: Vybrať všetko

chain=forward action=reject reject-with=icmp-admin-prohibited 
      src-address=95.52.16.148 dst-address=interna IP na WAN alebo definuj rovno len WAN rozhranie log=no 
      log-prefix

[Erazer]

Nejak nepomohlo. Ale prečo práve iný Mikrotik v mojom okolí ? (teda aspoň sa tak tvári)

[16cmfan]

Tak namiesto chain forward daj input, je to podstatny rozdiel

[Snake]

CHR - 24 jadier - 2GB RAM - 50 IPsec tunelov, 10 L2TP tunelov, PBR, IVR, IPv6 zapnute (6to4 cez HE), denne cca 30% load, 1GB RAM v standby, ked sa spustaju skripty a comm cez tunely tak zataz vyleze na 60% a RAM na 1,5GB, zatial sa drzi celkom obstojne, dufam ze neposeru AES-NI. Cez IPsec mi najrychlejsi tunel leze aj 700mbps

[16cmfan]

Tak to je pekne davat 700mmbps cez IPSEC

Inak, skusal si na tom SSTP ?

Windows - MikroTik ? Stale mi to nechce zozrat (windows) certifikat, som to robil podla navodov... ze ci reku nemas nahodou osobnu skusenost...

[Chris]

CHR - 24 jadier - 2GB RAM - 50 IPsec tunelov, 10 L2TP tunelov, PBR, IVR, IPv6 zapnute (6to4 cez HE), denne cca 30% load, 1GB RAM v standby, ked sa spustaju skripty a comm cez tunely tak zataz vyleze na 60% a RAM na 1,5GB, zatial sa drzi celkom obstojne, dufam ze neposeru AES-NI. Cez IPsec mi najrychlejsi tunel leze aj 700mbps

to mas RouterOS na HyperV/VMware 24 jadier a len 2GB ram ? trochu vacsia disproporcia nie ?
700Mbps si meral cez co ? iperf ? pri akych velkych paketoch a ostatnych parametroch ?

[Snake]

Hyper-V, viac ram mi zatial netreba, neni naco. Merane cez btest.

[Snake]

SSTP mam na WinServroch, neprevadzkujem to na MT lebo ten na to nema akceleraciu