RB951G-2HnD - firewall zerie 100% CPU pri downloade

[shiro]

Cafte, riesim jednu zaludnost, ktora nieje nejak kriticka, ale ma proste stve

Mam Mikrotik RB951G-2HnD, zapojeny za Orange Fibernet konvertor Huawei, rychlost netu je 250/100Mbit.
A posledne som zistil ze nech robim co robim, nameram pri downloade max 170-190Mbit, pricom CPU v Mikrotiku je vysmazene na 100% jeho vnutornym firewallom. Ostatne blbiny, ako Management alebo Bridging, co tam mam, zeru do 20%.

Myslim ze toto mi limituje rychlost, ktora by inac bola tych 250, meral som to bez Mikrotiku a tu rychlost dam.
Pri uploade dam bez problemu tych 100Mbit, no firewall vytazuje CPU zase, aj ked menej, nejakych 70-80%.

No nepomohlo ani vypnutie vsetkych firewall rules. Pokial viem, firewall ako taky sa v RouterOS vypnut neda, resp vypnutie firewallu = vypnutie vsetkych firewall rules. Google tiez neporadil. Akurat viem ze niesom sam, par ludi malo podobny problem, aj ked nie s firewallom, ale s DNS a podobne.

Vie niekto preco sa firewall do toho ondi, ked som mu vsetky rules vypol?

[mp3turbo]

ides cez radio ? A vobec, hod sem /export a pohrabeme... ked potrebujes, vymaz odtial SSID, IPcky a podobne blbiny.

[shiro]

ee, to je normalne cat5e tieneny kabel

Tu je export:

Kód: Vybrať všetko

[admin@MikroTik] > /export
# may/16/2016 19:52:31 by RouterOS 5.26
# software id = 3D01-2FII
#
/interface bridge
add admin-mac=D4:CA:6D:CC:71:1B ageing-time=5m arp=enabled auto-mac=no disabled=no forward-delay=15s l2mtu=1598 max-message-age=20s mtu=1500 name=\
    bridge-local priority=0x8000 protocol-mode=rstp transmit-hold-count=6
/interface ethernet
set 0 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Sem je zapojeny konvertor" disabled=no full-duplex=yes l2mtu=1598 mac-address=\
    D4:CA:6D:CC:71:1A master-port=none mtu=1500 name=ether1-gateway speed=1Gbps
set 1 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Sem je zapojene hlavne PC" disabled=no full-duplex=yes l2mtu=1598 mac-address=\
    D4:CA:6D:CC:71:1B master-port=none mtu=1500 name=ether2-master-local speed=1Gbps
set 2 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited comment="Sem je zapojene Mediacenter PC" disabled=no full-duplex=yes l2mtu=1598 \
    mac-address=D4:CA:6D:CC:71:1C master-port=ether2-master-local mtu=1500 name=ether3-slave-local speed=1Gbps
set 3 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:CC:71:1D master-port=\
    ether2-master-local mtu=1500 name=ether4-slave-local speed=1Gbps
set 4 arp=enabled auto-negotiation=yes bandwidth=unlimited/unlimited disabled=no full-duplex=yes l2mtu=1598 mac-address=D4:CA:6D:CC:71:1E master-port=\
    ether2-master-local mtu=1500 name=ether5-slave-local speed=1Gbps
/interface ethernet switch
set 0 mirror-source=none mirror-target=none name=switch1
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=aes-ccm group-key-update=5m interim-update=0s \
    management-protection=disabled management-protection-key="" mode=dynamic-keys name=default radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
    static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none \
    static-sta-private-key="" static-transmit-key=key-0 supplicant-identity=MikroTik tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm \
    wpa-pre-shared-key= wpa2-pre-shared-key=
add authentication-types=wpa-psk,wpa2-psk eap-methods="" group-ciphers=aes-ccm group-key-update=5m interim-update=0s management-protection=allowed \
    management-protection-key="" mode=dynamic-keys name="Profil pre domacu WiFi" radius-eap-accounting=no radius-mac-accounting=no \
    radius-mac-authentication=no radius-mac-caching=disabled radius-mac-format=XX:XX:XX:XX:XX:XX radius-mac-mode=as-username static-algo-0=none \
    static-algo-1=none static-algo-2=none static-algo-3=none static-key-0="" static-key-1="" static-key-2="" static-key-3="" static-sta-private-algo=none \
    static-sta-private-key="" static-transmit-key=key-0 supplicant-identity="" tls-certificate=none tls-mode=no-certificates unicast-ciphers=aes-ccm \
    wpa-pre-shared-key= wpa2-pre-shared-key=
/interface wireless
set 0 adaptive-noise-immunity=none allow-sharedkey=no antenna-gain=15 area="" arp=enabled band=2ghz-b/g/n basic-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps basic-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps bridge-mode=disabled channel-width=20/40mhz-ht-above \
    compression=no country="slovak republic" default-ap-tx-limit=0 default-authentication=yes default-client-tx-limit=0 default-forwarding=yes dfs-mode=none \
    disable-running-check=no disabled=no disconnect-timeout=3s distance=indoors frame-lifetime=3 frequency=2432 frequency-mode=manual-txpower \
    frequency-offset=0 hide-ssid=no ht-ampdu-priorities=0 ht-amsdu-limit=8192 ht-amsdu-threshold=8192 ht-basic-mcs=\
    mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7 ht-guard-interval=any ht-rxchains=0,1 ht-supported-mcs="mcs-0,mcs-1,mcs-2,mcs-3,mcs-4,mcs-5,mcs-6,mcs-7,m\
    cs-8,mcs-9,mcs-10,mcs-11,mcs-12,mcs-13,mcs-14,mcs-15,mcs-16,mcs-17,mcs-18,mcs-19,mcs-20,mcs-21,mcs-22,mcs-23" ht-txchains=0,1 \
    hw-fragmentation-threshold=disabled hw-protection-mode=none hw-protection-threshold=0 hw-retries=7 l2mtu=2290 mac-address=D4:CA:6D:CC:71:1F \
    max-station-count=2007 mode=ap-bridge mtu=1500 multicast-helper=default name=wlan1 noise-floor-threshold=default nv2-cell-radius=30 \
    nv2-noise-floor-offset=default nv2-preshared-key="" nv2-qos=default nv2-queue-count=2 nv2-security=disabled on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=D4CA6DCC711F \
    rate-selection=legacy rate-set=default scan-list=default security-profile="Profil pre domacu WiFi" ssid=ShiroWiFi station-bridge-clone-mac=\
    00:00:00:00:00:00 supported-rates-a/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=1Mbps,2Mbps,5.5Mbps,11Mbps \
    tdma-period-size=2 tx-power-mode=manual-table update-stats-interval=disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=100 \
    wds-ignore-ssid=no wds-mode=disabled wireless-protocol=802.11 wmm-support=disabled
/interface wireless manual-tx-power-table
set wlan1 manual-tx-powers="1Mbps:17,2Mbps:17,5.5Mbps:17,11Mbps:17,6Mbps:17,9Mbps:17,12Mbps:17,18Mbps:17,24Mbps:17,36Mbps:17,48Mbps:17,54Mbps:17,HT20-0:17,HT\
    20-1:17,HT20-2:17,HT20-3:17,HT20-4:17,HT20-5:17,HT20-6:17,HT20-7:17,HT40-0:17,HT40-1:17,HT40-2:17,HT40-3:17,HT40-4:17,HT40-5:17,HT40-6:17,HT40-7:17"
/interface wireless nstreme
set wlan1 disable-csma=no enable-nstreme=no enable-polling=yes framer-limit=3200 framer-policy=none
/ip hotspot profile
set [ find default=yes ] dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap \
    name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
/ip ipsec proposal
set [ find default=yes ] auth-algorithms=sha1 disabled=no enc-algorithms=3des lifetime=30m name=default pfs-group=modp1024
/ip pool
add name="Pool pre DHCP" ranges=
/ip dhcp-server
add address-pool="Pool pre DHCP" authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge-local lease-time=1w3d name="DHCP pre WiFi"
/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 1 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default
/queue type
set 0 kind=pfifo name=default pfifo-limit=50
set 1 kind=pfifo name=ethernet-default pfifo-limit=50
set 2 kind=sfq name=wireless-default sfq-allot=1514 sfq-perturb=5
set 3 kind=red name=synchronous-default red-avg-packet=1000 red-burst=20 red-limit=60 red-max-threshold=50 red-min-threshold=10
set 4 kind=sfq name=hotspot-default sfq-allot=1514 sfq-perturb=5
set 5 kind=none name=only-hardware-queue
set 6 kind=mq-pfifo mq-pfifo-limit=50 name=multi-queue-ethernet-default
set 7 kind=pfifo name=default-small pfifo-limit=10
/routing bgp instance
set default as=65530 client-to-client-reflection=yes disabled=no ignore-as-path-len=no name=default out-filter="" redistribute-connected=no \
    redistribute-ospf=no redistribute-other-bgp=no redistribute-rip=no redistribute-static=no router-id=0.0.0.0 routing-table=""
/routing ospf instance
set [ find default=yes ] disabled=no distribute-default=never in-filter=ospf-in metric-bgp=auto metric-connected=20 metric-default=1 metric-other-ospf=auto \
    metric-rip=20 metric-static=20 name=default out-filter=ospf-out redistribute-bgp=no redistribute-connected=no redistribute-other-ospf=no \
    redistribute-rip=no redistribute-static=no router-id=0.0.0.0
/routing ospf area
set [ find default=yes ] area-id=0.0.0.0 disabled=no instance=default name=backbone type=default
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=\
    public read-access=yes security=none write-access=no
/system logging action
set 0 memory-lines=100 memory-stop-on-full=no name=memory target=memory
set 1 disk-file-count=2 disk-file-name=log disk-lines-per-file=100 disk-stop-on-full=no name=disk target=disk
set 2 name=echo remember=yes target=echo
set 3 bsd-syslog=no name=remote remote-port=514 src-address=0.0.0.0 syslog-facility=daemon syslog-severity=auto target=remote
/user group
set read name=read policy=local,telnet,ssh,reboot,read,test,winbox,password,web,sniff,sensitive,api,!ftp,!write,!policy skin=default
set write name=write policy=local,telnet,ssh,reboot,read,write,test,winbox,password,web,sniff,sensitive,api,!ftp,!policy skin=default
set full name=full policy=local,telnet,ssh,ftp,reboot,read,write,policy,test,winbox,password,web,sniff,sensitive,api skin=default
/interface bridge port
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=ether2-master-local path-cost=10 point-to-point=auto priority=0x80
add bridge=bridge-local disabled=no edge=auto external-fdb=auto horizon=none interface=wlan1 path-cost=10 point-to-point=auto priority=0x80
/interface bridge settings
set use-ip-firewall=no use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/interface ethernet switch port
set 0 vlan-header=leave-as-is vlan-mode=disabled
set 1 vlan-header=leave-as-is vlan-mode=disabled
set 2 vlan-header=leave-as-is vlan-mode=disabled
set 3 vlan-header=leave-as-is vlan-mode=disabled
set 4 vlan-header=leave-as-is vlan-mode=disabled
set 5 vlan-header=leave-as-is vlan-mode=disabled
/interface l2tp-server server
set authentication=pap,chap,mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface ovpn-server server
set auth=sha1,md5 certificate=none cipher=blowfish128,aes128 default-profile=default enabled=no keepalive-timeout=60 mac-address=FE:3A:59:7C:57:C3 max-mtu=\
    1500 mode=ip netmask=24 port=1194 require-client-certificate=no
/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=no keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled
/interface sstp-server server
set authentication=pap,chap,mschap1,mschap2 certificate=none default-profile=default enabled=no keepalive-timeout=60 max-mru=1500 max-mtu=1500 mrru=disabled \
    port=443 verify-client-certificate=no
/interface wireless align
set active-mode=yes audio-max=-20 audio-min=-100 audio-monitor=00:00:00:00:00:00 filter-mac=00:00:00:00:00:00 frame-size=300 frames-per-second=25 \
    receive-all=no ssid-all=no
/interface wireless sniffer
set channel-time=200ms file-limit=10 file-name="" memory-limit=10 multiple-channels=no only-headers=no receive-errors=no streaming-enabled=no \
    streaming-max-rate=0 streaming-server=0.0.0.0
/interface wireless snooper
set channel-time=200ms multiple-channels=yes receive-errors=no
/ip accounting
set account-local-traffic=no enabled=no threshold=256
/ip accounting web-access
set accessible-via-web=no address=0.0.0.0/0
/ip address
add address=192. comment="default configuration" disabled=no interface=wlan1 network=192.168.0.0
/ip dhcp-client
add add-default-route=yes comment="default configuration" default-route-distance=1 disabled=no interface=ether1-gateway use-peer-dns=yes use-peer-ntp=yes
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=192.dhcp-option="" dns-server="" gateway=192. netmask=24 ntp-server="" wins-server=""
add address=192.comment="default configuration" dhcp-option="" dns-server=192. gateway=192. ntp-server="" wins-server=""
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=""
/ip dns static
add address=192. disabled=no name=router ttl=1d
/ip firewall connection tracking
set enabled=yes generic-timeout=30s icmp-timeout=10s tcp-close-timeout=10s tcp-close-wait-timeout=10s tcp-established-timeout=2m tcp-fin-wait-timeout=10s \
    tcp-last-ack-timeout=10s tcp-syn-received-timeout=5s tcp-syn-sent-timeout=5s tcp-syncookie=no tcp-time-wait-timeout=10s udp-stream-timeout=30s \
    udp-timeout=10s
/ip firewall filter
add action=accept chain=input comment="default configuration" disabled=yes protocol=icmp
add action=accept chain=input comment="default configuration" connection-state=established disabled=yes
add action=accept chain=input comment="default configuration" connection-state=related disabled=yes
add action=drop chain=input comment="default configuration" disabled=yes in-interface=ether1-gateway
add action=accept chain=forward comment="default configuration" connection-state=established disabled=yes
add action=accept chain=forward comment="default configuration" connection-state=related disabled=yes
add action=drop chain=forward comment="default configuration" connection-state=invalid disabled=yes
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid disabled=no
add action=accept chain=input comment="Allow Established connections" connection-state=established disabled=no
add action=accept chain=input comment="Allow ICMP" disabled=no protocol=icmp
add action=accept chain=input disabled=no in-interface=!ether1-gateway src-address=192.
add action=drop chain=input comment="Drop everything else" disabled=no
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="Port scanners to list " disabled=no protocol=\
    tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP FIN Stealth scan" disabled=no protocol=tcp \
    tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/FIN scan" disabled=no protocol=tcp \
    tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="SYN/RST scan" disabled=no protocol=tcp \
    tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="FIN/PSH/URG scan" disabled=no protocol=tcp \
    tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="ALL/ALL scan" disabled=no protocol=tcp \
    tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w chain=input comment="NMAP NULL scan" disabled=no protocol=tcp \
    tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
add action=drop chain=input comment="dropping port scanners" disabled=no src-address-list="port scanners"
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" disabled=no out-interface=ether1-gateway
add action=dst-nat chain=dstnat comment="dst.port 2000-65535 znamena, ze vsetky porty okrem normalnych (80 a pod.) su az po port 2000 defaultne zavrete a az \
    od port 2000 vratane po 65536 su defaultne otvorene" disabled=no dst-address=109.230.59.244 dst-port=2000-65535 protocol=tcp to-addresses=192.\
    to-ports=6114
/ip firewall service-port
set ftp disabled=no ports=21
set tftp disabled=yes ports=69
set irc disabled=yes ports=6667
set h323 disabled=yes
set sip disabled=yes ports=5060,5061 sip-direct-media=yes
set pptp disabled=yes
/ip hotspot service-port
set ftp disabled=no ports=21
/ip neighbor discovery
set ether1-gateway disabled=yes
set ether2-master-local disabled=no
set ether3-slave-local disabled=no
set ether4-slave-local disabled=no
set ether5-slave-local disabled=no
set wlan1 disabled=yes
set bridge-local disabled=no
/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=no enabled=no max-cache-size=unlimited max-client-connections=600 \
    max-fresh-time=3d max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0
/ip service
set telnet address="" disabled=yes port=23
set ftp address="" disabled=yes port=21
set www address="" disabled=yes port=80
set ssh address="" disabled=no port=22
set www-ssl address="" certificate=none disabled=yes port=443
set api address="" disabled=yes port=8728
set winbox address="" disabled=no port=8291
/ip smb
set allow-guests=yes comment=MikrotikSMB domain=MSHOME enabled=no interfaces=all
/ip smb shares
set [ find default=yes ] comment="default share" directory=/pub disabled=no max-sessions=10 name=pub
/ip smb users
set [ find default=yes ] disabled=no name=guest password="" read-only=yes
/ip socks
set connection-idle-timeout=2m enabled=no max-connections=200 port=1080
/ip traffic-flow
set active-flow-timeout=30m cache-entries=4k enabled=no inactive-flow-timeout=15s interfaces=all
/ip upnp
set allow-disable-external-interface=yes enabled=yes show-dummy-rule=yes
/ip upnp interfaces
add disabled=no interface=ether2-master-local type=internal
add disabled=no interface=ether3-slave-local type=internal
add disabled=no interface=wlan1 type=internal
/mpls
set dynamic-label-range=16-1048575 propagate-ttl=yes
/mpls interface
set [ find default=yes ] disabled=no interface=all mpls-mtu=1508
/mpls ldp
set distribute-for-default-route=no enabled=no hop-limit=255 loop-detect=no lsr-id=0.0.0.0 path-vector-limit=255 transport-address=0.0.0.0 \
    use-explicit-null=no
/port firmware
set directory=firmware ignore-directip-modem=no
/ppp aaa
set accounting=yes interim-update=0s use-radius=no
/queue interface
set ether1-gateway queue=only-hardware-queue
set ether2-master-local queue=only-hardware-queue
set ether3-slave-local queue=only-hardware-queue
set ether4-slave-local queue=only-hardware-queue
set ether5-slave-local queue=only-hardware-queue
set wlan1 queue=wireless-default
/radius incoming
set accept=no port=3799
/routing bfd interface
set [ find default=yes ] disabled=no interface=all interval=0.2s min-rx=0.2s multiplier=5
/routing mme
set bidirectional-timeout=2 gateway-class=none gateway-keepalive=1m gateway-selection=no-gateway origination-interval=5s preferred-gateway=0.0.0.0 timeout=\
    1m ttl=50
/routing rip
set distribute-default=never garbage-timer=2m metric-bgp=1 metric-connected=1 metric-default=1 metric-ospf=1 metric-static=1 redistribute-bgp=no \
    redistribute-connected=no redistribute-ospf=no redistribute-static=no routing-table=main timeout-timer=3m update-timer=30s
/snmp
set contact="" enabled=yes engine-id="" location="" trap-community=public trap-generators=start-trap trap-interfaces=ether2-master-local trap-target=\
    192. trap-version=3
/system clock
set time-zone-name=Europe/Bratislava
/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+00:00
/system identity
set name=MikroTik
/system leds
set 0 disabled=no interface=wlan1 leds=wlan-led type=wireless-status
/system logging
set 0 action=memory disabled=no prefix="" topics=info
set 1 action=memory disabled=no prefix="" topics=error
set 2 action=memory disabled=no prefix="" topics=warning
set 3 action=echo disabled=no prefix="" topics=critical
/system note
set note="" show-at-login=yes
/system ntp client
set enabled=yes mode=unicast primary-ntp=193.87.160.18 secondary-ntp=92.240.244.202
/system resource irq
set 0 cpu=auto
set 1 cpu=auto
set 2 cpu=auto
set 3 cpu=auto
/system routerboard settings
set boot-device=nand-if-fail-then-ethernet boot-protocol=bootp cpu-frequency=600MHz force-backup-booter=no silent-boot=no
/system upgrade mirror
set check-interval=1d enabled=no primary-server=0.0.0.0 secondary-server=0.0.0.0 user=""
/system watchdog
set auto-send-supout=no automatic-supout=yes no-ping-delay=5m watch-address=none watchdog-timer=yes
/tool bandwidth-server
set allocate-udp-ports-from=2000 authenticate=yes enabled=yes max-sessions=100
/tool e-mail
set address=74.125.136.108 from=MikroTik password= port=587 starttls=no user=
/tool graphing
set page-refresh=300 store-every=5min
/tool graphing interface
add allow-address=0.0.0.0/0 disabled=no interface=ether1-gateway store-on-disk=no
add allow-address=0.0.0.0/0 disabled=no interface=ether2-master-local store-on-disk=no
add allow-address=0.0.0.0/0 disabled=no interface=ether3-slave-local store-on-disk=no
/tool graphing queue
add allow-address=0.0.0.0/0 allow-target=yes disabled=no store-on-disk=no
add allow-address=0.0.0.0/0 allow-target=yes disabled=no store-on-disk=no
add allow-address=0.0.0.0/0 allow-target=yes disabled=no store-on-disk=no
/tool graphing resource
add allow-address=0.0.0.0/0 disabled=no store-on-disk=no
/tool mac-server
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes interface=all
add disabled=no interface=ether2-master-local
add disabled=no interface=ether3-slave-local
add disabled=no interface=ether4-slave-local
add disabled=no interface=ether5-slave-local
add disabled=no interface=wlan1
add disabled=no interface=bridge-local
/tool mac-server ping
set enabled=yes
/tool sms
set allowed-number="" channel=0 keep-max-sms=0 receive-enabled=no secret=""
/tool sniffer
set file-limit=1000KiB file-name="" filter-direction=any filter-ip-address="" filter-ip-protocol="" filter-mac-address="" filter-mac-protocol="" \
    filter-port="" filter-stream=yes interface=ether2-master-local memory-limit=100KiB memory-scroll=yes only-headers=no streaming-enabled=no \
    streaming-server=0.0.0.0
/tool traffic-generator
set latency-distribution-scale=10 test-id=0
/tool traffic-monitor
add disabled=no interface=ether1-gateway name="TMon - Download" on-event="" threshold=0 traffic=received trigger=above
add disabled=no interface=ether1-gateway name="TMon - Upload" on-event="" threshold=0 traffic=transmitted trigger=above
/user aaa
set accounting=yes default-group=read exclude-groups="" interim-update=0s use-radius=no
[admin@MikroTik] > 

[shiro]

tak som nieco nasiel....
podla tohoto pokecu je to sposobene NATom, ktory samozrejme pouzivam.
https://ispforum.cz/viewtopic.php?f=7&t=16104

Keby som zrusil NAT, tak by sa dalo fungovat si myslim...ten Orange konvertor fici na 192.168.100.xxx sieti, kdezto ja mam 192.168.0.xxx, takze by som si len prestavil IPcky. Akurat potrebujem mat otvorene nejake porty....bude sa to dat spravit aj ked vypnem NAT?

[mp3turbo]

otvorene porty : neviem ako pracuje henta vec, ale chlapci tu nieco hovorili o moznosti zapnut Layer2 mod poziadavkou cez Orange podopu - vtedy by to opticky prevodnik mal naozaj len prehadzovat vidlami na tvoju hromadku cize uplne vsetky porty budes mat otvorene, takisto aj verejnu adresu budes mat na koncovom zariadeni co do neho pripojis (ja to tak mam a nic som neziadal).

Neviem ci to pojde ked vypnes NAT - zrejme ten prevodnik robi NAT sam za seba, skus. Bud to ma DHCP a dostanes adresy 192.168.100.x alebo si nejake naordinuj rucne a skus ci ti pojde internet "napriamo" teda bez Mikrotiku.

Ked vypnes NAT, cez Mikrotik by si teoreticky mohol bezat v bridge mode len potom pozor na firewall pravidla pripadne akukolvek pokrocilu funkcionalitu. Layer2 (bridge, draty natvrdo z jedneho interfejsu na druhy) sa sprava inak ako Layer3 (routovanie a/alebo NAT navyse k tomu).

V kazdom pripade, v linkovanej teme ktoru si nasiel chlapci ficali 300 az 400Mbit cez rovnaky Mikrotik ako mas ty a to by ti stacilo. Podme optimalizovat tvoju konfiguraciu :



a) mas tam verziu 5.26, rozhodne to updatni na aktualnu 6.35.2 predovsetkym kvoli fixom vo funkcionalite

b) na interfejsoch mas MTU=1500 -> nepodporujes jumbo frames. Myslim ze na tychto mydlovych krabickach by to mohlo pomoct.

c) na interfejsoch mas zapnute auto-nego, nemyslim ze by to prinieslo zmenu, ale v CTRL-X safe mode by som to zmenil na 1Gbps

d) cez wireless 250Mbit nedostanes na 2.4GHz frekvencii

e) zakaz vzdialeny pristup na DNS (/ip dns set allow-remote-requests=no) hlavne ked budes ten Mikrotik mat vycapeny von - pozor na Layer2 co spominame hore. Ked vo vnutornej sieti pouzivas Mikrotika ako DNS server, toto samozrejme urobit nemozes. Riesenia : bud pouzijes nejake externe DNS alebo firewallom obmedzis pristup na DNS mikrotiku (z hlavy : /ip firewall filter add chain=input src-address=!192.168.0.0/16 dst-port=53 protocol=any action=drop cize slovensky cokolvek prichadza na router "chain=input" a ide na destination port 53 cize DNS a nejde z adries 192.168.x.x by malo byt trosicku zahodene). Pozor, taketo filtrovacie pravidlo ti samozrejme zase znizuje vykon lebo je to dalsia vec cez ktoru sa SLABULINKE cpu musi prehrabat.

f) v bridge interfejsi (to je slovo!) k ethernetu2 mas prdnutu aj wirelessku. Mno, toto dobrotu nikdy robit nebude. Ja osobne neznasam bridged interfaces, ten Mikrotik tam mas od toho aby robil pokrocily routing a vlastnosti na to naviazane (firewalling, atd). Bridge cely ako taky u mna popiera fyzikalne vlastnosti teplej vody, ale urcite sa najdu nejake pouzitia pre neho.

g) pretaktovat procesor ako zaznelo v tej teme nie je uplne zly napad, ale vyrazne navysenie tym nedosiahnes. Ked pojdes zo 600MHz na 700MHz, dosiahnes maximalne 700/600 = 16% vykonu navyse, co by bolo okolo 20Mbit v IDEALNOM pripade u teba. Tuto riesenie zakopane nie je.

h) mas tam zapnuty traffic-monitor. Tuto cakam vyrazny prepad rychlosti. Vypnut a otestovat.

i) zakazal by som UPNP (/ip upnp interfaces) ale to som zase len ja ktory nema rad automatiku o ktorej nic nevie. Vsetko rucne

j) zakazal by som microsoftacky sharing, /ip smb

k) zakazal by som /ip neighbor discovery pretoze to nepouzivas a nepotrebujes

l) mas tam pusteny nejaky hotspot ? Ak ano a nepotrebujes, samozrejme zakazat.



Nepaci sa mi tvoje druhe NAT pravidlo /ip firewall NAT. Podla toho vypisu (ktory ale vidim ze je ciastocne nekompletny, zeditoval si tam vnutornu 192.x.x.x adresu) je tam pisane ze dst-port=2000-65535 VEREJNEJ IP sa ma redirektnut na JEDEN JEDINY vnutorny port 6144. Tato vec samotna musi zamestnavat CPUcko tak jak nasich politikov kradnutie, teda velice prevelice strasne moc. Ak potrebujes presmerovat jeden jediny port, dal by som tam dst-port=XXXX na ktory sa ti budu pripajat kamošši ; ak potrebujes viacero portov, dal by som aj vnutorny rozsah teda to-ports=2000-65535 ale hovorim toto je vypoctovo strasne narocna varianta.

Osobne by som volil riesenie : NATovat dovnutra presny pocet verejnych portov na vnutorne porty jedna ku jednej, teda napriklad

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.yyy.zzz.bbb dst-port=2100 protocol=tcp to-addresses=192.xxx.yyy.zzz to-ports=2100 {cize, vonkajsi port 2100 prehod na vnutornu adresu 192.xxx.yyy.zzz na ten isty port).

Pokial potrebujes viacero vonku dostupnych sluzieb alebo hier proste portov, vytvoril by som prislusne mnozstvo pravidiel. Ked tych pravidiel bude aj desat, mohli by byt rychlejsie ako jedno "superuniverzalne" ktore mas teraz. Korculujem na tenkom lade, chcelo by to test, z praxe neviem. Proste odhad.

Tvoje prve NATovacie pravidlo teda action=masquerade ti zabezpecuje konektivitu von cez Mikrotik, ked ho vypnes, nebudu ti do Mikrotiku zapojene pocitace chodit na internet.


Save the best for last == teraz firewall rules. Vidim ze tam mas hooooodne slusnu zbierku z nejakeho fora
Co je sranda ? Ze drtivu vacsinu z nich ani nepotrebujes. V principe by som vyhodil vsetko co ma chain=input teda to cim sa snazis chranit Mikrotik router samotny. Mozno by som nechal druhe posledne cize "action=accept chain=input disabled=no in-interface=!ether1-gateway src-address=192.xxxx" slovensky vsetko co prichadza z akehokolvek interfejsu okrem ether1 a pochadza z adries alebo adresy 192... viac nevidime. Tuto mozes mat jednu jedinu konkretnu IP adresu ktoru chces pouzivat na management mikrotika a mozes chciet odstrihnut vsetky ostatne, co je velmi rozumne ak si na nejakej vacsej sieti kde nemas kontrolu nad tym kto je pripojeny ; v domacnosti je to zlahka zbytocne by som povedal (naco si limitujem pristup na router len z jednej IPcky ked mam pod palcom vsetky masiny ktore v tej sieti mozu byt zapojene ? aby sa mi brat neprihlasil ? ach, ved on nevie heslo od linuxu na mikrotiku a tym sme skoncili v realite).

Tieto tri :
add action=drop chain=forward comment="drop invalid connections" connection-state=invalid disabled=no protocol=tcp
add action=accept chain=forward connection-state=established disabled=no
add action=accept chain=forward comment="allow related connections" connection-state=related disabled=no
vidim snad u kazdeho. Vies ich vysvetlit ? Vies co sa stane keby si ich nahodou nemal ? Ak nevies, nepotrebujes ich


Tieto rovno vymaz :
add action=drop chain=tcp comment="deny TFTP" disabled=no dst-port=69 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=111 protocol=tcp
add action=drop chain=tcp comment="deny RPC portmapper" disabled=no dst-port=135 protocol=tcp
add action=drop chain=tcp comment="deny NBT" disabled=no dst-port=137-139 protocol=tcp
add action=drop chain=tcp comment="deny cifs" disabled=no dst-port=445 protocol=tcp
add action=drop chain=tcp comment="deny NFS" disabled=no dst-port=2049 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=12345-12346 protocol=tcp
add action=drop chain=tcp comment="deny NetBus" disabled=no dst-port=20034 protocol=tcp
add action=drop chain=tcp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=tcp
add action=drop chain=tcp comment="deny DHCP" disabled=no dst-port=67-68 protocol=tcp
add action=drop chain=udp comment="deny TFTP" disabled=no dst-port=69 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=111 protocol=udp
add action=drop chain=udp comment="deny PRC portmapper" disabled=no dst-port=135 protocol=udp
add action=drop chain=udp comment="deny NBT" disabled=no dst-port=137-139 protocol=udp
add action=drop chain=udp comment="deny NFS" disabled=no dst-port=2049 protocol=udp
add action=drop chain=udp comment="deny BackOriffice" disabled=no dst-port=3133 protocol=udp
su zbytocne, zvonku nemas spravene NAT aby si sa dostal na tieto vnutorne porty takze ich nie je preco chranit (poznamka : teraz mas vonkajsi port 20034 a 12345 a 12346 presmerovany na vnutorny port 6144 takze tuto ta ochrana naozaj zafunguje, otazka je nakolko je realna lebo na tvojom porte 6144 takmer rozhodne Netbus nebezi). Pred vnutornym utocnikom - napr. bratov zavireny pocitac ktory sa snazi zneuzit slabinu v Microsoft Workstation sluzbe - ta ajtak neochrania lebo cez Mikrotik nejdu, taketo veci idu direkt bez ucasti routra.


Dalej, veselo zahod vsetky tie ICMP chobotiny :
add action=accept chain=icmp comment="echo reply" disabled=no icmp-options=0:0 protocol=icmp
add action=accept chain=icmp comment="net unreachable" disabled=no icmp-options=3:0 protocol=icmp
add action=accept chain=icmp comment="host unreachable" disabled=no icmp-options=3:1 protocol=icmp
add action=accept chain=icmp comment="host unreachable fragmentation required" disabled=no icmp-options=3:4 protocol=icmp
add action=accept chain=icmp comment="allow source quench" disabled=no icmp-options=4:0 protocol=icmp
add action=accept chain=icmp comment="allow echo request" disabled=no icmp-options=8:0 protocol=icmp
add action=accept chain=icmp comment="allow time exceed" disabled=no icmp-options=11:0 protocol=icmp
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp
add action=drop chain=icmp comment="deny all other types" disabled=no
add action=accept chain=icmp disabled=no icmp-options=12:0 protocol=icmp

Posledna sekcia, port scanners. Tie su vcelku fajn, akurat tebe na mikrotiku bezi len SSH a WinBox. Pri domacom pouziti tymito pravidlami skor sposobis viacej cirkusu ako uzitku, aj ked ochrana voci NMAPom na prvy pohlad vyzera uzasna (attacker by odhalil ze ti nieco bezi na porte 6144 a aj ten mozes spristupnit len vybranym verejnym IP adresam kamaratov alebo podla toho co ti tam bezi - mozes ho pouzivat napriklad na vzdialeny management z roboty, neviem co na tom porte mas a nechce sa mi skumat ktora hra tam typicky bezi). Toto iste, obmedzit len na zname povolene adresy comu sa nadava white list, je ucinna metoda aj pre SSH a WinBox sluzby Mikrotiku a je rozhodne rychlejsia ako to co tam mas teraz.

No, mas co robit a daj vediet ci doslo k nejakemu zlepseniu

[shiro]

otvorene porty : neviem ako pracuje henta vec, ale chlapci tu nieco hovorili o moznosti zapnut Layer2 mod poziadavkou cez Orange podopu - vtedy by to opticky prevodnik mal naozaj len prehadzovat vidlami na tvoju hromadku cize uplne vsetky porty budes mat otvorene, takisto aj verejnu adresu budes mat na koncovom zariadeni co do neho pripojis (ja to tak mam a nic som neziadal).

hej o tom viem. momentalne to mam poriesene podla infa od chlapa, co mi orange zapajal - na konvertore je tlacitko, ktorym sa da vypnuti wifi a ze vraj potom sa to chova len cisto ako konvertor - ako keby bol v tom L2 mode. Takze zatial to mam takto. Aj ked to asi nieje cisty L2 mod, pretoze som tusim videl ze WAN IP mikrotiku je 192.168.100.xxx

Neviem ci to pojde ked vypnes NAT - zrejme ten prevodnik robi NAT sam za seba, skus. Bud to ma DHCP a dostanes adresy 192.168.100.x alebo si nejake naordinuj rucne a skus ci ti pojde internet "napriamo" teda bez Mikrotiku.

Podla infa co mam, by to takto malo fungovat. Konvertor poskytuje ipcky 192.168.100.xxx. Otestujem.

b) na interfejsoch mas MTU=1500 -> nepodporujes jumbo frames. Myslim ze na tychto mydlovych krabickach by to mohlo pomoct.

Cize tam nastavit co ja viem 8192 a takisto zapnut jumbo frames+nastavit ich na stejnu hodnotu na sietovke v PC? S tymto som sa este nikdy nehral, akurat viem ze to existuje.

c) na interfejsoch mas zapnute auto-nego, nemyslim ze by to prinieslo zmenu, ale v CTRL-X safe mode by som to zmenil na 1Gbps

Vyjednane je aj tak vsade 1Gbit, co som pozeral, takze to je asi fuk.

d) cez wireless 250Mbit nedostanes na 2.4GHz frekvencii

viem, co som testoval s iPadom Air, ktory ma MIMO, tak wifi bezi na 60-70Mbit.

e) zakaz vzdialeny pristup na DNS (/ip dns set allow-remote-requests=no) hlavne ked budes ten Mikrotik mat vycapeny von - pozor na Layer2 co spominame hore. Ked vo vnutornej sieti pouzivas Mikrotika ako DNS server, toto samozrejme urobit nemozes. Riesenia : bud pouzijes nejake externe DNS alebo firewallom obmedzis pristup na DNS mikrotiku (z hlavy : /ip firewall filter add chain=input src-address=!192.168.0.0/16 dst-port=53 protocol=any action=drop cize slovensky cokolvek prichadza na router "chain=input" a ide na destination port 53 cize DNS a nejde z adries 192.168.x.x by malo byt trosicku zahodene). Pozor, taketo filtrovacie pravidlo ti samozrejme zase znizuje vykon lebo je to dalsia vec cez ktoru sa SLABULINKE cpu musi prehrabat.

V PC mam ako DNS nastavenu IPcku mikrotika, rovnako ako sa kedatede bezne nastavuju PCcka, aj ked mas DSL router s NATom, tam tiez davas do brany aj DNS IPcku routera....no on vie fungovat aj ako nejake ine DNS ci ako to povedat....takze pouzivam mikrotik ako DNS alebo nie?

f) v bridge interfejsi (to je slovo!) k ethernetu2 mas prdnutu aj wirelessku. Mno, toto dobrotu nikdy robit nebude. Ja osobne neznasam bridged interfaces, ten Mikrotik tam mas od toho aby robil pokrocily routing a vlastnosti na to naviazane (firewalling, atd). Bridge cely ako taky u mna popiera fyzikalne vlastnosti teplej vody, ale urcite sa najdu nejake pouzitia pre neho.

Pravda, ten bridge nechapem, odkedy router mam. Predosly RB751 ho tusim nemal....ale ten nemal ani wifi. Co viem, tak ten bridge je tam na to aby prepajal wifinu s interfacmi ci volaco take. Pokial ho odstranim, nedostanem sa ani do winboxu cez IPcku, jedine cez MAC routra.

g) pretaktovat procesor ako zaznelo v tej teme nie je uplne zly napad, ale vyrazne navysenie tym nedosiahnes. Ked pojdes zo 600MHz na 700MHz, dosiahnes maximalne 700/600 = 16% vykonu navyse, co by bolo okolo 20Mbit v IDEALNOM pripade u teba. Tuto riesenie zakopane nie je.

O tom som ani nerozmyslal, aj ked to mozne je, pochybujem ze ten router je na to nejak HW robeny a nechcem ostat X dni bez netu ak by sa daco stalo.

h) mas tam zapnuty traffic-monitor. Tuto cakam vyrazny prepad rychlosti. Vypnut a otestovat.

To mam kvoli logovaniu prenesenych dat cez SNMP do programu Networx v PC. Ale testnem.

j) zakazal by som microsoftacky sharing, /ip smb

sharing potom obstaraju windowsy v LAN? ci na co je to dobre v mikrotiku? ked si chcem do LAN nasharovat kluc v usb porte v mikrotiku?

l) mas tam pusteny nejaky hotspot ? Ak ano a nepotrebujes, samozrejme zakazat.

neviem ze by som mal...kde to najdem nech mozem ceknut?

Nepaci sa mi tvoje druhe NAT pravidlo /ip firewall NAT. Podla toho vypisu (ktory ale vidim ze je ciastocne nekompletny, zeditoval si tam vnutornu 192.x.x.x adresu) je tam pisane ze dst-port=2000-65535 VEREJNEJ IP sa ma redirektnut na JEDEN JEDINY vnutorny port 6144. Tato vec samotna musi zamestnavat CPUcko tak jak nasich politikov kradnutie, teda velice prevelice strasne moc. Ak potrebujes presmerovat jeden jediny port, dal by som tam dst-port=XXXX na ktory sa ti budu pripajat kamošši ; ak potrebujes viacero portov, dal by som aj vnutorny rozsah teda to-ports=2000-65535 ale hovorim toto je vypoctovo strasne narocna varianta.

Osobne by som volil riesenie : NATovat dovnutra presny pocet verejnych portov na vnutorne porty jedna ku jednej, teda napriklad

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.yyy.zzz.bbb dst-port=2100 protocol=tcp to-addresses=192.xxx.yyy.zzz to-ports=2100 {cize, vonkajsi port 2100 prehod na vnutornu adresu 192.xxx.yyy.zzz na ten isty port).

Pokial potrebujes viacero vonku dostupnych sluzieb alebo hier proste portov, vytvoril by som prislusne mnozstvo pravidiel. Ked tych pravidiel bude aj desat, mohli by byt rychlejsie ako jedno "superuniverzalne" ktore mas teraz. Korculujem na tenkom lade, chcelo by to test, z praxe neviem. Proste odhad.

Port 6114 mam na torrenty, emule a podobne veci. Cize staci mi tento jeden.
Cize ked pouzijem to tvoje pravidlo co si napisal, co mam dat do "dst-address=xxx.yyy.zzz.bbb" ?
V tychto console veciach niesom moc zbehly. NATovanie nastavujem tiez tak 1x za rok, ked kamosi potrebuju, tak to furt zabudnem
Ved ked budem potrebovat otvorit porty na starcraft alebo co, tak postup je stejny, akurat zmenim cislo portu. IPcky pocitacov doma mam staticke, akurat tablet a priatelkin ntb bezia cez wifi a dostavaju IPcky z DHCP poolu pre wifi.

Save the best for last == teraz firewall rules. Vidim ze tam mas hooooodne slusnu zbierku z nejakeho fora

Ano, z viacerych, vratane mikrotik.com
Ak vravis ze tie pravidla netreba, tak ich odfajcim, aj ked je to vlastne fuk, kedze nesposobuju prepad vykonu...ale bude tam aspon cistejsie

No, mas co robit a daj vediet ci doslo k nejakemu zlepseniu

Dik za vycerpavajuce info, otestujem a dam vediet

[Odar]

momentalne to mam poriesene podla infa od chlapa, co mi orange zapajal - na konvertore je tlacitko, ktorym sa da vypnuti wifi a ze vraj potom sa to chova len cisto ako konvertor - ako keby bol v tom L2 mode

To je hlupost. Vsak tam bezi stale DHCP server, konvertor bezi na svojej sieti (192.168.100.1), potom ti to lezie do MikroTik-u a ten ma dalsi DHCP server, kde si to premrvi na svoju siet (192.168.88.1). L2 mod ti prepnu behom par minut aj cez vikend. Staci zavolat na infolinku. Akurat ta upozornia, ze nerucia za funkcnost a bla bla bla. Riesil som to u rodicov. Z principu sa mi riesenie 2 x DHCP server nepacilo. Mohol som vypnut DHCP na MikroTik-u, nechat pridelovat IPcky Huaweju. To sa mi ale nezdalo vyhodnejsie z vykonoveho hladiska.

[shiro]

hej viem, pretoze mikrotik dostane WAN IP 192.168.100.xxx, cize je to uz preNATovane.
huawei s tym problem nema, ten da tych 250Mbit +-, mikrotik robi blbiny. Akurat neviem ci nejak vadi ked do mikrotiku uz pride preNATovana IPcka, alebo nie.

[mp3turbo]

Mikrotiku ani ziadne ine zariadenie nevie ci IPcka ktoru dostali od nadradenej infrastruktury je NATovana alebo nie. Ani to nie je dolezite pre ich pracu.

Vzdy pred akoukolvek zmenou cez SSH sa nauc zapnut Safe Mode, proste stlacis CTRL-X a je to. Ak sa volaco poje...kazi, tak sa ti tato zmena sama automaticky vrati naspat. Jednoduche, krasne, zachranilo mi to krk zoparkrat. Proste opičí hmat, idem robit akukolvek zmenu, CTRL-X. Netrva to dlho. Ak je vsetko OK po zmene, CTRL-X znovu a zmena sa zapise natrvalo.



Podme postupne :



>> Cize tam nastavit co ja viem 8192 a takisto zapnut jumbo frames+nastavit ich na stejnu hodnotu na sietovke v PC?
>> S tymto som sa este nikdy nehral, akurat viem ze to existuje

yes. Na Ethernet porte ktory je nasmerovany na Orange konverter nastav MTU=8000 a takisto doporucujem aj na Ethernete do ktoreho zapajas dratom pocitac/notebook. Takisto treba aj vo Windowse skontrolovat nastavenia sietovky aby pouzivala Jumbo Frames. Niekde je to automaticke, niekde nie, proste checknut a zmenit.





>> Vyjednane je aj tak vsade 1Gbit, co som pozeral, takze to je asi fuk.

takychto fukov ja vidim denne desat. Keby to bolo naozaj fuk, nehovoril by som ti to (typicky Intel sietovky proti Cisco zariadeniam, tam by som niekoho strielal). Zmen to z auto-nego na fixne nastavenie. CTRL-X aj ked sa tam nema co pokazit. Bacha ked ten router ponesies niekde inde, gigabit natvrdo sa samozrejme na 100Mbit nechyti. Skus ci nastane zmena v priepustnosti - ak nie (co ocakavam), tak to vrat naspat na auto-nego ako je to teraz. Dve minuty na otestovanie.




>> V PC mam ako DNS nastavenu IPcku mikrotika, rovnako ako sa kedatede bezne nastavuju PCcka, aj ked mas DSL router s NATom,
>> tam tiez davas do brany aj DNS IPcku routera....no on vie fungovat aj ako nejake ine DNS ci ako to povedat....takze pouzivam
>> mikrotik ako DNS alebo nie?

pouzivas. Lenze ked si zapnes L2 mod na konverteri, bude mat Mikrotik verejnu adresu a celosvetovo verejne [!!!!!!!!] dostupny DNS server. You have been warned. Takze doporucujem vypnut DNS na mikrotiku a nastavit cez DHCP nejaky verejny, napriklad ten co mas od providera (pozres aky to je priamo na Mikrotiku) pripadne googlacke 8.8.8.8 a 8.8.7.7 ci kolko to maju. Alternativa by bola firewallovym pravidlom povolit pristup na Mikrotikacke DNS len vnutornym IPckam, to ta ale zase obera o stipku vykonu co neprilis chceme v tejto situacii.



>> Pravda, ten bridge nechapem, odkedy router mam. Predosly RB751 ho tusim nemal....ale ten nemal ani wifi. Co viem, tak ten
>> bridge je tam na to aby prepajal wifinu s interfacmi ci volaco take. Pokial ho odstranim, nedostanem sa ani do winboxu cez IPcku,
>> jedine cez MAC routra.

musel by si ist na IP adresu interfejsu na ktory sa pripajas. Kedze nemas ziadnu IP adresu nastavenu na ziadny interface (ether1, ether2...) nemas sa kde pripojit == zostava ti len MAC adresa. Jasnacka. Ja by som to spravil takto :

/ip address add address=1.1.1.1/24 interface=ether1
/ip address add address=2.2.2.2/24 interface=ether2

cim si na ether1 naprdis adresu 1.1.1.1 a z hociakej 1.1.1.x sa potom mozes kablom na ether1 pripojit na mikrotik. winbox, ssh, vsetko bude chodit. To iste ether2 s 2.2.2.2 ; upozornenie : touto definiciou si odrezes vsetky 1.1.1.x adresy na verejnom internete (poznamka : nic na nich nebezi) alebo vsetky adresy 2.2.2.x na internete - neviem co tam bezi, rozhodne viem ze tam nechodis






>> zakazal by som microsoftacky sharing, /ip smb
>> sharing potom obstaraju windowsy v LAN? ci na co je to dobre v mikrotiku? ked si chcem do LAN nasharovat kluc v usb porte v
>> mikrotiku?

ak chces sharovat USB z mikrotika tak to samozrejme zakazat nemozes. Tymto nastavenim ovplyvnis iba Mikrotik samotny, so sharovanim na sieti to nema absolutne nic spolocne. Myslel som ze to nepouzivas tak mi prislo zbytocne mat to povolene, otvarat potencialne security issue a zlahka stracat pamat a CPU vykon. Zakaz, otestuj, bude to bez zmeny, povol naspat. Jednoduche.

CTRL-X. Aj tuto. Bez debaty. Ano, vobec ho nie je treba.





> mas tam pusteny nejaky hotspot ? Ak ano a nepotrebujes, samozrejme zakazat.
>> neviem ze by som mal...kde to najdem nech mozem ceknut?

co to bolo, /ip hotspot tusim... pardon, toto si nepamatam presne.



>> Port 6114 mam na torrenty, emule a podobne veci. Cize staci mi tento jeden

takze by som vyhodil to "sirokospektralne antibiotikum" co tam mas teraz cize pravidlo s portami 2000-65535, a napisal by som tam:

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.yyy.zzz.bbb dst-port=6144 protocol=tcp to-addresses=192.xxx.yyy.zzz to-ports=6144

cize vonkajsi port 6144 prehod na vnutornu adresu 192.xxx.yyy.zzz na ten isty port.




>> Ved ked budem potrebovat otvorit porty na starcraft alebo co, tak postup je stejny, akurat zmenim cislo portu.

presne tak

/ip firewall nat add action=dst-nat chain=dstnat dst-address=xxx.yyy.zzz.bbb dst-port=6145 protocol=tcp to-addresses=192.xxx.yyy.zzz to-ports=6145

cize vonkajsiu 6145ku vyprdni dovnutra na konkretny pocitac na port 6145






>> Ak vravis ze tie pravidla netreba, tak ich odfajcim, aj ked je to vlastne fuk, kedze nesposobuju prepad vykonu...

keby nesposobovali, tak by som ti to asi neradil vyskusaj ich zo srandy vyhodit, posudis zmenu vykonu. Ved pridat ich naspat mozes hocikedy. Ale hovorim, predovsetkym su zbytocne pretoze sa nemozu uplatnit takze jedina vec co robia je ze ta okradaju o vykon.


Pri testovani priepustnosti este varovanie : to ze mikrotik dokaze ist XYZ Mbit/s neznamena ani zdaleka ze na dsl.sk alebo speedmetri.sk uvidis XYZ. Kludne tam moze byt o 30% menej. Navrhujem aby si si vzdy prenosovu rychlost otestoval aj napriklad stahovanim nejakeho fajliku z nejakeho rychleho servera, kde doporucujem napriklad:

ftp.antik.sk cojaviem /debian-cd/8.4.0/amd64/iso-cd a hociktory z tych ISO suborov
alebo nieco co je obesene na Benestre a podobne.

Pri tychto testoch samozrejme nevies ci ti ostatne pripojene pocitace nieco z vykonu nezeru, takze na mikrotiku :

/interface monitor ether1, ether2, ..., ether9 [sakra som zabudol kde mas pripojeny konverter Orange]
pozor, uz len to ze su klienti pripojeni na radiu obera Mikrotik o extremne cenne CPU cykly, cize doporucujem testovat bez pripojenych ostatnych kompjutrov. Nemalo by to zmenit vysledok nejako dramaticky, ale 10Mbit tu a tam a hentam... a ked COKOLVEK ladujes cez radio, je ten pokles este znatelnejsi.

Tak sa pochval ako ides 250 naplno my to dame.

[shiro]

Tak som sa s tym pohral.

To crtl+X neviem ci funguje iba ako klav. skratka....tlacitko vo winboxe nemeni svoj stav, tak neviem ci mam zapnute alebo nie.
Pri kliknuti mysou vsetko ok.

Upgradnuty RouterOS cez okno QuickSet na najnovsi 6.35.2
Po upgrate RouterOS mi zmizol bridge z interfejsov. vsimol som si ze v okne QuickSet pribudla moznost nast. rezimu Mikrotiku ako router ci bridge, asi kvoli tomuto. Mam ho ako Router samozrejme.

Skusal som to autonego, pri jeho vypnuti a nast. natvrdo na 1Gbit mi spadne connect, odsekne mi siet, vyp/zap sietovky vo windows nepomaha. asi sa to nema rado s mojou sietovkou, netusim. Nastastie som to nenastavil na vsetkych interfacoch, tak som len prepojil kable a zmenil to nazad

Vyhadzal som veci z firewall rules.

Vypol som SNMP a traffic monitor. No ich opatovne zapnutie nema vplyv na zataz CPU alebo rychlost.

Vysledok je, ze cez speedtest.net bezim na 230-250Mbit downloadu, CPU vytazene na 80-90% - daco sa tam muselo stat. Firewall stale zerie tak polovicu CPU, no myslim ze to asi najviac ovplyvnil novy RouterOS.
Skusal som aj FTP Antiku, sice som nedal plne gule, lebo to tam skackalo, no v jednu chvilu to vybehlo na asi 21Mbyte cisteho downloadu.

Diky za rady a tipy

[mp3turbo]

enjoy !

Podla mna to najviac ovplyvnilo vyhadzanie zbytocnych firewall pravidiel.

[shiro]

Je nejaky rozdiel medzi ich deaktivovanim a uplnym vyhodenim z toho zoznamu?

[mp3turbo]

je, maly ale je.

Pri tejto prenosovej rychlosti to mozno nezbadas, pri vacsich cislach sa to prejavi. Na silnejsej platforme (napriklad x86) by ten vplyv bol samozrejme daleko mensi ako na tvojej mydlovej krabicke, avsak zase drzat 100 zakazanych pravidiel je tiez blbost.

[shiro]

Moze byt.
aj ked podla logiky, ked to clovek deaktivuje, tak by sa router nemal o ne vobec zaujimat = ziadna zataz navyse.
Ktovie, porobil som tam viac veci naraz, takze teraz tazko povedat co to presne robilo.

Napr. som este neriesil ten L2 mod orange konvertora, nenastavil som ani jumbo frames.
Hotspot mam vypnuty, v okne ip-hotspot to nieje zaciarknute.

[PetoBB]

Ahojte, som tu nováčik, tak ma berte s rezervou.

Mám Mikrotik RB951G-2HnD, s ktorým mám problémy pri Wifi. nechcel som zakladať novú tému, tak to napíšem sem. Router je zapojený na Orange Fibernet cez konvertor Huawei HG8240, rýchlost netu mám 250/100Mbit.

Problém spočíva v nestabilite Wifi, konkrétne v rapídnom náraste pingu z obvyklých 30ms na 300 až 500ms a k poklesu rýchlosti z obvyklých 50 Mbit/s na 0,5 Mbit/s download a 2 Mbit/s upload.

Skúšal som rôzne verzie RouterOS (aktuálne mám v6.37), rôzne konfigurácie wifi interface. Nemení sa nič. Ak sa problém objaví, nepomôže reboot, ani zmena konfigurácie. Prišiel som však na to, že sa router pomerne hreje. WinBox však ukazuje max 5% zaťaženie CPU, takže tam problém nebude. Ak však router odpojím na niekoľko minút od napájania a znovu ho zapojím, tak ide zas nejaký čas normálne. Záver je teda asi taký, že sa v ňom niečo prehrieva. Mal niekto podobný problém? Router je z Alzy, má ešte asi pol roka záruku, avšak nie som si istý, či ho budú v prípade RMA testovať v podobnej prevádzke, ako ja. Ten problém sa totiž objaví nepravidelne, niekedy po hodine, niekedy až na druhý deň.

Pre istotu sem dám aj nastavenie, ale ako som písal, nemá to zrejme žiadny vplyv. Takmer celý čas od kúpy MT som používal jeden config.

[admin@MikroTik] > interface wireless print detail
Flags: X - disabled, R - running
0 R name="wlan1" mtu=1500 l2mtu=1600 mac-address=4C:5E:0C:D5:31:87 arp=enabled interface-type=Atheros AR9300
mode=ap-bridge ssid="WIFI_JS" frequency=2447 band=2ghz-b/g/n channel-width=20/40mhz-Ce scan-list=default
wireless-protocol=802.11 vlan-mode=no-tag vlan-id=1 wds-mode=disabled wds-default-bridge=none
wds-ignore-ssid=no bridge-mode=enabled default-authentication=yes default-forwarding=yes default-ap-tx-limit=0
default-client-tx-limit=0 hide-ssid=no security-profile=default compression=no

Ďakujem vopred za každú radu