Hi there
Is there any way to do source address based routing in the MikroTik?
The idea is to route only local 44 net traffic to the tunnel, and to route other address spaces that live on the network directly to the internet.
If yes (I'm almost sure MikroTik can do it), how?
What is the command syntax?
Thanks in advance,
Ronen - 4Z4ZQ
http://www.ronen.org
Ronen Pinchooks (4Z4ZQ) WebSite <http://www.ronen.org/>
Hello,
I just updated the gateway setup scripts for MikroTik routers to make the system more robust.
It now consists of 2 scripts:
- the parent script (update_amprgw), which is scheduled every 5 minutes, 1 minute past the RIP announcement
- the actual update script (ampr_gw), which is called from the parent script
The parent script will:
- prevent run overlaps
- after 3 unsuccessful schedules, consider the update script failed and force a run
- prevent tunnel updates if fewer than 100 RIPv2 routes are available
The scripts and schedule entry are in MikroTik export format.
The file can be copied to the router and loaded using the import command, or the content can be copy/pasted into the console.
After this step, edit your config in the ampr_gw script under System -> Scripts and enable the scheduler entry (disabled by default).
Download from:
http://www.yo2loj.ro/hamprojects/ampr-gw-1.5.rsc
http://yo2tm.ampr.org/hamprojects/ampr-gw-1.5.rsc
Have fun,
Marius, YO2LOJ
> On 04/09/2016 05:59 PM, R P <ronenp(a)hotmail.com> wrote to the AMPRNet working group <44net(a)hamradio.ucsd.edu>, Subject: Re: [44net] Tunnel to UCSD refuse to work on my mikrotik:
> Now i have to put the other routes to the other 44 Net Gateways
> I have to find the syntax because i did it in the web interface
You have to use that python program; it is not practical to do this (and keep doing this) manually.
But I already told you to use /export to get the config which also explains how you could
do it manually.
Rob
> marius already did all the legwork and wrote scripts that do this on the
> Mikrotik.
It requires a more powerful MikroTik than he has.
I looked a bit at the solution of running a virtual Linux system on the MikroTik but I
can't find a reasonably current ready-made Linux image (the one on the site is dated 2010) and
I don't think I will setup a cross-compilation environment just for this pointless experiment.
(I use a Pi when I need things like that)
Also, lately MikroTik have been reducing Flash memory size in their smallest models, making
it difficult to impossible to run arbitrary (non-RouterOS) virtual machines on them.
(my RB2011 has 128MB Flash, the smaller boxes used to have 64MB, but now the smallest boxes
have 16MB Flash. Clearly cost cutting is important to sell a router for $39 or less.)
Rob
> changed the ip route 0.0.0.0 to point to the UCSD interface (to tunnel outgoing traffic of my 44 net to the tunnel )
Did you first add a route to 169.228.66.251 via the gateway that was used for 0.0.0.0/0 before?
There must be some way to reach the tunnel interface outside of your 0.0.0.0/0 route!
(or else you build an encapsulation loop)
It is easier to start with routing only 44.0.0.0/8 to the tunnel interface.
> If it matters, the OS version is 6.29.1
> and system firmware 3.24
Why not update it to the current version?
It can be done at the click of a button, no separate maintenance contract required as with Cisco.
> Is there any command that i can grab the configuration of the router (like in Cisco the command "Show running config" ) ?
/export
You can also do:
/export file=myrouter
Then download myrouter.rsc from "Files" and delete it.
You can then examine the file using a text editor, e.g. "wordpad".
Rob
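The routing part of Rob's advice, written out as an added example in RouterOS v6 command syntax (this is not Rob's, Marius's or Ronen's configuration). It also carries the idea one step further to the source-address based variant Ronen asked about at the top of the page, which the thread itself does not answer. Values taken from the thread: WAN address 10.0.0.180, amprgw endpoint 169.228.66.251, LAN gateway address 44.138.1.1. Assumed for illustration: the ISP router is 10.0.0.138, the LAN interface is called bridge-local, the local subnet is 44.138.1.0/24, and the routing mark is named via-ucsd.

```routeros
# Added example, not the poster's configuration. RouterOS v6 syntax.
# From the thread: 10.0.0.180 (WAN), 169.228.66.251 (amprgw), 44.138.1.1 (LAN).
# Assumed: 10.0.0.138 = ISP router, bridge-local = LAN interface,
#          44.138.1.0/24 = local subnet, via-ucsd = routing mark name.

/interface ipip
add name=UCSD local-address=10.0.0.180 remote-address=169.228.66.251 \
    disabled=no comment="IPIP tunnel to amprgw at UCSD"

/ip address
add address=44.138.1.1/24 interface=bridge-local comment="local AMPRNet subnet"

/ip route
# 1. Host route to the tunnel endpoint via the ISP. This must exist before
#    any route points into UCSD: the encapsulated packets are sent to
#    169.228.66.251 by the router itself, and if that address is reachable
#    only through the tunnel they get encapsulated again (encapsulation loop).
add dst-address=169.228.66.251/32 gateway=10.0.0.138 \
    comment="amprgw endpoint: always via ISP, never via the tunnel"
# 2. The normal default route stays on the ISP, so non-44 traffic is unaffected.
add dst-address=0.0.0.0/0 gateway=10.0.0.138
# 3. Destination based (Rob's suggestion): only 44/8 goes into the tunnel.
#    For a point-to-point tunnel the gateway is the interface name.
add dst-address=44.0.0.0/8 gateway=UCSD \
    comment="AMPRNet via UCSD; per-gateway routes are added by the RIP/script later"

# Source based variant (Ronen's question): packets *from* the 44 subnet use
# a second routing table whose default route is the tunnel; everything else
# keeps using the main table. Packets the router generates itself (the outer
# IPIP packets) are not marked in prerouting, so they still follow the host
# route above. In RouterOS v6 a marked table that has no matching route
# falls back to the main table.
/ip firewall mangle
add chain=prerouting src-address=44.138.1.0/24 action=mark-routing \
    new-routing-mark=via-ucsd passthrough=no comment="44-sourced traffic"
/ip route
add dst-address=0.0.0.0/0 gateway=UCSD routing-mark=via-ucsd \
    comment="default for 44-sourced traffic: via amprgw"

# Checks: the host route must be active (flag A) with the ISP as gateway, and a
# traceroute sourced from the 44 address must leave through the tunnel.
/ip route print where dst-address=169.228.66.251/32
/tool traceroute 44.0.0.1 src-address=44.138.1.1
/export file=myrouter
```

The order of the three `/ip route add` lines is the whole point: with the host route in place you can later even move the default route into the tunnel without creating the loop Rob warns about, because the router's own packets to 169.228.66.251 always take the more specific /32.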
Hi group
The tunnel traffic from the MikroTik refuses to work.
I have done the following:
Gave the WAN (called ether1-gateway) the IP of the outside, in my case 10.0.0.180 (it connects to the ISP router's DMZ zone)
Gave the LAN the gateway 44 IP, in my case 44.138.1.1
Unchecked the NAT option
Created a tunnel interface (called UCSD) with IPIP, source address 10.0.0.180 and destination address the amprgw at UCSD
Changed the IP route 0.0.0.0 to point to the UCSD interface (to tunnel the outgoing traffic of my 44 net through the tunnel)
The same config exists and works on the Cisco here (I have disconnected it and plugged in the MikroTik instead).
I see that the tunnel interface receives and sends data, but I have no connectivity.
When I look at the firewall connections tab I see the incoming DNS attacks to what used to be the MikroTik address when it was connected to the 44 net a few days ago, so it looks like incoming traffic works OK from the UCSD tunnel side.
I disabled all firewall rules (the ones that came with the router out of the box) and there was no change.
When I do a traceroute from the router it stops at the 10.0.0.180 IP and does not go any further.
What am I doing wrong?
The same setup works on the Cisco.
If it matters, the OS version is 6.29.1
and the system firmware 3.24
Any help would be more than appreciated.
Is there any command with which I can grab the configuration of the router (like the command "show running-config" in Cisco)?
Regards
Ronen - 4Z4ZQ
http://www.ronen.org
> On 04/08/2016 08:50 PM, R P <ronenp(a)hotmail.com> wrote to the AMPRNet working group <44net(a)hamradio.ucsd.edu>, Subject: Re: [44net] firewall rules at AMPR.ORG router ?:
> And while we are at explaining: what is the forward chain? In and out I can understand, but forward?
> Also there are a lot of commands in the action field that I don't understand besides reject, drop and accept.
> Where can I find a description?
I forgot to mention this in yesterday's reply:
In the "iptables" firewall, "forward" is the path that packets take through a router.
It does not work as in a Cisco, where "forward" is just "input" followed by "output".
"input" and "output" refer to traffic to/from the router itself, like the management interface and the processing
of packets by the router e.g. for a tunnel that it has to encapsulate/decapsulate, but when packets are
just routed they only pass through the "forward" table and not the "input" and "output" table.
This can also be seen in the diagram that Marius posted.
The actions in the entry can do other things than accepting/rejecting, e.g. logging the packet.
Also a nice action that is notably missing from Cisco access lists is "jump".
You can make your own table and put some rules in it that are required only for one interface or in one
particular situation, then in the normal input (or forward) table you can match on that interface or situation
and jump to your custom table.
That way you do not need to put all rules in one long input table, and you can improve clarity and performance.
For example, in an IPIP router you have rules you want to apply to the external interface, and rules you want
to apply to the tunnel interface (which receives traffic for 44 addresses). You can put these in a separate table
and make it easier to manage.
Rob
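An added example of the chain splitting Rob describes, in RouterOS v6 firewall filter syntax (this is not Rob's or Marius's configuration, and it is not the router's default rule set). Assumed interface names: ether1 for the internet port, UCSD for the IPIP tunnel, bridge-local for the LAN. The address 44.138.1.10 and the ports in the from-ampr chain are placeholders for whatever you actually want to offer to AMPRNet; the UDP/53 drop shows a rule that belongs only to the tunnel interface.

```routeros
# Added example: per-interface chains reached via action=jump (RouterOS v6).
# Assumed names: ether1 = internet port, UCSD = IPIP tunnel, bridge-local = LAN.
# 44.138.1.10 and the ports 22,80 are placeholders.

/ip firewall filter
# --- forward: transit traffic only, dispatched by ingress interface ---
add chain=forward connection-state=established,related action=accept \
    comment="part of a tracked connection, whichever side opened it"
add chain=forward in-interface=bridge-local action=accept \
    comment="the LAN may open connections towards internet and AMPRNet"
add chain=forward in-interface=ether1 action=jump jump-target=from-internet
add chain=forward in-interface=UCSD action=jump jump-target=from-ampr
add chain=forward action=drop \
    comment="not accepted by a per-interface chain: drop"

# --- from-internet: only new connections get here (see first rule) ---
add chain=from-internet action=log log-prefix="inet-new: " limit=5/1m,5:packet
add chain=from-internet action=return \
    comment="nothing accepted here; return to forward and hit the drop"

# --- from-ampr: decapsulated packets that arrived through the tunnel ---
add chain=from-ampr protocol=udp dst-port=53 action=drop \
    comment="unsolicited DNS towards the 44 subnet (the flood seen on the tunnel)"
add chain=from-ampr protocol=icmp action=accept \
    comment="keep ping and traceroute working from AMPRNet"
add chain=from-ampr protocol=tcp dst-address=44.138.1.10 dst-port=22,80 \
    action=accept comment="placeholder: services deliberately offered to AMPRNet"
add chain=from-ampr action=log log-prefix="ampr-new: " limit=5/1m,5:packet
add chain=from-ampr action=return comment="back to forward, which drops"

# 'add' appends to the end of a chain. To reorder:
#   /ip firewall filter move <number> destination=<number>
# To see which rule the packets actually hit:
#   /ip firewall filter print stats
```

Because the established,related accept sits at the top of forward, the two custom chains only ever see the first packet of a connection; that is what keeps them short, and it is why a rule there can simply say "drop" or "accept" without worrying about reply traffic.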
> Some of the verbs, such as established, sound familiar from the days I used to work with Cisco access lists and Checkpoint firewalls.
> The new commands weren't known to me.
The firewall filters in a MikroTik (and on Linux in general) are far more advanced than the simple
access lists in a Cisco router.
On a Cisco router you generally just have static rules that allow e.g. traffic incoming on some ports.
(there are some exceptions, e.g. "reflexive" access lists)
On a MikroTik or Linux system there is a table of open connections (you can see it on a separate tab in
the MikroTik router), and you can easily allow all traffic belonging to existing open connections.
This means you don't need to do anything to allow replies to outgoing connections, other than having
a rule that allows "established, related" in all directions and a rule that allows "new" in outgoing
direction. (or just a rule that allows everything in outgoing direction)
To allow some things in incoming direction (e.g. outside access to your IPIP tunnel), you need only to
allow some new traffic matching a certain pattern. Once the connection completes, it will be in the
connection table and again it will be matched by the "established, related" rule that you normally put
at the top so it will be matched first.
The checkpoint firewall of course also offers such features.
In the default configuration, the MikroTik is delivered with some rules that allow "established, related",
block other traffic incoming on ether1 (normally the internet port), and allow everything else.
I don't like that, because once you add a new interface that is facing outside (like a tunnel), the default
will be to allow new connections and thus it is possible to exploit the services on the router.
Therefore I always replace such settings by a rule that allows "established, related", then one or more rules
that allow "new" only from interfaces that I know are on the inside (trusted) side, then a rule that
drops everything. So, a new interface is always by default untrusted until a new rule is added.
Make sure that when you modify the firewall you always do it in such a sequence that you do not lock yourself
out because you added the "drop" rule before the correct "accept" rules, for example.
A way to avoid that is to click the "safe mode" button in the menu on the left, then make all your changes
to the firewall and check that you can still navigate around the user interface (open the quick start page,
for example) and when everything is OK click the "safe mode" button again so it pops back out.
When you lose connectivity to the router while the safe mode is active, all changes you made after
clicking it will be rolled back and you will have access again! When you reset safe mode, the changes
are committed and you can logoff without losing them.
(note that there is no separate "running" config and "saved" config, everything you change is always saved
immediately. so a mistake cannot be corrected by power-cycling the router, as with a Cisco)
Rob
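The input-chain policy Rob describes (accept established/related, accept new only from trusted interfaces, drop the rest), as an added example in RouterOS v6 syntax. It is not Rob's configuration and not the factory default. Assumed names: bridge-local for the trusted LAN, ether1 for the ISP port, UCSD for the IPIP tunnel. 169.228.66.251 is the amprgw endpoint mentioned in the thread; the RIPv2 rule assumes the announcements arrive inside the tunnel, as Marius's scripts expect.

```routeros
# Added example: input chain (traffic to the router itself), RouterOS v6.
# Assumed names: bridge-local = trusted LAN, ether1 = ISP port, UCSD = tunnel.
# 169.228.66.251 = amprgw endpoint (from the thread).

# Take safe mode first (the button in WebFig/WinBox, or Ctrl-X in the terminal):
# if a rule locks you out, the session drops and the changes are rolled back.

/ip firewall address-list
add list=ipip-peers address=169.228.66.251 \
    comment="amprgw; add the endpoints of other tunnels here, not in the rule"

/ip firewall filter
add chain=input connection-state=established,related action=accept \
    comment="replies and related packets for connections the router opened"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=bridge-local connection-state=new action=accept \
    comment="management (WebFig, WinBox, SSH) only from the trusted LAN"
add chain=input in-interface=ether1 protocol=ipip src-address-list=ipip-peers \
    action=accept comment="outer IPIP packets are addressed to the router, so they pass input"
add chain=input in-interface=UCSD protocol=icmp action=accept \
    comment="let AMPRNet ping the router's 44 address"
add chain=input in-interface=UCSD protocol=udp dst-port=520 action=accept \
    comment="RIPv2 announcements from amprgw (assumed to arrive inside the tunnel)"
add chain=input action=drop \
    comment="default deny: a new interface is untrusted until a rule above allows it"

# 'add' appends, so check the order before leaving safe mode:
/ip firewall filter print where chain=input
# then open a page of the web interface from the LAN; only when that still
# works, release safe mode so the changes are committed.
```

The IPIP accept is the one rule that is easy to get wrong: the encapsulated packets from amprgw are addressed to 10.0.0.180 and therefore go through input, not forward. If that rule is missing the tunnel interface shows nothing received, while everything else on the router still works.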
> On 04/08/2016 08:50 PM, R P <ronenp(a)hotmail.com> wrote to the AMPRNet working group <44net(a)hamradio.ucsd.edu>, Subject: Re: [44net] firewall rules at AMPR.ORG router ?:
> Dear Rob
> Thank you for the brief explanation.
> Yes, the syntax of the MikroTik is totally different from what I am used to.
> Also the MikroTik is not popular here; I had a hard time finding stores that sell it, and I think I'm the only amateur who uses it here.
> The help that comes with the web interface is not very explanatory. Do you know where I can find more explanation of the commands (such as the explanation you gave me about established, new and related)?
> And while we are at explaining: what is the forward chain? In and out I can understand, but forward?
> Also there are a lot of commands in the action field that I don't understand besides reject, drop and accept.
> Where can I find a description?
As David also wrote: look for manuals of the Linux firewall, "iptables".
What is written about iptables is directly applicable to MikroTik, but in the MikroTik you can enter the values in lots
of fields on the webform whereas in iptables you enter those on the commandline.
Also there is wiki.mikrotik.com for a lot of documentation, unfortunately it is oriented around the command-line
interface but you generally find the same things in the web interface.
Here the MikroTik routers are available at a couple of webshops, but not in the average high-street computer store.
The reason is that they are very advanced and most users will not know how to configure them beyond the simple
generic configurations available from the quick start screen.
But at features-for-price they are unbeatable.
For example, at work I needed a router for a "workplace-on-the-go". I use a MikroTik router plus a 4G stick.
It opens a VPN to our Cisco VPN router at the central office and routes some subnets both ways using iBGP.
The box can be connected at the installation site automatically using either plain ethernet, guest WiFi, or 4G mobile internet.
The routed subnet is accessible on ethernet and WiFi.
We use this to connect a printer and a couple of laptops at a temporary office site, using the internet access
that is available, or 4G if there is none. Total price for such a setup is about 150 euro when all hardware has
to be bought, or 60 euro when the 4G stick is "free with a mobile subscription".
The MikroTik is either a RB951G-2HnD or a hAP AC Lite.
Not many other cheap routers can be WiFi access point and WiFi client at the same time, and are able to do a VPN and
run a routing protocol over that. (simplifies the configuration, no static routes required)
A similar Cisco (not ex-Linksys) router costs 5-20 times as much, and has less features.
But, it still is not the most convenient router for AMPRnet!
For that, a plain Linux box is to be preferred. We could try to install a Linux VM to bridge the gap between a
standard router and the multipoint IPIP mesh plus modified RIP that we use and that is not supported in standard
routers (either Cisco or MikroTik).
Rob
Hi there
After entering the DNS attack business (as the one who is attacked), I think of the following:
Can an access-list rule be made that has a rule per gateway subnet on the main AMPRNET router?
I mean, if I have 44.138.1.x, would I be able to have rules for my subnet as I want?
I ask because the firewall rule I have added to the MikroTik (thanks a lot to the ham who gave me the correct syntax) does the job, but the tunnel to UCSD is still flooded with incoming DNS attack noise of about 500 KB/s (of course the router blocks them from passing through, but it would be better if I could stop this attack before it even enters the tunnel from UCSD to me).
NB: I still don't understand the point behind a UDP flood; may someone explain it to me?
I can understand telnet, ftp, ssh and web attempts, but not a DNS flood. May someone explain it to me?
One more point: I have talked with a friend of mine whose job includes networking. He has a fixed IP connected to a Cisco ASA firewall and he doesn't see any DNS attacks in the logs; he saw SIP attempts here and there (I also see some UDP SIP on the 44 net here, but it is almost zero compared to the DNS attack), so it looks like the DNS is related more to the AMPRNET than to the regular internet.
Or maybe this is a coincidence.
Anyway, it is something I haven't seen on the AMPRNET network we had 20 years ago.
Regards
Ronen - 4Z4ZQ
http://www.ronen.org