MikroTik RBD52G-5HacD2HnD-TC hAP ac²

1660 replies to this topic

#163 JohnnyUSA, Active Member (Group: Members, Posts: 1,021, Joined: 27.01.2006)

Since I enabled the VPN, every night I see in the logs a "hornet" that keeps trying to connect:

[image: https://i.postimg.cc/QtWDfVxN/gargaune.png]

I added a rule:

/ip firewall address-list
add address=216.218.206.0/24 list=block
/ip firewall filter
# first-match chain: this drop has to sit above any accept rules for the IPsec
# ports (udp/500, udp/4500, ipsec-esp), otherwise it is never reached
add action=drop chain=input comment="drop IPsec hacking attempts" \
    src-address-list=block

..can I do anything else? Cut it off for good?

#164 Tyby, blue balls (Group: Super Moderators, Posts: 15,394, Joined: 29.11.2001)

No, it's fine.

Here's how I built an automatic list & block for SSH brute-forcers:

/ip firewall filter
# 1. sources already on the blacklist are dropped (and logged); this rule sits first in the chain
add action=drop chain=input comment="drop ssh brute forcers" dst-port=2122 log=yes protocol=tcp src-address-list=ssh_blacklist
# 2. a new connection from a source already at stage 3 puts it on the blacklist for 1w3d
add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input connection-state=new dst-port=2122 protocol=tcp src-address-list=ssh_stage3
# 3-4. each further new connection promotes the source one stage; stage entries live 1 minute
add action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=1m chain=input connection-state=new dst-port=2122 protocol=tcp src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input connection-state=new dst-port=2122 protocol=tcp src-address-list=ssh_stage1
# 5. any new connection enters stage 1; stages are listed highest first because add-src-to-address-list is non-terminating and takes effect immediately, so a single packet would otherwise climb every stage at once
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input connection-state=new dst-port=2122 protocol=tcp



#165 ogo, Senior Member (Group: Senior Members, Posts: 4,537, Joined: 07.03.2006)

That hornet is shadowserver.org.
I'd use 216.218.128.0/17, because that IP belongs to the /17 prefix (so much wider) rather than the /24 you set.

Edited by Tyby, 18 January 2019 - 12:03.
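Added example, not code from this thread: a Python simulation of the input-chain logic in posts #163 to #165, i.e. the static block list (widened to the /17 suggested in #165) plus Tyby's staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist escalation, run over constructed connection events. The timeouts and port come from Tyby's rules; the event list, the address-list re-add behaviour (an existing entry is left untouched) and the absence of any accept rules are assumptions of the simulation. Running it shows why the stage rules are listed highest stage first: with the order reversed, one packet climbs every stage at once.

```python
"""Simulation of the MikroTik input-chain logic discussed in posts #163-#165.
Constructed events stand in for router logs; this is not RouterOS code."""
import ipaddress
from dataclasses import dataclass, field

# Timeouts taken from Tyby's rules: stage entries live 1m, the blacklist 1w3d.
STAGE_TTL = 60
BLACKLIST_TTL = 10 * 24 * 3600
SSH_PORT = 2122

# Static block list from #163, widened to the /17 suggested in #165.
STATIC_BLOCK = [ipaddress.ip_network("216.218.128.0/17")]


@dataclass
class AddressLists:
    """Dynamic address lists: (list name, source ip) -> absolute expiry time."""
    entries: dict = field(default_factory=dict)

    def has(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and now < expiry

    def add(self, name, ip, now, ttl):
        # Assumption (simplification): re-adding a source already on the list
        # leaves the existing entry and its timeout untouched.
        if not self.has(name, ip, now):
            self.entries[(name, ip)] = now + ttl


# Staged rules as (list the source must already be on, list it is added to, ttl).
# None means "any new connection". This is Tyby's order: highest stage first.
CORRECT_ORDER = [
    ("ssh_stage3", "ssh_blacklist", BLACKLIST_TTL),
    ("ssh_stage2", "ssh_stage3", STAGE_TTL),
    ("ssh_stage1", "ssh_stage2", STAGE_TTL),
    (None, "ssh_stage1", STAGE_TTL),
]
# The same rules listed lowest stage first, to show why the order matters.
WRONG_ORDER = list(reversed(CORRECT_ORDER))


def evaluate(events, stage_rules=CORRECT_ORDER):
    """events: constructed (time_s, src_ip, dst_port, is_new_connection) tuples
    in time order. Returns one verdict per event:
    'drop:block', 'drop:blacklist' or 'pass' (accept rules are not modelled)."""
    lists = AddressLists()
    verdicts = []
    for now, src, dport, is_new in events:
        ip = ipaddress.ip_address(src)
        # #163's rule: static block list, checked before everything else.
        if any(ip in net for net in STATIC_BLOCK):
            verdicts.append("drop:block")
            continue
        # Rule 1: sources already blacklisted for this port are dropped.
        if dport == SSH_PORT and lists.has("ssh_blacklist", src, now):
            verdicts.append("drop:blacklist")
            continue
        # Rules 2-5: add-src-to-address-list is non-terminating and takes effect
        # immediately, so later rules in the same pass already see the new entry.
        if dport == SSH_PORT and is_new:
            for needs, target, ttl in stage_rules:
                if needs is None or lists.has(needs, src, now):
                    lists.add(target, src, now, ttl)
        verdicts.append("pass")
    return verdicts


if __name__ == "__main__":
    burst = [(t, "203.0.113.5", SSH_PORT, True) for t in (0, 5, 10, 15, 20)]
    print("burst, correct order:", evaluate(burst))
    print("burst, wrong order:  ", evaluate(burst, WRONG_ORDER))
```

With the correct order the fifth attempt inside the one-minute windows is the first one dropped; a scanner that waits longer than the stage timeout between attempts never escalates, and a blacklisted source is still free to talk to other ports because Tyby's drop rule matches dst-port=2122 only.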


#166 JohnnyUSA, Active Member (Group: Members, Posts: 1,021, Joined: 27.01.2006)

Thanks for the clarification. My paranoia level has now dropped back to normal :)

#167 lord_dizzy, Member (Group: Members, Posts: 249, Joined: 06.11.2003)

JohnnyUSA, on 14 January 2019 - 22:07, said:

Here I see they come back in stock on the 20th: https://wifimag.ro/mikrotik/hap-ac2

Still haven't found one... no hope until March, from what I've read on the foreign forums...

#168 JohnnyUSA, Active Member (Group: Members, Posts: 1,021, Joined: 27.01.2006)

I see they have it here: https://www.senetic....yMaAgt0EALw_wcB

#169 sonnydellmarco, Active Member (Group: Members, Posts: 1,858, Joined: 17.10.2006)

What maximum speed have you reached on Wi-Fi, in the 5 GHz band?

#170 carmenclara1, Guru Member (Group: Moderators, Posts: 19,373, Joined: 08.12.2008)

~425Mbps

#171 sonnydellmarco, Active Member (Group: Members, Posts: 1,858, Joined: 17.10.2006)

carmenclara1, on 04 February 2019 - 19:14, said:

~425Mbps

With what laptop?

#172 carmenclara1, Guru Member (Group: Moderators, Posts: 19,373, Joined: 08.12.2008)

Tplink Archer T4U, Edimax EW-7822UAC and others

#173 sonnydellmarco, Active Member (Group: Members, Posts: 1,858, Joined: 17.10.2006)

carmenclara1, on 04 February 2019 - 20:02, said:

Tplink Archer T4U, Edimax EW-7822UAC and others

Now I'm jealous :(

#174 me_iauras, Senior Member (Group: Senior Members, Posts: 2,379, Joined: 08.01.2009)

490-500 Mb/s (61-62 MB/s LAN transfer NAS > laptop) with a DLink DIR 882 + Intel 7260 AC / Intel 8265, but I suspect the question was about the speed obtained on the hAP ac²

#175 joystick, Eu...si cu mine! (Group: Senior Members, Posts: 6,915, Joined: 10.06.2008)

I'd like to bring to your attention some settings I found on the MikroTik forum. What do you think?

It's exactly what I want. I hope I'll have the energy to try again this weekend....

The topic is here:
https://forum.mikrot...p?f=13&t=143620

And the work is by user pcunite

Quote

Router-Switch-AP all in one device
Overview:
This is a configuration for a home or even a micro business. Everything lives on a single hardware unit with PCs, laptops, NAS servers, printers, and phones all on the Blue (Native) VLAN. The Blue network is considered the home LAN making use of local ethernet ports and a home SSID. When friends come over, you give them a Guest SSID to keep them off your network.

Access Ports:
Since most ports are on the Blue Native VLAN, they will not have ingress and egress behavior assigned. You trust your PC, laptop, NAS, and printer to live on Blue. All your IoT devices are probably on a separate switch connected to Green via the one local ethernet port or WiFi. You can create as many VLANs on WiFi as you need, although three is probably a good limit to minimize WiFi inefficiency.
Trunk Ports:
There are no Purple Trunk ports, instead we opt for a Green VLAN. If whatever is plugged into the single Green ethernet port is VLAN aware, it does not really matter. Once it hits our router/switch, it's Green to us. It might be tempting to simply set up a separate bridge for your Guest network. For tiny all-in-one networks like this that is certainly a valid option.
But you wanted to learn VLAN so let's give you a better reason. Let's say that you do care about the VLAN aware device(s) on Green. If so, you could turn it into a Purple Trunk port. Perhaps there is an IP Camera that should have more Internet bandwidth compared to Green. So, you have the option of at least three networks you could manage: your Blue home, Green guests, and Red for IoT devices and such. When they all come into the router, you can QoS them differently because you have three VLAN interfaces to work with.
IP Addressing & Routing:
There is only one hardware device, of which we create one bridge to manage all LAN side devices. We set this IP address to 192.168.0.1. Everything gets routed out the Yellow WAN interface for Internet access.
IP Services:
The Native (aka Blue) interface (typical MikroTik standard Bridge interface) supplies the VLAN unaware network with the services it needs. A Green VLAN interface supplies the Guest network with Green IP Services.
How it all works:
Firewall rules keep everyone separate.
Show Me The Code!
Enough theory, let’s see how to implement this using RouterOS commands.



###############################################################################
# Topic:  Using RouterOS to VLAN your network
# Example:  Router-Switch-AP all in one device
# Web:   https://forum.mikrotik.com/viewtopic.php?t=143620
# RouterOS:  6.43.8
# Date:   Feb 8, 2019
# Notes:  Start with a reset (/system reset-configuration)
# Thanks:  mkx, sindy
###############################################################################
#######################################
# Naming
#######################################
# name the device being configured
/system identity set name="RouterSwitchAP"

#######################################
# WIFI Setup
#
# Example wireless settings only. Do
# NOT use in production!
#######################################
# Blue SSID
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless set [ find default-name=wlan1 ] ssid=Blue frequency=auto mode=ap-bridge disabled=no
# Green SSID
/interface wireless security-profiles add name=guest authentication-types=wpa2-psk mode=dynamic-keys wpa2-pre-shared-key="password"
/interface wireless add name=wlan2 ssid=Green master-interface=wlan1 security-profile=guest disabled=no

#######################################
# Bridge
#######################################
# create one bridge, set VLAN mode off while we configure
/interface bridge add name=BR1 protocol-mode=none vlan-filtering=no

#######################################
#
# -- INGRESS Settings --
#
#######################################
# prepare to add ports and set ingress behavior
/interface bridge port

#######################################
# Access Ports
#######################################
# Blue (Native) VLAN
add bridge=BR1 interface=ether2 pvid=1
add bridge=BR1 interface=ether3 pvid=1
add bridge=BR1 interface=wlan1  pvid=1
# Green VLAN
add bridge=BR1 interface=ether4 pvid=10
add bridge=BR1 interface=wlan2  pvid=10

#######################################
#
# -- EGRESS Settings --
#
#######################################
# prepare to set egress behavior
/interface bridge vlan

#######################################
# Access Ports
#######################################
# Blue (Native) VLAN
# Nothing special to configure
# Green VLAN
add bridge=BR1 untagged=ether4,wlan2 vlan-ids=10
# Because weird. Must tell the Bridge to accept VLAN packets for IP Services to work
set bridge=BR1 tagged=BR1 [find vlan-ids=10]

#######################################
# IP Addressing & Routing
#######################################
# LAN facing
# Router's Private IP address on the Native VLAN
/ip address add address=192.168.0.1/24 interface=BR1
# DNS server, we also cache
/ip dns set allow-remote-requests=yes servers="9.9.9.9"
# WAN facing
# IP Address provided by ISP
/ip address add interface=ether1 address=a.a.a.a/aa network=a.a.a.0
# router's gateway provided by ISP
/ip route add distance=1 gateway=b.b.b.b

#######################################
# IP Services
#######################################
# Blue (Native) interface is BR1
# Already created
# Blue (Native) DHCP service assignment
/ip pool add name=BLUE_POOL ranges=192.168.0.2-192.168.0.254
/ip dhcp-server add address-pool=BLUE_POOL interface=BR1 name=BLUE_DHCP disabled=no
/ip dhcp-server network add address=192.168.0.0/24 dns-server=192.168.0.1 gateway=192.168.0.1
# Green VLAN interface creation
/interface vlan add interface=BR1 name=GREEN_VLAN vlan-id=10
/ip address add interface=GREEN_VLAN address=10.0.10.1/24
# Green VLAN DHCP service assignment
/ip pool add name=GREEN_POOL ranges=10.0.10.2-10.0.10.254
/ip dhcp-server add address-pool=GREEN_POOL interface=GREEN_VLAN name=GREEN_DHCP disabled=no
/ip dhcp-server network add address=10.0.10.0/24 dns-server=9.9.9.9 gateway=10.0.10.1

#######################################
# Firewalling & NAT
# A good firewall for WAN. Up to you
# about how you want LAN to behave.
#######################################
# Use MikroTik's "list" feature for easy rule matchmaking.
/interface list add name=WAN
/interface list add name=LAN
/interface list add name=VLAN
/interface list member
add interface=ether1	 list=WAN
add interface=BR1		list=LAN
add interface=GREEN_VLAN list=VLAN
# VLAN aware firewall. Order is important.
/ip firewall filter

##################
# INPUT CHAIN
##################
add chain=input action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=input action=accept in-interface-list=LAN comment="Allow Native LAN"
# Optional: Allow VLANs to access router services like DNS. Naturally, you should make it more granular.
add chain=input action=accept in-interface-list=VLAN comment="Allow VLAN"
add chain=input action=drop comment="Drop"
##################
# FORWARD CHAIN
##################
add chain=forward action=accept connection-state=established,related comment="Allow Estab & Related"
add chain=forward action=accept connection-state=new in-interface-list=LAN out-interface-list=!VLAN comment="Allow Native LAN"
# Allow all VLANs to access the Internet only, NOT each other
add chain=forward action=accept connection-state=new in-interface-list=VLAN out-interface-list=WAN comment="VLAN Internet Access only"
add chain=forward action=drop comment="Drop"
##################
# NAT
##################
/ip firewall nat add chain=srcnat action=masquerade out-interface-list=WAN comment="Default masquerade"

#######################################
# Turn on VLAN mode
#######################################
/interface bridge set BR1 vlan-filtering=yes


Attached Files
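Added example, not part of pcunite's tutorial or of this thread: a small Python evaluator of the quoted forward and input chains, using the three interface lists exactly as the configuration defines them, to check which new connections the rules accept. Only interface-list membership, connection-state and rule order are modelled; NAT, the bridge VLAN filtering and the established/related shortcut are out of scope, and the flow names and interface pairs are assumptions chosen to cover Blue, Green and WAN. The fallthrough to accept when no rule matches is RouterOS's real default policy, which is why both chains end in an explicit drop.

```python
"""Evaluate the forward and input chains from the quoted RouterOS config
(constructed flows; this is not RouterOS code)."""

# Interface lists exactly as in the quoted configuration.
INTERFACE_LISTS = {
    "WAN": {"ether1"},
    "LAN": {"BR1"},
    "VLAN": {"GREEN_VLAN"},
}

# Rules in the order they appear in the quoted config. A missing key means
# "not matched on"; a leading '!' on a list name is RouterOS negation.
FORWARD_CHAIN = [
    {"state": "established,related", "action": "accept"},
    {"state": "new", "in": "LAN", "out": "!VLAN", "action": "accept"},
    {"state": "new", "in": "VLAN", "out": "WAN", "action": "accept"},
    {"action": "drop"},
]
INPUT_CHAIN = [
    {"state": "established,related", "action": "accept"},
    {"in": "LAN", "action": "accept"},
    {"in": "VLAN", "action": "accept"},   # the tutorial's optional "Allow VLAN"
    {"action": "drop"},
]


def in_interface_list(iface, spec):
    """Match an interface against an in/out-interface-list matcher such as 'LAN' or '!VLAN'."""
    if spec is None:
        return True
    negate = spec.startswith("!")
    members = INTERFACE_LISTS[spec.lstrip("!")]
    return (iface in members) != negate


def first_match(chain, in_iface, out_iface, state):
    """RouterOS semantics: the first matching rule decides. If no rule matches,
    the chain's implicit policy is accept, which is why each chain ends in drop."""
    for rule in chain:
        if "state" in rule and state not in rule["state"].split(","):
            continue
        if not in_interface_list(in_iface, rule.get("in")):
            continue
        if not in_interface_list(out_iface, rule.get("out")):
            continue
        return rule["action"]
    return "accept"


# Routed flows a new connection could take (in-interface, out-interface); assumed names.
FORWARD_FLOWS = {
    "Blue->WAN": ("BR1", "ether1"),
    "Green->WAN": ("GREEN_VLAN", "ether1"),
    "Blue->Green": ("BR1", "GREEN_VLAN"),
    "Green->Blue": ("GREEN_VLAN", "BR1"),
    "WAN->Blue": ("ether1", "BR1"),
}


def forward_policy(chain=FORWARD_CHAIN):
    """Verdict for a new connection on each routed flow."""
    return {name: first_match(chain, i, o, "new") for name, (i, o) in FORWARD_FLOWS.items()}


def input_policy(chain=INPUT_CHAIN):
    """New connections to the router itself (DNS, WinBox, ...) per source interface."""
    return {src: first_match(chain, src, None, "new") for src in ("BR1", "GREEN_VLAN", "ether1")}


if __name__ == "__main__":
    print("forward:", forward_policy())
    print("input:  ", input_policy())
    # Without the final drop rules, unmatched traffic falls through to accept:
    print("forward, no final drop:", forward_policy(FORWARD_CHAIN[:-1]))
```

Two things the output makes visible: Green reaches the Internet but neither Blue nor Green can open a connection to the other, and removing the last drop rule in either chain silently turns every unmatched flow, WAN to LAN included, into an accept. The model only covers routed traffic; hosts that end up in the same layer-2 segment (for example when bridge VLAN filtering is not actually in effect) talk to each other without ever passing through the forward chain.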



#176 Aladin1982, New Member (Group: Members, Posts: 7, Joined: 23.09.2009)

carmenclara1, on 04 February 2019 - 19:14, said:

~425Mbps

I'd ask for a recommendation of one of the 2 MikroTik models (hAP ac and hAP ac²) for home use. It will mainly be used for browsing and downloading torrents over Wi-Fi ac. The only thing I have on the LAN is the mede8er media player, which gets its streaming from the network. Two weeks ago I had the hAP ac on test and I was happy with its coverage and stability, less so with the CPU load under multiple tasks. I'm unsure which of the 2 models to choose in the end. Is the hAP ac² more powerful?
I'll mention that with the hAP ac I downloaded torrents at a maximum of 50 MB, but if I tried to open a YouTube video the hAP ac's CPU sat at 70% and it seemed to be "on its knees".

#177 joystick, Eu...si cu mine! (Group: Senior Members, Posts: 6,915, Joined: 10.06.2008)

@aladin: I can't run tests right now because I'm playing with the hAP ac² on the desk... it's not connected to the network.

@all

I managed to do everything as written in that tutorial. All well and good (or maybe not).
IPs are assigned as they should be (10.... on green, 192 on blue). In fact, that's about all that works....
All devices see each other... regardless of network. What's wrong?????
I don't even want to go further, to the access port, because things are already creaking here.

Anyway, what I have to do now is somehow combine what ogo taught me with what I have in this tutorial.

Basically, I have to:
- use a trunk port from the working solution ogo gave me
- assign IPs correctly and filter the traffic on the wlan3 interface

In theory it's not complicated... there are about 30-40 lines from which I have to combine something....

OFF: I did something: I set the N56u's WAN to IPoE... and connected it to a Huawei B310 gateway (to keep the RDS line free for tests).
Is it normal that, if I have local IPs in the 192.168.0.x range and the gateway is in 192.168.1.x, I can reach the gateway from the local network?

Edited by joystick, 16 February 2019 - 14:46.


#178 joystick, Eu...si cu mine! (Group: Senior Members, Posts: 6,915, Joined: 10.06.2008)

OK, now I've panicked.
What on earth do those logs mean????

What did I do? I disabled all the default firewall rules and created the ones from the tutorial above.
Am I to understand that I messed up? It looks like a telnet connection succeeded.

On the network I only have one PC, protected by Bitdefender ITS. I urgently changed the access password and disabled telnet.....

#179 JohnnyUSA, Active Member (Group: Members, Posts: 1,021, Joined: 27.01.2006)

Do a factory reset and leave the FW rules as they are; don't disable them if you don't know how to rebuild them. You probably left everything OPEN the moment you deleted the default rules.

#180 joystick, Eu...si cu mine! (Group: Senior Members, Posts: 6,915, Joined: 10.06.2008)

I forgot the picture....

Attached Files


