MikroTik RouterBoard RB532A: Difference between revisions

From Wildsong
Brian Wilson (talk | contribs)


== Dump of iptables ==
12/22/07
<pre>
iptables -L -n
Chain INPUT (policy DROP)
target    prot opt source              destination
DROP      all  --  0.0.0.0/0            0.0.0.0/0          state INVALID
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
DROP      tcp  --  0.0.0.0/0            0.0.0.0/0          tcp option=!2 flags:0x02/0x02
input_rule  all  --  0.0.0.0/0            0.0.0.0/0
input_wan  all  --  0.0.0.0/0            0.0.0.0/0
LAN_ACCEPT  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    icmp --  0.0.0.0/0            0.0.0.0/0
ACCEPT    47  --  0.0.0.0/0            0.0.0.0/0
REJECT    tcp  --  0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
Chain FORWARD (policy DROP)
target    prot opt source              destination
DROP      all  --  0.0.0.0/0            0.0.0.0/0          state INVALID
TCPMSS    tcp  --  0.0.0.0/0            0.0.0.0/0          tcp flags:0x06/0x02 TCPMSS clamp to PMTU
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
forwarding_rule  all  --  0.0.0.0/0            0.0.0.0/0
forwarding_wan  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
Chain OUTPUT (policy DROP)
target    prot opt source              destination
DROP      all  --  0.0.0.0/0            0.0.0.0/0          state INVALID
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0          state RELATED,ESTABLISHED
output_rule  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
REJECT    tcp  --  0.0.0.0/0            0.0.0.0/0          reject-with tcp-reset
REJECT    all  --  0.0.0.0/0            0.0.0.0/0          reject-with icmp-port-unreachable
Chain LAN_ACCEPT (1 references)
target    prot opt source              destination
RETURN    all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
Chain forwarding_rule (1 references)
target    prot opt source              destination
Chain forwarding_wan (1 references)
target    prot opt source              destination
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.28        tcp dpt:4569
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.27        tcp dpt:22
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.65        tcp dpt:8081
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.34        tcp dpt:80
ACCEPT    udp  --  0.0.0.0/0            10.127.32.27        udp dpt:1194
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.31        tcp dpt:44555
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.150      tcp dpt:3577
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.148      tcp dpt:3577
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.149      tcp dpt:3577
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.207      tcp dpt:3577
Chain input_rule (1 references)
target    prot opt source              destination
Chain input_wan (1 references)
target    prot opt source              destination
Chain output_rule (1 references)
target    prot opt source              destination
</pre>
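As an added example (not from this wiki page), a small Python parser for the `iptables -L -n` listing above: it inventories what the forwarding_wan chain accepts from any source, and counts the ACCEPT-all rules whose interface match a plain `-L -n` listing does not display, which is the thing to confirm with `iptables -L -n -v` or `iptables-save` before trusting this dump. The sample input is a constructed subset of the page's dump.

```python
import re

# Constructed sample: a few lines copied from the page's own `iptables -L -n`
# dump (FORWARD and forwarding_wan chains), enough to exercise the parser.
SAMPLE = """\
Chain FORWARD (policy DROP)
target    prot opt source              destination
DROP      all  --  0.0.0.0/0            0.0.0.0/0          state INVALID
forwarding_wan  all  --  0.0.0.0/0            0.0.0.0/0
ACCEPT    all  --  0.0.0.0/0            0.0.0.0/0
Chain forwarding_wan (1 references)
target    prot opt source              destination
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.27        tcp dpt:22
ACCEPT    udp  --  0.0.0.0/0            10.127.32.27        udp dpt:1194
ACCEPT    tcp  --  0.0.0.0/0            10.127.32.150      tcp dpt:3577
"""

# target, prot, opt (skipped), source, destination, then any match text.
RULE = re.compile(r"^(\S+)\s+(\S+)\s+\S+\s+(\S+)\s+(\S+)\s*(.*)$")

def parse_chains(listing):
    """Return {chain_name: [(target, proto, src, dst, extra), ...]}."""
    chains, current = {}, None
    for line in listing.splitlines():
        if line.startswith("Chain "):
            current = line.split()[1]
            chains[current] = []
            continue
        if current is None or line.startswith("target") or not line.strip():
            continue
        m = RULE.match(line.rstrip())
        if m:
            chains[current].append(m.groups())
    return chains

def exposed_services(chains, chain="forwarding_wan"):
    """(destination, proto, port) triples ACCEPTed from any source."""
    found = []
    for target, proto, src, dst, extra in chains.get(chain, []):
        port = re.search(r"dpt:(\d+)", extra)
        if target == "ACCEPT" and src == "0.0.0.0/0" and port:
            found.append((dst, proto, int(port.group(1))))
    return found

def blind_accepts(chains, chain="FORWARD"):
    """ACCEPT-all rules with no visible match: `-L -n` hides interface
    matches, so confirm these with `iptables -L -n -v` or `iptables-save`."""
    return sum(1 for t, p, s, d, e in chains.get(chain, [])
               if t == "ACCEPT" and p == "all" and s == d == "0.0.0.0/0" and not e)
```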

Revision as of 23:04, 22 December 2007

RouterBoard 532A

In DNS, it's called OpenWRT and can be reached via ssh or https://openwrt, or from outside the LAN at https://alseageo.dyndns.biz/

Support for it in OpenWrt seems to be pretty good; they have the latest releases prebuilt for it. I used instructions in this page to get it loaded.

I installed KAMIKAZE (7.09) then later I found out about X-WRT and installed their version from http://downloads.x-wrt.org/xwrt/kamikaze/7.09/

I no longer put all 4 screws into the MicroTik case. :-)

Install took 10 minutes including opening up the case. OpenWrtDocs/Hardware/Mikrotik/RB532

Support in dd-wrt is not good. There is an old beta.

CF layout

Kamikaze fits in a 16MB flash so any old CF card will do for booting.

Ethernet ports

There are three: the one to the left of the serial port is eth0. To the right are eth1 and eth2.

By default in Kamikaze eth0 uses DHCP, so it would make a good WAN port.

MAC numbers

  • eth0 00:0c:42:10:1c:6c
  • eth1 00:0c:42:10:1c:6d
  • eth2 00:0c:42:10:1c:6e

Miscellaneous configuration

Password

Root password set from the console port command line using "passwd". Set to the usual root password.

Network

Setting the D-Link MAC address ensures we will get the same IP address assigned by Comcast.

/etc/config/network

<pre>
config interface loopback
        option ifname   lo
        option proto    static
        option ipaddr   127.0.0.1
        option netmask  255.0.0.0

config interface wan
        option ifname   eth0
        option proto    dhcp
        # put the D-Link MAC address here (all six octets)
        option macaddr  xx:xx:xx:xx:xx:xx

config interface lan
        option ifname   eth1
        option proto    static
        option ipaddr   10.127.32.5
        option netmask  255.0.0.0

config interface dmz
        option ifname   eth2
        option proto    static
        option ipaddr   192.168.123.1
        option netmask  255.255.255.0
</pre>

Route command

Adding a default route so that you can get the webif stuff running initially.

route add -net 0.0.0.0 gw 192.168.123.254

DHCP

We provide DHCP only to the DMZ zone.

/etc/config/dhcp

<pre>
config dhcp
        option interface        lan
        option ignore   1

config dhcp
        option interface        dmz
        option start    100
        option limit    150
        option leasetime        12h

config dhcp
        option interface        wan
        option ignore   1
</pre>

Dyndns

Installed changeip client.

Firewall

Not set up yet.

NTP

Set timezone to US/Pacific. Installed client.

QoS

Installed but not configured yet. I'd like to use this to control bandwidth used for offsite backups. I want full utilization at night and 200 Kbps during business hours. A way to switch it down to a low bandwidth manually would be good.

SNMP

Installed but not configured yet. Could be set to log to Cacti on Kilchis.

SSL

Installed MatrixSSL so that we can connect to router using a secure connection.

Syslog

Set to log to Kilchis (10.127.32.27, port 514). Do a MARK every 20 minutes.

Wake-On-Lan

12/22/07 Not available yet in X-Wrt. This would allow us to power on Desktop machines remotely.

VPN

L2TPns

Have not looked into this one yet. Package is installed.

OpenVPN

Installed package. Not configured yet.

PPTP

12/22/07 Not set up yet for X-WRT