GIANT_CRAB
New Member
I have Cloudcore router.
If you're using their higher end ones that has a console port, you can always get a console cable and to use their CLI.
Also, another thing worth noting is that DHCP server isn't setup by default, so you have to configure your computer to get a static private IP from the 192.168.88.0/24 range first before loading up the web fig 192.168.88.1.
Once you're done with the standard setup (DHCP, NAT and stuff), remember to configure some security things like DHCP leases add MAC to ARP table and then setting the interface to ARP-reply only. Disable services that you don't need like - FTP, API, API-SSL, etc. (Located under IP - Services) These services can also be limited to certain IP addresses but I have already done the configuration through Firewall already.
For wireless, disable default-forwarding and forwarding and then add some other rules to prevent private IP addresses from talking to each other and only allow certain traffic to reach the webfig.
/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop
In addition to that, you might want to set your router firewall INPUT to accept established and related TCP packets ONLY and drop all other traffic.
Some here's something I have for myself:
If you have IPv6 stuff, remember to enable the ipv6 package under "Packages". Its not enabled by default iirc. You will also have to setup the NTP stuff for accurate clock timings on your router.
If you're using their higher end ones that has a console port, you can always get a console cable and to use their CLI.
Also, another thing worth noting is that DHCP server isn't setup by default, so you have to configure your computer to get a static private IP from the 192.168.88.0/24 range first before loading up the web fig 192.168.88.1.
Once you're done with the standard setup (DHCP, NAT and stuff), remember to configure some security things like DHCP leases add MAC to ARP table and then setting the interface to ARP-reply only. Disable services that you don't need like - FTP, API, API-SSL, etc. (Located under IP - Services) These services can also be limited to certain IP addresses but I have already done the configuration through Firewall already.
For wireless, disable default-forwarding and forwarding and then add some other rules to prevent private IP addresses from talking to each other and only allow certain traffic to reach the webfig.
/ip firewall filter
add chain=forward src-address=192.168.0.0/24 dst-address=192.168.0.0/24 action=drop
In addition to that, you might want to set your router firewall INPUT to accept established and related TCP packets ONLY and drop all other traffic.
Some here's something I have for myself:
If you have IPv6 stuff, remember to enable the ipv6 package under "Packages". Its not enabled by default iirc. You will also have to setup the NTP stuff for accurate clock timings on your router.
DomainBop
Dormant VPSB Pathogen
Last edited by a moderator:
Here's a copy of my IPv4 and IPv6 firewall rules that may be of some use if you plan on doing PPTP, L2TP, VoIP(I use MagicJack), or want to enable loopback on the router (I run two IP subnets so you can ignore the second entry):
/ip firewall filter
add action=drop chain=input comment="Block Port 53" dst-port=53 in-interface=wan protocol=udp
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow Related connections" connection-state=related
add chain=forward comment="Allow Established connections" connection-state=established
add chain=forward comment="Allow Related connections" connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Accept bridge-local" in-interface=lan
add chain=forward comment="Accept bridge-local" in-interface=lan
add chain=input comment=PPTP dst-port=1723 protocol=tcp
add chain=input comment="PPTP GRE" protocol=gre
add chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add chain=input comment=L2TP protocol=ipsec-esp
add chain=input comment="Allow UDP" protocol=udp
add chain=forward comment="Allow UDP" protocol=udp
add chain=input comment="Allow ICMP" protocol=icmp
add chain=forward comment="Allow ICMP" protocol=icmp
add action=drop chain=forward comment="Drop everything else" log-prefix=DROPALLELSE
add action=drop chain=input comment="Drop everything else" log-prefix=DROPALLELSE
/ip firewall mangle
add action=mark-packet chain=forward comment=Magicjack dst-port=5060-5070 new-packet-mark=magicjack protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=wan
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=1.0.0.0/24 src-address=1.0.0.0/24
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=2.0.0.0/24 src-address=2.0.0.0/24
/ip firewall service-port
set irc disabled=yes
set h323 disabled=yes
set sip ports=5060,5061,5090
I picked up my CRS125-24G-1S-2HnD-IN on eBay for $169.99 shipped and it was the best router/switch purchase I've ever made. 
/ip firewall filter
add action=drop chain=input comment="Block Port 53" dst-port=53 in-interface=wan protocol=udp
add chain=input comment="Allow Established connections" connection-state=established
add chain=input comment="Allow Related connections" connection-state=related
add chain=forward comment="Allow Established connections" connection-state=established
add chain=forward comment="Allow Related connections" connection-state=related
add action=drop chain=input comment="Drop Invalid connections" connection-state=invalid
add action=drop chain=forward comment="Drop Invalid connections" connection-state=invalid
add chain=input comment="Accept bridge-local" in-interface=lan
add chain=forward comment="Accept bridge-local" in-interface=lan
add chain=input comment=PPTP dst-port=1723 protocol=tcp
add chain=input comment="PPTP GRE" protocol=gre
add chain=input comment=L2TP dst-port=1701,500,4500 protocol=udp
add chain=input comment=L2TP protocol=ipsec-esp
add chain=input comment="Allow UDP" protocol=udp
add chain=forward comment="Allow UDP" protocol=udp
add chain=input comment="Allow ICMP" protocol=icmp
add chain=forward comment="Allow ICMP" protocol=icmp
add action=drop chain=forward comment="Drop everything else" log-prefix=DROPALLELSE
add action=drop chain=input comment="Drop everything else" log-prefix=DROPALLELSE
/ip firewall mangle
add action=mark-packet chain=forward comment=Magicjack dst-port=5060-5070 new-packet-mark=magicjack protocol=udp
/ip firewall nat
add action=masquerade chain=srcnat comment="default configuration" out-interface=wan
add action=masquerade chain=srcnat comment="default configuration" disabled=yes out-interface=sfp1-gateway to-addresses=0.0.0.0
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=1.0.0.0/24 src-address=1.0.0.0/24
add action=masquerade chain=srcnat comment="NAT Loopback" dst-address=2.0.0.0/24 src-address=2.0.0.0/24
/ip firewall service-port
set irc disabled=yes
set h323 disabled=yes
set sip ports=5060,5061,5090
Code:
/ipv6 firewall filter
add chain=input comment="Allow established connections" connection-state=established
add chain=input comment="Allow related connections" connection-state=related
add chain=input comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add chain=input comment="Allow UDP to port 546" dst-port=546 protocol=udp
add chain=forward comment="Allow established connections" connection-state=established
add chain=forward comment="Allow related connections" connection-state=related
add chain=forward comment="Allow limited ICMP" limit=50/5s,5 protocol=icmpv6
add chain=input comment="Allow any from LAN" in-interface=lan
add chain=forward comment="Allow any to internet" out-interface=wan
add action=drop chain=input comment="Drop input"
add action=drop chain=forward comment="Drop forward"
Last edited by a moderator:
drmike
100% Tier-1 Gogent
Wowzers Great responses. Thank you!
I opted into one of these:
http://routerboard.com/RB2011UiAS-2HnD-IN
$120 for switch + wifi + the LCD +++++
Counterintuitive and like where to get started - but once you get moving slightly it's quite nifty underneath.
Now this has me looking at Mikrotik's 5GHZ radios for PTP and PTMP links. Awesome gear all around with the Mikrotiks. Have a feeling they are brand along with their RouterOS that is about to blow up all over.
Great responses. Thank you!I opted into one of these:
http://routerboard.com/RB2011UiAS-2HnD-IN
$120 for switch + wifi + the LCD +++++
Counterintuitive and like where to get started - but once you get moving slightly it's quite nifty underneath.
Now this has me looking at Mikrotik's 5GHZ radios for PTP and PTMP links. Awesome gear all around with the Mikrotiks. Have a feeling they are brand along with their RouterOS that is about to blow up all over.
EdgeRouter in a datacenter? They seem pretty small and I can't really think of too many use-cases. 8 x 1 GbE is not really a lot of bandwidth.
Edit:
The US-48-500W is really nice! Anyone know if it'd hold up well in a rack?
Last edited by a moderator:
We've only even run the ER Lites in our cabinets before so I don't have any experience with the newer models. The ER Lites are amazing though and blow away any x86 based setup and we saved a lot of money when we switched our 2 power hungry Dell servers for 2 ER Lites (both ER Lites combined used less than 1/4 of the power of one of the Dell 1950s running Vyatta). The ER Lite pushes more bandwidth, handles more PPS, and uses less resources than Vyatta did.
Last edited by a moderator:
drmike
100% Tier-1 Gogent
All new to me, but Mikrotik has a pretty big and expanding line of products.
Like this 16GB + 36 core beast
Mikrotik CCR1036-8G-2S+EM Router Firewall 16GB RAM
Our fastest router has now become even better - the new CCR1036-8G-2S+ now has two SFP+ ports for 10G interface support (SFP+ module available separately). It uses the same 36 core Tilera CPU as our other CCR1036 model, and delivers the same performance, but now, ten gigabit links are possible.
The device comes in a 1U rackmount case, has two SFP+ ports, eight Gigabit ethernet ports, a serial console cable and a USB port.
The CCR1036-8G-2S+ has two SODIMM slots, by default it is shipped with 4GB of RAM, but has no memory limit in RouterOS (will accept and utilize 16GB or more). Also available now, the EM model with 16GB of RAM!
Supports both SFP (1.25G) and SFP+ (10G) modules
SPECIFICATIONS
CPU
Tilera Tile-Gx36 CPU (36-cores, 1.2Ghz per core)
Like this 16GB + 36 core beast
Mikrotik CCR1036-8G-2S+EM Router Firewall 16GB RAM
Our fastest router has now become even better - the new CCR1036-8G-2S+ now has two SFP+ ports for 10G interface support (SFP+ module available separately). It uses the same 36 core Tilera CPU as our other CCR1036 model, and delivers the same performance, but now, ten gigabit links are possible.
The device comes in a 1U rackmount case, has two SFP+ ports, eight Gigabit ethernet ports, a serial console cable and a USB port.
The CCR1036-8G-2S+ has two SODIMM slots, by default it is shipped with 4GB of RAM, but has no memory limit in RouterOS (will accept and utilize 16GB or more). Also available now, the EM model with 16GB of RAM!
Supports both SFP (1.25G) and SFP+ (10G) modules
SPECIFICATIONS
CPU
Tilera Tile-Gx36 CPU (36-cores, 1.2Ghz per core)
Last edited by a moderator:
drmike
100% Tier-1 Gogent
It's like the Mikrotik gear is capable and all but they aren't making a play for the density switching market... More of a router with value added. They appear to have 24 port switching units that are $200~. But up above there, not seeing products.
Definitely a strong play in WISP market. Their current 5Ghz radio full units are beasts on paper. $109~ an end and pushing a big chunk of gigabit speed over air and distance. Tiny all integrated which is nicer than Ubiquiti's plays with rather large directional antennas. Both companies rock though. Those are next on my list to get and test for point-to-point setup over a mile or two.
Definitely a strong play in WISP market. Their current 5Ghz radio full units are beasts on paper. $109~ an end and pushing a big chunk of gigabit speed over air and distance. Tiny all integrated which is nicer than Ubiquiti's plays with rather large directional antennas. Both companies rock though. Those are next on my list to get and test for point-to-point setup over a mile or two.
They have 48 port with 2 SFP+ switches for under $800. That's a really good deal. I'm looking to see if I can find a cheap switch to test out the software.