So Much Broken MikroTik

What an absolute nightmare of a week so far!

Friday afternoon my beloved Dell R210ii decided to eat its own PSU, completely rendering the box useless and, along with it, the CHR routing my home network. It’s fine though, as I made backups, which I stored within the CHR, so I can’t access them #feelsbadman

Never mind, I quickly pulled out my CCR1009, which I had retrieved from a scrap pile and which, whilst it had faulted once or twice, had never completely keeled over. I configured it up and replaced the CHR, and after a few hours of tweaking and trying to resume normality (as well as activating FastTrack, which the CHR can’t do), home was up and running.

Monday morning, some weird things were going on in the network. I checked the CCR and it was reporting traffic on interfaces I knew weren’t even connected, as well as flapping on the SFP port, which the other end showed as solid. The CCR has now been marked for removal. I am so thankful for having a “spare” RB750Gr3 hEX unit about, though, as that should keep the family quiet whilst I work out where to go from here. Currently my paltry 55Mb connection won’t stress it, but I have been eyeing up a Virgin Media upgrade to 350Mb next, which looks set to increase to 500Mb in the next few months; who knows, Gigabit may be round the corner as well. Either way, I’m not confident the little hEX can do that, so it’s back to the drawing board, looking for a unit to satisfy my needs.

Networking Switch Around

I’ve been lucky enough to get my hands on one of the recently released MikroTik CRS328-24P-4S+RM units.
This is an excellent addition to my network, as it means it can sit right at the very centre of my network and actually remove two standalone pieces of hardware (CRS112 & UniFi 8 port PoE) while retaining all the functionality I had before, including adding more scalability for the network as I grow it this year.
Without going nuts on specs, it’s a 24 port + 4 SFP+ port switch with auto-sensing 24V and 48V PoE across all of those ports. Very handy! My current deployment sees me using the three switch banks in a Data / 48V / 24V layout, and then using the three fibres I have down to the mancave ensures that the CCTV cameras don’t choke my internet connection.
With plans this year to grow the CCTV camera numbers (a minimum of one extra, if not an additional three), as well as a couple more data points and the potential move away from a single UAP Pro to a Pro plus an additional two AC-Lites. Oh, and maybe an internet connection upwards of 300Mb? That’s a maybe though.

CHR – Now faster and more efficient!

I’ve finally had some time to drag a monitor up into the attic to make some changes to the ESXi server that hosts my CHR. After some extensive reading on the MikroTik forum, it seems that a virtual CHR benefits from a “real” core and not a virtual one, with virtual cores in some cases hindering performance! Even though my residential 55/15 connection isn’t going to set the world alight, I want to do some really in-depth packet inspection next year, so having raw performance is top of my list.

The first change I made was to move the server BIOS performance setting from “OS Control”, which was initially set to try and minimise noise in the cave, to maximum performance; a few packets gained there, maybe?

The second big change was to turn off hyperthreading on my Xeon. When I bought the Xeon I went out of my way to buy one with 4c/8t for maximum cores, but RouterOS itself is very single-core based and can’t multi-thread, so single-core efficiency is key. It also benefits from L3 cache, so splitting the cache between 4 rather than 8 helps more so. There is also some heat efficiency to be gained by running the processor without HT, which counterbalances the BIOS performance setting, which could increase heat.

Overall, testing without a firewall now yields a far healthier 10+Gbps when speedtesting to itself on a single core, compared to the previous 7(ish).

All will be undone though if/when rOS7 launches with multicore!

Honeypot and Blacklist v3

It’s been a while since I looked at updating this, and that’s mostly due to how my working focus has shifted away from the firewall and onto some hotspot-related things, so the bulk of my research has gone into that. However, after a visitor to my website engaged with me regarding this, I thought it the right time to drop this almost “final” implementation of my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’ve now been using the implementation from Joshaven, some loose geographic blocks and then the IntrusDave list from the MikroTik forum.

I’ve finished that up with a far less brutal approach to picking out port scanners and any other snoopers:

# Input chain, i.e. traffic addressed to the router itself. Rules are evaluated
# top to bottom and the first match wins, so all accepts sit above the
# blacklisting rules and the final drop.
/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
# WHITELIST is accepted before anything can be blacklisted, so a whitelisted
# source can never end up in myblocklist.
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
# Already-blacklisted sources are dropped here, above the add-src rules, so
# further probes from them do not refresh the 1w timeout.
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
# A single packet from the internet to any of these router ports puts the
# source into myblocklist for a week; the packet itself still falls through
# to the final drop.
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
# Everything else arriving from the internet for the router itself is dropped.
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is roughly netting me about 500 blocked IPs on my private connection and some 2000 on my colo unit.
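An added example, not from the original post, of the companion steps worth running alongside those rules. One caveat of this style of auto-ban: the BLACKLISTING rules fire on a single packet and nothing checks that the source address is genuine, so a third party that forges one TCP/22 packet with the source address of a host you rely on (a remote management box, a VPN peer) gets that host dropped on the input chain for a week. The damage is limited to the input chain, so forwarded traffic is unaffected, and the WHITELIST accept, which sits above the blacklisting rules, is the protection: it should hold every address that must always reach the router itself. The addresses below (198.51.100.10, 203.0.113.0/24) are RFC 5737 documentation ranges used as placeholders; the list, interface and comment names follow the ruleset above.

```routeros
# Added example, not from the original post. Placeholder addresses are RFC 5737
# documentation ranges; replace them with your own.

# Hosts that must always be able to reach the router, so they can never be banned.
/ip firewall address-list
add list=WHITELIST address=198.51.100.10 comment="remote management host (placeholder)"
add list=WHITELIST address=203.0.113.0/24 comment="VPN peer range (placeholder)"

# Sanity checks once the rules have been running for a while.
# 1. How many sources are currently banned, and when each ban expires.
/ip firewall address-list print count-only where list=myblocklist
/ip firewall address-list print where list=myblocklist

# 2. Which rule is doing the work: per-rule packet and byte counters.
/ip firewall filter print stats where comment~"BLACKLISTING"

# 3. Confirm a host you rely on has not been caught (no output is the good result).
/ip firewall address-list print where list=myblocklist and address=198.51.100.10

# 4. Release a legitimate host that was caught, without waiting out the week.
/ip firewall address-list remove [find list=myblocklist and address=198.51.100.10]

# 5. Record each new TCP ban: same match as the BLACKLISTING TCP rule, placed
#    directly above it. action=log only logs and falls through to the next rule,
#    and because it sits below DROP BLACKLISTED INPUT, already-banned sources
#    do not spam the log on every repeat probe.
/ip firewall filter
add action=log chain=input comment="LOG NEW TCP BANS" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET log-prefix="BAN-TCP" protocol=tcp src-address-list=!WHITELIST place-before=[find comment="BLACKLISTING TCP"]
```

The whitelist entries are the part to get right before the rest goes live: anything you would normally reach the router from (home from the colo, colo from home, a monitoring host) belongs in WHITELIST, otherwise a single stray connection to TCP/80 or UDP/53 on the router locks that address out for a week.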