Networking Switch Around

I’ve been lucky enough to get my hands on one of the recently released MikroTik CRS328-24P-4S+RM units.
This is an excellent addition as it can sit right at the centre of my network and replace two stand-alone pieces of hardware (CRS112 & UniFi 8 port PoE) while retaining all the functionality I had before, and it adds scalability for the network as I grow it this year.
Without going nuts on specs, it’s a 24 port + 4 SFP port switch with auto-sensing 24V and 48V PoE across all of those ports. Very handy! My current deployment uses the 3 switch banks as data, 48V and 24V respectively, and the 3 fibres I have down to the mancave ensure that the CCTV cameras don’t choke my internet connection.
Plans this year include growing the CCTV camera count (a minimum of 1 extra, if not an additional 3), a couple more data points, and potentially moving from a single UAP Pro to a Pro plus an additional 2 AC-Lites. Oh, and maybe an internet connection upwards of 300Mb? That’s a maybe though.

CHR – Now faster and more efficient!

I’ve finally had some time to drag a monitor up into the attic to make some changes to the ESXi server that hosts my CHR. After some extensive reading on the MikroTik forum, it appears that a virtual CHR benefits from a “real” core rather than a virtual one, with virtual cores in some cases hindering performance! Even though my residential 55/15 connection isn’t going to set the world alight, I want to do some really in-depth packet inspection next year, so raw performance is top of my list.

The first change was to move the server BIOS performance setting from “OS Control” (which I had originally chosen to try to minimise noise in the cave) to maximum performance; a few extra packets gained there, maybe?

The second big change was to turn off hyperthreading on my Xeon. When I bought it I went out of my way to get one with 4c/8t for maximum cores, but RouterOS itself is very single-core based and can’t multi-thread, so single-core efficiency is key. It also benefits from L3 cache, so sharing the cache between 4 threads rather than 8 helps further. There is also some heat saving to be had by running the processor without HT, which counterbalances the BIOS performance setting that could increase heat.

Overall, testing without the firewall now yields a far healthier 10+Gbps when speed-testing to itself on a single core, compared to the previous 7(ish).

All of this will be undone, though, if/when rOS7 launches with multicore support!

New Hardware Incoming!

I’ve got some really exciting hardware changes coming up which I’m hoping are going to help me along my quest to make better YT videos! I will be saying goodbye to spinning discs completely in my main rig and migrating to NVMe for the OS, with the “old” SSD becoming the new recording drive for super-fast writes, to get my recording bandwidth up and help with post-recording cutting and shutting.

In addition there will be some sound upgrades, which will probably have less of an impact on the videos, but still: upgrades are upgrades.

Honeypot and Blacklist v3

It’s been a while since I looked at updating this, mostly because my working focus has shifted away from the firewall and onto some hotspot-related things, so the bulk of my research has gone into that. However, after a visitor to my website engaged with me about it, I thought it the right time to drop this almost “final” implementation of my blacklist script.

As much as I’d like to have written a totally automated list that dynamically adjusted, there are far cleverer people out there doing this more or less as a day job. I’m now using the implementation from Joshaven, some loose geographic blocks, and the IntrusDave list from the MikroTik forum.

I’ve finished that off with a far less brutal approach to picking out port scanners and any other snoopers:

/ip firewall filter
add action=accept chain=input comment="ACCEPT ESTABLISHED & RELATED INTERNET" connection-state=established,related in-interface=ether2_INTERNET
add action=accept chain=input comment="ACCEPT WHITELIST" src-address-list=WHITELIST
add action=accept chain=input comment="ACCEPT PING" protocol=icmp
add action=drop chain=input comment="DROP BLACKLISTED INPUT" in-interface=ether2_INTERNET src-address-list=myblocklist
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING TCP" dst-port=22,23,80,123,1723,443,8080,10000,5060,5061 in-interface=ether2_INTERNET protocol=tcp src-address-list=!WHITELIST
add action=add-src-to-address-list address-list=myblocklist address-list-timeout=1w chain=input comment="BLACKLISTING UDP" dst-port=123,53,5060,5061,3478 in-interface=ether2_INTERNET protocol=udp src-address-list=!WHITELIST
add action=drop chain=input comment="DROP ALL" in-interface=ether2_INTERNET

This approach is roughly netting me about 500 blocked IPs on my private connection and some 2000 on my colo unit.
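To make the rule ordering above concrete, here is an added Python model of that input chain (my own illustration, not part of the original post and not a MikroTik tool) that walks the rules in the order listed and tracks the dynamic address list; the addresses, the clock and the scanner timeline are constructed.

```python
from dataclasses import dataclass, field

WAN = "ether2_INTERNET"
TCP_TRAP = {22, 23, 80, 123, 1723, 443, 8080, 10000, 5060, 5061}
UDP_TRAP = {123, 53, 5060, 5061, 3478}
ONE_WEEK = 7 * 24 * 3600  # address-list-timeout=1w, in seconds

@dataclass
class Packet:
    src: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    state: str = "new"    # connection-state as conntrack reports it
    in_iface: str = WAN
    t: int = 0            # arrival time, seconds on a constructed clock

@dataclass
class InputChain:
    whitelist: set = field(default_factory=set)
    blocklist: dict = field(default_factory=dict)  # src -> expiry time

    def filter(self, p):
        """Walk the rules top to bottom; return (action, comment of the rule that decided)."""
        from_wan = p.in_iface == WAN
        if from_wan and p.state in ("established", "related"):
            return "accept", "ACCEPT ESTABLISHED & RELATED INTERNET"
        if p.src in self.whitelist:
            return "accept", "ACCEPT WHITELIST"
        if p.proto == "icmp":
            return "accept", "ACCEPT PING"
        # an entry is live only until its timeout; RouterOS removes expired ones,
        # here they are simply ignored and overwritten on the next trap hit
        if from_wan and self.blocklist.get(p.src, 0) > p.t:
            return "drop", "DROP BLACKLISTED INPUT"
        trap = {"tcp": TCP_TRAP, "udp": UDP_TRAP}.get(p.proto, set())
        if from_wan and p.dport in trap and p.src not in self.whitelist:
            # add-src-to-address-list does not terminate the chain: the source
            # is listed and the packet still falls through to DROP ALL below
            self.blocklist[p.src] = p.t + ONE_WEEK
        if from_wan:
            return "drop", "DROP ALL"
        return "accept", "chain default (no rule matched)"

def scanner_timeline():
    """Constructed scanner probing a trap port, returning, then coming back a week later."""
    chain = InputChain(whitelist={"198.51.100.7"})
    probes = [Packet("203.0.113.9", "tcp", 22), Packet("203.0.113.9", "udp", 3478, t=60),
              Packet("198.51.100.7", "tcp", 22, t=61), Packet("203.0.113.9", "tcp", 22, t=ONE_WEEK + 1)]
    return [chain.filter(p)[1] for p in probes]
```

Because DROP BLACKLISTED INPUT sits above the trap rules, a listed source never re-triggers them while its entry is live, so repeat probes do not extend the one-week timer; it only restarts once the entry has expired and the host touches a trap port again.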