Starting my blacklist journey

 

Recently with a lot of the “news” about MikroTik being that version X.XX has been compromised and then so has X.XX it got me looking a lot closer at security and what I can do to protect my own router and those that I manage.

The easiest answer primarily is don’t allow external access and make sure your firewall is impervious but then what about actual protection from these sources even before they get near your Winbox interface and what about enhancing that to protect client devices as well?

From reading through the MikroTik community I came across a thread by a guy called Dave who is offering brilliant blacklist capabilities for very cheap (when it comes to market) if you don’t mind running his script on your router ( forum thread here ). This consists of running his script on a scheduled basis and creating a firewall rule to block the traffic from the created list as both input & forward, source & destination with combinations thereof.

Dave’s list is brilliant, it takes from known sources of malicious software as well as his own network of honeypot servers so it will actively catch people trying to get at his servers. An advantage of this is it also does not take up much room as an exported RSC file as the script is to fetch a dynamic file which is imported and then deleted so keeping your file size low.

In addition to this I wanted my own form of very basic protection from specific geolocations, to do this I have found a site called mikrotikconfig.com.

There is an option here to generate an address list from selected countries, I simply chose the countries I don’t want with access, edited the file to use “myblocklist” instead of “countryip” and then created firewall rules to drop those also. The downside to doing this is all of the subnets are statically set so it will vastly increase your export RSC size but for mid to higher range devices this shouldn’t be an issue.

More to come as I develop and increase my blacklisting capabilities.

 

hAP Mini Configuration

I’ve recorded my hAP Mini config video a couple of times so far and still not found a version I like. It is in the pipelines though however I’m thinking that trying to include low powered device optimisation into the same video is a bad thing. Maybe that should be it’s own video?

Either way I’ve configured my new “toy” a couple of times now and have been really amazed by what I was able to push through it. Bearing in mind this is a low powered single core unit out of the box with a handful of firewall rules and NAT it was able to push 94Mb whilst maintaining only 88% of CPU utilisation (minus whatever it was using for me watching Winbox).

Testament to my previous fasttrack learning curve though, once I put a couple of fasttrack rules into the firewall that same 94Mb was achieved on just 22% of CPU utilisation (again whilst I had Winbox open so minus a few % for that.

I seem to be finding 94Mb as a limitation though, this will no doubt be in part due to the unit only being 10/100 and losing some overhead from that but I’m amazed how viable this thing is, even to the point that it would be able to be used for VDSL in the UK with no detriment.

Please keep your eyes peeled for some soon to come videos regarding the hAP mini, potentially a config and then a more broad stroke efficiency ideas.