Tuesday 12 July 2011

netinstall and rs-232

Every now and then you may need to wipe the flash memory (NAND) on a MikroTik RouterBoard and reload RouterOS using the Netinstall tool (google: mikrotik netinstall).

In this case I installed the Dude agent (really the full version) on a test RB411 running rc5.07 and let it save the Dude database on the default flash memory (NAND). The database consumed all the free NAND space; I removed the Dude agent but the database remained hidden on the flash. Won't do that again... always save the Dude database to a USB device or an SD module (if supported).

To flash the NAND with RouterOS you need a null-modem RS-232 cable to tell the RouterBoard (on units that have an RS-232 port) to boot from the Ethernet port rather than from NAND. The problem was that RS-232 ports on PCs are a little rare these days, so I did the following.

1. Connected the RB411 needing the reflash, via the null-modem RS-232 cable, to the RS-232 port on my working RB433UAH.
2. On the working RB433UAH, under "/system/ports/remote access", I removed the remote-access entry so the serial port was free,
    - then from the terminal: "/system serial-terminal serial0"
3. Opened another terminal window and booted the RB411. This let me break into the boot sequence and tell it to boot from Ethernet, using the terminal screen on my RB433UAH.

re: http://wiki.mikrotik.com/wiki/Manual:System/Serial_Console

I should get another USB-to-RS-232 adapter again... I misplaced the last one I had, which would have saved the above. You still need the RS-232 null-modem cable; I used an old Cisco management cable with 9-pin heads on each end.

Dynamic address lists and port knocking

Something that stands out as a nice firewall feature is address lists (/ip/firewall/address-list). I was talking with a third party who was surprised that these could be used to keep some ports on the external WAN interface (or your PPPoE interface) hidden until unlocked.

Using port knocking (google it), you define a firewall rule on a TCP or UDP port which, when a packet arrives, records the source IP in an address list for 5 seconds. Following that rule, a second rule on another TCP or UDP port checks whether the source IP is already in the first address list (i.e. it knocked within the last 5 seconds); if so, it adds the source IP to a "good guys" address list.

A third firewall rule covers the port you actually want to reach (say RDP on 3389/tcp): if your source IP is in the good guys address list, the rule lets you connect; everyone else is dropped by the normal rules, so the port looks closed to a scanner.

This isn't a replacement for any VPN solution, just a simple way to sort-of restrict access to common ports like RDP. Port knock apps exist for the iPhone/iPad/Android/PC, so it's a simple way to stop bots from hammering the RDP port. Keep in mind that the knock packets travel in the clear: anyone who can sniff your traffic can replay the sequence, so this hides the port from scanners but does not authenticate you.
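The three rules above written out as RouterOS firewall configuration. This is an added example, not config from the original post; the WAN interface name ether1, the knock ports 7000 then 6000, the inside RDP host 192.168.88.10 and the list names are all assumptions. It goes slightly beyond the post in that it forwards RDP to an inside host with dst-nat rather than only accepting it on the router itself.

```routeros
# Added example (not from the original post). Assumed: WAN interface "ether1",
# knock ports 7000 then 6000, RDP host 192.168.88.10 behind the router.

/ip firewall filter
# Stage 1: a TCP packet to port 7000 from the WAN side records the source
# address in "knock-stage1" for 5 seconds. The port itself is never opened.
add chain=input in-interface=ether1 protocol=tcp dst-port=7000 \
    action=add-src-to-address-list address-list=knock-stage1 \
    address-list-timeout=5s comment="port knock stage 1"

# Stage 2: a packet to port 6000 counts only if the source is still in
# knock-stage1, i.e. it knocked within the last 5 seconds. Success puts the
# source in "goodguys" for one hour.
add chain=input in-interface=ether1 protocol=tcp dst-port=6000 \
    src-address-list=knock-stage1 \
    action=add-src-to-address-list address-list=goodguys \
    address-list-timeout=1h comment="port knock stage 2"

# Drop the knock ports themselves so they look closed to everyone.
add chain=input in-interface=ether1 protocol=tcp dst-port=6000,7000 \
    action=drop comment="knock ports stay closed"

# RDP reaches the inside host only from addresses in goodguys; every other
# connection to 3389 on the WAN is dropped, so a scanner sees nothing.
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    src-address-list=goodguys action=accept comment="RDP for knockers"
add chain=forward in-interface=ether1 protocol=tcp dst-port=3389 \
    action=drop comment="RDP for everyone else"

/ip firewall nat
# Translate 3389 on the WAN address to the inside host for everyone; the
# forward rules above decide who actually gets through.
add chain=dstnat in-interface=ether1 protocol=tcp dst-port=3389 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=3389 \
    comment="RDP dst-nat"
```

Two practical points. The second knock port is deliberately lower than the first: a port scanner walking up from 1 hits 6000 before 7000, so a plain sequential scan cannot stumble into the goodguys list by accident. And these rules must sit above your usual "drop everything else on input" rule, which is still needed for the hidden ports to look closed; you can watch the lists fill with `/ip firewall address-list print`.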

Monday 11 July 2011

OmniTIK-5HnD: 5GHz outdoor MIMO Base Station

I see big things for this 5 GHz MIMO all-in-one access point. The fact that it's MIMO with the antennas built in makes it a simple install for those small sites needing a wireless bridge between buildings.

http://shop.duxtel.com.au/product_info.php?cPath=30&products_id=145