  1. Well folks, as the title says, for a while now my MikroTik simply stops responding! It freezes, let's say; even when I access it locally it is frozen and everything stops. I believe some firewall rule may be causing this, but I'm not sure... anyway, my configs follow below and I hope someone can help me; this is driving me crazy... it has no set time to freeze, it just decides to freeze out of nowhere... memory, motherboard, HD, etc. have all been tested and everything is OK... it simply freezes 2 days after I add the rules to the FW... I tested 3.13 and 3.27, both freeze..

    MikroTik x86 v3.13 (Core Duo 2.66, 1 GB DDR667, 160 GB IDE HD)
    Auth type: PPPoE
    Client IP range -> 10.2.0.1-10.2.5.254
    Server IP range -> 10.1.0.1-10.1.5.254

    ====> NOTE THAT SOME RULES SHOW AS DISABLED, BUT ALL OF THEM WERE TESTED ENABLED <=======

    Code:
    [a@MikroTik] /ip firewall filter> export
    # aug/05/2009 22:11:21 by RouterOS 3.13
    #
    /ip firewall filter
    add action=accept chain=input comment="Allow related connections" connection-state=related disabled=no
    add action=drop chain=input comment="Drop invalid connections" connection-state=invalid disabled=no
    add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
    add action=drop chain=input comment="Barrar brute forca para ftp" disabled=no dst-port=211 protocol=tcp src-address-list=ftp_blacklist
    add action=accept chain=output comment="" content="530 Login incorrect" disabled=no dst-limit=1/1m,9,dst-address/1m protocol=tcp
    add action=add-dst-to-address-list address-list=ftp_blacklist address-list-timeout=3h chain=output comment="" content="530 Login incorrect" disabled=no \
        protocol=tcp
    add action=drop chain=input comment="drop ssh brute forcers" disabled=no dst-port=222 protocol=tcp src-address-list=ssh_blacklist
    add action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=1w3d chain=input comment="" connection-state=new disabled=no dst-port=222 \
        protocol=tcp src-address-list=ssh_stage2
    add action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=222 \
        protocol=tcp src-address-list=ssh_stage1
    add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=222 \
        protocol=tcp
    add action=drop chain=input comment="detect and drop port scan connections" disabled=no protocol=tcp psd=21,3s,3,1
    add action=tarpit chain=input comment="suppress DoS attack" connection-limit=3,32 disabled=no protocol=tcp src-address-list=black_list
    add action=add-src-to-address-list address-list=black_list address-list-timeout=1d chain=input comment="detect DoS attack" connection-limit=10,32 disabled=no \
        protocol=tcp
    add action=jump chain=input comment="jump to chain ICMP" disabled=no jump-target=ICMP protocol=icmp
    add action=accept chain=ICMP comment="0:0 and limit for 5pac/s" disabled=no icmp-options=0:0-255 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="3:3 and limit for 5pac/s" disabled=no icmp-options=3:3 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="3:4 and limit for 5pac/s" disabled=no icmp-options=3:4 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="8:0 and limit for 5pac/s" disabled=no icmp-options=8:0-255 limit=5,5 protocol=icmp
    add action=accept chain=ICMP comment="11:0 and limit for 5pac/s" disabled=no icmp-options=11:0-255 limit=5,5 protocol=icmp
    add action=drop chain=ICMP comment="Drop everything else" disabled=no protocol=icmp
    add action=drop chain=input comment="block external dns link1" disabled=no dst-port=53 in-interface=pppoe-out1 protocol=tcp
    add action=drop chain=input comment="" disabled=no dst-port=53 in-interface=pppoe-out1 protocol=udp
    add action=drop chain=input comment="block external dns link2" disabled=no dst-port=53 in-interface=pppoe-out2 protocol=tcp
    add action=drop chain=input comment="" disabled=no dst-port=53 in-interface=pppoe-out2 protocol=udp
    add action=accept chain=input comment="allow external connections to winbox" disabled=yes dst-port=8291 in-interface=pppoe-out1 protocol=tcp
    add action=accept chain=input comment="allow safe-list" disabled=no src-address-list=safe
    add action=accept chain=forward comment="" disabled=no src-address-list=safe
    add action=accept chain=output comment="" disabled=no src-address-list=safe
    add action=accept chain=input comment="allow dns/local networks" disabled=no dst-port=53 protocol=tcp
    add action=accept chain=input comment="" disabled=no dst-port=53 protocol=udp
    add action=drop chain=input comment="drop tcp traffic clients/router" disabled=yes protocol=tcp src-address=10.2.0.0/16
    add action=drop chain=input comment="drop udp traffic clients/router" disabled=yes protocol=udp src-address=10.2.0.0/16
    add action=accept chain=forward comment="allow traffic clients/isp proxy on port #3128" disabled=yes dst-address=10.10.10.2 dst-port=3128 protocol=tcp
    add action=drop chain=forward comment="drop traffic clients/isp proxy" disabled=yes dst-address=10.10.10.2 protocol=tcp src-address=10.2.0.0/16
    add action=drop chain=forward comment="drop traffic clients/isp proxy" disabled=yes dst-address=10.10.10.2 protocol=udp src-address=10.2.0.0/16
    add action=drop chain=forward comment="drop access clients/isp network" disabled=yes dst-address=172.16.0.0/24 protocol=tcp src-address=10.2.0.0/16
    add action=drop chain=forward comment="p2p simple filter" disabled=no p2p=all-p2p src-address=10.2.0.0/16
    add action=drop chain=forward comment="block p2p on hideen ports" disabled=no protocol=udp src-port=0
    add action=drop chain=forward comment="" disabled=no dst-port=0 protocol=udp
    add action=drop chain=forward comment="" disabled=no protocol=tcp src-port=0
    add action=drop chain=forward comment="" disabled=no dst-port=0 protocol=tcp
    add action=drop chain=forward comment="Limitando numero conexoes simultaneas 25 por cliente" connection-limit=10,32 disabled=no packet-mark=!semlimite \
        protocol=tcp src-address=10.2.0.0/16 tcp-flags=syn
    add action=drop chain=forward comment="Bogons IPs Drop" disabled=yes src-address-list=BOGONS
    add action=jump chain=forward comment="!!! Check for well-known viruses !!!" disabled=no jump-target=virus
    add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=135-139 protocol=tcp
    add action=drop chain=virus comment="Drop Messenger Worm" disabled=no dst-port=135-139 protocol=udp
    add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=tcp
    add action=drop chain=virus comment="Drop Blaster Worm" disabled=no dst-port=445 protocol=udp
    add action=drop chain=virus comment=________ disabled=no dst-port=593 protocol=tcp
    add action=drop chain=virus comment=________ disabled=no dst-port=1024-1030 protocol=tcp
    add action=drop chain=virus comment="Drop MyDoom" disabled=no dst-port=1080 protocol=tcp
    add action=drop chain=virus comment=________ disabled=no dst-port=1214 protocol=tcp
    add action=drop chain=virus comment="ndm requester" disabled=no dst-port=1363 protocol=tcp
    add action=drop chain=virus comment="ndm server" disabled=no dst-port=1364 protocol=tcp
    add action=drop chain=virus comment="screen cast" disabled=no dst-port=1368 protocol=tcp
    add action=drop chain=virus comment=hromgrafx disabled=no dst-port=1373 protocol=tcp
    add action=drop chain=virus comment=cichlid disabled=no dst-port=1377 protocol=tcp
    add action=drop chain=virus comment=Worm disabled=no dst-port=1433-1434 protocol=tcp
    add action=drop chain=virus comment="Bagle Virus" disabled=no dst-port=2745 protocol=tcp
    add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=2283 protocol=tcp
    add action=drop chain=virus comment="Drop Beagle" disabled=no dst-port=2535 protocol=tcp
    add action=drop chain=virus comment="Drop Beagle.C-K" disabled=no dst-port=2745 protocol=tcp
    add action=drop chain=virus comment="Drop Backdoor OptixPro" disabled=no dst-port=3410 protocol=tcp
    add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=tcp
    add action=drop chain=virus comment=Worm disabled=no dst-port=4444 protocol=udp
    add action=drop chain=virus comment="Drop Sasser" disabled=no dst-port=5554 protocol=tcp
    add action=drop chain=virus comment="Drop Beagle.B" disabled=no dst-port=8866 protocol=tcp
    add action=drop chain=virus comment="Drop Dabber.A-B" disabled=no dst-port=9898 protocol=tcp
    add action=drop chain=virus comment="Drop MyDoom.B" disabled=no dst-port=10080 protocol=tcp
    add action=drop chain=virus comment="Drop Dumaru.Y" disabled=no dst-port=10000 protocol=tcp
    add action=drop chain=virus comment="Drop NetBus" disabled=no dst-port=12345 protocol=tcp
    add action=drop chain=virus comment="Drop Kuang2" disabled=no dst-port=17300 protocol=tcp
    add action=drop chain=virus comment="Drop SubSeven" disabled=no dst-port=27374 protocol=tcp
    add action=drop chain=virus comment="Drop PhatBot, Agobot, Gaobot" disabled=no dst-port=65506 protocol=tcp
    add action=accept chain=input comment="Allow UDP FW" disabled=no protocol=udp
    add action=drop chain=input comment="Log and drop everything else" disabled=yes
    add action=return chain=virus comment="" disabled=yes

    CONTINUED ON NEXT PAGE

  2. Code:
    /ip firewall mangle
    add action=mark-connection chain=forward comment="Proxy Squid Hit" content="X-Cache: HIT" disabled=yes new-connection-mark=forward-hits passthrough=yes
    add action=mark-packet chain=forward comment="" connection-mark=forward-hits disabled=yes new-packet-mark=cache-hits passthrough=no
    add action=mark-connection chain=postrouting comment="Proxy Squid ZPH Hit" disabled=yes dscp=12 new-connection-mark=proxy-hits passthrough=yes
    add action=mark-packet chain=postrouting comment="" connection-mark=proxy-hits disabled=yes new-packet-mark=proxy-squid passthrough=no
    add action=mark-routing chain=prerouting comment="SSL/MSN Routes" disabled=yes dst-port=443 new-routing-mark=route1 passthrough=yes protocol=tcp
    add action=mark-routing chain=prerouting comment="" disabled=yes dst-port=1863 new-routing-mark=route1 passthrough=yes protocol=tcp
    add action=mark-packet chain=forward comment="Marcando Pacotes Sem Limite Conexao" disabled=yes dst-port=21 new-packet-mark=semlimite passthrough=yes \
        protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=22 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=23 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=53 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=80 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=25 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=110 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=443 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=1863 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=3128 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=8080 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=10.2.0.0/16
    add action=mark-packet chain=forward comment="" disabled=yes dst-port=6891-6901 new-packet-mark=semlimite passthrough=yes protocol=tcp src-address=\
        10.2.0.0/16
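    A quick way to audit rule order in an export like the one above is to parse it and look at the input chain. The script below is an added example, not code from this thread: its EXPORT string is a constructed excerpt of the rules posted, and parse_export, matchers and audit_input_chain are names chosen here. It flags enabled accept rules that match a whole protocol (the "Allow UDP FW" rule accepts any UDP on any interface, including the PPPoE links, after the interface-specific DNS drops) and reports that the final catch-all drop is disabled.

```python
"""Parse a RouterOS '/ip firewall filter export' and audit its input chain.
Added example; EXPORT is a constructed excerpt of the rules in the thread."""
import shlex
EXPORT = r"""
/ip firewall filter
add action=accept chain=input comment="Allow established connections" connection-state=established disabled=no
add action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m chain=input comment="" connection-state=new disabled=no dst-port=222 \
    protocol=tcp
add action=drop chain=input comment="block external dns link1" disabled=no dst-port=53 in-interface=pppoe-out1 protocol=tcp
add action=accept chain=input comment="allow dns/local networks" disabled=no dst-port=53 protocol=tcp
add action=drop chain=input comment="drop tcp traffic clients/router" disabled=yes protocol=tcp src-address=10.2.0.0/16
add action=accept chain=input comment="Allow UDP FW" disabled=no protocol=udp
add action=drop chain=input comment="Log and drop everything else" disabled=yes
"""

# Keys that say what a rule does or how it is labelled, not what packets it matches.
NON_MATCHERS = {"action", "chain", "comment", "disabled", "jump-target",
                "address-list", "address-list-timeout", "log", "log-prefix"}

def parse_export(text):
    """Return the 'add' lines as dicts, joining RouterOS '\\' continuation lines."""
    rules, pending = [], ""
    for raw in text.splitlines():
        line = pending + raw.strip()          # continuation indent is dropped
        if line.endswith("\\"):
            pending = line[:-1]
            continue
        pending = ""
        if not line.startswith("add "):       # skip '/ip ...' headers and '#' lines
            continue
        rule = {}
        for token in shlex.split(line)[1:]:   # shlex keeps quoted comments whole
            key, _, value = token.partition("=")
            rule[key] = value
        rules.append(rule)
    return rules

def matchers(rule):   # an empty set means the rule matches every packet
    return {k for k in rule if k not in NON_MATCHERS}

def audit_input_chain(text):
    """Flag enabled accepts that match a whole protocol and check for a final drop."""
    chain = [r for r in parse_export(text) if r.get("chain") == "input"]
    enabled = [r for r in chain if r.get("disabled") != "yes"]
    broad = [r.get("comment", "") for r in enabled
             if r.get("action") == "accept" and matchers(r) <= {"protocol"}]
    last = enabled[-1] if enabled else {}
    return {"broad_accepts": broad,            # e.g. 'Allow UDP FW': any UDP, any interface
            "default_drop": last.get("action") == "drop" and not matchers(last),
            "disabled": [r.get("comment", "") for r in chain if r.get("disabled") == "yes"]}
```

Run audit_input_chain on the full export text to get the same report for every input-chain rule, including the address-list stages, which are not accepts and so are never flagged.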



  3. When it freezes, what does the log show? What is the average CPU load? Is it a PC? If so, is multi-cpu set to no or yes? Which packages are installed?

  4. Quote: Originally posted by sergio
    When it freezes, what does the log show? What is the average CPU load? Is it a PC? If so, is multi-cpu set to no or yes? Which packages are installed?
    Well, the log shows nothing; it's just that when I open the terminal it shows "rebooted by shutdown incorrect" blah blah blah, since after all I had to restart it by hand...

    The CPU never goes above 1%... As for the multi-cpu option, I don't know how to check it, nor how to enable or disable that function...

    Speaking of the FW, could you tell me whether the rules up there that block the rest of the input traffic to the router (tcp and udp), allowing only ports 53 and 3128, could be the problem? Causing some conflict with internal addresses?

    A list of the other IPs also follows:

    MK(10.10.10.1) PROXY (10.10.10.2) /30


    Installed packages follow:

    Code:
    Flags: X - disabled 
     #   NAME                    VERSION                    SCHEDULED              
     0   system                  3.13                                              
     1 X mpls                    3.13                                              
     2 X ipv6                    3.13                                              
     3   routerboard             3.13                                              
     4   wireless                3.13                                              
     5   hotspot                 3.13                                              
     6   dhcp                    3.13                                              
     7   routing                 3.13                                              
     8   ppp                     3.13                                              
     9   routeros-x86            3.13                                              
    10   security                3.13                                              
    11   advanced-tools          3.13
    Thanks a lot, Sergio!
    Last edited by tskstar; 05-08-2009 at 22:00.



  5. Remove the MPLS package. Under System > Resources you can see whether multi-cpu is active. Install syslog (it's in the downloads on the Mikrotikls site) on some machine on the network and configure the MikroTik to log to it.
