March 2026
M	T	W	T	F	S	S
	1
2	3	4	5	6	7	8
9	10	11	12	13	14	15
16	17	18	19	20	21	22
23	24	25	26	27	28	29
30	31

Archive for the ‘Internet’ Category

Mikrotik – Choosing your SFP/SFP+ modules and direct access cables

Posted by jpluimers on 2017/05/09

For hooking up SFP and SFP+ ports on Mikrotik devices you basically have two options:

Direct Access Cable (passive and affordable for 1 and 2 meters; active and more expensive for more than 3 meters)
SFP/SFP+ modules with LC-LC optic fiber cable in between them (pairs of modules are more expensive than passive DAC, but the fiber is a lot cheaper)

Choosing the SFP/SFP+ modules is a bit intimidating as the MikroTik SFP module compatibility table – MikroTik Wiki has very few details.

Then I found sfp_all-150601132341.pdf (archived) which lists many of the SFP and SFP+ modules including their specifications.

Since neither the matrix nor the PDF contains links to the products, here is a small list of what I could source last year and is compatible with both the CCR1009 routeres and CRS226 switches:

DAC allowing for two-way traffic compatible with both SFP and SFP+:
- S+DA0001: SFP+ 1m direct attach cable
- S+DA0003: SFP+ 3m direct attach cable
10G SFP+ modules (I think they are compatible with SFP as well):
- S+2332LC10D: bidirectional kit of 2 modules (a pair of S+23LC10D and S+32LC10D)
- S+85DLC03D: compatible with LC optical fiber cable
- S+31DLC10D: compatible with LC optical fiber cable
1G SFP modules:
- S-85DLC05D: compatible with LC optical fiber cable
- S-31DLC20D: compatible with LC optical fiber cable
- S-3553LC20D bidirectional kit of 2 modules (a pair of S-35LC20D and S35DLC20D)
- S-RJ01: compatible with RJ45 copper

–jeroen

via: Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS

Posted in Internet, MikroTik, Power User, routers | Leave a Comment »

Some links for MikroTik tips and scripts

Posted by jpluimers on 2017/04/25

MikroTik has great hardware, but getting things to work can be a bit ehm intimidating.

So here are some links that were useful getting my CCR1009 and CRS226 configurations to do what I wanted.

Saving your configuration (two possibilities: binary backup file which only works on the same physical model device, or text based configuration export script that you can import back to any model).
- When you import a configuration, those settings are added to your current configuration.
- If your configuration gets more complex, it pays to split the textual exports into logical blocks so you can import each of them individually.
- You can even put the downloaded exports into a version control system like Git or SVN.
- The exported configurations are stored in the file system. You cannot manually rename these files, but there is a scripting trick to perform the rename.
- You can download the exported configurations from the UIs in webfig, winbox or through sftp after configuring certificate logon.
Choosing ports for WAN and LAN
- On the CCR1009, the first 4 ports can be used for switching (see also other ref), so it makes sense using those for LAN and others for WAN as it can increase speed: CCR 1009 switch chip menu – MikroTik RouterOS
  - Just look at the block diagrams of the various CCR1009-8G-1S models (currently CCR1009-8G-1S-PC, CCR1009-8G-1S-1S+, CCR1009-8G-1S-1S+PC) as they all have the first four ports connected to an Atheros 8327 Gigabit Switch chip.
  - All ports of the CRS226 models (CRS226-24G-2S+RM and CRS226-24G-2S+IN) are connected through the combined QCA8519-AC2C switching and CPU chip).
  - Note that the switching chips won’t allow for Torch. But you can find the MAC addresses per physical switch ports in the unicast FDBs: Switch -> Unicast FDB shows you every mac and the physical port it is connected to.
Never ever use the domain named .local for your local domain if you have Apple devices in your network:
- .local is a reserved dns domain by the apple os and should not be used if you expect apple devices to work as expected.
Many people like Winbox because they prefer visual configuration. Others like the web or terminal interface better (the terminal is especially useful for scripts)
- Windows Winbox: MikroTik Routers and Wireless: Downloads
- Mac OS X Winbox: “Winbox” by MikroTik with Wine in order to make it usable on Mac – Joshaven.com
Manual:First time startup – MikroTik Wiki (default password for admin is empty; WinBox and web-interface are available on WAN *and* LAN interfaces!)
- Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
One of the first things I did was binding some ports to use LAN and others to use WAN. The LAN ports are in a bridge: Configure one port for WAN and others for LAN – MikroTik RouterOS
Manual:IP/DHCP Server – MikroTik Wiki and Manual:IP/Pools – MikroTik Wiki
- I had a lot of DHCP entries on my LAN before switching to the MikroTik for which some I wanted to add statically. Couldn’t find out how to do that in the IP pool, but it appeared there is a different way to do it:
  - Assign fixed / static IP address via Mikrotik DHCP server
  - Notes:
    1. the MAC address cab be either (:) separated or minus (-) separated. And yes: there is a RegEx for that.
    2. usually you don’t pass the client-id (it’s here just as an example that you could use it, but most DHCP clients do NOT use a client-ID, as they only use the MAC address)
  - /ip dhcp-server lease add address=192.168.100.10 mac-address=70:F1:A1:D1:49:49 client-id="client10"
Manual:IP/DNS – MikroTik Wiki
- If you use the MikroTik as a caching DNS server, then you need to enable “/ip dns set allow-remote-requests=yes”, but also immediately disable DNS TCP and UDP on all your WAN ports. See:
  - Client DNS issue (reddit)
  - Firewall filter rules for DNS – MikroTik RouterOS
  - /ip firewall filter add chain=input protocol=tcp dst-port=53 action=drop in-interface=!bridge_lan add chain=input protocol=udp dst-port=53 action=drop in-interface=!bridge_lan
  - If you run your internal DNS servers for the outside world, modify the rules to forward non non-LAN ports; see https://www.youtube.com/watch?v=X-wkLYKYaj8: How to redirect DNS to own DNS server using mikrotik routerboard
  - You can add statis DNS entries to your caching server; see https://www.youtube.com/watch?v=zDEx7TxCm1s: Mikrotik Training- Static DNS Entries (With Closed Captioning)
nslookup on the Mikrotik itself is called put[: resolv ...] syntax: nslookup on Mikrotik – MikroTik RouterOS
- Examples (first uses the internal DNS, second one one of the Google DNS servers):
  - put [:resolve shell.xs4all.nl]
  - put [:resolve shell.xs4all.nl 8.8.8.8]
  - put [:resolve 194.109.21.9]
tolaris.com · Synchronising DHCP and DNS on Mikrotik routers (script available on Github: Tolaris/mikrotik-dns-dhcp).
- via MikroTik – Automatically creating DNS record for each DHCP lease/client – GeekTank
- alternatives:
  - Mikrotik DHCP to DNS hostnames | BLOG.MESOUUG.COM
  - Setting static DNS record for each DHCP lease – MikroTik Wiki
Hardening (since my Guest WiFi is outside of the Mikrotik LAN and WAN realm, I’ve left some things open, for instance MAC service is available, but on a limit set of interfaces):
- Router Hardening — Manito Networks
- Not sure if disabling Neighbour discovery is a good thing, as it will disable this from the console as well
  /ip neighbor print;
  - Mikrotik Howto block Winbox Discovery + Limit Winbox Access | Syed Jahanzaib Personal Blog to Share Knowledge !
- Blacklist Filter update script – MikroTik RouterOS
  - As the above is much better maintained it is preferred over Spamhaus + Dshield Malicious Ip Blacklist For RouterOS Now Availalable GRATIS! – MikroTik RouterOS
Manual:Upgrading RouterOS – MikroTik Wiki
- http://web.archive.org/web/*/http://www.mikrotik.com/download/CHANGELOG_6
Manual:IP/Route – MikroTik Wiki (if you think routing is a massive topic, read about firewall rules).
Not sure this is a good idea, but you can get a DDNS address in the sn.mynetname.net domain and VPN to it (for instance using PPTP): Quick Set Home AP — How to use vpn provided? – MikroTik RouterOS
You need to setup both the clock (date/time) and SNTP in one step:
- Setup SNTP (Winbox) aka NTP (shell): /system ntp client set enabled=yes server-dns-names=0.pool.ntp.org,1.pool.ntp.org,2.pool.ntp.org,3.pool.ntp.org
  After a few seconds the Winbox will update the SNTP Client dialog and a few seconds later, the Clock dialog will also update itself.
Manual:IP/Firewall/NAT – MikroTik Wiki
- dstnat: Forwarding a port to an internal IP – MikroTik Wiki and https://www.youtube.com/watch?v=8sGL58AhQCQ:
  Mikrotik Training- Port Forwarding (With Closed Captioning)
- srcnat: getting NAT to work
- Hairpin NAT – MikroTik Wiki
- netmap vs srcnat/dstnat: IP Firewall rules, need help with optimization – MikroTik RouterOS
I like these ones as they use Winbox:
- Mikrotik – Setup – Powered by Kayako Help Desk Software
- Manual:Initial Configuration – MikroTik Wiki
Sharing Ideas … Mikrotik with Kannel/playSMS
- via: Mikrotik Related | Syed Jahanzaib Personal Blog to Share Knowledge !
- Mikrotik Firewall / Short Notes + Scripts
Connect CCR1009 with CSR226 over a longer distance than 3 meter – MikroTik RouterOS
Graphing: ensure you only limit this to IP-addresses that you want graphs to be visible on (0.0.0.0/0 makes it visible to ALL): Manual:Tools/Graphing – MikroTik Wiki
DNS – MikroTik RouterOS: I would like to have my router to stop all the DNS coming from my clients and not reaching my ISP provider.
Email sending can now also use the DNS-name of the SMTP server: Why does the email server configuration only allow IP-addresses? – MikroTik RouterOS
Dynamic DNS Update Script for No-IP DNS for Router OS V.6.7 – MikroTik RouterOS
Script for Ransomware Tracker by abuse.ch. Tracking Ransomware Infrastructure around the globe. Source: How I fight ransomware (crypto viruses) with Mikrotik – MikroTik RouterOS
/ip firewall mangle add chain=prerouting action=change-ttl new-ttl=increment:1
very simple solution for a traceroute to Hide ip address – MikroTik RouterOS
Using staged address list to perform Bruteforce login prevention – MikroTik Wiki

Very advanced stuff:

Packet flow (maybe the toughest part to wrap your head around):

Manual:Packet Flow – MikroTik Wiki (with diagrams on RouterOS 6.x and 3.x can flow).
Manual:Packet Flow v6 – MikroTik Wiki (with updated RouterOS 6.x diagram).
New Packet flow diagram – Page 2 – MikroTik RouterOS (Visio / PDF version of an even newer diagram)

Scripts:

Load balancing:

Syntax highlighting:

Syntax highlighting and completions for Sublime Text – MikroTik RouterOS
- See also: mikrotik/editors/Sublime3 at master · martinclaro/mikrotik and mikrotik/editors/Sublime2 at master · martinclaro/mikrotik and Kentzo/MikrotikScript: Syntax highlighting and completions for the Mikrotik Scripting language for the Sublime Text editor
external editor syntax highlighting – MikroTik RouterOS (Notepad++, Textpad, VIM, EditPlus – look for the word Download and the .zip, .rar and .gz extensions)
- See also: mikrotik/syntax at master · olejor/mikrotik
Atom: language-routeros-script and ofstudio/atom-language-routeros-script: MikroTik RouterOS script language support in Atom
TextMate2: tiktuk / RouterOS.tmbundle — Bitbucket
GEdit: webpagetech/gedit-routeros: Mikrotik RouterOS code syntax highlighting for .rsc Files
Notepad++: jtroybailey/RouterOS-Notepad—Syntax-Highlighting: Syntax highlighting for routeros exports in notepad++

Pictures

CCR1009-8G-1S-1S+ General info & Questions – MikroTik RouterOS

Very well written blog:

Manito Network’s Mikrotik solutions blog. In-depth articles on Mikrotik routing, security, best practices, VPN, and more.

Source: Mikrotik — Manito Networks

Solutions for RouterOS-based Mikrotik networks. Includes security and best practices, VPN, routing, switching, and more.

Source: Mikrotik-1 — Manito Networks

–jeroen

Posted in DNS, Internet, IPSec, MikroTik, Network-and-equipment, OpenVPN, Power User, PPTP, routers, VPN | Leave a Comment »

Powering Raspberry Pi devices from a Fritz!Box USB connection

Posted by jpluimers on 2017/03/30

I tried to power both Raspberry B+ and Raspberry 2 B devices via the USB ports of both a Fritz!Box 7490 and Fritz!Box 7360.

At first this works, but the Raspberry B+ devices over time would become unstable: not being able to ping and/or boot.

So below are some links on power requirements and powering Raspberry Pi A, B, A+, B+, 2B and zero.

Fazit/TL;DR: use an external power supply when available.

Read the rest of this entry »

Posted in *nix, Development, Fritz!, Fritz!Box, Hardware Development, Internet, Linux, openSuSE, Power User, Raspberry Pi, SuSE Linux | Leave a Comment »

Sniffers, Packet Capture – PFSenseDocs – cool, as it uses tcpdump/Wireshark format!

Posted by jpluimers on 2017/03/13

I hadn’t done a lot with pfSense in the past, which I regret a bit since I discovered this really cool feature: Sniffers, Packet Capture – PFSenseDocs.

The coolness isn’t so much that you can capture packets, but that it’s compatible with tcpdump and Wireshark (which has become available natively for Mac like 2 years ago).

Which means that you can download captures and open them in Wireshark.

So it’s as easy as 1,2,3:

Set-up the capture on your router https://a.b.c.d/diag_packet_capture.php and start it
Stop the capture and download the file
Open the file in Wireshark or convert it to text using tshark

–jeroen

Posted in *nix, *nix-tools, Internet, Monitoring, pfSense, Power User, routers, tcpdump, Wireshark | Leave a Comment »

Getting the IP addresses of gmail MX servers – via Super User – dig isn’t enough

Posted by jpluimers on 2017/03/06

I needed the current IP-addresses of the gmail MX server (don’t ask the details; but it has to do with the brain-dead TP-LINK ER5120 configuration possibilities).

This is the command I finally used:

dig @8.8.8.8 +short MX gmail.com | sed "s/^[0-9]* //g" | sed "s/.$//" | xargs -I {} dig @8.8.8.8 +short {} | uniq | sort

Basically it’s a three stage sequence which had to work on OS X as well as Linux using a bash shell:

Use the Google DNS servers (either 8.8.8.8 or 8.8.4.4)
Get the FQDNs of MX records of gmail.com which are the mail servers for GMail.
Translate these in IPv4 addresses
Filter into a distinct list (just in case entries are duplicate: they aren’t yet, but might be)

The basics of the above are about using dig to get short (or terse) answers with as little (but still to the point) information as possible.
Read the rest of this entry »

Posted in *nix, *nix-tools, DNS, Power User | 1 Comment »

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Posted by jpluimers on 2017/03/06

DNS traffic within corporate networks should also be considered a channel that an attacker can use to implement a fully functional, bidirectional C2 infrastructure.

Source: [WayBack] Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

–jeroen

Posted in DNS, Internet, Power User, Security | Leave a Comment »

Multiple wifi access points / seamless handoff – Spiceworks

Posted by jpluimers on 2017/01/27

These seem to be the brands to look into:

Ubiquiti
Meraki
Ruckus

Source: Multiple wifi access points / seamless handoff – Spiceworks

–jeroen

Posted in Internet, Power User, Ubiquiti, WiFi | Leave a Comment »

Convert FRITZ!Box 7360 to Managed Switch (or even Access Point) having it’s own IP address: Setting up the FRITZ!Box as an IP client – via AVM International

Posted by jpluimers on 2017/01/23

This was a tad difficult to find as I searched for “Convert Fritz!Box to Switch” instead of “Convert Fritz!Box to Access Point”.

Since I had an old Fritz!Box 7360 lying around (from my ADSL era) and wanted to extend the cabled LAN for my brothers Fritz!Box 7490 with some low-bandwidth devices (max 100 megabit/second) I searched for Switch. My bad.

Oh I had to factory reset it as well as I forgot the management credentials. The AVM help on this is cumbersome: Loading the FRITZ!Box factory settings | FRITZ!Box 7360 | AVM International but the xs4all help includes a web-reset procedure as part of Internet: Reset procedures van mijn FRITZ!Box 7360 which translates to:

Switch off the Fritz!Box (as this procedure needs to be done within 10 minutes of switching it on)
Connect LAN2 to your computer
Switch on the Fritz!Box
Wait for a DHCP IP or (if you know the IP addresses) configure IP manually
Go to the web-interface URL
Indicate you forgot your password:
Forgot your password?
Indicate you want a factory reset:
Restore Factory Settings

Anyway: with the above steps it becomes a Managed Switch (and if you don’t disable WiFi: Access Point too) that uses the primary internet connection as DHCP server (so it gets an IP address itself as well which means you can manage it).

Read the rest of this entry »

Posted in ADSL, Fritz!, Fritz!Box, Internet, Power User | Leave a Comment »

linux port forwarding to external ip – Google Search

Posted by jpluimers on 2017/01/20

For my Link Archive via linux port forwarding to external ip – Google Search:

Need to look at this more closely, but it looks like you need PREROUTING, FORWARD and POSTROUTING and two NATs (DNAT and SNAT), as this graph from Port Forwarding Using iptables – SysTutorials shows:

PACKET IN
    |
PREROUTING--[routing]-->--FORWARD-->--POSTROUTING-->--OUT
 - nat (dst)   |           - filter      - nat (src)
               |                            |
               |                            |
              INPUT                       OUTPUT
              - filter                    - nat (dst)
               |                          - filter
               |                            |
               `----->-----[app]----->------'

–jeroen

Posted in *nix, *nix-tools, Internet, Internet protocol suite, iptables, Linux, openSuSE, Power User, routers, SuSE Linux, TCP | Leave a Comment »

In this tutorial you will learn how to configure pfSense to load balance and…

Posted by jpluimers on 2017/01/13

In this tutorial you will learn how to configure pfSense to load balance and fail over traffic from a LAN to multiple Internet connections (WANs) i.e.… – Joe C. Hecht – Google+

Source: In this tutorial you will learn how to configure pfSense to load balance and…

Posted in Internet, pfSense, Power User, routers | Leave a Comment »

« Previous Entries

Next Entries »

	Attila Kovacs on Crowbarring Windows 95 into Wi…
	Jeroen Wiert Pluimer… on Does Odido (the old T-Mobile N…
	Lars Fosdal on Security alarm provider Woonve…
	Thomas Mueller on Question got closed in May 202…
	Thaddy de Koning on Formulier voor bewindvoerders…

The Wiert Corner – irregular stream of stuff

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

Twitter Updates

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Internet’ Category

Mikrotik – Choosing your SFP/SFP+ modules and direct access cables

Some links for MikroTik tips and scripts

Powering Raspberry Pi devices from a Fritz!Box USB connection

Sniffers, Packet Capture – PFSenseDocs – cool, as it uses tcpdump/Wireshark format!

Getting the IP addresses of gmail MX servers – via Super User – dig isn’t enough

Trojans communicating through DNS: Cisco’s Talos Intelligence Group Blog: Covert Channels and Poor Decisions: The Tale of DNSMessenger

Multiple wifi access points / seamless handoff – Spiceworks

Convert FRITZ!Box 7360 to Managed Switch (or even Access Point) having it’s own IP address: Setting up the FRITZ!Box as an IP client – via AVM International

linux port forwarding to external ip – Google Search

In this tutorial you will learn how to configure pfSense to load balance and…

Jeroen W. Pluimers on .NET, C#, Delphi, databases, and personal interests

Subscribe

Archives

Recent Comments

Recent Posts

Blog Stats

Meta title

Tag Cloud Title

Top Clicks

Top Posts

My badges

My Flickr Stream

Pages

All categories

Email Subscription

Archive for the ‘Internet’ Category

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this:

Rate this:

Share this: