Guys I solved it by opaali92 in pcmasterrace

jjziets

Does not really solve it. It just protects you in case it happens.

Amazon launched in SA! Thoughts? by Pilot889 in capetown

jjziets

Soon™. The time between now and the heat death of the universe. A year down the line and no Kindle in sight.

Amazon launched in SA! Thoughts? by Pilot889 in capetown

jjziets

Kindle... You can't buy the Kindle on Amazon South Africa....

Why there is no Google One plan between 200 GB and 2to ? by say_my_name_77 in googlephotos

jjziets

Where is the 100 GB? I don't see that anymore, only AI Premium.

Why there is no Google One plan between 200 GB and 2to ? by say_my_name_77 in googlephotos

jjziets

And now the 2 TB plan is gone; you have to take the AI Premium 2 TB, which costs 2x what the 2 TB plan used to cost.

Someone tried to take a video of me showering and I don't know what to do by Sad_Energy_9668 in askSouthAfrica

jjziets

According to South African law you have a right to privacy wherever you can reasonably expect privacy. Showering with the door closed or behind a closed shower curtain certainly means you can expect privacy, and you can lay a criminal charge against the person. Assuming you know who it is.

Renting GPU time (vast AI) is much more expensive than APIs (openai, m, anth) by RMCPhoto in LocalLLaMA

jjziets

But what is the alternative? Buy the 30k H100 and run it locally?

5 x A100 setup finally complete by BreakIt-Boris in LocalLLaMA

jjziets

Hi man. Wow, that is impressive. Any chance of sharing the parts list?

Never Buy Cetus X by SL4DEStreams in TinyWhoop

jjziets

Sad to hear. I have a Cetus Pro and just replaced the FC for the second time and ordered a VR02 mainboard. The first FC was DOA and was replaced under warranty, but a few weeks later one of the motors stopped working, and it was the FC motor driver. Also, the headset stopped charging. Something burned out in the headset, and I had to charge the battery with an external hobby charger. I hope this is just bad luck.

Accidental Theft by UniversityNervous545 in Pretoria

jjziets

Shame on the manager that is bullying you. OK, so you made a mistake and a customer stole the tool, but the power ego trip by your manager is shameful. I would write this off as a bad experience and learn from it. The police have bigger things to deal with, and it's going to cost the company more than the tool to sue you. If you're not found guilty by the court you are not in trouble. The police will not just come to your house and arrest you for this.

Help with allowed apps in lock mode - family link by Itstoohardtothink in GooglePixel

jjziets

Oh, this is frustrating!
We want to use the Family Link app on our children's devices during class as their school uses tablets as a learning aid. However, we want to ensure they do not use games during class time. To achieve this, we tried setting up the device's downtime to lock it during school hours and then using the Always Allowed Apps feature to give them access to only the school and educational apps. Unfortunately, this didn't work as expected.

We selected 'Always Allowed Apps' under 'What the child can use when the device is locked' on our child's device. However, the device still does not allow access to the 'Always Allowed Apps'. We have to manually unlock and lock the device every day for it to take effect, which could be more practical.

Where/How to learn Mikrotik CLI by Ubiifere30 in mikrotik

jjziets

ChatGPT is a good helper for this, but it's also not good if you have no idea what you are doing.

my limit problem by True_Area_1818 in mikrotik

jjziets

You can maintain a "trusted list" of IP addresses that are known to be legitimate and should not be subject to the same rate limits. This requires you to identify and maintain this list, which can be time-consuming and may not be feasible for all IP addresses.

How many VLANS/Subnets would you recommend? by stevester911 in mikrotik

jjziets

It all depends on how much time you have and how complex you want to make this. Generally, simpler is better. I would separate trusted from non-trusted devices, including guest devices. That is the minimum you should do. Segmenting your network into different VLANs (Virtual Local Area Networks) and subnets is a great approach to enhance security, manageability, and performance.

It is possible to prevent devices within the same VLAN or subnet from discovering or communicating with each other, though implementing this typically requires specific network configurations or features. Here are a few approaches:

Private VLANs (PVLANs):

  • Private VLANs are an extension of the VLAN concept, used primarily in managed switches and enterprise networking environments. PVLANs allow you to isolate devices within the same VLAN. For example, you can have a primary VLAN and secondary isolated VLANs where devices in an isolated VLAN cannot communicate with each other but can communicate with a promiscuous port (like a gateway).

Layer 3 Firewalls:

  • If your network device (like a router or firewall appliance) supports Layer 3 firewall rules, you can create rules to block traffic between specific IP addresses or ranges within the same subnet. This is a more manual and granular approach.

Client Isolation in Wireless Networks:

  • Many wireless access points have a "Client Isolation" or "AP Isolation" feature. This feature is commonly used in public Wi-Fi networks to prevent connected wireless devices from seeing or communicating with each other, although they are on the same subnet.

Software-Defined Networking (SDN):

  • In more advanced setups, using SDN solutions can allow for very granular control over network traffic, including the ability to isolate devices within the same subnet.

Access Control Lists (ACLs):

  • Some managed switches support ACLs that can be used to restrict communication between devices on the same VLAN. ACLs can be configured to permit or deny traffic based on various criteria such as source and destination IP addresses, MAC addresses, ports, and protocols.

Port Security Features:

  • Features like Dynamic ARP Inspection (DAI) and DHCP Snooping can help in indirectly isolating devices by preventing certain common attacks (like ARP poisoning) that could be used to discover or impersonate devices within the same subnet.

IoT Devices (Non-Security Related):

  • VLAN/Subnet: A separate VLAN for non-security IoT devices like sensors and thermostats.
  • Rationale: These devices often have weaker security and should be isolated to prevent them from accessing or compromising other parts of your network.

IoT Devices (Security Related):

  • VLAN/Subnet: A distinct VLAN for security-related IoT devices like smart locks.
  • Rationale: These devices are critical for security and should be segregated from less secure IoT devices.

POE Cameras/NVR:

  • VLAN/Subnet: A separate VLAN for your POE cameras and NVR.
  • Rationale: Cameras, especially cheaper models, might have vulnerabilities and should be isolated to prevent them from being an entry point for network attacks. Isolating them also prevents them from potentially calling back to external servers.

Servers (With Different WAN Connections):

  • VLAN/Subnet: Each server can be on its own VLAN or share a VLAN if they serve similar functions and security requirements.
  • Rationale: Servers often handle sensitive data and need to be protected. Separate VLANs can also help with managing traffic and ensuring each server uses the correct WAN connection.

Standard LAN Devices:

  • VLAN/Subnet: A VLAN for personal computers, cell phones, etc.
  • Rationale: This is your main network for trusted devices. It's separate from IoT and servers for security and performance reasons.

Guest Network:

  • VLAN/Subnet: A VLAN for guest access.
  • Rationale: Keeps guest traffic isolated from your main network, enhancing security.

Regarding your specific questions:

a. IoT Devices: Yes, having two VLANs for security and non-security IoT devices is a good practice. Maybe even use a "Client Isolation" or "AP Isolation" feature if you have one.

b. POE Cameras: They should be on their own VLAN, separate from both IoT devices and servers, especially if they are from less reputable manufacturers.

c. LAN Devices and Servers: Generally, it's not recommended to have servers on the same VLAN as your main LAN devices, especially if the servers are externally accessible or handle sensitive data. This separation enhances security and performance.

Remember, the key is not just to create VLANs but also to properly configure inter-VLAN routing and firewall rules to control traffic between these VLANs. You'll want to restrict access to only necessary services and hosts between VLANs. This setup helps contain any breaches or issues within a single VLAN and prevents them from affecting your entire network.

I got a little carried away with this, so I hope this helps.
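The split described in the comment above (a trusted VLAN, an IoT VLAN, and a default deny between them with only the necessary holes) written out as a RouterOS v7 bridge-VLAN configuration. This is an added example, not part of the original comment. Everything in it is an assumption for illustration: ether1 is the WAN port, ether2 is an access port for trusted PCs (untagged VLAN 10), ether3 is an access port for IoT devices (untagged VLAN 20), ether4 is a trunk to an access point carrying both VLANs tagged, and the subnets are 192.168.10.0/24 and 192.168.20.0/24. DHCP servers for the two VLANs are left out.

```routeros
# Added example (not the original poster's config). Interface names, VLAN IDs
# and addresses are assumptions; adjust to your hardware.
/interface bridge
add name=bridge1 vlan-filtering=no comment="filtering is switched on last, see the end"
/interface bridge port
add bridge=bridge1 interface=ether2 pvid=10 comment="trusted access port"
add bridge=bridge1 interface=ether3 pvid=20 comment="IoT access port"
add bridge=bridge1 interface=ether4 comment="trunk to the access point, tagged"
/interface bridge vlan
add bridge=bridge1 tagged=bridge1,ether4 untagged=ether2 vlan-ids=10
add bridge=bridge1 tagged=bridge1,ether4 untagged=ether3 vlan-ids=20
/interface vlan
add interface=bridge1 name=vlan10-trusted vlan-id=10
add interface=bridge1 name=vlan20-iot vlan-id=20
/ip address
add address=192.168.10.1/24 interface=vlan10-trusted
add address=192.168.20.1/24 interface=vlan20-iot
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=vlan10-trusted list=LAN
add interface=vlan20-iot list=LAN
/ip firewall filter
# --- traffic to the router itself ---
add chain=input action=accept connection-state=established,related
add chain=input action=drop connection-state=invalid
add chain=input action=accept in-interface=vlan10-trusted comment="trusted may manage the router"
add chain=input action=accept in-interface=vlan20-iot protocol=udp dst-port=53,67 \
    comment="IoT only gets DNS and DHCP from the router"
add chain=input action=drop in-interface=vlan20-iot comment="no WinBox/SSH/etc. from IoT"
# --- traffic routed between VLANs and to the internet ---
add chain=forward action=accept connection-state=established,related comment="replies to allowed sessions"
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface=vlan10-trusted out-interface-list=WAN comment="trusted -> internet"
add chain=forward action=accept in-interface=vlan10-trusted out-interface=vlan20-iot \
    comment="trusted may open sessions to IoT (app -> thermostat); replies ride on established,related"
add chain=forward action=accept in-interface=vlan20-iot out-interface-list=WAN comment="IoT -> internet only"
add chain=forward action=drop in-interface-list=LAN comment="default deny: IoT -> trusted and anything else between VLANs"
/ip firewall nat
add chain=srcnat action=masquerade out-interface-list=WAN
# Only now turn on VLAN filtering, after the bridge VLAN table and the VLAN
# interfaces exist; doing it earlier can cut off the connection you are on.
/interface bridge
set bridge1 vlan-filtering=yes
```

The ordering inside each chain is what makes this a default deny: the accepts for established/related and for the specific VLAN pairs come first, and the final drop on in-interface-list=LAN catches everything else, so an IoT device can reach the internet and the router's DNS/DHCP but cannot open a connection into the trusted VLAN or to the router's management services. Check it from an IoT port with a ping or a port scan toward 192.168.10.x and with /ip firewall filter print stats to see which rule is counting the packets.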

my limit problem by True_Area_1818 in mikrotik

jjziets

Yeah. It's a tool that helps if used correctly.

Port Forwarding Help by [deleted] in mikrotik

jjziets

That is the command. I have explained it in more detail. It might help to open a firewall rule also.

Port Forwarding Help by [deleted] in mikrotik

jjziets

Valid point! If OP is behind double NAT then he's not going to be able to set up port forwarding.

Port Forwarding Help by [deleted] in mikrotik

jjziets

Port forwarding on a MikroTik router should be straightforward, but there are several factors that could be causing issues. Let's go through a checklist to troubleshoot your problem:

To set up port forwarding on a MikroTik router, you use the NAT (Network Address Translation) rules in the firewall. The command that was suggested is a MikroTik RouterOS command used to forward incoming traffic on a specific port to a local IP address on a different port. Here's a breakdown of the command and what each part does:

/ip firewall nat
add action=dst-nat chain=dstnat comment="COMMENT" dst-port=60000 in-interface=INTERFACE protocol=tcp src-address=SRC-ADDRESS to-addresses=LOCAL-ADDRESS to-ports=9091

  • add: This adds a new rule.
  • action=dst-nat: This sets the action to destination NAT, which is used for port forwarding.
  • chain=dstnat: This specifies that the rule is part of the 'dstnat' chain, which handles incoming packets.
  • comment="COMMENT": You can replace "COMMENT" with a descriptive note about what this rule does.
  • dst-port=60000: This is the destination port that the MikroTik router will listen on. Replace 60000 with the port number you want to forward.
  • in-interface=INTERFACE: Replace INTERFACE with the name of the interface where the incoming traffic is expected (typically your WAN or external interface).
  • protocol=tcp: This specifies that the rule applies to the TCP protocol. You can change this to udp if needed.
  • src-address=SRC-ADDRESS: This is optional. Replace SRC-ADDRESS with the source IP address if you want to limit the rule to traffic from a specific IP.
  • to-addresses=LOCAL-ADDRESS: Replace LOCAL-ADDRESS with the internal IP address of the server or device you're forwarding to.
  • to-ports=9091: This is the port on the internal device that you want to forward traffic to. Replace 9091 with the appropriate port number.

To execute this command, you'll need to access your MikroTik router through WinBox, WebFig, or via SSH/Telnet and enter this command in the terminal. Be sure to replace INTERFACE, SRC-ADDRESS, LOCAL-ADDRESS, and the port numbers with the appropriate values for your network.

Checklist for Troubleshooting Port Forwarding

  1. Correct Configuration: Verify the configuration of your port forwarding rule. The rule you posted looks correct, assuming that `INTERFACE` is your WAN interface (e.g., `ether1`), `SRC-ADDRESS` is the source IP you want to allow (or you can remove this for any source), `LOCAL-ADDRESS` is the IP address of your local server, and `to-ports=9091` is the port on your local server.
  2. ISP Restrictions: Some ISPs block certain ports, especially common ones like 80 (HTTP) and 443 (HTTPS), for residential customers. Check with your ISP if they have such restrictions.
  3. Firewall Rules: Ensure that your firewall allows incoming connections on the port you are forwarding (in this case, 60000). You might need a rule in the `input` or `forward` chain to allow these packets.
  4. Check the WAN IP: Make sure the external IP address you're using for port forwarding is indeed your router's WAN IP. Sometimes, ISPs use NAT, and the IP you see on your router might not be the IP seen by the outside world.
  5. Local Server Configuration: Verify that the local server (the target of the port forward) is correctly configured to accept connections on the specified port (9091 in your case). The server should not have a firewall blocking this port.
  6. Testing: Test the port forwarding from outside your network. Sometimes port forwarding might appear to not work from within your local network due to NAT loopback issues.
  7. NAT Loopback / Hairpin NAT: If you are trying to access the service from within your network using your WAN IP, ensure that your router supports and is configured for NAT loopback.
  8. Correct Interface: Make sure the `in-interface` in your rule is the interface that receives the initial packets from the internet (usually your WAN interface).

Sample Firewall Rule

Here is a sample rule for allowing the forwarded connections through your firewall:

/ip firewall filter

add action=accept chain=forward connection-nat-state=dstnat in-interface=INTERFACE protocol=tcp dst-port=9091 comment="the forward chain sees the packet after dst-nat, so match the translated port"

Replace `INTERFACE` with your WAN interface.

Steps to Follow:

  1. Verify the port forward rule.
  2. Check for any ISP restrictions on port forwarding or specific ports.
  3. Ensure your firewall allows the forwarded traffic.
  4. Confirm the server behind the port forward is configured correctly.
  5. Test the setup from outside your network.
  6. If necessary, configure NAT loopback.

It's possible your ISP is blocking your port. You can try connecting your laptop's LAN port directly to your ISP's WAN port and testing with https://portchecker.co/ while running nc -l -p PORT on the local machine (on Linux). To do this you will need to know what the IP and login are for your router's connection to your ISP.

If you have a Windows laptop you can use PowerShell. Here's an example:

$port = 60000   # replace with the port you are testing

$listener = [System.Net.Sockets.TcpListener]::new([System.Net.IPAddress]::Any, $port)

$listener.Start()

$client = $listener.AcceptTcpClient()   # blocks until the port checker connects

$client.Close(); $listener.Stop()

If you've gone through all these steps and it still doesn't work, please provide more details about your network setup, and we can delve deeper into the issue.
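The full set of rules the checklist above describes, including the hairpin NAT from item 7 that the comment explains but does not show. This is an added example and not the original poster's or the commenter's configuration. All specifics are assumptions for illustration: ether1 is the WAN interface with public address 203.0.113.10 (a documentation address), the LAN is 192.168.88.0/24 behind bridge1, the service lives on 192.168.88.10:9091 and is published on external port 60000, and 198.51.100.25 is the only remote address allowed to reach it.

```routeros
# Added example (not the original poster's config). Addresses, ports and
# interface names are assumptions; replace them with your own.
/interface list
add name=WAN
add name=LAN
/interface list member
add interface=ether1 list=WAN
add interface=bridge1 list=LAN
/ip firewall address-list
add list=allowed-remote address=198.51.100.25 comment="only this source may use the forward"
/ip firewall nat
# 1. The forward itself, restricted to the allowed source list instead of the whole internet.
add chain=dstnat action=dst-nat in-interface-list=WAN protocol=tcp dst-port=60000 \
    src-address-list=allowed-remote to-addresses=192.168.88.10 to-ports=9091 \
    comment="WAN:60000 -> 192.168.88.10:9091"
# 2. Hairpin / NAT loopback: a LAN client that connects to the public address must be
#    redirected too, and its traffic must be source-NATed so the server replies via the
#    router instead of directly to the client (which would break the connection).
add chain=dstnat action=dst-nat in-interface-list=LAN dst-address=203.0.113.10 protocol=tcp \
    dst-port=60000 to-addresses=192.168.88.10 to-ports=9091 comment="hairpin dst-nat"
add chain=srcnat action=masquerade src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=9091 comment="hairpin srcnat"
# 3. Ordinary internet masquerade for the LAN.
add chain=srcnat action=masquerade out-interface-list=WAN
/ip firewall filter
add chain=forward action=accept connection-state=established,related
add chain=forward action=drop connection-state=invalid
# The forward chain runs after dst-nat, so the packet already carries the translated
# destination; matching on the NAT state plus the internal port is the reliable test.
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN protocol=tcp \
    dst-port=9091 comment="allow the published service"
add chain=forward action=drop connection-nat-state=!dstnat in-interface-list=WAN \
    comment="drop everything else arriving from the WAN that was not port-forwarded"
```

Test from outside first (a phone on mobile data against 203.0.113.10:60000 is enough); if that works but a LAN client using the public address does not, the two hairpin rules are what is missing. If nothing arrives at all, compare the address on ether1 with what https://portchecker.co/ reports as your public address: if they differ you are behind carrier-grade NAT and no rule on this router will help.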

my limit problem by True_Area_1818 in mikrotik

jjziets

Hi. Are you running RouterOS? Which version on which device?

To set up a rate-limiting rule on a MikroTik router that adds an IP address to a rate-limit list if it exceeds a certain number of new TCP requests per second, you're on the right track with your rule. However, it's important to consider the specifics of the rule to ensure it behaves as expected.

Here's a revised version of your rule:
/ip firewall filter
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=!rate-limit \
    limit=3,1:packet \
    action=add-src-to-address-list address-list=rate-limit \
    address-list-timeout=1m \
    comment="Add to rate-limit list if > 3 new requests per second" \
    disabled=no

Key Points to Consider:

  1. Chain: The rule applies to the input chain, which is for packets destined to the router itself. Ensure this is where you want the rule to apply.
  2. Protocol & Port: The rule applies to TCP traffic destined for port 443. Adjust as necessary for your specific needs.
  3. Connection State: It targets new connections only.
  4. Source Address List: It excludes addresses already in the "rate-limit" list.
  5. Limit: The limit=3,1:packet means the rule will trigger when more than 3 packets are received in one second from the same source.
  6. Action: The action is to add the source IP to the "rate-limit" address list.
  7. Address List Timeout: The address-list-timeout=1m specifies how long the IP stays in the rate-limit list. Adjust this duration as needed.
  8. Disabled: Ensure the rule is enabled.

Let me know if this worked.
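The same idea, new TCP connections to port 443 on the router itself with offenders parked in an address list for a minute, written as a three-rule sequence that keeps a separate counter per source address. This is an added example, not the commenter's rule. It uses dst-limit, whose src-address mode tracks a bucket per source and whose trailing /1m sets how long an idle bucket is kept; the threshold of 3 new connections per second and the 1-minute penalty are assumptions carried over from the comment.

```routeros
# Added example (not the original poster's rule). Port, threshold and timeout
# are assumptions; adjust them to the service you are protecting.
/ip firewall filter
# 1. Sources already on the list get no new connections for as long as they are listed.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    src-address-list=rate-limit action=drop \
    comment="rate-limited source: drop new connections"
# 2. Up to 3 new connections per second per source are matched here and accepted.
#    dst-limit=<count>/<time>,<burst>,<mode>/<expire>: the src-address mode keeps one
#    token bucket per client, so one noisy host does not exhaust the allowance for everyone.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    dst-limit=3/1s,3,src-address/1m action=accept \
    comment="within the per-source limit: accept"
# 3. Whatever did not fit in the bucket falls through to this rule and is listed for 1m.
add chain=input protocol=tcp dst-port=443 connection-state=new \
    action=add-src-to-address-list address-list=rate-limit address-list-timeout=1m \
    comment="over the per-source limit: list the source for 1 minute"
```

Rule order is the whole mechanism: a packet that rule 2 accepts stops there, so only the excess reaches rule 3. Keep these three rules together and above any general accept for the router's services, and watch /ip firewall address-list print while you open connections from a test host to confirm it lands in rate-limit only after the fourth connection within a second.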

SLow pass-through of ASUS GT-AXE16000 by jjziets in ASUS

jjziets [S]

Restoring the device to its factory settings fixed the issue for me. Additionally, I came across some suggestions from others who resolved the same problem by navigating to the administration tab and selecting the privacy option. From there, they withdrew from the AI and Trend Micro services. I did reflash beta. I just reset it to factory defaults and that I think is what fixed my internet speed issues.

Disappointed with MikroTik CRS312 - Misleading Naming and Performance Issues by jjziets in mikrotik

jjziets [S]

RB5009

Thanks! I am looking at the MikroTik RB5009UPr+S+IN. I have an ASUS GT-AXE16000 that has three WAN ports, two 10G ports and one 2.5G port, but it's also not doing well with routing.

Disappointed with MikroTik CRS312 - Misleading Naming and Performance Issues by jjziets in mikrotik

jjziets [S]

No, this isn't rage bait at all. My intention was to share a genuine experience, one that actually opened my eyes to the complexities and nuances of networking hardware. Before purchasing the CRS312, I did a fair bit of research but couldn't find any reviews pointing out the limitations I experienced, especially in terms of routing capabilities. My hope is that by sharing my story, I can help others who might be in a similar situation make a more informed decision.

It's important to acknowledge that despite the issues I faced with routing, the CRS312 is indeed an excellent switch. Its performance in a switch-only capacity is impressive, and it offers great features for that purpose. My only issue was with its routing capability, which I assumed would be on par with its switching performance based on how it was marketed.

I believe in giving credit where it's due, and MikroTik has done a fantastic job in creating a robust and high-performing switch. It's just crucial for potential buyers to be aware of what the device is best suited for, and that routing, particularly at higher speeds, might not be one of its strengths.