<html><head><meta http-equiv="Content-Type" content="text/html charset=us-ascii"></head><body style="word-wrap: break-word; -webkit-nbsp-mode: space; -webkit-line-break: after-white-space;"><div>Dean</div><div><br></div><div>Agreed RE: getting the edge firewalls in place. Cory is right that we don't really want to do it until we have some system in place for users to update their rules, but not knowing how long that will be, perhaps I'll bring up with the admins what we think of having it be manual, and the requests coming via emails for now.</div><div><br></div><div>Regarding the connection issues, it's been raining the past couple of days, and coupled with your weaker end signal strength to begin with, that's what's bumping you. In fact the same thing happens to my link. I look through some trees, and when it rains in any significant amount, my link can drop by up to 15db or so (which at that point I lose connection). I wouldn't be surprised as today is supposed to be somewhat dryer, that it comes back today, and then gets lost again as it starts to rain again over the next few days.</div><div><br></div><div>RE the firewall, if you like I can set up a block at the edge for you IP now if you prefer, and if so, let me know off list what services you'd like to keep open if any, which should take care of your russian friend.</div><div><br></div><div>Nigel</div><div>K7NVH</div><br><div><div>On Mar 17, 2014, at 12:13 PM, Dean Gibson AE7Q <<a href="mailto:hamwan@ae7q.net">hamwan@ae7q.net</a>> wrote:</div><br class="Apple-interchange-newline"><blockquote type="cite">
<meta content="text/html; charset=UTF-8" http-equiv="Content-Type">
<div bgcolor="#FFFFFF" text="#000000">
Well, I think you are going to have to do something about outside
incoming traffic fairly soon.<br>
<br>
I run "/interface wireless monitor 0", it usually shows the last IP
address of 195.218.200.205 (Russia). I've got the default radio
firewall enabled, so the only traffic I should see are unsuccessful
port probes (or perhaps ICMP traffic).<br>
<br>
If I run constant pings, when I set the ping interval to one second,
my pings predominate, but with a ping interval of two seconds or
more, the above IP predominates.<br>
<br>
I don't know how much data he's sending, but today I'm having a hard
time <b>keeping any connection</b>. I didn't have this problem
before this past weekend, and I've made no configuration or location
change: This morning, to help reestablishing a connect, I created a
new scan list with only the Paine sector aimed toward me, and I'm
using that to reduce the delay in reconnections.<br>
<br>
Note that currently I'm not trying to do anything useful; I've got
a poor antenna location (but it did work reasonably well until
today). Hopefully in a day or two, I will have a better (outside
and higher) temporary location.<br>
<br>
If you temporarily give me a different IP address, I can try that to
see if I'm the only one he's pounding on. I doubt that I am.<br>
<br>
-- Dean<br>
<br>
<div class="moz-cite-prefix">On 2014-03-16 10:05, Cory (NQ1E) wrote:<br>
</div>
<blockquote cite="mid:CAGOhXwLXgvhbF1q2i+JDrUSpYixW4=WKFgsRbPk9-vOQn4yW-w@mail.gmail.com" type="cite">
<div dir="ltr">The current plan is to block all
unsolicited incoming traffic from the internet on the edge
routers before it gets to the RF portions of the network.
However, we don't want to do that until we have automation in
place to maintain those rules and until we have a self-service
way for you to poke holes in that configuration should you want
to allow incoming traffic from the world to one of your IP
addresses. If you want to block traffic from all sources
(including other hams), then adding firewall rules to your own
device is the correct way to accomplish that.
<div>
<br>
</div>
<div>The rules are well established for auto-patches that
connect voice repeaters to the PSTN. Even incoming telephone
calls are allowed as long as they are "expected" by the ham.
Because the parallels between these systems are fairly clear,
the plan above puts us in the best position to make sure our
users are able to maintain their part 97 compliance.</div>
</div>
<div class="gmail_extra"><br>
<br>
<div class="gmail_quote">On Sat, Mar 15, 2014 at 11:25 PM, Dean
Gibson AE7Q <span dir="ltr"><<a moz-do-not-send="true" href="mailto:hamwan@ae7q.net" target="_blank">hamwan@ae7q.net</a>></span>
wrote:<br>
<blockquote class="gmail_quote" style="margin:0 0 0
.8ex;border-left:1px #ccc solid;padding-left:1ex">
<div bgcolor="#FFFFFF" text="#000000"> <small><tt><big>OK,
after seeing the number of "random" IP addresses
hitting the radio from outside the 44.0.0.0 net, I
didn't like the fact that the firewall filters were
removed in the web site's suggested configuration,
so I decided to start from scratch. I learned a
couple things ...</big><br>
<font color="#000099"><br>
</font></tt><font color="#000099"><i><tt># -- Restore
the radio to a factory fresh state --</tt></i><i><tt><br>
</tt></i><i><tt>/system reset</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt># === At this point you must connect
via MAC address ===</tt></i><i><tt><br>
</tt></i><i><tt>/user set admin password="This is
not it ..."</tt></i><i><tt><br>
</tt></i><i><tt>/console clear-history</tt></i><i><tt><br>
</tt></i><i><tt>/system identity set
name="CALL-Paine"</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/ip</tt></i><i><tt><br>
</tt></i><i><tt>dns set allow-remote-requests=no</tt></i><i><tt><br>
</tt></i><i><tt>address remove [find]</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/ip firewall mangle</tt></i><i><tt><br>
</tt></i><i><tt>add action=change-mss chain=output
new-mss=1378 protocol=tcp tcp-flags=syn
tcp-mss=!0-1378</tt></i><i><tt><br>
</tt></i><i><tt>add action=change-mss chain=forward
new-mss=1378 protocol=tcp tcp-flags=syn
tcp-mss=!0-1378</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/ip dhcp-server</tt></i><i><tt><br>
</tt></i><i><tt>remove [find]</tt></i><i><tt><br>
</tt></i><i><tt>network remove [find]</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/ip dhcp-client</tt></i><i><tt><br>
</tt></i><i><tt>add add-default-route=no
dhcp-options=hostname,clientid disabled=no
interface=ether1 use-peer-dns=no</tt></i><i><tt><br>
</tt></i><i><tt># -- The following is already
configured --</tt></i><i><tt><br>
</tt></i><i><tt>#add add-default-route=yes
dhcp-options=hostname,clientid disabled=no
interface=wlan1</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt># -- Do the following if you need to
move the radio to a different network --</tt></i><i><tt><br>
</tt></i><i><tt>/system shutdown</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt># === At this point you can connect
via IP address ===</tt></i><i><tt><br>
</tt></i><i><tt>/system logging</tt></i><i><tt><br>
</tt></i><i><tt>action set remote bsd-syslog=yes
remote=my.lcl.log.svr remote-port=514
src-address=my.lcl.ether.ip syslog-facility=local1
syslog-severity=info</tt></i><i><tt><br>
</tt></i></font><i><tt><font color="#000099">add
action=remote disabled=no prefix=""
topics=!debug,!snmp</font><br>
</tt></i></small><br>
<small><big>Note that I have "bsd-syslog" set to "yes".
This <b>appears to be necessary</b> if you want a
remote system to see "syslog-facility" and
"syslog-severity" (the radio doesn't save/display
those settings otherwise).<br>
</big><i><tt><br>
</tt></i><font color="#000099"><i><tt>/system ntp
client set enabled=yes mode=unicast
primary-ntp=my.lcl.ntp.svr1
secondary-ntp=my.lcl.ntp.svr2</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/interface wireless </tt></i><i><tt><br>
</tt></i><i><tt>channels add band=5ghz-onlyn
comment="Cell site sector centered at 360 degrees"
frequency=5920 list=HamWAN name="Sector300-060"
width=5</tt></i><i><tt><br>
</tt></i><i><tt>channels add band=5ghz-onlyn
comment="Cell site sector centered at 120 degrees"
frequency=5905 list=HamWAN name="Sector060-180"
width=5</tt></i><i><tt><br>
</tt></i><i><tt>channels add band=5ghz-onlyn
comment="Cell site sector centered at 240 degrees"
frequency=5890 list=HamWAN name="Sector180-300"
width=5</tt></i><i><tt><br>
</tt></i><i><tt>/delay 5</tt></i><i><tt><br>
</tt></i><i><tt>set 0
radio-name="CALL/Location-Paine"</tt></i><i><tt><br>
</tt></i><i><tt>set 0 disabled=no
frequency-mode=superchannel scan-list=HamWAN
ssid=HamWAN wireless-protocol=nv2</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>/tool dns-update
dns-server=my.lcl.dns.svr key="MD5 key ..."
key-name=ddns ttl=3600 zone=<a moz-do-not-send="true" href="http://ae7q.net/" target="_blank">ae7q.net</a> name=hamwan-1
address=my.ham.wan.ip</tt></i><i><tt><br>
</tt></i><i><tt>/console clear-history</tt></i><i><tt><br>
</tt></i><i><tt><br>
</tt></i><i><tt>monitor 0</tt></i></font><i><tt><br>
</tt></i></small><br>
I like my sector names better than just numbers...<br>
<br>
These "scripts" (when altered) can just be pasted into a
command window (otherwise the "/delay 5" above is not
necessary).<br>
<br>
Oh, I can sometimes connect through my CLOSED window, but
that's not reliable enough for anything useful.<span class="HOEnZb"><font color="#888888"><br>
<br>
-- Dean<br>
<br>
</font></span></div>
<br>
_______________________________________________<br>
PSDR mailing list<br>
<a moz-do-not-send="true" href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a><br>
<a moz-do-not-send="true" href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org" target="_blank">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a><br>
<br>
</blockquote>
</div>
<br>
</div>
<br>
<fieldset class="mimeAttachmentHeader"></fieldset>
<br>
<pre wrap="">_______________________________________________
PSDR mailing list
<a class="moz-txt-link-abbreviated" href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a>
<a class="moz-txt-link-freetext" href="http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org">http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org</a>
</pre>
</blockquote>
<br>
</div>
_______________________________________________<br>PSDR mailing list<br><a href="mailto:PSDR@hamwan.org">PSDR@hamwan.org</a><br>http://mail.hamwan.org/mailman/listinfo/psdr_hamwan.org<br></blockquote></div><br></body></html>