Many businesses want to block Facebook on their corporate networks. Here is a useful site to look up the blocks of IP addresses it uses.
Using the IPs from above we can create firewall rules to block Facebook. Two things to keep in mind: RouterOS evaluates the forward chain top down, so these drop rules have to sit above any rule that accepts LAN traffic out to the internet, and address-based blocking is only as good as the list, since a large site's address ranges change and the list has to be refreshed.
/ip firewall filter
add action=drop chain=forward comment="Block Facebook" dst-address=220.127.116.11/18
add action=drop chain=forward comment="Block Facebook" dst-address=18.104.22.168/22
add action=drop chain=forward comment="Block Facebook" dst-address=22.214.171.124/20
add action=drop chain=forward comment="Block Facebook" dst-address=126.96.36.199/18
add action=drop chain=forward comment="Block Facebook" dst-address=188.8.131.52/21
add action=drop chain=forward comment="Block Facebook" dst-address=184.108.40.206/19
add action=drop chain=forward comment="Block Facebook" dst-address=220.127.116.11/22
add action=drop chain=forward comment="Block Facebook" dst-address=18.104.22.168/22
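Pasting one drop rule per prefix by hand is how duplicates creep in (the list above repeats a prefix). The script below is an added example, not part of the original post: it validates each CIDR, merges duplicates, overlaps and adjacent blocks, and emits a RouterOS address-list plus a single drop rule that references it, so refreshing the list later never touches the filter rule. The SAMPLE prefixes are constructed placeholders from the documentation ranges, not Facebook's real allocations; feed in the ranges you looked up instead.

```python
"""Turn a list of CIDR prefixes into a MikroTik address-list block.

Added example, not code from the original post. The SAMPLE prefixes are
constructed placeholders from the RFC 5737 / RFC 3849 documentation ranges,
not Facebook's real allocations; feed in the ranges you looked up instead.
"""
import ipaddress
from typing import Iterable, List, Tuple

# Constructed input: one duplicate, one prefix with host bits set, two
# adjacent halves of a /24, and an IPv6 range. All of these slip through
# when rules are pasted by hand.
SAMPLE = [
    "203.0.113.0/24",
    "203.0.113.0/24",      # exact duplicate
    "203.0.113.77/25",     # host bits set; masked to 203.0.113.0/25, inside the /24
    "198.51.100.0/25",
    "198.51.100.128/25",   # adjacent to the previous entry; merges into a /24
    "2001:db8::/32",
]


def collapse_prefixes(cidrs: Iterable[str]) -> Tuple[List[str], List[str]]:
    """Validate every prefix, then merge duplicates, overlaps and adjacent
    blocks. Returns (ipv4, ipv6) because RouterOS keeps the two families in
    separate address lists and ipaddress.collapse_addresses refuses to mix
    them. A malformed entry raises ValueError instead of silently becoming
    a rule that matches nothing."""
    nets = []
    for cidr in cidrs:
        try:
            # strict=False masks off host bits instead of rejecting the entry
            nets.append(ipaddress.ip_network(cidr.strip(), strict=False))
        except ValueError as exc:
            raise ValueError(f"bad prefix {cidr!r}: {exc}") from exc
    v4 = [n for n in nets if n.version == 4]
    v6 = [n for n in nets if n.version == 6]
    return ([str(n) for n in ipaddress.collapse_addresses(v4)],
            [str(n) for n in ipaddress.collapse_addresses(v6)])


def routeros_block_script(cidrs: Iterable[str], list_name: str = "facebook",
                          comment: str = "Block Facebook") -> str:
    """Emit RouterOS CLI: one address-list entry per collapsed prefix and a
    single forward-chain drop rule per address family that references the
    list. Updating the list later does not touch the filter rule."""
    v4, v6 = collapse_prefixes(cidrs)
    out = []
    for root, prefixes in (("/ip", v4), ("/ipv6", v6)):
        if not prefixes:
            continue
        out.append(f"{root} firewall address-list")
        out.extend(f'add list={list_name} address={p} comment="{comment}"'
                   for p in prefixes)
        out.append(f"{root} firewall filter")
        out.append(f'add chain=forward action=drop dst-address-list={list_name} '
                   f'comment="{comment}"')
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    print(routeros_block_script(SAMPLE))
```

Paste the output into the router's terminal, then move the generated drop rule above any general accept rule in the forward chain; RouterOS appends new rules at the end of the chain, where an earlier accept would shadow them.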
Here are the rules I use to open my NAT for Xbox Live. Xbox.com says to "open" ports 88/udp, 3074/udp+tcp, 53/udp+tcp and 80/tcp. If you can already browse the internet from the console you do not need to forward 80 and 53 to the Xbox: those are ordinary outbound HTTP and DNS, which already work through a masquerading router. The ports that matter for the console's NAT type are 3074 and 88. UDP 88 is the Kerberos port, which Xbox Live uses for sign-in, and 3074 carries the Live session traffic. Both need a dst-nat rule pointing at the console, so give the Xbox a fixed DHCP lease first so the rules do not break when its address changes.
Here is the configuration for the AP end of a Point-to-Point link that can be used with a number of MikroTik devices. In this example I used two StationTik 5G's, but it could just as well be SXT's or any other Point-to-Point devices; the far end uses the same settings in station-bridge mode so that it bridges transparently. You might need to change the frequency depending on usage in your area. Replace yourpass with a long random pre-shared key: with nv2 security enabled that key is what protects the link, since the 802.11 security profile here has no ciphers configured.
/interface bridge
add l2mtu=1600 name=bridge1
/interface wireless
set 0 band=5ghz-onlyn channel-width=20/40mhz-ht-above disabled=no frequency=5745 \
    ht-rxchains=0,1 ht-txchains=0,1 l2mtu=2290 \
    mode=bridge nv2-preshared-key=yourpass nv2-security=enabled ssid=PtP wireless-protocol=nv2
/interface wireless security-profiles
set [ find default=yes ] group-ciphers="" supplicant-identity=MikroTik unicast-ciphers=""
/interface bridge port
add bridge=bridge1 interface=wlan1
add bridge=bridge1 interface=ether1
/ip address
add address=10.36.84.4/24 interface=bridge1
/ip dhcp-client
add interface=bridge1
/system clock
set time-zone-name=America/New_York
/system identity
set name=AP
/system ntp client
set enabled=yes mode=unicast primary-ntp=22.214.171.124
When you first take the phone out of the box you have to enter a few settings so it can call back to the server. The procedure is not obvious and I could not find it anywhere in the documentation. After the phone starts to boot, press Hold, Transfer, *, #. You will then be prompted for a username and password. The username is ADMIN and the password is 6633222. These are the factory defaults, so assume anyone who can pick up the handset can reach this menu. Now configure your phone accordingly.
echo "UseDNS no" | sudo tee -a /etc/ssh/sshd_config
sudo sshd -t
Note the form of the first command: writing it as sudo echo "UseDNS no" >> /etc/ssh/sshd_config does not work, because the redirection is performed by your own unprivileged shell before sudo ever runs, so it fails with permission denied. Piping into sudo tee -a does the append as root; sshd -t then checks the file parses before you restart sshd to pick up the change.
When UseDNS is enabled, sshd resolves the connecting client's IP address to a hostname and checks that the name resolves back. If the resolver is slow or unreachable every login stalls until that lookup times out, which is the "takes forever" you see. UseDNS no disables the lookup. The trade-off is that hostname patterns in authorized_keys from= options and in TCP wrappers no longer match, only IP patterns do; since reverse DNS for an attacker's address range is under the attacker's control anyway, IP-based restrictions are the sounder choice.
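Appending to sshd_config is also not idempotent, and it is unsafe when the file ends with a Match block: the appended line lands inside that block, where sshd either scopes it to the match or, for keywords such as UseDNS that are not allowed there, refuses to start. The following is an added example, not part of the original post: it sets a directive globally by rewriting an existing line or inserting before the first Match, and it works on the file's text so it can be exercised offline. SAMPLE is a constructed sshd_config fragment.

```python
"""Set a global sshd_config directive without breaking the file.

Added example, not part of the original post. It edits the file's text so it
can be exercised offline; SAMPLE below is a constructed sshd_config fragment.
"""
import re
import sys
from typing import Optional, Tuple

# Constructed sample: note the Match block at the end of the file.
SAMPLE = """# constructed sshd_config for the example
Port 22
#UseDNS yes
PasswordAuthentication no

Match User backup
    PasswordAuthentication yes
"""


def parse_line(line: str) -> Tuple[str, str]:
    """Split a config line into (lowercased keyword, argument).
    Blank lines and comments yield ('', ''). sshd accepts 'Key value',
    'Key=value' and 'Key = value', so all three are handled."""
    stripped = line.strip()
    if not stripped or stripped.startswith("#"):
        return "", ""
    parts = re.split(r"\s*=\s*|\s+", stripped, maxsplit=1)
    return parts[0].lower(), (parts[1] if len(parts) > 1 else "")


def effective_global_value(text: str, key: str) -> Optional[str]:
    """The value sshd applies globally: the first active occurrence before
    any Match block. Later duplicates and anything inside Match are ignored."""
    for line in text.splitlines():
        word, arg = parse_line(line)
        if word == "match":
            break
        if word == key.lower():
            return arg
    return None


def set_global_directive(text: str, key: str, value: str) -> str:
    """Return the config text with `key value` in force globally.

    An active line for the key in the global section is rewritten in place
    and later global duplicates are dropped, so repeated runs are idempotent.
    If there is none, the line is inserted before the first Match block
    rather than appended, so it can never land inside a trailing Match."""
    new_line = f"{key} {value}"
    out = []
    replaced = False
    in_match = False
    first_match_index = None
    for line in text.splitlines():
        word, _ = parse_line(line)
        if word == "match":
            in_match = True
            if first_match_index is None:
                first_match_index = len(out)
        if not in_match and word == key.lower():
            if not replaced:
                out.append(new_line)
                replaced = True
            continue  # drop duplicate global definitions
        out.append(line)
    if not replaced:
        out.insert(len(out) if first_match_index is None else first_match_index,
                   new_line)
    return "\n".join(out) + "\n"


if __name__ == "__main__":
    # Usage: python3 this.py /etc/ssh/sshd_config > /tmp/sshd_config.new
    # then review it, copy it into place as root, and run `sshd -t` before
    # restarting sshd. With no argument it rewrites the constructed SAMPLE.
    src = open(sys.argv[1]).read() if len(sys.argv) > 1 else SAMPLE
    sys.stdout.write(set_global_directive(src, "UseDNS", "no"))
```

effective_global_value is there to check your work: run it on the naive append (SAMPLE plus a trailing UseDNS line) and it returns None, because the only UseDNS line sits inside the Match block.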
Recently I have needed to restrict access to the internet during certain hours. This is easy to achieve on MikroTik with a few mangle and filter rules. I currently have this configuration on an RB751, so I am using a bridge for the LAN: ports 2-5 are switched together and wlan1 is bridged with ether2 (the master port). Instead of restricting everything on the bridge I wanted to be able to allow access for myself and certain others during the "restricted times", which is why I use mangle to mark connections and then filter on the connection marks. The allowed devices are recognised by source MAC address, so treat this as a convenience control rather than a security boundary: anyone on the LAN who learns an allowed MAC can set it on their own device.
The first two rules mark connections from my allowed devices. The last two mark everything else entering or leaving the DHCP bridge. The filter rules then drop connections carrying the DHCP mark during the restricted hours and leave the Allowed ones alone.
/ip firewall mangle
add action=mark-connection chain=forward comment="Mark CBrown Computer" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=forward comment="Mark CBrown iPhone" disabled=no in-interface=DHCP \
    new-connection-mark=Allowed passthrough=no src-mac-address=XX:XX:XX:XX:XX:XX
add action=mark-connection chain=prerouting comment="DHCP Upload" disabled=no in-interface=DHCP \
    new-connection-mark=DHCP passthrough=no
add action=mark-connection chain=postrouting comment="DHCP Download" disabled=no new-connection-mark=DHCP \
    out-interface=DHCP passthrough=no
Sometimes when setting up NAT it is useful to check that the configuration is right, that is, that your traffic leaves with the address you expect. This command prints, from the command line, the public IP address the outside world sees you coming from.
wget -qO - http://www.whatismyip.org
In the Local Group Policy Editor (gpedit.msc):
Navigate to Computer Configuration / Windows Settings / Security Settings / Local Policies / Security Options.
In the right-hand pane look for the policy:
Interactive logon: Do not display last user name, and change it to Enabled.
With this enabled the logon screen no longer shows the name of the last account that signed in, so someone with physical access to the machine does not get a valid username for free.
1. SSH to your machine.
2. Enable Remote Management (the built-in VNC server) via:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -activate -configure -access -on -clientopts -setvnclegacy -vnclegacy yes -clientopts -setvncpw -vncpw mypass -restart -agent -privs -all
3. Log in using your VNC client. I used Chicken of the VNC.
4. You can disable Remote Management again by:
sudo /System/Library/CoreServices/RemoteManagement/ARDAgent.app/Contents/Resources/kickstart -deactivate -configure -access -off
A word on the flags: -setvnclegacy -vnclegacy yes turns on legacy VNC password authentication, and -privs -all grants full control of the machine. Classic VNC authentication is weak (the password is truncated to eight characters and the session itself is not encrypted), so replace mypass with something better, reach the VNC port through port forwarding over the SSH session you already have rather than exposing it directly, and turn the service back off when you are done.
We have had an issue with our FreeNAS server kernel panicking when doing multiple large file transfers. It is a 64-bit machine with 24TB of available space.
First you need to remount the FreeNAS system filesystem read-write, since it is mounted read-only by default, so you can change system files:
mount -o rw /dev/ufs/FreeNASs1a /
Now that the filesystem is writable, add the following to /boot/loader.conf:
vm.kmem_size_max="1024M"
vm.kmem_size="1024M"
vfs.zfs.arc_max="100M"
These are boot-time tunables, so they take effect after a reboot. This seems to have fixed the kernel panics for now.