Enterprise Networking Mikrotik Routers (RouterBoard & RouterOS), User and owner discussion group

     
soonwai
post Jan 28 2016, 03:28 PM


********
All Stars
11,456 posts

Joined: Oct 2007
From: KL


Updated my UniFi guide to include HyppTV setup.
https://forum.lowyat.net/index.php?showtopi...post&p=78327719
soonwai
post Jan 28 2016, 04:09 PM




If you guys ever need a backup GSM link to your router. This is the cheapest I can find.

Digi Best Prepaid with Super Long Life (SLL) and IDD Internet Club (IDDIC)
For less than RM50, this gives you SLL 365 days validity and IDDIC 64kbps data for a year. Data Quota is 1GB a month.
More details here: https://forum.lowyat.net/topic/3803865

Now, it's only 64kbps so it's more for configuration than as a backup data link. Actually 64kbps is still fast enough for text based basic stuff.

This post has been edited by soonwai: Jan 28 2016, 04:09 PM
soonwai
post Jan 28 2016, 05:45 PM




I've been messing with my firewall so most rules are off at the moment. Today I realised that I have about 1000/sec inbound UDP connections from the internet to port 53 (DNS) of my router. Any ideas what that is? It chews up 8-10mbps of my ingoing/outgoing bandwidth.

DDOS? Though not very effective since router is still ok.

Anyway port 53 filters are back up.

user posted image
This is about 1 min after I enabled the filters.

Update: Looks like a DNS amplification attack. Just had my port 53 opened for a few hours and they found it.

This post has been edited by soonwai: Jan 28 2016, 06:19 PM
rioven
post Jan 29 2016, 04:04 AM

Enthusiast
*****
Senior Member
975 posts

Joined: Sep 2004
From: Setapak



QUOTE(soonwai @ Jan 28 2016, 05:45 PM)
I've been messing with my firewall so most rules are off at the moment. Today I realised that I have about 1000/sec inbound UDP connections from the internet to port 53 (DNS) of my router. Any ideas what that is? It chews up 8-10mbps of my ingoing/outgoing bandwidth.

DDOS? Though not very effective since router is still ok.

Anyway port 53 filters are back up.

user posted image
This is about 1 min after I enabled the filters.

Update: Looks like a DNS amplification attack. Just had my port 53 opened for a few hours and they found it.
*
maybe u need alter your firewall config, for example im using this config plus few other (DDoS, some blacklist IP)
How to ***really*** block invalid TCP and UDP packet
but still u need to add rules drop input tcp/udp 53, mine still have minor packet to my router
wong_86
post Jan 29 2016, 09:31 AM

DUDE
****
Junior Member
565 posts

Joined: Oct 2007
From: MARS


Mikrotik got router support dual channel wireless 2.4 and 5GHz?

think to replace my asus n16 due to wireless performance issue, need good wireless solution to support multiple wireless device, netflix, video streaming , iptv etc..

need sifu advice to solve this issue.
asellus
post Jan 29 2016, 12:26 PM

#gompusas
Elite
4,541 posts

Joined: Jan 2003
From: BSRPPG51 Access Concentrator


QUOTE(soonwai @ Jan 28 2016, 05:45 PM)
I've been messing with my firewall so most rules are off at the moment. Today I realised that I have about 1000/sec inbound UDP connections from the internet to port 53 (DNS) of my router. Any ideas what that is? It chews up 8-10mbps of my ingoing/outgoing bandwidth.

DDOS? Though not very effective since router is still ok.

Anyway port 53 filters are back up.

user posted image
This is about 1 min after I enabled the filters.

Update: Looks like a DNS amplification attack. Just had my port 53 opened for a few hours and they found it.
*
You should also go ahead and drop all UDP packet that lands on port 123 too to prevent NTP amplification attacks.
edward88
post Jan 29 2016, 03:41 PM

Casual
***
Junior Member
351 posts

Joined: Jul 2007


QUOTE(soonwai @ Jan 28 2016, 05:45 PM)
I've been messing with my firewall so most rules are off at the moment. Today I realised that I have about 1000/sec inbound UDP connections from the internet to port 53 (DNS) of my router. Any ideas what that is? It chews up 8-10mbps of my ingoing/outgoing bandwidth.

DDOS? Though not very effective since router is still ok.

Anyway port 53 filters are back up.

user posted image
This is about 1 min after I enabled the filters.

Update: Looks like a DNS amplification attack. Just had my port 53 opened for a few hours and they found it.
*
u can uncheck your DNS Allow Remote Request and the traffic should be gone.


Attached image(s)
Attached Image
soonwai
post Jan 31 2016, 11:48 PM




QUOTE(rioven @ Jan 29 2016, 04:04 AM)
maybe u need alter your firewall config, for example im using this config plus few other (DDoS, some blacklist IP)
How to ***really*** block invalid TCP and UDP packet
but still u need to add rules drop input tcp/udp 53, mine still have minor packet to my router
*
Thanks rioven. I'm using the set of firewall rules from klseet's Mikrotik guide (2-3 years ago) which I think already has what you mentioned above. Seems to work well. I'm quite the newbie to firewalls so I don't pretend to understand what some of the rules are for but hey, if they work, that's good enough for me.

Maybe you can write a guide to firewalls or post a sample set of rules for newbies.

Mikrotik's current default config of dropping everything to the Input chain seems to be a good approach too. Then one can just open up what's necessary eg: port 80 webfig, 22 ssh or 8291 winbox, etc...
soonwai
post Jan 31 2016, 11:52 PM




QUOTE(asellus @ Jan 29 2016, 12:26 PM)
You should also go ahead and drop all UDP packet that lands on port 123 too to prevent NTP amplification attacks.
*
Thanks asellus. Just googled NTP amplification. Very interesting all these methods of attacks.
soonwai
post Jan 31 2016, 11:56 PM




QUOTE(edward88 @ Jan 29 2016, 03:41 PM)
u can uncheck your DNS Allow Remote Request and the traffic should be gone.
*
Thanks edward88, tis true but I'm using my Mikrotik as DNS server so am unable to do that.
soonwai
post Feb 1 2016, 12:10 AM




This is what a DNS Amplification Attack looks like on a Mikrotik router.

I purposefully left port 53 DNS opened a little less than 48hrs ago and sometime between the last 12hrs, someone found the open port and started a DNS amp attack.

user posted image

This post has been edited by soonwai: Feb 1 2016, 12:11 AM
soonwai
post Feb 1 2016, 12:27 AM




QUOTE(wong_86 @ Jan 29 2016, 09:31 AM)
Mikrotik got router support dual channel wireless 2.4 and 5GHz?

think to replace my asus n16 due to wireless performance issue, need good wireless solution to support multiple wireless device, netflix, video streaming , iptv etc..

need sifu advice to solve this issue.
*
This one does. http://routerboard.com/RB952Ui-5ac2nD

It's a new model that just came out but dunno when it'll arrive in Malaysia. But, and a big but, it only has 100meg ethernet and max wifi transmit power is 200mW. Whereas the ones below with the capital H (for high) in the name has max wifi transmit power of 1000mW.

Current models RB951Ui-2HnD, RB951G-2HnD and 2011UiAS-2HnD are all 2.4GHz only.
syabilng
post Feb 1 2016, 11:31 AM

Enthusiast
*****
Senior Member
904 posts

Joined: Jul 2011
From: Eastern Kingdom

Hey guys,

Sorry just a noob and simple question, what's the difference and advantages of using Mikrotik vs stock Unifi L7 router?

Thanks.
edward88
post Feb 1 2016, 03:44 PM



QUOTE(soonwai @ Jan 31 2016, 11:56 PM)
Thanks edward88, tis true but I'm using my Mikrotik as DNS server so am unable to do that.
*
Hi Soon wai,

If your PC is getting from router, unchecking the remote request won't affect your surfing.
Just add DNS in your DHCP server setting and your client will get it.



soonwai
post Feb 1 2016, 04:46 PM




QUOTE(edward88 @ Feb 1 2016, 03:44 PM)
Hi Soon wai,

If your PC is getting from router, unchecking the remote request won't affect your surfing.
Just add DNS in your DHCP server setting and your client will get it.
*
Tis true also but I don't want to do that. Only the router is allowed as DNS server in my house. All others are blocked. Too many kids and weird websites, you know.

This post has been edited by soonwai: Feb 1 2016, 04:46 PM
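
Added example, not part of any post in this thread: a RouterOS filter sketch for the setup discussed above, where the router keeps answering DNS for the LAN (Allow Remote Requests stays on) while DNS and NTP arriving from the internet are dropped. The interface names `pppoe-out1` (WAN) and `bridge-local` (LAN) are assumptions; substitute your own.

```routeros
# Added example. Assumed interface names: WAN = pppoe-out1, LAN = bridge-local.

# Keep the router's resolver available to LAN clients.
/ip dns set allow-remote-requests=yes

/ip firewall filter
# Replies to the router's own upstream lookups come from source port 53 to an
# ephemeral destination port on a tracked connection, so they are accepted here
# and never reach the dst-port=53 drops below.
add chain=input connection-state=established,related action=accept \
    comment="allow replies to router-originated traffic"

# Unsolicited DNS from the internet: with Allow Remote Requests on, this is
# the open-resolver exposure that amplification traffic relies on.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=53 action=drop \
    comment="drop DNS (UDP) from WAN"
add chain=input in-interface=pppoe-out1 protocol=tcp dst-port=53 action=drop \
    comment="drop DNS (TCP) from WAN"

# Same treatment for NTP, as suggested earlier in the thread.
add chain=input in-interface=pppoe-out1 protocol=udp dst-port=123 action=drop \
    comment="drop NTP from WAN"

# Optional: make the router the only resolver LAN clients can reach by
# dropping DNS that tries to pass through it to outside servers.
add chain=forward in-interface=bridge-local protocol=udp dst-port=53 action=drop \
    comment="block LAN DNS to external resolvers (UDP)"
add chain=forward in-interface=bridge-local protocol=tcp dst-port=53 action=drop \
    comment="block LAN DNS to external resolvers (TCP)"

# Rules are evaluated top to bottom and "add" appends to the end of the list,
# so move these above any broader accept rule that would match first.
# Check the packet counters on the input chain to confirm the drops are hit.
/ip firewall filter print stats where chain=input
```
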
soonwai
post Feb 1 2016, 04:56 PM




QUOTE(syabilng @ Feb 1 2016, 11:31 AM)
Hey guys,

Sorry just a noob and simple question, what's the difference and advantages of using Mikrotik vs stock Unifi L7 router?

Thanks.
*
Well, it's got more memory, faster CPU, the OS (RouterOS) can do more router-like stuff. It's harder to configure well but you have a zillion options. You can do things like scripting like get the router to email you every time the IP address changes. You can limit the kid's phone to 1mbps so their Youtube don't kacau your torrenting. So many fun things.
rioven
post Feb 1 2016, 06:38 PM




QUOTE(soonwai @ Jan 31 2016, 11:48 PM)
Thanks rioven. I'm using the set of firewall rules from klseet's Mikrotik guide (2-3 years ago) which I think already has what you mentioned above. Seems to work well. I'm quite the newbie to firewalls so I don't pretend to understand what some of the rules are for but hey, if they work, that's good enough for me.

Maybe you can write a guide to firewalls or post a sample set of rules for newbies.

Mikrotik's current default config of dropping everything to the Input chain seems to be a good approach too. Then one can just open up what's necessary eg: port 80 webfig, 22 ssh or 8291 winbox, etc...
*
I'm also a newbie to firewalls, most of the time I used someone's config and just leave it (as long as it works). Klseet firewall rules are more strict than mine. Might evaluate my firewall setting again.
rioven
post Feb 5 2016, 12:38 AM




These scripts might be worth adding for extra protection
1. Blacklist by IntrusDave
Credit to Joyce Dave
2. Joshaven blacklist
Credit to Joshaven Potter
amirsubhi
post Feb 9 2016, 10:31 PM

The Power Is IN Your Hand!
******
Senior Member
1,472 posts

Joined: Apr 2005
From: SumwHeRe In MaLaYsIa



Has anyone tried hap AC?

http://routerboard.com/RB962UiGS-5HacT2HnT

5 GE Port, .AC, triple chain 3x3

Price tad a bit expensive

This post has been edited by amirsubhi: Feb 9 2016, 10:32 PM
SUSGreenSamurai
post Feb 10 2016, 01:18 PM

The Green One
*******
Senior Member
2,150 posts

Joined: Feb 2006



QUOTE(amirsubhi @ Feb 9 2016, 10:31 PM)
Has anyone tried hap AC?

http://routerboard.com/RB962UiGS-5HacT2HnT

5 GE Port, .AC, triple chain 3x3

Price tad a bit expensive
*
The model is just available for purchase a few days ago after almost 1 year delay. The price is a bit steep. Will have to wait for bro soonwai to get it and try first before deciding whether to get one for myself haha.

This post has been edited by GreenSamurai: Feb 10 2016, 01:19 PM
