Friday, March 28, 2008

How to make a HotSpot gateway

To set up a simple HotSpot Gateway, follow the steps below:

1. Configure the wireless interface on the HotSpot Gateway:

[admin@HotSpot] > interface wireless set wlan1 ssid=HotSpot band=2.4ghz-b mode=ap-bridge

2. Configure the IP address for the HotSpot interface:

[admin@HotSpot] > ip address add address=192.168.0.1/24 interface=wlan1

3. Configure the IP address for the WAN/LAN interface:

[admin@HotSpot] > ip address add address=10.5.8.250/24 interface=ether1

4. Add a default route on the HotSpot Gateway:

[admin@HotSpot] > ip route add gateway=10.5.8.1

5. Configure HotSpot on the wlan1 interface and add the user admin with password test:

[admin@HotSpot] > ip hotspot setup
hotspot interface: wlan1
local address of network: 192.168.0.1/24
masquerade network: yes
address pool of network: 192.168.0.2-192.168.0.254
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 10.5.8.2
dns name: hs.example.net
name of local hotspot user: admin
password for the user: test

In order to access network resources, HotSpot clients have to configure their wireless interfaces with the proper SSID, band and mode, and enable dynamic host configuration (DHCP) on the wireless interface.


Two gateways failover

This example explains how to use two gateways, with the second taking over when the first fails. Begin by adding the gateways: set a bigger distance value for the secondary one, and enable check-gateway for the first one:

/ip route add gateway=192.168.1.1 check-gateway=ping
/ip route add gateway=192.168.2.1 distance=2

That's all, there are no more steps!

The first gateway will be used initially because its distance is smaller (default 0); check-gateway will make sure it is up. When the ping fails, the first gateway is disabled and the second takes over; when the first one comes back up, it returns to service.


How to Block Websites & Stop Downloading Using Proxy

This example explains how to block web sites and how to stop downloads. I have used the Web-Proxy test package.

First, configure the proxy:

/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0:0
cache-drive: system
cache-administrator: "webmaster"
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d

Now, make it transparent by redirecting outgoing HTTP to the proxy port:

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

Make sure that your proxy is NOT an open proxy: drop connections to the proxy port that arrive on the WAN interface (in-interface must be your WAN interface; it is shown here as a placeholder):

/ip firewall filter
add chain=input in-interface=<WAN-interface> src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

Now, for blocking websites:

/ip proxy access
add dst-host=www.vansol27.com action=deny

This will block the website http://www.vansol27.com. We can also block the same site for particular networks only by giving src-address; the rule then applies only to that source address range.

We can also stop the downloading of files such as .mp3, .exe, .dat, .avi, etc.:

/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny

Try this as well:

/ip proxy access
add dst-host=:mail action=deny

This will block all websites whose URL contains the word “mail”.

Example: It will block www.hotmail.com, mail.yahoo.com, www.rediffmail.com
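To check what a proxy access list will and will not block before deploying it, here is a small evaluator, added as an example for this post; it is not part of the original post or of RouterOS. It assumes the RouterOS rule semantics: a dst-host value starting with ':' is a regular expression searched in the host name, any other dst-host must match the host exactly, path is a wildcard pattern over the URL path, and the first matching rule decides. The rule set (including a src-address restriction on the first rule), the client addresses and the sample URLs are constructed.

```python
"""Added example (not from the page): evaluate /ip proxy access style rules
against sample URLs. Semantics assumed: ':'-prefixed dst-host is a regex
searched in the host, other dst-host values match the host exactly, path is
a shell-style wildcard over the URL path, first matching rule wins."""
from dataclasses import dataclass
from fnmatch import fnmatchcase
from typing import Optional
import ipaddress
import re
from urllib.parse import urlsplit


@dataclass
class AccessRule:
    action: str                         # "allow" or "deny"
    dst_host: Optional[str] = None      # host name, or ':regex'
    path: Optional[str] = None          # wildcard over the URL path, e.g. '*.exe'
    src_address: Optional[str] = None   # CIDR the rule is limited to, if any

    def matches(self, src_ip, host, url_path):
        if self.src_address is not None:
            net = ipaddress.ip_network(self.src_address, strict=False)
            if ipaddress.ip_address(src_ip) not in net:
                return False
        if self.dst_host is not None:
            if self.dst_host.startswith(":"):
                # regex form: matches anywhere in the host name
                if not re.search(self.dst_host[1:], host, re.IGNORECASE):
                    return False
            elif host.lower() != self.dst_host.lower():
                return False
        if self.path is not None and not fnmatchcase(url_path, self.path):
            return False
        return True


# Constructed rule set mirroring the post; the first rule is limited to one
# client network to show the src-address variant mentioned in the text.
RULES = [
    AccessRule("deny", dst_host="www.vansol27.com", src_address="192.168.0.0/24"),
    AccessRule("deny", path="*.exe"),
    AccessRule("deny", path="*.mp3"),
    AccessRule("deny", path="*.zip"),
    AccessRule("deny", path="*.rar"),
    AccessRule("deny", dst_host=":mail"),
]


def decide(rules, src_ip, url):
    """Return 'deny' or 'allow' for one request; 'allow' if no rule matches."""
    parts = urlsplit(url)
    host = parts.hostname or ""
    for rule in rules:
        if rule.matches(src_ip, host, parts.path):
            return rule.action
    return "allow"


if __name__ == "__main__":
    # constructed sample requests
    for client, url in [("192.168.0.5", "http://www.vansol27.com/"),
                        ("10.5.8.20", "http://www.vansol27.com/"),
                        ("192.168.0.5", "http://www.hotmail.com/"),
                        ("192.168.0.5", "http://example.com/dl/setup.exe"),
                        ("192.168.0.5", "http://www.example.com/mailbox.html")]:
        print(f"{client:13} {url:40} {decide(RULES, client, url)}")
```

Two things the evaluator makes visible: the ':mail' rule is matched against the host name only, so a page like www.example.com/mailbox.html passes while any host containing "mail" (www.gmail.com included) is denied, and the path wildcards are case-sensitive as written, so SETUP.EXE would not be caught by *.exe.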

ENJOY BLOCKING…….


How to block MSN Messenger

Create a set of rules.

Connect with SSH or the console to your MikroTik router and use a command like this one:

[admin@MikroTik] > ip firewall filter add chain=forward protocol=tcp dst-address=207.46.110.0/24 action=drop log=yes comment="MSN Messenger" disabled=no

The whole set of rules I used in my scenario was:

14 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=1863 action=drop

15 X ;;; MSN Messenger
     chain=forward dst-address=207.46.110.0/24 protocol=tcp action=drop

16 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=5190 action=drop

17 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=6901 action=drop

18 X ;;; MSN Messenger
     chain=forward protocol=tcp dst-port=6891-6900 action=drop


How to autodetect infected or spammer users and temporarily block outgoing SMTP

Here you can see the solution I invented, which works excellently, to autodetect and block SMTP viruses or spammers!

Create only these 2 rules in the firewall forward chain:

/ip firewall filter
add chain=forward protocol=tcp dst-port=25 src-address-list=spammer \
    action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"
add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 \
    action=add-src-to-address-list address-list=spammer address-list-timeout=1d \
    comment="Detect and add-list SMTP virus or spammers"

When a user is autodetected as infected with a worm or sending spam, the user is added to the spammer list and outgoing SMTP is blocked for 1 day. All the values can be adjusted for different network types or at your convenience. Note that the drop rule must come before the detection rule so that an already-listed source is dropped first.

Logging detected users

Next, to write a red (error-level) log entry every 30 minutes listing the detected infected or spammer users on the hotspot, add the following script. The script itself does not repeat; run it from /system scheduler with a 30-minute interval.

/system script
add name="spammers" policy=ftp,read,write,policy,test,winbox source={
    :log error "----------Users detected like SPAMMERS -------------";
    :local usser;
    :local ip;
    # walk every address in the spammer list
    :foreach i in=[/ip firewall address-list find list=spammer] do={
        :set usser [/ip firewall address-list get $i address];
        # resolve the address to the hotspot user(s) currently logged in from it
        :foreach j in=[/ip hotspot active find address=$usser] do={
            :set ip [/ip hotspot active get $j user];
            :log error $ip;
            :log error $usser
        }
    }
}


User Manager/Hotspot Example

Introduction

To make this setup, you should have a running HotSpot server on the router. Let us consider the configuration steps for the HotSpot and User Manager routers, in order to use User Manager for HotSpot users.

HotSpot configuration

* Set HotSpot to use User Manager for HotSpot server users,

/ ip hotspot profile set hsprof1 use-radius=yes

* Add radius client to consult User Manager for HotSpot service.

/ radius add service=hotspot address=y.y.y.y secret=123456

'secret' is equal to the User Manager router secret. 'y.y.y.y' is the User Manager router address; by default this is 127.0.0.1. If using a remotely located router (perhaps via a VPN), the IP address entered is the IP address of that remote router. The router could be a RADIUS server, or another RouterOS box with User Manager installed.

* Note: the local HotSpot database is consulted first, then the User Manager database.

This means that if you have users configured in '/ ip hotspot user print', they will be able to authenticate to HotSpot using that data. Delete the user configuration from '/ ip hotspot user' to stop using the local HotSpot database for authentication. To move a batch of local HotSpot users to the User Manager database, use export/import: use a text editor to create an appropriate file to import the local users into the User Manager database.

User Manager configuration

* First, you need to download and install User Manager package;
* Create User Manager subscriber;

/ tool user-manager customer add login="MikroTik" password="qwerty" permissions=owner

* Add HotSpot router information to router list,

/ tool user-manager router add subscriber=MikroTik ip-address=x.x.x.x shared-secret=123456

'x.x.x.x' is the address of the HotSpot router, 'shared-secret' should match on both User Manager and HotSpot routers. Adding 'x.x.x.x' as a router allows Radius requests from 'x.x.x.x' to be passed to the Radius Server built into User Manager. Therefore if you have any remote ROS Hotspots that require access to this Radius Server, then all their IP addresses must be added to this list.

* Add HotSpot user information; this is the equivalent of 'ip hotspot user' when the local HotSpot database is used for clients.

/ tool user-manager user add username=demo password=demo subscriber=MikroTik

We discuss only a basic configuration example here; detailed information about the 'user' menu configuration is outside the scope of this example.

* You can use the User Manager web interface after the first subscriber is created.

* To make sure that a client is using User Manager for AAA:

/ ip hotspot active print
Flags: R - radius, B - blocked
 #   USER           ADDRESS         UPTIME  SESSION-TIME-LEFT  IDLE-TIMEOUT
 0 R 00:01:29:2...  192.168.100.2   1m29s

'R' means that client uses User Manager server for AAA services.


Drop port scanners

To protect the router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list, we can then drop connections from those IPs.

/ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list \
    address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no

Various combinations of TCP flags can also indicate port scanner activity.

add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="NMAP FIN Stealth scan"

add chain=input protocol=tcp tcp-flags=fin,syn \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="SYN/FIN scan"

add chain=input protocol=tcp tcp-flags=syn,rst \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="SYN/RST scan"

add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="FIN/PSH/URG scan"

add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="ALL/ALL scan"

add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg \
    action=add-src-to-address-list address-list="port scanners" \
    address-list-timeout=2w comment="NMAP NULL scan"

Then you can drop those IPs:

add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Similarly, you can drop these port scanners in the forward chain by using the above rules with chain=forward.
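The tcp-flags signatures above are easy to get subtly wrong (a flag that is not mentioned is a "don't care", and the chain is first-match). The following is an added example, not code from the page, that evaluates those six signatures in the page's order against a handful of constructed packet headers and builds the resulting "port scanners" list the way action=add-src-to-address-list would. The psd rule is not modelled; source addresses and flag combinations are constructed sample input.

```python
"""Added example (not from the page): apply the page's tcp-flags port-scan
signatures, in chain order, to constructed TCP headers and collect the
sources that would land in the "port scanners" address list."""
from dataclasses import dataclass

FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# One entry per rule on the page, in the same order; value is the rule's
# tcp-flags string: listed flags must be set, '!'-prefixed ones must be clear,
# unmentioned flags are ignored, exactly as RouterOS evaluates the match.
SIGNATURES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan":          "fin,syn",
    "SYN/RST scan":          "syn,rst",
    "FIN/PSH/URG scan":      "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan":          "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan":        "!fin,!syn,!rst,!psh,!ack,!urg",
}


def parse_tcp_flags(spec):
    """Split a tcp-flags value into (must_be_set, must_be_clear) sets."""
    need, forbid = set(), set()
    for tok in spec.split(","):
        tok = tok.strip()
        name = tok.lstrip("!")
        if name not in FLAGS:
            raise ValueError(f"unknown TCP flag {name!r}")
        (forbid if tok.startswith("!") else need).add(name)
    return need, forbid


def matches(spec, set_flags):
    """True if a header with exactly `set_flags` set satisfies `spec`."""
    need, forbid = parse_tcp_flags(spec)
    present = set(set_flags)
    return need <= present and not (forbid & present)


def classify(set_flags):
    """Comment of the first rule that fires (chain order), or None."""
    for comment, spec in SIGNATURES.items():
        if matches(spec, set_flags):
            return comment
    return None


@dataclass
class Packet:
    src: str
    flags: tuple


def build_address_list(packets):
    """Mimic add-src-to-address-list: source IP -> reason it was first listed."""
    listed = {}
    for p in packets:
        reason = classify(p.flags)
        if reason is not None and p.src not in listed:
            listed[p.src] = reason
    return listed


# Constructed sample traffic arriving on the router's input chain.
SAMPLE = [
    Packet("198.51.100.7", ()),                                   # no flags at all
    Packet("198.51.100.7", ("fin",)),                             # bare FIN
    Packet("203.0.113.9", ("syn",)),                              # ordinary connect
    Packet("203.0.113.9", ("ack",)),                              # established traffic
    Packet("192.0.2.44", ("fin", "psh", "urg")),                  # FIN/PSH/URG
    Packet("192.0.2.45", ("syn", "fin")),                         # SYN+FIN
    Packet("192.0.2.46", ("fin", "syn", "rst", "psh", "ack", "urg")),
]

if __name__ == "__main__":
    for src, reason in build_address_list(SAMPLE).items():
        print(f"{src:14} listed: {reason}")
```

Running it shows one consequence of the rule order on the page: a header with every flag set is caught by the "SYN/FIN scan" rule before the "ALL/ALL scan" rule is reached, so the ALL/ALL rule never fires as written. That is harmless here because every rule feeds the same address list, but it matters if you later give the rules different actions or timeouts. Ordinary SYN and ACK traffic matches nothing, which is the property to re-check whenever a signature is edited.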


Bruteforce login prevention (FTP)

These are 2 basic scripts I use frequently; they are from the forum (written by other users).

Allow only 10 incorrect FTP login answers per minute:

/ip firewall filter

add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h


This will cause an SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

/ip firewall filter

add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
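The order of the staged rules above is the whole trick: a new connection is tested against ssh_stage3 first and ssh_stage1 last, so one packet can only climb a single stage. The following model, added as an example and not code from the page, replays constructed connection attempts through those five rules with the RouterOS behaviour assumed here: action=add-src-to-address-list does not stop the packet (it falls through to the next rule) while action=drop does, and re-adding an address refreshes its timeout. Timestamps and source addresses are constructed.

```python
"""Added example (not from the page): simulate the staged SSH brute-force
address lists. Assumed RouterOS semantics: add-src-to-address-list is a
passthrough action, drop is terminal, re-adding refreshes the timeout."""
from collections import defaultdict

MINUTE, DAY = 60, 86400


class AddressLists:
    """Address lists with per-entry expiry, like /ip firewall address-list."""

    def __init__(self):
        self._lists = defaultdict(dict)     # list name -> {ip: expires_at}

    def add(self, name, ip, now, timeout):
        self._lists[name][ip] = now + timeout   # re-adding restarts the timer

    def contains(self, name, ip, now):
        expires = self._lists[name].get(ip)
        if expires is None:
            return False
        if expires <= now:                      # entry timed out: forget it
            del self._lists[name][ip]
            return False
        return True


# (required src-address-list or None, target list or "drop", timeout) in the
# exact order the rules appear in the chain on the page.
RULES = [
    ("ssh_blacklist", "drop", None),
    ("ssh_stage3", "ssh_blacklist", 10 * DAY),
    ("ssh_stage2", "ssh_stage3", MINUTE),
    ("ssh_stage1", "ssh_stage2", MINUTE),
    (None, "ssh_stage1", MINUTE),
]


def new_ssh_connection(lists, ip, now):
    """Run one connection-state=new packet through the chain.
    Returns 'drop' or 'accept' (accept = fell through all rules)."""
    for required, target, timeout in RULES:
        if required is not None and not lists.contains(required, ip, now):
            continue
        if target == "drop":
            return "drop"
        lists.add(target, ip, now, timeout)     # passthrough: keep evaluating
    return "accept"


def simulate(events):
    """events: (timestamp_seconds, src_ip) in time order -> [(t, ip, verdict)]."""
    lists = AddressLists()
    return [(t, ip, new_ssh_connection(lists, ip, t)) for t, ip in events]


# Constructed sample: one host hammering port 22, one host retrying slowly.
SAMPLE_EVENTS = [
    (0, "198.51.100.7"), (0, "203.0.113.9"),
    (10, "198.51.100.7"), (20, "198.51.100.7"),
    (30, "198.51.100.7"), (40, "198.51.100.7"),
    (70, "203.0.113.9"), (80, "203.0.113.9"),
]

if __name__ == "__main__":
    for t, ip, verdict in simulate(SAMPLE_EVENTS):
        print(f"t={t:3}s {ip:14} {verdict}")
```

The replay makes two practical details explicit: the fast host is blacklisted on its fourth new connection but that fourth connection is still accepted (the blacklist check already ran before the listing happened), so the drop starts with the fifth attempt; and the slow host, whose ssh_stage1 entry expired after 60 seconds, is back at stage 1 on its second try. Shorten the stage timeouts and the second behaviour gets more forgiving; lengthen them and it gets stricter.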


VOIP

It would be nice if some people who have experience in this field would share best practice in VOIP. How do you handle firewall, VLAN, queue, mangle, and so on?

1: How to control SKYPE and other p2p voice services (not fileshare), and get the best benefit out of them.

2: Make priority queues that handle normal VOIP.

Layer 3 prioritization.

The priority of VOIP can be increased over other traffic by marking the traffic and then using queue tree to assign a priority to that marked traffic.

Marking can be done of various things that identify the traffic as VOIP.

If you are trying to prioritize your VOIP or a known partnering VOIP service, you could mark traffic based on IP range. Here is an example. a.a.a.0/24 would be a network that includes the VOIP servers.

/ip firewall mangle
add chain=forward src-address=a.a.a.0/24 action=mark-packet new-packet-mark=VOIP \
    passthrough=no comment="VOIP" disabled=no

add chain=forward dst-address=a.a.a.0/24 action=mark-packet new-packet-mark=VOIP \
    passthrough=no comment="VOIP" disabled=no

Much VOIP hardware uses the TOS field in the IP packet header to express its preferred priority. If the VOIP equipment configuration does not say what the TOS value is, you can capture packets from it using /tool sniffer on your Mikrotik and look at those packets using wireshark/ethereal on your desktop computer. The RTP packets coming from the VOIP equipment will show the TOS in binary and hex. This value should be converted to decimal for use with Mikrotik's packet marking. Here is an example, using xxx as the decimal value of the TOS information we gathered using sniffer and wireshark.
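A small helper for the conversion step just described, added here as an example and not code from the post: it takes the TOS byte as Wireshark displays it (hex, 8-digit binary or decimal), produces the decimal value for the tos= parameter, and additionally splits the byte into its DSCP and ECN bits so the captured value can be checked against the DSCP the phone vendor claims to send (the DSCP naming goes beyond what the post discusses). The TOS values fed in are constructed.

```python
"""Added example (not from the page): convert a captured TOS byte to the
decimal tos= value for the mangle rule, and decode its DSCP/ECN bits."""

# Standard DSCP code points (RFC 2474, RFC 2597, RFC 3246). The names are an
# addition for readability; the post itself only works with the raw TOS byte.
DSCP_NAMES = {0: "CS0", 8: "CS1", 10: "AF11", 16: "CS2", 18: "AF21", 24: "CS3",
              26: "AF31", 32: "CS4", 34: "AF41", 40: "CS5", 46: "EF",
              48: "CS6", 56: "CS7"}


def tos_from_wireshark(text):
    """Parse a TOS byte as Wireshark shows it: '0xb8' (hex), an 8-digit
    binary string such as '10111000', or a plain decimal such as '184'."""
    s = text.strip().lower()
    if s.startswith("0x"):
        value = int(s, 16)
    elif len(s) == 8 and set(s) <= {"0", "1"}:
        value = int(s, 2)            # the bit view from the packet detail pane
    elif s.isdigit():
        value = int(s, 10)
    else:
        raise ValueError(f"unrecognised TOS value {text!r}")
    if not 0 <= value <= 255:
        raise ValueError(f"TOS byte out of range: {value}")
    return value


def describe_tos(value):
    """Split the byte: DSCP is the upper 6 bits, ECN the lower 2."""
    dscp, ecn = value >> 2, value & 0b11
    return {"tos": value, "dscp": dscp,
            "dscp_name": DSCP_NAMES.get(dscp, f"DSCP{dscp}"), "ecn": ecn}


def mangle_rule(value):
    """The post's mangle rule with the decimal TOS filled in."""
    return (f"/ip firewall mangle add chain=forward tos={value} action=mark-packet "
            f"new-packet-mark=VOIP passthrough=no comment=\"voip tos {value}\" disabled=no")


if __name__ == "__main__":
    for shown in ("0xb8", "10111000", "0xa0"):    # constructed capture values
        v = tos_from_wireshark(shown)
        print(shown, "->", describe_tos(v))
        print("   ", mangle_rule(v))
```

The decode is the useful check: 0xb8 is TOS 184, which is DSCP 46 (EF) with the ECN bits clear, the value most phones send for RTP. If a capture shows a non-zero ECN field the whole-byte value differs from the plain DSCP value by 1 to 3, so match on what the capture actually shows rather than on the DSCP alone.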

/ip firewall mangle
add chain=forward tos=xxx action=mark-packet new-packet-mark=VOIP passthrough=no \
comment="voip tos xxx" disabled=no

After the packet is marked, queue tree can assign a proper higher priority to the packets marked as VOIP. A queue should be set up on each interface which needs to assign a proper priority. Mikrotik priorities range from 1-8 with 8 being the lowest priority. (This differs from the unrelated but popular LAN CoS priority where 8 is the highest priority.) In my example, I set the priority to 2, which is higher than other traffic, but not the highest, which is typically reserved for routing protocols or other important network functionality.

/ queue tree
add name="ether1_voip" parent=ether1 packet-mark=VOIP limit-at=0 queue=default priority=2 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no
add name="ether2_voip" parent=ether2 packet-mark=VOIP limit-at=0 queue=default priority=2 \
max-limit=0 burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

You can use winbox to observe packet count of the various items in queue tree when making a VOIP phone call. If the counters increase, your marks are getting the right traffic and prioritizing it. If the counters are not increasing, you are not prioritizing the proper data.

Layer 2 prioritization.

On a busy LAN it may be desirable to separate your VOIP traffic from your normal data traffic. Many small networks aren't sufficiently busy or bursty to even need this. Some administrators keep the voice and data separate for better security or management using the same techniques.

You set up a separate IP range for your IP phones and equipment, and assign that network to your Mikrotik using a VLAN interface (or an additional ethernet card). Your other traffic would use a different VLAN (or network card). You need a managed ethernet switch to keep VLANs separate on a LAN infrastructure. A single ethernet port capable of VLAN tagging on the Mikrotik can support multiple VLANs. Some network cards don't do VLAN tagging well; for those you are best not putting VLAN tagged data on them.

On the managed ethernet switch, configure ports going to equipment for their respective proper vlan and to be untagged. (Voip phone on switch port 23 should be part of Voip vlan, file server on switch port 22 should be on the other vlan.) Ports going to other managed switches or to a vlan tagging Mikrotik should be part of both vlans with tagging enabled. If you use separate ethernet cards in the Mikrotik for voice and data, tagging would not be used.

Managed switches and other smart VLAN capable layer 2 equipment have VLAN prioritization called CoS. This lets you give your voice VLAN traffic a higher priority than other VLANs. Prioritization must be enabled and configured on every device the data passes through. CoS prioritization uses the opposite numbering of Mikrotik prioritization, so 8 will be the highest priority. If you have two ethernet switches, both must support VLANs and prioritization and be configured for it. Since it is layer 2, it does not pass through routers. Thus if you use a Mikrotik to route between two networks, both networks would need to be independently configured. CoS is not needed on the Mikrotik itself, but you should implement layer 3 QoS so that priority is maintained as it passes through the Mikrotik and goes out another Mikrotik interface.


Blocking Rapidshare.com web page

Blocking connection to Rapidshare.com web page.

/system script
add name="block_rapidshare" source={
    # one drop rule per network; the list is given as an array of strings
    :foreach i in={"62.67.46.0/24";"62.67.57.0/24";"64.215.245.0/24";"80.129.35.0/24";
                   "80.239.151.0/24";"80.239.159.0/24";"80.239.236.0/24";"82.129.35.0/24";
                   "82.129.36.0/24";"82.129.39.0/24";"195.122.131.0/24";"195.219.1.0/24";
                   "207.138.168.0/24";"212.162.63.0/24"} do={
        /ip firewall filter add chain=forward dst-address=$i dst-port=80 protocol=tcp action=drop
    }
}


A second, simpler method is to add a single content-matching rule to your firewall:

/ip firewall filter add chain=forward content=rapidshare action=drop


VPN with Virtual Routing and Forwarding / Mikrotik and Cisco

This example shows how to set up a VPN using Virtual Routing and Forwarding (VRF). VRF is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. In this example you can find a setup between Mikrotik and Cisco routers. Below are the steps to complete the configuration.

First, configure a tunnel interface on Mikrotik Router1 and Router2:

Router1:

/ interface ipip
add name="tunnel" local-address=218.100.100.29 remote-address=218.100.98.5 comment="" disabled=no

Router2:

/ interface ipip
add name="tunnel" local-address=218.100.100.30 remote-address=218.100.98.5 comment="" disabled=no

After all interfaces are configured, we should assign IP addresses to the interfaces on Router1 and Router2:

Router1:

/ip address
add address=218.100.100.29/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no
add address=172.16.1.1/30 network=172.16.1.0 broadcast=172.16.1.3 interface=tunnel comment="" disabled=no

Router2:

/ip address
add address=218.100.100.30/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether1 comment="" disabled=no
add address=172.16.1.5/30 network=172.16.1.4 broadcast=172.16.1.7 interface=tunnel comment="" disabled=no


On the Cisco router, create the VRF instance:

cisco#conf t
cisco(config)#ip vrf TEST
cisco(config-vrf)#rd 10:10
cisco(config-vrf)#end


Create the tunnel interface towards Router1 on the Cisco router and add it to VRF TEST. The tunnel address uses a /30 mask to match the 172.16.1.0/30 link configured on the Mikrotik side:

cisco#conf t
cisco(config)#interface Tunnel 900
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router1
cisco(config-if)#tunnel destination
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.2 255.255.255.252
cisco(config-if)#end


Create the tunnel interface towards Router2 on the Cisco router and add it to VRF TEST (again with a /30 mask, matching 172.16.1.4/30 on the Mikrotik side):

cisco#conf t
cisco(config)#interface Tunnel 901
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router2
cisco(config-if)#tunnel destination
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.6 255.255.255.252
cisco(config-if)#end

Set up routes and the policy-routing rules on the Mikrotik and Cisco routers:

Router1:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes \
    in-interface=ether1 src-address=192.168.1.0/24 disabled=no

/ip route rule
add routing-mark=tun action=lookup table=tun
/ip route
add dst-address=192.168.2.0/24 gateway=172.16.1.2 routing-mark=tun

Router2:

/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes \
    in-interface=ether1 src-address=192.168.2.0/24 disabled=no

/ip route rule
add routing-mark=tun action=lookup table=tun
/ip route
add dst-address=192.168.1.0/24 gateway=172.16.1.6 routing-mark=tun

Cisco Router:

cisco#conf t
cisco(config)#ip route vrf TEST 192.168.1.0 255.255.255.0 Tunnel900
cisco(config)#ip route vrf TEST 192.168.2.0 255.255.255.0 Tunnel901
cisco(config)#end


A VPN can be built directly from Router1 to Router2, but when you have a lot of customers with many routers, and many of them use the same address space, this is a great and easy solution.

All addresses are for example only.
Retrieved from "http://wiki.mikrotik.com/wiki/VPN_with_Virtual_Routing_and_Forwarding_/_Mikrotik_and_Cisco"
