Syed Jahanzaib Personal Blog to Share Knowledge !

August 29, 2011

Mikrotik 4 WAN Load Balancing using PCC with PPPoE Server / Complete Script !



Following is a complete script for Mikrotik to combine / load balance 4 DSL lines. This router is also acting as a PPPoE server, so I have made some modifications to the PCC script.

For normal LB, read my article at https://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-pcc-complete-script-by-zaib/

In this example I used a Mikrotik RB750 5-port router. Four ports were connected to four DSL routers, and the 5th port was connected to the user LAN. Don’t forget to rename the interface names accordingly. This script will also add a PPPoE server, one PPPoE user, a DHCP server, a DNS server and the PCC rules.

In my personal experience, if user requests are directly hitting a Mikrotik configured with PCC, you will get good load balancing. Use src-address as the classifier; this way you get rid of problems like HTTPS/broken links, streaming issues etc. Load balancing with this PCC technique (src-address) becomes more effective and balanced as more and more connections (from clients) occur. I also recommend using a SQUID proxy server along with Mikrotik, either in parallel, in front or at the backend, for better response time; it will also give users a better browsing experience.

If somehow you are not satisfied with the src-address approach, play with the PCC classifier and try both addresses and ports as the classifier. While this randomizes things the most and in theory gives you the fairest allocation of bandwidth, there is also a good chance that it will break certain things like banking web sites and some forums. This is because an HTTP request often generates several connections, so some of them may go out a different route than the initial one, and that breaks secure web sites. For that reason I usually stick with src-address for PCC load balancing.

Regards
Syed Jahanzaib
x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-


/ip address
 add address=172.16.0.1/16 broadcast=172.16.255.255 comment="" disabled=no interface=Local network=172.16.0.0
 add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
 add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0
 add address=192.168.3.2/24 broadcast=192.168.3.255 comment="" disabled=no interface=WAN3 network=192.168.3.0
 add address=192.168.4.2/24 broadcast=192.168.4.255 comment="" disabled=no interface=WAN4 network=192.168.4.0

/ip pool
 add name=dhcp_pool1 ranges=172.16.0.70-172.16.0.254
 add name=pppoe-users-pool ranges=10.0.0.1-10.0.0.255

/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=12h name="My DHCP Server"

/ip dhcp-server config
 set store-leases-disk=5m

/ip dhcp-server network
 add address=172.16.0.0/16 comment="" dns-server=172.16.0.1,221.132.112.8

/interface pppoe-server server
 add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable

/ppp profile add change-tcp-mss=default dns-server=172.16.0.1 local-address=172.16.0.1 name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default

/ppp secret add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes="" service=pppoe

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=221.132.112.8,221.132.112.9

/ip firewall mangle
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN4 new-connection-mark=WAN4_conn passthrough=yes

 add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.3.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.4.0/24

 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255
 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255
 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2 src-address=10.0.0.1-10.0.0.255
 add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3 src-address=10.0.0.1-10.0.0.255

 add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

/ip firewall nat
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN3 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN4 src-address=10.0.0.1-10.0.0.255

/ip route
 add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
 add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 scope=30 target-scope=10
 add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 scope=30 target-scope=10
 add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 scope=30 target-scope=10

 add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
 add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10
 add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=30 target-scope=10
 add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 scope=30 target-scope=10

All done! Now test the link by putting user load on it; the more users you put on it, the better the load-balancing result you will get 🙂

PCC WITH HOTSPOT

If you want to run PCC with HOTSPOT on the same Mikrotik server, put this rule in place to stop the hotspot from processing people after they have signed into the network.

/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

PCC WITH UN-EQUAL WAN LINKS

If you have unequal WAN links, for example WAN1, WAN2 and WAN3 are 4MB and WAN4 is 8 Mb, and you want to force MT to use the WAN4 link more than the others because of its capacity, then you have to add more PCC rules so that two classifier buckets are assigned to that specific link, i.e. WAN4, something like

Code:

# Five buckets (denominator 5): remainders 3 and 4 both go to WAN4, so it carries 2/5 of new connections
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
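To make the two points above concrete (why the classifier choice decides whether a client's parallel HTTPS connections stay on one WAN, and how mapping a second remainder to WAN4 shifts load onto it), here is a small Python model. It is an added example, not code from the original post. RouterOS does not publish its PCC hash, so a SHA-256 stand-in is assumed; the exact bucket a real router picks for a given connection will differ, but the distribution properties shown hold for any well-mixed hash. The client and server addresses are constructed sample values.

```python
"""Model of how PCC buckets connections onto WAN links (added example).

RouterOS does not publish its per-connection-classifier hash, so a SHA-256
stand-in is assumed here. What the model shows is the property the post
relies on, not the bucket a router would actually choose: with `src-address`
every connection from one client lands on one WAN, with
`both-addresses-and-ports` a client's parallel connections to the same site
can leave via different WANs, and two remainders pointing at one link give
that link twice the share.
"""
import hashlib
from collections import Counter

# Rule tables mirror the mangle rules: (denominator, remainder, connection mark).
EQUAL_RULES = [(4, 0, "WAN1_conn"), (4, 1, "WAN2_conn"),
               (4, 2, "WAN3_conn"), (4, 3, "WAN4_conn")]
UNEQUAL_RULES = [(5, 0, "WAN1_conn"), (5, 1, "WAN2_conn"), (5, 2, "WAN3_conn"),
                 (5, 3, "WAN4_conn"), (5, 4, "WAN4_conn")]  # two buckets -> WAN4


def classifier_fields(conn, classifier):
    """Pick the tuple fields a PCC classifier hashes. conn = (src, sport, dst, dport)."""
    src, sport, dst, dport = conn
    return {
        "src-address": (src,),
        "dst-address": (dst,),
        "both-addresses": (src, dst),
        "src-address-and-port": (src, sport),
        "dst-address-and-port": (dst, dport),
        "both-addresses-and-ports": (src, sport, dst, dport),
    }[classifier]


def pcc_remainder(conn, classifier, denominator):
    """Stand-in for matching 'classifier:denominator/remainder' (assumed hash, not RouterOS's)."""
    key = "|".join(str(f) for f in classifier_fields(conn, classifier)).encode()
    digest = hashlib.sha256(key).digest()
    return int.from_bytes(digest[:8], "big") % denominator


def mark_connection(conn, classifier, rules):
    """Walk the rules in order like the mangle chain; the first matching rule marks."""
    for denominator, remainder, mark in rules:
        if pcc_remainder(conn, classifier, denominator) == remainder:
            return mark
    raise LookupError("rules do not cover every remainder")


def marks_for_client(src, dst, dport, n_conns, classifier, rules):
    """Marks given to n parallel connections from one client to one server
    (constructed traffic: ephemeral source ports starting at 40000)."""
    conns = [(src, 40000 + i, dst, dport) for i in range(n_conns)]
    return Counter(mark_connection(c, classifier, rules) for c in conns)


def link_share(traffic, classifier, rules):
    """Fraction of connections each WAN would carry for a list of connections."""
    counts = Counter(mark_connection(c, classifier, rules) for c in traffic)
    total = sum(counts.values())
    return {mark: n / total for mark, n in counts.items()}


def constructed_traffic(n_clients, conns_per_client):
    """Constructed sample: PPPoE clients 10.0.0.x each opening several HTTPS
    connections to one server (203.0.113.10 is a documentation address)."""
    return [(f"10.0.0.{c}", 40000 + i, "203.0.113.10", 443)
            for c in range(1, n_clients + 1) for i in range(conns_per_client)]


if __name__ == "__main__":
    # One client, eight parallel HTTPS connections to the same site.
    print("src-address:",
          marks_for_client("10.0.0.7", "203.0.113.10", 443, 8, "src-address", EQUAL_RULES))
    print("both-addresses-and-ports:",
          marks_for_client("10.0.0.7", "203.0.113.10", 443, 8, "both-addresses-and-ports", EQUAL_RULES))
    print("unequal share:",
          link_share(constructed_traffic(200, 10), "both-addresses-and-ports", UNEQUAL_RULES))
```

With `src-address` the single client's Counter always has one key; with `both-addresses-and-ports` the same eight connections spread over several marks, which is the behaviour that upsets sites tying a session to the client's public address. The unequal table shows WAN4 at roughly 40% of new connections and the other three at roughly 20% each.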

٩(●̮̮̃•̃)۶   ZaiB   ٩(●̮̮̃•̃)۶


August 20, 2011

CMAK Howto create VPN Dialer Installer Package Using Windows 2003 utility called CMAK !

Filed under: Microsoft Related, Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:17 PM

~!~ Howto Create VPN Dialer Installer Package ~!~

Consider that you have a VPN server and over 100 clients in your area; you certainly do not want to visit every client just to create a dialer so they can connect to the internet. Windows 2003 Server has a built-in tool called CMAK (Connection Manager Administration Kit). Using this tool, you can create a VPN dialer installer package with preconfigured settings for your network, including your VPN server IP, your customized logo on the dialer, support phone numbers etc. The user just has to download it and run it; it installs itself like any other ordinary program by clicking NEXT NEXT NEXT 🙂
simple isn’t it 😉

I have prepared a step-by-step screenshot guide on how to install CMAK and create a dialer using this awesome tool (H) 😀

1) Step-by-step SLIDE-SHOW of screenshots is as follows

2) Step-by-step [static] screenshots are as follows

Regards

SYED JAHANZAIB

August 15, 2011

Mikrotik Firewall / Short Notes + Scripts


Contents …


0- Change mangle PCC rules by finding comments
1- Secure Services by Firewall Filter Rules
2- Firewall Sample
3- Better approach on blocking Ports
4- Howto block Winbox Discovery
5- Filter Rules to Allow/Block VPN Protocol
6- Howto block P2P / Torrents & Downloads using L7/Contents
7- Howto block User via MAC address
8- Script to reboot Router Daily in night at 1:00am
9- Disable/Enable Users using Script and Schedule
10- Update Hotspot walled garden list by fetching text file
11- Disconnect all active PPPoE users
12- Block download based on file SIZE …
13- Monitor WAN link (pppoe-out1) and reconnect (for PTCL 50mb VDSL hang issue)
14- Disable HOTSPOT Users who do not have the comment “PAID”
15- Script to disconnect previously logged user if same id connected with second computer [Hotspot]
16- Radius Offline, enable local ppp secret
17- Download Mikrotik Upgrade package via command in ROS [26/8/2014]
18- Multiple WAN ISP’s link with SAME GATEWAY [03/10-OCT/2014]
19- Print/Find WAN ip (if you have multiple WAN IPs assigned on the same WAN interface) [10th Jan, 2015]
20- Print/Find (pppoe dialer based) WAN IP address [10th Jan, 2015]



0- Change mangle PCC rules by finding comments

Recently I configured a load balancer (PCC based) on a Mikrotik RB for a client. For some customized reasons, he wanted to run dst-address as the per-connection-classifier in the daytime, and both-addresses-and-ports at night. He had to do this manually on a daily basis, so he asked me if it could be done automatically by the system. To achieve it, I added comments to all MARK CONNECTION (prerouting) mangle rules, like “rule1”, “rule2” and so on, then I used the following code in a scheduled script, which changes only the per-connection-classifier setting.

/ip firewall mangle set per-connection-classifier=dst-address:4/0 [find comment="rule1"]

🙂


 

1- Secure Services by Firewall Filter Rules

Sometimes, in Mikrotik logs, you will see that some IPs from WAN/LAN try to log in to your MT box using SSH, Winbox etc. To secure your router, the best solution is to come up with a list of networks that should be allowed to access the router administratively, and block everything else. The following code might help you in this situation.
[Most rules are copied from Mikrotik Wiki articles]

The following rules create an address list containing your management PC’s IP address, then allow the WINBOX, FTP, SSH, TELNET, HTTP and HTTPS ports from this address list only; the rest of the IPs won’t be able to reach these ports.


/ip firewall address-list
add list=management-servers address=10.10.0.1

/ip firewall filter
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept

add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

Now the scenario will look like the one below.

It is strongly advised to DISABLE all unnecessary services on the MikroTik router, especially SSH/FTP, which are heavily targeted by brute-force attacks. Also make sure to change the default service ports to some other number, preferably higher unused ports like 50000 or above …

This reduces the attack surface of your router: the fewer services there are to attack, the less likely your router could be compromised or overloaded 🙂

Remotely accessible router services should be limited to a few addresses

This is a simple and very effective way of controlling who can attempt to access the MikroTik router. Check from which addresses or networks the MikroTik router will be administered, then create firewall rules that only allow access to the router services from those management networks.

Deny all unwanted inbound traffic and allow only related traffic (***The best approach***)

By restricting inbound traffic to the router, you prevent accidentally opening up services on the router. Also, by restricting all services except the ones you know about and want, you prevent services that you may not be aware of from being reachable remotely on the MikroTik router.


HOWTO PREVENT VIRUS / PORTS FLOODING ?

A basic Mikrotik firewall script to secure the MT box from viruses and flooding. First copy all contents of the script below to Notepad, then read it carefully before applying it.


/ip firewall filter

# To Block ICMP on your WAN Interface
add action=drop chain=input comment="Block ICMP on WAN interface" in-interface=pppoe-out1 protocol=icmp

# Add flooding ips coming from the internet to the Blocked List for 1 mnt
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1m chain=block-ddos

# Block DNS Request on INCOMING WAN INTERFACE
add action=drop chain=input comment="BLOCK DNS REQUEST ON WAN INTERFACE" dst-port=53 in-interface=pppoe-out1 protocol=udp

# Block PORT Scanner Users for 2 minutes
add action=drop chain=input comment="drop port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg

# Block Common Virus Ports
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp

add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp
add action=drop chain=forward comment="invalid connections" connection-state=invalid
# Script Ends Here
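The port-scanner rules above all rely on the `tcp-flags` matcher, and it is worth seeing exactly which packets each expression catches and which normal traffic it leaves alone. The following Python is an added example, not part of the original post or of RouterOS: it implements the matcher's semantics (a listed flag must be set, a `!`-prefixed flag must be clear, unlisted flags are ignored), applies the six expressions from the script in the same order, and runs them over a handful of constructed packets. The `psd` matcher is not modelled, and the addresses are constructed sample values.

```python
"""Matching logic behind the port-scanner rules, run over constructed packets.

Added example, not from the original post. It implements RouterOS tcp-flags
matcher semantics and applies the six expressions from the filter script in
the same order. Like the real chain, add-src-to-address-list does not stop
rule processing, so one packet can hit several rules.
"""

TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# (comment, tcp-flags expression, address-list-timeout) copied from the filter rules above.
SCAN_RULES = [
    ("NMAP FIN Stealth scan", "fin,!syn,!rst,!psh,!ack,!urg", "2m"),
    ("SYN/FIN scan", "fin,syn", "2m"),
    ("SYN/RST scan", "syn,rst", "2m"),
    ("FIN/PSH/URG scan", "fin,psh,urg,!syn,!rst,!ack", "2m"),
    ("ALL/ALL scan", "fin,syn,rst,psh,ack,urg", "30m"),
    ("NMAP NULL scan", "!fin,!syn,!rst,!psh,!ack,!urg", "2m"),
]


def parse_tcp_flags(expr):
    """Split 'fin,!syn,...' into (must_be_set, must_be_clear) flag sets."""
    must_set, must_clear = set(), set()
    for token in expr.split(","):
        token = token.strip()
        negated = token.startswith("!")
        name = token[1:] if negated else token
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name}")
        (must_clear if negated else must_set).add(name)
    return frozenset(must_set), frozenset(must_clear)


def tcp_flags_match(flags_on, expr):
    """RouterOS tcp-flags semantics: listed flags set, negated flags clear, the rest ignored."""
    must_set, must_clear = parse_tcp_flags(expr)
    flags_on = frozenset(flags_on)
    return must_set <= flags_on and not (must_clear & flags_on)


def matching_rules(flags_on):
    """Comments of every scan rule the packet matches (the actions are non-terminating)."""
    return [comment for comment, expr, _ in SCAN_RULES if tcp_flags_match(flags_on, expr)]


def build_scanner_list(packets):
    """Simulate the 'port scanners' address list: src -> rule comments it triggered.
    packets: iterable of (src_ip, set_of_flags) for TCP packets arriving in chain=input."""
    listed = {}
    for src, flags in packets:
        hits = matching_rules(flags)
        if hits:
            listed.setdefault(src, []).extend(hits)
    return listed


# Constructed sample: one normal client and one host probing the router.
SAMPLE_PACKETS = [
    ("198.51.100.5", {"syn"}),               # normal handshake start
    ("198.51.100.5", {"ack"}),               # normal data segment
    ("198.51.100.5", {"fin", "ack"}),        # normal teardown
    ("203.0.113.9", set()),                  # no flags at all
    ("203.0.113.9", {"fin"}),                # lone FIN
    ("203.0.113.9", {"fin", "psh", "urg"}),  # FIN/PSH/URG combination
    ("203.0.113.9", {"syn", "fin"}),         # SYN and FIN together
    ("203.0.113.9", set(TCP_FLAGS)),         # every flag set
]

if __name__ == "__main__":
    for src, hits in build_scanner_list(SAMPLE_PACKETS).items():
        print(src, "->", hits)
```

Two things the run makes visible: the normal handshake and teardown never match, because every expression either demands a flag a normal segment lacks or forbids the ACK it carries; and a packet with all flags set matches three rules, so its 30-minute ALL/ALL entry competes with the 2-minute entries of the SYN/FIN and SYN/RST rules for the same address.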

A BETTER APPROACH ON BLOCKING PORTS !

/ip firewall mangle
# Send new connections to tcp/445 through a checking chain
add action=jump chain=prerouting connection-state=new disabled=no dst-port=445 jump-target=check-p445 protocol=tcp
# Up to 5 new connections per second (burst 10) are normal: leave the chain without listing anyone
add action=return chain=check-p445 limit=5,10
# Anything beyond that rate gets its source address listed for 1 hour
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=check-p445

/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445

The above rules allow 5 packets per second with a burst of 10, specific to new connections. The mangle rule puts a source address on the list when it exceeds that limit. That way legitimate use isn’t blocked, but something like a virus or worm sending out mass amounts of connections is detected and stopped. It’s a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs whose PCs need cleaning.
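A point worth checking before relying on the rate limit above is what "5 packets per second with a burst of 10" is counted against. The `limit` matcher keeps one counter per rule, not one per client, so a single flooding host can use up the allowance and the next connection from a well-behaved host is also counted as over the limit; the `dst-limit` matcher used in the block-ddos rules earlier on this page is the per-address variant. The Python below is an added example, not from the original post: it models the matcher as a token bucket (an assumption about its behaviour, not RouterOS's implementation) and compares a shared bucket with per-source buckets on constructed connection events.

```python
"""Token-bucket model of the `limit=5,10` matcher, shared vs per-source (added example).

The matcher is modelled as a token bucket refilling at 5 tokens/s with a cap
of 10 (an assumption about its behaviour). Applied to constructed new-
connection events to tcp/445 from two hosts, it shows the caveat that a
per-rule counter lets a flooding host push a normal host over the limit,
while a per-source counter lists only the flooding host.
"""

RATE_PPS = 5.0   # 'limit=5,10': 5 packets per second ...
BURST = 10.0     # ... with a burst of 10


class TokenBucket:
    """Classic token bucket: refill continuously at RATE_PPS, cap at BURST."""

    def __init__(self, rate=RATE_PPS, burst=BURST):
        self.rate, self.burst = rate, burst
        self.tokens, self.last = burst, None

    def within_limit(self, t):
        """True if a packet at time t is inside the allowance (and consumes a token)."""
        if self.last is not None:
            self.tokens = min(self.burst, self.tokens + self.rate * (t - self.last))
        self.last = t
        if self.tokens >= 1.0:
            self.tokens -= 1.0
            return True
        return False


def offenders(events, per_source):
    """Return the set of sources that would be added to the address list.

    events: (time_seconds, src_ip) new connections to tcp/445.
    per_source=False: one bucket for the whole rule (how `limit` counts).
    per_source=True: one bucket per source address (what a per-address matcher gives).
    """
    buckets = {}
    listed = set()
    for t, src in sorted(events):
        key = src if per_source else "rule"
        bucket = buckets.setdefault(key, TokenBucket())
        if not bucket.within_limit(t):
            listed.add(src)  # the add-src-to-address-list path
    return listed


def constructed_events():
    """Constructed sample: an infected host opens 100 new SMB connections in one
    second while a normal host opens a single one halfway through."""
    worm = [(i / 100.0, "10.0.0.66") for i in range(100)]
    legit = [(0.505, "10.0.0.7")]
    return worm + legit


if __name__ == "__main__":
    print("shared bucket lists:", sorted(offenders(constructed_events(), per_source=False)))
    print("per-source buckets list:", sorted(offenders(constructed_events(), per_source=True)))
```

With the shared bucket the normal host's single connection at 0.505 s arrives after the worm has drained the tokens, so both addresses end up on the list; with per-source buckets only the worm does. The real matcher's internals may differ from this bucket, but the shared-versus-per-source distinction is what decides whether neighbours of an infected PC lose port 445 for an hour.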


Mikrotik: How to block Winbox discovery + limit Winbox access

To hide your Mikrotik from appearing in the Winbox neighbour scan list, and to limit Winbox access to your admin PC only,
use the following.

/tool mac-server
set [find] disabled=yes
/tool mac-server ping
set enabled=no

/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6

You can also disable network neighbor discovery on the interface to which your network users are connected.

Example:

/ip neighbor discovery set ether1 discover=no

Personal recommendation:
Always disable unnecessary services like FTP / SSH / TELNET etc., or if it is necessary to enable them, at least limit their access to specific PCs only.
Allow only WINBOX, on a different port number.


How-to allow VPN (PPTP) connections to a Mikrotik VPN server

PPTP uses the GRE protocol; you have to allow IP protocol 47 (GRE), not a TCP port.
TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).

Example:


/ip firewall filter
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre

Make sure these rules are above any general DENY rule.


Howto Block Torrent / P2P

Blocking 100% of torrents is impossible, as nowadays torrent applications use encryption and it is nearly impossible to inspect the SSL traffic. I have used Forefront TMG 2010, which is capable of inspecting SSL traffic to some extent.
However, you can block basic torrent access using the following.

(The patterns were fetched from public sources, a few from Mikrotik, and some from personal lab testing. Modified for easy copy-pasting, as we all love copy-pasting, don’t we? :p)

/ip firewall layer7-protocol
add comment="P2P WWW web based content matching / Zaib" name=p2p_www regexp=\
"^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"
add comment="P2P DNS Matching / Zaib" name=p2p_dns regexp=\
"^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"

/ip firewall mangle
add action=mark-packet chain=postrouting comment="p2p download" disabled=no layer7-protocol=p2p_www new-packet-mark="p2p download" passthrough=no
add action=mark-packet chain=postrouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no

/ip firewall filter
add action=drop chain=forward comment="Block P2p_www Packets / Zaib" disabled=no layer7-protocol=p2p_www
add action=drop chain=forward comment="Block P2p_dns Packets / Zaib" disabled=no layer7-protocol=p2p_dns
add action=drop chain=forward comment="Block General P2P Connections , default mikrotik p2p collection / zaib" disabled=no p2p=all-p2p

Another approach to block P2P, taken from the Mikrotik forum. Not personally checked yet; someone please check and update.

/ip firewall filter
add action=drop chain=forward comment="TORRENT No 1: Classic non security torrent" disabled=no p2p=all-p2p
add action=drop chain=forward comment="TORRENT No 2: block outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp
add action=drop chain=forward comment="TORRENT No 3: block outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80 protocol=tcp
add action=drop chain=forward comment="TORRENT No 4: prohibits download .torrent files. " content="\r\nContent-Type: application/x-bittorrent" disabled=no protocol=tcp src-port=80
add action=drop chain=forward comment="TORRENT No 5: 6771 block Local Broadcast" content="\r\nInfohash:" disabled=no dst-port=6771 protocol=udp


Howto block a user by MAC address

/ip firewall filter
add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90
add chain=forward action=drop src-mac-address=74:EA:3A:F2:AF:90

SCRIPT SECTION



Script to reboot router daily at 1:00am

First add a script which has the command to reboot the router, then simply schedule it to run daily at 1:00am at night, or whenever you like 🙂

/system script
add name=sysreboot policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/system reboot"
/system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="/system reboot"
# OR
/system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="sysreboot"


Disable/Enable Users using Script and Schedule

http://forum.mikrotik.com/viewtopic.php?f=13&t=81284&p=406269#p406269



Update Hotspot walled garden list by fetching text file

http://forum.mikrotik.com/viewtopic.php?f=2&t=81249


Disconnect all active PPPoE users

# Print local time for LOG record purposes / tracking
:local CurrentTime [/system clock get time];
:log warning "Script Start to Disconnect all active PPPoE Users for RM Data record purposes at  $CurrentTime. . ."
# Disconnect users using find
/ppp active remove [find service="pppoe"]
:log warning "Users disconnection script completed at  $CurrentTime. . ."


Block download based on file SIZE …

I forgot the name of the guy from FB who asked me a question; let’s name him Mr. X. The query was: how to block downloads of large files (let’s say 5mb or above) at specific times (like 8pm-12am).

But the issue is: how will the router know the file size before it’s downloaded? The router has no way of knowing how big a connection is. A workaround is to create a firewall filter rule that allows the first 5MB of a connection through and, once it reaches that, starts dropping packets. I used it on a network in Gulistan-e-Jauhar, and it worked well.
But do remember that it will also affect streaming, RDP-like protocols, VPNs, and any other connection that transfers a large number of bytes.

/ip firewall filter
add action=drop chain=forward comment="downloading of files larger then 5mb (It will break connection after 5mb of transfer) applicable from 8pm till 12am / zaib" connection-bytes=5242880-0 disabled=no protocol=tcp time=\
20h-23h59m59s,sun,mon,tue,wed,thu,fri,sat

But do remember that it will only drop packets for that specific download; the user can start another download session. To prevent this, you can create a mangle rule that adds the user to a temporary list (with a timeout value of 1 hour or more), so the next time the user tries to download, his access to that particular resource is denied. You can customize this action to cover either the whole session or specific file types like mp3, exe, zip etc. You can also do source-based or destination-based control.

You can also make a simple queue, with or without burst, that slows the download speed after 5Mb down to a crawl of a few kbits
(it will not block based on size).

You can also forward these packets to an external proxy like Squid to filter based on the reply_body_max_size directive. Example:

reply_body_max_size 5242880 deny all # in specific timings only

As someone asked, for Squid use this:

acl localnet src 100.0.0.0/8
reply_body_max_size 5242880 deny localnet # deny downloads of 5MB (5242880 bytes) and above
http_access allow localnet

I would recommend going with queues and mangle rules; this way nothing gets blocked, but bandwidth is scaled back based on how much data has passed through the connection, making downloading large files painful for the cable.net users …



Disable HOTSPOT users who do not have the comment “PAID”

# Script source: http://forum.mikrotik.com/viewtopic.php?f=9&t=82129
# To disable HOTSPOT users who do not have "paid" in their comment field (the match is case-sensitive)
# Syed Jahanzaib / aacable@hotmail.com / https://aacable.wordpress.com

/ip hotspot user
:foreach i in=[find] do={
  :local username [get $i name]
  # Users whose comment contains "paid" are left alone; everyone else is disabled
  :if (!([get $i comment]~"paid")) do={
    :log warning "Disabling unpaid hotspot user $username"
    disable $i
  }
}

##################################################################
BELOW SCRIPT IS ORIGINAL VERSION OF ABOVE MODIFIED SCRIPT,
SCRIPT SOURCE: MIKROTIK FORUM
##################################################################

:local username
:local userunpaid

:foreach i in=[/ip hotspot user find] do={
  :set username [/ip hotspot user get $i name]
  # Only users without the "paid" comment are touched
  :if ([/ip hotspot user get $i comment] != "paid") do={
    # Remove every active session belonging to that user
    :foreach j in=[/ip hotspot active find user=$username] do={
      :set userunpaid [/ip hotspot active get $j user]
      /ip hotspot active remove $j
      :log info "User $userunpaid was removed from active list due to payment delay"
    }
  }
}

SCRIPT to disconnect the previously logged-in user if the same id is used at a second computer

It automatically removes the first logged-in session if the same id logs in from a 2nd computer.
[add it in the hotspot user profile ON LOGIN SCRIPT]

# base function Sourcecode: Mikrotik Forum
# Local Variables Section
:local uname $user;
:local usercount 0;
:local usertime "00:00:00";
# Variable for the session of this user that logged in earlier
:local kickable;
# Variable for max sessions allowed, 2 means only one session is allowed at a time
:local maxuser 2;
# Load all active sessions of this user in hotspot
:foreach i in=[/ip hotspot active find user=$uname] do={
  # Load UPTIME of each session to be compared
  :local curup [/ip hotspot active get $i uptime];
  # The earlier session is the one with the larger UPTIME; remember it for disconnection
  :if ( $curup > $usertime ) do={
    :set usertime $curup;
    :set kickable $i;
  }
  :set usercount ($usercount+1);
}
# If the user is already logged in elsewhere,
:if ($usercount = $maxuser) do={
  :log info "Login user: $uname ($usercount/$maxuser) - Oldest $usertime will be logged out!";
  # Kick the previously logged-in session (same ID)
  /ip hotspot active remove numbers=$kickable;
# If not, do nothing, just log. You can modify this function as well / JZ
} else={
  :log info "Login user: $uname ($usercount/$maxuser)";
}


Remote Radius server offline – enable local ppp secrets !!!

The question was

“Using radius server with pppoe and have set the clients with ppp secret disabled but if radius server goes offline clients cannot authenticate, so I would like to use netwatch to monitor the IP address of radius server and if unreachable to run script to enable ppp client secrets , any advice is most welcome”

The answer was simple:

You can create a foreach loop and add it in netwatch.
Example (copy-paste version):

ROS Code:

/tool netwatch
add comment="Netwatch script to detect Radius status and act accordingly" disabled=no down-script=":log error \"RADIUS not responding, enabling local users in SECRET section of PPP/zaib\"\r\
\n/ppp secret\r\
\n:foreach i in=[find] do={\r\
\n/ppp secret enable \$i\r\
\n}\r\
\n:log warning \"All PPP acounts are now enabled.\"" host=192.168.1.2 interval=1m timeout=2s up-script=":log error \"RADIUS is now ONLINE. Enabling local users in SECRET section of PPP/zaib\"\r\
\n/ppp secret\r\
\n:foreach i in=[find] do={\r\
\n/ppp secret disable \$i\r\
\n}\r\
\n:log warning \"All local PPP acounts are now DISABLED.\""

host=192.168.1.2 [change this ip to match your local ip address]
You can adjust the timings and timeout values as per your requirements.
But do remember this is just an workaround with some manual overhead management of keeping all users accounts replica to local mikrotik. As rextended mentioned, If resources allows, you should consider in having a cluster base radius , so in case of any single server failure, its replica or other clsuter node should reply to mirkotik seamless. Also Virtualization is very best for clustering like ESXI base High Availability :D or something like this.
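A variant of the same idea, added here as an example and not part of the original post or the forum reply: instead of enabling every secret, only secrets carrying the comment radius-fallback (a tag chosen for this example; user1 is likewise a placeholder name) are enabled while RADIUS is unreachable and disabled again when it returns, so accounts that were disabled for any other reason are never touched, and the number of accounts changed is logged. Host 192.168.1.2 is the address from the reply above. It still depends on netwatch's ICMP check, which proves only that the host answers ping, not that the RADIUS service on it is up.

```routeros
# Added example (not from the original post): enable only the local PPP secrets
# tagged with comment "radius-fallback" while RADIUS is down, re-disable them
# when it is back. Tag name, user1 and 192.168.1.2 are assumptions for this example.

# Tag the accounts that may work while RADIUS is down. They stay disabled during
# normal operation so RADIUS remains the authority for authentication.
/ppp secret
set [find name=user1] comment="radius-fallback" disabled=yes

/system script
add name=radius-fallback-on comment="enable only fallback-tagged local secrets" source=":local n 0;\r\
\n:foreach s in=[/ppp secret find comment=\"radius-fallback\" disabled=yes] do={\r\
\n/ppp secret enable \$s;\r\
\n:set n (\$n + 1);\r\
\n}\r\
\n:log error (\"RADIUS unreachable, enabled \" . \$n . \" fallback PPP secret(s)\");"
add name=radius-fallback-off comment="re-disable fallback-tagged local secrets" source=":local n 0;\r\
\n:foreach s in=[/ppp secret find comment=\"radius-fallback\" disabled=no] do={\r\
\n/ppp secret disable \$s;\r\
\n:set n (\$n + 1);\r\
\n}\r\
\n:log warning (\"RADIUS back online, disabled \" . \$n . \" fallback PPP secret(s)\");"

# netwatch only pings: a host that answers ICMP with a dead RADIUS daemon is
# still reported as up, so this is reachability monitoring, not service monitoring.
/tool netwatch
add host=192.168.1.2 interval=1m timeout=2s comment="RADIUS reachability (ICMP) -> fallback secrets" down-script="/system script run radius-fallback-on" up-script="/system script run radius-fallback-off"
```

Accounts you suspend later simply get no tag (or have it removed), so an outage can no longer resurrect them; the two counters in the log also make it obvious when a fallback run touched more accounts than expected.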


.

Download Mikrotik Upgrade package via command in ROS [26/8/2014]

You can use the following command to download an upgrade package from the Mikrotik CLI.
It's useful for upgrading old ROS versions like 5.x.

6.x package for mipsbe (CRS series, RB4xx series, RB7xx series, RB9xx series, RB2011 series, SXT, OmniTik, Groove, METAL, SEXTANT):

/tool fetch mode=http url=http://download2.mikrotik.com/routeros/6.18/routeros-mipsbe-6.18.npk

5.x package for powerpc:

/tool fetch mode=http url=http://download2.mikrotik.com/routeros/5.26/routeros-powerpc-5.26.npk

Once the .npk file shows up in /file print, reboot the router (/system reboot) and the package is installed on the way up. The architecture in the file name must match your board (/system resource print shows it): RouterOS ignores packages built for another architecture and refuses any whose MikroTik signature does not verify, so a truncated or tampered download is not installed. Where your version's fetch supports it, prefer an https:// URL.

to check latest version, see following url

http://www.mikrotik.com/download
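The same download as a script, added here as an example and not part of the original post: it picks the package matching the router's own architecture-name, fetches it, and reboots only if the file actually landed, instead of rebooting blindly after a fetch that may have failed. Version 6.18 and the download2.mikrotik.com URL layout are taken from the commands above and are assumptions to adjust for the release you want.

```routeros
# Added example (not part of the original post): download the main RouterOS
# package for this router's architecture and reboot only if it arrived.
# Assumptions: version 6.18 and the download2.mikrotik.com URL layout from the
# post above; change $ver (and the host) for the release you actually want.
:local ver "6.18";
:local arch [/system resource get architecture-name];
:local pkg ("routeros-" . $arch . "-" . $ver . ".npk");
:local url ("http://download2.mikrotik.com/routeros/" . $ver . "/" . $pkg);

# fetch raises a script error on DNS/HTTP failure; catch it instead of continuing
:do {
    /tool fetch mode=http url=$url dst-path=$pkg;
} on-error={
    :log error ("upgrade: fetch of " . $url . " failed, nothing installed");
    :error "fetch failed";
}

# the file must exist and be non-empty before a reboot is worth doing
:local f [/file find name=$pkg];
:if ([:len $f] = 0) do={
    :log error ("upgrade: " . $pkg . " not found in /file after fetch");
    :error "package missing";
}
:local size [/file get [:pick $f 0] size];
:if ($size = 0) do={
    :log error ("upgrade: " . $pkg . " is empty, not rebooting");
    :error "package empty";
}

# RouterOS checks MikroTik's package signature at install time, so a corrupted
# or tampered file is rejected on boot rather than installed; this script only
# guards against rebooting for nothing.
:log warning ("upgrade: " . $pkg . " downloaded (" . $size . " bytes), rebooting to install");
/system reboot
```

Run it from /system script or the terminal; because the file name is built from architecture-name, the same script works unchanged on a mipsbe, powerpc or x86 box.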

18- Multiple WAN ISP's links with the SAME GATEWAY [03/10-OCT/2014]

If you have multiple ISP links that use the same gateway ip, add the routes with the interface appended to the gateway (ip%interface), so each route is tied to its own port:

/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether1 distance=1
/ip route add dst-address=0.0.0.0/0 gateway=1.1.1.1%ether2 distance=2

Note: 1.1.1.1 is the ISP gateway, and ether1 and ether2 are the interfaces connected to ISP1 and ISP2. Only the distance=1 route is used while it is active; add check-gateway=ping to both routes if you want the ether2 route to take over when the gateway stops answering on ether1.

.


19- Print/Find WAN ip (if you have multiple wan IP assigned on same wan interface) [10th Jan, 2015]

# Log every enabled ip address configured on the WAN interface
/ip address
:foreach i in=[find interface=ether1] do={
    :local ip [get $i address]
    :local status [get $i disabled]
    :if ($status = false) do={
        :log error "ip address $ip"
    }
}

Note: Change the WAN (ether1) interface if required.


20- Print/Find (pppoe dialer base) WAN IP address [10th Jan, 2015]

# The address on a pppoe client is stored as x.x.x.x/32, so cut everything from the "/" onward
:local id [/ip address find where interface=pppoe-out1];
:if ([:len $id] = 0) do={ :error "pppoe-out1 has no address (dialer not connected?)"; }
:local wanip [/ip address get [:pick $id 0] address];
:set wanip [:pick $wanip 0 [:find $wanip "/"]];
#whatever you want to do with said IP goes here
:log warning "Your PPPoE base WAN IP address is $wanip"


21- Script to disconnect all Hotspot Active Users


# Script to Disconnect all Active users in HOTSPOT

# Syed Jahanzaib / aacable@hotamil.com / https://aacable.wordpress.com

:foreach i in=[/ip hotspot active find] do={
    # $i is the internal entry id, so read the user name before the entry is removed
    :local uname [/ip hotspot active get $i user];
    /ip hotspot active remove $i;
    :log warning "zaib / Hotspot Scripts executed and following user has been kicked >>>   $uname"
}


HTH,
SYED JAHANZAIB

August 9, 2011

August 8, 2011

Linux Transparent Squid Proxy Server Guide

Filed under: Linux Related — Syed Jahanzaib / Pinochio~:) @ 6:31 AM


How To Install Squid in Ubuntu Linux

As http://whatis.techtarget.com/definition/squid-proxy-server.html defines, Squid is a Unix-based proxy server that caches Internet content closer to a requestor than its original point of origin. Squid supports caching of many different kinds of Web objects, including those accessed through HTTP and FTP. Caching frequently requested Web pages, media files and other content accelerates response time and reduces bandwidth congestion.

Squid works by tracking object use over the network. Squid will initially act as an intermediary, simply passing the client’s request on to the server and saving a copy of the requested object. If the same client or multiple clients request the same object before it expires from Squid’s cache, Squid can then immediately serve it, accelerating the download and saving bandwidth.

Internet Service Providers (ISPs) have used Squid proxy servers since the early 1990’s to provide faster download speeds and reduce latency, especially for delivering rich media and streaming video. Website operators frequently will put a Squid proxy server as a content accelerator, caching frequently viewed content and easing loads on Web servers. Content delivery networks and media companies employ Squid proxy servers and deploy them throughout their networks to improve the experience of viewers requesting programming, particularly for load balancing and handling traffic spikes for popular content.
Here I will discuss how to set it up on the popular Linux flavour "Ubuntu".

After installing Ubuntu, configure the network interface cards. You need at least 2 LAN cards: one for the local LAN, the second for the internet connection, e.g. DSL.

After configuring networking, make sure you are able to browse the internet. After that, install and configure Squid.

On Ubuntu Desktop or Fedora the default login is the GUI; open a terminal and become root (or prefix the commands below with sudo).

a) Then install SQUID service by issuing following command:

apt-get install squid squid-common 

b) Now configure it using default squid configuration file.

gedit /etc/squid/squid.conf

If you have CLI access, then use nano e.g:

nano /etc/squid/squid.conf

o change squid port from http_port 3128 to http_port 8080

o find the http_access section, uncomment the following 2 lines and add your own networks (for example 192.168.0.0/24). Keep the allow line above the final http_access deny all, since squid stops at the first matching http_access rule, and list only your own LAN, otherwise anyone who can reach port 8080 can browse through your proxy:

acl our_networks src 192.168.0.0/24
http_access allow our_networks

o change hostname in the visible_hostname section after:

#Default: # is none , just add:
visible_hostname proxy.aacable.com

Now save the file, exit, and restart squid to apply the changes we made to the squid configuration:

service squid restart

Now in the client browser, set the proxy address to the SQUID LAN ip and port 8080, and test the browsing. If you don't want to manually set the proxy at the client end, set up squid in transparent mode.

Configure Squid as Transparent Proxy (Squid version >= 2.6)

Edit the Squid configuration file
gedit /etc/squid/squid.conf

o change from: http_port 8080 to,
http_port 8080 transparent

(On Squid 3.1 and later the keyword is intercept, i.e. http_port 8080 intercept; transparent is the 2.6/3.0 spelling.)

Save & Exit, and restart the squid proxy server by

service squid restart
OR
squid -k reconfigure


Iptables configuration

Next, add the following rule to forward all http requests (coming to port 80) from the LAN to the Squid port 8080:

iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j DNAT --to 192.168.0.1:8080
# alternative with the same effect when Squid runs on this box (REDIRECT uses the incoming interface's own address):
#iptables -t nat -A PREROUTING -i eth0 -p tcp --dport 80 -j REDIRECT --to-port 8080

Where 192.168.0.1 is the ip of the Proxy LAN interface, eth0 is LAN, and eth1 is WAN. Match on the LAN interface only (-i eth0); the same rule on eth1 would push inbound port-80 connections arriving from the internet into Squid. Only port 80 is intercepted, HTTPS (443) is not touched.

* Save the new iptables so they survive a reboot:
iptables-save > /etc/iptables.rules

iptables-save on its own only prints the running rules; write them to a file and restore them at boot (e.g. with the iptables-persistent package).

OR use the following

https://aacable.wordpress.com/2011/06/01/linux-simple-internet-sharing-script/

++++++++++++++++++++++++++++++++++++

Also, the following is a great guide which will help you in installing the SQUID proxy server in transparent mode.

http://www.cyberciti.biz/tips/linux-setup-transparent-proxy-squid-howto.html

August 4, 2011

Howto exempt rate limit for FTP Server Behind MT DMZ in placement of Dynamic Queues !

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 6:31 AM

Consider the following scenario !

As you can see, FTP servers are placed behind the Mikrotik DMZ. When a user connects via the pppoe server, a dynamic queue is created for that user according to his package, let's say 512k. The problem is that this restriction also applies to the local FTP server placed behind the Mikrotik DMZ, and we don't want to limit speed for local FTP.

The solution I found was to make mangle rules that mark packets TO/FROM the FTP server, and add a Queue tree at my desired speed, or at line speed, for those marks.

This works for me. JUST MAKE SURE YOUR FTP SERVERS HAVE THE MIKROTIK IP AS THEIR DEFAULT GATEWAY 🙂 This is important so that the FTP server sees the client's original ip rather than just the mikrotik ip.


Scenario # 1 – Limit FTP queue to 3mb per user

We have FTP servers hosted in the DMZ (on a separate port) with ip addresses in the 10.0.0.x range. So we will simply create an address list and add the ftp servers' ip addresses to it. Using an address list has the added advantage that you can add or remove ips directly in the list, so you won't have to touch the rules again; plus you can use a script to dynamically add and remove server ips, with a timeout as well.


/ip firewall address-list
add address=10.0.0.10 list=FTP_SERVER
add address=10.0.0.11 list=FTP_SERVER

# Marking packets going to FTP Servers
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK CONN GOING TO FTP SERVER " dst-address-list=FTP_SERVER new-connection-mark=ftp_conn passthrough=yes
add action=mark-packet chain=prerouting comment="MARK PKTS GOING TO FTP SERVER " connection-mark=ftp_conn new-packet-mark=ftp_pkts passthrough=yes

# Creating PCQ base Queue - per user limit (pcq-rate is in bits per second, so 31M here means 31 Mbit/s per user; adjust it to the ceiling you actually want)
/queue type
add kind=pcq name=ftp-download-3MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-3MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64

#- Make sure you move this simple queue to the TOP, above the dynamic pppoe queues, or else it will not work
/queue simple
add comment="Allow 3 MB FTP Download per user by zaib" name="ftp 1g" packet-marks=ftp_pkts queue=ftp-upload-3MB/ftp-download-3MB target=""


Scenario #2:

172.16.0.0/16 are my pppoe client ip pool.
192.168.250.0/24
is FTP server pool. Behind Mikrotik DMZ.

On mikrotik, I created following rules and FTP servers exempted from dynamic queue rate limit and ftp data delivered at LAN speed , all works ok 🙂

[Mikrotik 5.x ROS Code]


/ip firewall mangle add chain=prerouting src-address=172.16.0.0/16 dst-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-up

/ip firewall mangle add chain=postrouting dst-address=172.16.0.0/16 src-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-down

/queue type add name=ftp-exempt kind=sfq
/queue tree add name=ftp-up parent=global-in packet-mark=ftp-up queue=ftp-exempt max-limit=100M
/queue tree add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M




ANOTHER EXAMPLE TO MARK TRAFFIC FROM SPECIFIC CLIENTS GOING TO X.X.X.X LOCATION.

for MIKROTIK 6.XX

Scenario:

We want to mark traffic from specific users, like expired users, going to the FTP Server, and limit their speed per ip.
IP POOL INFO:

pppoe-pool = 172.16.0.0/16

EXPIRED pool = 192.168.255.0/24
FTP Server = 10.0.0.100

First mark the traffic in the mangle section. SOURCE should be the EXPIRED USERS' IP SUBNET, and DESTINATION should be the FTP SERVER IP. A plain mark-packet on src/dst would only catch the client-to-server direction and the download queue would never see a packet, so mark the connection first and then mark packets by connection mark, which catches both directions (same approach as scenario 1).


/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK CONN of EXPIRED USERS TO FTP SERVER" dst-address=10.0.0.100 new-connection-mark=expired_ftp_conn passthrough=yes src-address=192.168.255.0/24
add action=mark-packet chain=prerouting comment="MARK PKTS (both directions) of EXPIRED USERS <-> FTP SERVER" connection-mark=expired_ftp_conn new-packet-mark=expired_users_ftp_access passthrough=no

# Now add queue in TYPE for per user implementation, 32kb per ip

/queue type
add kind=pcq name=ftp-download-32k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-32k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
# Finally add SIMPLE queue that will limit 32k per ip (only expired pool)

/queue simple
add comment="FTP for EXPIRED USERS / 32kb PER USER " name="ftp queue 32k for expired users  pool" packet-marks=expired_users_ftp_access queue=ftp-upload-32k/ftp-download-32k target=""


Another Example to mark traffic going to FTP Server using MANGLE ,and restrict per user bandwidth using PCQ [updated 26-JAN-2016]

FTP SERVER IP = 10.0.1.5 AND 10.0.1.6

The following code marks traffic coming from 10.0.1.5 and 10.0.1.6 (the download direction) and, in the queue section, uses PCQ to restrict each user to 4mb. It also creates a separate queue for ICMP packets.


/ip firewall mangle

# MARK ICMP PACKETS

add action=mark-connection chain=prerouting new-connection-mark=icmp-con protocol=icmp

add action=mark-packet chain=prerouting connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no protocol=icmp

# ACCEPT SERVER TRAFFIC SO IT IS NOT PROCESSED BY PCC (ALLOWED_SERVERS is the address list used by the PCC script; a rule without action accepts, which stops further mangle processing for those packets)

add chain=prerouting comment="accept server4 n radius from being processed by PCC / zaib" dst-address-list=ALLOWED_SERVERS

# MARK TRAFFIC COMING FROM THE FTP SERVERS 10.0.1.5 AND 10.0.1.6 (download direction, which is what the queues below limit)

add action=mark-packet chain=prerouting comment="MARK TRAFFIC COMING FROM FTP SERVER _ 1.6" new-packet-mark=ftp_1.6 passthrough=no src-address=10.0.1.6

add action=mark-packet chain=prerouting comment="MARK TRAFFIC COMING FROM FTP SERVER _ 1.5" new-packet-mark=ftp_1.5 passthrough=no src-address=10.0.1.5

# CREATE PCQ BASE QUEUE / PER USER (pcq-rate is in bits per second: 40M = 40 Mbit/s per user)

/queue type

add kind=pcq name=ftp-download-4MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

add kind=pcq name=ftp-upload-4MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

# CREATE QUEUE TO GIVE HIGH PRIORITY TO ICMP AND FTP

/queue simple

#ICMP

add max-limit=128k/128k name=ICMP_Hi_Priority packet-marks=icmp-pkt target=""

#FTP

add name=FTP_10.0.1.6_DOWN_LIMIT packet-marks=ftp_1.6 queue=ftp-upload-4MB/ftp-download-4MB target=""

add name=FTP_10.0.1.5_DOWN_LIMIT packet-marks=ftp_1.5 queue=ftp-upload-4MB/ftp-download-4MB target=""


Regards
Syed Jahanzaib
