Syed Jahanzaib Personal Blog to Share Knowledge !

December 31, 2013

2013 in review

Filed under: General IT Related — Syed Jahanzaib / Pinochio~:) @ 11:51 AM

The WordPress.com stats helper monkeys prepared a 2013 annual report for this blog.

Here’s an excerpt:

The Louvre Museum has 8.5 million visitors per year. This blog was viewed about 990,000 times in 2013. If it were an exhibit at the Louvre Museum, it would take about 43 days for that many people to see it.


December 30, 2013

DMASOFTLAB Radius Manager: Table ‘radius.rm_wlan’ doesn’t exist

Filed under: Radius Manager — Tags: , — Syed Jahanzaib / Pinochio~:) @ 9:20 AM


Short reference:

While opening the Users section in Radius Manager I received the error "Table 'radius.rm_wlan' doesn't exist", as shown in the image below.

rm_wlan error

This is how I fixed it.

On your RM box, create a file to hold the table definition:

touch rm_wlan.sql
nano rm_wlan.sql

and paste the following text:

--
-- Table structure for table `rm_wlan`
--

DROP TABLE IF EXISTS `rm_wlan`;
CREATE TABLE `rm_wlan` (
`maccpe` varchar(17) default NULL,
`signal` smallint(6) default NULL,
`ccq` smallint(6) default NULL,
`snr` smallint(6) default NULL,
`apip` varchar(15) default NULL,
`timestamp` timestamp NOT NULL default CURRENT_TIMESTAMP on update CURRENT_TIMESTAMP,
KEY `maccpe` (`maccpe`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Dumping data for table `rm_wlan`
--

Save and exit.

Now import the table into the MySQL database 'radius':

mysql -h localhost -u root -p radius < rm_wlan.sql

Let -p prompt for the password rather than writing it on the command line (-pYOURPASS): a password typed there ends up in the shell history and is visible to every user in the process list while mysql runs.

FYI,

The table definition above was extracted from the Radius Manager installation archive, for example:
/radiusmanager-4.x.x/sql/radius.sql

Any other missing table can be extracted from that file in the same way. Copy only the DROP/CREATE block of the table you need: every table in the dump is preceded by DROP TABLE IF EXISTS, so importing the whole file would drop and recreate tables that already exist and lose their data.
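To pull only the tables that are actually missing out of the installer's dump, here is an added Python example; it is not part of Radius Manager or of this post. It assumes a mysqldump-style file like the one above, where each table is preceded by a DROP TABLE IF EXISTS line, and a list of the live tables taken from the output of SHOW TABLES. The dump text and the table list embedded in it are constructed for the example, and the second table in the dump is made up.

```python
import re

# Constructed sample of a mysqldump-style file (same layout as the
# rm_wlan block in the post); rm_example is made up for the example.
SAMPLE_DUMP = """--
-- Table structure for table `rm_wlan`
--

DROP TABLE IF EXISTS `rm_wlan`;
CREATE TABLE `rm_wlan` (
  `maccpe` varchar(17) default NULL,
  `signal` smallint(6) default NULL,
  `apip` varchar(15) default NULL,
  KEY `maccpe` (`maccpe`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;

--
-- Table structure for table `rm_example`
--

DROP TABLE IF EXISTS `rm_example`;
CREATE TABLE `rm_example` (
  `id` int(11) NOT NULL auto_increment,
  PRIMARY KEY (`id`)
) ENGINE=InnoDB DEFAULT CHARSET=utf8;
"""

# Constructed output of `SHOW TABLES` on the live `radius` database.
LIVE_TABLES = ["rm_example", "rm_users"]


def dump_tables(dump_sql):
    """Names of every table the dump defines, in file order."""
    return re.findall(r"^CREATE TABLE `([^`]+)`", dump_sql, re.M)


def extract_table_ddl(dump_sql, table):
    """Return the DROP (if present) + CREATE statement for one table, or None.

    The CREATE statement is taken up to its first ';', which in a mysqldump
    file is the one that terminates the ENGINE=... clause.
    """
    t = re.escape(table)
    pattern = re.compile(
        r"(?:DROP TABLE IF EXISTS `%s`;\s*)?CREATE TABLE `%s` \([^;]*;" % (t, t),
        re.S,
    )
    m = pattern.search(dump_sql)
    return m.group(0) if m else None


def missing_tables(dump_sql, live_tables):
    """Tables the dump knows about that the live database does not have."""
    live = set(live_tables)
    return [name for name in dump_tables(dump_sql) if name not in live]


def ddl_for_missing(dump_sql, live_tables):
    """Concatenated DDL for only the missing tables. Safe to pipe into
    `mysql -u root -p radius`, because nothing that already exists is dropped."""
    blocks = [extract_table_ddl(dump_sql, name)
              for name in missing_tables(dump_sql, live_tables)]
    return "\n\n".join(blocks) + ("\n" if blocks else "")


if __name__ == "__main__":
    print(ddl_for_missing(SAMPLE_DUMP, LIVE_TABLES))
```

Redirect the output of ddl_for_missing() into a file and import it with the mysql command above; only the DROP/CREATE pairs for tables absent from SHOW TABLES are emitted.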

Regards,
Syed Jahanzaib

December 23, 2013

Mikrotik TIME base Rules

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 3:17 PM



TIME is a small but helpful feature of MikroTik. If you want a rule to apply only during specific hours, the time matcher does that quickly.

Recently a few users asked about it, so I am writing it up.


TIME based filter rule

As an example, to BLOCK all access for an IP from 1:00 PM till 3:00 PM, create a firewall rule that drops traffic from that IP address and set the required hours in the Time section, something like below . . .

Change the IP / time as per your requirement.

CLI code:

/ip firewall filter
# INPUT CHAIN: traffic aimed at the router itself
add action=drop chain=input comment="Block access for user ZAIB from 1pm till 3pm" disabled=no src-address=172.16.0.10 time=\
13h-14h59m59s,sun,mon,tue,wed,thu,fri,sat
# FORWARD CHAIN: traffic passing through the router
add action=drop chain=forward comment="Block access for user ZAIB from 1pm till 3pm" disabled=no src-address=172.16.0.10 time=\
13h-14h59m59s,sun,mon,tue,wed,thu,fri,sat

The end of the range is inclusive, so a block that should finish at 3:00 PM ends at 14h59m59s; 15h59m59s would keep the user blocked until 4:00 PM.

TIME based QUEUE

Give users a 1 Mbps link by day, from 12:00 PM till 12:00 AM, and 2 Mbps at night, from 12:00 AM till 12:00 PM the next day.
Example:

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="2Mb from 12:00am till 12:00pm - NIGHT Package" direction=both disabled=no \
interface=all limit-at=0/0 max-limit=2M/2M name="2Mb from 12:00am till 12:00pm - NIGHT Package" packet-marks="" parent=none priority=8 \
queue=default-small/default-small target-addresses=172.16.0.0/24 time=0s-11h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="1Mb from 12:00pm till 12:00am - DAY Package" direction=both disabled=no \
interface=all limit-at=0/0 max-limit=1M/1M name="1Mb from 12:00pm till 12:00am - DAY Package" packet-marks="" parent=none priority=8 queue=\
default-small/default-small target-addresses=172.16.0.0/24 time=12h-23h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

Another example:

Single user 192.168.1.10
Timings:
6:00 AM to 6:00 PM: 512 kbps
6:00 PM to 6:00 AM: 1 Mbps

/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=512k/512k name="512kb from 06:00 till 18:00 / Zaib" packet-marks="" parent=none \
priority=8 queue=default-small/default-small target-addresses=192.168.1.10/32 time=6h-17h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small

add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s direction=both disabled=no interface=all limit-at=0/0 max-limit=1M/1M name="1mb from 18:00 till 06:00 / Zaib" packet-marks="" parent=none priority=\
8 queue=default-small/default-small target-addresses=192.168.1.10/32 time=18h-5h59m59s,sun,mon,tue,wed,thu,fri,sat total-queue=default-small
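Every time= value above follows the same pattern: start at the hour, end one second before the next boundary, then the day list. Here is an added Python helper (my own, not from the post or from RouterOS) that produces those strings from plain clock times and emits the drop rules for both chains. For a span that crosses midnight, such as 18:00 to 06:00, it returns two same-day ranges instead of one wrap-around value; that split is a conservative choice of mine, not something the post establishes is required. The addresses and rule comments are examples.

```python
DAYS_ALL = "sun,mon,tue,wed,thu,fri,sat"
SECONDS_PER_DAY = 24 * 3600


def _secs(clock):
    """'13:00', '9:30' or '23:59:59' -> seconds since midnight."""
    parts = [int(p) for p in clock.split(":")]
    parts += [0] * (3 - len(parts))
    h, m, s = parts
    if not (0 <= h < 24 and 0 <= m < 60 and 0 <= s < 60):
        raise ValueError(f"bad clock time {clock!r}; use 00:00 for midnight")
    return h * 3600 + m * 60 + s


def _literal(seconds):
    """RouterOS time literal: 13h, 9h30m, 14h59m59s; zero is written 0s."""
    h, rem = divmod(seconds, 3600)
    m, s = divmod(rem, 60)
    text = "".join(f"{v}{u}" for v, u in ((h, "h"), (m, "m"), (s, "s")) if v)
    return text or "0s"


def routeros_time(start, end, days=DAYS_ALL):
    """time= values covering start <= t < end on the given days.

    The end is exclusive, so 13:00-15:00 becomes 13h-14h59m59s, and an end
    of 00:00 means midnight. A span that crosses midnight (18:00-06:00) is
    returned as two values, evening and morning, each within one day.
    """
    s, e = _secs(start), _secs(end)
    if e == 0:
        e = SECONDS_PER_DAY
    if s == e:
        raise ValueError("start and end must differ")
    spans = [(s, e)] if s < e else [(s, SECONDS_PER_DAY), (0, e)]
    return [f"{_literal(a)}-{_literal(b - 1)},{days}" for a, b in spans]


def block_rules(src, start, end, comment, days=DAYS_ALL):
    """Drop rules for both chains, input (traffic to the router itself) and
    forward (traffic through it), one pair per time span."""
    rules = []
    for t in routeros_time(start, end, days):
        for chain in ("input", "forward"):
            rules.append(
                f'add action=drop chain={chain} src-address={src} '
                f'time={t} comment="{comment}"'
            )
    return rules


if __name__ == "__main__":
    print("/ip firewall filter")
    for line in block_rules("172.16.0.10", "13:00", "15:00", "Block user ZAIB 1pm-3pm"):
        print(line)
    # the night package from the second queue example, split at midnight
    print(routeros_time("18:00", "06:00"))
```

Feeding the night package from the second example (18:00 to 06:00) returns two values; put each on its own queue (or firewall rule) with the same limits.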

Regards,
Syed Jahanzaib

December 19, 2013

Howto clear Mikrotik Log/History

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 10:30 AM

Today I needed to clear the MikroTik LOG window and all the commands from the Terminal console history for security and privacy reasons. Since I couldn't find a simple command-based method to clear the LOG window, I used a workaround, and it worked like a charm.

CLEAR Mikrotik LOG WINDOW HISTORY [Jz]


/system logging action set memory memory-lines=1

Shrinking the memory buffer to one line discards every entry it held. Only the memory action is affected: entries already written to disk or shipped to a remote syslog server stay where they are (which is also why a remote syslog target is the right place for logs that must survive a wipe of the router).

/system logging action set memory memory-lines=100

This sets the buffer back to 100 lines (check the value your router had with /system logging action print before you change it). Leaving it at 1 keeps almost nothing, which is not recommended in any case 🙂

CLEAR Mikrotik TERMINAL CONSOLE HISTORY [Jz]

In newer RouterOS 6.x versions, you can clear the console command history with

/console clear-history

Note: Staying on newer (but stable) firmware is always a good idea, so that you stay safe and secure and get the new features 🙂

However I really wish that Mikrotik can add an “CLEAR ALL LOGS” button in the future 😉


Regards,
Syed Jahanzaib

December 9, 2013

Possible Workaround for Blocking SKYPE with Mikrotik

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:38 PM


SKYPE uses whole blocks of IP addresses from various ranges. Using Wireshark and some digging I found the following pools, which Skype uses for its various functions. BUT remember that with new updates/versions more hosts can be added; for this purpose you can use the Catch Skype script on MikroTik (further down) to detect new addresses and add them to the list.

Also, some valid/legitimate sites may get blocked with this approach; just find the IP address of the affected site and allow it in a rule placed before the deny rule.

Use the following code, then try to connect to SKYPE and watch the results. This is purely a hit-and-trial method; try it and post your comments, or if you have a better way to block SKYPE do let me know. SKYPE has different servers for different regions, so these destinations may not work for you, but at least they are working in Pakistan.

Regards,
Syed Jahanzaib

/ip firewall address-list

add address=111.221.74.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=no list=skype_servers_z

/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=skype_servers_z

After blocking, the result is as shown in the image below . . .

skype cannot connect

Also read the following ...

Script to catch every name in the DNS cache that contains "skype" and add its address to an ADDRESS LIST

Today a good friend (VirtualIT Support) forwarded me a script which catches every entry in the DNS cache whose name contains 'Skype' and adds its IP address to an address list.

Schedule this script to run every 10-15 minutes; it checks every DNS cache entry and adds the address of any name that contains "skype" to the address list. Then, using a firewall FILTER rule in the FORWARD chain, you can block this list.

Just copy and paste the following code into the terminal, then add a schedule for it or run it manually. Try to log in to Skype a few times and run the script; every time it will add a few IP addresses to the list :) The script needs only the read and write policies, so do not grant it more (a scheduler entry that runs it must carry the same policies).


/system script

add name=skype_script policy=read,write source=":foreach i in=[/ip dns cache find] do={\r\
\n    :local cacheName [/ip dns cache get \$i name];\r\
\n#    :put \$cacheName;\r\
\n\r\
\n# :find returns nil when \"skype\" does not occur in the name at all, so test\r\
\n# for nil; comparing the position against 0 would skip names that START with skype\r\
\n    :if ([:typeof [:find \$cacheName \"skype\"]] != \"nil\") do={\r\
\n\r\
\n        :local tmpAddress [/ip dns cache get \$i address];\r\
\n#        :put \$tmpAddress;\r\
\n\r\
\n# add the address only if the skype_dns_ips list does not already contain it\r\
\n        :if ([:len [/ip firewall address-list find list=skype_dns_ips address=\$tmpAddress]] = 0) do={\r\
\n            :log info (\"added entry: \$cacheName IP \$tmpAddress\");\r\
\n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n        }\r\
\n    }\r\
\n}"

December 6, 2013

Mikrotik Dual WAN [pppoe-client] PCC with PPPoE Server

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:58 PM

I was stuck on a case (K.S.A Tabook) regarding configuration of dual-WAN PCC using PPPoE clients as the WAN links and a PPPoE server for the user end, all in one RB. I had made this configuration last year but was unable to repeat it when it was needed a few days back.

I have a very short memory, something like 16 KB only 🙂, so I am posting the export as a reference.

Following is a short reference guide for MikroTik-based dual-WAN PCC (using PPPoE clients) with a PPPoE server as the authentication server for local users, in one box. You can add as many WAN links (PPPoE clients) as you like.

Make sure you change the interface names accordingly. In this example I have 3 interfaces:
ether0 (named Local) is connected to the local LAN users.
ether1 and ether2 (named WAN1 and WAN2) are connected to the ISP WAN switch.

Also change the user names and passwords in the pppoe-client section, or create the clients manually via PPP / Interfaces.

The PPPoE users' IP pool is 172.16.0.0/16, and internet is allowed for this range only, meaning a user gets internet once connected through the PPPoE dialer.

 


# Setting up INTERFACES names for our comfort (Zaib)

/interface ethernet
set 0 name=Local
set 1 name=WAN1
set 2 name=WAN2

### Add a PPPoE client for each WAN interface. The user names and passwords below are placeholders: set your ISP credentials (or add the clients via the GUI) and then set disabled=no

/interface pppoe-client

add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=yes interface=WAN1 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=hahaha \
profile=default service-name="" use-peer-dns=no user=user-1
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=yes interface=WAN2 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 password=hahaha \
profile=default service-name="" use-peer-dns=no user=user-2

### MANGLE MAGIC : ) PCC rules start here (Zaib). both-addresses-and-ports spreads even one client's connections over both WANs; if a site ties a login session to one source IP, use both-addresses instead so a client's connections to that site always leave by the same WAN
/ip firewall mangle

add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address=172.16.0.0/16

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=172.16.0.0/16

### NATTING both WAN connection for PPPoE IP Pool users only

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address=172.16.0.0/16

### Setting Default Routes for MARKED packets for both WAN and for local router use. (zaib)

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10
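What the two mark-connection rules do is easier to see with a small model. The following is an added Python sketch of per-connection-classifier (my own illustration, not RouterOS code): the selected fields of a new connection are hashed, the hash is reduced modulo the denominator (2 above), and each rule claims one remainder (2/0 for wan1_conn, 2/1 for wan2_conn). RouterOS does not publish its hash function, so SHA-1 stands in for it here; the client and server addresses are constructed.

```python
import hashlib

# Which connection fields each classifier feeds into the hash.
FIELDS = {
    "src-address": ("src",),
    "dst-address": ("dst",),
    "both-addresses": ("src", "dst"),
    "src-address-and-port": ("src", "sport"),
    "dst-address-and-port": ("dst", "dport"),
    "both-addresses-and-ports": ("src", "sport", "dst", "dport"),
}


def pcc_remainder(conn, classifier, denominator):
    """Stand-in for RouterOS's classifier: hash the selected fields and
    reduce modulo the denominator. Same fields in -> same remainder out,
    which is what keeps one connection on one WAN."""
    keys = FIELDS[classifier]
    material = "|".join(str(conn[k]) for k in keys).encode()
    digest = hashlib.sha1(material).digest()  # not RouterOS's real hash
    return int.from_bytes(digest[:4], "big") % denominator


def mark_connection(conn, classifier="both-addresses-and-ports"):
    """Emulates the two mangle rules above: remainder 0 -> wan1_conn,
    remainder 1 -> wan2_conn. Exactly one of the two rules matches."""
    return {0: "wan1_conn", 1: "wan2_conn"}[pcc_remainder(conn, classifier, 2)]


def distribution(conns, classifier):
    """How many connections land on each WAN for a given classifier."""
    counts = {"wan1_conn": 0, "wan2_conn": 0}
    for c in conns:
        counts[mark_connection(c, classifier)] += 1
    return counts


# Constructed sample: one PPPoE user (172.16.0.10) opening ten connections
# to the same web server, then twenty connections to different servers.
SAME_SERVER = [
    {"src": "172.16.0.10", "sport": p, "dst": "203.0.113.5", "dport": 443}
    for p in range(40000, 40010)
]
MANY_SERVERS = [
    {"src": "172.16.0.10", "sport": 40000 + i, "dst": f"203.0.113.{i}", "dport": 80}
    for i in range(1, 21)
]

if __name__ == "__main__":
    for cls in ("both-addresses", "both-addresses-and-ports"):
        print(cls,
              "same server:", distribution(SAME_SERVER, cls),
              "many servers:", distribution(MANY_SERVERS, cls))
```

The both-addresses run shows every connection from the client to one server landing on the same WAN, which is the property a site that checks the source IP of a session depends on; both-addresses-and-ports gives up that property in exchange for spreading a single client's connections across both links.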

Screenshot of the result: PCC with PPPoE server and PPPoE clients

Side note:
If you have trouble opening the DSL modem's web page, try the following.

/ip firewall address-list
add list=exempt-from-pcc address=192.168.1.1/32
add list=exempt-from-pcc address=192.168.2.1/32
# (change the IPs to your ADSL modems' IPs)

/ip firewall mangle
add chain=prerouting dst-address-list=exempt-from-pcc action=accept

Move this mangle rule to the top, above all other mangle rules, so traffic to the modems is accepted before it is marked. Try it and let me know.

Regards,
Syed Jahanzaib

ESXI 5.5 static mac address “conflicts with VMware reserved MACs”

Filed under: VMware Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 11:36 AM

esxi-error-5-mc-chang

 

You may see the above error in ESXi 5.5 after changing a dynamically generated MAC address to a static one, typically because an application is bound to the MAC address.

ESXi 5.5 added a check on statically assigned MAC addresses: VMware expects them in its static range 00:50:56:00:00:00 to 00:50:56:3F:FF:FF. If you set a static MAC inside one of VMware's own generated ranges, such as 00:0C:29:xx:xx:xx, and power on the guest, you get the error above.

A few days ago a friend of mine upgraded his ESXi from 5.0 to 5.5. One of his guest applications was bound to the MAC address, and the new ESXi 5.5 would not accept that address as a static one. So I googled and found the following solution, which worked (at least for me 😉).

To RESOLVE this issue, follow these steps.

1- Enable SSH on the ESXi server (Configuration tab).

2- Power off the target guest machine and set the MAC address you need on the required interface.

3- Close the vSphere client.

4- Log in to the ESXi server via SSH using any SSH client, such as PuTTY.

5- Go to your datastore / guest machine folder and open the VMX file.


For example, I have a guest machine named '123', so I used the following:

~ # cd /vmfs/volumes/
/vmfs/volumes # ls

52a18cdd-49376389-86aa-000c29d1de32  61031d71-0233e8da-be74-f942274c16c3
52a18ce5-9d0863e6-e50b-000c29d1de32  8901537a-ad66db83-fd1f-38ac926cce01
52a18ce7-bd9d6e2a-dacf-000c29d1de32  datastore1
/vmfs/volumes #

/vmfs/volumes # cd datastore1/
/vmfs/volumes/52a18ce5-9d0863e6-e50b-000c29d1de32 # ls
123

/vmfs/volumes/52a18ce5-9d0863e6-e50b-000c29d1de32 # cd 123
/vmfs/volumes/52a18ce5-9d0863e6-e50b-000c29d1de32/123 # ls

123-flat.vmdk               vmware-14.log
123.nvram                     123.vmxf                      vmware-15.log
123.vmdk                      vmware-11.log                 vmware-16.log
123.vmsd                      vmware-12.log                 vmware.log
123.vmx                       vmware-13.log

As shown in the image below . . .

3-putty-ssh

Now open the VMX file of the guest machine, for example:

vi 123.vmx

Press i to enter insert mode and add this line anywhere:

ethernet0.checkMACAddress = "false"

(Change ethernet0 to match the NIC number of the interface you changed.)

Save and exit by pressing Esc and then typing :wq

This setting turns off the host's check of the address against VMware's reserved ranges, so make sure no other VM on your network uses the same MAC before you power on.

Now start the vSphere client and start the machine as you normally do 🙂

Congrats, you are UP with the new MAC address activated 😀

SAMPLE .VMX FILE FOR STATIC MAC ADDRESS

Following is a sample of the relevant lines of a working .vmx file for a static MAC address (the address below is a placeholder; put your real MAC there):

ethernet0.networkName = "LAN"
ethernet0.addressType = "static"
ethernet0.present = "TRUE"
ethernet0.checkMACAddress = "false"
ethernet0.address = "00:0C:29:Ha:Ha:Ho"
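Before editing the .vmx it is worth checking which range a MAC falls in. This added Python helper (mine, not VMware's) classifies a MAC against the ranges VMware documents for its OUIs: 00:0C:29:xx:xx:xx for host-generated addresses, 00:50:56:80:00:00 to 00:50:56:BF:FF:FF for vCenter-generated ones, and 00:50:56:00:00:00 to 00:50:56:3F:FF:FF for manually assigned static addresses. It then emits the ethernet lines for the .vmx, adding checkMACAddress only when the address is outside the static range. The sample MACs are constructed.

```python
import re

# Ranges VMware documents for its 00:0C:29 / 00:50:56 OUIs (inclusive).
VMWARE_RANGES = {
    "static (allowed for manual assignment)": (0x005056000000, 0x0050563FFFFF),
    "vCenter-generated":                      (0x005056800000, 0x005056BFFFFF),
    "ESXi host-generated":                    (0x000C29000000, 0x000C29FFFFFF),
}

MAC_RE = re.compile(r"^([0-9a-f]{2})(?:[:-]([0-9a-f]{2})){5}$", re.I)


def normalize_mac(mac):
    """Accepts aa:bb:cc:dd:ee:ff or aa-bb-cc-dd-ee-ff; returns lower-case colon form."""
    if not MAC_RE.match(mac.strip()):
        raise ValueError(f"not a MAC address: {mac!r}")
    return mac.strip().lower().replace("-", ":")


def mac_to_int(mac):
    return int(normalize_mac(mac).replace(":", ""), 16)


def classify_mac(mac):
    """Which VMware range the address is in, or 'outside VMware OUIs'."""
    value = mac_to_int(mac)
    for label, (lo, hi) in VMWARE_RANGES.items():
        if lo <= value <= hi:
            return label
    if (value >> 24) in (0x005056, 0x000C29):
        return "VMware OUI, reserved/unassigned sub-range"
    return "outside VMware OUIs"


def vmx_static_mac_lines(mac, nic=0, network="LAN"):
    """Lines for a static MAC on ethernet<nic>. checkMACAddress=false is
    added only when the address is not in VMware's static range, i.e. when
    the host would otherwise refuse it as a reserved address."""
    mac = normalize_mac(mac)
    lines = [
        f'ethernet{nic}.present = "TRUE"',
        f'ethernet{nic}.networkName = "{network}"',
        f'ethernet{nic}.addressType = "static"',
        f'ethernet{nic}.address = "{mac}"',
    ]
    if classify_mac(mac) != "static (allowed for manual assignment)":
        lines.append(f'ethernet{nic}.checkMACAddress = "false"')
    return lines


if __name__ == "__main__":
    for sample in ("00:0C:29:12:34:56", "00:50:56:00:00:01",
                   "00-50-56-90-AB-CD", "02:11:22:33:44:55"):
        print(sample, "->", classify_mac(sample))
    print("\n".join(vmx_static_mac_lines("00:0C:29:12:34:56")))
```

Run as-is it prints the classification of the four sample addresses and the lines for the 00:0C:29 case. The override is added for anything outside the static range, which is the conservative reading of the error message; whether ESXi 5.5 accepts a static address from a non-VMware OUI without it is not something this post establishes.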

Regards,
Syed Jahanzaib

December 3, 2013

Automating Non Payment Reminder for User Manager Expired Accounts

Filed under: Mikrotik Related — Tags: , — Syed Jahanzaib / Pinochio~:) @ 2:22 PM


A friend of mine asked how to display a non-payment reminder to users once their account has expired in USER MANAGER. By default, when an account expires the user gets a user ID/password error, or with a hotspot setup 'profile not found'. Rather than showing these unfriendly messages, we can display a meaningful page confirming to the user that the account is expired and must be paid for to continue with the service.

To achieve this we have to do the following.

1. In User Manager, create another profile named 'expired-users-profile' and give it either a limited uptime, such as 7 days or 1 month, or no limit; it depends on your policy. Also define an IP POOL named 'expired-users-pool'.

2. In MikroTik, first create an IP pool named 'expired-users-pool', then create a NAT rule that redirects port 80 requests to the local web proxy or to a Squid proxy server. If using Squid, you don't need to enable the MikroTik web proxy: simply redirect the expired pool to Squid, create an ACL for this range in Squid, deny it, and in deny_info redirect to a local web page, as I showed in the 'howto block ads in squid' article.

If you don't have Squid, you can enable the MikroTik web proxy and redirect requests to it. Then create another firewall rule that blocks all traffic from 'expired-users-pool' except port 80, or, in the default NAT (masquerade) rule, list only the valid range in src-address so that expired users get no internet.

3. In the web proxy, create a rule that denies all traffic coming from 'expired-users-pool' and, in Redirect To, point it at a web page showing your non-payment notice.

Ok here we go . . .

I assume you have a Mikrotik PPPoE server with User Manager already configured  and working.

Example:

LAN = 10.0.0.0/8
WAN = 192.168.1.0/24
PPPoE Pool = 172.16.0.1 – 172.16.0.255
PPPoE Expired Pool = 172.16.1.1-172.16.1.255
WEB Server = 101.11.11.240

USER MANAGER SECTION

Log in to User Manager,
go to Profiles / Limitations,
add a new Limitation and name it "expired-users-profile".
As shown in the image below . . .

1-add-expired-profile-in-userman

Now add a user and assign any profile, for example 512k, and save.
As shown in the image below . . .

2- add user and add single profile

Open that user's properties again, and in 'All profiles' select 'expired-users-profile', click the + sign to add it, and click SAVE.
As shown in the image below . . .

3-add-second profile

User Manager section done. Now moving to the MikroTik section.

MIKROTIK SECTION

Connect to MikroTik via Winbox,
go to IP / Pools and add a new pool named 'expired-users-pool' (the same name you defined in the User Manager expired profile).

As shown in the image below . . .

4-add-pool-in-mt

Now enable the web proxy (or redirect these requests to another proxy server such as Squid and block the expired-pool range there).
As shown in the image below . . .

5-webproxy-enable

Now click the ACCESS button and add a new rule (by clicking the + sign):

> In Src. Address, enter the IP range of the expired pool (the one you defined in MikroTik earlier), so that only requests from this range are denied.
> In Dst. Address, click the invert sign and enter your web server, so that requests going to the web server that hosts the non-payment reminder don't get blocked.
> In Action, select DENY.
> In Redirect To, enter the full path of the non-payment page on your web server. It can be a local IIS/Apache server or a remote one (for a remote Internet server, you have to allow its URLs in a rule before this deny rule).
As shown in the images below . . .

6-redirect

Now create a NAT rule that redirects port 80 requests to the local web proxy, which already has the rule denying all requests from the expired-users pool.

mt-redirect-nat-rule

OR the CLI version . . .

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect Expired Pool Users to local Web Proxy for redirecting them to Non Payment Page." disabled=no dst-port=80 protocol=tcp src-address=\
172.16.1.1-172.16.1.255 to-ports=8080

add action=masquerade chain=srcnat comment="Allow Internet (Masquerade rule for PPPoE Allowed series only)" disabled=no src-address=172.16.0.1-172.16.0.255

With the masquerade rule limited to the allowed PPPoE range, expired users have no NAT for anything except the redirected port 80 traffic, which is what we want.

All Done !

TESTING . . .

Once the main profile (for example 512k) expires after 30 days, the next profile (expired-users-profile) automatically becomes active, the user gets an IP from the EXPIRED pool, MikroTik redirects port 80 to the local web proxy, and the proxy denies the request and redirects it to your non-payment page.
As shown in the image below . . .

7- expired profile

and at the client you will see this:

8-user-seeing-non-payment-page.

When you want to activate this account again, simply open the user's properties, remove its profiles by pressing the minus sign on each profile, and add the 512k or required profile again.

Another guide for manual control ↓

https://aacable.wordpress.com/2012/11/14/non-payment-reminder-for-pppoe-clients-in-mikrotik/

Regards,
Syed Jahanzaib
