Syed Jahanzaib Personal Blog to Share Knowledge !

February 28, 2014

Radius Manager 4.1, Patch-5 Deployment [4.1.5]

Filed under: Radius Manager — Syed Jahanzaib / Pinochio~:) @ 11:11 AM

DMASOFTLAB released patch 5 for Radius Manager 4.1 version. [Release Date: 10 Feb, 2014]

FIXES, IMPROVEMENTS:

-default service (srvid 0) find users issue problem fixed
-verification code and mobile number fixed in ACP / edit user
-invalid menu.css reference removed (buyiasmain_tpl.htm, adminmainblank_tpl.htm)
-traffic summary per NAS issue fixed
-connection allowed bug fixed
-multiple email address problem fixed in edit and new user forms
-privileged sim-use edit problem fixed
-enhanced syslog alerts [Helped a lot in troubleshooting now]
-swapped SMS / email alerts fixed (ACP / edit user)
-self registration welcome SMS / email issue fixed
-upon user removal accounting details are also deleted from rm_radacct
-duplicate batch billing problem fixed
-auto renewal uses unit fields instead of initial fields
-expired online time yellow color problem fixed in ACP / List users view
-password recovery updates radcheck for regular users only
-hotspot MAC account password change problem fixed (UCP)
-corrected user name in password recovery email
-bulk SMS custom tag issue fixed
-convert card prefixes to lower case in radcheck
-self registration displays user name, password
-zero gigawords issue fixed with a non Mikrotik NAS
-search users leading and trailing space issue fixed
-SMS, email expiry alerts issue fixed
-grace period account disable bug fixed
-negative deposit addition problem fixed [Good news for Alex]
-IAS duplicate mobile number problem fixed
-card generator issue fixed (PIN length > 10)
-next service issue fixed **** This bug was quite annoying and wasted many hours in useless troubleshoot 😦 Jz
-properly logout grace period expired users
-rmauth IAS and card setup crash fixed
-increased CTS logging capacity (rmconntrack DELAY_KEY_WRITE option)

DEPLOYMENT:

Deployment is fairly simple.
First download radiusmanager-4.1-cumulative_patch.tgz.
Extract it into any temp folder:

mkdir /temp
cd /temp
wget http://wifismartzone.com/files/rm_related/radiusmanager-4.1-cumulative_patch.tgz
tar zxvf /temp/radiusmanager-4.1-cumulative_patch.tgz
cd radiusmanager-4.1-cumulative_patch/
ls

You should see the following contents:

root@rm:/temp/radiusmanager-4.1-cumulative_patch# ls
bin  raddb  readme.txt  www

Begin Deployment … Let’s Start

1. Copy the PHP files to the /var/www/html/radiusmanager (Fedora) or /var/www/radiusmanager [Debian, oh yeah, that’s my boy ;)] directory.

For Ubuntu
cp -vrf  www/radiusmanager/*  /var/www/radiusmanager

For Fedora
cp -vrf  www/radiusmanager/*  /var/www/html/radiusmanager

2. Chmod all binaries to 755:

chmod 755 bin/rm*

3. Stop rmpoller and copy the binaries to /usr/local/bin directory, overwriting the old versions.

service rmpoller stop
rm /usr/local/bin/rmconntrack # only required if cp fails with a 'Text file busy' error

cp bin/* /usr/local/bin

4. Copy acct_users to /usr/local/etc/raddb directory.

cp raddb/acct_users /usr/local/etc/raddb

5. Change permission of acct_users by chmod:

chmod 640 /usr/local/etc/raddb/acct_users
chown root.root /usr/local/etc/raddb/acct_users

6. Restart radiusd and rmpoller:

service radiusd restart
service rmpoller start

Now re-login to the ACP; hopefully you will see 4.1.5 😀
As shown in the image below …

Quick Copy Paste for Ubuntu [well tested with 12.4.x]

# SYED JAHANZAIB
# HTTPS://AACABLE.WORDPRESS.COM
# AACABLE@HOTMAIL.COM
mkdir /temp
cd /temp
wget http://wifismartzone.com/files/rm_related/radiusmanager-4.1-cumulative_patch.tgz
tar zxvf /temp/radiusmanager-4.1-cumulative_patch.tgz
cd /temp/radiusmanager-4.1-cumulative_patch/
cp -vrf  www/radiusmanager/*  /var/www/radiusmanager
chmod 755 bin/rm*
service rmpoller stop
cp bin/* /usr/local/bin
cp raddb/acct_users /usr/local/etc/raddb
chmod 640 /usr/local/etc/raddb/acct_users
chown root.root /usr/local/etc/raddb/acct_users
service radiusd restart
service rmpoller start

Regards
Syed Jahanzaib

February 25, 2014

Mikrotik Script to Export PPP users to USER MANAGER

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 10:46 AM

As requested, following is a quick and dirty way to export Mikrotik local PPP (PPPoE) users to USER MANAGER with the same profile assigned as in the local profile section. I used the word dirty because there is no officially supported method that does it with a single CLI command or one GUI window.

Consider the following scenario:

Mikrotik is configured as a PPPoE server, with two profiles named 512k and 1mb and 6 users in the PPP section …
As shown in the images below …

Our task is to migrate all local PPP users to USERMAN with minimal manual work.

First open User Manager and add the NAS, so that Mikrotik and User Manager can communicate with each other.

Now add the same profiles in User Manager as are present in the local Mikrotik PPP section.
[This can also be done via the CLI; an example is at the end.]
As shown in the image below …

Now, as far as my dumb mind goes, I couldn’t find a way to assign a profile to a user using the /tool user-manager menu, so to overcome this I first created two users with the same name as the profiles.

For example, if the profile name is 512k, create a user named "512k"; it will be used as a master copy for cloning 😀
As shown in the image below …

The User Manager section is done; moving to the Mikrotik section…

Go to System > Scripts, add a new script and use the following code…

# PPP Export to USERMAN SCRIPT START
:log error "Make sure you have User Manager configured properly and created the same profile names with the same user name (master users for cloning) in USERMAN / Jz"

# Loop over the ppp secret section to fetch all user details
# (full paths are used so the loop does not depend on the current menu context)
:foreach i in=[/ppp secret find] do={
    :local name [/ppp secret get $i name]
    :local pass [/ppp secret get $i password]
    :local profile [/ppp secret get $i profile]
    :local comment [/ppp secret get $i comment]

    # Print user name, profile and comment to the log for record purposes
    # (the password is deliberately left out of the log)
    :log warning "Fetching USER details from /ppp secret section , Found $name $profile $comment for EXPORT"

    # Create the user in User Manager with ID / password / comment, cloning the settings of the master user named after the profile
    /tool user-manager user add name=$name password=$pass customer=admin copy-from=$profile comment=$comment
}
:log error "DONE. Script END. Now logout from USERMAN and RE login and check users section"

# Script End.

The result would be something like the log shown in the image below …

Now log out from User Manager, log in again and check the USERS section 🙂
The result would be something like the image below …

This is just an example; you can do much more by adding various functions, variables or constraints to the script 🙂

Example of CLI-based profile addition:

/tool user-manager profile
 add name=512k name-for-users="512k Package" override-shared-users=off owner=admin \
 price=500 starts-at=logon validity=4w2d
 add name=1mb name-for-users=1mb override-shared-users=off owner=admin price=500 \
 starts-at=logon validity=4w2d

/tool user-manager profile limitation
 add address-list="" download-limit=0B group-name="" ip-pool="" name=512k \
 rate-limit-min-rx=524288B rate-limit-min-tx=524288B rate-limit-rx=524288B \
 rate-limit-tx=524288B transfer-limit=0B upload-limit=0B uptime-limit=0s
 add address-list="" download-limit=0B group-name="" ip-pool="" name=1mb \
 rate-limit-min-rx=1048576B rate-limit-min-tx=1048576B rate-limit-rx=1048576B \
 rate-limit-tx=1048576B transfer-limit=0B upload-limit=0B uptime-limit=0s
/tool user-manager profile profile-limitation
 add from-time=0s limitation=512k profile=512k till-time=23h59m59s weekdays=\
 sunday,monday,tuesday,wednesday,thursday,friday,saturday
 add from-time=0s limitation=1mb profile=1mb till-time=23h59m59s weekdays=\
 sunday,monday,tuesday,wednesday,thursday,friday,saturday

Remember ….

Sky is the only limit …

Regards
Syed Jahanzaib

February 13, 2014

Quick Note on Winbox Save Password Security Issue.

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:47 AM

I know it’s not recommended to save the password in Mikrotik WINBOX (as passwords are stored in clear-text form in winbox.cfg in the local PC user profile), but we HUMANS love being lazy or, with weak memory, sometimes prefer to save the password on the management PC, and sometimes this PC is also shared by other co-admins/colleagues due to lack of resources :p

In my opinion, it could be an annoying backdoor / password leak issue in WINBOX.

Mikrotik developers should really focus on this area and encrypt the password using a strong hash algorithm. I used it a few months back on a friend’s admin PC to fetch the ID and password with all details, as shown in the image. Just imagine what will happen if it falls into the wrong hands …

Reference: http://forum.mikrotik.com/viewtopic.php?f=2&t=81816

Regards
Syed Jahanzaib

February 11, 2014

Blocking Facebook/Youtube via automated address-list in Mikrotik

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 9:18 AM

Last Updated: 20-DEC-2016

Update: the YouTube script also ends up adding translate.google.com to the list. The workaround is either to edit the script, or to add an ACCEPT rule before the drop rule that accepts traffic going to the translate.google.com IP addresses.

Recently I was working at a remote network where we configured a hotspot for school students, and the management wanted to block access to Facebook, YouTube and adult web sites.

Blocking adult websites was easy by redirecting DNS requests to OpenDNS, but blocking Facebook was a bit tricky because some people from the management wanted it to stay open for specific users. I preferred to have an address list of the FB/YT servers’ IP addresses, built by an automated script; this way I have more control over these destinations for multiple purposes.

Create two scripts which pick Facebook/YouTube related DNS entries from the Mikrotik DNS cache and add them to the "facebook"/"youtube" address lists.

SCRIPT :

The script(s) below (which can be scheduled to run every 5 or X minutes) create an address list containing the Facebook/YouTube server IPs; a filter rule then drops requests going to these destinations (using the address list). For the address list to be populated, your users must be using your Mikrotik DNS as their primary DNS, or you need a dst-nat rule that forcibly redirects user DNS (UDP 53) requests to the local Mikrotik DNS.


FOR FACEBOOK ~

# Script to add target web sites' DNS IP addresses into an address list
# Tested with Mikrotik 6.3x
# Syed Jahanzaib / aacable@hotmail.com
# List name
:local LISTNAME "facebook"

# Web site names which will be added to the address list
:local TARGET1 "facebook.com"
:local TARGET2 "fbcd.net"

# 1st run: if the address list was not created previously, create it with the resolved addresses of the targets
# (an address-list entry cannot be added without an address, so the resolved IPs seed the list)
:if ( [:len [/ip firewall address-list find where list=$LISTNAME]] = 0 ) do={
    :log warning "No address list for $TARGET1 and $TARGET2 found ! creating and adding resolved entry for 1st time usage ... zaib"
    /ip firewall address-list add list=$LISTNAME address=[:resolve $TARGET1] comment=$TARGET1
    /ip firewall address-list add list=$LISTNAME address=[:resolve $TARGET2] comment=$TARGET2
} else={
    :log warning "Previous List for $LISTNAME found ! moving forward and checking if DNS entries can be added in it ..."
}

# Walk the DNS cache and collect A records whose name matches one of the targets
# (~ is an unanchored regex match, so any name containing the target string qualifies)
:foreach i in=[/ip dns cache all find where (name~"$TARGET1" || name~"$TARGET2") && (type="A") ] do={

    # Get the IP address of the cache entry and hold it in a temporary buffer
    :local Buffer [/ip dns cache all get $i address];
    :delay 10ms

    # Add the address only if it is not already in this list (ignore duplicates)
    :if ( [:len [/ip firewall address-list find where list=$LISTNAME address=$Buffer]] = 0 ) do={

        # Fetch the DNS name of the entry
        :local sitednsname [/ip dns cache all get $i name];

        # Print name in LOG window
        :log info ("added entry: $sitednsname $Buffer");

        # Add the IP address and its name to the address list
        /ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
    }
}

FOR YOUTUBE ~

# Script to add target web sites' DNS IP addresses into an address list
# Tested with Mikrotik 6.3x
# Syed Jahanzaib / aacable@hotmail.com
# List name
:local LISTNAME "youtube"

# Web site names which will be added to the address list
:local TARGET1 "youtube.com"
:local TARGET2 "googlevideo.com"

# 1st run: if the address list was not created previously, create it with the resolved addresses of the targets
# (an address-list entry cannot be added without an address, so the resolved IPs seed the list)
:if ( [:len [/ip firewall address-list find where list=$LISTNAME]] = 0 ) do={
    :log warning "No address list for $TARGET1 and $TARGET2 found ! creating and adding resolved entry for 1st time usage ... zaib"
    /ip firewall address-list add list=$LISTNAME address=[:resolve $TARGET1] comment=$TARGET1
    /ip firewall address-list add list=$LISTNAME address=[:resolve $TARGET2] comment=$TARGET2
} else={
    :log warning "Previous List for $LISTNAME found ! moving forward and checking if DNS entries can be added in it ..."
}

# Walk the DNS cache and collect A records whose name matches one of the targets
# (~ is an unanchored regex match, so any name containing the target string qualifies)
:foreach i in=[/ip dns cache all find where (name~"$TARGET1" || name~"$TARGET2") && (type="A") ] do={

    # Get the IP address of the cache entry and hold it in a temporary buffer
    :local Buffer [/ip dns cache all get $i address];
    :delay 10ms

    # Add the address only if it is not already in this list (ignore duplicates)
    :if ( [:len [/ip firewall address-list find where list=$LISTNAME address=$Buffer]] = 0 ) do={

        # Fetch the DNS name of the entry
        :local sitednsname [/ip dns cache all get $i name];

        # Print name in LOG window
        :log info ("added entry: $sitednsname $Buffer");

        # Add the IP address and its name to the address list
        /ip firewall address-list add address=$Buffer list=$LISTNAME comment=$sitednsname;
    }
}

SCHEDULER:

Schedule the script to run after every 5 minutes.

/system scheduler
add disabled=no interval=5m name=facebook-script-run-schedule on-event=facebook policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00
add disabled=no interval=5m name=youtube-script-run-schedule on-event=youtube policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00

FILTER RULE:

Now create a FIREWALL FILTER rule which actually DROPS the requests (in the FORWARD chain) going to the facebook or youtube address list.

[Make sure to move this rule to the TOP, or at least before any general accept rule, in the filter section]

/ip firewall filter
add action=drop chain=forward comment="Filter Rule to block FB address LIST :)" disabled=no dst-address-list=facebook
add action=drop chain=forward comment="Filter Rule to block YOUTUBE address LIST :)" disabled=no dst-address-list=youtube

Now try to access Facebook. It may open as usual at first, but as soon as the script runs, an address list is created with the FB IP addresses and access is blocked.
As shown in the images below …

TIME BASE FILTER RULE

You can also use this technique to block FB during specific times only. For example, to block access to FB from 9am to 10am, use the following filter rule.

/ip firewall filter
add action=drop chain=forward comment="Filter Rule to block FB address LIST :)" disabled=no dst-address-list=facebook time=9h-10h,sun,mon,tue,wed,thu,fri,sat

Force / redirect users to use your DNS:

/ip firewall nat
add action=redirect chain=dstnat comment="FORCE DNS TO LOCAL MIKROTIK DNS SERVER" dst-port=53 protocol=udp to-ports=53

If this method helped you, please let me know. Your comments and tips for improvement are most welcome.

Regards
Syed Jahanzaib

February 10, 2014

Hotspot User Change Password FORM for ‘User Self Management’

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 11:18 AM

How to provide Mikrotik hotspot users an option to change their password using a form or web page?

The simple answer is to configure USER MANAGER and provide its User Panel, which is very nice and informative and also allows users to change their password. But what if you don’t want to install User Manager, or what if users can also change other information via the user panel which you don’t want them to? Since the Mikrotik source code is not public, we cannot hide that option (as far as my limited knowledge goes). Using the form-based technique you can simply give them a web page from where they can change their password when required.

You can also add more functions to this page; for example, it can send an email or add an entry to a log file so that the admin knows at what time the password was last changed, or other functions as required.

This is a simple password change form for hotspot users. After they have logged in to the hotspot, they can change their own password using this form.

REQUIREMENTS:

– Linux based system (I used Ubuntu, but you can use any flavor of your choice)
– Apache / PHP 5.x / PEAR2 library

Also make sure you have enabled the API service in Mikrotik (IP > Services).
As shown in the image below …

LINUX SECTION

First update your Ubuntu package lists (if it’s not already updated on a fresh installation):

apt-get update

Now install the Apache web server with PHP5:

apt-get install apache2 php5

Don’t forget to restart the apache2 service; otherwise, when you try to open the password change form, the browser will ask you to save the file instead of rendering it 😀

service apache2 restart

Now we have to download the PEAR2 RouterOS client library so that the RouterOS functions can be called from the web page.
Go to your web folder, download the pear2 library and extract it:

cd /var/www
wget http://wifismartzone.com/files/linux_related/pear2.tar.gz
tar zxvf pear2.tar.gz

OK, now it’s time to create the change password page so that users can access it, or you can link it from your status page for the users’ convenience.

touch /var/www/changepass.php
nano /var/www/changepass.php

and paste the following code.
{Make sure to change the IP address of the Mikrotik and its admin ID/password}

<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2/Autoload.php';

$errors = array();

try {
    //Adjust RouterOS IP, username and password accordingly.
    $client = new RouterOS\Client('192.168.30.10', 'admin', 'admin');

    //The visitor is identified by the hotspot session that belongs to his IP address.
    $printRequest = new RouterOS\Request(
        '/ip hotspot active print',
        RouterOS\Query::where('address', $_SERVER['REMOTE_ADDR'])
    );
    $hotspotUsername = $client->sendSync($printRequest)->getArgument('user');
    if (null === $hotspotUsername) {
        //No active hotspot session for this address, so there is nothing to change.
        unset($hotspotUsername);
        $errors[] = 'No active hotspot session was found for your IP address.';
    }
} catch(Exception $e) {
    $errors[] = $e->getMessage();
}

if (isset($_POST['password']) && isset($_POST['password2'])) {
    if ($_POST['password'] !== $_POST['password2']) {
        $errors[] = 'Passwords do not match.';
    } elseif ('' === $_POST['password']) {
        $errors[] = 'The new password cannot be empty.';
    } elseif (empty($errors)) {
        //Here's the fun part - actually changing the password
        $setRequest = new RouterOS\Request('/ip hotspot user set');
        try {
            $client($setRequest
                ->setArgument('numbers', $hotspotUsername)
                ->setArgument('password', $_POST['password'])
            );
        } catch(Exception $e) {
            $errors[] = $e->getMessage();
        }
    }
}

//Everything echoed into the page is HTML-escaped.
function h($text)
{
    return htmlspecialchars($text, ENT_QUOTES, 'UTF-8');
}
?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Change your hotspot password sample page in PHP / Syed Jahanzaib.PK-KHI</title>
        <style type="text/css">
            #errors {background-color:darkred;color:white;}
            #success {background-color:darkgreen;color:white;}
        </style>
    </head>
    <body>
        <div>
            <?php if (!empty($errors)) { ?>
            <div id="errors"><ul>
                <?php foreach ($errors as $error) { ?>
                <li><?php echo h($error); ?></li>
                <?php } ?>
            </ul></div>
            <?php } elseif (isset($_POST['password'])) { ?>
            <div id="success">Your password has been changed.</div>
            <?php } ?>

            <?php if (isset($hotspotUsername)) { ?>
            <h3><span style="color: blue">PA</span><span style="color: red">KI</span><span style="color: purple">ST</span><span style="color: orange">AN</span> <span style="color: green">ZINDABAD</span> ...JZ!!</h3>
            <h2>
            <br />HOTSPOT ... Sample password change FORM <br /><br />
            You are currently logged in as "<?php echo h($hotspotUsername); ?>"</h2>

            <form action="" method="post">
                <ul>
                    <li>
                        <label for="password">New password:</label>
                        <input type="password" id="password" name="password" value="" />
                    </li>
                    <li>
                        <label for="password2">Confirm new password:</label>
                        <input type="password" id="password2" name="password2" value="" />
                    </li>
                    <li>
                        <input type="submit" id="act" name="act" value="Change password" />
                    </li>
                </ul>
            </form>
            <?php } ?>
        </div>
    </body>
</html>

Now once the user has logged in to the hotspot, he can access the page at a URL like the one below.

http://192.168.30.50/changepass.php

As shown in the image below …

Credits and legal stuff

Author: Vasil Rangelov, a.k.a. boen_robot (boen [dot] robot [at] gmail [dot] com)

Regards
Syed Jahanzaib

February 6, 2014

Detect Rogue DHCP & Alert via Email

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:53 PM

Dedicated to Local Desi Cable.Network Operators 😉

To detect a ROGUE (duplicate / conflicting) DHCP server via Mikrotik and receive an email alert with the conflicting DHCP server’s IP/MAC and date/time, there are several ways: a remote syslog server, or the LOG action, but I found the following method more customizable and suitable. Just make sure to tune it properly before deployment 😀

CONFIGURE DHCP-ALERT

Go to IP / DHCP Server / Alerts

Click on the + sign to add a new alert, and in the Alert box paste the following code.

:local CurrentTime [/system clock get time];
:local hostname [/system identity get name]
:local date [/system clock get date]
# $interface, $address and $"mac-address" are filled in by the DHCP alert itself
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"

# user= is the SMTP login name; server, port and start-tls given here override the /tool e-mail defaults
/tool e-mail send server=173.194.69.109 port=587 start-tls=yes user=YOUR_GMAIL_ID@gmail.com password=YOURPASSWORD to=aacable@hotmail.com subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $date  - time $CurrentTime  - Interface= $int  - IP Address=$addr - MAC-Address= $mac  !! GO HUNT & KILL :D")

Now click on Apply.

As shown in the image below …

Make sure to tune the INTERVAL setting according to your requirements. Also, it’s a good idea to enter the MAC addresses of your legitimate DHCP servers in the VALID SERVER box to avoid false detection of your own servers.

Configure EMAIL/SMTP Settings

Now configure your email SMTP settings so that the email can be sent; you can also set other alert actions, like SMS, or just print to the main LOG window, or whatever :p

I am using GMAIL in this example.


# Gmail on port 587 requires STARTTLS; the RouterOS v6 parameter name is start-tls
/tool e-mail set address=74.125.45.109 from=gmailid@gmail.com password=mypassword port=587 start-tls=yes user=gmailid

Also enable email logging so that in case of any error you can view it in the LOG window for troubleshooting:


/system logging add topics=e-mail action=memory

Now as soon as any rogue/conflicting DHCP server is detected by Mikrotik, it will be logged in the main LOG window and an email alert will also be sent using your Gmail ID.

As shown in the image below …

Regards
Syed Jahanzaib

February 1, 2014

Mikrotik: Routing Target Web Site to Secondary WAN Link

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 3:44 PM

If you have two WAN links and want to dedicate one link to a specific web site or to FACEBOOK traffic only, you can do it with Mikrotik in a few simple steps.

First understand the logic. The main idea is to create a script that catches the target web site name in the DNS cache and adds the resolved IP addresses to an address list (this is done automatically by the script). Then, in mangle, create a rule that marks packets going to the addresses in that list, and in the route section create a new route that sends the marked packets via the WAN 2 link.

First, add the script.

SCRIPT SECTION:

Add the script which catches the required web site name using the DNS cache:

###############################################
# script name: target_web_site
# Script to add TARGET_WEB_SITE DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )

:local LISTNAME "TARGET_WEB_SITE_dns_ips"
:local TARGET "aacable.wordpress.com"

:log warning "Script Started ... Adding TARGET_WEB_SITE DNS ip's to address list name $LISTNAME"
# Walk the A records in the DNS cache
:foreach i in=[/ip dns cache all find where type="A"] do={
    :local cacheName [/ip dns cache all get $i name];
    # :find returns nil when the target string is not part of the cached name
    :if ([:typeof [:find $cacheName $TARGET]] != "nil") do={
        :local tmpAddress [/ip dns cache all get $i address];
        # Add the address only if it is not already in the list (checked per list, not across all lists)
        :if ( [:len [/ip firewall address-list find where list=$LISTNAME address=$tmpAddress]] = 0 ) do={
            :log info ("added entry: $cacheName IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=$LISTNAME comment=$cacheName;
        }
    }
}
# TARGET_WEB_SITE DNS IP ADD Script Ended ...

SCHEDULER SECTION:

Schedule the script to run every 5 minutes (or hourly):

/system scheduler
add disabled=no interval=5m name=target_web_site_schedule on-event=target_web_site policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00

MARK PACKETS SECTION:

Now mark traffic for the required web site in the PREROUTING chain:

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list=TARGET_WEB_SITE_dns_ips new-routing-mark=target_website_packets passthrough=yes

ROUTE MARKED PACKETS SECTION:

Finally, create a route for the marked packets to go via the second WAN:

/ip route
add comment="Route for marked packets for target web marked packets" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=target_website_packets scope=30 target-scope=10

###############################################
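The Facebook/YouTube scripts earlier on this page and the target_web_site script above apply the same selection rule: take every A record in the DNS cache whose name matches the target and add its address unless it is already in the list. The Python below is an added example, not the blog's code, that reproduces that rule offline on a constructed cache snapshot and goes one step further: it contrasts the unanchored regex match the scripts use (name~"facebook.com", where '.' matches any character) with exact-domain/subdomain matching, and it keeps out of the list any address that a name you still want reachable also resolves to, which is the translate.google.com situation noted in the Update of the Facebook/YouTube post. All names, addresses and function names are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Iterable, List, Set, Tuple


@dataclass(frozen=True)
class CacheEntry:
    """One row of /ip dns cache all (constructed for this example)."""
    name: str
    rtype: str
    address: str


def regex_match(name: str, targets: Iterable[str]) -> bool:
    """Mimic the RouterOS filter name~"target": an unanchored regex search
    in which '.' matches any character, so 'notfacebook.com' also matches."""
    return any(re.search(t, name) for t in targets)


def domain_match(name: str, targets: Iterable[str]) -> bool:
    """Stricter rule: the name is the target domain itself or a subdomain of it."""
    n = name.lower().rstrip(".")
    for t in targets:
        t = t.lower().rstrip(".")
        if n == t or n.endswith("." + t):
            return True
    return False


def shared_addresses(cache: List[CacheEntry], targets: List[str],
                     allow_names: Iterable[str]) -> Set[str]:
    """Addresses that the targets share with allow-listed names; dropping
    them would also block the allowed sites (the translate.google.com case)."""
    allowed = {e.address for e in cache
               if e.rtype == "A" and domain_match(e.name, allow_names)}
    targeted = {e.address for e in cache
                if e.rtype == "A" and domain_match(e.name, targets)}
    return allowed & targeted


def plan_additions(cache: List[CacheEntry], targets: List[str], existing: Iterable[str],
                   allow_names: Iterable[str] = (), matcher=domain_match) -> List[Tuple[str, str]]:
    """(address, comment) pairs the script would add to the list: A records
    only, matching names only, nothing already in the list, and nothing
    that an allow-listed name resolves to as well."""
    protected = shared_addresses(cache, targets, allow_names)
    seen = set(existing)
    additions = []
    for e in cache:
        if e.rtype != "A" or not matcher(e.name, targets):
            continue
        if e.address in protected or e.address in seen:
            continue
        seen.add(e.address)
        additions.append((e.address, e.name))
    return additions


def routeros_commands(list_name: str, additions: List[Tuple[str, str]]) -> List[str]:
    """Render the additions as the address-list commands the RouterOS
    script would run (comment quoted, as the CLI requires for spaces)."""
    return ['/ip firewall address-list add list=%s address=%s comment="%s"'
            % (list_name, addr, comment) for addr, comment in additions]


# Constructed DNS cache snapshot using RFC 5737 / RFC 3849 documentation addresses.
SAMPLE_CACHE = [
    CacheEntry("www.facebook.com", "A", "192.0.2.10"),
    CacheEntry("star.c10r.facebook.com", "A", "192.0.2.10"),    # same IP again
    CacheEntry("notfacebook.com", "A", "192.0.2.99"),           # substring false positive
    CacheEntry("www.youtube.com", "A", "198.51.100.20"),
    CacheEntry("r1---sn-example.googlevideo.com", "A", "198.51.100.21"),
    CacheEntry("translate.google.com", "A", "198.51.100.20"),   # shares its IP with youtube
    CacheEntry("www.youtube.com", "AAAA", "2001:db8::1"),       # not an A record, ignored
]

if __name__ == "__main__":
    fb = plan_additions(SAMPLE_CACHE, ["facebook.com"], existing=[])
    yt = plan_additions(SAMPLE_CACHE, ["youtube.com", "googlevideo.com"], existing=[],
                        allow_names=["translate.google.com"])
    for line in routeros_commands("facebook", fb) + routeros_commands("youtube", yt):
        print(line)
```

Passing matcher=regex_match reproduces the scripts' behaviour exactly, so the two runs can be compared on the same cache snapshot.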

All Done !!!
Now simply open your required web site and let the script run (or run it manually); you will then see a few IP addresses in IP > Firewall > Address List.

It’s amazing: you can route any website/traffic to a specific WAN link, for example a dedicated DSL link for streaming media sites or FB. It’s cool 😉

For more info and ideas, please visit the following link.
http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing

zaiB !
