Syed Jahanzaib Personal Blog to Share Knowledge !

March 27, 2018

Separating NATTING from ROUTING in Mikrotik

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 10:57 AM

nattinv and routing brother.jpg

no nat result

mikrotik natting and routing

Disclaimer:

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create a solution that can match with your network scenario. Do not follow copy paste blindly.

I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read & research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others

Regard’s
Syed Jahanzaib


Scenario:

We are using Mikrotik CCR as PPPOE NAS. It’s a mix match scenario where large number of users receive private ip (via pppoe connection) and smaller number of users gets public ip (routed Public pool)


Problem:

When we have network outages like light failure in any particular area OR port flaps, in LOG we can see many PPPoE sessions disconnects with ‘peer not responding‘ messages. Exactly at this moments, our NAS CPU usage reaches to almost 100% , which results in router stops passing any kind of traffic. This problem continues for 2-3 minutes.

As shown in the image below …

pppoe high cpu usage

After lurking in the mikrotik forums, I was informed that If you are using Masquarade /NAT on the router, that is the problem. When using Masquarade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect. So if you have lots of PPP session connecting/disconnecting, connection tracking will constantly be recalculated which can cause high CPU usage. When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage.


Solution OR Possible Workaround :

  • If you have lots of PPP users along with some NATTING rules, Stop using Masquarade on same router that have a lot of dynamic interfaces. DO NOT use NAT on any router that have high number of connecting/disconnecting interfaces , like pppoe/vpn. Place an additional router connected with your PPPoE NAS, and route NAT traffic there. Make sure to disable CONNECTION TRACKING on PPPoE NAS router.

Example: Add another router & perform all natting on that router by sending marked traffic from private ip series to that nat router. Setup routing between the PPPoE NAS and the NAT router.Make sure to disable CONNECTION TRACKING on PPPoE NAS router.


Following is an working example.

1# Main CCR as PPPOE NAS

Interface Details:

  • ETHER1-LAN-: 192.168.88.1/24 < User facing interface where pppoe connections establishes. Consider it as LAN facing side for pppoe users.
  • PUBLIC-WAN: 101.11.11.254 < WAN Interface for public IP routing
  • 2-NAT-ROUTER: 192.168.100.2/24  < interface connected with another CCR for natting traffic routing
  • PPPoE User IP Pool > 172.16.0.1-172.16.0.255
  • UPSTREAM ISP Core Router Gateway IP >  101.11.11.36

2# Second CCR as NATTING Router

Interface Details:

  • 2nd-NAT-CCR-LAN: 192.168.100.1/24 < interface connected with main CCR [for pppoe users traffic]
  • NATTING-WAN: 101.11.11.253 < Wan interface for natting users [traffic coming from main CCR for natting]
  • UPSTREAM ISP Core Router Gateway IP >  101.11.11.36
  • PPPoE Users Pool – 172.16.0.0/24

1# Main CCR Configuration for marking traffic

First we will mark traffic for private/public ip and will create routes for them as well.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark routing for Private IP users - zaib" disabled=no new-routing-mark=nat_routing passthrough=yes src-address=172.16.0.1-172.16.0.255
# We really dont need to mark traffic for public ip's because they will simply pass from our default route , but just for the sake of demonstration we are doing it.
add action=mark-routing chain=prerouting comment="Mark routing for PUBLIC IP users - zaib" disabled=no new-routing-mark=public_routing passthrough=yes src-address=1.1.1.1-1.1.1.255

Make sure you dont have any NAT rule in place. [in NAT section]

Now add Routes for marked traffic

/ip route
add comment="Route private ip traffic via second NAT router" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=nat_routing scope=30 target-scope=10
add comment="Route public ip via this router default Gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 routing-mark=public_routing scope=30 target-scope=10
# DEFAULT Gateway for router's own traffic - zaib
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10

Main CCR configuration part is done. Now moving towards second router where all NATTING will be done.

2# NATTING CCR Configuration for Masquerade

First create Default NAT rule [you may want to add ip series for security purposes.

/ip route
add comment="Default Router for NATTING router " disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10
# Add reverse Route so that NATTING router can see the pppoe user directly
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=192.168.100.2 scope=30 target-scope=10

Testing !

  • Create TEST user in main CCR pppoe NAS,
  • Assign him private ip series profile,
  • Connect this TEST id from test PC & run TRACEROUTE

As shown in the image below …

ccr pppoe active private.JPG

.

nat-vs-route.JPG

RUN Torch on NATTING Router… as we can see that NATTING router is seeing pppoe users directly dueto reverse route in it.

NATTING CCR torch


Final Step.

Once you have routed all private ip series 2 2nd CCR, Make sure to disable CONNECTION TRACKING on the pppoe router (1st router where users are connected via pppoe) by using cmd


/ip firewall connection tracking
set enabled=no


Now look at the difference Before Vs After

no nat result

March 21, 2018

FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge – Part#2

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 3:19 PM

link-redirection

  1. FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests – Part#1
  2. FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge – Part#2 < You are Here

Disclaimer! This is important!

This post is related to a solution designed specific to cater some local manipulation requirement therefore you may continue to read it as an reference purpose only !

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create your own solution as per your network scenario. Just dont follow copy paste.

Please donot think that I am an expert on this stuff, I am NOT certified in anything including Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I am human being , I do make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others

Regard's
Syed Jahanzaib~

Scenario & Requirements:

We want to connect Network A & B using Mikrotik Bridge so that we can transparently intercept some traffic for control & redirection purposes. Example we want to make sure that any dns traffic that is traveling from A to B or B to A should be redirected to Mikrotik DNS for manipulation purposes. Also we would like to Block ICMP traffic travelling between both networks.

Solution:

We are using Mikrotik 2011UiAS-2HnD model.

Port-1 is connected with Network A and Port-2 is connected with Network B.

# BRIDGE Configuration

First we will do Bridge configuration & add ports in it,

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes

As showed in image below …

bridge rules

# DNS Configuration

Now setup Local DNS server

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# Now we will add static DNS entry for our requirements
/ip dns static
add address=1.2.3.4 name=aacable.wordpress.com

As showed in image below …

bridge dns add static.JPG

# DNS Redirection

Firewall NAT configuration to redirect DNS traffic travelling via BRIDGE interface to Mikrotik local DNS for manipulation purposes

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Traffic via BRIDGE to local DNS - Zaib" dst-port=53 in-interface=bridge1 protocol=udp to-ports=53

# ICMP Filteration

Firewall Filter configuration to block ICMP protocol

/ip firewall filter
add action=reject chain=forward comment="Block ICMP Rule in BRIDGE - Zaib" in-interface=bridge1 protocol=icmp reject-with=icmp-network-unreachable

Client Testing

Result of testing NSLOOKUP from user PC. [Before vs After]

bridge - dns resolve nslookup result

Result of testing ICMP & PING from user PC.

bridge - icmp block result result


Linux is amazing 🙂 however Mikrotik is handy most of the times 🙂

March 8, 2018

Short Notes on LibreNMS !

Filed under: Linux Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 3:46 PM

libre dashboard

This post contains short notes & step by step guide on *NMS* –  An open source network monitoring system called LIBRENMS , it is based on MRTG Php/MySQL/Snmp.


STEP BY STEP iNSTALLATION FOR LIBRENMS

Recommended OS: Ubuntu 18 or 20  (Server Edition/64bit), follow official guide as per below ,

https://docs.librenms.org/Installation/Installation-Ubuntu-1804-Apache/


Tips on upgrade PHP 7.2 to 7.4 on Ubuntu 16.4

I had few older installation done on Ubuntu 16.4 which were giving error for php 7.2 version, therefore I am posting this guide so that you can still upgrade to older version if required.

Upgrading LIbrenms php 7.2 to 7.4

Install 3rd party repository to add support for installing Php 7.4 in UBUNTU 16.4 SERVER.

sudo add-apt-repository ppa:jczaplicki/xenial-php74-temp
sudo apt-get update

*Install php7.4*

apt install composer php7.4 php7.4-cli php7.4-curl php7.4-fpm php7.4-gd php7.4-json php7.4-mbstring php7.4-mysql php7.4-snmp php7.4-xml php7.4-zip

*Change Timezone in PHP*

nano /etc/php/7.4/fpm/php.ini
nano /etc/php/7.4/cli/php.ini

Search for date.time in above 2 _php_ files & change it as per your time zone example

date.timezone = Asia/Karachi

*Configure PHP-FPM*


cp /etc/php/7.4/fpm/pool.d/www.conf /etc/php/7.4/fpm/pool.d/librenms.conf
nano /etc/php/7.4/fpm/pool.d/librenms.conf

in above librenms.conf file, Change below


[www] to [librenms]
user = librenms
group = librenms
listen = /run/php-fpm-librenms.sock

Save & Exit.

Now move & edit below file

mv /etc/apache2/sites-available/librenms.conf /etc/apache2/sites-available/librenms-7.2.conf
nano /etc/apache2/sites-available/librenms.conf

*** use this as template ***


<VirtualHost *:80>
DocumentRoot /opt/librenms/html/
ServerName librenms.jahanzaib.com

AllowEncodedSlashes NoDecode
<Directory "/opt/librenms/html/">
Require all granted
AllowOverride All
Options FollowSymLinks MultiViews
</Directory>

<IfModule setenvif_module>
SetEnvIfNoCase ^Authorization$ "(.+)" HTTP_AUTHORIZATION=$1
</IfModule>

<FilesMatch ".+\.php$">
SetHandler "proxy:unix:/run/php-fpm-librenms.sock|fcgi://localhost"
</FilesMatch>
</VirtualHost>

SAVE & EXIT.

Restart few services & you will be good to Go Insha.Allah !

a2enmod proxy_fcgi setenvif rewrite
a2ensite librenms.conf
systemctl restart php7.4-fpm
systemctl restart apache2

 

%d bloggers like this: