Syed Jahanzaib Personal Blog to Share Knowledge !

March 27, 2018

Separating NATTING from ROUTING in Mikrotik

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 10:57 AM

nattinv and routing brother.jpg

mikrotik natting and routing

Disclaimer:

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create a solution that can match with your network scenario. Do not follow copy paste blindly.

I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read & research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others

Regard’s
Syed Jahanzaib


Scenario:

We are using Mikrotik CCR as PPPOE NAS. Its a mix match router where large number of users received private ip (via pppoe connection) and other large portion receives IP from routed Public pool as well.

 


Problem:

When we have network outages like light failure in any particular area , in LOG we can see many PPPoE sessions disconnects with ‘peer not responding‘ messages. Exactly at this moments, our NAS CPU usage reaches to almost 100% , which results in router stops passing any kind of traffic. This can continue for a minute or so on.

As showed in the image below …

pppoe high cpu usage

If you are using Masquarade /NAT on the router, that is the problem. When using Masquarade, RouterOS has to do full connection tracking recalculation on EACH interface connect/disconnect. So if you have lots of PPP session connecting/disconnecting, connection tracking will constantly be recalculated which can cause high CPU usage. When interfaces connect/disconnect, in combination with NAT, it gives you high CPU usage.


Solution OR Possible Workaround :

  • If you have lots of PPP users along with some NATTING rules, Stop using Masquarade on same router that have a lot of dynamic interfaces. DO NOT use NAT on any router that have high number of connecting/disconnecting interfaces , like pppoe/vpn. Place an additional router connected with your PPPoE NAS, and route NAT there.
    Example: Add another router & perform all natting on that router by sending marked traffic from private ip series to that nat router. Setup routing between the PPPoE NAS and the NAT router.

Following is an working example.

1# Main CCR as PPPOE NAS

Interface Details:

  • ETHER1-LAN-: 192.168.88.1/24 < User facing interface where pppoe connections establishes
  • PUBLIC-WAN: 101.11.11.254 < WAN Interface for public IP routing
  • 2-NAT-ROUTER: 192.168.60.2/24  < interface connected with another CCR for natting

PPPoE User IP Pool > 172.16.0.1-172.16.0.255
UPSTREAM ISP Core Router Gateway IP >  101.11.11.36

2# Second CCR as NATTING Router

Interface Details:

  • 2-CCR-LAN: 192.168.60.1/24 < interface connected with main CCR [pppoe]
  • NATTING-WAN: 101.11.11.253 < Wan interface for natting users [traffic coming from main CCR for natting]
  • UPSTREAM ISP Core Router Gateway IP >  101.11.11.36

1# Main CCR Configuration for marking traffic

First we will mark traffic for private/public ip and will create routes for them as well.

/ip firewall mangle
add action=mark-routing chain=prerouting comment="Mark routing for Private IP users - zaib" disabled=no new-routing-mark=nat_routing passthrough=yes src-address=172.16.0.1-172.16.0.255
# We really dont need to mark traffic for public ip's because they will simply pass from our default route , but just for the sake of demonstration we are doing it.
add action=mark-routing chain=prerouting comment="Mark routing for PUBLIC IP users - zaib" disabled=no new-routing-mark=public_routing passthrough=yes src-address=1.1.1.1-1.1.1.255

Make sure you dont have any NAT rule in place. [in NAT section]

Now add Routes for marked traffic

/ip route
add comment="Route private ip traffic via second NAT router" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.100.1 routing-mark=nat_routing scope=30 target-scope=10
add comment="Route public ip via this router default Gateway" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 routing-mark=public_routing scope=30 target-scope=10
# DEFAULT Gateway for router's own traffic - zaib
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10

Main CCR configuration part is done. Now moving towards second router where all NATTING will be done.

2# NATTING CCR Configuration for Masquerade

First create Default NAT rule [you may want to add ip series for security purposes.

/ip route
add comment="Default Router for NATTING router " disabled=no distance=1 dst-address=0.0.0.0/0 gateway=101.11.11.36 scope=30 target-scope=10
# Add reverse Route so that NATTING router can see the pppoe user directly
add disabled=no distance=1 dst-address=172.16.0.0/16 gateway=192.168.100.2 scope=30 target-scope=10

Testing !

  • Create TEST user in main CCR pppoe NAS,
  • Assign him private ip series profile,
  • Connect this TEST id from test PC & run TRACEROUTE

As showed in the image below …

ccr pppoe active private.JPG

.

nat-vs-route.JPG

RUN Torch on NATTING Router… as we can see that NATTING router is seeing pppoe users directly dueto reverse route in it.

NATTING CCR torch

.


 

March 21, 2018

FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge – Part#2

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 3:19 PM

link-redirection

  1. FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests – Part#1
  2. FUN with Mikrotik BRIDGE Series# Redirecting Traffic with Mikrotik Bridge – Part#2 < You are Here

Disclaimer! This is important!

This post is related to a solution designed specific to cater some local manipulation requirement therefore you may continue to read it as an reference purpose only !

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create your own solution as per your network scenario. Just dont follow copy paste.

Please donot think that I am an expert on this stuff, I am NOT certified in anything including Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I am human being , I do make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others

Regard's
Syed Jahanzaib~

Scenario & Requirements:

We want to connect Network A & B using Mikrotik Bridge so that we can transparently intercept some traffic for control & redirection purposes. Example we want to make sure that any dns traffic that is traveling from A to B or B to A should be redirected to Mikrotik DNS for manipulation purposes. Also we would like to Block ICMP traffic travelling between both networks.

Solution:

We are using Mikrotik 2011UiAS-2HnD model.

Port-1 is connected with Network A and Port-2 is connected with Network B.

# BRIDGE Configuration

First we will do Bridge configuration & add ports in it,

/interface bridge
add name=bridge1

/interface bridge port
add bridge=bridge1 interface=ether1
add bridge=bridge1 interface=ether2
/interface bridge settings
set use-ip-firewall=yes

As showed in image below …

bridge rules

# DNS Configuration

Now setup Local DNS server

/ip dns
set allow-remote-requests=yes servers=8.8.8.8

# Now we will add static DNS entry for our requirements
/ip dns static
add address=1.2.3.4 name=aacable.wordpress.com

As showed in image below …

bridge dns add static.JPG

# DNS Redirection

Firewall NAT configuration to redirect DNS traffic travelling via BRIDGE interface to Mikrotik local DNS for manipulation purposes

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect DNS Traffic via BRIDGE to local DNS - Zaib" dst-port=53 in-interface=bridge1 protocol=udp to-ports=53

# ICMP Filteration

Firewall Filter configuration to block ICMP protocol

/ip firewall filter
add action=reject chain=forward comment="Block ICMP Rule in BRIDGE - Zaib" in-interface=bridge1 protocol=icmp reject-with=icmp-network-unreachable

Client Testing

Result of testing NSLOOKUP from user PC. [Before vs After]

bridge - dns resolve nslookup result

Result of testing ICMP & PING from user PC.

bridge - icmp block result result


Linux is amazing 🙂 however Mikrotik is handy most of the times 🙂

March 8, 2018

Short Notes on LibreNMS !

Filed under: Linux Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:46 PM

libre dashboard

This post contains short notes & step by step guide on open source network omonitoring system called LIBRENMS , it is based on Php/MySQL/Snmp.


STEP BY STEP iNSTALLATION FOR LIBRENMS

OS: Ubuntu 16 (Server Edition/64bit)

First install required support packages

apt-get update
# Now install all the required components in a single GO ...
apt install -y apache2 composer fping git graphviz imagemagick libapache2-mod-php7.0 mariadb-client mariadb-server mtr-tiny nmap php7.0-cli php7.0-curl php7.0-gd php7.0-json php7.0-mcrypt php7.0-mysql php7.0-snmp php7.0-xml php7.0-zip python-memcache python-mysqldb rrdtool snmp snmpd whois curl acl
[select your php version and install it accordingly)
apt-get install php-mbstring
sudo apt-get install php7.0-mbstring
sudo apt-get install php7.1-mbstring
sudo apt-get install php7.2-mbstring

Add local user for librenms

useradd librenms -d /opt/librenms -M -r
usermod -a -G librenms www-data
systemctl restart mysql

Create user & DB

mysql -uroot -pzaib1234
CREATE DATABASE librenms CHARACTER SET utf8 COLLATE utf8_unicode_ci;
CREATE USER 'librenms'@'localhost' IDENTIFIED BY 'zaib1234';
GRANT ALL PRIVILEGES ON librenms.* TO 'librenms'@'localhost';
FLUSH PRIVILEGES;
exit

Now edit maria-db config file

nano /etc/mysql/mariadb.conf.d/50-server.cnf

& add following

[Within the [mysqld] section please add]

innodb_file_per_table=1
sql-mode=""
lower_case_table_names=0

& restart mysql
systemctl restart mysql
Save & Exit.

Web Server Config

Edit PHP files & setup TIMEZONEs

nano /etc/php/7.0/apache2/php.ini
nano /etc/php/7.0/cli/php.ini

Search for ‘date.timezone‘ & change it to

date.timezone = Asia/Karachi

Save & EXit.

Configure Apache

nano /etc/apache2/sites-available/librenms.conf

Add the following config,


DocumentRoot /opt/librenms/html/
ServerName  librenms.campusN.ws.nsrc.org
CustomLog /opt/librenms/logs/access_log combined
ErrorLog /opt/librenms/logs/error_log
AllowEncodedSlashes NoDecode

Require all granted
AllowOverride All
Options FollowSymLinks MultiViews


Save & Exit

a2dissite 000-default
a2ensite librenms.conf
a2enmod rewrite
systemctl restart apache2

Edit SNMPD Config file to enable SNMP on localhost

Now edit SNMPD config file and add our SNMP community string like public or other

nano /etc/snmp/snmpd.conf

Edit the text which says rocommunity public and set your own community string.
save and exit.

curl -o /usr/bin/distro https://raw.githubusercontent.com/librenms/librenms-agent/master/snmp/distro
chmod +x /usr/bin/distro
systemctl restart snmpd

Install LIBRE-NMS via composer command

cd /opt
composer create-project --no-dev --keep-vcs librenms/librenms librenms dev-master

Example:

1- install libre via cmd

CRONJOBS for librenms

cp /opt/librenms/librenms.nonroot.cron /etc/cron.d/librenms
cp /opt/librenms/misc/librenms.logrotate /etc/logrotate.d/librenms
chown -R librenms:librenms /opt/librenms
setfacl -d -m g::rwx /opt/librenms/rrd /opt/librenms/logs
setfacl -R -m g::rwx /opt/librenms/rrd /opt/librenms/logs

Start Configuration of LIBRENMS

cd /opt/librenms

cp config.php.default config.php

sudo chown -R librenms:librenms /opt/librenms

sudo setfacl -d -m g::rwx /opt/librenms/bootstrap/cache /opt/librenms/storage /opt/librenms/logs /opt/librenms/rrd

sudo chmod -R ug=rwX /opt/librenms/bootstrap/cache /opt/librenms/storage /opt/librenms/logs /opt/librenms/rrd

Now access libre-nms via browser …

http://yourip/install.php

& follow onscreen steps…

2- libre first step of gui

Make sure to add id password which is authorized to change DB , as required …

and click on FINISH on GUI.

Adding config.php

At one point, IF REQUIRED You may have to create the config.php manually as showed here.

nano /opt/librenms/config.php

& paste the data as showed in the config window.

<!--?php

## Have a look in includes/defaults.inc.php for examples of settings you can set here. DO NOT EDIT defaults.inc.php!

### Database config
$config['db_host'] = 'localhost';
$config['db_user'] = 'librenms';
$config['db_pass'] = 'zaib1234';
$config['db_name'] = 'librenms';

// This is the user LibreNMS will run as
//Please ensure this user is created and has the correct permissions to your install
$config['user'] = 'librenms';

### This should *only* be set if you want to *force* a particular hostname/port
### It will prevent the web interface being usable form any other hostname
$config['base_url'] = "/";

### Enable this to use rrdcached. Be sure rrd_dir is within the rrdcached dir
### and that your web server has permission to talk to rrdcached.
#$config['rrdcached'] = "unix:/var/run/rrdcached.sock";

### Default community
$config['snmp']['community'] = array('public');

### Authentication Model
$config['auth_mechanism'] = "mysql"; # default, other options: ldap, http-auth
#$config['http_auth_guest'] = "guest"; # remember to configure this user if you use http-auth

### List of RFC1918 networks to allow scanning-based discovery
#$config['nets'][] = "10.0.0.0/8";
#$config['nets'][] = "172.16.0.0/12";
#$config['nets'][] = "192.168.0.0/16";

# Uncomment the next line to disable daily updates
#$config['update'] = 0;

# Number in days of how long to keep old rrd files. 0 disables this feature
$config['rrd_purge'] = 0;

# Uncomment to submit callback stats via proxy
#$config['callback_proxy'] = "hostname:port";

# Set default port association mode for new devices (default: ifIndex)
#$config['default_port_association_mode'] = 'ifIndex';

# Enable the in-built billing extension
$config['enable_billing'] = 1;

# Enable the in-built services support (Nagios plugins)
$config['show_services'] = 1;

Save & Exit.

Add User if required

php adduser.php admin2  admin2 10 aacable@yourmail.com

librenms install done

 

Make sure to remove COMPOSER & set permissions when all is OK. Else it will give error in VALIDATION part.

chown -R librenms:librenms /opt/librenms
apt-get remove composer

 


Some more snaps

  • Add Device

 

add device

librenms add device with snmp

Devices Overview

device view

libre dashboard.JPG

%d bloggers like this: