Syed Jahanzaib Personal Blog to Share Knowledge !

February 20, 2018

Bursting with Mikrotik Burst ^o^

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 3:42 PM

Disclaimer! This is important!

Every Network is different , so one solution cannot be applied to all. Therefore try to understand logic & create your own solution as per your network scenario. Just dont follow copy paste.

If anybody here thinks I am an expert on this stuff, I am NOT certified in anything Mikrotik/Cisco/Linux or Windows. However I have worked with some core networks and I read , research & try stuff all of the time. So I am not speaking/posting about stuff I am formerly trained in, I pretty much go with experience and what I have learned on my own. And , If I don’t know something then I read & learn all about it.

So , please don’t hold me/my-postings to be always 100 percent correct. I make mistakes just like everybody else. However – I do my best, learn from my mistakes and always try to help others

Regard's
Syed Jahanzaib~

Mikrotik Burst feature provides predefined extra bandwidth for a limited period of time IF the user remains under the burst threshold limit, or else He will be limited to his max–limit package.

It is best explained here

https://wiki.mikrotik.com/wiki/Manual:Queues_-_Burst

 

Real life Example:


Explanation !

  • User IP (1-TARGET) on which this queue will be implemented
  • When this IP will start downloading he can reach download rate of 512 kbps (3-BURST_LIMIT)
  • Until he continue to do so for a minute (5-BURST_TIME) (period of time, in seconds, over which the average data rate is calculated. (This is NOT the time of actual burst, so on avg it will become 30s)
  • That is on an average basis his download remains 256 kbps (4-BURST_THRESHOLD) for a minute, (average of 30 seconds)
  • Then he will be get back limited to his max-limit (2-MAX_LIMIT)
  • When a user doesn’t use the traffic at all and 30 second average goes to 0 so the next time traffic is requested then it will be at the Burst speed (3-BURST_LIMIT).

 

Small BURST TIME may not give you correct results. So use reasonable time. in this example I used shorter time for demonstration purposes. A large burst isn’t a problem technically, it’s more of a business decision.

To calculate burst and relates values, download this excel sheet named “MikroTik burst simulator.xlsx” from my google drive & try it yourself … you will get clear picture


Another Example by joshaven! so that you can better understand —-


Now look at its Demo ,

 

 

Advertisements

February 5, 2018

Access other OP portal via Mikrotik Load Balancer

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 8:37 PM

portal routing in pcc.jpg

Disclaimer: I receive many emails from local operators on howto access other operators media sharing portal so that there local users can access them. Rather then replying each one separately & Due to time shortage, I am posting a simple method on how you can let your users access the outer operator media portal via your load balance mikrotik.  It is highly recommended to first search for the target web site/servers ip either using trace-route or wire shark. you have to conduct lengthy tracing by simply first try to connect with the target web site and start downloading multiple files, now using either TORCH, or using WIRE SHARK, you can get ips of all the servers which is being accessed by the torrent/idm which is connecting wit the target services. just make a note of these ip’s and add them in list either ip by ip or by /24 subnet.

Also It is recommended to use Mark Connections / Packets and Mark Routing. This way you wont have to create addition rules. So following pseudo codes is highly recommended to fit yourself in a famous quote that says `Work Smarter , not harder …`

Regard’s
Syed Jahanzaib

Example of WIRESHARK is posted bellow ….

wire-shark-example


Scenario:

We are using Mikrotik as pppoe server and dual vdsl links as WAN load balancer. We have acquired another Operator X line just to access there Entertainment portal which is great in media sharing files including video games etc. We want to let our user access there portal using our mikrotik without interfering with any other network.


Solution:

Quick & Dirty method. You should refine it when deploying in production environment.

We have configured an simple wifi router along with Operator X service in it. Now connect this router LAN line in your mikrotik (example Port 12).

IP Scheme:

  • Mikrotik LAN IP for pppoe users : eth0 > 192.168.0.1
  • Mikrotik PPPoE IP series (allowed users for internet) : 192.168.200.0/24
  • Mikrotik WAN-1 IP Series for DSL1 : eth1 > 192.168.1.1
  • Mikrotik WAN-2 IP Series for DSL2 : eth2 > 192.168.2.1
  • Mikrotik eth12 IP Series for Portal X : eth12 > 192.168.12.2 ( > 192.168.12.1 is wifi router with local OP service)
  • PORTAL-X IP Series: Web Portal – 123.123.123.0/24  Download servers – 172.17.1.0/24

Note:
For DNS, you can either use the OP-X dns servers (or wifi router as your dns as wifi router will get the DNS dynamically from the OP-X, or you can make static dns entries in your mikrotik dns server , and make sure all of your clients are using your mikrotik as there preferred dns server, you can also create a forced router to redirect all outgoing dns requests to your mirkotik. whatever is easier for you 🙂


Code!

# PPPoE Users IP List to access internet/portal
/ip firewall address-list
add address=192.168.200.0/24 comment="Allowed Users to Use Internet" list="allowed users"
# Add Portal X IP Series, you can get there list by inspecting torrent files, or using WIRESHARK
add address=123.123.123.0/24 list=portalx_list
add address=172.17.1.0/24 list=portalx_list

# Accept the PORTAL X packets to avoid processing them in PCC, then using routes we can route them via wifi router
/ip firewall mangle
add action=accept chain=prerouting comment="ACCEPT portalx_list PACKETS FROM PROCESSING THEM IN PCC - ZAIB" dst-address-list=portalx_list src-address-list="pppoe_allowed_users"

# Allow requests going to Portal X interface (to wifi router with OP X service)
/ip firewall nat
add action=masquerade chain=srcnat comment=ALLOW_ACCESS_TO_portalx_list_INTERFACE out-interface=eth12 src-address-list="pppoe_allowed_users

# Since we have excluded the Portal.X from PCC, therefor we have to create ROUTE for these packets
# So that these packets should route via Wi.Fi Router (connected with OP X service)
/ip route
add distance=1 dst-address=123.123.123.0/24 gateway=192.168.12.1 comment=route_for_portalx_site_going_via_local_wifi_router
add distance=1 dst-address=172.17.1.0/24 gateway=192.168.12.1 comment=route_for_portalx_site_going_via_local_wifi_router

# In the end , simply create QUEUE to allow more bandwidth going to Portal X servers,
# Again, if you had used packet marking, then you can use marked pkts & use single queue, more efficient
/queue simple
add max-limit=1G/1G name="portalx_list.torrent queue-1G" target=172.17.17.0/24
add max-limit=1G/1G name=portalx_list-public-ips-1G target=123.123.123.0/24

January 27, 2018

Mikrotik: Schedule script to run in specific day(s) of week only

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 1:48 PM


Scenario:

In mikrotik, we want to execute a script which should run on following days at given time. Monday to Friday , 8am Sounds easy enough! but unfortunately Mikrotik doesn’t provides flexible scheduler like windows which let you select days by just clicking. Therefore we have to create some smart function that calculate current day and pass the variable to action part in the script, which than compare variable with its specific days like mon-fri & if it matches then take action ELSE goto Sleep 🙂

(more…)

January 23, 2018

Manipulating Date Functions in Mikrotik

Filed under: Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 12:12 PM

.

Scenario:

In Mikrotik router , we have a script which is scheduled to run every 5 minutes. It gets in+out bytes for specific interface usage (using firewall counters) and save/add in a file,  when date changes, it simply calculate the total usage and sends report via email to the admin. it’s pretty handy and quick way to get your wan usage with customization. Example of email report via script:

mail for wan total

Problem:

if the script is sending email to the admin about whole day usage at 12:05 am , it will send the current date, whereas the usage is for yesterday. therefore we want to display yesterday day date in the subject. like Current date - 1 day

Solution:

The below script along with separate supporting function script, can manipulate date function in mikrotik. Therefore using this script function we can get yesterday date in our email subject to show correct date.

Surely there must be more simpler methods that I am really unaware of I used this method and it works fine. in Linux date manipulation is way too easy example

TODAY=date -d "yesterday" '+%Y-%m-%d'
But in Mikrotik we dont have such easy functions.

Ok moving forward… We need to make one main function script that can be called by any other script to get the required date manipulation.This will be one time script & will function only if its called from another script.

Script# – For date manipulation function
Name: func_date

# This script is for Mikrotik ROS to manipulate date functions as per requirements , you can modify it as required
# This function script is copied from following mikrotik forum. please see
# https://forum.mikrotik.com/viewtopic.php?f=9&t=127050&p=625209#p625209

# Syed Jahanzaib

:local mdays {31;28;31;30;31;30;31;31;30;31;30;31}
:local months {"jan"=1;"feb"=2;"mar"=3;"apr"=4;"may"=5;"jun"=6;"jul"=7;"aug"=8;"sep"=9;"oct"=10;"nov"=11;"dec"=12}
:local monthr {"jan";"feb";"mar";"apr";"may";"jun";"jul";"aug";"sep";"oct";"nov";"dec"}
:local dd [:tonum [:pick $date 4 6]]
:local yy [:tonum [:pick $date 7 11]]
:local month [:pick $date 0 3]
:local mm (:$months->$month)
:set dd ($dd+$days)
:local dm [:pick $mdays ($mm-1)]
:if ($mm=2 && (($yy&3=0 && ($yy/100*100 != $yy)) || $yy/400*400=$yy) ) do={ :set dm 29 }
:while ($dd>$dm) do={
:set dd ($dd-$dm)
:set mm ($mm+1)
:if ($mm>12) do={
:set mm 1
:set yy ($yy+1)
}
:set dm [:pick $mdays ($mm-1)]
:if ($mm=2 && (($yy&3=0 && ($yy/100*100 != $yy)) || $yy/400*400=$yy) ) do={ :set dm 29 }
};
:local res "$[:pick $monthr ($mm-1)]/"
:if ($dd<10) do={ :set res ($res."0") }
:set $res "$res$dd/$yy"
:return $res

Script#2 – Our script that requires Yesterday Date
Name: test

In this example we will get YESTERDAY date.

# You can change the DAYS (-1) as per your requirements like previous or ahead using +)

:local shiftDate [:parse [/system script get func_date source]]
:local DT ([/system clock get date])
:local LASTDAY [$shiftDate date=$DT days=-1]
:put "TODAY Date = $DT"
:put "YESTERDAY date = $LASTDAY"

DRY RUN!

Now run the test script which will result in yesterday date, as showed below …

[zaib@CCR_GW] > /sys scr run test
# OUTPUT RESULT

TODAY Date = jan/23/2018
YESTERDAY date = jan/22/2018

Now you can use such function in any script as per your own requirements…

Regard’s
Syed Jahanzaib

 

November 8, 2017

TikTik – Script to disconnect hotspot user if its already active in pppoe

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 1:27 PM

its a weird world we live in !

Fix the root cause that is making issue , dont always go for workarounds

WORKAROUND :

Add this in in Hotspot > User Profile > Default > Scripts > On Login)

# Check if this hotspot user is already logged in on PPPOE on same mikrotik, then kick HOTSPOT
:local uname $user;
:local u;
:foreach u in=[/ppp active find name=$user ] do={
:log warning "$user ID is already active in pppoe. Now disconnecting from HotSpot ... Done!"
:foreach i in=[/ip hotspot active find user=$uname] do= {
/ip hotspot active remove numbers=$i;
}
}

123

.

With some modification you can add script in pppoe login profile as well, which will check if user is already active in hotspot then kick pppoe or hs user.

regard’s
J.

October 31, 2017

Mikrotik with Freeradius/mySQL – Auto MAC Binding on 1st Login – Part 4

Filed under: freeradius, Mikrotik Related — Tags: , , , , , — Syed Jahanzaib / Pinochio~:) @ 3:30 PM

mac_auth_radius_mysql

~ Auto Mac Binding via EXEC / PHP in Freeradius 2.x ~
! From the CORE of FREERADIUS !
By
Syed jahanzaib

FREERADIUS WITH MIKROTIK – Part #1

FREERADIUS WITH MIKROTIK – Part #2 

FREERADIUS WITH MIKROTIK – Part #3

FREERADIUS WITH MIKROTIK – Part #4 > You are here 

There are others parts too, look at part-1 for listing, i will update only part-1 listing


Personnel Note:

[At end of this guide I used TRIGGER method to auto insert the mac address of user if there is no mac entry in the radcheck table for his username, Trigger are more efficient method in my opinion.]

This post is just for demonstration purposes. in production environment you should make your own module and add it in proper relevant places. This post contains just minimalist working config to begin with. Make sure to refine it in prd environment.

This is another post about freeradius. My aim is to let people know that creating your own Radius Billing system is not ROCKET SCIENCE. The only thing required is the ultimate passion to achieve the goal & with the proper googling , reading a LOT, understand logic’s, then you can do all on your own. Just wanted to break the image that most of professionals don’t like to share there knowledge. I strongly encourage to read the FR mailing list and Google


OP Requirements:

[ Sort of Wired one 😉 ]

We have a working Freeradius installation. All users can login to mikrotik which verify user account authentication requests via this radius. All working fine. Now OP wants to add Auto MAC binding feature so that when user first time login to NAS, his MAC should auto binds with his account, so next time if he tries to login from another workstation, he must get access denied.


Components used in this guide:

  • Ubuntu 12.4 / x86
  • Freeradius 2.1.10 [Default apt-get installation]
  • MySQL 5.5.47 [Default apt-get installation]

SOLUTION:

To fulfill such weird requirements, we have to use external program example PHP program (via exec) which will be executed when user gets connect successfully. It will then look in RADCHECK table for this specific user MAC address value name “Calling-Station-Id”. If it’s unable to find it, then it will add the entry so that next time user will login his MAC will be verified by the CHECKVAL module in freeradius to match the mac address. If there is mac address entry, it will simply ignore and process further , will also print message that “MAC Entry already found – z@iB”

First enable the CHECKVAL module in following file > /etc/freeradius/sites-enabled/default

nano /etc/freeradius/sites-enabled/default

Search & uncomment the checkval module. Save & Exit.

Now edit EXEC module file by

nano /etc/freeradius/modules/exec

Remove all previous contents (if its lab testing otherwise be careful editing this file) & paste following

exec {
wait = yes
program = "/usr/bin/php /temp/checkmac.php %{User-Name} %{Calling-Station-Id}"
input_pairs = request
}

Save & Exit.

Now create the php program which will be executed by above module.

mkdir /temp
mkdir /temp/checkmac.php
touch /temp/checkmac.php
nano /temp/checkmac.php

and use following to paste make sure to modify relevant details …

>

checkmac.php contents

<?php
// PHP page to check if MAC is not aleady there for the user, then INSERT it for MAC VALIDATION,
// it will add mac for 1st time login user only
// Syed Jahanzaib / aacable at hotmail dot com
// https://aacable . wordpress . com
// 31-OCT-2017

$link = mysql_connect('localhost', 'root', 'MYSQL-ROOT-PASSWORD');
if (!$link) {
die('Could not connect: ' . mysql_error());
}
// Default DB is radius
mysql_select_db('radius');
// Look for MAC entry for this user
$result=mysql_query("select * FROM radcheck WHERE `UserName`='$argv[1]' AND attribute='Calling-Station-Id' order by Username limit 1");
$val = mysql_num_rows($result);
if ($val > 0) {
printf ("MAC Entry already found by ZAiBBBBBBBBBBBBBBBB");
}
else {
printf ("Seems to be New User, adding its MAC address in table ...");
mysql_query("INSERT into radcheck (UserName, Attribute, op, Value) values ('$argv[1]', 'Calling-Station-Id', ':=', '$argv[2]')");
}
?>

TESTING ….

Start FR in debug mode by freeradius -X and try to login with the test ID from your workstation (or use the radtest or ntradping)


rad_recv: Access-Request packet from host 192.168.0.1 port 42449, id=45, length=188
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 15728851
NAS-Port-Type = Ethernet
User-Name = "zaib"
Calling-Station-Id = "0C:84:DC:1E:0B:8D"
Called-Station-Id = "service1"
NAS-Port-Id = "ether10"
MS-CHAP-Challenge = 0x49c4549501e07fad5e6dae708bc815ed
MS-CHAP2-Response = 0x0100acaa712e29adad9abb681c5ef666e69300000000000000003cd5a092d7c816de798b7f5d09acba6f04eeed208cd6c19b
NAS-Identifier = "MIKROTIK"
NAS-IP-Address = 192.168.0.1
# Executing section authorize from file /etc/freeradius/sites-enabled/default
+- entering group authorize {...}
++[preprocess] returns ok
++[chap] returns noop
[mschap] Found MS-CHAP attributes. Setting 'Auth-Type = mschap'
++[mschap] returns ok
++[digest] returns noop
[suffix] No '@' in User-Name = "zaib", looking up realm NULL
[suffix] No such realm "NULL"
++[suffix] returns noop
[eap] No EAP-Message, not doing EAP
++[eap] returns noop
[exec] expand: %{User-Name} -> zaib
[exec] expand: %{Calling-Station-Id} -> 0C:84:DC:1E:0B:8D
Exec-Program output: Seems to be New User, adding its MAC address in table ...
Exec-Program-Wait: plaintext: Seems to be New User, adding its MAC address in table ...
Exec-Program: returned: 0
++[exec] returns ok

As you CAN SEE

“Exec-Program output: Seems to be New User, adding its MAC address in table …”

Now see the difference …

RADCHECK TABLE, Before Login …

1- before login

RADCHECK TABLE, After Login …

2- after login ok

When user will login again, radcheck table will be searched, if the mac found it will simply skip the add part and print the statement

[exec] expand: %{User-Name} -> zaib
[exec] expand: %{Calling-Station-Id} -> 0C:84:DC:1E:0B:8D
Exec-Program output: MAC Entry already found
Exec-Program-Wait: plaintext: MAC Entry already found
Exec-Program: returned: 0
++[exec] returns ok

& If the user will login from any other mac/workstation, he will be denied access.


Method #2
Trigger approach to add MAC address
🙂 ~ ZAIB

Use following TRIGGER on radacct table. It will add the MAC address for the user in RADCHECK table. (or you can modify it as well)

--
-- Triggers `radacct`
--
DELIMITER $$
CREATE TRIGGER `chk_mac_after_insert` AFTER INSERT ON `radacct` FOR EACH ROW BEGIN
SET @mac = (SELECT count(*) from radcheck where username=New.username and attribute='Calling-Station-ID');
IF (@mac = 0) THEN
INSERT into radcheck (username,attribute,op,value) values (NEW.username,'Calling-Station-ID',':=',NEW.callingstationid);
UPDATE users SET mac = NEW.callingstationid where username = NEW.username;
END IF;
END
$$
DELIMITER ;

trigger for mac add.JPG


Regard’s
Syed Jahanzaib ~

October 19, 2017

Prevent Mikrotik from Chocking with Cisco Inter-Vlan Routing

Filed under: Cisco Related, Mikrotik Related — Tags: , , — Syed Jahanzaib / Pinochio~:) @ 4:50 PM

overload

Disclaimer:
I donot have professional level expertise with the mikrotik & specially Cisco. It’s just personnel R&D that sometimes leads me to a working solution. After posting on the internet, I got some clues & Alhamdoillah it worked !


Scenario: [example]

OP have mini ISP setup. Different areas are connected with Cisco 3750 switch where Vlan(s) for each port is configured. Trunk port is connected with Mikrotik Routerboard where vlan interfaces are configured accordingly. DHCP for each VLAN is configured on the Mikrotik RB which provides different subnet to each vlan with default gateway pointing to each VLAN IP.

PPPoE Server is configured on the RB to facilitate ppp dialing for each vlan. As per policy, user must dial pppoe dialer to connect with the mikrotik PPP server in order to access internet.


Problem:

OP have few media sharing server located on Vlan No 3. When user starts downloading heavy media files from the Vlan No 3, all of his traffic routes via Mikrotik Router which creates load on router.


Solution # 1: [that worked partially]

After some R&D, I implemented following

  • Moved DHCP role to Cisco
  • Setup intervlan routing. enabled ip routing
  • Added default gateway in DHCP options pointing to Cisco local vlan ip respectively

This partially solves the problem. When user join the LAN, he gets IP address from the Cisco dhcp with default gateway to its respective vlan IP. all goes well , communication was happening fine with in vlan without touching the Mikrotik. But as soon as users dial the PPPOE dialer, his traffic starts routing via Mikrotik . after some troubleshooting it appears that when user dials pppoe dialer, his routes changes and ppp gets preference over other routes which force all traffic to go via RB.

As showed in the image below …

Load on Trunk Port when ppp user download from vlan no 3

 

routes and ipconfig of client before dhcp option


Solution # 2: [worked 100% as required]

In Cisco Switch DHCP settings for each vlan, Remove Default Gateway,  and add static routes for the sharing media servers subnet via using DHCP classless static routes option

Sounds fair enough :~)


Working Example Config for Cisco Switch 3750

# Cisco Switch Part

[Model: ws-c3750e-24pd / Version 15.0(2)SE10a ]


!
system mtu routing 1500
ip routing
!
ip dhcp pool vlan2
network 192.168.2.0 255.255.255.0
dns-server 101.11.11.36
option 121 ip 24.192.168.3 192.168.2.1 ## This option provides route information , /24.x is the subnet info and other is gw
!
ip dhcp pool vlan3
network 192.168.3.0 255.255.255.0 ## This is media server vlan, we have added manual ip & gateway pointing to vlan ip 192.168.3.0
! to add multiple routes use below
! option 121 ip 24.192.168.3 192.168.2.1 24.192.168.100 192.168.2.1
!
ip dhcp pool vlan4
network 192.168.4.0 255.255.255.0
option 121 ip 24.192.168.3 192.168.4.1 ## This option provides route information , /24.x is the subnet info and other is gw
!

! This port is connected with the Mikrotik RB
interface GigabitEthernet1/0/1
switchport trunk encapsulation dot1q
switchport mode trunk

! This port is connected with user area 2
interface GigabitEthernet1/0/2
switchport access vlan 2
switchport mode access

! This port is connected with local FTP/Media sharing server's
interface GigabitEthernet1/0/3
switchport access vlan 3
switchport mode access

!This port is connected with user area 4
interface GigabitEthernet1/0/4
switchport access vlan 4
switchport mode access
!
interface Vlan1
ip address 192.168.254.1 255.255.255.0
!
interface Vlan2
ip address 192.168.2.1 255.255.255.0
!
interface Vlan3
ip address 192.168.3.1 255.255.255.0
!
interface Vlan4
ip address 192.168.4.1 255.255.255.0
! Following route is pointing to Mikrotik RB
ip route 0.0.0.0 0.0.0.0 192.168.254.2
!

# Mikrotik Routerboard Part


/interface ethernet

set [ find default-name=ether1 ] name=LAN-TRUNK

/interface vlan
add interface=LAN-TRUNK name=vlan2 vlan-id=2
add interface=LAN-TRUNK name=vlan3 vlan-id=3
add interface=LAN-TRUNK name=vlan4 vlan-id=4

# It is recommended to use small subnet, like /29 for below (zaib)
/ip address
add address=192.168.254.2/24 interface=LAN-TRUNK network=192.168.254.0

/interface pppoe-server server
add default-profile=pppoe-profile disabled=no interface=vlan2 max-mru=1480 max-mtu=1480 mrru=1600 one-session-per-host=yes service-name=service2
add default-profile=pppoe-profile disabled=no interface=vlan3 max-mru=1480 max-mtu=1480 mrru=1600 one-session-per-host=yes service-name=service3
add default-profile=pppoe-profile disabled=no interface=vlan4 max-mru=1480 max-mtu=1480 mrru=1600 one-session-per-host=yes service-name=service4

# FTP / Media Sharing Server Part

at your FTP server, which is under vlan no 3, define static ip like 192.168.3.2 and point its gateway to 192.168.3.1, That’s It 🙂

Results are showed as below …

 

client ROUTEs and ipconfig AFTER DHCP OPTIOIN

 

download gpoign via vlan only after addding dhcp option

 

no load on mikrotik router and local vlan download going via local vlan

 


 

Note:

I have posted minimalist configuration to reduce any complication. Most of parts are quite self explanatory. This exercise was done successfully in LAB & required results were achieved. However you must consult with some Cisco expert & conduct your own testing  before implementing it on production.

Also you may want to use ACL in order to restrict access to shared resources, YKWIM


Regard’s
Syed Jahanzaib

 

October 16, 2017

Restart ppp dialer if getting ‘Private IP’

Filed under: Mikrotik Related — Tags: — Syed Jahanzaib / Pinochio~:) @ 3:42 PM

Reference Post:

Following is short script to reconnect PPPoE dialer if it receives any private IP from the ISP including 10.x.x.x / 172.x.x.x & 192.x.x.x series.

reconnect-with-spouse


# Script to find if wan link have private ip and act accordingly,
# Tested with Mikrotik ROS 5.x & 6.x versions
# 19-APR-2016 / Syed Jahanzaib

# Set your WAN Interface name , i have added pppoe-out1 , change it as required
:local WANINTERFACE
:set WANINTERFACE pppoe-out1

# Find Public IP from pppoe-out1 interface & cut subnet
:local WANIP [/ip address get [find where interface=$WANINTERFACE] address];
:set WANIP [:pick $WANIP 0 ([:len $WANIP]-3) ];

# Match if IP address starts with private address 10.*
:if ($WANIP ~"^[0-9 ]*10") do={
:log warning "Private ip address found !!!"
# Set your action here , like Re-Connect the pppoe-link
# /interface pppoe-client disable pppoe-out-1
# :delay 3
# /interface pppoe-client enable pppoe-out-1
} else={

# Match if IP address starts with private address 172.*
:if ($WANIP ~"^[0-9 ]*172") do={
:log warning "Private ip address found !!!"
# Set your action here , like Re-Connect the pppoe-link
# /interface pppoe-client disable pppoe-out-1
# :delay 3
# /interface pppoe-client enable pppoe-out-1
} else={

# Match if IP address starts with private address 192.*
:if ($WANIP ~"^[0-9 ]*192") do={
:log warning "Private ip address found !!!"
# Set your action here , like Re-Connect the pppoe-link
# /interface pppoe-client disable pppoe-out-1
# :delay 3
# /interface pppoe-client enable pppoe-out-1
} else={

# If above statement do not match, then consider it a public ip and take no action, just log : ~ )
:log warning "Public IP - $WANIP - Found, OK ! No action required"
# OR Set your desire action here if required
}
}
}
# Script Ends Here ...


Reference: https://forum.mikrotik.com/viewtopic.php?t=107231

Regard’s
Syed Jahanzaib

July 26, 2017

Mikrotik script to monitor any host with optional SMS/Email alert

Filed under: Mikrotik Related — Syed Jahanzaib / Pinochio~:) @ 2:04 PM

Note to Self:

Following is a simple script for Mikrotik RouterOS to monitor any device by PING & upon status change like Donw/UP, it can take action like sending SMS/Email alert, change routes , interface etc. It is customized according to local OP requirements on demand. You can modify at , add remove any option as per taste. There are lot of good working scripts available on the internet. Just try not to blindly copy paste any one else script. Read it few times until you understand clearly what its made for & what functions it will perform. I have added some comments for the clarity.

Script??? Why use Script ?

Why use such complicated scripts while you can do this easily with builtin net-watch or windows base applications like the Dude, or Nix base Nagios, and so many other tools? the answer is simple, using script you have more Power, more control, more maneuverability , customized ,bizarre and strange actions you can add. Above all, Learning & feeling of Power you have over the system 🙂 this alone justify for me to use scripting 🙂

Thank you
~Syed Jahanzaib~


Script Output Examples:

When Device is DOWN …

1- deviec down

.

When Device is UP (restored) …

2- deviec up

.

Example of SMS received:

2017-07-26 13.44.01


the Script !


# This is Mikrotik Script for Local Device Link monitoring by IP
# - with Optional SMS Alert. We are using local Linux base KANNEL
# You can modify it to add EMAIL alerts as well using GMAIL or local Mail Gw.
# system as SMS gateway with local modem attached
# Script By Syed Jahanzaib / # https://aacable.wordpress.com
# Email : aacable at hotmail dot com
# Script Last Modified : 26-July-2017

# Set Device IP here
:local DEVICE1host1 "192.168.0.1"
# Dont use SPACEC Here, because our KANNEL system dont like spaces, use + sign instead
:local DEVNAME "MY_HOST"
:global DEVICE1LanStatus;
:global DEVICE1LanLastChange;

#:log warning "Checking status of Device $DEVICE1host1 by ping ..."
:local DELAY "3s"
:local i 0;
:local F 0;
:local date;
:local time;
:set date [/system clock get date];
:set time [/system clock get time];
# Setting Date Time variables
:local sub1 ([/system identity get name])
:local sub2 ([/system clock get date])
:local sub3 ([/system clock get time])

# Company Name, Dont use SPACEC Here, because our KANNEL system dont liek spaces, use + sign instead
:local COMPANY "ZABBO"

# Number of Ping Count, how many times mikrotik should ping the target device
:local PINGCOUNT "5"
# Ping threshold
:local PINGTS "5"

# Provide details of Kannel SMS gateway, ID pass, and cell numbers on which sms is required
:local KURL "http://KANNEL-GW-IP-OR-NAME:13013/cgi-bin/sendsms"
:local KID "kannel"
:local KPASS "KANNELPASS"
:local cell1 "03333021909"

# Mail Alert information
:local ADMINMAIL1 "your_to_email@foo.com"

# SMS Msg format for Kannel SMS gateway (donot use spaces in it)
:local MSGDOWNSMS "$COMPANY+ALERT:%0A$DEVNAME%0A$DEVICE1host1+is+now+DOWN."
:local MSGUPSMS "$COMPANY+INFO:%0A$DEVNAME%0A$DEVICE1host1+is+now+UP."

# LOG error
:local DOWNLOG1 "$COMPANY ALERT: $DEVNAME with IP $DEVICE1host1 is now DOWN @ $sub1 $sub2 $sub3..."
:local UPLOG1 "$COMPANY INFO: $DEVNAME with IP $DEVICE1host1 is now UP @ $sub1 $sub2 $sub3 ..."

# Start the SCRIPT
# DONOT EDIT BELOW

# If Script is running for the first time , consider target device UP,
# Just to avoid any errors in the script dueto empty variable.
:if ([:len $DEVICE1LanStatus] = 0) do={
:set DEVICE1LanStatus "UP";
}

# PING each host $PINGCOUNT times
# IF NOT A SINGLE PING SUCCESSFULL THEN CONSIDER LINK DOWN ## ZAIB
:for i from=1 to=$PINGCOUNT do={
if ([/ping $DEVICE1host1 count=1]=0) do={:set F ($F + 1)}
:delay 1;
};

# If no response (all ping counts fails for both hosts, Time out, then LOG down status and take action
:if (($F=$PINGTS)) do={
:if (($DEVICE1LanStatus="UP")) do={

# If the link is down, then LOG warning in Mikrotik LOG window [Zaib]
:log error "$DOWNLOG1";
:set DEVICE1LanStatus "DOWN";
# Also add status in global variables to be used as tracking
:set date [/system clock get date];
:set time [/system clock get time];
:set DEVICE1LanLastChange ($time . " " . $date);
# Send SMS via KANNEL for DOWN Status
:log warning "Sending EMAIL/SMS for DOWN status of $DEVNAME $DEVICE1host1 ..."
#/tool fetch url="$KURL\?username=$KID&password=$KPASS&to=$cell1&text=$MSGDOWNSMS"
/tool e-mail send to=$ADMINMAIL1 subject="$COMPANY ALERT: $DEVNAME $DEVICE1host1 is now DOWN @ $sub3 $sub2 $sub1" start-tls=yes
#/interface sfp1 disable;
#:delay $DELAY
#/interface sfp1 enable;

######################
# ADD YOUR CUSTOMIZED ACTION HERE LIKE CHANGE ROUTE OR DISABL/ENABLE ANY THING
######################
# If ping reply received, then LOG UP and take action as required
} else={:set DEVICE1LanStatus "DOWN";}
} else={
:if (($DEVICE1LanStatus="DOWN")) do={
# If link is UP, then LOG info and warning in Mikrotik LOG window [Zaib]
:log warning "$UPLOG1"
:set DEVICE1LanStatus "UP";

# Send SMS via KANNEL for UP Status
:set date [/system clock get date];
:set time [/system clock get time];
:set DEVICE1LanLastChange ($time . " " . $date);
:log warning "Sending EMAIL/SMS for UP status of $DEVNAME $DEVICE1host1 ..."
#/tool fetch url="$KURL\?username=$KID&password=$KPASS&to=$cell1&text=$MSGUPSMS"
/tool e-mail send to=$ADMINMAIL1 subject="$COMPANY INFO: $DEVNAME $DEVICE1host1 is now UP @ $sub3 $sub2 $sub1" start-tls=yes
# ADD YOUR CUSTOMIZED ACTION HERE LIKE CHANGE ROUTE OR DISABL/ENABLE ANY THING LIKE
#/interface sfp1 disable;
#:delay $DELAY
#/interface sfp1 enable;
} else={:set DEVICE1LanStatus "UP";}
}
# Script ends here ...

June 7, 2017

Blocking WhatsApp in Mikrotik

Filed under: Mikrotik Related — Tags: , , , — Syed Jahanzaib / Pinochio~:) @ 1:14 PM

block whatsapp image.PNG

Updates: This guide may no longer work as whatsapp have moved there ip pool to facebook pool. as stated here.

(You may still be able to block the whatsapp by using script to catch only whatsapp related ip’s which may take some time to catch all the related ip’s but maybe some other contents will be blocked as well. you need to do deep inspection in this regard. I am not removing this post just for reference purposes)

Dear partners,
Please note that we have migrated the latest IP pools of WhatsApp to Facebook Mobile Partner Portal. Feel free to browse to the Settings page of the portal and download the latest WhatsApp IP pool: https://fb.me/mpp_support
Further IP pool updates are also done through the portal and are no longer distributed via email or through WhatsApp web site.
If you have not yet registered on the Mobile Partner Portal or have difficulties accessing it – please request access through the following form and we’ll be happy to assist: https://fb.me/mpp_access
For any technical requests please contact us through the Support section of the portal: https://fb.me/mpp_support
WhatsApp team


In order to block WhatsAPP application in Mikrotik I used WhatsAPP provided address list [167 IPV4 addresses as of June,2017] in order to block the app. [there are already many guides on internet, but I used old school method to block this app & got success!]. Please beware that if user uses vpn, then this restriction will not be effective.

I am sharing two methods to achieve the same target. There is also another method in which you forcefully divert users dns traffic to your mikrotik dns and use script to fetch ip addresses associated with any URL having whatsapp in it, but I am not discussing it here at a moment.

You can also automate this task by fetching the list from whatsapp directly and import it in address list , so that you can always have updated whatsapp servers list. Although the list doesn’t update very frequently but still its good idea to automate it with scheduler.


Method #1 – Download list & import to address list along with firewall block rule

 

1- Download whatsapp IP (CIDR) list from

https://www.whatsapp.com/cidr.txt

Save it as  cidr.txt

Note: If you dont have ipv6 , then open this file and remove all the IPV6 addressess or else you will see below error while importing 

ipv6 error

 

2- Upload this cidr.txt file to Mikrotik FILES section.

[if you use fetch method to download file directly to mikrotik, then you dont need to upload file manualy, but I used this method because most local networks are running on ipv4, so I had to remove ipv6 entries first in order to import list)

cidr

 

3- Import the file contents (which includes ip addresses) using following script. you can simply copy paste it. make sure file name is correct in it.

{
:local content [/file get [/file find name=cidr.txt] contents]
:local contentLen [:len $content]
:local lineEnd 0
:local line ""
:local lastEnd 0
:while ($lineEnd < $contentLen) do={
:set lineEnd [:find $content "\r\n" $lastEnd]
:if ([:len $lineEnd] = 0) do={
:set lineEnd $contentLen
}
:set line [:pick $content $lastEnd $lineEnd]
:set lastEnd ($lineEnd + 2)
/ip firewall address-list add list="whatsapp_list" address=$line
}
}

If successfull , you will see address list as below [currently 167 entries] …

whtsapp address list

4- Create Firewall Filter rule to block requests going to whatsapp_list 

/ip firewall filter
add action=drop chain=forward comment="Block Whatsapp address list - zaib" disabled=yes dst-address-list=whatsapp_list

Result!

block whatapp result

Done!







Method #2 – Copy Paste Method with ipV4 package only.

Open Terminal & copy paste following code. It will add address list name ‘whatsapp_list’ along with firewall rule to block requests going to this list.

/ip firewall address-list
add address=31.13.64.51 list=whatsapp_list
add address=31.13.65.49 list=whatsapp_list
add address=31.13.66.49 list=whatsapp_list
add address=31.13.68.52 list=whatsapp_list
add address=31.13.69.240 list=whatsapp_list
add address=31.13.70.49 list=whatsapp_list
add address=31.13.71.49 list=whatsapp_list
add address=31.13.72.52 list=whatsapp_list
add address=31.13.73.49 list=whatsapp_list
add address=31.13.74.49 list=whatsapp_list
add address=31.13.75.52 list=whatsapp_list
add address=31.13.76.81 list=whatsapp_list
add address=31.13.77.49 list=whatsapp_list
add address=31.13.78.53 list=whatsapp_list
add address=31.13.80.53 list=whatsapp_list
add address=31.13.81.53 list=whatsapp_list
add address=31.13.82.51 list=whatsapp_list
add address=31.13.83.51 list=whatsapp_list
add address=31.13.84.51 list=whatsapp_list
add address=31.13.85.51 list=whatsapp_list
add address=31.13.86.51 list=whatsapp_list
add address=31.13.87.51 list=whatsapp_list
add address=31.13.88.49 list=whatsapp_list
add address=31.13.90.51 list=whatsapp_list
add address=31.13.91.51 list=whatsapp_list
add address=31.13.92.52 list=whatsapp_list
add address=31.13.93.51 list=whatsapp_list
add address=31.13.94.52 list=whatsapp_list
add address=31.13.95.63 list=whatsapp_list
add address=50.22.198.204/30 list=whatsapp_list
add address=50.22.210.32/30 list=whatsapp_list
add address=50.22.210.128/27 list=whatsapp_list
add address=50.22.225.64/27 list=whatsapp_list
add address=50.22.235.248/30 list=whatsapp_list
add address=50.22.240.160/27 list=whatsapp_list
add address=50.23.90.128/27 list=whatsapp_list
add address=50.97.57.128/27 list=whatsapp_list
add address=75.126.39.32/27 list=whatsapp_list
add address=108.168.174.0/27 list=whatsapp_list
add address=108.168.176.192/26 list=whatsapp_list
add address=108.168.177.0/27 list=whatsapp_list
add address=108.168.180.96/27 list=whatsapp_list
add address=108.168.254.65 list=whatsapp_list
add address=108.168.255.224 list=whatsapp_list
add address=108.168.255.227 list=whatsapp_list
add address=157.240.0.53 list=whatsapp_list
add address=157.240.1.53 list=whatsapp_list
add address=157.240.2.53 list=whatsapp_list
add address=157.240.3.53 list=whatsapp_list
add address=157.240.6.53 list=whatsapp_list
add address=157.240.7.54 list=whatsapp_list
add address=157.240.8.53 list=whatsapp_list
add address=157.240.9.53 list=whatsapp_list
add address=157.240.10.53 list=whatsapp_list
add address=157.240.11.53 list=whatsapp_list
add address=157.240.12.53 list=whatsapp_list
add address=157.240.13.54 list=whatsapp_list
add address=158.85.0.96/27 list=whatsapp_list
add address=158.85.5.192/27 list=whatsapp_list
add address=158.85.46.128/27 list=whatsapp_list
add address=158.85.48.224/27 list=whatsapp_list
add address=158.85.58.0/25 list=whatsapp_list
add address=158.85.61.192/27 list=whatsapp_list
add address=158.85.224.160/27 list=whatsapp_list
add address=158.85.233.32/27 list=whatsapp_list
add address=158.85.249.128/27 list=whatsapp_list
add address=158.85.254.64/27 list=whatsapp_list
add address=169.44.23.192/27 list=whatsapp_list
add address=169.44.36.0/25 list=whatsapp_list
add address=169.44.57.64/27 list=whatsapp_list
add address=169.44.58.64/27 list=whatsapp_list
add address=169.44.80.0/26 list=whatsapp_list
add address=169.44.82.96/27 list=whatsapp_list
add address=169.44.82.128/27 list=whatsapp_list
add address=169.44.82.192/26 list=whatsapp_list
add address=169.44.83.0/26 list=whatsapp_list
add address=169.44.83.96/27 list=whatsapp_list
add address=169.44.83.128/27 list=whatsapp_list
add address=169.44.83.192/26 list=whatsapp_list
add address=169.44.84.0/24 list=whatsapp_list
add address=169.44.85.64/27 list=whatsapp_list
add address=169.44.87.160/27 list=whatsapp_list
add address=169.44.167.0/27 list=whatsapp_list
add address=169.45.71.32/27 list=whatsapp_list
add address=169.45.71.96/27 list=whatsapp_list
add address=169.45.87.128/26 list=whatsapp_list
add address=169.45.169.192/27 list=whatsapp_list
add address=169.45.182.96/27 list=whatsapp_list
add address=169.45.210.64/27 list=whatsapp_list
add address=169.45.214.224/27 list=whatsapp_list
add address=169.45.219.224/27 list=whatsapp_list
add address=169.45.237.192/27 list=whatsapp_list
add address=169.45.238.32/27 list=whatsapp_list
add address=169.45.248.96/27 list=whatsapp_list
add address=169.45.248.160/27 list=whatsapp_list
add address=169.46.52.224/27 list=whatsapp_list
add address=169.46.111.144/28 list=whatsapp_list
add address=169.47.5.192/26 list=whatsapp_list
add address=169.47.6.64/27 list=whatsapp_list
add address=169.47.33.128/27 list=whatsapp_list
add address=169.47.35.32/27 list=whatsapp_list
add address=169.47.37.128/27 list=whatsapp_list
add address=169.47.40.128/27 list=whatsapp_list
add address=169.47.42.96/27 list=whatsapp_list
add address=169.47.42.160/27 list=whatsapp_list
add address=169.47.42.192/26 list=whatsapp_list
add address=169.47.47.160/27 list=whatsapp_list
add address=169.47.130.96/27 list=whatsapp_list
add address=169.47.192.192/27 list=whatsapp_list
add address=169.47.194.128/27 list=whatsapp_list
add address=169.47.198.128/27 list=whatsapp_list
add address=169.47.212.160/27 list=whatsapp_list
add address=169.53.29.128/27 list=whatsapp_list
add address=169.53.48.32/27 list=whatsapp_list
add address=169.53.71.224/27 list=whatsapp_list
add address=169.53.81.64/27 list=whatsapp_list
add address=169.53.250.128/26 list=whatsapp_list
add address=169.53.252.64/27 list=whatsapp_list
add address=169.53.255.64/27 list=whatsapp_list
add address=169.54.2.160/27 list=whatsapp_list
add address=169.54.44.224/27 list=whatsapp_list
add address=169.54.51.32/27 list=whatsapp_list
add address=169.54.55.192/27 list=whatsapp_list
add address=169.54.193.160/27 list=whatsapp_list
add address=169.54.210.0/27 list=whatsapp_list
add address=169.54.222.128/27 list=whatsapp_list
add address=169.55.67.224/27 list=whatsapp_list
add address=169.55.69.128/26 list=whatsapp_list
add address=169.55.74.32/27 list=whatsapp_list
add address=169.55.75.96/27 list=whatsapp_list
add address=169.55.100.160/27 list=whatsapp_list
add address=169.55.126.64/26 list=whatsapp_list
add address=169.55.210.96/27 list=whatsapp_list
add address=169.55.235.160/27 list=whatsapp_list
add address=173.192.162.32/27 list=whatsapp_list
add address=173.192.219.128/27 list=whatsapp_list
add address=173.192.222.160/27 list=whatsapp_list
add address=173.192.231.32/27 list=whatsapp_list
add address=173.193.205.0/27 list=whatsapp_list
add address=173.193.230.96/27 list=whatsapp_list
add address=173.193.230.128/27 list=whatsapp_list
add address=173.193.230.192/27 list=whatsapp_list
add address=173.193.239.0/27 list=whatsapp_list
add address=174.36.208.128/27 list=whatsapp_list
add address=174.36.210.32/27 list=whatsapp_list
add address=174.36.251.192/27 list=whatsapp_list
add address=174.37.199.192/27 list=whatsapp_list
add address=174.37.217.64/27 list=whatsapp_list
add address=174.37.243.64/27 list=whatsapp_list
add address=174.37.251.0/27 list=whatsapp_list
add address=179.60.192.51 list=whatsapp_list
add address=179.60.195.51 list=whatsapp_list
add address=184.173.136.64/27 list=whatsapp_list
add address=184.173.147.32/27 list=whatsapp_list
add address=184.173.161.64 list=whatsapp_list
add address=184.173.173.116 list=whatsapp_list
add address=184.173.179.32/27 list=whatsapp_list
add address=185.60.216.53 list=whatsapp_list
add address=185.60.218.53 list=whatsapp_list
add address=185.60.219.53 list=whatsapp_list
add address=192.155.212.192/27 list=whatsapp_list
add address=198.11.193.182/31 list=whatsapp_list
add address=198.11.251.32/27 list=whatsapp_list
add address=198.23.80.0/27 list=whatsapp_list
add address=208.43.115.192/27 list=whatsapp_list
add address=208.43.117.79 list=whatsapp_list
add address=208.43.122.128/27 list=whatsapp_list
# Adding firewall rule to block whatsapp address list.
/ip firewall filter
add action=drop chain=forward comment="Block Whatsapp address list" dst-address-list=whatsapp_list

Result:

block whatapp result


Regard’s
Syed Jahanzaib

Older Posts »

%d bloggers like this: