FREERADIUS WITH MIKROTIK – Part #9 – Restrict user auth from allowed VLAN/Service Type only

FREERADIUS WITH MIKROTIK – Part #1 – General Tip’s>

Disclaimer:
This solution was designed for some specific situation described below. Surely there might be better ways, but sometimes dueto my laziness & dumbness, I select whichever gives required results. You may fine tune it, or modify it as required. I always recommends to read the FR mailing list for any query.

It’s a weird world we live in.
EVERY HUMAN BEING IS BORN FREE BUT YET EVERYWHERE HE IS IN CHAINS … ~

Syed Jahanzaib ~

---

Scenario:

OP have single Mikrotik CCR as NAS (pppoe server) and Freeradius as billing system. VLAN(s) are configured on Cisco switch for each reseller/dealer area with proper Trunking configured from SW to CCR. OP have few reseller/franchise managers, like Dealer-A, Dealer-B. They can create there own users in freeradius using customized fronted designed in php. All dealers can view/add/edit there own users only.

Sometimes it happens that Dealer-A creates User-ID and provide it to a user/friend who is sitting in Dealer-B network, therefore from Billing perspective its a Loss for Dealer-B.

---

Requirement:

To prevent users roaming. Every user must be allowed to connect from there respective dealer network Only. [That is ‘allowed-vlan]. User’s MAC address validation is also in place but we know that mac can be cloned easily.

---

Solution:

We have a user table which contains a column vlanid. We will add a SQL IF statement which will check the the connecting user NAS-Port-Id & match it with users allowed vlanid in the user’s table.

Users Table Example:

mysql> describe users;
+-------------------+--------------+------+-----+-------------------+-----------------------------+
| Field | Type | Null | Key | Default | Extra |
+-------------------+--------------+------+-----+-------------------+-----------------------------+
| id | int(10) | NO | PRI | NULL | auto_increment |
| username | varchar(128) | NO | UNI | NULL | |
| password | varchar(32) | NO | | NULL | |
| firstname | text | NO | | NULL | |
| lastname | text | NO | | NULL | |
| email | text | NO | | NULL | |
| mobile | text | NO | | NULL | |
| cnic | text | NO | | NULL | |
| srvname | text | NO | | NULL | |
| srvid | int(3) | NO | | NULL | |
| expiration | date | YES | | NULL | |
| mac | varchar(30) | NO | | NULL | |
| bwpkg | varchar(256) | NO | | NULL | |
| pool | varchar(128) | YES | | other | |
| is_enabled | int(1) | NO | | NULL | |
| is_days_expired | int(1) | NO | | NULL | |
| is_qt_expired | int(1) | NO | | NULL | |
| is_uptime_expired | int(1) | NO | | NULL | |
| qt_total | varchar(32) | NO | | NULL | |
| qt_used | varchar(20) | NO | | NULL | |
| uptime_limit | varchar(20) | NO | | NULL | |
| uptime_used | varchar(32) | NO | | NULL | |
| owner | text | NO | | NULL | |
| vlanid | varchar(32) | NO | | NULL | |
| createdon | timestamp | NO | | CURRENT_TIMESTAMP | on update CURRENT_TIMESTAMP |
+-------------------+--------------+------+-----+-------------------+-----------------------------+

mysql> select * from users;
+----+----------+----------+----------------+---------------+---------------------+-------------+-------------------+---------+-------+------------+-------------------+-------------+----------------------+------------+-----------------+---------------+-------------------+----------+---------+--------------+-------------+--------+-------------+---------------------+
| id | username | password | firstname | lastname | email | mobile | cnic | srvname | srvid | expiration | mac | bwpkg | pool | is_enabled | is_days_expired | is_qt_expired | is_uptime_expired | qt_total | qt_used | uptime_limit | uptime_used | owner | vlanid | createdon |
+----+----------+----------+----------------+---------------+---------------------+-------------+-------------------+---------+-------+------------+-------------------+-------------+----------------------+------------+-----------------+---------------+-------------------+----------+---------+--------------+-------------+--------+-------------+---------------------+
| 1 | zaib | zaib | OK | jahanzaib | aacableAThotmail.com | 03333021909 | 1234567890-1-1 | | 0 | 2018-01-04 | 00:0C:29:B9:D8:A0 | 1024k/1024k | public-pool | 1 | 0 | 0 | 0 | 300 | 38980 | | | manager1 | ether1-LAN | 2018-01-17 16:45:05 |

Now we will add the SQL IF statement that will actually check every incoming Authentication request for matching vlan with users table.

Edit Default Sites-Enabled file,

nano /etc/freeradius/sites-enabled/default

& paste following in `Authorize` Section

if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
update reply {
Reply-Message = 'Error: You are not allowed to connect form this VLAN !'
}
update control {
Auth-Type := "Reject"
}
}

Save & Exit.

Now reload Freeradius in Debug Mode (by freeradius -X) & monitor the debugging.

If user will connect from another vlan which does not matches the vlanid in user’s table he will get denied with the message.

Note: For testing purposes . I have added dummy entry in user’s vlanid.

rad_recv: Access-Request packet from host 101.11.11.253 port 34175, id=11, length=119
Service-Type = Framed-User
Framed-Protocol = PPP
NAS-Port = 14
NAS-Port-Type = Ethernet
User-Name = "zaib"
Calling-Station-Id = "00:0C:29:B9:D8:A0"
Called-Station-Id = "testppp"
NAS-Port-Id = "ether1-LAN"  # <  select vlanid from users where username = 'zaib'
rlm_sql (sql): Reserving sql socket id: 29
sql_xlat finished
rlm_sql (sql): Released sql socket id: 29
expand: %{sql: select vlanid from users where username = '%{User-Name}'} -> ether1-LAN-DUMMY
expand: %{NAS-Port-Id} -> ether1-LAN
? Evaluating ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") -> TRUE
++? if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") -> TRUE
++if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
+++update reply {
+++} # update reply = noop
+++update control {
+++} # update control = noop
++} # if ("%{sql: select vlanid from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") = noop

Sending delayed reject for request 0
Sending Access-Reject of id 11 to 101.11.11.253 port 34175

# Meaningful Reply Message by zaib
Reply-Message = "Error: You are not allowed to connect form this VLAN !"

Waking up in 4.9 seconds.
Cleaning up request 0 ID 11 with timestamp +31
Ready to process requests.

& if the users request matches , he will be granted access (off course after all other checks):)

---

2# Limit login by Service Type like PPTP only or PPPoE only

Just to share logic, may be incorrect but In Mikrotik I see following

• PPPoE > NAS-Port-Type = Ethernet
• PPTP  > NAS-Port-Type = Virtual

Now using users table where information is stored, you can then create query to match if user is using the allowed service type.

Users table example:

mysql> describe users;
+----------+-------------+------+-----+---------+----------------+
| Field    | Type        | Null | Key | Default | Extra          |
+----------+-------------+------+-----+---------+----------------+
| id       | int(10)     | NO   | PRI | NULL    | auto_increment |
| username | varchar(64) | NO   |     | NULL    |                |
| srvtype  | varchar(16) | NO   |     | NULL    |                |
+----------+-------------+------+-----+---------+----------------+
3 rows in set (0.00 sec)

</div>
<div>

mysql> select * from users;
# this type will allow pppoe only
+----+----------+----------+
| id | username | srvtype  |
+----+----------+----------+
|  1 | zaib     | Ethernet |
+----+----------+----------+
1 row in set (0.00 sec)

</div>
<div>

Now edit /etc/freeradius/sites-enabled/default & paste following in `Authorize` Section [look for correct syntax & braces if required]

if ("%{sql: select from users where username = '%{User-Name}'}" != "%{NAS-Port-Id}") {
update reply {
Reply-Message = 'Error: You are not allowed to connect form this VLAN !'
}
update control {
Auth-Type := "Reject"
}
}

Now try to connect to users from different type service

(9)   } # if ("%{sql: select srvtype from users where username = '%{User-Name}'}" != "%{NAS-Port-Type}")  = noop
(9)   Reply-Message = "Error: You are not allowed to connect using this service type !"
(9) Found Auth-Type = Reject
(9) Auth-Type = Reject, rejecting user
(9) Failed to authenticate the user

 

---

---

 

Howto create Windows 7 PPPoE Dialer Installer Package using Auto-iT !

PPPoE Dialer Package Sample

THIS IS SOME OLD CODE AND MAY NOT WORK PROPERLY NOW. KINDLY LOOK FOR SOME OTHER SOLUTION. JUST READ IT FOR INFORMATION PURPOSE ONLY BUT IT WILL NOT SERVE ANY GOOD TO YOU I GUESS

THIS IS SOME OLD CODE AND MAY NOT WORK PROPERLY NOW. KINDLY LOOK FOR SOME OTHER SOLUTION. JUST READ IT FOR INFORMATION PURPOSE ONLY BUT IT WILL NOT SERVE ANY GOOD TO YOU I GUESS

THIS IS SOME OLD CODE AND MAY NOT WORK PROPERLY NOW. KINDLY LOOK FOR SOME OTHER SOLUTION. JUST READ IT FOR INFORMATION PURPOSE ONLY BUT IT WILL NOT SERVE ANY GOOD TO YOU I GUESS

 

Following is a guide on howto to create Windows 7 PPPoE DIALER Installer Package.  It is based on same principles as my previous Winxp PPPoE Dialer Script.

Being a Linux Lover, I am publishing these codes under GPL (General Public License). You can modify it as per your requirements, redistribute it. Don’t forget to give credit if it helps you :~) Remember it’s not a standard, neat and clean way but It’s very simple and it do the job nicely:)

This script is made for Windows 7 Operating System Only, For windows XP/200x, please follow the below link.
https://aacable.wordpress.com/2011/09/01/howto-create-pppoe-dialer-installer-package-using-auto-it/

Following functions will be performed.

# First it will ask you if you want to continue to install the Dialer.
# Then it will minimize all opened Window to Let user focus the installation,
# Then it will show you the Logo in front(dialer.jpg which is customizable according to your need),
# in Background it will open the Network and sharing center and create new entry for pppoe dialer,
# After creating dialer, it will close the Logo and will show you the message that Dialer have been installed.

This is not fully final Script, Few things have been left intentionally, Following functions will not be performed.

# It will not check Duplicate entries. For example, If you have installed the dialer, and want to re.install it again, It will not check duplicate entries, and will stop on DUPLICATE NAME FOUND, So please Delete Previously Created Dialer with the same name.

Please check and Do Let me know the results.

I have checked It on Windows 7 several times and working fine. The speed of executing functions in program can be + or – in some cases, It can be tuned with the $DELAY variable.

So Here we go . . .

First of all you have to download ‘Auto-it‘ software from its website at

http://www.autoitscript.com/cgi-bin/getfile.pl?autoit3/autoit-v3-setup.exe

I used Latest version: v3.3.6.1, Do full installation of AutoiT.

After installation, launch it by  Goto Start / Programs / Autoit v3  and select SciTE Script Editor

Now an advance Notepad type windows will open, Just paste the following code in it.

(Note: FOR SOME REASONS, Sometimes CODE Does not displayed PROPERLY IN THIS BLOG, IF you face syntax errors,  you can copy the raw code from following location) http://pastebin.com/BhNSMeKx

#cs ----------------------------------------------------------------------------
AutoIt Version : 3.3.6.1
Author : SYED JAHANZAIB
Email : aacable@hotmail.com
Web : https://aacable.wordpress.com
Script Function: Template AutoIt script. for PPPoE Dialer Installer
OS Supported   : Windows 7
Dated          : 27/09/2011
#ce ----------------------------------------------------------------------------
; Script Start - Add your code below here

$DELAY = 300
$answer = MsgBox(4, "PPPOE Connection", "This script will create a PPPOE DIALER, Do you want to Continue?")
If $answer = 7 Then
Exit
EndIf

WinMinimizeAll ( )
; Put Logo in front and do installation in background, place dialer.jpg in the same folder
; From you have launched dialer.
SplashImageOn("Please wait Few Seconds While Installer Installs PPPoE Dialer ", "dialer.jpg", 800,650)

$COMPANY_NAME = ("Type Your pppoe service name here")
; Example $COMPANY_NAME = ("MY_ISP")
$DELAY = 300

; Run Windows 7 Network Setup
Run("control.exe /name Microsoft.NetworkAndSharingCenter")
Sleep($DELAY)

; Send TAB 7 times to Select 'setup a new connection'
Send("{TAB 7}")

; Send Enter to Launch 'setup a new connection'
Send("{ENTER}")

; Send Next to select 'Connect to Internet'
Sleep($DELAY)
Send("!n")

; Send 'S' to select 'Setup a new connection anyway
Sleep($DELAY)
Send("!s")

;Check Duplicate Connection ???

Sleep($DELAY)
Send("!n")

; Send 'r' to select 'Broadband PPPoE'
Sleep($DELAY)
Send("!r")

; Send TAB 4 times to Enter 'ISP NAME'
Sleep($DELAY)
Send("{TAB 4}")
Send($COMPANY_NAME)
Sleep($DELAY)

; Send 'c' to connect $COMPANY_NAME service to contiue further
Sleep($DELAY)
Send("!c")

; Send 's' to skip connect '$comapany name' service to contiue further
Sleep($DELAY)
Send("!s")

; Send 'c' to close.
Sleep($DELAY)
Send("!c")

WinClose("Network Connections")
Run("control.exe /name Microsoft.NetworkAndSharingCenter")
Sleep($DELAY)
Send("!F")
Send("c")
SplashOff ( )
Sleep($DELAY)
Run("control ncpa.cpl")
WinWaitActive("Network Connections")
Sleep($DELAY)
;send ( "!{TAB}" )
Sleep($DELAY)
MsgBox(0, "Setup Complete", "Your Dialer have been installed , Click Connect on  " & $COMPANY_NAME & " to initiate Dialing")

Now Open File / Save and name it ‘pppoe-win7-dialer-installer’

Now your script with source code is ready to be compiled in .EXE executable format so any user can install it like any other normal application.

Now Open Tools and click on ‘Compile’ and it will compile the script in .exe format and it will save it to the Desktop or whatever Path You have selected.

Now click on ‘pppoe-win7-dialer-installer.exe’ and it will install the pppoe dialer and place its shortcut on Desktop. Its always better to test the script fully before compiling it, as compilation is done when your program is fully tested and good to go.

Any suggestions on improvements and enhancements / advancements are most welcome and will be appreciable

Regard’s
SYED JAHANZAIB

24.851000 67.008300

Mikrotik 4 WAN Load Balancing using PCC with PPPoE Server / Complete Script !

Following is a complete script for Mikrotik to combine/load balance 4 DSL lines. This server is also acting as a PPPoE Server, therefore I have made some modifications in PCC Script.

For normal LB, read my article at https://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-pcc-complete-script-by-zaib/

In this example I used MikrotikT RB750 5 ports router. 4 ports were connected with four DSL Routers, and 5th port was connected with User LAN. Also don’t forget to rename the interface names accordingly. This script will also add pppoe server , one pppoe user, dhcp server, dns server and pcc.

In my personnel experience , If users request are directly hitting Mikrotik configured with PCC , then you will get good load balancing. Use src-address as classifier, this way you will get rid of problems like https/broken link, streaming issues etc. Load balancing using this PCC technique (src-address) will be effective and balanced approach when more and more connections (from clients) that occurred. I also recommend to use SQUID proxy server along with mikrotik , either parallel or in front or backend , for better response time and it will also increase good browsing experience to users.

If somehow you are not satisfied with the src-address approach,play with the PCC-Classifier, Try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, BUT there is also a good chance that it will break certain things like banking web sites and some forums. This is because often times a HTTP requests will generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with src-address  for PCC load balancing.

Regard’s
Syed Jahanzaib
x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-

/ip address
 add address=172.16.0.1/16 broadcast=172.16.255.255 comment="" disabled=no interface=Local network=172.16.0.0
 add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
 add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0
 add address=192.168.3.2/24 broadcast=192.168.3.255 comment="" disabled=no interface=WAN3 network=192.168.3.0
 add address=192.168.4.2/24 broadcast=192.168.4.255 comment="" disabled=no interface=WAN4 network=192.168.4.0

/ip pool
 add name=dhcp_pool1 ranges=172.16.0.70-172.16.0.254
 add name=pppoe-users-pool ranges=10.0.0.1-10.0.0.255

/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=12h name="My DHCP Server"

/ip dhcp-server config
 set store-leases-disk=5m

/ip dhcp-server network
 add address=172.16.0.0/16 comment="" dns-server=172.16.0.1,221.132.112.8

/interface pppoe-server server
 add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable

/ppp profile add change-tcp-mss=default dns-server=172.16.0.1 local-address=172.16.0.1 name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default

/ppp secret add caller-id=”" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes=”" service=pppoe

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=221.132.112.8,221.132.112.9

/ip firewall mangle
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN4 new-connection-mark=WAN4_conn passthrough=yes

add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.3.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.4.0/24

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2 src-address=10.0.0.1-10.0.0.255

add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3 src-address=10.0.0.1-10.0.0.255

add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes

/ip firewall nat
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN3 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN4 src-address=10.0.0.1-10.0.0.255

/ip route
 add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=30 target-scope=10

add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 scope=30 target-scope=10

All Done ! Now Test the link by putting user load, the more multiple users load you put on it, the better Load Balance result you will get 🙂

PCC WITH HOTSPOT

If you wanna run PCC with HOTSPOT on same Mikrotik Server, Put this rule in place to stop the hotspot from processing people after they have signed into the network.

/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

PCC WITH UN-EQUAL WAN LINKS

If you have Un-Equal WAN Links, for example WAN,1,2,3 are of 4MB and WAN,4 is of 8 Mb, and you want to force MT to use WAN4 link more then other because of its capacity, Then you have to Add more PCC rules assigning the same two marks to a specific link i.e WAN4 , something like

Code:

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes

٩(●̮̮̃•̃)۶   ZaiB   ٩(●̮̮̃•̃)۶

---

Another shortest script for 2 wan load balancing (modems are wan gateway)

Updated: 23-April-2018 on request of Hishami Ali, Syria,
~ by syed.jahanzaib

Scenario:

INTERFACES NAMES:
Local
WAN1
WAN2

IP POOLS:
LAN Pool: 192.168.88.0/24
PPPoE Pool: 172.16.50.0/24
WAN1 Pool: 192.16.1.0/24
WAN2 Pool: 192.168.2.0/24

/ip address
add address=192.168.88.1/24 broadcast=192.168.88.255 comment="" disabled=no interface=Local network=192.168.255.0
add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0

# adding firewall list for ease of use, so that we dont have to further modify all rules, we will just modify this part only- - by zaiB
# Change all as required
/ip firewall address-list
add address=172.16.50.1-172.16.50.255 list=allowed_users
add address=192.168.1.0/24 list=modems_gateway_ips_list
add address=192.168.2.0/24 list=modems_gateway_ips_list

# You may use below pool in pppoe profile, or change it as required
/ip pool
add name=pppoe_pool ranges=172.16.50.1-172.16.50.255

/ip firewall mangle
add action=accept chain=prerouting comment="ACCEPT MODEM DST IPS LIST - BY SYED JAHANZAIB" dst-address-list=modems_gateway_ips_list

# Adding Routing marks for WAN-1
add action=mark-routing chain=prerouting dst-address-type="" new-routing-mark=to_WAN1 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=\
allowed_users src-address-type=!local

# Adding Routing marks for WAN-1
add action=mark-routing chain=prerouting dst-address-type="" new-routing-mark=to_WAN2 passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address-list=\
allowed_users src-address-type=!local

# Default Masquerade / NAT Rule
/ip firewall nat
add action=masquerade chain=srcnat comment="ALLOW ONLY PPPOE INTERNET USERS LIST 172.16.50.1-172.16.50.255 - BY SYED JAHANZAIB" src-address-list=allowed_users

# Adding routes for marked packets
/ip route

add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2

# Adding Default Gateway for failed routes
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1

Regard’s

Howto exempt rate limit for FTP Server Behind MT DMZ in placment of Dynamic Queues !

Consider the following scenario !

As you can see, FTP servers are placed behind Mikrotik DMZ, when user connects via pppoe server, dynamic queue is created for that user according to his package, lets say 512k, now the problem is this restriction also applied on local FTP server placed behind mikrotik DMZ, and we don’t want to limit speed for Local FTP.

The solution I found was to make mangle rules that mark packets TO/FROM the FTP server, and add Queue tree at my desired speed or at line speed for those marks.

This works for me. JUST MAKE SURE YOUR FTP SERVERS HAVE MIKROTIK IP AS THERE DEFAULT GATEWAY 🙂 This is important so that you can user original ip on the the FTP server rather then just mikrotik ip.

---

Scenario # 1 – Limit FTP queue to 3mb per user

We have FTP servers hosted in DMZ (at separate port) having ip address of 10.0.0.x series. So we will simply create address list and add ftp server’s ip addresses in it. using of address have added advantage, you can simply add remove ip directly in this list, so you wont have to touch the rules again, plus you can use script to dynamically add remove servers ip, with timeout as well.

/ip firewall address-list
add address=10.0.0.10 list=FTP_SERVER
add address=10.0.0.11 list=FTP_SERVER

# Marking packets going to FTP Servers
/ip firewall mangle
add action=mark-connection chain=prerouting comment="MARK CONN GOING TO FTP SERVER " dst-address-list=FTP_SERVER new-connection-mark=ftp_conn passthrough=yes
add action=mark-packet chain=prerouting comment="MARK PKTS GOING TO FTP SERVER " connection-mark=ftp_conn new-packet-mark=ftp_pkts passthrough=yes

# Creating PCQ base Queue - 3mb per user
/queue type
add kind=pcq name=ftp-download-3MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-3MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=31M pcq-src-address6-mask=64

#- Make sure you move this simple queue on TOP, or else it will not work
/queue simple
add comment="Allow 3 MB FTP Download per user by zaib" name="ftp 1g" packet-marks=ftp_pkts queue=ftp-upload-3MB/ftp-download-3MB target=""

---

Scenario #2:

172.16.0.0/16 are my pppoe client ip pool.
192.168.250.0/24 is FTP server pool. Behind Mikrotik DMZ.

On mikrotik, I created following rules and FTP servers exempted from dynamic queue rate limit and ftp data delivered at LAN speed , all works ok 🙂

[Mikrotik 5.x ROS Code]

/ip firewall mangle add chain=prerouting src-address=172.16.0.0/16 dst-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-up

/ip firewall mangle add chain=postrouting dst-address=172.16.0.0/16 src-address=192.168.250.0/24 action=mark-packet new-packet-mark=ftp-down

/queue type add name=ftp-exempt kind=sfq
/queue tree add name=ftp-up parent=global-in packet-mark=ftp-up queue=ftp-exempt max-limit=100M
/queue tree add name=ftp-down parent=global-out packet-mark=ftp-down queue=ftp-exempt max-limit=100M

---

---

ANOTHER EXAMPLE TO MARK TRAFFIC FROM SPECIFIC CLIENTS GOING TO X.X.X.X LOCATION.

for MIKROTIK 6.XX

Scenario:

We want to mark traffic from specific users like expired users, and mark there traffic going to FTP Server, and limit there speed per ip.
IP POOL INFO:

pppoe-pool = 172.16.0.0/16

EXPIRED pool = 192.168.255.0/24
FTP Server = 10.0.0.100

First mark traffic in mangle section , SOURCE should be EXPIRED USERS IP SUBNET , and DESTINATION should be FTP SERVER IP.

/ip firewall mangle
add action=mark-packet chain=prerouting comment="MARK TRAFFIC of EXPIRED USERS GOING TO FTP SERVER" dst-address=10.0.0.100 new-packet-mark=expired_users_ftp_access passthrough=no src-address=192.168.255.0/24

# Now add queue in TYPE for per user implementation, 32kb per ip

/queue type
add kind=pcq name=ftp-download-32k pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name=ftp-upload-32k pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
# Finally add SIMPLE queue that will limit 32k per ip (only expired pool)

/queue simple
add comment="FTP for EXPIRED USERS / 32kb PER USER " name="ftp queue 32k for expired users  pool" packet-marks=expired_users_ftp_access queue=ftp-upload-32k/ftp-download-32k target=""

---

Another Example to mark traffic going to FTP Server using MANGLE ,and restrict per user bandwidth using PCQ [updated 26-JAN-2016]

FTP SERVER IP = 10.0.1.5 AND 10.0.1.6

FOLLOWING code will mark traffic for 1.5 and 1.6 and in queue it will create pcq base bandwidth to restrict 4mb per user. Also it will give priority to ICMP packets as well.

/ip firewall mangle

# MARK ICMP PACKETS

add action=mark-connection chain=prerouting new-connection-mark=icmp-con protocol=icmp

add action=mark-packet chain=prerouting connection-mark=icmp-con new-packet-mark=icmp-pkt passthrough=no protocol=icmp

# ACCEPT FTP TRAFFIC , BYPASS PCC

add chain=prerouting comment="accept server4 n radius from being processed by PCC / zaib" dst-address-list=ALLOWED_SERVERS

# MARK TRAFFIC GOING TO FTP LIKE .15 AND 1.6

add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.6" new-packet-mark=ftp_1.6 passthrough=no src-address=10.0.1.6

add action=mark-packet chain=prerouting comment="MARK TRAFFIC GOING TO FTP SERVER _ 1.5" new-packet-mark=ftp_1.5 passthrough=no src-address=10.0.1.5

# CREATE PCQ BASE QUEUE / 4 MB PER USER

/queue type

add kind=pcq name=ftp-download-4MB pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

add kind=pcq name=ftp-upload-4MB pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=40M pcq-src-address6-mask=64

# CREATE QUEUE TO GIVE HIGH PRIORITY TO ICMP AND FTP

/queue simple

#ICMP

add max-limit=128k/128k name=ICMP_Hi_Priority packet-marks=icmp-pkt target=""

#FTP

add name=FTP_10.0.1.6_DOWN_LIMIT packet-marks=ftp_1.6 queue=ftp-upload-4MB/ftp-download-4MB target=""

add name=FTP_10.0.1.5_DOWN_LIMIT packet-marks=ftp_1.5 queue=ftp-upload-4MB/ftp-download-4MB target=""

---

Regqard’s
Syed Jahanzaib