Aria Perdana

Setting Hotspot Menggunakan Mikrotik

2008-04-18T20:51:00.001+07:00

/ radius
add service=hotspot called-id="" domain="Radius" address=192.168.1.3 \
secret="123456" authentication-port=1812 accounting-port=1813 \
timeout=900ms accounting-backup=no realm="" comment="" disabled=no
/ radius incoming
set accept=yes port=1700

/ ip hotspot
add name="Hotspot2" interface=Lokal address-pool=hs-pool-1 profile=hsprof2 idle-timeout=none keepalive-timeout=none disabled=no

/ ip hotspot profile
add name="hsprof2" hotspot-address=192.168.1.3 dns-name="hotlink.net" \
html-directory=hotspot rate-limit="" http-proxy=192.168.1.3:3128 \
smtp-server=0.0.0.0 login-by=http-chap split-user-domain=no use-radius=yes \
radius-accounting=yes radius-interim-update=5s nas-port-type=0 \
radius-default-domain="Radius" radius-location-id="" \
radius-location-name=""

/ tool user-manager router
add subscriber=admin name="Hotlink.net" ip-address=192.168.1.3 \
shared-secret="123456" comment="" disabled=no

/ ip dns static
add name="hotlink.net" address=192.168.1.3 ttl=1d

kmudian setelah itu bikin user dan di http://hotlink.net/userman

eh jgn lupa bikin dulu customernya ... biar bisa masuk ke userman

/ tool user-manager customer
add subscriber=admin login="admin" password="admin" company="HOTlink" \
city="Bandung" country="Indonesia" date-format="%m/%d/%y" \
email="admin@hotlink-id.net" time-zone=+00:00 permissions=owner \
parent=admin comment="" disabled=no

Setting PC Router pakai FC 4

2008-04-10T14:24:00.000+07:00

Dari pada beli modem lagi Rp. 400-500k baik bikin router sendiri .. ya ndak ? Model Pentium II juga udah ampuh banged ! Saya lakukan sejak 2 tahun lalu di Net tongkrongan saya Ngetopnet.

Keterangan : Saya menggunakan Fedora Core 2 dengan Kompi Server specs : P III 866 Mhz, 10 GB HDD, 128 MB SDRAM, 2 MB VGA, 2 x 10/100 Ethernet (Auto detect by distro).

Langkah 1 : Pastikan network card dalam system Arahan lsmod untuk menyenaraikan semua modul/perkakasan dalam system, pastikan eth0 dan eth1 atau e100 dan e1000 ada dalam list.
#/sbin/lsmod
Module used
Eth 0(10/100) 0
Eth1 (gigabyte) 0

Langkah 2: Pastikan eth0 dan eth1 ada dalam modules.conf ("Pada langkah kedua ini saya tidak melakukannya karena tidak ada settingan seperti ini.")

#vi /etc/modules.conf
alias eth0 e100
alias eth1 e1000

Langkah 3: set IP untuk eth0 (eth0 merupakan IP public atau IP Private dari ISP) dan eth1 (eth1 merupakan IP Local dari kita Sebagai Server untuk Client ! Harus berbeda dengan eth0 walalu hanya class c nya.)

#cat /etc/sysconfig/network-scripts/ifcfg-eth0

# Intel Corp.|82801BA/BAM/CA/CAM Ethernet Controller
DEVICE=eth0
BOOTPROTO=static
HWADDR=00:02:A5:76:C1:26
IPADDR=192.168.1.88
NETWORK=192.168.1.0
BROADCAST=192.168.1.255
NETMASK=255.255.255.0
GATEWAY=192.168.1.254
ONBOOT=yes
TYPE=Ethernet

*masukkan semua nilai sama seperti nilai di atas.
Untuk menukar nilai (edit), tekan Insert (INS)
Bila selesai mengedit, untuk menyimpan (save) dan keluar, tekan Escape (ESC), kemudian masukan ":wq". (SHIFT-Doubledot, w, q) ENTER.

# cat /etc/sysconfig/network-scripts/ifcfg-eth1

# Intel Corp.|82557/8/9 [Ethernet Pro 100]
DEVICE=eth1
ONBOOT=yes
BOOTPROTO=static
IPADDR=192.168.0.1
NETWORK=192.168.0.0
BROADCAST=192.168.0.255
NETMASK=255.255.255.0
HWADDR=00:D0:B7:55:01:E0

Langkah 4. Mengubah nilai dari "no" kepada "yes" NOZERO configuration (thanks n0x)

#vi /etc/sysconfig/network

masukkan pernyataan seperti di bawah

NOZEROCONF=yes

Langkah 5. Routing IP untuk Internet

#/sbin/iptables -A POSTROUTING -t nat -o eth0 -j MASQUERADE
# /sbin/iptables -t nat -nL (checking aja)
Chain PREROUTING (policy ACCEPT)
target prot opt source destination

Chain POSTROUTING (policy ACCEPT)
target prot opt source destination
MASQUERADE all -- 0.0.0.0/0 0.0.0.0/0

Chain OUTPUT (policy ACCEPT)
target prot opt source destination

Langkah 6. Mengubah ip forwarding value to 1
Check the value for ip forwarding

#echo 1 > /proc/sys/net/ipv4/ip_forward

Langkah 7. Mengubah nilai pada sysctl.conf

#vi /etc/sysctl.conf
# cat /etc/sysctl.conf

# Kernel sysctl configuration file for Red Hat Linux
#
# For binary values, 0 is disabled, 1 is enabled. See sysctl(8) and
# sysctl.conf(5) for more details.

# Controls IP packet forwarding
net.ipv4.ip_forward = 1

# Controls source route verification
net.ipv4.conf.default.rp_filter = 1

# Controls the System Request debugging functionality of the kernel
kernel.sysrq = 0

# Controls whether core dumps will append the PID to the core filename.
# Useful for debugging multi-threaded applications.
kernel.core_uses_pid = 1

Langkah 8. Save the iptables configuration

#/sbin/service iptables save (nah itu yang terlupakan olh om praban dan om ogeb)

Langkah 9. Up all services

#/sbin/service network restart

Langkah 10. trace route output.

#route

Lihat default gateway. Itu harus sama dengan gateway yang diberikan oleh ISP kamu (ADSL kami)

Selesai.

Greetz to om praban (telah maksakan mau untuk membantu ihihihihhi), om ogeb (yang betah banged ngeladeni pertanyaanku dan menjelaskan how to), n0x (selayang baris yang membuat sempurna), dan rekan-rekan semua yang telah membantu sangat banyak.

Mikrotik dan Web Proxynya

2008-04-10T14:10:00.000+07:00

MikroTik RouterOS™, merupakan system operasi Linux base yang diperuntuk
kan sebagai network router. Didesain untuk memberikan kemudahan bagi
penggunanya. Administrasinya bisa dilakukan melalui Windows application
(WinBox). Webbrowser serta via Remote Shell (telnet dan SSH). Selain
itu instalasi dapat dilakukan pada Standard computer PC. PC yang akan
dijadi kan router mikrotikpun tidak memerlukan resource yang cukup besar
untuk penggunaan standard, misalnya hanya sebagai gateway. Untuk keperluan
beban yang besar ( network yang kompleks, routing yang rumit dll)
disarankan untuk mempertimbangkan pemilihan resource PC yang memadai.

Fasilitas pada mikrotik antara lain sebagai berikut :
- Protokoll routing RIP, OSPF, BGP.
- Statefull firewall
- HotSpot for Plug-and-Play access
- remote winbox GUI admin

Lebih lengkap bisa dilihat di www.mikrotik.com.

Meskipun demikian Mikrotik bukanlah free software, artinya kita harus
membeli licensi terhadap segala fasiltas yang disediakan. Free trial
hanya untuk 24 jam saja. Kita bisa membeli software mikrotik dalam
bentuk CD yang diinstall pada Hard disk atau disk on module (DOM).
Jika kita membeli DOM tidak perlu install tetapi tinggal menancapkan
DOM pada slot IDE PC kita.

Instalasi Mikrotik ada beberapa cara :
1. Instalasi melalui NetInstall via jaringan
2. Instalasi melalui Floppy disk
3. Instalasi melalui CD-ROM.

Kali ini kita akan membahasnya instalasi melalui CD-ROM. Untuk percobaan
ini silahkan download ISOnya di http://adminpreman.web.id/download

Langkah-langkah berikut adalah dasar-dasar setup mikrotik yang
dikonfigurasikan untuk jaringan sederhana sebagai PC Router/Gateway,
Web Proxy, DNS Server, DHCP, Firewall serta Bandwidth Management.
Konfigurasi ini dapat dimanfaatkan untuk membangun jaringan pada
Internet Cafe atau untuk Testing pada Laboratorium Pribadi.

--[2.1]-- Topologi Jaringan

Topologi jaringan ini di anggap koneksi Internetnya melalui MODEM
xDSL (ADSL atau SDSL). Dengan catatan konfigurasi IP Publiknya
ditanam didalam MODEM, artinya perlu pula dipilih MODEM yang memiliki
fasilitas seperti Routing, Firewall, dan lain-lain. Semakin lengkap
semakin bagus, namun biasanya harga semakin mahal, yang patut
dipertimbangkan pilihlah MODEM yang memiliki fasilitas Firewall yang
bagus.

Untuk MODEM SDSL, biasanya, IP dibawah NAT, artinya IP nya bukan IP
Publik langsung. Dan umumnya untuk MODEM ADSL, IP Publiknya langsung
ditanam di MODEM itu sendiri.

Saat ini kita anggap IP Publiknya di tanam di MODEM, dimana Interface
PPPoE nya sudah di konfigurasikan dan sudah bisa DIAL ke server RASnya.

Agar memudahkan konfigurasi, perlu dirancang topologi jaringan yang
dikonfigurasi. Sebagai contoh, skema dibawah ini:

(a) Skema Jaringan

_(
o--+ ____|
| / | Telpon
| _/ -(
+--[_] Splitter
|
| +----+
+---| | Modem xDSL
+--*-+
(1)| +---+
| | | (3)
| | +|---------+
| +-----+ | |. . . . . |
| a| | | +--|-|-|-|-+
+---|=====| | | | | |
| | | | | | |
| |---+ +-|-|-|--[client 1]
| |b +-|-|------------[client 2]
| | +-|----------------------[client 3]
L-----J +--------[client n]
(2)

Keterangan skema
(1) = Modem xDSL (Ip Address : 192.168.1.1/24)
(2) = Mikrotik Box dengan 2 ethernet card yaitu a (publik) dan b (local)
(3) = Switch
Untuk sambungan ke Client. Asumsi Client Jumlahnya 20 Client
Range Ip Address : 192.168.0.0/27
Alokasi Ip Client = 192.168.0.1-192.168.0.30
Ip Net ID : 192.168.0.0/27
Ip Broadcast : 192.168.0.31/27

(b) Alokasi IP Address

[*] Mikrotik Box

Keterangan Skema
a = ethernet card 1 (Publik) -> Ip Address : 192.168.1.2/24
b = ethernet card 2 (Local) -> Ip Address : 192.168.0.30/27

Gateway : 192.168.1.1 (ke Modem)

[*] Client
Client 1 - Client n, Ip Address : 192.168.0.n .... n (1-30)

Contoh:
Client 6
Ip Address : 192.168.0.6/27
Gateway : 192.168.0.30 (ke Mikrotik Box)

CATATAN :
Angka dibelakang Ip address ( /27) sama dengan nilai netmasknya
untuk angka (/27) nilainya sama dengan 255.255.255.224.

Untuk Sub Netmask blok ip address Local kelas C, dapat diuraikan
sebagai berikut :

Subnetmask kelas C
-------------------
255.255.255.0 = 24 -> 254 mesin
.. .128 = 25 -> 128 mesin
.. .192 = 26 -> 64 mesin
.. .224 = 27 -> 32 mesin
.. .240 = 28 -> 16 mesin
.. .248 = 29 -> 8 mesin
.. .252 = 30 -> 4 mesin
.. .254 = 31 -> 2 mesin
.. .255 = 32 -> 1 mesin

--[2.2]-- Persiapan

- Untuk PC Router Siapkan PC, minimal Pentium I, RAM 64, HD 500M
atau pake flash memory 64 - Sebagai Web proxy, Siapkan PC, minimal
Pentium III 450Mhz, RAM 256 Mb, HD 20 Gb. Melihat berapa minimum
RAM dan HD yang dibutuhkan untuk Cache Silahkan lihat
http://adminpreman.web.id/download/Rumus Web Proxy Mikrotik.xls

- Siapkan minimal 2 ethernet card, 1 ke arah luar/Internet dan 1
lagi ke Network local
– Burn Source CD Mikrotik OS masukan ke CDROM.
- Versi mikrotik yang digunakan adalah Mikrotik RouterOS versi 2.9.27

--[3]-- Installasi Mikrotik Router
Setelah desain skema jaringan serta perangkat yang dibutuhkan telah
disiapkan, sekarang saatnya kita mulai proses instalasi ini.

--[3.1]-- Booting melalui CD-ROM

Atur di BIOS agar, supaya boot lewat CD-ROM, kemudian tunggu beberapa
saat di monitor akan muncul proses Instalasi.

-------------------------------------------------------------------------

ISOLINUX 2.08 2003-12-12 Copyrigth (C) 1994-2003 H. Peter Anvin
Loading linux..................
Loading initrd.rgz.............
Ready
Uncompressing Linux... Ok, booting the kernel

------------------------------------------------------------------------

--[3.2]-- Memilih paket software

Setelah proses booting akan muncul menu pilihan software yang
mau di install, pilih sesuai kebutuhan yang akan direncanakan.

Paket yang tersedia di Mikrotik

advanced-tools-2.9.27.npk
arlan-2.9.27.npk
dhcp-2.9.27.npk
gps-2.9.27.npk
hotspot-2.9.27.npk
hotspot-fix-2.9.27.npk
isdn-2.9.27.npk
lcd-2.9.27.npk
ntp-2.9.27.npk
ppp-2.9.27.npk
radiolan-2.9.27.npk
routerboard-2.9.27.npk
routing-2.9.27.npk
routing-test-2.9.27.npk
rstp-bridge-test-2.9.27.npk
security-2.9.27.npk
synchronous-2.9.27.npk
system-2.9.27.npk
telephony-2.9.27.npk
ups-2.9.27.npk
user-manager-2.9.27.npk
web-proxy-2.9.27.npk
webproxy-test-2.9.27.npk
wireless-2.9.27.npk
wireless-legacy-2.9.27.npk

--------------------------------------------------------------------------

Welcome to Mikrotik Router Software Installation

Move around menu using 'p' and 'n' or arrow keys, select with 'spacebar'.
Select all with 'a', minimum with 'm'. Press 'i' to install locally or 'r' to
install remote router or 'q' to cancel and reboot.

[X] system [ ] lcd [ ] telephony
[ ] ppp [ ] ntp [ ] ups
[ ] dhcp [ ] radiolan [ ] user-manager
[X] andvanced-tools [ ] routerboard [X] web-proxy
[ ] arlan [ ] routing [ ] webproxy-test
[ ] gps [ ] routing-test [ ] wireless
[ ] hotspot [ ] rstp-bridge-test [ ] wireless-legacy
[ ] hotspot [X] security
[ ] isdn [ ] synchronous

--------------------------------------------------------------------------

Umumnya Paket Mikrotik untuk Warnet, Kantor atau SOHO adalah :

a. SYSTEM : Paket ini merupakan paket dasar, berisi Kernel dari
Mikrotik

b. DHCP : Paket yang berisi fasilitas sebagai DHCP Server, DHCP
client, pastikan memilih paket ini jika Anda menginginkan
agar Client diberikan IP address otomatis dari DHCP Server

c. SECURITY : Paket ini berisikan fasilitas yang mengutamakan Keamanan
jaringan, seperti Remote Mesin dengan SSH, Remote via MAC
Address

d. WEB-PROXY : Jika Anda memilih paket ini, maka Mikrotik Box anda telah
dapat menjalan service sebagai Web proxy yang akan menyimpan
cache agar traffik ke Internet dapat di reduksi serta browsing
untuk Web dapat dipercepat.

e. ADVANCED TOOLS : Paket yang berisi Tool didalam melakukan Admnistrasi jaringan,
seperti Bandwidth meter, Scanning, Nslookup, dan lain sebagainya.

--[3.3]-- Instalasi Paket

ketik "i" setelah selesai memilih software, lalu akan muncul menu
pilihan seperti ini :

- Do you want to keep old configuration ? [y/n] ketik Y
- continue ? [y/n] ketik Y

Setelah itu proses installasi system dimulai, disini kita tidak
perlu membuat partisi hardsik karena secara otomatis mikrotik akan
membuat partisi sendiri.

----------------------------------------------------------------------------

wireless-legacy (depens on system):
Provides support for Cisco Aironet cards and for PrismlI and Atheros wireless
station and AP.

Do you want to keep old configuraion? [y/n]:y

Warning: all data on the disk will be erased!

Continue? [y/n]:y

Creating partition..........
Formatting disk.......................................

Installing system-2.9.27 [################## ]

---------------------------------------------------------------------------

Proses installasi

---------------------------------------------------------------------------

Continue? [y/n]:y

Creating partition.......................
Formatting disk............................

Installed system-2.9.27
Installed advanced-tools-2.9.27
Installed dhcp-2.9.27
Installed security-2.9.27
installed web-proxy-2.9.27

Software installed.
Press ENTER to reboot

------------------------------------------------------------------------------

CATATAN :
Proses Installasi normalnya tidak sampai 15 menit, jika lebih berarti gagal,ulangi
ke step awal. Setelah proses installasi selesai maka kita akan diminta untuk
merestart system, tekan enter untuk merestart system.

--[3.5]-- Proses Check system disk

Setelah komputer booting kembali ke system mikrotik, akan ada pilihan untuk
melakukan check system disk, tekan "y".

----------------------------------------------------------------------------
Loading system with initrd
Uncompressing Linux... Ok, booting the kernel.
Starting.

It is recomended to check your disk drive for error,
but it may take while (~1min for 1Gb).
It can be done later with "/system check-disk".
Do you want to do it now? [y/n]
-----------------------------------------------------------------------------

--[3.6]-- Proses Instalasi Selesai

Setelah proses instalasi selesai, maka akan muncul menu login dalam modus
terminal, kondisi sistem saat ini dalam keadaan default.

Mikrotik login = admin
Password = (kosong, enter saja)

---------------------------------------------------------------------------
Mikrotik 2.9.27
Mikrotik Login:

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 2.9.27 (c) 1999-2005 http://www.mikrotik.com/

Terminal vt102 detected, using multiline input mode
[admin@Mikrotikl] >

----------------------------------------------------------------------------

CATATAN :
Konfigurasi Standar untuk mikrotik ada 2 modus, yaitu modus teks dan
modus GUI. Modus Gui ada 2 juga, yaitu Via Browser serta Via Winbox.
Untuk sekarang saya akan bahas via Teks. Karena cepat serta lebih memahami
terhadap sistem operasi ini.

--[4]-- Perintah Dasar

Perintah mikrotik sebenarnya hampir sama dengan perintah yang ada dilinux,
sebab pada dasarnya mikrotik ini merupakan kernel Linux, hasil pengolahan
kembali Linux dari Distribusi Debian. Pemakaian perintah shellnya sama,
seperti penghematan perintah, cukup menggunakan tombol TAB di keyboard
maka perintah yang panjang, tidak perlu lagi diketikkan, hanya ketikkan
awal nama perintahnya, nanti secara otomatis Shell akan menampilkan sendiri
perintah yang berkenaan. Misalnya perintah IP ADDRESS di mikrotik. Cukup
hanya mengetikkan IP ADD spasi tekan tombol TAB, maka otomatis shell
akan mengenali dan menterjemahkan sebagai perintah IP ADDRESS.

Baiklah kita lanjutkan pengenalan perintah ini.

Setelah login, cek kondisi interface atau ethernet card.

--[4.1]-- Melihat kondisi interface pada Mikrotik Router

[admin@Mikrotik] > interface print
Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500

[admin@Mikrotik]>

Jika interfacenya ada tanda X (disabled) setelah nomor (0,1), maka periksa lagi
etherned cardnya, seharusnya R (running).

a. Mengganti nama interface
[admin@Mikrotik] > interface(enter)

b. Untuk mengganti nama Interface ether1 menjadi Public (atau terserah namanya), maka
[admin@Mikrotik] interface> set 0 name=Public

c. Begitu juga untuk ether2, misalkan namanya diganti menjadi Local, maka
[admin@Mikrotik] interface> set 1 name=Local

d. atau langsung saja dari posisi root direktori, memakai tanda "/", tanpa tanda kutip
[admin@Mikrotik] > /interface set 0 name=Public

e. Cek lagi apakah nama interface sudah diganti.
[admin@Mikrotik] > /interface print

Flags: X - disabled, D - dynamic, R - running
# NAME TYPE RX-RATE TX-RATE MTU
0 R Local ether 0 0 1500
1 R Public ether 0 0 1500

--[4.2]-- Mengganti password default
Untuk keamanan ganti password default
[admin@Mikrotik] > password
old password: *****
new password: *****
retype new password: *****
[admin@ Mikrotik]]>

--[4.3]-- Mengganti nama hostname
Mengganti nama Mikrotik Router untuk memudahkan konfigurasi, pada langkah ini
nama server akan diganti menjadi “routerku"

[admin@Mikrotik] > system identity set name=routerku
[admin@routerku]>

--[5]-- Setting IP Address, Gateway, Masqureade dan Name Server

--[5.1]-- IP Address

Bentuk Perintah konfigurasi

ip address add address ={ip address/netmask} interface={nama interface}

a. Memberikan IP address pada interface Mikrotik. Misalkan Public akan kita gunakan untuk
koneksi ke Internet dengan IP 192.168.1.2 dan Local akan kita gunakan untuk network LAN
kita dengan IP 192.168.0.30 (Lihat topologi)

[admin@routerku] > ip address add address=192.168.1.2
netmask=255.255.255.0 interface=Public comment="IP ke Internet"

[admin@routerku] > ip address add address=192.168.0.30
netmask=255.255.255.224 interface=Local comment = "IP ke LAN"

b. Melihat konfigurasi IP address yang sudah kita berikan

[admin@routerku] >ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 ;;; IP Address ke Internet
192.168.0.30/27 192.168.0.0 192.168.0.31 Local
1 ;;; IP Address ke LAN
192.168.1.2/24 192.168.0.0 192.168.1.255 Public
[admin@routerku]>

--[5.2]-- Gateway

Bentuk Perintah Konfigurasi

ip route add gateway={ip gateway}

a. Memberikan default Gateway, diasumsikan gateway untuk koneksi internet adalah
192.168.1.1

[admin@routerku] > /ip route add gateway=192.168.1.1

b. Melihat Tabel routing pada Mikrotik Routers

[admin@routerku] > ip route print

Flags: X - disabled, A - active, D - dynamic,
C - connect, S - static, r - rip, b - bgp, o - ospf
# DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 192.168.0.0/24 192.168.0.30 Local
1 ADC 192.168.0.0/27 192.168.1.2 Public
2 A S 0.0.0.0/0 r 192.168.1.1 Public
[admin@routerku]>

c. Tes Ping ke Gateway untuk memastikan konfigurasi sudah benar

[admin@routerku] > ping 192.168.1.1
192.168.1.1 64 byte ping: ttl=64 time<1 ms
192.168.1.1 64 byte ping: ttl=64 time<1 ms
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max = 0/0.0/0 ms
[admin@routerku]>

--[5.3]-- NAT (Network Address Translation)

Bentuk Perintah Konfigurasi

ip firewall nat add chain=srcnat action=masquerade out-inteface={ethernet
yang langsung terhubung ke Internet atau Public}

a. Setup Masquerading, Jika Mikrotik akan kita pergunakan sebagai gateway server maka agar
client computer pada network dapat terkoneksi ke internet perlu kita masquerading.

[admin@routerku] > ip firewall nat add chain=scrnat out-interface=Public action=masquerade
[admin@routerku]>

b. Melihat konfigurasi Masquerading

[admin@routerku] ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=Public action=masquerade
[admin@routerku]>

--[5.4] Name server

Bentuk Perintah Konfigurasi

ip dns set primary-dns={dns utama} secondary-dns={dns ke dua}

a. Setup DNS pada Mikrotik Routers, misalkan DNS dengan Ip Addressnya
Primary = 202.134.0.155, Secondary = 202.134.2.5

[admin@routerku] > ip dns set primary-dns=202.134.0.155 allow-remoterequests=yes
[admin@routerku] > ip dns set secondary-dns=202.134.2.5 allow-remoterequests=yes

b. Melihat konfigurasi DNS

[admin@routerku] > ip dns print
primary-dns: 202.134.0.155
secondary-dns: 202.134.2.5
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB

[admin@routerku]>

c. Tes untuk akses domain, misalnya dengan ping nama domain

[admin@routerku] > ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@routerku]>

Jika sudah berhasil reply berarti seting DNS sudah benar.

Setelah langkah ini bisa dilakukan pemeriksaan untuk koneksi dari jaringan local. Dan jika
berhasil berarti kita sudah berhasil melakukan instalasi Mikrotik Router sebagai Gateway
server. Setelah terkoneksi dengan jaringan Mikrotik dapat dimanage menggunakan WinBox yang
bisa di download dari Mikrotik.com atau dari server mikrotik kita. Misal Ip address server
mikrotik kita 192.168.0.30, via browser buka http://192.168.0.30. Di Browser akan ditampilkan
dalam bentuk web dengan beberapa menu, cari tulisan Download dan download WinBox dari situ.
Simpan di local harddisk. Jalankan Winbox, masukkan Ip address, username dan password.

--[7]-- DHCP Server

DHCP merupakan singkatan dari Dynamic Host Configuration Protocol, yaitu suatu program yang
memungkinkan pengaturan IP Address di dalam sebuah jaringan dilakukan terpusat di server,
sehingga PC Client tidak perlu melakukan konfigurasi IP Addres. DHCP memudahkan administrator
untuk melakukan pengalamatan ip address untuk client.

Bentuk perintah konfigurasi

ip dhcp-server setup
dhcp server interface = { interface yang digunakan }
dhcp server space = { network yang akan di dhcp }
gateway for dhcp network = { ip gateway }
address to give out = { range ip address }
dns servers = { name server }
lease time = { waktu sewa yang diberikan }

Jika kita menginginkan client mendapatkan IP address secara otomatis maka perlu kita setup
dhcp server pada Mikrotik. Berikut langkah-langkahnya :

a. Tambahkan IP address pool

/ip pool add name=dhcp-pool ranges=192.168.0.1-192.168.0.30

b. Tambahkan DHCP Network dan gatewaynya yang akan didistribusikan ke client.
Pada contoh ini networknya adalah 192.168.0.0/27 dan gatewaynya 122.168.0.30

/ip dhcp-server network add address=192.168.0.0/27 gateway=192.168.0.30 dns-server=192.168.0.30
comment=""

c. Tambahkan DHCP Server ( pada contoh ini dhcp diterapkan pada interface Local )

/ip dhcp-server add interface=local address-pool=dhcp-pool

d. Lihat status DHCP server

[admin@routerku] > ip dhcp-server print

Flags: X - disabled, I - invalid

# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

0dhcp1 Local

Tanda X menyatakan bahwa DHCP server belum enable maka perlu dienablekan terlebih
dahulu pada langkah e.

e. Jangan Lupa dibuat enable dulu dhcp servernya

/ip dhcp-server enable 0

kemudian cek kembali dhcp-server seperti langkah 4, jika tanda X sudah tidak ada berarti
sudah aktif

f. Tes Dari client

Misalnya :
D:>ping www.yahoo.com

--[8]-- Transparent Proxy Server

Proxy server merupakan program yang dapat mempercepat akses ke suatu web
yang sudah diakses oleh komputer lain, karena sudah di simpan didalam
caching server.Transparent proxy menguntungkan dalam management client,
karena system administrator tidak perlu lagi melakukan setup proxy di
setiap browser komputer client karena redirection dilakukan otomatis di sisi
server.

Bentuk perintah konfigurasi :
a. Setting web proxy :

- ip proxy set enable=yes
port={ port yang mau digunakan }
maximal-client-connections=1000
maximal-server-connections=1000

- ip proxy direct add src-address={ network yang akan di
NAT} action=allow

- ip web-proxy set parent-proxy={proxy parent/optional}
hostname={ nama host untuk proxy/optional}
port={port yang mau digunakan}
src-address={ address yang akan digunakan untuk koneksi
ke parent proxy/default 0.0.0.0}
transparent-proxy=yes
max-object-size={ ukuran maximal file yang akan disimpan
sebagai cache/default 4096 in Kilobytes}
max-cache-size= { ukuran maximal hardisk yang akan
dipakai sebagai penyimpan file cache/unlimited
| none | 12 in megabytes}
cache-administrator={ email administrator yang akan digunakan
apabila proxy error, status akan dikirim
ke email tersebut}
enable==yes

Contoh konfigurasi
-------------------

a. Web proxy setting

/ ip web-proxy
set enabled=yes src-address=0.0.0.0 port=8080
hostname="proxy.routerku.co.id" transparent-proxy=yes
parent-proxy=0.0.0.0:0 cache-administrator="support@routerku.co.id"
max-object-size=131072KiB cache-drive=system max-cache-size=unlimited
max-ram-cache-size=unlimited

Nat Redirect, perlu ditambahkan yaitu rule REDIRECTING untuk membelokkan
traffic HTTP menuju ke WEB-PROXY.

b. Setting firewall untuk Transparant Proxy

Bentuk perintah konfigurasi :

ip firewall nat add chain=dstnat
protocol=tcp
dst-port=80
action=redirect
to-ports={ port proxy }

Perintahnya:

--------------------------------------------------------------------------------
/ ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
comment="" disabled=no
add chain=dstnat protocol=tcp dst-port=8000 action=redirect to-ports=8080
--------------------------------------------------------------------------------

perintah diatas dimaksudkan, agar semua trafik yang menuju Port 80,3128,8000
dibelokkan menuju port 8080 yaitu portnya Web-Proxy.

CATATAN:
Perintah

/ip web-proxy print { untuk melihat hasil konfigurasi web-proxy}
/ip web-proxy monitor { untuk monitoring kerja web-proxy}

--[9]-- Bandwidth Management

QoS memegang peranan sangat penting dalam hal memberikan pelayanan
yang baik pada client. Untuk itu kita memerlukan bandwidth management
untuk mengatur tiap data yang lewat, sehingga pembagian bandwidth menjadi
adil. Dalam hal ini Mikrotik RouterOs juga menyertakan packet software
untuk memanagement bandwidth.

Bentuk perintah konfigurasi:

queue simple add name={ nama }
target-addresses={ ip address yang dituju }
interface={ interface yang digunakan untuk melewati data }
max-limit={ out/in }

Dibawah ini terdapat konfigurasi Trafik shaping atau bandwidth management
dengan metode Simple Queue, sesuai namanya, Jenis Queue ini memang
sederhana, namun memiliki kelemahan, kadangkala terjadi kebocoran bandwidth
atau bandwidthnya tidak secara real di monitor. Pemakaian untuk 10 Client,
Queue jenis ini tidak masalah.

Diasumsikan Client ada sebanyak 15 client, dan masing-masing client diberi
jatah bandwidth minimum sebanyak 8kbps, dan maksimum 48kbps. Sedangkan
Bandwidth totalnya sebanyak 192kbps. Untuk upstream tidak diberi rule,
berarti masing-masing client dapat menggunakan bandwidth uptream secara
maksimum. Perhatikan perintah priority, range priority di Mikrotik sebanyak
delapan. Berarti dari 1 sampai 8, priority 1 adalah priority tertinggi,
sedangkan priority 8 merupakan priority terendah.

Berikut Contoh kongirufasinya.
--------------------------------------------------------------------------------
/ queue simple
add name="trafikshaping" target-addresses=192.168.0.0/27 dst-address=0.0.0.0/0
interface=all parent=none priority=1 queue=default/default
limit-at=0/64000 max-limit=0/192000 total-queue=default disabled=no
add name="01" target-addresses=192.168.0.1/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="02" target-addresses=192.168.0.2/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="03" target-addresses=192.168.0.3/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="04" target-addresses=192.168.0.4/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.25/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="05" target-addresses=192.168.0.5/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="06" target-addresses=192.168.0.6/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="07" target-addresses=192.168.0.7/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="08" target-addresses=192.168.0.8/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="09" target-addresses=192.168.0.9/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="10" target-addresses=192.168.0.10/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="11" target-addresses=192.168.0.11/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="12" target-addresses=192.168.0.12/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="13" target-addresses=192.168.0.13/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="14" target-addresses=192.168.0.14/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no
add name="15" target-addresses=192.168.0.15/32 dst-address=0.0.0.0/0
interface=all parent=trafikshaping priority=1 queue=default/default
limit-at=0/8000 max-limit=0/48000 total-queue=default disabled=no

Perintah diatas karena dalam bentuk command line, bisa juga di copy
paste, selanjutnya di paste saja ke consol mikrotiknya. ingat lihat
dulu path atau direktory aktif. Silahkan dipaste saja, kalau posisi
direktorynya di Root.

-------------------------------------------------------------------
Terminal vt102 detected, using multiline input mode
[admin@mikrotik] >
------------------------------------------------------------------

Pilihan lain metode bandwidth manajemen ini, kalau seandainya ingin
bandwidth tersebut dibagi sama rata oleh Mikrotik, seperti bandwidth
256kbps downstream dan 256kbps upstream. Sedangkan client yang akan
mengakses sebanyak 10 client, maka otomatis masing-masing client
mendapat jatah bandwidth upstream dan downstream sebanyak 256kbps
dibagi 10. Jadi masing-masing dapat 25,6kbps. Andaikata hanya 2 Client
yang mengakses maka masing-masing dapat 128kbps.

Untuk itu dipakai type PCQ (Per Connection Queue), yang bisa secara
otomatis membagi trafik per client. Tentang jenis queue di mikrotik
ini dapat dibaca pada manualnya di http://www.mikrotik.com/testdocs/
ros/2.9/root/queue.php.

Sebelumnya perlu dibuat aturan di bagian MANGLE. Seperti :

--------------------------------------------------------------------
/ip firewall mangle add chain=forward src-address=192.168.0.0/27
action=mark-connection new-connection-mark=users-con
/ip firewall mangle add connection-mark=users-con action=mark-packet
new-packet-mark=users chain=forward
----------------------------------------------------------------------

Karena type PCQ belum ada, maka perlu ditambah, ada 2 type PCQ ini.
Pertama diberi nama pcq-download, yang akan mengatur semua trafik
melalui alamat tujuan/destination address. Trafik ini melewati
interface Local. Sehingga semua traffik download/downstream yang
datang dari jaringan 192.168.0.0/27 akan dibagi secara otomatis.

Tipe PCQ kedua, dinamakan pcq-upload, untuk mengatur semua trafik upstream
yang berasal dari alamat asal/source address. Trafik ini melewati
interface public. Sehingga semua traffik upload/upstream yang berasal
dari jaringan 192.168.0.0/27 akan dibagi secara otomatis.

Perintah:
-------------------------------------------------------------------------
/queue type add name=pcq-download kind=pcq pcq-classifier=dst-address
/queue type add name=pcq-upload kind=pcq pcq-classifier=src-address
-------------------------------------------------------------------------

Setelah aturan untuk PCQ dan Mangle ditambahkan, sekarang untuk aturan
pembagian trafiknya. Queue yang dipakai adalah Queue Tree, Yaitu:

-------------------------------------------------------------------------
/queue tree add parent=Local queue=pcq-download packet-mark=users
/queue tree add parent=Public queue=pcq-upload packet-mark=users
-------------------------------------------------------------------------

Perintah diatas mengasumsikan, kalau bandwidth yang diterima dari provider
Internet berflukstuasi atau berubah-rubah. Jika kita yakin bahwa bandwidth
yang diterima, misalkan dapat 256kbs downstream, dan 256kbps upstream, maka
ada lagi aturannya, seperti :

Untuk trafik downstreamnya :
------------------------------------------------------------------------
/queue tree add name=Download parent=Local max-limit=256k
/queue tree add parent=Download queue=pcq-download packet-mark=users
-------------------------------------------------------------------------

Dan trafik upstreamnya :
---------------------------------------------------------------------------
/queue tree add name=Upload parent=Public max-limit=256k
/queue tree add parent=Upload queue=pcq-upload packet-mark=users
---------------------------------------------------------------------------

--[10]-- Monitor MRTG via Web

Fasilitas ini diperlukan untuk monitoring trafik dalam bentuk grafik, dapat
dilihat dengan menggunakan browser. MRTG (The Multi Router Traffic Grapher)
telah dibuild sedemikian rupa, sehingga memudahkan kita memakainya. Telah
tersedia dipaket dasarnya.

Contoh konfigurasinya

-------------------------------------------------------------------------
/ tool graphing
set store-every=5min
/ tool graphing interface
add interface=all allow-address=0.0.0.0/0 store-on-disk=yes disabled=no
---------------------------------------------------------------------------

Perintah diatas akan menampilkan grafik dari trafik yang melewati interface
jaringan baik berupa Interface Public dan Interface Local, yang dirender
setiap 5 menit sekali. Juga dapat diatur Alamat apa saja yang dapat mengakses
MRTG ini, pada parameter allow-address.

--[11]-- Keamanan di Mikrotik

Setelah beberapa Konfigurasi diatas telah disiapkan, tentu tidak lupa kita
perhatikan keamanan dari Mesin gateway Mikrotik ini, ada beberapa fasilitas
yang dipergunakan. Dalam hal ini akan dibahas tentang Firewallnya. Fasilitas
Firewall ini secara pringsip serupa dengan IP TABLES di Gnu/Linux hanya saja
beberapa perintah telah di sederhanakan namun berdaya guna.

Di Mikrotik perintah firewall ini terdapat dalam modus IP, yaitu

[admin@routerku] > /ip firewall

Terdapat beberapa packet filter seperti mangle, nat, dan filter.

-------------------------------------------------------------------------
[admin@routerku] ip firewall> ?

Firewall allows IP packet filtering on per packet basis.

.. -- go up to ip
mangle/ -- The packet marking management
nat/ -- Network Address Translation
connection/ -- Active connections
filter/ -- Firewall filters
address-list/ --
service-port/ -- Service port management
export --
--------------------------------------------------------------------------

Untuk kali ini kita akan lihat konfigurasi pada ip firewall filternya.

Karena Luasnya parameter dari firewall filter ini untuk pembahasan Firewall
Filter selengkapnya dapat dilihat pada manual mikrotik, di
http://www.mikrotik.com/testdocs/ros/2.9/ip/filter.php

Konfigurasi dibawah ini dapat memblokir beberapa Trojan, Virus, Backdoor
yang telah dikenali sebelumnya baik Nomor Port yang dipakai serta Protokolnya.
Juga telah di konfigurasikan untuk menahan Flooding dari Jaringan Publik dan
jaringan Lokal. Serta pemberian rule untuk Access control agar, Rentang
jaringan tertentu saja yang bisa melakukan Remote atau mengakses service
tertentu terhadap Mesin Mikrotik kita.

Contoh Aplikasi Filternya
-----------------------------------------------------------------------------
/ ip firewall filter
add chain=input connection-state=invalid action=drop comment="Drop Invalid
connections" disabled=no
add chain=input src-address=!192.168.0.0/27 protocol=tcp src-port=1024-65535
dst-port=8080 action=drop comment="Block to Proxy" disabled=no
add chain=input protocol=udp dst-port=12667 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=27665 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=31335 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=27444 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=34555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=udp dst-port=35555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=27444 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=27665 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=31335 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=31846 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=34555 action=drop comment="Trinoo"
disabled=no
add chain=input protocol=tcp dst-port=35555 action=drop comment="Trinoo"
disabled=no
add chain=input connection-state=established action=accept comment="Allow
Established connections" disabled=no
add chain=input protocol=udp action=accept comment="Allow UDP" disabled=no
add chain=input protocol=icmp action=accept comment="Allow ICMP" disabled=no
add chain=input src-address=192.168.0.0/27 action=accept comment="Allow access
to router from known network" disabled=no
add chain=input action=drop comment="Drop anything else" disabled=no
add chain=forward protocol=tcp connection-state=invalid action=drop
comment="drop invalid connections" disabled=no
add chain=forward connection-state=established action=accept comment="allow
already established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow
related connections" disabled=no
add chain=forward src-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=0.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward dst-address=127.0.0.0/8 action=drop comment="" disabled=no
add chain=forward src-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward dst-address=224.0.0.0/3 action=drop comment="" disabled=no
add chain=forward protocol=tcp action=jump jump-target=tcp comment=""
disabled=no
add chain=forward protocol=udp action=jump jump-target=udp comment=""
disabled=no
add chain=forward protocol=icmp action=jump jump-target=icmp comment=""
disabled=no
add chain=tcp protocol=tcp dst-port=69 action=drop comment="deny TFTP"
disabled=no
add chain=tcp protocol=tcp dst-port=111 action=drop comment="deny RPC
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=135 action=drop comment="deny RPC
portmapper" disabled=no
add chain=tcp protocol=tcp dst-port=137-139 action=drop comment="deny NBT"
disabled=no
add chain=tcp protocol=tcp dst-port=445 action=drop comment="deny cifs"
disabled=no
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
disabled=no
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny
NetBus" disabled=no
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
disabled=no
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny
BackOriffice" disabled=no
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
disabled=no
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
disabled=no
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC
portmapper" disabled=no
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC
portmapper" disabled=no
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
disabled=no
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
disabled=no
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny
BackOriffice" disabled=no
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="Port
scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="SYN/FIN
scan" disabled=no
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list
address-list="port scanners" address-list-timeout=2w comment="SYN/RST
scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan" disabled=no
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan" disabled=no
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan" disabled=no
add chain=input src-address-list="port scanners" action=drop comment="dropping
port scanners" disabled=no
add chain=icmp protocol=icmp icmp-options=0:0 action=accept comment="drop
invalid connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:0 action=accept comment="allow
established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=3:1 action=accept comment="allow
already established connections" disabled=no
add chain=icmp protocol=icmp icmp-options=4:0 action=accept comment="allow
source quench" disabled=no
add chain=icmp protocol=icmp icmp-options=8:0 action=accept comment="allow
echo request" disabled=no
add chain=icmp protocol=icmp icmp-options=11:0 action=accept comment="allow
time exceed" disabled=no
add chain=icmp protocol=icmp icmp-options=12:0 action=accept comment="allow
parameter bad" disabled=no
add chain=icmp action=drop comment="deny all other types" disabled=no
add chain=tcp protocol=tcp dst-port=25 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=25 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=tcp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
add chain=tcp protocol=udp dst-port=110 action=reject
reject-with=icmp-network-unreachable comment="Smtp" disabled=no
-----------------------------------------------------------------------------

--[11.1]-- Service dan Melihat Service yang Aktif dengan PortScanner

Untuk memastikan Service apa saja yang aktif di Mesin mikrotik, perlu kita
pindai terhadap port tertentu, seandainya ada service yang tidak dibutuhkan,
sebaiknya dimatikan saja.

Untuk menonaktifkan dan mengaktifkan servise, perintah adalah :

Kita periksa dahulu service apa saja yang aktif

----------------------------------------------------------------------------------
[admin@routerku] > ip service
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 X telnet 23 0.0.0.0/0
1 ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 www-ssl 443 0.0.0.0/0 none
[admin@routerku] ip service>
----------------------------------------------------------------------------------

Misalkan service FTP akan dinonaktifkan, yaitu di daftar diatas terletak pada
nomor 1 (lihat bagian Flags) maka :

---------------------------------------------------------------------------------
[admin@routerku] ip service> set 1 disabled=yes
---------------------------------------------------------------------------------

Perlu kita periksa lagi,

---------------------------------------------------------------------------------
[admin@routerku] ip service> print
Flags: X - disabled, I - invalid
# NAME PORT ADDRESS CERTIFICATE
0 X telnet 23 0.0.0.0/0
1 X ftp 21 0.0.0.0/0
2 www 80 0.0.0.0/0
3 ssh 22 0.0.0.0/0
4 www-ssl 443 0.0.0.0/0 none
[admin@router.dprd.provinsi] ip service>
---------------------------------------------------------------------------------

Sekarang service FTP telah dinonaktifkan.

Dengan memakai tool nmap kita dapat mencek port apa saja yang aktif pada mesin
gateway yang telah dikonfigurasikan.

Perintah : nmap -vv -sS -sV -P0 192.168.0.30

Hasil :

-------------------------------------------------------------------------------------
Starting Nmap 4.20 ( http://insecure.org ) at 2007-04-04 19:55 SE Asia Standard Time
Initiating ARP Ping Scan at 19:55
Scanning 192.168.0.30 [1 port]
Completed ARP Ping Scan at 19:55, 0.31s elapsed (1 total hosts)
Initiating Parallel DNS resolution of 1 host. at 19:55
Completed Parallel DNS resolution of 1 host. at 19:55, 0.05s elapsed
Initiating SYN Stealth Scan at 19:55
Scanning 192.168.0.30 [1697 ports]
Discovered open port 22/tcp on 192.168.0.30
Discovered open port 53/tcp on 192.168.0.30
Discovered open port 80/tcp on 192.168.0.30
Discovered open port 21/tcp on 192.168.0.30
Discovered open port 3986/tcp on 192.168.0.30
Discovered open port 2000/tcp on 192.168.0.30
Discovered open port 8080/tcp on 192.168.0.30
Discovered open port 3128/tcp on 192.168.0.30
Completed SYN Stealth Scan at 19:55, 7.42s elapsed (1697 total ports)
Initiating Service scan at 19:55
Scanning 8 services on 192.168.0.30
Completed Service scan at 19:57, 113.80s elapsed (8 services on 1 host)
Host 192.168.0.30 appears to be up ... good.
Interesting ports on 192.168.0.30:
Not shown: 1689 closed ports
PORT STATE SERVICE VERSION
21/tcp open ftp MikroTik router ftpd 2.9.27
22/tcp open ssh OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99)
53/tcp open domain?
80/tcp open http MikroTik router http config
2000/tcp open callbook?
3128/tcp open http-proxy Squid webproxy 2.5.STABLE11
3986/tcp open mapper-ws_ethd?
8080/tcp open http-proxy Squid webproxy 2.5.STABLE11
2 services unrecognized despite returning data. If you know the service/version,
please submit the following fingerprints at
http://www.insecure.org/cgi-bin/servicefp-submit.cgi :

==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port53-TCP:V=4.20%I=7%D=4/4%Time=4613A03C%P=i686-pc-windows-windows%r(D
SF:NSVersionBindReq,E,"�x0c�x06x81x84��")%r(DNSStatusR
SF:equest,E,"�x0c��x90x84��");
==============NEXT SERVICE FINGERPRINT (SUBMIT INDIVIDUALLY)==============
SF-Port2000-TCP:V=4.20%I=7%D=4/4%Time=4613A037%P=i686-pc-windows-windows%r
SF:(NULL,4,"x01��")%r(GenericLines,4,"x01��")%r(GetRequest,18,"
SF:x01��x02��d?xe4{x9dx02x1axccx8bxd1Vxb2Fxff9xb0")%r(
SF:HTTPOptions,18,"x01��x02��d?xe4{x9dx02x1axccx8bxd1Vx
SF:b2Fxff9xb0")%r(RTSPRequest,18,"x01��x02��d?xe4{x9dx02x
SF:1axccx8bxd1Vxb2Fxff9xb0")%r(RPCCheck,18,"x01��x02��d?
SF:xe4{x9dx02x1axccx8bxd1Vxb2Fxff9xb0")%r(DNSVersionBindReq,18,"
SF:x01��x02��d?xe4{x9dx02x1axccx8bxd1Vxb2Fxff9xb0")%r(
SF:DNSStatusRequest,4,"x01��")%r(Help,4,"x01��")%r(X11Probe,4,"
SF:x01��")%r(FourOhFourRequest,18,"x01��x02��xb9x15&xf1A
SF:]+x11nxf6x9bxa0,xb0xe1xa5")%r(LPDString,4,"x01��")%r(LDAP
SF:BindReq,4,"x01��")%r(LANDesk-RC,18,"x01��x02��xb9x15&
SF:xf1A]+x11nxf6x9bxa0,xb0xe1xa5")%r(TerminalServer,4,"x01��
SF:0")%r(NCP,18,"x01��x02��xb9x15&xf1A]+x11nxf6x9bxa0,
SF:xb0xe1xa5")%r(NotesRPC,18,"x01��x02��xb9x15&xf1A]+x1
SF:1nxf6x9bxa0,xb0xe1xa5")%r(NessusTPv10,4,"x01��");
MAC Address: 00:90:4C:91:77:02 (Epigram)
Service Info: Host: routerku; Device: router

Service detection performed. Please report any incorrect results at
http://insecure.org/nmap/submit/ .

Nmap finished: 1 IP address (1 host up) scanned in 123.031 seconds
Raw packets sent: 1706 (75.062KB) | Rcvd: 1722 (79.450KB)

---------------------------------------------------------------------------

Dari hasil scanning tersebut dapat kita ambil kesimpulan, bahwa service dan
port yang aktif adalah FTP dalam versi MikroTik router ftpd 2.9.27. Untuk
SSH dengan versi OpenSSH 2.3.0 mikrotik 2.9.27 (protocol 1.99). Serta Web
proxy memakai Squid dalam versi Squid webproxy 2.5.STABLE11.

Tentu saja pihak vendor mikrotik telah melakukan patch terhadap Hole atau
Vulnerabilities dari Versi Protocol diatas.

--[11.2]-- Tool administrasi Jaringan

Secara praktis terdapat beberapa tool yang dapat dimanfaatkan dalam mela
kukan troubleshooting jaringan, seperti tool ping, traceroute, SSH, dll.
Beberapa tool yang sering digunakan nantinya dalam administrasi sehari-hari
adalah :

o Telnet
o SSH
o Traceroute
o Sniffer

a. Telnet
Perintah remote mesin ini hampir sama penggunaan dengan telnet yang ada
di Linux atau Windows.

[admin@routerku] > system telnet ?

Perintah diatas untuk melihat sekilias paramater apa saja yang ada. Misalnya
mesin remote dengan ip address 192.168.0.21 dan port 23. Maka

[admin@routerku] > system telnet 192.168.0.21

Penggunaan telnet sebaiknya dibatasi untuk kondisi tertentu dengan alasan
keamanan, seperti kita ketahui, packet data yang dikirim melalui telnet
belum di enskripsi. Agar lebih amannya kita pergunakan SSH.

b. SSH
Sama dengan telnet perintah ini juga diperlukan dalam remote mesin, serta
pringsipnya sama juga parameternya dengan perintah di Linux dan Windows.

[admin@routerku] > system ssh 192.168.0.21

Parameter SSH diatas, sedikit perbedaan dengan telnet. Jika lihat helpnya
memiliki parameter tambahan yaitu user.

------------------------------------------------------------------------------
[admin@routerku] > system ssh ?
The SSH feature can be used with various SSH Telnet clients to securely connect
to and administrate the router

--
user -- User name
port -- Port number

[admin@routerku] >
------------------------------------------------------------------------------

Misalkan kita akan melakukan remote pada suatu mesin dengan sistem
operasinya Linux, yang memiliki Account, username Root dan Password
123456 pada Address 66.213.7.30. Maka perintahnya,

-----------------------------------------------------------------------------
[admin@routerku] > system ssh 66.213.7.30 user=root
root@66.213.7.30's password:
----------------------------------------------------------------------------

c. Traceroute

Mengetahui hops atau router apa saja yang dilewati suatu packet sampai packet
itu terkirim ke tujuan, lazimnya kita menggunakan traceroute. Dengan tool ini
dapat di analisa kemana saja route dari jalannya packet.

Misalkan ingin mengetahui jalannya packet yang menuju server yahoo, maka:

----------------------------------------------------------------------------
[admin@routerku] > tool traceroute yahoo.com ADDRESS STATUS
1 63.219.6.nnn 00:00:00 00:00:00 00:00:00
2 222.124.4.nnn 00:00:00 00:00:00 00:00:00
3 192.168.34.41 00:00:00 00:00:00 00:00:00
4 61.94.1.253 00:00:00 00:00:00 00:00:00
5 203.208.143.173 00:00:00 00:00:00 00:00:00
6 203.208.182.5 00:00:00 00:00:00 00:00:00
7 203.208.182.114 00:00:00 00:00:00 00:00:00
8 203.208.168.118 00:00:00 00:00:00 00:00:00
9 203.208.168.134 timeout 00:00:00 00:00:00
10 216.115.101.34 00:00:00 timeout timeout
11 216.115.101.129 timeout timeout 00:00:00
12 216.115.108.1 timeout timeout 00:00:00
13 216.109.120.249 00:00:00 00:00:00 00:00:00
14 216.109.112.135 00:00:00 timeout timeout
------------------------------------------------------------------------------

d. Sniffer

Kita dapat menangkap dan menyadap packet-packet yang berjalan
di jaringan kita, tool ini telah disediakan oleh Mikrotik yang berguna
dalam menganalisa trafik.

----------------------------------------------------------------------------
[admin@routerku] > tool sniffer
Packet sniffering

.. -- go up to tool
start -- Start/reset sniffering
stop -- Stop sniffering
save -- Save currently sniffed packets
packet/ -- Sniffed packets management
protocol/ -- Protocol management
host/ -- Host management
connection/ -- Connection management
print --
get -- get value of property
set --
edit -- edit value of property
export --
----------------------------------------------------------------------------

Untuk memulai proses sniffing dapat menggunakan perintah Start, sedangkan
menghentikannya dapat menggunaka perintah Stop.

[admin@routerku] > tool sniffer start

Proses sniffing sedang dikerjakan, tunggu saja beberapa lama, kemudian
ketikkan perintah stop jika ingin menghentikannya. Melihat hasil packet
yang ditangkap dapat menggunakan perintah print, untuk mengeksportnya
dalam bentuk file dapat digunakan perintah export.

--[12]-- Kesimpulan

Untuk pemakaian jaringan berskala Kecil-menengah produk dari Latvia ini,
dapat menjadi pilihan, saya disini bukan untuk mempromosikan Produk ini.
Namun sebagai gambaran, bagaimana memanfaatkan produk ini untuk berbagai
keperluan, lagipula sebagai alternatif dari produk sejenis yang harganya
cenderung mahal.

Dengan Mikrotik yang saat ini sedang populernya diterapkan pada berbagai
ISP Wireless, Warnet-warnet serta beberapa Perusahaan. Maka Administrasi
Sistem Jaringan dapat lebih mudah dan sederhana. Yang jelas untuk sekedar
memanfaatkan fasilitas Routing saja, PC TUA anda dapat digunakan.

Mudah-mudahan paparan diatas dapat membantu pembaca dalam memahami, apa
dan bagaimana mikrotik ini.

--[13]-- Referensi

Artikel ini merupakan kompilasi dari berbagai sumber

1. Web Blog
- http://dhanis.web.id
- http://okawardhana.web.id
- http://harrychanputra.web.id

2. Website
- http://www.cgd.co.id
- http://www.ilmukomputer.org
- http://www.mikrotik.com
- http://www.mikrotik.co.id
- http://forum.mikrotik.com

oO Using no way as a way, Using no limitations as a limitation Oo

Salam dan terimakasih,
r0t0r
-----------------------------------------------------------------------
Copyleft Unreserved by Law 1995 - 2007 Kecoak Elektronik Indonesia
http://www.kecoak-elektronik.net

.L.A.M.P.I.R.A.N.

Daftar Port dan Protocol berbagai jenis Trojan, Backdoor, Virus.
daftar ini dapat saja tidak berlaku, atau dapat pula perlu ditambah
seiring perkembangan Malware tersebut. Update terus Filter Rule
mesin mikrotik anda.
########## Pembatasan Brute Force #################################
/ ip firewall filter
add chain=input protocol=tcp dst-port=22 connection-limit=1,32
action=add-src-to-address-list address-list=ssh_logins
address-list-timeout=2m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=!ssh_logins
action=accept comment="" disabled=no
add chain=forward src-address=192.168.1.10 protocol=tcp src-port=21
content="password incorrect" action=add-dst-to-address-list
address-list=ftp_logins address-list-timeout=1m comment="" disabled=no
add chain=forward src-address-list=ftp_logins action=drop comment="" disabled=no
########################################################################

Pemblokiran beberapa URL tertentu dapat dilakukan pada mikrotik.
Jika paket web-proxy telah terinstall dan web-proxynya juga telah
dikonfigurasi, maka perintah dibawah ini dapat disertakan.

Tutorial Step By Step Seting MikroTik

2008-04-09T09:57:00.000+07:00

MikroTik RouterOS™ adalah sistem operasi linux yang dapat digunakan untuk menjadikan komputer menjadi router network yang handal, mencakup berbagai fitur yang dibuat untuk ip network dan jaringan wireless, cocok digunakan oleh ISP dan provider hostspot.

Ada pun fitur2 nya sbb:

* Firewall and NAT - stateful packet filtering; Peer-to-Peer protocol filtering; source and destination NAT; classification by source MAC, IP addresses (networks or a list of networks) and address types, port range, IP protocols, protocol options (ICMP type, TCP flags and MSS), interfaces, internal packet and connection marks, ToS (DSCP) byte, content, matching sequence/frequency, packet size, time and more…

* Routing - Static routing; Equal cost multi-path routing; Policy based routing (classification done in firewall); RIP v1 / v2, OSPF v2, BGP v4

* Data Rate Management - Hierarchical HTB QoS system with bursts; per IP / protocol / subnet / port / firewall mark; PCQ, RED, SFQ, FIFO queue; CIR, MIR, contention ratios, dynamic client rate equalizing (PCQ), bursts, Peer-to-Peer protocol limitation

* HotSpot - HotSpot Gateway with RADIUS authentication and accounting; true Plug-and-Play access for network users; data rate limitation; differentiated firewall; traffic quota; real-time status information; walled-garden; customized HTML login pages; iPass support; SSL secure authentication; advertisement support

* Point-to-Point tunneling protocols - PPTP, PPPoE and L2TP Access Concentrators and clients; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; MPPE encryption; compression for PPPoE; data rate limitation; differentiated firewall; PPPoE dial on demand

* Simple tunnels - IPIP tunnels, EoIP (Ethernet over IP)

* IPsec - IP security AH and ESP protocols; MODP Diffie-Hellman groups 1,2,5; MD5 and SHA1 hashing algorithms; DES, 3DES, AES-128, AES-192, AES-256 encryption algorithms; Perfect Forwarding Secrecy (PFS) MODP groups 1,2,5

* Proxy - FTP and HTTP caching proxy server; HTTPS proxy; transparent DNS and HTTP proxying; SOCKS protocol support; DNS static entries; support for caching on a separate drive; access control lists; caching lists; parent proxy support

* DHCP - DHCP server per interface; DHCP relay; DHCP client; multiple DHCP networks; static and dynamic DHCP leases; RADIUS support

* VRRP - VRRP protocol for high availability

* UPnP - Universal Plug-and-Play support

* NTP - Network Time Protocol server and client; synchronization with
GPS system

* Monitoring/Accounting - IP traffic accounting, firewall actions logging, statistics graphs accessible via HTTP

* SNMP - read-only access

* M3P - MikroTik Packet Packer Protocol for Wireless links and Ethernet

* MNDP - MikroTik Neighbor Discovery Protocol; also supports Cisco Discovery Protocol (CDP)

* Tools - ping; traceroute; bandwidth test; ping flood; telnet; SSH; packet sniffer; Dynamic DNS update tool

Layer 2 connectivity:

* Wireless - IEEE802.11a/b/g wireless client and access point (AP) modes; Nstreme and Nstreme2 proprietary protocols; Wireless Distribution System (WDS) support; virtual AP; 40 and 104 bit WEP; WPA pre-shared key authentication; access control list; authentication with RADIUS server; roaming (for wireless client); AP bridging

* Bridge - spanning tree protocol; multiple bridge interfaces; bridge firewalling, MAC

* VLAN - IEEE802.1q Virtual LAN support on Ethernet and wireless links; multiple VLANs; VLAN bridging

* Synchronous - V.35, V.24, E1/T1, X.21, DS3 (T3) media types; sync-PPP, Cisco HDLC, Frame Relay line protocols; ANSI-617d (ANDI or annex D) and Q933a (CCITT or annex A) Frame Relay LMI types

* Asynchronous - s*r*al PPP dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; onboard s*r*al ports; modem pool with up to 128 ports; dial on demand

* ISDN - ISDN dial-in / dial-out; PAP, CHAP, MSCHAPv1 and MSCHAPv2 authentication protocols; RADIUS authentication and accounting; 128K bundle support; Cisco HDLC, x75i, x75ui, x75bui line protocols; dial on demand

* SDSL - Single-line DSL support; line termination and network termination modes

Instalasi dapat dilakukan pada Standard computer PC yang akan dijadikan router dan tidak memerlukan resource yang cukup besar untuk penggunaan standard, misalnya hanya sebagai gateway.

Berikut spec_minimal nya :

* CPU dan motherboard - bisa dgn P1 ~ P4, AMD, cyrix asal yang bukan multi-prosesor

* RAM - minimum 32 MiB, maximum 1 GiB; 64 MiB atau lebih sangat dianjurkan, kalau mau sekalian dibuat proxy , dianjurkan 1GB… perbandingannya, 15MB di memori ada 1GB di proxy..

* HDD minimal 128MB parallel ATA atau Compact Flash, tidak dianjurkan menggunakan UFD, SCSI, apa lagi S-ATA (mungkin nanti Ver. 3.0)

* NIC 10/100 atau 100/1000

Untuk keperluan beban yang besar ( network yang kompleks, routing yang rumit dll) disarankan untuk mempertimbangkan pemilihan resource PC yang memadai.

Lebih lengkap bisa dilihat di www.mikrotik.com. Meskipun demikian Mikrotik bukanlah free software, artinya kita harus membeli licensi terhadap segala fasiltas yang disediakan. Free trial hanya untuk 24 jam saja.

Kita bisa membeli software MikroTik dalam bentuk “licence” di CITRAWEB, UFOAKSES, PC24 (atau download cracknya, he he he …) yang diinstall pada HardDisk yang sebelumnya download/dibuat MikroTik RouterOS ISO kekeping CD atau disk on module (DOM). Jika kita membeli DOM tidak perlu install tetapi tinggal pasang DOM pada slot IDE PC kita.

Langkah-langkah berikut adalah dasar-dasar setup mikrotik yang dikonfigurasikan untuk jaringan
sederhana sebagai gateway server.

1. Langkah pertama adalah install Mikrotik RouterOS pada PC atau pasang DOM.

2. Login Pada Mikrotik Routers melalui console :

MikroTik v2.9.39

Login: admin

Password: (kosongkan)

Sampai langkah ini kita sudah bisa masuk pada mesin Mikrotik. User default adalah admin dan tanpa password, tinggal ketik admin kemudian tekan tombol enter.

3. Untuk keamanan ganti password default

[admin@Mikrotik] > password

old password: *****

new password: *****

retype new password: *****

[admin@ Mikrotik] >

4. Mengganti nama Mikrotik Router, pada langkah ini nama server akan kita ganti menjadi
“r-WLI” (bebas, disesuaikan dengan nama jaringan kita…)

[admin@Mikrotik] > system identity set name=r-WLI

[admin@r-WLI] >

5. Melihat interface pada Mikrotik Router

[admin@r-WLI] > interface print

Flags: X - disabled, D - dynamic, R - running

# NAME TYPE RX-RATE TX-RATE MTU

0 R ether1 ether 0 0 1500

1 R ether2 ether 0 0 1500

[admin@r-WLI] >

6. Memberikan IP address pada interface Mikrotik. Misalkan ether1 akan kita gunakan untuk koneksi ke Internet dengan IP 192.168.0.1 dan ether2 akan kita gunakan untuk network local kita dengan IP 172.16.0.1

[admin@r-WLI] > ip address add address=192.168.0.1 /

netmask=255.255.255.0 interface=ether1

[admin@r-WLI] > ip address add address=172.16.0.1 /

netmask=255.255.255.0 interface=ether2

7. Melihat konfigurasi IP address yang sudah kita berikan

[admin@r-WLI] >ip address print

Flags: X - disabled, I - invalid, D - dynamic

# ADDRESS NETWORK BROADCAST INTERFACE

0 192.168.0.1/24 192.168.0.0 192.168.0.63 ether1

1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether2

[admin@r-WLI] >

8. Memberikan default Gateway, diasumsikan gateway untuk koneksi internet adalah 192.168.0.254

[admin@r-WLI] > /ip route add gateway=192.168.0.254

9. Melihat Tabel routing pada Mikrotik Routers

[admin@r-WLI] > ip route print

Flags: X - disabled, A - active, D - dynamic,

C - connect, S - static, r - rip, b - bgp, o - ospf

# DST-ADDRESS PREF-SRC G GATEWAY DISTANCE INTERFACE

0 ADC 172.16.0.0/24 172.16.0.1 ether2

1 ADC 192.168.0.0/26 192.168.0.1 ether1

2 A S 0.0.0.0/0 r 192.168.0.254 ether1

[admin@r-WLI] >

10. Tes Ping ke Gateway untuk memastikan konfigurasi sudah benar

[admin@r-WLI] > ping 192.168.0.254

192.168.0.254 64 byte ping: ttl=64 time

11. Setup DNS pada Mikrotik Routers

[admin@r-WLI] > ip dns set primary-dns=192.168.0.10 /

allow-remoterequests=no

[admin@r-WLI] > ip dns set secondary-dns=192.168.0.11 /

allow-remoterequests=no

12. Melihat konfigurasi DNS

[admin@r-WLI] ip dns> pr

primary-dns: 192.168.0.10

secondary-dns: 192.168.0.11

allow-remote-requests: no

cache-size: 2048KiB

cache-max-ttl: 1w

cache-used: 21KiB

[admin@r-WLI] ip dns>

13. Tes untuk akses domain, misalnya dengan ping nama domain

[admin@r-WLI] > ping yahoo.com

216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max = 571/571.0/571 ms
[admin@r-WLI] >

Jika sudah berhasil reply berarti seting DNS sudah benar.

14. Setup Masquerading, Jika Mikrotik akan kita pergunakan sebagai gateway server maka agar client computer pada network dapat terkoneksi ke internet perlu kita masquerading.

[admin@r-WLI]> ip firewall nat add action=masquerade /

outinterface=ether1 chain:srcnat

[admin@r-WLI] >

15. Melihat konfigurasi Masquerading

[admin@r-WLI]ip firewall nat print

Flags: X - disabled, I - invalid, D - dynamic

0 chain=srcnat out-interface=ether1 action=masquerade

[admin@r-WLI] >

Setelah langkah ini bisa dilakukan pemeriksaan untuk koneksi dari jaringan local. Dan jika berhasil berarti kita sudah berhasil melakukan instalasi MikroTik Router sebagai Gateway server. Setelah terkoneksi dengan jaringan Mikrotik dapat dimanage menggunakan WinBox yang bisa didownload dari MikroTik.com atau dari server mikrotik kita.

Misal Ip address server mikrotik kita 192.168.0.1, via browser buka http://192.168.0.1 dan download WinBox dari situ.
Jika kita menginginkan client mendapatkan IP address secara otomatis maka perlu kita setup dhcp server pada Mikrotik. Berikut langkah-langkahnya :

1. Buat IP address pool
/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20

2. Tambahkan DHCP Network dan gatewaynya yang akan didistribusikan ke client Pada contoh ini networknya adalah 172.16.0.0/24 dan gatewaynya 172.16.0.1
/ip dhcp-server network add address=172.16.0.0/24 gateway=172.16.0.1

3. Tambahkan DHCP Server ( pada contoh ini dhcp diterapkan pada interface ether2 )
/ip dhcp-server add interface=ether2 address-pool=dhcp-pool

4. Lihat status DHCP server

[admin@r-WLI] > ip dhcp-server pr

Flags: X - disabled, I - invalid

# NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP

x dhcp1 ether2 dhcp_pool1 4w2d yes

[admin@r-WLI] >

Tanda X menyatakan bahwa DHCP server belum enable maka perlu dienablekan terlebih dahulu pada langkah 5.

5. Jangan Lupa dibuat enable dulu dhcp servernya
/ip dhcp-server enable 0

Kemudian cek kembali dhcp-server seperti langkah 4, jika tanda X sudah tidak ada berarti sudah aktif.

6. Tes Dari client

Run dari Comman Prompt

Microsoft Windows XP [Version 5.1.2600]
(C) Copyright 1985-2001 Microsoft Corp.

C:\Documents and Settings\EsDat>ping www.yahoo.com

Pinging www.yahoo-ht3.akadns.net [69.147.114.210] with 32 bytes of data:

Reply from 124.158.129.5: bytes=32 time=34ms TTL=59
Reply from 124.158.129.5: bytes=32 time=24ms TTL=59
Reply from 124.158.129.5: bytes=32 time=41ms TTL=59
Reply from 124.158.129.5: bytes=32 time=29ms TTL=59

Ping statistics for 69.147.114.210:
Packets: Sent = 4, Received = 4, Lost = 0 (0% loss),
Approximate round trip times in milli-seconds:
Minimum = 24ms, Maximum = 41ms, Average = 32ms

7. Untuk bandwith controller, bisa dengan sistem simple queue ataupun bisa dengan mangle

[admin@r-WLI] queue simple> add name=Komputer01 /

interface=ether2 target-address=172.16.0.1/24 max-limit=65536/131072

[admin@r-WLI] queue simple> add name=Komputer02 /

interface=ether2 target-address=172.16.0.2/24 max-limit=65536/131072

dan seterusnya…

14 langkah instalasi miktotik pakai speedy

2008-04-09T08:53:00.000+07:00

/ip address add interface=ether1 address = 192.168.1.1 netmask= 255.255.255.0
/ip address add interface=ether2 address = 192.168.0.1 netmask= 255.255.255.0
/interface print
/inteface set 0 name=”Public”
/inteface set 1 name=”Lan”
/ip route add gateway=192.168.0.1
/ip dns set primary-dns=203.130.193.74 secondary-dns=202.134.0.155
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=srcnat out-inteface=Public action=masquerade
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080
/ip pool add name=”dhcp-pool” ranges=192.168.0.1-192.168.0.29
/ip dhcp-server add name=”dhcp1″ inteface=LAN address-pool=”dhcp-pool” lease-time=3d
/ip dns set allow-remote-requests=yes
/ip firewall nat add chain=srcnat out-inteface=Public action=masquerade
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 action=redirect to-ports=8080

Filter

2008-04-08T16:19:00.000+07:00

General Information
Summary

The firewall implements packet filtering and thereby provides security functions that are used to manage data flow to, from and through the router. Along with the Network Address Translation it serve as a tool for preventing unauthorized access to directly attached networks and the router itself as well as a filter for outgoing traffic.
Quick Setup Guide

To add a firewall rule which drops all TCP packets that are destined to port 135 and going through the router, use the following command:
/ip firewall filter add chain=forward dst-port=135 protocol=tcp action=drop

To deny acces to the router via Telnet (protocol TCP, port 23), type the following command:
/ip firewall filter add chain=input protocol=tcp dst-port=23 action=drop

To only allow not more than 5 simultaneous connections from each of the clients, do the following:
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-limit=6,32 action=drop
Specifications
Packages required: system
License required: Level1 (P2P filters limited to 1) , Level3
Submenu level: /ip firewall filter
Standards and Technologies: IP, RFC2113
Hardware usage: Increases with filtering rules count
Firewall Filter
Submenu level: /ip firewall filter
Description

Network firewalls keep outside threats away from sensitive data available inside the network. Whenever different networks are joined together, there is always a threat that someone from outside of your network will break into your LAN. Such break-ins may result in private data being stolen and distributed, valuable data being altered or destroyed, or entire hard drives being erased. Firewalls are used as a means of preventing or minimizing the security risks inherent in connecting to other networks. Properly configured firewall plays a key role in efficient and secure network infrastrure deployment.

MikroTik RouterOS has very powerful firewall implementation with features including:
stateful packet inspection
Layer-7 protocol detection
peer-to-peer protocols filtering
traffic classification by:
source MAC address
IP addresses (network or list) and address types (broadcast, local, multicast, unicast)
port or port range
IP protocols
protocol options (ICMP type and code fields, TCP flags, IP options and MSS)
interface the packet arrived from or left through
internal flow and connection marks
DSCP byte
packet content
rate at which packets arrive and sequence numbers
packet size
packet arrival time
and much more!
General Filtering Principles

The firewall operates by means of firewall rules. A rule is a definitive form expression that tells the router what to do with a particular IP packet. Each rule consists of two parts that are the matcher which matches traffic flow against given conditions and the action which defines what to do with the mathched packets. Rules are organized in chains for better management.

The filter facility has three default chains: input, forward and output that are responsible for traffic coming from, throurh and to the router, respectively. New user-defined chains can be added, as necessary. Since these chains have no default traffic to match, rules with action=jump and relevant jump-target should be added to one or more of the three default chains.
Filter Chains

As mentioned before, the firewall filtering rules are grouped together in chains. It allows a packet to be matched against one common criterion in one chain, and then passed over for processing against some other common criteria to another chain. For example a packet should be matched against the IP address:port pair. Of course, it could be achieved by adding as many rules with IP address:port match as required to the forward chain, but a better way could be to add one rule that matches traffic from a particular IP address, e.g.: /ip firewall filter add src-address=1.1.1.2/32 jump-target="mychain" and in case of successfull match passes control over the IP packet to some other chain, id est mychain in this example. Then rules that perform matching against separate ports can be added to mychain chain without specifying the IP addresses.

There are three predefined chains, which cannot be deleted:
input - used to process packets entering the router through one of the interfaces with the destination IP address which is one of the router's addresses. Packets passing through the router are not processed against the rules of the input chain
forward - used to process packets passing through the router
output - used to process packets originated from the router and leaving it through one of the interfaces. Packets passing through the router are not processed against the rules of the output chain

When processing a chain, rules are taken from the chain in the order they are listed there from top to bottom. If a packet matches the criteria of the rule, then the specified action is performed on it, and no more rules are processed in that chain (the exception is the passthrough action). If a packet has not matched any rule within the chain, then it is accepted.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | drop | jump | log | passthrough | reject | return | tarpit; default: accept) - action to undertake if the packet matches the ruleaccept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by address-list parameter
drop - silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
passthrough - ignores this rule and goes on to the next one
reject - reject the packet and send an ICMP reject message
return - passes control back to the chain from where the jump took place
tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)
accept - accept the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by address-list parameter
drop - silently drop the packet (without sending the ICMP reject message)
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
passthrough - ignores this rule and goes on to the next one
reject - reject the packet and send an ICMP reject message
return - passes control back to the chain from where the jump took place
tarpit - captures and holds incoming TCP connections (replies with SYN/ACK to the inbound TCP SYN packet)

address-list (name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be later used for packet matching

address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions00:00:00 - leave the address in the address list forever
00:00:00 - leave the address in the address list forever

chain (forward | input | output | name) - specifies the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created

comment (text) - a descriptive comment for the rule. A comment can be used to identify rules form scripts

connection-bytes (integer-integer) - matches packets only if a given amount of bytes has been transfered through the particular connection0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection
0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection

connection-limit (integer,netmask) - restrict connection limit per address or address block

connection-mark (name) - matches packets marked via mangle facility with particular connection mark

connection-state (estabilished | invalid | new | related) - interprets the connection tracking analysis data for a particular packetestabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection (the later requires enabled FTP connection tracking helper under /ip firewall service-port)
estabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection (the later requires enabled FTP connection tracking helper under /ip firewall service-port)

connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port

content (text) - the text packets should contain in order to match the rule

dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value

dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

dst-address-list (name) - matches destination address of a packet against user-defined address list

dst-address-type (unicast | local | broadcast | multicast) - matches destination address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match, every destination IP address / destination port has it's own limit. The options are as follows (in order of appearance):count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted

dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range

fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first fragment) does not count. Note that is the connection tracking is enabled, there will be no fragments as the system automatically assembles every packet

hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from clients against various HotSpot conditions. All values can be negatedauth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client
auth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client

icmp-options (integer:integer) - matches ICMP Type:Code fields

in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface - the bridge itself)

in-interface (name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)

ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either VLAN or WMM priority

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header optionsany - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp

jump-target (forward | input | output | name) - name of the target chain to jump to, if the action=jump is used

layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power

limit (integer/time{0,1},integer) - restricts packet match rate to a given limit. Usefull to reduce the amount of log messagescount - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst

log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log

nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packetsevery - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.
every - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.

out-bridge-port (name) - actual interface the packet is leaving the router through (if bridged, this property matches the actual bridge port, while out-interface - the bridge itself)

out-interface (name) - interface the packet is leaving the router through (if the interface is bridged, then the packet will appear to leave through the bridge interface itself)

p2p (all-p2p | bit-torrent | blubster | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - matches packets from various peer-to-peer (P2P) protocols

packet-mark (text) - matches packets marked via mangle facility with particular packet mark

packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the specified size or size range in bytesmin - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range
min - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range

port (port{0-16}) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers)

protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports

psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfersWeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port
WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port

random (integer: 1..99) - matches packets randomly with given propability

reject-with (icmp-admin-prohibited | icmp-echo-reply | icmp-host-prohibited | icmp-host-unreachable | icmp-net-prohibited | icmp-network-unreachable | icmp-port-unreachable | icmp-protocol-unreachable | tcp-reset | integer) - alters the reply packet of reject action

routing-mark (name) - matches packets marked by mangle facility with particular routing mark

src-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is originated from. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

src-address-list (name) - matches source address of a packet against user-defined address list

src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

src-mac-address (MAC address) - source MAC address

src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or range

tcp-flags (ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to matchack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
ack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data

tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet

time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date

Notes

Because the NAT rules are applied first, it is important to hold this in mind when setting up firewall rules, since the original packets might be already modified by the NAT
Filter Applications
Protect your RouterOS router

To protect your router, you should not only change admin's password but also set up packet filtering. All packets with destination to the router are processed against the ip firewall input chain. Note, that the input chain does not affect packets which are being transferred through the router.
/ ip firewall filter
add chain=input connection-state=invalid action=drop \
comment="Drop Invalid connections"
add chain=input connection-state=established action=accept \
comment="Allow Established connections"
add chain=input protocol=udp action=accept \
comment="Allow UDP"
add chain=input protocol=icmp action=accept \
comment="Allow ICMP"
add chain=input src-address=192.168.0.0/24 action=accept \
comment="Allow access to router from known network"
add chain=input action=drop comment="Drop anything else"

Protecting the Customer's Network

To protect the customer's network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where will be droped all unwanted packets:
/ip firewall filter
add chain=forward protocol=tcp connection-state=invalid \
action=drop comment="drop invalid connections"
add chain=forward connection-state=established action=accept \
comment="allow already established connections"
add chain=forward connection-state=related action=accept \
comment="allow related connections"

Block IP addreses called "bogons":
add chain=forward src-address=0.0.0.0/8 action=drop
add chain=forward dst-address=0.0.0.0/8 action=drop
add chain=forward src-address=127.0.0.0/8 action=drop
add chain=forward dst-address=127.0.0.0/8 action=drop
add chain=forward src-address=224.0.0.0/3 action=drop
add chain=forward dst-address=224.0.0.0/3 action=drop

Make jumps to new chains:
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp

Create tcp chain and deny some tcp ports in it:
add chain=tcp protocol=tcp dst-port=69 action=drop \
comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOriffice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Deny udp ports in udp chain:
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny PRC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOriffice"

Allow only needed icmp codes in icmp chain:
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
comment="drop invalid connections"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
comment="allow established connections"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
comment="allow already established connections"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"

Address Lists

2008-04-08T16:18:00.000+07:00

General Information
Summary

Firewall address lists allow to create a list of IP addresses to be used for packet matching.
Specifications
Packages required: system
License required: Level1
Submenu level: /ip firewall address-list
Standards and Technologies: IP
Hardware usage: Not significant
Address Lists
Description

Firewall address lists allow user to create lists of IP addresses grouped together. Firewall filter, mangle and NAT facilities can use address lists to match packets against them.

The address list records could be updated dynamically via the action=add-src-to-address-list or action=add-dst-to-address-list items found in NAT mangle and filter facilities.
Property Description
address (IP address/netmask | IP address-IP address) - specify the IP address or range to be added to the address list. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

list (name) - specify the name of the address list to add IP address to

Example

The following example creates an address list of people thet are connecting to port 23 (telnet) on the router and drops all further traffic from them. Additionaly, the address list will contain one static entry of address=192.0.34.166/32 (www.example.com):
[admin@MikroTik] > /ip firewall address-list add list=drop_traffic address=192.0.34.166/32
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 drop_traffic 192.0.34.166
[admin@MikroTik] > /ip firewall mangle add chain=prerouting protocol=tcp dst-port=23 \
\... action=add-src-to-address-list address-list=drop_traffic
[admin@MikroTik] > /ip firewall filter add action=drop chain=input src-address-list=drop_traffic
[admin@MikroTik] > /ip firewall address-list print
Flags: X - disabled, D - dynamic
# LIST ADDRESS
0 drop_traffic 192.0.34.166
1 D drop_traffic 1.1.1.1
2 D drop_traffic 10.5.11.8
[admin@MikroTik] >

As seen in the output of the last print command, two new dynamic entries appeared in the address list. Hosts with these IP addresses tried to initialize a telnet session to the router.

Mangle

2008-04-08T16:15:00.000+07:00

General Information
Summary

The mangle facility allows to mark IP packets with special marks. These marks are used by various other router facilities to identify the packets. Additionaly, the mangle facility is used to modify some fields in the IP header, like TOS (DSCP) and TTL fields.
Specifications
Packages required: system
License required: Level1
Submenu level: /ip firewall mangle
Standards and Technologies: IP
Hardware usage: Increases with count of mangle rules
Mangle
Submenu level: /ip firewall mangle
Description

Mangle is a kind of 'marker' that marks packets for future processing with special marks. Many other facilities in RouterOS make use of these marks, e.g. queue trees and NAT. They identify a packet based on its mark and process it accordingly. The mangle marks exist only within the router, they are not transmitted across the network.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | change-dscp | change-mss | change-ttl | jump | log | mark-connection | mark-packet | mark-routing | passthrough | return | set-priority | strip-ipv4-options; default: accept) - action to undertake if the packet matches the ruleaccept - accept the packet. No action, i.e., the packet is passed through and no more rules are applied to it
add-dst-to-address-list - add destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - add source address of an IP packet to the address list specified by address-list parameter
change-dscp - change Differentiated Services Code Point (DSCP) field value specified by the new-dscp parameter
change-mss - change Maximum Segment Size field value of the packet to a value specified by the new-mss parameter
change-ttl - change Time to Live field value of the packet to a value specified by the new-ttl parameter
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
mark-connection - place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule
mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This kind of marks is used for policy routing purposes only
passthrough - ignore this rule go on to the next one
return - pass control back to the chain from where the jump took place
set-priority - set priority speciefied by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface)
strip-ipv4-options - strip IPv4 option fields from the IP packet
accept - accept the packet. No action, i.e., the packet is passed through and no more rules are applied to it
add-dst-to-address-list - add destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - add source address of an IP packet to the address list specified by address-list parameter
change-dscp - change Differentiated Services Code Point (DSCP) field value specified by the new-dscp parameter
change-mss - change Maximum Segment Size field value of the packet to a value specified by the new-mss parameter
change-ttl - change Time to Live field value of the packet to a value specified by the new-ttl parameter
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
mark-connection - place a mark specified by the new-connection-mark parameter on the entire connection that matches the rule
mark-packet - place a mark specified by the new-packet-mark parameter on a packet that matches the rule
mark-routing - place a mark specified by the new-routing-mark parameter on a packet. This kind of marks is used for policy routing purposes only
passthrough - ignore this rule go on to the next one
return - pass control back to the chain from where the jump took place
set-priority - set priority speciefied by the new-priority parameter on the packets sent out through a link that is capable of transporting priority (VLAN or WMM-enabled wireless interface)
strip-ipv4-options - strip IPv4 option fields from the IP packet

address-list (name) - specify the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be later used for packet matching

address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions00:00:00 - leave the address in the address list forever
00:00:00 - leave the address in the address list forever

chain (forward | input | output | postrouting | prerouting) - specify the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be created

comment (text) - free form textual comment for the rule. A comment can be used to refer the particular rule from scripts

connection-bytes (integer-integer) - match packets only if a given amount of bytes has been transfered through the particular connection0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection
0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection

connection-limit (integer,netmask) - restrict connection limit per address or address block

connection-mark (name) - match packets marked via mangle facility with particular connection mark

connection-state (estabilished | invalid | new | related) - interprets the connection tracking analysis data for a particular packetestabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection (the later requires enabled FTP connection tracking helper under /ip firewall service-port)
estabilished - a packet which belongs to an existing connection, exempli gratia a reply packet or a packet which belongs to already replied connection
invalid - a packet which could not be identified for some reason. This includes out of memory condition and ICMP errors which do not correspond to any known connection. It is generally advised to drop these packets
new - a packet which begins a new TCP connection
related - a packet which is related to, but not part of an existing connection, such as ICMP errors or a packet which begins FTP data connection (the later requires enabled FTP connection tracking helper under /ip firewall service-port)

connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - match packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port

content (text) - the text packets should contain in order to match the rule

dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value

dst-address (IP address/netmask | IP address-IP address) - specify the address range an IP packet is destined to. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

dst-address-list (name) - match destination address of a packet against user-defined address list

dst-address-type (unicast | local | broadcast | multicast) - match destination address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - match addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - match addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limit the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match, every destination IP address / destination port has it's own limit. The options are as follows (in order of appearance):count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted

dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range

fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first fragment) does not count. Note that is the connection tracking is enabled, there will be no fragments as the system automatically assembles every packet

hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from clients against various HotSpot conditions. All values can be negatedauth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client
auth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client

icmp-options (integer:integer) - match ICMP Type:Code fields

in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface - the bridge itself)

in-interface (name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)

ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either VLAN or WMM priority

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header optionsany - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp

jump-target (forward | input | output | postrouting | preroutingname) - name of the target chain to jump to, if the action=jump is used

layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power

limit (integer/time{0,1},integer) - restrict packet match rate to a given limit. Usefull to reduce the amount of log messagescount - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specify the time interval over which the packet rate is measured
burst - number of packets to match in a burst
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specify the time interval over which the packet rate is measured
burst - number of packets to match in a burst

log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log

new-connection-mark (name) - specify the new value of the connection mark to be used in conjunction with action=mark-connection

new-dscp (integer: 0..63) - specify the new value of the DSCP field to be used in conjunction with action=change-dscp

new-mss (integer) - specify MSS value to be used in conjunction with action=change-mss

new-packet-mark (name) - specify the new value of the packet mark to be used in conjunction with action=mark-packet

new-priority (integer) - specify the new value of packet priority for the priority-enabled interfaces, used in conjunction with action=set-priorityfrom-dscp - set packet priority form its DSCP field value
from-ingress - set packet priority from the INGRESS priority of the packet (in case packet has been received from an interface that supports priorities - VLAN or WMM-enabled wireless interface; 0 if not set)
from-dscp - set packet priority form its DSCP field value
from-ingress - set packet priority from the INGRESS priority of the packet (in case packet has been received from an interface that supports priorities - VLAN or WMM-enabled wireless interface; 0 if not set)

new-routing-mark (name) - specify the new value of the routing mark used in conjunction with action=mark-routing

new-ttl (decrement | increment | set:integer) - specify the new TTL field value used in conjunction with action=change-ttldecrement - the value of the TTL field will be decremented for value
increment - the value of the TTL field will be incremented for value
set: - the value of the TTL field will be set to value
decrement - the value of the TTL field will be decremented for value
increment - the value of the TTL field will be incremented for value
set: - the value of the TTL field will be set to value

nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packetsevery - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.
every - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.

out-bridge-port (name) - actual interface the packet is leaving the router through (if bridged, this property matches the actual bridge port, while out-interface - the bridge itself)

out-interface (name) - interface the packet is leaving the router through (if the interface is bridged, then the packet will appear to leave through the bridge interface itself)

p2p (all-p2p | bit-torrent | direct-connect | edonkey | fasttrack | gnutella | soulseek | warez | winmx) - match packets belonging to connections of the above P2P protocols

packet-mark (name) - match the packets marked in mangle with specific packet mark

packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the specified size or size range in bytesmin - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range
min - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range

passthrough (yes | no; default: yes) - whether to let the packet to pass further (like action passthrough) after marking it with a given mark (property only valid if action is mark packet, connection or routing mark)

port (port{0-16}) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers)

protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports

psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfersWeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port
WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port

random (integer: 1..99) - matches packets randomly with given propability

routing-mark (name) - matches packets marked with the specified routing mark

src-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is originated from. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

src-address-list (name) - matches source address of a packet against user-defined address list

src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

src-mac-address (MAC address) - source MAC address

src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or range

tcp-flags (multiple choice: ack | cwr | ece | fin | psh | rst | syn | urg) - tcp flags to matchack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data
ack - acknowledging data
cwr - congestion window reduced
ece - ECN-echo flag (explicit congestion notification)
fin - close connection
psh - push function
rst - drop connection
syn - new connection
urg - urgent data

tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet

time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date

Notes

Instead of making two rules if you want to mark a packet, connection or routing-mark and finish mangle table processing on that event (in other words, mark and simultaneously accept the packet), you may disable the set by default passthrough property of the marking rule.

Usually routing-mark is not used for P2P, since P2P traffic always is routed over a default getaway.
Application Examples
Description

The following section discusses some examples of using the mangle facility.
Peer-to-Peer Traffic Marking

To ensure the quality of service for network connection, interactive traffic types such as VoIP and HTTP should be prioritized over non-interactive, such as peer-to-peer network traffic. RouterOS QOS implementation uses mangle to mark different types of traffic first, and then place them into queues with different limits.

The following example enforces the P2P traffic will get no more than 1Mbps of the total link capacity when the link is heavily used by other traffic otherwice expanding to the full link capacity:
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p
[admin@MikroTik] > /ip firewall mangle add chain=forward \
\... connection-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward p2p=all-p2p action=mark-connection new-connection-mark=p2p_conn

1 chain=forward connection-mark=p2p_conn action=mark-packet new-packet-mark=p2p

2 chain=forward packet-mark=!p2p_conn action=mark-packet new-packet-mark=other
[admin@MikroTik] >
[admin@MikroTik] > /queue tree add parent=Public packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Local packet-mark=p2p limit-at=1000000 \
\... max-limit=100000000 priority=8
[admin@MikroTik] > /queue tree add parent=Public packet-mark=other limit-at=1000000 \
\... max-limit=100000000 priority=1
[admin@MikroTik] > /queue tree add parent=Local packet-mark=other limit-at=1000000 \
\... max-limit=100000000 priority=1
Mark by MAC address

To mark traffic from a known MAC address which goes to the router or through it, do the following:
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... src-mac-address=00:01:29:60:36:E7 action=mark-connection new-connection-mark=known_mac_conn
[admin@MikroTik] > / ip firewall mangle add chain=prerouting \
\... connection-mark=known_mac_conn action=mark-packet new-packet-mark=known_mac

Change MSS

It is a well known fact that VPN links have smaller packet size due to incapsulation overhead. A large packet with MSS that exceeds the MSS of the VPN link should be fragmented prior to sending it via that kind of connection. However, if the packet has DF flag set, it cannot be fragmented and should be discarded. On links that have broken path MTU discovery (PMTUD) it may lead to a number of problems, including problems with FTP and HTTP data transfer and e-mail services.

In case of link with broken PMTUD, a decrease of the MSS of the packets coming through the VPN link solves the problem. The following example demonstrates how to decrease the MSS value via mangle:
[admin@MikroTik] > /ip firewall mangle add out-interface=pppoe-out \
\... protocol=tcp tcp-flags=syn action=change-mss new-mss=1300 chain=forward
[admin@MikroTik] > /ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward out-interface=pppoe-out protocol=tcp tcp-flags=syn
action=change-mss new-mss=1300

[admin@MikroTik] >

NAT

2008-04-08T16:14:00.000+07:00

General Information
Summary

Network Address Translation (NAT) is a router facility that replaces source and (or) destination IP addresses of the IP packet as it pass through thhe router. It is most commonly used to enable multiple host on a private network to access the Internet using a single public IP address.
Specifications
Packages required: system
License required: Level1 (number of rules limited to 1) , Level3
Submenu level: /ip firewall nat
Standards and Technologies: IP, RFC1631, RFC2663
Hardware usage: Increases with the count of rules
NAT
Description

Network Address Translation is an Internet standard that allows hosts on local area networks to use one set of IP addresses for internal communications and another set of IP addresses for external communications. A LAN that uses NAT is referred as natted network. For NAT to function, there should be a NAT gateway in each natted network. The NAT gateway (NAT router) performs IP address rewriting on the way a packet travel from/to LAN.

There are two types of NAT:
source NAT or srcnat. This type of NAT is performed on packets that are originated from a natted network. A NAT router replaces the private source address of an IP packet with a new public IP address as it travels through the router. A reverse operation is applied to the reply packets travelling in the other direction.
destination NAT or dstnat. This type of NAT is performed on packets that are destined to the natted network. It is most comonly used to make hosts on a private network to be acceesible from the Internet. A NAT router performing dstnat replaces the destination IP address of an IP packet as it travel through the router towards a private network.
NAT Drawbacks

Hosts behind a NAT-enabled router do not have true end-to-end connectivity. Therefore some Internet protocols might not work in scenarios with NAT. Services that require the initiation of TCP connection from outside the private network or stateless protocols such as UDP, can be disrupted. Moreover, some protocols are inherently incompatible with NAT, a bold example is AH protocol from the IPsec suite.

RouterOS includes a number of so-called NAT helpers, that enable NAT traversal for various protocols.
Redirect and Masquerade

Redirect and masquerade are special forms of destination NAT and source NAT, respectively. Redirect is similar to the regular destination NAT in the same way as masquerade is similar to the source NAT - masquerade is a special form of source NAT without need to specify to-addresses - outgoing interface address is used automatically. The same is for redirect - it is a form of destination NAT where to-addresses is not used - incoming interface address is used instead. Note that to-ports is meaningful for redirect rules - this is the port of the service on the router that will handle these requests (e.g. web proxy).

When packet is dst-natted (no matter - action=nat or action=redirect), dst address is changed. Information about translation of addresses (including original dst address) is kept in router's internal tables. Transparent web proxy working on router (when web requests get redirected to proxy port on router) can access this information from internal tables and get address of web server from them. If you are dst-natting to some different proxy server, it has no way to find web server's address from IP header (because dst address of IP packet that previously was address of web server has changed to address of proxy server). Starting from HTTP/1.1 there is special header in HTTP request which tells web server address, so proxy server can use it, instead of dst address of IP packet. If there is no such header (older HTTP version on client), proxy server can not determine web server address and therefore can not work.

It means, that it is impossible to correctly transparently redirect HTTP traffic from router to some other transparent-proxy box. Only correct way is to add transparent proxy on the router itself, and configure it so that your "real" proxy is its parent-proxy. In this situation your "real" proxy does not have to be transparent any more, as proxy on router will be transparent and will forward proxy-style requests (according to standard; these requests include all necessary information about web server) to "real" proxy.
Property Description
action (accept | add-dst-to-address-list | add-src-to-address-list | dst-nat | jump | log | masquerade | netmap | passthrough | redirect | return | same | src-nat; default: accept) - action to undertake if the packet matches the ruleaccept - accepts the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by address-list parameter
dst-nat - replaces destination address of an IP packet to values specified by to-addresses and to-ports parameters
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
masquerade - replaces source address of an IP packet to an automatically determined by the routing facility IP address
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
passthrough - ignores this rule goes on to the next one
redirect - replaces destination address of an IP packet to one of the router's local addresses
return - passes control back to the chain from where the jump took place
same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters
accept - accepts the packet. No action is taken, i.e. the packet is passed through and no more rules are applied to it
add-dst-to-address-list - adds destination address of an IP packet to the address list specified by address-list parameter
add-src-to-address-list - adds source address of an IP packet to the address list specified by address-list parameter
dst-nat - replaces destination address of an IP packet to values specified by to-addresses and to-ports parameters
jump - jump to the chain specified by the value of the jump-target parameter
log - each match with this action will add a message to the system log
masquerade - replaces source address of an IP packet to an automatically determined by the routing facility IP address
netmap - creates a static 1:1 mapping of one set of IP addresses to another one. Often used to distribute public IP addresses to hosts on private networks
passthrough - ignores this rule goes on to the next one
redirect - replaces destination address of an IP packet to one of the router's local addresses
return - passes control back to the chain from where the jump took place
same - gives a particular client the same source/destination IP address from supplied range for each connection. This is most frequently used for services that expect the same client address for multiple connections from the same client
src-nat - replaces source address of an IP packet to values specified by to-addresses and to-ports parameters

address-list (name) - specifies the name of the address list to collect IP addresses from rules having action=add-dst-to-address-list or action=add-src-to-address-list actions. These address lists could be later used for packet matching

address-list-timeout (time; default: 00:00:00) - time interval after which the address will be removed from the address list specified by address-list parameter. Used in conjunction with add-dst-to-address-list or add-src-to-address-list actions00:00:00 - leave the address in the address list forever
00:00:00 - leave the address in the address list forever

chain (dstnat | srcnat | name) - specifies the chain to put a particular rule into. As the different traffic is passed through different chains, always be careful in choosing the right chain for a new rule. If the input does not match the name of an already defined chain, a new chain will be createddstnat - a rule placed in this chain is applied before routing. The rules that replace destination addresses of IP packets should be placed there
srcnat - a rule placed in this chain is applied after routing. The rules that replace the source addresses of IP packets should be placed there
dstnat - a rule placed in this chain is applied before routing. The rules that replace destination addresses of IP packets should be placed there
srcnat - a rule placed in this chain is applied after routing. The rules that replace the source addresses of IP packets should be placed there

comment (text) - a descriptive comment for the rule. A comment can be used to identify rules form scripts

connection-bytes (integer-integer) - matches packets only if a given amount of bytes has already been transfered through the particular connection0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection
0 - means infinity, exempli gratia: connection-bytes=2000000-0 means that the rule matches if more than 2MB has been transfered through the relevant connection

connection-limit (integer,netmask) - restrict connection number per address or address block (matches if the specified number of connection has already been established)

connection-mark (name) - matches packets marked via mangle facility with particular connection mark

connection-type (ftp | gre | h323 | irc | mms | pptp | quake3 | tftp) - matches packets from related connections based on information from their connection tracking helpers. A relevant connection helper must be enabled under /ip firewall service-port

content (text) - the text packets should contain in order to match the rule

dscp (integer: 0..63) - DSCP (ex-ToS) IP header field value

dst-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is destined to. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

dst-address-list (name) - matches destination address of a packet against user-defined address list

dst-address-type (unicast | local | broadcast | multicast) - matches destination address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

dst-limit (integer/time{0,1},integer,dst-address | dst-port | src-address{+},time{0,1}) - limits the packet per second (pps) rate on a per destination IP or per destination port base. As opposed to the limit match, every destination IP address / destination port has it's own limit. The options are as follows (in order of appearance):count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
mode - the classifier(-s) for packet rate limiting
expire - specifies interval after which recorded IP addresses / ports will be deleted

dst-port (integer: 0..65535-integer: 0..65535{*}) - destination port number or range

fragment (yes | no) - whether the packet is a fragment of an IP packet. Starting packet (i.e., first fragment) does not count. Note that is the connection tracking is enabled, there will be no fragments as the system automatically assembles every packet

hotspot (multiple choice: auth | from-client | http | local-dst | to-client) - matches packets received from clients against various HotSpot conditions. All values can be negatedauth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client
auth - true, if a packet comes from an authenticted HotSpotclient
from-client - true, if a packet comes from any HotSpot client
http - true, if a HotSpot client sends a packet to the address and port previously detected as his proxy server (Universal Proxy technique) or if the destination port is 80 and transparent proxying is enabled for that particular client
local-dst - true, if a packet has local destination IP address
to-client - true, if a packet is sent to a client

icmp-options (integer:integer) - matches ICMP Type:Code fields

in-bridge-port (name) - actual interface the packet has entered the router through (if bridged, this property matches the actual bridge port, while in-interface - the bridge itself)

in-interface (name) - interface the packet has entered the router through (if the interface is bridged, then the packet will appear to come from the bridge interface itself)

ingress-priority (integer: 0..63) - INGRESS (received) priority of the packet, if set (0 otherwise). The priority may be derived from either VLAN or WMM priority

ipv4-options (any | loose-source-routing | no-record-route | no-router-alert | no-source-routing | no-timestamp | none | record-route | router-alert | strict-source-routing | timestamp) - match ipv4 header optionsany - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp
any - match packet with at least one of the ipv4 options
loose-source-routing - match packets with loose source routing option. This option is used to route the internet datagram based on information supplied by the source
no-record-route - match packets with no record route option. This option is used to route the internet datagram based on information supplied by the source
no-router-alert - match packets with no router alter option
no-source-routing - match packets with no source routing option
no-timestamp - match packets with no timestamp option
record-route - match packets with record route option
router-alert - match packets with router alter option
strict-source-routing - match packets with strict source routing option
timestamp - match packets with timestamp

jump-target (dstnat | srcnatname) - name of the target chain to jump to, if the action=jump is used

layer7-protocol (name) - Layer 7 filter name as set in the /ip firewall layer7-protocol menu. Caution: this matcher needs high computational power

limit (integer/time{0,1},integer) - restricts packet match rate to a given limit. Usefull to reduce the amount of log messagescount - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst
count - maximum average packet rate, measured in packets per second (pps), unless followed by time option
time - specifies the time interval over which the packet rate is measured
burst - number of packets to match in a burst

log-prefix (text) - all messages written to logs will contain the prefix specified herein. Used in conjunction with action=log

nth (integer,integer: 0..15,integer{0,1}) - match a particular Nth packet received by the rule. One of 16 available counters can be used to count packetsevery - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.
every - match every every+1th packet. For example, if every=1 then the rule matches every 2nd packet
counter - specifies which counter to use. A counter increments each time the rule containing nth match matches
packet - match on the given packet number. The value by obvious reasons must be between 0 and every. If this option is used for a given counter, then there must be at least every+1 rules with this option, covering all values between 0 and every inclusively.

out-bridge-port (name) - actual interface the packet is leaving the router through (if bridged, this property matches the actual bridge port, while out-interface - the bridge itself)

out-interface (name) - interface the packet is leaving the router through (if the interface is bridged, then the packet will appear to leave through the bridge interface itself)

packet-mark (text) - matches packets marked via mangle facility with particular packet mark

packet-size (integer: 0..65535-integer: 0..65535{0,1}) - matches packet of the specified size or size range in bytesmin - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range
min - specifies lower boundary of the size range or a standalone value
max - specifies upper boundary of the size range

port (port{0-16}) - matches if any (source or destination) port matches the specified list of ports or port ranges (note that the protocol must still be selected, just like for the regular src-port and dst-port matchers)

protocol (ddp | egp | encap | ggp | gre | hmp | icmp | idrp-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp | integer) - matches particular IP protocol specified by protocol name or number. You should specify this setting if you want to specify ports

psd (integer,time,integer,integer) - attempts to detect TCP and UDP scans. It is advised to assign lower weight to ports with high numbers to reduce the frequency of false positives, such as from passive mode FTP transfersWeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port
WeightThreshold - total weight of the latest TCP/UDP packets with different destination ports coming from the same host to be treated as port scan sequence
DelayThreshold - delay for the packets with different destination ports coming from the same host to be treated as possible port scan subsequence
LowPortWeight - weight of the packets with privileged (<=1024) destination port
HighPortWeight - weight of the packet with non-priviliged destination port

random (integer) - match packets randomly with given propability

routing-mark (name) - matches packets marked by mangle facility with particular routing mark

same-not-by-dst (yes | no) - specifies whether to account or not to account for destination IP address when selecting a new source IP address for packets matched by rules with action=same

src-address (IP address/netmask | IP address-IP address) - specifies the address range an IP packet is originated from. Note that console converts entered address/netmask value to a valid network address, i.e.:1.1.1.1/24 is converted to 1.1.1.0/24

src-address-list (name) - matches source address of a packet against user-defined address list

src-address-type (unicast | local | broadcast | multicast) - matches source address type of the IP packet, one of the:unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points
unicast - IP addresses used for one point to another point transmission. There is only one sender and one receiver in this case
local - matches addresses assigned to router's interfaces
broadcast - the IP packet is sent from one point to all other points in the IP subnetwork
multicast - this type of IP addressing is responsible for transmission from one or more points to a set of other points

src-mac-address (MAC address) - source MAC address

src-port (integer: 0..65535-integer: 0..65535{*}) - source port number or range

tcp-mss (integer: 0..65535) - matches TCP MSS value of an IP packet

time (time-time,sat | fri | thu | wed | tue | mon | sun{+}) - allows to create filter based on the packets' arrival time and date or, for locally generated packets, departure time and date

to-addresses (IP address-IP address{0,1}; default: 0.0.0.0) - address or address range to replace original address of an IP packet with

to-ports (integer: 0..65535-integer: 0..65535{0,1}) - port or port range to replace original port of an IP packet with

NAT Applications
Description

In this section some NAT applications and examples of them are discussed.
Basic NAT configuration

Assume we want to create router that:
"hides" the private LAN "behind" one address
provides Public IP to the Local server
creates 1:1 mapping of network addresses
Example of Source NAT (Masquerading)

If you want to "hide" the private LAN 192.168.0.0/24 "behind" one address 10.5.8.109 given to you by the ISP, you should use the source network address translation (masquerading) feature of the MikroTik router. The masquerading will change the source IP address and port of the packets originated from the network 192.168.0.0/24 to the address 10.5.8.109 of the router when the packet is routed through it.

To use masquerading, a source NAT rule with action 'masquerade' should be added to the firewall configuration:
/ip firewall nat add chain=srcnat action=masquerade out-interface=Public

All outgoing connections from the network 192.168.0.0/24 will have source address 10.5.8.109 of the router and source port above 1024. No access from the Internet will be possible to the Local addresses. If you want to allow connections to the server on the local network, you should use destination Network Address Translation (NAT).
Example of Destination NAT

If you want to link Public IP 10.5.8.200 address to Local one 192.168.0.109, you should use destination address translation feature of the MikroTik router. Also if you want allow Local server to talk with outside with given Public IP you should use source address translation, too

Add Public IP to Public interface:
/ip address add address=10.5.8.200/32 interface=Public

Add rule allowing access to the internal server from external networks:
/ip firewall nat add chain=dstnat dst-address=10.5.8.200 action=dst-nat \
to-addresses=192.168.0.109

Add rule allowing the internal server to talk to the outer networks having its source address translated to 10.5.8.200:
/ip firewall nat add chain=srcnat src-address=192.168.0.109 action=src-nat \
to-addresses=10.5.8.200

Example of 1:1 mapping

If you want to link Public IP subnet 11.11.11.0/24 to local one 2.2.2.0/24, you should use destination address translation and source address translation features with action=netmap.
/ip firewall nat add chain=dstnat dst-address=11.11.11.1-11.11.11.254 \
action=netmap to-addresses=2.2.2.1-2.2.2.254

/ip firewall nat add chain=srcnat src-address=2.2.2.1-2.2.2.254 \
action=netmap to-addresses=11.11.11.1-11.11.11.254

SOCKS Proxy Server

2008-04-08T16:08:00.000+07:00

General Information
Summary

This manual discusses the SOCKS proxy server which is implemented in RouterOS. MikroTik RouterOS supports SOCKS version 4.
Specifications
Packages required: system
License required: Level1
Submenu level: /ip socks
Standards and Technologies: SOCKS version 4
Hardware usage: Not significant
Description

SOCKS is a proxy server that allows TCP based application data to relay across the firewall, even if the firewall would block the packets. The SOCKS protocol is independent from application protocols, so it can be used for many services, e.g, WWW, FTP, TELNET, and others.

At first, an application client connects to the SOCKS proxy server, then the proxy server looks in its access list to see whether the client is permited to access the remote application resource or not, if it is permitted, the proxy server relies the packet to the application server and creates a connection between the application server and client.
Notes

Remember to configure your application client to use SOCKS version 4.

You should secure the SOCKS proxy using its access list and/or firewall to disallow access from outisde. Failing to secure the proxy server may introduce security issues to your network, and may provide a way for spammers to send junk mail through the router.
Additional Resources
Information about SOCKS
SOCKS Configuration
Description

In this section you will learn how to enable the SOCKS proxy server and do its configuration.
Property Description
connection-idle-timeout (time; default: 2m) - time after which idle connections are terminated

enabled (yes | no; default: no) - whether to enable or no the SOCKS proxy

max-connections (integer: 1..500; default: 200) - maxumum number of simultaneous connections

port (integer: 1..65535; default: 1080) - TCP port on which the SOCKS server listens for connections

Example

To enable SOCKS:
[admin@MikroTik] ip socks> set enabled=yes
[admin@MikroTik] ip socks> print
enabled: yes
port: 1080
connection-idle-timeout: 2m
max-connections: 200
[admin@MikroTik] ip socks>
Access List
Submenu level: /ip socks access
Description

In the SOCKS access list you can add rules which will control access to SOCKS server. This list is similar to firewall lists.
Property Description
action (allow | deny; default: allow) - action to be performed for this ruleallow - allow packets, matching this rule, to be forwarded for further processing
deny - deny access for packets, matching this rule
allow - allow packets, matching this rule, to be forwarded for further processing
deny - deny access for packets, matching this rule

dst-address (IP address/netmask) - destination (server's) address

dst-port (port) - destination TCP port

src-address (IP address/netmask) - source (client's) address for a packet

src-port (port) - source TCP port

Active Connections
Submenu level: /ip socks connections
Description

The Active Connection list shows all established TCP connections, which are maintained through the SOCKS proxy server.
Property Description
dst-address (read-only: IP address) - destination (application server) IP address

rx (read-only: integer) - bytes received

src-address (read-only: IP address) - source (application client) IP address

tx (read-only: integer) - bytes sent

type (read-only: in | out | unknown) - connection typein - incoming connection
out - outgoing connection
unknown - connection has just been initiated
in - incoming connection
out - outgoing connection
unknown - connection has just been initiated

Example

To see current TCP connections:
[admin@MikroTik] ip socks connections> print
# SRC-ADDRESS DST-ADDRESS TX RX
0 192.168.0.2:3242 159.148.147.196:80 4847 2880
1 192.168.0.2:3243 159.148.147.196:80 3408 2127
2 192.168.0.2:3246 159.148.95.16:80 10172 25207
3 192.168.0.2:3248 194.8.18.26:80 474 1629
4 192.168.0.2:3249 159.148.95.16:80 6477 18695
5 192.168.0.2:3250 159.148.95.16:80 4137 27568
6 192.168.0.2:3251 159.148.95.16:80 1712 14296
7 192.168.0.2:3258 80.91.34.241:80 314 208
8 192.168.0.2:3259 80.91.34.241:80 934 524
9 192.168.0.2:3260 80.91.34.241:80 930 524
10 192.168.0.2:3261 80.91.34.241:80 312 158
11 192.168.0.2:3262 80.91.34.241:80 312 158
[admin@MikroTik] ip socks connections>
Application Examples
FTP service through SOCKS server

Let us consider that we have a network 192.168.0.0/24 which is masqueraded, using a router with a public IP 10.1.0.104/24 and a private IP 192.168.0.1/24. Somewhere in the network is an FTP server with IP address 10.5.8.8. We want to allow access to this FTP server for a client in our local network with IP address 192.168.0.2/24.

We have already masqueraded our local network:
[admin@MikroTik] ip firewall nat> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat action=masquerade src-address=192.168.0.0/24
[admin@MikroTik] ip firewall nat>

And the access to public FTP servers is denied in firewall:
[admin@MikroTik] ip firewall filter> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward action=drop src-address=192.168.0.0/24 dst-port=21 protocol=tcp
[admin@MikroTik] ip firewall filter>

We need to enable the SOCKS server:
[admin@MikroTik] ip socks> set enabled=yes
[admin@MikroTik] ip socks> print
enabled: yes
port: 1080
connection-idle-timeout: 2m
max-connections: 200
[admin@MikroTik] ip socks>

Add access to a client with an IP address 192.168.0.2/32 to SOCKS access list, allow data transfer from FTP server to client (allow destionation ports from 1024 to 65535 for any IP address), and drop everything else:
[admin@MikroTik] ip socks access> add src-address=192.168.0.2 dst-port=21 \
\... action=allow
[admin@MikroTik] ip socks access> add dst-port=1024-65535 action=allow
[admin@MikroTik] ip socks access> add action=deny
[admin@MikroTik] ip socks access> print
Flags: X - disabled
0 src-address=192.168.0.2 dst-port=21 action=allow
1 dst-port=1024-65535 action=allow
2 action=deny
[admin@MikroTik] ip socks access>

That's all - the SOCKS server is configured. To see active connections and data transmitted and received:
[admin@MikroTik] ip socks connections> print
# SRC-ADDRESS DST-ADDRESS TX RX
0 192.168.0.2:1238 10.5.8.8:21 1163 4625
1 192.168.0.2:1258 10.5.8.8:3423 0 3231744
[admin@MikroTik] ip socks connections>

Note! In order to use SOCKS proxy server, you have to specify its IP address and port in your FTP client. In this case IP address would be 192.168.0.1 (local IP address of the router/SOCKS server) and TCP port 1080.

Packet Sniffer

2008-04-08T16:06:00.000+07:00

General Information
Summary

Packet sniffer is a feature that catches all the data travelling over the network, that it is able to get (when using switched network, a computer may catch only the data addressed to it or is forwarded through it).
Specifications
Packages required: system
License required: Level1
Submenu level: /tool sniffer
Standards and Technologies: none
Hardware usage: Not significant
Description

It allows you to "sniff" (listen and record) packets going through the router (and any other traffic that gets to the router, when there is no switching in the network) and view them using specific software.
Packet Sniffer Configuration
Submenu level: /tool sniffer
Property Description
file-limit (integer; default: 10) - the limit of the file in KB. Sniffer will stop after this limit is reached

file-name (text; default: "") - the name of the file where the sniffed packets will be saved to

filter-address1 (IP address/netmask:port; default: 0.0.0.0/0:0-65535) - criterion of choosing the packets to process

filter-address2 (IP address/netmask:port; default: 0.0.0.0/0:0-65535) - criterion of choosing the packets to process

filter-protocol (all-frames | ip-only | mac-only-no-ip; default: ip-only) - specific protocol group to filterall-frames - sniff all packets
ip-only - sniff IP packets only
mac-only-no-ip - sniff non-IP packets only
all-frames - sniff all packets
ip-only - sniff IP packets only
mac-only-no-ip - sniff non-IP packets only

filter-stream (yes | no; default: yes) - whether to ignore sniffed packets that are destined to the stream server

interface (name | all; default: all) - the name of the interface that receives the packets

memory-limit (integer; default: 10) - maximum amount of memory to use. Sniffer will stop after this limit is reached

only-headers (yes | no; default: no) - whether to save in the memory packets' headers only (not the whole packet)

running (read-only: yes | no; default: no) - if the sniffer is started then the value is yes otherwise no

streaming-enabled (yes | no; default: no) - whether to send sniffed packets to a remote server

streaming-server (IP address; default: 0.0.0.0) - Tazmen Sniffer Protocol (TZSP) stream receiver

Notes

filter-address1 and filter-address2 are used to specify the two participients in communication (i.e. they will match only in the case if one of them matches the source address and the other one matches the destination address of a packet). These properties are taken in account only if filter-protocol is ip-only.

Not only Wireshark (ex-Ethereal, http://www.wireshark.org) and Packetyzer (http://www.packetyzer.com) can receive the sniffer's stream but also MikroTik's program trafr (http://www.mikrotik.com/download.html) that runs on any IA32 Linux computer and saves received packets libpcap file format.
Example

In the following example streaming-server will be added, streaming will be enabled, file-name will be set to test and packet sniffer will be started and stopped after some time:
[admin@MikroTik] tool sniffer>set streaming-server=10.0.0.241 \
\... streaming-enabled=yes file-name=test
[admin@MikroTik] tool sniffer> prin
interface: all
only-headers: no
memory-limit: 10
file-name: "test"
file-limit: 10
streaming-enabled: yes
streaming-server: 10.0.0.241
filter-stream: yes
filter-protocol: ip-only
filter-address1: 0.0.0.0/0:0-65535
filter-address2: 0.0.0.0/0:0-65535
running: no
[admin@MikroTik] tool sniffer>start
[admin@MikroTik] tool sniffer>stop
Running Packet Sniffer
Specifications
Command name: /tool sniffer start, /tool sniffer stop, /tool sniffer save
Description

The commands are used to control runtime operation of the packet sniffer. The start command is used to start/reset sniffering, stop - stops sniffering. To save currently sniffed packets in a specific file save command is used.
Example

In the following example the packet sniffer will be started and after some time - stopped:
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> stop

Below the sniffed packets will be saved in the file named test:
[admin@MikroTik] tool sniffer> save file-name=test
[admin@MikroTik] tool sniffer> /file print
# NAME TYPE SIZE CREATION-TIME
0 test unknown 1350 apr/07/2003 16:01:52

[admin@MikroTik] tool sniffer>
Sniffed Packets
Submenu level: /tool sniffer packet
Description

The submenu allows to see the list of sniffed packets.
Property Description
data (read-only: text) - specified data inclusion in packets

dst-address (read-only: IP address) - destination IP address

dst-mac-address (MAC address) - destination MAC address

fragment-offset (read-only: integer) - IP fragment offset

identification (read-only: integer) - IP identification

interface (read-only: name) - name of the interface the packet has been captured on

ip-header-size (read-only: integer) - the size of IP header

ip-packet-size (read-only: integer) - the size of IP packet

ip-protocol (ip | icmp | igmp | ggp | ipencap | st | tcp | egp | pup | udp | hmp | xns-idp | rdp | iso-tp4 | xtp | ddp | idrp-cmtp | gre | esp | ah | rspf | vmtp | ospf | ipip | encap) - the name/number of IP protocolip - Internet Protocol
icmp - Internet Control Message Protocol
igmp - Internet Group Management Protocol
ggp - Gateway-Gateway Protocol
ipencap - IP Encapsulated in IP
st - st datagram mode
tcp - Transmission Control Protocol
egp - Exterior Gateway Protocol
pup - Parc Universal packet Protocol
udp - User Datagram Protocol
hmp - Host Monitoring Protocol
xns-idp - Xerox ns idp
rdp - Reliable Datagram Protocol
iso-tp4 - ISO Transport Protocol class 4
xtp - Xpress Transfer Protocol
ddp - Datagram Delivery Protocol
idpr-cmtp - idpr Control Message Transport
gre - General Routing Encapsulation
esp - IPsec ESP protocol
ah - IPsec AH protocol
rspf - Radio Shortest Path First
vmtp - Versatile Message Transport Protocol
ospf - Open Shortest Path First
ipip - IP encapsulation (protocol 4)
encap - IP encapsulation (protocol 98)
ip - Internet Protocol
icmp - Internet Control Message Protocol
igmp - Internet Group Management Protocol
ggp - Gateway-Gateway Protocol
ipencap - IP Encapsulated in IP
st - st datagram mode
tcp - Transmission Control Protocol
egp - Exterior Gateway Protocol
pup - Parc Universal packet Protocol
udp - User Datagram Protocol
hmp - Host Monitoring Protocol
xns-idp - Xerox ns idp
rdp - Reliable Datagram Protocol
iso-tp4 - ISO Transport Protocol class 4
xtp - Xpress Transfer Protocol
ddp - Datagram Delivery Protocol
idpr-cmtp - idpr Control Message Transport
gre - General Routing Encapsulation
esp - IPsec ESP protocol
ah - IPsec AH protocol
rspf - Radio Shortest Path First
vmtp - Versatile Message Transport Protocol
ospf - Open Shortest Path First
ipip - IP encapsulation (protocol 4)
encap - IP encapsulation (protocol 98)

protocol (read-only: ip | arp | rarp | ipx | ipv6) - the name/number of ethernet protocolip - Internet Protocol
arp - Address Resolution Protocol
rarp - Reverse Address Resolution Protocol
ipx - Internet Packet exchange protocol
ipv6 - Internet Protocol next generation
ip - Internet Protocol
arp - Address Resolution Protocol
rarp - Reverse Address Resolution Protocol
ipx - Internet Packet exchange protocol
ipv6 - Internet Protocol next generation

size (read-only: integer) - size of packet

src-address (IP address) - source address

src-mac-address (MAC address) - source MAC address

time (read-only: time) - time when packet arrived

tos (read-only: integer) - IP Type Of Service

ttl (read-only: integer) - IP Time To Live

Example

In the example below it's seen, how to get the list of sniffed packets:
[admin@MikroTik] tool sniffer packet> print
# TIME INTERFACE SRC-ADDRESS DST-ADDRESS IP-.. SIZE
0 0.12 ether1 10.0.0.241:1839 10.0.0.181:23 (telnet) tcp 46
1 0.12 ether1 10.0.0.241:1839 10.0.0.181:23 (telnet) tcp 40
2 0.12 ether1 10.0.0.181:23 (telnet) 10.0.0.241:1839 tcp 78
3 0.292 ether1 10.0.0.181 10.0.0.4 gre 88
4 0.32 ether1 10.0.0.241:1839 10.0.0.181:23 (telnet) tcp 40
5 0.744 ether1 10.0.0.144:2265 10.0.0.181:22 (ssh) tcp 76
6 0.744 ether1 10.0.0.144:2265 10.0.0.181:22 (ssh) tcp 76
7 0.744 ether1 10.0.0.181:22 (ssh) 10.0.0.144:2265 tcp 40
8 0.744 ether1 10.0.0.181:22 (ssh) 10.0.0.144:2265 tcp 76
[admin@MikroTik] tool sniffer packet>
Packet Sniffer Protocols
Submenu level: /tool sniffer protocol
Description

In this submenu you can see all kind of protocols that have been sniffed.
Property Description
bytes (integer) - total number of data bytes

ip-protocol (ip | icmp | igmp | ggp | ipencap | st | tcp | egp | pup | udp | hmp | xns-idp | rdp | iso-tp4 | xtp | ddp | idrp-cmtp | gre | esp | ah | rspf | vmtp | ospf | ipip | encap) - the name/number of IP protocolip - Internet Protocol
icmp - Internet Control Message Protocol
igmp - Internet Group Management Protocol
ggp - Gateway-Gateway Protocol
ipencap - IP Encapsulated in IP
st - st datagram mode
tcp - Transmission Control Protocol
egp - Exterior Gateway Protocol
pup - Parc Universal packet Protocol
udp - User Datagram Protocol
hmp - Host Monitoring Protocol
xns-idp - Xerox ns idp
rdp - Reliable Datagram Protocol
iso-tp4 - ISO Transport Protocol class 4
xtp - Xpress Transfer Protocol
ddp - Datagram Delivery Protocol
idpr-cmtp - idpr Control Message Transport
gre - General Routing Encapsulation
esp - IPsec ESP protocol
ah - IPsec AH protocol
rspf - Radio Shortest Path First
vmtp - Versatile Message Transport Protocol
ospf - Open Shortest Path First
ipip - IP encapsulation
encap - IP encapsulation
ip - Internet Protocol
icmp - Internet Control Message Protocol
igmp - Internet Group Management Protocol
ggp - Gateway-Gateway Protocol
ipencap - IP Encapsulated in IP
st - st datagram mode
tcp - Transmission Control Protocol
egp - Exterior Gateway Protocol
pup - Parc Universal packet Protocol
udp - User Datagram Protocol
hmp - Host Monitoring Protocol
xns-idp - Xerox ns idp
rdp - Reliable Datagram Protocol
iso-tp4 - ISO Transport Protocol class 4
xtp - Xpress Transfer Protocol
ddp - Datagram Delivery Protocol
idpr-cmtp - idpr Control Message Transport
gre - General Routing Encapsulation
esp - IPsec ESP protocol
ah - IPsec AH protocol
rspf - Radio Shortest Path First
vmtp - Versatile Message Transport Protocol
ospf - Open Shortest Path First
ipip - IP encapsulation
encap - IP encapsulation

packets (integer) - the number of packets

port (name) - the port of TCP/UDP protocol

protocol (read-only: ip | arp | rarp | ipx | ipv6) - the name/number of ethernet protocolip - Internet Protocol
arp - Address Resolution Protocol
rarp - Reverse Address Resolution Protocol
ipx - Internet Packet exchange protocol
ipv6 - Internet Protocol next generation
ip - Internet Protocol
arp - Address Resolution Protocol
rarp - Reverse Address Resolution Protocol
ipx - Internet Packet exchange protocol
ipv6 - Internet Protocol next generation

share (integer) - specific type of traffic share compared to all traffic in bytes

Example
[admin@MikroTik] tool sniffer protocol> print
# PROTOCOL IP-PR... PORT PACKETS BYTES SHARE
0 ip 77 4592 100 %
1 ip tcp 74 4328 94.25 %
2 ip gre 3 264 5.74 %
3 ip tcp 22 (ssh) 49 3220 70.12 %
4 ip tcp 23 (telnet) 25 1108 24.12 %

[admin@MikroTik] tool sniffer protocol>
Packet Sniffer Host
Submenu level: /tool sniffer host
Description

The submenu shows the list of hosts that were participating in data excange you've sniffed.
Property Description
address (read-only: IP address) - IP address of the host

peek-rate (read-only: integer/integer) - the maximum data-rate received/transmitted

rate (read-only: integer/integer) - current data-rate received/transmitted

total (read-only: integer/integer) - total packets received/transmitted

Example

In the following example we'll see the list of hosts:
[admin@MikroTik] tool sniffer host> print
# ADDRESS RATE PEEK-RATE TOTAL
0 10.0.0.4 0bps/0bps 704bps/0bps 264/0
1 10.0.0.144 0bps/0bps 6.24kbps/12.2kbps 1092/2128
2 10.0.0.181 0bps/0bps 12.2kbps/6.24kbps 2994/1598
3 10.0.0.241 0bps/0bps 1.31kbps/4.85kbps 242/866

[admin@MikroTik] tool sniffer host>
Packet Sniffer Connections
Submenu level: /tool sniffer connection
Description

Here you can get a list of the connections that have been watched during the sniffing time.
Property Description
active (read-only: yes | no) - if yes the find active connections

bytes (read-only: integer/integer) - bytes in the current connection

dst-address (read-only: IP address) - destination address

mss (read-only: integer/integer) - Maximum Segment Size

resends (read-only: integer/integer) - the number of packets resends in the current connection

src-address (read-only: IP address) - source address

Example

The example shows how to get the list of connections:
[admin@MikroTik] tool sniffer connection> print
Flags: A - active
# SRC-ADDRESS DST-ADDRESS BYTES RESENDS MSS
0 A 10.0.0.241:1839 10.0.0.181:23 (telnet) 6/42 60/0 0/0
1 A 10.0.0.144:2265 10.0.0.181:22 (ssh) 504/252 504/0 0/0

[admin@MikroTik] tool sniffer connection>
Sniff MAC Address

You can also see the source and destination MAC Addresses. To do so, at first stop the sniffer if it is running, and select a specific interface:
[admin@MikroTik] tool sniffer> stop
[admin@MikroTik] tool sniffer> set interface=bridge1
[admin@MikroTik] tool sniffer> start
[admin@MikroTik] tool sniffer> print
interface: bridge1
only-headers: no
memory-limit: 10
file-name:
file-limit: 10
streaming-enabled: no
streaming-server: 0.0.0.0
filter-stream: yes
filter-protocol: ip-only
filter-address1: 0.0.0.0/0:0-65535
filter-address2: 0.0.0.0/0:0-65535
running: yes
[admin@MikroTik] tool sniffer>

Now you have the source and destination MAC Addresses:
[admin@MikroTik] tool sniffer packet> print detail
0 time=0 src-mac-address=00:0C:42:03:02:C7 dst-mac-address=00:30:4F:08:3A:E7
interface=bridge1 src-address=10.5.8.104:1125
dst-address=10.1.0.172:3987 (winbox-tls) protocol=ip ip-protocol=tcp
size=146 ip-packet-size=146 ip-header-size=20 tos=0 identification=5088
fragment-offset=0 ttl=126

1 time=0 src-mac-address=00:30:4F:08:3A:E7 dst-mac-address=00:0C:42:03:02:C7
interface=bridge1 src-address=10.1.0.172:3987 (winbox-tls)
dst-address=10.5.8.104:1125 protocol=ip ip-protocol=tcp size=253
ip-packet-size=253 ip-header-size=20 tos=0 identification=41744
fragment-offset=0 ttl=64

2 time=0.071 src-mac-address=00:0C:42:03:02:C7
dst-mac-address=00:30:4F:08:3A:E7 interface=bridge1
src-address=10.5.8.104:1125 dst-address=10.1.0.172:3987 (winbox-tls)
protocol=ip ip-protocol=tcp size=40 ip-packet-size=40 ip-header-size=20
tos=0 identification=5089 fragment-offset=0 ttl=126

3 time=0.071 src-mac-address=00:30:4F:08:3A:E7
dst-mac-address=00:0C:42:03:02:C7 interface=bridge1
src-address=10.1.0.172:3987 (winbox-tls) dst-address=10.5.8.104:1125
protocol=ip ip-protocol=tcp size=213 ip-packet-size=213 ip-header-size=20
tos=0 identification=41745 fragment-offset=0 ttl=64

-- [Q quit|D dump|down]

Torch (Realtime Traffic Monitor)

2008-04-08T16:00:00.000+07:00

General Information
Summary

Realtime traffic monitor may be used to monitor the traffic flow through an interface.
Specifications
Packages required: system
License required: Level1
Submenu level: /tool
Standards and Technologies: none
Hardware usage: Not significant
Description

Realtime Traffic Monitor called also torch is used for monitoring traffic that is going through an interface. You can monitor traffic classified by protocol name, source address, destination address, port. Torch shows the protocols you have chosen and mean transmitted and received data rate for each of them.
The Torch Command
Command name: /tool torch
Property Description
(name) - the name of the interface to monitor

dst-address (IP address/netmask) - destination address and network mask to filter the traffic only with such an address, any destination address: 0.0.0.0/0

freeze-frame-interval (time) - time in seconds for which the screen output is paused

port (name | integer) - the name or number of the port

protocol (any | any-ip | ddp | egp | encap | ggp | gre | hmp | icmp | idpr-cmtp | igmp | ipencap | ipip | ipsec-ah | ipsec-esp | iso-tp4 | ospf | pup | rdp | rspf | st | tcp | udp | vmtp | xns-idp | xtp) - the name or number of the protocolany - any ethernet or IP protocol
any-ip - any IP protocol
any - any ethernet or IP protocol
any-ip - any IP protocol

src-address (IP address/netmask) - source address and network mask to filter the traffic only with such an address, any source address: 0.0.0.0/0

Notes

If there will be specific port given, then only tcp and udp protocols will be filtered, i.e., the name of the protocol can be any, any-ip, tcp, udp.

Except TX and RX, there will be only the field you've specified in command line in the command's output (e.g., you will get PROTOCOL column only in case if protocol property is explicitly specified).
Example

The following example monitors the traffic that goes through the ether1 interface generated by telnet protocol:
[admin@MikroTik] tool> torch ether1 port=telnet
SRC-PORT DST-PORT TX RX
1439 23 (telnet) 1.7kbps 368bps

[admin@MikroTik] tool>

To see what IP protocols are going through the ether1 interface:
[admin@MikroTik] tool> torch ether1 protocol=any-ip
PRO.. TX RX
tcp 1.06kbps 608bps
udp 896bps 3.7kbps
icmp 480bps 480bps
ospf 0bps 192bps

[admin@MikroTik] tool>

To see what IP protocols are interacting with 10.0.0.144/32 host connected to the ether1 interface:
[admin@MikroTik] tool> torch ether1 src-address=10.0.0.144/32 protocol=any
PRO.. SRC-ADDRESS TX RX
tcp 10.0.0.144 1.01kbps 608bps
icmp 10.0.0.144 480bps 480bps

[admin@MikroTik] tool>

To see what tcp/udp protocols are going through the ether1 interface:
[admin@MikroTik] tool> torch ether1 protocol=any-ip port=any
PRO.. SRC-PORT DST-PORT TX RX
tcp 3430 22 (ssh) 1.06kbps 608bps
udp 2812 1813 (radius-acct) 512bps 2.11kbps
tcp 1059 139 (netbios-ssn) 248bps 360bps
[admin@MikroTik] tool>

MAC Level Access (Telnet and Winbox)

2008-04-08T15:59:00.000+07:00

General Information
Summary

MAC telnet is used to provide access to a router that has no IP address set. It works just like IP telnet. MAC telnet is possible between two MikroTik RouterOS routers only.
Specifications
Packages required: system
License required: Level1
Submenu level: /tool, /tool mac-server
Standards and Technologies: MAC Telnet
Hardware usage: Not significant
MAC Telnet Server
Submenu level: /tool mac-server
Property Description
interface (name | all; default: all) - interface name to which the mac-server clients will connectall - all interfaces
all - all interfaces

Notes

There is an interface list in this submenu level. If you add some interfaces to this list, you allow MAC telnet to that interface. Disabled (disabled=yes) item means that interface is not allowed to accept MAC telnet sessions on that interface. all interfaces iss the default setting to allow MAC teltet on any interface.
Example

To enable MAC telnet server on ether1 interface only:
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
# INTERFACE
0 all
[admin@MikroTik] tool mac-server> remove 0
[admin@MikroTik] tool mac-server> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server> print
Flags: X - disabled
# INTERFACE
0 ether1
[admin@MikroTik] tool mac-server>
MAC WinBox Server
Submenu level: /tool mac-server mac-winbox
Property Description
interface (name | all; default: all) - interface name to which it is alowed to connect with Winbox using MAC-based protocolall - all interfaces
all - all interfaces

Notes

There is an interface list in this submenu level. If you add some interfaces to this list, you allow MAC Winbox to that interface. Disabled (disabled=yes) item means that interface is not allowed to accept MAC Winbox sessions on that interface.
Example

To enable MAC Winbox server on ether1 interface only:
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
# INTERFACE
0 all
[admin@MikroTik] tool mac-server mac-winbox> remove 0
[admin@MikroTik] tool mac-server mac-winbox> add interface=ether1 disabled=no
[admin@MikroTik] tool mac-server mac-winbox> print
Flags: X - disabled
# INTERFACE
0 ether1
[admin@MikroTik] tool mac-server mac-winbox>
Monitoring Active Session List
Submenu level: /tool mac-server sessions
Property Description
interface (read-only: name) - interface to which the client is connected to

src-address (read-only: MAC address) - client's MAC address

uptime (read-only: time) - how long the client is connected to the server

Example

To see active MAC Telnet sessions:
[admin@MikroTik] tool mac-server sessions> print
# INTERFACE SRC-ADDRESS UPTIME
0 wlan1 00:0B:6B:31:08:22 00:03:01
[admin@MikroTik] tool mac-server sessions>
MAC Scan
Command name: /tool mac-scan
Description

This command discovers all devices, which support MAC telnet protocol on the given network.
Property Description
(name) - interface name to perform the scan on

MAC Telnet Client
Command name: /tool mac-telnet
Property Description
(MAC address) - MAC address of a compatible device

Example
[admin@MikroTik] > /tool mac-telnet 00:02:6F:06:59:42
Login: admin
Password:
Trying 00:02:6F:06:59:42...
Connected to 00:02:6F:06:59:42

MMM MMM KKK TTTTTTTTTTT KKK
MMMM MMMM KKK TTTTTTTTTTT KKK
MMM MMMM MMM III KKK KKK RRRRRR OOOOOO TTT III KKK KKK
MMM MM MMM III KKKKK RRR RRR OOO OOO TTT III KKKKK
MMM MMM III KKK KKK RRRRRR OOO OOO TTT III KKK KKK
MMM MMM III KKK KKK RRR RRR OOOOOO TTT III KKK KKK

MikroTik RouterOS 3.0beta10 (c) 1999-2007 http://www.mikrotik.com/

Terminal linux detected, using multiline input mode
[admin@MikroTik] >

FTP (File Transfer Protocol) Server

2008-04-08T15:58:00.000+07:00

General Information
Summary

MikroTik RouterOS implements File Transfer Protocol (FTP) server feature. It is intended to be used for software packages uploading, configuration script exporting and importing procedures, as well as for storing HotSpot servlet pages.
Specifications
Packages required: system
License required: Level1
Submenu level: /file
Standards and Technologies: FTP (RFC 959)
Hardware usage: Not significant
File Transfer Protocol Server
Submenu level: /file
Description

MikroTik RouterOS has an industry standard FTP server facility. It uses ports 20 and 21 for communication with other hosts on the network.

Uploaded files as well as exported configuration or backup files can be accessed under /file menu. There you can delete unnecessary files from the router.

Authorization for FTP service uses router's system user account names and passwords. The ftp local user policy controls the access rights to the FTP server.
Property Description
contents (text) - file contents (for text files only; size limit - 4kB)

creation-time (read-only: time) - item creation date and time

name (read-only: name) - item name

package-architecture (read-only: [text]) - RouterOS software package target machine architecture (for package files only)

package-build-time (read-only: [date]) - RouterOS software package build time (for package files only)

package-name (read-only: [text]) - RouterOS software package name (for package files only)

package-version (read-only: [text]) - RouterOS software package version number (for package files only)

size (read-only: integer) - package size in bytes

type (read-only: text) - item type. Few file types are recognized by extension: backup, directory, package, script, ssh key, but other files are just marked by their extension (.html file, for example)

Command Description
print - shows a list of files storedInput Parameters
detail - shows contents of files less that 4kB long
edit [item] contents - offers to edit file's contents with editor
set [item] contents=[content] - sets the file's contents to 'content'

Configuration Management

2008-04-08T15:57:00.000+07:00

General Information
Summary

This manual introduces you with commands which are used to perform the following functions:
system backup;
system restore from a backup;
configuration export;
configuration import;
system configuration reset.
Description

The configuration backup can be used for backing up MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from it using FTP for future use. The configuration restore can be used for restoring the router's configuration, exactly as it was at the backup creation moment, from a backup file. The restoration procedure assumes the cofiguration is restored on the same router, where the backup file was originally created, so it will create partially broken configuration if the hardware has been changed.

The configuration export can be used for dumping out complete or partial MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router using FTP protocol. The configuration dumped is actually a batch of commands that add (without removing the existing configuration) the selected configuration to a router. The configuration import facility executes a batch of console commands from a script file.

System reset command is used to erase all configuration on the router. Before doing that, it might be useful to backup the router's configuration.
System Backup
Submenu level: /system backup
Description

The save command is used to store the entire router configuration in a backup file. The file is shown in the /file submenu. It can be downloaded via ftp to keep it as a backup for your configuration.

To restore the system configuration, for example, after a /system reset-configuration, it is possible to upload that file via ftp and load that backup file using load command in /system backup submenu.
Command Description
load name=[filename] - Load configuration backup from a file

save name=[filename] - Save configuration backup to a file

Example

To save the router configuration to file test:
[admin@MikroTik] system backup> save name=test
Configuration backup saved
[admin@MikroTik] system backup>

To see the files stored on the router:
[admin@MikroTik] > file print
# NAME TYPE SIZE CREATION-TIME
0 test.backup backup 12567 sep/08/2004 21:07:50
[admin@MikroTik] >
Example

To load the saved backup file test:
[admin@MikroTik] > system backup load name=test
Restore and reboot? [y/N]:
y
Restoring system configuration
System configuration restored, rebooting now
Exporting Configuration
Command name: /export
Description

The export command prints a script that can be used to restore configuration. The command can be invoked at any menu level, and it acts for that menu level and all menu levels below it. The output can be saved into a file, available for download using FTP.
Command Description
file=[filename] - saves the export to a file

Example
[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.1.0.172/24 10.1.0.0 10.1.0.255 bridge1
1 10.5.1.1/24 10.5.1.0 10.5.1.255 ether1
[admin@MikroTik] >

To make an export file:
[admin@MikroTik] ip address> export file=address
[admin@MikroTik] ip address>

To see the files stored on the router:
[admin@MikroTik] > file print
# NAME TYPE SIZE CREATION-TIME
0 address.rsc script 315 dec/23/2003 13:21:48
[admin@MikroTik] >
Importing Configuration
Command name: /import
Description

The root level command /import [file_name] executes a script, stored in the specified file adds the configuration from the specified file to the existing setup. This file may contain any console comands, including scripts. is used to restore configuration or part of it after a /system reset event or anything that causes configuration data loss.

Note that it is impossible to import the whole router configuration using this feature. It can only be used to import a part of configuration (for example, firewall rules) in order to spare you some typing.
Command Description
file=[filename] - loads the exported configuration from a file to router

Example

To load the saved export file use the following command:
[admin@MikroTik] > import address.rsc
Opening script file address.rsc

Script file loaded and executed successfully
[admin@MikroTik] >
Configuration Reset
Command name: /system reset-configuration
Description

The command clears all configuration of the router and sets it to the default including the login name and password ('admin' and no password), IP addresses and other configuration is erased, interfaces will become disabled. After the reset command router will reboot.
Command Description
reset - erases router's configuration

Notes

If the router has been installed using netinstall and had a script specified as the initial configuration, the reset command executes this script after purging the configuration. To stop it doing so, you will have to reinstall the router.
Example
[admin@MikroTik] > system reset-configuration
Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >

Nstreme dual Step-by-Step

2008-04-08T15:07:00.000+07:00

Here is a step-by-step explanation how to enable nstreme dual on a fresh installed MikroTik devices:

I. MikroTik Device 1

1.1. Enabling wireless cards 1 and 2:
[admin@MikroTik] > interface enable wlan1
[admin@MikroTik] > interface enable wlan2

1.2. Assigning IP address to the ethernet interface:
[admin@MikroTik] > ip address add address=192.168.1.1/24 interface=ether1

1.3. Creating bridge interface:

[admin@MikroTik] > interface bridge add

1.4. Adding ethernet interface to the bridge interface:

[admin@MikroTik] > interface bridge port add interface=ether1 bridge=bridge1

1.5. Setting wireless cards 1 and 2 to nstreme mode:

[admin@MikroTik] > interface wireless set wlan1 mode=nstremedualslave
[admin@MikroTik] > interface wireless set wlan2 mode=nstremedualslave

1.6. Creating nstreme dual interface and setting Tx and Rx radios and frequencies:
[admin@MikroTik] > interface wireless nstremedual add rxradio=wlan1 txradio=wlan2
rx-=5ghz tx-=5ghz rx-=5180 txfrequency=5300

1.7. Adding nstreme interface to the bridge:
[admin@MikroTik] > interface bridge port add interface=nstreme1 bridge=bridge1

1.8. Checking the MAC address of the nstreme interface (in this example: 11:11:11:11:11:11):
[admin@MikroTik] > interface wireless nstreme print
Flags: X disabled, R running
0 X name="nstreme1" mtu=1500 mac=11:11:11:11:11:11 arp=enabled
disable=no txradio=wlan2 rxradio=wlan1 remote=00:00:00:00:00:00
tx-=5ghz txfrequency=5300 rxband=5ghz rxfrequency=5180
rates=1Mbps,2Mbps,5.5Mbps,11Mbps
rates/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
framer=none framer=2560

II. MikroTik Device 2

2.1. Enabling wireless cards 1 and 2:

[admin@MikroTik] > interface enable wlan1
[admin@MikroTik] > interface enable wlan2

2.2. Assigning IP address to the ethernet interface:

[admin@MikroTik] > ip address add address=192.168.1.2/24 interface=ether1

2.3. Creating bridge interface:
[admin@MikroTik] > interface bridge add

2.4. Adding ethernet interface to the bridge interface:
[admin@MikroTik] > interface bridge port add interface=ether1 bridge=bridge1

2.5. Setting wireless cards 1 and 2 to nstreme mode:
[admin@MikroTik] > interface wireless set wlan1 mode=nstremedual-
[admin@MikroTik] > interface wireless set wlan2 mode=nstremedualslave

2.6. Creating Nstreme dual interface and setting Tx and Rx radios and frequencies and setting the MAC address of the remote nstreme interface (in this example: 11:11:11:11:11:11 [step 1.8]):
[admin@MikroTik] > interface wireless nstremedual add rxradio=wlan1 txradio=wlan2
rxband=5ghz tx-=5ghz rx-=5300 txfrequency=5180
remote=11:11:11:11:11:11 disabled=no

2.7. Adding nstreme interface to the bridge:
[admin@MikroTik] > interface bridge port add interface=nstreme1 bridge=bridge1

2.8. Checking the MAC address of the nstreme interface (in this example: 22:22:22:22:22:22):
[admin@MikroTik] > interface wireless nstreme print
Flags: X disabled, R running
0 R name="nstreme1" mtu=1500 mac=22:22:22:22:22:22 arp=enabled
disable=no txradio=wlan2 rxradio=wlan1 remote=11:11:11:11:11:11
txband=5ghz tx-=5180 rx-=5ghz rx-=5300
rates=1Mbps,2Mbps,5.5Mbps,11Mbps
rates/g=6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps
framer=none framer=2560

III. MikroTik Device 1

1.9. Setting the MAC address of the remote nstreme interface (in this example: 22:22:22:22:22:22 [step 2.8]):
[admin@MikroTik] > interface wireless nstremedual set nstreme1
remote=22:22:22:22:22:22 disabled=no

Wireless repeater

2008-04-08T15:06:00.000+07:00

Introduction

This example shows how to configure a wireless repeater. Wireless repeater extends the range of an existing WLAN instead of adding more access points. Consider the network layout:
We will use two wireless interfaces (two antennas) on the repeater router. WDS links will be established between 'Main gateway' and 'Repeater', 'Repeater' and 'AP1', 'AP2' (end-users are connected to the AP1 and AP2).

Note, client wireless interfaces (station, ad-hoc, infrastructure) do not support bridging because of the limitations of 802.11.

Quick Start

Main Gateway configuration export:
/ ip address add address=192.168.0.1/24 interface=wlan1
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X2 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

Repeater configuration export:
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X1 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

/ interface wireless set wlan2 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X4 master-interface=wlan2
/ interface bridge port add interface=wlan2 bridge=bridge1
/ interface bridge port add interface=wds2 bridge=bridge1
/ ip address add address=192.168.0.2/24 interface=bridge1

AP1, AP2 configuration export:
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X3 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1
/ ip adress add address=192.168.0.3/24 interface=wlan1
Explanation
Main Gateway
/ ip address add address=192.168.0.1/24 interface=wlan1

The wireless interface has the name 'wlan1' and IP address of 192.168.0.1/24. It will be the default gateway for other nodes in the network.
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static

Rule enables wireless interface and sets up appropriate configuration: band, frequency (WDS peers all need to be on the same frequency), SSID, wds-mode (static - WDS interfaces created manually in static mode).
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X2 master-interface=wlan1

The rule creates WDS interface on the particular 'master-interface', where 'wds-address' is the remote WDS peer MAC-address.
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

First we create bridge interface on the router, then 'wlan1' and 'wds1' interface are added to the bridge.
Repeater

Let us consider wireless repeater configuration. First we need to establish communication to 'Main Gateway' router.
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5180 ssid=Main_gw wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X1 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1

The rules are quite similar to 'Main Gateway' configuration rules. We need to enable wireless interface, than set appropriate wireless and WDS configuration (don't forget about the same frequency channel) and add interface to created bridge.
/ interface wireless set wlan2 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X4 master-interface=wlan2
/ interface bridge port add interface=wlan2 bridge=bridge1
/ interface bridge port add interface=wds2 bridge=bridge1
/ ip address add address=192.168.0.2/24 interface=bridge1

Next, we should configure second wireless interface. Rules are very similar to the previous one. IP address configuration is required for troubleshoot options. Repetear will work fine without IP address configuration.
AP1, AP2 configuration
/ interface wireless set wlan1 disabled=no mode=ap-bridge band=5ghz frequency=5805 ssid=To_clients wds-mode=static
/ interface wireless wds add disabled=no wds-address=XX:XX:XX:XX:XX:X3 master-interface=wlan1
/ interface bridge add
/ interface bridge port add interface=wlan1 bridge=bridge1
/ interface bridge port add interface=wds1 bridge=bridge1
/ ip adress add address=192.168.0.3/24 interface=wlan1

Finally, we need to configure AP1, AP2 client routers, which will provide connection to the Internet for the end-user. Add client interface to bridge (Ethernet, wireless). AP1 and AP2 clients will use 192.168.0.0/24 subnet, AP1 and AP2 clients will communicate as they are connected to the one switch.

How to create a transparent AP with more than 1 wireless cards

2008-04-08T15:03:00.000+07:00

I was in need of this transparent AP because I had a linux server and 2 transparent AP-s that clients use to connect to my network. I wanted to change the AP-s so that more bandwith can be provided for the clients. The clients configuration was something like this:
IP = 10.100.11.x
netmask = 255.255.255.0
gateway = 10.100.11.1

I purchased a routerboard with 1 ethernet card and 2 wireless cards. Performing the routing, the configuration of my network had to change so that the wireless cards` IP-s would be the gateways for the clients. In this scenario I had to change the routing of the linux server in a way that the Mikrotik box would be the gateway for the clients. Beside this, we had to change half of the clients` IP because wlan1 became 10.100.11.1 and wlan2 was 10.100.12.1 (new network). People who connect on wlan2 need to be in the 10.100.12.x/24 range.

With a little help from the Mikrotik forum (thanks guys) I succedded in doing this:
eth1 = 10.100.13.1/24
wlan1 = 10.100.12.254/24
wlan2 = 10.100.11.254/24

Now, all 3 interfaces are in bridge and they forward traffic without any question to my Linux box . The wlan1 and wlan2 still have IP-s in that range accidentally, they can have any private IP address, it doesn`t matter anymore.

Here is what you have to do (everything in telnet console):
interface bridge add name=bridge1 (bridge1 being the name of the bridge, in lack of ideas)
interface bridge port add interface=ether1 bridge=bridge1
interface bridge port add interface=wlan1 bridge=bridge1
interface bridge port add interface=wlan2 bridge=bridge1

The wireless cards are in ap-bridge operating mode.
interface wireless set wlan1 mode=ap-bridge ssid=greaca1
interface wireless set wlan2 mode=ap-bridge ssid=greaca2
And now, we have this configuration:

Client IP 10.100.11.2 netmask 255.255.255.0 gateway 10.100.11.1 -> Mikrotik wlan1 (IP=10.100.12.254/24) -> linux server ip 10.100.11.1.

Here are the connected client APs, 28 on that moment.

The default gateway for the mikrotik box is 10.100.13.2, an IP alias on the same ethernet card in the linux server that is 10.100.11.1, but it doesn`t count... it can be any IP, doesn`t have to be in the same range with the linux server.

Here is the complete scheme of my network in that town:

Transparently Bridge two Networks without using WDS (EoIP)

2008-04-08T15:01:00.001+07:00

Server Setup:
Server IP Addresses

/ ip address add address=192.168.0.1/24 interface=ether1 disabled=no
/ ip address add address=192.168.1.1/24 interface=wlan1 disabled=no

Client Setup:
Client IP Addresses

/ ip address add address=192.168.0.2/24 interface=ether1 disabled=no
/ ip address add address=192.168.1.2/24 interface=wlan1 disabled=no

Wireless Area

2008-04-08T15:00:00.002+07:00

Area is a part of a mesh network, for limiting station access to a certain number of APs (e.g., a building or a block). All APs within the mesh may have the same SSID, but stations will select only a few ones, based on their area code.

The Area setting is configured on APs in the wireless menu. This can be done with the goal to limit connectivity (to force the station to stay within a certain area) , or to improve connection quality (as the station will not try to connect to APs from other areas, which may have worse signal quality).
[admin@router] /interface wireless> set wlan1 area=

The stations can be configured to connect to any AP that has its area code beginning with a certain string (area-prefix parameter in wireless connect list), so you configure areas within areas, and make some stations only work within a subarea, and allow some other stations to work within a larger area.
[admin@router] /interface wireless connect list> add area-prefix=

For example stations with area-prefix="area1" will connect to any AP with area code "area1.1" and "area1.2", but if you specify area prefix as "area1.1", then that station will only connect to APs with area code "area1.1"; you can subdivide areas even further.

Layer2 VPN Server

2008-04-08T15:00:00.001+07:00

Ethernet over IP (EoIP) Tunneling is a MikroTik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. A VLAN is a logical grouping that allows end users to communicate as if they were physically connected to a single isolated LAN, independent of the physical configuration of the network.

It's required that you have switch that support 802.1Q VLAN and shows how to setup Layer 2 VPN Server. Configuration of switches not added coz it depends on how network you have.

With this example we group devices on one or more LANs that are configured ,so that they can communicate as if they were attached to the same wire when in fact they are located on a number of different LAN segments. Using EoIP you can reach routers that are connected by wireless and with vlans we then segment network. Because VLANs are based on logical instead of physical connections, they are extremely flexible. So, in my network i added a few location that goes througt fiber optic and about 40 wireless locations.

Server Side:
First, install latest Mikrotik OS on computer with 2 ethernet intefaces.

Now lets configure them.
/interface set 0 name=ether1-internet
set 1 name=ether2-trunk

/ip address add address=195.101.10.5/29 interface=ether1-internet comment="" disabled=no

Create Eoip interface for remote router1:

/interface eoip
add name=eoip-router1 tunnel-id=310 remote-address=196.200.50.5 comment="" disabled=no

Create vlan for remote router1:

/interface vlan
add name=vlan-router1 interface=ether2-trunk vlan-id=310 comment="" disabled=no
Now bridge eoip and vlan:

/interface bridge
add name=bridge-to-router1

/interface bridge port
add interface=eoip-router1 bridge=bridge-to-router1
add interface=vlan-router1 bridge=bridge-to-router1

Now we add configuration for remote router2
Create Eoip interface for remote router2:

/interface eoip
add name="eoip-router2" tunnel-id=312 remote-address=196.200.50.6 comment="" disabled=no

Create vlan for remote router2:

/interface vlan
add name=vlan-router2 interface=ether2-trunk vlan-id=312 comment="" disabled=no
Now bridge eoip and vlan:

/interface bridge
add name=bridge-to-router2

/interface bridge port
add interface=eoip-router2 bridge=bridge-to-router2 comment="" disabled=no
add interface=vlan-router2 bridge=bridge-to-router2 comment="" disabled=no

Remote Router1 side:
/interface eoip
add name=eoip-client remote-address=195.101.10.5 tunnel-id=310 comment="" disabled=no

/interface bridge
add name=bridge-to-router1

/interface bridge port
add interface=eoip-client bridge=bridge-to-router1 comment="" disabled=no
add interface=ether1 bridge=bridge-to-router1 comment="" disabled=no

Remote Router2 side:
/interface eoip
add name=eoip-client remote-address=195.101.10.5 tunnel-id=312 comment="" disabled=no

/interface bridge
add name=bridge-to-router2

/interface bridge port
add interface=eoip-client bridge=bridge-to-router2 comment="" disabled=no
add interface=ether1 bridge=bridge-to-router2 comment="" disabled=no

Depends on the network you have , some modifications are required , and dont forget to add and configure conresponding VLANS on Allied Telesyn, Cisco , etc. switches.

TIP: You can always add some address to bridge, just to check if there is connectivity to remote router with ping command.

Server side: /ip address
add adress=192.168.100.1/30 interface=bridge-to-router1 comment="" disabled=no

Remote router side: /ip address
add address=192.168.100.2/30 interface=bridge-to-router1 comment="" disabled=no

OpenVPN

2008-04-08T14:48:00.000+07:00

Generic
[edit]
Why to use OpenVPN ?

OpenVPN has been ported to various platforms, including Linux and Windows, and it's configuration is throughout likewise on each of these systems, so it makes it easier to support and maintain. Also, OpenVPN is one of the few VPN protocols that can make use of a proxy, which might be handy sometimes.

[edit]
Download OpenVPN

Debian provides OpenVPN packages as part of the standard distribution, just install them by typing apt-get install openvpn.
For a server, you want additionally to install the openssl package.
For easy client access, you would want to install network-manager, network-manager-openvpn and network-manager-gnome or network-manager-kde. This is a nice gui for handling wired and wireless network connections, connections via openvpn and cisco vpn (vpnc) and ppp connections (like a regular or 3g modem for example).

RouterOS requires v3.x and you will need to install and enable the ppp package. There is one limitation to using OpenVPN on the RouterOS platform: currently only tcp is supported. udp will not work.

For Windows you probably also want the GUI, that allows you to choose and activate certain VPN configuration from a simple click in the systray. A complete package for installation of OpenVPN incl. OpenVPN GUI can be downloaded at http://www.openvpn.se/download.html .

[edit]
Certificates

OpenVPN works with SSL certificates. You can either use http://cacert.org to issue these or use the easy-rsa scripts, that come with most OpenVPN distributions. In Debian these scripts can be found in the directory /usr/share/doc/openvpn/examples/easy-rsa. Please read the README.gz file for the usage. On RouterOS, all you have to do is to upload them via ftp (ca certificate and router certificate and private key) and import them with /certificate import .

[edit]
Naming Linux/Windows vs. RouterOS

There are two interface types within OpenVPN, that are used.
tun, RouterOS defines this as ip.
tap, which is needed for bridge mode gateways. RouterOS defines this as ethernet.

[edit]
A few comments

The configuation files here are fully layed out for Debian and Ubuntu. If you're using something else, you'll have to do your own research, what you need. Hope they'll give a guideline.

[edit]
Server configuration
[edit]
Seperate segment for VPN and destination network
[edit]
RouterOS
[edit]
The network configuration of your box:
/ip address add address=10.15.30.31/24 interface=ether1 comment=Lan
/ip address add address=189.64.0.2/24 interface=ether2 comment=Internet
/ip route add dst-address=10.0.0.0/8 gateway=10.15.30.5 comment=Wan
/ip route add gateway=189.64.0.1 comment=Internet

Lan and Wan are the internal networks, Internet is obviously the Internet.
If NAT/masquerading is needed, this will do the job:
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
[edit]
Define an IP pool:
/ip pool add name=ovpn-pool ranges=10.15.32.34-10.15.32.38

This pool is used for the OpenVPN clients.
[edit]
Define a profile:
/ppp profile
add change-tcp-mss=default comment="" local-address=10.15.32.33 \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
[edit]
Add a vpn user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
[edit]
OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ip netmask=29 \
port=1194 require-client-certificate=no

Bug: There is currently a bug in the implementation of OpenVPN in RouterOS, so require-client-certificate has to be set to no. Otherwise you'll end up with TLS errors.

[edit]
Firewall

If you have a firewall defined, that denies access, you would want to allow access to OpenVPN:
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
[edit]
Default Route

I haven't figured out, how to redistribute the default route from the OpenVPN server, so you'll have to add it yourself on the client by specifying the add-default-route option (if you have a RouterOS client).
If you have a Linux or a Windows client, you can use the route-up dyrective. Place it on your OpenVPN configuration (client) file with a command in append, and OpenVPN will execute it when the default route comes up.
For example, if you want to add a static route for 192.168.0.0 (obviously this net are on the remote side) through your OpenVPN gateway (IP 10.15.30.31), you have to add for Linux:
route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31"
or, for Windows:
route-up "route add 192.168.0.0 mask 255.255.255.0 10.15.30.31"

[edit]
Linux

/etc/network/interfaces:
iface eth0 inet static
address 10.15.30.31
netmask 255.255.255.0
network 10.15.30.0
broadcast 10.15.30.255
up /sbin/route add -net 10.0.0.0 netmask 255.0.0.0 gw 10.15.30.5
#
iface eth1 inet static
address 189.64.15.2
netmask 255.255.255.0
gateway 189.64.15.1
up echo "1" > /proc/sys/net/ipv4/ip_forward

eth0 is the network, that we want to get access to. eth1 is our outside interface.

/etc/openvpn/gw.conf:
port 1194
proto tcp
dev tun
ca keys/ca.crt
cert keys/vpngate.crt
key keys/vpngate.key
dh keys/dh1024.pem
server 10.15.32.32 255.255.255.224
ifconfig-pool-persist ipp.txt
keepalive 10 120
cipher none
#comp-lzo
user nobody
group nogroup
persist-key
persist-tun
status /var/log/openvpn/vpngate-status.log
verb 3

If you want to push a route to the client, this can be added:
push "route 10.0.0.0 255.0.0.0 10.15.32.33"

For a default gw to the client, usually, this is added:
push "redirect-gateway"

With RouterOS, this has no effect, whatsover, so if you want to push the default route from the server, please add:
push "route 0.0.0.0 0.0.0.0 10.15.32.33"

And to tell the client, what DNS servers to use, this will do the job:
push "dhcp-option DNS 10.15.15.10"
push "dhcp-option DNS 10.15.30.10"
[edit]
Bridge mode
[edit]
RouterOS
[edit]
Create the bridge
/interface bridge add name=vpn-bridge
/interface bridge port add interface=ether1 bridge=vpn-bridge
[edit]
The network configuration of your box:
/ip address add address=10.15.30.31/24 interface=vpn-bridge comment=Lan
/ip address add address=189.64.0.2/24 interface=ether2 comment=Internet
/ip route add dst-address=10.0.0.0/8 gateway=10.15.30.5 comment=Wan
/ip route add gateway=189.64.0.1 comment=Internet

Lan and Wan are the internal networks, Internet is obviously the Internet.
If NAT/masquerading is needed, this will do the job:
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade
[edit]
Define an IP pool:
/ip pool add name=ovpn-pool ranges=10.15.30.32-10.15.30.40

This pool is used for the OpenVPN clients.
[edit]
Define a profile:
/ppp profile
add change-tcp-mss=default comment="" bridge=vpn-bridge \
name="your_profile" only-one=default remote-address=ovpn-pool \
use-compression=default use-encryption=required use-vj-compression=default
[edit]
Add a vpn user:
/ppp secret
add caller-id="" comment="" disabled=no limit-bytes-in=0 \
limit-bytes-out=0 name="username" password="password" \
routes="" service=any
[edit]
OpenVPN server configuration:
/interface ovpn-server server
set auth=sha1,md5 certificate=router_cert \
cipher=blowfish128,aes128,aes192,aes256 default-profile=your_profile \
enabled=yes keepalive-timeout=disabled max-mtu=1500 mode=ethernet netmask=24 \
port=1194 require-client-certificate=no

Before using require-client-certificate option, CA and correct server/client certificate must be imported to both OpenVpn server and client.

[edit]
OpenVPN server Instance

At the moment, it looks like, that even though we've specified the vpn-bridge in the profile, RouterOS does not honour that fact. So we need to add a OpenVPN server Instance ourselfes for each user and add it to the bridge. (Not required after RC11).
/interface ovpn-server add name=ovpn-username user=username
/interface bridge port add interface=ovpn-username bridge=vpn-bridge

This will result in, that the dynamically created openvpn server instance automatically get's assigned to this interface and thus the bridge.
[edit]
Firewall

If you have a firewall defined, that denies access, you would want to allow access to OpenVPN:
/ip firewall filter
add action=accept chain=input comment="OpenVPN" disabled=no dst-port=1194 protocol=tcp
[edit]
Default Route

I haven't figured out, how to redistribute the default route from the OpenVPN server, so you'll have to add it yourself on the client by specifying the add-default-route option (if you have a RouterOS client).
If you have a Linux or a Windows client, you can use the route-up dyrective. Place it on your OpenVPN configuration (client) file with a command in append, and OpenVPN will execute it when the default route comes up.
For example, if you want to add a static route for 192.168.0.0 (obviously this net are on the remote side) through your OpenVPN gateway (IP 10.15.30.31), you have to add for Linux:
route-up "route add -net 192.168.0.0 netmask 255.255.255.0 gw 10.15.30.31"
or, for Windows:
route-up "route add 192.168.0.0 mask 255.255.255.0 10.15.30.31"

[edit]
Linux
[edit]
Packages

These packages are needed: openvpn bridge-utils openssl

[edit]
Configuration

The configuration bits here are needed to set up a bridged gateway.

/etc/network/interfaces:
auto eth0 eth1 br0

# WAN interface
iface eth0 inet static
address 10.15.30.31
netmask 255.255.255.0
network 10.15.30.0
broadcast 10.15.30.255
post-up route add -net 10.0.0.0/8 gw 10.15.30.5

# Internet interface
iface eth1 inet static
address 189.64.15.2
netmask 255.255.255.252
gateway 189.64.15.1
dns-nameservers 195.222.111.222 80.190.248.148 91.189.64.189
pre-up echo 1 > /proc/sys/net/ipv4/ip_forward
up /sbin/iptables -t nat -A POSTROUTING -o $IFACE -j MASQUERADE
down /sbin/iptables -t nat -F
post-down echo 0 > /proc/sys/net/ipv4/ip_forward

# OpenVPN interface
iface br0 inet manual
up openvpn --mktun --dev tap0
up ifconfig eth0 0.0.0.0 promisc up
up ifconfig tap0 0.0.0.0 promisc up
up brctl addbr br0
up brctl setfd br0 0
up brctl stp br0 off
up brctl addif br0 eth0
up brctl addif br0 tap0
up ifconfig br0 10.15.30.31 netmask 255.255.255.0 up
up route add -net 10.0.0.0/8 gw 10.15.30.5
down ifconfig br0 down
down brctl delif br0 tap0
down brctl delif br0 eth0
down brctl delbr br0
down openvpn --rmtun --dev tap0
down ifconfig eth0 10.15.30.31 netmask 255.255.255.0 broadcast 10.15.30.255 network 10.15.30.0
down route add -net 10.0.0.0/8 gw 10.15.30.5

/etc/openvpn/bridge-gw.conf
port 1194
proto udp
dev tap0
ca keys/ca.crt
cert keys/bridge-gw.crt
key keys/bridge-gw.key
dh keys/dh1024.pem
ifconfig-pool-persist ipp.txt
server-bridge 10.15.30.31 255.255.255.0 10.15.30.100 10.15.30.119
keepalive 10 120
user nobody
group nogroup
persist-key
persist-tun
status openvpn-status-gw.log
verb 3

If you want to push a route to the client, this can be added:
push "route 10.0.0.0 255.0.0.0 10.15.30.5"

For a default gw to the client, usually, this is added:
push "redirect-gateway"

With RouterOS, this has no effect, whatsover, so if you want to push the default route from the server, please add:
push "route 0.0.0.0 0.0.0.0 10.15.32.33"

And to tell the client, what DNS servers to use, this will do the job:
push "dhcp-option DNS 10.15.15.10"
push "dhcp-option DNS 10.15.30.10"
[edit]
Client configuration
[edit]
RouterOS
[edit]
client of a routed server (tun)
/interface ovpn-client \
name="ovpn-out1" connect-to=189.64.0.1 port=1194 mode=ip user="username" password="password" profile=default \
certificate=vpngate-client cipher=aes256 add-default-route=no
[edit]
client of a bridged server (tap)
/interface ovpn-client \
name="ovpn-out1" connect-to=189.64.0.1 port=1194 mode=ethernet user="username" password="password" profile=default \
certificate=vpngate-client cipher=aes256 add-default-route=no
[edit]
Linux
[edit]
client of a routed server (tun)
dev tun
proto tcp-client

remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address

ca keys/ca.crt
cert keys/client.crt
key keys/client.key

tls-client
port 1194

user nobody
group nogroup

#comp-lzo # Do not use compression. It doesn't work with RouterOS (at least up to RouterOS 3.0rc9)

# More reliable detection when a system loses its connection.
ping 15
ping-restart 45
ping-timer-rem
persist-tun
persist-key

# Silence the output of replay warnings, which are a common false
# alarm on WiFi networks. This option preserves the security of
# the replay protection code without the verbosity associated with
# warnings about duplicate packets.
mute-replay-warnings

# Verbosity level.
# 0 = quiet, 1 = mostly quiet, 3 = medium output, 9 = verbose
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
username
password
[edit]
client of a bridged server (tap)

Please replace dev tun with dev tap. Otherwise the configuration on the bridged client is exactly the same as the routed client.

[edit]
Windows
[edit]
client of a bridged server (tap)
proto tcp-client

remote openvpn.example.com 1194 # Remote OpenVPN Servername or IP address
dev tap

nobind
persist-key

tls-client
ca ca.crt # Root certificate in the same directory as this configuration file.

ping 10
verb 3

cipher AES-256-CBC
auth SHA1
pull

auth-user-pass auth.cfg

The file auth.cfg holds your username/password combination. On the first line must be the username and on the second line your password.
username
password

Alternatively, if you don't specify the filename the client will prompt for the details.
[edit]
Additional tweaks
[edit]
Disable encryption

If you just want to use OpenVPN for providing people with access to the internet through the WAN, encryption just adds overhead to the traffic. In this case it really isn't needed and would just affect the bandwidth available in the WAN.

Add this to your configuration:

cipher none

This should be done both on server and clients. It disables the encryption and leaves you with a plain, unencrypted ip tunnel.

For RouterOS the syntax is:
/interface ovpn-[client|server] set auth=sha1 cipher=none

VPN with Virtual Routing and Forwarding / Mikrotik and Cisco

2008-04-08T14:47:00.000+07:00

This example shows how to setup an VPN using Virtual Routing and Forwarding (VRF), Virtual Routing and Forwarding (VRF) is a technology used in computer networks that allows multiple instances of a routing table to co-exist within the same router at the same time. Because the routing instances are independent, the same or overlapping IP addresses can be used without conflicting with each other. In this example you can find setup between Mikrotik and Cisco routers. Below are the steps to complete the configuration.

First should configure a Tunnel Interface on Mikrotik Router1 and Router2

Router1:
/ interface ipip
add name="tunnel" local-address=218.100.100.29 remote-address=218.100.98.5 comment="" disabled=no

Router2:
/ interface ipip
add name="tunnel" local-address=218.100.100.30 remote-address=218.100.98.5 comment="" disabled=no

After all interfaces are configured, we should asign IP addresses for interfaces on Router1 and Router2

Router1:
add address=218.100.100.29/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=ether1 comment="" disabled=no
add address=172.16.1.1/30 network=172.16.1.0 broadcast=172.16.1.3 interface=tunnel comment="" disabled=no

Router2:
add address=218.100.100.30/27 network=218.100.100.0 broadcast=218.100.100.31 interface=uplink comment="" disabled=no
add address=192.168.2.1/24 network=192.168.2.0 broadcast=192.168.2.255 interface=ether1 comment="" disabled=no
add address=172.16.1.5/30 network=172.16.1.4 broadcast=172.16.1.7 interface=tunnel comment="" disabled=no

On Cisco router create VRF instance :
cisco#conf t
cisco(config)#ip vrf TEST
cisco(config-vrf)#rd 10:10
cisco(config-vrf)#end

Create interface on Router1 and add to vrf TEST:
cisco#conf t
cisco(config)#interface Tunnel 900
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router1
cisco(config-if)#tunnel destination
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.2 255.255.255.0
cisco(config-if)#end

Create Interface on Router2 and add to vrf TEST:
cisco#conf t
cisco(config)#interface Tunnel 901
cisco(config-if)#ip vrf forwarding TEST
cisco(config-if)#description Tunnel_to_Mikrotik_router2
cisco(config-if)#tunnel destination
cisco(config-if)#tunnel source Loopback1
cisco(config-if)#load-interval 30
cisco(config-if)#tunnel mode ipip
cisco(config-if)#tunnel path-mtu-discovery
cisco(config-if)#ip address 172.16.1.6 255.255.255.0
cisco(config-if)#end

Set up route and some rules on Mikrotik and Cisco

Router1:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes
in-interface=ether1 src-address=192.168.1.0/24 disabled=no
/ip route rule
add add routing-mark=tun action=lookup table=tun
/ip route
add dst-address=192.168.2.0/24 gateway=172.16.1.2 routing-mark=tun

Router2:
/ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark=tun passthrough=yes
in-interface=ether1 src-address=192.168.2.0/24 disabled=no
/ip route rule
add add routing-mark=tun action=lookup table=tun
/ip route
add dst-address=192.168.1.0/24 gateway=172.16.1.6 routing-mark=tun

Cisco Router:
cisco#conf t
cisco(config)#ip ro vrf TEST 192.168.1.0 255.255.255.0 Tunnel900
cisco(config)#ip ro vrf TEST 192.168.2.0 255.255.255.0 Tunnel901
cisco(config)#end

It can be done vpn directly from Router1 to Router2, but when you have a lot customers with a lot routers and many of them have same address space , this is a great and easy solution.

All adresses are for example only.

IPSec VPN with Dynamic Routing / Mikrotik and Cisco

2008-04-08T14:46:00.000+07:00

This example shows how to setup an IPSec VPN using dynamic routing protocol (RIP), it can be use also another protocol. In this exaple you can find setup between Mikrotik and Cisco routers, but it can be done also just between Mikrotik routers, but to be more colorfull I decided to use Mikrotik and Cisco. Below are the steps to complete the configuration of IPSec VPN with Dynamic Routing.

[edit]
Mikrotik RouterOS

If you are using ROS v3.0 or above, be sure to check the end of this list to see a list of necessary mod.

First should configure a Tunnel Interface:
/ interface ipip
add name="Tunnel1" mtu=1480 local-address=10.10.1.100 remote-address=10.10.1.200 comment="" disabled=no

After that all interfaces are configured, than should asign IP addresses for interfaces:
/ ip address
add address=10.10.1.100/24 network=10.10.1.0 broadcast=10.10.1.255 interface=WAN comment="" disabled=no
add address=192.168.1.1/24 network=192.168.1.0 broadcast=192.168.1.255 interface=LAN comment="" disabled=no
add address=172.16.0.1/30 network=172.16.0.0 broadcast=192.168.0.3 interface=Tunnel1 comment="" disabled=no

Enable Routing in Mikrotik Router, in this case RIP:
/ routing rip
set redistribute-static=no redistribute-connected=no redistribute-ospf=no redistribute-bgp=no metric-static=1 \
metric-connected=1 metric-ospf=1 metric-bgp=1 update-timer=30s timeout-timer=3m garbage-timer=2m
/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" prefix-list-in="" prefix-list-out=""
/ routing rip neighbor
add address=172.16.0.2
/ routing rip network
add address=192.168.1.0/24
add address=172.16.0.0/30

IPSec setup, here should be defined the ipsec policy, peer and proposal. Make sure that policy should not have enabled option tunnel, in this case tunel should be set to NO, because it will be used the transport mode of IPSec not the tunnel mode:
/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m lifebytes=0 pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no
/ ip ipsec policy
add src-address=10.10.1.100/32:any dst-address=10.10.1.200/32:any protocol=all action=encrypt level=require \
ipsec-protocols=esp tunnel=no sa-src-address=10.10.1.100 sa-dst-address=10.10.1.200 \
proposal=IPSec manual-sa=none dont-fragment=clear disabled=no

In V3.0 the bolded line will change on:
/ routing rip interface
add interface=Tunnel1 receive=v2 send=v2 authentication=none authentication-key="" in-prefix-list="" out-prefix-list=""
/ ip ipsec proposal
add name="IPSec" auth-algorithms=md5 enc-algorithms=3des lifetime=30m pfs-group=modp1024 disabled=no
/ ip ipsec peer
add address=10.10.1.200/32:500 secret="ipsec" generate-policy=no exchange-mode=main send-initial-contact=yes \
proposal-check=obey hash-algorithm=md5 enc-algorithm=3des dh-group=modp1024 lifetime=1d lifebytes=0 disabled=no

[edit]
Cisco IOS

Cisco Interfaces and addresses:
FastEthernet 0/0
description *** WAN ***
ip address 10.10.1.200 255.255.255.0
crypto map vpn
FastEthernet 0/1
description *** LAN ***
ip address 192.168.2.1 255.255.255.0

Cisco Tunnel Interface:
interface Tunnel1
description **Cisco Peer**
ip address 172.16.0.2 255.255.255.252
no ip redirects
no ip unreachables
no ip proxy-arp
ip mtu 1480
ip rip v2-broadcast
ip tcp adjust-mss 1400
load-interval 30
tunnel source 10.10.1.200
tunnel destination 10.10.1.100
tunnel mode ipip
hold-queue 1024 in
hold-queue 1024 out

Routing in Cisco:
router rip
version 2
timers basic 30 60 90 90
redistribute connected metric 1 route-map connected-to-rip
redistribute static metric 5 route-map static-to-rip
network 172.16.0.2
network 192.168.2.0
distribute-list prefix LAN out
no auto-summary

Setup the prefix-list to match the Local subnet:
ip prefix-list LAN seq 10 permit 192.168.2.0/24

Setup route-maps to match interfaces to be advertised by RIP:
route-map connected-to-rip permit 10
match interface FastEthernet0/0
!
route-map static-to-rip permit 10
match ip address prefix-list LAN

IPSec and Crypto setup in Cisco, also here trasnport mode of IPSec should be setup:
!
crypto isakmp policy 1
encr 3des
hash md5
authentication pre-share
group 2
!
crypto isakmp key ipsec address 0.0.0.0 0.0.0.0
!
crypto ipsec security-association idle-time 600
!
crypto ipsec transform-set vpn esp-3des esp-md5-hmac
mode transport
!
crypto map vpn 1 ipsec-isakmp
description **To Mikrotik Peer**
set peer 10.10.1.100
set transform-set vpn
set pfs group2
match address mikrotik_peer
!

Setup access-list to match the IPSec peer:
ip access-list extended mikrotik_peer
permit ipinip host 10.10.1.200 host 10.10.1.100

Type this in "enable" mode to view your routing table (after succesfull RIP update):
sh ip route

or
sh ip rip database

This example can be implemented also with another routing protocol like OSPF, and also very simply we can setup here a failover connection. Regarding the failover, the setup is very easy, all that we need is to create another set of tunnels via another ISP or gateway, but again the remote peer is the same router. Instead of the routing protocol for the second set of tunnels, it needs static routes to be configured, only that the static routes should have higher distance than the dynamic protocol. The idea is that, when the primary link will go down (dynamic routing distance=120) than the backup link becomes active (static routes distance=200), as soon as the primary link will come up, it will put the failover link in inactive mode.

PPTPClient

2008-04-08T14:45:00.002+07:00

PPtp Client / VPN

Now lets configure the remote client to connect to the above VPN
/interface pptp-client
add name="vpn-to-server" connect-to: 192.168.x.x user="user-1" password="********" allow=mschap1,mschap2
>print
Flags: X - disabled, R - running
0 X name="vpn-to-server" max-mtu=1460 max-mru=1460 connect-to=192.168.x.x
user="user-1" password="*******" profile=default-encryption
add-default-route=no allow=mschap1,mschap2
>enable 0

PPTPServer

2008-04-08T14:45:00.001+07:00

A minimalistic HowTo for using a MT Router OS as PPTP-Server, based on 2.9.x. Use it on your own risk.

I prefer bridge-groups as they are always up and one can add physical interfaces later. The arp=proxy-arp is important.

N.B. 8 Oct 2007: "set gre disabled=no" is not active on RouterOS 3.0rc5
/ interface ethernet
set ether1 name="ether1"

/ interface bridge
add name="lan" arp=proxy-arp

/ interface bridge port
add interface=ether1 bridge=lan

/ ip address
add address=192.168.0.1/24 interface=lan

/ ip dns
allow-remote-requests=yes

/ ip firewall service-port
set gre disabled=no
set pptp disabled=no

/ ip pool
add name="pptp" ranges=192.168.0.200-192.168.0.229

/ ppp profile
add name="pptp-in" local-address=192.168.0.1 remote-address=pptp use-encryption=required only-one=yes change-tcp-mss=yes dns-server=192.168.0.1

/ interface pptp-server server
set enabled=yes max-mtu=1460 max-mru=1460 authentication=chap,mschap1,mschap2 default-profile=pptp-in

/ ppp secret
add name="user-1" service=pptp password="******" profile=pptp-in
add name="user-2" service=pptp password="******" profile=pptp-in
# ...

Setting up an IPv6 tunnel via a tunnel broker

2008-04-08T14:41:00.000+07:00

First sign up for your tunnel at http://www.tunnelbroker.net or an equivalent service.

This will get you some information that looks like this:
Server IPv4 address: 216.66.80.26
Server IPv6 address: 2001:470:1111:11::1/64
Client IPv4 address: 222.222.222.222
Client IPv6 address: 2001:470:1111:11::2/64
Assigned /64: 2001:470:3333:33::/64

Setup the 6to4 interface

/interface 6to4 add mtu=1280 name=sixbone local-address=222.222.222.222

Add your client IPv6 address to the new interface

/ipv6 address add address=2001:470:1111:11::2/64 interface=sixbone

Add a default IPv6 route via your tunnel

/ipv6 route add dst-address=2000::/3 gateway=::216.66.80.26

You can now add your assigned IPv6 addresses as required.

Monitoring Network thru SMS Alerts

2008-04-08T14:39:00.000+07:00

Monitor Network thru SMS Alerts

Now it is possible to monitor your network using SMS alerts, while you are on move, you can have a close watch on your network via SMS on your mobile.

To enable this facility, we need to attach GSM Modem with MikroTik.

Configuration is as follows.

STEP-1
Connect GSM Modem on serial or USB port of MikroTik Router.

STEP-2
Configure Netwatch.
/tool netwatch add
host=192.168.1.1
interval=10s
timeout=150
up-script=”tool sms send serial0 "9909890908" message="Message "
down-script=/tool sms send serial0 "9909890908" message="Message"

Repeating the above steps you can configure your whole network, you need to change host, Interval, timeout & message value according to your requirements

Multi node management

2008-04-08T14:38:00.002+07:00

This article, a work in progress, describes how to remotely monitor and manage one or more groups of bridged routers from a central location. The configuration instructions for RouterOS are based on WinBox, and are not intended for copy/paste. Use them as guidelines.
Network Topology

At the network monitoring location, you want to use the Dude or WinBox to monitor and manage all of the remote routers.

Each remote bridged network looks like this:
A cable modem or DSL modem, referred to in this article as The Modem, at a remote location
A router, referred to in this article as the Gateway Router, connected to the Modem using a public IP address
A bunch of routers wirelessly connected to the Gateway Router via WDS
All of the routers having addresses on the same private subnet
The Gateway Router is using NAT to masquerade the private subnet

You might also have these complications:
The Gateway Router might be running a Hotspot
There might be a non-MikroTik firewall or router between the Modem and Gateway Router
There might be several remote subnets
[edit]
Basic Solution - single remote subnet

The following 2 procedures will setup a PPTP server on the gateway router and a PPTP client on the network management PC.

When you activate the connection to the gateway router from your PC, the Dude or WinBox will appear to be on the private side of the gateway router, on the bridged subnet, and WinBox and/or the Dude will be able to connect directly to any router or all of them at once. Port forwarding is not needed.
[edit]
On the Gateway Router:
ppp->pptp server->enabled (check all authentication boxes)
ppp->secrets->add
name =
password =
service = pptp
local address =
remote address =
[edit]
On the Windows PC where WinBox or the Dude is run:

The following prodedure is for Windows XP SP2.
Start->Control Panel->Network Connections->Create a new connection
Connect to the network at my workplace Next>
Virtual Private Network Connection Next>
Select a name to call this VPN Next>
Do not dial the initial connection Next>
Enter the IP address of the PUBLIC side of the Gateway Router

[edit]
Solution with Hotspot on Gateway Router

Since the other routers are behind the hotspot, they will not be able to communicate with the VPN tunnel in the Gateway Router, even though they are all on the same subnet. To permit access through the hotspot to each of the other routers, create an IP Binding entry as shown below for each router that is behind the hotspot. The IP addresses assigned to the routers can be outside the hotspot address pool if you prefer.
For each router, whose private ip address is of the form 192.168.x.y:
ip->hotspot->IP Bindings->Add
Address: 192.168.x.y
To Address: 192.168.x.y
Type: bypassed
[edit]
Solution with Firewall/Router between Modem and Gateway Router

Assume the gateway router has IP address 192.168.a.b as viewed by the firewall/router. On the firewall/router between the Modem and the Gateway Router, do the following:
Forward port 1723 (PPTP) to IP address 192.168.a.b
Forward protocol 47 (GRE) to IP address 192.168.a.b

Note that some routers cannot forward protocols, only ports. In this case, you will NOT be able to create a VPN tunnel to the gateway router. Also, some routers can forward protocol 47, but the mechanism to do so is undocumented. There are also routers that will forward protocol 47 automatically when you forward port 1723. Consult the documentation for your router, and if you don't find any mention of PPTP or port 1723, try finding a user forum where this subject is discussed.
[edit]
Solution with multiple remote subnets

Create a separate VPN tunnel to each bridged network

SNMP MRTG

2008-04-08T14:38:00.001+07:00

1. Introduction

In this text is described how to configure Mikrotik RouterOS and mrtg (FreeBSD). You must be root on nix mashine and ports collection is installed. Web server must be configured and running on BSD mashine. In this example Web server is Apache server. All information about mrtg and apache can be found at homepages: http://www.mrtg.org http://www.apache.org

[edit]
2. RouterOS SNMP Configuration
/ snmp
set enabled=yes contact="your@mail.com" location="SomeCountry"
/ snmp community
set public name="public" address=192.168.0.5/32 read-access=yes

Ip address 192.168.0.5 is address of BSD mashine where mrtg will be installed.
[edit]
2. MRTG Installation and Configuration

Now we install and configure mrtg on BSD mashine.
cd /usr/ports/net-mgmt/
make
make install
Now we need to create configuration file for mrtg. It can be done automatically by cfgmaker program.192.168.0.1 is ip of RouterOS.
cfgmaker public@192.168.0.1 --output=/usr/local/etc/mrtg.cfg

Change WorkDir value in created mrtg file with text editor. WorkDir value specifies where html files will be created.
It must be same as DocumentRoot value in apache configuration.

For example:

### Global Config Options

# for UNIX
WorkDir: /usr/local/www/data/

### Global Defaults

# to get bits instead of bytes and graphs growing to the right
Options[_]: growright, bits

EnableIPv6: no

######################################################################
# System: Mikrotik
# Description: router
# Contact: your@mail.com
# Location: SomeCountry
######################################################################

Execute mrtg with your config to create html files.
mrtg /usr/local/etc/mrtg.cfg
Now in directory /usr/local/www/data are html files for every interface in MT.
Add this string to crontab to update graphs automatically every 5 minutes
*/5 * * * * root mrtg /usr/local/etc/mrtg.cfg
Now we can create 1 html file with graphs for all interfaces
indexmaker /usr/local/etc/mrtg.cfg --output=/usr/local/www/data/index.html

Here is a sample configuration to monitor the power on a RB333 router using MRTG and SNMP
plotting the results with the correct scale and values:

This should be entered into an existing mrtg.conf file replacing IP_Address with your IP address and MT with your community string

### Input Voltage

Target[IP_Address-voltage]:.1.3.6.1.4.1.14988.1.1.3.8.0&.1.3.6.1.4.1.14988.1.1.3.8.0:MT@IP_Address
AbsMax[IP_Address-voltage]: 200
MaxBytes[IP_Address-voltage]: 200
Title[IP_Address-voltage]: Input Voltage for a monitored -333
PageTop[IP_Address-voltage]:

Input Voltage RB333 being monitored

System:	RB333 being monitored
Maintainer:	managee
Description:	Voltage for Monitored 333

Options[IP_Address-voltage]: gauge,growright,nopercent, noo, expscale
YLegend[IP_Address-voltage]: Volts
YTicsFactor[IP_Address-voltage]: 0.1
Factor[IP_Address-voltage]: 0.1
ShortLegend[IP_Address-voltage]: V
LegendI[IP_Address-voltage]: Input Voltage
[[Category: Monitoring]]

SNMP PHP

2008-04-08T14:36:00.002+07:00

This small example is a PHP script, that uses SNMP to read signal strength values from wireless registration table and publish on web page. This example can be quickly transformed to read other values available for SNMP. To use scripts you need Mikrotik RouterOS, tested for version 2.9.xx (not yet for 3.0), PHP version 4 or 5, Web server (Apache, IIS). Configure Apache, and PHP only thing that needs attention is enabled snmp extension for PHP. In Windows in php.ini section Windows Extensions uncomment line
extension=php_snmp.dll .

Enable snmp on Mikrotik, and if needed, unblock UDP port 161. Copy scripts to WEB folder. Open index.php find line
$ip="hostname"; //Change IP to your host names, address
$mask_mac=false; //Use to mask MAC adress (true / false );

Replace hostname with IP address of Mikrotik, if you don’t want to see complete MAC address change false to true and now open the page in browser. You now see MAC address and signal strength. Page is auto refreshed every 10 seconds and reads values from SNMP.

The PHP code, to be saved as a .php file:

// Date in the past
header("Expires: Mon, 26 Jul 1997 05:00:00 GMT");

// always modified
header("Last-Modified: " . gmdate("D, d M Y H:i:s") . " GMT");

// HTTP/1.1
header("Cache-Control: no-store, no-cache, must-revalidate");
header("Cache-Control: post-check=0, pre-check=0", false);

// HTTP/1.0
header("Pragma: no-cache");
?>

$ip="hostname or IP"; //Change IP to your host names, address
$mask_mac=false; //Use to mask MAC adress (true / false );

$tx_bytes_snmp = snmpwalkoid("$ip", "public", ".1.3.6.1.4.1.14988.1.1.1.2.1.3");

if (is_array($tx_bytes_snmp�

while (list($indexOID,$rssi)= each($tx_bytes_snmp�
{
$oidarray=explode(".",$indexOID);
$end_num=count($oidarray);
$mac="";

for ($counter=2;$counter<8;$counter++)
{
$temp=dechex($oidarray[$end_num-$counter]);
if ($oidarray[$end_num-$counter]<16)
$temp="0".$temp;

if �counter <5) and $mask_mac)
$mac=":"."xx".$mac;
else
if ($counter==7)
$mac=$temp.$mac;
else
$mac=":".$temp.$mac;
}

$mac_oiu = substr(str_replace(":","-",$mac),0,8);
$mac=strtoupper($mac);
?>

}
else
{
?>

}
?>

Mikrotik signal list
MAC	Signal strenght(dBm)

Please check SNMP settings and IP address

NTH in RouterOS 3.x

2008-04-08T14:36:00.001+07:00

In v3.0 it is a little different implementation of NTH. It has only two parameters 'every' and 'packet'.
[edit]
How it works in v3.0

Every rule has its own counter. When rule receives packet counter for current rule is increased by one. If counter matches value of 'every' packet will be matched and counter will be set to zero.

If passthrough is not set then packets will be marked as follows:
first rule nth=2,1 rule will match every first packet of 2, hence, 50% of all the traffic that is matched by the rules
second rule if passthrough=no will match ONLY 25% of traffic because in 3.0 you need only one rule to catch traffic not like 2.9
[edit]
Example

Now it is possible to match 50% of all traffic only with one rule:
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=2,1;

If more than one rule is needed, then there are two ways to match packets:
first rule sees all packets and matches 1/3 of all, second rule sees 2/3 of packets and matches 1/2, third rule sees and matches all packets that passed through first two rules ( 1/3 of all packets ).
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=2,1 passthrough=no;
add action=mark-packet chain=prerouting new-packet-mark=CCC ;
all rules can see all packets and each rule matches every 3-rd packet.
/ip firewall mangle
add action=mark-packet chain=prerouting new-packet-mark=AAA nth=3,1 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=BBB nth=3,2 passthrough=yes;
add action=mark-packet chain=prerouting new-packet-mark=CCC nth=3,3 passthrough=yes;

Calea

2008-04-08T14:35:00.000+07:00

Communications Assistance for Law Enforcement Act requires the routers in USA to have ability to intercept and log network traffic. RouterOS now provides this facility by means of firewall rules. RouterOS can also function as a data retention server if the additional calea package is installed.
CALEA features included in RouterOS

Multiple subject/multiple destination packet interception and streaming in following formats:
Call Content Connection (CCC) Interface according to PKT-SP-ES-DCI-I01-060914 (PacketCable 2.0 PacketCable Electronic Surveillance Delivery Function to Collection Function Interface Specification)
Call Content Connection (CCC) Interface according to ANSI/SCTE 24-13 2006 (IPCalblecom Electronic Surveillance Standard) that is approved method for Communication Content delivery to LEA according to ATIS-1000013.2007 (Lawfully Authorized Electronic Surveillance For Internet Access and Services)
TZSP format - for reception with 'Ethereal', tcpdump, trafr (sniffer stream reader for linux) - http://www.mikrotik.com/download.html
CALEA-server package
accepts multiple CCC streams (identified by destination port/source address/case id)
stores communication content according to "IP Network Access Intercept Requirements and Method"(FBI-WISPA draft) specified "full content" intercept requirements (without out-of-band events)
stores communication content of multiple subjects/cases
stores communication content in libpcap format
new libpcap file based on different conditions (interval/size/packet count)
generates hash for each pcap file (md5/sha1/sha256)
Calea user

Calea provided options are available only for specific RouterOS user, as Calea server configuration as "tap" configuration. Specific user should have 'sniff' policy enabled at RouterOS user configuration,
/ user group set 0 policy=sniff

sniff policy is enabled by default for "full" and "write" user groups.
Intercepting Packet Flow

The IP Firewall and Interface Bridge now have one additional section,
firewall section to intercept packets that are going trough firewall
/ ip firewall calea
bridge section to intercept packets that are going trough bridge
/ interface bridge calea

Firewall and Bridge Calea menus contain same actions and matchers as "ip firewall filter" and "interface bridge filter", new avalailble actions:
sniff - generates a tzsp stream that can be directed to any Wireshark (Ethereal) server
sniff-pc - generates a Packet Cable stream that can be directed to a MikroTik RouterOS system with the calea package installed

By selecting either action, the following options will be available:
sniff-id (Packet Cable protocol only) - packet stream case ID, that can be used to differentiate between separate traffic sets (e.g., between different users; or between client traffic and server traffic)
sniff-target - IP address of the data retention server
sniff-target-port - UDP port that the data retention server is listening on
Data Retention Server

The calea package provides an additional tool menu - /tool calea, that allows to save certain incoming data streams to a file. The server will create separate files for each packet stream (one data file and one hash file, if configured). The files will not grow indefinitely, but rather util a certain limit, after which a new set of files will be created for that stream. The limit is specified in size and extent of time, whichever is reached first.

Add a rule with the following properties:
case-id - case ID set by the intercepting router
case-name - case name is set on server to specify the folder, where intercepted data is stored
intercept-ip - IP address of the intercepting router (IP address to receive the stream from)
intercept-port - UDP port to listen on (port to receive the stream on)
action - storage format (only pcap for now)
pcap-file-stop-interval - maximal interval between creating new fileset, if size limit is not reached earlier
pcap-file-stop-size - maximal filesize, in KiB
pcap-file-stop-count - maximal packet count
pcap-file-hash-method - hashing algorithm (md5, sha1 or sha256) for the data file (saved once the data file is completed and closed); no file is created if set to none
Calea Server/Client Configuration Example

Let's assume the particular network configuration, we need to intercept data from 192.168.0.10 Wireless Client and send it to the Calea Server located on Local Network:
Client Configuration for the Intercept

Wireless Client is connected to Access Point, data interception has to be performed on Access Point for the particular network design.
We have requirement to capture all data from the user Wireless Client with IP address of 192.168.0.10 We have to add two rules to make the interception,
/ ip firewall calea add action=sniff-pc chain=forward sniff-id=100 sniff-target=10.9.1.250 sniff-target-port=5555 \
src-address=192.168.0.10
/ ip firewall calea add action=sniff-pc chain=forward sniff-id=100 sniff-target=10.9.1.250 sniff-target-port=5555 \
dst-address=192.168.0.10

All traffic going trough the router for specified src/dst addresses is intercepted and sent to Calea Server (sniff-target) with sniff-id=100
Calea package is not required for intercepting host.
Calea Server Configuration
Calea package is required for server.
One rule is required to accept the data from the Access Point to receive all intercepted traffic from the Access Point,
/ tool calea add action=pcap intercept-port=5555 case-id=100 intercept-ip=192.168.0.254

Intercept-port and case-id should be equal on server and client side, intercept-ip is IP address of the intercepting router (Access Point).
Calea server received information is available under 'file' menu.

L7

2008-04-08T14:33:00.002+07:00

layer7-protocol is a method of looking for patterns in connections.

First, add Regexp strings to the protocols menu, to define strings you will be looking for.
/ip firewall layer7-protocol add=

Then, use the defined protocols in firewall:
/ip firewall filter add layer7-protocol=

RouterOS will look for these strings in all connections passing the firewall rule where you use this. As this is resource intensive, make sure to filter out all good traffic before it hits this rule.

You can download a script with a list of common programs here (only for RouterOS v3 RC6). Pattern libraries can be found on the layer7 project page and on the protocol wiki.

How to Block Websites & Stop Downloading Using Proxy

2008-04-08T14:33:00.001+07:00

This example will explain you “How to Block Web Sites” & “How to Stop Downloading”. I have use Web-Proxy test Package.

First, Configure Proxy.
/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0:0
cache-drive: system
cache-administrator: "webmaster"
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d

Now, Make it Transparent
/ip firewall nat
chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080

Make sure that your proxy is NOT a Open Proxy
/ip firewall filter
chain=input in-interface= src-address=0.0.0.0/0 protocol=tcp dst-port=8080 action=drop

Now for Blocking Websites
/ip proxy access
dst-host=www.vansol27.com action=deny

It will block website http://www.vansol27.com, We can always block the same for different networks by giving src-address. It will block for particular source address.

We can also stop downloading files like.mp3, .exe, .dat, .avi,…etc.
/ip proxy access
path=*.exe action=deny
path=*.mp3 action=deny
path=*.zip action=deny
path=*.rar action=deny.

Try with this also
/ip proxy access
dst-host=:mail action=deny

This will block all the websites contain word “mail” in url.

Example: It will block www.hotmail.com, mail.yahoo.com, www.rediffmail.com

ENJOY BLOCKING…….

Bruteforce login prevention (FTP & SSH)

2008-04-08T14:32:00.000+07:00

These are 2 basic scripts I use frequently that are from the forum (written by other users)

allows only 10 FTP login incorrect answers per minute

in /ip firewall filter
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop \
comment="drop ftp brute forcers"

add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m

add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" \
address-list=ftp_blacklist address-list-timeout=3h

This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts. Change the timeouts as necessary.

in /ip firewall filter
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute forcers" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=10d comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 \
action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list \
address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no

If you want to block downstream access as well, you need to block the with the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop \
comment="drop ssh brute downstream" disabled=no

How to autodetect infected or spammer users and temporary block the SMTP output

2008-04-08T14:30:00.000+07:00

Here can see in the solution which i invented and work excellent to autodetect and block SMTP viruses or spammers!

Only create these 2 rules in firewall forward:
/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=spammer
action=drop comment="BLOCK SPAMMERS OR INFECTED USERS"

add chain=forward protocol=tcp dst-port=25 connection-limit=30,32 limit=50,5 action=add-src-to-address-list
address-list=spammer address-list-timeout=1d comment="Detect and add-list SMTP virus or spammers"

When an infected user is autodetected with a virus worm or doing spam, the user is added to a spammer list and block the STMP outgoing by 1 day, all the values can be adjusted for different networks types or at your convenience
Logging detected users

Next, to display a red Log each 30 minutes listing the detected infected or spammers users using hotspot, add the next script:
/system script
add name="spammers" source=":log error \"----------Users detected like \
SPAMMERS -------------\";
\n:foreach i in \[/ip firewall address-list find \
list=spammer\] do={:set usser \[/ip firewall address-list get \$i \
address\];
\n:foreach j in=\[/ip hotspot active find address=\$usser\] \
do={:set ip \[/ip hotspot active get \$j user\];
\n:log error \$ip;
\n:log \error \$usser} };" policy=ftp,read,write,policy,test,winbox

Forwarding a port to an internal IP

2008-04-08T14:29:00.000+07:00

This will go on a 2.9.x mikrotik where you want to forward a port (tcp 5900) to an internal IP. 69.69.69.69 is the example wan IP, 192.168.1.101 is the desired internal destination.
/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \action=dst-nat to-addresses=192.168.1.101 to-ports=5900

Dmitry on firewalling

2008-04-08T14:27:00.002+07:00

MUM 2006 presentation on firewalling

Presentation in PDF format
[edit]
Components of the filter
protocol classifier
invalid packet filter
port-scan detector
policy classifier
application protocol filter
TCP-specific filters
application protocol specific filters
[edit]
Introduction

There are two interfaces on our router: Local (for connecting internal network) and Public (connected to the Internet)
[edit]
Protocol classifier
/ ip firewall mangle
add chain=prerouting protocol=tcp connection-state=new action=jump jump-target=tcp-services
add chain=prerouting protocol=udp connection-state=new action=jump jump-target=udp-services
add chain=prerouting connection-state=new action=jump jump-target=other-services
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=20-21 action=mark-connection new-connection-mark=ftp passthrough=no
add chain=tcp-services protocol=tcp src-port=513-65535 dst-port=22 action=mark-connection new-connection-mark=ssh passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=23 action=mark-connection new-connection-mark=telnet passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=25 action=mark-connection new-connection-mark=smtp passthrough=no
add chain=tcp-services protocol=tcp src-port=53 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=80 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=110 action=mark-connection new-connection-mark=pop3 passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=113 action=mark-connection new-connection-mark=auth passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=119 action=mark-connection new-connection-mark=nntp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=143 action=mark-connection new-connection-mark=imap passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=161-162 action=mark-connection new-connection-mark=snmp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=443 action=mark-connection new-connection-mark=https passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=465 action=mark-connection new-connection-mark=smtps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=993 action=mark-connection new-connection-mark=imaps passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=995 action=mark-connection new-connection-mark=pop3s passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=1723 action=mark-connection new-connection-mark=pptp passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=2379 action=mark-connection new-connection-mark=kgs passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3128 action=mark-connection new-connection-mark=proxy passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=3389 action=mark-connection new-connection-mark=win-ts passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=4242-4243 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=4661-4662 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=tcp-services protocol=tcp src-port=4711 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=5900-5901 action=mark-connection new-connection-mark=vnc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6667-6669 action=mark-connection new-connection-mark=irc passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=6881-6889 action=mark-connection new-connection-mark=bittorrent passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8080 action=mark-connection new-connection-mark=http passthrough=no
add chain=tcp-services protocol=tcp src-port=1024-65535 dst-port=8291 action=mark-connection new-connection-mark=winbox passthrough=no
add chain=tcp-services protocol=tcp action=mark-connection new-connection-mark=other-tcp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=53 action=mark-connection new-connection-mark=dns passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=123 action=mark-connection new-connection-mark=ntp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=1701 action=mark-connection new-connection-mark=l2tp passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4665 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=4672 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=4672 dst-port=1024-65535 action=mark-connection new-connection-mark=emule passthrough=no
add chain=udp-services protocol=udp src-port=1024-65535 dst-port=12053 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=12053 dst-port=1024-65535 action=mark-connection new-connection-mark=overnet passthrough=no
add chain=udp-services protocol=udp src-port=36725 dst-port=1024-65535 action=mark-connection new-connection-mark=skype passthrough=no
add chain=udp-services protocol=udp connection-state=new action=mark-connection new-connection-mark=other-udp passthrough=no
add chain=other-services protocol=icmp icmp-options=8:0-255 action=mark-connection new-connection-mark=ping passthrough=no
add chain=other-services protocol=gre action=mark-connection new-connection-mark=gre passthrough=no
add chain=other-services action=mark-connection new-connection-mark=other passthrough=no

Note that for TCP and UDP, we check both, source port (usually, 1024-65535) and destination port. Everything else is not a valid protocol.
[edit]
Sanity-check

Most generic invalid packet and port-scan detection techniques

Place this before all other rules in mangle:
/ip firewall mangle
add chain=prerouting in-interface=Public dst-address-list=nat-addr action=mark-packet new-packet-mark=nat-traversal passthrough=no

Note that just like in the line above, some filter rules rely on address lists. here is a simple list, which you should extend further:
/ ip firewall address-list
add list=illegal-addr address=0.0.0.0/8 comment="illegal addresses"
add list=illegal-addr address=127.0.0.0/8
add list=illegal-addr address=224.0.0.0/3
add list=illegal-addr address=10.0.0.0/8
add list=illegal-addr address=172.16.0.0/12
add list=illegal-addr address=192.168.0.0/16
add list=local-addr address=172.31.255.0/29 comment="my local network"
add list=nat-addr address=172.31.255.0/29 comment="my local network"

So, there are three address lists:
illegal-addr - the list, which could be extended to some few tens of addresses at least to include the bogon IPs, which are not registered with IANA and some more, this short list given in examples is just a short sample;
local-addr - the list to include all addresses located in your network, behind this firewall
nat-addr - should contain all the IP addresses you are source-natting on your router

In this example we exclude traffic between the local clients connected to different ports of the Local interface (which is a bridge between ethernet and wireless networks):
/ ip firewall filter
add chain=forward in-interface=Local out-interface=Local action=accept comment="Allow traffic between wired and wireless networks"

Then we are filtering everything else to the drop chain of the firewall. The separate chain is created to keep all logging and accounting in one place.
/ ip firewall filter
add chain=forward action=jump jump-target=sanity-check comment="Sanity Check"
add chain=sanity-check packet-mark=nat-traversal action=jump jump-target=drop comment="Deny illegal NAT traversal"
add chain=sanity-check protocol=tcp psd=20,3s,3,1 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block port scans"
add chain=sanity-check protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Null scan"
add chain=sanity-check protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="Block TCP Xmas scan"
add chain=sanity-check protocol=tcp src-address-list=blocked-addr action=jump jump-target=drop
add chain=sanity-check protocol=tcp tcp-flags=rst action=jump jump-target=drop comment="Drop TCP RST"
add chain=sanity-check protocol=tcp tcp-flags=fin,syn action=jump jump-target=drop comment="Drop TCP SYN+FIN"
add chain=sanity-check connection-state=invalid action=jump jump-target=drop comment="Dropping invalid connections at once"
add chain=sanity-check connection-state=established action=accept comment="Accepting already established connections"
add chain=sanity-check connection-state=related action=accept comment="Also accepting related connections"
add chain=sanity-check dst-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes to multicast or broadcast addresses"
add chain=sanity-check in-interface=Local dst-address-list=illegal-addr dst-address-type=!local action=jump jump-target=drop comment="Drop illegal destination addresses"
add chain=sanity-check in-interface=Local src-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from local interface but not from local address"
add chain=sanity-check in-interface=Public src-address-list=illegal-addr action=jump jump-target=drop comment="Drop illegal source addresses"
add chain=sanity-check in-interface=Public dst-address-list=!local-addr action=jump jump-target=drop comment="Drop everything that goes from public interface but not to local address"
add chain=sanity-check src-address-type=broadcast,multicast action=jump jump-target=drop comment="Drop all traffic that goes from multicast or broadcast addresses"
[edit]
Application-specific filters
/ ip firewall filter
add chain=forward protocol=tcp action=jump jump-target=restrict-tcp
add chain=forward protocol=udp action=jump jump-target=restrict-udp
add chain=forward action=jump jump-target=restrict-ip
add chain=restrict-tcp connection-mark=auth action=reject
add chain=restrict-tcp connection-mark=smtp action=jump jump-target=smtp-first-drop comment="anti-spam policy"
add chain=smtp-first-drop src-address-list=first-smtp action=add-src-to-address-list address-list=approved-smtp
add chain=smtp-first-drop src-address-list=approved-smtp action=return
add chain=smtp-first-drop action=add-src-to-address-list address-list=first-smtp
add chain=smtp-first-drop action=reject reject-with=icmp-network-unreachable
[edit]
Restricting services
/ ip firewall filter
add chain=restrict-tcp connection-mark=other-tcp action=jump jump-target=drop
add chain=restrict-udp connection-mark=other-udp action=jump jump-target=drop
add chain=restrict-ip connection-mark=other action=jump jump-target=drop
[edit]
Protecting the router
/ ip firewall filter
add chain=input src-address-type=local dst-address-type=local action=accept comment="Allow local traffic $between router applications$"
add chain=input in-interface=Local protocol=udp src-port=68 dst-port=67 action=jump jump-target=dhcp comment="DHCP protocol would not pass sanity checking, so enabling it explicitly before other checks"
add chain=input action=jump jump-target=sanity-check comment="Sanity Check"
add chain=input dst-address-type=!local action=jump jump-target=drop comment="Dropping packets not destined to the router itself, including all broadcast traffic"
add chain=input connection-mark=ping limit=5,5 action=accept comment="Allow pings, but at a very limited rate $5 per sec$"
add chain=input in-interface=Local action=jump jump-target=local-services comment="Allowing some services to be accessible from the local network"
add chain=input in-interface=Public action=jump jump-target=public-services comment="Allowing some services to be accessible from the Internet"
add chain=input action=jump jump-target=drop
add chain=dhcp src-address=0.0.0.0 dst-address=255.255.255.255 action=accept
add chain=dhcp src-address=0.0.0.0 dst-address-type=local action=accept
add chain=dhcp src-address-list=local-addr dst-address-type=local action=accept
add chain=local-services connection-mark=ssh action=accept comment="SSH $22/TCP$"
add chain=local-services connection-mark=dns action=accept comment="DNS"
add chain=local-services connection-mark=proxy action=accept comment="HTTP Proxy $3128/TCP$"
add chain=local-services connection-mark=winbox comment="Winbox $8291/TCP$" disabled=no
add chain=local-services action=drop comment="Drop Other Local Services"
add chain=public-services connection-mark=ssh action=accept comment="SSH $22/TCP$"
add chain=public-services connection-mark=pptp action=accept comment="PPTP $1723/TCP$"
add chain=public-services connection-mark=gre action=accept comment="GRE for PPTP"
add chain=public-services action=drop comment="Drop Other Public Services"
The "accept ping" rule needs to come before the "public" and "local" jump rules otherwise that rules will never be executed and ICMP will continue to be dropped.
[edit]
Proxying everything
/ ip firewall nat
add chain=dstnat in-interface=Local connection-mark=dns action=redirect comment="proxy for DNS requests"
add chain=dstnat in-interface=Local connection-mark=http protocol=tcp action=redirect to-ports=3128 comment="proxy for HTTP requests"
add chain=dstnat in-interface=Local connection-mark=ntp action=redirect comment="proxy for NTP requests"
[edit]
Enable Proxy servers
/ system ntp server
set enabled=yes broadcast=no multicast=no manycast=no
/ system ntp client
set enabled=yes mode=unicast primary-ntp=xxx.xxx.xxx.xxx secondary-ntp=0.0.0.0
/ ip proxy
set enabled=yes port=3128 parent-proxy=0.0.0.0:1 maximal-client-connections=1000 maximal-server-connections=1000
/ ip dns
set primary-dns=yyy.yyy.yyy.yyy secondary-dns=0.0.0.0 allow-remote-requests=yes cache-size=2048KiB cache-max-ttl=1w

Please change:
xxx.xxx.xxx.xxx to the NTP server you choose
yyy.yyy.yyy.yyy to your ISP's DNS server ip

How to Block Customer

2008-04-08T14:27:00.001+07:00

How to Block a Customer and Tell him to Pay the Bill

Sometimes you may need to cut off a customer and tell him to pay his bill. It's best done by redirecting his http requests to a page with information telling to pay in order to get reconnected. You can do it with a simple destination NAT rule that captures all http requests from a specific address and sends them to a server with webpage telling to pay the bill. However, it's quite easy to make this using the HotSpot feature of RouterOS. Please note that this don't work with PPPoE connections.

To make this setup, you should have Hotspot package enabled on the RouterOS. This example will cover how to block customer's computer. When he tries to open a webpage he would be redirected to the hotspot page which will contain info that he hasn't paid the bill for the Internet access. Your router should have already been configured and working (customer should have access to the Internet), you should have the DNS server specified in the router.

First you should edit the Hotspot login.html page with the text that contains information that will be shown to the customers who haven't paid their bills. It could be something like this: "Service not available, please pay the bill and contact us by phone to get reconnected

Next, add an ip-binding rule that will allow all customers to bypass the hotspot page. It is done using such a command:
/ip hotspot ip-binding add type=bypassed address=0.0.0.0/0 \
comment="bypass the hotspot for all the paying customers"

After that add the Hotspot server on the interface where your clients are connected. It can be done using such command:
/ip hotspot add interface=local disabled=no

Now you can add ip-binding rules for the customers that haven't paid their bill. You can match them by IP address or MAC address. Here is an example using MAC address:
/ip hotspot ip-binding add mac-address=00:0C:42:00:00:90 type=regular comment "Non paying client 1"

Now we have such configuration:
[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P ;;; bypass the hotspot for all the paying customers
0.0.0.0/0
1 ;;; Non paying client 1
00:0C:42:00:00:90

There is one more step to make it work, you should change the order of these rules, the first rule should be above the bypass rule so it could be processed. You can move it using move command:
[admin@MikroTik] ip hotspot ip-binding> move 1 0

Now the ip-binding configuration should look like this:
[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 ;;; Non paying client 1
00:0C:42:00:00:90
1 P ;;; bypass the hotspot for all the paying customers
0.0.0.0/0

If the customers can pay their bill using internet you can modify the login.html by adding some links to clients bank web-page where they can pay their bill. After you add these links in the login page you should also add them in the hotspot configuration so the blocked customer could access that page. This can be done in the 'ip hotspot walled-garden ip' menu. Here is an example:
/ip hotspot walled-garden ip add dst-host=www.paypal.com

Redirect mail traffic to a specified server

2008-04-08T14:26:00.000+07:00

This is if you want to redirect all traffic through your router to your own specified mail server. This is usefull if you have many clients from different locations connecting to your network at different times. (Note that if you are using Hotspot you can do this in the Hotspot settings instead)
ip firewall nat add chain=dstnat protocol=tcp dst-port=25 action=dst-nat to-addresses=10.0.0.1 to-ports=25

This will redirect all smtp (port 25) traffic out the router to ip address 10.0.0.1

Drop port scanners

2008-04-08T14:25:00.000+07:00

To protect the Router from port scanners, we can record the IPs of hackers who try to scan your box. Using this address list we can drop connection from those IP

in /ip firewall filter
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="Port scanners to list " disabled=no

Various combinations of TCP flags can also indicate port scanner activity.
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
action=add-src-to-address-list address-list="port scanners"
address-list-timeout=2w comment="NMAP NULL scan"

Then you can drop those IPs:
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

Similarly, you can drop these port scanners in the forward chain, but using the above rules with "chain=forward".

How to secure a network using ARP

2008-04-08T14:12:00.001+07:00

Although hosts in IP network are addressed using IP addresses, hardware addresses must be used to actually transport data from one host to another at Layer-2 (EG: Ethernet). Address Resolution Protocol (ARP) provides a mapping between the two different forms of addresses. A router has an ARP table that contains ARP entries. ARP entries consist of IP addresses and corresponding hardware addresses (such as a MAC address). Normally ARP provides a dynamic mapping from an IP address to corresponding hardware address by adding ARP entries automatically as they are discovered, but to increase network security static ARP entries can be created manually. By allowing a router to reply only to those static ARP entries found in the ARP table we restrict access to the router and to the network behind the router to only those IP/Hardware address combinations found in the ARP table. To make a router use only static ARP entries follow the steps listed below:

1. Add ARP entries of hosts you want to accept in WinBox
or in Console
[admin@RB230] ip arp> add address=10.10.10.10 interface=ether2 mac-address=06 \
\... 00:21:00:56:00:12

2. Make ether2 interface only reply to ARP requests using your specified ARP entries in WinBox

or in Console
[admin@RB230] > interface ethernet set ether2 arp=reply-only

Protecting your customers

2008-04-08T14:11:00.000+07:00

To protect the customer's network, we should check all traffic which goes through router and block unwanted. For icmp, tcp, udp traffic we will create chains, where all unwanted packets will be dropped. For the beginning, we can copy and paste the following commands into RouterOS terminal console:
/ip firewall filter
add chain=forward connection-state=established comment="allow established connections"
add chain=forward connection-state=related comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

Here, the first two rules deal with packets of already opened or related connections. We assume that those are okay. We do not like invalid connection packets, therefore they are dropped.
Next, we should filter out and drop all unwanted packets that look like coming from virus infected hosts. Instead of adding those rules to the forward chain, we create a new chain for all unwanted netbios and similar traffic. We can give the chain a descriptive name, say, "virus" when adding the following rules to the ip firewall filter (you can copy and paste these rules into the terminal window, if you are in the /ip firewall filter menu):
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

Here, we list all those well known "bad" protocols and ports, used by various trojans and viruses when they take over your computer. This list is incomplete; we should add more rules to it! We can jump to this list from the forward chain by using a rule with action=jump:
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

The forward chain looks now as follows:
If the packet does not match any of the rules in the virus chain, the processing is returned back to the forward chain.

At this point we are left with various options, and you should explore this more thoroughly by reading the manual.

For the purposes of this example we want to block all traffic except that which we explicitly allow to pass through. For example we wish to allow HTTP Traffic and SMTP Traffic as well as some TCP and UDP packets and ICMP (Ping).

We can now simply add rules allowing the traffic that we want and then drop everything else (this is the part where we block all traffic):
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

NOTE THAT THE LAST RULE WILL BLOCK OR DROP ALL TRAFFIC THAT IS NOT EXPLICITLY ALLOWED THROUGH BY PREVIOUS RULES!

Securing your router

2008-04-08T14:03:00.000+07:00

To protect your MikroTik RouterOS™, you should do following things:
Change admin's password

Just select the Password menu within the winbox GUI, for example:
Or, type the following command in the CLI:
[admin@MikroTik] > / password
old password:
new password: ******
retype new password: ******

This will change your current admin's password to what you have entered twice. Make sure you remember the password! If you forget it, there is no recovery. You need to reinstall the router!
Add users to the system

You should add each user that is going to log on to the router as a separate user and specify group of privileges. Add yourself as user of group full (same as for admin), for example:

You may create new groups for users with specific tasks.
Set up packet filtering

All packets with destination to the router are processed against the ip firewall filter's input chain. Note, that the input chain does not affect packets which are being transferred through the router!

You can add following rules to the input chain under /ip firewall filter (just 'copy and paste' to the router using Terminal Console or configure the relevant arguments in WinBox):
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

Use /ip firewall filter print input stats command to see how many packets have been processed against these rules. Use reset-counters-all command to reset the counters. Examine the system log file /log print to see the packets which have been dropped.

You may need to include additional rules to allow access from certain hosts, etc. Remember that firewall rules are processed in the order they appear on the list! After a rule matches the packet, no more rules are processed for it. After adding new rules, move them up using the move command.

Note, if you mis-configured the firewall and have locked yourselves out from the router, you may use MAC telnet from another router or workstation on the same LAN to connect to your router and correct the problem.

Drop IM Using L7

2008-04-08T13:58:00.000+07:00

Now we can STOP Instanse Messangers Using Layer-7 Filtering. You Require Mikrotik Router OS V3.x

In This Topic We will Try to STOP some known Messangers like MSN, Yahoo, etc.

First you need to Configure Layer-7 protocols

/ip firewall layer7-protocol
add
name="Yahoo" regexp="^(ymsg|ypns|yhoo).?.?.?.?.?.?.?[lwt].*\xc0\x80" comments="Yahoo Messanger"

name="MSN" regexp="ver [0-9]+ msnp[1-9][0-9]? [\x09-\x0d -~]*cvr0\x0d\x0a$|usr 1 [!-~]+ [0-9. ]+\x0d\x0a$|ans 1 [!-~]+ [0-9. ]+\x0d\x0a$" comments="MSN Messanger"

name="MSN FT" regexp="^(ver [ -~]*msnftp\x0d\x0aver msnftp\x0d\x0ausr|method msnmsgr:)" comments="MSN File Transfer"

name="Skype" regexp="^..\x02............." comments="Skype"

name="Skype-to-Phone" regexp="^(\x01.?.?.?.?.?.?.?.?\x01|\x02.?.?.?.?.?.?.?.?\x02|\x03.?.?.?.?.?.?.?.?\x03|\x04.?.?.?.?.?.?.?.?\x04|\x05.?.?.?.?.?.?.?.?\x05|\x06.?.?.?.?.?.?.?.?\x06|\x07.?.?.?.?.?.?.?.?\x07|\x08.?.?.?.?.?.?.?.?\x08|\x09.?.?.?.?.?.?.?.?\x09|\x0a.?.?.?.?.?.?.?.?\x0a|\x0b.?.?.?.?.?.?.?.?\x0b|\x0c.?.?.?.?.?.?.?.?\x0c|\x0d.?.?.?.?.?.?.?.?\x0d|\x0e.?.?.?.?.?.?.?.?\x0e|\x0f.?.?.?.?.?.?.?.?\x0f|\x10.?.?.?.?.?.?.?.?\x10|\x11.?.?.?.?.?.?.?.?\x11|\x12.?.?.?.?.?.?.?.?\x12|\x13.?.?.?.?.?.?.?.?\x13|\x14.?.?.?.?.?.?.?.?\x14|\x15.?.?.?.?.?.?.?.?\x15|\x16.?.?.?.?.?.?.?.?\x16|\x17.?.?.?.?.?.?.?.?\x17|\x18.?.?.?.?.?.?.?.?\x18|\x19.?.?.?.?.?.?.?.?\x19|\x1a.?.?.?.?.?.?.?.?\x1a|\x1b.?.?.?.?.?.?.?.?\x1b|\x1c.?.?.?.?.?.?.?.?\x1c|\x1d.?.?.?.?.?.?.?.?\x1d|\x1e.?.?.?.?.?.?.?.?\x1e|\x1f.?.?.?.?.?.?.?.?\x1f|\x20.?.?.?.?.?.?.?.?\x20|\x21.?.?.?.?.?.?.?.?\x21|\x22.?.?.?.?.?.?.?.?\x22|\x23.?.?.?.?.?.?.?.?\x23|\$.?.?.?.?.?.?.?.?\$|\x25.?.?.?.?.?.?.?.?\x25|\x26.?.?.?.?.?.?.?.?\x26|\x27.?.?.?.?.?.?.?.?\x27|$.?.?.?.?.?.?.?.?\(|$.?.?.?.?.?.?.?.?\)|\*.?.?.?.?.?.?.?.?\*|\+.?.?.?.?.?.?.?.?\+|\x2c.?.?.?.?.?.?.?.?\x2c|\x2d.?.?.?.?.?.?.?.?\x2d|\..?.?.?.?.?.?.?.?\.|\x2f.?.?.?.?.?.?.?.?\x2f|\x30.?.?.?.?.?.?.?.?\x30|\x31.?.?.?.?.?.?.?.?\x31|\x32.?.?.?.?.?.?.?.?\x32|\x33.?.?.?.?.?.?.?.?\x33|\x34.?.?.?.?.?.?.?.?\x34|\x35.?.?.?.?.?.?.?.?\x35|\x36.?.?.?.?.?.?.?.?\x36|\x37.?.?.?.?.?.?.?.?\x37|\x38.?.?.?.?.?.?.?.?\x38|\x39.?.?.?.?.?.?.?.?\x39|\x3a.?.?.?.?.?.?.?.?\x3a|\x3b.?.?.?.?.?.?.?.?\x3b|\x3c.?.?.?.?.?.?.?.?\x3c|\x3d.?.?.?.?.?.?.?.?\x3d|\x3e.?.?.?.?.?.?.?.?\x3e|\?.?.?.?.?.?.?.?.?\?|\x40.?.?.?.?.?.?.?.?\x40|\x41.?.?.?.?.?.?.?.?\x41|\x42.?.?.?.?.?.?.?.?\x42|\x43.?.?.?.?.?.?.?.?\x43|\x44.?.?.?.?.?.?.?.?\x44|\x45.?.?.?.?.?.?.?.?\x45|\x46.?.?.?.?.?.?.?.?\x46|\x47.?.?.?.?.?.?.?.?\x47|\x48.?.?.?.?.?.?.?.?\x48|\x49.?.?.?.?.?.?.?.?\x49|\x4a.?.?.?.?.?.?.?.?\x4a|\x4b.?.?.?.?.?.?.?.?\x4b|\x4c.?.?.?.?.?.?.?.?\x4c|\x4d.?.?.?.?.?.?.?.?\x4d|\x4e.?.?.?.?.?.?.?.?\x4e|\x4f.?.?.?.?.?.?.?.?\x4f|\x50.?.?.?.?.?.?.?.?\x50|\x51.?.?.?.?.?.?.?.?\x51|\x52.?.?.?.?.?.?.?.?\x52|\x53.?.?.?.?.?.?.?.?\x53|\x54.?.?.?.?.?.?.?.?\x54|\x55.?.?.?.?.?.?.?.?\x55|\x56.?.?.?.?.?.?.?.?\x56|\x57.?.?.?.?.?.?.?.?\x57|\x58.?.?.?.?.?.?.?.?\x58|\x59.?.?.?.?.?.?.?.?\x59|\x5a.?.?.?.?.?.?.?.?\x5a|\[.?.?.?.?.?.?.?.?\[|\\.?.?.?.?.?.?.?.?\\|\].?.?.?.?.?.?.?.?\]|\^.?.?.?.?.?.?.?.?\^|\x5f.?.?.?.?.?.?.?.?\x5f|\x60.?.?.?.?.?.?.?.?\x60|\x61.?.?.?.?.?.?.?.?\x61|\x62.?.?.?.?.?.?.?.?\x62|\x63.?.?.?.?.?.?.?.?\x63|\x64.?.?.?.?.?.?.?.?\x64|\x65.?.?.?.?.?.?.?.?\x65|\x66.?.?.?.?.?.?.?.?\x66|\x67.?.?.?.?.?.?.?.?\x67|\x68.?.?.?.?.?.?.?.?\x68|\x69.?.?.?.?.?.?.?.?\x69|\x6a.?.?.?.?.?.?.?.?\x6a|\x6b.?.?.?.?.?.?.?.?\x6b|\x6c.?.?.?.?.?.?.?.?\x6c|\x6d.?.?.?.?.?.?.?.?\x6d|\x6e.?.?.?.?.?.?.?.?\x6e|\x6f.?.?.?.?.?.?.?.?\x6f|\x70.?.?.?.?.?.?.?.?\x70|\x71.?.?.?.?.?.?.?.?\x71|\x72.?.?.?.?.?.?.?.?\x72|\x73.?.?.?.?.?.?.?.?\x73|\x74.?.?.?.?.?.?.?.?\x74|\x75.?.?.?.?.?.?.?.?\x75|\x76.?.?.?.?.?.?.?.?\x76|\x77.?.?.?.?.?.?.?.?\x77|\x78.?.?.?.?.?.?.?.?\x78|\x79.?.?.?.?.?.?.?.?\x79|\x7a.?.?.?.?.?.?.?.?\x7a|\{.?.?.?.?.?.?.?.?\{|\|.?.?.?.?.?.?.?.?\||\}.?.?.?.?.?.?.?.?\}|\x7e.?.?.?.?.?.?.?.?\x7e|\x7f.?.?.?.?.?.?.?.?\x7f|\x80.?.?.?.?.?.?.?.?\x80|\x81.?.?.?.?.?.?.?.?\x81|\x82.?.?.?.?.?.?.?.?\x82|\x83.?.?.?.?.?.?.?.?\x83|\x84.?.?.?.?.?.?.?.?\x84|\x85.?.?.?.?.?.?.?.?\x85|\x86.?.?.?.?.?.?.?.?\x86|\x87.?.?.?.?.?.?.?.?\x87|\x88.?.?.?.?.?.?.?.?\x88|\x89.?.?.?.?.?.?.?.?\x89|\x8a.?.?.?.?.?.?.?.?\x8a|\x8b.?.?.?.?.?.?.?.?\x8b|\x8c.?.?.?.?.?.?.?.?\x8c|\x8d.?.?.?.?.?.?.?.?\x8d|\x8e.?.?.?.?.?.?.?.?\x8e|\x8f.?.?.?.?.?.?.?.?\x8f|\x90.?.?.?.?.?.?.?.?\x90|\x91.?.?.?.?.?.?.?.?\x91|\x92.?.?.?.?.?.?.?.?\x92|\x93.?.?.?.?.?.?.?.?\x93|\x94.?.?.?.?.?.?.?.?\x94|\x95.?.?.?.?.?.?.?.?\x95|\x96.?.?.?.?.?.?.?.?\x96|\x97.?.?.?.?.?.?.?.?\x97|\x98.?.?.?.?.?.?.?.?\x98|\x99.?.?.?.?.?.?.?.?\x99|\x9a.?.?.?.?.?.?.?.?\x9a|\x9b.?.?.?.?.?.?.?.?\x9b|\x9c.?.?.?.?.?.?.?.?\x9c|\x9d.?.?.?.?.?.?.?.?\x9d|\x9e.?.?.?.?.?.?.?.?\x9e|\x9f.?.?.?.?.?.?.?.?\x9f|\xa0.?.?.?.?.?.?.?.?\xa0|\xa1.?.?.?.?.?.?.?.?\xa1|\xa2.?.?.?.?.?.?.?.?\xa2|\xa3.?.?.?.?.?.?.?.?\xa3|\xa4.?.?.?.?.?.?.?.?\xa4|\xa5.?.?.?.?.?.?.?.?\xa5|\xa6.?.?.?.?.?.?.?.?\xa6|\xa7.?.?.?.?.?.?.?.?\xa7|\xa8.?.?.?.?.?.?.?.?\xa8|\xa9.?.?.?.?.?.?.?.?\xa9|\xaa.?.?.?.?.?.?.?.?\xaa|\xab.?.?.?.?.?.?.?.?\xab|\xac.?.?.?.?.?.?.?.?\xac|\xad.?.?.?.?.?.?.?.?\xad|\xae.?.?.?.?.?.?.?.?\xae|\xaf.?.?.?.?.?.?.?.?\xaf|\xb0.?.?.?.?.?.?.?.?\xb0|\xb1.?.?.?.?.?.?.?.?\xb1|\xb2.?.?.?.?.?.?.?.?\xb2|\xb3.?.?.?.?.?.?.?.?\xb3|\xb4.?.?.?.?.?.?.?.?\xb4|\xb5.?.?.?.?.?.?.?.?\xb5|\xb6.?.?.?.?.?.?.?.?\xb6|\xb7.?.?.?.?.?.?.?.?\xb7|\xb8.?.?.?.?.?.?.?.?\xb8|\xb9.?.?.?.?.?.?.?.?\xb9|\xba.?.?.?.?.?.?.?.?\xba|\xbb.?.?.?.?.?.?.?.?\xbb|\xbc.?.?.?.?.?.?.?.?\xbc|\xbd.?.?.?.?.?.?.?.?\xbd|\xbe.?.?.?.?.?.?.?.?\xbe|\xbf.?.?.?.?.?.?.?.?\xbf|\xc0.?.?.?.?.?.?.?.?\xc0|\xc1.?.?.?.?.?.?.?.?\xc1|\xc2.?.?.?.?.?.?.?.?\xc2|\xc3.?.?.?.?.?.?.?.?\xc3|\xc4.?.?.?.?.?.?.?.?\xc4|\xc5.?.?.?.?.?.?.?.?\xc5|\xc6.?.?.?.?.?.?.?.?\xc6|\xc7.?.?.?.?.?.?.?.?\xc7|\xc8.?.?.?.?.?.?.?.?\xc8|\xc9.?.?.?.?.?.?.?.?\xc9|\xca.?.?.?.?.?.?.?.?\xca|\xcb.?.?.?.?.?.?.?.?\xcb|\xcc.?.?.?.?.?.?.?.?\xcc|\xcd.?.?.?.?.?.?.?.?\xcd|\xce.?.?.?.?.?.?.?.?\xce|\xcf.?.?.?.?.?.?.?.?\xcf|\xd0.?.?.?.?.?.?.?.?\xd0|\xd1.?.?.?.?.?.?.?.?\xd1|\xd2.?.?.?.?.?.?.?.?\xd2|\xd3.?.?.?.?.?.?.?.?\xd3|\xd4.?.?.?.?.?.?.?.?\xd4|\xd5.?.?.?.?.?.?.?.?\xd5|\xd6.?.?.?.?.?.?.?.?\xd6|\xd7.?.?.?.?.?.?.?.?\xd7|\xd8.?.?.?.?.?.?.?.?\xd8|\xd9.?.?.?.?.?.?.?.?\xd9|\xda.?.?.?.?.?.?.?.?\xda|\xdb.?.?.?.?.?.?.?.?\xdb|\xdc.?.?.?.?.?.?.?.?\xdc|\xdd.?.?.?.?.?.?.?.?\xdd|\xde.?.?.?.?.?.?.?.?\xde|\xdf.?.?.?.?.?.?.?.?\xdf|\xe0.?.?.?.?.?.?.?.?\xe0|\xe1.?.?.?.?.?.?.?.?\xe1|\xe2.?.?.?.?.?.?.?.?\xe2|\xe3.?.?.?.?.?.?.?.?\xe3|\xe4.?.?.?.?.?.?.?.?\xe4|\xe5.?.?.?.?.?.?.?.?\xe5|\xe6.?.?.?.?.?.?.?.?\xe6|\xe7.?.?.?.?.?.?.?.?\xe7|\xe8.?.?.?.?.?.?.?.?\xe8|\xe9.?.?.?.?.?.?.?.?\xe9|\xea.?.?.?.?.?.?.?.?\xea|\xeb.?.?.?.?.?.?.?.?\xeb|\xec.?.?.?.?.?.?.?.?\xec|\xed.?.?.?.?.?.?.?.?\xed|\xee.?.?.?.?.?.?.?.?\xee|\xef.?.?.?.?.?.?.?.?\xef|\xf0.?.?.?.?.?.?.?.?\xf0|\xf1.?.?.?.?.?.?.?.?\xf1|\xf2.?.?.?.?.?.?.?.?\xf2|\xf3.?.?.?.?.?.?.?.?\xf3|\xf4.?.?.?.?.?.?.?.?\xf4|\xf5.?.?.?.?.?.?.?.?\xf5|\xf6.?.?.?.?.?.?.?.?\xf6|\xf7.?.?.?.?.?.?.?.?\xf7|\xf8.?.?.?.?.?.?.?.?\xf8|\xf9.?.?.?.?.?.?.?.?\xf9|\xfa.?.?.?.?.?.?.?.?\xfa|\xfb.?.?.?.?.?.?.?.?\xfb|\xfc.?.?.?.?.?.?.?.?\xfc|\xfd.?.?.?.?.?.?.?.?\xfd|\xfe.?.?.?.?.?.?.?.?\xfe|\xff.?.?.?.?.?.?.?.?\xff)" comments="Skype to Phone"

name="AIM" regexp="^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x" comments="AIM Messanger"

name="ICQ" regexp="^(\*[\x01\x02].*\x03\x0b|\*\x01.?.?.?.?\x01)|flapon|toc_signon.*0x" comments="ICQ"

name="IRC" regexp="^(nick[\x09-\x0d -~]*user[\x09-\x0d -~]*:|user[\x09-\x0d -~]*:[\x02-\x0d -~]*nick[\x09-\x0d -~]*\x0d\x0a)" comments=IRC Chat"

Finally configure Layer-7 Filters

/ip firewall filter
add
chain=forward layer7-protocol="Yahoo" action=drop
chain=forward layer7-protocol="MSN" action=drop
chain=forward layer7-protocol="MSN FT" action=drop
chain=forward layer7-protocol="Skype" action=drop
chain=forward layer7-protocol="Skype-to-Phone" action=drop
chain=forward layer7-protocol="AIM" action=drop
chain=forward layer7-protocol="ICQ" action=drop
chain=forward layer7-protocol="IRC" action=drop

Mangle, Queue Tree and prio by fly man ... almost done

2008-04-08T13:57:00.000+07:00

As we know ‘simple queue’ marks packets from/to target ip and queues them using global-in/global-out parents for packets at the local side of router. If we want to queue services using ‘queue tree’ we can do it at the local or public side. However if we want to use ‘simple queue’ and ‘queue tree’ for services we don’t have that choice. Packets are marked at the local side and queued by ‘simple queue’ (we can’t see it in /ip firewall mange and /queue tree). The second marking and the ‘queue tree’ at the local side won’t work. That’s why, for services we need to mark packets incoming/outgoing (prerouting/postrouting) at the public side of router.
/interface set ether1 name=wan
/interface set ether2 name=lan
/ip address add address=192.168.0.1/24 interface=lan
/ip address add address=1.0.0.2/24 interface=wan
/ip route add gateway=1.0.0.1
/ip firewall nat add chain=srcnat action=masquerade src-address=192.168.0.0/24

At first we make simple queue, for example:
:for z from 2 to 254 do={/queue simple add name=(0. . $z) target-addresses=(192.168.0. . $z) \
parent=192.168.0.0/24 interface=all priority=4 queue=default/default max-limit=128000/530000 \
total-queue=default}

Now we mark packets for the services
/ ip firewall mangle
add chain=prerouting action=mark-packet new-packet-mark=icmp_in passthrough=no \
in-interface=wan protocol=icmp comment="icmp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=icmp_out \
passthrough=no out-interface=wan protocol=icmp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=p2p_in passthrough=no \
p2p=all-p2p in-interface=wan comment="p2p" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=p2p_out \
passthrough=no p2p=all-p2p out-interface=wan comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=pop3_in passthrough=no \
in-interface=wan src-port=110 protocol=tcp comment="pop3" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=pop3_out \
passthrough=no out-interface=wan dst-port=110 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=smtp_in passthrough=no \
in-interface=wan src-port=25 protocol=tcp comment="smtp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=smtp_out \
passthrough=no out-interface=wan dst-port=25 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=imap_in passthrough=no \
in-interface=wan src-port=143 protocol=tcp comment="imap" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=imap_out \
passthrough=no out-interface=wan dst-port=143 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssh_in passthrough=no \
in-interface=wan dst-port=22 protocol=tcp comment="ssh" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssh_out \
passthrough=no out-interface=wan src-port=22 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=winbox_in \
passthrough=no in-interface=wan dst-port=8291 protocol=tcp \
comment="winbox" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=winbox_out \
passthrough=no out-interface=wan src-port=8291 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=dns_in passthrough=no \
in-interface=wan src-port=53 protocol=udp comment="dns" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=dns_out \
passthrough=no out-interface=wan dst-port=53 protocol=udp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=www_in passthrough=no \
in-interface=wan src-port=80 protocol=tcp comment="www" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=www_out \
passthrough=no out-interface=wan dst-port=80 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=ssl_in passthrough=no \
in-interface=wan src-port=443 protocol=tcp comment="ssl" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=ssl_out \
passthrough=no out-interface=wan dst-port=443 protocol=tcp comment="" \
disabled=no
add chain=prerouting action=mark-packet new-packet-mark=udp_in passthrough=no \
in-interface=wan protocol=udp comment="udp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=udp_out \
passthrough=no out-interface=wan protocol=udp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=tcp_in passthrough=no \
in-interface=wan protocol=tcp comment="tcp" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=tcp_out \
passthrough=no out-interface=wan protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-packet new-packet-mark=other_in \
passthrough=no in-interface=wan comment="other" disabled=no
add chain=postrouting action=mark-packet new-packet-mark=other_out \
passthrough=no out-interface=wan comment="" disabled=no

after that we can make queue tree:
/queue tree
add name="upload_wan1" parent=global-out packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_down" parent=global-in packet-mark=icmp_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="icmp_up" parent=global-out packet-mark=icmp_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_down" parent=global-in packet-mark=winbox_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="winbox_up" parent=global-out packet-mark=winbox_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_down" parent=global-in packet-mark=dns_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="dns_up" parent=global-out packet-mark=dns_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_up" parent=upload_wan1 packet-mark=www_out limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_up" parent=upload_wan1 packet-mark=ssl_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_up" parent=upload_wan1 packet-mark=p2p_out limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_up" parent=upload_wan1 packet-mark=udp_out limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_up" parent=upload_wan1 packet-mark=tcp_out limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other_up" parent=upload_wan1 packet-mark=other_out limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="download_wan1" parent=global-in packet-mark="" limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="www_down" parent=download_wan1 packet-mark=www_in limit-at=0 \
queue=wireless-default priority=2 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssl_down" parent=download_wan1 packet-mark=ssl_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="p2p_down" parent=download_wan1 packet-mark=p2p_in limit-at=0 \
queue=wireless-default priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="udp_down" parent=download_wan1 packet-mark=udp_in limit-at=0 \
queue=wireless-default priority=6 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="tcp_down" parent=download_wan1 packet-mark=tcp_in limit-at=0 \
queue=wireless-default priority=4 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="other" parent=download_wan1 packet-mark=other_in limit-at=0 \
queue=wireless-default priority=7 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_down" parent=global-in packet-mark=ssh_in limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="ssh_up" parent=global-out packet-mark=ssh_out limit-at=0 \
queue=wireless-default priority=1 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_down" parent=download_wan1 packet-mark=pop3_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_down" parent=download packet-mark=smtp_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_down" parent=download packet-mark=imap_in limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="imap_up" parent=upload packet-mark=imap_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="smtp_out" parent=upload packet-mark=smtp_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="pop3_up" parent=upload packet-mark=pop3_out limit-at=0 \
queue=wireless-default priority=5 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no

We have several basic download/upload queues:

- wan

- icmp

- winbox

- dns

Icmp, dns and winbox have the highest priority to ensure low ping, quick answer of dns server and winbox connection without any problems. The second is wan. In wan tree we decide which service has the highest priority, for which one we want to guarantee bandwidth or decrease speed.

Limit Different Bandwidth In Day and Night

2008-04-08T13:56:00.000+07:00

Limit Different Bandwidth In Day and Night.

There are lot many ways to limit bandwidth for day and Night, but personally I found this is the easiest way, Here it is.

I have used Simple Queue, Script and Scheduler.

Suppose we have one network 192.168.1.0/24 and want to limit Bandwidth for day and Night Time.
Network 192.168.1.0/24
Bandwidth = 06:00am – 18:00pm – 1Mbps.
Bandwidth = 18:00pm – 06:00am – 2Mbps.

Create two simple queues for the same network with different Bandwidth Limit.
/queue simple
#name=”Day” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0
interface= parent=none direction=both priority=8
queue=default-small/default-small limit-at=512k/512k
max-limit=1M/1M total-queue=default-small

#name=”Night” target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0
interface= parent=none direction=both priority=8
queue=default-small/default-small limit-at=1M/1M
max-limit=2M/2M total-queue=default-small

Now, write scripts
/system script
#name=”Day” source=/queue simple enable Day; /queue simple disable Night

#name=”Night” source=/queue simple enable Night; /queue simple disable Day

Finally, Schedule it
/system scheduler
#name=”Day” on-event=Day start-date=oct/13/2007 start-time=06:00:00 interval=1d

#name=”Night” on-event=Night start-date=oct/13/2007 start-time=18:00:00 interval=1d

Queue Tree with more than two interfaces

2008-04-08T13:53:00.000+07:00

Basic Setup

This page will tak about how to make QUEUE TREE in RouterOS that with Masquerading for more than two interfaces. It's for sharing internet connection among users on each interfacess. In manual this possibility isn't writted.

First, let's set the basic setting first. I'm using a machine with 3 or more network interfaces:
[admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R wifi1 wlan 0 0 1500
2 R wifi2 wlan 0 0 1500
3 R wifi3 wlan 0 0 1500

And this is the IP Addresses for each interface:
[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.20.1.0/24 10.20.1.0 10.20.1.255 public
1 10.10.2.0/24 10.10.2.0 10.10.2.255 wifi1
2 10.10.3.0/24 10.10.3.0 10.10.3.255 wifi2
3 10.10.4.0/24 10.10.4.0 10.10.4.255 wifi3

On the public you can add NAT or proxy if you want.
[edit]
Mangle Setup

And now is the most important part in this case.

We need to mark our users. One connection for upload and second for download. In this example I add mangle for one user. At the end I add mangle for local transmission because I don't QoS local trafic emong users. But for user I need to separate upload and download.
[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
disabled=no
0 chain=forward src-address=10.10.2.36 action=mark-connection \
new-connection-mark=users-userU passthrough=yes comment="" disabled=no
1 chain=forward dst-address=10.10.2.36 action=mark-connection \
new-connection-mark=users-userD passthrough=yes comment="" disabled=no
2 chain=forward connection-mark=users-userU action=mark-packet \
new-packet-mark=userU passthrough=yes comment="" disabled=no
3 chain=forward connection-mark=users-userD action=mark-packet \
new-packet-mark=userD passthrough=yes comment="" disabled=no
98 chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
action=mark-connection new-connection-mark=users-lokal passthrough=yes
99 chain=forward connection-mark=users-lokal action=mark-packet
new-packet-mark=lokalTrafic passthrough=yes
[edit]
Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent "global-out", because we have two or more downloading interfaces. And for uplink, we are using parent "public", we want QoS uplink traffic. (I'm using pcq-up and download from manual) This example is for 2Mb/1Mb
[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="Download" parent=global-out packet-mark="" limit-at=0
queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
burst-threshold=0 burst-time=0s
1 name="Upload" parent=WGW packet-mark="" limit-at=0 queue=pcq-upload
priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s

Now we add our user:
2 name="user10D" parent=Download packet-mark=userD limit-at=0
queue=pcq-download priority=5 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s
3 name="user10U" parent=Upload packet-mark=userU limit-at=0
queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s

Queue with Masquerading and Internal Web-Proxy

2008-04-08T13:52:00.000+07:00

Introduction

This page will tak about how to make QUEUE TREE in RouterOS that also running Web-Proxy and Masquerading. Several topics in forum say it's impossible to do.

In version 2.9.x, we can not know which traffic is HIT and which traffic is MISS from web-proxy. Several people want to make a configuration, to let cache data in proxy (HIT traffic) deliver in maximum possible speed. In other word, if we already have the requested data, those process will not queued.

In ver 3.0 we can do this, using TOS header modification in web-proxy feature. We can set any TOS value for the HIT traffic, and make it as parameter in mangle.
[edit]
Basic Setup

First, let's set the basic setting first. I'm using a machine with 2 network interface:
admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R lan wlan 0 0 1500

And this is the IP Address for each interface:
[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.217/24 192.168.0.0 192.168.0.255 public
1 172.21.1.1/24 172.21.1.0 172.21.1.255 lan

Don't forget to set the transparant web-proxy. We set cache-hit-dscp: 4.
[admin@instaler] > ip proxy pr
enabled: yes
src-address: 0.0.0.0
port: 3128
parent-proxy: 0.0.0.0
parent-proxy-port: 0
cache-drive: system
cache-administrator: "webmaster"
max-cache-size: none
cache-on-disk: yes
maximal-client-connections: 600
maximal-server-connections: 600
max-fresh-time: 3d
serialize-connections: yes
cache-hit-dscp: 4
[edit]
Firewall NAT

Make 2 NAT rules, 1 for Masquerading, and the other for redirecting transparant proxy.
[admin@instaler] ip firewall nat> pr
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=public
src-address=172.21.1.0/24 action=masquerade
1 chain=dstnat in-interface=lan src-address=172.21.1.0/24
protocol=tcp dst-port=80 action=redirect to-ports=3128
[edit]
Mangle Setup

And now is the most important part in this case.

If we want to make HIT traffic from web proxy not queued, we have to make a mangle to handle this traffic. Put this rule on the beginning of the mangle, as it will check first.
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; HIT TRAFFIC FROM PROXY
chain=output out-interface=lan
dscp=4 action=mark-packet
new-packet-mark=proxy-hit passthrough=no

As we will make Queue for uplink and downlink traffic, we need 2 packet-mark. In this example, we use "test-up" for uplink traffic, and "test-down" for downlink traffic.

For uplink traffic, it's quite simple. We need only one rule, using SRC-ADDRESS and IN-INTERFACE parameters, and using PREROUTING chain. Rule number #1.

But for downlink, we have to make sevaral rules. As we use masquerading, we need Connection Mark, named as "test-conn". Rule no #2.

Then we have to make 2 more rules. First rule is for non-HTTP connection / direct connection. We use chain forward, as the data traveling through the router. Rule no #3.

The second rule is for data coming from web-proxy to the client (MISS traffic). We use OUTPUT chain, as the data coming from internal process in the router itself. Rule no #4.

For both rules (no #3 and #4) we named it "test-down".

Please be aware, we use passthrough only for connection mark (rule no #2).
[admin@instaler] > ip firewall mangle print
Flags: X - disabled, I - invalid, D - dynamic
1 ;;; UP TRAFFIC
chain=prerouting in-interface=lan
src-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-up passthrough=no

2 ;;; CONN-MARK
chain=forward src-address=172.21.1.0/24
action=mark-connection
new-connection-mark=test-conn passthrough=yes

3 ;;; DOWN-DIRECT CONNECTION
chain=forward in-interface=public
connection-mark=test-conn action=mark-packet
new-packet-mark=test-down passthrough=no

4 ;;; DOWN-VIA PROXY
chain=output out-interface=lan
dst-address=172.21.1.0/24 action=mark-packet
new-packet-mark=test-down passthrough=no
[edit]
Queue Tree Setup

And now, the queue tree setting. We need one rule for downlink and one rule for uplink. Be careful when choosing the parent. for downlink traffic, we use parent "lan", the interface name for local network. And for uplink, we are using parent "global-in".
[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="downstream" parent=lan packet-mark=test-down
limit-at=32000 queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="upstream" parent=global-in
packet-mark=test-up limit-at=32000
queue=default priority=8
max-limit=32000 burst-limit=0
burst-threshold=0 burst-time=0s

You can use those mangle also with PCQ.

Different limits for Local/Overseas traffic for 3 bandwitch rates using pcq and queue tree

2008-04-08T13:51:00.000+07:00

1. Introdution

Let's consider the scenario, when you want to apply different limits for many users to Local and Oversea traffic and don`t want load cpu with a lot of simple queues and you want sell for customers 3 bandwitch rates.
1.12/6 Mbps Latvian Traffic 1Mbps/512Kbps Overseas traffic
2.6/3 Mbps Latvian Traffic 512kbps/256Kbps Overseas traffic
3.4/2 Mbps Latvian Traffic 256Kbps/128Kbps Overseas traffic

Queue trees will limit data rate for the Local country traffic and Oversea traffic In this scenario local country is Latvia. List of all Latvian subnets located at http://www.nic.lv/local.net
[edit]
2. Configuration
/ ip firewall address-list
add list=12/6 address=192.168.0.2 comment="12/6mbps Local traffic 1mbps/512kbps oversea"
add list=6/3 address=192.168.0.3 comment="6/3mbps Local traffic 512kbps/256kbps oversea"
add list=4/2 address=192.168.0.4 comment="4/2mbps Local traffic 256kbps/128kbps oversea"
add list=Latvia address=159.148.0.0/16 comment="" disabled=no
add list=Latvia address=193.41.195.0/24 comment="" disabled=no
add list=Latvia address=193.41.33.0/24 comment="" disabled=no
add list=Latvia address=193.41.45.0/24 comment="" disabled=no
add list=Latvia address=193.68.64.0/19 comment="" disabled=no
add list=Latvia address=193.108.29.0/24 comment="" disabled=no
add list=Latvia address=193.108.144.0/22 comment="" disabled=no
add list=Latvia address=193.108.185.0/24 comment="" disabled=no

/ ip firewall mangle
add chain=forward action=mark-packet new-packet-mark=LV_DL_6M passthrough=yes \
in-interface=public src-address-list=latvia comment="Default mangle for \
Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_3M passthrough=yes \
in-interface=local dst-address-list=latvia comment="Default mangle for \
Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_512k \
passthrough=yes in-interface=public src-address-list=!latvia \
comment="Default mangle for Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_256k \
passthrough=yes in-interface=local dst-address-list=!latvia \
comment="Default mangle for Oversea Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_DL_12M passthrough=no \
in-interface=public src-address-list=latvia dst-address-list=12/6 \
comment="Tarif 12/6 Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_6M passthrough=no \
in-interface=local src-address-list=12/6 dst-address-list=latvia \
comment="Tarif 12/6 Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_1M passthrough=no \
in-interface=public src-address-list=!latvia dst-address-list=12/6 \
comment="Tarif 12/6 Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_512k passthrough=no \
in-interface=local src-address-list=12/6 dst-address-list=!latvia \
comment="Tarif 12/6 Oversea Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_DL_4M passthrough=no \
in-interface=public src-address-list=latvia dst-address-list=4/2 \
comment="Tarif 4/2 Latvia Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=LV_UL_2M passthrough=no \
in-interface=local src-address-list=4/2 dst-address-list=latvia \
comment="Tarif 4/2 Latvia Upload" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_DL_256k passthrough=no \
in-interface=public src-address-list=!latvia dst-address-list=4/2 \
comment="Tarif 4/2 Oversea Download" disabled=no
add chain=forward action=mark-packet new-packet-mark=OS_UL_128k passthrough=no \
in-interface=local src-address-list=4/2 dst-address-list=!latvia \
comment="Tarif 4/2 Oversea Upload" disabled=no

/ queue type
add name="LV_DL_12M" kind=pcq pcq-rate=12000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_DL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_DL_4M" kind=pcq pcq-rate=4000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="LV_UL_6M" kind=pcq pcq-rate=6000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="LV_UL_3M" kind=pcq pcq-rate=3000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="LV_UL_2M" kind=pcq pcq-rate=2000000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_DL_1M" kind=pcq pcq-rate=1000000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_DL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_DL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=dst-address pcq-total-limit=2000
add name="OS_UL_512k" kind=pcq pcq-rate=512000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_UL_256k" kind=pcq pcq-rate=256000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000
add name="OS_UL_128k" kind=pcq pcq-rate=128000 pcq-limit=50 \
pcq-classifier=src-address pcq-total-limit=2000

/ queue tree
add name="LV_DL_12M" parent=local packet-mark=LV_DL_12M limit-at=0 queue=LV_DL_12M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_DL_6M" parent=local packet-mark=LV_DL_6M limit-at=0 queue=LV_DL_6M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_2M" parent=public packet-mark=LV_UL_2M limit-at=0 queue=LV_UL_2M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_DL_4M" parent=local packet-mark=LV_DL_4M limit-at=0 queue=LV_DL_4M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_3M" parent=public packet-mark=LV_UL_3M limit-at=0 queue=LV_UL_3M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="LV_UL_6M" parent=public packet-mark=LV_UL_6M limit-at=0 queue=LV_UL_6M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_1M" parent=local packet-mark=OS_DL_1M limit-at=0 queue=OS_DL_1M priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_256k" parent=local packet-mark=OS_DL_256k limit-at=0 queue=OS_DL_256k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_DL_512k" parent=local packet-mark=OS_DL_512k limit-at=0 queue=OS_DL_512k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_128k" parent=public packet-mark=OS_UL_128k limit-at=0 queue=OS_UL_128k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_256k" parent=public packet-mark=OS_UL_256k limit-at=0 queue=OS_UL_256k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
add name="OS_UL_512k" parent=public packet-mark=OS_UL_512k limit-at=0 queue=OS_UL_512k priority=8 max-limit=0 burst-limit=0 \
burst-threshold=0 burst-time=0s disabled=no
[edit]
3. Explanation

In /ip firewall address-list we created 3 lists for bandwitch profiles and list with name Latvia with latvian subnets In /ip firewall mangle we created address list based packet marks for bandwitch profiles. All ips witch is not included in any address list will have second bandwitch profiles rates. In /queue types we created pcq types for bandwitch profiles. In /queue tree we created rules with Local/Overseas packet marks and queue types for bandwitch profiles.

Now customer with ip 192.168.0.2 have 1 profile rates, customer with ip 192.168.0.3 have 2 profile rates, client with ip 192.168.0.4 have 3 profile rates and all others have 2 bandwitch rates, so all traffic will be limited and your cpu power will be free for other tasks.
[edit]
Important note

This setup will work correctly if local network is not masqueraded. If masquerade is used then parent for all upload queues must be 'global-out' instead of 'public'. The reason for this is that pcq_upload classifier is source address. In case of masquerading source address is changed to public IP address. If queue is set to 'public' interface pcq will think that all packets are coming from one source ( public IP ). PCQ must see source address before masquerading occurs, according to packet flow diagram from manual 'global-out' is before 'src-nat'.

How to apply different limits for Local/Overseas traffic

2008-04-08T13:49:00.001+07:00

Introduction

Let's consider the scenario, when you want to apply different limit to Local and Oversea traffic. Oversea traffic - traffic that doesn't belong to the Local country traffic.

To distinguish oversea traffic from Local country traffic, we will use 'mangle marks' and 'address-list' features. It will place appropriate marks to the packets to/from the Local country and Oversea networks. Local traffic is 'latvian traffic' in the particular example, list of network numbers belonging to ISPs in Latvia can be extracted from file: http://www.nic.lv/local.net

Note, 'address-list' entries should be replaced with respective addresses, if your router isn't located in Latvia. To find the actual list of network numbers belonging to your country, use Google or any other resources.

Simple queues will limit data rate for the Local country traffic and Oversea traffic.
Quick Start for Impatient

Configuration export from the router:
/ ip firewall address-list
add list=Latvia address=159.148.0.0/16 comment="" disabled=no
add list=Latvia address=193.41.195.0/24 comment="" disabled=no
add list=Latvia address=193.41.33.0/24 comment="" disabled=no
add list=Latvia address=193.41.45.0/24 comment="" disabled=no
add list=Latvia address=193.68.64.0/19 comment="" disabled=no
add list=Latvia address=193.108.29.0/24 comment="" disabled=no
add list=Latvia address=193.108.144.0/22 comment="" disabled=no
add list=Latvia address=193.108.185.0/24 comment="" disabled=no
add list=Latvia address=193.109.211.0/24 comment="" disabled=no
add list=Latvia address=193.109.85.0/24 comment="" disabled=no
add list=Latvia address=193.110.8.0/23 comment="" disabled=no
add list=Latvia address=193.110.164.0/23 comment="" disabled=no
...
add list=Latvia address=193.111.244.0/22 comment="" disabled=no

/ ip firewall mangle
add chain=prerouting src-address=192.168.100.0/24 action=mark-connection \
new-connection-mark="Con Entire Traffic" passthrough=yes \
comment="Mark-connection All Traffic" disabled=no
add chain=prerouting src-address=192.168.100.0/24 connection-mark="Con Entire \
Traffic" dst-address-list=!Latvia action=mark-connection \
new-connection-mark="Con Oversea" passthrough=yes comment="Mark-connection \
Oversea Traffic" disabled=no
add chain=prerouting connection-mark="Con Oversea" action=mark-packet \
new-packet-mark="Oversea traffic" passthrough=no comment="Mark-packet \
Oversea Traffic" disabled=no
add chain=prerouting action=mark-packet new-packet-mark="Local Country Traffic" \
passthrough=no comment="Mark-packet Local Country Traffic" disabled=no

/ queue simple
add name="Oversea" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Oversea traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=256000/256000 total-queue=default-small disabled=no
add name="Local Country" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Local Country Traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=1024000/1024000 total-queue=default-small disabled=no
Explanation
Address-list

First we create Local country address-list, where are placed list of network numbers belonging to ISPs in Latvia (any other country network addresses can be used instead). Full address-list configuration is not included (too many address-list entries), but address-list idea is clear. Networks added to the list 'Latvia':
/ ip firewall address-list
add list=Latvia address=159.148.0.0/16 comment="" disabled=no
add list=Latvia address=193.41.195.0/24 comment="" disabled=no
add list=Latvia address=193.41.33.0/24 comment="" disabled=no
add list=Latvia address=193.41.45.0/24 comment="" disabled=no
add list=Latvia address=193.68.64.0/19 comment="" disabled=no
add list=Latvia address=193.108.29.0/24 comment="" disabled=no
add list=Latvia address=193.108.144.0/22 comment="" disabled=no
add list=Latvia address=193.108.185.0/24 comment="" disabled=no
add list=Latvia address=193.109.211.0/24 comment="" disabled=no
add list=Latvia address=193.109.85.0/24 comment="" disabled=no
add list=Latvia address=193.110.8.0/23 comment="" disabled=no
add list=Latvia address=193.110.164.0/23 comment="" disabled=no
...
add list=Latvia address=193.111.244.0/22 comment="" disabled=no

Note, it's much easier to create/edit such list with Excel or any other similar program.
Mangle

First we add rule to mark connections that belong to local router's subnet (192.168.100.0/24). Second rule marks connections between local subnet and overseas networks. Third rule marks oversea packets and exclude them from mangle table (passtrough=no). Finally, the last rule places packet mark on all packets that belong to Local country traffic.
/ ip firewall mangle
add chain=prerouting src-address=192.168.100.0/24 action=mark-connection \
new-connection-mark="Con Entire Traffic" passthrough=yes \
comment="Mark-connection All Traffic" disabled=no
add chain=prerouting src-address=192.168.100.0/24 connection-mark="Con Entire \
Traffic" dst-address-list=!Latvia action=mark-connection \
new-connection-mark="Con Oversea" passthrough=yes comment="Mark-connection \
Oversea Traffic" disabled=no
add chain=prerouting connection-mark="Con Oversea" action=mark-packet \
new-packet-mark="Oversea traffic" passthrough=no comment="Mark-packet \
Oversea Traffic" disabled=no
add chain=prerouting action=mark-packet new-packet-mark="Local Country Traffic" \
passthrough=no comment="Mark-packet Local Country Traffic" disabled=no
Simple Queue

Queue configuration is quite simple in the particular case. 192.168.100.254 is the local network host. First rule sets limit 256k/256k to Oversea traffic for the particular host. Respectively second simple queue set limit 1M/1M for Local country traffic.
/ queue simple
add name="Oversea" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Oversea traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=256000/256000 total-queue=default-small disabled=no
add name="Local Country" target-addresses=192.168.100.254/32 dst-address=0.0.0.0/0 \
interface=all parent=none packet-marks="Local Country Traffic" direction=both \
priority=8 queue=default-small/default-small limit-at=0/0 \
max-limit=1024000/1024000 total-queue=default-small disabled=no

Load Balancing Multi gateway

2008-04-08T13:46:00.002+07:00

Quick Start for Impatient

Configuration export from the gateway router:
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no
/ ip firewall mangle
add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" \
disabled=no
Explanation

First we give a code snippet and then explain what it actually does.
Mangle
/ ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local comment="" \
disabled=no
add address=10.111.0.2/24 network=10.111.0.0 broadcast=10.111.0.255 interface=wlan2 \
comment="" disabled=no
add address=10.112.0.2/24 network=10.112.0.0 broadcast=10.112.0.255 interface=wlan1 \
comment="" disabled=no

The router has two upstream (WAN) interfaces with the addresses of 10.111.0.2/24 and 10.112.0.2/24. The LAN interface has the name "Local" and IP address of 192.168.0.1/24.
/ ip firewall mangle

add chain=prerouting in-interface=Local connection-state=new nth=1,1,0 \
action=mark-connection new-connection-mark=odd passthrough=yes comment="" \
disabled=no

First we take every second packet that establishes new session (note connection-state=new), and mark it with connection mark "odd". Consequently all successive packets belonging to the same session will carry the connection mark "odd". Note that we are passing these packets to the second rule (passthrough=yes) to place a routing mark on these packets in addition to the connection mark.
add chain=prerouting in-interface=Local connection-mark=odd action=mark-routing \
new-routing-mark=odd passthrough=no comment="" disabled=no

The rule above places the routing mark "odd" on all packets that belong to the "odd" connection and stops processing all other mangle in prerouting chain rules for these packets.
add chain=prerouting in-interface=Local connection-state=new nth=1,1,1 \
action=mark-connection new-connection-mark=even passthrough=yes comment="" \
disabled=no
add chain=prerouting in-interface=Local connection-mark=even action=mark-routing \
new-routing-mark=even passthrough=no comment="" disabled=no

These rules do the same for the remaining half of the traffic as the first two rules for the first half of the traffic.

The code above effectively means that each new connection initiated through the router from the local network will be marked as either "odd" or "even" with both routing and connection marks.
NAT
/ ip firewall nat
add chain=srcnat connection-mark=odd action=src-nat to-addresses=10.111.0.2 \
to-ports=0-65535 comment="" disabled=no
add chain=srcnat connection-mark=even action=src-nat to-addresses=10.112.0.2 \
to-ports=0-65535 comment="" disabled=no

All traffic marked "odd" is being NATted to source IP address of 10.111.0.2, while traffic marked "even" gets "10.112.0.2" source IP address.
Routing
/ ip route
add dst-address=0.0.0.0/0 gateway=10.111.0.1 scope=255 target-scope=10 routing-mark=odd \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 routing-mark=even \
comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.112.0.1 scope=255 target-scope=10 comment="" \
disabled=no comment="gateway for the router itself"

For all traffic marked "odd" (consequently having 10.111.0.2 translated source address) we use 10.111.0.1 gateway. In the same manner all traffic marked "even" is routed through the 10.112.0.1 gateway. Finally, we have one additional entry specifying that traffic from the router itself (the traffic without any routing marks) should go to 10.112.0.1 gateway.

TransparentTrafficShaper

2008-04-08T13:41:00.002+07:00

Introduction

This example shows how to configure a transparent traffic shaper. The transparent traffic shaper is essentially a bridge that is able to differentiate and prioritize traffic that passes through it.

Consider the following network layout:

We will configure one queue limiting the total throughput to the client and three sub-queues that limit HTTP, P2P and all other traffic separately.
Quick Start for Impatient

Configuration snippet from the MikroTik router:
/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1

/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no

/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
add name="http" parent=main packet-marks=http max-limit=240000/500000
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000
add name="other" parent=main packet-marks=other max-limit=128000/128000
Explanation

Each piece of code is followed by the explanation of what it actually does.
Bridge
/ interface bridge
add name="bridge1"
/ interface bridge port
add interface=ether2 bridge=bridge1
add interface=ether3 bridge=bridge1

We create a new bridge interface and assign two ethernet interfaces to it. Thus the prospective traffic shaper will be completely transparent to the client.
Mangle
/ ip firewall mangle
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
new-packet-mark=http passthrough=no

All traffic destined to TCP port 80 is likely to be HTTP traffic and therefore is being marked with the packet mark http. Note, that the first rule has passthrough=yes while the second one has passthrough=no. (You can obtain additional information about mangle at http://www.mikrotik.com/docs/ros/2.9/ip/mangle)
/ ip firewall mangle
add chain=prerouting p2p=all-p2p action=mark-connection \
new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
new-packet-mark=other passthrough=no

Same as above, P2P traffic is marked with the packet mark p2p and all other traffic is marked with the packet mark other.
Queues
/ queue simple
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000

We create a queue that limits all the traffic going to/from the client (specified by the target-address) to 256k/512k.
/ queue simple
add name="http" parent=main packet-marks=http max-limit=240000/500000
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000
add name="other" parent=main packet-marks=other max-limit=128000/128000

All sub-queues have the main queue as the parent, thus the aggregate data rate could not exceed limits specified in the main queue. Note, that http queue has higher priority than other queues, meaning that HTTP downloads are prioritized.

Per-Traffic Load Balancing

2008-04-08T13:37:00.001+07:00

Introduction

Bandwidth management is an essential part of every day operation for typical ISP's, business, and even everyday home users. There are many different types of management tools available to RouterOS users, QoS, rate-limitng, packet-limiting, to name few

I personally operate a wireless ISP in an area that has no other type of conventional high-speed internet conection (ie. cable, fibre or DSL). Not having access to fibre myself, I am in a situation where the single fastest backbone connection I can get does not provide enough bandwidth for me to have only one connection. As a result of this limitation load-balancing multiple internet backbone connections is very important.

In the past I have used ECMP, persisten per connection styled load-balancing (see http://wiki.mikrotik.com/wiki/Load_Balancing), as well as various other methods However, I found all of then lacking in various different areas (not load-balancing correctly, broken large HTTP downloads, IM problems, to name a few issues). I then investigated a way to give me more control over my bandwidth while minimizing the potential problems. The end result was a per-traffic type of load-balancing. This tutorial is designed address that one specific area in depth, at a later date, I may expand/add additional info on fail-over, and other topics
[edit]
Functions of RouterOS used
Firewall mangle rules
Firewall address-lists
Routing
[edit]
Step 1 - How to break up to traffic

Before you even log onto your RouterOS box, you should have an idea of how you want to divide your traffic, and have an understanding of what traffic can and what traffic can't be broken up.

Here is an example of what you may want to attempt to separate (in no particular order)
HTTP traffic (port 80)
SSL traffic (port 443)
POP3 traffic (port 110)
SMTP traffic (port 25)
P2P traffic (various port)
Unknown traffic (various port)

After making a list of the traffic type, and the ports they operate on, you need to look at the list and decide if it is at all even capable of being forced out a certain internet connection.exión a internet.

Using the above list as an example here is what I came up with
HTTP traffic (no problems found yet)
SSL traffic (some issues, for normal SSL websites and 90% of all software it is not a problem, I'll explain why issues can arise later)
POP3 traffic (no problems found yet)
SMTP traffic (no problems found yet)
P2P traffic (must go out same internet connection as Unknown Traffic, I'll explain why this is later)
Unknown traffic (must go out same internet connection as P2P traffic, I'll explain why this is later)

Now for a quick explanation of why there can be some issues depending on the traffic type. Some websites/programs do not play friendly with multiple requests from different IP addresses, this is the reason why ECMP has so many problems. I will provide a simple solution to the rare conditions where load-balancing can't be completed.

Again using the above as an example lets explain where and why issues can be arise. SSL - The beauty of a website is that are separate requests for different data, ie. loading pictures from 3 different sources would be a request to each respective server. The result is if a we have a website that uses both SSL and HTTP traffic we know that in most cases the website will just answer the request without care of the originating IP address. However, and this is a special case, if the website/program developer checks where the requests are originating and they find that the IP are different, they may not succesfully answer those requests (this can be by design or by accident). I had 2 cases of this, in both cases it was secured medical websites that where using it as a method of protecting their data.

P2P and Unknown - I am addressing these together because the issue is one and the same. RouterOS doesn't identify P2P based on any single condition, but instead analyzes the packets! This means RouterOS needs time to watch the data before it realizes that is in fact P2P traffic. As a result RouterOS doesn't know the data is P2P until AFTER the connection is made. This is important because the only way to send data out a specific internet connection you must know that traffic is BEFORE the connection is made. So as with P2P traffic, unknown traffic is just that, it is unknown. By marking the unknown traffic though you can control what internet connection is used for both P2P and the left over unknown traffic (very useful!)
[edit]
Step 2 - Setting Up the Network

Before we get to the real point of this tutorial we need a fictious network we can use as an example.
client computers (172.18.1.0/24)
Internet Gateways (10.0.1.1/24, 10 0.2.1/24)
RouterOS IPs (10.0.1.2/24, 10.0.2.2/24)

Asuming that the IPs, default routes, and DNS settings are already in place the following allow users to get internet access.

Create Address-List for permitted use of internet
/ ip firewall address-list
add list="Salida_Internet" address=172.18.1.0/24 comment="" disabled=no

Create Address-List to bypass load-balancing
/ ip firewall address-list
add list="WAN-01" address=172.18.1.24/32 comment="" disabled=no
add list="WAN-02" address=172.18.1.76/32 comment="" disabled=no

Apply 'Masquerading'to the traffic leaving the WAN interfaces
/ ip firewall nat
add chain=srcnat action=masquerade out-interface="WAN - 01" src-address-list="Allowed - Internet" comment="Gateway 10.0.1.1/24" disabled=no
add chain=srcnat action=masquerade out-interface="WAN - 02" src-address-list="Allowed - Internet" comment="Gateway 10.0.2.1/24" disabled=no

Clients should be able to browse the internet, however only one internet connection would be used (the current default route in RouterOS)
[edit]
Step 3 - Using RouterOS's Mangle Tool to mark specific traffic

This following is the necessary RouterOS commands to mark particular traffic for a certain route, we are using the same example for traffic types as in the beginning, HTTP, SSL, POP3, SMTP, P2P, and Unknown
/ ip firewall mangle
add chain=prerouting action=mark-routing new-routing-mark="WAN-01" src-address-list="WAN-01" passthrough=no comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="WAN-02" src-address-list="WAN-02" passthrough=no comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="HTTP traffic" passthrough=no dst-port=80 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SSL traffic" passthrough=no dst-port=443 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="POP3 traffic" passthrough=no dst-port=110 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="SMTP traffic" passthrough=no dst-port=25 protocol=tcp comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="P2P traffic" passthrough=no p2p=all-p2p comment="" disabled=no
add chain=prerouting action=mark-routing new-routing-mark="Unknown traffic" passthrough=no comment="" disabled=no

The first two lines provide a method of marking particular clients to bypass the load-balancing and use only a certain internet connection for all of their traffic. The following lines with mark traffic based on the dst-port, notice how we are not passing though, also notice that we are marking all traffic, even if not known, this always for a different internet connection to be specified fot the Unknown and P2P instead of using the router's default route. I also mark P2P separately even though it must go out the same internet connection as Unknown traffic. I do this for a couple of reasons, one is that I could easily stop all traffic by simply disabling a route, and the other is in my RouterOS configuration I use a lot of QoS, it very easy to remember how everything is configured if the QoS mirrors the load-balancing

So now we are marking traffic for their respectives routes, next is to add those actual routes.
[edit]
Step 4 - Using the routing functions of RouterOS to force traffic ou certain internet connections

This following is the necessary RouterOS commands to provide routes for the marked HTTP, SSL, POP3, SMTP, P2P, and Unknown Traffic
/ ip route
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="WAN - 01" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="WAN - 02" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="HTTP traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="SSL traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.2.1 scope=255 target-scope=10 routing-mark="POP3 traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="SMTP traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="P2P traffic" comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=10.0.1.1 scope=255 target-scope=10 routing-mark="Unknown traffic" comment="" disabled=no

The first two lines provide the routes necessary to give the clients that are not being load-balanced via traffic type the correct gateway to the internet. The remaining lines are the routes necessary to provide the appropiate gateway based on traffic type
[edit]
Step 5 - Review what you've created

What did you do: * You intelligently broke up your internet traffic into different types * Your marked that traffic using the Mangle Tool of RouterOS * You created a bypass list to allow certain IP to bypass the Per-Traffic Load-Balancing * You assigned particular routes based on the traffic you marked with Mangle
[edit]
Conclusion

What you have done is very powerful and this tutorial provides just the tip of the iceberg so to say. The traffic types I have listed here are only a small amout of the total and you may want to add many others (ie. DNS, Terminal Services, ICMP, etc). This can be used is a great deal of different ways be it in a small offfice enviroment (separating your email usage from your browsing) or a large wireless ISP (for load-balancing). Some tips and final thougths

1. Think though what you want to achieve before you start 2. Pay attention to the traffic of type on each line (is it incoming intensive or outgoing intensive) 3. Finally experiment, nothing better then finding better, faster, and more intelligent ways to improve your services with a little capital costs