Monday, 23 December 2013
Sunday, 22 December 2013
HOW TO BLOCK HOTSPOT SHIELD IN MIKROTIK SERVER
It's been a long time that people like me were trying to block Hotspot Shield on their networks using a Mikrotik server.
Just copy and paste the following into a New Terminal window.
/ip firewall mangle
# Destinations reached over plain HTTP that do NOT carry the Hotspot Shield
# marker string are collected in WhiteList. Note that no filter rule below
# refers to this list; in this script it is informational only.
add action=add-dst-to-address-list address-list=WhiteList \
    address-list-timeout=4d4h chain=prerouting comment=WhiteList \
    content=!127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
# A client whose HTTP request contains "127.0.0.1:895" is treated as a
# Hotspot Shield user for one hour.
add action=add-src-to-address-list address-list=HotSpotShieldUsers \
    address-list-timeout=1h chain=prerouting comment=HotSpotShieldUsers \
    content=127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
# On port 443 the payload is TLS-encrypted, so the marker string is never
# visible and this rule whitelists practically every HTTPS destination.
add action=add-dst-to-address-list address-list=WhiteList \
    address-list-timeout=4d4h chain=prerouting comment=WhiteList \
    content=!127.0.0.1:895 disabled=no dst-port=443 protocol=tcp

/ip firewall filter
# Drop all forwarded traffic from clients detected as Hotspot Shield users.
add action=drop chain=forward comment="Block HotSpot Shield" disabled=no \
    src-address-list=HotSpotShieldUsers
Friday, 29 November 2013
xbee-arduino
Overview
This is an Arduino library for communicating with XBees in API mode, with support for both Series 1 (802.15.4) and Series 2 (ZB Pro/ZNet). The library includes support for the majority of packet types, including TX/RX, AT Command, Remote AT, I/O Samples and Modem Status.
Note: This software requires API mode with escaping, selected by setting AP=2. If you are using a Series 2 XBee, you'll need to install the API firmware (they ship with AT firmware), then set AP=2. This software will not work correctly with AP=1. Refer to XBeeConfiguration and WhyApiMode for more info.
News
- 10/15/12 Release 0.4 (beta) is available. Paul Stoffregen (Teensy creator) has contributed a patch that allows for using SoftwareSerial for XBee communication! This frees up the Serial port for debug or to use with other hardware. Try it out and report any issues on the Google group page. Important: See SoftwareSerialReleaseNotes as it was necessary to change the API to support this feature.
- 12/21/11 Release 0.3 is now available. This release includes support for Arduino 1.0 along with some bug fixes and a new setSerial function for using alternate serial ports (e.g. Mega). This release is compatible with previous Arduino releases as well.
- 4/3/11 I have created an XBeeUseCases wiki on XBee API that describes several use cases for communicating with XBees.
- 11/14/09 Version 0.2.1 is available. This release contains a bug fix for Remote AT
- 10/26/09 XBee-Arduino 0.2 is now available. This release adds support for AT Command, Remote AT, and I/O sample (series 1 and 2) packets. Along with this release I have created several new examples.
- 8/09/09 I have released Droplet, a wireless LCD display/remote control with support for Twitter, Google Calendar, weather etc. It uses this software to send and receive XBee packets.
- 4/19/09 Release 0.1.2: In this release I added some abbreviated constructors for creating basic Requests and get/set methods to facilitate the reuse of Requests
- 3/29/09 Initial Release
Documentation
API docs
Example
I have created several sketches for sending/receiving packets with Series 1 and 2 XBee radios. You can find these in the examples folder. Here's an example of sending a packet with a Series 2 radio:

// Create an XBee object at the top of your sketch
XBee xbee = XBee();
// Tell XBee to start Serial
xbee.begin(9600);
// Create an array for holding the data you want to send.
uint8_t payload[] = { 'H', 'i' };
// Specify the address of the remote XBee (this is the SH + SL)
XBeeAddress64 addr64 = XBeeAddress64(0x0013a200, 0x403e0f30);
// Create a TX Request
ZBTxRequest zbTx = ZBTxRequest(addr64, payload, sizeof(payload));
// Send your request
xbee.send(zbTx);

See the examples folder for the full source. There are more examples in the download.
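To make concrete what the ZBTxRequest above actually puts on the wire, and why the overview insists on AP=2, here is an added Python example. It is not code from the xbee-arduino library or from this page: it builds the same ZigBee Transmit Request frame (API frame type 0x10) for the address and payload used in the sketch, escapes it the way an AP=2 radio expects, and parses it back with a checksum check. The frame ID of 1, the 16-bit address 0xFFFE and zero broadcast radius/options are assumed defaults for the request; the frame layout, escaping rule and checksum are the documented XBee API format.

```python
"""Build and parse XBee API frames (added example; not code from xbee-arduino).

A frame is: 0x7E start, 2-byte big-endian length, frame data, checksum, where
checksum = 0xFF - (sum(frame data) & 0xFF). In AP=2 (escaped API mode) every
byte after the start delimiter equal to 0x7E, 0x7D, 0x11 or 0x13 is sent as
0x7D followed by the byte XOR 0x20; length and checksum are computed on the
unescaped data. AP=1 sends the same frame unescaped.
"""

START_DELIMITER = 0x7E
ESCAPE = 0x7D
ESCAPED_BYTES = {0x7E, 0x7D, 0x11, 0x13}
ZB_TX_REQUEST = 0x10  # ZigBee Transmit Request (Series 2), what ZBTxRequest sends


def checksum(frame_data: bytes) -> int:
    return 0xFF - (sum(frame_data) & 0xFF)


def escape(data: bytes) -> bytes:
    out = bytearray()
    for b in data:
        if b in ESCAPED_BYTES:
            out += bytes((ESCAPE, b ^ 0x20))
        else:
            out.append(b)
    return bytes(out)


def unescape(data: bytes) -> bytes:
    out = bytearray()
    it = iter(data)
    for b in it:
        out.append(next(it) ^ 0x20 if b == ESCAPE else b)
    return bytes(out)


def zb_tx_request(addr_sh: int, addr_sl: int, payload: bytes,
                  frame_id: int = 1, addr16: int = 0xFFFE) -> bytes:
    """Frame data for a ZigBee Transmit Request. frame_id=1, addr16=0xFFFE
    (16-bit address unknown), broadcast radius 0 and options 0 are assumed
    defaults for the page's ZBTxRequest(addr64, payload, len) call."""
    return (bytes((ZB_TX_REQUEST, frame_id))
            + addr_sh.to_bytes(4, "big") + addr_sl.to_bytes(4, "big")
            + addr16.to_bytes(2, "big") + bytes((0x00, 0x00)) + payload)


def build_frame(frame_data: bytes, ap_mode: int = 2) -> bytes:
    body = len(frame_data).to_bytes(2, "big") + frame_data + bytes((checksum(frame_data),))
    return bytes((START_DELIMITER,)) + (escape(body) if ap_mode == 2 else body)


def parse_frame(raw: bytes, ap_mode: int = 2) -> bytes:
    """Return the frame data, raising ValueError on a malformed frame."""
    if not raw or raw[0] != START_DELIMITER:
        raise ValueError("missing start delimiter")
    body = unescape(raw[1:]) if ap_mode == 2 else raw[1:]
    if len(body) < 3:
        raise ValueError("short frame")
    length = int.from_bytes(body[:2], "big")
    if len(body) < 2 + length + 1:
        raise ValueError("truncated frame")
    frame_data = body[2:2 + length]
    # a frame is valid iff (sum(frame data) + checksum byte) & 0xFF == 0xFF
    if (sum(frame_data) + body[2 + length]) & 0xFF != 0xFF:
        raise ValueError("bad checksum")
    return frame_data


def frame_is_valid(raw: bytes, ap_mode: int = 2) -> bool:
    try:
        parse_frame(raw, ap_mode)
        return True
    except ValueError:
        return False


if __name__ == "__main__":
    # The sketch's example: SH=0x0013a200, SL=0x403e0f30, payload "Hi".
    fd = zb_tx_request(0x0013A200, 0x403E0F30, b"Hi")
    print("AP=2:", build_frame(fd, 2).hex())  # the 0x13 in the address becomes 7d 33
    print("AP=1:", build_frame(fd, 1).hex())
    print("AP=2 frame read by an AP=1 parser valid?", frame_is_valid(build_frame(fd, 2), 1))
```

The address in the sketch contains the byte 0x13, so the AP=2 frame is one byte longer than the AP=1 frame; a receiver that does not unescape reads the wrong bytes and fails the checksum, which is the practical meaning of "will not work correctly with AP=1" in the overview.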
See the XBee API project for Arduino < - > Computer communication.
To add XBee support to a new sketch, add "#include <XBee.h>" (without quotes) to the top of your sketch. You can also add it by selecting the "sketch" menu, and choosing "Import Library->XBee".
Learning/Books
If you want to learn more about Arduino and XBee, check out these books:
- Wireless Sensor Networks: with ZigBee, XBee, Arduino, and Processing (Available in Kindle)
- Programming Arduino Getting Started with Sketches
- Making Things Talk
- Getting Started with Arduino (Make: Projects) (Available in Kindle)
- Arduino Cookbook (Oreilly Cookbooks) (Available in Kindle)
Hardware
I highly recommend using an Arduino that has 2 serial ports, such as the Arduino Leonardo. The reason is that the XBee requires one serial port and it's useful to have another serial port available for debugging. The Arduino Leonardo actually has one hardware serial port and one virtual (USB) serial port. The hardware serial port is for use with the XBee (Serial1) and the virtual serial port (Serial) may be used to send debug info to the console. The Arduino Mega is another popular choice as it has 4 hardware serial ports, along with additional memory and I/O. Both boards are compatible with XBee Shields. The Teensy board, by PJRC, may be a good choice for some advanced users. It is not 100% Arduino compatible but PJRC provides a plugin for the Arduino IDE. They also sell an XBee Adapter to interface an XBee with the Teensy (requires soldering).
- Arduino Leonardo (recommended)
- Arduino UNO R3 (note: only has one serial port)
- Arduino Mega 2560
The Arduino XBee Shield is the best choice for connecting the XBee to an Arduino
You can find XBee Shields on ebay, often for less, but keep in mind delivery may be slow when shipped from China. I don't recommend the SparkFun XBee Shield since it requires soldering headers (not included) to connect to an Arduino board
An XBee Explorer is highly recommended for updating firmware and configuring the radio. This is also useful for interfacing an XBee with a computer. If you are using Series 2 radios you'll need an XBee Explorer to upload API firmware to the radio (they ship with AT firmware).
See the xbee-api Hardware wiki for more parts links.
For interfacing with Arduino clones that are not shield compatible, such as Modern Device's http://shop.moderndevice.com/products/rbbb-kit, you will need 3.3V power and logic shifter or voltage divider to convert Arduino's 5V to an XBee safe 3.3V.
Installation
Arduino 16 (or earlier):
Download the zip file, extract it and copy the XBee folder to ARDUINO_HOME/hardware/libraries. If you are upgrading from a previous version, be sure to delete XBee.o.
Arduino 17 (or later):
Determine the location of your sketchbook by selecting "preferences" on the Arduino menu. Create a "libraries" folder in your sketchbook and unzip the download there. See this for more information.
Uploading Sketches
The Arduino has only one serial port, which must be connected to USB (FTDI) for uploading sketches and to the XBee for running sketches. The Arduino XBee Shield provides a set of jumpers to direct serial communication to either the USB (Arduino IDE) or the XBee. When using the XBee Shield you will need to place both jumpers in the USB position prior to uploading your sketch. Then, after a successful upload, place the jumpers in the "XBEE" position to run your sketch. Always remember to power off the Arduino before moving the jumpers.
Configuration
To use this library your XBee must be configured in API mode (AP=2). Take a look at this for information on configuring your radios to form a network.
Other Micros
Not using Arduino? It should be easy to port this library to any microcontroller that supports C++ and serial available/read/write/flush. The only other dependency is the millis() function for milliseconds.
Support
Please report any bugs on the Issue Tracker.
Questions/Feedback
Questions about this project should be posted to http://groups.google.com/group/xbee-api?pli=1 Be sure to provide as much detail as possible (e.g. which radios, S1 or S2, firmware versions, configuration and code).
Consulting/Commercial Licenses
I'm available for consulting to assist businesses or entrepreneurs that need help getting their projects up and running. I can also provide a commercial license for situations where you need to distribute code to clients/third parties that would otherwise conflict with the GPL. For these matters I can be contacted at andrew.rapp [at] gmail.
Sunday, 24 November 2013
Mikrotik DUAL WAN Load Balancing using PCC method. Complete Script ! by zaiB
Following is a complete script for Mikrotik to combine/load balance two DSL lines. In this example I used a Mikrotik RB750 5-port router.
2 ports were connected to two different DSL routers,
and the 3rd port was connected to the user LAN.
Both DSL lines are of the same speed, i.e. 10Mb each.
DSL MODEM IP'S
DSL MODEM 1 = 192.168.1.1
DSL MODEM 2 = 192.168.2.1
Also don't forget to rename the interface names accordingly.
In my personal experience, if user requests are directly hitting the Mikrotik configured with PCC, then you will get good load balancing. Use src-address as the classifier; this way you will get rid of problems like https/broken links, streaming issues etc. Load balancing using this PCC technique (src-address) will be an effective and balanced approach as more and more connections (from clients) occur. I also recommend using a SQUID proxy server along with Mikrotik, either parallel or in front or backend, for better response time; it will also give a better browsing experience to users.
If somehow you are not satisfied with the src-address approach, play with the PCC classifier, then try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, there is also a good chance that it will break certain things like banking web sites and some forums. This is because often an HTTP request will generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with src-address for PCC load balancing.
Regards,
Syed Jahanzaib
All done! Now test the link by putting user load on it;
the more users you put on it, the better the load balance result you will get.
Code:
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2

/ip dns
# allow-remote-requests=yes makes the router answer DNS for anyone who can reach it.
# Drop UDP/TCP 53 on the WAN interfaces in the input chain, or the router becomes an open resolver.
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8

/ip firewall mangle
# Connections that arrive on a WAN must be answered through the same WAN.
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
# Traffic from the LAN to the modems themselves is not load balanced.
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
# PCC: hash the classifier fields, divide by 2, remainder 0 -> WAN1, 1 -> WAN2.
# To follow the src-address recommendation above, use per-connection-classifier=src-address:2/0 and src-address:2/1 instead.
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
# Unmarked traffic and failover: WAN1 preferred, WAN2 if WAN1's gateway stops answering pings.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
PCC WITH UN-EQUAL WAN LINKS
If you have unequal WAN links, for example WAN1 is 4Mb and WAN2 is 8Mb, and you want to force the Mikrotik to use the WAN2 link more than the other because of its capacity, then you have to add more PCC rules, assigning two of the remainders to the bigger link, i.e. WAN2. The denominator must be 3 for this (a classifier of 2/2 can never match, since dividing by 2 only ever leaves remainder 0 or 1), something like:
Code:
add chain=prerouting dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses-and-ports:3/0 \
    action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses-and-ports:3/1 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local \
    per-connection-classifier=both-addresses-and-ports:3/2 \
    action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
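The following Python is an added example, not the author's RouterOS script, that simulates how PCC places connections so the effect of the classifier choice and of the unequal-link weighting can be seen before touching a live router. RouterOS hashes the chosen fields, divides by the denominator and routes by the remainder; the real hash function is not published, so SHA-256 stands in for it here (that changes which bucket a given connection lands in, not the property being shown). The client and destination addresses are constructed sample data.

```python
"""PCC classification simulated in Python (added example, not the page's
RouterOS script). RouterOS hashes the classifier fields, divides by the
denominator and matches on the remainder. SHA-256 stands in for the
unpublished RouterOS hash; what matters is which connections share a link.
"""
import hashlib
from collections import Counter, namedtuple

Conn = namedtuple("Conn", "src_addr src_port dst_addr dst_port")

CLASSIFIER_FIELDS = {
    "src-address": ("src_addr",),
    "both-addresses": ("src_addr", "dst_addr"),
    "both-addresses-and-ports": ("src_addr", "src_port", "dst_addr", "dst_port"),
}


def pcc_remainder(conn: Conn, classifier: str, denominator: int) -> int:
    key = "|".join(str(getattr(conn, f)) for f in CLASSIFIER_FIELDS[classifier])
    h = int.from_bytes(hashlib.sha256(key.encode()).digest()[:4], "big")
    return h % denominator


def choose_link(conn: Conn, classifier: str, rules: dict) -> str:
    """rules maps (denominator, remainder) -> link, in mangle-rule order;
    the first matching rule marks the connection."""
    for (denominator, remainder), link in rules.items():
        if pcc_remainder(conn, classifier, denominator) == remainder:
            return link
    raise ValueError("no PCC rule matched: remainders must cover 0..denominator-1")


# The two-link script: 2/0 -> WAN1, 2/1 -> WAN2
EQUAL_LINKS = {(2, 0): "WAN1", (2, 1): "WAN2"}
# The unequal-link variant: two of three remainders go to the bigger WAN2
UNEQUAL_LINKS = {(3, 0): "WAN1", (3, 1): "WAN2", (3, 2): "WAN2"}


def client_session(src_addr: str, n_conns: int = 8,
                   dst_addr: str = "203.0.113.10", dst_port: int = 443):
    """Constructed sample: one browser opening several HTTPS connections to
    the same site, as a banking-site page load does."""
    return [Conn(src_addr, 40000 + i, dst_addr, dst_port) for i in range(n_conns)]


def links_used(conns, classifier: str, rules: dict) -> Counter:
    """How many of the given connections end up on each link."""
    return Counter(choose_link(c, classifier, rules) for c in conns)


if __name__ == "__main__":
    session = client_session("192.168.0.5")
    # src-address: the whole session stays on one WAN, so the site sees one public IP
    print("src-address:", links_used(session, "src-address", EQUAL_LINKS))
    # both-addresses-and-ports: the same session is split across WANs (two public IPs)
    print("both-addresses-and-ports:", links_used(session, "both-addresses-and-ports", EQUAL_LINKS))
    lan = [c for i in range(1, 51) for c in client_session(f"192.168.0.{i}", 16)]
    print("unequal links, 800 connections:", links_used(lan, "both-addresses-and-ports", UNEQUAL_LINKS))
```

With src-address the site only ever sees one public address per client, which is why the author prefers it; with both-addresses-and-ports the same page load leaves through both modems, and a site that ties the session to the source address breaks. The 3/0, 3/1, 3/2 set sends roughly two thirds of new connections to WAN2, which is the 2:1 ratio of an 8Mb and a 4Mb link.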
PCC WITH HOTSPOT (Reference)
/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth
٩(●̮̮̃•̃)۶ ZaiB ٩(●̮̮̃•̃)۶
Mikrotik PPPoE Server with User Manager Pre Paid Billing System !
~!~ Article by Syed Jahanzaib ~!~
This guide will illustrate how to create a PPPoE server in MIKROTIK RouterOS (I used v5.6 in this example). This article will also demonstrate how you can create your own automated pre-paid billing solution for users using Mikrotik's User Manager. This basic RADIUS server, a.k.a. USERMAN, can be used for any ppp service like VPN/PPPoE/HOTSPOT.
My Note: I must state that the USERMAN solution is not a reliable one; you can't rely on it on a large/production server. But after all it's a free package that comes along with the Mikrotik, so don't expect much from it; IMO it's suitable for SOHO. If you want real ISP-related features, better to use a 3rd-party RADIUS server like DMASOFTLAB, which is a feature-rich RADIUS built to perform.
It will also show you how to create a 30-day limited account with a 256Kbps speed limit.
We will divide this article into two sections.
1) PPPoE Server (Basic Settings)
2) User Manager Billing Setup
In this example the Mikrotik has two LAN cards.
1) ether1 = ip 10.0.0.1 / LAN interface hosting the PPPoE server
2) ether2 = ip 192.168.0.1 / WAN interface connected to DSL / Fiber etc.
(Configure the interfaces according to your environment; in the images the IP series is 192.168.2.1, don't get confused by it, you can adjust it accordingly.)
PPPoE SERVER SETUP
First we will add the PPPoE server using the CLI (command line interface). Note that authentication=pap sends the user's password in clear text over the PPPoE link, so the access network between client and router should be a trusted one.

/interface pppoe-server server add authentication=pap default-profile=default disabled=no interface=ether1 \
    keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable

/ip pool add name=pppoe-users-pool ranges=172.16.0.1-172.16.0.254

/ppp profile add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-profile \
    only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default

Add the following rule to allow internet access.

/ip firewall nat add action=masquerade chain=srcnat disabled=no src-address=172.16.0.1-172.16.0.255

(In the above masquerading rule I have added src-address for the 172.16.0.x IP pool, so that ONLY PPPoE-connected users' internet will work.)

Add a DNS server so users can resolve internet hostnames.

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8

Add a test user as a local PPP secret (later the same user will be created in User Manager instead).

/ppp secret add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes="" service=pppoe
If all goes fine, you will start surfing the internet smoothly.
Now we will move to the Mikrotik billing system using its built-in RADIUS called USER MANAGER.
MIKROTIK USER MANAGER WITH BILLING SETUP
We can set up a RADIUS server in Mikrotik using its built-in RADIUS server called User Manager. UM is a nice web-based billing manager package to complement hotspot / pppoe / vpn authentication in RouterOS. It is a RADIUS-based component, so it can provide centralised management for a single or multiple RouterOS-based NASes.
Now we will first configure User Manager and then later integrate it with our PPPoE server so all authentication will be done via UM.
Open your web browser and point it to http://10.0.0.1/userman
You will see the User Manager authentication screen. Now enter the admin id and password and you will be forwarded to the main UM screen like this.
Note: If the default admin password doesn't work, change the password with the following command
/tool user-manager customer set admin password=PASSWORD
OR, to list the existing customer (admin) accounts:
/tool user-manager customer print
Now click on Profiles; in the right window, click on the + sign (beside profile).
For test purposes, we will add one profile with a 256Kbps speed limit and a 30-day uptime limit. You can add as many packages as per your requirements later, once you understand how things work here.
Now we want to add the 256Kb / 30-day limit package. Name it 256k.
* in 'Name for users' type '256k'
* in 'Validity', type '4w2d' (4 weeks + 2 days = 30 days, i.e. 1 month validity)
* in 'Starts', select 'At First Logon' (the user's time will start when the user first logs in)
* in 'Price' enter the amount at which you sell this package to users, e.g. 400
* in 'Shared Users' select '1' (so a single ID cannot be used from multiple computers simultaneously)
Now save the profile. (See attached screenshot)
Now we want to add a bandwidth limitation to this profile. Go to 'Limitations' and click on ADD.
A new window will appear.
* in 'Name' type '256k'
* in 'Rate Limit' enter '128k' in RX and '256k' in TX (RX/TX are from the router's point of view: RX is the user's upload, TX the user's download)
Now click on SAVE. (See attached screenshot)
Now go back to the Profiles section. Here you will see your created 256k profile; click on 'Add New Limitation', then click on '256k Limit' and click the 'ADD' button. (See attached screenshot)
Done, your first package with a 256k limit and 30-day uptime limit is created. Now we will add a new user and tag them with this new 256k profile.
Go to Users, and click on ADD / One (to add a single user).
* in 'Username' type 'zaib'
* in 'Password' type '1234'
* in 'Constraints' check 'Caller ID' Bind on first use. This option is good if you want to bind the user id to the first detected MAC address; if you don't want to bind, leave this option as it is.
* in 'Assign profile' select the '256k' profile and click on the ADD button to finish.
(See attached screenshot)
Now that we have finished our basic work with UM, it's time to integrate it with Mikrotik, so that all Mikrotik PPPoE authentication will be done via UM.
We have to modify some settings, both on UM and on Mikrotik.
In UM we have to add the Mikrotik router.
* In UM, go to Routers, ADD, NEW, name it Mikrotik
* in 'IP Address' type your server IP address, 10.0.0.1
* in 'Shared Secret' type '1234' (fine for this lab; in production use a long random secret, since this value is all that protects the RADIUS exchange between router and User Manager)
Now click ADD to finish. (See attached screenshot) (In the image the IP address shows 192.168.2.1, don't get confused; use your own IP address class here.)
UM section is complete, now moving on to MIKROTIK to complete the RADIUS setup.
ADDING RADIUS SUPPORT IN MIKROTIK
Open the Mikrotik terminal and type:

/ppp aaa set accounting=yes interim-update=0s use-radius=yes
# secret must match the Shared Secret entered for this router in User Manager
/radius add accounting-backup=no accounting-port=1813 address=10.0.0.1 authentication-port=1812 \
    called-id="" disabled=no domain="" realm="" secret=1234 service=ppp,hotspot timeout=300ms
# accept Disconnect/CoA requests from the RADIUS server on UDP 3799
/radius incoming set accept=yes port=3799
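The shared secret is the only thing protecting the PAP password between the router and User Manager. RFC 2865 hides User-Password by XORing it with MD5(secret + Request-Authenticator), so anyone who can read the Access-Request (on a remote USERMAN this crosses the network) and who knows one user's password, for instance their own, can test secret guesses offline. The following Python is an added example, not part of the page's, RouterOS's or User Manager's code; the candidate wordlist and the authenticator are constructed for the demonstration.

```python
"""RFC 2865 User-Password hiding, and why a weak RADIUS secret matters
(added example; not RouterOS or User Manager code).

An Access-Request hides a PAP password as P1 xor MD5(secret || authenticator)
for the first 16-byte block and P_i xor MD5(secret || C_{i-1}) for later
blocks. Given one captured request and one known user password, the shared
secret can be tested against a wordlist offline.
"""
import hashlib
import os
from typing import Iterable, Optional


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the NAS (the router) puts in the User-Password attribute."""
    if len(authenticator) != 16:
        raise ValueError("Request-Authenticator must be 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to a 16-byte multiple
    out = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        block = _xor(padded[i:i + 16], hashlib.md5(secret + prev).digest())
        out += block
        prev = block
    return bytes(out)


def reveal_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """What the RADIUS server recovers (or an eavesdropper with the secret)."""
    out = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        out += _xor(hidden[i:i + 16], hashlib.md5(secret + prev).digest())
        prev = hidden[i:i + 16]
    # strip the NUL padding (passwords ending in NUL bytes are not handled)
    return bytes(out).rstrip(b"\x00")


def recover_shared_secret(hidden: bytes, authenticator: bytes,
                          known_password: bytes, candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline dictionary attack on the shared secret using one known password."""
    for secret in candidates:
        if reveal_user_password(hidden, secret, authenticator) == known_password:
            return secret
    return None


# constructed tiny wordlist for the demonstration
CANDIDATE_SECRETS = [b"secret", b"mikrotik", b"radius", b"1234", b"password"]


if __name__ == "__main__":
    authenticator = os.urandom(16)  # the router picks a fresh random one per request
    # user zaib / password 1234 with shared secret 1234, as configured in the guide
    hidden = hide_user_password(b"1234", b"1234", authenticator)
    print("User-Password attribute on the wire:", hidden.hex())
    print("secret recovered from one request:",
          recover_shared_secret(hidden, authenticator, b"1234", CANDIDATE_SECRETS))
```

Each candidate costs one MD5, so a dictionary of millions of secrets is tested in seconds; a long random shared secret is what makes this search infeasible, which is why '1234' should not leave the lab.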
! COMPLETED !
Now from the client end, connect with the user id 'zaib' and password '1234' that you created via UM.
It should connect fine. After the first connect, this ID will expire in 30 days and the bandwidth limit will be 256kb download and 128kb upload.
How to create a PPPoE dialer: http://www.petri.co.il/configure_a_pppoe_dialer_in_windows_xp.htm
To view status / change password etc. from the client side, point the browser to the User Manager user page on your router (the exact address depends on your IP series).
If you need any assistance, do let me know.
Regards,
Naveed Ahmad
Mikrotik Firewall / Short Notes
Sometimes, in MT logs, you will see that some IPs from WAN/LAN try to log in to your MT box using SSH, Winbox etc. To secure your router, the best solution would be to come up with a list of networks that should be allowed to access the router administratively, and block everything else. The following code might help you in this situation.
Connection rate limiting: the rate-limit rules of the full script (not reproduced on this page) allow 5 packets per second with a burst of 10, specifically for new connections. A mangle rule puts an address on a list when it exceeds that limit. That way legitimate use isn't blocked, but something like a virus or worm sending out mass amounts of connections is detected and stopped. It's a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs that need to clean up their PC.
You can also disable network neighbor discovery on the interface to which your network users are connected, so the router does not announce itself to the user LAN.
Personal recommendation:
Always disable unnecessary services like FTP / SSH / TELNET etc., or, if it is necessary to enable a service, at least limit its access to specific PCs only.
Allow only WINBOX.
If you run a PPTP VPN server on the router, TCP port 1723 is the control connection, while the actual tunnel is GRE (IP protocol 47); both have to be accepted in the input chain.
Make sure these rules are above any general DENY rule.
Howto Block Torrent / P2P
Blocking 100% of torrent traffic is impossible, as nowadays new torrent applications are using encryption and it is nearly impossible to inspect the SSL traffic. Forefront TMG 2010, which I used, is capable of inspecting SSL traffic to some extent.
However you can block basic torrent access by using the following.
(Modified for easy copy pasting, as we all love copy pasting, don't we? :p)
Naveed Ahmad
[Most rules are copied from Mikrotik Wiki's articles]
The following rules create an address list containing your management PC's IP address, and then allow ports like WINBOX, FTP, SSH, TELNET from this address list only; the rest of the IPs won't be able to access these ports.

/ip firewall address-list
# 10.10.0.1/24 is a whole /24: every host in 10.10.0.0/24 becomes a management
# address. Use a /32 if only one PC should be able to manage the router.
add list=management-servers address=10.10.0.1/24

/ip firewall filter
# FTP, SSH, Telnet, HTTP, HTTPS and Winbox from the management list only.
# If the API service is enabled, add 8728,8729 to both rules as well.
add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
It is strongly advised to DISABLE all unnecessary services on the MikroTik router, especially SSH/FTP, which are heavily used for brute-force attacks.
This reduces the attack surface of your router: the fewer services there are to attack, the less likely your router is to be compromised or overloaded.
Remotely accessible router services should be limited to a few addresses.
This is a simple and very effective way of controlling who can attempt to access the MikroTik router. Check from which addresses or networks the MikroTik router will be administered, then create firewall rules that only allow access to the router services from the management networks.
Deny all unwanted inbound traffic and allow only related traffic (***The best approach***)
By restricting inbound traffic to the router, you can prevent the accidental opening up of services on the router. Also, by restricting all types of services except for the services you know about and want, you prevent any services (that you may not be aware of) from being accessible remotely on the MikroTik router.
HOWTO PREVENT VIRUS / PORTS FLOODING ?
A basic Mikrotik firewall script to secure the MT box from viruses and flooding. First copy all contents of the script below to Notepad, then carefully read it and add/remove any unnecessary rules. Also some rules are commented out; modify them as per your requirements.
##########################################################################
#### Remove HASH # sign if you want to apply the required rule           #
#### Syed Jahanzaib / aacable@hotmail.com / http://aacabel.wordpress.com #
##########################################################################
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
# NOTE: this accepts ALL UDP to the router itself (DNS, SNMP, RADIUS CoA ...) from any
# interface and bypasses the management-list restriction above for UDP services.
# Restrict it to the ports and interfaces you actually need.
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre

#### TO BLOCK DNS ATTACK on WAN INTERFACE (ether1 is the WAN interface here)
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 comment="WAN INTERFACE"
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 comment="WAN INTERFACE"

#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 comment="WAN INTERFACE"

#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP traffic saves you from many headaches
#add action=drop chain=input comment="DROP PING REPLY" disabled=no protocol=icmp src-address=!10.10.0.4

#### TO BLOCK TRACEROUTE TRAFFIC
#/ip firewall filter
#add action=drop chain=forward comment="Drop Traceroute" disabled=no icmp-options=11:0 protocol=icmp
#add action=drop chain=forward comment="" disabled=no icmp-options=3:3 protocol=icmp
#add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=icmp

#### TO BLOCK COMMON VIRUS PORTS (the forward chain jumps into this custom chain below)
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

#Drop port scanners: psd=21,3s,3,1 flags a source that touches enough distinct ports within 3 s
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list" disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no

#Bruteforce login prevention (FTP): the router's own "530 Login incorrect" replies are counted per destination;
#more than 10 of them in a minute puts the remote address on ftp_blacklist for 3 hours
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h

#This will cause an SSH brute forcer to be banned for 10 days after repeated attempts.
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list
address-list=ssh_blacklist address-list-timeout=10d comment=""
disabled=no add
chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage2 action=add-src-to-address-list
address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no add
chain=input protocol=tcp dst-port=22 connection-state=new
src-address-list=ssh_stage1 action=add-src-to-address-list
address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no add
chain=input protocol=tcp dst-port=22 connection-state=new
action=add-src-to-address-list address-list=ssh_stage1
address-list-timeout=1m comment="" disabled=no #If you want to block downstream access as well, you need to block the with the forward chain: add
chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist
action=drop comment="drop ssh brute downstream" disabled=no |
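The staged ssh_stage1 -> ssh_stage2 -> ssh_stage3 -> ssh_blacklist escalation above, as an added simulation (not code from the page) with the rules' own timeouts; it assumes add-src-to-address-list is non-terminating, so every matching rule fires and one new connection advances one stage, and the source address is a constructed one.

```python
"""Model of the staged SSH brute-force rules: ssh_stage1 (1m) -> ssh_stage2 (10m)
-> ssh_stage3 (10m) -> ssh_blacklist (10d). Added example, not code from the page.
Assumes add-src-to-address-list is non-terminating, so every input-chain rule that
matches a new TCP/22 connection fires, and one connection advances one stage."""
from collections import defaultdict

MINUTE, DAY = 60, 86400

class AddressLists:
    """Named address lists with per-entry expiry, like /ip firewall address-list."""
    def __init__(self):
        self._lists = defaultdict(dict)            # name -> {address: expires_at}

    def add(self, name, address, timeout, now):
        self._lists[name][address] = now + timeout  # re-adding refreshes the timeout

    def contains(self, name, address, now):
        expires = self._lists[name].get(address)
        return expires is not None and now < expires

def new_ssh_connection(lists, src, now):
    """Run one new TCP/22 connection through the input chain; returns 'drop' or 'accept'."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"                               # rule: drop ssh brute forcers
    if lists.contains("ssh_stage3", src, now):      # 4th attempt inside the windows
        lists.add("ssh_blacklist", src, 10 * DAY, now)
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, 10 * MINUTE, now)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, 10 * MINUTE, now)
    lists.add("ssh_stage1", src, 1 * MINUTE, now)   # unconditional last rule
    return "accept"                                 # the script drops only blacklisted sources

def simulate(attempt_times, src="198.51.100.7"):
    """Verdict for each new connection from one constructed source, in time order (seconds)."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t in attempt_times]

# Constructed scenarios: a fast brute-forcer (banned on the 4th attempt, dropped from
# the 5th, free again after the 10-day timeout) and an admin who retries slowly.
BRUTE_FORCE = [0, 10, 20, 30, 40, 5 * DAY, 11 * DAY]
SLOW_RETRIES = [0, 90, 180, 270, 360]
```

Retries spaced more than a minute apart never leave ssh_stage1, so an operator mistyping a password occasionally is not banned; four new connections inside the 1m/10m/10m windows are.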
A BETTER APPROACH ON BLOCKING PORTS !

/ip firewall mangle
# limit=5,10 matches new connections only while they stay within 5/s (burst 10), so
# accept those here; anything beyond the limit falls through to the listing rule below.
# (accept ends mangle processing for that packet only; keep these two rules after any
# connection/routing-mark rules that also need to see TCP/445 traffic)
add action=accept chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 protocol=tcp
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
The above rules allow 5 new connections per second with a burst of 10. The mangle rule puts an address on the list when it exceeds that limit, so legitimate use isn't blocked, while something like a virus or worm sending out mass amounts of connections is detected and stopped. It is a much more elegant solution than blocking a bunch of ports for all users, and it also gives you a list of user IPs whose PCs need cleaning.
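A token-bucket model of the limit=5,10 matcher used above, run over constructed TCP/445 connection timestamps; this is an added example, not the page's code, and it assumes RouterOS implements limit as a standard token bucket. Since a limit matcher counts across every host hitting the rule, the model can also give each source its own bucket for comparison.

```python
"""Token-bucket model of RouterOS 'limit=rate,burst' (here 5 new TCP/445 connections
per second, burst 10). Added example, not code from the page; RouterOS's internal
arithmetic is assumed to be a standard token bucket."""

class TokenBucket:
    """Up to `burst` tokens, refilled at `rate` per second. Times are milliseconds and
    tokens are scaled by 1000 so all arithmetic is exact integer arithmetic."""
    SCALE = 1000

    def __init__(self, rate, burst):
        self.rate = rate                  # tokens/s, i.e. milli-tokens per millisecond
        self.cap = burst * self.SCALE
        self.tokens = self.cap
        self.last_ms = 0

    def within_limit(self, now_ms):
        """True while the connection fits the limit (the matcher matches), else False."""
        self.tokens = min(self.cap, self.tokens + (now_ms - self.last_ms) * self.rate)
        self.last_ms = now_ms
        if self.tokens >= self.SCALE:
            self.tokens -= self.SCALE
            return True
        return False

def detect_worm(conns, per_source, rate=5, burst=10):
    """conns: (time_ms, src) new TCP/445 connections. Returns {src: ms when first listed}.
    per_source=False is the page's single bucket shared by all hosts (what 'limit' does);
    True gives each host its own bucket, which is what per-host detection needs."""
    buckets, listed = {}, {}
    for t, src in sorted(conns):
        key = src if per_source else "shared"
        bucket = buckets.setdefault(key, TokenBucket(rate, burst))
        if not bucket.within_limit(t) and src not in listed:
            listed[src] = t               # would be added to Worm-Infected-p445 here
    return listed

# Constructed traffic: a file-server user opening one SMB connection every 300 ms
# (well under 5/s) and an infected host firing 100 connection attempts at t=5000 ms.
LEGIT_HOST, WORM_HOST = "192.0.2.10", "192.0.2.66"
SAMPLE_CONNS = [(t, LEGIT_HOST) for t in range(0, 10000, 300)]
SAMPLE_CONNS += [(5000, WORM_HOST)] * 100
```

With the single shared bucket the legitimate host is listed too, because its next connection arrives after the worm has drained the bucket; per-host accounting lists only the infected host, so check the list for collateral entries before acting on it.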
Mikrotik How to block Winbox Discovery + Limit Winbox Access
To hide your Mikrotik from appearing in the Winbox neighbour scan list, and to limit Winbox access to your admin PC only, use the following.
/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6
You can also disable network neighbor discovery on the interface to which your network users are connected.
Example:
/ip neighbor discovery set ether1 discover=no
Always disable unnecessary services like FTP / SSH / Telnet, or if it is necessary to enable a service, at least limit its access to specific PCs only.
Allow only Winbox.
How-to Allow VPN (PPTP) Connections for Mikrotik VPN Server
PPTP uses the GRE protocol, so you have to allow IP protocol 47 (GRE), not just a TCP port. TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).
Example:
/ip firewall filter
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre
Howto Block Torrent / P2P
Blocking 100% of torrent traffic is impossible, as torrent applications nowadays use encryption and it is nearly impossible to inspect the SSL traffic. I used Forefront TMG 2010, which is capable of inspecting SSL traffic to some extent. However, you can block basic torrent access by using the following.
(Modified for easy copy-pasting, as we all love copy-pasting, don't we? :p)
W A i T
Naveed ahmad
Mikrotik 4 WAN Load Balancing using PCC with PPPoE Server / Complete Script !
Following is a complete script for Mikrotik to combine/load balance 4 DSL lines. This server is also acting as a PPPoE server, therefore I have made some modifications to the PCC script.
For normal LB, read my article at http://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-pcc-complete-script-by-zaib/
In this example I used a Mikrotik RB750 5-port router. 4 ports were connected to four DSL routers, and the 5th port was connected to the user LAN. Don't forget to rename the interfaces accordingly. This script will also add a PPPoE server, one PPPoE user, a DHCP server, a DNS server and PCC.
In my personal experience, if user requests are directly hitting a Mikrotik configured with PCC, you will get good load balancing. Use src-address as the classifier; this way you get rid of problems like broken HTTPS links, streaming issues, etc. Load balancing with this PCC technique (src-address) becomes effective and balanced as more and more connections (from clients) occur. I also recommend using a SQUID proxy server along with Mikrotik, either in parallel, in front or at the backend, for better response time; it will also give users a better browsing experience.
If somehow you are not satisfied with the src-address approach, play with the PCC classifier and try both addresses and ports as the classifier. While this randomizes things the most and in theory gives you the fairest allocation of bandwidth, there is also a good chance that it will break certain things like banking web sites and some forums. This is because an HTTP request will often generate several connections, so some of them may go out a different route than the initial one, and that breaks secure web sites. For that reason I usually stick with src-address for PCC load balancing.
Regards,
Syed Jahanzaib
x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-
/ip address
add address=172.16.0.1/16 broadcast=172.16.255.255 comment="" disabled=no interface=Local network=172.16.0.0
add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0
add address=192.168.3.2/24 broadcast=192.168.3.255 comment="" disabled=no interface=WAN3 network=192.168.3.0
add address=192.168.4.2/24 broadcast=192.168.4.255 comment="" disabled=no interface=WAN4 network=192.168.4.0
/ip pool
add name=dhcp_pool1 ranges=172.16.0.70-172.16.0.254
add name=pppoe-users-pool ranges=10.0.0.1-10.0.0.255
/ip dhcp-server
add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=12h name="My DHCP Server"
/ip dhcp-server config
set store-leases-disk=5m
/ip dhcp-server network
add address=172.16.0.0/16 comment="" dns-server=172.16.0.1,221.132.112.8
/interface pppoe-server server
add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable
/ppp profile
add change-tcp-mss=default dns-server=172.16.0.1 local-address=172.16.0.1 name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes="" service=pppoe
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=221.132.112.8,221.132.112.9
/ip firewall mangle
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
add action=mark-connection chain=input comment="" disabled=no in-interface=WAN4 new-connection-mark=WAN4_conn passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
add action=mark-routing chain=output comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.3.0/24
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.4.0/24
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2 src-address=10.0.0.1-10.0.0.255
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3 src-address=10.0.0.1-10.0.0.255
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
add action=mark-routing chain=prerouting comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes
/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1 src-address=10.0.0.1-10.0.0.255
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2 src-address=10.0.0.1-10.0.0.255
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN3 src-address=10.0.0.1-10.0.0.255
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN4 src-address=10.0.0.1-10.0.0.255
/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=30 target-scope=10
add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 scope=30 target-scope=10
PCC WITH HOTSPOT
If you want to run PCC with Hotspot on the same Mikrotik server, put this rule in place to stop the hotspot from processing users after they have signed into the network.
/ip firewall nat
add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth
PCC WITH UN-EQUAL WAN LINKS
If you have unequal WAN links, for example WAN1, 2 and 3 are 4 Mb and WAN4 is 8 Mb, and you want to force MT to use the WAN4 link more than the others because of its capacity, then you have to add more PCC rules assigning two of the marks to that specific link, i.e. WAN4, something like:
# Five shares need denominator 5 (remainders 0-4); WAN4 takes remainders 3 and 4.
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:5/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
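As an added example for the classifier discussion in the PCC article above and for the unequal-link rules just shown (not the page's or MikroTik's code): a model of per-connection-classifier that uses SHA-1 in place of RouterOS's unpublished hash, which is enough to show why src-address keeps a client's HTTPS session on one WAN while both-addresses-and-ports spreads it, and how a two-of-five remainder mapping favours WAN4. Addresses and ports are constructed sample data.

```python
"""Model of RouterOS per-connection-classifier (PCC). Added example, not the page's
code: RouterOS hashes the selected header fields and takes the remainder modulo the
denominator; its exact hash is not public, so SHA-1 stands in here, which is enough to
show how the choice of classifier behaves."""
import hashlib
from collections import Counter

def pcc_remainder(conn, classifier, denominator):
    """Remainder (0..denominator-1) a connection hashes to under the given classifier."""
    src, sport, dst, dport = conn
    fields = {
        "src-address": (src,),
        "both-addresses": (src, dst),
        "both-addresses-and-ports": (src, sport, dst, dport),
    }[classifier]
    digest = hashlib.sha1("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest[:4], "big") % denominator

def wans_used(conns, classifier, denominator=4):
    """Set of WAN links (remainders 0..3 = WAN1..WAN4) a group of connections leaves by."""
    return {pcc_remainder(c, classifier, denominator) for c in conns}

def wan_share(conns, remainder_to_wan):
    """Connections per WAN under a remainder->link mapping such as the unequal-link rules."""
    denominator = len(remainder_to_wan)
    return Counter(remainder_to_wan[pcc_remainder(c, "both-addresses-and-ports", denominator)]
                   for c in conns)

# Constructed sample: one PPPoE client loading a banking site over HTTPS, which opens
# 16 connections from fresh source ports; the article's concern is that these can be
# routed out of different WANs and so break the session.
CLIENT, BANK = "10.0.0.5", "203.0.113.20"
BANK_SESSION = [(CLIENT, 49152 + i, BANK, 443) for i in range(16)]

# Constructed sample: 2000 web connections from 200 clients to 50 servers.
MANY_CONNS = [(f"10.0.0.{1 + i % 200}", 40000 + i, f"203.0.113.{1 + i % 50}", 80)
              for i in range(2000)]

# The two-of-five split for WAN4: denominator 5, remainders 3 and 4 both go to WAN4.
UNEQUAL = {0: "WAN1", 1: "WAN2", 2: "WAN3", 3: "WAN4", 4: "WAN4"}
```

With src-address every connection of the client stays on one WAN; with both-addresses-and-ports the 16 connections of one page load are spread over several links, which is the breakage the article warns about.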