Subscribe For Free Updates!

We'll not spam mate! We promise.

Monday 23 December 2013

Earn Money From Linkbucks Just Share Link And earn money online

Earn Money from linkbucks.com you can earn money online just signup linkbucks account and share link ean money much this is best way to ean money online at home
click on link blow creat an account let start now


Sunday 22 December 2013

HOW TO BLOCK HOTSPOT SHIELD IN MIKROTIK SERVER


Just Copy And Paste in New Terminal Now
Its being long time that people like me were trying to block the hotspot shield on their networks using Mikrotik server.
/ip firewall mangle
add action=add-dst-to-address-list address-list=WhiteList \
address-list-timeout=4d4h chain=prerouting comment=WhiteList content=\
!127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
add action=add-src-to-address-list address-list=HotSpotShieldUsers \
address-list-timeout=1h chain=prerouting comment=HotSpotShieldUsers \
content=127.0.0.1:895 disabled=no dst-port=80 protocol=tcp
add action=add-dst-to-address-list address-list=WhiteList \
address-list-timeout=4d4h chain=prerouting comment=WhiteList content=\
!127.0.0.1:895 disabled=no dst-port=443 protocol=tcp
/ip firewall filter
add action=drop chain=forward comment=”\”Block HotSpot Shield\”" disabled=no \
src-address-list=HotSpotShieldUsers

Friday 29 November 2013

xbee-arduino

Overview

This is an Arduino library for communicating with XBees in API mode, with support for both Series 1 (802.15.4) and Series 2 (ZB Pro/ZNet). This library Includes support for the majority of packet types, including: TX/RX, AT Command, Remote AT, I/O Samples and Modem Status.
Note: This software requires API mode, by setting AP=2. If you are using Series 2 XBee, you'll need to install API Firmware (they ship with AT firmware), then set AP=2. This software will not work correctly with AP=1 Refer to XBeeConfiguration and WhyApiMode for more info.

News

  • 10/15/12 Release 0.4 (beta) is available. Paul Stoffregen (Teensy creator) has contributed a patch that allows for using SoftwareSerial for XBee communication! This frees up the Serial port for debug or to use with other hardware. Try it out and report any issues on the Google group page. Important: See SoftwareSerialReleaseNotes as it was necessary to change the API to support this feature.
  • 12/21/11 Release 0.3 is now available. This release includes support for Arduino 1.0 along with some bug fixes and a new setSerial function for using alternate serial ports (e.g. Mega). This release is compatible with previous Arduino releases as well.
  • 4/3/11 I have created an XBeeUseCases wiki on XBee API that describes several use cases for communicating with XBees.
  • 11/14/09 Version 0.2.1 is available. This release contains a bug fix for Remote AT
  • 10/26/09 XBee-Arduino 0.2 is now available. This release adds support for AT Command, Remote AT, and I/O sample (series 1 and 2) packets. Along with this release I have created several new examples.
  • 8/09/09 I have released Droplet, a wireless LCD display/remote control with support for Twitter, Google Calendar, weather etc. It uses this software to send and receive XBee packets.
  • 4/19/09 Release 0.1.2: In this release I added some abbreviated constructors for creating basic Requests and get/set methods to facilitate the reuse of Requests
  • 3/29/09 Initial Release

Documentation

API docs

Example

I have created several sketches of sending/receiving packets with Series 1 and 2 XBee radios. You can find these in the examples folder. Here's an example of sending a packet with a Series 2 radio:
// Create an XBee object at the top of your sketch
XBee xbee = XBee();
// Tell XBee to start Serial
xbee.begin(9600);
// Create an array for holding the data you want to send.
uint8_t payload[] = { 'H', 'i' };
// Specify the address of the remote XBee (this is the SH + SL)
XBeeAddress64 addr64 = XBeeAddress64(0x0013a200, 0x403e0f30);
// Create a TX Request
ZBTxRequest zbTx = ZBTxRequest(addr64, payload, sizeof(payload));
// Send your request
xbee.send(zbTx);
See the examples folder for the full source. There are more examples in the download.
See the XBee API project for Arduino < - > Computer communication.
To add XBee support to a new sketch, add "#include <XBee.h>" (without quotes) to the top of your sketch. You can also add it by selecting the "sketch" menu, and choosing "Import Library->XBee".

Learning/Books

If you want to learn more about Arduino and XBee, check out these books:

Hardware

I highly recommend using an Arduino that has 2 serial ports, such as the Arduino Leonardo. The reason is the XBee requires one serial port and it's useful to have another serial port available for debugging. The Arduino Leonard actually has one hardware serial port and one virtual (usb serial port). The hardware serial port is for use with XBee (Serial1) and the virtual serial port (Serial) may be used to send debug info to the console. The Arduino Mega is another popular choice as it has 4 hardware serial ports, along with additional memory and I/O. Both boards are compatible with XBee Shields. The Teensy board, by PJRC, may be a good choice for some advanced users. It is not 100% Arduino compatible but PJRC provides a plugin to the Arduino IDE. They also sell an XBee Adapter to interface XBee with Teensy (requires soldering).
XBee radios come in two models: Series 1 (S1) and Series 2 (S2). Series 1 are the best choice for most people as they are the easiest to configure. Series 2 XBee radios feature ZigBee and require a firmware update to use this software (requires X-CTU on Windows). Series 1 and 2 are not compatible with each other.
The Arduino XBee Shield is the best choice for connecting the XBee to an Arduino
You can find XBee Shields on ebay, often for less, but keep in mind delivery may be slow when shipped from China. I don't recommend the SparkFun XBee Shield since it requires soldering headers (not included) to connect to an Arduino board
An XBee Explorer is highly recommended for updating firmware and configuring the radio. This is also useful for interfacing an XBee with a computer. If you are using Series 2 radios you'll need an XBee Explorer to upload API firmware to the radio (they ship with AT firmware).
See the xbee-api Hardware wiki for more parts links.
For interfacing with Arduino clones that are not shield compatible, such as Modern Device's http://shop.moderndevice.com/products/rbbb-kit, you will need 3.3V power and logic shifter or voltage divider to convert Arduino's 5V to an XBee safe 3.3V.

Installation

Arduino 16 (or earlier):
Download the zip file, extract and copy the XBee folder to ARDUINO_HOME/hardware/libraries If you are upgrading from a previous version, be sure to delete XBee.o
Arduino 17 (or later):
Determine the location of your sketchbook by selecting "preferences" on the Arduino menu. Create a "libraries" folder in your sketchbook and unzip the download there. See this for more information.

Uploading Sketches

The Arduino has only one serial port which must be connected to USB (FTDI) for uploading sketches and to the XBee for running sketches. The Arduino XBee Shield provides a set of jumpers to direct Serial communication to either the USB (Arduino IDE) or the XBee. When using the XBee Shield you will need to place both the jumpers in the USB position prior to uploading your sketch. Then after a successful upload, place the jumpers in the "XBEE" position to run your sketch. Always remember to power off the Arduino before moving the jumpers.

Configuration

To use this library your XBee must be configured in API mode (AP=2). Take a look at this for information on configuring your radios to form a network.

Other Micros

Not using Arduino? It should be easy to port this library to any microcontroller that supports C++ and serial available/read/write/flush. The only other dependency is the millis() function for milliseconds.

Support

Please report any bugs on the Issue Tracker.

Questions/Feedback

Questions about this project should be posted to http://groups.google.com/group/xbee-api?pli=1 Be sure to provide as much detail as possible (e.g. what radios s1 or s2, firmware versions, configuration and code).

Consulting/Commercial Licenses

I'm available for consulting to assist businesses or entrepreneurs that need help getting their projects up and running. I can also provide a commercial license for situations where you need to distribute code to clients/third parties that would otherwise conflict with GPL. For these matters I can be contacted at andrew.rapp [at] gmail.

Sunday 24 November 2013

Mikrotik DUAL WAN Load Balancing using PCC method. Complete Script ! by zaiB

Mikrotik  DUAL WAN Load Balancing using PCC method. Complete Script ! by zaiB
Following is a complete script for Mikrotik to combine/load balance two DSL lines. In this example I used MikrotikT RB750 5 ports router.
2 ports were connected with two difference DSL Routers,
and 3rd port was connected with User LAN.
Both DSL are of same speed , i.e 10Mb each.
DSL MODEM IP’S
DSL MODEM 1 = 192.168.1.1
DSL MODEM 2 = 192.168.2.1
Also don’t forget to rename the interface names accordingly.
In my personnel experience , If users request are directly hitting Mikrotik configured with PCC , then you will get good load balancing. Use src-address as classifier, this way you will get rid of problems like https/broken link, streaming issues etc. Load balancing using this PCC technique (src-address) will be effective and balanced approach when more and more connections (from clients) that occurred. I also recommend to use SQUID proxy server along with mikrotik , either parallel or in front or backend , for better response time and it will also increase good browsing experience to users.
If somehow you are not satisfied with the src-address approach,play with the PCC-Classifier, then Try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, BUT there is also a good chance that it will break certain things like banking web sites and some forums. This is because often times a HTTP requests will generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with src-address for PCC load balancing.
Regard’s
Syed Jahanzaib
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
 
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8
 
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
 
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
 
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
 
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
 
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
 
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
 
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
 
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
All Done ! Now Test the link by putting user load, the more multiple users load you put on it, the better Load Balance result you will get :)

PCC WITH UN-EQUAL WAN LINKS

If you have Un-Equal WAN Links, for example WAN,1 is of 4MB and WAN,2 is of 8 Mb, and you want to force MT to use WAN42link more then other because of its capacity, Then you have to Add more PCC rules assigning the same two marks to a specific link i.e WAN2 , something like
Code:
1
2
3
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/2 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

PCC WITH HOTSPOT (Reference)

1
/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth
٩(●̮̮̃•̃)۶   ZaiB   ٩(●̮̮̃•̃)۶

Mikrotik PPPoE Server with User Manager Pre Paid Billing System !

~!~ Article by Syed Jahanzaib ~!~
This guide will illustrate howto create PPPoE server in MIKROTIK RouterOS (I used v 5.6 in this example). This article will also demonstrate on how you can create your automated pre-paid billing solution for users using Mikrotik’s User Manager. This basic RADIUS Server a.k.a USERMAN can be used for any ppp service like VPN/PPPoE/HOTSPOT.
My Note:
I must state that the USERMAN solution is not a reliable one, You cant rely on it on a large/production server. But after all its free package come along with the mikrotik, so dont expect much from it, IMO its suitable for SOHO. If you want real features related to ISP , Better to USe 3rd Party Radius server like DMASOFTLAB which is feature rich radius built to perform :)
It will also show you how to create a 30 days limit account with 256Kbps speed limit.
We will divide this article in two section.
1) PPPoE Server (Basic Settings)
2) User Manager Billing Setup

In this example Mikrotik have two lan cards.
1) ether1 = ip 10.0.0.1 / LAN Interface hosting PPPoE Server
2) ether2 = ip 192.168.0.1 / WAN interface connected with DSL / Fiber etc.
(Configure interfaces accordingly to your environment, in the images ip series is 192.168.2.1 , don’t get confuse with it. you can adjust it accordingly)


PPPoE SERVER SETUP

First we will add PPPoE Server using CLI (command interface)
1
2
/interface pppoe-server server
 add authentication=pap default-profile=default disabled=no interface=ether1 keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable
Now we will add IP Pool for pppoe-users (ips that user will get after successful dialing)
1
/ip pool add name=pppoe-users-pool ranges=172.16.0.1-172.16.0.254
Now we will add new profile for pppoe users.
1
/ppp profile add change-tcp-mss=default dns-server=10.0.0.1 local-address=10.0.0.1 name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default
Following is the screenshot for above created rule.


Add following rule to allow internet.
1
/ip firewall nat add action=masquerade chain=srcnat disabled=no src-address=172.16.0.1-172.16.0.255


(In above masquerading rule, I have added src-address to 172.16.0.x ip pool, so that ONLY pppoe connected users internet will work)
Add DNS server so users can resolve internet hostnames.
1
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8
Now finally we will add local user to test the pppoe server status.
1
/ppp secret add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes="" service=pppoe
Now at user end, create a pppoe dialer and connect with the id = zaib and password = 1234
(Howto create pppoe dialer
If all goes fine, you will start surfing the internet smoothly :)
Now we will move to mikrotik billing system using its built-in radius called USER MANAGER.


MIKROTIK USER MANAGER WITH BILLING SETUP

We can setup a RADIUS server in mikrotik using its built-in radius server called User Manager. UM is a nice web-based billing manager package to compliment hotspot / pppoe / vpn authentication solution in RouterOS. It is RADIUS based component so it can provide centralised management to single or multiple RouterOS based NASes.
Now we will first configure user manager and then later we will integrate it with our pppoe server so all authentication will be done via UM.

Open your web browser and point it to http://10.0.0.1/userman
You will see user manager authentication screen, Now enter admin id and password and you will be forwarded to main UM screen like this.
Note: If default admin password doesn’t work out, change the password by following command
1
2
3
/tool user-manager customer set admin password=PASSWORD
**OR**
/tool user-manager customer print
um-main-screen (zaib)
um-main-screen (zaib)
Now click on Profiles, on your right window, click on + sign (beside profile)
For test purposes, we will add one profile with 256Kbps speed limit, and 30 days UP Time limit. You can add many packages as per your requirements later, once you understand how thins works here)
Now we want to add 256Kb / 30days Limit Package, Name it 256k.
* in ‘Name for users‘ type ‘256k’
* in ‘Validity‘, type ’4w2d’ (for 1 month validity)
* in ‘Starts‘ , select ‘At First Logon‘ (User time will start when users first login)
* in ‘Price’ enter the amount at which you sell this package to users. e.g  400
* in ‘Shared Users’ select ’1′ (so single ID cannot be used from multiple computers simultaneously)
Now Save Profile. (See attached Screenshot)

um-add-profile-zaib
um-add-profile-zaib
Now We want to add Bandwidth Limitation to this profile, goto ‘Limitations’ and click on ADD ,
A new window will appear
* in ‘Name’ type ’256k’
* in ‘Rate Limit’ in RX ’128k’ in TX ’256k’ ,
Now click on SAVE. (See attached Screenshot)
um-rate-limit-zaib
um-rate-limit-zaib
Now go back to Profiles Section. Here you will see your created 256k
Profile, clien on ‘Add New Limitation’ and and click on ’256k Limit’ and
click ‘ADD’ button. (See attached Screenshot)
um-add-new-limitation
Done, your first package with 256k Limit and 30 Days uptime limit is created. Now we will Add new user and tag them with this new 256k profile.
Goto Users, and click on ADD / One (to add single user).
* in ‘Username’ type ‘zaib’
* in ‘Password’ type ’1234′
* in ‘Constraints’ check on ‘Called ID’ Bindon first use. This options is good if you want to bind user id with first detected MAC address, if you don’t want to bind , leave this option as it is.
* in ‘Assign profile’ select ’256k’ profile and click on ADD button to finish.
(See attached Screenshot)

Now that we have finished our basic work with UM, its time to integrate it with Mikrotik, so that all Mikrotik PPPoE authentication will be done via UM.
We have to modify some settings, both on UM and Mikrotik as well.
In UM we have to add Mikrotik Router.
* In UM, Goto Routers , ADD, NEW, name it Mikrotik,
* in ‘IP Address’ tpye you server IP address, 10.0.0.1
* in ‘Shared Secret’ type ’1234′
Now click ADD to finish. (See attached Screenshot) (in the image ip address is showing 192.168.2.1, dont get confused, use your own ip address class here)

UM-RADIUS-add
UM-RADIUS-add
UM section is complete , now moving on to MIKROTIK to complete the RADIUS setup.

ADDING RADIUS SUPPORT IN MIKROTIK

Open Mikrotik Terminal, and type
1
2
3
4
5
/ppp aaa set accounting=yes interim-update=0s use-radius=yes
 
/radius add accounting-backup=no accounting-port=1813 address=10.0.0.1 authentication-port=1812 called-id="" disabled=no domain="" realm="" secret=1234 service=ppp,hotspot timeout=300ms
 
/radius incoming set accept=yes port=3799
Make sure you change the ip address as per your local configuration.

 
! COMPLETED !

Now from client end, connect with Users id ‘zaib’ and password ’1234′ that you created via UM. It should connect fine. After first connect, this ID will expires in 30 days and bandwidth limit will be 256kb download and 128kb upload.
Howto create pppoe dialer  http://www.petri.co.il/configure_a_pppoe_dialer_in_windows_xp.htm
To view status/change password etc, from client side, point the browser to
OR
[depend on ip series.
If you need any assistance, Do let me know.
Regard’s
Naveed Ahmad

Mikrotik Firewall / Short Notes

Sometimes, in MT logs, you will see that some ips from WAN/LAN try to login to your MT box using SSH,Winbox etc. To secure your router , the best solution would be to come up with a list of networks that should be allowed to access the router administratively, and block everything else. Following code might help you in this situation.
[Most rules are copied from Mikrotik Wiki's Articles]
The following rules will create a address list which will have your management PC ip address. an then it will allow all ports like WINBOX, FTP, SSH, TELNET from this address list only, and rest of ips wont be able to access these ports.
1
2
3
4
5
6
7
/ip firewall address-list
 add list=management-servers address=10.10.0.1/24
 
/ip firewall filter
 add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept
 
add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop
Now scenario will be like below.


It is strongly advised to DISABLE all Unnecessary Services on the MikroTik Router specially SSH/FTP which is highly used for brute force attacks.

This reduces the attack surface of your router the less services there are to attack the less likely your router could be compromised or overloaded :)
Remotely Accessible Router Services should be limited to few addresses
This is a simple and very effective way of controlling who can attempt to access the MikroTik router. One could check from which addresses or networks the MikroTik Router would be administered. Then one could create firewall rules that only allow access to the router services from the management netwokrs.
Deny all un wanted inbound Traffic and allow only related traffic  (***The best approach***)
By restricting inbound traffic to the router, you can prevent the accidental opening up of services on the router. Also by restricting all types of services except for the services you know about & you want, you prevent any services (that you may not be aware of ) being accessible remotely on the MikroTik router.


HOWTO PREVENT VIRUS / PORTS FLOODING ?


A basic Mikrotik Firewall Script to secure MT box from virus and flooding. First copy all contents of below script to notepad, then carefully read it, add remove any un necessary rules. Also some rules are commented, modify them as per your requirements.***

1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
80
81
82
83
84
85
86
87
88
89
90
91
92
93
94
95
96
97
##########################################################################
#### Remove HASH # sign if you want to apply the required rule           #
#### Syed Jahanzaib / aacable@hotmail.com / http://aacabel.wordpress.com #
##########################################################################
 
/ip firewall filter
 
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
 
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"
#### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER
#add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
#add action=accept chain=input disabled=no protocol=gre
 
#### TO BLOCK DNS ATTACK on WAN INTERFACE
#/ip firewall filter
#add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 # WAN INTERFACE
#add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 # WAN INTERFACE
 
#### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE
#add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 # WAN INTERFACE
 
#### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP
# Blocking ICMP Traffic, saves you from many headaches
# add action=drop chain=input comment="DROP PING  REPLY" disabled=no protocol=icmp src-address=!10.10.0.4
 
#### TO BLOCK TRACEROUTE TRAFFIC
#/ip firewall add action=drop chain=forward comment="Drop Traceroute" disabled=no \
# icmp-options=11:0 protocol=icmp
# add action=drop chain=forward comment="" disabled=no icmp-options=3:3 \
# protocol=icmp
# add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=\
# icmp
 
#### TO BLOCK COMMON VIRUS PORTS
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=593 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________"
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester"
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server"
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast"
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx"
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid"
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom"
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm"
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser"
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B"
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B"
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y"
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B"
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus"
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2"
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven"
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
 
#Drop port scanners
add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no
add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan"
add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan"
add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan"
add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan"
add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan"
add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan"
add chain=input src-address-list="port scanners" action=drop comment="dropping port scanners" disabled=no
 
#Bruteforce login prevention
 
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="drop ftp brute forcers"
add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m
add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h
 
#This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts.
 
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no
 
#If you want to block downstream access as well, you need to block the with the forward chain:
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="drop ssh brute downstream" disabled=no


A BETTER APPROACH ON BLOCKING PORTS !


1
2
3
4
5
6
/ip firewall mangle
add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp
 
/ip firewall filter
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445
[/sourcecode]
The above Rules allows 5 packets per second with a burst of 10 specific to new connections. The mangle rule will put addresses on a list when it exceeds that limit. That way legitimate use isn’t blocked but something like a virus or worm sending out mass amounts will be detected and stopped. It’s a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs that need to clean up their pc.


Mikrotik How to block Winbox Discovery + Limit Winbox Access

To hide your mikrotik from being appearing in WINBOX scan negibour list, & to limit WINBOX access from your admin PC only,
Use the Following.
1
2
3
4
5
6
7
8
9
/tool mac-server
add disabled=yes interface=all
/tool mac-server ping
set enabled=no
 
/ip firewall filter
add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="DROP ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6


You can Also Disable Network Neighbor Discovery on the interface to which your network users are connected
Example:
1
/ip neighbor discovery set ether1 discover=no
Personnel Recommendation:
Always disable un-necessary Like FTP / SSH / TELNET etc. or if its necessary to enable services, at least Limit
there access to specific pcs only.
Allow only WINBOX.


How-to  Allow VPN (PPTP) Connections for Mikrotik VPN Server

PPTP uses the GRE protocol, You have to allow ip PROTOCOL 47 (GRE), not TCP port.
TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).
Example:
1
2
3
/ip firewall filter
add action=accept chain=input disabled=no dst-port=1723 protocol=tcp
add action=accept chain=input disabled=no protocol=gre
Make sure these rules are above any general DENY rule.

Howto Block Torrent / P2P

Blockin 100% torrent is impossible as nowadays new torrents application are using encrypted method and its nearly impossible to inspect the SSL traffic. I used Forefront TMG 2010 is capable to inspect SSL traffic at some extents.
However you can block basic torrents access by using following.

{Modified for easy copy pasting, as we all love copy pasting don’t we ? :p)
1
W A i T

Naveed ahmad

Mikrotik 4 WAN Load Balancing using PCC with PPPoE Server / Complete Script !



Following is a complete script for Mikrotik to combine/load balance 4 DSL lines. This server is also acting as a PPPoE Server, therefore I have made some modifications in PCC Script.
For normal LB, read my article at http://aacable.wordpress.com/2011/06/04/mikrotik-4-wan-load-balance-pcc-complete-script-by-zaib/

In this example I used MikrotikT RB750 5 ports router. 4 ports were connected with four DSL Routers, and 5th port was connected with User LAN. Also don’t forget to rename the interface names accordingly. This script will also add pppoe server , one pppoe user, dhcp server, dns server and pcc.
In my personnel experience , If users request are directly hitting Mikrotik configured with PCC , then you will get good load balancing. Use src-address as classifier, this way you will get rid of problems like https/broken link, streaming issues etc. Load balancing using this PCC technique (src-address) will be effective and balanced approach when more and more connections (from clients) that occurred. I also recommend to use SQUID proxy server along with mikrotik , either parallel or in front or backend , for better response time and it will also increase good browsing experience to users.
If somehow you are not satisfied with the src-address approach,play with the PCC-Classifier, Try both addresses and ports as the classifier. While this will randomize things the most and in theory give you the most fair allocation of bandwidth, BUT there is also a good chance that it will break certain things like banking web sites and some forums. This is because often times a HTTP requests will generate several connections, so there is a chance that some requests may go out a different route than the initial one, and that will break secure web sites. For that reason I usually stick with src-address  for PCC load balancing.
Regard’s
Syed Jahanzaib
x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-x-x-x-x–x-x-x-x-x-x-
1
2
3
4
5
6
7
8
9
10
11
12
13
14
15
16
17
18
19
20
21
22
23
24
25
26
27
28
29
30
31
32
33
34
35
36
37
38
39
40
41
42
43
44
45
46
47
48
49
50
51
52
53
54
55
56
57
58
59
60
61
62
63
64
65
66
67
68
69
70
71
72
73
74
75
76
77
78
79
/ip address
 add address=172.16.0.1/16 broadcast=172.16.255.255 comment="" disabled=no interface=Local network=172.16.0.0
 add address=192.168.1.2/24 broadcast=192.168.1.255 comment="" disabled=no interface=WAN1 network=192.168.1.0
 add address=192.168.2.2/24 broadcast=192.168.2.255 comment="" disabled=no interface=WAN2 network=192.168.2.0
 add address=192.168.3.2/24 broadcast=192.168.3.255 comment="" disabled=no interface=WAN3 network=192.168.3.0
 add address=192.168.4.2/24 broadcast=192.168.4.255 comment="" disabled=no interface=WAN4 network=192.168.4.0
 
/ip pool
 add name=dhcp_pool1 ranges=172.16.0.70-172.16.0.254
 add name=pppoe-users-pool ranges=10.0.0.1-10.0.0.255
 
/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=Local lease-time=12h name="My DHCP Server"
 
/ip dhcp-server config
 set store-leases-disk=5m
 
/ip dhcp-server network
 add address=172.16.0.0/16 comment="" dns-server=172.16.0.1,221.132.112.8
 
/interface pppoe-server server
 add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=aacable
 
/ppp profile add change-tcp-mss=default dns-server=172.16.0.1 local-address=172.16.0.1 name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default
 
/ppp secret add caller-id=”" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=zaib password=1234 profile=pppoe-profile routes=”" service=pppoe
 
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=221.132.112.8,221.132.112.9
 
/ip firewall mangle
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN3 new-connection-mark=WAN3_conn passthrough=yes
 add action=mark-connection chain=input comment="" disabled=no in-interface=WAN4 new-connection-mark=WAN4_conn passthrough=yes
 
add action=mark-routing chain=output comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=output comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes
 
add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.1.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.2.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.3.0/24
 add action=accept chain=prerouting comment="" disabled=no dst-address=192.168.4.0/24
 
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/0 src-address=10.0.0.1-10.0.0.255
 
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/1 src-address=10.0.0.1-10.0.0.255
 
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/2 src-address=10.0.0.1-10.0.0.255
 
add action=mark-connection chain=prerouting comment="" disabled=no dst-address-type=!local new-connection-mark=WAN4_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:4/3 src-address=10.0.0.1-10.0.0.255
 
add action=mark-routing chain=prerouting comment="" connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN3_conn disabled=no new-routing-mark=to_WAN3 passthrough=yes
 add action=mark-routing chain=prerouting comment="" connection-mark=WAN4_conn disabled=no new-routing-mark=to_WAN4 passthrough=yes
 
/ip firewall nat
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN1 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN2 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN3 src-address=10.0.0.1-10.0.0.255
 add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN4 src-address=10.0.0.1-10.0.0.255
 
/ip route
 add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 scope=30 target-scope=10
 
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 scope=30 target-scope=10
 
add check-gateway=ping disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 scope=30 target-scope=10
 
add check-gateway=ping disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 scope=30 target-scope=10
 
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
 
add check-gateway=ping comment="" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=30 target-scope=10
 
add check-gateway=ping comment="" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=192.168.3.1 scope=30 target-scope=10
 
add check-gateway=ping comment="" disabled=no distance=4 dst-address=0.0.0.0/0 gateway=192.168.4.1 scope=30 target-scope=10
All Done ! Now Test the link by putting user load, the more multiple users load you put on it, the better Load Balance result you will get :)

PCC WITH HOTSPOT

If you wanna run PCC with HOTSPOT on same Mikrotik Server, Put this rule in place to stop the hotspot from processing people after they have signed into the network.
1
/ip firewall nat add action=accept chain=pre-hotspot disabled=no dst-address-type=!local hotspot=auth

PCC WITH UN-EQUAL WAN LINKS

If you have Un-Equal WAN Links, for example WAN,1,2,3 are of 4MB and WAN,4 is of 8 Mb, and you want to force MT to use WAN4 link more then other because of its capacity, Then you have to Add more PCC rules assigning the same two marks to a specific link i.e WAN4 , something like
Code:
1
2
3
4
5
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/4 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes
٩(●̮̮̃•̃)۶ Naveed Ahmad   ٩(●̮̮̃•̃)۶

 
".