maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Posting tutorials or how-to's !!!

Fri Sep 30, 2005 10:09 am

hey Experts,

why don't you post some tutorials or how to's for services running on Mikrotik!

let's start with a hotspot configuration...

let's share our knowledge...

Mikrotik awesome!

Regards,
 
infomate
Member Candidate
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Fri Sep 30, 2005 3:53 pm

I second the motion!

Let Mikrotik live!

Robert S.
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Fri Sep 30, 2005 5:33 pm

alright so what are we doing about it
 
Borage
Member Candidate
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Fri Sep 30, 2005 7:39 pm

I would suggest a new subforum for that.
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Sat Oct 01, 2005 10:28 am

These are the input rules on my v2.8.28 hotspot.

** rules I posted last week had a few errors, corrections to follow **
Last edited by jaytcsd on Mon Oct 17, 2005 11:01 am, edited 1 time in total.
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Sun Oct 02, 2005 6:28 am

count me in........ :D

:idea: :idea:

btw dhcp n enabled address which one is better for the security.....?
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Oct 03, 2005 9:24 am

very good idea, please everyone post your examples, tricks and configurations, and we will make a special page where those will be listed.
 
Borage
Member Candidate
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Mon Oct 03, 2005 4:03 pm

Don't forget to post the configuration commands too, so n00bs like me only need to copy and paste it. :wink:
Last edited by Borage on Mon Oct 03, 2005 5:00 pm, edited 2 times in total.
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Mon Oct 03, 2005 4:03 pm

> count me in........ :D
>
> :idea: :idea:
>
> btw dhcp n enabled address which one is better for the security.....?

well it depends on the kind of measures you take. you could enable dhcp but still block unregistered ips or use something like RADIUS server to authenticate
or use registered ips
 
infomate
Member Candidate
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Mon Oct 03, 2005 4:46 pm

Here's my share.

Porn blocklist:
download from this url: http://pickup.mofile.com/7897855218849253
cut and paste to /ip web-proxy access

More power to all!

Robert S.
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Mon Oct 03, 2005 6:14 pm

thanks infomate

your blocklist is massive .. but v. useful

we are all thankful :)

Regards,
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Tue Oct 04, 2005 9:40 am

anybody got a howto for IPSec? i can get it to work but it won't flow traffic both ways
 
hzeid
Frequent Visitor
Posts: 92
Joined: Tue Oct 12, 2004 11:57 am
Location: Lebanon

Tue Oct 04, 2005 1:15 pm

> Here's my share.
>
> Porn blocklist:
> download from this url: http://pickup.mofile.com/7897855218849253
> cut and paste to /ip web-proxy access
>
> More power to all!
>
> Robert S.

hello it says Wrong Pickup Code:
can u double check the link pls???
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Tue Oct 04, 2005 1:27 pm

it works good with me Hadi

but i'm facing a problem pasting the 3000 lines into the terminal ...

the box freezes !!

512mb of ram installed on 1.7 Intel Original box

enlighten me please
 
hzeid
Frequent Visitor
Posts: 92
Joined: Tue Oct 12, 2004 11:57 am
Location: Lebanon

Tue Oct 04, 2005 1:31 pm

hey maroon my problem is that i can not get the line from the website they are posted on? :oops:


by the way for tutorials can u post a mikrotik configuration for the transparent proxy after microsoft isa server cause i still have a problem accessing https websites
 
ela002
Frequent Visitor
Posts: 97
Joined: Tue May 31, 2005 4:19 am

Tue Oct 04, 2005 1:31 pm

You can paste the list in smaller parts, e.g. each 500 lines or less.


But what about performance?
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Tue Oct 04, 2005 4:18 pm

okay Hadi,

I will post the configuration tonight, since i'm too busy right now.. and concerning the dropping of 500 lines on the terminal... I faced a problem which is not freezing... I can't see my keys anymore ..let's say I want to write / ping yahoo.com ... I can't see the line ..but if u press enter it will take the command ... what's going on?

Mikrotik Heroes :)
 
Borage
Member Candidate
Posts: 170
Joined: Sun Sep 26, 2004 10:19 pm

Tue Oct 04, 2005 4:19 pm

Why not copy the list to the router with ftp and import. :wink:
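
Borage's suggestion of uploading the list as a file and importing it, sketched as an added example (not part of the original thread): an imported file runs as console commands, so this Python script keeps only lines that are a single deny entry and then writes chunks of at most 500 entries, the size ela002 suggests. The `add url=... action=deny` line format is an assumption modelled on the command quoted in this thread, and the sample list is constructed.

```python
import re

MENU = "/ip web-proxy access"   # menu named in the thread

# Assumed entry format: add url="<pattern>" action=deny (quotes optional).
# The character allowlist excludes ';', '[', ']', '$' and whitespace, so a
# line cannot carry a second console command into the import file.
_URL = r"[A-Za-z0-9.*:_/-]+"
ENTRY = re.compile(
    rf'^add\s+url=(?:"(?P<quoted>{_URL})"|(?P<bare>{_URL}))\s+action=deny$'
)


def vet_blocklist(text):
    """Return (accepted_urls, rejected), where rejected is [(lineno, line)]."""
    accepted, rejected, seen = [], [], set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        # Blank lines, comments and the menu line itself carry no entry.
        if not line or line.startswith("#") or line == MENU:
            continue
        match = ENTRY.match(line)
        if match is None:
            rejected.append((lineno, line))
            continue
        url = match.group("quoted") or match.group("bare")
        key = url.lower()            # case-insensitive de-duplication
        if key not in seen:
            seen.add(key)
            accepted.append(url)
    return accepted, rejected


def build_import_files(urls, chunk_size=500):
    """Return a list of file bodies, each holding at most chunk_size entries."""
    files = []
    for start in range(0, len(urls), chunk_size):
        chunk = urls[start:start + chunk_size]
        body = [MENU] + [f'add url="{u}" action=deny' for u in chunk]
        files.append("\n".join(body) + "\n")
    return files


# Constructed sample of a downloaded list, including two lines that
# must not reach the router.
SAMPLE = """\
/ip web-proxy access
add url="badsite1.example" action=deny
add url="badsite2.example" action=deny
add url="BADSITE1.example" action=deny
/system reset
add url="badsite3.example" action=deny; /system reset
add url=badsite4.example action=deny
"""

if __name__ == "__main__":
    accepted, rejected = vet_blocklist(SAMPLE)
    for lineno, line in rejected:
        print(f"rejected line {lineno}: {line}")
    for i, body in enumerate(build_import_files(accepted, chunk_size=2), 1):
        print(f"--- blocklist-{i}.rsc ---")
        print(body, end="")
```

De-duplicating before import also keeps the rule count down, which matters for the CPU load mentioned later in the thread.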
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Tue Oct 04, 2005 6:07 pm

great... I will try it and come back with feedback

thanks a million dude
 
bholler
Trainer
Posts: 95
Joined: Wed Feb 09, 2005 10:22 pm
Location: Nigeria

Tue Oct 04, 2005 8:53 pm

hello everybody,

why not use MS command prompt to telnet into the MT and copy and paste as much as u want into the console. That was what i used and i had no problem until i realised that the list cost me the CPU load and performance
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Thu Oct 06, 2005 5:29 pm

hi....can anybody tell me how to block some url....?
i tried to write it like this:

ip web-proxy access> add url="www.google.com" action=deny

but still i can't block google.....? :?:

note :
i have erased all the rules in dst-nat......!!!!!
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Thu Oct 06, 2005 9:16 pm

is the transparent proxy or proxy enabled on mikrotik?

one of these should be enabled ...

Regards,
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Thu Oct 06, 2005 9:19 pm

anyone interested in a tutorial of setting up a PPPoE server?
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Thu Oct 06, 2005 9:31 pm

> anyone interested in a tutorial of setting up a PPPoE server?

am interested
 
proxy
Frequent Visitor
Posts: 82
Joined: Wed Dec 15, 2004 1:18 am

Thu Oct 06, 2005 10:32 pm

> anyone interested in a tutorial of setting up a PPPoE server?

i'm interested too :lol:
 
Alessio Garavano
Member
Posts: 306
Joined: Sat May 29, 2004 12:49 am
Location: Corrientes, Argentina

HOTSPOT - Good idea!

Fri Oct 07, 2005 5:50 pm

I am using hotspot from first beta versions....
:lol:
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Sun Oct 09, 2005 12:40 pm

setting the pppoe server on Mikrotik Router OS is the easiest setup you will ever know...

let's say we have two interfaces { real and fake or internal and external }

we start mikrotik...

set the External IP and route { ISP provides you the subnet and G/W }

add DNS .. I think these are well known to everybody.

now it's time to setup a pppoe server on Mikrotik router OS

let's start with:

1- ip --- pool --- add name="PPPoE Class A" ranges=10.20.20.2-10.20.20.200
2- ppp --- profiles --- add name="XXX" local-address=10.20.20.1 remote-address="PPPoE Class A" session-timeout=0s idle-timeout=15m only-one=yes incoming-filter=input outgoing-filter=output dns-server="ISP's DNS" tx-bit-rate="this means download at client side - optional" rx-bit-rate="this means upload at client side - optional"
3- interfaces --- pppoe-server --- server --- add service-name="Class A" interface="internal" mtu=1472 mru=1472 authentication=pap,chap keepalive-timeout=15 one-session-per-host=yes default-profile="XXX"
4- ppp --- secrets --- add name=test password=test service=pppoe

create a dialup connection on a WS and try it

with this we've completed setting up a pppoe server... if you need to enable the proxy on mikrotik ... i'm ready to post how-to setup proxy and transparent proxy on mikrotik ...

P.S: most of WS aren't pppoe enabled so go to http://www.raspppoe.com and download the driver... so easy to install it.

Regards,

Maroon
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Mon Oct 10, 2005 4:23 pm

@maroon i've already enabled transparent proxy... :cry:
can anyone help...?

and 1 more thing can mt block user when they login after 3 tries...?

thanks for the answer
 
randyloveless
Member Candidate
Posts: 207
Joined: Thu Sep 30, 2004 10:14 am
Location: california

Mon Oct 10, 2005 6:36 pm

what can't you get to work? trans proxy is fairly simple to set up,

Randy
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Hotspot how-to !! full setup

Mon Oct 17, 2005 4:13 pm

why aren't you guys posting some tutorials over here?

anyone knows how to configure a hotspot on Mikrotik? full setup!!!

I think there are a lot who are waiting for an expert to post this tutorial on the Mikrotik forum.

Best Regards,

Maroon
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Oct 17, 2005 4:23 pm

in 2.9 anyone knows how to configure hotspot. it's just too easy.
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Mon Oct 17, 2005 4:35 pm

OK normis!!!

everything is just so easy on Mikrotik...

so let's share some ideas, so mikrotik users will be more interested about it.

mmm! let's make a contest for the mikrotik users, and there will be a prize { a free mikrotik router OS, or whatever thing ... }

think about it

and we all are ready

thanks for your cooperation Normis
 
normis
MikroTik Support
Posts: 26379
Joined: Fri May 28, 2004 11:04 am
Location: Riga, Latvia

Mon Oct 17, 2005 5:08 pm

come to the mikrotik user meeting and it will all be there (including free licenses and a contest for routerboard hardware) :)

we are already thinking about a place where such examples can be stored, we just need some activity. if you'd do it on the forums, we could transfer those examples to a separate page. there is simply not enough yet
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Mon Oct 17, 2005 5:47 pm

how I wish Normis,

i'm IT manager at Lebanese Canadian University, and I'm having a full time job. other than freelance projects...

my time is full this fall. hope next summer...

but concerning the separate page. me, myself ready but I can't do all these by myself.. at least need some support to post and take care of it

Sincerely Maroon
 
infomate
Member Candidate
Posts: 114
Joined: Sat May 21, 2005 2:30 pm
Location: Dumaguete City, Philippines

Mon Oct 17, 2005 6:17 pm

I don't have enough experience but I'm willing to support it.

come to think of it, is there any exam we can take to qualify anybody as a certified MT support guy? Since I'm from the Philippines, I don't know anybody working with MT here, much more to ask for support.

I guess experience has to do a lot about being able to support MT, and compile proven and tested solutions.

Submitted contributions will be accepted based on mutual trust (and the contributor should be able to prove it working in actual systems and not theoretical in nature).

Next step?????

Robert S.
 
hzeid
Frequent Visitor
Posts: 92
Joined: Tue Oct 12, 2004 11:57 am
Location: Lebanon

Hotspot Setup

Mon Oct 17, 2005 9:21 pm

HotSpot Setup Howto

I have been using this setup on over 8 mikrotik routers and it is working excellent
note: i have been using this setup on 2.8.xx versions i don't know if it works on 2.9
also this setup is copied from an old post it doesn't belong to

This little guide takes you through a step-by-step approach to setting up a simple hotspot using the excellent MikroTik RouterOS software. Some detail and explanations are left out to keep things clearer. This guide assumes that you have installed RouterOS v2.8.7 and upwards.

Code:
[admin@MikroTik] > system reset

(The system restores itself to a clean install state and reboots)

Let’s see what interfaces we have on the computer:
Code:
[admin@MikroTik] > /interface print

Flags: X - disabled, D - Dynamic, R - Running
# NAME TYPE MTU
0 X ether1 ether 1500
1 X ether2 ether 1500


(You can see that there are two Ethernet ports on this computer, both disabled)
So let’s enable them both:
Code:
[admin@MikroTik] interface> set 0,1 disabled=no
[admin@MikroTik] interface> print

Flags: X - disabled, D - Dynamic, R - Running
# NAME TYPE MTU
0 R ether1 ether 1500
1 R ether2 ether 1500

Let’s give the Ethernet ports names, as it’s getting complicated already:

Code:
[admin@MikroTik] interface> set 0 name="hotspot"
[admin@MikroTik] interface> set 1 name="internet"
[admin@MikroTik] interface> print

Flags: X - disabled, D - Dynamic, R - Running
# NAME TYPE MTU
0 R hotspot ether 1500
1 R internet ether 1500


We can now refer to the interfaces by name, which is easier to remember. Now let’s set up the address of the Ethernet card on the internet side. In this case, we’re going to give the MikroTik box the address 192.168.1.2, use 192.168.1.1 as the gateway (i.e. the broadband router), and use the DNS given to you by your ISP. Our example uses the DNS from Plusnet, 212.159.13.50.

Code:
[admin@MikroTik] > /ip
[admin@MikroTik] ip> address add address=192.168.1.2/24 interface=internet
[admin@MikroTik] ip> route add gateway=192.168.1.1
[admin@MikroTik] ip> dns
[admin@MikroTik] ip dns> set primary-dns=212.159.13.50
[admin@MikroTik] ip dns> set secondary-dns=212.159.11.50


To speed things up a little, you can cache dns requests local to the MikroTik box as follows:

Code:
[admin@MikroTik] ip dns> set allow-remote-requests=yes
[admin@MikroTik] ip dns> ..

Now set up the hotspot side:

Code:
[admin@MikroTik] ip> hotspot
[admin@MikroTik] ip hotspot> setup
Select interface on which to run HotSpot
Hotspot interface: hotspot
Enable universal client configuration?
Enable universal client: yes

This is a feature that allows remote computers to connect even if they already have totally different network settings set up on them.
Code:
Local address of hotspot network gateway: 10.5.50.1/24
Masquerade hotspot network: yes
Address pool of hotspot network will be: 10.5.50.2-10.5.50.254
ip address of smtp server: 192.168.1.3


(We have to enter here the IP address of your ISP’s SMTP server, or otherwise put the address of your local one. If you don’t have one, then just give it an address on the “internet” side of the MikroTik box)

Code:
Use local DNS cache?
use local DNS cache: yes
Setup DNS Configuration
dns servers: 192.168.1.2


We enter here the IP address of the MikroTik box on the "internet" side, because we have already set up a DNS cache earlier.

Code:
Name of hotspot user: admin
Password for the user: admin


(This is the hotspot administrator username and password – keep the details safe)
Code:

Select another port for (www) service
Another port for service: 8081


The port that you specify here is the port for Winbox.
Code:

Use transparent web proxy for hotspot clients?
Use transparent web proxy: yes


And that’s about it. Connect to your MikroTik box from either the internet side using the address of http://192.168.1.2:8081 or on the hotspot side (use your admin password).

Download the Winbox from that link, and go to the Hotspot section to manage users.

And there you have it – your Hotspot.
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Tue Oct 18, 2005 12:06 pm

well i know it's old but am still running 2.8.28. can i still use the setup or do i have to upgrade
 
hzeid
Frequent Visitor
Posts: 92
Joined: Tue Oct 12, 2004 11:57 am
Location: Lebanon

Re: Hotspot Setup

Tue Oct 18, 2005 12:28 pm

> note: i have been using this setup on 2.8.xx versions i don't know if it works on 2.9
> also this setup is copied from an old post it doesn't belong to

this should mean that it works on 2.8.xx os
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Tue Oct 18, 2005 1:31 pm

if you read through the setup he also assumed one is using 2.8.7 upwards
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Thu Oct 20, 2005 2:22 pm

The first time I used the hotspot setup routine in 2.8.26 it set my MTU to 1492. I had problems with clients not being able to load some sites like aol.com, finally noticed that the next PC I setup had 1500, as soon as I changed that all the problems went away.

I also made the mistake of checking the 'authoritative' box in the dhcp server for the hotspot, that caused problems with sites like foxnews.com, not positive as to why but I suspect sites that have dynamic load balancing change their DNS settings on the fly, I get different IP addresses for that site depending on where I ping from.

Our hotspot has been live since July, the only problems we've had so far were ones I created.
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Wed Oct 26, 2005 7:21 pm

seems no one is interested in the subject!!

yalla guys !!! show us your ideas, potential, everything!!

Regards,
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Thu Oct 27, 2005 12:02 am

Hello guys )) i can post many examples but can anyone tell me how i can set up a queue tree.

I set up a queue tree but it sometimes works wrong.. i add mangle rules for icmp gre and udp protocols, then i add parent queue and then add subparent queue for udp and icmp and gre protocol with priority 1. But sometimes when parent on full bandwidth icmp request very big 50-200ms.
Help me please 8)
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Thu Oct 27, 2005 12:12 am

Limiting number of packets per second in 2.8:

http://www.butchevans.com/readarticle.php?article_id=5

Bursting (how it works and how to configure):

http://www.butchevans.com/readarticle.php?article_id=6

Other How-Tos and short tutorials (including firewall):

http://www.butchevans.com/articles.php

There are more to come, by the way. Just need input on WHAT to post.
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Thu Oct 27, 2005 9:35 am

thanks butche,

your articles are fruitful.

"Martini" this is normal, since your bandwidth is full !! what NIC's installed on your router? try using Intel or 3com.

Regards,
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Thu Oct 27, 2005 3:50 pm

thanks butche from me too ))
I read your examples, but i still didn't find about shaping gre or icmp.
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Thu Oct 27, 2005 5:51 pm

> I read your examples, but i still didn't find about shaping gre or icmp.

The QOS article/tutorial is in a reserved area for customers who have attended my training classes.

The basic idea for building traffic shaper is this:
1. mangle the traffic you want to shape, and create a packet-mark
2. build a queue on your upstream interface that is able to handle as much as your upstream (parent queue will be the interface that faces your upstream provider). This queue will be ALL traffic
3. Do the same for your inbound traffic (parent would be customer facing interface)
4. Build queues with the above 2 queues as parents, which match the mangles you create for the more specific traffic.

Using this information, you should be able to look in the manual here:

http://www.mikrotik.com/docs/ros/2.9/root/queue
and
http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Once you look there, perhaps you will have a more specific question, which can be answered.
 
martini
Member Candidate
Posts: 296
Joined: Tue Dec 21, 2004 12:13 am

Thu Oct 27, 2005 10:01 pm

))))))

I read this manual maaaany times )) i see these examples when i sleep ).
Ok, i explain my config :

i have 2 interface ether1(100mb) and wlan1 (18mb)

I mangle udp, icmp and gre protocol by 3 mangle rules
Then i add queue name ALL to parent wlan1
and add subqueue to this queue "ALL" as parent with flow udp, icmp and gre.
I did same for interface ether1

On wlan1 i get download speed and on ether1 i get upload speed.

Is that correct ?? :oops:
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Fri Oct 28, 2005 3:15 am

> I mangle udp, icmp and gre protocol by 3 mangle rules

Add one other mangle that captures ALL traffic that is not matched by the above rules. Like this:

create flow-mark on ALL traffic (passthrough)
create flow-mark on gre (not passthrough - "accept")
create flow-mark on icmp (not passthrough - "accept")
create flow-mark on udp (not passthrough - "accept")

> Then i add queue name ALL to parent wlan1
> and add subqueue to this queue "ALL" as parent with flow udp, icmp and gre.
> I did same for interface ether1
>
> On wlan1 i get download speed and on ether1 i get upload speed.
>
> Is that correct ?? :oops:

Yup. That is how it works. One note, though, add a subqueue using the above mangle to your upload and download queues. The reason for this is because traffic that is not forced through a queue, is considered as priority 1 (highest priority). By using the above queue, you can prioritize traffic the way you want it.
 
mfennell
just joined
Posts: 7
Joined: Tue Jun 01, 2004 11:09 pm

Fri Oct 28, 2005 7:38 pm

Maybe we can get the board admins to add another section for Tutorials
 
durim
newbie
Posts: 32
Joined: Thu Oct 27, 2005 6:25 pm

Sat Oct 29, 2005 12:57 pm

I have about 30 routers on which I provide hotspot for clients connected by wireless, and viruses were the thing that gave me a headache, so I had to think a lot about a solution. I set up the hotspot on an ethernet card and connect the AP via it, and most APs don't provide port filtering or inter-client interception, so this is even more of a problem. Most of the time the clients that are not logged in to the hotspot (viruses) try to go out the router, and you know what happens if 1000 packets are returned to the hotspot page: everything is down. I had to restart the router or, in the worse case, lose a lot of time finding the infected computer and dropping it from the internet (MAC filter). At last I decided to use the mikrotik firewall capacities and I got a solution, and I think it would help others that are running hotspots. These are the rules that I have added, and they helped a little bit:

ip firewall mangle add protocol=tcp dst-port=135-139 flow-mark=virus action=accept
ip firewall mangle add protocol=udp dst-port=135-139 flow-mark=virus action=accept
ip firewall mangle add protocol=udp dst-port=445 flow-mark=virus action=accept
ip firewall mangle add protocol=tcp dst-port=445 flow-mark=virus action=accept

These were the rules to mark the traffic, and the final rule:

ip firewall dst-nat add flow=virus action=redirect to-dst-address=1.2.3.4 place-before=0

When you redirect the traffic, redirect it to an IP address which doesn't even exist, not to the router's IP address.

And maybe a queue to limit the traffic (parent is the interface name):

queue tree add flow=virus limit-at=2000 max-limit=3000 parent=antena

I hope that this will help.

Regards, Durim
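
durim mentions losing time finding the infected computer; the following added example (not part of the original post) shows one way to rank hotspot clients by how many distinct hosts they contact on ports 135-139 and 445. The log line layout and every address in the sample are constructed assumptions; adapt the regular expression to what the router actually logs.

```python
import re
from collections import defaultdict

# Ports marked by the mangle rules in the post above: 135-139 and 445.
WORM_PORTS = set(range(135, 140)) | {445}

# Assumed log line layout (constructed for this example):
#   ... src-mac <mac>, proto TCP (SYN), <src>:<sport>-><dst>:<dport>, len N
LINE = re.compile(
    r"src-mac (?P<mac>[0-9A-Fa-f:]{17}), proto (?P<proto>TCP|UDP)[^,]*, "
    r"(?P<src>\d{1,3}(?:\.\d{1,3}){3}):\d+->"
    r"(?P<dst>\d{1,3}(?:\.\d{1,3}){3}):(?P<dport>\d+)"
)


def find_scanners(lines, min_targets=3):
    """Return [(src_ip, mac, distinct_targets, packets)], busiest first.

    A client is reported when it contacts at least min_targets different
    hosts on the worm ports; one file server contacted repeatedly is not
    enough to be listed.
    """
    targets = defaultdict(set)
    packets = defaultdict(int)
    for line in lines:
        m = LINE.search(line)
        if m is None or int(m.group("dport")) not in WORM_PORTS:
            continue
        key = (m.group("src"), m.group("mac").lower())
        targets[key].add(m.group("dst"))
        packets[key] += 1
    hits = [
        (src, mac, len(dsts), packets[(src, mac)])
        for (src, mac), dsts in targets.items()
        if len(dsts) >= min_targets
    ]
    return sorted(hits, key=lambda h: (-h[2], -h[3], h[0]))


# Constructed sample: one client sweeping several hosts, one client
# browsing the web, one client talking NetBIOS to a single host.
SAMPLE_LOG = [
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 10.5.50.23:1034->198.51.100.7:445, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 10.5.50.23:1035->198.51.100.8:445, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 10.5.50.23:1036->198.51.100.9:139, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:01, proto TCP (SYN), 10.5.50.23:1037->203.0.113.20:135, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0C:42:AA:BB:01, proto TCP (SYN), 10.5.50.23:1038->198.51.100.7:445, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:02, proto TCP (SYN), 10.5.50.40:2201->203.0.113.80:80, len 48",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:03, proto UDP, 10.5.50.51:137->10.5.50.1:137, len 78",
    "forward: in:hotspot out:internet, src-mac 00:0c:42:aa:bb:03, proto UDP, 10.5.50.51:137->10.5.50.1:137, len 78",
]

if __name__ == "__main__":
    for src, mac, n_targets, n_packets in find_scanners(SAMPLE_LOG):
        print(f"{src} ({mac}): {n_targets} targets, {n_packets} packets")
```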
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Oct 31, 2005 4:39 pm

can we have again the list to block porn sites ?
thanks
Gianluca
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Mon Oct 31, 2005 6:41 pm

i think M2.9.6 bandwidth limiting still having some problem......!
i follow the manual 100% not working......! :(
when will the bandwidth limiting works perfectly.....!
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Oct 31, 2005 6:46 pm

what does it have to do with blocking porn sites ?
 
maroon
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon

Mon Oct 31, 2005 6:55 pm

honestly I haven't installed Mikrotik 2.9... on my systems

and concerning the porn blacklist..

search on the forum and i'm quite sure you will find the list

Regards,
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Oct 31, 2005 7:14 pm

already done, cannot find it.
if you have it, you can publish it
 
proxy
Frequent Visitor
Posts: 82
Joined: Wed Dec 15, 2004 1:18 am

Mon Oct 31, 2005 7:39 pm

if anyone needs the porn black list for proxy i have it if anyone needs it just tell me and i will post it
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Mon Oct 31, 2005 8:01 pm

what is green,yellow,red means in queue.....?
 
butche
Trainer
Posts: 428
Joined: Fri May 28, 2004 6:14 pm
Location: Missouri, USA

Mon Oct 31, 2005 8:07 pm

> what is green,yellow,red means in queue.....?

http://www.mikrotik.com/docs/ros/2.9/root/queue
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Oct 31, 2005 8:53 pm

proxy, thanks for help.
you can publish it (if it possible) or email it to gianred123@yahoo.it
thanks
Gianluca
 
proxy
Frequent Visitor
Posts: 82
Joined: Wed Dec 15, 2004 1:18 am

Mon Oct 31, 2005 9:12 pm

here friends
http://rapidshare.de/files/7013300/porn_blocklist.txt.html
TESTED OK

if any problems tell me i will upload it again on another server.,
 
gianluca
Member Candidate
Posts: 258
Joined: Sun Aug 08, 2004 11:00 pm
Location: Italy - Spain - USA

Mon Oct 31, 2005 9:20 pm

thank you very much, BUT it looks like this is very country-sensitive since you can probably still connect to 100% of SPANISH porn sites.... so this is not useful for us since our market is Spain
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Mon Oct 31, 2005 11:16 pm

how bout virus,spyware.....?
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Tue Nov 01, 2005 1:16 am

> I have about 30 routers on which I provide hotspot for clients connected by wireless, and viruses were the thing that gave me a headache, so I had to think a lot about a solution. I set up the hotspot on an ethernet card and connect the AP via it, and most APs don't provide port filtering or inter-client interception, so this is even more of a problem. Most of the time the clients that are not logged in to the hotspot (viruses) try to go out the router, and you know what happens if 1000 packets are returned to the hotspot page: everything is down. I had to restart the router or, in the worse case, lose a lot of time finding the infected computer and dropping it from the internet (MAC filter). At last I decided to use the mikrotik firewall capacities and I got a solution, and I think it would help others that are running hotspots. These are the rules that I have added, and they helped a little bit:
>
> ip firewall mangle add protocol=tcp dst-port=135-139 flow-mark=virus action=accept
> ip firewall mangle add protocol=udp dst-port=135-139 flow-mark=virus action=accept
> ip firewall mangle add protocol=udp dst-port=445 flow-mark=virus action=accept
> ip firewall mangle add protocol=tcp dst-port=445 flow-mark=virus action=accept
>
> These were the rules to mark the traffic, and the final rule:
>
> ip firewall dst-nat add flow=virus action=redirect to-dst-address=1.2.3.4 place-before=0
>
> When you redirect the traffic, redirect it to an IP address which doesn't even exist, not to the router's IP address.
>
> And maybe a queue to limit the traffic (parent is the interface name):
>
> queue tree add flow=virus limit-at=2000 max-limit=3000 parent=antena
>
> I hope that this will help.
>
> Regards, Durim

durim, well why don't you just drop all traffic that goes through those ports instead of taking up extra processor by redirecting. i think that's neater. then i don't know if you'll need it but i have a set of rules that blocks out most viruses. and it's executed before any other rules are; in my tables. so if u need it just holla!!
even the ports you blocked are a part of it


please i need some help on hotspot. i really do. am a rookie when it comes to that
 
jaytcsd
Member
Posts: 332
Joined: Wed Dec 29, 2004 9:50 am
Location: Pittsboro IN

Tue Nov 01, 2005 3:53 am

nowoxi, what kind of help do you need with hotspots?

I've managed to get 2.8.28 and 2.9.5 working with hotspots.
 
nowoxi
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Tue Nov 01, 2005 1:14 pm

well i have a small wireless network and i use firewalls to limit connection and manage connections and it's growing. i am afraid if people get to know how i get the connection done i might have problems
some one suggested HOTSPOT to me but i haven't been able to understand it let alone deploy it so i guess i need a thorough explanation n all
 
larmaid
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Tue Nov 01, 2005 9:35 pm

can mt block user from viewing or browsing or access to another user in the same network(LAN)...?
if can how....?

and how to block user when fail to login 3 times in hotspot...?
 
durim
newbie
Posts: 32
Joined: Thu Oct 27, 2005 6:25 pm

Wed Nov 02, 2005 1:22 pm

durim
Well, why don't you just drop all traffic that goes through those ports instead of taking up extra processor by redirecting? I think that's neater. Then, I don't know if you'll need it, but I have a set of rules that blocks out most viruses, and it's executed before any other rules are in my tables. So if you need it, just holla!!
Even the ports you blocked are a part of it.


Please, I need some help on hotspot. I really do. I am a rookie when it comes to that.
Yes, that's true, but how to drop the traffic when this traffic tries to get out of the router and is redirected by the hotspot to the welcome page, thousands of packets, so the router web server stops responding and stops? I was trying to find a solution to stop the blocking of the router web server, because dropping this traffic in forward has no effect.
 
nowoxi
Member Candidate
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Wed Nov 02, 2005 4:53 pm

Can MT block a user from viewing, browsing or accessing another user in the same network (LAN)...?
If it can, how....?

And how to block a user who fails to log in 3 times in the hotspot...?
I don't know much about hotspot, so I can't answer that.

But for the clients not having access, just disable forwarding.

I won't mind if you'll explain hotspot to me a little bit; I think I need it.
 
nowoxi
Member Candidate
Member Candidate
Posts: 154
Joined: Tue Aug 30, 2005 2:47 am
Location: nigeria

Wed Nov 02, 2005 5:08 pm

durim

I didn't understand one little bit of your last post. Please be a little clearer :D
 
User avatar
larmaid
Member Candidate
Member Candidate
Posts: 177
Joined: Tue Aug 30, 2005 3:06 pm

Thu Nov 03, 2005 11:23 am

@nowoxi: when a user tries to log in to the hotspot but fails 3 times, and I want that user blocked for about 1 hour or maybe 1 day.....?


Anybody know how to set up watchdog...?
 
durim
newbie
Posts: 32
Joined: Thu Oct 27, 2005 6:25 pm

Thu Nov 03, 2005 12:11 pm

durim

I didn't understand one little bit of your last post. Please be a little clearer :D
Maybe I was a little unclear. What I meant with "yes" was that these rules need extra processor. The meaning of the rules is this: when a computer is infected with a virus, mostly with a worm that uses vulnerabilities in Windows XP on ports 135 & 445 (NetBIOS), it communicates with the others (LAN) and tries to get out of the router, and when the user is not logged in, the hotspot will redirect it to the hotspot page, which kills the router web server, and the service is down until the router is restarted or the www service on the router is disabled and enabled.
Well, I have a small wireless network and I use firewalls to limit connections and manage connections, and it's growing. I am afraid that if people get to know how I get the connection done, I might have problems.
Someone suggested HOTSPOT to me, but I haven't been able to understand it, let alone deploy it, so I guess I need a thorough explanation and all.

So this could be one of your problems. As for your question, "hzeid" gave an explanation of how to set up a hotspot server; I think that's enough for starting a hotspot service. If you have something more, don't hesitate to ask.

Regards Durim
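
Added example (not part of the thread, and not MikroTik code): the post above describes infected clients spraying ports 135-139 and 445 at many hosts, and the time lost finding the infected computer. This Python sketch flags such sources from connection records; the log layout and the sample lines are constructed for illustration and are not RouterOS log output.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

WORM_PORTS = set(range(135, 140)) | {445}  # the ports named in the thread

# Constructed sample records in an assumed "time src -> dst:port proto" layout.
SAMPLE_LOG = """\
2005-11-02 13:00:01 10.5.0.23 -> 10.5.0.40:445 tcp
2005-11-02 13:00:02 10.5.0.23 -> 10.5.0.41:445 tcp
2005-11-02 13:00:02 10.5.0.23 -> 10.5.0.42:135 tcp
2005-11-02 13:00:03 10.5.0.23 -> 10.5.0.43:445 tcp
2005-11-02 13:00:04 10.5.0.23 -> 10.5.0.44:139 tcp
2005-11-02 13:00:05 10.5.0.31 -> 10.5.0.40:445 tcp
2005-11-02 13:00:06 10.5.0.31 -> 10.5.0.40:445 tcp
2005-11-02 13:00:07 10.5.0.77 -> 192.0.2.10:80 tcp
2005-11-02 13:00:08 10.5.0.23 -> 10.5.0.45:137 udp
"""

LINE_RE = re.compile(r"^(\S+ \S+) (\S+) -> (\S+):(\d+) (tcp|udp)$")

def suspected_hosts(log_text, min_targets=5, window=timedelta(seconds=60)):
    """Return {src: n} for sources that contacted at least min_targets
    distinct destinations on the worm ports inside one sliding window."""
    events = defaultdict(list)
    for line in log_text.splitlines():
        m = LINE_RE.match(line.strip())
        if not m:
            continue  # skip anything that is not a connection record
        ts, src, dst, port, _proto = m.groups()
        if int(port) in WORM_PORTS:
            when = datetime.strptime(ts, "%Y-%m-%d %H:%M:%S")
            events[src].append((when, dst))
    flagged = {}
    for src, hits in events.items():
        hits.sort()
        best, start = 0, 0
        for end in range(len(hits)):
            # shrink the window until it spans no more than `window`
            while hits[end][0] - hits[start][0] > window:
                start += 1
            best = max(best, len({d for _, d in hits[start:end + 1]}))
        if best >= min_targets:
            flagged[src] = best
    return flagged

if __name__ == "__main__":
    print(suspected_hosts(SAMPLE_LOG))
```

A client that talks to a single file server on port 445 stays below the threshold, while a host fanning out to many addresses is reported with its distinct-target count.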
 
User avatar
maroon
Member Candidate
Member Candidate
Topic Author
Posts: 230
Joined: Thu Oct 07, 2004 11:15 am
Location: Lebanon
Contact:

Wed Nov 09, 2005 6:27 pm

Posting a PCQ example!!

anyone? ready to post it?

thanks
 
User avatar
maximan
Trainer
Trainer
Posts: 543
Joined: Sat May 29, 2004 12:10 am
Location: Rio Cuarto, Argentina
Contact:

Wed Nov 09, 2005 7:23 pm

Can admin create a how-to section on this forum??
Because there are a lot of messages and it is difficult to read.
