Beware, clients can see your graphs !

wifi · February 25, 2006, 11:18pm

Beware of the little oversight that most people make. From version 2.9 or whichever had the graphing first, all your clients can view you graphs. And they can see how many clients you have on the network and how much bandwidth they are using.

Go via web browser http://“the ip of your mikrotik:port number”
eg http://192.145.0.1:8080 (yes I know this is obvious to some but not to all. There you will get a lot of info on your mikrotik. Click on the graphs and … oops ! There they are. To stop this, open winbox, login to mikrotik. Click on tools, graphing, then add the ip of the system/s that you want to allow to graphs under all the rules sections

Before you do this, enable default authenticate (will tell you why at the end)
To stop anyone besides your internal network (office) from viewing that start up page you need to add a few firewall rules. (attached below)
You must change ip range to that of your internal network on the attached rules.. (the one connected to the mikrotik otherwise you will lock yourself out.
Best way to make sure you dont get locked out, open x2 instances on the winbox of the same mikrotik. Use the one to paste the below rules into terminal window. Keep the other open on firewall rules. Paste the rules, press enter, close the winbox then try to reopen, if it does not open, then use the other winbox that is open of the firewall rules to correct mistakes. Always have one open when creating firewall rules. If you should do the unthinkable and close both winbox’s and get locked out then default authenticate will be on so you can get at the mikrotik from another highsite via mac-telnet session where you can disable the firewall rules by going to /ip firewall input. Once you get it right and you can get back to winbox, reboot the mikrotik to make sure settings have been applied.

We are working on a list for eliminating excess traffic on the mikrotiks, so far we are down to 6-10% cpu usage from the previous 25-40%.
Will make another post after we have tested the new firewall rules for at least a week on an active network to make sure we dont drop anyone in the *&^%$. We have learnt loads by RTFM’ing and trial and error (on spare mikrotik of course)
Good luck, I hope this has helped

/ip firewall rule input
add connection-state=invalid action=drop comment=“Drop invalid connection packets”
add connection-state=established comment=“Allow established connections”
add connection-state=related comment=“Allow related connections”
add protocol=udp comment=“Allow UDP connections”
add protocol=icmp comment=“Allow ICMP messages”
add src-addr=192.168.10.0/24 comment=“Allow access from ‘trusted’ network 192.168.10.0/24”
add action=drop log=yes

cibernet · February 26, 2006, 2:40am

wifi:

Beware of the little oversight that most people make. From version 2.9 or whichever had the graphing first, all your clients can view you graphs. And they can see how many clients you have on the network and how much bandwidth they are using.

Go via web browser http://“the ip of your mikrotik:port number”
eg http://192.145.0.1:8080 (yes I know this is obvious to some but not to all. There you will get a lot of info on your mikrotik. Click on the graphs and … oops ! There they are. To stop this, open winbox, login to mikrotik. Click on tools, graphing, then add the ip of the system/s that you want to allow to graphs under all the rules sections

Before you do this, enable default authenticate (will tell you why at the end)
To stop anyone besides your internal network (office) from viewing that start up page you need to add a few firewall rules. (attached below)
You must change ip range to that of your internal network on the attached rules.. (the one connected to the mikrotik otherwise you will lock yourself out.
Best way to make sure you dont get locked out, open x2 instances on the winbox of the same mikrotik. Use the one to paste the below rules into terminal window. Keep the other open on firewall rules. Paste the rules, press enter, close the winbox then try to reopen, if it does not open, then use the other winbox that is open of the firewall rules to correct mistakes. Always have one open when creating firewall rules. If you should do the unthinkable and close both winbox’s and get locked out then default authenticate will be on so you can get at the mikrotik from another highsite via mac-telnet session where you can disable the firewall rules by going to /ip firewall input. Once you get it right and you can get back to winbox, reboot the mikrotik to make sure settings have been applied.

We are working on a list for eliminating excess traffic on the mikrotiks, so far we are down to 6-10% cpu usage from the previous 25-40%.
Will make another post after we have tested the new firewall rules for at least a week on an active network to make sure we dont drop anyone in the *&^%$. We have learnt loads by RTFM’ing and trial and error (on spare mikrotik of course)
Good luck, I hope this has helped

/ip firewall rule input
add connection-state=invalid action=drop comment=“Drop invalid connection packets”
add connection-state=established comment=“Allow established connections”
add connection-state=related comment=“Allow related connections”
add protocol=udp comment=“Allow UDP connections”
add protocol=icmp comment=“Allow ICMP messages”
add src-addr=192.168.10.0/24 comment=“Allow access from ‘trusted’ network 192.168.10.0/24”
add action=drop log=yes

When you set up graphing you allow only the ip/ips that you want to have access to the graphs… and graphing is not enabled by default…

Regards…

–
José Ignacio Acosta
Cibernet Comunicaciones / Mikronet
Joaquín V. González
Salta - Argentina
http://www.mikronet.com.ar
http://www.cibernetcom.com.ar

valens · February 26, 2006, 11:37am

No thing to worry.
It’s very easy to block user from seeing the graph.
You can make ACL for each graph