I have RouterOS v6.33.3 installed on a Cisco 3315 and everything is OK, but sometimes the clients and I can't reach the internet, and at that time I can't reach the server and new clients can't log in with their hotspot users or User Manager users.
In other words, we can't reach the server at all for 5 minutes; this happens about 4 or 5 times a day.
I am thinking about viruses, a DDoS attack, NetCut, spoofing, or something like that.
Can anyone help me? With all respect,
forgive my simple English.
You need to do more trouble isolation steps.
I recommend finding out whether it’s the router or the wlan.
Have a computer attached directly to the Mikrotik, and active in the hotspot so that no login is required to be on the Internet. The next time the problem happens, find out if the test computer is also cut off from the Internet.
If so, then there is a problem affecting the router itself, and it isn’t something like wireless interference.
If the Internet goes down for the test computer as well, see if you lose all connectivity to the Mikrotik, or if it is just the Internet. Maybe you should leave a copy of Winbox connected to the router so that when the problem happens, you can just check Winbox to see if you’re still in the router, and if you are, see if it can ping something well known like 8.8.8.8
Find out what part of your system is the cause, then you can start to determine why it is failing.
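A way to make ZeroByte's isolation step run on its own, as an added example (not the post's own configuration): the router keeps its own record of each outage, so nobody has to be sitting in Winbox when it happens. It assumes the upstream gateway is 203.0.113.1, the test computer from the previous post sits at 192.168.88.10 on the LAN, and www.mikrotik.com is used as a resolvable name; change those to match the site.

```routeros
# Added example: log the timeline of an outage from the router itself.
# Assumptions (placeholders): WAN gateway 203.0.113.1, LAN test host
# 192.168.88.10, probe name www.mikrotik.com.
/tool netwatch
# Upstream gateway: if this goes down, the fault is on the WAN side.
add host=203.0.113.1 interval=30s timeout=1s \
    down-script=":log warning \"netwatch: WAN gateway unreachable\"" \
    up-script=":log info \"netwatch: WAN gateway back\""
# A well-known public host: distinguishes "gateway up, internet down".
add host=8.8.8.8 interval=30s timeout=1s \
    down-script=":log warning \"netwatch: 8.8.8.8 unreachable\"" \
    up-script=":log info \"netwatch: 8.8.8.8 back\""
# The LAN test computer: if the router cannot reach it either, the
# fault is on the LAN/bridge side and not on the WAN.
add host=192.168.88.10 interval=30s timeout=1s \
    down-script=":log warning \"netwatch: LAN test host unreachable\"" \
    up-script=":log info \"netwatch: LAN test host back\""

# Netwatch only pings. A DNS-only failure (gateway fine, names not
# resolving) would be invisible to it, so also probe the router's own
# resolver, which is what hotspot clients use through the DNS proxy.
/system scheduler
add name=dns-probe interval=30s \
    on-event=":do { :resolve www.mikrotik.com } on-error={ :log warning \"dns-probe: resolve failed\" }"

# After the next outage, read the timeline:
/log print where message~"netwatch|dns-probe"
```

If the gateway and 8.8.8.8 entries stay up while dns-probe fails, the problem is resolution, not connectivity; if the LAN test host entry fails at the same time as the others, the router has lost the LAN side (bridge, switch or ARP), not the uplink.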
@ZeroByte … how can we detect whether a user is using NetCut or similar DoS attack programs? Do you have any idea?
Well, if they’re part of a DDoS attack, you’ll see lots of new connections from that one user, or maybe you’ll see lots of random source IP addresses. If you don’t trust your users, one thing to do is put anti-spoofing filters on the router so that your network can’t be part of a DNS amp attack. (drop packets where the src-address is not correct for the LAN)
If you want to stop them from port scanning hosts on the net, you could have some rule that allows a certain amount of new connections per amount of time. If the user exceeds this threshold, they reach another rule which adds them to a blacklist.
The dhcp server has a feature (I think it’s called alert) which will detect rogue DHCP servers.
As for netcut’s ability to ARP poison other users’ computers, the only way you can stop that is to block user-to-user forwarding in all switches in the vlan… which unfortunately blocks netbios / gaming / etc… If all switches and access points are RouterOS devices, you can use bridge filters as you mentioned - and you could narrow down your filtering to, say, ARP requests and BootpC and BootpS…
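The four controls ZeroByte lists (anti-spoofing filter, new-connection budget with blacklist, DHCP alert, bridge filters for ARP/BOOTP) as one RouterOS configuration, added here as an example and not taken from the post. It assumes the hotspot LAN is the bridge "bridge-lan" with subnet 192.168.88.0/24, that ether2 and ether3 are client-facing bridge ports, and that the router's own DHCP server answers with MAC 64:D1:54:00:00:01; all of those are placeholders.

```routeros
# Added example (not ZeroByte's own config). Placeholders: bridge-lan,
# 192.168.88.0/24, client ports ether2/ether3, DHCP server MAC below.

/ip firewall filter
# 1. Anti-spoofing: a LAN client may only send from a LAN address, so
#    the network cannot carry forged-source DNS/NTP amplification traffic.
add chain=forward in-interface=bridge-lan src-address=!192.168.88.0/24 \
    action=drop comment="drop spoofed sources from LAN"
add chain=input in-interface=bridge-lan src-address=!192.168.88.0/24 \
    action=drop comment="drop spoofed sources from LAN (to router)"

# 2. New-connection budget per client: 20 new connections per second,
#    burst 40, tracked per source address. Over budget -> 10 min blacklist.
#    Done in a sub-chain so in-budget packets return to the normal rules.
add chain=forward in-interface=bridge-lan connection-state=new \
    action=jump jump-target=lan-new comment="per-client new-conn budget"
add chain=lan-new src-address-list=scanners action=drop \
    comment="blacklisted scanner"
add chain=lan-new dst-limit=20,40,src-address/1m action=return \
    comment="within budget"
add chain=lan-new action=add-src-to-address-list address-list=scanners \
    address-list-timeout=10m comment="over budget -> blacklist"
add chain=lan-new action=drop

# 3. Rogue DHCP detection: any other server answering on bridge-lan is
#    logged (valid-server = MAC of our own DHCP server).
/ip dhcp-server alert
add interface=bridge-lan valid-server=64:D1:54:00:00:01 alert-timeout=1m \
    on-alert=":log warning \"rogue DHCP server seen on bridge-lan\""

# 4. Bridge filters, only where the client ports are bridge members on a
#    RouterOS device: no DHCP offers (UDP src port 67 = bootps) from a
#    client port, and no ARP directly between client ports.
/interface bridge filter
add chain=forward in-interface=ether2 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop comment="no DHCP offers from client ports"
add chain=forward in-interface=ether3 mac-protocol=ip ip-protocol=udp \
    src-port=67 action=drop
add chain=forward in-interface=ether2 out-interface=ether3 \
    mac-protocol=arp action=drop comment="no client-to-client ARP"
add chain=forward in-interface=ether3 out-interface=ether2 \
    mac-protocol=arp action=drop

# 5. Protect the router's own ARP table from NetCut-style poisoning: the
#    DHCP server installs static ARP entries and the bridge stops learning.
/ip dhcp-server set [find interface=bridge-lan] add-arp=yes
/interface bridge set bridge-lan arp=reply-only
```

The filter rules have to sit above any general accept in the forward chain. Step 4 is the trade-off ZeroByte describes: without ARP between client ports there is no client-to-client IP traffic at all (NetBIOS, gaming), and on wireless the equivalent is default-forwarding=no on the AP. Step 5 only protects the gateway's view of the clients; it does nothing for a client that has been poisoned about who the gateway is, which is why the switch-level controls are still needed.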
@ZeroByte … thank you very much for your helpful info.
Actually, yes, I don't trust the network users, as some of them are acting offensively; that's why I am trying to find a good way to stand against their use of NetCut specifically. (I am still looking for a good solution, really.)
Another issue: I need to allow a user to log in from certain MAC devices only… is there any way to do it?
Without re-reading the thread, I’m thinking this is a student network at a campus… correct?
If so, I would get the administration’s backing and threaten disciplinary action and fines if you catch them doing anything. Log their activities, and follow through on the promise of disciplinary action.
My workplace uses a web content filter to stop people from surfing certain websites, and they want to track stuff and put up fences. My philosophy is: “Stop doing X or you’re fired.” We spend tons of money on licensing and support and running the damned boxes instead of just expecting our employees to follow the rules.
[/rant]
You probably need to do some research into “port level security” and get some gear that can enforce this better than ROS can. ROS is a router first, and while it has some interesting tricks up its sleeve as a middle-box / ethernet switch / bridge / etc - it’s not a very good choice for any layer2 requirements above basic switching and VLAN transport.
One decent access switch with features like DHCP guard, ARP guard, private VLAN, dot1x, igmp snooping, broadcast storm control, etc can make your life so much easier.
I had a similar problem some time ago, and it was resolved after deep troubleshooting on my LAN. The problem was that a user had another device connected to my network through one of the RJ-45 sockets, and this device had DHCP enabled, which caused a DHCP conflict at certain points in time, and I had to restart my server rack before users could reconnect.
There are a lot of LAN troubleshooting tools out there that you could use, but I got my problem solved by using just these two:
1. MyLanViewer Network/IP Scanner
MyLanViewer Network/IP Scanner is a powerful NetBIOS and LAN/Network IP address scanner for Windows, whois and traceroute tool, remote shutdown and Wake On LAN (WOL) manager, wireless network scanner and monitor. This application will help you find all IP addresses, MAC addresses and shared folders of computers on your wired or wireless (Wi-Fi) network. The program scans the network and displays your network computers in an easy to read, buddy-list style window that provides the computer name, IP address, MAC address, NIC vendor, OS version, logged users, shared folders and other technical details for each computer. MyLanViewer Network/IP Scanner supports remote shutdown, wake-on-LAN, lock workstation, log off, sleep, hibernate, reboot and power off. It is able to monitor IP addresses and show notifications when the states of some computers change. MyLanViewer Network/IP Scanner can also view and access shared folders, terminate user sessions, disable shared folders, show netstat information and detect rogue DHCP servers. The software can monitor all devices (even hidden) on your subnet, and show notifications when new devices are found (for example, to know who is connected to your WiFi router or wireless network). The program is easy to install and use, and has a user-friendly and beautiful interface.
Download link: http://www.mylanviewer.com/MyLanViewer-setup.exe
2. DhcpExplorer
The DhcpExplorer tool allows you to discover DHCP servers on your local subnet or LAN. This is useful for locating servers that are not supposed to be on your network (rogue DHCP servers) as well as checking the expected output of known servers. DHCP Explorer broadcasts on the local physical subnet to find available DHCP servers. The tool is designed with a user-friendly interface and is easy to use.
Download link: http://www.nsauditor.com/freeware/downloads/DhcpExplorer.exe
Hope this helps.
Also, enable strict RP filtering to avoid the spoofing part of it,
and enable syncookies (if you don't use ECN and DCTCP).
That's ANOTHER reason WHY I request/ask for an option to disable "loose" filtering in conntrack, just like we're able to disable route caching or redirects.
Generally, "naked" conntrack is very bypassable anyway, and you have to use something in your MetaROUTER or a separate network node.
Personally, I would suggest things like Zorp.
I think I found something. I was downloading via Internet Download Manager when the problem happened, but Internet Download Manager showed an error message (DNS has temporary problems).
Maybe it's a DNS attack?
Note: when the problem was on, my main internet line was still working 100%.
Maybe. DNS and NTP exploitation, including DNS amp attacks and DNS poisoning, have remained popular for around 20 years.
As you probably use/rely on a static DNS server, put in a firewall rule restricting DNS traffic toward/from it,
and/or build a whitelist (in "lists" in the firewall) if you feel the need to be a bit more flexible and if you use a bit more automation, scripts, failover or balancing, bonding.
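The DNS restriction and whitelist the previous post suggests, written out as an added example (not the poster's configuration). It assumes the hotspot bridge is "bridge-lan" (192.168.88.0/24), the WAN port is ether1, and the upstream resolvers are 8.8.8.8 and 8.8.4.4; the address list is what makes it easy to swap resolvers later for failover or balancing without touching the rules.

```routeros
# Added example. Placeholders: bridge-lan, ether1, resolvers 8.8.8.8/8.8.4.4.
/ip dns set servers=8.8.8.8,8.8.4.4 allow-remote-requests=yes

# Whitelist of resolvers the router itself may talk to.
/ip firewall address-list
add list=dns-upstream address=8.8.8.8
add list=dns-upstream address=8.8.4.4

/ip firewall filter
# Clients resolve through the router only (the hotspot DNS proxy).
add chain=input in-interface=bridge-lan protocol=udp dst-port=53 \
    action=accept comment="LAN DNS to router"
add chain=input in-interface=bridge-lan protocol=tcp dst-port=53 \
    action=accept
# The router's own queries may go only to whitelisted resolvers; a
# poisoned or hijacked /ip dns entry then fails loudly instead of quietly.
add chain=output protocol=udp dst-port=53 dst-address-list=!dns-upstream \
    action=drop comment="router DNS only to whitelist"
add chain=output protocol=tcp dst-port=53 dst-address-list=!dns-upstream \
    action=drop
# Clients may not bypass the router and speak DNS to the internet directly.
add chain=forward in-interface=bridge-lan protocol=udp dst-port=53 \
    action=drop comment="no direct client DNS"
add chain=forward in-interface=bridge-lan protocol=tcp dst-port=53 \
    action=drop
# allow-remote-requests=yes answers anyone who can reach the router, so
# close port 53 on the WAN or the box becomes an open resolver that can be
# used in DNS amplification and hammered during the busy hours.
add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no open resolver on WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop

# Quick check that nothing is still hitting the WAN side on port 53:
/ip firewall filter print stats where comment="no open resolver on WAN"
```

The last rule is the one most worth checking first: if its counters climb into the millions, the router has been serving as an open resolver, which by itself can produce exactly the periodic "DNS has temporary problems" symptom while the uplink looks fine.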
Could it be as simple as congestion? Download managers attempt to squeeze every single drop of bandwidth, so is it possible that DNS was just getting dropped by congestion? Since it's simple UDP, it doesn't handle this as well…
Maybe simply fragmentation issues. Try reducing the MTU for both interfaces and for the DNS service,
and add MSS clamping (temporarily) as well.
Or any other kind of exploitation, like redirect exploitation or route cache. That's why it can be disabled in newer ROS (and should be in most cases).
I wonder if “Secure Redirects” option also checks the MAC address of the source of ICMP redirects…
AFAIK the most relevant things are purely L3 stuff, including strict RP filtering,
more like ARP poisoning attempts or brute-forcing of any kind.
As for redirects, they remain exploitable in any case, just with a different approach/tactic.
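The host-level knobs the thread has mentioned so far (strict RP filtering and syncookies, disabling redirects and the route cache, and the temporary MSS clamp and MTU reduction for the fragmentation theory) collected into one place, as an added example that is not from any of the posts. It assumes the WAN port is ether1 and uses 1400 as a placeholder test MTU.

```routeros
# Added example. Placeholders: WAN port ether1, test MTU 1400.
/ip settings
set rp-filter=strict tcp-syncookies=yes \
    accept-redirects=no send-redirects=no secure-redirects=no \
    accept-source-route=no route-cache=no
# Confirm what the running version actually exposes before relying on it:
/ip settings print

# Temporary MSS clamp for the fragmentation test: TCP SYNs crossing the
# WAN carry an MSS no larger than the path MTU allows.
/ip firewall mangle
add chain=forward protocol=tcp tcp-flags=syn out-interface=ether1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="temporary MSS clamp (fragmentation test)"
add chain=forward protocol=tcp tcp-flags=syn in-interface=ether1 \
    action=change-mss new-mss=clamp-to-pmtu passthrough=yes \
    comment="temporary MSS clamp (fragmentation test)"

# Reduced L3 MTU on the WAN side, only while testing.
/interface ethernet set ether1 mtu=1400

# Roll back the test when done:
# /interface ethernet set ether1 mtu=1500
# /ip firewall mangle remove [find comment~"fragmentation test"]
```

rp-filter=strict drops any packet whose source would not be routed back out the interface it arrived on; with the PPPoE clients, failover or balancing mentioned in the thread, where return paths can differ, that silently breaks traffic, and loose is the safe choice there. Whether secure-redirects checks the MAC of the redirect sender is not something the option documents; it only restricts accepted redirects to listed gateways, so it is not a defence against an ARP-poisoned gateway.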
So what to do, guys?
In rush hour I have no internet.
Does each user receive their own specific queue from the hotspot authentication?
(do you specify rate limits on the user profile or user account)
You might try configuring a master PCQ for the user interface instead of assigning individual user queues:
off-peak times will allow users to surf much faster when more bandwidth is available, but on-peak times will start making sure nobody gets more than their fair share of the bandwidth.
To do this, configure a simple queue with target= the IP range of the LAN, and make the upstream type as pcq-upstream and the downstream type as pcq-downstream. Then set the max-limit up and down to be whatever bandwidth is available to the site (perhaps 512Kbps less so that your remote management and RADIUS requests can have a little bit saved for them)
In the upstream pcq type, use source address as the classifier and in the downstream one, use destination address as the classifier. This will essentially give each user a fair 1/N share of the bandwidth, where N = number of active traffic flows.
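ZeroByte's PCQ setup as an added configuration example (not his own commands). It assumes the LAN/hotspot subnet is 192.168.88.0/24 and a 100M/100M uplink, holding back 512k for management and RADIUS as he suggests; replace max-limit with the real line rate. Note that with src-address/dst-address classifiers each sub-queue is one client address, so the 1/N share is per active address rather than per flow.

```routeros
# Added example. Placeholders: 192.168.88.0/24, 100M uplink minus 512k.
/queue type
add name=pcq-up   kind=pcq pcq-classifier=src-address pcq-rate=0
add name=pcq-down kind=pcq pcq-classifier=dst-address pcq-rate=0
# pcq-rate=0: no fixed per-client cap; off-peak a client may use the
# whole max-limit, on-peak the parent limit is split evenly.

/queue simple
add name=lan-fair-share target=192.168.88.0/24 queue=pcq-up/pcq-down \
    max-limit=99488k/99488k comment="1/N share per active client"

# Leave the hotspot profile without a rate-limit; otherwise the hotspot
# creates a dynamic simple queue per user ahead of this one and the
# per-user limits win, which is what defeats fair sharing under load.
/ip hotspot user profile set [find name=default] rate-limit=""

# During the busy hour, watch the parent queue saturate and the
# per-address sub-streams being created:
/queue simple print stats
```

The simple queue only covers the addresses in its target, so PPPoE clients on a different pool need their own queue with the same PCQ types or a second target in this one. If the parent never reaches max-limit during the "no internet" hour, the outage is not bandwidth contention and the DNS and open-resolver checks earlier in the thread are the better lead.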
I don't specify rate limits on the user profile because I have a 320 Mb metro line,
and I have 1000 active users, so I can't just specify rate limits.
I'm really confused and I don't know what to do. If there are any protection steps that I can take, please tell me.
And 55 PPPoE clients.
In my opinion, you need to get a professional in to come and have a look at your network. You aren't going to get this fixed via the medium of back-and-forth posts on a forum.
Try Torch, or sniff the traffic (with the built-in sniffer, forwarding the capture to one of your PCs) to see exactly what you are dealing with.
I'm in Syria, man. Who wants to come?
LOL