Net 10.10.10.0/24 can access (ping, remote, …) net 192.168.100.0/24,
but net 192.168.100.0/24 can't access net 10.10.10.0/24.
So how do I allow this rule to access both sides?
Is this problem from NAT or Firewall Filter? Can you show me the code?
You don’t need a rule to allow it unless you have blocked it with another rule. If you would be so kind as to post “/ip firewall filter” like I asked in the post below, then maybe someone could help you. http://forum.mikrotik.com/t/mikrotik-and-ias-please-help/42004/1
If ether1 is your WAN, then the srcnat or masquerade in “/ip firewall nat” could interfere. You will need to either route the network and remove the masquerade, or exclude the WAN localnet from the masquerade.
Thank you so much for your support. Now I can do it! All users in the Windows AD Server can join to use the internet via the wireless hotspot.
But why, after login, can't any user log out?
Ex: for user-management, just go to http://10.10.10.1/logout and it will log out automatically, but now I can't get to this address. Why?
One more thing:
All users (AD users) connected to the internet do not have a report as users of user-management. Why? And how do I get those reports?
Now I can't filter bandwidth for manual users as before, so do you have experience with it?
If you mean you can’t access any computer behind the hotspot unless it is logged in, that is normal. The computer must be logged in to the hotspot to access from outside the hotspot localnet. Or you can bypass the ip address/mac address:
If you want to limit the upload/download speed, you can do it easily with the user profile.
/ip hotspot user profile
set 0 rate-limit="256K/1M"
This limits the default user group to 256K upload and 1M download. You can add additional user profiles if you want different user bandwidths, or any other user profile options. I think this is the “Group” entry in User Manager. Set it to the user profile name to use a different user profile.
ADD: And some web browsers (IE8 for example) will not display the “logged in” (status) page with the logout button. I am still working on that myself!
Read the RADIUS client ACCESS-ACCEPT section of the manual: http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client
It shows what parameters to send back for rate limits. You may need to import the Mikrotik dictionary linked on the wiki into IAS before having access to those parameters.
For accounting, refer to the Hotspot server profile manual: http://wiki.mikrotik.com/wiki/Manual:IP/Hotspot/Profile
Set radius-accounting to yes for the relevant Hotspot server profile used by your Hotspot. Ensure IAS is listening on the accounting port specified in the RADIUS client (see first manual link), and that all firewalls are permitting traffic on that port just like you did for RADIUS authentication. IAS will then log accounting packets as usual, see http://technet.microsoft.com/en-us/library/bb742383.aspx or other MS TechNet/KB links for details.
I didn’t know either. But I googled it for you. Straight from TechNet:
Will IAS work with my NAS if the attributes for my NAS are not in the IAS multi-vendor dictionary?
Yes. If there is an attribute that your NAS requires, you can configure a custom vendor-specific attribute (VSA) on the Advanced tab of the profile for the matching remote access policy. Check your NAS documentation for the correct format of these attributes.
The wiki link and the dictionary list all the data you need (vendor identifier, attribute identifiers, and types). So just enter the attributes you need as custom VSAs. I imagine Google and the built in Windows help have more details and examples.
Yes sir, I have tried to google how to use it but I still can't.
I also don't understand how to send either Framed-IP-Address or Framed-Pool with the RADIUS Access-Accept.
Do we do it on the Mikrotik Router or on the IAS RADIUS server (AD server 2003)?
I have checked the link http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client, but I don't know how to work with it.
That is the first result from a Google search for “Microsoft radius custom VSA”.
So if you want to set up the Mikrotik-Rate-Limit attribute, as per http://wiki.mikrotik.com/wiki/Manual:RADIUS_Client#MikroTik_Specific_RADIUS_Attribute_Numeric_Values the vendor code for step 4 is 14988. The vendor is RFC compliant for step 4. In the dialog that opens set the vendor assigned attribute to 8, the type to String and the value to whatever you want the rate limit to be according to the RADIUS client wiki, which is very extensive in that regard. Framed-IP-Address is a standard RADIUS attribute and is in the default dictionary and you can just choose it from the default list of return attributes.
If that is still unclear I am afraid I don’t know how to help you any further.
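The reply above tells you which numbers go into the IAS dialog (vendor 14988, vendor-assigned attribute 8, type String, plus the standard Framed-IP-Address attribute) but not what the resulting Access-Accept looks like on the wire, which is what you would capture when checking whether IAS actually returns the rate limit. The following is an added example, not code from this thread, from MikroTik or from IAS: it encodes those two attributes into an Access-Accept exactly as RFC 2865 lays them out (attribute 26 wrapping a 4-byte vendor id and a vendor sub-attribute), then parses such a packet back and verifies its Response Authenticator against the shared secret. The shared secret, request authenticator, identifier, IP address and rate string are constructed sample values.

```python
import hashlib
import hmac
import ipaddress
import struct

ACCESS_ACCEPT = 2
ATTR_FRAMED_IP_ADDRESS = 8   # standard RADIUS attribute (RFC 2865 section 5.8)
ATTR_VENDOR_SPECIFIC = 26    # Vendor-Specific attribute (RFC 2865 section 5.26)
MIKROTIK_VENDOR_ID = 14988   # vendor code from the RouterOS RADIUS client manual
MIKROTIK_RATE_LIMIT = 8      # vendor-assigned number of Mikrotik-Rate-Limit (type String)


def encode_attr(attr_type, value):
    # Type (1 byte), Length (1 byte, includes the two header bytes), Value
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def encode_vsa(vendor_id, vendor_type, value):
    # A VSA is attribute 26 whose value is Vendor-Id (4 bytes, high byte zero)
    # followed by one vendor sub-attribute: Vendor-Type, Vendor-Length, data.
    sub = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    return encode_attr(ATTR_VENDOR_SPECIFIC, struct.pack("!I", vendor_id) + sub)


def build_access_accept(identifier, request_authenticator, secret, framed_ip, rate_limit):
    attrs = encode_attr(ATTR_FRAMED_IP_ADDRESS, ipaddress.IPv4Address(framed_ip).packed)
    attrs += encode_vsa(MIKROTIK_VENDOR_ID, MIKROTIK_RATE_LIMIT, rate_limit.encode())
    header = struct.pack("!BBH", ACCESS_ACCEPT, identifier, 20 + len(attrs))
    # Response Authenticator = MD5(Code + ID + Length + RequestAuth + Attributes + Secret)
    resp_auth = hashlib.md5(header + request_authenticator + attrs + secret).digest()
    return header + resp_auth + attrs


def parse_attrs(data):
    """Walk the attribute list; yields (type, vendor_id, vendor_type, value) tuples."""
    result = []
    pos = 0
    while pos < len(data):
        if pos + 2 > len(data):
            raise ValueError("truncated attribute header")
        atype, alen = data[pos], data[pos + 1]
        if alen < 2 or pos + alen > len(data):
            raise ValueError("bad attribute length")
        value = data[pos + 2:pos + alen]
        if atype == ATTR_VENDOR_SPECIFIC:
            if len(value) < 6:
                raise ValueError("VSA too short")
            vendor_id = struct.unpack("!I", value[:4])[0]
            ipos = 4
            while ipos < len(value):  # a VSA may carry several sub-attributes
                if ipos + 2 > len(value):
                    raise ValueError("truncated VSA sub-attribute")
                vtype, vlen = value[ipos], value[ipos + 1]
                if vlen < 2 or ipos + vlen > len(value):
                    raise ValueError("bad VSA sub-attribute length")
                result.append((atype, vendor_id, vtype, value[ipos + 2:ipos + vlen]))
                ipos += vlen
        else:
            result.append((atype, None, None, value))
        pos += alen
    return result


def decode_access_accept(packet, request_authenticator, secret):
    """Verify the Response Authenticator, then pick out the attributes RouterOS acts on."""
    if len(packet) < 20:
        raise ValueError("packet shorter than the RADIUS header")
    code, identifier, length = struct.unpack("!BBH", packet[:4])
    if length != len(packet):
        raise ValueError("length field does not match packet size")
    attrs = packet[20:]
    expected = hashlib.md5(packet[:4] + request_authenticator + attrs + secret).digest()
    if not hmac.compare_digest(packet[4:20], expected):
        raise ValueError("Response Authenticator mismatch: wrong shared secret or forged reply")
    out = {"code": code, "identifier": identifier}
    for atype, vendor_id, vtype, value in parse_attrs(attrs):
        if atype == ATTR_FRAMED_IP_ADDRESS and len(value) == 4:
            out["Framed-IP-Address"] = str(ipaddress.IPv4Address(value))
        elif atype == ATTR_VENDOR_SPECIFIC and vendor_id == MIKROTIK_VENDOR_ID \
                and vtype == MIKROTIK_RATE_LIMIT:
            out["Mikrotik-Rate-Limit"] = value.decode()
    return out


def demo():
    # Constructed sample values; not taken from any real deployment.
    secret = b"example-shared-secret"
    request_authenticator = bytes(range(16))
    packet = build_access_accept(42, request_authenticator, secret, "10.10.10.50", "256K/1M")
    return decode_access_accept(packet, request_authenticator, secret)


if __name__ == "__main__":
    print(demo())
```

The rate string “256K/1M” is the same format the user-profile `rate-limit` setting earlier in the thread uses, so a matching VSA in the Access-Accept is what makes IAS behave like the local profile. The authenticator check is the part worth keeping around: a hotspot that silently ignores a reply usually means the shared secret differs on one side, and this check fails the same way.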