How to prevent NATed access

Hi fellows,

Just struck me… how to prevent NATed access from clients?

Let's say the IP range allocated to client X is 192.168.2.0/28 and, supposing they want to add more PCs, the client decides to put NAT on one of the allocated IPs. It could be Winroute, Wingate, Linux NAT, etc.

How to prevent this?

TIA

Paul

I wonder if one can put a Routing metric limit on it… Limit the TTL - Can that be done in MT?

Example please…

I can’t make out what you’re saying at all.

If you assign a host with 192.168.2.0/28 it won’t get very far - that IP address is the “network” in that subnet. Look here: http://jodies.de/ipcalc?host=192.168.2.0&mask1=28&mask2=

Hi iam8up,

My original question is how to prevent NATed access by the client.
I know a /28 only has 13 PCs effectively.

The situation is: if the client puts NAT on one of his allocated PCs and makes their own network too, it will support hundreds of PCs.

So the question is: how to prevent this NATing by the client?

It's simple - add a mangle rule with action set TTL to 1. But I don't think you should disallow NAT, because many are using wireless routers to connect their laptops.

You can use TTL… but my opinion is to let them work. Behind the NAT there can be 100 computers, but they will share the one bandwidth which you are giving to them, so it shouldn't affect anything. The other solution is: if traffic from that user gets high, try to do some usage limitation… if data transfer exceeds some value, change the speed to a lower one for some period of time.

I have tried to change the TTL value to 1 but it seems not to work; I could not connect to the internet.
I have the same problem. To prevent NATed access maybe try to use a connection limit, or a packet limit, I don't know.
I would be very glad if somebody solves this problem.


With Regards
Karapet Aznavuryan

Well obviously there is some error in your firewall configuration. Probably you are setting TTL to 1 for outgoing packets and they die at the gateway.
Maybe post your config?

Is this the correct rule that should be set??

ip firewall mangle> add src-address=192.168.0.4/32 chain=input action=change-ttl new-ttl=set:1

btw mrz, where can I learn coding MikroTik scripts?

It's not correct. The rule should be something like this:
/ip firewall mangle add chain=forward dst-address=192.168.0.4/32 action=change-ttl new-ttl=set:1

You can learn from scripts in wiki:
http://wiki.mikrotik.com/wiki/Scripts
Scripting manual:
http://www.mikrotik.com/testdocs/ros/2.9/system/scripting.php

You can set TTL to 1, but any "wise" user with some networking knowledge will pass through that, by any of several possibilities of routers that can change TTL themselves.

You can use connection limits, but even that won't help too much.
Changing TTL will stop only casual "smarties" from sharing your internet connection.

It's all about what you are selling: bandwidth or number of stations.
In the long term, you'll see that selling rock-stable capacity will get you clients.
You can put an additional network address on your router, give them all that network for use, put a queue on the whole network to limit it to whatever you want, and you can then see how many computers they use, if they don't use a router. If they do, you have your money for what you sell, anyway.

73

What we do is use the hotspot functionality. If a router connects to the network the user is still caught by the hotspot.

At this point they pay for an account and they’re fine for life, or they can’t register (because their router doesn’t work right with the hotspot) and we take care of them. Either way, the hotspot helps keep unwanted customers under control!

Hi there…

Many thanks for the various replies…
I've not tried the suggestion yet, but there is another question, still within the same subject.

Let's say our network is 192.168.1.0/24 and we do not want them to be able to do NAT. BUT… some of them are allowed to do NAT, let's say 192.168.1.72/29.

Therefore, how to let 192.168.1.72/29 have NAT while others within the same class do not?

Regards

Paul

You should really consider reading the manual. You are asking things that are described in the manual in great detail.

Well… I am still newbie… :frowning:

The manual says:
new-ttl (decrement | increment | set:integer) - specify the new TTL field value used in conjunction with action=change-ttl
decrement - the value of the TTL field will be decremented for value
increment - the value of the TTL field will be incremented for value
set: - the value of the TTL field will be set to value

BUT no examples for more explanation

Any explanations please

Paul

/ip firewall mangle
add action=change-ttl dst-address=192.168.1.0/24 chain=forward new-ttl=set:1
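
One way to get the exemption Paul asked about (192.168.1.72/29 may NAT, the rest of 192.168.1.0/24 may not), as an added example rather than a rule posted in the thread; it assumes the same addressing as the question and relies on mangle rule order, with an accept rule for the /29 placed before the blanket TTL rule:

```routeros
# Added example, not from the thread. Mangle rules are evaluated top
# to bottom; action=accept ends mangle processing for that packet, so
# the exemption must sit above the rule that sets TTL.
/ip firewall mangle
# Clients that are allowed to NAT: leave the TTL untouched.
add chain=forward dst-address=192.168.1.72/29 action=accept \
    comment="allowed to NAT - TTL untouched"
# Everyone else in the /24: packets arrive with TTL 1, so a NAT box
# that forwards them one hop further decrements to 0 and drops them.
add chain=forward dst-address=192.168.1.0/24 action=change-ttl \
    new-ttl=set:1 comment="no NAT - TTL 1"
# Check that traffic is hitting the intended rule:
# /ip firewall mangle print stats
```

Only forwarded traffic is affected; packets the router itself sends to the client (output chain, e.g. its own DNS or DHCP replies) are not touched by these rules, which is the opposite of the src-address/input variant that cut Karapet's connectivity.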

IMHO I do not know many (SOHO) routers that will change the TTL of a packet in prerouting :slight_smile: so, unless your client has a router that is the same level as yours or better, you cannot limit them that way. Any other crappy router will not be able to change the TTL value in time for the packet to survive :slight_smile:

Hi there,

We use mikrotik for all of our BTS’s and wrt54g/gs/gl with dd-wrt as client (route: RIP2) for all of our clients.

The clients, perhaps will use winroute/wingate/freesco or ICS from windows to share their connections.

So, will setting the new TTL to 1 prevent clients from using the above software?

TIA

Paul

Can this script be used to prevent a client who is using CCProxy / squidNT on their machine from distributing the internet access to other clients???