MT + TMG + VLans

mahmoudxp · March 30, 2017, 6:20am

Hi all
need to use tmg reporting & web-filtering abilities (I’m stuck with it) combined with mikrotik 5.20 hotspot features to control users access limits and bandwidth, we have 10 Vlans controlled by a Cisco managed switches.
the current config is like this
Vlans 1-10 > core switch > tmg > internet

the required setup is like this:
Vlans 1-10 > core switch > MT+HS > tmg > internet

is this possible?
can MT & HS detect macs & IPs coming from vlans to pass through it to apply filtering & control
it’s a production environment so no much available time for try & error and really tired from people who consuming my speed and bandwidth

idlemind · April 3, 2017, 5:16am

I guess I’d need it explained differently. What are you hoping the MikroTik device will do function wise? Will it do something the TMG is currently doing? Will it do entirely new things?

mahmoudxp · April 3, 2017, 12:05pm

the issue we are using TMG to web filter and report users access to the internet, but it can’t control bandwidth (speed and quota ) for users, so users keeps manipulating their network settings and using proxy sites/programs to bypass our policy not to mention torrent traffic which is very difficult to monitor/block

so I need to add MT with hotspot enabled on my network to receive users request for internet access and to apply speed & bandwidth control then sends the requests to TMG to web filter it

I know how to do it with basic setup, simply made the TMG internal card as MT gateway, my question is will the tmg detect the users after they are out of MT to apply web filter policy or note

idlemind · April 3, 2017, 1:36pm

So likely a dumb question here. Are the hotspot users all connecting to wireless?

mahmoudxp · April 4, 2017, 7:52am

of course we have wired & wireless network
we are not using a wifi system just basic APs attached to the wired netword in different sub-nets (vlans)

idlemind · April 9, 2017, 1:50am

https://wiki.mikrotik.com/wiki/Hotspot,_apply_different_limits_and_different_traffic_priorities

This should do ya

Personally I don’t recommend bursting. It’s a neat idea but it plays havoc with streaming content. It tries to upgrade the content quality and then hits it in the face when it hits the burst limit and it is back to buffering. Set a speed per user you’re happy with and roll

mahmoudxp · April 24, 2017, 12:09pm

I don’t see how this answer related to my question
I know how to config host-spot and user profiles/speeds for download and upload
it’s just read IPs not macs (keeping only mac of core switch)

Kindis · April 24, 2017, 2:23pm

Years ago on an other company we had the same issue. To solve this we installed a redundant TMG platform and created network rules in the TMG. Then for the router which managed the user VLAN’s we added 0.0.0.0/0 to point to the internal card of the TMG. This meant that if the users wanted to leave the LAN they did this via the TMG platform. So if they tried to bypass the proxy they ended up at the TMG anyway.
Today this is useless because almost all users have access to fast 4G and if we would block a site via a proxy they would simply connect using 4G and then they could access they site.
Best thing, if you ask me, is to have a protection installed on each client that stops the traffic before is even leave the computer. Not bulletproof but gives a good protection.
Many anti malware services have this feature today.