Hello everyone, I’m a teacher at a public school in Thailand. My administrator has asked me to reconfigure the school network to “work better”. I can do the physical setup and I have a understanding of the system and usermanager I am far out of my depth when it comes to firewall and NAT configuration. I would really appreciate some help checking our current configuration and seeing if it makes sense.
Our setup is the following
ISP modem (200/50 MB) → Mikrotik Router (ccr1016-12g) Ether 1 → LAN (Computer Room) and Wifi Hotspot (Ubiquiti Network)’
The LAN is hardwired to a series of switches and has its own IP range (192.168.99.2-192.168.99.254).
The HOTSPOT is a mix of APs directly wired to the router and a switch which connects to other switches in other building with their own APs. The hotspot uses the internal radius capabilities to serve up a login page and handle the login. (10.5.50.1/23 and 10.5.52.1/23)
The goal is to support ~150 concurrent teacher connections via WIFI and potentially 100 student wired desktops. This seems to be within the capabilities of the router as explained here.http://forum.mikrotik.com/t/is-ccr1016-12g-able-to-handle-this/64144/1 However currently the router begins to choke when there are more than ~40 concurrent users.
Here is a copy of the output from /export compact I’ve removed the userlist.
# mar/08/2018 07:46:03 by RouterOS 6.41.2
# software id = 41T3-6MYQ
#
# model = CCR1016-12G
# serial number = 574B04D5DB55
/interface bridge
add comment=\
"HOTSPOT (logical interface) : ether6, ether7, ether8, ether9, ether10" \
fast-forward=no name=HOTSPOT
add comment="LAN (logical interface) : ether4 and ether5" fast-forward=no \
name=LAN
/interface ethernet
set [ find default-name=ether1 ] name="ether1 (WAN)"
set [ find default-name=ether2 ] name="ether2 (Open)"
set [ find default-name=ether3 ] name="ether3 (Open)"
set [ find default-name=ether4 ] name="ether4 (Comp Room Big)"
set [ find default-name=ether5 ] name="ether5 (Open)"
set [ find default-name=ether6 ] name="ether6 (Hotspot)"
set [ find default-name=ether7 ] name="ether7 (Hotspot)"
set [ find default-name=ether8 ] name="ether8 (Hotspot)"
set [ find default-name=ether9 ] name="ether9 (1TB NAS)"
set [ find default-name=ether10 ] name="ether10 (Hotspot)"
set [ find default-name=ether11 ] name="ether11 (Hotspot Switch)"
set [ find default-name=ether12 ] name="ether12 (Test)"
/interface pppoe-client
add add-default-route=yes dial-on-demand=yes disabled=no interface=\
"ether1 (WAN)" keepalive-timeout=60 max-mru=1480 max-mtu=1480 mrru=1600 \
name=pppoe-out1 password=5aFfjPKC service-name=3bb use-peer-dns=yes user=\
660684982@3bbfttx
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=RouterOS
/ip hotspot profile
add hotspot-address=10.5.50.1 login-by=http-chap name=hsprof1 use-radius=yes
/ip hotspot user profile
set [ find default=yes ] idle-timeout=15m keepalive-timeout=5m shared-users=\
10 status-autorefresh=10m
/ip ipsec proposal
set [ find default=yes ] enc-algorithms=aes-128-cbc
/ip pool
add name=LAN ranges=192.168.99.2-192.168.99.254
add name=hs-pool-13 ranges=10.5.50.2-10.5.51.255,10.5.52.0/23
/ip dhcp-server
add address-pool=LAN authoritative=after-2sec-delay disabled=no interface=LAN \
lease-time=1d name=LAN
add address-pool=hs-pool-13 authoritative=after-2sec-delay disabled=no \
interface=HOTSPOT lease-time=1h name=dhcp1
/ip hotspot
add address-pool=hs-pool-13 disabled=no interface=HOTSPOT name=hotspot1 \
profile=hsprof1
/ppp profile
set *FFFFFFFE dns-server=8.8.8.8 wins-server=8.8.4.4
/snmp community
set [ find default=yes ] addresses=0.0.0.0/0
/tool user-manager customer
set admin access=\
own-routers,own-users,own-profiles,own-limits,config-payment-gw password=\
230062lampang time-zone=+07:00
/tool user-manager profile
add name=PSN name-for-users="" override-shared-users=1 owner=admin price=0 \
starts-at=logon validity=0s
add name=Admin name-for-users="" override-shared-users=unlimited owner=admin \
price=0 starts-at=logon validity=0s
add name="Government Teachers" name-for-users="Government Teachers" \
override-shared-users=2 owner=admin price=0 starts-at=logon validity=0s
add name="Foreign Teachers" name-for-users="Foreign Teachers" \
override-shared-users=2 owner=admin price=0 starts-at=logon validity=0s
add name="Other Teachers" name-for-users="Other Teachers" \
override-shared-users=2 owner=admin price=0 starts-at=logon validity=0s
add name=Staff name-for-users="School Staff" override-shared-users=2 owner=\
admin price=0 starts-at=logon validity=0s
add name=Equipment name-for-users=Equipment override-shared-users=1 owner=\
admin price=0 starts-at=logon validity=0s
add name="Student Teachers" name-for-users="Student Teachers" \
override-shared-users=off owner=admin price=0 starts-at=logon validity=0s
/tool user-manager profile limitation
add address-list="" download-limit=0B group-name="" ip-pool="" name=psn \
owner=admin rate-limit-min-rx=31457280B rate-limit-min-tx=31457280B \
rate-limit-priority=8 rate-limit-rx=31457280B rate-limit-tx=31457280B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=Unlimited \
owner=admin rate-limit-priority=1 transfer-limit=0B upload-limit=0B \
uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=\
"Government Teachers" owner=admin rate-limit-min-rx=52428800B \
rate-limit-min-tx=52428800B rate-limit-priority=2 rate-limit-rx=52428800B \
rate-limit-tx=52428800B transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=\
"Foreign Teachers" owner=admin rate-limit-min-rx=52428800B \
rate-limit-min-tx=52428800B rate-limit-priority=3 rate-limit-rx=52428800B \
rate-limit-tx=52428800B transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=\
"Other Teachers" owner=admin rate-limit-min-rx=52428800B \
rate-limit-min-tx=52428800B rate-limit-priority=4 rate-limit-rx=52428800B \
rate-limit-tx=52428800B transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=Staff \
owner=admin rate-limit-min-rx=52428800B rate-limit-min-tx=52428800B \
rate-limit-priority=6 rate-limit-rx=52428800B rate-limit-tx=52428800B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=Equipment \
owner=admin rate-limit-min-rx=52428800B rate-limit-min-tx=52428800B \
rate-limit-priority=7 rate-limit-rx=52428800B rate-limit-tx=52428800B \
transfer-limit=0B upload-limit=0B uptime-limit=0s
add address-list="" download-limit=0B group-name="" ip-pool="" name=\
"Student Teachers" owner=admin rate-limit-min-rx=52428800B \
rate-limit-min-tx=52428800B rate-limit-priority=5 rate-limit-rx=52428800B \
rate-limit-tx=52428800B transfer-limit=0B upload-limit=0B uptime-limit=0s
/dude
set enabled=yes
/interface bridge port
add bridge=HOTSPOT hw=no interface="ether6 (Hotspot)"
add bridge=HOTSPOT hw=no interface="ether7 (Hotspot)"
add bridge=HOTSPOT hw=no interface="ether8 (Hotspot)"
add bridge=HOTSPOT hw=no interface="ether9 (1TB NAS)"
add bridge=HOTSPOT hw=no interface="ether10 (Hotspot)"
add bridge=LAN hw=no interface="ether4 (Comp Room Big)"
add bridge=LAN hw=no interface="ether5 (Open)"
add bridge=HOTSPOT hw=no interface="ether11 (Hotspot Switch)"
add bridge=HOTSPOT hw=no interface="ether12 (Test)"
/interface pptp-server server
set enabled=yes
/ip address
add address=192.168.99.1/24 comment=\
"LAN (ether4 and ether5) : 192.168.99.1/24" interface=LAN network=\
192.168.99.0
add address=10.5.50.1/23 comment="hotspot network" interface=HOTSPOT network=\
10.5.50.0
add address=10.5.52.1/23 interface=HOTSPOT network=10.5.52.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="ether1 (WAN)"
add dhcp-options=hostname,clientid disabled=no interface="ether2 (Open)"
add dhcp-options=hostname,clientid disabled=no interface="ether3 (Open)"
/ip dhcp-server lease
add address=10.5.51.244 client-id=1:0:12:12:3f:20:ca comment=CCTV \
mac-address=00:12:12:3F:20:CA server=dhcp1
/ip dhcp-server network
add address=10.5.50.0/23 comment="hotspot network" gateway=10.5.50.1
add address=10.5.52.0/23 gateway=10.5.50.1
add address=192.168.99.0/24 dns-server=192.168.99.1 gateway=192.168.99.1 \
netmask=24
/ip dns
set allow-remote-requests=yes max-concurrent-queries=2000 \
max-concurrent-tcp-sessions=500 servers=8.8.8.8,8.8.4.4
/ip firewall mangle
add action=accept chain=prerouting dst-address-list=WAN1 src-address-list=LAN
add action=accept chain=prerouting dst-address-list=WAN2 src-address-list=LAN
add action=accept chain=prerouting dst-address-list=WAN3 src-address-list=LAN
add action=accept chain=prerouting dst-address-list=LAN
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface="ether1 (WAN)" new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface="ether2 (Open)" new-connection-mark=WAN2_conn passthrough=\
yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
in-interface="ether3 (Open)" new-connection-mark=WAN3_conn passthrough=\
yes
add action=mark-routing chain=output connection-mark=WAN1_conn \
new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN3_conn \
new-routing-mark=to_WAN3 passthrough=yes
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=WAN1_conn \
passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=WAN2_conn \
passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local in-interface=LAN new-connection-mark=WAN3_conn \
passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local hotspot=auth in-interface=HOTSPOT \
new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
both-addresses:3/0
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local hotspot=auth in-interface=HOTSPOT \
new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
both-addresses:3/1
add action=mark-connection chain=prerouting connection-mark=no-mark \
dst-address-type=!local hotspot=auth in-interface=HOTSPOT \
new-connection-mark=WAN3_conn passthrough=yes per-connection-classifier=\
both-addresses:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn \
new-routing-mark=to_WAN1 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN2_conn \
new-routing-mark=to_WAN2 passthrough=yes src-address-list=LAN
add action=mark-routing chain=prerouting connection-mark=WAN3_conn \
new-routing-mark=to_WAN3 passthrough=yes src-address-list=LAN
/ip firewall nat
add action=passthrough chain=unused-hs-chain comment=\
"place hotspot rules here"
add action=masquerade chain=srcnat out-interface="ether1 (WAN)"
add action=masquerade chain=srcnat out-interface="ether2 (Open)"
add action=masquerade chain=srcnat out-interface="ether3 (Open)"
add action=masquerade chain=srcnat comment="masquerade hotspot network" \
src-address=10.5.50.0/23
add action=dst-nat chain=dstnat dst-port=82 in-interface="ether3 (Open)" \
protocol=tcp to-addresses=10.5.51.244 to-ports=82
add action=dst-nat chain=dstnat dst-port=34567 in-interface="ether3 (Open)" \
protocol=tcp to-addresses=10.5.51.244 to-ports=34567
add action=dst-nat chain=dstnat dst-port=8291 in-interface="ether3 (Open)" \
protocol=tcp to-addresses=10.5.50.1 to-ports=8291
/ip hotspot ip-binding
add comment=pong mac-address=C4:56:FE:6F:EC:5A type=bypassed
add address=192.168.99.101 type=bypassed
add mac-address=BC:5F:F4:A8:EA:26 type=bypassed
add mac-address=E0:91:53:35:E5:F1 type=bypassed
add comment="MObile Champ" mac-address=F0:25:B7:7B:1C:FC type=bypassed
add mac-address=00:1B:B1:AE:B7:AC type=bypassed
add mac-address=48:74:6E:76:A5:16 type=bypassed
add comment="aoy Notebook" mac-address=00:21:00:56:26:19 type=bypassed
add mac-address=F8:1A:67:5E:32:D2 type=bypassed
add comment=tom mac-address=50:EA:D6:02:04:46 type=bypassed
add mac-address=C8:02:10:01:37:0A type=bypassed
add comment=p6/2 mac-address=CC:2D:8C:D4:77:0D type=bypassed
add comment=p6/1 mac-address=CC:2D:8C:D4:3C:EF type=bypassed
add comment=P6/3 mac-address=CC:2D:8C:D4:77:16 type=bypassed
add comment=P6/4 mac-address=CC:2D:8C:D3:36:7E type=bypassed
add comment="Comroom Teacher" mac-address=E0:69:95:52:0C:32 type=bypassed
add comment=CCTV mac-address=00:12:12:3F:20:CA type=bypassed
add comment=NAS mac-address=00:08:9B:F8:31:29 type=bypassed
add comment=mobileboss1 mac-address=C0:11:73:03:66:33 type=bypassed
add comment=mobile:IQbig mac-address=3C:97:0F:39:F2:71 type=bypassed
add comment="mobile :tik" mac-address=10:F6:81:0D:6E:8C type=bypassed
add comment=cammera01 mac-address=44:33:4C:85:4A:2D type=bypassed
add comment=monitor mac-address=E8:11:32:84:5C:B7 type=bypassed
add comment=ap1 mac-address=80:2A:A8:BA:73:4E type=bypassed
add comment=ap2 mac-address=80:2A:A8:BA:6F:30 type=bypassed
add comment=ap3 mac-address=80:2A:A8:BA:71:23 type=bypassed
add comment=PSN1_library mac-address=68:72:51:26:82:66 type=bypassed
add comment=PSN2_inter mac-address=68:72:51:26:82:BC type=bypassed
add comment=PSN3_inter mac-address=68:72:51:26:81:CC type=bypassed
add comment=PSN4_meeting mac-address=68:72:51:26:82:9F type=bypassed
add comment=PSN5_nursery mac-address=68:72:51:26:81:DA type=bypassed
add comment=PSN6_server_L mac-address=68:72:51:26:82:11 type=bypassed
add comment=PSN7-server mac-address=68:72:51:26:81:8A type=bypassed
add comment=PSN8_uplinkL mac-address=68:72:51:26:82:82 type=bypassed
add comment=PSN9_uplinkR mac-address=68:72:51:26:81:AB type=bypassed
add comment=PSN10_meeting mac-address=DC:9F:DB:6A:63:2D type=bypassed
add comment=camera02 mac-address=44:33:4C:F5:34:1B type=bypassed
add comment=camera03 mac-address=44:33:4C:25:29:73 type=bypassed
add comment=camera04 mac-address=44:33:4C:25:2B:60 type=bypassed
add address=10.5.51.100 type=bypassed
add mac-address=44:D2:44:DD:91:D9 type=bypassed
/ip hotspot user
add name=admin password=pong2002
add disabled=yes name=arjantom password=wasuntom
add disabled=yes name=service password=1234
/ip hotspot walled-garden
add comment="place hotspot rules here" disabled=yes
add dst-host=192.168.99.101 dst-port=80
add dst-host=192.168.99.100 dst-port=80
add dst-host=10.5.51.10 dst-port=80
add dst-host=10.5.51.11 dst-port=80
add dst-host=10.5.51.12 dst-port=80 method=""
add dst-host=10.5.51.13 dst-port=80
/ip route
add check-gateway=ping distance=1 gateway=192.168.0.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.10.1 routing-mark=to_WAN3
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.0.1
add check-gateway=ping distance=3 gateway=192.168.10.1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=81
set ssh disabled=yes
set api disabled=yes
/ip traffic-flow
set enabled=yes
/lcd
set backlight-timeout=10m color-scheme=dark default-screen=stat-slideshow
/ppp secret
add local-address=10.0.0.1 name=ss password=ss remote-address=10.0.0.2
/radius
add address=127.0.0.1 secret=psn2015 service=hotspot timeout=3s
/system clock
set time-zone-name=Asia/Bangkok
/system clock manual
set time-zone=+07:00
/system identity
set name=RouterOS
/tool graphing interface
add store-on-disk=no
/tool romon port
add
/tool user-manager database
set db-path=user-manager
/tool user-manager profile profile-limitation
add from-time=0s till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=Unlimited profile=Admin till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Government Teachers" profile=\
"Government Teachers" till-time=23h59m59s weekdays=\
monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=Unlimited profile="Government Teachers" \
till-time=23h59m59s weekdays=sunday,saturday
add from-time=0s limitation="Foreign Teachers" profile="Foreign Teachers" \
till-time=23h59m59s weekdays=monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=Unlimited profile="Foreign Teachers" till-time=\
23h59m59s weekdays=sunday,saturday
add from-time=0s limitation=Staff profile=Staff till-time=23h59m59s weekdays=\
monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=Unlimited profile=Staff till-time=23h59m59s \
weekdays=sunday,saturday
add from-time=0s limitation="Other Teachers" profile="Other Teachers" \
till-time=23h59m59s weekdays=monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=Unlimited profile="Other Teachers" till-time=\
23h59m59s weekdays=sunday,saturday
add from-time=0s limitation=Equipment profile=Equipment till-time=23h59m59s \
weekdays=sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation=psn profile=PSN till-time=23h59m59s weekdays=\
sunday,monday,tuesday,wednesday,thursday,friday,saturday
add from-time=0s limitation="Student Teachers" profile="Student Teachers" \
till-time=23h59m59s weekdays=monday,tuesday,wednesday,thursday,friday
add from-time=0s limitation=Unlimited profile="Student Teachers" till-time=\
23h59m59s weekdays=sunday,saturday
/tool user-manager router
add coa-port=1700 customer=admin disabled=no ip-address=127.0.0.1 log=\
auth-fail name=*removed* shared-secret=*removed* use-coa=no
Radius Customer list removed
I can’t seem to get it to export the firewall filter rules so I’ve attached a screenshot.
Thank you.