Why does SXT Lite5 consume data itself?

Our company has installed 3000 SXT Lite5 units. Now our customers say that their internet usage is very high. We tested the router and found that the devices themselves consume data.
Is there any specific configuration to limit the usage?

Have you identified the type of data being sent? This is important to know before any analysis can be done.

If you block stuff like mndp, ntp, dns, ospf, etc., you might have networking issues. We need more info. Certain things you might be able to turn off if unused, like ip cloud.

Regards


Thank you for your response.
Our customers use this device for connecting to the internet. We haven't identified any limitation.
What kind of limitations should we set?

The following is ip firewall connection print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat

PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES

0 C udp 212.83.134.247:5074 178.253.6.75:5060 17m33s 0bps 0bps 1 0 443 0
1 C udp 0.0.0.0:5678 255.255.255.255:5678 6s 0bps 0bps 3 0 430 0
2 C udp 37.49.231.20:5382 178.253.6.75:5060 15m17s 0bps 0bps 1 0 439 0
3 C udp 0.0.0.0:20561 255.255.255.255:20561 9s 4.0kbps 0bps 248 0 12 604 0
4 C udp 212.83.134.247:5079 178.253.6.75:5060 40m7s 0bps 0bps 1 0 443 0
5 C udp 37.49.231.128:5061 178.253.6.75:5060 16m21s 0bps 0bps 1 0 440 0
6 C udp 212.129.0.96:5063 178.253.6.75:5060 28m8s 0bps 0bps 1 0 439 0
[admin@9148570450] > ip route prin
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit

DST-ADDRESS PREF-SRC GATEWAY DISTANCE

0 ADS 0.0.0.0/0 80.191.199.122 0
1 ADC 80.191.199.122/32 178.253.6.75 TCWA 0
2 DC 192.168.88.0/24 192.168.88.1 ether1 255
[admin@9148570450] > ip firewall connection prin
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat

PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS ORIG-BYTES REPL-BYTES

0 C udp 212.83.134.247:5074 178.253.6.75:5060 4m9s
1 C udp 37.49.231.14:5089 178.253.6.75:5060 56m1s
2 C udp 0.0.0.0:5678 255.255.255.255:5678 9s
3 C udp 37.49.231.20:5382 178.253.6.75:5060 1m53s
4 C udp 0.0.0.0:20561 255.255.255.255:20561 10s
5 C udp 212.83.134.247:5079 178.253.6.75:5060 26m43s
6 C udp 37.49.231.128:5061 178.253.6.75:5060 2m57s
7 C udp 212.129.0.96:5063 178.253.6.75:5060 14m43s
[admin@9148570450] > ip address print
Flags: X - disabled, I - invalid, D - dynamic

ADDRESS NETWORK INTERFACE

0 192.168.88.1/24 192.168.88.0 ether1
1 D 178.253.6.75/32 80.191.199.122 TCWA
[admin@9148570450] > ip firewall connection prin
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fa

PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT

0 SAC tcp 178.253.60.36:59686 178.253.6.75:8080 established 23h59m52s
1 C udp 212.83.134.247:5074 178.253.6.75:5060 2m37s
2 SAC tcp 178.253.60.36:59687 178.253.6.75:8080 established 23h59m56s
3 C udp 37.49.231.14:5089 178.253.6.75:5060 54m29s
4 C udp 0.0.0.0:5678 255.255.255.255:5678 8s
5 C udp 37.49.231.20:5382 178.253.6.75:5060 21s
6 C udp 0.0.0.0:20561 255.255.255.255:20561 9s
7 C udp 212.83.134.247:5079 178.253.6.75:5060 25m11s
8 C udp 37.49.231.128:5061 178.253.6.75:5060 1m25s
9 C udp 212.129.0.96:5063 178.253.6.75:5060 13m12s
[admin@9148570450] >

It looks like you have no firewall. Of course then your network becomes the playground of the bad guys…

What kind of firewall rules do you suggest we add to our router config?
I should add that we have the same problem with our SXTs in station mode, in which the firewall has been enabled by default.


I suggest a firewall at your internet connection that allows only established/related traffic and new outgoing traffic and blocks all new incoming traffic.
In fact this is installed by default after a reset. Of course you need to make sure that the router is configured correctly so it knows what the internet interface is.

Hello,
We have the same problem too. Our company is located in Iran with more than 3000 customers. We provide wireless internet in rural areas. We have used more than 40 mANTBox 19s and around 3000 SXT Lite5 and SXTsq Lite5. Recently most of our customers complain about their unwanted internet data usage, even if they disconnect all of their equipment like mobile phones, laptops and PCs, and even more when they unplug their wireless routers.
This has caused us great pressure and responsibility. Unfortunately, we were unable to find out the reason why and where the MikroTik SXT creates internet connections and consumes data, which leads to severe complaints and customer loss.
So we urgently ask for your help to guide us on how to solve this issue.
Gratefully

Switch off ip cloud, Internet detection, timezone detection and similar things. Move the network devices to special network segment and block its access to Internet.

jarda, I’m talking about wireless devices that connect to the Internet, and you say block access to the Internet?

I tried them all, but the problem still exists. No other suggestions?

Are you able to sniff/collect the data? If yes, by analysis of the data (even if you have to go through packets manually one by one), you should be able to track down where the traffic originates, where it leads and what it is about.
If you can't collect the data, I do not think that anyone will give you better advice than Jarda - he already mentioned all typical services of RouterOS which might cause this.
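A first pass at the analysis asked for above can be made on the connection table itself before any packet capture. This is an added example, not part of any post in the thread: it groups `ip firewall connection print` rows by direction relative to the router's WAN address. The sample rows are constructed with documentation addresses, and `triage` and its `fanout_min` threshold are hypothetical names.

```python
import re
from collections import defaultdict

# index, flags, protocol, src:port, dst:port (remaining columns are ignored)
ROW = re.compile(
    r"^\s*\d+\s+(?P<flags>[A-Za-z]+)\s+(?P<proto>tcp|udp)\s+"
    r"(?P<src>[\d.]+):(?P<sport>\d+)\s+(?P<dst>[\d.]+):(?P<dport>\d+)"
)

# Constructed sample rows in the column layout shown in the thread.
SAMPLE = """\
 0  SAC tcp  198.51.100.36:59686  203.0.113.75:8080  established 23h59m52s
 1  C   udp  192.0.2.247:5074     203.0.113.75:5060  2m37s
 2  C   udp  192.0.2.20:5382      203.0.113.75:5060  21s
 3  C   udp  0.0.0.0:5678         255.255.255.255:5678 8s
 4  C   tcp  203.0.113.75:39627   198.51.100.10:80   established 23h59m25s
 5  C   tcp  203.0.113.75:49228   198.51.100.11:80   established 23h59m16s
 6  C   tcp  203.0.113.75:51678   198.51.100.12:80   established 23h59m27s
 7  SAC udp  203.0.113.75:12631   198.51.100.50:6881 1m54s
"""

def triage(text, wan_ips, fanout_min=3):
    """Summarise connections as (kind, proto, dst_port, distinct_peers)."""
    inbound = defaultdict(set)   # (proto, dport, answered) -> remote sources
    outbound = defaultdict(set)  # (proto, dport, answered) -> remote destinations
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue  # flag legend, column header, prompt, blank line
        answered = "S" in m["flags"]  # S = seen-reply
        key = (m["proto"], int(m["dport"]), answered)
        if m["dst"] in wan_ips and m["src"] not in wan_ips:
            inbound[key].add(m["src"])      # aimed at the router itself
        elif m["src"] in wan_ips:
            outbound[key].add(m["dst"])     # sourced from the WAN address
    findings = []
    for (proto, port, answered), peers in sorted(inbound.items()):
        # An answered inbound flow means a service is reachable from outside.
        kind = "exposed-service" if answered else "inbound-probe"
        findings.append((kind, proto, port, len(peers)))
    for (proto, port, answered), peers in sorted(outbound.items()):
        # Many unanswered destinations on one port deserve a packet capture.
        if not answered and len(peers) >= fanout_min:
            findings.append(("outbound-fanout", proto, port, len(peers)))
    return findings

if __name__ == "__main__":
    for finding in triage(SAMPLE, {"203.0.113.75"}):
        print(finding)
```

Every finding still consumes the subscriber's quota on a metered link, because the packets cross the wireless link before the router sees them or after it sends them.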

We have two types of configuration for our SXTsq. I am sending both of them.

# jun/15/2018 14:02:37 by RouterOS 6.34.4
# software id = B5IN-6DFI

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
    disabled=no frequency=5260 frequency-mode=superchannel mode=\
    station-bridge radio-name=****** ssid=****** wmm-support=enabled
/interface ethernet
set [ find default-name=ether1 ] mac-address=6C:3B:6B:02:4A:74
/interface pppoe-client
add add-default-route=yes disabled=no interface=wlan1 max-mru=1480 max-mtu=\
    1480 mrru=1600 name=***** password=****** use-peer-dns=yes user=******
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.88.10-192.168.88.254
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether1 lease-time=3d5h10m \
    name=dhcp1
/ip address
add address=192.168.88.1/24 interface=ether1 network=192.168.88.0
/ip dhcp-server network
add address=192.168.88.0/24 gateway=192.168.88.1
/ip firewall nat
add action=masquerade chain=srcnat src-address=192.168.88.0/24
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www port=8080
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tehran
/system identity
set name=******
/system leds
set 0 interface=wlan1
/system routerboard settings
set protected-routerboot=disabled
/tool graphing interface
add
/tool graphing queue
add
/tool graphing resource
add

# jul/02/2018 12:32:53 by RouterOS 6.39.2
# software id = A000-UTVT

/interface wireless
set [ find default-name=wlan1 ] band=5ghz-a/n channel-width=20/40mhz-Ce \
    country=iran disabled=no frequency=5805 nv2-preshared-key=huk89eds^ \
    radio-name=******* ssid=******** wds-mode=dynamic \
    wireless-protocol=802.11
/ip neighbor discovery
set wlan1 discover=no
/interface vlan
add interface=wlan1 name=vlan1 vlan-id=3644
add interface=wlan1 name=vlan2 vlan-id=299
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1 \
    password=******* use-peer-dns=yes user=*******
/interface wireless security-profiles
set [ find default=yes ] authentication-types=wpa2-psk eap-methods="" mode=\
    dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=huk89eds^
/ip hotspot profile
set [ find default=yes ] html-directory=flash/hotspot
/ip pool
add name=default-dhcp ranges=192.168.1.10-192.168.1.254
/ip dhcp-server
add address-pool=default-dhcp disabled=no interface=ether1 name=defconf
/ip address
add address=192.168.1.1/24 comment=defconf interface=ether1 network=\
    192.168.1.0
add address=172.20.22.218/21 interface=vlan2 network=172.20.16.0
/ip dhcp-client
add comment=defconf dhcp-options=hostname,clientid disabled=no interface=\
    wlan1
/ip dhcp-server network
add address=192.168.1.0/24 comment=defconf gateway=192.168.1.1
/ip dns
set allow-remote-requests=yes
/ip dns static
add address=192.168.88.1 name=router
/ip firewall filter
add action=accept chain=input comment="defconf: accept ICMP" protocol=icmp
add action=accept chain=input comment="defconf: accept established,related" \
    connection-state=established,related
add action=accept chain=input in-interface=vlan2
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=wlan1
add action=fasttrack-connection chain=forward comment="defconf: fasttrack" \
    connection-state=established,related
add action=accept chain=forward comment="defconf: accept established,related" \
    connection-state=established,related
add action=drop chain=forward comment="defconf: drop invalid" \
    connection-state=invalid
add action=drop chain=forward comment=\
    "defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
    connection-state=new in-interface=wlan1
/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
    out-interface=pppoe-out1
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set ssh disabled=yes
set api disabled=yes
set api-ssl disabled=yes
/system clock
set time-zone-name=Asia/Tehran
/system identity
set name=********
/tool mac-server
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=vlan2
/tool mac-server mac-winbox
set [ find default=yes ] disabled=yes
add interface=ether1
add interface=vlan2
add interface=wlan1


MikroTik RouterOS 6.34.4 (c) 1999-2015 http://www.mikrotik.com/

(544 messages not shown)
jul/19/2018 17:18:13 system,error,critical router was rebooted without proper shutdown
jul/19/2018 17:18:12 system,error,critical router was rebooted without proper shutdown
jul/19/2018 17:18:12 system,error,critical router was rebooted without proper shutdown
jul/21/2018 02:57:42 system,error,critical router was rebooted without proper shutdown
jul/21/2018 13:02:10 system,error,critical router was rebooted without proper shutdown
jul/21/2018 22:05:46 system,error,critical router was rebooted without proper shutdown
jul/22/2018 12:34:27 system,error,critical router was rebooted without proper shutdown
jul/22/2018 17:43:37 system,error,critical router was rebooted without proper shutdown
[admin@] > ip firewall connection print
Flags: E - expected, S - seen-reply, A - assured, C - confirmed, D - dying, F - fasttrack, s - srcnat, d - dstnat

PR.. SRC-ADDRESS DST-ADDRESS TCP-STATE TIMEOUT ORIG-RATE REPL-RATE ORIG-PACKETS REPL-PACKETS

0 C tcp 5.234.142.82:39627 190.168.228.165:80 established 23h59m25s 0bps 0bps 1 0
1 C tcp 5.234.142.82:49228 216.161.139.20:80 established 23h59m16s 0bps 0bps 1 0
2 SAC udp 5.234.142.82:12631 31.167.219.124:20878 1m59s 0bps 0bps 2 2
3 C tcp 5.234.142.82:51678 190.197.96.26:80 established 23h59m27s 0bps 0bps 1 0
4 SAC udp 5.234.142.82:12631 191.187.212.20:28543 1m55s 0bps 0bps 2 2
5 C tcp 5.234.142.82:60929 217.140.122.114:80 established 23h59m30s 0bps 0bps 1 0
6 SAC udp 5.234.142.82:12631 5.160.148.69:1864 2m19s 0bps 0bps 7 7
7 SAC udp 5.234.142.82:12631 67.215.246.10:6881 1m54s 0bps 0bps 7 7
8 C tcp 5.234.142.82:57778 2.222.165.236:80 established 23h59m16s 0bps 0bps 1 0
9 C tcp 5.234.142.82:41478 52.125.3.114:80 established 23h59m16s 0bps 0bps 1 0
10 C tcp 5.234.142.82:49409 59.228.39.125:80 established 23h59m27s 0bps 0bps 1 0
11 C tcp 5.234.142.82:48230 137.158.59.155:80 established 23h59m16s 0bps 0bps 1 0
12 SAC udp 5.234.142.82:12631 14.203.78.17:8999 1m54s 0bps 0bps 2 2
13 C tcp 5.234.142.82:35174 46.73.208.190:80 established 23h59m16s 0bps 0bps 1 0
14 SAC udp 5.234.142.82:12631 5.40.162.133:38405 2m7s 0bps 0bps 8 7
15 C tcp 5.234.142.82:55733 46.249.211.20:80 established 23h59m16s 0bps 0bps 1 0
16 C tcp 5.234.142.82:38284 65.53.117.46:80 established 23h59m16s 0bps 0bps 1 0
17 SAC udp 5.234.142.82:12631 172.105.219.32:16803 2m11s 0bps 0bps 2 2
18 SAC udp 5.234.142.82:12631 109.236.86.4:9544 1m54s 0bps 0bps 3 2
19 SAC udp 5.234.142.82:12631 1.10.181.56:55556 1m49s 0bps 0bps 8 7
20 C tcp 5.234.142.82:52781 114.112.0.236:80 established 23h59m30s 0bps 0bps 1 0
21 SAC udp 5.234.142.82:12631 82.221.103.244:6881 1m54s 0bps 0bps 5 5
22 C tcp 5.234.142.82:46470 53.18.75.128:80 established 23h59m16s 0bps 0bps 1 0
23 C tcp 5.234.142.82:34675 170.113.128.110:80 established 23h59m16s 0bps 0bps 1 0
24 C tcp 5.234.142.82:59763 72.85.233.200:80 established 23h59m30s 0bps 0bps 1 0
25 C udp 172.20.23.250:57314 255.255.255.255:20561 9s 19.6kbps 0bps 3 976 0
26 C tcp 5.234.142.82:37446 57.29.8.155:80 established 23h59m38s 0bps 0bps 1 0
27 C tcp 5.234.142.82:36896 84.92.9.158:80 established 23h59m38s 0bps 0bps 1 0
28 C tcp 5.234.142.82:49749 136.201.139.252:80 established 23h59m38s 0bps 0bps 1 0
29 C tcp 5.234.142.82:35764 101.159.113.105:80 established 23h59m38s 0bps 0bps 1 0
30 C tcp 5.234.142.82:50940 171.59.38.149:80 established 23h59m38s 0bps 0bps 1 0
31 C tcp 5.234.142.82:56045 99.212.139.222:80 established 23h59m38s 0bps 0bps 1 0
32 C tcp 5.234.142.82:40603 118.48.123.115:80 established 23h59m38s 0bps 0bps 1 0
33 C tcp 5.234.142.82:56197 19.92.249.193:80 established 23h59m38s 0bps 0bps 1 0
34 C tcp 5.234.142.82:36616 218.95.19.40:80 established 23h59m38s 0bps 0bps 1 0
35 C tcp 5.234.142.82:33724 84.110.20.66:80 established 23h59m38s 0bps 0bps 1 0
36 C tcp 5.234.142.82:53343 177.191.92.193:80 established 23h59m38s 0bps 0bps 1 0
37 C tcp 5.234.142.82:43299 161.218.130.219:80 established 23h59m38s 0bps 0bps 1 0
38 C tcp 5.234.142.82:40889 145.24.97.121:80 established 23h59m38s 0bps 0bps 1 0
39 C tcp 5.234.142.82:56559 123.45.182.22:80 established 23h59m38s 0bps 0bps 1 0
40 C tcp 5.234.142.82:56529 79.25.31.72:80 established 23h59m38s 0bps 0bps 1 0
41 C tcp 5.234.142.82:53318 129.26.208.186:80 established 23h59m38s 0bps 0bps 1 0
42 C tcp 5.234.142.82:33522 181.78.214.240:80 established 23h59m38s 0bps 0bps 1 0
43 C tcp 5.234.142.82:40479 32.240.19.136:80 established 23h59m38s 0bps 0bps 1 0
44 C tcp 5.234.142.82:56019 140.74.57.38:80 established 23h59m38s 0bps 0bps 1 0
45 C tcp 5.234.142.82:53564 183.158.201.190:80 established 23h59m38s 0bps 0bps 1 0
46 C tcp 5.234.142.82:56975 118.249.236.69:80 established 23h59m38s 0bps 0bps 1 0
47 C tcp 5.234.142.82:37897 120.236.197.98:80 established 23h59m38s 0bps 0bps 1 0
48 C tcp 5.234.142.82:41074 136.167.140.158:80 established 23h59m38s 0bps 0bps 1 0
49 C tcp 5.234.142.82:45065 112.150.179.111:80 established 23h59m38s 0bps 0bps 1 0
50 C tcp 5.234.142.82:33468 130.18.230.36:80 established 23h59m38s 0bps 0bps 1 0
51 C tcp 5.234.142.82:53522 62.101.124.1:80 established 23h59m38s 0bps 0bps 1 0
52 C tcp 5.234.142.82:52575 90.239.157.39:80 established 23h59m38s 0bps 0bps 1 0
53 C tcp 5.234.142.82:51328 150.124.216.2:80 established 23h59m38s 0bps 0bps 1 0
54 C tcp 5.234.142.82:52974 124.57.205.240:80 established 23h59m38s 0bps 0bps 1 0
55 C tcp 5.234.142.82:59341 47.132.144.49:80 established 23h59m38s 0bps 0bps 1 0
56 C tcp 5.234.142.82:58256 200.16.201.81:80 established 23h59m38s 0bps 0bps 1 0
57 C tcp 5.234.142.82:57092 27.56.119.128:80 established 23h59m38s 0bps 0bps 1 0
58 SAC udp 5.234.142.82:12631 5.250.121.49:34418 2m31s 0bps 0bps 5 5
59 SAC udp 5.234.142.82:12631 34.220.6.150:8118 2m47s 0bps 0bps 5 3
60 SAC udp 5.234.142.82:12631 189.63.154.137:22883 2m59s 384bps 448bps 13 10
61 SAC tcp 5.234.142.82:34749 129.113.132.57:80 close 1s 0bps 0bps 6 4
62 SAC tcp 5.234.142.82:48481 138.217.206.191:80 close 1s 0bps 0bps 6 4
63 SAC tcp 5.234.142.82:43426 123.229.32.250:80 close 1s 0bps 0bps 6 4
64 SAC tcp 5.234.142.82:53577 119.109.107.213:80 close 1s 0bps 0bps 6 4
65 SAC tcp 5.234.142.82:35616 57.43.54.132:80 close 1s 0bps 0bps 6 4
66 SAC tcp 5.234.142.82:51672 113.137.101.178:80 close 1s 0bps 0bps 6 4

no such item (4)
[admin@] >
[admin@] > inter mon
interface: ****
name: TCWA
rx-packets-per-second: 165
rx-bits-per-second: 56.6kbps
rx-drops-per-second: 0
rx-errors-per-second: 0
tx-packets-per-second: 344
tx-bits-per-second: 159.0kbps
tx-drops-per-second: 0
tx-errors-per-second: 0

[admin@] >

Even the device that connects to Internet could be blocked. Of course it depends on what you need from it. Don’t forget to upgrade and make sure your firewall rules are correctly set. The easiest way to exhaust your connection is to leave the device open to the Internet and let it serve as dns resolver for the attacker to help him amplify his attacks. But there are also more sophisticated things you might suffer when you don’t upgrade or don’t keep your router secured.

I believe there was a little misunderstanding. By “collecting data” I meant network traffic data - packet sniffing etc. And by analysis I did not mean “post on forum”.
I expect all those wireless devices which you referred to are connected through some central point which is measuring traffic, right? That means there is some central point which passes all this (even unwanted) traffic. You can monitor this traffic (for example, set up one of your stations without any computer connected, so you know all traffic will be generated by the station and not by the customer) and look at what is happening. This is definitely not a quick and simple job. You need to monitor the traffic for some period to catch everything and then try to understand it.

As you are supplying several thousand customers, I find it hard to believe that you have nobody on site who could identify the issue by checking the network traffic. Traffic monitoring and analysis is one of the basic networking skills and it cannot be done by people on a forum. It is neither safe nor convenient (only a responsible person should be allowed to review the traffic, as it may contain personal data of your customers).

Straight from the settings you posted, I find it hard to figure out what could be wrong (except for your WPA2 key, which should not be posted publicly, but whatever… nobody will travel across the globe to Iran to find you and hack you).
Not quite sure if your firewall is correct, as I can see rules like “drop all from wan” which drops wlan1 but nothing dropping unwanted packets from pppoe-out1, which is your real WAN based on the masquerade rule. However, I might be confused.

This whole thing seems like a full-time job for a couple of days, not something that can be solved by volunteers who do not have much idea about your environment and requirements.

Thank you for understanding that I could not help more.
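Two firewall points from this thread can be checked mechanically: new incoming traffic should be dropped on the internet interface, and the posted rules drop on wlan1 while the masquerade rule points at pppoe-out1. This is an added example, not code from any poster: it reads a RouterOS export and reports the chains that have no drop rule for new traffic on the real WAN interface. The export excerpt is constructed and all function names are hypothetical.

```python
import shlex

# Constructed excerpt shaped like the second export posted in the thread.
EXPORT = r'''
/interface pppoe-client
add add-default-route=yes disabled=no interface=vlan1 name=pppoe-out1
/ip firewall filter
add action=accept chain=input connection-state=established,related
add action=drop chain=input comment="defconf: drop all from WAN" \
    in-interface=wlan1
add action=accept chain=forward connection-state=established,related
add action=drop chain=forward connection-nat-state=!dstnat \
    connection-state=new in-interface=wlan1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=pppoe-out1
'''

def parse_export(text):
    """Return [(section, {key: value})] for every 'add' line of an export."""
    joined = text.replace("\\\n", " ")  # undo the export's wrapped lines
    section, rules = None, []
    for line in joined.splitlines():
        line = line.strip()
        if line.startswith("/"):
            section = line
        elif line.startswith("add "):
            tokens = shlex.split(line)[1:]  # keeps quoted comments intact
            rules.append((section, dict(t.split("=", 1) for t in tokens if "=" in t)))
    return rules

def wan_interfaces(rules):
    """Internet-facing interfaces: masquerade targets and default-route PPPoE clients."""
    wans = set()
    for section, r in rules:
        if section == "/ip firewall nat" and r.get("action") == "masquerade":
            wans.add(r.get("out-interface"))
        if section == "/interface pppoe-client" and r.get("add-default-route") == "yes":
            wans.add(r.get("name"))
    return wans - {None}

def unprotected_chains(rules):
    """(wan, chain) pairs with no drop rule able to match new traffic from wan.
    Simplification: rule order and negated/list-based matchers are ignored."""
    gaps = []
    for wan in sorted(wan_interfaces(rules)):
        for chain in ("input", "forward"):
            covered = any(
                section == "/ip firewall filter" and r.get("chain") == chain
                and r.get("action") == "drop"
                and r.get("in-interface", wan) == wan  # no in-interface = any
                and "new" in r.get("connection-state", "new").split(",")
                for section, r in rules)
            if not covered:
                gaps.append((wan, chain))
    return gaps

if __name__ == "__main__":
    print(unprotected_chains(parse_export(EXPORT)))
```

An empty result only means a matching drop rule exists; it does not prove that the ruleset as a whole is correct.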