Winbox connection altering the PC Gateway ?

Hi,
We have around 300 odd RB’s out in the field all connected via SIM cards acting as the Internet connection for various sensors. The Sims use a private APN and we connect to them remotely via an IPsec tunnel into a dedicated subnet.

We use Winbox to carry out the majority of our housekeeping via Windows based computers. What we notice is that when we connect, the computer seems to then use the RB as its default gateway, which can result in quite a bit of data being used via the Sim ( all our Sims are only contracted for 2Gb of data / month although it is aggregated with all Sims we have ).

Unfortunately it’s not uncommon for engineers to go home and leave a computer connected to a RB which overnight / over the weekend gobbles up data and can max out a Sim.

It’s also worth noting that our office router is also a Mikrotik RB.

Does this sound right and if so is there a way to prevent it ? Thanks

I don’t think that winbox itself changes anything on PC’s networking settings. But since network settings have to be already done for winbox to connect[*], it could be that those engineers do set up things too diligently.

[*] For MAC connectivity, actual IP address set on PC doesn’t matter. So it’s fine to use some random IP address, just be sure to avoid using address from same subnet as router has. APIPA address should do as well.
For IP connectivity, PC needs address from same subnet as router. But it should be fine to omit gateway setting and in this case PC shouldn’t be able to connect to internet sites.
In both cases, PC should not be able to retrieve meaningful setup via DHCP. Either your IoT network should run without DHCP server or it should ignore DHCP request from non-IoT devices or it should reply with crafted lease info to PC or PC should not run DHCP client.

You can always control internet-bound traffic using appropriate firewall rules. Which is probably the best thing to do as this doesn’t rely on appropriate settings on PC.

With IPv6 things are even slightly more complicated if you want to prevent unwanted communication with internet.

Thanks @mkx, sorry, I think you have misunderstood how we connect, or I didn’t explain it very well.

Our connection to the remote devices ( RB’s ) is via our main office LAN, we have a permanent IPsec tunnel into our private Sim Subnet connected via our office Router ( also RB ) so any device on the office LAN has connectivity to the Sim based RB’s with no intervention needed ( i.e. no dial in, no change of IP etc ). There are no public IP addresses in use, although the Sim Subnet has a dedicated Internet breakout which is the gateway assigned to each remote device via its LTE settings.

So to recap, devices out in the field have a Sim that connects via a dedicated APN into our own private Subnet, our office based computers connect to that subnet via a permanent IPsec tunnel connected via our office RB ( internal computer gateway ). Any computer in our office connected to the office LAN has connectivity to any field based device via a private IP address 10.x.x.x.

When we connect to these devices via a Windows based computer using WinBox, rather than the computer using its actual gateway, it changes it so the remote device becomes the gateway and hence gobbles up data via the Sim.

Hopefully that makes more sense.

And how is the IPsec gateway connected to sim net? Does IPsec client (PC) use LTE to reach to internet?

There’s another fact about winbox, which might affect the traffic you’re seeing: winbox is (constantly) polling connected ROS device, the more open windows the larger data (it’s polling stats data to display real-time status). So yes, in case like yours it is essential to terminate winbox connection if it’s not needed anymore.

It’s via a Leased Line connection from our office direct into the Sim provider via their own leased line.

However I don’t really see why any of this is relevant to the original question.

No matter what type of internet connection the remote RB device has… if you connect to it via Winbox is there a way to stop the computer connecting to the remote device from being the connecting devices gateway?

The relevance of my previous question: if winbox would change its host’s routing, your PC would access internet via Sim LAN breakout and you’re saying this doesn’t use LTE … so I’m assuming it doesn’t spend your LTE quota. On the other hand I’m 99.99% sure winbox doesn’t change router’s gateway (unless admin does it … on purpose or incidentally), so this doesn’t change utilization of your LTE quota.

If the internet bound traffic from PC, connected to Sim LAN via VPN, indeed uses up LTE quota, then it’s up to VPN tunnel settings. Quite frequently establishing VPN tunnel changes routing setup, often changing default route as well. But this has nothing to do with winbox.

So IMO the most likely reason for increased use of LTE quota while winbox is connected to remote device is what I wrote in my previous post: endless refreshing winbox windows’ contents.
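One way to test the question raised in this thread, whether the PC's effective default gateway really changes while Winbox is connected (added here as an example, not part of any post above): capture `route print -4` on the Windows PC before and during the session and compare the lowest-metric default route. The sample captures and all addresses below are constructed.

```python
import re

# Constructed `route print -4` captures (addresses are made up, not from the thread).
BEFORE = """\
Active Routes:
Network Destination        Netmask          Gateway       Interface  Metric
          0.0.0.0          0.0.0.0      192.168.1.1     192.168.1.50     25
        127.0.0.0        255.0.0.0         On-link         127.0.0.1    331
Persistent Routes:
  None
"""
# Constructed "during" capture in which a second, lower-metric default route appeared.
CHANGED = BEFORE.replace(
    "        127.0.0.0",
    "          0.0.0.0          0.0.0.0       10.20.30.1       10.20.30.40      5\n"
    "        127.0.0.0", 1)

IP = r"\d+\.\d+\.\d+\.\d+"
ROW = re.compile(rf"^\s*({IP})\s+({IP})\s+(\S+)\s+({IP})\s+(\d+)\s*$")

def default_routes(text):
    """Return (metric, gateway, interface) for each active 0.0.0.0/0 route, best first."""
    routes, active = [], False
    for line in text.splitlines():
        if line.startswith("Active Routes"):
            active = True
        elif line.startswith("Persistent Routes"):
            active = False  # persistent entries are stored config, not the live table
        m = ROW.match(line)
        if active and m and m.group(1) == m.group(2) == "0.0.0.0":
            routes.append((int(m.group(5)), m.group(3), m.group(4)))
    return sorted(routes)

def effective_gateway(text):
    """Gateway of the lowest-metric default route, or None if there is none."""
    routes = default_routes(text)
    return routes[0][1] if routes else None

def compare(before, after):
    """Report whether the gateway Windows will actually use differs between captures."""
    b, a = effective_gateway(before), effective_gateway(after)
    return {"before": b, "after": a, "changed": b != a}

if __name__ == "__main__":
    print(compare(BEFORE, BEFORE))   # same capture twice: nothing changed
    print(compare(BEFORE, CHANGED))  # new default route wins on metric
```

If the comparison reports no change while the SIM's data counter still climbs, the routing table is not the cause and the traffic is coming from the management session itself.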

Correct … Winbox on the interfaces screen has an output of between 50K-250K depending on IPSEC/Tunnel complexity, it burns thru GSM data in no time flat.

@LdB, These as you so kindly put it are just being human and sometimes forget! Working on a support desk is stressful and work load can be high. Because of accidents like this I wanted to reach out to the community and ask if this is normal and is there a way around it. @mkx has been very helpful and explained why it’s happening, whereas you jump on someone else’s post and literally answer the question in the way i would expect a to answer it.. thank you but your contribution is not helpful.

Guys (or Girls or Neutral or …),
let’s all keep it civil, shall we ?

2 last posts edited.