Posting tutorials or how-to's !!!

Posted: Fri Sep 30, 2005 10:09 am
by maroon
hey Experts,

why don't you post some tutorials or how to's for services running on Mikrotik!

let's start with a hotspot configuration...

let's share our knowledge...

Mikrotik awesome!

Regards,

Posted: Fri Sep 30, 2005 3:53 pm
by infomate
I second the motion!

Let Mikrotik live!

Robert S.

Posted: Fri Sep 30, 2005 5:33 pm
by nowoxi
alright so what are we doing about it

Posted: Fri Sep 30, 2005 7:39 pm
by Borage
I would suggest a new subforum for that.

Posted: Sat Oct 01, 2005 10:28 am
by jaytcsd
These are the input rules on my v2.8.28 hotspot.

** rules I posted last week had a few errors, corrections to follow **

Posted: Sun Oct 02, 2005 6:28 am
by larmaid
count me in........ :D

:idea: :idea:

btw dhcp n enabled address which one is better for the security.....?

Posted: Mon Oct 03, 2005 9:24 am
by normis
very good idea, please everyone post your examples, tricks and configurations, and we will make a special page where those will be listed.

Posted: Mon Oct 03, 2005 4:03 pm
by Borage
Don't forget to post the configuration commands too, so n00bs like me only need to copy and paste it. :wink:

Posted: Mon Oct 03, 2005 4:03 pm
by nowoxi
count me in........ :D

:idea: :idea:

btw dhcp n enabled address which one is better for the security.....?
well it depends on the kind of measures you take. you could enable dhcp but still block unregistered ips or use something like radius server to authenticate
or use registered ips

Posted: Mon Oct 03, 2005 4:46 pm
by infomate
Here's my share.

Porn blocklist:
download from this url: http://pickup.mofile.com/7897855218849253
cut and paste to /ip web-proxy access

More power to all!

Robert S.

Posted: Mon Oct 03, 2005 6:14 pm
by maroon
thanks infomate

your blocklist is massive .. but v. useful

we all thankful :)

Regards,

Posted: Tue Oct 04, 2005 9:40 am
by randyloveless
anybody got a howto for IPSec i can get it to work but wont flow traffic both ways

Posted: Tue Oct 04, 2005 1:15 pm
by hzeid
Here's my share.

Porn blocklist:
download from this url: http://pickup.mofile.com/7897855218849253
cut and paste to /ip web-proxy access

More power to all!

Robert S.
hello it says Wrong Pickup Code:
can u double check the link pls???

Posted: Tue Oct 04, 2005 1:27 pm
by maroon
it works good with me Hadi

but i'm facing problem pasting the 3000 lines into the terminal ...

the box freezes !!

512mb of ram installed on 1.7 Intel Original box

enlighten me please

Posted: Tue Oct 04, 2005 1:31 pm
by hzeid
hey maroon my problem is that i can not get the line from the website they are posted on? :oops:


by the way for tutorials can u post a mikrotik configuration for the transparent proxy after microsoft isa server cause i still have a problem access https websites

Posted: Tue Oct 04, 2005 1:31 pm
by ela002
You can paste the list in smaller parts, e.g. each 500 lines or less.


But what about performance?

Posted: Tue Oct 04, 2005 4:18 pm
by maroon
okay Hadi,

I will post the configuration tonight, since i'm too busy right now.. and concerning the dropping of 500 lines on the terminal... I faced a problem which is not freezing... I can't see my keys anymore ..let's say I want to write / ping yahoo.com ... I can't see the line ..but if u press enter it will take the command ... what's goin on?

Mikrotik Heroes :)

Posted: Tue Oct 04, 2005 4:19 pm
by Borage
Why not copy the list to the router with ftp and import. :wink:

Posted: Tue Oct 04, 2005 6:07 pm
by maroon
great... I will try it and come back with feedback

thanks a million dude

Posted: Tue Oct 04, 2005 8:53 pm
by bholler
hello everybody,

why not use MS command prompt to telnet into the MT and copy and paste as much as u want into the console. That was what i used and i had no problem until i realised that the list cost me the CPU load and performance

Posted: Thu Oct 06, 2005 5:29 pm
by larmaid
hi....can anybody tell me how to block some url....?
i tried o wrote like this:

ip webproxy access>add url"www.google.com" action=deny

but still i cant block google.....? :?:

note :
i have erased all the rule in dst-nat......!!!!!

Posted: Thu Oct 06, 2005 9:16 pm
by maroon
is the transparent proxy or proxy enabled on mikrotik?

one of these should be enabled ...

Regards,

Posted: Thu Oct 06, 2005 9:19 pm
by maroon
anyone interested in a tutorial of setting up a PPPoE server?

Posted: Thu Oct 06, 2005 9:31 pm
by nowoxi
anyone interested in a tutorial of setting up a PPPoE server?
am interested

Posted: Thu Oct 06, 2005 10:32 pm
by proxy
anyone interested in a tutorial of setting up a PPPoE server?
i'm interested too :lol:

HOTSPOT - Good idea!

Posted: Fri Oct 07, 2005 5:50 pm
by Alessio Garavano
I am using hotspot from first beta versions....
:lol:

Posted: Sun Oct 09, 2005 12:40 pm
by maroon
setting the pppoe server on Mikrotik Router OS is the easiest setup you will ever know...

let's say we have two interfaces { real and fake or internal and external }

we start mikrotik...

set the External IP and route { ISP provides you the subnet and G/W }

add DNS .. I think these are well known to everybody.

now it's time to setup a pppoe server on Mikrotik router OS

let's start with:

1- ip --- pool --- add name="PPPoE Class A" ranges=10.20.20.2-10.20.20.200
2- ppp --- profiles --- add name="XXX" local-address=10.20.20.1 remote-address="PPPoE Class A" session-timeout=0s idle-timeout=15m only-one=yes incoming-filter=input outgoing-filter=output dns-server="ISP's DNS" tx-bit-rate="this means download at client side - optional" rx-bit-rate="this means upload at client side - optional"
3- interfaces --- pppoe-server --- server --- add service-name="Class A" interface="internal" mtu=1472 mru=1472 authentication=pap,chap keepalive-timeout=15 one-session-per-host=yes default-profile="XXX"
4- ppp --- secrets --- add name=test password=test service=pppoe

create a dialup connection on a WS and try it

with this we've completed setting up a pppoe server... if you need to enable the proxy on mikrotik ... i'm ready to post how-to setup proxy and transparent proxy on mikrotik ...

P.S: most of WS aren't pppoe enabled so go to http://www.raspppoe.com and download the driver... so easy to install it.

Regards,

Maroon

Posted: Mon Oct 10, 2005 4:23 pm
by larmaid
@maroon ive already enabled transparent proxy... :cry:
can anyone help...?

and 1 more thing can mt block user when they login after 3 tries...?

thankx for the answer

Posted: Mon Oct 10, 2005 6:36 pm
by randyloveless
what can't you get to work? trans proxy is fairly simple to setup,

Randy

Hotspot how-to !! full setup

Posted: Mon Oct 17, 2005 4:13 pm
by maroon
why you guys aren't posting some tutorials over here?

anyone knows how to configure a hotspot on Mikrotik? full setup!!!

I think they are a lot who are waiting an expert to post this tutorial on

Mikrotik forum.

Best Regards,

Maroon

Posted: Mon Oct 17, 2005 4:23 pm
by normis
in 2.9 anyone knows how to configure hotspot. it's just too easy.

Posted: Mon Oct 17, 2005 4:35 pm
by maroon
OK normis!!!

everything is just so easy on Mikrotik...

so let's share some ideas, so mikrotik users will be more interested abt it.

mmm! let's make a contest for the mikrotik users, and there will be a

prize { a free mikrotik router OS, or wutever thing ... }

think about it

and we all are ready

thanks for your cooperation Normis

Posted: Mon Oct 17, 2005 5:08 pm
by normis
come to the mikrotik user meeting and it will all be there (including free licenses and a contest for routerboard hardware) :)

we are already thinking about a place where such examples can be stored, we just need some activity. if you'd do it on the forums, we could transfer those examples to a separate page. there is simply not enough yet

Posted: Mon Oct 17, 2005 5:47 pm
by maroon
how I wish Normis,

i'm IT manager at Lebanese Canadian University, and I'm havin a full time job. other than freelance projects...

my time is full this fall. hope next summer...

but concerning the separate page. me, myself ready but I can't do all these by myself.. at least need some support to post and take care of it

Sincerely Maroon

Posted: Mon Oct 17, 2005 6:17 pm
by infomate
I don't have enough experience but I'm willing to support it.

come to think of it, is there any exam we can take to qualify anybody as a certified MT support guy? Since Im from the Philippines, I dont know anybody working with MT here, much more to ask for support.

I guess experience has to do a lot about being able to support MT, and compile proven and tested solutions.

Submitted contributions will be accepted based on mutual trust (and the contributor should be able to prove it working in actual systems and not theoretical in nature).

Next step?????

Robert S.

Hotspot Setup

Posted: Mon Oct 17, 2005 9:21 pm
by hzeid
HotSpot Setup Howto

I have been using this setup on over 8 mikrotik routers and it is working excellent
note: i have been using this setup on 2.8.xx versions i dont know if it works on 2.9
also this setup is copied from an old post it doesn't belong to

This little guide takes you through a step-by-step approach to setting up a simple hotspot using the excellent MikroTik RouterOS software. Some detail and explanations are left out to keep things clearer. This guide assumes that you have installed RouterOS v2.8.7 and upwards.

Code:
[admin@MikroTik] > system reset

(The system restores itself to a clean install state and reboots)

Let’s see what interfaces we have on the computer:
Code:
[admin@MikroTik] > /interface print

Flags: X – disabled, D – Dynamic, R - Running
# NAME TYPE MTU
0 X ether1 ether 1500
1 X ether2 ether 1500


(You can see that there are two Ethernet ports on this computer, both disabled)
So let’s enable them both:
Code:
[admin@MikroTik] interface> set 0,1 disabled=no
[admin@MikroTik] interface> print

Flags: X – disabled, D – Dynamic, R - Running
# NAME TYPE MTU
0 R ether1 ether 1500
1 R ether2 ether 1500

Let’s give the Ethernet ports names, as it’s getting complicated already:

Code:
[admin@MikroTik] interface> set 0 name="hotspot"
[admin@MikroTik] interface> set 1 name="internet"
[admin@MikroTik] interface> print

Flags: X - disabled, D - Dynamic, R - Running
# NAME TYPE MTU
0 R hotspot ether 1500
1 R internet ether 1500


We can now more easily refer to the interfaces by name, which is also easier to remember. Now, let’s set up the address of Ethernet card on the internet side. In this case, we’re going to call the MikroTik box 192.168.1.2 and the gateway (ie the broadband router) as 192.168.1.1 and the DNS given to you by your ISP. In this case, our example is using the DNS from Plusnet of 212.159.13.50

Code:
[admin@MikroTik] > /ip
[admin@MikroTik] ip> address add address=192.168.1.2/24 interface=internet
[admin@MikroTik] ip> route add gateway=192.168.1.1
[admin@MikroTik] ip> dns
[admin@MikroTik] ip dns> set primary-dns=212.159.13.50
[admin@MikroTik] ip dns> set secondary-dns=212.159.11.50


To speed things up a little, you can cache dns requests local to the MikroTik box as follows:

Code:
[admin@MikroTik] ip dns> set allow-remote-requests=yes
[admin@MikroTik] ip dns> ..

Now set up the hotspot side:

Code:
[admin@MikroTik] ip> hotspot
[admin@MikroTik] ip hotspot> setup
Select interface on which to run HotSpot
Hotspot interface: hotspot
Enable universal client configuration?
Enable universal client: yes

This is a feature that allows remote computers to connect even if they have totally different network settings already set up on them
Code:
Local address of hotspot network gateway: 10.5.50.1/24
Masquerade hotspot network: yes
Address pool of hotspot network will be: 10.5.50.2-10.5.50.254
ip address of smtp server: 192.168.1.3


(We have to enter here the IP address of your ISP SMTP server, or otherwise put the address of your local one. If you don’t have one, then just give it an address on the “internet” side of the MikroTik box)

Code:
Use local DNS cache?
use local DNS cache: yes
Setup DNS Configuration
dns servers: 192.168.1.2


We enter here the IP address of the MikroTik box on the "internet" side, because we have already set up a DNS cache earlier.

Code:
Name of hotspot user: admin
Password for the user: admin


(This is the hotspot administrator username and password – keep the details safe)
Code:

Select another port for (www) service
Another port for service: 8081


The port that you specify here is the port for Winbox.
Code:

Use transparent web proxy for hotspot clients?
Use transparent web proxy: yes


And that’s about it. Connect to your MikroTik box from either the internet side using the address of http://192.168.1.2:8081 or on the hotspot side (use your admin password).

Download the Winbox from that link, and go to the Hotspot section to manage users.

And there you have it – your Hotspot.

Posted: Tue Oct 18, 2005 12:06 pm
by nowoxi
well i know its old but am still running 2.8.28 can i still use the setup or do i v to upgrade

Re: Hotspot Setup

Posted: Tue Oct 18, 2005 12:28 pm
by hzeid
note: i have been using this setup on 2.8.xx versions i dont know if it works on 2.9
also this setup is copied from an old post it doesn't belong to

this should mean that it works on 2.8.xx os

Posted: Tue Oct 18, 2005 1:31 pm
by nowoxi
if you read through the setup he also assumed one is using 2.8.7 upwards

Posted: Thu Oct 20, 2005 2:22 pm
by jaytcsd
The first time I used the hotspot setup routine in 2.8.26 it set my MTU to 1492. I had problems with clients not being able to load some sites like aol.com, finally noticed that the next PC I setup had 1500, as soon as I changed that all the problems went away.

I also made the mistake of checking the 'authoritative' box in the dhcp server for the hotspot, that caused problems with sites like foxnews.com, not positive as to why but I suspect sites that have dynamic load balancing change their DNS settings on the fly, I get different IP addresses for that site depending on where I ping from.

Our hotspot has been live since July, the only problems we've had so far were ones I created.

Posted: Wed Oct 26, 2005 7:21 pm
by maroon
seems no one is interested in the subject!!

yalla guys !!! show us your ideas, potential, everything!!

Regards,

Posted: Thu Oct 27, 2005 12:02 am
by martini
Hello guys )) i can post many examples but can anyone tell me how i can setup a queues tree.

I setup queue tree but it work sometimes wrong.. i add mangle rules for icmp gre and udp protocols, than i add parent queue and then add subparent queue for udp and icmp and gre protocol with priority 1. But sometimes when parent on full bandwidth icmp request very big 50-200ms.
Help me please 8)

Posted: Thu Oct 27, 2005 12:12 am
by butche
Limiting number of packets per second in 2.8:

http://www.butchevans.com/readarticle.php?article_id=5

Bursting (how it works and how to configure):

http://www.butchevans.com/readarticle.php?article_id=6

Other How-Tos and short tutorials (including firewall):

http://www.butchevans.com/articles.php

There are more to come, by the way. Just need input on WHAT to post.

Posted: Thu Oct 27, 2005 9:35 am
by maroon
thanks butche,

your articles are fruitful.

"Martini" this is normal, since your bandwidth is full !! what NIC's installed

on your router? try using Intel or 3com.

Regards,

Posted: Thu Oct 27, 2005 3:50 pm
by martini
thanks butche from me too ))
I read your examples, but i still didnt find about shaping gre or icmp.

Posted: Thu Oct 27, 2005 5:51 pm
by butche
I read your examples, but i still didnt find about shaping gre or icmp.
The QOS article/tutorial is in a reserved area for customers who have attended my training classes.

The basic idea for building traffic shaper is this:
1. mangle the traffic you want to shape, and create a packet-mark
2. build a queue on your upstream interface that is able to handle as much as your upstream (parent queue will be the interface that faces your upstream provider). This queue will be ALL traffic
3. Do the same for your inbound traffic (parent would be customer facing interface)
4. Build queues with the above 2 queues as parents, which match the mangles you create for the more specific traffic.

Using this information, you should be able to look in the manual here:

http://www.mikrotik.com/docs/ros/2.9/root/queue
and
http://www.mikrotik.com/docs/ros/2.9/ip/mangle

Once you look there, perhaps you will have a more specific question, which can be answered.

Posted: Thu Oct 27, 2005 10:01 pm
by martini
))))))

I read this manual maaaany times )) i see this examples when i sleep ).
Ok, i explain my config :

i have 2 interface ether1(100mb) and wlan1 (18mb)

I mangle udp, icmp and gre protocol by 3 mangle rules
Then i add queue name ALL to parent wlan1
and add subqueue to this queue "ALL" as parent with flow udp, icmp and gre.
I did same for interface ether1

On wlan1 i get download speed and on ether1 i get upload speed.

Is that correct ?? :oops:

Posted: Fri Oct 28, 2005 3:15 am
by butche
I mangle udp, icmp and gre protocol by 3 mangle rules
Add one other mangle that captures ALL traffic that is not matched by the above rules. Like this:

create flow-mark on ALL traffic (passthrough)
create flow-mark on gre (not passthrough - "accept")
create flow-mark on icmp (not passthrough - "accept")
create flow-mark on udp (not passthrough - "accept")
Then i add queue name ALL to parent wlan1
and add subqueue to this queue "ALL" as parent with flow udp, icmp and gre.
I did same for interface ether1

On wlan1 i get download speed and on ether1 i get upload speed.

Is that correct ?? :oops:
Yup. That is how it works. One note, though, add a subqueue using the above mangle to your upload and download queues. The reason for this is because traffic that is not forced through a queue, is considered as priority 1 (highest priority). By using the above queue, you can prioritize traffic the way you want it.
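
The rule order and queue layout described in this post, written out as an added example (it is not from butche's post or from MikroTik's documentation). It assumes RouterOS 2.9-style mangle and queue tree syntax; the interface names come from martini's post, while the mark names, queue names and rate figures are constructed placeholders.

```routeros
# Added example, RouterOS 2.9-style syntax (assumption).
# wlan1 = customer-facing, ether1 = upstream-facing (from martini's post).
# Mark names, queue names and all rates are constructed for illustration.

/ip firewall mangle
# 1. Catch-all first, with passthrough=yes so the rules below can
#    overwrite the mark for the protocols that get their own queue.
add chain=forward action=mark-packet new-packet-mark=rest passthrough=yes
# 2. Specific protocols, passthrough=no: processing stops at the first
#    match, so each packet leaves the chain with exactly one mark.
add chain=forward protocol=gre action=mark-packet new-packet-mark=gre passthrough=no
add chain=forward protocol=icmp action=mark-packet new-packet-mark=icmp passthrough=no
add chain=forward protocol=udp action=mark-packet new-packet-mark=udp passthrough=no

/queue tree
# Parent queues, one per direction. Download leaves through the
# customer-facing interface, upload through the upstream-facing one.
add name=ALL-down parent=wlan1 max-limit=18000000
add name=ALL-up parent=ether1 max-limit=2000000

# Children of the download parent. Priority 1 is highest, 8 is lowest.
add name=gre-down parent=ALL-down packet-mark=gre priority=1 limit-at=1000000 max-limit=18000000
add name=icmp-down parent=ALL-down packet-mark=icmp priority=1 limit-at=128000 max-limit=18000000
add name=udp-down parent=ALL-down packet-mark=udp priority=1 limit-at=1000000 max-limit=18000000
# The catch-all mark gets its own low-priority child. Without it the
# unmarked traffic bypasses the tree and competes as if it were priority 1.
add name=rest-down parent=ALL-down packet-mark=rest priority=8 limit-at=4000000 max-limit=18000000

# Same layout for the upload parent.
add name=gre-up parent=ALL-up packet-mark=gre priority=1 limit-at=256000 max-limit=2000000
add name=icmp-up parent=ALL-up packet-mark=icmp priority=1 limit-at=64000 max-limit=2000000
add name=udp-up parent=ALL-up packet-mark=udp priority=1 limit-at=256000 max-limit=2000000
add name=rest-up parent=ALL-up packet-mark=rest priority=8 limit-at=512000 max-limit=2000000
```

Keep the sum of the children's limit-at values at or below the parent's max-limit, and set the parent's max-limit slightly below the real link rate so the queue forms on the router rather than upstream.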

Posted: Fri Oct 28, 2005 7:38 pm
by mfennell
Maybe we can get the board admins to add another section for Tutorials

Posted: Sat Oct 29, 2005 12:57 pm
by durim
I have about 30 routers which I provide hotspot for clients connected with wireless, and viruses were the thing that gave me a headache, so I had to think so much about a solution, because I set up the hotspot on the ethernet card and connect the AP via it, and most of the APs don't provide port filtering or inter-client interception, so this is even much more. Most of the time the clients that are not logged in in hotspot (viruses) try to go out the router, and you know what that makes: if 1000 packets are returned to the hotspot page, everything is down. I had to restart the router or, in the worse case, lose a lot of time finding the infected computer and dropping it from the internet (mac filter). At last I have decided to use the mikrotik firewall capacities and I got a solution, and I think that would help others that are running hotspots. These are the rules that I have added and that helped a little bit:

ip firewall mangle add protocol=tcp dst-port=135-139 flow-mark=virus action=accept
ip firewall mangle add protocol=udp dst-port=135-139 flow-mark=virus action=accept
ip firewall mangle add protocol=udp dst-port=445 flow-mark=virus action=accept
ip firewall mangle add protocol=tcp dst-port=445 flow-mark=virus action=accept

these were the rules to mark the traffic, and the final rule:

ip firewall dst-nat add flow=virus action=redirect to-dst-address=1.2.3.4 place-before=0

when you redirect the traffic, redirect it to an ip address which doesn't even exist, not to the router ip address

and maybe queues to limit the traffic (antena is the interface name):

queue tree add flow=virus limit-at=2000 max-limit=3000 parent=antena
I hope that this will help

regards Durim

Posted: Mon Oct 31, 2005 4:39 pm
by gianluca
can we have again the list to block porn sites ?
thanks
Gianluca

Posted: Mon Oct 31, 2005 6:41 pm
by larmaid
i think M2.9.6 bandwidth limiting still having some problem......!
i follow the manual 100% not working......! :(
when will the bandwidth limiting works perfectly.....!

Posted: Mon Oct 31, 2005 6:46 pm
by gianluca
what does it have to do with blocking porn sites ?

Posted: Mon Oct 31, 2005 6:55 pm
by maroon
honestly I haven't installed Mikrotik 2.9... on my systems

and concerning the porn blacklist..

search on the forum and i'm quite sure you will find the list

Regards,

Posted: Mon Oct 31, 2005 7:14 pm
by gianluca
already done, cannot find it.
if you have it, you can publish it

Posted: Mon Oct 31, 2005 7:39 pm
by proxy
if anyone needs the porn black list for proxy i have it if anyone needs it just tell me and i will post it

Posted: Mon Oct 31, 2005 8:01 pm
by larmaid
what is green,yellow,red means in queue.....?

Posted: Mon Oct 31, 2005 8:07 pm
by butche
what is green,yellow,red means in queue.....?
http://www.mikrotik.com/docs/ros/2.9/root/queue

Posted: Mon Oct 31, 2005 8:53 pm
by gianluca
proxy, thanks for help.
you can publish it (if it possible) or email it to gianred123@yahoo.it
thanks
Gianluca

Posted: Mon Oct 31, 2005 9:12 pm
by proxy
here friends
http://rapidshare.de/files/7013300/porn_blocklist.txt.html
TESTED OK

if any problems tell me i will upload it again on another server.,

Posted: Mon Oct 31, 2005 9:20 pm
by gianluca
thank you very much, BUT it looks like this is very country-sensitive since you can probably still connect to 100% of SPANISH porn sites.... so this is not useful for us since our market is Spain

Posted: Mon Oct 31, 2005 11:16 pm
by larmaid
how bout virus,spyware.....?

Posted: Tue Nov 01, 2005 1:16 am
by nowoxi
durim, well y dont you just drop all traffic that goes through those ports instead of taking up extra processor by redirecting. i think thats neater. then i dont know if ull need it but i have a set of rules that blocks out most viruses. and its executed before any other rules are; in my tables. so if u need it just holla!!
even the ports you blocked are a part of it


please i need some help on hotspot. i really do. am a rookie when it comes to that

Posted: Tue Nov 01, 2005 3:53 am
by jaytcsd
nowoxi, what kind of help do you need with hotspots?

I've managed to get 2.8.28 and 2.9.5 working with hotspots.

Posted: Tue Nov 01, 2005 1:14 pm
by nowoxi
well i have a small wireless network and i use firewalls to limit connection and manage connections and its growing i am afraid if people get to know how i get the connection done i might have problems
some one suggested HOTSPOT to me but i vnt being able to understand it let alone deploy it so i guess i need a thorough explanation n all

Posted: Tue Nov 01, 2005 9:35 pm
by larmaid
can mt block user from viewing or browsing or access to another user in the same network(LAN)...?
if can how....?

and how to block user when fail to login 3 times in hotspot...?

Posted: Wed Nov 02, 2005 1:22 pm
by durim
Yes, that's true but how to drop traffic when this traffic try to get out the router and redirected by hotspot into welcome page thousand of packets so the router web server stop responding and stop and trying to find a solution to stop blocking block of router web server and cause dropping these traffic in forward doesn't effect .

Posted: Wed Nov 02, 2005 4:53 pm
by nowoxi
can mt block user from viewing or browsing or access to another user in the same network(LAN)...?
if can how....?

and how to block user when fail to login 3 times in hotspot...?
i dont know much about hotspot so i cant answer that

but for the clients not vin access just disable forwarding

i wont mind if ull explain hotspot to me alil bit i think i need it

Posted: Wed Nov 02, 2005 5:08 pm
by nowoxi
durim

i didnt understand one lil bit of ur last post . ps be alil clearer :D

Posted: Thu Nov 03, 2005 11:23 am
by larmaid
@nowoxis: when a user try to login into hotspot but they fail 3 times, and i want that user block for about 1 hour or maybe 1 day.....?


anybody know howto setup watchdog...?

Posted: Thu Nov 03, 2005 12:11 pm
by durim
durim

i didnt understand one lil bit of ur last post . ps be alil clearer :D
Maybe I was a little unclear. what I mean with yes was that these rules need extra processor, and the meaning of the rules is so: when a computer is infected with a virus, mostly with a worm that uses vulnerabilities on windows xp on port 135 & 445 (netbios), they communicate with each other (LAN) and try to get out of the router, and when the user is not logged in the hotspot will redirect to the hotspot page, which kills the router web server, and service is down until the router is restarted or the www service on the router is disabled and enabled
well i have a small wireless network and i use firewalls to limit connection and manage connections and its growing i am afraid if people get to know how i get the connection done i might have problems
some one suggested HOTSPOT to me but i vnt being able to understand it let alone deploy it so i guess i need a thorough explanation n all

so this could be one of your problems. as about your question, "hzeid" gave an explanation how to setup a hotspot server, I think that's enough for starting hotspot service. if you have something more don't hesitate to ask.

Regards Durim

Posted: Wed Nov 09, 2005 6:27 pm
by maroon
Posting a PCQ example!!

anyone? ready to post it?

thanks

Posted: Wed Nov 09, 2005 7:23 pm
by maximan
Can admin create a how to section on this forum??
because there are a lot of message and difficult the reading.