
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

How to prevent NATed access

Sat Oct 27, 2007 5:38 pm

Hi fellows,

It just struck me... how to prevent NATed access from clients?

Let's say the IP range allocated to client X is 192.168.2.0/28 and, to add more PCs, the client decides to put NAT on one of the allocated IPs. It could be Winroute, Wingate, Linux NAT, etc.

How to prevent this ?

TIA

Paul
 
krigevr
Member Candidate
Posts: 155
Joined: Mon Aug 20, 2007 7:02 pm
Location: South Africa

Re: How to prevent NATed access

Sun Oct 28, 2007 12:50 am

I wonder if one can put a routing metric limit on it... limit the TTL. Can that be done in MT?
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Mon Oct 29, 2007 7:04 am

Example please...
 
iam8up
Member
Posts: 312
Joined: Sun Oct 28, 2007 10:58 pm
Location: Troy, OH

Re: How to prevent NATed access

Mon Oct 29, 2007 7:44 am

I can't make out what you're saying at all.

If you assign a host with 192.168.2.0/28 it won't get very far - that IP address is the "network" in that subnet. Look here: http://jodies.de/ipcalc?host=192.168.2. ... =28&mask2=
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Mon Oct 29, 2007 8:32 am

Hi iam8up,

My original question is how to prevent NATed access by the client.
I know a /28 only has 13 PCs effectively.

The situation is: if the client puts NAT on one of his allocated PCs and makes their own network behind it too, it will support hundreds of PCs.

So the question is how to prevent this NAT by the client?
 
mrz
MikroTik Support
Posts: 5919
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia
Contact:

Re: How to prevent NATed access

Mon Oct 29, 2007 9:21 am

It's simple: add a mangle rule with an action that sets the TTL to 1. But I don't think you should disallow NAT, because many are using wireless routers to connect their laptops.
 
cieplik206
Trainer
Posts: 286
Joined: Sun Jul 01, 2007 12:25 am

Re: How to prevent NATed access

Mon Nov 05, 2007 11:46 am

You can use TTL... but my opinion is to let them work. Behind the NAT there can be 100 computers, but they will share the one bandwidth which you are giving to them, so it shouldn't affect others. Another solution, if traffic from that user is high, is to do some usage limitation: if data transfer exceeds some value, change the speed to a lower one for some period of time.
 
karo84
Member Candidate
Posts: 194
Joined: Fri Aug 17, 2007 9:06 am

Re: How to prevent NATed access

Wed Nov 07, 2007 7:08 pm

I have tried to change the TTL value to 1 but it seems not to work; I could not connect to the internet.
I have the same problem preventing NATed access. Maybe try to use a connection limit or packet limit, I don't know.
I would be very glad if somebody solves this problem.


With Regards
Karapet Aznavuryan
 
mrz
MikroTik Support
Posts: 5919
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: How to prevent NATed access

Wed Nov 07, 2007 8:20 pm

Well, obviously there is some error in your firewall configuration. Probably you are setting TTL to 1 for outgoing packets and they die at the gateway.
Maybe post your config?
 
o_hawchar86
Frequent Visitor
Posts: 67
Joined: Sun Nov 26, 2006 8:59 am

Re: How to prevent NATed access

Sun Nov 11, 2007 9:28 pm

Is this the correct rule that should be set?

/ip firewall mangle add src-address=192.168.0.4/32 chain=input action=change-ttl new-ttl=set:1

But mrz, where can I learn coding MikroTik scripts?
 
mrz
MikroTik Support
Posts: 5919
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: How to prevent NATed access

Mon Nov 12, 2007 9:53 am

It's not correct. The rule should be something like this:
/ip firewall mangle add chain=forward dst-address=192.168.0.4/32 action=change-ttl new-ttl=set:1

You can learn from scripts in wiki:
http://wiki.mikrotik.com/wiki/Scripts
Scripting manual:
http://www.mikrotik.com/testdocs/ros/2. ... ipting.php
 
jorj
Member
Posts: 398
Joined: Mon Mar 12, 2007 4:34 pm
Location: /dev/null

Re: How to prevent NATed access

Mon Nov 12, 2007 10:56 am

You can set the TTL to 1, but any "wise" user with some networking knowledge will get through that, by any of several possibilities of routers that can change the TTL themselves.

You can use connection limits, but even that won't help too much.
Changing the TTL will stop only casual "smarties" from sharing your internet connection.

It's all about what you are selling: bandwidth or number of stations.
In the long term, you'll see that selling rock-stable capacity will get you clients.
You can put an additional network address on your router, give them all that network to use, put a queue on the whole network to limit it to whatever you want, and then you can see how many computers they use, if they don't use a router. If they do, you have your money for what you sell anyway.

73
 
iam8up
Member
Posts: 312
Joined: Sun Oct 28, 2007 10:58 pm
Location: Troy, OH

Re: How to prevent NATed access

Mon Nov 19, 2007 9:52 am

What we do is use the hotspot functionality. If a router connects to the network the user is still caught by the hotspot.

At this point they pay for an account and they're fine for life, or they can't register (because their router doesn't work right with the hotspot) and we take care of them. Either way, the hotspot helps keep unwanted customers under control!
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Mon Dec 10, 2007 4:37 pm

Hi there...

Many thanks for the various replies...
I've not tried the suggestion yet, but there is another question, still within the same subject.

Let's say our network is 192.168.1.0/24 and we do not want them to be able to do NAT. BUT some of them are allowed to do NAT, let's say 192.168.1.72/29.

Therefore, how to let 192.168.1.72/29 have NAT while others within the same class do not?

Regards

Paul
 
mrz
MikroTik Support
Posts: 5919
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: How to prevent NATed access

Mon Dec 10, 2007 4:54 pm

You should really consider reading the manual. You are asking things that are described in the manual in great detail.
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Mon Dec 10, 2007 5:34 pm

Well... I am still a newbie... :(

The manual says:
new-ttl (decrement | increment | set:integer) - specify the new TTL field value used in conjunction with action=change-ttl
decrement - the value of the TTL field will be decremented by value
increment - the value of the TTL field will be incremented by value
set: - the value of the TTL field will be set to value

BUT there are no examples for more explanation.

Any explanations please?

Paul
 
mrz
MikroTik Support
Posts: 5919
Joined: Wed Feb 07, 2007 12:45 pm
Location: Latvia

Re: How to prevent NATed access

Mon Dec 10, 2007 6:26 pm

/ip firewall mangle 
add action=change-ttl dst-address=192.168.1.0/24 chain=forward new-ttl=set:1 
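
The exemption Paul asked about earlier in the thread (let 192.168.1.72/29 run NAT while the rest of 192.168.1.0/24 gets the TTL clamp) fits in a single rule. This is an added example, not code from the thread or from MikroTik's manual. It assumes RouterOS firewall syntax with address lists and the `!` negation on matchers, that the customer subnet 192.168.1.0/24 sits behind an interface the example calls ether2 (a hypothetical name), and that the customers allowed to NAT are kept in an address list named nat-allowed so that further exceptions need no rule changes.

```routeros
# Added example (not from the thread). Assumed: customers live in
# 192.168.1.0/24 behind ether2 (hypothetical interface name) and the
# customers allowed to NAT are listed in the address list "nat-allowed".
/ip firewall address-list
add list=nat-allowed address=192.168.1.72/29 comment="customer allowed to NAT"

/ip firewall mangle
# One rule: clamp the TTL on traffic towards the customer subnet, except
# for destinations in the nat-allowed list. The "!" negates the list
# match, so the /29 never has its TTL touched and no second rule is needed.
# Only the to-customer direction matters: a NAT box behind the customer
# decrements the TTL to 0 on the way in and drops the packet there.
add chain=forward dst-address=192.168.1.0/24 dst-address-list=!nat-allowed \
    out-interface=ether2 action=change-ttl new-ttl=set:1 passthrough=no \
    comment="TTL 1 towards customers: dies at any router behind them"

# Confirm the rule is actually matching (packet/byte counters) before
# trusting it; an unmatched rule usually means a wrong chain or interface.
/ip firewall mangle print stats where comment~"TTL 1"
```

Negating the address list is preferable to putting an action=accept rule for the /29 in front of the TTL rule: accept stops processing of the rest of the mangle chain for that packet, so it would also skip any mark-connection or mark-packet rules that the customer queues depend on. The out-interface match is belt and braces; it stops the rule from rewriting TTL on 192.168.1.0/24 traffic that for some reason leaves by another interface.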

 
janisk
MikroTik Support
Posts: 6283
Joined: Tue Feb 14, 2006 9:46 am
Location: Riga, Latvia

Re: How to prevent NATed access

Tue Dec 11, 2007 3:28 pm

IMHO I do not know many (SOHO) routers that will change the TTL of a packet in prerouting :) so, unless your client has a router that is the same level as yours or better, you cannot limit them that way. Any other crappy router will not be able to change the TTL value in time for the packet to survive :)
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Wed Dec 12, 2007 2:25 pm

Hi there,

We use MikroTik for all of our BTSs and wrt54g/gs/gl with dd-wrt as client (route: RIP2) for all of our clients.

The clients, perhaps, will use winroute/wingate/freesco or ICS from Windows to share their connections.

So... will setting the new TTL to 1 prevent clients from using the above software?

TIA

Paul
 
Closed_1
just joined
Posts: 7
Joined: Fri Dec 08, 2006 11:40 am

Re: How to prevent NATed access

Thu Feb 28, 2008 9:41 am

Can this script be used to prevent a client who is using CCProxy / squidNT on their machine from distributing the internet access to another client???
 
prawira
Trainer
Topic Author
Posts: 279
Joined: Fri Feb 10, 2006 5:11 am

Re: How to prevent NATed access

Wed Jul 29, 2009 8:27 am

Hi there,

I just tried the clue...
/ip firewall mangle
add action=change-ttl dst-address=192.168.2.0/24 chain=forward new-ttl=set:1
The result: all customers of our customer went down.

When I ping 192.168.2.3 the response is
TTL expired in transit.
TIA

Paul
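
Why the rule above took every customer down, worked through hop by hop, as an added example that is not from the thread. Paul's customers sit behind a dd-wrt CPE that routes (RIP2), so each customer PC is already one hop away from the BTS router. A packet leaving the BTS with TTL 1 is decremented to 0 by the CPE, which discards it and returns ICMP time exceeded; that is the "TTL expired in transit" his ping shows. Setting the TTL to 2 instead leaves exactly one hop of budget for the CPE and none for a second router (ICS, Winroute, Linux NAT) behind a customer PC. The example assumes the aggregate customer range 192.168.2.0/24 and exactly one routed CPE in front of every customer; the interface name ether2 is hypothetical.

```routeros
# Added example (not from the thread). Hop budget with new-ttl=set:2 and
# one routed CPE in the path, as in the setup described above:
#   BTS router -> packet leaves with TTL 2 (set by the rule below)
#   dd-wrt CPE -> forwards with TTL 1 to the customer PC, which answers
#   PC running ICS/Winroute/Linux NAT -> would have to forward with TTL 0,
#     so it drops the packet and hosts behind it see "TTL expired in transit"
/ip firewall mangle
add chain=forward dst-address=192.168.2.0/24 out-interface=ether2 \
    action=change-ttl new-ttl=set:2 passthrough=no \
    comment="TTL 2 towards customers: one hop for the CPE, none for NAT behind it"

# Measure the real hop count before enabling the rule. The router's own
# pings traverse the output chain, not forward, so the mangle rule leaves
# them alone; the ttl= option reproduces what a customer-bound packet sees.
/ping 192.168.2.3 ttl=1 count=3
/ping 192.168.2.3 ttl=2 count=3
```

With exactly one router between the BTS and 192.168.2.3, the ttl=1 ping should come back as time exceeded from the CPE and the ttl=2 ping should get replies, which makes set:2 the smallest value that keeps that PC reachable. Two caveats a practitioner should keep in mind. First, as jorj and janisk say above, any router that rewrites TTL defeats this; a router built on iptables can do it with the TTL target in its mangle table, so the check only catches customers whose NAT box decrements TTL as a normal router would. Second, this does nothing against the proxies asked about later in the thread (WinGate, CCProxy, squid): a proxy does not forward IP packets, the proxy host opens its own TCP connections to the outside, so from the BTS every packet looks like it came from that one customer PC and the inner hosts are never visible to a TTL rule. Only connection or bandwidth limits on the customer address apply in that case.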
