I will describe the steps that need to be performed to configure HotSpot in Mikrotik.Continue reading “Configuring HotSpot on MikroTik (RouterOS)”
I will give an example of a command to send a wol packet:Continue reading “Using Wake On Lan on MikroTik”
They asked to find out somehow the reason for the frequent reboot of the MikroTik router.
When logging in the device, an error was constantly displayed in the logs:
I will give an example of setting up DHCP Snooping on MikroTik (RouterOS) to block third-party DHCP servers:Continue reading “Configuring DHCP Snooping on MikroTik”
To forward a port on the Mikrotik router, you need to open the “IP” – “Firewall” menu, select the “NAT” tab and add a new rule by clicking “Add new” or “+”.Continue reading “Port forwarding on Mikrotik routers”
In this article I will give an example of setting Hairpin NAT on RouterOS (Mikrotik).
I happen to have a server or a DVR in the local network, the ports to which are forwarded in the firewall, but you can connect only from other networks, and from the local network it is obtained only by the local IP address, but not external, on the WAN interface of the router.Continue reading “Configure Hairpin NAT on RouterOS (Mikrotik)”
There are several ways to prohibit access to social networks and other sites on Mikrotik routers.
The first and most effective
method is to enable web proxy, disable specific sites in it, in the firewall in the NAT tab add a rule that will send the necessary IP to web proxy.
Adds a rule to IP – Firewall – NAT (Chain: dstnat, protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080, in Src.Address or Src.Address List specify who needs to be sent to Web proxy)
We enable Web proxy by ticking the IP – Web proxy – Enabled, we look for the port to be 8080.
Add sites that need to be blocked in IP – Web proxy – Access (for example, Dst.Host: vk.com, Action: deny)
The second and one of the simplest
is to add a static DNS record, then everyone connected to the router will not be able to enter the site.
To do this, click “IP” – “DNS” – “Add New”, in the “Name” field, specify the domain of the site, in the “Address” – 127.0.0.1.
An example of adding via the command line:
ip dns static add name youtube.com address=127.0.0.1 ip dns static add name www.youtube.com address=127.0.0.1 ip dns static add name name=".*\.vk\.com" address=127.0.0.1
The command to view static DNS records on the router:
ip dns static print
However, this prohibition can be circumvented by manually registering a third-party DNS server on computers, such as Google DNS – 22.214.171.124 and 126.96.36.199.
The third option
is to look at what ip-addresses the site is in, for example by typing nslookup vk.com in the Windows command line, then block access to them for all users or specific users in the firewall. Instead of a heap of ip addresses, you can specify a subnet, for example, 188.8.131.52/24 (this is ip 184.108.40.206-254). On sites like “http://bgp.he.net/AS47541#_prefixes” you can see the ranges of IP addresses owned by AS companies.
ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no ip firewall address-list add list=socialnetworks address=220.127.116.11 disabled=no ip firewall address-list add list=socialnetworks address=18.104.22.168 disabled=no ip firewall address-list add list=socialnetworks address=22.214.171.124 disabled=no ip firewall address-list add list=socialnetworks address=126.96.36.199 disabled=no ip firewall address-list add list=socialnetworks address=188.8.131.52 disabled=no ip firewall address-list add list=socialnetworks address=184.108.40.206 disabled=no
The fourth option
through the protocol of the seventh level (all packets in which the specified expressions will be encountered will be discarded, so even chat messages that contain expressions can be blocked):
ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$" ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social
Finally, starting with the version of RouterOS v6.37 and higher, protection against loops has appeared.
Loop Protect can be enabled on ethernet, vlan, eoip, eoipv6 interfaces.
Via WEB and Winbox on the interface settings page, opening the Interfaces menu.
Through the CLI, you need to go to the required submenu:
/interface ethernet /interface vlan /interface eoip /interface eoipv6
It took somehow in one network to determine where the jumps of broadcast traffic are coming from, because of which the CPU usage was increasing on devices and there were interruptions with the Internet.
The network equipment was used from MikroTik.
Having connected to MikroTik with the following command, let’s look at the traffic statistics on ports, namely the broadcast traffic “Rx Broadcast” coming to the port, since this is the packet counter, then the figure should grow if the flood comes, if it does not change, then all is well:
interface ethernet print stats interval=1
Here is an example of viewing the statistics of a specific port (where ether2 is the name of the interface, it may be different depending on how it was called in the configuration):
interface ethernet print stats from ether2 interval=1
See the list of ports/interfaces with the command:
In this way, by the chain we will reach the final port from which there is a broadcast flood and, if necessary, turn it off by the command (where NUMBER is the number of the port in order in the table which can be viewed by the command above):
interface disable NUMBER
To enable the port:
interface enable NUMBER
Via WEB or Winbox, you can see the statistics by opening the Interfaces menu on the left and in the Interface tab, let’s look at each interface.
Example of resetting port statistics:
interface ethernet reset-counters ether2 interface ethernet reset-counters ether2,ether3,ether4,ether5
On CRS models MikroTik, you can enable broadcast traffic control, for example, 100 packets per second on an ether3 port (similarly for other ports):
interface ethernet switch ingress-port-policer add port=ether3 rate=100 meter-unit=packet packet-types=broadcast
In the future, you can watch the network for example through the system Zabbix, in which you can configure the display of broadcast packet schedules and if the packet counter starts to grow, the system will notify you.
It was necessary somehow on the sector antenna to limit traffic for fans to shake torrents. Point set up and described in this article – MikroTik RB912UAG-2HPnD (BaseBox 2) + Ubiquiti Sector. In my case, the speed adjusts the billing, but I wanted to limit the test for the means of MikroTik.
I want to note that if the FastTrack function is enabled, then Simple Queues will not work.
Here is an example of the command to add a queue rule (where 192.168.50.0/24 is the subnet for which the speed is limited):
queue simple add name=queue1 target=192.168.50.0/24 max-limit=3M/3M
If the speed is limited for a subnet and somebody needs to remove the restriction from this network, then we add a new rule in which we specify max-limit=0/0 and place it at the beginning of the list.
Via WEB and Winbox, open the Queues menu on the left and in the first Simple Queues tab, click Add New and specify:
Name: the name of the restriction at its discretion
Target: for whom the restriction will apply, for example, the entire subnet 192.168.50.0/24 or one address 192.168.50.144/32
Max Limit: here we indicate the limitation of the download and return rates
Click OK and the simple rule is ready.
You can also specify the time when you need to limit the speed, then the rule will automatically turn on and off.