Suppose there are two Internet channels, from the same or from different providers; the gateway can be the same, it does not matter. They are connected to the first and second ports. Continue reading “Automatic switching between backup channels on MikroTik (RouterOS)”
It was once necessary to split a MikroTik RB2011iLS-IN into two separate routers in order to connect two users, while there was a single uplink with two different IPs.
I solved this problem by bringing two VLANs to the MikroTik, assigning an IP in each and configuring two masquerade rules, and splitting the ports between two bridges.
I will describe the steps that need to be performed to configure HotSpot on MikroTik. Continue reading “Configuring HotSpot on MikroTik (RouterOS)”
I will give an example of a command that sends a WOL packet: Continue reading “Using Wake On Lan on MikroTik”
I was asked to find out the reason for the frequent reboots of a MikroTik router.
When logging in to the device, an error was constantly displayed in the log:
I will give an example of setting up DHCP Snooping on MikroTik (RouterOS) to block rogue third-party DHCP servers: Continue reading “Configuring DHCP Snooping on MikroTik”
To forward a port on a MikroTik router, open the “IP” – “Firewall” menu, select the “NAT” tab and add a new rule by clicking “Add new” or “+”. Continue reading “Port forwarding on Mikrotik routers”
In this article I will give an example of setting up Hairpin NAT on RouterOS (MikroTik).
It happens that there is a server or a DVR on the local network whose ports are forwarded in the firewall, but it can only be reached from other networks; from the local network it is reachable only by its local IP address, and not by the external address on the WAN interface of the router. Continue reading “Configure Hairpin NAT on RouterOS (Mikrotik)”
There are several ways to prohibit access to social networks and other sites on Mikrotik routers.
The first and most effective method is to enable the web proxy, deny specific sites in it, and add a rule on the NAT tab of the firewall that sends the required IPs to the web proxy.
Add a rule in IP – Firewall – NAT (Chain: dstnat, Protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080; in Src. Address or Src. Address List specify who should be sent to the web proxy).
Enable the web proxy by ticking IP – Web Proxy – Enabled, and check that the port is 8080.
Add the sites that need to be blocked in IP – Web Proxy – Access (for example, Dst. Host: vk.com, Action: deny).
The second, and one of the simplest, is to add a static DNS record; then nobody connected to the router will be able to open the site.
To do this, click “IP” – “DNS” – “Add New”, specify the domain of the site in the “Name” field and 127.0.0.1 in the “Address” field.
An example of adding via the command line:
/ip dns static add name=youtube.com address=127.0.0.1
/ip dns static add name=www.youtube.com address=127.0.0.1
/ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1
The command to view static DNS records on the router:
/ip dns static print
However, this restriction can be bypassed by manually configuring a third-party DNS server on the computers, such as Google DNS – 22.214.171.124 and 126.96.36.199.
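One way to close that bypass is to make the router the only reachable resolver. The following RouterOS commands are an added example, not part of the original post; they assume the LAN bridge is named "bridge" and use vk.com as the blocked site.

```routeros
# Added example (not from the original post). Assumes the LAN-side bridge is "bridge".
# The router must answer DNS queries from the LAN for the static entries to be served.
/ip dns set allow-remote-requests=yes
# Block the bare name and every subdomain at the router's resolver
/ip dns static add name=vk.com address=127.0.0.1 comment="blocked site"
/ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1 comment="blocked site"
# Transparently redirect every DNS query leaving the LAN to the router itself,
# so a client that manually sets a public resolver still receives the static answer
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 action=redirect to-ports=53 comment="force router DNS"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 action=redirect to-ports=53 comment="force router DNS"
# DNS-over-TLS (port 853) would still bypass the redirect; drop it from the LAN
/ip firewall filter add chain=forward in-interface=bridge protocol=tcp dst-port=853 action=drop comment="drop DNS-over-TLS"
# Verify: static entries are present and the redirect counters grow as clients resolve names
/ip dns static print
/ip firewall nat print stats where comment="force router DNS"
```

DNS-over-HTTPS on port 443 is not caught by these rules, so this only hardens plain DNS.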
The third option is to find out which IP addresses the site uses, for example by typing nslookup vk.com at the Windows command line, and then block access to them for all users or for specific users in the firewall. Instead of a heap of IP addresses you can specify a subnet, for example 188.8.131.52/24 (that is, IPs 184.108.40.206-254). On sites such as “http://bgp.he.net/AS47541#_prefixes” you can see the ranges of IP addresses owned by a company's AS.
/ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
/ip firewall address-list add list=socialnetworks address=220.127.116.11 disabled=no
/ip firewall address-list add list=socialnetworks address=18.104.22.168 disabled=no
/ip firewall address-list add list=socialnetworks address=22.214.171.124 disabled=no
/ip firewall address-list add list=socialnetworks address=126.96.36.199 disabled=no
/ip firewall address-list add list=socialnetworks address=188.8.131.52 disabled=no
/ip firewall address-list add list=socialnetworks address=184.108.40.206 disabled=no
The fourth option is via a layer 7 protocol (all packets in which the specified expressions are encountered will be discarded, so even chat messages that contain those expressions may be blocked):
/ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
/ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social
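The third and fourth options above both work better with the lists they reference defined. The commands below are an added example, not from the original post: they define the Block_social source list the layer 7 rule refers to, let the router keep the destination list current by resolving DNS names (supported in RouterOS 6 and later), and match on the destination list so the connection is dropped before it leaves. The user subnet 192.168.88.0/24 is an assumption.

```routeros
# Added example (not from the original post). Assumes restricted users sit in 192.168.88.0/24.
# Source list: who is subject to the block (the layer7 rule uses src-address-list=Block_social)
/ip firewall address-list add list=Block_social address=192.168.88.0/24 comment="restricted users"
# Destination list: a DNS name is resolved by the router and stored as a dynamic entry
# that follows the record's TTL, so the list tracks IP changes instead of a hand-typed set
/ip firewall address-list add list=socialnetworks address=vk.com
/ip firewall address-list add list=socialnetworks address=www.vk.com
# Drop new connections from restricted users to the listed destinations; matching on
# dst-address-list stops the connection at the first packet rather than on the reply
/ip firewall filter add chain=forward src-address-list=Block_social dst-address-list=socialnetworks connection-state=new action=drop comment="Social Network"
# Layer 7 fallback from the article, limited to the same users (pattern matching costs CPU,
# so keep it to the restricted source list rather than all forwarded traffic)
/ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|facebook|youtube).*\$"
/ip firewall filter add chain=forward src-address-list=Block_social layer7-protocol=social action=drop comment="Block_social"
# Verify: dynamic resolved entries appear in the list, and rule counters grow on attempts
/ip firewall address-list print where list=socialnetworks
/ip firewall filter print stats where comment~"social"
```

The router only learns the addresses returned to its own resolver, so a site served from many CDN addresses may need several names or an AS prefix list added alongside.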
Finally, starting with RouterOS v6.37, protection against loops (Loop Protect) is available.
Loop Protect can be enabled on ethernet, vlan, eoip and eoipv6 interfaces.
Via the web interface and Winbox it is enabled on the interface settings page, opened from the Interfaces menu.
Through the CLI, you need to go to the required submenu:
/interface ethernet
/interface vlan
/interface eoip
/interface eoipv6
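Enabling it from those submenus, as an added example that is not part of the original post. It assumes access ports ether2 to ether5 and a VLAN interface named vlan10; the interval and disable time shown are illustrative values.

```routeros
# Added example (not from the original post). Assumes ether2-ether5 are access ports
# and vlan10 exists; the timers are illustrative values.
# Send a probe frame every 5s; shut the port for 5m if its own probe comes back
/interface ethernet set [find name~"ether[2-5]"] loop-protect=on loop-protect-send-interval=5s loop-protect-disable-time=5m
# The same on a tagged segment
/interface vlan set [find name="vlan10"] loop-protect=on
# Verify which interfaces have it enabled and whether a loop has been detected
/interface ethernet print detail where loop-protect=on
/log print where message~"loop"
```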