Configure Hairpin NAT on RouterOS (Mikrotik)

In this article I will give an example of setting up Hairpin NAT on RouterOS (MikroTik).

Suppose there is a server or a DVR on the local network whose ports are forwarded in the firewall. It can be reached from other networks, but from the local network it is reachable only by its local IP address and not by the external address on the router's WAN interface.

Blocking social networks on Mikrotik routers

There are several ways to block access to social networks and other sites on MikroTik routers.

The first and most effective

method is to enable the web proxy, deny the specific sites in it, and add a rule in the NAT tab of the firewall that redirects the required clients to the web proxy.
Add a rule in IP – Firewall – NAT (Chain: dstnat, Protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080; in Src. Address or Src. Address List specify who should be sent to the web proxy).
Enable the web proxy by ticking IP – Web Proxy – Enabled and make sure the port is 8080.
Add the sites to be blocked in IP – Web Proxy – Access (for example, Dst. Host: vk.com, Action: deny).

The second and one of the simplest

is to add a static DNS record; then nobody connected to the router will be able to open the site.
To do this, click “IP” – “DNS” – “Add New”, specify the site's domain in the “Name” field and 127.0.0.1 in the “Address” field.
An example of adding via the command line:

ip dns static add name=youtube.com address=127.0.0.1
ip dns static add name=www.youtube.com address=127.0.0.1
ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1

The command to view static DNS records on the router:

ip dns static print

However, this restriction can be bypassed by manually setting a third-party DNS server on the computers, such as Google DNS (8.8.8.8 and 8.8.4.4).

The third option

is to look up which IP addresses the site resolves to, for example by typing nslookup vk.com in the Windows command line, and then block access to them for all or for specific users in the firewall. Instead of a heap of IP addresses you can specify a subnet, for example 87.240.131.0/24 (that is, 87.240.131.1-254). On sites such as “http://bgp.he.net/AS47541#_prefixes” you can see the ranges of IP addresses owned by a company's AS.
Example commands:

ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.97 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.103 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.117 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.120 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.245 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.246 disabled=no

The fourth option

is a layer 7 protocol rule (every packet in which the specified expressions occur is dropped, so even chat messages containing these expressions can be blocked):

ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social

See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables

Configure Loop Protect in RouterOS (MikroTik)

Finally, starting with RouterOS v6.37, protection against loops has appeared.
Loop Protect can be enabled on ethernet, vlan, eoip and eoipv6 interfaces.
Via WEB and Winbox it is enabled on the interface settings page, opened from the Interfaces menu.

Through the CLI, you need to go to the required submenu:

/interface ethernet
/interface vlan
/interface eoip
/interface eoipv6

How to catch broadcast flooding on MikroTik devices

Once, in one network, I had to determine where spikes in broadcast traffic were coming from, because of which CPU usage on the devices was rising and there were interruptions in Internet access.
The network equipment was MikroTik.

After connecting to the MikroTik, look at the port traffic statistics with the following command, specifically the broadcast traffic arriving at the port (“Rx Broadcast”). Since this is a packet counter, the figure should grow if a flood is arriving; if it does not change, all is well:

interface ethernet print stats interval=1

Here is an example of viewing the statistics of a specific port (where ether2 is the interface name, which may differ depending on how it was named in the configuration):

interface ethernet print stats from ether2 interval=1

View the list of ports/interfaces with the command:

interface print

In this way, following the chain from switch to switch, we reach the final port from which the broadcast flood originates and, if necessary, disable it with the command (where NUMBER is the position of the port in the table displayed by the command above):

interface disable NUMBER

To enable the port:

interface enable NUMBER

Via WEB or Winbox, you can see the statistics by opening the Interfaces menu on the left and, in the Interface tab, looking at each interface.

Example of resetting port statistics:

interface ethernet reset-counters ether2
interface ethernet reset-counters ether2,ether3,ether4,ether5

On MikroTik CRS models you can enable broadcast traffic policing, for example 100 packets per second on port ether3 (similarly for other ports):

interface ethernet switch ingress-port-policer add port=ether3 rate=100 meter-unit=packet packet-types=broadcast

In future, you can monitor the network, for example with Zabbix, where you can configure graphs of broadcast packets; if the packet counter starts to grow, the system will notify you.
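The procedure above compares Rx Broadcast counters over time to find the port the flood enters on. As an added example (not from the original article), the following Python script automates that comparison over two constructed snapshots; the simple `name=... rx-broadcast=...` line layout and the 100 pps threshold (the same figure as the policer above) are assumptions for this example, not RouterOS's exact table format.

```python
import re
from typing import Dict, List, Tuple

# Two constructed snapshots of the per-port rx-broadcast counters that
# "interface ethernet print stats" reports, taken 5 seconds apart.
# The "name=... rx-broadcast=..." layout is assumed for this example.
SNAPSHOT_T0 = """\
name=ether1 rx-broadcast=10452
name=ether2 rx-broadcast=98012
name=ether3 rx-broadcast=77
name=ether4 rx-broadcast=3015
"""
SNAPSHOT_T1 = """\
name=ether1 rx-broadcast=10460
name=ether2 rx-broadcast=146377
name=ether3 rx-broadcast=77
name=ether4 rx-broadcast=3021
"""

LINE_RE = re.compile(r"name=(\S+)\s+rx-broadcast=(\d+)")

def parse_counters(snapshot: str) -> Dict[str, int]:
    """Return {interface: rx-broadcast packet counter} from one snapshot."""
    return {m.group(1): int(m.group(2)) for m in LINE_RE.finditer(snapshot)}

def broadcast_rates(before: str, after: str, interval_s: float) -> Dict[str, float]:
    """Received broadcast packets per second per port between two snapshots."""
    c0, c1 = parse_counters(before), parse_counters(after)
    rates: Dict[str, float] = {}
    for port, end in c1.items():
        start = c0.get(port)
        # Skip ports that appeared in between or whose counters were reset
        # (reset-counters makes the second value smaller than the first).
        if start is None or end < start:
            continue
        rates[port] = (end - start) / interval_s
    return rates

def flooding_ports(before: str, after: str, interval_s: float,
                   threshold_pps: float = 100.0) -> List[Tuple[str, float]]:
    """Ports whose Rx Broadcast counter grows faster than the threshold, worst first."""
    rates = broadcast_rates(before, after, interval_s)
    hot = [(p, r) for p, r in rates.items() if r > threshold_pps]
    return sorted(hot, key=lambda pr: pr[1], reverse=True)

if __name__ == "__main__":
    for port, pps in flooding_ports(SNAPSHOT_T0, SNAPSHOT_T1, interval_s=5.0):
        print(f"{port}: {pps:.0f} broadcast pps -> follow this port downstream")
```

On the constructed data only ether2 exceeds the threshold, so that is the port to follow to the next switch.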

Speed limit on MikroTik through Queues

Once it was necessary to limit traffic on a sector antenna for fans of downloading torrents. The access point setup is described in this article: MikroTik RB912UAG-2HPnD (BaseBox 2) + Ubiquiti Sector. In my case the speed is regulated by billing, but I wanted to test limiting it by means of MikroTik.

Note that if the FastTrack function is enabled, Simple Queues will not work.

Here is an example of the command to add a queue rule (where 192.168.50.0/24 is the subnet for which the speed is limited):

queue simple add name=queue1 target=192.168.50.0/24 max-limit=3M/3M

If the speed is limited for a subnet and the restriction needs to be removed for somebody in that network, add a new rule for them with max-limit=0/0 and place it at the top of the list.

Via WEB and Winbox, open the Queues menu on the left and, in the first tab, Simple Queues, click Add New and specify:

Name: the name of the restriction, at your discretion
Target: whom the restriction applies to, for example the whole subnet 192.168.50.0/24 or a single address 192.168.50.144/32
Max Limit: the download and upload rate limits
Click OK and the simple rule is ready.

You can also specify the time during which the speed should be limited; the rule will then turn on and off automatically.

Configuring MikroTik RB912UAG-2HPnD (BaseBox 2) + Ubiquiti Sector

I recently configured a MikroTik RB912UAG-2HPnD (BaseBox 2).
The sticker says it must not be powered on without an antenna connected :). It will be used with a Ubiquiti Sector AM-2G15; I connected this sector to both antenna connectors.

The device's default IP is 192.168.88.1, the login is admin without a password, and DHCP is disabled by default, so you need to set an IP on the computer manually, for example 192.168.88.2 with subnet mask 255.255.255.0.

First of all we will change the password in “System” – “Users”.

Configure the Wi-Fi settings in “Wireless” – “Interfaces”:
Wireless Protocol: 802.11, so that any device can connect

In “Wireless” – “Security Profiles”, configure:
SSID (the name of the wireless network)
Mode: dynamic keys
Encryption type: WPA2 PSK, AES
WPA2 Pre-Shared Key (the wireless password)

Now change the device's IP address in IP – Addresses to one from the network where it will be installed, for example from 192.168.88.1 to 172.16.200.11. After that, manually change the IP on the computer to one from this network, for example 172.16.200.12, so that you can continue configuring.
In “IP” – “Routes” add a gateway, for example Dst. Address: 0.0.0.0/0, Gateway: 172.16.200.1.

With this the basic setup is complete. The device will work as a bridged access point, that is, IP addresses will be issued not by it but by the device in front of it or by billing.

Restoring MikroTik (RouterOS) using NetInstall

NetInstall is used to reinstall RouterOS when it is damaged, the access password was set incorrectly, or the access password is unknown.

I will describe the basic steps:

1) Download NetInstall from the official site
https://www.mikrotik.com/download

2) Set a static IP address on the computer, for example 192.168.88.254

3) Connect the router's ETH1 port to the computer with an Ethernet cable, through a switch or directly.

4) Run NetInstall. Click the “Net booting” button, tick “Boot Server enabled” and enter an IP address from the same subnet as the computer, for example 192.168.88.200; NetInstall will temporarily assign it to the router. Any firewall on the computer must be disabled.

5) With the router disconnected from power, press and hold the “reset” button, power the router on while holding it, and wait about half a minute until NetInstall shows the new device in the device list.

6) In “Packages”, click “Browse” and specify the directory with the firmware. In the device list (Routers/Drives) select the router, tick the firmware to be installed in the list at the bottom, and click “Install”. The firmware is uploaded to the router and the status shows “Waiting for reboot”; the Install button then becomes a Reboot button, which you need to click.

The router will boot with the new firmware. If there are any problems booting, you can try resetting it to the default settings by holding the reset button, or, if there is a display, select “Restore settings” and enter the default PIN code 1234. Alternatively, restore via NetInstall with “Keep Old Configuration” ticked and your “Configure script” specified below it.

Firmware update of MikroTik devices

Updating MikroTik firmware is easy enough: open the device's web interface or WinBox, select “System” – “Packages” in the menu and click “Check For Updates”; if a new firmware is found, click “Download & Upgrade”. The device downloads the firmware from the official website and reboots into it.

To flash MikroTik devices to a version other than the newest, or when the device has no Internet access, do the following:

1) Download the firmware from the official website
https://www.mikrotik.com/download

2) Connect via WinBox (not through the web interface!), select “Files” in the menu, and in the window that appears simply drag in the firmware file with the *.npk extension and wait for the upload to finish.

3) Reboot the router. It should start with the new firmware.

Done.

To downgrade the firmware version, perform steps 1 and 2, then connect to the device via telnet and run the command:

/system package downgrade

In case of problems, you can restore the router by following the instructions in
Restoring MikroTik (RouterOS) using NetInstall

Setting up and using Traffic Flow in Mikrotik

Enable Traffic Flow on the Mikrotik router:

ip traffic-flow set enabled=yes cache-entries=4k active-flow-timeout=30m inactive-flow-timeout=15s interfaces=all

View settings:

ip traffic-flow print

Specify the IP address and port of the computer that will receive the Traffic Flow packets:

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=9 v9-template-refresh=20 v9-template-timeout=30m

or

ip traffic-flow target add address=192.168.88.240:1234 disabled=no version=5

View settings:

ip traffic-flow target print

To configure through the GUI, the settings are in the IP -> Traffic Flow menu.

For monitoring under Windows, you can install ManageEngine NetFlow Analyzer, which works as a collector: it receives packets on the specified port and produces graphs and statistics via a web server that can be opened in a browser.

For monitoring under Linux, you can install and configure, for example, flow-tools.
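With a version=5 target, the collector at 192.168.88.240:1234 receives NetFlow v5 datagrams: a 24-byte header followed by fixed 48-byte flow records. The following Python code is an added example, not from the original article or from any collector mentioned above; it builds one such datagram from constructed flows, parses it back with truncation and version checks, and sums bytes per source address, the first statistic a collector charts. The sample addresses and counters are constructed.

```python
import socket
import struct
from typing import Dict, List, Tuple

# NetFlow v5 wire format, big-endian, no padding between fields.
HEADER = struct.Struct("!HHIIIIBBH")               # 24 bytes
RECORD = struct.Struct("!4s4s4sHHIIIIHHBBBBHHBBH")  # 48 bytes per flow

# Constructed flows: two LAN hosts, one of them moving far more bytes.
SAMPLE_FLOWS = [
    {"src": "192.168.88.10", "dst": "93.184.216.34", "in_if": 2, "out_if": 1,
     "pkts": 40, "octets": 52000, "sport": 51000, "dport": 443, "proto": 6},
    {"src": "192.168.88.20", "dst": "93.184.216.34", "in_if": 2, "out_if": 1,
     "pkts": 900, "octets": 1300000, "sport": 51001, "dport": 443, "proto": 6},
    {"src": "192.168.88.10", "dst": "8.8.8.8", "in_if": 2, "out_if": 1,
     "pkts": 2, "octets": 180, "sport": 40000, "dport": 53, "proto": 17},
]

def build_v5_packet(flows: List[Dict]) -> bytes:
    """Stand-in exporter: pack flows into one NetFlow v5 datagram."""
    hdr = HEADER.pack(5, len(flows), 123456, 1700000000, 0, 1, 0, 0, 0)
    body = b"".join(
        RECORD.pack(socket.inet_aton(f["src"]), socket.inet_aton(f["dst"]), b"\0\0\0\0",
                    f["in_if"], f["out_if"], f["pkts"], f["octets"], 0, 0,
                    f["sport"], f["dport"], 0, f.get("tcp_flags", 0), f["proto"], 0,
                    0, 0, 24, 24, 0)
        for f in flows)
    return hdr + body

def parse_v5_packet(data: bytes) -> List[Dict]:
    """Decode a NetFlow v5 datagram; reject other versions and truncated data."""
    if len(data) < HEADER.size:
        raise ValueError("short header")
    version, count, *_ = HEADER.unpack_from(data, 0)
    if version != 5:
        raise ValueError(f"not NetFlow v5 (version={version})")
    if len(data) < HEADER.size + count * RECORD.size:
        raise ValueError("truncated: header announces more records than present")
    flows = []
    for i in range(count):
        r = RECORD.unpack_from(data, HEADER.size + i * RECORD.size)
        flows.append({"src": socket.inet_ntoa(r[0]), "dst": socket.inet_ntoa(r[1]),
                      "in_if": r[3], "out_if": r[4], "pkts": r[5], "octets": r[6],
                      "sport": r[9], "dport": r[10], "tcp_flags": r[12], "proto": r[13]})
    return flows

def top_talkers(flows: List[Dict], n: int = 3) -> List[Tuple[str, int]]:
    """Total octets per source address, largest first."""
    totals: Dict[str, int] = {}
    for f in flows:
        totals[f["src"]] = totals.get(f["src"], 0) + f["octets"]
    return sorted(totals.items(), key=lambda kv: kv[1], reverse=True)[:n]
```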