Configure Hairpin NAT on RouterOS (Mikrotik)

In this article I will give an example of setting Hairpin NAT on RouterOS (Mikrotik).

I happen to have a server or a DVR in the local network, the ports to which are forwarded in the firewall, but you can connect only from other networks, and from the local network it is obtained only by the local IP address, but not external, on the WAN interface of the router.

Continue reading “Configure Hairpin NAT on RouterOS (Mikrotik)”

Blocking social networks on Mikrotik routers

There are several ways to prohibit access to social networks and other sites on Mikrotik routers.

The first and most effective

method is to enable web proxy, disable specific sites in it, in the firewall in the NAT tab add a rule that will send the necessary IP to web proxy.
Adds a rule to IP – Firewall – NAT (Chain: dstnat, protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080, in Src.Address or Src.Address List specify who needs to be sent to Web proxy)
We enable Web proxy by ticking the IP – Web proxy – Enabled, we look for the port to be 8080.
Add sites that need to be blocked in IP – Web proxy – Access (for example, Dst.Host:, Action: deny)

The second and one of the simplest

is to add a static DNS record, then everyone connected to the router will not be able to enter the site.
To do this, click “IP” – “DNS” – “Add New”, in the “Name” field, specify the domain of the site, in the “Address” –
An example of adding via the command line:

ip dns static add name address=
ip dns static add name address=
ip dns static add name name=".*\.vk\.com" address=

The command to view static DNS records on the router:

ip dns static print

However, this prohibition can be circumvented by manually registering a third-party DNS server on computers, such as Google DNS – and

The third option

is to look at what ip-addresses the site is in, for example by typing nslookup in the Windows command line, then block access to them for all users or specific users in the firewall. Instead of a heap of ip addresses, you can specify a subnet, for example, (this is ip On sites like “” you can see the ranges of IP addresses owned by AS companies.
Example commands:

ip firewall filter add chain=forward src-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no
ip firewall address-list add list=socialnetworks address= disabled=no

The fourth option

through the protocol of the seventh level (all packets in which the specified expressions will be encountered will be discarded, so even chat messages that contain expressions can be blocked):

ip firewall layer7-protocol add name=social regexp="^.+(|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social

See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables

Configure Loop Protect in RouterOS (MikroTik)

Finally, starting with the version of RouterOS v6.37 and higher, protection against loops has appeared.
Loop Protect can be enabled on ethernet, vlan, eoip, eoipv6 interfaces.
Via WEB and Winbox on the interface settings page, opening the Interfaces menu.

Through the CLI, you need to go to the required submenu:

/interface ethernet
/interface vlan
/interface eoip
/interface eoipv6

Continue reading “Configure Loop Protect in RouterOS (MikroTik)”

How to catch broadcast flooding on MikroTik devices

It took somehow in one network to determine where the jumps of broadcast traffic are coming from, because of which the CPU usage was increasing on devices and there were interruptions with the Internet.
The network equipment was used from MikroTik.

Having connected to MikroTik with the following command, let’s look at the traffic statistics on ports, namely the broadcast traffic “Rx Broadcast” coming to the port, since this is the packet counter, then the figure should grow if the flood comes, if it does not change, then all is well:

interface ethernet print stats interval=1

Here is an example of viewing the statistics of a specific port (where ether2 is the name of the interface, it may be different depending on how it was called in the configuration):

interface ethernet print stats from ether2 interval=1

See the list of ports/interfaces with the command:

interface print

In this way, by the chain we will reach the final port from which there is a broadcast flood and, if necessary, turn it off by the command (where NUMBER is the number of the port in order in the table which can be viewed by the command above):

interface disable NUMBER

To enable the port:

interface enable NUMBER

Via WEB or Winbox, you can see the statistics by opening the Interfaces menu on the left and in the Interface tab, let’s look at each interface.

Example of resetting port statistics:

interface ethernet reset-counters ether2
interface ethernet reset-counters ether2,ether3,ether4,ether5

On CRS models MikroTik, you can enable broadcast traffic control, for example, 100 packets per second on an ether3 port (similarly for other ports):

interface ethernet switch ingress-port-policer add port=ether3 rate=100 meter-unit=packet packet-types=broadcast

In the future, you can watch the network for example through the system Zabbix, in which you can configure the display of broadcast packet schedules and if the packet counter starts to grow, the system will notify you.

Speed limit on MikroTik through Queues

It was necessary somehow on the sector antenna to limit traffic for fans to shake torrents. Point set up and described in this article – MikroTik RB912UAG-2HPnD (BaseBox 2) + Ubiquiti Sector. In my case, the speed adjusts the billing, but I wanted to limit the test for the means of MikroTik.

Continue reading “Speed limit on MikroTik through Queues”