MikroTik as two routers with one uplink

It was once necessary to divide a MikroTik RB2011iLS-IN into two separate routers in order to connect two users, while there was a single uplink with two different IPs.
I solved this by bringing two VLANs to the MikroTik, assigning an IP in each and configuring two masquerade rules, and dividing the ports between two bridges.


Configure Hairpin NAT on RouterOS (Mikrotik)

In this article I will give an example of setting up Hairpin NAT on RouterOS (MikroTik).

Suppose there is a server or a DVR on the local network with its ports forwarded in the firewall. It can be reached from other networks, but from the local network it is reachable only by its local IP address and not by the external address on the router's WAN interface.
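The configuration that fixes the situation described above, as an added example that is not part of the original article. The interface names, addresses and port (WAN ether1 with public address 203.0.113.10, LAN 192.168.88.0/24, DVR at 192.168.88.10 on TCP 8080) are assumptions chosen for the example:

```routeros
# Added example, not from the original article. Assumed: WAN = ether1 with public
# address 203.0.113.10, LAN = 192.168.88.0/24, DVR = 192.168.88.10 listening on TCP 8080.

# 1. Port forward. Match on the public address (or dst-address-type=local if the
#    address is dynamic), NOT on in-interface=ether1: a LAN client that connects to
#    203.0.113.10 enters through the bridge, so an in-interface match would skip
#    exactly the hairpin packets and the forward would only work from outside.
/ip firewall nat add chain=dstnat dst-address=203.0.113.10 protocol=tcp dst-port=8080 \
    action=dst-nat to-addresses=192.168.88.10 to-ports=8080 comment="DVR port forward"

# 2. Hairpin rule. After dst-nat the packet is LAN -> LAN. Without this rule the DVR
#    answers the client directly from 192.168.88.10, the client expects the reply from
#    203.0.113.10 and resets the connection. Masquerading the source makes the DVR
#    reply to the router, which translates it back.
/ip firewall nat add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.10 \
    protocol=tcp dst-port=8080 action=masquerade comment="hairpin NAT for DVR"

# 3. The normal outbound masquerade stays as it is.
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="LAN to Internet"

# Verify from a LAN host: open 203.0.113.10:8080, then watch the counters grow with
# /ip firewall nat print stats where comment~"hairpin"
```

The price of step 2 is that the DVR sees the router's LAN address instead of the real client address in its logs and access lists; if the DVR restricts clients by source IP, those restrictions no longer distinguish LAN users.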


Blocking social networks on Mikrotik routers

There are several ways to prohibit access to social networks and other sites on Mikrotik routers.

The first and most effective method

Enable the web proxy, deny the specific sites in it, and in the firewall NAT tab add a rule that sends the required clients' HTTP traffic to the web proxy. This covers only plain HTTP on port 80: HTTPS connections cannot be redirected to the web proxy, so a site that is served only over HTTPS is not affected by this method.
Add a rule in IP – Firewall – NAT (Chain: dstnat, Protocol: tcp, Dst. Port: 80, Action: redirect, To Ports: 8080; in Src. Address or Src. Address List specify who should be sent to the web proxy).
Enable the web proxy by ticking Enabled in IP – Web Proxy and check that the port is 8080.
Add the sites to be blocked in IP – Web Proxy – Access (for example, Dst. Host: vk.com, Action: deny).
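The same steps as terminal commands, as an added example that is not from the original article. It also adds the input-chain rule that the article does not mention: an enabled RouterOS web proxy listens on every interface, so without it the router becomes an open proxy reachable from the Internet. The LAN range 192.168.88.0/24, the WAN interface ether1 and the list name proxy-users are assumptions:

```routeros
# Added example, not from the original article. Assumed: LAN = 192.168.88.0/24,
# WAN = ether1, proxy port 8080, client list "proxy-users".

# Enable the proxy and deny the sites. dst-host accepts * wildcards, so the second
# entry covers m.vk.com, login.vk.com and any other subdomain.
/ip proxy set enabled=yes port=8080
/ip proxy access add dst-host=vk.com action=deny comment="block vk"
/ip proxy access add dst-host=*.vk.com action=deny comment="block vk subdomains"

# Which clients are sent through the proxy. Only TCP/80 is redirected: redirecting
# 443 as well would break every TLS site, because the proxy cannot terminate TLS.
/ip firewall address-list add list=proxy-users address=192.168.88.0/24 comment="LAN"
/ip firewall nat add chain=dstnat src-address-list=proxy-users protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="LAN HTTP to web proxy"

# Keep the proxy off the Internet. place-before=0 puts the rule at the top of the
# filter list so no earlier accept rule lets WAN clients reach port 8080.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop comment="no open proxy from WAN" place-before=0

# Check: the redirect counter grows while a LAN client browses over HTTP
# /ip firewall nat print stats where comment~"web proxy"
```

A denied request is answered by the proxy's own error page, which makes it easy to confirm from a client that the block, and not a network problem, is the cause.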

The second and one of the simplest methods

Add a static DNS record: every client that uses the router as its DNS server then resolves the site's name to a useless address and cannot open it.
To do this, open IP – DNS – Static, click Add New, enter the site's domain in the Name field and 127.0.0.1 in the Address field.
An example of adding via the command line:

ip dns static add name=youtube.com address=127.0.0.1
ip dns static add name=www.youtube.com address=127.0.0.1
ip dns static add regexp=".*\\.vk\\.com" address=127.0.0.1

The command to view static DNS records on the router:

ip dns static print

However, this block can be bypassed by manually setting a third-party DNS server on the computers, such as Google DNS (8.8.8.8 and 8.8.4.4), or by a browser that uses DNS over HTTPS. Note also that a regexp entry is checked against every query, so keep the number of regexp records small.
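The way to close the bypass just mentioned is to make the router the only resolver the clients can actually reach, as an added example that is not from the original article. It assumes the LAN bridge is named bridge and the WAN interface is ether1, as in the RouterOS default configuration, and that the LAN is 192.168.88.0/24:

```routeros
# Added example, not from the original article. Assumed: LAN bridge = "bridge",
# WAN = ether1, LAN = 192.168.88.0/24.

# 1. The router must answer DNS queries from clients, otherwise static records are never used.
/ip dns set allow-remote-requests=yes
/ip dns static add name=vk.com address=127.0.0.1 comment="blocked site"

# 2. allow-remote-requests also answers queries from the Internet. Drop them on the WAN
#    side, above any accept rule, so the router does not become an open resolver.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 \
    action=drop comment="no open resolver" place-before=0
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 \
    action=drop comment="no open resolver" place-before=0

# 3. A client that sets 8.8.8.8 by hand still sends its queries through the router;
#    redirect every LAN query for port 53 to the router's own resolver, which then
#    applies the static records.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force LAN DNS to router"

# 4. DNS over TLS uses port 853; rejecting it makes clients fall back to plain DNS.
/ip firewall filter add chain=forward in-interface=bridge protocol=tcp dst-port=853 \
    action=reject reject-with=tcp-reset comment="block DoT"

# Check from a LAN client: nslookup vk.com 8.8.8.8 must now return 127.0.0.1, and
# /ip firewall nat print stats where comment~"force" shows the redirect counters growing.
```

DNS over HTTPS cannot be separated from ordinary HTTPS by port number, so step 4 does not stop it; the addresses of the public DoH resolvers a browser uses have to be blocked in the firewall, which is the third method below.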

The third option

is to find out which IP addresses the site uses, for example by running nslookup vk.com at the Windows command prompt, and then block access to them in the firewall for all users or only for specific ones. Instead of a heap of individual addresses you can specify a subnet, for example 87.240.131.0/24 (that is 87.240.131.0 to 87.240.131.255). Pages such as http://bgp.he.net/AS47541#_prefixes show the address ranges announced by a company's autonomous system. Large sites use many addresses and CDNs and change them over time, so a list collected once goes stale and has to be refreshed.
Example commands (the drop rule matches the destination address list and must be placed above any rule that accepts established connections or fasttracks them, otherwise those rules see the packets first):

ip firewall filter add chain=forward dst-address-list=socialnetworks action=drop comment="Social Network" disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.97 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.103 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.117 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.131.120 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.245 disabled=no
ip firewall address-list add list=socialnetworks address=87.240.143.246 disabled=no

The fourth option

is a layer7-protocol matcher: a connection whose first packets contain one of the listed expressions is dropped. With plain HTTP this matches the Host header and even page or chat contents that contain the expression; with HTTPS only the server name in the TLS ClientHello is visible, so the domain names still match but the encrypted contents do not. The matcher inspects the first 10 packets or the first 2 KB of every connection and costs CPU, so apply it only to the clients in the Block_social address list and place the rule above any fasttrack or established-connection accept rules:

ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|odnoklasniki|facebook|youtube|loveplanet).*\$"
ip firewall filter add action=drop chain=forward comment="Block_social" layer7-protocol=social src-address-list=Block_social
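A complete version of the third and fourth methods together, as an added example that is not from the original article. It uses the fact that RouterOS (6.37 and later) resolves DNS names placed in an address list by itself and refreshes them when the record TTL expires, which removes the manual nslookup step, and it uses place-before to put both drop rules above the default fasttrack rule. The client range 192.168.88.0/24 and the fasttrack rule comment "defconf: fasttrack" (the one from the RouterOS default configuration) are assumptions:

```routeros
# Added example, not from the original article. Assumed: restricted clients are
# 192.168.88.0/24 and the default fasttrack rule carries the comment "defconf: fasttrack".

# Clients the block applies to
/ip firewall address-list add list=Block_social address=192.168.88.0/24 comment="restricted clients"

# Destination list. A DNS name is resolved by the router and kept current, but it only
# yields the addresses returned to the router at that moment; for a CDN-hosted site
# add the announced prefixes as well (87.240.131.0/24 is the range used on this page).
/ip firewall address-list add list=socialnetworks address=vk.com comment="resolved by router"
/ip firewall address-list add list=socialnetworks address=www.vk.com comment="resolved by router"
/ip firewall address-list add list=socialnetworks address=87.240.131.0/24 comment="VK prefix"

# Layer7 matcher: matches the HTTP Host header and the server name in the TLS ClientHello.
/ip firewall layer7-protocol add name=social regexp="^.+(vk.com|vkontakte|odnoklassniki|facebook|youtube)"

# Both drop rules must sit above fasttrack and the established/related accept rule,
# otherwise those rules accept the packets first. place-before with [find] requires
# exactly one rule with that comment to exist.
/ip firewall filter add chain=forward src-address-list=Block_social dst-address-list=socialnetworks \
    action=drop comment="block social by address" place-before=[find comment="defconf: fasttrack"]
/ip firewall filter add chain=forward src-address-list=Block_social layer7-protocol=social \
    action=drop comment="block social by layer7" place-before=[find comment="defconf: fasttrack"]

# Verify: the counters grow while a restricted client tries to open the site
# /ip firewall filter print stats where comment~"block social"
```

The address-list rule is cheap and catches everything to the listed ranges regardless of protocol; the layer7 rule is the fallback for addresses the list does not know yet, at the cost of inspecting the start of every new connection from the restricted clients.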

See also my articles:
Blocking social networks on Cisco
Blocking social networks using iptables