Faruque Ahmed : MCP, MCSA, MCSE, MCTS, MCIT, CCNA, OCA, OCP, GCP
web: https://kkslinuxinfo.wordpress.com/2015/09/22/mikrotik-web-proxy-configuration/
Activated NTP Client for Mikrotik Clock
Here this the script for activating NTP client for auto-update Mikrotik O'clock
SYSTEM NTP CLIENT
/system ntp client
set enabled=yes mode=unicast primary-ntp=203.160.128.6 secondary-ntp=202.169.224.16
SYSTEM CLOCK
On this sample i use Timezone Asia/jakarta, you can change to other Timezone
/system clock
set time-zone-name=Asia/Jakarta
Limit Queue for Video Streaming "eg:Youtube" and Video Download using Layer7-Protocol.
LAYER7-PROTOCOL
/ip firewall layer7-protocol
add comment="" name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][\
1-5][0-9][0-9][\\x09-\\x0d-~]*(content-type: video)"
IP FIREWALL MANGLE
/ip firewall mangle
add action=mark-packet chain=forward comment="Limit Video Streaming" disabled=no \
layer7-protocol=http-video new-packet-mark=Limit-Video passthrough=no \
protocol=tcp
QUEUE TREE
Note: This sample use bandwith limit 256k, you can change the limit as you need by edited "256000" to other Limit you needed.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=256000 \
max-limit=256000 name=Limit-Video packet-mark=Limit-Video parent=global-out \
priority=8 queue=default
Posted by Admin
Here this the script for blocked facebook access using mikrotik
IP FIREWALL
/ip firewall
add action=drop chain=forward comment="No-Facebook" content=facebook.com disabled=yes \
dst-port=80 protocol=tcp src-address=192.168.100.0/24
Note:
Content: Facebook.com (you can change it to other site as you want to blocked)
Src-Address: You local IP Rules (change this ip rules with your ip rules)
Posted by Admin
Sometime we want to share equal bandwidth to all uses example a compute lab (this time we allowing all computer to use 64kdown/32kupload
1./ip firewall mangle add chain=prerouting action=mark-packet \
in-interface=ether1-WAN new-packet-mark=client_download /ip firewall mangle add chain=prerouting action=mark-packet \ in-interface=ether2-LAN new-packet-mark=client_upload 2./queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address /queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address 3. /queue tree add parent=global-in queue=PCQ_download packet-mark=client_download /queue tree add parent=global-out queue=PCQ_upload packet-mark=client_upload
2nd Method this time 512kbps per user
/queue type add kind=pcq name=download-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 \ pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000 add kind=pcq name=upload-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 \ pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000 /queue simple add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Limit every Users at 512kb using PCQ." \direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=512k-limit packet-marks="" parent=none priority=8 queue=upload-512kb/download-512kb target-addresses=192.168.1.0/24 \ total-queue=default-small
Posted by Arohintl at 10:36 PM
wan ip :192.168.0.1 ether 1 10 Mbps Total Bandwidth
lan ip:-172.16.0.1/24 5Mb con1 masquerade network
lan p:-172.17.0.1/24 5Mb con2 masquerade network
Lets Start
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall mangle
add action=mark-connection chain=prerouting comment=con1 disabled=no new-connection-mark=con1_Conn passthrough=\
yes src-address=172.16.0.0/24
add action=mark-packet chain=prerouting connection-mark=con1_Conn disabled=no new-packet-mark="con1 _PACKET" \
passthrough=no
add action=mark-connection chain=prerouting comment=con2 disabled=no new-connection-mark=con2_Conn \
passthrough=yes src-address=172.17.0.0/24
add action=mark-packet chain=prerouting connection-mark=con2_Conn disabled=no new-packet-mark=con2_PACKET
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\"Total Download\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Download" packet-mark="" parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con1 Down Limit" \
packet-mark="con1 _PACKET" parent="Internet Download" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con2 Down Limit" \
packet-mark=con2_PACKET parent="Internet Download" priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\" Total Upload\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Upload" packet-mark="" parent="ether1" priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con1 Up Limit" \
packet-mark="con1 _PACKET" parent="Internet Upload" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con2 Up Limit" \
packet-mark=con2_PACKET parent="Internet Upload" priority=2 queue=default
/ip firewall address-list add list=VALID_SMTP address=yy.yy.yy.yy \ comment="Valid email server" \ disabled=no
/ip firewall filteradd chain=forward protocol=tcp dst-port=25 \
dst-address-list=VALID_SMTP action=accept \ comment="Known servers" add chain=forward protocol=tcp dst-port=25 \ action=drop \ comment="Drop traffic to invalid SMTP servers"
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=xx.xx.xx.xx(wanip) dst-port=80 protocol=tcp to-addresses=\
192.168.10.226 to-ports=80
xxxxx
Link(1) - 192.168.3.2 = WAN1
Link(2) - 192.168.4.2= WAN2
WAN-OUT = 172.16.0.1
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=WAN-OUT
add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=WAN-OUT
add chain=prerouting dst-address-type=!local in-interface=WAN-OUT per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=WAN-OUT per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=WAN-OUT action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=WAN-OUT action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether1 action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether1 action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether1 action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether1 action=redirect
change ip address and interface name accordingly you
/ip address
add address= 192.168.5.2/24 interface=WAN1
add address=192.168.10.2/24 interface=WAN2
add address=192.168.50.1/24 interface=LAN
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.5.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.10.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.5.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Regexp:
^.+(facebook.com).*$
^.+(twitter.com).*$
Mikrotik Script :
/ip firewall layer7-protocol add name=facebook regexp="^.+(facebook.com).*$"
/ip firewall layer7-protocol add name=twitter regexp="^.+(twitter.com).*$"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=facebook action=drop comment="Block Facebook"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=twitter action=drop comment="Block Twitter"
Note:- for best result move rules on top of other rules
step-1 IP > WEB PROXY-(enable) port 8080
Step-2
FIREWALL > NAT
chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80
done
Note:- Block Open Proxy highly recommend coz any one can use your web proxy for illegal use
/ip firewall filter>
chain=input action=drop protocol=tcp src-address=0.0.0.0/0 in-interface=ether1(your wan interface) dst-port=8080
send cached content to user at full speed
/ip firewall mangle
add action=mark-packet chain=output comment="cached item" disabled=no dscp=4 \
new-packet-mark=cache-hits passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="full speed for cached item" packet-mark=cache-hits \
parent=global-out priority=8 queue=default
/ip firewall mangle
add action=accept chain=prerouting disabled=no protocol=icmp src-address=0.0.0.0/0
add action=mark-connection chain=prerouting comment=user1 disabled=no \
new-connection-mark=user1_Conn passthrough=yes src-address=172.16.0.1/24
add action=mark-packet chain=prerouting connection-mark=user1_Conn disabled=no \
new-packet-mark="user1 _PACKET" passthrough=no
add action=mark-connection chain=prerouting comment=user2 disabled=no \
new-connection-mark=user2_Conn passthrough=yes src-address=172.17.0.1/24
add action=mark-packet chain=prerouting connection-mark=user2_Conn disabled=no \
new-packet-mark=user2_PACKET passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\"Total Download\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Download" packet-mark="" parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name="user1 Down Limit" \
packet-mark="user1 _PACKET" parent="Internet Download" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name="user2 Down Limit" \
packet-mark=user2_PACKET parent="Internet Download" priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\" Total Upload\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Upload" packet-mark="" parent="ether13 WAN" priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name="user1 Up Limit" \
packet-mark="user1 _PACKET" parent="Internet Upload" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name="user2 Up Limit" \
packet-mark=user2_PACKET parent="Internet Upload" priority=2 queue=default
Posted by Arohintl at 4:22 AM No comments:
New terminal
Mikrotik @ : Ip hotspot user – export users it will create users.rsc to file folder
To restore
Mikrotik@: import users.rsc
Same for user profile
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
/system logging action set memory memory-lines=1
/system logging action set memory memory-lines=100
/ip address
add address=192.168.1.2/24 network=103.7.248.200 broadcast=192.168.1.0 interface=WAN
add address=10.10.10.1/24 network=10.10.10.0 broadcast=10.10.10.255 interface=LOCAL
Ip dhcp-server enable 0
/ip dhcp-server add interface=LOCAL address-pool=DHCP-POOL
/ Ip dhcp-server network add address = 10.10.10.0/24 gateway = 10.10.10.1 dns-server = 8.8.8.8
comment="DHCP-POOL"
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
/ip address
add address=192.168.1.2/24 disabled=no interface=ether2 network=192.168.1.0 (your wan ip)
add address=192.168.10.1/24 disabled=no interface=ether1 network=192.168.10.0 (lan ip no need to assign ip to lan interface )
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
/interface pppoe-server server
add authentication=pap default-profile=default disabled=no interface=ether1 keepalive-timeout=3 max-mru=1480 max-mtu=\
1480 max-sessions=0 mrru=disabled one-session-per-host=no service-name=PPPoE
/ip pool
add name=PPPoE ranges=192.168.10.2-192.168.10.100
add name=Fix ip address ranges=192.168.10.101-192.168.10.254
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether2 src-address=192.168.10.0/24
/ppp profile
set 0 change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.10.1 \
name=default only-one=default remote-address=PPPoE use-compression=default \
use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=\
default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
1Mbps only-one=default rate-limit=1224000/1024000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
2Mbps only-one=default rate-limit=2048000/2048000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
512Kbps only-one=default rate-limit=512000/512000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
10Mbps only-one=default rate-limit=10480000/10480000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
set 5 change-tcp-mss=yes name=default-encryption only-one=default \
remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \
use-ipv6=yes use-mpls=default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=5s use-radius=no
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test \
password=1234 profile=10Mbps remote-address=192.168.10.203 routes="" \
service=pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test1 \
password=1234 profile=1Mbps remote-address=192.168.10.201 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test2 \
password=1234 profile=2Mbps remote-address=192.168.10.202 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test3 \
password=1234 profile=1Mbps remote-address=192.168.10.204 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test4 \
password=1234 profile=512Kbps remote-address=192.168.10.205 routes="" \
service=pppoe
now connect your system to lan interface and create a pppoe dialer and use any username and password givin above or create new as your req.
xxxx