MIX
web: https://kkslinuxinfo.wordpress.com/2015/09/22/mikrotik-web-proxy-configuration/
Activate the NTP client to keep the MikroTik clock in sync
This script enables the NTP client so the router clock is updated automatically. Set this first: accurate time is what makes log timestamps usable and lets certificate validity checks work.
SYSTEM NTP CLIENT
/system ntp client
set enabled=yes mode=unicast primary-ntp=203.160.128.6 secondary-ntp=202.169.224.16
SYSTEM CLOCK
This sample uses the Asia/Jakarta time zone; change it to your own.
/system clock
set time-zone-name=Asia/Jakarta
Limit queue for video streaming
Limit the bandwidth of video streaming (e.g. YouTube) and video downloads by matching the HTTP response with a Layer7 protocol. The matcher only sees cleartext HTTP, so it does nothing for video served over HTTPS.
LAYER7-PROTOCOL
The character class before (content-type: video) must be [\x09-\x0d -~] (whitespace plus every printable ASCII character); without the space the class only covers whitespace, "-" and "~", and the pattern can never get past the "200 OK" status line to the Content-Type header.
/ip firewall layer7-protocol
add comment="" name=http-video regexp="http/(0\\.9|1\\.0|1\\.1)[\\x09-\\x0d ][1-5][0-9][0-9][\\x09-\\x0d -~]*(content-type: video)"
IP FIREWALL MANGLE
/ip firewall mangle
add action=mark-packet chain=forward comment="Limit Video Streaming" disabled=no \
layer7-protocol=http-video new-packet-mark=Limit-Video passthrough=no \
protocol=tcp
QUEUE TREE
Note: this sample uses a bandwidth limit of 256k; change both "256000" values (limit-at and max-limit) to the limit you need.
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=256000 \
max-limit=256000 name=Limit-Video packet-mark=Limit-Video parent=global-out \
priority=8 queue=default
Posted by Admin
How to Block Facebook using Mikrotik
Here is the script to block Facebook access with MikroTik. It matches the string facebook.com in cleartext HTTP on port 80, so it does not catch HTTPS. Make sure the rule is enabled (disabled=no) and sits above any accept rule in the forward chain, otherwise it blocks nothing.
IP FIREWALL FILTER
/ip firewall filter
add action=drop chain=forward comment="No-Facebook" content=facebook.com disabled=no \
dst-port=80 protocol=tcp src-address=192.168.100.0/24
Note:
content: facebook.com (change it to any other site you want to block)
src-address: your local network (change it to your own LAN range)
Posted by Admin
Same bandwidth limit for all users at once in MikroTik
Sometimes we want to give every user the same share of bandwidth, for example in a computer lab. Here every computer gets 64k download / 32k upload; PCQ applies the limit per address instead of to the whole group.
1. Mark packets by direction:
/ip firewall mangle
add chain=prerouting action=mark-packet in-interface=ether1-WAN new-packet-mark=client_download
add chain=prerouting action=mark-packet in-interface=ether2-LAN new-packet-mark=client_upload
2. Create the PCQ queue types (pcq-rate is the per-address limit; the classifier selects which address the limit is keyed on):
/queue type
add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address
add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address
3. Attach them to the queue tree:
/queue tree
add parent=global-in queue=PCQ_download packet-mark=client_download
add parent=global-out queue=PCQ_upload packet-mark=client_upload
Second method: 512 kbps per user
/queue type
add kind=pcq name=download-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=dst-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
add kind=pcq name=upload-512kb pcq-burst-rate=0 pcq-burst-threshold=0 pcq-burst-time=10s pcq-classifier=src-address pcq-dst-address-mask=32 pcq-dst-address6-mask=64 pcq-limit=50 pcq-rate=524288 pcq-src-address-mask=32 pcq-src-address6-mask=64 pcq-total-limit=2000
/queue simple
add burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s comment="Limit every user to 512kb using PCQ." direction=both disabled=no interface=all limit-at=0/0 max-limit=0/0 name=512k-limit packet-marks="" parent=none priority=8 queue=upload-512kb/download-512kb target-addresses=192.168.1.0/24 total-queue=default-small
Posted by Arohintl at 10:36 PM
MikroTik pool-wise bandwidth distribution with a queue tree
WAN: 192.168.0.1 on ether1, 10 Mbps total bandwidth
LAN 1: 172.16.0.1/24, 5 Mb, marked con1, masqueraded
LAN 2: 172.17.0.1/24, 5 Mb, marked con2, masqueraded
Lets Start
/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no
/ip firewall mangle
add action=mark-connection chain=prerouting comment=con1 disabled=no new-connection-mark=con1_Conn passthrough=\
yes src-address=172.16.0.0/24
add action=mark-packet chain=prerouting connection-mark=con1_Conn disabled=no new-packet-mark="con1 _PACKET" \
passthrough=no
add action=mark-connection chain=prerouting comment=con2 disabled=no new-connection-mark=con2_Conn \
passthrough=yes src-address=172.17.0.0/24
add action=mark-packet chain=prerouting connection-mark=con2_Conn disabled=no new-packet-mark=con2_PACKET
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\"Total Download\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Download" packet-mark="" parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con1 Down Limit" \
packet-mark="con1 _PACKET" parent="Internet Download" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con2 Down Limit" \
packet-mark=con2_PACKET parent="Internet Download" priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\" Total Upload\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Upload" packet-mark="" parent="ether1" priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con1 Up Limit" \
packet-mark="con1 _PACKET" parent="Internet Upload" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=5M name="con2 Up Limit" \
packet-mark=con2_PACKET parent="Internet Upload" priority=2 queue=default
Block all SMTP traffic through MikroTik and allow only known mail servers
Outbound SMTP (tcp/25) is allowed only to the servers in the VALID_SMTP address list and dropped otherwise, which stops infected hosts on the LAN from spamming directly. The submission ports 465 and 587 are not covered by these rules.
/ip firewall address-list
add list=VALID_SMTP address=yy.yy.yy.yy comment="Valid email server" disabled=no
/ip firewall filter
add chain=forward protocol=tcp dst-port=25 dst-address-list=VALID_SMTP action=accept comment="Known servers"
add chain=forward protocol=tcp dst-port=25 action=drop comment="Drop traffic to invalid SMTP servers"
MikroTik port forwarding
Replace xx.xx.xx.xx with your WAN IP. This exposes 192.168.10.226:80 to the whole internet; add src-address or an address list to the rule if only known clients need it.
/ip firewall nat
add action=dst-nat chain=dstnat disabled=no dst-address=xx.xx.xx.xx dst-port=80 protocol=tcp to-addresses=\
192.168.10.226 to-ports=80
MikroTik dual WAN load balancing with PCC
Link(1) - 192.168.3.2 = WAN1
Link(2) - 192.168.4.2 = WAN2
WAN-OUT (the LAN-side interface) = 172.16.0.1
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=WAN-OUT
add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=WAN-OUT
add chain=prerouting dst-address-type=!local in-interface=WAN-OUT per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=WAN-OUT per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=WAN-OUT action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=WAN-OUT action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Block DNS requests from the outside world (ether1 is the WAN interface)
The rules drop queries to the router's own resolver arriving on the WAN, drop DNS forwarded into the LAN from outside, and redirect the LAN clients' DNS queries to the router. Without the input drops a router with allow-remote-requests=yes is an open resolver that can be used for DNS amplification.
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
/ip firewall filter
add chain=forward protocol=udp dst-port=53 out-interface=!ether1 action=drop
add chain=forward protocol=tcp dst-port=53 out-interface=!ether1 action=drop
/ip firewall nat
add chain=dstnat protocol=udp dst-port=53 in-interface=!ether1 action=redirect
add chain=dstnat protocol=tcp dst-port=53 in-interface=!ether1 action=redirect
MikroTik with 2 WANs (2 Mb + 1 Mb = 3 Mb)
Change the IP addresses and interface names to match your setup.
/ip address
add address= 192.168.5.2/24 interface=WAN1
add address=192.168.10.2/24 interface=WAN2
add address=192.168.50.1/24 interface=LAN
/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting dst-address=192.168.5.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address=192.168.10.0/24 action=accept in-interface=LAN
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=LAN per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting connection-mark=WAN1_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=LAN action=mark-routing new-routing-mark=to_WAN2
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.5.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.5.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=2 check-gateway=ping
/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade
Block Facebook and Twitter in MikroTik
Regexp:
^.+(facebook.com).*$
^.+(twitter.com).*$
Mikrotik Script :
/ip firewall layer7-protocol add name=facebook regexp="^.+(facebook.com).*$"
/ip firewall layer7-protocol add name=twitter regexp="^.+(twitter.com).*$"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=facebook action=drop comment="Block Facebook"
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 layer7-protocol=twitter action=drop comment="Block Twitter"
Note: put these rules above the other forward rules; the filter is processed top to bottom, so an earlier accept would bypass them. On port 443 the match relies on the hostname appearing in cleartext in the TLS ClientHello (SNI). The unescaped "." in the patterns also matches any single character (facebookXcom); use facebook\\.com in the export if you want an exact match.
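To see what these Layer7 patterns actually match, here is an added example (written for this page, not RouterOS code and not the author's) that emulates the matcher with Python's re module on constructed payloads: the http-video pattern from the video streaming section above, both in its printed form and with the corrected character class, against a constructed HTTP response, and the facebook pattern against a constructed TLS ClientHello carrying an SNI, which is the only cleartext place the hostname appears on port 443. The 2 KiB inspection window and the IGNORECASE|DOTALL flags are assumptions about how the RouterOS matcher behaves (it inspects the first 10 packets or 2 KiB of a connection, case-insensitively); the sample bytes are constructed, not captured.

```python
import re

# Emulation of the RouterOS layer7 matcher on constructed payloads. RouterOS
# collects the first 10 packets or 2 KiB of a connection and runs a
# case-insensitive regex over them; Python's re with IGNORECASE|DOTALL is
# close enough to show what the patterns on this page do and do not match.
# Example code written for this page, not MikroTik's matcher.
FLAGS = re.IGNORECASE | re.DOTALL
L7_WINDOW = 2048  # bytes the matcher inspects per connection (assumed)

# http-video as printed on the page: the class [\x09-\x0d-~] contains only
# whitespace, '-' and '~', so the pattern cannot cross the reason phrase and
# the other headers to reach the Content-Type line.
HTTP_VIDEO_BROKEN = re.compile(
    rb"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d-~]*(content-type: video)", FLAGS)
# The upstream l7-filter signature: [\x09-\x0d -~] is whitespace plus all printable ASCII.
HTTP_VIDEO_FIXED = re.compile(
    rb"http/(0\.9|1\.0|1\.1)[\x09-\x0d ][1-5][0-9][0-9][\x09-\x0d -~]*(content-type: video)", FLAGS)

# Site-blocking pattern from the page, and the same with the '.' escaped.
FACEBOOK_LOOSE = re.compile(rb"^.+(facebook.com).*$", FLAGS)
FACEBOOK_STRICT = re.compile(rb"^.+(facebook\.com).*$", FLAGS)


def l7_match(pattern, payload):
    """True if the pattern matches inside the matcher's inspection window."""
    return pattern.search(payload[:L7_WINDOW]) is not None


def tls_client_hello(hostname):
    """Constructed minimal TLS 1.2 ClientHello carrying only an SNI extension;
    everything except the SNI bytes is a zero-filled placeholder."""
    name = hostname.encode()
    entry = b"\x00" + len(name).to_bytes(2, "big") + name          # name_type host_name
    sni = len(entry).to_bytes(2, "big") + entry                      # ServerNameList
    ext = b"\x00\x00" + len(sni).to_bytes(2, "big") + sni           # extension type 0 = SNI
    body = (b"\x03\x03" + bytes(32)                                  # version, random
            + b"\x00"                                                # empty session id
            + b"\x00\x02\x00\x2f"                                    # one cipher suite
            + b"\x01\x00"                                            # null compression
            + len(ext).to_bytes(2, "big") + ext)                     # extensions
    hs = b"\x01" + len(body).to_bytes(3, "big") + body               # handshake: client_hello
    return b"\x16\x03\x01" + len(hs).to_bytes(2, "big") + hs         # record: handshake


# Constructed HTTP payloads.
VIDEO_RESPONSE = (b"HTTP/1.1 200 OK\r\nServer: nginx\r\n"
                  b"Content-Type: video/mp4\r\nContent-Length: 1048576\r\n\r\n")
# Same, but the Content-Type header sits beyond the 2 KiB inspection window.
LATE_VIDEO_RESPONSE = (b"HTTP/1.1 200 OK\r\nX-Padding: " + b"a" * 2100 +
                       b"\r\nContent-Type: video/mp4\r\n\r\n")
HOST_HEADER_LOOKALIKE = b"GET / HTTP/1.1\r\nHost: facebookXcom\r\n\r\n"


def results():
    """Outcome of every pattern/payload pair; each comment states the expected value."""
    return {
        "broken_matches_video": l7_match(HTTP_VIDEO_BROKEN, VIDEO_RESPONSE),             # False
        "fixed_matches_video": l7_match(HTTP_VIDEO_FIXED, VIDEO_RESPONSE),               # True
        "fixed_matches_late_video": l7_match(HTTP_VIDEO_FIXED, LATE_VIDEO_RESPONSE),     # False
        "loose_matches_sni": l7_match(FACEBOOK_LOOSE, tls_client_hello("www.facebook.com")),    # True
        "loose_false_positive": l7_match(FACEBOOK_LOOSE, HOST_HEADER_LOOKALIKE),         # True
        "strict_false_positive": l7_match(FACEBOOK_STRICT, HOST_HEADER_LOOKALIKE),       # False
        "strict_matches_sni": l7_match(FACEBOOK_STRICT, tls_client_hello("www.facebook.com")),  # True
        "strict_other_site": l7_match(FACEBOOK_STRICT, tls_client_hello("www.example.com")),    # False
    }


if __name__ == "__main__":
    for key, value in results().items():
        print(f"{key}: {value}")
```

Running it shows that the http-video class as printed never matches a normal "200 OK" response, that a Content-Type header beyond the inspection window is never seen at all (a slow server that sends a long preamble first escapes the queue), and that the unescaped dot in facebook.com also matches facebookXcom, which the escaped form does not.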
Transparent web proxy
Step 1: IP > Web Proxy: enable, port 8080 (CLI: /ip proxy set enabled=yes port=8080)
Step 2: Firewall > NAT: redirect HTTP to the proxy
/ip firewall nat
add chain=dstnat action=redirect to-ports=8080 protocol=tcp dst-port=80
done
Note: blocking the open proxy is highly recommended, because otherwise anyone on the internet can use your web proxy for illegal purposes. Drop connections to the proxy port that arrive on the WAN interface (ether1 here) and keep this rule above any input accept rule:
/ip firewall filter
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8080 comment="Block open proxy"
It is also safer to add in-interface=<your LAN interface> to the redirect rule, so that port 80 is only redirected for LAN clients rather than on every interface.
send cached content to user at full speed
/ip firewall mangle
add action=mark-packet chain=output comment="cached item" disabled=no dscp=4 \
new-packet-mark=cache-hits passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 \
max-limit=0 name="full speed for cached item" packet-mark=cache-hits \
parent=global-out priority=8 queue=default
Per-pool bandwidth limits with a queue tree (user1 10M, user2 2M)
/ip firewall mangle
add action=accept chain=prerouting disabled=no protocol=icmp src-address=0.0.0.0/0
add action=mark-connection chain=prerouting comment=user1 disabled=no \
new-connection-mark=user1_Conn passthrough=yes src-address=172.16.0.0/24
add action=mark-packet chain=prerouting connection-mark=user1_Conn disabled=no \
new-packet-mark="user1 _PACKET" passthrough=no
add action=mark-connection chain=prerouting comment=user2 disabled=no \
new-connection-mark=user2_Conn passthrough=yes src-address=172.17.0.0/24
add action=mark-packet chain=prerouting connection-mark=user2_Conn disabled=no \
new-packet-mark=user2_PACKET passthrough=no
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\"Total Download\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Download" packet-mark="" parent=global-in priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name="user1 Down Limit" \
packet-mark="user1 _PACKET" parent="Internet Download" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name="user2 Down Limit" \
packet-mark=user2_PACKET parent="Internet Download" priority=2 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s comment="\" Total Upload\"" disabled=no limit-at=0 max-limit=0 \
name="Internet Upload" packet-mark="" parent="ether13 WAN" priority=1
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=10M name="user1 Up Limit" \
packet-mark="user1 _PACKET" parent="Internet Upload" priority=1 queue=default
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=0 max-limit=2M name="user2 Up Limit" \
packet-mark=user2_PACKET parent="Internet Upload" priority=2 queue=default
Posted by Arohintl at 4:22 AM
Monday, December 15, 2014
New terminal
MikroTik: export the hotspot users to a file (this creates users.rsc in the router's file list):
/ip hotspot user export file=users
To restore:
/import file-name=users.rsc
Do the same for the user profiles (/ip hotspot user profile export file=...). Depending on the RouterOS version the exported file may contain the user passwords in cleartext (see the hide-sensitive/show-sensitive option of export), so remove it from the router once it has been imported.
Redirect every DNS query to the local DNS server 192.168.1.1 (add in-interface=<your LAN interface> so the rule only rewrites queries from LAN clients, not traffic arriving on the WAN):
/ip firewall nat
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=udp dst-port=53
add chain=dstnat action=dst-nat to-addresses=192.168.1.1 to-ports=53 protocol=tcp dst-port=53
Clear the in-memory log: shrinking the memory logging action to one line discards the buffer; then restore the size. This also erases evidence, so save the log first if you are investigating an incident.
/system logging action set memory memory-lines=1
/system logging action set memory memory-lines=100
Basic NAT router: WAN 192.168.1.2/24 on interface WAN, LAN 10.10.10.1/24 on interface LOCAL with DHCP (the pool range 10.10.10.2-10.10.10.254 is an assumed value; adjust it to your network)
/ip address
add address=192.168.1.2/24 interface=WAN
add address=10.10.10.1/24 interface=LOCAL
/ip pool
add name=DHCP-POOL ranges=10.10.10.2-10.10.10.254
/ip dhcp-server
add interface=LOCAL address-pool=DHCP-POOL disabled=no
/ip dhcp-server network
add address=10.10.10.0/24 gateway=10.10.10.1 dns-server=8.8.8.8 comment="DHCP-POOL"
/ip firewall nat
add chain=srcnat action=masquerade src-address=10.10.10.0/24 out-interface=WAN
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1
PPPoE server (WAN 192.168.1.2/24 on ether2, PPPoE clients on ether1)
/ip address
add address=192.168.1.2/24 disabled=no interface=ether2 network=192.168.1.0
add address=192.168.10.1/24 disabled=no interface=ether1 network=192.168.10.0
(192.168.1.2 is your WAN IP; the address on the LAN interface ether1 is optional, since PPPoE clients get their addresses from the PPP profile)
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=30 target-scope=10
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=4096 servers=8.8.8.8,8.8.4.4
allow-remote-requests=yes makes the router answer DNS for its clients, and for anyone on the WAN side as well unless port 53 on ether2 is dropped in the input chain (see the "block DNS requests from the outside world" rules above).
/interface pppoe-server server
add authentication=pap default-profile=default disabled=no interface=ether1 keepalive-timeout=3 max-mru=1480 max-mtu=\
1480 max-sessions=0 mrru=disabled one-session-per-host=no service-name=PPPoE
authentication=pap sends the client passwords in cleartext over the access segment; prefer authentication=mschap2 (or chap,mschap2) unless a client cannot do anything else.
/ip pool
add name=PPPoE ranges=192.168.10.2-192.168.10.100
add name="Fix ip address" ranges=192.168.10.101-192.168.10.254
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=ether2 src-address=192.168.10.0/24
/ppp profile
set 0 change-tcp-mss=yes dns-server=8.8.8.8,8.8.4.4 local-address=192.168.10.1 \
name=default only-one=default remote-address=PPPoE use-compression=default \
use-encryption=default use-ipv6=yes use-mpls=default use-vj-compression=\
default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
1Mbps only-one=default rate-limit=1024000/1024000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
2Mbps only-one=default rate-limit=2048000/2048000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
512Kbps only-one=default rate-limit=512000/512000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
add change-tcp-mss=default dns-server=8.8.8.8 local-address=192.168.10.1 name=\
10Mbps only-one=default rate-limit=10480000/10480000 remote-address=PPPoE \
use-compression=default use-encryption=default use-ipv6=yes use-mpls=default \
use-vj-compression=default
set 5 change-tcp-mss=yes name=default-encryption only-one=default \
remote-ipv6-prefix-pool=none use-compression=default use-encryption=yes \
use-ipv6=yes use-mpls=default use-vj-compression=default
/ppp aaa
set accounting=yes interim-update=5s use-radius=no
The secrets below use password=1234 as a placeholder. Replace them with strong, per-user passwords before connecting the LAN: the PPPoE credentials are all that stands between a port on the access segment and your internet link.
/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test \
password=1234 profile=10Mbps remote-address=192.168.10.203 routes="" \
service=pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test1 \
password=1234 profile=1Mbps remote-address=192.168.10.201 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test2 \
password=1234 profile=2Mbps remote-address=192.168.10.202 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test3 \
password=1234 profile=1Mbps remote-address=192.168.10.204 routes="" service=\
pppoe
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=test4 \
password=1234 profile=512Kbps remote-address=192.168.10.205 routes="" \
service=pppoe
Now connect your system to the LAN interface, create a PPPoE dialer and use one of the usernames and passwords given above, or create new ones as required.
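Several snippets on this page ship in the state the rest of the page warns about: the Facebook drop rule with disabled=yes, the web proxy that needs the open-proxy drop, /ip dns with allow-remote-requests=yes but no WAN-side port 53 drops, a PPPoE server with authentication=pap, and secrets with password=1234. The following added example (written for this page; not a MikroTik tool and not the author's code) parses an /export-style dump and flags those five conditions. The export grammar it handles, the "in-interface present means WAN-facing" heuristic, the weak-password list and the sample export (assembled from this page's own lines) are all assumptions made for the example.

```python
# Minimal parser for RouterOS "/export" output (the format of every snippet on
# this page) plus an audit for the security points raised on it. Example code
# written for this page, not a MikroTik tool; it covers only the syntax used
# here: "/menu path" lines, add/set commands with key=value parameters,
# double-quoted values, and a trailing backslash that continues a command.

def _logical_lines(text):
    buf = ""
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        if line.endswith("\\"):          # continuation: join with the next line
            buf += line[:-1]
            continue
        yield buf + line
        buf = ""


def _tokens(s):
    """Split on whitespace outside double quotes; a backslash inside quotes escapes the next char."""
    out, cur, quoted, i = [], "", False, 0
    while i < len(s):
        ch = s[i]
        if quoted and ch == "\\" and i + 1 < len(s):
            cur, i = cur + s[i + 1], i + 2
            continue
        if ch == '"':
            quoted = not quoted
        elif ch.isspace() and not quoted:
            if cur:
                out.append(cur)
            cur = ""
        else:
            cur += ch
        i += 1
    return out + [cur] if cur else out


def parse_export(text):
    """Return a list of (menu_path, verb, params) tuples."""
    path, cmds = "", []
    for line in _logical_lines(text):
        if line.startswith("/"):
            path = " ".join(line.split())
            continue
        verb, _, rest = line.partition(" ")
        params = {k: v for k, sep, v in (t.partition("=") for t in _tokens(rest)) if sep}
        cmds.append((path, verb, params))
    return cmds


def _ports(value):
    """Expand "53", "80,443" or "8000-8010" into a set of ports."""
    ports = set()
    for part in filter(None, value.split(",")):
        lo, _, hi = part.partition("-")
        ports.update(range(int(lo), int(hi or lo) + 1))
    return ports


def _wan_input_drops(cmds, proto, port):
    """Enabled input-chain drop/reject rules for proto/port bound to an in-interface
    (heuristic: the page binds such rules to the WAN port, ether1)."""
    return [p for path, verb, p in cmds
            if path == "/ip firewall filter" and verb == "add" and p.get("chain") == "input"
            and p.get("action") in ("drop", "reject") and p.get("disabled", "no") != "yes"
            and p.get("protocol") == proto and "in-interface" in p
            and port in _ports(p.get("dst-port", ""))]


WEAK_PASSWORDS = {"", "1234", "12345", "123456", "password", "admin"}   # toy list for the example


def audit(text):
    """Findings, one string per problem, for the conditions this page warns about."""
    cmds = parse_export(text)
    findings = []
    # allow-remote-requests=yes answers DNS on every interface: without input
    # drops for udp/tcp 53 from the WAN the router is an open resolver.
    if any(path == "/ip dns" and p.get("allow-remote-requests") == "yes" for path, _, p in cmds):
        for proto in ("udp", "tcp"):
            if not _wan_input_drops(cmds, proto, 53):
                findings.append(f"open-resolver: no input drop for {proto}/53 from the WAN")
    for path, verb, p in cmds:
        if path == "/ip proxy" and p.get("enabled") == "yes":          # open proxy check
            port = int(p.get("port", "8080"))
            if not _wan_input_drops(cmds, "tcp", port):
                findings.append(f"open-proxy: web proxy on tcp/{port} reachable from the WAN")
        if path == "/ip firewall filter" and p.get("action") == "drop" and p.get("disabled") == "yes":
            findings.append(f"disabled-drop: {p.get('comment', '(no comment)')}")   # blocks nothing
        if path == "/interface pppoe-server server" and set(p.get("authentication", "").split(",")) == {"pap"}:
            findings.append(f"pap-only: pppoe-server {p.get('service-name', '')} sends passwords in cleartext")
        if path == "/ppp secret" and verb == "add":
            pw = p.get("password", "")
            if pw in WEAK_PASSWORDS or len(pw) < 8:
                findings.append(f"weak-secret: {p.get('name')}")
    return findings


# Constructed export assembled from this page's own snippets.
SAMPLE_EXPORT = r"""
/ip dns
set allow-remote-requests=yes cache-size=2048KiB servers=8.8.8.8,8.8.4.4
/ip proxy
set enabled=yes port=8080
/ip firewall filter
add action=drop chain=forward comment="No-Facebook" content=facebook.com disabled=yes \
    dst-port=80 protocol=tcp src-address=192.168.100.0/24
add chain=input action=drop protocol=tcp in-interface=ether1 dst-port=8080 comment="Block open proxy"
/interface pppoe-server server
add authentication=pap default-profile=default disabled=no interface=ether1 service-name=PPPoE
/ppp secret
add name=test password=1234 profile=10Mbps service=pppoe
add name=ops password=correct-horse-battery-staple profile=2Mbps service=pppoe
"""

# The page's WAN-side DNS drops; appending them clears the open-resolver findings.
DNS_INPUT_DROPS = """
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop
"""

if __name__ == "__main__":
    for finding in audit(SAMPLE_EXPORT):
        print(finding)
```

On the sample export the audit reports the two missing DNS drops, the disabled Facebook rule, the PAP-only server and the test secret, and stays quiet about the proxy because the "Block open proxy" rule is present; appending the page's port 53 input drops removes the open-resolver findings. Feed it the output of /export from a real router (one that still uses the export syntax shown here) to check the same five points.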