
Wednesday, May 16, 2012

MikrotiK Simple Queue

Just type the following in a terminal. It limits host 172.16.1.1 to 256 kbit/s in each direction and guarantees it 32 kbit/s (limit-at) when the link is congested:
/queue simple add name="172.16.1.1" target-addresses=172.16.1.1/32 interface=all parent=none direction=both priority=8 limit-at=32k/32k max-limit=256k/256k

Sunday, March 18, 2012

P21 -- What is T1 and E1 ?

T1
T1 is the North American digital carrier that transmits the DS-1 signal at 1.544 Mbit/s. It multiplexes 24 DS-0 channels of 64 kbit/s each (24 x 64 kbit/s = 1.536 Mbit/s, plus 8 kbit/s of framing). Because the line is digital, the customer end needs a CSU/DSU (Channel Service Unit / Data Service Unit) rather than a modem to terminate it. A T1 is typically shared by an office of a couple of hundred users and is a common way for a business to connect to its Internet provider.

E1
E1 is the European counterpart of the T1. It runs at 2.048 Mbit/s and carries 32 timeslots of 64 kbit/s each. Two of the 32 are not available for user data: timeslot 0 carries framing and synchronisation and timeslot 16 carries signaling, which leaves 30 user channels. The difference between T1 and E1 is therefore the number of channels and the line rate; the per-channel speed of 64 kbit/s is the same. E1 and T1 circuits can be interconnected, which is what makes international links between the two systems possible.

Tuesday, March 13, 2012

P20 -- Well known TCP and UDP ports

Columns: port, transport, service or protocol, RFC number, IANA service name, and the Apple software that uses it ("-" means none or not applicable).

7 TCP/UDP echo 792 echo -
20 TCP File Transport Protocol (FTP) 959 ftp-data -
21 TCP FTP control 959 ftp -
22 TCP Secure Shell (SSH) 4250 - 4254 ssh -
23 TCP Telnet 854 telnet -
25 TCP Simple Mail Transfer Protocol (SMTP) 5321 smtp Mail (for sending email); MobileMe Mail (sending)
53 TCP/UDP Domain Name System (DNS) 1034 domain MacDNS, FaceTime
67 UDP Bootstrap Protocol Server (BootP, bootps) 951 bootps NetBoot via DHCP
68 UDP Bootstrap Protocol Client (bootpc) 951 bootpc NetBoot via DHCP
69 UDP Trivial File Transfer Protocol (TFTP) 1350 tftp -
79 TCP Finger 1288 finger -
80 TCP Hypertext Transfer Protocol (HTTP) 2616 http World Wide Web, MobileMe, QuickTime Installer, iTunes Store and Radio, Software Update, RAID Admin, Backup, iCal calendar publishing, iWeb, WebDAV (iDisk), Final Cut Server, AirPlay, OS X Lion Internet Restore, Profile Manager.
88 TCP Kerberos 4120 kerberos -
106 TCP Password Server (Unregistered Use) - 3com-tsmux Mac OS X Server Password Server
110 TCP Post Office Protocol (POP3), Authenticated Post Office Protocol (APOP) 1939 pop3 Mail (for receiving email)
111 TCP/UDP Remote Procedure Call (RPC) 1057, 1831 sunrpc Portmap (sunrpc)
113 TCP Identification Protocol 1413 ident -
115 TCP Secure File Transfer Program (SFTP) 913 sftp Note: Some authorities reference a "Simple File Transport Protocol" or "Secured File Transport Protocol" on this port.
119 TCP Network News Transfer Protocol (NNTP) 3977 nntp Used by applications that read newsgroups.
123 TCP/UDP Network Time Protocol (NTP) 1305 ntp Date & Time preferences. Used for network time server synchronization, AppleTV Network Time Server Sync
137 UDP Windows Internet Naming Service (WINS) - netbios-ns -
138 UDP NETBIOS Datagram Service - netbios-dgm Windows Datagram Service, Windows Network Neighborhood
139 TCP Server Message Block (SMB) - netbios-ssn Used by Microsoft Windows file and print services, such as Windows Sharing in Mac OS X.
143 TCP Internet Message Access Protocol (IMAP) 3501 imap Mail (for receiving email); MobileMe Mail (IMAP)
161 UDP Simple Network Management Protocol (SNMP) 1157 snmp -
192 UDP OSU Network Monitoring System - osu-nms AirPort Base Station PPP status or discovery (certain configurations), AirPort Admin Utility, AirPort Express Assistant
311 TCP Secure server administration - asip-webadmin Server Admin, Workgroup Manager, Server Monitor, Xsan Admin
389 TCP Lightweight Directory Access Protocol (LDAP) 4511 ldap Used by applications that look up addresses, such as Mail and Address Book.
427 TCP/UDP Service Location Protocol (SLP) 2608 svrloc Network Browser
443 TCP Secure Sockets Layer (SSL, or "HTTPS") 2818 https TLS websites, iTunes Store, FaceTime, Game Center, MobileMe (authentication, iDisk, iDisk Sync, and MobileMe Sync), AirPlay, OS X Lion Internet Restore, Profile Manager.
445 TCP Microsoft SMB Domain Server - microsoft-ds -
464 TCP/UDP kpasswd 3244 kpasswd -
497 TCP/UDP Dantz Retrospect - dantz -
500 UDP ISAKMP/IKE - isakmp Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later).
514 TCP shell - shell -
514 UDP Syslog - syslog -
515 TCP Line Printer (LPR), Line Printer Daemon (LPD) - printer Used for printing to a network printer, Printer Sharing in Mac OS X.
532 TCP netnews - netnews -
548 TCP Apple Filing Protocol (AFP) over TCP - afpovertcp AppleShare, Personal File Sharing, Apple File Service
554 TCP/UDP Real Time Streaming Protocol (RTSP) 2326 rtsp QuickTime Streaming Server (QTSS), streaming media players, AirPlay
587 TCP Message Submission for Mail (Authenticated SMTP) 4409 submission Mail (for sending mail), MobileMe Mail (SMTP authentication)
600-1023 TCP/UDP Mac OS X RPC-based services - ipcserver Used by NetInfo, for example.
623 UDP Lights-Out-Monitoring - asf-rmcp Used by Intel Xserves' Lights-Out-Monitoring (LOM) feature; used by Server Monitor
625 TCP Directory Service Proxy (DSProxy) (Unregistered Use) - dec_dlm DirectoryService, Open Directory Assistant, Workgroup Manager. Note: This port is registered to DEC DLM.
626 TCP AppleShare Imap Admin (ASIA) - asia IMAP Administration (Mac OS X Server 10.2.8 or earlier, AppleShare IP 6)
626 UDP serialnumberd (Unregistered Use) - asia Server serial number registration (Xsan, Mac OS X Server v10.3 - v10.6)
631 TCP Internet Printing Protocol (IPP) 2910 ipp Mac OS X Printer Sharing, Printing to many common printers
636 TCP Secure LDAP - ldaps -
660 TCP MacOS Server Admin - mac-srvr-admin Server Admin (both AppleShare IP and Mac OS X Server), Server settings
687 TCP Server administration - asipregistry Server app, Server Admin, Workgroup Manager, Server Monitor, Xsan Admin
749 TCP/UDP Kerberos 5 admin/changepw - kerberos-adm -
985 TCP NetInfo Static Port - - -
993 TCP Mail IMAP SSL - imaps MobileMe Mail (SSL IMAP)
995 TCP/UDP Mail POP SSL - pop3s -
1085 TCP/UDP WebObjects - webobjects -
1099 & 8043 TCP Remote RMI and IIOP Access to JBOSS - rmiregistry -
1220 TCP QT Server Admin - qt-serveradmin Used for administration of QuickTime Streaming Server.
1640 TCP Certificate Enrollment Server - cert-responder Profile Manager, SCEP
1649 TCP IP Failover - kermit -
1701 UDP L2TP - l2f Mac OS X Server VPN service
1723 TCP PPTP - pptp Mac OS X Server VPN service
2049 TCP/UDP Network File System (NFS) (version 3 and 4) 1094 nfsd -
2195 TCP Apple Push Notification Service (APNS) - - Push notifications
2196 TCP Apple Push Notification Service (APNS) - - Feedback service
2336 TCP Mobile account sync - appleugcontrol Home directory synchronization
3004 TCP iSync - csoftragent -
3031 TCP/UDP Remote AppleEvents - eppc Program Linking, Remote Apple Events
3283 TCP/UDP Net Assistant - net-assistant Apple Remote Desktop 2.0 or later (Reporting feature)
3306 TCP MySQL - mysql -
3478-3497 UDP - - nat-stun-port - ipether232port FaceTime, Game Center
3632 TCP Distributed compiler - distcc -
3659 TCP/UDP Simple Authentication and Security Layer (SASL) - apple-sasl Mac OS X Server Password Server
3689 TCP Digital Audio Access Protocol (DAAP) - daap iTunes Music Sharing, AirPlay
4111 TCP XGrid - xgrid -
4398 UDP - - - Game Center
4488 TCP/UDP Apple Wide Area Connectivity Service   awacs-ice Back To My Mac
4500 UDP IKE NAT Traversal - ipsec-msft Mac OS X Server VPN service, Back to My Mac (MobileMe, Mac OS X v10.5 or later).
Note: VPN and MobileMe are mutually exclusive when configured through an Apple access point (such as an AirPort Base Station); MobileMe will take precedence.
5003 TCP FileMaker - name binding and transport - fmpro-internal -
5009 TCP (Unregistered Use) - winfs AirPort Admin Utility, AirPort Express Assistant
5060 UDP Session Initiation Protocol (SIP) 3261 sip iChat
5100 TCP - - socalia Mac OS X camera and scanner sharing
5190 TCP/UDP America Online (AOL) - aol iChat and AOL Instant Messenger, file transfer
5222 TCP XMPP (Jabber) 3920 jabber-client iChat and Jabber messages
5223 TCP XMPP over SSL, Apple Push Notification Service - - MobileMe (Automatic sync notifications), APNs, FaceTime, Game Center
5269 TCP XMPP server-to-server communication 3920 jabber-server iChat Server
5297 TCP - - - iChat (local traffic), Bonjour
5298 TCP/UDP - - - iChat (local traffic), Bonjour
5353 UDP Multicast DNS (MDNS) 3927 mdns Bonjour (mDNSResponder), AirPlay, Home Sharing, Printer Discovery
5354 TCP Multicast DNS Responder - mdnsresponder Back to My Mac
5432 TCP PostgreSQL - postgresql May be enabled manually on Lion Server. Previously enabled by default for ARD 2.0 Database.
5678 UDP SNATMAP server - rrac The SNATMAP service on port 5678 is used to determine the external Internet address of hosts so that connections between iChat users can properly function behind network address translation (NAT). The SNATMAP service simply communicates to clients the Internet address that connected to it. This service runs on an Apple server, but does not send personal information to Apple. When certain iChat AV features are used, this service will be contacted. Blocking this service may cause issues with iChat AV connections with hosts on networks that use NAT.
5897-5898 UDP (Unregistered Use) - - xrdiags
5900 TCP Virtual Network Computing (VNC) (Unregistered Use) - vnc-server Apple Remote Desktop 2.0 or later (Observe/Control feature), Screen Sharing (Mac OS X 10.5 or later)
5988 TCP WBEM HTTP - wbem-http Apple Remote Desktop 2.x (see http://www.dmtf.org/about/faq/wbem)
6970-9999 UDP - - - QuickTime Streaming Server
7070 TCP RTSP (Unregistered Use), Automatic Router Configuration Protocol (ARCP, Registered Use) - arcp QuickTime Streaming Server (RTSP)
7070 UDP RTSP alternate - arcp QuickTime Streaming Server
7777 TCP iChat server file transfer proxy (unregistered use) - cbt -
8000-8999 TCP - - irdmi Web service, iTunes Radio streams
8005 TCP Tomcat remote shutdown - - -
8008 TCP iCal service - http-alt Mac OS X Server v10.5 and later
8080 TCP Alternate port for Apache web service - http-alt -
8085-8087 TCP Wiki service - - Mac OS X Server v10.5 and later
8088 TCP Software Update service - radan-http Mac OS X Server v10.4 and later
8089 TCP Web email rules - - Mac OS X Server v10.6 and later
8096 TCP Web Password Reset - - Mac OS X Server v10.6.3 and later
8170 TCP HTTPS (web service/site) - - Podcast Capture/podcast CLI
8171 TCP HTTP (web service/site) - - Podcast Capture/podcast CLI
8175 TCP Pcast Tunnel - - pcastagentd (for control operations, camera and so on)
8443 TCP iCal service (SSL) - pcsync-https Mac OS X Server v10.5 and later
8800 TCP Address Book service - sunwebadmin Mac OS X Server v10.6 and later
8843 TCP Address Book service (SSL) - - Mac OS X Server v10.6 and later
8821, 8826 TCP Stored - - Final Cut Server
8891 TCP ldsd - - Final Cut Server (data transfers)
9006, 8080, 8443 - HTTP and HTTPS ports for Tomcat Standalone and JBOSS (J2EE) - -, http-alt, pcsync-https -
11211 - memcached (unregistered) - - iCal Server
16080 TCP - - - Web service with performance cache
16384-16403 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - iChat AV (Audio RTP, RTCP; Video RTP, RTCP)
16384-16387 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - connected, - FaceTime, Game Center
16393-16402 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - FaceTime, Game Center
16403-16472 UDP Real-Time Transport Protocol (RTP), Real-Time Control Protocol (RTCP) - - Game Center
24000-24999 TCP - - med-ltp Web service with performance cache
42000-42999 TCP - - - iTunes Radio streams
49152-65535 TCP Xsan - - Xsan Filesystem Access
50003 - FileMaker server service - - -
50006 - FileMaker helper service - - -

Sunday, March 11, 2012

P19 -- MikroTik RouterBOARD password reset

A RouterOS password can only be reset by reinstalling RouterOS, or, on RouterBOARD hardware, by using the reset jumper (or jumper hole). For RouterBOARDs, close the jumper and boot the board until the configuration is cleared. Some RouterBOARDs have no jumper but a jumper hole: put a metal object into the hole and boot the board. Either method needs physical access and wipes the whole configuration, not just the password, so anyone who can open the case can take over the router; keep the hardware physically secured.

For older models

The below image shows the location of the Reset Jumper on older RouterBOARDs like RB133C:


Note: Don't forget to remove the jumper after configuration has been reset, or it will be reset every time you reboot.

P18 -- Forwarding a port to an internal IP using MikroTik

This example shows how to forward a port (TCP 5900, VNC) to an internal host using destination NAT. 69.69.69.69 is the example WAN IP and 192.168.1.101 is the internal destination. Matching on dst-address keeps the rule from rewriting traffic that merely passes through the router towards some other host. Because this exposes a remote-control service to everyone who can reach the WAN address, add a src-address or src-address-list match (for example, the administrator's addresses) where you can, and remember that if the forward chain does not accept traffic by default a matching filter rule is needed as well.

/ip firewall nat add chain=dstnat dst-address=69.69.69.69 protocol=tcp dst-port=5900 \
    action=dst-nat to-addresses=192.168.1.101 to-ports=5900

P17 -- How to block websites and stop downloads using the MikroTik proxy

This example explains how to block web sites and how to stop file downloads with the built-in web proxy. Note that the transparent redirect below only intercepts plain HTTP on TCP port 80; the proxy never sees HTTPS traffic, so none of these rules apply to HTTPS sites.

First, Configure Proxy.

/ip proxy
set enabled=yes
set src-address=0.0.0.0
set port=8080
set parent-proxy=0.0.0.0
set parent-proxy-port=0
set cache-administrator="webmaster"
set max-cache-size=none
set cache-on-disk=no
set max-client-connections=600
set max-server-connections=600
set max-fresh-time=3d
set always-from-cache=no
set cache-hit-dscp=4
set serialize-connections=no


Now, make it transparent by redirecting outbound port 80 traffic into the proxy (adding in-interface=<Your LAN port> to the rule keeps it from also redirecting connections that arrive from the WAN side):

/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=<Your LAN IP for the Router> to-ports=8080


Make sure that your proxy is NOT an open proxy. Without this rule anyone on the Internet could connect to port 8080 on the WAN address and relay traffic through your router:

/ip firewall filter
add chain=input in-interface=<Your WAN Port> src-address=0.0.0.0/0 \
    protocol=tcp dst-port=8080 action=drop

Now for blocking websites

/ip proxy access
add dst-host=www.vansol27.com action=deny

This blocks http://www.vansol27.com for everyone. To block it only for a particular network, add src-address=<network> to the rule. Access rules are evaluated from top to bottom and the first match wins, so put the specific rules first.

We can also stop downloads of files such as .mp3, .exe, .dat, .avi, etc. by matching on the URL path. This checks only the name in the URL, not the content, so a renamed or archived file passes:

/ip proxy access
add path=*.exe action=deny
add path=*.mp3 action=deny
add path=*.zip action=deny
add path=*.rar action=deny


Try this as well. A dst-host value that starts with ":" is treated as a regular expression, so ":mail" matches any host name containing "mail":

/ip proxy access
add dst-host=:mail action=deny

This blocks every web site whose host name contains the word "mail".

Example: it blocks www.hotmail.com, mail.yahoo.com and www.rediffmail.com.

P16 -- DoS (Denial of Service) attack protection using MikroTik

There is no perfect protection against DoS attacks: any service can be overloaded by enough requests. What follows are methods that reduce the impact of an attack.

  • Get a more powerful router or server
  • Get a faster uplink
  • Reduce the number of firewall rules, queues and other packet handling actions
  • Trace the attack path and block it closer to the source (at the upstream provider)
Types

TCP SYN flood  

More info: SYN flood. 

Diagnose

  • Are there too many connections in the syn-sent state?
/ip firewall connection print
  • Are too many packets per second going through an interface?
/interface monitor-traffic ether3
  • Is CPU usage at 100%?
/system resource monitor
  • Are there too many suspicious connections?
/tool torch

Protection

  • Limit incoming connections
An address with too many connections can be added to an address list for further blocking.
/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32  \
action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d 
where LIMIT is the maximum number of connections per IP address (the ",32" is the netmask used to group source addresses; /32 counts every address separately). LIMIT should be 100 or higher, as many services use multiple connections (HTTP, BitTorrent and other P2P programs).
  • Action tarpit
Instead of simply dropping the attacker's packets (action=drop), the router can accept and hold the connections; on a sufficiently powerful router this ties up the attacker's resources instead of yours.
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr \
connection-limit=3,32 action=tarpit 
  • SYN filtering
Some more advanced filtering can be applied based on TCP packet state.
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn connection-state=new \
action=jump jump-target=SYN-Protect comment="SYN Flood protect" disabled=yes
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 connection-state=new \
action=accept comment="" disabled=no
/ip firewall filter add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
action=drop comment="" disabled=no
limit=400,5 is the threshold: on average 400 new SYN packets per second are accepted, with a burst of 5, and everything above that is dropped by the last rule. The jump rule is added disabled; enable it in the forward chain to start dropping the excess SYN packets.
  • SYN cookies
More info: SYN cookies. With SYN cookies the router can answer SYN packets addressed to itself without keeping state for every half-open connection.
/ip firewall connection tracking set tcp-syncookie=yes
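The first diagnostic step above, "are there too many connections in the syn-sent state?", is tedious to answer by eye on a busy router. The script below is an added example (not from the page) that counts half-open TCP connections per source address in saved `/ip firewall connection print` output and emits the address-list commands that feed the blocked-addr list used by the tarpit rule. The sample output is constructed in the approximate layout of that command and is not real router output; the limit of 3 is only to make the tiny sample interesting, the page's advice of 100 or more stands for real traffic.

```python
"""Count half-open (syn-sent) connections per source in conntrack output.

Added example; the sample output is constructed in the approximate layout of
`/ip firewall connection print` and is not real router output.
"""
import re
from collections import Counter

# Constructed sample; addresses come from the RFC 5737 documentation ranges.
SAMPLE_CONNTRACK = """\
 #    PR  SRC-ADDRESS           DST-ADDRESS         TCP-STATE    TIMEOUT
 0    tcp 203.0.113.7:40001     192.0.2.10:80       syn-sent     4s
 1    tcp 203.0.113.7:40002     192.0.2.10:80       syn-sent     3s
 2    tcp 203.0.113.7:40003     192.0.2.10:80       syn-sent     5s
 3    tcp 203.0.113.7:40004     192.0.2.10:80       syn-sent     2s
 4    tcp 198.51.100.9:51200    192.0.2.10:80       established  23h59m
 5    tcp 198.51.100.9:51201    192.0.2.10:443      syn-sent     4s
 6    udp 198.51.100.9:53210    192.0.2.1:53                     9s
"""

# One connection row: index, protocol, src:port, dst:port, optional TCP state.
ROW = re.compile(
    r"^\s*\d+\s+(?P<proto>\w+)\s+(?P<src>[\d.]+):\d+\s+(?P<dst>[\d.]+):\d+"
    r"(?:\s+(?P<state>[a-z-]+))?"
)


def half_open_by_source(conntrack_text: str) -> Counter:
    """Number of tcp/syn-sent entries per source address."""
    counts = Counter()
    for line in conntrack_text.splitlines():
        m = ROW.match(line)
        if m and m["proto"] == "tcp" and m["state"] == "syn-sent":
            counts[m["src"]] += 1
    return counts


def suspects(conntrack_text: str, limit: int) -> list:
    """Sources with more than `limit` half-open connections, worst first."""
    return [(src, n) for src, n in half_open_by_source(conntrack_text).most_common()
            if n > limit]


def blocklist_commands(conntrack_text: str, limit: int, timeout: str = "1d") -> list:
    """RouterOS commands that put each suspect on the blocked-addr list used above."""
    return [f"/ip firewall address-list add list=blocked-addr address={src} "
            f'timeout={timeout} comment="{n} half-open connections"'
            for src, n in suspects(conntrack_text, limit)]


if __name__ == "__main__":
    # limit=3 only because the sample is tiny; on a real router use 100 or more.
    for cmd in blocklist_commands(SAMPLE_CONNTRACK, limit=3):
        print(cmd)
```

Save the print output to a file (or pull it over SSH) and feed it to blocklist_commands; review the list before pasting it back, since a busy legitimate client that is momentarily stuck in syn-sent towards a dead server looks the same as an attacker in this view.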

P15 -- MikroTik essentials firewall

Just copy and paste into a new terminal. Read it before you do: the first six rules drop all forwarded H.323 and SIP traffic (the ILLEGAL_VOIP rules), and the two rules near the end drop all forwarded traffic to or from TCP port 25, which also blocks legitimate mail clients that talk directly to outside SMTP servers. Remove the rules you do not want. The ssh_stage rules escalate any source that opens four new SSH connections to the router within a minute into ssh_blacklist for ten days; they count connections, not failed logins, so an administrator opening several sessions quickly can trigger them too.

/ip firewall filter
add chain=forward protocol=udp dst-port=1718-1720 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=forward protocol=tcp dst-port=1718-1720 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=forward protocol=udp dst-port=5060 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=forward protocol=tcp dst-port=5060 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=forward protocol=tcp dst-port=11720 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=forward protocol=udp dst-port=11720 action=drop \
    comment="Drop_ILLEGAL_VOIP" disabled=no
add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist \
    action=drop comment="drop ftp brute forcers" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    dst-limit=1/1m,9,dst-address/1m action=accept comment="" disabled=no
add chain=output protocol=tcp content="530 Login incorrect" \
    action=add-dst-to-address-list address-list=ftp_blacklist \
    address-list-timeout=3h comment="" disabled=no
add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute forcers" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage3 action=add-src-to-address-list \
    address-list=ssh_blacklist address-list-timeout=1w3d comment="" \
    disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage2 action=add-src-to-address-list \
    address-list=ssh_stage3 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=ssh_stage1 action=add-src-to-address-list \
    address-list=ssh_stage2 address-list-timeout=1m comment="" disabled=no
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=ssh_stage1 \
    address-list-timeout=1m comment="" disabled=no
add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist \
    action=drop comment="drop ssh brute downstream" disabled=no
add chain=forward connection-state=established action=accept comment="allow \
    established connections" disabled=no
add chain=forward connection-state=related action=accept comment="allow \
    related connections" disabled=no
add chain=forward connection-state=invalid action=drop comment="drop invalid \
    connections" disabled=no
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop \
    Blaster Worm" disabled=no
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop \
    Messenger Worm" disabled=no
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster \
    Worm" disabled=no
add chain=virus protocol=tcp dst-port=593 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="" \
    disabled=no
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" \
    disabled=no
add chain=virus protocol=tcp dst-port=1214 action=drop comment="" disabled=no
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" \
    disabled=no
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" \
    disabled=no
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" \
    disabled=no
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" \
    disabled=no
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" \
    disabled=no
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" \
    disabled=no
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" \
    disabled=no
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" \
    disabled=no
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop \
    Beagle.C-K" disabled=no
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop \
    MyDoom" disabled=no
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor \
    OptixPro" disabled=no
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" \
    disabled=no
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" \
    disabled=no
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" \
    disabled=no
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop \
    Dabber.A-B" disabled=no
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop \
    Dumaru.Y" disabled=no
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop \
    MyDoom.B" disabled=no
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" \
    disabled=no
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" \
    disabled=no
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop \
    SubSeven" disabled=no
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, \
    Agobot, Gaobot" disabled=no
add chain=forward action=jump jump-target=virus comment="jump to the virus \
    chain" disabled=no
add chain=forward protocol=tcp dst-port=25 action=drop comment="" disabled=no
add chain=forward protocol=tcp src-port=25 action=drop comment="" disabled=no
add chain=forward protocol=tcp tcp-flags=syn connection-state=new action=jump \
    jump-target=SYN-Protect comment="SYN Flood protect" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn limit=400,5 \
    connection-state=new action=accept comment="" disabled=no
add chain=SYN-Protect protocol=tcp tcp-flags=syn connection-state=new \
    action=drop comment="" disabled=no
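The ssh_stage1, ssh_stage2, ssh_stage3 and ssh_blacklist rules above are a small state machine, and it is easy to misjudge how quickly it bites. The simulation below is an added example, not configuration from the page: it replays the five SSH rules in their listed order against constructed connection events and returns the verdict for each. It models two RouterOS behaviours, that action=add-src-to-address-list does not stop rule processing (so every later stage rule still runs and refreshes the lower stages), and that re-adding an address already on a dynamic list refreshes its timeout; the second is an assumption of this model. The addresses come from the RFC 5737 documentation ranges.

```python
"""Replay the ssh_stage1..3 / ssh_blacklist rules above against connection events.

Added example, not configuration from the page. It models two RouterOS
behaviours: action=add-src-to-address-list does not stop rule processing, and
re-adding an address that is already on a dynamic list refreshes its timeout
(the second is an assumption of this model).
"""
from dataclasses import dataclass, field

MINUTE = 60
STAGE_TIMEOUT = 1 * MINUTE                 # address-list-timeout=1m
BLACKLIST_TIMEOUT = (7 + 3) * 24 * 3600    # address-list-timeout=1w3d


@dataclass
class AddressLists:
    """Dynamic address-list entries keyed by (list name, address) -> expiry time."""
    entries: dict = field(default_factory=dict)

    def add(self, name: str, addr: str, now: float, timeout: float) -> None:
        self.entries[(name, addr)] = now + timeout   # assumption: re-add refreshes

    def contains(self, name: str, addr: str, now: float) -> bool:
        expiry = self.entries.get((name, addr))
        return expiry is not None and expiry > now


def new_ssh_connection(lists: AddressLists, src: str, now: float) -> str:
    """Evaluate one connection-state=new packet to TCP/22 against the rules, in order.

    Returns "drop" if the blacklist rule fires, otherwise "accept" (none of the
    add-src-to-address-list rules terminates processing, so the packet goes on
    to whatever follows in the input chain)."""
    if lists.contains("ssh_blacklist", src, now):
        return "drop"
    if lists.contains("ssh_stage3", src, now):
        lists.add("ssh_blacklist", src, now, BLACKLIST_TIMEOUT)
    if lists.contains("ssh_stage2", src, now):
        lists.add("ssh_stage3", src, now, STAGE_TIMEOUT)
    if lists.contains("ssh_stage1", src, now):
        lists.add("ssh_stage2", src, now, STAGE_TIMEOUT)
    lists.add("ssh_stage1", src, now, STAGE_TIMEOUT)
    return "accept"


def replay(events) -> list:
    """events: iterable of (time_in_seconds, source_address). Returns verdicts in order."""
    lists = AddressLists()
    return [new_ssh_connection(lists, src, t) for t, src in events]


# Constructed events; addresses come from the RFC 5737 documentation ranges.
BRUTE_FORCER = [(t, "203.0.113.7") for t in (0, 5, 10, 15, 20, 25)]
CAREFUL_ADMIN = [(t, "198.51.100.9") for t in (0, 120, 240, 360, 480)]
HASTY_ADMIN = [(t, "198.51.100.9") for t in (0, 10, 20, 30, 40)]

if __name__ == "__main__":
    print("brute forcer :", replay(BRUTE_FORCER))   # 4 accepted, then dropped
    print("careful admin:", replay(CAREFUL_ADMIN))  # one session every 2 min: never escalates
    print("hasty admin  :", replay(HASTY_ADMIN))    # 5 sessions in 40 s: blacklisted for 10 days
```

The replay makes the trade-off concrete: the fourth new connection inside a minute is still accepted (the blacklist check runs before the address is added to it) and the fifth is dropped, for ten days, regardless of whether any login actually failed. If administrators connect from fixed addresses, an accept rule for those addresses placed above the stage rules avoids locking them out.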

P14 -- MikroTik EoIP tunnel

Let us assume we want to bridge two networks, 'Office LAN' and 'Remote LAN'. With EoIP the setup can be made so that the Office and Remote LANs are in the same Layer 2 broadcast domain.

Diagram:


At first we create EoIP tunnel on our gateway ...
Code: [Select]
[admin@Our_GW] interface eoip> add name="eoip-remote" tunnel-id=0 \
\... remote-address=10.0.0.2
[admin@Our_GW] interface eoip> enable eoip-remote
[admin@Our_GW] interface eoip> print
Flags: X - disabled, R - running
  0    name=eoip-remote mtu=1500 arp=enabled remote-address=10.0.0.2 tunnel-id=0
[admin@Our_GW] interface eoip>
 
and on the Remote router (the tunnel interface is named eoip-main here, which is the name the bridge port step below refers to):

Code: [Select]
[admin@Remote] interface eoip> add name="eoip-main" tunnel-id=0 \
\... remote-address=10.0.0.1
[admin@Remote] interface eoip> enable eoip-main
[admin@Remote] interface eoip> print
Flags: X - disabled, R - running
  0   name=eoip-main mtu=1500 arp=enabled remote-address=10.0.0.1 tunnel-id=0

[admin@Remote] interface eoip>

Next step is to bridge local interfaces with EoIP tunnel On Our GW ...

Code: [Select]
[admin@Our_GW] interface bridge> add 
[admin@Our_GW] interface bridge> print
Flags: X - disabled, R - running
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 
      protocol-mode=none priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s 
      transmit-hold-count=6 ageing-time=5m 
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=eoip-remote
[admin@Our_GW] interface bridge> port add bridge=bridge1 interface=office-eth
[admin@Our_GW] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE      BRIDGE  PRIORITY PATH-COST
 0    eoip-remote    bridge1 128      10
 1    office-eth     bridge1 128      10
[admin@Our_GW] interface bridge>

... and Remote router:

Code: [Select]
[admin@Remote] interface bridge> add 
[admin@Remote] interface bridge> print
Flags: X - disabled, R - running
 0  R name="bridge1" mtu=1500 arp=enabled mac-address=00:00:00:00:00:00 
      protocol-mode=none priority=0x8000 auto-mac=yes 
      admin-mac=00:00:00:00:00:00 max-message-age=20s forward-delay=15s 
      transmit-hold-count=6 ageing-time=5m 
[admin@Remote] interface bridge> port add bridge=bridge1 interface=ether
[admin@Remote] interface bridge> port add bridge=bridge1 interface=eoip-main
[admin@Remote] interface bridge> port print
Flags: X - disabled, I - inactive, D - dynamic
 #    INTERFACE      BRIDGE  PRIORITY PATH-COST
 0    ether          bridge1 128      10
 1    eoip-main      bridge1 128      10     
[admin@Remote] interface bridge>

Now both sites are in the same Layer 2 broadcast domain, and you can assign IP addresses from the same network on both sites. Keep in mind that EoIP is plain GRE-style encapsulation with no encryption or authentication: anyone on the path between 10.0.0.1 and 10.0.0.2 can read the bridged frames and inject their own into both LANs. Run the tunnel over IPsec when that path is not trusted.

P13 -- Bridge mode bandwidth shaping in MikroTik

Introduction

This example shows how to configure a transparent traffic shaper. The transparent traffic shaper is essentially a bridge that is able to differentiate and prioritize the traffic that passes through it. The key setting is use-ip-firewall=yes under /interface bridge settings: without it, bridged traffic bypasses /ip firewall mangle and the packet marks the queues rely on are never set.


Consider the following network layout:


Configuration code:

Code: [Select]
/ interface bridge 
add name="bridge1"
/ interface bridge port 
add interface=ether2 bridge=bridge1 
add interface=ether3 bridge=bridge1 
/ interface bridge settings
set use-ip-firewall=yes

/ ip firewall mangle 
add chain=prerouting protocol=tcp dst-port=80 action=mark-connection \
    new-connection-mark=http_conn passthrough=yes
add chain=prerouting connection-mark=http_conn action=mark-packet \
    new-packet-mark=http passthrough=no
add chain=prerouting p2p=all-p2p action=mark-connection \
    new-connection-mark=p2p_conn passthrough=yes
add chain=prerouting connection-mark=p2p_conn action=mark-packet \
    new-packet-mark=p2p passthrough=no
add chain=prerouting action=mark-connection new-connection-mark=other_conn \
    passthrough=yes
add chain=prerouting connection-mark=other_conn action=mark-packet \
    new-packet-mark=other passthrough=no

/ queue simple 
add name="main" target-addresses=10.0.0.12/32 max-limit=256000/512000
add name="http" parent=main packet-marks=http max-limit=240000/500000 priority=1
add name="p2p" parent=main packet-marks=p2p max-limit=64000/64000 priority=8
add name="other" parent=main packet-marks=other max-limit=128000/128000 priority=4

P12 -- Bridge filter: blocking DHCP traffic

I've been working on implementing DHCP relay throughout our network. However, at times we have had problems with customers plugging their routers in backwards. They start handing out DHCP leases to other customers, which is definitely annoying. I'm not taking credit for this idea, just putting together what I found. I'm aware of setting the authoritative flag on the DHCP server.

This will put a stop to it:
Rule to block DHCP traffic originating from a 192.168.0.0/16 device; this blocks the normal DHCP server traffic from Linksys or D-Link home routers.


Code: [Select]
/interface bridge filter
# chain=forward matches frames relayed between bridge ports, which is where a
# rogue server's offers reach other customers; the bridge input chain only sees
# frames addressed to the router itself, so input would not stop them.
add action=log chain=forward comment="Block DHCP servers on 192.168.0.0/16" \
    disabled=no dst-address=255.255.255.255/32 ip-protocol=udp \
    log-prefix="ALERT ROGUE DHCP (BLOCKED)" mac-protocol=ip \
    src-address=192.168.0.0/16 src-port=67-68
add action=drop chain=forward comment="Block DHCP servers on 192.168.0.0/16" \
    disabled=no dst-address=255.255.255.255/32 ip-protocol=udp mac-protocol=ip \
    src-address=192.168.0.0/16 src-port=67-68

Code: [Select]
/interface bridge settings 
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=yes

You should also make sure that IP Firewall connection tracking is turned on. Add this rule to your core routers and access points where customers have the potential of plugging devices in backwards.

P11 -- Protecting your users using the MikroTik firewall

To protect the customers' network, we check all traffic that goes through the router and block what is unwanted. For ICMP, TCP and UDP traffic we create chains in which all unwanted packets are dropped. To begin, copy and paste the following commands into the RouterOS terminal console:

Code: [Select]
/ip firewall filter
add chain=forward connection-state=established action=accept comment="allow established connections"
add chain=forward connection-state=related action=accept comment="allow related connections"
add chain=forward connection-state=invalid action=drop comment="drop invalid connections"

Here, the first two rules deal with packets of already opened or related connections. We assume that those are okay. We do not like invalid connection packets, therefore they are dropped.



Next, we should filter out and drop all unwanted packets that look like coming from virus infected hosts. Instead of adding those rules to the forward chain, we create a new chain for all unwanted netbios and similar traffic. We can give the chain a descriptive name, say, "virus" when adding the following rules to the ip firewall filter (you can copy and paste these rules into the terminal window, if you are in the /ip firewall filter menu):

Code: [Select]
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm" 
add chain=virus protocol=udp dst-port=135-139 action=drop comment="Drop Messenger Worm"    
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm" 
add chain=virus protocol=udp dst-port=445 action=drop comment="Drop Blaster Worm" 
add chain=virus protocol=tcp dst-port=593 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1080 action=drop comment="Drop MyDoom" 
add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" 
add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" 
add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" 
add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" 
add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" 
add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" 
add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" 
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" 
add chain=virus protocol=tcp dst-port=2283 action=drop comment="Drop Dumaru.Y" 
add chain=virus protocol=tcp dst-port=2535 action=drop comment="Drop Beagle" 
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K" 
add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="Drop MyDoom" 
add chain=virus protocol=tcp dst-port=3410 action=drop comment="Drop Backdoor OptixPro"
add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" 
add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" 
add chain=virus protocol=tcp dst-port=5554 action=drop comment="Drop Sasser" 
add chain=virus protocol=tcp dst-port=8866 action=drop comment="Drop Beagle.B" 
add chain=virus protocol=tcp dst-port=9898 action=drop comment="Drop Dabber.A-B" 
add chain=virus protocol=tcp dst-port=10000 action=drop comment="Drop Dumaru.Y" 
add chain=virus protocol=tcp dst-port=10080 action=drop comment="Drop MyDoom.B" 
add chain=virus protocol=tcp dst-port=12345 action=drop comment="Drop NetBus" 
add chain=virus protocol=tcp dst-port=17300 action=drop comment="Drop Kuang2" 
add chain=virus protocol=tcp dst-port=27374 action=drop comment="Drop SubSeven" 
add chain=virus protocol=tcp dst-port=65506 action=drop comment="Drop PhatBot, Agobot, Gaobot"

Here we list well-known "bad" ports used by various trojans and worms once they have taken over a computer. The list is incomplete and dated; extend it (and prune it) to match what you actually see. Two things to watch: the rules match on destination port only, so if the forward chain has no earlier accept for connection-state=established,related they also drop legitimate reply packets whose destination port happens to fall in these ranges (1024-1030 falls inside the range older Windows clients use as source ports); and the list contains port 2745 twice, which is harmless but worth tidying. We jump to this chain from the forward chain with a rule whose action is jump:

Code:
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"

The forward chain now begins with this jump rule. If a packet matches none of the rules in the virus chain, processing returns to the forward chain and continues with the rule after the jump.

At this point we are left with various options, and you should explore this more thoroughly by reading the manual.

For the purposes of this example we want to block all traffic except what we explicitly allow through: HTTP and SMTP and, as the rules below are written, all other TCP and UDP as well as ICMP (ping).

We add rules accepting the traffic we want and then drop everything else (the last rule is the one that blocks all remaining traffic):

Code:
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP" 
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP" 
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"

NOTE THAT THE LAST RULE WILL BLOCK OR DROP ALL TRAFFIC THAT IS NOT EXPLICITLY ALLOWED THROUGH BY PREVIOUS RULES!

Read the accept rules carefully before relying on that: the "allow TCP" and "allow udp" rules have no port match, so they accept every TCP and UDP packet (which also makes the HTTP and SMTP rules redundant), and the final drop only ever sees other protocols. For a real default-deny forward chain, remove the protocol-wide accepts, keep the per-port accepts, and put an accept for connection-state=established,related in front of them so that replies to allowed connections pass.
 

P10 -- Mikrotik server Port mapping/port forwarding

If you would like to direct requests for a certain port to an internal machine (sometimes called opening a port, or port mapping), you can do it like this:

Code:
/ip firewall nat add chain=dstnat protocol=tcp dst-port=1234 action=dst-nat to-addresses=192.168.1.1 to-ports=1234

This rule translates to: when an incoming TCP connection is addressed to port 1234, apply the DST-NAT action and send it to the local address 192.168.1.1, port 1234 (to-ports may differ from dst-port if the internal service listens on another port). As written the rule has no in-interface or dst-address match, so it also rewrites connections from the LAN to any port-1234 destination; add in-interface=<WAN interface> or dst-address=<public IP> to limit it to traffic arriving from outside. DST-NAT only rewrites the destination; the translated packet still has to pass the forward chain, so a forward chain that drops everything not explicitly allowed needs an accept for TCP port 1234 to 192.168.1.1.

P9 -- Customer IP drop using a Mikrotik Firewall Filter rule

Drop a single IP. This matches on src-address, so it stops packets coming from the customer; add a second rule with dst-address=192.168.10.10/32 if traffic toward that host must be blocked too. Packets addressed to the router itself go through the input chain, not forward.

Code:
/ip firewall filter
add chain=forward src-address=192.168.10.10/32 action=drop 

P8 -- Using PCC to load balance across multiple WANs in Mikrotik

Note that none of this configuration uses IP addresses at all; it marks traffic by interface, using the pppoe-client interfaces and the LAN interface. In this example the WAN interfaces are wan1-pppoe, wan2-pppoe and wan3-pppoe and the LAN interface is lan. Each new LAN connection is hashed by PCC into one of three buckets, given a connection mark, and routed out the matching WAN; the distance-2 and distance-3 routes keep traffic flowing when a WAN goes down. NAT is not shown: each WAN still needs its own srcnat masquerade rule with out-interface set to that pppoe interface, otherwise LAN traffic leaves with private source addresses.



Code:
/ip route
add check-gateway=arp comment="WAN 3  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 2  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 1  - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 1  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan3
add check-gateway=arp comment="WAN 1  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=wan1
add check-gateway=arp comment="WAN 2  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=wan2
add check-gateway=arp comment="WAN 3  - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=wan3
add check-gateway=arp comment="Default Route - Distance 1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe
add check-gateway=arp comment="Default Route - Distance 3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe
add check-gateway=arp comment="Default Route - Distance 2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe
add check-gateway=arp comment="Static Route - WAN1" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=wan1-pppoe routing-mark=static-wan1
add check-gateway=arp comment="Static Route - WAN2" disabled=no distance=2 dst-address=0.0.0.0/0 gateway=wan2-pppoe routing-mark=static-wan2
add check-gateway=arp comment="Static Route - WAN3" disabled=no distance=3 dst-address=0.0.0.0/0 gateway=wan3-pppoe routing-mark=static-wan3


/ip firewall mangle
add action=mark-connection chain=input comment="Mark new inbound connection wan1" connection-state=new disabled=no in-interface=wan1-pppoe new-connection-mark=wan1 \
passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan2" connection-state=new disabled=no in-interface=wan2-pppoe new-connection-mark=wan2 \
passthrough=yes
add action=mark-connection chain=input comment="Mark new inbound connection wan3" connection-state=new disabled=no in-interface=wan3-pppoe new-connection-mark=wan3 \
passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan1" connection-state=established disabled=no in-interface=wan1-pppoe \
new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan2" connection-state=established disabled=no in-interface=wan2-pppoe \
new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark established inbound connection wan3" connection-state=established disabled=no in-interface=wan3-pppoe \
new-connection-mark=wan3 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan1" connection-state=related disabled=no in-interface=wan1-pppoe \
new-connection-mark=wan1 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan2" connection-state=related disabled=no in-interface=wan2-pppoe \
new-connection-mark=wan2 passthrough=yes
add action=mark-connection chain=prerouting comment="Mark related inbound connection wan3" connection-state=related disabled=no in-interface=wan3-pppoe \
new-connection-mark=wan3 passthrough=yes
add action=mark-routing chain=output comment="Mark new inbound route wan1" connection-mark=wan1 disabled=no new-routing-mark=static-wan1 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan2" connection-mark=wan2 disabled=no new-routing-mark=static-wan2 passthrough=no
add action=mark-routing chain=output comment="Mark new inbound route wan3" connection-mark=wan3 disabled=no new-routing-mark=static-wan3 passthrough=no
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=new disabled=no \
dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark established traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=\
established disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=\
both-addresses:3/2
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 1" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan1_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/0
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 2" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan2_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/1
add action=mark-connection chain=prerouting comment="Mark related traffic that isn't local with PCC mark rand (3 possibilities) - option 3" connection-state=related \
disabled=no dst-address-type=!local in-interface=lan new-connection-mark=wan3_pcc_conn passthrough=yes per-connection-classifier=both-addresses:3/2
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 1" connection-mark=wan1_pcc_conn disabled=no new-routing-mark=wan1 passthrough=\
yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 2" connection-mark=wan2_pcc_conn disabled=no new-routing-mark=wan2 passthrough=\
yes
add action=mark-routing chain=prerouting comment="Mark routing for  PCC mark - option 3" connection-mark=wan3_pcc_conn disabled=no new-routing-mark=wan3 passthrough=\
yes
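To make the classifier's behaviour concrete, here is an added model (example code written for this page, not RouterOS code) of what per-connection-classifier=both-addresses:3/0, 3/1 and 3/2 do to a set of LAN connections. RouterOS does not document its hash function, so the model uses SHA-256 over the selected fields, which is an assumption; the three properties it demonstrates hold for any hash: a connection always lands in the same bucket, the three rules form a partition so exactly one of them marks each new connection, and switching the classifier to src-address keeps all of one client's connections on a single WAN (useful when a site ties a login session to the client's public address), whereas both-addresses spreads them over all WANs. The client and server addresses are constructed.

```python
"""Model of RouterOS per-connection-classifier (PCC) bucketing.

Added example, not RouterOS code. PCC hashes the chosen header fields and
a rule with denominator/remainder D/R matches when hash mod D == R.
RouterOS does not document its hash; SHA-256 is used here (assumption).
"""
import hashlib
from collections import Counter

# The page's three mangle rules: remainder 0 -> wan1, 1 -> wan2, 2 -> wan3.
WANS = ("wan1", "wan2", "wan3")


def pcc_bucket(classifier, src, dst, sport=0, dport=0, denominator=len(WANS)):
    """Remainder PCC would compute for one connection (0 .. denominator-1)."""
    fields = {
        "src-address": (src,),
        "dst-address": (dst,),
        "both-addresses": (src, dst),
        "src-address-and-port": (src, sport),
        "both-addresses-and-ports": (src, sport, dst, dport),
    }[classifier]
    digest = hashlib.sha256("|".join(map(str, fields)).encode()).digest()
    return int.from_bytes(digest, "big") % denominator


def select_wan(classifier, src, dst, sport=0, dport=0):
    """Walk the three rules like the mangle chain does; exactly one must fire."""
    bucket = pcc_bucket(classifier, src, dst, sport, dport)
    matches = [wan for remainder, wan in enumerate(WANS) if bucket == remainder]
    assert len(matches) == 1, "the D/0 .. D/(D-1) rules must form a partition"
    return matches[0]


def wans_per_client(classifier, clients, servers):
    """How many different WANs each client ends up using for its connections."""
    return {c: len({select_wan(classifier, c, s) for s in servers}) for c in clients}


def balance(classifier, clients, servers):
    """Total connections per WAN: shows the split is roughly even."""
    return Counter(select_wan(classifier, c, s) for c in clients for s in servers)


# Constructed sample: 50 LAN clients each talking to the same 40 servers.
CLIENTS = [f"192.168.0.{i}" for i in range(10, 60)]
SERVERS = [f"203.0.113.{i}" for i in range(1, 41)]

if __name__ == "__main__":
    print("both-addresses:", balance("both-addresses", CLIENTS, SERVERS))
    print("src-address:   ", balance("src-address", CLIENTS, SERVERS))
    spread = wans_per_client("both-addresses", CLIENTS, SERVERS)
    print("clients using all 3 WANs:", sum(1 for n in spread.values() if n == 3))
```

What keeps a connection on one WAN is the connection mark set on its first packet together with the matching routing mark, not the hash itself; the rules above that re-mark established and related connections with PCC are therefore redundant, though harmless, because a connection mark already sticks to the whole connection.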
 

Saturday, March 10, 2012

P7-- Securing your Mikrotik router

To protect your MikroTik RouterOS™ router, you should do the following things:

Change admin's password

Select the Password menu in the WinBox GUI, for example:


Or, type the following command in the CLI:
Code:
[admin@MikroTik] > / password 
old password: 
new password: ******
retype new password: ******

This changes the admin password to what you typed twice. Make sure you remember it! There is no password recovery: a forgotten password means reinstalling the router, which erases its configuration.

Add users to the system

Add each person who will log on to the router as a separate user and give that user a group of privileges. Add yourself as a user of group full (the same group as admin), for example:

Give other users only the group they need (read for monitoring, write for day-to-day changes) and keep full for administrators. Once your own full user works, consider disabling the default admin account rather than sharing it.

You may create new groups for users with specific tasks.

Set up packet filtering

All packets destined to the router itself are processed by the ip firewall filter input chain. Note that the input chain does not affect packets being forwarded through the router; those pass through the forward chain instead.

You can add the following rules to the input chain under /ip firewall filter (copy and paste into the router using the Terminal Console, or configure the same arguments in WinBox):

Code:
/ ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections" 
add chain=input protocol=udp action=accept comment="UDP" disabled=no 
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings" 
add chain=input protocol=icmp action=drop comment="Drop excess pings" 
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox" 
# Edit these rules to reflect your actual IP addresses! # 
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network" 
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

Use /ip firewall filter print stats where chain=input to see how many packets have matched each rule, and reset-counters-all to zero the counters. Examine the system log with /log print to see the packets that were dropped (they carry the DROP INPUT prefix).

You may need to include additional rules to allow access from certain hosts, etc. Remember that firewall rules are processed in the order they appear in the list: after a rule matches a packet, no later rule is consulted for it, so a rule placed below a broader accept never fires. After adding new rules, move them up with the move command.

A few of the example rules are broader than most routers need. The "UDP" rule accepts every UDP packet to the router from any source, so any UDP service running on it becomes reachable from the whole Internet; replace it with rules for the specific ports and sources you need. The SSH and winbox rules accept from any address; limit them with src-address or src-address-list to your management networks. The "From Mikrotikls network" rule opens the router to a network that is not yours; delete it unless you really want that.

Note that if you misconfigure the firewall and lock yourself out of the router, you can use MAC telnet from another router or workstation on the same LAN to connect to the router and correct the problem. Entering Safe Mode (Ctrl-X in the terminal) before editing firewall rules is cheaper: if the session is lost, the changes made in Safe Mode are rolled back.
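Both the forward/virus chain in the firewall post above and the input chain here depend on rule order, and the mistakes are easy to miss by eye. The following is an added example (not RouterOS code, and not from this page) of a small linter for rule lists written in the same 'add chain=...' form: it finds duplicate rules, rules shadowed by an earlier accept/drop/reject that already matches everything they match, and protocols that some accept rule lets through unconditionally. Only chain, protocol, dst-port, action and jump-target are interpreted; any other property (connection-state=..., src-address=...) is treated as an opaque extra constraint, so a narrow rule is never mistaken for a catch-all. The sample rules are taken from the two posts, plus one constructed SNMP drop rule that shows the shadowing case.

```python
"""Lint RouterOS '/ip firewall filter' rule lists for ordering mistakes.

Added example, not RouterOS code. Reports duplicate rules, rules shadowed
by an earlier terminating rule with a broader match, and protocols that
an accept rule passes unconditionally. Properties other than chain,
protocol, dst-port, action and jump-target are opaque extra constraints.
"""
import shlex

TERMINAL = {"accept", "drop", "reject"}          # actions that end processing
IGNORED = {"comment", "disabled", "log-prefix"}  # do not affect matching
SIMPLE = {"chain": "chain", "protocol": "protocol", "action": "action",
          "jump-target": "jump_target"}


def parse_ports(spec):
    """'135-139,445' -> [(135, 139), (445, 445)]"""
    ranges = []
    for part in spec.split(","):
        lo, _, hi = part.partition("-")
        ranges.append((int(lo), int(hi or lo)))
    return ranges


def parse_rule(line):
    """'add chain=forward protocol=tcp dst-port=80' -> dict (missing action = accept)."""
    tokens = shlex.split(line)
    if not tokens or tokens[0] != "add":
        return None
    rule = {"chain": None, "protocol": None, "ports": None,
            "action": "accept", "jump_target": None, "extra": set()}
    for tok in tokens[1:]:
        key, _, val = tok.partition("=")
        if key in SIMPLE:
            rule[SIMPLE[key]] = val
        elif key == "dst-port":
            rule["ports"] = parse_ports(val)
        elif key not in IGNORED:
            rule["extra"].add(tok)               # e.g. connection-state=established
    rule["extra"] = frozenset(rule["extra"])
    return rule


def covers(a, b):
    """True if every packet rule b matches is also matched by rule a."""
    if a["protocol"] not in (None, b["protocol"]) or not a["extra"] <= b["extra"]:
        return False
    if a["ports"] is None:
        return True
    if b["ports"] is None:
        return False
    return all(any(alo <= blo and bhi <= ahi for alo, ahi in a["ports"])
               for blo, bhi in b["ports"])


def lint(text):
    """{'duplicates': [(chain, earlier, later)], 'shadowed': [...],
    'open': {chain: protocols accepted unconditionally}}"""
    chains = {}
    for line in text.strip().splitlines():
        rule = parse_rule(line)
        if rule:
            chains.setdefault(rule["chain"], []).append(rule)
    report = {"duplicates": [], "shadowed": [], "open": {}}
    for chain, rules in chains.items():
        for i, later in enumerate(rules):
            for j in range(i):
                earlier = rules[j]
                if (covers(earlier, later) and covers(later, earlier)
                        and earlier["action"] == later["action"]):
                    report["duplicates"].append((chain, j, i))
                    break
                if earlier["action"] in TERMINAL and covers(earlier, later):
                    report["shadowed"].append((chain, j, i))
                    break
        report["open"][chain] = {
            p for p in ("tcp", "udp", "icmp") for r in rules
            if r["action"] == "accept" and r["ports"] is None
            and not r["extra"] and r["protocol"] in (None, p)}
    return report


SAMPLE_RULES = r'''
add chain=forward action=jump jump-target=virus comment="jump to the virus chain"
add chain=forward action=accept protocol=tcp dst-port=80 comment="Allow HTTP"
add chain=forward action=accept protocol=tcp dst-port=25 comment="Allow SMTP"
add chain=forward protocol=tcp comment="allow TCP"
add chain=forward protocol=icmp comment="allow ping"
add chain=forward protocol=udp comment="allow udp"
add chain=forward action=drop comment="drop everything else"
add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=445 action=drop comment="Drop Blaster Worm"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus"
add chain=virus protocol=tcp dst-port=2745 action=drop comment="Drop Beagle.C-K"
add chain=input connection-state=established comment="Accept established connections"
add chain=input protocol=udp action=accept comment="UDP"
add chain=input protocol=udp dst-port=161 action=drop comment="constructed: block SNMP"
add chain=input action=drop comment="Drop everything else"
'''

if __name__ == "__main__":
    for key, value in lint(SAMPLE_RULES).items():
        print(key, value)
```

On the sample it reports the repeated 2745 rule in the virus chain, the SNMP drop that can never fire because the "UDP" accept above it already matched, and that the forward chain accepts tcp, udp and icmp unconditionally, which is the point made about the "drop everything else" rule above. Feed it the output of /ip firewall filter export to check a real router.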

P6-- Weekly Auto Mikrotik backup and send to mail.

To e-mail a regular backup of all system settings, three steps are needed. First set the outgoing SMTP server in /tool e-mail; then create the script that generates the backup file and sends it; finally create a scheduler entry that runs that script regularly.

Mail SMTP configure:
Code:
/ tool e-mail 
set server=1.2.3.4 from="samename@somewhere.com" 

"Generate a Backup" Script

Code:
/ system script
add name="backup_mail" source="/system backup save name=email_backup \n/tool \
   e-mail send file=email_backup.backup to=\"someone@somewhere.tld\" body=\"See \
   attached file for System Backup\" subject=\(\[/system identity get name\] \
   . \" \" .  \[/system clock get time\] . \" \" . \[/system clock get date\] \
   . \"  Backup\"\)\n"

"Weekly Scheduler" Script
Code:
/ system scheduler
add name="sched_backup_mail" on-event="backup_mail" start-date=jan/01/1970 start-time=07:30:00 interval=7d \
comment="" disabled=no

Every week at 7:30 a.m. this generates a MikroTik backup and mails it. Keep in mind that the .backup file holds the complete configuration, including secrets (see the warning in the Configuration Management section below), and that this script hands it to the SMTP server without any protection of its own; use a mail server you control on a trusted path and protect the mailbox that receives it.

P5--Mikrotik IPIP tunnel.

Setup Diagram:



At first, we need to configure IPIP interfaces and then add IP addresses to them.

The configuration for router R1 is as follows:

Code:
[admin@MikroTik] interface ipip> add
local-address: 10.0.0.1
remote-address: 22.63.11.6
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  10.0.0.1        22.63.11.6

[admin@MikroTik] interface ipip> en 0
[admin@MikroTik] interface ipip> /ip address add address=1.1.1.1/24 interface=ipip1

The configuration of the R2 is shown below:
Code:
[admin@MikroTik] interface ipip> add local-address=22.63.11.6 remote-address=10.0.0.1
[admin@MikroTik] interface ipip> print
Flags: X - disabled, R - running
  #    NAME                               MTU   LOCAL-ADDRESS   REMOTE-ADDRESS
  0 X  ipip1                              1480  22.63.11.6      10.0.0.1

[admin@MikroTik] interface ipip> enable 0
[admin@MikroTik] interface ipip> /ip address add address=1.1.1.2/24 interface=ipip1

Now both routers can ping each other through the tunnel (IPIP only encapsulates; it adds no authentication or encryption, so use IPsec or another protected tunnel when the path between the routers is untrusted):
[admin@MikroTik] interface ipip> /ping 1.1.1.2
1.1.1.2 64 byte ping: ttl=64 time=24 ms
1.1.1.2 64 byte ping: ttl=64 time=19 ms
1.1.1.2 64 byte ping: ttl=64 time=20 ms
3 packets transmitted, 3 packets received, 0% packet loss
round-trip min/avg/max = 19/21.0/24 ms
[admin@MikroTik] interface ipip>
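What the two routers actually exchange, as an added example (written for this page, not RouterOS code): build the outer IPv4 header with protocol 4 around a constructed inner ICMP echo from 1.1.1.1 to 1.1.1.2, then decapsulate it the way R2 must, checking only what R2 can check: that the outer packet is IPv4 with protocol 4, that its header checksum is valid, and that its source equals the configured remote-address. The 20-byte outer header is why the interface shows MTU 1480 on a 1500-byte link. Nothing in the packet is authenticated or encrypted, and the source check is satisfied by a spoofed source address; that is the whole security model of plain IPIP.

```python
"""Build and decode an IPIP packet (IP protocol 4) like the R1 -> R2 tunnel.

Added example, not RouterOS code. The outer IPv4 header carries the tunnel
endpoints from the page (10.0.0.1 -> 22.63.11.6); its payload is the
complete inner IPv4 packet. The inner ICMP echo request is constructed.
"""
import socket
import struct

IPPROTO_ICMP = 1
IPPROTO_IPIP = 4
LINK_MTU = 1500
IPV4_HEADER_LEN = 20


def checksum(data):
    """RFC 1071 one's-complement sum used by the IPv4 and ICMP headers."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def ipv4_header(src, dst, proto, payload_len, ttl=64, ident=0):
    """Minimal 20-byte IPv4 header (no options, DF set) with a valid checksum."""
    hdr = struct.pack("!BBHHHBBH4s4s", 0x45, 0, IPV4_HEADER_LEN + payload_len,
                      ident, 0x4000, ttl, proto, 0,
                      socket.inet_aton(src), socket.inet_aton(dst))
    return hdr[:10] + struct.pack("!H", checksum(hdr)) + hdr[12:]


def inner_echo_request(payload=b"ping"):
    """Constructed ICMP echo request 1.1.1.1 -> 1.1.1.2 (the tunnel addresses)."""
    icmp = struct.pack("!BBHHH", 8, 0, 0, 1, 1) + payload
    icmp = icmp[:2] + struct.pack("!H", checksum(icmp)) + icmp[4:]
    return ipv4_header("1.1.1.1", "1.1.1.2", IPPROTO_ICMP, len(icmp)) + icmp


def ipip_encapsulate(outer_src, outer_dst, inner_packet):
    """What R1 sends: outer header with protocol 4, inner packet untouched."""
    return ipv4_header(outer_src, outer_dst, IPPROTO_IPIP, len(inner_packet)) + inner_packet


def ipip_decapsulate(packet, remote_address):
    """What R2 does. The only checks available are the outer header's own
    consistency and 'source == remote-address'; there is no key to verify."""
    ver_ihl, _, total_len, _, _, _, proto, _ = struct.unpack("!BBHHHBBH", packet[:12])
    ihl = (ver_ihl & 0x0F) * 4
    if ver_ihl >> 4 != 4 or proto != IPPROTO_IPIP:
        raise ValueError("not an IPIP packet")
    if checksum(packet[:ihl]) != 0:            # a valid header sums to zero
        raise ValueError("bad outer header checksum")
    outer_src = socket.inet_ntoa(packet[12:16])
    if outer_src != remote_address:            # spoofable, but all there is
        raise ValueError("outer source %s is not the tunnel peer" % outer_src)
    return outer_src, socket.inet_ntoa(packet[16:20]), packet[ihl:total_len]


def tunnel_mtu(link_mtu=LINK_MTU):
    """Largest inner packet that fits: the page's 1480 on a 1500-byte link."""
    return link_mtu - IPV4_HEADER_LEN


if __name__ == "__main__":
    inner = inner_echo_request()
    wire = ipip_encapsulate("10.0.0.1", "22.63.11.6", inner)
    print("on the wire:", wire.hex())
    print("R2 sees:", ipip_decapsulate(wire, "10.0.0.1")[:2], "tunnel MTU", tunnel_mtu())
```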

P4-- Setting DHCP Server via Winbox on Mikrotik PC Router

This article describes how to configure a DHCP server through WinBox on a MikroTik PC router. The steps are:

  1. Install MikroTik RouterOS on your PC router with two Ethernet cards: one for the Internet connection (ether1) and one for the local network (ether2).
  2. Connect the PC router to a Windows PC with a UTP cable (see the picture below).
  3. Set your IP addresses: menu IP -> Addresses -> Add.
  4. For example, IP for interface ether1: 114.30.82.85/27, and IP for interface ether2: 192.168.0.1/24 (see the picture below).
  5. Set the gateway for your Internet connection on interface ether1.
  6. IP -> Routes -> Add; for example, gateway 114.30.82.65.
  7. Set your DNS servers: IP -> DNS -> Settings tab.
  8. For example:
     primary-dns: 114.30.82.90
     secondary-dns: 114.30.80.34
  9. Set up the DHCP server.
  10. IP -> Pool -> Pools -> Add
      Name: dhcppool
      Addresses: 192.168.0.2-192.168.0.100

      IP -> DHCP Server -> DHCP -> Add
      Name: dhcpserver
      Interface: ether2
      Address pool: dhcppool

      IP -> DHCP Server -> Networks -> Add
      Address: 192.168.0.0/24
      Gateway: 192.168.0.1
      DNS Servers: 114.30.82.90, 114.30.80.34

      IP -> Firewall -> NAT -> Add
      General tab: Chain: srcnat, Out. Interface: ether1
      Action tab: Action: masquerade
  11. Done.
Open a New Terminal tab to test the Internet connection from the PC router with the DHCP server running.

P3--Manual: Configuration Management of MikrotiK

Summary

This manual introduces the commands used to perform the following functions:
  • system backup;
  • system restore from a backup;
  • configuration export;
  • configuration import;
  • system configuration reset
Description
The configuration backup can be used to back up the MikroTik RouterOS configuration to a binary file, which can be stored on the router or downloaded from it via FTP for future use. The configuration restore can be used to restore the router's configuration, exactly as it was when the backup was created, from a backup file. The restore procedure assumes the configuration is restored on the same router where the backup file was created; if the hardware has changed, the result is a partially broken configuration.
The configuration export can be used to dump the complete or partial MikroTik RouterOS configuration to the console screen or to a text (script) file, which can be downloaded from the router via FTP. The dump is a batch of commands that add the selected configuration to a router (without removing the existing configuration). The configuration import facility executes a batch of console commands from a script file.
The system reset command erases all configuration on the router. Before doing that, it is useful to back up the router's configuration.

System Backup

Submenu level: /system backup

Description

The backup save command is used to store the entire router configuration in a backup file. The file is shown in the /file submenu. It can be downloaded via ftp to keep it as a backup for your configuration.
Important! The backup file contains sensitive information, do not store your backup files inside the router's Files directory, instead, download them, and keep them in a secure location.
To restore the system configuration, for example after a /system reset-configuration, upload the file via FTP and load it with the load command in the /system backup submenu.

Command Description

  • load name=[filename] - load a configuration backup from a file
  • save name=[filename] - save a configuration backup to a file

Warning: If The Dude or User Manager is installed on the router, the backup does not include the configuration of those tools. Take additional care to save their configuration with the save/export mechanisms each tool provides.


Example

To save the router configuration to file test:
[admin@MikroTik] system backup> save name=test
Configuration backup saved
[admin@MikroTik] system backup>
To see the files stored on the router:
[admin@MikroTik] > file print
  # NAME                           TYPE         SIZE       CREATION-TIME
  0 test.backup                    backup       12567      sep/08/2004 21:07:50
[admin@MikroTik] >
To load the saved backup file test:
[admin@MikroTik] > system backup load name=test 
Restore and reboot? [y/N]: 
y
Restoring system configuration
System configuration restored, rebooting now

Exporting Configuration

Command name: /export
The export command prints a script that can be used to restore configuration. The command can be invoked at any menu level, and it acts for that menu level and all menu levels below it. The output can be saved into a file, available for download using FTP.

Command Description

  • file=[filename] - saves the export to a file

Example

[admin@MikroTik] > ip address print
Flags: X - disabled, I - invalid, D - dynamic
 #   ADDRESS            NETWORK         BROADCAST       INTERFACE
 0   10.1.0.172/24      10.1.0.0        10.1.0.255      bridge1
 1   10.5.1.1/24        10.5.1.0        10.5.1.255      ether1
[admin@MikroTik] >
To make an export file:
[admin@MikroTik] ip address> export file=address
[admin@MikroTik] ip address>
To see the files stored on the router:
[admin@MikroTik] > file print
 # NAME                            TYPE         SIZE       CREATION-TIME
0  address.rsc                     script       315        dec/23/2003 13:21:48
[admin@MikroTik] >

Compact Export

Compact export was added in v5.12. It exports only the part of the configuration that differs from the RouterOS defaults. For example, a compact OSPF export:
[admin@SXT-ST] /routing ospf> export compact 
# jan/02/1970 20:16:32 by RouterOS 5.12
# software id = JRB7-9UGC
#
/routing ospf instance
set [ find default=yes ] redistribute-connected=as-type-1
/routing ospf interface
add disabled=yes interface=wlan1 network-type=point-to-point
/routing ospf network
add area=backbone network=10.255.255.36/32
add area=backbone disabled=yes network=10.5.101.0/24
add area=backbone network=10.10.10.0/24
[admin@SXT-ST] /routing ospf> 
Compact export also introduces a flag showing which parts of the configuration are RouterOS defaults and cannot be deleted; in the example below, '*' marks the OSPF instance as part of the default configuration.
[admin@SXT-ST] /routing ospf instance> print 
Flags: X - disabled, * - default 
 0  * name="default" router-id=0.0.0.0 distribute-default=never 
      redistribute-connected=as-type-1 redistribute-static=no 
      redistribute-rip=no redistribute-bgp=no redistribute-other-ospf=no 
      metric-default=1 metric-connected=20 metric-static=20 metric-rip=20 
      metric-bgp=auto metric-other-ospf=auto in-filter=ospf-in 
      out-filter=ospf-out 

Importing Configuration

Command name: /import
The root-level command /import [file_name] executes the script stored in the specified file, adding the configuration in that file to the existing setup. The file may contain any console commands, including scripts. It is used to restore the configuration, or part of it, after a /system reset-configuration or anything else that causes configuration loss.
Note that it is impossible to import the whole router configuration in one step using this feature; it is meant to import part of the configuration (for example, firewall rules) to spare you some typing.

Command Description

  • file=[filename] - loads the exported configuration from a file to router

Automatic Import

Since RouterOS v3rc, scripts can be executed automatically: a script file named anything.auto.rsc is executed as soon as it is uploaded to the router via FTP, exactly as with the import command. This means that anyone with FTP write access to the router can run arbitrary console commands on it, so restrict FTP access (the input chain example above does not open TCP port 21 from outside) and grant write access only to trusted administrators.

Example

To load the saved export file use the following command:
[admin@MikroTik] > import address.rsc
Opening script file address.rsc

Script file loaded and executed successfully
[admin@MikroTik] >

Configuration Reset

Command name: /system reset-configuration

Description

The command clears all configuration of the router and sets it to the defaults: the login name and password become 'admin' with no password, IP addresses and the rest of the configuration are erased, and interfaces become disabled. After the reset the router reboots.

Command Description

  • keep-users: keeps router users and passwords
  • no-defaults: does not load any default configuration, just clears everything
  • skip-backup: when set to yes, no automatic backup is created before the reset
  • run-after-reset: name of an export file to run after the reset

Warning: If the router was installed using Netinstall with a script specified as the initial configuration, the reset command executes this script after purging the configuration. To stop it from doing so, you have to reinstall the router.


Example

[admin@MikroTik] > system reset-configuration
Dangerous! Reset anyway? [y/N]: n
action cancelled
[admin@MikroTik] >