Sunday, November 13, 2011

Mikrotik: Blocking Unleased DHCP IP Address

This time the case is how to block users who are not DHCP clients, using Mikrotik Winbox. In other words, users who set a static IP address instead of using DHCP cannot use our connection. Only those who get an IP address from the Mikrotik DHCP server can use the internet connection.

I assume that the DHCP server on your Mikrotik router is already running well.
We only need to change some of the existing settings.
  1. Sign in to your Mikrotik via Winbox.
  2. Go to the IP menu > DHCP Server, double-click the DHCP server, and check "Add ARP For Lease".
  3. Go to the "Interfaces" menu, double-click your local interface (the interface where the DHCP server is applied), and change the "ARP" option to "reply-only".
DONE! Now try to use a static IP on a computer on your local network: connections to the router will not work unless you enable the "Obtain an IP address automatically" option (DHCP) on the computer's Ethernet interface.
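The same change from the terminal, with the one exception most networks need, added here as an example that is not part of the original post. The server name dhcp1, the interface ether2 and the address/MAC pair are assumptions and constructed values; substitute your own.

```routeros
# Added example. dhcp1 and ether2 are assumed names; the IP/MAC pair is constructed.

# Step 2: the DHCP server writes an ARP entry for every lease it hands out.
/ip dhcp-server set [find name=dhcp1] add-arp=yes

# Step 3: the LAN interface stops learning ARP entries on its own and only
# answers hosts that already have an entry (from a lease or added by hand).
/interface ethernet set [find name=ether2] arp=reply-only

# A host that must keep a fixed address (printer, server) needs its own entry,
# otherwise it is cut off together with the unleased clients.
/ip arp add interface=ether2 address=192.168.88.10 mac-address=00:11:22:33:44:55 comment="constructed example: static host"

# Check: every address the router will talk to on the LAN should be listed here,
# and each lease should have a matching ARP entry.
/ip arp print where interface=ether2
/ip dhcp-server lease print

# Note: the entry binds an IP to a MAC address. MAC addresses are not
# authenticated, so treat this as address hygiene, not as user access control.
```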

Saturday, November 5, 2011

Quick Way to Setup Mikrotik with Proxy Enabled Using Terminal (Command Line)

5 steps to configure the Mikrotik:


  1. IP Address
  2. Gateway
  3. DNS
  4. NAT
  5. Proxy + transparent rules

Step 1
[admin@MikroTik] > ip address add interface=ether1 address="your public ip" \
disabled=no
[admin@MikroTik] > ip address add interface=ether2 address="your lan ip" \
disabled=no

Step 2
[admin@MikroTik] > ip route add gateway="your gateway ip" disabled=no

Step 3
[admin@MikroTik] > ip dns set primary-dns="your isp primary dns" \
secondary-dns="your isp secondary dns" \
allow-remote-requests=yes

Step 4
[admin@MikroTik] > ip firewall nat add chain=srcnat out-interface=ether1 \
action=masquerade disabled=no

Step 5
[admin@MikroTik] > ip web-proxy set port=8080 hostname=host.yourdomain.com \
transparent-proxy=yes \
cache-administrator=support@yourdomain.com enabled=yes
[admin@MikroTik] > ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
action=redirect to-ports=8080 disabled=no \
comment="transparent proxy"
[admin@MikroTik] > ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 \
action=redirect to-ports=8080 disabled=no
[admin@MikroTik] > ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 \
action=redirect to-ports=8080 disabled=no
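The commands above leave the DNS cache (allow-remote-requests=yes) and the proxy on port 8080 reachable from the public interface, and the redirect rules match traffic arriving on any interface. A restricted variant follows, added here as an example that is not part of the original post; it assumes ether1 is the public interface and ether2 the LAN, as in Step 1.

```routeros
# Added example. Assumes ether1 = public interface, ether2 = LAN (as in Step 1).

# Redirect only LAN traffic into the proxy (use instead of the three dstnat rules in Step 5).
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 action=redirect to-ports=8080 comment="transparent proxy, LAN only"
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=8080 action=redirect to-ports=8080

# Drop DNS queries arriving on the public interface, so the cache is not an open resolver.
# Replies to the router's own queries are not affected: they arrive from port 53, not to it.
/ip firewall filter add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN"
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN"

# Drop proxy connections arriving on the public interface, so the router is not an open proxy.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 action=drop comment="no proxy from WAN"

# Check: the packet counters on the drop rules show whether outside hosts are reaching for these ports.
/ip firewall filter print stats
```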

Setting up Your Own Hotspot with Mikrotik Router

You need to set up your Mikrotik router by using Winbox. Winbox is the graphical user interface that makes it easier to configure the Mikrotik Router OS. You can get Winbox via The Dude. Once installed, click on Discover. Once the devices are discovered and displayed, you can right-click on the Router OS, select Tools, then select Winbox.


  1. First we need to define the first port for WAN connection so the router will connect to the internet via another router with DHCP.
    In winbox click IP > DHCP Client and Add DHCP Client to port ether1



  2. Let's add the hotspot service to wlan. Click IP > HotSpot and the Setup box, and choose wlan1 as the hotspot interface. You can accept the default values, but choose none for certificate. Leave the IP as it is (10.5.50.x). If you change this IP, the LOGIN and LOGOUT links will not work on your splash page.

  3. You need to add our radius server as authentication and accounting server.

    In the hotspot profiles (IP > HotSpot > Profiles) choose your hotspot profile and allow radius in the radius tab, de-select cookie, allow http pap and chap.



  4. You need to define our radius server. Click Radius and the + sign to add our radius server.
    Click Services > Hotspot, enter radius address: 195.228.254.149, Secret: hotsys123 (please change this to your own radius IP)

  5. We have to allow certain sites and servers for non authenticated users otherwise they can't buy access.

    In the section IP > HotSpot > Walled Garden, click on + sign and add the following domains to Dst. Host one by one:

    *.hotspotsystem.com
    *.rbsworldpay.com
    *.paypal.com
    *.paypalobjects.com
    *.akamaiedge.net
    * paypal.112.2O7.net
    *.moneybookers.com
    *.adyen.com

    Then in the section IP > HotSpot > Walled Garden > IP List add the following IPs to Dst. Address one by one (if your Mikrotik doesn't allow netmask values (.0/24) you can skip the netmask value):


  6. You need to synchronize the router's time with our server.

    Click on System > NTP Client. Enter primary and secondary NTP servers. To find NTP servers, go to http://www.pool.ntp.org/ and select the location's continent on the right side of the page. You'll find NTP servers there.

    Be sure to leave TimeZoneName: manual, and TimeZone: 00:00 in System > Clock. (Don't set your own timezone, because the router has to show the GMT time!)

  7. You need to change the router's NASID. The NASID setting in the Mikrotik is located under System > Identity. Default is 'MikroTik'.

    Change this the following way: OPERATORUSERNAME_LOCATIONNUMBER

    Example: Operator Username is 'globalhotspot', Location ID: '2', then NASID should be: 'globalhotspot_2'

  8. You have to customize Mikrotik's built-in login page. On the side menu go to Files, and find the login.html file under the 'hotspot' directory. Double click on the file and choose Backup.

    Open a simple text editor like notepad and copy and paste the following to the editor:
    Save it as login.html to your Desktop.

    Drag and drop this login.html to your "hotspot" directory in the Winbox program.

    If you wish to use FTP you can FTP to your mikrotik router with the admin userid and password and replace the file there under the 'hotspot' directory.

    If you don't wish to redirect users to our nice splash page you can continue to use the router's built-in login page, but in this case it is important to add a link to the internal page where your users can buy access or activate their prepaid cards.
  9. You have to set the Login/Logout URL IP addresses in the Control Center. Log in to the Control Center with your Operator Username and password and go to Manage > Locations. Click on the location, then click on Modify Hotspot Data & Settings. In Splash Page Settings modify the Internal Login/Logout URL Set to Mikrotik. Make sure that 'Display Login Box on Main Splash Page' option is CHECKED.
  10. As the last step you have to add hourly checking for up status for the Router Alert feature.
    Go to System > Scheduler and add a new task by pressing the plus sign.

    Name: up
    Interval: 01:00:00
    On Event:

    /tool fetch keep-result=no mode=http address=tech.hotspotsystem.com src-path=("up.php?mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identity get name]."&os_date=Mikrotik&uptime=".[/system clock get time]."%20up%20".[/system resource get uptime].",%20load%20average:%20".[/system resource get cpu-load]."%")

    Policy: enable all
    Press Apply and OK.

That's all. You can set up the hotspot service even on a wired connection. In this case you have to choose an ethernet port instead of wlan, or you can set up the hotspot on both ports.

If you have successfully set up your Mikrotik router, you should see a login window when connecting via wireless. You can log in with username admin, blank password.

Mikrotik : How to Block Facebook - Youtube and Other sites using L7 (Layer7)

Below I will show you how to block the Facebook and YouTube sites using Mikrotik L7 (Layer 7) protocols. Here I use RouterBoardOS RB1100.

STEP 1:
You have to create a new Regexp rule at Layer7 Protocols by Press , and name it "DENIED" (without quotes); see details below:

You can copy and paste the code below:
^.+(facebook.com|youtube).*$

STEP 2:
Now create a filter rule as follows:
On the General tab, for Chain, choose: forward

On the Advanced tab, select 'DENIED' (the rule that you created in step 1) for Layer7 Protocol.

Choose the action 'drop'.
Your filter rule to block Facebook and YouTube should now be in effect on your network.
Try to access Facebook and YouTube, and you will see that the two sites cannot be reached.

This can be seen from the filter rule you created: its counters show the bytes caught for the denied sites in your network.
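The two Winbox steps as terminal commands, with the counter check and the limits of this kind of rule noted in the comments. This is an added example, not part of the original post; the rule comment text is an assumption.

```routeros
# Added example: STEP 1 and STEP 2 from the terminal.

# STEP 1: the Layer7 pattern from the post.
# In a quoted console string "$" starts a variable, so the final "$" is written "\$".
/ip firewall layer7-protocol add name=DENIED regexp="^.+(facebook.com|youtube).*\$"

# STEP 2: drop forwarded connections whose payload matches the pattern.
/ip firewall filter add chain=forward layer7-protocol=DENIED action=drop comment="DENIED sites"

# Check: the packet and byte counters of the rule rise when a denied site is requested.
/ip firewall filter print stats where layer7-protocol=DENIED

# Limits worth knowing before relying on this rule:
# - The Layer7 matcher searches only the first 10 packets or the first 2 KB of a
#   connection, and only data that is readable in the clear can match.
# - The pattern is a substring match: any connection whose first data contains
#   "youtube", or "facebook" followed by any character and "com", is dropped,
#   including requests to other sites that merely mention those words.
# - Inspecting every forwarded connection costs CPU; watch load after enabling.
/system resource print
```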



Thursday, November 3, 2011

Mikrotik Router - Step By Step Basic Configurations

This article explains how to configure Mikrotik device Router straight out of the box. It goes through the Winbox configuration utility and some of the basic setup procedures to turn your MikroTik device into a home or office wireless and wired router.

In this tutorial we'll go through a step-by-step guide to make it as simple as possible to learn and implement these settings on your own routers.

The 4 steps below are what we are going to learn and set up to begin with:
  1. Downloading and running winbox
  2. Setting an identity on the router
  3. Setting an IP address on the router
  4. Setting a password
STEP 1
Downloading and running winbox
Winbox is the graphical configuration utility designed for MikroTik RouterOS. It is a small application that can be downloaded from the MikroTik website at http://www.mikrotik.com. Once you download Winbox it can be run straight away, as no installation is required. When running, however, it does set up a number of folders in your application data folder in order to save login data and plugins. This is transparent to the user, but it is worthwhile to be aware of it in order to diagnose problems and to understand the security implications of saving sensitive login information in the utility.

STEP 2
Setting an identity on the router
  1. Download the latest Winbox Configuration Tool under the Tools and Utilities section at http://www.mikrotik.com/download.html and place it on your desktop.
  2. Double click on the Winbox icon on your desktop.
  3. Click on the System menu item, then on the Identity sub menu, as in the image below.
  4. The Identity dialog will open as in the image below. Remove the default "Mikrotik" value and replace it with something meaningful. Usually the location of the router combined with its purpose acts as a suitable Identity for your router.

STEP 3
Setting an IP address on the router
To configure your router's IP address:
Click IP >> Addresses on the left menu in Winbox, as seen in the image below.
This will open the Address List dialog window as seen below. Click on the red plus button to open the add IP address window.
When the New IP address dialog opens, enter the address details, select an interface to set the address on, and press the Apply and OK buttons.


For information on what IP settings to use please see a basic tutorial in IP Networking. But just to explain one or two points about this dialog...

It is best to delete an address entirely instead of editing it, as I found that it is a cleaner way of changing an address, because modifying the network or broadcast options can sometimes not apply 100% properly.

You have the option of entering the network and broadcast address explicitly in the boxes provided, or if you prefer you can use the short slash notation and press the Apply button; this will populate the broadcast and network boxes with the correct settings.

STEP 4
Setting a password for Mikrotik


This tutorial demonstrates how to set the password of the current Mikrotik Winbox user.
Click on the menu item as shown below

System >> Password

This will open the password dialog box as shown below.

Enter the old or current password followed by the new password that you wish to use.

If this is your first time logging into the router, or the router is on factory settings, the Old password box should just be left blank, as the default username is admin with no password.

Note:
This is how you set the password of the current Winbox user. To change other users you must go to system >> users menu item open that dialog and set the password for that particular user. You must have adequate user privileges to perform this action.
