
Aug 2, 2013

How to Secure your MikroTik Router / Firewall



The first step in securing your network is to secure every appliance (managed switch, router, firewall, VPN concentrator) that is directly attached to it. There are many approaches to securing devices, some better than others. The basic concepts of securing your MikroTik router, or any router for that matter, can be summarised as follows:
  1. Stop all unnecessary services on the MikroTik router.
  2. Create firewall rules that deny all unwanted inbound traffic and only allow the inbound traffic you actually need.
  3. If services on the router must be remotely accessible, limit the addresses that can connect to them.
  4. If there are services on the router that cannot practically be limited to a small number of addresses, protect them by firewalling them strictly, so that they can only be used within their normal working parameters (the RFCs they implement, the connection rates seen in normal operation).
 Each of the above approaches and their implementations will be outlined in detail in this article:

Stop all Unnecessary Services on the MikroTik Router.
This reduces the attack surface of your router: the fewer services there are to attack, the less likely it is that your router can be compromised or overloaded. On RouterOS the listening management services live under IP -> Services (/ip service); anything you do not use (telnet, ftp, www, api) should be disabled, and the ones you keep should be bound to the management address range.

 Deny all unwanted inbound Traffic
By restricting inbound traffic to the router itself, one prevents services from being exposed accidentally. Denying every type of traffic except the services you know about and want also means that any service you may not be aware of (an API enabled by default, a discovery protocol, a bandwidth-test server) cannot be reached remotely on the MikroTik router.

Remotely Accessible Router Services should be limited to a few addresses
This is a simple and very effective way of controlling who can attempt to access the MikroTik router. Work out from which addresses or networks the router will be administered, then create firewall rules that only allow access to the router services from those management networks. A source address restriction is not authentication, but it takes the router's management plane out of reach of everyone else.


 Publicly Accessible Router Services should be filtered to operate strictly to RFC standards
If a service must be open to the world, create firewall rules that limit access to it within strict parameters. Monitor the behaviour of the service in normal operation, then create firewall rules that prevent the service being used outside its normal working parameters (expected protocol and port, rate of new connections, the standard it implements).

A typical example of this type of firewalling: someone wants to be able to SSH into the router from anywhere. However, if you leave TCP port 22 (SSH) open to the world you will find that there are a lot of people out there who are only too happy to run a brute-force dictionary attack against it. Fortunately SSH servers normally disconnect a client after a number of failed attempts, so a brute-forcer has to keep opening new TCP connections. We use that fact, counting new connections rather than failed logins (the firewall cannot see whether a login succeeded), to build a set of escalating address lists:
  1. Deny anyone who is on the ssh_blacklist a new session on any protocol.
  2. If a new session on port 22 comes from an address on the "ssh_dark grey list", add the address to the "ssh_blacklist" with a timeout of 1 hour.
  3. If a new session on port 22 comes from an address on the "ssh_grey list", add the address to the "ssh_dark grey list" with a timeout of 1 minute.
  4. If a new session on port 22 comes from an address on the "ssh_light grey list", add the address to the "ssh_grey list" with a timeout of 1 minute.
  5. Add the source of any new session on port 22 to the "ssh_light grey list" with a timeout of 1 minute.
Net effect: four new SSH connections from one address within about a minute earn it a one-hour block. Because new connections are counted, not failures, an administrator who opens four sessions in quick succession gets blocked too, so put an accept rule for your management addresses ahead of these rules. Note also that add-src-to-address-list does not stop rule processing, so the list rules need an accept for port 22 after them and a final drop for everything else.

/ip firewall filter

add chain=input src-address-list=sshblacklist action=drop \
comment="drop all traffic from brute force attack sources" disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshdarkgreylist action=add-src-to-address-list \
address-list=sshblacklist address-list-timeout=1h \
comment="4th new ssh connection: sshdarkgreylist to sshblacklist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshgreylist action=add-src-to-address-list \
address-list=sshdarkgreylist address-list-timeout=1m \
comment="3rd new ssh connection: sshgreylist to sshdarkgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
src-address-list=sshlightgreylist action=add-src-to-address-list \
address-list=sshgreylist address-list-timeout=1m \
comment="2nd new ssh connection: sshlightgreylist to sshgreylist" \
disabled=no

add chain=input protocol=tcp dst-port=22 connection-state=new \
action=add-src-to-address-list \
address-list=sshlightgreylist address-list-timeout=1m \
comment="1st new ssh connection: add source to sshlightgreylist" \
disabled=no
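Pulling the four principles and the grey-list rules together, the following is an added example (not the original post's configuration) of a complete input chain for RouterOS. It assumes administrators come from 192.0.2.0/24 (a documentation prefix, substitute your own), that SSH should stay reachable from anywhere under the grey-list protection, and that WinBox is wanted only from the management network:

```routeros
# Added example, not part of the original post: one /ip firewall input chain
# that applies all four principles together with the grey-list rules.
# Assumptions: administrators connect from 192.0.2.0/24 (documentation prefix,
# replace with your own), SSH stays reachable from anywhere and is protected
# by the grey lists, every other management service is management-only.

# 1. Stop services that are not needed; bind the remaining ones to the
#    management network. telnet and ftp are never needed when SSH is on.
/ip service
disable telnet,ftp,www,api,api-ssl
set winbox address=192.0.2.0/24
/tool bandwidth-server set enabled=no

/ip firewall address-list
add list=management address=192.0.2.0/24 comment="admin hosts"

/ip firewall filter
# 3. Management hosts are accepted first, so an admin who opens several SSH
#    sessions within a minute is never grey-listed or black-listed.
add chain=input src-address-list=management action=accept \
    comment="management hosts bypass the rate limiting"
# 4a. Black-listed sources are dropped, existing sessions included, because
#     this rule sits before the established/related accept.
add chain=input src-address-list=sshblacklist action=drop \
    comment="drop all traffic from brute force sources"
add chain=input connection-state=established,related action=accept \
    comment="keep flows that were already allowed"
add chain=input connection-state=invalid action=drop
# 4b. Public SSH: each new TCP connection promotes the source one list up;
#     the fourth new connection within the timeouts earns a one hour block.
#     add-src-to-address-list does not terminate rule processing, so the
#     packet carries on to the accept rule below until it is black-listed.
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshdarkgreylist action=add-src-to-address-list \
    address-list=sshblacklist address-list-timeout=1h
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshgreylist action=add-src-to-address-list \
    address-list=sshdarkgreylist address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    src-address-list=sshlightgreylist action=add-src-to-address-list \
    address-list=sshgreylist address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new \
    action=add-src-to-address-list address-list=sshlightgreylist \
    address-list-timeout=1m
add chain=input protocol=tcp dst-port=22 connection-state=new action=accept \
    comment="SSH from anywhere, subject to the grey lists"
add chain=input protocol=icmp action=accept \
    comment="ping and path MTU discovery"
# 2. Deny everything else addressed to the router itself.
add chain=input action=drop comment="default deny for the router itself"
```

Rule order is what makes this work: the management accept comes before the black-list drop, the black-list drop before the established/related accept (so an attacker's already-open session dies the moment it is listed), and the explicit port 22 accept after the list rules because add-src-to-address-list is non-terminating. While testing from a non-management address, watch the escalation with /ip firewall address-list print.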



 References
The SSH brute force mitigation rules are based on a script at the following location:

Setting up a MikroTik Router as a HotSpot

This document outlines how to configure a MikroTik RouterBoard to be used as a HIB with SIMPLer.

General information on the RouterBoard may be found in the MikroTik Wiki: http://wiki.mikrotik.com/wiki/Category:Manual

Basic Setup

Once an IP address is assigned, use Winbox (download it from the router's first-time setup page) to do the remainder of the setup.
  • Set up the hotspot as follows (this is based on http://www.hotspotsystem.com/en/hotspot/install_guide_mikrotik.html):
    • Verify that the RouterBoard DNS settings are correct: click IP -> DNS and then Settings; if the default values are not correct, update them to reflect the current network.
    • Add the hotspot service to ether2 (or any other ether port; just replace references to ether2 below with whatever port you are using) by going to IP -> Hotspot and clicking Hotspot Setup.
    • Select ether2 from the drop-down and click Next.
    • Pick a suitable IP range to use (192.168.182.1/24 is the default used on HIBs, so use that).
    • Click Next for the "Address Pool of Network".
    • Click Next for the "Certificate", leaving it at "none".
    • Ignore the SMTP server setting, accept the default for the DNS server setting, and leave the DNS name blank.
    • On the next dialog, create a password for the "admin" user. This lets you log in to the hotspot with that username/password without going through the RADIUS server, which is useful for verifying basic operation before going any further. Pick a strong password: this account is usable from any client on the hotspot interface.
  • At this point the basic hotspot should be up and running. Connect a laptop to the ether2 port and verify that it gets an IP address in the range 192.168.182.2 - 192.168.182.254. Try to access the internet with a web browser; you should get the default MikroTik splash page. Enter the admin username/password you created above to get access to the internet. (If the status/logout dialog does not pop up, you can log out using http://192.168.182.1/logout.)

Adding RADIUS support to authenticate against SIMPLer

  • Again using Winbox, configure RADIUS support as follows:
    • In the hotspot profiles (IP -> HotSpot -> Server Profiles), double-click the hotspot profile you created (probably hsprof1).
    • In the Login tab, deselect Cookie and select CHAP and PAP.
    • In the RADIUS tab, select "Use RADIUS" and click OK.
    • In the left column, click Radius, then the red + to add a new RADIUS server. In the dialog, tick hotspot, and enter the IP address of the RADIUS server and the secret (the default, which you can get from the hotspot setup in SIMPLer, is az0s3cr3t). Treat that default as a placeholder: the shared secret is what authenticates the router to the RADIUS server and the server's replies to the router, so set a unique one on both sides before the hotspot goes live.



  • If you want to allow access to certain sites without authentication (e.g. payment gateways), add them under IP -> HotSpot -> Walled Garden. For a basic setup this should not be necessary.
  • Set the clock on the RouterBoard by going to System -> NTP Client, ticking "Enabled", setting the Mode to unicast and the server to "pool.ntp.org".
  • Set the system identity to the hotspot name: go to System -> Identity and enter the full hotspot name (for example demowisp_demowisp_hs5 is the one I am using).
  • At this point you should be able to log in using a token from the selected hotspot. You can verify which users are logged in under IP -> Hotspot -> Active in Winbox.

Updating the login splash page


The login (and logout) splash pages can be updated as wished. However in order to allow customers to purchase a token using the operator's payment gateway, a link to the SIMPLer captive portal purchase form must be added. The format of the link is as follows:

https://xyz.azotel.com/hotspot/register.pl?hs_name=hotspot_name

Where xyz and hotspot_name are replaced with the relevant equivalents for the operator.

To get the html code for the current login page, click on Files in winbox, and go to hotspot/login.html:


You can just drag'n'drop this file to your desktop, update it, and then drag it back into the Files dialog. Or, if you wish, copy the file to your PC using scp (the ftp service also works, but it sends the admin password in the clear, so prefer scp over SSH and disable ftp when you are done). The scp command to copy it is as follows:

    scp admin@<ip of mikrotik>:/hotspot/login.html login.html

To copy it back, use
   
    scp login.html admin@<ip of mikrotik>:/hotspot/login.html

You can also drag'n'drop graphics to the hotspot/img directory to be used on the login page.

Jun 7, 2013

How to Setup Your Own Hotspot with MIKROTIK routers

Before starting, reset your router. If you see a message about "Default configuration", press Remove Configuration.
You need to set up your MikroTik router using Winbox. Winbox is the graphical user interface for configuring MikroTik RouterOS. You can get Winbox from MikroTik's website.
1. First we need to define the first port as the WAN connection, so the router gets its internet access from another router via DHCP.
In Winbox click IP > DHCP Client and add a DHCP client on port ether1.


 2. Let's add the hotspot service to the wireless interface. Click IP > HotSpot, then Hotspot Setup, and choose wlan1 as the hotspot interface. You can accept the default values, but choose none for the certificate. Leave the IP as it is (10.5.50.x). If you change this IP, the LOGIN and LOGOUT links will not work on your splash page.


3. The router should be placed in ap-bridge mode.
Click Interfaces, double-click wlan1, click Mode: and select ap bridge.
Make sure the Band is set to 2GHz-B/G.

4. You need to add our RADIUS server as authentication and accounting server.
In the hotspot profiles (IP > HotSpot > Server Profiles) choose your hotspot profile and, on the RADIUS tab, tick Use RADIUS. Then click the Login tab, deselect Cookie, and allow HTTP PAP and HTTP CHAP.



5. You need to define our RADIUS server. Click Radius and the + sign to add it.
Under Service tick Hotspot, enter Address: radius.hotspotsystem.com, Secret: hotsys123, and click OK.


6. You need to add the secondary RADIUS server the same way. Click Radius and the + sign.
Under Service tick Hotspot, enter Address: radius2.hotspotsystem.com, Secret: hotsys123, and click OK.


7. We have to allow certain sites and servers for non-authenticated users, otherwise they can't buy access.
In the section IP > HotSpot > Walled Garden, click on the + sign and add the following domains to Dst. Host one by one:
*.hotspotsystem.com
*.worldpay.com
*.paypal.com
*.paypalobjects.com
*.paypal-metrics.com
*.altfarm.mediaplex.com
*.akamaiedge.net
paypal.112.2O7.net
*.moneybookers.com
*.adyen.com
*.directebanking.com
*.paysafecard.com
betalen.rabobank.nl
ideal.ing.nl
internetbankieren.frieslandbank.nl
ideal.abnamro.nl
ideal.snsreaal.nl
ideal.triodos-onlinebanking.nl

For Hotspot FREE SOCIAL locations you must add 'www.apple.com' too.
Then, in the section IP > HotSpot > Walled Garden > IP List, add the following IPs to Dst. Address one by one (if your MikroTik doesn't accept netmask values such as .0/24, you can skip the netmask value):
194.149.46.0/24
198.241.128.0/17
66.211.128.0/17
216.113.128.0/17
70.42.128.0/17
128.242.125.0/24
216.52.17.0/24
62.249.232.74
155.136.68.77
66.4.128.0/17
66.211.128.0/17
66.235.128.0/17
88.221.136.146
195.228.254.149
195.228.254.152
203.211.140.157
203.211.150.204
82.199.90.136/29
82.199.90.160/27
91.212.42.0/24


8. You need to synchronize the router's time with our server.
Click on System > NTP Client. Enter primary and secondary NTP servers. To find NTP servers, go to http://www.pool.ntp.org/ and select your continent on the right side of the page; you'll find NTP servers there.
Be sure to leave Time Zone Name: manual and Time Zone: 00:00 in System > Clock. (Don't set your own timezone, because the router has to report GMT time!)

9. You need to change the router's NAS ID. The NAS ID setting in MikroTik is located under System > Identity. The default is 'MikroTik'.
Change it to the following format: OPERATORUSERNAME_LOCATIONNUMBER
Example: if the Operator Username is 'globalhotspot' and the Location ID is '2', then the NAS ID should be 'globalhotspot_2'.
NOTE: If you are installing multiple routers in the same location, use different NAS IDs. For the second router add '_wds_1' to the NAS ID, for the third '_wds_2', etc. So, for example, if you install a second router in location 3, its NAS ID should be 'globalhotspot_3_wds_1'.

10. You have to customize MikroTik's built-in login page. In the side menu go to Files and find the login.html file under the 'hotspot' directory. Double-click the file and choose Backup.
Open a simple text editor like Notepad and copy and paste the following into it:

<html><head>
<title>HotSpot System Login</title>
</head>
<body>
<form name="redirect" action="https://customer.hotspotsystem.com/customer/hotspotlogin.php" method="GET">

<input type="hidden" name="res" value="notyet" />
<input type="hidden" name="mac" value="$(mac)" />
<input type="hidden" name="user" value="$(username)" />
<input type="hidden" name="uamport" value="mikrotik" />
<input type="hidden" name="userurl" value="$(link-orig)" />
<input type="hidden" name="nasid" value="$(identity)" />
<input type="hidden" name="uamip" value="$(server-address)" />
<input type="hidden" name="error" value="$(error)" />
<input type="hidden" name="chap-id" value="$(chap-id)" />
<input type="hidden" name="chap-challenge" value="$(chap-challenge)" />

</form>

<script language="JavaScript">

<!--

 document.redirect.submit();

 //-->

</script>
</body>
</html>
Save it as login.html on your Desktop.
Drag and drop this login.html into your "hotspot" directory in Winbox.
If you prefer FTP, you can connect to your MikroTik router with the admin user ID and password and replace the file under the 'hotspot' directory (note that FTP sends that password in the clear; scp over SSH is the safer way to copy files to the router).
If you don't wish to redirect users to our splash page, you can continue to use the router's built-in login page, but in that case it is important to add a link to the internal page where your users can buy access or activate their prepaid cards. Click here for more information.

10/b. If you are using the Hotspot FREE SOCIAL service, you also need to edit the logout.html template. Use the same content as for login.html (the code above).

11. You have to set the Login/Logout URL IP addresses in the Control Center. Log in to the Control Center with your Operator Username and password and go to Manage > Locations. Click on the location, then click on Modify Hotspot Data & Settings. In Splash Page Settings modify the Internal Login/Logout URL Set to Mikrotik. Make sure that 'Display Login Box on Main Splash Page' option is CHECKED.

12. Extend the shared-users limit in your hotspot profile.
Sub-menu: /ip hotspot user profile
or go to IP > Hotspot > User Profiles > default > Shared-Users
Change shared-users to 5.

13. As the last step you have to add an hourly up-status check for the Router Alert feature.
Go to System > Scheduler and add a new task by pressing the plus sign.
Name: up
Interval: 01:00:00
On Event:

/tool fetch keep-result=no mode=http address=tech.hotspotsystem.com src-path=("up.php?mac=".[/interface ethernet get 0 mac-address]."&nasid=".[/system identity get name]."&os_date=Mikrotik&uptime=".[/system clock get time]."%20up%20".[/system resource get uptime].",%20load%20average:%20".[/system resource get cpu-load]."%")


Policy: enable all (that grants the task every permission on the router; it is cleaner to tick only the policies this fetch actually needs and leave password, policy and the rest unchecked). Note also that the report goes out as plain http, so the router's identity, first MAC address, uptime and load are visible to anyone on the path.
Press Apply and OK.




That's all. You can set up the hotspot service on a wired connection as well; in that case choose an ethernet port instead of wlan, or set up the hotspot on both ports.
If you have successfully set up your MikroTik router you should see a login window when connecting via wireless. You can log in with username admin and a blank password.
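The same setup entered at the RouterOS terminal, as an added example that is not part of this tutorial (nor of the SIMPLer one above, which it also covers, since both are the same hotspot-plus-RADIUS procedure). It uses the tutorial's interface names, hotspot network, RADIUS hosts and secret, and NAS ID format; the SSID, the operator name and location number, and the shortened walled-garden lists are assumptions:

```routeros
# Added example, not part of the original tutorial: steps 1 to 13 entered at
# the RouterOS terminal instead of WinBox (RouterOS 6 syntax). Interface
# names, the 10.5.50.0/24 hotspot network, the RADIUS hosts and secret, and
# the NAS ID format are the tutorial's. Assumed: SSID "MyHotspot", operator
# "globalhotspot" at location 2. The walled-garden arrays hold a few of the
# tutorial's entries; extend them with the rest of the list the same way.

# 1. WAN on ether1 by DHCP, and NAT for the hotspot clients
/ip dhcp-client add interface=ether1 disabled=no
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

# 3. wlan1 as an access point on 2.4 GHz b/g
/interface wireless set wlan1 mode=ap-bridge band=2ghz-b/g ssid=MyHotspot disabled=no

# 2. the hotspot on wlan1, i.e. what the Hotspot Setup wizard creates
/ip address add address=10.5.50.1/24 interface=wlan1
/ip pool add name=hs-pool ranges=10.5.50.2-10.5.50.254
/ip dhcp-server add name=hs-dhcp interface=wlan1 address-pool=hs-pool disabled=no
/ip dhcp-server network add address=10.5.50.0/24 gateway=10.5.50.1 dns-server=10.5.50.1
/ip dns set allow-remote-requests=yes
# 4. profile: RADIUS on, cookie login off, HTTP CHAP and PAP on
/ip hotspot profile add name=hsprof1 hotspot-address=10.5.50.1 \
    login-by=http-chap,http-pap use-radius=yes
/ip hotspot add name=hotspot1 interface=wlan1 address-pool=hs-pool \
    profile=hsprof1 disabled=no

# 5/6. primary and secondary RADIUS, hotspot service only. /radius wants an
#      IP address, so the names are resolved once here; re-run if they change.
/radius add service=hotspot address=[:resolve radius.hotspotsystem.com] secret=hotsys123
/radius add service=hotspot address=[:resolve radius2.hotspotsystem.com] secret=hotsys123

# 7. walled garden: hosts and addresses reachable before login
:local wgHosts {"*.hotspotsystem.com";"*.worldpay.com";"*.paypal.com";"*.paypalobjects.com"}
:foreach h in=$wgHosts do={ /ip hotspot walled-garden add dst-host=$h action=allow }
:local wgNets {"194.149.46.0/24";"198.241.128.0/17";"66.211.128.0/17";"216.113.128.0/17"}
:foreach n in=$wgNets do={ /ip hotspot walled-garden ip add dst-address=$n action=accept }

# 8. time: NTP client on (primary-ntp takes an IP address on RouterOS 6).
#    System > Clock stays at its default of manual / 00:00, so nothing to set.
/system ntp client set enabled=yes mode=unicast primary-ntp=[:resolve 0.pool.ntp.org]

# 9. NAS ID in the form OPERATORUSERNAME_LOCATIONNUMBER
/system identity set name=globalhotspot_2

# 10. copy the redirecting login.html (and logout.html for FREE SOCIAL)
#     over SSH from your PC rather than FTP:
#       scp login.html admin@10.5.50.1:/hotspot/login.html

# 12. concurrent logins per user
/ip hotspot user profile set default shared-users=5

# 13. add the hourly up-check from step 13 under /system scheduler with the
#     on-event script shown there; tick only the policies the fetch needs
#     rather than enabling all of them.
```

After pasting, /ip hotspot active print shows who is logged in, and /radius monitor 0 shows whether the primary server is answering; if it is not, check that the resolved address is still current and that the shared secret matches on both sides.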



Jun 1, 2013

How to Change DNS to Google Public DNS

In this tutorial I will show you how to change the DNS servers in MikroTik RouterOS to Google Public DNS. If you have a special DNS configuration from your ISP, make sure the internet still works after you change to another DNS service. Sometimes we need to change from the ISP's DNS server to another provider: if the ISP's DNS service is down, we have to do something to keep the internet service running.

I wrote this tutorial because some friends asked me how to change their DNS service to Google Public DNS or another DNS provider. Follow these instructions.

Make sure you have backed up the MikroTik RouterOS configuration first:

1. Open Winbox.
2. Go to "Files" and click Backup.

Once that is done, change the DNS servers with these steps:

1. Go to IP > DNS > Settings and replace the servers with the public DNS servers. Google Public DNS is 8.8.8.8 as primary server and 8.8.4.4 as secondary server.

How to Setup Mikrotik Router OS

After writing the article about how to install RouterOS on a PC, I will now show you how to configure MikroTik RouterOS as an internet gateway. There are several ways to configure RouterOS. First, we can configure it directly on the PC: turn on the PC and the login screen appears once the boot process has finished.

Second, we can use the small graphical tool from MikroTik called Winbox. In this article I will guide you through setting up RouterOS with the first method, which means configuring the router from the command line. Don't worry: you can copy and paste my configuration for the first time, before you understand what each command does.

If you copy and paste my configuration, make sure the network topology in your home is the same as in this tutorial.

First, set up your DSL modem or internet connection with these parameters:

Modem IP / internet IP : 192.168.1.1
Your laptop/workstation IP : 192.168.0.10

We will start the configuration :


/system identity set name=MyNet
/ip address add address=192.168.1.2/27 interface=ether1
/ip address add address=192.168.0.1/24 interface=ether2

Explanation:

- The system identity is the name of our router; you can change it to whatever you want.
- The IP address 192.168.1.2 is the address that talks to the modem's IP on the way to the internet.
- The IP address 192.168.0.1 is the default gateway for the clients/your computers.
- ether1 is the interface you must connect the modem to with a UTP cable.
- ether2 is the interface that connects your laptops or PC clients/switch. Remember, your PC must be connected to this port to reach the internet through the router.

Next step: add the internet gateway (the default route)
/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 disabled=no

192.168.1.1 is your modem's IP. Make sure the route is enabled (disabled=no); a disabled default route is the commonest reason a router can ping the modem but nothing beyond it.

Next: DNS setup

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB \
max-udp-packet-size=512 servers=8.8.8.8,8.8.4.4

8.8.8.8 and 8.8.4.4 are Google's free DNS service; you can use your ISP's servers instead. Note that allow-remote-requests=yes makes the router answer DNS queries on every interface, including ether1 towards the modem, so without a firewall rule dropping DNS on the WAN side the router becomes an open resolver that can be abused for amplification.
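As an added example (not from the original article), the two input rules that close that exposure while leaving the LAN clients on ether2 able to use the router as their resolver. It assumes ether1 is the modem-facing interface, as in the article:

```routeros
# Added example, not part of the original article. The DNS settings above
# answer queries from any interface; these rules stop queries that arrive
# on the WAN side (ether1) before they reach the resolver, for both UDP and
# TCP (large answers and zone transfers use TCP 53).
/ip firewall filter
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no open resolver towards the Internet (UDP)"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no open resolver towards the Internet (TCP)"
# Clients on ether2 are unaffected: their queries arrive on ether2 and the
# router's own upstream queries to 8.8.8.8 go out through srcnat, with the
# replies matched as established traffic, not as new input on port 53.
```

If you later add a default-deny input chain like the one in the hardening article above, these rules become redundant, but they are a cheap safeguard on a gateway that otherwise has no input filter at all.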

Before the next step, test your connection with the ping command to the DNS servers:

ping 8.8.8.8
8.8.8.8 64 byte ping: ttl=242 time=255 ms
8.8.8.8 64 byte ping: ttl=242 time=243 ms
8.8.8.8 64 byte ping: ttl=242 time=247 ms
8.8.8.8 64 byte ping: ttl=242 time=243 ms
4 packets transmitted, 4 packets received, 0% packet loss
round-trip min/avg/max = 243/247.0/255 ms

If the DNS server replies, the router can reach the DNS servers and the internet.

The router now has internet access, but your computers do not yet. We must create a NAT rule so that the clients' traffic is masqueraded behind the router's WAN address:

/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade

Then change the IP address configuration on your laptop to a static IP, for example:

Ip address : 192.168.0.20
netmask : 255.255.255.0
Default gateway : 192.168.0.1
Primary DNS : 8.8.8.8
Secondary DNS : 8.8.4.4

That's it: you have configured MikroTik RouterOS as an internet gateway. In the next article I will show you how to configure MikroTik with the graphical tool called Winbox. I hope this article helps you. Thanks.

How to install Mikrotik Router OS




In this article I will show you how to install MikroTik RouterOS on a PC. Relax, the steps are simple and easy to practise at home. I will guide you through the installation step by step. Prepare a PC with the minimum requirements: an Intel Pentium 3 or Pentium 4 with at least 512 MB of storage (HDD) and 64 MB of RAM. You need at least two network interface cards (the onboard one plus one more), because one interface will face the internet and the other the clients. First, download RouterOS from the official MikroTik website at www.mikrotik.com/download.html: select system type PC / x86 and software type "all", and download the ISO file. When I wrote this article, the latest RouterOS version was 5.7. You can download RouterOS v5.7 directly from http://download.mikrotik.com/mikrotik-5.7.iso

After the download has finished, burn the image file to a CD and make sure the file is not corrupted. You can burn the image with a free tool such as Free ISO Burner from http://www.freeisoburner.com/, or any other burning software.

After burning the CD, turn on your PC and make sure booting from CD is enabled first in the BIOS setup. The boot process will start and the computer will boot from the CD. You will then see a menu to choose which packages to install, with the welcome screen below:

Welcome to MikroTik Router Software installation Move around menu using 'p' and 'n' or arrow keys, select with 'spacebar'. Select all with 'a', minimum with 'm'. Press 'i' to install locally or 'r' to install remote router or 'q' to cancel and reboot.

Press "a" to select all packages and then "i" to install RouterOS.
Then press [Y] to continue the installation. In this process the MikroTik installer will erase all data on your hard drive, so make sure you have backed it up to another drive.

Next step :

Do you want to keep old configuration? [y/n]:
Choose whether you want to keep the old configuration (press [Y]) or erase it permanently (press [N]) and continue without saving it.

I suggest pressing [N] for a fresh RouterOS install. After you press N, MikroTik will create the partition and format the disk.

The MikroTik installer will install the selected packages. After that you will be prompted to press Enter; remove the CD from the drive first:

Software installed. Press ENTER to reboot

After the reboot, log in as "admin" with a blank password, because the default MikroTik password is blank. Set one straight away (/user set admin password=... at the terminal, or System > Password in Winbox) before the router is connected to any network you do not trust.
After that, RouterOS is installed on your PC and ready to configure. In the next article I will show you how to set up MikroTik as an internet gateway.

I hope this article helps you install MikroTik RouterOS.

Download Mikrotik

When I wrote this article, the latest MikroTik RouterOS version was the 5.7 stable release. You can download this OS for free and use it for 24 hours. To use it permanently you must purchase a license key, which is tied to one hard drive. Where can you download it? You can download MikroTik RouterOS from the official website, mikrotik.com.

Or you can download directly from the links below:

 USA link
Australia link
Iran link
Italy link
Poland link
South Africa link
Sweden link
Indonesia link

Remember, those links are for the PC router (x86) and are in ISO format; you should burn the image to a CD.

How to Setting Up Mikrotik Hotspot

For your information, MikroTik is an all-in-one router OS for small businesses and for small or big networks alike. MikroTik RouterOS or a MikroTik RouterBoard can be set up as a hotspot gateway with a login page. In this tutorial I will show you how to configure MikroTik as a hotspot network with a login page and User Manager. This is just a basic configuration; in the next article I will guide you through setting up MikroTik as a hotspot with a fully featured integrated system.


 Ok, here it is:

First, make sure your router has the following packages installed:


System

DHCP

Wireless

Hotspot

Proxy

User Manager

Security

Advanced tools

Steps to set up the MikroTik hotspot:

/system identity set name=MyNet
/ip address add address=192.168.1.2/27 interface=ether1
/ip address add address=192.168.0.1/24 interface=ether2

/ip route add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 disabled=no

[admin@MikroTik] > ip hotspot setup
hotspot interface: ether2
local address of network: 192.168.0.1/24
masquerade network: yes
address pool of network: 192.168.0.2-192.168.0.250
select certificate: none
ip address of smtp server: 0.0.0.0
dns servers: 8.8.8.8
dns name: hotspot.mynet
name of local hotspot user: user
password for the user: password

Now we will configure User Manager. The shared secret is what authenticates the hotspot to User Manager; 12345 and "password" below are placeholders, so use long random values even though both ends live on the same router:

/tool user-manager customer add login=admin password=password
/tool user-manager router add ip-address=127.0.0.1 shared-secret=12345 subscriber=admin
/radius add service=hotspot address=127.0.0.1 secret=12345
/ip hotspot profile set hsprof1 use-radius=yes

The last command refers to the profile by name (the setup wizard creates hsprof1); "set 1" also works but depends on the item's position in the list.

Done, your MikroTik can now be used as a hotspot gateway!


How To Upgrade Mikrotik

How do you upgrade MikroTik RouterOS to a new version? In this article I will show you. Upgrading RouterOS is very simple: download the latest RouterOS package bundle from mikrotik.com, making sure it matches your architecture (x86, mipsbe, and so on), and extract the zip file into a folder.

Log in to RouterOS with Winbox, open the Files menu and drag and drop all the packages into the file list. Then open a new terminal and type: /system reboot

Your router will restart, and when it boots up the OS version will have changed. Take a backup (Files > Backup) before the reboot so you can go back if the upgrade fails.

Remote Mikrotik from Blackberry

Do you have a BlackBerry? If you use this smartphone and need to reach your servers remotely, you can do it with a simple trick and a simple mobile application.

The application is free to download and very useful when we need to stay connected to our servers; it can do a lot.

The application is called BBSSH. Download it over the air and install it; read the manual, or skip it if you already have experience with SSH tools.

Download BBSSH


Download BBSSH OTA



How to backup Mikrotik

In this tutorial I will show you how to back up your MikroTik. A backup is a must: take one before and after you change the router configuration, because when you make a change and have no backup you cannot undo it.

Follow these steps to back up your router:

1. Log in with Winbox
2. Go to the Files menu on your MikroTik
3. Click Backup on the toolbar

That's it.

How to View Log Mikrotik

Sometimes we need to know what is happening on our routers: if someone changes the configuration or attacks the router, we need to see and analyse the log. Viewing the log on MikroTik is very simple: just click on the Log menu in Winbox.

Now you can analyse the log.

May 22, 2013

Internet access from VRF with NAT--Mikrotik

MPLS Per-VRF NAT for internet access to L3VPNs

Abstract

This article will describe the basic configuration of how to provide internet access to L3VPN customers in an MPLS infrastructure. It has been tested with RouterOS version 3.28 with mpls-test and routing-test. This article assumes basic knowledge of MPLS operation as well as knowledge of NAT and routing.

Requirements

The concepts in this article require at least one routable public IP address per VRF that needs internet access. They also require a dedicated PE router placed between your internet-connected router and the MPLS network, to do the actual NAT translation before the data is handed to the internet-facing router. This article does not require you to have your own AS, although it may be convenient, as long as you have routable public IP addresses to spare for your customers.

Example topology 

 

In this example topology we have two customers, RED and GREEN, who both reside in a separate VRF. Their LAN addressing is of no concern to this setup, and could possibly overlap. They receive internet access on the InetPE router. This design is not an actual MPLS network, but just a simple illustration of the basic concept.

InetPE configuration

We assume that the example network here has a public network of 1.1.1.0/24. The link between the InetPE and the actual internet gateway is 1.1.1.0/30, and 1.1.1.16/28 is assigned for VRFs terminating here. A default route to the internet gateway exists on the InetPE in some form, pointing to 1.1.1.1, and 1.1.1.1 should have a route to 1.1.1.16/28 via 1.1.1.2 (the InetPE). (1.1.1.0/24 is kept only because the original article used it; it is real, allocated address space, so substitute your own assignment or a documentation prefix such as 192.0.2.0/24 when copying these rules.)

VRF configuration

The VRFs are configured like this:
/ip route vrf add routing-mark=RED route-distinguisher=65001:111 import-route-targets=65001:111 \
  export-route-targets=65001:111 disabled=no 

/ip route vrf add routing-mark=GREEN route-distinguisher=65001:222 import-route-targets=65001:222 \ 
  export-route-targets=65001:222 disabled=no

/routing bgp instance vrf add routing-mark=RED redistribute-static=yes instance=default

/routing bgp instance vrf add routing-mark=GREEN redistribute-static=yes instance=default

Default Route

To add a default route, the following commands should be used:
/ip route add routing-mark=RED dst-address=0.0.0.0/0 gateway=1.1.1.1@main
/ip route add routing-mark=GREEN dst-address=0.0.0.0/0 gateway=1.1.1.1@main
Notice the @main part. This indicates that the address 1.1.1.1 should be resolved on the main routing table instead of inside the VRF routing table.

NAT

In this step, we will source NAT the traffic from the RED VRF to the address 1.1.1.16 and the GREEN VRF to 1.1.1.17. This requires both a NAT entry and a MANGLE entry, since the return traffic does not automatically go back into the correct VRF.
  • NAT:
/ip firewall nat add action=src-nat chain=srcnat out-interface=ether1 routing-mark=RED \
  to-addresses=1.1.1.16 disabled=no

/ip firewall nat add action=src-nat chain=srcnat out-interface=ether1 routing-mark=GREEN \
  to-addresses=1.1.1.17 disabled=no

  • MANGLE:
/ip firewall mangle add chain=prerouting action=mark-routing disabled=no dst-address=1.1.1.16 \
  new-routing-mark=RED passthrough=yes

/ip firewall mangle add chain=prerouting action=mark-routing disabled=no dst-address=1.1.1.17 \
  new-routing-mark=GREEN passthrough=yes

Further design considerations

There are several ways you could enhance this design. You could consider breaking out internet access to a separate RT, allowing you a little more flexibility with the internet routes. I have yet to find out how to do this without a default route that points to a next-hop router, e.g. if you want to terminate the VRFs on a box with a full BGP feed. If you discover how, please update this Wiki article.

Conclusion

This configuration is enough to get simple src-nat working. You may want to fine-tune these rules to fit your setup. Dst-nat is not covered by this guide, but should be simple to set up as long as you remember to set up the corresponding mangle rules. It has not been thoroughly tested, so I cannot say what kind of performance you might expect from this.

Internet access from VRF--Mikrotik

Packages required: routing-test, mpls-test, RouterOS version 3.23+

There are multiple ways in which Internet access can be provided to VRF clients; they are outlined in RFC 4364 section 11, for example.
Here we show how to configure access using the global routing table.

Example 

Default routes

Add default routes to VRF routing tables on PE:
 /ip route add routing-mark=cust-one gateway=10.0.0.1@main
 /ip route add routing-mark=cust-two gateway=10.0.0.1@main
Note that we must explicitly specify that the gateway should be resolved in the @main routing table, otherwise the routes will not become active.

Routes to client's networks

Routes to clients' networks should be added in the main routing table, while their next hops are reachable via the clients' VRF interfaces and as such belong to the VRF tables.
On the other hand, there is no way to explicitly specify that a gateway must be resolved in any table other than the main table. So instead we specify the interface (which is in a VRF) and the next-hop gateway address (which must be directly reachable on that interface). For point-to-point interfaces even the gateway address is not required.
Add these routes to PE's route table and redistribute them via OSPF:
 /ip route add dst-address=10.7.7.0/24 gateway=10.3.3.4%ether2
 /ip route add dst-address=10.8.8.0/24 gateway=10.4.4.5%ether3
And this is how it should look in print:
 [admin@PE2] > /ip route print detail where !routing-mark
  ...
  5 A S  dst-address=10.7.7.0/24 gateway=10.3.3.4 on cust-one reachable ether2 
     distance=1 scope=30 target-scope=10
   
  6 A S  dst-address=10.8.8.0/24 gateway=10.4.4.5 on cust-two reachable ether3 
      distance=1 scope=30 target-scope=10

802.1q Trunk extension over Wireless P2P Link

Introduction

It is very common practice to isolate groups of users in a network using VLANs. In wired
networks we use a lot of trunk links to carry and extend VLANs from one switch to another.
Sometimes it becomes necessary to plan redundant parallel network links for these trunk
links. Building a trunk link over a Wi-Fi network is a little tricky.
Let us assume the following scenario.
  • A network has three VLANs with IDs 10, 20 and 30.
  • A Mikrotik P2P link is configured as a trunk carrying these three VLANs.
  • Eth1 of each wireless router is connected to the switches.

A. Create VLAN interfaces for your vlans

You need to create as many VLAN interfaces as the total number of VLANs being forwarded through
the trunk link. Here in this example I have maintained symmetry between the VLAN ID and the name
of the corresponding VLAN interface.
/interface vlan
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan10 \
    vlan-id=10
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan20 \
    vlan-id=20
add arp=enabled comment="" disabled=no interface=ether1 mtu=1500 name=vlan30 \
    vlan-id=30

B. Create bridges - one per vlan

One has to create as many bridges as there are VLAN interfaces. This runs
isolated spanning tree instances for the individual VLANs.
/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=bridge_VLAN_10 priority=0x8000 protocol-mode=stp \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=bridge_VLAN_20 priority=0x8000 protocol-mode=stp \
    transmit-hold-count=6
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes \
    comment="" disabled=no forward-delay=15s max-message-age=20s mtu=1500 \
    name=bridge_VLAN_30 priority=0x8000 protocol-mode=stp \
    transmit-hold-count=6

C. Add vlan interfaces to the corresponding bridge

After the creation of the bridges, the VLAN interfaces need to be assigned to the corresponding
bridges. Note that no primary interface such as ether1 or wlan1 is assigned to the
bridges. If this is done by mistake, the whole system might stop forwarding frames.

/interface bridge port
add bridge=bridge_VLAN_10 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=vlan10 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge_VLAN_20 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=vlan20 path-cost=10 point-to-point=auto priority=\
    0x80
add bridge=bridge_VLAN_30 comment="" disabled=no edge=auto external-fdb=auto \
    horizon=none interface=vlan30 path-cost=10 point-to-point=auto priority=\
    0x80

D. Create Virtual APs - one per vlan

  • The primary interface, wlan1 in this case, will be in ap-bridge mode and will not have any
SSID associated with it.
  • The virtual APs will have hidden SSIDs. When creating the virtual APs, put 00:00:00:00:00:00
as the MAC address; RouterOS will dynamically assign a MAC address to them.
  • On the VAPs, enable WDS in dynamic mode and select the corresponding VLAN bridge created
earlier.
/interface wireless
set 0 ack-timeout=dynamic adaptive-noise-immunity=none allow-sharedkey=no \
    antenna-gain=0 antenna-mode=ant-a area="" arp=enabled band=2.4ghz-b \
    basic-rates-a/g=6Mbps basic-rates-b=1Mbps burst-time=disabled comment="" \
    compression=no country=no_country_set default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes dfs-mode=none disable-running-check=no disabled=no \
    disconnect-timeout=3s frame-lifetime=0 frequency=2412 frequency-mode=\
    manual-txpower hide-ssid=no hw-retries=4 mac-address=00:80:48:60:6B:91 \
    max-station-count=2007 mode=ap-bridge mtu=1500 name=wlan1 \
    noise-floor-threshold=default on-fail-retry-time=100ms \
    periodic-calibration=default periodic-calibration-interval=60 \
    preamble-mode=both proprietary-extensions=post-2.9.25 radio-name=\
    008048606B91 rate-set=default scan-list=default security-profile=default \
    ssid="" station-bridge-clone-mac=00:00:00:00:00:00 supported-rates-a/g=\
    6Mbps,9Mbps,12Mbps,18Mbps,24Mbps,36Mbps,48Mbps,54Mbps supported-rates-b=\
    1Mbps,2Mbps,5.5Mbps,11Mbps tx-power-mode=default update-stats-interval=\
    disabled wds-cost-range=50-150 wds-default-bridge=none wds-default-cost=\
    100 wds-ignore-ssid=no wds-mode=disabled wmm-support=disabled

Here in this example we have created three virtual APs associated with three different
bridges through three separate WDS links.

add area="" arp=enabled comment="" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=yes mac-address=\
    02:80:48:60:6B:91 master-interface=wlan1 max-station-count=2007 mtu=1500 \
    name=wlan_VAP_10 proprietary-extensions=post-2.9.25 security-profile=\
    default ssid=CISCO_V_10 update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=bridge_VLAN_10 wds-default-cost=0 wds-ignore-ssid=no \
    wds-mode=dynamic wmm-support=disabled
add area="" arp=enabled comment="" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=yes mac-address=\
    02:80:48:60:6B:92 master-interface=wlan1 max-station-count=2007 mtu=1500 \
    name=wlan_VAP_20 proprietary-extensions=post-2.9.25 security-profile=\
    default ssid=CISCO_V_20 update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=bridge_VLAN_20 wds-default-cost=0 wds-ignore-ssid=no \
    wds-mode=dynamic wmm-support=disabled
add area="" arp=enabled comment="" default-ap-tx-limit=0 \
    default-authentication=yes default-client-tx-limit=0 default-forwarding=\
    yes disable-running-check=no disabled=no hide-ssid=yes mac-address=\
    02:80:48:60:6B:93 master-interface=wlan1 max-station-count=2007 mtu=1500 \
    name=wlan_VAP_30 proprietary-extensions=post-2.9.25 security-profile=\
    default ssid=CISCO_V_30 update-stats-interval=disabled wds-cost-range=0 \
    wds-default-bridge=bridge_VLAN_30 wds-default-cost=0 wds-ignore-ssid=no \
    wds-mode=dynamic wmm-support=disabled
VAP General tab: assign a meaningful name to the virtual AP.

VAP Wireless tab: create a meaningful SSID. It is advisable to hide the SSID.

VAP WDS tab: turn on WDS in dynamic mode and select the appropriate bridge.

Limitations

  • The aggregate throughput of the trunk link will never be more than 22-23 Mbps. I have tested
this on 5.8 GHz 802.11a only. I need to test the same on 802.11n also. I will also test
NStreme.
  • Since one can create 128 virtual APs, the total number of VLANs that this wireless link
can carry is 128 at most. In the last 10 years I have not encountered a
situation where a trunk was carrying that many VLANs.
  • This trunking only works with the 802.1q protocol. It is incompatible with ISL.

Readers' Questions and Answers

1. What about the AP configuration at the other end? Is this article incomplete?

Since this is an end-to-end L2 setup, both APs would have identical configuration. Just get an export of the first AP and apply that on the second AP. Yes, it is that simple. The configuration is not incomplete. It does not have an IP address because this does not require one. Just following the steps described in this article, people were able to commission wireless trunks successfully.

May 21, 2013

Simple TE on Mikrotik

Network Layout

We will create a network consisting of four routers connected in a diamond shape, as illustrated in the diagram below.

Each router is connected to its neighbouring routers using /30 networks, and each has a unique loopback address from the 10.255.0.x network. The loopback addresses will be used as tunnel source and destination.
The goal is to interconnect two LAN segments (LAN1, LAN2) using TE tunnels in such a way that:
  • traffic in direction from LAN1 to LAN2 goes over path through R2
  • traffic in direction from LAN2 to LAN1 goes over path through R4

Router Configurations

Connectivity between routers and Loopback addresses

R1
/system identity set name=R1

/interface bridge add name=Loopback

/ip address
add address=192.168.33.1/30 interface=ether1
add address=192.168.33.14/30 interface=ether2
add address=192.168.10.1/24 interface=ether3
add address=10.255.0.1/32 interface=Loopback
R2
/system identity set name=R2

/interface bridge add name=Loopback

/ip address
add address=192.168.33.2/30 interface=ether1
add address=192.168.33.5/30 interface=ether2
add address=10.255.0.2/32 interface=Loopback

R3
/system identity set name=R3

/interface bridge add name=Loopback

/ip address
add address=192.168.33.6/30 interface=ether1
add address=192.168.33.9/30 interface=ether2
add address=192.168.20.1/24 interface=ether3
add address=10.255.0.3/32 interface=Loopback
R4
/system identity set name=R4

/interface bridge add name=Loopback

/ip address
add address=192.168.33.10/30 interface=ether1
add address=192.168.33.13/30 interface=ether2
add address=10.255.0.4/32 interface=Loopback


Loopback address reachability and CSPF setup

In this setup we use the OSPF dynamic routing protocol to distribute routing information between the routers. To complete the setup successfully we need loopback reachability information on every router.
CSPF (an extension of OSPF) will also be configured to carry TE reservation information.
R1
/routing ospf instance
set default router-id=10.255.0.1 mpls-te-area=backbone mpls-te-router-id=Loopback

/routing ospf network
add network=192.168.33.0/24 area=backbone
add network=10.255.0.1/32 area=backbone
R2
/routing ospf instance
set default router-id=10.255.0.2 mpls-te-area=backbone mpls-te-router-id=Loopback

/routing ospf network
add network=192.168.33.0/24 area=backbone
add network=10.255.0.2/32 area=backbone
R3
/routing ospf instance
set default router-id=10.255.0.3 mpls-te-area=backbone mpls-te-router-id=Loopback

/routing ospf network
add network=192.168.33.0/24 area=backbone
add network=10.255.0.3/32 area=backbone
R4
/routing ospf instance
set default router-id=10.255.0.4 mpls-te-area=backbone mpls-te-router-id=Loopback

/routing ospf network
add network=192.168.33.0/24 area=backbone
add network=10.255.0.4/32 area=backbone

After OSPF is set up, verify that the routing table of each router contains the correct routing information:
[admin@R1] /ip route> print 
Flags: X - disabled, A - active, D - dynamic, 
C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, 
B - blackhole, U - unreachable, P - prohibit 
 #      DST-ADDRESS        PREF-SRC        GATEWAY            DISTANCE
 0 ADS  0.0.0.0/0                          10.5.101.1                1
 1 ADC  10.255.0.1/32      10.255.0.1      lo                        0
 2 ADo  10.255.0.2/32                      192.168.33.2            110
 3 ADo  10.255.0.3/32                      192.168.33.2            110
                                           192.168.33.13     
 4 ADo  10.255.0.4/32                      192.168.33.13           110
 5 ADC  192.168.10.0/30    192.168.10.1    ether3                    0
 6 ADC  192.168.33.0/30    192.168.33.1    ether1                    0
 7 ADo  192.168.33.4/30                    192.168.33.2            110
 8 ADo  192.168.33.8/30                    192.168.33.13           110
 9 ADC  192.168.33.12/30   192.168.33.14   ether2                    0

Setting Resource Reservation

The next step is to set up TE resources on every interface on which we might want to run a TE tunnel.
The configuration is the same on all routers:
/mpls traffic-eng interface
add interface=ether1 bandwidth=10Mbps
add interface=ether2 bandwidth=10Mbps
Since we are not applying real bandwidth limits to the tunnels in this example, the bandwidth parameter is used only for administrative purposes and can be any value (it does not represent how much bandwidth will actually flow through the interface).

TE tunnel setup

Since our primary goal is to strictly forward traffic over a specific path, we use a static path as the primary and a dynamic (CSPF) path as the secondary, which is used if the primary fails.
R1
/mpls traffic-eng tunnel-path
add name=dyn use-cspf=yes
add name=tun-first-link use-cspf=no \
   hops=192.168.33.2:strict,192.168.33.5:strict,192.168.33.6:strict

/interface traffic-eng
add bandwidth=5Mbps name=TE-to-R3 to-address=10.255.0.3 primary-path=tun-first-link \
   secondary-paths=dyn record-route=yes from-address=10.255.0.1

R3
/mpls traffic-eng tunnel-path
add name=dyn use-cspf=yes
add name=tun-second-link use-cspf=no \
   hops=192.168.33.10:strict,192.168.33.13:strict,192.168.33.14:strict

/interface traffic-eng
add bandwidth=5Mbps name=TE-to-R1 to-address=10.255.0.1 primary-path=tun-second-link \
   secondary-paths=dyn record-route=yes from-address=10.255.0.3

Verify that the TE tunnels are working:
[admin@R1] /interface traffic-eng> monitor 0
             tunnel-id: 14
    primary-path-state: established
          primary-path: tun-first-link
  secondary-path-state: not-necessary
           active-path: tun-first-link
          active-lspid: 1
          active-label: 39
        explicit-route: S:192.168.33.2/32,S:192.168.33.5/32,S:192.168.33.6/32
    reserved-bandwidth: 5.0Mbps
Notice that a running tunnel shows the assigned MPLS labels, the whole tunnel path and the reserved bandwidth. Reserved resources can also be monitored on each router:
[admin@R1] /mpls traffic-eng> path-state print 
Flags: L - locally-originated, E - egress, F - forwarding, P - sending-path, 
R - sending-resv 
 #      SRC                  DST                  BANDWIDTH OUT.. OUT-NEXT-HOP   
 0 LFP  10.255.0.1:1         10.255.0.3:15          5.0Mbps eth.. 192.168.33.2   
 1  E R 10.255.0.3:1         10.255.0.1:8           5.0Mbps
[admin@R1] /mpls traffic-eng> resv-state print 
Flags: E - egress, A - active, N - non-output, S - shared 
 #    SRC                  DST                  BANDWIDTH LABEL            INT...
 0 AS 10.255.0.1:1         10.255.0.3:15          5.0Mbps 41               ether1
[admin@R1] /mpls traffic-eng> 
[admin@R1] /mpls traffic-eng> interface print 
Flags: X - disabled, I - invalid 
 #   INTERFACE                                  BANDWIDTH  TE-METRIC REMAINING-BW
 0   ether1                                        10Mbps          1      5.0Mbps
 1   ether2                                        10Mbps          1     10.0Mbp
Notice that the remaining bandwidth on the interface decreased. This means that if multiple tunnels are created and the whole bandwidth of that particular interface is used up, a new tunnel will try to look for a different path.
Note: TE tunnels are unidirectional, meaning that a tunnel may be running in one direction but fail in the other if all resources are reserved.

Route Traffic over TE

To route LAN traffic over the TE tunnel we assign the addresses 10.99.99.1/30 and 10.99.99.2/30 to the two tunnel ends.
R1
/ip address add address=10.99.99.1/30 interface=TE-to-R3

/ip route add dst-address=192.168.20.0/24 gateway=10.99.99.2
R3
/ip address add address=10.99.99.2/30 interface=TE-to-R1

/ip route add dst-address=192.168.10.0/24 gateway=10.99.99.1
To verify that traffic is actually going over the TE tunnel and is label switched, we can run traceroute:
[admin@R1] /ip address> /tool traceroute  10.99.99.1
 # ADDRESS                                 RT1   RT2   RT3   STATUS              
 1 192.168.33.2                            2ms   1ms   1ms   <MPLS:L=41,E=0>     
 2 10.99.99.1                              3ms   1ms   1ms   
As you can see, traceroute recorded the MPLS label in the path.
Congratulations, our setup works.

Failover Testing

Let's consider that router R4 went down and all traffic needs to be switched over R2.

Traffic engineering does not switch paths automatically. If a dynamic path is used, the path relies on OSPF routing information and is recalculated whenever one of the links fails. With static primary paths, as in our case, we need to re-optimize the tunnel. This can be done in two ways:
  • manually - which is not what we need
  • automatically - at a specific interval

To set up path re-optimization we need to specify the interval.
R1
/interface traffic-eng set TE-to-R3 reoptimize-interval=5s
R3
/interface traffic-eng set TE-to-R1 reoptimize-interval=5s
After a while the tunnel will switch to the secondary path:
[admin@R3] /interface traffic-eng> monitor 0
             tunnel-id: 10
    primary-path-state: trying-to-establish
          primary-path: tun-second-link
  secondary-path-state: established
        secondary-path: dyn
           active-path: dyn
          active-lspid: 3
          active-label: 45
        explicit-route: S:192.168.33.5/32,S:192.168.33.2/32,S:192.168.33.1/32
    reserved-bandwidth: 5.0Mbps

By default the tunnel will try to switch back to the primary path every minute. This can be changed with the primary-retry-interval parameter.
Note: Switching from the primary to the secondary path may not be as fast as expected. It depends on OSPF dead timeouts, routing table updates and the timeout settings in the TE tunnel configuration.

Extended Tunnel for VoIP

Let's consider that in the network we built previously the path through R4 has lower latency, which is good for VoIP traffic. Since the VoIP server is on LAN2, we will create another TE tunnel from R1 to R3 explicitly for VoIP traffic.

Assuming that the previous configuration is up and running, we start with the path definition for the VoIP tunnel.
R1
/mpls traffic-eng tunnel-path
add name=tun-second-link use-cspf=no \
   hops=192.168.33.13:strict,192.168.33.10:strict,192.168.33.9:strict

/interface traffic-eng
add name=TE-to-R3-VOIP to-address=10.255.0.3 bandwidth=5Mbps record-route=yes \
   primary-path=tun-second-link secondary-paths=dyn reoptimize-interval=5s

Verify that the tunnel is up and running:
[admin@R1] /interface traffic-eng> monitor TE-to-R3-VOIP
             tunnel-id: 19
    primary-path-state: established
          primary-path: tun-second-link
  secondary-path-state: not-necessary
           active-path: tun-second-link
          active-lspid: 1
          active-label: 20
        explicit-route: S:192.168.33.13/32,S:192.168.33.10/32,S:192.168.33.9/32
        recorded-route: 192.168.33.10[20],192.168.33.9[0]
    reserved-bandwidth: 5.0Mbps

Notice that we are doing the configuration only in one direction, since traffic coming back from the server will use the same tunnel as regular data.
Now it is time to set up routing.
Let's consider that the VoIP server's IP address is 192.168.20.250. We also need to set up IP addresses on the tunnel ends.
R1
/ip address add address=10.100.100.1/30 interface=TE-to-R3-VOIP

/ip route add dst-address=192.168.20.250/32 gateway=10.100.100.2
R3
/ip address add address=10.100.100.2/30 interface=TE-to-R1

May 17, 2013

Manual:Customizing Hotspot

Summary

You can create a completely different set of servlet pages for each HotSpot server you have, specifying the directory they will be stored in with the html-directory property of a HotSpot server profile (/ip hotspot profile). The default servlet pages are copied into the directory of your choice right after you create the profile. This directory can be accessed by connecting to the router with an FTP client. You can modify the pages as you like using the information in this section of the manual. Note that it is suggested to edit the files manually, as automated HTML editing tools may corrupt the pages by removing variables or other vital parts.

Available Pages

Main HTML servlet pages, which are shown to user:
  • redirect.html - redirects user to another url (for example, to login page)
  • login.html - login page shown to a user to ask for username and password. This page may take the following parameters:
    • username - username
    • password - either plain-text password (in case of PAP authentication) or MD5 hash of chap-id variable, password and CHAP challenge (in case of CHAP authentication). This value is used as e-mail address for trial users
    • dst - original URL requested before the redirect. This will be opened on successful login
    • popup - whether to pop up a status window on successful login
    • radius<id> - send the attribute identified with <id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    • radius<id>u - send the attribute identified with <id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    • radius<id>-<vnd-id> - send the attribute identified with <id> and vendor ID <vnd-id> in text string form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
    • radius<id>-<vnd-id>u - send the attribute identified with <id> and vendor ID <vnd-id> in unsigned integer form to the RADIUS server (in case RADIUS authentication is used; lost otherwise)
  • md5.js - JavaScript for MD5 password hashing. Used together with http-chap login method
  • alogin.html - page shown after the client has logged in. It pops up the status page and redirects the browser to the originally requested page (the one requested before the user was redirected to the HotSpot login page)
  • status.html - status page, shows statistics for the client. It is also able to display advertisements automatically
  • logout.html - logout page, shown after user is logged out. Shows final statistics about the finished session. This page may take the following additional parameters:
    • erase-cookie - whether to erase cookies from the HotSpot server on logout (makes it impossible to log in with a cookie next time from the same browser; might be useful in multiuser environments)
  • error.html - error page, shown on fatal errors only
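The http-chap login method described for login.html above (the password field carrying the MD5 of chap-id, password and CHAP challenge) reimplemented in Python, as an added example that is not part of the manual and is not RouterOS's md5.js itself. It assumes the octal-escape rendering of chap-id and chap-challenge shown in the variables list ("\371", "\357\015...") and a one-character-per-byte (Latin-1) mapping for the password, which the manual does not state; the sample values are the manual's documentation examples, not a captured session.

```python
"""Added example: reproduce the http-chap password transformation that the
HotSpot login page performs client-side (in md5.js) before submitting.

Assumptions (not stated in the manual): chap-id and chap-challenge arrive as
RouterOS-style octal-escaped strings, and every character of the password
maps to exactly one byte (Latin-1), matching a byte-wise concatenation.
"""
import hashlib
import re

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")


def decode_octal_escapes(text: str) -> bytes:
    """Turn an octal-escaped string such as r"\357\015" into raw bytes.

    Characters that are not escapes are encoded as Latin-1 so that each one
    becomes exactly one byte.
    """
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def chap_response(chap_id: str, password: str, chap_challenge: str) -> str:
    """Hex MD5 of chap-id || password || chap-challenge.

    This is the value the login form submits in the `password` field when
    the http-chap method is used, so a passive observer on the path sees a
    challenge-bound digest rather than the clear-text password.
    """
    data = (decode_octal_escapes(chap_id)
            + password.encode("latin-1")
            + decode_octal_escapes(chap_challenge))
    return hashlib.md5(data).hexdigest()


# Constructed sample values, copied from the documentation examples for the
# chap-id and chap-challenge variables (not from a real session).
SAMPLE_CHAP_ID = r"\371"
SAMPLE_CHALLENGE = (r"\357\015\330\013\021\234\145\245"
                    r"\303\253\142\246\133\175\375\316")

if __name__ == "__main__":
    print(chap_response(SAMPLE_CHAP_ID, "hunter2", SAMPLE_CHALLENGE))
```

Because the router (or the RADIUS server behind it) must compute the same digest over its own copy of the password, http-chap only works where the verifier holds the password in recoverable form; that is a property of CHAP in general and is worth keeping in mind when deciding where user credentials are stored.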

Some other pages are available as well, if more control is needed:
  • rlogin.html - page, which redirects client from some other URL to the login page, if authorization of the client is required to access that URL
  • rstatus.html - similarly to rlogin.html, only in case if the client is already logged in and the original URL is not known
  • radvert.html - redirects client to the scheduled advertisement link
  • flogin.html - shown instead of login.html, if some error has happened (invalid username or password, for example)
  • fstatus.html - shown instead of redirect, if status page is requested, but client is not logged in
  • flogout.html - shown instead of redirect, if logout page is requested, but client is not logged in

Serving Servlet Pages

The HotSpot servlet recognizes 5 different request types:
  1. request for a remote host
    • if user is logged in and an advertisement is due to be displayed, radvert.html is displayed. This page redirects to the scheduled advertisement page
    • if user is logged in and advertisement is not scheduled for this user, the requested page is served
    • if user is not logged in, but the destination host is allowed by walled garden, then the request is also served
    • if user is not logged in, and the destination host is disallowed by walled garden, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
  2. request for "/" on the HotSpot host
    • if user is logged in, rstatus.html is displayed; if rstatus.html is not found, redirect.html is used to redirect to the status page
    • if user is not logged in, rlogin.html is displayed; if rlogin.html is not found, redirect.html is used to redirect to the login page
  3. request for "/login" page
    • if user has successfully logged in (or is already logged in), alogin.html is displayed; if alogin.html is not found, redirect.html is used to redirect to the originally requested page or the status page (in case, original destination page was not given)
    • if user is not logged in (username was not supplied, no error message appeared), login.html is shown
    • if the login procedure has failed (error message is supplied), flogin.html is displayed; if flogin.html is not found, login.html is used
    • in case of fatal errors, error.html is shown
  4. request for "/status" page
    • if user is logged in, status.html is displayed
    • if user is not logged in, fstatus.html is displayed; if fstatus.html is not found, redirect.html is used to redirect to the login page
  5. request for '/logout' page
    • if user is logged in, logout.html is displayed
    • if user is not logged in, flogout.html is displayed; if flogout.html is not found, redirect.html is used to redirect to the login page
Note: If a request cannot be served using the pages stored on the router's FTP server, Error 404 is displayed.

There are many possibilities to customize what the HotSpot authentication pages look like:
  • The pages are easily modifiable. They are stored on the router's FTP server in the directory you choose for the respective HotSpot server profile.
  • By changing the variables which the client sends to the HotSpot servlet, it is possible to reduce the keyword count to one (username or password; for example, the client's MAC address may be used as the other value) or even to zero (License Agreement; some predefined values common to all users, or the client's MAC address, may be used as username and password)
  • Registration may occur on a different server (for example, on a server that is able to charge credit cards). The client's MAC address may be passed to it, so that this information need not be entered manually. After the registration, the server should update the RADIUS database, enabling the client to log in for some amount of time.

To insert a variable somewhere in an HTML file, the $(var_name) syntax is used, where "var_name" is the name of the variable (without quotes). This construction may be used in any HotSpot HTML file accessed as '/', '/login', '/status' or '/logout', as well as in any text or HTML (.txt, .htm or .html) file stored on the HotSpot server (with the exception of traffic counters, which are available on the status page only, and the error, error-orig, chap-id, chap-challenge and popup variables, which are available on the login page only). For example, to show a link to the login page, the following construction can be used:
<a href="$(link-login)">login</a>

Variables

All of the servlet HTML pages use variables to show user-specific values. Variable names appear only in the HTML source of the servlet pages; they are automatically replaced with the respective values by the HotSpot servlet. For most variables an example of a possible value is included in brackets. All the described variables are valid in all servlet pages, but some of them might just be empty at the time they are accessed (for example, there is no uptime before a user has logged in).

List of available variables

Common server variables:
  • hostname - DNS name or IP address (if DNS name is not given) of the HotSpot Servlet ("hotspot.example.net")
  • identity - RouterOS identity name ("MikroTik")
  • login-by - authentication method used by user
  • plain-passwd - a "yes/no" representation of whether HTTP-PAP login method is allowed ("no")
  • server-address - HotSpot server address ("10.5.50.1:80")
  • ssl-login - a "yes/no" representation of whether HTTPS method was used to access that servlet page ("no")
  • server-name - HotSpot server name (set in the /ip hotspot menu, as the name property)

Links:

General client information:
  • domain - domain name of the user ("example.com")
  • interface-name - physical HotSpot interface name (in case of bridged interfaces, this will return the actual bridge port name)
  • ip - IP address of the client ("10.5.50.2")
  • logged-in - "yes" if the user is logged in, otherwise - "no" ("yes")
  • mac - MAC address of the user ("01:23:45:67:89:AB")
  • trial - a "yes/no" representation of whether the user has access to trial time. If the user's trial time has expired, the value is "no"
  • username - the name of the user ("John")
  • host-ip - client IP address from /ip hotspot host table

User status information:
  • idle-timeout - idle timeout ("20m" or "" if none)
  • idle-timeout-secs - idle timeout in seconds ("88" or "0" if there is no such timeout)
  • limit-bytes-in - byte limit for send ("1000000" or "---" if there is no limit)
  • limit-bytes-out - byte limit for receive ("1000000" or "---" if there is no limit)
  • refresh-timeout - status page refresh timeout ("1m30s" or "" if none)
  • refresh-timeout-secs - status page refresh timeout in seconds ("90s" or "0" if none)
  • session-timeout - session time left for the user ("5h" or "" if none)
  • session-timeout-secs - session time left for the user, in seconds ("3475" or "0" if there is no such timeout)
  • session-time-left - session time left for the user ("5h" or "" if none)
  • session-time-left-secs - session time left for the user, in seconds ("3475" or "0" if there is no such timeout)
  • uptime - current session uptime ("10h2m33s")
  • uptime-secs - current session uptime in seconds ("125")

Traffic counters, which are available only in the status page:
  • bytes-in - number of bytes received from the user ("15423")
  • bytes-in-nice - user-friendly form of number of bytes received from the user ("15423")
  • bytes-out - number of bytes sent to the user ("11352")
  • bytes-out-nice - user-friendly form of number of bytes sent to the user ("11352")
  • packets-in - number of packets received from the user ("251")
  • packets-out - number of packets sent to the user ("211")
  • remain-bytes-in - remaining bytes until limit-bytes-in will be reached ("337465" or "---" if there is no limit)
  • remain-bytes-out - remaining bytes until limit-bytes-out will be reached ("124455" or "---" if there is no limit)

Miscellaneous variables:
  • session-id - value of 'session-id' parameter in the last request
  • var - value of 'var' parameter in the last request
  • error - error message, if something failed ("invalid username or password")
  • error-orig - original error message (without translations retrieved from errors.txt), if something failed ("invalid username or password")
  • chap-id - value of chap ID ("\371")
  • chap-challenge - value of chap challenge ("\357\015\330\013\021\234\145\245\303\253\142\246\133\175\375\316")
  • popup - whether to pop-up checkbox ("true" or "false")
  • advert-pending - whether an advertisement is pending to be displayed ("yes" or "no")
  • http-status - allows to set http status code and message
  • http-header - allows to add http header

RADIUS-related variables:
  • radius<id> - show the attribute identified with <id> in text string form (in case RADIUS authentication was used; "" otherwise)
  • radius<id>u - show the attribute identified with <id> in unsigned integer form (in case RADIUS authentication was used; "0" otherwise)
  • radius<id>-<vnd-id> - show the attribute identified with <id> and vendor ID <vnd-id> in text string form (in case RADIUS authentication was used; "" otherwise)
  • radius<id>-<vnd-id>u - show the attribute identified with <id> and vendor ID <vnd-id> in unsigned integer form (in case RADIUS authentication was used; "0" otherwise)


Working with variables

$(if <var_name>) statements can be used in these pages. The content that follows is included if the value of <var_name> is not an empty string; this is equivalent to $(if <var_name> != ""). Comparison for equality is possible as well: $(if <var_name> == <value>). A statement stays in effect until the next $(elif <var_name>), $(else) or $(endif). In the general case it looks like this:
some content, which will always be displayed
$(if username == john)
Hey, your username is john
$(elif username == dizzy)
Hello, Dizzy! How are you? Your administrator.
$(elif ip == 10.1.2.3)
You are sitting at that crappy computer, which is damn slow...
$(elif mac == 00:01:02:03:04:05)
This is an ethernet card, which was stolen few months ago...
$(else)
I don't know who you are, so lets live in peace.
$(endif)
other content, which will always be displayed
Only one of those branches is shown; which one depends on the values of those variables for each client.
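The branching described above, together with plain $(var) substitution and the $(var-esc) URL-escaped form that the Misc section below relies on, as an added Python example. This is not RouterOS code and not taken from the page: it assumes the servlet's parsing rules match the description (a bare $(if var) tests for a non-empty string, == and != compare as strings, optional quotes around the value are ignored, and -esc means form-style URL escaping); the sample template is the one shown above.

```python
import re
from urllib.parse import quote_plus

# The example page from the text, embedded here as test input.
PAGE_EXAMPLE = (
    "some content, which will always be displayed\n"
    "$(if username == john)\nHey, your username is john\n"
    "$(elif username == dizzy)\nHello, Dizzy! How are you? Your administrator.\n"
    "$(elif ip == 10.1.2.3)\nYou are sitting at that crappy computer, which is damn slow...\n"
    "$(elif mac == 00:01:02:03:04:05)\nThis is an ethernet card, which was stolen few months ago...\n"
    "$(else)\nI don't know who you are, so lets live in peace.\n"
    "$(endif)\nother content, which will always be displayed"
)

# A control token $(if ...) / $(elif ...) / $(else) / $(endif), or a plain
# variable reference such as $(username) or $(link-orig-esc).
_TOKEN = re.compile(r"\$\((if|elif|else|endif)\b([^)]*)\)|\$\(([A-Za-z0-9-]+)\)")
_COMPARE = re.compile(r"^(\S+)\s*(==|!=)\s*(.*)$")


def lookup(name, variables):
    """Resolve $(name). A trailing -esc yields the URL-escaped value of the
    base variable (assumed here to be quote_plus-style escaping)."""
    if name.endswith("-esc"):
        return quote_plus(variables.get(name[:-4], ""))
    return variables.get(name, "")


def evaluate(condition, variables):
    """$(if var) is true when var is non-empty; $(if var == value) and
    $(if var != value) compare as strings, surrounding quotes optional."""
    condition = condition.strip()
    m = _COMPARE.match(condition)
    if not m:
        return variables.get(condition, "") != ""
    name, op, value = m.groups()
    value = value.strip().strip('"')
    actual = variables.get(name, "")
    return actual == value if op == "==" else actual != value


def render(template, variables):
    """Expand a page for one client. Every open $(if) keeps a frame
    [branch_already_taken, emitting]; text is copied only while all
    enclosing frames are emitting, so nested blocks behave like top-level ones."""
    out = []
    stack = []
    pos = 0

    def emitting(frames):
        return all(frame[1] for frame in frames)

    for m in _TOKEN.finditer(template):
        if emitting(stack):
            out.append(template[pos:m.start()])
        pos = m.end()
        keyword, condition, name = m.groups()
        if name is not None:
            if emitting(stack):
                out.append(lookup(name, variables))
        elif keyword == "if":
            take = emitting(stack) and evaluate(condition, variables)
            stack.append([take, take])
        elif keyword in ("elif", "else"):
            if not stack:
                raise ValueError("$(%s) without $(if)" % keyword)
            frame = stack[-1]
            take = emitting(stack[:-1]) and not frame[0]
            if keyword == "elif":
                take = take and evaluate(condition, variables)
            frame[1] = take
            frame[0] = frame[0] or take
        else:  # endif
            if not stack:
                raise ValueError("$(endif) without $(if)")
            stack.pop()
    if stack:
        raise ValueError("unterminated $(if)")
    out.append(template[pos:])
    return "".join(out)


if __name__ == "__main__":
    print(render(PAGE_EXAMPLE, {"username": "john", "ip": "10.5.50.2"}))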


Redirects and custom Headers

Starting from RouterOS 5.12 there are 2 new hotspot html page variables:
  • http-status - allows to set http status code and message
  • http-header - allows to add http header

Example:
 $(if http-status == 302)Hotspot login required$(endif)
 $(if http-header == "Location")$(link-redirect)$(endif)
If $(link-redirect) evaluates to "http://192.168.88.1/login", the HTTP response will look like:
HTTP/1.0 302 Hotspot login required
<regular HTTP headers>
Location: http://192.168.88.1/login

http-status syntax:
 $(if http-status == XYZ)HTTP_STATUS_MESSAGE$(endif)
  • XYZ - status code, should be 3 decimal digits, first one must not be 0
  • HTTP_STATUS_MESSAGE - any text, will follow status code in HTTP reply
In HTTP response it will be on first line and will look like:
HTTP/1.0 XYZ HTTP_STATUS_MESSAGE

http-header syntax:
 $(if http-header == HTTP_HEADER_NAME)HTTP_HEADER_VALUE$(endif)
  • HTTP_HEADER_NAME - name of the HTTP header to add
  • HTTP_HEADER_VALUE - value of HTTP header with name HTTP_HEADER_NAME
In HTTP response it will look like:
HTTP_HEADER_NAME: HTTP_HEADER_VALUE

All variables and conditional expressions within HTTP_HEADER_VALUE and HTTP_STATUS_MESSAGE are processed as usual.
If multiple headers with the same name are added, only the last one is used (the earlier ones are discarded). This allows regular HTTP headers (for example, Content-Type and Cache-Control) to be overridden.

Customizing Error Messages

All error messages are stored in the errors.txt file within the respective HotSpot servlet directory. You can change and translate all these messages to your native language. To do so, edit the errors.txt file. You can also use variables in the messages. All instructions are given in that file.


Multiple Versions of HotSpot Pages

Multiple HotSpot page sets for the same HotSpot server are supported. They can be chosen by user (to select language) or automatically by JavaScript (to select PDA/regular version of HTML pages).
To use this feature, create subdirectories in the HotSpot HTML directory and place only the HTML files that differ in that subdirectory. For example, to translate everything into Latvian, a subdirectory "lv" can be created with login.html, logout.html, status.html, alogin.html, radvert.html and errors.txt translated into Latvian. If the requested HTML page cannot be found in the requested subdirectory, the corresponding HTML file from the main directory is used. The main login.html file would then contain a link to "/lv/login?dst=$(link-orig-esc)", which displays the Latvian version of the login page: <a href="/lv/login?dst=$(link-orig-esc)">Latviski</a>. And the Latvian version would contain a link to the English version: <a href="/login?dst=$(link-orig-esc)">English</a>
Another way of referencing directories is to specify 'target' variable:
        <a href="$(link-login-only)?dst=$(link-orig-esc)&target=lv">Latviski</a>
        <a href="$(link-login-only)?dst=$(link-orig-esc)&target=%2F">English</a>
After preferred directory has been selected (for example, "lv"), all links to local HotSpot pages will contain that path (for example, $(link-status) = "http://hotspot.mt.lv/lv/status"). So, if all HotSpot pages reference links using "$(link-xxx)" variables, then no more changes are to be made - each client will stay within the selected directory all the time.


Misc

If you want to use the HTTP-CHAP authentication method, the login form must call the doLogin() function (which relies on md5.js, so that script must already be loaded) before the form is submitted. Otherwise, CHAP login will fail.
With HTTP-CHAP, the password sent to the HotSpot gateway is the MD5 hash of the concatenation of chap-id, the user's password and chap-challenge, in that order. This keeps the cleartext password off the wire, but it is not a substitute for HTTPS: the challenge (in the login page) and the hashed response (in the form submission) are both visible to anyone observing the traffic, and a captured pair can be attacked offline with a password list, since MD5 is fast to compute. Prefer the HTTPS login method where possible.
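The HTTP-CHAP computation just described, and the offline guessing attack it permits, as an added Python example (not the page's md5.js or any MikroTik code). The chap-id and chap-challenge values are constructed samples written in the octal-escaped form this page shows; the code assumes the bundled md5.js behaves like the common JavaScript MD5 implementation and hashes only the low 8 bits of each character.

```python
import hashlib
import re

# Constructed sample values in the escaped form the servlet substitutes for
# $(chap-id) and $(chap-challenge); a real servlet generates a fresh challenge
# for every login page it serves.
CHAP_ID = r"\371"
CHAP_CHALLENGE = r"\357\015\330\013\021\234\145\245\303\253\142\246\133\175\375\316"

_OCTAL_ESCAPE = re.compile(r"\\([0-7]{1,3})")


def unescape_octal(text):
    """Convert \\NNN octal escapes to raw bytes; any other character is
    taken as a single byte (its Latin-1 code)."""
    out = bytearray()
    pos = 0
    for m in _OCTAL_ESCAPE.finditer(text):
        out += text[pos:m.start()].encode("latin-1")
        out.append(int(m.group(1), 8))
        pos = m.end()
    out += text[pos:].encode("latin-1")
    return bytes(out)


def chap_response(chap_id, password, chap_challenge):
    """What doLogin() places in the password field for HTTP-CHAP:
    hex(MD5(chap-id || password || chap-challenge)).
    Assumption: like the common md5.js, only the low 8 bits of each
    password character are hashed."""
    pw = bytes(ord(c) & 0xFF for c in password)
    data = unescape_octal(chap_id) + pw + unescape_octal(chap_challenge)
    return hashlib.md5(data).hexdigest()


def recover_password(chap_id, chap_challenge, observed_response, candidates):
    """The weakness of CHAP over plain HTTP: whoever sees the login page
    (challenge) and the submitted form (response) can test guesses offline.
    Returns the first candidate that reproduces the response, or None."""
    for candidate in candidates:
        if chap_response(chap_id, candidate, chap_challenge) == observed_response:
            return candidate
    return None


if __name__ == "__main__":
    response = chap_response(CHAP_ID, "s3cret", CHAP_CHALLENGE)
    print("response sent to the gateway:", response)
    # Constructed wordlist standing in for a real dictionary.
    wordlist = ["password", "hotspot", "s3cret"]
    print("recovered from capture:", recover_password(CHAP_ID, CHAP_CHALLENGE, response, wordlist))
```

Because the challenge changes per login page, a captured response cannot simply be replayed, but nothing stops the dictionary loop above from running as fast as MD5 allows; only HTTPS (or a strong, non-guessable password) closes that gap.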
If variables are to be used directly in a link, they must be escaped accordingly. For example, in the login page, <a href="https://login.example.com/login?mac=$(mac)&user=$(username)">link</a> will not work as intended if the username is "123&456=1 2". In this case the escaped version must be used instead of $(user), namely $(user-esc): <a href="https://login.server.serv/login?mac=$(mac-esc)&user=$(user-esc)">link</a>. Now the same username is converted to "123%26456%3D1+2", which is the valid representation of "123&456=1 2" in a URL. This trick may be used with any variable, not only $(username).
The logout page accepts a boolean parameter "erase-cookie", which may be set to "on" or "true" to delete the user's HotSpot cookie on logout, so that the browser is not automatically logged in again the next time it is opened. Use it on shared computers, where the cookie would otherwise log the next person at the keyboard in as the previous user.

Examples

With basic HTML language knowledge and the examples below it should be easy to implement the ideas described above.
  • To provide predefined value as username, in login.html change:
<input type="text" name="username" value="$(username)">
to this line:
<input type="hidden" name="username" value="hsuser">
(where hsuser is the username you are providing)
  • To provide predefined value as password, in login.html change:
<input type="password" name="password">
to this line:
<input type="hidden" name="password" value="hspass">
(where hspass is the password you are providing)
  • To send client's MAC address to a registration server in form of:
https://www.example.com/register.html?mac=XX:XX:XX:XX:XX:XX
change the Login button link in login.html to:
https://www.example.com/register.html?mac=$(mac)
(you should correct the link to point to your server)
  • To show a banner after user login, in alogin.html after
$(if popup == 'true') add the following line:
open('http://www.example.com/your-banner-page.html', 'my-banner-name','');
(you should correct the link to point to the page you want to show)
  • To choose different page shown after login, in login.html change:
<input type="hidden" name="dst" value="$(link-orig)">
to this line:
<input type="hidden" name="dst" value="http://www.example.com">
(you should correct the link to point to your server)
  • To erase the cookie on logoff, in the page containing link to the logout (for example, in status.html) change:
open('$(link-logout)', 'hotspot_logout', ...
to this:
open('$(link-logout)?erase-cookie=on', 'hotspot_logout', ...
or alternatively add this line:
<input type="hidden" name="erase-cookie" value="on">
before this one:
<input type="submit" value="log off">
Another example is making the HotSpot authenticate against a remote server (which may, for example, perform credit card charging):
  • Allow direct access to the external server in walled-garden (either HTTP-based, or IP-based)
  • Modify login page of the HotSpot servlet to redirect to the external authentication server. The external server should modify RADIUS database as needed
Here is an example of such a login page to put on the HotSpot router (it redirects to https://auth.example.com/login.php; replace this with the actual address of the external authentication server):
<html>
<title>...</title>
<body>
<form name="redirect" action="https://auth.example.com/login.php" method="post">
<input type="hidden" name="mac" value="$(mac)">
<input type="hidden" name="ip" value="$(ip)">
<input type="hidden" name="username" value="$(username)">
<input type="hidden" name="link-login" value="$(link-login)">
<input type="hidden" name="link-orig" value="$(link-orig)">
<input type="hidden" name="error" value="$(error)">
</form>
<script language="JavaScript">
<!--
 document.redirect.submit();
//-->
</script>
</body>
</html>
          
  • The external server can log a HotSpot client in by redirecting it back to the original HotSpot servlet login page with the correct username and password filled in
Here is an example of such a page (it redirects to https://hotspot.example.com/login; replace this with the actual address of the HotSpot router. It also displays www.mikrotik.com after successful login; replace that as needed):
<html>
<title>Hotspot login page</title>
<body>
<form name="login" action="https://hotspot.example.com/login" method="post">
<input type="text" name="username" value="demo">
<input type="password" name="password" value="none">
<input type="hidden" name="domain" value="">
<input type="hidden" name="dst" value="http://www.mikrotik.com/">
<input type="submit" name="login" value="log in">
</form>
</body>
</html>
          
  • The HotSpot asks the RADIUS server whether to allow the login. If allowed, the alogin.html page is displayed (it can be modified to do anything). If not allowed, the flogin.html (or login.html) page is displayed, which redirects the client back to the external authentication server.
Note: as shown in these examples, HTTPS and the POST method can be used to secure the communication in transit. They do not hide the credentials from the client itself, which receives them in the page above, so the external server should hand out per-client credentials that it creates (and later removes) in the RADIUS database rather than a shared static account.


Firewall customizations

Summary

Apart from the obvious dynamic entries in the /ip hotspot submenu itself (like hosts and active users), some additional rules are added to the firewall tables when a HotSpot service is activated. Unlike RouterOS version 2.8, relatively few firewall rules are added, as the main job is done by the one-to-one NAT algorithm.

NAT

From /ip firewall nat print dynamic command, you can get something like this (comments follow after each of the rules):
 0 D chain=dstnat action=jump jump-target=hotspot hotspot=from-client
Putting all HotSpot-related tasks for packets from all HotSpot clients into a separate chain.
 1 I chain=hotspot action=jump jump-target=pre-hotspot
Any actions that should be done before HotSpot rules apply, should be put in the pre-hotspot chain. This chain is under full administrator control and does not contain any rules set by the system, hence the invalid jump rule (as the chain does not have any rules by default).
 2 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=udp 
 3 D chain=hotspot action=redirect to-ports=64872 dst-port=53 protocol=tcp 
Redirect all DNS requests to the HotSpot service. The 64872 port provides DNS service for all HotSpot users. If you want HotSpot server to listen also to another port, add rules here the same way, changing dst-port property.
 4 D chain=hotspot action=redirect to-ports=64873 hotspot=local-dst dst-port=80
     protocol=tcp
Redirect all HTTP login requests to the HTTP login servlet. The 64873 is HotSpot HTTP servlet port.
 5 D chain=hotspot action=redirect to-ports=64875 hotspot=local-dst dst-port=443
     protocol=tcp
Redirect all HTTPS login requests to the HTTPS login servlet. The 64875 is HotSpot HTTPS servlet port.
 6 D chain=hotspot action=jump jump-target=hs-unauth hotspot=!auth protocol=tcp
All other packets except DNS and login requests from unauthorized clients should pass through the hs-unauth chain.
 7 D chain=hotspot action=jump jump-target=hs-auth hotspot=auth protocol=tcp
And packets from the authorized clients - through the hs-auth chain.
 8 D ;;; www.mikrotik.com
     chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
First in the hs-unauth chain is put everything that affects TCP protocol in the /ip hotspot walled-garden ip submenu (i.e., everything where either protocol is not set, or set to TCP). Here we are excluding www.mikrotik.com from being redirected to the login page.
 9 D chain=hs-unauth action=redirect to-ports=64874 dst-port=80 protocol=tcp
All other HTTP requests are redirected to the Walled Garden proxy server which listens the 64874 port. If there is an allow entry in the /ip hotspot walled-garden menu for an HTTP request, it is being forwarded to the destination. Otherwise, the request will be automatically redirected to the HotSpot login servlet (port 64873).
10 D chain=hs-unauth action=redirect to-ports=64874 dst-port=3128 protocol=tcp 
11 D chain=hs-unauth action=redirect to-ports=64874 dst-port=8080 protocol=tcp 
HotSpot by default assumes that only these ports may be used for HTTP proxy requests. These two entries "catch" client requests to unknown proxies (you can add more rules here for other ports), so that clients with unknown proxy settings can still work with the HotSpot system. This feature is called "Universal Proxy". If it is detected that a client is using some proxy server, the system automatically marks those packets with the http hotspot mark to work around the unknown proxy problem, as we will see later on. Note that the port used (64874) is the same as for HTTP requests in rule #9 (so both HTTP and HTTP proxy requests are processed by the same code).
12 D chain=hs-unauth action=redirect to-ports=64875 dst-port=443 protocol=tcp
HTTPS proxy is listening on the 64875 port.
13 I chain=hs-unauth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
Redirect for SMTP protocol may also be defined in the HotSpot configuration. In case it is, a redirect rule will be put in the hs-smtp chain. This is done so that users with unknown SMTP configuration would be able to send their mail through the service provider's (your) SMTP server instead of going to the [possibly unavailable outside their network of origin] SMTP server users have configured on their computers. The chain is empty by default, hence the invalid jump rule.
14 D chain=hs-auth action=redirect to-ports=64874 hotspot=http protocol=tcp
Providing HTTP proxy service for authorized users. Authenticated user requests may need to be subject to transparent proxying (the "Universal Proxy" technique and the advertisement feature). The http mark is put automatically on requests that the HotSpot HTTP proxy (the one listening on port 64874) detects as proxy requests to unknown proxy servers, so that users with proxy settings use the HotSpot gateway instead of the [possibly unavailable outside their network of origin] proxy server configured on their computers. The mark is also applied when an advertisement is due to be shown to the user, and on any HTTP request made by users whose profile is configured to transparently proxy their requests.
15 I chain=hs-auth action=jump jump-target=hs-smtp dst-port=25 protocol=tcp
Providing SMTP proxy for authorized users (the same as in rule #13).


Packet Filtering

From /ip firewall filter print dynamic command, you can get something like this (comments follow after each of the rules):
 0 D chain=forward action=jump jump-target=hs-unauth hotspot=from-client,!auth
Any packet that traverses the router from an unauthorized client is sent to the hs-unauth chain, which implements the IP-based Walled Garden filter.
 1 D chain=forward action=jump jump-target=hs-unauth-to hotspot=to-client,!auth
Everything that comes to clients through the router, gets redirected to another chain, called hs-unauth-to. This chain should reject unauthorized requests to the clients.
 2 D chain=input action=jump jump-target=hs-input hotspot=from-client
Everything that comes from clients to the router itself, gets to yet another chain, called hs-input.
 3 I chain=hs-input action=jump jump-target=pre-hs-input
Before proceeding with [predefined] dynamic rules, the packet gets to the administratively controlled pre-hs-input chain, which is empty by default, hence the invalid state of the jump rule.
 4 D chain=hs-input action=accept dst-port=64872 protocol=udp 
 5 D chain=hs-input action=accept dst-port=64872-64875 protocol=tcp 
Allow client access to the local authentication and proxy services (as described earlier).
 6 D chain=hs-input action=jump jump-target=hs-unauth hotspot=!auth
All other traffic from unauthorized clients to the router itself is treated the same way as traffic traversing the router. Note that there is no rule here for authorized clients: their packets fall off the end of hs-input and return to the input chain, so which router services (WinBox, SSH, WWW and so on) HotSpot users may reach is decided by your own input rules, or by rules you place in pre-hs-input, which is evaluated first.
 7 D chain=hs-unauth action=return protocol=icmp
 8 D ;;; www.mikrotik.com
     chain=hs-unauth action=return dst-address=66.228.113.26 dst-port=80 protocol=tcp
Unlike the NAT table, where only TCP-related Walled Garden entries were added, the packet-filter hs-unauth chain receives everything you have set in the /ip hotspot walled-garden ip menu. That is why, although you saw only one entry in the NAT table, there are two rules here.
 9 D chain=hs-unauth action=reject reject-with=tcp-reset protocol=tcp
10 D chain=hs-unauth action=reject reject-with=icmp-net-prohibited
Everything else that has not been whitelisted by the Walled Garden is rejected. Note the use of TCP reset for rejecting TCP connections.
11 D chain=hs-unauth-to action=return protocol=icmp
12 D ;;; www.mikrotik.com
     chain=hs-unauth-to action=return src-address=66.228.113.26 src-port=80 protocol=tcp
Same action as in rules #7 and #8 is performed for the packets destined to the clients (chain hs-unauth-to) as well.
13 D chain=hs-unauth-to action=reject reject-with=icmp-host-prohibited
Reject all packets to the clients with ICMP reject message.
