Sunday, September 29, 2013

Selective Policy-Based Routing with Mikrotik RouterOS

This guide assumes that you have two Internet connections, either from the same provider or from different providers. Selective policy-based routing is useful when you want to send specific services over a dedicated link or provider (for example, all VoIP connections go out through provider “A” and all HTTP connections through provider “B”).
(image: selective routing diagram)
Benefits of policy-based routing
  • Load sharing - separate voice from data traffic, or steer bandwidth-hungry services onto the link with the larger pipe.
  • Quality of service - each network service gets a fair, weighted share of bandwidth, because the network administrator decides which services are routed over, or assigned to, the larger link.
Setting up Mikrotik RouterOS for policy-based routing
  • Log in to your Mikrotik router with Winbox.
  • Once logged in, click “IP -> Routes” and add a route.
  • Select the gateway that the selected traffic or protocols should use and, in the “Mark” box, enter a name for the route (this routing mark is what the mangle rule will refer to later). Click OK.
(image: routing mark)
After adding the marked route to your routing table, proceed to packet mangling, where the packet alterations are made.
  • Click “IP -> Firewall -> Mangle”, then click add. Under the General tab you can enter a source address, destination address and protocol; these are optional and only needed when the mangle rule has to be that specific.
(image: packet mangling)
  • Click the “Action” tab; under Action select “Mark Routing”, then enter the routing mark you created under “New Routing Mark” so that matching traffic is routed that way.
(image: packet mangling routing mark)
  • Lastly, click OK.
To check that the traffic is routed over the desired link, run a traceroute from a host whose traffic matches the mangle rule and confirm that the first hops belong to the intended provider.
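The same setup entered from the RouterOS terminal instead of Winbox, as an added example that is not part of the original post. The interface names lan, providerA and providerB, the gateway addresses 192.0.2.1 and 198.51.100.1, the routing marks via_providerA and via_providerB, and the VoIP port list (SIP on UDP 5060, an RTP range of 10000-20000) are all assumptions; adjust them to your own network and PBX. The syntax is RouterOS 5/6, where routes carry a routing-mark; RouterOS 7 uses routing tables instead.

```routeros
# Added example, not from the original post. Assumed names: LAN interface "lan",
# provider interfaces "providerA"/"providerB", gateways 192.0.2.1 and 198.51.100.1,
# routing marks "via_providerA" and "via_providerB".

# 1. Routes that are only consulted for packets carrying the matching mark.
#    check-gateway=ping disables the route while the provider is unreachable.
/ip route
add dst-address=0.0.0.0/0 gateway=192.0.2.1 routing-mark=via_providerA check-gateway=ping comment="VoIP via provider A"
add dst-address=0.0.0.0/0 gateway=198.51.100.1 routing-mark=via_providerB check-gateway=ping comment="HTTP via provider B"

# 2. Mangle rules that attach the mark. Only traffic leaving the LAN towards
#    non-local destinations is marked, so router-local services keep working.
#    The VoIP ports are an assumption; take them from your PBX configuration.
/ip firewall mangle
add chain=prerouting in-interface=lan dst-address-type=!local protocol=udp dst-port=5060,10000-20000 action=mark-routing new-routing-mark=via_providerA passthrough=no comment="VoIP -> provider A"
add chain=prerouting in-interface=lan dst-address-type=!local protocol=tcp dst-port=80,443 action=mark-routing new-routing-mark=via_providerB passthrough=no comment="HTTP/HTTPS -> provider B"

# 3. Each link needs its own source NAT, otherwise replies come back via the wrong provider.
/ip firewall nat
add chain=srcnat out-interface=providerA action=masquerade
add chain=srcnat out-interface=providerB action=masquerade

# 4. Check from the router itself: trace using each mark's routing table and
#    confirm the first hop is the gateway you expect.
/tool traceroute address=8.8.8.8 routing-table=via_providerA
/tool traceroute address=8.8.8.8 routing-table=via_providerB
```

If you have several internal subnets, add accept rules for them in the prerouting chain before the mark-routing rules (the PCC example later on this page does exactly that), otherwise traffic between subnets would be pushed out to a provider.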

Automatically find unauthorized devices and block them on the firewall

One of the features I like most in Mikrotik RouterOS is the ability to run custom scripts, which lets you automate tasks on the router side. In a workplace where “bring your own device” is practiced, being able to control the registration of these devices on your network is very important, especially for mobile devices: laptops, tablets and smartphones.
It is becoming harder to control these devices, especially in large numbers. A smartphone left in a bag or pocket will connect automatically through your access points as long as the user knows the wireless key, and may download unnecessary files from the Internet, wasting network bandwidth while increasing the network’s security risk.
If you have a Mikrotik RouterOS device in your network and face the same dilemma, the script below will probably help you solve it, or at least get you started on a better solution.

# Tested to work on RouterOS 5.19
# Walk every dynamic DHCP lease; devices that were registered with a static lease are not dynamic and are skipped
:foreach i in=[/ip dhcp-server lease find dynamic=yes] do={
    :local dynamicIP [/ip dhcp-server lease get $i address];
    :local dynamicMAC [/ip dhcp-server lease get $i mac-address];
    :local dynamicHOST [/ip dhcp-server lease get $i host-name];
    # Any filter rule that already matches this MAC address
    :local macfound [/ip firewall filter find src-mac-address=$dynamicMAC];

    :if ([:len $macfound] > 0) do={
        :log info ($dynamicMAC . " already filtered")
    } else={
        # Drop everything this MAC address tries to send through the router
        /ip firewall filter add chain=forward src-mac-address=$dynamicMAC action=drop comment=($dynamicHOST . " - " . $dynamicMAC . " Unregistered device")
        :log info ("Added " . $dynamicMAC . " to firewall filter")
    }
}
Basically, the script looks for dynamic IP addresses in the DHCP server leases table and searches for their MAC addresses in the firewall filter table. If a MAC address is not yet blocked, the script creates a rule that drops traffic from that MAC address, preventing the device from sending traffic through your network. Devices you have registered by giving them a static DHCP lease are not dynamic and are therefore left alone.
To run the script periodically, save it under “System -> Scripts” with the name that the scheduler’s on-event refers to (block_unauthorized_devices) and add it to the scheduler, as in the example below:

/system scheduler add comment="Find unauthorized devices and block" disabled=no interval=5m name=block_unauthorized_devices on-event=block_unauthorized_devices policy=read,write,test
Check the log to see which devices have been blocked as the script finds them.
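A companion script that lifts the block once a device has been registered, added here as an example; it is not part of the original post. It assumes that registering a device means converting its DHCP lease to a static one (make-static in the leases table), so the lease is no longer dynamic, and that the drop rules were created by the script above, i.e. they match on src-mac-address and carry a comment ending in “Unregistered device”. The script and scheduler name unblock_registered_devices is also an assumption.

```routeros
# Added example, not part of the original post. Assumes drop rules created by the
# post's script (src-mac-address set, comment ends in "Unregistered device") and
# that a registered device is one whose DHCP lease was made static.
:foreach r in=[/ip firewall filter find chain=forward action=drop comment~"Unregistered device\$"] do={
    :local mac [/ip firewall filter get $r src-mac-address];
    # A static (dynamic=no) lease for this MAC means an administrator registered it
    :local registered [/ip dhcp-server lease find mac-address=$mac dynamic=no];
    :if ([:len $registered] > 0) do={
        /ip firewall filter remove $r;
        :log info ("Unblocked registered device " . $mac);
    }
}

# Save the script under /system script with the same name the scheduler refers to,
# then run it on the same cadence as the blocking script:
/system scheduler add name=unblock_registered_devices interval=5m on-event=unblock_registered_devices policy=read,write,test comment="Lift block for devices with a static lease"
```

Keep in mind that both scripts trust the MAC address: a client that copies a registered MAC address inherits its access, so treat this as a convenience control on top of wireless security, not as a replacement for it.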

Monday, May 27, 2013

Mac authentication with Mikrotik for HotSpot user

How do I use MAC authentication with Mikrotik?
Using MAC authentication you can give a device free access without sending it through the splash page.
First you have to create a user whose username is the device's wireless MAC address and whose password is set to "password".
Click IP -> HOTSPOT -> USERS. Click add user.
The name field should be the wireless MAC address of the device that should bypass the splash page.
The password field should be set to "password".


Click SERVER PROFILES, still under the Hotspot section. Double-click the profile currently in use and, under the Login tab, find the field "MAC auth. password". Enter "password" in this field.
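The same bypass entered from the terminal, as an added example that is not part of the original post. It assumes the hotspot server profile in use is called hsprof1 and uses the constructed MAC address 00:11:22:33:44:55 for the device; it also enables MAC login in the profile's login-by list, which must be on for the "MAC auth. password" field to have any effect.

```routeros
# Added example, not from the original post. Profile name "hsprof1" and the
# MAC address 00:11:22:33:44:55 are assumptions.

# 1. The user whose name is the device's wireless MAC address
/ip hotspot user add name=00:11:22:33:44:55 password=password comment="lobby printer - bypasses splash page"

# 2. The profile must allow MAC login and use the same password those users were given.
#    http-chap is kept so ordinary users still get the portal.
/ip hotspot profile set hsprof1 login-by=mac,http-chap mac-auth-password=password

# 3. Check: once the device associates it should appear as active without visiting the portal
/ip hotspot active print where user=00:11:22:33:44:55
```

Since the MAC address is the only credential here, limit this to devices that cannot show a login page (printers, IoT gear) and review the active list from time to time for sessions you do not recognise.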


Monday, March 4, 2013

Dual WAN load balancing, nth method

/ip address
add address=192.168.1.3/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1 comment="" disabled=no
add address=192.168.2.3/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2 comment="" disabled=no
add address=10.10.0.1/24 network=10.10.0.0 broadcast=10.10.0.255 interface=internal comment="" disabled=no

/ip firewall mangle
add chain=prerouting in-interface=internal connection-state=new nth=2,1 action=mark-connection new-connection-mark=conn1 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=internal connection-mark=conn1 action=mark-routing new-routing-mark=conn1 passthrough=no comment="" disabled=no
add chain=prerouting in-interface=internal connection-state=new nth=1,1 action=mark-connection new-connection-mark=conn2 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=internal connection-mark=conn2 action=mark-routing new-routing-mark=conn2 passthrough=no comment="" disabled=no


/ip firewall nat
add chain=srcnat connection-mark=conn1 action=masquerade out-interface=WAN1 comment="" disabled=no
add chain=srcnat connection-mark=conn2 action=masquerade out-interface=WAN2 comment="" disabled=no


/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=conn1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=conn2 comment="" disabled=no

Dual WAN load balancing, PCC method

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=221.132.112.8,8.8.8.8

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade

Saturday, February 23, 2013

One to One NETMAP using Mikrotik Router


If our server uses a private IP address and we want to reach it from the Internet, we need a 1-to-1 netmap. Below is the netmap configuration; you only need to change the public IP addresses, the private IP addresses and the WAN interface name to match your setup. The public addresses must be assigned on the WAN interface and must be the same addresses referenced in the dst-nat and src-nat rules.

Say we have four public IP addresses, 10.10.55.171 to 10.10.55.174,
and we want to map them to the private IP addresses 192.168.123.71 to 192.168.123.74.


/ip address add address=10.10.55.171/32 interface=wan 
/ip address add address=10.10.55.172/32 interface=wan 
/ip address add address=10.10.55.173/32 interface=wan 
/ip address add address=10.10.55.174/32 interface=wan 

/ip firewall nat add chain=dstnat dst-address=10.10.55.171 action=dst-nat to-addresses=192.168.123.71
/ip firewall nat add chain=dstnat dst-address=10.10.55.172 action=dst-nat to-addresses=192.168.123.72
/ip firewall nat add chain=dstnat dst-address=10.10.55.173 action=dst-nat to-addresses=192.168.123.73
/ip firewall nat add chain=dstnat dst-address=10.10.55.174 action=dst-nat to-addresses=192.168.123.74

/ip firewall nat add chain=srcnat src-address=192.168.123.71 action=src-nat to-addresses=10.10.55.171
/ip firewall nat add chain=srcnat src-address=192.168.123.72 action=src-nat to-addresses=10.10.55.172
/ip firewall nat add chain=srcnat src-address=192.168.123.73 action=src-nat to-addresses=10.10.55.173
/ip firewall nat add chain=srcnat src-address=192.168.123.74 action=src-nat to-addresses=10.10.55.174
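The same 1-to-1 mapping expressed with RouterOS's netmap action, added here as an example that is not part of the original post. netmap maps an address range onto a second range of the same size in one rule per direction, so the four pairs above collapse to two rules. The addresses are the 10.10.55.171-174 and 192.168.123.71-74 ranges named in the text and "wan" is the interface name used above; the forward-chain accept rule and its port (443) are an assumption showing that a NAT rule alone does not open the firewall.

```routeros
# Added example, not from the original post. Uses the post's address ranges and
# its "wan" interface; the filter rule and port 443 are an illustration.

/ip firewall nat
# public -> private, one rule for the whole range (171->71, 172->72, ...)
add chain=dstnat in-interface=wan dst-address=10.10.55.171-10.10.55.174 action=netmap to-addresses=192.168.123.71-192.168.123.74 comment="1:1 netmap public -> private"
# private -> public, so the servers' outbound traffic keeps its own public address
add chain=srcnat out-interface=wan src-address=192.168.123.71-192.168.123.74 action=netmap to-addresses=10.10.55.171-10.10.55.174 comment="1:1 netmap private -> public"

# dstnat only rewrites the destination; the forward chain still decides what is
# allowed in. Place a rule like this before any drop rules for that chain.
/ip firewall filter
add chain=forward in-interface=wan dst-address=192.168.123.71-192.168.123.74 connection-state=new protocol=tcp dst-port=443 action=accept comment="allow HTTPS to the mapped servers"

# Check the counters after a test connection from outside
/ip firewall nat print stats where comment~"netmap"
```

The public addresses still have to exist on the router (the /ip address lines above), and because every port of each public address is now reachable from the Internet, the forward chain should accept only the services each server really offers.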


Best Regards

Nawshad Ahmed
www.mikrotikacademybd.com
Mikrotik Router OS Training in Bangladesh

Friday, February 15, 2013

DoS attack Protection



  • Limit incoming connections
Addresses with too many connections can be added to an address list for blocking.

/ip firewall filter add chain=input protocol=tcp connection-limit=LIMIT,32 action=add-src-to-address-list  address-list=blocked-addr address-list-timeout=1d 
/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit 



where LIMIT is the maximum number of connections per IP address. LIMIT should be 100 or higher, since many services open multiple connections (HTTP, torrent and other P2P programs).
  • Action tarpit
Instead of simply dropping the attacker's packets (action=drop), the router can accept and hold the connections; with a powerful enough router this ties up the attacker's resources instead of the router's.
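The two rules above with the LIMIT placeholder filled in (100, the floor the text suggests) and a whitelist added, as an added example that is not part of the original post. Monitoring hosts and downstream NAT gateways legitimately open many connections to the router and would otherwise end up in the blocked list; the list name trusted and its address 192.0.2.10 are assumptions.

```routeros
# Added example, not from the original post. The "trusted" list and 192.0.2.10 are assumptions.

# Sources that are never counted against the limit
/ip firewall address-list add list=trusted address=192.0.2.10 comment="monitoring host"

/ip firewall filter
# connection-limit=100,32 counts concurrent TCP connections per /32 source address.
# Sources above the limit are listed for one day; the entry expires on its own.
add chain=input protocol=tcp src-address-list=!trusted connection-limit=100,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="flag sources with more than 100 concurrent TCP connections"
# Listed sources keep up to 3 connections; anything beyond that is held in the tarpit
add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit comment="tarpit flagged sources"

# Checks: who is currently flagged, and are the rules actually seeing traffic?
/ip firewall address-list print where list=blocked-addr
/ip firewall filter print stats where chain=input
```

Both rules sit in the input chain, so they protect services running on the router itself (Winbox, SSH, the hotspot portal); connections passing through the router to servers behind it are handled in the forward chain and would need equivalent rules there.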

www.mikrotikacademybd.com

Friday, January 25, 2013

Mikrotik Configuration Backup sent via Email

Log in to the Mikrotik router using WinBox.


First Step : =========Set up e-mail server and user information==========


In the Winbox main menu
click on ==> Tools ==> Email

Email settings
SMTP server : type the address of your outgoing mail server
port : 25
from : nawshad[at]bijoy.net

Second Step ===========Set up schedule============

Here we create a schedule that sends the backup to the e-mail address every 7 days.

Follow these steps to create the new schedule:
In the Winbox main menu
click on ===> System ==> Scheduler

Name : backup via email
start date :
Interval : 7d 00:00:00

## put the following commands in the On Event box ##

/system backup save name=emailback
/tool e-mail send file=emailback.backup to="nawshad@gmail.com" body="Backup of Mikrotik" subject="$[/system identity get name] $[/system clock get time] $[/system clock get date] Backup"
============================================
If you need any help regarding the above, please email info@mikrotikacademybd.com and visit our web site www.mikrotikacademybd.com
Best Regards

Nawshad Ahmed
Mikrotik Certified Trainer in Dhaka, Bangladesh
Mobile : 8801817040808