Sunday, November 30, 2008

Load-balancing and Fail-over in Mikrotik

Scenario: an ISP where we are the administrator uses more than one gateway to reach the Internet. Every link must be able to carry both upstream and downstream traffic; the case is different when a link can only carry downstream, for example a one-way VSAT DVB link.

In this case the ISP has two links to the Internet: one DSL line (256 kbps) and one wireless link (512 kbps), so the ratio DSL:Wireless = 1:2.

We will:

1. Use all available gateways with a load-balancing technique.
2. Make one of them a backup with a fail-over technique.

Ok. Let's just start:

1.
IP address for access to the LAN:
>/ip address add address=192.168.0.1/28 interface=LAN
IP address for access to the DSL lines:
>/ip address add address=10.31.57.253/29 interface=DSL
IP address for the access point to Wireless:
>/ip address add address=10.9.8.2/29 interface=Wireless

Add the ECMP default route listing every gateway; the wireless gateway is listed twice so that traffic is shared in the DSL:Wireless = 1:2 ratio:
>/ip route add gateway=10.32.57.254,10.9.8.1,10.9.8.1

2.
For the fail-over technique, assume the main route goes through the wireless link and the DSL line is the backup for when the main route cannot be used. Whether the main gateway is reachable is checked with ping (check-gateway=ping): when the ping check fails the marked route becomes inactive and the marked traffic falls back to the plain default route.
>/ip firewall mangle add chain=prerouting src-address=192.168.0.0/28 action=mark-routing new-routing-mark=SUBNET1-RM
>/ip route add gateway=10.9.8.1 routing-mark=SUBNET1-RM check-gateway=ping
>/ip route add gateway=10.32.57.254
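The two setups above behave differently: the ECMP route shares flows between the gateways in proportion to how often each appears in the list, while the marked route with check-gateway=ping sends everything one way until the ping check fails. The following Python model is an added illustration, not RouterOS code. It assumes that ECMP picks a gateway by hashing the (source, destination) pair over the gateway list (a stand-in for the per-connection selection RouterOS does, not its exact algorithm) and that a failed ping check simply removes a route from the lookup; the gateway addresses are the ones used in the commands above and the sample flows are constructed.

```python
"""Model of weighted ECMP and ping-checked fail-over as configured above."""
import hashlib
from dataclasses import dataclass, field
from typing import Optional

# Gateway addresses as used in the commands above.
DSL_GW = "10.32.57.254"
WIFI_GW = "10.9.8.1"


@dataclass
class Route:
    gateways: list                      # repeated entries = higher ECMP weight
    routing_mark: Optional[str] = None  # None = main routing table
    check_gateway: bool = False         # check-gateway=ping


@dataclass
class RoutingTable:
    routes: list
    dead: set = field(default_factory=set)   # gateways whose ping check failed

    def usable(self, route):
        """Gateways of a route that are still reachable."""
        if not route.check_gateway:
            return list(route.gateways)
        return [gw for gw in route.gateways if gw not in self.dead]

    def lookup(self, src, dst, mark=None):
        """Routes for the packet's routing mark are consulted first; if none
        is usable the lookup falls through to the main table (the fail-over).
        Assumption: ECMP choice = hash of (src, dst) over the gateway list."""
        for want in ([mark] if mark else []) + [None]:
            for r in self.routes:
                if r.routing_mark != want:
                    continue
                gws = self.usable(r)
                if gws:
                    h = hashlib.sha256(f"{src}>{dst}".encode()).digest()
                    return gws[int.from_bytes(h[:4], "big") % len(gws)]
        return None


def load_balanced():
    """The load-balancing setup: one ECMP route, wireless listed twice."""
    return RoutingTable([Route([DSL_GW, WIFI_GW, WIFI_GW])])


def fail_over():
    """The fail-over setup: marked route via wireless with ping check,
    plain default route via DSL as the backup."""
    return RoutingTable([
        Route([WIFI_GW], routing_mark="SUBNET1-RM", check_gateway=True),
        Route([DSL_GW]),
    ])


def gateway_share(table, flows, mark=None):
    """Fraction of the flows sent through each gateway."""
    counts = {}
    for src, dst in flows:
        gw = table.lookup(src, dst, mark)
        counts[gw] = counts.get(gw, 0) + 1
    return {gw: n / len(flows) for gw, n in counts.items()}


# Constructed sample: 1000 distinct LAN-to-Internet flows.
SAMPLE_FLOWS = [(f"192.168.0.{i % 14 + 2}", f"203.0.113.{i % 250}:{i}")
                for i in range(1000)]

if __name__ == "__main__":
    print("ECMP share:", gateway_share(load_balanced(), SAMPLE_FLOWS))
    t = fail_over()
    print("marked, wifi up:  ", gateway_share(t, SAMPLE_FLOWS, "SUBNET1-RM"))
    t.dead.add(WIFI_GW)          # ping check fails
    print("marked, wifi down:", gateway_share(t, SAMPLE_FLOWS, "SUBNET1-RM"))
```

Run it and the ECMP share comes out close to 1/3 DSL and 2/3 wireless, while the marked traffic moves entirely to DSL the moment the wireless gateway is marked dead; unmarked traffic never sees the marked route at all.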

PCQ

Using the pcq queue type in Mikrotik, we can share the available bandwidth equally among the clients, so that a single bandwidth hog cannot take the whole link at peak times on the network.

For example, we subscribe to 256 kbps. If only one user is active, that user can have the whole allocation. When friends arrive, say 9 of them, each of the 10 users gets about 256/10 kbps, still enough to open ordinary web sites or just check e-mail and blogs.

Ok, straight to how it is done:

1. Assumptions: the network address is 192.168.169.0/28, the interface facing the users is named LAN, and the interface facing the upstream provider is named INTERNET;
2. Type in the console or terminal:
>/ip firewall mangle add chain=forward src-address=192.168.169.0/28 action=mark-connection new-connection-mark=NET1-CM
>/ip firewall mangle add chain=forward connection-mark=NET1-CM action=mark-packet new-packet-mark=NET1-PM
>/queue type add name=downstream-pcq kind=pcq pcq-classifier=dst-address
>/queue type add name=upstream-pcq kind=pcq pcq-classifier=src-address
>/queue tree add parent=LAN queue=downstream-pcq packet-mark=NET1-PM
>/queue tree add parent=INTERNET queue=upstream-pcq packet-mark=NET1-PM

TOS and Prioritisation of ICMP and DNS in Mikrotik

Goals:
* Reduce the ping delay from the client side to the Internet.
* Speed up resolving host names to IP addresses.
Assumption: the clients are on the subnet 10.10.10.0/28

1. Type of Service marking for ICMP packets:

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=icmp action=mark-connection new-connection-mark=ICMP-CM passthrough=yes

>/ip firewall mangle add chain=prerouting connection-mark=ICMP-CM action=mark-packet new-packet-mark=ICMP-PM passthrough=yes

>/ip firewall mangle add chain=prerouting packet-mark=ICMP-PM action=change-tos new-tos=min-delay

2. Type of Service marking for DNS resolving:

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=tcp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes

>/ip firewall mangle add chain=prerouting src-address=10.10.10.0/28 protocol=udp dst-port=53 action=mark-connection new-connection-mark=DNS-CM passthrough=yes

>/ip firewall mangle add chain=prerouting connection-mark=DNS-CM action=mark-packet new-packet-mark=DNS-PM passthrough=yes

>/ip firewall mangle add chain=prerouting packet-mark=DNS-PM action=change-tos new-tos=min-delay

3. Adding a queue type:

>/queue type add name="PFIFO-64" kind=pfifo pfifo-limit=64

4. Allocating bandwidth for ICMP packets:

>/queue tree add name=ICMP parent=INTERNET packet-mark=ICMP-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64

5. Allocating bandwidth for DNS resolving:

>queue tree add name=DNS parent=INTERNET packet-mark=DNS-PM priority=1 limit-at=8000 max-limit=16000 queue=PFIFO-64
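The rules above (and the same two-stage pattern in the PCQ and queue-tree sections) mark the connection first and the packet second rather than marking packets directly. The reason is connection tracking: the src-address rule only matches the client's outgoing packet, but the connection mark it sets is found again when the reply comes back from the Internet, so the reply gets the packet mark and the min-delay TOS too. The Python model below is an added illustration, not RouterOS code: a minimal conntrack table plus a prerouting chain with passthrough=yes semantics, fed the seven rules from this section; the packets are constructed and the Internet host address is a documentation-range placeholder.

```python
"""Two-stage mangle marking (mark-connection, then mark-packet) with conntrack."""
from dataclasses import dataclass
from typing import Optional


@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                  # "icmp", "udp" or "tcp"
    dst_port: Optional[int] = None
    src_port: Optional[int] = None
    tos: Optional[str] = None
    packet_mark: Optional[str] = None
    connection_mark: Optional[str] = None   # looked up from conntrack


def ip_to_int(addr):
    return int.from_bytes(bytes(int(o) for o in addr.split(".")), "big")


def in_subnet(addr, cidr):
    net, bits = cidr.split("/")
    mask = (0xFFFFFFFF << (32 - int(bits))) & 0xFFFFFFFF
    return ip_to_int(addr) & mask == ip_to_int(net) & mask


def conn_key(pkt):
    """Direction-independent key so the reply finds the request's entry."""
    ends = sorted([(pkt.src, pkt.src_port), (pkt.dst, pkt.dst_port)], key=str)
    return (pkt.protocol, ends[0], ends[1])


class MangleChain:
    """Rules are dicts of matchers plus an action. passthrough=yes (the
    default here, as on the page) keeps evaluating after a match."""

    def __init__(self, rules):
        self.rules = rules
        self.conntrack = {}   # conn_key -> connection mark

    @staticmethod
    def matches(rule, pkt):
        # A matcher that is absent from the rule matches anything.
        if "src-address" in rule and not in_subnet(pkt.src, rule["src-address"]):
            return False
        if rule.get("protocol", pkt.protocol) != pkt.protocol:
            return False
        if rule.get("dst-port", pkt.dst_port) != pkt.dst_port:
            return False
        if rule.get("connection-mark", pkt.connection_mark) != pkt.connection_mark:
            return False
        if rule.get("packet-mark", pkt.packet_mark) != pkt.packet_mark:
            return False
        return True

    def process(self, pkt):
        pkt.connection_mark = self.conntrack.get(conn_key(pkt))
        for rule in self.rules:
            if not self.matches(rule, pkt):
                continue
            action = rule["action"]
            if action == "mark-connection":
                pkt.connection_mark = rule["new-connection-mark"]
                self.conntrack[conn_key(pkt)] = pkt.connection_mark
            elif action == "mark-packet":
                pkt.packet_mark = rule["new-packet-mark"]
            elif action == "change-tos":
                pkt.tos = rule["new-tos"]
            if not rule.get("passthrough", True):
                break
        return pkt


LAN = "10.10.10.0/28"
# The seven prerouting rules from this section, in order.
PREROUTING = [
    {"src-address": LAN, "protocol": "icmp", "action": "mark-connection", "new-connection-mark": "ICMP-CM"},
    {"connection-mark": "ICMP-CM", "action": "mark-packet", "new-packet-mark": "ICMP-PM"},
    {"packet-mark": "ICMP-PM", "action": "change-tos", "new-tos": "min-delay"},
    {"src-address": LAN, "protocol": "tcp", "dst-port": 53, "action": "mark-connection", "new-connection-mark": "DNS-CM"},
    {"src-address": LAN, "protocol": "udp", "dst-port": 53, "action": "mark-connection", "new-connection-mark": "DNS-CM"},
    {"connection-mark": "DNS-CM", "action": "mark-packet", "new-packet-mark": "DNS-PM"},
    {"packet-mark": "DNS-PM", "action": "change-tos", "new-tos": "min-delay"},
]


def run_exchange(chain, request):
    """Push a client request and the server's reply through the chain."""
    req = chain.process(request)
    reply = Packet(src=req.dst, dst=req.src, protocol=req.protocol,
                   dst_port=req.src_port, src_port=req.dst_port)
    return req, chain.process(reply)


if __name__ == "__main__":
    chain = MangleChain(PREROUTING)
    # Constructed DNS query; 198.51.100.53 is a documentation-range placeholder.
    req, rep = run_exchange(chain, Packet("10.10.10.5", "198.51.100.53", "udp", dst_port=53, src_port=40000))
    print("query:", req.packet_mark, req.tos, "| reply:", rep.packet_mark, rep.tos)
```

The reply packet has src 198.51.100.53, which matches none of the src-address rules, yet it still ends up with DNS-PM and min-delay because the connection-mark rule finds the entry the query created. Ordinary web traffic from the same client, and DNS queries from outside the subnet, pass through unmarked.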

Queue Tree with more than two interfaces

Basic Setup

This page talks about how to build a queue tree in RouterOS, with masquerading, for more than two interfaces. It is for sharing an Internet connection among users on each interface. The manual does not describe this possibility.

First, the basic settings. I'm using a machine with 3 or more network interfaces:

[admin@instaler] > in pr
# NAME TYPE RX-RATE TX-RATE MTU
0 R public ether 0 0 1500
1 R wifi1 wlan 0 0 1500
2 R wifi2 wlan 0 0 1500
3 R wifi3 wlan 0 0 1500

And this is the IP Addresses for each interface:

[admin@instaler] > ip ad pr
Flags: X - disabled, I - invalid, D - dynamic
# ADDRESS NETWORK BROADCAST INTERFACE
0 10.20.1.0/24 10.20.1.0 10.20.1.255 public
1 10.10.2.0/24 10.10.2.0 10.10.2.255 wifi1
2 10.10.3.0/24 10.10.3.0 10.10.3.255 wifi2
3 10.10.4.0/24 10.10.4.0 10.10.4.255 wifi3

On the public interface you can add NAT or a proxy if you want.

Mangle Setup

Now the most important part of this setup.

We need to mark our users' traffic: one connection mark for upload and a second one for download. In this example I add mangle rules for one user. At the end I add a mangle rule for local traffic, because I don't apply QoS to local traffic among users. But for each user I need to separate upload and download.

[admin@instaler] ip firewall mangle> print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=forward src-address=10.10.2.36 action=mark-connection
new-connection-mark=users-userU passthrough=yes comment="" disabled=no

1 chain=forward dst-address=10.10.2.36 action=mark-connection
new-connection-mark=users-userD passthrough=yes comment="" disabled=no

2 chain=forward connection-mark=users-userU action=mark-packet
new-packet-mark=userU passthrough=yes comment="" disabled=no

3 chain=forward connection-mark=users-userD action=mark-packet
new-packet-mark=userD passthrough=yes comment="" disabled=no

98 chain=forward src-address=10.10.0.0/16 dst-address=10.10.0.0/16
action=mark-connection new-connection-mark=users-lokal passthrough=yes

99 chain=forward connection-mark=users-lokal action=mark-packet
new-packet-mark=lokalTrafic passthrough=yes

Queue Tree Setup

Now the queue tree settings. We need one rule for downlink and one for uplink. Be careful when choosing the parent: for downlink traffic we use parent "global-out", because we have two or more downloading interfaces, and for uplink we use parent "public", the interface whose outgoing traffic we want to shape. (I'm using the pcq-upload and pcq-download queue types from the manual.) This example is for 2Mb/1Mb.

[admin@instaler] > queue tree pr
Flags: X - disabled, I - invalid
0 name="Download" parent=global-out packet-mark="" limit-at=0
queue=pcq-download priority=1 max-limit=2000000 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="Upload" parent=public packet-mark="" limit-at=0 queue=pcq-upload
priority=1 max-limit=1000000 burst-limit=0 burst-threshold=0
burst-time=0s

Now we add our user:

2 name="user10D" parent=Download packet-mark=userD limit-at=0
queue=pcq-download priority=5 max-limit=0 burst-limit=0
burst-threshold=0 burst-time=0s

3 name="user10U" parent=Upload packet-mark=userU limit-at=0
queue=pcq-upload priority=5 max-limit=0 burst-limit=0 burst-threshold=0
burst-time=0s

MAC Address + IP Address Binding on Linux

#!/bin/sh
iptables=/sbin/iptables

# define the default policy here
$iptables -F INPUT
$iptables -F OUTPUT
$iptables -P INPUT DROP
$iptables -P OUTPUT DROP   # remember to open up the OUTPUT policy later
$iptables -F FORWARD
$iptables -F -t nat
$iptables -P FORWARD DROP

# create a new chain called maccheck for everything arriving on eth1
$iptables -t mangle -F
$iptables -t mangle -F maccheck 2>/dev/null
$iptables -t mangle -X maccheck 2>/dev/null
$iptables -t mangle -N maccheck
$iptables -t mangle -I PREROUTING -i eth1 -p all -j maccheck

# self-explanatory ... registered ip address + mac pairs leave the chain unmarked
$iptables -t mangle -A maccheck -s 192.168.0.1 -i eth1 -m mac --mac-source 00:80:11:11:11:11 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.2 -i eth1 -m mac --mac-source 00:80:22:22:22:22 -j RETURN
$iptables -t mangle -A maccheck -s 192.168.0.3 -i eth1 -m mac --mac-source 00:80:33:33:33:33 -j RETURN

# everything that did not match a registered ip + mac pair is marked here and
# dropped below. The first rule shows the case where only one mac is active
# (00:80:11:11:11:11, defined above); the second catches all the rest.
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -m mac ! --mac-source 00:80:11:11:11:11 -j MARK --set-mark 1
$iptables -t mangle -A maccheck -s 0/0 -i eth1 -p all -j MARK --set-mark 1

# drop the marked packets
$iptables -A INPUT -i eth1 -m mark --mark 1 -j DROP
$iptables -A OUTPUT -o eth1 -m mark --mark 1 -j DROP
$iptables -A FORWARD -i eth1 -m mark --mark 1 -j DROP



Blocking Winbox and Neighbour Discovery Scans on Mikrotik


Sometimes the ISP or service provider is not very careful about protecting its customers, especially when the customers' routers run Mikrotik RouterOS. By opening IP > Neighbors we can see other Mikrotik routers that are physically connected to ours through the provider's network.
We can protect ourselves in various ways, such as blocking Winbox and neighbour discovery scans. Here is the easy way:

[admin@mikrotik] interface bridge> filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; block discovery mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop

1 ;;; block discovery mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=5678
ip-protocol=udp action=drop

2 ;;; block discovery mikrotik
chain=output mac-protocol=ip dst-port=5678 ip-protocol=udp action=drop

3 ;;; block winbox mikrotik
chain=input in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop

4 ;;; block winbox mikrotik
chain=forward in-interface=ether1 mac-protocol=ip dst-port=8291
ip-protocol=tcp action=drop

5 ;;; block request DHCP
chain=input mac-protocol=ip dst-port=68 ip-protocol=udp action=drop

6 ;;; block request DHCP
chain=forward mac-protocol=ip dst-port=68 ip-protocol=udp action=drop

7 ;;; block request DHCP
chain=output mac-protocol=ip dst-port=68 ip-protocol=udp action=drop

With these rules we close off some scans, especially those using Winbox and IP neighbour discovery. The ports above are the ones Mikrotik RouterOS uses for these services, and they are worth monitoring.

Different Bandwidth Limits for Day and Night in Mikrotik

There are many ways to limit bandwidth differently for day and night, but I found this to be the easiest way; here it is.

I have used a simple queue, a script and the scheduler.

Details: we have the 192.168.1.0/24 network and want to limit its bandwidth differently during the day and at night.

Network 192.168.1.0/24
Bandwidth 06:00 - 18:00: 1 Mbps.
Bandwidth 18:00 - 06:00: 2 Mbps.

Create two simple queues for the same network with different Bandwidth Limit.

/queue simple
add name="Day" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 parent=none direction=both priority=8 queue=default-small/default-small limit-at=512k/512k max-limit=1M/1M total-queue=default-small
add name="Night" target-addresses=192.168.1.0/24 dst-address=0.0.0.0/0 parent=none direction=both priority=8 queue=default-small/default-small limit-at=1M/1M max-limit=2M/2M total-queue=default-small

Now, write the scripts

/system script
add name="Day" source="/queue simple enable Day; /queue simple disable Night"
add name="Night" source="/queue simple enable Night; /queue simple disable Day"

Finally, Schedule it

/system scheduler
add name="Day" on-event=Day start-date=oct/13/2008 start-time=06:00:00 interval=1d
add name="Night" on-event=Night start-date=oct/13/2008 start-time=18:00:00 interval=1d

Traffic Monitor with Mikrotik Tools

To monitor the flow of data packets passing through a Mikrotik router interface, you can use the Torch tool. For more information, read the Torch section of the Tools chapter in the Mikrotik manual.

We can monitor packet flows by protocol type, source address, destination address and port. This facility, which comes with the system package when Mikrotik RouterOS is installed, makes administering the router easier: from it we can judge whether the data flowing through our machine is normal or not, monitor flooding, monitor malware activity, and so on.

It is easy enough to use; for more comfortable monitoring, open it through Winbox after logging in to the router, as shown in the image below.

Torch can be reached in Winbox from the Tools menu > Torch. Click the Torch menu item and the Torch window is displayed.


It can also be reached through IP > ARP. In the ARP List window, select the IP address and MAC address to monitor, then right-click to open Torch.

Note that the items in the Torch window are clearly described in the manual referenced above. Click the Start button to start Torch. Now we can monitor the packet flow through the router machine. If there is suspicious traffic, take further action.

In the list above, I monitor the traffic flow from the source IP address (Src. Address) 192.168.0.13 through the LAN interface. Looking closely, there is source port 514 (syslog), IP protocol UDP (17), going to the destination IP address (Dst. Address) 192.168.0.14, and indeed a syslog daemon is running on a Windows XP PC as the remote store for the Mikrotik router's log: the PC has the IP address 192.168.0.13 and the router's remote address is 192.168.0.14, active on port 514 (UDP). We can choose the source address (Src. Address) of the client we want to watch, then select the port, destination address and protocol.



Saturday, November 29, 2008

How to Block a Customer (Hotspot) and Tell him to Pay the Bill


Sometimes you may need to cut off a customer and tell him to pay his bill. It's best done by redirecting his http requests to a page with information telling him to pay in order to get reconnected. You can do it with a simple destination NAT rule that captures all http requests from a specific address and sends them to a server with a web page telling him to pay the bill. However, it's quite easy to make this using the HotSpot feature of RouterOS. Please note that this doesn't work with PPPoE connections.

To make this setup, you should have Hotspot package enabled on the RouterOS. This example will cover how to block customer's computer. When he tries to open a webpage he would be redirected to the hotspot page which will contain info that he hasn't paid the bill for the Internet access. Your router should have already been configured and working (customer should have access to the Internet), you should have the DNS server specified in the router.

First you should edit the Hotspot login.html page with the text that contains information that will be shown to the customers who haven't paid their bills. It could be something like this: "Service not available, please pay the bill and contact us by phone to get reconnected". This page can be found within the hotspot folder of RouterOS.

Next, add an ip-binding rule that will allow all customers to bypass the hotspot page. It is done using such a command:

/ip hotspot ip-binding add type=bypassed address=0.0.0.0/0 \
comment="bypass the hotspot for all the paying customers"

After that add the Hotspot server on the interface where your clients are connected. It can be done using such command:

/ip hotspot add interface=local disabled=no

Now you can add ip-binding rules for the customers that haven't paid their bill. You can match them by IP address or MAC address. Here is an example using MAC address:

/ip hotspot ip-binding add mac-address=00:0C:42:00:00:90 type=regular comment="Non paying client 1"

Now we have such configuration:

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 P ;;; bypass the hotspot for all the paying customers
0.0.0.0/0
1 ;;; Non paying client 1
00:0C:42:00:00:90

There is one more step to make it work: you should change the order of these rules. The blocking rule must be above the bypass rule so that it can be processed. You can move it using the move command:

[admin@MikroTik] ip hotspot ip-binding> move 1 0

Now the ip-binding configuration should look like this:

[admin@MikroTik] ip hotspot ip-binding> print
Flags: X - disabled, P - bypassed, B - blocked
# MAC-ADDRESS ADDRESS TO-ADDRESS SERVER
0 ;;; Non paying client 1
00:0C:42:00:00:90
1 P ;;; bypass the hotspot for all the paying customers
0.0.0.0/0

If the customers can pay their bill over the Internet you can modify login.html by adding links to the clients' bank web page where they can pay their bill. After you add these links to the login page you should also add them to the hotspot configuration so that the blocked customer can access that page. This is done in the 'ip hotspot walled-garden ip' menu. Here is an example:

/ip hotspot walled-garden ip add dst-host=www.paypal.com
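The ip-binding list is evaluated top to bottom and the first matching entry wins, which is why the `move 1 0` step above matters: with the 0.0.0.0/0 bypass entry first, the non-paying client's MAC entry is never reached. The Python model below is an added illustration, not RouterOS code. It evaluates the two binding lists from this post (before and after the move) and then the walled-garden check that lets a blocked client reach the payment page; the MAC address and host are the ones from the post, the client IP addresses are constructed, and the walled-garden lookup is simplified to an exact host-name match.

```python
"""First-match evaluation of hotspot ip-binding entries plus walled garden."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional


@dataclass
class Binding:
    type: str                      # "bypassed", "regular" or "blocked"
    mac_address: Optional[str] = None
    address: Optional[str] = None  # host address or CIDR network
    comment: str = ""

    def matches(self, mac, ip):
        if self.mac_address and self.mac_address.lower() != mac.lower():
            return False
        if self.address and ip_address(ip) not in ip_network(self.address, strict=False):
            return False
        return True


def first_match(bindings, mac, ip):
    """RouterOS semantics: the first entry that matches decides."""
    for b in bindings:
        if b.matches(mac, ip):
            return b
    return None


def http_decision(bindings, walled_garden, mac, ip, dst_host):
    """What happens to an unauthenticated HTTP request from this client."""
    b = first_match(bindings, mac, ip)
    if b is not None and b.type == "bypassed":
        return "pass"                 # paying customer: hotspot not involved
    if b is not None and b.type == "blocked":
        return "drop"
    if dst_host in walled_garden:
        return "pass"                 # reachable without login (payment page)
    return "redirect-to-login"        # the customer sees login.html


MAC_NONPAYING = "00:0C:42:00:00:90"
BYPASS_ALL = Binding("bypassed", address="0.0.0.0/0",
                     comment="bypass the hotspot for all the paying customers")
BLOCK_ONE = Binding("regular", mac_address=MAC_NONPAYING,
                    comment="Non paying client 1")
WALLED_GARDEN = {"www.paypal.com"}

BEFORE_MOVE = [BYPASS_ALL, BLOCK_ONE]   # order as first configured
AFTER_MOVE = [BLOCK_ONE, BYPASS_ALL]    # order after `move 1 0`

if __name__ == "__main__":
    # Constructed client addresses.
    for name, bindings in (("before move", BEFORE_MOVE), ("after move", AFTER_MOVE)):
        print(name, "non-paying ->", http_decision(bindings, WALLED_GARDEN, MAC_NONPAYING, "10.5.50.10", "example.net"),
              "| bank ->", http_decision(bindings, WALLED_GARDEN, MAC_NONPAYING, "10.5.50.10", "www.paypal.com"))
```

Before the move the non-paying client passes straight through because the catch-all bypass matches first; after the move the client is redirected to the login page for every host except the walled-garden one, while any other MAC still hits the bypass entry.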

Setting Up Mikrotik PPPoE Server

This is a straight-forward guide on setting up Mikrotik RouterOS PPPoE service. To use this guide, you should already have Mikrotik RouterOS running and at least level 1 license.

Warning:

This guide will modify your current configuration; the author shall not be held liable for any damages, including loss or white hairs, resulting from following this guide. You've been warned, proceed at your own risk.

1. Log in to your Mikrotik router and click on PPP in the left menu.

2. Click on interfaces and click the “+” icon then click PPPoE Server, Type in the name or leave it as is and click OK.

3. After creating the PPPoE server incoming interface, click on PPPoE Server button, the PPPoE server list window will then pop-up. Click on the “+” icon, Type in the service name or use the default name, under the interface selection box select the incoming interface or the interface where the PPPoE server will accept incoming connections. Click OK.


4. Now that the PPPoE service is enabled, it's time to add a dial-in user. Click on the Secrets tab and then on the "+" icon. Type in the username of the dial-in user you want to create and the password; under Service select pppoe, leave the profile at its default value, type the router's IP address in the Local Address box, then the IP address to be assigned to the dial-in user. Click OK.



PPPoE Server Testing

1. We have the PPPoE server set up; now it's time to establish a connection to it. Create a new network connection the same way you would create a dial-up connection, but instead of a modem use PPPoE. Enter the username and password and connect.

Viewing PPPoE connections

1. To view current PPPoE connections in Mikrotik router, click on Active Connections tab.








Tutorial Mikrotik VPN : EoIP

Ethernet over IP (EoIP) tunneling is a Mikrotik RouterOS protocol that creates an Ethernet tunnel between two routers on top of an IP connection. The EoIP interface appears as an Ethernet interface.
When the bridging function of the router is enabled, all Ethernet-level traffic (all Ethernet protocols) is bridged just as if there were a physical Ethernet interface and cable between the two routers (with bridging enabled). This protocol makes multiple network schemes possible.

Network setups with EoIP interfaces:

* Possibility to bridge LANs over the internet
* Possibility to bridge LANs over encrypted tunnels
* Possibility to bridge LANs over 802.11b 'ad-hoc' wireless networks

An EoIP interface should be configured on two routers that have the possibility of an IP-level connection. The EoIP tunnel may run over an IPIP tunnel, a PPTP 128-bit encrypted tunnel, a PPPoE connection, or any connection that transports IP. Specific properties:

* Each EoIP tunnel interface can connect with one remote router which has a corresponding interface configured with the same 'Tunnel ID'.
* The EoIP interface appears as an Ethernet interface under the interface list.
* This interface supports all features of an Ethernet interface. IP addresses and other tunnels may be run over the interface.
* The EoIP protocol encapsulates Ethernet frames in GRE (IP protocol number 47) packets (just like PPTP) and sends them to the remote side of the EoIP tunnel.
* Maximal count of EoIP tunnels is 65536
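The two properties that matter most in practice are that the remote side must carry the same Tunnel ID and that the whole Ethernet frame is carried inside a GRE packet. The Python model below is an added illustration, not RouterOS code: it uses standard GRE (RFC 2784/2890) with the Key field holding the tunnel ID and protocol type 0x6558 (Transparent Ethernet Bridging). Mikrotik's own EoIP header is a GRE variant that is not byte-identical to this layout, so treat it as a model of the mechanism rather than a wire-compatible implementation; the two routers are plain Python objects, the IP path is a direct method call, and the sample frame is constructed.

```python
"""Ethernet frames inside keyed GRE, as a model of an EoIP tunnel."""
import struct

GRE_KEY_PRESENT = 0x2000   # K bit in the GRE flags word
ETH_BRIDGING = 0x6558      # GRE protocol type for bridged Ethernet frames
ETH_HEADER = struct.Struct("!6s6sH")   # dst MAC, src MAC, ethertype
GRE_HEADER = struct.Struct("!HHI")     # flags, protocol type, key (tunnel ID)


def build_frame(dst_mac, src_mac, ethertype, payload):
    return ETH_HEADER.pack(dst_mac, src_mac, ethertype) + payload


def parse_frame(frame):
    dst, src, ethertype = ETH_HEADER.unpack_from(frame)
    return {"dst": dst, "src": src, "ethertype": ethertype,
            "payload": frame[ETH_HEADER.size:]}


def encapsulate(tunnel_id, frame):
    """Wrap a whole Ethernet frame in a keyed GRE header."""
    return GRE_HEADER.pack(GRE_KEY_PRESENT, ETH_BRIDGING, tunnel_id) + frame


def decapsulate(expected_tunnel_id, packet):
    """Return the inner frame, or None if the packet is not for this tunnel."""
    if len(packet) < GRE_HEADER.size:
        return None
    flags, proto, key = GRE_HEADER.unpack_from(packet)
    if flags != GRE_KEY_PRESENT or proto != ETH_BRIDGING or key != expected_tunnel_id:
        return None
    return packet[GRE_HEADER.size:]


class EoipEndpoint:
    """One side of the tunnel: a tunnel ID plus a bridge that learns MACs."""

    def __init__(self, tunnel_id):
        self.tunnel_id = tunnel_id
        self.link = None        # the peer; stands in for the IP path
        self.delivered = []     # frames handed to the local bridge
        self.mac_table = {}     # learned src MAC -> port

    def send(self, frame):
        self.link.receive(encapsulate(self.tunnel_id, frame))

    def receive(self, packet):
        frame = decapsulate(self.tunnel_id, packet)
        if frame is None:
            return False        # wrong tunnel ID or not bridged Ethernet: ignored
        self.mac_table[parse_frame(frame)["src"]] = "eoip"
        self.delivered.append(frame)
        return True


def connect(a, b):
    a.link, b.link = b, a


def bridge_over_tunnel(tunnel_id_r1, tunnel_id_r2):
    """R1 bridges one frame to R2; returns (r1, r2, frames R2 delivered)."""
    r1, r2 = EoipEndpoint(tunnel_id_r1), EoipEndpoint(tunnel_id_r2)
    connect(r1, r2)
    # Constructed broadcast frame with the PPPoE Discovery ethertype (0x8863),
    # the kind of frame the PPPoE setup below relies on crossing the tunnel.
    frame = build_frame(b"\xff" * 6, bytes.fromhex("020000000001"), 0x8863,
                        bytes.fromhex("11090000000401010000"))
    r1.send(frame)
    return r1, r2, r2.delivered


if __name__ == "__main__":
    _, r2, delivered = bridge_over_tunnel(7, 7)
    print("matching IDs: delivered", len(delivered), "frame(s); learned", r2.mac_table)
    _, _, delivered = bridge_over_tunnel(7, 8)
    print("mismatched IDs: delivered", len(delivered), "frame(s)")
```

With matching tunnel IDs the frame arrives intact and R2's bridge learns the source MAC through the tunnel port; with different IDs the packet is silently ignored. Note that the key travels in clear inside the GRE header, which is why the page lists bridging over an encrypted tunnel (for example PPTP) as the option when confidentiality is needed.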

This is how to set up EoIP to bridge two (or more) Mikrotik routers for central PPPoE authentication

Use 2 routers called R1 and R2 that have an IP connection between them (i.e. you can ping R2 from R1 and R1 from R2), where R2 has 2 Ethernet ports: the port facing R1 is called eth1 and its other port is called eth2.

1. Create a new EoIP tunnel on R1.
2. Create a new EoIP tunnel on R2, where the tunnel ID is the same as the one on R1 but the MAC address is different.
3. Create a new bridge on R1 and on R2.
4. Add a PPPoE server to the bridge on R1.
5. On R2, add eth2 and the EoIP tunnel to the bridge.
6. Put an IP address onto eth2 (any address seems to work, but it may be better to use a different subnet for routing purposes).

Now you should be able to establish a PPPoE connection from a PC plugged into the eth2 port on router R2; this PPPoE connection will terminate on router R1.

This is not the most efficient way to use the available bandwidth on a network, but it is perhaps easier than having a PPPoE access concentrator (A/C) on every Mikrotik router and using RADIUS, as you can keep the PPP secrets on one router.

Friday, November 28, 2008

How to Block Websites with Mikrotik proxy

This example will explain how to block web sites and how to stop downloads. I have used the web-proxy-test package.

First, Configure Proxy.

/ip proxy
enabled: yes
src-address: 0.0.0.0
port: 8080
parent-proxy: 0.0.0.0:0
cache-drive: system
cache-administrator: "ASHISH PATEL"
max-disk-cache-size: none
max-ram-cache-size: none
cache-only-on-disk: no
maximal-client-connections: 1000
maximal-server-connections: 1000
max-object-size: 512KiB
max-fresh-time: 3d

Now, Make it Transparent

/ip firewall nat
chain=dstnat protocol=tcp dst-port=80
action=redirect to-ports=8080

Make sure that your proxy is NOT a Open Proxy

/ip firewall filter
chain=input in-interface=PUBLIC src-address=0.0.0.0/0
protocol=tcp dst-port=8080 action=drop

(The original omits the interface name; PUBLIC is a placeholder for your Internet-facing interface. Without in-interface the rule would also drop the redirected requests from your own clients.)

Now for Blocking Websites

/ip proxy access
dst-host=www.aaa07.com action=deny

This blocks the web site http://www.aaa07.com. We can also block it only for particular networks by giving src-address; the rule then blocks it only for that source address.

We can also stop the downloading of files such as .mp3, .mp4, etc.

/ip proxy access
path=*.mp3 action=deny
path=*.mp4 action=deny

Try this as well:

/ip proxy access
dst-host=:mail action=deny

This blocks all web sites whose host name contains the word "mail" (the leading colon makes the pattern a regular expression rather than a wildcard match).

Example: it will block www.hotmail.com, mail.yahoo.com, ...
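The access rules above are matched in order, the first matching rule decides, and the patterns come in two flavours: plain wildcard strings (`*` and `?`) and, with a leading colon, regular expressions. The Python matcher below is an added illustration, not RouterOS code; it assumes those RouterOS wildcard and regex semantics (case-insensitive, regex searched anywhere in the host name), uses the four rules from this section plus one src-address-scoped rule, and the request URLs and client addresses are constructed.

```python
"""First-match evaluation of /ip proxy access rules with wildcard and :regex patterns."""
import fnmatch
import re
from ipaddress import ip_address, ip_network
from urllib.parse import urlsplit


def pattern_matches(pattern, value):
    """No pattern matches everything; ':re' is a regex search; else a wildcard."""
    if pattern is None:
        return True
    if pattern.startswith(":"):
        return re.search(pattern[1:], value, re.IGNORECASE) is not None
    return fnmatch.fnmatchcase(value.lower(), pattern.lower())


def access_decision(rules, src_ip, url):
    parts = urlsplit(url)
    host = parts.hostname or ""
    path = parts.path or "/"
    for rule in rules:
        src = rule.get("src-address")
        if src and ip_address(src_ip) not in ip_network(src, strict=False):
            continue
        if not pattern_matches(rule.get("dst-host"), host):
            continue
        if not pattern_matches(rule.get("path"), path):
            continue
        return rule["action"]
    return "allow"   # nothing matched: the proxy serves the request


# The rules from this section, in order.
PROXY_ACCESS = [
    {"dst-host": "www.aaa07.com", "action": "deny"},
    {"path": "*.mp3", "action": "deny"},
    {"path": "*.mp4", "action": "deny"},
    {"dst-host": ":mail", "action": "deny"},
]

# The src-address variant mentioned in the text: block only for one network.
SCOPED_ACCESS = [
    {"src-address": "192.168.2.0/24", "dst-host": "www.aaa07.com", "action": "deny"},
]

# Constructed sample requests: (client address, URL).
SAMPLE_REQUESTS = [
    ("192.168.1.10", "http://www.aaa07.com/"),
    ("192.168.1.10", "http://www.hotmail.com/"),
    ("192.168.1.10", "http://mail.yahoo.com/inbox"),
    ("192.168.1.10", "http://example.org/music/song.mp3"),
    ("192.168.1.10", "http://example.org/index.html"),
]

if __name__ == "__main__":
    for ip, url in SAMPLE_REQUESTS:
        print(f"{access_decision(PROXY_ACCESS, ip, url):5}  {url}")
```

The `:mail` rule is a substring search, so it also denies any host that merely contains those letters; a regex like `:^mail\.` or `:mail\.[a-z]+$` would be narrower. Also remember that the transparent redirect above only captures TCP port 80, so these proxy rules do not see requests on other ports.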


Wireless Hotspot Server topology Mikrotik

The MikroTik HotSpot Gateway enables public network access for clients using wireless or wired network connections. HotSpot Gateway features:

* authentication of clients using the local client database or a RADIUS server
* accounting using the local database or a RADIUS server
* walled-garden system (accessing some web pages without authorization)

Quick Setup Guide

The most noticeable difference in user experience when setting up the HotSpot system in version 2.9, compared with previous RouterOS versions, is that it has become an order of magnitude easier to set up a correctly working HotSpot system.

Given a router with two interfaces: Local (where HotSpot clients are connected to) and Public, which is connected to the Internet. To set up HotSpot on the Local interface:

first, a valid IP configuration is required on both interfaces. This can be done with the /setup command. In this example we assume a configuration with a DHCP server on the Local interface

a valid DNS configuration must be set up in the /ip dns submenu

To put HotSpot on the Local interface, using the same IP address pool as DHCP server uses for that interface: /ip hotspot add interface=local address-pool=dhcp-pool-1

and finally, add at least one HotSpot user: /ip hotspot user add name=admin

These simple steps should be sufficient to enable HotSpot system

Please find many HotSpot How-tos, which will answer most of your questions about configuring a HotSpot gateway, at the end of this manual. It is still recommended that you read and understand the whole Description section before deploying a HotSpot system. For the complete configuration please visit: http://www.mikrotik.com/testdocs/ros/2.9/ip/hotspot.php

Local Users via Radius Authentication Server




This manual discusses how to make two users ex and ex2 which are members of different groups and are authenticated with RADIUS.

For the purposes of this manual we use Debian GNU/Linux system and FreeRADIUS RADIUS server. Both these products are free software.

*** Mikrotik Router Configuration

Configure the router with proper RADIUS server connection parameters.

[admin@Mikrotik] radius> add service=login address=1.1.1.1 secret="xxx" disabled=no
[admin@Mikrotik] radius> print detail
Flags: X - disabled
0 service=login called-id="" domain="" address=1.1.1.1 secret="xxx"
authentication-port=1812 accounting-port=1813 timeout=300ms accounting-backup=no
[admin@Mikrotik] radius>

Enable local user authorization service to use RADIUS server

[admin@Mikrotik] user aaa> set use-radius=yes
[admin@Mikrotik] user aaa> print
use-radius: yes
accounting: yes
interim-update: 0s
default-group: read
[admin@Mikrotik] user aaa>

*** FreeRADIUS server installation and configuration

Install FreeRADIUS server package

root@wildcat:/etc# apt-get install freeradius
Reading Package Lists... Done
Building Dependency Tree... Done
Suggested packages:
freeradius-ldap freeradius-mysql freeradius-krb5 freeradius-iodbc
The following NEW packages will be installed:
freeradius
0 upgraded, 1 newly installed, 0 to remove and 269 not upgraded.
Need to get 0B/1788kB of archives.
After unpacking 4362kB of additional disk space will be used.
Selecting previously deselected package freeradius.
(Reading database ... 60006 files and directories currently installed.)
Unpacking freeradius (from .../freeradius_0.9.3-1_i386.deb) ...
Setting up freeradius (0.9.3-1) ...
Group freerad does already exist as a system group. Exiting...
freerad: freerad shadow
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon:
freeRADIUS.
Starting FreeRADIUS daemon: Tue Sep 14 10:50:30 2008 : info:
Starting
- Reading configuration files...
freeradius.

root@wildcat:/etc#

Open the files /etc/freeradius/clients.conf and add the following record:

client 1.1.1.3 {
secret = xxx
shortname = xxx
}

This record represents the reachable MT router's address (the src-address of packets coming from the MT router).

Open the file /etc/freeradius/users and add the following line:

ex User-Password == "ex"

This adds a user named ex which will belong to the default group specified under the /user aaa submenu.

To add a user belonging to a group other than the default, you need to send the Group attribute to the router.
Open the /etc/freeradius/users file once more and add a second user named ex2 which will be a member of the group full (the reply attribute goes on an indented line under the user):

ex2 User-Password == "ex2"
        Group = "full"

Do not forget to update FreeRADIUS dictionary with additional attributes! Open /etc/freeradius/dictionary file and add the following:

VENDOR Mikrotik 14988

ATTRIBUTE Recv-limit 1 integer Mikrotik
ATTRIBUTE Xmit-Limit 2 integer Mikrotik
ATTRIBUTE Group 3 string Mikrotik
ATTRIBUTE Wireless-Forward 4 integer Mikrotik
ATTRIBUTE Wireless-Skip-Dot1x 5 integer Mikrotik
ATTRIBUTE Wireless-Enc-Algo 6 integer Mikrotik
ATTRIBUTE Wireless-Enc-Key 7 string Mikrotik
ATTRIBUTE Rate-Limit 8 string Mikrotik
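The dictionary above tells FreeRADIUS that Mikrotik is vendor 14988 and that Group is vendor attribute 3 of type string; on the wire this travels inside a standard RADIUS Vendor-Specific attribute (type 26), and the shared secret from the radius entry ("xxx" above) is what hides the User-Password in the Access-Request. The Python below is an added illustration, not FreeRADIUS or RouterOS code: it packs the Group value as an RFC 2865 VSA the way the server would put it in the Access-Accept for ex2, parses it back with length checks, and implements the RFC 2865 section 5.2 User-Password hiding. The request authenticator and secret used here are constructed values.

```python
"""RADIUS Vendor-Specific attribute packing and User-Password hiding (RFC 2865)."""
import hashlib
import struct

VENDOR_MIKROTIK = 14988      # from the dictionary entry above
ATTR_VENDOR_SPECIFIC = 26    # RFC 2865 attribute type
MIKROTIK_GROUP = 3           # "ATTRIBUTE Group 3 string Mikrotik"


def pack_vsa(vendor_id, vendor_type, value: bytes):
    """Type(26) Length Vendor-Id Vendor-Type Vendor-Length Value."""
    inner = struct.pack("!BB", vendor_type, 2 + len(value)) + value
    body = struct.pack("!I", vendor_id) + inner
    return struct.pack("!BB", ATTR_VENDOR_SPECIFIC, 2 + len(body)) + body


def unpack_attributes(data):
    """Walk a RADIUS attribute list; VSAs come back as (vendor, type, value),
    plain attributes as (None, type, value). Lengths are validated because a
    peer-supplied length is the classic place for a parser to walk off the end."""
    out, i = [], 0
    while i < len(data):
        t, l = data[i], data[i + 1]
        if l < 2 or i + l > len(data):
            raise ValueError("malformed attribute length")
        v = data[i + 2:i + l]
        if t == ATTR_VENDOR_SPECIFIC:
            vendor = struct.unpack("!I", v[:4])[0]
            j = 4
            while j < len(v):
                vt, vl = v[j], v[j + 1]
                if vl < 2 or j + vl > len(v):
                    raise ValueError("malformed VSA length")
                out.append((vendor, vt, v[j + 2:j + vl]))
                j += vl
        else:
            out.append((None, t, v))
        i += l
    return out


def hide_password(password: bytes, secret: bytes, authenticator: bytes):
    """RFC 2865 5.2: pad to 16 bytes, XOR each block with MD5(secret + previous block)."""
    padded = password + b"\x00" * (-len(password) % 16)
    out, prev = b"", authenticator
    for k in range(0, len(padded), 16):
        mask = hashlib.md5(secret + prev).digest()
        block = bytes(a ^ b for a, b in zip(padded[k:k + 16], mask))
        out, prev = out + block, block
    return out


def reveal_password(hidden: bytes, secret: bytes, authenticator: bytes):
    out, prev = b"", authenticator
    for k in range(0, len(hidden), 16):
        mask = hashlib.md5(secret + prev).digest()
        out += bytes(a ^ b for a, b in zip(hidden[k:k + 16], mask))
        prev = hidden[k:k + 16]
    return out.rstrip(b"\x00")


def access_accept_group(group: str):
    """Attribute bytes the server sends back for a user with Group = "full"."""
    return pack_vsa(VENDOR_MIKROTIK, MIKROTIK_GROUP, group.encode())


def group_from_attributes(data):
    for vendor, t, v in unpack_attributes(data):
        if vendor == VENDOR_MIKROTIK and t == MIKROTIK_GROUP:
            return v.decode()
    return None


if __name__ == "__main__":
    attrs = access_accept_group("full")
    print("VSA bytes:", attrs.hex(), "-> group", group_from_attributes(attrs))
    auth = bytes(range(16))            # constructed request authenticator
    hidden = hide_password(b"ex2", b"xxx", auth)
    print("hidden User-Password:", hidden.hex(), "->", reveal_password(hidden, b"xxx", auth))
```

The VSA for Group = "full" is twelve bytes: 1a 0c, the vendor id 00 00 3a 8c (14988), then 03 06 and the four characters. The password hiding is reversible XOR keyed only by MD5 of the shared secret and the 16-byte authenticator, which is why the secret on both sides (secret="xxx" on the router, secret = xxx in clients.conf) has to be strong and why RADIUS traffic is normally kept on a protected management network.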

Restart FreeRADIUS server.

root@wildcat:/etc# /etc/init.d/freeradius restart
Restarting FreeRADIUS daemon: Stopping FreeRADIUS daemon:
freeradius
Starting FreeRADIUS daemon: Tue Sep 14 12:02:05 2008 : info:
Starting
- reading configuration files ...
freeradius.
root@wildcat:/etc#

===================
Configuration testing

To test the configuration, log on to your router as either the ex or the ex2 user. Note that user ex has only read permissions, while user ex2 has full permissions, e.g. he can create new users.


Mikrotik OS To Bandwidth Management

MikroTik RouterOS is an operating system that turns a computer into a reliable network router. It includes many networking and wireless features, one of which is bandwidth management. Here are the most basic initial settings for bandwidth management in Mikrotik.

A. Install OS Mikrotik

1. Prepare your PC: at least a Pentium II, 64 MB of RAM, and a 500 MB hard disk or a 64 MB flash disk
2. The server/PC must have at least 2 Ethernet cards, 1 to the outside and 1 to the local network whose bandwidth will be managed
3. Burn the Mikrotik OS source to a CD and insert it into the CD-ROM
4. Boot from the CD-ROM
5. Follow the instructions; use next and the defaults
6. Install the main package; it is best to mark all the other packages as well
7. After all the packages are marked for installation press "I"

B. Setting Basic Mikrotik
1. Log in as admin; the default password is blank, so just press Enter
2. After reaching the command prompt type:
[admin@BaseStation]>ip address add address=222.124.21.26/29 interface=ether1
3. Replace this with your own IP address and the interface you will use for temporary remote access
4. Ping the Mikrotik server from another computer
5. Once connected, proceed to the next step, but do not repeat step 2

C. Advanced Settings
1. Open the Mikrotik IP address in a browser; a welcome and sign-in page appears
2. Click the Download link to download WinBox, which is used for remote GUI management of Mikrotik
3. Run WinBox and log in as admin with a blank password
4. Go to the Interface menu and add any interface that is not there yet by clicking +
5. Also add a "bridge" interface to enable Mikrotik as a bridge

D. Setting Bandwidth Limiter
1. Click the menu IP > Firewall > Mangle
Create a rule (click the red +) with the following parameters. On the General tab: Chain=forward, Src. Address=192.168.0.2 (or the IP you want to limit). On the Action tab: Action=mark connection, New Connection Mark=ropix-con (or whatever name you give the connection mark). Click Apply and OK.

Create a rule with the following parameters. On the General tab: Chain=forward, Connection Mark=ropix-con (select it from the dropdown menu). On the Action tab: Action=mark packet, New Packet Mark=ropix (or whatever name you give the packet mark). Click Apply and OK.

2. Click the menu Queues > Queue Tree
Create a rule (click the red +) with the following parameters. On the General tab: Name=ropix-downstream (e.g.), Parent=ether2 (my LAN-side interface), Packet Mark=ropix (select it from the dropdown, as created in mangle), Queue Type=default, Priority=8, Limit At=8k (the guaranteed minimum bandwidth), Max Limit=64k (the bandwidth limit). Click Apply and OK.
Create a rule with the following parameters. On the General tab: Name=ropix-upstream (e.g.), Parent=ether1 (my Internet-side interface), Packet Mark=ropix (select it from the dropdown, as created in mangle), Queue Type=default, Priority=8, Limit At=8k (the guaranteed minimum upstream bandwidth), Max Limit=64k (the bandwidth limit). Click Apply and OK.
3. Try browsing and downloading from the limited IP and watch the rate counters in the queue rules; I have not tested further steps
4. A green icon means the bandwidth limit is not reached (normal), yellow means it is getting close to the limit, and red means the limit is fully used.

Mikrotik Configured as a Gateway server

The following steps are the basic Mikrotik setup for a simple network in which it acts as a gateway server.

1. The first step is to install Mikrotik RouterOS on a PC or on a DiskOnModule (DOM).

2. Log in to the Mikrotik router through the console:
Mikrotik v2.9.7
Login: admin
Password: (empty)

At this point we are logged in to the Mikrotik. The default user is admin with no password: type admin and press Enter.

3. Change the default password for security:
[admin@Mikrotik]>password
old password: ******
new password: ******
Retype new password: ******
[admin@Mikrotik]>

4. Change the Mikrotik router name; in this step the server name is changed to "BaseStation"
[admin@Mikrotik]>system identity set name="BaseStation"
[admin@BaseStation]>

5. View the interfaces on the Mikrotik router
[admin@BaseStation]>interface print
Flags: X - disabled, D - dynamic, R - running
#NAME TYPE RX-RATE TX-RATE MTU
0 R ether1 ether 0 0 1500
1 R ether2 ether 0 0 1500
[admin@BaseStation]>

6. Assign IP addresses to the Mikrotik interfaces. For example, ether1 will be used to connect to the internet with IP 192.168.0.1, and ether2 for our local network with IP 172.16.0.1

[admin@BaseStation]>ip address add address=192.168.0.1 netmask=255.255.255.0 interface=ether1
[admin@BaseStation]>ip address add address=172.16.0.1/24 interface=ether2

7. View the IP address configuration we have just entered
[admin@BaseStation]>ip address print
Flags: X - disabled, I - invalid, D - dynamic
#ADDRESS NETWORK BROADCAST INTERFACE
0 192.168.0.1/24 192.168.0.0 192.168.0.63 ether1
1 172.16.0.1/24 172.16.0.0 172.16.0.255 ether2
[admin@BaseStation]>

8. Add a default gateway; the gateway to the internet connection is assumed to be 192.168.0.254
[admin@BaseStation]> /ip route add gateway=192.168.0.254

9. View the routing table on the Mikrotik router
[admin@BaseStation]>ip route print
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf
#DST-ADDRESS PREFSRC G GATEWAY DISTANCE INTERFACE
0 ADC 172.16.0.0/24 172.16.0.1 ether2
1 ADC 192.168.0.0/24 192.168.0.1 ether1
2 A S 0.0.0.0/0 r 192.168.0.254 ether1
[admin@BaseStation]>

10. Ping the gateway to test that the configuration is correct
[admin@BaseStation]>ping 192.168.0.254
192.168.0.254 64 byte ping: ttl=64 time<1>
192.168.0.254 64 byte ping: ttl=64 time<1>
2 packets transmitted, 2 packets received, 0% packet loss
round-trip min/avg/max=0/0.0/0 ms
[admin@BaseStation]>

11. Set up DNS on the Mikrotik router
[admin@BaseStation]>ip dns set primary-dns=192.168.0.10 allow-remote-requests=no
[admin@BaseStation]>ip dns set secondary-dns=192.168.0.11 allow-remote-requests=no

12. View the DNS configuration
[admin@BaseStation]>ip dns print
primary-dns: 192.168.0.10
secondary-dns: 192.168.0.11
allow-remote-requests: no
cache-size: 2048KiB
cache-max-ttl: 1w
cache-used: 16KiB
[admin@BaseStation]>

13. Test name resolution, for example by pinging a domain name
[admin@BaseStation]> ping yahoo.com
216.109.112.135 64 byte ping: ttl=48 time=250 ms
10 packets transmitted, 10 packets received, 0% packet loss
round-trip min/avg/max=571/571.0/571 ms
[admin@BaseStation]>

If the reply succeeds, the DNS settings are correct.

14. Set up masquerading. If Mikrotik is to act as a gateway so that client computers on the local network can reach the internet, we need masquerading (source NAT).
[admin@BaseStation]>ip firewall nat add action=masquerade out-interface=ether1 chain=srcnat
[admin@BaseStation]>

15. View the masquerading configuration
[admin@BaseStation]>ip firewall nat print
Flags: X - disabled, I - invalid, D - dynamic
0 chain=srcnat out-interface=ether1 action=masquerade
[admin@BaseStation]>

After this step the connection can be checked from the local network. If it works, the installation of Mikrotik Router as a gateway server is complete. Once connected to the network, Mikrotik can be managed with WinBox, which can be downloaded from Mikrotik.com or from our own Mikrotik server.

Example: our Mikrotik server's IP address is 192.168.0.1; open http://192.168.0.1/ in a browser and download WinBox from there.
If we want clients to obtain their IP address automatically, we need to set up a DHCP server on the Mikrotik. Next steps:

1. Create an IP address pool
/ip pool add name=dhcp-pool ranges=172.16.0.10-172.16.0.20

2. Add a DHCP network and gateway to be handed out to clients; in this example the network is 172.16.0.0/24 and the gateway is 172.16.0.1

3. Add a DHCP server (in this example it is bound to interface ether2)
/ip dhcp-server add interface=ether2 address-pool=dhcp-pool

4. View the status of the DHCP server
[admin@BaseStation]>ip dhcp-server print
Flags: X - disabled, I - invalid
#NAME INTERFACE RELAY ADDRESS-POOL LEASE-TIME ADD-ARP
0 X dhcp1 ether2
The X flag marks a DHCP server that has not yet been enabled; enabling it is the next step

5. Do not forget to enable the DHCP server
/ip dhcp-server enable 0

Then check the DHCP server again as in step 4; if the X flag is gone, the server is active.

6. Test from the client
c:\>ping www.yahoo.com

For bandwidth control, use either simple queues or mangle marks with a queue tree:
[admin@BaseStation] queue simple>add name=Usercomputer1 interface=ether2 target-address=172.16.0.1/24 max-limit=65536/131072
[admin@BaseStation] queue simple>add name=Usercomputer2 interface=ether2 target-address=172.16.0.2/24 max-limit=65536/131072

Mikrotik Step by step Configuration under 5 min by Command

Ethernet-based ISP

5 steps to configure the Mikrotik:

1. IP Address
2. Gateway
3. DNS
4. NAT
5. Transparent proxy rules (extra)

Step 1
[admin@Mikrotik]>ip address add interface=ether1 address="your public ip" \
disabled=no
[admin@Mikrotik]>ip address add interface=ether2 address="your LAN ip" \
disabled=no

Step 2
[admin@Mikrotik]>ip route add gateway="your gateway ip" disabled=no

Step 3
[admin@Mikrotik]>ip dns set primary-dns="your ISP's primary dns" \
secondary-dns="your ISP's secondary dns" \
allow-remote-requests=yes


Step 4
[admin@Mikrotik]>ip firewall nat add chain=srcnat out-interface=ether1 \
action=masquerade disabled=no

Step 5
[admin@Mikrotik]>ip web-proxy set port=8080 \
hostname=host.yourdomain.com \
transparent-proxy=yes \
cache-administrator=support@yourdomain.com enabled=yes

[admin@Mikrotik]>ip firewall nat add chain=dstnat protocol=tcp dst-port=80 \
action=redirect to-ports=8080 disabled=no \
comment="transparent proxy"

[admin@Mikrotik]>ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 \
action=redirect to-ports=8080 disabled=no

[admin@Mikrotik]>ip firewall nat add chain=dstnat protocol=tcp dst-port=8080 \
action=redirect to-ports=8080 disabled=no
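The gateway-server steps above set allow-remote-requests=no, while Step 3 of the 5-step setup sets it to yes and Step 5 redirects every dst-port 80/3128/8080 flow to the proxy without an in-interface restriction. The following is an added example (not code from the original post) that reads a RouterOS-style export and flags exactly those two settings; the config text, the addresses, and the assumption that ether2 is the LAN are all constructed here.

```python
import re

# Constructed sample export modelled on the page's "5 step" configuration
# (assumption: placeholder addresses, not a real router).
SAMPLE_CONFIG = """\
/ip dns set primary-dns=203.0.113.53 secondary-dns=203.0.113.54 allow-remote-requests=yes
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade
/ip firewall nat add chain=dstnat protocol=tcp dst-port=80 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat protocol=tcp dst-port=3128 action=redirect to-ports=8080
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=8080 action=redirect to-ports=8080
"""

KV_RE = re.compile(r'(\S+?)=("[^"]*"|\S+)')

def parse_line(line):
    """Split '/ip firewall nat add k=v ...' into (path, verb, {k: v})."""
    words = [w for w in line.split() if "=" not in w]
    params = {k: v.strip('"') for k, v in KV_RE.findall(line)}
    return " ".join(words[:-1]), words[-1], params

def audit(config_text, lan_interfaces=("ether2",)):
    """Return (severity, message) findings for the settings this page uses.

    Checks: a DNS cache that answers remote queries (an open resolver if the
    public interface is not filtered) and dstnat redirect rules that do not
    restrict in-interface to the LAN, so WAN-originated traffic is also sent
    to the proxy.  lan_interfaces is an assumption about the router layout.
    """
    findings = []
    for line in config_text.splitlines():
        if not line.strip():
            continue
        path, _verb, p = parse_line(line)
        if path == "/ip dns" and p.get("allow-remote-requests") == "yes":
            findings.append(("high", "DNS answers remote queries: set "
                             "allow-remote-requests=no or filter udp/53 "
                             "from the WAN in the input chain"))
        if (path == "/ip firewall nat" and p.get("chain") == "dstnat"
                and p.get("action") == "redirect"
                and p.get("in-interface") not in lan_interfaces):
            findings.append(("medium", f"dstnat redirect for dst-port="
                             f"{p.get('dst-port')} lacks a LAN in-interface; "
                             "WAN-side traffic is also redirected to the proxy"))
    return findings

if __name__ == "__main__":
    for severity, message in audit(SAMPLE_CONFIG):
        print(f"[{severity}] {message}")
```

On the sample, the last redirect rule carries in-interface=ether2 and is not reported; the other two redirects and the DNS setting are.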

How to Easily Convert Binary - Decimal - Hexa

IP addressing is very important for network engineers, and converting binary to decimal or hex (and vice versa) is often needed. It is easy enough. Recall that:
1. Decimal consists of the digits 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, or combinations of them
2. Binary consists of the digits 0 and 1
3. HEXA consists of 16 symbols (and combinations of them): 0, 1, 2, 3, 4, 5, 6, 7, 8, 9, A, B, C, D, E, F

Note: hex is usually written with a leading 0x; for example, D4 is written 0xD4

Case
IP: 192.168.0.212
What are the binary and hex forms of this IP?

To answer, we must split it into its segments: a. 192, b. 168, c. 0 and d. 212

Please note the following table:
----------------------
Decimal | Bin  | HEXA
----------------------
0       | 0000 | 0
1       | 0001 | 1
2       | 0010 | 2
3       | 0011 | 3
4       | 0100 | 4
5       | 0101 | 5
6       | 0110 | 6
7       | 0111 | 7
8       | 1000 | 8
9       | 1001 | 9
10      | 1010 | A
11      | 1011 | B
12      | 1100 | C
13      | 1101 | D
14      | 1110 | E
15      | 1111 | F
----------------------
Answer:

Each two-digit hex number consists of 2 x 4 bits of binary. In other words, we split the binary form of each decimal segment into groups of 4 bits.

IP: 192.168.0.212
192 = 1100 | 0000 becomes -> C and 0, written C0 or 0xC0
168 = 1010 | 1000 becomes -> A and 8, written A8 or 0xA8
0 = 0000 | 0000 becomes -> 0 and 0, written 00 or 0x00
212 = 1101 | 0100 becomes -> D and 4, written D4 or 0xD4

So the IP in hex can be written:
C0.A8.00.D4, which equals 192.168.0.212

Conversely, to convert from HEXA to decimal:
for instance C0: separate C and 0 and convert each to binary (see the table above):
C=1100 and 0=0000. For the decimal value we merge these two binary groups into 1100 | 0000, or 11000000. In detail:
11000000 = 128 +64 +0 +0 +0 +0 +0 +0 = 192
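The nibble method above, carried out in code as an added example (not part of the original post): each octet is split into its high and low 4-bit halves, each half is looked up in the Decimal/Bin/HEXA table, and the reverse direction sums the bit weights 128, 64, ..., 1 exactly as the last line does. Function names and the range check are my own.

```python
# Added example: dotted-quad IPv4 <-> hex/binary using the 4-bit nibble
# method described in the text.  Names are assumptions, not RouterOS APIs.

HEX_DIGITS = "0123456789ABCDEF"          # the table's HEXA column, by decimal index
BIT_WEIGHTS = (128, 64, 32, 16, 8, 4, 2, 1)

def octet_to_nibbles(octet):
    """Split 0..255 into its high and low 4-bit halves, e.g. 212 -> (13, 4)."""
    if not 0 <= octet <= 255:
        raise ValueError(f"octet out of range: {octet}")
    return octet >> 4, octet & 0x0F

def octet_to_hex(octet):
    """212 -> 'D4' (table lookup of each nibble)."""
    high, low = octet_to_nibbles(octet)
    return HEX_DIGITS[high] + HEX_DIGITS[low]

def octet_to_bin(octet):
    """212 -> '1101 0100', the two 4-bit groups shown in the text."""
    high, low = octet_to_nibbles(octet)
    return f"{high:04b} {low:04b}"

def ip_to_hex(ip):
    """'192.168.0.212' -> 'C0.A8.00.D4'."""
    return ".".join(octet_to_hex(int(o)) for o in ip.split("."))

def hex_to_decimal(hex_pair):
    """'C0' -> 192: look each hex digit up in the table, join the 8 bits,
    then add the weight of every bit that is set (128 + 64 = 192)."""
    high, low = (HEX_DIGITS.index(ch.upper()) for ch in hex_pair)
    bits = f"{high:04b}{low:04b}"
    return sum(w for w, b in zip(BIT_WEIGHTS, bits) if b == "1")

def hex_ip_to_decimal(hex_ip):
    """'C0.A8.00.D4' -> '192.168.0.212'."""
    return ".".join(str(hex_to_decimal(h)) for h in hex_ip.split("."))

if __name__ == "__main__":
    for o in (192, 168, 0, 212):
        print(f"{o:>3} = {octet_to_bin(o)} -> 0x{octet_to_hex(o)}")
    print(ip_to_hex("192.168.0.212"))        # C0.A8.00.D4
    print(hex_ip_to_decimal("C0.A8.00.D4"))  # 192.168.0.212
```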