
Mikrotik 4 Wan PCC Loadbalance


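#Simple Pcc Loadbalance 4Wan
#Rename ether as WAN1,WAN2,WAN3,WAN4,Local
#
# Four WAN ports (192.168.1.2/24 .. 192.168.4.2/24, each behind a modem at
# 192.168.x.1) and one LAN port (192.168.0.1/24). Outbound LAN connections
# are spread over the four WANs with PCC; the router's own connections are
# pinned to the WAN they arrived on.
#
# Change from the original: /ip dns allow-remote-requests=yes makes the router
# answer DNS on every interface and the original had no filter rule on the WAN
# side, so the /ip firewall filter section below drops DNS queries arriving on
# WAN1-WAN4. Only Local clients should be able to use the router as a resolver.

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2
add address=192.168.3.2/24 network=192.168.3.0 broadcast=192.168.3.255 interface=WAN3
add address=192.168.4.2/24 network=192.168.4.0 broadcast=192.168.4.255 interface=WAN4

/ip firewall mangle
# Connections to the router itself: remember which WAN they came in on ...
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add chain=input in-interface=WAN3 action=mark-connection new-connection-mark=WAN3_conn
add chain=input in-interface=WAN4 action=mark-connection new-connection-mark=WAN4_conn

# ... and send the replies back out through that WAN's routing table.
add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2
add chain=output connection-mark=WAN3_conn action=mark-routing new-routing-mark=to_WAN3
add chain=output connection-mark=WAN4_conn action=mark-routing new-routing-mark=to_WAN4

# LAN traffic to the modem subnets is accepted here, before PCC, so it never
# receives a connection or routing mark.
add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.3.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.4.0/24 action=accept in-interface=Local

# PCC: hash src/dst address+port of every new non-local LAN connection into
# 4 buckets (4/0 .. 4/3), one per WAN. passthrough=yes so the mark-routing
# rules below still see the packet.
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/2 action=mark-connection new-connection-mark=WAN3_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:4/3 action=mark-connection new-connection-mark=WAN4_conn passthrough=yes

# Route each marked LAN connection through its WAN's table.
add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2
add chain=prerouting connection-mark=WAN3_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN3
add chain=prerouting connection-mark=WAN4_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN4

/ip route
# One default route per routing table. check-gateway=ping only tests that the
# modem address answers, not that the link behind the modem is up.
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 routing-mark=to_WAN4 check-gateway=ping

# Default routes for unmarked traffic, preferred by distance (WAN1 first).
add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=3 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.4.1 distance=4 check-gateway=ping

/ip firewall nat
add chain=srcnat src-address=192.168.0.0/24 out-interface=WAN1 action=masquerade
add chain=srcnat src-address=192.168.0.0/24 out-interface=WAN2 action=masquerade
add chain=srcnat src-address=192.168.0.0/24 out-interface=WAN3 action=masquerade
add chain=srcnat src-address=192.168.0.0/24 out-interface=WAN4 action=masquerade

/ip firewall filter
# Drop DNS queries arriving on the WAN ports. allow-remote-requests=yes (below)
# would otherwise make the router answer them for anyone upstream.
add chain=input in-interface=WAN1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN1"
add chain=input in-interface=WAN1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN1"
add chain=input in-interface=WAN2 protocol=udp dst-port=53 action=drop comment="no DNS from WAN2"
add chain=input in-interface=WAN2 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN2"
add chain=input in-interface=WAN3 protocol=udp dst-port=53 action=drop comment="no DNS from WAN3"
add chain=input in-interface=WAN3 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN3"
add chain=input in-interface=WAN4 protocol=udp dst-port=53 action=drop comment="no DNS from WAN4"
add chain=input in-interface=WAN4 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN4"

# The router resolves for LAN clients (DHCP hands out 192.168.0.1 as gateway;
# the static "dns" entry below is added disabled).
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8,4.2.2.6

/ip dns static
add address=192.168.0.1 disabled=yes name=dns ttl=1d

/ip pool
add name=dhcp_pool1 ranges=192.168.0.2-192.168.0.253

/ip dhcp-server
# add-arp=yes adds ARP entries for leases; it only restricts anything if the
# Local interface is set to arp=reply-only, which this script does not do.
add add-arp=yes address-pool=dhcp_pool1 disabled=no interface=Local name=dhcp1

/ip dhcp-server config
set store-leases-disk=never

/ip dhcp-server network
add address=192.168.0.0/24 gateway=192.168.0.1

/system clock
set time-zone-name=manual

/system clock manual
set dst-delta=+00:00 dst-end="jan/01/1970 00:00:00" dst-start="jan/01/1970 00:00:00" time-zone=+05:00

/system ntp client
set enabled=yes mode=unicast primary-ntp=203.158.118.2 secondary-ntp=116.193.170.16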

2 wan unequal loadbalance pcc for Hotspot


2 Wan Load Balance


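# change ether name as WAN1,WAN2,Local
# PCC Loadbalance for hotspot only.
# After Apply this script manually run hotspot setup
# Unequal Loadbalance for wan1
#
# Two WAN ports (192.168.1.2/24 and 192.168.2.2/24, gateways 192.168.x.1) and
# a Local port (192.168.21.1/24) that will carry the hotspot. Only
# authenticated hotspot users (hotspot=auth) are load-balanced; WAN1 gets two
# of the three PCC buckets.
#
# Change from the original: /ip dns allow-remote-requests=yes makes the router
# answer DNS on every interface and there was no WAN-side filter, so the
# /ip firewall filter section below drops DNS queries arriving on WAN1/WAN2.

/ip pool add name=dhcp_pool1 ranges=192.168.21.2-192.168.21.254

/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=Local name=dhcp1

/ip address
add address=192.168.1.2/24 interface=WAN1
add address=192.168.2.2/24 interface=WAN2
add address=192.168.21.1/24 interface=Local

/ip dhcp-server network
add address=192.168.21.0/24 gateway=192.168.21.1

/ip dns
set allow-remote-requests=yes cache-size=5000KiB max-udp-packet-size=2048 servers=8.8.8.8,8.8.4.4

/ip firewall filter
# Drop DNS queries arriving on the WAN ports; allow-remote-requests=yes above
# would otherwise answer them for anyone upstream.
add chain=input in-interface=WAN1 protocol=udp dst-port=53 action=drop comment="no DNS from WAN1"
add chain=input in-interface=WAN1 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN1"
add chain=input in-interface=WAN2 protocol=udp dst-port=53 action=drop comment="no DNS from WAN2"
add chain=input in-interface=WAN2 protocol=tcp dst-port=53 action=drop comment="no DNS from WAN2"

/ip firewall mangle
# Router's own connections stay on the WAN they came in on.
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn
add action=mark-routing chain=output connection-mark=WAN1_conn new-routing-mark=to_WAN1
add action=mark-routing chain=output connection-mark=WAN2_conn new-routing-mark=to_WAN2
# No action given: the default (accept) applies, so LAN traffic to the modem
# subnets is not marked.
add chain=prerouting dst-address=192.168.1.0/24 in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 in-interface=Local
# PCC with 3 buckets: 3/0 and 3/2 go to WAN1, 3/1 to WAN2 (the "unequal" part).
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:3/0
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local new-connection-mark=WAN2_conn per-connection-classifier=both-addresses-and-ports:3/1
add action=mark-connection chain=prerouting dst-address-type=!local hotspot=auth in-interface=Local new-connection-mark=WAN1_conn per-connection-classifier=both-addresses-and-ports:3/2
add action=mark-routing chain=prerouting connection-mark=WAN1_conn in-interface=Local new-routing-mark=to_WAN1
add action=mark-routing chain=prerouting connection-mark=WAN2_conn in-interface=Local new-routing-mark=to_WAN2

/ip firewall nat
add action=masquerade chain=srcnat out-interface=WAN1
add action=masquerade chain=srcnat out-interface=WAN2

/ip route
# Per-WAN tables, then the unmarked defaults (WAN1 preferred by distance).
# check-gateway=ping only tests the modem address, not the link behind it.
add check-gateway=ping distance=1 gateway=192.168.1.1 routing-mark=to_WAN1
add check-gateway=ping distance=1 gateway=192.168.2.1 routing-mark=to_WAN2
add check-gateway=ping distance=1 gateway=192.168.1.1
add check-gateway=ping distance=2 gateway=192.168.2.1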

Mikrotik NTP Setup


ntp

# Manual time zone (+05:00, no DST window) and an NTP client using two fixed
# unicast servers. The router's own NTP server is left disabled.
/system clock set time-zone-name=manual
/system clock manual set time-zone=+05:00 dst-delta=+00:00 dst-start="jan/01/1970 00:00:00" dst-end="jan/01/1970 00:00:00"
/system ntp client set mode=unicast primary-ntp=203.158.118.2 secondary-ntp=116.193.170.16 enabled=yes
/system ntp server set enabled=no manycast=yes broadcast=no multicast=no broadcast-addresses=""

How to give PiNG / iCMP high Priority in Mikrotik


When clients are browsing or downloading data there is less bandwidth left for PING/ICMP packets, so pings from a client to the MikroTik see frequent timeouts and high latency.

There is no need to worry about that; in fact, general ICMP/PING should be blocked on every network to avoid flooding and unwanted queries from the client side.

# Mark every ICMP connection, then its packets, and put those packets in a
# priority-1 queue under global-in (limit-at 1024k, max-limit 2048k).
# No in-interface is given, so ICMP from any interface gets this treatment;
# the max-limit also caps how much ICMP the queue will pass.
# passthrough=no on the packet-mark rule ends mangle processing for ICMP, so
# place these rules after any other prerouting marks ICMP should still get.
/ip firewall mangle
add action=mark-connection chain=prerouting comment="" disabled=no new-connection-mark=icmp-con passthrough=yes protocol=icmp
add action=mark-packet chain=prerouting comment="" connection-mark=icmp-con disabled=no new-packet-mark=icmp-pkt passthrough=no protocol=icmp

/queue tree
add name=Hi-Prio-to-icmp-aacable parent=global-in packet-mark=icmp-pkt priority=1 limit-at=1024k max-limit=2048k queue=default burst-limit=0 burst-threshold=0 burst-time=0s disabled=no

Dynamic Dns Change IP Script Bridge Mode


changeip.com

If you have DSL Modem configured in BRIDGE mode, and you are dialing via Mikrotik PPPoE Client Dialer, then use the following Script.
NOTE:
Make sure you change the user id, password and host name to match what you entered at the time of registration. Also make sure that you change the INTERFACE setting.

ddns-script-modem-in-pppoe-mode- code.

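# Dynamic DNS update for changeip.com when the router itself dials PPPoE:
# the public address is the one configured on $ddnsinterface.
# Edit the four values below to match your changeip.com registration.
# NOTE: these are :global variables, so they persist in
# /system script environment and are readable by any login with read rights.
:global ddnsuser "usernamechangeip"
:global ddnspass "passwordchangeip"
:global ddnshost "freedomaianchangeip"
:global ddnsinterface "ether1"
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~
# END OF USER DEFINED CONFIGURATION
# ~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~~

# "mt-<RouterOS version>"; kept from the original, nothing below reads it.
:global ddnssystem ("mt-" . [/system package get [/system package find name=system] version] )
# Address (with /prefix) currently on the interface. Assumes exactly one
# address on $ddnsinterface - with several, find returns more than one id
# and the get fails; TODO confirm for your setup.
:global ddnsip [ /ip address get [/ip address find interface=$ddnsinterface] address ]
# Last address sent; survives between runs because it is global.
:global ddnslastip

# Missing interface is only logged; the script still continues (the address
# lookup above will then have produced nothing).
:if ([:len [/interface find name=$ddnsinterface]] = 0 ) do={ :log info "DDNS: No interface named $ddnsinterface, please check configuration." }
:if ([ :typeof $ddnslastip ] = "nothing" ) do={ :global ddnslastip 0.0.0.0/0 }
:if ([ :typeof $ddnsip ] = "nothing" ) do={
  :log info ("DDNS: No ip address present on " . $ddnsinterface . ", please check.")
} else={
  :if ($ddnsip != $ddnslastip) do={
    :log info "DDNS: Sending UPDATE!"
    # Strip the "/prefix" part before sending. The original wrapped the
    # dns-update call in [:put ...], which prints to the console and yields
    # nothing to log; log the command's result directly instead.
    :log info [/tool dns-update name=$ddnshost address=[:pick $ddnsip 0 [:find $ddnsip "/"] ] key-name=$ddnsuser key=$ddnspass ]
    :global ddnslastip $ddnsip
  } else={
    :log info "DDNS: No changes necessary."
  }
}
# END OF SCRIPT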

 


# Run the DDNS script (saved under the name ddns_changeip) every 5 minutes,
# starting at boot.
# NOTE(review): the policy list grants far more than an address lookup and a
# dns-update need (reboot, password, policy, sniff, ...); trim it to the
# policies the script actually requires once confirmed on your RouterOS version.
/system scheduler add name=ddns_update on-event=ddns_changeip interval=5m start-time=startup disabled=no policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api

How to Block Torrent & P2P in Mikrotik


Assume you want to block torrent & p2p traffic on 192.168.1.0/24

Local/Lan address is 192.168.1.0/24 (Change setting according to your network)


# Block BitTorrent/P2P from 192.168.1.0/24 three ways: a layer-7 regexp for
# tracker sites (also applied to DNS, protocol 17 port 53), plain-text
# content matches, and the built-in p2p matcher.
# The content= rules drop any forwarded packet carrying those strings, so
# they can also hit unrelated traffic that happens to contain "torrent" or
# "tracker"; neither the layer-7 nor the content matcher sees inside TLS.
/ip firewall layer7-protocol add name=torrentsites regexp="^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|torrentz|vertor|h33t|btscene|bitunity|bittoxic|thunderbytes|entertane|zoozle|vcdq|bitnova|bitsoup|meganova|fulldls|btbot|flixflux|seedpeer|fenopy|gpirate|commonbits).*\$"

/ip firewall filter
add action=drop chain=forward comment=torrentsites layer7-protocol=torrentsites src-address=192.168.1.0/24
add action=drop chain=forward comment=dropDNS dst-port=53 layer7-protocol=torrentsites protocol=17 src-address=192.168.1.0/24
add action=drop chain=forward comment=keyword_drop content=torrent src-address=192.168.1.0/24
add action=drop chain=forward comment=trackers_drop content=tracker src-address=192.168.1.0/24
add action=drop chain=forward comment=get_peers_drop content=getpeers src-address=192.168.1.0/24
add action=drop chain=forward comment=info_hash_drop content=info_hash src-address=192.168.1.0/24
add action=drop chain=forward comment=announce_peers_drop content=announce_peers src-address=192.168.1.0/24

# also use default rule to drop p2p traffic which alone is not working for me
add action=drop chain=forward comment=p2p_drop p2p=all-p2p src-address=192.168.1.0/24

How to Block Skype Traffic in Mikrotik


For the last several weeks I have been blocking Skype traffic in my office environment. I tried the Layer-7 protocol matcher to stop the traffic but failed. So I searched the internet but did not find any solution…

After that I contacted a friend who helped me with it:

# Static list of Skype server prefixes (as known in 2013) and a forward drop
# rule for it. The drop rule is added with disabled=yes, so nothing is
# blocked until it is enabled by hand.
/ip firewall address-list
add list=skype_servers_x address=111.221.74.0/24 disabled=no comment="------------- disable_skype  -------------"
add list=skype_servers_x address=111.221.77.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=157.55.130.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=157.55.235.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=157.55.56.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=157.56.52.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=213.199.179.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=63.245.217.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=64.4.23.0/24 disabled=no comment=disable_skype
add list=skype_servers_x address=65.55.223.0/24 disabled=no comment=disable_skype

/ip firewall filter
add chain=forward dst-address-list=skype_servers_x action=drop disabled=yes comment="Skype - Block - Pool"

If you need to catch Skype server addresses via DNS, use the script below. It just fetches addresses from the DNS cache and creates an address-list.

Tested under v5.x

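# Script skype_script: walk the DNS cache and add the address of every cached
# name containing "skype" to address-list skype_dns_ips (unless that address
# is already in some address-list).
# Review notes:
# - Entries go to list skype_dns_ips; the drop rule earlier on this page uses
#   skype_servers_x, so a separate rule is needed for this list to block anything.
# - The duplicate check uses `/ip firewall address-list find` with no list=
#   filter, so it compares against every address-list, not just skype_dns_ips.
# - `[:find $cacheName "skype"] != 0` reads as "skype is not at position 0";
#   the intent looks like "name contains skype" - verify on your version.
# - The scheduler below runs this every 5 seconds over the whole DNS cache;
#   consider a longer interval.
# Change from the original: the `/system scheduler` command was fused onto
# the end of the script's closing line and has been put on its own line.
/system script
add name=skype_script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":foreach i in=[/ip dns cache find] do={\r\
    \n    :local bNew \"true\";\r\
    \n    :local cacheName [/ip dns cache all get \$i name] ;\r\
    \n#    :put \$cacheName;\r\
    \n\r\
    \n    :if ([:find \$cacheName \"skype\"] != 0) do={\r\
    \n\r\
    \n        :local tmpAddress [/ip dns cache get \$i address] ;\r\
    \n#\t:put \$tmpAddress;\r\
    \n\r\
    \n# if address list is empty do not check\r\
    \n        :if ( [/ip firewall address-list find ] = \"\") do={\r\
    \n            :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
    \n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
    \n        } else={\r\
    \n            :foreach j in=[/ip firewall address-list find ] do={\r\
    \n                :if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
    \n                    :set bNew \"false\";\r\
    \n                }\r\
    \n            }\r\
    \n            :if ( \$bNew = \"true\" ) do={\r\
    \n                :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
    \n                /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
    \n            }\r\
    \n        }\r\
    \n    }\r\
    \n}"

/system scheduler
add disabled=no interval=5s name=Skype on-event="/system script run skype_script" policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
    start-time=startup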

Mikrotik – 1 Lan 2 Servers



Easy way to set up a Hotspot & PPPoE Server


Dynamic Dns Change IP Script


changeip.com

Just copy this script into script section with name ddns_changeip

Now add your user id / password in the script below, plus the DDNS host id you have created.


Only edit these fields (use plain straight quotes, not the curly ones a word processor inserts):
:global ddnsuser "usernamechangeip"
:global ddnspass "passwordchangeip"
:global ddnshost "freedomaianchangeip"

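# Written by Sam Norris, ChangeIP.com
# 20100728 Tested on RouterOS 4.9
# 20110511 Tested on RouterOS 5.2
#
# Detects the router's public IP through ip.changeip.com and sends a
# dns-update to changeip.com whenever it differs from the last one sent.
# Save as ddns_changeip and run it from the scheduler.
#
# Review notes:
# - ddnsuser/ddnspass are :global variables, so they persist in
#   /system script environment and are readable by any login with read rights.
# - IP detection uses plain http and sends the MAC address of ethernet index 0
#   as the query string (src-path below).
# - The copy of this script as posted ended with an unmatched closing brace;
#   it has been dropped here.

# Set your specific ChangeIP.com preferences here.
:global ddnsuser "usernamechangeip"
:global ddnspass "passwordchangeip"
:global ddnshost "freedomaianchangeip"
# Change ddnsport to 8245 to bypass proxy.
:local ddnsport 80

# Do not edit anything below this line.  You have been warned.
# Abusive updates to the system will cause firewall blocks.

# Please be considerate and
# do not let this script run more than once per 3-5 minutes.

:log info "DDNS: Starting."

# Initialize checkpoint (time of the last remote IP detection; global so it
# survives between runs). First run sets it a day back so detection happens.
:global ddnscheckpoint
:if ([:typeof $ddnscheckpoint] = "time") do={
	:log info ("DDNS: Last check was " . ([/system clock get time] - $ddnscheckpoint))
} else={
	:log info "DDNS: Cannot determine checkpoint, set now."
	:global ddnscheckpoint ( [/system clock get time] - 1d )
}

# Get the current IP, but only if the last check is more than 180s old (or the
# clock went backwards); otherwise stop so changeip.com is not polled too often.
:if ([/system clock get time] - $ddnscheckpoint > [:totime 180s] || [/system clock get time] - $ddnscheckpoint < [:totime 0s]) do={
   :log info "DDNS: Performing remote IP detection."
   /tool fetch address="ip.changeip.com" host="ip.changeip.com" src-path=("/?" . [/int eth get 0 mac-address ]) dst-path="ip.changeip.com.txt" mode=http port=$ddnsport
   :global ddnscheckpoint [/system clock get time]
} else={
   :log info "DDNS: Please be considerate and wait a few seconds longer."
   # assumes :break ends the script here - confirm on your RouterOS version
   :break
}

# Parse the IP address received from fetch script.
# If the fetch above failed the file may be missing or stale - not checked here.
	:global ddnslastip
	:local html [/file get "ip.changeip.com.txt" contents]
	:local ddnsip [:pick $html ([:find $html "<!--IPADDR="] + 11) [:find $html "-->"] ]

# Is it a valid IP and is it different than the last one?
# The :toip check means garbage in the fetched page is never sent as an update.
	:if ([:typeof [:toip $ddnsip]] = "ip" AND $ddnsip != $ddnslastip ) do={
		:log info "DDNS: Sending UPDATE with $ddnsip"
		:log info [/tool dns-update name=$ddnshost address=$ddnsip key-name=$ddnsuser key=$ddnspass ]
		:global ddnslastip $ddnsip
	} else={
		:log info "DDNS: No update required."
	}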



Now Create Schedule

# Scheduler entry: run script ddns_changeip every 5 minutes from boot.
# NOTE(review): the policy list is much wider than the script needs (reboot,
# password, policy, sniff, ...); reduce it to the policies the script actually
# requires once confirmed on your RouterOS version.
/system scheduler add name=ddns_update on-event=ddns_changeip interval=5m start-time=startup disabled=no policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api