
Virtualization: 3 in 1 > Using Mikrotik + Squid Proxy + Radius on a single machine to save resources :)


It is a good idea to virtualize servers so that underutilized hardware is used more efficiently; nowadays getting good hardware is not a big deal. Virtualization saves a considerable amount of power, reduces heat, makes it easy to manage multiple VMs with tools like vCenter / VEEAM (my favorite) or VM Explorer, allows live migration from one virtual server to another, makes backup and restore very easy, and the list goes on . . .

Recently I did an installation for a network that was low on hardware resources but still wanted the benefits of Mikrotik RouterOS with an external Squid proxy server and a Radius billing server. In total they would have needed at least 3 physical machines, but I managed to install all of them on a single server using VMware ESXi 5.x (64bit) virtualization, and it worked great :)
Here is how I did it.

Note: Because of a shortage of time I am only giving you an idea of how it can be done; I am not writing pinpoint details on how to connect every machine to the virtual/physical switches. I will write about that soon.

Hardware Used for the Example:

64bit server class machine

Multiple SATA HDDs (the faster the drives (e.g. 10-15k rpm), the better the result you will achieve; preferably in RAID mode, either 10 or 0, depending on your management and goals. In this example I used 7200 rpm SATA HDDs and dedicated one HDD to each OS. I tested it on an IBM xSeries with RAID 0 and found RAID 0 much faster with 15k rpm drives, but it is not redundant: one drive fails and your whole RAID goes down. So if you want redundancy, go with at least RAID 5 or RAID 10. RAID 1 is also good as it mirrors each drive, but it requires additional drives, and for a proxy mirroring is useless as it puts more read/write burden on the controller. Oh GOD, what an argument I got into :p)

16GB RAM (Mikrotik doesn't require much RAM; in fact it officially supports a maximum of 2G, but Radius and Squid do require a good amount of RAM. I dedicated 8 GB to SQUID, 4 GB to Radius and 2 GB to Mikrotik.)

4 Network Adapters (in this article, due to time shortage, I have only described how to add two network adapters, for the LAN and WAN links, using the virtual switch.)


Software Used:

1) VMware ESXi 5.x 64bit as the virtual hypervisor server
Guest OS installed in it are as follows:
2) Mikrotik RouterOS 5.22
3) Ubuntu 10.4 for SQUID Proxy (2.7)
4) Ubuntu 10.4 for Radius Manager Billing System

First install VMware ESXi. You can get its free edition from www.vmware.com: just register and download the latest version. It comes as an .iso file; simply burn it to CD and install it on your server. Installing ESXi is very simple, nothing more than clicking NEXT NEXT :)

After ESXi is installed, configure an IP address on it so you can manage it using its client, the vSphere client.

To shorten the story I am using only two interfaces for the Mikrotik, LAN and WAN. In this (shortened) example ESXi has two physical interfaces connected, one to the LAN user switch and the other to the WAN.

Creating a virtual switch and binding network adapters to it

Go to the Configuration tab.
In the list that appears in the Hardware section, click on Networking and then on Add Networking, as shown in the images below.

[Images: add virtual switch; Add Network wizard steps 2 to 5]

OK, our virtual switch is created.
Now it is time to bind our WAN adapter to this switch (so it can later be used as the WAN for all the hosts that will need it).

Click on Properties, as shown in the images below.

[Images: Add Network wizard steps 6 and 7]

Done.

Creating the Mikrotik VM and assigning network adapters

Now create a new virtual machine for your Mikrotik.

Select the hardware you require according to your user load, for example:
Mikrotik = 1 CPU / 1 GB RAM / 10 GB HDD

In the Network Adapter section only one adapter is added by default; add another by selecting the number of adapters in the drop-down list, as shown in the image below.

[Image: adding LAN and WAN adapters in the host]

Once the configuration is complete, install Mikrotik in the host you just created in the steps above.
After the installation is complete, review the host settings once again, as shown in the image below.

[Image: Mikrotik network adapters]

After the installation is done, connect to Mikrotik with WINBOX and look at the interfaces, as shown in the image below.

[Image: Mikrotik interface list]


I will write more on it later.

Regards,
Syed Jahanzaib


Filed under: General IT Related, Mikrotik Related, VMware ESXi Related

Mikrotik: Netwatch Script to Detect Target Server Link & Act Accordingly


Someone asked me to create a script that checks the link state of a Squid proxy or other target server from Mikrotik, and if the Squid proxy / target server is not responding, disables the redirect NAT rule so that all load is handled by Mikrotik itself. You can modify this script as per your requirements: you can modify it to check a WAN link, and if the WAN link is down it can trigger an SMS script / sound alarm, or shift to a backup WAN link by enabling/disabling routes; it can also be used to detect any WAN link failure and change rules accordingly.
Possibilities are endless.
So here it is.

Adding Comments in Redirect Rule

First add a comment to the required NAT rule, i.e. the rule that redirects port 80 traffic to Squid. You could also disable/enable rules by their numbers, BUT that is not recommended BECAUSE if you add any new rule and move it somewhere, all your scripts will disable/enable the wrong rules; that is why you should use the find command and select rules by comment.

You can use the GUI to add the comment to the rule. I am showing an example below:
/ip firewall nat
add action=dst-nat chain=dstnat comment="Redirect to SQUID" disabled=no dst-port=80 protocol=tcp to-addresses=192.168.6.1 to-ports=8080

add action=masquerade chain=srcnat comment="Default NAT Rule for Internet Access / zaib" disabled=no to-addresses=0.0.0.0

[Image: NAT rule with comment]

Change the host IP address as per your local requirements. It is just an example.

Adding Scripts to Enable/Disable the Rule

After adding the comment to the dst-nat rule, you have to create two scripts that enable and disable the dst-nat rule. We can name them UP and DOWN.
Copy and paste the scripts below into the Mikrotik terminal. They will create two scripts in System/Scripts with the names UP and DOWN.

/system script
add name=down policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":log info \"SQUID PROXY link Down. Disabling SQUID NAT Rule so all load should be handled by Mikrotik alone / zaib\"\r\n/ip firewall nat disable [find comment=\"Redirect to SQUID\"];"

add name=up policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":log info \"SQUID PROXY link is UP. Enabling SQUID NAT Rule / zaib\"\r\n/ip firewall nat enable [find comment=\"Redirect to SQUID\"];"

[Image: script list]

Adding NETWATCH to monitor the Target Server [Squid] Link

Use the script below to add a netwatch entry for Squid / target server link detection. It also wires the UP and DOWN scripts to the appropriate actions: when the target server link goes down, it executes script DOWN, which disables the NAT redirect rule; when the target server link is up and working, it executes the UP script, which re-enables the redirect rule.

/tool netwatch
add comment="Netwatch to Check SQUID Server Link state / zaib" disabled=no down-script="/sys script run down" host=192.168.6.1 interval=5m timeout=1s \
    up-script="/sys script run up"

[Image: Squid link detection netwatch entry]

(Replace the host IP to match your local target server IP.)

Testing the Scripts . . .   :) ~

Now test the scripts. Unplug the target server's LAN link and you will see something like the following in the LOG:

[Image: link down log entries]

Now plug the target server's LAN link back in and you will see something like the following in the LOG:

[Image: link up log entries]

Regards,

Syed Jahanzaib


Filed under: Mikrotik Related

How to block DHCP traffic via a Mikrotik BRIDGE


How to filter traffic via a BRIDGE in Mikrotik RouterOS / RB


Scenario # 1

# Network A is running a VPN server with a DHCP server having the IP pool 172.16.0.0/16.

# Network B is running a PPPoE server with a DHCP server having the IP pool 10.0.0.0/xx.

Now Network A wants to merge with Network B, and Operator A wants to use his own DHCP rather than Network B's DHCP. As we all know, we cannot run two DHCP servers in parallel on the same network. The following is a workaround to accomplish the task: create a BRIDGE in Mikrotik and block DHCP traffic. See the rules below. These are CLI commands, but you can use the GUI to do the same.

First Add bridge port.

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=15s l2mtu=1522 \
max-message-age=20s mtu=1500 name=ds-bridge priority=0x8000 protocol-mode=none transmit-hold-count=6

Now add Ethernet ports to the bridge. For example we want to use ports 2 and 3 for the bridge.
[ Port 2 is connected to Network A and port 3 is connected to Network B ]

/interface bridge port
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether2 path-cost=10 point-to-point=\
auto priority=0x80
add bridge=ds-bridge disabled=no edge=auto external-fdb=auto horizon=none interface=ether3 path-cost=10 point-to-point=\
auto priority=0x80

Now enable firewall filtering for this bridge.

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=no use-ip-firewall-for-vlan=no

Now your BRIDGE is ready to pass traffic between both networks.

Add firewall filter rules to block DHCP traffic. You can use the same topology to filter any other traffic from passing, for example common virus ports or any specific port you like to block; simply add it to the filter rules.

/ip firewall filter

add action=drop chain=forward disabled=no dst-port=67 protocol=udp
add action=drop chain=forward disabled=no dst-port=68 protocol=udp

add action=drop chain=input disabled=no dst-port=67 protocol=udp
add action=drop chain=input disabled=no dst-port=68 protocol=udp

add action=drop chain=output disabled=no dst-port=67 protocol=udp
add action=drop chain=output disabled=no dst-port=68 protocol=udp

I don't remember exactly, but I guess one or two of the rules above are not necessary; I guess the OUTPUT rules are not necessary. Just check the packet counters and remove the unnecessary rules.
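The rules below are an added example, not part of the original post, written for the same topology (bridge ds-bridge, ether2 on Network A, ether3 on Network B, use-ip-firewall=yes). They show the narrower form of the DHCP block, one forward rule scoped to the bridge, and the counter check the author suggests for deciding which of the six rules above are really needed.

```routeros
# Added example, not from the original post. Topology as above: bridge ds-bridge with
# ether2 on Network A and ether3 on Network B, and use-ip-firewall=yes already set.
#
# The post's six rules match udp/67 and udp/68 in the forward, input and output chains with no
# interface match, so they also block a DHCP server or DHCP client running on the router itself.
# With use-ip-firewall=yes, bridged packets pass the forward chain with in-interface set to the
# bridge, which lets a single rule block DHCP crossing the bridge and nothing else.
/ip firewall filter
add chain=forward in-interface=ds-bridge protocol=udp dst-port=67-68 action=drop \
    comment="Block DHCP crossing ds-bridge in both directions (Network A <-> Network B)"

# Input and output need no DHCP rules for this scenario: DHCP to or from the router's own
# server/client is not the traffic being merged, and dropping it there would break those services.
# Before removing any of the post's rules, check which ones actually count packets:
/ip firewall filter print stats where protocol=udp
```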

 

Regards,
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik Multi WAN Fail Over Scenarios


I received many requests from various friends/personnel to write something easy about how to create fail over for PCC / dual WAN. In this guide I will post some WAN link fail over scenarios. For example, if you have two DSL WAN links and one of the links goes down, what will happen? If your DSL modem is down, then check-gateway=ping can save your packets from being sent to that link. But what if your modem is up and the telephone line is down? Or one of your ISPs has a problem at their end?

There are several methods that you can use to solve this problem: either use the Netwatch tool to monitor the WAN link, or use scripts to periodically ping remote hosts, and then disable/enable routes.

Following is a very simple method you can use for fail over.

SCENARIO #1
FAIL OVER
for dual WAN links without load balancing and without scripting

We have two WAN links and we want to use the second WAN for fail over ONLY; no load balancing is required.

To achieve fail-over, follow the steps below.

Example:

LAN = 192.168.0.1
WAN1 GW = 192.168.1.1
WAN2 GW = 192.168.2.1

External host IPs that we want to monitor for the WAN status (you can also use your ISP's DNS / web server IP, or any other host that is more reliable and preferably closer to you):

Google DNS = 8.8.8.8
TW DNS (PK) = 221.132.112.8

Following is the complete script.

1# Make sure you change the interface names and IP addresses according to your network.
2# In the DNS section, use your ISP's DNS IP addresses.
3# You can use different host IP addresses for monitoring, preferably your primary ISP's reliable servers such as DNS. You can use other web sites' IPs too.

# apr/12/2013 10:41:20 by RouterOS 5.20
# Syed Jahanzaib / aacable@hotmail.com
# Web= http://aacable.wordpress.com
/ip address
add address=192.168.0.1/24 disabled=no interface=LAN network=192.168.0.0
add address=192.168.1.2/24 disabled=no interface=WAN1 network=192.168.1.0
add address=192.168.2.2/24 disabled=no interface=WAN2 network=192.168.2.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB \
max-udp-packet-size=512 servers=208.67.222.222,202.141.224.34
# Or use your ISP's DNS

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2

#### Following is ROUTE section where we will be using check-gateway function to monitor external hosts from each wan

/ip route
add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=221.132.112.8 gateway=192.168.2.1 scope=10

add distance=1 gateway=8.8.8.8 check-gateway=ping
add distance=2 gateway=221.132.112.8 check-gateway=ping

The above fail over method works fine: when the WAN1 link fails it will automatically fail over to the secondary link, and when the WAN1 link becomes available again all load shifts back to WAN1. The only negative is that we are using a single host per WAN to monitor; if that particular host (e.g. 8.8.8.8) stops answering pings while the rest of the link is fine, WAN1 will still shift to the secondary link. To avoid this, use multiple hosts to monitor WAN connectivity.

SCENARIO #2
FAIL OVER
for dual WAN links without load balancing, using a SCRIPT

If you have 2 WAN links and you want to use the primary link for main internet usage, and in case the primary link [WAN1] loses its connectivity with the INTERNET (for example a problem with the link between your modem and the ISP, or between the ISP and the internet) the secondary link should take its place, and when the primary link [WAN1] is restored it should become active again, you can use the following scripts.

You have to create two scripts for this purpose.

SCRIPT-1 checks internet connectivity by pinging Google DNS 8.8.8.8 (you can change this value) via the default primary link [WAN1]; if it fails to receive a reply, it changes that route's distance value to 3.

SCRIPT-2 checks internet connectivity via the primary link; if it is able to get a reply from Google DNS 8.8.8.8, it sets the primary link's route distance value back to 1, so the primary link becomes active again.

Route distance values should be:

[WAN1]  PRIMARY link with route DISTANCE value 1
&
[WAN2]  SECONDARY link with route DISTANCE value 2

Make sure that you do the following:

1- Add the following comment to the default primary link [WAN1] route:

Default Route

(If you don't add this comment, the script won't be able to locate your default route.)

2- Add a static route for 8.8.8.8 [Google DNS] to make sure that monitoring of Google DNS always goes via the primary link.

OK, it's time to add the scripts.

SCRIPT 1: (for WAN1 DOWN status checking)

It checks internet connectivity (with Google DNS 8.8.8.8; you can change it) using the default route (primary link [WAN1]); if it fails to get replies, it changes the distance value of the primary link to 3, so the secondary link [WAN2] is automatically promoted and acts as the primary link for connectivity.

Note: The following scripts have been taken from the link below. I only modified them for my local needs.

http://wiki.mikrotik.com/wiki/Improved_Netwatch_II

:local i 0; {:do {:set i ($i + 1)} while (($i < 5) && ([/ping 8.8.8.8 interval=3 count=1]=0))};
:if ($i=5 && [/ip route get [find comment="Default Route"] distance]=1) do={:log info "PRIMARY LINK DOWN, Call 911 / 15,Zaib";
/ip route set [find comment="Default Route"] distance=3}

SCRIPT 2:  (for WAN1 UP status checking)

It again checks internet connectivity (with Google DNS 8.8.8.8) using the default route (primary link [WAN1]), as we have also set a fixed route for 8.8.8.8 to always go through the primary link. If it gets ping replies from Google DNS via the primary link [WAN1], it changes the primary link [WAN1] route distance back to 1, so it becomes the primary link again.

:local i 0; {:do {:set i ($i + 1)} while (($i < 5) && ([/ping 8.8.8.8 interval=3 count=1]=1))};
:if ($i=5 && [/ip route get [find comment="Default Route"] distance]=3) do={:log info "PRIMARY LINK UP, Hurraaah,Zaib";
/ip route set [find comment="Default Route"] distance=1}

Make sure that you add the following comment to the default primary link [WAN1] route:
Default Route

(If you don't add this comment, the script won't be able to locate your default route.)

[Image: default route with the "Default Route" comment]

Now you can schedule the SCRIPTs to run every 1 minute, or whatever interval is OK for you.
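The script below is an added example, not part of the original post or of the Mikrotik wiki script it adapts: it folds SCRIPT 1 and SCRIPT 2 into one scheduled check and addresses the single-host weakness noted in Scenario 1 by failing over only when none of several monitor hosts answers via WAN1. It assumes the "Default Route" comment and a static /32 route to each monitor host via WAN1, as required above; the script name wan1-check and the one-minute interval are my choices.

```routeros
# Added example (not from the original post or the wiki script it adapts).
# Assumptions: the WAN1 default route is commented "Default Route" and a static /32 route to each
# host below points at the WAN1 gateway, so every ping here leaves via WAN1 even after fail over.
# Distance 1 = WAN1 active, distance 3 = WAN1 failed over, as in SCRIPT 1 and SCRIPT 2 above.
:local hosts {"8.8.8.8";"221.132.112.8"}
:local total [:len $hosts]
:local alive 0

# Count the monitor hosts that answer; /ping returns the number of replies received.
:foreach h in=$hosts do={
    :if ([/ping $h count=3 interval=1] > 0) do={ :set alive ($alive + 1) }
}

:local route [/ip route find comment="Default Route"]
:local found [:len $route]
:if ($found != 1) do={
    # Refuse to act unless exactly one route carries the comment, so a mis-typed comment
    # never flips a route that was not meant to be touched.
    :log error "wan1-check: expected one route commented \"Default Route\", found $found"
} else={
    :local dist [/ip route get $route distance]
    # Fail over only when every monitor host is silent; one unreachable host is not a link failure.
    :if (($alive = 0) && ($dist = 1)) do={
        :log warning "PRIMARY LINK DOWN: 0 of $total monitor hosts answered via WAN1, distance set to 3 / zaib"
        /ip route set $route distance=3
    }
    # Restore WAN1 as soon as at least one monitor host answers through it again.
    :if (($alive > 0) && ($dist = 3)) do={
        :log info "PRIMARY LINK UP: $alive of $total monitor hosts answered via WAN1, distance set to 1 / zaib"
        /ip route set $route distance=1
    }
}
# Save the above as System > Scripts > wan1-check, then schedule it from the terminal:
# /system scheduler add name=wan1-check interval=1m on-event=wan1-check
```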

You will see the following entries in the LOG when the WAN link goes DOWN and UP. You can also configure actions to email or SMS you if any link goes down, for tracking purposes or if you want to be informed about the WAN status, as shown in the images below.

[Images: link down log entry; link up log entry]

SCENARIO #3

DUAL WAN LOAD BALANCING USING PCC WITH FAIL OVER, without scripting (very useful :) )

The following script does two-WAN load balancing using the PCC method. If any WAN link fails it automatically fails over to the other link, and when the failed link becomes available again load starts being distributed among both links (remember it will not shift back previously established connections such as downloads via IDM etc.; new connections will be distributed). The only negative is that we are using a single host per WAN to monitor; if that particular host (e.g. 8.8.8.8) stops answering pings while the rest of the link is fine, WAN1 will still shift to the secondary link. To avoid this, use multiple hosts to monitor WAN connectivity.

1# Make sure you change the interface names and IP addresses according to your network.
2# In the DNS section, use your ISP's DNS IP addresses.
3# You can use different host IP addresses for monitoring, preferably your primary ISP's reliable servers such as DNS. You can use other web sites' IPs too.

# apr/12/2013 11:13:43 by RouterOS 5.20
# Syed Jahanzaib / aacable@hotmail.com
# Web= http://aacable.wordpress.com
/ip address
add address=192.168.0.1/8 disabled=no interface=WAN1 network=192.168.0.0
add address=192.168.1.2/24 disabled=no interface=WAN2 network=192.168.1.0
add address=192.168.2.2/24 disabled=no interface=LAN network=192.168.2.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=208.67.222.222,202.141.224.34
# Use your OWN isp DNS ips , in this example I have used OPENDNS and other isp dns. Filtering is ON at opendns

/ip firewall mangle
add action=accept chain=prerouting disabled=no dst-address=192.168.1.0/24 in-interface=LAN
add action=accept chain=prerouting disabled=no dst-address=192.168.2.0/24 in-interface=LAN
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_mark passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_mark passthrough=yes
add action=mark-routing chain=output connection-mark=WAN1_mark disabled=no new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_mark disabled=no new-routing-mark=to_ISP2 passthrough=yes
add action=mark-connection chain=prerouting disabled=no dst-address-type=!LAN in-interface=LAN new-connection-mark=WAN1_mark passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0
add action=mark-connection chain=prerouting disabled=no dst-address-type=!LAN in-interface=LAN new-connection-mark=WAN2_mark passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1
add action=mark-routing chain=prerouting connection-mark=WAN1_mark disabled=no in-interface=LAN new-routing-mark=to_ISP1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_mark disabled=no in-interface=LAN new-routing-mark=to_ISP2 passthrough=yes

# Default masquerade rule for both WAN links
/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=WAN1
add action=masquerade chain=srcnat disabled=no out-interface=WAN2

###   ROUTE SECTION   ###
### Magic begins here

/ip route

add dst-address=8.8.8.8 gateway=192.168.1.1 scope=10
add dst-address=221.132.112.8 gateway=192.168.2.1 scope=10

## Now we create rules for Isp's routing mark:
add distance=1 gateway=8.8.8.8 routing-mark=to_ISP1 check-gateway=ping
add distance=2 gateway=221.132.112.8 routing-mark=to_ISP2 check-gateway=ping

## Create destinations to "virtual" hops to be use in further routes
add dst-address=10.0.0.1 gateway=8.8.8.8 scope=10 target-scope=10 check-gateway=ping
add dst-address=10.0.0.2 gateway=221.132.112.8 scope=10 target-scope=10 check-gateway=ping

## Add default routes for both isp's marked packets by mangle section
add distance=1 gateway=10.0.0.1 routing-mark=to_ISP1
add distance=2 gateway=10.0.0.2 routing-mark=to_ISP2

## Add default routes for no routing marks , For router itself
add distance=1 gateway=10.0.0.1
add distance=2 gateway=10.0.0.2

For more information, please visit
http://wiki.mikrotik.com/index.php?title=Advanced_Routing_Failover_without_Scripting

Regards,
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik Webproxy with PCC


I received a few requests from friends on how to configure the Mikrotik web proxy together with PCC on the same box, to save hardware resources and ease management. I never recommend using the Mikrotik web proxy, though, as it is designed for SOHO usage and is suitable only for small networks: it has basic capability for simple objects and only a few options to tune.
- Usually when you enable the web proxy on a PCC setup it won't work. To make it work you have to mark the web proxy connections in the output chain and exclude port 80 traffic from the prerouting PCC rules. An example is below. (I assume you already have dual WAN PCC configured and running.)


Add rules in the output chain and exclude port 80 traffic from the PCC prerouting chain

Add the following rules (output chain):

/ip firewall mangle
add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-1" disabled=no dst-port=80 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/0 protocol=tcp

add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-2" disabled=no dst-port=80 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
    both-addresses-and-ports:2/1 protocol=tcp

Now exclude port 80 from the PCC rules in the prerouting chain.

add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN1" disabled=no dst-address-type=!local dst-port=!80 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN2" disabled=no dst-address-type=!local dst-port=!80 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes \
    per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp

As shown in the image below:

[Image: PCC mangle rules]

Enable Mikrotik Web Proxy

Now Enable Web proxy.

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d \
    max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

As shown in the image below:

[Image: web proxy settings]

Redirect port 80 traffic to the web proxy (transparent proxy)

Now redirect users' port 80 traffic to the web proxy by creating a NAT rule, so that all users' browsing (port 80) requests are automatically redirected to the Mikrotik web proxy (aka transparent proxy). (Move this rule to the end of the NAT section.)

/ip firewall nat
add action=redirect chain=dstnat comment="Redirect port 80 request to Web Proxy" disabled=no dst-port=80 protocol=tcp to-ports=8080

As shown in the image below:

[Image: port 80 redirect rule]
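The rules below are an added example, not part of the original post, and complement the redirect rule above: with the proxy listening on tcp/8080 and no input filter, the router can be used as an open proxy from the WAN side. Interface names WAN1, WAN2, LAN and port 8080 are taken from the export later in this post; the rule comments are mine.

```routeros
# Added example, not part of the original post. Interface names WAN1, WAN2, LAN and proxy port
# 8080 come from the post's export; everything else here is an addition to that config.
#
# The redirect rule above matches every tcp/80 packet that reaches the dstnat chain, and the web
# proxy listens on tcp/8080 on all interfaces. Without an input filter, hosts on the internet can
# use the router as an open proxy. Limit the redirect to the LAN and drop outside access to 8080.
/ip firewall nat
add action=redirect chain=dstnat in-interface=LAN protocol=tcp dst-port=80 to-ports=8080 \
    comment="Redirect LAN port 80 requests to Web Proxy (LAN only)"

/ip firewall filter
# Accept proxy connections from LAN clients only, then drop the rest. Put both rules before any
# catch-all accept you already have in the input chain.
add chain=input in-interface=LAN protocol=tcp dst-port=8080 action=accept \
    comment="Web proxy from LAN"
add chain=input protocol=tcp dst-port=8080 action=drop \
    comment="Drop web proxy access from any other interface (open proxy prevention)"

# Check: the drop rule's counters should increase when tcp/8080 is tried from the WAN side.
/ip firewall filter print stats where chain=input
```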

Now try to browse from the client side, or download using IDM etc., and watch both the WAN usage and the web proxy status.

WAN USAGE STATUS >

[Image: load balancing across both WAN links]

WEB PROXY USAGE STATUS >

[Image: web proxy status]

Mikrotik EXPORT  with complete script for Dual WAN and Proxy.

[admin@MikroTik-2] > /ip ad ex
# may/16/2013 09:09:34 by RouterOS 5.20
# software id = zaib-home

/ip address
add address=10.0.0.1/8 disabled=no interface=WAN1 network=10.0.0.0
add address=192.168.0.1/24 disabled=no interface=WAN2 network=192.168.0.0
add address=192.168.5.1/24 disabled=no interface=LAN network=192.168.5.0

/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=512 servers=8.8.8.8

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 cache-on-disk=yes enabled=yes max-cache-size=unlimited max-client-connections=600 max-fresh-time=3d \
max-server-connections=600 parent-proxy=0.0.0.0 parent-proxy-port=0 port=8080 serialize-connections=no src-address=0.0.0.0

/ip firewall mangle
add action=mark-connection chain=input disabled=no in-interface=WAN1 new-connection-mark=WAN1_conn passthrough=yes
add action=mark-connection chain=input disabled=no in-interface=WAN2 new-connection-mark=WAN2_conn passthrough=yes

add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-1" disabled=no dst-port=80 new-connection-mark=WAN1_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=output comment="Marking Web Proxy Connection for WAN-2" disabled=no dst-port=80 new-connection-mark=WAN2_conn passthrough=yes per-connection-classifier=\
both-addresses-and-ports:2/1 protocol=tcp

add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN1" disabled=no dst-address-type=!local dst-port=!80 in-interface=LAN new-connection-mark=WAN1_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/0 protocol=tcp
add action=mark-connection chain=prerouting comment="Excluding Port 80 from PCC - WAN2" disabled=no dst-address-type=!local dst-port=!80 in-interface=LAN new-connection-mark=WAN2_conn passthrough=yes \
per-connection-classifier=both-addresses-and-ports:2/1 protocol=tcp

add action=mark-routing chain=prerouting connection-mark=WAN1_conn disabled=no in-interface=LAN new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=prerouting connection-mark=WAN2_conn disabled=no in-interface=LAN new-routing-mark=to_WAN2 passthrough=yes

add action=mark-routing chain=output connection-mark=WAN1_conn disabled=no new-routing-mark=to_WAN1 passthrough=yes
add action=mark-routing chain=output connection-mark=WAN2_conn disabled=no new-routing-mark=to_WAN2 passthrough=yes

add action=accept chain=prerouting disabled=no dst-address=10.0.0.0/8 in-interface=LAN
add action=accept chain=prerouting disabled=no dst-address=192.168.0.0/24 in-interface=LAN

/ip firewall nat
add action=masquerade chain=srcnat comment="Masquerade WAN1 Traffic" disabled=no out-interface=WAN1
add action=masquerade chain=srcnat comment="Masquerade WAN2 Traffic" disabled=no out-interface=WAN2
add action=redirect chain=dstnat comment="Redirect port 80 request to Mikrotik Web Proxy" disabled=no dst-port=80 protocol=tcp to-ports=8080

/ip route
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.0.0.1 routing-mark=to_WAN1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 routing-mark=to_WAN2 scope=30 target-scope=10

add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.0.1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=2 dst-address=0.0.0.0/0 gateway=10.0.0.1 scope=30 target-scope=10

[admin@MikroTik-2] >

Regards,
SYED JAHANZAIB


Filed under: Mikrotik Related

Monitor Switch Ports Up/Down Status via Mikrotik Dude – Short Notes


In my network I have a few Cisco switches at various departments, connected via fiber optics. Recently we were having network connectivity issues between various switches and devices. I already have a very good Mikrotik-based DUDE monitoring setup, but it only shows the SWITCH availability status on screen; I wanted a good visual for the switch ports too.

I found a few ways to accomplish this using DUDE functions, scripts, etc., but found the following method very simple to start with. It also sends me an email when any port goes down or is not in use.

Make sure your switch supports SNMP, and that the SNMP agent is enabled on your SWITCH with settings that match your DUDE configuration. For simplicity you can use PUBLIC as the default community string in the switch. In this example I have used a CISCO 3750 (in dual stack mode) and added only a few ports as an example.

First add your switch to the map so that it appears as shown in the image below.

[Image: Cisco switch on the Dude map]

Adding a PROBE for port monitoring

Now, to add PORT monitoring, open the Dude,
go to PROBES and click on the + sign to add a new probe.
Use the following data:

Name = PORT 9
Type = SNMP
SNMP Profile = Your SNMP Profile
Oid = iso.org.dod.internet.mgmt.mib-2.interfaces.ifTable.ifEntry.ifOperStatus.10109
Oid Type = integer
Compare method = ==equal
Integer Value = 1

As shown in the image below:

[Image: adding the probe in Probes]

Note: Change the OID index number to match the port number on your switch; for example I am monitoring port number 9, whose index value is 10109. You can use SNMPWALK via the DUDE to check the OIDs for the different ports of your switch.

Now click OK to save.

Adding a switch PORT separately using IP and PROBE

It's time to add the PORTs to your map so they appear separately, as shown in the title image.

Go back to your MAP,
right click and ADD a new device,
type your switch IP address and click on Next,
now DO NOT click on Discover; simply click on the + sign,
in PROBE select the PORT 9 probe you created earlier,
and click on Apply/OK, as shown in the image below:

[Image: port 9 device with probe]

Click on Finish.

Now you will see something like below:

[Image: port down status]

As you can see, port number 9 is down, so the status is shown correctly.

Now you can repeat the same procedure to add as many ports as you like to monitor, something like the image below:

[Image: several switch ports on the map]

Adding LINKS to monitor port usage

You can also add LINKS to show the port usage :)

As shown in the example below:

[Images: add link; link SNMP settings]

After adding ports / SNMP links and other enhancements, you will see something like the image below:

[Image: final map]

I will add more methods to monitor the ports. For more info, please read the following links:

http://forum.mikrotik.com/viewtopic.php?f=8&t=46928

http://forum.mikrotik.com/viewtopic.php?t=46419

Regards,
Syed Jahanzaib


Filed under: Cisco Related, Mikrotik Related

RouterOS by Example – By – Stephen Discher


A comprehensive and practical guide to MikroTik RouterOS. Useful literature with examples and other reference materials. Recommended for beginners and administrators ☺

The cost is $49.95 (+ tax if shipped to a Texas address) plus shipping anywhere in the world (international shipping by US Postal Service Priority Mail for only $16.95!).


Download Link:

http://learnmikrotik.com/index.php/get-the-book.html


Regards
Syed Jahanzaib


Filed under: Mikrotik Related

Monitoring Mikrotik with Linux base MRTG [References]


I have another article that explains well how to monitor most Mikrotik parts via nix based MRTG, but it has lots of junk data too; curse upon WordPress, which always messes with the code, and most of the time my hard work goes to TRASH :(

I will post updates

# Enabling SNMP on Mikrotik

First enable the SNMP service (with public as the community string, or whatever you like) on your Mikrotik. Make sure no firewall rule is blocking SNMP traffic from/to the monitoring server. (The export below allows the community from 0.0.0.0/0; on a router reachable from the Internet it is advisable to restrict addresses to the monitoring server's IP and to use a community string other than public.)

Open the Terminal in Mikrotik and paste the following commands. Or you can configure it by going to IP > SNMP.


/snmp community
set [ find default=yes ] addresses=0.0.0.0/0 authentication-password="" authentication-protocol=MD5 encryption-password="" encryption-protocol=DES name=public read-access=yes \
security=none write-access=no

/snmp
set contact=Syed-Jahanzaib enabled=yes engine-id="" location=aacable-wordpress-com trap-community=public trap-generators="" trap-target="" trap-version=1

Now proceed further :)

1. Monitoring Mikrotik Simple Queue with Linux based MRTG (for performance monitoring and tracking purposes)

To monitor a simple QUEUE via Linux based MRTG, you can use the following config as an example :D

First you have to check your simple queue OID (the numeric value which MRTG uses to poll specific data from the remote server) in Mikrotik. For example, you have a queue to allow 100M for proxy cache-hit marked packets.

[Image: sq-ch]

Open the Terminal and print the OID for Simple Queue number 0 (yours may differ, but in general the queue for proxy hit packets should be at the ** TOP **)


[admin@MikroTik] /queue simple print

Flags: X - disabled, I - invalid, D - dynamic

0    ;;; Simple Queue for squid Proxy CACHE HIT Packet Allow Unlimited Bandwidth
name=SQ-for-cache-hit interface=all parent=none packet-marks=Cache direction=both priority=8 queue=default-small/default-small limit-at=0/0 max-limit=100M/100M burst-limit=0/0
burst-threshold=0/0 burst-time=0s/0s total-queue=default-smal

Now check its OID value, which will be used in MRTG to graph the values. Do remember that if you move/delete/add a particular queue, the OID value will change; simply note down the new value and recreate the graphs with the new values. Also, on every system these OIDs are different, so simply take a print oid to get them.


[admin@MikroTik] /queue simple print oid

Flags: X - disabled, I - invalid, D - dynamic

0    ;;; Simple Queue for squid Proxy CACHE HIT Packet Allow Unlimited Bandwidth
name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.12534 bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.12534 bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.12534 packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.12534
packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.12534 queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.12534 queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.12534

As shown in the image below . . .

[Image: qu-oid]

Now we have to take the bytes-in and bytes-out values for graphing purposes, which in our case are

.1.3.6.1.4.1.14988.1.1.2.1.1.8.12534
.1.3.6.1.4.1.14988.1.1.2.1.1.9.12534

Now you can simply use the below CFG file to create Graphs for the mikrotik simple queue.


Target[mikrotik-simple-queue-in-out]: .1.3.6.1.4.1.14988.1.1.2.1.1.8.12534&.1.3.6.1.4.1.14988.1.1.2.1.1.9.12534:public@10.0.0.1
MaxBytes[mikrotik-simple-queue-in-out]: 100000000
#Options[mikrotik-simple-queue-in-out]: bits
Title[mikrotik-simple-queue-in-out]: Mikrotik QUEUE for Cache HIT
PageTop[mikrotik-simple-queue-in-out]: <H1>Mikrotik QUEUE for Cache HIT</H1>
<TABLE>
<TR><TD>Port:</TD><TD>Connected on WAN router</TD></TR>
<TR><TD>Maintainer:</TD><TD>Syed Jahanzaib</TD></TR>
<TR><TD>Interface:</TD><TD>eth0</TD></TR>
<TR><TD>Max Speed:</TD><TD>10.mbps poor man</TD></TR>
</TABLE>
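Because the trailing number in those OIDs (12534 here) changes whenever the queue is moved or recreated, it is safer to regenerate the MRTG target from the `print oid` text than to edit it by hand. The following is an added example, not code from the post: it parses a constructed copy of the `/queue simple print oid` output shown above (values taken from the post) and renders the Target/MaxBytes/Title lines. The router address 10.0.0.1 and the community public are the post's values; on a real deployment pass your own.

```python
"""Added example: build the MRTG target lines for a simple queue from the
text of `/queue simple print oid`.  PRINT_OID_OUTPUT is a constructed copy
of the post's output; nothing here is RouterOS's or MRTG's own code.
"""
import re

# Constructed sample of `/queue simple print oid` (OID values from the post)
PRINT_OID_OUTPUT = """\
Flags: X - disabled, I - invalid, D - dynamic
 0    ;;; Simple Queue for squid Proxy CACHE HIT Packet Allow Unlimited Bandwidth
      name=.1.3.6.1.4.1.14988.1.1.2.1.1.2.12534 bytes-in=.1.3.6.1.4.1.14988.1.1.2.1.1.8.12534 bytes-out=.1.3.6.1.4.1.14988.1.1.2.1.1.9.12534 packets-in=.1.3.6.1.4.1.14988.1.1.2.1.1.10.12534
      packets-out=.1.3.6.1.4.1.14988.1.1.2.1.1.11.12534 queues-in=.1.3.6.1.4.1.14988.1.1.2.1.1.12.12534 queues-out=.1.3.6.1.4.1.14988.1.1.2.1.1.13.12534
"""

# key=.1.3.6... pairs as printed by RouterOS
_KV = re.compile(r"(\S+)=(\.[\d.]+)")


def parse_queue_oids(text):
    """Return {field: oid} for the first (top, number 0) queue in the output."""
    oids = {}
    for line in text.splitlines():
        for key, oid in _KV.findall(line):
            oids.setdefault(key, oid)   # keep the first queue's values only
    return oids


def queue_index(oid):
    """The last OID component is the queue's SNMP index; it changes when the
    queue is moved, deleted or re-added, which is why graphs break."""
    return int(oid.rsplit(".", 1)[1])


def mrtg_target_block(oids, router, community, name, max_bytes, title):
    """Render the MRTG lines the post uses: Target is bytes-in&bytes-out."""
    if "bytes-in" not in oids or "bytes-out" not in oids:
        raise KeyError("print oid output did not contain bytes-in/bytes-out")
    return "\n".join([
        f"Target[{name}]: {oids['bytes-in']}&{oids['bytes-out']}:{community}@{router}",
        f"MaxBytes[{name}]: {max_bytes}",
        f"Title[{name}]: {title}",
        f"PageTop[{name}]: <H1>{title}</H1>",
    ])


if __name__ == "__main__":
    q = parse_queue_oids(PRINT_OID_OUTPUT)
    print("queue index:", queue_index(q["name"]))
    print(mrtg_target_block(q, "10.0.0.1", "public",
                            "mikrotik-simple-queue-in-out", 100000000,
                            "Mikrotik QUEUE for Cache HIT"))
```

Running this against a fresh `print oid` dump after you reorder queues, and diffing the result with the live `mrtg.cfg`, tells you immediately which graph targets need the new index.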

SAMPLE GRAPH FOR THE SIMPLE QUEUE MONITORING VIA MRTG

[Image: QUEUE-SAMPLE]


2. Monitoring CPU Usage


### MIKROTIK 10.0.0.1 CPU load ###
Target[10.0.0.1_cpu]: 1.3.6.1.2.1.25.3.3.1.2.1&1.3.6.1.2.1.25.3.3.1.2.1:public@10.0.0.1
AbsMax[10.0.0.1_cpu]: 100
MaxBytes[10.0.0.1_cpu]: 100
Title[10.0.0.1_cpu]: MIKROTIK CPU load
PageTop[10.0.0.1_cpu]: <H1>MIKROTIK CPU load</H1>
Options[10.0.0.1_cpu]: gauge,growright,nopercent, noo
YLegend[10.0.0.1_cpu]: CPU load
ShortLegend[10.0.0.1_cpu]: %
LegendI[10.0.0.1_cpu]: CPU load (percentage)

As shown in the image below . . .

[Image: mt-cpu-load]

3. Monitoring Active PPP Users

# Mikrotik PPP ACTIVE Users
Target[mtpppusers]: 1.3.6.1.4.1.9.9.150.1.1.1.0&1.3.6.1.4.1.9.9.150.1.1.1.0:public@10.0.0.1
Title[mtpppusers]: Active PPP Users on MT
PageTop[mtpppusers]: <H1>Active PPP Users on MT</H1>
MaxBytes[mtpppusers]: 300
Colours[mtpppusers]: B#8888ff,B#8888ff,B#5398ff,B#5398ff
Options[mtpppusers]: gauge,nopercent,noo,integer,growright
LegendI[mtpppusers]: Active PPP Users on MT
LegendO[mtpppusers]:
YLegend[mtpppusers]: Active PPP Users on MT
Legend1[mtpppusers]: Active PPP Users on MT
Legend2[mtpppusers]:

As shown in the image below . . .

[Image: ppp]

4. Monitoring RB CPU Temperature

### MONITORING Mikrotik CPU TEMP ###
Target[mt.cpu.temp]: 1.3.6.1.4.1.14988.1.1.3.11.0&.1.3.6.1.4.1.14988.1.1.3.11.0:public@10.0.0.1
Options[mt.cpu.temp]: gauge, growright, nopercent, noinfo
MaxBytes[mt.cpu.temp]: 100
Colours[mt.cpu.temp]: RED#ff4f27,Y#fffb15,RED#ff4f27,RED#fffb15
#Unscaled[mt.cpu.temp]: dwmy
YLegend[mt.cpu.temp]: CPU Temperature
Title[mt.cpu.temp]: Mikrotik RB CPU Temperature
PageTop[mt.cpu.temp]: <H1>Mikrotik RB CPU Temperature</H1>
ShortLegend[mt.cpu.temp]: c
LegendI[mt.cpu.temp]:
LegendO[mt.cpu.temp]: CPU Temp
Legend1[mt.cpu.temp]: CPU Temperature
Legend2[mt.cpu.temp]: CPU Temperature

5. Monitoring RB Temperature

### MONITORING Mikrotik RB TEMP ###
Target[mt.rb.temp]: 1.3.6.1.4.1.14988.1.1.3.10.0&.1.3.6.1.4.1.14988.1.1.3.10.0:public@10.0.0.1
Options[mt.rb.temp]: gauge, growright, nopercent, noinfo
MaxBytes[mt.rb.temp]: 100
Colours[mt.rb.temp]: RED#ff4f27,Y#fffb15,RED#ff4f27,RED#fffb15
#Unscaled[mt.rb.temp]: dwmy
YLegend[mt.rb.temp]: RB Temperature
Title[mt.rb.temp]: Mikrotik Router Board Temperature
PageTop[mt.rb.temp]: <H1>Mikrotik Router Board Temperature</H1>
ShortLegend[mt.rb.temp]: c
LegendI[mt.rb.temp]:
LegendO[mt.rb.temp]: RB Temp
Legend1[mt.rb.temp]: RB Temperature
Legend2[mt.rb.temp]: RB Temperature

Regards
Syed Jahanzaib


Filed under: Linux Related, Mikrotik Related

Mikrotik DUDE SMS Notification !


Scenario:

GSM device is connected with Mikrotik for SEND/RECEIVE purposes.

DUDE is installed in Windows base PC.

As far as my research goes, there is no direct method in Dude to send SMS using Dude's own mechanism; you have to involve/call a 3rd party tool to accomplish the SMS sending task. It can be a Windows CLI based SMS sender program like smssender.exe/gammu for win32, an SMS based HTTP gateway or whatever.

You can also connect the GSM device to your Windows based PC, but in my scenario my GSM device was not supported in the 64 bit version of Windows 7; that's why I had to take the long route of sending SMS via Mikrotik. Also my Mikrotik is set to receive SMS to perform various functions like reboot, WAN status etc, so chill :) )

Now the simple task is that we want to send DUDE notification via SMS using Mikrotik GSM/Mobile device, Just in case any critical device/server goes down.

We have to configure both the Mikrotik server and DUDE, so first the Mikrotik section.

MIKROTIK Section:

First make sure you have configured your GSM/mobile device properly in Mikrotik and you have tested it by sending a test SMS. Read the following article for reference.

http://aacable.wordpress.com/2012/11/22/howto-enable-mikrotik-to-sendreceive-sms-using-gsm-modem/

Also don't forget to enable the SSH service in Mikrotik, as we will use SSH to execute the sms send command from the DUDE server.
[Note: Be careful, enabling the SSH service can potentially open the door for some unwanted guests/possible hackers, so it is better to allow only the DUDE server IP for SSH access via a filter rule]


DUDE Section:

First download PLINK, which will be used to SSH into Mikrotik and execute the send sms command on behalf of Dude. Click here to download plink and copy it to any folder like c:\temp\ . Also turn off the File Run warning from Windows Firewall.

http://the.earth.li/~sgtatham/putty/latest/x86/plink.exe

Now in DUDE, on the left menu, go to Notifications and add a new one by clicking on the + sign or right click/add.

As shown in the image below . . .

[Image: add-notify]

Now use following details.

Name = SMS Notification

Type = Execute on Server

Command:

c:\temp\plink.exe -ssh -l admin -pw 123 192.168.1.11 "/tool sms send phone-number=03333021909 usb3 message=[Probe.Name]_on_[Device.Name]_is_now__[Service.Status]"

[Change the password + IP + mobile number + USB Port number from above command]

Make sure your device name and message have no BLANK SPACES in them; that's why I used underscores or dashes.
It took me 3-4 hours just to figure out that spaces were not supported or created problems with brackets [( )].
Hope this will help someone.

As shown in the image below . . .

[Image: sms-notify-image]


From your MAP, select the device you want to monitor and receive SMS alerts for.
Go to POLLING, and click on USE NOTIFICATION.

Now you will see "SMS Notification"; simply select it, and click on APPLY/OK.
As shown in the image below . . .

 

[Image: dude-monitor-target]

Now test it by disconnecting that target device (or for testing, change the target IP address to some unreachable IP).
You should receive the alert via SMS :) . Do monitor the Mikrotik LOG window for the activity; also enable GSM debug so that you are aware of its activity.

Regards
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik with Multiple WAN IP’s and Port Forwarding


[Image: CISCO-asa-replacement-diagram]

Mark my words !

MIKROTIK is the Future & Cisco domination is about to end.
For sure CISCO still holds the majority of shares in routers world, but it is going to change very soon
Jz

Recently I did some testing at my office for a possible replacement of a Cisco ASA 5510 Firewall/Router with a Mikrotik Router-board. Following is a short reference on how I did it. I had a /29 public IP pool. Configuration was pretty straightforward, but I was confused on how to route a specific LAN server's (or IP's) traffic via a specific WAN IP. Using src-address I managed to solve it. Following is a short reference for future usage.

Scenario is as follows

We will configure all usable WAN IP addresses on the Mikrotik WAN interface, and we will forward the required ports from specific WAN IPs to specific LAN servers. We will also configure the firewall so that only the required ports are open from the WAN side for security purposes; all other traffic will be denied on the WAN interface. We will also bind local servers to specific WAN IP addresses.

Mikrotik has two interfaces.

ether1 = LAN users
ether2 = WAN Link

Now we want to forward traffic as follows. (all ip scheme used here is fictional and for example purposes only)

mail server = 10.0.0.2 → 1.2.3.1    WAN IP
dude server = 10.0.0.3 → 1.2.3.2   WAN IP
cctv1 server = 10.0.0.4 → 1.2.3.3   WAN IP
cctv2 server = 10.0.0.5 → 1.2.3.4   WAN IP

IP Configuration at Mikrotik Interfaces . . .

/ip address
add address=10.0.0.1/8 comment=LAN disabled=no interface="LAN - ether1"
add address=1.2.3.1/29 interface="WAN - ether2"
add address=1.2.3.2/29 interface="WAN - ether2"
add address=1.2.3.3/29 interface="WAN - ether2"
add address=1.2.3.4/29 interface="WAN - ether2"

Filter Rules Section to allow only required Incoming traffic on WAN interface, and DENY all other for security purposes :)

Now we will first add the required ports in the firewall filter BEFORE the DENY rule, which comes last.


/ip firewall filter
add action=accept chain=input comment="SMTP" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="POP3" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="CCTV 2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="WINBOX 8192" disabled=no dst-port=8192 in-interface="WAN - ether2" protocol=tcp
add action=accept chain=input comment="Allow PING ICMP " disabled=no protocol=icmp
add action=drop chain=input comment="DROP ALL INCOMING TRAFFIC ON WAN INTERFACE" disabled=no in-interface="WAN - ether2"

NAT section to do port forwarding from WAN IPs to local servers, and use src-nat to bind local servers so their traffic is routed via a specific WAN IP

### First dst-nat section to forward port


/ip firewall nat
add action=dst-nat chain=dstnat comment="SMTP 25 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=25 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=25
add action=dst-nat chain=dstnat comment="POP3 110 Forward to MAIL-Server" disabled=no dst-address=1.2.3.1 dst-port=110 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=110
add action=dst-nat chain=dstnat comment="Web 80 Forward to MAIL-Server Webmail" disabled=no dst-address=1.2.3.1 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.2 to-ports=80
add action=dst-nat chain=dstnat comment="Web 80 Forward to DUDE" disabled=no dst-address=1.2.3.2 dst-port=80 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.3 to-ports=80
add action=dst-nat chain=dstnat comment="CCTV1 - 81 Forward to cctv1" disabled=no dst-address=1.2.3.3 dst-port=81 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.4 to-ports=81
add action=dst-nat chain=dstnat comment="CCTV2 - 82 Forward to cctv2" disabled=no dst-address=1.2.3.4 dst-port=82 in-interface="WAN - ether2" protocol=tcp to-addresses=10.0.0.5 to-ports=82

### Now route specific local servers traffic from specific WAN IP address

add action=src-nat chain=srcnat comment="Route mail traffic via 1.2.3.1" disabled=no src-address=10.0.0.2 to-addresses=1.2.3.1
add action=src-nat chain=srcnat comment="Route DUDE traffic via 1.2.3.2" disabled=no src-address=10.0.0.3 to-addresses=1.2.3.2
add action=src-nat chain=srcnat comment="Route CCTV1 traffic via 1.2.3.3" disabled=no src-address=10.0.0.4 to-addresses=1.2.3.3
add action=src-nat chain=srcnat comment="Route CCTV2 traffic via 1.2.3.4" disabled=no src-address=10.0.0.5 to-addresses=1.2.3.4

add action=masquerade chain=srcnat comment="Default Masquerade Rule for LAN" disabled=no out-interface="WAN - ether2" src-address=10.0.0.2-10.0.0.255

Now test it from WAN side. You can check port status from http://www.yougetsignal.com/tools/open-ports/
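Before pushing a rule set like the one above, it helps to check its first-match behaviour offline. The following is an added example (not code from the post or from RouterOS): it transcribes the input chain and the dstnat mappings above into a small simulator and applies RouterOS's processing order, dstnat in prerouting first, then the input chain only for packets that are still addressed to the router. The test packets and the WAN source 203.0.113.5 are constructed. One thing the simulation makes visible: a packet that is dst-nat'ed to a LAN server leaves through the forward chain, so the input rules above protect the router itself (Winbox, ping, and so on), while the "drop everything else" intent for the LAN servers needs the same allow-list mirrored in chain=forward. It also shows that the WINBOX 8192 rule matches any WAN source, which is worth narrowing with src-address to the management hosts.

```python
"""Added example: first-match simulator for the post's input-chain and
dstnat rules.  Rules are transcribed from the post; packets are constructed.
"""
from dataclasses import dataclass

WAN = "WAN - ether2"


@dataclass(frozen=True)
class Packet:
    in_iface: str
    proto: str          # "tcp", "udp" or "icmp"
    src: str
    dst: str
    dport: int = 0      # 0 for protocols without ports


# chain=input, in the post's order; first matching rule decides
INPUT_RULES = [
    dict(action="accept", proto="tcp", dst="1.2.3.1", dport=25, in_iface=WAN, comment="SMTP"),
    dict(action="accept", proto="tcp", dst="1.2.3.1", dport=110, in_iface=WAN, comment="POP3"),
    dict(action="accept", proto="tcp", dst="1.2.3.1", dport=80, in_iface=WAN, comment="Webmail"),
    dict(action="accept", proto="tcp", dst="1.2.3.2", dport=80, in_iface=WAN, comment="DUDE"),
    dict(action="accept", proto="tcp", dst="1.2.3.3", dport=81, in_iface=WAN, comment="CCTV 1"),
    dict(action="accept", proto="tcp", dst="1.2.3.4", dport=82, in_iface=WAN, comment="CCTV 2"),
    dict(action="accept", proto="tcp", dport=8192, in_iface=WAN, comment="WINBOX 8192"),
    dict(action="accept", proto="icmp", comment="Allow PING ICMP"),
    dict(action="drop", in_iface=WAN, comment="DROP ALL INCOMING TRAFFIC ON WAN INTERFACE"),
]

# chain=dstnat: (WAN address, port) -> (LAN server, port), tcp only, from WAN
DSTNAT = {
    ("1.2.3.1", 25): ("10.0.0.2", 25),
    ("1.2.3.1", 110): ("10.0.0.2", 110),
    ("1.2.3.1", 80): ("10.0.0.2", 80),
    ("1.2.3.2", 80): ("10.0.0.3", 80),
    ("1.2.3.3", 81): ("10.0.0.4", 81),
    ("1.2.3.4", 82): ("10.0.0.5", 82),
}


def _matches(rule, pkt):
    """A rule matches when every matcher it specifies equals the packet field."""
    return all(getattr(pkt, k) == v for k, v in rule.items()
               if k not in ("action", "comment"))


def input_chain(pkt):
    """(action, comment) of the first matching input rule; RouterOS's
    default policy when nothing matches is accept."""
    for rule in INPUT_RULES:
        if _matches(rule, pkt):
            return rule["action"], rule["comment"]
    return "accept", "implicit (no rule matched)"


def dst_nat(pkt):
    """LAN (address, port) the packet is forwarded to, or None if not translated."""
    if pkt.in_iface != WAN or pkt.proto != "tcp":
        return None
    return DSTNAT.get((pkt.dst, pkt.dport))


def classify(pkt):
    """Model the order RouterOS applies: dstnat (prerouting) before filtering.
    A translated packet goes to the forward chain, so input rules never see it."""
    target = dst_nat(pkt)
    if target:
        return ("forward", target)
    return ("input",) + input_chain(pkt)


if __name__ == "__main__":
    src = "203.0.113.5"   # constructed WAN client
    for p in (Packet(WAN, "tcp", src, "1.2.3.1", 25),
              Packet(WAN, "tcp", src, "1.2.3.1", 443),
              Packet(WAN, "tcp", src, "1.2.3.4", 8192),
              Packet(WAN, "icmp", src, "1.2.3.1")):
        print(p.dst, p.dport, "->", classify(p))
```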

♣ ♣ ♣

Regards
Syed Jahanzaib


Filed under: Mikrotik Related

FUN with Mikrotik BRIDGE Series#1. Filter PPPoE Requests


If you are running a network or ISP/WISP and using Mikrotik as a PPPoE server, then you may have run into this problem: many users have configured a WiFi router at their home to share the internet between mobiles, laptops and other devices, which is common nowadays. Usually the PPPoE dialer is configured in the user's WiFi ROUTER. The problem begins when the user account expires BUT the router keeps retrying the PPPoE dialer again and again, 24 hours a day. Imagine if you have lots of routers doing this sort of flooding/bombing: you will see only PPPoE failed authentication messages in the Mikrotik logs and you won't be able to see any other valid info due to the continuous logging of failed auth messages. You can ignore it if the number is low, but sometimes it becomes annoying to see such messages, and if you are very short on space with a lower model of RB, then it is going to become an issue for you. Sometimes it's just not possible to visit the user end to tell him to turn off his router / remove his cable from the switch, OR you are running layer 2 unmanaged switches, OR you simply don't want to visit that user. After a little searching (I did not make an extensive search) I found out that from the Mikrotik Firewall you cannot block PPPoE requests, as PPPoE discovery works on BROADCAST.

So I found the following method to block PPPoE requests from particular VALID expired users. (I am using the words VALID expired users because, if the user is not doing it intentionally, then it is easier to block him at the Mikrotik level; but if some smart bugger is doing it just to annoy you, you have to hunt him down and cut the cable or block him at the managed AP level, because he can change the MAC address any time.)

Ok, the simple theory is:

1- Create a bridge interface,
2- Enable the bridge firewall,
3- Add your LAN interface to it,
4- Finally create a filter that blocks PPPoE discovery for that specific MAC address :) and that's it :)

Ok here we go . . .
We will first add virtual BRIDGE interface

/interface bridge
add admin-mac=00:00:00:00:00:00 ageing-time=5m arp=enabled auto-mac=yes disabled=no forward-delay=\
15s l2mtu=65535 max-message-age=20s mtu=1500 name=bridge1 priority=0x8000 protocol-mode=none \
transmit-hold-count=6

Now we will add the LAN interface to this BRIDGE to intercept all traffic passing through it and block it before it passes to the LAN interface.

/interface bridge port
add bridge=bridge1 disabled=no edge=auto external-fdb=auto horizon=none interface=LAN-ether2 \
path-cost=10 point-to-point=auto priority=0x80

Now we will enable the BRIDGE FIREWALL; this is necessary because by default the Mikrotik IP/FIREWALL does not filter traffic passing through the BRIDGE interface.

/interface bridge settings
set use-ip-firewall=yes use-ip-firewall-for-pppoe=yes use-ip-firewall-for-vlan=no

Finally we will create BRIDGE FILTER(s) to drop traffic from particular user to block PPPoE connection attempts only, using his mac address.


/interface bridge filter
add action=drop chain=input comment=\
"Block only PPPoE Discovery (connectivity) from user 'ZAIB' to prevent pppoe flooding" disabled=no \
mac-protocol=pppoe-discovery src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF


IF you want to BLOCK ANY traffic coming from that or another user's MAC address from passing through the bridge to the LAN interface (sometimes it is a good approach ;) hmmmmm )

## IF you want to BLOCK ANY traffic coming from that or other  user
#add action=drop chain=input comment="Block ANY traffic from user 'KARACHI'" disabled=yes \
#    mac-protocol=ip src-mac-address=00:23:AE:A8:1F:7F/FF:FF:FF:FF:FF:FF
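The bridge filter above matches on two things: the EtherType (mac-protocol=pppoe-discovery is 0x8863, the PADI/PADO/PADR/PADS exchange, while an established session uses 0x8864) and the source MAC under a mask. The following is an added example, not code from the post or from RouterOS, that applies that decision to raw Ethernet frames so the effect of the mask is visible: with FF:FF:FF:FF:FF:FF only the exact MAC from the post is dropped, and discovery from any other MAC, or session/IP frames from the blocked MAC, pass. The frames are constructed; the MAC 00:23:AE:A8:1F:7F is the post's.

```python
"""Added example: what the post's bridge filter does to a raw Ethernet frame.
Frames are constructed here; the blocked MAC is the one used in the post.
"""
import struct

ETH_PPPOE_DISCOVERY = 0x8863   # mac-protocol=pppoe-discovery
ETH_PPPOE_SESSION = 0x8864     # established PPPoE session traffic
ETH_IP = 0x0800                # mac-protocol=ip


def mac_bytes(text):
    """'00:23:AE:A8:1F:7F' -> 6 bytes."""
    return bytes(int(x, 16) for x in text.split(":"))


def mac_matches(src, address, mask):
    """RouterOS style address/mask: compare only the bits set in the mask."""
    return all((s & m) == (a & m) for s, a, m in zip(src, address, mask))


def parse_ethernet(frame):
    """(dst_mac, src_mac, ethertype, payload) of an untagged Ethernet II frame."""
    if len(frame) < 14:
        raise ValueError("frame too short for an Ethernet header")
    dst, src, etype = struct.unpack("!6s6sH", frame[:14])
    return dst, src, etype, frame[14:]


# The post's rule: drop PPPoE discovery from one MAC, mask FF:...:FF = exact match
BLOCKED = mac_bytes("00:23:AE:A8:1F:7F")
EXACT = mac_bytes("FF:FF:FF:FF:FF:FF")


def bridge_filter(frame, address=BLOCKED, mask=EXACT):
    """'drop' when the frame is PPPoE discovery from a matching source MAC,
    otherwise 'accept' (the bridge filter's default)."""
    _, src, etype, _ = parse_ethernet(frame)
    if etype == ETH_PPPOE_DISCOVERY and mac_matches(src, address, mask):
        return "drop"
    return "accept"


def build_frame(src_mac, ethertype, payload=b""):
    """Constructed frame with the broadcast destination a PADI uses."""
    return (mac_bytes("FF:FF:FF:FF:FF:FF") + mac_bytes(src_mac)
            + struct.pack("!H", ethertype) + payload)


# Minimal PADI payload: ver/type 0x11, code 0x09 (PADI), session id 0, length 0
PADI = bytes([0x11, 0x09, 0x00, 0x00, 0x00, 0x00])


if __name__ == "__main__":
    for mac, etype in (("00:23:AE:A8:1F:7F", ETH_PPPOE_DISCOVERY),
                       ("00:23:AE:A8:1F:7F", ETH_PPPOE_SESSION),
                       ("00:23:AE:A8:1F:80", ETH_PPPOE_DISCOVERY)):
        print(mac, hex(etype), bridge_filter(build_frame(mac, etype, PADI)))
```

Passing a mask such as FF:FF:FF:00:00:00 to `bridge_filter` matches a whole OUI instead of one adapter; the post's rule deliberately uses the full mask so that only the one expired user's router is silenced.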

As shown in the images below . . .

[Image: birdge-]

[Image: pppoe-1]

Note: I found this method with some R&D using the WIRESHARK capturing tool, but I am very confident that there are other suitable methods that may be simpler and easier to implement with simple rules. If you have info, drop me a message so that I can update these little notes.

Another proper method is to use a VLAN and managed switch combination to block all sorts of flooding at that particular end. But usually it's not affordable for smaller networks.


Regards
Syed Jahanzaib


Filed under: Mikrotik Related

[Mikrotik Hotspot] Possible workaround for Dynamic Queue always remain above static queue


Someone asked me about a hotspot related issue. The scenario was that HOTSPOT was configured with a SQUID proxy server. He also had User Manager, so queuing is dynamically managed by User Manager in hotspot. He had a simple queue to give cache-hit marked packets unlimited speed to users. The issue was that when any hotspot user logs in and Hotspot/Radius creates the Dynamic Queue, it overrides the simple queue by placing itself above the static queue, so the cache-hit queue becomes useless for providing unlimited speed to cache packets due to its lower position.

As shown in the images below . . .

Before HOTSPOT user login,

[Image: cache-1]

After HOTSPOT user logged in,

[Image: cache-2]

The workaround for this issue was to create a script that moves this static queue, named "cache-hit", to position 0 (top) whenever any user logs in. The script can be added in HOTSPOT > USER PROFILES > SCRIPTS.
This way, whenever any hotspot user logs in, this script will run and move cache-hit to position 0 (top).

Ok, first rename your cache hit queue to "cache-hit".

Now add a script that will actually move the cache-hit queue to the top.


/system script
add name=movestatic0 policy=\
ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api \
source="/queue simple move [find name=\"cache-hit\"] 0"

Now we have to add this script to the HOTSPOT user profiles (in this example I have only one default profile; if you have multiple user profiles, you have to add this to all profiles, either via CLI or preferably via GUI).


/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m name=default \
on-login="/system script run movestatic0" shared-users=1 \
status-autorefresh=1m transparent-proxy=no

Now whenever any hotspot user logs in, the hotspot profile will execute the script "movestatic0" that we created earlier, and it will move the cache-hit queue to the TOP.

Now the results will be as shown in the image below . . .

[Image: cache-final]

Regards
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik Central VPN Server For Remote Branches Connectivity


[Image: mini-isp]

Consider following scenario:

An ISP has multiple locations all over the country. The main Mikrotik router at the NOC has a fixed public IP. The Radius Billing system is connected to the LAN. All remote locations have Mikrotik Router boards as NAS and have dynamic public IPs. All locations have their own internet connectivity with various ISPs, but we want to use our main RADIUS server as a centralized billing solution for all the REMOTE locations. So this is a short guide on how to create a central Radius Server and connect all remote branches/NASes to it.

To be continued . . . will write soon about it; while writing this guide, an issue in the network popped up . . 00-(

Head Office Mikrotik Config

LAN subnet = 10.0.0.1/8
WAN subnet = 1.1.1.1/29
Radius = 10.0.0.2/8

First add IP pool for VPN users, like same as LAN series but with specific series.

/ip pool
add name=PPP-Pool ranges=172.16.0.1-172.16.1.255

Now add VPN Profile

/ppp profile
set 0 change-tcp-mss=yes name=default only-one=default use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
add change-tcp-mss=default dns-server=101.11.11.246 local-address=101.11.11.246 name=vpn-profile only-one=default remote-address=PPP-Pool \
use-compression=default use-encryption=default use-mpls=default use-vj-compression=default
set 2 change-tcp-mss=yes name=default-encryption only-one=default use-compression=default use-encryption=yes use-mpls=default use-vj-compression=default

Now enable VPN server

/interface pptp-server server
set authentication=mschap1,mschap2 default-profile=default-encryption enabled=yes keepalive-timeout=30 max-mru=1460 max-mtu=1460 mrru=disabled

Now add user so that we will be testing from remote location NAS.

/ppp secret
add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=aa password=aa profile=vpn-profile routes="" service=any

Remote Branch Mikrotik Config

LAN subnet = 192.168.100.1/8
WAN subnet = DYNAMIC Public IP x.x.x.x

Now we want to connect remote NAS with head office VPN server so that it can use central radius server as a centralized billing system.


Filed under: General IT Related, Mikrotik Related

Automating Non Payment Reminder for User Manager Expired Accounts


[Image: suspended_account]

A friend of mine asked me how to display a non payment reminder to users once their account has expired on USER MANAGER. By default when any account expires, the user gets a user id/password error, or if it is a hotspot setup, then it shows 'profile not found'. But rather than showing these unfriendly messages, we can display a more meaningful message confirming to the user that his account has expired and he should pay in order to continue with the service.

To achieve this we have to follow this.

1. In User Manager, we have to create another profile named 'expired-users-profile' and either give it a limited uptime like 7 days, or 1 month, or forever. It depends on your policies. Also you have to define an IP POOL named 'expired-users-pool'.

2. In Mikrotik, first create an IP pool named 'expired-users-pool' and then create a NAT rule that redirects port 80 requests to the local proxy or a squid proxy server. If using a SQUID proxy, then you don't need to enable the Mikrotik web proxy; simply redirect the expired pool to the squid proxy, and in squid, create an ACL for this range and deny it, and in deny_info redirect it to a local web page, as I showed in the 'howto block ads in squid' article.

If you don't have a SQUID proxy, then you can enable the Mikrotik web proxy and redirect requests to it. Then create another firewall rule that blocks all traffic coming from the 'expired-users-pool' except port 80. OR in the default NAT rule, in src-address, add only the valid series.

3. In Web Proxy, create a rule that denies all traffic coming from the 'expired-users-pool' and in redirect, point it to any web page showing your non payment advertisement page.

Ok here we go . . .

I assume you have a Mikrotik PPPoE server with User Manager already configured  and working.

Example:

LAN = 10.0.0.0/8
WAN = 192.168.1.0/24
PPPoE Pool = 172.16.0.1-172.16.0.255
PPPoE Expired Pool = 172.16.1.1-172.16.1.255
WEB Server = 101.11.11.240

USER MANAGER SECTION

Login to User Manager,
Goto Profiles / Limitations
Add a new Limitation and name it "expired-users-profile"
As shown in the image below . . .

[Image: 1-add-expired-profile-in-userman]

Now add a user and assign any profile, for example 512k, and save.
As shown in the image below . . .

[Image: 2- add user and add single profile]

Open that user's properties again, and in 'All profiles' select 'expired-users-profile' and click on the + sign to add it, then click on SAVE.
As shown in the image below . . .

[Image: 3-add-second profile]

User Manager Section done. Now moving to Mikrotik section.

MIKROTIK SECTION

Connect to Mikrotik via Winbox,
Go to IP / Pools and add a new pool and name it 'expired-pool' (or the same as you defined in the User Manager expired profile section)

As shown in the image below . . .

[Image: 4-add-pool-in-mt]

Now enable Web-proxy (or you can redirect these requests to another proxy server like squid proxy and block the expired-pool series there).
As shown in the image below . . .

[Image: 5-webproxy-enable]

Now click on ACCESS button and add a new rule (by clicking on + sign)

> In Src. Address, enter the IP range of expired-pool (that you defined in Mikrotik earlier, so that requests coming from ONLY this IP series are denied)
> In Dst. Address, click on the invert sign, and enter your web server (this is to make sure that requests going to your web server, where the non payment reminder is placed, don't get blocked)
> In Action, select DENY
> In Redirect To, enter the full path on your web server where the non payment advertisement page is located. It can be your local web server like IIS/Apache or it can be a remote server too (but for a remote Internet server, you have to allow the URLs before this deny rule)
As showed in the images below . . .

[Image: 6-redirect]

Now create a NAT rule that will redirect port 80 request to local web proxy, which will already have the rule to deny all requests for expired-users pool.

[Image: mt-redirect-nat-rule]

OR the CLI version . . .


/ip firewall nat
add action=redirect chain=dstnat comment="Redirect Expired Pool Users to local Web Proxy for redirecting them to Non Payment Page." disabled=no dst-port=80 protocol=tcp src-address=\
172.16.100.1-172.16.100.255 to-ports=8080

add action=masquerade chain=srcnat comment="Allow Internet (Masquerade rule for PPPoE Allowed series only)" disabled=no src-address=172.16.0.1-172.16.0.255

All Done !

TESTING . . .

Once the main profile (for example 512k) expires after 30 days, the next profile (expired-users-profile) will automatically become active and the user will get an IP from the EXPIRED pool; Mikrotik will redirect it to the local web proxy, which will deny all the requests and redirect them to your defined non payment page.
As shown in the image below . . .

[Image: 7- expired profile]

and at client you will be seeing this,

[Image: 8-user-seeing-non-payment-page]


When you want to activate this account again, simply take user properties, and remove its profiles by pressing minus sign on each profile, and add 512k or required profile again.

Another guide for manual control ↓

http://aacable.wordpress.com/2012/11/14/non-payment-reminder-for-pppoe-clients-in-mikrotik/

Regards
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik Dual WAN [pppoe-client] PCC with PPPoE Server


I was stuck with a case (K.S.A Tabook) regarding configuration for dual WAN PCC using a pppoe client as WAN and a pppoe server for the user end in one RB. I made this configuration last year but was unable to repeat it when it was required a few days back.

I have a very short amount of brain memory , something like 16 KB only :) So posting the export as a reference

Following is a short reference guide for Mikrotik based dual WAN PCC (using pppoe clients) with a PPPoE Server as an authentication server for local users, all in one box. You can add as many WANs (pppoe clients) as you like.

Make sure you change the interface names accordingly. In this example I have 3 interfaces.
ether0 (named Local) is connected to the local LAN users.
ether1 & ether2 (named WAN1 & WAN2) are connected to the ISP WAN switch.

Also change the user name passwords in the pppoe client section, or create manually via PPP/Interfaces

PPPoE users IP pool is 172.16.0.0/16 (internet is allowed for this series only means when the user will be connected via pppoe dialer, he will be able to use internet)

 


# Setting up INTERFACES names for our comfort (Zaib)

/interface ethernet
set 0 name=Local
set 1 name=WAN1
set 2 name=WAN2

### Adding PPPoE Client connections for each WAN interface, Make sure to change it or add via GUI

/interface pppoe-client

add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=yes interface=WAN1 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out1 password=hahaha \
profile=default service-name="" use-peer-dns=no user=user-1
add ac-name="" add-default-route=no allow=pap,chap,mschap1,mschap2 dial-on-demand=no disabled=yes interface=WAN2 max-mru=1480 max-mtu=1480 mrru=disabled name=pppoe-out2 password=hahaha \
profile=default service-name="" use-peer-dns=no user=user-2

### Starting the MANGLE MAGIC : ) PCC SCRIPTING START Here (Zaib)
/ip firewall mangle

add action=accept chain=prerouting disabled=no in-interface=pppoe-out1
add action=accept chain=prerouting disabled=no in-interface=pppoe-out2

add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan1_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/0 src-address=172.16.0.0/16
add action=mark-connection chain=prerouting disabled=no dst-address-type=!local new-connection-mark=wan2_conn passthrough=yes per-connection-classifier=both-addresses-and-ports:2/1 src-address=172.16.0.0/16

add action=mark-routing chain=prerouting connection-mark=wan1_conn disabled=no new-routing-mark=to_wan1 passthrough=yes src-address=172.16.0.0/16
add action=mark-routing chain=prerouting connection-mark=wan2_conn disabled=no new-routing-mark=to_wan2 passthrough=yes src-address=172.16.0.0/16

### NATTING both WAN connection for PPPoE IP Pool users only

/ip firewall nat
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out1 src-address=172.16.0.0/16
add action=masquerade chain=srcnat disabled=no out-interface=pppoe-out2 src-address=172.16.0.0/16

### Setting Default Routes for MARKED packets for both WAN and for local router use. (zaib)

/ip route
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 routing-mark=to_wan1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 routing-mark=to_wan2 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out1 scope=30 target-scope=10
add check-gateway=ping disabled=no distance=1 dst-address=0.0.0.0/0 gateway=pppoe-out2 scope=30 target-scope=10

Some screenshots of the results.

[Screenshot: PCC with PPPoE server and PPPoE clients]

Regard’s
Syed Jahanzaib


Filed under: Mikrotik Related

Possible Workaround for Blocking SKYPE with Mikrotik


SKYPE uses whole blocks of IP addresses from various ranges. Using Wireshark and some digging I found the following pools which Skype uses for its various functions. BUT do remember that with new updates/versions more hosts can be added; for this purpose you can use the Catch Skype script on MikroTik to detect new addresses and add them to the list.

Also it is possible that some valid/legitimate sites get blocked with this approach; just find the right IP address of the particular site and allow it before the deny rule.

Use the following code and then try to connect to SKYPE and watch the results. This is purely a hit & trial method; try it and post your comments, or if you have a better way to block SKYPE do let me know.

Regard’s
Syed Jahanzaib

/ip firewall address-list

add address=111.221.74.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=111.221.77.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.130.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.235.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.55.56.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=157.56.52.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=194.165.188.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=195.46.253.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=213.199.179.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=63.245.217.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=64.4.23.0/24 comment=disable_skype disabled=no list=skype_servers_z
add address=65.55.223.0/24 comment=disable_skype disabled=no list=skype_servers_z


/ip firewall filter
add action=drop chain=forward disabled=no dst-address-list=skype_servers_z

After blocking, the result is shown in the image below . . .

[Screenshot: Skype cannot connect]

Script to catch all URL names containing SKYPE using the DNS cache, and add them to an ADDRESS LIST

Today a very good friend (VirtualIT SupporT) shared a script which catches the IP addresses of all names in the DNS CACHE that contain 'Skype' and adds them to an address list. Schedule this script to run every 10-15 minutes; it will check every entry in the DNS cache and add any name which has Skype in it to the address list. Then, using a Firewall FILTER rule, you can block this list (in the FORWARD chain).

Just copy and paste the following code in the terminal. Then add a schedule or run it manually, try to log in to Skype a few times, and run the script; every time it will add a few IP addresses to the list : )


/sys script

add name=skype_script policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=":foreach i in=[/ip dns cache find] do={\r\
\n    :local bNew \"true\";\r\
\n    :local cacheName [/ip dns cache all get \$i name] ;\r\
\n#    :put \$cacheName;\r\
\n\r\
\n# :find returns nil when the substring is absent, so test the type instead of comparing with 0\r\
\n    :if ([:typeof [:find \$cacheName \"skype\"]] != \"nil\") do={\r\
\n\r\
\n        :local tmpAddress [/ip dns cache get \$i address] ;\r\
\n#\t:put \$tmpAddress;\r\
\n\r\
\n# if the address list is empty, add the entry without checking for duplicates\r\
\n        :if ( [/ip firewall address-list find ] = \"\") do={\r\
\n            :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n            /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n        } else={\r\
\n            :foreach j in=[/ip firewall address-list find ] do={\r\
\n                :if ( [/ip firewall address-list get \$j address] = \$tmpAddress ) do={\r\
\n                    :set bNew \"false\";\r\
\n                }\r\
\n            }\r\
\n            :if ( \$bNew = \"true\" ) do={\r\
\n                :log info (\"added entry: \$[/ip dns cache get \$i name] IP \$tmpAddress\");\r\
\n                /ip firewall address-list add address=\$tmpAddress list=skype_dns_ips comment=\$cacheName;\r\
\n            }\r\
\n        }\r\
\n    }\r\
\n}"

 


Filed under: Mikrotik Related

Howto clear Mikrotik Log/History


Today I needed to clear the MikroTik LOG window and clear all the commands from the terminal console history due to some security and privacy reasons. Since I couldn't find a simple command-based method to clear the LOG window, I followed a workaround and it worked like a charm.

CLEAR Mikrotik LOG WINDOW HISTORY [Jz]


/system logging action set memory memory-lines=1

This shrinks the memory log buffer to a single line, which deletes all previous entries.


/system logging action set memory memory-lines=100

This changes it back to the default number of lines. Or leave it set to 1 if you don't want any log info kept, which is not recommended in any case :)

CLEAR Mikrotik TERMINAL CONSOLE HISTORY [Jz]

In newer versions of MikroTik 6.x, you can clear the console command history by using


/console clear-history

Note: Sticking with newer firmware (but surely stable one) is always a Good idea so that you stay safe and secure with lots of new features :)

However I really wish that Mikrotik can add an “CLEAR ALL LOGS” button in the future ;)


Regard’s
Syed Jahanzaib


Filed under: Mikrotik Related

Mikrotik: Routing Target Web Site to Secondary WAN Link


If you have two WAN links and you want to dedicate one of them to a specific web site (or to FACEBOOK traffic only), you can do it with MikroTik in a few simple steps.

First understand the logic. The main idea is to create a script that catches the target web site's name in the DNS cache and adds its IP addresses to an address list (this happens automatically via the script). Then in mangle, create a rule that marks packets destined for that address list, and in the route section create a new route that sends the marked packets via the WAN 2 link.

First add the script

SCRIPT SECTION:

Add the script which will catch the required web site name using dns-cache

###############################################
# script name: target_web_site
# Script to add TARGET_WEB_SITE DNS IP addresses
# Syed Jahanzaib / aacable@hotmail.com
# Script Source: N/A / GOOGLE : )

:log warning "Script Started ... Adding TARGET_WEB_SITE DNS ip's to address list name TARGET_WEB_SITE_dns_ips"
:foreach i in=[/ip dns cache find] do={
    :local bNew "true";
    :local cacheName [/ip dns cache all get $i name] ;
    # :find returns nil when the substring is absent, so test the type rather than comparing with 0
    # (comparing with 0 would also skip names that begin with the target string)
    :if ([:typeof [:find $cacheName "aacable.wordpress.com"]] != "nil") do={
        :local tmpAddress [/ip dns cache get $i address] ;
        :put $tmpAddress;
        # if the address list is empty, add the entry without checking for duplicates
        :if ( [/ip firewall address-list find ] = "") do={
            :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
            /ip firewall address-list add address=$tmpAddress list=TARGET_WEB_SITE_dns_ips comment=$cacheName;
        } else={
            # otherwise walk the existing entries and only add the address if it is not there yet
            :foreach j in=[/ip firewall address-list find ] do={
                :if ( [/ip firewall address-list get $j address] = $tmpAddress ) do={
                    :set bNew "false";
                }
            }
            :if ( $bNew = "true" ) do={
                :log info ("added entry: $[/ip dns cache get $i name] IP $tmpAddress");
                /ip firewall address-list add address=$tmpAddress list=TARGET_WEB_SITE_dns_ips comment=$cacheName;
            }
        }
    }
}
# TARGET_WEB_SITE DNS IP ADD Script Ended ...

SCHEDULER SECTION:

Schedule the script to run after every 5 minutes  (or hourly basis)

/system scheduler
add disabled=no interval=5m name=target_web_site_schedule on-event=target_web_site policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api start-date=feb/11/2014 start-time=00:00:00

MARK PACKETS SECTION:

Now mark traffic for the required web site in PREROUTING chain.

/ip firewall mangle
add action=mark-routing chain=prerouting disabled=no dst-address-list=TARGET_WEB_SITE_dns_ips new-routing-mark=target_website_packets passthrough=yes

ROUTE MARKED PACKETS SECTION:

Finally, create a route for the marked packets to go via second wan.

/ip route
add comment="Route for marked packets for target web marked packets" disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=target_website_packets scope=30 target-scope=10

###############################################

All Done !!!
Now simply open your required web site and let the script run (or run it manually); you will then see a few IP addresses in IP > Firewall > Address-List.

It's amazing, you can route any website/traffic to a specific WAN link, for example a dedicated DSL link for streaming media sites or FB. its kewl ;)

For more info and ideas, please visit following link.
http://wiki.mikrotik.com/wiki/Per-Traffic_Load_Balancing

zaiB !


Filed under: Mikrotik Related

Detect Rogue DHCP & Alert via Email

Dedicated to Local Desi Cable.Network Operators ;) 


To detect a ROGUE (duplicate / conflicting) DHCP server via MikroTik and receive an email alert with the conflicting DHCP server's IP / MAC / date+time, there are several ways to do it, either using a remote syslog server or the LOG action, but I found the following method more customizable and suitable. Just make sure to tune it properly before deployment :D

CONFIGURE DHCP-ALERT

Goto IP / DHCP SERVER / ALERTS

Click on + sign to add new alert, & on Alert box,

& paste the following code.


:local CurrentTime [/system clock get time];
:local hostname [/system identity get name]
:global date [/system clock get date]
# interface, address and mac-address are the variables the DHCP alert hands to this script
:local int "$interface"
:local addr "$address"
:local mac $"mac-address"

/tool e-mail send server=173.194.69.109 port=587 start-tls=yes user=YOUR_GMAIL_ID@gmail.com password=YOURPASSWORD to=aacable@hotmail.com subject=DHCP-Detected body=("ROGUE DHCP Server have been detected on $hostname at $date  - time $CurrentTime  - Interface= $int  - IP Address=$addr - MAC-Address= $mac  !! GO HUNT & KILL :D")

Now click on Apply.

As shown in the image below …

[Screenshot: DHCP alert settings]

Make sure to tune the INTERVAL setting according to your requirement. It's also a good idea to enter the MAC addresses of your legitimate DHCP servers in the VALID SERVER box to avoid false detection of your own valid DHCP servers.

Configure EMAIL/SMTP Settings

Now configure your EMAIL SMTP settings so that the email can be sent, OR you can set other alert options too, like SMS, or just print to the LOG in the main window, or whatever :p

I am using GMAIL in this example.


/tool e-mail set address=74.125.45.109 from=gmailid@gmail.com password=mypassword port=587 start-tls=yes user=gmailid

Also enable EMAIL logging so that in case of any error, you can view it in LOG window for troubleshooting purposes.


/system logging add topics=e-mail action=memory

Now as soon as any rogue/conflicting dhcp server will be detected by Mikrotik, it will log it in main LOG window, and will also send you email alert using your GMAIL ID.

As shown in the image below …

[Screenshot: log window showing the rogue DHCP alert]

Regard’s
Syed Jahanzaib

 


Filed under: Mikrotik Related

Hotspot User Change Password FORM for ‘User Self Management’


How do you provide MikroTik Hotspot users an option to change their password using a form or web page?

The simple answer is to configure USER MANAGER and provide its User Panel, which is very nice and informative and also allows users to change their password. But what if you don't want to install User Manager, or what if users can also change other information via the user panel which you don't want them to? Since the MikroTik source code is not public, we cannot hide that option (as far as my limited knowledge goes). Using the form-based technique you can simply give them a web page from where they can change their password when required.

You can also add more functions to this page, like sending an email or adding an entry to a log file so that the admin knows at what time the password was last changed, or other functions as required.

This is a simple password change form for hotspot users. After they have logged in to the hotspot, they can change their own password using this simple form.

REQUIREMENTS:

- Linux base system (I used UBUNTU, but you can use any flavor of your own choice)
- Apache / PHP5.x / PEAR2 library

Also make sure you have enabled the API service in MikroTik under IP > Services, as shown in the image below …

[Screenshot: IP > Services with the api service enabled]

LINUX SECTION

First Update your Ubuntu (if its not already updated on fresh installation)

apt-get update
apt-get upgrade

Now Install Apache Web Server with PHP5

apt-get install apache2 php5

Don't forget to restart the apache2 service; otherwise, when you try to open the password change form, the browser will ask you to save the file instead of rendering it :D

service apache2 restart

Now we have to download PEAR2 support library for the RouterOS functions to be performed via WEB,
Goto your web folder and download pear2 library, and extract it

cd /var/www
wget http://wifismartzone.com/files/linux_related/pear2.tar.gz
tar zxvf pear2.tar.gz

Ok now it’s time to create the change password page so that user can access it or you can link it with your status page for the user comfort level.

touch /var/www/changepass.php
nano /var/www/changepass.php

and paste the following code.
{Make sure to change the IP address of Mikrotik and its admin ID Password}

<?php
use PEAR2\Net\RouterOS;
require_once 'PEAR2/Autoload.php';

$errors = array();

try {
    //Adjust RouterOS IP, username and password accordingly.
    $client = new RouterOS\Client('192.168.30.10', 'admin', 'admin');

    $printRequest = new RouterOS\Request(
        '/ip hotspot active print',
        RouterOS\Query::where('address', $_SERVER['REMOTE_ADDR'])
    );
    $hotspotUsername = $client->sendSync($printRequest)->getArgument('user');
} catch(Exception $e) {
    $errors[] = $e->getMessage();
}

if (isset($_POST['password']) && isset($_POST['password2'])) {
    if ($_POST['password'] !== $_POST['password2']) {
        $errors[] = 'Passwords do not match.';
    } elseif (empty($errors)) {
        //Here's the fun part - actually changing the password
        $setRequest = new RouterOS\Request('/ip hotspot user set');
        $client($setRequest
            ->setArgument('numbers', $hotspotUsername)
            ->setArgument('password', $_POST['password'])
        );
    }
}

?><!DOCTYPE html PUBLIC "-//W3C//DTD XHTML 1.0 Strict//EN"
"http://www.w3.org/TR/xhtml1/DTD/xhtml1-strict.dtd">
<html xmlns="http://www.w3.org/1999/xhtml">
    <head>
        <title>Change your hotspot password sample page in PHP / Syed Jahanzaib.PK-KHI</title>
        <style type="text/css">
            #errors {background-color:darkred;color:white;}
            #success {background-color:darkgreen;color:white;}
        </style>
    </head>
    <body>
        <div>
            <?php if (!isset($hotspotUsername)) { ?>
            <?php } else { ?>
<h3>
<pre><span style="color: blue">PA</span><span style="color: red">KI</span><span style="color: purple">ST</span><span style="color: orange">AN</span> <span style="color: green">ZINDABAD</span> ...JZ!!</pre>
<h2>
<br>HOTSPOT ... Sample password change FORM <br><br>
You are currently logged in as "<?php
                    echo $hotspotUsername;
                ?>"</h2>

            <?php if(!empty($errors)) { ?>
            <div id="errors"><ul>
                <?php foreach ($errors as $error) { ?>
                <li><?php echo $error; ?></li>
                <?php } ?>
            </ul></div>
            <?php } elseif (isset($_POST['password'])) { ?>
            <div id="success">Your password has been changed.</div>
            <?php } ?>

            <form action="" method="post">
                <ul>
                    <li>
                        <label for="password">New password:</label>
                        <input type="password" id="password" name="password" value="" />
                    </li>
                    <li>
                        <label for="password2">Confirm new password:</label>
                        <input type="password" id="password2" name="password2" value="" />
                    </li>
                    <li>
                        <input type="submit" id="act" name="act" value="Change password" />
                    </li>
                </ul>
            </form>
            <?php } ?>
        </div>
    </body>
</html>

Now once the user has logged in to the hotspot, he can access the page at an address like the one below.

http://192.168.30.50/changepass.php
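As an added example (not part of the original post and not code from the PEAR2 library), this is the wire format the PHP page's library speaks to the RouterOS API on port 8728: length-prefixed words ending in an empty word. The block builds the exact `/ip/hotspot/user/set` sentence the form sends and reads the `user` property back out of a constructed `/ip/hotspot/active/print` reply; the reply bytes and the user name are sample data, not captured traffic.

```python
# Added example, not from the original post or from PEAR2_Net_RouterOS.
# Encodes/decodes RouterOS API sentences (the protocol behind changepass.php).
import struct


def encode_length(n: int) -> bytes:
    """Length prefix of one API word, as defined by the RouterOS API protocol."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return struct.pack(">H", n | 0x8000)
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return struct.pack(">I", n | 0xE0000000)
    return b"\xF0" + struct.pack(">I", n)


def encode_sentence(words) -> bytes:
    """A sentence is a run of length-prefixed words terminated by a zero-length word."""
    body = b"".join(encode_length(len(w.encode())) + w.encode() for w in words)
    return body + b"\x00"


def decode_sentence(buf: bytes, pos: int = 0):
    """Parse one sentence starting at pos; returns (words, position after it)."""
    words = []
    while True:
        first, pos = buf[pos], pos + 1
        # the number of extra length bytes follows from the leading one-bits of the first byte
        extra = 0 if first < 0x80 else 1 if first < 0xC0 else 2 if first < 0xE0 else 3 if first < 0xF0 else 4
        masks = (0xFF, 0x3F, 0x1F, 0x0F, 0x00)
        n = ((first & masks[extra]) << (8 * extra)) | int.from_bytes(buf[pos:pos + extra], "big")
        pos += extra
        if n == 0:
            return words, pos
        words.append(buf[pos:pos + n].decode())
        pos += n


def password_change_sentence(username: str, new_password: str) -> bytes:
    """The command changepass.php issues once it knows the active hotspot user."""
    return encode_sentence(["/ip/hotspot/user/set",
                            "=numbers=" + username,
                            "=password=" + new_password])


def reply_property(reply: bytes, name: str):
    """Value of =name= in the first !re sentence of a reply, or None (like getArgument('user'))."""
    pos = 0
    while pos < len(reply):
        words, pos = decode_sentence(reply, pos)
        if words and words[0] == "!re":
            for w in words[1:]:
                if w.startswith("=" + name + "="):
                    return w[len(name) + 2:]
    return None


# Constructed reply to '/ip/hotspot/active/print ?address=10.5.50.2' (sample data, not captured).
SAMPLE_REPLY = encode_sentence(["!re", "=.id=*1", "=user=user1", "=address=10.5.50.2"]) + encode_sentence(["!done"])
```

Everything above, including the admin login that changepass.php embeds, crosses the network in clear text on the plain API port 8728; RouterOS also offers api-ssl on 8729, and the account used by the form should be a dedicated one with only the policies it needs.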

As shown in the image below …

[Screenshot: change password form, and the resulting log entry]

Credits and legal stuff

Author: Vasil Rangelov, a.k.a. boen_robot (boen [dot] robot [at] gmail [dot] com)

Regard’s
Syed Jahanzaib


Filed under: Mikrotik Related