Friday, 26 January 2018

Mikrotik Hotspot with User Manager



Add Router IP Address:
/ip address add address=10.0.0.2/24 interface=ether1
Change the IP to match your network configuration

  1. Click on the IP Menu
  2. Click on the Addresses Menu
  3. Click "+"
  4. Enter the IP address you wish to assign to the router. This will be the outward-facing IP, so make sure to select the Ethernet interface that gives the router internet access.
  5. Click on "Apply"
Configure Upstream DNS Server:
/ip dns set servers=8.8.8.8 allow-remote-requests=yes
This example uses Google's DNS service. You can easily make use of OpenDNS to implement simple filtering, or use your own DNS servers if needed.

  1. Click on the IP Menu
  2. Click on the DNS Menu
  3. Enter your desired DNS server - here I am using Google's DNS
  4. Click on "Apply"
Configure Default Route:
/ip route add dst-address=0.0.0.0/0 gateway=10.0.0.1

  1. Click on IP
  2. Click on Routes
  3. Click on "+"
  4. Enter 0.0.0.0/0 as the Dst. Address
  5. Enter 10.0.0.1 as the Gateway
Test:
Check that you can ping a public IP address such as 8.8.8.8

  1. Click on Tools
  2. Click on Ping
  3. Enter a publicly available address 
  4. Click Start 

Step 2: Install User Manager and Hotspot

If you plan to use a stand-alone RADIUS server, you may skip this step.

Download the firmware package from Mikrotik
Extract the zip file on your local drive
  1. Make sure that the version of the file matches the version and architecture of your device
  2. Open the Files window on winbox
  3. Drag the "user-manager-X.X-xxxxxx.npk" to the files window.
  4. Do the same for "hotspot-X.X-xxxxxx.npk".
  5. Reboot the router (/system reboot)

Step 3: Configure interfaces

First, we need to configure two bridge interfaces. The first one will be a loopback interface. I have found in the past that if you use the normal loopback address (127.0.0.1), or one of the other static addresses, for the RADIUS (User Manager) server, you may experience some difficulties.

3.1.1 - Create Loopback Bridge
/interface bridge add name=Loopback
  1. Click on the "Bridge" menu
  2. Click on "+"
  3. Enter "Loopback" for the bridge name
  4. Click "Apply"
3.1.2 - Add Loopback Bridge IP Address
I use any unused private IP range for this; it serves simply as an interface for the RADIUS server to listen on.
/ip address add address=10.10.0.1/32 interface=Loopback

  1. Click on the IP Menu
  2. Click on the Addresses menu
  3. Click the "+" button
  4. Enter "10.10.0.1/32" as the IP Address
  5. Select the "Loopback" Interface
  6. Click "OK"
3.2.1 - Create Hotspot Bridge
If you are planning to run the hotspot on a single interface you may skip this step.
/interface bridge add name=Hotspot
  1. Click on the "Bridge" menu
  2. Click on "+"
  3. Enter "Hotspot" for the bridge name
  4. Click "Apply"
3.2.2 - Add Hotspot Bridge IP Address
I make use of the private 192.168.0.1/24 range for the hotspot network, but you can use whatever is suitable in your setup.
/ip address add address=192.168.0.1/24 interface=Hotspot
  1. Click on the IP Menu
  2. Click on the Addresses menu
  3. Click the "+" button
  4. Enter "192.168.0.1/24" as the IP Address
  5. Select the "Hotspot" Interface
  6. Click "OK"
3.2.3 - Add Hotspot Ports to Bridge
If you would like multiple interfaces to have access to the hotspot, you can repeat this process, only changing the interface each time.
If you are running on a RouterBOARD 750 or similar, you will need to add the ports that your APs are connected to to the bridge.
/interface bridge port add bridge=Hotspot interface=wlan1
  1. Click on the "Bridge" menu
  2. Click on the "Ports" Tab
  3. Click on the "+"
  4. Select the interface you want to add to the hotspot, in my case it is "wlan1"
  5. Select the "Hotspot" bridge
  6. Click "OK"

3.3 - Configure the Access Point
If you are using a RouterBOARD 750 or similar, you will not be using this section.
You may choose to implement security on your access point, but since this is a captive portal, you should not need to use any security. This tutorial will not include any security settings; bear in mind that client traffic on an open SSID is not encrypted over the air.
/interface wireless set [ find default-name=wlan1 ] band=2ghz-b/g disabled=no mode=ap-bridge ssid=Hotspot
  1. Click on the "Wireless" Menu
  2. Double click on the Wireless Interface that you will be using
  3. Set the mode to "ap-bridge"
  4. Set the band to 2GHz-B/G (or otherwise if need be)
  5. Change the SSID to "Hotspot", or whatever suits you.
  6. Click "OK"

4 - Configure the Hotspot

/ip hotspot profile
add dns-name=hotspot.example.com hotspot-address=192.168.0.1 name=hsprof1 smtp-server=192.168.123.4
/ip hotspot
add address-pool=hs-pool-7 disabled=no interface=Hotspot name=hotspot1 profile=hsprof1
/ip hotspot user profile
set [ find default=yes ] idle-timeout=none keepalive-timeout=2m mac-cookie-timeout=3d
/ip hotspot user
add name=dexter password=dexter

  1. Click on the "IP" menu. If this option is not available refer to step 2
  2. Click on the "Hotspot" item
  3. Click on "Hotspot Setup". This will start the Hotspot Setup Wizard
4.1 - The Hotspot Wizard
  1. Select the Hotspot bridge as the Hotspot Interface
  2. Click Next

  1. Click next - The address range should be filled in automatically as per our network configuration.


  1. Click Next - the address pool should be pre-populated with the right settings


  1. This tutorial will not cover the use of Certificates, so you may select "none" and click next

  1. Enter the IP address of your SMTP server. Many providers do not allow use of their SMTP servers from outside their own network, so this option lets the hotspot redirect the SMTP server configured on the client's device to your own. (In some cases you may even specify the SMTP server of your own provider.)
  2. Click "Next"


These are the upstream DNS servers used by the hotspot.
  1. Enter one or more upstream DNS servers. You can use OpenDNS to provide a basic filtering service; here I use Google's public DNS.
  2. Click "Next"


  1. Enter a host name for the local Hotspot. I am using hotspot.example.com, but this could be anything you want.
  2. Click "Next"


  1. Enter a name for your administrative Hotspot user.
  2. Enter a password for your administrative user.
  3. Click "Next"


  1.  Click "OK" to complete your hotspot setup.


Congratulations, you have now set up basic functionality for a Mikrotik wireless hotspot; you can create users under "IP -> Hotspot -> Users". But alas, you still need to configure the User Manager for a fully featured hotspot.

Step 5 - Configuring UserManager

5.1 Setting up the Hotspot to use RADIUS
  1. Click on the "IP" menu
  2. Click on "Hotspot"
  3. Select the "Server Profiles" tab
  4. Double click on "hsprof1"
  5. Select the "RADIUS" tab
  6. Tick the "Use RADIUS" tickbox
  7. Click "OK"

  1. Click on "RADIUS"
  2. Click on "+"
  3. Tick the "hotspot" tickbox
  4. Add the loopback bridge IP to the address field, in this tutorial 10.10.0.1
  5. Choose a secure password
  6. Click "OK"

  1. Using your browser of choice, connect to http://router-ip/userman
  2. Click "Log In" - The default username is admin with no password

  1. Once you have logged in, click on the "Routers" menu
  2. Click "Add" then "New"
  3. Enter "Local Router" as the name
  4. Enter the Loopback Bridge IP address
  5. Enter the password you chose earlier.
  6. Click "OK" 


Your Mikrotik hotspot should now be able to communicate with the User Manager RADIUS server. You can now proceed to set up profiles and users in the User Manager interface.

DMZ (demilitarized zone)

In computer networks, a DMZ (demilitarized zone) is a physical or logical sub-network that separates an internal local area network (LAN) from other untrusted networks, usually the Internet. External-facing servers, resources and services are located in the DMZ so they are accessible from the Internet but the rest of the internal LAN remains unreachable. This provides an additional layer of security to the LAN as it restricts the ability of hackers to directly access internal servers and data via the Internet.

Q: When do we need to configure a DMZ host?
A:
1. You do not know the port numbers used by some application servers (network cameras, some database software, etc.) and so cannot set up port mapping; in that case you can enable the DMZ host.
2. Some games (e.g. StarCraft) run normally and let you log in, but you cannot host a match; enabling the DMZ host may fix this.
3. Some special sites cannot be opened or do not work properly, for example an online banking site where transfers fail or the verification code cannot be entered; here too you can try enabling the DMZ host.

As shown in the following picture, I want to set up a DMZ host for my IP camera so that I can reach the camera when I am not at home.

The steps are as below:
1. Connect the IP camera to the router.
2. Give the IP camera a static IP address in the same range as the router.
3. Open the router's web interface and click on Virtual Server (this depends on your router's firmware), then click on DMZ Host, fill in the IP address of the IP camera and click OK to save the settings.


Wednesday, 24 January 2018

Check Feasibility

Default Router Username and Password List

Router Brand    Login IP               Username   Password
3Com            http://192.168.1.1     admin      admin
Belkin          http://192.168.2.1     admin      admin
BenQ            http://192.168.1.1     admin      admin
D-Link          http://192.168.0.1     admin      admin
Linksys         http://192.168.1.1     admin      admin
Netgear         http://192.168.0.1     admin      password
Sitecom         http://192.168.0.1     sitecom    admin
Thomson         http://192.168.1.254   user       user
US Robotics     http://192.168.1.1     admin      admin
TP-Link         http://192.168.1.1     admin      admin
Mikrotik        http://192.168.88.1    admin      (blank)

Mikrotik Port Forwarding

Port Forwarding on Mikrotik



/ip firewall nat

add action=dst-nat chain=dstnat disabled=no dst-port=2000 in-interface=ether1-gateway protocol=tcp to-addresses=192.168.0.254 to-ports=2000

------------------------------------------------------------------------------------------------------------------


Mikrotik Two WAN Failover

Failover with Netwatch



/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether3 ] name=LOCAL
set [ find default-name=ether1 ] name="WAN-1 AIRTEL"
set [ find default-name=ether2 ] name="WAN-2 BSNL"
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool0 ranges=192.168.0.40-192.168.0.250
/ip dhcp-server
add address-pool=dhcp_pool0 disabled=no interface=bridge1 name=dhcp1
/tool user-manager customer
set admin access=\
    own-routers,own-users,own-profiles,own-limits,config-payment-gw
/interface bridge port
add bridge=bridge1 interface=LOCAL
add bridge=bridge1 interface=ether4
add bridge=bridge1 interface=ether5
add bridge=bridge1 interface=ether6
add bridge=bridge1 interface=ether7
add bridge=bridge1 interface=ether8
add bridge=bridge1 interface=ether9
add bridge=bridge1 interface=ether10
/ip address
# <<<Change IP>>>: 1.1.1.1/1 and 2.2.2.2/2 are placeholders for the WAN-1 and WAN-2 addresses
add address=1.1.1.1/1 interface="WAN-1 AIRTEL" network=1.1.1.1
add address=192.168.0.1/24 interface=LOCAL network=192.168.0.0
add address=2.2.2.2/2 interface="WAN-2 BSNL" network=2.2.2.2
add address=192.168.30.1 network=255.255.255.0
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface="WAN-2 BSNL"
/ip dhcp-server network
add address=192.168.0.0/24 dns-server=8.8.8.8,8.8.4.4 gateway=192.168.0.1
/ip dns
set allow-remote-requests=yes max-udp-packet-size=2096 servers=8.8.4.4
/ip firewall mangle
add action=mark-packet chain=postrouting comment="p2p download" \
    layer7-protocol=*1 new-packet-mark="p2p download" passthrough=no
add action=mark-packet chain=postrouting layer7-protocol=*2 new-packet-mark=\
    "p2p download" passthrough=no
/ip firewall nat
add action=masquerade chain=srcnat out-interface="WAN-1 AIRTEL"
add action=masquerade chain=srcnat out-interface="WAN-2 BSNL"
/ip firewall service-port
set sip disabled=yes
/ip route
# <<<Change IP>>>: default route via the WAN-1 gateway (1.1.1.1 is a placeholder)
add distance=20 gateway=1.1.1.1
# <<<Change gateway>>>: pin the Netwatch host to the WAN-1 gateway so the probe only succeeds while WAN-1 is up;
# the blackhole at distance 2 stops the probe from leaking out via WAN-2 when that route drops
add distance=1 dst-address=8.8.8.8/32 gateway=1.1.1.1
add distance=2 dst-address=8.8.8.8/32 type=blackhole
/ip service
set telnet disabled=yes
set ssh disabled=yes
/system clock
set time-zone-name=Asia/Kolkata
/system identity
set name=Office-Router
/system script
# <<<Change Gateway>>> in both scripts: 1.1.1.1 = WAN-1 gateway, 2.2.2.2 = WAN-2 gateway
add name=AIRTEL owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip\
    \_route set [/ip route find dst-address=\"0.0.0.0/0\"] gateway=1.1.1.1"
add name=BSNL owner=admin policy=\
    ftp,reboot,read,write,policy,test,password,sniff,sensitive,romon source="/ip\
    \_route set [/ip route find dst-address=\"0.0.0.0/0\"] gateway=2.2.2.2"
/tool netwatch
add down-script=BSNL host=8.8.8.8 interval=10s timeout=998ms up-script=AIRTEL
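To see why the blackhole route matters, here is a small Python model of the Netwatch loop above (an added example, not from the original post). It uses the post's placeholder gateways 1.1.1.1 (WAN-1) and 2.2.2.2 (WAN-2), treats a gateway as reachable only while its link is up, and applies the AIRTEL/BSNL scripts exactly as Netwatch would on each check.

```python
import ipaddress

# Placeholder gateways exactly as in the post; replace with the real ones.
WAN1_GW, WAN2_GW, PROBE = "1.1.1.1", "2.2.2.2", "8.8.8.8"


def probe_routes(with_blackhole=True):
    """The /32 routes for the Netwatch host from the post's /ip route section:
    pinned to the WAN-1 gateway at distance 1 and, optionally, the blackhole
    backstop at distance 2."""
    routes = [{"dst": PROBE + "/32", "gateway": WAN1_GW, "distance": 1}]
    if with_blackhole:
        routes.append({"dst": PROBE + "/32", "gateway": None, "distance": 2})
    return routes


def select_next_hop(routes, default_gw, link_up, addr):
    """Simplified RouterOS route selection: longest prefix first, then lowest
    distance among routes whose gateway is reachable (a blackhole route has
    no gateway and is always active). Falls back to the default route.
    Returns the next-hop gateway, or None when the packet is blackholed."""
    ip = ipaddress.ip_address(addr)
    live = [r for r in routes
            if ip in ipaddress.ip_network(r["dst"])
            and (r["gateway"] is None or link_up[r["gateway"]])]
    if not live:
        return default_gw
    best = min(live, key=lambda r: (-ipaddress.ip_network(r["dst"]).prefixlen,
                                    r["distance"]))
    return best["gateway"]


def run_netwatch(routes, link_up, ticks, default_gw=WAN1_GW):
    """One Netwatch check per tick. Host up -> up-script AIRTEL (default route
    via WAN-1); host down -> down-script BSNL (default route via WAN-2).
    Returns the default gateway after each tick."""
    history = []
    for _ in range(ticks):
        next_hop = select_next_hop(routes, default_gw, link_up, PROBE)
        host_up = next_hop is not None and link_up[next_hop]
        default_gw = WAN1_GW if host_up else WAN2_GW
        history.append(default_gw)
    return history


if __name__ == "__main__":
    wan1_down = {WAN1_GW: False, WAN2_GW: True}
    print("with blackhole:   ", run_netwatch(probe_routes(True), wan1_down, 4))
    print("without blackhole:", run_netwatch(probe_routes(False), wan1_down, 4))
```

Without the distance-2 blackhole the probe leaks through the default route once it points at WAN-2, so Netwatch sees 8.8.8.8 up again and flips the default back to the dead WAN-1 on every check.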

-------------------------------------------------------------------------------------------------------------------

Mikrotik Firewall Script


/ip firewall filter

# To Block ICMP on your WAN Interface
add action=drop chain=input comment="Block ICMP on WAN interface" in-interface=WAN-1 protocol=icmp

# Add flooding IPs coming from the internet to the blocked list for 1 minute
add action=jump chain=forward connection-state=new jump-target=block-ddos
add action=drop chain=forward connection-state=new dst-address-list=ddosed src-address-list=ddoser
add action=return chain=block-ddos dst-limit=50,50,src-and-dst-addresses/10s
add action=add-dst-to-address-list address-list=ddosed address-list-timeout=1m chain=block-ddos
add action=add-src-to-address-list address-list=ddoser address-list-timeout=1m chain=block-ddos

# Block DNS Request on INCOMING WAN INTERFACE
add action=drop chain=input comment="BLOCK DNS REQUEST ON WAN INTERFACE" dst-port=53 in-interface=WAN-1 protocol=udp

# Block PORT Scanner Users for 2 minutes
add action=drop chain=input comment="ping port scanners" src-address-list="port scanners"
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="Port scanners to list " protocol=tcp psd=21,3s,3,1
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP FIN Stealth scan" protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/FIN scan" protocol=tcp tcp-flags=fin,syn
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="SYN/RST scan" protocol=tcp tcp-flags=syn,rst
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="FIN/PSH/URG scan" protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=30m chain=input comment="ALL/ALL scan" protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg
add action=add-src-to-address-list address-list="port scanners" address-list-timeout=2m chain=input comment="NMAP NULL scan" protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg
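To check what the tcp-flags matchers above actually catch, here is an added Python model of RouterOS tcp-flags semantics (not code from the original post): the rule table is copied from the "port scanners" rules above, and the sample segments are constructed.

```python
# The six TCP flags RouterOS understands in a tcp-flags matcher.
TCP_FLAGS = ("fin", "syn", "rst", "psh", "ack", "urg")

# tcp-flags values from the "port scanners" rules above, keyed by rule comment,
# in the order the rules appear in the input chain.
SCAN_RULES = {
    "NMAP FIN Stealth scan": "fin,!syn,!rst,!psh,!ack,!urg",
    "SYN/FIN scan": "fin,syn",
    "SYN/RST scan": "syn,rst",
    "FIN/PSH/URG scan": "fin,psh,urg,!syn,!rst,!ack",
    "ALL/ALL scan": "fin,syn,rst,psh,ack,urg",
    "NMAP NULL scan": "!fin,!syn,!rst,!psh,!ack,!urg",
}


def parse_tcp_flags(spec):
    """Split a RouterOS tcp-flags value into (must_be_set, must_be_clear).
    A bare flag must be set, a '!'-prefixed flag must be clear, and any flag
    not mentioned is a don't-care."""
    must_set, must_clear = set(), set()
    for token in spec.split(","):
        token = token.strip()
        name = token.lstrip("!")
        if name not in TCP_FLAGS:
            raise ValueError(f"unknown TCP flag: {name!r}")
        (must_clear if token.startswith("!") else must_set).add(name)
    return must_set, must_clear


def flags_match(spec, flags):
    """True if a segment carrying exactly `flags` satisfies the matcher."""
    must_set, must_clear = parse_tcp_flags(spec)
    flags = set(flags)
    return must_set <= flags and not (must_clear & flags)


def matching_rules(flags):
    """Comments of every scanner rule a segment with these flags would hit.
    RouterOS acts on the first hit; the rest are listed to show overlap."""
    return [name for name, spec in SCAN_RULES.items() if flags_match(spec, flags)]


if __name__ == "__main__":
    # Constructed sample segments: a normal handshake SYN, an Xmas probe,
    # a NULL probe, and an "all flags set" probe.
    samples = {
        "plain SYN (SYN scan)": {"syn"},
        "Xmas": {"fin", "psh", "urg"},
        "NULL": set(),
        "all flags": set(TCP_FLAGS),
    }
    for label, flags in samples.items():
        print(f"{label:22} -> {matching_rules(flags) or 'no tcp-flags rule'}")
```

A plain SYN scan sets only syn, which none of these flag matchers catch; that is what the psd=21,3s,3,1 rule above is for.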

# Block Common Virus Ports
add action=drop chain=virus comment="Blaster Worm" dst-port=135-139 protocol=tcp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=tcp
add action=drop chain=virus comment="Messenger Worm" dst-port=135-139 protocol=udp
add action=drop chain=virus comment="Blaster Worm" dst-port=445 protocol=udp
add action=drop chain=virus comment=________ dst-port=593 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1024-1030 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=1080 protocol=tcp
add action=drop chain=virus comment=________ dst-port=1214 protocol=tcp
add action=drop chain=virus comment="ndm requester" dst-port=1363 protocol=tcp
add action=drop chain=virus comment="ndm server" dst-port=1364 protocol=tcp
add action=drop chain=virus comment="screen cast" dst-port=1368 protocol=tcp
add action=drop chain=virus comment=hromgrafx dst-port=1373 protocol=tcp
add action=drop chain=virus comment=cichlid dst-port=1377 protocol=tcp
add action=drop chain=virus comment="Bagle Virus" dst-port=2745 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=2283 protocol=tcp
add action=drop chain=virus comment=Beagle dst-port=2535 protocol=tcp
add action=drop chain=virus comment=Beagle.C-K dst-port=2745 protocol=tcp
add action=drop chain=virus comment=MyDoom dst-port=3127-3128 protocol=tcp
add action=drop chain=virus comment="Backdoor OptixPro" dst-port=3410 protocol=tcp
add action=drop chain=virus comment=Sasser dst-port=5554 protocol=tcp
add action=drop chain=virus comment=Beagle.B dst-port=8866 protocol=tcp
add action=drop chain=virus comment=Dabber.A-B dst-port=9898 protocol=tcp
add action=drop chain=virus comment=Dumaru.Y dst-port=10000 protocol=tcp
add action=drop chain=virus comment=MyDoom.B dst-port=10080 protocol=tcp
add action=drop chain=virus comment=NetBus dst-port=12345 protocol=tcp
add action=drop chain=virus comment=Kuang2 dst-port=17300 protocol=tcp
add action=drop chain=virus comment=SubSeven dst-port=27374 protocol=tcp
add action=drop chain=virus comment="PhatBot, Agobot, Gaobot" dst-port=65506 protocol=tcp

add action=jump chain=forward comment="jump to the virus chain" jump-target=virus
add chain=input comment="Accept established connections" connection-state=established
add chain=input comment="Accept related connections" connection-state=related
add action=drop chain=input comment="invalid connections" connection-state=invalid
add chain=input comment=UDP protocol=udp

add action=drop chain=forward comment="invalid connections" connection-state=invalid


-------------------------------------------------------------------------------------------------------

Mikrotik Email Configuration

Email-Configuration on Mikrotik



/tool e-mail set address=74.125.136.108 from="<your name>" password="<gmail password>" port=587 start-tls=yes user="<gmail username>"

------------------------------------------------------------------------------------------------------------

Cisco Commands

Basic Configuration Commands Command  Purpose enable Logs you into enable mode, which is also known as user exec mode or privilege...