Mikrotik Setup


User Authentication:

PPPoE-

PPP -> Interface (+) -> PPPoE Server
PPPoE Server -> Interface: LAN -> tick One Session Per Host -> Authentication: leave only mschap2 ticked (with PAP allowed a client can be talked into sending its password in clear)
IP -> Pool -> pppoe pool: .2-.254 of the LAN range (same range as the LAN; the router keeps .1)
PPP -> Profile -> Name (e.g. 256) -> Local Address: LAN port address (.1) -> Remote Address: pppoe pool -> DNS Server: 8.8.8.8 -> Limits -> Rate Limit: 256000/256000 (rx/tx in bits per second; 256k/256k means the same)

PPP -> Secrets (create user) -> Name -> Password -> Service: pppoe -> Profile: 256

Client (Windows):
Right-click the LAN icon -> Open Network and Sharing Center -> Set up a new connection ->
Next (no changes) -> Set up my connection manually -> Connect using a broadband connection (PPPoE) -> enter the user name and password from the secret
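The server side of the steps above as RouterOS terminal commands. This is an added example, not from the original notes; ether2 as the LAN port, the 192.168.88.0/24 range, the profile name and user1's password are assumptions.

```routeros
# Added example (not from the original notes). Assumed: LAN port ether2,
# LAN 192.168.88.0/24 with the router on .1, the user name and password below.
/ip pool add name=pppoe-pool ranges=192.168.88.2-192.168.88.254

# Profile: per-user limits, one session per secret, MPPE encryption required
# (MPPE only works with MS-CHAP, which is why the server below refuses PAP/CHAP).
/ppp profile add name=profile-256 local-address=192.168.88.1 \
    remote-address=pppoe-pool dns-server=8.8.8.8 \
    rate-limit=256k/256k only-one=yes use-encryption=required

# One secret per subscriber; the password is the only thing protecting the line.
/ppp secret add name=user1 password="Chang3-me-9x" service=pppoe profile=profile-256

# Server bound to the LAN port. authentication=mschap2 rejects PAP/CHAP/MS-CHAPv1;
# one-session-per-host stops a second login from the same MAC address.
/interface pppoe-server server add service-name=isp1 interface=ether2 \
    default-profile=profile-256 one-session-per-host=yes \
    authentication=mschap2 disabled=no

# Verify: who is logged in and which profile/limits they received.
/ppp active print
```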

Hotspot-

Prepaid users / packages-
No NAT rules need to be added by hand: Hotspot Setup adds its own masquerade rule for the hotspot network.
IP -> Hotspot -> Hotspot Setup -> Interface: LAN (the wizard also creates the pool, DHCP server and server profile)
One login per account by default; for a user with two devices at a time set Shared Users: 2 in the user profile
User Profiles (+) -> Name -> Address Pool: hs pool -> Rate Limit (rx/tx) -> OK
Server Profiles -> Login -> untick Cookie (with cookies on, a browser that logged in once is let back in without a password until the cookie expires)
Users (+) -> Server: hotspot1 -> Name: worshi -> Password: (any) -> Profile -> Limits -> Limit Uptime: 30d 00:00:00
(Limit Uptime counts logged-in time, not calendar days: a 30d package for a user online two hours a day lasts a year)
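The same prepaid package as terminal commands. Added example, not from the original notes; it assumes the Hotspot Setup wizard already created server hotspot1, server profile hsprof1 and pool hs-pool, and the package name, speeds and password are placeholders.

```routeros
# Added example (not from the original notes). Assumes hotspot1 / hsprof1 /
# hs-pool exist from Hotspot Setup. Package name, speeds and password are assumed.

# Login by HTTP-CHAP only, no cookies: a remembered cookie would re-admit a
# device without a password for the cookie lifetime.
/ip hotspot profile set [find name=hsprof1] login-by=http-chap

# Prepaid package: rate limit (rx/tx) and at most two devices at once per account.
/ip hotspot user profile add name=pkg-30d address-pool=hs-pool \
    rate-limit=512k/1M shared-users=2

# Prepaid account. limit-uptime is total connected time, not an expiry date.
/ip hotspot user add server=hotspot1 name=worshi password="w0rsh1-pass" \
    profile=pkg-30d limit-uptime=30d

# Verify: consumed uptime/bytes per account and who is online now.
/ip hotspot user print detail
/ip hotspot active print
```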

Tunnelling:

EoIP:
Joins two sites' private networks over the Internet. EoIP is GRE (IP protocol 47) carrying Ethernet frames: nothing is encrypted and the Tunnel ID is not authentication, so anyone on the path who can spoof the peer address can read or inject frames. Run it with IPsec (the tunnel's IPsec Secret field) or accept that. Note that the setup below routes between the LANs over the tunnel addresses rather than bridging them, so EoIP is only needed if the two LANs must become one broadcast domain; any layer-3 tunnel would do otherwise.
192.168.2.0/24 (Dhaka)        192.168.3.0/24 (Barisal)

Dhaka/boro (public address 103.36.102.145)
Interface -> EoIP Tunnel -> Name -> Remote Address: 116.193.216.26 -> Tunnel ID: 200 (must be the same at both ends)

IP -> Address (+) -> 10.1.1.1/30 -> Interface: the EoIP tunnel (boro>>gul)
IP -> Route -> Dst. Address: 192.168.3.0/24 -> Gateway: 10.1.1.2

Barisal/gul (public address 116.193.216.26)
Interface -> EoIP Tunnel -> Name -> Remote Address: 103.36.102.145 -> Tunnel ID: 200

IP -> Address (+) -> 10.1.1.2/30 -> Interface: the EoIP tunnel (gul>>boro)
IP -> Route -> Dst. Address: 192.168.2.0/24 -> Gateway: 10.1.1.1
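The Dhaka end of the tunnel as terminal commands, with IPsec on the tunnel and input rules that accept GRE only from the peer. Added example, not from the original notes; the addresses and tunnel ID are from the notes, the tunnel name, the IPsec secret and the assumption that nothing else in the input chain already accepts GRE are mine.

```routeros
# Added example (not from the original notes): Dhaka side. Assumed: public
# address 103.36.102.145 is local, the tunnel name and the IPsec secret are placeholders.
/interface eoip add name=boro-gul remote-address=116.193.216.26 \
    local-address=103.36.102.145 tunnel-id=200 \
    ipsec-secret="replace-with-a-long-random-secret" keepalive=10s,10
/ip address add address=10.1.1.1/30 interface=boro-gul
/ip route add dst-address=192.168.3.0/24 gateway=10.1.1.2

# ipsec-secret makes RouterOS add a dynamic IPsec peer and a transport-mode policy
# for GRE between the two public addresses. Let only the peer speak IKE/ESP/GRE
# to this router; GRE from anyone else (spoofed EoIP) is dropped.
/ip firewall filter
add chain=input src-address=116.193.216.26 protocol=udp dst-port=500,4500 action=accept comment="IKE from gul"
add chain=input src-address=116.193.216.26 protocol=ipsec-esp action=accept comment="ESP from gul"
add chain=input src-address=116.193.216.26 protocol=gre action=accept comment="EoIP from gul (after ESP decapsulation)"
add chain=input protocol=gre action=drop comment="GRE from anyone else"

# Barisal mirrors this: remote-address=103.36.102.145, local-address=116.193.216.26,
# address 10.1.1.2/30, route to 192.168.2.0/24 via 10.1.1.1, same tunnel-id and secret.

# Verify: the tunnel shows the R (running) flag and an IPsec SA is installed.
/interface eoip print
/ip ipsec installed-sa print
```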

Port Block (e.g. 1433, tcp and udp)
IP -> Firewall -> Filter Rules (+) -> Chain: forward -> Protocol: tcp -> Dst. Port: 1433 -> Action: drop
IP -> Firewall -> Filter Rules (+) -> Chain: forward -> Protocol: udp -> Dst. Port: 1433 -> Action: drop
(first match wins: place these above any general accept rule in the forward chain)

GRE Tunnel-

PPP Server-

PPTP Server Binding-

L2TP Server Binding-

SSTP Server Binding-

OVPN Server Binding-

MPLS/VPLS-



WEB Proxy (transparent, HTTP only: port 443 cannot be redirected into the proxy)
IP -> Web Proxy -> tick Enabled (port 8080)
IP -> Firewall -> NAT (+) ->
Chain: dstnat -> In. Interface: LAN -> Protocol: tcp -> Dst. Port: 80
Action: redirect -> To Ports: 8080
Also drop tcp/8080 in chain input from the WAN interface: an enabled proxy that is reachable from outside is an open proxy.

Allow/deny website

IP -> Web Proxy -> Access (+) -> Dst. Host: *facebook.com* (wildcards * and ? are accepted)
Action: deny
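The proxy setup as terminal commands, including the rule that keeps it from being an open proxy. Added example, not from the original notes; ether1 as WAN and ether2 as LAN are assumptions.

```routeros
# Added example (not from the original notes). Assumed: ether1 = WAN, ether2 = LAN.
/ip proxy set enabled=yes port=8080

# Only LAN traffic to port 80 is diverted. HTTPS (443) is not matched and goes
# straight through: a transparent proxy cannot see inside it.
/ip firewall nat add chain=dstnat in-interface=ether2 protocol=tcp dst-port=80 \
    action=redirect to-ports=8080 comment="transparent HTTP proxy"

# An enabled proxy reachable from the WAN is an open proxy; close it there,
# at the top of the input chain so no earlier accept rule lets it through.
/ip firewall filter add chain=input in-interface=ether1 protocol=tcp dst-port=8080 \
    action=drop place-before=0 comment="proxy is LAN-only"

# Access list: deny by host pattern, then an explicit allow so the policy does
# not depend on the implicit default.
/ip proxy access add dst-host=*facebook.com* action=deny comment="block facebook (HTTP only)"
/ip proxy access add action=allow

# Verify.
/ip proxy print
/ip proxy access print
```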



VLAN:

Segments the network and reduces the broadcast domain. Layer 2 method following IEEE 802.1Q: a 4-byte tag is inserted in the Ethernet frame, 12 bits of which carry the VLAN ID, so 4096 IDs per interface (0 and 4095 are reserved; 1-4094 usable).
Label the port first, then create the VLAN by command (numbers=0 is ether1, numbers=1 is ether2):
            /interface ethernet set numbers=1 comment=INTERNAL_NETWORK
            /interface vlan add interface=ether2 name=vlan_10 vlan-id=10
            /ip address add interface=ether1 address=192.168.2.2/24
            /ip address add interface=vlan_10 address=192.168.3.1/24
            /ip route add distance=1 gateway=192.168.2.1
            /ip pool add name=vlan_10_pppoe ranges=192.168.3.30-192.168.3.254
            /ppp profile add name=vlan_10 dns-server=8.8.8.8 local-address=192.168.3.1 remote-address=vlan_10_pppoe rate-limit=512k/1024k
            /interface pppoe-server server add service-name=vlan_10-pppoe interface=vlan_10 default-profile=vlan_10 one-session-per-host=yes disabled=no
            /ip firewall nat add chain=srcnat action=src-nat out-interface=ether1 src-address=192.168.3.0/24 to-addresses=192.168.2.2
            /ppp secret add name=user1 password=user1 profile=vlan_10 service=pppoe
            (the PPPoE server runs on the VLAN interface vlan_10, so only hosts tagged with VLAN 10 on ether2 can log in; user1/user1 is a placeholder, set a real password)
VLAN on the same router:
Interface -> VLAN -> Name -> VLAN ID -> Interface (the port that carries the tag)
Configure NAT (srcnat for the VLAN subnet, as above).
Port-based VLAN on the switch chip: Switch -> VLAN (+) -> VLAN ID: 200 -> Ports: the LAN ports -> OK

Inter-VLAN routing / router and switch VLANs:

Router: Bridge (+) -> Name: vlan -> OK
Bridge -> Ports (+) -> Interface: ether2 (LAN / switch-facing port) -> Bridge: vlan
Interface -> VLAN (+) -> VLAN ID: 100 -> Interface: vlan (the bridge)
                      (+) -> VLAN ID: 200 -> Interface: vlan
IP -> Address -> 10.10.10.1/24 -> Interface: vlan100
IP -> DHCP Server -> DHCP Setup -> Interface: vlan100 (repeat with its own subnet for vlan200)
The router routes freely between the two VLAN interfaces unless forward-chain drop rules say otherwise; add them if the VLANs are meant to be isolated from each other.

Switch (MikroTik, one bridge per VLAN): Bridge (+) -> vlan100 and vlan200 -> OK
Interface -> VLAN (+) -> vlan100 and vlan200 on the router-facing port -> OK
Bridge -> Ports: ether2, ether3 -> bridge vlan100; ether4, ether5 -> bridge vlan200
Bridge -> Ports (+) -> Interface: vlan100 -> Bridge: vlan100
                       Interface: vlan200 -> Bridge: vlan200

VLAN with a MikroTik router and a Cisco switch:
MikroTik: Interface -> VLAN (+) -> Name: IT -> VLAN ID: 10 -> Interface: the switch-facing port
Add an address per VLAN: IP -> Address (+) -> Address: 192.168.1.1/24 -> Interface: IT
Enable DHCP per VLAN: IP -> DHCP Server -> DHCP Setup -> Interface: IT
Create another VLAN the same way for HR.
Create the VLAN on the Cisco switch and configure the trunk (global configuration mode):
#vlan 10
#name IT
#interface e0/0         (router-facing port)
#switchport trunk encapsulation dot1q
#switchport mode trunk
#interface e0/1
#switchport mode access
#switchport access vlan 10
(limit the trunk to the VLANs it should carry and keep the native VLAN off user ports, so an access port cannot reach a VLAN it was not assigned)
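The router side of both inter-VLAN setups above (the per-VLAN bridges and the MikroTik/Cisco one) done with bridge VLAN filtering, which is how current RouterOS (6.41 and later) handles it, plus the firewall rules that make the segmentation mean something. Added example, not from the original notes; the interface roles, subnets and names are assumptions.

```routeros
# Added example (not from the original notes). Assumed: ether2 = 802.1Q trunk to the
# switch, ether3 = untagged access port in IT, VLAN 10 = IT 192.168.1.0/24,
# VLAN 20 = HR 192.168.2.0/24.
/interface bridge add name=bridge1 vlan-filtering=no
/interface bridge port add bridge=bridge1 interface=ether2 frame-types=admit-only-vlan-tagged
/interface bridge port add bridge=bridge1 interface=ether3 pvid=10 frame-types=admit-only-untagged-and-priority-tagged

# Which VLANs leave which port tagged or untagged. bridge1 itself is a tagged
# member so the router can own an address in each VLAN.
/interface bridge vlan add bridge=bridge1 vlan-ids=10 tagged=bridge1,ether2 untagged=ether3
/interface bridge vlan add bridge=bridge1 vlan-ids=20 tagged=bridge1,ether2

# Layer-3 interface, address and DHCP per VLAN (the "address per VLAN" and
# "DHCP per VLAN" steps above).
/interface vlan add name=IT interface=bridge1 vlan-id=10
/interface vlan add name=HR interface=bridge1 vlan-id=20
/ip address add address=192.168.1.1/24 interface=IT
/ip address add address=192.168.2.1/24 interface=HR
/ip pool add name=pool-IT ranges=192.168.1.10-192.168.1.254
/ip pool add name=pool-HR ranges=192.168.2.10-192.168.2.254
/ip dhcp-server add name=dhcp-IT interface=IT address-pool=pool-IT disabled=no
/ip dhcp-server add name=dhcp-HR interface=HR address-pool=pool-HR disabled=no
/ip dhcp-server network add address=192.168.1.0/24 gateway=192.168.1.1 dns-server=192.168.1.1
/ip dhcp-server network add address=192.168.2.0/24 gateway=192.168.2.1 dns-server=192.168.2.1

# A VLAN is only a security boundary if the router refuses to route across it;
# without these rules every HR host can reach every IT host.
/ip firewall filter add chain=forward in-interface=HR out-interface=IT action=drop comment="HR -> IT blocked"
/ip firewall filter add chain=forward in-interface=IT out-interface=HR action=drop comment="IT -> HR blocked"

# Turn filtering on last, from the console or a port that stays reachable:
# enabling it with a wrong VLAN table cuts off management.
/interface bridge set bridge1 vlan-filtering=yes
/interface bridge vlan print
```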


Load Balancing with failover (PCC)-

IP -> Firewall -> Mangle (+) -> Chain: input -> In. Interface: WAN1 -> Action: mark connection -> New Connection Mark: WAN1_connection
IP -> Firewall -> Mangle (+) -> Chain: input -> In. Interface: WAN2 -> Action: mark connection -> New Connection Mark: WAN2_connection
IP -> Firewall -> Mangle (+) -> Chain: output -> Connection Mark: WAN1_connection -> Action: mark routing -> New Routing Mark: to_WAN1
IP -> Firewall -> Mangle (+) -> Chain: output -> Connection Mark: WAN2_connection -> Action: mark routing -> New Routing Mark: to_WAN2
(+) -> Chain: prerouting -> Dst. Address: WAN1's own subnet, e.g. 192.168.2.0/29 -> In. Interface: local -> Action: accept   (traffic to the ISP subnets must not be classified)
(+) -> Chain: prerouting -> Dst. Address: WAN2's own subnet, e.g. 192.168.3.0/29 -> In. Interface: local -> Action: accept
(+) -> Chain: prerouting -> In. Interface: local -> Connection Mark: no-mark -> Advanced -> Per Connection Classifier: both addresses and ports, 2/0 -> Extra -> Dst. Address Type: local with the "!" (invert) box ticked -> Action: mark connection -> New Connection Mark: WAN1_connection
(+) -> Chain: prerouting -> In. Interface: local -> Connection Mark: no-mark -> Advanced -> Per Connection Classifier: both addresses and ports, 2/1 -> Extra -> Dst. Address Type: local with the "!" (invert) box ticked -> Action: mark connection -> New Connection Mark: WAN2_connection
(+) -> Chain: prerouting -> In. Interface: local -> Connection Mark: WAN1_connection -> Action: mark routing -> New Routing Mark: to_WAN1
(+) -> Chain: prerouting -> In. Interface: local -> Connection Mark: WAN2_connection -> Action: mark routing -> New Routing Mark: to_WAN2
(Connection Mark: no-mark keeps a connection on the WAN it started on; !local keeps traffic for the router itself out of the classifier)

Route list:
IP -> Route (+) -> Dst. Address: 0.0.0.0/0 -> Gateway: WAN1 gateway -> Check Gateway: ping -> Distance: 1 -> Routing Mark: to_WAN1
IP -> Route (+) -> Dst. Address: 0.0.0.0/0 -> Gateway: WAN2 gateway -> Check Gateway: ping -> Distance: 1 -> Routing Mark: to_WAN2
IP -> Route (+) -> Dst. Address: 0.0.0.0/0 -> Gateway: WAN1 gateway -> Check Gateway: ping -> Distance: 1   (main table: WAN1 is primary)
IP -> Route (+) -> Dst. Address: 0.0.0.0/0 -> Gateway: WAN2 gateway -> Check Gateway: ping -> Distance: 2   (failover: used when WAN1's gateway stops answering ping)

NAT:

IP -> Firewall -> NAT (+) -> Chain: srcnat -> Out. Interface: WAN1 -> Action: masquerade
IP -> Firewall -> NAT (+) -> Chain: srcnat -> Out. Interface: WAN2 -> Action: masquerade
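The complete PCC load-balancing set from the section above, together with the two masquerade rules just listed, as terminal commands. Added example, not from the original notes; interface names, gateways and the ISP subnets are assumptions.

```routeros
# Added example (not from the original notes). Assumed: ether1 = WAN1 (gateway
# 192.168.2.1, ISP subnet 192.168.2.0/29), ether2 = WAN2 (gateway 192.168.3.1,
# ISP subnet 192.168.3.0/29), bridge-lan = LAN.
/ip firewall mangle
add chain=input in-interface=ether1 action=mark-connection new-connection-mark=WAN1_connection
add chain=input in-interface=ether2 action=mark-connection new-connection-mark=WAN2_connection
add chain=output connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2
# Traffic to the ISPs' own subnets is never classified.
add chain=prerouting dst-address=192.168.2.0/29 in-interface=bridge-lan action=accept
add chain=prerouting dst-address=192.168.3.0/29 in-interface=bridge-lan action=accept
# PCC hashes src/dst address+port into 2 buckets. connection-mark=no-mark marks a
# connection once so it stays on one WAN; dst-address-type=!local leaves traffic
# for the router itself alone.
add chain=prerouting in-interface=bridge-lan connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/0 \
    action=mark-connection new-connection-mark=WAN1_connection
add chain=prerouting in-interface=bridge-lan connection-mark=no-mark dst-address-type=!local \
    per-connection-classifier=both-addresses-and-ports:2/1 \
    action=mark-connection new-connection-mark=WAN2_connection
add chain=prerouting in-interface=bridge-lan connection-mark=WAN1_connection action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting in-interface=bridge-lan connection-mark=WAN2_connection action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 routing-mark=to_WAN2 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.3.1 distance=2 check-gateway=ping

# Source NAT per WAN: replies must leave through the WAN the connection used.
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
add chain=srcnat out-interface=ether2 action=masquerade

# Verify: connections carry a mark and both WAN rules count packets.
/ip firewall connection print where connection-mark~"WAN"
/ip firewall nat print stats
```

When a WAN's gateway fails its ping check, its marked route goes inactive and packets with that routing mark fall through to the main table, which is the failover. check-gateway=ping only tests the next hop, not Internet reachability beyond it. On RouterOS v7 the route parameter is routing-table instead of routing-mark and each table must first be created with /routing table add name=to_WAN1 fib (and the same for to_WAN2).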

Static src-nat (fixed WAN address): To Addresses is the public address

Chain: srcnat (not forward; the src-nat action is only valid in the srcnat chain) -> Src. Address: LAN subnet -> Out. Interface: WAN
Action: src-nat -> To Addresses: WAN address -> OK
(masquerade is for a WAN address that changes; src-nat for one that is fixed)

 Port Forward-

File share in the LAN reached from the WLAN (dst-nat to a private address):

Chain: dstnat -> Dst. Address: 172.26.0.0/24 -> Protocol: 6 (tcp) -> Dst. Port: 139    Action: dst-nat -> To Addresses: 192.168.14.45 -> To Ports: 139

Chain: dstnat -> Dst. Address: 172.26.0.0/24 -> Protocol: 6 (tcp) -> Dst. Port: 445    Action: dst-nat -> To Addresses: 192.168.14.45 -> To Ports: 445
(SMB on 139/445 exposed to a wireless network is a large attack surface: add Src. Address for the hosts that actually need the share, and use the router's own WLAN-side address as Dst. Address rather than the whole /24)

Dst-nat: To Addresses is the real destination, normally the private (inside) address
NAT -> Chain: dstnat -> Dst. Address: 103.36.102.145 -> Protocol: tcp -> Dst. Port: 53
Action: dst-nat -> To Addresses: 8.8.8.8

NAT -> Chain: dstnat -> Dst. Address: 103.36.102.145 -> Protocol: udp -> Dst. Port: 53
Action: dst-nat -> To Addresses: 8.8.8.8
(with no In. Interface or Src. Address on these rules, anyone on the Internet can send queries to 103.36.102.145 and have the router relay them to 8.8.8.8 and the answers back, i.e. an open resolver usable for DNS amplification; restrict them to In. Interface: LAN, or drop port 53 arriving on the WAN)


For DVR
Chain: dstnat -> Dst. Address: 103.36.102.145 -> Protocol: tcp -> Dst. Port: (DVR port)
Action: dst-nat -> To Addresses: DVR address -> To Ports: DVR port
(limit Src. Address or Src. Address List to the sites that need to view the DVR; DVR web interfaces open to the whole Internet are routinely scanned and brute-forced)


For ATA IP telephony:
ATA SIP (signalling)
General -> Chain: dstnat -> Dst. Address: 203.76.107.177 -> Protocol: udp
Dst. Port: 5060
Action: dst-nat -> To Addresses: 192.168.14.80 -> To Ports: 5060
ATA RTP (media)
General -> Chain: dstnat -> Dst. Address: 203.76.107.177 -> Protocol: udp
Dst. Port: 5004
Action: dst-nat -> To Addresses: 192.168.14.80 -> To Ports: 5004
(5060 open to the whole Internet attracts SIP registration brute force and toll fraud: add Src. Address for the SIP provider. Check the ATA's configured RTP port; if it uses a range, forward the range and leave To Ports empty.)
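The DVR and ATA forwards above as terminal commands, restricted to the sources that should reach them. Added example, not from the original notes; the public addresses and the ATA's inside address are from the notes, while ether1 as the WAN, the DVR's address and port, the viewer network and the SIP provider address are assumptions.

```routeros
# Added example (not from the original notes). Assumed: ether1 = WAN carrying
# 103.36.102.145 (DVR) and 203.76.107.177 (ATA); DVR at 192.168.14.50:8000;
# viewer network and SIP provider address are placeholders.
/ip firewall address-list
add list=dvr-viewers address=203.0.113.0/24 comment="site that watches the cameras (assumed)"
add list=sip-provider address=198.51.100.10 comment="SIP trunk provider (assumed)"

/ip firewall nat
# DVR: reachable only from the listed sources, not from the whole Internet.
add chain=dstnat dst-address=103.36.102.145 protocol=tcp dst-port=8000 \
    src-address-list=dvr-viewers action=dst-nat to-addresses=192.168.14.50 to-ports=8000
# ATA: SIP signalling and RTP media only from the provider. An unrestricted 5060
# forward is what registration brute force and toll fraud look for.
add chain=dstnat dst-address=203.76.107.177 protocol=udp dst-port=5060 \
    src-address-list=sip-provider action=dst-nat to-addresses=192.168.14.80 to-ports=5060
# The notes use a single RTP port (5004); for an ATA that uses a range, put the
# range in dst-port and omit to-ports.
add chain=dstnat dst-address=203.76.107.177 protocol=udp dst-port=5004 \
    src-address-list=sip-provider action=dst-nat to-addresses=192.168.14.80 to-ports=5004

# If the forward chain drops new connections from the WAN by default, admit
# only what dst-nat translated.
/ip firewall filter add chain=forward in-interface=ether1 connection-state=new \
    connection-nat-state=dstnat action=accept comment="port-forwarded traffic"

# The SIP helper (ALG) rewrites SIP packets and commonly breaks ATAs behind
# dst-nat; disable it unless it is known to be needed.
/ip firewall service-port set sip disabled=yes

# Verify: the rules count packets when a test connection arrives from an allowed source.
/ip firewall nat print stats
```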

1:1 mapping
To link the public subnet 11.11.11.0/24 to the local subnet 2.2.2.0/24 one-to-one, use destination and source address translation with action=netmap:
/ip firewall nat add chain=dstnat dst-address=11.11.11.0/24 \
     action=netmap to-addresses=2.2.2.0/24

/ip firewall nat add chain=srcnat src-address=2.2.2.0/24 \
     action=netmap to-addresses=11.11.11.0/24
The same can be written with range notation; the ranges still have to match the networks above exactly (same size, so host .N maps to host .N):

/ip firewall nat add chain=dstnat dst-address=11.11.11.0-11.11.11.255 \
     action=netmap to-addresses=2.2.2.0-2.2.2.255

/ip firewall nat add chain=srcnat src-address=2.2.2.0-2.2.2.255 \
     action=netmap to-addresses=11.11.11.0-11.11.11.255
(the dstnat netmap exposes every host of 2.2.2.0/24 on its public twin on every port; the mapping itself filters nothing, so pair it with forward-chain filter rules)


 Firewall:

How to block Facebook for all users but allow one:

IP -> Firewall -> Layer7 Protocols (+) -> Name: fb block -> Regexp: ^.+(facebook.com).*$
Filter Rules (+) -> Chain: forward -> Src. Address: 192.168.2.0/24
Advanced -> Layer7 Protocol: fb block -> Action: drop

Allow a specific address: Filter Rules (+) -> Chain: forward -> Src. Address: 192.168.2.10
Advanced -> Layer7 Protocol: fb block -> Action: accept
Rules are evaluated top to bottom and the first match wins, so the accept rule for 192.168.2.10 must be dragged above the drop rule, otherwise the drop catches that host too. Content and Layer7 inspect packet payload; under HTTPS the payload is encrypted, so for HTTPS use the TLS Host matcher (Advanced -> TLS Host), which matches the server name in the TLS handshake.

Block a website by filter rules:
Firewall -> Filter Rules -> Chain: forward -> Src. Address: local LAN address -> Advanced -> Content: facebook.com -> Action: drop
Block multiple addresses-
10.10.10.10   10.10.10.20   10.10.10.30   10.10.10.40
Firewall -> Address Lists (+) -> Name: FB_block -> Address: 10.10.10.10
Firewall -> Address Lists (+) -> Name: FB_block -> Address: 10.10.10.20   (same for .30 and .40)
Firewall -> Filter Rules -> Chain: forward
Advanced -> Src. Address List: FB_block
Content: facebook.com -> Action: drop

Permit a specific IP (place it above the drop rules):
Filter Rules -> Chain: forward -> Src. Address: 10.10.10.120 -> Advanced -> Content: facebook.com -> Action: accept

Block one host entirely:
/ip firewall filter add chain=forward src-address=192.168.12.250 dst-address=0.0.0.0/0 action=drop
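The Facebook block with one exempt host, written so that the rule order is right and HTTPS is handled. Added example, not from the original notes; the LAN 192.168.2.0/24 and the exempt host 192.168.2.10 are from the notes, the list and rule names are assumptions, and the TLS Host matcher needs RouterOS 6.41 or later.

```routeros
# Added example (not from the original notes). Assumed: LAN 192.168.2.0/24,
# exempt host 192.168.2.10; names are placeholders. RouterOS stops at the first
# matching filter rule, so the exemption must sit above the drops.
/ip firewall layer7-protocol add name=fb-block regexp="^.+(facebook.com).*\$"
/ip firewall address-list add list=fb-allowed address=192.168.2.10

/ip firewall filter
# 1. Exempt host: its web traffic is accepted before the drops below are reached.
add chain=forward src-address-list=fb-allowed protocol=tcp dst-port=80,443 \
    action=accept comment="facebook exemption (first match wins)"
# 2. HTTPS: match the server name in the TLS handshake, not the (encrypted) payload.
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=443 \
    tls-host=*facebook.com* action=drop comment="facebook over HTTPS"
# 3. Plain HTTP: the layer7 regex over the first packets of the connection.
#    Layer7 is CPU-costly, so the rule is limited to tcp/80 instead of all traffic.
add chain=forward src-address=192.168.2.0/24 protocol=tcp dst-port=80 \
    layer7-protocol=fb-block action=drop comment="facebook over HTTP"

# Check the order and the hit counters after a test from both hosts.
/ip firewall filter print stats
```

The exemption rule accepts all of that host's port 80/443 traffic, which is simpler than repeating the two matchers with action=accept and is fine where the forward chain would accept it anyway; use the narrower form if the chain ends in a general drop.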


Isolate an address range:
/ip firewall filter add chain=forward src-address=10.0.0.0/16 dst-address=192.168.1.0/24 action=drop
/ip firewall filter add chain=forward src-address=192.168.1.0/24 dst-address=10.0.0.0/16 action=drop

Block a range of IPs from accessing the Internet:

Filter Rules -> Chain: forward -> Src. Address: 192.168.12.0/24 -> Action: drop


Block all incoming and outgoing traffic, Internet included, for a range of IPs:

Filter Rules -> Chain: forward -> Src. Address: local LAN address -> Dst. Address: 0.0.0.0/0 -> Action: drop

Chain: forward -> Src. Address: 0.0.0.0/0 -> Dst. Address: local LAN address -> Action: drop


Drop DNS hits from outside:

Filter Rules -> Chain: input -> In. Interface: WAN -> Protocol: udp -> Dst. Port: 53 -> Action: drop
Filter Rules -> Chain: input -> In. Interface: WAN -> Protocol: tcp -> Dst. Port: 53 -> Action: drop
(the router's own resolver, when Allow Remote Requests is on, answers in the input chain, and DNS is mostly UDP, so the rules go in input for both protocols. A forward rule on Src. Port 53 would instead drop the replies coming back to LAN clients. If port 53 is also dst-nat'ed to 8.8.8.8 as in the NAT section, add the same two drops in chain forward with In. Interface: WAN.)
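The DNS rules as terminal commands, covering both the router's own resolver and the port-53 dst-nat from the NAT section. Added example, not from the original notes; ether1 as the WAN interface is an assumption.

```routeros
# Added example (not from the original notes). Assumed: ether1 = WAN.
/ip firewall filter
# The router's resolver (when allow-remote-requests=yes) listens in the input
# chain; keep it for the LAN and make it unreachable from the Internet. Placed
# at the top so no earlier accept rule admits the queries.
add chain=input in-interface=ether1 protocol=udp dst-port=53 action=drop \
    place-before=0 comment="no DNS from WAN"
add chain=input in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    place-before=0 comment="no DNS from WAN"
# If the dstnat rules that send port 53 to 8.8.8.8 are kept, outside queries
# would be relayed through the forward chain; stop them there as well.
add chain=forward in-interface=ether1 protocol=udp dst-port=53 action=drop \
    comment="no relayed DNS from WAN"
add chain=forward in-interface=ether1 protocol=tcp dst-port=53 action=drop \
    comment="no relayed DNS from WAN"

# Verify: a query sent to the public address from outside times out and the
# counters below increase; a query from the LAN still resolves.
/ip firewall filter print stats where comment~"DNS"
```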


 BGP:

 IBGP-


EBGP-

