Get MAC addresses without a comment from the Mikrotik CAPsMAN Registration Table and add them to the Access List

Script:

Get the MAC addresses of CAPsMAN registration-table entries that have no comment, compare them with the DHCP server lease MACs, and add each one to the CAPsMAN access list with the lease's host name, address lists and comment as the entry's comment.

Now we know who is connected to CAPsMAN.

{
/caps-man registration-table {
:local SSID; :local MAC; :local AP
# Alternative filters: (comment~"LAO") or interface="AP_EE"
# Process only registration-table entries that have no comment
:foreach rule in=[print detail as-value where (!comment~"")] do={
# :put $rule
:set AP ""; :set MAC ""; :set SSID ""
# Fields are read by position in the record: 2 = AP, 3 = MAC, 4 = SSID
:local num 0
:foreach item in=$rule do={
:if ($num = 2) do={ :set AP $item }
:if ($num = 3) do={ :set MAC $item }
:if ($num = 4) do={ :set SSID $item }
:set num ($num + 1)
}
# These lookups assume the client has a DHCP lease; with no matching lease the get fails
:local HOSTNAME [ /ip dhcp-server lease get [/ip dhcp-server lease find mac-address=$MAC ] host-name ]
:local ADDRLIST [ /ip dhcp-server lease get [/ip dhcp-server lease find mac-address=$MAC ] address-lists ]
:local COMMENTHOST [ /ip dhcp-server lease get [/ip dhcp-server lease find mac-address=$MAC ] comment ]
:put ($HOSTNAME . $ADDRLIST . ", " . $COMMENTHOST)

:put ($AP . " " . $MAC . " " . $SSID)
# The access-list entry is created disabled, so it only documents the client until it is enabled
/caps-man access-list {
add mac-address=$MAC action=accept comment=($HOSTNAME . $ADDRLIST . ", " . $COMMENTHOST) disabled=yes
move [find mac-address=$MAC] destination=1
}
:delay delay-time=10ms
}
}
}

Mikrotik Active User Hotspot In A Day

Please edit the comment values in the script so they match the comments on your Mikrotik hotspot users.

{
# Calculates the day of the week for a given date
# Month: jan,feb … nov,dec (must be lower-case)
# Day: 1 - 31
# Year: 1900 - 2999
# mmm/dd/yyyy same format as [/system clock get date]
# (ex. jul/22/2009)
# Note: RouterOS 7.10 and later return the date as yyyy-mm-dd, which this parsing does not handle

:local date [/system clock get date]

# Math Calculation here
:local result ""
:local months [:toarray "jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec"]
:local monthtbl [:toarray "0,3,3,6,1,4,6,2,5,0,3,5"]
:local daytbl [:toarray "sun,mon,tue,wed,thu,fri,sat"]

:local month [:pick $date 0 3]
:local day [:pick $date 4 6]
:local dayc [:pick $date 5 6]
:local century [:pick $date 7 9]
:local year [:pick $date 9 11]
:local yearc [:pick $date 10 11]

# if the first char is a 0 (zero) only read last char, else script fails
:if ([:pick $date 4 5] = 0) do={ :set day ($dayc) }
:if ([:pick $date 9 10] = 0) do={ :set year ($yearc) }

:local sum 0
:set sum ($sum + (2 * (3 - ($century - (($century / 4) * 4)))))
:set sum ($sum + ($year / 4))
:set sum ($sum + $year + $day)
:for mindex from=0 to=([:len $months] - 1) do={
:if ([:pick $months $mindex] = $month) do={ :set sum ($sum + [:pick $monthtbl $mindex]) }
}
# The month table assumes a non-leap year: in a leap year, January and
# February dates fall one weekday earlier
:local yy [:tonum $year]
:local cc [:tonum $century]
:local leap false
:if (($yy - (($yy / 4) * 4)) = 0) do={
:if (($yy != 0) || (($cc - (($cc / 4) * 4)) = 0)) do={ :set leap true }
}
:if ($leap && (($month = "jan") || ($month = "feb"))) do={ :set sum ($sum - 1) }
:set sum ($sum - (($sum / 7) * 7))
:set result [:pick $daytbl $sum]

# END Math Calculation

:put ([:pick $date 0 3] . "/" . [:pick $date 4 6] . "/" . [:pick $date 7 9] . [:pick $date 9 11] . " is on a " . $result)
#:log info ([:pick $date 0 3] . "/" . [:pick $date 4 6] . "/" . [:pick $date 7 9] . [:pick $date 9 11] . " is on a " . $result)

# Enable the hotspot users whose comment names today's weekday and disable all the others
:if ($result = "mon") do={/ip hotspot user set disabled=no [find comment=Monday]} else={/ip hotspot user set disabled=yes [find comment=Monday]}
:if ($result = "tue") do={/ip hotspot user set disabled=no [find comment=Tuesday]} else={/ip hotspot user set disabled=yes [find comment=Tuesday]}
:if ($result = "wed") do={/ip hotspot user set disabled=no [find comment=Wednesday]} else={/ip hotspot user set disabled=yes [find comment=Wednesday]}
:if ($result = "thu") do={/ip hotspot user set disabled=no [find comment=Thursday]} else={/ip hotspot user set disabled=yes [find comment=Thursday]}
:if ($result = "fri") do={/ip hotspot user set disabled=no [find comment=Friday]} else={/ip hotspot user set disabled=yes [find comment=Friday]}
:if ($result = "sat") do={/ip hotspot user set disabled=no [find comment=Saturday]} else={/ip hotspot user set disabled=yes [find comment=Saturday]}
:if ($result = "sun") do={/ip hotspot user set disabled=no [find comment=Sunday]} else={/ip hotspot user set disabled=yes [find comment=Sunday]}
}
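
The enable/disable rules at the end of the script are only as correct as the weekday calculation. As an added cross-check (not part of the original script), this Python port of the table method compares it with Python's own calendar over a date range, with and without the one-day shift the method needs for January and February of leap years; the function names are made up for the example.

```python
from datetime import date, timedelta

MONTHS = "jan,feb,mar,apr,may,jun,jul,aug,sep,oct,nov,dec".split(",")
MONTH_TBL = [0, 3, 3, 6, 1, 4, 6, 2, 5, 0, 3, 5]   # same table as the script
DAY_TBL = ["sun", "mon", "tue", "wed", "thu", "fri", "sat"]

def is_leap(year):
    return year % 4 == 0 and (year % 100 != 0 or year % 400 == 0)

def weekday_from_tables(ros_date, leap_fix=True):
    """Weekday for a 'mmm/dd/yyyy' string, computed with the script's tables."""
    month, day, full_year = ros_date[0:3], int(ros_date[4:6]), int(ros_date[7:11])
    century, year = divmod(full_year, 100)
    total = 2 * (3 - century % 4) + year // 4 + year + day
    total += MONTH_TBL[MONTHS.index(month)]
    # The table is for common years; Jan/Feb of a leap year are one day earlier
    if leap_fix and is_leap(full_year) and month in ("jan", "feb"):
        total -= 1
    return DAY_TBL[total % 7]

def mismatches(start, end, leap_fix):
    """Dates in [start, end] where the table result differs from datetime."""
    bad, d = [], start
    while d <= end:
        ros = f"{MONTHS[d.month - 1]}/{d.day:02d}/{d.year}"
        # datetime counts Monday=0 ... Sunday=6; DAY_TBL starts at Sunday
        expected = DAY_TBL[(d.weekday() + 1) % 7]
        if weekday_from_tables(ros, leap_fix) != expected:
            bad.append(ros)
        d += timedelta(days=1)
    return bad

if __name__ == "__main__":
    no_fix = mismatches(date(2023, 1, 1), date(2024, 12, 31), leap_fix=False)
    print(len(no_fix), "wrong days without the shift:", no_fix[0], "to", no_fix[-1])
    print("with the shift:", mismatches(date(1900, 1, 1), date(2999, 12, 31), True))
```

Without the shift, every day from jan/01/2024 to feb/29/2024 resolves to the following weekday, so the wrong group of hotspot users would be enabled on those days.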

Mikrotik Howto give PING / ICMP high Priority

Mikrotik queuing is heuristic: every packet leaving the Mikrotik destined to your IP is capped, ICMP included.

So when you browse or download any data, little or no bandwidth is left for PING/ICMP packets, and pings from a client to the Mikrotik or to the internet will see frequent timeouts and high latency when the allowed bandwidth is fully used.

NOTE:

It is recommended to block the ICMP/PING protocol on every network to avoid flooding and unwanted queries from the client end. (You can exempt your admin PC or other hosts from this restriction via a source address list.)

Or, if you still want to allow ICMP, simply mark ICMP packets and create a queue that allows more bandwidth to ICMP-marked packets.

1- EXAMPLE OF PING/ICMP QUEUE USING SIMPLE QUEUE [overall capping]

###########################################
# PING/ICMP Priority Script for Mikrotik
# Syed Jahanzaib / aacable @ hotmail . com
###########################################
# Connection PACKET marking for ICMP, valid for both 5.x and 6.x ROS versions
/ip firewall mangle
add chain=prerouting protocol=icmp action=mark-connection new-connection-mark=icmp-con passthrough=yes comment="" disabled=no
# PACKET marking for ICMP, valid for both 5.x and 6.x ROS versions
add chain=prerouting protocol=icmp connection-mark=icmp-con action=mark-packet new-packet-mark=icmp-pkt passthrough=no comment="" disabled=no
# QUEUE TREE For Mikrotik 5.x Version to allow 128k Bandwidth for ICMP/PING Packets
/queue tree
add burst-limit=0 burst-threshold=0 burst-time=0s disabled=no limit-at=128k max-limit=128k name=Hi-Prio-to-icmp-aacable packet-mark=icmp-pkt parent=global-out priority=1 queue=default
# For 5.x All Done. Now check your PING results. t.c
###################################################################
# IF you are using Mikrotik 6.x then above queue wont work,instead use SIMPLE queue
# SIMPLE QUEUE approach is valid For both 5.x and 6.x Versions.
# DO Make sure to move it on TOP [order wise 0]
/queue simple
add max-limit=128k/128k name=ICMP_Priority packet-marks=icmp-pkt target=""


2- SECOND EXAMPLE OF PING/ICMP QUEUE USING PCQ TREE | (FOR PER USER DISTRIBUTION)

The following script marks ICMP packets and allows 32k per user for ICMP traffic via PCQ / queue tree.

/ip firewall mangle
add action=mark-packet chain=prerouting comment="Mark ICMP I / zaib" new-packet-mark=ping_pkts_i protocol=icmp
add action=mark-packet chain=postrouting comment="Mark ICMP O / zaib" new-packet-mark=ping_pkts_o protocol=icmp
/queue type
add kind=pcq name="ping_pkts_i_32K" pcq-classifier=dst-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
add kind=pcq name="ping_pkts_o_32K" pcq-classifier=src-address pcq-dst-address6-mask=64 pcq-rate=32k pcq-src-address6-mask=64
/queue tree
# The queue= value must match the name of a queue type defined above
add name=ping_pkts_i packet-mark=ping_pkts_i parent=global-out queue=ping_pkts_i_32K
add name=ping_pkts_o packet-mark=ping_pkts_o parent=global-out queue=ping_pkts_o_32K

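Firewall Spam Filtering

Servers that clients connect to for POP3, secure POP3 or IMAP are added to a VALID_SMTP address list (you can add your own "always valid" servers to this list), and SMTP to servers on that list is always allowed.
If a user is seen making multiple simultaneous SMTP connections (in excess of 10), they are added to a blacklist and SMTP traffic from them is dropped. The blacklisting rule only matches sources in the QOSCustomerIPs address list, which is not defined in this snippet and must be populated separately.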
/ip firewall filter
add action=add-dst-to-address-list address-list=VALID_SMTP address-list-timeout=2d chain=forward comment="Checking POP3" disabled=no dst-port=110 protocol=tcp
add action=add-dst-to-address-list address-list=VALID_SMTP address-list-timeout=2d chain=forward comment="Checking Secure POP3" disabled=no dst-port=995 protocol=tcp
add action=add-dst-to-address-list address-list=VALID_SMTP address-list-timeout=2d chain=forward comment="Checking IMAP" disabled=no dst-port=143 protocol=tcp
add action=accept chain=forward comment="Allow SMTP going to known servers" disabled=no dst-address-list=VALID_SMTP dst-port=25 protocol=tcp
add action=drop chain=forward comment="Drop traffic from those on the suspect list" disabled=no dst-port=25 protocol=tcp src-address-list=spambot
add action=add-src-to-address-list address-list=spambot address-list-timeout=2d chain=forward comment="10+ connects = spammy" connection-limit=10,32 disabled=no dst-port=25 protocol=tcp src-address-list=QOSCustomerIPs
/ip firewall address-list
add address=202.171.191.9 comment=smtp.bigair.net.au disabled=no list=VALID_SMTP
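
The rule order above decides what happens to a host once it is listed. As an added illustration (not part of the original post), this Python model walks constructed connections through the six rules in order; it ignores the 2d list timeouts, counts only open port-25 connections that reach the last rule, and assumes QOSCustomerIPs holds the two sample client addresses and that no other forward rules exist.

```python
from collections import Counter

MAIL_CHECK_PORTS = {110, 995, 143}  # POP3, secure POP3, IMAP
LIMIT = 10                          # connection-limit=10,32

class SmtpFilter:
    """Simplified first-match model of the six forward-chain rules."""

    def __init__(self, valid_smtp, customers):
        self.valid_smtp = set(valid_smtp)  # VALID_SMTP address list
        self.customers = set(customers)    # QOSCustomerIPs (assumed contents)
        self.spambot = set()               # spambot address list
        self.open_smtp = Counter()         # open port-25 connections per source

    def new_connection(self, src, dst, dport):
        """Return 'accept' or 'drop' for a new forwarded TCP connection."""
        # Rules 1-3 (non-terminating): remember servers clients read mail from
        if dport in MAIL_CHECK_PORTS:
            self.valid_smtp.add(dst)
        if dport != 25:
            return "accept"  # nothing else matches in this model
        # Rule 4: SMTP to a known server is accepted before any list check
        if dst in self.valid_smtp:
            return "accept"
        # Rule 5: sources already on the suspect list are dropped
        if src in self.spambot:
            return "drop"
        # Rule 6 (non-terminating): above LIMIT open connections, list the
        # source; the connection that trips the limit still passes
        self.open_smtp[src] += 1
        if src in self.customers and self.open_smtp[src] > LIMIT:
            self.spambot.add(src)
        return "accept"

def run_scenario():
    """Constructed traffic: one ordinary client and one host opening many sessions."""
    fw = SmtpFilter(valid_smtp={"202.171.191.9"}, customers={"10.0.0.5", "10.0.0.7"})
    normal = [
        fw.new_connection("10.0.0.5", "202.171.191.9", 25),   # listed server
        fw.new_connection("10.0.0.5", "198.51.100.20", 143),  # IMAP teaches the list
        fw.new_connection("10.0.0.5", "198.51.100.20", 25),   # now a known server
    ]
    burst = [fw.new_connection("10.0.0.7", f"203.0.113.{i}", 25) for i in range(1, 14)]
    relay = fw.new_connection("10.0.0.7", "202.171.191.9", 25)  # listed host, known server
    return fw, normal, burst, relay

if __name__ == "__main__":
    fw, normal, burst, relay = run_scenario()
    print(normal, burst, relay, sorted(fw.spambot))
```

In this run the thirteen-connection burst gets eleven accepts and two drops, and the listed host can still send through a VALID_SMTP server because that accept rule comes first.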

Mikrotik LB PCC CAL WEIGHT

# Calculates the weight of each internet WAN in a PCC setup
# Work out the ratio yourself
# Enter the WANs in order; if a WAN does not exist, set its value to 0
# lineID:sumonchai
# Page: FB.COM/LJTECHNOLOGY
# If you redistribute this, please include the full credits above; omitting them is considered copyright infringement
{
:local wanp1; :set wanp1 3;
:local wanp2; :set wanp2 2;
:local wanp3; :set wanp3 1;
:local wanp4; :set wanp4 0;
:local sump; :set sump ($wanp1 + $wanp2 + $wanp3 + $wanp4);
:local ca; :set ca $sump;
# Hand out the remainders from (sump - 1) down to 0, one per WAN per pass,
# until each WAN has as many rules as its weight.
# Rules are added disabled in the TEST chain.
:for i from=0 to=$ca do={
:if ($wanp1!=0) do={
/ip firewall mangle add disabled=yes chain=TEST action=mark-connection new-connection-mark=("pcc_1") \
per-connection-classifier=("both-addresses:" . $ca . "/" . ($sump - 1));
:set wanp1 ($wanp1 - 1);
:set sump ($sump - 1);
:log info $wanp1;
:log info $sump
};
:if ($wanp2!=0) do={
/ip firewall mangle add disabled=yes chain=TEST action=mark-connection new-connection-mark=("pcc_2") \
per-connection-classifier=("both-addresses:" . $ca . "/" . ($sump - 1));
:set wanp2 ($wanp2 - 1);
:set sump ($sump - 1);
:log info $wanp2;
:log info $sump
};
:if ($wanp3!=0) do={
/ip firewall mangle add disabled=yes chain=TEST action=mark-connection new-connection-mark=("pcc_3") \
per-connection-classifier=("both-addresses:" . $ca . "/" . ($sump - 1));
:set wanp3 ($wanp3 - 1);
:set sump ($sump - 1);
:log info $wanp3;
:log info $sump
};
:if ($wanp4!=0) do={
/ip firewall mangle add disabled=yes chain=TEST action=mark-connection new-connection-mark=("pcc_4") \
per-connection-classifier=("both-addresses:" . $ca . "/" . ($sump - 1));
:set wanp4 ($wanp4 - 1);
:set sump ($sump - 1);
:log info $wanp4;
:log info $sump
};
};
}