Showing posts with label MikroTik.

Thursday, July 23, 2020

MikroTik Script for Link up down enable disable based on gateway timeout


** Example: two separate links with two gateway IPs. We want to disable or
   enable the concerned interface (ether1 or ether2) when its gateway stops
   answering ping.
    * The gateway is pinged three times, and the script runs once every
      minute (interval = 00:01:00).

ether1 = link1 = interface IP 192.168.1.2, gateway IP 192.168.1.1
ether2 = link2 = interface IP 172.16.1.2, gateway IP 172.16.1.1

Caveat: the probe is sent from the interface's own address, so once ether1
is disabled the probe has no usable source and fails on every later run.
The script can therefore disable the link but never re-enable it by itself.
Disabling the default route that uses the gateway instead of the interface
(as the Netwatch post further down this page does) keeps the probe working
and lets the link recover automatically.

** Go to Winbox -> and click
#System -> Scheduler -> + Add
------------------------------
interval = 00:01:00

# ping once per run and keep the number of replies, instead of pinging twice
:local up [/ping 192.168.1.1 src-address=192.168.1.2 count=3]
:if ($up = 0) do={
    /interface disable ether1
    :log warning "gateway 192.168.1.1 timeout, disabling link1 ether1 interface"
}
:if ($up = 3) do={
    /interface enable ether1
    :log info "link1 gateway reachable, enabling ether1 interface"
}

---------------------------
** Script to check link2
----------------------------
System -> Scheduler -> + Add

interval = 00:01:00

:local up [/ping 172.16.1.1 src-address=172.16.1.2 count=3]
:if ($up = 0) do={
    /interface disable ether2
    :log warning "gateway 172.16.1.1 timeout, disabling link2 ether2 interface"
}
:if ($up = 3) do={
    /interface enable ether2
    :log info "link2 gateway reachable, enabling ether2 interface"
}

------------------------------
#Enjoy## Tayab Khan ###

Wednesday, July 18, 2018

Dude Monitoring server installation, backup and restore




* Dude installation:
---------------------------
* First match the Dude server package version to the RouterOS version:
  for example, if RouterOS is 6.40.8, download the Dude server package
  for 6.40.8 from
  https://mikrotik.com/download

  Also check the router's architecture (mipsle, mipsbe, ppc, x86, mmips,
  arm) and take the package built for it.

* Upload the package to Files and reboot

* /dude set enabled=(yes/no)

* /dude print
         enabled: yes
         data-directory: dude
          status: running

* By default all Dude data is stored on the system disk. To change its
  location use:

* /dude set data-directory=(new_db_path)

* Download the Dude client for Windows to access/monitor/manage the server
  from Windows.

* Connect to the Dude server from the Windows Dude client and configure it
  as required. The Dude server is one more management service listening on
  the router: restrict who can reach it with an input-chain firewall rule,
  the same way WinBox is restricted in the "mac discovery / login disable"
  post further down this page.

** Backup

/dude export-db backup-file=dude-backup-18-7-2018

** Restore

/dude import-db backup-file=dude-backup-18-7-2018

The exported database contains the whole monitoring configuration, including
any device credentials stored in it. Copy it off the router and remove it
from Files afterwards; anyone with read access to Files can download it.



Thursday, July 12, 2018

MikroTik Multiple Gateway redundancy failover by Netwatch and firewall




* Example: two WAN Internet links
ether1 = wan1 = GW IP 192.168.10.1
ether2 = wan2 = GW IP 172.16.1.1

* First make sure each gateway IP is reachable only via its own interface.
  Otherwise Netwatch may ping a gateway through the other link, get an
  answer, and report a dead link as up:

/ip firewall filter add chain=output dst-address=192.168.10.1 out-interface=ether1 action=accept
/ip firewall filter add chain=output dst-address=192.168.10.1 action=drop

/ip firewall filter add chain=output dst-address=172.16.1.1 out-interface=ether2 action=accept
/ip firewall filter add chain=output dst-address=172.16.1.1 action=drop

** Then create the default routes under IP -> Routes with a distance per
   gateway (lower distance = preferred).

** Then create Netwatch entries that check every 5 seconds. The scripts
   below refer to the routes by their list number (0 and 1); numbers shift
   whenever a route is added, so in practice give each route a comment and
   find it by that comment instead.

/tool netwatch add host=192.168.10.1 interval=00:00:05 up-script="/ip route enable 0" down-script="/ip route disable 0"
/tool netwatch add host=172.16.1.1 interval=00:00:05 up-script="/ip route enable 1" down-script="/ip route disable 1"
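The following is an added example, not configuration from the original posts. It combines the probe pinning from this post with the gateway-timeout idea of the "Link up down" post at the top of the page, but toggles routes instead of interfaces so the probe keeps working after a failover, and it adds hysteresis so a single lost ping batch never flips a route. Assumed: WAN1 on ether1 (router 192.168.10.2, gateway 192.168.10.1), WAN2 on ether2 (router 172.16.1.2, gateway 172.16.1.1), default routes tagged with the comments "wan1-default" and "wan2-default", RouterOS v6 syntax. The script body in section 3 is pasted into System -> Scripts; the rest is typed in a terminal.

```routeros
# --- 1. Pin the probes ----------------------------------------------------
# Each gateway may only be reached through its own interface, so a probe can
# never leave via the other link and report a dead gateway as alive.
/ip firewall filter
add chain=output dst-address=192.168.10.1 out-interface=ether1 action=accept comment="gw1 probe only via ether1"
add chain=output dst-address=192.168.10.1 action=drop comment="gw1 never via another link"
add chain=output dst-address=172.16.1.1 out-interface=ether2 action=accept comment="gw2 probe only via ether2"
add chain=output dst-address=172.16.1.1 action=drop comment="gw2 never via another link"

# --- 2. Default routes, selected by comment rather than by list position -----
/ip route
add dst-address=0.0.0.0/0 gateway=192.168.10.1 distance=1 comment="wan1-default"
add dst-address=0.0.0.0/0 gateway=172.16.1.1 distance=2 comment="wan2-default"

# --- 3. Script body: System > Scripts > add, name=gw-failover, policy=read,write,test
# One 3-packet ping batch per link per run. A per-link counter goes up on a
# batch with no replies and down on a batch with all replies. The route is
# disabled when the counter reaches the threshold and re-enabled only when it
# is back at zero, so the link must be good for as many runs as it was bad.
:global gw1Fail
:global gw2Fail
:if ([:typeof $gw1Fail] = "nothing") do={ :set gw1Fail 0 }
:if ([:typeof $gw2Fail] = "nothing") do={ :set gw2Fail 0 }
:local threshold 3

# link 1
:local ok1 [/ping 192.168.10.1 src-address=192.168.10.2 interface=ether1 count=3 interval=1s]
:if ($ok1 = 0) do={ :if ($gw1Fail < $threshold) do={ :set gw1Fail ($gw1Fail + 1) } }
:if ($ok1 = 3) do={ :if ($gw1Fail > 0) do={ :set gw1Fail ($gw1Fail - 1) } }
:local r1 [:pick [/ip route find comment="wan1-default"] 0]
:if ($gw1Fail = $threshold && [/ip route get $r1 disabled] = false) do={
    /ip route disable $r1
    :log warning "gw1 192.168.10.1 failed $threshold runs in a row, wan1-default disabled"
}
:if ($gw1Fail = 0 && [/ip route get $r1 disabled] = true) do={
    /ip route enable $r1
    :log info "gw1 192.168.10.1 stable again, wan1-default enabled"
}

# link 2 (same logic)
:local ok2 [/ping 172.16.1.1 src-address=172.16.1.2 interface=ether2 count=3 interval=1s]
:if ($ok2 = 0) do={ :if ($gw2Fail < $threshold) do={ :set gw2Fail ($gw2Fail + 1) } }
:if ($ok2 = 3) do={ :if ($gw2Fail > 0) do={ :set gw2Fail ($gw2Fail - 1) } }
:local r2 [:pick [/ip route find comment="wan2-default"] 0]
:if ($gw2Fail = $threshold && [/ip route get $r2 disabled] = false) do={
    /ip route disable $r2
    :log warning "gw2 172.16.1.1 failed $threshold runs in a row, wan2-default disabled"
}
:if ($gw2Fail = 0 && [/ip route get $r2 disabled] = true) do={
    /ip route enable $r2
    :log info "gw2 172.16.1.1 stable again, wan2-default enabled"
}

# --- 4. Run the script every 20 seconds ----------------------------------------
/system scheduler
add name=gw-failover interval=20s on-event=gw-failover policy=read,write,test
```

With a 20 s interval and threshold 3 a link is declared down about one minute after its gateway stops answering and is taken back about one minute after it recovers. The interfaces are never disabled, so the connected route to the gateway stays and the probe keeps running while the default route is out; the output-chain drop rules are what make the probe trustworthy. Give the scheduler entry only the policies the script needs (read, write, test); it does not need sensitive, policy or password.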



Sunday, March 25, 2018

Juniper LACP and MikroTik Bonding



Juniper LACP (Aggregation / EtherChannel)
---------------------------------------------
** We want to bundle two ports, ge-0/0/3 and ge-0/0/4, into the LACP bundle ae1

set chassis aggregated-devices ethernet device-count 3

set interfaces ge-0/0/3 ether-options 802.3ad ae1
set interfaces ge-0/0/4 ether-options 802.3ad ae1

set interfaces ae1 description AE-Interface-Tayab
set interfaces ae1 aggregated-ether-options lacp active periodic fast
set interfaces ae1 unit 0 family ethernet-switching interface-mode trunk
set interfaces ae1 unit 0 family ethernet-switching vlan members all

device-count creates ae0 to ae2; it only has to be large enough to include
ae1. "vlan members all" passes every VLAN on the switch to the router; on a
production trunk list only the VLANs the router actually needs.

MikroTik Bonding
------------------------
Go to Interfaces and click Bonding

On the "Bonding" tab add the slave ports and set mode to 802.3ad. Set the
LACP rate to 1sec to match "periodic fast" on the Juniper side, and choose
a transmit hash policy (layer-2-and-3 or layer-3-and-4) so that traffic is
spread over both links instead of all flows landing on one.
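The CLI form of the MikroTik side, as an added example that is not part of the original post. Assumed: ether2 and ether3 of the MikroTik face ge-0/0/3 and ge-0/0/4 of the Juniper, and VLAN 100 is one of the VLANs the Juniper trunk allows; the bond name and VLAN id are placeholders.

```routeros
# The slave ports must carry no IP address or bridge membership of their own;
# everything is configured on the bond (and on VLANs above it).
/interface bonding
add name=bond-juniper slaves=ether2,ether3 mode=802.3ad \
    lacp-rate=1sec transmit-hash-policy=layer-2-and-3 \
    link-monitoring=mii mii-interval=100ms \
    comment="lacp-rate=1sec matches 'periodic fast' on ae1"

# Tagged VLAN on top of the bundle, the equivalent of the Juniper trunk unit
/interface vlan
add name=vlan100-juniper vlan-id=100 interface=bond-juniper

# Check: both slaves should show as active LACP partners of the same system id
/interface bonding monitor bond-juniper once
```

The monitor command prints the LACP partner system id and the active ports; if only one port is listed, the Juniper side is usually still negotiating at the slow rate or one of the ports is not in the ae1 bundle.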






Thursday, May 25, 2017

Facebook and Youtube Block including Mobile APP by MikroTik




We can block Facebook and YouTube for laptops/desktops and also for the
mobile apps: both matchers below look for host names that appear in the
first packets of a connection (HTTP Host header, TLS SNI), and the apps use
the same domains as the browsers.

*** Blocking Facebook

Login to MikroTik via Winbox: go to "IP" -> Firewall -> Layer7 Protocols

+ Add => Name = Facebook,
                Regexp:
^.+(facebook\.com|facebook\.net|fbcdn\.net).*$

(The dots are escaped because an unescaped "." matches any character. The
bare domains already cover apps.facebook.com, m.facebook.com,
login.facebook.com, connect.facebook.net and the other hosts, so the long
list of subdomains is not needed.)

** Now add filter rules for your local network 192.168.1.0/24

IP -> Firewall -> Filter Rules -> Add -> Chain: forward -> Src. Address: 192.168.1.0/24

Advanced -> Layer7 Protocol = Facebook => Action = drop

Layer7 inspects only the first 10 packets (about 2 KB) of each connection
and runs the regex on every connection the rule is applied to; restrict the
rule to TCP ports 80 and 443 so the matcher does not run on all traffic.

*** Blocking YouTube

Go to: IP --> Firewall --> Filter --> Add -> Chain=forward --> Src. Address: 192.168.1.0/24 -> Advanced --> Content="googlevideo", Action=drop

Go to: IP --> Firewall --> Filter --> Add -> Chain=forward --> Src. Address: 192.168.1.0/24 -> Advanced --> Content="youtube", Action=drop

The Content matcher searches each packet's payload for the string. With
HTTPS it only matches when the name is visible in the TLS ClientHello (SNI);
YouTube over QUIC (UDP 443) encrypts the ClientHello and is not caught by
these rules unless UDP 443 is blocked as well.
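The same block as a CLI rule set, added here as an example and not taken from the original post. It puts the cheap TLS SNI matcher first, keeps Layer7 on plain HTTP only, and closes the two gaps the GUI rules leave open (QUIC and clients using their own DNS). Assumed: LAN 192.168.1.0/24 behind the router at 192.168.1.1, RouterOS 6.41 or later for the tls-host matcher; the Layer7 protocol names are placeholders.

```routeros
# Layer7 patterns with escaped dots; bare domains match every subdomain
/ip firewall layer7-protocol
add name=facebook regexp="^.+(facebook\\.com|facebook\\.net|fbcdn\\.net).*\$"
add name=youtube regexp="^.+(youtube\\.com|googlevideo\\.com|ytimg\\.com).*\$"

/ip firewall filter
# HTTPS: match the server name in the TLS ClientHello, no payload scanning.
# tcp-reset makes the apps fail immediately instead of hanging on a timeout.
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=443 tls-host="*facebook.com" action=reject reject-with=tcp-reset comment="facebook https by SNI"
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=443 tls-host="*fbcdn.net" action=reject reject-with=tcp-reset
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=443 tls-host="*youtube.com" action=reject reject-with=tcp-reset comment="youtube https by SNI"
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=443 tls-host="*googlevideo.com" action=reject reject-with=tcp-reset

# Plain HTTP: Layer7 only on port 80, so the regex engine is not run on every
# other connection (it collects the first 10 packets / 2 KB of each one).
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=80 layer7-protocol=facebook action=drop
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=80 layer7-protocol=youtube action=drop

# QUIC carries YouTube over UDP 443 with an encrypted ClientHello; blocking it
# makes the clients fall back to TCP/TLS where the SNI rules apply.
add chain=forward src-address=192.168.1.0/24 protocol=udp dst-port=443 action=drop comment="block QUIC"

# Force the LAN to use the router's resolver so DNS-based controls stay in effect
add chain=forward src-address=192.168.1.0/24 protocol=udp dst-port=53 dst-address-type=!local action=drop comment="LAN DNS only via router"
add chain=forward src-address=192.168.1.0/24 protocol=tcp dst-port=53 dst-address-type=!local action=drop
```

Place these above the generic forward accept rules. The SNI matcher needs the ClientHello in a single TCP segment, which is the normal case, and it cannot see names sent with Encrypted Client Hello or through a VPN; treat the whole set as a usage control for a home or small office, not as a hard security boundary.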


==================== Enjoy ######################################


Saturday, April 1, 2017

MikroTik mac discovery / login disable


Go to Tools -> MAC Server
Click on the WinBox Interfaces tab
By default this is set to all
You can add specific interfaces and disable the "all" entry

OR, using the CLI (pre-6.41 syntax; from 6.41 the per-interface entries are
replaced by an allowed-interface-list setting). MAC WinBox is a separate
entry from MAC telnet and has to be disabled as well:

/tool mac-server
set [find] disabled=yes
/tool mac-server mac-winbox
set [find] disabled=yes
/tool mac-server ping
set enabled=no

OR, control it with the firewall:

/ip firewall filter
add action=drop chain=input comment="Block MikroTik neighbor discovery (MNDP)" disabled=no dst-port=5678 protocol=udp
add action=drop chain=input comment="Drop MAC-telnet and MAC-WinBox (UDP 20561)" disabled=no dst-port=20561 protocol=udp
add action=drop chain=input comment="Drop WinBox except from my PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6

These drop rules must sit above any generic accept rule in the input chain.
The discovery rule only stops inbound discovery packets: the router keeps
announcing its identity and version on every interface until discovery is
switched off under IP -> Neighbors -> Discovery Interfaces.
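A complete management-plane lockdown in the same spirit, added here as an example and not part of the original post: it disables the layer-2 services and discovery at the source rather than only filtering them, restricts the IP services, and puts the post's three drop rules into an input chain that ends in a default drop. Assumed: management hosts 192.168.2.6 (from the post) and 192.168.2.7, LAN 192.168.2.0/24 on ether2, RouterOS 6.41 or later for interface lists. Apply it from a console or a session you can recover, because a wrong address list locks you out.

```routeros
# Management hosts in one list; every rule below refers to it
/ip firewall address-list
add list=mgmt address=192.168.2.6 comment="admin PC"
add list=mgmt address=192.168.2.7 comment="jump host"

# Layer-2 management (MAC-telnet, MAC-WinBox, MAC-ping) answers to anyone on
# the segment before the IP firewall is consulted, so turn it off entirely
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no

# Neighbor discovery (MNDP/CDP/LLDP) advertises model, version and identity;
# stop sending it on all interfaces
/ip neighbor discovery-settings set discover-interface-list=none

# The bandwidth-test server is a free load generator for anyone who reaches it
/tool bandwidth-server set enabled=no

# IP services: keep SSH and WinBox only, bound to the management subnet
/ip service disable [find name~"^(telnet|ftp|www|api|api-ssl)\$"]
/ip service set ssh address=192.168.2.0/24 port=22
/ip service set winbox address=192.168.2.0/24

# Input chain: state first, then management from the list, then explicit
# drops for the ports from the post, then DNS for the LAN, then drop the rest
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input connection-state=invalid action=drop
add chain=input protocol=icmp limit=20,5:packet action=accept comment="rate-limited ping"
add chain=input src-address-list=mgmt protocol=tcp dst-port=22,8291 action=accept comment="ssh/winbox from mgmt only"
add chain=input protocol=udp dst-port=5678 action=drop comment="neighbor discovery"
add chain=input protocol=udp dst-port=20561 action=drop comment="MAC-telnet / MAC-WinBox"
add chain=input protocol=tcp dst-port=8291 action=drop comment="winbox from anyone else"
add chain=input in-interface=ether2 src-address=192.168.2.0/24 protocol=udp dst-port=53 action=accept comment="LAN DNS"
add chain=input in-interface=ether2 src-address=192.168.2.0/24 protocol=tcp dst-port=53 action=accept
add chain=input action=drop comment="default deny for the router itself"
```

The service-level address restriction and the firewall list overlap on purpose: if one of them is loosened by mistake the other still holds. Verify with `/ip service print` and `/tool mac-server print` after applying, and from a non-management host confirm that `winbox` and MAC-telnet no longer connect.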

Wednesday, February 15, 2017

EOIP Tunnel MTU size Problem



If we create an EoIP tunnel between MikroTik routers we may face problems
such as web pages not loading, because of the MTU.

Set the MTU of the EoIP tunnel interface manually to 1500 to avoid this:

>> Click Interfaces -->> click the EoIP tunnel --> set MTU = 1500

The EoIP header adds its own overhead on top of the inner 1500-byte frame,
so the transport path between the two routers has to carry packets larger
than 1500 bytes or the tunnel packets get fragmented on the way.



Wednesday, January 11, 2017

MikroTik Script to Add Multiple Queue with a Single command



We can use PCQ to share one queue among many users, but there is another
way to add many simple queues with a single command.

Go to -->> "New Terminal"

:for i from=2 to=254 do={/queue simple add name="$i" target="192.168.1.$i/32" max-limit=512k/512k}

*** This creates 253 queues for 192.168.1.2 to 192.168.1.254, each limited
    to 512k up/down.

*** If you want to put the whole /24 of addresses on one interface, ether5:

:for i from=2 to=254 do={/ip address add address="172.16.1.$i/24" network=172.16.1.0 interface=ether5}

*** For older RouterOS versions use the concatenation form below:

:for e from=2 to=254 do={/ip address add address=("172.16.1." . $e . "/24") network=172.16.1.0 interface=ether5}


####################### Enjoy ####################

Friday, November 4, 2016

MikroTik Queue Graph by Cacti


*** Cacti graphs (MRTG style) for MikroTik

Download the zip file, unzip it and upload each file to the matching Cacti directory:

1. zipdir/scripts/mikrotik_wireless_interfaces.php -> /usr/share/cacti/scripts/mikrotik_wireless_interfaces.php
2. zipdir/scripts/mikrotik_ppp_connections.php -> /usr/share/cacti/scripts/mikrotik_ppp_connections.php
3. zipdir/resources/script_server/mikrotik_wireless_interfaces.xml -> /usr/share/cacti/resources/script_server/mikrotik_wireless_interfaces.xml
4. zipdir/resources/snmp_queries/mikrotik_queue_simple.xml -> /usr/share/cacti/resources/snmp_queries/mikrotik_queue_simple.xml
5. zipdir/resources/snmp_queries/mikrotik_queue_tree.xml -> /usr/share/cacti/resources/snmp_queries/mikrotik_queue_tree.xml
6. zipdir/resources/snmp_queries/mikrotik_wireless_client.xml -> /usr/share/cacti/resources/snmp_queries/mikrotik_wireless_client.xml

Finally import the template "cacti_host_template_mikrotik.xml" from the Cacti admin web login.

The queries are plain SNMP: create a read-only community on the router,
restrict it to the Cacti host's address, and do not reuse the default
"public" community.




https://dl.dropboxusercontent.com/u/16618107/cacti-mikrotik-queue.rar

Saturday, September 24, 2016

L2 Loop Protection on MikroTik interface


We can use the MikroTik "Loop Protect" feature.
Loop protect prevents Layer 2 loops by sending loop-protect protocol packets
and shutting down an interface when it receives its own loop-protect packets
back.

GOTO Terminal: enabling loop protection on an Ethernet port

/interface ethernet set ether2 loop-protect=on

*** Three values: "on", "off" and "default"; "default" behaves as off on
    Ethernet and VLAN interfaces.
*** [The interface can also be given by its number; use '/interface print'
    to see the numbers]

** It can be used on a VLAN interface as well

/interface vlan set vlan3 loop-protect=on

loop-protect-send-interval (time interval; Default: 5s)
Sets how often loop protect packets are sent on the selected interface.

loop-protect-disable-time (time interval | 0; Default: 5m)
Sets how long the selected interface stays disabled when a loop is detected. 0 - forever.



Block YouTube Traffic by MikroTik



Login via Winbox:
Go to: IP --> Firewall --> Filter --> Add -> Chain=forward --> Advanced --> Content="googlevideo",

Action=drop

Without a Src. Address the rule applies to every host the router forwards
for; add the LAN subnet if only one network should be affected.

============

Saturday, July 23, 2016

MikroTik Schedule reboot Script



/system scheduler
add comment="Reboot every 1 hour" disabled=no interval=1h name=Reboot1hour on-event=\
    "/system reboot" policy=reboot start-date=jul/23/2016 start-time=08:00:00

The scheduler entry runs its on-event with the policies listed; "/system
reboot" only needs the reboot policy, so do not grant write, policy,
password or sensitive to it. A scheduled job that carries those rights is
a ready-made privilege escalation for anyone who can edit its on-event.

Tuesday, March 8, 2016

MikroTik Interface Traffic Shape



/queue simple
add name="Limit ether1" target=ether1 limit-at=256k/256k max-limit=256k/256k \
    queue=default-small/default-small priority=8/8

(This is the v6 form; the original was a queue printed in v5 syntax, with
dst-address=0.0.0.0/0 interface=ether1 direction=both, which limits both
directions on ether1 to 256k in the same way.)
  

Thursday, December 24, 2015

Denial-of-service (DoS) attack protection by MikroTik


A denial-of-service (DoS) attack is an attempt to make a machine or network
resource unavailable to its intended users, for example by temporarily or
indefinitely interrupting the services of a host connected to the Internet.

One way to protect the router itself with MikroTik is:

Limit incoming connections
An address with too many connections is added to an address list and blocked.

/ip firewall filter add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d

/ip firewall filter add chain=input protocol=tcp src-address-list=blocked-addr connection-limit=3,32 action=tarpit


Description:
connection-limit=100,32 means a maximum of 100 connections per source /32.
The limit should be 100 or higher, as many services use multiple
connections (HTTP, torrent and other P2P programs).
add-src-to-address-list is a passthrough action, so the packet goes on to the
next rule; keep both rules above the generic accept rules of the input chain.
Action tarpit: instead of simply dropping the attacker's packets
(action=drop) the router accepts and holds the connections, and with a
powerful enough router this ties the attacker up. Tarpit keeps state for
every held connection, so on a small router it can itself exhaust memory.
These rules count connections per real source address; a SYN flood from
spoofed sources is not caught by them (see SYN cookies below).
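An added example, not from the original post, extending the two rules above into a small input-chain DoS set: the post's LIMIT placeholder is set to its suggested value of 100, SYN cookies cover the spoofed-source case that per-IP connection limits cannot, and a SYN rate limit bounds how many new handshakes per second the router will start. The thresholds (200 SYN/s with burst 5, 1 day on the block list) are assumptions to tune per link; RouterOS v6 syntax.

```routeros
# Kernel side first: with SYN cookies the router does not keep half-open state
# per spoofed source, which connection-limit (per real source IP) never counts
/ip settings set tcp-syncookies=yes

/ip firewall filter
# Already-blocked sources go to the tarpit before anything else is evaluated
add chain=input protocol=tcp src-address-list=blocked-addr action=tarpit comment="hold known abusers"

# More than 100 concurrent TCP connections from one /32 puts that source on
# the block list for a day; add-src-to-address-list is passthrough, so the
# packet continues to the rules below
add chain=input protocol=tcp connection-limit=100,32 action=add-src-to-address-list address-list=blocked-addr address-list-timeout=1d comment="too many connections per IP"

# SYN budget for new connections to the router itself: accept up to 200 SYN/s
# (burst 5), drop the excess rather than queue it
add chain=input protocol=tcp tcp-flags=syn connection-state=new action=jump jump-target=syn-protect
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new limit=200,5:packet action=accept comment="within SYN budget"
add chain=syn-protect protocol=tcp tcp-flags=syn connection-state=new action=drop comment="SYN flood excess"
```

Watch `/ip firewall address-list print where list=blocked-addr` for a while before enabling the tarpit rule on a production router: a monitoring host or a NAT gateway in front of many users can legitimately exceed 100 connections and would be blocked for a day. These rules protect only the router (chain=input); the same pattern in chain=forward with dst-address set protects a server behind it.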

NAT with MikroTik ( One to One Mapping)


Using Multiple Public IP to NAT private IP addresses


If a server uses a private IP and has to be reachable from the Internet, we
set up a 1:1 mapping. Below is the configuration; change the public IPs,
private IPs and WAN interface name to match your setup.

Say we have 4 public IP addresses 10.10.55.171 to 10.10.55.174 (placeholders
standing in for the real public block) and we want to map them 1:1 to the
private addresses 192.168.123.71 to 192.168.123.74.


/ip address add address=10.10.55.171/32 interface=wan
/ip address add address=10.10.55.172/32 interface=wan
/ip address add address=10.10.55.173/32 interface=wan
/ip address add address=10.10.55.174/32 interface=wan

/ip firewall nat add chain=dstnat dst-address=10.10.55.171 action=dst-nat to-addresses=192.168.123.71
/ip firewall nat add chain=dstnat dst-address=10.10.55.172 action=dst-nat to-addresses=192.168.123.72
/ip firewall nat add chain=dstnat dst-address=10.10.55.173 action=dst-nat to-addresses=192.168.123.73
/ip firewall nat add chain=dstnat dst-address=10.10.55.174 action=dst-nat to-addresses=192.168.123.74

/ip firewall nat add chain=srcnat src-address=192.168.123.71 action=src-nat to-addresses=10.10.55.171
/ip firewall nat add chain=srcnat src-address=192.168.123.72 action=src-nat to-addresses=10.10.55.172
/ip firewall nat add chain=srcnat src-address=192.168.123.73 action=src-nat to-addresses=10.10.55.173
/ip firewall nat add chain=srcnat src-address=192.168.123.74 action=src-nat to-addresses=10.10.55.174

A 1:1 mapping without a matching forward-chain filter exposes every
listening port of each internal host to the Internet; allow only the
services the hosts actually publish.
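The same mapping with the netmap action, which is the 1:1 action RouterOS provides, plus the forward-chain filter that a 1:1 mapping needs. This is an added example, not configuration from the original post. Assumed: the same placeholder public block 10.10.55.171-174 and private hosts 192.168.123.71-74, WAN interface "wan", and that the hosts only publish TCP 80 and 443; RouterOS v6 syntax.

```routeros
/ip address
add address=10.10.55.171/32 interface=wan
add address=10.10.55.172/32 interface=wan
add address=10.10.55.173/32 interface=wan
add address=10.10.55.174/32 interface=wan

# netmap maps a range onto a range of the same size, keeping .171<->.71,
# .172<->.72 and so on: one rule per direction instead of eight
/ip firewall nat
add chain=dstnat in-interface=wan dst-address=10.10.55.171-10.10.55.174 action=netmap to-addresses=192.168.123.71-192.168.123.74 comment="1:1 inbound"
add chain=srcnat out-interface=wan src-address=192.168.123.71-192.168.123.74 action=netmap to-addresses=10.10.55.171-10.10.55.174 comment="1:1 outbound"

# Forward chain: only the published services may reach the mapped hosts from
# the Internet. The forward chain sees the already-translated private
# destination, so the rules match on 192.168.123.x.
/ip firewall filter
add chain=forward connection-state=established,related action=accept
add chain=forward connection-state=invalid action=drop
add chain=forward in-interface=wan connection-nat-state=dstnat dst-address=192.168.123.71-192.168.123.74 protocol=tcp dst-port=80,443 action=accept comment="published services only"
add chain=forward in-interface=wan connection-nat-state=dstnat action=drop comment="any other inbound to mapped hosts"
add chain=forward in-interface=wan connection-state=new action=drop comment="nothing else from the Internet"
```

Check it from outside with a port scan of one public address: only 80 and 443 should answer, and `/ip firewall connection print where dst-address~"192.168.123"` shows the translated sessions. Anything the hosts must reach out to (updates, mail) still works because the outbound netmap plus the established/related rule cover it.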

MikroTik Backup Auto/Schedule Send to EMAIL



Go to: Tools -> Email
SMTP server: mail.tayabkhan.com
port: 25
from: tayab@tayabkhan.com

Port 25 without authentication or TLS sends the backup in clear text, and a
binary backup contains every credential on the router (user passwords, PPP
secrets, wireless keys). Use the relay's authenticated submission port with
STARTTLS if it offers one, and an encrypted backup.

Here we create a schedule that sends a backup to the e-mail address every
day; it starts at 8:01 PM (20:01:00) each day.

Go to: System -> Scheduler

Name: mail full backup
Start time: 20:01:00
Interval: 1d 00:00:00

/system backup save name=emailback
/tool e-mail send file=emailback.backup to="tayab@tayabkhan.com" body="Backup of Mikrotik" subject="$[/system identity get name] $[/system clock get time] $[/system clock get date] Backup"

The scheduler entry needs read, write, test and sensitive policies for
these two commands; do not grant it more than that.
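A hardened version of this job, as an added example that is not part of the original post. It also covers the Dude post higher up the page: one scheduled script produces an encrypted binary backup, a readable export with secrets hidden, and the Dude database when the package is installed, mails them over an authenticated STARTTLS session, and deletes the files from the router afterwards. Assumed: the relay mail.tayabkhan.com accepts submission on port 587 with STARTTLS, an account backup@tayabkhan.com exists for it, the backup password and the e-mail password are placeholders, and RouterOS v6 syntax (`start-tls=yes`; v7 spells this `tls=starttls`).

```routeros
# Mail settings: authenticated submission with STARTTLS instead of cleartext port 25
/tool e-mail set address=mail.tayabkhan.com port=587 start-tls=yes \
    from="router@tayabkhan.com" user="backup@tayabkhan.com" password="CHANGE-ME-MAIL"

# --- script body: System > Scripts, name=backup-mail, policy=read,write,test,sensitive
:local id [/system identity get name]
:local when ([/system clock get date] . " " . [/system clock get time])
:local file ("bk-" . $id)

# 1. encrypted binary backup: full restore image, unreadable without the password
/system backup save name=$file password="CHANGE-ME-BACKUP" encryption=aes-sha256
# 2. text export with secrets hidden: safe to diff and review
/export hide-sensitive file=$file
# 3. Dude database, only when the Dude package is present
:if ([:len [/system package find name="dude"]] > 0) do={
    /dude export-db backup-file=($file . "-dude")
}

# collect every file the run produced, whatever extension each command gave it
:local attach [:toarray ""]
:foreach f in=[/file find name~("^" . $file)] do={
    :set attach ($attach, [/file get $f name])
}
/tool e-mail send to="tayab@tayabkhan.com" \
    subject=("Backup " . $id . " " . $when) \
    body="Encrypted .backup, export without secrets, Dude DB if installed" \
    file=$attach
:log info ("backup-mail: sent " . [:len $attach] . " files for " . $id)

# e-mail send returns before the transfer finishes; give it time, then remove
# the files so they cannot be fetched from Files by anyone with read access
:delay 30s
/file remove [find name~("^" . $file)]

# --- scheduler: every day at 20:01, with exactly the policies the script uses
/system scheduler
add name=backup-mail interval=1d start-time=20:01:00 on-event=backup-mail \
    policy=read,write,test,sensitive
```

The two passwords live in the script source and in the e-mail settings, which anyone with the read and sensitive policies can display; keep admin accounts that have those policies to a minimum, and store the backup password outside the router, because without it the .backup file cannot be restored. For the Dude post the same `/dude export-db` call can be scheduled on its own with policy read,write,test if the full backup is not wanted.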

Mail SPAM detect by MikroTik


We need to create two firewall filter rules:


/ip firewall filter

add chain=forward protocol=tcp dst-port=25 src-address-list=suspectedspambot \
    action=drop comment="Drop traffic from those on the suspect list"

add chain=forward protocol=tcp dst-port=25 \
    connection-limit=10,32 \
    action=add-src-to-address-list \
    address-list=suspectedspambot \
    address-list-timeout=2d \
    comment="More than 10 simultaneous connections looks like a spammer"


The operation of this approach is quite simple. The first rule simply drops any SMTP connection attempt from anyone found in the address list called "suspectedspambot". The second rule is the one that does the work of actually detecting spammers: it watches SMTP connections and, if the count of simultaneous connections from a single IP (/32) goes above 10, the source address of that packet is added to the "suspectedspambot" list. On the next connection attempt the packet is dropped. The only problem with this approach is that it assumes there are NO mail servers that may legitimately send more than 10 e-mails at a time. If there are, create another address list called "smtpservers" and add the following rule ABOVE the first (drop) rule:



add chain=forward protocol=tcp dst-port=25 \

       src-address-list=smtpservers action=accept \

       comment="Allow known smtp servers to send email"



This would allow your known mail servers to send email without fear of being “caught” and tagged as a spam source. One further comment on these rules. This set of rules does not take into account smtp traffic that is going TO your mail server. I will leave that fix as an exercise for the reader. If one of your customers is “tagged” as a suspected spambot, you will find their IP address in the address list and can begin troubleshooting from there.

Wednesday, May 13, 2015

Mikrotik Load Balance by two uplinks



Two uplinks:
1. ISP1-A
2. ISP2-B

Two LANs, both connected on a single interface:
1. 192.168.50.0/24   to use ISP1-A
2. 172.16.50.0/24    to use ISP2-B

Steps:
3. Create NAT for the two LANs
4. Create mangle rules that mark routing separately per LAN
5. Create default routes with the routing marks at distance 1,
   and routes for failover at distance 10
6. Assign queues
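The outline above written out as configuration (steps 3 to 5; queues are left to the queue posts on this page). This is an added example and not configuration from the original post. Assumed: both LANs on ether3, ISP1-A gateway 10.1.1.1 on ether1, ISP2-B gateway 10.2.2.1 on ether2, RouterOS v6 routing-mark behaviour.

```routeros
# 3. NAT: each LAN masquerades on whichever uplink it leaves through, so the
#    failover path is NATed too
/ip firewall nat
add chain=srcnat src-address=192.168.50.0/24 out-interface=ether1 action=masquerade
add chain=srcnat src-address=192.168.50.0/24 out-interface=ether2 action=masquerade comment="lan1 failover"
add chain=srcnat src-address=172.16.50.0/24 out-interface=ether2 action=masquerade
add chain=srcnat src-address=172.16.50.0/24 out-interface=ether1 action=masquerade comment="lan2 failover"

# 4. Mangle: mark routing per LAN. A marked packet is looked up in its own
#    routing table, where only default routes exist, so traffic between the
#    two LANs (and to the router's own subnets) must be accepted first or it
#    would be sent to the ISP instead of the other LAN.
/ip firewall mangle
add chain=prerouting src-address=192.168.50.0/24 dst-address=172.16.50.0/24 action=accept comment="lan1 -> lan2 stays local"
add chain=prerouting src-address=172.16.50.0/24 dst-address=192.168.50.0/24 action=accept comment="lan2 -> lan1 stays local"
add chain=prerouting src-address=192.168.50.0/24 dst-address-type=!local action=mark-routing new-routing-mark=via-isp1 passthrough=no
add chain=prerouting src-address=172.16.50.0/24 dst-address-type=!local action=mark-routing new-routing-mark=via-isp2 passthrough=no

# 5. Routes: preferred uplink per mark at distance 1, the other uplink in the
#    same table at distance 10 as failover; check-gateway=ping withdraws a
#    route whose gateway stops answering, which is what makes failover happen
/ip route
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=via-isp1 distance=1 check-gateway=ping comment="lan1 preferred"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=via-isp1 distance=10 check-gateway=ping comment="lan1 failover"
add dst-address=0.0.0.0/0 gateway=10.2.2.1 routing-mark=via-isp2 distance=1 check-gateway=ping comment="lan2 preferred"
add dst-address=0.0.0.0/0 gateway=10.1.1.1 routing-mark=via-isp2 distance=10 check-gateway=ping comment="lan2 failover"
# main table for the router's own traffic
add dst-address=0.0.0.0/0 gateway=10.1.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=10.2.2.1 distance=2 check-gateway=ping
```

Test it by pulling the cable on ether1: `/ip route print` should show the lan1-preferred route losing its active flag and a traceroute from a 192.168.50.x host should now leave via 10.2.2.1, while a ping between the two LANs never leaves the router. check-gateway only probes the next hop; an ISP whose gateway answers while its upstream is broken is not detected by it, which is the gap the scripted probe examples on this page close.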



=========================================================


Another two methods of load balancing given bellow:

Dual WAN LoadBalancing PCC Method

/ip address
add address=192.168.0.1/24 network=192.168.0.0 broadcast=192.168.0.255 interface=Local
add address=192.168.1.2/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1
add address=192.168.2.2/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=5000KiB max-udp-packet-size=4096 servers=221.132.112.8,8.8.8.8

(allow-remote-requests=yes makes the router answer DNS for anyone who can
reach it, including the Internet side of WAN1 and WAN2, so the input chain
must drop UDP/TCP 53 arriving on those interfaces or the router becomes an
open resolver usable for amplification. max-udp-packet-size=512 truncates
EDNS and DNSSEC answers; 4096 is the RouterOS default.)

/ip firewall mangle
add chain=input in-interface=WAN1 action=mark-connection new-connection-mark=WAN1_conn
add chain=input in-interface=WAN2 action=mark-connection new-connection-mark=WAN2_conn

add chain=output connection-mark=WAN1_conn action=mark-routing new-routing-mark=to_WAN1
add chain=output connection-mark=WAN2_conn action=mark-routing new-routing-mark=to_WAN2

add chain=prerouting dst-address=192.168.1.0/24 action=accept in-interface=Local
add chain=prerouting dst-address=192.168.2.0/24 action=accept in-interface=Local

add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/0 action=mark-connection new-connection-mark=WAN1_conn passthrough=yes
add chain=prerouting dst-address-type=!local in-interface=Local per-connection-classifier=both-addresses-and-ports:2/1 action=mark-connection new-connection-mark=WAN2_conn passthrough=yes

add chain=prerouting connection-mark=WAN1_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN1
add chain=prerouting connection-mark=WAN2_conn in-interface=Local action=mark-routing new-routing-mark=to_WAN2

/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 routing-mark=to_WAN1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 routing-mark=to_WAN2 check-gateway=ping

add dst-address=0.0.0.0/0 gateway=192.168.1.1 distance=1 check-gateway=ping
add dst-address=0.0.0.0/0 gateway=192.168.2.1 distance=2 check-gateway=ping

/ip firewall nat
add chain=srcnat out-interface=WAN1 action=masquerade
add chain=srcnat out-interface=WAN2 action=masquerade


Dual WAN load balancing, nth method (the first mangle rule takes every second
new connection, its mark-routing rule ends processing with passthrough=no, and
the third rule with nth=1,1 takes every new connection that is left, so the
two halves alternate)

/ip address
add address=192.168.1.3/24 network=192.168.1.0 broadcast=192.168.1.255 interface=WAN1 comment="" disabled=no
add address=192.168.2.3/24 network=192.168.2.0 broadcast=192.168.2.255 interface=WAN2 comment="" disabled=no
add address=10.10.0.1/24 network=10.10.0.0 broadcast=10.10.0.255 interface=internal comment="" disabled=no

/ip firewall mangle
add chain=prerouting in-interface=internal connection-state=new nth=2,1 action=mark-connection new-connection-mark=conn1 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=internal connection-mark=conn1 action=mark-routing new-routing-mark=conn1 passthrough=no comment="" disabled=no
add chain=prerouting in-interface=internal connection-state=new nth=1,1 action=mark-connection new-connection-mark=conn2 passthrough=yes comment="" disabled=no
add chain=prerouting in-interface=internal connection-mark=conn2 action=mark-routing new-routing-mark=conn2 passthrough=no comment="" disabled=no


/ip firewall nat
add chain=srcnat connection-mark=conn1 action=masquerade out-interface=WAN1 comment="" disabled=no
add chain=srcnat connection-mark=conn2 action=masquerade out-interface=WAN2 comment="" disabled=no


/ip route
add dst-address=0.0.0.0/0 gateway=192.168.1.1 scope=255 target-scope=10 routing-mark=conn1 comment="" disabled=no
add dst-address=0.0.0.0/0 gateway=192.168.2.1 scope=255 target-scope=10 routing-mark=conn2 comment="" disabled=no


Tuesday, February 10, 2015

Mikrotik backup restore export import individual modules/configurations


We can export any individual part of the configuration and restore it on
another device.

Here I export firewall filter rules, address lists, ARP entries and DHCP
leases:

/ip firewall filter export file=filter-rules
/ip firewall address-list export file=addresslist
/ip arp export file=arplist

/ip dhcp-server lease export file=dhcp-lease-all

Each command writes a plain-text .rsc file with the commands that recreate
that section. Exports of sections that hold secrets (PPP, SNMP, wireless)
should use "export hide-sensitive" unless the secrets are meant to travel.

Now click the "Files" tab of MikroTik

Copy and paste the files to your desktop or desired local drive


Restore
======
Login to the other MikroTik and click Files
Copy the files from your local drive and paste them here

An exported .rsc file is applied from the terminal with
"/import file-name=filter-rules.rsc"; the Restore button in Files is for
binary .backup files only and does not work on exports. Read the file
before importing: it runs as the user importing it, and it re-adds every
rule in it even when the same rules already exist.


==============================================

Wednesday, November 26, 2014

MAC based filter by Mikrotik


##################################################
Select the LAN interface of the clients

# Click "Interfaces" ->> double-click ether-LAN ->> change ARP to "reply-only"

# Disable the IP-based allow/deny firewall rules for that LAN

# Click "IP" ->> "ARP" ->> add the local IP and MAC addresses of the clients

With ARP set to reply-only the router answers ARP only for the static
entries and never learns a MAC dynamically, so a host that is not in the
table cannot talk to the router. A MAC address is trivially copied, so this
is hygiene against unplanned devices, not authentication.
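The three WinBox steps as CLI, as an added example that is not part of the original post, with the DHCP and firewall pieces that keep the static ARP table manageable and add a second check. Assumed: client LAN 192.168.1.0/24 on ether2, a DHCP server already bound to ether2, and two clients whose MAC addresses are placeholders; RouterOS v6 syntax.

```routeros
# 1. reply-only: answer ARP only for static entries, never learn dynamically
/interface ethernet set ether2 arp=reply-only

# 2. static IP <-> MAC pairs for the allowed clients
/ip arp
add address=192.168.1.10 mac-address=00:11:22:33:44:55 interface=ether2 comment="pc-alice"
add address=192.168.1.11 mac-address=00:11:22:33:44:66 interface=ether2 comment="pc-bob"

# 3. DHCP hands out addresses only to static leases and adds the ARP entry for
#    each lease itself; without static-only, add-arp=yes would re-admit any
#    unknown device that asks for a lease
/ip dhcp-server set [find interface=ether2] add-arp=yes address-pool=static-only
/ip dhcp-server lease
add address=192.168.1.10 mac-address=00:11:22:33:44:55 comment="pc-alice"
add address=192.168.1.11 mac-address=00:11:22:33:44:66 comment="pc-bob"

# 4. Second check in the forward chain: ARP control only decides who can talk
#    to the router; this drops a listed IP that shows up from a different MAC
/ip firewall filter
add chain=forward in-interface=ether2 src-address=192.168.1.10 src-mac-address=!00:11:22:33:44:55 action=drop comment="pc-alice IP from wrong MAC"
add chain=forward in-interface=ether2 src-address=192.168.1.11 src-mac-address=!00:11:22:33:44:66 action=drop comment="pc-bob IP from wrong MAC"
```

Switch ARP to reply-only last, after the static entries exist, or every current client loses the router at once. `/ip arp print where interface=ether2` should then show only static (non-dynamic) entries, and a device with an unlisted MAC gets no DHCP lease and no ARP reply.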


=========================================