MikroTik RB750 initial script
by iam8up on May.07, 2010, under mikrotik
#| ether1 is renamed ether1-gateway, rest of interfaces are switched
#| IP address 192.168.88.1/24 is on switch
#| DHCP client is on ether1-gateway
#| DHCP server is on switch, with address pool 192.168.88.10-192.168.88.254
#| masquerade on ether1-gateway
:global action
# these commands are executed after installation or configuration reset
:if ($action = "apply") do={
/interface set ether1 name=ether1-gateway
/interface set ether2 name=ether2-local-master
/interface set ether3 name=ether3-local-slave
/interface set ether4 name=ether4-local-slave
/interface set ether5 name=ether5-local-slave
/interface ethernet set ether3-local-slave master-port=ether2-local-master
/interface ethernet set ether4-local-slave master-port=ether2-local-master
/interface ethernet set ether5-local-slave master-port=ether2-local-master
/ip address add address=192.168.88.1/24 interface=ether2-local-master comment="default configuration"
:if ([:len [/system package find name="dhcp" !disabled]] != 0) do={
/ip dhcp-client add interface=ether1-gateway disabled=no comment="default configuration";
/ip pool add name=default-dhcp ranges=192.168.88.10-192.168.88.254;
/ip dhcp-server add name=default address-pool=default-dhcp interface=ether2-local-master disabled=no;
/ip dhcp-server network add address=192.168.88.0/24 gateway=192.168.88.1 dns-server=192.168.88.1 comment="default configuration";
}
/ip firewall {
filter add chain=input action=accept protocol=icmp comment="default configuration"
filter add chain=input action=accept connection-state=established in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=accept connection-state=related in-interface=ether1-gateway comment="default configuration"
filter add chain=input action=drop in-interface=ether1-gateway comment="default configuration"
nat add chain=srcnat out-interface=ether1-gateway action=masquerade comment="default configuration"
}
/ip dns {
set allow-remote-requests=yes
static add name=router address=192.168.88.1
}
/tool mac-server remove [find]
/tool mac-server add interface=ether2-local-master disabled=no
/tool mac-server add interface=ether3-local-slave disabled=no
/tool mac-server add interface=ether4-local-slave disabled=no
/tool mac-server add interface=ether5-local-slave disabled=no
/tool mac-server mac-winbox disable [find]
/tool mac-server mac-winbox add interface=ether2-local-master disabled=no
/tool mac-server mac-winbox add interface=ether3-local-slave disabled=no
/tool mac-server mac-winbox add interface=ether4-local-slave disabled=no
/tool mac-server mac-winbox add interface=ether5-local-slave disabled=no
/ip neighbor discovery set [find name=ether1-gateway] discover=no
}
# these commands are executed if user requests to remove default configuration
:if ($action = "revert") do={
/ip firewall {
:local o [nat find comment="default configuration"]
:if ([:len $o] != 0) do={ nat remove $o }
:local o [filter find comment="default configuration"]
:if ([:len $o] != 0) do={ filter remove $o }
}
:if ([:len [/system package find name="dhcp" !disabled]] != 0) do={
:local o [/ip dhcp-server network find comment="default configuration"]
:if ([:len $o] != 0) do={ /ip dhcp-server network remove $o }
:local o [/ip dhcp-server find name="default" address-pool="default-dhcp" interface=ether2-local-master !disabled]
:if ([:len $o] != 0) do={ /ip dhcp-server remove $o }
/ip pool {
:local o [find name=default-dhcp ranges=192.168.88.10-192.168.88.254]
:if ([:len $o] != 0) do={ remove $o }
}
:local o [/ip dhcp-client find comment="default configuration"]
:if ([:len $o] != 0) do={ /ip dhcp-client remove $o }
}
/ip dns {
set allow-remote-requests=no
:local o [static find name=router address=192.168.88.1]
:if ([:len $o] != 0) do={ static remove $o }
}
/ip address {
:local o [find comment="default configuration"]
:if ([:len $o] != 0) do={ remove $o }
}
/tool mac-server remove [find]
/tool mac-server add interface=all disabled=no
/tool mac-server mac-winbox remove [find interface!=all]
/tool mac-server mac-winbox set [find] disabled=no
/ip neighbor discovery set [find name=ether1-gateway] discover=yes
/interface ethernet set ether3-local-slave master-port=none
/interface ethernet set ether4-local-slave master-port=none
/interface ethernet set ether5-local-slave master-port=none
/interface set ether1-gateway name=ether1
/interface set ether2-local-master name=ether2
/interface set ether3-local-slave name=ether3
/interface set ether4-local-slave name=ether4
/interface set ether5-local-slave name=ether5
}
Redirect delinquent users using MikroTik
by iam8up on May.04, 2010, under mikrotik
UPDATE: Christopher Tyler of Total Wireless Communications pointed out DNS can’t be done. Whoopsy daisy!
You will find three rules that have WEBSERVERIP. This must be the IP (not the DNS name) of the webserver. This means the default vhost or the only directory of your Apache server must be the redirect page.
The firewall filter rules allow traffic between the customer's /32 (any address on the nonpayment list) and the web server on 80/tcp and 443/tcp, allow DNS so the redirect target can still be resolved, and then drop everything else coming from those addresses. Rules are matched in order, so these must sit above any general accept rule already in your forward chain.
/ip firewall filter
add action=accept chain=forward comment="allow nonpayment http to bmu" \
    disabled=no dst-address=WEBSERVERIP port=80 protocol=tcp \
    src-address-list=nonpayment
add action=accept chain=forward comment="allow nonpayment https to bmu" \
    disabled=no dst-address=WEBSERVERIP port=443 protocol=tcp \
    src-address-list=nonpayment
# thankschris
add action=accept chain=forward comment="allow dns" disabled=no protocol=udp \
    port=53
add action=accept chain=forward comment="allow dns" disabled=no protocol=tcp \
    port=53
# end thankschris
add action=drop chain=forward comment="drop nonpayment tcp traffic" disabled=no \
    protocol=tcp src-address-list=nonpayment
add action=drop chain=forward comment="drop nonpayment udp traffic" disabled=no \
    protocol=udp src-address-list=nonpayment
This does the redirecting work. It takes every HTTP request from an address on the nonpayment list and dst-nats it to the web server.
/ip firewall nat
add action=dst-nat chain=dstnat comment="redirect nonpayment http" disabled=no \
    port=80 protocol=tcp src-address-list=nonpayment to-addresses=WEBSERVERIP \
    to-ports=80
Then just add the late people to address list "nonpayment".
Create Pseudo-FDX links with one Routerboard
by iam8up on Feb.01, 2010, under mikrotik
*Create bridge1
*Create fakebridge
*Create eoip-tunnel1
*Put eoip-tunnel1 and ether1 in bridge1
*Assign the four IPs in the diagram to their respective interfaces
*Set bridge or station modes – get the two wireless links up; make life easier by connecting wlan1 to wlan1 and wlan2 to wlan2; use radio-name to identify them
*OSPF on primary side
/routing ospf set redistribute-connected=as-type-1 router-id=172.31.254.1
/routing ospf interface add cost=100 interface=wlan1
/routing ospf network add area=backbone network=172.31.254.0/24
/routing ospf network add area=backbone network=172.31.255.0/24
*OSPF on secondary side
/routing ospf set redistribute-connected=as-type-1 router-id=172.31.254.2
/routing ospf interface add cost=100 interface=wlan2
/routing ospf network add area=backbone network=172.31.254.0/24
/routing ospf network add area=backbone network=172.31.255.0/24
SRC: http://blog.butchevans.com/2008/10/using-ospf-to-create-full-duplex-behaviour-for-wireless-links/
MikroTik template to replace your Linksys
by iam8up on Sep.05, 2009, under mikrotik
#basic stuff for all mt devices
#allow-address=0.0.0.0/0 lets any source view the graphs; narrow it to your LAN if the router is reachable from the WAN
/tool graphing set store-every=5min
/tool graphing interface add allow-address=0.0.0.0/0 disabled=no interface=all store-on-disk=yes
/tool graphing queue add allow-address=0.0.0.0/0 allow-target=yes disabled=no simple-queue=all store-on-disk=yes
/tool graphing resource add allow-address=0.0.0.0/0 disabled=no store-on-disk=yes
/system ntp client set enabled=yes mode=unicast primary-ntp=192.5.41.41 secondary-ntp=0.0.0.0
/system clock set time=12:00:00 date=Nov/11/2008 time-zone-name=America/New_York
/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=2048KiB max-udp-packet-size=512 primary-dns=208.67.222.222 secondary-dns=208.67.220.220
#allow-remote-requests=yes makes the router a resolver for the LAN, so drop queries arriving on the WAN port (ether5 in this template) to avoid running an open resolver
/ip firewall filter add action=drop chain=input comment="blocks incoming dns queries" disabled=no dst-port=53 protocol=udp in-interface=ether5
#assuming your wan provides dhcp
/ip dhcp-client add interface=ether5 use-peer-ntp=yes use-peer-dns=yes
#gets the wlan1 working
#this puts your wlan1 and ether1 to ether4 in a rstp bridge
#no security-profile is set here, so the AP comes up open; attach a WPA2 security profile before putting it into service
/interface wireless set wlan1 mode=ap-bridge band=2.4ghz-b/g frequency=2462 ssid=MyHomeNetwork disabled=no
/interface bridge add name=bridge-lan protocol-mode=rstp
/interface bridge port add bridge=bridge-lan interface=wlan1
/interface bridge port add bridge=bridge-lan interface=ether1
/interface bridge port add bridge=bridge-lan interface=ether2
/interface bridge port add bridge=bridge-lan interface=ether3
/interface bridge port add bridge=bridge-lan interface=ether4
#add ip address to bridge
/ip address add interface=bridge-lan address=172.16.16.1/24
#masq the bridge network
/ip firewall nat add action=masquerade chain=srcnat comment="masq bridge lan" disabled=no out-interface=ether5 src-address=172.16.16.0/24
#add dhcp server to bridge
/ip pool add name=dhcp_pool1 ranges=172.16.16.100-172.16.16.199
/ip dhcp-server add address-pool=dhcp_pool1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=bridge-lan lease-time=1d name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=172.16.16.0/24 comment="" dns-server=172.16.16.1,4.2.2.2 gateway=172.16.16.1
Failover connections using route distance
by iam8up on Sep.01, 2009, under mikrotik
This guide uses one connection whose IP is obtained through the dhcp-client and a second one that is static. It can easily be modified for two static IPs or two dhcp-client addresses. The guide uses static route distances to determine which connection is used. It works for my customer but your mileage may vary.
Start by making sure you can route out through both interfaces. You'll need to add the static information and the dhcp-client. Disable the default gateway of one, confirm the other carries traffic, then swap and confirm again. I suggest a ping test to 4.2.2.2 after each route change.
If not done already, be sure to document both public IPs. Be aware you may be able to use safe mode if you’re careful. Hit Control+X in the terminal window to enter and leave safe mode. If connectivity is lost to the router, any commands issued during safe mode are undone. You can save these commands by exiting and re-entering the terminal window as often as you wish.
Assuming you’re doing NAT make sure you do masquerade rules for both or all outgoing interfaces:
/ip firewall nat add action=masquerade chain=srcnat comment="masquerade-lan-network" disabled=no src-address=192.168.1.0/24
Set the dhcp-client to a distance of 5 – this feature was added in 3.11:
/ip dhcp-client set etherX default-route-distance=5
Set the static default gateway to a distance of 10:
/ip route set [find dst-address=0.0.0.0/0] distance=10
Now it should look like this:
[jluthman@hisawesomecustomer] > ip route pr
Flags: X - disabled, A - active, D - dynamic, C - connect, S - static, r - rip, b - bgp, o - ospf, m - mme, B - blackhole, U - unreachable, P - prohibit
 #      DST-ADDRESS        PREF-SRC        G GATEWAY         DISTANCE IN..
 0   S  0.0.0.0/0                          r 2.2.2.2         10       et..
 1 ADS  0.0.0.0/0                          r 1.1.1.1         5        et..
 2 ADC  10.0.0.0/24        10.0.0.1                          0        et..
Now make sure you are using the primary connection. Confirm you are on this network with a traceroute. You will now add one final static route that the netwatch tool will use to determine, through a ping test, whether the primary connection is down. Because this /32 route always points at the primary gateway, the probe tests only that link, whichever default route is active.
/ip route
add comment="FORCE FOR PRIMARY CONNECTION TEST" disabled=no \
    gateway=1.1.1.1 distance=1 dst-address=4.2.2.1/32
Add this netwatch script:
/tool netwatch
add host=4.2.2.1 interval=30s timeout=1s
Add this as the netwatch up script:
/ip route set [find distance=4] distance=10
:log error "main route is up"
/ip firewall connection remove [find]
and this as the down script:
/ip route set [find distance=10] distance=4
:log error "main route is DOWN"
/ip firewall connection remove [find]
From this point on, the static route to 4.2.2.1 forces the probe to use only the primary gateway (1.1.1.1). If this ping fails even once, netwatch runs the down section, changing the distance of your static default route from 10 to 4 and making it closer than the dhcp-client route at 5. The final command in both the up and down sections flushes the current connections, which is needed if you're running NAT (masquerading) so existing flows are re-mapped out the new interface. Note that the ping test keeps running while in the down condition, still through the 4.2.2.1/32 static route, so the first successful ping triggers the up section and fails back to the primary.
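The failover pieces above collected into one script, with the up and down sections attached to netwatch through its up-script and down-script parameters. This is an added example, not from the original post: it assumes the primary WAN (DHCP, gateway 1.1.1.1) is on ether1, the backup WAN (static, gateway 2.2.2.2) is on ether2, and the LAN is 192.168.1.0/24; it also matches the backup route by comment rather than by distance so the netwatch scripts cannot accidentally retarget an unrelated route.

```routeros
# Added example (not the post's own script). Assumed layout:
#   ether1 = primary WAN, DHCP, gateway 1.1.1.1
#   ether2 = backup WAN, static, gateway 2.2.2.2
#   LAN    = 192.168.1.0/24

# Masquerade out of both WAN interfaces, not just one
/ip firewall nat add chain=srcnat out-interface=ether1 action=masquerade comment="masq-wan1"
/ip firewall nat add chain=srcnat out-interface=ether2 action=masquerade comment="masq-wan2"

# Primary: the DHCP client installs a dynamic default route at distance 5
/ip dhcp-client add interface=ether1 disabled=no add-default-route=yes default-route-distance=5

# Backup: static default route at distance 10, so it only wins once the
# down-script lowers it to 4 (below the primary's 5). The comment is the handle
# the netwatch scripts use to find exactly this route.
/ip route add dst-address=0.0.0.0/0 gateway=2.2.2.2 distance=10 comment="wan2-default"

# Pin the probe target to the primary gateway so the ping always tests WAN1,
# even while the backup route is the active default
/ip route add dst-address=4.2.2.1/32 gateway=1.1.1.1 distance=1 comment="FORCE FOR PRIMARY CONNECTION TEST"

# One lost reply (timeout=1s, probed every 30s) fails over; the first good reply
# fails back. Flushing the connection table makes NATed flows re-map to the new
# WAN instead of lingering on the dead one. Inner quotes are escaped with \".
/tool netwatch add host=4.2.2.1 interval=30s timeout=1s \
    up-script="/ip route set [find comment=\"wan2-default\"] distance=10; :log error \"main route is up\"; /ip firewall connection remove [find]" \
    down-script="/ip route set [find comment=\"wan2-default\"] distance=4; :log error \"main route is DOWN\"; /ip firewall connection remove [find]"
```

A single lost ping is enough to fail over, so on a lossy primary link expect flapping; raising timeout or using a longer interval trades detection speed for stability.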
For alternative or more complicated MikroTik assistance join the mailing list or ask Butch Evans
Create simple queues for each IP
by iam8up on Aug.06, 2009, under mikrotik
You’ll probably want to change the IP range, limits and burst limits but this should work for most!
:for i from=2 to=254 do={/queue simple add name="172.16.64.$i" target-address="172.16.64.$i/32" max-limit="256000/800000" burst-limit="0/1500000" burst-threshold="0/400000" burst-time="0s/1m"}
MikroTik no login hotspot
by iam8up on Aug.05, 2009, under mikrotik
Download this archive and put login.html and status.html in the hotspot directory of your MikroTik. This is probably just the default, hotspot. You can use Winbox (suggested) or FTP to do this.
Run through the setup:
/ip hotspot setup
Now get the server’s hotspot setup:
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot \
http-proxy=0.0.0.0:0 login-by=http-pap,trial name=default rate-limit="" \
smtp-server=0.0.0.0 split-user-domain=no trial-uptime=2h/2h \
trial-user-profile=default use-radius=no
Get the hotspot user profile ready:
/ip hotspot user profile
set default advertise=no idle-timeout=none keepalive-timeout=2m name=default \
open-status-page=always rate-limit=128k/1024k shared-users=unlimited \
status-autorefresh=1m transparent-proxy=yes
You should be able to click the link on the login.html page and get redirected to the originally requested page, probably your home page.
Most admins will want to modify login.html to carry terms and conditions. You can put them on this page or link to an offsite location (to centralize them and update easily, or to reference your location's own link). Offsite terms and conditions will need their URL added to the walled garden (that's /ip hotspot walled-garden) so users who have yet to agree/login can reach them. Beyond that the limitation is your HTML capabilities.
Src: http://www.butchevans.com/pipermail/mikrotik/2009-August/000917.html