MikroTik to log internet use

booswig

Active Member
Joined
Apr 4, 2005
Messages
98
Hi All,

I use a MikroTik HEX PoE router behind a firewall as our office router. Software version 6.38.5.

I am trying to use it to limit internet use, as we only have a 1,000 GB package per month. I installed SnifferViewer that logs some traffic (I think it mainly logs port 80 communication), and use a simple Queue to try and limit internet use. I currently have it set to 64 kbps for both uploads and downloads for all IPs I could identify (using Angry IP Scanner and the IPs identified by SnifferViewer (Attix5 Traffic Monitor)). This includes all user IPs, the VOIP IP, the WIFI IP.

However, logging into the ISP website I see that there are still massive downloads happening. According to them there was a 36.4 GB use today, while the Traffic Monitor only shows around 400 MB for the day. The queue list on the MikroTik only shows 60 MiB ....

Can anyone help me on how I can trace the user, and how I can stop this leak?

Note: I am no expert and do not want to mess around with firewall rules, but if need be I must turn to rules to block ports etc., but first I want to trace this user.
 

JayM

Expert Member
Joined
Oct 30, 2005
Messages
3,618
Get the free version of PRTG and send netflow records from the Mikrotik to it. You could even run it on your PC.
 

Nuke

Senior Member
Joined
May 29, 2006
Messages
737
Quick questions.

Do you have a public IP directly on the Mikrotwak? Do you perhaps have the DNS or proxy server running on the Mikrotwak? That combination has led to many a gig being wasted.

Tried using the Torch tool yet and just leaving it open throughout the day? If you check it every now and then it won't take you long to see any large downloads going on.
 

DWPTA

Expert Member
Joined
Jul 28, 2006
Messages
4,366
Mangle and Queue rules please.
 

booswig

Active Member
Joined
Apr 4, 2005
Messages
98
OK, I have no mangle rules, do not even know what it does. I have a queue for each active IP similar to this:

Queue Untitled-3.jpg

I have completely blocked the DHCP range as well as all IPs I do not know. Scripting is amazing I have to add.

Added a firewall rule for all IPs using the script below to check where there is communication:
:for i from=3 to=253 do={/ip firewall filter add chain=forward src-address="192.168.0.$i" action=passthrough}

Gateway / DNS server is 254. The two owners' IPs are 1 and 2, but we are not massive users.
 