The official Mikrotik router thread

AirWolf

Honorary Master
Joined
Aug 18, 2006
Messages
22,032
#1
Didn't see one - so made one.

How would one go about limiting traffic in the following ways:
- blocking specific sites (or categories of sites)[including https sites];
- limiting bandwidth per Mac address per day (while excluding MS update bandwidth).

That's it for now. Got one for one of our offices a couple weeks ago - still need to set it up.

Always hear about this brand of router (on the forum) for a wide range of applications, and never used one before.

Edit: got this one: http://takealot.com/og/v1/PLID46625509

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,357
#4
> Didn't see one - so made one.
>
> How would one go about limiting traffic in the following ways:
> - blocking specific sites (or categories of sites)[including https sites];
> - limiting bandwidth per Mac address per day (while excluding MS update bandwidth).
>
> That's it for now. Got one for one of our offices a couple weeks ago - still need to set it up.
>
> Always hear about this brand of router (on the forum) for a wide range of applications, and never used one before.
>
> Edit: got this one: http://takealot.com/og/v1/PLID46625509

I might be wrong but you can do this with layer7 inspection, but that tends to be very slow and will maybe slow your hap router.

Other way is to have a proxy, not transparent, like your clients need to explicitly configure their browsers to use your hAP as the proxy. I think this route is the only way to filter SSL.

As for the bandwidth, probably radius or hotspot manager?

killerbyte

Expert Member
Joined
May 10, 2007
Messages
1,386
#5
> /subscribes (hAP is crap btw, RB2011UiAS-2HnD-IN or nothing)
Haha.
We use the Hap for our very small clients. We actually rent it out so that we retain control of it.

I personally have a RB2011UiAS-RM at home. In fact I just installed it in my network this weekend.


OP: Once you get used to Mikrotik you will only want to use it.

rubber_otter

Expert Member
Joined
May 25, 2009
Messages
1,393
#6
Blocking specific sites is quite difficult. It involves prerouting packet marking and mangle rules. I have sort of delved into them, but I usually tell the client it is not possible just to save myself the headache.

As for home routers, I have an RB2011iLS that does all my routing, and a Groove that does the wireless to the tower. That, and HAP Lite that acts as a wireless bridge to a wired IP Cam, effectively turning a wired cam into a wireless.

DWPTA

Expert Member
Joined
Jul 28, 2006
Messages
3,772
#7
Awesome, speaking of which, Mikrotik sent out an advisory

Hello,

It has come to our attention that a rogue botnet is currently using a vulnerability in the RouterOS Winbox service, that was patched in RouterOS v6.42.1 in April 23, 2018.

Since all RouterOS devices offer free upgrades with just two clicks, we urge you to upgrade your devices with the "Check for updates" button, if you haven't done so already.

Steps to be taken:

- Upgrade RouterOS to the latest release
- Change your password after upgrading
- Restore your configuration and inspect it for unknown settings
- Implement a good firewall according to the article here:

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router

All versions from 6.29 (release date: 2015/28/05) to 6.42 (release date 2018/04/20) are vulnerable. Is your device affected? If you have open Winbox access to untrusted networks and are running one of the affected versions: yes, you could be affected. Follow advice above. If Winbox is not available to internet, you might be safe, but upgrade still recommended.

More information about the issue can be found here: https://blog.mikrotik.com

Best regards,
MikroTik
Make sure your Tiks are updated.
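Added example of what the advisory's steps look like on the CLI (this is not from the advisory, not MikroTik's own code, and not from any poster in this thread). It assumes ether1 is the WAN interface, 192.168.88.0/24 is the LAN and the admin workstation sits on that LAN; every address and interface name here is a placeholder for your own network.

```routeros
# Constructed example: ether1 = WAN, 192.168.88.0/24 = LAN (assumptions).

# 1. Confirm the running version is at or above the patched release (6.42.1
#    per the advisory) and pull the latest one if it is not.
/system resource print
/system package update check-for-updates

# 2. Bind management services to the LAN only and switch off the ones you
#    do not use. Winbox (tcp/8291) is the service the advisory is about.
/ip service set winbox address=192.168.88.0/24
/ip service set ssh address=192.168.88.0/24
/ip service set www address=192.168.88.0/24
/ip service disable telnet
/ip service disable ftp
/ip service disable api
/ip service disable api-ssl

# 3. Input chain: keep established traffic and LAN management, drop every
#    other packet addressed to the router itself from the WAN side.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="established/related"
add chain=input connection-state=invalid action=drop comment="drop invalid"
add chain=input src-address=192.168.88.0/24 action=accept comment="LAN may manage the router"
add chain=input in-interface=ether1 action=drop comment="drop all other WAN input, incl. Winbox tcp/8291"

# 4. After upgrading, rotate the admin credential (placeholder value) and
#    dump the config so you can read it for settings you did not add.
/user set admin password="REPLACE-WITH-A-STRONG-PASSPHRASE"
/export compact file=post-upgrade-config
/system scheduler print
/system script print
/ip socks print
```

The `print` commands at the end are where to look for the "unknown settings" the advisory tells you to inspect: schedulers, scripts and a SOCKS proxy are all things a normal small-office config rarely needs, so anything there that you did not create deserves a close look. Keep the drop rule last in the input chain; rules are evaluated top to bottom.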

HeftyCrab

Expert Member
Joined
Mar 26, 2009
Messages
2,088
#8
To limit sites, you can perhaps look at something like OpenDNS. You set it as your DNS server, and on the openDNS site you can limit categories of sites.

To limit bandwidth you can have a look at simple queues (IIRC you have to turn off fasttrack under the firewall to make it work).

You can assign a static IP to a Mac address then create a simple queue for that IP, or a range of IPs. In the simple queue you can specify time ranges.

This guy has some brilliant videos (TKSJa on youtube):

https://youtu.be/76nK1LXyPMA

rorz0r

Executive Member
Joined
Feb 10, 2006
Messages
7,794
#10
Most useful thing I learnt is "export compact" on the command line. Generally all the documentation is command line centric but for most people it's harder to figure out than the gui. With exporting you can at least see what your gui changes actually look like, compare them to docs etc, and possibly also help you script things. It's also a great way to just get an overview of what's going on with a router.
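Added example putting HeftyCrab's recipe (static lease for a MAC, simple queue with a time range, fasttrack off, OpenDNS as upstream resolver) and the `export compact` tip together in one script. It is not from either poster or from MikroTik; the DHCP server name `dhcp1`, the LAN 192.168.88.0/24, the gateway 192.168.88.1 and the client MAC AA:BB:CC:DD:EE:01 are constructed placeholders.

```routeros
# Constructed example; dhcp1, the 192.168.88.0/24 LAN and the MAC are assumptions.

# 1. Pin the client's MAC to a fixed address so a queue can target it.
/ip dhcp-server lease add mac-address=AA:BB:CC:DD:EE:01 address=192.168.88.50 server=dhcp1 comment="workstation-01"

# 2. FastTracked connections bypass simple queues, so the default fasttrack
#    rule must be disabled before the queue has any effect.
/ip firewall filter disable [find action=fasttrack-connection]

# 3. Cap the pinned address during office hours. max-limit is upload/download;
#    the time field is start-end followed by the days it applies.
/queue simple add name="workstation-01" target=192.168.88.50/32 max-limit=2M/10M \
    time=08:00:00-18:00:00,mon,tue,wed,thu,fri comment="2 Mbps up / 10 Mbps down, office hours"

# 4. Category filtering via OpenDNS: the router forwards to OpenDNS and
#    hands itself out as the DNS server, so clients inherit the filtering.
/ip dns set servers=208.67.222.222,208.67.220.220 allow-remote-requests=yes
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1

# 5. Read back what the changes actually produced, and watch the queue work.
/export compact file=lan-policy
/queue simple print stats
```

Two caveats a practitioner would want: a simple queue is a rate limit, not a daily byte quota, so the "per MAC per day" part of the OP's question needs a script that reads the queue's byte counters and tightens the limit once a threshold is reached; and the OpenDNS step only filters clients that actually use the router as resolver. With `allow-remote-requests=yes` the router answers DNS for anyone who can reach it, so the input-chain firewall must keep port 53 off the WAN.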

HApyM3al

Expert Member
Joined
Oct 27, 2012
Messages
1,060
#13
> Does anyone know how to track usage by using a Mikrotik?

SNMP? Surely easiest way. You get a lot of NPM tools that can capture the info.

wrt OP's blocking websites, Mikrotik forums. Best I have found is to have either L7 rules or static DNS entries
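Added example for both halves of the reply above: a read-only SNMP community locked to one monitoring host, and static DNS entries that sinkhole a blocked name. Not from the poster or from MikroTik; the monitoring host 192.168.88.20, the LAN bridge named `bridge` and `example.com` as the blocked site are constructed placeholders.

```routeros
# Constructed example; 192.168.88.20, the bridge name and example.com are assumptions.

# 1. SNMP for usage tracking. Rename the default "public" community, make it
#    read-only and restrict it to the monitoring host, then enable the agent.
/snmp community set [find name=public] name=netmon-ro addresses=192.168.88.20/32 \
    read-access=yes write-access=no
/snmp set enabled=yes contact="netops" location="branch-office"

# 2. Static DNS for blocking. The name and its subdomains resolve to a
#    sinkhole address. This works for https sites as well, because the block
#    happens at name resolution, before any TLS handshake.
/ip dns static add name=example.com address=127.0.0.1 comment="blocked"
/ip dns static add regexp=".*\\.example\\.com" address=127.0.0.1 comment="blocked subdomains"
/ip dns set allow-remote-requests=yes

# 3. Static entries only matter if clients ask this router. Redirect any DNS
#    query leaving the LAN to the router's own resolver so a client configured
#    with a public resolver does not simply walk around the block.
/ip firewall nat add chain=dstnat in-interface=bridge protocol=udp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router"
/ip firewall nat add chain=dstnat in-interface=bridge protocol=tcp dst-port=53 \
    action=redirect to-ports=53 comment="force DNS via router"
```

Confirm the SNMP side by polling the interface counters from the monitoring host with your NPM tool of choice; nothing else on the LAN should get an answer. The regexp entry is matched against every query, so keep the list short on a small router.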

Genisys

Executive Member
Joined
Jan 12, 2016
Messages
9,131
#15
> No wifi, no fiber.
> (the beefed up specs, unless you have very specific needs this is not the router I'll recommend for a small business.)

The RB2011 is too old to recommend for even 10Mbps ADSL in 2018. There have since been many other Mikrotik Routerboards released that will be better options. As for the "No wifi, no fiber" argument:

1. Fibre gets terminated to a CPE, so the SFP port is pointless for most small business use cases. It's a nice to have but probably unused for the most part. If you really need to terminate fibre you are probably not using the correct equipment if you are buying a Mikrotik. Even if a Mikrotik is capable of doing it, there are better options out there.

2. For WiFi everyone knows Unifi AP is the best Prosumer equipment for WiFi, I love Mikrotik, but I'll not use it for WiFi. I won't even recommend it for WiFi.

3. The Hex S has SFP and lots of other features including hardware acceleration, more ram, USB and SD card slots, support to run the Dude, and much more. Recommending a RB2011 to any business just because it has "WiFi" is not even funny. Any well designed network will split Wireless from the Routing platform and Firewall from the Routing platform. Having a singular point of failure in a business environment is asking for trouble.

Thor

Honorary Master
Joined
Jun 5, 2014
Messages
35,357
#16
> The RB2011 is too old to recommend for even 10Mbps ADSL in 2018. There have since been many other Mikrotik Routerboards released that will be better options. As for the "No wifi, no fiber" argument:
>
> 1. Fibre gets terminated to a CPE, so the SFP port is pointless for most small business use cases. It's a nice to have but probably unused for the most part. If you really need to terminate fibre you are probably not using the correct equipment if you are buying a Mikrotik. Even if a Mikrotik is capable of doing it, there are better options out there.
>
> 2. For WiFi everyone knows Unifi AP is the best Prosumer equipment for WiFi, I love Mikrotik, but I'll not use it for WiFi. I won't even recommend it for WiFi.
>
> 3. The Hex S has SFP and lots of other features including hardware acceleration, more ram, USB and SD card slots, support to run the Dude, and much more. Recommending a RB2011 to any business just because it has "WiFi" is not even funny. Any well designed network will split Wireless from the Routing platform and Firewall from the Routing platform. Having a singular point of failure in a business environment is asking for trouble.
Exactly my point, if you want a dedicated router then HP or Ubiquiti

If you want a small business setup then RB2011 it's more than sufficient for a 40Mbps VDSL line (I run two).

Fair WiFi ability and the benefit of being highly configurable.

RB2011 + Squid = perfect small business setup.

If you have a situation where the RB2011 can't cope then you go over to ubiquiti and if that can't cope (never been in such a position ie data center setups) then you go HP, Juniper etc.

So the way I go about stuff,

VDSL/Fiber -> RB2011 -> Office
VDSL/Fiber -> RB2011 -> Squid -> office

If it's a big office (surface area):
VDSL/Fiber -> RB2011 -> Mikrotik AP(Capsman)

If the client has money
Unifi + USG


(just to be clear, this is just my opinion and go about, I'm not a hardcore Mikrotik fan, the device is a headache to program, but I am a big fan of the RB2011.)

Genisys

Executive Member
Joined
Jan 12, 2016
Messages
9,131
#18
> I have an Rb750gr3. Love the features of RouterOS, but almost feel like it's wasted on my 4Mb fibre line. CPU is running at 0/1%, and only using 40MB RAM. :D

Good to hear I'm not the only one enjoying my Mikrotik router. I might have cheated a little bit, but the RB750Gr3 is seriously good, I have the upgraded RB760, but they are based off the same architecture. It has nothing on some of my other Mikrotiks, but it's still a great router that is at the perfect pricing point and offers great performance for the price.
Joined
Feb 23, 2016
Messages
1,134
#20
/subbed

Have a question: is there a basic guide on how to do NAT / PAT?

I have a device on the LAN, CCTV. I have a rule that allows incoming traffic to CCTV which works.

I connect to CCTV using dyndns name on my apps. Problem is when I am inside the network, it doesn't work. The IP is being resolved as the external IP of the router ..

I think it doesn't like seeing the traffic coming from inside to go out and then coming back in.

Don't know how to fix this :(