Recently, we needed to check if any computers inside of a given network were configured to use OpenDNS servers. In our case, the router (10.10.100.1) is acting as a DNS cache and configured to query upstream DNS servers. What we want to do is first catch any internal IP address using OpenDNS IP addresses (208.67.222.222 …
Category: Mikrotik
Oct 31
Mikrotik DNS Failover Script
Traditionally, a minimum of two DNS servers are used for any given computer for redundancy. The problem is that Windows computers (and others) will choose the fastest responding server and ignore the order given (primary, secondary, etc.). If we wish to force a primary and only fail over to a secondary, then scripting coupled with …
Sep 28
Dynamic Address Lists Creation with Port Knocking
Port knocking is a technique used to generate or modify firewall rules on the fly based on connections made to specific predetermined ports. Suppose we have a web-facing service (HTTP, DNS, etc.) that we wish to limit access to based on IP addresses. If all of the clients on the Internet side of the router …
Aug 23
Mikrotik Dual WAN Routing – Packet Flow
If we add a second ISP line to our network, we need a couple of mangle entries to keep the traffic flowing in and out of the correct interfaces. If we simply add a second WAN connection to the router (in this example we will use eth4), the router may not respond to pings or allow …
Aug 23
Mikrotik 6to4 IPv6 Setup
Today we are looking at how to set up a 6to4 IPv6 tunnel. I will be using a free service at http://www.tunnelbroker.net as the tunnel broker. Hurricane Electric provides this service along with some other very cool IPv6 tools. They also provide a mini IPv6 certification program to help get people started. There are a few things …
Aug 16
Mikrotik Proxy: Limiting Internet Access
In library environments, we often have a need to limit Internet access on certain computers. One example would be for a dedicated card catalog computer where we do not want patrons using the machine for anything else. In this example, we have a certain computer that will only be allowed to access a card catalog …
Aug 01
Mikrotik VLAN Trunk and Unifi AP
Suppose we have an access point capable of multiple SSIDs and VLANs. We want to set up an open hotspot for public access on one channel, and a secured channel for staff. For this exercise, we will use a Ubiquiti Unifi AP and set up two WLANs. The first WLAN will be called “Public” and …
Jul 20
Mikrotik Firewall Basic Settings
Out of the box, the RouterOS firewall is pretty lean on rules. The default configuration may have as few as four rules in place, three for accepting traffic (icmp, connected, and related traffic) and one for blocking all other inbound traffic. Depending on how you have configured your Internet access (static IP, PPPoE, etc.), the …
Jul 16
Mikrotik Policy-Based Routing
One of the more interesting features within the RouterOS mangle (packet marking) facility is the ability to mark packets in the pre-routing chain. With this option, we can perform what is called policy-based routing. Suppose we have two WAN (Internet) connections that our LAN clients could potentially use, and that we wish to split the usage such …
Jul 13
Basic RouterOS Traffic Queueing
In this post, we will look at a basic traffic queuing configuration. Our example network will consist of two subnets, one for wired computers (staff and patron) and one for wireless computers (accessed via a wireless AP plugged into port 5). Our wired computers will all be within the 192.168.88.0/24 network on port2, and …