Warsaw MUM (March 15-16, 2012)

Posted by Admin Thursday, January 26, 2012 0 comments
Biggest WISP event in Europe!  LESS THAN TWO MONTHS UNTIL THE MUM !!!
Warsaw/Poland, March 15-16, 2012

Over 500 people have already registered for the MUM Europe 2012. The
capacity of the conference room will be reached soon. We are working
with the hotel to get additional space if needed, but please register
IMMEDIATELY to be sure of your place.



FREE registration will end on February 21, 2012. Entrance ticket at the
door will cost USD 75.

Registered attendees and the next 150 people to register will receive a
HARDWARE GIFT from MikroTik! Register now to be among them
http://mum.mikrotik.com/register.php?section=32.

The hotel is filling up as well, please reserve your room as soon as
possible to be sure that you get one! Promotion code for booking rooms
at a special price is "MIKROTIK", more information -
http://mum.mikrotik.com/2012/PL/accomodation.

Come and see:

- !!! BIG new product announcements and demos !!!
- New Hands On Workshop Events
- a raffle on the last day of the MUM with many interesting gifts from
us and the vendors at the show
- meet, greet, and register Wednesday night at 6PM (free beer and soft
drinks)
- exhibition area with distributors and vendors presenting their
innovative hardware and software designs
http://mum.mikrotik.com/2012/PL/exhibitors

    Totalconn (Italy) http://www.wi4net.it/
    Meconet (Germany) http://www.meconet.de/
    Batna (Poland) http://www.anteny24.pl/
    CDR (Poland) http://www.4wifi.pl/
    FMS (Germany) http://www.fmsweb.de/
    Inter Projekt (Poland) http://www.interprojekt.pl/
    Sys-DataCom (Czech Republic) http://www.sys-data.com/
    ATS (Poland) http://www.wirelesslan.pl/
    Cyberbajt (Poland) http://www.cyberbajt.pl/
    i4wifi (Czech Republic) http://www.i4-wifi.com/
    NIM Wave (Italy) http://www.nimwave.com/
    RF Elements (Slovakia) http://www.rfelements.com/
    Deltalink (Turkey) http://deltalink.com.tr/
    EDCwifi (China) http://www.edcwifi.com/
    NET service solution (Czech Republic) http://www.net-service.cz/
    Jirous (Czech Republic) http://en.jirous.com/
    Technologic (Poland) http://www.technologic.pl/
    ... 4 more in process

Where:           Warsaw (Poland)
When:            Thu-Fri, March 15-16
Meet and greet:  Wednesday, March 14, 6PM (registration and free beer)
Register:        http://mum.mikrotik.com/register.php?section=32
Venue:           http://mum.mikrotik.com/2012/PL/accomodation
Agenda:          http://mum.mikrotik.com/2012/PL/agenda

Training sessions before the MUM are almost fully booked. Please be sure
to register soon to get a seat. Contact the organizer to sign up!

Trainings before MUM (March 12-14):

- Training for Trainers by MikroTik (ENG)
http://www.mikrotik.com/training/offers
- MTCTCE by Sys-DataCom and Citraweb (ENG) http://mtctce.mikrotik.cz/
- MTCINE by MikroTik (ENG) http://www.mikrotik.com/training/offers
- MTCWE by NEST Wireless UK (ENG) http://www.nestwireless.co.uk/training/
- MTCNA by router.lv (ENG) http://www.router.lv/eng/courses/24
- MTCRE by FMS Internetservice (GER)
http://www.mikrotik-shop.de/Training:::92.html
- MTCRE by MD Brasil (ENG) http://www.mdbrasil.com.br/en
- MTCUME by Grifonline S.r.l. (ENG)
http://training.grifonline.it/training_mikrotik_MTCUME_WARSAW_032012_en.html
- MTCNA by Pawel Cieplinski (POL)
http://cieplinski.pl/training.php?e=mtcna-before-mum

To register for the MUM event (conference, exhibition, workshop), follow this link: http://mum.mikrotik.com/register.php?section=32

See you in Warsaw!

Regards,
MikroTik

Mikrotik New Product

Posted by Admin Friday, January 20, 2012 0 comments
The new MikroTik products:

* RB751U-2HnD
* RB411L
* RB433GL
* R5SHPn
* RB433L
* RB751G-2HnD
* OmniTikUPA-5HnD
* RB433UAHL


Download the newsletter here: 
http://www.mikrotik.com/download/share/news_36.pdf

See you at the MUM in Poland!

Bug spotting – PPPoE and Hotspot

Posted by Admin Sunday, January 15, 2012 0 comments
Came across an interesting (yet to be verified) bug today.
The info:
RouterOS v4.10 running on x86 server
Site runs both a hotspot and PPPoE server on the same interface.
Users can decide to login via the captive portal (which most do) or for those who understand and wish to use a pppoe connection, they have the option to use that instead, as it comes with a public IP.

The problem:
Support call came in saying that a user was unable to access www.google.com (which for the sake of this example we’ll say resolves to 192.0.2.1). I checked and confirmed I could indeed ping and trace to the address and put it down to a user issue, but left the ticket open to have one of our on-site techs give a try.
– later on–
Onsite tech indicated he too had become unable to access www.google.com via the pppoe login option, and after getting a first hop response from the gateway the connection simply timed out.
The cause:
I’ll save you from having to hear about everything I tested and tried over the next hour; however, the actual cause was rather interesting.
The “hosts list” on the hotspot, had old entries from someone with an improperly configured IP address (in this case 192.0.2.1) which had tried to access the login page sometime in the past couple of days and was being held there. This meant that for users connected behind the pppoe interfaces, traffic to 192.0.2.1 was trying to go to that host RATHER than going out the correct default route.
Why? No idea.
The solution:
When the hotspot was set up (we’d reinstalled the machine just recently) it appears someone had forgotten to set the ‘idle-timeout’ value on the hotspot user-profile. This meant all these hosts were being held and the table was getting larger and larger (there were other incorrect addresses in there too).
Better solution: Provided by Mikrotik support
You have an option to allow only specific subnets to reach the HotSpot network.
Add them to ip-binding, specify the subnets you would like to allow and set type=regular.
Block any other unneeded subnets with type=blocked.
Eg:
/ip hotspot ip-binding
add address=10.10.40.0/21 comment="Accept (not bypass) anything in the LAN range" disabled=no
add address=0.0.0.0/0 comment="block all else" disabled=no type=blocked

Side note: We don’t use the address-pool option on the hotspots as this causes LAN traffic to pass back (and be counted by) the router which we don’t want (as we let our users have unlimited LAN access to each other) so I’m at quite a loss as to why this routing pattern would occur.

Port Knocking to Increase Security

Posted by Admin Tuesday, January 10, 2012 0 comments
The port "knock" itself is similar to a secret handshake and can consist of any number of TCP, UDP, ICMP or other protocol packets sent to numbered ports on the destination machine. The knock may also consist of text strings sent to the device being knocked, to add additional complexity and security.
Port knocking example:

The host sends a connection to one of the router's ports, and the router stores the requester's IP for an amount of time. If the host then sends a connection to another port, the router checks whether the IP is the same as the IP from the first connection. If the IP is the same and the time between the first attempt and the second is within a specified time, the requester's IP is allowed to access the router.

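/ip firewall filter

# Knock 1: any ICMP packet puts the source on the "ICMP" list for one minute
add action=add-src-to-address-list address-list=ICMP address-list-timeout=1m chain=input \
  disabled=no protocol=icmp

# Knock 2: TCP/80 from a source still on "ICMP" puts it on "ICMP + Http" for one minute
add action=add-src-to-address-list address-list="ICMP + Http" address-list-timeout=1m chain=input \
  disabled=no dst-port=80 protocol=tcp src-address-list=ICMP

# Drop SSH, Telnet and Winbox traffic from any source that is not on "ICMP + Http"
add action=drop chain=input disabled=no dst-port=22,23,8291 protocol=tcp \
  src-address-list="!ICMP + Http"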
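
How the three rules above evaluate over time, as an added example that is not part of the original post: a small Python model of the two address lists and the drop rule, replayed over constructed packets. The class and function names are hypothetical, the addresses are documentation ranges, and restarting the timer on a repeated knock is an assumption of the model.

```python
# Added example: a model of the three filter rules, not RouterOS code.
TIMEOUT = 60                 # address-list-timeout=1m, in seconds
PROTECTED = {22, 23, 8291}   # dst-port list of the drop rule


class KnockFirewall:
    def __init__(self):
        # address-list name -> {source IP: expiry time}
        self.lists = {"ICMP": {}, "ICMP + Http": {}}

    def _member(self, name, src, now):
        expiry = self.lists[name].get(src)
        return expiry is not None and now < expiry

    def handle(self, now, src, proto, dst_port=None):
        """Evaluate one input-chain packet; rules run top to bottom."""
        # Rule 1: any ICMP packet lists the source (action is non-terminating).
        if proto == "icmp":
            self.lists["ICMP"][src] = now + TIMEOUT  # assumption: timer restarts
        # Rule 2: TCP/80 from a source still on "ICMP" promotes it.
        if proto == "tcp" and dst_port == 80 and self._member("ICMP", src, now):
            self.lists["ICMP + Http"][src] = now + TIMEOUT
        # Rule 3: management ports are dropped unless the source was promoted.
        if (proto == "tcp" and dst_port in PROTECTED
                and not self._member("ICMP + Http", src, now)):
            return "drop"
        return "pass"  # continues to whatever rules follow these three


# Constructed sample traffic: (seconds, source IP, protocol[, destination port])
SAMPLE = [
    (0, "198.51.100.7", "tcp", 22),     # no knock at all
    (10, "203.0.113.5", "icmp"),        # knock 1
    (20, "203.0.113.5", "tcp", 80),     # knock 2, within 1m of knock 1
    (30, "203.0.113.5", "tcp", 22),     # inside the 1m window
    (85, "203.0.113.5", "tcp", 22),     # 65s after knock 2: entry expired
    (100, "203.0.113.9", "tcp", 80),    # port 80 without ICMP first
    (101, "203.0.113.9", "tcp", 22),
    (200, "203.0.113.8", "icmp"),
    (270, "203.0.113.8", "tcp", 80),    # 70s after ICMP: knock 1 expired
    (271, "203.0.113.8", "tcp", 8291),
]


def replay(events):
    fw = KnockFirewall()
    return [fw.handle(*event) for event in events]


if __name__ == "__main__":
    for event, verdict in zip(SAMPLE, replay(SAMPLE)):
        print(event, "->", verdict)
```

With only the three rules shown, the drop rule matches every packet to ports 22, 23 and 8291, so a session opened after a successful knock stops passing once its "ICMP + Http" entry expires. An accept rule for established connections placed before the drop rule avoids that.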

(youtube/wiki)