How to configure Mikrotik OPENVPN Server
1- Create IP Pool for OpenVPN Clients
IP > IP Pool > Add IP Pool
For example, I have taken the range 172.16.100.100-172.16.100.150.
Addresses from this range will be assigned to OpenVPN clients and MikroTik routers.
2- Create OpenVPN Profile
Go to PPP > Profiles > Add New Profile
How to setup your IT Infrastructure for Work From Home in low cost with open source secure industry standard technologies.
Here I am going to talk about small and medium-sized offices and companies that are not able to invest a large amount to upgrade or migrate their IT infrastructure so their workers can work from home during the COVID pandemic.
There are a few things you mostly use in the office as IT infrastructure as an end user. If that IT infrastructure is available at home, most people can work from home easily.
I am taking the example of a small office with 30 employees who need to work from home.
Simple small office network diagram.
MikroTik DHCP Server configuration for multiple Networks
If you have multiple networks and want to configure a DHCP server for each of them, follow the steps below and change the IP addresses and interface names according to your requirements.
Here I will configure two networks for my home:
1- 172.16.10.0/24 for my LAB
2- 10.34.200.0/24 for my Home
My interface IP addresses
/ip address
add address=172.16.10.1/24 interface=ether2_lab network=172.16.10.0
add address=10.34.200.1/24 interface=ether3_home network=10.34.200.0
1- Create IP Pools for your Networks
/ip pool
add name=lab ranges=172.16.10.100-172.16.10.150
add name=home ranges=10.34.200.100-10.34.200.150
add name=PPTP ranges=172.16.11.100-172.16.11.150
2- Create DHCP Server
/ip dhcp-server
add address-pool=lab disabled=no interface=ether2_lab name=dhcp1
add address-pool=home disabled=no interface=ether3_home name=server1
3- Create DHCP-Server Network
/ip dhcp-server network
add address=10.34.200.0/24 gateway=10.34.200.1
add address=172.16.10.0/24 gateway=172.16.10.1
How to block a Country in Mikrotik Firewall
If you want to block a whole country in the Mikrotik firewall, visit the website https://mikrotikconfig.com/firewall/
Step 1: Check the countries you want included in the address list. Scroll down for additional countries.
Step 2: Click the button to generate your standalone address list for use with your own custom rules.
It will generate the firewall commands with the IP addresses. Now copy and paste them into the Mikrotik CLI.
You are trying to access your Mikrotik router through Winbox and you are sure your admin password is right, but Winbox will not log you in. You tried to log in through the router console locally and you were able to log in, but through Winbox you get the error below.
Error: wrong username or password
This happens because your router has been compromised and the hacker has denied all logins from any IP address except his own IP address, as in the image below.
Now you will have to remove their IP address to get access through Winbox.
1- Log in to your Mikrotik router console
2- Go to the user menu, type /user edit admin address and press Enter
3- Now delete all the IP addresses
4- Now press Ctrl + O
5- Now try to access the router through Winbox
You should be able to log in.
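To spot this kind of tampering before you are locked out, the check below (an added example, not part of the original post) reads user definitions and reports every allowed login address that lies outside your own management ranges. The sample lines are constructed in the key=value style used on this page, and the trusted ranges and user names are assumptions.

```python
import ipaddress
import shlex

# Assumption: the ranges the real administrators log in from.
TRUSTED_MGMT = [ipaddress.ip_network("10.34.200.0/24"),
                ipaddress.ip_network("172.16.10.0/24")]

# Constructed sample, written in the key=value style of the commands on this page.
SAMPLE_USERS = """\
add name=admin group=full address=198.51.100.23/32
add name=noc group=read address=10.34.200.0/24,172.16.10.5
add name=backup group=full address=""
add name=svc group=full address=10.34.200.10,203.0.113.0/24 comment="added by ?"
"""

def parse_users(text):
    """Yield (name, [allowed networks]) for every 'add' line."""
    for line in text.splitlines():
        tokens = shlex.split(line)          # handles quoted values with spaces
        if not tokens or tokens[0] != "add":
            continue
        props = dict(t.split("=", 1) for t in tokens[1:] if "=" in t)
        # An empty address means "no restriction"; it yields an empty list.
        nets = [ipaddress.ip_network(a, strict=False)
                for a in props.get("address", "").split(",") if a]
        yield props.get("name", "?"), nets

def unexpected_addresses(text, trusted=TRUSTED_MGMT):
    """Map user -> allowed addresses that lie outside every trusted range."""
    findings = {}
    for name, nets in parse_users(text):
        bad = [str(n) for n in nets
               if not any(n.version == t.version and n.subnet_of(t)
                          for t in trusted)]
        if bad:
            findings[name] = bad
    return findings

if __name__ == "__main__":
    for user, nets in unexpected_addresses(SAMPLE_USERS).items():
        print(f"{user}: login allowed from unexpected {', '.join(nets)}")
```
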
How to bandwidth limit with simple queue on Mikrotik Router OS
We have a network topology like the picture below and we want to limit download and upload for the private network (download – 512 kbps and upload – 128 kbps).
Mikrotik hotspot setup
Copy and paste line by line.
/ip address
add address=172.16.1.1/24 comment=LAN disabled=no interface=LAN network=172.16.1.0
add address=192.168.137.100/24 comment=WAN disabled=no interface=WAN network=192.168.137.0
/ip pool
add name=hs-pool-1 ranges=172.16.1.10-172.16.1.254
/ip dns
set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=192.168.137.1
/ip dhcp-server
add address-pool=hs-pool-1 authoritative=after-2sec-delay bootp-support=static disabled=no interface=LAN lease-time=1h name=dhcp1
/ip dhcp-server config set store-leases-disk=5m
/ip dhcp-server network add address=172.16.1.0/24 comment="hotspot network" gateway=172.16.1.1
/ip hotspot profile
set default dns-name="" hotspot-address=0.0.0.0 html-directory=hotspot http-cookie-lifetime=3d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=default rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
add dns-name=login.aacable.net hotspot-address=172.16.1.1 html-directory=hotspot http-cookie-lifetime=1d http-proxy=0.0.0.0:0 login-by=cookie,http-chap name=hsprof1 rate-limit="" smtp-server=0.0.0.0 split-user-domain=no use-radius=no
/ip hotspot
add address-pool=hs-pool-1 addresses-per-mac=2 disabled=no idle-timeout=5m interface=LAN keepalive-timeout=none name=hotspot1 profile=hsprof1
/ip hotspot user profile
set default idle-timeout=none keepalive-timeout=2m name=default shared-users=1 status-autorefresh=1m transparent-proxy=no
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="512k Limit" open-status-page=always rate-limit=512k/512k shared-users=1 status-autorefresh=1m transparent-proxy=yes
add address-pool=hs-pool-1 advertise=no idle-timeout=none keepalive-timeout=2m name="256k Limit" open-status-page=always rate-limit=256k/256k shared-users=1 status-autorefresh=1m transparent-proxy=yes
/ip hotspot service-port set ftp disabled=yes ports=21
/ip hotspot walled-garden ip add action=accept disabled=no dst-address=172.16.1.1
/ip hotspot set numbers=hotspot1 address-pool=none
/ip firewall nat add action=masquerade chain=srcnat disabled=no
/ip hotspot user
# Example credentials; set strong, unique passwords before deploying
add disabled=no name=admin password=123 profile=default
add disabled=no name=zaib password=test profile="512k Limit" server=hotspot1
add disabled=no name=test-256k password=test profile="256k Limit" server=hotspot1
/ip route
add disabled=no distance=1 dst-address=0.0.0.0/0 gateway=192.168.137.1 scope=30 target-scope=10
How to limit upload and download to all users in network using mikrotik RouterOS
There are two ways to do this: using mangle and queue trees, or using simple queues.
1. Mark all packets with packet-marks upload/download (let's consider that ether2-WAN is the public interface to the Internet and ether1-LAN is the local interface where clients are connected):
/ip firewall mangle add chain=prerouting action=mark-packet in-interface=ether1-LAN new-packet-mark=client_upload
/ip firewall mangle add chain=prerouting action=mark-packet in-interface=ether2-WAN new-packet-mark=client_download
2. Setup two PCQ queue types – one for download and one for upload.
dst-address is the classifier for the user's download traffic, src-address for upload traffic:
/queue type add name="PCQ_download" kind=pcq pcq-rate=64000 pcq-classifier=dst-address
/queue type add name="PCQ_upload" kind=pcq pcq-rate=32000 pcq-classifier=src-address
3. Finally, two queue rules are required, one for download and one for upload:
/queue tree add parent=global-in queue=PCQ_download packet-mark=client_download
/queue tree add parent=global-out queue=PCQ_upload packet-mark=client_upload
If you don’t like using mangle and queue trees, you can skip step 1, do step 2, and step 3 would be to create one simple queue as shown here:
/queue simple add target-addresses=192.168.0.0/24 queue=PCQ_upload/PCQ_download packet-marks=client_download,client_upload