Monday, 28 December 2015

Mikrotik Guest Wi-Fi

If you have a home Wi-Fi network (who doesn't? No, the Amish don't count), it's a good idea to make a guest Wi-Fi, so your friends and family don't all end up knowing your Wi-Fi password or reaching the resources on your local network. With Mikrotik the setup is pretty simple. So let's do this.

What will we do here:

  • Create a separate SSID named wirelessinfo_guest
  • Create a separate IP address and DHCP pool for that interface
  • Create a masquerade rule for internet access
  • Block traffic going from guest to LAN and vice versa

First of all, you need to create a virtual AP interface under your physical Wi-Fi interface and give it a name:

Name the new interface ap-Guest.

Under the Wireless tab set the SSID and, for now, apply the default security profile.

NOTE: The default profile is probably the one your private Wi-Fi is already using, so the guest SSID will temporarily share your private password. We keep it here for now and create a separate profile for the guests later.

Now create a new Address for the new interface. In our case that will be , but you can set this up as you wish, as long as you adjust the firewall rules below accordingly. Apply that address to the ap-Guest interface.

Create a DHCP server for the new network and bind it to the interface ap-Guest.

Now we need a masquerade rule for the guest subnet under Firewall\NAT (chain srcnat), so the guest traffic is translated to the external IP on its way out.

Now we need to block the traffic going from to and vice versa. Just create these two simple rules in the forward chain and move them to the top of the filter list, above any accept rules, so they match first.
First rule:

And the second rule, in the opposite direction, also with action DROP.

Apply and OK

Now, if you connect to your guest SSID, you should have working internet, but the password is still the same as for your private Wi-Fi. To change that go to:
Wireless\Security Profiles and press +. Choose a profile name, WPA2 PSK with AES as the encryption, and a password for the guests that is different from your private one.

Apply that profile under Security Profile on the new wireless interface ap-Guest:

Now if you connect to your guest network, you have to use the password specified in the new security profile.
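Here is the whole procedure above as RouterOS terminal commands, so you can paste it instead of clicking through Winbox. This is an added example, not the original post's configuration: the radio name wlan1, the LAN bridge bridge-local on 192.168.88.0/24, the WAN port ether1, the guest subnet 192.168.20.0/24 and the guest key are all assumed values, so change them to match your router. It also adds two things the Winbox steps do not cover: client isolation on the guest AP, and input-chain rules so guests cannot reach the router's own Winbox, SSH or web interface.

```routeros
# Added example (not from the original post). Assumed values:
#   wlan1           = physical radio the virtual AP hangs off
#   bridge-local    = LAN bridge, LAN subnet 192.168.88.0/24
#   ether1          = WAN port
#   192.168.20.0/24 = guest subnet, router is 192.168.20.1
#   ChangeMeGuest   = guest pre-shared key (pick your own, 8+ chars)

# Guest security profile first, so the virtual AP never runs with the
# private password, not even briefly.
/interface wireless security-profiles add name=guest mode=dynamic-keys authentication-types=wpa2-psk unicast-ciphers=aes-ccm group-ciphers=aes-ccm wpa2-pre-shared-key=ChangeMeGuest

# Virtual AP. default-forwarding=no also stops guest clients from reaching
# each other through the AP.
/interface wireless add name=ap-Guest master-interface=wlan1 ssid=wirelessinfo_guest security-profile=guest default-forwarding=no disabled=no

# Address, pool and DHCP server for the guest subnet.
# dns-server=192.168.20.1 assumes /ip dns set allow-remote-requests=yes.
/ip address add address=192.168.20.1/24 interface=ap-Guest
/ip pool add name=guest-pool ranges=192.168.20.10-192.168.20.254
/ip dhcp-server add name=guest-dhcp interface=ap-Guest address-pool=guest-pool lease-time=1h disabled=no
/ip dhcp-server network add address=192.168.20.0/24 gateway=192.168.20.1 dns-server=192.168.20.1

# NAT for internet access.
/ip firewall nat add chain=srcnat src-address=192.168.20.0/24 out-interface=ether1 action=masquerade

# Block guest <-> LAN in both directions. place-before=0 puts each rule at
# the top of the filter list, ahead of any accept rules.
/ip firewall filter add chain=forward src-address=192.168.20.0/24 dst-address=192.168.88.0/24 action=drop comment="guest -> lan" place-before=0
/ip firewall filter add chain=forward src-address=192.168.88.0/24 dst-address=192.168.20.0/24 action=drop comment="lan -> guest" place-before=0

# The forward rules do not protect the router itself: guests could still
# reach Winbox, SSH and the web UI on 192.168.20.1. Allow only DHCP and DNS.
/ip firewall filter add chain=input src-address=192.168.20.0/24 protocol=udp dst-port=53,67 action=accept comment="guest dhcp/dns"
/ip firewall filter add chain=input src-address=192.168.20.0/24 protocol=tcp dst-port=53 action=accept comment="guest dns tcp"
/ip firewall filter add chain=input src-address=192.168.20.0/24 action=drop comment="guest -> router"

# Checks: the guest AP is up, a client got a lease, and the counters on the
# two drop rules climb when a guest pings a LAN host.
/interface wireless print where name=ap-Guest
/ip dhcp-server lease print where server=guest-dhcp
/ip firewall filter print stats where chain=forward
```

The three input rules are appended at the end of the input chain, so they only take effect if no earlier input rule already accepts everything from the guest interface; check with /ip firewall filter print where chain=input and move them up if needed. Connecting a phone to the guest SSID and trying to open 192.168.20.1 in a browser is the quickest way to confirm the router-side block works.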
I hope this has been clear, and may the force be with you :)

Tuesday, 22 December 2015

Mikrotik Basic DOS Attack prevention

Sometimes on the internet you piss people off. And in this day and age everybody can be a script kiddie and run some tool that spams your IP and overloads your internet connection. If you have a shitty router you're done. But luckily you own a Mikrotik. So here we will make some rules to block someone who wants to DoS your WAN IP. Before you get too happy about having a router that can do DoS prevention, you must know that this kind of prevention takes its toll on the router's CPU, so if you have the cheapest hAP Lite for 20$, you will be easily overpowered. If you own a better router, let's say an RB2011, RB3011 or a bad boy like a CCR, you're good. But if you REALLY pissed the wrong people off and are the target of a DDoS attack, well, in that case you are screwed no matter what you own. Your best bet is to change your IP :D

So what can you do with a Mikrotik?

In the input chain, you can make a firewall rule that counts the TCP connections each source address has open to the router and, once a threshold you set is reached, puts that IP on an address list. A second rule then tarpits everything coming from that list.

First of all you need to know the basics behind the Mikrotik Tarpit functionality.

The Tarpit action exploits the 3-way handshake used to establish a TCP connection. When your router receives the initial SYN packet from the DoS-er it replies with a SYN/ACK, but it does not open a socket or prepare a connection; in fact it can forget all about the connection after sending the SYN/ACK. The remote side, however, sends its ACK (which gets ignored) and believes the 3-way handshake to be complete. Then it starts to send data, which never reaches a destination. The connection will time out after a while, but since the attacker's system believes it is dealing with a live (established) connection, it is conservative about timing it out and will instead retransmit, back off, retransmit, and so on for quite a while. That ties up sockets and memory on the attacker's computer and can freeze his program. The Tarpit action is especially useful for slowing down brute force attacks against SSH and Telnet, because every connection the tool opens hangs instead of failing fast.

How do we implement this on the router?

Well, I will make one example, but you need to customize it to your needs.
We will create these rules under /ip firewall filter in the terminal window.
1.      We make a rule that counts the TCP connections coming into the router on the input chain. If the threshold we set is reached, the source address of the packet is put on an address list for 24 hrs (that is also customizable). In our case that will be 50 connections (FYI, that is low).
2.      In the second step we take that list and tarpit the IP addresses that try to DoS us.

1.       chain=input action=add-src-to-address-list protocol=tcp src-address=! address-list=DOS address-list-timeout=1d connection-limit=50,32 log=no log-prefix=""

2.       chain=input action=tarpit protocol=tcp src-address-list=DOS log=no log-prefix=""

How does the router read such a rule?

The first rule: if a TCP packet arrives at the router, is not sourced from , and its source already has more than 50 TCP connections to me, put that source IP on the DOS list for 24 hrs.
At this point the router has taken no action against the source IP other than putting it on the list.
But you must customize those 50 connections to your needs; a whole office behind one NAT address, or a busy client, can legitimately hold more than that.

The second rule: tarpit any TCP traffic coming from an IP on the address list named DOS.

Just remember to put the tarpit rule above the first rule, so packets from a listed IP are handled by the tarpit rule alone and are not re-evaluated by the counting rule on every packet. That takes load off the router. Because listed sources no longer reach the first rule, their list entry is not refreshed and simply expires after 24 hrs; a source that is still flooding gets re-listed as soon as it crosses the threshold again.
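The two rules entered in the right order, together with the checks I would run before trusting them, as an added example that is not part of the original post. The LAN subnet 192.168.88.0/24 excluded from the counting rule is an assumed value; use your own, otherwise a busy LAN host can land on the DOS list and get tarpitted by its own router.

```routeros
# Added example (not from the original post). Assumed values:
#   192.168.88.0/24 = your LAN subnet, which must never land on the DOS list
#   50              = connection threshold; raise it for real-world use

# connection-limit counts tracked connections, so connection tracking must be on.
/ip firewall connection tracking set enabled=yes

# Rule 1 from the post, placed at the top of the filter list.
/ip firewall filter add chain=input protocol=tcp src-address=!192.168.88.0/24 connection-limit=50,32 action=add-src-to-address-list address-list=DOS address-list-timeout=1d comment="DOS detect" place-before=0

# Rule 2 from the post, also placed at the top, which pushes it above rule 1:
# listed sources are tarpitted here and never reach the counting rule again.
/ip firewall filter add chain=input protocol=tcp src-address-list=DOS action=tarpit comment="DOS tarpit" place-before=0

# Checks: rule order (tarpit must print first), who is on the list,
# how many TCP connections the router is tracking, and whether the
# tarpit counters move once something is listed.
/ip firewall filter print where comment~"DOS"
/ip firewall address-list print where list=DOS
/ip firewall connection print count-only where protocol=tcp
/ip firewall filter print stats where comment~"DOS"
```

Two caveats a practitioner should keep in mind. These rules only look at connections to the router itself (input chain); traffic forwarded to hosts behind the router is not counted. And a SYN flood with spoofed source addresses will fill the list with random IPs and make the router answer each SYN with a SYN/ACK, so tarpit helps against tools that really complete handshakes from their own address, not against spoofed floods.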

I hope I made myself clear.

May the force be With you all :D

Mikrotik SSTP Server setup

Today we will set up a Mikrotik router to work as an SSTP server, so you can connect to your local network using a certificate for server authentication plus a username and password for the user.
Why is SSTP better than the others? It carries PPP inside a TLS session, so the client can verify the server's certificate and the tunnel gets TLS encryption, and it is far safer than PPTP, whose MS-CHAPv2 authentication is known to be broken. It also has one HUGE advantage compared to L2TP and PPTP: it uses TCP port 443 for the connection, meaning it will work almost anywhere, since port 443 is the port used by the majority of web pages and is therefore allowed on practically every network. If you have ever used a mobile network or free Wi-Fi in a hotel, you will know that some block outgoing traffic by port and only allow ports 80 and 443 for internet access, so if you are using PPTP you are out of luck if you want to connect to your network, since your traffic to port 1723 will be blocked.
I personally used SSTP to bypass P2P blocking restrictions. In a hotel I stayed at for a week there was nothing on TV, so I tried to download some movies; to no surprise, P2P traffic was blocked. So what I did was connect to my home router via SSTP, so all my traffic went through the encrypted tunnel and the hotel router could not block it since it could not decrypt the traffic. Well, the download speed was shitty, but it worked and I got my movies downloaded through the night. :)

So let’s start with this.

FIRST we need to import our certificates to the router. If you don't have the certificates, see my previous blog post on how to create them.
Open Winbox, click Files, and drag and drop the two files (certificate and private key) onto the router.

Open the terminal and type this in, or paste it, with your correct passphrase:

/certificate import file-name=ca.crt passphrase=yourpassword
/certificate import file-name=ca.key passphrase=yourpassword

Now type: /certificate print

You should see the letters K and T in front of the certificate: K means the private key is present on the router, T means the certificate is trusted.
It should look a bit like this. It MUST show KT, or else SSTP will not work.

As you can see the name of the cert is cert_1; remember it, as you will need it later.

Now that the hard part is over let’s go to the simpler stuff.

In WinBox click PPP, go to the Profiles tab and click +.

Here create the profile for your SSTP connection, as seen in the pictures. The name you can change to your liking. The only things I need to explain here are the local and remote address: the local address is the router's own LAN address, and for the remote address I use my LAN DHCP pool, so VPN clients get addresses from the same range as the LAN. Oh yeah, and as you can see I added bridge-local to the profile. Why? If you add bridge-local to the SSTP profile and then go to Interfaces and enable proxy-ARP on that bridge (as seen in the picture below), LAN hosts will answer ARP requests on behalf of the VPN clients, and you will be able to ping and access the other machines on the network behind the router. If you don't do that, the VPN will still come up as it should, but you will not have connectivity to the internal network.

Now you need to create usernames and passwords for the users that will connect, under PPP/Secrets: name, password, service sstp and the profile you just created. Look at the picture. Yes. So simple I will not even bother to explain.

And last but not least, enable the SSTP server under PPP/Interface/SSTP Server. Use the settings below, just remember to pick the right certificate (cert_1 in our case). Apply and OK.


That is the whole magic.
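The router side of the setup above as terminal commands, so you can compare against what you clicked together in Winbox. This is an added example, not the original post's configuration: the certificate name cert_1 is the one the post's /certificate print showed, while bridge-local, the router address 192.168.88.1, the pool name dhcp_pool1, the WAN interface ether1-gateway and the user vpnuser are assumed values.

```routeros
# Added example (not from the original post). Assumed values:
#   cert_1         = name /certificate print showed for the imported cert
#   bridge-local   = LAN bridge, router LAN address 192.168.88.1
#   dhcp_pool1     = pool the LAN DHCP server hands addresses from
#   ether1-gateway = WAN interface
#   vpnuser / S3cret-Example = PPP secret (pick your own)

/certificate import file-name=ca.crt passphrase=yourpassword
/certificate import file-name=ca.key passphrase=yourpassword
/certificate print
# expect flags KT on the certificate you hand to the SSTP server

# PPP profile: router-side address, client addresses from the LAN pool, the
# LAN bridge so clients sit on the LAN segment, and encryption mandatory.
/ppp profile add name=sstp-profile local-address=192.168.88.1 remote-address=dhcp_pool1 bridge=bridge-local use-encryption=required

# Proxy ARP on the bridge, so LAN hosts can resolve the VPN clients.
/interface bridge set [find name=bridge-local] arp=proxy-arp

# One user, tied to the SSTP service and the profile above.
/ppp secret add name=vpnuser password=S3cret-Example service=sstp profile=sstp-profile

# Enable the server on 443 with the imported certificate; MS-CHAPv2 only,
# AES forced and perfect forward secrecy on.
/interface sstp-server server set enabled=yes port=443 certificate=cert_1 authentication=mschap2 force-aes=yes pfs=yes

# Let TCP/443 from the WAN reach the router, ahead of any "drop all from WAN"
# rule; bridged VPN traffic to the LAN needs no extra forward rule.
/ip firewall filter add chain=input in-interface=ether1-gateway protocol=tcp dst-port=443 action=accept comment="sstp in" place-before=0

# Checks after a client connects.
/interface sstp-server print
/ppp active print
```

Two things worth checking before you rely on this. The Windows client compares the name in the server certificate with the address you type into the VPN connection, so the certificate on the router must carry that hostname or IP as its common name. And the key imported here is the CA's own key: anyone who reads it off the router can issue certificates every client trusts, so on an internet-facing router it is better to issue a separate server certificate signed by the CA, import only that certificate and its key, and keep the CA key offline.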

Now you need to import the ca.crt certificate on your computer into the Trusted Root Certification Authorities store of the local machine. If you don't know how to do that, here is a link:

Caution: the link I provided describes adding a certificate to the Personal certificate store. You need to add your certificate to the Trusted Root store, so choose the folder accordingly.

Now set up the VPN connection on your computer/laptop and connect. I will not go through that process, so here is another link for SSTP client setup on Windows 7; the process for Windows 8 and 10 is similar. Use the username and password you specified under PPP/Secrets on the Mikrotik.

Here is my connection – Working. 

I hope this has been clear and informative if you have any troubles and questions please leave them at the comment section below.

May the force be with you, and happy holidays and Merry Christmas and all that stuff.