Policy Routing based on Client IP Address

Image.png

WAN
# export

# WAN edge of the policy-routing lab: two /30 links towards R1 (ether2, ether3),
# each rate-limited so they behave like two different ISPs.
/queue simple
add max-limit=128k/128k name=128k target=ether2
add max-limit=256k/256k name=256k target=ether3
/ip address
add address=13.13.13.1/30 interface=ether2 network=13.13.13.0
add address=23.23.23.1/30 interface=ether3 network=23.23.23.0
/ip dhcp-client
# Upstream address comes from DHCP on ether1.
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip firewall nat
# Only the two transit /30s are masqueraded; R1 already masquerades its LANs
# behind 13.13.13.2 / 23.23.23.2, so client traffic is NATed twice on its way out.
add action=masquerade chain=srcnat src-address=13.13.13.0/30
add action=masquerade chain=srcnat src-address=23.23.23.0/30

R1
# export
# R1: two LAN segments (ether3 = 192.168.0.0/25, ether4 = 192.168.0.128/25),
# each steered to a preferred WAN link by a routing mark, with the other link
# as backup. Nothing in this export restricts traffic to the router itself
# (no /ip firewall filter), which is acceptable for the lab only.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip pool
add name=dhcp_pool1 ranges=192.168.0.21-192.168.0.125
add name=dhcp_pool2 ranges=192.168.0.131-192.168.0.235
/ip dhcp-server
add address-pool=dhcp_pool1 disabled=no interface=ether3 name=dhcp1
add address-pool=dhcp_pool2 disabled=no interface=ether4 name=dhcp2
/ip address
add address=13.13.13.2/30 interface=ether1 network=13.13.13.0
add address=23.23.23.2/30 interface=ether2 network=23.23.23.0
add address=192.168.0.1/25 interface=ether3 network=192.168.0.0
add address=192.168.0.129/25 interface=ether4 network=192.168.0.128
/ip dhcp-client
# NOTE(review): ether1 already has a static /30 above; this client looks like a
# leftover. If it ever obtained a lease it would add its own default route
# next to the static ones below -- confirm it is intended.
add dhcp-options=hostname,clientid disabled=no interface=ether1
/ip dhcp-server network
add address=192.168.0.0/25 dns-server=8.8.8.8 gateway=192.168.0.1
add address=192.168.0.128/25 dns-server=8.8.8.8 gateway=192.168.0.129
/ip firewall mangle
# Marks are applied to everything entering ether3/ether4, including traffic
# for the other LAN; the route rule below keeps that traffic in the main table.
add action=mark-routing chain=prerouting in-interface=ether3 new-routing-mark=ISP1
add action=mark-routing chain=prerouting in-interface=ether4 new-routing-mark=ISP2
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
add action=masquerade chain=srcnat out-interface=ether2
/ip route
# Per-mark tables: primary (distance 11) and backup (distance 12), both
# monitored with check-gateway=ping so the backup takes over on gateway loss.
add check-gateway=ping distance=11 gateway=13.13.13.1 routing-mark=ISP1
add check-gateway=ping distance=12 gateway=23.23.23.1 routing-mark=ISP1
add check-gateway=ping distance=11 gateway=23.23.23.1 routing-mark=ISP2
add check-gateway=ping distance=12 gateway=13.13.13.1 routing-mark=ISP2
# Unmarked (router-originated) traffic: two equal-distance defaults without
# check-gateway; presumably only one is active at a time -- verify with
# /ip route print.
add distance=11 gateway=13.13.13.1
add distance=11 gateway=23.23.23.1
/ip route rule
# Inter-LAN destinations are resolved in main regardless of the routing mark,
# otherwise LAN1<->LAN2 traffic would be sent towards an ISP.
add action=lookup-only-in-table dst-address=192.168.0.0/24 table=main
/system identity
set name=R1

PC1
# export

# PC1 stand-in: a plain DHCP client on ether3, expected to sit on one of R1's
# two DHCP segments.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3
/system identity

set name=PC1

PC2
# export
# PC2 stand-in: same shape as PC1, DHCP client on ether3.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip dhcp-client
add dhcp-options=hostname,clientid disabled=no interface=ether3
/system identity

set name=PC2

- to add an interface into a VLAN
# Bridge ether1 and ether2 together, then create a VLAN interface on the bridge.
# The bridge must exist before ports can be added to it (order matters).
/interface bridge add name=vlan_bridge
/interface bridge port add bridge=vlan_bridge interface=ether1
/interface bridge port add bridge=vlan_bridge interface=ether2

# NOTE(review): vlan-id=1 is the default/native VLAN on most switches; pick a
# dedicated id if the intent is to separate this traffic from untagged frames.
/interface vlan add disabled=no name=vlan1 interface=vlan_bridge vlan-id=1

- to delete a port from a bridge
admin@R1] > interface bridge port print
Flags: X – disabled, I – inactive, D – dynamic
 #    INTERFACE              BRIDGE              PRIORITY  PATH-COST    HORIZON
 0    ether3                 LAN_bridge              0x80         10       none
 1    ether4                 LAN_bridge              0x80         10       none
[admin@R1] > interface bridge port remove 0
[admin@R1] > interface bridge port remove 1

 

OSPF Labs

Cisco-Cisco

19-Apr 05.23.44
R1#sh run
! R1: OSPF area 0 with R2 (Ethernet1/1) and R3 (Ethernet1/2). Ethernet1/0 faces
! the upstream LAN and is the NAT outside / PAT interface for the whole lab.
hostname R1
interface Loopback0
 ip address 1.0.0.1 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 ip address 10.0.10.61 255.255.255.0
 ! no access-list is applied on this outside interface in this output
 ip nat outside
 duplex full
interface Ethernet1/1
 ip address 12.12.12.1 255.255.255.252
 ip nat inside
 duplex full
interface Ethernet1/2
 ip address 31.31.31.2 255.255.255.252
 ip nat inside
 duplex full
interface Ethernet1/3
 no ip address
 duplex full
router ospf 1
 ! the static default below is injected into area 0 for R2/R3;
 ! no OSPF interface authentication is configured on any of the three routers
 redistribute static subnets
 network 1.0.0.0 0.0.0.0 area 0
 network 12.12.12.0 0.0.0.3 area 0
 network 31.31.31.0 0.0.0.3 area 0
 default-information originate
! PAT of everything matched by ACL LAN onto Ethernet1/0's address
ip nat inside source list LAN interface Ethernet1/0 overload
ip forward-protocol nd
ip route 0.0.0.0 0.0.0.0 10.0.10.1
ip access-list standard LAN
 permit 12.12.12.0 0.0.0.3
 ! 23.23.23.0/30 is the R2-R3 link, learned via OSPF rather than directly connected
 permit 23.23.23.0 0.0.0.3
 permit 31.31.31.0 0.0.0.3
 ! wildcard 0.0.0.7 covers the loopbacks 1.0.0.1 - 1.0.0.3
 permit 1.0.0.0 0.0.0.7
R2#sh run
! R2: transit router, OSPF area 0 towards R1 (Ethernet1/1) and R3 (Ethernet1/2).
! No NAT and no default route of its own; the default comes from R1 via OSPF.
hostname R2
interface Loopback0
 ip address 1.0.0.2 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 no ip address
 duplex full
interface Ethernet1/1
 ip address 12.12.12.2 255.255.255.252
 duplex full
interface Ethernet1/2
 ip address 23.23.23.1 255.255.255.252
 duplex full
interface Ethernet1/3
 no ip address
 shutdown
 duplex full
router ospf 1
 network 1.0.0.0 0.0.0.0 area 0
 network 12.12.12.0 0.0.0.3 area 0
 network 23.23.23.0 0.0.0.3 area 0
ip forward-protocol nd
R3#sh run
! R3: transit router, OSPF area 0 towards R2 (Ethernet1/1) and R1 (Ethernet1/2).
hostname R3
interface Loopback0
 ip address 1.0.0.3 255.255.255.255
interface FastEthernet0/0
 no ip address
 shutdown
 duplex full
interface Ethernet1/0
 no ip address
 duplex full
interface Ethernet1/1
 ip address 23.23.23.2 255.255.255.252
 duplex full
interface Ethernet1/2
 ip address 31.31.31.1 255.255.255.252
 duplex full
interface Ethernet1/3
 no ip address
 shutdown
 duplex full
router ospf 1
 network 1.0.0.0 0.0.0.0 area 0
 network 23.23.23.0 0.0.0.3 area 0
 network 31.31.31.0 0.0.0.3 area 0

ip forward-protocol nd

FortiGate-FortiGate
20-Apr 00.51.19
FGT1
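# FGT1: upstream on port1 (default route via 10.0.10.1), OSPF neighbours on
# port2/port3, loopback 1.0.0.1 as router-id. Typographic quotes from the
# original paste have been replaced by plain ASCII quotes so the text loads.
config system interface
    edit "port1"
        set vdom "root"
        set ip 10.0.10.61 255.255.255.0
        # port1 is the egress side of the NAT policy below; plain-text http and
        # fgfm admin access on it is acceptable in the lab only.
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 31.31.31.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.1 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
# All three policies are any/any/ALL accept; policy 3 performs source NAT
# towards the upstream on port1.
config firewall policy
    edit 1
        set uuid ef6c951c-0627-51e6-739a-6ddf25cfc795
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 2
        set uuid 6e9d6c2c-0708-51e6-17f6-3c373c555f2b
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 3
        set uuid 0d34fb4c-070a-51e6-439a-725742a0b680
        set srcintf "port2" "port3"
        set dstintf "port1"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat enable
    next
end
config router static
    edit 1
        set gateway 10.0.10.1
        set device "port1"
    next
end
# The static default is redistributed and default-information-originate is on,
# so FGT2/FGT3 learn their default from FGT1. No OSPF authentication is set on
# any ospf-interface in this export.
config router ospf
    set default-information-originate enable
    set router-id 1.0.0.1
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.1
        next
    end
    config network
        edit 1
            set prefix 12.12.12.0 255.255.255.252
        next
        edit 2
            set prefix 31.31.31.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.1 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
        set status enable
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end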

FGT2
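# FGT2: transit node, OSPF on port2 (to FGT1) and port3 (to FGT3), router-id
# 1.0.0.2. Typographic quotes replaced by ASCII quotes; stray whitespace tidied.
config system interface
    edit "port1"
        set vdom "root"
        # port1 has no address but still exposes http/ssh/fgfm management.
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 12.12.12.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 23.23.23.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.2 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
config router ospf
    set router-id 1.0.0.2
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.2
        next
    end
    config network
        edit 1
            set prefix 12.12.12.0 255.255.255.252
        next
        edit 2
            set prefix 23.23.23.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.2 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 1
        set uuid 5a630c00-071f-51e6-e8ae-2344f9e5a0e6
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NOTE(review): NAT on a transit policy between two OSPF links rewrites
        # the source of forwarded traffic to port3's address; probably not
        # intended in a routing lab -- confirm.
        set nat enable
    next
    edit 2
        set uuid 5db36f80-071f-51e6-623f-42be7d156fd5
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end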

FGT3
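# FGT3: transit node, OSPF on port2 (to FGT2) and port3 (to FGT1), router-id
# 1.0.0.3. Typographic quotes replaced by ASCII quotes.
config system interface
    edit "port1"
        set vdom "root"
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 1
    next
    edit "port2"
        set vdom "root"
        set ip 23.23.23.2 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 2
    next
    edit "port3"
        set vdom "root"
        set ip 31.31.31.1 255.255.255.252
        set allowaccess ping https ssh http fgfm
        set type physical
        set snmp-index 3
    next
    edit "port4"
        set vdom "root"
        set type physical
        set snmp-index 4
    next
    edit "ssl.root"
        set vdom "root"
        set type tunnel
        set alias "SSL VPN interface"
        set snmp-index 5
    next
    edit "loopback"
        set vdom "root"
        set ip 1.0.0.3 255.255.255.255
        set type loopback
        set snmp-index 6
    next
end
config router ospf
    set router-id 1.0.0.3
    config area
        edit 0.0.0.0
        next
    end
    config ospf-interface
        edit "loopback"
            set interface "loopback"
            set ip 1.0.0.3
        next
    end
    config network
        edit 1
            set prefix 23.23.23.0 255.255.255.252
        next
        edit 2
            set prefix 31.31.31.0 255.255.255.252
        next
        edit 3
            set prefix 1.0.0.3 255.255.255.255
        next
    end
    config redistribute "connected"
    end
    config redistribute "static"
    end
    config redistribute "rip"
    end
    config redistribute "bgp"
    end
    config redistribute "isis"
    end
end
config firewall policy
    edit 1
        set uuid 41d5f3a0-071f-51e6-df0e-727622495609
        set srcintf "port2"
        set dstintf "port3"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        # NOTE(review): same as FGT2 policy 1 -- NAT on an internal transit
        # policy; confirm it is intended.
        set nat enable
    next
    edit 2
        set uuid 46ddcb20-071f-51e6-0dc2-22dfea80d1d2
        set srcintf "port3"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end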
NOTE:
-to refresh the OSPF database
# exe router clear ospf process
-to show the routing table

# get router info routing-table all

Juniper-Juniper
22-Apr 16.13.05.jpg

 

NOTE:

-With the current config, I have a problem pinging the Internet from R1. I don't know yet whether that is because of Unetlab or because I reduced the RAM in each router to 1GB.

R1

# show
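/* R1 (SRX-style): upstream on ge-0/0/0 (zone untrust), OSPF towards R2/R3 on
   ge-0/0/1 and ge-0/0/2 (zone trust). Typographic quotes from the paste have
   been replaced by ASCII quotes so the text can be loaded. */
system {
    host-name R1;
    root-authentication {
        /* This root password hash (the $1$ prefix indicates MD5-crypt) is
           published in these notes; treat it as compromised and set a new root
           password before reusing the config. */
        encrypted-password "$1$7VWGeJRn$iG.WRousX9Fi5BKcaZGV7/"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            /* Plain-text HTTP management bound to the untrust-facing interface.
               The untrust zone below allows no host-inbound traffic, so this is
               presumably unreachable; prefer https if management is needed. */
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet {
                address 10.0.10.61/24;
            }
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.1/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 31.31.31.2/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.1/32;
            }
        }
    }
}
routing-options {
    static {
        route 0.0.0.0/0 {
            next-hop 10.0.10.1;
            /* no-install keeps this default out of the forwarding table: it is
               exported into OSPF (policy ospf-default) but R1 itself has no
               default forwarding path. This is the likely cause of the
               "cannot ping the Internet from R1" note above; drop no-install if
               R1 must forward to the upstream. */
            no-install;
        }
    }
}
protocols {
    ospf {
        /* No interface authentication is configured; adjacencies are open. */
        export ospf-default;
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
policy-options {
    /* Export only the static default route into OSPF. */
    policy-statement ospf-default {
        from {
            protocol static;
            route-filter 0.0.0.0/0 exact;
        }
        then accept;
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    nat {
        source {
            /* Interface-based source NAT for everything leaving trust to untrust. */
            rule-set trust-to-untrust {
                from zone trust;
                to zone untrust;
                rule source-nat-rule {
                    match {
                        source-address 0.0.0.0/0;
                    }
                    then {
                        source-nat {
                            interface;
                        }
                    }
                }
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            /* All system services and protocols accepted from the trust side
               (needed for OSPF on ge-0/0/1 and ge-0/0/2). */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            /* NOTE(review): this nested "interfaces { system-services ... }"
               block is not valid zone syntax and looks like a paste artefact
               of the host-inbound-traffic block above; the real interface list
               follows it. Confirm against the device's actual configuration. */
            interfaces {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
        security-zone untrust {
            /* No host-inbound-traffic here: nothing is accepted on ge-0/0/0. */
            screen untrust-screen;
            interfaces {
                ge-0/0/0.0;
            }
        }
    }
}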
# run show ospf neighbor
Address          Interface              State     ID               Pri  Dead
12.12.12.2       ge-0/0/1.0             Full      1.0.0.2          128    32
31.31.31.1       ge-0/0/2.0             Full      1.0.0.3          128    39
# run show route
inet.0: 12 destinations, 12 routes (12 active, 0 holddown, 0 hidden)
+ = Active Route, – = Last Active, * = Both
0.0.0.0/0          *[Static/5] 01:24:39
                    > to 10.0.10.1 via ge-0/0/0.0
1.0.0.1/32         *[Direct/0] 00:55:05
                    > via lo0.0
1.0.0.2/32         *[OSPF/10] 00:54:19, metric 1
                    > to 12.12.12.2 via ge-0/0/1.0
1.0.0.3/32         *[OSPF/10] 00:54:57, metric 1
                    > to 31.31.31.1 via ge-0/0/2.0
10.0.10.0/24       *[Direct/0] 01:09:05
                    > via ge-0/0/0.0
10.0.10.61/32      *[Local/0] 01:09:05
                      Local via ge-0/0/0.0
12.12.12.0/30      *[Direct/0] 01:09:05
                    > via ge-0/0/1.0
12.12.12.1/32      *[Local/0] 01:09:05
                      Local via ge-0/0/1.0
23.23.23.0/30      *[OSPF/10] 00:54:19, metric 2
                    > to 12.12.12.2 via ge-0/0/1.0
                      to 31.31.31.1 via ge-0/0/2.0
31.31.31.0/30      *[Direct/0] 01:09:05
                    > via ge-0/0/2.0
31.31.31.2/32      *[Local/0] 01:09:05
                      Local via ge-0/0/2.0
224.0.0.5/32       *[OSPF/10] 00:55:07, metric 1

                      MultiRecv

R2

# show
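/* R2: transit node. Only a trust zone is defined; ge-0/0/0 has family inet but
   no address and belongs to no zone. Typographic quotes replaced by ASCII. */
system {
    host-name R2;
    root-authentication {
        /* Published root password hash ($1$ = MD5-crypt); treat as compromised
           and replace before reuse. */
        encrypted-password "$1$ucm0iauC$pA0/LpyHYtln36Hmw12Gj0"; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            /* Plain-text HTTP bound to ge-0/0/0.0, which carries no address
               and is in no zone, so presumably unreachable. */
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 12.12.12.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 23.23.23.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.2/32;
            }
        }
    }
}
protocols {
    ospf {
        /* No interface authentication is configured. */
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
security {
    zones {
        security-zone trust {
            /* All services and protocols accepted on the OSPF-facing links. */
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
    }

}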

R3

# show
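/* R3: transit node with the same screen/policy skeleton as R1, but the untrust
   zone has no interfaces assigned. Typographic quotes replaced by ASCII. */
system {
    host-name R3;
    root-authentication {
        /* Published root password hash ($1$ = MD5-crypt); treat as compromised
           and replace before reuse. */
        encrypted-password "$1$jYOE9h1/$8E0Rfv77QNRFiAEItVkTZ."; ## SECRET-DATA
    }
    services {
        ssh;
        web-management {
            /* Plain-text HTTP on ge-0/0/0.0, which has no address here. */
            http {
                interface ge-0/0/0.0;
            }
        }
    }
    syslog {
        file messages {
            any any;
        }
    }
    license {
        autoupdate {
        }
    }
}
interfaces {
    ge-0/0/0 {
        unit 0 {
            family inet;
        }
    }
    ge-0/0/1 {
        unit 0 {
            family inet {
                address 23.23.23.2/30;
            }
        }
    }
    ge-0/0/2 {
        unit 0 {
            family inet {
                address 31.31.31.1/30;
            }
        }
    }
    lo0 {
        unit 0 {
            family inet {
                address 1.0.0.3/32;
            }
        }
    }
}
protocols {
    ospf {
        /* No interface authentication is configured. */
        area 0.0.0.0 {
            interface ge-0/0/1.0;
            interface ge-0/0/2.0;
            interface lo0.0;
        }
    }
}
security {
    screen {
        ids-option untrust-screen {
            icmp {
                ping-death;
            }
            ip {
                source-route-option;
                tear-drop;
            }
            tcp {
                syn-flood {
                    alarm-threshold 1024;
                    attack-threshold 200;
                    source-threshold 1024;
                    destination-threshold 2048;
                    queue-size 2000; ## Warning: 'queue-size' is deprecated
                    timeout 20;
                }
                land;
            }
        }
    }
    policies {
        from-zone trust to-zone trust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone trust to-zone untrust {
            policy default-permit {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    permit;
                }
            }
        }
        from-zone untrust to-zone trust {
            policy default-deny {
                match {
                    source-address any;
                    destination-address any;
                    application any;
                }
                then {
                    deny;
                }
            }
        }
    }
    zones {
        security-zone trust {
            tcp-rst;
            host-inbound-traffic {
                system-services {
                    all;
                }
                protocols {
                    all;
                }
            }
            interfaces {
                ge-0/0/1.0;
                ge-0/0/2.0;
                lo0.0;
            }
        }
        security-zone untrust {
            /* Screen attached but no interface is in this zone. */
            screen untrust-screen;
        }
    }
}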
Mikrotik-Mikrotik
19-Apr 10.06.22
[admin@R1] > export
# R1 (MikroTik): the loopback is an empty bridge, the static default via
# 10.0.10.1 is pushed into OSPF as a type-1 external, and traffic is
# masqueraded out of ether1.
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
# No OSPF authentication appears anywhere in these three exports, so the
# adjacencies on the 12.x/31.x links are unauthenticated.
set [ find default=yes ] distribute-default=always-as-type-1 \
    redistribute-static=as-type-1 router-id=1.0.0.1
/ip address
add address=10.0.10.61/24 interface=ether1 network=10.0.10.0
add address=12.12.12.1/30 interface=ether2 network=12.12.12.0
add address=31.31.31.2/30 interface=ether3 network=31.31.31.0
# No prefix length given; RouterOS presumably treats this as /32 -- matches the
# /32 advertised below.
add address=1.0.0.1 interface=loopback network=1.0.0.1
/ip firewall nat
add action=masquerade chain=srcnat out-interface=ether1
/ip route
add distance=1 gateway=10.0.10.1
/routing ospf network
add area=backbone network=1.0.0.1/32
add area=backbone network=12.12.12.0/30
add area=backbone network=31.31.31.0/30
/system identity

set name=R1

[admin@R2] > export
# R2 (MikroTik): transit node, OSPF on ether2 (to R1) and ether3 (to R3),
# loopback 1.0.0.2 as router-id. No NAT, no static default.
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=1.0.0.2
/ip address
add address=12.12.12.2/30 interface=ether2 network=12.12.12.0
add address=1.0.0.2 interface=loopback network=1.0.0.2
add address=23.23.23.1/30 interface=ether3 network=23.23.23.0
/routing ospf network
add area=backbone network=1.0.0.2/32
add area=backbone network=12.12.12.0/30
add area=backbone network=23.23.23.0/30
/system identity

set name=R2

[admin@R3] > export
# R3 (MikroTik): transit node, OSPF on ether2 (to R2) and ether3 (to R1).
/interface bridge
add name=loopback
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/routing ospf instance
set [ find default=yes ] router-id=1.0.0.3
/ip address
add address=23.23.23.2/30 interface=ether2 network=23.23.23.0
add address=31.31.31.1/30 interface=ether3 network=31.31.31.0
/routing ospf network
# NOTE(review): 1.0.0.3/32 is advertised but no 1.0.0.3 address is assigned
# to the loopback bridge in this export (compare R1/R2) -- confirm.
add area=backbone network=1.0.0.3/32
add area=backbone network=31.31.31.0/30
add area=backbone network=23.23.23.0/30
/system identity

set name=R3

Cisco-FortiGate-Juniper-Mikrotik
 20-Apr 22.27.42.jpg

Backup Mikrotik config to FTP server

Set your ftpuser, ftppassword, ftppath, ftpserver accordingly

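# Scheduled FTP backup. Typographic quotes from the paste have been replaced by
# ASCII quotes so the script source parses. Review notes:
#  - no interval= is given, so this entry presumably runs once at the start
#    time rather than periodically (compare the Backup2Email scheduler below,
#    which uses interval=1d) -- verify on your RouterOS version;
#  - the policy list (reboot, password, ...) is wider than a backup script needs.
/system scheduler
add name=FTPBackup on-event=FTPBackup policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=00:00:00
# The FTP credentials are stored in clear inside the script source and travel
# in clear on the wire (mode=ftp). A /system backup contains the complete
# router configuration; whether the .backup file is encrypted depends on the
# RouterOS version and the password= option (none given here) -- confirm.
# Protect the FTP server and this account accordingly; the local copies are
# removed after upload.
/system script
add name=FTPBackup owner=admin policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive source=":local hostname [/system identity get name];\r\
    \n:local ftppassword \"password\"\r\
    \n:local ftpuser \"ftp\"\r\
    \n:local ftppath \"/\"\r\
    \n:local ftpserver \"10.0.10.113\"\r\
    \n\r\
    \n:local date [/system clock get date]\r\
    \n# convert name of month to number\r\
    \n:local months (\"jan\",\"feb\",\"mar\",\"apr\",\"may\",\"jun\",\"jul\",\"aug\",\"sep\",\"oct\",\"nov\",\"dec\");\r\
    \n:local month [ :pick \$date 0 3 ];\r\
    \n:local mm ([ :find \$months \$month -1 ] + 1);\r\
    \n:if (\$mm < 10) do={ :set mm (\"0\" . \$mm); }\r\
    \n# set \$date to format DDMMYYYY\r\
    \n:set date ([:pick \$date 4 6] . \$mm . [:pick \$date 7 11])\r\
    \n\r\
    \n:local filename \"\$hostname-\$date\";\r\
    \nexport compact file=\"\$filename\"\r\
    \n/system backup save name=\"\$filename\"\r\
    \n:log info \"Backup Created Successfully\"\r\
    \n/tool fetch address=\$ftpserver src-path=\"\$filename.rsc\" \\\r\
    \nuser=\$ftpuser mode=ftp password=\$ftppassword \\\r\
    \ndst-path=\"\$ftppath/\$filename.rsc\" upload=yes\r\
    \n/tool fetch address=\$ftpserver src-path=\"\$filename.backup\" \\\r\
    \nuser=\$ftpuser mode=ftp password=\$ftppassword \\\r\
    \ndst-path=\"\$ftppath/\$filename.backup\" upload=yes\r\
    \n:log info \"Backup Uploaded Successfully\"\r\
    \n/file remove \"\$filename.rsc\"\r\
    \n/file remove \"\$filename.backup\"\r\
    \n:log info \"Local Backup Files Deleted Successfully\""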

Backup Mikrotik Config to Email

SOURCE: https://aacable.wordpress.com/2012/11/19/mikrotik-auto-backup-email-using-gmail-smtp/
-create System/Script/Backup2Email

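# Backup2Email: create a binary backup and an export, mail both through Gmail
# SMTP, then delete the local copies. Typographic quotes from the paste have
# been replaced by ASCII quotes so the script parses.
#
# Review notes:
#  - the Gmail password is stored in clear in the script; anyone with script
#    read rights on the router can see it, and it is copied into /tool e-mail;
#  - dont-encrypt=yes produces an unencrypted .backup (full configuration,
#    including credentials) which is then sent as a mail attachment; whoever
#    can read the mailbox or the SMTP path has the router configuration;
#  - start-tls=yes protects the SMTP session only, not the message at rest.
:local backupfile mt_config_backup
:local mikrotikexport mt_export_backup
:local sub1 ([/system identity get name])
:local sub2 ([/system clock get time])
:local sub3 ([/system clock get date])
:local company "NGTrain"
:local adminmail1 ngtrain@gmail.com
:local gmailid ngtrain@gmail.com
:local gmailuser ngtrain
:local gmailpwd Password123
:local gmailport 587
:local gmailsmtp
:set gmailsmtp [:resolve "smtp.gmail.com"];
# Overwrites the router-wide e-mail settings with the values above.
/tool e-mail set address=$gmailsmtp port=$gmailport start-tls=yes from=$gmailid user=$gmailuser password=$gmailpwd
:log warning "$company : Creating new up to date backup files . . . "
/system backup save name=$backupfile dont-encrypt=yes
/export file=$mikrotikexport
:log warning "$company : Backup JOB process pausing for 10s so it can complete creating backup. Usually for Slow systems ..."
:delay 10s
:log warning "Backup JOB is now sending Backup File via Email using GMAIL SMTP . . ."
# Start sending the files; make sure the tools e-mail section is configured before this, otherwise it will fail.
/tool e-mail send to=$adminmail1 subject="$sub3 $sub2 $sub1 Configuration BACKUP File" file=$backupfile start-tls=yes
/tool e-mail send to=$adminmail1 subject="$sub3 $sub2 $sub1 Configuration EXPORT File" file=$mikrotikexport start-tls=yes
:log warning "$company : BACKUP JOB: Sleeping for 30 seconds so email can be delivered, "
:delay 30s
# Remove the old backup files to save space. The 30s delay is the only thing
# guarding against deleting the files before the mail has been queued.
/file remove $backupfile
/file remove $mikrotikexport

# Print log for done
:log warning "$company : Backup JOB: Process Finished & Backup File Removed. All Done. You should verify your inbox for confirmation"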

-create Scheduler
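# Daily trigger for the Backup2Email script (typographic quotes replaced by
# ASCII quotes). The policy list is broader than the script needs; trim it to
# the rights the backup/export/e-mail commands actually require.
/system scheduler
add comment="Scheduler for daily backup of MT" interval=1d name=daily-backup on-event=Backup2Email policy=ftp,reboot,read,write,policy,test,password,sniff,sensitive start-date=jan/01/1970 start-time=00:00:00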

Blocking ZenMate

CheckPoint:
Image.png

Cisco ASA:

(config)# object-group network zenmate
(config)# network-object host 78.137.98.120
(config)# network-object host 78.137.98.123
(config)# network-object host 162.159.244.96
(config)# network-object host 162.159.245.96
(config)# network-object host 207.244.77.22
(config)# network-object host 103.10.197.146
(config)# network-object host 46.165.220.211
(config)# network-object host 81.17.26.242
(config)# network-object host 149.3.140.250

(config)# access-list acl-inside extended deny ip any object-group zenmate

Cyberoam:

FortiGate:

Juniper:

Mikrotik:
# export
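/ip firewall address-list
add address=12.12.12.0/24 list=LAN
/ip firewall layer7-protocol
# Typographic quotes replaced by ASCII quotes so the regexp is parsed.
# NOTE(review): the alternation also contains bare zendesk.com, so every
# Zendesk-hosted site is matched, not only ZenMate's help desk; the unescaped
# dots match any character.
add name=zenmate regexp="^.+(zenguard.biz|zenmate.io|zenguard.zendesk.com|zendesk.com|zenguard.org).*\$"
/ip firewall filter
# Exported disabled (disabled=yes). Layer7 matching inspects the payload of
# every forwarded connection from LAN, so expect CPU cost once enabled.
add action=drop chain=forward disabled=yes layer7-protocol=zenmate src-address-list=LAN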

PaloAlto:

SonicWall:

Mikrotik EOIP in Unetlab

SOURCE: http://computechtips.com/534/mikrotik-eoip-tunnel-in-action

26-Feb 10.57.42.jpg

Image.png
NOTE:
-I am using a Mikrotik as the PC, just to prove that ping between the subnets is successful
-Unetlab will be my main testing environment from now on

[admin@PC1] > export
# feb/24/2016 15:35:38 by RouterOS 6.34.2
# PC1 stand-in on 12.12.12.0/24 behind R1 (gateway 12.12.12.1).
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.2/24 interface=ether1 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=12.12.12.1
/system identity
set name=PC1
/tool romon
# RoMON is enabled without a secrets= value; it is reachable at layer 2 from
# any neighbour on this lab segment.
set enabled=yes

[admin@R1] > export
# R1: routed EoIP tunnel (id 10) to R2 across the shared 10.0.10.0/24 segment.
# EoIP carries Ethernet frames in GRE without encryption, so everything between
# 12.12.12.0/24 and 34.34.34.0/24 crosses 10.0.10.0/24 in clear; RouterOS 6.x
# offers an ipsec-secret option on the tunnel -- verify availability on 6.34.2.
/interface ethernet
# Jumbo frames on the underlay so the 9000-byte tunnel MTU below fits.
set [ find default-name=ether1 ] mtu=9000
/interface eoip
# !keepalive: the tunnel never reports down when the peer is unreachable.
add !keepalive mac-address=FE:CC:3F:2B:A6:6E mtu=9000 name=eoip1 remote-address=\
10.0.10.143 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.1/24 interface=ether2 network=12.12.12.0
add address=10.0.10.142/24 interface=ether1 network=10.0.10.0
add address=23.23.23.1/30 interface=eoip1 network=23.23.23.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
# Remote LAN reached through the tunnel's /30.
add distance=1 dst-address=34.34.34.0/24 gateway=23.23.23.2
/system identity
set name=R1
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

[admin@R2] > export
# feb/24/2016 15:33:51 by RouterOS 6.34.2
# R2: mirror of R1 -- EoIP tunnel id 10 back to 10.0.10.142, local LAN
# 34.34.34.0/24, static route for 12.12.12.0/24 through the tunnel.
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
# Unencrypted EoIP, keepalive disabled (see R1 for the implications).
add !keepalive mac-address=FE:C1:E4:9A:A8:94 mtu=9000 name=eoip1 \
remote-address=10.0.10.142 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=10.0.10.143/24 interface=ether1 network=10.0.10.0
add address=23.23.23.2/30 interface=eoip1 network=23.23.23.0
add address=34.34.34.1/24 interface=ether2 network=34.34.34.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
add distance=1 dst-address=12.12.12.0/24 gateway=23.23.23.1
/system identity
set name=R2
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

[admin@PC2] > export
# feb/24/2016 15:35:03 by RouterOS 6.34.2
# PC2 stand-in on 34.34.34.0/24 behind R2 (gateway 34.34.34.1).
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=34.34.34.2/24 interface=ether1 network=34.34.34.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=34.34.34.1
/system identity set name=PC2
# RoMON enabled without secrets=.
/tool romon set enabled=yes

26-Feb 11.10.37.jpg

26-Feb 07.36.45.jpg

PC1
[admin@PC1] > export
# feb/25/2016 10:10:24 by RouterOS 6.34.2
# software id =
#
# PC1 stand-in for the bridged-EoIP variant: 12.12.12.2/24 behind R1.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.2/24 interface=ether1 network=12.12.12.0
/ip dns
set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=12.12.12.1
/system identity
set name=PC1
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

R1
[admin@R1] > export
# feb/25/2016 09:55:48 by RouterOS 6.34.2
# software id =
#
# R1, bridged variant: ether2 and the EoIP tunnel are put in one bridge, so
# 12.12.12.0/24 becomes a single layer-2 segment spanning both sites. The
# tunnel is still unencrypted GRE over 10.0.10.0/24 (see the routed variant).
/interface bridge
add name=bridge1
/interface eoip
# allow-fast-path=no so bridged frames go through the full (firewall-capable)
# path; keepalive disabled. Note: no mtu=9000 on ether1 here, unlike R2.
add allow-fast-path=no !keepalive mac-address=02:B5:23:BE:B8:85 name=eoip1 \
remote-address=10.0.10.143 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.142/24 interface=ether1 network=10.0.10.0
# NOTE(review): the address sits on ether2, which is now a bridge port; on
# RouterOS it would normally be placed on bridge1 -- confirm it is reachable.
add address=12.12.12.1/24 interface=ether2 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
/system identity
set name=R1
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

R2
[admin@R2] > export
# feb/25/2016 09:56:33 by RouterOS 6.34.2
# software id =
#
# R2, bridged variant: ether2 + EoIP in bridge1; R2's own address is
# 12.12.12.128/24 on the same layer-2 segment as R1 and both PCs.
/interface bridge
add name=bridge1
/interface ethernet
set [ find default-name=ether1 ] mtu=9000
/interface eoip
# Unencrypted EoIP, keepalive disabled, fast-path off for bridged traffic.
add allow-fast-path=no !keepalive mac-address=02:1B:33:BC:55:77 name=eoip1 \
remote-address=10.0.10.142 tunnel-id=10
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/interface bridge port
add bridge=bridge1 interface=ether2
add bridge=bridge1 interface=eoip1
/ip address
add address=10.0.10.143/24 interface=ether1 network=10.0.10.0
# NOTE(review): address on a bridge-port interface rather than on bridge1 --
# same remark as on R1, confirm.
add address=12.12.12.128/24 interface=ether2 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route
add distance=1 gateway=10.0.10.1
/system identity
set name=R2
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

PC2
[admin@PC2] > export
# feb/24/2016 15:35:38 by RouterOS 6.34.2
# PC2 stand-in for the bridged variant: 12.12.12.129/24, default via R2
# (12.12.12.128) on the stretched segment.
/interface wireless security-profiles
set [ find default=yes ] supplicant-identity=MikroTik
/ip address
add address=12.12.12.129/24 interface=ether1 network=12.12.12.0
/ip dns set servers=8.8.8.8,8.8.4.4
/ip route add distance=1 gateway=12.12.12.128
/system identity
set name=PC2
/tool romon
# RoMON enabled without secrets=.
set enabled=yes

Option 43 DHCP

To hand out the IP address of the wireless controller via DHCP,
we need to set it in Option 43.

The Option 43 settings are different for Cisco, Ruckus and Ubiquiti.

ARUBA:
SOURCE:
Cisco DHCP
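! Cisco IOS DHCP pool for Aruba APs (typographic quotes replaced by ASCII
! quotes so the line parses). NOTE(review): this only sets option 60, the
! vendor class "ArubaAP"; the controller address that the AP actually reads is
! normally delivered in option 43 (e.g. option 43 ip <CONTROLLER-IP>), which
! is not present in this snippet -- confirm before use.
ip dhcp pool yournet
  network 10.0.30.0 255.255.255.0
  default-router 10.0.30.1
  option 60 ascii "ArubaAP"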
RUCKUS:
UBIQUITI:
add
# 01: suboption
# 04: length of the payload (must be 4 bytes)
# 192.168.0.1 in hex = c0a80001

result: option 43 hex 0104c0a80001

SOURCE:
The same option is used to disable NetBIOS via DHCP.
Mikrotik Disable Netbios via DHCP
/ip dhcp-server option
# Raw option 43 payload: 0x01 = sub-option 1, 0x04 = length, 0x00000002 = the
# value (per the sub-option/length/value layout explained above). This is the
# Microsoft vendor-specific "NetBIOS over TCP/IP" setting, so presumably only
# Windows clients honour it -- confirm on the target client OS.
add code=43 name=OptionDisableNetBios value=0x010400000002
/ip dhcp-server network
# The option is attached to this one network only; other DHCP networks on the
# router keep their default behaviour.
add address=192.168.1.0/24 dhcp-option=OptionDisableNetBios dns-server=\
192.168.1.1 gateway=192.168.1.1