I made simple configuration of internet access limitation at our client (tour & travel company).
So, the users can only access something that related to their job (browsing *limited*, YM and MSN).
They (div_ticketing) can browsing sites that already listed in list_ticketing.
But i have problem with Skype!!! I'm stuck with this about 6 hours...
I tried add skype server IP but too many, either with ports (skype doesn't use static port), then i test L7 protocol "skypetoskype" but i still can not open the Skype.
I think the key is Skype connection need established, then
2 ;;; Accept established connections
chain=forward action=accept connection-state=established
will allow others...
Any idea to solve this?
[admin@MikroTik] > ip firewall filter print
Flags: X - disabled, I - invalid, D - dynamic
0 ;;; Allow OpenDNS
chain=output action=accept dst-address=208.67.220.220
1 ;;; Allow OpenDNS
chain=output action=accept dst-address=208.67.222.222
2 ;;; Accept established connections
chain=forward action=accept connection-state=established
3 ;;; Accept related connections
chain=forward action=accept connection-state=related
4 ;;; Jump to services chain
chain=forward action=jump jump-target=services
5 ;;; Drop invalid connections
chain=forward action=drop connection-state=invalid
6 ;;; Drop everything else
chain=forward action=drop
7 ;;; DIV. TICKETING
chain=services action=accept src-address-list=div_ticketing dst-address-list=list_ticketing
dst-port=80,8080,3000,443 protocol=tcp
8 ;;; DIV. TICKETING - Allow YM
chain=services action=accept src-address-list=div_ticketing dst-address-list=list_YM
9 ;;; DIV. TICKETING - Allow MSN
chain=services action=accept src-address-list=div_ticketing dst-port=1863 protocol=tcp
Re: Drop them all, but allow some! How about Skype??
I'm very surprised you managed to block skype in the first place 
skype uses supernodes (other skype users nearby) to connect to the server, it also can look like SSL traffic, so it's very hard to track
skype uses supernodes (other skype users nearby) to connect to the server, it also can look like SSL traffic, so it's very hard to track
-
-
yudigadget
Frequent Visitor
- Posts: 60
- Joined:
Re: Drop them all, but allow some! How about Skype??
Yes normis, my plan is apply this configuration in emergency state. Sometime main internet connection at our client is down, so i must enable the 56K Dial-Up connection for backup connection and that very small bandwidth share to 20 usersI'm very surprised you managed to block skype in the first place
skype uses supernodes (other skype users nearby) to connect to the server, it also can look like SSL traffic, so it's very hard to track
.So i need to set the best internet access limitation, by limit some group of IP (division), specific IP, port, etc.
but i think nevermind.. 56K connection can not use for Skype connection right? hehe
I just want to know how to use L7 protocol in this case (knowledge reason).. so it will catch Skype first connection, then after that connection will established. Is that possible?
Re: Drop them all, but allow some! How about Skype??
You will not be able to block skype even with l7 rules, however you can mark skype connections and packets in mangle and add queue to prioritize other traffic leaving for skype lowest possible bandwidth.
Re: Drop them all, but allow some! How about Skype??
Pray tell how would I do this please?You will not be able to block skype even with l7 rules, however you can mark skype connections and packets in mangle and add queue to prioritize other traffic leaving for skype lowest possible bandwidth.
Re: Drop them all, but allow some! How about Skype??
/ip firewall mangle
3 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypetoskype
4 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypeout
5 chain=forward action=mark-packet new-packet-mark=skype-pack passthrough=no connection-mark=skype
/queue simple
4 name="queue2" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=skype-pack direction=both priority=8 queue=default/default
limit-at=1000/1000 max-limit=1000/1000 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default
These rules are catching almost all chats and skype calls, but file transfers are not working with these rules.
As I said it is not possible to catch all skype traffic even with L7.
It is also possible that these rules will catch not only skype traffic packets.
3 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypetoskype
4 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypeout
5 chain=forward action=mark-packet new-packet-mark=skype-pack passthrough=no connection-mark=skype
/queue simple
4 name="queue2" dst-address=0.0.0.0/0 interface=all parent=none packet-marks=skype-pack direction=both priority=8 queue=default/default
limit-at=1000/1000 max-limit=1000/1000 burst-limit=0/0 burst-threshold=0/0 burst-time=0s/0s total-queue=default
These rules are catching almost all chats and skype calls, but file transfers are not working with these rules.
As I said it is not possible to catch all skype traffic even with L7.
It is also possible that these rules will catch not only skype traffic packets.
Last edited by mrz on Wed Sep 24, 2008 4:00 pm, edited 1 time in total.
Re: Drop them all, but allow some! How about Skype??
thanks mrz, much appreciated.
Re: Drop them all, but allow some! How about Skype??
Hello, how I can get the "skypetoskype" and "skypeout" marks?/ip firewall mangle
3 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypetoskype
4 chain=forward action=mark-connection new-connection-mark=skype passthrough=yes layer7-protocol=skypeout
5 chain=forward action=mark-packet new-packet-mark=skype-pack passthrough=no connection-mark=skype
Thanks
--
Mareg