
protecting local network by filter rules

Posted: Wed May 18, 2011 9:12 am
by salytwo
Hello all,

You know MikroTik's capability of blocking ports, but I have a hotspot configured, so when I add drop rules in the filter it becomes unusable or has no effect. So how can I associate it with the hotspot?
The second frustrating thing is the web proxy hit counters. Are they not saved?

thanks bros.

Re: protecting local network by filter rules

Posted: Wed May 18, 2011 7:07 pm
by Feklar
Going to need a lot more detail to provide assistance, like what kind of rules you are trying to add, and specifically what rules you added.

Re: protecting local network by filter rules

Posted: Thu May 19, 2011 8:29 am
by salytwo
These are the rules [queue tree]:


[admin@MikroTik] /queue tree> print
Flags: X - disabled, I - invalid
0 name="youtube" parent=global-out packet-mark=youtube limit-at=0
queue=default-small priority=8 max-limit=1000 burst-limit=0
burst-threshold=0 burst-time=0s

1 name="zip file" parent=global-out packet-mark=zip limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

2 name="rar" parent=global-out packet-mark=rar limit-at=0
queue=default-small priority=8 max-limit=8000 burst-limit=0
burst-threshold=0 burst-time=0s

3 name="avi" parent=global-out packet-mark=avi limit-at=0
queue=default-small priority=8 max-limit=1000 burst-limit=0
burst-threshold=0 burst-time=0s

4 name="7z" parent=global-out packet-mark=7z limit-at=0 queue=default-small
priority=8 max-limit=3000 burst-limit=0 burst-threshold=0 burst-time=0s

5 name="asf" parent=global-out packet-mark=asf limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

6 name="bin" parent=global-out packet-mark=bin limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

7 name="flv" parent=global-out packet-mark=flv limit-at=0
queue=default-small priority=8 max-limit=1000 burst-limit=0
burst-threshold=0 burst-time=0s

8 name="iso" parent=global-out packet-mark=iso limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

9 name="mkv" parent=global-out packet-mark=mkv limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

10 name="exe" parent=global-out packet-mark=exe limit-at=0
queue=default-small priority=8 max-limit=1000 burst-limit=0
burst-threshold=0 burst-time=0s

11 name="mov" parent=global-out packet-mark=mov limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

12 name="mp3" parent=global-out packet-mark=mp3 limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

13 name="mp4" parent=global-out packet-mark=mp4 limit-at=0
queue=default-small priority=8 max-limit=1000 burst-limit=0
burst-threshold=0 burst-time=0s

14 name="mpeg" parent=global-out packet-mark=mpeg limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

15 name="mpg" parent=global-out packet-mark=mpg limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

16 name="nrg" parent=global-in packet-mark=nrg limit-at=0 queue=default
priority=8 max-limit=16000 burst-limit=0 burst-threshold=0 burst-time=0s

17 name="pdf" parent=global-out packet-mark=pdf limit-at=0
queue=default-small priority=8 max-limit=16000 burst-limit=0
burst-threshold=0 burst-time=0s

Can I specify which rules should apply to hotspot users? I mean, if I want some users to pass these rules (get around them), can this be done?

thanks

Re: protecting local network by filter rules

Posted: Thu May 19, 2011 7:49 pm
by Feklar
I'm not sure what your queue tree has to do with the filter rules and blocking ports that you talked about in the OP and the subject?

Yes, you can get certain queues to apply, or not apply, to certain end users as long as you mark their packets appropriately and take that into account in the queue tree. How you go about that is completely up to you (address lists, connection marks, etc.). Also, based on your queue names, you aren't going to get the results that you expect. The router is a layer 3 device; determining what is being downloaded over a given connection is generally a layer 7 function. Someone downloading an ISO, an MP3, or browsing the internet via HTTP is exactly the same protocol and exactly the same thing to a router. While MikroTik does have some layer 7 functionality, it is very CPU intensive and should only be used as a last resort and in limited situations.
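The address-list approach described in the reply above, written out as RouterOS configuration. This is an added example, not configuration posted in the thread: the list name queue-bypass, the sample addresses, the layer7 definition iso-dl and the marks bypass, iso-conn and iso are all assumed. A layer7 matcher is included only because the OP's packet marks (iso, mp3, ...) imply that one feeds the queue tree; as the reply says, it is the CPU-expensive part, and it is kept to a single pattern here. Connections started by a listed host get their own connection mark and stop in the mangle chain before the layer7 rule is reached, so they never receive the "iso" packet mark and the queue never sees them; every other host is shaped as before.

```routeros
# Added example, not from the thread. All names and addresses below are assumed.

# 1. Hosts that must bypass the per-file-type queues. A hotspot client is
#    matched by the address the hotspot assigned it, so list that address.
/ip firewall address-list
add list=queue-bypass address=10.5.50.10 comment="staff laptop, never shaped"
add list=queue-bypass address=10.5.50.0/28 comment="management block, never shaped"

# 2. Assumed layer7 matcher behind the OP's "iso" packet mark. Every packet of
#    every still-unmarked connection is inspected until the connection is
#    marked, which is where the CPU goes; keep such patterns few and short.
/ip firewall layer7-protocol
add name=iso-dl regexp="^.*(get|GET).+\\.iso.*\$"

/ip firewall mangle
# 3a. Bypass first. A connection opened by a listed host is tagged "bypass" and
#     processing stops here (passthrough=no), so rule 3b never sees its packets
#     in either direction: the reply packets already carry the "bypass" mark.
add chain=prerouting src-address-list=queue-bypass action=mark-connection new-connection-mark=bypass passthrough=no comment="listed hosts: never tagged for the queue tree"
# 3b. Everyone else. Only connections with no mark yet reach the layer7 test;
#     prerouting sees both directions of forwarded traffic, which layer7 needs.
add chain=prerouting connection-mark=no-mark layer7-protocol=iso-dl action=mark-connection new-connection-mark=iso-conn passthrough=yes comment="tag .iso downloads from shaped clients"
# 3c. Turn the connection mark into the packet mark the queue tree matches on.
add chain=prerouting connection-mark=iso-conn action=mark-packet new-packet-mark=iso passthrough=no comment="packet mark for the iso queue"

# 4. Same shape as the OP's entries: the queue only ever receives "iso" packets.
/queue tree
add name=iso parent=global-out packet-mark=iso queue=default-small max-limit=16000
```

To confirm the bypass is doing what you expect, start a download from a listed host and an unlisted host and compare counters with /ip firewall mangle print stats and /queue tree print stats: only the unlisted host's traffic should increment the "iso" rules and queue.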