Tag archive: Mikrotik

MikroTik User Management (RouterOS User)

MikroTik User Management plays an important role in MikroTik system administration as well as MikroTik security. Do not confuse the title User Management with the MikroTik UserManager. UserManager is an optional and totally separate package distributed by MikroTik. UserManager is an implementation of a RADIUS server that is used to maintain not only RouterOS users but also PPPoE, PPTP, Hotspot, Wireless and DHCP users. In a few future articles, I will discuss how to maintain these users with the MikroTik UserManager RADIUS server.




MikroTik RouterOS has a local user database which defines how login users are created and how their permissions are assigned. Without proper user management it is impossible to maintain MikroTik administration as well as MikroTik security, because in most cases a MikroTik Router operates on a public network, where thousands of hackers will try to break your MikroTik Router configuration. So, as the network admin of a MikroTik Router, it is your first duty to know how to manage MikroTik RouterOS users properly.

MikroTik User List Window

In this article we will learn how to manage MikroTik RouterOS users with proper permission.




How to Create MikroTik RouterOS User




By default, an admin user with full permission and no password is created when MikroTik RouterOS runs for the first time. So, after the first login, your first duty is to assign a strong password to the admin user. I always prefer to remove the admin user and create another user with full permission, because admin is a well-known username and an attacker will always try to log in to your MikroTik Router as admin. If you keep this admin user, half of the attacker's work is already done and he only needs to guess your password to log in to your MikroTik router. On the other hand, if you remove the admin user, it becomes much harder to guess both your full-permission username and its password.






In Winbox, users are found under the System > Users menu item. The following steps show how to create a RouterOS user with Winbox.




  • Go to the System > Users menu item. The User List window will appear.
  • Click the PLUS SIGN (+) to create a new user. The New User window will appear.
  • Put the username (login name) in the Name input field.
  • Choose the user's permission level from the Group dropdown menu. By default three permission levels are present: full, read and write. Full permission means an administrator user who has all privileges, read permission allows only viewing the configuration, and write permission allows all privileges except the ftp and policy permissions. I will discuss custom permission levels and their privileges elaborately in the next section. Now choose the permission level you want for your user from the Group dropdown menu.
  • Optionally, you can assign the IP address from which the user is allowed to log in to the system. If you want to assign an IP address, put it in the Allowed Address input box. You can also assign multiple IP addresses by clicking the arrow sign on the right side.
  • Put the user's password in the Password input box and retype it in the Confirm Password input box.
  • Click the Apply and OK buttons.




A new user has been created successfully. Sometimes you may need to edit an existing user's properties. Now I will show you how to edit your existing users.




How to Edit MikroTik RouterOS User




Editing a user is easier than creating a new one. The following steps show how to edit an existing user's properties.




  • Double click on the user you want to edit. The User property window will appear.
  • Now you can edit the username (login name), the user's permission level and the user's allowed IP address.
  • If you want to change the user's password, click the Password button on the button panel and change the password.
  • Click the Apply and OK buttons.




How to Remove, Disable or Enable MikroTik RouterOS user




Sometimes you may need to remove, disable or enable a MikroTik user. Removing (or disabling and enabling) a user is very easy. Just right click on the desired user and then choose the option you want from the menu that appears.




How to Create Custom Permission Level




Users' permission levels are located under the Groups tab. By default three permission levels (called user Groups) are created, but you can create as many user permission levels as you want and assign their policies. The following steps show how to create a new user group with policies.

  • Click on the Groups tab and then click the PLUS SIGN (+) to create a new group. The New Group window will appear.
  • Put your custom group name in the Name input box.
  • Now choose the policies for this group from the Policies panel. The available policies and their descriptions are given in the table below.

    Policy Name   Description
    local         User can log on locally via console
    telnet        User can log on remotely via telnet
    ssh           User can log on remotely via secure shell
    winbox        User can log on remotely via winbox
    ftp           User can log on remotely via ftp and send and retrieve files from the router
    reboot        User can reboot the router
    read          User can retrieve the configuration
    write         User can retrieve and change the configuration
    policy        Manage user policies, add and remove users
    test          User can run ping, traceroute, bandwidth test
    web           User can log on remotely via https
    ppp           User can log on using ppp connections to the router (PPP, PPTP, PPPoE)
    api           User can access the router via api

  • After choosing the group policies, click the Apply and OK buttons.
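The same steps from the user-creation and custom-group sections done from the RouterOS terminal instead of Winbox, as an added example that is not part of the original article. The usernames, the helpdesk group, the management subnet and the passwords are placeholder assumptions.

```routeros
# Added example (not from the original article): RouterOS terminal equivalent
# of the Winbox steps above. Replace the placeholder names, subnet and passwords.

# 1. A custom group built only from policies listed in the table above.
#    Policies not named are off, and the "!" prefix denies them explicitly,
#    so this "helpdesk" group can view the configuration, log in via Winbox
#    or SSH and run ping/traceroute, but cannot change config, reboot,
#    use ftp or manage users.
/user group add name=helpdesk \
    policy=read,winbox,ssh,test,!write,!policy,!ftp,!reboot,!local,!telnet,!web,!api

# 2. A full-permission replacement for the well-known "admin" account,
#    restricted to logins from the management subnet (Allowed Address).
/user add name=netops group=full password="CHANGE-ME-long-passphrase" \
    address=192.168.88.0/24 comment="primary administrator"

# 3. A restricted user in the custom group, limited to a single host.
/user add name=support group=helpdesk password="CHANGE-ME-too" \
    address=192.168.88.50/32

# 4. Open a second Winbox/SSH session as netops and confirm it works BEFORE
#    removing the default account, otherwise you lock yourself out.
/user remove [find name="admin"]

# 5. Disable, re-enable and review accounts (right-click menu in Winbox).
/user disable [find name="support"]
/user enable [find name="support"]
/user print
/user group print
```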




How to manage MikroTik RouterOS users has been discussed in this article. I hope you are now able to manage and secure your MikroTik Router easily. However, if you face any problem managing your MikroTik RouterOS users, feel free to discuss it in the comments or contact me via the Contact page. I will try my best to help you.



2017-10-22T01:24:01
MikroTik Router Tutorials & Guides

MikroTik Block Website (Facebook, YouTube and Other Sites)

MikroTik Firewall is a powerful security tool that can be used to block unwanted websites. If you are a network administrator, sometimes you may be required to block websites like Facebook, YouTube, pornographic sites and so on. To block these types of websites, you just need to create Firewall Rules that drop any connection to these websites through your MikroTik Router. MikroTik Firewall basic concepts, such as what MikroTik Firewall is, what a MikroTik Firewall Rule is and how to implement a MikroTik Firewall Rule, were discussed in my previous article. If you feel you need the basic concepts of MikroTik Firewall, feel free to spend some time studying that article. In this article, I am only going to show how to block unwanted websites using MikroTik Firewall Rules.




How MikroTik Firewall Blocks Websites




MikroTik Firewall blocks websites using Filter Rules. A MikroTik Filter Rule has two parts.




  • The conditional part, which takes various matching properties such as Chain, Source Address, Destination Address, Protocol, Source Port, Destination Port, Layer7 Protocol etc.
  • The action part, which for blocking a website takes only the drop action.






If the conditional part of a Filter Rule matches, MikroTik Firewall drops that connection, so no user can access that website through the MikroTik Router.




Why Layer7 Protocol




MikroTik Firewall is capable of blocking a website not only by source address or destination address but also by Layer7 Protocol. A Layer7 Protocol uses a Perl-style regex (regular expression) to match a keyword in the URL. If a match occurs, the action of the Filter Rule that uses this Layer7 Protocol is taken. As we want to block websites by keyword, such as Facebook, YouTube etc., we will create a Layer7 Protocol with a regex and then use this Layer7 Protocol in our Filter Rule.




Block Facebook, YouTube with MikroTik Filter Rule




Now we will create a Filter Rule that blocks websites like Facebook, YouTube or any other website you want. The complete process of creating a Filter Rule can be divided into two steps.




  • Step 1: Creating a Layer7 Protocol to select the desired website, and
  • Step 2: Creating a Firewall Rule to block that selected website.




Step 1: Creating Layer7 Protocol to Select Desired Website




Before creating the Filter Rule, we need to create a Layer7 Protocol with a regex, because this Layer7 Protocol will be used by the Filter Rule to match a keyword in the URL. The following steps show how to create a Layer7 Protocol with a regex.






  • Open Winbox and log in with your credentials.
  • Go to IP > Firewall and then click on the Layer7 Protocols tab.
  • Click the PLUS SIGN (+) to create a new Layer7 Protocol with a regex. The New Firewall L7 Protocol window will appear.
  • Put a meaningful name such as Facebook in the Name input box.
  • Now put the regex ^.+(facebook.com).*$ in the Regexp textarea input field if you want to block Facebook. If you are interested in learning Perl regex, you will find it here.
  • Now click the Apply and OK buttons.
  • Similarly, if you want to block YouTube, repeat steps 4, 5 and 6 but replace facebook.com with youtube.com, like ^.+(youtube.com).*$. You can put any keyword such as sex, porn etc. that you want to block within the parentheses of this regex.

Layer 7 Protocol Regex to Block Websites

We have created our Layer7 Protocols, which will be used in the Filter Rule to block our desired sites. Now we will create our Firewall Filter Rule.




Step 2: Creating Filter Rule to Block Selected Website with Layer7 Protocol




After creating the Layer7 Protocol, we will now create the Filter Rule that blocks our desired website. The following steps show how to create a Filter Rule to block any website.




  • Click on the Filter Rules tab and then click the PLUS SIGN (+) to create a new Filter Rule. The New Firewall Rule window will appear.
  • In the General tab, choose forward from the Chain dropdown menu.
  • We leave both Src. Address and Dst. Address untouched because we want to block all users. If you want to block a specific user, put his/her IP address in the Src. Address input box, or if you want to block an IP block, put that IP block in the Src. Address input box.
  • Click on the Protocol dropdown menu and choose tcp.
  • Put ports 80,443 in the Dst. Port input box. Values should be comma separated.
  • Click on the Advanced tab and then choose the Layer7 Protocol you created before from the Layer7 Protocol dropdown menu.
  • Now click on the Action tab and choose drop from the Action dropdown menu.
  • Click the Apply and OK buttons.
  • Similarly, you can create another Filter Rule to block any other website.

Filter Rule to Block Websites

The Filter Rule to block the website has been created. The above rule blocks all users from accessing our desired website. But sometimes you may need to allow access to this website for a specific user. In this case, you have to create another Filter Rule where the user's IP address is provided as the source address and the Filter action is accept.




How to Allow a Specific User to a Blocked Website




The above Filter Rule that we have created blocks all users in your LAN. But sometimes you may have specific users who need to access a blocked website such as Facebook, YouTube etc. The following steps show how to give a specific user access to a blocked website.




  • Click on the Filter Rules tab and then click the PLUS SIGN (+) to create a new Filter Rule. The New Firewall Rule window will appear.
  • In the General tab, choose forward from the Chain dropdown menu.
  • Put the IP address of the user who will be allowed to access the blocked website in the Src. Address input box.
  • Click on the Protocol dropdown menu and choose tcp.
  • Put ports 80,443 in the Dst. Port input box.
  • Click on the Advanced tab and then choose the Layer7 Protocol that will be allowed for this user from the Layer7 Protocol dropdown menu.
  • Now click on the Action tab and choose accept from the Action dropdown menu.
  • Click the Apply and OK buttons.
  • Similarly, you can add another IP address (user) that may access the blocked website.




Note: You must place the allow rule before the drop rule. Otherwise, the allowed user's traffic will hit the drop rule first and he/she cannot access the desired website.
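Step 1, Step 2 and the per-user allow rule from the RouterOS terminal, as an added example that is not part of the original article. The allowed host 192.168.88.10 and the rule comments are placeholder assumptions; the example also escapes the dots in the article's regex, because an unescaped "." matches any character, and it uses place-before so the accept rule lands ahead of the drop rule as the note above requires. On port 443 the hostname is visible only in the TLS ClientHello (SNI), which is what the Layer7 matcher sees there.

```routeros
# Added example (not from the original article): Layer7 protocol, drop rule
# and per-user accept rule from the RouterOS terminal. 192.168.88.10 is a
# placeholder for the user who keeps access.

# Step 1: Layer7 protocols. "\$" keeps RouterOS from treating "$" as a
# variable inside double quotes; "\\." becomes "\." in the regex so it
# matches a literal dot instead of any character.
/ip firewall layer7-protocol add name=Facebook regexp="^.+(facebook\\.com).*\$"
/ip firewall layer7-protocol add name=YouTube regexp="^.+(youtube\\.com).*\$"

# Step 2: drop rule in the forward chain for everyone, HTTP and HTTPS.
/ip firewall filter add chain=forward protocol=tcp dst-port=80,443 \
    layer7-protocol=Facebook action=drop comment="drop-facebook"

# Allow one user. The firewall evaluates rules top to bottom and stops at the
# first match, so the accept rule must sit above the drop rule; place-before
# inserts it there instead of appending it at the end.
/ip firewall filter add chain=forward src-address=192.168.88.10 protocol=tcp \
    dst-port=80,443 layer7-protocol=Facebook action=accept \
    comment="allow-facebook-192.168.88.10" \
    place-before=[find comment="drop-facebook"]

# Verify the order (accept above drop) and watch the packet counters.
/ip firewall filter print
```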

Allow IP to Blocked Websites

I hope you will be able to block any unwanted website using a Layer7 protocol and a MikroTik Firewall filter rule if you follow the above steps properly. However, if you face any confusion following the above steps, feel free to watch my video about MikroTik Block Website (Facebook, YouTube etc). I hope it will clear up any confusion.