Saturday, April 30, 2016

Securing the Web proxy in MikroTik

Securing the web proxy

/ip firewall filter add chain=input src-address=0.0.0.0/0 protocol=tcp dst-port=8080 in-interface=WAN action=drop

Replace 8080 with your web proxy port and WAN with the interface that faces the Internet.


Very simple!!!

Securing the DNS in MikroTik

For decades, security practitioners have advised people to limit DNS queries against their DNS servers to UDP port 53 only. The reality is that DNS queries can also use TCP port 53 if UDP port 53 is not accepted. Now, with the impending deployment of DNSSEC and the eventual addition of IPv6, we will need to allow our firewalls to forward both TCP and UDP port 53 packets.
DNS can be used by attackers as one of their reconnaissance techniques. Public information contained in a target's servers is valuable to an attacker and helps them focus their attacks. Attackers can use a variety of techniques to retrieve DNS information through queries. However, hackers often try to perform a zone transfer from your authoritative DNS servers to gain access to even more information.



Do not tick the "Allow Remote Requests" checkbox.

/ip firewall filter add chain=input action=drop in-interface=ether1 src-address=0.0.0.0/0 dst-port=53 protocol=udp comment="Securing DNS udp"


/ip firewall filter add chain=input action=drop in-interface=ether1 src-address=0.0.0.0/0 dst-port=53 protocol=tcp comment="Securing DNS tcp"
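An added example (not from the original post): a small Python check that reads a RouterOS export and reports which of the services secured above (web proxy port, DNS on UDP and TCP 53) are not dropped on the WAN interface by the first matching input rule. The function names and the sample export are constructed for illustration; the check assumes no backslash line continuations and does not expand port ranges.

```python
import shlex

# Matchers this check understands; rules using any other matcher
# (connection-state, address lists, ...) are skipped as conditional.
KNOWN = {"chain", "action", "protocol", "dst-port", "in-interface",
         "src-address", "comment", "disabled"}

def parse_rules(text):
    """Return /ip firewall filter rules, in order, as dicts of key=value."""
    rules, section = [], ""
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("/"):
            # Section header, or a full one-line command as typed on this page.
            section, sep, rest = line.partition(" add ")
            if not sep:
                continue
            line = "add " + rest
        if section == "/ip firewall filter" and line.startswith("add "):
            rules.append(dict(t.split("=", 1)
                              for t in shlex.split(line[4:]) if "=" in t))
    return rules

def could_match(rule, proto, port, wan):
    """True if an unconditional rule applies to proto/port arriving on wan."""
    ports = rule.get("dst-port")
    return (set(rule) <= KNOWN
            and rule.get("chain") == "input"
            and rule.get("disabled", "no") != "yes"
            and rule.get("protocol", proto) == proto
            and rule.get("in-interface", wan) == wan
            and rule.get("src-address", "0.0.0.0/0") == "0.0.0.0/0"
            and (ports is None or str(port) in ports.split(",")))

def exposed_services(text, wan, proxy_port=8080):
    """List (protocol, port) pairs whose first matching input rule is not a drop."""
    rules = parse_rules(text)
    exposed = []
    for proto, port in [("tcp", proxy_port), ("udp", 53), ("tcp", 53)]:
        first = next((r for r in rules if could_match(r, proto, port, wan)), None)
        if first is None or first.get("action") != "drop":
            exposed.append((proto, port))
    return exposed

# Constructed sample export: the TCP 53 drop rule is missing.
SAMPLE_EXPORT = """
/ip firewall filter
add chain=input connection-state=established,related action=accept
add chain=input action=drop in-interface=ether1 dst-port=53 protocol=udp comment="Securing DNS udp"
add chain=input action=drop in-interface=ether1 dst-port=8080 protocol=tcp
"""

if __name__ == "__main__":
    print(exposed_services(SAMPLE_EXPORT, "ether1"))
```

Because the firewall stops at the first matching rule, an accept rule placed above the drop rules is reported as exposure even when the drop rules are present.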

Friday, April 29, 2016

Equal Bandwidth for All Users with PCQ in MIKROTIK Router (Best configuration for home/small office use)

Per Connection Queue (PCQ) is a queuing discipline that can be used to dynamically equalize or shape traffic for multiple users with little administration. PCQ scenarios can be divided into three major groups: equal bandwidth for a number of users, equal distribution of a certain bandwidth between an unknown number of users, and equal distribution of an unknown bandwidth (upstream/downstream) between users. See the example below for a better understanding.


We will configure the MT router for unknown bandwidth equal distribution between users.

Let's consider that,
ether1: WAN(public interface to the Internet) 
ether2: LAN (local interface where clients are connected)

and LAN network: 10.0.0.0/24



/ip firewall mangle add action=mark-connection chain=forward comment="PCQ Equal mark-conn" new-connection-mark=equal-mark-con src-address=10.0.0.0/24
/ip firewall mangle add action=mark-packet chain=forward comment="PCQ Equal mark-pack" connection-mark=equal-mark-con new-packet-mark=equal-mark-pack
/queue type add kind=pcq name=pcq_down pcq-classifier=dst-address
/queue type add kind=pcq name=pcq_up pcq-classifier=src-address
/queue tree add name=DOWNLOAD packet-mark=equal-mark-pack parent=ether2 queue=pcq_down
/queue tree add name=UPLOAD packet-mark=equal-mark-pack parent=ether1 queue=pcq_up




Connect users step by step and monitor the average rate each time: connect one user and monitor the average rate, then two users, then three, then four.

It works very well!

Sunday, April 24, 2016

What does HOTSPOT mean in MikroTik?

Hotspot in MikroTik is an authentication method that allows users to connect through their browser without using any software or driver. It is an HTTP-based authentication method. It is an easy way to connect to your network because it always reminds the user to log in before using the Internet: the login page is shown when the user tries to open any website.

Hope you now have a clear concept of HOTSPOT in MikroTik.