Dynamic Bandwidth Shaper for ISPs, the Hospitality Industry, and Education
 
Configuring Mikrotik Router OS for use with the DBS

Overview

To allow the DBS to access and manage your router(s) while maintaining a high level of security, we recommend taking the following steps:

  • Back up your router's configuration
  • Secure and configure a static IP for your router
  • Secure your router's interface to the Internet
  • Enable the API service
  • Secure the API service
  • Open the API port on the firewall

Note: the following examples were created using Router OS version 4.16.

Back up your router's configuration

As a best practice we highly recommend that you back up your router's current configuration before continuing with any configuration changes.

  1. Open a terminal, connect to your router (SSH is preferred; Telnet sends your password across the network in the clear) and log in.
  2. Enter the following command, replacing [filename] with something meaningful:

    > /system backup save name="[filename]"

Make a note of the [filename]; it is needed if the configuration has to be restored. The backup is written to the router's own file store, so also download a copy to another machine (a backup that lives only on the router is no help if the router itself is lost or reset) and treat it as sensitive, since it holds the complete configuration.

Secure and configure a static IP for your router

The DBS needs to reach your Mikrotik router(s) at an address that does not change, so the router must have a static, publicly reachable IP address; the DBS uses this address as its central point of contact for bandwidth shaping. Static and public are separate properties: a static address is assigned permanently rather than leased by DHCP, and a public address is one routable from the Internet. The DBS needs both. The address does not need to be published in DNS.

For more information on configuration of a static IP please refer to http://wiki.mikrotik.com/wiki/Manual:IP/Address.

Secure your Router's Interface to the Internet

You can start from a secure baseline by using your router's web based user interface, called WebBox, to make sure the router's connection to the Internet is locked down.

Note: following these steps will overwrite your router's existing firewall rules. If this is not appropriate for your installation then please just follow along and familiarize yourself with this approach.

  1. Using a web browser enter your router's IP address, and hit [enter].
  2. Login to your router's WebBox user interface in the top right corner of the page by entering the administrator's user name, password, and clicking the [login] button.
  3. Click on the [Firewall] folder tab.
  4. By default, the Internet gateway interface should be selected. If it isn't then please select it.
  5. Make sure Protect Router, Protect LAN, and NAT boxes are all checked.
  6. Click [Apply]

Once you click [Apply], WebBox creates rules in your router's firewall filter that will lock down your router from outside intrusion.

Enable the API service

  1. Open a terminal, connect to your router (SSH is preferred; Telnet sends your password across the network in the clear) and log in.
  2. Enter the following command:

    > /ip service enable api

Secure the API service

When you sign up for DBS service you are provided with the IP address of the DBS host that will be managing your Mikrotik router(s). From the same terminal session, restrict the API service to that address. Substitute the DBS host address we provide for [host ip] in the following command:

    > /ip service set [find name="api"] address="[host ip]/32"

This command allows only the DBS server to connect to the router's API service. If you need to allow access to the API from other internal servers or networks, list those addresses as well, separated by commas inside the double quotes. Keep the list as short as possible: the plain API service on port 8728 does not encrypt the session, so every address allowed here can read and change the router's configuration once it has the credentials. On RouterOS releases that offer the api-ssl service (port 8729), prefer it over the plain API where the managing host supports it.
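To make concrete what the DBS host sends to port 8728 once it is allowed through, the following Python is an added example written for this page (it is not DBS or MikroTik code). It implements the RouterOS API word framing and the challenge-response login used by RouterOS releases of this era (later releases, 6.43 and newer, send the password directly instead). It runs offline on constructed values; the user name, password and challenge below are made up.

```python
"""RouterOS API framing and legacy login on TCP port 8728 (added example)."""
import hashlib


def encode_length(n):
    """Length prefix of one API word (RouterOS API variable-length encoding)."""
    if n < 0x80:
        return bytes([n])
    if n < 0x4000:
        return (n | 0x8000).to_bytes(2, "big")
    if n < 0x200000:
        return (n | 0xC00000).to_bytes(3, "big")
    if n < 0x10000000:
        return (n | 0xE0000000).to_bytes(4, "big")
    return b"\xf0" + n.to_bytes(4, "big")


def decode_length(buf, pos):
    """Return (word length, position just after the prefix) for the word at buf[pos]."""
    b0 = buf[pos]
    if b0 < 0x80:
        return b0, pos + 1
    if b0 < 0xC0:
        return ((b0 & 0x3F) << 8) | buf[pos + 1], pos + 2
    if b0 < 0xE0:
        return ((b0 & 0x1F) << 16) | int.from_bytes(buf[pos + 1:pos + 3], "big"), pos + 3
    if b0 < 0xF0:
        return ((b0 & 0x0F) << 24) | int.from_bytes(buf[pos + 1:pos + 4], "big"), pos + 4
    return int.from_bytes(buf[pos + 1:pos + 5], "big"), pos + 5


def encode_sentence(words):
    """A sentence is a run of words terminated by a zero-length word."""
    out = b""
    for w in words:
        data = w.encode()
        out += encode_length(len(data)) + data
    return out + b"\x00"


def decode_sentences(buf):
    """Split a byte stream into sentences (lists of words); reject a truncated stream."""
    sentences, current, pos = [], [], 0
    while pos < len(buf):
        length, pos = decode_length(buf, pos)
        if length == 0:
            sentences.append(current)
            current = []
            continue
        if pos + length > len(buf):
            raise ValueError("truncated word")
        current.append(buf[pos:pos + length].decode())
        pos += length
    if current:
        raise ValueError("truncated sentence: no terminating zero-length word")
    return sentences


def first_login_sentence():
    """Client's opening sentence; the router answers with '!done' and '=ret=<challenge>'."""
    return encode_sentence(["/login"])


def legacy_login_response(password, challenge_hex):
    """Pre-6.43 login proof: '00' + MD5(0x00 + password + challenge).

    Note what this reveals: the challenge and this digest cross the wire in the
    clear, and every command sent after login is unencrypted too. That is why
    the API service must be reachable only from the DBS host.
    """
    digest = hashlib.md5(b"\x00" + password.encode() + bytes.fromhex(challenge_hex)).hexdigest()
    return "00" + digest


def login_exchange(user, password, challenge_reply):
    """Given the router's '!done =ret=<challenge>' reply bytes, build the second login sentence."""
    words = decode_sentences(challenge_reply)[0]
    if words[0] != "!done":
        raise ValueError("unexpected reply: " + words[0])
    challenge = next(w[len("=ret="):] for w in words if w.startswith("=ret="))
    return encode_sentence(["/login", "=name=" + user,
                            "=response=" + legacy_login_response(password, challenge)])


if __name__ == "__main__":
    # Constructed router reply: a 16-byte challenge, not a real session.
    reply = encode_sentence(["!done", "=ret=" + "ab" * 16])
    print(first_login_sentence())
    print(login_exchange("admin", "secret", reply))
```

Against a live router the two sentences would be written to a TCP socket connected to port 8728, with the reply read between them; everything after the second `!done` (for example `/queue/simple/print`) travels as plain words in the same framing.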

Open the API port on firewall

Since you started by locking down the router from being accessed by the outside world, you'll now need to open a TCP port into the router to accept API commands from the DBS server within the Router OS firewall filter.

The firewall filter is made up of rules grouped into chains, and the order of rules within a chain matters: packets are matched against the rules from the top down, and the first rule that matches a packet and accepts or drops it is final. There are three predefined chains, input, forward, and output, which cannot be deleted. For the purposes of opening the API port we are interested only in the input chain.

The input chain processes packets that enter the router through one of its interfaces and whose destination IP address is one of the router's own addresses. Packets passing through the router to another host are handled by the forward chain and are not processed against the rules of the input chain.

  1. While maintaining your login from the previous steps, enter the following command to export the current filter list:

    > /ip firewall filter export

  2. Copy the output into the clipboard or your favorite text editor. The following is an example of the output created:

    # jul/27/2011 14:47:40 by RouterOS 4.16 
    # software id = A2F2-ZHHW 
    # 
    /ip firewall filter 
    add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp 
    add action=accept chain=input comment="Added by webbox" connection-state=\
    	established disabled=no in-interface=eth1-gateway 
    add action=accept chain=input comment="Added by webbox" connection-state=related \
    	disabled=no in-interface=eth1-gateway 
    add action=drop chain=input comment="Added by webbox" disabled=no in-interface=\
    	eth1-gateway 
    add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=\
    	eth1-gateway jump-target=customer 
    add action=accept chain=customer comment="Added by webbox" connection-state=\
    	established disabled=no 
    add action=accept chain=customer comment="Added by webbox" connection-state=\
    	related disabled=no 
    add action=drop chain=customer comment="Added by webbox" disabled=no
    

    Note: backslashes in the example above only indicate the continuation of the line and don't actually exist in the export.

  3. Create a script called "dbs_open_ports" by entering the following command:

    > /system script add name="dbs_open_ports"

  4. Edit the script by entering the command:

    > /system script edit [find name="dbs_open_ports"] source

  5. Paste the contents of the clipboard (results of "/ip firewall filter export") into the full screen editor.
  6. Replace the comments at the top with the following command, which will delete all existing firewall filters when executed.

    /ip firewall filter remove [find]

  7. Find the rule that contains "action=drop chain=input" and insert the following command above it. The accept rule must come before the drop rule, because the drop rule would otherwise discard the API traffic first.

    add action=accept chain=input comment=API disabled=no dst-port=8728 in-interface=eth1-gateway protocol=tcp

    /ip firewall filter remove [find]
    /ip firewall filter 
    add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp 
    add action=accept chain=input comment="Added by webbox" connection-state=\
    	established disabled=no in-interface=eth1-gateway 
    add action=accept chain=input comment="Added by webbox" connection-state=related \
    	disabled=no in-interface=eth1-gateway
    add action=accept chain=input comment=API disabled=no dst-port=8728 in-interface=\
    	eth1-gateway protocol=tcp	 
    add action=drop chain=input comment="Added by webbox" disabled=no in-interface=\
    	eth1-gateway 
    add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=\
    	eth1-gateway jump-target=customer 
    add action=accept chain=customer comment="Added by webbox" connection-state=\
    	established disabled=no 
    add action=accept chain=customer comment="Added by webbox" connection-state=\
    	related disabled=no 
    add action=drop chain=customer comment="Added by webbox" disabled=no
    
    Note: The additions are the "remove [find]" line at the top and the "comment=API" accept rule immediately above the input-chain drop rule. Also remember, rules with "chain=input" are associated with traffic directed at the router. The API rule accepts TCP port 8728 from any source on the gateway interface; it is the address setting on the API service from the previous section that limits access to the DBS host. For defense in depth you can also add src-address=[host ip] to the API rule so that the firewall enforces the same restriction.

  8. From your keyboard, issue the key combination Ctrl+o to save and quit full screen editor.
  9. Finally, run the "dbs_open_ports" script. Because it removes every filter rule before adding the new set, make sure you still have another way to reach the router (a local console or a session from the LAN side) in case a mistake in the script locks out remote access. Issue the command:

    > /system script run [find name="dbs_open_ports"]
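Steps 1 to 9 above can also be done mechanically. The following Python script is an added example written for this page (it is not DBS or MikroTik code): it takes the text of a "/ip firewall filter export", drops the comment header, joins wrapped lines, and produces the dbs_open_ports script with the remove command first and the API accept rule directly above the input-chain drop rule. It refuses to produce a script when no such drop rule exists rather than guess where the rule belongs. The sample export is the listing above, and the DBS host address 203.0.113.10 used for the optional src-address match is a constructed placeholder.

```python
"""Generate the dbs_open_ports script from a RouterOS firewall filter export (added example)."""
import re

# Constructed sample: the export listing from this page, including the
# backslash line continuations a wrapped export may contain.
SAMPLE_EXPORT = """\
# jul/27/2011 14:47:40 by RouterOS 4.16
# software id = A2F2-ZHHW
#
/ip firewall filter
add action=accept chain=input comment="Added by webbox" disabled=no protocol=icmp
add action=accept chain=input comment="Added by webbox" connection-state=\\
    established disabled=no in-interface=eth1-gateway
add action=accept chain=input comment="Added by webbox" connection-state=related \\
    disabled=no in-interface=eth1-gateway
add action=drop chain=input comment="Added by webbox" disabled=no in-interface=\\
    eth1-gateway
add action=jump chain=forward comment="Added by webbox" disabled=no in-interface=\\
    eth1-gateway jump-target=customer
add action=accept chain=customer comment="Added by webbox" connection-state=\\
    established disabled=no
add action=accept chain=customer comment="Added by webbox" connection-state=\\
    related disabled=no
add action=drop chain=customer comment="Added by webbox" disabled=no
"""


def unwrap_export(text):
    """Drop '#' comment lines and join backslash-continued lines into one rule each."""
    rules, pending = [], None
    for raw in text.splitlines():
        line = raw.strip() if pending is None else pending + raw.lstrip()
        if line.rstrip().endswith("\\"):
            pending = line.rstrip()[:-1]  # spacing before the backslash is kept as-is
            continue
        pending = None
        line = line.rstrip()
        if line and not line.startswith("#"):
            rules.append(line)
    if pending is not None:
        rules.append(pending.rstrip())
    return rules


def build_open_ports_script(export_text, dbs_host=None, port=8728, iface="eth1-gateway"):
    """Return the dbs_open_ports script text for the given export.

    dbs_host (assumed parameter) adds a src-address match so the firewall
    enforces the same restriction as the API service's address setting.
    """
    rules = unwrap_export(export_text)
    api_rule = ("add action=accept chain=input comment=API disabled=no "
                "dst-port=%d in-interface=%s protocol=tcp" % (port, iface))
    if dbs_host:
        api_rule += " src-address=%s" % dbs_host
    # The accept rule must sit above the first input-chain drop rule.
    for i, rule in enumerate(rules):
        if re.search(r"(^|\s)action=drop(\s|$)", rule) and re.search(r"(^|\s)chain=input(\s|$)", rule):
            break
    else:
        raise ValueError("no 'action=drop chain=input' rule found; refusing to guess placement")
    script = ["/ip firewall filter remove [find]"] + rules[:i] + [api_rule] + rules[i:]
    return "\n".join(script) + "\n"


if __name__ == "__main__":
    print(build_open_ports_script(SAMPLE_EXPORT, dbs_host="203.0.113.10"))
```

Paste the printed text into the full screen editor opened by "/system script edit" exactly as in step 5; the generated file is the same script shown in step 7, with the remove command as its first line.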

Summary

By completing these steps you've now opened the API port of your router, which only allows access by the DBS server.


Copyright © 2011-2013 DynamicBandwidthShaper.com. All rights reserved.