MikroTik: Controlling Access

Prerequisites

Before you can use Sonar to control access on a MikroTik, you need to build address lists and add the MikroTik as an inline device in Sonar. Once both prerequisites are met, follow the steps below to start controlling access based on account attributes in Sonar. This guide covers two approaches: dropping traffic and redirecting traffic.

Dropping traffic works regardless of what the customer is doing on the network. Redirecting traffic only works on plain HTTP, not HTTPS, and is therefore not a recommended access control method on its own.

Dropping Traffic

  1. Winbox into the MikroTik you would like to set up rules on and go to IP > Firewall > Filter Rules, then hit the blue "+" button to create a new filter rule.
  2. Under the General tab, leave the Chain on "forward": customer traffic transits the router rather than terminating on it. In the Advanced tab, set the Src. Address List to the address list whose traffic you would like to drop. In this article we will use the "Delinquent" list.
  3. Under the Action tab, set the Action to Drop. It is also best practice to set a Comment describing what the rule does, for example "Drop all Delinquent Traffic". Once this is set, press OK on the comment and OK on the rule.

If you have built these rules on a live network and the list contains addresses that are currently sending traffic, you should see the Bytes and Packets counters climbing for each filter rule. A rule whose counters stay at zero is usually in the wrong chain or has the wrong address list selected.

Redirecting Traffic

Using your inline device to redirect traffic allows you to take non-paying customers' network traffic and redirect any HTTP request to a domain of your choosing. In many cases you would redirect traffic to the customer portal, which removes the customer's ability to reach any other HTTP website.

Traffic redirection with an inline device only works on HTTP traffic, not HTTPS. According to Google's Transparency Report, 96% of all traffic going through Google Chrome is now encrypted, and encrypted traffic bypasses the redirection. Sites the browser already knows via HSTS never issue a plain-HTTP request at all, so there is nothing for the proxy to redirect; the customer simply sees a connection failure. Treat the redirect as a courtesy page for the minority of plain-HTTP requests, with the drop rules doing the actual enforcement.

  1. Winbox into the MikroTik you would like to set up rules on and navigate to IP > Web Proxy.
  2. Check the Enabled box and enter a high, non-standard port in the Port field; this is the port the web proxy will listen on. In this example we will use port 16099.
  3. Click the Access button, then click the blue "+" button to create a new Web Proxy Rule. For the first rule, set the Dst. Host to the hostname of your customer portal (the host part only, without http:// or a path). If you have not yet built your customer portal, follow the customer portal articles to do so first. Set the Action to "allow" and click OK.
  4. Click the blue "+" button again to create a second Web Proxy Rule. This time set the Action to "deny" and enter the URL of your customer portal in the Redirect To field, then click OK. Any request for a host other than the portal is now answered with a redirect to the portal.
  5. Next we will build a firewall rule to allow access to the web proxy. Navigate to IP > Firewall > Filter Rules, then click the blue "+" button to create a new filter rule. Under the General tab, set the Chain to "input", the Protocol to "6 (tcp)" and the Dst. Port to 16099. Under the Advanced tab, set the Src. Address List to "Delinquent" so that only delinquent hosts can reach the proxy; without this restriction, the proxy is reachable from any interface, including the internet, and a MikroTik with an open web proxy is a well-known abuse target. Under the Action tab, set the Action to "accept". Click the Comment button and call this rule "Allow to Web Proxy", then click OK on the comment and OK on the rule.
  6. Now we can build the firewall rule that sends delinquent traffic to its own chain. Once again, create a new filter rule. Under the General tab, leave the Chain on "forward". Under Advanced, set the Src. Address List to "Delinquent". Under the Action tab, set the Action to "jump" and the Jump Target to "delinquent" (typing a new chain name here creates the chain). Click the Comment button and call this rule "Delinquent Forward to Web Proxy", then click OK on the comment and OK on the rule. Drag this rule above the "Drop all Delinquent Traffic" rule built earlier; both are in the forward chain, and the jump must be evaluated first.
  7. Now we will build rules to allow delinquent traffic DNS and HTTPS access. Click the blue "+" button to create a new filter rule. Under the General tab, set the Chain to "delinquent", the Protocol to "udp", and the Dst. Port to "53". Under the Advanced tab, set the Src. Address List to "Delinquent". Under the Action tab, set the Action to "accept". Click the Comment button and call this rule "Allow DNS to Delinquent", then click OK on the comment and OK on the rule.
  8. Create one more filter rule. Under General, set the Chain to "delinquent", the Protocol to "6 (tcp)", and the Dst. Port to 443. Under the Advanced tab, set the Src. Address List to "Delinquent". Under the Action tab, set the Action to "accept". Click the Comment button and call this rule "Allow HTTPS to Delinquent", then click OK on the comment and OK on the rule. Reading the rule list from top to bottom, the new rules should now be: Allow to Web Proxy, Delinquent Forward to Web Proxy, Allow DNS to Delinquent, Allow HTTPS to Delinquent, Drop all Delinquent Traffic. Order only matters within a chain: a packet that nothing in the "delinquent" chain accepts returns to the forward chain at the rule after the jump, which is the drop, so the jump must stay above the drop.
  9. Finally, configure NAT to redirect incoming port 80 connection attempts from delinquent hosts to the web proxy. Navigate to IP > Firewall > NAT and click the blue "+" button to create a new NAT rule.
     1. General
        1. Set the Chain to dstnat
        2. Set the Protocol to 6 (tcp)
        3. Set the Dst. Port to 80
     2. Advanced > Src. Address List: Delinquent
     3. Action
        1. Action: redirect (this sends the connection to the router itself, which is why the "Allow to Web Proxy" rule lives in the input chain)
        2. To Ports: 16099 (or whatever port you chose when setting up the web proxy)
     4. Add a comment such as "Delinquent HTTP to Web Proxy", then click OK on the comment and OK on the rule.
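The complete rule set from the Dropping Traffic and Redirecting Traffic sections above, entered from the RouterOS terminal instead of Winbox. This is an added example, not configuration taken from the original article or from Sonar. It assumes the address list is named "Delinquent" (Sonar populates it in production; one entry is added by hand here so the rules can be exercised), that the customer portal is reachable at the placeholder hostname portal.example.com, and that the web proxy listens on port 16099.

```routeros
# Added example, not from the original article or from Sonar.
# Assumptions: address list "Delinquent", portal at portal.example.com
# (placeholder hostname), web proxy on port 16099.

# Constructed test entry so the rules match something without Sonar.
/ip firewall address-list
add list=Delinquent address=10.10.10.23 comment="constructed test entry"

# Web proxy: allow only the portal host; everything else is redirected to it.
/ip proxy
set enabled=yes port=16099
/ip proxy access
add dst-host=portal.example.com action=allow comment="Allow portal"
add action=deny redirect-to=portal.example.com comment="Everything else to portal"

# Filter rules. Order matters only within a chain: the jump must sit above
# the drop in the forward chain, and the accepts live in the delinquent chain.
/ip firewall filter
# Router-local: only delinquent hosts may reach the proxy. Restricting the
# source prevents the proxy being reachable as an open proxy from elsewhere.
add chain=input protocol=tcp dst-port=16099 src-address-list=Delinquent \
    action=accept comment="Allow to Web Proxy"
# Transit traffic from delinquent hosts is evaluated in its own chain first.
add chain=forward src-address-list=Delinquent action=jump \
    jump-target=delinquent comment="Delinquent Forward to Web Proxy"
add chain=delinquent protocol=udp dst-port=53 src-address-list=Delinquent \
    action=accept comment="Allow DNS to Delinquent"
add chain=delinquent protocol=tcp dst-port=443 src-address-list=Delinquent \
    action=accept comment="Allow HTTPS to Delinquent"
# Anything the delinquent chain did not accept returns here and is dropped.
add chain=forward src-address-list=Delinquent action=drop \
    comment="Drop all Delinquent Traffic"

# NAT: send delinquent HTTP to the local proxy. "redirect" targets the router
# itself, which is why the proxy accept rule above is in the input chain.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address-list=Delinquent \
    action=redirect to-ports=16099 comment="Delinquent HTTP to Web Proxy"

# Verification: counters should climb on live traffic from listed hosts,
# and the drop rule must print last among the forward-chain Delinquent rules.
/ip firewall filter print stats where src-address-list=Delinquent
/ip firewall nat print stats where src-address-list=Delinquent
/ip proxy access print
```

The `print stats` lines are the check a practitioner runs after applying the rules: a rule with zero packets while a listed host is active is in the wrong chain or matches the wrong list. Remove the constructed address-list entry before Sonar takes over the list, or it will keep a real address blocked.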
