Monday, 15 February 2016

Limit number of connections based on user profile, Mikrotik Hotspot

Managing firewall rules for a Mikrotik hotspot can be tricky: the hotspot always ignores mangle rules. If we create a mangle rule for hotspot traffic and then open its Statistics tab, it shows no activity. Since mangle rules do not help us manage hotspot traffic per user, there is one easy way to catch users' traffic: have the hotspot automatically trap each logged-in user's IP address into a firewall address list. Once their addresses are trapped, we can apply any rule to them, for example limiting their number of connections.

Let's start trapping users' IP addresses

  1. Open Winbox and connect to the Mikrotik hotspot server.
  2. On the Hotspot menu, create a new user profile (say we want a public hotspot where 75 people can use the same login name and password).
  3. Set everything up, such as the profile name, bandwidth limit or anything else that suits your needs, then set Shared Users = 75 to allow at most 75 users to use the same login name and password.
  4. Set an Address List name (this is how we trap their IP addresses).
  5. Apply and close.
  6. Create a user name and assign it the profile created above (75 users can use this login name and password at the same time).
Test your setup by logging in with that user's credentials; your IP address should now appear in Firewall > Address Lists.
At this point, any rule can be applied to all logged-in users, either in the Firewall or in the Queue settings. Let's try limiting their number of TCP connections (we use this limit to reduce problems on the hotspot network, i.e. virus traffic that sometimes floods our internet link with thousands of connections from a single computer).
Create a firewall filter rule and set:
  1. On the General tab: Chain = forward, Protocol = tcp.
  2. On the Advanced tab: Src. Address List = the address list name from step 4 of the trapping section, TCP Flags = syn.
  3. On the Extra tab, under Connection Limit: Limit = maximum number of connections + 1 (for example, for a maximum of 20 connections, enter 21), Netmask = 32.
  4. On the Action tab: Action = drop.
  5. Apply and close.
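The same two procedures (trapping the profile's users into an address list, then dropping excess TCP connections from that list) written as RouterOS terminal commands, as an added example that is not part of the original post. The profile name `public-75`, the user name `public`, the password placeholder, the address list name `hotspot-public`, the bandwidth limit and the blocked port are values assumed for this example; the `print` commands are the checks that correspond to the post's "your IP address should be shown on Firewall address lists" test.

```routeros
# Trapping, steps 1-5: a hotspot user profile whose logged-in users are
# added automatically to the firewall address list "hotspot-public"
# (profile name, list name and rate limit are constructed for this example)
/ip hotspot user profile add name=public-75 shared-users=75 \
    address-list=hotspot-public rate-limit=2M/2M

# Trapping, step 6: one shared login that up to 75 clients may use at once
# (the password is a placeholder; set your own)
/ip hotspot user add name=public password=CHANGE-ME profile=public-75

# Check: after a client logs in, its address is listed here as a dynamic (D) entry
/ip firewall address-list print where list=hotspot-public

# Connection limit: drop a new TCP connection (SYN) from any single trapped
# address once it reaches the post's "max + 1" count, counted per /32
/ip firewall filter add chain=forward protocol=tcp tcp-flags=syn \
    src-address-list=hotspot-public connection-limit=21,32 \
    action=drop comment="hotspot-public: max 20 TCP connections per client"

# The same address list reused for the other control the post mentions,
# blocking a port for public users (tcp/445 is a constructed example value)
/ip firewall filter add chain=forward protocol=tcp dst-port=445 \
    src-address-list=hotspot-public action=drop \
    comment="hotspot-public: block tcp/445"

# Check: packet and byte counters show whether the rules match hotspot traffic
/ip firewall filter print stats where comment~"hotspot-public"
```

Rule order matters in the forward chain: if an earlier rule already accepts hotspot traffic, the drop rules above never see it, so move them above such rules (Winbox drag-and-drop, or `place-before=` on the `add` command) and watch the counters from the last `print stats` while a test client is logged in.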
There are still many things we can do with this address list through the firewall filter; for example, we can block specific port numbers for public hotspot users to prevent viruses from spreading through our network on those ports. We have also blocked access to some web addresses for specific users (mostly public ones), and limited YouTube streaming for specific users. Because many of our public hotspot users are unknown to us, we think trapping their addresses is the only way to handle them.