Table of Contents
1. Overview
2. Approach
3. Gathering billing information
4. Enable the Mikrotik API
5. Block specific clients
5.1. To cut all traffic of a specific group
5.2. To cut all traffic and redirect all HTML traffic to a usage page
6. In a nutshell
1. Overview
This document gives an overview of how to configure a Mikrotik RouterBOARD for MT Accounting. The following assumption applies:
The Mikrotik is positioned in your network so that it is the last physical device that traffic passes through on its way to the internet, and the first for traffic coming from the internet. (The exception might be that you have a proxy server between the Mikrotik and the internet.)
The Mikrotik(s) being used for traffic measuring is in the position shown above.
- The MT Accounting server monitors the Mikrotik(s) to measure all traffic flowing between the network and the internet.
- The Accounting server has access to the Mikrotik(s) being monitored.
- The Mikrotik(s) is responsible for gathering short-term billing statistics.
- The Mikrotik(s) is also responsible for serving as a firewall to block clients that have exceeded their allowed capacity.
- The Accounting server collects the short-term billing statistics, analyzes and categorizes the data, and stores it in a database.
2. Approach
The Mikrotik(s) has to be set up to perform the following tasks:
- Gather billing traffic information.
- Receive commands from the Accounting server.
- Block specific clients.
- Route blocked clients to a page indicating to the client that they have been blocked.
The above functionality has to be set up on the Mikrotiks in order for MT Accounting to function properly.
3. Gathering billing information
Check Enable Accounting and check Account Local Traffic. To begin with, set the Threshold to 2048 entries:
Check the Accessible via Web checkbox. If you are security aware, change the address to allow only the network mask/IP of your Accounting server to access the short-term billing information gathered by the Mikrotik.
4. Enable the Mikrotik API
Make sure the API is enabled. Again, if you are security aware, set Available From to allow only your Accounting server to have access to it:
5. Block specific clients
The Accounting server will now be able to tell the Mikrotik which clients need to be blocked or unblocked. This is done via the Address list capability of the Mikrotik, which lets it perform specific actions for entities in a specific group. By default the accounting server uses 3 different groups, but it is possible to place specific users in their own (manual and automatic) groups. The 3 default groups are:
- mt_manual: Clients which are cut by manual operator action will be placed into this group. These clients will remain in the group until they are manually removed from it by operator action.
- mt_automated: Clients which are cut automatically by the Accounting server will be placed in this group. These clients will remain in this group either until a new month starts, or until the Cap limit for this client is increased and the user is removed manually by operator action.
- mt_unknown_ips: All IP addresses falling into the same network range as your internal network, which have not been allocated to a known user or a known device, will automatically be placed in this group. This allows you to block all devices on your network which you are unaware of. The only way to remove an entity from this list is to allocate the unknown IP to a client, or a device, in the accounting server.
All other groups which you wish to use for clients with a specific need must start with mt_, as the accounting server maintains synchronization between all entries in groups starting with mt_ and its own database. If you have a group not starting with mt_, the accounting server will ignore the entries in that group.
- A rule to cut traffic is required.
- A rule to redirect traffic to a page indicating that the user has been cut.
5.1. To cut all traffic of a specific group
Don't do anything on the Extra Tab or the Statistics Tab. The Action Tab
This rule will block all TCP/IP traffic when the user's IP is added to the mt_manual group.
5.2. To cut all traffic and redirect all HTML traffic to a usage page
A standard usage page on the accounting server is available. This page displays either a web page indicating your current usage or a suspended notification combined with a usage page. To achieve this you need to add a NAT rule combined with two Filter rules. Again, the example below is only for the mt_manual group. You need to do this for each group.
The first rule is a firewall rule that makes sure the DNS capability of the client is not affected by any of the other rules associated with the groups. This is required: without resolving the domain name, a browser will not attempt to connect to the site. The General tab: The Advanced tab:
The second rule is a firewall rule to block all traffic except the traffic of ports 80-81: The General tab: The Advanced tab:
Don't do anything on the Extra or the Statistics tab. The Action tab
Note: In this case the traffic going to ports 80 and 81 is not blocked, because the NAT rule will forward this traffic to the accounting server. Note that your accounting server must be set to run on port 81 for this to work.
To achieve this, add the NAT rule as indicated by the images below:
Don't do anything on the Extra or the Statistics tab. The Action tab
Set the To Addresses to point to your accounting server (in the example's case it is 10.0.0.202) and the To Ports to the port on which the accounting server is hosting its web server (likely port 81). If you use a different port, make sure the firewall rule does not block traffic to that port. Together the two Filter rules and the NAT rule block all non-HTML traffic and forward HTML traffic to the accounting server.
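The steps above (accounting, the API restriction, and the section 5.2 rules for mt_manual) written as RouterOS terminal commands. This is an added example, not part of the original document: it assumes a RouterOS release that still has the /ip accounting menu, uses the document's example server 10.0.0.202 on port 81, and the exact match fields and comments are assumptions because the original screenshots are not available.

```routeros
# Added example. 10.0.0.202 is the document's example accounting server;
# chains, match fields and comments are assumptions (screenshots missing).

# 3. Traffic accounting, readable only by the accounting server
/ip accounting set enabled=yes account-local-traffic=yes threshold=2048
/ip accounting web-access set accessible-via-web=yes address=10.0.0.202/32

# 4. API service, reachable only from the accounting server
/ip service set api disabled=no address=10.0.0.202/32

# 5.2 Filter rule 1: keep DNS working for clients in mt_manual
/ip firewall filter add chain=forward src-address-list=mt_manual \
    protocol=udp dst-port=53 action=accept \
    comment="mt_manual: allow DNS"

# 5.2 Filter rule 2: drop everything except ports 80-81.
# dst-port can only be matched together with a protocol, so this rule
# as written (an assumption) covers TCP only.
/ip firewall filter add chain=forward src-address-list=mt_manual \
    protocol=tcp dst-port=!80-81 action=drop \
    comment="mt_manual: drop all but 80-81"

# 5.2 NAT rule: send port 80 requests to the usage page on the server
/ip firewall nat add chain=dstnat src-address-list=mt_manual \
    protocol=tcp dst-port=80 action=dst-nat \
    to-addresses=10.0.0.202 to-ports=81 \
    comment="mt_manual: redirect to usage page"

# Review what was applied
/ip service print where name=api
/ip firewall filter print where src-address-list=mt_manual
/ip firewall nat print where src-address-list=mt_manual
```

Firewall rules are evaluated top to bottom, so these must sit above any broader accept rule in the forward chain. Repeat the filter and NAT rules for each mt_ group, as the text above requires.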