
Setting up a Mikrotik router-board for MT Accounting

Table of Contents
1. Overview
2. Approach
3. Gathering billing information
4. Enable the Mikrotik API
5. Block specific clients
5.1. To cut all traffic of a specific group
5.2. To cut all traffic and redirect all HTML traffic to a usage page
6. In a nut shell

1. Overview
This document gives an overview of how to configure a Mikrotik routerboard for MT Accounting. The following assumption applies:

The Mikrotik is located in such a position in your network that it is the last physical device which traffic passes through on its way toward the internet, and the first for traffic coming from the internet. (The exception might be that you have a Proxy Server between the Mikrotik and the internet.)

- The Mikrotik(s) being used for traffic measuring is in the position shown above.
- The MT Accounting server monitors the Mikrotik(s) to measure all traffic flowing between the network and the internet.
- The Accounting server has access to the Mikrotik(s) being monitored.
- The Mikrotik(s) is responsible for gathering short term billing statistics.
- The Mikrotik(s) is also responsible for serving as a firewall to block clients which have exceeded their allowed capacity.
- The Accounting server collects the short term billing statistics, analyzes and categorizes the data, and stores it in a database.

2. Approach
The Mikrotik(s) has to be set up to perform the following tasks:

- Gather billing traffic information.
- Receive commands from the Accounting server.
- Block specific clients.
- Route blocked clients to a page indicating to the client that they have been blocked.

The above functionality has to be set up on the Mikrotiks in order for MT Accounting to function properly.

3. Gathering billing information

In short, this section sets the Mikrotik up to count traffic passing through it. The settings below enable the Mikrotik to keep track of 2048 distinct Source->Destination routes. Any information on further routes will be lost if the Mikrotik is not accessed by the Accounting server before the 2048 limit is reached. Thus the more traffic passes through the Mikrotik, the higher the threshold must be, or the more frequently the Mikrotik must be polled by the Accounting server. The Accounting server polls the Mikrotik via port 80, and each time the Mikrotik is polled, it empties its current table of traffic records.

To gather billing information the following must be set up on the Mikrotik. Via Winbox access the IP->Accounting window:

Click on Traffic Accounting button:

Check Enable Accounting and Check Account Local Traffic. To begin with set the Threshold to 2048 entries:

Click on the Web Access button:

Check the Accessible via Web checkbox. If you are security aware, change the address so that only the network mask/IP of your Accounting server is able to access the short term billing information gathered by the Mikrotik.
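The polling and threshold behaviour described in this section, as an added Python example that is not part of the original document or of MT Accounting: it totals bytes per internal client from one snapshot and reports when the snapshot is as large as the threshold, which is the case where further routes were lost. It assumes the snapshot is plain text with one `src dst bytes packets src-user dst-user` record per line; the sample snapshot and the 10.0.0.0/24 internal range are constructed.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network

THRESHOLD = 2048  # entry limit set in the Traffic Accounting window on this page


def parse_snapshot(text):
    """Parse 'src dst bytes packets src-user dst-user' lines (assumed layout)."""
    rows = []
    for line in text.splitlines():
        parts = line.split()
        if len(parts) < 4:
            continue  # blank or truncated line
        try:
            rows.append((ip_address(parts[0]), ip_address(parts[1]),
                         int(parts[2]), int(parts[3])))
        except ValueError:
            continue  # not an address/counter record
    return rows


def usage_per_client(rows, internal_net):
    """Sum bytes per internal client as {ip: {'up': n, 'down': n}}."""
    net = ip_network(internal_net)
    usage = defaultdict(lambda: {"up": 0, "down": 0})
    for src, dst, nbytes, _packets in rows:
        if src in net:
            usage[str(src)]["up"] += nbytes
        if dst in net:
            usage[str(dst)]["down"] += nbytes
    return dict(usage)


def snapshot_saturated(rows, threshold=THRESHOLD):
    """True when the table was full, so further pairs went unrecorded."""
    return len(rows) >= threshold


# Constructed sample snapshot (not captured from a real router).
SAMPLE = """\
10.0.0.15 203.0.113.9 1200 4 * *
203.0.113.9 10.0.0.15 88000 61 * *
10.0.0.16 198.51.100.7 300 2 * *
garbage line
"""

if __name__ == "__main__":
    rows = parse_snapshot(SAMPLE)
    print(usage_per_client(rows, "10.0.0.0/24"))
    print("saturated:", snapshot_saturated(rows))
```

A saturated snapshot means the poll interval is too long or the threshold too low for the current traffic.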

4. Enable the Mikrotik API

In order for the Mikrotik to receive blocking/unblocking instructions from the Accounting server, which maintains the list of clients to be blocked/unblocked (capped), the Mikrotik's API must be enabled. To achieve this, in Winbox click on IP->Services.

Make sure the API is enabled. Again, if you are security aware, set the Available From field to only allow your Accounting server to have access to it:

The Accounting server will now be able to tell the Mikrotik which clients need to be blocked or unblocked. This is done via the Address list capability of the Mikrotik, which lets it take specific actions for entities in a specific group. By default the accounting server uses 3 different groups, but it is possible to place specific users in their own (manual and automatic) groups. The 3 default groups are:

- mt_manual: Clients which are cut by manual operator action are placed into this group. These clients remain in the group until they are manually removed from it by operator action.
- mt_automated: Clients which are cut automatically by the Accounting server are placed in this group. These clients remain in this group either until a new month starts, or until the cap limit for the client is increased and the user is removed manually by operator action.
- mt_unknown_ips: All IP addresses falling into the same network range as your internal network, which have not been allocated to a known user or a known device, are automatically placed in this group. This allows you to block all devices on your network which you are unaware of. The only way to remove an entity from this list is to allocate the unknown IP to a client or a device in the accounting server.

All other groups which you wish to use for clients with a specific need must have names starting with mt_, as the accounting server maintains synchronization between all entries in groups starting with mt_ and its own database. If you have a group whose name does not start with mt_, the accounting server will ignore the entries in that group.
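The synchronization rule described above, as an added Python example that is not MT Accounting's own code: it plans which address-list entries to add or remove so that the router matches the database, touches only groups whose names start with mt_, and fills mt_unknown_ips with internal addresses not allocated to anyone. All function names, addresses and list contents are hypothetical and constructed for the illustration.

```python
from ipaddress import ip_address, ip_network

MANAGED_PREFIX = "mt_"            # only groups with this prefix are synchronized
UNKNOWN_LIST = "mt_unknown_ips"


def desired_lists(db_lists, seen_ips, allocated_ips, internal_net):
    """Desired state: database groups plus unallocated internal IPs."""
    net = ip_network(internal_net)
    desired = {name: set(ips) for name, ips in db_lists.items()}
    desired[UNKNOWN_LIST] = {ip for ip in seen_ips
                             if ip_address(ip) in net and ip not in allocated_ips}
    return desired


def plan_sync(router_lists, desired):
    """Return (action, group, ip) steps; groups without the prefix are ignored."""
    steps = []
    names = {n for n in set(router_lists) | set(desired)
             if n.startswith(MANAGED_PREFIX)}
    for name in sorted(names):
        have = set(router_lists.get(name, ()))
        want = set(desired.get(name, ()))
        steps += [("add", name, ip) for ip in sorted(want - have)]
        steps += [("remove", name, ip) for ip in sorted(have - want)]
    return steps


# Constructed sample state (hypothetical addresses and group contents).
ROUTER = {
    "mt_manual": ["10.0.0.21"],
    "mt_automated": ["10.0.0.30", "10.0.0.31"],
    "office_printers": ["10.0.0.200"],   # no mt_ prefix: never touched
}
DB = {"mt_manual": ["10.0.0.21", "10.0.0.22"], "mt_automated": ["10.0.0.31"]}
SEEN = ["10.0.0.21", "10.0.0.77", "203.0.113.9"]
ALLOCATED = {"10.0.0.21", "10.0.0.22", "10.0.0.30", "10.0.0.31"}

if __name__ == "__main__":
    want = desired_lists(DB, SEEN, ALLOCATED, "10.0.0.0/24")
    for step in plan_sync(ROUTER, want):
        print(step)
```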

5. Block specific clients

As already mentioned, the Mikrotik achieves blocking (capping) of clients by adding them to and removing them from groups. In itself this will not work until the correct firewall rules have been associated with each of the groups. For each of the groups the following rules must be added:

- A rule to cut traffic.
- A rule to redirect traffic to a page indicating that the user has been cut.

The rules are added under the IP->Firewall window.

Rules to cut traffic. To add a rule click on Filter Rules and +.

To add a NAT rule click on NAT and +.

5.1. To cut all traffic of a specific group

This example is for group mt_manual. You need to set this rule up for each group. Configure the rule as indicated below:

The General Tab:

The Advanced Tab:

Don't do anything on the Extra Tab or the Statistics Tab.

The Action Tab:

This rule will block all TCP/IP traffic when the user's IP is added to the mt_manual group.

5.2. To cut all traffic and redirect all HTML traffic to a usage page
A standard usage page on the accounting server is available. This page displays either a web page indicating your current usage or a suspended notification combined with a usage page. To achieve this you need to add a NAT rule combined with two Filter rules. Again, the example below is only for the mt_manual group. You need to do this for each group.

The first rule is a firewall rule that makes sure the DNS capability of the client is not affected by any of the other rules associated with the groups. This is required because, without resolving the domain name, a browser will not attempt to connect to the site.

The General tab:

The Advanced tab:

The Action tab:

Leave the Extra and Statistics tabs as is.

The second rule is a Firewall rule to block all traffic except the traffic of port 80-81:

The General tab:

The Advanced tab:

Don't do anything on the Extra or the Statistics tab.

The Action tab:

Note: In this case the traffic going to ports 80 and 81 is not blocked because the NAT rule will forward this traffic to the accounting server. Note that your accounting server must be set to run on port 81 for this to work.

To achieve this, add the NAT rule as indicated by the images below:

The General tab:

The Advanced tab:

Don't do anything on the Extra or the Statistics tab.

The Action tab:

Set the To Addresses to point to your accounting server (in the example's case it is 10.0.0.202) and the To Ports to the port on which the accounting server is hosting its web server (likely port 81). If you use a different port, make sure the firewall rule does not block traffic to that port. Together the two Filter rules and the NAT rule block all non-HTML traffic and forward HTML traffic to the accounting server.
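How the two Filter rules and the NAT rule combine for a client in mt_manual, as an added Python model that is not part of the original document and is not router configuration. RouterOS applies destination NAT before the forward filter, so the filter sees redirected web requests on port 81, which is why ports 80-81 are exempt from the drop rule. Matching DNS on port 53 and web traffic on TCP port 80 are assumptions, since the rule screenshots are not reproduced here; the packets are constructed.

```python
ACCOUNTING_SERVER = "10.0.0.202"   # address used in the page's example
ACCOUNTING_PORT = 81               # port the page says the server must run on


def dstnat(pkt, blocked):
    """NAT rule: web requests from a blocked client go to the accounting server."""
    if pkt["src"] in blocked and pkt["proto"] == "tcp" and pkt["dport"] == 80:
        return dict(pkt, dst=ACCOUNTING_SERVER, dport=ACCOUNTING_PORT)
    return pkt


def forward_filter(pkt, blocked):
    """Filter rules evaluated in list order; the first match decides."""
    if pkt["src"] not in blocked:
        return "accept"                      # client is not in the group
    if pkt["dport"] == 53:
        return "accept"                      # rule 1: keep DNS working
    if not (pkt["proto"] == "tcp" and 80 <= pkt["dport"] <= 81):
        return "drop"                        # rule 2: everything except 80-81
    return "accept"                          # redirected usage-page traffic


def route(pkt, blocked):
    """Apply destination NAT first, then filter the translated packet."""
    translated = dstnat(pkt, blocked)
    return forward_filter(translated, blocked), translated


# Constructed sample: one blocked client and four packets.
BLOCKED = {"10.0.0.21"}
PACKETS = [
    {"src": "10.0.0.21", "dst": "192.0.2.53", "proto": "udp", "dport": 53},
    {"src": "10.0.0.21", "dst": "198.51.100.7", "proto": "tcp", "dport": 80},
    {"src": "10.0.0.21", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
    {"src": "10.0.0.50", "dst": "198.51.100.7", "proto": "tcp", "dport": 443},
]

if __name__ == "__main__":
    for p in PACKETS:
        verdict, out = route(p, BLOCKED)
        print(p["src"], p["proto"], p["dport"], "->", verdict,
              out["dst"], out["dport"])
```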

6. In a nut shell


This should be the basics required to set the Mikrotik up. Get to know your router.
