Mikrotik Policy-Based Routing

One of the more interesting features within the RouterOS mangle (packet marking) facility is the ability to mark packets in the prerouting chain. With this option, we can perform what is called policy-based routing. Suppose we have two WAN (Internet) connections that our LAN clients could potentially use, and that we wish to split the usage such that one range of IP addresses uses WAN1 and another range uses WAN2. As an example in our library environments, we may have situations where we want staff machines to use one ISP and patron machines to use another. Here is a simple diagram we can reference:

What we want to have happen is for all machines in the IP range through to use ISP1 (, and all machines in the IP range through to use ISP2 (

So, our interface IP assignments could be something like this:

/ip address
add address= disabled=no interface=LAN network=
add address= disabled=no interface=WAN1 network=
add address= disabled=no interface=WAN2 network=

First, let’s get some address lists going in IP > Firewall > Address Lists

/ip firewall address-list
add address= comment="Use ISP 1" disabled=no list=patron
add address= comment="Use ISP 2" disabled=no list=staff

Now, let’s set up routing marks based on the address lists above:

/ip firewall mangle
add action=mark-routing chain=prerouting comment=ISP1 disabled=no new-routing-mark=ISP1 passthrough=yes src-address-list=patron
add action=mark-routing chain=prerouting comment=ISP2 disabled=no new-routing-mark=ISP2 passthrough=yes src-address-list=staff

Finally, we add default routes based on the routing mark of the packets:

/ip route
add disabled=no distance=1 dst-address= gateway= routing-mark=ISP1 scope=30 target-scope=10
add disabled=no distance=1 dst-address= gateway= routing-mark=ISP2 scope=30 target-scope=10

Another way we could use policy-based routing would be for routing packets through a filtering proxy. Suppose we have a transparent Squid proxy set up for content filtering in our network. We would need to set up four interfaces: WAN, LAN, and two more to loop the packets out to the Squid box and back into the router. Our diagram is something like this:

Our interface list:

/ip address
add address= disabled=no interface=LAN network= comment="LAN"
add address= disabled=no interface=WAN network= comment="WAN"
add address= disabled=no interface=F-Out network= comment="Filter Out"
add address= disabled=no interface=F-In network= comment="Filter In"

What we would do is cable the filter-out (F-Out) interface of the router to the LAN port of the Squid box (assigned IP Then, cable the Squid box WAN port (assigned IP back to the filter-in (F-In) interface of the router. This creates a detour path to route our packets through if we wish to filter them. Then, set up an address-list for filtered machines, as well as routing marks in mangle:

/ip firewall address-list
add address= comment="Filtered" disabled=no list=patron
/ip firewall mangle
add action=mark-routing chain=prerouting comment=Filtered disabled=no new-routing-mark=Filtered passthrough=yes src-address-list=patron

Notice in this example that we need only create address-lists and mangle rules for the machines we wish to detour through the Squid box, as all other packets will exit the router directly through the WAN port and out to the Internet as normal.

Now, we set one routing rule for the detour, using the Squid box LAN IP as our gateway:

/ip route
add disabled=no distance=1 dst-address= gateway= routing-mark=Filtered scope=30 target-scope=10
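To make the mechanism behind both examples above concrete (address list, then a prerouting mark-routing rule, then a per-mark route lookup that falls back to the main table), here is an added Python model of that decision path. It is an illustration written for this page, not RouterOS code, and every address in it (192.168.88.0/24 LAN, 203.0.113.1 and 198.51.100.1 as ISP gateways, 10.10.1.2 as the Squid box LAN IP) is a constructed documentation-range value standing in for the post's own addresses.

```python
"""Model of RouterOS policy-based routing as used in the post:
address-list -> mangle mark-routing (prerouting) -> route lookup by routing-mark.

Added illustration, not RouterOS code. All addresses below are constructed
(RFC 5737 / private ranges), not the original post's values.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional


@dataclass
class MangleRule:
    src_address_list: str       # src-address-list=
    new_routing_mark: str       # new-routing-mark=
    passthrough: bool = True    # passthrough=yes: keep evaluating later rules


@dataclass
class Route:
    dst_address: str            # dst-address= (0.0.0.0/0 is a default route)
    gateway: str                # gateway=
    routing_mark: str = "main"  # routing-mark= (absent => main table)
    distance: int = 1           # distance=


class PolicyRouter:
    def __init__(self) -> None:
        self.address_lists: dict[str, list[ipaddress.IPv4Network]] = {}
        self.mangle: list[MangleRule] = []
        self.routes: list[Route] = []

    # /ip firewall address-list add list=<name> address=<cidr>
    def add_address(self, list_name: str, cidr: str) -> None:
        self.address_lists.setdefault(list_name, []).append(ipaddress.ip_network(cidr))

    # /ip firewall mangle add chain=prerouting action=mark-routing ...
    def add_mangle(self, rule: MangleRule) -> None:
        self.mangle.append(rule)

    # /ip route add ...
    def add_route(self, route: Route) -> None:
        self.routes.append(route)

    def in_list(self, list_name: str, ip: ipaddress.IPv4Address) -> bool:
        return any(ip in net for net in self.address_lists.get(list_name, []))

    def prerouting_mark(self, src: str) -> str:
        """Walk the mangle rules in order; the last matching rule wins when
        passthrough=yes, the first when passthrough=no."""
        ip = ipaddress.ip_address(src)
        mark = "main"
        for rule in self.mangle:
            if self.in_list(rule.src_address_list, ip):
                mark = rule.new_routing_mark
                if not rule.passthrough:
                    break
        return mark

    def _best(self, mark: str, dst: ipaddress.IPv4Address) -> Optional[Route]:
        cands = [r for r in self.routes
                 if r.routing_mark == mark and dst in ipaddress.ip_network(r.dst_address)]
        if not cands:
            return None
        # longest prefix first, then lowest distance
        return max(cands, key=lambda r: (ipaddress.ip_network(r.dst_address).prefixlen,
                                         -r.distance))

    def lookup(self, mark: str, dst: str) -> Optional[Route]:
        ip = ipaddress.ip_address(dst)
        route = self._best(mark, ip)
        if route is None and mark != "main":
            # RouterOS v6 behaviour: a marked table with no matching route
            # falls back to the main table rather than dropping the packet.
            route = self._best("main", ip)
        return route

    def next_hop(self, src: str, dst: str) -> tuple[str, Optional[str]]:
        mark = self.prerouting_mark(src)
        route = self.lookup(mark, dst)
        return mark, (route.gateway if route else None)


def build_isp_split() -> PolicyRouter:
    """The two-ISP split from the first example (constructed addresses)."""
    r = PolicyRouter()
    r.add_address("patron", "192.168.88.0/25")     # .0 - .127
    r.add_address("staff", "192.168.88.128/25")    # .128 - .255
    r.add_mangle(MangleRule("patron", "ISP1"))
    r.add_mangle(MangleRule("staff", "ISP2"))
    r.add_route(Route("0.0.0.0/0", "203.0.113.1", "ISP1"))
    r.add_route(Route("0.0.0.0/0", "198.51.100.1", "ISP2"))
    r.add_route(Route("0.0.0.0/0", "203.0.113.1"))  # main-table default via WAN1
    return r


def build_squid_detour() -> PolicyRouter:
    """The Squid detour from the second example (constructed addresses)."""
    r = PolicyRouter()
    r.add_address("patron", "192.168.88.0/25")
    r.add_mangle(MangleRule("patron", "Filtered"))
    r.add_route(Route("0.0.0.0/0", "10.10.1.2", "Filtered"))  # Squid box LAN IP on F-Out
    r.add_route(Route("0.0.0.0/0", "203.0.113.1"))            # main default via WAN
    return r


if __name__ == "__main__":
    for rtr in (build_isp_split(), build_squid_detour()):
        for src in ("192.168.88.10", "192.168.88.200", "192.168.1.5"):
            print(src, "->", rtr.next_hop(src, "192.0.2.10"))
```

Running it shows the patron host leaving via ISP1 (or the Squid box), the staff host via ISP2, and a host in neither list using the main-table default. Like the post's rules, the mark here matches on source address only; if you need traffic re-entering on F-In from the Squid box to be excluded from the detour, an `in-interface` match on the mangle rule (not shown in the post) is the usual way to do it.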


Howto mount windows shared folder in Ubuntu

First create a folder where you want to mount the Windows folder. Then mount the target Windows shared folder in it using the commands below.

mkdir /mnt/winfolder
mount -t cifs // /mnt/winfolder -o username=kashif,password=1234,domain=mydomain

# is the Windows system where our required folder is shared
# change the user name, password, and domain as per your local settings.


Kashif Qamar

Howto Block Adult websites using OPENDNS for free

Last day someone asked me how to block adult websites in Mikrotik. There is no built-in way to do it, as it involves URL filtering, and that is not the job of a router. A dedicated proxy server can do it effectively, since proxies are built for such purposes (caching, URL filtering, redirecting, etc.).

We are using Microsoft TMG in our organization, which filters URLs by category, so it is easier for us to just select the categories we want to block, for example Porn / Gambling / Spyware, but Microsoft charges for this service annually (which I guess is about $12 per user per year). It does the job perfectly and very efficiently, but it is not a cost-effective solution, especially if you don't have much budget to pay Microsoft.

However, the following is a free, neat and clean method to block about 80-90% of porn websites, using the OpenDNS servers as the primary DNS server in your router/proxy or even a desktop PC.

Use the DNS servers below as your primary DNS server in Mikrotik / ISA Server / router or even a desktop. If you are using Mikrotik or another server, make sure clients are using your server IP as their DNS server, because OpenDNS filtering only works if the client / router is actually using their DNS servers. You can also force users to use your DNS server by adding a redirect rule so that every DNS request is redirected to your local server.

If you are using a Mikrotik router, it would look something like the image below . . .

Now if you try to open any adult website, it won't open and will give you the browser's default 'Could not open' error, or the request will be redirected to the OpenDNS block page informing you that your request was blocked by OpenDNS, as shown in the image below . . .


You can also show your own page explaining that adult websites are blocked, along with your advertisement. For this purpose, you have to enable web-proxy and redirect user traffic to the local proxy, then in proxy access, block http://www.blocked-website.com and redirect it to a local web server page.

Howto Enable Web Proxy in Mikrotik and redirect the OpenDNS error page to a local error page

/ip proxy
set always-from-cache=no cache-administrator=webmaster cache-hit-dscp=4 \
cache-on-disk=no enabled=yes max-cache-size=none max-client-connections=\
600 max-fresh-time=3d max-server-connections=600 parent-proxy= \
parent-proxy-port=0 port=8080 serialize-connections=no src-address=\
/ip proxy access
add action=deny disabled=no dst-host=www.blocked-website.com dst-port="" \

Replace the and the full path with your local web server.

Now enable a NAT rule to redirect user traffic to the local proxy.

Now Redirect All User Traffic to Local Proxy

/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-port=80 protocol=tcp \

Make sure you move this rule above the default masquerade rule in the NAT section, so it captures HTTP traffic and redirects it before it is masqueraded to the outside world.

As shown in the image below . . .

If you don't want to use the proxy for all requests, but only for http://www.blocked-website.com, then use the rule below, which will only redirect blocked-website.com traffic to the local web proxy; all other traffic will go directly.

/ip firewall nat
add action=redirect chain=dstnat disabled=no dst-address= \
dst-port=80 protocol=tcp to-ports=8080

Now when a user tries to open any adult website, he will be redirected to the local proxy, and the proxy will (using the access rules we defined above) redirect the request to our local web server page showing our info page.

(Thanks to Zaib Bhai for this excellent R&D)


Kashif Qamar

Mikrotik PPPoE Server Configuration Complete Guide

Here is my first post for Mikrotik: a complete guide for deploying a PPPoE server with a Mikrotik router.

/ip address
add address= broadcast= comment="" disabled=no interface=Local network=
add address= broadcast= comment="" disabled=no interface=WAN network=

/ip pool
add name=dhcp_pool1 ranges=
add name=pppoe-users-pool ranges=

/ip dhcp-server network
add address= comment="" dns-server=,

/interface pppoe-server server
add authentication=pap default-profile=default disabled=no interface=Local keepalive-timeout=10 max-mru=1480 max-mtu=1480 max-sessions=1 mrru=disabled one-session-per-host=yes service-name=SK

/ppp profile add change-tcp-mss=default dns-server= local-address= name=pppoe-profile only-one=default remote-address=pppoe-users-pool use-compression=default use-encryption=default use-vj-compression=default

/ppp secret add caller-id="" disabled=no limit-bytes-in=0 limit-bytes-out=0 name=kashif password=1234 profile=pppoe-profile routes="" service=pppoe

/ip dns set allow-remote-requests=yes cache-max-ttl=1w cache-size=10000KiB max-udp-packet-size=512 servers=

/ip firewall nat
add action=masquerade chain=srcnat comment="" disabled=no out-interface=WAN src-address=

/ip route
add comment="" disabled=no distance=1 dst-address= gateway= scope=30 target-scope=10