Mikrotik Firewall / Short Notes + Scripts

Mikrotik Firewall / Short Notes + Scripts

Contents …

1- Secure Services by Firewall Filter Rules
2- Firewall Sample
3- Better approach on blocking Ports
4- howto block Winbox Discovery
5- Filter Rules to Allow/Block VPN Protocol
6- Howto block P2P / Torrents & Downloads using L7/Contents
7- Howto block User via MAC address
8- Script to reboot Router Daily in night at 1:00am
9- Disable/Enable Users using Script and Schedule
10- Update Hotspot walled garden list by fetching text file
11- Disconnect all active PPPoE users
12- Block download based on file SIZE …
13- Monitor WAN link (pppoe-out1) and reconnect (for ptcl 50mb vdsl hang issue)
14- Disable HOTSPOT Users based who donot have comments “PAID”
15- Script to disconnect previously logged user if same id connected with second computer [Hotspot]
16- Radisu Offline, enable local ppp secrets

Sometimes, in Mikrotik logs, you will see that some ips from WAN/LAN try to login to your MT box using SSH,Winbox etc. To secure your router , the best solution would be to come up with a list of networks that should be allowed to access the router administratively, and block everything else. Following code might help you in this situation.
[Most rules are copied from Mikrotik Wiki's Articles]

The following rules will create a address list which will have your management PC ip address. an then it will allow all ports like WINBOX, FTP, SSH, TELNET from this address list only, and rest of ips wont be able to access these ports.

1 2 3 4 5 6 7

/ip firewall address-list add list=management-servers address=10.10.0.1   /ip firewall filter add chain=input src-address-list=management-servers protocol=tcp dst-port=21,22,23,80,443,8291 action=accept   add chain=input protocol=tcp dst-port=21,22,23,80,443,8291 action=drop

Now scenario will be like below.

↓

It is strongly advised to DISABLE all Unnecessary Services on the MikroTik Router specially SSH/FTP which is highly used for brute force attacks. Also make sure to change the default services ports to some other number, preferably higher unused ports like 50000 or above or likewise …

↑

This reduces the attack surface of your router the less services there are to attack the less likely your router could be compromised or overloaded :)

Remotely Accessible Router Services should be limited to few addresses

This is a simple and very effective way of controlling who can attempt to access the MikroTik router. One could check from which addresses or networks the MikroTik Router would be administered. Then one could create firewall rules that only allow access to the router services from the management networks.

Deny all un wanted inbound Traffic and allow only related traffic  (***The best approach***)

By restricting inbound traffic to the router, you can prevent the accidental opening up of services on the router. Also by restricting all types of services except for the services you know about & you want, you prevent any services (that you may not be aware of ) being accessible remotely on the MikroTik router.

↓

↓
HOWTO PREVENT VIRUS / PORTS FLOODING ?

↓

A basic Mikrotik Firewall Script to secure MT box from virus and flooding. First copy all contents of below script to notepad, then carefully read it, add remove any un necessary rules. Also some rules are commented, modify them as per your requirements.***

↓

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28 29 30 31 32 33 34 35 36 37 38 39 40 41 42 43 44 45 46 47 48 49 50 51 52 53 54 55 56 57 58 59 60 61 62 63 64 65 66 67 68 69 70 71 72 73 74 75 76 77 78 79 80 81 82 83 84 85 86 87 88 89 90 91 92 93 94 95 96 97

########################################################################## #### Remove HASH # sign if you want to apply the required rule           # #### Syed Jahanzaib / aacable@<span class="skimlinks-unlinked">hotmail.com</span> / <span class="skimlinks-unlinked">http://aacabel.wordpress.com</span> # ##########################################################################   /ip firewall filter   add chain=input connection-state=established comment="Accept established connections" add chain=input connection-state=related comment="Accept related connections"   add chain=input connection-state=invalid action=drop comment="invalid connections" add chain=input protocol=udp action=accept comment="UDP" disabled=no add chain=forward connection-state=invalid action=drop comment="invalid connections" #### ALLOW VPN (PPTP) CONNECTIONS TO MIKROTIK VPN SERVER #add action=accept chain=input disabled=no dst-port=1723 protocol=tcp #add action=accept chain=input disabled=no protocol=gre   #### TO BLOCK DNS ATTACK on WAN INTERFACE #/ip firewall filter #add chain=input action=drop dst-port=53 protocol=udp in-interface=ether1 # WAN INTERFACE #add chain=input action=drop dst-port=53 protocol=tcp in-interface=ether1 # WAN INTERFACE   #### TO BLOCK PROXY ACCESS PORT 8080 / ATTACK on WAN INTERFACE #add chain=input action=drop dst-port=8080 protocol=tcp in-interface=ether1 # WAN INTERFACE   #### TO BLOCK ICMP TRAFFIC EXCEPT FROM THE Management PC IP # Blocking ICMP Traffic, saves you from many headaches # add action=drop chain=input comment="PING  REPLY" disabled=no protocol=icmp src-address=!10.10.0.4   #### TO BLOCK TRACEROUTE TRAFFIC #/ip firewall add action=drop chain=forward comment="Traceroute" disabled=no \ # icmp-options=11:0 protocol=icmp # add action=drop chain=forward comment="" disabled=no icmp-options=3:3 \ # protocol=icmp # add action=drop chain=input comment="Disable ICMP ping" disabled=no protocol=\ # icmp   #### TO BLOCK COMMON VIRUS PORTS add chain=virus protocol=tcp dst-port=135-139 action=drop comment="Blaster Worm" add chain=virus protocol=udp dst-port=135-139 action=drop comment="Messenger Worm" add chain=virus protocol=tcp dst-port=445 action=drop comment="Blaster Worm" add chain=virus protocol=udp dst-port=445 action=drop comment="Blaster Worm" add chain=virus protocol=tcp dst-port=593 action=drop comment="________" add chain=virus protocol=tcp dst-port=1024-1030 action=drop comment="________" add chain=virus protocol=tcp dst-port=1080 action=drop comment="MyDoom" add chain=virus protocol=tcp dst-port=1214 action=drop comment="________" add chain=virus protocol=tcp dst-port=1363 action=drop comment="ndm requester" add chain=virus protocol=tcp dst-port=1364 action=drop comment="ndm server" add chain=virus protocol=tcp dst-port=1368 action=drop comment="screen cast" add chain=virus protocol=tcp dst-port=1373 action=drop comment="hromgrafx" add chain=virus protocol=tcp dst-port=1377 action=drop comment="cichlid" add chain=virus protocol=tcp dst-port=1433-1434 action=drop comment="Worm" add chain=virus protocol=tcp dst-port=2745 action=drop comment="Bagle Virus" add chain=virus protocol=tcp dst-port=2283 action=drop comment="Dumaru.Y" add chain=virus protocol=tcp dst-port=2535 action=drop comment="Beagle" add chain=virus protocol=tcp dst-port=2745 action=drop comment="<span class="skimlinks-unlinked">Beagle.C-K</span>" add chain=virus protocol=tcp dst-port=3127-3128 action=drop comment="MyDoom" add chain=virus protocol=tcp dst-port=3410 action=drop comment="Backdoor OptixPro" add chain=virus protocol=tcp dst-port=4444 action=drop comment="Worm" add chain=virus protocol=udp dst-port=4444 action=drop comment="Worm" add chain=virus protocol=tcp dst-port=5554 action=drop comment="Sasser" add chain=virus protocol=tcp dst-port=8866 action=drop comment="Beagle.B" add chain=virus protocol=tcp dst-port=9898 action=drop comment="<span class="skimlinks-unlinked">Dabber.A-B</span>" add chain=virus protocol=tcp dst-port=10000 action=drop comment="Dumaru.Y" add chain=virus protocol=tcp dst-port=10080 action=drop comment="MyDoom.B" add chain=virus protocol=tcp dst-port=12345 action=drop comment="NetBus" add chain=virus protocol=tcp dst-port=17300 action=drop comment="Kuang2" add chain=virus protocol=tcp dst-port=27374 action=drop comment="SubSeven" add chain=virus protocol=tcp dst-port=65506 action=drop comment="PhatBot, Agobot, Gaobot" add chain=forward action=jump jump-target=virus comment="jump to the virus chain"   #Drop port scanners add chain=input protocol=tcp psd=21,3s,3,1 action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="Port scanners to list " disabled=no add chain=input protocol=tcp tcp-flags=fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP FIN Stealth scan" add chain=input protocol=tcp tcp-flags=fin,syn action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/FIN scan" add chain=input protocol=tcp tcp-flags=syn,rst action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="SYN/RST scan" add chain=input protocol=tcp tcp-flags=fin,psh,urg,!syn,!rst,!ack action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="FIN/PSH/URG scan" add chain=input protocol=tcp tcp-flags=fin,syn,rst,psh,ack,urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="ALL/ALL scan" add chain=input protocol=tcp tcp-flags=!fin,!syn,!rst,!psh,!ack,!urg action=add-src-to-address-list address-list="port scanners" address-list-timeout=2w comment="NMAP NULL scan" add chain=input src-address-list="port scanners" action=drop comment="ping port scanners" disabled=no   #Bruteforce login prevention   add chain=input protocol=tcp dst-port=21 src-address-list=ftp_blacklist action=drop comment="ftp brute forcers" add chain=output action=accept protocol=tcp content="530 Login incorrect" dst-limit=1/1m,9,dst-address/1m add chain=output action=add-dst-to-address-list protocol=tcp content="530 Login incorrect" address-list=ftp_blacklist address-list-timeout=3h   #This will prevent a SSH brute forcer to be banned for 10 days after repetitive attempts.   add chain=input protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute forcers" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage3 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_stage3 address-list-timeout=10m comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=10m comment="" disabled=no add chain=input protocol=tcp dst-port=22 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m comment="" disabled=no   #If you want to block downstream access as well, you need to block the with the forward chain: add chain=forward protocol=tcp dst-port=22 src-address-list=ssh_blacklist action=drop comment="ssh brute downstream" disabled=no

↓

↓
A BETTER APPROACH ON BLOCKING PORTS !

↓

1 2 3 4 5 6

/ip firewall mangle add action=add-src-to-address-list address-list=Worm-Infected-p445 address-list-timeout=1h chain=prerouting connection-state=new disabled=no dst-port=445 limit=5,10 protocol=tcp   /ip firewall filter add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445 add action=drop chain=forward disabled=no dst-port=445 protocol=tcp src-address-list=Worm-Infected-p445

[/sourcecode]

The above Rules allows 5 packets per second with a burst of 10 specific to new connections. The mangle rule will put addresses on a list when it exceeds that limit. That way legitimate use isn’t blocked but something like a virus or worm sending out mass amounts will be detected and stopped. It’s a much more elegant solution than blocking a bunch of ports for all users. It also gives you a list of user IPs that need to clean up their pc.
↓

↓
Mikrotik How to block Winbox Discovery + Limit Winbox Access

To hide your mikrotik from being appearing in WINBOX scan negibour list, & to limit WINBOX access from your admin PC only,
Use the Following.

1 2 3 4 5 6 7 8 9

/tool mac-server add disabled=yes interface=all /tool mac-server ping set enabled=no   /ip firewall filter add action=drop chain=input comment="block mikrotik discovery" disabled=no dst-port=5678 protocol=udp add action=drop chain=input comment="ALL WINBOX REQUEST By MAC Address" disabled=no dst-port=20561 protocol=udp add action=drop chain=input comment="ALL WINBOX REQUEST EXCEPT FROM MY PC" disabled=no dst-port=8291 protocol=tcp src-address=!192.168.2.6

↓

↓

You can Also Disable Network Neighbor Discovery on the interface to which your network users are connected

Example:

1	/ip neighbor discovery set ether1 discover=no

Personnel Recommendation:
Always disable un-necessary Like FTP / SSH / TELNET etc. or if its necessary to enable services, at least Limit
there access to specific pcs only.
Allow only WINBOX with different port number.
↓

↓
How-to  Allow VPN (PPTP) Connections for Mikrotik VPN Server

PPTP uses the GRE protocol, You have to allow ip PROTOCOL 47 (GRE), not TCP port.
TCP port 1723 is the control connection, while the actual tunnel is GRE (protocol 47).

Example:

1 2 3

/ip firewall filter add action=accept chain=input disabled=no dst-port=1723 protocol=tcp add action=accept chain=input disabled=no protocol=gre

Make sure these rules are above any general DENY rule.

Howto Block Torrent / P2P

Blockin 100% torrent is impossible as nowadays new torrents application are using encrypted method and its nearly impossible to inspect the SSL traffic. I used Forefront TMG 2010 is capable to inspect SSL traffic at some extents.
However you can block basic torrents access by using following.

{The patterns were fetched from Public sources and few from Mikrotik & some personnel lab testing. Modified for easy copy pasting, as we all love copy pasting don’t we ? :p)

1 2 3 4 5 6 7 8 9 10 11 12 13 14

/ip firewall layer7-protocol add comment="P2P WWW web base cnoetent Matching / Zaib" name=p2p_www regexp=\ "^.*(get|GET).+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$" add comment="P2P DNS Matching / Zaib" name=p2p_dns regexp=\ "^.+(torrent|thepiratebay|isohunt|entertane|demonoid|btjunkie|mininova|flixflux|vertor|h33t|zoozle|bitnova|bitsoup|meganova|fulldls|btbot|fenopy|gpirate|commonbits).*\$"   /ip firewall mangle add action=mark-packet chain=postrouting comment="p2p download" disabled=no layer7-protocol=p2p_www new-packet-mark="p2p download" passthrough=no add action=mark-packet chain=postrouting disabled=no layer7-protocol=p2p_dns new-packet-mark="p2p download" passthrough=no   /ip firewall filter add action=drop chain=forward comment="Block P2p_www Packets / Zaib" disabled=no layer7-protocol=p2p_www add action=drop chain=forward comment="Block P2p_dns Packets / Zaib" disabled=no layer7-protocol=p2p_dns add action=drop chain=forward comment="Block General P2P Connections , default mikrotik p2p colelction / zaib" disabled=no p2p=all-p2p

Another approach to block P2P, taken from the mikrotik forum, Not personally checked yet. Someone please check and update

1 2 3 4 5 6

/ip firewall filter add action=drop chain=forward comment="TORRENT No 1: Classic non security torrent" disabled=no p2p=all-p2p add action=drop chain=forward comment="TORRENT No 2: block outgoing DHT" content=d1:ad2:id20: disabled=no dst-port=1025-65535 packet-size=95-190 protocol=udp add action=drop chain=forward comment="TORRENT No 3: block outgoing TCP announce" content="info_hash=" disabled=no dst-port=2710,80 protocol=tcp add action=drop chain=forward comment="TORRENT No 4: prohibits download .torrent files. " content="\r\nContent-Type: application/x-bittorrent" disabled=no protocol=tcp src-port=80 add action=drop chain=forward comment="TORRENT No 5: 6771 block Local Broadcast" content="\r\nInfohash:" disabled=no dst-port=6771 protocol=udp

▼
Howto Block User MAC address

1 2 3

/ip fir fi add chain=input action=drop src-mac-address=74:EA:3A:F2:AF:90 add chain=forward action=drop src-mac-address=74:EA:3A:F2:AF:90

▼

▼
SCRIPT SECTION

▼

▼
Script to reboot router daily at 1:00am

First add script which ahve command to reboto router, then simply schedule it to run daily in night 1:00am or whatever you like :)

1 2 3 4 5 6 7 8

/system script add name=sysreboot policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="/system reboot"   /system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="/system reboot"   # OR   /system scheduler add name="rebootat1am" start-date="dec/04/2013" start-time="01:00:00" interval="1d" on-event="sysreboot"

▼
Disable/Enable Users using Script and Schedule

http://forum.mikrotik.com/viewtopic.php?f=13&t=81284&p=406269#p406269

▼
Update Hotspot walled garden list by fetching text file

http://forum.mikrotik.com/viewtopic.php?f=2&t=81249

Disconnect all active PPPoE users

1 2 3 4 5 6

# Print local time for LOG record purposes / tracking :local CurrentTime [/system clock get time]; :log warning "Script Start to Disconnect all active PPPoE Users for RM Data record purposes at  $CurrentTime. . ." # Disconnect users using find /ppp active remove [find service="pppoe"] :log warning "Users disconnection script completed at  $CurrentTime. . ."

↓
Block download based on file SIZE …

I forgot the guy’s name who is from FB, who asked me a question, lets name him Mr. X. The query was > howto block downloads of large files (lets say 5mb or above ) in specific timings (like 8pm-12am).

But the issue is How the router will know the file size before it’s downloaded? The router has no way of knowing how big a connection is… An workaround is to create a Firewall Filter rule that will will allow the first 5MB of a connection through, and once it reaches that, it will start to drop packets. I used it a network in Gulistan-e-Jauhar, and it worked good.
But do remember that that It will also affect streaming, RDP like protocols, VPNs, and any other connection that transfers a large number of bytes.

1 2 3

/ip firewall filter add action=drop chain=forward comment="downloading of files larger then 5mb (It will break connection after 5mb of transfer) applicable from 8pm till 12am / zaib" connection-bytes=5242880-0 disabled=no protocol=tcp time=\ 20h-23h59m59s,sun,mon,tue,wed,thu,fri,sat

But do remember that it will only drop packets for that specific download, user can do another session of download. to prevent this , you can create mangle rule that will add the user in a temporary list (with timeout value of 1 hour or more) and next time the user will try to download , his access to that particular resource will be denied, you can customize this action to be either whole session or specific file like mp3 exe zip etc etc. You can also do a source base or destination base controlling.

You can also make a Simple Queue with or without burst, that should slow down the download speed after 5Mb to be crawled in few kbits only
( it will not block based on size)

You can also forward these packets to external proxy like Squid to do the filter base on reply_body_max_size directive. example:

1	reply_body_max_size 5242880 deny all # in specific timings only

As some1 asked, for squid use this:

1 2 3

acl localnet src 100.0.0.0/8 reply_body_max_size 5242880 deny localnet # deny download of 1mb and above, http_access allow localnet

I would recommend to GO with Queues and mangle rules, this way nothing will gonna be blocked, but scaling back bandwidth based on how much data has passed through the connection to make downloading large files painful for the cable.net users …

↓

↓
Monitor WAN link (pppoe-out1) and reconnect (for PTCL  50mb VDSL HANG issue !!!)

I have received few emails regarding an on going issue of PTCL VDSL 50mb link which hangs frequently on daily basis. it is most common in CELLPIPE vdsl modems. The workaround was to first configure PTCL modem in BRIDGE mode, then dial pppoe client from the Mikrotik/Server. but at one operator informed me that it still hangs even after bridge mode configuration , BUT after disconnect and re-connect the pppoe client, Internet link start working properly.

To sort it out on automatic basis, I created a simple script of NETWATCH TOOL which keep monitoring any reliable internet host like Google DNS or other, and if it failed to receive any reply , it will simply disconnect pppoe client, wait for 10 seconds, and then re connect the pppoe client ,

Simple !!!

1 2 3 4 5 6 7 8 9 10 11 12 13 14

/system script add name=disconnect policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source="# Script to Disconnect pppoe client for ptcl 50 mb vdsl link&amp;amp; reconnect again\r\ \n# Syed Jahanzaib / aacable@<span class="skimlinks-unlinked">hotamil.com</span> / +92.333.3021.909\r\ \n:log error \"No response from Internet Found, probably Link from PTCL internet or VDSL modem is down ... Disconnecting VDSL PPPoE client on mikrotik and waiting for 5 seconds\"\r\ \n/interface pppoe-client disable pppoe-out1\r\ \ndelay 5\r\ \n/interface pppoe-client enable pppoe-out1" add name=connect policy=ftp,reboot,read,write,policy,test,winbox,password,sniff,sensitive,api source=\ "# Script to connect pppoe client for ptcl 50 mb vdsl link\r\ \n# Syed Jahanzaib\r\ \n:log warning \"PTCL vdsl seems to be working now after reconnecting pppoe client ...\""   /tool netwatch add disabled=no down-script="/sys script run disconnect" host=8.8.8.8 interval=1m timeout=3s up-script="/sys script run connect"

↓

↓
Disable HOTSPOT Users based who donot have comments “PAID”

1 2 3 4 5 6 7 8 9 10 11 12 13

# Script source: <span class="skimlinks-unlinked">http://forum.mikrotik.com/viewtopic.php?f=9&amp;t=82129</span> # To block HOTSPOT users who donot have comments "PAID" in there comment box # Syed Jahanzaib / aacable@<span class="skimlinks-unlinked">hotamil.com</span> / <span class="skimlinks-unlinked">http://aacable.wordpress.com</span>   /ip hotspot user :foreach i in=[find] do={ :local username [get $i name] :if ([get $i comment]~"paid") do={ } else={ :log warning "$username..." /ip hotspot user disable $username } }

##################################################################
BELOW SCRIPT IS ORIGINAL VERSION OF ABOVE MODIFIED SCRIPT,
SCRIPT SOURCE: MIKROTIK FORUM
##################################################################

1 2 3 4 5 6 7 8 9 10 11 12

:local username :local userunpaid   :foreach i in=[/ip hotspot user find] do { :set username ( username [ip hotspot user get $i name]) :if ([/ip hotspot user get [/ip hotspot user find name=$username] comment] != "paid") do { :foreach j in=[/ip hotspot active find] do { :set userunpaid ( userunpaid [ip hotspot active get $j user]) :if (username = userunpaid) do { [/ip hotspot active remove [/ip hotspot active find user=$userunpaid]] :log info "User $userunpaid was removed from active list due to payment delay" }}}}}

SCRIPT to disconnect previously logged user if same id is used at second computer

It will automatically remove first logged in user automatically , if the same id is logged in from 2nd computer.
[add it in hotspot user profile ON LOGIN SCRIPT]

1 2 3 4 5 6 7 8 9 10 11 12 13 14 15 16 17 18 19 20 21 22 23 24 25 26 27 28

# base function Sourcecode: Mikrotik Forum # Local Variables Section :local uname $user; :local usercount 0; :local usertime "00:00:00"; # Variable for user who is previously logged in :local kickable; # Variable for max session allowed, 2 means only one session is allowed at a time :local maxuser 2; # Load all active users in hotspot :foreach i in=[/ip hotspot active find user=$uname] do= { # Load UPTIME for all users to be matched later :local curup [/ip hotspot active get $i uptime]; # If previous logged user is matched using UPTIME [above then 0] then set global variables for disconnection :if ( $curup > $usertime ) do={ :set usertime $curup; :set kickable $i; } :set usercount ($usercount+1); } # IF Function for user who is already logged in, :if ($usercount >= $maxuser) do={ :log info "Login user: $uname ($usercount/$maxuser) - Oldest $usertime will be logout!"; # Kick previous logged users (if same ID) /ip hotspot active remove numbers=$kickable; # If not, do nothing, just log, You can modify this function as well / JZ } else { :log info "Login user: $uname ($usercount/$maxuser)";

.

Remote Radius server offline – enable local ppp secrets !!!

Question was

“Using radius server with pppoe and have set the clients with ppp secret disabled but if radius server goes offline clients cannot authenticate, so I would like to use netwatch to monitor the IP address of radius server and if unreachable to run script to enable ppp client secrets , any advice is most welcome”

Answer was simple:

You can create a for i loop and add it in netwatch.
Example: (copy paste version)

ROS Code:

1 2 3 4 5 6 7 8 9 10 11 12

/tool netwatch add comment="Netwatch script to detect Radius status and act accordingly" disabled=no down-script=":log error \"RADIUS not responding, enabling local users in SECRET section of PPP/zaib\"\r\ \n/ppp secret\r\ \n:foreach i in=[find] do={\r\ \n/ppp secret enable \$i\r\ \n}\r\ \n:log warning \"All PPP acounts are now enabled.\"" host=192.168.1.2 interval=1m timeout=2s up-script=":log error \"RADIUS is now ONLINE. Enabling local users in SECRET section of PPP/zaib\"\r\ \n/ppp secret\r\ \n:foreach i in=[find] do={\r\ \n/ppp secret disable \$i\r\ \n}\r\ \n:log warning \"All local PPP acounts are now DISABLED.\""

host=192.168.1.2 [change this ip to match your local ip address]
You can adjust the timings and timeout values as per your requirements.
But do remember this is just an workaround with some manual overhead management of keeping all users accounts replica to local mikrotik. As rextended mentioned, If resources allows, you should consider in having a cluster base radius , so in case of any single server failure, its replica or other clsuter node should reply to mirkotik seamless. Also Virtualization is very best for clustering like ESXI base High Availabilityor something like this.