...
/system reset-configuration no-defaults=yes skip-backup=yes
...
To set this up in RouterOS we manually add the IP address, add a default route via the provided gateway and set the DNS server:
/ip address add address=1.2.3.100/24 interface=ether1
/ip route add gateway=1.2.3.1
/ip dns set servers=8.8.8.8
PPPoE connection
A PPPoE connection also gives you a dynamic IP address and can dynamically configure DNS and the default gateway. Typically the service provider (ISP) gives you a username and password for the connection.
/interface pppoe-client
add disabled=no interface=ether1 user=me password=123 \
  add-default-route=yes use-peer-dns=yes
Winbox/Webfig actions:
- Open the PPP window; the Interfaces tab should be selected;
- Click on the + button and choose PPPoE Client from the dropdown list; a new dialog will open;
- Select interface ether1 from the dropdown list and click on the OK button to apply the settings.
...
[admin@MikroTik] /tool mac-server> print
Flags: X - disabled, * - default
# INTERFACE
0 * all
/tool mac-server
disable 0;
add interface=local;
Do the same for Winbox MAC access:
/tool mac-server mac-winbox
disable 0;
add interface=local;
Winbox/Webfig actions:
- Open the Tools -> Mac Server window; the Telnet Interfaces tab should be selected;
- Click on the + button; a new dialog will open;
- Select interface local from the dropdown list and click on the OK button to apply the settings;
- From the list of entries in the Telnet Interfaces tab select all and click on x to disable the selected entry.
...
IP connectivity on the public interface must also be limited. We will accept only ICMP (ping/traceroute), Winbox and SSH access over IP.
/ip firewall filter
add chain=input connection-state=established,related action=accept comment="accept established,related";
add chain=input connection-state=invalid action=drop;
add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP";
add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox";
add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH";
add chain=input in-interface=ether1 action=drop comment="block everything else";
Warning! If the public interface is PPPoE, in-interface should be set to "pppoe-out" instead of ether1; otherwise these rules never match traffic arriving over the PPPoE link and the final drop rule does not apply.
...
The solution to this problem is to change the source address of outgoing packets to the router's public IP. This is done with a NAT rule:
/ip firewall nat
add chain=srcnat out-interface=ether1 action=masquerade
Warning! If the public interface is PPPoE, out-interface should be set to "pppoe-out".
...
After a quick search on Google we find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC.
/ip firewall nat
add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
  action=dst-nat to-address=192.168.88.254
Warning! If you have set up strict firewall rules, allow the RDP protocol in the forward chain.
...
Security profiles are configured from the /interface wireless security-profiles menu in the terminal, or in Winbox/Webfig by clicking on Wireless to open the wireless window and choosing the Security Profiles tab.
/interface wireless security-profiles
add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
  wpa2-pre-shared-key=1234567890
If there are legacy devices which do not support WPA2 (like Windows XP), you may also want to allow the WPA protocol.
Warning! WPA and WPA2 pre-shared keys should not be the same.
Now that the security profile is ready, we can enable the wireless interface and set the desired parameters:
/interface wireless
enable wlan1;
set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
  mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
  security-profile=myProfile frequency-mode=regulatory-domain \
  country=latvia antenna-gain=3
To do the same from Winbox/Webfig:
...
The last step is to add the wireless interface to the local bridge, otherwise connected clients will not get an IP address:
/interface bridge port
add interface=wlan1 bridge=local
Now wireless clients should be able to connect to your access point, get an IP address and access the internet.
...
Now it is time to add some protection for the clients on our LAN. We will start with a basic set of rules.
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related \
  comment="fast-track for established,related";
add chain=forward action=accept connection-state=established,related \
  comment="accept established,related";
add chain=forward action=drop connection-state=invalid
add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
  in-interface=ether1 comment="drop access to clients behind NAT from WAN"
We start with rules similar to the input chain (accept established/related and drop invalid). Notice the first rule with action=fasttrack-connection: it lets established and related connections bypass the rest of the firewall, which significantly reduces CPU usage. Fast-tracked packets also bypass queues and the mangle table, so leave this rule out if you rely on those for LAN traffic.
...
For ease of rule management we will add several new chains and jump rules:
/ip firewall filter
add chain=forward action=jump jump-target=bogons
add chain=forward protocol=tcp action=jump jump-target=tcp
add chain=forward protocol=udp action=jump jump-target=udp
add chain=forward protocol=icmp action=jump jump-target=icmp
Chain "bogons" drops all connection attempts from/to bogon addresses:
/ip firewall filter
add chain=bogons src-address=0.0.0.0/8 action=drop
add chain=bogons dst-address=0.0.0.0/8 action=drop
add chain=bogons src-address=127.0.0.0/8 action=drop
add chain=bogons dst-address=127.0.0.0/8 action=drop
add chain=bogons src-address=224.0.0.0/3 action=drop
add chain=bogons dst-address=224.0.0.0/3 action=drop
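As an added example (not code from this wiki page), a small Python model of how RouterOS walks /ip firewall filter: rules in a chain are tried top to bottom, the first match decides, a jump hands the packet to a sub-chain and resumes if nothing there matched, and a packet that reaches the end of a built-in chain unmatched is accepted. Run over the input chain from the public-interface section and the forward-chain jump into bogons above, it shows why the PPPoE warning matters (rules with in-interface=ether1 never see traffic arriving on a PPPoE interface, so "block everything else" does not fire) and that port= matches either end of a connection, which is why dst-port= is the tighter choice. The packet dicts and the interface name pppoe-out1 are constructed; only the matchers used by these rules are modelled.

```python
import ipaddress, shlex
# Constructed sample (not a real export): the page's input chain and its forward-chain jump into "bogons".
RULES = """
add chain=input connection-state=established,related action=accept comment="accept established,related"
add chain=input connection-state=invalid action=drop
add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP"
add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox"
add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH"
add chain=input in-interface=ether1 action=drop comment="block everything else"
add chain=forward action=jump jump-target=bogons
add chain=bogons src-address=127.0.0.0/8 action=drop
add chain=bogons dst-address=127.0.0.0/8 action=drop
"""
NON_MATCHERS = {"chain", "action", "comment", "jump-target"}

def parse_rules(text):
    """Turn 'add key=value ...' lines into dicts; shlex keeps quoted comments whole."""
    return [dict(tok.split("=", 1) for tok in shlex.split(line)[1:])
            for line in text.strip().splitlines() if line.startswith("add ")]

def matches(rule, pkt):
    """Every matcher on the rule must agree with the packet (pkt is a plain dict)."""
    for key, want in rule.items():
        if key in NON_MATCHERS:
            continue
        if key == "connection-state":  # rule may list several allowed states
            ok = pkt.get(key) in want.split(",")
        elif key == "port":            # RouterOS 'port' matches src OR dst port
            ok = want in (str(pkt.get("src-port")), str(pkt.get("dst-port")))
        elif key in ("src-address", "dst-address"):
            ok = key in pkt and ipaddress.ip_address(pkt[key]) in ipaddress.ip_network(want)
        else:                          # in-interface, protocol, ...: exact match
            ok = pkt.get(key) == want
        if not ok:
            return False
    return True

def walk(rules, chain, pkt):
    """Action of the first matching rule in `chain`, or None if the chain falls through."""
    for rule in rules:
        if rule["chain"] != chain or not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"]
        result = walk(rules, rule["jump-target"], pkt)  # sub-chain decides...
        if result is not None:
            return result                                # ...or we resume this chain
    return None
def verdict(rules, chain, pkt):  # RouterOS accepts what reaches the end of a built-in chain unmatched
    return walk(rules, chain, pkt) or "accept"
```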
Create the tcp chain and deny some TCP ports in it:
/ip firewall filter
add chain=tcp protocol=tcp dst-port=69 action=drop \
  comment="deny TFTP"
add chain=tcp protocol=tcp dst-port=111 action=drop \
  comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=135 action=drop \
  comment="deny RPC portmapper"
add chain=tcp protocol=tcp dst-port=137-139 action=drop \
  comment="deny NBT"
add chain=tcp protocol=tcp dst-port=445 action=drop \
  comment="deny cifs"
add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"
Deny UDP ports in the udp chain:
/ip firewall filter
add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"
Allow only the needed ICMP types and codes in the icmp chain:
/ip firewall filter
add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
  comment="echo reply"
add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
  comment="net unreachable"
add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
  comment="host unreachable"
add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
  comment="host unreachable fragmentation required"
add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
  comment="allow source quench"
add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
  comment="allow echo request"
add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
  comment="allow time exceed"
add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
  comment="allow parameter bad"
add chain=icmp action=drop comment="deny all other types"
Blocking Unwanted Websites
...
First we need to add a NAT rule to redirect HTTP to our proxy. We will use the RouterOS built-in proxy server running on port 8080.
/ip firewall nat
add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
  action=redirect to-ports=8080
Enable the web proxy and deny some websites:
/ip proxy set enabled=yes
/ip proxy access add dst-host=www.facebook.com action=deny
/ip proxy access add dst-host=*.youtube.* action=deny
/ip proxy access add dst-host=:vimeo action=deny
Using Winbox:
- On the left menu navigate to IP -> Web Proxy;
- The Web Proxy Settings dialog will appear;
- Check the "Enable" checkbox and click on the "Apply" button;
- Then click on the "Access" button to open the "Web Proxy Access" dialog.
...