...

/system reset-configuration no-defaults=yes skip-backup=yes

...

To set this in RouterOS we will manually add an IP address, add a default route with the provided gateway and set up the DNS server:

/ip address add address=1.2.3.100/24 interface=ether1
/ip route add gateway=1.2.3.1
/ip dns set servers=8.8.8.8

PPPoE connection

A PPPoE connection also gives you a dynamic IP address and can configure DNS and the default gateway dynamically. Typically the service provider (ISP) gives you a username and password for the connection:

/interface pppoe-client
  add disabled=no interface=ether1 user=me password=123 \
    add-default-route=yes use-peer-dns=yes

Winbox/Webfig actions:

  • Open the PPP window; the Interfaces tab should be selected;
  • Click on the + button and choose PPPoE Client from the dropdown list; a new dialog will open;
  • Select interface ether1 from the dropdown list and click on the Ok button to apply the settings.

...

[admin@MikroTik] /tool mac-server> print
Flags: X - disabled, * - default
 #    INTERFACE
 0  * all

/tool mac-server
  disable 0;
  add interface=local;

Do the same for Winbox MAC access:

/tool mac-server mac-winbox
  disable 0;
  add interface=local;

Winbox/Webfig actions:

  • Open the Tools -> Mac Server window; the Telnet Interfaces tab should be selected;
  • Click on the + button; a new dialog will open;
  • Select interface local from the dropdown list and click on the Ok button to apply the settings;
  • From the list of entries in the Telnet Interfaces tab select all and click on x to disable the selected entry.

...

IP connectivity on the public interface must also be limited. We will accept only ICMP (ping/traceroute), IP Winbox and SSH access:

/ip firewall filter
  add chain=input connection-state=established,related action=accept comment="accept established,related";
  add chain=input connection-state=invalid action=drop;
  add chain=input in-interface=ether1 protocol=icmp action=accept comment="allow ICMP";
  add chain=input in-interface=ether1 protocol=tcp port=8291 action=accept comment="allow Winbox";
  add chain=input in-interface=ether1 protocol=tcp port=22 action=accept comment="allow SSH";
  add chain=input in-interface=ether1 action=drop comment="block everything else";

Warning! If the public interface is pppoe, then in-interface should be set to "pppoe-out".

...

The solution for this problem is to change the source address of outgoing packets to the router's public IP. This can be done with a NAT rule:

/ip firewall nat
  add chain=srcnat out-interface=ether1 action=masquerade

Warning! If the public interface is pppoe, then out-interface should be set to "pppoe-out".

...

After a quick search on Google we find out that RDP runs on TCP port 3389. Now we can add a destination NAT rule to redirect RDP to the client's PC:

/ip firewall nat
  add chain=dstnat protocol=tcp port=3389 in-interface=ether1 \
    action=dst-nat to-address=192.168.88.254

Warning! If you have set up strict firewall rules, allow the RDP protocol in the forward chain.

...

Security profiles are configured from the /interface wireless security-profiles menu in the terminal, or in Winbox/Webfig click on Wireless to open the wireless window and choose the Security Profiles tab:

/interface wireless security-profiles
  add name=myProfile authentication-types=wpa2-psk mode=dynamic-keys \
    wpa2-pre-shared-key=1234567890

If there are legacy devices that do not support WPA2 (like Windows XP), you may also want to allow the WPA protocol.
Warning! The WPA and WPA2 pre-shared keys should not be the same.

Now that the security profile is ready we can enable the wireless interface and set the desired parameters:

/interface wireless
  enable wlan1;
  set wlan1 band=2ghz-b/g/n channel-width=20/40mhz-Ce distance=indoors \
    mode=ap-bridge ssid=MikroTik-006360 wireless-protocol=802.11 \
    security-profile=myProfile frequency-mode=regulatory-domain \
    country=latvia antenna-gain=3

To do the same from Winbox/Webfig:

...

The last step is to add the wireless interface to the local bridge, otherwise connected clients will not get an IP address:

/interface bridge port
  add interface=wlan1 bridge=local

Now wireless clients should be able to connect to your access point, get an IP address and access the internet.

...

Now it is time to add some protection for the clients on our LAN. We will start with a basic set of rules:

/ip firewall filter
  add chain=forward action=fasttrack-connection connection-state=established,related \
    comment="fast-track for established,related";
  add chain=forward action=accept connection-state=established,related \
    comment="accept established,related";
  add chain=forward action=drop connection-state=invalid
  add chain=forward action=drop connection-state=new connection-nat-state=!dstnat \
    in-interface=ether1 comment="drop access to clients behind NAT from WAN"

We start with rules similar to the input chain (accept established/related and drop invalid). Notice the first rule with action=fasttrack-connection: it allows established and related connections to bypass the firewall and significantly reduces CPU usage.

...

For ease of rule management we will add several new chains and jump rules:

/ip firewall filter
  add chain=forward action=jump jump-target=bogons
  add chain=forward protocol=tcp action=jump jump-target=tcp
  add chain=forward protocol=udp action=jump jump-target=udp
  add chain=forward protocol=icmp action=jump jump-target=icmp

The "bogons" chain drops all connection attempts from/to bogon addresses:

/ip firewall filter
  add chain=bogons src-address=0.0.0.0/8 action=drop
  add chain=bogons dst-address=0.0.0.0/8 action=drop
  add chain=bogons src-address=127.0.0.0/8 action=drop
  add chain=bogons dst-address=127.0.0.0/8 action=drop
  add chain=bogons src-address=224.0.0.0/3 action=drop
  add chain=bogons dst-address=224.0.0.0/3 action=drop

Create the tcp chain and deny some TCP ports in it:

/ip firewall filter
  add chain=tcp protocol=tcp dst-port=69 action=drop \
    comment="deny TFTP"
  add chain=tcp protocol=tcp dst-port=111 action=drop \
    comment="deny RPC portmapper"
  add chain=tcp protocol=tcp dst-port=135 action=drop \
    comment="deny RPC portmapper"
  add chain=tcp protocol=tcp dst-port=137-139 action=drop \
    comment="deny NBT"
  add chain=tcp protocol=tcp dst-port=445 action=drop \
    comment="deny cifs"
  add chain=tcp protocol=tcp dst-port=2049 action=drop comment="deny NFS"
  add chain=tcp protocol=tcp dst-port=12345-12346 action=drop comment="deny NetBus"
  add chain=tcp protocol=tcp dst-port=20034 action=drop comment="deny NetBus"
  add chain=tcp protocol=tcp dst-port=3133 action=drop comment="deny BackOrifice"
  add chain=tcp protocol=tcp dst-port=67-68 action=drop comment="deny DHCP"

Deny UDP ports in the udp chain:

/ip firewall filter
  add chain=udp protocol=udp dst-port=69 action=drop comment="deny TFTP"
  add chain=udp protocol=udp dst-port=111 action=drop comment="deny RPC portmapper"
  add chain=udp protocol=udp dst-port=135 action=drop comment="deny RPC portmapper"
  add chain=udp protocol=udp dst-port=137-139 action=drop comment="deny NBT"
  add chain=udp protocol=udp dst-port=2049 action=drop comment="deny NFS"
  add chain=udp protocol=udp dst-port=3133 action=drop comment="deny BackOrifice"

Allow only the needed ICMP types and codes in the icmp chain:

/ip firewall filter
  add chain=icmp protocol=icmp icmp-options=0:0 action=accept \
    comment="echo reply"
  add chain=icmp protocol=icmp icmp-options=3:0 action=accept \
    comment="net unreachable"
  add chain=icmp protocol=icmp icmp-options=3:1 action=accept \
    comment="host unreachable"
  add chain=icmp protocol=icmp icmp-options=3:4 action=accept \
    comment="host unreachable fragmentation required"
  add chain=icmp protocol=icmp icmp-options=4:0 action=accept \
    comment="allow source quench"
  add chain=icmp protocol=icmp icmp-options=8:0 action=accept \
    comment="allow echo request"
  add chain=icmp protocol=icmp icmp-options=11:0 action=accept \
    comment="allow time exceed"
  add chain=icmp protocol=icmp icmp-options=12:0 action=accept \
    comment="allow parameter bad"
  add chain=icmp action=drop comment="deny all other types"
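The input chain, the forward chain and the jump chains above depend on rule order, on the jump semantics and on the interface name from the pppoe-out warning. The following Python model is an added example, not code from the MikroTik wiki: it transcribes the page's input, forward, tcp and icmp rules (udp and bogons are left out for brevity) and walks packets, built here as plain dicts, through them with RouterOS chain semantics so the effect of each rule can be checked before the rules reach a router.

```python
# Added example, not code from the MikroTik wiki: a model of RouterOS filter-chain
# evaluation (first match wins; a jump returns to the caller when the target chain
# falls through; no match at all means accept). Tables transcribe the page's rules.
RULES = {
    "input": [
        dict(state={"established", "related"}, action="accept"),
        dict(state={"invalid"}, action="drop"),
        dict(iface="ether1", proto="icmp", action="accept"),
        dict(iface="ether1", proto="tcp", dport=(8291, 8291), action="accept"),
        dict(iface="ether1", proto="tcp", dport=(22, 22), action="accept"),
        dict(iface="ether1", action="drop"),  # "block everything else"
    ],
    "forward": [
        dict(state={"established", "related"}, action="accept"),  # fasttrack + accept
        dict(state={"invalid"}, action="drop"),
        dict(state={"new"}, not_nat="dstnat", iface="ether1", action="drop"),
        dict(action="jump", target="tcp", proto="tcp"),
        dict(action="jump", target="icmp", proto="icmp"),
    ],
    "tcp": [dict(proto="tcp", dport=p, action="drop") for p in (
        (69, 69), (111, 111), (135, 135), (137, 139), (445, 445), (2049, 2049),
        (12345, 12346), (20034, 20034), (3133, 3133), (67, 68))],
    "icmp": [dict(proto="icmp", icmp=t, action="accept") for t in (
        (0, 0), (3, 0), (3, 1), (3, 4), (4, 0), (8, 0), (11, 0), (12, 0))]
    + [dict(action="drop")],  # "deny all other types"
}

def matches(rule, pkt):
    # Every matcher present in the rule must hold; "action"/"target" are not matchers.
    for key, want in rule.items():
        if key == "state" and pkt["state"] not in want:
            return False
        if key == "not_nat" and pkt.get("nat") == want:  # connection-nat-state=!dstnat
            return False
        if key == "dport" and not want[0] <= pkt.get("dport", -1) <= want[1]:
            return False
        if key in ("iface", "proto", "icmp") and pkt.get(key) != want:
            return False
    return True

def walk(chain, pkt, top=True):
    for rule in RULES[chain]:
        if not matches(rule, pkt):
            continue
        if rule["action"] != "jump":
            return rule["action"]  # first matching terminal rule decides
        verdict = walk(rule["target"], pkt, top=False)
        if verdict is not None:
            return verdict  # target chain fell through: resume after the jump rule
    return "accept" if top else None  # no match: default policy / return to caller
```

Running a new TCP connection with iface "pppoe-out" through the input chain returns "accept" for any port, because none of the page's interface-bound rules, including the final drop, match; that is the situation the pppoe-out warning describes.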


Blocking Unwanted Websites

...

First we need to add a NAT rule to redirect HTTP to our proxy. We will use the RouterOS built-in proxy server running on port 8080:

/ip firewall nat
  add chain=dstnat protocol=tcp dst-port=80 src-address=192.168.88.0/24 \
    action=redirect to-ports=8080

Enable the web proxy and deny some websites:

/ip proxy set enabled=yes
/ip proxy access add dst-host=www.facebook.com action=deny
/ip proxy access add dst-host=*.youtube.* action=deny
/ip proxy access add dst-host=:vimeo action=deny

Using Winbox

  • In the left menu navigate to IP -> Web Proxy;
  • The Web Proxy Settings dialog will appear;
  • Check the "Enable" checkbox and click on the "Apply" button;
  • Then click on the "Access" button to open the "Web Proxy Access" dialog.

...