Howto mikrotik

From Vidalinux Wiki
Latest revision as of 14:49, 1 November 2024

initial setup

default ip address for router:

192.168.88.1

update user admin password:

/user set admin password=mypassword

add admin username:

/user add name=pedroadm group=full password="mypassword"

set timezone:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp:

/system ntp client set enabled=yes servers=us.pool.ntp.org

configure ip address:

/ip address add address=192.168.75.93/24 interface="ether1"

configure gateway:

/ip route add gateway=192.168.75.1

check routeros version:

/system resource print

update router os:

/system package update download

update router firmware:

/system routerboard upgrade

configure dns:

/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no

configure dhcp server:

/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.77.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2

configure firewall:

/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1

other commands

search for file on routeros:

/file print where name~".npk"

monitor interface ether1 using torch:

/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1

show the log (user logins and other events):

/log print

secure router

change ssh port:

/ip service set ssh port=5000

disable services:

/ip service disable telnet,winbox,ftp,api,api-ssl,www

specify static allowed address for winbox (a /24 mask allows every host in that subnet; use /32 to limit it to one host):

/ip service set winbox address=192.168.75.2/24

disable bandwidth server:

/tool bandwidth-server set enabled=no

disable proxy server:

/ip proxy set enabled=no
/ip socks set enabled=no

disable upnp service:

/ip upnp set enabled=no

disable dynamic ip service or ip cloud:

/ip cloud set ddns-enabled=no update-time=no

more secure ssh encryption:

/ip ssh set strong-crypto=yes

disable ipv6 neighbor discovery:

/ipv6 nd set [find] disabled=yes
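An added check, not part of the original page, that audits an "/export"-style dump against the secure router items above (services disabled, a management service restricted to one host, strong-crypto, upnp and ip cloud off); the same rule set covers the "disable following services" and "allow ssh only from" steps applied to each antenna below. The sample export is constructed, and the parser assumes the usual "/path set|add key=value" line shape.

```python
import ipaddress
import re
import shlex

# Constructed "/export"-style sample built from the secure router commands above
# (not a real device export). It deliberately omits api/api-ssl and leaves ssh
# without an allowed address, so the audit has something to report.
SAMPLE_EXPORT = """\
/ip service set telnet disabled=yes
/ip service set ftp disabled=yes
/ip service set www disabled=yes
/ip service set winbox disabled=yes address=192.168.75.2/24
/ip service set ssh port=5000
/ip ssh set strong-crypto=yes
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
"""
MUST_BE_OFF = ("telnet", "ftp", "www", "api", "api-ssl", "winbox")  # no "disabled=yes" line = still enabled
MUST_MATCH = (("/ip ssh", "strong-crypto", "yes"), ("/ip upnp", "enabled", "no"),
              ("/ip cloud", "ddns-enabled", "no"))

def parse_export(text):
    """Yield (path, target, props) per add/set line; target is None for 'add' lines."""
    for line in text.splitlines():
        m = re.match(r"^(/[\w -]+?) (?:add|set) (.*)$", line.strip())
        if not m:
            continue
        tokens = shlex.split(m.group(2))  # keeps comment="a b" as one token
        target = tokens[0] if tokens and "=" not in tokens[0] else None
        yield m.group(1), target, dict(t.split("=", 1) for t in tokens if "=" in t)

def audit(text):
    """Return the list of findings; an empty list means every check passed."""
    services, other = {}, {}
    for path, target, props in parse_export(text):
        if path == "/ip service" and target:
            services.setdefault(target, {}).update(props)
        else:
            other[path] = props
    findings = [f"service {n} is not disabled" for n in MUST_BE_OFF
                if services.get(n, {}).get("disabled") != "yes"]
    for name, props in services.items():
        if props.get("disabled") == "yes":
            continue
        addr = props.get("address")  # absent means reachable from any source
        if not addr or ipaddress.ip_network(addr, strict=False).num_addresses != 1:
            findings.append(f"service {name} allowed address '{addr or 'any'}' is not one host")
    findings += [f"{p} {k} should be {w}" for p, k, w in MUST_MATCH
                 if other.get(p, {}).get(k) != w]
    return findings
```

Feed it the output of "/export" copied from the router; an empty list means the section's settings are all in place.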

lhg 60g antennas

create eth0 configuration for subnet 192.168.88.0/24 using network manager:

nmcli con add con-name eth0-mikrotik-default ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.88.100/24 autoconnect no

create eth0 configuration for subnet 192.168.35.0/24 using network manager:

nmcli con add con-name eth0-mikrotik-anthena ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.35.100/24 autoconnect no

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

download latest winbox:

https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe

load winbox with wine:

wine winbox64.exe

when winbox loads on application top menu enable legacy mode:

tools / legacy mode

on first login to anthena1 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list interfaces mac addresses anthena1:

/interface print

create bridge interface anthena1:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge

configure w60g interface anthena1:

/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password=CHANGEME put-stations-in-bridge=bridge ssid=CHANGEME

create your security profile anthena1:

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=CHANGEME

add interfaces to bridge anthena1:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena1:

/ip address add address=192.168.35.1/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena1:

/ip route add distance=1 gateway=192.168.35.100

set nameservers to anthena1:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena1:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes

change ssh port on anthena1:

/ip service set ssh port=2389

allow ssh only from 192.168.35.100:

/ip service set ssh address=192.168.35.100/32

configure timezone on anthena1:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena1:

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

create another user with admin privileges:

/user add name=mynewuser password=mypassword group=full

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik-anthena

sharing my wireless internet to eth0 script:

cat > /usr/local/bin/sharenetwlan << EOF
#!/bin/bash
# forward traffic from the antenna subnet on eth0 out through the wireless uplink (wlan0)
echo "1" > /proc/sys/net/ipv4/ip_forward
# let reply traffic back in and through
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
# explicitly allow new connections from 192.168.35.0/24 out via wlan0 (needed when the FORWARD policy is DROP)
iptables -I FORWARD -s 192.168.35.0/24 -o wlan0 -j ACCEPT
# hide the subnet behind the wlan0 address
iptables -t nat -I POSTROUTING -s 192.168.35.0/24 -o wlan0 -j MASQUERADE
EOF

set permissions and run script:

chmod +x /usr/local/bin/sharenetwlan && /usr/local/bin/sharenetwlan

connect to anthena1 using ssh:

ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.1 -p2389

remove admin user:

/user remove admin

upgrade anthena1 firmware to latest version:

/system package update download

reboot anthena1:

/system reboot

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

connect to anthena2 using winbox:

wine winbox64.exe

on winbox application look for anthena2 ip address:

192.168.88.3

on first login to anthena2 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list interfaces mac addresses anthena2:

/interface print

create bridge interface anthena2:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge

configure w60g interface anthena2:

/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 password=CHANGEME ssid=CHANGEME

create your security profile anthena2:

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

add interfaces to bridge anthena2:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena2:

/ip address add address=192.168.35.2/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena2:

/ip route add distance=1 gateway=192.168.35.100

set nameservers to anthena2:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena2:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes

change ssh port on anthena2:

/ip service set ssh port=2389

allow ssh only from 192.168.35.100:

/ip service set ssh address=192.168.35.100/32

configure timezone on anthena2:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena2:

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

create another user with admin privileges:

/user add name=mynewuser password=mypassword group=full

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik-anthena

connect to anthena2 using ssh:

ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.2 -p2389

remove admin user:

/user remove admin

upgrade anthena2 firmware to latest version:

/system package update download

reboot anthena2:

/system reboot

wireguard

for wireguard support we need to switch to development channel:

/system package update set channel=development

then download the latest update:

/system package update download

reboot the router:

/system reboot

add wireguard interface:

/interface/wireguard add name=wg0 mtu=1420

add wireguard peer using server information:

/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0

add ip address to interface:

/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0

add the following on the server configuration:

[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32

restart wireguard on server:

systemctl restart wg-quick@wg0.service
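An added example, not part of the original page, that builds both sides of the peering above from the values in this section (the router's tunnel address and public key, the server's endpoint, key and tunnel subnet) and checks the two things that usually go wrong: a key that is not 32 base64-encoded bytes, and a router allowed-address that does not cover its own tunnel subnet. The AllowedIPs on the server is kept to the router's single /32 address, as the [Peer] stanza above does.

```python
import base64
import ipaddress

# Values from the wireguard section above: the router's tunnel address and key
# (the key pasted into the server's [Peer] stanza) and the server's endpoint,
# key and tunnel subnet as used in the "peers add" command.
ROUTER = {"address": "10.10.10.3/24",
          "public_key": "pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI="}
SERVER = {"endpoint": "12.34.56.78", "port": 51820, "allowed_address": "10.10.10.0/24",
          "public_key": "75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA="}

def valid_wg_key(key):
    """A WireGuard key is 32 bytes of Curve25519 data, base64-encoded (44 chars)."""
    try:
        return len(base64.b64decode(key, validate=True)) == 32
    except ValueError:  # bad characters or padding
        return False

def router_peer_command(server):
    """RouterOS v7 command that adds the server as the peer of wg0."""
    return ("/interface/wireguard/peers add interface=wg0 "
            f"endpoint-address={server['endpoint']} endpoint-port={server['port']} "
            f"persistent-keepalive=61 public-key=\"{server['public_key']}\" "
            f"allowed-address=\"{server['allowed_address']}\"")

def server_peer_stanza(router):
    """wg-quick [Peer] stanza for the router. AllowedIPs is the router's single
    tunnel address: WireGuard only accepts packets from, and routes packets to,
    the addresses listed for that key (cryptokey routing), so a /32 keeps the
    router from claiming the whole tunnel subnet."""
    host = ipaddress.ip_interface(router["address"]).ip
    return f"[Peer]\nPublicKey={router['public_key']}\nAllowedIPs={host}/32\n"

def check_pair(router, server):
    """Return findings for the two sides; [] means they are consistent."""
    findings = [f"{side} public key is not a 32-byte base64 key"
                for side, cfg in (("router", router), ("server", server))
                if not valid_wg_key(cfg["public_key"])]
    tunnel = ipaddress.ip_interface(router["address"]).network
    # the router only sends tunnel traffic that matches allowed-address on its side
    if not tunnel.subnet_of(ipaddress.ip_network(server["allowed_address"])):
        findings.append("router allowed-address does not cover its tunnel subnet")
    return findings
```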

references

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router