Howto mikrotik: Difference between revisions
No edit summary |
Mandulete1 (talk | contribs) |
(62 intermediate revisions by 2 users not shown) | |||
Line 1: | Line 1: | ||
= initial setup = | = initial setup = | ||
default ip address for router: | |||
192.168.88.1 | |||
update user admin password: | update user admin password: | ||
/user set admin password=mypassword | /user set admin password=mypassword | ||
add admin username: | |||
/user add name=pedroadm group=full password="mypassword" | |||
set timezone: | set timezone: | ||
/system clock set time-zone-name=America/Puerto_Rico | /system clock set time-zone-name=America/Puerto_Rico | ||
update clock with ntp: | update clock with ntp: | ||
/system ntp client set | /system ntp client set enable=yes servers=us.pool.ntp.org | ||
configure ip address: | |||
/ip address add address=192.168.75.93/24 interface="ether1" | |||
configure gateway: | |||
/ip route add gateway=192.168.75.1 | |||
check routeros version: | check routeros version: | ||
/system resource print | /system resource print | ||
update router os: | update router os: | ||
/system package update download | /system package update download | ||
update router firmware: | update router firmware: | ||
/system routerboard upgrade | /system routerboard upgrade | ||
configure dns: | configure dns: | ||
/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests= | /ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no | ||
configure dhcp server: | configure dhcp server: | ||
/ip address add address=172.16.77.244/24 interface=ether2 | /ip address add address=172.16.77.244/24 interface=ether2 | ||
/ip pool add name=dhcp-pool ranges=172.16. | /ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.7.100 | ||
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool | /ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool | ||
/ip dhcp-server network add address=172.16. | /ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2 | ||
configure firewall: | configure firewall: | ||
/ip firewall nat | /ip firewall nat | ||
add action=masquerade chain=srcnat src-address=172.16. | add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1 | ||
= other commands = | = other commands = | ||
search for file on routeros: | search for file on routeros: | ||
Line 38: | Line 36: | ||
monitor interface ether1 using torch: | monitor interface ether1 using torch: | ||
/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1 | /tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1 | ||
show user history log: | |||
/log print | |||
= secure router = | = secure router = | ||
change ssh port: | change ssh port: | ||
/ip service set ssh port=5000 | /ip service set ssh port=5000 | ||
disable services: | |||
/ip services disable telnet,winbox,ftp,api,api-ssl,www | |||
specify static allowed address for winbox: | |||
/ip service set winbox address=192.168.75.2/24 | |||
disable bandwith server: | |||
/tool bandwidth-server set enabled=no | |||
disable proxy server: | |||
/ip proxy set enabled=no | |||
/ip socks set enabled=no | |||
disable upnp service: | |||
/ip upnp set enabled=no | |||
disable dynamic ip service or ip cloud: | |||
/ip cloud set ddns-enabled=no update-time=no | |||
more secure ssh encryption: | |||
/ip ssh set strong-crypto=yes | |||
disable ipv6: | |||
/ipv6 nd set [find] disabled=yes | |||
= lhg 60g anthenas = | |||
create eth0 configuration for subnet 192.168.88.0/24 using network manager: | |||
nmcli con add con-name eth0-mikrotik-default ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.88.100/24 autoconnect no | |||
create eth0 configuration for subnet 192.168.35.0/24 using network manager: | |||
nmcli con add con-name eth0-mikrotik-anthena ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.35.100/24 autoconnect no | |||
start eth0 configuration for subnet 192.168.88.0/24: | |||
nmcli con up eth0-mikrotik-default | |||
download latest winbox: | |||
https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe | |||
load winbox with wine: | |||
wine winbox64.exe | |||
when winbox loads on application top menu enable legacy mode: | |||
tools / legacy mode | |||
on first login to anthena1 reset configuration: | |||
remove this default configuration type "r" or hit any other key to continue | |||
list interfaces mac addresses anthena1: | |||
/interface print | |||
create bridge interface anthena1: | |||
/interface bridge add admin-mac='''CHANGEME''' auto-mac=no comment=defconf name=bridge | |||
configure w60g interface anthena1: | |||
/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password='''CHANGEME''' put-stations-in-bridge=bridge ssid='''CHANGEME''' | |||
create your security profile anthena1: | |||
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key='''CHANGEME''' | |||
add interfaces to bridge anthena1: | |||
/interface bridge port | |||
add bridge=bridge comment=defconf interface=ether1 | |||
add bridge=bridge comment=defconf interface=wlan60-1 | |||
set ip address to bridge interface anthena1: | |||
/ip address add address=192.168.35.1/24 comment=defconf interface=bridge network=192.168.35.0 | |||
set gateway to anthena1: | |||
/ip route add distance=1 gateway=192.168.35.100 | |||
set nameserers to anthena1: | |||
/ip dns set servers=4.2.2.1,4.2.2.2 | |||
disable following services on anthena1: | |||
/ip service | |||
set telnet disabled=yes | |||
set ftp disabled=yes | |||
set www disabled=yes | |||
set api disabled=yes | |||
set api-ssl disabled=yes | |||
set winbox disabled=yes | |||
change ssh port on anthena1: | |||
/ip service set ssh port=2389 | |||
allow ssh only from 192.168.35.100: | |||
/ip service set ssh address=192.168.35.100/32 | |||
configure timezone on anthena1: | |||
/system clock set time-zone-name=America/Puerto_Rico | |||
update clock with ntp on anthena1: | |||
/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org | |||
create another user with admin priviliges: | |||
/user add name=mynewuser password=mypassword group=full | |||
start eth0 configuration for subnet 192.168.35.0/24: | |||
nmcli con up eth0-mikrotik-anthena | |||
sharing my wireless internet to eth0 script: | |||
cat > /usr/local/bin/sharenetwlan << EOF | |||
#!/bin/bash | |||
echo "1" > /proc/sys/net/ipv4/ip_forward | |||
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT | |||
iptables -t nat -I POSTROUTING -s 192.168.35.0/24 -o wlan0 -j MASQUERADE | |||
EOF | |||
set permissions and run script: | |||
chmod +x /usr/local/bin/sharenetwlan && /usr/local/bin/sharenetwlan | |||
connect to anthena1 using ssh: | |||
ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.1 -p2389 | |||
remove admin user: | |||
/user remove admin | |||
upgrade anthena1 firmware to latest version: | |||
/system package update download | |||
reboot anthena1: | |||
/system reboot | |||
start eth0 configuration for subnet 192.168.88.0/24: | |||
nmcli con up eth0-mikrotik-default | |||
connect to anthena2 using winbox: | |||
wine winbox64.exe | |||
on winbox application look for anthena2 ip address: | |||
192.168.88.3 | |||
on first login to anthena2 reset configuration: | |||
remove this default configuration type "r" or hit any other key to continue | |||
list interfaces mac addresses anthena2: | |||
/interface print | |||
create bridge interface anthena2: | |||
/interface bridge add admin-mac='''CHANGEME''' auto-mac=no comment=defconf name=bridge | |||
configure w60g interface anthena2: | |||
/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 password='''CHANGEME''' ssid='''CHANGEME''' | |||
create your security profile anthena2: | |||
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik | |||
add interfaces to bridge anthena2: | |||
/interface bridge port | |||
add bridge=bridge comment=defconf interface=ether1 | |||
add bridge=bridge comment=defconf interface=wlan60-1 | |||
set ip address to bridge interface anthena2: | |||
/ip address add address=192.168.35.2/24 comment=defconf interface=bridge network=192.168.35.0 | |||
set gateway to anthena2: | |||
/ip route add distance=1 gateway=192.168.35.100 | |||
set nameserers to anthena2: | |||
/ip dns set servers=4.2.2.1,4.2.2.2 | |||
disable following services on anthena2: | |||
/ip service | |||
set telnet disabled=yes | |||
set ftp disabled=yes | |||
set www disabled=yes | |||
set api disabled=yes | |||
set api-ssl disabled=yes | |||
set winbox disabled=yes | |||
change ssh port on anthena2: | |||
/ip service set ssh port=2389 | |||
allow ssh only from 192.168.35.100: | |||
/ip service set ssh address=192.168.35.100/32 | |||
configure timezone on anthena2: | |||
/system clock set time-zone-name=America/Puerto_Rico | |||
update clock with ntp on anthena2: | |||
/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org | |||
create another user with admin priviliges: | |||
/user add name=mynewuser password=mypassword group=full | |||
start eth0 configuration for subnet 192.168.35.0/24: | |||
nmcli con up eth0-mikrotik-anthena | |||
connect to anthena2 using ssh: | |||
ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.2 -p2389 | |||
remove admin user: | |||
/user remove admin | |||
upgrade anthena2 firmware to latest version: | |||
/system package update download | |||
reboot anthena2: | |||
/system reboot | |||
= wireguard = | = wireguard = | ||
for wireguard support we need to switch to development channel: | for wireguard support we need to switch to development channel: | ||
Line 51: | Line 195: | ||
/interface/wireguard add name=wg0 mtu=1420 | /interface/wireguard add name=wg0 mtu=1420 | ||
add wireguard peer using server information: | add wireguard peer using server information: | ||
/interface/wireguard/peers add endpoint=12.34.56.78 | /interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0 | ||
add ip address to interface: | add ip address to interface: | ||
/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0 | /ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0 | ||
Line 60: | Line 204: | ||
restart wireguard on server: | restart wireguard on server: | ||
systemctl restart wg-quick@wg0.service | systemctl restart wg-quick@wg0.service | ||
= references = | |||
* https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router |
Latest revision as of 14:49, 1 November 2024
initial setup
default ip address for router:
192.168.88.1
update user admin password:
/user set admin password=mypassword
add an admin user:
/user add name=pedroadm group=full password="mypassword"
set timezone:
/system clock set time-zone-name=America/Puerto_Rico
update clock with ntp:
/system ntp client set enabled=yes servers=us.pool.ntp.org
configure ip address:
/ip address add address=192.168.75.93/24 interface="ether1"
configure gateway:
/ip route add gateway=192.168.75.1
check routeros version:
/system resource print
update router os:
/system package update download
update router firmware:
/system routerboard upgrade
configure dns:
/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no
configure dhcp server:
/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.7.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2
configure firewall:
/ip firewall nat add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1
other commands
search for file on routeros:
/file print where name~".npk"
monitor interface ether1 using torch:
/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1
show user history log:
/log print
secure router
change ssh port:
/ip service set ssh port=5000
disable services:
/ip service disable telnet,winbox,ftp,api,api-ssl,www
restrict winbox to an allowed source address (the /24 mask below admits the whole 192.168.75.0/24 subnet; use /32 to allow a single host):
/ip service set winbox address=192.168.75.2/24
disable bandwidth server:
/tool bandwidth-server set enabled=no
disable proxy server:
/ip proxy set enabled=no
/ip socks set enabled=no
disable upnp service:
/ip upnp set enabled=no
disable dynamic ip service or ip cloud:
/ip cloud set ddns-enabled=no update-time=no
more secure ssh encryption:
/ip ssh set strong-crypto=yes
disable ipv6 neighbor discovery (this only disables nd / router advertisements, not the ipv6 stack itself):
/ipv6 nd set [find] disabled=yes
lhg 60g anthenas
create eth0 configuration for subnet 192.168.88.0/24 using network manager:
nmcli con add con-name eth0-mikrotik-default ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.88.100/24 autoconnect no
create eth0 configuration for subnet 192.168.35.0/24 using network manager:
nmcli con add con-name eth0-mikrotik-anthena ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.35.100/24 autoconnect no
start eth0 configuration for subnet 192.168.88.0/24:
nmcli con up eth0-mikrotik-default
download latest winbox:
https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe
load winbox with wine:
wine winbox64.exe
when winbox loads on application top menu enable legacy mode:
tools / legacy mode
on first login to anthena1 reset configuration:
remove this default configuration type "r" or hit any other key to continue
list interfaces mac addresses anthena1:
/interface print
create bridge interface anthena1:
/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge
configure w60g interface anthena1:
/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password=CHANGEME put-stations-in-bridge=bridge ssid=CHANGEME
create your security profile anthena1:
/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=CHANGEME
add interfaces to bridge anthena1:
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1
set ip address to bridge interface anthena1:
/ip address add address=192.168.35.1/24 comment=defconf interface=bridge network=192.168.35.0
set gateway to anthena1:
/ip route add distance=1 gateway=192.168.35.100
set nameservers on anthena1:
/ip dns set servers=4.2.2.1,4.2.2.2
disable following services on anthena1:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes
change ssh port on anthena1:
/ip service set ssh port=2389
allow ssh only from 192.168.35.100:
/ip service set ssh address=192.168.35.100/32
configure timezone on anthena1:
/system clock set time-zone-name=America/Puerto_Rico
update clock with ntp on anthena1:
/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org
create another user with admin privileges:
/user add name=mynewuser password=mypassword group=full
start eth0 configuration for subnet 192.168.35.0/24:
nmcli con up eth0-mikrotik-anthena
sharing my wireless internet to eth0 script:
cat > /usr/local/bin/sharenetwlan << EOF
#!/bin/bash
echo "1" > /proc/sys/net/ipv4/ip_forward
iptables -I INPUT -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m state --state RELATED,ESTABLISHED -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.35.0/24 -o wlan0 -j MASQUERADE
EOF
set permissions and run script:
chmod +x /usr/local/bin/sharenetwlan && /usr/local/bin/sharenetwlan
connect to anthena1 using ssh (the HostKeyAlgorithms=+ssh-rsa option re-enables the legacy SHA-1 ssh-rsa host key algorithm that newer OpenSSH clients reject by default; drop it if the router offers a stronger host key):
ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.1 -p2389
remove admin user:
/user remove admin
upgrade anthena1 firmware to latest version:
/system package update download
reboot anthena1:
/system reboot
start eth0 configuration for subnet 192.168.88.0/24:
nmcli con up eth0-mikrotik-default
connect to anthena2 using winbox:
wine winbox64.exe
on winbox application look for anthena2 ip address:
192.168.88.3
on first login to anthena2 reset configuration:
remove this default configuration type "r" or hit any other key to continue
list interfaces mac addresses anthena2:
/interface print
create bridge interface anthena2:
/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge
configure w60g interface anthena2:
/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 password=CHANGEME ssid=CHANGEME
create your security profile anthena2:
/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik
add interfaces to bridge anthena2:
/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1
set ip address to bridge interface anthena2:
/ip address add address=192.168.35.2/24 comment=defconf interface=bridge network=192.168.35.0
set gateway to anthena2:
/ip route add distance=1 gateway=192.168.35.100
set nameservers on anthena2:
/ip dns set servers=4.2.2.1,4.2.2.2
disable following services on anthena2:
/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes
change ssh port on anthena2:
/ip service set ssh port=2389
allow ssh only from 192.168.35.100:
/ip service set ssh address=192.168.35.100/32
configure timezone on anthena2:
/system clock set time-zone-name=America/Puerto_Rico
update clock with ntp on anthena2:
/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org
create another user with admin privileges:
/user add name=mynewuser password=mypassword group=full
start eth0 configuration for subnet 192.168.35.0/24:
nmcli con up eth0-mikrotik-anthena
connect to anthena2 using ssh (the HostKeyAlgorithms=+ssh-rsa option re-enables the legacy SHA-1 ssh-rsa host key algorithm that newer OpenSSH clients reject by default; drop it if the router offers a stronger host key):
ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.2 -p2389
remove admin user:
/user remove admin
upgrade anthena2 firmware to latest version:
/system package update download
reboot anthena2:
/system reboot
wireguard
for wireguard support we need to switch to development channel:
/system package update set channel=development
then download the latest update:
/system package update download
reboot the router:
/system reboot
add wireguard interface:
/interface/wireguard add name=wg0 mtu=1420
add wireguard peer using server information:
/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0
add ip address to interface:
/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0
add the following on the server configuration:
[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32
restart wireguard on server:
systemctl restart wg-quick@wg0.service