Howto mikrotik

Latest revision as of 14:49, 1 November 2024

initial setup

default ip address for router:

192.168.88.1

update user admin password:

/user set admin password=mypassword

add your own admin user (so the default admin account can be removed later):

/user add name=pedroadm group=full password="mypassword"

set timezone:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp (RouterOS v7 syntax):

/system ntp client set enabled=yes servers=us.pool.ntp.org

configure ip address:

/ip address add address=192.168.75.93/24 interface="ether1"

configure gateway:

/ip route add gateway=192.168.75.1

check routeros version:

/system resource print

update routeros (the downloaded packages are installed on the next reboot):

/system package update download

update routerboard firmware (also applied on the next reboot; run it after the routeros update so the two versions match):

/system routerboard upgrade

configure dns:

/ip dns set servers=4.2.2.1,4.2.2.2 allow-remote-requests=no

configure dhcp server:

/ip address add address=172.16.77.244/24 interface=ether2
/ip pool add name=dhcp-pool ranges=172.16.77.50-172.16.77.100
/ip dhcp-server add name=dhcp interface=ether2 address-pool=dhcp-pool
/ip dhcp-server network add address=172.16.77.0/24 gateway=172.16.77.244 dns-server=4.2.2.1,4.2.2.2

configure nat (this only masquerades the lan behind ether1; it is not a packet filter, so the router and the lan are still fully reachable from ether1 until filter rules are added):

/ip firewall nat
add action=masquerade chain=srcnat src-address=172.16.77.0/24 comment="nat rule for internet on 172.16.77.0 subnet" disabled=no out-interface=ether1
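The nat rule above only rewrites source addresses; nothing yet decides what may reach the router or be forwarded into the lan. The following is an added example, not from the original howto, of a minimal stateful filter for this layout. It assumes ether1 is the internet uplink and ether2 is the 172.16.77.0/24 lan; the WAN/LAN interface lists are created here (skip those two adds if the default configuration already created them). The nat rule from the howto stays as it is.

```routeros
# added example: stateful firewall for the initial-setup layout
# assumptions: ether1 = internet uplink, ether2 = lan 172.16.77.0/24
/interface list add name=WAN
/interface list add name=LAN
/interface list member add list=WAN interface=ether1
/interface list member add list=LAN interface=ether2

/ip firewall filter
# input chain: packets addressed to the router itself
add chain=input action=accept connection-state=established,related,untracked comment="replies to router-initiated traffic"
add chain=input action=drop connection-state=invalid comment="drop broken state"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=accept in-interface-list=LAN comment="management (ssh/winbox) only from the lan"
add chain=input action=drop in-interface-list=!LAN comment="everything else, including all of ether1"

# forward chain: packets routed through the router
add chain=forward action=accept connection-state=established,related,untracked
add chain=forward action=drop connection-state=invalid
add chain=forward action=accept in-interface-list=LAN out-interface-list=WAN comment="lan to internet"
add chain=forward action=accept connection-nat-state=dstnat in-interface-list=WAN comment="only explicitly port-forwarded inbound"
add chain=forward action=drop in-interface-list=WAN comment="drop unsolicited inbound"

# check: counters on the accept rules climb while a lan host browses,
# and the last input rule counts anything probing ether1
/ip firewall filter print stats
```

Apply this from a lan-side session, or first enter safe mode (Ctrl+X in the terminal) so the changes are reverted if your own session is cut. Rule order matters: the lan accept must sit above the final drop, and dropping on `!LAN` also covers any interface added later, which a drop naming ether1 alone would not.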

other commands

search for file on routeros:

/file print where name~".npk"

monitor interface ether1 using torch:

/tool torch ip-protocol=any port=any src-address=0.0.0.0/0 interface=ether1

show the system log (logins, failed login attempts, configuration changes):

/log print

secure router

change ssh port:

/ip service set ssh port=5000

disable the services you do not use (each is a remote login or file-transfer path; ssh stays enabled):

/ip service disable telnet,winbox,ftp,api,api-ssl,www

if winbox stays enabled, restrict it to a trusted source (the /24 below admits the whole 192.168.75.0/24 subnet; use 192.168.75.2/32 for a single host):

/ip service set winbox address=192.168.75.2/24

disable bandwidth server:

/tool bandwidth-server set enabled=no

disable proxy server:

/ip proxy set enabled=no
/ip socks set enabled=no

disable upnp service:

/ip upnp set enabled=no

disable dynamic ip service or ip cloud:

/ip cloud set ddns-enabled=no update-time=no

more secure ssh encryption:

/ip ssh set strong-crypto=yes

disable ipv6 router advertisements and neighbor discovery (this does not turn the ipv6 stack itself off):

/ipv6 nd set [find] disabled=yes
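The restrictions above are address-based, and MAC-level Winbox/Telnet, neighbor discovery and RoMON ignore them; the `/ipv6 nd` change also leaves the ipv6 stack running. The following is an added example, not from the original howto, that closes those paths and moves ssh to key authentication. It assumes the admin user pedroadm from the initial setup, a management host at 192.168.75.2, and that your public key has already been copied to the router's file list as pedroadm.pub (for example with scp over the ssh service).

```routeros
# added example: management-plane hardening beyond /ip service
# assumptions: admin user pedroadm, management host 192.168.75.2,
# public key already uploaded to the router's file list as pedroadm.pub

# mac telnet / mac winbox answer on every port regardless of /ip service address
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
# stop announcing the router (MNDP/CDP/LLDP) and disable RoMON layer-2 management
/ip neighbor discovery-settings set discover-interface-list=none
/tool romon set enabled=no

# keep only ssh reachable, and only from the management host
/ip service disable telnet,ftp,www,www-ssl,api,api-ssl,winbox
/ip service set ssh port=5000 address=192.168.75.2/32
# modern ciphers only; once a key is imported for the user, password login for it stays off
/ip ssh set strong-crypto=yes allow-none-crypto=no always-allow-password-login=no
/user ssh-keys import public-key-file=pedroadm.pub user=pedroadm
# bind the account itself to the management host as well
/user set pedroadm allowed-address=192.168.75.2/32

# turn the ipv6 stack off (RouterOS v7) instead of only silencing router advertisements
/ipv6 settings set disable-ipv6=yes

# verify: only ssh should show disabled=no, with the address restriction,
# and both mac servers should list no allowed interfaces
/ip service print
/tool mac-server print
/tool mac-server mac-winbox print
/user ssh-keys print
```

Test the key login from a second session before closing the one you are in: with password login gone, a lost key leaves only the serial console or Netinstall as a way back in.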

lhg 60g antennas

create eth0 configuration for subnet 192.168.88.0/24 using network manager:

nmcli con add con-name eth0-mikrotik-default ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.88.100/24 autoconnect no

create eth0 configuration for subnet 192.168.35.0/24 using network manager:

nmcli con add con-name eth0-mikrotik-anthena ifname eth0 type ethernet ipv4.method manual ipv4.address 192.168.35.100/24 autoconnect no

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

download winbox (3.41 at the time of writing):

https://download.mikrotik.com/routeros/winbox/3.41/winbox64.exe

run winbox with wine:

wine winbox64.exe

when winbox loads, enable legacy mode from the top menu:

tools / legacy mode

on first login to anthena1 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list the interfaces and their mac addresses on anthena1 (use the ether1 mac as admin-mac below):

/interface print

create bridge interface anthena1:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge 

configure w60g interface anthena1:

/interface w60g set [ find ] disabled=no frequency=58320 mode=bridge name=wlan60-1 password=CHANGEME put-stations-in-bridge=bridge ssid=CHANGEME

set the default wireless security profile on anthena1 (the 60 GHz link itself is protected by the w60g password above; this profile applies only to ordinary wireless interfaces):

/interface wireless security-profiles set [ find default=yes ] authentication-types=wpa2-psk,wpa2-eap mode=dynamic-keys supplicant-identity=MikroTik wpa2-pre-shared-key=CHANGEME

add interfaces to bridge anthena1:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena1:

/ip address add address=192.168.35.1/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena1:

/ip route add distance=1 gateway=192.168.35.100

set nameservers on anthena1:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena1:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes

change ssh port on anthena1:

/ip service set ssh port=2389

allow ssh only from 192.168.35.100:

/ip service set ssh address=192.168.35.100/32

configure timezone on anthena1:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena1 (RouterOS v6 syntax; v7 uses servers= as in the initial setup):

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

create another user with admin privileges:

/user add name=mynewuser password=mypassword group=full

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik-anthena

script to share the laptop's wireless internet with the antenna subnet on eth0:

cat > /usr/local/bin/sharenetwlan << 'EOF'
#!/bin/bash
# forward 192.168.35.0/24 (eth0) out through wlan0 behind NAT
set -e
echo 1 > /proc/sys/net/ipv4/ip_forward
# replies to connections opened by the laptop or the antennas
iptables -I INPUT -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
iptables -I FORWARD -m conntrack --ctstate RELATED,ESTABLISHED -j ACCEPT
# new connections only from the antenna subnet, eth0 -> wlan0
# (required when the FORWARD chain policy is DROP, as with firewalld)
iptables -I FORWARD -i eth0 -o wlan0 -s 192.168.35.0/24 -j ACCEPT
iptables -t nat -I POSTROUTING -s 192.168.35.0/24 -o wlan0 -j MASQUERADE
EOF

set permissions and run script:

chmod +x /usr/local/bin/sharenetwlan && /usr/local/bin/sharenetwlan

connect to anthena1 using ssh (current OpenSSH needs ssh-rsa re-enabled for RouterOS v6 host keys):

ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.1 -p2389

remove the default admin user (you are logged in as mynewuser, so the new account is proven to work first):

/user remove admin

upgrade anthena1 routeros to the latest version (installed on the reboot below):

/system package update download

reboot anthena1:

/system reboot

start eth0 configuration for subnet 192.168.88.0/24:

nmcli con up eth0-mikrotik-default

connect to anthena2 using winbox:

wine winbox64.exe

on winbox application look for anthena2 ip address:

192.168.88.3

on first login to anthena2 reset configuration:

remove this default configuration type "r" or hit any other key to continue

list the interfaces and their mac addresses on anthena2 (use the ether1 mac as admin-mac below):

/interface print

create bridge interface anthena2:

/interface bridge add admin-mac=CHANGEME auto-mac=no comment=defconf name=bridge

configure w60g interface anthena2:

/interface w60g set [ find ] disabled=no mode=station-bridge name=wlan60-1 password=CHANGEME ssid=CHANGEME

set the default wireless security profile on anthena2 (the 60 GHz link is protected by the w60g password above):

/interface wireless security-profiles set [ find default=yes ] supplicant-identity=MikroTik

add interfaces to bridge anthena2:

/interface bridge port
add bridge=bridge comment=defconf interface=ether1
add bridge=bridge comment=defconf interface=wlan60-1

set ip address to bridge interface anthena2:

/ip address add address=192.168.35.2/24 comment=defconf interface=bridge network=192.168.35.0

set gateway to anthena2:

/ip route add distance=1 gateway=192.168.35.100

set nameservers on anthena2:

/ip dns set servers=4.2.2.1,4.2.2.2

disable following services on anthena2:

/ip service
set telnet disabled=yes
set ftp disabled=yes
set www disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set winbox disabled=yes

change ssh port on anthena2:

/ip service set ssh port=2389

allow ssh only from 192.168.35.100:

/ip service set ssh address=192.168.35.100/32

configure timezone on anthena2:

/system clock set time-zone-name=America/Puerto_Rico

update clock with ntp on anthena2 (RouterOS v6 syntax; v7 uses servers= as in the initial setup):

/system ntp client set enabled=yes server-dns-names=us.pool.ntp.org

create another user with admin privileges:

/user add name=mynewuser password=mypassword group=full

start eth0 configuration for subnet 192.168.35.0/24:

nmcli con up eth0-mikrotik-anthena

connect to anthena2 using ssh (current OpenSSH needs ssh-rsa re-enabled for RouterOS v6 host keys):

ssh -oHostKeyAlgorithms=+ssh-rsa mynewuser@192.168.35.2 -p2389

remove the default admin user (you are logged in as mynewuser, so the new account is proven to work first):

/user remove admin

upgrade anthena2 routeros to the latest version (installed on the reboot below):

/system package update download

reboot anthena2:

/system reboot

wireguard

wireguard needs RouterOS v7; when this was written it was only available on the development channel (it is in the stable v7 releases now, so prefer stable if you can):

/system package update set channel=development

then download the latest update:

/system package update download

reboot the router:

/system reboot

add wireguard interface:

/interface/wireguard add name=wg0 mtu=1420

add wireguard peer using server information:

/interface/wireguard/peers add endpoint-address=12.34.56.78 endpoint-port=51820 persistent-keepalive=61 public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" allowed-address="10.10.10.0/24" interface=wg0

add ip address to interface:

/ip/address add address=10.10.10.3/24 network=10.10.10.0 interface=wg0

add the following peer on the server (PublicKey is the router's public key, shown on the wg0 interface after it was created; AllowedIPs is limited to the router's tunnel address):

[Peer]
PublicKey=pEU+xV6YeWOKT34iECYDPRW99oLZKYodkUtjdIV8CwI=
AllowedIPs=10.10.10.3/32

restart wireguard on server:

systemctl restart wg-quick@wg0.service
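The steps above bring the tunnel up but do not show how to read the router's public key for the server, how to reach anything beyond the tunnel subnet, or how to confirm that the handshake happened. The following added example, not from the original howto, covers that on the RouterOS side. It assumes the server at 12.34.56.78:51820 with tunnel address 10.10.10.1, this router at 10.10.10.3, and a remote lan 192.168.100.0/24 behind the server (the remote lan is an assumption for illustration); the LAN interface list is assumed to exist if the input chain drops non-lan traffic.

```routeros
# added example: wireguard client on RouterOS v7 with key hand-off, routing and checks
# assumptions: server 12.34.56.78:51820 with tunnel address 10.10.10.1,
# this router 10.10.10.3, remote lan 192.168.100.0/24 behind the server
/interface/wireguard add name=wg0 mtu=1420
# a key pair is generated on add; only the public half ever leaves the router
:put [/interface/wireguard get wg0 public-key]
# paste that value into the server's [Peer] PublicKey, then add the server here
/interface/wireguard/peers add interface=wg0 \
    endpoint-address=12.34.56.78 endpoint-port=51820 \
    public-key="75VNV7HqFh+3QIT5OHZkcjWfbjx8tc6Ck62gZJT/KRA=" \
    allowed-address=10.10.10.0/24,192.168.100.0/24 \
    persistent-keepalive=25s
/ip/address add address=10.10.10.3/24 interface=wg0
# unlike wg-quick, RouterOS does not turn allowed-address into routes
/ip/route add dst-address=192.168.100.0/24 gateway=wg0
# if the input chain drops non-lan traffic, treat the tunnel as lan (assumes a LAN list)
/interface/list/member add list=LAN interface=wg0

# verify: last-handshake should be seconds old and rx/tx should climb
/interface/wireguard/peers print detail
/ping 10.10.10.1 count=3
```

allowed-address is crypto-key routing on both ends: the server's [Peer] AllowedIPs for this router must list every source address the router will send from (10.10.10.3/32 as in the howto, plus 172.16.77.0/24 if lan hosts are to use the tunnel), otherwise the server silently drops those packets even though the handshake succeeds.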

references

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router