MKT RouterOS // Standard network setup

for home or small business network

tested on a casual RouterBOARD

Initialize

i didn’t manage to get a lease from the device on the 192.168.88.0 network so I had to do it the other way around.

to reset the configuration, setup a dhcp server

ifconfig eth0 10.1.1.254/24 up
systemctl restart isc-dhcp-server.service
mii-tool eth0

and proceed as follows

plug wire on some port ether1-5
press RESET button while power-plug
wait until the blinking stopped to release the button
it then reboots and gets a lease — look at the dhcp sever logs and see what IP the device obtained

now connect to the device first through the Web UI

ping 10.1.1.101
nmap -p 22,80 10.1.1.101 -Pn -T5
http://10.1.1.101/

and through SSH

ssh 10.1.1.101 -l admin

RouterOS upgrade

that’s easier from the WUI (webfig) than from the CLI/FTP

http://10.1.1.101/ --> check updates

then check after device reboot

/system resource
print

Standard setup

from the WUI (webfig)

quick set: CAP

dhcp source: ethernet
bridge all
hostname: rboard1

quick set: Home AP Dual

Wireless/
    SSID 2ghz SSID 5ghz
    choose country
    PSK/hide

Internet/Eth1
    **ENABLE DHCP**
    Firewall Router

Local Network
    192.168.100.1 / 255.255.255.0
    bridge all
    dhcp server
    dhcp range 192.168.100.100-192.168.100.199
    nat

(AT THIS POINT YOU LOOSE CONNECTION BECAUSE FIREWALL ENABLED)

plug ether1 to ISP’s media access device (assuming DHCP)

switch WLAN or plug another cable on ether2, disable your DHCP daemon and get a lease for yourself

systemctl stop isc-dhcp-server.service
systemctl disable isc-dhcp-server.service

and get a lease for yourself

wpa...
ip addr del 10.1.1.254/24 dev wlan0
dhclient -v wlan0
route add -net 192.168.100.0/24 dev wlan0

#dhclient -v eth0
#ip addr del 10.1.1.254/24 dev eth0
#route add -net 192.168.100.0/24 dev eth0

connect back to the Web UI

ping 192.168.100.1
nmap -p 22,80 192.168.100.1 -Pn -T5
http://192.168.100.1/

Additional CLI setup

time sync

define time zone

/system clock
print
set time-zone-name=Europe/Chisinau time-zone-autodetect=no

make sure dns is in place

/ip dns print
/ping md.pool.ntp.org

enable ntp client

/system ntp client
print
set server-dns-names=md.pool.ntp.org,ro.pool.ntp.org
set enabled=yes

dns

enable DNS caching

/ip dns
set allow-remote-requests=yes

and obtain a new lease to update your dns forwarder

dhclient -r wlan0
dhclient -v wlan0
resolvectl status

dhcp server

make the lease last longer

/ip dhcp-server
set 0 lease-time=3d

ssl & hardening

/certificate
print
add name=LocalCA common-name=LocalCA key-usage=key-cert-sign,crl-sign
sign LocalCA
add name=Webfig common-name=192.168.100.1
sign Webfig ca=LocalCA

beware the www-ssl service potentially conflicts with other services on 443

/interface sstp-client
print

therefore let’s setup www-ssl on an alternate port

/ip service
print detail
set www-ssl certificate=Webfig disabled=no port=8443 tls-version=only-1.2

also disable unused services from the internal network

/ip service
disable telnet
disable ftp
disable api
disable-api-ssl

poe

disable PoE

    /interface ethernet poe
    set ether5 poe-out=off

SNAT + routing

now imagine you also want to simply route packets without SNAT on ether5

remove ether5 from the LAN

    /interface bridge port
print
    disable 4

TODO - eventually make sure firewalling is enabled on the bridge

/interface bridge settings
print
set use-ip-firewall=yes

define an IP for routing

/ip address
    add address=x.x.x.x/xx interface=ether5

always allow ICMP

/ip firewall filter
print
chain=input action=accept protocol=icmp

prevent ether5 from reaching bridgeLocal addresses

/ip firewall address-list
add list=INTERNAL address=CIDR
add list=ROUTED address=CIDR

/ip firewall filter
add chain=input action=drop src-address-list=ROUTED dst-address-list=INTERNAL in-interface=ether5

restrict dynamic SNAT to the LAN subnet

/ip firewall nat
print
add chain=srcnat action=masquerade src-address=192.168.100.0/24 out-interface-list=WAN

listen ssh on wan

/ip service
set ssh port=2222

/ip firewall filter
add action=accept chain=input protocol=tcp dst-port=2222 comment="allow ssh publicly"

/user ssh-keys
import public-key-file=id_dsa.pub user=admin

keep password login as an option

/ip ssh
set always-allow-password-login=yes strong-crypto=yes

check

nmap -p 2222 SOMETHING.sn.mynetname.net

vi .ssh/config

host HOST
    hostname SOMETHING.sn.mynetname.net
    port 2222
    user admin
    identityfile /home/USER/.ssh/id_dsa
    PubkeyAcceptedKeyTypes +ssh-dss

ssh HOST

once everything is fine you can disable password-based login

/ip ssh
set always-allow-password-login=no

backup

/system backup save name=HOST.backup

TODO

all from the CLI (skip WebFig)
serial terminal

Resources

https://i.mt.lv/cdn/product_files/hAPac2-qg-v_190103.pdf

https://wiki.mikrotik.com/wiki/Manual:TOC

ПОДНИМАЕМ НА MIKROTIK OPENVPN СЕРВЕР https://adminway.ru/podnimaem-na-mikrotik-openvpn-server –> timezone

poe

https://wiki.mikrotik.com/wiki/Manual:PoE-Out#RouterOS_2

https://help.mikrotik.com/docs/display/ROS/PoE-Out

troubles

firewall forward drop rule not working between LAN IPs https://forum.mikrotik.com/viewtopic.php?t=141935