RouterOS Setup for Internet and Services

A while ago, I had a go at setting up a router using Linux. I used a Rock64 with a USB3 Gigabit NIC along with its built-in Gigabit NIC.

While it worked quite well for several months, the hardware was not quite up to the level of performance I would expect or use long term. Learning about setting up NAT, the firewall, the VPN and the other routing pieces definitely helped me tackle my next setup: RouterOS on a MikroTik CRS109-8G-1S-2HnD-IN.

There are numerous forum posts and wikis out there that describe how to set up the various parts; this post tries to consolidate them.

Goals

Like all of you, I just want reliable internet, especially over WiFi. I decided to get a solid router appliance rather than use the free one handed out by the ISP.

In addition to reliable internet, this post walks through:

  • Initial configuration and getting started
  • Configuring the router for services (HTTPS, SSH etc.) that I need to reach from the internet
  • Configuring an L2TP/IPsec VPN

Initial Configuration

https://wiki.mikrotik.com/wiki/Manual:Initial_Configuration

Reset the Device

https://wiki.mikrotik.com/wiki/Manual:Reset

If you're starting from scratch, it's a good idea to reset the entire config. Press and hold the reset button while powering the unit on; when the "USER" LED begins to flash, release the button to clear the config.


Connect to Device

Download the WinBox configuration tool (winbox64.exe). Check the MikroTik website to see what the default configuration is.


From that description, we need to connect our computer to one of the switched ports (2 to 8). As the router runs a DHCP server, we can leave our NIC set to DHCP. Connect to the router at 192.168.88.1 as the admin user; there is no password.

Don't be like me and plug it into port 1, then wonder why you cannot connect to the router.

Setup Credentials & Securing

The first thing you should do after logging in is to set a proper password.

System -> Users -> Password

It's also good practice to disable any router services you are not using, and to move SSH off the default port 22. I was getting login attempts from Russia only 5 minutes after plugging in! Moving the port only cuts down the noise; the real protection is restricting who can reach the management services at all (the address= option on each service, and the input chain of the firewall).

/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=2222
set api disabled=yes
set api-ssl disabled=yes
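As an added example (this is not the original post's configuration), here is the management hardening I would apply in the same session, in RouterOS CLI. It assumes the LAN is 192.168.88.0/24, that SSH has been moved to 2222 as above, and that the interface lists LAN and WAN from the default configuration exist; the password string and rule comments are placeholders of my own.

```routeros
# Added example (not from the original post): harden management access
# rather than only moving the SSH port.  Assumes LAN = 192.168.88.0/24,
# SSH already on 2222, and the defconf interface lists LAN / WAN.

# 1. The CLI equivalent of System -> Users -> Password.
/user set admin password="replace-with-a-long-random-passphrase"

# 2. Keep only the services you use, and bind the remaining ones to the
#    LAN subnet so they do not answer on the WAN address at all.
/ip service
set telnet disabled=yes
set ftp disabled=yes
set api disabled=yes
set api-ssl disabled=yes
set www address=192.168.88.0/24
set winbox address=192.168.88.0/24
set ssh port=2222 address=192.168.88.0/24

# 3. Stronger SSH key exchange and ciphers.
/ip ssh set strong-crypto=yes

# 4. MAC-Telnet, MAC-WinBox and neighbour discovery only on the LAN
#    (defconf sets these too; harmless to repeat).
/tool mac-server set allowed-interface-list=LAN
/tool mac-server mac-winbox set allowed-interface-list=LAN
/ip neighbor discovery-settings set discover-interface-list=LAN

# 5. Check what the input chain already does before adding rules: a
#    fresh defconf already contains essentially the rules below.
/ip firewall filter print where chain=input

# Add only if they are missing.  Order matters: established traffic
# first, invalid dropped, then new connections accepted from LAN only.
/ip firewall filter
add chain=input action=accept connection-state=established,related,untracked comment="accept established"
add chain=input action=drop connection-state=invalid comment="drop invalid"
add chain=input action=accept protocol=icmp comment="allow ping"
add chain=input action=drop in-interface-list=!LAN comment="drop everything not from LAN"
```

Two things to keep in mind: if you change the address= list of the service you are currently connected over, the session you are in is the one that gets cut, so do this from a LAN session or in Safe Mode (Ctrl-X in the terminal) so a lockout reverts automatically. And when the L2TP/IPsec VPN is added later, the VPN clients' address range has to be added to those address= lists (or their interface placed in the LAN list), or you will not be able to manage the router over the VPN.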

Setup Public IP

A note about VLANs: in New Zealand, most ISPs deliver internet on VLAN 10. Set up VLAN 10 on port 1 (ether1) with:

> interface vlan add name=vlan10 vlan-id=10 interface=ether1

Attach your WAN cable to port 1. Hopefully your ISP runs a DHCP server; if not, go to IP -> Addresses and add a static IP on vlan10.

https://wiki.mikrotik.com/wiki/Manual:Initial_Configuration#DHCP_Client
> ip dhcp-client add interface=vlan10 use-peer-dns=yes use-peer-ntp=yes add-default-route=yes
> ip dhcp-client print

We should now see a public IP assigned to us by the ISP, with the client status showing bound.

Setup Local DHCP server

This should be set up by default, but to set it up again…

Add a pool of IPs for the DHCP server to use.

ip pool add ranges=192.168.88.100-192.168.88.254 name=dhcp

Set up the actual DHCP server on the bridge interface (the wireless LAN and ether2-8 are bridge ports):

/ip dhcp-server
add address-pool=dhcp authoritative=yes disabled=no interface=bridge
/ip dhcp-server config
set accounting=yes interim-update=0s store-leases-disk=5m
/ip dhcp-server network
add address=192.168.88.0/24 comment=defconf gateway=192.168.88.1

This DHCP server will hand clients the router IP (192.168.88.1) as their gateway.
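One thing worth doing at this stage, as an added example that is not part of the original post: pin the address of the machine that the port forward later in this post will point at, so a lease renewal can never move it. It assumes the pool above (dynamic range .100 to .254, so .3 sits outside it); the MAC address and the host name "gitlab" are constructed placeholders.

```routeros
# Added example (not from the original post): give the server that the
# port-forward will target a fixed address.  The MAC address is a
# constructed placeholder; take the real one from the lease table.
# Assumes the pool 192.168.88.100-254 from above, so .3 is never handed
# out dynamically.

# Find the machine's current dynamic lease (MAC, address, host name).
/ip dhcp-server lease print where host-name~"gitlab"

# Either freeze the lease it already has ...
/ip dhcp-server lease make-static [find host-name~"gitlab"]

# ... or declare it outright with the address the NAT rules will use.
/ip dhcp-server lease add address=192.168.88.3 \
    mac-address=00:11:22:33:44:55 comment="gitlab server"

# Hand out the router as DNS as well, so clients resolve through it.
# allow-remote-requests makes the router answer DNS on every interface,
# so the input chain MUST drop UDP/TCP 53 from WAN (defconf's
# "drop all not coming from LAN" rule does) or you run an open resolver.
/ip dhcp-server network set [find address=192.168.88.0/24] dns-server=192.168.88.1
/ip dns set allow-remote-requests=yes

# Check the result.
/ip dhcp-server lease print where dynamic=no
```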

Firewall and NAT Setup

https://wiki.mikrotik.com/wiki/NAT_Tutorial

You will now want your local PCs to reach the web; for that you need NAT.

Assign vlan10 to the interface list 'WAN' and the bridge interface to 'LAN':

/interface list member
add comment=defconf interface=bridge list=LAN
add comment=defconf interface=vlan10 list=WAN

Set up a srcnat rule that masquerades everything leaving via the WAN:

/ip firewall nat
add action=masquerade chain=srcnat comment="defconf: masquerade" \
ipsec-policy=out,none out-interface-list=WAN

Services Setup

https://wiki.mikrotik.com/wiki/Hairpin_NAT

Let's say you have a GitLab server that uses HTTP 80, HTTPS 443 and SSH 22 on the computer 192.168.88.3.

You will notice that the default firewall rules have "defconf: drop all from WAN not DSTNATed". This means the firewall drops every new connection coming in from the WAN that has not been port forwarded. Note that it is a filter rule in the forward chain, not a NAT rule:

/ip firewall filter
add action=drop chain=forward comment=\
"defconf: drop all from WAN not DSTNATed" connection-nat-state=!dstnat \
connection-state=new in-interface-list=WAN

We need to port forward these ports so that clients on the WAN can initiate new connections. First set up an address list called "WAN IP" that contains your WAN IP:

/ip firewall address-list
add address=<public wan ip, or myserial.sn.mynetname.net> list="WAN IP"

If you have a dynamic public IP, you can use the MikroTik IP Cloud service to get a DDNS name. It is free and has the form myserial.sn.mynetname.net (the router's serial number in place of myserial). Enable it, then add the dst-nat rule:

/ip cloud
set ddns-enabled=yes
/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list="WAN IP" dst-address-type=\
local dst-port=80,443,22 protocol=tcp to-addresses=192.168.88.3

Access Services Locally

After setting this up, you should be able to access the services via the public WAN IP, but not from inside the LAN… how annoying! The reason: a LAN client sends to the public IP, the router dst-nats it to 192.168.88.3, but the server sees a source address on its own subnet and replies to the client directly. The client expected the reply from the public IP and discards it.

To fix this, add a hairpin NAT rule: any LAN traffic that reaches 192.168.88.3 through the router (i.e. after it has been dst-natted) is src-nat masqueraded, so the server replies to the router and the router rewrites the reply back to the public address the client is expecting.

/ip firewall nat
add action=masquerade chain=srcnat comment=Hairpin dst-address=192.168.88.0/24 \
protocol=tcp src-address=192.168.88.0/24

An alternative solution:

https://forum.mikrotik.com/viewtopic.php?t=107851

They had a dst-nat rule like this (the thread shows it as a screenshot), matching on dst-address!=<router local ip> and dst-address-type=local.

I don't particularly like this solution because of the dst-address!=<router local ip> and dst-address-type=local matchers.

Those matchers are needed so that port 80 internally can still be used to reach the router's WebFig interface; otherwise ALL traffic on port 80, whether external or internal, would be sent to our local server.

We get around this (as above) by adding the dst-address-list="WAN IP" parameter. This means only traffic addressed to the public IP on those ports is dst-nat'ed to our 192.168.88.3 server; traffic to the router's LAN address (192.168.88.1) is unaffected, and LAN clients that use the public name still get forwarded, which is what the hairpin rule relies on.

/ip firewall nat
add action=dst-nat chain=dstnat dst-address-list="WAN IP" dst-address-type=\
local dst-port=80,443,22 protocol=tcp to-addresses=192.168.88.3

Additional Notes

Ensure that the hairpin rule sits above the general masquerade rule in the srcnat chain. The dst-nat rule lives in the separate dstnat chain, which RouterOS evaluates before srcnat regardless of where it appears in the listing, so its position relative to the other two does not matter. Strictly, the defconf masquerade only matches out-interface-list=WAN, so hairpin traffic leaving via the bridge would fall through it anyway, but keeping the specific rule first is the safe convention.
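To pull the rules from the last three sections together, here is the complete NAT table as I would enter it on a fresh default configuration, as an added example rather than the post's own config. It assumes the same values as the post (GitLab host 192.168.88.3, LAN 192.168.88.0/24, IP Cloud name myserial.sn.mynetname.net) and narrows the hairpin rule to the server address, which is my choice, not the author's; the rule comments are mine as well.

```routeros
# Added example (not from the original post): port-forward + hairpin NAT
# as one ordered ruleset.  Assumes GitLab host 192.168.88.3, LAN
# 192.168.88.0/24, and the IP Cloud DDNS name from above.

/ip firewall address-list
add list="WAN IP" address=myserial.sn.mynetname.net comment="public IP (DDNS)"

/ip firewall nat
# dstnat chain: only packets whose destination is one of the router's own
# addresses (dst-address-type=local) AND is in "WAN IP" get forwarded, so
# port 80 on 192.168.88.1 still reaches WebFig from the LAN.
add chain=dstnat action=dst-nat protocol=tcp dst-port=80,443,22 \
    dst-address-list="WAN IP" dst-address-type=local \
    to-addresses=192.168.88.3 comment="gitlab: http/https/ssh"

# srcnat chain, hairpin: LAN clients that hit the public IP have already
# been dst-natted to the server by the time srcnat runs.  Masquerade them
# so the server's reply goes back via the router instead of straight to
# the client (which would drop it as coming from the wrong address).
# Narrowed to the server only, rather than the whole /24 as in the post.
add chain=srcnat action=masquerade protocol=tcp \
    src-address=192.168.88.0/24 dst-address=192.168.88.3 \
    comment="hairpin: LAN -> public IP -> gitlab"

# srcnat chain, the normal masquerade out to the internet.  This already
# exists as "defconf: masquerade" after a reset; shown for completeness.
add chain=srcnat action=masquerade out-interface-list=WAN \
    ipsec-policy=out,none comment="defconf: masquerade"

# Put the hairpin rule at the top of the table so it is evaluated before
# the general masquerade.
move [find comment="hairpin: LAN -> public IP -> gitlab"] 0

# Verify: from a LAN client open https://myserial.sn.mynetname.net, then
# check that both the dst-nat and hairpin counters moved and that the
# tracked connection's reply side is the server.
/ip firewall nat print stats
/ip firewall connection print where reply-src-address~"192.168.88.3"
```

One consequence of hairpin masquerade to be aware of: GitLab's own logs will record every internal client as 192.168.88.1, since the router is now the source it sees. If you need real client addresses internally (audit logs, fail2ban-style blocking on the server), the alternative is split-horizon DNS, a static entry in /ip dns for the public name pointing at 192.168.88.3, so LAN clients never go through the router at all. The forwarded SSH on port 22 does not collide with the router's own SSH because that was moved to 2222 earlier; if you ever put it back on 22, the dst-nat rule will take precedence for the public address.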
