Basic Guidelines on RouterOS Configuration and Debugging: Martins Strods, MikroTik, Latvia
Martins Strods
MikroTik, Latvia
Simple security
● Disable unused packages (mainly IPv6)
/system package disable hotspot,ipv6,mpls,ppp,routing
● Disable IP/Services
/ip service disable api,api-ssl,ftp,www-ssl
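The slide only switches services off. An added example (not from the slides) that goes one step further: the services that stay enabled are restricted to the LAN, so they no longer answer on the WAN side at all. The LAN subnet 192.168.88.0/24 and the choice to disable telnet are assumptions.

```routeros
# Added example: restrict the management services that stay enabled to the LAN.
# Assumptions (not from the slides): LAN subnet 192.168.88.0/24, management only from LAN.
/ip service
# The slide disables api, api-ssl, ftp and www-ssl; telnet is cleartext, so disable it
# as well if nothing depends on it (the brute-force rules later in the deck match port 23).
set telnet disabled=yes
# Services that remain enabled answer only to the listed source addresses
# (comma-separated addresses or subnets); anything else gets no TCP handshake.
set ssh address=192.168.88.0/24
set winbox address=192.168.88.0/24
set www address=192.168.88.0/24
# Check the result: only ssh, winbox and www should be enabled, each with an address column.
print
```

Keep an active WinBox or SSH session from the LAN open while applying this, so a typo in the address does not lock you out.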
● Adjust MAC access
/tool mac-server set [ find default=yes ] disabled=yes
/tool mac-server add interface=bridge
/tool mac-server mac-winbox set [ find default=yes ] disabled=yes
/tool mac-server mac-winbox add interface=bridge
● Hide device in Neighbor Discovery
/ip neighbor discovery set ether1 discover=no
● Disable the serial port if it is not used (and if the board has one)
/system console disable [find where port=serial0]
● Disable LCD
/lcd set enabled=no
/lcd set touch-screen=disabled
● Protect reset button
/system routerboard settings set protected-routerboot=enabled reformat-hold-button=30s
Caveat: with protected-routerboot enabled, the reset button and Netinstall are disabled; the only way back is holding the button at power-on for the reformat-hold-button time, which erases the device.
https://wiki.mikrotik.com/wiki/Manual:RouterBOARD_settings#Protected_bootloader
Firewall
Two approaches
● Drop untrusted traffic and allow the rest
● Allow trusted traffic and drop the rest
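An added example (not from the slides) of both approaches applied to the input chain, the traffic addressed to the router itself. The second approach is shown in full because it is the safer default: a service you forgot about is still unreachable. Interface names ether1 (WAN) and bridge (LAN) are assumptions.

```routeros
# Added example, not from the slides. Assumed interface names: ether1 = WAN, bridge = LAN.
/ip firewall filter

# Approach 2: allow trusted, drop the rest (default deny). Rules are evaluated top to
# bottom and the first match wins, so order matters.
add chain=input action=accept connection-state=established,related comment="replies to flows the router already knows"
add chain=input action=drop connection-state=invalid comment="packets that fit no tracked connection"
add chain=input action=accept in-interface=bridge comment="trusted: whole LAN side"
add chain=input action=accept protocol=icmp in-interface=ether1 comment="ping / path MTU from WAN"
add chain=input action=drop comment="everything else, incl. all new connections from ether1"

# Approach 1 (drop untrusted, allow the rest) would instead look like this: only known
# bad traffic is matched and anything not matched reaches the router. Shown commented
# out; do not load both sets into one chain.
# add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=8291 comment="no WinBox from WAN"
# add chain=input action=drop in-interface=ether1 protocol=tcp dst-port=22 comment="no SSH from WAN"
# (no final drop rule: every other port stays reachable from ether1)

# Verify from the LAN side before closing your session, then look at which rules match:
print stats where chain=input
```

If a rule is not doing what you expect, the counters in `print stats` tell you which earlier rule took the packet first.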
● Masquerade (src-nat)
https://wiki.mikrotik.com/wiki/Manual:IP/Firewall/NAT#Masquerade
● Packet flow
https://wiki.mikrotik.com/wiki/Manual:Packet_Flow_v6
● NAT to LAN
/ip firewall nat add chain=dstnat in-interface=ether1 protocol=tcp dst-port=22 action=dst-nat dst-address=172.16.1.243 to-address=192.168.88.23
Note: in order to make port forwarding work you have to:
- Have dst-nat
- Have src-nat
- Accept the traffic in the forward chain (example in previous slides)
● Hairpin NAT (access a local resource through the public IP)
https://wiki.mikrotik.com/wiki/Hairpin_NAT
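The three prerequisites from the NAT slide and the hairpin case from this one, worked through as one added example (not from the slides). It reuses the slide's addresses (public 172.16.1.243 on ether1, SSH server 192.168.88.23); the LAN subnet 192.168.88.0/24 and the LAN interface name bridge are assumptions.

```routeros
# Added example, not from the slides. Complete port forward for the slide's case:
# ether1 = WAN holding 172.16.1.243, LAN 192.168.88.0/24 behind interface "bridge"
# (assumed), SSH server at 192.168.88.23.
/ip firewall nat
# 1) dst-nat: rewrite the destination of inbound TCP/22 aimed at the public address.
#    Matching on dst-address instead of in-interface lets LAN clients hit the public
#    IP as well, which the hairpin rule below relies on.
add chain=dstnat dst-address=172.16.1.243 protocol=tcp dst-port=22 action=dst-nat to-addresses=192.168.88.23 comment="ssh forward"
# 2) src-nat: LAN hosts leave through ether1 with the router's public address.
add chain=srcnat out-interface=ether1 action=masquerade comment="default masquerade"
# 3) Hairpin: LAN client -> public IP -> LAN server. Without this the server sees the
#    client's LAN address, answers it directly, and the client drops the unexpected reply.
add chain=srcnat src-address=192.168.88.0/24 dst-address=192.168.88.23 protocol=tcp dst-port=22 out-interface=bridge action=masquerade comment="hairpin ssh"

# 4) The forward chain must accept the translated traffic. "add" appends at the end of
#    the chain; if the chain ends in a drop rule, move this rule above it.
/ip firewall filter
add chain=forward action=accept connection-nat-state=dstnat in-interface=ether1 comment="allow port-forwarded traffic"

# Check: the counters of the dstnat rule grow while you connect to 172.16.1.243:22.
/ip firewall nat print stats
```

Keep the forward accept as narrow as shown (only connections that actually went through dst-nat) rather than accepting everything from ether1, so the port forward does not become a hole in the forward chain.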
● Block specific traffic
/ip firewall address-list add list=blocked address=www.facebook.com
/ip firewall filter add chain=forward action=drop dst-address-list=blocked out-interface=ether1
● Protect the device against attacks if you allow particular access
/ip firewall filter
# Rule order matters: the drop rule stays first, the stage rules follow in descending order.
# As written the rules match dst-port=23 (telnet) although the lists are named ssh_*;
# use the port of the service you actually expose.
add chain=input protocol=tcp dst-port=23 src-address-list=ssh_blacklist action=drop
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=ssh_stage2 action=add-src-to-address-list address-list=ssh_blacklist address-list-timeout=10d
add chain=input protocol=tcp dst-port=23 connection-state=new src-address-list=ssh_stage1 action=add-src-to-address-list address-list=ssh_stage2 address-list-timeout=1m
add chain=input protocol=tcp dst-port=23 connection-state=new action=add-src-to-address-list address-list=ssh_stage1 address-list-timeout=1m
https://wiki.mikrotik.com/wiki/Bruteforce_login_prevention
Handle bandwidth
FastTrack
● Remember this rule?
/ip firewall filter
add chain=forward action=accept connection-state=established,related
● Add the FastTrack rule before the previous one
/ip firewall filter
add chain=forward action=fasttrack-connection connection-state=established,related
https://wiki.mikrotik.com/index.php?title=Manual:IP/Fasttrack&redirect=no
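An added example (not from the slides) showing the FastTrack rule in its place in a complete forward chain, together with the caveat the slide does not spell out: fast-pathed packets skip the rest of the firewall, mangle and the simple queues of the next slides. The address list name shaped and the interface names are assumptions.

```routeros
# Added example, not from the slides. Forward chain with FastTrack placed correctly,
# plus an exclusion for hosts whose traffic must keep going through simple queues.
# Assumptions: address list "shaped" holds the hosts you still want to queue or inspect;
# ether1 = WAN, bridge = LAN; the rules below are the whole forward chain.
/ip firewall filter
add chain=forward action=drop connection-state=invalid
# fasttrack-connection marks established/related connections for the fast path. Packets
# on the fast path skip the remaining filter rules, mangle and simple queues, so keep
# anything you still need to shape or inspect out of it.
add chain=forward action=fasttrack-connection connection-state=established,related src-address-list=!shaped dst-address-list=!shaped comment="fast path for unshaped hosts"
# The "remember this rule?" accept stays directly below: fasttrack-connection only marks
# the connection, the packet that triggered the mark is still handled by the rules below.
add chain=forward action=accept connection-state=established,related
add chain=forward action=accept in-interface=bridge comment="new connections from LAN"
add chain=forward action=drop comment="everything else, incl. new connections from ether1"

# If the accept rule already exists, insert the FastTrack rule above it instead of
# appending (place-before takes the number of an existing rule):
# add chain=forward action=fasttrack-connection connection-state=established,related place-before=[find chain=forward action=accept connection-state=established,related]

# Verify: the fasttrack rule's counters grow in "print stats", and fast-pathed
# connections carry the F flag in the connection table.
print stats where chain=forward
/ip firewall connection print
```

If a queue on the next slide seems to have no effect, the first thing to check is whether that host's traffic is being fast-tracked past it.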
Queues
● Add queues to limit traffic for specific resources
/queue simple add name=private target=192.168.88.243 max-limit=5M/5M
● Add queues to limit traffic equally (PCQ)
# RouterOS v6 syntax uses target= (target-addresses= was the v5 name of the same parameter)
/queue simple add target=192.168.88.0/24 queue=pcq-upload-default/pcq-download-default
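An added example (not from the slides) that generalises the PCQ slide: custom PCQ queue types with a per-host cap, the subnet-wide total, and a per-host queue placed above it. The LAN subnet, the uplink figures (20M up / 50M down) and the queue names are assumptions.

```routeros
# Added example, not from the slides. Per-host fair sharing with custom PCQ types
# instead of the built-in pcq-upload-default/pcq-download-default, which carry no
# per-stream rate. Assumptions: LAN 192.168.88.0/24, 20M up / 50M down uplink.
/queue type
# Upload: one sub-queue per source address, each capped at 2M; download: one per
# destination address, capped at 5M. pcq-rate=0 would mean "no cap, only fair sharing".
add name=pcq-up-2M kind=pcq pcq-rate=2M pcq-classifier=src-address
add name=pcq-down-5M kind=pcq pcq-rate=5M pcq-classifier=dst-address
/queue simple
# max-limit is the total for the whole subnet; PCQ splits it equally between the active
# hosts, and no single host can take more than its pcq-rate. One busy host can
# therefore no longer starve the rest of the LAN.
add name=lan-fair target=192.168.88.0/24 queue=pcq-up-2M/pcq-down-5M max-limit=20M/50M
# A host that needs its own cap gets a separate queue placed above the subnet queue
# (simple queues are matched top to bottom, first match wins).
add name=private target=192.168.88.243 max-limit=5M/5M place-before=[find name=lan-fair]
# Watch the result while generating traffic; remember that fast-tracked connections
# (previous slide) bypass these queues entirely.
print stats
```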
Debugging tools
● Logging
https://wiki.mikrotik.com/wiki/Manual:System/Log
● Torch
Analyse traffic passing through an interface in real time
https://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools#Torch_.28.2Ftool_torch.29
● Sniffer
Capture and analyse individual packets
https://wiki.mikrotik.com/wiki/Manual:Troubleshooting_tools#Packet_Sniffer_.28.2Ftool_sniffer.29
● Profiler
Find out current CPU usage
https://wiki.mikrotik.com/wiki/Manual:Tools/Profiler
● Graphing
Find out information about interfaces/queues/resources per interval:
https://wiki.mikrotik.com/wiki/Manual:Tools/Graphing
● The Dude
Powerful network monitoring tool:
https://wiki.mikrotik.com/wiki/Manual:The_Dude
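An added example (not from the slides) that puts three of the tools above to work on the port forward from the firewall slides: a tagged firewall log, a sniffer capture scoped to one flow, and a torch session. Addresses, interface names and file names are assumptions.

```routeros
# Added example, not from the slides. Three quick checks for a forwarded service
# (SSH to 192.168.88.23 behind ether1; addresses and interface names assumed).

# 1) Logging: a temporary rule at the top of the input chain records new connections
#    arriving on the WAN side, tagged with a prefix you can filter on later.
/ip firewall filter add chain=input in-interface=ether1 connection-state=new action=log log-prefix="WAN-NEW:" place-before=0 comment="diag: remove when done"
/system logging add topics=firewall action=memory
/log print where message~"WAN-NEW"
# Remove the diagnostic rule afterwards; a log rule at the top of the chain is not
# something to leave behind on a busy WAN port.
/ip firewall filter remove [find comment="diag: remove when done"]

# 2) Sniffer: capture only the forwarded flow to a file you can open in Wireshark.
/tool sniffer set filter-ip-address=192.168.88.23/32 filter-port=22 file-name=ssh-fwd.pcap file-limit=1000
/tool sniffer start
# ... reproduce the problem, then:
/tool sniffer stop
/file print where name=ssh-fwd.pcap

# 3) Torch: live view of which hosts and ports are taking bandwidth on an interface.
/tool torch ether1 port=any ip-protocol=any src-address=0.0.0.0/0 dst-address=0.0.0.0/0
```

The sniffer file shows you whether the SYN reached the router and whether a translated packet left towards the LAN; the log tells you whether the firewall saw the connection at all.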
Keep features and fixes up-to-date
Upgrade device
● Release candidate
The most up-to-date version (only lightly tested) with all possible features (some half-implemented) and fixes
● Current
Latest full release (tested in many different scenarios over a long time) with all fully implemented features
● Bugfix
Latest full release (tested in many different scenarios over a long time and considered trustworthy) with only safe fixes
https://wiki.mikrotik.com/wiki/Manual:Upgrading_RouterOS
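An added example (not from the slides) of an upgrade from the CLI on one of the channels above, with a recovery point taken first so the "software stops working" case on the next slide has something to fall back on. RouterOS 6.x syntax and Internet access from the router are assumptions.

```routeros
# Added example, not from the slides. Upgrade from the CLI with a recovery point first.
# Assumes RouterOS 6.x syntax and a device that can reach the MikroTik download servers.

# 1) Recovery point: a binary backup (restorable on the same model) plus a readable
#    export you can diff or reapply by hand.
/system backup save name=pre-upgrade
/export file=pre-upgrade
# Copy both files off the router (Files/WinBox) before continuing.

# 2) Pick the channel from the slide: bugfix (safest), current, or release-candidate.
/system package update set channel=current
/system package update check-for-updates
/system package update print

# 3) Download and reboot; the new packages are applied during boot.
/system package update download
/system reboot

# 4) After RouterOS is up again, also upgrade the bootloader (RouterBOOT); it is
#    staged now and applied on the next reboot.
/system routerboard print
/system routerboard upgrade
/system reboot
```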
What to do when software stops working?
Resolve problems
● Backup RouterBOOT
1) Power the device off, press and hold the reset button
2) Power the device on and release the button after 1-2 seconds
● Netinstall
1) Test Netinstall
https://wiki.mikrotik.com/wiki/Manual:Netinstall