So who is MikroTik and what is a Routerboard?
Well, MikroTik are a Latvian-based manufacturer who produce networking equipment, namely wireless and router products, and one particular product we have been toying with is the Routerboard RB2011UAS-RM, a 1U rack-mountable device with an LCD touchscreen which typically sells for around the £100* price mark. LinITX are not only MikroTik Certified Consultants but also sell an entire array of MikroTik products via their website. We contacted LinITX due to previously ordering M0n0wall/pfSense based firewall devices from them, which until now have served us and our clients very well for many years; however, since FTTC (Fibre to the Cabinet) has become more prevalent, the throughput on these devices struggles without expensive hardware.
The Routerboard operating system (RouterOS) is based upon the Linux kernel. It runs on these devices, or can be run on x86 hardware, to provide a powerful network router implementing many of the features needed, such as DNS, DHCP, firewalling, VPN, bandwidth shaping/control and wireless hotspot/captive portal, to name but a few. Depending on your requirements, various models and OS licence levels are available; our device came pre-loaded with RouterOS Level 5, ready to go out of the box.
Routerboards can be configured in several ways depending on what you prefer:
- WebFig - This is a web-based utility which provides access to the router to perform tasks such as monitoring, configuration and troubleshooting. WebFig is an alternative to WinBox and is accessible on the router's IP address.
- WinBox - A Win32 utility which again allows administration of the router, but from a Windows environment. It is possible to run WinBox under Linux and Mac OS X using Wine. WinBox can be downloaded from here
- CLI - It is also possible to use the Command Line Interface to access and configure the router via Telnet, SSH, the WinBox Terminal or a serial cable (provided the device has a serial connection).
Basic Setup
The most recent version of RouterOS (v6) includes a QuickSet option which helps most users quickly set the Routerboard's IP address, NAT, WAN IP and DHCP server. Depending on what you are connecting to (in our case a PPPoE connection), once you have applied the QuickSet options you should have a basic working router config.
If you have not done so already, change the admin password! System->Password.
Top Tip: Something you will find extremely important as you set up, modify or test rules is 'Safe Mode'. I cannot stress this enough - at some point something you do or add will cause you to lose connection with your RB device. Safe Mode holds off committing your changes, so a simple reboot of the RB will undo them and place you back where you were before the lock-out. Safe Mode is your best friend here.
The next step is to set the clock; this way any logs will show the correct time/date, which is useful when tracking down changes. To do this select System->Clock and select the Manual Time Zone tab. Here you can enter the time zone and any DST settings that are required. To set the time you can select the Time tab and enter it manually, however it is generally better to sync with an NTP server. To do this select System->NTP Client, set the required NTP servers (primary/secondary) and the correct mode (i.e. unicast), then select the Enable tick box. If you have not yet set the time manually, the RB should now automatically set the time from your preferred NTP server.
If you have not done so already it would be good to set a name for your RB device using System->Identity - this will help if you manage multiple devices in your organisation. If you are the sole admin of the RB you may not need to allow other users access, however you may need to set up other users with varying levels of permissions. This can be done via the System->Users menu option, where you can add other users, assign groups, etc. At any time you can back up the config of your RB device by selecting Files and pressing Backup (likewise you can restore here too), or if you prefer the Terminal/CLI you can enter
/system backup save name={filename here}
If you have multiple public-facing IP addresses you may want to add these using IP->Addresses; here you can add, for example, a /29 subnet or single IPs from the range. Again this can be performed on the CLI/Terminal by using the ip address add command. So now that the RB has the correct time/date, identity and users, and you have found the benefit of Safe Mode ;) what's next?
Packet Filtering
Setting some basic filtering will help protect the router; opening a Terminal and copying/pasting the following is the quickest way to do this. It is possible to do this via IP->Firewall->Filter Rules, but here the Terminal wins hands down.
/ip firewall filter
add chain=input connection-state=established comment="Accept established connections"
add chain=input connection-state=related comment="Accept related connections"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=udp action=accept comment="UDP" disabled=no
add chain=input protocol=icmp limit=50/5s,2 comment="Allow limited pings"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
add chain=input protocol=tcp dst-port=22 comment="SSH for secure shell"
add chain=input protocol=tcp dst-port=8291 comment="winbox"
# Edit these rules to reflect your actual IP addresses! #
add chain=input src-address=159.148.172.192/28 comment="From Mikrotikls network"
add chain=input src-address=10.0.0.0/8 comment="From our private LAN"
# End of Edit #
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"
All packets with a destination of the router itself hit the input chain and are subject to these rules; packets being forwarded through the router are unaffected by the input chain. It is also quite likely you will need to add some NAT rules to allow traffic to devices on your LAN. In this example, forwarding port 80 to an internal IP of 192.168.0.1 could look like this (via CLI):
/ip firewall nat add chain=dstnat dst-port=80 action=dst-nat protocol=tcp to-address=192.168.0.1 to-port=80
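As an added example (not part of the original post), here is a tighter version of the input chain and NAT rule above: it replaces the rule that accepts all UDP to the router with just the DNS/DHCP the LAN needs, limits SSH/WinBox to a management address list rather than the whole internet, and scopes the port forward to the WAN interface, since without in-interface or dst-address the dst-nat rule above also matches LAN clients' outbound port-80 traffic and sends it to 192.168.0.1. The interface names ether1-gateway and bridge-local are assumptions matching the RouterOS v6 default config; rename them to match your device.

```routeros
# Added example, not from the original post. Assumes the v6 default interface
# names ether1-gateway (WAN) and bridge-local (LAN); adjust to your device.
# Paste into a Safe Mode terminal (Ctrl-X in the WinBox Terminal) so a mistake
# that locks you out is rolled back automatically.
/ip firewall address-list
add list=management address=10.0.0.0/8 comment="Our private LAN (edit me)"

/ip firewall filter
add chain=input connection-state=established,related action=accept comment="Accept established/related"
add chain=input connection-state=invalid action=drop comment="Drop invalid connections"
add chain=input protocol=icmp limit=50/5s,2:packet action=accept comment="Allow limited pings (v6 limit syntax)"
add chain=input protocol=icmp action=drop comment="Drop excess pings"
# Management only from the address list, never from any source address
add chain=input protocol=tcp dst-port=22,8291 src-address-list=management action=accept comment="SSH/WinBox from management hosts"
# Instead of accepting all UDP, accept only the services the LAN needs from the router
add chain=input in-interface=bridge-local protocol=udp dst-port=53,67 action=accept comment="DNS and DHCP from LAN"
add chain=input in-interface=bridge-local protocol=tcp dst-port=53 action=accept comment="DNS over TCP from LAN"
add chain=input action=log log-prefix="DROP INPUT" comment="Log everything else"
add chain=input action=drop comment="Drop everything else"

# Only forward port 80 that arrives on the WAN interface; without in-interface the
# rule would also catch LAN clients' outbound web traffic and redirect it to 192.168.0.1
/ip firewall nat
add chain=dstnat in-interface=ether1-gateway protocol=tcp dst-port=80 action=dst-nat to-addresses=192.168.0.1 to-ports=80 comment="Web server forward from WAN"

# Switch off router services you are not using so they never listen, and bind the
# rest to the management range as a second layer behind the filter rules
/ip service
disable telnet
disable ftp
disable www
set ssh address=10.0.0.0/8
set winbox address=10.0.0.0/8
```

Check the result with /ip firewall filter print and /log print after pasting, and watch the DROP INPUT log entries for anything legitimate you have cut off before leaving Safe Mode.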
Now that you have a very basic router setup, some input filtering and basic NAT rules, the world is your oyster. MikroTik RouterOS performs many features and complex tasks which I have not even begun to explore here. There are many useful videos, guides and user-submitted scripts covering most topics. I have listed here some links which you may find useful when installing/configuring your new Routerboard device.
- MikroTik Wiki - a good place for all things MikroTik/Routerboard.
- Greg Sowell Consulting - useful collection of configuration videos to help get you started.
- Chat to other users on irc #routerboard at irc.z.je
*Price quoted inc V.A.T correct as of 03/04/2014