Mikrotik

  • MikroTik Broadband (NZ UFB) Setup

    /interface ethernet set [find default-name=ether1] name=ether1-wan
    /interface vlan add interface=ether1-wan name="Broadband UFB" vlan-id=10
    /ppp profile add change-tcp-mss=yes name=ppp-wan
    /interface pppoe-client add add-default-route=yes disabled=no interface="Broadband UFB" keepalive-timeout=disabled name=pppoe-wan password=ISP_USER_PASSWD profile=ppp-wan use-peer-dns=yes user=ISP_USER_LOGON
    /ip firewall service-port set h323 disabled=yes
    /ip firewall service-port set sip disabled=yes
    /ip dhcp-client disable 0
     
    Please Note: The last command above (/ip dhcp-client disable 0) is VERY important.
  • Mikrotik Fasttrack AND L2TP VPN

    It is possible to have Fasttrack AND an L2TP VPN set up without the VPN feeling 'sluggish':
    First off we 'mark' the IPsec connections for identification:
    /ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=out,ipsec new-connection-mark=ipsec
    /ip firewall mangle add action=mark-connection chain=forward comment="mark ipsec connections to exclude them from fasttrack" ipsec-policy=in,ipsec new-connection-mark=ipsec

    Then we add a fasttrack rule to fasttrack all connections EXCEPT those marked by the mangle commands above:
    /ip firewall filter add action=fasttrack-connection chain=forward comment="Fast Track everything except IPSEC" connection-mark=!ipsec connection-state=established,related

    Move this rule to just below where the factory/original fasttrack rule is and disable/delete that original rule.
     
     
  • MikroTik GRE Tunnel

    A GRE Tunnel is a very quick and easy way to set up an (optionally encrypted) tunnel between 2 endpoints whose WAN IP Addresses are known and static. The GRE tunnel does NOT work with dynamic IP addresses.
     
    Setup the following on both endpoints, swapping remote and local where applicable.
    /interface gre add allow-fast-path=no comment="Site 2 Site Network" ipsec-secret="VERY_STRONG_PASSWORD" keepalive=5s,5 local-address=LOCAL_WAN_IP_ADDRESS name=gre-tunnel-location1 remote-address=REMOTE_WAN_IP_ADDRESS
    /ip address add address=GRE_INTERFACE_IP_ADDRESS interface=gre-tunnel-location1
    /ip route add distance=1 dst-address=REMOTE_LAN_IP_SUBNET gateway=gre-tunnel-location1
    /ip route add distance=1 dst-address=REMOTE_L2TP_VPN_IP_SUBNET gateway=gre-tunnel-location1

     
    Where:
    LOCAL_WAN_IP_ADDRESS - External STATIC IP Address assigned by your ISP to the local router.
    REMOTE_WAN_IP_ADDRESS - External STATIC IP Address assigned by your ISP to the remote router.
    GRE_INTERFACE_IP_ADDRESS - is an arbitrary IP address, not in use anywhere else in your network(s), AND the other end of the GRE tunnel is in the same subnet. eg: one end is 10.1.1.1/32, the other is 10.1.1.2/32
    REMOTE_LAN_IP_SUBNET - is the LAN subnet of the remote LAN eg: 192.168.1.0/24
    REMOTE_L2TP_VPN_IP_SUBNET - is the LAN subnet of the remote L2TP VPN network, if any. eg: 192.168.2.0/24. See Mikrotik L2TP-IPSec Server.
    Adding this will allow VPN clients to route packets to/from the other end of the GRE tunnel.
    N.B. Including the ipsec-secret= option requires the allow-fast-path=no option.
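    Added example (not part of the original notes): input firewall rules that accept the tunnel only from the known static peer, followed by the checks to run once both ends are configured. It assumes the default RouterOS firewall drops unsolicited input, reuses the placeholders from above, and REMOTE_GRE_INTERFACE_IP_ADDRESS stands for the far end's GRE interface address (both are assumptions, not values from the notes).

```routeros
# Added example, not from the original notes. Assumes the default firewall drops
# unsolicited input and that REMOTE_WAN_IP_ADDRESS / REMOTE_GRE_INTERFACE_IP_ADDRESS
# are replaced with the peer's static WAN address and its GRE interface address.
/ip firewall filter
add chain=input comment="gre-site2: GRE (proto 47)" protocol=gre src-address=REMOTE_WAN_IP_ADDRESS action=accept
# the next two rules are only needed when ipsec-secret= is set on the GRE interface
# (RouterOS then adds a dynamic IPsec peer/policy that needs IKE, NAT-T and ESP from the peer)
add chain=input comment="gre-site2: IKE/NAT-T" protocol=udp dst-port=500,4500 src-address=REMOTE_WAN_IP_ADDRESS action=accept
add chain=input comment="gre-site2: ESP" protocol=ipsec-esp src-address=REMOTE_WAN_IP_ADDRESS action=accept
# keep them above the default input drop rule; matching by comment survives renumbering
move [find comment~"^gre-site2:"] 0

# checks: the R flag means the keepalive is answered, a dynamic SA appears when encrypted,
# and the far end's GRE address should answer over the tunnel interface
/interface gre print detail where name=gre-tunnel-location1
/ip ipsec installed-sa print
/ping REMOTE_GRE_INTERFACE_IP_ADDRESS interface=gre-tunnel-location1 count=3
```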
  • MikroTik Handy Commands

    /export

    /export file=EXPORT_FILENAME.rsc show-sensitive [1]

    /system backup save name=BACKUP_FILENAME.backup dont-encrypt=yes

    /ip firewall filter print all

    /ppp active print without-paging terse


    [1] show-sensitive will export the secrets/passwords into the file as well. This is the default for RouterOS 6.x. N.B. For RouterOS 7.x, hide-sensitive is the default.
  • MikroTik L2TP-IPSec Server

    /ppp profile add name=ipsec_vpn local-address=192.168.11.1 dns-server=DNS1,DNS2
    /interface l2tp-server server set enabled=yes default-profile=ipsec_vpn authentication=mschap1,mschap2
    /ip ipsec policy set [find default=yes] src-address=0.0.0.0/0 dst-address=0.0.0.0/0 protocol=all proposal=default template=yes
    /ip ipsec peer add exchange-mode=main passive=yes name=l2tpserver
    /ip ipsec identity add generate-policy=port-override auth-method=pre-shared-key secret="STRONGSECRET1" peer=l2tpserver
    /ip ipsec proposal set default auth-algorithms=sha256,sha1 enc-algorithms=aes-256-cbc,aes-192-cbc,aes-128-cbc,3des pfs-group=modp1024
    /ppp secret add name="USER" password="STRONGSECRET2" service=l2tp profile=ipsec_vpn remote-address=192.168.11.2
    /ip firewall filter add chain=input action=accept protocol=udp port=1701,500,4500
    /ip firewall filter add chain=input action=accept protocol=ipsec-esp


    The 192.168.11.x IP addresses are an arbitrary, NOT-in-use IP address range for use by the VPN. Remember to add an appropriate route on the connecting user's client to get access to the 'real/normal' internal LAN, with the gateway being the local-address specified above (in the above case, 192.168.11.1). Each /ppp secret (user login) needs a unique IP address in the same range.
     
    Move the firewall filter rules to the top (first) of the firewall rules: use /ip firewall filter print all to find their numbers, then /ip firewall filter move from_number to_number.
     
    DNS1,DNS2 are the DNS servers used on the normal LAN - I normally include any LAN server running a DNS server and the gateway router itself. Separate IP addresses with a comma. You can have just one.
     
    STRONGSECRET1 is typically a nice long password.
    STRONGSECRET2 is typically something an end user might know or remember (but not necessarily).
    Remember these DO show up in any 'export'ed file config.
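    Added example (not part of the original notes): the two input rules from this section tagged with comments, restricted to the WAN interface and to the router's own ports, and moved to the top by comment instead of by printed rule number (which shifts every time a rule is added or removed), followed by the commands to confirm a client is fully up. It assumes the WAN interface is named pppoe-wan as in the UFB section; dst-port is used instead of port so only packets addressed to the router's VPN ports match.

```routeros
# Added example, not from the original notes. Assumes the PPPoE WAN interface is
# called pppoe-wan (from the UFB section); change in-interface= if yours differs.
/ip firewall filter
add chain=input comment="l2tp-ipsec: IKE/NAT-T/L2TP" in-interface=pppoe-wan protocol=udp dst-port=500,4500,1701 action=accept
add chain=input comment="l2tp-ipsec: ESP" in-interface=pppoe-wan protocol=ipsec-esp action=accept
# move both rules ahead of everything else; find-by-comment does not depend on rule numbers
move [find comment~"^l2tp-ipsec:"] 0
# placement check: the two rules should now print as 0 and 1, with counters climbing on connect
print stats where comment~"^l2tp-ipsec:"

# verify a client end to end: IKE phase 1, the installed SA pair, then the PPP session
# with its remote-address from /ppp secret
/ip ipsec active-peers print
/ip ipsec installed-sa print
/ppp active print without-paging terse
```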