This article is written by Server Management Inc. IT systems administrator Timo Puistaja - 19.04.2017, Tartu, Estonia.
We have built several different networking systems all over EU. This is the main step-by-step overview of MikroTik RouterOS configurations we are using. This is the basics - everything you need to do when you just want to get the internet up and running but also know how to secure your router from potetial threats. In this scenario im going to use RB3011Ui-AS running Router OS 18.104.22.168 as example.
Usually there are 3 ways of getting cable internet to your home or office:
Usually we setup bridge and add all ports to bridge. Give this bridge IP (this will be the GW; DHCP and DNS server for local PC´s). Configure IP Pool and then make DHCP Server to serve addresses from the pool.
Now we need to Masquerade our LAN and WAN networks, so they can talk in the default route (0.0.0.0/0) - our clients can access internet.
This is one of the best firewalls we have seen in the years. More info: MikroTik RouterOS - Best practice firewall
As you noticed before we did allow our router to answer DNS requests. Its good idea to make MikroTik you internal DNS server - you can make fake DNS records. (for example elephant.monkey.com = 192.168.x.100). But we need to Drop the DNS requests coming from outside (WAN) otherwise our router will be Open DNS Resolver and sooner or later will be used to attack some other DNS servers.
Our firewalls idea is to block everything coming from outside (WAN) and then start allowing only needed traffic (for example you put up Webserver - then you allow port 80 towards your IP/router and make port forward in NAT to reach the server in your internal network)
Here is the export of our most used firewall, comments showing what each line is for:
/ip firewall filter
add action=drop chain=input comment="Drop DNS requests from public" connection-state=new dst-port=53 in-interface=ether1 protocol=tcp
add action=drop chain=input comment="Drop DNS requests from public" connection-state=new dst-port=53 in-interface=ether1 protocol=udp
add action=drop chain=input comment="Disallow weird packets" connection-state=invalid
add action=accept chain=input comment="Allow LAN access to router and Internet" connection-state=new in-interface=bridge1-LAN
add action=accept chain=input comment="Allow connections that originated from LAN" connection-state=established
add action=accept chain=input comment="Allow connections that originated from LAN" connection-state=related
add action=accept chain=input comment="Allow ping ICMP from anywhere" protocol=icmp
add action=accept chain=input comment="Allow WAN access to router" dst-port=8291 protocol=tcp
add action=drop chain=input comment="Disallow anything from anywhere on any interface"
add action=drop chain=forward comment="Disallow weird packets" connection-state=invalid
By default you should configure some graphing - whenever you or your PC users feel like the internet is slow - you can check out whether MikroTik is out of resources (CPU; Mem) or the uplink speed is not enough.
Ofcouse for bigger infrastructures its recommended to use SNMP monitoring softwares (Cacti/Observium/The Dude or something similar). Next step from SNMP monitoring is Packet Flow monitoring to monitor WHO is using the resource.
To setup basic graphing:
You can View your graphs from the same menu OR enable WWW from IP - Services and go to you MikroTiks webpage/panel.
This is VERY important - by default MikroTik holds its logs on RAM which means if you reboot the device when you are in trouble - you will lose all the logs. We will setup MikroTik to keep logs on Disk:
We usually keep configs in .rsc format. Its really easy to export and import them between routers. We make manual backups form devices after every bigger change. Note that this method doesnt export MAC addresses and admin password - perfect for import-export between 2 different routers.
Open terminal and write export file=filenamehere and press Enter on your keyboard.
The backup file is now in the Files menu - go and download it to your PC. (Your backup file is useless if the MikroTik is dead or corrupted and its only stored on the MikroTik itself)
Thats it - your basic configuration is now done as professional networking engineer would do it.