Mikrotik network with router

There are many descriptions, on the Internet and on the manufacturer's website, of how to set up a network with a Mikrotik router.

That is not what this page repeats. The goal is to have a network running within 5 minutes, which includes:
– protection against attacks
– a stateful firewall
– the devices on the local network get an IP address assigned
– the devices on the local network can reach the Internet

The parts of the config file are presented, together with how to modify the file so that most Mikrotik routers accept it. The Mikrotik hEX S (RB760iGS) is shown in operation.

1., Router reset (https://wiki.mikrotik.com/wiki/Manual:Reset):
– unplug the device from power
– press and hold the button right after applying power; hold the button until the LED starts flashing
– release the button to clear configuration

>>> If you wait until the LED stops flashing and only then release the button, this will instead launch Netinstall mode to reinstall RouterOS <<<

[Image: Mikrotik router after reset]

2., After the reset the router loads a default config. This must be deleted, and the router rebooted again without a config:
/system reset-configuration skip-backup=yes no-defaults=yes

[Image: Mikrotik router reset command]

3., Upload the "Mikrotik_router_config.rsc" file to the router and run it:
/import file-name=Mikrotik_router_config.rsc

[Image: Mikrotik router loading the config]

4., After the restart the router already runs with the values set in the configuration file, so a password is required to log in:
– username: admin
– password: IPboard

[Image: Mikrotik router password prompt]

5., Content of the Mikrotik_router_config.rsc file

Create a new text file and rename it (name and extension) to Mikrotik_router_config.rsc. Then copy the text below into the file and save it.

###############################################
#
#                                 Mikrotik router config
#                                    >> IP-board.hu <<
#
###############################################
###############################################
#
#                                       Router reset
#
###############################################
#1) Open Winbox:
# - Click the "MAC Address"
# - Login: admin
# - Password: - empty -
# - Click the "Connect" button
#
#2) Open "New Terminal" and paste the command:
#
#/system reset-configuration skip-backup=yes no-defaults=yes
#
#3) After the reboot, click "New Terminal" and check the running config:
#
#/export file=any_name
#
#4) Files => any_name.rsc => right-click on the file and "Download"
# Check in it that all settings have been deleted (open the file in Notepad)
#
###############################################
#
#                                  Upload router config
#
###############################################
#1) Files => Click the "Upload" button => select "Mikrotik_router_config.rsc"
#
#2) Open "New Terminal" and paste the command:
#
#/import file-name=Mikrotik_router_config.rsc
#
#3) After the reboot, the router is working!
#
###############################################
#
#                             Router config commands
#
###############################################
#
#
/interface bridge
add name=bridge1
#
/interface ethernet
set [ find default-name=ether2 ] loop-protect=on
set [ find default-name=ether3 ] loop-protect=on
set [ find default-name=ether4 ] loop-protect=on
set [ find default-name=ether5 ] loop-protect=on
#set [ find default-name=ether6 ] loop-protect=on
#set [ find default-name=ether7 ] loop-protect=on
#set [ find default-name=ether8 ] loop-protect=on
#set [ find default-name=ether9 ] loop-protect=on
#set [ find default-name=ether10 ] loop-protect=on
#
/interface list
add name=inet
add name=lan
#
/ip pool
add name=bridge1-dhcp-pool ranges=192.168.88.101-192.168.88.199
#
/ip dhcp-server
add add-arp=yes address-pool=bridge1-dhcp-pool disabled=no interface=bridge1 \
lease-time=1d name=bridge1-dhcp-server
#
/interface bridge port
add bridge=bridge1 comment=defconf interface=ether2
add bridge=bridge1 comment=defconf interface=ether3
add bridge=bridge1 comment=defconf interface=ether4
add bridge=bridge1 comment=defconf interface=ether5
#add bridge=bridge1 comment=defconf interface=ether6
#add bridge=bridge1 comment=defconf interface=ether7
#add bridge=bridge1 comment=defconf interface=ether8
#add bridge=bridge1 comment=defconf interface=ether9
#add bridge=bridge1 comment=defconf interface=ether10
#add bridge=bridge1 comment=defconf interface=sfp1
#
/ip neighbor discovery-settings
set discover-interface-list=lan
#
/interface list member
add interface=ether1 list=inet
add interface=bridge1 list=lan
#
/ip address
#WAN_interface
add address=192.168.1.2/24 interface=ether1 network=192.168.1.0
#LAN_interface
add address=192.168.88.1/24 interface=bridge1 network=192.168.88.0
#
/ip cloud
set ddns-enabled=yes
#
/ip dhcp-server network
add address=192.168.88.0/24 dns-server=192.168.88.1 gateway=192.168.88.1 \
netmask=24 ntp-server=192.168.88.1
#
/ip dns
set allow-remote-requests=yes servers=8.8.8.8,8.8.4.4
#
/ip firewall filter
#
#INPUT
add action=accept chain=input comment="accept established,related,untracked" \
connection-state=established,related,untracked
add action=drop chain=input comment="drop invalid" connection-state=invalid
add action=drop chain=input comment="drop ssh brute forcers" dst-port=22 \
in-interface-list=!lan protocol=tcp src-address-list=ssh_blacklist
add action=add-src-to-address-list address-list=ssh_blacklist \
address-list-timeout=2h chain=input comment="Add ssh blacklist" \
connection-state=new dst-port=22 in-interface-list=!lan protocol=tcp \
src-address-list=ssh_stage3
add action=add-src-to-address-list address-list=ssh_stage3 \
address-list-timeout=5m chain=input comment="Add ssh blacklist stage3" \
connection-state=new dst-port=22 in-interface-list=!lan protocol=tcp \
src-address-list=ssh_stage2
add action=add-src-to-address-list address-list=ssh_stage2 \
address-list-timeout=5m chain=input comment="Add ssh blacklist stage2" \
connection-state=new dst-port=22 in-interface-list=!lan protocol=tcp \
src-address-list=ssh_stage1
add action=add-src-to-address-list address-list=ssh_stage1 \
address-list-timeout=5m chain=input comment="Add ssh blacklist stage1" \
connection-state=new dst-port=22 in-interface-list=!lan protocol=tcp
add action=accept chain=input comment="accept ICMP" protocol=icmp
add action=accept chain=input comment="accept ssh" dst-port=22 protocol=tcp
add action=drop chain=input comment="drop all not coming from lan" \
in-interface-list=!lan
#
#FORWARD
add action=accept chain=forward comment="accept in ipsec policy" \
ipsec-policy=in,ipsec
add action=accept chain=forward comment="accept out ipsec policy" \
ipsec-policy=out,ipsec
add action=fasttrack-connection chain=forward comment=fasttrack \
connection-state=established,related
add action=accept chain=forward comment=\
"accept established,related,untracked" connection-state=\
established,related,untracked
add action=drop chain=forward comment="drop invalid" connection-state=invalid
add action=drop chain=forward comment="drop all from inet not DSTNATed" \
connection-nat-state=!dstnat connection-state=new in-interface=ether1
#
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \
out-interface=ether1
#
/ip firewall service-port
set ftp disabled=yes
set tftp disabled=yes
set irc disabled=yes
set h323 disabled=yes
set sip disabled=yes
set pptp disabled=yes
set udplite disabled=yes
set dccp disabled=yes
set sctp disabled=yes
#
/ip route
#default route towards the upstream device (gateway); a route to 192.168.1.0/24
#alone would not give the LAN any path to the Internet
add distance=1 dst-address=0.0.0.0/0 gateway=192.168.1.1
#
/ip service
set telnet disabled=yes
set ftp disabled=yes
set ssh port=22
set api disabled=yes
set api-ssl disabled=yes
#
/ip ssh
set forwarding-enabled=both
#
#/lcd
#set time-interval=hour
#
/user
set admin password=IPboard
#
/snmp
set enabled=yes
#
/system clock
set time-zone-name=Europe/Budapest
#
/system identity
set name=IP_board_hu
#
/system ntp client
set enabled=yes primary-ntp=148.6.0.1
#
/system package update set channel=long-term
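The input chain above protects SSH with a ladder of address lists: every new connection on port 22 from outside the lan list adds the source to ssh_stage1, a source already in stage1 also climbs to stage2, and so on until a source in ssh_stage3 lands in ssh_blacklist, which the drop rule at the top of the ladder matches. Because add-src-to-address-list is passthrough, the packet keeps walking the chain after each addition, and rule order decides which connection is the last one accepted. The following Python model is an added example for this page, not RouterOS code or the author's; rule order, list names and the 5m/2h timeouts are taken from the config, while the Packet fields, the run helper and the attempt timestamps are constructed for the demonstration.

```python
# Model of the staged SSH brute-force protection in the input chain above.
# Added example for this page, not RouterOS code; rule order, list names and
# timeouts come from the config, the packets and timestamps are constructed.
from dataclasses import dataclass, field

STAGE_TIMEOUT = 5 * 60          # address-list-timeout=5m on ssh_stage1..3
BLACKLIST_TIMEOUT = 2 * 3600    # address-list-timeout=2h on ssh_blacklist


@dataclass
class Packet:
    src: str
    dst_port: int
    proto: str = "tcp"
    in_lan: bool = False        # True when in-interface-list=lan matches
    conn_state: str = "new"     # new / established / related / untracked / invalid


@dataclass
class AddressLists:
    """Dynamic address-list entries with expiry, like address-list-timeout."""
    entries: dict = field(default_factory=dict)   # (list name, ip) -> expiry

    def contains(self, name, ip, now):
        expiry = self.entries.get((name, ip))
        return expiry is not None and expiry > now

    def add(self, name, ip, now, timeout):
        self.entries[(name, ip)] = now + timeout


def ssh_from_outside(p):
    return p.proto == "tcp" and p.dst_port == 22 and not p.in_lan


def new_ssh_from_outside(p):
    return ssh_from_outside(p) and p.conn_state == "new"


# Input-chain rules in the order the config lists them:
# (match(packet, lists, now), action, add-src-to-address-list target)
INPUT_RULES = [
    (lambda p, l, n: p.conn_state in ("established", "related", "untracked"), "accept", None),
    (lambda p, l, n: p.conn_state == "invalid", "drop", None),
    (lambda p, l, n: ssh_from_outside(p) and l.contains("ssh_blacklist", p.src, n), "drop", None),
    (lambda p, l, n: new_ssh_from_outside(p) and l.contains("ssh_stage3", p.src, n),
     "add-src", ("ssh_blacklist", BLACKLIST_TIMEOUT)),
    (lambda p, l, n: new_ssh_from_outside(p) and l.contains("ssh_stage2", p.src, n),
     "add-src", ("ssh_stage3", STAGE_TIMEOUT)),
    (lambda p, l, n: new_ssh_from_outside(p) and l.contains("ssh_stage1", p.src, n),
     "add-src", ("ssh_stage2", STAGE_TIMEOUT)),
    (lambda p, l, n: new_ssh_from_outside(p), "add-src", ("ssh_stage1", STAGE_TIMEOUT)),
    (lambda p, l, n: p.proto == "icmp", "accept", None),
    (lambda p, l, n: p.proto == "tcp" and p.dst_port == 22, "accept", None),
    (lambda p, l, n: not p.in_lan, "drop", None),
]


def input_chain(p, lists, now):
    """Evaluate the chain top-down. add-src-to-address-list is passthrough
    (the packet continues to the next rule); accept and drop terminate.
    Reaching the end means the chain's default action: accept."""
    for match, action, target in INPUT_RULES:
        if not match(p, lists, now):
            continue
        if action == "add-src":
            name, timeout = target
            lists.add(name, p.src, now, timeout)
            continue
        return action
    return "accept"


def run(events):
    """events: constructed (seconds, Packet) tuples. Returns (verdict per packet, lists)."""
    lists = AddressLists()
    return [input_chain(p, lists, t) for t, p in events], lists


if __name__ == "__main__":
    attacker = "203.0.113.7"          # constructed TEST-NET-3 address
    burst = [(t, Packet(attacker, 22)) for t in (0, 10, 20, 30, 40)]
    verdicts, lists = run(burst)
    print(verdicts)                   # ['accept', 'accept', 'accept', 'accept', 'drop']
    print(lists.contains("ssh_blacklist", attacker, 40))   # True
```

Run on a burst of five new connections ten seconds apart, the model shows what the rule order implies: the fourth connection is the one that writes the source into ssh_blacklist, yet it is still accepted by the port-22 accept rule further down, and only the fifth is dropped. It also shows the ladder's limit: connections spaced wider than the 5m stage timeout never climb past stage1, and since the accept rule on port 22 has no interface restriction, the ladder is the only control on SSH from the Internet. Limiting that accept rule to in-interface-list=lan, or to a trusted address list, is the stronger setting where remote SSH is not needed.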

6., How to modify the Mikrotik_router_config.rsc file

The file contains several commands, which can be pasted line by line or loaded all at once. Every line beginning with "#" is skipped.

/interface ethernet:
    Adjust the configuration to the number of ports on the router.

/interface bridge port:
    Adjust the configuration to the number of ports on the router.

#WAN_interface:
    Set an address from the network to which the device is connected.

/ip route:
    Set the address of the network device (gateway) to which the router is connected.

/user:
    Set the admin password here.

/system identity:
    Set the router's name on the network.
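Since the file is assembled by copying text from a web page and then edited by hand as described in this section, it is worth checking it before running /import (step 3): a single typographic quote in a comment="..." value makes the import fail on that line, and a wrong route leaves the LAN without Internet. The following Python linter is an added example for this page, not RouterOS code or the author's; it joins the export format's backslash continuations, splits the file into menu and command pairs, flags non-ASCII quotes, and checks for a few settings the config above relies on. The REQUIRED list, the fix_quotes helper and the SAMPLE_RSC text are constructed for the demonstration.

```python
# Pre-import checks for a Mikrotik_router_config.rsc assembled by copy-paste.
# Added example for this page, not RouterOS code; the checks mirror settings in
# the config above and the sample file at the bottom is constructed.

# Quote characters that web editors substitute for " and '; /import rejects them.
SMART_QUOTES = {"\u201c": '"', "\u201d": '"', "\u201e": '"', "\u2033": '"',
                "\u2018": "'", "\u2019": "'"}
VERBS = {"add", "set", "remove", "enable", "disable"}


def fix_quotes(text):
    """Replace typographic quotes with their ASCII equivalents."""
    return "".join(SMART_QUOTES.get(c, c) for c in text)


def join_continuations(text):
    """Merge lines ending in a backslash, as the export format splits long commands."""
    lines, buf = [], ""
    for raw in text.splitlines():
        line = raw.rstrip()
        if line.endswith("\\"):
            buf += line[:-1] + " "
            continue
        lines.append(buf + line)
        buf = ""
    if buf:
        lines.append(buf)
    return lines


def parse_rsc(text):
    """Return (menu, command) pairs such as ('/ip service', 'set telnet disabled=yes').
    A line starting with '/' selects the menu and may also carry the command
    ('/system package update set channel=long-term'). Comments and blanks are skipped."""
    menu, commands = "", []
    for line in join_continuations(text):
        s = " ".join(line.split())
        if not s or s.startswith("#"):
            continue
        if s.startswith("/"):
            tokens = s.split(" ")
            i = next((k for k, t in enumerate(tokens) if t in VERBS), len(tokens))
            menu = " ".join(tokens[:i])
            if i == len(tokens):
                continue
            s = " ".join(tokens[i:])
        commands.append((menu, s))
    return commands


# (menu, substrings one command under that menu must all contain, message); constructed list
REQUIRED = [
    ("/ip service", ("set telnet", "disabled=yes"), "telnet still enabled"),
    ("/ip service", ("set ftp", "disabled=yes"), "ftp still enabled"),
    ("/ip firewall nat", ("chain=srcnat", "action=masquerade"), "no srcnat masquerade"),
    ("/ip route", ("dst-address=0.0.0.0/0",), "no default route: LAN will not reach the Internet"),
    ("/user", ("set admin", "password="), "admin password not set"),
]


def lint_rsc(text):
    """Return human-readable findings; an empty list means the file passed."""
    findings = []
    for n, raw in enumerate(text.splitlines(), 1):
        if raw.lstrip().startswith("#"):
            continue                      # comment lines are skipped by /import anyway
        bad = "".join(sorted({c for c in raw if c in SMART_QUOTES}))
        if bad:
            findings.append(f"line {n}: non-ASCII quote(s) {bad}; /import would fail here")
    commands = parse_rsc(text)
    for menu, needles, message in REQUIRED:
        if not any(m == menu and all(nd in c for nd in needles) for m, c in commands):
            findings.append(f"{menu}: {message}")
    return findings


# Constructed sample carrying two typical copy-paste defects: a typographic
# quote in a comment and a route to the upstream subnet instead of a default route.
SAMPLE_RSC = """\
# constructed sample, not a full router config
/ip firewall filter
add action=drop chain=input comment=\u201ddrop invalid\u201d connection-state=invalid
/ip route
add distance=1 dst-address=192.168.1.0/24 gateway=192.168.1.1
/ip firewall nat
add action=masquerade chain=srcnat comment=masquerade ipsec-policy=out,none \\
    out-interface=ether1
/ip service
set telnet disabled=yes
set ftp disabled=yes
/user
set admin password=CHANGE_ME
/system package update set channel=long-term
"""

if __name__ == "__main__":
    for finding in lint_rsc(SAMPLE_RSC):
        print(finding)
```

Running the linter on the sample reports the quote on line 3 and the missing default route; after fix_quotes only the route finding remains, and replacing the route's dst-address with 0.0.0.0/0 clears the list. The same call on the real file, read with open(...).read(), is the check to run before uploading it to the router.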