Mikrotik

From Personal Wiki

General

Be aware that VLAN configuration differs between the CRS3xx and CRS1xx/2xx series.

Switching performance depends on the non-blocking switching capacity and on how the ports are attached to the switch chip; always check this before purchase.

Common L2 Misconfigs

Before enabling VLAN filtering, set up everything else first: trunk, router on a stick, management VLAN and management port. Only change this when a console cable is within reach.

https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#LAG_interfaces_and_load_balancing

Analyze HW offload bridge

/interface ethernet switch rule
# copy frames for this destination MAC arriving on ether1 to the CPU, so offloaded traffic can be inspected
add copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF ports=ether1 switch=switch1

Hairpin NAT

The server's IP address is 192.168.254.20. There are some issues with IPP, which is why an internal DNS server is more suitable than masquerade.

/ip firewall nat
# hairpin: LAN clients reaching the server through the public address get source-NATed so replies return via the router
add action=masquerade chain=srcnat comment="Hairpin SRC NAT MASQ" dst-address=192.168.254.20 log=yes log-prefix=HAIRPIN src-address=192.168.254.0/24
# port forwards for HTTPS and HTTP to the internal server
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.254.20 to-ports=443
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.254.20 to-ports=80

VPN Split tunnel

For Windows the split networks must be included, because they appear in the routing table; on Linux the routes are not visible and only the first network of the split tunnel is effective. That is why it is better to use 0.0.0.0/0 for Linux.

Certificates

A certificate for local HTTPS (e.g. graphs) must be ECP381; ECP521 does not work.

L2TP

L2TP

Route Failover

NETWATCH FAILOVER

Secure router

Securing router

https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
https://help.mikrotik.com/docs/display/ROS/Securing+your+router

set user + password through the GUI!
delete the default admin user
disable remote use of the router's DNS, or allow it only via INPUT chain rules
disable unused packages
disable services that are not used
services that stay enabled must use a port different from the default, and an ACL (address restriction) must be set
untrusted subnets may reach only UDP port 67 (DHCP) in INPUT, and the internet
disable SNMP and SMB
enable email notifications
import SSH key and set max size

/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes

/ip service set ssh port=2222 address=192.168.1.0/28
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.1.0/28
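The checklist above is easy to drift from over time. As an added example (my own, not from this wiki or from Mikrotik), the following Python audits a RouterOS /export dump against it. It assumes the usual export layout (a /path header line followed by set/add lines), a constructed table of default service ports, and a constructed sample export.

```python
import re
# Constructed reference table of RouterOS default service ports.
DEFAULT_PORTS = {"telnet": 23, "ftp": 21, "www": 80, "ssh": 22, "api": 8728, "api-ssl": 8729, "winbox": 8291}
# Settings from the checklist above, as (export section header, expected key=value).
REQUIRED = [("/tool mac-server", "allowed-interface-list=none"),
            ("/ip neighbor discovery-settings", "discover-interface-list=none"),
            ("/ip dns", "allow-remote-requests=no")]
# Constructed sample export, not from a real device: mac-server was never restricted,
# winbox sits on its default port, and ftp/api/api-ssl were left untouched.
SAMPLE_EXPORT = """# constructed sample
/ip dns
set allow-remote-requests=no servers=9.9.9.9
/ip neighbor discovery-settings
set discover-interface-list=none
/ip service
set telnet disabled=yes
set www disabled=yes
set ssh address=192.168.1.0/28 port=2222
set winbox address=192.168.1.0/28
"""
def parse_export(text):
    # Group set/add lines under their '/section' header; '#' lines are export comments.
    sections, current = {}, None
    for line in (raw.strip() for raw in text.splitlines()):
        if line.startswith("/"):
            current = sections.setdefault(line, [])
        elif line and not line.startswith("#") and current is not None:
            current.append(line)
    return sections
def audit(export_text):
    # Returns a list of findings; an empty list means the checklist is satisfied.
    sections, findings, mentioned = parse_export(export_text), [], set()
    for section, expected in REQUIRED:
        if not any(expected in e for e in sections.get(section, [])):
            findings.append(f"{section}: missing {expected}")
    for entry in sections.get("/ip service", []):
        m = re.match(r"set (\S+)(.*)", entry)
        if not m or m.group(1) not in DEFAULT_PORTS: continue
        name, opts = m.groups()
        mentioned.add(name)
        if "disabled=yes" in opts: continue
        port = re.search(r"\bport=(\d+)", opts)
        if port is None or int(port.group(1)) == DEFAULT_PORTS[name]:
            findings.append(f"/ip service {name}: default port")
        if "address=" not in opts:
            findings.append(f"/ip service {name}: no address ACL")
    # A non-verbose export omits services left at factory defaults: enabled, default port, no ACL.
    findings += [f"/ip service {n}: untouched" for n in sorted(DEFAULT_PORTS.keys() - mentioned)]
    return findings
```

Run audit() on the output of /export from the router; anything it returns is a gap against the list above.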

Interesting links

MISCONFIGS [wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration]

CRS3XX [1]

CRS2XX [2] [3]

INTERFACE LIST (ZONE) VS ADDRESS LIST (MORE GRANULAR) [4]

MONITORING AND FAILOVER DUAL WAN [5] [6]

VACL and PACL through CPU [7]

PBR instead of MANGLE [8] [9] [10]

VLAN [11]

ARP LEASE [12]

IS ALLOW ONLY TAG NEEDED ON BRIDGE AND VLAN FILTERING TOO?

DUAL WAN FAILOVER [13] [14]

To access MT via Winbox, some IP address must be set on the interface

VLAN TABLE - TRUNK/ACC/HYB [15] [16]

AVOID VLAN 1 on BRIDGE [17]

L2 OPTIMIZATIONS [18]

ARP INSPECTION [19] [20]

OLD VS NEW VLAN STYLE [21]

INTERESTING SCRIPTS [22]

FW INVALID [23] DO NOT ALLOW INVALID

[24]

ROUTER on STICK [25]

STORM CONTROL(CRS326 multicast issue) [26]

DHCP SNOOP [27]

IPv6 FW [28]

Link bonding LACP and different link type

Fasttrack Fastpath Firewall flow

Packet flow

STP

Bridge

VPN MUM

Tips for beginners

Fast Path

FastTrack

SSH Hardening

Real speed

FastTrack explain blog