Mikrotik
General
Be aware that VLAN configuration differs between CRS3xx and CRS1xx/2xx.
Switching performance depends on the non-blocking switching capacity and on how the ports are attached to the switch chip; always check before purchase.
Common L2 Misconfigs
Before enabling VLAN filtering, set up everything else first: trunk, router on a stick, management VLAN and management port. Only change this when a console cable is within reach.
https://wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration#LAG_interfaces_and_load_balancing
Analyze HW offload bridge
# Copy frames for one destination MAC to the CPU so they can be inspected even though the bridge is hardware-offloaded
/interface ethernet switch rule add copy-to-cpu=yes dst-mac-address=4C:5E:0C:4D:12:4B/FF:FF:FF:FF:FF:FF ports=ether1 switch=switch1
Hairpin NAT
Server's IP address is 192.168.254.20. There are some issues with IPP, which is why an internal DNS server is more suitable than masquerade.
/ip firewall nat
# LAN clients hitting the router's local address are DNATed to the server; the masquerade makes replies return via the router
add action=masquerade chain=srcnat comment="Hairpin SRC NAT MASQ" dst-address=192.168.254.20 log=yes log-prefix=HAIRPIN src-address=192.168.254.0/24
add action=dst-nat chain=dstnat dst-address-type=local dst-port=443 protocol=tcp to-addresses=192.168.254.20 to-ports=443
add action=dst-nat chain=dstnat dst-address-type=local dst-port=80 protocol=tcp to-addresses=192.168.254.20 to-ports=80
VPN Split tunnel
On Windows the split-tunnel routes must be included because they appear in the routing table; on Linux the routes are not visible and only the first network from the split tunnel is effective. That is why 0.0.0.0/0 is the better choice for Linux.
Certificates
Cert for local HTTPS, e.g. graphs, must be ECP381; ECP521 would not work.
L2TP
Route Failover
Secure router
https://wiki.mikrotik.com/wiki/Manual:Securing_Your_Router
https://help.mikrotik.com/docs/display/ROS/Securing+your+router
Set user + password through GUI!
Delete the default admin.
Disable use of system DNS, or allow it only for INPUT.
Disable unused packages.
Disable services that are not used.
Services that stay enabled must use a port different from the default, and an ACL must be set.
Untrusted subnets may only reach port 67 UDP on INPUT and the internet.
Disable SNMP and SMB.
Enable email notifications.
SSH key import and set max size.
/tool mac-server set allowed-interface-list=none
/tool mac-server mac-winbox set allowed-interface-list=none
/tool mac-server ping set enabled=no
/ip neighbor discovery-settings set discover-interface-list=none
/tool bandwidth-server set enabled=no
/ip dns set allow-remote-requests=no
/ip proxy set enabled=no
/ip socks set enabled=no
/ip upnp set enabled=no
/ip cloud set ddns-enabled=no update-time=no
/ip ssh set strong-crypto=yes
/ip service set ssh port=2222 address=192.168.1.0/28
/ip service disable telnet,ftp,www,api,api-ssl
/ip service set winbox address=192.168.1.0/28
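A small audit script for the checklist above, added here as an example (not from MikroTik's docs): it parses a `/export verbose` dump, assumed to consist of `/path` section lines followed by `set key=value` lines, and reports which hardening items are not met. The sample dump is constructed, and only a subset of the settings is encoded.

```python
import shlex

EXPECTED = {  # (export section, setting) -> value the checklist above calls for
    ("/ip dns", "allow-remote-requests"): "no",
    ("/tool mac-server", "allowed-interface-list"): "none",
    ("/ip neighbor discovery-settings", "discover-interface-list"): "none",
    ("/ip ssh", "strong-crypto"): "yes",
}
DISABLE = {"telnet", "ftp", "www", "api", "api-ssl"}  # listeners that should be off
DEFAULT_PORT = {"ssh": "22", "winbox": "8291"}        # kept, but ACL'd and moved
# Constructed sample of a half-hardened '/export verbose' (not a real device dump).
SAMPLE = """\
/ip service
set www disabled=no port=80
set ssh address=192.168.1.0/28 disabled=no port=2222
set winbox disabled=no port=8291
/ip dns
set allow-remote-requests=yes
/ip ssh
set strong-crypto=yes
"""

def parse_export(text):
    # Map each '/path' section to its 'set'/'add' entries as key->value dicts.
    cfg, section = {}, None
    for line in (l.strip() for l in text.splitlines()):
        if line.startswith("/"):
            section = cfg.setdefault(line, [])
        elif section is not None and line.split(" ", 1)[0] in ("set", "add"):
            pairs = [tok.partition("=") for tok in shlex.split(line)[1:]]
            # a bare token ('set ssh ...') is the entry name, the rest are key=value
            section.append({(k if eq else "_name"): (v if eq else k) for k, eq, v in pairs})
    return cfg

def audit(text):
    # Return checklist deviations; a setting missing from the dump counts as unverified.
    cfg, findings = parse_export(text), []
    for (section, key), want in EXPECTED.items():
        got = next((e[key] for e in cfg.get(section, []) if key in e), None)
        if got != want:
            findings.append(f"{section}: {key}={got} (expected {want})")
    for svc in cfg.get("/ip service", []):
        name = svc.get("_name")
        if name in DISABLE and svc.get("disabled") != "yes":
            findings.append(f"/ip service {name}: enabled, should be disabled")
        elif name in DEFAULT_PORT:
            if not svc.get("address"):
                findings.append(f"/ip service {name}: no address ACL")
            if svc.get("port", DEFAULT_PORT[name]) == DEFAULT_PORT[name]:
                findings.append(f"/ip service {name}: still on default port")
    return findings
```

Run it against a fresh `/export verbose` after applying the commands above; an empty list means every encoded item was found with the expected value.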
Interested links
MISCONFIGS [wiki.mikrotik.com/wiki/Manual:Layer2_misconfiguration]
CRS3XX [1]
INTERFACE LIST (ZONE) VS ADDRESS LIST (MORE GRANULAR) [4]
MONITORING AND FAILOVER DUAL WAN [5] [6]
VACL AND PACL through CPU [7]
PBR instead of MANGLE [8] [9] [10]
VLAN [11]
ARP LEASE [12]
IS ALLOW ONLY TAG NEEDED ON BRIDGE AND VLAN FILTERING TOO?
TO access MT via Winbox, an IP address must be set on the interface
VLAN TABLE - TRUNK/ACC/HYB [15] [16]
AVOID VLAN 1 on BRIDGE [17]
L2 OPTIMIZATIONS [18]
OLD VS NEW VLAN STYLE [21]
INTERESTING SCRIPTS [22]
FW INVALID [23]: DO NOT ALLOW INVALID
ROUTER on STICK [25]
STORM CONTROL (CRS326 multicast issue) [26]
DHCP SNOOP [27]
IPv6 FW [28]
Link bonding LACP and different link type