Showing posts from September, 2019

Securing of MikroTik Router.

Why?
- Prevent unauthorized people from accessing the system.
- An intruder can steal information from you, or even deny you access to your resources.
- An intruder can use your resources to access other systems.

How?
- Keeping router up-to-date.
- Securing user & password.
- Securing physical access.
- Configuring packages.
- Hardening services.

01. Keeping router up-to-date firmware.
- Use the current version.
- Check the Changelog before upgrading to a newer version.
- Download from a trusted source.
- Check the file (MD5) when downloading from a third-party site.
https://mikrotik.com/download

02. Securing user & password.
System> Users
- Change admin account name.
- Set complex password.
- Create separate account for each user.
- Set allowed address.
- Put read-only user in “read” group.

03. Securing physical access.
Interfaces> Interface List
- Disable Console (optional).
- Always log out of the console session.
- Disable unused interfaces.
- Don’t configure unused interfaces (optional).

04. Configurin

MikroTik Firewall Rules.

01. How to change default MikroTik IP services.
IP> Services> IP Service List
Default IP services:
- SSH: 22 --> 62222
- ftp: 21 --> 62121
- telnet: 23 --> 62223
- www: 80 --> 62880
- winbox: 8291 --> 68291

02. Firewall Rules Allow.
IP> Firewall> Filter Rules (+)
General
- Chain: input
- Protocol: 6(tcp)
- Dst. Port: 8291
Action
- Action: accept
Click Apply and OK button.

03. Test Verification.
cmd
telnet 192.168.1.1 62223
Login: admin
Password: *****
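The port changes above can be checked from a saved configuration export. The following is an added example, not code from the original posts: it reads the `/ip service` section of a RouterOS export, reports which of the services listed above are still enabled on their default port, and checks that each planned replacement port is a usable TCP port (1 to 65535) and is not assigned twice. The sample export is constructed, and the parser assumes a compact export that lists only settings that differ from the defaults.

```python
import re

# Default ports as listed in the post above (IP > Services).
DEFAULT_PORTS = {"ssh": 22, "ftp": 21, "telnet": 23, "www": 80, "winbox": 8291}

# Replacement ports exactly as listed in the post above.
PAGE_PLAN = {"ssh": 62222, "ftp": 62121, "telnet": 62223, "www": 62880, "winbox": 68291}

# Constructed sample export (assumption: only non-default settings appear).
SAMPLE_EXPORT = """\
/ip service
set telnet disabled=yes
set ftp port=62121
set ssh port=62222
/ip firewall filter
add action=accept chain=input dst-port=8291 protocol=tcp
"""

def parse_services(export_text):
    """Return {service: {"port": int, "disabled": bool}} for the listed services."""
    state = {n: {"port": p, "disabled": False} for n, p in DEFAULT_PORTS.items()}
    in_section = False
    for line in export_text.splitlines():
        line = line.strip()
        if line.startswith("/"):              # a new export section begins
            in_section = (line == "/ip service")
            continue
        m = re.match(r"set (\S+)\s+(.*)", line)
        if not (in_section and m and m.group(1) in state):
            continue
        name = m.group(1)
        props = dict(kv.split("=", 1) for kv in m.group(2).split() if "=" in kv)
        if "port" in props:
            state[name]["port"] = int(props["port"])
        if "disabled" in props:
            state[name]["disabled"] = props["disabled"] == "yes"
    return state

def still_default(state):
    """Services that are enabled and still listening on their default port."""
    return sorted(n for n, s in state.items()
                  if not s["disabled"] and s["port"] == DEFAULT_PORTS[n])

def invalid_plan(plan):
    """Planned ports outside 1..65535 or assigned to more than one service."""
    bad, seen = [], set()
    for name, port in plan.items():
        if not 1 <= port <= 65535 or port in seen:
            bad.append((name, port))
        seen.add(port)
    return bad
```
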

How to create VLAN in MikroTik Router.

01. Create VLAN.
Interfaces> VLAN> (+)
- Name: VLAN-10, VLAN ID: 10, Interface: Ether5. Click Apply and OK button.
- Name: VLAN-20, VLAN ID: 20, Interface: Ether5. Click Apply and OK button.
- Name: VLAN-30, VLAN ID: 30, Interface: Ether5. Click Apply and OK button.

02. IP assign into VLAN interface.
Go to Menu > IP > Addresses > (+) Add
- Type Address: 192.168.10.1/24 [Local IP address], Interface: VLAN-10. Click Apply and OK button.
- Type Address: 192.168.20.1/24 [Local IP address], Interface: VLAN-20. Click Apply and OK button.
- Type Address: 192.168.30.1/24 [Local IP address], Interface: VLAN-30. Click Apply and OK button.

Note: If you want to create a VLAN for a WAN connection, your ISP will provide you with the VLAN ID. If you want to create a VLAN for your own network, choose any integer between 1 and 4095.

Bridge Configuration of MikroTik Router.

01. Create Bridge interface.
Bridge> Bridge (+)
- Name: Bridge1
- Comment: Ether2+Ether3
Click Apply and OK button.

02. Port Assign in interface Bridge.
Bridge> Ports (+)
Double click into Ether2
- Interface: Ether2
- Bridge: Bridge1
Click Apply and OK button.
Bridge> Ports (+)
Double click into Ether3
- Interface: Ether3
- Bridge: Bridge1
Click Apply and OK button.

MikroTik L2TP/IPsec VPN Configuration.

01. L2TP Server Binding.
PPP> Interface> L2TP Server Binding.
- Name: L2TP-VPN
Click Apply and OK button.

02. Enable L2TP Server.
PPP> Interface> L2TP Server>
- Enable: Yes
- Authentication: Yes (pap, chap, mschap1, mschap2)
- Use IPSec: Yes
- IPsec Secret: 12345
- Caller IP Type: IP address
Click Apply and OK button.

03. Create IP Pool.
IP> Pool> (+)
- Name: L2TP-Pool
- Address: 30.30.30.30.10-30.30.30.40
- Next Pool: None
Click Apply and OK button.

04. Create PPP Profile.
PPP> Profile> (+)
- Name: L2TP-VPN
- Local Address: 30.30.30.1
- Remote Address: L2TP-Pool
Click Apply and OK button.

05. Create PPP account for each user.
PPP> Secret> (+)
- Name: abc
- Password: 123
- Service: L2TP
- Profile: L2TP-VPN
Click Apply and OK button.

Client Portion

01. Network and Sharing Center
- Set up a new connection or network
- Connect to a workplace (Set up a dial-up or VPN)
- Next
- Use my Internet connection (VPN)
- Internet address: 103.X.XX.224
- Destination name: L2TP-VPN

Remember the basic of MikroTik Router.

01. Default MikroTik Router Login.
- IP address: 192.168.88.1
- Username: admin
- Password: blank

02. Identity Rename.
System> Identity> Identity

03. Password Recovery.
- Backup MikroTik router
- Open Web browser mikrotikpasswordrecovery.net
- Choose File as backup file
- Click on Upload and show me passwords!.

04. How to system reset-configuration.
Go to New Terminal > Type > system reset-configuration > Enter
Dangerous! Reset anyway? [y/N]: y > Enter
Router has been disconnected! > Ok
Could not connect to 00:0C:42:89:A9:A6 (port 2056) – other end is not responding! > Ok
Open WinBox > Neighbors > Select MAC Address > Connect > Remove Configuration
Or
Push reset button in mikrotik router

MikroTik Port Forwarding using Winbox.

01. Web Server
IP> Firewall> NAT (+)
General
- Chain: dstnat
- Dst. Address: 102.115.55.44
- Protocol: 6 (tcp)
- Dst. Port: 4005
Action
- Action: dst-nat
- To Addresses: 192.168.1.5
- To Ports: 80

02. FTP Server
IP> Firewall> NAT (+)
General
- Chain: dstnat
- Dst. Address: 102.115.55.44
- Protocol: 6 (tcp)
- Dst. Port: 4006
Action
- Action: dst-nat
- To Addresses: 192.168.1.6
- To Ports: 21

03. Remote Desktop Sharing
IP> Firewall> NAT (+)
General
- Chain: dstnat
- Dst. Address: 102.115.55.44
- Protocol: 6 (tcp)
- Dst. Port: 4070
Action
- Action: dst-nat
- To Addresses: 192.168.1.70
- To Ports: 3389

04. WiFi Router
IP> Firewall> NAT (+)
General
- Chain: dstnat
- Dst. Address: 102.115.55.44
- Protocol: 6 (tcp)
- Dst. Port: 4050
Action
- Action: dst-nat
- To Addresses: 192.168.1.50
- To Ports: 8080

MikroTik Router Bandwidth Management.

- Simple Queues (Dedicated Bandwidth).
- PCQ (Per Connection Queue).
- Total Bandwidth Queues.
- Priority Queues.
- Parent Queues (Share Bandwidth).

01. How to create simple queues (dedicated bandwidth).
Queues> Simple Queues> (+)
- Name: HR_1Mb
- Target Address: 192.168.1.100
- Max Limit: 1M (Target Upload)
- Max Limit: 1M (Target Download)
Click Apply and OK button.

02. How to create PCQ (per connection queue).
Note: We can use PCQ to control dedicated bandwidth for multiple users.
Queues> Queue Types (+)
- Type Name: 1_Mb_Download
- Kind: pcq
- Rate: 1M or 1000
- Dst. Address (Download Address)
Click Apply and OK button.
- Type Name: 1_Mb_Upload
- Kind: pcq
- Rate: 1M or 1000
- Src. Address (Upload Address)
Click Apply and OK button.
Queues> Simple Queues> (+)
- Name: 1Mb_Users
- Target Address: 192.168.1.0/24
- Max Limit: 200M (Target Upload) Total bandwidth
- Max Limit: 200M (Target Download) Total bandwidth
Click Apply and OK button.
Advanced>

Automatic E-mail backup script for MikroTik Router.

Complete configuration for storing backup and then sending via email can be divided into 4 steps.
I. Gmail POP, IMAP enable and Allow less secure apps
II. Mail Configuration
III. Creating scheduler for backup
IV. Creating scheduler for send mail

01. Gmail POP, IMAP enable and Allow less secure apps.
Gmail> Privacy> Google Account> Device activity & security events> Sign-in & security> Allow less secure apps: ON
Gmail> Settings> Forwarding and POP/IMAP> Enable POP for all mail & Enable IMAP> Save

02. Mail Configuration.
Run> cmd> ping smtp.gmail.com
Reply from 74.125.24.108
Reply from 74.125.24.109
Go to Tools > Email and provide sender email information as below:
- Server: 74.125.24.108 (SMTP Server IP address).
- Port: 587 (SMTP Server Port).
- Start Tls: yes
- From : <abc@gmail.com> (Put your email address).
- User: abc@gmail.com
- Password: ***** (Put your email password).
Click Apply and OK button.

03. Schedul

MikroTik Router Basic Configuration using Winbox.

01. Rename interface name of MikroTik Router.
Go to Menu> Interfaces> Interface List> Double click on interface.
- ether1 (default) to rename as ether1-WAN
- ether2 (default) to rename as ether2-DHCP
- ether3 (default) to rename as ether5-NAT
Click Apply and OK button.

02. IP assign into (ether1-WAN) interface.
Go to Menu > IP > Addresses > (+) Add
- Type Address: 10.10.10.2/28 [Real/Public IP address]
- Interface: ether1-WAN
Click Apply and OK button.

03. IP assign into (ether5-NAT) interface.
Go to Menu > IP > Addresses > (+) Add
- Type Address: 192.168.1.1/24 [Local IP address]
- Interface: ether5-NAT
Click Apply and OK button.

04. Put Gateway
Go to IP > Routes > (+) Add
- Dst. Address: 0.0.0.0/0
- Gateway: 10.10.10.1
- Comment: Gateway
Click Apply and OK button.

05. DNS Configuration
IP> DNS> Settings
- Servers1: 8.8.8.8
- Servers2: 8.8.4.4
Click Apply and OK button.

06. NAT Configuration IP>

About MikroTik Router

MikroTik is a Latvian company which was founded in 1996 to develop routers and wireless ISP systems. MikroTik now provides hardware and software for Internet connectivity in most of the countries around the world. Our experience in using industry standard PC hardware and complete routing systems allowed us in 1997 to create the RouterOS software system that provides extensive stability, controls, and flexibility for all kinds of data interfaces and routing. In 2002 we decided to make our own hardware, and the RouterBOARD brand was born. We have resellers in most parts of the world, and customers in probably every country on the planet. Our company is located in Riga, the capital city of Latvia and has more than 280 employees. https://mikrotik.com/aboutus